In this post, I want to share on Directory Traversal Attack Method which can be useful during any Red Teaming OR Penetration Testing

Before I share the demo of the attack over here, let’s study the methodology and the process of the attack on the website.

What is Directory Traversal Attack?

For those who are not familiar with this attack, it’s a vulnerability that can be found on the website. The purpose of the attack would be that the attacker will give permission to read any arbitrary files that are saved or stored on the server.

How to verify that the website is vulnerable?

We can verify this by looking at the source code of the website which I managed to obtain 2 examples or samples to show

First Example

The source code that you see above is coming from OpenSource Machine Writeup which can be read here

At a first glance, we can verify that the source code has a vulnerability such as a Directory Traversal attack.

Where? Where?

The vulnerable code would be file_path = os.path.join(os.getcwd(), “public”, “uploads”, file_name) which it will expose any file

For further information, people can read here

Second Example of Directory Traversal attack

    string $filename,
    bool $use_include_path = false,
    ?resource $context = null,
    int $offset = 0,
    ?int $length = null
): string|false

Another way to verify is from read other source codes such as above. It was taken from PHP: file_get_contents – Manual

The output of the attack will look something such as that shown in the screenshot above.

Demo for the Attack

For this demo, I will be using a retired machine from the Hack The Box environment.

For example, we will see the log from the ftpd that has been saved on the machine where it can expose the information to the public itself.

Aside from that, we also can use the burpusite tool to play with the Directory Traversal attack. Normally, it will show the output when the browser might not show it at all.