Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the root user after compromising the target system.
Process
root@yummy:~# ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 22456 13388 ? Rs 11:18 0:03 /sbin/init
root 450 0.0 0.5 66984 20320 ? S<s 11:18 0:03 /usr/lib/systemd/systemd-journald
root 490 0.0 0.6 289108 27264 ? SLsl 11:18 0:01 /sbin/multipathd -d -s
root 499 0.0 0.2 31412 9984 ? Ss 11:18 0:00 /usr/lib/systemd/systemd-udevd
systemd+ 540 0.0 0.2 18992 9088 ? Ss 11:18 0:00 /usr/lib/systemd/systemd-networkd
root 670 0.0 0.0 4068 3200 ? Ss 11:18 0:00 dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
systemd+ 682 0.0 0.3 22220 13312 ? Ss 11:18 0:01 /usr/lib/systemd/systemd-resolved
systemd+ 683 0.0 0.1 91020 7808 ? Ssl 11:18 0:00 /usr/lib/systemd/systemd-timesyncd
root 684 0.0 0.2 53456 11648 ? Ss 11:18 0:00 /usr/bin/VGAuthService
root 685 0.1 0.2 317184 10576 ? Ssl 11:18 0:15 /usr/bin/vmtoolsd
root 688 0.0 0.0 85228 2504 ? S<sl 11:18 0:03 /sbin/auditd
_laurel 692 0.0 0.1 10072 6400 ? S< 11:18 0:04 /usr/local/sbin/laurel --config /etc/laurel/config.toml
message+ 780 0.0 0.1 9884 5504 ? Ss 11:18 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 796 0.0 0.5 32056 20736 ? Ss 11:18 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
polkitd 801 0.0 0.2 308160 7936 ? Ssl 11:18 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 828 0.0 0.2 18196 8832 ? Ss 11:18 0:00 /usr/lib/systemd/systemd-logind
root 829 0.0 0.3 468940 13440 ? Ssl 11:18 0:00 /usr/libexec/udisks2/udisksd
root 830 0.0 0.1 17156 7168 ? Ss 11:18 0:00 /usr/bin/sudo -u www-data /usr/bin/gunicorn app:app -b 127.0.0.1:3000
www-data 886 0.0 0.6 36512 26824 ? S 11:18 0:02 /usr/bin/python3 /usr/bin/gunicorn app:app -b 127.0.0.1:3000
syslog 916 0.0 0.1 222508 6272 ? Ssl 11:18 0:01 /usr/sbin/rsyslogd -n -iNONE
root 975 0.0 0.3 392028 12672 ? Ssl 11:18 0:00 /usr/sbin/ModemManager
www-data 1062 0.0 1.9 87200 75704 ? S 11:18 0:01 /usr/bin/python3 /usr/bin/gunicorn app:app -b 127.0.0.1:3000
caddy 1396 0.0 0.8 1784564 34404 ? Ssl 11:18 0:00 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
root 1399 0.0 0.0 6824 2688 ? Ss 11:18 0:00 /usr/sbin/cron -f -P
root 1402 0.0 0.0 9544 3712 ? S 11:18 0:00 /usr/sbin/CRON -f -P
root 1403 0.0 0.0 9544 3712 ? S 11:18 0:00 /usr/sbin/CRON -f -P
root 1404 0.0 0.0 9544 3712 ? S 11:18 0:00 /usr/sbin/CRON -f -P
root 1413 0.0 0.0 2800 1664 ? Ss 11:18 0:00 /bin/sh -c /root/scripts/keep-app-integrity.sh
root 1414 0.0 0.0 2800 1664 ? Ss 11:18 0:00 /bin/sh -c /root/scripts/restorescripts.sh
root 1415 0.0 0.0 2800 1664 ? Ss 11:18 0:00 /bin/sh -c /root/scripts/restoreappbackup.sh
root 1416 0.0 0.0 7340 3456 ? S 11:18 0:00 /bin/bash /root/scripts/keep-app-integrity.sh
root 1417 0.0 0.0 7340 3456 ? S 11:18 0:00 /bin/bash /root/scripts/restorescripts.sh
root 1418 0.0 0.0 2896 1664 ? S 11:18 0:00 /usr/bin/inotifywait -m -e modify,create,delete --format %w%f %e /opt/app
root 1421 0.0 0.0 7340 3584 ? S 11:18 0:00 /bin/bash /root/scripts/restoreappbackup.sh
root 1423 0.0 0.0 7408 2184 ? S 11:18 0:00 /bin/bash /root/scripts/keep-app-integrity.sh
root 1425 0.0 0.0 2896 1664 ? S 11:18 0:00 /usr/bin/inotifywait -m -e delete --format %w%f %e /data/scripts/
