Exploitation

I started playing with the "page" parameter of the website and used LFISuite to try different file paths to see whether it was actually vulnerable to Local File Inclusion.

As you can see I was able to read read the access logs for the webserver. These probably all my requests going out lol.

My favorite tool to use for Local File Inclusion is kadimus. The tool kadimus performs different checks to test whether the application is vulnerable to different RCE methods.

The application is vulnerable to php://input Remote Code Execution.

To test this out I will make the application output something random.

I made the machine output "pwned"

We can take this further to perform arbitrary commands and machinate a reverse shell.

First I wanted to make sure what the arch of the system was in order to generate a reverse shell in MSFVENOM and then download it and execute it on the system.

Started a python web server on port 443.

We see that we were able to download the reverse shell onto the machine, all there was to do is just execute it while my multi handler on Metasploit was listening.

And boom. Reverse shell.