Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?

Why do passenger jet manufacturers design their planes with stall prevention systems?

Min function accepting varying number of arguments in C++17

Why one should not leave fingerprints on bulbs and plugs?

Professor being mistaken for a grad student

Life insurance that covers only simultaneous/dual deaths

Unexpected result from ArcLength

Hacking a Safe Lock after 3 tries

Does Mathematica reuse previous computations?

Sailing the cryptic seas

If curse and magic is two sides of the same coin, why the former is forbidden?

Welcoming 2019 Pi day: How to draw the letter π?

How to deal with taxi scam when on vacation?

A link redirect to http instead of https: how critical is it?

How to read the value of this capacitor?

Does someone need to be connected to my network to sniff HTTP requests?

How to create the Curved texte?

What exactly is this small puffer fish doing and how did it manage to accomplish such a feat?

Do these spellcasting foci from Xanathar's Guide to Everything have to be held in a hand?

Why would a flight no longer considered airworthy be redirected like this?

A sequence that has integer values for prime indexes only:

What do Xenomorphs eat in the Alien series?

My adviser wants to be the first author

Time travel from stationary position?

If I can solve Sudoku can I solve Travelling Salesman Problem(TSP)? If yes, how?



Awsome yet unlucky path traversal


Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?













3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago















3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago













3












3








3








I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question














I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service




web-application penetration-test webserver operating-systems web-service






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 3 hours ago









Lucian NitescuLucian Nitescu

1,287416




1,287416












  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago

















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    3 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago
















What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago





What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago













@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
3 hours ago





@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
3 hours ago













@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago





@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago










1 Answer
1






active

oldest

votes


















4














Use the traversal vulnerability to read



/proc/self/environ


This prints out environment variables among other thread information.



Look for a environment variable called DOCUMENT_ROOT






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Use the traversal vulnerability to read



    /proc/self/environ


    This prints out environment variables among other thread information.



    Look for a environment variable called DOCUMENT_ROOT






    share|improve this answer



























      4














      Use the traversal vulnerability to read



      /proc/self/environ


      This prints out environment variables among other thread information.



      Look for a environment variable called DOCUMENT_ROOT






      share|improve this answer

























        4












        4








        4







        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT






        share|improve this answer













        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        DaisetsuDaisetsu

        4,21811021




        4,21811021



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Are there any AGPL-style licences that require source code modifications to be public? Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?Force derivative works to be publicAre there any GPL like licenses for Apple App Store?Do you violate the GPL if you provide source code that cannot be compiled?GPL - is it distribution to use libraries in an appliance loaned to customers?Distributing App for free which uses GPL'ed codeModifications of server software under GPL, with web/CLI interfaceDoes using an AGPLv3-licensed library prevent me from dual-licensing my own source code?Can I publish only select code under GPLv3 from a private project?Is there published precedent regarding the scope of covered work that uses AGPL software?If MIT licensed code links to GPL licensed code what should be the license of the resulting binary program?If I use a public API endpoint that has its source code licensed under AGPL in my app, do I need to disclose my source?

            Image
            Flight departed from the gate 5 min before scheduled departure time. Refund options How to show a density matrix is in a pure/mixed state? Can we cancel the equality mark here? How to ask rejected full-time candidates to apply to teach individual courses? Are there any AGPL-style licences that require source code modifications to be public? Why did Israel vote against lifting the American embargo on Cuba? What should one know about term logic before studying propositional and predicate logic? Why is Rajasthan pro BJP in the LS elections but not in the state elections? New Order #6: Easter Egg Question on Gÿongy' lemma proof How to resize main filesystem Is it OK if I do not take the receipt in Germany? My mentor says to set image to Fine instead of RAW — how is this different from JPG? Can I feed enough spin up electron to a black hole to affect it's angular momentum? How do I find my Spellcasting Ability for my D&D character? Is my guitar’s ac
            Read more

            2013 GY136 Descoberta | Órbita | Referências Menu de navegação«List Of Centaurs and Scattered-Disk Objects»«List of Known Trans-Neptunian Objects»

            Image
            Objetos do disco dispersoObjetos transnetunianos objeto transnetunianodisco dispersoSistema Solarcorpo celesteressonância orbitalplanetaplanetamagnitude absolutadiâmetro9 de abril2013Outer Solar System Origins Surveyórbitaexcentricidadesemieixo maiorUAperiélioSolafélio 2013 GY136 Data da descoberta 9 de abril de 2013 Descoberto por Outer Solar System Origins Survey Categoria Transnetuniano Objeto do disco disperso Elementos orbitais Semieixo maior 55,961 UA Perélio 32,595 UA Afélio 79,327 UA Excentricidade 0,418 Inclinação 10,9° Características físicas Dimensões 133 km Magnitude absoluta 7,6 ver 2013 GY 136 , também escrito como 2013 GY136 , é um objeto transnetuniano que está localizado no disco disperso, uma região do Sistema Solar. Este corpo celeste está em uma ressonância orbital de 2:5 com o planeta planeta. Ele possui uma magnitude absoluta de 7,6 [ 1 ] e tem um diâmetro estimado de 133 km. [ 2 ] Descoberta | 2013 GY 136 foi descoberto no dia 9 de abril de 2013 pelo Outer S
            Read more

            Button changing it's text & action. Good or terrible? The 2019 Stack Overflow Developer Survey Results Are Inchanging text on user mouseoverShould certain functions be “hard to find” for powerusers to discover?Custom liking function - do I need user login?Using different checkbox style for different checkbox behaviorBest Practices: Save and Exit in Software UIInteraction with remote validated formMore efficient UI to progress the user through a complicated process?Designing a popup notice for a gameShould bulk-editing functions be hidden until a table row is selected, or is there a better solution?Is it bad practice to disable (replace) the context menu?

            Image
            Delete all lines which don't have n characters before delimiter Why isn't the circumferential light around the M87 black hole's event horizon symmetric? Why did Acorn's A3000 have red function keys? Does the shape of a die affect the probability of a number being rolled? Worn-tile Scrabble Why do UK politicians seemingly ignore opinion polls on Brexit? If a Druid sees an animal’s corpse, can they wild shape into that animal? Is an up-to-date browser secure on an out-of-date OS? Loose spokes after only a few rides How are circuits which use complex ICs normally simulated? Multiply Two Integer Polynomials Resizing object distorts it (Illustrator CC 2018) Do these rules for Critical Successes and Critical Failures seem Fair? Why can Shazam fly? Does a dangling wire really electrocute me if I'm standing in water? Can we generate random numbers using irrational numbers like π and e? Why isn't airport relocation done gradually? What d
            Read more