LFI To 10 Servers Pwn

Nirmal Dahal
Nov 26, 2019 · 3 min read

While testing on a PRIVATE site back on Dec 19, 2017. I found a “commonfunctions.js” in the source code. That “commanfunctions.js” contained a path from where the pdf’s were downloadable. That point was vulnerable to LFI (Local File Inclusion).

Vulnerable endpoints can be also found in JS codes. Analyze source code once before starting pentest.

So using the common LFI techniques i.e “/etc/passwd, ../../../../etc/passwd”. I was able to read the “passwd & shadow” that was on the system ( i know many of you leave testing after this. Please go for more :) ). While looking into it I found that the web application was hosted on “root”. I still did not think that this was as critical as I wanted it to be. Then I started looking into other places, I tried “/var/spool/mail/root”, that contained some email logs with sensitive information.

(Emails found on the contained sensitive data and cannot be disclosed)

Even with the two findings I still thought there was something more than passwords and emails. Then I started browsing through my computer to see what types of files were contained on the root of Linux. So, I listed all the files in the root directory and then I saw a folder called “.ssh”. I went inside the folder to see what types of files it contained. To my surprise, it had files like “authorizes_keys, id_rsa, id_rsa.pub, known_hosts”. Then I used the same folder path at the LFI endpoint and it had those same files. These files were accessible maybe because the application was hosted on the root.

I copied all the keys that were within the files and replaced them with my own in my “Linux Machine”. I had to manage some file permissions on the key files and then I was ready to GO.

I followed the steps that were used to connect the server through SSH “ssh root@<IP ADDRESS>”. I successfully got into the webserver that was hosting the application.

There I found SQL backup files, other web applications with other sensitive data. After that, I used the “arp” command to view all the IPs on the connected network. There I found almost 15+ IPs that were connected and the server which I gained access had ssh key files to connect other servers in that network. So, using that server I got into 10 other application servers and this is how I pwned ten servers using LFI.

Cheers

Happy Hacking ;)

CryptoGen Nepal

#Made4Security

CryptoGen Nepal

CryptoGen Nepal consists of professional team members who are devoted to providing professional-grade cyber security solutions such as IS audit, VAPT, End-Point Threat Analysis, Forensics & Malware Analysis, Incident Response, Server Assessment, and Hardening.

Nirmal Dahal

Written by

C|EH Master | CNSS | NSE | CCNA Cyber Ops | CPISI | CSFPC

CryptoGen Nepal

CryptoGen Nepal consists of professional team members who are devoted to providing professional-grade cyber security solutions such as IS audit, VAPT, End-Point Threat Analysis, Forensics & Malware Analysis, Incident Response, Server Assessment, and Hardening.