Globally readable security-sensitive files on RedHat EL
I am doing a pentest and have found a vulnerability with a web application that allows the arbitrary reading of files that are readable by the web server account.
I can get the /etc/passwd, /etc/snmp/snmp.conf/, /etc/hosts etc. I cannot get the /etc/shadow file as it is only readable by root.
Are there any files in particular on RedHat Enterprise Linux (2.6.9-34 EL) that I should look for? Remember that they need to be globally readable by the web server! r--r--r--
Are you able to browse /etc or issue commands?
If so, you could dump the contents of /etc to a file and grab it; then you'd have a list. (Do it recursively.)
Or can you use wildcards? I.e., what happens if you try to retrieve /etc/rc1.d/S*
How about /etc/sudoers or /etc/sudoers?
Some other things that might be of interest:
I suggest looking up some RedHat hardening guides and seeing:
1) What files/settings they alter.
2) What directories/files they protect.
and see if you can get to any of that information.
Getting invisible files from the user's home directory might be fun too, like .bash_history. Can you use $HOME/.bash_history or %24home/.bash_history, etc.?
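The administrator's side of the question above, as an added example that is not part of the original thread: a shell audit that lists regular files under a tree which an unprivileged account (such as the web server's) could read through the "other" permission bits. The allowlist contents and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report world-readable files under a tree.
# ALLOWLIST is an assumption: base names that are expected to be world-readable.
ALLOWLIST="passwd group hosts resolv.conf"

# Return 0 if the file's base name is on the allowlist.
is_allowed() {
    base=$(basename "$1")
    for name in $ALLOWLIST; do
        if [ "$base" = "$name" ]; then
            return 0
        fi
    done
    return 1
}

# Print "MODE PATH" for each regular file under $1 with the other-read bit set.
# Directories without the other-execute bit are pruned: files below them cannot
# be reached through "other" permissions even when their own mode is 644.
# Only directories inside the tree are checked, not the parents of $1.
audit_world_readable() {
    root=$1
    find "$root" -type d ! -perm -001 -prune -o -type f -perm -004 -print 2>/dev/null |
    while IFS= read -r path; do
        if is_allowed "$path"; then
            continue
        fi
        # First ten characters of ls -ld are the symbolic mode, e.g. -r--r--r--
        mode=$(ls -ld "$path" | cut -c1-10)
        printf '%s %s\n' "$mode" "$path"
    done
}

# Run only when a directory is given on the command line, e.g.: sh audit.sh /etc
if [ "$#" -gt 0 ]; then
    audit_world_readable "$1"
fi
```

Each reported file is a candidate for `chmod o-r` or for moving the secret it holds into a file owned by the service that needs it.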