linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 [1;4mLEGEND[0m:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
OS: Linux version 5.4.0-90-generic (buildd@lgw01-amd64-054) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021
User & Groups: uid=1001(paul) gid=1001(paul) groups=1001(paul)
Hostname: routerspace.htb
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


Caching directories DONE

                                        ╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
                                        ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-90-generic (buildd@lgw01-amd64-054) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

╔══════════╣ Date & uptime
Sun May 29 01:06:30 UTC 2022
 01:06:30 up 6 min,  1 user,  load average: 1.29, 0.57, 0.25

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3

╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
/dev/disk/by-id/dm-uuid-LVM-9nXgbzHi48m4NorDEO40LZauWKiumJfKXXGpzjLXc6qZhjb1e8rIgPJfJXbsU5uk / ext4 defaults 0 1
/dev/disk/by-uuid/3276aed8-a746-4835-bd04-9038906661b5 /boot ext4 defaults 0 1
/dev/mapper/ubuntu--vg-swap none swap sw 0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
USER=paul
SSH_CLIENT=10.10.14.132 39518 22
LC_TIME=C.UTF-8
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/paul
OLDPWD=/home/paul
SSH_TTY=/dev/pts/0
LC_MONETARY=C.UTF-8
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=paul
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=3
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=C.UTF-8
HISTSIZE=0
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
LC_MEASUREMENT=C.UTF-8
PWD=/home/paul/.r3pek
SSH_CONNECTION=10.10.14.132 39518 10.10.11.148 22
LC_NUMERIC=C.UTF-8
LC_PAPER=C.UTF-8
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)

                                             ╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
                                             ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No═╣ Any running containers? ........ No


                          ╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
                          ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         678  0.0  0.0   2488   584 ?        S    01:00   0:00  _ bpfilter_umh
root           1  0.7  0.5 103568 11124 ?        Ss   01:00   0:02 /sbin/init auto automatic-ubiquity noprompt
root         474  0.1  0.5  67868 10824 ?        S<s  01:00   0:00 /lib/systemd/systemd-journald
root         502  0.1  0.2  21252  5260 ?        Ss   01:00   0:00 /lib/systemd/systemd-udevd
root         644  0.0  0.8 345708 17940 ?        SLsl 01:00   0:00 /sbin/multipathd -d -s
systemd+     687  0.0  0.3  90228  6164 ?        Ssl  01:00   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         691  0.0  0.5  47528 10532 ?        Ss   01:00   0:00 /usr/bin/VGAuthService
root         692  0.2  0.3 161988  7648 ?        S<sl 01:00   0:00 /usr/bin/vmtoolsd
systemd+     714  0.0  0.3  18408  7484 ?        Ss   01:00   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root         746  0.0  0.4 239296  9268 ?        Ssl  01:00   0:00 /usr/lib/accountsservice/accounts-daemon
message+     759  0.0  0.2   7632  4788 ?        Ss   01:00   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         793  0.0  0.1  81960  3844 ?        Ssl  01:00   0:00 /usr/sbin/irqbalance --foreground
root         808  0.1  0.9  29072 18152 ?        Ss   01:00   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog       810  0.0  0.2 224320  5400 ?        Ssl  01:00   0:00 /usr/sbin/rsyslogd -n -iNONE
root         811  0.0  0.3  16700  7488 ?        Ss   01:00   0:00 /lib/systemd/systemd-logind
root         814  0.0  0.6 394876 13604 ?        Ssl  01:00   0:00 /usr/lib/udisks2/udisksd
systemd+     833  0.0  0.6  23896 12260 ?        Ss   01:00   0:00 /lib/systemd/systemd-resolved
root         847  0.0  0.4 236440  9096 ?        Ssl  01:00   0:00 /usr/lib/policykit-1/polkitd --no-debug
root         882  0.0  0.1   6812  2908 ?        Ss   01:00   0:00 /usr/sbin/cron -f
daemon       886  0.0  0.1   3792  2184 ?        Ss   01:00   0:00 /usr/sbin/atd -f
paul        1295  0.0  0.2  13932  6004 ?        S    01:02   0:00      _ sshd: paul@pts/0
paul        1296  0.0  0.2  10128  5576 pts/0    Ss   01:02   0:00          _ -bash
paul       29637  0.5  0.1   3672  2740 pts/0    S+   01:06   0:00              _ /bin/sh ./linpeas.sh -N -q
paul       32408  0.0  0.0   3672  1100 pts/0    S+   01:06   0:00                  _ /bin/sh ./linpeas.sh -N -q
paul       32411  0.0  0.1  10956  3664 pts/0    R+   01:06   0:00                  |   _ ps fauxwww
paul       32412  0.0  0.0   3672  1100 pts/0    S+   01:06   0:00                  _ /bin/sh ./linpeas.sh -N -q
root         897  0.0  0.0   5828  1800 tty1     Ss+  01:00   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
paul         904  0.4  2.6 619688 52360 ?        Ssl  01:00   0:01 PM2 v5.1.2: God Daemon (/home/paul/.pm2)
  └─(Caps) 0x0000000000000400=cap_net_bind_service
paul         915  0.5  2.9 628412 59696 ?        Ssl  01:00   0:01  _ node /opt/www/public/routerspace/index.js
  └─(Caps) 0x0000000000000400=cap_net_bind_service
paul        1020  0.0  0.4  18388  9424 ?        Ss   01:01   0:00 /lib/systemd/systemd --user
paul        1021  0.0  0.1 102988  3148 ?        S    01:01   0:00  _ (sd-pam)
paul        7534  0.0  0.1  81196  3464 ?        SLs  01:03   0:00  _ /usr/bin/gpg-agent --supervised

