LFI Inclusion-TryHackMe

0xsanz
2 min readJul 29, 2020
LFI -TryHackMe

This is a write-up for LFI Inclusion room from TryHackMe which is a beginner level LFI challenge:

https://tryhackme.com/room/inclusion

Our task is simple: Deploy the machine and find LFI parameters and get the user and root flag. First check what all services are running on the machine using:

nmap -sC -sV 10.10.41.78
nmap scan

So we have SSH and a Web Server running. Lets check the website first.

On the website after doing basic browsing we found the following links:

  • http://10.10.41.78/article?name=hacking
  • http://10.10.41.78/article?name=lfiattack
  • http://10.10.41.78/article?name=rfiattack

We have a parameter “name” and this can be used to do LFI.

Lets try the following and see if we get anything:

http://10.10.41.78/article?name=../../../../../etc/passwd

/etc/passwd file

and sure enough we get credentials for a user named falconfeast. Lets login to the box with SSH using these credentials:

ssh falconfeast@10.10.41.78

We got our user flag in the home directory of user falconfeast.

Now lets see if we can run something as sudo using: sudo -l

sudo -l

Yes we can run socat as root and without password. Great lets do some Privilege Escalation. Go to https://gtfobins.github.io/ and search for “socat”. We found:

Lets try this to see if we can get a root shell using what we found:

sudo socat stdin exec:/bin/sh

socat privesc

We got our root flag also. Submit both the flags :)

Originally published at https://basicpentesting.blogspot.com on July 29, 2020.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204