Lo-Fi

Want to hear some lo-fi beats, to relax or study to? We've got you covered!

Hey, fellow hackers! 🏴‍☠️

Today, I’m sharing a cool LFI (Local File Inclusion) challenge room I tackled. Let’s dive in quickly!

Since this was an LFI challenge, a port scan (nmap) wasn’t necessary. But hey, old habits die hard! So, I ran an nmap scan anyway, just to see what’s open.

🔍Investigating The Website

After scanning through the website, I noticed something interesting—it’s built using PHP. There were two endpoints:

  1. http://10.10.129.104/?search=lofi

  2. http://10.10.129.104/?page=coffee.php

🚨 The "?page=" parameter caught my attention. Why? Because it looked like it was including files dynamically.

My first instinct? Try to read the passwd file (/etc/passwd). So, I entered a classic LFI payload:

?page=/etc/passwd

💥 Boom! Instead of getting the file, I was greeted with a super dramatic error message:

"HACKKERRR!! HACKER DETECTED. STOP HACKING YOU STINKIN HACKER!" 😆

Okay, so the system was blocking requests that started with a "/". No problemo!

🔄Bypassing Security

Since direct access was blocked, I tried the good old directory traversal trick using ../ to move up directories.

?page=../../../etc/passwd

🎯 Bingo! We got the passwd file. This confirmed that the LFI vulnerability was real.

🔥Hunt For The Flag

Now, the real challenge—where was the flag? Since there were no user directories, I figured the flag could be placed somewhere random in the system.

So, I started testing different paths from the root (/):

?page=../../../flag.txt

🎉 Voilà! Flag Captured!

🏁Final Thoughts

This was a fun and educational challenge! If you’re a developer, make sure your applications validate inputs properly to prevent these attacks.
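
For developers, here is a sketch of why the leading-"/" check failed and what a stricter check looks like. This is an added example, not the challenge's source code: the weak function is inferred only from the behaviour described above, and the function names, the relax.php entry and the temporary pages directory are assumptions.

```php
<?php
// Added example (PHP 8+). Not the room's real code; names are hypothetical.
const ALLOWED_PAGES = ['coffee.php', 'relax.php']; // relax.php is made up

// Weak check, matching what the write-up observed: only a leading "/" is
// rejected, so a relative path built from ../ still reaches include().
function resolve_weak(string $dir, string $page): ?string
{
    if (str_starts_with($page, '/')) {
        return null;               // the "HACKER DETECTED" branch
    }
    return $dir . '/' . $page;     // ../../../etc/passwd passes unchanged
}

// Hardened check: accept only names on an allowlist, then confirm that the
// canonical path still sits inside the pages directory (covers symlinks).
function resolve_safe(string $dir, string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath($dir);
    $real = realpath($dir . '/' . $page);
    if ($base === false || $real === false) {
        return null;               // directory or file does not exist
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;               // resolved outside the pages directory
    }
    return $real;                  // only this value may be passed to include
}

// Constructed demo: a throwaway pages directory holding one page, then the
// three values sent in the write-up plus the legitimate one.
$dir = sys_get_temp_dir() . '/lofi_pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/coffee.php', 'coffee page');

$inputs = ['coffee.php', '/etc/passwd', '../../../etc/passwd', '../../../flag.txt'];
foreach ($inputs as $p) {
    printf("%-22s weak=%-7s safe=%s\n", $p,
        resolve_weak($dir, $p) === null ? 'blocked' : 'allowed',
        resolve_safe($dir, $p) === null ? 'blocked' : 'allowed');
}

unlink($dir . '/coffee.php');
rmdir($dir);
```

The weak resolver lets both traversal strings through because it inspects only the first character, while the allowlist rejects them before any path is built.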

Hope you enjoyed this write-up! Keep hacking (ethically, of course 😉), and stay curious! 🚀💻
