Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the root user after compromising the target system.
Crontab
root@lantern:~# crontab -l | grep -v '^#'
*/10 * * * * /root/cleanup.sh
*/10 * * * * /usr/bin/rm /root/automation*; /usr/bin/rm /root/.automation*; /usr/bin/systemctl restart bot.service/root/cleanup.sh
root@lantern:~# cat /root/cleanup.sh
#!/bin/bash
# Directory to clean up in /opt/components
DIR_COMPONENTS="/opt/components"
# Files to exclude in /opt/components
EXCLUDE_FILES_COMPONENTS=("FileTree.dll" "FileUpload.dll" "HealthCheck.dll" "Logs.dll" "Resumes.dll")
# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_COMPONENTS=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_COMPONENTS[@]}")
EXCLUDE_PATTERN_COMPONENTS=${EXCLUDE_PATTERN_COMPONENTS:1} # Remove leading '|'
# Find and delete files not in the exclude list in /opt/components
/usr/bin/find "$DIR_COMPONENTS" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_COMPONENTS" | while read -r file; do
/bin/rm -f "$file"
done
# Directory to clean up in /var/www/sites/lantern.htb/static/images
DIR_IMAGES="/var/www/sites/lantern.htb/static/images"
# Files to exclude in /var/www/sites/lantern.htb/static/images
EXCLUDE_FILES_IMAGES=("about-1.jpg" "about-2.jpg" "about.jpg" "avatar-1.jpg" "avatar-2.jpg" "avatar.jpg" "bg-bot.jpg" "bg-top.jpg" "blog-1.jpg" "blog-2.jpg" "blog-3.jpg")
# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_IMAGES=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_IMAGES[@]}")
EXCLUDE_PATTERN_IMAGES=${EXCLUDE_PATTERN_IMAGES:1} # Remove leading '|'
# Find and delete files not in the exclude list in /var/www/sites/lantern.htb/static/images
/usr/bin/find "$DIR_IMAGES" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_IMAGES" | while read -r file; do
/bin/rm -f "$file"
done
/usr/sbin/service blazor-server restartServices
root@lantern:~# systemctl list-units | grep -i running
root@lantern:~# systemctl list-units | grep -i running | awk '{print $1}'
proc-sys-fs-binfmt_misc.automount
init.scope
session-190.scope
auditd.service
blazor-server.service
bot.service
cron.service
dbus.service
flask.service
getty@tty1.service
internalantern.service
irqbalance.service
ModemManager.service
multipathd.service
networkd-dispatcher.service
open-vm-tools.service
polkit.service
rsyslog.service
skipper.service
snapd.service
ssh.service
systemd-journald.service
systemd-logind.service
systemd-networkd.service
systemd-resolved.service
systemd-timesyncd.service
systemd-udevd.service
udisks2.service
upower.service
user@1000.service
vgauth.service
dbus.socket
multipathd.socket
snapd.socket
syslog.socket
systemd-journald-audit.socket
systemd-journald-dev-log.socket
systemd-journald.socket
systemd-networkd.socket
systemd-udevd-control.socket
systemd-udevd-kernel.socketblazor-server.service
root@lantern:~# systemctl status blazor-server.service
● blazor-server.service - Run blazor server as tomas
Loaded: loaded (/etc/systemd/system/blazor-server.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-08-21 12:30:01 UTC; 9min ago
Main PID: 10946 (dotnet)
Tasks: 34 (limit: 4513)
Memory: 148.2M
CPU: 5.258s
CGroup: /system.slice/blazor-server.service
├─10946 dotnet run
└─10966 /home/tomas/LanternAdmin/bin/Debug/net6.0/LanternAdmin
Aug 21 12:30:01 lantern dotnet[10946]: Building...
Aug 21 12:30:04 lantern dotnet[10966]: info: Microsoft.Hosting.Lifetime[14]
Aug 21 12:30:04 lantern dotnet[10966]: Now listening on: http://[::]:3000
Aug 21 12:30:04 lantern dotnet[10966]: info: Microsoft.Hosting.Lifetime[0]
Aug 21 12:30:04 lantern dotnet[10966]: Application started. Press Ctrl+C to shut down.
