
A very ...very basic LFI vulnerability (THM)


This is my first formal write-up, just under two weeks into starting my OSCP journey. Even though this is a basic challenge, more basic than what is presented in the OSCP material, it is still great experience in documenting what I am doing and my thought process. There is more to come, stay tuned!

A beginner level LFI challenge

Approx. 10 mins to complete


Let's start with an Nmap scan to see what services are running on the system:

  - nmap -T4 -A -p- 10.10.136.66

From the output of our scan we can see that the host is running both SSH and a web server. Since we know this challenge is focused on LFI, we will check the web server first.

Navigating around the site, we immediately notice the likely LFI vulnerability: the URL takes a file name as input, and in this case the file parameter is set to 'lfiattack'.

The web app reads the file parameter from the request query string, passes that value to an include statement, and will execute whatever code is in the file it includes.

I could not find anywhere to upload a file to be used in my LFI attack, so I decided to try a directory traversal attack instead:
- 10.10.136.66/article?name=/../../../../etc/passwd
As we can see, this vulnerability allows us to read the contents of the /etc/passwd file.

- If we take a closer look, we can see there is something in the file we can use. However, I will leave that up to you to have a look.
The credentials XXXXXXX (redacted following THM guidelines).

Thinking about where we could possibly use these credentials, we take a look back at our Nmap scan to see what other services are running, and remember that SSH is also running on the machine.

Using the credentials we found to log into the system works.


Now we can try some basic manual system and user enumeration. The first command we try, sudo -l, shows us that we can run socat as root without a password.


I then headed over to GTFOBins to see if there were any commands that would allow me to exploit this and spawn a shell as root.
Fortunately there was one: sudo socat stdin exec:/bin/sh spawns a basic shell as root.

Lastly, we can hunt for the user.txt and root.txt files with:
- find / -name root.txt 2> /dev/null
- find / -name user.txt 2> /dev/null

To have a go at this room yourself, visit TryHackMe.


What is an LFI vulnerability?

I know I went over this challenge very quickly and skipped a few vital steps, but the purpose of this challenge was to exploit an LFI vulnerability. So what actually is an LFI attack?

Let's take a look at some source code that is vulnerable to an LFI attack:

<?php
// Deliberately vulnerable: the file name comes straight from the query string...
$file = $_GET['file'];
// ...and is concatenated into include() with no validation at all
include('directory/' . $file);

We notice that we are able to specify which file gets included on the server, because the input is not sanitised. If we were able to upload a PHP file to the server, we could specify that file with the following:

http://example.com/?file=evilshell.php

This would execute the file, and if we had uploaded a PHP reverse shell, we would be able to connect back to our attack machine.

If we do not have a way to upload a file of our own to the server, as in this example, we can try a directory traversal attack to display the contents of existing files on the server. If it is a Unix server we could try the following to read the contents of the /etc/passwd file:

http://example.com/?file=/../../../etc/passwd
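To make the two ideas above concrete, here is an added example (my own illustration, not code from the challenge) that models the vulnerable include('directory/' . $file) concatenation next to a hardened lookup, and a small helper a defender can run over raw query-string values from an access log. The web root /var/www/html/directory, the allowlist and the .php suffix are assumptions for the example.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the example: the directory the PHP snippet prepends.
BASE_DIR = "/var/www/html/directory"
# Assumed allowlist of article names the application legitimately serves.
ALLOWED_ARTICLES = {"lfiattack", "index"}


def vulnerable_include_path(user_file: str) -> str:
    """Mirror include('directory/' . $file): plain string concatenation,
    followed by the path normalisation the OS applies when the file is opened.
    Enough '..' segments walk right out of BASE_DIR."""
    return posixpath.normpath(BASE_DIR + "/" + user_file)


def safe_include_path(user_file: str) -> Optional[str]:
    """Hardened lookup: accept only a bare identifier, require it to be a
    known article, build the path ourselves, and still verify containment."""
    # 1. Reject anything that is not a short bare name (no '/', '.', NUL, etc.)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", user_file):
        return None
    # 2. The name must be one the application actually knows about
    if user_file not in ALLOWED_ARTICLES:
        return None
    # 3. Defence in depth: the canonical path must stay inside BASE_DIR
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_file + ".php"))
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def traversal_attempt(raw_query_value: str) -> bool:
    """Detection helper for log review: URL-decode the raw parameter value
    (as the web server would) and flag it if the canonical path it produces
    escapes BASE_DIR, however many '../' segments it contains."""
    decoded = unquote(raw_query_value)
    return not vulnerable_include_path(decoded).startswith(BASE_DIR + "/")
```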

