LinPEAS
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Get latest LinPEAS : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
                    ╔═══════════════════╗
════════════════════╣ Basic information ╠════════════════════
                    ╚═══════════════════╝
OS: Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021
User & Groups: uid=1000(user) gid=1000(user) groups=1000(user)
Hostname: Backdoor
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
                    ╔════════════════════╗
════════════════════╣ System Information ╠════════════════════
                    ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
./linpeas.sh: 1192: [[: not found
./linpeas.sh: 1192: rpm: not found
./linpeas.sh: 1192: 0: not found
./linpeas.sh: 1202: [[: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Tue Apr 26 18:42:00 UTC 2022
18:42:00 up 11:18, 0 users, load average: 0.31, 0.08, 0.02
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
/dev/disk/by-id/dm-uuid-LVM-U2IFjIPx5l70Y85s3L8xVKY4hkOjMjJclbbaE4Nleybc3RrawJjCFL66LNXARQbO / ext4 defaults 0 0
/dev/disk/by-uuid/5a914e61-fe54-403c-b795-1ea056439e0a /boot ext4 defaults 0 0
/dev/mapper/ubuntu--vg-swap none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
SHLVL=3
LC_CTYPE=C.UTF-8
_=./linpeas.sh
TERM=xterm
HISTSIZE=0
LS_COLORS=
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/user
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
                    ╔═══════════╗
════════════════════╣ Container ╠════════════════════
                    ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
                    ╔════════════════════════════════════════════════╗
════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════════
                    ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 1 0.0 0.5 169336 11228 ? Ss 07:23 0:03 /sbin/init auto automatic-ubiquity noprompt
root 485 0.0 0.8 62504 16588 ? S<s 07:23 0:09 /lib/systemd/systemd-journald
root 512 0.0 0.2 21124 5088 ? Ss 07:23 0:02 /lib/systemd/systemd-udevd
systemd+ 515 0.0 0.3 18408 7508 ? Ss 07:24 0:01 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root 658 0.0 0.9 345816 18212 ? SLsl 07:24 0:20 /sbin/multipathd -d -s
systemd+ 683 0.0 0.6 24028 13020 ? Ss 07:24 0:05 /lib/systemd/systemd-resolved
systemd+ 686 0.0 0.3 90228 6100 ? Ssl 07:24 0:03 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 697 0.0 0.5 47540 10316 ? Ss 07:24 0:00 /usr/bin/VGAuthService
root 707 0.1 0.4 311500 8416 ? Ssl 07:24 0:43 /usr/bin/vmtoolsd
root 761 0.0 0.3 235564 7416 ? Ssl 07:24 0:02 /usr/lib/accountsservice/accounts-daemon
message+ 763 0.0 0.2 7604 4576 ? Ss 07:24 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 792 0.0 0.1 81960 3844 ? Ssl 07:24 0:02 /usr/sbin/irqbalance --foreground
root 795 0.0 0.9 28996 18184 ? Ss 07:24 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog 799 0.0 0.2 224348 5364 ? Ssl 07:24 0:02 /usr/sbin/rsyslogd -n -iNONE
root 800 0.0 0.3 16892 7656 ? Ss 07:24 0:00 /lib/systemd/systemd-logind
root 827 0.0 0.1 6812 3048 ? Ss 07:24 0:00 /usr/sbin/cron -f
root 829 0.0 0.1 8352 3416 ? S 07:24 0:00 _ /usr/sbin/CRON -f
root 875 0.0 0.0 2608 1600 ? Ss 07:24 0:00 | _ /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
root 100049 0.0 0.1 8404 3784 ? S 18:32 0:00 | _ su user -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 100050 0.0 0.1 6892 3248 ? Ss 18:32 0:00 | _ bash -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 100054 0.0 0.1 11844 3776 ? S 18:32 0:00 | _ gdbserver --once 0.0.0.0:1337 /bin/true
user 100062 0.0 0.0 376 4 ? t 18:32 0:00 | _ /bin/true
root 830 0.0 0.1 8352 3416 ? S 07:24 0:00 _ /usr/sbin/CRON -f
root 852 0.0 0.0 2608 1600 ? Ss 07:24 0:16 _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root ;; done
root 103972 0.0 0.0 5476 592 ? S 18:42 0:00 _ sleep 1
daemon 858 0.0 0.1 3792 2188 ? Ss 07:24 0:00 /usr/sbin/atd -f
root 889 0.0 0.9 194040 18848 ? Ss 07:24 0:02 /usr/sbin/apache2 -k start
www-data 1274 0.0 1.6 195560 32936 ? S 07:25 0:05 _ /usr/sbin/apache2 -k start