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND     PID TID TASKCMD               USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  189 Aug 24  2021 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 May 14  2021 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  403 Aug  5  2021 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                        PASSED               UNIT                         ACTIVATES                     
Sun 2022-05-29 01:11:02 UTC 4min 26s left Thu 2022-02-17 17:15:34 UTC 3 months 9 days ago  ua-messaging.timer           ua-messaging.service          
Sun 2022-05-29 01:15:23 UTC 8min left     n/a                         n/a                  systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2022-05-29 01:41:58 UTC 35min left    Wed 2022-02-16 14:30:29 UTC 3 months 10 days ago apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sun 2022-05-29 03:10:24 UTC 2h 3min left  Sun 2022-05-29 01:01:09 UTC 5min ago             e2scrub_all.timer            e2scrub_all.service           
Sun 2022-05-29 04:29:44 UTC 3h 23min left Mon 2022-02-07 14:16:28 UTC 3 months 19 days ago fwupd-refresh.timer          fwupd-refresh.service         
Sun 2022-05-29 10:04:14 UTC 8h left       Thu 2021-11-25 07:56:09 UTC 6 months 2 days ago  apt-daily.timer              apt-daily.service             
Sun 2022-05-29 12:41:40 UTC 11h left      Mon 2022-02-07 14:46:42 UTC 3 months 19 days ago motd-news.timer              motd-news.service             
Mon 2022-05-30 00:00:00 UTC 22h left      Sun 2022-05-29 01:00:31 UTC 6min ago             fstrim.timer                 fstrim.service                
Mon 2022-05-30 00:00:00 UTC 22h left      Sun 2022-05-29 01:00:31 UTC 6min ago             logrotate.timer              logrotate.service             
Mon 2022-05-30 00:00:00 UTC 22h left      Sun 2022-05-29 01:00:31 UTC 6min ago             man-db.timer                 man-db.service                

