Inclusion
Reconnaissance
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving it into a files called nmap
Enumeration
Lets visit the website
Clicking through the website we can see that in the URL there is a parameter name
And while changing through different pages, the word after the parameter changes, which is like a directory structure.
Local File Inclusion: A file inclusion vulnerability (web vulnerability) that is most commonly found to affect web applications. An attacker uses LFT to trick the web application into exposing or running files on the web server. It may lead to information disclosure, remote code execution, cross-site scripting and many other vulnerabilities.
So if we are in a file system structure, we can say that we can be currently in /root/home/users/user/article/<file>
, so what if we want to see important information which is present in the /etc/passwd
file, we can go back a few directories and read the file, like this.
And it works, we can see the /etc/passwd
file. Reading through the file we see a username and password that we can use to login through ssh.
Username: falconfeast
Password: rootpassword
We can now read the user flag.
Privilege Escalation
Lets run the command sudo -l
to check what we can run as root.
Looks like we can run /usr/bin/socat
as root, lets go to GTFOBins and find the commands to privilege escalate to root. They gave the command:
We are now root, we can go read the root flag and answer the last question of this room.
Last updated