TryHackMe Inclusion
Hello everyone! Today we are going to solve the TryHackMe machine Inclusion.
First, connect to the THM network over the VPN and start the machine.
Start with an Nmap scan to find the open ports and the services running on the machine.
Note: if you are running as root, you don't need to prefix the commands with sudo.
sudo nmap -Pn <ip>
Then run a more detailed scan (default scripts, version detection and OS detection) to find out the service versions running on the system.
nmap -sC -sV -A <ip>
Let's open the IP address in the browser to see what the web page shows.
The website hints that we are supposed to perform an LFI (Local File Inclusion) or RFI (Remote File Inclusion) attack. Open the LFI page to see more content.
URL = <ip>/article?name=lfiattack
We can observe that the name parameter in this URL is vulnerable to LFI, so we use it to read /etc/passwd:
URL = <ip>/article?name=../../../etc/passwd
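To show why the name parameter above can be abused, here is an added example (not code from the room or from TryHackMe; the room's own application source is not on this page) of a minimal article loader written two ways: the vulnerable version joins the user-supplied name straight onto the article directory, so "../" sequences walk out of it; the hardened version allowlists the name and then checks that the resolved path still lives inside the directory. The directory layout, the file names and the contents are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed demo layout (hypothetical, not the room's file system):
#   <tmp>/articles/lfiattack   - a legitimate article
#   <tmp>/secret.txt           - a file that must never be reachable via the web app
def build_demo_tree() -> str:
    root = Path(tempfile.mkdtemp())
    (root / "articles").mkdir()
    (root / "articles" / "lfiattack").write_text("LFI article body")
    (root / "secret.txt").write_text("sensitive")
    return str(root / "articles")


def vulnerable_read_article(base_dir: str, name: str) -> str:
    """Joins user input straight onto the base path: '../' escapes base_dir."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


# Article names are plain slugs; anything else is rejected before touching the disk.
SLUG = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_read_article(base_dir: str, name: str) -> str:
    """Allowlist the name, then verify the resolved path stays inside base_dir."""
    if not SLUG.fullmatch(name):
        raise ValueError("invalid article name")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link planted inside the directory
    # that points outside it is caught by the parent check as well.
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("path escapes the article directory")
    return target.read_text()


if __name__ == "__main__":
    base = build_demo_tree()
    print(vulnerable_read_article(base, "../secret.txt"))  # leaks the secret
    try:
        safe_read_article(base, "../secret.txt")
    except ValueError as exc:
        print("blocked:", exc)
```

The slug check alone would already stop the traversal seen in this room; the parent-directory check is the defence in depth that still holds if the allowlist is later loosened to accept slashes or dots.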
We found the user = “falconfeast” and password = “rootpassword”
Since the SSH port is open, we try to log in over SSH with those credentials.
sudo ssh falconfeast@10.10.219.81
We successfully logged in as the user falconfeast, and we also found the user flag.
ls
cat user.txt
Now check which commands the user falconfeast is allowed to run with sudo so that we can perform privilege escalation.
sudo -l
We found that socat can be run with root permission. Now open GTFOBins and look up socat.
Now execute the command to get the root shell
sudo socat stdin exec:/bin/sh
We have successfully logged in as the root user; now check for the root flag.
We got the root flag, but there is another method to get the flags without using SSH: request the file paths directly in the URL.
We got the user flag that way, and for the root flag we also request it directly in the URL.
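Every request used in this room, whether for /etc/passwd or for the flag files, passes through the web server's access log, which is where a defender would spot it. The following added example (not part of the original write-up) runs a small detector over constructed combined-format log lines: it URL-decodes each request path (repeatedly, to catch double encoding) and flags path-traversal sequences and references to sensitive system files. The IP addresses, timestamps and response sizes are made up for the demo.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not taken from the room.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article?name=lfiattack HTTP/1.1" 200 1432
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /article?name=../../../etc/passwd HTTP/1.1" 200 2710
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /article?name=..%2F..%2Fetc%2Fshadow HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /article?name=hacking HTTP/1.1" 200 980
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators that never belong in a legitimate article name.
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
SENSITIVE = re.compile(r"/etc/(passwd|shadow)|/proc/self/environ|\.ssh/", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing so %252e%252e is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text: str) -> List[Dict]:
    """Return one record per suspicious request: source IP, decoded path, status and reasons."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        path = decode_fully(match["path"])
        reasons = []
        if TRAVERSAL.search(path):
            reasons.append("path traversal")
        if SENSITIVE.search(path):
            reasons.append("sensitive file")
        if reasons:
            hits.append({
                "ip": match["ip"],
                "time": match["ts"],
                "path": path,
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["path"], ", ".join(hit["reasons"]))
```

A 200 status on a traversal request is the case worth paging on, since it means the file was actually served; a 500 or 404 still shows someone probing and is worth correlating with other activity from the same source address.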
This concludes the room and both flags have been captured!