Cannot change User-Agent header

I’ve been working on the LFI Skills Assessment - File Inclusion module, and I’ve been able to get everything to work except for one thing. No matter what I do, my User-Agent for a log poisoning attack just doesn’t seem to change.

I tried the -A flag with curl, I tried using BurpSuite to modify the HTTP request, and I even tried changing the default User-Agent in Firefox’s settings with “general.useragent.override”, but when I check the access log for the InLaneFreight website, it still shows the old User-Agent header

I’m really confused as to why it doesn’t seem to change, does someone know why this is happening?

(Also, thanks in advance to anyone who replies :])

1 Like

Did anybody assist you? I’m stuck at the exact same place!


Nah, it just started working for some reason, I’m still not exactly sure why.

It’s also been a while since I did that box, so I don’t remember what exactly got it to work, but I’ll try my best :].

From what I remember, the syntax that did work was using curl like this curl -H “User-Agent: user-Agent-Name-Here” (of course there was additional syntax for stuff other than the Agent Header, but I don’t know what it was I think?)

I also tried using just curl to access the website, because I wasn’t sure if the browser was interfering, so when it did work, I was doing everything from the command line.

Lastly, the payload suggested by Hack the Box didn’t work for me, so I used something like this instead: <?php system("yourCommandName 2>&1",$output); ?>

Btw, I don’t remember if the quotation marks breaks the command so you may have to experiment with that.

Also my command looked something like this: “cd …/…/…/…/…/…/; ls”

There was of course also a cat command after I knew where the file was/what the name was.

1 Like

Same thing happened to me. I could not get that flag yesterday. Today I went through the same steps and it worked! Weird, but glad to be done with this module!


1 Like