📋 BRIEFING
⚠ CLASSIFIED — PENETRATION TEST

MISSION BRIEFING

Module 3  |  Directory Traversal Attack
Scenario
You have gained access to a corporate internal network. An internal document portal called IntraDoc is running on the network.

Initial reconnaissance suggests the application passes filenames directly into the server's file system without proper sanitisation — a classic directory traversal vulnerability. Your objective is to exploit it and exfiltrate sensitive credentials stored outside the web root.
Objectives
1. Identify the vulnerable ?file= parameter in the IntraDoc portal.
2. Use ../ traversal sequences to escape the document root.
3. Locate and read the credentials file containing the ADMIN_API_KEY.
4. Submit the exfiltrated key via the Incident Report application.
Tools Available
🌐 Web Browser: Navigate and manipulate the target application URL
📝 Notepad: Take notes, record paths and findings
📋 Incident Report: Submit your exfiltrated API key for grading
📖 Reference Manual: Directory traversal syntax and encoding guide
Target: http://intradoc.lab
🎯 Assignment Goals
1. Identify the vulnerable file parameter in the web application.
2. Use directory traversal to escape the document root.
3. Locate and read the file that contains the API key.
4. Submit the admin API key via the Incident Report app.
Target application: http://intradoc.lab
This is an internal document portal running on the lab network.

INTRADOC PORTAL

Internal document management system — v2.1.4  |  Running on DocServe/1.4

Welcome to IntraDoc. Browse available documents below or use the navigation above.

📊 Q3 Summary: Quarterly performance report (?file=reports/q3_summary.txt)
📋 IT Policy: Information technology guidelines (?file=docs/it_policy.txt)
🗂️ Onboarding Guide: New employee documentation (?file=docs/onboarding.txt)
🔌 Network Audit: Infrastructure assessment (?file=reports/network_audit.txt)
👥 HR Handbook: Human resources policies (?file=docs/hr_handbook.txt)
📝 Changelog: Application version history (?file=docs/changelog.txt)

404 — FILE NOT FOUND

The requested file could not be located on this server.

Try a different path or return to the document list.


403 — ACCESS DENIED

Direct access to this resource is not permitted.

Hint: Try adjusting the number of ../ sequences or check the file path.

NOTEPAD — submission.txt
Paste the ADMIN_API_KEY value from credentials.conf and submit
REFERENCE MANUAL — DIRECTORY TRAVERSAL
QUICK REFERENCE GUIDE
▶ What is Directory Traversal?

A directory traversal vulnerability allows an attacker to read files outside the intended web root by manipulating file path parameters using ../ sequences to "walk up" the directory tree.

▶ Basic Traversal Sequences
../ — go up one directory
../../ — go up two directories
../../../ — go up three directories
../../../../ — go up four directories
▶ URL Encoding (Alternative Method)
. → %2e
/ → %2f
../ → %2e%2e%2f OR %2e%2e/
../ → ..%2f (partial encoding)

Both raw and encoded traversal may work depending on how the server sanitizes input.
▶ Example Attack URL
http://target.lab/view?file=../../../../etc/passwd
▶ Linux File System Layout
/ — filesystem root
/etc/ — system configuration
/var/www/html/ — typical web root
/home/ — user home directories
/tmp/ — temporary files
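As an added defender-side example (not part of the lab or of the IntraDoc application), the Python check below shows how a ?file= handler can confine a requested path to the document root and refuse the raw and URL-encoded traversal variants listed in this guide; the document root path, the function names and the sample requests are assumptions for the example.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Assumed document root for this example; IntraDoc's real layout is not known.
DOC_ROOT = Path("/var/www/html/docs")


def resolve_document(file_param, doc_root=DOC_ROOT):
    """Map a raw ?file= value to a path strictly inside doc_root.

    Returns the resolved Path, or None when the request must be refused.
    Decoding happens before any check, so %2e%2e%2f, %2e%2e/ and ..%2f are
    treated exactly like a raw ../ instead of slipping past a filter that
    only looks for the literal string "../".
    """
    decoded = unquote(file_param)
    if unquote(decoded) != decoded:
        return None  # double-encoded input (e.g. %252e): refuse rather than keep decoding
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL bytes and Windows-style separators are never legitimate here
    pure = PurePosixPath(decoded)  # collapses "./" but keeps ".." components visible
    if pure.is_absolute() or ".." in pure.parts:
        return None  # lexical check: no absolute paths, no parent references
    root = doc_root.resolve()
    candidate = (root / pure).resolve()  # follows symlinks; non-strict, so missing files still normalize
    if candidate == root or root not in candidate.parents:
        return None  # empty request, or a symlink inside the root that points outside it
    return candidate


def is_traversal_attempt(file_param):
    """Detection helper for request logs: True when the value would be refused."""
    return resolve_document(file_param) is None


if __name__ == "__main__":
    # Constructed sample requests: the portal's own links plus the guide's encodings.
    samples = ("reports/q3_summary.txt", "docs/it_policy.txt",
               "../../../../etc/passwd", "%2e%2e%2fetc/passwd",
               "..%2f..%2fetc/passwd", "%252e%252e%252fetc/passwd", "/etc/passwd")
    for value in samples:
        verdict = "REFUSED" if is_traversal_attempt(value) else "served"
        print(f"{value!r:36} -> {verdict}")
```

Frameworks that hand the handler an already-decoded query value still benefit from the lexical and containment checks; the decode step then only catches values that were encoded twice.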
INCIDENT REPORT — SUBMISSION
🔐 Vulnerability Findings
Directory Traversal — Credential Exfiltration
Vulnerability Type
Target Application
Exfiltrated Credential — ADMIN_API_KEY