The very first Web hacking challenge

During this challenge, the user facing the following url:

The hint is asctually in the name of the challenge. To start with, try to fuzz the PHP files on the system. I also started, and noticed that the same error message is in the response:

” Warning: acquire(a.php): failed to open stream: No such file or directory in /var/www/html/index.phpWarning: require(a.php): failed to open stream: No such file or directory in /var/www/html/index.php “

This means, that in the code of the page file, there is a common vulnerability, called Local File Inclusion (LFI). The attacker can simply include any locally available file to the page function. To solve the challenge, we simply have to call the /etc/passwd file. In order to do this, we have to go upper with a few folder levels. This vulnerability is called Path Traversal. There are different methods for this, but the easiest is the “dotdotslash” method.

What is LFI?

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

Local File Inclusion is very similar to Remote File Inclusion (RFI). However, an attacker using LFI may only include local files (not remote files like in the case of RFI).

/source: Acunetix/

What is Path Traversal?

Properly controlling access to web content is crucial for running a secure web server. Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

/source: Acunetix/