inclusion - THM Box
- nmap scan here
- Found that there was a server running on port 80 and, since this was an inclusion box, I went to the browser to check port 80.
- Found some text regarding the LFI and found the site to be `<IP:ADDR>/article?name=lfiattack`.
- Checked if this site is vulnerable to LFI by changing the `lfiattack` to `../../../../../../etc/passwd` and it was.
- Found the password of a user in the same file and tried to ssh into the server and got into it.
- Found that the user could execute socat as root and found the exploit in GTFOBins Socat#Sudo and got the privileges escalated to root.
- Finally got the user.txt and root.txt from the machine and completed it.
PS: The `/etc/shadow` file was readable, and I got the hashes of the root user from there and stored them in root.txt. Since the machine was completed, I put no effort into cracking the hash.
~ Machine Completed~
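
The LFI in the `name` parameter above comes from joining user input into a file path without checking where the result points. As an added example (not code from the box or from this write-up), the Python below puts that pattern beside a handler that resolves the path and rejects anything outside the article directory; the function names, directory layout and file contents are constructed for illustration.

```python
import os
import tempfile


def read_article_vulnerable(base_dir, name):
    """Unchecked pattern: the request parameter is joined straight into a path."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_article_safe(base_dir, name):
    """Resolve the requested path first and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks. An absolute
    # `name` makes join() discard base, which the check below also catches.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"rejected article name: {name!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Run both handlers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        articles = os.path.join(root, "articles")
        os.mkdir(articles)
        with open(os.path.join(articles, "lfiattack"), "w", encoding="utf-8") as fh:
            fh.write("article body")
        outside = os.path.join(root, "outside.txt")  # stands in for /etc/passwd
        with open(outside, "w", encoding="utf-8") as fh:
            fh.write("not an article")

        results = {"vulnerable": read_article_vulnerable(articles, "../outside.txt")}
        results["safe_ok"] = read_article_safe(articles, "lfiattack")
        blocked = 0
        for name in ("../outside.txt", outside):  # relative and absolute forms
            try:
                read_article_safe(articles, name)
            except PermissionError:
                blocked += 1
        results["blocked_count"] = blocked
        return results


if __name__ == "__main__":
    print(demo())
```
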