Local file inclusion: double encoding
root-me challenge: Local File Inclusion - Double encoding: Find the validation password in the source files of the website.
The payload below was built using HackTricks (File inclusion: encoding), PayloadsAllTheThings (LFI / RFI using wrappers, Wrapper -> php://filter) and CyberChef for the double URL encoding:
page=pHp%253A%252F%252FFilTer%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dconf
Techniques
Counter moves
This page works through local file inclusion with double encoding. The counter moves reduce to server-side validation and least privilege. The defensive counterpart is in the blue notes on the application layer as a target.
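One way to apply the server-side validation named above, as an added example that is not part of the original page: the `page` parameter is percent-decoded until it stops changing, then rejected if it needed more than one decoding pass, names a stream wrapper, or contains path characters. The allowlist entries and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the only page names the application ever needs to include.
ALLOWED_PAGES = {"home", "cv", "contact"}
MAX_LAYERS = 5  # upper bound on decoding passes

SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)  # php:, file:, data: ...


def canonicalize(value, max_layers=MAX_LAYERS):
    """Percent-decode until the value stops changing; return (decoded, passes)."""
    passes = 0
    while passes < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def check_page_param(raw):
    """Validate `page` as received on the wire, before any framework decoding.

    Returns (allowed, findings). One decoding pass is normal URL encoding;
    more than one is treated as suspicious here.
    """
    decoded, passes = canonicalize(raw)
    findings = []
    if passes > 1:
        findings.append("multi-layer-encoding")
    if SCHEME.match(decoded):
        findings.append("stream-wrapper")
    if any(c in decoded for c in ("/", "\\", "..", "\x00")):
        findings.append("path-characters")
    # Deny by default: only an exact allowlist match with no findings passes.
    return (not findings and decoded in ALLOWED_PAGES), findings


if __name__ == "__main__":
    samples = [  # first value is the payload from this page, the rest are constructed
        "pHp%253A%252F%252FFilTer%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dconf",
        "home",
        "h%6Fme",
        "%2568ome",
    ]
    for s in samples:
        print(check_page_param(s), s)
```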