LFI (INCLUSION) TryHackMe Walkthrough

Hello everyone. Here is one more write-up, this time on the Inclusion machine. It is an easy one and very beginner friendly. It is easier than the previous one: there is no need to do directory brute forcing and no need to crack any hashes. Everything in this machine is crystal clear. Let’s dive into the topic.

ENUMERATION:

As we know, the first step in solving any machine is to scan it and check for open ports. We have the IP address of the machine, so let’s use the following nmap command to see which ports are open. The output looks similar to the following picture.

nmap -sC -sV 10.10.216.155

NMAP output

We found that port 22 (SSH) and port 80 (web server) are open. A few other ports are also open, but they are not useful. Now let’s access the web page of the machine. It looks like a simple blog with a few articles.

Web page

When we click on any article and check the URL, there is a parameter named name=. Let’s check whether it is vulnerable. Remove everything after name= and add the following path. If the page displays the /etc/passwd file, then the parameter is vulnerable.

/../../../etc/passwd

Here /../../../ walks up the directory tree and is used to get around any filters that may be in place. YEAH….. We got the /etc/passwd file. The username and password are clearly mentioned in it, without any hashes.

/etc/passwd file
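
The root cause behind a parameter like name= reading /etc/passwd, and the fix, as an added example (this is not code from the machine or from the original write-up; the function names, directory layout and sample files are assumptions constructed for the demo):

```python
import tempfile
from pathlib import Path

def build_demo_tree() -> Path:
    """Constructed sample data: an articles directory plus a file outside it."""
    root = Path(tempfile.mkdtemp(prefix="lfi_demo_")).resolve()
    articles = root / "articles"
    articles.mkdir()
    (articles / "hello").write_text("article body")
    (root / "secret.txt").write_text("outside the article directory")
    return articles

def read_article_vulnerable(articles: Path, name: str) -> str:
    # The 'name' value is joined to the base path and opened as-is, so
    # ../ segments (or an absolute path) decide which file is read.
    return Path(articles, name).read_text()

def read_article_safe(articles: Path, name: str) -> str:
    # Resolve the final path first (collapses ../ and symlinks), then
    # require that it still sits inside the articles directory.
    base = articles.resolve()
    target = (base / name).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"rejected path outside {base.name}/: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()

def demo() -> dict:
    """Run the hardened reader over a normal name and two escaping names."""
    articles = build_demo_tree()
    results = {}
    for name in ("hello", "../secret.txt", "/etc/hostname"):
        try:
            results[name] = read_article_safe(articles, name)
        except (PermissionError, FileNotFoundError) as exc:
            results[name] = type(exc).__name__
    return results

if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path rather than on the raw string, so it does not depend on spotting ../ in the input.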

ACCESS THROUGH SSH:

We have the username and password of the user. We also found that port 22 is open. Let’s log in over SSH with the following command.

ssh falconfeast@10.10.216.155

Give the required credentials when asked. If it asks whether you are sure you want to continue connecting, answer yes.

SSH

We got the connection, and now we can access any file the user has permission to read. The user.txt file is located in the home directory.

PRIVILEGE ESCALATION:

NOW IT’S SHOW TIME…. Time to become root. Let’s check which commands the user falconfeast is allowed to run with sudo. This can be done with the following command.

sudo -l

We found that /usr/bin/socat can be run by the user through sudo without a password. We need to get the required payload to exploit it.

For that, go to gtfobins.github.io, search for socat and scroll down to the sudo section. Copy the command given there and paste it into the shell.

gtfobins page

sudo socat stdin exec:/bin/sh

HURRAY…!! Now we are root. For confirmation type whoami; it should show root. Now you can get the root.txt file, which is in the root directory.

Root access

CONGRATULATIONS on solving the machine. It is very easy, and you learnt how to exploit parameters in a URL and also how to escalate privileges.

That’s it for this story. I will meet you again with another write-up.

Tridev Reddy
