[Day 6] Patch Management Is Hard
{Web Exploitation = LFI}
Challenge
Accessing the webserver returns the following.
Inspecting the URL revealed that the application was invoking the error message from a given file.
Deploy the attached VM and look around. What is the entry point for our web application?
err
Replacing the error file with /etc/passwd seemed to return the file and confirm the LFI vulnerability.
Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
THM{d29e08941cf7fe41df55f1a7da6c****}
Next, to get the source code of a particular file, I used the PHP filter method as shown below.
Decoding the base64 value then led me to the next flag.
Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?
THM{791d43d46018a0d89361dbf60d5d****}
In the source code, I noticed that there is a file called creds.php and manage.php. manage.php redirects to login.php. This is where creds.php comes in handy. I used the same filter technique to read the contents of the creds.php file.
Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?
Logging into the Control System and accessing Password Recovery reveals the next flag.
Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?
THM{552f313b52e3c3dbf5257d8c6db7****}
Now that I had access to the logs, knew where the file was located, and was able to write to the file via web requests, I used the log poisoning method to get remote command execution on the system.
I first poisoned the logs by sending a request with curl and setting a PHP payload as the user agent as shown below. The payload basically allows an attacker to run arbitrary commands remotely on the server via the browser.
Following that, I invoked the logfile via LFI and simply added a cmd argument in the URL and ran commands on the server.
The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
lfi-aoc-awesome-59aedca683fff9261263bb084880c965
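Seen from the defender's side, each step above leaves a recognisable request in the access log. The following is an added example, not part of the original write-up, that flags those request shapes. The log line format, the sample lines and the finding names are assumptions; only the err parameter and the log file path come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed combined-style format: ip - - [ts] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>.*)"$')
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)  # php://, data://, file://, ...
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)

def classify(line, param="err"):
    """Return sorted finding names for one access-log line ([] means nothing flagged)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = set()
    # PHP code in a logged field becomes executable if the log is later included.
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(unquote(m["target"])):
        findings.add("php-tag-in-logged-field")
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in query.get(param, []):
        value = unquote(value)  # parse_qs decoded once; undo double encoding too
        if WRAPPER_RE.match(value):
            findings.add("stream-wrapper")
        if value.startswith("/") or ".." in value.replace("\\", "/").split("/"):
            findings.add("path-escape")
        if value.lower().endswith(".log"):
            findings.add("log-file-include")
    return sorted(findings)

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = classify(line.rstrip("\n"))
        if found:
            hits[number] = found
    return hits

PREFIX = '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [  # constructed lines, not captured from the challenge host
    PREFIX + '"GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PREFIX + '"GET /index.php?err=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    PREFIX + '"GET /index.php?err=php://filter/CONSTRUCTED/resource=index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    PREFIX + '"GET /index.php HTTP/1.1" 200 512 "-" "<?php /* constructed marker */ ?>"',
    PREFIX + '"GET /index.php?err=./includes/logs/app_access.log&cmd=CONSTRUCTED HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, found)
```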