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/home/paul/.pm2/pub.sock
  └─(Read Write)
/home/paul/.pm2/rpc.sock
  └─(Read Write)
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
  └─(Read Write)
/run/irqbalance//irqbalance793.sock
  └─(Read )
/run/irqbalance/irqbalance793.sock
  └─(Read )
/run/lvm/lvmpolld.socket
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/user/1001/bus
  └─(Read Write)
/run/user/1001/gnupg/S.dirmngr
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
  └─(Read Write)
/run/user/1001/pk-debconf-socket
  └─(Read Write)
/run/user/1001/systemd/notify
  └─(Read Write)
/run/user/1001/systemd/private
  └─(Read Write)
/run/uuidd/request
  └─(Read Write)
/run/vmware/guestServicePipe
  └─(Read Write)
/var/run/vmware/guestServicePipe
  └─(Read Write)

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                            PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                            687 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
:1.1                            714 systemd-network systemd-network  :1.1          systemd-networkd.service    -       -
:1.11                          1020 systemd         paul             :1.11         user@1001.service           -       -
:1.2                            811 systemd-logind  root             :1.2          systemd-logind.service      -       -
:1.3                              1 systemd         root             :1.3          init.scope                  -       -
:1.38                         35177 busctl          paul             :1.38         session-3.scope             3       -
:1.4                            814 udisksd         root             :1.4          udisks2.service             -       -
:1.5                            746 accounts-daemon root             :1.5          accounts-daemon.service     -       -
:1.6                            847 polkitd         root             :1.6          polkit.service              -       -
:1.7                            833 systemd-resolve systemd-resolve  :1.7          systemd-resolved.service    -       -
:1.8                            808 networkd-dispat root             :1.8          networkd-dispatcher.service -       -
com.ubuntu.LanguageSelector       - -               -                (activatable) -                           -       -
com.ubuntu.SoftwareProperties     - -               -                (activatable) -                           -       -
org.freedesktop.Accounts        746 accounts-daemon root             :1.5          accounts-daemon.service     -       -
org.freedesktop.DBus              1 systemd         root             -             init.scope                  -       -
org.freedesktop.PackageKit        - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1      847 polkitd         root             :1.6          polkit.service              -       -
org.freedesktop.UDisks2         814 udisksd         root             :1.4          udisks2.service             -       -
org.freedesktop.UPower            - -               -                (activatable) -                           -       -
org.freedesktop.bolt              - -               -                (activatable) -                           -       -
org.freedesktop.fwupd             - -               -                (activatable) -                           -       -
org.freedesktop.hostname1         - -               -                (activatable) -                           -       -
org.freedesktop.locale1           - -               -                (activatable) -                           -       -
org.freedesktop.login1          811 systemd-logind  root             :1.2          systemd-logind.service      -       -
org.freedesktop.network1        714 systemd-network systemd-network  :1.1          systemd-networkd.service    -       -
org.freedesktop.resolve1        833 systemd-resolve systemd-resolve  :1.7          systemd-resolved.service    -       -
org.freedesktop.systemd1          1 systemd         root             :1.3          init.scope                  -       -
org.freedesktop.thermald          - -               -                (activatable) -                           -       -
org.freedesktop.timedate1         - -               -                (activatable) -                           -       -
org.freedesktop.timesync1       687 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -


                                        ╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
                                        ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
routerspace.htb
127.0.0.1 localhost
127.0.1.1 routerspace.htb routerspace

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0 trust-ad
htb

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.148  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:c05a  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:c0:5a  txqueuelen 1000  (Ethernet)
        RX packets 2827  bytes 996593 (996.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2301  bytes 550194 (550.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 304  bytes 22728 (22.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 304  bytes 22728 (22.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No



                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1001(paul) gid=1001(paul) groups=1001(paul)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
paul:x:1001:1001:,,,:/home/paul:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(paul) gid=1001(paul) groups=1001(paul)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=112(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

╔══════════╣ Login now
 01:06:39 up 6 min,  1 user,  load average: 1.16, 0.56, 0.26
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
paul     pts/0    10.10.14.132     01:02   23.00s  0.19s  0.00s /bin/sh ./linpeas.sh -N -q

