Wednesday, 16 September 2020

Local File Inclusion to RCE

Below are rough notes on a recent HTB machine where a Local File Inclusion (LFI) led to Remote Code Execution (RCE) and full access to the machine.

nmap returned a lot of open ports; running a directory browser with OWASP ZAP turned up multiple web apps. One app kindly included its version number on the page, which made searching for known exploits very easy.

vTiger CRM 5.1.0 turned up details of an LFI on exploit-db, which worked without much tweaking. The eventual path to /etc/passwd showed the app was vulnerable:

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

Using Burp Suite I ran a list of paths against the URL and was able to gain access to the access.log and the error.log.
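The same web server logs that make the log-poisoning step possible are also where a defender would catch this whole chain: the traversal and null-byte request shown above, the requests that pull access.log and error.log through the include, and the PHP tag in a Referer header that the post describes next. The following detector is an added example written for this page, not code from the original post or from the vTiger project. It assumes Apache's default "combined" LogFormat; the sample log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat (assumption; adjust the regex if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files an LFI is usually pointed at: /etc/passwd proves the bug exists, the web
# server's own logs are the stepping stone from file read to code execution.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "access.log", "error.log", "/proc/self/environ")

# A PHP open tag or an execution function inside a request header is the signature
# of log poisoning: the value is sent so that it gets written to the log and is
# later executed when the vulnerable script includes that log file.
PHP_TAG_RE = re.compile(
    r"<\?(php|=)|\b(system|exec|passthru|shell_exec|eval)\s*\(", re.IGNORECASE
)

# Constructed sample log (not from the original post): one clean request, then the
# traversal/null-byte read of /etc/passwd, a read of access.log with a PHP tag in
# the Referer, and a non-null-byte traversal variant.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2020:10:01:02 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Sep/2020:10:02:17 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Sep/2020:10:03:40 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/log/apache2/access.log%00 HTTP/1.1" 200 90211 "<?php echo 'poisoned'; ?>" "Mozilla/5.0"
10.0.0.9 - - [16/Sep/2020:10:03:41 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=....//....//etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
"""


def classify_request(raw_path, referer="-", user_agent="-"):
    """Return a list of finding labels for one request; empty means it looks clean."""
    findings = []
    # Decode twice so double-encoded traversal (%252e%252e%252f) is caught as well.
    decoded = unquote(unquote(raw_path))
    if re.search(r"\.\.[/\\]", decoded):
        findings.append("path-traversal")
    if "%00" in raw_path.lower() or "\x00" in decoded:
        findings.append("null-byte")
    if any(s in decoded.lower() for s in SENSITIVE_PATHS):
        findings.append("sensitive-file")
    for header_name, value in (("referer", referer), ("user-agent", user_agent)):
        if PHP_TAG_RE.search(value):
            findings.append(f"php-in-{header_name}")
    return findings


def analyse_log(text):
    """Parse combined-format lines and return only the ones that raise a finding."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess at fields
        findings = classify_request(m["path"], m["referer"], m["ua"])
        if findings:
            hits.append({"line": number, "ip": m["ip"], "path": m["path"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['ip']}: {', '.join(hit['findings'])}")
```

Run over the constructed sample, lines 2 to 4 are reported and line 1 is not; the "sensitive-file" label on a request for access.log or error.log, followed shortly by a PHP tag in a header from the same client, is the sequence worth alerting on, because it is exactly the read-then-poison order the post describes.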


Once I discovered this I was able to add a Referer header to the requests and include system commands. The command below allowed me to upload a PHP reverse shell.



Once the reverse shell was uploaded I gained user-level access. sudo -l showed a lot of commands the user could run as root without a password, including chmod, so I was quickly able to gain root.
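The sudo configuration is the part of this chain that is easiest to fix and to audit for. The following is an added example for this page, not code from the original post: it parses the kind of listing sudo -l prints and flags rules that need attention, namely NOPASSWD rules, rules that allow ALL commands, and rules that hand a root-run file-permission utility such as chmod to an unprivileged account (which, as the post shows, is effectively the same as ALL). The sudo -l output is constructed, not the real output from the machine.

```python
import re

# Constructed `sudo -l` output modelled on the listing the post describes
# (not the real output from the machine).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on this host:
    env_reset, mail_badpass

User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chmod
    (root) /usr/sbin/service apache2 restart
    (ALL : ALL) NOPASSWD: ALL
"""

# One rule line: "(runas) TAG: TAG: command, command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+?)\s*$")

# Utilities that, run as root without a password, give control over the permissions
# or ownership of any file; treat a rule granting them like an unrestricted rule.
PERMISSION_UTILITIES = {"chmod", "chown"}


def parse_sudo_l(text):
    """Turn the command section of `sudo -l` output into a list of rule dicts."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line; skip rather than guess
        tags = {t.strip(":") for t in m["tags"].split()}
        commands = [c.strip() for c in m["commands"].split(",")]
        rules.append({"runas": m["runas"].strip(), "tags": tags, "commands": commands})
    return rules


def audit_rules(rules):
    """Return one finding per command that a hardening review should look at."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            binary = "ALL" if cmd == "ALL" else cmd.split()[0]
            name = binary.rsplit("/", 1)[-1]
            problems = []
            if "NOPASSWD" in rule["tags"]:
                problems.append("nopasswd")
            if cmd == "ALL":
                problems.append("unrestricted")
            if name in PERMISSION_UTILITIES:
                problems.append("permission-utility")
            if problems:
                findings.append({"runas": rule["runas"], "command": cmd, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({f['runas']}) {f['command']}: {', '.join(f['problems'])}")
```

On the constructed listing the service rule is not reported (a fixed command line, password required) while the chmod and ALL rules are; the fix in both cases is to drop NOPASSWD and restrict the rule to the exact command line the service account actually needs.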

Ref: Some great notes on taking advantage of an LFI here