Traversing the path to $5000 in Help
Hello readers,
It has been some time since I last posted on my blog, because I have been busy working on and reviewing my course “Be a Bug Bounty Hunter”. It was scheduled to release earlier, but due to the publisher it is under extensive review. So I thought, why not blog about a great and peculiar path traversal I found some time ago? I am not going to disclose the website I found it on, so let's call it vulntome.com.
A path traversal vulnerability is one that allows an attacker to access files and directories outside the web root folder, by manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths.
The first thing I do when looking for bugs in websites is never to look for flaws in the main domain, and that was the case in this scenario too. I dug up some subdomains of vulntome.com and found that most of them were static. However, one of them, help.vulntome.com, was not static.
Normally when testing for path traversal we try to find a dynamic parameter that fetches files, and use it to reach files outside the web root folder, as in the examples below.
http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html
But that was not the case here, because help.vulntome.com had no dynamic parameter. However, there were URLs in the source of the webpage that looked rather peculiar, which indicated that the paths could be traversed.
http://help.vulntome.com/@app/skin/views//
Now the goal is to find a sensitive file such as /etc/passwd using path traversal. The simpler ways of doing that look like this:
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../some dir/some file
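As an added example (not code from the original post), here is how a file-fetching endpoint like the get-files?file= ones above can be made to refuse these traversal payloads, in Python. The web root /var/www/files, the function names and the sample requests are assumptions for illustration. The approach is to percent-decode the parameter repeatedly, normalise backslashes to slashes, resolve the result against the web root and serve it only if the canonical path is still inside the root.

```python
import os
from urllib.parse import unquote

# Assumed web root for the example; any directory works, it need not exist.
WEB_ROOT = "/var/www/files"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded %255c still becomes a backslash."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(root: str, requested: str):
    """Return the canonical absolute path for `requested` if it stays inside
    `root`, otherwise None. `requested` is the raw value of a file parameter."""
    root = os.path.realpath(root)
    rel = fully_decode(requested).replace("\\", "/")  # treat \ like / (the %5c trick)
    if "\x00" in rel:        # a NUL would truncate the path in C-based file APIs
        return None
    if rel.startswith("/"):  # an absolute path is never a valid file parameter
        return None
    candidate = os.path.realpath(os.path.join(root, rel))  # collapses every ".."
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def is_safe_request(root: str, requested: str) -> bool:
    """True only when the request resolves to a path inside the root."""
    return resolve_under_root(root, requested) is not None


if __name__ == "__main__":
    # Constructed sample parameter values, including the traversal shapes from this post.
    for req in ["report.pdf", "../../../../etc/passwd",
                "%5c../%5c../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:32} -> {resolve_under_root(WEB_ROOT, req)}")
```

The check is done on the canonical path rather than by string-matching for ../, so encoded, backslash-based and mixed variants are all handled by the same rule: either the resolved file is under the root or it is not served.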
Since this was one of the best helpdesk software products in the world, I knew it would not be this simple. The indications were that:
“/” returned a 404
“/%5c” returned an empty page
So now the goal was to traverse directories backwards; on Linux “..” is used to go up one directory. So I started iterating:
http://help.vulntome.com/@app/skin/views/%5c../etc/passwd.html
http://help.vulntome.com/@app/skin/views/%5c../%5c../etc/passwd.html
And so it went on. Before I knew it, this returned the file:
http://help.vulntome.com/@app/skin/views/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd.html
Note: the real /etc/passwd file is not shown for privacy reasons.
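The %5c../ payloads above are the URL-encoding of \.., so a detection rule that only looks for the literal string ../ in the raw request line would miss them. As an added example that is not part of the original post, the following Python decodes each request target before checking for a .. segment in either the path or the query string. The access-log lines are constructed, the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the log format, status codes and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined log format); not from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /@app/skin/views/ HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /@app/skin/views/%5c../etc/passwd.html HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /@app/skin/views/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd.html HTTP/1.1" 200 1834
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /help/articles/index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /get-files?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded variants (%252f, %255c) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_target(target: str) -> str:
    """Decoded request target with backslashes treated as path separators."""
    return fully_decode(target).replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path or query component of the request target is a '..' segment."""
    return ".." in re.split(r"[/?&=;]+", normalize_target(target))


def find_traversal_attempts(log_text: str):
    """Parse each log line and return the requests that contain a traversal segment.
    The status code is kept because a 200 on such a request is the one to triage first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["target"]):
            continue
        hits.append({"ip": m["ip"], "status": m["status"],
                     "decoded": normalize_target(m["target"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["status"], hit["ip"], hit["decoded"])
```

Run against the sample, three of the five lines are flagged; the one that answered 200 with a non-zero body is the request that actually succeeded and is the one worth alerting on. The 404s and 403s are still useful as early signs of probing from the same source.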
The program was on HackerOne, so I reported it through their platform. The program's security team was quick to respond and rewarded a good sum for it.
It's always in the strangest of places that you find the most critical bugs. I will be blogging more soon enough, guys. Stay tuned!