LFI Directory Traversal Final Assessment Academy

I am stuck on the final assessment. I am able to get /etc/passwd and the log file to show up from the LFI vulnerability. I tried every technique in the LFI academy course and nothing is working, including putting in a php RCE code in the log file which does not execute. Can anyone here give me a slight nudge? thanks!

1 Like

just figured it out. hint is “user agent”

I tried to poison the user agent tag with some php RCE code but it did not work. Is there another trick I am missing?

am able to read etc/passwd file but not able to get flag file any help???

please can anyone help me on the final assessment please what i have tried so far:
-i have fuzz for parameter using ffuf and saw that one working param is the page param
-i have tried fuzzing with the LFIjhadix.txt file in order to spot a path traversal i can use but no success
-i have look for cve concerning php v7 and nginx without success
-i have gone through the source code but no hint

I have meeted this problem also. page=…/… saw invalid input detected. please help me. Thanks!

Hi there how you doing.
Sorry for the late reply are you still blocked ??

completed, thanks