www-data 5609 0.0 1.7 195748 34128 ? S 07:54 0:05 _ /usr/sbin/apache2 -k start
www-data 61554 0.0 1.7 195808 34788 ? S 14:13 0:05 _ /usr/sbin/apache2 -k start
www-data 64561 0.0 1.5 195428 31868 ? S 14:33 0:05 _ /usr/sbin/apache2 -k start
www-data 75181 0.0 1.5 194904 30476 ? S 15:45 0:02 _ /usr/sbin/apache2 -k start
www-data 79729 0.0 0.6 194560 13080 ? S 16:16 0:02 _ /usr/sbin/apache2 -k start
www-data 90924 0.0 0.6 194560 13080 ? S 17:33 0:00 _ /usr/sbin/apache2 -k start
www-data 92253 0.0 0.6 194560 13124 ? S 17:41 0:00 _ /usr/sbin/apache2 -k start
www-data 92265 0.0 0.6 194560 13124 ? S 17:41 0:00 _ /usr/sbin/apache2 -k start
www-data 92285 0.0 0.6 194560 13124 ? S 17:41 0:00 _ /usr/sbin/apache2 -k start
root 900 0.0 0.0 5828 1848 tty1 Ss+ 07:24 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
user 933 0.0 0.4 18388 9588 ? Ss 07:24 0:00 /lib/systemd/systemd --user
user 943 0.0 0.1 103076 3220 ? S 07:24 0:00 _ (sd-pam)
user 96723 0.0 0.1 7108 4000 ? Ss 18:11 0:00 _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 959 0.0 0.3 232716 6760 ? Ssl 07:24 0:00 /usr/lib/policykit-1/polkitd --no-debug
mysql 968 0.2 20.3 1757172 408088 ? Ssl 07:24 1:34 /usr/sbin/mysqld
root 39905 0.0 0.4 249492 9792 ? Ssl 11:48 0:00 /usr/lib/upower/upowerd
root 52249 0.0 0.1 6952 2500 ? Ss 13:11 0:00 SCREEN -dmS root
root 52251 0.0 0.2 8272 5192 pts/0 Ss+ 13:11 0:00 _ -/bin/bash
user 68605 0.0 0.1 3356 2912 ? S 15:00 0:01 /bin/true
user 97088 0.0 0.0 376 16 ? S 18:13 0:00 /bin/true
user 97109 0.0 0.0 376 16 ? S 18:13 0:00 /bin/true
user 100047 0.0 0.0 2608 540 ? S 18:32 0:00 /bin/sh
user 100088 0.0 0.1 3976 2960 ? S 18:32 0:00 _ /bin/bash
user 100106 0.0 0.2 5168 4444 ? S 18:33 0:00 _ /bin/bash -i
user 100781 0.0 0.4 15960 9632 ? S 18:37 0:00 _ python3 -c import pty;pty.spawn("/bin/bash");
user 100782 0.0 0.2 8496 4920 pts/1 Ss 18:37 0:00 _ /bin/bash
user 101449 0.2 0.1 3680 2612 pts/1 S+ 18:41 0:00 _ /bin/sh ./linpeas.sh
user 104293 0.0 0.0 3680 1100 pts/1 S+ 18:42 0:00 _ /bin/sh ./linpeas.sh
user 104296 0.0 0.1 9420 3508 pts/1 R+ 18:42 0:00 | _ ps fauxwww
user 104297 0.0 0.0 3680 1100 pts/1 S+ 18:42 0:00 _ /bin/sh ./linpeas.sh
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Jul 24 2021 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 712 Mar 27 2020 php
-rw-r--r-- 1 root root 191 Feb 1 2021 popularity-contest
/etc/cron.daily:
total 52
drwxr-xr-x 2 root root 4096 Nov 15 13:33 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 539 Jul 5 2021 apache2
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 Dec 7 2020 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 1 2021 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Feb 1 2021 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Nov 15 13:33 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 403 Aug 5 2021 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2022-04-26 19:09:00 UTC 26min left Tue 2022-04-26 18:39:09 UTC 3min 15s ago phpsessionclean.timer phpsessionclean.service
Tue 2022-04-26 21:06:32 UTC 2h 24min left Tue 2022-04-26 11:48:06 UTC 6h ago fwupd-refresh.timer fwupd-refresh.service
Wed 2022-04-27 00:00:00 UTC 5h 17min left Tue 2022-04-26 07:24:03 UTC 11h ago logrotate.timer logrotate.service
Wed 2022-04-27 00:00:00 UTC 5h 17min left Tue 2022-04-26 07:24:03 UTC 11h ago man-db.timer man-db.service
Wed 2022-04-27 04:44:23 UTC 10h left Tue 2022-04-26 14:05:32 UTC 4h 36min ago apt-daily.timer apt-daily.service
Wed 2022-04-27 06:02:41 UTC 11h left Tue 2022-04-26 14:08:00 UTC 4h 34min ago motd-news.timer motd-news.service
Wed 2022-04-27 06:53:09 UTC 12h left Tue 2022-04-26 07:38:53 UTC 11h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Wed 2022-04-27 07:39:03 UTC 12h left Tue 2022-04-26 07:39:03 UTC 11h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2022-05-01 03:10:01 UTC 4 days left Tue 2022-04-26 07:24:32 UTC 11h ago e2scrub_all.timer e2scrub_all.service
Mon 2022-05-02 00:00:00 UTC 5 days left Tue 2022-04-26 07:24:03 UTC 11h ago fstrim.timer fstrim.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
└─(Read Write)
