Lo-Fi TryHackMe Writeup
Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!
Find This Room: Lo-Fi
Let’s Pwn This Room
Check out similar content on TryHackMe:
Note: The web page does load some elements from external sources. However, they do not interfere with the completion of the room.
Initial Reconnaissance
$ nmap -sV -p- -T4 10.10.120.242
Two ports found in open state →
Port 22/TCP → SSH (OpenSSH 8.2p1 Ubuntu)
Port 80/TCP → HTTP (Apache httpd 2.2.22)
Let us now check the source code of the page. We will find that there are endpoints that we can test for the vulnerability.
Local File Inclusion (LFI) Vulnerability Analysis
The page parameter in the provided code is vulnerable to Local File Inclusion (LFI) due to improper handling of user input. This parameter allows dynamic inclusion of files such as /?page=relax.php, creating an entry point for exploitation if the input is not sanitized.
The backend appears to utilize a PHP function, such as include($_GET['page']);, to dynamically load content. However, if proper validation is not in place, an attacker can exploit this parameter to retrieve sensitive server files, including:
/etc/passwd to gather information about system users.
/var/www/html/config.php to obtain application credentials.
/root/root.txt or flag.txt, which may contain critical information in this context.
By exploiting directory traversal techniques (../), the attacker can potentially gain unauthorized access to arbitrary files on the server.
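The include pattern described above next to an allowlist-based fix, as an added example that is not the room's actual source code. The pages/ directory, the sleep.php entry and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added illustration; not the room's real source. The pages/ directory,
// the 'sleep' entry and resolve_page() are assumptions.

// Vulnerable pattern the writeup infers: the raw parameter reaches include(),
// so a value containing ../ resolves to a file outside the web root.
//   include($_GET['page']);

// Hardened: the request only selects a key; the file path comes from the server.
const PAGES_DIR = __DIR__ . '/pages';   // assumed content directory
const PAGES = [                          // assumed allowlist of page files
    'relax' => 'relax.php',
    'sleep' => 'sleep.php',
];

function resolve_page(string $requested): ?string
{
    // Accept "relax" or "relax.php"; values with slashes or dots miss the lookup.
    $key = (string) preg_replace('/\.php$/', '', $requested);
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must sit directly inside PAGES_DIR,
    // which also rejects a symlink that points somewhere else.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// ?page[]=x arrives as an array, so check the type before resolving.
$raw  = $_GET['page'] ?? 'relax';
$page = is_string($raw) ? resolve_page($raw) : null;

if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this in place, any page value that is not a key in the allowlist, including one built from ../ sequences, gets a 404 and never reaches include.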
Let’s check /etc/passwd by using LFI:
http://10.10.120.242/?page=../../../../etc/passwd
Wow, we see the user root in the /etc/passwd file. Let’s check for the flag inside.
The Flag was found → http://10.10.120.242/?page=../../../flag.txt
This shows that flag.txt was saved inside the /var/www/html location.
Happy hacking, I want to see you again.