Phase 1: Reconnaissance

I started by navigating to the web application. The site presented a "Lo-Fi Music Player" interface.

While exploring the site, I clicked on one of the music tracks ("Chill"). I noticed the URL changed to include a parameter fetching a PHP file:

Observation: The page= parameter seems to be loading local files (chill.php). This is a classic indicator of a potential Local File Inclusion (LFI) or Path Traversal vulnerability.

Phase 2: Vulnerability Testing

Attempt 1: The Direct Approach

I attempted to access the sensitive Linux password file directly using an absolute path:

Payload: /?page=/etc/passwd

Response: The server responded with a custom error message/WAF (Web Application Firewall) blocking the request:

"HACKKERRR!! HACKER DETECTED. STOP HACKING YOU STINKIN HACKER!"

Analysis: The application is likely filtering inputs that start with / (absolute paths) or checking for specific keywords, but the error confirms that my input is being processed by the backend.

Attempt 2: The Bypass (Directory Traversal)

Since the direct path failed, I decided to use Directory Traversal (../) to move up from the current directory (likely /var/www/html/) to the root directory.

Payload: /?page=../../../etc/passwd

Response: Success! The application leaked the contents of /etc/passwd.

This confirms the Path Traversal vulnerability exists and the application is running as www-data.

Phase 3: Capturing the Flag

Now that I had confirmed arbitrary file read capabilities, I looked for the flag. Standard CTF convention often places flags in flag.txt in the upper directories.

Payload: /?page=../../../flag.txt

Result: The server returned the flag!
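
The behaviour seen in Phase 2 (absolute path refused, ../ accepted) is what a leading-slash check produces. As an added example, not code from the challenge or from this writeup, the PHP below contrasts such a check with one that canonicalises the path and enforces containment; the function names and the temporary pages directory are assumptions, since the application's real filter is not shown.

```php
<?php
// Added example. Function names and the temporary pages directory are
// hypothetical; the application's real filter is not shown in the writeup.

// Weak check modelled on the observed behaviour: only absolute paths are refused.
function resolve_weak(string $base, string $page): ?string
{
    if (strncmp($page, '/', 1) === 0) {
        return null;                       // "/etc/passwd" is blocked
    }
    return $base . '/' . $page;            // "../" sequences pass straight through
}

// Hardened check: canonicalise, then require the result to stay inside $base.
function resolve_safe(string $base, string $page): ?string
{
    $root = realpath($base);
    $real = realpath($base . '/' . $page); // resolves ".." and symlinks
    if ($root === false || $real === false) {
        return null;                       // directory or file does not exist
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                       // resolved path escaped the pages directory
    }
    return pathinfo($real, PATHINFO_EXTENSION) === 'php' ? $real : null;
}

// Constructed fixture: a throwaway pages directory with one track file.
$base = sys_get_temp_dir() . '/lofi_pages_' . getmypid();
mkdir($base);
file_put_contents($base . '/chill.php', '<?php echo "chill";');

// The three values of page= that appear in the writeup.
foreach (['chill.php', '/etc/passwd', '../../../etc/passwd'] as $page) {
    printf("%-22s weak=%-45s safe=%s\n", $page,
        var_export(resolve_weak($base, $page), true),
        var_export(resolve_safe($base, $page), true));
}

unlink($base . '/chill.php');
rmdir($base);
```

Only chill.php gets a non-NULL result from resolve_safe; a fixed map from track name to file, with no user-supplied path at all, is stricter still.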