TryHackMe Writeups

LFI – Challenge

This article covers one room on TryHackMe. It was an easy room meant to let you practise LFI (Local File Inclusion). If you don’t know what LFI is, please go back to the training page and read the articles first.

Enumeration

When it comes to CTFs or machines of this type, I usually start by running nmap to see which ports are available. As you can see in the image below, we have two ports open: port 80 and port 22.

Port 80 is associated with web applications, so let’s see what we have there. Bear in mind that this is an LFI task, so if you have done the module the user flag should be very easy to get. There are two ways to obtain it.

USER FLAG – v1

If we go to the page and click around, we can see our entry point in the URL. Passing ../../../../etc/passwd after the equals sign makes the application include the password file, which is then shown in the page. From there we can actually get credentials that we can use to SSH to the machine. I will not provide a picture of it so you can test it yourself. Once we have SSHed into the machine, just view the user flag and you are done.

USER FLAG – v2

The second way to obtain the flag, if you don’t figure out that you need to SSH into the machine, is to view the flag directly in the browser. We already know the user name (see v1 above), so we craft a path to the flag file and include it through the same parameter.
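Both v1 and v2 work because the include parameter is joined onto a directory path and never checked against the directory the page is supposed to serve from. The following is an added example, not code from the room or from TryHackMe, showing how a defender closes that hole: the web root, the allow-listed page names and the home-directory user name are all constructed for the example. The traversal payload from v1 and a v2-style crafted path are both rejected; a plain page name resolves to a file inside the web root.

```python
import os
from pathlib import Path

# Constructed web root for the example; a real application would use the
# directory that the "include" parameter is supposed to serve pages from.
WEB_ROOT = Path("/var/www/html/pages")

# Only these relative page paths may be included at all, whatever the URL says.
# Allow-listing is the stronger control; the canonical-path check below is
# defence in depth for the case where the list has to be wider.
ALLOWED_PAGES = {"index.html", "about.html", "contact.html"}


class TraversalRejected(ValueError):
    """Raised when a requested include would escape the allowed directory."""


def resolve_include(requested: str, base: Path = WEB_ROOT) -> Path:
    """Map a user-supplied page name to a file strictly inside `base`.

    Rejects the patterns used in the writeup (../../../../etc/passwd and a
    crafted path towards a user's home directory) as well as absolute paths
    and NUL-byte tricks. Returns the canonical path on success.
    """
    if "\x00" in requested:
        # A NUL byte can truncate the path in lower-level string handling,
        # so a forced ".php" suffix would never be seen.
        raise TraversalRejected("NUL byte in requested path")

    if requested.startswith(("/", "\\")) or os.path.isabs(requested):
        # Joining an absolute path onto `base` silently discards `base`.
        raise TraversalRejected("absolute paths are not allowed")

    base_resolved = base.resolve()
    # resolve() collapses '..' segments (and follows symlinks for components
    # that exist), so the comparison is made on the canonical path, not on
    # the raw text the client sent.
    candidate = (base_resolved / requested).resolve()

    # commonpath() is immune to the "/var/www/html/pages-evil" prefix trick
    # that a plain str.startswith() check on the base path would miss.
    if os.path.commonpath([str(base_resolved), str(candidate)]) != str(base_resolved):
        raise TraversalRejected(f"{requested!r} escapes {base}")

    relative = candidate.relative_to(base_resolved).as_posix()
    if relative not in ALLOWED_PAGES:
        raise TraversalRejected(f"{relative!r} is not an allowed page")

    return candidate


def is_safe_include(requested: str) -> bool:
    """Convenience wrapper: True if resolve_include() accepts the input."""
    try:
        resolve_include(requested)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: the writeup's traversal payload, a v2-style crafted
    # path towards a (made-up) user's home directory, and legitimate pages.
    for req in ["about.html", "./index.html", "../../../../etc/passwd",
                "../../home/exampleuser/user.txt", "/etc/passwd",
                "about.html\x00.php", "secret.html"]:
        verdict = "allowed" if is_safe_include(req) else "rejected"
        print(f"{req!r:40} -> {verdict}")
```

The two checks are independent on purpose: the allow-list stops the v2 trick (a real file, just not one the page should serve) even when the path happens to stay under the web root, and the canonical-path comparison stops any future allow-list entry from being turned into a traversal.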

Those were the two ways to get the user flag. Let’s move on to the root flag.

ROOT

To get the root flag we can build on v1, so we have already SSHed into the machine. The next step is to check what we can run as root. My first command of choice is:

sudo -l

This command shows what the current user can run with root privileges. From here we can start googling what socat does and how it can be abused. My approach is to check GTFOBins for the socat entry, which makes your life a lot easier.
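Reading sudo -l by eye works on one box, but the same check is worth automating when you audit your own hosts. The following is an added example, not part of the writeup or of GTFOBins: it parses the rule lines of sudo -l output and flags any rule whose binary is documented there as able to spawn a shell or read arbitrary files. The sudo -l text is constructed (the user name, host name and rules are made up; the socat rule mirrors what the room relies on), and the binary list is an illustrative subset that I have assumed for the example, not a complete GTFOBins export.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List

# Constructed `sudo -l` output for the example; it is not output from the
# TryHackMe machine. The socat rule mirrors what the writeup describes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/apt-get
    (ALL : ALL) /usr/bin/vim /etc/motd
"""

# Illustrative subset (an assumption for this example) of binaries that
# GTFOBins documents as giving a shell or arbitrary file access under sudo.
# socat is the one the writeup relies on.
SHELL_ESCAPE_BINARIES = {"socat", "vim", "find", "less", "python3", "bash"}

# A rule line looks like "    (root) NOPASSWD: /usr/bin/socat"; the run-as
# spec is in parentheses, the tag is optional, the rest is the command.
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s+(?:(NOPASSWD|PASSWD):\s*)?(.+?)\s*$")


def parse_sudo_rules(output: str) -> List[Dict[str, object]]:
    """Extract run-as user, NOPASSWD flag and command from `sudo -l` text."""
    rules = []
    for line in output.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # Defaults lines and headers never start with "("
        runas, tag, command = match.groups()
        rules.append({
            "runas": runas.strip(),
            "nopasswd": tag == "NOPASSWD",
            "command": command,
        })
    return rules


def audit_sudo_rules(output: str) -> List[str]:
    """Return one finding per rule whose binary is a known shell-escape vector."""
    findings = []
    for rule in parse_sudo_rules(output):
        # Compare on the basename so /usr/bin/socat and /bin/socat both match.
        binary = PurePosixPath(str(rule["command"]).split()[0]).name
        if binary in SHELL_ESCAPE_BINARIES:
            tag = "NOPASSWD, " if rule["nopasswd"] else ""
            findings.append(
                f"{rule['command']} as {rule['runas']} "
                f"({tag}shell escape documented for {binary})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print("RISK:", finding)
```

On a real host you would feed it the actual output (sudo -l -n piped into the script) and treat every finding as a rule to remove or to restrict to a wrapper script that does not expose the binary's own command-line options.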

I hope this helped. If you have any questions, ask in the comments.