Difficulty: easy

Level 6: Server Fingerprinting (No Server Header)

Category: Recon

Challenge Description

The origin hides its Server header. Determine which web server powers this app anyway.
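Added example, not code from the challenge or its authors: a small offline classifier that does what the hint suggests, reading a 405 response (for instance from an unexpected HTTP method against /probes/methods) and matching the remaining headers and the default error page against per-server tells, because stripping the Server header does not change the stock error body or the reason phrase. The three sample responses are constructed here, not captured from the challenge server; the signatures model the stock nginx, Apache httpd and IIS error pages as I know them and should be treated as heuristics to refresh against a current build.

```python
import re

# Constructed sample 405 responses (NOT captured from the challenge server). Each models
# a common server's stock error page after a proxy has stripped the Server header.
SAMPLES = {
    "nginx": (
        b"HTTP/1.1 405 Not Allowed\r\n"
        b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Content-Type: text/html\r\n"
        b"Connection: keep-alive\r\n\r\n"
        b"<html>\r\n<head><title>405 Not Allowed</title></head>\r\n<body>\r\n"
        b"<center><h1>405 Not Allowed</h1></center>\r\n"
        b"<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
    ),
    "apache": (
        b"HTTP/1.1 405 Method Not Allowed\r\n"
        b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Allow: GET,POST,OPTIONS,HEAD\r\n"
        b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
        b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
        b"<title>405 Method Not Allowed</title>\n</head><body>\n"
        b"<h1>Method Not Allowed</h1>\n"
        b"<p>The requested method TRACE is not allowed for this URL.</p>\n"
        b"</body></html>\n"
    ),
    "iis": (
        b"HTTP/1.1 405 Method Not Allowed\r\n"
        b"Content-Type: text/html\r\n"
        b"Allow: GET, HEAD, OPTIONS, TRACE\r\n"
        b"X-Powered-By: ASP.NET\r\n\r\n"
        b"<!DOCTYPE html><html><head><title>405 - HTTP verb used to access this page "
        b"is not allowed.</title></head><body><h2>405 - HTTP verb used to access this "
        b"page is not allowed.</h2></body></html>"
    ),
}

# (server, weight, where, regex): tells from the stock error page, reason phrase and
# headers. These are heuristics (an assumption of this example), not a definitive table.
SIGNATURES = [
    ("nginx",  3, "body",   rb"<hr><center>nginx</center>"),
    ("nginx",  1, "status", rb"^HTTP/1\.[01] 405 Not Allowed$"),
    ("apache", 3, "body",   rb"The requested method \S+ is not allowed for"),
    ("apache", 1, "body",   rb"-//IETF//DTD HTML 2\.0//EN"),
    ("iis",    3, "body",   rb"HTTP verb used to access this page is not allowed"),
    ("iis",    1, "header", rb"^x-powered-by: asp\.net$"),
]


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], [ln.lower() for ln in lines[1:]], body


def has_server_header(raw: bytes) -> bool:
    """Quick check that the origin really does hide its Server header."""
    _, headers, _ = parse_response(raw)
    return any(h.startswith(b"server:") for h in headers)


def fingerprint(raw: bytes):
    """Score every signature against the response; return (best guess, matched tells).
    'unknown' means nothing matched, which is itself a useful signal (custom error pages)."""
    status, headers, body = parse_response(raw)
    scores, hits = {}, []
    for server, weight, where, pattern in SIGNATURES:
        rx = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
        if where == "status":
            matched = rx.search(status) is not None
        elif where == "body":
            matched = rx.search(body) is not None
        else:
            matched = any(rx.search(h) for h in headers)
        if matched:
            scores[server] = scores.get(server, 0) + weight
            hits.append(f"{server}:{where}:{pattern.decode()}")
    if not scores:
        return "unknown", hits
    return max(scores, key=scores.get), hits


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        guess, tells = fingerprint(raw)
        print(f"sample={name:6} server_header={has_server_header(raw)} guess={guess} tells={tells}")
```

The body-level tells carry more weight than the reason phrase because a reverse proxy that rewrites status lines is more common than one that rewrites the origin's error body; if both disagree, that disagreement is worth noting too, since it usually means there is a second layer in front of the origin.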

Objective

A document viewer allows reading files from a public directory. Use path traversal to access files outside the intended folder.

What you'll learn
  • How ../ sequences navigate directories
  • Path traversal attack techniques
  • Why file path validation is essential
Need a Hint?
Trigger a server-generated error (e.g., a 405 from /probes/methods by sending an unexpected HTTP method) and fingerprint the server from what remains: the reason phrase, the header set and ordering, and the default error page body.

Path traversal patterns:

../filename.txt
../../etc/passwd
../../../secret.txt

The flag is in a parent directory...

Public Document Viewer

Access public documentation files
/public/docs/
Available files: welcome.txt, readme.txt, info.txt
Vulnerable Code
<?php
// Attacker-controlled file name taken straight from the query string (?file=...)
$filename = $_GET['file'];

// VULNERABLE: No path validation; "../" in $filename walks out of /public/docs/
$path = "/public/docs/$filename";

// Reads and returns whatever the resolved path points to
$content = file_get_contents($path);
echo $content;
Always validate and sanitize file paths! basename() strips the directory part, so ../../etc/passwd collapses to passwd and is looked up inside the docs folder; a whitelist of the permitted file names is the stronger fix, and a realpath() check that the resolved path still starts with /public/docs/ catches anything the other two miss.
Safety Note: This is a controlled simulation. Real path traversal can expose sensitive system files like /etc/passwd.
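Added example, not code from the challenge or its authors: a Python model of what the viewer's "/public/docs/$filename" concatenation resolves to for the hint's payloads, beside the two hardened forms the page recommends (whitelist and canonicalise-then-check). /public/docs and the three file names come from the page; the function names, the use of posixpath in place of the real filesystem, the single percent-decoding that models $_GET, and the payloads are assumptions of this example. It also shows the sibling-directory pitfall (/public/docs2) that a naive prefix check misses.

```python
import posixpath
from urllib.parse import unquote

# Root directory and allowed file names as stated on the challenge page.
DOCS_ROOT = "/public/docs"
ALLOWED_FILES = frozenset({"welcome.txt", "readme.txt", "info.txt"})


def decode_query_param(raw: str) -> str:
    """Model $_GET['file']: the server percent-decodes the query value exactly once,
    so ..%2f arrives as ../ but a double-encoded %252e stays as the literal %2e
    (assumption: no extra decoding layer in front of the app)."""
    return unquote(raw)


def vulnerable_target(filename: str) -> str:
    """Mirror the page's PHP: "/public/docs/$filename" with no validation, collapsed
    the way the filesystem resolves it ('..' climbs one level, '//' collapses).
    String concatenation is used on purpose: an absolute filename does NOT replace
    the root here, exactly as in the PHP."""
    return posixpath.normpath(DOCS_ROOT + "/" + filename)


def is_inside_root(resolved: str, root: str = DOCS_ROOT) -> bool:
    """Containment check on the canonical path. The trailing slash matters: a bare
    startswith(root) would wrongly accept a sibling such as /public/docs2/x."""
    root = root.rstrip("/")
    return resolved == root or resolved.startswith(root + "/")


def escapes_root(filename: str) -> bool:
    """True when the unvalidated build lands outside /public/docs/."""
    return not is_inside_root(vulnerable_target(filename))


def safe_target_by_whitelist(filename: str):
    """Hardened form 1 (the page's advice): exact match against the known names."""
    if filename in ALLOWED_FILES:
        return DOCS_ROOT + "/" + filename
    return None


def safe_target_by_canonicalisation(filename: str):
    """Hardened form 2: canonicalise first, then require the result to stay under the
    root. Pure path arithmetic here; on a real host use realpath() so symlinks are
    followed before the check, and reject NUL bytes before touching the filesystem."""
    if not filename or "\x00" in filename:
        return None
    resolved = vulnerable_target(filename)
    return resolved if is_inside_root(resolved) else None


def basename_only(filename: str) -> str:
    """Approximate PHP basename(): keep only the last path component, so
    ../../etc/passwd becomes passwd and is looked up inside the docs directory."""
    return posixpath.basename(filename.rstrip("/"))


if __name__ == "__main__":
    # Constructed payloads: the three patterns from the hint plus a few edge cases.
    for raw in ("welcome.txt", "../filename.txt", "../../etc/passwd",
                "../../../secret.txt", "..%2f..%2fetc%2fpasswd", "%252e%252e/x",
                "../docs2/x", "/etc/passwd"):
        name = decode_query_param(raw)
        print(f"{raw:28} -> {vulnerable_target(name):28} escapes={escapes_root(name)!s:5} "
              f"whitelist={safe_target_by_whitelist(name)} canon={safe_target_by_canonicalisation(name)}")
```

Note that the double-encoded form stays a harmless literal for this particular PHP because nothing decodes it a second time; it only becomes traversal when some layer in front of file_get_contents decodes again, which is why the canonicalisation check runs on the final path rather than on the raw parameter.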