blog
There is a system-wide cronjob executing a Bash script located in the home directory of the current user, web. PEAS was able to pick that up as well.
web@doctor:/opt/clean$ cat /home/web/blog.sh
#!/bin/bash
secret_key=1234 sqlalchemy_database_uri=sqlite://///home/web/blog/flaskblog/site.db /usr/bin/python3 /home/web/blog/run.py
The cronjob is set to execute the Bash script above on reboot, which runs a Python script to start the web application that I exploited. The file also contains a SQL connection string, as well as a secret key of 1234.
run.py
web@doctor:~/blog$ cat run.py
from flaskblog import create_app
app = create_app()
if __name__ == '__main__':
    app.run(debug=False)
Checking the run.py file confirms that the whole thing is set up to start the web application.
/home/web/blog/flaskblog seems to be the directory for the web application.
flaskblog
web@doctor:~/blog$ cd flaskblog ; ll
total 88K
4,0k drwxr--r-- 10 web web 4,0k mär 9 17:25 .
36k -rw-r--r-- 1 web web 36k mär 9 17:25 site.db
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 users
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 templates
4,0K drwxr--r-- 3 web web 4,0K Sep 23 2020 static
4,0K drwxr--r-- 3 web web 4,0K Sep 22 2020 main
4,0K drwxr--r-- 3 web web 4,0K Sep 22 2020 posts
4,0K drwxr-xr-x 3 web web 4,0K Sep 22 2020 ..
4,0K drwxrwxr-x 2 web web 4,0K Sep 5 2020 __pycache__
4,0K -rwxr--r-- 1 web web 302 Sep 5 2020 config.py
4,0K drwxr--r-- 3 web web 4,0K Jul 27 2020 errors
4,0K -rwxr--r-- 1 web web 904 Jul 26 2020 __init__.py
4,0K drwxr--r-- 3 web web 4,0K Jul 21 2020 tmp
4,0K -rwxr--r-- 1 web web 1,7K Jul 21 2020 models.py
web@doctor:~/blog/flaskblog$ cat config.py
import os
class config:
    SECRET_KEY = os.environ.get('SECRET_KEY')
    WTF_CSRF_CHECK_DEFAULT = False
    SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI')
    MAIL_SERVER = ''
    MAIL_PORT = 587
    MAIL_USE_TLS = True
    MAIL_USERNAME = "doctor"
    MAIL_PASSWORD = "doctor"
Checking the config.py file reveals a credential for mail.
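A defender-side check for the two findings above (the short secret_key passed inline in blog.sh and the literal mail password in config.py), as an added example that is not part of the original notes: it parses the launcher script and the config source and reports risky settings. The function names and the length/variety threshold for a weak secret are assumptions, and the sample inputs are constructed copies of the files shown above.

```python
import ast
import re
import shlex

# Constructed inputs: copies of the blog.sh line and config.py shown above.
WRAPPER = ("#!/bin/bash\n"
           "secret_key=1234 sqlalchemy_database_uri=sqlite://///home/web/blog/flaskblog/site.db "
           "/usr/bin/python3 /home/web/blog/run.py\n")
CONFIG = '''import os
class config:
    SECRET_KEY = os.environ.get('SECRET_KEY')
    WTF_CSRF_CHECK_DEFAULT = False
    MAIL_USERNAME = "doctor"
    MAIL_PASSWORD = "doctor"
'''
SENSITIVE = re.compile(r"secret|password|passwd|token|key", re.I)
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.S)

def audit_wrapper(script):
    """Flag weak secrets passed as VAR=value prefixes in a launcher script."""
    findings = []
    for line in script.splitlines():
        for tok in shlex.split(line, comments=True):
            m = ASSIGN.match(tok)
            if not m:
                break  # first non-assignment token is the command itself
            name, value = m.groups()
            # Assumed heuristic: under 32 chars or under 10 distinct chars is weak.
            if SENSITIVE.search(name) and (len(value) < 32 or len(set(value)) < 10):
                findings.append(f"{name}: weak inline secret ({len(value)} chars)")
    return findings

def audit_config(source):
    """Flag literal credentials and disabled CSRF settings in a Flask config module."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)):
            continue  # values read from os.environ are calls, not literals
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            value = node.value.value
            if SENSITIVE.search(target.id) and isinstance(value, str) and value:
                findings.append(f"{target.id}: hardcoded credential literal")
            if target.id.startswith("WTF_CSRF") and value is False:
                findings.append(f"{target.id}: CSRF setting disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_wrapper(WRAPPER) + audit_config(CONFIG):
        print(finding)
```

SECRET_KEY in config.py is not flagged because it is read from the environment; the weak value only shows up in the launcher script, which is why both files are checked.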