╔══════════╣ Last logons
paul     pts/0        Sat Nov 20 18:26:02 2021 - Sat Nov 20 18:26:27 2021  (00:00)     192.168.150.133
h4rithd  pts/0        Sat Nov 20 18:25:50 2021 - Sat Nov 20 18:25:54 2021  (00:00)     192.168.150.133
h4rithd  pts/0        Sat Nov 20 18:20:14 2021 - Sat Nov 20 18:25:45 2021  (00:05)     192.168.150.133
h4rithd  pts/1        Sat Nov 20 17:40:53 2021 - Sat Nov 20 18:20:02 2021  (00:39)     192.168.150.133
paul     pts/1        Sat Nov 20 17:38:12 2021 - Sat Nov 20 17:38:15 2021  (00:00)     0.0.0.0
h4rithd  pts/0        Sat Nov 20 16:55:08 2021 - Sat Nov 20 17:45:51 2021  (00:50)     192.168.150.1
h4rithd  tty1         Sat Nov 20 16:53:43 2021 - down                      (01:50)     0.0.0.0
reboot   system boot  Sat Nov 20 16:52:07 2021 - Sat Nov 20 18:44:21 2021  (01:52)     0.0.0.0

wtmp begins Sat Nov 20 16:52:07 2021

╔══════════╣ Last time logon each user
Username         Port     From             Latest
root             tty1                      Mon Feb 21 20:03:42 +0000 2022
paul             pts/0    10.10.14.132     Sun May 29 01:02:26 +0000 2022

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                                       ╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
                                       ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  gcc                                  4:9.3.0-1ubuntu2                      amd64        GNU C compiler
ii  gcc-9                                9.3.0-17ubuntu1~20.04                 amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15  2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
	comment = public archive
	path = /var/www/pub
	use chroot = yes
	lock file = /var/lock/rsyncd
	read only = yes
	list = yes
	uid = nobody
	gid = nogroup
	strict modes = yes
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = no
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Feb 17 18:30 /etc/ldap


╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)




-rw-r--r-- 1 paul paul 81 May 29 01:01 /home/paul/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDjmclqrLGY6+RTPWcGyJI61rymvp8jkbVpiiCc/GN5C

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
29637PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb 17 18:30 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jul 23  2021 /etc/pam.d/sshd




╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Aug 24  2021 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 17  2021 /opt/www/public/routerspace/node_modules/balanced-match/.github
drwxr-xr-x 3 root root 4096 Feb 17 18:30 /usr/local/lib/node_modules/pm2/node_modules/ast-types/.github
drwxr-xr-x 2 root root 4096 Nov 20  2021 /usr/local/lib/node_modules/pm2/node_modules/balanced-match/.github
drwxr-xr-x 2 root root 4096 Nov 20  2021 /usr/local/lib/node_modules/pm2/node_modules/moment-timezone/.github
drwxr-xr-x 3 root root 4096 Nov 20  2021 /usr/local/lib/node_modules/pm2/node_modules/proxy-agent/.github




╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 2796 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 paul paul 1200 Nov 20  2021 /home/paul/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 3267 Jan  6  2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2274 Jul 27  2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Jul 27  2021 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Jul 27  2021 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Jul 27  2021 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13  2020 /usr/share/popularity-contest/debian-popcon.gpg

drwx------ 3 paul paul 4096 May 29 01:06 /home/paul/.gnupg

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
-rw-r--r-- 1 root root 477 Nov 19  2020 /usr/local/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb  2  2020 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25  2020 /etc/skel/.bashrc
-rw-r--r-- 1 paul paul 3771 Nov 20  2021 /home/paul/.bashrc





-rw-r--r-- 1 root root 807 Feb 25  2020 /etc/skel/.profile
-rw-r--r-- 1 paul paul 823 Nov 20  2021 /home/paul/.profile






