Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the root account after compromising the target system.
Internal Web App (monitoring)
root@sea:~# ll monitoring/
total 16
drwxr-xr-x 2 root root 4096 Feb 25 04:24 ./
drwx------ 7 root root 4096 Aug 11 18:35 ../
-rwxr-xr-x 1 root root 5376 Feb 25 04:24 index.php*
root@sea:~# ll monitoring/index.php
-rwxr-xr-x 1 root root 5376 Feb 25 04:24 monitoring/index.php*
root@sea:~# cat monitoring/index.php
<?php
$valid_users = array("amay" => "mychemicalromance");
function authenticate($valid_users) {
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($valid_users[$_SERVER['PHP_AUTH_USER']]) || $valid_users[$_SERVER['PHP_AUTH_USER']] !== $_SERVER['PHP_AUTH_PW']) {
header('WWW-Authenticate: Basic realm="Restricted Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Unauthorized access';
exit;
}
}
authenticate($valid_users);
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>System Monitor(Developing)</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f2f2f2;
margin: 0;
padding: 0;
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
}
.container {
width: 800px;
background-color: #ffffff;
border-radius: 10px;
box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
padding: 20px;
}
h1 {
color: #333333;
text-align: center;
margin-top: 0;
}
.status {
padding: 20px;
border-bottom: 1px solid #cccccc;
margin-bottom: 20px;
}
.status:last-child {
border-bottom: none;
margin-bottom: 0;
}
.status h2 {
color: #666666;
margin-top: 0;
}
.status p {
color: #333333;
margin: 10px 0;
}
.status.error {
background-color: #ffe6e6;
}
.status.success {
background-color: #e6ffe6;
}
.button {
background-color: #4CAF50;
color: white;
padding: 10px 20px;
border: none;
border-radius: 5px;
cursor: pointer;
margin-top: 10px;
transition: background-color 0.3s;
display: inline-block;
}
.button:hover {
background-color: #45a049;
}
</style>
</head>
<body>
<div class="container">
<h1>System Monitor(Developing)</h1>
<div class="status">
<h2>Disk Usage</h2>
<?php
$disk_usage = system('df -h / | grep "/"');
$disk_usage_values = explode(" ", $disk_usage);
$used_space = $disk_usage_values[12];
$total_space = $disk_usage_values[8];
?>
<p>Used: <?php echo $used_space; ?></p>
<p>Total: <?php echo $total_space; ?></p>
</div>
<div class="status">
<h2>System Management</h2>
<form action="" method="post">
<button type="submit" name="clean_apt" class="button">Clean system with apt</button>
<button type="submit" name="update_system" class="button">Update system</button>
<button type="submit" name="clear_auth_log" class="button">Clear auth.log</button>
<button type="submit" name="clear_access_log" class="button">Clear access.log</button>
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['clean_apt'])) {
$output = system('sudo apt clean');
echo "<p class='success'>$output</p>";
}
if (isset($_POST['update_system'])) {
$output = system('sudo apt update -y && sudo apt upgrade -y');
echo "<p class='success'>$output</p>";
}
if (isset($_POST['clear_auth_log'])) {
$output = system('sudo truncate -s 0 /var/log/auth.log');
echo "<p class='success'>$output</p>";
}
if (isset($_POST['clear_access_log'])) {
$output = system('sudo truncate -s 0 /var/log/apache2/access.log');
echo "<p class='success'>$output</p>";
}
}
?>
</div>
<div class="status">
<h2>Analyze Log File</h2>
<form action="" method="post">
<select name="log_file">
<option value="/var/log/apache2/access.log">access.log</option>
<option value="/var/log/auth.log">auth.log</option>
</select>
<button type="submit" name="analyze_log" class="button">Analyze</button>
</form>
<?php
if (isset($_POST['analyze_log'])) {
$log_file = $_POST['log_file'];
$suspicious_traffic = system("cat $log_file | grep -i 'sql\|exec\|wget\|curl\|whoami\|system\|shell_exec\|ls\|dir'");
if (!empty($suspicious_traffic)) {
echo "<p class='error'>Suspicious traffic patterns detected in $log_file:</p>";
echo "<pre>$suspicious_traffic</pre>";
} else {
echo "<p>No suspicious traffic patterns detected in $log_file.</p>";
}
}
?>
</div>
</div>
</body>
</html>monitoring watchdog
root@sea:~# ll scripts/
total 12
drwxr-xr-x 2 root root 4096 Aug 1 12:17 ./
