File path traversal, traversal sequences stripped non-recursively

In this post we will walk step by step through how to solve File path traversal, traversal sequences stripped non-recursively on PortSwigger. This lab’s difficulty is Practitioner and it is the third lab on Directory Traversal on PortSwigger.

Link to lab: https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively

To start the lab click the ‘Access the Lab’ button.

As we begin the lab we encounter a shop page showcasing different products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session. So, don’t worry if your products look different.

When selecting a product it opens a page containing comprehensive details about the product.

Inspecting the source code we can observe an <img> tag referencing an image file named 20.jpg.

Bringing this request into Burp Suite Repeater we can manually attempt to attack the filename parameter.

In our pursuit of directory traversal our initial target is the /etc/passwd file, which is typically accessible to all users on a Linux system. To begin the attack it’s important to know the behavior of the ‘filename’ parameter. Given that it references an image file on the system (in this case, a JPG), we can reasonably assume that this parameter reads files and displays their contents in the browser.

We attempted to use the same payload as in our previous lab, ‘File path traversal, simple case,’ which was ../../../../../../etc/passwd. Unfortunately, we encountered an issue. It appears that the application is blocking the use of ../ in our payload.

We can make an attempt to access the file using an absolute path. An absolute path directly references a file without utilizing any traversal sequences. In this case, the payload would appear as /etc/passwd.

Our payload failed and we encountered another ‘No such file’ response message.

We can automate this to discover an exploit using SecLists and Burp Suite’s Intruder. We can highlight what we would like to fuzz and click Add.

Next we will select LFI-Jhaddix.txt from SecLists for our Payloads.

The final step will be to set up a Resource Pool to limit requests to the server so we don’t take it down. This is common practice when performing web attacks on an engagement; too many requests at once can be harmful to a client’s website.

After we start our attack we need to wait for a few minutes. Using Burp Professional can speed up this process, but Community can get the job done.

After a few minutes we find that the payload ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd successfully displays the contents of /etc/passwd to us.
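To see why that payload works, here is an added Python model (not the lab’s own code) of a filter that strips ../ in a single non-recursive pass, beside a hardened resolver that canonicalises the path and checks it stays inside the image directory. The base directory /var/www/images is an assumption; the lab does not reveal the real one.

```python
import posixpath
from typing import Optional

# Assumed web root for product images (the lab does not reveal it).
BASE_DIR = "/var/www/images"

# The payload that solved the lab: 16 copies of "....//" then etc/passwd.
LAB_PAYLOAD = "....//" * 16 + "etc/passwd"


def strip_traversal_once(filename: str) -> str:
    """Model of the lab's weak filter: remove every "../" in one pass.

    str.replace never re-scans its own output, so "....//" loses the
    "../" in its middle and collapses to exactly "../".
    """
    return filename.replace("../", "")


def _join(filename: str) -> str:
    # Plain concatenation rather than posixpath.join: join would let an
    # absolute filename replace BASE_DIR outright, whereas the lab answered
    # "No such file" for /etc/passwd, which matches concatenation.
    return posixpath.normpath(BASE_DIR + "/" + filename)


def resolve_weak(filename: str) -> str:
    """Vulnerable server: sanitise once, then build the path."""
    return _join(strip_traversal_once(filename))


def resolve_hardened(filename: str) -> Optional[str]:
    """Fixed server: do not strip anything; canonicalise the full path and
    refuse it unless it remains strictly inside BASE_DIR.

    normpath is purely lexical; a production check should also resolve
    symlinks (os.path.realpath) before comparing. Lexical is used here so
    the example behaves the same on any machine.
    """
    candidate = _join(filename)
    if candidate == BASE_DIR or not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("20.jpg", "../../../etc/passwd", "/etc/passwd", LAB_PAYLOAD):
        print(f"{p[:30]:<32} weak -> {resolve_weak(p)}  "
              f"hardened -> {resolve_hardened(p)}")
```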

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod