Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?

How to make healing in an exploration game interesting

how to write formula in word in latex

How to use deus ex machina safely?

Dice rolling probability game

Happy pi day, everyone!

Min function accepting varying number of arguments in C++17

Hacking a Safe Lock after 3 tries

Did Ender ever learn that he killed Stilson and/or Bonzo?

How to read the value of this capacitor?

What are substitutions for coconut in curry?

PTIJ: Who should I vote for? (21st Knesset Edition)

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

How do I hide Chekhov's Gun?

Are all passive ability checks floors for active ability checks?

Most cost effective thermostat setting: consistent temperature vs. lowest temperature possible

Do I need to be arrogant to get ahead?

Do I need life insurance if I can cover my own funeral costs?

How to write cleanly even if my character uses expletive language?

Why is the President allowed to veto a cancellation of emergency powers?

Can I use USB data pins as power source

How to change two letters closest to a string and one letter immediately after a string using notepad++

Unexpected result from ArcLength

Why do Australian milk farmers need to protest supermarkets' milk price?

Why one should not leave fingerprints on bulbs and plugs?



Awsome yet unlucky path traversal


Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?













3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago















3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago













3












3








3








I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question














I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service




web-application penetration-test webserver operating-systems web-service






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 4 hours ago









Lucian NitescuLucian Nitescu

1,287416




1,287416












  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago

















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago
















What about the /opt location?

– Jeroen - IT Nerdbox
4 hours ago





What about the /opt location?

– Jeroen - IT Nerdbox
4 hours ago













@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
4 hours ago





@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
4 hours ago













@hiburn8 "Bash histories of all users"

– Lucian Nitescu
3 hours ago





@hiburn8 "Bash histories of all users"

– Lucian Nitescu
3 hours ago










1 Answer
1






active

oldest

votes


















4














Use the traversal vulnerability to read



/proc/self/environ


This prints out environment variables among other thread information.



Look for a environment variable called DOCUMENT_ROOT






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Use the traversal vulnerability to read



    /proc/self/environ


    This prints out environment variables among other thread information.



    Look for a environment variable called DOCUMENT_ROOT






    share|improve this answer



























      4














      Use the traversal vulnerability to read



      /proc/self/environ


      This prints out environment variables among other thread information.



      Look for a environment variable called DOCUMENT_ROOT






      share|improve this answer

























        4












        4








        4







        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT






        share|improve this answer













        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 3 hours ago









        DaisetsuDaisetsu

        4,21811021




        4,21811021



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Masuk log Menu navigasi

            Image
            JawaSundaBanyumasanBugisAcehBanjarMinangMelayuDeutschEnglishEspañolFrançaisItalianoNederlands (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003Etutupu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="id" dir="ltr"u003Eu003C/divu003Eu003C/divu003Eu003C/divu003E";()); Masuk log Loncat ke navigasi Loncat ke pencarian Bahasa: Jawa | Sunda | Banyumasan | Bugis | Aceh | Banjar | Minang | Melayu | Deutsch | English | Español | Français | Italiano | Nederlands Nama pengguna Kata sandi   Biarkan saya tetap masuk Masuk log Bantuan masuk log Lupa kata sandi? Belum punya akun?Gabung Wikipedia Diperoleh dari "https:/
            Read more

            Identifying “long and narrow” polygons in with PostGISlength and width of polygonWhy postgis st_overlaps reports Qgis' “avoid intersections” generated polygon as overlapping with others?Adjusting polygons to boundary and filling holesDrawing polygons with fixed area?How to remove spikes in Polygons with PostGISDeleting sliver polygons after difference operation in QGIS?Snapping boundaries in PostGISSplit polygon into parts adding attributes based on underlying polygon in QGISSplitting overlap between polygons and assign to nearest polygon using PostGIS?Expanding polygons and clipping at midpoint?Removing Intersection of Buffers in Same Layers

