▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      ▄▄▄▄    ▄▄▄▄▄▄▄        ▄▄▄▄▄
                  ▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄       ▄▄▄▄
               ▄▄▄▄  ▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄      ▄▄▄▄▄       ▄▄▄▄
            ▄▄▄   ▄▄▄▄▄▄▄▄         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄
         ▄▄▄    ▄▄▄             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄      
               ▄▄▄             ▄     ▄▄            ▄▄▄▄▄▄▄▄▄
              ▄▄               ▄     ▄                  ▄▄ ▄
            ▄▄▄                 ▄▄▄▄▄▄▄                  ▄▄ 
           ▄▄  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                ▄▄ 
          ▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄        ▄▄
         ▄▄                                      ▄▄▄▄▄▄▄  ▄ 
                    ▄▄▄▄▄                 ▄▄▄▄▄▄       ▄▄▄▄▄
                   ▄▄▄▄▄▄                  ▄▄▄▄▄           
         ▄▄         ▄▄         ▄▄▄▄▄▄         ▄▄          ▄
          ▄▄          ▄▄▄▄▄     ▄▄▄▄      ▄▄▄▄▄        ▄ ▄▄
           ▄▄        ▄▄  ▄                ▄   ▄         ▄▄
             ▄▄                                       ▄▄▄▄
              ▄▄▄                                    ▄ ▄▄
         ▄▄     ▄▄▄▄                              ▄▄▄▄▄▄▄▄▄▄
           ▀▄      ▄▄▄▄▄                    ▄▄▄▄▄▄▄         
              ▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄       ▄▄▄▄▄▄
                ▀▄▄            ▄▄▄▄▄▄▄▄         ▄▄▄▀▀▀
                   ▀▀▄▄▄▄                ▄▄▄▄▄▀▀
                        ▀▀▀▀▀▄▄▄▄▄▄▄▄▄▀▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------| 
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @carlospolopm                           |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          macpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting macpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 5.4.0-132-generic (buildd@lcy02-amd64-059) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022
User & Groups: uid=1000(diego) gid=1000(diego) groups=1000(diego)
Hostname: forgot
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (macpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (macpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (macpeas can discover hosts and scan ports, learn more with -h)



Caching directories DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-132-generic (buildd@lcy02-amd64-059) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.5 LTS
Release:	20.04
Codename:	focal
system_profiler Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560

Potentially Vulnerable to CVE-2022-2588



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin

╔══════════╣ Date & uptime
Fri Feb 10 19:53:00 UTC 2023
 19:53:00 up 42 min,  0 users,  load average: 0.77, 0.52, 0.48

╔══════════╣ System stats
Filesystem      Size  Used Avail Use% Mounted on
udev            1.9G     0  1.9G   0% /dev
tmpfs           394M  1.1M  393M   1% /run
/dev/sda1       8.8G  6.2G  2.5G  72% /
tmpfs           2.0G     0  2.0G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           2.0G     0  2.0G   0% /sys/fs/cgroup
tmpfs           394M     0  394M   0% /run/user/1000
              total        used        free      shared  buff/cache   available
Mem:        4026088      597140     2053364        1092     1375584     3132692
Swap:       1026044           0     1026044

╔══════════╣ CPU info
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   43 bits physical, 48 bits virtual
CPU(s):                          2
On-line CPU(s) list:             0,1
Thread(s) per core:              1
Core(s) per socket:              1
Socket(s):                       2
NUMA node(s):                    1
Vendor ID:                       AuthenticAMD
CPU family:                      23
Model:                           49
Model name:                      AMD EPYC 7302P 16-Core Processor
Stepping:                        0
CPU MHz:                         2994.375
BogoMIPS:                        5988.75
Hypervisor vendor:               VMware
Virtualization type:             full
L1d cache:                       64 KiB
L1i cache:                       64 KiB
L2 cache:                        1 MiB
L3 cache:                        256 MiB
NUMA node0 CPU(s):               0,1
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Mmio stale data:   Not affected
Vulnerability Retbleed:          Vulnerable
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Retpolines, IBPB conditional, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-uuid/0e6aec1f-7be8-49b9-8e43-d83828f4d864 / ext4 defaults 0 0
/dev/sda2	none	swap	sw	0	0

╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTSIZE=0
PWD=/home/diego
HOME=/home/diego
LANG=C
HISTFILE=/dev/null
USER=diego
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
HISTFILESIZE=0
_=/usr/bin/env

