What is Directory Traversal?

Intro

This is my second blog and I am pretty excited about it. It is about directory traversal, which is a sub-topic of the LFI (Local File Inclusion) vulnerability. Directory traversal lets you read secret files, while LFI also allows you to perform remote code execution! 😱 Is it important? Yep, especially if you are a bug hunter. It is one of the most critical bugs in existence, as it exposes the server’s private files to the outside world for hackers to see and then exploit based on the information retrieved. It’s a bug which usually falls in the medium to severe risk range. Pretty much an awesome bug to hunt, right?
The bounties are huge too! 😁

Let’s start hacking!

How does it work?

Basically, we are trying to access an internal file from the server’s backend which is not allowed under normal circumstances. We can get the server to retrieve that file by modifying one of the path parameters that was supposed to supply something else on the website.

I’ll talk a bit in theory, but don’t worry, I’ll then throw you a bunch of practicals so that you know how and roughly where to perform the attack in real life (ethically of course).

A bit of theory:

Let’s say you see a URL like this:
https://vulnerable-site/index.php?search=pictures/cat.png
You click on it and get this:

[Image: cat.png loaded]

Now you might ask how to manipulate the site into giving out valuable info? Well, if the site is vulnerable to LFI, then let’s start the main hacking event 😎

Let’s tamper with the URL:
https://vulnerable-site/index.php?search=/etc/passwd

Looks like we got something:

[Image: passwd file captured]

Looks like we got the passwd file. Haha! 😈
Basically, we changed the path of the file the page was supposed to return. When you click on the link
https://vulnerable-site/index.php?search=./pictures/cat.png, the index.php page takes the input of the search parameter and fetches cat.png from the given path. We modified that path to get sensitive files from the server. However, this is the most basic case, where there is no sanitization of inputs. Things won’t be this easy in the wild web.

Time for some practicals!

The lab we’ll do is available at: https://github.com/Yavuzlar/VulnLab
You can get it via Docker or just git clone it. I prefer the Docker option as it makes things so much simpler. Instructions are given on that page itself.

Let’s attempt the first lab in LFI:

[Image: first lab]

Look at the URL: http://localhost:5000/lab/file-inclusion/learn-the-capital-1/
We don’t find a parameter to exploit with our payloads. Let’s try searching using the search button.

Aha! We have now found the parameter we’re looking for:

[Image: got the parameter (see red box)]

The parameter is ‘country=’, which you can see highlighted in the red box in the above picture. The task of this lab is to get the admin page (it was mentioned in the instructions before entering the lab), so we have to guess what that page might be named. Seeing that the retrieved page is france.php, I guess the admin page will be admin.php. Let’s try http://localhost:5000/lab/file-inclusion/learn-the-capital-1/index.php?country=admin.php
It didn’t work. Let’s play around. I then put ../admin.php into the country parameter, and it works:

Looks like we got access to the admin page 🎉

But this one was quite easy. Let’s do the next one:
The next one is the same except it is on a higher difficulty level. It has some input sanitization in place. I’ll discuss the code later too and explain how I’m able to bypass the filters.

The url is almost identical: http://localhost:5000/lab/file-inclusion/learn-the-capital-2/index.php?country=france.php
So, replacing france.php with ../admin.php doesn’t work in this case. So I tried the following:

  • http://localhost:5000/lab/file-inclusion/learn-the-capital-2/index.php?country=..../admin.php
  • http://localhost:5000/lab/file-inclusion/learn-the-capital-2/index.php?country=..//admin.php
  • http://localhost:5000/lab/file-inclusion/learn-the-capital-2/index.php?country=....//admin.php

and bam 💥 it works on the third try!

[Image: Solved the 2nd lab]

So, what basically happened here? The input was being filtered: ‘../’ was being stripped out of whatever was passed in the country parameter. There is a Source code option which shows the PHP page contents, to help us see how the code works. Let’s have a look at the sanitization part:

[Image: source code]

As you can see:

$page = str_replace( array( "http://", "https://" ), "", $page );
$page = str_replace( array( "../", "..\\" ), "", $page );

I had to look up str_replace on the net to find out what it does. It’s pretty simple: in this case it replaces some keywords with others, as apparent in the above code. As we can see, when we include http:// or https:// or ../ or ..\ they are stripped off, i.e., replaced with nothing (""). So we had to type “../” within itself, i.e., ....//
So when the ../ in the middle is stripped off, the outer .. and / come together and are processed as the path we wanted: ../admin.php. This works because str_replace makes a single pass and never re-checks the string it produced.
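The filter above reimplemented in Python, as an added example that is not the lab’s own code, next to the check that should be used instead: resolve the path first, then test whether it is still inside the allowed directory. LAB_BASE is a constructed path; the check also covers the absolute-path case (page=/etc/passwd) that comes up later in the post.

```python
import os
from typing import Optional

# Tokens the lab's str_replace() call removes, in a single non-recursive pass.
STRIP_TOKENS = ("http://", "https://", "../", "..\\")

# Constructed path for the example; not the lab's real directory layout.
LAB_BASE = "/srv_lab_example/capitals"


def weak_filter(page: str) -> str:
    """Mimic the lab's sanitiser: each token is removed once, left to right.

    str.replace(), like PHP's str_replace(), never re-scans its own output,
    so the characters left behind can form a new '../'.
    """
    for token in STRIP_TOKENS:
        page = page.replace(token, "")
    return page


def resolve_within(base_dir: str, page: str) -> Optional[str]:
    """Return the absolute path for `page` only if it stays inside base_dir.

    The decision is made on the fully resolved path, so it does not matter
    how the traversal was spelled (../, ....//, an absolute path, ...).
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for payload in ("france.php", "../admin.php", "..//admin.php",
                    "....//admin.php", "/etc/passwd"):
        after = weak_filter(payload)
        print(f"{payload!r:20} -> filter leaves {after!r:16} "
              f"resolved: {resolve_within(LAB_BASE, after)}")
```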

Let’s do some labs from Metasploitable

Metasploitable is intentionally designed with tons of vulnerabilities to help you learn hacking. It can be run as a virtual machine and is pretty easy to set up.
If you don’t know what Metasploitable is, don’t worry 🤗, I’ll explain how LFI works in a simple and lucid manner.

Let’s start with security level: medium
As you can see, it’s the default LFI page. Let’s tamper with the “page” parameter (URL: http://192.168.0.142/dvwa/vulnerabilities/fi/?page=include.php).

[Image: Default LFI page]

Let’s try to retrieve the passwd file. I tried page=/etc/passwd, and it worked! 😀
Let’s try to get the file another way, because we won’t get it that easily every time. Let’s go back a directory and try page=../etc/passwd, but it doesn’t work. Let’s keep trying: page=../../etc/passwd, page=../../../etc/passwd, page=../../../../etc/passwd and then page=../../../../../etc/passwd. Finally it works!

This is what the url should finally look like: http://192.168.0.142/dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd.

[Image: passwd file]

Let’s try to grab another important file: /etc/hosts. URL:
http://192.168.0.142/dvwa/vulnerabilities/fi/?page=../../../../../etc/hosts

[Image: hosts file]

Let’s now grab the index.php, which is the default page. http://192.168.0.142/dvwa/vulnerabilities/fi/?page=index.php
It appears we run into an error:

[Image: error]

Hmm, however we do have a workaround for this. This is where wrappers come into play! 🤩

All we gotta do is use the encoding wrapper, which looks like one of these:

  • php://filter/convert.base64-encode/resource=
  • php://filter/convert.base64-decode/resource=
  • php://filter/read=string.rot13/resource=

URL: http://192.168.0.142/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php

[Image: base64 encoded index page]

Let’s decode it in the terminal:

Phew! That was some work 😰 But we did it! 🥂😎
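On the defender’s side, as an added example that is not part of the original post: a small classifier run over constructed access-log lines carrying the same payloads used above (the ../ chain, ....//, and php://filter). It percent-decodes each query parameter repeatedly before judging it, so encoded variants are not missed; the log lines and parameter names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (not from a real server) covering this post's payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /lab/file-inclusion/learn-the-capital-2/index.php?country=....//admin.php HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:00:14 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2400',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9.+-]*://", re.IGNORECASE)  # php://, data://, http://, ...

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '%252e%252e' is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_traversal(path: str) -> bool:
    """True if the path climbs above its start or uses a dots-only segment like '....'."""
    depth = 0
    for segment in re.split(r"[\\/]+", path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif re.fullmatch(r"\.{3,}", segment):
            return True  # '....//' style evasion of a single-pass '../' strip
        elif segment not in ("", "."):
            depth += 1
    return False

def classify_request(log_line: str) -> list:
    """Return the reasons a request looks like a file-inclusion attempt ([] if clean)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    reasons = []
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        value = decode_fully(value)
        if WRAPPER_RE.match(value):
            reasons.append(f"{name}: stream wrapper {value.split('://', 1)[0]}://")
        if value.startswith("/") or looks_like_traversal(value):
            reasons.append(f"{name}: path leaves the include directory")
    return reasons
```

Running `classify_request` over SAMPLE_LOG flags the last three lines and leaves the include.php request alone.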

I’ll be adding few more examples on a bit higher level here or I’ll make a new article on it. Follow me to stay updated with more awesome articles 🤗

Happy hacking ✨

Support me at: https://www.buymeacoffee.com/h4kr
