I was recently partaking in the Advent of cyber challenge provided my TryHackMe and I came across a part of day 6's challenge which provided a testing environment for LFI to RCE.
disclaimer: I will not be covering the full challenge just turning the LFI into a RCE by leveraging log poisoning.
Before being able to view the logs I had to leverage LFI with the filter php wrapper to read the contents of index.php which then lead me to a file named creds.php which I also had to read using filter. After reading this file I was provided with credentials to log into the system and this is where our journey begins.
When viewing the log page we can see that we are provided with what information is logged and the format it is logged in
user:ip:USER-Agent:page
paying close attention to the file extension of the url which is log.php let's us know that whatever is happening on this page it is being handled server side by the php code.
Now using the curl utility I am going to make a test request ensure that it is logging my requests.
I used the -a flag to specify a custom user agent
As we can see the log file successfully logged my custom user agent. As user agents are an arbitrary value we can make this whatever we wish.
Now next to test if we are able to execute php code via the user-agent and start our attack chain.
we will start by changing our user-agent to invoke phpinfo
<?php phpinfo()?>
Read more about phpinfo here: php.net/manual/en/function.phpinfo.php
After making this request and checking the log file we can see that the user-agent didn't show up, this is actually a positive sign as it indicates that the phpcode was run/stored and not just reflected back to us in plain text.
We are aware that the log location is ./includes/log/app_access.log if the php code did execute it would be stored here now leveraging our previously known LFI vulnerability we can check this by preforming an LFI for this location.
10.10.95.214/index.php?=err./includes/logs/app_access.log
If you pay attention the URL in the above screenshot you can see the we are exploiting the LFI in "err"
if you are reading this because you are stuck trying to figure out the hostname for this challenge, you can view the hostname as part of phpinfo just follow the above steps.
Now that's great that we have completed the TryHackMe challenge but I want to take a step further and get a shell onto the server.
We know the server can execute php code via user-agent and the host operating system is Linux.