Info:
This lab contains a path traversal vulnerability in the display of product images.
The application validates that the supplied filename ends with the expected file extension.
Goal:
To solve the lab, retrieve the contents of the /etc/passwd file.
This lab contains a file path traversal vulnerability, where the application only allows file names ending in .png. The goal is to retrieve the contents of the /etc/passwd file.
The application checks that the user-supplied filename ends with .png, but it does not handle null byte injection correctly.
A null byte (%00) is treated in low-level languages like C as the "end" of a string. If we insert %00 before .png, the filename still passes validation, but the system ignores everything after the null byte.
We trick the application by including .png after a null byte, but the server only processes the part before %00.
../../../etc/passwd%00.png
This satisfies the .png check.
But due to the null byte, the server opens:
../../../etc/passwd
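
The mismatch described above, shown as an added example in C (not code from the lab or its application): a suffix check over the full decoded value passes, a NUL-terminated file API would see only the part before the null byte, and a stricter check rejects the value. The function names and the sample buffer are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak check, as the lab describes it: only the last four bytes of the
 * length-counted, URL-decoded value are inspected. */
bool weak_check(const char *name, size_t len) {
    return len >= 4 && memcmp(name + len - 4, ".png", 4) == 0;
}

/* Length of the path a NUL-terminated C file API would actually use. */
size_t c_api_path_len(const char *name) {
    return strlen(name);
}

/* Stricter check: reject embedded NUL bytes, directory separators and
 * ".." sequences before applying the extension check. */
bool strict_check(const char *name, size_t len) {
    if (len < 5 || len > 255) return false;
    if (memchr(name, '\0', len) != NULL) return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '/' || c == '\\') return false;
        if (c == '.' && i + 1 < len && name[i + 1] == '.') return false;
    }
    return weak_check(name, len);
}

/* Constructed sample: the decoded form of the value shown on this page. */
static const char decoded[] = "../../../etc/passwd\0.png";
#define DECODED_LEN (sizeof(decoded) - 1)

int main(void) {
    printf("weak check passes:   %d\n", weak_check(decoded, DECODED_LEN));
    printf("bytes validated:     %zu\n", (size_t)DECODED_LEN);
    printf("bytes the C API uses: %zu\n", c_api_path_len(decoded));
    printf("strict check passes: %d\n", strict_check(decoded, DECODED_LEN));
    return 0;
}
```

The gap between the number of bytes validated and the number of bytes the file API uses is the whole issue; rejecting any embedded null byte closes it regardless of the extension check.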