Post

TryHackMe - Inclusion

Posted Updated
By Nasrallah Baadi 2 min read

Description

Hello l33ts, I hope you are doing well. We are doing Inclusion from TryHackMe. It’s an easy machine where we use local file inclusion vulnerability and find a user credentials that gives us access to the machine via ssh. We Find we can run a program as root, we leverage that to become root.

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run all the default scripts.

  • -sV: Find the version of services running on the target.

  • -T4: Aggressive scan to provide faster results.

Nmap scan report for 10.10.210.218
Host is up (0.097s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
|_http-server-header: Werkzeug/0.16.0 Python/3.6.9
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have ssh on port 22 and a webserver running on port 80, let’s check the webserver.

Webserver

It looks like we have a blog with some articles, let’s try clicking on one of the view details buttons.

We see in the URL a parameter called name, let’s see if it’s vulnerable to Local file inclusion by requesting the /etc/passwd file, but first, we need to up all the way the root directory of the file system, the payload will like this: ../../../../../etc/passwd.

Let’s add it now to the url, http://{target_IP}/article?name=../../../../../etc/passwd

Note that we use ctrl + u to view the source code which gives us a nicer view.

We found a username and password inside the file.

Foothold

Let’s use the username and password we found to login with ssh.

Great! We are in the machine now, let’s move to privesc.

Privilege Escalation

We can run sudo -l to check our current privileges.

We can run socat as root, we can go to GTFOBins and see how to use socat to get root.

So we can execute the following command sudo socat stdin exec:/bin/sh and become root, let’s try it.

Great! And just like that we have rooted the machine.

Thank you for taking the time to read my writeup, I hope you have learned something with this, if you have any questions or comments, please feel free to reach out to me. See you in the next hack :) .

TryHackMe
tryhackme linux sudo lfi
This post is licensed under CC BY 4.0 by the author.