simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8e3b1d93f994b9eb4ccd53fb185da60c67def4ee
CTF/HTB/forgot/peas.log
Simon 82b0759f1e init htb 
old htb folders
2023-08-29 21:53:22 +02:00

1521 lines
111 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄
▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄
▄▄▄ ▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄ 
 ▄▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄
 ▄▄ ▄ ▄ ▄▄ ▄
 ▄▄▄ ▄▄▄▄▄▄▄ ▄▄ 
 ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ 
 ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄▄  ▄▄▄▄▄▄▄ ▄ 
    ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄
    ▄▄▄▄▄▄ ▄▄▄▄▄    
▄▄  ▄▄ ▄▄▄▄▄▄ ▄▄   ▄
 ▄▄ ▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
 ▄▄ ▄▄ ▄  ▄ ▄  ▄▄
 ▄▄ ▄▄▄▄
 ▄▄▄ ▄ ▄▄
▄▄ ▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄
▀▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ 
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▀▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▀▀▀
▀▀▄▄▄▄ ▄▄▄▄▄▀▀
▀▀▀▀▀▄▄▄▄▄▄▄▄▄▀▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli  |
|---------------------------------------------------------------------------------|
| Thank you!  |
\---------------------------------------------------------------------------------/
 macpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting macpeas. Caching Writable Folders...
 ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
 ╚═══════════════════╝
OS: Linux version 5.4.0-132-generic (buildd@lcy02-amd64-059) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022
User & Groups: uid=1000(diego) gid=1000(diego) groups=1000(diego)
Hostname: forgot
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (macpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (macpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (macpeas can discover hosts and scan ports, learn more with -h)

Caching directories DONE

 ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
 ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-132-generic (buildd@lcy02-amd64-059) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
system_profiler Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560
Potentially Vulnerable to CVE-2022-2588
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
╔══════════╣ Date & uptime
Fri Feb 10 19:53:00 UTC 2023
19:53:00 up 42 min, 0 users, load average: 0.77, 0.52, 0.48
╔══════════╣ System stats
Filesystem Size Used Avail Use% Mounted on
udev 1.9G 0 1.9G 0% /dev
tmpfs 394M 1.1M 393M 1% /run
/dev/sda1 8.8G 6.2G 2.5G 72% /
tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
tmpfs 394M 0 394M 0% /run/user/1000
total used free shared buff/cache available
Mem: 4026088 597140 2053364 1092 1375584 3132692
Swap: 1026044 0 1026044
╔══════════╣ CPU info
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 43 bits physical, 48 bits virtual
CPU(s): 2
On-line CPU(s) list: 0,1
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 2
NUMA node(s): 1
Vendor ID: AuthenticAMD
CPU family: 23
Model: 49
Model name: AMD EPYC 7302P 16-Core Processor
Stepping: 0
CPU MHz: 2994.375
BogoMIPS: 5988.75
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 64 KiB
L1i cache: 64 KiB
L2 cache: 1 MiB
L3 cache: 256 MiB
NUMA node0 CPU(s): 0,1
Vulnerability Itlb multihit: Not affected
Vulnerability L1tf: Not affected
Vulnerability Mds: Not affected
Vulnerability Meltdown: Not affected
Vulnerability Mmio stale data: Not affected
Vulnerability Retbleed: Vulnerable
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Retpolines, IBPB conditional, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Not affected
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-uuid/0e6aec1f-7be8-49b9-8e43-d83828f4d864 / ext4 defaults 0 0
/dev/sda2 none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTSIZE=0
PWD=/home/diego
HOME=/home/diego
LANG=C
HISTFILE=/dev/null
USER=diego
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
HISTFILESIZE=0
_=/usr/bin/env
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Kernel Extensions not belonging to apple
╔══════════╣ Unsigned Kernel Extensions
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Gatekeeper enabled? .......... sestatus Not Found
═╣ sleepimage encrypted? ........ ═╣ XProtect? .................... No
═╣ SIP enabled? ................. ═╣ Connected to JAMF? ........... jamf Not Found
═╣ Connected to AD? ............. No
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
 ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
 ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No

 ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
 ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No

 ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
 ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 0.2 104352 11260 ? Ss 19:10 0:01 /sbin/init maybe-ubiquity
root 469 2.8 4.8 308088 193584 ? R<sl 19:10 1:13 /lib/systemd/systemd-journald
root 502 0.0 0.1 22592 6008 ? Ss 19:10 0:00 /lib/systemd/systemd-udevd
root 651 0.0 0.4 280136 17948 ? SLsl 19:10 0:00 /sbin/multipathd -d -s
root 685 0.5 0.0 11356 1688 ? S<sl 19:10 0:13 /sbin/auditd
systemd+ 688 0.0 0.1 90876 6072 ? Ssl 19:10 0:00 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 705 0.0 0.2 47540 10708 ? Ss 19:10 0:00 /usr/bin/VGAuthService
root 726 0.1 0.2 311508 8412 ? Ssl 19:10 0:03 /usr/bin/vmtoolsd
root 729 0.0 0.1 99896 6120 ? Ssl 19:10 0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 775 0.0 0.1 235560 7116 ? Ssl 19:10 0:02 /usr/lib/accountsservice/accounts-daemon
message+ 776 0.0 0.1 7596 4728 ? Ss 19:10 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 786 0.0 0.0 81956 3828 ? Ssl 19:10 0:00 /usr/sbin/irqbalance --foreground
root 789 0.0 0.1 232712 6820 ? Ssl 19:10 0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog 790 0.4 0.1 224344 5680 ? Ssl 19:10 0:11 /usr/sbin/rsyslogd -n -iNONE
root 798 0.0 0.9 801140 36376 ? Ssl 19:10 0:00 /usr/lib/snapd/snapd
root 799 0.0 0.1 17344 7728 ? Ss 19:10 0:00 /lib/systemd/systemd-logind
root 800 0.0 0.2 393056 11868 ? Ssl 19:10 0:00 /usr/lib/udisks2/udisksd
vcache 801 0.0 0.1 18932 5536 ? SLs 19:10 0:00 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
vcache 944 2.8 2.2 267592 92156 ? SLl 19:10 1:14 _ /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
root 843 0.0 0.2 315088 11276 ? Ssl 19:10 0:00 /usr/sbin/ModemManager
varnish+ 1069 1.1 2.0 86552 80960 ? Ss 19:10 0:29 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log -D -P /run/varnishncsa/varnishncsa.pid
systemd+ 1184 0.0 0.3 24568 13196 ? Ss 19:10 0:00 /lib/systemd/systemd-resolved
root 1228 0.0 0.0 6816 2884 ? Ss 19:10 0:00 /usr/sbin/cron -f
daemon  1231 0.0 0.0 3796 2160 ? Ss 19:10 0:00 /usr/sbin/atd -f
diego 65473 0.0 0.1 13928 5896 ? S 19:42 0:00 _ sshd: diego@notty
diego 65506 0.0 0.0 6972 3628 ? Ss 19:42 0:00 _ -bash
diego 66447 0.0 0.0 2008 1912 ? Sl 19:42 0:00 _ /tmp/hFwWS
diego 70897 0.0 0.0 2608 600 ? S 19:44 0:00 _ /bin/sh
diego 71572 0.2 0.1 6780 5900 ? S 19:44 0:01 | _ bash /tmp/linpeas.sh
diego 89973 0.0 0.0 2940 776 ? S 19:47 0:00 | | _ aureport --tty
diego 89974 0.0 0.0 3304 660 ? S 19:47 0:00 | | _ grep -E su |sudo
diego 71573 0.0 0.0 2516 580 ? S 19:44 0:00 | _ tee peas.log
diego 97702 0.0 0.0 2608 596 ? S 19:52 0:00 _ /bin/sh
diego 99219 0.8 0.1 6108 5224 ? S 19:52 0:00 _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 105791 0.0 0.0 6108 3732 ? S 19:53 0:00 | _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 105795 0.0 0.0 6216 3336 ? R 19:53 0:00 | | _ ps fauxwww
diego 105794 0.0 0.0 6108 2368 ? S 19:53 0:00 | _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 99220 0.0 0.0 2516 580 ? S 19:52 0:00 _ tee peas.log
root 1249 0.0 0.0 5828 1840 tty1 Ss+ 19:10 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
mysql 1263 1.0 10.1 1800764 408508 ? Ssl 19:10 0:26 /usr/sbin/mysqld
diego 38095 11.4 1.1 356056 46952 ? Ssl 19:30 2:37 /usr/bin/python3 /home/diego/app/app.py
diego 65333 0.0 0.2 19012 9596 ? Ss 19:42 0:00 /lib/systemd/systemd --user
diego 65334 0.0 0.0 103756 3316 ? S 19:42 0:00 _ (sd-pam)
diego 80746 0.0 0.0 81196 3488 ? SLs 19:45 0:00 _ /usr/bin/gpg-agent --supervised
diego 96180 0.5 0.1 6108 5240 ? S 19:52 0:00 bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 105601 1.0 0.0 6108 3988 ? S 19:53 0:00 _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 105763 0.0 0.0 6108 3800 ? S 19:53 0:00 _ bash /tmp/linpeas.sh -t -e -L -M -P dCb#1!x0%gjq
diego 105764 0.0 0.2 21808 10964 ? S 19:53 0:00 _ curl -v --unix-socket /run/systemd/userdb/io.systemd.DynamicUser --max-time 1 http:/linpeas
diego 105765 0.0 0.0 3304 656 ? S 19:53 0:00 _ grep -i Permission denied
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
* * * * * /home/diego/bot.py
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  191 Apr 23  2020 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 Apr  2  2020 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Jul 22  2022 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Jul 22  2022 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Nov  7 11:37 .
drwxr-xr-x 108 root root 4096 Nov 17 16:11 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  403 Apr 25  2022 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * /home/diego/bot.py
╔══════════╣ Third party LaunchAgents & LaunchDemons
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd

