Lo-Fi – CTF Writeup

Platform: TryHackMe
Link: https://tryhackme.com/room/lofi
Instructions:
Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!
Access this challenge by deploying both the vulnerable machine by pressing the green “Start Machine” button located within this task, and the TryHackMe AttackBox by pressing the “Start AttackBox” button located at the top-right of the page.
Navigate to the following URL using the AttackBox: http://MACHINE_IP and find the flag in the root of the filesystem.
Writeup
This CTF challenges us to find the flag at the root of the filesystem!
First, let's begin by opening up the webpage. We are greeted with the following:
Now, the first thing I did was notice the search button and wonder what would happen if I inputted something that was not in the Discography. Doing so, we find that the search bar selects the files by changing the URL to include a ?page= query parameter. For instance:
http://10.201.80.244/?page=vibe.php
It also seems that a request is made to a YouTube video to be embedded. However, this doesn’t work because the pages are private. So we get no music to listen to.
However, in the previous request, notice the .php file request. We potentially could use this to our advantage to obtain the file we need at the root!
Quickly, I attempted the following:
http://10.201.80.244/?page=/
only to get jump scared with the following response:
Okay, so that didn’t work. However, it does confirm to us that we can use the URL to potentially access files on the server; we just have to be a bit more crafty!
So, let's just do the following instead:
http://10.201.80.244/?page=../../../../../flag.txt
../ refers to the parent directory, the same way it does when used with change directory (cd). As a result, I just strung a bunch of those together and asked for flag.txt, and that worked!
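
Why the extra ../ segments are harmless to the request, and what a server-side check would need to refuse, shown as an added example (not the room's code, which the write-up never sees). The web root /var/www/html, the allowlist and all function names are assumptions made for illustration.

```python
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"      # assumption: the write-up never states the web root
ALLOWED_PAGES = {"vibe.php"}    # vibe.php is from the write-up; list every real page here


def naive_target(page: str) -> str:
    """Path opened if ?page= is joined onto the web root with no checks."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def stays_in_web_root(page: str) -> bool:
    """Containment check on the normalised path (lexical only; on a real
    server resolve symlinks with os.path.realpath before comparing)."""
    target = naive_target(page)
    return posixpath.commonpath([WEB_ROOT, target]) == WEB_ROOT


def safe_target(page: str) -> Optional[str]:
    """Return the file to include, or None when the request is refused."""
    if page not in ALLOWED_PAGES:       # allowlist first
        return None
    if not stays_in_web_root(page):     # containment as defence in depth
        return None
    return naive_target(page)


if __name__ == "__main__":
    # Constructed inputs: the three ?page= values that appear in the write-up.
    for page in ("vibe.php", "/", "../../../../../flag.txt"):
        print(f"{page!r:28} naive={naive_target(page)!r:26} safe={safe_target(page)!r}")
```

Any ../ beyond the depth of the web root is discarded at /, which is why the exact count did not matter, and ?page=/ resolves to the root directory itself rather than to a file.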