Inclusion TryHackMe (THM)

Musyoka Ian
Mar 15, 2020

Hello guys, a machine was released today on TryHackMe. It is a good machine for beginners learning local file inclusion. The box is really simple, and a beginner ethical hacker or penetration tester can handle it with ease. Let’s jump right in.

As always, we’ll do a port scan on the box using nmap.

We see that port 22 (SSH) and port 80 are open, and that port 80 is running a web server, so we open the page in a web browser.

We find a simple web page that just contains web server inclusion attacks. I decided to run gobuster against the web page and got nothing, so I decided to follow the "view details" link.

It seems like it uses an include function to include web pages. In our case it included a page called hacking.

I decided to test for local file inclusion using that parameter. I decided to view a file that is common to all Linux operating systems: passwd.

And voila, we get the passwd file. Now we are sure that the computer is vulnerable to local file inclusion. I decided to view the page source since the output was messy. This is because a <br> tag must be present for a line break to appear in a web page, and in the passwd file there isn’t one. I pressed CTRL + U on the keyboard to view the page source.
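The flaw confirmed above comes from joining a request parameter straight onto a file path. The following is an added example, not code from the box or from this write-up: a vulnerable page reader beside a hardened one that resolves the path and refuses anything outside the page directory. The function names, the pages directory and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

def read_page_vulnerable(base_dir, name):
    # User input is joined straight onto the base directory, so "../"
    # sequences and absolute paths walk out of it.
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()

def read_page_hardened(base_dir, name):
    base = os.path.realpath(base_dir)
    # realpath collapses "..", resolves symlinks, and exposes absolute paths.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the page directory")
    with open(target) as fh:
        return fh.read()

def attempt(reader, base_dir, name):
    try:
        return reader(base_dir, name).strip()
    except PermissionError:
        return "blocked"

def demo():
    # Constructed sandbox: one legitimate page and one file outside the page dir.
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        secret = os.path.join(root, "secret.txt")
        with open(os.path.join(pages, "hacking"), "w") as fh:
            fh.write("article body\n")
        with open(secret, "w") as fh:
            fh.write("outside the page dir\n")
        return {
            "vulnerable_relative": attempt(read_page_vulnerable, pages, "../secret.txt"),
            "vulnerable_absolute": attempt(read_page_vulnerable, pages, secret),
            "hardened_page": attempt(read_page_hardened, pages, "hacking"),
            "hardened_relative": attempt(read_page_hardened, pages, "../secret.txt"),
            "hardened_absolute": attempt(read_page_hardened, pages, secret),
        }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A fixed allowlist that maps page names to files is stricter still, since it removes user-controlled paths entirely.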

And we get a hard-coded credential. That was too easy.

#falconfeast:rootpassword

Remember that SSH was listening on port 22. I tested those credentials on port 22.

And we get a user shell as falconfeast. Now we can access the user flag.

Now it’s time to escalate our privileges to become the root user. I’ll use linpeas, a really amazing script that automates the process of finding privilege escalation vectors and outputs the results in color. First I uploaded the script to the computer, and the script is executed using the command:

bash linpeas

And after the script ran, we find that the user falconfeast can run socat as root without a password.

That seems like our exploit vector. I decided to search for exploits using GTFOBins and, boom, we get a way to exploit socat to get root privileges.

I decided to run the command on the target machine and created a listener on our local machine listening on port 4444.

Then I executed the rest of the command on the target machine.

And when the command was executed, going back to our listener, boom, we have a root shell.

That was too simple. Now I upgraded my shell.

Now it’s time to get the root flag.

Since we are root we can read the root flag and we are done.

Though the box was easy, it really lays a good foundation for penetration testers who are just beginning to learn cyber security. If you wish to try hacking the machine, you can get it from the link below.

TryHackMe

That’s it for now, guys. Till next time, happy pentesting.
