Skills Assessment - File Inclusion

Hello, I’ve been stuck on the final assessment for a few hours, but no matter what I try, I can’t get past the point where I’m at.
I’ve been searching for hints on the forum, but it appears the assessment got a remake or something, because the responses from other posts don’t appear to match what the current assessment in the Academy has.

So far, I’ve found the parameter for the LFI and looked at the source code of index.php to know how to prepare my LFI based on the filters/protections on the website.

So far it appears that if a “..” is found in the URL, you get redirected to an error page saying ‘Invalid input detected!’, and if not, a “.php” is automatically appended to the end of our string. The thing is, no matter what I do, I can’t bypass the “..” check that redirects you to the error page. I tried URL-encoding the dots and the slashes, I tried appending more dots, but nothing appears to work.

Any help please? I don’t know what else i can try.

Still don’t know what to do, was anyone able to complete this lab?

Hi boss, I have also been stuck here for a while. I will keep on going, but in case you have found something, please do share.

Alright, I got it. It looks like there was no remake of the machine. We are supposed to find the admin portal. I guess it’s just us that are a bit slower than everyone else :smiley: So, as you correctly pointed out, the page parameter on the index.php page gets filtered. First, it checks for ‘..’ in the payload and displays an error message if true. If not, it appends ‘.php’ to the payload.
Thus, we are not able to traverse any paths AND we can only access .php files. Since the version of PHP running on the target is 5.5+, we can’t use a null byte either. Therefore, we can only read .php files in the webroot. Luckily, we have a few at our disposal, the most important one being “index.php”.
In other words, we can read the source code of the index.php file. We can do so using a PHP wrapper with base64.
The source contains the key to the next step.

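As an added example (not code from the thread or from the Academy lab), the script below reproduces the filter the last post describes and places an allowlist-based resolver beside it, to show why a ‘..’ blacklist with an appended extension is not a sufficient control against local file inclusion. The function names, the page list and the temporary directory layout are assumptions; the inputs are constructed for the demo.

```php
<?php
// Added example, not the lab's code. Compares the filter described in the thread
// with an allowlist resolver. Names, paths and inputs are assumed/constructed.

// Behaviour described in the thread: reject any input containing '..',
// otherwise append '.php'. Returns the string that would reach include(), or null.
function legacy_resolve(string $page): ?string
{
    if (strpos($page, '..') !== false) {
        return null;                      // the "Invalid input detected!" branch
    }
    return $page . '.php';
}

// Hardened form: the parameter only selects a name from a fixed list and is never
// used as a path fragment, so neither traversal nor stream wrappers ever reach include().
function hardened_resolve(string $page, array $allowed, string $pagesDir): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;                      // unknown page name: reject (and log it)
    }
    $path = $pagesDir . DIRECTORY_SEPARATOR . $page . '.php';
    return is_file($path) ? $path : null;
}

// Constructed fixture so the script runs stand-alone: one real page in a temp dir.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'about.php', "<?php echo 'about';\n");

$allowed = ['index', 'about', 'contact'];   // assumed list of legitimate pages
$inputs  = [
    'about',                        // legitimate request: both resolvers accept it
    '../../etc/passwd',             // traversal: both resolvers reject it
    'php://filter/resource=index',  // stream wrapper: contains no '..', so the legacy check passes it
];

foreach ($inputs as $in) {
    printf("%-30s legacy=%-36s hardened=%s\n", $in,
        legacy_resolve($in) ?? 'REJECTED',
        hardened_resolve($in, $allowed, $pagesDir) ?? 'REJECTED');
}

unlink($pagesDir . DIRECTORY_SEPARATOR . 'about.php');
rmdir($pagesDir);
```

Run it with `php demo.php`. The point for a defender is in the third row: the legacy filter only looks for ‘..’, so a stream wrapper, which contains no dots at all, is handed to include() unchanged and the appended ‘.php’ simply becomes part of the wrapper's resource name. The allowlist version never builds a path from user input, so there is nothing to bypass, and every rejected value is a useful signal to log and alert on.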