3 box enum charix
# ssh charix:Charix!2#4%6&8(0
# /home/charix contains:
$ file secret.zip
secret.zip: Zip archive data, at least v2.0 to extract
# extracted using charix's password (the same one as the SSH login above, i.e. the password is reused)
$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators
$ cat secret
[|Ֆz!
# unreadable bytes in no recognised format: almost certainly encrypted, though `file` output alone cannot confirm that
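SuidEnum
# note: most entries below look like stock FreeBSD base-system setuid binaries, not custom ones; /usr/local/bin/Xorg is the only one outside the base paths (/usr/local is where ports/packages install)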
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/sbin/traceroute6
/usr/sbin/authpf-noip
/usr/sbin/traceroute
/usr/sbin/timedc
/usr/sbin/authpf
/usr/sbin/ppp
/usr/libexec/dma-mbox-create
/usr/libexec/ulog-helper
/usr/bin/lpq
/usr/bin/rlogin
/usr/bin/lprm
/usr/bin/lpr
/usr/bin/crontab
/usr/bin/atrm
/usr/bin/atq
/usr/bin/chpass
/usr/bin/quota
/usr/bin/opieinfo
/usr/bin/login
/usr/bin/batch
/usr/bin/opiepasswd
/usr/bin/lock
/usr/bin/rsh
/usr/local/bin/Xorg
/bin/rcp
/sbin/poweroff
/sbin/mksnap_ffs
/sbin/shutdown
------------------------------
PEAS
╣ PATH
:/home/charix/bin
╣ Superusers
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
╣ Users with console
charix:*:1001:1001:charix:/home/charix:/bin/csh
root:*:0:0:Charlie &:/root:/bin/csh
╣ Analyzing Http conf Files (limit 70)
-rw-r--r-- 1 root wheel 21199 Jan 24 2018 /usr/local/etc/apache24/httpd.conf
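╣ /etc/hosts.allow file found, trying to read the rules:
# note: hosts.allow is evaluated first-match, so the opening `ALL : ALL : allow` accepts every connection and the deny/spawn/twist rules after it are never reached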
/etc/hosts.allow
ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
ALL : [::1] : allow
sendmail : localhost : allow
sendmail : ALL : allow
exim : localhost : allow
exim : ALL : allow
rpcbind : ALL : deny
ypserv : localhost : allow
ypserv : ALL : deny
ftpd : localhost : allow
ftpd : ALL : allow
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
╣ Analyzing Postfix Files (limit 70)
drwxr-xr-x 3 root wheel 512 Jul 21 2017 /usr/ports/mail/postfix
╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf