info :

This lab contains a path traversal vulnerability in the display of product images.

The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.

Goal :

To solve the lab, retrieve the contents of the /etc/passwd file.


🧠 Lab Overview:

This lab contains a file path traversal vulnerability, but with an extra layer of input sanitization. Specifically, the application:

  1. Checks the filename parameter for path traversal sequences such as ../ and strips or rejects them (the lab description says it blocks such input; either way, the check runs on the string as it arrives).
  2. Then performs a second URL-decode on the checked value. This decode is superfluous because the web server has already decoded the query string once before the application sees it.

The goal is to read the contents of the /etc/passwd file using a crafted filename input.


🌟 Vulnerability Insight:

The traversal check runs before the application's own URL-decode, so it only ever sees the literal characters ../. An input in which the slash is still percent-encoded when the filter inspects it contains no such sequence and is let through; only afterwards does the application's decode turn it into ../, and by then nothing checks the result before it is used to open the file.

Because the web server already URL-decoded the query string once before the filter ran, a single-encoded %2f would have become / by the time the check sees it and would be caught. The slash therefore has to be encoded twice: %252f reaches the filter as %2f (harmless) and becomes / only after the application's second, superfluous decode.

✅ Exploit Strategy:

We need to send an input that contains no literal ../ when the filter inspects it, but becomes ../ after the application's own URL-decode. Double URL-encoding the slash does exactly that: ..%252f passes the filter as ..%2f and decodes to ../ inside the application. Repeating it enough times to climb from the image directory to the filesystem root and appending etc/passwd gives a payload that the server resolves to /etc/passwd and returns in place of an image.
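The following Python model of the lab's handler is an added example and not code from the lab or from PortSwigger. It reproduces the decode-check-decode ordering described above, shows why the raw and single-encoded payloads are caught while the double-encoded one reaches /etc/passwd, and places a hardened handler beside it. The image directory /var/www/images, the parameter name filename and the web server's initial decode are assumptions made for the model, not facts the lab states.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Directory the image handler serves from (assumed; the lab does not disclose it).
IMAGE_DIR = "/var/www/images"


def double_encoded_traversal(target: str, depth: int = 3) -> str:
    """Build the payload for the (assumed) filename parameter.

    Each slash of ../ is encoded twice (%252f) so that one decode by the web
    server leaves ..%2f, which contains no literal ../ for the filter to see.
    """
    return "..%252f" * depth + target.lstrip("/")


def vulnerable_lookup(raw_param: str) -> Optional[str]:
    """Model of the lab's handler. Returns the path it would open, or None
    when the traversal filter rejects the input.

    Stage 1 (assumed): the web server URL-decodes the query string once.
    Stage 2: the application rejects input still containing ../.
    Stage 3: the application URL-decodes a second time (the superfluous decode).
    Stage 4: the result is joined to the image directory and opened.
    """
    once = unquote(raw_param)                 # stage 1: web server decode
    if "../" in once:                         # stage 2: literal-string filter
        return None
    twice = unquote(once)                     # stage 3: superfluous decode
    return posixpath.normpath(posixpath.join(IMAGE_DIR, twice))  # stage 4


def hardened_lookup(raw_param: str) -> Optional[str]:
    """Fixed handler: decode exactly once, canonicalise, then verify that the
    resolved path is still inside IMAGE_DIR. No string filter is needed
    because the check runs on the final path rather than on the raw input.
    """
    once = unquote(raw_param)
    candidate = posixpath.normpath(posixpath.join(IMAGE_DIR, once))
    if candidate == IMAGE_DIR or not candidate.startswith(IMAGE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a normal image name, the raw traversal, the
    # single-encoded traversal and the double-encoded payload.
    for payload in ("42.jpg",
                    "../../../etc/passwd",
                    "..%2f..%2f..%2fetc/passwd",
                    double_encoded_traversal("/etc/passwd")):
        print(f"{payload:40} vulnerable -> {vulnerable_lookup(payload)}")
        print(f"{'':40} hardened   -> {hardened_lookup(payload)}")
```

Run stand-alone, the script shows the raw and single-encoded traversals stopped by the filter, the double-encoded payload resolving to /etc/passwd in the vulnerable handler, and the hardened handler treating that same payload as a harmless filename inside the image directory. The design point of the fix is to validate the canonical path after all decoding has happened, rather than to search the raw input for a forbidden string.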