╔══════════╣ Writable System LaunchAgents & LaunchDemons

╔══════════╣ StartupItems
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items

╔══════════╣ Login Items
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items

╔══════════╣ SPStartupItemDataType

╔══════════╣ Emond scripts
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond

╔══════════╣ Services
╚ Search for outdated versions
 [ + ] alsa-utils
[ + ] apparmor
[ + ] apport
[ + ] atd
[ + ] auditd
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ - ] grub-common
[ - ] hwclock.sh
[ + ] irqbalance
[ - ] iscsid
[ - ] keyboard-setup.sh
[ + ] kmod
[ - ] lvm2
[ - ] lvm2-lvmpolld
[ + ] multipath-tools
[ + ] mysql
[ + ] networking
[ - ] open-iscsi
[ + ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ - ] rsync
[ + ] rsyslog
[ - ] screen-cleanup
[ + ] ssh
[ + ] udev
[ + ] uuidd
[ + ] varnish
[ + ] varnishncsa
[ - ] x11-common
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2023-02-10 20:06:36 UTC 12min left n/a n/a ua-timer.timer ua-timer.service
Fri 2023-02-10 21:03:07 UTC 1h 9min left Thu 2022-11-17 16:11:06 UTC 2 months 24 days ago motd-news.timer motd-news.service
Sat 2023-02-11 00:00:00 UTC 4h 6min left Fri 2023-02-10 19:10:23 UTC 43min ago logrotate.timer logrotate.service
Sat 2023-02-11 00:00:00 UTC 4h 6min left Fri 2023-02-10 19:10:23 UTC 43min ago man-db.timer man-db.service
Sat 2023-02-11 01:39:58 UTC 5h 46min left Mon 2022-11-14 14:17:24 UTC 2 months 27 days ago apt-daily.timer apt-daily.service
Sat 2023-02-11 02:52:38 UTC 6h left Mon 2022-11-14 14:44:15 UTC 2 months 27 days ago fwupd-refresh.timer fwupd-refresh.service
Sat 2023-02-11 06:42:09 UTC 10h left Fri 2023-02-10 19:15:48 UTC 38min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sat 2023-02-11 19:25:19 UTC 23h left Fri 2023-02-10 19:25:19 UTC 28min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2023-02-12 03:10:31 UTC 1 day 7h left Fri 2023-02-10 19:11:18 UTC 42min ago e2scrub_all.timer e2scrub_all.service
Mon 2023-02-13 00:00:00 UTC 2 days left Fri 2023-02-10 19:10:23 UTC 43min ago fstrim.timer fstrim.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
└─( - Can Connect)
/run/dbus/system_bus_socket
└─(Read Write - Can Connect)
/run/irqbalance//irqbalance786.sock
└─(Read - Cannot Connect)
/run/irqbalance/irqbalance786.sock
└─(Read - Cannot Connect)
/run/lvm/lvmpolld.socket
└─( - Cannot Connect)
/run/mysqld/mysqld.sock
└─(Read Write - Can Connect)
/run/mysqld/mysqlx.sock
└─(Read Write - Can Connect)
/run/snapd-snap.socket
└─(Read Write - Can Connect)
/run/snapd.socket
└─(Read Write - Can Connect)
/run/systemd/journal/dev-log
└─(Read Write - Can Connect)
/run/systemd/journal/io.systemd.journal
└─( - Cannot Connect)
/run/systemd/journal/socket
└─(Read Write - Can Connect)
/run/systemd/journal/stdout
└─(Read Write - Can Connect)
/run/systemd/journal/syslog
└─(Read Write - Can Connect)
/run/systemd/notify
└─(Read Write - Can Connect)
/run/systemd/private
└─(Read Write - Can Connect)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write - Can Connect)
/run/udev/control
└─( - Cannot Connect)
/run/user/1000/bus
└─(Read Write - Can Connect)
/run/user/1000/gnupg/S.dirmngr
└─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent
└─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.browser
└─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.extra
└─(Read Write - Can Connect)
/run/user/1000/gnupg/S.gpg-agent.ssh
└─(Read Write - Can Connect)
/run/user/1000/pk-debconf-socket
└─(Read Write - Can Connect)
/run/user/1000/snapd-session-agent.socket
