File path traversal, simple case

Description

This lab contains a path traversal vulnerability in the display of product images.

To solve the lab, retrieve the contents of the /etc/passwd file.

Solution

Click to one of products shop: https://0ac8007304f7f39b81adf85000a300b1.web-security-academy.net/product?productId=2

The parameter productsID seems to not be vulnerable, than we can try to open the relative image, that usually is located into /var/www/images web server directory.

https://0ac8007304f7f39b81adf85000a300b1.web-security-academy.net/image?filename=1.jpg

In this case directory and parameter are different, capturing it with Burp and trasfer to Repeater using CTRL+R

Here, we can modify the filename reference adding ../../../../../etc/passwd to do five jump back into directory, arriving to root / and accessing to /etc/passwd file: