HTB – Imagery

Machine: Imagery
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Web exploitation, stored XSS leading to admin session hijacking, LFI via log viewer, full source code review, command injection in image processing, credential extraction from encrypted backups, and privilege escalation through misconfigured cron functionality

Introduction

Imagery is a Linux machine from Hack The Box that heavily focuses on web application analysis and source code review. The attack path requires chaining multiple vulnerabilities, including stored XSS, local file inclusion, command injection, and misconfigured scheduled tasks, making it an excellent machine to practice real-world web exploitation methodology. ...

December 27, 2025 · 7 min

HTB – Previous

Machine: Previous
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Next.js middleware auth bypass, LFI with secret leakage, credential extraction, and privilege escalation via Terraform plugin hijacking

Executive Summary

Previous is a Linux machine that exposes real-world vulnerabilities in modern web applications. The attack chain includes:

- Next.js middleware authorization bypass (CVE-2025-29927)
- Local File Inclusion (LFI) through an insecure download endpoint
- Information disclosure and credential leakage
- Privilege escalation via Terraform provider hijacking

This write-up walks through each issue and shows practical exploitation techniques. ...

January 8, 2026 · 5 min

Local File Inclusion LFI

Introduction to LFI

Local File Inclusion (LFI) happens when a web app loads a file based on user input without strict validation. This usually appears in template engines and dynamic page loaders that read content based on a parameter like ?language=es. If the path is not restricted, an attacker can read arbitrary local files such as /etc/passwd, and in some cases LFI can lead to remote code execution.

Modern apps often use parameters to reduce duplicate templates and keep routing simple. That pattern becomes dangerous when the parameter controls the file path directly. Testing starts by identifying the parameter and then trying known local files. ...

January 8, 2026 · 7 min