Traveller

Traveller: It's been an amazing adventure so far. I've seen so many incredible places and met so many interesting people.

Venti: That's true. And there's always something new to discover. I've been playing music for years, but I'm still finding new inspiration every day.

Traveller: Speaking of inspiration, I came across this website that seems to have a vulnerable feature; can you give me some inspiration?

View Challenge

Background Knowledge

This challenge is a basic implementation of a vulnerability known as "Directory Traversal" or also commonly known as "Path Traversal"

Lack of path authentication in certain web applications, or even static servers can lead to attackers being able to view sensitive files on the server that aren't being actively hosted on the website.

Attackers can traverse through subdirectories using common syntax, or using relative file paths.

Solution

Upon visiting the website, you can see that there's an interesting application with a submit button:

Unlike the other challenges, the source for the script is not given.

However, the /file?path endpoint looks suspicious, taking a further look at the application.

We can conclude that the form returns content when specified a path

And if you actually want to be really funny, you can abuse this and print out the source code for the website itself LOL

And, some of you trollers might think that you can root my server by traversing to /etc/shadow- Too bad, the webserver is running in a Python-alpine docker container, nice try.

Anyway, the flag is located at /flag.txt, or ../flag.txt.