└─(Read Write - Can Connect)
/run/user/1000/systemd/notify
└─(Read Write - Can Connect)
/run/user/1000/systemd/private
└─(Read Write - Can Connect)
/run/uuidd/request
└─(Read Write - Can Connect)
/run/vmware/guestServicePipe
└─(Read Write - Can Connect)
/var/run/mysqld/mysqld.sock
└─(Read Write - Can Connect)
/var/run/mysqld/mysqlx.sock
└─(Read Write - Can Connect)
/var/run/vmware/guestServicePipe
└─(Read Write - Can Connect)
/var/snap/lxd/common/lxd-user/unix.socket
└─( - Cannot Connect)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.1 688 systemd-timesyn systemd-timesync :1.1 systemd-timesyncd.service - -
:1.10 1184 systemd-resolve systemd-resolve :1.10 systemd-resolved.service - -
:1.14 65333 systemd diego :1.14 user@1000.service - -
:1.2 775 accounts-daemon root :1.2 accounts-daemon.service - -
:1.256 110232 busctl diego :1.256 session-45.scope 45 -
:1.3 789 polkitd root :1.3 polkit.service - -
:1.4 800 udisksd root :1.4 udisks2.service - -
:1.5 1 systemd root :1.5 init.scope - -
:1.6 799 systemd-logind root :1.6 systemd-logind.service - -
:1.7 843 ModemManager root :1.7 ModemManager.service - -
:1.8 798 snapd root :1.8 snapd.service - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts 775 accounts-daemon root :1.2 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.ModemManager1 843 ModemManager root :1.7 ModemManager.service - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 789 polkitd root :1.3 polkit.service - -
org.freedesktop.UDisks2 800 udisksd root :1.4 udisks2.service - -
org.freedesktop.UPower - - - (activatable) - - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 799 systemd-logind root :1.6 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - - -
org.freedesktop.resolve1 1184 systemd-resolve systemd-resolve :1.10 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.5 init.scope - -
org.freedesktop.thermald - - - (activatable) - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 688 systemd-timesyn systemd-timesync :1.1 systemd-timesyncd.service - -
 ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
 ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
forgot
127.0.0.1 localhost forgot.htb
127.0.0.1 forgot
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0 trust-ad
╔══════════╣ Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.188 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:58de prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:58de prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:58:de txqueuelen 1000 (Ethernet)
RX packets 83685 bytes 22934800 (22.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83741 bytes 48288682 (48.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 965750 bytes 108402164 (108.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 965750 bytes 108402164 (108.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Networks and neighbours
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.10.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
Address HWtype HWaddress Flags Mask Iface
10.10.11.49 (incomplete) eth0
10.10.11.126 (incomplete) eth0
10.10.11.167 (incomplete) eth0
10.10.11.236 (incomplete) eth0
10.10.11.85 (incomplete) eth0
10.10.11.146 (incomplete) eth0
10.10.11.219 (incomplete) eth0
10.10.11.0 (incomplete) eth0
10.10.11.73 (incomplete) eth0
10.10.11.182 (incomplete) eth0
10.10.11.36 (incomplete) eth0
10.10.11.109 (incomplete) eth0
10.10.11.170 (incomplete) eth0
╔══════════╣ Firewall status
system_profiler Not Found
╔══════════╣ Iptables rules
iptables rules Not Found

