TryHackMe’s File Inclusion — This room introduces file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal | Karthikeyan Nagaraj

Make Sure to Connect with TryHackMe’s VPN to Attack box to access the Machine

Task 3 — Path Traversal

• Also known as Directory traversal, a web security vulnerability allows an attacker to read operating system resources, such as local files on the server running an application.
• The attacker exploits this vulnerability by manipulating and abusing the web application’s URL to locate and access files or directories stored outside the application’s root directory.
• Path traversal vulnerabilities occur when the user’s input is passed to a function such as file_get_contents in PHP.

1. What function causes path traversal vulnerabilities in PHP?

Ans: file_get_contents

Task 4 — Local File Inclusion — LFI

1. Give Lab #1 a try to read /etc/passwd. What would the request URI be?

Ans: /lab1.php?file=/etc/passwd

2. In Lab #2, what is the directory specified in the include function?

Ans: includes

Task 5— Local File Inclusion — LFI #2

1. Give Lab #3 a try to read /etc/passwd. What is the request look like?

If we put our payload into the text field “File Name” the path gets encoded, so we have to inject the payload into the search bar as below

http://<MACHINE-IP>/lab3.php?file=../../../../etc/passwd%00

Ans: lab3.php?file=../../../../etc/passwd%00

2. Which function is causing the directory traversal in Lab #4?

Ans: file_get_contents

3. Try out Lab #6 and check what is the directory that has to be in the input field?

Ans: THM-profile

4. Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

Ans: 12.04

Task 6 — Remote File Inclusion — RFI

• Remote File Inclusion (RFI) is a technique to include remote files and into a vulnerable application.
• Like LFI, the RFI occurs when improperly sanitizing user input, allowing an attacker to inject an external URL into include function.
• One requirement for RFI is that the allow_url_fopen option needs to be on.

The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:

• Sensitive Information Disclosure
• Cross-site Scripting (XSS)
• Denial of Service (DoS)

Task 7 — Remediation

1. Keep system and services, including web application frameworks, updated with the latest version.
2. Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
3. A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
4. Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn’t need them, such as allow_url_fopen on and allow_url_include.
5. Carefully analyze the web application and allow only protocols and PHP wrappers that are in need.
6. Never trust user input, and make sure to implement proper input validation against file inclusion.
7. Implement whitelisting for file names and locations as well as blacklisting.

Task 8 — Challenge

Navigate to http://<machine-ip>/challenges/index.php

1. Capture Flag1 at /etc/flag1

Ans: F1x3d-iNpu7-f0rrn

2. Capture Flag2 at /etc/flag2

Ans: c00k13_i5_yuMmy1

3. Capture Flag2 at /etc/flag3

Ans: P0st_1s_w0rk1in9

4. Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Ans: lfi-vm-thm-f8c5b1a78692

Detailed Explanation will be given in the Upcoming post

Author: Karthikeyan Nagaraj ~ Cyberw1ng