File path traversal, validation of file extension with null byte bypass

Let's access the image through the browser.

We can now intercept this request in Burp Suite using the Proxy.

Now, we can forward the request to the Repeater to makes changes in it.

Let's change the filename parameter to the following and forward the request:

../../../etc/passwd

The server expects a .png file extension.

We can use %00 characters before the extension so that our string gets terminated before the extension

../../../etc/passwd%00.png

We have successfully solved the lab.