TryHackMe LFI Writeup

TryHackMe LFI Writeup | How to Exploit an LFI Vulnerable Website – Image credit: https://www.youtube.com/watch?v=63wFsyPhyhE

Welcome back to another TryHackMe Writeup, this time it is the machine called “LFI“. As the name says, the task is about to exploit a website that is vulnerable to the Local File Inclusion (LFI) vulnerability.

As you may already know LFI (Local File Inclusion) is a vulnerability that normally cased by the improper sanitization of the user’s input. When an LFI is found, the attacker will be able to trick the web application read internal files on a web server including the root passwords, SSH keys, users credentials or in some extreme cases credit card info etc. There are a lot of ways an attacker can read by injecting the payloads, here some of them are listed in the PayloadsAllTheThings in GitHub.

So coming back to the point, we are tasked to exploit a machine in TryHackMe called “LFI”, this machine is designed to be vulnerable to LFI exploit.

Finding The Website – Shop

After deploying we noticed a website “Shop” is running. A simple website with a couple of pages. A button “Leave a Review” didn’t open any page, however we saw an error in which already disclosed internal directory structure. And looking at the url, we noticed the parameter used is “page”

LFI – Internal Directory Disclosure

Reading etc/passwd using LFI Vulnerability

To make things easier, we fire up the Burp. As like every attacker we decided to see if we could ready /etc/passwd file and yes, we coud.

So we found the user “Falcon” is the user we are looking for.

Reading .SSH Directory Using LFI

As we already know the machine is vulnerable, we need to find a way to login-to it. We don’t know the password, however we could try to obtain the user’s password hash from the etc/shadow in the similar way we read other files. And we tried to read etc/shadow file and yes, it was readable as well.

The user’s private key normally stores in /user/home/.ssh/id_rsa file, we could as well try to ready in case we couldn’t crack the password.

We used the exactly same way as we read the etc/passwd and etc/shadow we obtained user’s “RSA Private key”

Now we have two possibilities to access the system, SSH the user Falcon and using the private key or crack the shadow hash we obtained.

Cracking Shadow File Using John

We copied the shadow hash to working directory and saved to a file and named it falcon

falcon:$6$xQmTDVmT$hgSLG3ebs.8Tc/F4qqXNnvBBnG736EWpW[---------snip-------]v5.qddMWF4/MoJgN6Hekri8wyJ97k/:18289:0:99999:7:::

And John took a moment and successfully cracked the hash.

SSH – Accessing The System Using Password and Private key

We tried both options and both worked, we assessed the system using the cracked password and as well the SSH. We copied the private key to LFI directory by renaming id_rsa and give right permission.

We SSH the system as Falcon using the private key, and we successfully logged-in as use Falcon.

And usng the password:

User Flag

The user.txt flag was found in the Falcon’s home directory.

Privilege Escalation

The 3rd task was escalating the privileges to root. Running sudo -l, we noticed the user Falcon is able to run /bin/journalctl as root.

JournalCTL

The Journalctl is a utility for querying and displaying logs from journald, systemd’s logging service.

A single command as “sudo /bin/journalctl” will privesc user Falcon to root immediately. Once the command is running we break it by inputting “!/bin/sh” and we are root!!!

We obtained the root flag in the home directory of Root.

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

You may also like...

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Sorry, that action is blocked.