TryHackMe Inclusion Writeup


This is a walkthrough of the TryHackMe room “Inclusion.” If you haven’t already completed the challenge, do so here

This room is meant to be a beginner’s introduction to local file inclusion, a vulnerability which occurs when some webapp includes files from its own local directories without any kind of sanitization.

Like any good hack, we start with enumeration. Run “nmap -sV” to get the services running on open ports and their versions.

As expected, HTTP is open. SSH is as well, which we’ll use later.

When we connect to our machine, we’re greeted with a few articles.

Click on the middle article and you’ll be treated to an excerpt from the Acunetix blog. What concerns us is the URL for this article.

Our metaknowledge about this machine tells us that “lfiattack” is a local file that the web server is just throwing up. If you read the article, it gives us a handy tip for exploiting this. It’s called a directory traversal attack, and it can be accomplished here by replacing the file name with “../../../../etc/passwd.” There’s no upper limit on the double dots as going to “/..” just takes you back to “/”. You just need enough to get to root.

Going to our malicious URL will display the linux file containing the password information for the users on the machine. Like salt and pepper, the passwd and shadow files go together. Normally we might wget both of them and attack them with John, which is what I did at first. Instead, simply make note of the password listed for user “falconfeast” and use those credentials to SSH in.

Congrats! You have user-level access to the target. The flag is present in the home directory. But we’re not done yet, we want root access. For that, I must admit, I am in new territory. I have a copy of Jay McGuerty’s Network Field Survival Guide, which has a hermeneutic for privilege escalation that I referenced for this. But anyone could’ve found such steps anywhere online. What works for us here is “sudo -l”. This will display the following:

It just so happens that socat has some features which will allow us to get root access. I simply looked up “socat privilege escalation” and found this guide. Socat will basically allow us to pipe STDIN from our host to /bin/bash on the remote host. If that doesn’t make sense I made this diagram:

The command we run for this on the target is “sudo socat tcp4-listen:,reuseaddr EXEC:/bin/sh”. The port can be you want, other than 80 or 22.

Now, from a terminal on your local machine, run “socat — tcp4::” and that’s it!

It’s not quite a normal shell. If you look at the remote shell, you’ll see that “hello” is not a command. You’ll find the flag in root.txt

This was a quick and simple room, perfect for the beginner. MuirlandOracle has a neat shortcut on his blog that takes advantage of the fact that the webserver is already running as root. But the intended method is best for someone looking to understand the demonstrated vulnerability.