Room: https://tryhackme.com/room/lofi
Overview
This room focuses on Local File Inclusion (LFI) and path traversal vulnerabilities. Below is a summary of my process and findings while exploiting the target.


Initial Setup
- I started the machine and the AttackBox provided by TryHackMe.
- After launching the AttackBox, I navigated to the target IP address in a web browser.
Reconnaissance
On visiting the site, I noticed a section titled "Discography" with multiple buttons.
- Clicking on each button under Discography changed the URL pattern to http://MACHINE_IP/?page=relax.php, http://MACHINE_IP/?page=sleep.php and so on.
This hinted that the application was including files dynamically via the page parameter — a strong indicator of a potential LFI vulnerability.
Exploitation: LFI and Path Traversal
Since the room hinted at file inclusion, I tested the following payload:
http://MACHINE_IP/?page=../../../../etc/passwd
✅ Success! The contents of /etc/passwd were displayed, confirming the presence of a Local File Inclusion vulnerability.
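The server-side code behind the page parameter is not shown in the room, so the following is an added example (not the room's or TryHackMe's code) that sketches the unsafe include pattern the URLs imply next to two mitigations: confining the resolved path to the include root, and mapping the parameter against an allowlist of known page names. The include root PAGES_DIR and the allowlist are assumptions constructed from the two page names visible above.

```python
import posixpath

# Constructed include root for the example; the room's real web root is not
# stated on the page, so this path is an assumption.
PAGES_DIR = "/var/www/html/pages"

# Allowlist built from the two page names visible in the room's URLs.
ALLOWED_PAGES = {"relax.php", "sleep.php"}


def vulnerable_resolve(page: str) -> str:
    """The unsafe pattern: the user-supplied value is joined straight onto the
    include root, so '../' segments walk out of PAGES_DIR."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


def escapes_root(path: str) -> bool:
    """True when a resolved path lies outside PAGES_DIR."""
    return not path.startswith(PAGES_DIR.rstrip("/") + "/")


def confine_to_root(page: str):
    """Mitigation 1: normalize the candidate path and refuse anything that
    does not remain under PAGES_DIR. Returns the path or None.
    Note: posixpath.join discards the root when `page` is absolute, so an
    absolute value such as /etc/passwd is also caught by the root check."""
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    return None if escapes_root(candidate) else candidate


def allowlist_resolve(page: str):
    """Mitigation 2: map the parameter against a fixed set of known page
    names instead of treating it as a path at all."""
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(PAGES_DIR, page)


def safe_resolve(page: str):
    """Both layers together: allowlist first, then confinement as defence in
    depth in case the allowlist is ever widened carelessly."""
    if allowlist_resolve(page) is None:
        return None
    return confine_to_root(page)


if __name__ == "__main__":
    for p in ("relax.php", "../../../../etc/passwd"):
        print(f"{p!r}: unsafe -> {vulnerable_resolve(p)}, safe -> {safe_resolve(p)}")
```

Running the block shows the unsafe resolver turning the traversal payload from the room into /etc/passwd, while both mitigations reject it; the allowlist is the stronger control because it never interprets the parameter as a filesystem path.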
Searching for the Flag
Now that I had confirmed LFI, the next step was to find and read the flag. I tried exploring directories that might contain flags, such as:
Then, I tried:
🎉 Flag found!
The flag was successfully displayed in the browser.
Conclusion
This was a great exercise in exploiting LFI and understanding the importance of secure file inclusion practices. The key steps included:
- Identifying file inclusion via URL parameters
- Performing path traversal
- Locating sensitive files such as /etc/passwd and the flag
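From the defender's side, the same traversal requests leave a clear trace in the web server's access log. The following added example (not part of the room) scans Apache-style access log lines for URL-decoded traversal steps and sensitive-file names in the request target; the log lines are constructed for the example and the IP addresses and timestamps in them are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log sample (not taken from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=relax.php HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=sleep.php HTTP/1.1" 200 1498
10.0.0.9 - - [01/Jan/2024:10:01:12 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2310
10.0.0.9 - - [01/Jan/2024:10:01:20 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2310
10.0.0.9 - - [01/Jan/2024:10:01:33 +0000] "GET /?page=%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 212
"""

# Common log format: client, identd, user, [timestamp], "method target proto", status, bytes
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# A '..' segment followed by a separator (or end of string) after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')
# Files that an LFI probe typically reaches for first.
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)')


def decode_target(target: str) -> str:
    """Decode twice so double-encoded payloads (%252e -> %2e -> .) are seen."""
    return unquote(unquote(target))


def find_lfi_attempts(log_text: str):
    """Return one record per request whose decoded target shows traversal or a
    sensitive-file name. A 200 status on such a request is the strongest
    signal, since it suggests the include actually succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        decoded = decode_target(target)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("traversal")
        if SENSITIVE_RE.search(decoded):
            reasons.append("sensitive-file")
        if reasons:
            hits.append({
                "ip": ip,
                "time": ts,
                "target": target,
                "decoded": decoded,
                "status": int(status),
                "served": status == "200",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["decoded"], hit["reasons"])
```

Decoding before matching matters: the second and third flagged lines only reveal their traversal after percent-decoding, which is why a plain substring search for "../" on the raw log would miss them.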