Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?

Welcoming 2019 Pi day: How to draw the letter π?

Should we release the security issues we found in our product as CVE or we can just update those on weekly release notes?

Interplanetary conflict, some disease destroys the ability to understand or appreciate music

Unexpected result from ArcLength

How to create the Curved texte?

What options are left, if Britain cannot decide?

Opacity of an object in 2.8

Min function accepting varying number of arguments in C++17

It's a yearly task, alright

The difference between「N分で」and「後N分で」

Why doesn't using two cd commands in bash script execute the second command?

What approach do we need to follow for projects without a test environment?

Are ETF trackers fundamentally better than individual stocks?

How to read the value of this capacitor?

Brexit - No Deal Rejection

Is it possible to upcast ritual spells?

Why doesn't the EU now just force the UK to choose between referendum and no-deal?

My adviser wants to be the first author

Existence of subset with given Hausdorff dimension

Do the common programs (for example: "ls", "cat") in Linux and BSD come from the same source code?

Why do passenger jet manufacturers design their planes with stall prevention systems?

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

What has been your most complicated TikZ drawing?

PTIJ: Who should I vote for? (21st Knesset Edition)



Awsome yet unlucky path traversal


Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?













3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    2 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago















3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    2 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago













3












3








3








I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question














I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service




web-application penetration-test webserver operating-systems web-service






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 3 hours ago









Lucian NitescuLucian Nitescu

1,287416




1,287416












  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    2 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago

















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    3 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    2 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    2 hours ago
















What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago





What about the /opt location?

– Jeroen - IT Nerdbox
3 hours ago













@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
2 hours ago





@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
2 hours ago













@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago





@hiburn8 "Bash histories of all users"

– Lucian Nitescu
2 hours ago










1 Answer
1






active

oldest

votes


















4














Use the traversal vulnerability to read



/proc/self/environ


This prints out environment variables among other thread information.



Look for a environment variable called DOCUMENT_ROOT






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Use the traversal vulnerability to read



    /proc/self/environ


    This prints out environment variables among other thread information.



    Look for a environment variable called DOCUMENT_ROOT






    share|improve this answer



























      4














      Use the traversal vulnerability to read



      /proc/self/environ


      This prints out environment variables among other thread information.



      Look for a environment variable called DOCUMENT_ROOT






      share|improve this answer

























        4












        4








        4







        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT






        share|improve this answer













        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        DaisetsuDaisetsu

        4,21811021




        4,21811021



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Isabella Eugénie Boyer Biographie | Références | Menu de navigationmodifiermodifier le codeComparator to Compute the Relative Value of a U.S. Dollar Amount – 1774 to Present.

            Image
            Personnalité américaine du monde des affairesPersonnalité féminine françaiseNaissance en décembre 1841Naissance à ParisDécès en mai 1904Décès à 62 ansDécès à Paris 17 décembre1841Paris12 mai1904Isaac Merritt SingerSingerNew York1863guerre civile américaineParisAngleterreguerre de 1870DevonOldway Mansion (en) PaigntonWinnarettaEdmond de Polignacduchesse DecazesdollarsVictor ReubsaetParisHumbert I er d'Italieviolon de StradivariusStatue de la LibertéBartholdi Isabella Eugénie Boyer.mw-parser-output .entete.humainbackground-image:url("//upload.wikimedia.org/wikipedia/commons/8/82/Picto_infobox_manwoman.png") Isabella Eugénie Boyer. Titre de noblesse Duchesse Biographie Naissance 17 décembre 1841 Paris Décès 12 mai 1904 (à 62 ans) Paris Sépulture Cimetière de Passy Nationalité Française Domicile Oldway Mansion ( en ) Activité Mannequin Conjoint Isaac Merritt Singer (depuis 1863) Enfants Winnaretta Singer Isabelle Singer ( d ) Paris Singer Washington Singer ( en ) Mortimer
            Read more

            Mpande kaSenzangakhona Biographie | Références | Menu de navigationmodifierMpande kaSenzangakhonavoir la liste des auteursm

            Image
            Naissance en 1798Décès en septembre 1872Histoire de l'Afrique du SudRoi zoulouPersonnalité africaine du XIXe siècle projets correspondantsNotes et référencesQuelles sources sont attendues ?Comment ajouter mes sources ?Babanango (en) Royaume zoulouShakaDinganerois de la nation zoulouinDunaNdlela kaSompisi (en) CetshwayoAndries Pretoriusforêt d'Hlatikhulu (en) bataille de NdondakusukaCetshwayoJohn Robert Dunn (en) Tugela Cet article est une ébauche concernant l’Afrique et l’histoire. Vous pouvez partager vos connaissances en l’améliorant ( comment ? ) selon les recommandations des projets correspondants. Cet article ne cite pas suffisamment ses sources (juillet 2012). Si vous disposez d'ouvrages ou d'articles de référence ou si vous connaissez des sites web de qualité traitant du thème abordé ici, merci de compléter l'article en donnant les références utiles à sa vérifiabilité et en les liant à la section « Notes et références » En pratique : Quelles sources sont
            Read more

            Hornos de Moncalvillo Voir aussi | Menu de navigationmodifierm

            Image
            Commune dans La Rioja projets correspondantscommunauté autonomeLa RiojaEspagne Cet article est une ébauche concernant une commune de La Rioja. Vous pouvez partager vos connaissances en l’améliorant ( comment ? ) selon les recommandations des projets correspondants. Hornos de Moncalvillo.mw-parser-output .entete.mapbackground-image:url("//upload.wikimedia.org/wikipedia/commons/7/7a/Picto_infobox_map.png") Administration Pays   Espagne Communauté autonome  La Rioja Province  La Rioja Comarque Logroño Budget 242 488 (2009) Maire Mandat Antonio Mayoral Cerrolaza 2007 Code postal 26372 Démographie Population 96  hab. ( 2010 ) Densité 13  hab./km 2 Géographie Coordonnées 42° 23′ 30″ nord, 2° 35′ 06″ ouest Altitude 676  m Superficie 740   ha  = 7,4  km 2 Localisation Géolocalisation sur la carte : Espagne Hornos de Moncalvillo Géolocalisation sur la carte : Espagne Hornos de Moncalvillo modifier   Hornos de Moncalvillo est une commune de la communauté autonome de La Rioja, en
            Read more