search

LFI + path traversal

From inspection of the network requests, I found a request that loads the profile image using a query parameter to specify the path to the file:

GET /profile.php?img=profile.png HTTP/1.1
Host: xxx.xxx.xxx.xxx:50000
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: connect.sid=xxxx
Upgrade-Insecure-Requests: 1
Priority: u=0, i

As found previously, the profile.png is present in the /uploads directory. Thus, it appears that the img query input will be used to search for a file in that directory.

Possible path: /var/www/html/uploads/profile.png.

hashtag
Simple payloads

With knowledge of the current directory, I started off with simple payloads:

  1. Path traversal

    • ../../../../etc/passwd

    • %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd (URL encoded)

    • ..//..//..//..//etc/passwd

    • %2E%2E%2F%2F%2E%2E%2F%2F%2E%2E%2F%2F%2E%2E%2F%2Fetc%2Fpasswd (URL encoded)

  2. Remote public resource

hashtag
Brute force discovery

I performed a brute force attack using ffuf, with the wordlistarrow-up-right:

  • Cookie: -H "Cookie: PHPSESSID=xxxx"

  • Filter out empty responses: --fs 0

The payload: ....//....//....//....//....//....//....//....//....//etc/passwd was found to work:

This provides us the following information:

  1. Usernames:

    • joshua, charles

  2. More importantly, the server is vulnerable to a Local File Inclusion (LFI) vulnerability!

hashtag
Exploring methods of exploitation

LogoPayloadsAllTheThings/File Inclusion/LFI-to-RCE.md at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right

Following the guide in the link above, I explored a few methods to gain RCE on the system. From the previous enumeration steps, we have found multiple open ports/services, where some of them provides use a means to escalate the LFI to RCE.

hashtag
Log poisoning

I tried accessing the following log files (appended to found payload above):

hashtag
1. SMTP (port 25) ~ /var/log/syslog

From enumeration of the SMTP commands, I found a few that will directly log user inputs into the log file:

With this in mind, we can exploit this to achieve RCE. Let's use the VRFY command:

Now, reading the /var/log/syslog via the LFI vulnerability, we are able to view the output of our command that will be executed on the vulnerable machine. With that, we have a gained a web shell. The output can be viewed with the command:

The following command allows us to read the last 20 lines of the log file. Remember to replace <command> with the actual command, and set the PHPSESSID.

We can now replace the command to look around the directory and view the contents of the text file to retrieve our final flag!

hashtag
2. SSH (port 22) ~ /var/log/auth.log

Username

I attempted to send a payload via the username field to SSH:

However, the SSH client does not allow special characters in the username.

Identification string

I explored another method to poison the logs via the identification string:

This method works.

hashtag
Interesting discovery

With the img payload value of # (/profile.php?img=#), we are presented with a status 400 response:

Even though this does not allow for any direct exploits, it tells us the hostname: mail.filepath.lab.

PreviousApache web server (port 50000)NextFurther learning

Last updated