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Kernel Extensions not belonging to apple
╔══════════╣ Unsigned Kernel Extensions
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Gatekeeper enabled? .......... sestatus Not Found
═╣ sleepimage encrypted? ........ ═╣ XProtect? .................... No
═╣ SIP enabled? ................. ═╣ Connected to JAMF? ........... jamf Not Found
═╣ Connected to AD? ............. No
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root           1  0.0  0.2 104352 11260 ?        Ss   19:10   0:01 /sbin/init maybe-ubiquity
root         469  2.8  4.8 308088 193584 ?       R<sl 19:10   1:13 /lib/systemd/systemd-journald
root         502  0.0  0.1  22592  6008 ?        Ss   19:10   0:00 /lib/systemd/systemd-udevd
root         651  0.0  0.4 280136 17948 ?        SLsl 19:10   0:00 /sbin/multipathd -d -s
root         685  0.5  0.0  11356  1688 ?        S<sl 19:10   0:13 /sbin/auditd
systemd+     688  0.0  0.1  90876  6072 ?        Ssl  19:10   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         705  0.0  0.2  47540 10708 ?        Ss   19:10   0:00 /usr/bin/VGAuthService
root         726  0.1  0.2 311508  8412 ?        Ssl  19:10   0:03 /usr/bin/vmtoolsd
root         729  0.0  0.1  99896  6120 ?        Ssl  19:10   0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root         775  0.0  0.1 235560  7116 ?        Ssl  19:10   0:02 /usr/lib/accountsservice/accounts-daemon
message+     776  0.0  0.1   7596  4728 ?        Ss   19:10   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         786  0.0  0.0  81956  3828 ?        Ssl  19:10   0:00 /usr/sbin/irqbalance --foreground
root         789  0.0  0.1 232712  6820 ?        Ssl  19:10   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       790  0.4  0.1 224344  5680 ?        Ssl  19:10   0:11 /usr/sbin/rsyslogd -n -iNONE
root         798  0.0  0.9 801140 36376 ?        Ssl  19:10   0:00 /usr/lib/snapd/snapd
root         799  0.0  0.1  17344  7728 ?        Ss   19:10   0:00 /lib/systemd/systemd-logind
root         800  0.0  0.2 393056 11868 ?        Ssl  19:10   0:00 /usr/lib/udisks2/udisksd
vcache       801  0.0  0.1  18932  5536 ?        SLs  19:10   0:00 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
vcache       944  2.8  2.2 267592 92156 ?        SLl  19:10   1:14  _ /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
root         843  0.0  0.2 315088 11276 ?        Ssl  19:10   0:00 /usr/sbin/ModemManager
varnish+    1069  1.1  2.0  86552 80960 ?        Ss   19:10   0:29 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log -D -P /run/varnishncsa/varnishncsa.pid
systemd+    1184  0.0  0.3  24568 13196 ?        Ss   19:10   0:00 /lib/systemd/systemd-resolved
root        1228  0.0  0.0   6816  2884 ?        Ss   19:10   0:00 /usr/sbin/cron -f
daemon      1231  0.0  0.0   3796  2160 ?        Ss   19:10   0:00 /usr/sbin/atd -f
diego      65473  0.0  0.1  13928  5896 ?        S    19:42   0:00      _ sshd: diego@notty
diego      65506  0.0  0.0   6972  3628 ?        Ss   19:42   0:00          _ -bash
diego      66447  0.0  0.0   2008  1912 ?        Sl   19:42   0:00              _ /tmp/hFwWS
diego      70897  0.0  0.0   2608   600 ?        S    19:44   0:00                  _ /bin/sh
diego      71572  0.2  0.1   6780  5900 ?        S    19:44   0:01                  |   _ bash /tmp/linpeas.sh
diego      89973  0.0  0.0   2940   776 ?        S    19:47   0:00                  |   |   _ aureport --tty
diego      89974  0.0  0.0   3304   660 ?        S    19:47   0:00                  |   |   _ grep -E su |sudo
diego      71573  0.0  0.0   2516   580 ?        S    19:44   0:00                  |   _ tee peas.log
diego      97702  0.0  0.0   2608   596 ?        S    19:52   0:00                  _ /bin/sh
diego      99219  0.8  0.1   6108  5224 ?        S    19:52   0:00                      _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego     105791  0.0  0.0   6108  3732 ?        S    19:53   0:00                      |   _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego     105795  0.0  0.0   6216  3336 ?        R    19:53   0:00                      |   |   _ ps fauxwww
diego     105794  0.0  0.0   6108  2368 ?        S    19:53   0:00                      |   _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego      99220  0.0  0.0   2516   580 ?        S    19:52   0:00                      _ tee peas.log
root        1249  0.0  0.0   5828  1840 tty1     Ss+  19:10   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
mysql       1263  1.0 10.1 1800764 408508 ?      Ssl  19:10   0:26 /usr/sbin/mysqld
diego      38095 11.4  1.1 356056 46952 ?        Ssl  19:30   2:37 /usr/bin/python3 /home/diego/app/app.py
diego      65333  0.0  0.2  19012  9596 ?        Ss   19:42   0:00 /lib/systemd/systemd --user
diego      65334  0.0  0.0 103756  3316 ?        S    19:42   0:00  _ (sd-pam)
diego      80746  0.0  0.0  81196  3488 ?        SLs  19:45   0:00  _ /usr/bin/gpg-agent --supervised
diego      96180  0.5  0.1   6108  5240 ?        S    19:52   0:00 bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego     105601  1.0  0.0   6108  3988 ?        S    19:53   0:00  _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego     105763  0.0  0.0   6108  3800 ?        S    19:53   0:00      _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego     105764  0.0  0.2  21808 10964 ?        S    19:53   0:00          _ curl -v --unix-socket /run/systemd/userdb/io.systemd.DynamicUser --max-time 1 http:/linpeas
diego     105765  0.0  0.0   3304   656 ?        S    19:53   0:00          _ grep -i Permission denied

