TryHackMe LFI writeup (Beginner friendly)
Hi, welcome. This is my very first write-up for the TryHackMe platform. I am new to writing write-ups and will try to improve my write-up skills. I would like to help other beginners like me understand more, as some write-ups were too hard to understand.
This room was created by falconfeast.
LFI TryHackMe Room Link: https://tryhackme.com/room/lfi
TASK 1 DEPLOY
TASK 2 Getting User Access via LFI
There are seven questions in this task. After going to the link provided by TryHackMe, you will see this page.
#1
We were asked to look around the page for the name of the parameter. After clicking some buttons, the URLs turn out to have something in common.
Yes, the word ‘page’.
#2
So, as the creator mentioned, we could try to include ../../../../etc/passwd after the word ‘page’ in the URL. And we could see at the bottom of the page:
#3
This is basically similar to #2.
#4
We could see the user on the system at the bottom of the list.
#5
I do not understand much about this, but since it can be completed straight away, I ignored it.
#6
The user’s private key is normally stored in /home/user/.ssh/id_rsa, so we could try our luck.
Yes, we could get the private key.
But I prefer another way, which I think is easier.
Using /etc/shadow outputs the hash for user falcon, which we can then use to brute-force the password with hashcat.
After we obtain the cracked password, we can log in over SSH.
#7
Simply type ‘ls’ and we will see the user.txt.
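The write-up does not show the room's server-side code, so the following is an added example, not code from the room or its creator: a Python sketch of why an unchecked `page` value such as ../../../../etc/passwd escapes the web directory, next to a resolver that rejects it. The function names, the `/var/www/html` base and the sample directory tree are assumptions constructed for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_path(base_dir, page):
    # Vulnerable pattern: the parameter is joined to the base with no checks.
    return os.path.normpath(os.path.join(base_dir, page))


def resolve_page(base_dir, page):
    """Return the real path of `page` under base_dir, or None to reject."""
    decoded = unquote(page)  # catch a leftover encoded layer such as ..%2f
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks before the containment check
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole components, so "pages_backup" is not "pages"
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    # Constructed sample tree: pages/ is served, pages_backup/ is not.
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    backup = os.path.join(root, "pages_backup")
    os.makedirs(pages)
    os.makedirs(backup)
    for path in (os.path.join(pages, "home.html"), os.path.join(backup, "secret.txt")):
        with open(path, "w") as fh:
            fh.write("sample")
    requests = [
        "home.html",
        "../../../../etc/passwd",
        "..%2f..%2f..%2f..%2fetc%2fpasswd",
        "/etc/shadow",
        "../pages_backup/secret.txt",
        "missing.html",
    ]
    return {r: resolve_page(pages, r) for r in requests}


if __name__ == "__main__":
    print(naive_path("/var/www/html", "../../../../etc/passwd"))
    for request, result in demo().items():
        print(f"{request!r:40} -> {'served' if result else 'rejected'}")
```

Only `home.html` is served; the traversal, its URL-encoded form, the absolute path, the sibling directory and the missing file are all rejected.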
TASK 3 Escalating your privilege to root
#1
We could enter “sudo -l” to see what the user can run.
#2
Search for the term in GTFOBins and we could see the binary for privilege escalation. Copy and paste it into the terminal and bam — we got root.
#3
Navigate to root and finally, we get the root.txt!!!
This is the end of the write-up for this LFI room. I learned quite a few things in this room. Thank you THM for having such a good platform for us to learn to hack.
Thank you for reading.