Introduction:
This is my documentation for the Inclusion room on TryHackMe. The room is about Local File Inclusion (LFI).
Link: https://tryhackme.com/room/inclusion
Resources used:
Kali VM
Nmap
SSH
GTFOBins
Enumeration:
nmap -sC -sV 10.10.205.74
From the scan results, we can see that 2 services are running:
1. 22 (SSH) (OpenSSH)
2. 80 (HTTP) (Werkzeug httpd)
Web Recon:
Let’s poke at the web server and see its contents.
Exploring the pages of this web app, we find a place where we can check for an LFI vulnerability, as shown in the image below:
Change the value of the name parameter from “hacking” to “../../../etc/passwd”.
This shows that LFI is possible on this web app. Reading the output carefully, I also found the SSH username and password, as shown in the figure below:
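For the defensive side of the name parameter issue above, here is an added example (not the room's application code, which this page does not show) that puts the vulnerable file-read pattern beside a hardened one. The function names, the articles directory and the secret.txt file are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def read_article_unsafe(base: Path, name: str) -> str:
    # Vulnerable pattern: the request value is joined to the base directory
    # as-is, so "../" segments (or an absolute path) walk out of it.
    return (base / name).read_text()


def read_article_safe(base: Path, name: str) -> str:
    # Resolve ".." and symlinks first, then require the result to stay under base.
    base = base.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"rejected article name: {name!r}")
    return target.read_text()


def demo() -> dict:
    # Constructed layout: articles/ is the intended root, secret.txt sits outside it.
    root = Path(tempfile.mkdtemp())
    articles = root / "articles"
    articles.mkdir()
    (articles / "hacking").write_text("article body")
    (root / "secret.txt").write_text("outside the article directory")

    results = {
        "unsafe_normal": read_article_unsafe(articles, "hacking"),
        "unsafe_traversal": read_article_unsafe(articles, "../secret.txt"),
        "safe_normal": read_article_safe(articles, "hacking"),
    }
    # The hardened reader must refuse both relative traversal and absolute paths.
    probes = (("safe_traversal", "../secret.txt"),
              ("safe_absolute", str(root / "secret.txt")))
    for label, name in probes:
        try:
            read_article_safe(articles, name)
            results[label] = "served"
        except PermissionError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absolute-path probe matters because joining an absolute path onto a base directory with pathlib discards the base entirely, so a check that only strips "../" would still miss it.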
Now let’s try to connect to this machine over SSH with the credentials we got from the web app.
ssh falconfeast@10.10.205.74
Now let’s find the user flag.
ls -al
We have successfully found user.txt (the user flag), as shown in the image below:
Now let’s find a way to get root privileges. To check the privileges of the current user, enter the following command, as shown in the image below:
sudo -l
We learn that the falconfeast user can run socat with root privileges. Now let’s use a shell escape we got from https://gtfobins.github.io/gtfobins/socat/
sudo socat stdin exec:/bin/sh
Now we are the root user. Let’s find the root flag in the /root directory.
Finally! We have completed the Inclusion room. Thanks for reading my writeup! :)