Beyond
This is the Beyond page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target system.
Cron
root@UC404:/# crontab -l
no crontab for root
Web
root@UC404:/var/www/html/under_construction# cat forgot.php
<!DOCTYPE html>
<html lang="en">
[...REDACTED...]
<!--
______ __ __ _____ _ _______ _______ _______ ______ __ __
| ____| \/ | /\ |_ _| | / ____\ \ / / ____|__ __| ____| \/ |
| |__ | \ / | / \ | | | | | (___ \ \_/ / (___ | | | |__ | \ / |
| __| | |\/| | / /\ \ | | | | \___ \ \ / \___ \ | | | __| | |\/| |
| |____| | | |/ ____ \ _| |_| |____ ____) | | | ____) | | | | |____| | | |
|______|_| |_/_/ \_\_____|______| |_____/ |_| |_____/ |_| |______|_| |_|
---- Under Construction ----
sendmail.php must receive the variable from the html form and send the message.
|| For security reasons we are working to blacklist some characters ||
//-->
<?php
// Captured from the target's web root and reproduced here as evidence of the weakness, not as a fix.
// Earlier variant, left commented out: the raw GET value went straight into system().
//system("php sendmail.php " . $_GET['email'], $output); print_r($output)
// Untrusted input: the 'email' query-string parameter is read with no validation.
$badUrl = $_GET['email'];
// The only sanitisation is a single-character substitution: every ';' becomes '?'.
// A character blacklist is not a shell-safe encoding; escapeshellarg() (or not
// invoking a shell at all) is the appropriate control for this call.
$goodUrl = str_replace(';', '?', $badUrl);
// The substituted value is concatenated into a shell command line and executed
// by the web server process; the command's output is then echoed back to the client.
system("php sendmail.php " . $goodUrl, $output); print_r($output);
?>
The PHP part only accepts the value of the `email` parameter in a GET request. `;` is the only blacklisted character, and it is replaced with `?` via PHP's str_replace function. Since the result is still concatenated into the system() call without escapeshellarg(), a single-character blacklist does not make the input shell-safe.
RPC
root@UC404:/# cat /lib/systemd/system/rpcbind.service
[Unit]
Description=RPC bind portmap service
Documentation=man:rpcbind(8)
DefaultDependencies=no
RequiresMountsFor=/run/rpcbind
# Make sure we use the IP addresses listed for
# rpcbind.socket, no matter how this unit is started.
Requires=rpcbind.socket
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target rpcbind.target
Before=remote-fs-pre.target rpcbind.target
[Service]
Environment="OPTIONS=-w"
ExecStart=/sbin/rpcbind -f $OPTIONS
EnvironmentFile=-/etc/rpcbind.conf
EnvironmentFile=-/etc/default/rpcbind
Type=notify
KillMode=process
Restart=on-failure
[Install]
Also=rpcbind.socket
WantedBy=multi-user.target
root@UC404:/# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 42732 mountd
100005 1 tcp 49749 mountd
100005 2 udp 50797 mountd
100005 2 tcp 32873 mountd
100005 3 udp 47731 mountd
100005 3 tcp 55767 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 60304 nlockmgr
100021 3 udp 60304 nlockmgr
100021 4 udp 60304 nlockmgr
100021 1 tcp 40129 nlockmgr
100021 3 tcp 40129 nlockmgr
100021 4 tcp 40129 nlockmgr
NFS
root@UC404:/# exportfs -v
root@UC404:/# systemctl status nfs-server
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2024-08-02 03:07:56 EDT; 6 months 22 days ago
Process: 446 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 454 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 454 (code=exited, status=0/SUCCESS)
Aug 02 03:07:56 UC404 systemd[1]: Starting NFS server and services...
Aug 02 03:07:56 UC404 systemd[1]: Started NFS server and services.
root@UC404:/# cat /lib/systemd/system/nfs-server.service
[Unit]
Description=NFS server and services
DefaultDependencies=no
Requires=network.target proc-fs-nfsd.mount
Requires=nfs-mountd.service
Wants=rpcbind.socket
Wants=nfs-idmapd.service
After=local-fs.target
After=network.target proc-fs-nfsd.mount rpcbind.socket nfs-mountd.service
After=nfs-idmapd.service rpc-statd.service
Before=rpc-statd-notify.service
# GSS services dependencies and ordering
Wants=auth-rpcgss-module.service
After=rpc-gssd.service gssproxy.service rpc-svcgssd.service
# start/stop server before/after client
Before=remote-fs-pre.target
Wants=nfs-config.service
After=nfs-config.service
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/sbin/exportfs -r
ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS
ExecStop=/usr/sbin/rpc.nfsd 0
ExecStopPost=/usr/sbin/exportfs -au
ExecStopPost=/usr/sbin/exportfs -f
ExecReload=/usr/sbin/exportfs -r
[Install]
WantedBy=multi-user.target
root@UC404:/# cat /run/sysconfig/nfs-utils
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids"
STATDARGS=""
RPCSVCGSSDARGS=""
root@UC404:/# systemctl status nfs-config.service
● nfs-config.service - Preprocess NFS configuration
Loaded: loaded (/lib/systemd/system/nfs-config.service; static; vendor preset: enabled)
Active: inactive (dead) since Fri 2024-08-02 03:07:55 EDT; 6 months 22 days ago
Process: 288 ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh (code=exited, status=0/SUCCESS)
Main PID: 288 (code=exited, status=0/SUCCESS)
root@UC404:/# cat /lib/systemd/system/nfs-config.service
[Unit]
Description=Preprocess NFS configuration
After=local-fs.target
DefaultDependencies=no
[Service]
Type=oneshot
# This service needs to run any time any nfs service
# is started, so changes to local config files get
# incorporated. Having "RemainAfterExit=no" (the default)
# ensures this happens.
RemainAfterExit=no
ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
root@UC404:/# cat /usr/lib/systemd/scripts/nfs-utils_env.sh | grep -v '^#'
# Captured with "grep -v '^#'", so the distribution's shebang and original comments are absent here.
# What the visible lines do: generate /run/sysconfig/nfs-utils, the file that
# nfs-server.service reads through EnvironmentFile= before starting rpc.nfsd.
# Assigned but not referenced in any of the visible (comment-stripped) lines.
nfs_config=/etc/sysconfig/nfs
# Source the /etc/default/* files when readable. Sourcing executes them in this
# script's context (presumably root, as it runs from the nfs-config unit), so the
# permissions on those two files are the integrity control for every value below.
[ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
[ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server
mkdir -p /run/sysconfig
# Emit the daemon argument strings. The expansions are unquoted, so a value containing
# extra whitespace or glob characters is word-split / globbed before echo writes it.
# RPCNFSDCOUNT falls back to 8 when unset or empty, which is why RPCNFSDARGS=" 8"
# appears on the target when RPCNFSDOPTS is empty.
{
echo PIPEFS_MOUNTPOINT=/run/rpc_pipefs
echo RPCNFSDARGS=\"$RPCNFSDOPTS ${RPCNFSDCOUNT:-8}\"
echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\"
echo STATDARGS=\"$STATDOPTS\"
echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\"
} > /run/sysconfig/nfs-utils