TRY HACK ME — ADVENT OF CYBER 3 — DAY 6

HarbSec
Dec 31, 2021

After starting the attack machine, this task requires us to visit the link in the tutorial. This can be done by pasting the URL into a new tab of the browser.

This shows the McSys Control System.

The first three questions are as follows:

The URL of this webpage contains a parameter that points at a .txt file called error.txt. Changing the name of that .txt file alters the output: the page then prints an error message saying that the text file does not exist. This part of the URL is the one that can be altered for exploitation.

For the first question, the entry point is therefore ‘err’.

We can use the directory traversal technique in that parameter to reach etc/flag, as the second question asks.

The flag will be on the right of the screen and be pasted into the second answer box.

For the third question we can attempt to output the contents of index.php by using the base64 encoding technique.

This brings back a long string at the bottom of the web page. This string can be pasted into the Base64 Decode and Encode website via the link provided in the tutorial, to decode it.

This will return the source code of the index.php file, and the flag is within. This can be pasted into the third answer box.

The remaining four questions are as follows:

The first of these questions can be answered by altering the string previously typed into the URL: swapping index.php for ‘includes/creds.php’, which was found in the source code.

This returns a string at the bottom of the webpage, which again can be decoded using the same website Base64 Decode and Encode.

This will output the username and password which can be pasted into the first of these answer boxes, separated by a colon as shown in the hint.

The second of these questions is answered by using these credentials to log into the website. From the current web page, we click on Home in the top left. This shows the original error text at the bottom of the screen, telling us we need to log in. Clicking on the login link brings up the login page.

After logging in we click on password recovery and paste the password for the flag.thm.aoc server into the answer box.

For the third of these questions we logout to get to the original index.php error page before replacing the .txt file in the URL with the string provided in the question.

This accesses the log page from the server side.

For this part we start the attack machine, open a terminal and use the curl command to send a request that, once it has been written to the log, causes information about the server to be displayed on the logs page. We do this using the file path specified in the question and the PHP command specified in the tutorial.

This will show PHP information about the server beneath the previous log entries on this page. It is important to note that this must be viewed directly on the server via this page, and not via McSkidy’s login page.

Refresh the page to show any new logs.

Our injected command has run and rendered an information table. We can find the hostname of the server in the top field of the table. In the above screenshot, it is everything from Linux….965, before the version numbers start. This is the answer to the third of these questions.

Navigate to the original index.php page. Press Shift+Ctrl+i to bring up the inspector. Selecting the cookies under the website in the left column will show the session ID value, representing our visit to this web page.

Right-click on the session token value and copy it. In the address bar, return to the URL of the original index.php page. Once again replace the .txt file with some “../” and then “tmp/sess_”. Paste the session token value immediately after the underscore and press return.

Nothing of note will be visible on the page.

Next we go to the original index.php page (preferably in another tab) once again, and click on login to reach the login screen.

We enter the PHP info script directly into the username field, with a made-up password, and submit these credentials.

Although this will not log us in, pressing F12 brings up the inspector and shows the session token value, confirming that the server has recorded a session for this attempt.

If we now navigate to the tab with the session token in the URL, we will see the PHP info command executed once again but this time via the PHP we injected into the username field.

We have carried out the bonus question/task of using LFI to call the PHP session file to get PHP code executed.
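From the defender's side, every step of this chain leaves a trace in the web server's access log: the traversal in the `err` parameter, the base64 filter wrapper used to read source, the include of a `/tmp/sess_` file, and the PHP tags planted in the User-Agent for log poisoning. The following Python script is an added example (not part of the room or this post) that scans constructed Apache combined-log lines for those indicators; it also flags a couple of other PHP stream wrappers beyond the base64 filter the room uses, and decodes the parameter a second time so that double-encoded dots are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" log lines modelled on the request types this
# walkthrough describes; they are not taken from the room or the author's post.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2021:10:00:01 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Dec/2021:10:00:07 +0000] "GET /index.php?err=../../../../etc/flag HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Dec/2021:10:00:15 +0000] "GET /index.php?err=php://filter/convert.base64-encode/resource=includes/creds.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Dec/2021:10:00:22 +0000] "GET /index.php?err=%252e%252e/%252e%252e/tmp/sess_abc123 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Dec/2021:10:00:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php phpinfo(); ?>"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Split one combined-log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(fields):
    """Return the LFI-related indicator tags found in one parsed request."""
    tags = []
    query = parse_qs(urlsplit(fields["target"]).query, keep_blank_values=True)
    for value in query.get("err", []):          # the include parameter this app uses
        value = unquote(value)                   # second decode catches %25-encoded dots
        if ".." in re.split(r"[\\/]+", value):   # any '..' path segment, not just '../'
            tags.append("traversal")
        if value.lower().startswith(("php://", "data:", "expect://")):
            tags.append("wrapper")               # php://filter source disclosure and kin
        if "/tmp/sess_" in value:
            tags.append("session-file")          # include of a PHP session file
    if "<?php" in fields["ua"] or "<?=" in fields["ua"]:
        tags.append("ua-php")                    # PHP tags in User-Agent: log poisoning
    return tags

def scan(log_text):
    """Return [(timestamp, tags)] for every line that carries at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = parse(line)
        if fields:
            tags = classify(fields)
            if tags:
                hits.append((fields["ts"], tags))
    return hits

if __name__ == "__main__":
    for ts, tags in scan(SAMPLE_LOG):
        print(ts, ", ".join(tags))
```

The benign first request produces no tags, which is the point of keying on the `err` parameter rather than on the whole URL.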
