Path Traversal Lab Walkthrough using Browser Dev Tools - PortSwigger Web Security Academy Series

Captions
Greetings, everyone, and welcome back to my cyber security show. I know it has been a while, but I'm glad to have everybody back here, and a big thank you to the faithful that always tune in, like, and do all that lovely stuff, comment, you know how much I love that stuff. So what are we doing today? Well, I figured it's been a while. Actually, I just got back from Wild West Hackin' Fest, where I got my cool shirt, right, Black Hills, woot woot. Lot of fun up there in South Dakota, and the Black Hills Information Security folks that put on Wild West Hackin' Fest, shout out to them. Go check out John Strand's Antisyphon training because it's awesome. Also got to hang out with great folks and friends of mine like Gerry Auger and Josh Mason from Simply Cyber, super, super great guys, super great stuff, you want to check out their stuff as well. Who else did I hang out with? I saw John Hammond out there, always a great time hanging out with John. We got to, you know, chat a little bit about what's going on in his world, what's going on in mine, and just getting the band back together. It was a lot of fun. Who else did I see? Tons of people. Honestly, I could just go down the list: Heath Adams from TCM, Zach Hill as well, Joe Hudson, I just did a webinar with him today. So it's really like a family community there, so it was a lot of fun. It was very motivating for me to come back, get in the hot seat, make something for you guys.

So what are we doing today? That's the question, and the question is answered with the answer of PortSwigger Academy, or the Web Security Academy, I believe it's called. So PortSwigger, the people that make Burp Suite, let's go check them out. Right here it is. I've got this a little blown up in size because I want you to be able to see it, right, but I've gotten logged in, so definitely create yourself an account. So just go to portswigger.net, create an account. Once you get logged in you'll probably see something more along the lines of "hello there". It is this: you find that Academy button right here, I believe. What it did, I... nope, there it is, right around there, and click that, which will take you to the Web Security Academy, and from there you can start your track.

Now what I thought to do was, hey, there's a few tracks, right, because they want you to get to become, what do they call it? I forget, they've got a name for it. Here we go, right, practice exam. I thought they tell you practitioner. They're trying to get you ready for their Burp Suite certification exam and they have a name for it, but I don't see it anywhere on here, but that's neither here nor there. What we're looking for is this one, the Apprentice. I've started the Practitioner; apparently I got busy and stopped, because that's what happens in my life. And I thought, let's do all... what I want to do is demo all the labs. Let's do a walkthrough for all the labs in the Apprentice track, because that's all the basic stuff, and this is going to be great for you noobs out there. That's not pejorative, right, that's not a slight on you to be a noob. I'm a noob at a lot of things, you're a noob, we're all noobs in some way, shape or form. Let's just embrace our noob and move on and leave it behind once we've learned something new, right? And that's what we want to do. So that's what I want to do with this. I thought that'd be a lot of fun and a way for me to give back to the community, because I'm all about trying to help people level up, skill up, get better, faster, stronger, and the PortSwigger Web Security Academy is a phenomenal resource to get you going in web app pentesting or bug bounty and that kind of stuff, right?

So once you get all logged in, you've got your account and everything squared away, you just start that track, that Apprentice track. I'm going to hit resume, and like I said, I'm not going to go through the learning modules, I am going to do all the labs. And from here we have our first lab, and this is the file path traversal, simple case, which is cool. Now, a couple of ways in which you could solve this: you can use something like PortSwigger Burp Suite Community, or if you have Burp Suite Pro, knock this out. If you've got Burp Suite Pro I assume you're probably already pretty squared away on how to do this kind of thing, maybe not, but most likely, because paying money for a tool you don't know how to use or the concepts behind it doesn't make a lot of sense. So you're probably using Burp Suite Community, which is preloaded in Kali Linux, I think it's preloaded in Parrot and other pentesting distros, other security-focused Linux distributions. It runs on Windows, you can slap it on anything, right? So go grab that if you don't have it and let's get rocking. But what I'm going to use is just the web browser itself to solve this.

All right, so I'm going to hit the... oh, there's some reading to do. Don't forget to read, always read. And it does say this lab contains a path traversal vulnerability in the display of product images. Very important. So yeah, they're going to hold our hand a little bit, but that's fine, right, trying to get started, get our feet wet, nothing wrong with that. But we have some help: we know this is going to be a path traversal vulnerability because it says so right there, and we know it's going to be in the display of product images. Normally you're going to have to, like, scour through stuff, look at code, source code, you know, right click, view source, that kind of stuff, proxying everything through Burp Suite or ZAP or whatever you have, and looking for that piece of knowledge and figuring out, oh, this might be a path traversal. But here we have that handholding thing, but that's fine. To solve the lab, retrieve the contents of /etc/passwd. As we should know, /etc/passwd is the file in *nix-type systems, so Unix and Linux, macOS runs BSD I believe under the hood, this is a Unix variant or it is UNIX if I'm not mistaken, anyway, and that file, that /etc/passwd, so in the /etc directory there's a file called passwd, or password, and that file contains all the users for that system. It's typically world-readable, not world-writable. If you find it writable, boy, you found a good thing, well, you found a bad thing, which is a good thing if you're a pentester or something, a bad thing for that organization.

So we're going to hit "Access the lab". Access, I feel like that's a weird word. Access, access, okay, access the lab, access the lab, how do you say that? My brain is going crazy. And here we have a shop, an e-shop, right. You've got high-end gift wrapping at $19539 and "Occupy the" whatever, "the Mind", but that's not what I'm here for. I'm here to do a path traversal, right, so there's going to be a lot of dot-dot-slashy stuff. I'm gonna hit view details and this opens the page for this product, which is high-end gift wrapping, I guess it's a service. And okay, now sometimes you might see this up in the URL right here in the address bar, there might be like image equals, or file equals, or something equals, and we do see productId=1 right around this region, right, and that could be it. I mean, heck, well, you know, we can just try it here: ../../ whoa, too many dots, Daniel. ../../../../../ you're like, whoa, getting crazy with the dot-dot-slashes, kid, what are you doing? I'm just trying to make sure that I back up far enough, because I don't know where I am in this tree, okay? So you can't have too many, it won't hurt, so just get buck wild with the dot-dot-slashes just to make sure you get out of there. And then from there, you know, you do your file. The one I'm looking for, I'm actually going to go with hosts so I don't solve the thing yet. I'm going to do hosts, hit enter, and you'll notice I'm not getting there. I can hit raw data and, you know, it's just telling me, hey, this wasn't right, I don't know what you're doing. I'm like, okay, my bad. So I know it's not that. It might be SQL injection, I don't know, but that's not what we're here for. That's another video, right, we'll get there.

So if it's not there, remember, it said it was in the product, right? If we go back to this here, right, not the product, yeah, the product image, in the display of the product image. Now, if I was using something like Burp Suite, like a pro, like an attack proxy, Zed Attack Proxy from OWASP, something to that effect, I could be looking at my HTTP request history and seeing all that stuff, and I would also see the returns that come back, the things that are returned to us. Obviously, when we requested this page it returned an image. That sounds a lot like what they were just telling us, so I want to know what that is. What I can do is right click on this image and click Inspect. That will open up the web developer tools, and if you're in Chrome it'll be similar but different, right? It should be similar enough that you're probably able to follow the bouncing ball. I'm not a Chrome user, I don't really like Chrome that much. I've been using Firefox forever, so that's what I'm using. You'll notice it highlighted the line of the image. This is basically the code where it's calling for that image to be displayed in the page, and I can see that here: image source, here's the HTML or JavaScript, img src equals, I guess this is HTML, equals image question mark, which means a query for a filename, and that filename equals 53.jpeg. And that 53.jpeg file is this image of this bike, right, you see it pops up if you hover over it. What if we change that to a different file right here and then resend? Will that work? Let's find out. So I will just double click on that and I will come over and I will remove 53.jpeg and type in ../../../../../ and then dot, wait for it, dot, and then finally another slash. Again, an arbitrary amount of dot-dot-slash, just trying to back my way out of whatever directory I'm in so that I can go back down into /etc and grab that hosts file. Hit enter. You'll notice it redid the page here, but I don't seem to be seeing an /etc/hosts file. Actually, I see this broken link, ah, for the image, right, the image didn't display. Like, dang, okay. Well, let's view page source, see if anything's in there, and yeah, it just shows me that same source code of filename=53.jpeg. Okay, so that didn't work. That's cool. By the way, I didn't prep this, I don't remember exactly where... I do know where my next stop is, though.

Since that did not exactly work for me, I'm going to run over here to this Network tab, right around this region, click on that, and you'll notice there is that file. And all I'm going to do is refresh the page so that it reloads. I want to see all the stuff, I want to see all that goodness coming here, and I can see that it threw this. Now I am probably highlighting Images, but normally you'll probably be on All and it'll show you everything that got requested when you clicked to go to that link, all the pages that got requested, came from there. And you'll notice I got this right here, this little lovely GET request for that file. So if I right click on it, I believe it has, yep, right there, Edit and Resend. I want to edit that and resend. Yes, enhance. So now you just click on that, I'll remove 53.jpeg and of course ../ and then /etc/ and, heck, I'll go for it, why not, passwd, and hit send. Then we'll come over here, we will look at this, there's the request headers, and I think what I want to do here is go to the request, no, I want to see the response, which gave me that, which did not work. Interesting. So that tells me I need to intercept that request. I thought I did this with the... this has been a while since I've done this, by the way, but I could have sworn I was able to do this without a proxy, but maybe I don't, maybe I absolutely need that proxy. Oh wait, look at that, this says "lab solved" right here. So it actually did work, but we didn't get to see it, right? It says congratulations, you solved the lab. Yay. So this actually works as far as solving the lab, but we don't actually get to see what we did, at least I can't see where we could see it. What if I right click, view page source, will that show up? No, it still shows that filename, but that's cool. I really just wanted to see that come back and not just give me this. I don't know why it's doing that. There's probably some... trying to think of something. Yeah, who are we to look a gift horse in the mouth, though, right? We did solve the lab. Congratulations. Very anticlimactic, but a win nonetheless. What I'll do, because I want to see this done differently, I'll come back, I'll make another video, we'll see how to do it with an attack proxy like Burp Suite, so definitely stick around for that. But other than that, hey, look at us, we are winners of the day. We have defeated the worthy foe that was path traversal. We climbed up Mount Path, traversed back down, and found that passwd file. It probably actually worked when we did it in the inspector, but since I didn't go for /etc/passwd and I went for /etc/hosts instead, it didn't register as being a win, but it was. And that's a really good lesson for us to take away: just because you think something didn't work doesn't mean it didn't work. You might just have done it, you just might not realize you've done it. It does happen from time to time. So that's an interesting thing. Like I said, if you're a newbie, you're looking at nothing and going, oh, it didn't work. Maybe it did, and that's why it can be helpful to be able to use multiple different tools to see if that stuff has actually worked, or if it's working or not. So I will make another video, like I said, but this time we'll use Burp Suite to solve the same problem, or the same lab, and see if we can actually see anything and visualize our win a little bit better.

That said, all right everyone, thanks for watching. I don't want to keep you too long, and it's been a lot of fun, it's been great getting back in the seat there, so I look forward to seeing you in the upcoming, you know, series here. Until then, keep hacking.
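The image handler the walkthrough is probing, the check that would have stopped it, and a detector over request lines like the ones the Network tab showed, as an added example that is not part of the video or the lab (the images directory, the sample request lines and all function names are assumptions):

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout (not from the lab): product images live under this directory.
IMAGE_ROOT = "/var/www/images"


def vulnerable_image_path(filename: str) -> str:
    """The pattern the lab exploits: the query value is joined onto the image
    root with no check, so '../../../etc/passwd' walks straight out of it."""
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))


def safe_image_path(filename: str):
    """Hardened version: resolve the (already URL-decoded) value, then insist the
    result is still inside IMAGE_ROOT. Returns None for anything that escapes,
    including an absolute '/etc/passwd', which join() would otherwise honour."""
    resolved = posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))
    if resolved == IMAGE_ROOT or not resolved.startswith(IMAGE_ROOT + "/"):
        return None
    return resolved


# Constructed request lines in the "METHOD /path?query" shape the browser's
# Network tab shows; the third one is the %2F-encoded form of ../../../etc/hosts.
SAMPLE_LOG = """\
GET /image?filename=53.jpeg
GET /image?filename=../../../etc/passwd
GET /image?filename=..%2F..%2F..%2Fetc%2Fhosts
GET /product?productId=1
GET /image?filename=/etc/passwd
"""


def flag_traversal(log_text: str) -> list:
    """Return the request lines whose filename parameter would resolve outside
    IMAGE_ROOT. parse_qs URL-decodes first, so encoded slashes are caught too."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"^\w+\s+(\S+)", line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        if any(safe_image_path(v) is None for v in params.get("filename", [])):
            hits.append(line)
    return hits
```

Note that the encoded attempt only trips the check because decoding happens before normalisation; a filter that looks for a literal `../` in the raw URL would miss it.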
Info
Channel: Daniel Lowrie
Views: 5,696
Keywords: portswigger, burpsuite, owasptop10, owasp, websecurity, webapplicationsecurity, bugbounty, hacking, hacker, cybersecurity, informationsecurity, infosec, kali, kalilinux, parrotos
Id: rY-7gT4S048
Length: 16min 16sec (976 seconds)
Published: Fri Oct 27 2023