Sitemap
Open in app

Sign in

Medium Logo
Write

Sign in

CryptoGen Nepal

CryptoGen Nepal consists of professional team members who are devoted to providing professional-grade cyber security solutions such as IS audit, VAPT, End-Point Threat Analysis, Forensics & Malware Analysis, Incident Response, Server Assessment, and Hardening.

LFI To 10 Servers Pwn

Nirmal Dahal - #Nittam
3 min readNov 26, 2019

--

While testing on a PRIVATE site back on Dec 19, 2017. I found a “commonfunctions.js” in the source code. That “commanfunctions.js” contained a path from where the pdf’s were downloadable. That point was vulnerable to LFI (Local File Inclusion).

Vulnerable endpoints can be also found in JS codes. Analyze source code once before starting pentest.

So using the common LFI techniques i.e “/etc/passwd, ../../../../etc/passwd”. I was able to read the “passwd & shadow” that was on the system ( i know many of you leave testing after this. Please go for more :) ). While looking into it I found that the web application was hosted on “root”. I still did not think that this was as critical as I wanted it to be. Then I started looking into other places, I tried “/var/spool/mail/root”, that contained some email logs with sensitive information.

(Emails found on the contained sensitive data and cannot be disclosed)

Even with the two findings I still thought there was something more than passwords and emails. Then I started browsing through my computer to see what types of files were contained on the root of Linux. So, I listed all the files in the root directory and then I saw a folder called “.ssh”. I went inside the folder to see what types of files it contained. To my surprise, it had files like “authorizes_keys, id_rsa, id_rsa.pub, known_hosts”. Then I used the same folder path at the LFI endpoint and it had those same files. These files were accessible maybe because the application was hosted on the root.

I copied all the keys that were within the files and replaced them with my own in my “Linux Machine”. I had to manage some file permissions on the key files and then I was ready to GO.

I followed the steps that were used to connect the server through SSH “ssh root@<IP ADDRESS>”. I successfully got into the webserver that was hosting the application.

There I found SQL backup files, other web applications with other sensitive data. After that, I used the “arp” command to view all the IPs on the connected network. There I found almost 15+ IPs that were connected and the server which I gained access had ssh key files to connect other servers in that network. So, using that server I got into 10 other application servers and this is how I pwned ten servers using LFI.

Cheers

Happy Hacking ;)

Lfi
Pwn
Server
Thenittam
Lfi To Pwn

--

--

CryptoGen Nepal
CryptoGen Nepal

Published in CryptoGen Nepal

104 followers
Last published Nov 4, 2022

CryptoGen Nepal consists of professional team members who are devoted to providing professional-grade cyber security solutions such as IS audit, VAPT, End-Point Threat Analysis, Forensics & Malware Analysis, Incident Response, Server Assessment, and Hardening.

Nirmal Dahal - #Nittam
Nirmal Dahal - #Nittam

Written by Nirmal Dahal - #Nittam

249 followers
4 following

ISO27001:2022 | C|EH Master | CNSS | NSE | CCNA Cyber Ops | CPISI | CSFPC

Responses (2)

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech