Tags: web 

Rating:

We’re given a website with an LFI vulnerability in its page parameter. This was used to leak index.php, and then subsequently bypass a check in the local file inclusion for the hardcoded '/etc/passwd' with '/etc/./passwd'.

Original writeup (https://n00bsec.github.io/update/post/exploitation/reverse-engineering/2017/10/01/DefCampCTF.html).