How I access other domains in using Directory Traversal

Kurt Russelle Marmol
2 min readMar 14, 2022


Hi, it’s me again haha Kurt Russelle Marmol aka xkurtph, Web Developer (noobie) and Security Researcher.

Vulnerability Method:

  • Directory / Path Traversal

What is

Infinity Free is a US-based web hosting provider launched in 2016, and, as its name suggests, it offers free hosting services for an indeterminate period of time.


This bug was I accidentally found haha when my friend want to access my files on the web hosting, so I gave them a PHP shell instead of the FTP account. I gave PHP shell because it is easy to use rather than FTP bcz u needed it to log in and access files (time-consuming).

Let’s say I have a domain name I gave my friend a shell path which is

When you try to open a folder or files, your URL path would become like this

can you see the clue? how I access other domains hahaha

here it is

as you can see the epiz_30774583, it is my username in the domain therefore I change it incrementally like this epiz_30774584, epiz_30774585, or epiz_30774586 the whole URL will be like this

and gotcha! you already access other domain files by this method, but it will only work if the other domain has the same host/server as what you use.

The bug is originated from a third-party website but it is also used by to serve, I already reported the bug from but they told me to report to iFastNet because iFastNet was the main provider to host domain.

A bug was already reported and fixed, iFastNet is not offering a bug bounty program but they give me free .com domain as a reward :>

You can watch my full demonstration below.


Using the bug as a method could be lead to breaching other domains and leaking files and sensitive information they have.


March 10, 2022 — Bug submitted and review

March 13, 2022 — Bug fixed and rewarded

Shawarawt sa PlagueSec at KumaTechDevs