LFI
Found 5 related articles
Back to Tags- 2025-02-19
Instant - APK Decompilation, LFI via Swagger API, and Solar-PuTTY Backup Decryption
Technical writeup detailing the compromise of the Instant machine. Initial foothold is achieved through static analysis of a downloadable APK file, revealing subdomains and a hardcoded API key. This key is used to exploit a Local File Inclusion (LFI) vulnerability within the authenticated Swagger API (via the logs reading function), leading to SSH key exfiltration and user access. Privilege escalation is achieved by locating, transferring, and decrypting an encrypted Solar-PuTTY sessions backup file, which yields the root password.
- 2024-11-27
Alert - XSS to LFI, Hash Cracking, and Group Write Privilege Escalation
Technical writeup detailing the compromise of the Alert Linux machine. Initial access is gained by chaining a Stored XSS vulnerability in the Markdown viewer to a Local File Inclusion (LFI) vulnerability in an internal /messages endpoint. LFI is used to exfiltrate an Apache MD5 hash from the .htpasswd file, which is then cracked via Hashcat to obtain SSH credentials for the 'albert' user. Privilege escalation is achieved by identifying a high-privileged PHP process running as root in a directory with group write permissions (management), which the 'albert' user belongs to. The configuration.php file is modified to set the SUID bit on /bin/bash, granting a root shell.
- 2024-11-23
Responder - LFI/RFI Chain to NTLMv2 Hash Capture and WinRM Access
Technical writeup detailing the initial compromise of the Responder machine. The attack chain involves exploiting a Local File Inclusion (LFI) vulnerability in a PHP application, escalating it to an RFI-style attack by injecting a UNC path to force an SMB authentication attempt. The resulting NTLMv2 hash is captured using the Responder tool, cracked with Hashcat, and used to gain full remote access via Evil-WinRM on port 5985.
- 2024-10-21
Chemistry - Pymatgen RCE (CVE-2024-23346), SSH Port Forwarding, and aiohttp LFI (CVE-2024-23334)
Technical writeup detailing the compromise of the Chemistry machine. Initial access (RCE) is gained by exploiting CVE-2024-23346, an arbitrary code execution vulnerability in the pymatgen library via a malicious .CIF file upload, leading to a low-privileged shell. Privilege escalation is achieved by locating hidden credentials in a SQLite database, gaining SSH access, and then using SSH Port Forwarding to access an internal web service. The final step involves exploiting CVE-2024-23334, a critical path traversal vulnerability in aiohttp/3.9.1, to perform Local File Inclusion (LFI) and read the /etc/shadow file for root access.
- 2024-10-20
TwoMillion - API Enumeration, Information Disclosure, and Kernel Privilege Escalation (CVE-2023-0386)
Technical writeup detailing the compromise of the TwoMillion machine. Initial access involves decoding ROT13-encrypted data from JavaScript to find an API endpoint, followed by manipulating API parameters to gain administrator privileges via Insecure Direct Object Reference (IDOR), leading to a reverse shell injection. Local Privilege Escalation is achieved by disclosing plaintext credentials from a '.env' file for SSH access, and finally, exploiting the unpatched Linux Kernel vulnerability, CVE-2023-0386 (OverlayFS/FUSE), to gain root privileges.