Cron
A cronjob has been identified by PEAS
www-data@mantis:/dev/shm$ cat /etc/cron.d/db_backup
*/1 * * * * mantis bash /home/mantis/db_backups/backup.shIt executes the /home/mantis/db_backups/backup.sh file as the mantis user with an interval of 30 seconds
/home/mantis/db_backups/backup.sh
Now that I have made the lateral movement to the mantis user, I can enumerate the file
mantis@mantis:~$ cat ~/db_backups/backup.sh
#!/bin/bash
mysqldump -u bugtracker -pBugTracker007 bugtracker > /home/mantis/db_backups/1652766150.sqlIt just dumps the entire bugtracker DB into a file as backup
N/A