TryHackMe - Inclusion Writeup
Link : https://tryhackme.com/room/inclusion
Enumeration
First, let’s do an enumeration with the IP address of this machine. I’m gonna run Nmap [Netwok Mapper] to scan any open ports. I’m gonna run this command
|
|
Explaining the nmap scan:
- -sC := scan using nmap default script
- -sV := scan for version
- -oN := output in normal format
So, the Nmap scan result came back. It looks like this machine has HTTP server. Let’s enumerate the webpage.
I love to run something in the background. This is a webpage and I’m gonna run gobuster in the background while I enumerate this manually.
Now, the name of this challenge is Inclusion. That name was really obvious and I’m gonna try the LFI attack to see if it’s working.
Yes, it works!
Here is the parameter I found.
http://10.10.18.21/article?name=../../../../../../etc/passwd
Foothold/Gaining Access
Wait is that ssh password. We just found the ssh password in the /etc/passwd file COOL! let’s try to log in.
I’M IN!!!
let’s grab the user flag.
Privilege Escalation
First, I’m gonna use the sudo -l command to see anything that super interesting.
OK WOW! This user can run the socat with sudo. I’m gonna search socat exploit to privilege escalation on this site GTFOBins.
That was quick. Anyways, I’m a root now. Let’s hunt for the flag
Conclusion
I’ve learned a lot today. Make sure to configure the webpage properly because most of the attack vectors are on the webpage. Before I forgot, please configure the user account and the sudo command properly.
This room so much fun and I hope you guys have fun and learn something new today.