Webgoat - Path traversal

In this walkthrough, we will go through the Path traversal vulnerability section of the WebGoat labs. We will explore and exploit path traversal and learn how applications are affected by it. So, let's get started with the hacking without any delay.

Path traversal

1. Path traversal while uploading files

  • In this assignment, the goal is to overwrite a specific file on the file system: we need to upload our file to the following location, outside the usual upload location.

(Screenshot: the lesson page with the uploaded image preview)

  • I used the payload below to upload the file into another directory:

../../../../../home/webgoat/.webgoat-2023.4/PathTraversal/hacked

(Screenshots: the payload entered in the upload form, and the lesson marked as completed)

2. Path traversal while uploading files again

  • This lesson adds a mitigation against the previous payload. It is bypassed with the payload below: the filter strips ../ in a single pass, so each ....// collapses to ../ after filtering.

....//....//....//home/webgoat/.webgoat-2023.4/PathTraversal/hacked

(Screenshots: the payload entered in the upload form, and the lesson marked as completed)

3. Path traversal while uploading files again +1

  • In this challenge, the application now uses the name of the uploaded file instead of asking the user for a file name.

(Screenshot: the lesson page after the profile was updated)

  • I intercepted the request and used the payload below as the uploaded file's name to write the file to another location.

(Screenshot: the upload request intercepted in Burp Suite)

../hacked

(Screenshots: the payload, the path traversal succeeding, and the lesson marked as completed)

4. Retrieving other files with a path traversal

  • In this challenge, we have to retrieve the contents of the path-traversal-secret.jpg file. The application has a button that shows a random cat image when clicked.

  • I intercepted the request with Burp Suite and analyzed the response. The response contains a Location header whose id parameter is used to query the DB for the cat images.

(Screenshots: the intercepted request and its response in Burp Suite)

  • I used the parameter in the GET request path together with the ls command, and it seems to be injectable.

(Screenshots: the payload and the response)

  • Next, I URL-encoded the payload, used it as the id parameter, and got a directory listing of the parent directories, where we can see our target file.

../../
%2E%2E%2F%2E%2E%2F

(Screenshots: URL-encoding the payload in CyberChef, the encoded payload, and the directory-listing response)

  • I was unable to retrieve the secret from the path-traversal-secret.jpg file, so I simply removed the extension and got a hit. The clue was that the secret is the SHA-512 hash of our username.

%2E%2E%2F%2E%2E%2Fpath-traversal-secret

(Screenshots: the payload and the response containing the clue)

  • Calculating the SHA-512 hash of our username and submitting it completed the challenge:

echo -n 'kratos' | sha512sum
9710fd696c471dcac50bec100993d775ab323f37110f90b02be98347503542d17788acd46f5d536211657e03df7dbad0dd2f35d6a11d39c0835e7791cf705225  -

(Screenshots: the SHA-512 hash and the secret submitted)

5. Zip Slip assignment (Not finished)

(Screenshots: the intercepted upload request in Burp Suite and the zip error returned by the application)

Conclusion

So, we have finally completed the WebGoat Path traversal vulnerability section. Potential path traversal attacks can be mitigated by validating the input against a known set of whitelisted values. In addition, the input should be passed to the platform's filesystem API to canonicalize the path, and the application should then verify that the canonicalized path starts with the expected base directory. On that note, I will take your leave and meet you in the next one with another WebGoat vulnerability write-up; till then, "Keep Hacking".
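As an added example (written for this write-up, not code from WebGoat or from the original post, and in Python rather than WebGoat's Java), the block below puts the weak single-pass ../ filter that the ....// payload of lesson 2 defeats next to the canonicalize-and-check mitigation described in the conclusion. The upload directory, the file name cat1.jpg and the helper names are assumptions made for the example; the payloads are the ones used in the lessons above.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed upload directory for this example (constructed; not WebGoat's real path).
UPLOAD_DIR = "/var/app/uploads"


def naive_strip(filename: str) -> str:
    """The weak filter defeated in lesson 2: remove '../' in a single pass.
    '....//' survives as '../' because only the inner '../' is removed."""
    return filename.replace("../", "")


def naive_target(filename: str) -> str:
    """Where an application using the single-pass filter would write the upload:
    the filter runs once, then the OS resolves whatever '..' is left."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, naive_strip(filename)))


def is_within_base(base_dir: str, candidate: str) -> bool:
    """True when candidate lies strictly inside base_dir after canonicalisation."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base and target != base


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """The mitigation from the conclusion: canonicalise the joined path with the
    platform filesystem API (os.path.realpath) and verify it still starts with
    the base directory. Returns the canonical path, or None if it escapes."""
    decoded = unquote(user_path)  # %2E%2E%2F -> ../ : decode before checking
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute (e.g. /etc/passwd);
    # the containment check below rejects that case as well.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if not is_within_base(base, candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Payloads from the lessons above plus one legitimate file name.
    for payload in ("../hacked",
                    "....//....//....//home/webgoat/.webgoat-2023.4/PathTraversal/hacked",
                    "%2E%2E%2F%2E%2E%2Fpath-traversal-secret",
                    "cat1.jpg"):
        print(f"{payload!r}")
        print(f"  naive filter -> {naive_target(payload)}")
        print(f"  canonicalise -> {safe_resolve(UPLOAD_DIR, payload)}")
```

Note that against the hardened check the ....// payload is not a traversal at all: with no filter rewriting it, "...." is just an ordinary (non-existent) directory name and the resolved path stays inside the upload directory. The bypass only works against the string-stripping filter, which is why the conclusion recommends canonicalising with the filesystem API instead of sanitising the string.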
