June 30, 2026
Server-1: Vulnerable Job Portal — Path Traversal Walkthrough (5 Flags)

By Enric-xX
Server-1 is a deliberately vulnerable web server designed for practicing bug bounty reconnaissance and path traversal. It simulates a realistic job portal with hidden admin panels, exposed backups, internal configuration files, and multiple flags to find.
Repository: https://github.com/Enric-xX/Server-1
Live Server: https://enric-xx.github.io/Server-1/
Reconnaissance
At first glance, Server-1 looks like a normal job portal. There are links to Jobs, Companies, a Dashboard, and a Login page. Nothing seems out of the ordinary.
To speed up the discovery process, I used PathTraversalBot, a Python tool that automatically scans for hidden endpoints on any domain.
The tool is available directly on the server at /need-find-path.traversal/. From there, you can download the Python script and an installer that handles all dependencies with a single command. Once installed, you run it, enter the target domain, and it scans for subdomains, WordPress endpoints, exposed APIs, backup files, and configuration leaks, then generates a report with everything it finds. As with any script pulled from a target, read it before running it.
Running it against enric-xx.github.io/Server-1 revealed several interesting paths:
- /admin/ — Hidden admin panel
- /backup/ — Backup files
- /employee/database/ — Employee records
- /phpinfo/ — PHP configuration
- /robots.txt — Disallowed routes
Flag 1 — Admin Panel
Navigating to /admin/ reveals a restricted login panel.
Inside the panel, there is a hidden section at /admin/etc/passwd/ that appears to expose credentials.
Clicking the Flag link inside the panel reveals the first flag. Viewing the page source (Ctrl+U) of the admin login panel also reveals the same flag, hidden in an HTML comment.
Flag: flag{a3c8e5f0d7b1a4c9e6f2d8b0a5c3e7f}
Flag 2 — Employee Database
The path /employee/database/ exposes a list of 99 employees without requiring authentication. Scrolling to the bottom of the list, employee #99 has an unusual email address containing the second flag.
Flag: flag{f1b5d9c0e3a7f4b8d2e6c9a0f3b7d1a}
Flag 3 — Backup Configuration
The file /backup/config.bak.html appears to be a leftover backup of the server configuration. At the very end of the file, a FLAG variable is defined.
Flag: flag{f1b5d9c0e3a7f4b8d2e6c9a0f3b7d1a}
Flag 4 — PHP Info
The /phpinfo/ directory displays detailed information about the server's PHP environment. Hidden among the configuration data at the bottom is another FLAG variable.
Flag: flag{7d3a9f1b2c4e8f6a0d5b7e9c3f1a8d2b}
Flag 5 — Robots.txt
The /robots.txt file lists directories that are disallowed for search engines. At the very bottom of the file, the final flag is visible.
Flag: flag{7f3a9d1b2c4e8f6a0d5b7e9c3f1a8d2b}
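The whole walkthrough is one loop: probe a wordlist of likely paths, fold in whatever robots.txt disallows, and grep every page that answers with 200 (including HTML comments, which is where Flag 1 hides) for the flag pattern. The script below is an added example of that loop, written for this post; it is not PathTraversalBot and not code from the Server-1 repository. The wordlist, the soft-404 sentinel path, the User-Agent string and the fake in-memory site used for the offline check are all constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed wordlist: the paths reported in the walkthrough plus a few
# generic leftovers worth trying on any static host.
WORDLIST = [
    "admin/", "backup/", "backup/config.bak.html", "employee/database/",
    "phpinfo/", "robots.txt", ".git/HEAD", "config.php.bak",
]

FLAG_RE = re.compile(r"flag\{[0-9a-f]+\}")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
DISALLOW_RE = re.compile(r"^\s*Disallow:\s*(\S+)", re.MULTILINE)
# Hypothetical sentinel used to fingerprint soft-404 pages (sites that answer 200 to everything).
SENTINEL = "zz-not-here-3f9a1c/"


def fetch_http(url, timeout=10):
    """Fetch a URL and return (status, body); (None, '') on a network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return None, ""


def robots_disallowed(robots_body):
    """Disallow entries as relative paths, skipping the catch-all '/'."""
    return [p.lstrip("/") for p in DISALLOW_RE.findall(robots_body) if p != "/"]


def extract_flags(body):
    """Return [(flag, 'html-comment' | 'body')] for every flag-shaped token."""
    spans = [m.span() for m in COMMENT_RE.finditer(body)]
    out = []
    for m in FLAG_RE.finditer(body):
        in_comment = any(s <= m.start() and m.end() <= e for s, e in spans)
        out.append((m.group(0), "html-comment" if in_comment else "body"))
    return out


def probe(base, wordlist, fetch=fetch_http):
    """Probe base + each path; return {path: {'status': 200, 'flags': [...]}} for hits."""
    # Baseline: if a nonsense path returns 200, remember its body so identical
    # soft-404 bodies are not reported as findings.
    status, baseline = fetch(urljoin(base, SENTINEL))
    baseline = baseline if status == 200 else None

    # robots.txt first: its Disallow lines are extra candidates the wordlist may lack.
    status, robots = fetch(urljoin(base, "robots.txt"))
    extra = robots_disallowed(robots) if status == 200 else []

    paths = []
    for p in list(wordlist) + extra:
        if p not in paths:
            paths.append(p)

    results = {}
    for p in paths:
        status, body = fetch(urljoin(base, p))
        if status != 200 or (baseline is not None and body == baseline):
            continue
        results[p] = {"status": status, "flags": extract_flags(body)}
    return results


# Constructed offline stand-in for a target, used only to exercise the code.
FAKE_SITE = {
    "https://example.invalid/Server-1/robots.txt":
        (200, "User-agent: *\nDisallow: /admin/\nDisallow: /secret-notes/\n# flag{0123abcd}\n"),
    "https://example.invalid/Server-1/admin/":
        (200, "<html><!-- flag{deadbeef} --><body>Restricted login</body></html>"),
    "https://example.invalid/Server-1/secret-notes/":
        (200, "<pre>FLAG = 'flag{cafe1234}'</pre>"),
}


def fake_fetch(url, timeout=10):
    return FAKE_SITE.get(url, (404, "Not found"))


if __name__ == "__main__":
    # Offline run against the constructed site; swap in fetch_http and the real
    # base URL (ending in '/') to probe a live target you are allowed to test.
    for path, hit in probe("https://example.invalid/Server-1/", WORDLIST, fetch=fake_fetch).items():
        print(path, hit["flags"])
```

Two details matter in practice: the base URL must end in a slash or urljoin drops the last path segment, and the soft-404 baseline only catches byte-identical not-found pages, so a host that randomises its error page needs a looser comparison (for example on length or a stripped body) before its 200s can be trusted.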