LFI (INCLUSION) TryHackMe Walkthrough

Hello everyone. Here is one more write-up on Inclusion Machine. It is a easier one and very beginner friendly. It is easier than previous one, no need to do directory brute forcing, no need to crack any hashes. Everything in this machine is crystal clear. Let’s dive into the topic.


As we know, the first step to solve any machine is to scan and check for open ports. We have the IP address of the machine, now let’s use the following command of nmap to see which ports are open. The output of this looks similar to the following picture.

nmap -sC -sV

NMAP output

We found that port 22 (SSH) and port 80 (Web server) is open. Even few other ports are also open which are not useful. Now let’s access the web page of the machine. It looks like a simple blog with few articles.

Web page

When we click on any article, check the url there is a parameter named name=. Let’s check whether is it vulnerable or not. Remove everything after name= and add the following command. If it displays the /etc/passwd file, then the parameter is vulnerable.


Here /../../../ is used to bypass if there are any filters. YEAH….. We got the /etc/passwd file. The username and password are clearly mentioned without any hashes.

/etc/passwd file


We have username and password of the user. We also found that port 22 is open. Let’s access to ssh by the following command.

ssh falconfeast@

Give the required credentials when asked. If it asks, Are you sure to continue connecting, answer it as yes.


We got the connection, now we can access any file the user has permission to. The user.txt file is located in home directory


NOW IT’S SHOW TIME…. Time to become the root. Let’s check what permissions do the user falconfeast has to do. It can be done by using following command.

sudo -l

sudo -l

We found that /usr/bin/socat can be run by the user and it has no password. We need to get the required payload to exploit it.

For that go to gtfobins.github.io , search for socat and scroll down to sudo part. Copy the exploit given and paste it in the shell.

gtfobins page

sudo socat stdin exec:/bin/sh

HURAAY…!! Now we are the root, for confirmation type whoami, it should show root. Now you can get the root.txt file which is in the root directory.

Root access

CONGRATULATIONS for solving the machine. It is very easy and you learnt how to exploit parameters in url and also how to escalate our privileges.

That’s it for this story, will meet you with another write-up.




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium


$ANT Tokens Whitepaper

lucasdu.com | devlog #3

Listing Loopring Token (LRC) on VNDC Wallet


{UPDATE} Roar! - AR Boardgame Hack Free Resources Generator

What is decentralized storage and how does it work?

Previse HackTheBox By Hussien Misbah

The global battle for personal data

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tridev Reddy

Tridev Reddy

More from Medium

TryHackMe: Write-Up Linux PrivEsc — Capstone Challenge

Alfred —  TryHackMe walkthrough

TryHackMe: UltraTech

Chocolate Factory — Try Hack Me