Blog: Difference between revisions
No edit summary |
No edit summary |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 15: | Line 15: | ||
I was looking for common other ways to move from one folder to another and found the following webpage, which lists very well the different types of attacks. | I was looking for common other ways to move from one folder to another and found the following webpage, which lists very well the different types of attacks. | ||
https://book.hacktricks.xyz/pentesting-web/file-inclusion | |||
<syntaxhighlight lang="abap"> | |||
I tried the following commands | I tried the following commands | ||
\..\.. | \..\.. | ||
..%252f..%252f..%252f.. | ..%252f..%252f..%252f.. | ||
./..// | ./..// | ||
....//....// | ....//....// | ||
</ | </syntaxhighlight> | ||
At some point I noticed, when I tried the ....//....// command, that the check only removes the ../ text once, but in this case when there were more characters it left just the right number of characters. | At some point I noticed, when I tried the ....//....// command, that the check only removes the ../ text once, but in this case when there were more characters it left just the right number of characters. | ||
| Line 33: | Line 32: | ||
<code>....//....//....//var/backup/secret.txt</code> | <code>....//....//....//var/backup/secret.txt</code> | ||
===Tools=== | ===Tools=== | ||
* Browser | *Browser | ||
* Common path traversal - | *Common path traversal - https://book.hacktricks.xyz/pentesting-web/file-inclusion | ||
===Flag=== | ===Flag=== | ||
<code>ctftech{hello-world}}</code> | <code><nowiki>ctftech{hello-world}}</nowiki></code> | ||
===Links=== | ===Links=== | ||
*[[CTF Challenges | Back to CTF Challenges page]] | *[[CTF Challenges | Back to CTF Challenges page]] | ||
Latest revision as of 11:52, 30 September 2022
Description
Web administartor is building a new blog to document web development related news and events.
Website is still under construction but some security has been implemented.
50pts
Question
Use the weakness in the web application to read a secret file at /var/backup/secret.txt
Solution
The webpage uses the same solution as before, i.e. it retrieves the content of the webpage from the file. However, when I tried the previous task of moving from one ../ folder to another, a "security" was created for that page which disables that command.
I was looking for common other ways to move from one folder to another and found the following webpage, which lists very well the different types of attacks.
https://book.hacktricks.xyz/pentesting-web/file-inclusion
I tried the following commands
\..\..
..%252f..%252f..%252f..
./..//
....//....//
At some point I noticed, when I tried the ....//....// command, that the check only removes the ../ text once, but in this case when there were more characters it left just the right number of characters.
By taking advantage of this, I was able to open up the right file.
....//....//....//var/backup/secret.txt
Tools
- Browser
- Common path traversal - https://book.hacktricks.xyz/pentesting-web/file-inclusion
Flag
ctftech{hello-world}}
