URLs & Paths


Web Basics.

How web addresses and file structures work



Challenges

URL Anatomy

🎯 What You'll Learn

  • All the parts of a URL
  • What each component does
  • How to construct URLs properly

📖 The Concept

A URL (Uniform Resource Locator) is like a complete address for finding anything on the web.

Breaking Down a URL

  https://user:pass@www.example.com:8080/path/to/page?search=hello&page=1#section2
  └─┬─┘   └───┬───┘ └──────┬──────┘ └┬─┘└─────┬─────┘ └────────┬────────┘ └──┬───┘
 scheme   userinfo        host      port    path             query        fragment

Component Details

Part      Example           Purpose
Scheme    https://          Protocol (http, https, ftp, etc.)
Userinfo  user:pass@        Authentication (rarely used in URLs now)
Host      www.example.com   Domain name or IP address
Port      :8080             Server port (optional, defaults exist)
Path      /path/to/page     Location of resource on server
Query     ?key=value        Parameters passed to server
Fragment  #section          Client-side anchor (not sent to server)

Query String Format

Multiple parameters are joined with &:

?name=john&age=25&city=boston

Special characters must be encoded:

space → %20 or +
& → %26
= → %3D
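
The breakdown and encoding rules above, as an added Python example (not part of the original challenge material). It splits the diagram's URL with the standard library, shows what reaches the server, and shows why values must be encoded; `raw_query`, `host_matches` and the sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# The URL from the diagram above.
URL = "https://user:pass@www.example.com:8080/path/to/page?search=hello&page=1#section2"

def components(url):
    """Split a URL into the seven parts named in the table."""
    p = urlsplit(url)
    userinfo = None
    if p.username is not None:
        userinfo = p.username + (":" + p.password if p.password is not None else "")
    return {
        "scheme": p.scheme, "userinfo": userinfo, "host": p.hostname,
        "port": p.port, "path": p.path, "query": p.query, "fragment": p.fragment,
    }

def request_target(url):
    """Path plus query as sent on the HTTP request line; the fragment stays client-side."""
    p = urlsplit(url)
    return (p.path or "/") + ("?" + p.query if p.query else "")

def host_matches(url, expected_host):
    """Compare the parsed host, not a substring: text before '@' is userinfo, not the host."""
    return urlsplit(url).hostname == expected_host

def encoded_query(params):
    """urlencode escapes delimiters inside values: space -> '+', '&' -> %26, '=' -> %3D."""
    return urlencode(params)

def raw_query(params):
    """Hypothetical unsafe builder that joins values without encoding them."""
    return "&".join(f"{k}={v}" for k, v in params.items())

if __name__ == "__main__":
    for name, value in components(URL).items():
        print(f"{name:9} {value}")
    print("request target:", request_target(URL))
    # Constructed URL: the familiar name sits in userinfo, the real host follows '@'.
    print(host_matches("https://www.example.com@other.test/", "www.example.com"))
    value = {"city": "boston&age=99"}  # constructed value containing query delimiters
    print(parse_qs(raw_query(value)))       # value splits into two parameters
    print(parse_qs(encoded_query(value)))   # value survives as one parameter
```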

🚀 Your Challenge

The server will quiz you on URL components! Answer correctly to get the flag.

curl http://challenge/quiz

Follow the instructions to construct the correct URL!

Good luck! 🍀

Connect with SSH

Link your SSH key, then connect with: ssh hacker@dojo.idg.ctf

Directory Listing

🎯 What You'll Learn

  • How web servers map URLs to files
  • Directory listings and navigation
  • Finding hidden files and folders

📖 The Concept

Web servers often serve files from a directory on disk. The URL path maps directly to the file system:

Server File System          URL Path
─────────────────          ──────────
/var/www/                  http://site.com/
├── index.html             http://site.com/index.html
├── about.html             http://site.com/about.html
├── images/                http://site.com/images/
│   ├── logo.png           http://site.com/images/logo.png
│   └── banner.jpg         http://site.com/images/banner.jpg
└── docs/                  http://site.com/docs/
    └── readme.txt         http://site.com/docs/readme.txt

Directory Listing

When you request a folder (not a file), the server might:

  1. Show an index file (index.html) - most common
  2. Show a directory listing - list of files
  3. Return 403 Forbidden - access denied
  4. Return 404 Not Found - pretend it doesn't exist

Exploring a Server

curl http://site.com/          # Root directory
curl http://site.com/images/   # Images folder
curl http://site.com/secret/   # Maybe something interesting?

🚀 Your Challenge

A file server is running with several directories. Explore the server to find the hidden flag!

Start by listing the root:

curl http://challenge/

Navigate through the directories to find the flag file!

Good luck! 🍀


Relative Paths

🎯 What You'll Learn

  • Difference between absolute and relative paths
  • How . and .. work
  • Path traversal techniques

📖 The Concept

Absolute vs Relative Paths

Absolute Path: Full path from the root

/home/user/documents/file.txt
http://example.com/images/logo.png

Relative Path: Path from current location

./file.txt          (current directory)
../other/file.txt   (parent directory)
images/logo.png     (subdirectory)

Special Path Components

Symbol  Meaning            Example
.       Current directory  ./file.txt = file.txt
..      Parent directory   ../file.txt = one level up
/       Root (absolute)    /etc/passwd

Path Traversal Examples

Starting at: /var/www/html/images/

./photo.jpg         → /var/www/html/images/photo.jpg
../index.html       → /var/www/html/index.html
../../config.txt    → /var/www/config.txt
../css/style.css    → /var/www/html/css/style.css

Web URL Path Traversal

Current URL: http://site.com/blog/posts/

./image.png         → http://site.com/blog/posts/image.png
../about            → http://site.com/blog/about
../../contact       → http://site.com/contact
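
The two resolution tables above, reproduced in code as an added Python example (not part of the original challenge material), together with the containment check a file server needs so that `..` cannot resolve outside its document root. The function names, the `/var/www/html` document root and the request paths are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urljoin, unquote

def resolve_fs(cwd, rel):
    """Resolve a relative path against a starting directory (lexical, no symlinks)."""
    return posixpath.normpath(posixpath.join(cwd, rel))

def resolve_url(base, ref):
    """Resolve a relative reference against the current URL, as a client does."""
    return urljoin(base, ref)

def map_to_file(docroot, url_path):
    """Map a request path to a file under docroot; None if the result escapes it."""
    decoded = unquote(url_path)                    # %2e%2e decodes to '..'
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against root + '/' so a sibling such as /var/www/html-old is not accepted.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

if __name__ == "__main__":
    for rel in ["./photo.jpg", "../index.html", "../../config.txt", "../css/style.css"]:
        print(f"{rel:18} -> {resolve_fs('/var/www/html/images/', rel)}")
    for ref in ["./image.png", "../about", "../../contact"]:
        print(f"{ref:18} -> {resolve_url('http://site.com/blog/posts/', ref)}")
    # Constructed request paths checked against an assumed document root.
    for req in ["/images/../index.html", "/images/../../config.txt",
                "/images/%2e%2e/%2e%2e/config.txt", "/../html-old/x"]:
        print(f"{req:34} -> {map_to_file('/var/www/html', req)}")
```

The check here is purely lexical; a server that follows symbolic links also has to resolve the real path on disk before comparing it with the root.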

🚀 Your Challenge

You're in /start/here/. Navigate using relative paths to find the flag!

curl http://challenge/start/here/

Use .. to move up directories and find flag.txt hidden elsewhere in the tree.

Good luck! 🍀


Index Files

🎯 What You'll Learn

  • What index files are
  • Why they exist
  • Different index file names

📖 The Concept

When you request a directory (not a file), the server looks for a default file to show.

How It Works

Request: http://example.com/blog/

Server checks for (in order):
1. /blog/index.html    ← Most common
2. /blog/index.htm
3. /blog/index.php
4. /blog/default.html
5. Directory listing (if enabled)
6. 403 Forbidden

Common Index Files

Filename      Typical Use
index.html    Static HTML websites
index.htm     Older Windows servers
index.php     PHP websites
index.asp     ASP.NET websites
default.html  IIS servers
README.md     GitHub/GitLab pages

Why Index Files Matter

  1. Clean URLs: example.com/about/ instead of example.com/about/index.html
  2. Security: Hides the actual file structure
  3. Flexibility: Can change implementation without changing URLs

Explicit vs Implicit

# These often return the same content:
curl http://example.com/
curl http://example.com/index.html

# But not always! Server config matters.
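
The lookup order from "How It Works" and the four outcomes listed under "Directory Listing", modelled as an added Python example (not part of the original challenge material and not any real server's code). It also reports index files that are present but never chosen as the default, since those remain reachable by explicit name. The sample tree, function names and the `autoindex` switch are constructed assumptions.

```python
import os
import tempfile

# Lookup order from the list above; real servers make this configurable.
INDEX_NAMES = ["index.html", "index.htm", "index.php", "default.html"]

def present_indexes(docroot, url_dir):
    """Index candidates that exist in the directory, in lookup order."""
    fs_dir = os.path.join(docroot, url_dir.strip("/"))
    return [n for n in INDEX_NAMES if os.path.isfile(os.path.join(fs_dir, n))]

def serve_directory(docroot, url_dir, autoindex=False):
    """Model the decision for a directory request: (status, what is returned)."""
    fs_dir = os.path.join(docroot, url_dir.strip("/"))
    if not os.path.isdir(fs_dir):
        return 404, None
    found = present_indexes(docroot, url_dir)
    if found:
        return 200, found[0]                    # first match wins
    if autoindex:
        return 200, sorted(os.listdir(fs_dir))  # directory listing
    return 403, None

def shadowed_indexes(docroot, url_dir):
    """Index files that never serve as the default but are still fetchable by name."""
    return present_indexes(docroot, url_dir)[1:]

def make_sample_tree():
    """Constructed document root for the demonstration."""
    root = tempfile.mkdtemp()
    for rel in ["index.html", "blog/index.html", "blog/index.php",
                "admin/default.html", "files/a.txt", "files/b.txt"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(rel)
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    for d in ["/", "/blog/", "/admin/", "/files/", "/missing/"]:
        print(d, serve_directory(root, d), "shadowed:", shadowed_indexes(root, d))
    print("/files/ with listing:", serve_directory(root, "/files/", autoindex=True))
```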

🚀 Your Challenge

The server has multiple directories with different index files. Find the one that contains the flag!

Explore:

  • / - What's the default index here?
  • /blog/ - Check different index file names
  • /admin/ - Might use a different default

curl http://challenge/
curl http://challenge/blog/
curl http://challenge/admin/

Try requesting specific index files to find the hidden flag!

Good luck! 🍀

