Beyond


This is the Beyond page, where additional post-compromise enumeration and assessment are conducted as the root user after compromising the target system.

Cron


[root@hetemit ~]# crontab -l
no crontab for root

Python Web App


[root@hetemit restjson_hetemit]# ll
total 4
drwxr-xr-x 2 cmeeks cmeeks  87 Nov 13  2020 __pycache__
-rwx------ 1 cmeeks cmeeks 624 Nov 13  2020 app.py
[root@hetemit restjson_hetemit]# cat app.py 
from flask import Flask, request
import hashlib, os
 
# Flask application object; the @app.route decorators below register their handlers on it.
app = Flask(__name__)
 
@app.route('/')
def f0():
   """Index route: return a fixed string naming the two other endpoints."""
   return "{'/generate', '/verify'}"
 
@app.route('/generate', methods=['GET','POST'])
def f1():
   """GET returns a usage hint; POST returns the SHA-256 hex digest of the 'email' form field."""
   if request.method == 'GET':
       return "{'email@domain'}"
   else:
       # Plain SHA-256 with no salt or key: anyone who knows the input can
       # compute the same digest offline, so the value is not a secret.
       email = request.form['email'].encode('utf-8')
       return hashlib.sha256(email).hexdigest()
 
@app.route('/verify', methods=['GET','POST'])
def f2():
   """GET returns a usage hint; POST evaluates the 'code' form field as a Python expression and returns the result as text."""
   if request.method == 'GET':
       return "{'code'}"
   else:
       code = request.form['code']
       # SECURITY (review): eval() executes request-supplied text as Python inside
       # the web app's process, and this file shows no authentication or input
       # validation in front of it. Any client that can reach the route can run
       # code as the account the service runs under.
       # Remediation: remove eval(); compare the submitted value against the
       # expected one (e.g. hmac.compare_digest), or at most parse literals with
       # ast.literal_eval. Run the service as an unprivileged account and log
       # POST bodies sent to this route so misuse is detectable.
       result = eval(code)
       return str(result)
 
# Start Flask's built-in server with default settings, only when the file is executed directly.
# NOTE(review): the built-in server is meant for development; how the service is
# actually launched on this host (bind address, port, user) is not shown here.
if __name__ == '__main__':
    app.run()

vsftp


[root@hetemit ~]# cat /etc/vsftpd/vsftpd.conf 
# Run vsftpd as a standalone daemon rather than from a super-server.
listen=YES
# REVIEW: anonymous FTP logins are accepted.
anonymous_enable=YES
# Enables FTP commands that modify the filesystem; required for the anon_* write options below.
write_enable=YES
# REVIEW: anonymous users may upload files (subject to directory permissions, not shown here).
anon_upload_enable=YES
# REVIEW: anonymous users may create directories.
# Unless an anonymous drop box is intended, set anonymous_enable=NO or remove the two
# anon_* write options. If it is intended, keep the upload area out of any path that
# another service serves or executes from.
anon_mkdir_write_enable=YES

samba


[root@hetemit cmeeks]# rpm -q samba
samba-4.11.2-13.el8.x86_64
 
[root@hetemit ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
 
[global]
	workgroup = SAMBA
	security = user
 
	passdb backend = tdbsam
 
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw
 
	interfaces = ens160
 
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
 
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
 
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @printadmin root
	force group = @printadmin
	create mask = 0664
	directory mask = 0775
# REVIEW: custom share appended to the stock config. It is guest-accessible
# ('public' is a synonym for 'guest ok') and configured read-write; every
# operation is performed as the 'nobody' account because of 'force user'.
# Whether writes actually succeed also depends on the filesystem permissions
# of /home/cmeeks/share for 'nobody', which are not shown here.
# Hardening: drop 'public = yes', restrict access with 'valid users', and set
# 'read only = yes' unless guest writes are required.
[Cmeeks]
    comment = cmeeks Files
    path = /home/cmeeks/share
    public = yes
    writable = yes
    browsable = yes
    read only = no
    force user = nobody
    # NOTE(review): 'guess ok' looks like a misspelling of 'guest ok'; 'testparm'
    # should report it as an unknown parameter. Guest access is still enabled by
    # 'public = yes' above.
    guess ok = yes

writable?