Inclusion [No Spoilers]

Amec0e
4 min read · Nov 20, 2020

[Image: LFI]

Difficulty: Easy

Before we begin, I want to mention that you DO NOT need to brute force SSH in any way; if you do, you're likely to miss the point of this room entirely and probably won't learn much about how an LFI or RFI attack is performed and works.

With that said let’s continue.

Okay, so let's begin with our enumeration, starting with nmap:

[Image: nmap scan output]

We can see that we have a web server on port 80 and SSH on port 22.

So let’s go and check out the website for any additional or hidden comments first.

Well, there are no interesting comments; however, we see this:

[Image: LFI]

This looks like it is teaching us how to perform an LFI or RFI attack.

The first one I want to check out here is the LFI attack, so let's see what we get:

[Image: LFI]

Okay, well, this is quite jumbled up: readable, but jumbled. So let's try viewing it with "View Page Source":

[Image: page source, a little prettier]

Okay well this is much prettier.

Upon reading, we can see that for an LFI to take place they are abusing a URL parameter called file, per the example above and below:

[Image: LFI Example]

So this example is using ../../ to change directories enough times that we end up in the directory /, where we can then simply append /etc/passwd and essentially view the local machine's passwd contents.
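To make the traversal mechanic concrete from the defender's side, here is an added Python example (not code from the room or from the original post) that contrasts a naive include-path resolver with a hardened one. The base directory /var/www/pages, the parameter values and the allowed extensions are assumptions made for the example.

```python
import os
import urllib.parse

# Assumed layout for the example: the app serves page templates from this
# directory, chosen by a URL parameter such as ?name=about.html
BASE_DIR = "/var/www/pages"


def naive_resolve(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: join the parameter straight onto the base path.
    normpath collapses each '../', so enough of them walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str, allowed_exts=(".html", ".txt")):
    """Hardened resolver: decode the value, reject null bytes and absolute
    paths, resolve to a canonical path and require it to stay inside base_dir.
    Returns the canonical path, or None on any violation."""
    # Decode twice so a double-encoded %252e%252e%252f is also normalised
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in decoded or decoded.strip() == "":
        return None
    if os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the real containment check; a plain startswith() test is
    # wrong because /var/www/pages-old would pass startswith('/var/www/pages')
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Allowlist the file types the feature is meant to serve
    if not candidate.endswith(allowed_exts):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("about.html", "../../../etc/passwd",
                  "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd"):
        print(f"{value!r:45} naive={naive_resolve(BASE_DIR, value)!r:25} "
              f"safe={safe_resolve(BASE_DIR, value)!r}")
```

The key design point is that the check happens on the canonical path after symlinks and `..` segments have been resolved, not on the raw string, and that it is combined with an extension allowlist so that even a file legitimately under the base directory cannot be served unless it is of an expected type.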

So, per the example, let's try that with the only URL parameter we have here, and that's name=:

[Image: passwd]

And wow! It worked; we are viewing the local machine's passwd file! What about the shadow file?

[Image: shadow]

And we have the shadow file, with the root user's password hash and another user's password hash!

We also noticed something odd in the passwd file: a comment starting with #, which actually looks like credentials.
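From a detection standpoint, the two requests above would leave obvious traces in the web server's access log. The following added Python example (not part of the original write-up) parses a few constructed Apache-style log lines and flags requests whose query parameters carry traversal sequences, references to sensitive files, or remote/wrapper include targets. The log lines, the /article path, the name parameter and the indicator lists are all constructed for the example.

```python
import re
import urllib.parse
from collections import Counter

# Constructed Apache "combined"-style log lines for the example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2020:10:01:12 +0000] "GET /article?name=hacking HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Nov/2020:10:02:40 +0000] "GET /article?name=../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.9 - - [20/Nov/2020:10:02:55 +0000] "GET /article?name=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1200 "-" "curl/7.68.0"
10.0.0.7 - - [20/Nov/2020:10:03:10 +0000] "GET /article?name=lfiattack HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Nov/2020:10:04:02 +0000] "GET /article?name=http://203.0.113.10/page.txt HTTP/1.1" 500 300 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files an include parameter should never reference (assumed short list)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")
# Schemes/wrappers that turn a local include into a remote one
WRAPPER_RE = re.compile(r"^(https?|ftp|php|data|expect)://", re.IGNORECASE)


def analyse_request(url: str):
    """Return a reason string if the URL's query looks like an LFI/RFI attempt, else None."""
    parsed = urllib.parse.urlsplit(url)
    # parse_qs already decodes once; decode again to catch double encoding
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    for key, values in params.items():
        for value in values:
            decoded = urllib.parse.unquote(value)
            if "../" in decoded or "..\\" in decoded:
                return f"traversal in parameter '{key}'"
            if any(s in decoded for s in SENSITIVE):
                return f"sensitive file reference in parameter '{key}'"
            if WRAPPER_RE.match(decoded):
                return f"remote/wrapper include in parameter '{key}'"
    return None


def scan_log(text: str):
    """Parse each log line and collect the suspicious requests with their reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_request(m.group("url"))
        if reason:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "url": m.group("url"), "status": int(m.group("status")),
                         "reason": reason})
    return hits


def count_by_ip(hits):
    """Aggregate hits per source address; repeated hits from one IP are the alert."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']:10} {h['status']} {h['reason']:40} {h['url']}")
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

Note that a 200 status on a request whose parameter contains /etc/passwd is the strongest signal here: it means the include actually succeeded, so the alert should be treated as a confirmed disclosure rather than a mere probe.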

So let's try to SSH in as the user we found:

[Image: SSH]

And we are in!

Now let's start our usual enumeration here. Firstly, I want to check this user's home directory:

[Image: ls -la]

And we can see our first flag, user.txt, so let's get that now:

[Image: user.txt]

Now to continue onward with our other enumeration steps, starting with the sudo -l command:

[Image: sudo -l]

Awesome, and we can see socat can be run here with no root password supplied. With that in mind, let's head over to GTFOBins.

We want to find the socat program name first from the list, then the "sudo" tag, and look for an exploit:

[Image: socat]

And we find a sudo exploit. Note that I have included the output above the exploit because it is important: it will spawn a new root shell, but without the ability to use commands such as sudo or su, because it is not a fully functioning TTY shell.
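The root cause on the defensive side is a sudoers rule that lets a low-privileged user run a shell-capable binary as root without a password. As an added example (not code from the room or the original post), the following Python audits sudoers-style rules and rates NOPASSWD entries by whether the command is ALL or a binary known to be able to spawn a shell. The sample rules, the user names and the short list of shell-capable binaries are assumptions for the example; a real audit would use a fuller list such as the one GTFOBins maintains.

```python
import os
import re

# Constructed sudoers content for the example; not the room's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# a web-app service account that was given socat for "port forwarding"
webuser ALL=(root) NOPASSWD: /usr/bin/socat
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
ops     ALL=(ALL) NOPASSWD: ALL
"""

# Binaries that can hand back an interactive shell when run as root
# (assumed partial list for the example; GTFOBins is the reference source)
SHELL_CAPABLE = {"socat", "bash", "sh", "vim", "vi", "find", "awk",
                 "python", "python3", "perl", "less", "more", "nmap"}

SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str):
    """Return a finding for every NOPASSWD command, with a severity rating."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # The first token is the program; strip the path to compare by name
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if binary == "ALL" or binary in SHELL_CAPABLE:
                severity = "high"      # passwordless root shell is one command away
            else:
                severity = "review"    # still NOPASSWD; check arguments are pinned
            findings.append({"who": m.group("who"), "runas": m.group("runas"),
                             "command": cmd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']:6}] {f['who']} may run as {f['runas']}: {f['command']}")
```

The fix for the "high" findings is to remove NOPASSWD from the rule or, better, to replace the general-purpose binary with a narrowly scoped wrapper script that takes no user-controlled arguments.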

With that said, let's gain root:

[Image: root]

Great, and now to find the final root flag, which is usually in /root/root.txt:

[Image: root.txt]

And we are done! Congratulations and thank you for reading!

Please feel free to follow me on Twitter if you liked the write-up: https://twitter.com/amec0e
