Included Walkthrough
After the Pathfinder Walkthrough, here I am with Included, so... let's hack and grab the flags.
As I mentioned before, the starting point machines are a series of 9 easy-rated machines that should be rooted in sequence. That means that if you want to go through this box, you must first have completed the Pathfinder machine.
Enough talk, 🥱 Let’s Get It Started 🐱‍💻
Disclaimer: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤
To start the machine, just click "Join Machine".
Then you can see the IP address for that machine. Usually it is 10.10.10.55
🤠
Before going into the enumeration steps, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall blocks ping requests, but in most cases the ping will succeed! 🙂
The ping reply shows TTL=63. There is only one hop between the machine and us (the VPN), and Linux starts at a TTL of 64, so it will definitely be a Linux machine.
As usual, run a fast Nmap scan of all TCP ports to identify which ports are open.
Here is the output 👇
So again we have only port 80 open.
To get the best result, we can run the Nmap Scripting Engine against all open ports. We now know which ports are open, so we can point the script engine at just those ports and run it as fast as possible.
We have only port 80 open here. Now you know what is next...
Let's open a web browser and check what is on port 80.
By looking at the URL, we can assume that we have some Directory Traversal vulnerability here. So let's check it.
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server. source
We can easily check this using the Burp Suite Repeater tab. Let's power up Burp Suite and navigate to the site again.
As you can see, we have a Directory Traversal vulnerability. If we can upload a reverse shell script, we can call that file through this vulnerability. But how do we upload the reverse shell file? I tried so hard to find a way but I could not. 😥😥
Then I looked closely at all the users listed in /etc/passwd, using the directory traversal vulnerability. You know what I found there? There is also a user for TFTP. Wait, what... How did we miss that port? 🤔🤔 Oh shoot! It's running on UDP port 69.
Let's run Nmap again and check whether that port is alive.
Yay!! It's alive. Let's try to connect to that service.
Yes, we can connect to that service, and we can also upload any file using it. Now we have an idea 💡💡. But how do I know the exact path where that file is stored?
Again, we can check the /etc/passwd file to get an idea of the home directory.
Fine! Now we know where my file will be located after I upload it over TFTP. 😋😋
First we need to create a PHP reverse shell. We can simply copy it from our Kali webshell directory or get it from this site.
After editing the above sections you can copy that part of the code and paste it into the file.
Now, let's use TFTP and upload that file. Use the put command to upload the file.
Then let's fire up a netcat listener and request that file through the Directory Traversal vulnerability. The path to the file location will be /var/lib/tftpboot/filename.php
We successfully landed a reverse shell as www-data. It's good to spawn a TTY shell.
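From the defender's side, every request in the chain above leaves the same trace: the include parameter resolves to a path outside the web root. The following is an added example, not part of the original walkthrough; the parameter name `file`, the web root `/var/www/html` and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

WEB_ROOT = "/var/www/html"   # assumption: document root of the site
PARAM = "file"               # assumption: name of the include parameter

# Constructed access-log lines (common log format), not taken from the box.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2021:10:00:01 +0000] "GET /?file=index.php HTTP/1.1" 200 3704
10.10.14.2 - - [01/Jan/2021:10:00:09 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1575
10.10.14.2 - - [01/Jan/2021:10:00:15 +0000] "GET /?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1575
10.10.14.2 - - [01/Jan/2021:10:03:40 +0000] "GET /?file=/var/lib/tftpboot/filename.php HTTP/1.1" 200 0
10.10.14.2 - - [01/Jan/2021:10:04:02 +0000] "GET /images/logo.png HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def resolve(value, root=WEB_ROOT):
    """Resolve a parameter value the way a naive include would: relative
    paths are joined to the web root, absolute paths replace it."""
    return posixpath.normpath(posixpath.join(root, value))

def escapes_root(value, root=WEB_ROOT):
    """True when the resolved path is not the web root or something below it."""
    resolved = resolve(value, root)
    return resolved != root and not resolved.startswith(root + "/")

def find_traversal(log_text, param=PARAM, root=WEB_ROOT):
    """Return (client, raw value, resolved path) for each request whose
    include parameter points outside the web root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):  # parse_qs URL-decodes
            if escapes_root(value, root):
                hits.append((line.split()[0], value, resolve(value, root)))
    return hits

if __name__ == "__main__":
    for client, value, path in find_traversal(SAMPLE_LOG):
        print(f"{client} requested {value!r} -> {path}")
```

The same `escapes_root` test, applied inside the application before the file is opened, is the fix: it rejects both the /etc/passwd read and the include from the TFTP upload directory.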
If you look around the /home directory, we have a user called mike. Since all these boxes are connected together [I mean, passwords are reused], we can try the passwords we found in the Pathfinder walkthrough. Let's try to su mike
Yes! It was successful, and we can grab the user flag using the Sheffield19 password. Now it's time for the root flag. 😎😎
When it comes to privilege escalation, we can check manually, one item at a time, or we can simply run an automation script to do the searching for us. Since this box is a Linux box, we can use LinPEAS.
First we need to copy that script to our machine.
Then we can run a Python web server to host that file from our end.
Now we could use the wget command to download that file to the Included box. But here, I'm not going to download it and run it. Instead, I use the curl command to run that file directly.
We can identify interesting stuff by looking at the output file. 👇
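As you can see, the mike user is in the lxd group. The lxd group is a highly privileged group on a Linux system: its members can create privileged containers and mount the host filesystem into them, which is what the next steps do.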
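Because lxd membership is equivalent to root on the host, it is worth auditing who holds it. The following is an added example, not part of the original walkthrough: it goes slightly beyond the page by also treating `docker` and `disk` as root-equivalent, and the passwd/group contents (including the hypothetical `deploy` account) are constructed samples.

```python
# Groups whose members can get root on the host. "lxd" is the one this page
# relies on; "docker" and "disk" are added here as the same class of risk.
ROOT_EQUIVALENT = {"lxd", "docker", "disk"}

# Constructed samples in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mike:x:1000:1000:mike:/home/mike:/bin/bash
deploy:x:1001:108:deploy:/home/deploy:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
www-data:x:33:
mike:x:1000:
lxd:x:108:mike
"""

def risky_members(passwd_text, group_text, risky=ROOT_EQUIVALENT):
    """Return {group: sorted users} for root-equivalent groups, counting both
    supplementary members (/etc/group) and accounts whose primary GID in
    /etc/passwd is one of those groups."""
    gids, found = {}, {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or parts[0] not in risky:
            continue
        name, _, gid, members = parts
        gids[gid] = name
        found[name] = {m for m in members.split(",") if m}
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        # A primary-GID member never appears in the group's member list.
        if len(parts) == 7 and parts[3] in gids and parts[0] != "root":
            found[gids[parts[3]]].add(parts[0])
    return {group: sorted(users) for group, users in found.items() if users}

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/passwd and /etc/group instead.
    for group, users in risky_members(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{group}: {', '.join(users)}")
```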
Here I found the lxd/lxc Group - Privilege escalation script from HackTricks, and I'm going to go through the second method in that article.
First, clone the following repository to your host and build an Alpine image.
After you have executed the build-alpine file, a tar.gz file should be created. The file name will be different from mine.
Now we can serve it from our Python web server and download it onto the server with wget.
Now follow the article again. The following command will import the image and create a privileged container with it.
Next we need to mount /root into the image.
Now let's interact with the container.
As you can see, we have landed in a root shell. Now we can grab the root.txt file. It's located at /mnt/root/root/
As you can see, there is a login.sql file in the /mnt/root/root directory. Let's open it.
And it reveals credentials. Daniel : SNDv*2wzLWf
Okay... I’ll see you on the next box! 🙋‍♂️🙋‍♂️
Find me on @twitter