This lab contains a path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file.
🔧 Lab Setup & Files
Files and Environment
Files: None
🔍 Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
The first thing I did was inspect the page source:
Page Source
As the page source shows, and as the theory (Path Traversal) describes, several images are loaded with src="/image?filename=image.jpg". The path traversal will therefore most likely be in the filename parameter. Let’s move on to the exploitation phase.
🔬 Vulnerability Analysis
Potential Attack Vectors
Path Traversal
🎯 Solution Path
Step-by-Step Guide
Initial setup
By making a request like https://0ada005d03b4c71c801b7217004d0023.web-security-academy.net/image?filename=something, we will be able to read arbitrary files on the web server.
Exploitation
As also reported in the theory, in this case we attempt to read /etc/passwd. Remember that we can insert more ../ sequences than are actually needed to reach the root directory /, because .. at the root resolves to the root itself. So, trying with the following payload:
I was able to successfully read the /etc/passwd file even though it only required a minimum of three ../ to reach the root. Because of the <img> tag, the browser tries to render the response as an image, so the text is not shown on the page. To read it, we can open the developer tools, inspect the request in the Network section and, in the Response section, select UTF-8 format to correctly read the text of the /etc/passwd file.
Passwd
Alternatively, this can be done more directly via Burp Suite. By intercepting the request and forwarding it, we can view the history and read the response, or we can send the request to the Repeater (CTRL+R) and view the /etc/passwd file directly in the response window, as done in the Solution Confirmation section:
Solution Confirmation
Burp Lab Solution
🛠️ Exploitation Process
Technical Approach
The automatic exploit performs a GET request with the parameter filename=../../../etc/passwd and reads the passwd file through the Path Traversal vulnerability.
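The server-side cause and its fix, as an added example that is not part of the original write-up or the lab's own code. The image root /var/www/images and both function names are assumptions, chosen so that three ../ reach the root as in the parameter above; the hardened version also rejects absolute filenames, which goes slightly beyond the case shown here.

```python
import os

# Assumed image directory (not from the lab): three levels deep, so that
# three ../ sequences reach /, matching the write-up.
IMAGE_ROOT = "/var/www/images"


def naive_resolve(filename):
    """Vulnerable pattern: append the parameter to the base directory.

    normpath mimics what the filesystem does with ../ when the file is opened.
    """
    return os.path.normpath(os.path.join(IMAGE_ROOT, filename))


def safe_resolve(filename):
    """Return the canonical path if it stays inside IMAGE_ROOT, else None."""
    if "\x00" in filename:  # NUL bytes are never valid in a file name
        return None
    root = os.path.realpath(IMAGE_ROOT)
    # realpath collapses ../ and follows symlinks; join drops root when the
    # filename is absolute, which the containment check below also catches.
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath compares whole components, so /var/www/images2 does not
    # pass as "inside" /var/www/images the way a startswith() check would.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values: a legitimate name, the write-up's parameter,
    # and the same parameter with surplus ../ sequences.
    samples = ["image.jpg", "../../../etc/passwd", "../../../../../../etc/passwd"]
    for name in samples:
        print(f"{name!r:34} naive={naive_resolve(name)!r:16} safe={safe_resolve(name)!r}")
```

A handler built on safe_resolve should answer a None result with an error response instead of opening any file.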