            Image
            Do I have to worry about players making “bad” choices on level up? Is thermodynamics only applicable to systems in equilibrium? gnu parallel how to use with ffmpeg Has any spacecraft ever had the ability to directly communicate with civilian air traffic control? Reverse the word in a string with the same order in javascript Is creating your own "experiment" considered cheating during a physics exam? How to stop co-workers from teasing me because I know Russian? What is a Recurrent Neural Network? Any examples of headwear for races with animal ears? Confusion about capacitors TikZ how to make supply and demand arrows for nodes? Does a creature that is immune to a condition still make a saving throw? How to verbalise code in Mathematica? Upright [...] in italics quotation Cannot populate data in lightning data table Stark VS Thanos Binary Numbers Magic Trick In gnome-terminal only 2 out of 3 zoom keys work You look catfish vs You look like a
            Read more

            Старые Смолеговицы Содержание История | География | Демография | Достопримечательности | Примечания | НавигацияHGЯOLHGЯOL41 206 832 01641 606 406 141Административно-территориальное деление Ленинградской области«Переписная оброчная книга Водской пятины 1500 года», С. 793«Карта Ингерманландии: Ивангорода, Яма, Копорья, Нотеборга», по материалам 1676 г.«Генеральная карта провинции Ингерманландии» Э. Белинга и А. Андерсина, 1704 г., составлена по материалам 1678 г.«Географический чертёж над Ижорскою землей со своими городами» Адриана Шонбека 1705 г.Новая и достоверная всей Ингерманландии ланткарта. Грав. А. Ростовцев. СПб., 1727 г.Топографическая карта Санкт-Петербургской губернии. 5-и верстка. Шуберт. 1834 г.Описание Санкт-Петербургской губернии по уездам и станамСпецкарта западной части России Ф. Ф. Шуберта. 1844 г.Алфавитный список селений по уездам и станам С.-Петербургской губернииСписки населённых мест Российской Империи, составленные и издаваемые центральным статистическим комитетом министерства внутренних дел. XXXVII. Санкт-Петербургская губерния. По состоянию на 1862 год. СПб. 1864. С. 203Материалы по статистике народного хозяйства в С.-Петербургской губернии. Вып. IX. Частновладельческое хозяйство в Ямбургском уезде. СПб, 1888, С. 146, С. 2, 7, 54Положение о гербе муниципального образования Курское сельское поселениеСправочник истории административно-территориального деления Ленинградской области.Топографическая карта Ленинградской области, квадрат О-35-23-В (Хотыницы), 1930 г.АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1933, С. 27, 198АрхивированоАдминистративно-экономический справочник по Ленинградской области. — Л., 1936, с. 219АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1966, с. 175АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1973, С. 180АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1990, ISBN 5-289-00612-5, С. 38АрхивированоАдминистративно-территориальное деление Ленинградской области. — СПб., 2007, с. 60АрхивированоКоряков Юрий База данных «Этно-языковой состав населённых пунктов России». Ленинградская область.Административно-территориальное деление Ленинградской области. — СПб, 1997, ISBN 5-86153-055-6, С. 41АрхивированоКультовый комплекс Старые Смолеговицы // Электронная энциклопедия ЭрмитажаПроблемы выявления, изучения и сохранения культовых комплексов с каменными крестами: по материалам работ 2016-2017 гг. в Ленинградской области

            Image
            Населённые пункты по алфавитуНаселённые пункты Волосовского районаМызы Ингрии Беседском сельском поселенииВолосовского районаЛенинградской областиПисцовой книгеВодской пятиныКопорского уездаИнгерманландииА. И. БергенгеймамызаАдриана ШонбекаСанкт-Петербургской губернииФ. Ф. ШубертадворовП. И. КёппенаингерманландцевсавакотовЯмбургского уездадесятиныПервой переписи населения Российской империиКингисеппского уездаМолосковицкого районанационального сельсоветаКингисеппского районаМолосковицыКряковоМолосковицыБелого движенияЭрмитажаголубца 59°22′14″ с. ш. 29°02′42″ в. д. H G Я O L Старые Смолеговицы Материал из Википедии — свободной энциклопедии Перейти к навигации Перейти к поиску Деревня Старые Смолеговицы 59°22′14″ с. ш. 29°02′42″ в. д. H G Я O L Страна Россия   Россия Субъект Федерации Ленинградская область Муниципальный район Волосовский Сельское поселение Беседское История и география Первое упоминание 1500 год Прежние названия Смолиговичи, Смолего
            Read more