Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?

Unexpected result from ArcLength

Combining an idiom with a metonymy

compactness of a set where am I going wrong

How to use deus ex machina safely?

What is the significance behind "40 days" that often appears in the Bible?

Dice rolling probability game

A Cautionary Suggestion

Is it possible to upcast ritual spells?

Does someone need to be connected to my network to sniff HTTP requests?

Why did it take so long to abandon sail after steamships were demonstrated?

Most cost effective thermostat setting: consistent temperature vs. lowest temperature possible

Gantt Chart like rectangles with log scale

Why do passenger jet manufacturers design their planes with stall prevention systems?

Employee lack of ownership

My Graph Theory Students

How to explain that I do not want to visit a country due to personal safety concern?

How could a scammer know the apps on my phone / iTunes account?

Do I need life insurance if I can cover my own funeral costs?

Is it normal that my co-workers at a fitness company criticize my food choices?

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

Are there other languages, besides English, where the indefinite (or definite) article varies based on sound?

Have researchers managed to "reverse time"? If so, what does that mean for physics?

Hacking a Safe Lock after 3 tries

What is a^b and (a&b)<<1?



Awsome yet unlucky path traversal


Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?













3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago















3















I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question






















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago













3












3








3








I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service







share|improve this question














I am performing a penetration testing on an application hosted on an Ubuntu environment.



So using a path traversal vulnerability, I can download any file.



The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.



What I have tried:



  • Search for logs that can lead me to the path. nginx or apache2 is not there.

  • Search for nginx, apache2 or other configuration files

  • Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)

  • Bash histories of all users

What else should I try?






web-application penetration-test webserver operating-systems web-service




web-application penetration-test webserver operating-systems web-service






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 4 hours ago









Lucian NitescuLucian Nitescu

1,287416




1,287416












  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago

















  • What about the /opt location?

    – Jeroen - IT Nerdbox
    4 hours ago











  • @Jeroen-ITNerdbox no luck :)

    – Lucian Nitescu
    4 hours ago











  • @hiburn8 "Bash histories of all users"

    – Lucian Nitescu
    3 hours ago
















What about the /opt location?

– Jeroen - IT Nerdbox
4 hours ago





What about the /opt location?

– Jeroen - IT Nerdbox
4 hours ago













@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
4 hours ago





@Jeroen-ITNerdbox no luck :)

– Lucian Nitescu
4 hours ago













@hiburn8 "Bash histories of all users"

– Lucian Nitescu
3 hours ago





@hiburn8 "Bash histories of all users"

– Lucian Nitescu
3 hours ago










1 Answer
1






active

oldest

votes


















4














Use the traversal vulnerability to read



/proc/self/environ


This prints out environment variables among other thread information.



Look for a environment variable called DOCUMENT_ROOT






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Use the traversal vulnerability to read



    /proc/self/environ


    This prints out environment variables among other thread information.



    Look for a environment variable called DOCUMENT_ROOT






    share|improve this answer



























      4














      Use the traversal vulnerability to read



      /proc/self/environ


      This prints out environment variables among other thread information.



      Look for a environment variable called DOCUMENT_ROOT






      share|improve this answer

























        4












        4








        4







        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT






        share|improve this answer













        Use the traversal vulnerability to read



        /proc/self/environ


        This prints out environment variables among other thread information.



        Look for a environment variable called DOCUMENT_ROOT







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 3 hours ago









        DaisetsuDaisetsu

        4,21811021




        4,21811021



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Magento 2 duplicate PHPSESSID cookie when using session_start() in custom php scriptMagento 2: User cant logged in into to account page, no error showing!Magento duplicate on subdomainGrabbing storeview from cookie (after using language selector)How do I run php custom script on magento2Magento 2: Include PHP script in headerSession lock after using Cm_RedisSessionscript php to update stockMagento set cookie popupMagento 2 session id cookie - where to find it?How to import Configurable product from csv with custom attributes using php scriptMagento 2 run custom PHP script

            Image
            In the late 1940’s to early 1950’s what technology was available that could melt a LOT of ice? "One can do his homework in the library" Setting correct UTM zone Time travel short story where dinosaur doesn't taste like chicken Do Bugbears' arms literally get longer when it's their turn? Offered promotion but I'm leaving. Should I tell? Subset counting for even numbers The difference between 時 and 時は String reversal in Python Good allowance savings plan? Do f-stop and exposure time perfectly cancel? What are some noteworthy "mic-drop" moments in math? They call me Inspector Morse Do I really need to have a scientific explanation for my premise? Make a transparent 448*448 image Could a cubesat propel itself to Mars? What is the chance of making a successful appeal to dismissal decision from a PhD program after failing the qualifying exam in the 2nd attempt? Could a cubesat be propelled to the moon? the return of Stri
            Read more

            Can not update quote_id field of “quote_item” table magento 2Magento 2.1 - We can't remove the item. (Shopping Cart doesnt allow us to remove items before becomes empty)Add value for custom quote item attribute using REST apiREST API endpoint v1/carts/cartId/items always returns error messageCorrect way to save entries to databaseHow to remove all associated quote objects of a customer completelyMagento 2 - Save value from custom input field to quote_itemGet quote_item data using quote id and product id filter in Magento 2How to set additional data to quote_item table from controller in Magento 2?What is the purpose of additional_data column in quote_item table in magento2Set Custom Price to Quote item magento2 from controller

            Image
            iPad being using in wall mount battery swollen Should I cover my bicycle overnight while bikepacking? Do UK voters know if their MP will be the Speaker of the House? Why can't we play rap on piano? Plagiarism or not? Why didn't Miles's spider sense work before? How to tell a function to use the default argument values? Short story with a alien planet, government officials must wear exploding medallions If human space travel is limited by the G force vulnerability, is there a way to counter G forces? What about the virus in 12 Monkeys? Is it acceptable for a professor to tell male students to not think that they are smarter than female students? Avoiding the "not like other girls" trope? Apex Framework / library for consuming REST services Is there an expression that means doing something right before you will need it rather than doing it in case you might need it? Method Does Not Exist error message How to show a landlord what we have
            Read more

            How to solve knockout JS error in Magento 2 Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?(Magento2) knockout.js:3012 Uncaught ReferenceError: Unable to process bindingUnable to process binding Knockout.js magento 2Cannot read property `scopeLabel` of undefined on Product Detail PageCan't get Customer Data on frontend in Magento 2Magento2 Order Summary - unable to process bindingKO templates are not loading in Magento 2.1 applicationgetting knockout js error magento 2Product grid not load -— Unable to process binding Knockout.js magento 2Product form not loaded in magento2Uncaught ReferenceError: Unable to process binding “if: function()return (isShowLegend()) ” magento 2

            Image
            Does the Pact of the Blade warlock feature allow me to customize the properties of the pact weapon I create? Why isn't everyone flabbergasted about Bran's "gift"? Paektu / Changbai border dispute — why does the BBC shade a large area around the mountain? Is it OK if I do not take the receipt in Germany? How to ask rejected full-time candidates to apply to teach individual courses? /bin/ls sorts differently than just ls What *exactly* is electrical current, voltage, and resistance? Coin Game with infinite paradox Diffie-Hellman with non-prime modulus Example of a central simple algebra Etymology of 見舞い Lights are flickering on and off after accidentally bumping into light switch A journey... into the MIND How to calculate density of unknown planet? How to produce a PS1 prompt in bash or ksh93 similar to tcsh What's the connection between Mr. Nancy and fried chicken? How can I delete rows in the text? How is it possible to implement
            Read more