Dogcat CTF | TryHackMe | Local File Inclusion (LFI)

Captions
Hey everybody, my name is Ron and welcome to my walkthrough for the room Dogcat. Now this is another CTF from TryHackMe, and in this video we'll be using tools such as nmap for port scanning and gobuster for directory enumeration. We'll also be exploring local file inclusion, and along with that we'll use Burp Suite to edit the user agent, upload a reverse shell, escape a Docker environment and do some privilege escalation to grab those flags. Now before we get started, go ahead and click that like button and subscribe, and without further ado let's get into it.

Okay, let's go ahead and get started with Dogcat. "I made a website where you can look at pictures of dogs and cats. Exploit a PHP application via local file inclusion and break out of a Docker container." So go ahead and start up that machine, copy the IP address, and looking at the questions we're essentially looking for four different flags. So let's get started. Before I start doing that, let me go ahead and do my scans. Let's go ahead and do our nmap scan, and let's go ahead and do our gobuster scan to see what we can find. So we just have an index.php, and looking back at our nmap it only seems like we have two ports open: 22 for SSH and 80.

Let's look at the website. "Dogcat, a gallery of various dogs or cats. What would you like to see?" A dog, cool, a cat, a dog, a cat. And if you can see here we have a parameter: we have view as the parameter and either dog or cat as the value. And since we know that we're doing local file inclusion, let's go ahead and do some directory traversals. Do this, see what shows up. Okay, let's do an index, see what's here. Okay, it says "cannot redeclare containsStr". I can't read this font in index.php. So one thing we can do here is use a PHP stream wrapper combined with a filter. This technique is often used in web development for various purposes, including embedding binary data within scripts; however, it can be exploited in certain scenarios such as local file inclusion, where an attacker might use this technique to encode and exfiltrate sensitive data from a server. So let's see what this brings out, and here's our base64. Oh, that's a really long string, hold on, let's copy this, echo it into base64 and decode it. The thing that we need to focus on is the ext parameter defaulting to .php if not specified. So this PHP script dynamically includes content based on user input. Now we're going to use ext and try it for some directory traversal. Looking at the code we now know to use the ampersand ext equals as another parameter. So now let's see if we can find that /etc/passwd. Okay, see if we can find it once more, and we have something here. Oh, I still have it in the wp, let me go ahead and remove that. There we go, all we had to do was add this parameter, move back a few directories, and now we can see /etc/passwd.

Now after a bit of research on local file inclusion we'll find out that we need to find the access.log found in /var/log/apache2. This is where we'll be doing some poisoning. Since we know that typically root is here, and /var is usually at the same level as /etc in the tree, we can try it out, and as you can see it logged plenty of events. No, did it freeze again? Oh man, my gobuster is still going, that's why. Go ahead and stop this. So since my gobuster was still going, it was still logging the events taking place. Wow, I just stopped it. Oh man, this is going to slow it down. I think I'm just going to go ahead and start up a new server, because this is too much data and it's definitely going to slow it down.

Okay, now that we have a new machine up and running we can check out that access log without it being so laggy, and here we go. At this point we can try some command execution and inject a reverse shell, so let's go ahead and do that. I'm going to go ahead and start up a Python server, open up Burp Suite, go to Target, enable FoxyProxy on my Firefox browser and refresh this page. Now that we captured the request I'm going to go ahead and send this to Repeater, and in User-Agent we are going to plug in a PHP code snippet. This PHP code snippet is a script that downloads a reverse shell that I created and saves it on the server where the script is executed. So essentially what we're doing here is injecting this PHP code into access.log. I already have the server up and running, I downloaded the reverse shell and plugged in my TryHackMe tunnel, and I will be using port 1234. Now I'm going to send the request and let's see if the shell gets downloaded off my server. Yep, there we go. Now let's turn off FoxyProxy and start a listener, so we'll be using netcat -lnp and the port is 1234, and now we can call the shell. Let's see what happens, let's see if we got a shell. Yep, there we go, we got it. As you can see we're www-data, we're at root.

Now let's grab those flags. Let me go ahead and go to the server directory, which is /var, and let's go ahead and cat that text file, and we found flag number two. Next let's see what is in this html. I wonder if we can cat flag.php. What is that? Okay, that was flag one. Now let's look for flag three. I'm pretty sure it's going to be in /root. Let's sudo -l to see what permissions we have. Okay, so no password if we do env. So one thing we can do is go to GTFOBins, type in env, sudo, and plug in the following command, and we are root. So let's get the last few flags. Let's go ahead and cat that third flag, let's go ahead and cat flag three. There we go: THM, different environments.

Now we have one flag remaining. They did mention that we were in a Docker environment, but after browsing through some of these directories we find something interesting: in the /opt directory we have a backup directory, and in this backup directory we have a script, a backup script. So let's go ahead and take a look at that. Now this pretty much says when executed it will create an archive file named backup.tar in the root container backup directory. Since we are root we can go ahead and abuse this by appending a reverse shell and getting our last flag. So I'm just going to get a regular bash shell, edit the IP and port, let's use 1337 as our port, and append it to the script. One thing I noticed is that the backup.tar appears to be updating every minute. As you can see it's 1:27 here, then it is 1:28, so if we do a netcat -lvnp 1337 at 1:29 we should get a shell and escape the container. And there we go, it's 1:29, we got a shell. Now we can cat that last flag: escalations on escalations on escalations.

Anyways, I hope you guys found this useful. I hope you learned something about local file inclusion. I know this is probably one of the more basic methods of doing this, so go ahead, drop a like, drop a comment and subscribe for more cybersecurity content. Again, thank you guys for watching and see you guys on the next one.
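A defender-side example added here, not code from the video or from the Dogcat room: a small Python scan over Apache combined-format log lines that flags the LFI indicators the walkthrough relies on (directory traversal and the php://filter wrapper in the view parameter, PHP tags planted in the User-Agent for log poisoning, and requests that include a /var/log path). The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/2023:10:01:02 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Nov/2023:10:01:10 +0000] "GET /?view=../../../../etc/passwd HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Nov/2023:10:01:15 +0000] "GET /?view=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Nov/2023:10:01:20 +0000] "GET /?view=dog&ext=.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"
10.0.0.9 - - [30/Nov/2023:10:01:25 +0000] "GET /?view=../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 9000 "-" "curl/8.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is (name, predicate over the URL-decoded path and user agent).
RULES = [
    ("traversal", lambda path, ua: "../" in path or "..\\" in path),
    ("php_wrapper", lambda path, ua: re.search(r"php://(filter|input|data)", path, re.I) is not None),
    ("ua_php_tag", lambda path, ua: "<?php" in ua or "<?=" in ua),
    ("log_include", lambda path, ua: "/var/log/" in path),
]


def analyze_log(text):
    """Return (ip, decoded path, [matched rule names]) for every line hitting a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash on odd lines
        path = unquote(m.group("path"))  # decode %2e%2e%2f-style encoding first
        ua = unquote(m.group("ua"))
        names = [name for name, pred in RULES if pred(path, ua)]
        if names:
            hits.append((m.group("ip"), path, names))
    return hits


if __name__ == "__main__":
    for ip, path, names in analyze_log(SAMPLE_LOG):
        print(f"{ip} {','.join(names)} {path}")
```

Run against the real access.log, the same rules also surface the poisoning step itself, since the PHP tag in the User-Agent is written to the log before it is ever included.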
Info
Channel: RonR1337
Views: 258
Id: MEfFvOWcvkY
Length: 8min 4sec (484 seconds)
Published: Thu Nov 30 2023