LFI — TryHackMe

RECON

NMAP:

Port 80 is open, so we should navigate to it in the web browser. I found a strange parameter which I thought could be vulnerable.

Then I used Burp Suite to check the response of the page when we give the LFI payload.

It was strange that I found the username and password in plain text in the /etc/passwd file.

So I immediately connected over SSH with that username and password.

Then I got in as the user, but I was not root.

Privilege Escalation

I ran the command sudo -l

I could run socat with sudo permission, so I searched GTFOBins and got the escalation command sudo socat stdin exec:/bin/sh
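A defensive counterpart to the sudo -l step above, added here as an example that is not part of the original write-up: it parses sudo -l output and flags rules that grant a binary able to spawn a shell, such as socat. The sample output, the user and host names, and the short binary list are constructed assumptions.

```python
import re

# Assumption: a short hand-picked subset of binaries that GTFOBins lists with
# a sudo entry; a real audit would load the full list.
SHELL_CAPABLE = {"socat", "vim", "find", "awk", "less", "env", "bash", "sh"}

# Constructed sample of `sudo -l` output (user and host names are made up).
SAMPLE = """\
Matching Defaults entries for webuser on lfi-box:
    env_reset, mail_badpass

User webuser may run the following commands on lfi-box:
    (root) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/uptime, /usr/bin/less /var/log/syslog
"""

# One rule line: "(runas[:group]) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_l(output):
    """Return one finding per sudo rule entry that grants a shell-capable binary."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # defaults, headers and blank lines
        runas, tags, cmds = m.groups()
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        as_root = any(u in ("root", "ALL") for u in users)
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELL_CAPABLE:
                findings.append({
                    "command": cmd,
                    "binary": name,
                    "as_root": as_root,
                    "nopasswd": "NOPASSWD:" in tags,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"REVIEW: {f['command']!r} as_root={f['as_root']} "
              f"nopasswd={f['nopasswd']}: remove the rule or replace it "
              f"with a fixed-argument wrapper script")
```

Run it against the saved output of sudo -l for each account; any finding with as_root set means that account is effectively root.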

Finally I was able to get the root file!