🌐 File path traversal, validation of start of path

Detailed analysis of the lab 'File path traversal, validation of start of path' from the PortSwigger Academy Path traversal series

mH4ck3r0n3 Learning/Web Exploitation/Vulnerabilities Labs

02/04/2025 509 words 3 minutes

Contents

📊 Lab Overview

Field Details Additional Info

🏢 Lab Series Path Traversal Lab URL

🗂️ Category Web 🌐

🆔 Lab ID 5 Unique Identifier

⭐ Difficulty 🟡 Practitioner PortSwigger Rating

👤 Author Unknown Credits if available

💡 Hints Used No Assistance utilized

📅 Date 01-04-2025 Date of execution

👨‍💻 Solved By mH4ck3r0n3 User who solved the lab

Field	Details	Additional Info
🏢 Lab Series	Path Traversal	Lab URL
🗂️ Category	Web	🌐
🆔 Lab ID	5	Unique Identifier
⭐ Difficulty	🟡 Practitioner	PortSwigger Rating
👤 Author	Unknown	Credits if available
💡 Hints Used	No	Assistance utilized
📅 Date	01-04-2025	Date of execution
👨‍💻 Solved By	mH4ck3r0n3	User who solved the lab

📝 Lab Information

This lab contains a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder. To solve the lab, retrieve the contents of the /etc/passwd file.

🔧 Lab Setup & Files

Files and Environment

1

Files: None

🔍 Initial Analysis

First Steps

This is the fifth and second-to-last lab in the Path Traversal series.
For a more in-depth explanation, refer to the first lab (File path traversal, simple case).

In this case, the vulnerable parameter remains the same, but the difference is that the path traversal sequence starts from the absolute path of the resource, as we can see in the page source:

Page Source

Let’s move on to the next phase to analyze this in more detail.

🔬 Vulnerability Analysis

Potential Attack Vectors

Path Traversal

🎯 Solution Path

Step-by-Step Guide

Initial setup

As we saw from the page source, the filename parameter accesses the resource from its absolute path. In this case, we have:
/var/www/images/risorsa.jpg.

We know that the var directory is located under the root directory / in a Linux filesystem.
Therefore, we need to traverse up three directories to reach /etc/passwd.

The only filter applied here is that the path must start with /var/www/images.

Let’s move on to the exploitation phase.

Exploitation

Since we have a constraint on the initial path, we can use the dot-dot-slash (../) sequence to traverse up to the root directory and then access the passwd file.

We can achieve this by sending the following parameter:
1
filename=/var/www/images/../../../etc/passwd
The first ../ moves up to the www directory.

The second ../ moves up to the var directory.

The third ../ moves up to the root / directory.

From there, we know that etc is directly under the root, so we append /etc/passwd.

By doing this, we can successfully read the flag:

Passwd

As with the other labs, this can also be done using BurpSuite.

Solution Confirmation

Lab Solution

🛠️ Exploitation Process

Technical Approach

The automatic exploit performs a simple GET request with the parameter:
1
filename=/var/www/images/../../../etc/passwd
It then extracts the contents of the passwd file.

Exploit

🚩 Lab Outcome

1

Lab solved successfully!

Proof of Execution

Proof Of Exploit

Screenshot or log showing successful exploitation

🔧 Tools & Resources

Primary Arsenal

Tool Purpose

Python Exploit

Burp Suite Traffic analysis and manipulation

Tool	Purpose
Python	Exploit
Burp Suite	Traffic analysis and manipulation

💡 Key Learnings

Personal Improvements

Web Exploitation

📚 References & Resources

Official Documentation

PortSwigger Labs

Tool Documentation

Learning Resources

Path Traversal

📊 Final Statistics

Metric	Value	Notes
Time to Solve	00:02	Total time taken
Lab ID	5	Lab Identifier

Created: 01-04-2025 • Last Modified: 01-04-2025
Author: mH4ck3r0n3