THM Walkthroughs

LFI Room

This is the easy step, just click on start machine button and wait for it to get started.

The first step is to launch the web page, and then view the page source info. Here is where you will see the parameter you are looking for is “page”. You can also check the different links on the webpage and see in the address that they are all showing the “page=”

Look around the home page and you will notice there is not much to see.

However try adding ../../../../etc/passwd after page= and scroll down to the bottom of the page and you will see some interesting information. You should see that there is a user called Falcon.

Also, you can see that there is a file path home/falcon. The writer, Falconfeast, gives you a clue to search for the bashrc file. So trying /../../../../home/falcon/.bashrc and you will see the .bashrc file.

In order to gain remote access, you need the ssh key. That key is typically stored in the .ssh directory. The file that contains the key is the id_rsa file. Before you try to visit the above web address you need to open Burpe Suite and turn intercept on. Then go to the web page for the id_rsa. this way Burpe Suite will capture the traffic.

Once you try to get to the id_rsa page, go over to Burpe Suite and you will see you have intercepted the web traffic. Right-click on the screen and send this to the repeater. Now go to the repeater tab.

On the repeater page click the send button and you will see the response field populate with data. Scroll down on the response window and you will see the private key for falcon.

As you can see you get the private key stored in the id_rsa file. Highlight the key and then right-click on the highlighted area. You will see an option to “save to file”. Save the file as falcon_id_rsa

Now you will want to change the mod on the the file.

Changing the mod to 600 gives you root-level read and write access to the file. This is needed to gain ssh access to the falcon account. Now you need to ssh into falcon's account.

Make sure you enter your target's IP and not the one I have listed. You should see that you have access to falcon's account.

From here you want to run the ls -a command to see what file are there.

You will notice there is a user.txt file that we should check out. run the cat user.txt command.

Now it's time to escalate our privilege. So we need to check where we can run as root. So, use the command sudo-l.

As you can see, you can run as root in the /bin/journalctl directory with no password. It's not that simple though, so you get a hint to visit the GTFOBins website. Go to the website and scroll down until you find journalctl.

From here you can click on journalctl.

Now its time to access /bin/journalctl

As you can see from the GTFOBins website once you have access you can use the !bin/sh to get and maintain privileged access.

run the id command and you will discover you now have root-level access. Now it is time to get to the root directory and find that flag!

I had a lot of fun completing this room and I hope this write-up helped you if you needed it.