TryHackMe LFI (Local File Inclusion) walkthrough

This is a beginner local file inclusion challenge.

ENUMERATION

Nmap comes in handy when looking for open ports and vulnerabilities.

I found that port 80 and port 22 are open. Since port 80 serves the website, I opened the website hosted at <attacker-IP:80>.

While viewing the details, I noticed that part of the URL changes dynamically while the other part of the URL remains static.

I decided to perform a local file inclusion through the URL to get the passwd file from the server: <../../../../../../../etc/passwd>
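
The traversal string above works when the server joins the URL parameter onto a base directory without checking where the result lands. As an added example (not from the original walkthrough or the challenge's own code), this Python code puts that unchecked join beside a resolver that rejects anything resolving outside the base directory; the function names, the /var/www/html/pages path and the temporary web root are assumptions constructed for illustration.

```python
import os
import tempfile

def resolve_naive(base_dir, requested):
    """Vulnerable pattern: join the URL parameter onto the base dir unchecked."""
    return os.path.normpath(os.path.join(base_dir, requested))

def resolve_safe(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks before the check
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory such
    # as pages_private is not mistaken for pages (a startswith() check would be)
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    return target

def demo():
    """Run constructed parameter values against a constructed web root."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    private = os.path.join(root, "pages_private")
    os.makedirs(pages)
    os.makedirs(private)
    for folder, name in ((pages, "article1.txt"), (private, "secret.txt")):
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("sample content\n")
    samples = [
        "article1.txt",                       # legitimate page
        "../../../../../../../etc/passwd",    # traversal string from the walkthrough
        "/etc/passwd",                        # absolute path overrides the join
        "../pages_private/secret.txt",        # sibling dir sharing the name prefix
    ]
    results = {}
    for value in samples:
        try:
            resolve_safe(pages, value)
            results[value] = "allowed"
        except PermissionError:
            results[value] = "blocked"
    return pages, results

if __name__ == "__main__":
    # /var/www/html/pages is an assumed base directory for illustration
    print(resolve_naive("/var/www/html/pages", "../../../../../../../etc/passwd"))
    for value, verdict in demo()[1].items():
        print(f"{verdict:8} {value}")
```
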

After analysing the file, I found the username and password of the non-root user. Since during enumeration I had found two open ports, port 80 and port 22 (SSH), I logged in using the credentials from the </etc/passwd> file: <ssh user@attacker-IP>

The user flag is in the user directory.

Next, I decided to escalate privileges to the superuser (root).

I typed the <sudo -l> command to see which files the non-root user has access to through sudo.

The non-root user can access the socat file. Moving to GTFOBins, I found a command-line exec to acquire a shell with socat.

The resulting shell is not a proper TTY shell and lacks a prompt, so I spawned an interactive shell using python3: <python3 -c 'import pty;pty.spawn("/bin/bash")'>

The root flag is located in </root/root.txt>.
