12 writeups tagged with LFI
Cacti LFI via CVE-2024-46987 reads configuration files and credentials. Sudo abuse on a custom binary escalates to root.
Hiking Trails web application on Ubuntu. Directory traversal and file inclusion vulnerabilities lead to credentials and shell.
SQLi on login page, LFI reveals PHP source. MSSQL xp_cmdshell for shell. Firefox DPAPI credential decryption leads to Domain Admin via ADCS.
LFI via lang parameter captures NTLM hash with Responder. Password spray, IIS WebDAV shell upload, RunasCs for lateral movement to Domain Admin.
LFI on Tomcat manager exposes credentials. WAR file deployed for RCE. ZIP password cracking, LXD container privilege escalation for root.
PHP RFI via language parameter loads SMB share for RCE. Lateral movement via credential in web config. CHM file drops reverse shell as Administrator.
Anonymous FTP reveals NVMS-1000 path traversal note. LFI reads credentials file, SSH pivoting to access NSClient++ for SYSTEM.
Site availability checker with .htaccess allowlist bypass. PHP phar deserialization for code execution, proc_open for shell, developer sudo suid binary.
DNS zone transfer reveals subdomains. SMB anonymous share leaks creds. LFI + PHP injection for RCE, Python lib hijack for root.
PHP LFI escalated to RCE via Apache log poisoning. SSH tunneling exposes an internal VNC session running as root.
Brute-force phpLiteAdmin + LFI via chained PHP injection. Port knocking unlocks SSH, chkrootkit path hijack for root.
Multiple valid paths: Elastix LFI to leak credentials, Webmin RCE, or Asterisk extension abuse. Great enumeration practice.
