3 box enum charix

# ssh charix:Charix!2#4%6&8(0

# /home/charix contains:
$ file secret.zip
secret.zip: Zip archive data, at least v2.0 to extract
# extracted using charix password

$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators

$ cat secret
[|Ֆz! 
# definitely encrypted

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/sbin/traceroute6
/usr/sbin/authpf-noip
/usr/sbin/traceroute
/usr/sbin/timedc
/usr/sbin/authpf
/usr/sbin/ppp
/usr/libexec/dma-mbox-create
/usr/libexec/ulog-helper
/usr/bin/lpq
/usr/bin/rlogin
/usr/bin/lprm
/usr/bin/lpr
/usr/bin/crontab
/usr/bin/atrm
/usr/bin/atq
/usr/bin/chpass
/usr/bin/quota
/usr/bin/opieinfo
/usr/bin/login
/usr/bin/batch
/usr/bin/opiepasswd
/usr/bin/lock
/usr/bin/rsh
/usr/local/bin/Xorg
/bin/rcp
/sbin/poweroff
/sbin/mksnap_ffs
/sbin/shutdown
------------------------------

PEAS

╣ PATH
:/home/charix/bin

╣ Superusers
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:

╣ Users with console
charix:*:1001:1001:charix:/home/charix:/bin/csh
root:*:0:0:Charlie &:/root:/bin/csh

╣ Analyzing Http conf Files (limit 70)
-rw-r--r--  1 root  wheel  21199 Jan 24  2018 /usr/local/etc/apache24/httpd.conf

╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
ALL : [::1] : allow
sendmail : localhost : allow
sendmail : ALL : allow
exim : localhost : allow
exim : ALL : allow
rpcbind : ALL : deny
ypserv : localhost : allow
ypserv : ALL : deny
ftpd : localhost : allow
ftpd : ALL : allow
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."
		
╣ Analyzing Postfix Files (limit 70)
drwxr-xr-x  3 root  wheel  512 Jul 21  2017 /usr/ports/mail/postfix

╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf

Last updated