drwx------ 7 root root 4096 Aug 11 18:35 ../
-rwxr-xr-x 1 root root 204 Aug 1 12:17 monitoring-watchdog.sh*
root@sea:~# cat scripts/monitoring-watchdog.sh
#!/bin/bash
while true; do
status_site=$(/usr/bin/curl -s --max-time 2 http://127.0.0.1:8080)
if [ $? -ne 0 ]; then
/usr/bin/systemctl restart monitoring.service
fi
sleep 3
doneservice
root@sea:~# systemctl status monitoring.service
● monitoring.service - System Monitoring Developing
Loaded: loaded (/etc/systemd/system/monitoring.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2024-08-11 18:32:11 UTC; 15min ago
Main PID: 50481 (php)
Tasks: 1 (limit: 4594)
Memory: 8.0M
CGroup: /system.slice/monitoring.service
└─50481 /usr/bin/php -S localhost:8080 -t /root/monitoring
Aug 11 18:47:43 sea php[50481]: [Sun Aug 11 18:47:43 2024] 127.0.0.1:42698 Closing
Aug 11 18:47:46 sea php[50481]: [Sun Aug 11 18:47:46 2024] 127.0.0.1:42710 Accepted
Aug 11 18:47:46 sea php[50481]: [Sun Aug 11 18:47:46 2024] 127.0.0.1:42710 [401]: GET /
Aug 11 18:47:46 sea php[50481]: [Sun Aug 11 18:47:46 2024] 127.0.0.1:42710 Closing
Aug 11 18:47:49 sea php[50481]: [Sun Aug 11 18:47:49 2024] 127.0.0.1:42718 Accepted
Aug 11 18:47:49 sea php[50481]: [Sun Aug 11 18:47:49 2024] 127.0.0.1:42718 [401]: GET /
Aug 11 18:47:49 sea php[50481]: [Sun Aug 11 18:47:49 2024] 127.0.0.1:42718 Closing
Aug 11 18:47:52 sea php[50481]: [Sun Aug 11 18:47:52 2024] 127.0.0.1:42730 Accepted
Aug 11 18:47:52 sea php[50481]: [Sun Aug 11 18:47:52 2024] 127.0.0.1:42730 [401]: GET /
Aug 11 18:47:52 sea php[50481]: [Sun Aug 11 18:47:52 2024] 127.0.0.1:42730 Closing/etc/systemd/system/monitoring.service
monitoring.service
root@sea:~# cat /etc/systemd/system/monitoring.service
[Unit]
Description=System Monitoring Developing
After=network.target
[Service]
User=root
Group=root
ExecStart=/usr/bin/php -S localhost:8080 -t /root/monitoring
WorkingDirectory=/root/monitoring
Restart=always
[Install]
WantedBy=multi-user.targetcontact.py
root@sea:/home/geo# ll
total 28
drwxr-x--- 4 geo geo 4096 Aug 1 12:13 ./
drwxr-xr-x 4 root root 4096 Jul 30 12:58 ../
lrwxrwxrwx 1 root root 9 Aug 1 12:13 .bash_history -> /dev/null
-rw-r--r-- 1 geo geo 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 geo geo 3771 Feb 25 2020 .bashrc
drwx------ 5 geo geo 4096 Jul 30 13:12 .local/
-rw-r--r-- 1 geo geo 807 Feb 25 2020 .profile
drwxrwxr-x 2 geo geo 4096 Jul 31 15:10 scripts/
root@sea:/home/geo# cd scripts
root@sea:/home/geo/scripts# ll
total 12
drwxrwxr-x 2 geo geo 4096 Jul 31 15:10 ./
drwxr-x--- 4 geo geo 4096 Aug 1 12:13 ../
-rw-rw-r-- 1 geo geo 1772 Jul 31 15:10 contact.py
root@sea:/home/geo/scripts# cat contact.py
import os
import asyncio
from pyppeteer import launch
import requests
async def XSS(page, url):
login_url = 'http://127.0.0.1/loginURL'
headers = {'host': 'sea.htb'}
data = {'password': 'mychemicalromance'}
response = requests.post(login_url, data=data, headers=headers, allow_redirects=False)
cookie = response.headers.get('Set-Cookie')
cookie = cookie.split(';')
cookie = cookie[1].split('=')[2]
cookie = {'name': 'PHPSESSID', 'value': cookie, 'domain': 'sea.htb'}
await page.setCookie(cookie)
try:
await page.goto(url)
content = await page.content()
except Exception as e:
print(f"[!] Failed at goto. {e}")
async def main():
browser = await launch(headless=True, args=['--no-sandbox'])
page = await browser.newPage()
directory_path = "/var/www/sea/messages/"
while True:
files = os.listdir(directory_path)
message_files = [file for file in files if file.endswith(".txt")]
urls = []
for file in message_files:
try:
file_path = os.path.join(directory_path, file)
with open(file_path, 'r') as f:
lines = f.readlines()
for line in lines:
if line.startswith("Website:"):
website = line.strip().split(": ")[1]
urls.append(website)
except:
print(f"[!] Failed to process {file}")
for url in urls:
try:
await XSS(page, url)
except:
print("[!] Failed at XSS")
os.system(f"rm -f {directory_path}*")
await asyncio.sleep(60)
asyncio.get_event_loop().run_until_complete(main())crontab
geo@sea:~/scripts$ crontab -l | grep -v '^#'
@reboot sleep 120; python3 /home/geo/scripts/contact.py