Since this is an LFI room I am going to assume it is just port 22 and 80 open on this machine. If I am wrong I will nmap the box later. So, the first thing I want to do is visit the web page and take a look around.
The next thing I am going to do is spin up Burp to see if I can intercept some requests and how this site works. Once I have the proxy in the browser setup and Burp running I simply click on a link on the site and see what Burp tells me is being sent.
I will send that request to the repeater tab of the program to see what I can do to manipulate that request. Once it is in the repeater I will replace the
lfiattack with the following
../../../etc/passwd and see what response I get back from the server. The number of directory transversal
../ is a guess on my end. I will add or remove until I get something back from the server and the /etc/passwd file will show the users on the machine.
And now we have a response, withing that response is a username/password that I can use to ssh onto the server. Once I am on the server I do an
ls to list the contents of the directory. I can see that there is a user.txt in that folder and I used the
cat command to show the contents of the file. Now that I have the user.txt flag it is time to see what it takes to get the root flag.
The first thing I do is a
sudo -l to see what this user can do as a sudoer. There is a command that this user can do as sudo. That is the
/usr/bin/socat and with that information I will go to GTObins to see how to use that command to gain a root shell.
GTFOBins gives this
socat stdin exec:/bin/sh command and since this user can run that as sudo I will use the following command to get a root shell,
sudo socat stdin exec:/bin/sh. After I run that the next command I will run is
whoami to see what user I am on the box. It should return root as the user. If it does now it is time to find the root.txt file and get the contents. I will use the
find / -name root.txt command to see where the files is and then use the
cat command to get the contents for the flag and that is it for this room.
As always questions/comments please email me at [email protected] and remember have a great day.