Web


Nmap scan shows a web server running on the target port 80

Webroot: as claimed, it appears to be a temporary website, perhaps a testing environment.

There appear to be 4 PHP scripts available to choose from.

It is possible that the selected script is loaded using the PHP include method, in which case it can be abused for an LFI vulnerability if misconfigured.

/ini.php


The /ini.php file typically contains initial configuration settings for a PHP application

Notice it’s now on the browse.php file, with the file parameter being used to include() the /ini.php file. This web server might be vulnerable to LFI after all.

/info.php


The /info.php file displays the system version in this case

/phpinfo.php


The /phpinfo.php file is the standard phpinfo file. It shows that the version is 5.6.32

/listfiles.php


The /listfiles.php file appears to be listing files in the current working directory in an array. I see an interesting file, pwdbackup.txt

pwdbackup.txt


The /pwdbackup.txt file contains a long base64-encoded string. It claims to be a password encoded at least 13 times.

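#!/bin/sh
# Peel the 13 nested base64 layers off the encoded password.

# Read the encoded string from pwd.enc
content=$(cat pwd.enc)

for i in $(seq 1 13); do
  # Strip the spaces and line breaks that wrap the text, then decode one layer
  content=$(printf '%s' "$content" | tr -d ' \n' | base64 -d)
done

printf '%s\n' "$content"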

I got this simple bash script that decodes it

┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ ./decode.sh
Charix!2#4%6&8(0

The decoded password is Charix!2#4%6&8(0

LFI


As mentioned earlier, the file parameter of the browse.php file appears to be using the PHP include method.

I can check it

If I submit this

LFI confirmed.
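
The fix for this class of bug, as an added example that is not code from the target or from the original write-up: a browse.php-style loader that only includes scripts from a fixed allow-list. It assumes the original passes the file parameter straight to include(); the names resolve_script and ALLOWED_SCRIPTS are hypothetical, and the code targets PHP 7.1 or later rather than the 5.6.32 seen above.

```php
<?php
// Added example: hardened version of a browse.php-style loader.
// Assumed vulnerable pattern, shown for contrast only:
//   include($_GET['file']);

// The only scripts the page is meant to offer (names from the write-up).
const ALLOWED_SCRIPTS = ['ini.php', 'info.php', 'phpinfo.php', 'listfiles.php'];

/**
 * Map a user-supplied name to an absolute path inside $baseDir,
 * or return null when the request must be refused.
 */
function resolve_script($requested, string $baseDir): ?string
{
    // file[]=x arrives as an array; anything that is not a string is refused.
    if (!is_string($requested)) {
        return null;
    }
    // Exact-match allow-list: traversal sequences, absolute paths and
    // stream wrappers never match an entry, so they stop here.
    if (!in_array($requested, ALLOWED_SCRIPTS, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: after symlink resolution the file must still sit
    // directly inside the base directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$script = resolve_script($_GET['file'] ?? null, __DIR__);
if ($script === null) {
    http_response_code(400);
    exit('Unknown script');
}
include $script;
```

With this in place a request for pwdbackup.txt or any path outside the list gets a 400 instead of file contents, and the backup file itself should not live in the webroot at all.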