
Thread: Exploiting Web Server Directory Traversal Arbitrary File Access

  1. #1
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744

    Exploiting Web Server Directory Traversal Arbitrary File Access

    Just wishing to share, to ease our life if we come across the same finding next time.

    During a Penetration Test, a medium-threat vulnerability, "Web Server Directory Traversal Arbitrary File Access", was reported by Nessus in Sentinel Protection Server.
    For PoC, Nessus gave the output of the boot.ini file.

    The following would give the data of the boot.ini file of the remote server:
    # nc -vv -n 10.1.1.38 6002
    GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0
    I feel it's always better to try to look for a way to own the server instead of just giving the PoC for some vulnerability. It helps in the following two ways:
    1. In the attempt to exploit the vulnerability you generally come across new stuff to learn. And that's very crucial.
    2. You and your organization would make a good technical impression on the client.

    Ok, so by now the vulnerability was confirmed, since the remote server was spitting out the content of a remote file.
    What next?

    Most of us know that the SAM and SYSTEM files residing in the repair folder (windows/repair/) contain the password hashes. So the next attempt should be to retrieve those files.

    Simply doing it with the HTTP GET method at the command prompt will again spit out the content on the console itself. You need to have the files intact in order to retrieve the passwords out of them.

    Why not download them using a web browser?
    And you would notice that nothing happened and the browser has already modified your input to http://10.1.1.38/repair/SAM

    Actually, browsers usually modify the delimiters or just the entire URI; for example IE converts backslashes into slashes, while Firefox drops ../ and converts \ into %5c.

    Then how?

    Here comes the savior: lynx

    lynx is a console-based browser and is available in BackTrack by default.

    It will give you the option to download the remote file. Download SAM and similarly download the SYSTEM file as well.

    Extracting the hashes out of the SAM and SYSTEM files:
    # samdump2 SYSTEM SAM > hashes.txt
    Cain & Abel can also be used for extracting the hashes from the SAM and SYSTEM files.

    Now fire up your 60 GB NTLM rainbow tables and crack the hashes within seconds or minutes.

    With the obtained Administrator password, of course you can do anything now.

    Cheers! Sharing is caring!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious
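    The post above notes that the server accepted backslash-separated ../ sequences and that browsers rewrite them (IE to slashes, Firefox to %5c). The detection and mitigation side of that observation, as an added example that is not part of the original post or of the Sentinel Protection Server software: a request path canonicaliser that bounded-decodes percent-encoding (so %5c and double-encoded %255c are both caught), treats backslashes as separators, and flags any request that still climbs above the document root, run over a few constructed access-log lines. The function names, the log format and the sample log lines are assumptions made for this example.

```python
"""Detect and refuse directory-traversal request paths.

Added, defender-side example; not part of the original post or of the
Sentinel Protection Server software. Sample log lines are constructed.
"""
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so %255c (double-encoded \) is caught


def normalize_request_path(raw_path: str) -> str:
    """Return the relative, slash-separated, normalised path a request resolves to.

    Percent-decoding is repeated (bounded) because clients and proxies may
    encode more than once; backslashes become slashes because Windows-hosted
    servers such as the one in the post accept both as separators.
    """
    path = raw_path.split("?", 1)[0]  # drop the query string
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Normalise as a RELATIVE path: posixpath.normpath keeps leading ".."
    # components it cannot resolve, which is exactly the signal we want.
    # (Normalising "/../x" as absolute would silently collapse to "/x".)
    return posixpath.normpath(path.lstrip("/"))


def escapes_docroot(raw_path: str) -> bool:
    """True when the canonical path still tries to climb above the document root."""
    rel = normalize_request_path(raw_path)
    return rel == ".." or rel.startswith("../")


def resolve_under_docroot(docroot: str, raw_path: str):
    """Mitigation-side check: the file path to serve, or None to refuse the request."""
    if escapes_docroot(raw_path):
        return None
    return posixpath.join(docroot, normalize_request_path(raw_path))


# Constructed access-log lines (common log format); not taken from any real server.
SAMPLE_LOG = [
    '10.1.1.5 - - [14/Jan/2011:02:04:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.1.1.5 - - [14/Jan/2011:02:04:01 +0000] "GET /..\\..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0" 200 300',
    '10.1.1.5 - - [14/Jan/2011:02:04:02 +0000] "GET /..%5c..%5cwindows%5crepair%5cSAM HTTP/1.0" 200 24576',
    '10.1.1.5 - - [14/Jan/2011:02:04:03 +0000] "GET /docs/../index.html HTTP/1.0" 200 512',
]


def find_traversal_attempts(log_lines):
    """Return (client_ip, request_path) for every line whose path escapes the docroot."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]          # the quoted "METHOD PATH PROTO" part
            _method, path, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # malformed line: skip, don't crash
        if escapes_docroot(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

    The benign "/docs/../index.html" line is deliberately included: a detector that merely greps for "../" would flag it, whereas canonicalising first and checking whether the result still begins with ".." only flags requests that actually leave the root. On the serving side, the same canonical path is what should be joined to the document root, never the raw request string.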

  2. #2
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    and that's called woot woot he he
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Infosec Enthusiast AnArKI's Avatar
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    very satisfying read ;-) thanks mate

  4. #4
    Good one.

  5. #5
    Excellent share bro... that's really out-of-the-box thinking
    Last edited by ajaysinghnegi; 01-14-2011 at 02:04 AM.
