Looking for guidance on a vulnhub VM
So I’ve been trying to break into the milnet VM that was just posted onto vulnhub.com. The system has two open ports, a web page at port 80 and OpenSSH on port 22. I’ve been poking around the web page and found this in nav.php:
Props
I discovered I could use Tamper Data to change the value of route, and discovered that by putting the filename of any php file in the directory I could redirect the request to that page. This obviously sounds like a Local File Inclusion vulnerability. Here’s the problem: I can’t find a way to bypass the fact that whatever value you set the route variable to gets .php slapped onto the end of it, limiting me to .php files. Tried a null byte (/etc/passwd%00), as well as getting past the .php by path truncation (putting a crap ton of //// or /. after the filename) and no success. If someone has exploited this VM already, could they speak up and tell me if I’m on the right path or not? If not, does anyone have any ideas how to get past this filter so I can do some LFI exploitation?
…my bad… Still seems like the only plausible way in. That’s the only place where there is actually any user input to be manipulated. The way the web page works is that index.php contains nav.php and main.php (main page) in two frames. nav.php switches what content is displayed in place of main.php by calling content.php.
I guess I don’t understand what you mean… I am able to traverse directories. I can retrieve the files I know about by inputting ../../../../var/www/html/info or the like. So in theory, if I can bypass the .php filter at the end, then I could access system files.
Also, I don’t care if it’s a beginner thing or not, I’m looking for whatever I can get.
It seems it’s still not clear what you found exactly. What it sounded like was that it was purely a redirect. That is the address you put in is given back to your browser (with an added ‘.php’) and requested by the browser that way.
Now it’s starting to sound like it is an LFI after all. If so, here are some other things you can try:
You didn’t explicitly mention it, but you probably tried it: ../..../etc/passwd%00
Although it’s better to confirm that %00 isn’t working by trying something like: props.php%00
Wrappers!
Array?
I tried both of the null byte suggestions. I am unfamiliar with how I would use wrappers or arrays though. If you could provide examples that would be greatly appreciated :)
Also, I did find that if I added enough repeats of “../../” before the actual file path, php seems to truncate it, but in doing so cuts off the actual file path at the end. I may start trying to find exactly where it cuts off so that maybe I can just get .php to cut off.
That sounds like a good plan. ;) (Thought you already tried it, though.)
http://php.net/manual/en/wrappers.php
http://php.net/manual/en/function.parse-str.php
Alrighty, this has given me a few good vectors to look into. Thanks for the help dloser! I’ll let you know how it all goes :)
EDIT: So I discovered that the user can enter 4076 bytes before php truncates it or throws it out. I’m suspecting that it may just throw it out though. With the file extension, the maximum file path would be 4080 before it gets removed at 4081. I tried a 4080-byte path ending in ../var/www/html/props.php and php wouldn’t open the props.php page. However, with a 4076-byte path ending in ../var/www/html/props, plus the assumed 4 bytes of .php slapped onto the end, php is able to call the props.php file. I’ll probably keep poking this for a little bit, but most likely I’m going to have to move on unless you see a flaw in my logic.
SECOND EDIT: So I went back to the vulnhub page and people have submitted walkthroughs! Would anyone be willing to take a look and tell me if I’m on the right track?
Vulnhub page:
https://www.vulnhub.com/entry/milnet-1,148/
The walkthroughs are under the “walkthroughs” tab.
You’re close. Think encoding. Think wrappers.
(warning: heavy spoiler)
Base64
This is not the only way to do it though.
The second way is easier. Sometimes it’s easier to go for a shell straight away.
Hope the above helps.
I just started messing around with wrappers, actually. I managed to get the source code with php://filter/convert.base64-encode/ but I haven’t tried anything else. Not sure I want a heavy spoiler so I’m going to hold off on opening your suggestions until I try a little more on my own. Thank you for looking into this for me!
EDIT: I did some more research and I was able to execute commands via data:text/plain,<?php ?> and I got a shell! Thanks for the hints you guys!
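As an added example (not from this thread or the milnet VM itself), here is the defender's side of the `route` parameter discussed above: an allow-list lookup of the kind the vulnerable include is missing, and a scanner that flags traversal, null-byte, overlong and stream-wrapper values in access-log lines. The page names, the `route` parameter name, the log format and the log lines are all assumed or constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Pages nav.php legitimately switches between (names assumed for this example).
ALLOWED_ROUTES = {"main", "info", "props"}
MAX_LEN = 255  # a real page name is short; values near PHP's 4096-byte path limit are not page names

SUSPICIOUS = [
    (re.compile(r"\.\.[/\\]"), "directory traversal"),
    (re.compile(r"\x00"), "null byte"),
    (re.compile(r"^[a-z][a-z0-9.+-]*:", re.I), "stream wrapper / scheme prefix"),
]

def resolve_route(route):
    """Allow-list lookup: only a known page name maps to a file to include; anything
    else (traversal, wrappers, unknown names) resolves to None instead of a path."""
    return f"{route}.php" if route in ALLOWED_ROUTES else None

def classify_route(value):
    """Given the decoded route= value, return the reasons it looks hostile ([] = benign)."""
    reasons = [label for pattern, label in SUSPICIOUS if pattern.search(value)]
    if len(value) > MAX_LEN:
        reasons.append("overlong path (truncation attempt)")
    if not reasons and resolve_route(value) is None:
        reasons.append("unknown page name")
    return reasons

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return a list of (client_ip, route_value, reasons) for suspicious route= values."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlparse(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("route", []):
            reasons = classify_route(value)
            if reasons:
                hits.append((line.split(" ", 1)[0], value[:60], reasons))
    return hits

# Constructed access-log lines (not real milnet traffic) exercising each case.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "POST /content.php?route=main HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2016:10:00:07 +0000] "POST /content.php?route=../../../../etc/passwd%00 HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2016:10:00:09 +0000] "POST /content.php?route=php://filter/convert.base64-encode/resource=nav HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2016:10:00:12 +0000] "POST /content.php?route=' + "../" * 1400 + 'var/www/html/props HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} route={value!r}: {', '.join(reasons)}")
```

The first sample line is the legitimate page switch and produces no hit; the other three reproduce the null-byte, php://filter and long-traversal values from the thread and are each flagged.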