Academy Skills Assessment - LFI help

Hello. I am stuck on the File Inclusion / Directory Traversal academy module skills assessment. I have read all of the previous posts on this from a year ago, re read the entire module, and tried every combination of LFI/RCE on every extension with no luck. I’ve read the index.php source code but cannot find anything that looks like it would be vulnerable. I have gotten the error page to pop up, but i’m out of ideas. Any help would be GREATLY appreciated as this is day 3 of me being stuck on this question. Thanks in advance. :slight_smile:

In the index.php there is a comment. Have a look at it.

@Mandlebrodt, I second PayloadBunny’s idea. I read the source code about as well as you probably read it the first time through. I spent an extra few hours because I didn’t pay attention to the details. Go line by line if you have to haha!

I got the first part down, Thanks to @PayloadBunny 's help. Now im trying to figure out how to access the flag from the admin page. I was able to get the /etc/passwd to display as well as the nginx access.log, but I have yet to be able to see the flag in the /root directory

The task speaks of the Unix root directory / and you speak of the directory /root
Look at the space between the / and root in the task.

1 Like

I got it! Thank you again so much @PayloadBunny !! I hate getting tripped up on silly mistakes like that, but it’s all part of the process I suppose.