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND      PID    TID TASKCMD               USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
 * * * * * /home/diego/bot.py
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  191 Apr 23  2020 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 Apr  2  2020 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Jul 22  2022 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Jul 22  2022 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  403 Apr 25  2022 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
 * * * * * /home/diego/bot.py

╔══════════╣ Third party LaunchAgents & LaunchDemons
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd

╔══════════╣ Writable System LaunchAgents & LaunchDemons

╔══════════╣ StartupItems
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items

╔══════════╣ Login Items
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items

╔══════════╣ SPStartupItemDataType

╔══════════╣ Emond scripts
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond

╔══════════╣ Services
╚ Search for outdated versions
 [ + ]  alsa-utils
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  auditd
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ - ]  grub-common
 [ - ]  hwclock.sh
 [ + ]  irqbalance
 [ - ]  iscsid
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ - ]  lvm2
 [ - ]  lvm2-lvmpolld
 [ + ]  multipath-tools
 [ + ]  mysql
 [ + ]  networking
 [ - ]  open-iscsi
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ - ]  screen-cleanup
 [ + ]  ssh
 [ + ]  udev
 [ + ]  uuidd
 [ + ]  varnish
 [ + ]  varnishncsa
 [ - ]  x11-common

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                        PASSED               UNIT                         ACTIVATES                     
Fri 2023-02-10 20:06:36 UTC 12min left    n/a                         n/a                  ua-timer.timer               ua-timer.service              
Fri 2023-02-10 21:03:07 UTC 1h 9min left  Thu 2022-11-17 16:11:06 UTC 2 months 24 days ago motd-news.timer              motd-news.service             
Sat 2023-02-11 00:00:00 UTC 4h 6min left  Fri 2023-02-10 19:10:23 UTC 43min ago            logrotate.timer              logrotate.service             
Sat 2023-02-11 00:00:00 UTC 4h 6min left  Fri 2023-02-10 19:10:23 UTC 43min ago            man-db.timer                 man-db.service                
Sat 2023-02-11 01:39:58 UTC 5h 46min left Mon 2022-11-14 14:17:24 UTC 2 months 27 days ago apt-daily.timer              apt-daily.service             
Sat 2023-02-11 02:52:38 UTC 6h left       Mon 2022-11-14 14:44:15 UTC 2 months 27 days ago fwupd-refresh.timer          fwupd-refresh.service         
Sat 2023-02-11 06:42:09 UTC 10h left      Fri 2023-02-10 19:15:48 UTC 38min ago            apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sat 2023-02-11 19:25:19 UTC 23h left      Fri 2023-02-10 19:25:19 UTC 28min ago            systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2023-02-12 03:10:31 UTC 1 day 7h left Fri 2023-02-10 19:11:18 UTC 42min ago            e2scrub_all.timer            e2scrub_all.service           
Mon 2023-02-13 00:00:00 UTC 2 days left   Fri 2023-02-10 19:10:23 UTC 43min ago            fstrim.timer                 fstrim.service                
n/a                         n/a           n/a                         n/a                  snapd.snap-repair.timer      snapd.snap-repair.service     