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 38095/python3
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Hardware Ports

╔══════════╣ VLANs

╔══════════╣ Wifi Info

╔══════════╣ Check Enabled Proxies

╔══════════╣ Wifi Proxy URL

╔══════════╣ Wifi Web Proxy

╔══════════╣ Wifi FTP Proxy

╔══════════╣ Can I sniff with tcpdump?
No

╔══════════╣ Internet Access?
Ping is not available
DNS not available
Port 443 is not accessible
Port 80 is not accessible
╔══════════╣ Scanning local networks (using /24)
══╣ Discovering hosts in 10.10.11.188/24
Scanning top ports of 10.10.11.181
[+] Open port at: 10.10.11.181:135
[+] Open port at: 10.10.11.181:139
[+] Open port at: 10.10.11.181:3268
[+] Open port at: 10.10.11.181:3269
[+] Open port at: 10.10.11.181:389
[+] Open port at: 10.10.11.181:445
[+] Open port at: 10.10.11.181:464
[+] Open port at: 10.10.11.181:53
[+] Open port at: 10.10.11.181:593
[+] Open port at: 10.10.11.181:636
[+] Open port at: 10.10.11.181:80
[+] Open port at: 10.10.11.181:88
Scanning top ports of 10.10.11.186
[+] Open port at: 10.10.11.186:21
[+] Open port at: 10.10.11.186:22
[+] Open port at: 10.10.11.186:80
Scanning top ports of 10.10.11.188 (local)
[+] Open port at: 10.10.11.188:22
[+] Open port at: 10.10.11.188:80
Scanning top ports of 10.10.11.195
[+] Open port at: 10.10.11.195:22
[+] Open port at: 10.10.11.195:443
[+] Open port at: 10.10.11.195:80
Scanning top ports of 10.10.11.196
[+] Open port at: 10.10.11.196:22
[+] Open port at: 10.10.11.196:80
Scanning top ports of 10.10.11.197
[+] Open port at: 10.10.11.197:22
[+] Open port at: 10.10.11.197:80
══╣ Scanning top ports of host.docker.internal

 ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
 ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1000(diego) gid=1000(diego) groups=1000(diego)
╔══════════╣ Current user Login and Logout hooks

╔══════════╣ All Login and Logout hooks

╔══════════╣ Keychains
╚ https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker

╔══════════╣ SystemKey

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for diego on forgot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User diego may run the following commands on forgot:
(ALL) NOPASSWD: /opt/security/ml_security.py
Matching Defaults entries for diego on forgot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User diego may run the following commands on forgot:
(ALL) NOPASSWD: /opt/security/ml_security.py
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console

╔══════════╣ All users & groups

╔══════════╣ Login now
 19:56:56 up 46 min, 0 users, load average: 26.82, 11.33, 4.59
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
reboot system boot Fri Feb 10 19:10:18 2023 still running 0.0.0.0
diego pts/0 Fri Nov 18 10:51:30 2022 - Fri Nov 18 10:52:36 2022 (00:01) 10.10.14.40
reboot system boot Fri Nov 18 10:50:46 2022 - Fri Nov 18 10:52:38 2022 (00:01) 0.0.0.0
wtmp begins Fri Nov 18 10:50:46 2022
╔══════════╣ Last time logon each user
Username Port From Latest
diego pts/0 10.10.14.40 Fri Nov 18 10:51:30 +0000 2022
╔══════════╣ Password policy
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
╔══════════╣ Relevant last user info and user configs

╔══════════╣ Guest user status

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!


 ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
 ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler
ii g++-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C++ compiler
ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler
ii gcc-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C compiler
/usr/bin/gcc
/usr/bin/g++
╔══════════╣ Writable Installed Applications
╔══════════╣ MySQL version
mysql Ver 8.0.31-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No

╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
╔══════════╣ Analyzing MariaDB Files (limit 70)

-rw------- 1 root root 317 Nov 3 12:43 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Aug 16 18:48 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Nov 7 11:36 /etc/ldap
╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
99219PSTORAGE_CERTSBIN
══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 7 11:37 /etc/pam.d
-rw-r--r-- 1 root root 2133 Feb 26 2020 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 3.0a


/tmp/tmux-1000
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 8 11:23 /usr/share/keyrings
╔══════════╣ Analyzing Filezilla Files (limit 70)

-rw-r--r-- 1 root root 2928 Mar 22 2020 /usr/share/bleachbit/cleaners/filezilla.xml
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 diego diego 1200 Feb 10 19:45 /home/diego/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 3267 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2247 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Oct 25 16:46 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Feb 2 2022 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
drwx------ 4 diego diego 4096 Feb 10 19:56 /home/diego/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files (limit 70)

lrwxrwxrwx 1 root root 20 Nov 3 12:43 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Nov 3 12:42 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Nov 3 12:43 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 diego diego 3771 Jun 28 2022 /home/diego/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 diego diego 807 Jun 28 2022 /home/diego/.profile
 ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
 ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-- 1 root messagebus 51K Oct 25 13:09 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 144K Oct 17 16:25 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 30 2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 87K Mar 14 2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 67K Mar 14 2022 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 52K Mar 14 2022 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 84K Mar 14 2022 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 14 2022 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root tty 35K Feb 7 2022 /usr/bin/wall
-rwxr-sr-x 1 root ssh 343K Mar 30 2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Mar 14 2022 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 83K Mar 14 2022 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
 /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
 /etc/ld.so.conf.d/libc.conf
/usr/local/lib
 /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Parent Shell capabilities:
0x0000000000000000=
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3461 Jun 21 2022 sbin.dhclient
-rw-r--r-- 1 root root 9793 Oct 25 20:07 usr.bin.firefox
-rw-r--r-- 1 root root 3202 Feb 25 2020 usr.bin.man
-rw-r--r-- 1 root root 28376 Oct 17 16:25 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root 2006 Oct 19 11:35 usr.sbin.mysqld
-rw-r--r-- 1 root root 1575 Feb 11 2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1385 Dec 7 2019 usr.sbin.tcpdump
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-14+17:00:34.8890621780 /usr/local/sbin/laurel
2022-11-14+15:45:18.6905743680 /home/diego/bot.py
2022-11-14+15:32:32.4705947200 /opt/security/ml_security.py
2022-11-04+11:20:56.2201051380 /usr/local/bin/cmark
2022-11-04+11:20:56.1678832020 /usr/local/bin/pygmentize
2022-07-09+13:47:32.8162692890 /usr/local/bin/nltk
2022-07-09+13:47:31.5122698240 /usr/local/bin/tqdm
2022-07-09+13:47:25.2282723810 /usr/local/bin/f2py3.8
2022-07-09+13:47:25.2282723810 /usr/local/bin/f2py3
2022-07-09+13:47:25.2242723820 /usr/local/bin/f2py
2022-07-09+13:29:33.8846898820 /usr/local/bin/toco_from_protos
2022-07-09+13:29:33.8846898820 /usr/local/bin/toco
2022-07-09+13:29:33.8846898820 /usr/local/bin/tflite_convert
2022-07-09+13:29:33.8846898820 /usr/local/bin/tf_upgrade_v2
2022-07-09+13:29:33.8846898820 /usr/local/bin/tensorboard
2022-07-09+13:29:33.8846898820 /usr/local/bin/saved_model_cli
2022-07-09+13:29:33.8846898820 /usr/local/bin/import_pb_to_tensorboard
2022-07-09+13:29:33.8846898820 /usr/local/bin/estimator_ckpt_converter
2022-07-09+13:16:00.1010646620 /usr/local/bin/markdown_py
2022-07-09+13:16:00.0250644650 /usr/local/bin/wheel
2022-07-09+13:15:59.9890643700 /usr/local/bin/google-oauthlib-tool
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-verify
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-sign
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-priv2pub
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-keygen
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-encrypt
2022-07-09+13:15:59.8810640710 /usr/local/bin/pyrsa-decrypt
2022-06-24+12:36:03.0241953670 /usr/local/bin/flask
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_terminal.sh
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_keyboard.sh
2020-05-07+12:40:01.1333022800 /etc/console-setup/cached_setup_font.sh
2020-05-07+12:38:26.8879969470 /etc/network/if-up.d/mtuipv6
2020-05-07+12:38:26.8879969470 /etc/network/if-pre-up.d/mtuipv6
╔══════════╣ Unsigned Applications
╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x 3 root root 4096 Jul 22 2022 .
drwxr-xr-x 20 root root 4096 Nov 7 12:13 ..
drwxr-xr-x 3 root root 4096 Nov 14 15:32 security
╔══════════╣ Unexpected in root
/snap
/boot
/tmp
/cdrom
/lost+found
/mnt
/media
/lib32
/sys
/lib64
/proc
/libx32
/root
/etc
/var
/lib
/run
/srv
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/diego/app/app.py
/home/diego/bot.py
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/diego
/home/diego/app
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service
╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/diego/app/flask_session/c422b74f2fe2d270539eee0d1bebf5bc
/home/diego/app/flask_session/2029240f6d1128be89ddc32729463129
/home/diego/app/flask_session/02b67f99d0d47f7295c63e9208f57f66
/home/diego/app/flask_session/93fe96458920e46ccdd62caa9903114e
/home/diego/app/flask_session/5960a0811e9503d8ee4cebfdbdd5ca40
/home/diego/app/flask_session/cf8080fb6cc5cc1ab94c543db9a97a6b
/home/diego/peas.log
/home/diego/.gnupg/crls.d/DIR.txt
/var/log/syslog
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000@b8dee92a64b443179990842dacf3d889-000000000010720f-0005f45dd9c301e0.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000@b8dee92a64b443179990842dacf3d889-00000000000e9045-0005f45dc1c7bb87.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system@c7d1ee69c5ab40d48bd0b9a36509ccac-00000000000e7637-0005f45dc1b7b0c7.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system@c7d1ee69c5ab40d48bd0b9a36509ccac-0000000000106d01-0005f45dd9b76fb4.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal
/var/log/auth.log
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
Writable: /home/diego/peas.log

