Lo-Fi (Easy) TryHackMe Writeup

In the name of Allah, the Most Gracious, the Most Merciful.
Hello everyone, this is a quick and easy writeup for the Lo-Fi room on TryHackMe. Let’s get started.
Link for the room:
https://tryhackme.com/r/room/lofi
1) IP → Hosts File
First, we add the IP address to the hosts file at /etc/hosts with the following command:
*Note*: this is not necessary unless you're having errors or trouble connecting to the site.
echo "<ip of machine> lofi.thm" | sudo tee -a /etc/hosts
Or you can do it manually by opening the hosts file in a text editor and adding the IP first, followed by a tab, then the name for the site.
2) Nmap Scan
I did a simple nmap scan to see what’s running on the machine.
We have 2 ports open: SSH on 22/tcp and HTTP on 80/tcp.

Let’s check the HTTP website and see what’s going on there.

We have a website that’s clearly vulnerable to LFI (Local File Inclusion) attacks. Improper handling of user input creates a point of exploitation when the input is not sanitized. If you click on one of the options available in the Discography, the URL changes and displays a possibly vulnerable parameter, in our case ?page=<pagename.php>. We also have ?search when we search for something, but I didn’t bother trying with that.
3) LFI Exploitation
Now let’s see whether we can read some files through this parameter, the most common one being, of course, the /etc/passwd file.

As you can see, we got a message/hint after playing with the parameter. This is a sign that we are on the right path, but it still didn’t work. Let’s try a more common technique, such as inserting ../../../etc/passwd. This is called a directory traversal attack; you can research it for more information.

Bingo! We have read the file. This is what’s in the file:

We can see the user root, let’s try common inputs to find the flag such as:
../../../root.txt
../../../root/root.txt
../../../flag.txt

Easy peasy! This was a very easy room demonstrating LFI and directory traversal attacks. Thank you and happy hacking!
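
From the defender's side, the requests made in section 3 leave a clear trace in the web server's access log. The following is an added example, not code from the room or its author: a small Python detector that flags absolute paths and parent-directory segments in the page parameter. The log lines, client IPs, status codes and the relax.php page name are constructed for illustration, and the combined log format is an assumption. It goes slightly beyond the writeup by also normalizing percent-encoded input before checking.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the room.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /?page=relax.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /?page=/etc/passwd HTTP/1.1" 200 3310 "-" "curl/8.5.0"
10.0.0.9 - - [01/Jan/2025:10:00:15 +0000] "GET /?page=../../../etc/passwd HTTP/1.1" 200 5210 "-" "curl/8.5.0"
10.0.0.9 - - [01/Jan/2025:10:00:21 +0000] "GET /?page=..%2F..%2F..%2Fflag.txt HTTP/1.1" 200 3350 "-" "curl/8.5.0"
10.0.0.7 - - [01/Jan/2025:10:01:02 +0000] "GET /?search=lo..fi HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so nested encoding is normalized before checks."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(value):
    """Return a reason if the value looks like file-path abuse, else None."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if ".." in v.split("/"):  # a whole path segment equal to "..", not "lo..fi"
        return "parent-directory segment"
    if v.startswith("/"):
        return "absolute path"
    return None

def find_lfi_attempts(log_text, param="page"):
    """Return (client_ip, status, decoded_value, reason) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == param and (reason := classify(value)):
                hits.append((ip, int(status), fully_decode(value), reason))
    return hits

if __name__ == "__main__":
    print(*find_lfi_attempts(SAMPLE_LOG), sep="\n")
```

A 200 response whose size differs from the normal page, as in the constructed third line, is the signal worth alerting on, since it suggests the file was actually returned.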