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
  └─( - Can Connect)
/run/dbus/system_bus_socket
  └─(Read Write - Can Connect)
/run/irqbalance//irqbalance786.sock
  └─(Read  - Cannot Connect)
/run/irqbalance/irqbalance786.sock
  └─(Read  - Cannot Connect)
/run/lvm/lvmpolld.socket
  └─( - Cannot Connect)
/run/mysqld/mysqld.sock
  └─(Read Write - Can Connect)
/run/mysqld/mysqlx.sock
  └─(Read Write - Can Connect)
/run/snapd-snap.socket
  └─(Read Write - Can Connect)
/run/snapd.socket
  └─(Read Write - Can Connect)
/run/systemd/journal/dev-log
  └─(Read Write - Can Connect)
/run/systemd/journal/io.systemd.journal
  └─( - Cannot Connect)
/run/systemd/journal/socket
  └─(Read Write - Can Connect)
/run/systemd/journal/stdout
  └─(Read Write - Can Connect)
/run/systemd/journal/syslog
  └─(Read Write - Can Connect)
/run/systemd/notify
  └─(Read Write - Can Connect)
/run/systemd/private
  └─(Read Write - Can Connect)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write - Can Connect)
/run/udev/control
  └─( - Cannot Connect)
/run/user/1000/bus
  └─(Read Write - Can Connect)
/run/user/1000/gnupg/S.dirmngr
  └─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent
  └─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.browser
  └─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.extra
  └─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.ssh
  └─(Read Write - Can Connect)
/run/user/1000/pk-debconf-socket
  └─(Read Write - Can Connect)
/run/user/1000/snapd-session-agent.socket
  └─(Read Write - Can Connect)
/run/user/1000/systemd/notify
  └─(Read Write - Can Connect)
/run/user/1000/systemd/private
  └─(Read Write - Can Connect)
/run/uuidd/request
  └─(Read Write - Can Connect)
/run/vmware/guestServicePipe
  └─(Read Write - Can Connect)
/var/run/mysqld/mysqld.sock
  └─(Read Write - Can Connect)
/var/run/mysqld/mysqlx.sock
  └─(Read Write - Can Connect)
/var/run/vmware/guestServicePipe
  └─(Read Write - Can Connect)
/var/snap/lxd/common/lxd-user/unix.socket
  └─( - Cannot Connect)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                             PID PROCESS         USER             CONNECTION    UNIT                      SESSION DESCRIPTION
:1.1                             688 systemd-timesyn systemd-timesync :1.1          systemd-timesyncd.service -       -
:1.10                           1184 systemd-resolve systemd-resolve  :1.10         systemd-resolved.service  -       -
:1.14                          65333 systemd         diego            :1.14         user@1000.service         -       -
:1.2                             775 accounts-daemon root             :1.2          accounts-daemon.service   -       -
:1.256                        110232 busctl          diego            :1.256        session-45.scope          45      -
:1.3                             789 polkitd         root             :1.3          polkit.service            -       -
:1.4                             800 udisksd         root             :1.4          udisks2.service           -       -
:1.5                               1 systemd         root             :1.5          init.scope                -       -
:1.6                             799 systemd-logind  root             :1.6          systemd-logind.service    -       -
:1.7                             843 ModemManager    root             :1.7          ModemManager.service      -       -
:1.8                             798 snapd           root             :1.8          snapd.service             -       -
com.ubuntu.LanguageSelector        - -               -                (activatable) -                         -       -
com.ubuntu.SoftwareProperties      - -               -                (activatable) -                         -       -
org.freedesktop.Accounts         775 accounts-daemon root             :1.2          accounts-daemon.service   -       -
org.freedesktop.DBus               1 systemd         root             -             init.scope                -       -
org.freedesktop.ModemManager1    843 ModemManager    root             :1.7          ModemManager.service      -       -
org.freedesktop.PackageKit         - -               -                (activatable) -                         -       -
org.freedesktop.PolicyKit1       789 polkitd         root             :1.3          polkit.service            -       -
org.freedesktop.UDisks2          800 udisksd         root             :1.4          udisks2.service           -       -
org.freedesktop.UPower             - -               -                (activatable) -                         -       -
org.freedesktop.bolt               - -               -                (activatable) -                         -       -
org.freedesktop.fwupd              - -               -                (activatable) -                         -       -
org.freedesktop.hostname1          - -               -                (activatable) -                         -       -
org.freedesktop.locale1            - -               -                (activatable) -                         -       -
org.freedesktop.login1           799 systemd-logind  root             :1.6          systemd-logind.service    -       -
org.freedesktop.network1           - -               -                (activatable) -                         -       -
org.freedesktop.resolve1        1184 systemd-resolve systemd-resolve  :1.10         systemd-resolved.service  -       -
org.freedesktop.systemd1           1 systemd         root             :1.5          init.scope                -       -
org.freedesktop.thermald           - -               -                (activatable) -                         -       -
org.freedesktop.timedate1          - -               -                (activatable) -                         -       -
org.freedesktop.timesync1        688 systemd-timesyn systemd-timesync :1.1          systemd-timesyncd.service -       -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
forgot
127.0.0.1 localhost forgot.htb
127.0.0.1 forgot

