
RCE Lab Tasks

This week in the lab we will look at Remote Code Execution and file-include-style vulnerabilities.

You can complete these tasks in the Web Trainer.

Task 1: Remote Code Execution

Take a look at the Python-based RCE. Try to get remote code execution with the following code:

data = input(">")
print (eval(data))

Note

We are using eval to fake the old version of input in Python 3. The code below will work, though.

Task 2: Directory Traversal through File Includes

Follow the instructions in What is LFI and try to read the /etc/passwd file on the remote system.

Task 3: Remote File Includes

Read the materials on Remote File Includes and try to get a remote shell using Remote File Includes.

Part 4: Dropping a Shell through LFI

Now try to get a shell using Local File Includes.

Optional: Log file poisoning.

There are also a couple of examples of log file poisoning. Feel free to work through these to get a shell on the remote machine. There are some notes on Log File Poisoning.

RCE through the Apache Log

Use this Docker image to get RCE through the Apache log:

  • docker run --rm dang42/245_ctf_lfi_apache

RCE through another Service

There is a second example where we can get log file poisoning through a different means:

  • docker run --rm dang42/245_lfi_2

Hints

  • You can't read the Apache log.
  • Try to see what services are running on the remote (port scanning).
  • Where do they log information (especially failed attempts)?