Directory Traversal
A file parameter that doesn't constrain the path lets you walk the filesystem. Drill traversing out and reading files you were never meant to see.
Confirm the parameter maps to a file read, then climb out of the web root with repeated ../ until a known target like /etc/passwd resolves.
Where naive filters strip traversal sequences, adapt with URL-encoding or nested patterns. Each variant of the drill changes the prefix handling and filtering, so you probe rather than paste.
How the attack works
- Confirm the parameter reads a file from disk.
  ?file=welcome.txt
- Traverse upward to a known system file.
  ?file=../../../../etc/passwd
- If sequences are filtered, try URL-encoding or doubled patterns.
  ?file=..%2f..%2f..%2fetc%2fpasswd
  ?file=....//....//etc/passwd
- Read the returned file and capture the flag.
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
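As an added illustration (not code from the PwnKata drill), the following Python contrasts the weak strip-once filter with a resolve-then-check handler, run against the payload shapes listed above; the web root path is a constructed assumption.

```python
import os
import urllib.parse
from typing import Optional

# Constructed web root for the example; a real app would use its own files directory.
WEB_ROOT = "/var/www/app/files"

def naive_filter(user_path: str) -> str:
    """The weak defence: strip '../' once and trust whatever remains."""
    return user_path.replace("../", "")

def naive_resolve(user_path: str) -> str:
    """Vulnerable handler: filter the raw value, decode it afterwards, then build
    the path with no containment check. Filter-then-decode is a common ordering bug."""
    cleaned = urllib.parse.unquote(naive_filter(user_path))
    return os.path.normpath(os.path.join(WEB_ROOT, cleaned))

def resolve_in_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened handler: decode repeatedly (bounded, to defeat double encoding),
    join to the root, canonicalise, and require the result to stay under the root.
    Returns the canonical path, or None when the request escapes the root."""
    decoded = user_path
    for _ in range(3):  # e.g. %252e -> %2e -> '.'
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate

def escapes_root(path: str, root: str = WEB_ROOT) -> bool:
    """True when an already-resolved path lies outside the web root."""
    root_norm = os.path.normpath(root)
    return os.path.commonpath([root_norm, os.path.normpath(path)]) != root_norm

if __name__ == "__main__":
    # Constructed requests: the three payload shapes from the drill plus a benign one.
    for p in ["welcome.txt", "../../../../etc/passwd",
              "..%2f..%2f..%2fetc%2fpasswd", "....//....//etc/passwd"]:
        weak = naive_resolve(p)
        print(f"{p!r:32} naive -> {weak} (escapes={escapes_root(weak)})"
              f"  hardened -> {resolve_in_root(p)}")
```

The plain payload is caught by the strip-once filter, but the encoded and doubled forms walk out of the root; the resolve-then-check handler rejects all three because it checks the final canonical path rather than the input string.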
Recover the flag at /root/flag.txt and submit it.