🌐 Forbidden Paths

A detailed write-up of the Web challenge 'Forbidden Paths' from PicoCTF - 2022

/images/PicoGym/PicoCTF-2022/ForbiddenPaths/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
| --- | --- | --- |
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 0/10 |
| 👤 Author | LT ‘syreal’ Jones | Profile |
| 🎮 Solves | (At the time of flag submission) | 25.552 solve rate |
| 📅 Date | 13-02-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

Can you get the flag? We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2022/ForbiddenPaths/site_presentation.png
Site Presentation

The listing of the directory /usr/share/nginx/html is displayed, as the challenge description suggests, and given the title and context of the challenge, a Path Traversal immediately comes to mind. An application affected by this vulnerability lets an attacker read arbitrary files on the web server (here we are interested in reading flag.txt, whose location the challenge description gives). We are also told that the site filters absolute paths. A path is absolute when the location of an element is specified starting from the root (/) of the filesystem. Since flag.txt sits directly in the root directory, we cannot simply send /flag.txt as the payload, because the filter on absolute paths blocks it. Let’s move on to the exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • Path Traversal

🎯 Solution Path

Exploitation Steps

Initial setup

Once we understand that the filter does not let us access flag.txt directly, we need another way to reach it. When navigating the file system from a CLI (Command Line Interface), we can also use . and .., where a single dot refers to the current directory and the double dot refers to the parent directory (the directory that contains the current one).

Exploitation

Once this is understood, to get back to the root directory / and read the flag.txt file, since we are currently in the /usr/share/nginx/html directory, we need to go up exactly 3 directories. This is because:

  • With the first ../ we will reach /usr/share/nginx,
  • With the second, we will reach /usr/share,
  • With the third, we will reach /.

So, by specifying the path ../../.., we reach the root directory / and can access the flag.txt file. To summarize, the payload to send is ../../../flag.txt, which bypasses the absolute-path filter and returns the file content, with the flag inside.
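The traversal above works because the filter looks only at the start of the path. The following Python is an added example, not code from the write-up or from the challenge itself: it models the challenge's filter as "reject anything starting with /" (an assumption, since the source of read.php is not shown), shows how a server that naively joins the user-supplied path onto the web root resolves ../ components, and places a hardened check beside it that normalises first and then requires the result to stay inside the web root. It also goes slightly beyond the write-up by showing that overshooting the root with extra ../ is harmless to the attacker, because posixpath.normpath clamps .. at /.

```python
import posixpath

# Web root as given in the challenge description.
WEB_ROOT = "/usr/share/nginx/html"


def absolute_path_filter_allows(user_path: str) -> bool:
    """Assumed model of the challenge's filter: only absolute paths
    (those starting with '/') are rejected; everything else passes.
    The real read.php is not on the page, so this is an assumption."""
    return not user_path.startswith("/")


def naive_resolve(user_path: str, base: str = WEB_ROOT) -> str:
    """Where a server that simply joins the user path onto `base` ends up
    reading. normpath collapses '.' and '..' components, and '..' applied
    at '/' stays at '/', so sending too many '../' never causes an error."""
    return posixpath.normpath(posixpath.join(base, user_path))


def escapes_web_root(user_path: str, base: str = WEB_ROOT) -> bool:
    """True when the resolved path lies outside `base`."""
    resolved = naive_resolve(user_path, base)
    return not (resolved == base or resolved.startswith(base + "/"))


def safe_resolve(user_path: str, base: str = WEB_ROOT):
    """Hardened check: reject absolute input, then normalise and require the
    result to remain under `base`. Returns the resolved path, or None when
    the request is rejected. The leading-slash test alone is not the gate."""
    if user_path.startswith("/") or escapes_web_root(user_path, base):
        return None
    return naive_resolve(user_path, base)


if __name__ == "__main__":
    for candidate in ("/flag.txt", "../../../flag.txt", "index.html"):
        print(
            f"{candidate!r}: weak filter allows={absolute_path_filter_allows(candidate)}, "
            f"naive join reads {naive_resolve(candidate)}, "
            f"hardened check returns {safe_resolve(candidate)}"
        )
```

The hardened version keeps the absolute-path rejection but no longer relies on it: any input whose normalised form leaves the web root is refused, whichever mix of ./, ../ or redundant slashes it uses.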

Flag capture

/images/PicoGym/PicoCTF-2022/ForbiddenPaths/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automated exploit simply sends a POST request to /read.php with ../../../flag.txt as the path, exploiting the Path Traversal vulnerability, and then extracts the flag from the response with a regex.
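Because the payload travels in a POST body, nginx's default access log never records it, so detecting this class of request depends on the application logging the file parameter itself. The Python below is an added defensive example, not part of the write-up: it scans a constructed application-level log (the line format and the filename parameter name are assumptions) and flags values that are absolute or contain a .. component, and it generalises beyond the page's plain payload by percent-decoding repeatedly so URL-encoded and double-encoded variants are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample of application-level log lines (not real server logs):
# "<client> <method> <path> <parameter>=<value>". The filename parameter
# is assumed to be what read.php receives in the POST body.
SAMPLE_LOG = """\
10.0.0.5 POST /read.php filename=index.html
10.0.0.5 POST /read.php filename=../../../flag.txt
10.0.0.9 POST /read.php filename=..%2F..%2F..%2Fflag.txt
10.0.0.9 POST /read.php filename=%252e%252e%252fflag.txt
10.0.0.7 GET /index.html -
10.0.0.7 POST /read.php filename=/flag.txt
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<param>\S+)$")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '%252e%252e%252f'
    is reduced to '../' just like the plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_value(value: str) -> bool:
    """Flag values that are absolute or contain a '..' path component,
    treating backslashes as separators as well."""
    decoded = decode_fully(value).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(part == ".." for part in decoded.split("/"))


def flag_traversal_attempts(log_text: str) -> list:
    """Return (client, raw_value) for every line whose parameter value looks
    like a traversal or absolute-path attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "=" not in m.group("param"):
            continue
        _, value = m.group("param").split("=", 1)
        if is_traversal_value(value):
            hits.append((m.group("client"), value))
    return hits


if __name__ == "__main__":
    for client, value in flag_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {value!r}")
```

Decoding is bounded rather than looped until stable so that a deliberately long chain of encodings cannot turn the detector into a CPU sink; three rounds already covers single and double encoding.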

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2022/ForbiddenPaths/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
| --- | --- |
| Python | Exploit |

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
| --- | --- | --- |
| Time to Solve | 00:00 | From start to flag |
| Global Ranking | (At the time of flag submission) | Challenge ranking |
| Points Earned | | Team contribution |

Created: 13-02-2025 • Last Modified: 13-02-2025 • Author: mH4ck3r0n3 • Team: