Detailed analysis of the lab 'File path traversal, traversal sequences blocked with absolute path bypass' from the PortSwigger Academy Path Traversal series
This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. To solve the lab, retrieve the contents of the /etc/passwd file.
🔧 Lab Setup & Files
Files and Environment
Files: None
🔍 Initial Analysis
First Steps
The analysis was already done for the previous lab, File path traversal, simple case, so take that as the reference: this lab involves the same vulnerable parameter. The only difference from the previous challenge is a filter on the filename parameter that blocks the ../ sequence.
🔬 Vulnerability Analysis
Potential Attack Vectors
Path Traversal
🎯 Solution Path
Step-by-Step Guide
Exploitation
We are told that the supplied filename is treated as relative to a default working directory. Therefore, we simply need to pass the absolute path of passwd and not a relative one. That is, since we know the file sits under the root directory /, we pass /etc/passwd directly, forming the final payload: https://0a2a003f047ff99480c9bd2800fa0044.web-security-academy.net/image?filename=/etc/passwd. By visiting the page and viewing the response in the WebDevTools:
Passwd
We can see that instead of an image, we are served the /etc/passwd file. Alternatively, the same request can be sent with Burp:
Solution Confirmation
BurpSuite Lab Solution
🛠️ Exploitation Process
Technical Approach
The automatic exploit makes a GET request with the parameter filename=/etc/passwd and prints the response text.
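Why the ../ filter is not enough, shown as an added example that is not code from the lab or from the original write-up: a blocklist followed by a path join lets an absolute filename replace the base directory, while a containment check on the canonical path rejects it. BASE_DIR and both function names are assumptions, since the lab does not disclose its backend.

```python
import os

# Assumed image root; the lab's real directory layout is not disclosed.
BASE_DIR = "/var/www/images"


def resolve_blocklist(filename):
    """Weak pattern described in the lab: reject '../', then join to the base."""
    if "../" in filename:
        raise ValueError("traversal sequence blocked")
    # os.path.join discards BASE_DIR entirely when filename is absolute,
    # so the blocklist never sees anything suspicious in "/etc/passwd".
    return os.path.join(BASE_DIR, filename)


def resolve_contained(filename):
    """Hardened form: canonicalise first, then require the result under the base."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath compares whole path components, so a sibling such as
    # /var/www/images-old does not pass as a prefix match would allow.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes image directory")
    return candidate


def outcome(resolver, filename):
    """Return the resolved path, or the rejection reason as a string."""
    try:
        return resolver(filename)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: a normal image name, the blocked relative
    # form, and the absolute form used in this lab.
    for name in ("21.jpg", "../../../etc/passwd", "/etc/passwd"):
        print(name)
        print("  blocklist :", outcome(resolve_blocklist, name))
        print("  contained :", outcome(resolve_contained, name))
```

The containment check decides on the resolved path, so it holds regardless of how the escape is spelled in the request.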