[HTB Academy] File inclusion / directory traversal lab

In the “Local File Inclusion” section of the file inclusion / directory traversal module I am asked to “Use the file inclusion find the name of a user on the system that starts with ‘b’.” I am stuck. I have managed to successfully disclose the source code for index.php and config.php but am unable to progress further. The config.php file contains an API key and MySQL admin credentials, but I cannot connect to the MySQL server, and I don’t know what the API key could be used for. Am I going in the completely wrong direction?

You are not monitoring /etc/passwd. The name is there.

When you find the vulnerable point, your goal would be to read the server’s /etc/passwd file. In there, users with UID >= 1000 tend to be the ones to look at.

Hi guy,
I found the admin panel and I can also get /etc/passwd, but when I try log poisoning with the User-Agent,
RCE is not working. Please help me.
Thank you very much.

I will PM you, not to spoil here.

Hello, I cannot get RCE. Please give me some tips, thank you.

Me neither. When I try to poison the User-Agent header the log breaks. It strips the PHP code either purposefully or by accident.

Log poisoning is the right way, but some reasons cause it to work normally.

Can somebody help me out with the last skill assessment task?

I am stuck at the very end of the box. I can write the log with any text; however, every time I try to poison it with the given PHP code the log daemon crashes(?).

I found a YT video where a guy simply wrote the PHP code in the log and read the flag via webshell. I’d done exactly the same, but for me it just didn’t work :(

Alternatively, I tried to poison other logs like ssh, to no avail…

Should the PHP code be encoded or wrapped or something else?

Any help/useful insight would be greatly appreciated.

1 Like

I am stuck at exactly the same place as you doing exactly the same thing. I am 99% convinced that this lab is broken, because I had the same problem on the earlier part of the module that introduced log poisoning.

If you work out a solution to this please point me in the right direction, because I am not sure this lab currently can be completed.

Hey, I had the same issue. Instead of injecting

<?php system($_GET["cmd"]); ?>

try

<?php system('ls /'); ?>

Hopefully it will work for you as well.

1 Like
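
For the defender's side of what this thread discusses, an added example (not part of any post and not HTB's code): a Python scan of Apache combined-format access log lines that flags PHP open tags in logged request and header fields, and traversal paths in the request. The sample log lines, the `page` parameter, the `example.log` name and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# One quoted log field. Apache writes a double quote inside a logged field
# as \" so the pattern has to accept backslash escapes.
FIELD = r'"((?:[^"\\]|\\.)*)"'
# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] ' + FIELD + r' \d{3} \S+ '
                  + FIELD + ' ' + FIELD)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.IGNORECASE)
# Paths a file-inclusion probe tends to ask for (assumed starter list).
LFI_PATH = re.compile(r'\.\./|/etc/passwd|/var/log/', re.IGNORECASE)

def scan(lines):
    """Return (line_number, client_ip, reason) for each suspicious entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE.match(line)
        if not match:
            continue
        ip, request, referer, agent = match.groups()
        fields = (("request", request), ("referer", referer), ("agent", agent))
        for name, value in fields:
            # Decode %xx once so URL-encoded tags and paths are seen too.
            if PHP_TAG.search(unquote(value)):
                hits.append((number, ip, "php-tag-in-" + name))
        if LFI_PATH.search(unquote(request)):
            hits.append((number, ip, "lfi-path-in-request"))
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE = r'''
198.51.100.4 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system('ls /'); ?>"
203.0.113.9 - - [10/Mar/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"
203.0.113.9 - - [10/Mar/2024:10:00:20 +0000] "GET /index.php?page=..%2F..%2Fvar%2Flog%2Fexample.log HTTP/1.1" 200 900 "-" "curl/8.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for number, ip, reason in scan(SAMPLE):
        print(f"line {number}: {ip} {reason}")
```

A PHP tag in any logged field is worth an alert on its own, since the log becomes executable input as soon as an inclusion flaw can reach it.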

fugatu, thanks for your comment.