root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!

Lab: File path traversal, simple case


Our task is to retrieve the contents of the /etc/passwd file.

Navigate to the webpage

Right-click on an image and open it in a new tab. We’ll capture this request and send it over to Burp Repeater.

Replace 20.jpg with ../../../../../../etc/passwd. This should return the contents of the /etc/passwd file to us.

Nice

Checking the webpage, we have successfully solved the lab.


Lab: File path traversal, traversal sequences blocked with absolute path bypass


Our task is to read the contents of the /etc/passwd file, but defenses have been implemented against path traversal attacks. So we have to bypass them to read the file.

Navigate to the webpage

Right-click on an image, then click “open image in new tab”. Doing this, we’ll capture the request in Burp Suite and send it over to Burp Repeater.

Cool, now let’s replace 23.jpg with the path ../../../../../../etc/passwd

We get the “No such file” message. This is probably because of the defence mechanism that was set up.

To bypass this, we’ll use an absolute path from the filesystem root, so we’ll have the path /etc/passwd. Let’s try this path.

Checking the webpage, we have successfully solved this lab.


Lab: File path traversal, traversal sequences stripped non-recursively


Our task is to retrieve the /etc/passwd file

Navigate to the webpage

Right-click on an image and open it in a new tab. While we do that, we’ll capture the request using Burp Suite and send it over to Burp Repeater.

Replace 23.jpg with the file path /etc/passwd and let’s see what happens when we do that.

Oops, it didn’t work. This is because the application strips path traversal sequences from the user-supplied filename before using it.

To bypass this, we use nested traversal sequences, which collapse back into simple traversal sequences when the inner sequence is stripped. So we can try using the file path ....//....//....//etc/passwd

Checking the webpage, we have successfully completed this lab.


Lab: File path traversal, traversal sequences stripped with superfluous URL-decode


Our task is to read the content of the file /etc/passwd

Navigate to the webpage

Right-click on the image to open it in a new tab. While we do this, we’ll capture the request in Burp Suite and send it over to Burp Repeater.

Let’s replace 34.jpg with the file path ../../../etc/passwd

We get the “No such file” message. This is because the application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.

So what we can do is URL-encode the slashes in our file path twice (/ becomes %2f, and the % in that becomes %25), which gives us the file path ..%252f..%252f..%252fetc/passwd

Checking the webpage, we have successfully solved this lab.


Lab: File path traversal, validation of start of path


Our task is to view the content of the /etc/passwd file

Navigate to the webpage

Right-click on an image, then open it in a new tab. We’ll capture that request and send it over to Burp Repeater.

Cool. The application transmits the full file path via a request parameter and validates that the supplied path starts with the expected folder. So to solve this, we’ll include the required base folder followed by suitable traversal sequences.

This means we’ll have something like this: /var/www/images/../../../etc/passwd

Nice, we got the content of the /etc/passwd file

Checking the webpage, we have successfully solved this lab.


Lab: File path traversal, validation of file extension with null byte bypass


Our task is to read the /etc/passwd file

Navigate to the webpage

Right-click on an image and click on “open image in a new tab”. We’ll capture the request using Burp Suite and send it over to Burp Repeater.

We know that the application validates that the supplied filename ends with the expected file extension. What we can do is use a null byte to effectively terminate the file path before the required extension.

A null byte, often represented as '\0' in programming, is a character with a value of zero. It is used to terminate strings in C-style languages and can also be used in various contexts to denote the end of data or a delimiter.

So, we’ll have a file path like this ../../../etc/passwd%00.jpg.

Let’s replace 15.jpg with that file path.

Cool stuff, we are able to read the content of the /etc/passwd file.

Checking the webpage, we have successfully solved this lab.
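
Seen from the defending side, each lab's filter inspects the input before the application has finished transforming it. The following is an added example, not part of the original write-up or of the lab applications: it canonicalizes the final string and compares it to the base directory, using the six file paths from the labs above. The function names are hypothetical and /var/www/images is the folder named in the fifth lab.

```python
import os
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # image folder named in the fifth lab


def strip_once(name: str) -> str:
    """Weak filter modelled on the third lab: one non-recursive pass."""
    return name.replace("../", "")


def resolve_inside(base: str, name: str) -> Optional[str]:
    """Return the canonical path of `name` if it stays under `base`, else None.

    `name` must be the final string the file API will receive, i.e. after
    every decoding or stripping step the application performs.
    """
    if "\x00" in name:  # a NUL can truncate the path in native file APIs
        return None
    base_real = os.path.realpath(base)
    # join() drops the base when `name` is absolute, and realpath() collapses
    # ".." and symlinks, so the comparison is made on the path really opened.
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


# The six lab inputs, transformed the way each lab's application is described
# as handling them before the filesystem call (modelled here, not lab code).
FINAL_STRINGS = {
    "simple": "../../../../../../etc/passwd",
    "absolute": "/etc/passwd",
    "nested": strip_once("....//....//....//etc/passwd"),
    "double-encoded": unquote(unquote("..%252f..%252f..%252fetc/passwd")),
    "base-prefix": "/var/www/images/../../../etc/passwd",
    "null-byte": unquote("../../../etc/passwd%00.jpg"),
}


def check_all() -> dict:
    """Map each lab name to the resolver's verdict (None means rejected)."""
    return {lab: resolve_inside(BASE_DIR, s) for lab, s in FINAL_STRINGS.items()}


if __name__ == "__main__":
    for lab, verdict in check_all().items():
        print(f"{lab:15} -> {verdict}")
    print("20.jpg          ->", resolve_inside(BASE_DIR, "20.jpg"))
```

All six inputs are rejected, while a plain filename such as 20.jpg resolves to a path under the base directory.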

This marks the end of the Path Traversal labs😎
