I wrote a post a while back on turning a directory traversal vulnerability into root access on Unix or Linux systems. The post and a tool I wrote to help facilitate attacks can be found here. These vulnerabilities can be fun because they are often rated as moderate risks, with CVSS scores around 5.0, and therefore go unremediated.

I came across a Windows host with a directory traversal vulnerability issue recently and realized I should write a Windows based post for this class of vulnerability. Many times, the example for the exploit is that you can obtain win.ini, and thus the person responsible for patching thinks ‘yippy, you can read win.ini’ and the issue isn’t patched. However, there are some critical Windows system files that can be retrieved if you know where to look.

The most likely files to be leveraged to obtain access to a Windows host are the SAM, SYSTEM, and SECURITY files that store registry data, including password hashes in LM, NTLM, and MSCACHE format. The active files are locked by Windows when it is booted and therefore are unlikely to be accessible with a directory traversal attack. What we want are the backup copies or repair versions that are often found on virtually all versions of Windows.

Common backup/recovery directories for these files include:

  • C:\WINNT\repair
  • C:\Windows\repair
  • C:\Windows\System32\config\RegBack

Leveraging the directory traversal attack to retrieve one of these files would involve sending the directory traversal string, followed by one of the above paths, followed by SAM, SYSTEM, or SECURITY. Usually, ten levels deep in the directory traversal will work. An example:


Try each path, and if you aren’t having success then try encoding (..%2f or %2e%2e%2f) or double encoding (..%252f or %252e%252e%252f) the directory traversal portion of the payload.

Once you have the files you can attempt to crack any stored passwords. My first choice is to load the file in Ophcrack with the various free rainbow tables (XP free fast, Vista free, Vista special, and XP special) and begin cracking. To do this, launch Ophcrack and select Load->Encrypted SAM as shown below.

Now begin to crack away. If you don’t have any success here, then try using Ophcrack’s online submission tool found here. If you still aren’t having success, then you might need to attempt to crack any cached passwords from previously logged on users.

I use Cain to get the hashes, but I use Hashcat to crack them as it is much faster. First, you need to browse to the “Cracker” tab in Cain and then click on MS-Cache Hashes on the left hand side of the interface. Right mouse click in the right hand side of the interface and click “Add to list” as shown below.

You will then need to add the paths to the SYSTEM and SECURITY files so that Cain can pull out the usernames and cached hashes. An example is show below.

I then write down these hash values and the usernames and save them in a file in the format of hash:username, one per line. You can attempt to crack the password in Cain, but it isn’t going to be very fast. I like to use Hashcat with a decent GPU for this task as it is blazing fast in comparison. I did a little research, and one of the best values in terms of performance and cost are the GeForce GTX 750 Ti OC based GPU’s. You can see a chart here that shows these cards as being one of the highest in performance of SHA1 cracking per dollar, and similarly good value in cracking other hashes. I picked one up for $145 and was able to run through every possible combination for a 1 to 7 character password in 16 hours (my quad core i5 with 8GB of RAM estimated it would take 72 days – that’s what it’s like without a GPU).

I suggest first attempting to use a password list like rockyou, as you can run through this list faster than brute forcing. Given I have an NVidia based card, I use cudaHashcat with a command similar to the following example.

  cudaHashcat64.exe -m 1100 -n 32 myhashfile.txt rockyou.txt

The ‘-m 1100’ tells Hashcat that this is a MS-Cache based hash, the ‘-n 32’ tells Hashcat to use 32 threads, then I pass the file with the hashes and usernames, and then the password list. Another option is to use the Hashcat rules for rockyou with something similar to the example below.

  cudaHashcat64.exe -m 1100 -n 32 -r rules\rockyou-30000.rule myhashfile.txt rockyou.txt

If these attempts are unsuccessful and you have a day or two to attempt cracking, then run all combinations of up to a 7 or 8 character password. Here is an example that I use that is for up to a 7 character password with all character sets (upper and lower case alphabet, numbers, and special characters).

  cudaHashcat64.exe -m 1100 -n 32 -a 3 myhashfile.txt ?a?a?a?a?a?a?a

The ‘-a 3’ tells Hashcat to use brute force mode and the ‘?a?a?a?a?a?a?a’ string tells Hashcat to test all character sets up to 7 characters in length. This command took the system with the above listed NVidia card 16 hours and was over 69 trillion combinations.

Another option is to use the directory traversal vulnerability to obtain unattended installation, sysprep, or image capture answer files for servers and workstations. These files are created for unattended installations created by sysprep, often remain on systems long past initial system setup, and frequently store cleartext (or base64 encoded) credentials used to join the system to the domain. These files are often named ‘unattend.xml’, ‘autounattend.xml’, ‘sysprep.xml’, ‘sysprep.inf’, or ‘wdscapture.inf’ and can be found in one of the following locations:

  • C:\
  • C:\sysprep\
  • C:\Windows\Panther\
  • C:\Windows\Panther\Unattend\
  • C:\Windows\System32\
  • C:\Windows\System32\Sysprep\

Assuming you are successful in cracking a password that can be used on the network, the next step is to escalate until you have domain administrator level access. See my previous posts here and here for some techniques on escalating access in a Windows environment.

Note that these types of attacks can be successful against all directory traversal vulnerabilities in all types of software, such as FTP, TFTP, web applications, and other types of systems.

I hope others have success with these techniques. Happy Hunting!

Tagged with:

2 Responses to Directory Traversal to Administrator

  1. premjith says:

    Good post on directory traversal and password cracking, Thanks.

  2. codewatch says:

    Updated to add information on unattended installation files created by sysprep. This was omitted in my hurry to get the rest up on the blog.

Leave a Reply

Your email address will not be published. Required fields are marked *