════════════════════════════════════╣ Basic information ╠════════════════════════════════════ OS: Linux version 5.4.0-73-generic (buildd@lcy01-amd64-019) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 User & Groups: uid=1001(nathan) gid=1001(nathan) groups=1001(nathan) Hostname: cap Writable folder: /dev/shm [+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories using 2 threads . . . . . . . . . . . . . . . . . . . . . . . . DONE ════════════════════════════════════╣ System Information ╠════════════════════════════════════ [+] Operative system [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits Linux version 5.4.0-73-generic (buildd@lcy01-amd64-019) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 Distributor ID: Ubuntu Description: Ubuntu 20.04.2 LTS Release: 20.04 Codename: focal [+] Sudo version [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version Sudo version 1.8.31 [+] USBCreator [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation [+] PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin [+] Date Sat Jun 5 22:21:54 UTC 2021 [+] System stats Filesystem Size Used Avail Use% Mounted on udev 937M 0 937M 0% /dev tmpfs 196M 1.1M 195M 1% /run /dev/mapper/ubuntu--vg-ubuntu--lv 8.8G 3.1G 5.7G 35% / tmpfs 980M 0 980M 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 980M 0 980M 0% /sys/fs/cgroup /dev/sda2 976M 200M 
710M 22% /boot /dev/loop1 33M 33M 0 100% /snap/snapd/11841 /dev/loop2 72M 72M 0 100% /snap/lxd/16099 /dev/loop0 56M 56M 0 100% /snap/core18/2066 /dev/loop3 68M 68M 0 100% /snap/lxd/20326 /dev/loop4 30M 30M 0 100% /snap/snapd/8542 /dev/loop5 56M 56M 0 100% /snap/core18/1997 tmpfs 196M 0 196M 0% /run/user/1001 total used free shared buff/cache available Mem: 2006376 337532 1136268 1116 532576 1480392 Swap: 2097148 0 2097148 [+] CPU info Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian Address sizes: 43 bits physical, 48 bits virtual CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 2 NUMA node(s): 1 Vendor ID: AuthenticAMD CPU family: 23 Model: 49 Model name: AMD EPYC 7302P 16-Core Processor Stepping: 0 CPU MHz: 2994.375 BogoMIPS: 5988.75 Hypervisor vendor: VMware Virtualization type: full L1d cache: 64 KiB L1i cache: 64 KiB L2 cache: 1 MiB L3 cache: 256 MiB NUMA node0 CPU(s): 0,1 Vulnerability Itlb multihit: Not affected Vulnerability L1tf: Not affected Vulnerability Mds: Not affected Vulnerability Meltdown: Not affected Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Vulnerability Spectre v2: Mitigation; Full AMD retpoline, IBPB conditional, STIBP disabled, RSB filling Vulnerability Srbds: Not affected Vulnerability Tsx async abort: Not affected Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic m ovbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmca ll fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xsaves clzero arat 
overflow_recov succor [+] Environment [i] Any private information inside environment variables? LESSOPEN=| /usr/bin/lesspipe %s HISTFILESIZE=0 USER=nathan SSH_CLIENT=10.10.14.240 35640 22 XDG_SESSION_TYPE=tty SHLVL=1 MOTD_SHOWN=pam HOME=/home/nathan SSH_TTY=/dev/pts/0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus LOGNAME=nathan _=./linpeas.sh XDG_SESSION_CLASS=user TERM=xterm-256color XDG_SESSION_ID=2 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin XDG_RUNTIME_DIR=/run/user/1001 LANG=C.UTF-8 HISTSIZE=0
SHELL=/bin/bash LESSCLOSE=/usr/bin/lesspipe %s %s PWD=/home/nathan SSH_CONNECTION=10.10.14.240 35640 10.129.146.192 22 XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop HISTFILE=/dev/null [+] Searching Signature verification failed in dmseg [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed Not Found [+] AppArmor enabled? .............. You do not have enough privilege to read the profile set. apparmor module is loaded. [+] grsecurity present? ............ grsecurity Not Found [+] PaX bins present? .............. PaX Not Found [+] Execshield enabled? ............ Execshield Not Found [+] SELinux enabled? ............... sestatus Not Found [+] Is ASLR enabled? ............... Yes [+] Printer? ....................... lpstat Not Found [+] Is this a virtual machine? ..... Yes (vmware) ═════════════════════════════════════════╣ Containers ╠══════════════════════════════════════════ [+] Is this a container? ........... No [+] Container related tools present /snap/bin/lxc [+] Any running containers? ........ No ═════════════════════════════════════════╣ Devices ╠══════════════════════════════════════════ [+] Any sd*/disk* disk in /dev? (limit 20) disk sda sda1 sda2 sda3 sda4 [+] Unmounted file-system? 
[i] Check if you can mount umounted devices /dev/disk/by-id/dm-uuid-LVM-2om9fd1B3Q2r7E8yJyxwbZF4JCSUIQCqYgbAERHfSMVI2q5K9TyUTeGzFxbyZN4a / ext4 defaults 0 0 /dev/disk/by-uuid/d3d1cf9e-20c6-450f-b152-9854f6a804ad /boot ext4 defaults 0 0 /dev/sda4 none swap sw 0 0 proc /proc proc defaults,hidepid=2 0 0 ════════════════════════════════════╣ Available Software ╠════════════════════════════════════ [+] Useful software /snap/bin/lxc /usr/bin/nc /usr/bin/netcat /usr/bin/wget /usr/bin/curl /usr/bin/ping /usr/bin/gcc /usr/bin/g++ /usr/bin/make /usr/bin/base64 /usr/bin/python3 /usr/bin/perl /usr/bin/sudo [+] Installed Compiler ii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler ii g++-9 9.3.0-17ubuntu1~20.04 amd64 GNU C++ compiler ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler ii gcc-9 9.3.0-17ubuntu1~20.04 amd64 GNU C compiler /usr/bin/gcc /usr/bin/g++ ══════════════════════════════╣ Processes, Cron, Services, Timers & Sockets ╠════════════════════════════════ [+] Cleaned processes [i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes nathan 2948 0.0 0.2 7152 5224 pts/0 Ss 21:58 0:00 -bash nathan 3926 0.2 0.1 3080 2420 pts/0 S+ 22:21 0:00 _ /bin/sh ./linpeas.sh nathan 4642 0.0 0.0 3080 612 pts/0 S+ 22:21 0:00 _ /bin/sh ./linpeas.sh nathan 4646 0.0 0.1 7648 3248 pts/0 R+ 22:21 0:00 | _ ps fauxwww nathan 4644 0.0 0.0 3080 612 pts/0 R+ 22:21 0:00 _ /bin/sh ./linpeas.sh nathan 4645 0.0 0.0 3080 612 pts/0 S+ 22:21 0:00 _ /bin/sh ./linpeas.sh nathan 2820 0.0 0.4 18520 9504 ? Ss 21:58 0:00 /lib/systemd/systemd --user nathan 4587 0.0 0.1 7108 3992 ? 
Ss 22:21 0:00 _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only [+] Binary processes permissions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes 0 lrwxrwxrwx 1 root root 4 Jul 31 2020 /bin/sh -> dash 1.6M -rwxr-xr-x 1 root root 1.6M Mar 17 21:36 /lib/systemd/systemd 244K -rwxr-xr-x 1 root root 244K Jun 11 2020 /usr/bin/dbus-daemon [+] Files opened by processes belonging to other users [i] This is usually empty because of the lack of privileges to read other user processes information COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [+] Processes with credentials in memory (root req) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd Not Found [+] Cron jobs [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab /etc/cron.d: total 20 drwxr-xr-x 2 root root 4096 Jul 31 2020 . drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder -rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all -rw-r--r-- 1 root root 190 Jul 31 2020 popularity-contest /etc/cron.daily: total 48 drwxr-xr-x 2 root root 4096 May 31 16:14 . drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder -rwxr-xr-x 1 root root 376 Dec 4 2019 apport -rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat -rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils -rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg -rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate -rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db -rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest -rwxr-xr-x 1 root root 214 Apr 2 2020 update-notifier-common /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Jul 31 2020 . 
drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 Jul 31 2020 . drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 May 23 18:37 . drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder -rwxr-xr-x 1 root root 813 Feb 25 2020 man-db -rwxr-xr-x 1 root root 211 Apr 2 2020 update-notifier-common SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin [+] Services [i] Search for outdated versions [ + ] apparmor [ + ] apport [ + ] atd [ - ] console-setup.sh [ + ] cron [ - ] cryptdisks [ - ] cryptdisks-early [ + ] dbus [ + ] grub-common [ - ] hwclock.sh [ + ] irqbalance [ - ] iscsid [ - ] keyboard-setup.sh [ + ] kmod [ - ] lvm2 [ - ] lvm2-lvmpolld [ + ] multipath-tools [ + ] networking [ - ] open-iscsi [ + ] open-vm-tools [ - ] plymouth [ - ] plymouth-log [ + ] procps [ - ] rsync [ + ] rsyslog [ - ] screen-cleanup [ + ] ssh [ + ] udev [ - ] uuidd [ + ] vsftpd [+] Systemd PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin [+] Analyzing .service files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#services /etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path /lib/systemd/system/atd.service is executing some relative path /lib/systemd/system/initrd-cleanup.service is executing some relative path /lib/systemd/system/initrd-parse-etc.service is executing some relative path /lib/systemd/system/initrd-switch-root.service is executing some relative path /lib/systemd/system/initrd-udevadm-cleanup-db.service is executing some relative path /lib/systemd/system/mdmonitor-oneshot.service is executing some relative path 
/lib/systemd/system/sysinit.target.wants/systemd-boot-system-token.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-hwdb-update.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-journal-flush.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-machine-id-commit.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-sysusers.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-udev-trigger.service is executing some relative path /lib/systemd/system/sysinit.target.wants/systemd-udevd.service is executing some relative path /lib/systemd/system/systemd-ask-password-console.service is executing some relative path /lib/systemd/system/systemd-ask-password-wall.service is executing some relative path /lib/systemd/system/systemd-boot-system-token.service is executing some relative path /lib/systemd/system/systemd-halt.service is executing some relative path /lib/systemd/system/systemd-hwdb-update.service is executing some relative path /lib/systemd/system/systemd-journal-flush.service is executing some relative path /lib/systemd/system/systemd-kexec.service is executing some relative path /lib/systemd/system/systemd-machine-id-commit.service is executing some relative path /lib/systemd/system/systemd-sysusers.service is executing some relative path /lib/systemd/system/systemd-tmpfiles-clean.service is executing some relative path /lib/systemd/system/systemd-udev-settle.service is executing some relative path /lib/systemd/system/systemd-udev-trigger.service is executing some relative path /lib/systemd/system/systemd-udevd.service is executing some relative path /lib/systemd/system/udev.service is executing some relative path /lib/systemd/user/systemd-tmpfiles-clean.service is executing some relative path /lib/systemd/user/systemd-tmpfiles-setup.service is executing some relative path 
/usr/lib/systemd/system/atd.service is executing some relative path /usr/lib/systemd/system/initrd-cleanup.service is executing some relative path /usr/lib/systemd/system/initrd-parse-etc.service is executing some relative path /usr/lib/systemd/system/initrd-switch-root.service is executing some relative path /usr/lib/systemd/system/initrd-udevadm-cleanup-db.service is executing some relative path /usr/lib/systemd/system/mdmonitor-oneshot.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-boot-system-token.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-hwdb-update.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-journal-flush.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-machine-id-commit.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-sysusers.