About a year and a half ago, our team was working on an assessment where we had root access to a server via a directory traversal, but we couldn’t convert that to a working shell because of several restrictions on the server and a very strong password policy that was implemented i.e. /etc/shadow passwords could not be cracked during the assessment timeframe. We still knew that we had access to a very valuable target though.
It became quite difficult for us to progress on the assessment as we couldn’t see any files and directories on the server which may be unique, taking this into account Dino and Manny came up with the simple idea of downloading the mlocate database (since we had the required privileges luckily). The mlocate database is quite a mess if you open it directly in any text editor, but we were lucky enough to find pymlocate(https://github.com/salexan2001/pymlocate) which assisted us in obtaining a really neatly formatted file of directory structures on the target machine. Thanks to Alexander Schlemmer (salexan2001) for creating it.
We then created our own tool, called Travesty, which allowed us to automate the entire process, requiring just the vulnerable traversal URL and an output filename.
Utilising the tool has proved to be extremely useful over the course of this year on various assessments and it’s a great way to quickly find valuable information, files and directories on a target, that you wouldn’t normally know of on the machine.
We’ve decided to release the small script to the public, in order to assist analysts in their day to day jobs – if it even helps one security analyst, we’re happy!
We’ve released the tool on our Github at:
There’s a lot of work to be done and things that we want to add to it, but for now it does the job(just!).
In action screenshot: