nginx


The current user, nginx, is severely restricted by SELinux. The enumeration below is therefore partial and limited by that policy: several of the commands that follow return no output at all.

System/Kernel


$ file /bin/bash ; uname -a ; cat /etc/*release
/bin/bash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d6860cc6bde275862ffc23fd60a7c1e2507c818f, stripped
Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 8.3.2011
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
CentOS Linux release 8.3.2011
CentOS Linux release 8.3.2011

CentOS Linux release 8.3.2011 4.18.0-305.10.2.el8_4.x86_64 x86_64

Networks


$ netstat -antup4
 
$ ip a
 
$ ss -tunlp4

Cannot access networking information due to the restriction placed by SELinux (netstat, ip and ss all returned nothing).

Users & Groups


$ cat /etc/passwd ; ls -la /home        
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:992:User for sssd:/:/sbin/nologin
chrony:x:995:991::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
michelle:x:1000:1000::/home/michelle:/bin/bash
setroubleshoot:x:994:990::/var/lib/setroubleshoot:/sbin/nologin
cockpit-ws:x:993:989:User for cockpit-ws:/nonexisting:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:992:988:Nginx web server:/var/lib/nginx:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-wsinstance:x:991:987:User for cockpit-ws instances:/nonexisting:/sbin/nologin
rngd:x:990:986:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin

michelle

Cannot access the /home directory due to the restriction placed by SELinux (the listing above shows only the michelle entry).

$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=2(daemon) gid=2(daemon) groups=2(daemon)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=7(halt) gid=0(root) groups=0(root)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump)
uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=998(polkitd) gid=995(polkitd) groups=995(polkitd)
uid=997(unbound) gid=994(unbound) groups=994(unbound)
uid=996(sssd) gid=992(sssd) groups=992(sssd)
uid=995(chrony) gid=991(chrony) groups=991(chrony)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=1000(michelle) gid=1000(michelle) groups=1000(michelle)
uid=994(setroubleshoot) gid=990(setroubleshoot) groups=990(setroubleshoot)
uid=993(cockpit-ws) gid=989(cockpit-ws) groups=989(cockpit-ws)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=992(nginx) gid=988(nginx) groups=988(nginx)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=991(cockpit-wsinstance) gid=987(cockpit-wsinstance) groups=987(cockpit-wsinstance)
uid=990(rngd) gid=986(rngd) groups=986(rngd)

SUIDs


$ find / -perm -04000 -ls -type f 2>/dev/null
  2100265     64 -rwsr-x---   1  root     dbus        63760 Apr  7  2021 /usr/libexec/dbus-1/dbus-daemon-launch-helper
  2100728     32 -rwsr-xr-x   1  root     root        29640 Apr  9  2020 /usr/lib/polkit-1/polkit-agent-helper-1
  6294725     12 -rwsr-xr-x   1  root     root        12016 Mar  2  2021 /usr/sbin/grub2-set-bootflag
  6295091     40 -rwsr-xr-x   1  root     root        37864 Jun 15  2020 /usr/sbin/unix_chkpwd
   796538     84 -rwsr-xr-x   1  root     root        84296 Aug 12  2020 /usr/bin/gpasswd
   796541     44 -rwsr-xr-x   1  root     root        43560 Aug 12  2020 /usr/bin/newgrp
   796756     52 -rwsr-xr-x   1  root     root        50456 Jul 21  2020 /usr/bin/mount
   796771     52 -rwsr-xr-x   1  root     root        50320 Jul 21  2020 /usr/bin/su
   796774     36 -rwsr-xr-x   1  root     root        33648 Jul 21  2020 /usr/bin/umount
   797153     36 -rwsr-xr-x   1  root     root        35624 Apr  9  2020 /usr/bin/pkexec
   797191     68 -rwsr-xr-x   1  root     root        65904 Nov  8  2019 /usr/bin/crontab
   797383     80 -rwsr-xr-x   1  root     root        79648 Aug 12  2020 /usr/bin/chage
   882998    164 ---s--x--x   1  root     root       165632 Jan 26  2021 /usr/bin/sudo
  1175587     36 -rwsr-xr-x   1  root     root        33600 Apr  6  2020 /usr/bin/passwd

Note: in this find invocation (and the SGID one below) `-ls` comes before `-type f`, so every entry matching `-perm` is printed before the type test is evaluated and `-type f` does not filter the listing; `find / -type f -perm -04000 -ls` gives the intended file-only output. Setuid directories are rare, so the SUID list is unaffected in practice, but setgid directories are common and may appear in the SGID list.

SGIDs


$ find / -perm -02000 -ls -type f 2>/dev/null       
  4783149    448 -r-xr-sr-x   1  root     ssh_keys   455168 Apr 26  2020 /usr/libexec/openssh/ssh-keysign
     6542     16 -rwx--s--x   1  root     utmp        13344 May 10  2019 /usr/libexec/utempter/utempter
   796783     24 -rwxr-sr-x   1  root     tty         21232 Jul 21  2020 /usr/bin/write

Processes


$ ps -auxwww
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  0.4 1114848 16484 ?       ss   03:00   0:47 /usr/lib/systemd/systemd --switched-root --system --deserialize 17
root        1139  0.0  0.0 119280  2276 ?        ss   03:01   0:00 nginx: master process /usr/sbin/nginx
nginx       1140  1.1  0.2 152116  9472 ?        s    03:01   6:00 nginx: worker process
nginx       1141  0.2  0.2 151984  9472 ?        s    03:01   1:23 nginx: worker process
michelle   69514  0.0  0.1 1184116 7412 ?        s    11:27   0:00 (sd-pam)
root       70105  0.0  0.5 250448 22548 ?        ss   11:35   0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx      70106  0.0  0.4 267060 18576 ?        s    11:35   0:00 php-fpm: pool www
nginx      70107  0.0  0.4 267060 18576 ?        s    11:35   0:00 php-fpm: pool www
nginx      70108  0.0  0.4 267060 18576 ?        s    11:35   0:00 php-fpm: pool www
nginx      70109  0.0  0.4 267060 18584 ?        s    11:35   0:00 php-fpm: pool www
nginx      70110  0.0  0.4 267112 19280 ?        s    11:35   0:00 php-fpm: pool www
nginx      70568  0.0  0.3 266780 13084 ?        s    11:39   0:00 php-fpm: pool www
nginx      70595  0.0  0.0  58680  3660 ?        r    11:40   0:00 ps -auxwww

Cron & Systemd


$ crontab -l ; cat /etc/crontab ; systemctl list-timers

Cannot access the user crontab, /etc/crontab or the systemctl timer list due to the restriction placed by SELinux.

Sudo Version


$ sudo -V
Sudo version 1.8.29
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.29

Sudo version 1.8.29

Glibc Version


$ ldd --version
ldd (GNU libc) 2.28
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

ldd (GNU libc) 2.28