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-udev-trigger.service is executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-udevd.service is executing some relative path /usr/lib/systemd/system/systemd-ask-password-console.service is executing some relative path /usr/lib/systemd/system/systemd-ask-password-wall.service is executing some relative path /usr/lib/systemd/system/systemd-boot-system-token.service is executing some relative path /usr/lib/systemd/system/systemd-halt.service is executing some relative path /usr/lib/systemd/system/systemd-hwdb-update.service is executing some relative path /usr/lib/systemd/system/systemd-journal-flush.service is executing some relative path /usr/lib/systemd/system/systemd-kexec.service is executing some relative path /usr/lib/systemd/system/systemd-machine-id-commit.service is executing some relative path /usr/lib/systemd/system/systemd-sysusers.service is executing some relative path 
/usr/lib/systemd/system/systemd-tmpfiles-clean.service is executing some relative path /usr/lib/systemd/system/systemd-udev-settle.service is executing some relative path /usr/lib/systemd/system/systemd-udev-trigger.service is executing some relative path /usr/lib/systemd/system/systemd-udevd.service is executing some relative path /usr/lib/systemd/system/udev.service is executing some relative path /usr/lib/systemd/user/systemd-tmpfiles-clean.service is executing some relative path /usr/lib/systemd/user/systemd-tmpfiles-setup.service is executing some relative path You can't write on systemd PATH [+] System timers [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Sat 2021-06-05 22:45:40 UTC 23min left Sun 2021-05-23 18:36:01 UTC 1 weeks 6 days ago fwupd-refresh.timer fwupd-refresh.service Sat 2021-06-05 22:48:05 UTC 25min left Sun 2021-05-23 14:56:11 UTC 1 weeks 6 days ago motd-news.timer motd-news.service Sun 2021-06-06 00:00:00 UTC 1h 37min left Sat 2021-06-05 20:59:46 UTC 1h 22min ago logrotate.timer logrotate.service Sun 2021-06-06 00:00:00 UTC 1h 37min left Sat 2021-06-05 20:59:46 UTC 1h 22min ago man-db.timer man-db.service Sun 2021-06-06 02:00:58 UTC 3h 38min left Sun 2021-05-23 18:36:01 UTC 1 weeks 6 days ago apt-daily.timer apt-daily.service Sun 2021-06-06 03:10:25 UTC 4h 48min left Mon 2021-05-31 16:13:56 UTC 5 days ago e2scrub_all.timer e2scrub_all.service Sun 2021-06-06 03:59:26 UTC 5h 37min left Sat 2021-06-05 21:23:27 UTC 58min ago ua-messaging.timer ua-messaging.service Sun 2021-06-06 06:20:08 UTC 7h left Sat 2021-06-05 21:15:12 UTC 1h 6min ago apt-daily-upgrade.timer apt-daily-upgrade.service Sun 2021-06-06 21:14:42 UTC 22h left Sat 2021-06-05 21:14:42 UTC 1h 7min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service Mon 2021-06-07 00:00:00 UTC 1 day 1h left Mon 2021-05-31 16:13:26 UTC 5 days ago fstrim.timer fstrim.service n/a n/a n/a n/a snapd.snap-repair.timer 
snapd.snap-repair.service [+] Analyzing .timer files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers [+] Analyzing .socket files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets [+] HTTP sockets [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets Socket /run/user/1001/snapd-session-agent.socket owned by nathan uses HTTP. Response to /index: {"type":"error","result":{"message":"method \"GET\" not allowed"}} Socket /run/snapd.socket owned by root uses HTTP. Response to /index: {"type":"sync","status-code":200,"status":"OK","result":["TBD"]} Socket /run/snapd-snap.socket owned by root uses HTTP. Response to /index: {"type":"error","status-code":401,"status":"Unauthorized","result":{"message":"access denied","kind":"login-required"}} [+] D-Bus config files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( ) [+] D-Bus Service Objects list [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION :1.0 - - - - - - - :1.1 - - - - - - - :1.11 - - - - - - - :1.115 - - - - - - - :1.2 - - - - - - - :1.4 - - - - - - - :1.5 - - - - - - - :1.6 - - - - - - - :1.7 - - - - - - - :1.8 - - - - - - - com.ubuntu.LanguageSelector - - - (activatable) - - - com.ubuntu.SoftwareProperties - - - (activatable) - - - org.freedesktop.Accounts - - - - - - - org.freedesktop.DBus - - - - - - - org.freedesktop.PackageKit - - - (activatable) - - - org.freedesktop.PolicyKit1 - - - - - - - org.freedesktop.UPower - - - (activatable) - - - org.freedesktop.bolt - - - (activatable) - - - org.freedesktop.fwupd - - - (activatable) - - - org.freedesktop.hostname1 - - - (activatable) - - - org.freedesktop.locale1 - - - (activatable) - - - org.freedesktop.login1 - - - - - - - org.freedesktop.network1 - - - - - - - org.freedesktop.resolve1 - - - - - - - 
