
I am learning on Tryhackme.com how to circumvent SSRF filter.

There is a website, let's assume it is test.com. test.com has two access points. The first is /private, which is restricted, and the second is /new-user-account, which can be accessed by users to update their avatars. The goal is to access the /private content.


Avatars have links back to /assets, and when I attempt to change the avatar link to /private I get an error message saying /private access is not allowed.


However, the tutorial used a trick here and circumvented the filter.

"As you can see from the error message, the path cannot start with /private but don't worry, we've still got a trick up our sleeve to bypass this rule. We can use a directory traversal trick to reach our desired endpoint. Try setting the avatar value to x/../private"


I am just curious how this x/../private stuff works. How does the server interpret x/../private as /private? This format does not make sense to me.

  • Do you know how directory traversal works? Do you know what `..` means to a file system? – schroeder Sep 01 '22 at 17:02
  • Yes, but I just do not know how x/../private maps to the correct location – userdatagram Sep 01 '22 at 17:29
  • Did you try `y/../private` and `./../private`? If you know what `..` does, then this should be obvious to you. Else the answer is to send you a basic linux file system tutorial. – schroeder Sep 01 '22 at 18:01
  • Welcome to the community. `x/../private` was just an example, where you need to replace `x` with another valid page... This is pretty trivial as well. – Sir Muffington Sep 01 '22 at 18:18

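As an added illustration (not from the question or the TryHackMe room), the snippet below walks a path segment by segment to show why `x/../private` collapses to `/private`, and contrasts the literal prefix check the error message implies with a filter that normalizes the value before comparing it. The `/assets` directory and the blocked `/private` prefix are taken from the question; the function names are mine.

```python
import posixpath
from urllib.parse import unquote

BLOCKED_PREFIX = "/private"
ALLOWED_DIR = "/assets"


def walk(path: str) -> str:
    """Resolve a path the way a file system or router does: each normal
    segment is pushed on a stack, '.' is ignored, and '..' pops the last
    segment. 'x/../private' therefore becomes push x, pop x, push private."""
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def resolve(avatar: str) -> str:
    """Decode percent-encoding, anchor at the site root, and normalize."""
    return posixpath.normpath(posixpath.join("/", unquote(avatar)))


def naive_allows(avatar: str) -> bool:
    """The filter the error message describes: reject the raw string only
    if it literally starts with /private. 'x/../private' passes."""
    return not ("/" + avatar.lstrip("/")).startswith(BLOCKED_PREFIX)


def hardened_allows(avatar: str) -> bool:
    """Normalize first, then decide. Denying /private is not enough on its
    own, so the check also requires the result to stay inside /assets."""
    resolved = resolve(avatar)
    if resolved == BLOCKED_PREFIX or resolved.startswith(BLOCKED_PREFIX + "/"):
        return False
    return resolved == ALLOWED_DIR or resolved.startswith(ALLOWED_DIR + "/")


if __name__ == "__main__":
    for value in ("assets/avatar.png", "/private", "x/../private", "x/%2e%2e/private"):
        print(f"{value!r:22} -> {resolve(value)!r:12} "
              f"naive={naive_allows(value)} hardened={hardened_allows(value)}")
```

Running it prints one line per sample value, which makes it easy to see that `x/../private` and its percent-encoded form resolve to `/private` and are only caught by the normalizing check.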