This is a write-up for LFI Inclusion room from TryHackMe which is a beginner level LFI challenge:
Our task is simple: Deploy the machine and find LFI parameters and get the user and root flag. First check what all services are running on the machine using:
nmap -sC -sV 10.10.41.78
So we have SSH and a Web Server running. Lets check the website first.
On the website after doing basic browsing we found the following links:
- http://10.10.41.78/article?name=hacking
- http://10.10.41.78/article?name=lfiattack
- http://10.10.41.78/article?name=rfiattack
We have a parameter “name” and this can be used to do LFI.
Lets try the following and see if we get anything:
http://10.10.41.78/article?name=../../../../../etc/passwd
and sure enough we get credentials for a user named falconfeast. Lets login to the box with SSH using these credentials:
ssh falconfeast@10.10.41.78
We got our user flag in the home directory of user falconfeast.
Now lets see if we can run something as sudo using: sudo -l
Yes we can run socat as root and without password. Great lets do some Privilege Escalation. Go to https://gtfobins.github.io/ and search for “socat”. We found:
Lets try this to see if we can get a root shell using what we found:
sudo socat stdin exec:/bin/sh
We got our root flag also. Submit both the flags :)
Originally published at https://basicpentesting.blogspot.com on July 29, 2020.
