a webserver s nightmare serving files that let me pwn you
play

A webservers nightmare Serving files that let me pwn you - PowerPoint PPT Presentation

Apr 02, 2024 •165 likes •702 views

A webservers nightmare Serving files that let me pwn you BerlinSides 0x7E2 @gehaxelt June 23, 2018 Introduction Agenda 1. Intro & something about webservers 2. Interesting files 3. Scanning for files 4. Feedback || Answers

  1. A webserver’s nightmare – Serving files that let me pwn you BerlinSides 0x7E2 @gehaxelt June 23, 2018

  2. Introduction Agenda 1. Intro & something about webservers 2. Interesting files 3. Scanning for files 4. Feedback || Answers && Questions @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 2 / 30

  3. Introduction Attention! Intro & something about webservers @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 3 / 30

  4. Introduction $>whoami • Mr. @gehaxelt / 0day.work • Co-Founder of Internetwache.org • MSc CS student at TU Berlin • < 3 CTFs @ ENOFLAG • Join us for the FAUST-CTF • Or sponsor our Defcon trip ;-) @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 4 / 30

  5. Something about webservers Webservers... • How do we identify webservers? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  6. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  7. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  8. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) • What’s the most used webserver software? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  9. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) 1 • What’s the most used webserver software? 1 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  10. Something about webservers Who should listen? Someone who... • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? • ... develops using Sublime Text and the ‘SFTP‘-Plugin? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 6 / 30

  11. Something about webservers Who should listen? Someone who... • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? • ... develops using Sublime Text and the ‘SFTP‘-Plugin? • ... or just wants to pwn those people’s servers? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 6 / 30

  12. Interesting files on webservers Attention! Interesting files - Part I • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 7 / 30

  13. Interesting files on webservers .git directories (1) • VCS developed by Linus Torvalds • Commands: git init / add / commit / push / pull / ... • Data is stored in the .git directory @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 8 / 30

  14. Interesting files on webservers .git directories (2) • Objects can be commits, trees and blobs. 1 1 Figure https://git-scm.com/book/en/v2/Git-Internals-Git-Objects @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 9 / 30

  15. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  16. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  17. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! Directory listing enabled • It’s trivial to download all object files and restore the repository. • wget –mirror –include-directories=/.git http://domain.tld/.git/ 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  18. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! Directory listing enabled Directory listing disabled • It’s trivial to download all object • Obtain first hash (.git/HEAD, files and restore the repository. .git/refs/heads/master) • wget –mirror • Download object file and get –include-directories=/.git new object hashes http://domain.tld/.git/ • Repeat until nothing new is found! • Automation: GitTools 1 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  19. Interesting files on webservers .git directories (4) Demo! @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 11 / 30

  20. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  21. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. • In some cases .git/config contains HTTP-BasicAuth credentials • Instant access to company’s repositories (e.g. GitLab / GitHub / ... ) • Access to the CI (e.g. GitLabCI): Build scripts and auto-deployment may lead to server pwnage 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  22. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. • In some cases .git/config contains HTTP-BasicAuth credentials • Instant access to company’s repositories (e.g. GitLab / GitHub / ... ) • Access to the CI (e.g. GitLabCI): Build scripts and auto-deployment may lead to server pwnage • A scan 1 showed: ~10k out of Alexa’s Top 1M are affected. • ~250 had HTTP-BasicAuth 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  23. Interesting files on webservers Other VCS Other VCS can be affected, too! • Subversion • Mercurial • ... @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 13 / 30

  24. Interesting files on webservers Attention! Interesting files - Part II • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 14 / 30

  25. Interesting files on webservers .DS_Store files (1) • Apple’s proprietary Desktop Service Store format 1 on MacOS. • Holds meta information (e.g. icons, file name, attributes) about files in a directory. • Hidden and automatically created when entering a directory with ’Finder’. 1 https://en.wikipedia.org/wiki/.DS_Store @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 15 / 30

  26. Interesting files on webservers .DS_Store files (2) Header: • Header contains magic byte, ‘checksum‘, location of ‘root 1 block‘ • Root block holds structural information • Offsets to leaf nodes • Tables of content • Free lists 1 https://0day.work/parsing-the-ds_store-file-format/ @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 16 / 30

Recommend

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an Ethernet port with an integrated web server accessible on a standard web browser (Internet Explorer, firefox) Single-point webserver 2

456 views • 14 slides
Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A guided tour through SQL/MX DBS using iTP Webserver Requirements NonStop System iTP Webserver running Firefox or Chrome browser

338 views • 22 slides
2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on

2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on

2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on the Waking Brain 1.Read the article You awake with a pounding heart and clammy hands. Relax, you think to yourself it was just a bad dream. But

