login
While inspecting the target system after basic enumeration, I came across 2 familiar scripts:

svc@mentor:~$ ll /usr/local/bin/login*
-rwxr-xr-x 1 svc svc 414 dec 28 11:52 /usr/local/bin/login.py*
-rwxr-xr-x 1 svc svc 103 Jun 12 2022 /usr/local/bin/login.sh*

Those 2 login scripts had already been identified while enumerating the SNMP server, and they were also picked up by PEAS at a later stage.
They are both owned by the current user, svc.
login.sh
svc@mentor:~$ cat /usr/local/bin/login.sh
#!/bin/bash
while [ 1 ]; do /usr/local/bin/login.py 'kj23sadkj123as0-d213' 2>/dev/null; sleep 30;done

The login.sh file loops, invoking the other script with an authentication string passed as an argument.
That authentication string belongs to the james user for the API server application.
login.py
svc@mentor:~$ cat /usr/local/bin/login.py
#!/usr/bin/python3
import requests, time
import sys, os

user = 'james'
passw = sys.argv[1]

json_data = {
    'email': f'{user}@mentorquotes.htb',
    'username': user,
    'password': passw,
}

while true:
    response = requests.post('http://172.22.0.1:8000/auth/login', json=json_data)
    if 'not authorized!' in response:
        os.system(f"echo [{time.asctime()}] FAILED LOGIN! >> /root/logins.log")
    time.sleep(20)

In summary, the script continuously attempts to log in as the james user with the provided password argument. If the login attempt fails (response contains ‘Not authorized!’), it logs the failure to a file and then waits for 20 seconds before attempting another login. The script seems to be designed for monitoring and logging failed login attempts.
However, this does not provide any relevant information with regard to the current scope of the engagement.
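
A hardened variant of the monitor, as an added example that is not the script found on the target: it reads the password from an owner-only file instead of argv (command-line arguments are visible to anything that can list processes), matches on the decoded response body rather than the response object, and appends to the log without a shell. The secret and log paths, the assumption that a successful login returns HTTP 200, and the helper names are assumptions.

```python
#!/usr/bin/python3
# Added example: hardened login monitor (not the script found on the target).
import json, os, stat, time
import urllib.error, urllib.request

LOGIN_URL = "http://172.22.0.1:8000/auth/login"  # endpoint shown on the page
SECRET_FILE = "/etc/login-monitor/secret"         # assumed path
LOG_FILE = "/var/log/login-monitor.log"           # assumed path

def load_secret(path):
    """Read the password from a file; refuse group/world-accessible files."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be accessible by group/other")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def login_failed(status, body):
    """Decide on status and decoded body text (assumption: success is 200)."""
    return status != 200 or "not authorized" in body.lower()

def record_failure(log_path):
    """Append the log line directly; no shell command is built."""
    line = f"[{time.asctime()}] FAILED LOGIN!\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line

def attempt(user, password):
    """POST the credentials; return (status, body) or (None, '') if unreachable."""
    payload = json.dumps({"email": f"{user}@mentorquotes.htb",
                          "username": user, "password": password}).encode()
    req = urllib.request.Request(LOGIN_URL, data=payload,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:           # connection problem, no response
        return None, ""

if __name__ == "__main__":
    secret = load_secret(SECRET_FILE)
    while True:
        if login_failed(*attempt("james", secret)):
            record_failure(LOG_FILE)
        time.sleep(20)
```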