Casino LFI - Dangerous File Inclusion on Casino Server

In this lab, you will analyze the website of a fictional casino called Casino Royale, whose implementation shows unusual behavior in how it handles internal files. It is suspected to be vulnerable to Local File Inclusion (LFI).

Your mission is to identify how the site interacts with its resources and assess whether its structure can be exploited to access sensitive information from the server.

🌱 How to Start This Lab

Follow these instructions to get started:

1. Download the virtual machine from this link:

1  https://storage.googleapis.com/cybersecurity-machines/casino-lab.ova

1. Import the machine into your preferred virtualization software (VirtualBox, VMware, etc.).
2. Start the VM and begin the challenge.

Recommended Tools

You may consider using the following tools during your investigation:

• Nmap, Netdiscover – for network and service discovery
• Burp Suite, cURL – to intercept and manipulate web parameters
• Web browser, Developer Tools – for manual inspection of the site's behavior
• CyberChef, cat, less – to examine content extracted from the server

Remember: not every included file was meant to be seen.

Happy hacking!