Beyond


This is the "beyond" page: additional post-exploitation enumeration and assessment, conducted as the root user after compromising the target system.

Distro


[root@hawat ~]# cat /etc/*release
Arch Linux release
LSB_VERSION=1.4
DISTRIB_ID=Arch
DISTRIB_RELEASE=rolling
DISTRIB_DESCRIPTION="Arch Linux"
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
LOGO=archlinux

It was Arch Linux

Services


[root@hawat ~]# systemctl list-units --state=running
  UNIT                              LOAD   ACTIVE SUB     DESCRIPTION                                                  
  proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
  init.scope                        loaded active running System and Service Manager                                   
  session-1.scope                   loaded active running Session 1 of user root                                       
  dbus.service                      loaded active running D-Bus System Message Bus                                     
  getty@tty1.service                loaded active running Getty on tty1                                                
  httpd.service                     loaded active running Apache Web Server                                            
  issuetracker.service              loaded active running Tracker                                                      
  mariadb.service                   loaded active running MariaDB 10.5.8 database server                               
  nginx.service                     loaded active running A high performance web server and a reverse proxy server     
  php-fpm7.service                  loaded active running The PHP FastCGI Process Manager                              
  sshd.service                      loaded active running OpenSSH Daemon                                               
  systemd-journald.service          loaded active running Journal Service                                              
  systemd-logind.service            loaded active running User Login Management                                        
  systemd-networkd.service          loaded active running Network Service                                              
  systemd-udevd.service             loaded active running Rule-based Manager for Device Events and Files               
  user@0.service                    loaded active running User Manager for UID 0                                       
  vmtoolsd.service                  loaded active running Open Virtual Machine Tools (VMware Tools)                    
  dbus.socket                       loaded active running D-Bus System Message Bus Socket                              
  systemd-journald-audit.socket     loaded active running Journal Audit Socket                                         
  systemd-journald-dev-log.socket   loaded active running Journal Socket (/dev/log)                                    
  systemd-journald.socket           loaded active running Journal Socket                                               
  systemd-networkd.socket           loaded active running Network Service Netlink Socket                               
  systemd-udevd-control.socket      loaded active running udev Control Socket                                          
  systemd-udevd-kernel.socket       loaded active running udev Kernel Socket                                           
 
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
24 loaded units listed.

Services of interest: httpd.service, issuetracker.service, mariadb.service, nginx.service

Web_50080 (Pizza & Nextcloud)


[root@hawat conf]# systemctl status httpd 
 httpd.service - Apache Web Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2024-08-02 20:59:50 UTC; 7 months 5 days ago
   Main PID: 288 (httpd)
      Tasks: 7 (limit: 2359)
     Memory: 41.3M
     CGroup: /system.slice/httpd.service
             ├─288 /usr/bin/httpd -k start -DFOREGROUND
             ├─848 /usr/bin/httpd -k start -DFOREGROUND
             ├─852 /usr/bin/httpd -k start -DFOREGROUND
             ├─857 /usr/bin/httpd -k start -DFOREGROUND
             ├─861 /usr/bin/httpd -k start -DFOREGROUND
             ├─862 /usr/bin/httpd -k start -DFOREGROUND
             └─863 /usr/bin/httpd -k start -DFOREGROUND

Enabled and running; unit file: /usr/lib/systemd/system/httpd.service

[root@hawat conf]# cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Web Server
After=network.target remote-fs.target nss-lookup.target
 
[Service]
Type=simple
ExecStart=/usr/bin/httpd -k start -DFOREGROUND
ExecStop=/usr/bin/httpd -k graceful-stop
ExecReload=/usr/bin/httpd -k graceful
PrivateTmp=true
LimitNOFILE=infinity
KillMode=mixed
 
[Install]
WantedBy=multi-user.target
[root@hawat conf]# cat httpd.conf | grep -v '^#'
 
ServerRoot "/etc/httpd"
 
 
Listen 50080
 
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfModule !mpm_prefork_module>
	#LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
	#LoadModule cgi_module modules/mod_cgi.so
</IfModule>
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
 
<IfModule unixd_module>
User http
Group http
 
</IfModule>
 
 
ServerAdmin you@example.com
 
 
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
 
DocumentRoot "/srv/apache"
<Directory "/srv/apache">
 
    Options Indexes FollowSymLinks
 
    AllowOverride None
	
    Require all granted
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
 
<Files ".ht*">
    Require all denied
</Files>
 
ErrorLog "/var/log/httpd/error_log"
 
LogLevel warn
 
<IfModule log_config_module>
 
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    <IfModule logio_module>
 
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
 
 
    CustomLog "/var/log/httpd/access_log" common
	
</IfModule>
 
<IfModule alias_module>
 
    ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
 
</IfModule>
 
<IfModule cgid_module>
 
</IfModule>
 
<Directory "/srv/http/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
 
<IfModule headers_module>
 
    RequestHeader unset Proxy early
</IfModule>
 
<IfModule mime_module>
    TypesConfig conf/mime.types
	
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
 
</IfModule>
 
 
 
 
 
 
Include conf/extra/httpd-mpm.conf
 
Include conf/extra/httpd-multilang-errordoc.conf
 
Include conf/extra/httpd-autoindex.conf
 
Include conf/extra/httpd-languages.conf
 
Include conf/extra/httpd-userdir.conf
 
 
 
 
 
Include conf/extra/httpd-default.conf
 
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
 
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
 
LoadModule php7_module modules/libphp7.so
AddHandler php7-script php
Include conf/extra/php7_module.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Include conf/extra/nextcloud.conf

DocumentRoot is /srv/apache (Listen 50080)

[root@hawat conf]# ll /etc/httpd/conf/extra/
total 84K
4.0K drwxr-xr-x 3 root root 4.0K Mar  2  2021 ..
4.0K drwxr-xr-x 2 root root 4.0K Feb 15  2021 .
4.0K -rw-r--r-- 1 root root  480 Feb 15  2021 nextcloud.conf
4.0K -rw-r--r-- 1 root root  318 Feb  2  2021 php7_module.conf
4.0K -rw-r--r-- 1 root root 2.9K Oct 14  2020 httpd-autoindex.conf
4.0K -rw-r--r-- 1 root root 1.8K Oct 14  2020 httpd-dav.conf
4.0K -rw-r--r-- 1 root root 2.9K Oct 14  2020 httpd-default.conf
4.0K -rw-r--r-- 1 root root 1.1K Oct 14  2020 httpd-info.conf
8.0K -rw-r--r-- 1 root root 5.0K Oct 14  2020 httpd-languages.conf
4.0K -rw-r--r-- 1 root root 1.4K Oct 14  2020 httpd-manual.conf
8.0K -rw-r--r-- 1 root root 4.4K Oct 14  2020 httpd-mpm.conf
4.0K -rw-r--r-- 1 root root 2.2K Oct 14  2020 httpd-multilang-errordoc.conf
 16K -rw-r--r-- 1 root root  13K Oct 14  2020 httpd-ssl.conf
4.0K -rw-r--r-- 1 root root  694 Oct 14  2020 httpd-userdir.conf
4.0K -rw-r--r-- 1 root root 1.5K Oct 14  2020 httpd-vhosts.conf
4.0K -rw-r--r-- 1 root root 3.1K Oct 14  2020 proxy-html.conf

nextcloud.conf

[root@hawat extra]# cat /etc/httpd/conf/extra/nextcloud.conf
<IfModule mod_alias.c>
    Alias /cloud /usr/share/webapps/nextcloud/
</IfModule>
 
<Directory /usr/share/webapps/nextcloud/>
    Options FollowSymlinks
    AllowOverride all
    Require all granted
</Directory>
 
<VirtualHost *:80>
    ServerAdmin foo@foofarm.com
    DocumentRoot /usr/share/webapps/nextcloud
    ServerName nextcloud.foo.com
    ErrorLog /var/log/httpd/nextcloud.foo.info-error_log
    CustomLog /var/log/httpd/nextcloud.foo.info-access_log common
</VirtualHost>

/cloud is aliased to /usr/share/webapps/nextcloud/

/srv/apache (Pizza)


[root@hawat conf]# ll /srv/apache
total 40K
4.0K drwxr-xr-x 5 root root 4.0K Mar  2  2021 ..
 12K -rw------- 1 root root  12K Feb 15  2021 .yes.swp
4.0K drwxrwxrwx 4 root root 4.0K Feb 15  2021 .
 12K -rw-r--r-- 1 root root 8.9K Feb 15  2021 index.html
4.0K drwxr-xr-x 2 root root 4.0K Feb 15  2021 images
4.0K drwxr-xr-x 2 root root 4.0K Feb 15  2021 4

/cloud OR /usr/share/webapps/nextcloud/ (Nextcloud)


[root@hawat conf]# ll /usr/share/webapps/nextcloud/ 
total 164K
4.0K drwxr-x---  4 http http 4.0K Feb 10  2021 data
4.0K drwxr-x--- 48 http http 4.0K Feb 10  2021 apps
4.0K drwxr-xr-x 13 root http 4.0K Feb 10  2021 .
4.0K drwxr-xr-x  2 root http 4.0K Feb 10  2021 updater
4.0K drwxr-xr-x  4 root http 4.0K Feb 10  2021 resources
4.0K drwxr-xr-x  3 root http 4.0K Feb 10  2021 themes
4.0K drwxr-xr-x  6 root http 4.0K Feb 10  2021 lib
4.0K drwxr-xr-x  2 root http 4.0K Feb 10  2021 ocm-provider
4.0K drwxr-xr-x  2 root http 4.0K Feb 10  2021 ocs
4.0K drwxr-xr-x  2 root http 4.0K Feb 10  2021 ocs-provider
4.0K drwxr-xr-x 22 root http 4.0K Feb 10  2021 core
4.0K drwxr-xr-x 41 root http 4.0K Feb 10  2021 3rdparty
4.0K drwxr-xr-x  3 root root 4.0K Feb 10  2021 ..
4.0K -rw-r--r--  1 root http 3.0K Feb  3  2021 .htaccess
4.0K -rw-r--r--  1 root http  101 Feb  3  2021 .user.ini
 20K -rw-r--r--  1 root http  17K Feb  3  2021 AUTHORS
 36K -rw-r--r--  1 root http  34K Feb  3  2021 COPYING
   0 lrwxrwxrwx  1 root http   29 Feb  3  2021 config -> /etc/webapps/nextcloud/config
4.0K -rw-r--r--  1 root http 3.9K Feb  3  2021 console.php
8.0K -rw-r--r--  1 root http 5.0K Feb  3  2021 cron.php
4.0K -rw-r--r--  1 root http  156 Feb  3  2021 index.html
4.0K -rw-r--r--  1 root http 2.9K Feb  3  2021 index.php
4.0K -rwxr-xr-x  1 root http  283 Feb  3  2021 occ
4.0K -rw-r--r--  1 root http 3.1K Feb  3  2021 public.php
8.0K -rw-r--r--  1 root http 5.3K Feb  3  2021 remote.php
4.0K -rw-r--r--  1 root http   26 Feb  3  2021 robots.txt
4.0K -rw-r--r--  1 root http 2.4K Feb  3  2021 status.php
4.0K -rw-r--r--  1 root http  382 Feb  3  2021 version.php

/etc/webapps/nextcloud/config

[root@hawat conf]# cat /etc/webapps/nextcloud/config/config.php 
<?php
$CONFIG = array (
  'instanceid' => 'ocsw7w9pqx2n',
  'passwordsalt' => '9FK2od2iZXxDxgWJUu2VM4BfDhIrUa',
  'secret' => 'bXe/J+bhGagtXkUy2e2yTs7nS2cNOgrebFBpHmFeQSJ62N49',
  'trusted_domains' => array ( $_SERVER['HTTP_HOST'] ),
  'datadirectory' => '/usr/share/webapps/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '20.0.7.1',
  'overwrite.cli.url' => 'http://192.168.120.54:50080/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'ParticularlyBedNot908',
  'installed' => true,
);

Nextcloud also uses the local MySQL instance, with credentials nextcloud:ParticularlyBedNot908

Web_30455 (Sale)


[root@hawat extra]# systemctl status nginx     
 nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2024-08-02 20:59:50 UTC; 7 months 5 days ago
    Process: 290 ExecStart=/usr/bin/nginx -g pid /run/nginx.pid; error_log stderr; (code=exited, status=0/SUCCESS)
   Main PID: 314 (nginx)
      Tasks: 2 (limit: 2359)
     Memory: 4.2M
     CGroup: /system.slice/nginx.service
             ├─314 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
             └─315 nginx: worker process

Enabled and running

[root@hawat extra]# cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target network-online.target nss-lookup.target
 
[Service]
Type=forking
PIDFile=/run/nginx.pid
PrivateDevices=yes
SyslogLevel=err
 
ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; error_log stderr;'
ExecReload=/usr/bin/nginx -s reload
KillMode=mixed
 
[Install]
WantedBy=multi-user.target
[root@hawat extra]# cat /etc/nginx/nginx.conf | grep -v '^#'
 
user root;
worker_processes  1;
 
events {
    worker_connections  1024;
}
 
 
http {
    include       mime.types;
    default_type  application/octet-stream;
 
    sendfile        on;
 
    keepalive_timeout  65;
 
    server {
        listen       30455;
        server_name  localhost;
 
        location / {
            root   /srv/http;
            index index.php index.html index.htm;
        }
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/http;
        }
 
 
	location ~ \.php$ {
	     fastcgi_pass unix:/var/run/php-fpm7/php-fpm.sock;
	     fastcgi_index index.php;
	     root /srv/http;
	     include fastcgi.conf; 
	}
    }
}

nginx document root is /srv/http (listen 30455), and nginx runs as root

/srv/http


[root@hawat extra]# ll /srv/http
total 24K
4.0K drwxrwxrwx 3 root  root  4.0K Mar  8 21:49 .
4.0K -rw-rw-rw- 1 mysql mysql   29 Mar  8 21:49 webshell.php
4.0K drwxr-xr-x 5 root  root  4.0K Mar  2  2021 ..
4.0K -rw-r--r-- 1 root  root    17 Feb 15  2021 phpinfo.php
4.0K -rw-r--r-- 1 root  root  3.9K Feb 15  2021 index.php
4.0K drwxr-xr-x 2 root  root  4.0K Feb 15  2021 4
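Added example, not part of the original writeup: a small POSIX sh audit that turns the findings above (world-writable /srv/apache and /srv/http, the mysql-owned webshell.php, and nginx configured with `user root;`) into repeatable checks a defender can run on a host like this one. The function names `audit_webroot` and `nginx_user_is_root` are mine; web roots and the expected owner are arguments, and only the stand-alone section at the bottom assumes the nginx.conf path seen on this host.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It turns three of the
# findings from this enumeration into repeatable checks for a defender:
#   * a web root that is world-writable (drwxrwxrwx on /srv/apache, /srv/http)
#   * files in a web root owned by someone other than the deploying user
#     (webshell.php owned by mysql under /srv/http)
#   * nginx configured to run as root ("user root;" in nginx.conf)
# Web roots and the expected owner are arguments; only the stand-alone block
# at the bottom assumes the /etc/nginx/nginx.conf path seen on this host.

# audit_webroot DIR [EXPECTED_OWNER]
# Prints one line per finding: "WORLD_WRITABLE <path>" or
# "UNEXPECTED_OWNER <path>". Exit 0 = clean, 1 = findings, 2 = usage error.
audit_webroot() {
    root=$1
    owner=${2:-root}
    [ -d "$root" ] || { echo "audit_webroot: no such directory: $root" >&2; return 2; }
    findings=$(
        {
            # -perm -002: the 'other' write bit is set (-rw-rw-rw-, drwxrwxrwx)
            find "$root" -perm -002 | sed 's/^/WORLD_WRITABLE /'
            # A docroot deployed by $owner should contain only $owner's files;
            # anything else was written by another process and needs explaining
            find "$root" ! -user "$owner" | sed 's/^/UNEXPECTED_OWNER /'
        } | sort
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# nginx_user_is_root CONF
# Exit 0 when CONF sets the worker user to root (optionally with a group),
# so any bug in a PHP handler or upload path would execute as uid 0.
# Commented-out directives are ignored.
nginx_user_is_root() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -Eq '^[[:space:]]*user[[:space:]]+root([[:space:]]+[^;]*)?;'
}

# Stand-alone use on the host: sh audit.sh /srv/apache /srv/http
# (runs only when web roots are given, so the file can also be sourced).
if [ $# -gt 0 ]; then
    status=0
    for d in "$@"; do audit_webroot "$d" || status=1; done
    if nginx_user_is_root /etc/nginx/nginx.conf; then
        echo 'NGINX_RUNS_AS_ROOT /etc/nginx/nginx.conf'
        status=1
    fi
    exit "$status"
fi
```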

Web_17445


[root@hawat ~]# systemctl status issuetracker.service 
 issuetracker.service - Tracker
     Loaded: loaded (/etc/systemd/system/issuetracker.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2024-08-02 20:59:50 UTC; 7 months 5 days ago
   Main PID: 263 (java)
      Tasks: 36 (limit: 2359)
     Memory: 314.8M
     CGroup: /system.slice/issuetracker.service
             └─263 /usr/bin/java -jar /home/clinton/tracker-0.0.1-SNAPSHOT.jar

Enabled and running; unit file: /etc/systemd/system/issuetracker.service

[root@hawat ~]# cat /etc/systemd/system/issuetracker.service
[Unit]
Description=Tracker
After=network-online.target
 
[Service]
Type=simple
PIDFile=/run/issuetracker.pid
ExecStart=/usr/bin/java -jar /home/clinton/tracker-0.0.1-SNAPSHOT.jar
User=clinton
Group=clinton
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

The service runs /home/clinton/tracker-0.0.1-SNAPSHOT.jar as user clinton

tracker-0.0.1-SNAPSHOT.jar


[root@hawat clinton]# jar -xf ./tracker-0.0.1-SNAPSHOT.jar 
[root@hawat clinton]# find . -name *.properties -ls -type f 2>/dev/null
   397224      4 -rw-r--r--   1 root     root          289 Mar  2  2021 ./BOOT-INF/classes/application.properties
   397226      4 -rw-r--r--   1 root     root           60 Mar  2  2021 ./META-INF/maven/com.issue/tracker/pom.properties
[root@hawat clinton]# cat ./BOOT-INF/classes/application.properties
spring.datasource.url=jdbc:mysql://localhost:3306/issue_tracker?serverTimeZone=UTC
spring.datasource.username=issue_user
spring.datasource.password=ManagementInsideOld797
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
 
spring.jpa.hibernate.ddl-auto=update
server.port=17445
 
[root@hawat tracker]# pwd
/home/clinton/BOOT-INF/classes/com/issue/tracker
[root@hawat tracker]# ll
total 24K
4.0K drwxr-xr-x 5 root root 4.0K Mar  2  2021 .
4.0K drwxr-xr-x 3 root root 4.0K Mar  2  2021 ..
4.0K -rw-r--r-- 1 root root  744 Mar  2  2021 TrackerApplication.class
4.0K drwxr-xr-x 2 root root 4.0K Mar  2  2021 config
4.0K drwxr-xr-x 2 root root 4.0K Mar  2  2021 issues
4.0K drwxr-xr-x 2 root root 4.0K Mar  2  2021 users

Application code (compiled classes) located at BOOT-INF/classes/com/issue/tracker

sqlmap


(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 2452 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: priority=' AND (SELECT 8606 FROM (SELECT(SLEEP(5)))qtrV)-- YlTo
---