web | Pro | medium

Lab 158 — PageCraft — Twig Template Path Traversal via Namespace Bypass

hackadvisor

Task: A PHP/Twig knowledge base in which the layout query parameter controls template rendering; direct path traversal is blocked. Solution: The validation was bypassed by combining the Twig @__main__ namespace prefix with URL-encoded slashes (%2f) to traverse out of the templates directory and read /app/root/flag.txt.

$ ls tags/ techniques/
twig_namespace_path_traversal  url_encoded_slash_bypass  twig_main_namespace_abuse  validation_bypass_via_namespace_prefix  path_traversal_via_encoded_separators
