Local File Inclusion
A page that includes a file by user-controlled name is a window into the whole host. Drill turning that read into proof — and toward code execution.
Confirm the parameter loads a server file, then traverse to a known target such as /etc/passwd. Adjust depth and encoding until the path resolves.
Where PHP is in play, read application source via the base64 filter wrapper, then look for a log or session sink to escalate the read primitive toward execution.
How the attack works
- Confirm the include parameter reads a server-side file.
?page=/etc/passwd - If it prepends a directory, traverse upward until the path resolves.
?page=../../../../etc/passwd - Read PHP source instead of executing it with the base64 filter wrapper.
?page=php://filter/convert.base64-encode/resource=index - Look for a poisonable sink (access log, session file) to turn the read into RCE.
?page=/var/log/apache2/access.log
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
What you'll practice
Sourced from
Local File Inclusion
A page that includes a file by user-controlled name is a window into the whole host. Drill turning that read into proof — and toward code execution.
Recover the flag at /root/flag.txt and submit it.
Drill this now
Spin up a live isolated target and start practicing in seconds — free.