📌 Challenge Info

📖 Description

This lab asks us to reach the admin page and view it through a local file inclusion (LFI) vulnerability.

💡 Solution

  1. Let's begin by opening the URL.

  1. We can navigate between the files as we want, with no restrictions.
  2. A parameter named `files` appears in the URL; it returns the contents of a directory. For example, the folder sysadmin contains a file named index.html.

  1. Clicking on index.html adds another parameter, `f`, which reads the content of the file:
<http://challenge01.root-me.org/web-serveur/ch16/?files=reseau&f=index.html>
  1. All these folders and files are a waste of time, with nothing important in them, but there is an admin link on the right, so let's look at it.

  1. As we can see, it is protected and we don't have credentials, so let's go back to the home page.
  2. Since we are testing for an LFI vulnerability, let's try putting `../` in the `files` parameter.

  1. New files appear, so let's try to read the admin file with the `f` parameter.
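
A `../` in `files` gets out of the listed folder when the server joins the `files` and `f` values onto a base directory without checking where the result lands. The sketch below is an added example, not the challenge's code (which this page does not show), and puts that unchecked join next to a containment check that rejects it. The function names and the temporary directory layout, including `admin/index.php`, are constructed for the demonstration.

```python
import os
import tempfile

def resolve_naive(base, files, f=""):
    # Vulnerable pattern: request values are joined onto the base directory
    # and nothing checks where the final path ends up.
    return os.path.normpath(os.path.join(base, files, f))

def resolve_safe(base, files, f=""):
    # Canonicalise first (collapses ../ and follows symlinks), then require
    # the result to stay inside the browsable root.
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, files, f))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the browsable root")
    return target

def is_blocked(base, files, f=""):
    # True when the hardened resolver refuses the request.
    try:
        resolve_safe(base, files, f)
        return False
    except PermissionError:
        return True

def build_demo_tree():
    # Constructed layout: <top>/files is the browsable root and
    # <top>/admin sits beside it, outside that root.
    top = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(top, "files", "reseau"))
    os.makedirs(os.path.join(top, "admin"))
    open(os.path.join(top, "files", "reseau", "index.html"), "w").close()
    open(os.path.join(top, "admin", "index.php"), "w").close()
    return top

if __name__ == "__main__":
    top = build_demo_tree()
    base = os.path.join(top, "files")
    for files, f in [("reseau", "index.html"), ("../admin", "index.php")]:
        print(files, f, "->", resolve_naive(base, files, f),
              "| blocked by safe resolver:", is_blocked(base, files, f))
```

The check compares canonical paths rather than searching the input for `../`, so absolute paths and symlinks that point outside the root are refused as well.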