It’s something every web application penetration tester comes across. You uncover a possible weakness, maybe a local file inclusion, directory traversal, or other vulnerability that could allow for interaction with the file system. What you need to verify the finding is a known file in a known location and, most of the time, testers tend to choose the old stand-by “/etc/passwd”.

But what happens when the web application firewall designer is wise to your penetration tester tricks and blocks on a trigger of “/etc/passwd”? What happens when the verification of this vulnerability is not the end of the finding but the start of your larger attack? Flexibility and a depth of options becomes more important and a larger list of potential local files can be very helpful.

os-file-list (https://github.com/DolosGroup/os-file-list)  is a simple project designed to help penetration testers easily move past “/etc/passwd”, providing a base to cover various configurations and identify gaps in protections. os-file-list is a directory listing of world-readable files from the different Linux distributions available on leading cloud service providers. In addition to the world-readable files, we also provide readable file listings for a basic user with no special permissions as well as the default user created by the cloud service provider (e.g. admin/ec2-user/root). We found the basic user useful for when administrators create a limited user account (a best practice) for handling various tasks and the default user useful when an administrator failed to create a separate user.

The output is a simple one file per line format, easily included in directory enumeration tools such as Burp Intruder, or any custom written script. Additionally, the script used to generate the directory files is included in the project should anyone need to easily generate a custom listing.

Project URL: https://github.com/DolosGroup/os-file-list