File Inclusion

This is my first write up so bear with me, I will be trying to document my thought process throughout and how I came to the solution.

What is covered in this room?

1. File Inclusion (LFI and RFI) and Directory/Path Traversal

A useful description of Local File Inclusion and Remote File Inclusion attacks and how they are performed, as well as an explanation of how Directory/Path Traversal works: using ../ lets an attacker step up the file hierarchy on the system to access files or directories they were not intended to be able to reach. This is also commonly known as the dot-dot-slash attack and is a very common form of file inclusion attack.

2. Which files and directories to look out for

We are given certain folders and files to look out for on different systems, e.g. /etc/passwd, /etc/shadow, /proc/version, /boot.ini, /windows/win.ini, etc.

These files often contain sensitive information for both users and the operating system itself.

I will finish the writeup of the other topics covered in this section later.

Challenges Walkthrough

Flag 1

I found the first challenge quite straightforward; we are required to "Capture Flag1 at /etc/flag1".

As you can see in the screenshot, the input form is broken and we need to send a POST request to the URL with a file parameter. If you enter any text into the form and click submit, it just reloads the page.

The next thing I tried was editing the URL to produce an error so we could see whereabouts we were; again nothing. I opened devtools and had a look at the form, and noticed the form method was a GET request.

I changed the method to POST, entered some text into the input and hit submit, and then got the error I was looking for.

Error message on-screen

From here I could see the path we were in, /var/www/html/. I changed the method back to POST again and used path traversal to get to the root of the filesystem, then navigated to the /etc/ folder to receive our flag, like this: ../../../../etc/flag1.

Contents of the file with the flag.

It would be useful to mention that after completing the flag I checked the hint, and it mentioned that I could have used BurpSuite to do this as well. Unfortunately I have never used BurpSuite, so hopefully I will be able to use it in the future!

Flag 2

Flag 2 I found quite a bit more difficult than the first. It asks you to refresh the page, which, when done, shows a welcome message and says that you must be an admin to view this page.

Page after refresh.

The first thing I thought to do was check whether any cookies were set; there is one, with the value 'Guest'. I changed this to Admin and refreshed the page. You then see a similar layout to the previous flag, but with a welcome message in the File Contents Preview and some errors.

Page after updating the cookie.

I spent some time messing around with the URL, trying to add a query parameter in a similar way to the other flag, but this never returned anything. After some time I gave in and checked the hint, which told me to check the cookies. That was the first thing I had thought to do, so I was stumped.

Then I read the errors on the page again and a lightbulb went off: it appears that the included file is built from the value of the cookie, which I noticed mainly because I had capitalised the A in Admin when I changed the value. I changed the cookie value to the location of the flag in the same way as in the previous flag and hit refresh, but noticed I still had an error on the page.

The file location is correct, but they're adding a .php extension to the end.

After checking I noticed that they are adding a .php file extension to the end. I decided adding a null byte to the end of the value would solve this problem, and after doing so and refreshing I had the flag.

The edited cookie shown.
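One way to close both the traversal used for Flag 1 and the null-byte trick used for Flag 2 is to resolve the user-supplied name against the web root before it ever reaches include(). The following is an added example, not the room's code; it assumes the web root /var/www/html/ shown in the error message and that the cookie value has ".php" appended, as described above.

```php
<?php
// Added example, not the room's code: a containment check that would have stopped
// the traversal used for Flag 1 and the null-byte trick used for Flag 2.
// The web root /var/www/html/ comes from the error message shown earlier.

// Lexically resolve $userPath against $root and return the absolute path, or null
// if the result would leave $root or the input is malformed. Working on the string
// (rather than realpath()) gives the same answer whether or not the target exists.
function resolve_under_root(string $root, string $userPath): ?string
{
    // A NUL byte is what cut the string short before ".php" was appended in
    // Flag 2 (PHP < 5.3.4); no control character is ever a valid file name.
    if (preg_match('/[\x00-\x1f]/', $userPath)) {
        return null;
    }
    // Treat backslashes as separators so "..\" cannot slip past the check.
    $userPath = str_replace('\\', '/', $userPath);
    $parts = explode('/', rtrim($root, '/'));  // segment stack, starts as root
    $depth = count($parts);                    // segments that must remain
    foreach (explode('/', $userPath) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                          // "//" and "./" are no-ops
        }
        if ($seg === '..') {
            if (count($parts) <= $depth) {
                return null;                   // would step above the root
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return implode('/', $parts);
}

// Replacement for an include($cookieValue . '.php') such as the one behind Flag 2.
function safe_include(string $root, string $userValue): string
{
    $file = resolve_under_root($root, $userValue . '.php');
    if ($file === null || !is_file($file)) {
        return 'file not found';               // never echo the raw value back
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

// Constructed inputs from the write-up: the two attack strings are rejected,
// the plain page name resolves to a path inside the web root.
foreach (['../../../../etc/flag1', "../../../../etc/flag2\0", 'pages/admin'] as $p) {
    printf("%-26s => %s\n", addcslashes($p, "\0"), resolve_under_root('/var/www/html/', $p) ?? 'rejected');
}
```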

Flag 3

In Flag 3 the first thing I did was enter some values into the form (first a random string of letters, then /etc/flag3 and then ../../../../etc/flag3). I noticed from the on-screen error that for the latter two the slashes, periods and numbers were being removed by sanitisation.

Special characters and numbers being removed by sanitisation.

I decided to check the hint as I needed some extra guidance, and it had two! The first said "Not everything is filtered" and the second said "The website uses $_REQUESTS to accept HTTP requests. Do research to understand it and what it accepts!".

Being a PHP developer myself, I thankfully already knew what the $_REQUEST variable does: it contains an array of HTTP request variables, e.g. $_GET, $_POST and $_COOKIE.

I then spent quite a lot of time messing around and struggling, trying different things that didn't seem to work, e.g. using the Network tab in devtools to edit the request, change the method to POST and edit the payload, but nothing seemed to work.

This is when I went looking for some help and came across a blog post that explained things (https://amandinegh.gitbook.io/cyberadventure/tryhackme/file-inclusion-room). Unfortunately, even with the explanation I couldn't manage to get the flag myself. I opened Postman to see if I had any more luck there, and again nothing.

I then decided I would just try and send a POST request using cURL to see if I got a different response. I prepared the request and sent it, and it returned the flag:

curl -X POST http://10.10.54.16/challenges/chall3.php -d 'method=POST&file=../../../../etc/flag3%00' --output -

Seemingly the only thing that needed changing was the request method from GET to POST. Sadly I wasn't able to replicate this in either devtools or Postman, so I'm not 100% sure what the issue was, but we still got the flag...

The output of the cURL request with the flag.
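The hints for Flag 3 describe a filter applied to one input source while include() reads $_REQUEST. This added example, not the room's source, reconstructs that pattern as an assumption (the room's real code is not shown) next to a version that reads a single source and maps it through an allow-list, which also leaves nothing user-controlled for a remote URL to reach include() through.

```php
<?php
// Added example, not the room's source: the handling pattern the Flag 3 hints
// describe, reconstructed as an assumption, beside a corrected version.

// Flawed: the filter runs on $_GET['file'], but the include reads $_REQUEST['file'],
// which merges GET, POST and cookie data. A value sent in a POST body therefore
// never meets the filter, which is what the cURL request above relied on.
function flawed_pick_file(array $get, array $request): string
{
    $raw   = $get['file'] ?? '';
    $clean = preg_replace('#[./0-9]#', '', $raw);   // strip slashes, dots, digits
    if ($clean !== $raw) {
        return 'input rejected';
    }
    return $request['file'] ?? '';                   // unfiltered if it came via POST
}

// Corrected: read one source only, validate that exact value, and map it through
// an allow-list so no user-controlled string is ever used as a path (or a URL).
const PAGES = ['about' => 'pages/about.php', 'help' => 'pages/help.php'];

function safe_pick_file(array $post): ?string
{
    $name = $post['file'] ?? '';
    if (!preg_match('/\A[a-z]{1,32}\z/', $name)) {
        return null;
    }
    return PAGES[$name] ?? null;
}

// Constructed request shaped like the write-up's cURL call: the file value is in
// the POST body, $_GET is empty, and $_REQUEST is GET overlaid by POST (the
// default request_order of "GP").
$get     = [];
$post    = ['method' => 'POST', 'file' => "../../../../etc/flag3\0"];
$request = array_merge($get, $post);
printf("flawed: %s\n", addcslashes(flawed_pick_file($get, $request), "\0"));
printf("safe  : %s\n", safe_pick_file($post) ?? 'rejected');
```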

RFI

The final section wants us to gain RCE in the Lab playground with RFI to execute the hostname command.

To start I did some research on what I was being asked. I established that I needed to create a payload, in this case a PHP file that prints out the server hostname.

This was simple enough, so I created a new file in my root directory that echoed out the hostname.

<?php
// Returns the server hostname (the comment sits inside the PHP tags so it is not printed)
echo gethostname();
?>

After the payload was sorted, from my research I noted that I had to set up a generic web server. I decided to do this with Python as I deemed it would be the quickest to do, which it was.

After the server was up and running the only thing left to do was to enter the payload into the URL bar and see if it worked.

Unfortunately we got an error because the method we used was undefined; I checked and found a different method to get the hostname for earlier versions of PHP and tried again.

<?php
// Updated code: php_uname("n") returns the hostname, including on older PHP versions
echo php_uname("n");
?>

And as you can see this worked fine and we got the server hostname and completed all the flags for this section!
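The RFI step above only works because the server's include() is allowed to fetch URLs. This added example, not the room's code, reports the interpreter directives that enable that and rejects any URL or stream wrapper before it reaches include(); ATTACKER-HOST is a placeholder for the payload server.

```php
<?php
// Added example, not the room's code: the two server-side conditions behind the
// RFI step. include() only fetches an http:// payload like the one above when
// allow_url_include is On, and it should never be handed a URL or wrapper at all.

// True for anything a stream wrapper would handle instead of the local disk:
// http://, ftp://, data:, php://, phar://, expect:// and so on. The scheme must be
// at least two characters so a Windows drive letter such as C: is not flagged.
function is_remote_or_wrapper(string $path): bool
{
    return (bool) preg_match('#\A[a-z][a-z0-9+.\-]+:#i', $path);
}

// Names of the directives that are still enabled. allow_url_include is the one
// that turns a file inclusion bug into RFI and must be Off; allow_url_fopen is
// On by default and is listed because allow_url_include depends on it.
function risky_include_settings(): array
{
    $enabled = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $directive;
        }
    }
    return $enabled;
}

// Constructed inputs: a local page name and the payload URL shape from the
// write-up (the attacker host is a placeholder).
foreach (['about', 'http://ATTACKER-HOST/payload.php', 'ftp://ATTACKER-HOST/payload.php'] as $p) {
    printf("%-36s %s\n", $p, is_remote_or_wrapper($p) ? 'blocked' : 'local');
}
printf("still enabled: %s\n", implode(', ', risky_include_settings()) ?: 'none');
```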

Conclusion

All in all I really enjoyed this section. Although it did take me quite a while to complete and definitely pushed my knowledge, I have learnt a lot from it that will undoubtedly help me in the next ones.