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0 trust-ad

╔══════════╣ Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.188  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:58de  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:58de  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:58:de  txqueuelen 1000  (Ethernet)
        RX packets 83685  bytes 22934800 (22.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 83741  bytes 48288682 (48.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 965750  bytes 108402164 (108.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 965750  bytes 108402164 (108.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Networks and neighbours
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.10.2      0.0.0.0         UG    0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.254.0   U     0      0        0 eth0
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.11.49                      (incomplete)                              eth0
10.10.11.126                     (incomplete)                              eth0
10.10.11.167                     (incomplete)                              eth0
10.10.11.236                     (incomplete)                              eth0
10.10.11.85                      (incomplete)                              eth0
10.10.11.146                     (incomplete)                              eth0
10.10.11.219                     (incomplete)                              eth0
10.10.11.0                       (incomplete)                              eth0
10.10.11.73                      (incomplete)                              eth0
10.10.11.182                     (incomplete)                              eth0
10.10.11.36                      (incomplete)                              eth0
10.10.11.109                     (incomplete)                              eth0
10.10.11.170                     (incomplete)                              eth0

╔══════════╣ Firewall status
system_profiler Not Found
╔══════════╣ Iptables rules
iptables rules Not Found

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      38095/python3       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Hardware Ports

╔══════════╣ VLANs

╔══════════╣ Wifi Info

╔══════════╣ Check Enabled Proxies

╔══════════╣ Wifi Proxy URL

╔══════════╣ Wifi Web Proxy

╔══════════╣ Wifi FTP Proxy

╔══════════╣ Can I sniff with tcpdump?
No

╔══════════╣ Internet Access?
Ping is not available
DNS not available
Port 443 is not accessible
Port 80 is not accessible

╔══════════╣ Scanning local networks (using /24)
══╣ Discovering hosts in 10.10.11.188/24
Scanning top ports of 10.10.11.181

[+] Open port at: 10.10.11.181:135
[+] Open port at: 10.10.11.181:139
[+] Open port at: 10.10.11.181:3268
[+] Open port at: 10.10.11.181:3269
[+] Open port at: 10.10.11.181:389
[+] Open port at: 10.10.11.181:445
[+] Open port at: 10.10.11.181:464
[+] Open port at: 10.10.11.181:53
[+] Open port at: 10.10.11.181:593
[+] Open port at: 10.10.11.181:636
[+] Open port at: 10.10.11.181:80
[+] Open port at: 10.10.11.181:88

Scanning top ports of 10.10.11.186

[+] Open port at: 10.10.11.186:21
[+] Open port at: 10.10.11.186:22
[+] Open port at: 10.10.11.186:80

Scanning top ports of 10.10.11.188 (local)

[+] Open port at: 10.10.11.188:22
[+] Open port at: 10.10.11.188:80

Scanning top ports of 10.10.11.195

[+] Open port at: 10.10.11.195:22
[+] Open port at: 10.10.11.195:443
[+] Open port at: 10.10.11.195:80

Scanning top ports of 10.10.11.196

[+] Open port at: 10.10.11.196:22
[+] Open port at: 10.10.11.196:80

Scanning top ports of 10.10.11.197

[+] Open port at: 10.10.11.197:22
[+] Open port at: 10.10.11.197:80


══╣ Scanning top ports of host.docker.internal



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1000(diego) gid=1000(diego) groups=1000(diego)

╔══════════╣ Current user Login and Logout hooks

╔══════════╣ All Login and Logout hooks

╔══════════╣ Keychains
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker

╔══════════╣ SystemKey

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for diego on forgot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User diego may run the following commands on forgot:
    (ALL) NOPASSWD: /opt/security/ml_security.py
Matching Defaults entries for diego on forgot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User diego may run the following commands on forgot:
    (ALL) NOPASSWD: /opt/security/ml_security.py

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console

╔══════════╣ All users & groups

╔══════════╣ Login now
 19:56:56 up 46 min,  0 users,  load average: 26.82, 11.33, 4.59
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
reboot   system boot  Fri Feb 10 19:10:18 2023   still running                         0.0.0.0
diego    pts/0        Fri Nov 18 10:51:30 2022 - Fri Nov 18 10:52:36 2022  (00:01)     10.10.14.40
reboot   system boot  Fri Nov 18 10:50:46 2022 - Fri Nov 18 10:52:38 2022  (00:01)     0.0.0.0

wtmp begins Fri Nov 18 10:50:46 2022

╔══════════╣ Last time logon each user
Username         Port     From             Latest
diego            pts/0    10.10.14.40      Fri Nov 18 10:51:30 +0000 2022