                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 67K Jul 21  2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K Jul 14  2021 /usr/bin[1;31m/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)[0m
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin[1;31m/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)[0m
-rwsr-xr-x 1 root root 52K Jul 14  2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 84K Jul 14  2021 /usr/bin[1;31m/chfn  --->  SuSE_9.3/10[0m
-rwsr-xr-x 1 root root 55K Jul 21  2020 /usr/bin[1;31m/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8[0m
-rwsr-xr-x 1 root root 44K Jul 14  2021 /usr/bin[1;31m/newgrp  --->  HP-UX_10.20[0m
-rwsr-xr-x 1 root root 39K Jul 21  2020 /usr/bin[1;31m/umount  --->  BSD/Linux(08-1996)[0m
-rwsr-xr-x 1 root root 163K Feb  3  2020 /usr/bin[1;31m/sudo  --->  check_if_the_sudo_version_is_vulnerable[0m
-rwsr-xr-x 1 root root 87K Jul 14  2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-- 1 root messagebus 51K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K May 26  2021 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Jul 23  2021 /usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Apr  8  2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Apr  8  2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 31K Jul 14  2021 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin[1;31m/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)[0m
-rwxr-sr-x 1 root shadow 83K Jul 14  2021 /usr/bin/chage
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 343K Jul 23  2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 35K Jul 21  2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Shell capabilities:
0x0000000000000000=
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/node = cap_net_bind_service+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x  3 root root 4096 Nov 20  2021 .
drwxr-xr-x 19 root root 4096 Feb 17 18:30 ..
drwxr-xr-x  3 root root 4096 Nov 20  2021 www

╔══════════╣ Unexpected in root

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 32
drwxr-xr-x   2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r--   1 root root   96 Dec  5  2019 01-locale-fix.sh
-rw-r--r--   1 root root 1557 Feb 17  2020 Z97-byobu.sh
-rw-r--r--   1 root root  729 Feb  2  2020 bash_completion.sh
-rw-r--r--   1 root root 1003 Aug 13  2019 cedilla-portuguese.sh
-rw-r--r--   1 root root 1107 Nov  3  2019 gawk.csh
-rw-r--r--   1 root root  757 Nov  3  2019 gawk.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/paul/.bash_history
/home/paul/user.txt
/root/

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/paul
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service
/sys/fs/cgroup/unified/user.slice/user-1001.slice/user@1001.service

╔══════════╣ Readable files belonging to root and readable by me but not world readable
-r--r----- 1 root paul 33 May 29 01:00 /home/paul/user.txt

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/syslog
/var/log/auth.log
/var/log/kern.log
/var/log/lastlog
/var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/system.journal
/var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/user-1001.journal
/var/log/wtmp

╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes
Writable: /home/paul/.pm2/pm2.log
Writable: /home/paul/.pm2/logs/index-out.log
Writable: /home/paul/.pm2/logs/index-error.log

╔══════════╣ Files inside /home/paul (limit 20)
total 52
drwxr-xr-x 9 paul paul 4096 May 29 01:02 .
drwxr-xr-x 3 root root 4096 Feb 17 18:30 ..
lrwxrwxrwx 1 root root    9 Nov 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 paul paul  220 Nov 20  2021 .bash_logout
-rw-r--r-- 1 paul paul 3771 Nov 20  2021 .bashrc
drwx------ 2 paul paul 4096 Feb 17 18:30 .cache
drwx------ 3 paul paul 4096 May 29 01:06 .gnupg
drwxrwxr-x 3 paul paul 4096 Feb 17 18:30 .local
drwxrwxr-x 5 paul paul 4096 May 29 01:00 .pm2
-rw-r--r-- 1 paul paul  823 Nov 20  2021 .profile
drwxrwxr-x 2 paul paul 4096 May 29 01:04 .r3pek
drwx------ 2 paul paul 4096 May 29 01:01 .ssh
drwxr-xr-x 3 paul paul 4096 Feb 17 18:30 snap
-r--r----- 1 root paul   33 May 29 01:00 user.txt

