Log
web@doctor:/var/log$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
The current user is part of the adm group.
web@doctor:/var/log$ ll
total 12M
12k -rw-r----- 1 syslog adm 12k mär 9 17:40 auth.log
48k -rw-r----- 1 syslog adm 42k mär 9 17:40 syslog
12k -rw-r----- 1 syslog adm 11k mär 9 16:12 kern.log
12k -rw-r----- 1 syslog adm 9,6k mär 9 14:09 ufw.log
8,0k -rw------- 1 root root 4,9k mär 9 11:51 vmware-vmsvc-root.log
124k -rw-rw-r-- 1 root utmp 120k mär 9 11:51 wtmp
4,0k drwxr-x--- 2 root adm 4,0k mär 9 11:51 unattended-upgrades
4,0k drwxrwxr-x 13 root syslog 4,0k mär 9 11:51 .
2,6m -rw-r----- 1 syslog adm 2,6m mär 9 11:51 kern.log.1
120k -rw-r--r-- 1 root adm 118k mär 9 11:51 dmesg
1,8m -rw-r----- 1 syslog adm 1,8m mär 9 11:51 syslog.1
4,0k drwxr-xr-x 2 root root 4,0k mär 9 11:51 cups
4,0k -rw------- 1 root root 952 mär 9 11:51 boot.log
52k -rw-r----- 1 syslog adm 45k mär 9 11:51 auth.log.1
0 -rw-rw---- 1 root utmp 0 mär 9 11:51 btmp
84k -rw------- 1 root root 82k mär 9 11:51 boot.log.1
4,0k drwxr-x--- 2 root adm 4,0k mär 9 11:51 apache2
12k -rw-r----- 1 syslog adm 11k mär 9 11:51 ufw.log.1
4,0k -rw------- 1 root root 685 mär 9 11:51 vmware-network.log
12k -rw------- 1 root root 8,5k mär 9 11:51 vmware-vmtoolsd-root.log
4,0K -rw------- 1 root root 2,5K Sep 28 2020 vmware-vmsvc-root.1.log
4,0K -rw------- 1 root root 709 Sep 28 2020 vmware-network.1.log
44K -rw-rw-r-- 1 root utmp 287K Sep 28 2020 lastlog
120K -rw-r--r-- 1 root adm 119K Sep 28 2020 dmesg.0
4,0K -rw------- 1 root root 689 Sep 28 2020 vmware-network.2.log
12K -rw-rw---- 1 root utmp 9,8K Sep 28 2020 btmp.1
24K -rw-r--r-- 1 root adm 23K Sep 28 2020 dmesg.1.gz
4,0K -rw------- 1 root root 1,4K Sep 28 2020 vmware-vmsvc-root.2.log
4,0K -rw------- 1 root root 2,1K Sep 28 2020 vmware-vmsvc-root.3.log
24K -rw-r--r-- 1 root adm 22K Sep 28 2020 dmesg.2.gz
24K -rw-r--r-- 1 root adm 23K Sep 28 2020 dmesg.3.gz
24K -rw-r--r-- 1 root adm 23K Sep 28 2020 dmesg.4.gz
4,0K -rw------- 1 root root 689 Sep 28 2020 vmware-network.3.log
160K -rw-r----- 1 syslog adm 160K Sep 28 2020 syslog.2.gz
48K -rw------- 1 root root 45K Sep 28 2020 boot.log.2
4,0K -rw------- 1 root root 709 Sep 23 2020 vmware-network.4.log
132K -rw-r----- 1 syslog adm 130K Sep 23 2020 syslog.3.gz
36K -rw------- 1 root root 36K Sep 23 2020 boot.log.3
4,0K -rw------- 1 root root 689 Sep 23 2020 vmware-network.5.log
4,0K -rw------- 1 root root 709 Sep 22 2020 vmware-network.6.log
4,0K -rw------- 1 root root 689 Sep 22 2020 vmware-network.7.log
4,0K -rw------- 1 root root 709 Sep 22 2020 vmware-network.8.log
20K -rw------- 1 root root 19K Sep 22 2020 boot.log.4
2,7M -rw-r----- 1 syslog adm 2,7M Sep 22 2020 syslog.4.gz
4,0K -rw------- 1 root root 689 Sep 22 2020 vmware-network.9.log
28K -rw-r----- 1 syslog adm 28K Sep 22 2020 auth.log.2.gz
2,7M -rw-r----- 1 syslog adm 2,7M Sep 22 2020 kern.log.2.gz
4,0K -rw-r----- 1 syslog adm 1,5K Sep 22 2020 ufw.log.2.gz
12K -rw-r----- 1 syslog adm 8,4K Sep 19 2020 syslog.5.gz
12K -rw------- 1 root root 9,1K Sep 18 2020 boot.log.5
40K -rw-r----- 1 syslog adm 40K Sep 18 2020 syslog.6.gz
12K -rw------- 1 root root 9,0K Sep 17 2020 boot.log.6
44K -rw-r----- 1 syslog adm 41K Sep 17 2020 syslog.7.gz
12K -rw------- 1 root root 8,6K Sep 16 2020 boot.log.7
12K -rw-r----- 1 syslog adm 8,9K Sep 14 2020 auth.log.3.gz
244K -rw-r----- 1 syslog adm 241K Sep 14 2020 kern.log.3.gz
4,0K -rw-r----- 1 syslog adm 1,1K Sep 14 2020 ufw.log.3.gz
0 -rw-r--r-- 1 root root 0 Sep 7 2020 dpkg.log
4,0K drwxr-xr-x 2 root root 4,0K Sep 7 2020 apt
4,0K -rw-r--r-- 1 root root 2,7K Sep 6 2020 dpkg.log.1
24K -rw-r--r-- 1 root root 23K Sep 6 2020 Xorg.0.log
24K -rw-r--r-- 1 root root 23K Sep 6 2020 Xorg.0.log.old
12K -rw-r----- 1 syslog adm 9,4K Sep 6 2020 auth.log.4.gz
68K -rw-r----- 1 syslog adm 66K Sep 6 2020 kern.log.4.gz
0 -rw-r--r-- 1 root root 0 Aug 18 2020 alternatives.log
8,0K -rw-r--r-- 1 root root 5,7K Aug 13 2020 dpkg.log.2.gz
4,0K -rw-r--r-- 1 root root 475 Aug 13 2020 alternatives.log.1
4,0K -rw-r--r-- 1 root root 1,2K Aug 13 2020 gpu-manager.log
4,0K drwxrwxr-x 2 root root 4,0K Jul 26 2020 installer
4,0K drwxr-xr-x 16 root root 4,0K Jul 21 2020 ..
12K -rw-r--r-- 1 root root 11K Jul 20 2020 fontconfig.log
4,0K drwxr-sr-x+ 3 root systemd-journal 4,0K Jul 20 2020 journal
4,0K drwxr-xr-x 3 root root 4,0K Apr 23 2020 hp
4,0K drwx------ 2 root root 4,0K Apr 23 2020 private
4,0K drwxr-xr-x 2 root root 4,0K Apr 8 2020 dist-upgrade
4,0K drwx------ 2 speech-dispatcher root 4,0K Jan 19 2020 speech-dispatcher
4,0K drwxr-xr-x 2 root root 4,0K Sep 5 2019 openvpn
By default, membership in the adm group grants read access to many sensitive log files.
PEAS also picked this up and suggested 2 Apache log files for review.
While I could go one by one through every readable file, I will use a simpler method:
$ grep -r passw . 2>/dev/null
This recursively searches every readable file under the current directory for the keyword passw, discarding permission errors.
reset_password
web@doctor:/var/log$ grep -r passw . 2>/dev/null
[...REDACTED...]
./apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
[...REDACTED...]
The Apache backup log records a POST request to /reset_password?email=Guitar123 made by someone.
It looks like a password reset request, and the email parameter is set to Guitar123.
It is strange that someone would put a potential password into the email address parameter, but it is worth testing Guitar123 for password reuse.
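The grep above finds one string at a time; the same class of leak (a secret typed into a URL parameter and landing in an access log) can be audited systematically. The following is an added example, not part of the original write-up: it parses Apache access-log lines, flags query parameters on credential-handling paths or with secret-looking names, and masks the value when reporting. The sample log lines, IPs and values are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample Apache access-log lines (not real traffic), modelled on the
# /reset_password entry found above; the IPs, users and values are made up.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:30 +0200] "GET /reset_password HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.7 - - [05/Sep/2020:11:20:01 +0200] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.10.14.9 - - [05/Sep/2020:11:21:15 +0200] "GET /static/app.js?v=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache common/combined log prefix; the request field may or may not carry
# the protocol version, as in the backup log above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# Parameter names that usually hold a secret, and paths that handle credentials.
SENSITIVE_PARAM = re.compile(r"pass|pwd|secret|token|otp|key", re.I)
CREDENTIAL_PATH = re.compile(r"login|signin|reset_password|password|auth", re.I)


def find_leaked_credentials(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per query parameter that probably leaked a secret."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SENSITIVE_PARAM.search(name):
                reason = "sensitive parameter name in query string"
            elif CREDENTIAL_PATH.search(url.path):
                # Any parameter on a credential endpoint is logged, whatever its name.
                reason = "query parameter on credential-handling path"
            else:
                continue
            findings.append({
                "ip": m["ip"], "timestamp": m["ts"], "path": url.path,
                "param": name, "value": value, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        # Mask the value when reporting so the finding itself does not leak it.
        print(f"{f['timestamp']} {f['ip']} {f['path']} {f['param']}=*** ({f['reason']})")
```

Running it against a real /var/log/apache2 directory means reading each file as adm and passing its contents to find_leaked_credentials; the masked report is what you would hand to the application owner.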