first commit

.docker/hidden_fl4g.txt

@@ -0,0 +1,2 @@
+Well Done.
+Flag is "LFI_Can_L3ad_T0_RCE"

.docker/mycron

@@ -0,0 +1 @@
+* * * * * /bin/resetApache >> /var/log/cron.log 2>&1

.docker/scr

@@ -0,0 +1,4 @@
+#!/bin/bash
+date >> /var/log/cron.log
+rm /var/log/apache2/*
+/usr/sbin/apache2ctl restart

.docker/supervisord.conf

@@ -0,0 +1,13 @@
+[supervisord]
+nodaemon=true
+logfile = /var/log/supervisord.log
+logfile_maxbytes = 50MB
+logfile_backups=10
+
+[program:cron]
+autorestart=false
+command=cron -f
+
+[program:apache2]
+autorestart=false
+command=/usr/sbin/apache2ctl -D FOREGROUND

Dockerfile

@@ -0,0 +1,18 @@
+FROM php:8.0-apache
+
+COPY ./src/ /var/www/html
+RUN chown -R www-data:www-data /var/www/html
+RUN rm /var/log/apache2/*
+RUN apache2ctl restart
+RUN chown -R root:www-data /var/log/apache2/
+COPY .docker/hidden_fl4g.txt /
+RUN chmod +r /hidden_fl4g.txt
+RUN rm -rf /var/www/html/.docker/
+COPY .docker/scr /bin/resetApache
+RUN chmod +x /bin/resetApache
+RUN apt-get update && apt-get -y install cron supervisor
+COPY .docker/mycron /etc/cron.d/mycron
+RUN chmod 0644 /etc/cron.d/mycron
+RUN crontab /etc/cron.d/mycron
+COPY .docker/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+CMD /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

README.md

@@ -0,0 +1,31 @@
+![Docker Image Size (latest by date)](https://img.shields.io/docker/image-size/moeinfatehi/lfi-to-rce)
+![Docker Pulls](https://img.shields.io/docker/pulls/moeinfatehi/lfi-to-rce)
+# LFI to RCE Scenario (challenge)
+This repository is a Dockerized php application containing a LFI (Local File Inclusion) vulnerability which can lead to RCE (Remote Code Execution).<br><br>
+The ideas behind the challenge are:</br>
+* Bypass path traversal sanitization
+* Execute OS command through LFI vulnerability.
+
+# Quick Start Using Docker
+**Using docker hub (Quickest):**
+1. To access the challenges, you need <a href="https://docs.docker.com/install">docker</a> installed.</br>
+2. Run this command to pull and run the image from docker hub:</br>`sudo docker run -d -p 9005:80 moeinfatehi/lfi-to-rce`
+3. Access the challenges with this URL: <a href="http://localhost:9005">http://localhost:9005</a></br></br>
+
+Help:
+```
+-d: detached mode (You can use terminal after running command
+-p: specifies port (you can change 9005 to whatever you want. If you don't have a web server on your host, set it to 80)
+```
+
+**Using docker-compose:**  
+1. To access the challenges, you need <a href="https://docs.docker.com/install">docker</a> and <a href="https://docs.docker.com/compose/install/">docker-compose</a> installed.</br>
+2. Clone the repository</br>`git clone https://github.com/moeinfatehi/lfi-to-rce.git`
+3. Open the main directory of the project (where docker-compose.yml file exists) and run: `docker-compose up`
+4. Access the challenges with this URL: <a href="http://localhost:9005">http://localhost:9005</a>
+
+# Disclaimer
+This project is for Educational purpose ONLY. The usual disclaimer applies, especially the fact that I'm not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these project you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of this program is not my responsibility.
+
+# Hack and have fun !
+If you have any further questions, please don't hesitate to contact me via my <a href="https://twitter.com/MoeinFatehi">twitter</a> account.

docker-compose.yml

@@ -0,0 +1,12 @@
+version: '3'
+services:
+  web:
+    container_name: lfi-to-rce
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - 9005:80
+    volumes:
+       - ./src/:/var/www/html/
+    image: moeinfatehi/lfi-to-rce:latest

src/files/ctf.txt

@@ -0,0 +1 @@
+There are a lot of Capture The Flag (CTF) competitions in our days, some of them have excelent tasks.

src/footer.php

@@ -0,0 +1,21 @@
+
+
+<?php
+/**
+ * Created by PhpStorm.
+ * User: moein
+ * Date: 12/12/18
+ * Time: 1:43 PM
+ */
+?>
+<link rel="stylesheet" href="static/css/bootstrap.min.css">
+<link rel="stylesheet" href="static/css/font-awesome.min.css">
+<div class="footer text-center navbar-fixed-bottom">
+    <hr>
+    <div class="logo">
+        <a href="https://twitter.com/MoeinFatehi" title="Twitter" target="_blank"><i class="fa fa-twitter-square fa-3x twitter-icon"></i></a>
+        <a href="https://github.com/moeinfatehi" title="Github" target="_blank"><i class="fa fa-github-square fa-3x github-icon"></i></a>
+        <a href="https://www.linkedin.com/in/moein-fatehi-87a35936/" title="Linkedin" target="_blank"><i class="fa fa-linkedin-square fa-3x linkedin-icon"></i></a>
+    </div>
+    <p>If you need the solutions, follow <a href="https://twitter.com/MoeinFatehi">@MoeinFatehi</a> on twitter and ask for cheat sheet.</p>
+</div>

src/index.php

@@ -0,0 +1,43 @@
+
+<html>
+<head>
+    <title>LFI to RCE</title>
+</head>
+<body>
+<div id="main">
+    <div class="container">
+        <div class="row">
+            <h1>CTF</h1>
+        </div>
+        <div class="row">
+            <p class="lead">
+                Do some bypass to find the flag.<br />
+            </p>
+        </div>
+    </div>
+</div>
+<div class="container">
+
+    <?php
+    $f='ctf.txt';
+    echo "<a class=\"btn btn-primary\" href=\".?file=$f\" /> What is CTF? </a><br><br>";
+
+    if($file=$_GET['file']){
+        $file=str_replace("../","",$file);
+        if($file!="../index.php"){
+            include('files/'.$file);
+        }
+    }
+    ?>
+
+    <!--Hint: Find the flag in the root directory--!>
+    <!--For ease of use, the webserver will reset every minute.--!>
+
+</div>
+<script type="text/javascript" src="static/js/bootstrap.min.js"></script>
+</body>
+</html>
+
+<?php
+include ("footer.php");
+?>