# Just Explore! - 0byteCTF 2023
## Description
Just explore and find a vulnerability innit :)
http://0x7e7ctf.zerobyte.me:49723/
## Solution
The website looks like the image below.

When I clicked the explorer link, it showed all the files in the explorer directory.

There is nothing particular in this explore directory. Maybe the vulnerability in this website is path or directory traversal, because the challenge name itself is Just Explore!. I assume that we can explore the directories and all files of this web server. To make sure that this website is indeed vulnerable to path traversal, I tried to read the content of `/etc/passwd` using this method:
```
../../../etc/passwd
```
But it seems that I can't use this method. Maybe information about the web server behind this challenge will help me get the path traversal to work. To get the web server name of this website, we can take a look at the response headers.

After some searching, I found an article about NGINX alias traversal [here](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/). In NGINX, an alias serves as a replacement for a specified file or directory. But if the alias is misconfigured in the NGINX configuration file, it can lead to attacks similar to path traversal, where an attacker can read other sensitive information. To test whether the web server is vulnerable to alias traversal, I used this URL to query the web server.
```
http://0x7e7ctf.zerobyte.me:49723/explore../
```
After I used the above URL, the web server responded with its root directory.

Time to start looking for the flag location on this website. After some digging, I found that the flag is located at `/usr/share/flag.txt`.
```
http://0x7e7ctf.zerobyte.me:49723/explore../usr/share/flag.txt
```
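
To audit a configuration for the alias misconfiguration described above, the following added example (not code from the challenge or from NGINX) flags `location` prefixes that lack the trailing slash their `alias` has, and shows how such a prefix maps a request path. The sample config, the `/data/` alias path and the function names are assumptions, since the challenge's real `nginx.conf` is not shown on the page.

```python
import posixpath
import re

# Constructed sample config (assumed; the challenge's real nginx.conf is not on the page).
SAMPLE_CONF = """
server {
    location /explore {
        alias /data/;
        autoindex on;
    }
    location /static/ {
        alias /srv/static/;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+(?:\^~\s+)?(/[^\s{]*)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")


def resolve_alias(location, alias, uri):
    """Mimic a prefix location with alias: swap the matched prefix for the alias path."""
    if not uri.startswith(location):
        return None  # this location does not handle the request at all
    # normpath stands in for the OS resolving ".." when the file is opened.
    return posixpath.normpath(alias + uri[len(location):])


def find_risky_aliases(conf_text):
    """Return (location, alias) pairs where alias ends in '/' but the location prefix does not."""
    findings = []
    for location, body in LOCATION_RE.findall(conf_text):
        match = ALIAS_RE.search(body)
        if match and match.group(1).endswith("/") and not location.endswith("/"):
            findings.append((location, match.group(1)))
    return findings


if __name__ == "__main__":
    for location, alias in find_risky_aliases(SAMPLE_CONF):
        print(f"risky: location {location} -> alias {alias}; fix: location {location}/")
        print("  /explore../ maps to", resolve_alias(location, alias, "/explore../"))
```

With the prefix corrected to `location /explore/`, a request path beginning with `/explore../` no longer matches the location, so the alias substitution never happens.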

## Flag
`0byteCTF{P4th_Tr4v3rS4L_ThRu_Ng1nX_M1sC0nf1g_4l14s}`