| Lab/Room | TryHackMe - LFI vulnerability |
|---|---|
| Type | Challenge |
| Status | Done |
| Date | 25/01/2026 |
Want to hear some lo-fi beats, to relax or study to? We've got you covered!
Climb the filesystem to find the flag! The task is to find the weakness that gives access to the file system.
I will start with the basic checks to understand how the target works.
The initial Nmap scan does not reveal any unexpected information. A full TCP port scan confirms that the host is reachable and exposes only two services, which aligns with the expected attack surface at this stage.
No additional services or filtered ports are discovered, suggesting a minimal and fairly locked-down external exposure.
Directory enumeration using Gobuster does not provide any meaningful results. The scan completes successfully but only reveals the /server-status endpoint, which is forbidden (403) and therefore not directly exploitable.
At this point, enumeration does not uncover hidden directories or files that could immediately lead to further exploitation.
The web application appears to be a simple interface resembling a video platform, featuring a media library and a search bar. The search functionality accepts user input but does not return meaningful results, nor does it appear to be protected by input validation mechanisms.
Testing the search parameter manually shows that arbitrary input is reflected in the URL, for example:
<http://10.65.140.63/?search=pwd>
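Since the room is about LFI and the `search` parameter is the only user-controlled input found so far, it is worth looking at the problem from the defending side: how a request like the one above would be flagged in web server logs, and how a file lookup built on such a parameter would be hardened. The following is an added example written for this write-up, not code from TryHackMe or from the room's application; the log lines are constructed, the `/srv/media` base directory is assumed, and the application's real handling of `search` is unknown.

```python
"""Defender-side checks for a user-supplied file/search parameter.

Added example (not part of the TryHackMe room or the original write-up).
Assumptions: the application resolves the parameter against a media
directory, and access logs use the common Apache/nginx log format.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlparse

# Indicators typical of path-traversal / local-file-inclusion probes
# (constructed list; tune to the application and wrapper support).
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|\x00|/etc/passwd|php://|file://)", re.IGNORECASE
)

# Common log format: client ip, identity, user, [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (client addresses are documentation ranges).
LOG_LINES = [
    '203.0.113.5 - - [25/Jan/2026:10:00:01 +0000] "GET /?search=lofi HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Jan/2026:10:00:02 +0000] "GET /?search=../../../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [25/Jan/2026:10:00:03 +0000] "GET /?search=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str, param: str = "search") -> list[str]:
    """Return the decoded values of `param` that match a traversal indicator."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    hits = []
    for raw in query.get(param, []):
        decoded = decode_fully(raw)
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_value) for every request whose search
    parameter looks like a traversal probe; a blank-value or unparsable
    line is ignored."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        for value in suspicious_params("http://host" + match.group("path")):
            findings.append((match.group("ip"), value))
    return findings


def safe_resolve(base_dir: str, user_value: str):
    """Hardened lookup: resolve the user value under base_dir and refuse
    anything that escapes it. Returns the resolved Path or None."""
    decoded = decode_fully(user_value)
    if "\x00" in decoded:  # NUL bytes can truncate paths in lower layers
        return None
    base = Path(base_dir).resolve()
    # Joining an absolute user value would discard base, so resolve() must
    # be followed by a containment check, not just a join.
    candidate = (base / decoded).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        return None
    return candidate


if __name__ == "__main__":
    for ip, value in scan_log(LOG_LINES):
        print(f"traversal probe from {ip}: {value!r}")
    print(safe_resolve("/srv/media", "lofi.mp4"))
    print(safe_resolve("/srv/media", "../../etc/passwd"))
```

The log scan decodes each value until it stops changing, which is what catches the double-encoded third line; the same decoding is applied before the path check so that the detector and the file handler agree on what the value means.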
Several client-side injection vectors are tested: