TryHackMe! [Web Vulnerabilities] Local File Inclusion

Captions
What's going on everybody, my name is John Hammond. This is another TryHackMe video and I want to be showcasing the Inclusion room, which is just a beginner local file inclusion challenge that we can go check out. It is free, you don't have to be subscribed to access the room, so we'll go ahead and join it and deploy our machine.

So I will go ahead and set up some rooms here for this. I'll go ahead and say inclusion will have its own directory, I'll make a simple nmap directory and kind of get started with an nmap scan while this guy is running. So I will `nmap -sC -sV -oN nmap/initial` and I'll paste in the IP address there. I'll also go ahead and export that IP address there, and it's probably still taking its time to spin up, so let me actually verify that I can ping him. Give him a little bit of time, whatever. Let's go ahead and sort of start a README file if he's still taking his time to cook; we'll call that inclusion just for our notes, and I'll go ahead and export that IP address to that. I already have that, yeah, I did have that copied and pasted in my clipboard there. So let's create some skeleton stuff for our own documentation in our own notes so we can work with this.

Looks like he's up, okay, so now let's go ahead and start that nmap script again. It says deploy the machine and start enumerating, Roger that, no answer needed for that task one seemingly. Let's go check out what task two has us do: user flag and root flag. So simple stuff, looks like no guidance, just jump in and beat the machine up. So root flag, let's get a section for the nmap scan, let's take a look at what we have here once that loads. Considering this is talking about local file inclusion, I'm going to assume it's going to be asking us to work on a web page, so let me fire that up in another tab here. That will not connect, maybe it's not on port 80. All hosts, everything is down, everything is down, everything is closed. That machine is up, do I have multiple instances of OpenVPN running? Just one. Let's make sure `-Pn` is getting in the way... but ping works, so that's clearly not it. Let's make it aggressive. Let's see what we've got. Now it loads, okay, good, whatever.

Hello world, welcome to my blog, it's currently at a very early stage, you can find some of the articles that I wrote. You can view the details: LFI attack or RFI attack. The most common file on Unix that we can check is /etc/passwd, huh. All right, so if I make our URL visible, let's go check out some of these articles. Yeah, `article?name=lfiattack`, so the name here looks to be the argument or the variable that's kind of being passed with HTTP, a simple HTTP GET variable that is allowing us to select other files that were included in here, and that looks like they described it here in this page. If you view the source it looks a little bit better, because looking at it in this code it really kind of ruins everything, the newlines are gone. So `$file =` the GET variable, used through PHP, and it will unsafely include the file, like `include(directory . file)`; that's how the syntax looks in PHP, and we've seen that probably in a lot of other videos, we've seen that before. So we can very, very much kind of climb the directory tree using the period period, or the dot dot, to move up parent directory to parent directory to parent directory, etc., etc. So this is super simple, kind of pretty easy. Looks like they offer another resource that's doing this as well, explaining what this really is. Okay, there we go, and that gives us some code blocks to kind of read the PHP a little bit more.

So let's just jump in and go ahead and view the source on any page that we might want to read. So we need to supply a value for that name, and let's climb the directory tree with `../../../` and we'll check out /etc/passwd. So there's some stuff in here; again, we're going to need to view the source because we have these users displayed, huh. At the bottom we see this: someone kind of commented out falconfeast with rootpassword. That's pretty cheesy, maybe that is an account we could use to log in, and SSH is open now that our nmap scan finally came back. So let's include this in our notes, paste that guy in here, and let's perform the LFI attack. Good, my face is not in the way just yet. Let's go ahead and grab this; so if we were running from our terminal we could just simply curl that, and that will return the credentials that we just potentially found.

And now let's SSH to that IP address with falconfeast as our username, and we know that the password should be rootpassword. Which is peculiar, that did not work. Why did that not work? `ssh falconfeast@` that IP address... what, what, what? falconfeast, falconfeast, rootpassword. Does root have a password? Nothing, except... what is that supposed to mean? Is that the wrong IP address? Am I connecting to something that I had in a previous video? Talking... `echo $IP`? Okay, I was clearly using the wrong IP address as my environment variable. This is the problem, I'm doing videos back-to-back, just trying to churn stuff out for you guys, trying to make you some good stuff hopefully. I feel like I also lose a certain amount of quality when I'm trying to do a lot of these; it's like a quantity versus quality thing. Then I just say the same word twice, I feel like I did: quality versus quantity.

All right, so now we are SSH'd into that machine. Looks like we have our user flag here, so we can go ahead and cat that out, I'll spit that into our TryHackMe submission. Good, good, good. Also take note of that in our notes there. And now we also want to probably escalate our privileges to be root. We could run LinPEAS, but let's just verify anything we can run with sudo. Looks like we can, we can run /usr/bin/socat without a password. So let's check GTFOBins, fantastic resource for doing malicious things, potentially malicious things, with kind of built-in binaries that we might see on the system. socat can get a reverse shell, a bind shell, also sudo access. Okay, it has to have a connection back, we can't just break it out.

So let's fire up our own terminal, let's see what our IP address is. I'm still 10.8.9.112, and let's get a port going, so `nc -lnvp 9999`, and let's try to `sudo /usr/bin/socat`, so `/usr/bin/` and then my forward slash to type in socat, and... oh, wait a second, it's listening. I'm confused with what this is doing. "It runs in privileged context, may be used to access the file system, escalate or maintain access." Run, file, TTY, oh, so it just like reads in standard input, is that what that does? 9999, and then I need to supply this. Oh, maybe that syntax is what I should be supplying, not that; that kind of looks like it's just listening. Can I do that, can I netcat to the machine IP, is it binding? 10.10.157.245 9999, `id`. Okay, he's just being a socket, that's not helpful for me. Let's spin our shell back up and let's modify that command that GTFOBins gave us, so we know to connect to 10.8.9.112 and our port that we are listening on on our attacking machine is 9999. So... well, now I am not allowed to preserve the environment, what does that mean? `-E`, there we go. Now I have a root shell, now I am root.

We could try and stabilize the shell with some poor man's pentest stuff. Do I have Python? `print("hello")`, you know what, `print("please subscribe")`, a little shameless plug there. Python we do not have, how about Python 3? `-c print please`... this is completely useless because we have root, we don't need to do that, but whatever, let's stabilize that shell. We literally just need to go get the root flag, whatever, we have a sane shell and we can use our autocomplete and left and right arrow keys, so hey, it makes me happy, I hope it makes you happy too. There is our root flag, let's go ahead and submit that bad boy and call this machine done.

So super simple technique, right, just local file inclusion, and for some reason inside of /etc/passwd there was a comment with some user credentials, and that account had some privilege escalation route and attack vector to become root, so, completely own that machine. That's that simple case of local file inclusion; you've seen it before, I'm sure, in tons of other videos, but this room just emphasizes it, showcases it and highlights it. So hope you guys enjoyed watching, if you did, please do press that like button and comment button, subscribe button, the bell button, the probably other buttons you can click to have my face like the little icon. Thanks for watching everybody. I hate doing outros for this, I'm just gonna leave, I'm just gonna go. Thanks.
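The inclusion bug walked through in the video, as an added example that is not code from the video or from the TryHackMe room: a Python model of the room's `include($directory . $file)` pattern next to a hardened version, run against a constructed fake filesystem in a temp directory so it works offline. Python stands in for the PHP here so the whole thing runs stand-alone; the directory layout, the article names, the `FAKE_PASSWD` contents and the `safe_include` allow-list are all assumptions for the demo. The traversal payload is the same three `../` the video uses, and the last helper does the post-exploitation step the video does by eye, pulling a commented-out `user:password` line out of the leaked file.

```python
"""Added example (not the video's or the room's code): a Python model of the
PHP include() bug from the Inclusion room, beside a hardened version.

The room's PHP, as read out in the video, boils down to
    $file = $_GET['name']; include($directory . $file);
so `vulnerable_include` reproduces that string concatenation. Every name,
path and file content below is an assumption made for this demo."""
import os
import tempfile

# Constructed fake /etc/passwd with the same kind of commented-out credential
# the room leaves behind (hypothetical values, not real system data).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "#falconfeast:rootpassword\n"
    "falconfeast:x:1000:1000:falconfeast:/home/falconfeast:/bin/bash\n"
)


def build_fake_fs() -> tuple[str, str]:
    """Create <tmp>/etc/passwd and <tmp>/var/www/articles/lfiattack.
    Returns (fake_root, articles_dir)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "etc"))
    articles = os.path.join(root, "var", "www", "articles")
    os.makedirs(articles)
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write(FAKE_PASSWD)
    with open(os.path.join(articles, "lfiattack"), "w") as f:
        f.write("<h1>LFI attack</h1>\n")
    return root, articles


def vulnerable_include(articles_dir: str, name: str) -> str:
    """Mirror of `include($directory . $file)`: plain concatenation, no checks.
    A name of ../../../etc/passwd simply walks out of the articles directory."""
    with open(articles_dir + "/" + name) as f:
        return f.read()


def safe_include(articles_dir: str, name: str,
                 allowed=("lfiattack", "rfiattack")) -> str:
    """Hardened version: an explicit allow-list (hypothetical article names)
    plus a realpath containment check, so traversal strings, absolute paths
    and wrapper-style strings never reach open()."""
    if name not in allowed:
        raise ValueError(f"article not allowed: {name!r}")
    base = os.path.realpath(articles_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even an allow-listed name must resolve inside base,
    # which catches a symlinked article pointing somewhere else.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes articles dir: {target}")
    with open(target) as f:
        return f.read()


def extract_commented_credentials(passwd_text: str) -> list[tuple[str, str]]:
    """Post-exploitation step from the video: pull '#user:password' comment
    lines out of an /etc/passwd dump. Returns [(user, password), ...]."""
    creds = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if line.startswith("#") and ":" in line:
            user, _, password = line[1:].partition(":")
            creds.append((user, password))
    return creds


def demo() -> dict:
    """Run the traversal against both versions and return what each yields."""
    _root, articles = build_fake_fs()
    payload = "../../../etc/passwd"  # three levels up from var/www/articles
    leaked = vulnerable_include(articles, payload)
    try:
        safe_include(articles, payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "legit_article": safe_include(articles, "lfiattack"),
        "leaked_passwd": leaked,
        "creds": extract_commented_credentials(leaked),
        "traversal_blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allow-list is the real fix; the `realpath` containment check is there so the code stays safe if someone later relaxes the list or an article becomes a symlink. Stripping `../` from the input instead of allow-listing is the classic wrong fix, since `....//` survives a single pass of that filter.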
Info
Channel: John Hammond
Views: 79,437
Keywords: lfi, local file inclusion, inclusion, try hack me, tryhackme, john hammond, ctf, capture the flag, hack, hacker, exploit, vulnerability, web app, web, web vulnerability, vulnerabilities, pentest
Id: O7-qHZFxjgk
Length: 10min 51sec (651 seconds)
Published: Tue May 12 2020