I've just participated in a boot2root capture the flag event where I got close to solving an item but couldn't quite get it over the line and want to learn what I could have done differently.

In the event I managed to identify a vulnerable application that would allow me to perform local file inclusion to download any file from the server, but not render it on the page. Typically in this scenario if I can render content to the page I would nc to the web server and write contents to the Apache log that I would like PHP to interpret. Since that wasn't the case in this instance (as I could only download files), how could you approach receiving a shell?

Michael A

1 Answer

LFI will not get you a shell by itself. You need to download config files and the web application's sources; these can either point you to passwords you can use in the web app, SSH, or the database, or help you find an exploit on a stored web app (whiteboxing is easier).

Jonathan Allon
  • I did think this was the case, thank you for verifying! I'll start researching enumeration a bit further since I figure there's a file I should have downloaded but missed. – Michael A Jun 02 '17 at 08:45
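
Seen from the defender's side, the download-only file read discussed in this thread appears in the web server's access log as request parameters that resolve to traversal sequences, absolute paths, or application source and config files. The following is an added example, not part of the original question or answer, that scans Apache-style log lines for such requests; the log lines, the `download.php` and `file` names, and the suffix list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from the original page).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2017:08:01:10 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jun/2017:08:02:31 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1612 "-" "curl/7.52"
203.0.113.9 - - [02/Jun/2017:08:02:40 +0000] "GET /download.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 734 "-" "curl/7.52"
203.0.113.9 - - [02/Jun/2017:08:02:55 +0000] "GET /download.php?file=includes/db.inc.php HTTP/1.1" 200 912 "-" "curl/7.52"
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumed list of extensions a file-download feature should never serve.
SENSITIVE_SUFFIXES = (".php", ".inc", ".ini", ".conf", ".env", ".bak")

def fully_decode(value, rounds=3):
    """Undo nested URL encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a parameter value looks like a file-read attempt, or None."""
    path = fully_decode(value).replace("\\", "/")
    if ".." in path.split("/"):
        return "traversal"
    if path.startswith("/"):
        return "absolute-path"
    if path.lower().endswith(SENSITIVE_SUFFIXES):
        return "source-or-config"
    return None

def scan(log_text):
    """Return (client, parameter, decoded value, reason, status) per suspicious parameter."""
    findings = []
    for match in filter(None, map(REQUEST.match, log_text.splitlines())):
        client, target, status = match.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                findings.append((client, name, fully_decode(value), reason, int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with a 200 status are the ones to triage first, since the file was actually served and any credentials in it should be treated as exposed.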