File path traversal, traversal sequences stripped with superfluous URL-decode

Let's access the image.

We can now intercept this request in Burp Suite using the Proxy.

Now, we can forward the request to the Repeater to makes changes in it.

Let's change the filename parameter to the following and forward the request:

../../../etc/passwd

The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.

Original parameter	Stripped parameter
../../../etc/passwd	etc/passwd

We can bypass this by URI encoding the ../../../ character sequence. This way when the server tries to match the pattern, it won't find it because it has been encoded.

Now we can set the filename parameter to the following:

%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd

We have successfully solved the lab.