I ignored scanning on this machine because I knew we were in the LFI room. If the IP had not returned a valid site though, I would have run a scan to determine the port where the web server was running.
Once the IP was up, I checked out the site, looked around and noticed it was using this parameter:
Now I can try to see if I can use path traversal to get to some other files.
And the result?
Bingo! Since I can read the passwd file, I’ll check out the users.
There’s a user called “falcon,” so I can again try to traverse to see if his home directory is readable. I’m going to check out if I can read the ssh key:
Perfect! Now I can save that key on my machine and use it to try to ssh into the machine.
Note that I did have to chmod 400 on the key due to the permissions given a new file as root on my own machine. Then I was able to use it.
Success! Got a shell.
From here, I can easily read the user flag:
Time to escalate. I go ahead and check for sudo permissions:
So I can see that falcon can run journalctl with no password. That’s potentially great news.
Heading over to GTFOBins, I look it up to see what can be done.
It indeed looks like there’s a shell exploit.
First I run:
sudo journalctlThen I can try to call a bash shell and see if it functions as expected:
It does, and I’ve successfully gained root access!
From here I can simply navigate to the root folder to read out the root flag, and that’s it!
This is a very basic box, but for further reading on LFI examples and a deeper understanding of the process, I suggest reading this.
A Cyber Journey 