Breaking Paths & Bypassing Filters: A Journey Through Path Traversal


Introduction
Today, I'm sharing my hands-on adventure through a real-world lab from PortSwigger's Web Security Academy, where I successfully exploited a Path Traversal vulnerability to read the sensitive /etc/passwd file. If you've ever wondered how to sneak past file path filters or what double URL encoding can do for your hacking game, this one's for you.
The Lab Scenario
Lab Name: File path traversal, validation of start of path
In this challenge, the application allowed users to retrieve images from a server via a URL like this: GET /image?filename=smile.jpg
Our goal? Trick the server into reading files outside of the image directory — particularly, the classic Linux file: /etc/passwd.
Understanding Path Traversal
Path traversal (or directory traversal) is a vulnerability that lets an attacker access files and directories that are stored outside the intended folder. This is often achieved using sequences like: ../ (dot dot slash)
These sequences climb up the directory structure — like walking out of a room, going back into the hallway, and sneaking into a locked file room. 🕵️
The Obstacle Course: Filters and Sanitization
Web applications often sanitize user input to prevent attacks. In our case, basic ../ payloads didn't work:
GET /image?filename=../../../etc/passwd
This resulted in a 400 Bad Request or a response like: "No such file"
That's when I remembered a classic evasion technique: double URL encoding.
The Payload That Broke Through
After trying multiple bypass techniques, I used this payload:
GET /image?filename=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
Decoded once, it becomes: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Decoded again, it turns into: ../../../etc/passwd
Boom! The server processed the path and responded with a beautiful dump of the /etc/passwd file:
root:x:0:0:root:/root:/bin/bash
...
peter:x:12001:12001::/home/peter:/bin/bash
academy:x:10000:10000::/academy:/bin/bash
Success!
What I Learned
Encoding is your friend: Filters that block ../ might not block %2e%2e%2f, and definitely might not block double-encoded versions.
Think in layers: If one decoding cycle blocks you, try sneaking in with two.
Automation helps: Burp Intruder is your ally. You can fuzz payloads to see which ones break through.
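To make the decoding steps above and the "think in layers" lesson concrete, here is an added Python example that is not part of the original post or of the PortSwigger lab. It peels the double-encoded payload one URL-decoding layer at a time, models a filter that checks for ../ after only one decode (the kind of filter this payload slips past), and then shows the defender's fix: decode exactly once, refuse anything that still looks encoded, canonicalize the path, and require the result to stay inside the image directory. The image directory /var/www/images and the idea that the back end decodes a second time are assumptions for the demonstration, not facts stated by the post.

```python
import os
from urllib.parse import unquote

# Assumed image directory; the post does not name it.
IMAGE_DIR = "/var/www/images"

# Payloads quoted in the post, plus the benign filename from the lab URL.
PLAIN = "../../../etc/passwd"
DOUBLE = "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"
BENIGN = "smile.jpg"


def decode_layers(value):
    """Return the successive URL-decodings of value until it stops changing.

    For DOUBLE this yields three layers: the raw parameter, the single-encoded
    form (%2e%2e%2f...), and finally the plain ../../../etc/passwd."""
    layers = [value]
    while True:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            return layers
        layers.append(nxt)


def naive_filter_allows(filename):
    """Filter modelled on the one the post describes (an assumption about the
    lab, not its real code): the web server has URL-decoded the parameter once,
    and the filter rejects '../' in that value without looking any deeper.
    After one decode the double-encoded payload contains no '../' at all."""
    once = unquote(filename)
    return "../" not in once


def resolve_like_vulnerable_server(filename):
    """Assumed back end that decodes a second time before building the path.
    This is the behaviour that turns the filter bypass into a file read."""
    twice = unquote(unquote(filename))
    return os.path.normpath(os.path.join(IMAGE_DIR, twice))


def safe_resolve(filename, base_dir=IMAGE_DIR):
    """Hardened lookup. Returns the canonical path to open, or None to reject.

    - decode exactly once, then refuse values that still contain '%' (a second
      encoding layer) or a NUL byte
    - canonicalize with realpath so '..' segments and symlinks are resolved
    - accept only paths that remain under base_dir; absolute paths such as
      /etc/passwd are rejected because os.path.join discards base_dir for them
    """
    once = unquote(filename)
    if "%" in once or "\x00" in once:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, once))
    if target != base and not target.startswith(base + os.sep):
        return None
    return target


if __name__ == "__main__":
    for i, layer in enumerate(decode_layers(DOUBLE)):
        print(f"decode x{i}: {layer}")
    for name in (PLAIN, DOUBLE, BENIGN):
        print(f"{name!r}: naive filter allows={naive_filter_allows(name)}, "
              f"vulnerable resolves to={resolve_like_vulnerable_server(name)}, "
              f"safe_resolve={safe_resolve(name)}")
```

The key difference is where the decision is made: the naive filter inspects the parameter at one encoding depth and trusts that nothing downstream decodes again, while safe_resolve decides on the final canonical path, so the number of encoding layers an attacker stacks no longer matters. Rejecting any remaining '%' is a deliberate strictness choice for an image lookup; if real filenames may legitimately contain a percent sign, keep the canonical-path containment check and drop that one condition.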
Tips for Your Own Journey
Build a personal payload vault with different encoding formats.
Practice decoding manually so you understand the logic.
Don’t memorize payloads — memorize strategies.
Always test different encoding depths: normal, URL-encoded, double-encoded.
Final Words
This challenge was more than a lab. It was a dance with filters, a battle with encoding, and a moment of triumph when the terminal whispered secrets from /etc/passwd. 🎉
Hack smart. Hack ethically. And always outthink the filter.
~ Xoryush
Written by Ayush Sharma