Inclusion (Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Inclusion.
Now first of all we will navigate to the Room URL and join it.
https://tryhackme.com/room/lianyu
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
ping 10.10.74.174
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -t4 10.10.74.174
Now we can see that 2 ports are open and the most promising port we can gather info looks to be port 80. Lets see what's on the website there.
We go to the main website and found no info of use . So we have to use gobuster to see additional hidden directories and see if we can gather some info from.
gobuster dir -u http://10.10.74.174 -w /usr/share/dirbuster/wordlist/directory-list-2.3-medium.txt -t 100
From above gobuster search we found only 1 webpage
/article
Lets navigate to webpage and see what information we can gather
We didn’t get anything important here but as directed in the lab we need to find LFI parameters . So lets search them.
When we open the hacking article on the main website , in the url we can see the parameters being displayed. We have found the LFI vulnerability.
/article?name=hacking
Seeing this we know that hacking is the parameter and we can change the parameter to search for files.
After searching with trail and error we finally found the correct parameter to display critical information
/article?name=../../../../etc/passwd
Here we found the passwd file and can see that there is a user credential
Username : falconfeast
Password : rootpassword
As we have ssh port open in the machine we can login into the user and then try to escalate our privilege from there to root.
ssh falconfeast@10.10.74.174
As you see we have successfully logged in the user. Now lets search for our first flag then we will escalate our privilege to root.
cat /home/falconfeast/user.txt
As you can tell here We have successfully found our first flag in the main directory of user falconfeast itself. Now lets try to search some more vulnerabilities to escalate our privilege to root.
Lets see which sudo permissions this user has
sudo -l
And here we go , we have found our vulnerable program named socat through which we can gain root. Lets search GTFO bins and find out how to exploit this .
https://gtfobins.github.io/gtfobins/socat/
On GTFO we successfully found the command to exploit this vulnerability .
sudo socat stdin exec:/bin/sh
cat /root/root.txt
Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!