╔══════════╣ Files inside /home/diego (limit 20)
total 968
drwxr-xr-x 9 diego diego 4096 Feb 10 19:45 .
drwxr-xr-x 3 root root 4096 Jun 28 2022 ..
lrwxrwxrwx 1 diego diego 9 Jun 28 2022 .bash_history -> /dev/null
-rw-r--r-- 1 diego diego 220 Jun 28 2022 .bash_logout
-rw-r--r-- 1 diego diego 3771 Jun 28 2022 .bashrc
drwxrwxr-x 5 diego diego 4096 Jun 28 2022 .cache
drwx------ 4 diego diego 4096 Feb 10 19:56 .gnupg
drwxrwxr-x 2 diego diego 4096 Nov 14 12:58 .keras
drwxrwxr-x 4 diego diego 4096 Jun 28 2022 .local
drwx------ 3 diego diego 4096 Jun 28 2022 .mozilla
-rw-r--r-- 1 diego diego 807 Jun 28 2022 .profile
drwxrw-r-- 5 diego diego 4096 Nov 16 15:04 app
-rwxr-xr-x 1 root root 970 Nov 14 15:45 bot.py
-rw-rw-r-- 1 diego diego 828098 Feb 10 19:42 linpeas.sh
-rw-rw-r-- 1 diego diego 98956 Feb 10 19:57 peas.log
drwx------ 3 diego diego 4096 Nov 3 14:56 snap
-rw-r----- 1 diego diego 33 Feb 10 19:10 user.txt
╔══════════╣ Files inside others home (limit 20)

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root staff 1422 Jul 9 2022 /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/ext/filters/client_channel/backup_poller.h
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 11886 Nov 7 11:38 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 0 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237863 Oct 17 15:19 /usr/src/linux-headers-5.4.0-132-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-132/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 44048 Aug 16 13:23 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9833 Oct 17 15:19 /usr/lib/modules/5.4.0-132-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Oct 17 15:19 /usr/lib/modules/5.4.0-132-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 1802 Aug 15 20:07 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Nov 7 11:37 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 39448 Oct 19 11:35 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rw-r--r-- 1 root root 2743 Apr 23 2020 /etc/apt/sources.list.curtin.old
╔══════════╣ Reading messages database
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/snapd/errtracker.db: regular file, no read permission
 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)

