4 box enum web
SuidEnum
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/sbin/exim-4.90-6
------------------------------
PEAS
User & Groups: uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
╣ Cleaned processes
root 1137 1.4 2.1 263612 87516 ? Sl 05:59 1:37 splunkd -p 8089 start
╣ Cron jobs
@reboot /home/web/blog.sh
╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╣ Users with console
root:x:0:0:root:/root:/bin/bash
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash
web:x:1001:1001:,,,:/home/web:/bin/bash
╣ Capabilities
/usr/bin/python3.8 = cap_sys_ptrace+ep
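# Tried the cap_sys_ptrace route above repeatedly: the bind shell does not work, the port never opens.
# Fixed the py2-to-py3 errors in the code and everything else - not the way forward.
# (Still a hardening finding: a general-purpose interpreter should not carry cap_sys_ptrace.)
# Splunk passwd file; can't read it as web.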
/opt/splunkforwarder/etc/passwd
-> Extracting tables from /home/web/blog/flaskblog/site.db (limit 20)
--> Found interesting column names in user (output limit 10)
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(20) NOT NULL,
email VARCHAR(120) NOT NULL,
image_file VARCHAR(20) NOT NULL,
password VARCHAR(60) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username),
UNIQUE (email)
)
1, admin, admin@doctor.htb, default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S
-> Extracting tables from /opt/clean/site.db (limit 20)
--> Found interesting column names in user (output limit 10)
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(20) NOT NULL,
email VARCHAR(120) NOT NULL,
image_file VARCHAR(20) NOT NULL,
password VARCHAR(60) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username),
UNIQUE (email)
)
1, admin, admin@doctor.htb, default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S
╣ Finding passwords inside logs (limit 70)
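10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
# The email parameter does not hold an email address - it looks like a password typed into the wrong field of the reset form.
# Presumably readable here because web is in group adm (see the uid/groups line above). Anything sent in a query string lands in the access log, so log read access should be treated as access to whatever users mistype into forms.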