June 17, 2026
TryHackMe Lo-Fi Writeup
Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!
OWL
Introduction
Lo-Fi is an easy TryHackMe room focused on identifying and exploiting a Local File Inclusion (LFI) vulnerability. In this writeup, I'll walk through the enumeration, discovery, and exploitation process used to obtain the flag.
Nmap scan
The first thing you do in any CTF is an nmap scan.
Now we know that there is a website running on port 80.
Discovery
Opening the website, I get welcomed with a Lo-Fi page.
Looking around, I watch the pattern and see how the URL changes depending on the page you're at.
I noticed the application used a page parameter to dynamically load PHP files. Since user-controlled file inclusion is a common source of Local File Inclusion (LFI) vulnerabilities, I tested whether directory traversal sequences could escape the intended directory.
Exploiting
I tried a basic ../../../etc/passwd and got this back:
Perfect, I have successfully exploited an LFI vulnerability here.
Flag
Since you could get the content of /etc/passwd using ../../../etc/passwd, you should be able to get the content of flag.txt using ../../../flag.txt.
What you learn from this CTF
This room demonstrates how unsafe file inclusion can lead to Local File Inclusion vulnerabilities. By manipulating the page parameter with directory traversal sequences, an attacker can access files outside the intended web directory, potentially exposing sensitive information.
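The unsafe inclusion pattern described above, next to a hardened resolver, as an added example that is not the room's source code. The function names, the temporary pages directory and the page names relax.php and sleep.php are assumptions made for illustration.

```php
<?php
// Added example: function names, directory and page names are hypothetical.

// Unsafe pattern: the page parameter is joined straight onto the base path,
// so "../" sequences resolve to files outside the pages directory.
function resolve_page_unsafe(string $pagesDir, string $page): string
{
    return $pagesDir . '/' . $page;
}

// Hardened form: exact-match allowlist, then canonicalise with realpath()
// and require the result to stay under the canonical base directory.
function resolve_page_safe(string $pagesDir, string $page, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;                       // not a known page name
    }
    $base   = realpath($pagesDir);
    $target = realpath($pagesDir . '/' . $page);
    if ($base === false || $target === false) {
        return null;                       // base or page does not exist
    }
    // The trailing separator stops ".../pages_old" from matching ".../pages".
    // This also catches an allowlisted name that is a symlink out of the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;                        // only now is it safe to include
}

// Constructed demo data: a throwaway pages directory with one real page.
$pagesDir = sys_get_temp_dir() . '/lofi_pages_' . getmypid();
mkdir($pagesDir, 0700, true);
file_put_contents($pagesDir . '/relax.php', '<?php echo "relax";');
$allowed = ['relax.php', 'sleep.php'];     // sleep.php is allowed but missing

foreach (['relax.php', '../../../etc/passwd', 'sleep.php'] as $input) {
    $unsafe = resolve_page_unsafe($pagesDir, $input);
    $safe   = resolve_page_safe($pagesDir, $input, $allowed);
    printf("%-20s unsafe=%s\n%-20s safe=%s\n", $input, $unsafe, '', $safe ?? 'REJECTED');
}

unlink($pagesDir . '/relax.php');
rmdir($pagesDir);
```

Only relax.php resolves in the safe version; the traversal string fails the allowlist, and sleep.php is rejected because realpath() returns false for a file that does not exist.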