╔══════════╣ Password policy
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
ENCRYPT_METHOD SHA512

╔══════════╣ Relevant last user info and user configs

╔══════════╣ Guest user status

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  g++                                   4:9.3.0-1ubuntu2                  amd64        GNU C++ compiler
ii  g++-9                                 9.4.0-1ubuntu1~20.04.1            amd64        GNU C++ compiler
ii  gcc                                   4:9.3.0-1ubuntu2                  amd64        GNU C compiler
ii  gcc-9                                 9.4.0-1ubuntu1~20.04.1            amd64        GNU C compiler
/usr/bin/gcc
/usr/bin/g++

╔══════════╣ Writable Installed Applications
╔══════════╣ MySQL version
mysql  Ver 8.0.31-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No

╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user		= mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

╔══════════╣ Analyzing MariaDB Files (limit 70)

-rw------- 1 root root 317 Nov  3 12:43 /etc/mysql/debian.cnf

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Aug 16 18:48 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
	comment = public archive
	path = /var/www/pub
	use chroot = yes
	lock file = /var/lock/rsyncd
	read only = yes
	list = yes
	uid = nobody
	gid = nogroup
	strict modes = yes
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = no
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Nov  7 11:36 /etc/ldap


╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
99219PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov  7 11:37 /etc/pam.d
-rw-r--r-- 1 root root 2133 Feb 26  2020 /etc/pam.d/sshd




╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 3.0a


/tmp/tmux-1000
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov  8 11:23 /usr/share/keyrings




╔══════════╣ Analyzing Filezilla Files (limit 70)

-rw-r--r-- 1 root root 2928 Mar 22  2020 /usr/share/bleachbit/cleaners/filezilla.xml


╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 2796 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 diego diego 1200 Feb 10 19:45 /home/diego/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 3267 Jul  4  2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2247 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Oct 25 16:46 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Feb  2  2022 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13  2020 /usr/share/popularity-contest/debian-popcon.gpg

drwx------ 4 diego diego 4096 Feb 10 19:56 /home/diego/.gnupg


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb  2  2020 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind



╔══════════╣ Analyzing Windows Files (limit 70)






















lrwxrwxrwx 1 root root 20 Nov  3 12:43 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Nov  3 12:42 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Nov  3 12:43 /var/lib/dpkg/alternatives/my.cnf



























╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25  2020 /etc/skel/.bashrc
-rw-r--r-- 1 diego diego 3771 Jun 28  2022 /home/diego/.bashrc





-rw-r--r-- 1 root root 807 Feb 25  2020 /etc/skel/.profile
-rw-r--r-- 1 diego diego 807 Jun 28  2022 /home/diego/.profile






                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-- 1 root messagebus 51K Oct 25 13:09 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 144K Oct 17 16:25 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 23K Feb 21  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 30  2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 55K Feb  7  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 87K Mar 14  2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Feb  7  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 67K Mar 14  2022 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 52K Mar 14  2022 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 84K Mar 14  2022 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 14  2022 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb  7  2022 /usr/bin/su

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root tty 35K Feb  7  2022 /usr/bin/wall
-rwxr-sr-x 1 root ssh 343K Mar 30  2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Mar 14  2022 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 83K Mar 14  2022 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3461 Jun 21  2022 sbin.dhclient
-rw-r--r-- 1 root root  9793 Oct 25 20:07 usr.bin.firefox
-rw-r--r-- 1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r-- 1 root root 28376 Oct 17 16:25 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  2006 Oct 19 11:35 usr.sbin.mysqld
-rw-r--r-- 1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1385 Dec  7  2019 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-14+17:00:34.8890621780 /usr/local/sbin/laurel
2022-11-14+15:45:18.6905743680 /home/diego/bot.py
2022-11-14+15:32:32.4705947200 /opt/security/ml_security.py
2022-11-04+11:20:56.2201051380 /usr/local/bin/cmark
2022-11-04+11:20:56.1678832020 /usr/local/bin/pygmentize
2022-07-09+13:47:32.8162692890 /usr/local/bin/nltk
2022-07-09+13:47:31.5122698240 /usr/local/bin/tqdm
2022-07-09+13:47:25.2282723810 /usr/local/bin/f2py3.8
2022-07-09+13:47:25.2282723810 /usr/local/bin/f2py3
2022-07-09+13:47:25.2242723820 /usr/local/bin/f2py
2022-07-09+13:29:33.8846898820 /usr/local/bin/toco_from_protos
2022-07-09+13:29:33.8846898820 /usr/local/bin/toco
2022-07-09+13:29:33.8846898820 /usr/local/bin/tflite_convert
2022-07-09+13:29:33.8846898820 /usr/local/bin/tf_upgrade_v2
2022-07-09+13:29:33.8846898820 /usr/local/bin/tensorboard
2022-07-09+13:29:33.8846898820 /usr/local/bin/saved_model_cli
2022-07-09+13:29:33.8846898820 /usr/local/bin/import_pb_to_tensorboard
2022-07-09+13:29:33.8846898820 /usr/local/bin/estimator_ckpt_converter
2022-07-09+13:16:00.1010646620 /usr/local/bin/markdown_py
2022-07-09+13:16:00.0250644650 /usr/local/bin/wheel
2022-07-09+13:15:59.9890643700 /usr/local/bin/google-oauthlib-tool
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-verify
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-sign
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-priv2pub
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-keygen
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-encrypt
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-decrypt
2022-06-24+12:36:03.0241953670 /usr/local/bin/flask
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_terminal.sh
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_keyboard.sh
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_font.sh
2020-05-07+12:38:26.8879969470 /etc/network/if-up.d/mtuipv6
2020-05-07+12:38:26.8879969470 /etc/network/if-pre-up.d/mtuipv6

