File Inclusion Introduction

We covered file inclusion vulnerabilities, both local and remote, and explained methods of bypassing filters. This was part of the TryHackMe Junior Penetration Tester learning path.

This room aims to equip you with the essential knowledge to exploit file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal. Also, we will discuss the risk of these vulnerabilities if they’re found and the required remediation. We provide some practical examples of each vulnerability as well as hands-on challenges.

In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input.

Setting Up the Environment:

  • Viewers are instructed to deploy a virtual machine and use the provided IP address to access the labs.
  • Several labs are introduced, each designed to demonstrate different aspects of file inclusion vulnerabilities.

Lab 1: Basic File Inclusion:

  • The first lab demonstrates a basic file inclusion vulnerability.
  • A form is provided where users can submit a file name (e.g., welcome.php). The server then includes this file from the web server’s directory.
  • The attacker manipulates the URL to access sensitive files such as /etc/passwd, which contains user account information on Linux systems.
  • This basic vulnerability allows attackers to bypass restrictions and access unauthorized files.

Lab 2: Include Function Directory:

  • In this lab, the focus is on understanding the directory from which files are being included.
  • By submitting an incorrect file name (e.g., high.php), the server reveals that it is searching for files in the includes directory.
  • This teaches how to deduce where the server is looking for files and how errors can leak sensitive information.

Lab 3: Directory Traversal:

  • The video demonstrates directory traversal, a technique where attackers escape the current directory by using ../ to navigate up the directory structure.
  • By navigating up several levels, the attacker can access sensitive files outside the web root, such as /etc/passwd.
  • The key here is to understand the file system hierarchy and manipulate file paths to reach sensitive areas.

Lab 4: File Get Contents Function:

  • This lab introduces the file_get_contents function, which retrieves the contents of files from the server.
  • The attacker tries to access /etc/passwd, but encounters a filter that blocks direct access to sensitive files, showing a message like “You’re not allowed to see source files.”
  • Despite this, the function is still vulnerable, and the attacker confirms that file inclusion is possible.

Lab 6: Restricted Directory Access:

  • In this lab, the server restricts access to files within a specific directory (e.g., THM_profile).
  • The attacker must include the correct directory in the request (e.g., THM_profile/etc/os-release) to retrieve sensitive information about the operating system.

Exploiting Null Byte Injection:

  • The video shows how to bypass file extension restrictions using null byte injection (%00).
  • The server automatically appends .php to the input, but by using a null byte, the attacker can trick the server into ignoring the .php extension and include any file, such as /etc/passwd.
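As an added example that is not part of the room or the video, the following Python resolver confines a user-supplied file name to the include directory and rejects the traversal, absolute-path and null-byte inputs from Labs 1, 3 and 6 and the null-byte section above; the /srv/app/includes base path and the probe strings are constructed for the demonstration.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_include(base_dir: str, user_value: str) -> Optional[str]:
    """Return the canonical path for user_value inside base_dir, or None.

    Mirrors the shape of the lab servers: the value from the request is
    prefixed with the include directory and given a .php extension. The
    hardening is the decode, the null-byte reject and the containment check.
    """
    name = unquote(user_value)          # %2e%2e%2f and %00 reach PHP decoded
    if "\x00" in name:                  # a null byte truncated the suffix on PHP < 5.3.4
        return None
    if not name.endswith(".php"):
        name += ".php"
    base = os.path.realpath(base_dir)
    # realpath collapses ../ lexically and follows symlinks, so a link inside
    # the include directory that points at /etc/passwd is also caught below.
    target = os.path.realpath(os.path.join(base, name))
    # os.path.join discards base when name is absolute (/etc/passwd), which the
    # containment check then rejects as well.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def check_probes(base_dir: str) -> dict:
    """Run the lab-style inputs (constructed here) through the resolver and
    report, per probe, whether the outcome matched the expectation."""
    probes = {
        "welcome": True,                            # legitimate page name
        "welcome.php": True,
        "../../../../etc/passwd": False,            # Lab 1 / Lab 3 traversal
        "..%2F..%2F..%2Fetc%2Fpasswd": False,       # URL-encoded traversal
        "/etc/passwd": False,                       # absolute path
        "/etc/passwd%00": False,                    # null-byte suffix bypass
        "THM_profile/../../etc/os-release": False,  # Lab 6 style prefix
    }
    return {p: (resolve_include(base_dir, p) is not None) == ok
            for p, ok in probes.items()}


if __name__ == "__main__":
    for probe, ok in check_probes("/srv/app/includes").items():
        print(f"{'PASS' if ok else 'FAIL'}  {probe!r}")
```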

Challenge Section: Capturing Flags:

  • The final part of the video introduces challenges where users must capture flags from specific files.
  • The attacker uses POST requests instead of GET requests to interact with the form and capture the flags hidden in sensitive files like /etc/flag1.

Answers

What function causes path traversal vulnerabilities in PHP?

Give Lab #1 a try to read /etc/passwd. What would the request URI be?

In Lab #2, what is the directory specified in the include function?

Give Lab #3 a try to read /etc/passwd. What does the request look like?

Which function is causing the directory traversal in Lab #4?

Try out Lab #6 and check which directory has to be in the input field.

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

Capture Flag1 at /etc/flag1

Capture Flag2 at /etc/flag2

Capture Flag3 at /etc/flag3

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.