Description
Obtain RCE on the host www.edu.stf (10.124.1.235) through LFI.
To get the flag, run the script /home/rceflag.
From the earlier nmap scan, we notice that the FTP port is open:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 a6:c9:3a:3f:71:4b:ea:7b:0b:55:e9:d5:85:ff:4c:ec (ECDSA)
|_ 256 d4:e8:55:8d:31:5c:54:6c:c2:42:c5:49:24:ef:1c:5f (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Heavy Logistics
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 1173.92 seconds
We have already confirmed the LFI vulnerability and can read arbitrary files on the server.
Combined with the open FTP service, this is a good combo that we can leverage for remote code execution (RCE).
Basically, we can achieve this through log poisoning: write attacker-controlled text into a log file, then include that file through the LFI.
Usually we would poison the web server logs, but this time we'll try the FTP logs instead.
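As an added example that is not part of this writeup, here is a small Python detector for the defensive side of this technique: it scans vsftpd's log for login attempts whose username carries a PHP open tag, which is the artefact a log-poisoning attempt leaves on disk. The log lines below are constructed, and the default vsftpd.log line layout is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in vsftpd's default vsftpd.log format (assumption):
# "<ctime> [pid N] [<username>] <event>: Client "<ip>"". The username field is
# echoed verbatim from the FTP USER command, so it is the attacker-controlled
# text to inspect. The PHP-tag payload bodies are placeholders, not real code.
SAMPLE_LOG = """\
Tue Jan  2 10:00:01 2024 [pid 1201] CONNECT: Client "10.0.0.5"
Tue Jan  2 10:00:02 2024 [pid 1200] [anonymous] OK LOGIN: Client "10.0.0.5"
Tue Jan  2 10:00:07 2024 [pid 1203] CONNECT: Client "10.0.0.9"
Tue Jan  2 10:00:08 2024 [pid 1202] [<?php /* constructed marker */ ?>] FAILED LOGIN: Client "10.0.0.9"
Tue Jan  2 10:00:09 2024 [pid 1202] [bob] FAILED LOGIN: Client "10.0.0.9"
Tue Jan  2 10:00:10 2024 [pid 1204] [<?=1?>] FAILED LOGIN: Client "10.0.0.9"
"""

# ctime() timestamps are a fixed 24 characters; the [user] field is optional
# because CONNECT lines are logged before any username is supplied.
LINE_RE = re.compile(
    r'^(?P<ts>.{24}) \[pid \d+\] (?:\[(?P<user>.*)\] )?'
    r'(?P<msg>.*?)(?: Client "(?P<client>[^"]+)")?$'
)

# Any PHP open tag (<?php, <?=, or the short <?) in a username is suspicious:
# a legitimate FTP user name never contains one.
PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)


def parse_line(line):
    """Split one vsftpd.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_poisoning_attempts(log_text):
    """Return the login records whose username carries a PHP open tag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] is None:
            continue
        if PHP_TAG_RE.search(rec["user"]):
            hits.append({"ts": rec["ts"], "client": rec["client"], "user": rec["user"]})
    return hits


def summarize_by_client(hits):
    """Count suspicious usernames per client IP, to prioritise which source to block."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = find_poisoning_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} client={h["client"]} user={h["user"]!r}')
    print(summarize_by_client(found))
```

A hit here is worth correlating with the web server's access log: an HTTP request referencing the vsftpd log path arriving shortly after the tainted login is the second half of this attack chain.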