╔══════════╣ Unsigned Applications
╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x  3 root root 4096 Jul 22  2022 .
drwxr-xr-x 20 root root 4096 Nov  7 12:13 ..
drwxr-xr-x  3 root root 4096 Nov 14 15:32 security

╔══════════╣ Unexpected in root
/snap
/boot
/tmp
/cdrom
/lost+found
/mnt
/media
/lib32
/sys
/lib64
/proc
/libx32
/root
/etc
/var
/lib
/run
/srv

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/diego/app/app.py
/home/diego/bot.py
/root/

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/diego
/home/diego/app
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/diego/app/flask_session/c422b74f2fe2d270539eee0d1bebf5bc
/home/diego/app/flask_session/2029240f6d1128be89ddc32729463129
/home/diego/app/flask_session/02b67f99d0d47f7295c63e9208f57f66
/home/diego/app/flask_session/93fe96458920e46ccdd62caa9903114e
/home/diego/app/flask_session/5960a0811e9503d8ee4cebfdbdd5ca40
/home/diego/app/flask_session/cf8080fb6cc5cc1ab94c543db9a97a6b
/home/diego/peas.log
/home/diego/.gnupg/crls.d/DIR.txt
/var/log/syslog
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000@b8dee92a64b443179990842dacf3d889-000000000010720f-0005f45dd9c301e0.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000@b8dee92a64b443179990842dacf3d889-00000000000e9045-0005f45dc1c7bb87.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system@c7d1ee69c5ab40d48bd0b9a36509ccac-00000000000e7637-0005f45dc1b7b0c7.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system@c7d1ee69c5ab40d48bd0b9a36509ccac-0000000000106d01-0005f45dd9b76fb4.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal
/var/log/auth.log

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes
Writable: /home/diego/peas.log

╔══════════╣ Files inside /home/diego (limit 20)
total 968
drwxr-xr-x 9 diego diego   4096 Feb 10 19:45 .
drwxr-xr-x 3 root  root    4096 Jun 28  2022 ..
lrwxrwxrwx 1 diego diego      9 Jun 28  2022 .bash_history -> /dev/null
-rw-r--r-- 1 diego diego    220 Jun 28  2022 .bash_logout
-rw-r--r-- 1 diego diego   3771 Jun 28  2022 .bashrc
drwxrwxr-x 5 diego diego   4096 Jun 28  2022 .cache
drwx------ 4 diego diego   4096 Feb 10 19:56 .gnupg
drwxrwxr-x 2 diego diego   4096 Nov 14 12:58 .keras
drwxrwxr-x 4 diego diego   4096 Jun 28  2022 .local
drwx------ 3 diego diego   4096 Jun 28  2022 .mozilla
-rw-r--r-- 1 diego diego    807 Jun 28  2022 .profile
drwxrw-r-- 5 diego diego   4096 Nov 16 15:04 app
-rwxr-xr-x 1 root  root     970 Nov 14 15:45 bot.py
-rw-rw-r-- 1 diego diego 828098 Feb 10 19:42 linpeas.sh
-rw-rw-r-- 1 diego diego  98956 Feb 10 19:57 peas.log
drwx------ 3 diego diego   4096 Nov  3 14:56 snap
-rw-r----- 1 diego diego     33 Feb 10 19:10 user.txt

╔══════════╣ Files inside others home (limit 20)

