Directory Traversal – Burp Suite

Here are a couple different ways to do directory traversal.

More detailed information is available at the following site.
https://portswigger.net/web-security/file-path-traversal

  1. Normal directory traversal
  2. URL Encoding
  3. Getting around applications that strip directory traversal sequences
  4. Using a null byte

Directory Traversal

What exactly is directory traversal anyway? Well, it is pretty much exactly what it sounds like. We traverse directories by manipulate the file path, for something like an image, to get something more valuable like the passwd file.

In it’s most basic form, we can add ../../../../../etc/passwd to a file path and instead of pulling an image, we get the passwd file.

For instance, if we load an image on a website, it’s file path on the server may be something like /var/www/html/image.png. If we right click on an image and open in a new tab and inspect the URL, we can see this path. “Note: Web servers have a root directory for all the website files. Generally web files’ root starts there not / root of the machine.”

Now if we remove image.png and replace it with ../ (../ on Linux/macOS or ..\ on Windows) we’ll go backwards one directory. String them together and we can go back to the root of the drive. Then we can add /etc/passwd (Or replace with whatever file we want) and load the contents of that file.

Most web applications should have some sort of protections in place to guard against directory traversal. Let’s go over a few ways to get around it.

URL Encoding

URL encoding sometimes can work and is simple to do. In Burp, select the file path, right click, Convert selection -> URL -> URL-encode all characters.

You can also try double encoding. Encode once, select the encoded text and encode again.

In the above screenshots, ../../etc/passwd becomes “%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34”

Getting around applications that strip directory traversal sequences

Sometimes the web app can strip out text that it knows is directory traversal characters/sequences. For instance, it sees ../ in the requested url and just strips it out.

We can do something like the following sequence to get around it.

....//....//etc/passwd

That is 4 periods, followed by 2 slashes. What happens is the web app reads the URL, goes hey ../ is not allowed, bye bye! Removes the two instances of ../ and forwards the URL on. Which ends up being

../../etc/passwd

Which is just perfect for our use case.

Using a Null Byte

If the application is using the file extension to validate that an image or other file is loaded, instead of say passwd, we can try using a null byte. A null byte is used to terminate a string.

../../etc/passwd%00.png

What can end up happening is the web application sees the .png or .jpg at the end and goes “oh that is a valid extension, carry on” and then the system reads the line and sees the null byte and says “Oh null byte! end of file path, here is your file.”

Hydra – Socket error: Connection reset by peer

[VERBOSE] Disabled child 2 because of too many errors
[VERBOSE] Disabled child 6 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error

Looks like the issue can happen if you have too many threads going at once. Lower the amount of threads your using with -t. Recommended amount for ssh is 4.

hydra -L usernames.txt  -P "passwords.txt" 192.168.1.20 ssh -t4

Hashcat examples

Rule based attack

Use a wordlist and best64 rules to try and crack a wordpress hash. Using rockyou.txt as an example.

-m Specifies the hash type

hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt

wordpress.hash is a text file that contains the password hash. You can list multiple hashes in the file

Example contents of file

bob@localhost:~$ cat wordpress.hash 
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$

Brute force

Attempt every 8 numeric combination for a WPA2 key.

hashcat -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d

Hashcat built in Charsets

You can swap out the ?d from the above command with any of the built in character sets below.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Install Hashcat Utils

Hashcat - Kali Linux

Hashcat on Kali Linux

Download the Hashcat utils

wget https://github.com/hashcat/hashcat-utils/archive/master.zip

Run the following commands to unzip and make the binaries

unzip master.zip
cd hashcat-utils-master/src
make

You can now convert an aircrack file by invoking the cap2hccapx binary

./cap2hccapx.bin /path/to/aircrack.cap /path/for/output

How to convert an Aircrack capture file to a Hashcat hccapx

Using Aircrack

aircrack-ng input.cap -J hashcat_output

Unfortunately the above command doesn’t seem to work anymore.

If you try to run Hashcat with the outputted file you’ll get an error.

hashcat_output.hccap: Old hccap format detected! You need to update: https://hashcat.net/q/hccapx

Using Hashcat utils

Refer to this guide for installing the Hashcat utils.

Basic syntax is

./cap2hccapx.bin input.cap output.hccapx

Example

~/Downloads/hashcat-utils-master/src/cap2hccapx.bin aircrack-01.cap aircrack.hccapx

Install Hashcat on Fedora

Install nVidia drivers.  Guide here.

Download binary files from the hashcat website

https://hashcat.net/hashcat/

or use wget

wget https://hashcat.net/files/hashcat-4.1.0.7z

Extract with p7zip

7z x hashcat-4.1.0.7z

cd into the hashcat directory

cd hashcat-4.1.0

Run hashcat

./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict

Example script:

sudo dnf install p7zip
wget https://hashcat.net/files/hashcat-4.1.0.7z
7z x hashcat-4.1.0.7z
cd hashcat-4.1.0
./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict

Errors:
If you get the following error, try re-extracting the 7z file with the “x” option, not “e”.  “x : eXtract files with full paths” and ” e : Extract files from archive (without using directory names)”

inc_cipher_aes256.cl: No such file or directory