Path Traversal: A PortSwigger 101 Walkthrough

Sarmad Khursheed
8 min read · Feb 18, 2024

Path/Directory Traversal

Hey there! Thanks for dropping by this article. Today, we’re getting into some serious stuff in the world of ethical hacking — Path Traversal or Directory Traversal. And guess what? We’re also diving into some Portswigger labs related to this cool topic. So, grab yourself a cup of coffee, settle in, and let's unravel the mysteries together!

Understanding Path Traversal:

Path Traversal, also known as Directory Traversal, is a significant concern in ethical hacking. It occurs when an application builds a file path from user-supplied input without properly validating it, so an attacker can supply sequences such as “../” (or an absolute path) to reach files and directories outside the intended folder, potentially leading to unauthorized access and data breaches.

The Implications:

Path/Directory Traversal Example

Before we get into the practical aspects with Portswigger labs, let’s understand the implications of Path Traversal. It can compromise the confidentiality, integrity, and availability of sensitive information. Unchecked Path Traversal vulnerabilities can pave the way for unauthorized access to critical files, potentially exposing sensitive data.

Into Action: Portswigger Labs with Burp Suite

BurpSuite

Now that we’ve covered the basics, it’s time to get hands-on with PortSwigger — the go-to web app security platform offering labs to up your game in handling vulnerabilities. We’re focusing on the Path Traversal labs, and our tool of choice is Burp Suite. No more delays, it's time to roll! 🚀

Lab 1 of 6: File Path Traversal, Simple Case

Browser

In this Lab, there’s a vulnerability in how product images are displayed.
Your mission: Retrieve the contents of the /etc/passwd file to conquer this lab. Let’s crack it! 🕵️‍♂️🔍

Step 1: Capturing the Request in BurpSuite

Browser + BurpSuite

Initiate the process by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Browser + BurpSuite

Under the provided instructions, the objective is to read the contents of /etc/passwd. The product image is fetched by filename, and the application builds a file path from that name without checking it. Prepending “../” once per directory level climbs out of the image folder up to the root, after which “etc/passwd” is appended. Three levels are enough here; on Linux any extra “../” beyond the root is simply ignored, so overshooting does no harm.

Command:

../../../etc/passwd

Lab 2 of 6: File path traversal, traversal sequences blocked with absolute path bypass

Browser

This Lab features a path traversal vulnerability in the product image display.
Your goal: Retrieve the /etc/passwd file contents to conquer the challenge. Ready? Time to crack it! 🕵️‍♂️🔍

Step 1: Capturing the Request in BurpSuite

Browser + BurpSuite

Start by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Browser + BurpSuite

Under the given instructions, the goal is to access the /etc/passwd file. Unlike the previous lab, the application blocks “../” sequences, but it passes the supplied filename to the filesystem as-is, so an absolute path is accepted without any traversal at all. Sending “/etc/passwd” directly solves the lab.

Command:

/etc/passwd

Lab 3 of 6: File path traversal, traversal sequences stripped non-recursively

Browser

This Lab presents a path traversal vulnerability within its product image display. The application strips path traversal sequences from the user-supplied filename, but only in a single pass, without re-checking the result.
Your mission: Crack the challenge by accessing the /etc/passwd file contents. Ready to dive in? 🕵️‍♂️🔍

Step 1: Capturing the Request in BurpSuite

Browser + BurpSuite

Start by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Browser + BurpSuite

Under the provided instructions, the objective is to access the contents of the /etc/passwd file. Because the application strips “../” from the filename, send a sequence that turns back into “../” after one round of stripping: “....//”. Removing the inner “../” from “....//” leaves exactly “../”, and since the filter runs only once, the reconstructed sequence is what reaches the filesystem. Repeating it three times and appending the target gives “....//....//....//etc/passwd”, which completes the lab.

Command:

....//....//....//etc/passwd

Lab 4 of 6: File path traversal, traversal sequences stripped with superfluous URL-decode

Browser

This Lab features a path traversal vulnerability in the product image display. Despite the application blocking input with path traversal sequences, it undergoes URL decoding before usage.
Your task: Retrieve the /etc/passwd file contents to solve the lab successfully.

Step 1: Capturing the Request in BurpSuite

Browser + BurpSuite

Start by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Browser + BurpSuite

Under the provided instructions, the goal is to access the contents of the /etc/passwd file. The application rejects input containing “../”, but it URL-decodes the filename again after that check, even though the web server has already decoded it once. Double-encoding the “/” therefore gets past the filter: “/” is “%2f” after one round, and encoding every character of “%2f” a second time gives “%25%32%66”. The server’s first decode turns this back into “%2f”, which contains no literal “../” and so passes the check, and the application’s own superfluous decode then produces the real “/”. The complete payload for this lab is “..%25%32%66..%25%32%66..%25%32%66etc/passwd”.

Burp Suite (encoding option)

Command:

..%25%32%66..%25%32%66..%25%32%66etc/passwd

Lab 5 of 6: File path traversal, validation of start of path

Browser

This Lab exposes a path traversal vulnerability in the product image display. The application sends the complete file path through a request parameter and verifies that the provided path commences with the anticipated folder.

Your objective: Retrieve the contents of the /etc/passwd file to solve the lab successfully.

Step 1: Capturing the Request in BurpSuite

Browser + BurpSuite

Start by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Under the given instructions, the objective is to access the /etc/passwd file. In Burp Suite the request shows that the parameter carries the full path, beginning with /var/www/images, and the application only checks that the value starts with that folder. Keeping the expected prefix and traversing out of it afterwards, with /var/www/images/../../../etc/passwd, satisfies the prefix check and still resolves to the target file.

Command:

/var/www/images/../../../etc/passwd

Lab 6 of 6: File path traversal, validation of file extension with null byte bypass

Browser

This Lab reveals a path traversal vulnerability in the product image display, where the application validates that the provided filename concludes with the anticipated file extension.

Your objective: Retrieve the contents of the /etc/passwd file to solve the lab successfully.

Step 1: Capturing the Request in BurpSuite

Start by loading the lab in your browser and capturing the request in Burp Suite. Don’t forget to apply the images filter in Burp Suite, given our focus on image URLs for vulnerability detection. Simply forward the captured request to the repeater for continued analysis in Step 2.

Step 2: Analyzing the request and Navigating the Directory Structure

Under the provided instructions, the goal is to access the /etc/passwd file. The application checks that the filename ends with an image extension, so a null byte (%00) is used to defeat it: “../../../etc/passwd%00.png”. The extension check, running on the full string, sees the trailing “.png” and accepts it, but the underlying file API treats the null byte as the end of the string, so the file actually opened is /etc/passwd.

Command:

../../../etc/passwd%00.png
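As an added example (not from the original post or from PortSwigger), this Python simulation models each lab's filter as a small function, feeds it the walkthrough's payload, and resolves the result the way the filesystem would; beside them is the check a defender should use instead, which resolves first and only then verifies the path. The base directory /var/www/images is the one named in Lab 5; the filter implementations are assumptions that reproduce the behaviour each lab describes, not PortSwigger's code.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/images"   # image directory named in Lab 5
TARGET = "/etc/passwd"     # file every lab asks you to read

def opened_path(name: str) -> str:
    """Path the OS actually opens: join to BASE, then collapse '.' and '..'.
    C-style file APIs stop at the first NUL byte, modelled by the split."""
    name = name.split("\0", 1)[0]
    return posixpath.normpath(posixpath.join(BASE, name))

# One assumed filter per lab, returning the filename it lets through (or None).
# Input is the value after the web server's own URL-decode, as the app sees it.
WEAK_CHECKS = {
    1: lambda n: n,                                        # no check at all
    2: lambda n: None if "../" in n else n,                # absolute path slips by
    3: lambda n: n.replace("../", ""),                     # one pass: '....//' -> '../'
    4: lambda n: None if "../" in n else unquote(n),       # decodes *after* the check
    5: lambda n: n if n.startswith(BASE + "/") else None,  # prefix only
    6: lambda n: n if n.endswith(".png") else None,        # suffix only, NUL ignored
}
PAYLOADS = {  # the walkthrough's payloads, after the server's single decode
    1: "../../../etc/passwd",
    2: "/etc/passwd",
    3: "....//....//....//etc/passwd",
    4: "..%2f..%2f..%2fetc/passwd",            # '..%25%32%66' on the wire
    5: "/var/www/images/../../../etc/passwd",
    6: "../../../etc/passwd\0.png",            # '%00.png' on the wire
}

def weak_check_leaks(lab: int) -> bool:
    """True when the lab's filter passes its payload and the OS opens TARGET."""
    name = WEAK_CHECKS[lab](PAYLOADS[lab])
    return name is not None and opened_path(name) == TARGET

def safe_resolve(name: str):
    """The fix: refuse NUL bytes, resolve first, then check the result is still
    under BASE. On a real server also apply os.path.realpath for symlinks."""
    if "\0" in name:
        return None
    full = posixpath.normpath(posixpath.join(BASE, name))
    return full if posixpath.commonpath([BASE, full]) == BASE else None

if __name__ == "__main__":
    for lab in PAYLOADS:
        print(f"lab {lab}: weak filter leaks {weak_check_leaks(lab)}, "
              f"hardened check returns {safe_resolve(PAYLOADS[lab])}")
    print("legitimate name:", safe_resolve("cat.png"))
```

Note that the hardened check uses commonpath rather than startswith, so a sibling folder such as /var/www/images2 is rejected as well, and it never decodes the value a second time.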

Conclusion:

So, let’s wrap up what we’ve dived into here. We kicked things off by getting into the nitty-gritty of path traversal — understanding why it’s a security risk and what kind of mess it can create. From there, we rolled up our sleeves and tackled some real-world challenges, using cool techniques like null byte and absolute file path to tease out vulnerabilities in web apps. We managed to crack six labs along the way. Hopefully, you’ve got a decent grasp of path traversal now. If you’re keen on more of these adventures, hit that follow button for future articles — we’re just getting started!
