FILE INCLUSION / DIRECTORY TRAVERSAL Academy Skills Assessment

i find the admin panel,but i cant use the LFI what can do next

Anybody can DM me? For the questions "Using the file inclusion find the name of a user on the system that starts with “b”.
" I’m 95% certain my payload is good and somehow it just hangs there without responding. I got the index.php and config.php files and there’s nothing I see there that would prohibit me from using that payload. Thanks

Read carefully the /etc/passwd file, the answer is there.

OK I have done it, the file name was funny:)

I found the source, thus I’ve tried many ways to bypass the control, resultless. I did with and without the null byte. I’ve tried to poison the User Agent, no more result. I’m kinda stuck now :frowning:

i was in the same situation, try to read /etc/passwd/ properly, the name is there

did you try to grep the output of the error.log file ??

Hello everybody , I’m stuck please help. I find access.log of nginix and can read it but when i want to use User agent it don’t add log . any hint ?

1 Like

You are on the right track with the User agent. Play around with your inputs. Maybe make them simple at first just to make sure you can actually run code.

There is a risk that you can enter in a user agent which breaks the admin page when it tries to read the access log, this means that any agent text entered after the one that broke the page will have no effect because the page breaks before it can read any new agents. You will need to restart the assessment machine if that happens.

2 Likes

ht

if anyone is stuck on how to get the flag when you got RCE, remember that you cant use LFI if you dont know the path of your target. in other words once you got RCE find the file you need then you can access it with LFI

As the Gattsu mentioned above, the problem is PHP code. Try to simplify it, how could you execute ls command within PHP without passing it through parameter?

eh estado luchando con este reto,
dentro de /var/www/html debes crear un archivo shell.php con el contenido ```

<?php system($_GET["cmd"]); ?>
luego en otra terminal curl -X GET 'http://10.129.5.70/shell.php'
para luego leer con cat /var/log/apache2/error.log

security