Inclusion: A Beginner-Level LFI Challenge Walkthrough (TryHackMe)

G N Vivekananda
Jun 8, 2021

Dear friends, let us solve challenges in the Inclusion box present in the below link.

1. Information Gathering

This is a beginner-level room designed for people who want to get familiar with the Local File Inclusion (LFI) vulnerability.

Resources/Tools Used:

ssh

2. Scanning

nmap 10.10.252.55

We see that port 22 (ssh) and port 80 are open. Opening port 80 in a web browser shows that it is running a web server.

Accessing LFI point

As the port is 80, I browsed the site:

10.10.252.55/

We find a simple web page that contains web server inclusion attacks. I decided to run gobuster on the web page and got nothing, so I decided to follow the "View details" link.

I went back to the site and started browsing its pages.

The three pages are Hacking this world, LFI-attack, and RFI-attack.

It seems the site uses an include function to include web pages. In our case, it included a page called hacking.

Testing LFI Point

I decided to test for local file inclusion using that parameter by viewing a file that is common to all Linux operating systems, /etc/passwd. Upon clicking different links on the web page, I realized that Local File Inclusion (LFI) is possible using the parameter “name.” I used this parameter to read the contents of the “/etc/passwd” file.

I got some information at:

http://10.10.252.55/article?name=../../../etc/passwd

This yielded the contents of the /etc/passwd file at the bottom of the page.

Hurray, we get the passwd file. Now we are sure that the computer is vulnerable to local file inclusion. I decided to view the page source since the output was messy. The output is messy because a line break in a web page requires a <br> tag, and the passwd file contains none.
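The flaw behind article?name= and its fix, as an added example that is not the room's source code. It assumes the handler joins the name parameter onto an articles directory; all function names, file names and the directory layout are hypothetical and the files are constructed for the demo.

```python
import os
import tempfile

def read_vulnerable(base_dir, name):
    # Weak form: the request parameter is joined onto the directory unchecked.
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()

def resolve_article(base_dir, name):
    # Hardened form: resolve symlinks and ".." first, then require that the
    # result is still a regular file inside base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base or not os.path.isfile(candidate):
        raise ValueError("article not found")
    return candidate

def read_hardened(base_dir, name):
    with open(resolve_article(base_dir, name), encoding="utf-8") as fh:
        return fh.read()

def is_blocked(base_dir, name):
    # True when the hardened reader refuses the requested name.
    try:
        read_hardened(base_dir, name)
        return False
    except ValueError:
        return True

def demo():
    # Constructed tree: <tmp>/site/articles/lfiattack is a legitimate article,
    # <tmp>/secret.txt stands in for a file outside the web root.
    with tempfile.TemporaryDirectory() as root:
        articles = os.path.join(root, "site", "articles")
        os.makedirs(articles)
        with open(os.path.join(articles, "lfiattack"), "w", encoding="utf-8") as fh:
            fh.write("article body")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("outside web root")
        return {
            "vulnerable_read": read_vulnerable(articles, "../../secret.txt"),
            "hardened_article": read_hardened(articles, "lfiattack"),
            "traversal_blocked": is_blocked(articles, "../../secret.txt"),
            "absolute_blocked": is_blocked(articles, secret),
            "missing_blocked": is_blocked(articles, "nosuchpage"),
        }

if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path, so it also rejects absolute paths and symlinks that point outside the articles directory.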

From the passwd file, I found the username (falconfeast) and the password, rootpassword. I used this user to log in to the target machine via ssh.

Remember that ssh was listening on port 22. I tested those credentials on port 22:

ssh falconfeast@10.10.252.55

rootpassword

And we get a user shell as falconfeast. So now we can access the user flag.

Now it's time to escalate our privileges to become the root user. To get the root flag, we need root privileges, so we need to perform privilege escalation. For this, I typed “sudo -l” to check whether we can run some commands to perform privilege escalation to root.

The “sudo -l” output showed that we can use socat for privilege escalation without any password.

That seems like our exploit vector. I decided to search for exploits using GTFOBins, and we get a way to exploit socat to get root privileges.

I used the following syntax for privilege escalation:

sudo socat stdin exec:/bin/sh

Lovely, got the root flag.

Done!!!!!! Let us see the answers to the challenge questions now.

If you’ve deployed the VM then try to find the LFI parameters and get the user and root flag.

user flag: 60989655118397345799

root flag: 42964104845495153909

Thank you very much for reading. I hope you find this useful, and if there is something you would like to add or any suggestions, you can contact me anytime.
