Skip to main content

Web Server Hacking using Local File Inclusion Attack

                     Hey Friends I am back with a new tutorials on how to hack a web server using LFI attack or Local File Inclusion Attack.
                     LFI is an attack by which a attacker can access files in directory by including them in the web pages . This happens due to flaws in coding and careless ways of coding.Here I will demonstrate how you can hack a website and get root level access to a server
                     Now some word of caution. You should never perform such activity without the permission of the site owner. This is completely illegal. I am showing you this demo for educational purpose only. I won't be be responsible if you get in trouble after misusing these techniques.  Here I will be showing a demo on a training website of enigmagroup for demo purpose only.

 What do u need to know ?

  • Linux Directory Architecture.
  • About the location of passwd files and its encryption files.
  • Techniques of file traversal in Linux ( use forward slash /).
  • Working with Command Line in linux or windows.
  • Knowledge on using port scanner and password crackers.
  • GET methods.
  • Idea about various ports 
What tools are required ?
  • John The Ripper(password Cracker)-for password scanning
  • Nmap - For searching and scanning open ports
Note: This type of attack is only possible in websites vulnerable to LFI attack and not necessarily every site is vulnerable to this type pf attack.
They usually have this type of url or something like below: 
http://www.site.com/dir/?page=intro  

                                  

Step 1 
Use port scan and determine which OS the server is using. You need to know this because the directory architecture is different in different OS.

 Now browse the website and modify the URL in such ways
http://www.site.com/dir/?page=../etc/passwd
http://www.site.com/dir/?page=../../etc/passwd
http://www.site.com/dir/?page=../../../etc/passwd

Keep doing till you find something like this

 Step 2.Now examine the contents that appears on the screen

 You can see all the list of valid users and their encrypted passwords in the text above.It is in DES   encryption.Now I need to decrypt the encrypted codes.

 Step 3. Open Command Prompt and  Access John the Ripper Folder.
Make a file in the run directory inside John The Ripper Folder and paste the encrpted text.
Like I will use password of the user so the text I will decrypt is    4doxGUy8UpD0o
  Save the file and now from command line  type 
  john passwordfile.txt and wait for some time .You will see the decrypted password 

 Now we have the password n00bs

 Step 4.Now we need to find open ports in the server .We need to perform a port scan to find open ports.

 Now that we find that the ports are open for http is 8080 and 8008.
Now go the address bar and type www.vunerablesite.com:8080 or  www.vunerablesite.com:8008 and will enter the username and password  at the login panel and we have an access now :) :) .

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more