TRY HACK ME: Write-Up Module- Web Hacking: File Inclusion

Shefali Kumari
5 min read · Oct 19, 2021

(Hi People, just wanted to inform you that due to the copyright issue that TryHackMe has claimed on this particular article I am expected to remove all the text that belongs to THM for this particular room except for the lab solutions that I have taken from my own VM machines and posted here).

To know the contents please visit TryHackMe for the same room on File Inclusion and visit here to know the solutions.


Task 2 Deploy the VM-

After deploying the VM, please visit http://10.10.193.48/ to solve the labs:

Task 3 Path Traversal-

Path Traversal

Also known as directory traversal, this web security vulnerability allows an attacker to read operating system resources, such as local files on the server running an application. The attacker exploits this vulnerability by manipulating and abusing the web application’s URL to locate and access files or directories stored outside the application’s root directory.

An example of what directory traversal looks like-

As a result, the web application sends back the file’s content to the user.

Answer to the questions of this section-

Task 4 Local File Inclusion — LFI

Local File Inclusion (LFI)

LFI attacks against web applications are often due to a developer’s lack of security awareness. In PHP, functions such as include, require, include_once, and require_once often contribute to vulnerable web applications. In this room, we’ll be picking on PHP, but it’s worth noting that LFI vulnerabilities also occur in other languages such as ASP and JSP, and even in Node.js apps. LFI exploits follow the same concepts as path traversal.

Answer to the questions of this section-

LAB1: Solution

LAB2: Solution

Task 5 Local File Inclusion — LFI #2

In this task, we go a little bit deeper into LFI. We discussed a couple of techniques to bypass the filter within the include function.

Answer to the questions of this section-

LAB 3: Solution

LAB 4: Solution

LAB 5: Solution

LAB 6: Solution

Task 6 Remote File Inclusion — RFI

Remote File Inclusion — RFI

Remote File Inclusion (RFI) is a technique to include remote files into a vulnerable application. Like LFI, RFI occurs when user input is improperly sanitized, allowing an attacker to inject an external URL into the include function. One requirement for RFI is that the allow_url_fopen option needs to be on.

LAB Playground- Solution

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Create cmd.txt file -

Code inside cmd.txt file-

Start your [default in-built] Python server using python3 -m http.server 9001 [9001 is a random port]

Navigate to http://10.10.222.25:9001 in the browser to view your cmd.txt

Do RFI in the Playground parameter-

Task 7 Remediation:

The remediation steps are provided in the TryHackMe room itself. Please visit the room to learn the remediations.
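
The following PHP example is added here and is not taken from the TryHackMe room or from this write-up's labs: it validates an include parameter and runs it against the kinds of input used in Tasks 3 to 8. The function name resolve_page, the temporary pages directory and the allow-list are assumptions made for the demonstration.

```php
<?php
// Added example, not from the TryHackMe room. Directory and page names are constructed.

function resolve_page($name, string $baseDir, array $allowed): ?string
{
    // Parameters can arrive as arrays (file[]=x); accept plain strings only.
    if (!is_string($name)) {
        return null;
    }
    // Reject NUL bytes (the decoded %00) and URL schemes (remote inclusion).
    if (strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        return null;
    }
    // Allow-list of known page names, compared strictly.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise, then confirm the file is under the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding one legitimate page.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($pages)) {
    mkdir($pages);
}
file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';");

$inputs = [
    'home',                             // legitimate page name
    '../../../../etc/flag1',            // traversal value from FLAG 1
    "../../../../etc/flag2\0",          // FLAG 2 value after %00 is decoded
    'http://10.10.222.25:9001/cmd.txt', // remote URL from the playground lab
    ['home'],                           // array-typed parameter
];
foreach ($inputs as $input) {
    $path = resolve_page($input, $pages, ['home']);
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ',
        ($path === null ? 'rejected' : "include $path"), PHP_EOL;
}
```

The same function should be applied to every source the application reads the value from (query string, POST body and cookies). In php.ini, keeping allow_url_include set to Off and restricting open_basedir to the application directory limits the damage if such a check is missed.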

Task 8 Challenge:

Make sure the attached VM is up and running then visit: http://10.10.193.48/challenges/index.php

Answer to the questions of this section-

FLAG 1: Use Burp Suite to change the parameter in the request and Repeater tab

Change the GET method to the POST method in the request using Burp Suite and set the file parameter = ../../../../etc/flag1

FLAG 2: Use Burp Suite to change the parameter in the request and Repeater tab

First, change the cookie parameter THM to admin; then, once you are logged in as Admin, change THM to ../../../../etc/flag2%00

THM=admin; send the request

And then change the THM value to ../../../../etc/flag2%00

FLAG 3: Use Burp Suite to change the parameter in the request and Repeater tab

Change the GET method to the POST method in the request using Burp Suite and set the file parameter = ../../../../etc/flag3%00

LAB Playground is already solved in Task 6 RFI.

That is all for this Write-up, hoping this will help you in solving the challenges of File Inclusion room. Have Fun and Enjoy Hacking!

Do visit other rooms and modules on TryHackMe for more learning.

-by Shefali Kumari