204 views • 8 slides
NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999

NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999

NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999 1 NIGHTMARE CREATURES II NIGHTMARE CREATURES II Game Overview Working tittle : Nightmare Creatures II Genre : Horror Action- Adventure Game

317 views • 8 slides
UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD

UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD

UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD OUT! Coming Up 12/14 Dinner and Show Nightmare 12/15 Nightmare Before Christmas 12/16 Nightmare Before Christmas 12/22 Holiday

336 views • 6 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

507 views • 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views • 22 slides
Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing system Organized into a hierarchy of directories Files / /etc /Applications /var /tmp /Users /etc/Apache /etc/master.passwd

232 views • 19 slides
20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD Application Scientist Live Chemistry in Microsoft Office Structure representation Chemical search R-group decomposition Import from files or databases

506 views • 13 slides
Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams other media so that we dont lose it even if the computer is shut off Files can store more data than may fit in Yves Lesprance working memory

248 views • 4 slides
Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open files Different ways of reading files How to write out files How to read then search, count, etc. on files Concepts about

615 views • 26 slides
Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have used regular text files O&gt;en called FLAT FILES These have a certain advantage,

554 views • 22 slides
Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn

Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn

Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn room: A-72a phone: 4222 e-mail: petr.zamostny@vscht.cz PSPad editor Freeware http://www.pspad.com/cz/download.php Making the first

149 views • 14 slides
Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare

Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare

Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare from which we are just awakening. The febrile atmosphere of those days when two Prime Ministers struggled to push a withdrawal agreement through

269 views • 8 slides
Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck,

Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck,

Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck, http://www.hboeck.de/ Web 2.0 for everyone? Web 2.0 applications should be available for the common user Blog in 1 minute, Get your own

254 views • 11 slides
A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM

A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM

A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM LIFECARE INSTITUTE OF MEDICAL SCIENCES &amp; RESEARCH,AHMEDABAD,INDIA Disclosure Statement of Financial Interest I, Dr Varun Chawla DO NOT have a

677 views • 32 slides
Outline ! Introduction ! Basic

Outline ! Introduction ! Basic

File Structures An Introduction Outline ! Introduction ! Basic Concepts ! Secondary Storage ! Sequential Files ! Direct Files ! Indexed Files ! Tree-Based Files ! Multilist &amp;

364 views • 35 slides
Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed Sequential Files ! Multilevel Indexes ! Overflow Management ! Performance Analysis rasitjutrakul Indexed Files Ordered Random access sequential

536 views • 22 slides
Django, from nightmare to dream with Best Practices by Stphane Wirtel EuroPython 2017 -

Django, from nightmare to dream with Best Practices by Stphane Wirtel EuroPython 2017 -

Django, from nightmare to dream with Best Practices by Stphane Wirtel EuroPython 2017 - Rimini/y ;-) 11 Luglio 2017 1 / 69 Hello, I am Stphane Python Freelancer Open Source = My Passion/Job PythonFOSDEM CPython contributor PSF, EPS

838 views • 69 slides
The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015

The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015

The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015 REMath (github.com/REMath) Stephen Dolan http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf It is well-known that the x86 instruction set is baroque,

1.93k views • 158 slides
Payroll Tax Train Wreck Resolving Your Clients Payroll Tax Nightmare Eric L. Green, Esq. 1

Payroll Tax Train Wreck Resolving Your Clients Payroll Tax Nightmare Eric L. Green, Esq. 1

Payroll Tax Train Wreck Resolving Your Clients Payroll Tax Nightmare Eric L. Green, Esq. 1 About Tax Rep LLC Tax Rep is a member driven community that helps each other build their representation practice and help taxpayers, with members being

438 views • 29 slides
Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul

Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul

Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul Strackx raoul.strackx@cs.kuleuven.be @raoul_strackx imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium Hardwear.io, June 14 th , 2019

1.05k views • 81 slides
Serving Contextual Communities Serving Contextual Communities The Evangelical Theological

Serving Contextual Communities Serving Contextual Communities The Evangelical Theological

Rochina, Rio Serving Contextual Communities Serving Contextual Communities The Evangelical Theological Seminary of Cairo Serving Contextual Communities Are our seminaries conscious that they are functioning in societies that have crucial

319 views • 30 slides
Sequential Files : Outline ! Overview ! Ordered vs. Unordered ! Physical sequential Files !

Sequential Files : Outline ! Overview ! Ordered vs. Unordered ! Physical sequential Files !

Sequential Files : Outline ! Overview ! Ordered vs. Unordered ! Physical sequential Files ! Physical Linked Sequential Files ! COBOL rasitjutrakul Sequential Files &quot; Logically the records are stored consecutively Physical sequential file

335 views • 22 slides

More recommend