TryHackMe: Inclusion room walkthrough
This is a write-up covering the steps taken to solve a beginner-level security challenge on local file inclusion (LFI): the Inclusion room on the TryHackMe platform.
This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.
Step 1 : Connect to TryHackMe and start target machine.
1. Download the OpenVPN configuration file from the TryHackMe platform.
2. Connect to TryHackMe by running this command in a Kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start the machine in the ‘inclusion’ room; the target IP address will be displayed in a minute.
Step 2 : Information gathering using Nmap
- Start an Nmap scan of the target IP:
nmap -A -O <target ip>
Step 3: Detailed Findings
22 : SSH OpenSSH 7.6p1
80 : HTTP Werkzeug httpd 0.16.0
1. Accessing open ports
2. Clicking View details under ‘LFI-attack’ gives a hint to explore LFI.
3. Accessed ../../../../etc/passwd by entering it in the URL as the value of the ‘name’ parameter.
The passwd file is displayed; it contains 1 user with a password, highlighted below.
4. As port 22 is open, an SSH login was attempted with the username and password found, and the login was successful.
5. Found the user.txt flag.
6. To find the root flag, checked sudo privileges and found a root NOPASSWD permission for /usr/bin/socat.
7. As the user can gain root access through socat, searched GTFOBins for the sudo command to gain privileges.
8. Run the command below in Kali; the user gains root access:
sudo socat stdin exec:/bin/sh
9. Navigated to the root folder and found root.txt.
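The traversal in item 3 works when the value of the ‘name’ parameter is joined to a content directory and opened without checking where the resulting path points. The following is an added example, not the room's source code (which this write-up does not show): it places the unchecked read beside a version that resolves the path and rejects anything outside the content directory. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def read_page_unchecked(base_dir, name):
    """'Before' form: the request value is joined to base_dir and opened as-is."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def read_page_confined(base_dir, name):
    """Resolve '..', absolute paths and symlinks, then require the result to sit under base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"{name!r} resolves outside {base}")
    return target.read_text()


def demo():
    """Run both readers over a constructed tree; returns [(unchecked, confined), ...]."""
    with tempfile.TemporaryDirectory() as root:
        pages = Path(root, "app", "articles")
        pages.mkdir(parents=True)
        (pages / "lfiattack").write_text("article body")
        outside = Path(root, "secret.txt")  # constructed stand-in for /etc/passwd
        outside.write_text("constructed secret")
        results = []
        for name in ("lfiattack", "../../secret.txt", str(outside)):
            unchecked = read_page_unchecked(pages, name)
            try:
                confined = read_page_confined(pages, name)
            except PermissionError:
                confined = "REJECTED"
            results.append((unchecked, confined))
        return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The absolute-path case matters as much as the `../` case: both `os.path.join` and `pathlib` discard the base directory when the second component starts with `/`, so the check has to run on the resolved path rather than on the raw string.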
With these steps, I was able to answer the questions posted in the Inclusion room on TryHackMe.
Thank you for reading this blog.