LFI Inclusion — TRY HACK ME

A beginner level easy Capture The Flag(CTF) that challenges beginners to solve variety of tasks using available tools and hacking into a server to steal data. In this post, a course task from HackerU : RED Team Pentester, I will show the steps followed to get the flag using Local File Inclusion.

Basic Checks to be performed before attacking the machine.

1.Power on the Target Machine and make a note of the IP address.

2.Start your Kali Virtual Machine.

3.Connect to TRY HACK ME OPEN VPN

# sudo openvpn <vpn-file-name>

4.Check connectivity to the target machine from attacker pc (Kali VM).

NMAP (NETWORK MAP) -Enumeration

Process of extracting machine names, network resources , shares , services from a system. NMAP scan is the first step I use to scan the target machine most of the time.

Before I start with NMAP , we need to understand what is LFI(Local File Inclusion) ? File Inclusions are part of Server Side Scripting Language for the Web. It allows an application to read files or provide an download functionality or parse files. If it is not implemented properly an attackers can exploit them which can lead to information disclosure.

You can read more about it @

Local File Inclusion Vulnerability

From NMAP scan , we can notice that the following ports are open and running on Operating System Linux.

1. Port 80
2. Port 22

Open Terminal in the attacker machine and execute the following command

# nmap -A -sCV — reason <Target Machine IP>

The task is on Local File Inclusion and I decided not to do a directory search. In the browser , type the IP address of the Target Machine.

A blog page is displayed. Before we enumerate further , first lets look at the source code of the page and at bottom of the source code you find a footer class with some “name”. You can find the same “name” in the blog website. Could that be username to ssh into the target machine?

Let’s try :

# ssh <username>@<Target Machine IP> . The system prompts for the password. Can we brute force the login password using hydra and rockyou.txt. Thumb Rule if brute forcing takes more than 10–15 min, it means looking at the wrong direction.

We know the login name and let’s make a note of it. We do not know the password of the login name.

When you click on the “View Details” of the blog section you can find the URL changes to “?<something> = <something>”

https://www.example.com/<something>?<something>=<something>

It allows the attacker to perform Path Traversal Attack to access file on the web server to which they should not have access. Path Traversal is basically tricking the web server or the web application to return files that exists outside the web root folder.

The attacker can use special character “../” which is the parent directory and traverse all the directories and access files.

Let me give you an example how to get user.txt without SSH.

Step 1

After = sign in the URL type “/home/<username>t/user.txt”

=/home/<loginname>/user.txt

You will encounter internal server error.

Step 2

Let us now add only one special characters

../home/<loginname>/user.txt” .

You will encounter again internal server error.

Step 3

Let us add another special character “../../home/<loginname>/user.txt”

You will encounter again internal server error.

Step 4

Let us add another special character “../../../home/<loginname>/user.txt”

# ../../../home/<loginname>/user.txt

Follow the same methodology as above for /etc/passwd and you will get the contents in the /etc/passwd. In the /etc/passwd you can find the <loginname> and the password.

We can successfully SSH into the Target Machine and retrieve the user.txt flag.

# ssh <login name> @ <Target Machine IP>

# flag is the same from both the methods.

We need to get root access to retrieve the root.txt flag. There could be multiple ways.

The easier way is to follow the same steps we used to get user.txt using the path traversal.

Step 1

After = sign in the URL type “/root/root.txt”

Step 2

After = sign in the URL type “../root/root.txt”

Step 3

After = sign in the URL type “../../root/root.txt”

Step 4

After = sign in the URL type “../../../root/root.txt”

If you want to gain root shell access through terminal ,follow the following steps.

Step 1

In the terminal type # sudo -l

You can find the user <login name> can run the following commands on the target machine with “(root)NOPASSWD: /xxx/xxx/xxx”. What it means that the attacker can the command as the root user(sudo).

We will now try to attain root shell of the host’s machine. First method is always go to “GTFOBINS’ for bypassing local restrictions on the target machine.

socat | GTFOBins

We need root shell access and execute the following command :

# sudo socat stdin exec:/bin/sh

The reason I added “sudo” is because “sudo -l” indicated that attacker could run as “sudo” with “NOPASSWD”. If you execute without “sudo”, you will not get root access.

Let me demonstrate.

# socat stdin exec:/bin/sh

UID=1000 is not system account and anything less than 1000 is reserved for system accounts and other services.

After executing with sudo enter commands to steady the shell

Steps

python3 -c ‘import pty;pty.spawn(“/bin/bash”)

export TERM=xterm-256color

Navigate to the root folder and capture the root.txt flag.

Overall it was an interesting box exploring different methods to capture the user and root flags.