Aim (Target Goal): Retrieve the contents of the /etc/passwd file

Lab Concept Overview:

Many applications that place user input into file paths implement defenses against path traversal attacks. These can often be bypassed.

If an application strips or blocks directory traversal sequences from the user-supplied filename, it might be possible to bypass the defense using a variety of techniques.

You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.

So let's solve this PortSwigger lab.

First, access the lab from your PortSwigger account. You get this interface.

The most important thing is to open the website in Burp Suite's browser, or in a browser configured to use the Burp proxy.

I opened the website in Burp's browser. After that, turn Intercept on and reload the website.

After reloading, you capture many web requests.

I captured many requests, one of which has a filename parameter and a file path.

So you can select any image request and send it to Repeater.

Okay, so start the path traversal attack with this sequence.

Our success path:

../../../etc/passwd

Oops, we get an error: 400 Bad Request.

The error is generated because the web application blocks directory traversal sequences in the user-supplied filename.

So we can change our sequence.

/etc/passwd

Awesome, we get the file content. Lab solved.

That's fine: we just use filename=/etc/passwd to directly reference a file without using any traversal sequences.
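Why the filter failed, seen from the server side, as an added example that is not code from the lab or from PortSwigger. It assumes a handler that joins the filename onto an image directory; IMAGE_DIR, the function names and the 22.jpg filename are constructed for illustration.

```python
import os

IMAGE_DIR = "/var/www/images"  # assumed image root, not taken from the lab


def naive_resolve(filename, base_dir=IMAGE_DIR):
    """Weak defence: block traversal sequences, then join onto the base."""
    if ".." in filename:
        raise ValueError("400 Bad Request")
    # os.path.join() drops base_dir entirely when filename is absolute,
    # so "/etc/passwd" passes the filter and escapes the image directory.
    return os.path.join(base_dir, filename)


def safe_resolve(filename, base_dir=IMAGE_DIR):
    """Canonicalise first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("400 Bad Request")
    return candidate


def outcome(resolver, filename):
    """Return the resolved path, or 'rejected' if the resolver refuses."""
    try:
        return resolver(filename)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed inputs mirroring the requests tried in the walkthrough.
    for name in ("22.jpg", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} naive={outcome(naive_resolve, name)!s:28} "
              f"safe={outcome(safe_resolve, name)}")
```

The containment check on the canonical path rejects both the traversal sequence and the absolute path, while the sequence filter alone only stops the first.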

Our lab is solved.
