WebLFIRCE +300 points


Extortion

When we load the web page we see an f parameter in the URL. Its value looks like the name of a page that is being included.
Seeing this, I immediately thought of Local File Inclusion (LFI), where you include files other than the intended PHP pages in order to read their contents.
If we try to include the /etc/passwd file, for example, like this:

http://188.166.145.178:30640/?f=../../../../../etc/passwd

We can see that it loaded the file correctly. Now for the question: where is the flag?
I tried a cool trick I found to escalate my LFI to Remote Code Execution (RCE).
In PHP, every session is stored as a file on the server; that is how it knows which session holds which data. In these files the session variables are stored in plain text. We can abuse this by creating a session that contains our input, which writes a file on the server holding our malicious input, and then including that file through the LFI so that the server executes it as PHP code.
If you look around the challenge you will find a page (send.php) where we can set our session token to whatever we want. We will include this input later, so I put a PHP shell payload in the value:

PHP

<?php system($_GET['cmd']) ?>

Then we need to include the file we just created. For this we only need the session token, which is displayed in our cookie. Mine was e210ea894fb04948364a8384ca7e4d8b.
The file is then located in something like /tmp/sess_e210ea894fb04948364a8384ca7e4d8b, where the suffix is your own token.
Now it has included our PHP shell and we can easily control the GET variable we made, so we add &cmd=ls to our URL. In the output we see a flag.txt. It's pretty obvious that we need to read that, so we use &cmd=cat flag.txt to finally read the flag and submit it to the event.
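As an added example (not the challenge's own code), here is the include pattern that makes both steps of this writeup possible, beside a hardened version that only serves pages from a fixed allowlist, so neither a traversal to /etc/passwd nor a path to a session file in /tmp ever reaches include(). The page names and file paths in the allowlist are assumptions.

```php
<?php
// Vulnerable form: the request value is used as the include path unchanged,
// so "../../../../../etc/passwd" reads the file and "/tmp/sess_<token>"
// executes whatever the session file contains.
function vulnerable_include(string $f): void
{
    include $f; // attacker controls the whole path
}

// Hardened form: map the request value to a fixed set of page files.
// The lookup is an exact key match, so traversal sequences, absolute paths
// and session files can never resolve to a path; nothing is concatenated.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',    // assumed page files
    'send'    => __DIR__ . '/pages/send.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $f): ?string
{
    return PAGES[$f] ?? null;
}

function safe_include(string $f): void
{
    $path = resolve_page($f);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed inputs: the first is served, the other two are rejected.
$probes = [
    'home',
    '../../../../../etc/passwd',
    '/tmp/sess_e210ea894fb04948364a8384ca7e4d8b',
];
foreach ($probes as $f) {
    printf("%-45s -> %s\n", $f, resolve_page($f) ?? 'rejected');
}

safe_include($_GET['f'] ?? 'home');
```

With the allowlist in place the session-poisoning step still writes the payload into the session file, but there is no include path left that can execute it.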