Changing the user to james
su james
Toyota
Loot
Location: /home/james/flag.txt
- It’s easier this way: DANTE{j4m3s_NEEd5_a_p455w0rd_M4n4ger!}
Checking the History
history
james@DANTE-WEB-NIX01:~$ history
history
1 cd /home/balthazar
2 rm .mysql_history
3 mysql -u balthazar -p TheJoker12345!
4 cat flag.txt
5 sudo -l
6 ls -al
7 cd .ssh
8 ls
9 ls -al
10 cd ..
11 ls
12 ls -al
13 history
SSH Login with Balthazar
ssh balthazar@10.10.110.100
TheJoker12345!
PSPy
2023/06/11 02:02:01 CMD: UID=0 PID=13024 | /bin/sh -c rm -rf /var/www/html/wordpress/wp-content/themes; cp -R /root/wordpress_backup/themes /var/www/html/wordpress/wp-content/; /bin/bash /root/wordpress_backup/perms.sh
2023/06/11 02:02:01 CMD: UID=0 PID=13025 | rm -rf /var/www/html/wordpress/wp-content/themes
2023/06/11 02:02:01 CMD: UID=0 PID=13026 | cp -R /root/wordpress_backup/themes /var/www/html/wordpress/wp-content/
2023/06/11 02:02:01 CMD: UID=0 PID=13027 |
2023/06/11 02:02:01 CMD: UID=0 PID=13028 | /bin/bash /root/wordpress_backup/perms.sh
2023/06/11 02:02:01 CMD: UID=0 PID=13029 | /bin/bash /root/wordpress_backup/perms.sh
2023/06/11 02:04:01 CMD: UID=0 PID=13030 | /usr/sbin/CRON -f
2023/06/11 02:04:01 CMD: UID=0 PID=13032 | rm -rf /var/www/html/wordpress/wp-content/themes
2023/06/11 02:04:01 CMD: UID=0 PID=13031 | /bin/sh -c rm -rf /var/www/html/wordpress/wp-content/themes; cp -R /root/wordpress_backup/themes /var/www/html/wordpress/wp-content/; /bin/bash /root/wordpress_backup/perms.sh
2023/06/11 02:04:01 CMD: UID=0 PID=13033 |
2023/06/11 02:04:01 CMD: UID=0 PID=13034 | /bin/sh -c rm -rf /var/www/html/wordpress/wp-content/themes; cp -R /root/wordpress_backup/themes /var/www/html/wordpress/wp-content/; /bin/bash /root/wordpress_backup/perms.sh
2023/06/11 02:04:01 CMD: UID=0 PID=13035 | chmod 777 -R /var/www/html/wordpress/wp-content/themes/
LSE
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/vmware-user-suid-wrapper
/usr/bin/find
---
[*] fst090 SSH files in home directories................................... yes!
---
-rw-r--r-- 1 root root 574 Jul 23 2020 /root/.ssh/id_rsa.pub
-rw------- 1 root root 2610 Jul 23 2020 /root/.ssh/id_rsa
-rw-r--r-- 1 root root 553 Aug 21 2022 /root/.ssh/authorized_keys
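The PSPy capture above shows a root cron job that ends in a recursive chmod 777. As an added example (not part of the original notes), this Python script parses pspy-format lines and reports UID=0 chmod calls that grant write access to "other", a check a defender can run over process-monitoring output. The sample lines, paths and function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the pspy line format (not the capture from these notes).
SAMPLE = """\
2023/06/11 02:04:01 CMD: UID=0 PID=101 | /usr/sbin/CRON -f
2023/06/11 02:04:01 CMD: UID=0 PID=102 | /bin/sh -c rm -rf /srv/site/themes; cp -R /root/backup/themes /srv/site/
2023/06/11 02:04:01 CMD: UID=0 PID=103 |
2023/06/11 02:04:01 CMD: UID=0 PID=104 | chmod 777 -R /srv/site/themes
2023/06/11 02:04:02 CMD: UID=33 PID=105 | chmod 777 /tmp/x
2023/06/11 02:04:03 CMD: UID=0 PID=106 | chmod -R 0644 /srv/site/themes
2023/06/11 02:04:04 CMD: UID=0 PID=107 | chmod -R o+w /srv/site/uploads
"""

# timestamp, UID, PID, then the command line (which may be empty)
LINE = re.compile(r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s*\|\s*(?P<cmd>.*)$")

def world_writable(mode):
    """True if a chmod mode argument (octal or symbolic) grants write to 'other'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode[-1]) & 2)
    return bool(re.search(r"(^|,)[ugoa]*[oa][ugoa]*[+=][rwxXst]*w", mode))

def root_world_writable_chmods(text):
    """Return (timestamp, pid, target paths) for UID=0 chmod calls granting o+w."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["uid"] != "0" or not m["cmd"]:
            continue
        try:
            argv = shlex.split(m["cmd"])
        except ValueError:  # unbalanced quotes in a truncated command line
            argv = m["cmd"].split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "chmod":
            continue
        # Drop option flags such as -R or --verbose; first remaining token is the mode.
        args = [a for a in argv[1:] if not re.fullmatch(r"-[Rcfv]+|--.*", a)]
        if len(args) >= 2 and world_writable(args[0]):
            findings.append((m["ts"], int(m["pid"]), args[1:]))
    return findings

if __name__ == "__main__":
    for ts, pid, paths in root_world_writable_chmods(SAMPLE):
        print(f"{ts} pid={pid} root chmod grants world write on {paths}")
```

Only chmod processes that appear as their own line are matched; a chmod buried inside a `/bin/sh -c` string is picked up through the child process line that pspy logs for it.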