Ryfujk

Time travel from stationary position?

Why do Australian milk farmers need to protest supermarkets' milk price?

Can I use USB data pins as power source

Interplanetary conflict, some disease destroys the ability to understand or appreciate music

How to explain that I do not want to visit a country due to personal safety concern?

If I can solve Sudoku can I solve Travelling Salesman Problem(TSP)? If yes, how?

Why do passenger jet manufacturers design their planes with stall prevention systems?

Existence of subset with given Hausdorff dimension

How to create the Curved texte?

Is it normal that my co-workers at a fitness company criticize my food choices?

How to read the value of this capacitor?

My adviser wants to be the first author

Identifying the interval from A♭ to D♯

How could a scammer know the apps on my phone / iTunes account?

Are there other languages, besides English, where the indefinite (or definite) article varies based on sound?

A sequence that has integer values for prime indexes only:

Who is flying the vertibirds?

The difference between「N分で」and「後N分で」

Do I need life insurance if I can cover my own funeral costs?

Happy pi day, everyone!

Why doesn't using two cd commands in bash script execute the second command?

How to deal with a cynical class?

How to use deus ex machina safely?

How can I track script which gives me "command not found" right after the login?

Awsome yet unlucky path traversal

Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?

3

I am performing a penetration testing on an application hosted on an Ubuntu environment.

So using a path traversal vulnerability, I can download any file.

The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.

What I have tried:

• Search for logs that can lead me to the path. nginx or apache2 is not there.


• Search for nginx, apache2 or other configuration files


• Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)


• Bash histories of all users

What else should I try?

web-application penetration-test webserver operating-systems web-service

share|improve this question

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What about the /opt location?
  
  – Jeroen - IT Nerdbox
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Jeroen-ITNerdbox no luck :)
  
  – Lucian Nitescu
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @hiburn8 "Bash histories of all users"
  
  – Lucian Nitescu
  2 hours ago
  

  
  
  
  

add a comment | 

3

I am performing a penetration testing on an application hosted on an Ubuntu environment.

So using a path traversal vulnerability, I can download any file.

The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.

What I have tried:

• Search for logs that can lead me to the path. nginx or apache2 is not there.


• Search for nginx, apache2 or other configuration files


• Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)


• Bash histories of all users

What else should I try?

web-application penetration-test webserver operating-systems web-service

share|improve this question

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What about the /opt location?
  
  – Jeroen - IT Nerdbox
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Jeroen-ITNerdbox no luck :)
  
  – Lucian Nitescu
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @hiburn8 "Bash histories of all users"
  
  – Lucian Nitescu
  2 hours ago
  

  
  
  
  

add a comment | 

I am performing a penetration testing on an application hosted on an Ubuntu environment.

So using a path traversal vulnerability, I can download any file.

The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.

What I have tried:

• Search for logs that can lead me to the path. nginx or apache2 is not there.


• Search for nginx, apache2 or other configuration files


• Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)


• Bash histories of all users

What else should I try?

web-application penetration-test webserver operating-systems web-service

share|improve this question

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

share|improve this question

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

share|improve this question

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

asked 3 hours ago

Lucian NitescuLucian Nitescu

1,287416

1 Answer
1

active

oldest

votes

4

Use the traversal vulnerability to read

/proc/self/environ

This prints out environment variables among other thread information.

Look for a environment variable called DOCUMENT_ROOT

share|improve this answer

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

4

Use the traversal vulnerability to read

/proc/self/environ

This prints out environment variables among other thread information.

Look for a environment variable called DOCUMENT_ROOT

share|improve this answer

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

add a comment | 

4

Use the traversal vulnerability to read

/proc/self/environ

This prints out environment variables among other thread information.

Look for a environment variable called DOCUMENT_ROOT

share|improve this answer

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

add a comment | 

Use the traversal vulnerability to read

/proc/self/environ

This prints out environment variables among other thread information.

Look for a environment variable called DOCUMENT_ROOT

share|improve this answer

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

/proc/self/environ

share|improve this answer

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

answered 2 hours ago

DaisetsuDaisetsu

4,21811021

answered 2 hours ago

DaisetsuDaisetsu

4,21811021