org.freedesktop.systemd1 - - - - - - - org.freedesktop.thermald - - - (activatable) - - - org.freedesktop.timedate1 - - - (activatable) - - - org.freedesktop.timesync1 - - - - - - - ═══════════════════════════════════╣ Network Information ╠════════════════════════════════════ [+] Hostname, hosts and DNS cap 127.0.0.1 localhost 127.0.0.1 cap nameserver 127.0.0.53 options edns0 trust-ad [+] Content of /etc/inetd.conf & /etc/xinetd.conf /etc/inetd.conf Not Found [+] Interfaces # symbolic names for networks, see networks(5) for more information link-local 169.254.0.0 eth0: flags=4163 mtu 1500 inet 10.129.146.192 netmask 255.255.0.0 broadcast 10.129.255.255 inet6 fe80::250:56ff:feb9:4af4 prefixlen 64 scopeid 0x20 inet6 dead:beef::250:56ff:feb9:4af4 prefixlen 64 scopeid 0x0 ether 00:50:56:b9:4a:f4 txqueuelen 1000 (Ethernet) RX packets 9694 bytes 1072961 (1.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 3964 bytes 1288587 (1.2 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1000 (Local Loopback) RX packets 5726 bytes 450584 (450.5 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5726 bytes 450584 (450.5 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [+] Networks and neighbours Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 10.129.0.1 0.0.0.0 UG 0 0 0 eth0 10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 Address HWtype HWaddress Flags Mask Iface 10.129.0.1 ether 00:50:56:b9:b5:5b C eth0 [+] Iptables rules iptables rules Not Found [+] Active Ports [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::21 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - [+] Can I sniff with tcpdump? 
No ════════════════════════════════════╣ Users Information ╠════════════════════════════════════ [+] My user [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#users uid=1001(nathan) gid=1001(nathan) groups=1001(nathan) [+] Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Clipboard or highlighted text? xsel and xclip Not Found [+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid Sorry, try again. [+] Checking sudo tokens [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens /proc/sys/kernel/yama/ptrace_scope is not enabled (1) gdb wasn't found in PATH [+] Checking doas.conf /etc/doas.conf Not Found [+] Checking Pkexec policy [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [Configuration] AdminIdentities=unix-user:0 [Configuration] AdminIdentities=unix-group:sudo;unix-group:admin [+] Superusers root:x:0:0:root:/root:/bin/bash [+] Users with console nathan:x:1001:1001::/home/nathan:/bin/bash root:x:0:0:root:/root:/bin/bash [+] All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1(daemon) gid=1(daemon) groups=1(daemon) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network) uid=1001(nathan) gid=1001(nathan) groups=1001(nathan) uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve) uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync) uid=103(messagebus) gid=106(messagebus) groups=106(messagebus) uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty) uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=106(tss) gid=111(tss) groups=111(tss) uid=107(uuidd) gid=112(uuidd) groups=112(uuidd) uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump) uid=109(landscape) gid=115(landscape) groups=115(landscape) uid=110(pollinate) 