╔══════════╣ Files inside others home (limit 20)

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup folders

╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-90/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237895 Oct 15  2021 /usr/src/linux-headers-5.4.0-90-generic/.config.old
-rw-r--r-- 1 root root 0 Oct 15  2021 /usr/src/linux-headers-5.4.0-90-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Oct 15  2021 /usr/src/linux-headers-5.4.0-90-generic/include/config/net/team/mode/activebackup.h
-rwxr-xr-x 1 root root 1513 Jan 25  2020 /usr/share/doc/libipc-system-simple-perl/examples/rsync-backup.pl
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 11070 Nov 20  2021 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 1775 Feb 25  2021 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1403 Aug 24  2021 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 43888 Mar  9  2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9073 Oct 15  2021 /usr/lib/modules/5.4.0-90-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Oct 15  2021 /usr/lib/modules/5.4.0-90-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 2743 Aug 24  2021 /etc/apt/sources.list.curtin.old

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)




 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)


 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)





╔══════════╣ Web files?(output limit)

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 7202 Mar 25  2020 /usr/share/npm/node_modules/es-to-primitive/.travis.yml
-rw-r--r-- 1 root root 286 Mar 25  2020 /usr/share/npm/node_modules/es-to-primitive/.editorconfig
-rw-r--r-- 1 root root 4130 Mar 25  2020 /usr/share/npm/node_modules/es-to-primitive/.jscs.json
-rw-r--r-- 1 root root 38 Mar 25  2020 /usr/share/npm/node_modules/qrcode-terminal/.travis.yml
-rw-r--r-- 1 root root 6965 Mar 25  2020 /usr/share/npm/node_modules/es-abstract/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25  2020 /usr/share/npm/node_modules/es-abstract/.editorconfig
-rw-r--r-- 1 root root 234 Mar 25  2020 /usr/share/npm/node_modules/es-abstract/.nycrc
-rw-r--r-- 1 root root 4003 Mar 25  2020 /usr/share/npm/node_modules/es-abstract/.jscs.json
-rw-r--r-- 1 root root 309 Mar 25  2020 /usr/share/npm/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 152 Mar 25  2020 /usr/share/npm/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Mar 25  2020 /usr/share/npm/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 2261 Mar 25  2020 /usr/share/npm/node_modules/has-symbols/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25  2020 /usr/share/npm/node_modules/libnpmpublish/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25  2020 /usr/share/npm/node_modules/libnpmaccess/.travis.yml
-rw-r--r-- 1 root root 69 Mar 25  2020 /usr/share/npm/node_modules/util-promisify/.travis.yml
-rw-r--r-- 1 root root 189 Mar 25  2020 /usr/share/npm/node_modules/read-installed/.travis.yml
-rw-r--r-- 1 root root 105 Mar 25  2020 /usr/share/npm/node_modules/path-parse/.travis.yml
-rw-r--r-- 1 root root 185 Mar 25  2020 /usr/share/npm/node_modules/socks/.travis.yml
-rw-r--r-- 1 root root 84 Mar 25  2020 /usr/share/npm/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 1151 Mar 25  2020 /usr/share/npm/node_modules/is-date-object/.travis.yml
-rw-r--r-- 1 root root 2878 Mar 25  2020 /usr/share/npm/node_modules/is-date-object/.jscs.json
-rw-r--r-- 1 root root 4770 Mar 25  2020 /usr/share/npm/node_modules/is-regex/.travis.yml
-rw-r--r-- 1 root root 4140 Mar 25  2020 /usr/share/npm/node_modules/is-regex/.jscs.json
-rw-r--r-- 1 root root 108 Mar 25  2020 /usr/share/npm/node_modules/fast-json-stable-stringify/.travis.yml
-rw-r--r-- 1 root root 1959 Mar 25  2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25  2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.editorconfig
-rw-r--r-- 1 root root 4140 Mar 25  2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.jscs.json
