TryHackMe | Include — Walkthrough

The3rr0r
4 min read5 days ago

--

Hi there. This is my first writeup. It’s a very interesting machine and you can learn good things from it like LFI attacks, Base64 encode and decode and brute force attacks. Let’s start.

ENUMERATION

We will start with the Nmap. I run it in a directory on my Desktop because I want to have the nmap files. To do this you can use -oA flag.

sudo nmap <IP> -sC -sV -T4 -oA nmap

  • sC: Default Scripts
  • -sV: Versions of services
  • -T4: Controls the speed of the scan
  • -oA <fileName>: outputting scan results in multiple formats simultaneously.

These are the results we need for now

Port 4000/tcp http Node.js

Port 50000/tcp http Apach httpd 2.4.41 ((Ubuntu))

Let’s access in both ports and see what we got.

Port 4000

I put the default credentials guest guest.

When I sign in I see my profile and two other users. I can Add them both. After that we can see these two profiles. Let’s see the David.

The option isAdmin is false. If we press in Recommend an Activity to David isAdmin: true it will change successfully!!!

So, let’s do it to our guest Profile. When I change it I got two other options on the page. API and Settings.

API

In the API we can see an API Dashboard which contains the Admin’s API.

Settings

Here we got Admin Settings.

We only need to insert the URL of Get Admins API into Update Banner Image URL.

After we hit the Update Banner Image button we got a Base64 Encode.

Now we can decode it and see the credentials.

In the terminal we type:

echo “eyJSZXZpZXdBcHBVc2VybmFtZSI6ImFkbWluIiwiUmV2aWV3QXBwUGFzc3dvcmQiOiJhZG1pbkAhISEiLCJTeXNNb25BcHBVc2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJTeXNNb25BcHBQYXNzd29yZCI6IlMkOSRxazZkIyoqTFFVIn0=” | base64 -d

And here is the results.

We got two Usernames (admin, administrator) and two Passwords. Now let’s see what is in port 50000

Port 50000

This Page has only a login form and a home page so we go directly to login form.

We will test the Usernames and the Passwords we found earlier. We are in and here is the first flag!!!

SECOND FLAG

After the first flag we must search for something that will give us access or show us something interesting. Always check the sourse code!!!

If we hit ctrl+u we can see something interesting.

This looks like a Local File Inclusion (LFI). First we open it to see what we can see.

Now we must find the correct LFI payload and replace it with the profile.png.

There are a lot of LFI payloads and it will take a lot of time to find the correct one. After a LOOOONGG TIMEE I find this github page.

This is the correct payload:

http://10.10.108.42:50000/profile.php?img=....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd

I copy it the whole file and then I use the grep command to find the users.

cat passwd.txt | grep home

We got joshua and charles. It’s a good idea to save them in a txt file

Now it’s time for a brute force attack using Hydra.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.108.42

Now with username: joshua and password 123456 we can use the ssh connection.

ssh joshua@<IP>

password:123456

Now the only think that left is to navigate to /var/www/html

So, cd /var/www/html, and here we go!!!

--

--