Include
Include
Include
π LFI Analysis
π΅οΈ Letβs check the inputs:

π» When we update the field, it updates the display accordingly: 
As you can see, the request goes to an internal server. While exploring the settings, I found a place to update the banner. Since it fetches from an external URL, I tried to pass a request to it: 
π΅οΈ Exploiting SSH Credential Leakage
π So, I logged into the sysmoon app using those credentials:

π‘ Next, I used a wordlist for the LFI exploit: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
β‘ Then, I added it to Replay in Caido (you can also use Burp Suite): 
1
2
joshua:x:1002:1002:,,,:/home/joshua:/bin/bash
charles:x:1003:1003:,,,:/home/charles:/bin/bash
β‘ Privilege Escalation
π You can see there are two users, so I tried brute-forcing SSH:
π I got it!
This post is licensed under CC BY 4.0 by the author.



