Local File Inclusions to Remote Code Execution

Local file inclusion is a type of cyber attack through which an attacker can trick the web application into including files on the web server by exploiting a functionality that dynamically includes local files or scripts. A successful attack can lead to disclosure of sensitive file on the server and also can lead to remote code execution through various ways. i will be giving a proof of concept using a vulnerable server found in TryHackMe. The server gives beginner penetration testers or beginner ethical hackers a good foundation on local file inclusion attack

lets begin:

we start with a Nmap scan to determine the port that the server is running on

Nmap results show that only port 80 is open lets take a look at the web server using a browser

Following the first link LFI Walthrough 1 (Basics)

We get a webpage running PHP but is seems that its using some parameters to access a page. TryHackMe walk through gives you a hint to use “?page=”

If the parameter wasn’t given you could fuzz using a tool WFUZZ that is available on Kali Linux as i’ll demonstrate below. I’ll use a wordlist that i downloaded from Github called Seclists

When the parameter is added to the page and user input is supplied to the link, the input is displayed on the page

Now lets see if we can reads files of the server. I’ll read a file that is common to all linux operating systems passwd

Voila! we are able to view sensitive files that normally we aren’t allowed to view

Local File Inclusion using Directory Traversal

Directory Traversal is a attack which allows attackers to access restricted directories and execute commands outside of the web server’s root directory or other paths. And in our case we’ll view a file one directory up that contains a credit card number. We’ll be using the second link LFI Walkthrough 2 (Using Directory Traversal)

Voila we are able to view the contents of that page


An attacker can attacker attempts to inject malicious input to the server log files to gain remote code execution some of the log files that malicious code can be injected have been listed bellow

For the purpose of demonstration i’ll be using /var/log/apache2/access.log

I’ll be using the Third link LFI Walkthrough 3 for demonstration. I’ll intercept the request using burpsuite a tool that comes preinstalled on Kali Linux and modify the user agent to inject malicious input to the server log and the input will lead to a remote code execution. Highlighted is the malicious input that gets stored in the access log that leads to Remote Code Execution

Now opening the access log file using burpsuite and passing it the parameter that had been used in the malicious PHP input followed by a Linux system command and in the Response

Boom we get code execution now lets go a step further and upload a reverse shell to the server to get a remote shell in our computer. ensure that the PHP reverse shell has your IP address and the port is correctly configured

Start a server on your local box and use wget to download the PHP shell form our local box to the server. Now set up a netcat listener in our local machine for the php shell to connect back to

Now we execute the PHP script on the server to get a connection back at our machine

And boom we have a shell on our local machine. Now let me upgrade the shell for it to become fully interactive

Now we get the flag

and we are done with the box hope you’ve learnt something




Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Privacy Challenges Around the World and My Story As A Victim

Why people feel that internet privacy is a lost cause?

{UPDATE} Ra slots - casino slot machine Hack Free Resources Generator

Los Malandros An NFT Dystopian Sci-fi Adventure 🤖

Hack The Box (Blue)

Response to the Internet, the Deep Web,

Hardening the OCI Terraform provider authentication security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Musyoka Ian

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

More from Medium

MHSCTF Web Writeup

Hack The Box Cyber Apocalypse 2022: Hardware Challenge Write-ups

HackTheBox: Lame (Writeup)

Hack The Box’s Learn the basics of Penetration Testing: Preignition