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root staff 1422 Jul  9  2022 /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/ext/filters/client_channel/backup_poller.h
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 11886 Nov  7 11:38 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 0 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237863 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-132/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 44048 Aug 16 13:23 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9833 Oct 17 15:19 /usr/lib/modules/5.4.0-132-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Oct 17 15:19 /usr/lib/modules/5.4.0-132-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 1802 Aug 15 20:07 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Nov  7 11:37 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 39448 Oct 19 11:35 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rw-r--r-- 1 root root 2743 Apr 23  2020 /etc/apt/sources.list.curtin.old

╔══════════╣ Reading messages database
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/snapd/errtracker.db: regular file, no read permission

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)

╔══════════╣ Downloaded Files
╔══════════╣ Web files?(output limit)

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root staff 29 Jul  9  2022 /usr/local/lib/python3.8/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
-rw-r--r-- 1 diego diego 220 Jun 28  2022 /home/diego/.bash_logout
-rw-r--r-- 1 root root 220 Feb 25  2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Apr 23  2020 /etc/.pwd.lock
-rw-r--r-- 1 landscape landscape 0 Apr 23  2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 0 Feb 10 19:10 /run/network/.ifstate.lock

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-rw-r-- 1 diego diego 828098 Feb 10 19:43 /tmp/linpeas.sh
-rw-r--r-- 1 root root 43086 Nov 17 16:27 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 3874 Jun 24  2022 /var/backups/apt.extended_states.6.gz
-rw-r--r-- 1 root root 159577 Jun 24  2022 /var/backups/dpkg.status.4.gz
-rw-r--r-- 1 root root 4330 Jun 28  2022 /var/backups/apt.extended_states.4.gz
-rw-r--r-- 1 root root 4554 Nov 17 16:01 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 143786 May  7  2020 /var/backups/dpkg.status.6.gz
-rw-r--r-- 1 root root 3890 Jun 24  2022 /var/backups/apt.extended_states.5.gz
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.4.gz
-rw-r--r-- 1 root root 702817 Jun 28  2022 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.5.gz
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.3.gz
-rw-r--r-- 1 root root 159577 Jun 24  2022 /var/backups/dpkg.status.3.gz
-rw-r--r-- 1 root root 159577 Jun 24  2022 /var/backups/dpkg.status.5.gz
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 159577 Jun 24  2022 /var/backups/dpkg.status.2.gz
-rw-r--r-- 1 root root 268 May  7  2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 51200 Jun 25  2022 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 4499 Nov  3 12:42 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 2190 May  8  2020 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.1.gz
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.6.gz
-rw-r--r-- 1 root root 4548 Nov  8 11:23 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 174382 Jun 28  2022 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 139 May  7  2020 /var/backups/dpkg.diversions.2.gz
-rw-r--r-- 1 root root 120 Apr 23  2020 /var/backups/dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 140 Jun 24  2022 /var/backups/dpkg.statoverride.0

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/diego
/run/lock
/run/screen
/run/user/1000
/run/user/1000/dbus-1
/run/user/1000/dbus-1/services
/run/user/1000/gnupg
/run/user/1000/inaccessible
/run/user/1000/systemd
/run/user/1000/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/usr/bin/geckodriver
/var/crash
/var/crash/_opt_security_ml_security.py.1000.crash
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group diego:
/tmp/linpeas.sh

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/_credentials_async.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/impersonated_credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/_credentials_async.py
/usr/local/lib/python3.8/dist-packages/google/auth/compute_engine/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/compute_engine/credentials.py
/usr/local/lib/python3.8/dist-packages/google/auth/credentials.py
/usr/local/lib/python3.8/dist-packages/google/auth/impersonated_credentials.py
/usr/local/lib/python3.8/dist-packages/google/oauth2/__pycache__/_credentials_async.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/oauth2/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/oauth2/_credentials_async.py
/usr/local/lib/python3.8/dist-packages/google/oauth2/credentials.py
/usr/local/lib/python3.8/dist-packages/grpc/_cython/_credentials
/usr/local/lib/python3.8/dist-packages/grpc/_cython/_credentials/roots.pem
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/caching_sha2_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/mysql_clear_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/mysql_native_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/sha256_password.cpython-38.pyc
  #)There are more creds/passwds files in the previous parent folder

/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/mysql_clear_password.py
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/mysql_native_password.py
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/sha256_password.py
  #)There are more creds/passwds files in the previous parent folder

/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpc++/security/server_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/credentials_impl.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/server_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/server_credentials_impl.h
  #)There are more creds/passwds files in the previous parent folder

/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/alts/alts_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/composite/composite_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/fake/fake_credentials.h

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs