# 6 box enum www-data ``` www-data@monitors:/usr/share/cacti$ mysql -u wpadmin -p Enter password: BestAdministrator@2020! mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | wordpress | +--------------------+ 2 rows in set (0.00 sec) mysql> select user_login,user_pass, user_email from wp_users; +------------+------------------------------------+-------------------+ | user_login | user_pass | user_email | +------------+------------------------------------+-------------------+ | admin | $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 | admin@monitor.htb | +------------+------------------------------------+-------------------+ # we know admin pass; no need to crack # checking the folder name, I tried so much, www-data@monitors:/usr/share/cacti$ cd /var/www www-data@monitors:/var/www$ ls -la total 12 drwxr-xr-x 3 root root 4096 Nov 10 2020 . drwxr-xr-x 15 root root 4096 Nov 10 2020 .. drwxr-xr-x 5 www-data www-data 4096 Apr 21 20:19 wordpress www-data@monitors:/var/www/wordpress$ cat /etc/passwd | grep sh root:x:0:0:root:/root:/bin/bash sshd:x:110:65534::/run/sshd:/usr/sbin/nologin marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash ``` had issues transferring files, no wget, curl used `__curl bash function` ### PEAS ``` # processes root 1343 0.0 1.1 978804 48124 ? Ssl 19:07 0:00 /usr/bin/containerd root 2113 0.0 0.1 110228 5660 ? Sl 19:07 0:00 _ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d76094c5f30c08c24b23d78c5895d61ea5262ce4095f76efa04031a2502c3be5 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc root 2138 0.1 2.0 3410072 83344 ? Ssl 19:07 0:05 _ /usr/local/openjdk-8/bin/java -Dorg.gradle.appname=gradlew -classpath /usr/src/apache-ofbiz-17.12.01/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --offline ofbiz root 1660 0.0 2.0 1344420 82372 ? Ssl 19:07 0:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock ╣ Interfaces br-968a1c1855aa: flags=4099 mtu 1500 inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255 ether 02:42:c5:ff:fb:68 txqueuelen 0 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 docker0: flags=4163 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255 inet6 fe80::42:c1ff:fe0b:d224 prefixlen 64 scopeid 0x20 ether 02:42:c1:0b:d2:24 txqueuelen 0 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5 bytes 446 (446.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 veth67dfbca: flags=4163 mtu 1500 inet6 fe80::b401:24ff:fe71:571a prefixlen 64 scopeid 0x20 ether b6:01:24:71:57:1a txqueuelen 0 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 21 bytes 1662 (1.6 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ╣ Active Ports tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN - ╣ Users with console marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash root:x:0:0:root:/root:/bin/bash ╣ PHP exec extensions /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/cacti-admin.monitors.htb.conf /etc/apache2/sites-enabled/monitors.htb.conf ╣ Analyzing Wordpress Files (limit 70) -rwxr-xr-x 1 www-data www-data 3117 Oct 15 2020 /var/www/wordpress/wp-config.php define( 'DB_NAME', 'wordpress' ); define( 'DB_USER', 'wpadmin' ); define( 'DB_PASSWORD', 'BestAdministrator@2020!' ); define( 'DB_HOST', 'localhost' ); -rw-r--r-- 1 998 998 361 Nov 11 2020 /srv/gitlab/data/.gitconfig ╣ Checking if containerd(ctr) is available ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied" ╣ Checking if runc is available ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation runc was found in /usr/bin/runc, you may be able to escalate privileges with it -rw-r--r-- 1 root root 5140 Nov 10 2020 /usr/share/cacti/cacti/include/config.php -rw-r--r-- 1 www-data www-data 5144 May 3 2020 /usr/share/cacti/cacti/include/config.php.dist $database_type = 'mysql'; $database_default = 'cacti'; $database_username = 'cactiuser'; $database_password = 'cactiuser'; $database_port = '3306'; $database_type = 'mysql'; $database_default = 'cacti'; $database_username = 'cacti'; $database_password = 'cactipass'; $database_port = '3306'; ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/hackthebox-writeups/htb-boxes/monitors/6-box-enum-www-data.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.