Untitled

This website has a ‘filename’ parameter and a ‘hash’ parameter, which is the hash of the file being served.

In this case we’ll use RFI (Remote File Inclusion) instead of LFI (Local File Inclusion) from Flag 1.

An nmap scan of the target shows a Windows host running IIS.

nmap -sV -sC 172.25.0.11


I always create a fresh folder when I tackle machines or series like this. I would definitely suggest doing that.

In this case, we’ll need to host a web server on our Kali machine that contains a file that will instruct the webserver to:

The source code for the web page is provided on the front page. The vulnerable piece of code is here:


Include statements like this are extremely dangerous. The website will include whatever file is handed to the $localname parameter, with no validation. If we can get the machine to execute attacker-controlled PHP, the game is up!

Any time this is the case, I will try a Nishang shell first.

<https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1>


Base64 encoding will be necessary here because of all the special characters in the line we just copied. In addition to this, the text must be encoded as UTF-16LE (Little Endian) before it is Base64 encoded, because that is the byte layout PowerShell on Windows expects for an encoded command.

Are you scratching your head right now? —Hopefully! Here’s an important example. You don’t have to do this part, but really think about it.

On my Kali Linux machine, I’ll create a text file like this:

The iCSI Cyber Range is going to crash hard eventually and Mr. Beck will have a very long night!

If I save this file and look at the hex using the xxd command, I can see that each character is stored as a single byte, shown as two hexadecimal digits:
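The encoding step described above, worked through in Python as an added example (not the post's own code): the same sentence dumped xxd-style as one-byte ASCII and as two-byte UTF-16LE, a helper that produces the Base64-of-UTF-16LE form PowerShell expects, and the reverse step an analyst uses to read an encoded command back out of process-creation logs. The benign `Write-Output` command and the `looks_like_utf16le` heuristic are assumptions made for the example.

```python
import base64

# Constructed sample: the same sentence the post saves to a text file.
SAMPLE_LINE = ("The iCSI Cyber Range is going to crash hard eventually "
               "and Mr. Beck will have a very long night!")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes xxd-style: offset, hex byte pairs, printable ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {hexpart:<{width * 3 - 1}}  {text}")
    return rows


def encode_powershell_command(script: str) -> str:
    """Base64 of the UTF-16LE bytes, the form PowerShell's -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Reverse step an analyst applies to an encoded command found in a log."""
    return base64.b64decode(b64).decode("utf-16-le")


def looks_like_utf16le(b64: str) -> bool:
    """Heuristic (assumption): ASCII text in UTF-16LE has a NUL in every odd byte."""
    raw = base64.b64decode(b64)
    return len(raw) > 0 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


if __name__ == "__main__":
    ascii_bytes = SAMPLE_LINE.encode("ascii")
    utf16_bytes = SAMPLE_LINE.encode("utf-16-le")
    print("ASCII, one byte per character:")
    print("\n".join(hexdump(ascii_bytes)[:2]))
    print("UTF-16LE, two bytes per character (note the 00 after each letter):")
    print("\n".join(hexdump(utf16_bytes)[:2]))
    cmd = "Write-Output 'encoding check'"  # benign stand-in command
    good = encode_powershell_command(cmd)
    bad = base64.b64encode(cmd.encode("utf-8")).decode("ascii")  # common mistake
    print("correct:", good, "->", decode_powershell_command(good))
    print("utf-8 by mistake:", bad, "looks like utf-16le?", looks_like_utf16le(bad))
```

The second hexdump is twice as long as the first and every other byte is 00, which is exactly what Windows expects after Base64 decoding; encoding UTF-8 by mistake produces a blob PowerShell will not interpret correctly.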