LFI - Inclusion TryHackMe Walkthrough

RohanAdapala
3 min read · May 26, 2021

Hey guys, let's check out another blog of mine. In this blog I give a detailed walkthrough of the LFI Inclusion room. I show 2 different methods to capture the flag. Let's get started reading the blog.

Note:

The first step is reconnaissance, because the more information you have about the target, the easier it is to get into the system or server.

First Method

Nmap scanning:

Command: nmap -sS -sV -A <Target-IP>

Ports 22 and 80 are open, which means SSH and HTTP are running. Let's check the website.

There is a blog that talks about LFI and RFI attacks. Let's click on the LFI attack post.

They explain how to do Local File Inclusion, as I showed above. Let's do it. I tried it and finally succeeded in getting /etc/passwd.

Then I found the falconfeast user, which contains the SSH password (rootpassword).

Let's do the same for the /etc/shadow file to see whether it gives any data like passwd did. We get the root user's and the normal user's passwords as hashes.

We can copy the passwd and shadow file contents, save them into two separate files, and use the unshadow command to combine the data from both files into one output file. Then use John the Ripper or hashcat to crack the hashes, and you get the root password for SSH login.

Using the same LFI method, try to get the normal user and root user flags.
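As an added example (not from the room or the original post), this is the kind of include handler that makes the traversal above possible, beside a hardened version that resolves the final path and refuses anything outside the articles directory. The page-name parameter, directory layout and file contents are assumptions constructed so the code runs offline.

```python
import os
import tempfile

# Constructed sandbox: an "articles" directory the page handler may serve,
# and a secret file one level above it (stands in for /etc/passwd).
ROOT = tempfile.mkdtemp()
ARTICLES_DIR = os.path.join(ROOT, "articles")
os.makedirs(ARTICLES_DIR)
with open(os.path.join(ARTICLES_DIR, "lfi-attack"), "w") as f:
    f.write("How LFI works...\n")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("outside the web root\n")


def include_vulnerable(name):
    """The LFI pattern: user input is joined onto a base path and opened as-is.
    '../' segments walk out of ARTICLES_DIR, and an absolute name replaces
    the base entirely, which is how /etc/passwd ends up being read."""
    with open(os.path.join(ARTICLES_DIR, name)) as f:
        return f.read()


def include_hardened(name):
    """Reject separators and dot-prefixed names outright (a page name never
    needs them), then resolve symlinks and confirm the final path still sits
    under ARTICLES_DIR before opening it."""
    if not name or "/" in name or "\\" in name or name.startswith("."):
        raise ValueError("invalid page name")
    base = os.path.realpath(ARTICLES_DIR)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath catches traversal via symlinks that the string checks miss
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes articles directory")
    with open(target) as f:
        return f.read()


def traversal_escapes(func, payload):
    """True if func hands back file content for a payload that points outside
    ARTICLES_DIR; False if it refuses. Lets the two handlers be compared."""
    try:
        func(payload)
        return True
    except (ValueError, FileNotFoundError):
        return False
```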

Second Method:

Use the creds found in /etc/passwd to try to log in over SSH.

We can see that socat can be run as root with NOPASSWD, so let's try to escalate with it. For that, go to GTFOBins, search for socat, and use the command you find there to escalate to root privileges.

Successfully captured the flag! 👏👌