-rw-r--r-- 1 root root 72 Mar 25  2020 /usr/share/npm/node_modules/libnpmorg/.travis.yml
-rw-r--r-- 1 root root 300 Mar 25  2020 /usr/share/npm/node_modules/socks-proxy-agent/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 284 Mar 25  2020 /usr/share/npm/node_modules/socks-proxy-agent/.travis.yml
-rw-r--r-- 1 root root 292 Mar 25  2020 /usr/share/npm/node_modules/http-proxy-agent/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25  2020 /usr/share/npm/node_modules/libnpmsearch/.travis.yml
-rw-r--r-- 1 root root 6738 Mar 25  2020 /usr/share/npm/node_modules/is-callable/.travis.yml
-rw-r--r-- 1 root root 993 Mar 25  2020 /usr/share/npm/node_modules/is-callable/.istanbul.yml
-rw-r--r-- 1 root root 286 Mar 25  2020 /usr/share/npm/node_modules/is-callable/.editorconfig
-rw-r--r-- 1 root root 4128 Mar 25  2020 /usr/share/npm/node_modules/is-callable/.jscs.json
-rw-r--r-- 1 root root 111 Mar 25  2020 /usr/share/npm/node_modules/dezalgo/.travis.yml
-rw-r--r-- 1 root root 127 Mar 25  2020 /usr/share/npm/node_modules/worker-farm/.travis.yml
-rw-r--r-- 1 root root 277 Mar 25  2020 /usr/share/npm/node_modules/worker-farm/.editorconfig
-rw-r--r-- 1 root root 7236 Mar 25  2020 /usr/share/npm/node_modules/is-symbol/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25  2020 /usr/share/npm/node_modules/is-symbol/.editorconfig
-rw-r--r-- 1 root root 5 Mar 25  2020 /usr/share/npm/node_modules/is-symbol/.nvmrc
-rw-r--r-- 1 root root 4128 Mar 25  2020 /usr/share/npm/node_modules/is-symbol/.jscs.json
-rw-r--r-- 1 root root 139 Mar 25  2020 /usr/share/npm/node_modules/unique-slug/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25  2020 /usr/share/npm/node_modules/libnpmteam/.travis.yml
-rw-r--r-- 1 root root 715 Mar 25  2020 /usr/share/npm/node_modules/https-proxy-agent/.editorconfig
-rw-r--r-- 1 root root 143 Mar 25  2020 /usr/share/npm/node_modules/meant/.travis.yml
-rw-r--r-- 1 root root 58 Mar 25  2020 /usr/share/npm/node_modules/sorted-union-stream/.travis.yml
-rw-r--r-- 1 root root 439 Jul 14  2019 /usr/share/nodejs/ajv/.tonic_example.js
-rw-r--r-- 1 root root 219 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/async-listener/.travis.yml
-rw-r--r-- 1 root root 230 Aug 25  2016 /usr/local/lib/node_modules/pm2/node_modules/fclone/.travis.yml
-rw-r--r-- 1 root root 293 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.travis.yml
-rw-r--r-- 1 root root 43 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.prettierrc
-rw-r--r-- 1 root root 512 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.eslintrc
-rw-r--r-- 1 root root 5451 Aug 28  2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.travis.yml
-rw-r--r-- 1 root root 286 Aug 28  2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.editorconfig
-rw-r--r-- 1 root root 176 Aug 28  2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/test/.eslintrc
-rw-r--r-- 1 root root 231 Aug 28  2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.eslintrc
-rw-r--r-- 1 root root 4140 Aug 28  2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.jscs.json
-rw-r--r-- 1 root root 152 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 144 Jun 22  2016 /usr/local/lib/node_modules/pm2/node_modules/yamljs/.travis.yml
-rw-r--r-- 1 root root 71 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/shimmer/.travis.yml
-rw-r--r-- 1 root root 125 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/tx2/.travis.yml
-rw-r--r-- 1 root root 107 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/vizion/.travis.yml
-rw-r--r-- 1 root root 173 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/socks/.travis.yml
-rw-r--r-- 1 root root 124 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 119 Nov 20  2017 /usr/local/lib/node_modules/pm2/node_modules/continuation-local-storage/.travis.yml
-rw-r--r-- 1 root root 422 Nov 18  2016 /usr/local/lib/node_modules/pm2/node_modules/continuation-local-storage/.eslintrc
-rw-r--r-- 1 root root 71 Oct 26  1985 /usr/local/lib/node_modules/pm2/node_modules/emitter-listener/.travis.yml

