Academy Skills Assessment - LFI help

edited March 9 in Other

Hello, guys.

I would really love a help on Skills Assessment - File Inclusion/Directory Traversal academy exercise.

I have tried almost every technique, but nothing seems to be working for me, so I can not find the exact technique needed for the vulnerability, so I can access root.

Any help? Thanks

Tagged:
«1

Comments

  • Hi Jotunr,
    did you pay attention to the page when doing your test? I think you could do the tests again carefully to have an idea of how the website has been designed for the purpose of LFI.
    try "Source Code Disclosure via PHP Wrappers" we learned in the course and maybe you will find some interesting things ...

  • @jotunr did you make it to the other end of this one? just a bit hung up on it as well...

    @KptnKmer in your reference to the the tools for fuzzing or the wrappers themselves? ive looked at the source for the index.php and i cant see anything that stands out. is there another hint you may be able to drop?

  • edited January 4
    Type your comment> @KptnKmer said:
    > Hi Jotunr,
    > did you pay attention to the page when doing your test? I think you could do the tests again carefully to have an idea of how the website has been designed for the purpose of LFI.
    > try "Source Code Disclosure via PHP Wrappers" we learned in the course and maybe you will find some interesting things ...


    I got the index.php source, its send you to different pages depending on parameter value and if value is acceptable its appending .php, how can we bypass since its php5.5+ we cant use null byte. Stuck here.

    Any help would be appreciated
  • The same problem...

  • look at the source code carefully, maybe line by line, you could find other way out

  • Type your comment> @KptnKmer said:

    Hi Jotunr,
    did you pay attention to the page when doing your test? I think you could do the tests again carefully to have an idea of how the website has been designed for the purpose of LFI.
    try "Source Code Disclosure via PHP Wrappers" we learned in the course and maybe you will find some interesting things ...

    Hi @KptnKmer, thank you for your comment. I followed this instruction and solved the question in a shot.
    For those who still looking for solution, pay more attention at index.php file and you guys will find something interesting.

  • I'm struggling here too

  • Hi folks,

    struggling here too. I got the source code from index.php with the last few lines showing the php-code. I realize that entering some not allowed inputs redirects you to the error page. Also found the admin-panel but it seems useless (isn't it?).

    But i can't figure out how to make my way to the root (/) directory. Any further clue that doesn't directly solve this thing?

    Thx

  • @3xpl0r3r said:

    Hi folks,

    struggling here too. I got the source code from index.php with the last few lines showing the php-code. I realize that entering some not allowed inputs redirects you to the error page.

    This might not help you here.

    Also found the admin-panel but it seems useless (isn't it?).

    It is useful.

    But i can't figure out how to make my way to the root (/) directory. Any further clue that doesn't directly solve this thing?

    Look carefully at what is sent when various things take place. If you tamper with something, does it change what the thing can do?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    It is useful.

    Good hint! Thought that would be a trap!

    Look carefully at what is sent when various things take place. If you tamper with something, does it change what the thing can do?

    I tried different php-wrappers (obviously wrong) an got nothing on the screen :neutral: Still struggle with this thing. Could you give some further "intial" kickstart?

    Nevertheless thanks so far!

  • Type your comment> @3xpl0r3r said:

    @TazWake said:

    It is useful.

    Good hint! Thought that would be a trap!

    Look carefully at what is sent when various things take place. If you tamper with something, does it change what the thing can do?

    I tried different php-wrappers (obviously wrong) an got nothing on the screen :neutral: Still struggle with this thing. Could you give some further "intial" kickstart?

    Nevertheless thanks so far!

    My mistake - I thought this was a question about the HTB Box Academy, not the Academy LFI.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Can anyone PM with help on this? I think I have a few ideas but dont want to spoil.

  • Is "Source Code Disclosure via PHP Wrappers" in a different module as I can't find any reference to this within the different sections?

  • Sorry that's not true, I've found it couldn't see the wood for the trees!

  • edited March 5

    Hi folks!
    I'm struggling here. I'm stuck in the index.php page and I tried many PHP Wrappers but got nothing on the screen.
    Any hint?

    Thanks!

    EDIT: I wasn't thinking out of the box! Done :smile:

  • edited March 7

    Hello everyone,
    I have been staring at the screen for days trying to figure this out. I have have successfully located the admin panel. But I cant figure out how to get to root. Someone help me please my brain is hurting.

    Update: just finished. that was lit!

  • edited March 8

    @thenevvin can u plz give me a hint
    2 days...still at index.php page tried bruteforce to discover content but nothing found

  • @haCkdoT said:

    @thenevvin can u plz give me a hint
    2 days...still at index.php page tried bruteforce to discover content but nothing found

    Look closely at what happens when you create an account. Tamper with it on a new account and see what changes.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Why is there such an uninformative discussion here? It all comes down to "I've solved it" or " look carefully." I look carefully for the second day, tried everything I could from the training section and did not get any result. What should I pay attention to?

