• Kaushal Patel

TryHackMe: LFI Inclusion Walkthrough


Introduction

Local File Inclusion (LFI).

Local file inclusion is one of the Web Application vulnerability


Link: https://tryhackme.com/room/inclusion



To access this machine, we must connect with https://tryhackme.com/ network through VPN.

After connected check the machine connectivity using ping command and start enumeration


Enumerate

I used Nmap to check for open ports and services.


As per the scanned result, we can see that ports 22/TCP SSH & 80/TCP HTTP are open. So, Let’s access port 80 first and check for details.

When I accessed HTTP 80 using web browser, website opened and found some articles related to LFI attack and RFI attack. I checked LFI-attack article and saw logs as showed below.

http://IP/article?name=lfiattack


When you read the article, it gives us a tip for exploiting this. It’s called a directory traversal attack, and it can be accomplished here by replacing the file name with “../../../../etc/passwd.”


Exploitation

By replacing url name from http://IP/article?name=lfiattack to http://IP/article?name=../../../../etc/passwd, we found there is credential in clear text format as shown below.


Now, we got the credentials for SSH we can access the remote machine by the command ssh flaconfeast@<IP>.




Privilege Escalation

From SSH logged in we can clearly identified that we have logged in as normal user named falconfeast.

In order to get the two flags, we need root access and to get the it we have to check it by typing sudo -l. In the end it shows specific path to run as root.

/usr/bin/socat


Go to gtfobins website and search for socat sudo where you can find the command which helps to do privilege escalation.

"sudo socat stdin exec:/bin/sh"

By executing this command, we get the root access and our privilege escalation is successful completed.


Finally, we got the two flags from root.txt and user.txt



Hope, this blog was helpful for beginners who were trying this machine.


References

GTFOBins - https://gtfobins.github.io



Happy Learning !


  • Twitter
  • Facebook
  • LinkedIn

This blog is for those who are beginner in Cyber Security . ​Please Subscribe for more update

© 2021 by CyberMetrix