Tuesday is here and we are back at it again on THM!
We are at the final stage of the File Inclusion module!
In the first task we need to find the method being used which is shown as a GET HTTP method, we amend that to POST.
Also we needed to include the file=/etc/flag1 parameter within the bottom of the Burp Suite request which then shows us the flag.
Lab 2 – We amend the cookie within the developer tools console within Firefox & once we have amended this cookie we can now see the page.
As we can see from the output on the page the file is failing to write to the php function includes/Admin.php, so we amend the cookie now to /../../../../etc/flag2 however it is still appending the .php file extension at the end so we include a nullbyte %00 which strips the .php and then we gain the flag.
This last lab (lab3) confused me, we tried the same from before (from the last task) and it’s pretty much the same, we edit the HTTP method within the code to a POST from a GET request, use directory traversal methods(../../../../) and append the /etc/flag3 with a NULLBYTE %00 and find the flag.
This last section was easy, we capture the request in Burp Suite and just request the /etc/hosts file within the file= parameter and find the hostname of the machine.
Overall, this room was harder than I thought it was going to be and I’ve learnt quite a bit such as adding Nullbytes to stip extensions such as .php files and various other things! Good learning room would recommend!
Until next time & don’t sleepwalk through life!
Bayi (ባይ)