  • @Wiiz4Rd said:

    Why is there such an uninformative discussion here? It all comes down to "I've solved it" or " look carefully."

    Largely because everything else gets flagged as spoiler and deleted.

    I look carefully for the second day, tried everything I could from the training section and did not get any result. What should I pay attention to?

    When you make a request to create a new user account, look at everything that is sent. Dont just click submit and let it happen. Intercept and inspect it. When you've done this and think you understand all the things sent, one will be an obvious candidate to be tampered.

    Tamper with it and see what happens to the account you create.

    Its important to note, it only works on a new account creation, once the account exists, you've missed your chance.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • edited March 9

    TazWake, thank you for paying attention to my efforts.

    @TazWake said:

    Tamper with it and see what happens to the account you create.

    Its important to note, it only works on a new account creation, once the account exists, you've missed your chance.

    I can't find the account creation form on the site under investigation.
    The source code of the main page showed me 3 possible arguments for index.php. Attempts to use different arguments for 'index.php?page=' failed.

    ffuf does not let you know what other directories or pages there are.

    js/main.js didn't say anything either. Deobfuscation of other scripts, too.

    The form for sending messages from the contacts section didn't help.

    The only result I could get was a message about incorrect input when I used the page= arguments of the form in all sorts of ways ..//

    Which direction should I go next? Maybe I'm not using some application or script that isn't mentioned in the tutorial section?

  • @Wiiz4Rd said:

    Which direction should I go next? Maybe I'm not using some application or script that isn't mentioned in the tutorial section?

    I have a massive apology here. I am an a$$hole and got confused what this was about.

    I am so sorry for leading you astray. I thought it was for Academy.htb not one of the sections on the Academy. I misread the entire thread.

    I will look to see if I can find a way to be more helpful now.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • edited March 9

    Annoyingly, its the second time Ive done this mistake... This time round I changed the thread title to try and stop myself doing it a third time.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Questions for this part of the Academy are spread across a few threads, is this any help:
    https://forum.hackthebox.eu/discussion/4447/lfi-directory-traversal-final-assessment-academy#latest

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • It still doesn't work. I understand that the server is nginx and not Apache, I fix the file paths, but I can't get anything. Neither using the User-Agent, nor any wrappers.

    What else do I need to know besides what the academy has given me in this section?

  • In theory, nothing. It should all be in the section on Academy.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • DOne!!!!!!!!!

  • Greetings, today I have started this test and I am stagnant; I have tried all the techniques that were developed in the module including those of wrapper and obfuscation of html code but apparently this has mechanisms that do not allow it.

    What I see is that they indicate to focus first on the index file but here I have a doubt they refer to the index of the main page which is a php extension and I download it with wget but when checking only in the final part, js files appear. Can someone give me any clues that I can follow.

  • edited March 21

    @thenevvin said:
    Hello everyone,
    I have been staring at the screen for days trying to figure this out. I have have successfully located the admin panel. But I cant figure out how to get to root. Someone help me please my brain is hurting.

    Update: just finished. that was lit!

    hmmm I'm also now at the admin panel and I think I have tried all the rce methods listed in the tutorial but nothing seems to be working?

    I couldn't find cookies for the webpage so that rules out the session files method, and I have tried the expect wrapper, data wrapper, rfi with python http server, and none of which seems to work.

    I'm completely new to penetration testing. Could someone gimme a hint or sth? I'm stuck at getting rce for the last stage.

    btw basic LFI seems to work in the admin panel, but I believe it's of no use?

  • Type your comment> @dragonwarrior said:

    @thenevvin said:
    Hello everyone,
    I have been staring at the screen for days trying to figure this out. I have have successfully located the admin panel. But I cant figure out how to get to root. Someone help me please my brain is hurting.

    Update: just finished. that was lit!

    hmmm I'm also now at the admin panel and I think I have tried all the rce methods listed in the tutorial but nothing seems to be working?

    I couldn't find cookies for the webpage so that rules out the session files method, and I have tried the expect wrapper, data wrapper, rfi with python http server, and none of which seems to work.

    I'm completely new to penetration testing. Could someone gimme a hint or sth? I'm stuck at getting rce for the last stage.

    btw basic LFI seems to work in the admin panel, but I believe it's of no use?

    Admin panel is needed to complete the lab. Read the "LFI to RCE" part entirely, there is a specific section that will help you get RCE.

    PD: Apache is not the only software for server applications.

Sign In to comment.