/run/irqbalance//irqbalance792.sock
└─(Read )
/run/irqbalance/irqbalance792.sock
└─(Read )
/run/lvm/lvmpolld.socket
/run/mysqld/mysqld.sock
└─(Read Write)
/run/mysqld/mysqlx.sock
└─(Read Write)
/run/screen/S-root/52249.root
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/user/1000/bus
└─(Read Write)
/run/user/1000/gnupg/S.dirmngr
└─(Read Write)
/run/user/1000/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1000/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1000/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1000/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1000/pk-debconf-socket
└─(Read Write)
/run/user/1000/systemd/notify
└─(Read Write)
/run/user/1000/systemd/private
└─(Read Write)
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/mysqld/mysqld.sock
└─(Read Write)
/var/run/mysqld/mysqlx.sock
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 683 systemd-resolve systemd-resolve :1.0 systemd-resolved.service - -
:1.1 1 systemd root :1.1 init.scope - -
:1.10 933 systemd user :1.10 user@1000.service - -
:1.13 39905 upowerd root :1.13 upower.service - -
:1.2 515 systemd-network systemd-network :1.2 systemd-networkd.service - -
:1.3 686 systemd-timesyn systemd-timesync :1.3 systemd-timesyncd.service - -
:1.4 800 systemd-logind root :1.4 systemd-logind.service - -
:1.5 761 accounts-daemon root :1.5 accounts-daemon.service - -
:1.78 107649 busctl user :1.78 session-c19.scope c19 -
:1.8 795 networkd-dispat root :1.8 networkd-dispatcher.service - -
:1.9 959 polkitd root :1.9 polkit.service - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts 761 accounts-daemon root :1.5 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 959 polkitd root :1.9 polkit.service - -
org.freedesktop.UPower 39905 upowerd root :1.13 upower.service - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 800 systemd-logind root :1.4 systemd-logind.service - -
org.freedesktop.network1 515 systemd-network systemd-network :1.2 systemd-networkd.service - -
org.freedesktop.resolve1 683 systemd-resolve systemd-resolve :1.0 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.1 init.scope - -
org.freedesktop.thermald - - - (activatable) - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 686 systemd-timesyn systemd-timesync :1.3 systemd-timesyncd.service - -
                    ╔═════════════════════╗
════════════════════╣ Network Information ╠════════════════════
                    ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
Backdoor
127.0.0.1 localhost
127.0.1.1 backdoor
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0 trust-ad
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.125 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:2651 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:2651 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:26:51 txqueuelen 1000 (Ethernet)
RX packets 817595 bytes 124219010 (124.2 MB)
RX errors 0 dropped 275 overruns 0 frame 0
TX packets 730516 bytes 92381015 (92.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 45636 bytes 3595398 (3.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45636 bytes 3595398 (3.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 100054/gdbserver
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 97088/true
tcp 0 0 0.0.0.0:47645 0.0.0.0:* LISTEN 97109/true
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
                    ╔═══════════════════╗
════════════════════╣ Users Information ╠════════════════════
                    ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1000(user) gid=1000(user) groups=1000(user)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Sorry, try again.
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(user) gid=1000(user) groups=1000(user)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=112(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=113(mysql) gid=118(mysql) groups=118(mysql)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
18:42:28 up 11:18, 0 users, load average: 0.18, 0.07, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
