4 box enum mark
# ssh mark:5AYRft73VtFpc84k
mark@node:/home$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash
mark@node:/home$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Aug 31 2017 .
drwxr-xr-x 25 root root 4096 Sep 2 2017 ..
drwxr-xr-x 2 root root 4096 Aug 31 2017 frank
drwxr-xr-x 3 root root 4096 Sep 3 2017 mark
drwxr-xr-x 6 root root 4096 Sep 3 2017 tom
# no user: frank
mark@node:/var/www/myplace$ cat package.json
{
"name": "myplace",
"description": "A secure place to meet new people.",
"version": "1.0.0",
"private": true,
"dependencies": {
"express": "4.15.x",
"express-session": "1.15.x",
"body-parser": "1.17.x",
"mongodb": "2.2.x"
}
}
$ mongosh --host localhost -u mark -p 5AYRft73VtFpc84k myplace
Current Mongosh Log ID: 614a22df5b8cc6d49ba3bea3
Connecting to: mongodb://localhost:27017/myplace?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB: 3.2.16
Using Mongosh: 1.0.6
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
myplace> show dbs
MongoServerError: not authorized on admin to execute command { listDatabases: 1 }
myplace> show collections
users
myplace> db.users.find({})
[
{
_id: ObjectId("59a7365b98aa325cc03ee51c"),
username: 'myP14ceAdm1nAcc0uNT',
password: 'dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af',
is_admin: true
},
{
_id: ObjectId("59a7368398aa325cc03ee51d"),
username: 'tom',
password: 'f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240',
is_admin: false
},
{
_id: ObjectId("59a7368e98aa325cc03ee51e"),
username: 'mark',
password: 'de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73',
is_admin: false
},
{
_id: ObjectId("59aa9781cced6f1d1490fce9"),
username: 'rastating',
password: '5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0',
is_admin: false
}
]
SiudEnum
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/local/bin/backup
------------------------------
mark@node:/tmp$ file /usr/local/bin/backup
/usr/local/bin/backup: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
# no missing .so files
mark@node:/tmp$ ldd /usr/local/bin/backup
linux-gate.so.1 => (0xf76f4000)
libc.so.6 => /lib32/libc.so.6 (0xf7535000)
/lib/ld-linux.so.2 (0xf76f5000)
mark@node:/tmp$ ls -la /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
# we cannot run it
PEAS
OS: Linux version 4.4.0-93-generic
Description: Ubuntu 16.04.3 LTS
# running process
mongodb 1223 0.3 10.1 282984 76676 ? Ssl 18:20 0:08 /usr/bin/mongod --auth --quiet --config /etc/mongod.conf
╣ Active Ports
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
╣ Users with console
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash
root:x:0:0:root:/root:/bin/bash
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
Last updated