4 box enum web

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/sbin/exim-4.90-6
------------------------------

PEAS

User & Groups: uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

╣ Cleaned processes
root        1137  1.4  2.1 263612 87516 ?        Sl   05:59   1:37 splunkd -p 8089 start

╣ Cron jobs
@reboot /home/web/blog.sh

╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -

╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╣ Users with console
root:x:0:0:root:/root:/bin/bash
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash
web:x:1001:1001:,,,:/home/web:/bin/bash

╣ Capabilities
/usr/bin/python3.8 = cap_sys_ptrace+ep
# tried this a lot, bind shell does not work, port doesn't open.
# fixed code py2to3 errors and everything - not the way forward

# splunk passwd file; can't read
/opt/splunkforwarder/etc/passwd

 -> Extracting tables from /home/web/blog/flaskblog/site.db (limit 20)
  --> Found interesting column names in user (output limit 10)
CREATE TABLE user (
        id INTEGER NOT NULL,
        username VARCHAR(20) NOT NULL,
        email VARCHAR(120) NOT NULL,
        image_file VARCHAR(20) NOT NULL,
        password VARCHAR(60) NOT NULL,
        PRIMARY KEY (id),
        UNIQUE (username),
        UNIQUE (email)
)
1, admin, admin@doctor.htb, default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S

 -> Extracting tables from /opt/clean/site.db (limit 20)
  --> Found interesting column names in user (output limit 10)
CREATE TABLE user (
        id INTEGER NOT NULL,
        username VARCHAR(20) NOT NULL,
        email VARCHAR(120) NOT NULL,
        image_file VARCHAR(20) NOT NULL,
        password VARCHAR(60) NOT NULL,
        PRIMARY KEY (id),
        UNIQUE (username),
        UNIQUE (email)
)
1, admin, admin@doctor.htb, default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S

╣ Finding passwords inside logs (limit 70)
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
