File Inclusion/Automated Scanning[questions]

Good afternoon.
I want to share my experience of passing this room.
One of the most incomprehensible tasks in my opinion.
I had to spend a lot of time looking for a solution, which turned out to be not so much complicated as confusing.
Due to the fact that I am not a native English speaker and I have to use a translator, the meaning and essence of the question are very often lost. And in order to understand what you need, you have to try a large number of ways and methods.
When you make the request ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?FUZZ=value' -fs 2287
you get a lot of directory names. They are all Size: 2309, but one is different from them. Find it!
Once you've found it, don't waste your time. I tried many tricks and methods of attack, up to the use of Metasploit and an exploit for Apache.
Once you have the directory name and -fs "its size", you can find an example at this link and use "Find its name in this list": File Inclusion/Path traversal - HackTricks.

You can run a search with sudo ffuf -w ./LFI-Jhaddix.txt:FUZZ -u 'http://ip-server/index.php?xxxx=/../../../FUZZ' -fs "found size"
In this way, you will find examples of requests that you need to enter into your browser. Don't look for the flag right away! It's practically meaningless until you understand what it takes.
Try getting passwd output first and make sure the query and directory traversal work!
Only then will you be able to easily find the flag.
Don’t use
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?language=FUZZ' -fs 2287
It's pointless. You will receive a large amount of incomprehensible information; as a result, I did not understand the meaning of this request. It gives only a general picture, and I did not find my -fs in this big list.
This meaningless output does nothing but take time.
I also did not find even an approximately close request that could be used. It's one thing when you already know what it looks like, another thing when you look at a long list of queries and try to apply them at random!
That's bullshit.
curl http://<SERVER_IP>:/index.php?language=../../../../etc/apache2/apache2.conf
as well as
curl http://<SERVER_IP>:/index.php?language=../../../../etc/apache2/envvars
It also took a lot of time, and I did not fully understand why they are needed in the task.
Perhaps the problem is with the translator, but in any case, in my practice, I find that my time is precious, and if I can minimize costs and make everything faster and easier, then it's better to do so. The main thing is the result at the lowest possible cost. I value my time, and it seems to me that it is better to use it to improve your skills.
Good luck.
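Added example (not from the post above): the probing described in this thread leaves a recognisable trail in the web server's access log. The script below flags requests whose query values carry a traversal payload, including URL-encoded and double-encoded ones, and clients that cycle through many distinct parameter names against one path, which is what a parameter-discovery wordlist run looks like from the server side. The log lines are constructed.

```python
"""Defender-side view of LFI probing: traversal payloads in query strings and
clients cycling through many parameter names (wordlist-driven discovery).
Added example; the access-log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log prefix: client, identd, user, [timestamp], "request line", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)')
# Traversal markers plus the files the post uses to confirm that inclusion works
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|/etc/passwd|/etc/apache2/|php://', re.I)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=value HTTP/1.1" 200 2309
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=value HTTP/1.1" 200 2309
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=value HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 3142
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 3142
"""

def parse(line):
    """Split one log line into fields plus its decoded (name, value) query pairs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True)
    return rec

def traversal_hits(log):
    """(ip, parameter, decoded value) for every request carrying a traversal payload.
    parse_qsl decodes one layer; the extra unquote catches double-encoded %252F."""
    hits = []
    for rec in filter(None, map(parse, log.splitlines())):
        for name, value in rec["params"]:
            decoded = unquote(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append((rec["ip"], name, decoded))
    return hits

def fuzzing_clients(log, threshold=3):
    """Clients that tried at least `threshold` distinct parameter names on one path,
    the signature of a burp-parameter-names style scan rather than a real user."""
    names_by_client = defaultdict(set)
    for rec in filter(None, map(parse, log.splitlines())):
        key = (rec["ip"], urlsplit(rec["path"]).path)
        names_by_client[key].update(name for name, _ in rec["params"])
    return {ip for (ip, _), names in names_by_client.items() if len(names) >= threshold}
```

Note that the response size the post keys on (2287 versus 2309) is also in the log, so the same records let you check whether a flagged request came back with a different body size than the normal page.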