Wednesday, June 24, 2020

[Root-Me] Local File Inclusion - Wrappers write up!



Hello everyone.
Today I come back to the Root-Me Web Server challenges. This time the challenge is at medium level. Let's get started!

 

The challenge gives us a mechanism to upload an image file (JPG only) from the PC. I decided to test this function.


 

So, after we upload an image, two params appear.

Because it's about an LFI vuln, I try fuzzing the param page:


DingDoong, the filter is activated. Forget it, let's focus on PHP wrappers.

A wrapper is additional code which tells the stream how to handle specific protocols/encodings. For example, the http wrapper knows how to translate a URL into an HTTP/1.0 request for a file on a remote server.
Okay, in my opinion, this stuff will help us access a file on a remote server in some way (read, write, etc.). There are many wrappers, and each of them serves a different purpose.


PHP Expect Wrapper
PHP expect:// allows execution of system commands, unfortunately the expect PHP module is not enabled by default. Example:
php?page=expect://ls

PHP php://filter
php://filter allows a pen tester to include local files and base64 encodes the output. Therefore, any base64 output will need to be decoded to reveal the contents.
php?page=php://filter/convert.base64-encode/resource=/etc/passwd

LFI via /proc/self/environ
If it’s possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User Agent header is a possible vector. Once code has been injected into the User Agent header a local file inclusion vulnerability can be leveraged to execute /proc/self/environ and reload the environment variables, executing your reverse shell.

Email a Reverse Shell 
If the target machine relays mail either directly or via another machine on the network and stores mail for the user www-data (or the apache user) on the system, then it's possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed, it's possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache, such as www-data, to ensure file system permissions will allow read access to the file /var/spool/mail/www-data containing the injected PHP reverse shell code.

After spending my time googling, I found a way to combine everything in this chall:

File upload + LFI vulnerability + PHP Wrapper => Use zip:// wrapper !

 

Following the trick above, I build a normal piece of PHP code that echoes my name, ZIP it, rename it to bypass the upload image filter, and use ZAP proxy to send it to the server:

<?php
echo "4rth4s is here!!!!";
?>

 


Successful!
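
A defender-side check for the upload half of this chain, as an added example that is not part of the original write-up or the challenge's code: it rejects a file whose name says JPG but whose bytes are readable as a ZIP. The function names, messages and sample bytes are assumptions made for illustration.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker


def inspect_upload(filename: str, data: bytes) -> list:
    """Return the reasons to reject an upload that claims to be a JPG.

    An empty list means every check passed.
    """
    reasons = []
    if not filename.lower().endswith((".jpg", ".jpeg")):
        reasons.append("extension is not .jpg/.jpeg")
    if not data.startswith(JPEG_SOI):
        reasons.append("content does not start with a JPEG marker")
    # ZIP readers find the archive through a record at the END of the file,
    # so a leading JPEG marker alone does not rule out an archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        reasons.append("content is readable as a ZIP archive")
    return reasons


def constructed_zip() -> bytes:
    """Build a small in-memory ZIP holding harmless text (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue()


# Constructed samples: marker bytes only, not a decodable image.
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_ZIP = constructed_zip()

if __name__ == "__main__":
    cases = {
        "plain.jpg": SAMPLE_JPEG,                   # passes every check
        "renamed.jpg": SAMPLE_ZIP,                  # ZIP renamed to .jpg
        "appended.jpg": SAMPLE_JPEG + SAMPLE_ZIP,   # JPEG marker, ZIP at the end
    }
    for name, blob in cases.items():
        print(name, inspect_upload(name, blob) or "accepted")
```

Content checks like this are a second layer; the include itself should map the page parameter to a fixed allowlist of files so that no wrapper scheme ever reaches it.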

So, the goal is to read the flag somewhere. Check the source code!


Nothing useful here. After being stuck for 5-10 minutes, I decide to locate the current directory.

<?php
$path = getcwd();
$items = scandir($path);

echo "<p>Content of $path</p>";
echo '<ul>';
foreach ($items as $item) {
    echo '<li>' . $item . '</li>';
}
echo '</ul>';
?> 

We got flag.php. So let's read it and submit the flag for 40 points!

Happy Hacking!



















