Overview

Machine Logo

Lo-Fi is an easy TryHackMe machine made by cmnatic. This machine hosts a website on port 80 (http). On this site, we exploit a vulnerable parameter in a PHP page to obtain LFI on the host machine, and we use this to read the flag.

Nmap Scan

I’ll run nmap against all open TCP ports with the default NSE scripts and service version detection; this finds ports 80 and 22.

💫 ~/thm/Lo-Fi/enumeration ➜ nmap -sCV -p 80,22 -v 10.10.228.244
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-13 00:25 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:25
Nmap scan report for 10.10.228.244
Host is up (0.18s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 84:a3:dc:a8:a4:21:a1:b0:e5:01:77:d8:a9:43:31:39 (RSA)
| 256 ee:db:67:aa:b9:3a:4b:fb:a9:ee:d6:fe:24:30:00:72 (ECDSA)
|_ 256 a6:f1:97:cf:d4:60:c5:fe:47:f5:da:2b:c3:e9:78:37 (ED25519)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Lo-Fi Music
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is open, and HTTP is served by Apache httpd 2.2.22 on Ubuntu.

Recon

80 - HTTP

Visiting the site, I am greeted with a website with pages for several genres of music.

Website

Trying the search bar, it just appends ?search= to the URL’s query string and has no real functionality. Instead, I’ll click on one of the pages:

Pages

This appends a new parameter to my URL:

New Parameter

A ?page= parameter like this is a classic candidate for either SSRF (Server Side Request Forgery) or LFI (Local File Inclusion). I’ll try LFI first, because the machine name Lo-Fi hints at LFI:

Hacker Detected...

Getting the flag

A filter blocks the direct LFI attempt, so I’ll try directory traversal instead:

LFI Success

Boom! That’s LFI. I’ll use it to read /flag.txt, which is usually where the flag lives on machines like this:

Flag Read
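As an added illustration (not the Lo-Fi site’s own code), here is the kind of include pattern that produces a ?page= LFI, next to an allowlisted rewrite that a defender would use instead. The denylist filter and the page names are assumptions; the box only reveals that some filter exists and that traversal gets past it.

```php
<?php
// Added example, not the Lo-Fi site's code. The filter and page names are
// hypothetical reconstructions of what a box like this might contain.

// --- Vulnerable pattern: a denylist in front of include(). Anything the
// denylist did not anticipate still reaches include(), and include() will
// happily resolve relative paths such as "../" on its own.
function render_page_vulnerable(string $page): void {
    if ($page !== '' && $page[0] === '/') {   // hypothetical: reject absolute paths only
        die('Hacker Detected...');
    }
    include $page;                            // user-controlled path => LFI
}

// --- Hardened pattern: the request selects a key, never a file path.
const PAGES = [                               // assumed page names
    'lofi'  => 'lofi.php',
    'jazz'  => 'jazz.php',
    'chill' => 'chill.php',
];

function resolve_page(string $page): ?string {
    if (!array_key_exists($page, PAGES)) {
        return null;                          // unknown key: refuse, never guess
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$page]);
    // Defence in depth: even a bad entry in PAGES cannot escape the base dir,
    // because realpath() collapses ".." before the prefix check runs.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_page_safe(string $page): void {
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

render_page_safe($_GET['page'] ?? 'lofi');
```

The allowlist is what actually closes the hole; the realpath() prefix check only guards against mistakes in the allowlist itself.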

Thoughts

Overall, this machine is a really good way to show beginners how to abuse LFI on a simple PHP site. I’d give it a 10/10: simple and straight to the point. You can read more about LFI here: https://www.invicti.com/learn/local-file-inclusion-lfi/