Inclusion (Tryhackme) Room Writeup By Jonty Bhardwaj

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Inclusion.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/lianyu

After starting the machine, we first connect through OpenVPN and ping the machine at the IP we are given to see if the connection is established. Once the ping succeeds, we start the fun part, which is pentesting and getting root privilege.

ping 10.10.74.174

Now we start an Nmap scan to see which ports and services are open on the machine.

nmap -sV -sT -T4 10.10.74.174

Now we can see that 2 ports are open, and the most promising port for gathering info looks to be port 80. Let's see what's on the website there.

We go to the main website and find no info of use, so we use gobuster to look for additional hidden directories that we can gather some info from.

gobuster dir -u http://10.10.74.174 -w /usr/share/dirbuster/wordlist/directory-list-2.3-medium.txt -t 100

From the above gobuster search we found only 1 webpage:

/article

Let's navigate to the webpage and see what information we can gather.

We didn't get anything important here, but as directed in the lab we need to find LFI parameters, so let's search for them.

When we open the hacking article on the main website, we can see the parameters displayed in the URL. We have found the LFI vulnerability.

/article?name=hacking

Seeing this, we know that the name parameter takes hacking as its value, and we can change that value to request other files.

After some trial and error, we finally found the correct parameter value to display critical information:

/article?name=../../../../etc/passwd

Here we found the passwd file and can see that there is a user credential

Username : falconfeast

Password : rootpassword
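Why the `name` value above reaches `/etc/passwd`, as an added Python example (not the room's actual source code, which this writeup does not show). The function names, the `articles` directory and the sample files are assumptions constructed for the illustration; the first handler joins the request value to a base path unchecked, the second resolves the path and refuses anything outside the base directory.

```python
import os
import tempfile

def read_article_unsafe(base_dir, name):
    """Vulnerable pattern: the request value is joined to the base path unchecked."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()

def read_article_safe(base_dir, name):
    """Resolve the final path and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks, so we compare
    # fully resolved paths rather than filtering the raw string.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes article directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target) as fh:
        return fh.read()

def demo():
    """Build a constructed directory tree and compare both handlers."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        articles = os.path.join(root, "articles")
        os.mkdir(articles)
        with open(os.path.join(articles, "hacking"), "w") as fh:
            fh.write("article body")
        # Constructed file that sits outside the directory being served.
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the web root")
        results["unsafe_traversal"] = read_article_unsafe(articles, "../secret.txt")
        results["safe_normal"] = read_article_safe(articles, "hacking")
        for name in ("../secret.txt", "/etc/passwd", "../../../../etc/passwd"):
            try:
                read_article_safe(articles, name)
                results[name] = "served"
            except PermissionError:
                results[name] = "blocked"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absolute path case matters because `os.path.join` discards the base directory when the second argument starts with `/`, which is why the check runs on the resolved path instead of looking for `../` in the input.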

As the SSH port is open on the machine, we can log in as this user and then try to escalate our privilege to root from there.

ssh falconfeast@10.10.74.174

As you can see, we have successfully logged in as the user. Now let's search for our first flag, then we will escalate our privilege to root.

cat /home/falconfeast/user.txt

As you can tell, we have successfully found our first flag in the home directory of user falconfeast itself. Now let's look for more vulnerabilities to escalate our privilege to root.

Let's see which sudo permissions this user has:

sudo -l

And here we go: we have found our vulnerable program, socat, through which we can gain root. Let's search GTFOBins and find out how to exploit this.

https://gtfobins.github.io/gtfobins/socat/

On GTFOBins we successfully found the command to exploit this vulnerability.

sudo socat stdin exec:/bin/sh

cat /root/root.txt

Here we have successfully escalated to a root shell after using the exploit command and found the root flag in the root folder.

Proof of Completion

Congratulations on completing the room and reading the blog. I hope my blog helped you in your journey and taught you something new.

Happy Hacking!!


Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.
