Burp Suite User Forum

Create new post

Academy Path Traversal Labs Not Working as Intended?

William | Last updated: Mar 03, 2023 03:25AM UTC

I'm having a nice time working through the academy labs. I've just started working through the path traversal labs where the focus is getting the server to load the /etc/passwd file. I've completed both the "File path traversal, simple case," and " File path traversal, traversal sequences blocked with absolute path bypass," labs; in both instances the lab is "solvable" but the server never actually sends the contents of the file over to my machine. Have you upgraded something recently? Newer version of server? New CDN? It's nice to solve these but feels a lot cooler when you actually see that /etc/passwd file in your browser or proxy.

Ben, PortSwigger Agent | Last updated: Mar 03, 2023 08:44AM UTC

Hi William, If we take the 'File path traversal, traversal sequences blocked with absolute path bypass' lab as an example. When you alter the request and change the 'filename' parameter to /etc/passwd you should then see the contents of the passwd file in the response to this request. This is illustrated in the screenshot below: https://snipboard.io/b9haXH.jpg

Paul | Last updated: May 15, 2023 10:51PM UTC

I'm going to be the second person to say this lab seems broken for me. I follow the steps exactly but when I modify the file path, I don't get a response and then it seems to break the server. I don't have a response in my HTTP history, I don't get one when I have my settings to display the response and I don't get a response when I use repeater. I've tried both firefox and chrome and the issue persists. Usually I have to clear cache and cookies to get back into portswigger. It's very disheartening. I don't even get the solve like the OP does.

Ben, PortSwigger Agent | Last updated: May 16, 2023 09:13AM UTC

Hi Paul, If we are still taking the example of the 'File path traversal, traversal sequences blocked with absolute path bypass' lab (as was the case earlier in this forum thread) then, again, I have just run through this lab and been able to solve it using the solution (essentially, I took the approach of finding the GET /image?filename request in the Proxy History, sending this to Repeater and then altering this so that the filename parameter requests the /etc/passwd file). What might be useful is to see what request you are actually trying to send - you cannot attach screenshots directly to the forum so if it is easier please feel free to send us an email to support@portswigger.net and we can take a look from there.

Maria | Last updated: Feb 29, 2024 12:01PM UTC

Hi All, I think I got this. I had the same problem of not being able to retrieve the contents of "/etc/passwd" though I was sure I was sending the right request, and this is why I came to this forum. At the time of writing this, the request coming out from the client side contains "/product?productId=" while the request being processed to actually retrieve the desired contents has "/image?filename=" instead. I trust this will be of use to you. Kind regards,

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.