LFI (INCLUSION) TryHackMe Walkthrough

Hello everyone. Here is one more write-up on Inclusion Machine. It is a easier one and very beginner friendly. It is easier than previous one, no need to do directory brute forcing, no need to crack any hashes. Everything in this machine is crystal clear. Let’s dive into the topic.

ENUMERATION:

As we know, the first step to solve any machine is to scan and check for open ports. We have the IP address of the machine, now let’s use the following command of nmap to see which ports are open. The output of this looks similar to the following picture.

nmap -sC -sV 10.10.216.155

We found that port 22 (SSH) and port 80 (Web server) is open. Even few other ports are also open which are not useful. Now let’s access the web page of the machine. It looks like a simple blog with few articles.

When we click on any article, check the url there is a parameter named name=. Let’s check whether is it vulnerable or not. Remove everything after name= and add the following command. If it displays the /etc/passwd file, then the parameter is vulnerable.

/../../../etc/passwd

Here /../../../ is used to bypass if there are any filters. YEAH….. We got the /etc/passwd file. The username and password are clearly mentioned without any hashes.

ACCESS THROUGH SSH:

We have username and password of the user. We also found that port 22 is open. Let’s access to ssh by the following command.

ssh falconfeast@10.10.216.155

Give the required credentials when asked. If it asks, Are you sure to continue connecting, answer it as yes.

We got the connection, now we can access any file the user has permission to. The user.txt file is located in home directory

PRIVILEGE ESCALATION:

NOW IT’S SHOW TIME…. Time to become the root. Let’s check what permissions do the user falconfeast has to do. It can be done by using following command.

sudo -l

We found that /usr/bin/socat can be run by the user and it has no password. We need to get the required payload to exploit it.

For that go to gtfobins.github.io , search for socat and scroll down to sudo part. Copy the exploit given and paste it in the shell.

sudo socat stdin exec:/bin/sh

HURAAY…!! Now we are the root, for confirmation type whoami, it should show root. Now you can get the root.txt file which is in the root directory.

CONGRATULATIONS for solving the machine. It is very easy and you learnt how to exploit parameters in url and also how to escalate our privileges.

That’s it for this story, will meet you with another write-up.