View Full Version : globally readable security sensitive files on redhat EL


xatar
04-04-2007, 10:35 AM
Hi all.

I am doing a pentest and have found a vulnerability with a web application that allows the arbitrary reading of files that are readable by the web server account.

I can get the /etc/passwd, /etc/snmp/snmp.conf/, /etc/hosts etc. I cannot get the /etc/shadow file as it is only readable by root.

Are there any files in particular on RedHat Enterprise Linux (2.6.9-34 EL) that I should look for? Remember that they need to be globally readable by the web server! r--r--r--

Thanks,
xatar.

thorin
04-04-2007, 03:02 PM
Are you able to browse /etc or issue commands?

If so, you could dump the contents of /etc to a file and grab it; then you'd have a list. (Do it recursively.)

Or can you use wildcards? I.e., what happens if you try to retrieve /etc/rc1.d/S*?

How about /etc/sudoers or /etc/sudoers?

Some other things that might be of interest:
/etc/logrotate.conf
/etc/sysctl.conf
/etc/ssh/sshd_config

I suggest looking up some RedHat hardening guides and see:
1) What files/settings they alter.
2) What directories/files they protect.
and see if you can get to any of that information.

Getting invisible files from the user's home directory might be fun too, like .bash_history. Can you use $HOME/.bash_history or %24home/.bash_history, etc.?
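
Added example, not part of the thread: a defender-side audit an administrator can run on their own host to see which of the files named above an unprivileged account (such as the web server user) could actually read. The `RESTRICTED` list, the `home` base directory and the function names are assumptions chosen for illustration; the check also covers directory traversal, since a `r--r--r--` file is only reachable when every parent directory grants `o+x`.

```python
import os
import stat

# Assumption (not from the thread): files an unprivileged account such as
# the web server user should not be able to read.
RESTRICTED = ["etc/shadow", "etc/sudoers", "etc/ssh/sshd_config"]
HISTORY_NAME = ".bash_history"


def other_readable(root, rel_path):
    """True if an account matching neither owner nor group can read the file.

    Needs o+r on the file and o+x on every directory below root: a
    r--r--r-- file behind a directory without o+x is still unreachable.
    Only classic mode bits are checked; POSIX ACLs are ignored.
    """
    current = root
    for part in rel_path.split("/")[:-1]:
        current = os.path.join(current, part)
        try:
            mode = os.stat(current).st_mode
        except OSError:
            return False
        if not stat.S_ISDIR(mode) or not mode & stat.S_IXOTH:
            return False
    try:
        mode = os.stat(os.path.join(root, rel_path)).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def audit(root="/", home_base="home"):
    """List restricted paths (relative to root) that 'other' can read."""
    candidates = list(RESTRICTED)
    home_dir = os.path.join(root, home_base)
    if os.path.isdir(home_dir):
        for user in sorted(os.listdir(home_dir)):
            candidates.append(f"{home_base}/{user}/{HISTORY_NAME}")
    return [p for p in candidates if other_readable(root, p)]


if __name__ == "__main__":
    # Run as root on the host being hardened.
    for path in audit():
        print("readable by unprivileged accounts: /" + path)
```

Anything it prints is a candidate for tightening with `chmod o-r` on the file or `chmod o-x` on a parent directory.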