Arbitrary File Access
Multiple attacks may allow us to read or write arbitrary files.
Interesting Files To Read

- `/etc/passwd`, `/etc/group`: users and groups
- `/proc/self/environ`: current process environment
- `/proc/self/status` and `/proc/self/cmdline`: process command line
- `/etc/hosts`, `c:\windows\system32\drivers\etc\hosts`: virtual hosts
- `/home/<username>/.bash_history`: command history
- `/etc/crontab`: cron tasks
- `/var/lib/dpkg/status` and alternatives: installed packages
- `wp-config.php` and application-specific configuration files
- `/etc/ssh/sshd_config`: may contain usernames
A locate database may be present and in use; if we can read it, we can use it to find interesting paths. Load a retrieved copy with `locate -d ./xxxdb [...]`:

- `/var/cache/locate/locatedb`
- `/var/lib/mlocate/mlocate.db`
- `/var/lib/plocate/plocate.db`

Don't forget DNS-related files and DHCP lease files.
Interesting Files To Write

- `/etc/shadow`, `/etc/passwd`: add/edit users
- `/etc/group`: add/edit groups
- `/etc/sudoers`: add/edit privileged users
Interesting Files To Know

These files almost always exist and contain a predictable value, which makes them useful for confirming that a file read actually works:

- `/proc/sys/kernel/ostype`: often contains `Linux`
- `/proc/sys/kernel/randomize_va_space`: often contains `2`
- `/sys/module/apparmor/parameters/enabled`: often contains `Y\n`
- `/proc/sys/kernel/pid_max`: often contains `32768` or `4194304`
- `/sys/class/power_supply/BAT{n}/type`: often contains `Battery`
- `/sys/class/tty/tty0/active`: contains a value such as `tty1`
- `/sys/class/power_supply/AC{n}/online`: contains either `0` or `1`
- `/sys/class/net/eth0/type`: contains `1` (?)
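On the defensive side, the same lists tell a log reviewer what to look for. The following is an added example, not part of the original note: it runs over constructed web-access-log lines (combined log format is assumed) and flags requests whose path or query value, after percent-decoding, backslash normalisation, `%00` truncation and `../` resolution, lands on one of the files listed above.

```python
import re
from urllib.parse import parse_qsl, unquote
# Files from the lists above, as regexes since parts vary (user, PHP version, BAT{n}).
SENSITIVE_RE = re.compile("|".join([
    r"/etc/(passwd|shadow|group|sudoers|hosts|crontab|ssh/sshd_config|php/[^/]+/(apache2|fpm)/php\.ini)$",
    r"/proc/self/(environ|status|cmdline|cgroup)$",
    r"/proc/sys/kernel/(ostype|randomize_va_space|pid_max|random/boot_id)$",
    r"/sys/(module/apparmor/parameters/enabled|class/(power_supply/(BAT|AC)\d+/\w+|tty/tty0/active|net/eth0/\w+))$",
    r"/home/[^/]+/\.bash_history$",
    r"/var/(cache/locate/locatedb|lib/[mp]locate/[mp]locate\.db|lib/dpkg/status)$",
    r"/windows/(system32/drivers/etc/hosts|boot\.ini)$",
    r"wp-config\.php$",
]), re.IGNORECASE)

def normalize(value: str) -> str:
    """Percent-decode until stable (catches %252e), backslash->slash, cut at %00, resolve ./ and ../ from a virtual root."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    value = value.replace("\\", "/").split("\x00", 1)[0]
    parts = []
    for seg in value.split("/"):
        if seg == "..":
            parts = parts[:-1]
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def find_lfi_probes(log_lines):
    """Return (client_ip, resolved_target) for each request whose path or any query value resolves to a sensitive file."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)', line)
        if m:
            ip, target = m.groups()
            path, _, query = target.partition("?")
            for cand in [path] + [v for _, v in parse_qsl(query)]:
                resolved = normalize(cand)
                if SENSITIVE_RE.search(resolved):
                    hits.append((ip, resolved))
                    break
    return hits
# Constructed sample log lines (not real traffic): 203.0.113.7 is probing, 198.51.100.4 is not.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1832',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=%252e%252e%252fproc%252fsys%252fkernel%252fostype HTTP/1.1" 200 6',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /download?f=../../../../etc/shadow%00.pdf HTTP/1.1" 403 12',
    '203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=..\\..\\windows\\system32\\drivers\\etc\\hosts HTTP/1.1" 200 824',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
]
```

`find_lfi_probes(SAMPLE_LOG)` returns the four probing requests resolved to `/etc/passwd`, `/proc/sys/kernel/ostype`, `/etc/shadow` and `/windows/system32/drivers/etc/hosts`; the benign `page=about` request is not flagged.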
To-do

Stuff that I found, but never read/used yet.

- default webserver roots
  - can be fuzzed
  - wordlists
    - `default-web-root-directory-linux.txt`
    - `default-web-root-directory-windows.txt`
- SecLists LFI
- `/etc/php/X.Y/apache2/php.ini` (web root)
- `/etc/php/X.Y/fpm/php.ini` (web root)
- `C:\Windows\boot.ini`
- `/usr/lib/python`
- `/var/spool/cron/crontabs`, `/etc/crontab`, `/etc/cron.d/`, `/etc/cron.daily/`, `/etc/cron.hourly/`, `/etc/cron.weekly/`, `/etc/cron.monthly/`
- `/etc/php/X.X/apache2/php.ini`
- `/etc/apache2/sites-enabled/`, `/var/log/apache2/`
- `/proc/net/arp`, `/sys/class/net/eth0/address`, `/proc/sys/kernel/random/boot_id`, `/proc/self/cgroup`