Thread: globally readable security sensitive files on redhat EL

  1. #1
    xatar
    Guest

    globally readable security sensitive files on redhat EL

    Hi all.

    I am doing a pentest and have found a vulnerability with a web application that allows the arbitrary reading of files that are readable by the web server account.

    I can get the /etc/passwd, /etc/snmp/snmp.conf/, /etc/hosts etc. I cannot get the /etc/shadow file as it is only readable by root.

    Are there any files in particular on RedHat Enterprise Linux (2.6.9-34 EL) that I should look for? Remember that they need to be globally readable by the web server! r--r--r--

    Thanks,
    xatar.

  2. #2
    thorin

    Are you able to browse /etc or issue commands?

    If so, you could dump the contents of /etc to a file and grab it; then you'd have a list. (Do it recursively.)

    Or can you use wildcards? i.e., what happens if you try to retrieve /etc/rc1.d/S*

    How about /etc/sudoers or /etc/sudoers

    Some other things that might be of interest:
    /etc/logrotate.conf
    /etc/sysctl.conf
    /etc/ssh/sshd_config

    I suggest looking up some RedHat hardening guides and seeing:
    1) What files/settings they alter.
    2) What directories/files they protect.
    and see if you can get to any of that information.

    Getting invisible files from the user's home directory might be fun too, like .bash_history. Can you use $HOME/.bash_history or %24home/.bash_history, etc.?
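
From the defender's side, the files named in this thread can be checked on the host itself. The following is an added example, not part of either post: it reports which of those files are readable by "other", which needs the read bit on the file and the search bit on every directory above it. The `WATCHED` list, the one-directory-per-user layout under `/home`, and the function names are assumptions of this example.

```python
import os
import stat

# Paths named in the thread. Treating them as files that should not be
# world-readable is an assumption of this example; /etc/passwd and /etc/hosts
# are left out because they are world-readable by design.
WATCHED = ["etc/shadow", "etc/sudoers", "etc/ssh/sshd_config", "etc/snmp/snmp.conf"]
HISTORY_NAME = ".bash_history"


def other_can_read(root, rel_path):
    """True if 'other' may read the file and search every directory above it."""
    current = root
    parts = rel_path.split("/")
    try:
        for part in parts[:-1]:
            current = os.path.join(current, part)
            mode = os.stat(current).st_mode
            if not (stat.S_ISDIR(mode) and mode & stat.S_IXOTH):
                return False  # a closed parent directory hides the file
        mode = os.stat(os.path.join(current, parts[-1])).st_mode
    except OSError:
        return False  # missing, or not visible to the auditing account
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def audit(root="/", home="home"):
    """Return the watched paths under root that 'other' can read."""
    candidates = list(WATCHED)
    home_dir = os.path.join(root, home)
    if os.path.isdir(home_dir):
        # Assumed layout: one directory per user directly under /home.
        for user in sorted(os.listdir(home_dir)):
            candidates.append("/".join([home, user, HISTORY_NAME]))
    return ["/" + rel for rel in candidates if other_can_read(root, rel)]


if __name__ == "__main__":
    for path in audit():
        print("readable by other:", path)
```

Run it as root so that directories closed to other accounts can still be inspected; any path it prints is a candidate for tightening with `chmod o-r` on the file or `chmod o-x` on a parent directory.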
