What's going on everybody? My name is John Hammond. This is another TryHackMe video and I want to be showcasing the Inclusion room, which is just a beginner local file inclusion challenge that we can go check out. It is free. You don't have to be subscribed to access this room. So we'll go ahead and join it and deploy our machine. So I will go ahead and set up some rooms here for this. I'll go ahead and say Inclusion will have its own directory. I'll make a simple nmap directory and kind of get started with an nmap scan while this guy is running. So I will `nmap -sC -sV -oN nmap-initial`, and I'll paste in the IP address there. I'll also go ahead and export that IP address there. And it's probably still taking its time to spin up. So let me actually verify that I can ping him, give him a little bit of time, whatever. Let's go ahead and start a README file if he's still taking his time to cook. We'll call that Inclusion just for our notes. And I'll go ahead and export that IP address to that. Did I already have that? Yeah, I did have that copied and pasted in my clipboard there. So let's create some skeleton stuff for our own documentation in our own notes, so we can work with this. Looks like he's up. Okay, so now let's go ahead and start that nmap script again. It says deploy the machine and start enumerating. Roger that. No answer needed for that task one, seemingly. Let's go check out what task two has us do: user flag and root flag. So simple stuff, looks like no guidance, just jump in and beat the machine up, so root flag. Let's get a section for the nmap scan. Let's take a look at what we have here once that loads. Considering this is talking about local file inclusion, I'm going to assume it's going to be asking us to work on a web page. So let me fire that up in another tab here. That will not connect. Maybe it's not on port 80. All hosts. Everything is down. Everything is down. Everything is closed. That machine is up.
Do I have multiple instances of OpenVPN running? Just one. Just one. Let's make sure -Pn is getting in the way, but ping works, so that's clearly not it. Let's make it aggressive. Let's see what we got. Now it loads. Okay. Whatever. Hello world, welcome to my blog. This is currently a very early stage. You can find some of the articles that I wrote. You can view the details of LFI attack or RFI attack. The most common file on Unix that we can check is /etc/passwd. Huh. Alright, so if I make our URL visible, let's go check out some of those articles. Yeah, article?name=lfiattack. So the name here looks to be the argument or the variable that's kind of being passed with HTTP, a simple HTTP GET variable that is allowing us to select other files that get included in here. And it looks like they describe it here in this page. If you view the source, it looks a little bit better, because looking at it in this code really kind of ruins everything. The newlines are gone. So `$file` equals the GET variable used through PHP and it will unsafely include the file, like including the directory and the file. That's how the syntax looks in PHP and we've seen that probably in a lot of other videos, and we've seen that before, so we could very, very much kind of climb the directory tree using the period period or the dot dot to move up parent directory, parent directory, parent directory, etc., etc. So this is super simple, kind of pretty easy. Looks like they offer another resource that's doing this as well, or explaining what this really is. Okay, there we go. And that gives us some code blocks to kind of read the PHP a little bit more. So let's just jump in and go ahead and view the source on any page that we might want to read, so we need to supply a value for that name, and let's climb the directory tree with ../../../ and we'll check out /etc/passwd.
So there's some stuff in here. Again, we're going to need to view the source because we have these users displayed. Huh. At the bottom we see this one kind of commented out: falconfeast with rootpassword. That's pretty cheesy. Maybe that is an account we could use to log in, and SSH is open now that our nmap scan finally came back. So let's include this in our notes. Paste that guy in here. And let's perform the LFI attack. Good, my face is not in the way just yet. Let's go ahead and grab this. So if we're running from our terminal we could just simply curl that and that will return the credentials that we just potentially found. And now let's SSH to that IP address with falconfeast as our username. And we know that the password should be rootpassword, which is peculiar. That did not work. Why did that not work? falconfeast at IP address. What? What, what, falconfeast? falconfeast, rootpassword, does root have a password? Nothing, except what is that supposed to mean? Is that the right IP address? Am I connecting to something that I had in a previous video? falconfeast at IP. Okay, I was clearly using the wrong IP address as my environment variable. This is the problem of doing videos back to back, just trying to churn stuff out for you guys, trying to make you some good stuff. Hopefully. I feel like I also lose a certain amount of quality when I'm trying to do a lot of these. It's the like quantity versus quality thing. Did I just say the same word twice? I feel like I did. Quality versus quantity. All right. So now we are SSH'd into that machine. Looks like we have our user flag here. So we can go ahead and cat that out. I'll spit that into our TryHackMe submission. Good, good, good. Also take note of that in our notes there. And now we also want to probably escalate our privileges to be root. We could run LinPEAS, but let's just verify. Is there anything we can run with sudo? Looks like we can, we can run /usr/bin/socat without a password.
So let's check GTFOBins. Fantastic resource for doing malicious things, potentially malicious things, with kind of built-in binaries that we might see on a system. So socat can get a reverse shell, a bind shell, also sudo access. Okay, it has to have a connection back. We can just break it out. So let's fire up our own terminal. Let's see what our IP address is. I'm still 10.8.9.112. And let's get a port going. So `netcat -lnvp 9999`. And let's try to `sudo /usr/bin/socat`. So /usr/bin. And then my forward slash to type in socat. And oh, wait a second, it's listening. I'm confused what this is doing. If it runs in privileged context, it may be used to access the file system, escalate or maintain access. Run `file:`tty`,raw`. Oh, so it just like reads in standard input. Is that what that does? And then I need to supply this. Oh, maybe that syntax is what I should be supplying, not that. That kind of looks like it's just like listening. Can I do that? Can I netcat to the machine IP? Is it binding 10.10.157.245:9999? ID. Okay, he's just being a socket. That's not helpful for me. Let's spin our shell back up and let's modify that command that GTFOBins gave us. So we know to connect to 10.8.9.112. And our, our port that we are listening on, on our attacking machine, is 9999. So now I am not allowed to preserve the environment. What does that mean? -E. There we go. Now I have a root shell. Now I am root. We could try and stabilize the shell with some poor man's pentest stuff. Do I have Python? print "hello". You know what, print "please subscribe". Use a little shameless plug there. Python we do not have, how about Python 3? `-c print please`. This is completely useless because we have root, we don't need to do that, but whatever, let's stabilize that shell. We literally just need to go get the root flag. Whatever, we have a sane shell and we can use our autocomplete and left and right and arrow keys, so hey, it makes me happy. I hope it makes you happy too. There is our root flag.
Let's go ahead and submit that bad boy and call this machine done. So super simple technique, right? Just local file inclusion. For some reason, inside of /etc/passwd there was a comment with some user credentials, and that account had some privilege escalation route and attack vector to become root, so completely own that machine. That's that simple case of local file inclusion. You've seen it before, I'm sure, in tons of other videos, but this room just emphasizes it, showcases it and highlights it, so hope you guys enjoyed watching. If you did, please do press that like button, comment button, subscribe button, the bell button. The probably other buttons you could click, too, my face, like the little icon. Thanks for watching everybody. I hate doing after this, I'm just gonna leave, I'm just gonna go. Thanks, thanks for watching.
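The room's bug is `include($dir . $_GET['name'])` with no check on `name`, which is why `../../../../etc/passwd` climbs out of the article directory. The Python below is an added example, not the room's PHP or anything from the video: it emulates that include with the missing checks put back (NUL-byte rejection, path normalisation against an assumed article directory, and an allowlist of article names) and then runs a simple traversal detector over a few constructed Apache-style log lines. `ARTICLE_DIR`, `ALLOWED_ARTICLES`, the `/article?name=` route, the 192.0.2.x client addresses and the log lines are all assumptions made for the illustration.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed layout for the illustration; the room's real document root is not shown in the video.
ARTICLE_DIR = "/var/www/html/articles"
# Constructed allowlist. The strongest fix is to never build an include path from raw input at all.
ALLOWED_ARTICLES = {"lfiattack", "rfiattack", "hacking"}


def resolve_include(name: str) -> Optional[str]:
    """Emulate `include($dir . $_GET['name'])` with the checks the vulnerable page lacks.

    Returns the absolute path that may be included, or None when the request must
    be refused:
      * a NUL byte in the name (historically used to truncate appended suffixes),
      * a name that normalises to somewhere outside ARTICLE_DIR (the ../../ climb),
      * a name that is not one of the known articles.
    One unquote() emulates the single URL-decode that PHP applies to $_GET.
    """
    if "\x00" in name:
        return None
    decoded = unquote(name)
    # posixpath.join discards ARTICLE_DIR if `decoded` is absolute, so "/etc/passwd"
    # stays "/etc/passwd" and fails the prefix check below, exactly as intended.
    candidate = posixpath.normpath(posixpath.join(ARTICLE_DIR, decoded))
    if not candidate.startswith(ARTICLE_DIR + "/"):
        return None
    if posixpath.relpath(candidate, ARTICLE_DIR) not in ALLOWED_ARTICLES:
        return None
    return candidate


# Detection side: flag requests whose (decoded) target carries a traversal sequence
# or asks for the classic files an LFI probe reaches for first.
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd|/etc/shadow)", re.IGNORECASE)
# Matches the client IP and request target of a combined/common-format access log line.
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')


def flag_lfi_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_request_target) for each suspicious line."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        client, target = m.group(1), unquote(m.group(2))
        if TRAVERSAL.search(target):
            hits.append((client, target))
    return hits


# Constructed sample log lines (not captured from the room). The third line shows why the
# detector decodes first: percent-encoded slashes hide the "../" from a naive string match.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /article?name=lfiattack HTTP/1.1" 200 1234',
    '192.0.2.10 - - [01/Jan/2020:10:00:07 +0000] "GET /article?name=../../../../etc/passwd HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET /article?name=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /article?name=rfiattack HTTP/1.1" 200 1100',
]

if __name__ == "__main__":
    for probe in ["lfiattack", "../../../../etc/passwd", "/etc/passwd", "lfiattack\x00.php"]:
        print(repr(probe), "->", resolve_include(probe))
    for client, target in flag_lfi_requests(SAMPLE_LOG):
        print("suspicious:", client, target)
```

The allowlist check alone would stop the attack; the prefix check is kept because it is what protects you when the allowlist is forgotten or a new route reuses the same helper. On the detection side, note that a 200 status on the traversal request (as in the constructed lines) is itself the tell: the server happily served a file it was never meant to.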