TryHackMe Inclusion

Pavan Msvs
May 29, 2021

Hello everyone! Today we are going to solve the TryHackMe machine Inclusion.

First, connect to the THM network using the VPN and start the machine.

Start with an Nmap scan to find the open ports and services running on the machine.

Note: If you are running as root, you don't need to use the sudo command.

sudo nmap -Pn <ip>

Perform an advanced scan to find the versions of the services running on the system.

nmap -sC -sV -A <ip>

Let's open the IP address in the browser to see what the web page contains.

On the website they give us a hint that we are supposed to perform an LFI (Local File Inclusion) or RFI (Remote File Inclusion) attack. Open the LFI page to see more content.

URL = <ip>/article?name=lfiattack

We can see that the LFI attack can be performed against the targeted URL.

URL = <ip>/article?name=../../../etc/passwd

We found the user = “falconfeast” and password = “rootpassword”
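Why a request like `article?name=../../../etc/passwd` returns a file from outside the article directory, and the check that stops it, shown as an added example (not code from the room or from this write-up). The handler names and the directory layout are assumptions, and the "secret" file is a constructed stand-in for a sensitive system file.

```python
import os
import tempfile
from pathlib import Path


def read_article_unsafe(base_dir: str, name: str) -> str:
    """Hypothetical vulnerable handler: joins user input straight onto the base path."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_article_safe(base_dir: str, name: str) -> str:
    """Hardened handler: resolve the path, then require it to stay inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # resolve() collapses ../ and follows symlinks; relative_to() raises if we escaped.
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes article directory: {name!r}") from None
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    # Constructed sandbox: an articles/ directory beside a file that must stay private.
    root = Path(tempfile.mkdtemp())
    (root / "articles").mkdir()
    (root / "articles" / "lfiattack").write_text("article body", encoding="utf-8")
    (root / "secret").write_text("constructed-secret", encoding="utf-8")
    base = str(root / "articles")

    results = {"unsafe_leak": read_article_unsafe(base, "../secret")}
    results["safe_ok"] = read_article_safe(base, "lfiattack")
    # A relative traversal and an absolute path must both be rejected.
    for label, value in (("safe_traversal", "../secret"),
                         ("safe_absolute", str(root / "secret"))):
        try:
            read_article_safe(base, value)
            results[label] = "served"
        except PermissionError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The absolute-path case matters because joining an absolute path onto a base directory discards the base entirely, so filtering out `../` alone is not enough.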

Since the SSH port is open, we try to log in over SSH.

sudo ssh falconfeast@10.10.219.81

We successfully logged in as the user falconfeast and also found the user flag.

ls

cat user.txt

Now check which commands the user falconfeast is allowed to run with sudo, so that we can perform privilege escalation.

sudo -l

We found that socat can be run with root permissions. Now open GTFOBins.

Now execute the command to get the root shell

sudo socat stdin exec:/bin/sh

We are now logged in as the root user, so check for the root flag.

We got the root flag, but there is another method to get the flags without using SSH: request the file paths directly in the URL.

We got the user flag this way; for the root flag, request its path directly in the URL as well.

This concludes the room and both flags have been captured!
