Beyond


This is the Beyond page, where additional enumeration and assessment are conducted as the root user after compromising the target system.

Cron


root@keeper:~# crontab -l 
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/2 * * * * /usr/bin/cp /root/RT30000.zip /home/lnorgaard/
*/2 * * * * /usr/bin/mysql rtdb < /root/SQL/Articles.sql
*/2 * * * * /usr/bin/mysql rtdb < /root/SQL/Users.sql
@reboot sleep 10; /usr/bin/spawn-fcgi -C 15 -u www-data -g www-data -a 127.0.0.1 -p 9000 /usr/share/request-tracker4/libexec/rt-server.fcgi

The root user has a set of cron jobs:

  • every 2 minutes (`*/2` in the minute field; cron cannot schedule at sub-minute intervals):
    • copies the /root/RT30000.zip file to the /home/lnorgaard/ directory
    • executes SQL queries read from the /root/SQL/Articles.sql file
    • executes SQL queries read from the /root/SQL/Users.sql file
  • on reboot:
    • waits 10 seconds, then starts the Request Tracker web application on 127.0.0.1:9000 as www-data using spawn-fcgi

Articles.sql


root@keeper:~/SQL# cat Articles.sql 
-- MariaDB dump 10.19  Distrib 10.6.12-MariaDB, for debian-linux-gnu (x86_64)
--
-- host: localhost    Database: rtdb
-- ------------------------------------------------------
-- Server version	10.6.12-MariaDB-0ubuntu0.22.04.1
 
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 set time_zone='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
 
--
-- Table structure for table `Articles`
--
 
DROP TABLE IF EXISTS `Articles`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `Articles` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `Name` varchar(255) NOT NULL DEFAULT '',
  `Summary` varchar(255) NOT NULL DEFAULT '',
  `SortOrder` int(11) NOT NULL DEFAULT 0,
  `Class` int(11) NOT NULL DEFAULT 0,
  `Parent` int(11) NOT NULL DEFAULT 0,
  `URI` varchar(255) CHARACTER SET ascii COLLATE ascii_general_ci DEFAULT NULL,
  `Disabled` int(2) NOT NULL DEFAULT 0,
  `Creator` int(11) NOT NULL DEFAULT 0,
  `Created` datetime DEFAULT NULL,
  `LastUpdatedBy` int(11) NOT NULL DEFAULT 0,
  `LastUpdated` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */;
 
--
-- Dumping data for table `Articles`
--
 
LOCK TABLES `Articles` WRITE;
/*!40000 ALTER TABLE `Articles` DISABLE KEYS */;
/*!40000 ALTER TABLE `Articles` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
-- dump completed on 2023-07-25 20:06:42

This SQL script is a MariaDB database dump of the Articles table in the rtdb database. It drops the table if it exists and recreates it with column definitions such as id, Name, Summary, etc. and their attributes. The data section contains no INSERT statements, so the table is recreated empty. The dump concludes with statements that restore the saved session settings and a comment giving the completion timestamp.

Users.sql


root@keeper:~/SQL# cat Users.sql 
-- MariaDB dump 10.19  Distrib 10.6.12-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: rtdb
-- ------------------------------------------------------
-- Server version	10.6.12-MariaDB-0ubuntu0.22.04.1
 
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
 
--
-- Table structure for table `Users`
--
 
DROP TABLE IF EXISTS `Users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `Users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `Name` varchar(200) NOT NULL,
  `Password` varchar(256) DEFAULT NULL,
  `AuthToken` varchar(16) CHARACTER SET ascii COLLATE ascii_general_ci DEFAULT NULL,
  `Comments` text DEFAULT NULL,
  `Signature` text DEFAULT NULL,
  `EmailAddress` varchar(120) DEFAULT NULL,
  `FreeformContactInfo` text DEFAULT NULL,
  `Organization` varchar(200) DEFAULT NULL,
  `RealName` varchar(120) DEFAULT NULL,
  `NickName` varchar(16) DEFAULT NULL,
  `Lang` varchar(16) DEFAULT NULL,
  `Gecos` varchar(16) DEFAULT NULL,
  `HomePhone` varchar(30) DEFAULT NULL,
  `WorkPhone` varchar(30) DEFAULT NULL,
  `MobilePhone` varchar(30) DEFAULT NULL,
  `PagerPhone` varchar(30) DEFAULT NULL,
  `Address1` varchar(200) DEFAULT NULL,
  `Address2` varchar(200) DEFAULT NULL,
  `City` varchar(100) DEFAULT NULL,
  `State` varchar(100) DEFAULT NULL,
  `Zip` varchar(16) DEFAULT NULL,
  `Country` varchar(50) DEFAULT NULL,
  `Timezone` varchar(50) DEFAULT NULL,
  `SMIMECertificate` text DEFAULT NULL,
  `Creator` int(11) NOT NULL DEFAULT 0,
  `Created` datetime DEFAULT NULL,
  `LastUpdatedBy` int(11) NOT NULL DEFAULT 0,
  `LastUpdated` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `Users1` (`Name`),
  KEY `Users4` (`EmailAddress`)
) ENGINE=InnoDB AUTO_INCREMENT=30 DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */;
 
--
-- Dumping data for table `Users`
--
 
LOCK TABLES `Users` WRITE;
/*!40000 ALTER TABLE `Users` DISABLE KEYS */;
INSERT INTO `Users` VALUES (1,'RT_System','*NO-PASSWORD*',NULL,'Do not delete or modify this user. It is integral to RT\'s internal database structures',NULL,NULL,NULL,NULL,'The RT System itself',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,'2023-05-23 14:15:42',1,'2023-05-23 14:15:42'),(6,'Nobody','*NO-PASSWORD*',NULL,'Do not delete or modify this user. It is integral to RT\'s internal data structures',NULL,'',NULL,NULL,'Nobody in particular',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,'2023-05-23 14:15:42',1,'2023-05-23 14:15:42'),(14,'root','!bcrypt!12!vkIHy8uQ.Wd6chNuDb5Ycu5fhxTsKS1PXQJeQGbqnQOAIBL7xmqWu','a054dcc60425d611','SuperUser',NULL,'root@localhost',NULL,NULL,'Enoch Root',NULL,NULL,'root',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,'2023-05-23 14:15:43',1,'2023-05-23 15:29:36'),(27,'lnorgaard','!bcrypt!12!n9Qqt2yiA0VXneZeatIRMOVvdwJdB6waOIbrwEuEtn1WwpkMEj9YS','aa1313a3aae48c5e','New user. Initial password set to Welcome2023!',NULL,'lnorgaard@keeper.htb','Helpdesk Agent from Korsbæk','','Lise Nørgaard','Lise','da','lnorgaard','','','','','','','','','','','',NULL,14,'2023-05-24 10:23:41',1,'2023-05-24 10:41:05'),(29,'webmaster@keeper.htb','*NO-PASSWORD*',NULL,'Autocreated when added as a watcher',NULL,'webmaster@keeper.htb',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,'2023-05-24 10:37:17',1,'2023-05-24 10:37:17');
/*!40000 ALTER TABLE `Users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
-- Dump completed on 2023-07-25 20:06:10

This SQL script is a MariaDB database dump containing both the schema and the data for the Users table. It starts with version information and configuration settings, followed by the creation of the Users table structure, including various columns with data types and constraints. The script then inserts five rows into the Users table, including names, password hashes (bcrypt for root and lnorgaard), auth tokens, emails, and more. Note that hashing offers no protection for the lnorgaard account here: the Comments column of that row records the account's initial password in clear text. The dump concludes with additional configuration settings and a comment giving the completion timestamp.

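This is how the system maintains the integrity of those 2 users, lnorgaard and root: each scheduled run of the cron job re-imports the Users.sql dump, which drops and recreates the Users table, so any change made to the accounts in the database (including a password change) is overwritten with the values stored in the dump.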