root 1426 0.0 0.0 2896 1664 ? S 11:18 0:00 /usr/bin/inotifywait -m -e create --format %w%f %e /data/scripts
root 1427 0.0 0.0 7340 1928 ? S 11:18 0:00 /bin/bash /root/scripts/restorescripts.sh
root 1428 0.0 0.0 7340 1808 ? S 11:18 0:00 /bin/bash /root/scripts/restoreappbackup.sh
root 1446 0.0 0.0 6104 1920 tty1 Ss+ 11:18 0:00 /sbin/agetty -o -p -- \u --noclear - linux
mysql 1486 0.7 10.6 1787360 421700 ? Ssl 11:18 1:47 /usr/sbin/mysqld
root 1772 0.0 0.1 42844 4624 ? Ss 11:18 0:00 /usr/lib/postfix/sbin/master -w
postfix 1774 0.0 0.1 43336 7552 ? S 11:18 0:00 qmgr -l -t unix -u
root 2761 0.0 0.9 475256 38656 ? Ssl 11:44 0:01 /usr/libexec/fwupd/fwupd
root 2768 0.0 0.2 314004 8960 ? Ssl 11:44 0:00 /usr/libexec/upowerd
root 5446 0.0 0.2 12020 8064 ? Ss 13:01 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 5451 0.0 0.0 0 0 ? S 13:01 0:00 [psimon]
qa 5453 0.0 0.2 20296 11392 ? Ss 13:01 0:00 /usr/lib/systemd/systemd --user
qa 5455 0.0 0.0 21148 3516 ? S 13:01 0:00 (sd-pam)
root 6735 0.0 0.1 14992 7876 ? Ss 13:31 0:00 sshd: qa [priv]
qa 6794 0.0 0.1 15508 7360 ? S 13:31 0:02 sshd: qa@pts/0
qa 6795 0.0 0.1 8516 5504 pts/0 Ss+ 13:31 0:00 -bash
root 9241 0.0 0.1 14864 7664 ? Ss 14:37 0:00 sshd: dev [priv]
dev 9245 0.0 0.2 20316 11392 ? Ss 14:37 0:00 /usr/lib/systemd/systemd --user
dev 9248 0.0 0.0 21144 3516 ? S 14:37 0:00 (sd-pam)
dev 9358 0.0 0.1 14996 6944 ? S 14:37 0:01 sshd: dev@pts/2
dev 9359 0.0 0.1 8516 5376 pts/2 Ss 14:37 0:00 -bash
dev 9803 0.0 0.1 8524 5376 pts/2 S 14:45 0:00 /opt/app/bash -p
postfix 10062 0.0 0.1 43304 7680 ? S 14:48 0:00 trivial-rewrite -n rewrite -t unix -u -c
root 10207 0.0 0.1 7604 4096 pts/2 S+ 14:49 0:00 /opt/app/bash -p
postfix 10887 0.0 0.1 43396 7808 ? S 14:57 0:00 cleanup -z -t unix -u -c
postfix 10972 0.0 0.1 43296 7808 ? S 14:58 0:00 pickup -l -t unix -u -c
root 11276 0.2 0.2 15276 8944 ? Ss 15:01 0:01 sshd: root@pts/1
root 11281 0.0 0.2 20320 11392 ? Ss 15:01 0:00 /usr/lib/systemd/systemd --user
root 11282 0.0 0.0 21156 3380 ? S 15:01 0:00 (sd-pam)
root 11351 0.0 0.1 8516 5376 pts/1 Ss 15:01 0:00 -bash
postfix 11503 0.0 0.2 42916 8576 ? S 15:03 0:00 local -t unix
postfix 11597 0.0 0.2 42916 8448 ? S 15:04 0:00 local -t unix
root 12122 0.0 0.0 5684 1920 ? S 15:09 0:00 /usr/bin/sleep 10Cron
root@yummy:~# crontab -l | grep -v '^#'
@reboot /root/scripts/restoreappbackup.sh
@reboot /root/scripts/restorescripts.sh
@reboot /root/scripts/keep-app-integrity.sh
*/5 * * * * /usr/bin/rm -f /data/scripts/fixer*
*/15 * * * * /usr/bin/rm -rf /tmp/tmp*
*/15 * * * * /usr/bin/rm -f /var/mail/*
* * * * * /root/scripts/checkappbackup.sh
*/2 * * * * /root/scripts/dev-app-cleanup.sh@reboot /root/scripts/restoreappbackup.sh@reboot /root/scripts/restorescripts.sh@reboot /root/scripts/keep-app-integrity.sh/root/scripts/checkappbackup.sh/root/scripts/dev-app-cleanup.sh
/root/scripts/restoreappbackup.sh
root@yummy:~/scripts# cat /root/scripts/restoreappbackup.sh
#!/bin/bash
MONITOR_DIR="/data/scripts"
FILE_TO_WATCH="app_backup.sh"
ORIGINAL="5abc61fab3b59c03de515a0122424166"
# Ensure the directory exists
if [ ! -d "$MONITOR_DIR" ]; then
/usr/bin/echo "The directory $MONITOR_DIR does not exist."
