📓
Pentesting
  • Writeups
  • HackTheBox
    • Easy Machines
      • Beep Writeup
      • Shocker Writeup
      • Lame Writeup
      • Jerry Writeup
      • Legacy Writeup
      • Blue Writeup
  • TryHackMe
    • Walkthroughs: Easy
      • CC: Steganography
      • Cryptography for Dummies
      • Cross-site Scripting
      • SQL Injection Lab
      • SQL Injection
      • ZTH: Web 2
      • SSRF
      • XXE
      • Authenticate
      • Injection
      • Blaster
      • The Cod Caper
      • Hardening Basics Part 1
      • What the Shell?
      • Game Zone
      • Upload Vulnerabilities
      • Bolt
      • Erit Securus 1
      • CC: Pentesting
      • JavaScript Basics
      • OverPass 2 - Hacked
      • Linux: Local Enumeration
      • Ice
      • Linux Backdoors
      • Avengers Blog
      • DNS in Detail
      • Putting it all together
      • Kenobi
      • Common Linux Privesc
      • Network Services 2
      • Network Services
      • The Hacker Methodology
      • The Find command
      • HTTP in Detail
      • Web Fundamentals
      • How Websites Work
      • Introductory Networking
    • Challenges (CTF): Easy
      • VulNet: Roasted
      • VulNet: Internal
      • Git Happens
      • Kiba
      • VulNet: Node
      • Memory Forensics
      • Smag Grotto
      • Investigating Windows
      • Cat Pictures
      • Juicy Details
      • Anthem
      • Tony The Tiger
      • Jack-of-All-Trades
      • JPGChat
      • Blueprint
      • All in One
      • Gotta Catch'em All
      • Mustacchio
      • Break Out The Cage
      • HeartBleed
      • Poster
      • Madness
      • Source
      • Thompson
      • Library
      • Magician
      • Anonforce
      • Dav
      • GLITCH
      • Fowsniff CTF
      • Team
      • H4cked
      • Easy Peasy
      • ColddBox: Easy
      • Archangel
      • Cyborg
      • Chocolate Factory
      • Brute It
      • Year of the Rabbit
      • ChillHack
      • Gaming Server
      • Brooklyn Nine Nine
      • Wgel CTF
      • Tomghost
      • ToolsRus
      • Skynet
      • Startup
      • Agent Sudo
      • Lian-Yu
      • OhSINT
      • Overpass
      • Crack The Hash
      • Ignite
      • Inclusion
      • Bounty Hunter
      • LazyAdmin
      • RootMe
      • Pickle Rick
      • Basic Pentesting
      • Simple CTF
  • Crackmes.one
    • 1 Difficulty Rating
      • easyAF
      • Easy Keyg3nme
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • Privilege Escalation

Was this helpful?

  1. TryHackMe
  2. Challenges (CTF): Easy

Inclusion

PreviousIgniteNextBounty Hunter

Last updated 3 years ago

Was this helpful?

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.101.147

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving it into a files called nmap

nmap -sC -sV -p 22,80 -oN nmap 10.10.101.147

Enumeration

Lets visit the website

Clicking through the website we can see that in the URL there is a parameter name

And while changing through different pages, the word after the parameter changes, which is like a directory structure.

Local File Inclusion: A file inclusion vulnerability (web vulnerability) that is most commonly found to affect web applications. An attacker uses LFT to trick the web application into exposing or running files on the web server. It may lead to information disclosure, remote code execution, cross-site scripting and many other vulnerabilities.

So if we are in a file system structure, we can say that we can be currently in /root/home/users/user/article/<file>, so what if we want to see important information which is present in the /etc/passwd file, we can go back a few directories and read the file, like this.

../../../../../../etc/passwd

And it works, we can see the /etc/passwd file. Reading through the file we see a username and password that we can use to login through ssh.

Username: falconfeast

Password: rootpassword

ssh falconfeast@10.10.101.147

We can now read the user flag.

Privilege Escalation

Lets run the command sudo -l to check what we can run as root.

sudo -l
sudo socat stdin exec:/bin/sh

We are now root, we can go read the root flag and answer the last question of this room.

Looks like we can run /usr/bin/socat as root, lets go to and find the commands to privilege escalate to root. They gave the command:

GTFOBins