Python3

Absolute Path Traversal


Absolute path traversal

Find a way to escape the /tmp/files/notes/ directory and access arbitrary files on the vulnerable application!

Goal

Capture the flag! The flag can be found in the file: /tmp/secret/flag.txt

Hints

Hint #1

How does the function os.path.join handle files starting with a forward slash (/)?

Solution


The program successfully filters the dot-dot-slash attack but does not protect against an absolute path. When a filename begins with a slash (/), os.path.join discards the preceding path components and starts from the filename instead, resulting in an absolute path traversal vulnerability.

Payload:

/tmp/secret/flag.txt
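
The os.path.join behaviour described in the solution, shown next to a containment check that closes it. This is an added example, not the challenge's own code: the ".." filter in resolve_vulnerable is an assumed stand-in for the application's dot-dot-slash check, and the function names are hypothetical.

```python
import os

BASE_DIR = "/tmp/files/notes/"  # notes directory named in the challenge text


def resolve_vulnerable(filename: str) -> str:
    """Assumed shape of the flawed logic: block '..' and then join."""
    if ".." in filename:
        raise ValueError("dot-dot-slash rejected")
    # os.path.join discards BASE_DIR entirely when `filename` is absolute,
    # so the '..' filter above never sees anything suspicious.
    return os.path.join(BASE_DIR, filename)


def resolve_safe(filename: str, base_dir: str = BASE_DIR) -> str:
    """Return a path that is inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so the
    # containment test runs on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {filename!r}")
    return candidate


def is_allowed(filename: str) -> bool:
    """True when resolve_safe accepts the name."""
    try:
        resolve_safe(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal note, the page's payload, a relative escape.
    for name in ["todo.txt", "/tmp/secret/flag.txt", "../secret/flag.txt"]:
        try:
            old = resolve_vulnerable(name)
        except ValueError as exc:
            old = f"blocked ({exc})"
        print(f"{name!r}: vulnerable -> {old}; safe allows -> {is_allowed(name)}")
```

The check compares fully resolved paths rather than inspecting the raw string, so it covers absolute names, relative escapes and symlinks with one rule.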