# Lo-Fi

{% embed url="<https://tryhackme.com/r/room/lofi>" %}

Hey, fellow hackers! 🏴‍☠️&#x20;

Today, I’m sharing a cool LFI (Local File Inclusion) challenge room I tackled. Let’s dive in quickly!

Since this was an LFI challenge, a **port scan (nmap)** wasn’t necessary. But hey, old habits die hard! So, I ran an **nmap scan** anyway, just to see what’s open.

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2FbbsqZmJuOzTjngQdCYdg%2Fnmap.jpg?alt=media&#x26;token=2dd29757-5811-4e82-99e9-8705963e7fec" alt=""><figcaption><p>Nmap Result</p></figcaption></figure>

## 🔍Investigating The Website

After scanning through the website, I noticed something interesting—it’s built using **PHP**.\
There were two endpoints:

1. `http://10.10.129.104/?search=lofi`
2. `http://10.10.129.104/?page=coffee.php`

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2F1huTX8Ywk3CefgfozOqe%2FEndpoint.jpg?alt=media&#x26;token=0e9b420b-928c-46bc-9748-b3c984aeb646" alt=""><figcaption><p>Lo-Fi Website</p></figcaption></figure>

🚨 The **"?page=" parameter** caught my attention. **Why?** Because it looked like it was including files dynamically.

My first instinct? Try to read the **passwd** file (`/etc/passwd`). So, I entered a classic LFI payload:

```bash
?page=/etc/passwd
```

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2Fwc7lS1YkY9tNUCH8WFRX%2FHacker.jpeg?alt=media&#x26;token=750b057d-d7dc-4e82-96d3-5ebfeddc38fc" alt=""><figcaption><p>LFI Security</p></figcaption></figure>

💥 Boom! Instead of getting the file, I was greeted with a super dramatic error message:

**"HACKKERRR!! HACKER DETECTED. STOP HACKING YOU STINKIN HACKER!"** 😆

Okay, so the system was blocking requests that started with a **"/"**. No problemo!

## 🔄Bypassing Security

Since direct access was blocked, I tried the good old **directory traversal trick** using `../` to move up directories.

```bash
?page=../../../etc/passwd
```

🎯 Bing&#x6F;**!** We got the passwd file. This confirmed that the LFI vulnerability was real.

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2FefxxPRSsqXySHdLGBStm%2Fexploit.png?alt=media&#x26;token=86a5e66a-eca0-49df-97ec-5575da82ab10" alt=""><figcaption><p>Security Bypassing</p></figcaption></figure>

## 🔥Hunt For The Flag

Now, the real challenge—**where was the flag?**\
Since there were no user directories, I figured the flag could be placed somewhere **random** in the system.

So, I started testing different paths, from the root (`/`). :

```bash
?page=../../../flag.txt
```

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2FfwkiaVMGF4vDHkjzeaQk%2Fflag.jpeg?alt=media&#x26;token=717b18c7-b449-4880-8848-cc55792a53eb" alt=""><figcaption><p>Flag</p></figcaption></figure>

🎉 V**oilà!** **Flag Captured!**

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2FBuaZKb8WeMq1cVcXbKDL%2Fcomplete.jpeg?alt=media&#x26;token=e05e7bed-9e24-4216-a1c3-1601b10f30b5" alt=""><figcaption></figcaption></figure>

## 🏁Final Thoughts

This was a fun and educational challenge! If you’re a developer, make sure your applications **validate inputs properly** to prevent these attacks.

Hope you enjoyed this write-up! Keep hacking (ethically, of course 😉), and stay curious! 🚀💻