Web App Hacking, Part 10: Directory or Path Traversal

Hacking

Welcome back, my novice hackers!

In this series on Web App Hacking, we are examining multiple ways to hack web sites and web applications. In this particular tutorial we will examine directory or path traversal. In this type of attack, the hacker is able to get access files on the underlying server that might be confidential or critical.

As you know, the Apache web server (the world’s most popular web server) serves up it sites at /var/www/html (on Windows servers it is c:\inetpub\wwwroot). This means that when you are viewing web pages at a web site, those pages are all sub-pages or sub-directories from that root directory.

What if –while we connected to the web server- we could navigate out of this directory and navigate to other directories on the server and serve up those files for display in our browser? If so, we might be able to find critical information on the server from /etc directory or /proc directory or even the /var directory. In this way, we might be able to find key information on the server such as key users, confidential information, the processes being run or even access and change the Apache config file.

In this tutorial, we will attempting directory traversal against the intentionally vulnerable DVWA website built into Metasploitable.

Step #1: Login and Set Security

The first step is to login to DVWA. The credentials are “admin” and “password’ (speaking of Damn Vulnerable!).

Then set the security to “low”.

Step #2: Check the URL

If you were to run a vulnerability scanner such as OWASP-ZAP against DVWA, you will likely find multiple directories that are vulnerable to directory traversal (here they refer to it as “Directory Browsing”).

These directories often end with URL pointing to an internal file such index.html similar to below.

/script.php?page=index.html

Here PHP script is pointing to a file such as index.html. The hacker or pentester can take advantage of this vulnerability in the PHP code to redirect the script to another file on the underlying server and display it.

Within the DVWA web site we can find several URL’s pointing to internal files such as;

/dvwa/vulnerabilities/fi/?page=

If we can direct the URL to an internal file on the underlying server we may be able to get it to reveal key or confidential information.

Remember that the Apache server is serving pages from the /var/www/html directory. That means that the pages we are viewing are literally at the following directory on the underlying server;

/var/www/html/dvwa/vulnerabilities/fi

To think of it in other terms, the pages the web server is displaying the browser are 6 levels up from the / (root) directory. This means that if we can get the PHP script to move up six levels we would be in the / directory. We might be able to use ../ to move up one directory level or string six together to move up 6 levels.

Let’s try using the following URL that would move up 6 levels from the specified file location to the / directory and then serve us /etc/passwd file.

192.168.1.112/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd

As you can see, we were able to display all the user accounts on Linux server underlying the Apache web server!

Of course, the /etc/passwd file has the user accounts, but not the passwords. Passwords are stored in /etc/shadow as hashes. Let’s try to access that file and see whether we can get access to those password hashes.

As you can see, this method will NOT work to access the password hashes as they are only accessible to the root user and we have entered the server as a regular user without admin privileges. As a result, we get the permission denied message.

Step #3: Accessing the /proc Directory

In addition, we might be able to use the same technique to access key information from the /proc directory. Remember, every process has a file in the proc directory. For instance, we may be able to determine the version of the operating system from the /proc/version file. WE may be able to access it by creating a URL such as;

http://192.168.1.112/dvwa/vulnerabilities/fi/?page=../../../../../../proc/version

As we can see in the screenshot above, this directory traversal to the /proc directory serves up the version of the underlying Linux server (Linux Server 2.6.24). This may be critical information in determining how we might compromise and attack this server further (exploits are usually specific to version of the software).

By accessing the /proc/net/tcp file on the server, we can see all the TCP connections the server has established. We could get the similar results regarding the UDP connections by accessing /proc/net/udp.

Finally, let’s try to access the /proc/sched_deb file. This file is the process scheduler on Linux systems. By accessing it, we should be able to get a snapshot of the processes running on the system including their PID.

Conclusion

Web servers that are vulnerable to directory traversal or directory browsing can be manipulated to serve up confidential or critical data to the hacker including user account, process information or even a confidential file residing on the server such as a network diagram or vulnerability assessment.