Hello guys. This room is rated as easy on THM, and from the name we can guess that we’ll have to exploit an LFI (Local File Inclusion) vulnerability to get initial access.
Let’s dive in and start with an Nmap scan.
Accessing the web application, we notice that it is a blog. By clicking the
View details button we see that the GET parameter has a
Let’s try and see if the web app is vulnerable to LFI. I started by trying to reach the
/etc/passwd file, and then moved one directory up at a time until I found it.
We see a comment from which we can obtain the initial access.
You can grab the user flag from the user’s home directory.
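As an added example (not part of this write-up), here is a small detector a defender could run over web-server access logs to spot the kind of traversal requests used above: it percent-decodes each query parameter (repeatedly, so double-encoded values are caught), flags values containing `../` or an absolute path, and tags hits that point at well-known sensitive files. The log lines and parameter name are constructed samples, not from the room.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /article?name=hacking HTTP/1.1" 200 2048
10.0.0.7 - - [10/Mar/2024:10:01:09 +0000] "GET /article?name=../../../../etc/passwd HTTP/1.1" 200 1853
10.0.0.7 - - [10/Mar/2024:10:01:15 +0000] "GET /article?name=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1853
10.0.0.9 - - [10/Mar/2024:10:02:30 +0000] "GET /article?name=%2e%2e%2f%2e%2e%2fvar/log/apache2/access.log HTTP/1.1" 404 310
10.0.0.5 - - [10/Mar/2024:10:03:00 +0000] "GET /static/style.css HTTP/1.1" 200 512
"""

# ip, timestamp, method, request target and status code of one log line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Files commonly read through LFI; used only to tag a hit, not to detect it
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")

def decode(value, rounds=3):
    """Percent-decode until stable so double-encoded traversal is normalised."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def is_traversal(param_value):
    """True if the decoded value walks up the tree or names an absolute path."""
    v = decode(param_value).replace("\\", "/")
    return "../" in v or v.startswith("/")

def scan(log_text):
    """Return one finding per traversal-looking query parameter in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if not is_traversal(value):
                continue
            decoded = decode(value)
            # A 200 on a traversal request means the include most likely succeeded.
            findings.append({"ip": m["ip"], "ts": m["ts"], "param": name, "value": decoded,
                             "status": int(m["status"]),
                             "sensitive": any(s in decoded for s in SENSITIVE)})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Feed it a real access log and alert on any finding with status 200, since that is the case where the file was actually served.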
Time to privesc!
By doing some recon/enumeration we notice we can run socat as root. You can find the privesc method on the GTFOBins page, here.
First, I used socat to create a listener on my machine.
Then, running socat as root, I created the reverse shell.
Getting back to our terminal where we set up the listener, we can see that we got the reverse shell and we are root.
Hope you guys learned something! For me it was an easy and fun room.