4 box enum

www-data@cronos:/var/www/admin$ ls -la
total 32
drwxr-xr-x 2 www-data www-data 4096 Jan  1  2021 .
drwxr-xr-x 5 root     root     4096 Apr  9  2017 ..
-rw-r--r-- 1 www-data www-data 1024 Apr  9  2017 .welcome.php.swp
-rw-r--r-- 1 www-data www-data  237 Apr  9  2017 config.php
-rw-r--r-- 1 www-data www-data 2531 Jan  1  2021 index.php
-rw-r--r-- 1 www-data www-data  102 Apr  9  2017 logout.php
-rw-r--r-- 1 www-data www-data  383 Apr  9  2017 session.php
-rw-r--r-- 1 www-data www-data  782 Apr  9  2017 welcome.php

www-data@cronos:/var/www/admin$ cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>

www-data@cronos:/var/www/admin$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)

# 3306 = mysql server is running

www-data@cronos:/var/www/admin$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/bin/bash
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash

# /home
www-data@cronos:/home$ ls -la
drwxr-xr-x  4 noulis noulis 4096 Apr  9  2017 noulis

www-data@cronos:/home/noulis$ ls -la
total 44
drwxr-xr-x 4 noulis noulis 4096 Apr  9  2017 .
drwxr-xr-x 3 root   root   4096 Mar 22  2017 ..
-rw------- 1 root   root      1 Dec 24  2017 .bash_history
-rw-r--r-- 1 noulis noulis  220 Mar 22  2017 .bash_logout
-rw-r--r-- 1 noulis noulis 3771 Mar 22  2017 .bashrc
drwx------ 2 noulis noulis 4096 Mar 22  2017 .cache
drwxr-xr-x 3 root   root   4096 Apr  9  2017 .composer
-rw------- 1 root   root    259 Apr  9  2017 .mysql_history
-rw-r--r-- 1 noulis noulis  655 Mar 22  2017 .profile
-rw-r--r-- 1 root   root     66 Apr  9  2017 .selected_editor
-rw-r--r-- 1 noulis noulis    0 Mar 22  2017 .sudo_as_admin_successful
-r--r--r-- 1 noulis noulis   33 Mar 22  2017 user.txt

PEAS

╣ Cron jobs
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

╣ Active Ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -

-rw-r--r-- 1 www-data www-data 3565 Apr  9  2017 /var/www/laravel/config/database.php
            'database' => env('DB_DATABASE', database_path('database.sqlite')),
            'host' => env('DB_HOST', '127.0.0.1'),
            'database' => env('DB_DATABASE', 'forge'),
            'password' => env('DB_PASSWORD', ''),
            'host' => env('DB_HOST', '127.0.0.1'),
            'database' => env('DB_DATABASE', 'forge'),
            'password' => env('DB_PASSWORD', ''),
            'host' => env('REDIS_HOST', '127.0.0.1'),
            'password' => env('REDIS_PASSWORD', null),
            'database' => 0,
			
╣ Interesting Files ╠════════════════════════════════════
╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 40K Mar 29  2016 /usr/bin/chsh (Unknown SUID binary)

╣ SGID
-rwxr-sr-x 1 root utmp 425K Feb  7  2016 /usr/bin/screen
-rwsr-sr-x 1 daemon daemon 51K Jan 15  2016 /usr/bin/at

Previous5 privesc cronjob Next3 :53 dns

Last updated 4 years ago