Welcome Everyone, In this tutorial we are going to perform One of the Directory Traversal labs from this portswigger
Therefore, the first thing you must understand is that “directory traversal” is another name for “file path traversal”. Don’t be confused about that.
Therefore, in this tutorial, we’ll run a simple lab to demonstrate how Directory Traversal by Portswigger Academy works.
So let’s start
Goal:- retrieve the contents of the /etc/passwd file.
The application’s home page is shown below.
You can see that there are many products being displayed in the screenshot up top. We can click “view details” to find out more information about a specific product.
Let’s intercept it using foxyProxy, an extension that can be used to turn proxies on and off. You can see that I have activated the intercept in the screenshot below.
As you can see in the screenshot below, the next step is to enable the intercept on the Burpsuite as well.
To view an item in greater detail, click on it by selecting “The Gient Enter Key,” which is the first item on the list.
Therefore, after clicking, you can see in the burp suite that we intercepted the GET request to access the request in which the product’s ID was passed. This can now be vulnerable to directory traversal, but according to my checks, it is not.
However, as we are aware when we access a specific page, multiple requests may be made. For example, if the requested page contains five images, five GET requests will be made in order to display those five images.
The GET request for the image of the key is one of several that are made in order to access “The Gient Enter Key” page, and it is vulnerable to Directory Traversal.
Before learning about this vulnerability, you should be familiar with the concepts listed below, which are also explained.
Dotted twice, like “..”
We already know that “..” is primarily used to move up in the current directory’s parent directory. As you can see in the screenshot below, we applied it three times, as “../../../etc/passwd” We will receive our desired output, which is the contents of the passwd file because we executed the request.
/etc/Passwd file
The “/etc/passwd” file on a Linux system houses crucial data about each user account on the system. Each user account is represented by one entry per line in this file, with the seven fields being separated by colons (:).
/var/www/ file
Therefore, “this1” is the directory that is typically used to host a website on a server and it contains all of the website’s resources. Multiple subdirectories, including those for HTML, CSS, Javascript, and other assets like images, videos, and so on, may exist in the “this2” directory.
Now that the request has been intercepted, various sub-requests may be made depending on the page. The following screenshot shows two requests that we find interesting.
The product “The Gient Enter Key” is requested above, but it is not vulnerable.
There is currently a picture of this key, and the request for it is intercepted below.
Therefore, the /var/www/image directory path can be used to store this image. This is a prediction or an assumption, not a confirmation of anything. So let’s try it.
Thus, “filename” is the parameter’s name. And a Directory Traversal vulnerability exists. Let’s replace “37.jpg” with our payload now. Thus, our payload is “../../../etc/passwd” now.
You can now see why I’m only going up three times in this example. I made the assumption that the image is stored in the “/var/www/image” Directory, and in order to browse the “passed” file, we must go to the root directory. From the root(/) directory, we can browse by calling “/etc/passwd” because “/etc/passwd” is in the root directory and can therefore be called.
then let’s forward the request.
I have entered the payload, as can be seen in the screenshot up top. I’m forwarding it now.
I have intercepted the response by right-clicking the request and selecting “Do intercept” >> “Response to this request”
As you can see, I also intercepted the response, allowing us to obtain the contents of the “/etc/passwd” file. So the lab is now resolved.
By doing so, we can take advantage of the Directory traversal vulnerability.