# Technical Report

## <mark style="color:purple;">Technical Security Report: "Lofi" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This document provides a detailed technical assessment of the "Lofi" system. The objective is to describe, in a structured manner, the vulnerabilities identified and the methodologies used to exploit them. Additionally, this report offers actionable recommendations to mitigate security risks.

***

### <mark style="color:purple;">Methodology</mark>

The security evaluation was conducted using a structured approach, consisting of the following phases:

1. **Reconnaissance:** Identifying open ports and running services through automated scanning tools.
2. **Enumeration:** Exploring public directories and files to extract valuable information.
3. **Exploitation:** Utilizing known vulnerabilities to gain unauthorized access.
4. **Flag Extraction:** Accessing and retrieving sensitive data.

***

### <mark style="color:purple;">Detailed Findings</mark>

#### 1. Reconnaissance

Using nmap, an initial scan was conducted to identify open ports:

```bash
sudo nmap -sCV -F -T5 <target_ip>
```

**Results:**

* Port 22: SSH Service
* Port 80: HTTP Service

> **Impact:** These open ports indicate potential entry points for an attacker. Given that port 80 serves a web application, it was prioritized for analysis.

#### 2. Web Application Analysis

Accessing `http://<target_ip>` revealed a music streaming site. A manual inspection of the source code and `robots.txt` did not yield useful information.

Navigating through the "Discography" section, the URL structure changed to:

```url
http://<target_ip>/?page=relax.php
```

This indicated a potential **Local File Inclusion (LFI)** vulnerability: the `page` parameter carries a file name that the server appears to load directly.

#### 3. Exploiting LFI

By modifying the page parameter, it was possible to access system files:

Attempting to read `/etc/shadow`:

```
http://<target_ip>/?page=../../../../etc/shadow
```

**Result:** Empty response (processed, but no readable content)

Attempting to read `/etc/passwd`:

```
http://<target_ip>/?page=../../../../etc/passwd
```

**Result:** Successfully retrieved user account information.

**Interesting user found:** `games` (but SSH access was restricted due to missing keys).

#### 4. Flag Discovery

Attempts to access the `games` home directory failed. However, by directly requesting `flag.txt`, the flag was successfully retrieved:

```
http://<target_ip>/?page=../../../../flag.txt
```

***

### <mark style="color:purple;">Recommendations</mark>

#### Short-Term Actions

1. Implement strict input validation to prevent arbitrary file inclusion.
2. Restrict the use of `include()` and `require()` functions to prevent unauthorized file access.
3. Limit access permissions to sensitive files.
4. Deploy a Web Application Firewall to detect and block LFI attacks.
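
One way to implement short-term actions 1 and 2, as an added example rather than code from the Lofi application (its source is not shown in this report). It assumes the page is loaded with something like `include($_GET['page'])`; the function name `resolve_page`, the `ALLOWED_PAGES` list (only `relax.php` comes from the report) and the temporary directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Assumption: the app currently does something like
// include($_GET['page']); its real source is not shown in the report.

// Only relax.php appears in the report; the other names are constructed.
const ALLOWED_PAGES = ['relax.php', 'sleep.php', 'chill.php'];

// Map a ?page= value to a file inside $baseDir, or null if it must be refused.
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Allowlist: accept only exact, known page names (no path separators).
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (resolves ../ and symlinks) and
    //    confirm the result is still inside the page directory.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Demo with constructed data: a temp directory stands in for the page folder.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lofi_pages_' . getmypid();
mkdir($pages);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'relax.php', '<p>relax</p>');

$inputs = ['relax.php', '../../../../etc/passwd', '../../../../flag.txt', '/etc/passwd', 'sleep.php'];
foreach ($inputs as $in) {
    $path = resolve_page($in, $pages);
    // In the real handler: null => http_response_code(404); otherwise include $path;
    printf("%-26s => %s\n", $in, $path === null ? 'refused' : 'include ' . basename($path));
}

unlink($pages . DIRECTORY_SEPARATOR . 'relax.php');
rmdir($pages);
```

The traversal inputs fail the allowlist before any filesystem call is made, and `sleep.php` is refused because it is allowlisted but not present in the page directory. The `realpath` prefix check covers the case where an allowlisted name is later replaced by a symlink pointing outside that directory.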

#### Long-Term Actions

1. Conduct periodic security audits to identify and mitigate configuration issues.
2. Train personnel in secure development and cybersecurity best practices.
3. Deploy continuous monitoring systems to detect suspicious activity in real-time.

***

### <mark style="color:purple;">Conclusion</mark>

The Lofi machine provided an excellent exercise in identifying and exploiting **Local File Inclusion (LFI)** vulnerabilities. Key takeaways:

* LFI can be leveraged to read system files and access sensitive information.
* Path traversal techniques can bypass certain access restrictions.
* Security measures should be implemented to sanitize user input and prevent arbitrary file inclusion.

This challenge was engaging, featuring a well-structured vulnerability and an enjoyable music theme.
