Sandbox


$ ll /bin /sbin
0 lrwxrwxrwx 1 nobody nogroup 7 Apr 23  2020 /bin -> usr/bin
0 lrwxrwxrwx 1 nobody nogroup 8 Apr 23  2020 /sbin -> usr/sbin
$ ll /usr/bin /usr/sbin
/usr/bin:
total 14M
1.9m -rwxr-xr-x  1 nobody nogroup 1.9m jun 28 11:31 gpg-agent
   0 drwxr-xr-x  2 nobody nogroup  340 jun 28 11:31 .
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 cat
 40k -rwxr-xr-x  1 nobody nogroup  39k jun 28 11:31 id
136k -rwxr-xr-x  1 nobody nogroup 135k jun 28 11:31 ls
   0 lrwxrwxrwx  1 nobody nogroup   13 jun 28 11:31 sh -> /usr/bin/dash
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 basename
124k -rwxr-xr-x  1 nobody nogroup 123k jun 28 11:31 dash
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 base64
 12k -rwxr-xr-x  1 nobody nogroup 8.9k jun 28 11:31 lesspipe
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 groups
1.4m -rwxr-xr-x  1 nobody nogroup 1.4m jun 28 11:31 bash
4.0k -rwxr-xr-x  1 nobody nogroup  948 jun 28 11:31 flask
4.7m -rwxr-xr-x  1 nobody nogroup 4.7m jun 28 11:31 gpg
   0 lrwxrwxrwx  1 nobody nogroup   19 jun 28 11:31 python3 -> /usr/bin/python3.10
5.7m -rwxr-xr-x  1 nobody nogroup 5.7m jun 28 11:31 python3.10
4.0k drwxr-xr-x 14 nobody nogroup 4.0k jun  6 11:49 ..
 
/usr/sbin:
total 14M
1.9m -rwxr-xr-x  1 nobody nogroup 1.9m jun 28 11:31 gpg-agent
   0 drwxr-xr-x  2 nobody nogroup  340 jun 28 11:31 .
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 cat
 40k -rwxr-xr-x  1 nobody nogroup  39k jun 28 11:31 id
136k -rwxr-xr-x  1 nobody nogroup 135k jun 28 11:31 ls
   0 lrwxrwxrwx  1 nobody nogroup   13 jun 28 11:31 sh -> /usr/bin/dash
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 basename
124k -rwxr-xr-x  1 nobody nogroup 123k jun 28 11:31 dash
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 base64
 12k -rwxr-xr-x  1 nobody nogroup 8.9k jun 28 11:31 lesspipe
 36k -rwxr-xr-x  1 nobody nogroup  35k jun 28 11:31 groups
1.4m -rwxr-xr-x  1 nobody nogroup 1.4m jun 28 11:31 bash
4.0k -rwxr-xr-x  1 nobody nogroup  948 jun 28 11:31 flask
4.7m -rwxr-xr-x  1 nobody nogroup 4.7m jun 28 11:31 gpg
   0 lrwxrwxrwx  1 nobody nogroup   19 jun 28 11:31 python3 -> /usr/bin/python3.10
5.7m -rwxr-xr-x  1 nobody nogroup 5.7m jun 28 11:31 python3.10
4.0k drwxr-xr-x 14 nobody nogroup 4.0k jun  6 11:49 ..

I initially gain the foothold, only to realize that the current system has an extremely minimal set of binaries available.

Home


$ ll
total 44K
4.0K drwx------ 4 atlas  atlas   4.0K Jun 29 09:44 .gnupg
4.0K drwxr-xr-x 8 atlas  atlas   4.0K Jun  7 13:44 .
4.0K drwxrwxr-x 2 atlas  atlas   4.0K Jun  6 08:49 .cache
4.0K drwxr-xr-x 4 nobody nogroup 4.0K May  4 15:19 ..
4.0K drwxrwxr-x 3 atlas  atlas   4.0K Feb  7 10:30 .cargo
4.0K drwx------ 2 atlas  atlas   4.0K Feb  6 10:34 .ssh
4.0K drwxrwxr-x 6 atlas  atlas   4.0K Feb  6 10:33 .local
4.0K drwxrwxr-x 4 atlas  atlas   4.0K Jan 15 07:48 .config
   0 lrwxrwxrwx 1 nobody nogroup    9 Nov 22  2022 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 atlas  atlas    220 Nov 22  2022 .bash_logout
4.0K -rw-r--r-- 1 atlas  atlas   3.7K Nov 22  2022 .bashrc
4.0K -rw-r--r-- 1 atlas  atlas    807 Nov 22  2022 .profile

Checking the home directory of the current user.

$ ll .config
total 12K
   0 dr-------- 2 nobody nogroup   40 Jun 28 11:31 firejail
4.0K drwxr-xr-x 8 atlas  atlas   4.0K Jun  7 13:44 ..
4.0K drwxrwxr-x 4 atlas  atlas   4.0K Jan 15 07:48 .
4.0K drwxrwxr-x 3 nobody atlas   4.0K Jan 15 07:48 httpie

The user has the firejail directory present in the .config directory.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

This explains why my current session is extremely limited.

$ ll httpie
total 12K
4.0K drwxrwxr-x 3 nobody atlas 4.0K Jan 15 07:48 .
4.0K drwxrwxr-x 4 atlas  atlas 4.0K Jan 15 07:48 ..
4.0K drwxrwxr-x 3 nobody atlas 4.0K Jan 15 07:48 sessions
$ ll httpie/sessions
total 12K
4.0K drwxrwx--- 2 nobody atlas 4.0K May  4 17:30 localhost_5000
4.0K drwxrwxr-x 3 nobody atlas 4.0K Jan 15 07:48 .
4.0K drwxrwxr-x 3 nobody atlas 4.0K Jan 15 07:48 ..
$ ll httpie/sessions/localhost_5000
total 12K
4.0K drwxrwx--- 2 nobody atlas 4.0K May  4 17:30 .
4.0K -rw-r--r-- 1 nobody atlas  611 May  4 17:26 admin.json
4.0K drwxrwxr-x 3 nobody atlas 4.0K Jan 15 07:48 ..

There is what appears to be a session log in the JSON format by a possible admin user.

HTTPie (pronounced aitch-tee-tee-pie) is a command-line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. HTTPie is designed for testing, debugging, and generally interacting with APIs & HTTP servers. The http & https commands allow for creating and sending arbitrary HTTP requests. They use simple and natural syntax and provide formatted and colorized output.

$ cat httpie/sessions/localhost_5000/admin.json
{
    "__meta__": {
        "about": "HTTPie session file",
        "help": "https://httpie.io/docs#sessions",
        "httpie": "2.6.0"
    },
    "auth": {
        "password": "quietLiketheWind22",
        "type": null,
        "username": "silentobserver"
    },
    "cookies": {
        "session": {
            "expires": null,
            "path": "/",
            "secure": false,
            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
        }
    },
    "headers": {
        "Accept": "application/json, */*;q=0.5"
    }
}

There is a CLEARTEXT credential: quietLiketheWind22. I will test it for password reuse against the silentobserver user.
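
The following is an added example, not part of the original write-up: a small audit a defender could run over HTTPie session files to flag what admin.json exposes here (stored cleartext auth, group/other-readable mode, and a signed-but-unencrypted Flask-style cookie). The function names, the placeholder username and password, and the temporary file are assumptions; the cookie value is the one shown above, and the dict-keyed cookie layout is the one this HTTPie 2.6.0 file uses.

```python
import base64, json, os, stat, tempfile, zlib

def decode_flask_payload(cookie):
    """Return the JSON object carried in a Flask-style signed cookie, or None."""
    payload = cookie.lstrip(".").split(".")[0]
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        if cookie.startswith("."):  # leading dot marks a zlib-compressed payload
            raw = zlib.decompress(raw)
        obj = json.loads(raw)
    except (ValueError, zlib.error):
        return None
    return obj if isinstance(obj, dict) else None

def audit_session_file(path):
    """Return findings for one HTTPie session file without echoing any secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/other (mode {mode:04o})")
    with open(path) as fh:
        session = json.load(fh)
    auth = session.get("auth") or {}
    if auth.get("password"):
        findings.append(f"cleartext password stored for user {auth.get('username')!r}")
    for name, cookie in (session.get("cookies") or {}).items():
        if not cookie.get("secure"):
            findings.append(f"cookie {name!r} not marked secure")
        decoded = decode_flask_payload(cookie.get("value", ""))
        if decoded is not None:  # signed is not encrypted: contents are readable
            findings.append(f"cookie {name!r} payload is readable: {sorted(decoded)}")
    return findings

# Constructed sample in the layout shown above; the credentials are placeholders.
COOKIE = "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
SAMPLE = {"auth": {"password": "example-password", "type": None, "username": "exampleuser"},
          "cookies": {"session": {"expires": None, "path": "/", "secure": False, "value": COOKIE}}}

def demo():
    """Write the sample as a 0644 file (the mode admin.json has) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "admin.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, 0o644)
        return audit_session_file(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Restricting session files to mode 0600 and avoiding stored auth in long-lived sessions removes the first two findings; the cookie finding is a reminder that nothing sensitive belongs in a client-side Flask session.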