One post tagged with "Local File Inclusion (LFI)"

Local File Inclusion (LFI) is a web application vulnerability that allows an attacker to access and read sensitive files on the target system by manipulating URLs or input fields to point to local file paths instead of intended resources. This can reveal valuable information such as passwords, configuration files, or other sensitive data, potentially granting attackers unauthorized access.

HTB | Included | Write-Up

· 25 min read

Summary:

We test connectivity and scan the target, then enumerate its TFTP service and web page. We find an unauthenticated upload function on TFTP and a Local File Inclusion (LFI) vulnerability on the web page. We use these to upload a PHP reverse shell and gain low-level access via LFI.

With this foothold, we upgrade our access to user level using the acquired clear-text credentials. We then grab the user flag, enumerate further, and exploit privilege escalation opportunities to reach root-level access with the help of the lxdprivesc script. Finally, we obtain the root flag.

Machine Name: Included | Difficulty: Easy | OS: Linux