This lab contains a path traversal vulnerability in the display of product images. The application strips path traversal sequences from the user-supplied filename before using it. To solve the lab, retrieve the contents of the /etc/passwd file.
🔧 Lab Setup & Files
Files and Environment
Files: None
🔍 Initial Analysis
First Steps
The analysis was already done in the first lab (File path traversal, simple case), and the vulnerable parameter remains the same. In this challenge, the only difference is that, as stated in the description, the web application strips the path traversal sequences we insert. Let’s move on to the exploitation phase.
🔬 Vulnerability Analysis
Potential Attack Vectors
Path Traversal
🎯 Solution Path
Step-by-Step Guide
Initial setup
We just need to understand how the web application processes our input. Since it’s stripping ../, it’s likely performing a replacement on the payload we send. So, if we try ../../../etc/passwd, the filter reduces it to etc/passwd, which is looked up relative to the image directory, and instead of retrieving the passwd file we’ll get a Not Found error.
Let’s analyze how the backend code might handle this (I’ll use Python for simplicity). Suppose there’s a replace() function acting on the filename parameter:
filename = filename.replace("../", "")  # single, non-recursive pass over the user-supplied filename
In this case, the replace function will remove all occurrences of ../ from our payload, like this:
[Image: First Replace]
However, this function is quite easy to bypass. Let’s move on to the exploitation phase to see how!
Exploitation
We need to send a payload that, after the replace() function is applied, results in the final filename ../../../etc/passwd.
What happens if we send ....//....//....//etc/passwd?
[Image: Second Replace]
As we can see, each ../ gets removed, but the two dots before it and the slash after it then join to form a fresh ../ in the final filename, so ....// collapses to ../.
To give another example, imagine we have "flflagag".replace("flag", ""). When the replace() function finds "flag", it removes it, but since we originally had "fl____ag", removing "flag" causes "fl" and "ag" to merge back together, reconstructing "flag".
This is how we bypass the filter!
So, we simply need to send filename=....//....//....//etc/passwd as the request parameter:
Once done, we’ll successfully read the /etc/passwd file:
[Image: Passwd]
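To make the filter behaviour concrete, here is an added example (not the lab’s own code) that reproduces the single-pass replace() described above, shows why a recursive strip is better, and adds the defender’s fix: canonicalising the joined path and requiring it to stay under the image directory. IMAGE_ROOT and the sample filenames are constructed values, not taken from the lab.

```python
import posixpath
from typing import Optional

# Constructed value: the lab never reveals its real image directory.
IMAGE_ROOT = "/var/www/images"


def strip_once(filename: str) -> str:
    """Weak filter from the write-up: one non-recursive replace() of '../'.
    Removing the inner '../' from each '....//' leaves a fresh '../' behind."""
    return filename.replace("../", "")


def strip_recursive(filename: str) -> str:
    """Repeat the replace until nothing changes, so a removed token can no
    longer reassemble into '../' from its neighbours."""
    while "../" in filename:
        filename = filename.replace("../", "")
    return filename


def safe_resolve(root: str, filename: str) -> Optional[str]:
    """Defender's fix: join, normalise lexically, and refuse anything that
    resolves outside root (covers '..' segments and absolute filenames).
    Uses posixpath so the check is identical on every host; a deployment
    would use os.path.realpath to also follow symlinks."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def compare_filters(filename: str) -> dict:
    """Run the same payload through all three handlers for side-by-side review."""
    return {
        "strip_once": strip_once(filename),
        "strip_recursive": strip_recursive(filename),
        "safe_resolve_after_strip_once": safe_resolve(IMAGE_ROOT, strip_once(filename)),
    }


if __name__ == "__main__":
    for payload in ("39.jpg", "../../../etc/passwd", "....//....//....//etc/passwd"):
        print(payload, "->", compare_filters(payload))
```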
Solution Confirmation
[Image: Lab Solution]
🛠️ Exploitation Process
Technical Approach
The automatic exploit performs a GET request to the vulnerable URL, setting the parameter filename=....//....//....//etc/passwd. It then extracts the content of the /etc/passwd file from the response and displays it.