In the “Local File Inclusion” section of the file inclusion / directory traversal module I am asked to “Use the file inclusion find the name of a user on the system that starts with ‘b’.”. I am stuck. I have managed to successfully disclose the source code for index.php and config.php but am unable to progress further. The config.php file contains an API key and mySQL admin credentials but I cannot connect to the mySQL server, and I don’t know what the API key could be used for. Am I going in the completely wrong direction?
You are not monitoring /etc/passwd. The name is there.
When you find the vulnerable point, your goal would be to read the server’s /etc/passwd file. In there, users with UID >= 1000 tend to be the ones to look at.
Hi guy,
I found the admin panel and I can also get /etc/passwd, but when I try log poisoning with User-Agent,
RCE is not working. Please help me.
Thank you very much.
I will PM you, not to spoil here.
Hello, I cannot get RCE. Please give me some tips, thank you.
Me neither. When I try to poison the User-Agent header the log breaks. It strips the PHP code either purposefully or by accident.
Log poisoning is the right way, but some reasons cause it to work normally.
Can somebody help me out with the last skill assessment task?
I am stuck at the very end of the box. I can write to the log with any text, however every time I try to poison it with the given PHP code the log daemon crashes(?).
I found a YT video where a guy simply wrote the PHP code in the log and read the flag via webshell. I’d done exactly the same, but for me it just didn’t work.
Alternatively I tried to poison other logs like ssh, to no avail…
Should the php code be encoded or wrapped or something else?
Any help/useful insight would be greatly appreciated.
I am stuck at exactly the same place as you doing exactly the same thing. I am 99% convinced that this lab is broken, because I had the same problem on the earlier part of the module that introduced log poisoning.
If you work out a solution to this please point me in the right direction, because I am not sure this lab currently can be completed.
Hey, I had the same issue. Instead of injecting
<?php system($_GET["cmd"]); ?>
try
<?php system('ls /'); ?>
Hopefully it will work for you as well.
fugatu thanks for your comment
Change the speech marks (") to apostrophes (') and you’re all good
For me, log poisoning doesn’t work with HTB Workstation… but only with my Kali machine (with VPN). (I spent a lot of time understanding that.)
You have to change the language to find the vulnerable route. You have the information in Path Traversal to perform that exercise, and by reading etc passwd you will see the username. If you have any doubts, add me on Discord, Carpe Kai#9818
First you have to use curl to get the source code (remember to use the base64 encode). Then, when you decode that, you will see a path, and there you go, the vulnerable path. After that, fuzz with the correct file.
Thank you so much!
May I kindly ask you to share your thoughts on why this is the case -only- in this specific challenge? I understand the differences between PHP strings encased with single/double, etc. quotes, but why does it only matter here?
Have a good time!
Can anyone point me in the right direction for this question?
“Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer”
I’ve completed the FUZZ part but am unsure how I browse to the files.
I did this module about 2 years ago with zero knowledge about anything cybersec related. I’ve recently redone it and it seems like magic, honestly. How is it possible to execute PHP scripts inside log files or gif etc., and why do we use & to specify the parameter after the file? I’m not very familiar with PHP, so if someone can give some explanation I would be grateful.
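An added example, not part of any post in this thread: the defender's side of the log poisoning discussed above. PHP's include executes any `<?php` block found in the file it is given, whatever that file is, so a PHP tag stored in a logged field is worth flagging; this Python sketch scans access-log lines for such tags and for traversal requests. The log lines, the `page` parameter and the combined log format are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "agent")
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)   # <?php and <?= open tags
TRAVERSAL = re.compile(r"\.\./|/etc/passwd")           # checked after URL-decoding

# Constructed sample entries (documentation IP ranges, harmless PHP).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=en HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "<?php echo 1; ?>"',
    '203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 912 "-" "curl/8.0"',
    # Truncated entry (no closing quote): must not be silently skipped.
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 512 "-" "<?= 1 ?>',
]

def scan(lines):
    """Return (line_number, reason) tuples for suspicious entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Unparseable lines are searched raw instead of being dropped.
            if PHP_TAG.search(line):
                findings.append((n, "php-tag-in-malformed-line"))
            continue
        values = dict(zip(FIELDS, (unquote(v) for v in m.groups())))
        for name in FIELDS:
            if PHP_TAG.search(values[name]):
                findings.append((n, f"php-tag-in-{name}"))
        if TRAVERSAL.search(values["request"]):
            findings.append((n, "traversal-in-request"))
    return findings

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE_LOG):
        print(lineno, reason)
```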
This module did not find any VPN servers information.
Is it not possible to link the experimental target through VPN?