Penetration Testing with Kali Linux OffSec
|
|
ls ../../etc
adduser.conf debian_version hostname logrotate.d passwd ... logrotate.conf pam.d rmt sudoers zsh kali@kali:~$ cat ../../etc/passwd root:x:0:0:root:/root:/usr/bin/zsh daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ... king-phisher:x:133:141::/var/lib/king-phisher:/usr/sbin/nologin kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh Listing 130 - Display contents of /etc/passwd with a relative path Let’s analyze another example. While we can use the cat ../../etc/passwd command shown in listing 130 to display the contents of /etc/passwd, we can achieve the same results using extra ../ sequences. kali@kali:~$ cat ../../../../../../../../../../../etc/passwd root:x:0:0:root:/root:/usr/bin/zsh daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ... king-phisher:x:133:141::/var/lib/king-phisher:/usr/sbin/nologin kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh Listing 131 - Adding more “../” to the relative path The number of ../ sequences is only relevant until we reach the root file system. Theoretically, we can add as many ../ as we want, since there is nowhere further back to go from /. This can be useful in certain situations, such as when we don’t know our current working directory. In this case, we could specify a large number of ../ to ensure we reach the root file system from a relative pathing perspective. 9.1.2 Identifying and Exploiting Directory Traversals In this section we will explore Directory Traversal 385 attacks, also known as path traversal attacks. This type of attack can be used to access sensitive files on a web server and typically occurs when a web application is not sanitizing user input. For a web application to show a specific page, a web server provides the file from the file system. These files can be located in the web root directory or one of its subdirectories. In Linux systems, the /var/www/html/ directory is often used as the web root. When a web application displays a page, http://example.com/file.html for example, it will try to access /var/www/html/file.html. The http link doesn’t contain any part of the path except the filename because the web root also serves as a base directory for a web server. If a web application is vulnerable to directory traversal, a user may access files outside of the web root by using relative paths, thus accessing sensitive files like SSH private keys or configuration files. 385 (Wikipedia, 2022), https://en.wikipedia.org/wiki/Directory_traversal_attack Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 251 While it is important to understand how to exploit Directory Traversal vulnerabilities, it is also crucial that we can identify them. We should always check for vulnerabilities by hovering over all buttons, checking all links, navigating to all accessible pages, and (if possible) examining the page’s source code. Links can be an especially valuable source of information, providing parameters or other data about the application. For example, if we find the following link, we can extract vital information from it. https://example.com/cms/login.php?language=en.html Listing 132 - Example of a link First, login.php tells us the web application uses PHP. We can use this information to develop assumptions about how the web application works, which is helpful for the exploitation phase. Second, the URL contains a language parameter with an HTML page as its value. In a situation like this, we should try to navigate to the file directly (https://example.com/cms/en.html). If we can successfully open it, we can confirm that en.html is a file on the server, meaning we can use this parameter to try other file names. We should always examine parameters closely when they use files as a value. Third, the URL contains a directory called cms. This is important information indicating that the web application is running in a subdirectory of the web root. Let’s review a case study next. We’ll begin by examining the Mountain Desserts web application. To access it, we’ll need to update the /etc/hosts file on our Kali machine to use the DNS name. We should be aware the assigned IP address for the target machine may change in the labs. 127.0.0.1 localhost 127.0.1.1 kali Yüklə Dostları ilə paylaş:
|