web php path-traversal procfs file-read suffix-bypass

Bounce through procfs to escape path normalization that tries to trap reads under one directory.

proc/thread-self/root to Recover / and Read flag.txt

/proc/thread-self/root is a procfs symlink that resolves to the root directory as seen by the current process. Path normalization that tries to trap you under one directory can be escaped by bouncing through procfs. This is useful when a path is suffix-constrained, or when it passes through canonicalization that still allows procfs traversal.

Why It Works

  • Reaching procfs from inside the constrained subtree lets you walk back to the true filesystem root.

Vulnerable Pattern

  • File reads that prepend a base path and append a forced extension while allowing enough traversal components or procfs reachability.
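
Added example (not from the original challenge or its source): a PHP sketch showing why a purely textual normalization check accepts a path that crosses a symlink, next to a read that resolves the path with realpath() before comparing it to the base. The function names, the temp directory and the "link" symlink (standing in for a root-pointing procfs entry) are constructed for illustration.

```php
<?php
// Added example: every name and path here is hypothetical, the tree is constructed.

// Flawed check: collapses "." and ".." textually and never consults the filesystem.
function lexically_contained(string $rel): bool
{
    $stack = [];
    foreach (explode('/', $rel) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            if (!$stack) return false;   // would climb above the base directory
            array_pop($stack);
        } else {
            $stack[] = $seg;
        }
    }
    return true;
}

// Hardened read: resolve every symlink first, then compare against the resolved base.
function read_contained(string $base, string $rel, string $suffix = '.txt'): ?string
{
    $root = realpath($base);
    $real = realpath($base . '/' . $rel . $suffix);   // false if the target does not exist
    if ($root === false || $real === false) return null;
    if (strncmp($real, $root . '/', strlen($root) + 1) !== 0) return null;
    return is_file($real) ? file_get_contents($real) : null;
}

// Constructed tree: "pages/" is the intended subtree; "link" stands in for a
// symlink that points outside it, as a procfs root entry does.
$tmp = sys_get_temp_dir() . '/contain_demo_' . getmypid();
mkdir("$tmp/pages", 0700, true);
mkdir("$tmp/outside", 0700);
file_put_contents("$tmp/pages/home.txt", "home page\n");
file_put_contents("$tmp/outside/secret.txt", "outside data\n");
symlink("$tmp/outside", "$tmp/pages/link");

foreach (['home', 'link/secret', '../outside/secret'] as $rel) {
    printf("%-20s lexical=%-5s resolved=%s\n", $rel,
        var_export(lexically_contained($rel), true),
        var_export(read_contained("$tmp/pages", $rel) !== null, true));
}
```

PHP's open_basedir directive applies a comparable resolved-path restriction at the runtime level and works as a second layer behind a check like this.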

Exploit Flow

  1. See whether normal ../ traversal is blocked or just normalized.
  2. If normalized, reach proc/thread-self/root from the constrained subtree, then walk back to /.
  3. Neutralize forced suffixes with fragment or length tricks if necessary.

Variations

  • /proc/self/root, /proc/thread-self/root, fd-based paths, or symlink farms depending on the runtime.

Common Blockers

  • chroot/container root already constrained, procfs unavailable, or path-length limits making the traversal string too long.

PoC Sketch

../../proc/thread-self/root/flag.txt%23
# (or the challenge-specific equivalent until the suffix is neutralized)

Good Situations To Use It

  • Traversal is normalized but procfs is reachable.
  • A base path + forced suffix constrains your reads.
  • The flag lives outside the intended subtree.

Sources

  • midnight_flag2026/web/clash_of_flans