Webverselabs Mirage Challenge LFI
Scenario:
NovaPan is a self-hosted hosting control panel founded in 2016 and bundled by a handful of European budget hosts, with licences starting at $9/month per server and somewhere around 30,000 active installs. The log-viewer feature was refactored two releases ago when a community contributor sent in a patch hardening the input handler, and the third-party auditors marked it ‘low risk’ after running their usual checklist against it. The contributor’s patch did exactly what its commit message said it did, and nothing more.
Solution:
Since we know this is an LFI challenge, my goal is to find an endpoint that takes a parameter, either in the URL or in the request body. Browsing the web app normally, we find the /logs/view endpoint, which takes a parameter in the URL.
The way I like to search for LFI is with FFUF using the Jhaddix wordlist from SecLists.
If we filter for 200 status pages, we get these two payloads that we can try.
Perfect, we are able to get the content of the passwd file:
Now we can use the same payload to read the flag, which is always in the root directory: /flag.txt.
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fflag.txt
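Why this payload slips past a filter that percent-decodes only once, and how the log viewer should have resolved the path instead. This is an added example, not code from the challenge or from NovaPan: the weak check is an assumption about the kind of single-decode filter the scenario hints at, and the log directory is a constructed value.

```python
import os
import urllib.parse

# Constructed base directory (assumption: the viewer serves files relative to a fixed log dir).
LOG_BASE = "/var/log/novapan"

def weak_is_safe(raw_param: str) -> bool:
    """Single-decode filter (illustrative assumption, not NovaPan's real handler).
    One unquote turns %252e%252e%252f into %2e%2e%2f, which contains no literal '../',
    so the double-encoded payload passes and is decoded again later by the framework."""
    decoded = urllib.parse.unquote(raw_param)
    return "../" not in decoded and "..\\" not in decoded

def canonical_decode(raw_param: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so nested encodings
    (%252e%252e%252f -> %2e%2e%2f -> ../) cannot hide a traversal sequence."""
    current = raw_param
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    # Still changing after max_rounds: refuse rather than guess.
    raise ValueError("excessive nested encoding")

def resolve_log_path(raw_param: str, base: str = LOG_BASE) -> str:
    """Hardened resolver: fully decode, join to the base directory, normalise,
    and refuse anything that escapes the base. Returns the absolute path to open."""
    decoded = canonical_decode(raw_param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = os.path.normpath(os.path.join(base, decoded))
    # commonpath guards against both '../' escapes and absolute paths.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes log directory")
    return candidate

def is_allowed(raw_param: str) -> bool:
    """Boolean wrapper around resolve_log_path for use in a request handler."""
    try:
        resolve_log_path(raw_param)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    payload = "%252e%252e%252f" * 10 + "flag.txt"   # the payload from this write-up
    print("weak filter accepts:", weak_is_safe(payload))
    print("hardened resolver accepts:", is_allowed(payload))
```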
That was it for this challenge :)