|
| 1 | +--- |
| 2 | +title: "TryHackMe: Lo-Fi" |
| 3 | +categories: [TryHackMe] |
| 4 | +tags: [LFI] |
| 5 | +render_with_liquid: false |
| 6 | +img_path: /images/tryhackme_lo_fi/ |
| 7 | +image: |
| 8 | + path: banner.png |
| 9 | +--- |
| 10 | + |
| 11 | +Want to hear some lo-fi beats, to relax or study to? We've got you covered! |
| 12 | + |
| 13 | +{: width="300" height="300" .shadow} |
| 14 | +_<https://tryhackme.com/r/room/lofi>_ |
| 15 | + |
| 16 | +## Reconnaissance |
| 17 | + |
| 18 | +Nmap scan results reveal two open ports: port 22 for SSH and port 80 for HTTP. |
| 19 | + |
| 20 | +```console |
| 21 | +nmap -sC -sV -T3 -Pn --open <MACHINE_IP> |
| 22 | +``` |
| 23 | +{: width="996" height="434"} |
| 24 | + |
| 25 | +We run a scan on the page with Feroxbuster, but after completing the scan, we don’t find any significant results. |
| 26 | + |
| 27 | +{: width="971" height="509"} |
| 28 | + |
| 29 | +{: width="1919" height="648"} |
| 30 | + |
| 31 | +## Web Analysis |
| 32 | + |
| 33 | +The room description hinting that we should test for potential [Local File Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion) (LFI) vulnerabilities. Upon visiting the index page, we are presented with links to various genres, each pointing to a different section of the site. These links are dynamically loaded based on user interaction, which suggests the possibility of parameter manipulation. |
| 34 | + |
| 35 | +{: width="1915" height="714"} |
| 36 | + |
| 37 | +## Local File Inclusion |
| 38 | + |
| 39 | +Testing for LFI in this scenario involves analyzing how the application handles the page parameter in the URL. Each genre link likely passes a specific value to this parameter, which the server processes to include the corresponding file. If proper validation is not implemented, this functionality can be exploited to access unintended files on the server. |
| 40 | + |
| 41 | +By manipulating the page parameter with directory traversal techniques, we can assess whether the application is vulnerable. This setup provides an excellent opportunity to test common LFI attack strategies while understanding the impact of such vulnerabilities on real-world systems. |
| 42 | + |
| 43 | +Looking at the source code of the page, we could see that it's possible to perform path traversal attack. |
| 44 | + |
| 45 | +{: width="1452" height="707"} |
| 46 | + |
| 47 | +We test the page parameter for LFI vulnerabilities by trying directory traversal payloads **(../../../../etc/passwd)**. When we submit the payload, it confirmed that the application is indeed vulnerable. |
| 48 | + |
| 49 | +{: width="1916" height="635"} |
| 50 | + |
| 51 | +## Retrieving root flag |
| 52 | + |
| 53 | +By changing our focus to the `/flag.txt` file located in the root directory, as specified in the task, we attempt to include it using the same LFI technique. After submitting the payload, we successfully retrieve the flag. |
| 54 | + |
| 55 | +``` |
| 56 | +<MACHINE_IP>/?page=../../../../../flag.txt |
| 57 | +``` |
| 58 | + |
| 59 | +{: width="1919" height="670"} |
| 60 | + |
| 61 | +## Answer |
| 62 | + |
| 63 | +<details> |
| 64 | + <summary style="cursor:pointer; padding:10px; border:1px solid #ccc; background-color:#f0f0f0; user-select: none;">Answer</summary> |
| 65 | + <div style="padding:10px; border:1px solid #ccc;"> |
| 66 | + <span onclick="navigator.clipboard.writeText('flag{e4478e0eab69bd642b8238765dcb7d18}')" style="cursor:pointer;">flag{e4478e0eab69bd642b8238765dcb7d18}</span> |
| 67 | + <i onclick="navigator.clipboard.writeText('flag{e4478e0eab69bd642b8238765dcb7d18}')" style="float:right; cursor:pointer; font-size:16px;">📄</i> |
| 68 | + </div> |
| 69 | +</details> |
| 70 | + |
0 commit comments