Post

Include

Include

Include

Pasted image 20260531114834.png

πŸ” LFI Analysis

πŸ•΅οΈ Let’s check the inputs: Pasted image 20260531121330.png Pasted image 20260531121309.png

πŸ’» When we update the field, it updates the display accordingly: Pasted image 20260531121424.png

As you can see, the request goes to an internal server. While exploring the settings, I found a place to update the banner. Since it fetches from an external URL, I tried to pass a request to it: Pasted image 20260531121546.png

The result: Pasted image 20260531121600.png Pasted image 20260531121617.png

πŸ•΅οΈ Exploiting SSH Credential Leakage

πŸ”‘ So, I logged into the sysmoon app using those credentials: Pasted image 20260531121723.png Pasted image 20260531122617.png

πŸ’‘ Next, I used a wordlist for the LFI exploit: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt

Pasted image 20260531123024.png

⚑ Then, I added it to Replay in Caido (you can also use Burp Suite): Pasted image 20260531123214.png

1
2
joshua:x:1002:1002:,,,:/home/joshua:/bin/bash
charles:x:1003:1003:,,,:/home/charles:/bin/bash

⚑ Privilege Escalation

πŸ“Œ You can see there are two users, so I tried brute-forcing SSH: Pasted image 20260531131004.png Pasted image 20260531131107.png 🏁 I got it!

This post is licensed under CC BY 4.0 by the author.