user pts/1 Mon Nov 8 17:00:17 2021 - Mon Nov 8 17:01:46 2021 (00:01) 10.10.14.23
reboot system boot Mon Nov 8 16:59:55 2021 - Mon Nov 8 17:01:48 2021 (00:01) 0.0.0.0
user pts/1 Mon Nov 8 16:45:49 2021 - Mon Nov 8 16:56:44 2021 (00:10) 10.10.14.23
reboot system boot Mon Nov 8 16:43:52 2021 - Mon Nov 8 16:56:46 2021 (00:12) 0.0.0.0
user pts/1 Mon Nov 8 16:39:32 2021 - Mon Nov 8 16:43:15 2021 (00:03) 10.10.14.23
reboot system boot Mon Nov 8 16:37:49 2021 - Mon Nov 8 16:43:17 2021 (00:05) 0.0.0.0
root tty1 Mon Nov 8 16:31:38 2021 - down (00:03) 0.0.0.0
reboot system boot Mon Nov 8 16:30:33 2021 - Mon Nov 8 16:35:34 2021 (00:05) 0.0.0.0
wtmp begins Mon Nov 8 16:30:33 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Mon Nov 15 13:28:44 +0000 2021
user pts/1 10.10.14.23 Mon Nov 8 17:00:17 +0000 2021
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                    ╔══════════════════════╗
════════════════════╣ Software Information ╠════════════════════
                    ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ MySQL version
mysql Ver 8.0.27-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Searching mysql credentials and exec
Potential file containing credentials:
-rw-r--r-- 1 root root 641 May 19 2020 /etc/apparmor.d/abstractions/mysql
Strings not found, cat the file and check it to get the creds
Potential file containing credentials:
-rwxr-xr-x 1 root root 5607 Nov 6 2019 /etc/init.d/mysql
Strings not found, cat the file and check it to get the creds
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw------- 1 root root 317 Nov 15 13:32 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-10-14T16:24:43
httpd Not Found
Nginx version: nginx Not Found
./linpeas.sh: 2587: grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null: not found
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Nov 10 15:23 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Nov 10 15:23 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 36 Nov 10 15:23 /etc/apache2/sites-enabled/backdoor.htb.conf -> ../sites-available/backdoor.htb.conf
<VirtualHost *:80>
ServerName backdoor.htb
ServerAlias *
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Jul 19 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 35 Jul 19 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
-rw-r--r-- 1 root root 72941 Jul 5 2021 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Jul 5 2021 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rwxr-xr-x 1 www-data www-data 3769 Nov 8 17:01 /var/www/html/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpressuser' );
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
define( 'DB_HOST', 'localhost' );
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Nov 15 13:32 /etc/ldap
╔══════════╣ Searching ssl/ssh files
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
╔══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
101449PSTORAGE_CERTSBIN
╔══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
╔══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
╔══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 15 13:33 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar 9 2021 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux 3.0a
/tmp/tmux-1000
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 15 13:29 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 user user 1200 Jul 24 2021 /home/user/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2236 Mar 30 2020 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Mar 30 2020 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
drwx------ 4 user user 4096 Apr 26 18:42 /home/user/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Jul 5 2021 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Oct 25 2021 /usr/share/php7.4-common/common/ftp.ini
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 24 Jul 24 2021 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Nov 15 13:32 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 user user 3771 Feb 25 2020 /home/user/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 user user 807 Feb 25 2020 /home/user/.profile