╔══════════╣ Downloaded Files
╔══════════╣ Web files?(output limit)

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root staff 29 Jul 9 2022 /usr/local/lib/python3.8/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
-rw-r--r-- 1 diego diego 220 Jun 28 2022 /home/diego/.bash_logout
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Apr 23 2020 /etc/.pwd.lock
-rw-r--r-- 1 landscape landscape 0 Apr 23 2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 0 Feb 10 19:10 /run/network/.ifstate.lock
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-rw-r-- 1 diego diego 828098 Feb 10 19:43 /tmp/linpeas.sh
-rw-r--r-- 1 root root 43086 Nov 17 16:27 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 3874 Jun 24 2022 /var/backups/apt.extended_states.6.gz
-rw-r--r-- 1 root root 159577 Jun 24 2022 /var/backups/dpkg.status.4.gz
-rw-r--r-- 1 root root 4330 Jun 28 2022 /var/backups/apt.extended_states.4.gz
-rw-r--r-- 1 root root 4554 Nov 17 16:01 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 143786 May 7 2020 /var/backups/dpkg.status.6.gz
-rw-r--r-- 1 root root 3890 Jun 24 2022 /var/backups/apt.extended_states.5.gz
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.4.gz
-rw-r--r-- 1 root root 702817 Jun 28 2022 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.5.gz
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.3.gz
-rw-r--r-- 1 root root 159577 Jun 24 2022 /var/backups/dpkg.status.3.gz
-rw-r--r-- 1 root root 159577 Jun 24 2022 /var/backups/dpkg.status.5.gz
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 159577 Jun 24 2022 /var/backups/dpkg.status.2.gz
-rw-r--r-- 1 root root 268 May 7 2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 51200 Jun 25 2022 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 4499 Nov 3 12:42 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 2190 May 8 2020 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.1.gz
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.6.gz
-rw-r--r-- 1 root root 4548 Nov 8 11:23 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 174382 Jun 28 2022 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 139 May 7 2020 /var/backups/dpkg.diversions.2.gz
-rw-r--r-- 1 root root 120 Apr 23 2020 /var/backups/dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 140 Jun 24 2022 /var/backups/dpkg.statoverride.0
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/diego
/run/lock
/run/screen
/run/user/1000
/run/user/1000/dbus-1
/run/user/1000/dbus-1/services
/run/user/1000/gnupg
/run/user/1000/inaccessible
/run/user/1000/systemd
/run/user/1000/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/usr/bin/geckodriver
/var/crash
/var/crash/_opt_security_ml_security.py.1000.crash
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
 Group diego:
/tmp/linpeas.sh
╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/_credentials_async.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/__pycache__/impersonated_credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/_credentials_async.py
/usr/local/lib/python3.8/dist-packages/google/auth/compute_engine/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/auth/compute_engine/credentials.py
/usr/local/lib/python3.8/dist-packages/google/auth/credentials.py
/usr/local/lib/python3.8/dist-packages/google/auth/impersonated_credentials.py
/usr/local/lib/python3.8/dist-packages/google/oauth2/__pycache__/_credentials_async.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/oauth2/__pycache__/credentials.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/google/oauth2/_credentials_async.py
/usr/local/lib/python3.8/dist-packages/google/oauth2/credentials.py
/usr/local/lib/python3.8/dist-packages/grpc/_cython/_credentials
/usr/local/lib/python3.8/dist-packages/grpc/_cython/_credentials/roots.pem
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/caching_sha2_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/mysql_clear_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/mysql_native_password.cpython-38.pyc
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/__pycache__/sha256_password.cpython-38.pyc
#)There are more creds/passwds files in the previous parent folder
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/mysql_clear_password.py
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/mysql_native_password.py
/usr/local/lib/python3.8/dist-packages/mysql/connector/plugins/sha256_password.py
#)There are more creds/passwds files in the previous parent folder
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpc++/security/server_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/credentials_impl.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/server_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/include/grpcpp/security/server_credentials_impl.h
#)There are more creds/passwds files in the previous parent folder
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/alts/alts_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/composite/composite_credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/credentials.h
/usr/local/lib/python3.8/dist-packages/tensorflow/include/external/com_github_grpc_grpc/src/core/lib/security/credentials/fake/fake_credentials.h
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

Reference in New Issue View Git Blame Copy Permalink