Introduction
Local File Inclusion (LFI).
Local file inclusion is one of the Web Application vulnerability
To access this machine, we must connect with https://tryhackme.com/ network through VPN.
After connected check the machine connectivity using ping command and start enumeration
Enumerate
I used Nmap to check for open ports and services.
As per the scanned result, we can see that ports 22/TCP SSH & 80/TCP HTTP are open. So, Let’s access port 80 first and check for details.
When I accessed HTTP 80 using web browser, website opened and found some articles related to LFI attack and RFI attack. I checked LFI-attack article and saw logs as showed below.
When you read the article, it gives us a tip for exploiting this. It’s called a directory traversal attack, and it can be accomplished here by replacing the file name with “../../../../etc/passwd.”
Exploitation
By replacing url name from http://IP/article?name=lfiattack to http://IP/article?name=../../../../etc/passwd, we found there is credential in clear text format as shown below.
Now, we got the credentials for SSH we can access the remote machine by the command ssh flaconfeast@<IP>.
Privilege Escalation
From SSH logged in we can clearly identified that we have logged in as normal user named falconfeast.
In order to get the two flags, we need root access and to get the it we have to check it by typing sudo -l. In the end it shows specific path to run as root.
/usr/bin/socat
Go to gtfobins website and search for socat sudo where you can find the command which helps to do privilege escalation.
"sudo socat stdin exec:/bin/sh"
By executing this command, we get the root access and our privilege escalation is successful completed.
Finally, we got the two flags from root.txt and user.txt
Hope, this blog was helpful for beginners who were trying this machine.
References
GTFOBins - https://gtfobins.github.io