exit 1
fi
# Monitor the directory for create and delete events
/usr/bin/inotifywait -m -e create --format '%w%f %e' "$MONITOR_DIR" | while read fullpath event
do
filename=$(/usr/bin/basename "$fullpath")
if [ "$filename" == "$FILE_TO_WATCH" ]; then
case "$event" in
CREATE)
/usr/bin/echo "The file $filename has been created."
CURRENT=$(/usr/bin/md5sum /data/scripts/app_backup.sh | /usr/bin/awk '{print $1}')
/usr/bin/sleep 2
if [[ $CURRENT != $ORIGINAL ]]; then
/usr/bin/su -c '/bin/bash /data/scripts/app_backup.sh' -s /bin/bash www-data &
fi
/usr/bin/sleep 5
/usr/bin/cp /root/scripts/app_backup.sh /data/scripts/app_backup.sh ; /usr/bin/chmod 644 /data/scripts/app_backup.sh ; /usr/bin/chown root:root /data/scripts/app_backup.sh
/usr/bin/echo "$filename restored."
;;
*)
# Other events, if any, can be handled here
;;
esac
fi
done/root/scripts/restorescripts.sh
root@yummy:~/scripts# cat /root/scripts/restorescripts.sh
#!/bin/bash
MONITOR_DIR="/data/scripts/"
FILES_TO_WATCH=("dbmonitor.sh" "fixer-v1.0.1.sh" "sqlappointments.sql" "table_cleanup.sh")
# Ensure the directory exists
if [ ! -d "$MONITOR_DIR" ]; then
/usr/bin/echo "The directory $MONITOR_DIR does not exist."
exit 1
fi
# Monitor the directory for delete events
/usr/bin/inotifywait -m -e delete --format '%w%f %e' "$MONITOR_DIR" | while read fullpath event
do
filename=$(/usr/bin/basename "$fullpath")
for file in "${FILES_TO_WATCH[@]}"; do
if [ "$filename" == "$file" ]; then
/usr/bin/echo "The file $filename has been deleted."
/usr/bin/cp /root/scripts/$filename /data/scripts/$filename
/usr/bin/echo $filename restore
break # Exit the loop once a match is found
fi
done
done/root/scripts/keep-app-integrity.sh
root@yummy:~/scripts# cat /root/scripts/keep-app-integrity.sh
#!/bin/bash
# Directory to monitor
MONITOR_DIR="/opt/app"
interval=10 # sleep 10 seconds before restoration
# Ensure the directory exists
if [ ! -d "$MONITOR_DIR" ]; then
/usr/bin/echo "The directory $MONITOR_DIR does not exist."
exit 1
fi
# Monitor the directory for any operations (modify, create, delete)
/usr/bin/inotifywait -m -e modify,create,delete --format '%w%f %e' "$MONITOR_DIR" | while read fullpath event
do
/usr/bin/sleep $interval
/usr/bin/echo "Detected $event on $fullpath"
# Removing and Restoring the webapp
cd /opt/app/
/usr/bin/rm -rf *
/usr/bin/unzip -o /root/scripts/yummy-app.zip
/usr/bin/chown -R root:root /opt/app/*
/usr/bin/chown root:www-data /opt/app
/usr/bin/echo "Fixed permissions"
# Ensure the owner is set back to root
/usr/bin/chown root:root "$file"
/usr/bin/echo "Fixed permissions."
done/root/scripts/checkappbackup.sh
root@yummy:~# cat /root/scripts/checkappbackup.sh
#!/bin/bash
# File to check
FILE_PATH="/data/scripts/app_backup.sh"
ORIGINAL_MD5="5abc61fab3b59c03de515a0122424166"
# Check if the file exists
if [ -f "$FILE_PATH" ]; then
# Calculate the MD5sum of the existing file
current_md5=$(/usr/bin/md5sum "$FILE_PATH" | /usr/bin/awk '{ print $1 }')
# Compare the current MD5 with the original MD5
if [ "$current_md5" == "$ORIGINAL_MD5" ]; then
/usr/bin/echo "The file $FILE_PATH exists and its MD5 matches."
exit 0
else
/usr/bin/echo "The MD5 hash does not match, updating the file..."
fi
else
/usr/bin/echo "The file $FILE_PATH does not exist, creating it..."
