Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal...

Who is flying the vertibirds?

Sailing the cryptic seas

Are there other languages, besides English, where the indefinite (or definite) article varies based on sound?

SOQL: Populate a Literal List in WHERE IN Clause

Life insurance that covers only simultaneous/dual deaths

Time travel from stationary position?

Professor being mistaken for a grad student

Why one should not leave fingerprints on bulbs and plugs?

Why did it take so long to abandon sail after steamships were demonstrated?

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

Min function accepting varying number of arguments in C++17

Do I need life insurance if I can cover my own funeral costs?

Have researchers managed to "reverse time"? If so, what does that mean for physics?

Are there verbs that are neither telic, or atelic?

how to write formula in word in latex

A sequence that has integer values for prime indexes only:

What should tie a collection of short-stories together?

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

How to explain that I do not want to visit a country due to personal safety concern?

Welcoming 2019 Pi day: How to draw the letter π?

What approach do we need to follow for projects without a test environment?

PTIJ: Who should I vote for? (21st Knesset Edition)

Interplanetary conflict, some disease destroys the ability to understand or appreciate music

Look at your watch and tell me what time is it. vs Look at your watch and tell me what time it is



Awsome yet unlucky path traversal


Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?













3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:




  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users


What else should I try?










share|improve this question























  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago
















3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:




  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users


What else should I try?










share|improve this question























  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago














3












3








3








I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:




  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users


What else should I try?










share|improve this question














I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:




  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users


What else should I try?







web-application penetration-test webserver operating-systems web-service






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 3 hours ago









Lucian NitescuLucian Nitescu

1,287416




1,287416













  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago



















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago

















What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago





What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago













@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
3 hours ago





@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
3 hours ago













@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago





@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago










1 Answer
1






active

oldest

votes


















4














Use the traversal vulnerability to read



/proc/self/environ


This prints out environment variables among other thread information.



Look for a environment variable called DOCUMENT_ROOT






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Use the traversal vulnerability to read



    /proc/self/environ


    This prints out environment variables among other thread information.



    Look for a environment variable called DOCUMENT_ROOT






    share|improve this answer




























      4














      Use the traversal vulnerability to read



      /proc/self/environ


      This prints out environment variables among other thread information.



      Look for a environment variable called DOCUMENT_ROOT






      share|improve this answer


























        4












        4








        4







        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT






        share|improve this answer













        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 3 hours ago









        DaisetsuDaisetsu

        4,21811021




        4,21811021






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Щит и меч (фильм) Содержание Названия серий | Сюжет |...

            Венесуэла на летних Олимпийских играх 2000 Содержание Состав...

            Meter-Bus Содержание Параметры шины | Стандартизация |...