TryHackMe: Inclusion – A beginner level LFI challenge

In this post, I would like to share some challenges on a basic level of Local File Inclusion(LFI) attack on the TryHackMe.

For those are not familiar with LFI attack, it’s a method which the attacker to trick the web application to expose any information within the webserver. It also can be used to execute any malicious command on the web application to expose any running files that stored on the server.

The damage of the LFI attack to the server would be something as follows:

  • Information Disclosure
  • Remote Code Execution
  • Cross-site Scripting

An example of the command that is used for the LFI is been shown as below:

  • ../../etc/passwd
  • ../../uploads/evil.php

So let begin the LFI challenges!

For the first question, TryHackMe have us to obtain user’s flag on the website interface.

Once we deploy the machine and obtain the machine’s IP, we need to check the website first and the interface will looks as shown below:

From the website interface, I notice that there’s an article on LFI-attack and there’s a View details button. So let’s click on it and see what is been stored over there.

While reading the information that been stored on the website, I notice that something look in-place such as

So, we go to the website URL and let us take a look what is stored in the website

Wow! There are a lot username and password been shown over here. The username and password that caught my eye would be falconfeast:rootpassword

From there, we know that falconfeast is been configured as root privileged access. To access the user flag, we need to change /etc/passwd to /falconfeast/user.txt and the interface shown below will appear.

I will have to hide the flag because the flag might change for different player.

To obtain root flag, we just need to change from /falcontfeast/user.txt to /root/root.txt. The POC would look like below:

The End

Hope this helps to those who want to learn LFI attack!