Bash History
After making a Lateral Movement to the Matt user, I found out that the .bash_history file of the Matt user is also populated:
matt@postman:~$ cat .bash_history
sudo -l
pwd
ls -la
wget https://gist.githubusercontent.com/fabiand/5628006/raw/fe02391084e634092681e3cbe5b7525545f83b84/SimpleHTTPPutServer.py
ls
python SimpleHTTPPutServer.py 8080
mv SimpleHTTPPutServer.py /var/www/html/SimpleHTTPPutServer.py
mv SimpleHTTPPutServer.py /var/www/html/
apt install apache2
su root
mv SimpleHTTPPutServer.py /var/www/html/
su root
cd /var/www/html
ls
python SimpleHTTPPutServer 8080
python -m SimpleHTTPPutServer 8080
service apache2 stop
rm index.html
su root
exit
cd ..
crontab -e
reboot
exit
python -m SimpleHTTPPutServer 8080
python -m SimpleHTTPServer 8080
ls
chmod 700 flag.txt
python server.py 8080
python server.py 127.0.0.1 8080
python server.py 127.0.0.1:8080
mkdir server
mv server server/
ls
mv server.py server/
cd server
ls
cp ../.ssh/id_rsa id_rsa.bak
ls
cd ..
ls
ls -la
passwd
nano server/server.py
python3 server/server.py
nano server/server.py
ssh-keygen
openssl genrsa -des3 -out private.pem 2048
ls
cat private.pem
mv private.pem server/id_rsa.bak
ls
cd server
ls
python3 server.py
python server.py
python server.py 127.0.0.1:8080
su root
ls
nano server.py import sys
nano server.py
python server.py 8080
python server.py 127.0.0.1:8080
ls
service redis restart
su root
ls
echo 'Well Done' > flag.txt
su root
ls
chmod u+s base64
ls -la
crontab -e
exit
cd ~/
ls
cd server
ls
nano reminder
nano justincase.txt
exit
crontab -l
crontab -e
reboot
exit
cd ~/
nano user.txt
rm flag.txt
clear
cd /var/lib/redis
exit
cd ~/
cat user.txt
exit
cd ~/server/
ls
nano justincase.txt
python server.py
python server.py 127.0.0.1:8080
su root
crontab -l
crontab -r
crontab -l
clear
exit
cd /home/Matt
ls -la
cat user.txt
su redis
exit
The bash history of the Matt user also reveals a lot of information:
- presence of SimpleHTTPPutServer.py
- switching to the root user
- generation of the encrypted RSA key
- crontab
- presence of justincase.txt
- presence of server.py
While all of these appear to be just more rabbit holes, I will still take a look into them.
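As an added example (not part of the original notes, and not a tool used on the box), the manual review of the history above can be expressed as a small triage script that buckets commands into the categories an auditor cares about. The rule names and patterns are assumptions of this example; the sample lines are copied from the history shown above.

```python
import re

# Hypothetical rule set (an assumption of this example): category -> pattern.
RULES = {
    "privilege_switch": re.compile(r"^(sudo|su)\b"),
    # symbolic +s, or a 4-digit octal mode whose leading digit sets setuid/setgid
    "setuid_change":    re.compile(r"^chmod\s+(\S*\+\S*s\S*|[2-7]\d{3})\s"),
    "key_material":     re.compile(r"^(ssh-keygen|openssl\s+genrsa)\b|id_rsa|\.pem\b"),
    "scheduled_task":   re.compile(r"^crontab\b"),
    "remote_download":  re.compile(r"^(wget|curl)\b"),
    "ad_hoc_server":    re.compile(r"^python3?\s+(-m\s+)?\S*server\S*", re.I),
}

def triage(history_text):
    """Return {category: [(line_no, command), ...]} for matching history lines."""
    findings = {name: [] for name in RULES}
    for line_no, raw in enumerate(history_text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):   # skip blanks and HISTTIMEFORMAT stamps
            continue
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings[name].append((line_no, cmd))
    return findings

# Constructed sample: a handful of lines copied from the history shown above.
SAMPLE = """\
sudo -l
wget https://gist.githubusercontent.com/fabiand/5628006/raw/fe02391084e634092681e3cbe5b7525545f83b84/SimpleHTTPPutServer.py
python SimpleHTTPPutServer.py 8080
su root
crontab -e
cp ../.ssh/id_rsa id_rsa.bak
openssl genrsa -des3 -out private.pem 2048
chmod 700 flag.txt
chmod u+s base64
ls -la
"""

if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        for line_no, cmd in hits:
            print(f"{category:17} L{line_no:<3} {cmd}")
```

Running the same function over a full .bash_history file gives a per-category list with line numbers, which makes it easier to decide which entries deserve a follow-up check on disk.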
SimpleHTTPPutServer.py
Matt@Postman:~$ find / -name SimpleHTTPPutServer.py -ls -type f 2>/dev/null
157972 4 -rw-rw-r-- 1 Matt Matt 482 Aug 25 2019 /var/www/SimpleHTTPPutServer.py
Matt@Postman:~$ cat /var/www/SimpleHTTPPutServer.py
# python -m SimpleHTTPPutServer 8080
import SimpleHTTPServer
import BaseHTTPServer

class SputHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_PUT(self):
        print self.headers
        length = int(self.headers["Content-Length"])
        path = self.translate_path(self.path)
        with open(path, "wb") as dst:
            dst.write(self.rfile.read(length))

if __name__ == '__main__':
    SimpleHTTPServer.test(HandlerClass=SputHTTPRequestHandler)
I initially saw this file earlier and didn’t think much of it, as it doesn’t contain any valuable information.
crontab
matt@postman:~$ crontab -l
no crontab for Matt
The Matt user has no crontab.
justincase.txt
Matt@Postman:~$ find / -name justincase.txt -ls -type f 2>/dev/null
The justincase.txt file does not exist.
server.py
matt@postman:~$ find / -name server.py -ls -type f 2>/dev/null
525622 8 -rw-r--r-- 1 root root 4624 Jan 29 2018 /usr/lib/python3/dist-packages/dbus/server.py
525859 44 -rw-r--r-- 1 root root 43792 Oct 7 2019 /usr/lib/python3.6/http/server.py
525937 40 -rw-r--r-- 1 root root 37195 Oct 7 2019 /usr/lib/python3.6/xmlrpc/server.py
There are 3 server.py files within the filesystem, and none of them seem to be relevant.