Lo-Fi Tryhackme — WriteUps

Introduction

This walkthrough is based on the TryHackMe lab "Lo-Fi" from Task 1. The challenge involves exploiting a Local File Inclusion (LFI) vulnerability to retrieve a hidden flag from the system.

Phase 1: Reconnaissance

To begin, perform an initial reconnaissance scan using nmap to identify open ports and running services:

nmap -sV -sC <ip>

Scan Results:

death@esther:~$ nmap -sV -sC 10.10.63.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 22:43 IST
Nmap scan report for 10.10.63.207
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Lo-Fi Music
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The presence of an open HTTP port (80) running Apache immediately caught my attention. Time to explore the website.


Phase 2: Exploring the Website

On the surface, the website was pretty basic. It had five Lo-Fi music tracks, each with a play button. Nothing seemed unusual — until I clicked on a track and noticed something intriguing in the URL.

The website used a query parameter to fetch videos dynamically. This hinted at a potential Local File Inclusion (LFI) vulnerability.


At this point, my instincts kicked in. Could this be vulnerable to LFI? There was only one way to find out.

Phase 3: Testing for LFI

LFI allows an attacker to make the application include arbitrary files from the server's filesystem in its response, potentially exposing sensitive information. To test this, I attempted to access the /etc/passwd file—a classic move in LFI exploitation.

http://10.10.63.207/?page=../../../../etc/passwd

And boom! It worked.


This meant I could read arbitrary files on the system. Now, it was time for the real prize — the hidden flag.

Phase 4: Capturing the Flag

After several trial-and-error attempts, I discovered the flag stored in a file named flag.txt. I had expected something like User flag.txt, but surprisingly, it was much simpler than I had imagined!

http://10.10.63.207/?page=../../../../flag.txt

Victory! The flag was mine, and the challenge was successfully completed.

Lessons Learned

This exercise reinforced the importance of secure coding practices. Here are some key takeaways:

  1. Always validate user input — Never trust external parameters without sanitization.
  2. Use whitelisting instead of blacklisting — Restrict file access to only necessary directories.
  3. Implement proper access controls — Sensitive files like /etc/passwd and flag.txt should never be accessible via a web application.
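As an added example (not code from this writeup or from the room itself), here is what takeaways 1 and 2 look like in practice: a hardened version of the kind of ?page= loader the room abuses, written in Python. The page names, directory layout and flag contents are constructed for the demo; is_traversal_attempt is a hypothetical helper for reviewing access logs.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed allow-list: the only page names the application should serve.
ALLOWED_PAGES = {"track1", "track2", "track3", "track4", "track5"}


def load_page(page_param: str, base_dir) -> str:
    """Return the contents of an allowed page or raise ValueError.

    page_param is the untrusted ?page= value; base_dir is the fixed
    directory that holds the page files.
    """
    # 1. Allow-list (whitelist) check: unknown names are rejected outright.
    if page_param not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page_param!r}")
    # 2. Defence in depth: resolve the final path and confirm it is still
    #    inside base_dir, so ../ sequences can never escape the directory.
    base = Path(base_dir).resolve()
    target = (base / f"{page_param}.html").resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes the page directory")
    return target.read_text()


def is_traversal_attempt(page_param: str) -> bool:
    """Detection helper: flag ?page= values that look like the
    ../../../../etc/passwd payload, including URL-encoded variants."""
    decoded = unquote(unquote(page_param))  # handle double encoding
    return ".." in decoded or decoded.startswith("/")


def demo() -> dict:
    """Build a constructed page directory and exercise the loader."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "pages"
        pages.mkdir()
        for name in ALLOWED_PAGES:
            (pages / f"{name}.html").write_text(f"<h1>{name}</h1>")
        (Path(tmp) / "flag.txt").write_text("CONSTRUCTED-FLAG")  # outside pages/
        results = {}
        for param in ("track1", "../../../../etc/passwd", "../flag.txt"):
            try:
                results[param] = load_page(param, pages)
            except ValueError as err:
                results[param] = f"blocked: {err}"
        return results


if __name__ == "__main__":
    for param, outcome in demo().items():
        print(f"{param!r:30} -> {outcome}")
```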