TryHackMe: Inclusion

This is a walkthrough of TryHackMe’s Inclusion room. This is a web-focused room that has a local file inclusion vulnerability.

You can find this room at https://tryhackme.com/room/inclusion

To start, Local File Inclusion is a web application vulnerability that allows for an attacker to view files on the server by specifying the path. This vulnerability happens when an application takes untrusted user data via a parameter and appends it to the path without any validation.

LFI is normally found in GET parameter queries. Usually, this is validated by returning the /etc/passwd file on a machine since this is normally available to all users of a machine which means you will not be unauthorized to view, no matter the user running the web server.

Attackers can leverage this to view files on the local machine such as log files, config files, source code, or other sensitive information on the local machine.

For more information, I recommend reading the PortSwigger article: https://portswigger.net/web-security/file-path-traversal

To begin this room, I ran an nmap to determine the open ports. This showed that SSH was running on port 22 and HTTP on port 80. I decided to take a closer look at HTTP, since this is a LFI vulnerability room. Since this was a basic room, I ran the default nmap script.

nmap 10.10.125.49

nmap on the box shows port 22 and 80 open

While looking at the site, I started looking around for some parameters in the URL that may allow for LFI. Right away, I found the /article path has a query parameter with the name of the article. I tried the following URL to determine if this was vulnerable:

http://10.10.125.49/article?name=/../../../../../etc/passwd

TIP: You can use as many ../ as you want to ensure you get to the root directory.

This URL responded with the /etc/passwd file on the machine, which indicates this web application is vulnerable to LFI.

/etc/passwd file returned by the server

Now that we know the web application is vulnerable, we have to search around for some files. You can put any file in the parameter and it will return. Note: If the file is not found, it will return a 500 internal server error seen below. This means you may need to step up directories (using more ../) or that file name is not found.

This room was looking for the user and root flags, which can be found in the user.txt and root.txt file. After some trial and error, the user.txt file is located one directory above.

http://10.10.125.49/article?name=/../user.txt

The root.txt file is located a few directories above and inside the /root/ folder at the following location:

That’s it! This lab showed a local file inclusion vulnerability and the potential impacts it could have on a server running a web application.