In this post, we cover the local file inclusion vulnerability using the Billu-B0x machine from Vulnhub.
Local file inclusion is a vulnerability that lets an attacker manipulate a vulnerable URL parameter and use it to access internal resources such as sensitive files and directories.
Finding the Way In
My first move was to scan the network to find the machine’s IP address. Once I had that, I ran a service scan to see what was running. The scan showed two open ports:
- Port 22 (SSH): For secure remote login.
- Port 80 (HTTP): A web server.
I noted the versions of both the SSH and web server software, as older versions are often vulnerable to known exploits.
Poking at the Web Server
With a web server running, my next step was to see what I could find there. I tried some basic SQL injection attacks, but those didn’t work. So, I fired up a tool called DirBuster to see if I could find any hidden directories.
DirBuster found a PHPMyAdmin directory, which is a web-based interface for managing MySQL databases. This was a great find, but I still needed a username and password to get in.
The LFI Vulnerability
As I continued to explore the web server, I found a test.php file that was vulnerable to Local File Inclusion (LFI). This is a vulnerability that lets you view the contents of local files on the server by passing a file path as a parameter in the URL.
I used the curl command to test the LFI vulnerability and was able to view the contents of the index.php file. This was my way in.
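The server-side fix for this class of bug, as an added example that is not the code of test.php on the machine or anything from the original walkthrough. The handler itself, the "file" parameter name and the BASE_DIR path are assumptions chosen for illustration.

```php
<?php
// Added example: a hypothetical file-serving handler, not the target's test.php.
// BASE_DIR and the "file" parameter name are assumptions.
const BASE_DIR = '/var/www/app/downloads'; // only files under here may be served

// Vulnerable pattern (kept for contrast, never called): the request value is
// used as a path as-is, so absolute paths and ../ sequences reach any file
// the web server user can read, including PHP sources and config files.
function serve_unsafe(string $name): void
{
    readfile($name);
}

// Hardened pattern: resolve the path first, then require that the result
// still sits inside the base directory and is a regular file.
function resolve_safe(string $name, string $base = BASE_DIR): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null; // empty or NUL-containing names are rejected outright
    }
    $root = realpath($base);
    if ($root === false) {
        return null; // base directory missing or unreadable
    }
    // realpath() collapses ../ and follows symlinks; it returns false if the
    // target does not exist, so no partial or guessed path gets through.
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return null;
    }
    // Compare against the root plus a trailing separator so that a sibling
    // such as /var/www/app/downloads-old does not pass the prefix check.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_safe($name) : null; // file[]=x arrives as an array
if ($path === null) {
    http_response_code(404); // same response for "missing" and "outside base"
    exit;
}
header('Content-Type: application/octet-stream'); // send as a download, never render
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The containment check only helps if credential-bearing files such as config.php live outside the served directory, and the web server account should not be able to read them through any other handler.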
Database Credentials
Now that I had a way to read files on the server, I went straight for the good stuff. I used the LFI vulnerability to read the config.php file, which I knew would likely contain the database credentials. And sure enough, it did! I found the username and password for the MySQL database.
PHPMyAdmin and a Dead End
With the database credentials in hand, I was able to log into PHPMyAdmin. I found a table with another username and password, but my attempts to upload malware through PHPMyAdmin failed due to some connection issues. It was time to try a different approach.
Root via SSH
I went back to the LFI vulnerability and used it to read the PHPMyAdmin configuration file. This was the jackpot. The configuration file contained the password for the root user.
With the root username and password, I was able to log in via SSH and gain full control of the machine. Game over.