TryHackMe: File Inclusion room write-up

Cursemagic

4 min readOct 28, 2021

Hi, this is the write-up for File Inclusion, a part of Jr Penetration Tester path in TryHackMe. Let's get started!

Link to TryHackMe File Inclusion room: https://tryhackme.com/room/fileinc

Task 3 Path Traversal

What function causes path traversal vulnerabilities in PHP?

Ans: file_get_content

Task 4 Local File Inclusion

For Lab#1, we are just required to enter /etc/passwd on the input box.

Lab#2

Just simply type anything inside the box and we can see the include function.

The directory specified in the include function?

Ans: includes

Task 5 Local File Inclusion — LFI #2

Lab#3

This we need to place the “../../../../etc/passwd%00” on the url.

What does the request look like?

Ans: /lab3.php?file=../../../../etc/passwd%00

Lab#4

Simply input anything into the input box and we can see the function.

What function is causing the directory traversal in Lab#4?

Ans: file_get_contents

Lab#6

Again insert anything into the input box.

And we can see that “allowed files at THM-profile folder only”

What is the directory has to be in the input field?

Ans: THM-profile

Now, what is the os-release? Just input “THM-profile/../../../../etc/os-release” to the input box.

Ans: 12.04

TASK 8 CHALLENGE

CHALLENGE 1

The hint stated we need to change the method to POST. We can either try in burp suite or here. For this write-up, I use Mozilla inspector and change the method to POST. Then, input /etc/flag1 and press include.

Challenge 2

The hint stated “COOKIES”.

I change the value from guest to admin and refresh the page. New things appeared.

So, i guees we can try to change the value to the path we wanted. So, i place “../../../../etc/flag2” to the value and we get the flag.

CHALLENGE 3

I tried to input a few ways but it failed.

So, I go for Googling. So, I'm not sure too. But i changed the method to POST and let it intercept by the Burp.

Now encode the path to URL in burp. Remember to add “%00” behind the encoded value.

Now, place it on the file parameter.

And we get the flag!

For the last challenge, we need to place a “cmd shell” inside. So, I created a txt file with print hostname code inside.

Then, run the python3 server.

Run the wget to get files, but it failed.

So, let's remove wget. Run again.

And we get the hostname.

We are done!

Thank you for reading this write-up. This room is pretty fun as I met a lot of challenges too.

Any improvement can reach me through Twitter @curse_jk. or can buy me a coffee http://buymeacoffee.com/Cursemagic. Planning to get a new and better laptop to learn and gaming.