Published in CryptoGen Nepal

LFI To 10 Servers Pwn

While testing a private site on Dec 19, 2017, I found a “commonfunctions.js” file in the page source. That “commonfunctions.js” contained the path from which PDFs were downloaded, and that endpoint was vulnerable to LFI (Local File Inclusion).

Vulnerable endpoints can also be found in JavaScript code. Analyze the source code before starting a pentest.

So, using the common LFI payloads, i.e. “/etc/passwd” and “../../../../etc/passwd”, I was able to read the “passwd” and “shadow” files on the system (I know many of you stop testing after this. Please go for more :) ). While looking into it I found that the web application was hosted under “root”. I still did not think this was as critical as I wanted it to be, so I started looking into other places. I tried “/var/spool/mail/root”, which contained email logs with sensitive information.
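The endpoint described above joined a user-supplied file name onto the PDF directory, which is exactly the pattern that path traversal payloads such as “../../../../etc/passwd” abuse. The following is an added example, not code from the original post or from the tested site: the unchecked pattern sits beside a hardened resolver that rejects anything resolving outside the document root. The directory name and function names are assumptions chosen for illustration.

```python
import os
from typing import Optional

# Assumed document root for the PDF download endpoint (constructed name,
# not the tested site's real path).
DOC_ROOT = os.path.join(os.path.abspath(os.getcwd()), "pdf_root_example")


def vulnerable_resolve(param: str, base: str = DOC_ROOT) -> str:
    """The pattern the write-up implies: user input is joined onto the PDF
    directory with no check. "../../../../etc/passwd" walks out of it, and an
    absolute value such as "/etc/passwd" makes os.path.join discard base."""
    return os.path.normpath(os.path.join(base, param))


def safe_resolve(param: str, base: str = DOC_ROOT) -> Optional[str]:
    """Return the resolved path only if it stays inside base, else None."""
    if not param or "\x00" in param:
        # Empty names and embedded null bytes never name a legitimate PDF.
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, param))
    try:
        # commonpath catches the "/srv/pdf_root_evil" prefix trick that a
        # plain str.startswith(base) check would let through.
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        inside = False
    if not inside or candidate == base_real:
        return None
    if not candidate.lower().endswith(".pdf"):
        # The endpoint only serves PDFs, so reject everything else as well.
        return None
    return candidate


if __name__ == "__main__":
    for p in ("report.pdf", "../../../../etc/passwd", "/etc/passwd", "sub/../brochure.pdf"):
        print(f"{p!r:32} vulnerable -> {vulnerable_resolve(p)}")
        print(f"{'':32} safe       -> {safe_resolve(p)}")
```

The resolver only limits which files the application can be tricked into reading; it does nothing about the second problem in this write-up, the application running as root. Even a correct resolver should be paired with a service account that has no read access to /root, /etc/shadow or the mail spool, so that a bypass in the check is not immediately a credential leak.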

(The emails found there contained sensitive data and cannot be disclosed.)

Even with these two findings I still thought there was something more than passwords and emails. So I started browsing my own computer to see what types of files are kept in the root user's home directory on Linux. I listed all the files there and saw a folder called “.ssh”. I went inside the folder to see what it contained. To my surprise, it had files like “authorized_keys, id_rsa, id_rsa.pub, known_hosts”. Then I used the same folder path at the LFI endpoint, and it returned those same files. These files were accessible probably because the application was hosted under root.

I copied all the keys from those files into my own “.ssh” folder on my Linux machine, replacing my own keys. I had to fix some file permissions on the key files, and then I was ready to go.

I followed the usual steps to connect to the server through SSH, “ssh root@<IP ADDRESS>”, and successfully got into the web server that was hosting the application.

There I found SQL backup files and other web applications with other sensitive data. After that, I used the “arp” command to view the IPs on the connected network. There were 15+ connected IPs, and the server I had gained access to held SSH key files for connecting to other servers in that network. So, using that server, I got into 10 other application servers, and that is how I pwned ten servers using LFI.
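From the defender's side, every step of the chain above before the SSH login leaves a trail in the web server's access log: traversal sequences, absolute paths, and the specific files named in this write-up all appear in the download parameter. The following is an added example, not from the original post; the log lines are constructed, the endpoint name is assumed, and the format is assumed to be the common log format. It flags download requests whose parameter decodes (including double URL-encoding) to a traversal, an absolute path, or one of the sensitive locations named above, and groups the hits by source IP.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format) for a hypothetical
# /download endpoint; none of these come from the site in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2017:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 8812
10.0.0.9 - - [19/Dec/2017:10:01:40 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1302
10.0.0.9 - - [19/Dec/2017:10:02:11 +0000] "GET /download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 940
10.0.0.9 - - [19/Dec/2017:10:03:55 +0000] "GET /download?file=/root/.ssh/id_rsa HTTP/1.1" 200 1679
10.0.0.7 - - [19/Dec/2017:10:04:01 +0000] "GET /download?file=brochure.pdf HTTP/1.1" 200 20331
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Locations that appear in the write-up; a request naming any of them is
# never a legitimate PDF download.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/var/spool/mail/", "/.ssh/")


def indicators_for(target: str) -> List[str]:
    """Classify one request target; returns an empty list for clean requests."""
    found = set()
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            # parse_qs already decoded once; decoding again exposes
            # double-encoded payloads such as %252e%252e%252f.
            decoded = unquote(value)
            if "../" in decoded or "..\\" in decoded:
                found.add("traversal")
            if decoded.startswith("/"):
                found.add("absolute_path")
            if any(s in decoded for s in SENSITIVE):
                found.add("sensitive_path")
    return sorted(found)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request, in log order."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        inds = indicators_for(m["target"])
        if inds:
            # A 200 status on a flagged request means the file was served,
            # which is the case that needs an incident, not just a ticket.
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "indicators": inds})
    return hits


def hits_by_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address to surface repeat sources."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["status"], h["indicators"], h["target"])
    print("per source:", hits_by_ip(found))
```

Matching on the decoded parameter rather than the raw line is the part that matters: a rule that greps for the literal string “../” misses the double-encoded request in the sample, while the resolver-side fix described earlier only stops the read and does not tell you that someone tried.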

Cheers

Happy Hacking ;)

Nirmal Dahal
C|EH Master | CNSS | NSE | CCNA Cyber Ops | CPISI | CSFPC