Skills Assessment Walkthrough

HTB Academy Skills Assessment - File Inclusion

Complete walkthrough of the capstone challenge that combines multiple LFI techniques for RCE and flag extraction.

Challenge: "Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system."


Multi-Technique Exploitation Chain

Phase 1: Source Code Disclosure

# Step 1: Discover vulnerable parameter
http://TARGET_IP:PORT/index.php?page=about

# Step 2: PHP filter source disclosure
http://TARGET_IP:PORT/index.php?page=php://filter/convert.base64-encode/resource=index

# Step 3: Decode and analyze source
echo 'BASE64_OUTPUT' | base64 -d | grep -i admin
# Reveals: // echo '<li><a href="ilf_admin/index.php">Admin</a></li>';

Phase 2: Admin Panel Discovery

Phase 3: LFI Exploitation

Phase 4: Log Poisoning & RCE


Techniques Demonstrated

  1. PHP Filter Source Disclosure - Reading application source code

  2. Hidden Functionality Discovery - Finding commented admin panels

  3. Path Traversal & LFI - Basic file inclusion exploitation

  4. Web Server Identification - Testing different log locations

  5. Log Poisoning - User-Agent header injection

  6. Remote Code Execution - Command execution via poisoned logs
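The chain above leaves a distinctive trail in the web server's own access log, which is what a defender would watch for. As an added example that is not part of the HTB walkthrough, this Python script runs that detection logic (PHP wrappers in a parameter, traversal into log paths, and a PHP open tag arriving in the User-Agent) over constructed Apache combined-format log lines; the hosts, timestamps, included log path and the admin panel's parameter name are assumptions, not values from the lab.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines mimicking the request chain in
# this walkthrough (hosts, timestamps, parameter names and paths are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /ilf_admin/index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /ilf_admin/index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9100 "-" "<?php echo 1; ?>"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=contact HTTP/1.1" 200 600 "-" "curl/8.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators checked against every decoded query-parameter value.
PARAM_INDICATORS = {
    "php_wrapper": re.compile(r'^(?:php|data|expect|phar)://', re.I),  # php://filter, data:// etc.
    "traversal": re.compile(r'\.\.[/\\]'),                             # ../ or ..\ after decoding
    "log_path": re.compile(r'/var/log/|/proc/self/', re.I),           # typical include targets
}
# A PHP open tag has no business in a User-Agent header: the log-poisoning signature.
UA_PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)


def analyse_line(line):
    """Return {ip, target, findings} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    target = m.group("target")
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; decode again to catch %252e-style double encoding
            for label, pattern in PARAM_INDICATORS.items():
                if pattern.search(decoded):
                    findings.append(f"{label} in parameter '{name}'")
    if UA_PHP_TAG.search(m.group("ua")):
        findings.append("php_tag_in_user_agent")
    return {"ip": m.group("ip"), "target": target, "findings": findings}


def analyse_log(text):
    """Return only the parsed lines that carried at least one indicator."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r and r["findings"]]
```

Running `analyse_log(SAMPLE_LOG)` flags three of the five constructed lines; the first hit alone (a wrapper in `page=`) is enough to trigger an investigation before the poisoned log is ever included.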


Complete Attack Commands


Expected Flag Format

Flag: HTB{...} or similar format
Location: /flag_[random].txt in the root directory


Alternative Approaches

If primary method fails, try:

  1. SSH Log Poisoning - If SSH is available

  2. PHP Session Poisoning - If sessions are accessible

  3. Data Wrapper RCE - If allow_url_include=On

  4. Different Log Locations - Apache logs, mail logs, etc.


This walkthrough demonstrates the complete HTB Academy Skills Assessment solution, showcasing advanced file inclusion exploitation techniques.
