This challenge is focused on LFI. What's LFI?

  • LFI (Local File Inclusion) is a class of web vulnerability, and the attack technique that exploits it, in which a web application passes user-controlled input to a file-include (or file-read) function without validating it.
  • What it does: it lets an attacker make the server-side application read and/or include files from its own filesystem (and sometimes special streams), leading to information disclosure and, in many cases, remote code execution through secondary techniques.

More detail (how it works)

  • Typical vulnerable pattern (PHP example): the application does something like include($_GET['page']); and the attacker controls the page parameter.
  • Common exploitation methods:
      • Path traversal: send values like ../../../../etc/passwd to climb out of the web directory and read sensitive files (configuration files, password files, SSH keys, application source).
      • Special wrappers/streams (in PHP: php://filter, php://input, data://) to read source files base64-encoded instead of having them executed, or to feed attacker-supplied data straight to the interpreter.
      • Log / upload poisoning: if you can get PHP code into a file that the application later includes (for example by placing it in the User-Agent header so it lands in Apache's access.log, or by uploading a file), the server executes the attacker-supplied code.
      • Session files or other writable files: include PHP session files, or any other file you can write to, to steal sessions or escalate access.
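As an added example (not code from the writeup or from the challenge), here is the vulnerable pattern above modelled in Python next to a hardened version, plus the "just strip ../" fix that people reach for first and why it fails. It builds a throwaway directory standing in for the web root and a fake /etc/passwd outside it; the directory layout and file names are assumptions made for the example. Python is used so the path resolution can be run directly; the relative-path behaviour that makes ../ work is the same in PHP's include().

```python
# Added example (not from the writeup): a toy model of PHP's
# include($_GET['page']) in Python, next to a hardened version.
# The file layout below is constructed in a temp directory; the real
# challenge box, its paths and its flag are not represented.
import tempfile
from pathlib import Path


def build_fixture() -> Path:
    """Constructed layout: <tmp>/www is the web root, <tmp>/etc/passwd sits outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "www" / "pages").mkdir(parents=True)
    (root / "www" / "pages" / "home.php").write_text("<h1>home</h1>")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return root


def vulnerable_include(webroot: Path, page: str) -> str:
    """Mirrors include($_GET['page']): the parameter is used as a path unchanged.
    For this model, relative paths resolve against the web root, so every
    "../" in `page` walks one directory further out of it."""
    return (webroot / page).read_text()


def naive_strip(page: str) -> str:
    """A common (bad) fix: delete every "../". str.replace runs once, left to
    right, so "....//" collapses back into "../" and the filter is bypassed."""
    return page.replace("../", "")


def safe_include(webroot: Path, page: str) -> str:
    """Hardened version: canonicalise the requested path with resolve() and
    refuse anything that does not land inside the pages/ directory. This
    catches "../", "....//", absolute paths and symlinks alike, because the
    check is on where the path ends up, not on what the string looks like."""
    base = (webroot / "pages").resolve()
    target = (base / page).resolve()  # an absolute `page` replaces base entirely
    if base not in target.parents:
        raise PermissionError(f"refusing {page!r}: resolves outside {base}")
    if target.suffix != ".php":
        raise PermissionError(f"refusing {page!r}: only .php pages are includable")
    return target.read_text()


if __name__ == "__main__":
    root = build_fixture()
    www = root / "www"
    print(vulnerable_include(www, "../etc/passwd"))   # leaks the fake passwd file
    print(naive_strip("....//....//etc/passwd"))       # filter bypass: ../../etc/passwd
    print(safe_include(www, "home.php"))               # legitimate include still works
    try:
        safe_include(www, "../../etc/passwd")
    except PermissionError as exc:
        print(exc)                                     # traversal rejected
```

The hardened version does two things the naive filter does not: it decides on the canonical path rather than on the raw string, and it allowlists what may be included (a fixed directory and a fixed extension). In real PHP code the cleanest fix is stricter still: map the page parameter to a fixed set of known file names and never build a path from user input at all.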

This is a very quick and easy challenge, so this will be short.

This is the machine info given:

[screenshot: the challenge's machine info panel]

Here, we see that the 'similar content' section lists LFI rooms.

This also says to just navigate to the URL for the challenge, which I guess means the nmap scan isn't necessary, but I did it anyway out of habit and to establish healthy technique.

This is the nmap scan.

[screenshot: nmap scan output]

Here, we see 2 open ports.

Port 22, for SSH.

And Port 80, for HTTP.

In Firefox (or any web browser), this is what I got.

[screenshot: the site's home page in the browser]

Playing around on the site, you notice the 'page' parameter in the URL, which reminded me of IDOR at first, but then I remembered this is LFI, and after a quick refresher on LFI, I attempted "/etc/passwd".

[screenshot: the response with page set to ../../../../etc/passwd]

^^ This is the exact same URL (the machine IP), but with "../../../../etc/passwd" supplied as the page parameter.

So what's happening here?

The first screenshot was simply "http://MACHINE_IP".

This one is "http://MACHINE_IP/?page=../…/../../etc/passwd".

"/etc/passwd" is a file (not a directory) in a Linux file system that lists every account name along with its UID, home directory and login shell. Despite the name, modern systems keep the actual password hashes in /etc/shadow, which only root can read; /etc/passwd just shows an "x" in the password field. (Explaining /etc/shadow is out of scope here.) What matters for LFI is that /etc/passwd is world-readable and exists on every Linux box, which is why it is the standard first file to request when testing for the vulnerability.

Now, doing the exact same thing, I try "flag.txt".

What this does is ask the include to resolve "flag.txt" relative to the directory the web application runs from, roughly like double-clicking a file sitting on your Desktop instead of typing its full path. It's not EXACTLY the same, because the path isn't "../Desktop/flag.txt", but the similarity is the point: each "../" steps one directory up from where you currently are. Linux handles paths differently from Windows (forward slashes, no drive letters, and everything is exposed as a file), but the idea of a relative path is the same.

So, with this in mind, I try "../flag.txt"

[screenshot: the response with page set to ../flag.txt, showing the flag]

And, it gives the flag.

The whole point of this is to show that web apps sometimes have a vulnerability called Local File Inclusion. In short: if you find the right parameter to modify and set it to a path containing "../../../", you can read files anywhere on the server's file system that the web server's user is allowed to access.
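For the defender's side of the same requests, here is an added example (not part of the writeup or of TryHackMe's material) that scans Apache-style access log lines for LFI attempts in query parameters: raw and percent-encoded traversal, PHP stream wrappers, and well-known sensitive paths. The log lines, IP addresses, timestamps and paths are constructed for the example and do not come from the challenge box.

```python
# Added example (not from the writeup): the defender's view of the requests
# above. It scans Apache "combined" access log lines for LFI attempts in
# query parameters. All log lines below are constructed for this example.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.88.1"',
    '10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1834 "-" "curl/7.88.1"',
    '10.0.0.9 - - [10/Oct/2023:13:56:44 +0000] "GET /?page=%252e%252e%252fflag.txt HTTP/1.1" 200 40 "-" "curl/7.88.1"',
    '10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4021 "-" "curl/7.88.1"',
    '10.0.0.7 - - [10/Oct/2023:13:58:10 +0000] "GET /?page=../../var/log/apache2/access.log HTTP/1.1" 404 210 "-" "python-requests/2.31"',
]

# Apache combined format: client, identd, user, [time], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
TRAVERSAL = re.compile(r'\.\.[/\\]')                       # ../ or ..\
WRAPPER = re.compile(r'^(php|data|expect|phar|zip|file)://', re.IGNORECASE)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/", "access.log", "error.log")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, so a double-encoded
    %252e%252e%252f and a single-encoded %2e%2e%2f both come out as "../"."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list[str]:
    """Reasons a single decoded parameter value looks like an LFI attempt."""
    reasons = []
    if TRAVERSAL.search(value):
        reasons.append("traversal")
    if WRAPPER.match(value):
        reasons.append("wrapper")
    if any(marker in value for marker in SENSITIVE):
        reasons.append("sensitive-path")
    return reasons


def scan(lines: list[str]) -> list[dict]:
    """Parse each line, decode every query parameter and keep the suspicious ones.
    The HTTP status is carried along: a 200 on a traversal request means the
    include most likely succeeded, a 404 is a probe that missed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl already removed one layer
            reasons = classify(value)
            if reasons:
                hits.append({"ip": m["ip"], "param": name, "value": value,
                             "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Two details worth keeping when adapting this: decode more than once, because a single-decoding filter (or a single-decoding detection rule) is what `%252e%252e%252f` is designed to slip past, and keep the response status next to the match, since one 200 on a traversal request is a confirmed read while a burst of 404s from the same IP is a scanner mapping the box.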

This is TryHackMe explaining it out as well:

[screenshot: TryHackMe's explanation of LFI]