Clean
PSPY was able to detect that the root cronjob process was executing a Python script located at /opt/clean/cleandb.py
web@doctor:/opt/clean$ ll
total 52K
4,0K drwxrwxr-x 2 root root 4,0K Sep 7 2020 .
4,0K drwxr-xr-x 4 root root 4,0K Sep 6 2020 ..
4,0K -rwxr-xr-x 1 root root 211 Sep 6 2020 cleandb.py
36K -rw-r--r-- 1 root root 36K Sep 6 2020 site.db
4,0K -rwxr-xr-x 1 root root 129 Jul 26 2020 clean.py
Heading over to the directory, I see two Python scripts and a DB file.
cleandb.py
web@doctor:/opt/clean$ cat cleandb.py
#!/usr/bin/env python3
import os
os.system('rm /home/web/blog/flaskblog/site.db')
os.system('cp /opt/clean/site.db /home/web/blog/flaskblog/site.db')
os.system('chown web:web /home/web/blog/flaskblog/site.db')
The cleandb.py file uses the os module to execute the following OS commands:
- removal of the DB file at /home/web/blog/flaskblog/site.db
- copying /opt/clean/site.db to /home/web/blog/flaskblog/site.db
- changing the ownership of /home/web/blog/flaskblog/site.db to web:web
flaskblog
web@doctor:/opt/clean$ ll /home/web/blog/flaskblog
total 88K
4,0k drwxr--r-- 10 web web 4,0k mär 9 17:20 .
36k -rw-r--r-- 1 web web 36k mär 9 17:20 site.db
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 users
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 templates
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 static
4,0K drwxr--r-- 3 web web 4,0K Sep 22 2020 main
4,0K drwxr--r-- 3 web web 4,0K Sep 22 2020 posts
4,0K drwxr-xr-x 3 web web 4,0K Sep 22 2020 ..
4,0K drwxrwxr-x 2 web web 4,0K Sep 5 2020 __pycache__
4,0K -rwxr--r-- 1 web web 302 Sep 5 2020 config.py
4,0K drwxr--r-- 3 web web 4,0K Jul 27 2020 errors
4,0K -rwxr--r-- 1 web web 904 Jul 26 2020 __init__.py
4,0K drwxr--r-- 3 web web 4,0K Jul 21 2020 tmp
4,0K -rwxr--r-- 1 web web 1,7K Jul 21 2020 models.py
The /home/web/blog/flaskblog directory is the application directory for the web server that I exploited, so I guess the /opt/clean/site.db file is the original database.
clean.py
web@doctor:/opt/clean$ cat clean.py
#!/usr/bin/env python3
import os
os.system('rm /var/www/html/*')
os.system('cp /opt/clean/index.html /var/www/html/index.html')
The clean.py file also uses the os module to execute the following OS commands:
- removal of everything in the /var/www/html directory
- copying /opt/clean/index.html to /var/www/html/index.html
This Python script seems rather irrelevant for the moment.
site.db
web@doctor:/opt/clean$ cat site.db
��u�MtablepostpostCREATE TABLE post (
id INTEGER NOT NULL,
title VARCHAR(100) NOT NULL,
date_posted DATETIME NOT NULL,
content TEXT NOT NULL,
user_id INTEGER NOT NULL,
PRIMARY KEY (id),
FOREIGN KEY(user_id) REFERENCES user (id)
)�~�_tableuseruserCREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(20) NOT NULL,
email VARCHAR(120) NOT NULL,
image_file VARCHAR(20) NOT NULL,
password VARCHAR(60) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username),
UNIQUE (email)
��;��wdac-#�adminadmin@doctor.htbdefault.gif$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S
����# TestUse
admin
��ddddddd�+�lz#?m doctor blog2020-09-18 20:48:37.55555A free blog to share medical knowledge. Be kind!
While the DB file is not great for reading as it is in binary format, I can see a web credential with a password hash. This was enumerated earlier: PEAS was able to pick it up.
I transferred the DB file and opened it up on Kali for a better reviewing experience.
There is the credential in the user table.
hashcat was unable to crack the password hash.
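Rather than reading the dump from cat, the file can be opened as a database. The following is an added Python example of my own (not from the box or the original write-up); it assumes site.db is a SQLite file (the Flask-SQLAlchemy default, which the CREATE TABLE text above matches), rebuilds the user table from the schema and admin row shown in the dump, and reports the bcrypt variant and cost factor of the stored hash:

```python
import os
import re
import sqlite3
import tempfile

# Schema and admin row copied from the site.db dump above (columns joined onto fewer lines).
USER_SCHEMA = """CREATE TABLE user (
    id INTEGER NOT NULL, username VARCHAR(20) NOT NULL, email VARCHAR(120) NOT NULL,
    image_file VARCHAR(20) NOT NULL, password VARCHAR(60) NOT NULL,
    PRIMARY KEY (id), UNIQUE (username), UNIQUE (email))"""
ADMIN_ROW = (1, "admin", "admin@doctor.htb", "default.gif",
             "$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S")

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_bcrypt(h):
    """Return (variant, cost, rounds) for a bcrypt hash string, else None."""
    m = BCRYPT_RE.match(h)
    if not m:
        return None
    cost = int(m.group(2))
    return m.group(1), cost, 2 ** cost   # bcrypt performs 2**cost key-expansion rounds


def dump_users(db_path):
    """Read the user table from a SQLite file and annotate each password hash."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT id, username, email, password FROM user").fetchall()
    finally:
        con.close()
    return [{"id": uid, "username": name, "email": email,
             "hash": pw, "bcrypt": parse_bcrypt(pw)} for uid, name, email, pw in rows]


def inspect_sample():
    """Rebuild a site.db with the page's schema and admin row in a temp dir, then dump it."""
    path = os.path.join(tempfile.mkdtemp(), "site.db")   # constructed local copy, not the box's file
    con = sqlite3.connect(path)
    with con:   # commits on success
        con.execute(USER_SCHEMA)
        con.execute("INSERT INTO user VALUES (?, ?, ?, ?, ?)", ADMIN_ROW)
    con.close()
    return dump_users(path)


if __name__ == "__main__":
    for u in inspect_sample():
        print(u["username"], u["email"], u["bcrypt"])
```

A cost of 12 means 4096 key-expansion rounds per candidate password, which is why a bcrypt hash like this one cracks far more slowly than an unsalted fast hash.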