Lab Icon

Corporate Breach 2

Challenge Updated 21 Jun 2026 Solution (Pro)
Web Security PHP LFI Path Manipulation File Inclusion

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn XP!

1
Flags
50
XP
71%
Success Rate

Local File Inclusion (LFI) vulnerabilities with filter bypasses represent an intermediate-level web security challenge. While many developers are aware of basic LFI attacks using directory traversal sequences, they often implement incomplete protections that can be circumvented by attackers who understand the underlying file inclusion mechanisms. Learning to bypass these filters is essential for effective security testing.

Understanding PHP File Inclusion

PHP's include and require functions dynamically load and execute files at runtime. When the file path is constructed using user input, it creates a file inclusion vulnerability. Many PHP applications automatically append a file extension (like .php) to the included path, which developers mistakenly believe prevents attackers from reading arbitrary files. However, several techniques exist to work around automatic extension appending, depending on the PHP version and server configuration.

Common Filter Bypass Techniques

When developers implement basic protections against LFI, they often block specific patterns like "../" or ".php" in user input. However, these filters can frequently be bypassed through URL encoding (replacing characters with %xx sequences), double encoding, null byte injection (on older PHP versions), using alternative path separators, or exploiting the application's path normalization logic. Understanding the specific filter implementation is key to identifying the appropriate bypass technique.

Impact of LFI on Web Applications

Successful LFI exploitation can expose sensitive files including application source code, configuration files with database credentials, system files like /etc/passwd, web server configuration files like .htaccess and .htpasswd, and log files that may contain additional sensitive information. In some cases, LFI can be escalated to remote code execution through techniques like log poisoning, PHP filter chains, or including uploaded files. The severity of LFI makes it a high-priority finding in any web security assessment.

What You Will Learn

  • How PHP file inclusion mechanisms work internally
  • Filter bypass techniques for Local File Inclusion attacks
  • Path manipulation and encoding tricks for evading security filters
  • Reading sensitive server files through LFI vulnerabilities
  • Why input filtering alone is insufficient for preventing LFI

Prerequisites

Basic understanding of LFI PHP web application concepts URL encoding knowledge

Ready to hack this lab?

Create a free account and start practicing cybersecurity hands-on.

Start Hacking - It's Free
Start Your Challenge
~1-2 min setup
Dedicated server
Private instance
Standard power
New here? Here's what to do
1
Click "Start Lab" above You'll get your own private machine with an IP address
2
Explore the target Open the IP in your browser and look for vulnerabilities
3
Find and submit flags Flags are secret text strings hidden in the system - paste them below to score

Ready to hack this lab?

Create a free account to start your own dedicated server, submit flags, and earn XP on the leaderboard.

Start Hacking Free

Related Labs

Labs that share similar skills with this one

Include me
Include me
Easy 100 XP 916
PHP LFI
Hack the Login
Hack the Login
Very Easy 50 XP 5745
Authentication Bypass Broken Authentication Client-Side Security Web Security
Secrets in Source: View Source Code to Find the Flag
Secrets in Source: View Source Code to Find the Flag
Very Easy 50 XP 3688
View Source Code HTML Browser DevTools Information Disclosure
Secrets in Source 2: Bypass Security Through Obscurity
Secrets in Source 2: Bypass Security Through Obscurity
Very Easy 50 XP 1171
Client-Side Security Security Through Obscurity Browser DevTools View Source
13,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free