File Inclusion Demo

00:01

So here we are on D V W A here's an apple Isar. So I know it's a boon to which means it's Lennox, which means if I look for the etc. Password file, it will work. I'm looking for a windows file. It won't work because this is not a Windows box. Also we're looking at PHP and we're on Apache 2.2 point eight.

00:19

And I also know the version of PHP here.

00:23

So I can see this page parameter is including this include PHP

00:29

file. Now

00:31

with Delphi the dot dot slash matters because if I do this and it says etc, password,

00:38

this might not work. So it really depends how far I go back. So you can just keep doing this manually

00:44

again, this might take a long time depending on how far back we go and how

00:49

how the PHP has written.

00:52

But here we go.

00:53

So now we see the etc. Password file. So I'll view source and see how much nicer that is than um in the slide.

01:02

So I'm looking for

01:03

the users, I see MSF admin

01:07

and because I know how uh Lennox is structured and I'm looking at the MSF admin user

01:14

but I'm gonna attack on at the end here

01:18

sort of etc. Password

01:23

is home MSF admin, which is that user 1000

01:27

dot S S H I D R esa.

01:30

If they have their chemists configured, I should be able to read it

01:36

and I can see here that it is mis configured

01:38

and I am I am able to view it. So now what do you do?

01:42

So again, I view Source, I grabbed this key

01:47

and what I'm gonna do

01:49

is that I'm going to make my own key. MSF admin,

01:53

I'm going to paste that private key information into here.

01:57

Going to exit out of this. And you have to charm a this to you can do 400

02:05

or 600.

02:07

Yeah.

02:07

And now what I should be able to do is ssh.

02:10

Mhm.

02:12

MSF admin. And then give it on that boxes. MSF admin, which I did. So

02:17

now I'm on the box because I use elephant to grab the ssh key.

02:23

That's great.

02:24

So let's exit out of here

02:27

and let me show you what happens with our if I remote file inclusion. Now

02:30

Remember I need to be able to see if it can reach out to my server. So NLVP 4444

02:38

and I'll go back and I'm going to change this

02:43

To my server. HDP 19216812- 8.4444.

02:53

And I see here that the connection was received, it's not looking for any file in particular so I can name my file whatever I want to.

03:00

I'm going to kill the connection here.

03:04

And what I'm gonna do is I'm going to create that shell dot txt file

03:08

with MSF venom.

03:12

Now you'll notice the payloads, PHP interpreter, reverse TCP with my host as well as the L host and my L port is 4444

03:22

And we're gonna make this into this TxT file.

03:24

Like I said sometimes when you make it a PHP file, it will execute on your own server. And you're like, oh, this looks awfully familiar. Well that's because it's your own server.

03:34

So the other thing to do is we want to set up uh met despite.

03:40

So you know, I like to execute things directly from the terminal here

03:46

before actually loading municipal the municipal a framework

03:52

so I should have everything set up and ready to go.

04:03

So what I'll do now is I need to set up a server on my own machine.

04:10

So I'm gonna use python three

04:12

an http server.

04:15

And

04:17

I'm going to

04:23

change this now.

04:28

Two. HDP

04:30

1921681228

04:33

8000. Because that's where our servers running on 48,000

04:38

and shell dot txt.

04:43

All right. That's on 48,000. That's why I chose that. And you can see that interpreter session is opened.

04:49

Mhm.

04:50

And I see there it is. So, if I interact with it, session one Sys info.

04:57

I see I'm on my display table here.

04:59

So that's how to leverage both. L if I to find valuable information in this case an ssh key where we can ssh onto this machine

05:08

or r. F. I where we can host our own file and have the server reach out and execute our shell so that now we're on the box here.