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 268 Nov 20  2021 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 937220 Nov 25  2021 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 56856 Feb  7 14:51 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 100 Aug 24  2021 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 51200 Nov 21  2021 /var/backups/alternatives.tar.0

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/paul
/run/lock
/run/screen
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
/var/crash
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/usr/local/lib/node_modules/pm2/node_modules/enquirer/lib/prompts/password.js
/usr/local/lib/node_modules/pm2/node_modules/proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)[3mThere are more creds/passwds files in the previous parent folder[0m

/usr/share/npm/lib/config/get-credentials-by-uri.js
/usr/share/npm/lib/config/set-credentials-by-uri.js
/usr/share/npm/node_modules/agent-base/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/http-proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/socks-proxy-agent/node_modules/agent-base/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/pam/common-password
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/fwupd/pki/secret.key
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
 base-passwd depends on libc6 (>= 2.8); however:
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
2021-11-20 16:28:31,552 DEBUG root:39 start: subiquity/Identity/POST: {"realname": "RouterSpace", "username": "h4rithd", "crypted_password": "$6$cm...
2021-11-20 16:52:28,636 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes
2021-11-20 16:52:28,638 - ssh_util.py[DEBUG]: line 124: option PasswordAuthentication added with yes
2021-11-20 16:52:28,731 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
2021-11-20 16:52:28,732 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully
2021-11-20 18:44:46,992 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:44:46,992 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 18:50:05,844 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:50:05,844 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 18:53:41,629 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:53:41,629 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 19:13:43,796 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 19:13:43,796 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 21:57:12,077 DEBUG subiquitycore.utils:48 run_command called: chpasswd
2021-11-20 21:57:12,114 DEBUG subiquitycore.utils:61 run_command chpasswd exited with code 0
2021-11-21 06:22:02,191 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 06:22:02,191 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 13:34:28,834 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 13:34:28,834 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 14:47:55,884 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 14:47:55,884 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 15:35:04,276 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 15:35:04,276 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:35:48,406 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:35:48,406 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:37:54,009 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:37:54,009 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:41:19,107 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:41:19,108 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:56:50,225 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:56:50,225 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:59:55,247 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:59:55,247 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:15:20,565 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:15:20,565 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:41:22,597 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:41:22,597 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:46:37,147 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:46:37,147 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:49:27,266 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:49:27,266 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 09:34:01,712 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 09:34:01,712 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 11:32:35,051 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 11:32:35,052 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 13:06:43,629 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 13:06:43,629 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 05:52:21,506 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 05:52:21,506 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 07:36:00,980 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 07:36:00,980 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 08:23:03,868 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 08:23:03,869 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 08:30:32,101 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 08:30:32,101 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:04:58,979 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:04:58,979 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:08:59,841 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:08:59,841 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:11:01,317 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:11:01,317 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:24:53,592 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:24:53,592 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
Binary file /var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/user-1001.journal matches
Nov 20 16:45:21 ubuntu-server chage[5521]: changed password expiry for usbmux
Nov 20 16:45:21 ubuntu-server usermod[5514]: change user 'usbmux' password
Nov 20 16:46:14 ubuntu-server chage[17097]: changed password expiry for sshd
Nov 20 16:46:14 ubuntu-server usermod[17090]: change user 'sshd' password