Inclusion
A beginner level LFI challenge.
This is the write up for the room Inclusion on Tryhackme and it is part of our cybersecurity training from HackerU .
Firstly we have to make connection with VPN or use the attackbox on Tryhackme site to connect to the Tryhackme lab environment.
Before starting our Task there are few instruction Given for the box.
Instructions:
- Visit https://tryhackme.com/room/inclusion and join the room.
- Get root-level access.
- Complete the room with all flag verification.
As mentioned in instruction we will have to get the root level access and then complete the room with flag verification.
Task 1:
First deploy the machine after that we will get the Target system IP.
Once the machine is booted up then will move to our next Task.
Note:- There are Two ways to solve this box and get the flags .
Task 2:
To check how many services are running and at which port we have to run Nmap scan. Before runing nmap scan let’s first verify if we are geting the ping with the system.
Now we are set to run nmap scan to find the service on the ports running.
nmap -sS -sV -A 10.10.81.198
-sS (TCP SYN scan)
-sV (Version detection)
-A (Aggressive scan options)
From scan we can see that 2 ports are open which are port 22,port 80.
As port 80 is open will check the website in browser for some information.
Here we can see it is a blog website with some information about LFI and RFI is written. Will enumerate little more to get information if any.
As we went inside the LFI attack we found some information about how LFI vulnerabilty works. so will try LFI attack on this webpage.
As we can see from above image we were successfull in LFI attack and got the user name and password for falconfest user.
We will try ssh login using this user id and password.
As seen in above image we successfully got the login of falconfeast user now will enumerate to get user and root flag.
We got user flag now will try to get the root flag using privilege user.
We tried entering the root directory using falconfest user but permision was denied. so searched if this user has any application right to run as sudo user.
Used sudo -l command to check if any application privilege is provided to this user and found that socat can be run as sudo for this user.
searched for socat in gtfobins website.(https://gtfobins.github.io/)Here we found command for socat to get root shell.
We successfully able to get root shell now will search for root flag.
We got the root flag and submitted it in THM to complete our Task 2.
We completed the THM inclusion box with root access as per the instruction given.
Now 2nd method to get the flag.
We used the same LFI attack to get the user flag.
And tried the same LFI attack to get the root flag and we were successfull.
As seen above we got both the flag using LFI vulnerability.