4. Box enumeration (local, as www-data)
www-data@cronos:/var/www/admin$ ls -la
total 32
drwxr-xr-x 2 www-data www-data 4096 Jan 1 2021 .
drwxr-xr-x 5 root root 4096 Apr 9 2017 ..
-rw-r--r-- 1 www-data www-data 1024 Apr 9 2017 .welcome.php.swp
-rw-r--r-- 1 www-data www-data 237 Apr 9 2017 config.php
-rw-r--r-- 1 www-data www-data 2531 Jan 1 2021 index.php
-rw-r--r-- 1 www-data www-data 102 Apr 9 2017 logout.php
-rw-r--r-- 1 www-data www-data 383 Apr 9 2017 session.php
-rw-r--r-- 1 www-data www-data 782 Apr 9 2017 welcome.php
www-data@cronos:/var/www/admin$ cat config.php
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'admin');
define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
define('DB_DATABASE', 'admin');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
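# 3306 = MySQL is running, listening only on 127.0.0.1 (not exposed to the network)
# config.php above is world-readable (-rw-r--r--) and stores the DB password in plaintext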
www-data@cronos:/var/www/admin$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/bin/bash
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash
# /home
www-data@cronos:/home$ ls -la
drwxr-xr-x 4 noulis noulis 4096 Apr 9 2017 noulis
www-data@cronos:/home/noulis$ ls -la
total 44
drwxr-xr-x 4 noulis noulis 4096 Apr 9 2017 .
drwxr-xr-x 3 root root 4096 Mar 22 2017 ..
-rw------- 1 root root 1 Dec 24 2017 .bash_history
-rw-r--r-- 1 noulis noulis 220 Mar 22 2017 .bash_logout
-rw-r--r-- 1 noulis noulis 3771 Mar 22 2017 .bashrc
drwx------ 2 noulis noulis 4096 Mar 22 2017 .cache
drwxr-xr-x 3 root root 4096 Apr 9 2017 .composer
-rw------- 1 root root 259 Apr 9 2017 .mysql_history
-rw-r--r-- 1 noulis noulis 655 Mar 22 2017 .profile
-rw-r--r-- 1 root root 66 Apr 9 2017 .selected_editor
-rw-r--r-- 1 noulis noulis 0 Mar 22 2017 .sudo_as_admin_successful
-r--r--r-- 1 noulis noulis 33 Mar 22 2017 user.txt
linPEAS output (selected excerpts)
╣ Cron jobs
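* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
# Runs as root every minute. config/database.php in the same tree is owned by www-data (see below); confirm who owns artisan itself - code executed by root should not be writable by the web user.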
╣ Active Ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
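-rw-r--r-- 1 www-data www-data 3565 Apr 9 2017 /var/www/laravel/config/database.php
# The lines below are env() fallback defaults from the stock config, not necessarily the values in use.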
'database' => env('DB_DATABASE', database_path('database.sqlite')),
'host' => env('DB_HOST', '127.0.0.1'),
'database' => env('DB_DATABASE', 'forge'),
'password' => env('DB_PASSWORD', ''),
'host' => env('DB_HOST', '127.0.0.1'),
'database' => env('DB_DATABASE', 'forge'),
'password' => env('DB_PASSWORD', ''),
'host' => env('REDIS_HOST', '127.0.0.1'),
'password' => env('REDIS_PASSWORD', null),
'database' => 0,
╣ Interesting Files ╠════════════════════════════════════
╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 40K Mar 29 2016 /usr/bin/chsh (Unknown SUID binary)
╣ SGID
-rwxr-sr-x 1 root utmp 425K Feb 7 2016 /usr/bin/screen
-rwsr-sr-x 1 daemon daemon 51K Jan 15 2016 /usr/bin/at