fi
# Copy the file from /root/scripts and set permissions/ownership
/usr/bin/cp /root/scripts/app_backup.sh /data/scripts/app_backup.sh ; /usr/bin/chmod 644 /data/scripts/app_backup.sh ; /usr/bin/chown root:root /data/scripts/app_backup.sh
/usr/bin/echo "File $FILE_PATH has been updated with the correct version."/root/scripts/dev-app-cleanup.sh
root@yummy:~# cat /root/scripts/dev-app-cleanup.sh
#!/bin/bash
# Directory to delete and restore
APP_DIR="/home/dev/app-production"
ZIP_FILE="/root/scripts/yummy-dev-app.zip"
# Delete the /home/dev/app-production directory
if [ -d "$APP_DIR" ]; then
/usr/bin/echo "Deleting the directory $APP_DIR"
/usr/bin/rm -rf "$APP_DIR"
else
/usr/bin/echo "$APP_DIR does not exist."
fi
/usr/bin/mkdir "$APP_DIR"
cd "$APP_DIR"
/usr/bin/unzip -o "$ZIP_FILE"
/usr/bin/chown -R dev:dev "$APP_DIR"Services
root@yummy:~# systemctl list-units | grep -i running
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope loaded active running System and Service Manager
session-541.scope loaded active running Session 541 of User qa
session-806.scope loaded active running Session 806 of User dev
session-905.scope loaded active running Session 905 of User root
auditd.service loaded active running Security Auditing Service
caddy.service loaded active running Caddy
cron.service loaded active running Regular background program processing daemon
dbus.service loaded active running D-Bus System Message Bus
fwupd.service loaded active running Firmware update daemon
getty@tty1.service loaded active running Getty on tty1
ModemManager.service loaded active running Modem Manager
multipathd.service loaded active running Device-Mapper Multipath Device Controller
mysql.service loaded active running MySQL Community Server
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
open-vm-tools.service loaded active running Service for virtual machines hosted on VMware
polkit.service loaded active running Authorization Manager
postfix@-.service loaded active running Postfix Mail Transport Agent (instance -)
rsyslog.service loaded active running System Logging Service
ssh.service loaded active running OpenBSD Secure Shell server
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running User Login Management
systemd-networkd.service loaded active running Network Configuration
systemd-resolved.service loaded active running Network Name Resolution
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running Rule-based Manager for Device Events and Files
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
user@0.service loaded active running User Manager for UID 0
user@1000.service loaded active running User Manager for UID 1000
user@1001.service loaded active running User Manager for UID 1001
vgauth.service loaded active running Authentication service for virtual machines hosted on VMware
yummy.service loaded active running yummy
dbus.socket loaded active running D-Bus System Message Bus Socket
multipathd.socket loaded active running multipathd control socket
ssh.socket loaded active running OpenBSD Secure Shell server socket
syslog.socket loaded active running Syslog Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
systemd-networkd.socket loaded active running Network Service Netlink Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socketyummy.service
yummy.service
root@yummy:~# systemctl status yummy.service
● yummy.service - yummy
Loaded: loaded (/etc/systemd/system/yummy.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-10-07 11:18:46 UTC; 3h 48min ago
Main PID: 830 (sudo)
Tasks: 3 (limit: 4556)
Memory: 113.6M (peak: 113.9M)
CPU: 4.508s
CGroup: /system.slice/yummy.service
├─ 830 /usr/bin/sudo -u www-data /usr/bin/gunicorn app:app -b 127.0.0.1:3000
├─ 886 /usr/bin/python3 /usr/bin/gunicorn app:app -b 127.0.0.1:3000
└─1062 /usr/bin/python3 /usr/bin/gunicorn app:app -b 127.0.0.1:3000
Oct 07 11:18:46 yummy systemd[1]: Started yummy.service - yummy.
Oct 07 11:18:47 yummy sudo[830]: root : PWD=/opt/app ; USER=www-data ; COMMAND=/usr/bin/gunicorn app:app -b 127.0.0.1:3000
Oct 07 11:18:47 yummy sudo[830]: pam_unix(sudo:session): session opened for user www-data(uid=33) by (uid=0)
Oct 07 11:18:50 yummy sudo[886]: [2024-10-07 11:18:50 +0000] [886] [INFO] Starting gunicorn 20.1.0
Oct 07 11:18:50 yummy sudo[886]: [2024-10-07 11:18:50 +0000] [886] [INFO] Listening at: http://127.0.0.1:3000 (886)
Oct 07 11:18:50 yummy sudo[886]: [2024-10-07 11:18:50 +0000] [886] [INFO] Using worker: sync
Oct 07 11:18:50 yummy sudo[1062]: [2024-10-07 11:18:50 +0000] [1062] [INFO] Booting worker with pid: 1062