Academy Skills Assessment - LFI help

It still doesn’t work. I understand that the server is nginx and not Apache, I fix the file paths, but I can’t get anything. Neither using the User-Agent, nor any wrappers.

What else do I need to know besides what the academy has given me in this section?

In theory, nothing. It should all be in the section on Academy.

Done!!!

Greetings, today I have started this test and I am stagnant; I have tried all the techniques that were developed in the module including those of wrapper and obfuscation of html code but apparently this has mechanisms that do not allow it.

What I see is that they indicate to focus first on the index file, but here I have a doubt: they refer to the index of the main page, which is a php extension, and I download it with wget, but when checking, only in the final part, js files appear. Can someone give me any clues that I can follow?

@thenevvin said:
Hello everyone,
I have been staring at the screen for days trying to figure this out. I have successfully located the admin panel. But I can't figure out how to get to root. Someone help me please, my brain is hurting.

Update: just finished. that was lit!

hmmm I’m also now at the admin panel and I think I have tried all the rce methods listed in the tutorial but nothing seems to be working?

I couldn’t find cookies for the webpage so that rules out the session files method, and I have tried the expect wrapper, data wrapper, rfi with python http server, and none of which seems to work.

I’m completely new to penetration testing. Could someone gimme a hint or sth? I’m stuck at getting rce for the last stage.

#btw basic LFI seems to work in the admin panel, but I believe it’s of no use?

Admin panel is needed to complete the lab. Read the “LFI to RCE” part entirely, there is a specific section that will help you get RCE.

P.S.: Apache is not the only software for server applications.


Thxxx I see what u mean by the last sentence. I should’ve read the title twice.

Finally solved this task.

Steps to complete this task

Read source code

Take the new LFI to an RCE

Read the “flag”

If you need any help you can pm me.

Skills Assessment - File Inclusion/Directory Traversal
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.

Guys, I'm stuck on this. Can anyone help me, please?

@lordangelus
Hello!

I wanted to ask some questions concerning this assessment, if it's alright with you:

  1. When you say: “read the source code”, is this simply by right-clicking on the webpage and selecting “view source” (or using cURL on the url) ?

  2. And then after obtaining the source code, I wanted to confirm, I should then be finding a hint which suggests where the LFI is?

  3. Finally, there is talk of an admin panel somewhere - I have attempted to use dirsearch, but this did not show any “admin.php” panel hiding anywhere… Any suggestions here?

Thank you :)

Reading the source code is reading the index.php file. If you simply right click and select source code, it will only show you the html code. Check out the php wrappers section to figure that out. Once you find the clue, you can read the source code of the next level and find out that there is a vulnerability there that wasn’t in the home page. Check out the LFI to RCE section.

1 Like
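
Seen from the defender's side, the techniques named in this thread (stream wrappers, remote inclusion, directory traversal, code placed in the User-Agent header) leave recognisable traces in an nginx access log. The scanner below is an added example and not part of any post; the `page` parameter, paths, addresses and log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One rule per technique family mentioned in the thread.
URI_RULES = {
    "stream_wrapper": re.compile(r"(?:php|data|expect)://", re.I),
    "remote_include": re.compile(r"=\s*(?:https?|ftp)://", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}
UA_RULES = {"code_in_user_agent": re.compile(r"<\?(?:php|=)?", re.I)}

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is still matched."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client_ip, sorted rule names) for every line that trips a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        uri = fully_decode(m["uri"])
        hits = {name for name, rx in URI_RULES.items() if rx.search(uri)}
        hits |= {name for name, rx in UA_RULES.items() if rx.search(m["ua"])}
        if hits:
            findings.append((m["ip"], sorted(hits)))
    return findings

def _line(ip, uri, ua="Mozilla/5.0"):
    # Helper that builds a constructed combined-format log line.
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "GET {uri} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample lines (documentation address ranges, hypothetical parameter).
SAMPLE = [
    _line("203.0.113.5", "/index.php?page=about"),
    _line("203.0.113.9", "/index.php?page=data%3A%2F%2Ftext%2Fplain%2CCONSTRUCTED"),
    _line("203.0.113.10", "/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd"),
    _line("203.0.113.11", "/index.php?page=http%3A%2F%2F198.51.100.7%2Fx.txt"),
    _line("203.0.113.12", "/index.php?page=about", "<?php /* constructed */ ?>"),
]
```

Running `scan` against the real access log on a schedule gives an early signal that an inclusion parameter is being probed; a hit on `code_in_user_agent` is worth escalating when the same client later requests a log path through that parameter.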

Thanks! I'm now attempting the wrappers, but without success.

I shall keep attempting ^.^

Solved!

I got the LFI and then the RCE . Where should I look for the flag of the question “Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”?

Can someone give me a tip? I’ve got RCE and I’ve found the name of the flag file in the root directory but I’m struggling to read the contents of the file. I’ve tried using printf and echo but both don’t output anything.

The essential issue with this - and a lot of other tests on HTB Academy - is that you think the test wants to quiz you on the stuff you’ve learned during this module - however that is incorrect! What it actually wants to do is test your general abilities after incorporating the skills learnt in this module; hence why it’s very easy to get stuck in the middle of this test after you’ve LFI’d but before you’ve RCE’d since you’re stuck on trying to solve the “wrong problem” as a result of having failed to analyze the information you’ve received properly

I found the admin panel, found the lfi path & managed to rce. My problem is I can’t navigate in the root folder to find the flag. Any suggestions?

I read the source code but I can’t get how I can include local file. Any hints?

You have to read the php file, note the html code you can see if you inspect (or ctrl+u) the page. In the source code there is something you can use for lfi.

Finally solved it. Thank you all for your guidance and hints.