Then decode in tab. Step 8: Automate flag retrieval (Intruder + Grep) The flag is in /flag.txt . LFI can read it: ?file=/flag.txt
Use to read source code: ?file=php://filter/convert.base64-encode/resource=index.php burp suite practice exam walkthrough
Test for LFI: GET /admin/view?file=../../../../etc/passwd → returns file. Then decode in tab
This walkthrough assumes you’re attacking a deliberately vulnerable web application (like Juice Shop , DVWA , or a custom CTF) using Burp Suite Community/Pro. Target: http://vulnapp.xyz Goal: Find and exploit vulnerabilities to read the contents of /flag.txt on the server. burp suite practice exam walkthrough
