4 box enum

# we know we couldn't read /inc directory
www-data@bank:/var/www/bank/inc$ ls -la
ls -la
total 24
drwxr-xr-x 2 www-data www-data 4096 Jan 11  2021 .
drwxr-xr-x 6 www-data www-data 4096 Jan 11  2021 ..
-rw-r--r-- 1 www-data www-data 1214 May 28  2017 footer.php
-rw-r--r-- 1 www-data www-data 2896 May 28  2017 header.php
-rw-r--r-- 1 www-data www-data 2343 May 29  2017 ticket.php
-rw-r--r-- 1 www-data www-data 2830 May 28  2017 user.php

# user.php
[truncated]
$mysql = new mysqli("localhost", "root", "!@#S3cur3P4ssw0rd!@#", "htbbank");

www-data@bank:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:chris,,,:/home/chris:/bin/bash

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/var/htb/bin/emergency
/usr/bin/mtr
/usr/sbin/uuidd
------------------------------

PEAS

╣ Writable passwd file? ................ /etc/passwd is writable

Last updated