HACKR.GG
Path Traversal | Easy

FileVault — Escape the Directory

FileVault reads files from /files/ by name — but forgets to sanitise the path. Escape the base directory and read the flag hidden in /secret/flag.txt.

Step-by-step walkthrough
// Objective

Escape the base directory by injecting ../ sequences in the file parameter to read /flag.txt.
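The missing check, as an added example rather than FileVault's own code (the page does not show its source or language): a naive reader that joins the name to the base directory, beside a hardened one that resolves the path first and rejects anything outside the base. The function names and the temporary `files/`, `files_old/` and `secret/` layout are constructed for illustration.

```python
import os
import tempfile

def read_naive(base_dir, name):
    # Vulnerable pattern: name is joined unchecked, so the OS resolves any
    # "../" segments (or an absolute name) when the file is opened.
    with open(os.path.join(base_dir, name), "rb") as fh:
        return fh.read()

def resolve_inside(base_dir, name):
    """Return the real path of name if it stays under base_dir, else raise."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the check is made.
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so a sibling such as
    # "files_old" is not mistaken for "files" as a startswith() test would.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {name!r}")
    return target

def read_hardened(base_dir, name):
    with open(resolve_inside(base_dir, name), "rb") as fh:
        return fh.read()

def demo():
    """Probe both readers against a constructed files/ + secret/ layout."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        for d, f, data in (("files", "readme.txt", b"public"),
                           ("files_old", "note.txt", b"stale"),
                           ("secret", "flag.txt", b"CONSTRUCTED-PLACEHOLDER")):
            os.makedirs(os.path.join(root, d))
            with open(os.path.join(root, d, f), "wb") as fh:
                fh.write(data)
        results = {"naive": read_naive(base, "../secret/flag.txt")}
        for name in ("readme.txt", "../secret/flag.txt", "../files_old/note.txt",
                     os.path.join(root, "secret", "flag.txt")):
            key = "absolute" if os.path.isabs(name) else name
            try:
                results[key] = read_hardened(base, name)
            except PermissionError:
                results[key] = "rejected"
        return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Resolving first and comparing path components second is what makes the check hold for `../` sequences, absolute names and symlinks alike; filtering the string for `../` does not.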

Toolkit: Browser, curl, Burp Suite