TryHackMe: File Inclusion room write-up

Hi, this is the write-up for File Inclusion, a part of Jr Penetration Tester path in TryHackMe. Let's get started!

Link to TryHackMe File Inclusion room:

Task 3 Path Traversal

What function causes path traversal vulnerabilities in PHP?

Ans: file_get_content

Task 4 Local File Inclusion

For Lab#1, we are just required to enter /etc/passwd on the input box.


Just simply type anything inside the box and we can see the include function.

The directory specified in the include function?

Ans: includes

Task 5 Local File Inclusion — LFI #2


This we need to place the “../../../../etc/passwd%00” on the url.

What does the request look like?

Ans: /lab3.php?file=../../../../etc/passwd%00


Simply input anything into the input box and we can see the function.

What function is causing the directory traversal in Lab#4?

Ans: file_get_contents


Again insert anything into the input box.

And we can see that “allowed files at THM-profile folder only”

What is the directory has to be in the input field?

Ans: THM-profile

Now, what is the os-release? Just input “THM-profile/../../../../etc/os-release” to the input box.

Ans: 12.04



The hint stated we need to change the method to POST. We can either try in burp suite or here. For this write-up, I use Mozilla inspector and change the method to POST. Then, input /etc/flag1 and press include.

Challenge 2

The hint stated “COOKIES”.

I change the value from guest to admin and refresh the page. New things appeared.

So, i guees we can try to change the value to the path we wanted. So, i place “../../../../etc/flag2” to the value and we get the flag.


I tried to input a few ways but it failed.

So, I go for Googling. So, I'm not sure too. But i changed the method to POST and let it intercept by the Burp.

Now encode the path to URL in burp. Remember to add “%00” behind the encoded value.

Now, place it on the file parameter.

And we get the flag!

For the last challenge, we need to place a “cmd shell” inside. So, I created a txt file with print hostname code inside.

Then, run the python3 server.

Run the wget to get files, but it failed.

So, let's remove wget. Run again.

And we get the hostname.

We are done!

Thank you for reading this write-up. This room is pretty fun as I met a lot of challenges too.

Any improvement can reach me through Twitter @curse_jk. or can buy me a coffee Planning to get a new and better laptop to learn and gaming.




Just learning, together we are strong.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Observability of SpringBoot Services in K8s with Prometheus and Grafana

My ultimate guide to the Raspberry pi audio server I wanted — Pulseaudio TCP

Service-to-service Spring 5 + OAuth2 integration

The Android Activity Lifecycle

March 2020

SQL Stored Procedures

Pivoting Sentry DashCam Wireless Bridge for Teslas

How to Become Better at Program Structure

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Just learning, together we are strong.

More from Medium

TryHackMe: Git and Crumpets Walkthrough

TryHackMe GamingServer Walkthrough

TryHackMe CVE-2021–41773/42013 Write-up SMN666

Vulnhub: basic pentesting 1 (Walkthrough)