Beyond
This is the "beyond" page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target system.
Firewall
root@clue:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:3000
ACCEPT tcp -- anywhere anywhere tcp dpt:zope-ftp
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:3000 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3000 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:zope-ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:zope-ftp state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
anthony
root@clue:/home/anthony# ll
total 28K
4.0K drwxr-xr-x 3 anthony anthony 4.0K Aug 5 2022 .
4.0K -rw------- 1 anthony anthony 120 Aug 5 2022 .bash_history
4.0K drwx------ 2 anthony anthony 4.0K Aug 5 2022 .ssh
4.0K drwxr-xr-x 4 root root 4.0K Aug 5 2022 ..
4.0K -rw-r--r-- 1 anthony anthony 220 Apr 18 2019 .bash_logout
4.0K -rw-r--r-- 1 anthony anthony 3.5K Apr 18 2019 .bashrc
4.0K -rw-r--r-- 1 anthony anthony 807 Apr 18 2019 .profile
root@clue:/home/anthony# cat .bash_history
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit
Checking the `.bash_history` file of the anthony user explains why the SSH private key didn't work for the anthony user: the user sudo-copied the public key into the root user's `authorized_keys` file.
Cron
root@clue:~# crontab -l
* * * * * bash /root/smbd.sh
/root/smbd.sh
/root/smbd.sh
root@clue:~# cat /root/smbd.sh
#!/bin/bash
# Make sure the smbd service is active: start it when it is not, and report
# on stdout which of the two cases applied.
if ! systemctl is-active --quiet smbd; then
  # Any non-zero status from is-active takes the start path.
  sudo systemctl start smbd
  echo "smbd has been started."
else
  echo "smbd is already running."
fi
N/A
Cassandra
root@clue:~# systemctl status cassandra.service
● cassandra.service - LSB: distributed storage system for structured data
Loaded: loaded (/etc/init.d/cassandra; generated)
Active: active (running) since Fri 2024-08-02 18:08:17 EDT; 7 months 21 days ago
Docs: man:systemd-sysv-generator(8)
Process: 484 ExecStart=/etc/init.d/cassandra start (code=exited, status=0/SUCCESS)
Tasks: 57 (limit: 2358)
Memory: 1.3G
CGroup: /system.slice/cassandra.service
└─804 /usr/bin/java -Xloggc:/var/log/cassandra/gc.log -ea -XX:+UseThreadPriorities -XX:ThreadPriorityPolicy=42 -XX:+HeapDumpO
/etc/init.d/cassandra
/etc/init.d/cassandra
root@clue:~# cat /etc/init.d/cassandra
#! /bin/sh
### BEGIN INIT INFO
# Provides: cassandra
# Required-Start: $remote_fs $network $named $time
# Required-Stop: $remote_fs $network $named $time
# Should-Start: ntp mdadm
# Should-Stop: ntp mdadm
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: distributed storage system for structured data
# Description: Cassandra is a distributed (peer-to-peer) system for
# the management and storage of structured data.
### END INIT INFO
# Author: Eric Evans <eevans@racklabs.com>
# Service identity and the paths this script works with.
DESC="Cassandra"
NAME=cassandra
PIDFILE=/var/run/$NAME/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
CONFDIR=/etc/cassandra
WAIT_FOR_START=10
CASSANDRA_HOME=/usr/share/cassandra
CASSANDRA_CONF=$CONFDIR
FD_LIMIT=100000

# Nothing to do (and no error) unless the jar, the main configuration and
# the JVM environment file are all installed.
if [ ! -e /usr/share/cassandra/apache-cassandra.jar ] \
	|| [ ! -e /etc/cassandra/cassandra.yaml ] \
	|| [ ! -e /etc/cassandra/cassandra-env.sh ]; then
	exit 0
fi

# Site overrides (the script reads JAVA_HOME and CASSANDRA_HEAPDUMP_DIR) are
# sourced from /etc/default/cassandra when that file is readable.
if [ -r /etc/default/$NAME ]; then
	. /etc/default/$NAME
fi

# Hand JAVA_HOME down to the daemon when it has been set.
if [ -n "$JAVA_HOME" ]; then
	export JAVA_HOME
fi

# rcS variables (VERBOSE and friends), then the LSB log_* helpers used by
# the command dispatcher below; lsb-base (>= 3.0-6) provides the latter.
. /lib/init/vars.sh
. /lib/lsb/init-functions
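#
# Function that returns 0 if process is running, or nonzero if not.
#
# The nonzero value is 3 if the process is simply not running, and 1 if the
# process is not running but the pidfile exists (to match the exit codes for
# the "status" command; see LSB core spec 3.1, section 20.2)
#
# Globals: PIDFILE (read), CMD_PATT (read); sets pid as a side effect.
#
# Regex the live process's command line must match before the pidfile is
# trusted: a -Dcassandra-pidfile=...cassandra.pid JVM property.
CMD_PATT="Dcassandra-pidfile=.*cassandra\.pid"
is_running()
{
	if [ -f "$PIDFILE" ]; then
		pid=$(cat "$PIDFILE")
		# The pidfile directory is created owned by the unprivileged
		# cassandra user (see do_start), so accept only a plain decimal
		# PID from it; anything else is treated like a stale pidfile
		# instead of being interpolated into a /proc path.
		case "$pid" in
			''|*[!0-9]*) return 1 ;;
		esac
		# A recycled PID may belong to an unrelated process; require the
		# Cassandra marker in its cmdline before reporting "running".
		grep -Eq "$CMD_PATT" "/proc/$pid/cmdline" 2>/dev/null && return 0
		return 1
	fi
	return 3
}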
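#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	# Globals: PIDFILE, FD_LIMIT (read); CASSANDRA_HEAPDUMP_DIR (optional,
	# overrides where the JVM heap dump goes).
	ulimit -l unlimited
	ulimit -n "$FD_LIMIT"
	# Home directory of the service account, used for diagnostic files.
	cassandra_home=$(getent passwd cassandra | awk -F ':' '{ print $6; }')
	# One timestamp for both diagnostic files, so a start that straddles a
	# second boundary still produces a matching heap-dump/error-log pair.
	stamp=$(date +%s)
	if [ -n "$CASSANDRA_HEAPDUMP_DIR" ]; then
		heap_dump_f="$CASSANDRA_HEAPDUMP_DIR/java_$stamp.hprof"
	else
		heap_dump_f="$cassandra_home/java_$stamp.hprof"
	fi
	error_log_f="$cassandra_home/hs_err_$stamp.log"
	# Runtime directory for the pidfile, owned by the service user.
	pid_dir=$(dirname "$PIDFILE")
	[ -e "$pid_dir" ] || install -d -ocassandra -gcassandra -m755 "$pid_dir"
	# -t only tests: it fails when a matching process already exists,
	# which is the "already running" return below.
	start-stop-daemon -S -c cassandra -a /usr/sbin/cassandra -q -p "$PIDFILE" -t >/dev/null || return 1
	# Real start, backgrounded (-b), as the cassandra user (-c).
	start-stop-daemon -S -c cassandra -a /usr/sbin/cassandra -b -p "$PIDFILE" -- \
		-p "$PIDFILE" -H "$heap_dump_f" -E "$error_log_f" >/dev/null || return 2
}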
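#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	# Globals: PIDFILE (read); RET (written)
	start-stop-daemon -K -u cassandra -p "$PIDFILE" -R TERM/30/KILL/5 >/dev/null
	RET=$?
	# Remove the pidfile only once the daemon is gone (0) or was never
	# running (1). After a failed stop (2, or any other error) the process
	# may still be alive, and deleting its pidfile would make is_running
	# report "not running" and let a second instance start beside it.
	if [ "$RET" -le 1 ]; then
		rm -f "$PIDFILE"
	fi
	return $RET
}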
# Command dispatcher: maps the init action in $1 onto do_start/do_stop/
# is_running and reports through the LSB log_* helpers.
case "$1" in
  start)
	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
	do_start
	rc=$?
	# 0/1 (started, or already running) are reported as success,
	# 2 (could not start) as failure; only when VERBOSE allows it.
	if [ "$VERBOSE" != no ]; then
		case "$rc" in
		  0|1) log_end_msg 0 ;;
		  2)   log_end_msg 1 ;;
		esac
	fi
	;;
  stop)
	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	rc=$?
	if [ "$VERBOSE" != no ]; then
		case "$rc" in
		  0|1) log_end_msg 0 ;;
		  2)   log_end_msg 1 ;;
		esac
	fi
	;;
  restart|force-reload)
	log_daemon_msg "Restarting $DESC" "$NAME"
	do_stop
	rc=$?
	if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
		# Stopped, or was not running: bring it up. Only a clean start
		# (0) is success; 1 means the old process is still running,
		# anything else means the start failed.
		if do_start; then
			log_end_msg 0
		else
			log_end_msg 1
		fi
	else
		# Failed to stop; no start is attempted on top of it.
		log_end_msg 1
	fi
	;;
  status)
	is_running
	stat=$?
	if [ "$stat" -eq 0 ]; then
		log_success_msg "$DESC is running"
	elif [ "$stat" -eq 1 ]; then
		log_failure_msg "could not access pidfile for $DESC"
	else
		log_success_msg "$DESC is not running"
	fi
	# Propagate the LSB status code (0 running, 1 pidfile but no
	# process, 3 not running).
	exit "$stat"
	;;
  *)
	echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
	exit 3
	;;
esac
# Null command: the script exits 0 whatever the last log_* helper returned.
:
# vi:ai sw=4 ts=4 tw=0 et
cassandra.yaml
root@clue:/etc/cassandra# cat /etc/cassandra/cassandra.yaml | grep -v '^[#/]'
cluster_name: 'Test Cluster'
num_tokens: 256
hinted_handoff_enabled: true
max_hint_window_in_ms: 10800000 # 3 hours
hinted_handoff_throttle_in_kb: 1024
max_hints_delivery_threads: 2
hints_flush_period_in_ms: 10000
max_hints_file_size_in_mb: 128
batchlog_replay_throttle_in_kb: 1024
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
roles_validity_in_ms: 2000
permissions_validity_in_ms: 2000
credentials_validity_in_ms: 2000
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
data_file_directories:
- /var/lib/cassandra/data
commitlog_directory: /var/lib/cassandra/commitlog
cdc_enabled: false
disk_failure_policy: stop
commit_failure_policy: stop
prepared_statements_cache_size_mb:
thrift_prepared_statements_cache_size_mb:
key_cache_size_in_mb:
key_cache_save_period: 14400
row_cache_size_in_mb: 0
row_cache_save_period: 0
counter_cache_size_in_mb:
counter_cache_save_period: 7200
saved_caches_directory: /var/lib/cassandra/saved_caches
commitlog_sync: periodic
commitlog_sync_period_in_ms: 10000
commitlog_segment_size_in_mb: 32
seed_provider:
# Addresses of hosts that are deemed contact points.
# Cassandra nodes use this list of hosts to find each other and learn
# the topology of the ring. You must change this if you are running
# multiple nodes!
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
# seeds is actually a comma-delimited list of addresses.
# Ex: "<ip1>,<ip2>,<ip3>"
- seeds: "127.0.0.1"
concurrent_reads: 32
concurrent_writes: 32
concurrent_counter_writes: 32
concurrent_materialized_view_writes: 32
memtable_allocation_type: heap_buffers
index_summary_capacity_in_mb:
index_summary_resize_interval_in_minutes: 60
trickle_fsync: false
trickle_fsync_interval_in_kb: 10240
storage_port: 7000
ssl_storage_port: 7001
listen_address: localhost
start_native_transport: true
native_transport_port: 9042
start_rpc: false
rpc_address: localhost
rpc_port: 9160
rpc_keepalive: true
rpc_server_type: sync
thrift_framed_transport_size_in_mb: 15
incremental_backups: false
snapshot_before_compaction: false
auto_snapshot: true
column_index_size_in_kb: 64
column_index_cache_size_in_kb: 2
compaction_throughput_mb_per_sec: 16
sstable_preemptive_open_interval_in_mb: 50
read_request_timeout_in_ms: 5000
range_request_timeout_in_ms: 10000
write_request_timeout_in_ms: 2000
counter_write_request_timeout_in_ms: 5000
cas_contention_timeout_in_ms: 1000
truncate_request_timeout_in_ms: 60000
request_timeout_in_ms: 10000
slow_query_log_timeout_in_ms: 500
cross_node_timeout: false
endpoint_snitch: SimpleSnitch
dynamic_snitch_update_interval_in_ms: 100
dynamic_snitch_reset_interval_in_ms: 600000
dynamic_snitch_badness_threshold: 0.1
request_scheduler: org.apache.cassandra.scheduler.NoScheduler
server_encryption_options:
internode_encryption: none
keystore: conf/.keystore
keystore_password: cassandra
truststore: conf/.truststore
truststore_password: cassandra
# More advanced defaults below:
# protocol: TLS
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
# require_client_auth: false
# require_endpoint_verification: false
client_encryption_options:
enabled: false
# If enabled and optional is set to true encrypted and unencrypted connections are handled.
optional: false
keystore: conf/.keystore
keystore_password: cassandra
# require_client_auth: false
# Set trustore and truststore_password if require_client_auth is true
# truststore: conf/.truststore
# truststore_password: cassandra
# More advanced defaults below:
# protocol: TLS
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
internode_compression: dc
inter_dc_tcp_nodelay: false
tracetype_query_ttl: 86400
tracetype_repair_ttl: 604800
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
windows_timer_interval: 1
transparent_data_encryption_options:
enabled: false
chunk_length_kb: 64
cipher: AES/CBC/PKCS5Padding
key_alias: testing:1
# CBC IV length for AES needs to be 16 bytes (which is also the default size)
# iv_length: 16
key_provider:
- class_name: org.apache.cassandra.security.JKSKeyProvider
parameters:
- keystore: conf/.keystore
keystore_password: cassandra
store_type: JCEKS
key_password: cassandra
tombstone_warn_threshold: 1000
tombstone_failure_threshold: 100000
replica_filtering_protection:
# These thresholds exist to limit the damage severely out-of-date replicas can cause during these
# queries. They limit the number of rows from all replicas individual index and filtering queries
# can materialize on-heap to return correct results at the desired read consistency level.
#
# "cached_replica_rows_warn_threshold" is the per-query threshold at which a warning will be logged.
# "cached_replica_rows_fail_threshold" is the per-query threshold at which the query will fail.
#
# These thresholds may also be adjusted at runtime using the StorageService mbean.
#
# If the failure threshold is breached, it is likely that either the current page/fetch size
# is too large or one or more replicas is severely out-of-sync and in need of repair.
cached_rows_warn_threshold: 2000
cached_rows_fail_threshold: 32000
batch_size_warn_threshold_in_kb: 5
batch_size_fail_threshold_in_kb: 50
unlogged_batch_across_partitions_warn_threshold: 10
compaction_large_partition_warning_threshold_mb: 100
gc_warn_threshold_in_ms: 1000
back_pressure_enabled: false
back_pressure_strategy:
- class_name: org.apache.cassandra.net.RateBasedBackPressure
parameters:
- high_ratio: 0.90
factor: 5
flow: FAST
enable_materialized_views: true
enable_sasi_indexes: true
enable_drop_compact_storage: false
cqlsh
root@clue:~# cqlsh localhost 9042 -u cassie -p SecondBiteTheApple330
Connected to Test Cluster at localhost:9042.
[cqlsh 5.0.1 | Cassandra 3.11.13 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassie@cqlsh>
Connected
cassie@cqlsh> SHOW VERSION;
[cqlsh 5.0.1 | Cassandra 3.11.13 | CQL spec 3.4.4 | Native protocol v4]
Version
cassie@cqlsh> DESCRIBE CLUSTER;
Cluster: Test Cluster
Partitioner: Murmur3Partitioner
Single cluster; Test Cluster
cassie@cqlsh> DESCRIBE KEYSPACES;
system_traces system_schema system_auth system system_distributed
Only the default system keyspaces are present.
cassie@cqlsh> USE system_auth;
cassie@cqlsh:system_auth> DESCRIBE TABLES;
resource_role_permissons_index role_permissions role_members roles
cassie@cqlsh:system_auth> SELECT * FROM roles;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User cassie has no SELECT permission on <table system_auth.roles> or any of its parents"
No access: cassie has no SELECT permission on system_auth.roles.