This room is great for testing your Local File Inclusion skills. Try it here

Task 1: Deploy the machine and start enumerating

We have to start somewhere, right? Where else than our ever reliable nmap scan:).

nmap gives us two services running , ssh and http.

Next we browse the IP to see if there’s anything interesting on the web app.

Crawling through the website, on clicking ‘view details’ on the page, the app returns a plain text page meaning we might have struck gold.

Looking at the url, the action(clicking ‘view details’) queried the document containing the article from the server. Basic LFI!

The parameter ‘name’ enables us to view files on the server. Let’s try changing the filename to a world-readable file,like the passwd file to get user account information, with the help of path traversal;

Nice! We get an unusual text in the returned passwd file that look like credentials. From the nmap scan,we found the service ssh open and the credentials might help us ssh into the machine. The credentials work!

We find the first flag from listing the contents of the directory.

Task 2: Root it

Since we are a standard user with no special permission, we check for a list of allowed and forbidden commands for the user using;

sudo -l

We see that we are able to run socat with root privileges.

We can exploit this by visiting GTFObins and find an exploit vector.

We find an entry for the socat binary to escalate to root.

sudo socat stdin exec:/bin/sh

we got root! The flag is found in the root folder.