                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Jul 23 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 67K Jul 14 2021 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 84K Jul 14 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 87K Jul 14 2021 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 67K Jul 21 2020 /usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 44K Jul 14 2021 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 464K Feb 23 2021 /usr/bin/screen ---> GNU_Screen_4.5.0
-rwsr-xr-x 1 root root 39K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 55K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 52K Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 31K May 26 2021 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 14 2021 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 343K Jul 23 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jul 21 2020 /usr/bin/wall
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 83K Jul 14 2021 /usr/bin/chage
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh
╔══════════╣ Unexpected in root
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files
total 32
drwxr-xr-x 2 root root 4096 Nov 15 13:49 .
drwxr-xr-x 97 root root 4096 Nov 15 13:38 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh
-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/user/user.txt
/home/user/.bash_history
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/user
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root user 33 Apr 26 07:24 /home/user/user.txt
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/journal/c7ecccb051e848b499834cfb7ece5dbf/system.journal
/var/log/journal/c7ecccb051e848b499834cfb7ece5dbf/user-1000.journal
/var/log/syslog
/var/log/auth.log
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/user (limit 20)
total 796
drwxr-xr-x 6 user user 4096 Apr 26 18:41 .
drwxr-xr-x 3 root root 4096 Nov 10 14:18 ..
lrwxrwxrwx 1 root root 9 Jul 18 2021 .bash_history -> /dev/null
-rw-r--r-- 1 user user 3771 Feb 25 2020 .bashrc
drwx------ 2 user user 4096 Nov 10 14:18 .cache
drwx------ 3 user user 4096 Nov 10 14:18 .config
drwx------ 4 user user 4096 Apr 26 18:42 .gnupg
drwxrwxr-x 3 user user 4096 Nov 10 14:18 .local
-rw-r--r-- 1 user user 807 Feb 25 2020 .profile
-rwxrwxr-x 1 user user 776167 Apr 26 18:41 linpeas.sh
-rw-r----- 1 root user 33 Apr 26 07:24 user.txt
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 2743 Feb 1 2021 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 root root 237862 Jun 17 2021 /usr/src/linux-headers-5.4.0-77-generic/.config.old
-rw-r--r-- 1 root root 0 Jun 17 2021 /usr/src/linux-headers-5.4.0-77-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Jun 17 2021 /usr/src/linux-headers-5.4.0-77-generic/include/config/wm831x/backup.h
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-77/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237862 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/.config.old
-rw-r--r-- 1 root root 0 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/wm831x/backup.h
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-80/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 11886 Nov 15 13:34 /usr/share/info/dir.old
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 44048 Oct 12 2021 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 39448 Oct 22 2021 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rw-r--r-- 1 root root 9073 Jun 17 2021 /usr/lib/modules/5.4.0-77-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Jun 17 2021 /usr/lib/modules/5.4.0-77-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Jul 9 2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Jul 9 2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 1775 Feb 25 2021 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1403 Nov 15 13:32 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Nov 10 14:18 .