gid=1(daemon) groups=1(daemon) uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=112(ftp) gid=118(ftp) groups=118(ftp) uid=113(usbmux) gid=46(plugdev) groups=46(plugdev) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) uid=998(lxd) gid=100(users) groups=100(users) uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump) [+] Login now 22:22:33 up 1:22, 1 user, load average: 0.86, 0.26, 0.09 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [+] Last logons root pts/0 Fri May 21 14:32:11 2021 - down (00:01) 10.10.14.7 root tty1 Fri May 21 14:31:21 2021 - down (00:02) 0.0.0.0 reboot system boot Fri May 21 14:30:50 2021 - Fri May 21 14:33:53 2021 (00:03) 0.0.0.0 root tty1 Fri May 21 13:43:26 2021 - down (00:47) 0.0.0.0 reboot system boot Fri May 21 13:40:52 2021 - Fri May 21 14:30:42 2021 (00:49) 0.0.0.0 root tty1 Sat May 15 21:41:23 2021 - down (00:01) 0.0.0.0 lab tty1 Sat May 15 21:40:56 2021 - Sat May 15 21:41:11 2021 (00:00) 0.0.0.0 reboot system boot Sat May 15 21:40:45 2021 - Sat May 15 21:42:37 2021 (00:01) 0.0.0.0 wtmp begins Sat May 15 21:40:29 2021 [+] Last time logon each user Username Port From Latest root tty1 Tue Jun 1 10:32:42 +0000 2021 nathan pts/0 10.10.14.240 Sat Jun 5 21:58:31 +0000 2021 [+] Password policy PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 ENCRYPT_METHOD SHA512 [+] Do not forget to test 'su' as any other user 
with shell: without password and with their names as password (I can't do it...) [+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ═══════════════════════════════════╣ Software Information ╠═══════════════════════════════════ [+] MySQL version mysql Not Found [+] MySQL connection using default root/root ........... No [+] MySQL connection using root/toor ................... No [+] MySQL connection using root/NOPASS ................. No [+] Searching mysql credentials and exec [+] PostgreSQL version and pgadmin credentials Not Found [+] PostgreSQL connection to template0 using postgres/NOPASS ........ No [+] PostgreSQL connection to template1 using postgres/NOPASS ........ No [+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No [+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No [+] Apache server info Not Found [+] Searching PHPCookies Not Found [+] Searching Wordpress wp-config.php files wp-config.php Not Found [+] Searching Drupal settings.php files /default/settings.php Not Found [+] Searching Moodle config.php files config.php inside a moodle folder Not Found [+] Searching Tomcat users file tomcat-users.xml Not Found [+] Mongo information mongo binary Not Found [+] Searching supervisord configuration file supervisord.conf Not Found [+] Searching cesi configuration file cesi.conf Not Found [+] Searching Rsyncd config file /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz [+] Searching Hostapd config file hostapd.conf Not Found [+] Searching wifi conns file Not Found [+] Searching Anaconda-ks config files anaconda-ks.cfg Not Found [+] 
Searching .vnc directories and their passwd files .vnc Not Found [+] Searching ldap directories and their hashes /etc/ldap The password hash is from the {SSHA} to 'structural' [+] Searching .ovpn files and credentials .ovpn Not Found [+] Searching ssl/ssh files PermitRootLogin yes ChallengeResponseAuthentication no UsePAM yes PasswordAuthentication yes --> Some certificates were found (out limited): /var/lib/fwupd/pki/client.pem /etc/pki/fwupd-metadata/LVFS-CA.pem /etc/pki/fwupd/LVFS-CA.pem /etc/pollinate/entropy.ubuntu.com.pem --> /etc/hosts.allow file found, read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Include /etc/ssh/ssh_config.d/*.conf Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes [+] Searching unexpected auth lines in /etc/pam.d/sshd No [+] Searching Cloud credentials (AWS, Azure, GC) [+] NFS exports? [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe /etc/exports Not Found [+] Searching kerberos conf files and tickets [i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt tickets kerberos Not Found klist Not Found [+] Searching Kibana yaml kibana.yml Not Found [+] Searching Knock configuration Knock.config Not Found [+] Searching logstash files Not Found [+] Searching elasticsearch files Not Found [+] Searching Vault-ssh files vault-ssh-helper.hcl Not Found [+] Searching AD cached hashes cached hashes Not Found [+] Searching screen sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions No Sockets found in /run/screen/S-nathan. 
