Michelle
After moving laterally to the michelle user, I am re-doing some basic enumeration that could not be done earlier as the nginx user because of the severe restrictions imposed by SELinux.
[michelle@pit ~]$ id -Z
user_u:user_r:user_t:s0
Although the michelle user is also confined by SELinux (user_u:user_r:user_t), the restriction does not seem as severe as it was for the nginx user.
Networks
[michelle@pit ~]$ ss -tunlp4
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:199 0.0.0.0:*
tcp LISTEN 0 64 127.0.0.1:39177 0.0.0.0:* users:(("cockpit-bridge",pid=69520,fd=13))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
Loopback-only listeners: 127.0.0.1:323, 127.0.0.1:199, 127.0.0.1:39177 (cockpit-bridge)
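Reading the ss listing by hand works for six lines, but it is easy to misclassify a bind address on a busier host. The following is an added example, not part of this writeup, that splits `ss -tunlp4` output into loopback-only and externally reachable listeners and pulls out the owning process where ss reports one. The sample output embedded in `SS_SAMPLE` is constructed to mirror the listing above; on a real host pipe `ss -tunlp4` into `classify_listeners` instead.

```shell
#!/bin/sh
# Added example (not from the writeup): classify `ss -tunlp4` listeners by bind scope.
# Constructed sample mirroring the page's listing; replace with live output via:
#   ss -tunlp4 | classify_listeners
SS_SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:199 0.0.0.0:*
tcp LISTEN 0 64 127.0.0.1:39177 0.0.0.0:* users:(("cockpit-bridge",pid=69520,fd=13))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# Print "scope proto local:port process" per listener. Scope is "loopback" when the
# local address is 127.x.x.x, otherwise "external" (0.0.0.0 or a specific interface).
# The header line (NR == 1) is skipped; process name comes from the users:(...) field.
classify_listeners() {
    awk 'NR > 1 {
        split($5, a, ":")
        scope = (a[1] ~ /^127\./) ? "loopback" : "external"
        proc = "-"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        print scope, $1, $5, proc
    }'
}

# Only the listeners bound to loopback, as local:port values
loopback_only() {
    classify_listeners | awk '$1 == "loopback" {print $3}'
}

# Only the listeners reachable from other hosts, as local:port values
external_only() {
    classify_listeners | awk '$1 == "external" {print $3}'
}

printf '%s\n' "$SS_SAMPLE" | classify_listeners
```

The loopback-only set is the one to reconcile against what the host is expected to run: cockpit-bridge is tied to the logged-in session here, while 323 and 199 belong to services whose owners ss cannot show to an unprivileged user, so each needs an explanation before it is treated as benign.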
SUIDs
[michelle@pit ~]$ find / -perm -04000 -ls -type f 2>/dev/null
2100265 64 -rwsr-x--- 1 root dbus 63760 Apr 7 2021 /usr/libexec/dbus-1/dbus-daemon-launch-helper
2100728 32 -rwsr-xr-x 1 root root 29640 Apr 9 2020 /usr/lib/polkit-1/polkit-agent-helper-1
6294725 12 -rwsr-xr-x 1 root root 12016 Mar 2 2021 /usr/sbin/grub2-set-bootflag
6295089 16 -rwsr-xr-x 1 root root 12320 Jun 15 2020 /usr/sbin/pam_timestamp_check
6295091 40 -rwsr-xr-x 1 root root 37864 Jun 15 2020 /usr/sbin/unix_chkpwd
796538 84 -rwsr-xr-x 1 root root 84296 Aug 12 2020 /usr/bin/gpasswd
796541 44 -rwsr-xr-x 1 root root 43560 Aug 12 2020 /usr/bin/newgrp
796756 52 -rwsr-xr-x 1 root root 50456 Jul 21 2020 /usr/bin/mount
796771 52 -rwsr-xr-x 1 root root 50320 Jul 21 2020 /usr/bin/su
796774 36 -rwsr-xr-x 1 root root 33648 Jul 21 2020 /usr/bin/umount
797153 36 -rwsr-xr-x 1 root root 35624 Apr 9 2020 /usr/bin/pkexec
797191 68 -rwsr-xr-x 1 root root 65904 Nov 8 2019 /usr/bin/crontab
797219 40 -rwsr-xr-x 1 root root 38680 May 11 2019 /usr/bin/fusermount
797383 80 -rwsr-xr-x 1 root root 79648 Aug 12 2020 /usr/bin/chage
882998 164 ---s--x--x 1 root root 165632 Jan 26 2021 /usr/bin/sudo
1175587 36 -rwsr-xr-x 1 root root 33600 Apr 6 2020 /usr/bin/passwd
/usr/bin/crontab
SGIDs
[michelle@pit ~]$ find / -perm -02000 -ls -type f 2>/dev/null
4783149 448 -r-xr-sr-x 1 root ssh_keys 455168 Apr 26 2020 /usr/libexec/openssh/ssh-keysign
6542 16 -rwx--s--x 1 root utmp 13344 May 10 2019 /usr/libexec/utempter/utempter
796783 24 -rwxr-sr-x 1 root tty 21232 Jul 21 2020 /usr/bin/write
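A raw SUID/SGID listing like the two above is only useful once it is compared against what the host should carry. The following is an added example, not part of this writeup, that diffs `find -ls` style output against an expected baseline and reports set-id files that are unexpected, plus baseline entries that are no longer set-id. Both `BASELINE` and `FOUND` are constructed sample data (the `/tmp/.helper` entry is invented to exercise the check); `collect_privileged` shows the live command, with the tests placed before `-ls`, since in the form used above `-ls` fires before `-type f` is evaluated.

```shell
#!/bin/sh
# Added example (not from the writeup): audit set-id files against a known baseline.

# Constructed baseline: privileged binaries this host is expected to have.
BASELINE='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/libexec/openssh/ssh-keysign'

# Constructed `find -ls` output; the last entry is invented to trigger a finding.
FOUND='796538 84 -rwsr-xr-x 1 root root 84296 Aug 12 2020 /usr/bin/passwd
796771 52 -rwsr-xr-x 1 root root 50320 Jul 21 2020 /usr/bin/su
797191 68 -rwsr-xr-x 1 root root 65904 Nov 8 2019 /usr/bin/crontab
4783149 448 -r-xr-sr-x 1 root ssh_keys 455168 Apr 26 2020 /usr/libexec/openssh/ssh-keysign
123456 16 -rwsr-xr-x 1 root root 16384 Apr 7 12:01 /tmp/.helper'

# Live collection (not invoked here). Tests precede the -ls action so that only
# regular files with the setuid or setgid bit are printed.
collect_privileged() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
}

# Path is the last whitespace-separated field of each `find -ls` line
# (paths containing spaces would need -printf or -print0 instead).
paths_of() {
    awk '{print $NF}'
}

# Set-id files on the host that are absent from the baseline
unexpected_privileged() {
    baseline_file=$(mktemp)
    printf '%s\n' "$BASELINE" | sort > "$baseline_file"
    paths_of | sort | comm -13 "$baseline_file" -
    rm -f "$baseline_file"
}

# Baseline files that are no longer set-id on the host (package change or tampering)
missing_from_host() {
    baseline_file=$(mktemp)
    printf '%s\n' "$BASELINE" | sort > "$baseline_file"
    paths_of | sort | comm -23 "$baseline_file" -
    rm -f "$baseline_file"
}

echo "unexpected set-id files:"
printf '%s\n' "$FOUND" | unexpected_privileged
echo "baseline entries not set-id on host:"
printf '%s\n' "$FOUND" | missing_from_host
```

On an RPM-based system such as this one, the baseline can be generated from the package database rather than hand-written, and `rpm -V` on each flagged binary tells you whether its mode or contents differ from what the package shipped.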
Processes
[michelle@pit ~]$ ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.4 1114848 16488 ? Ss 03:00 0:49 /usr/lib/systemd/systemd --switched-root --system --deserialize 17
michelle 69506 0.0 0.0 27404 516 ? Ss 11:27 0:00 /usr/bin/ssh-agent
michelle 69509 0.0 0.2 94020 9716 ? Ss 11:27 0:00 /usr/lib/systemd/systemd --user
michelle 69514 0.0 0.1 1184116 7412 ? S 11:27 0:00 (sd-pam)
michelle 69520 0.3 0.7 766148 29368 ? Sl 11:27 0:07 cockpit-bridge
michelle 69927 0.0 0.3 60004 12276 ? S 11:30 0:00 /usr/libexec/platform-python -
michelle 69952 0.0 0.0 24100 3988 pts/0 Ss 11:30 0:00 /bin/bash
michelle 75116 0.0 0.1 61608 4028 pts/0 R+ 12:00 0:00 ps -auxwww
Cron & Systemd
[michelle@pit ~]$ crontab -l ; cat /etc/crontab ; systemctl list-timers
no crontab for michelle
cat: /etc/crontab: Permission denied
NEXT LEFT LAST PASSED UNIT >
Fri 2023-04-07 12:36:01 EDT 35min left Fri 2023-04-07 11:36:01 EDT 24min ago dnf-makecache.timer >
Sat 2023-04-08 00:00:00 EDT 11h left Fri 2023-04-07 03:00:58 EDT 8h ago unbound-anchor.timer >
Sat 2023-04-08 03:15:33 EDT 15h left Fri 2023-04-07 03:15:33 EDT 8h ago systemd-tmpfiles-clean.timer >
3 timers listed.
Pass --all to see loaded but inactive timers, too.
lines 1-7/7 (END)