File Inclusion Automated Scanning

I need some help here. I was able to find the parameter. After that I tried the LFI-Jhaddix.txt wordlist but I was not able to find anything.

ffuf -ic -c -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://bla.htb:32219/index.php?parameter=FUZZ -fs 1935

I don’t know how to go further.

Hey, it looks like you are on the right track. You are changing the index.php?parameter= to the parameter name you found right?

Feel free to DM me.
-onthesauce

Hello, friends. I’m kind of stuck on this exercise too.
I kind of found an open parameter too.
But when I’m phasing the payload, according to the suggested list of words, I can’t find a single path.
And I already doubt that my parameter is correct.

Once you have found the parameter,
just use '../../../../../../../../../../../../../../../../../flag.txt' as the parameter value, no need to fuzz for parameter values in any of the wordlists, although you might get some hits for this wordlist LFI-LFISuite-pathtotest-huge.txt

Try this as some exercise, you won't need it to complete the challenge.


I’m using dirbuster with pathtotest.txt with (IP)(PORT)/index.php/page?=php://filter/read=convert.base64-encode/resource= and it’s still not working. Some help please.

I hope you have completed this module.
If not this might help.
Use ffuf to fuzz parameters (Hint use the filter fs 2309)
Again use ffuf to fuzz the payload in LFI-Jhaddix.txt file (Hint: again fs is your friend)

Completed. All I can say is there is a lot of ../
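The thread above boils down to fuzzing one include parameter with traversal sequences and php://filter wrappers and keeping the responses whose size differs from the default page (the -fs filter). The same signals are what a defender looks for in the web server's access log. The following Python script is an added example written for this page, not code from the thread or from Hack The Box; the log lines in SAMPLE_LOG are constructed, and the baseline size 1935 is simply reused from the ffuf command in the first post as the "normal page" length.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access log lines (not taken from the thread). The
# response-size column plays the role ffuf's -fs filter keys on: 1935 is the
# size of the default page, so a differing size is what a fuzzing run keeps.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?parameter=home HTTP/1.1" 200 1935
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?parameter=../../../../etc/passwd HTTP/1.1" 200 2309
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?parameter=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2309
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?parameter=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 4100
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?parameter=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1935
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?parameter=about HTTP/1.1" 200 1935
"""

# Common-log / combined-log request line: client, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# PHP stream wrappers that an include() would honour; php://filter is the one the thread uses.
WRAPPER_RE = re.compile(r'^(?:php|data|phar|expect|file)://', re.IGNORECASE)
SENSITIVE_RE = re.compile(r'/etc/passwd|/proc/self/|win\.ini', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e -> %2e -> .) is seen in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(raw_value):
    """Return the LFI indicator tags present in one decoded parameter value."""
    value = fully_decode(raw_value)
    tags = []
    if TRAVERSAL_RE.search(value):
        tags.append("traversal")
    if WRAPPER_RE.search(value):
        tags.append("stream_wrapper")
    if SENSITIVE_RE.search(value):
        tags.append("sensitive_path")
    return tags


def scan_log(log_text, baseline_size=None):
    """Walk access-log lines and report every query parameter carrying LFI indicators.

    baseline_size is the byte length of the normal page; a flagged request whose
    response size differs from it is the log-side analogue of a hit ffuf -fs keeps,
    i.e. the server most likely returned something other than the default page."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        size = int(m.group("size")) if m.group("size").isdigit() else None
        for pair in query.split("&"):
            name, _, raw_value = pair.partition("=")
            tags = classify_value(raw_value)
            if not tags:
                continue
            findings.append({
                "ip": m.group("ip"),
                "param": name,
                "value": fully_decode(raw_value),
                "tags": tags,
                "status": int(m.group("status")),
                "differs_from_baseline": baseline_size is not None and size != baseline_size,
            })
    # A burst of flagged requests from one client is the fingerprint of a wordlist run.
    per_source = Counter(f["ip"] for f in findings)
    return {"findings": findings, "per_source": per_source}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG, baseline_size=1935)
    for f in report["findings"]:
        verdict = "differs from baseline" if f["differs_from_baseline"] else "same size as baseline"
        print(f["ip"], f["param"], f["tags"], verdict, f["value"])
    print("flagged requests per source:", dict(report["per_source"]))
```

Two design points matter here. Decoding is done in a loop rather than once, because a single unquote leaves `%252e%252e%252f` as `%2e%2e%2f` and the traversal pattern would miss it, which is exactly how an encoding-based bypass slips past a one-pass filter. Second, a flagged request whose response is the same size as the default page is still reported but marked as such: on its own it says the probe was attempted, while a differing size is the signal that the include actually pulled in a different file and deserves an immediate look.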