drwxr-xr-x 13 root root 4.0K Nov 15 13:49 ..
drwxr-xr-x 5 www-data www-data 4.0K Apr 26 07:26 html
/var/www/html:
total 224K
drwxr-xr-x 5 www-data www-data 4.0K Apr 26 07:26 .
drwxr-xr-x 3 root root 4.0K Nov 10 14:18 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rwxr-xr-x 1 www-data www-data 629 May 9 2016 /var/www/html/wp-content/plugins/akismet/.htaccess
-rwxr-xr-x 1 www-data www-data 89 Nov 12 2020 /var/www/html/wp-content/themes/twentytwentyone/.stylelintignore
-rwxr-xr-x 1 www-data www-data 425 May 24 2021 /var/www/html/wp-content/themes/twentytwentyone/.stylelintrc.json
-rwxr-xr-x 1 www-data www-data 689 May 24 2021 /var/www/html/wp-content/themes/twentytwentyone/.stylelintrc-css.json
-rwxr-xr-x 1 www-data www-data 269 Oct 25 2019 /var/www/html/wp-content/themes/twentytwenty/.stylelintrc.json
-rw-r--r-- 1 landscape landscape 0 Feb 1 2021 /var/lib/landscape/.cleanup.user
-rw------- 1 root root 0 Feb 1 2021 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 0 Apr 26 07:24 /run/network/.ifstate.lock
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 268 Jul 18 2021 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 33913 Nov 15 13:49 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 3767 Jul 18 2021 /var/backups/apt.extended_states.5.gz
-rw-r--r-- 1 root root 4053 Jul 25 2021 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 100 Feb 1 2021 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 3823 Jul 19 2021 /var/backups/apt.extended_states.4.gz
-rw-r--r-- 1 root root 572253 Jul 19 2021 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 3818 Jul 19 2021 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 40960 Jul 19 2021 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 3854 Oct 30 10:58 /var/backups/apt.extended_states.1.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/user
/run/lock
/run/screen/S-user
/run/user/1000
/run/user/1000/dbus-1
/run/user/1000/dbus-1/services
/run/user/1000/gnupg
/run/user/1000/inaccessible
/run/user/1000/systemd
/run/user/1000/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/crash
/var/crash/_usr_bin_true.1000.crash
/var/lib/php/sessions
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching passwords in config PHP files
$pwd = trim( wp_unslash( $_POST['pwd'] ) );
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/fwupd/pki/secret.key
/var/lib/pam/password
/var/www/html/wp-admin/includes/class-wp-application-passwords-list-table.php
/var/www/html/wp-admin/js/application-passwords.js
/var/www/html/wp-admin/js/application-passwords.min.js
/var/www/html/wp-admin/js/password-strength-meter.js
/var/www/html/wp-admin/js/password-strength-meter.min.js
#)There are more creds/passwds files in the previous parent folder
/var/www/html/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2021-11-15 13:29:57 status half-configured passwd:amd64 1:4.8.1-1ubuntu5.20.04
2021-11-15 13:29:57 status half-installed passwd:amd64 1:4.8.1-1ubuntu5.20.04
2021-11-15 13:29:57 status unpacked passwd:amd64 1:4.8.1-1ubuntu5.20.04
2021-11-15 13:29:57 upgrade passwd:amd64 1:4.8.1-1ubuntu5.20.04 1:4.8.1-1ubuntu5.20.04.1
2021-11-15 13:29:58 configure passwd:amd64 1:4.8.1-1ubuntu5.20.04.1 <none>
2021-11-15 13:29:58 status half-configured passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
2021-11-15 13:29:58 status installed passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
2021-11-15 13:29:58 status unpacked passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
Binary file /var/log/journal/c7ecccb051e848b499834cfb7ece5dbf/user-1000.journal matches
[ 4.460488] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 5.393664] systemd[1]: Started Forward Password Requests to Wall Directory Watch.