Path Traversal - Directory Escape

Difficulty: Medium | Category: A01:2021 - Access Control | 200 points
Challenge Description

This file server allows users to download files from the /public/ directory. However, the server doesn't properly sanitize file paths, allowing you to escape the intended directory using path traversal sequences.

  • The base path is /public/
  • Your filename is appended directly: /public/{filename}
  • Use ../ sequences to traverse up directories

Your goal is to read the flag file located at /root/flag.txt.

Learning Objective: Understand how path traversal attacks can break out of restricted directories to access sensitive system files.
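As an added example (not code from the challenge itself), the resolver below mirrors the bug described above and places a hardened version beside it: `vulnerable_path` appends the name to `/public/` as the challenge does, while the hypothetical `safe_path` decodes the name, resolves it against the base directory and refuses anything that lands outside it.

```python
import os
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/public"  # the challenge's base path


def vulnerable_path(filename: str) -> str:
    """Mirrors the challenge's bug: the (already URL-decoded) name is appended
    to the base path as-is, so '..' segments walk out of /public/."""
    return os.path.normpath(BASE_DIR + "/" + unquote(filename))


def safe_path(filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened resolver. Returns the absolute path to serve, or None when
    the request would resolve outside base_dir."""
    # Decode until stable so single (..%2f) and double (%252e%252e%252f)
    # URL encoding are normalised before the containment check, not after.
    decoded = filename
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # NUL and backslash have no place in a file name on this server and are
    # exactly the characters that confuse path handling on other platforms.
    if "\x00" in decoded or "\\" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and resolves symlinks, so the check below sees
    # the path the OS would actually open. An absolute 'filename' replaces
    # the base inside os.path.join and is caught by the same check.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath, not startswith: '/publicX' must not pass for base '/public'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the challenge's own target path.
    for name in ["readme.txt", "../../root/flag.txt", "..%2f..%2froot%2fflag.txt"]:
        print(f"{name!r}: vulnerable -> {vulnerable_path(name)}, safe -> {safe_path(name)}")
```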

File Download (Vulnerable)
Base path: /public/
Request: GET /api/files?name=readme.txt

User File Download (Vulnerable)
Request: GET /api/uploads/user1/photo.jpg
Directory Structure
/public/
├── readme.txt
├── logo.png
└── terms.txt

/uploads/
├── user1/
│   ├── photo.jpg
│   └── document.pdf
└── user2/
    └── notes.txt

/private/ [RESTRICTED]
/etc/ [SYSTEM]
/root/ [SYSTEM]
Path Traversal Sequences
  • ../ - Unix/Linux
  • ..\ - Windows
  • ..%2f - URL encoded
  • ..%5c - URL encoded (Windows)
  • ....// - Double encoding bypass
  • ..;/ - Null byte bypass (old)