File Inclusion:
Link to challenge: https://academy.hackthebox.com/module/23
(log in required)
Class: Tier 0 | Medium | Offensive
File Disclosure
Local File Inclusion (LFI):
Question: Using the file inclusion find the name of a user on the system that starts with "b".
Answer: barry
Method: let's open the website using the target IP and target port provided for us:
Let's open the language tab:
There are 2 languages; let's select one of them arbitrarily:
The file name ‘en.php’ appears in the URL, indicating that the website retrieves the English content from a file called ‘en.php’ located on the web server machine; we can assume the Spanish page is retrieved in a similar manner.
Those files are retrieved relative to the directory the server is operating in, so let's try a relative path to reach the file where the usernames are listed, ‘/etc/passwd’ (an absolute path won't work here):
http://:/index.php?language=../../../../etc/passwd
*The reason we need 4 ‘../’ is that a default Linux web server (Apache in this case, which we can determine by looking at the HTTP response headers) operates in ‘/var/www/html’, and the ‘languages’ directory inside it is where the language content is stored, so four steps up reach ‘/’.
Finding the right number of ‘../’ with relative paths often takes trial and error; here it is 4.*
The content of /etc/passwd appears in the history paragraph; let's scroll down a bit:
Question: Submit the contents of the flag.txt file located in the /usr/share/flags directory.
Answer: HTB{n3v3r_tru$t_u$3r_!nput}
Method: we will use the same principle as in the last question:
http://:/index.php?language=../../../../usr/share/flags/flag.txt
Basic Bypasses:
Question: The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
Answer: HTB{64$!c_f!lt3r$_w0nt_$t0p_lf!}
Method: the target website in this question has simple URL defenses:
a. It expects the path to begin with ‘languages/’.
b. It does a simple truncation of ‘../’, meaning the server side removes every occurrence of that string in a single pass.
So bypassing them is simple: for rule a we begin the path with ‘languages/’, and for rule b we write ‘....//’ instead of ‘../’. The server side truncates the ‘../’ from the middle of ‘....//’, leaving ‘../’, which is what we need; we repeat that 4 times to reach the base directory ‘/’:
http://:/index.php?language=languages/....//....//....//....//flag.txt
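As an added example that is not part of the HTB module or this write-up, here is a Python model of the filter logic described above, beside the containment check a defender would log on and the allow-list fix that removes the bug; it assumes the include base is /var/www/html and that the filter is a single-pass string removal.

```python
import posixpath

# Constructed layout from the write-up: Apache's document root and its languages/ folder.
WEB_ROOT = "/var/www/html"
LANG_DIR = posixpath.join(WEB_ROOT, "languages")


def weak_filter(user_path: str) -> str:
    """Model of the two filters described above (assumed implementation):
    the value must start with 'languages/' and every '../' is removed in a
    single, non-recursive pass. That single pass is the flaw."""
    if not user_path.startswith("languages/"):
        raise ValueError("path must start with languages/")
    return user_path.replace("../", "")  # '....//' collapses to '../'


def resolve(relative: str) -> str:
    """Resolve a path the way include() would, relative to WEB_ROOT,
    collapsing any '../' segments that survived filtering."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, relative))


def escapes_language_dir(resolved: str) -> bool:
    """Containment check a defender can alert on or block: True when the
    resolved path lies outside the directory the language files live in."""
    return not (resolved == LANG_DIR or resolved.startswith(LANG_DIR + "/"))


def hardened_select(language: str, allowed=("en", "es")) -> str:
    """Mitigation: never build a path from user input. Map a short token to
    a fixed file name from an allow-list and reject everything else."""
    if language not in allowed:
        raise ValueError("unknown language")
    return posixpath.join(LANG_DIR, language + ".php")


if __name__ == "__main__":
    # Question 1 style input: no filter, four '../' from languages/ reach '/'.
    print(resolve(posixpath.join("languages", "../../../../etc/passwd")))
    # Question 3 style input: the single-pass strip leaves '../' behind.
    stripped = weak_filter("languages/....//....//....//....//flag.txt")
    print(stripped, "->", resolve(stripped), escapes_language_dir(resolve(stripped)))
    print(hardened_select("en"))
```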