Aug 21 12:30:04 lantern dotnet[10966]: info: Microsoft.Hosting.Lifetime[0]
Aug 21 12:30:04 lantern dotnet[10966]: Hosting environment: Development
Aug 21 12:30:04 lantern dotnet[10966]: info: Microsoft.Hosting.Lifetime[0]
Aug 21 12:30:04 lantern dotnet[10966]: Content root path: /home/tomas/LanternAdmin/bot.service
root@lantern:~# systemctl status bot.service
● bot.service - Run bot as root
Loaded: loaded (/etc/systemd/system/bot.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-08-21 12:30:01 UTC; 9min ago
Main PID: 10926 (bot.exp)
Tasks: 3 (limit: 4513)
Memory: 2.1M
CPU: 220ms
CGroup: /system.slice/bot.service
├─10926 /usr/bin/expect -f /root/bot.exp
└─10930 nano /root/automation.sh/root/bot.exp
root@lantern:~# cat /root/bot.exp
#!/usr/bin/expect -f
spawn nano /root/automation.sh
set text "echo Q3Eddtdw3pMB | sudo ./backup.sh"
while {1} {
foreach char [split $text ""] {
send "$char"
sleep 1
}
send "\r"
sleep 0.5
for {set i 0} {$i < [string length $text]} {incr i} {
send "\b \b" ;
}
send "\r"
}/root/automation.sh
root@lantern:~# ll | grep -i automation
-rw------- 1 root root 49 Aug 21 12:40 automation.sh.save
-rw-r--r-- 1 root root 1024 Aug 21 12:40 .automation.sh.swpautomation.sh.save
root@lantern:~# cat automation.sh.save
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
echo Q3Eddtdw3pM.automation.sh.swp
root@lantern:~# cat .automation.sh.swp
b0nano 6.2<+rootlantern/root/automation.shflask.service
root@lantern:~# systemctl status flask.service
● flask.service - Flask application as www-data
Loaded: loaded (/etc/systemd/system/flask.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-08-20 22:08:39 UTC; 14h ago
Main PID: 755 (python3)
Tasks: 1 (limit: 4513)
Memory: 23.7M
CPU: 10.823s
CGroup: /system.slice/flask.service
└─755 python3 /var/www/sites/lantern.htb/app.py
Notice: journal has been rotated since unit was started, output may be incomplete./var/www/sites/lantern.htb/app.py
root@lantern:~# cat /var/www/sites/lantern.htb/app.py
from flask import Flask, render_template, send_file, request, redirect, json
from werkzeug.utils import secure_filename
import os
app=Flask("__name__")
@app.route('/')
def index():
if request.headers['Host'] != "lantern.htb":
return redirect("http://lantern.htb/", code=302)
return render_template("index.html")
@app.route('/vacancies')
def vacancies():
return render_template('vacancies.html')
@app.route('/submit', methods=['POST'])
def save_vacancy():
name = request.form.get('name')
email = request.form.get('email')
vacancy = request.form.get('vacancy', default='Middle Frontend Developer')
if 'resume' in request.files:
try:
file = request.files['resume']
resume_name = file.filename
if resume_name.endswith('.pdf') or resume_name == '':
filename = secure_filename(f"resume-{name}-{vacancy}-latern.pdf")
upload_folder = os.path.join(os.getcwd(), 'uploads')
destination = '/'.join([upload_folder, filename])
file.save(destination)
else:
return "Only PDF files allowed!"
except:
return "Something went wrong!"
return "Thank you! We will conact you very soon!"
@app.route('/PrivacyAndPolicy')
def sendPolicyAgreement():
lang = request.args.get('lang')
file_ext = request.args.get('ext')
try:
return send_file(f'/var/www/sites/localisation/{lang}.{file_ext}')
except:
return send_file(f'/var/www/sites/localisation/default/policy.pdf', 'application/pdf')
if __name__ == '__main__':
app.run(host='127.0.0.1', port=8000)internalantern.service
root@lantern:~# systemctl status internalantern.service
● internalantern.service - WASM application as www-data
Loaded: loaded (/etc/systemd/system/internalantern.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-08-20 22:08:39 UTC; 14h ago
Main PID: 757 (dotnet)
Tasks: 32 (limit: 4513)
Memory: 350.8M
CPU: 21.674s
CGroup: /system.slice/internalantern.service
├─ 757 dotnet run
└─1196 dotnet /var/www/sites/.nuget/packages/microsoft.aspnetcore.components.webassembly.devserver/6.0.1/build/../tools/blazor-devserver.dll --a>
Notice: journal has been rotated since unit was started, output may be incomplete.skipper.service
root@lantern:~# systemctl status skipper.service
● skipper.service - Skipper proxy as www-data
Loaded: loaded (/etc/systemd/system/skipper.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-08-20 22:08:39 UTC; 14h ago
Main PID: 763 (skipper)
Tasks: 8 (limit: 4513)
Memory: 23.5M
CPU: 13.119s
CGroup: /system.slice/skipper.service
└─763 skipper -routes-file /var/www/sites/skipper/flask.eskip -address :80 -proxy-preserve-host -access-log /var/www/sites/skipper/logs/access.l>
Notice: journal has been rotated since unit was started, output may be incomplete.