Overview

Lo-Fi is an easy Linux machine from TryHackMe. This box is a short, beginner-friendly introduction to the Local File Inclusion (LFI) web vulnerability.

We poke at a Lo-Fi music web server, identify an LFI vulnerability that lets us traverse the server's filesystem, and ultimately find the flag there.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -A 10.10.242.156 -T5   
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-04 17:27 CET
Nmap scan report for 10.10.242.156
Host is up (0.039s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e1:c2:f5:ef:23:8e:13:8a:95:32:6d:f4:67:3b:a8:07 (RSA)
|   256 52:14:39:94:49:16:08:6a:2f:33:2c:35:f7:e0:42:30 (ECDSA)
|_  256 57:c0:72:fd:c3:f5:27:6a:a8:8a:bd:e2:66:51:92:ee (ED25519)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Lo-Fi Music
|_http-server-header: Apache/2.2.22 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   37.90 ms 10.9.0.1
2   38.08 ms 10.10.242.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.66 seconds

The Nmap scan showed two open ports: port 22 for SSH and port 80 for an Apache web server. Let's begin our enumeration on the website.

Web enumeration

I visited the website and was greeted with a Lo-Fi beats livestream. There were several categories and a search function.

Clicking on the different categories loads different PHP pages. Also notice the "page" parameter in the URL.

Exploiting LFI vulnerability & getting the flag

I started to play with this "page" parameter and tried common LFI payloads (LFI is a common web app flaw, hence the title Lo-Fi). When I tried to read "/etc/passwd", I got a scary message back.

When absolute paths don't work, we should try relative paths. When relative paths don't work either, we should try encoding our payloads. Luckily, we don't have to do that here. Entering the relative path to "/etc/passwd", I was able to read the file.

(Screenshot: exposing "/etc/passwd", confirming the LFI vulnerability)

Bingo! We found the LFI (Local File Inclusion) vulnerability, also known as Path Traversal.
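The behaviour above (an absolute path is refused, a relative "../" path is served) is exactly what a filter that only blocks leading slashes produces. The following Python model is an added example, not the box's real PHP code: it reproduces that weak check, shows how path normalisation carries "../" out of the web root, and puts the two defences next to it, a containment check on the normalised path and, preferably, an allowlist so the parameter never becomes a filesystem path at all. WEB_ROOT and the page names are assumed values.

```python
import posixpath
from typing import Optional

# Assumed layout for this model (constructed; not the box's real code or paths).
WEB_ROOT = "/var/www/html"
# Hypothetical page names standing in for the site's category pages.
ALLOWED_PAGES = {"home", "relax", "chill", "coding"}


def naive_resolve(page: str) -> Optional[str]:
    """Model of the weak check the box appears to use: absolute paths are
    refused (the "scary message"), anything else is joined onto the web root
    and handed to include(). Returns the path that would be included, or
    None if the request is rejected."""
    if page.startswith("/"):
        return None
    # normpath collapses "../" the same way the OS does when opening the file
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def is_inside_webroot(path: str) -> bool:
    """True only when the normalised path is still under WEB_ROOT
    (commonpath also rejects sibling prefixes such as /var/www/htmlx)."""
    return posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT


def contained_resolve(page: str) -> Optional[str]:
    """Defence in depth when an allowlist is not possible: normalise first,
    then refuse anything that escaped the web root or carries a NUL byte
    (NUL could truncate paths in older PHP builds)."""
    if not page or "\x00" in page:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if not is_inside_webroot(candidate):
        return None
    return candidate


def allowlist_resolve(page: str) -> Optional[str]:
    """Preferred fix: the parameter selects a name from a fixed set and is
    never used to build a filesystem path."""
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(WEB_ROOT, page + ".php")


if __name__ == "__main__":
    for probe in ["relax.php", "/etc/passwd", "../../../etc/passwd"]:
        print(f"{probe!r:28} naive={naive_resolve(probe)!r:26} "
              f"contained={contained_resolve(probe)!r}")
    for probe in ["relax", "../../../etc/passwd"]:
        print(f"{probe!r:28} allowlist={allowlist_resolve(probe)!r}")
```

Running it shows the naive check turning "../../../etc/passwd" into "/etc/passwd" while the contained and allowlist versions both refuse it; the allowlist is the stronger of the two because it removes the user-controlled path entirely rather than trying to validate it.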

As is common in these CTFs, you want to get as much information about the machine as possible. Below are several files you should try to read when you encounter LFI in CTF machines:

/etc/passwd ---> list of users, their IDs, home directories and shells
/etc/hosts ---> local hostname-to-IP mappings
/proc/self/environ ---> environment variables of the current process
/home/USER/.ssh/id_rsa ---> SSH private key of a user
/var/www/html/* ---> default document root of the web server
/etc/apache2/apache2.conf ---> Apache config file
/etc/nginx/nginx.conf ---> Nginx config file
/var/log/apache2/access.log ---> Apache access log
/var/log/apache2/error.log ---> Apache error log
/var/log/nginx/access.log ---> Nginx access log
/var/log/nginx/error.log ---> Nginx error log
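Every one of the probes above leaves a trace in the web server's access log, which is where a defender would catch this. The following Python detector is an added example (not part of the write-up or the box): it parses Apache combined-format lines, pulls the "page" parameter out of the request, percent-decodes it repeatedly so that single- and double-encoded "../" variants are unmasked, and flags traversal sequences, absolute sensitive paths and NUL bytes. The log lines are constructed for the demo and do not come from the machine.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not from the box).
SAMPLE_LOG = """\
10.9.0.5 - - [04/Nov/2025:17:31:02 +0100] "GET /?page=relax.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.9.0.5 - - [04/Nov/2025:17:32:10 +0100] "GET /?page=/etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.9.0.5 - - [04/Nov/2025:17:32:41 +0100] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
10.9.0.5 - - [04/Nov/2025:17:33:05 +0100] "GET /?page=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 300 "-" "curl/8.5.0"
10.9.0.5 - - [04/Nov/2025:17:33:30 +0100] "GET /?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.9.0.7 - - [04/Nov/2025:17:34:00 +0100] "GET /?page=coding.php HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component at the start or after a separator (backslashes are
# normalised to "/" before matching).
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/log/", "/root/", "/home/")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e (double
    encoded) ends up as "." just like %2e does."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_lfi(raw_value: str) -> bool:
    """Heuristic on one parameter value: traversal, absolute sensitive path
    or an embedded NUL byte."""
    v = decode_fully(raw_value).replace("\\", "/")
    return (bool(TRAVERSAL.search(v))
            or v.startswith(SENSITIVE_PREFIXES)
            or "\x00" in v)


def find_lfi_attempts(log_text: str, param: str = "page") -> list:
    """Return one record per request whose `param` value looks like an LFI
    probe. The raw (still encoded) value is kept for the report."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query      # urlsplit does not decode
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            if key == param and looks_like_lfi(raw):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "raw": raw, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]}  {hit["ip"]:<10} status={hit["status"]}  page={hit["raw"]}')
```

Four of the six constructed lines are flagged; the two legitimate category pages are not. A 200 status next to a flagged value is the part worth alerting on, since it means the include actually succeeded rather than being blocked.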

We are tasked with finding the flag somewhere in the filesystem. After a couple of attempts, I figured out that the flag is in a "flag.txt" file in the root of the filesystem.

And that's Lo-Fi machine done! That wasn't so bad, was it?

Summary & final thoughts

Lo-Fi is an easy Linux machine from TryHackMe. This box is a very simple showcase of LFI, which is one of the most common web app vulnerabilities. This dangerous flaw allows attackers to traverse the server's filesystem, read sensitive files and execute scripts. The challenge lets you gain some experience with LFI: see how it works, how it is identified and why it is so dangerous.

In my opinion, it is a great and simple introduction to web app vulnerabilities: read just a single flag from the filesystem to complete the challenge. I recommend it to any complete beginner. Don't underestimate the security of your web apps!