Description
Leverage LFI on the host www.edu.stf (10.124.1.235).
The flag is stored in the /etc/pt.flag file.
Add www.edu.stf 10.124.1.235 to the /etc/hosts file.
Then I ran nmap to check for open ports.
Open Ports: 21, 22, 80
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 a6:c9:3a:3f:71:4b:ea:7b:0b:55:e9:d5:85:ff:4c:ec (ECDSA)
|_ 256 d4:e8:55:8d:31:5c:54:6c:c2:42:c5:49:24:ef:1c:5f (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Heavy Logistics
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1173.92 seconds
Next, I ran ffuf to scan for directories on the website.
┌──(kali㉿kali)-[~]
└─$ ffuf -u http://www.edu.stf/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://www.edu.stf/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
api [Status: 301, Size: 231, Words: 14, Lines: 8, Duration: 205ms]
config [Status: 200, Size: 2148, Words: 32, Lines: 71, Duration: 205ms]
assets [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 205ms]
server-status [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 206ms]
:: Progress: [62281/62281] :: Job [1/1] :: 194 req/sec :: Duration: [0:05:27] :: Errors: 0 ::
I noticed the /api directory and decided to scan it further to look for anything interesting.
┌──(kali㉿kali)-[~]
└─$ ffuf -u http://www.edu.stf/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://www.edu.stf/api/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 207ms]
. [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 207ms]
.html [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 206ms]
.php [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 206ms]
read.php [Status: 200, Size: 14, Words: 2, Lines: 1, Duration: 208ms]
.htpasswd [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htm [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htpasswds [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htgroup [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 211ms]
wp-forum.phps [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htaccess.bak [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htuser [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 206ms]
.ht [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 204ms]
.htc [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htaccess.old [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
.htacess [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 205ms]
:: Progress: [37050/37050] :: Job [1/1] :: 194 req/sec :: Duration: [0:03:13] :: Errors: 0 ::
I discovered a read.php file, which looks like a function to read files from the server.
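As an added, defender-side example (not code from the write-up or the challenge): a small Python script that reads Apache access-log lines and flags requests to a file-reading endpoint whose parameter, after percent-decoding and path normalisation, resolves outside the directory it is meant to serve. The endpoint path /api/read.php comes from the scan above; the parameter name `file`, the served directory and the log lines are assumptions constructed for the demonstration.

```python
"""Flag file-read requests that escape the endpoint's intended directory."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined/common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumptions: the endpoint is read.php found above; the parameter name and the
# directory it is supposed to read from are hypothetical.
WATCHED_ENDPOINT = "/api/read.php"
FILE_PARAM = "file"
ALLOWED_ROOT = "/var/www/html/files"

def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding) and unify separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_outside_root(raw: str) -> bool:
    """True if the value would make the endpoint read outside ALLOWED_ROOT."""
    path = normalise(raw)
    if "\x00" in path:                       # null-byte truncation attempt
        return True
    if re.match(r"^[a-z][a-z0-9+.\-]*://", path, re.I):
        return True                           # stream wrappers / remote schemes
    if path.startswith("/"):
        resolved = posixpath.normpath(path)   # absolute path supplied directly
    else:
        resolved = posixpath.normpath(posixpath.join(ALLOWED_ROOT, path))
    return not (resolved == ALLOWED_ROOT or resolved.startswith(ALLOWED_ROOT + "/"))

def suspicious_requests(lines):
    """Return (ip, raw parameter value, status) for each escaping request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != WATCHED_ENDPOINT:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(FILE_PARAM, []):
            if is_outside_root(value):
                hits.append((m.group("ip"), value, m.group("status")))
    return hits

# Constructed sample log lines (not real traffic from the target).
LOG_LINES = [
    '10.0.0.7 - - [10/Mar/2024:12:00:01 +0000] "GET /api/read.php?file=report.txt HTTP/1.1" 200 14',
    '10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /api/read.php?file=sub/../report.txt HTTP/1.1" 200 14',
    '10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /api/read.php?file=../../../../etc/hostname HTTP/1.1" 200 9',
    '10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /api/read.php?file=%252e%252e%252fetc%252fhostname HTTP/1.1" 200 9',
    '10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(LOG_LINES):
        print(hit)
```

Note that parse_qs already decodes one layer, so the second flagged value is reported as it appears after that first decode; the double-encoded request is only caught because normalise decodes again.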