Lab 158 — PageCraft — Twig Template Path Traversal via Namespace Bypass

hackadvisor

Task: PHP/Twig knowledge base with layout query parameter controlling template rendering; direct path traversal blocked. Solution: Bypassed validation using Twig @__main__ namespace prefix combined with URL-encoded slashes (%2f) to traverse out of templates directory and read /app/root/flag.txt.