4 box enum
bash-4.2$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
guly:x:1000:1000:guly:/home/guly:/bin/bash
# user guly has 2 interesting files: crontab.guly and check_attack.php (both shown below)
bash-4.2$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
bash-4.2$ cat check_attack.php
<?php
# Scans the web upload directory and, for every entry that fails check_ip(),
# prints "attack!", deletes the file through a shell command and mails $to.
#
# getnameCheck() and check_ip() are not defined in this file; presumably they
# come from the lib.php required below (not shown here) - confirm.
#
# NOTE(review): the crontab entry shown with this listing schedules the script
# every three minutes; presumably it runs as user guly - confirm. Every entry
# name read from $path should be treated as untrusted input, since the
# directory is the web application's upload area.
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
# Overwritten on the next line; this initialisation has no effect.
$files = array();
# Keep only entries whose name does not start with a dot
# (drops ".", ".." and hidden files).
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
# $msg is reset here and never assigned again inside the loop, so the log
# write and the mail below both use an empty string.
$msg='';
# The directory's placeholder page is never checked or deleted.
if ($value == 'index.html') {
continue;
}
#echo "-------------\n";
#print "check: $value\n";
list ($name,$ext) = getnameCheck($value);
$check = check_ip($name,$value);
# Only element 0 of check_ip()'s result is tested; a falsy value marks the
# entry as an attack.
if (!($check[0])) {
echo "attack!\n";
# todo: attach file
# Appends $msg (empty at this point) to the log, then removes the log file
# again through the shell, so no record of the event is kept.
file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath");
# NOTE(review): $value is interpolated unquoted into a shell command line.
# File names may contain shell metacharacters, so a crafted name is
# interpreted by the shell with the privileges of the account running this
# script. Delete with unlink($path . $value) instead, or at minimum wrap the
# argument in escapeshellarg().
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
# NOTE(review): $value also reaches mail()'s additional-parameters argument
# ("-F..."), which is handed to the mail program's command line; do not
# build that argument from file names.
mail($to, $msg, $msg, $headers, "-F$value");
}
}
?>
PEAS (linPEAS output, selected excerpts)
╣ Operative system
Linux version 3.10.0-957.21.3.el7.x86_64
# no gcc
╣ Users with console
guly:x:1000:1000:guly:/home/guly:/bin/bash
root:x:0:0:root:/root:/bin/bash
-rw-r--r--. 1 root root 475 Oct 30 2018 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Virtual Network Computing Server (VNC)</short>
<description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
<port protocol="tcp" port="5900-5903"/>
</service>
-rw------- 1 guly guly 639 Jul 9 2019 /home/guly/.viminfo
╣ Mails (limit 50)
71 4 -rw-rw---- 1 guly mail 2941 Jul 2 2019 /var/mail/guly
71 4 -rw-rw---- 1 guly mail 2941 Jul 2 2019 /var/spool/mail/guly