Directory traversal vulnerabilities are present when a user may gain unauthorized access to files, e.g. by using path traversal operators such as ../.
Discovery
To find directory traversal vulnerabilities on a webpage, try fuzzing query parameters, especially when the value looks like a filename. A common technique is to add ../ and ..\ to the path to traverse the server filesystem.
Also see PHP wrapper trick (php://filter) when the trying to read files that may contain special characters (which may be misinterpreted when include() is used).
Exploitation
To attack a directory traversal vulnerability, simply load the desired file such as /etc/passwd. RCE is achievable when include() is used in the source and PHP wrapper (php://filter) can be used to load attacker-supplied plain text as a file.