Test LFI and Path Traversal
reconchecklist
Summary
Look for users and try .ssh under /home/<USER>/.ssh/
Walkthrough
If LFI is suspected, traverse paths to read sensitive files such as SSH keys or /etc/passwd. A hit is file contents returned in the response instead of the normal page—enumerate usernames from /etc/passwd and target /home/<USER>/.ssh/.
Commands
bash
curl 'http://<IP>/page=../../../../home/<USER>/.ssh/id_rsa'