[+] Searching tmux sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions tmux Not Found [+] Searching Couchdb directory [+] Searching redis.conf [+] Searching dovecot files dovecot credentials Not Found [+] Searching mosquitto.conf [+] Searching neo4j auth file [+] Searching Cloud-Init conf file [+] Searching Erlang cookie file [+] Searching GVM auth file [+] Searching IPSEC files [+] Searching IRSSI files [+] Searching Keyring files Keyring folder: /usr/share/keyrings /usr/share/keyrings: total 44 -rw-r--r-- 1 root root 2274 May 11 10:19 ubuntu-advantage-cis.gpg -rw-r--r-- 1 root root 2236 May 11 10:19 ubuntu-advantage-esm-apps.gpg -rw-r--r-- 1 root root 2264 May 11 10:19 ubuntu-advantage-esm-infra-trusty.gpg -rw-r--r-- 1 root root 2275 May 11 10:19 ubuntu-advantage-fips.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 1227 May 27 2010 ubuntu-master-keyring.gpg [+] Searching Filezilla sites file [+] Searching backup-manager files [+] Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /usr/share/bash-completion/completions/passwd passwd file: /usr/share/lintian/overrides/passwd [+] Searching GitLab related files [+] Searching PGP/GPG PGP/GPG software: /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Searching vim files lrwxrwxrwx 1 root root 9 May 27 09:16 /home/nathan/.viminfo -> /dev/null [+] Checking if containerd(ctr) is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation [+] Checking if runc is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation [+] Searching docker files [i] 
https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket [+] Interesting Firefox Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Interesting Chrome Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Autologin Files [+] S/Key authentication [+] YubiKey authentication [+] Passwords inside pam.d [+] FastCGI Params [+] SNMPs ════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════ [+] SUID - Check easy privesc, exploits and write perms [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/1997/usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/2066/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/2066/usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2066/usr/bin/gpasswd -rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2066/usr/bin/chsh -rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2066/usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2066/bin/su -rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/1997/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/1997/usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1997/usr/bin/gpasswd -rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1997/usr/bin/chsh -rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1997/usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 44K Mar 
22 2019 /snap/core18/1997/bin/su -rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/2066/bin/ping -rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/1997/bin/ping -rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 23K Aug 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-x 1 root root 31K Aug 16 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount -rwsr-xr-x 1 root root 67K May 28 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 44K May 28 2020 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd -rwsr-xr-x 1 root root 52K May 28 2020 /usr/bin/chsh -rwsr-xr-x 1 root root 84K May 28 2020 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/1997/usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 109K Jul 10 2020 /snap/snapd/8542/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304) -rwsr-xr-x 1 root root 39K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 67K Jul 21 2020 /usr/bin/su -rwsr-xr-x 1 root root 55K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/2066/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/2066/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/1997/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 43K Sep 16 2020 
/snap/core18/1997/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 163K Jan 19 14:21 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 146K Jan 19 14:36 /snap/core18/2066/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 146K Jan 19 14:36 /snap/core18/1997/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 128K Feb 2 08:21 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304) -rwsr-xr-x 1 root root 463K Mar 9 14:17 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 109K Apr 24 12:05 /snap/snapd/11841/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304) [+] SGID [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at -rwxr-sr-x 1 root crontab 355K Mar 4 2019 /snap/core18/2066/usr/bin/ssh-agent -rwxr-sr-x 1 root crontab 355K Mar 4 2019 /snap/core18/1997/usr/bin/ssh-agent -rwxr-sr-x 1 root shadow 23K Mar 22 2019 /snap/core18/2066/usr/bin/expiry -rwxr-sr-x 1 root shadow 71K Mar 22 2019 /snap/core18/2066/usr/bin/chage -rwxr-sr-x 1 root shadow 23K Mar 22 2019 /snap/core18/1997/usr/bin/expiry -rwxr-sr-x 1 root shadow 71K Mar 22 2019 /snap/core18/1997/usr/bin/chage -rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter -rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab -rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write -rwxr-sr-x 1 root shadow 31K May 28 2020 /usr/bin/expiry -rwxr-sr-x 1 root shadow 83K May 28 2020 /usr/bin/chage -rwxr-sr-x 1 root tty 35K Jul 21 2020 /usr/bin/wall -rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/2066/sbin/unix_chkpwd -rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/2066/sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/1997/sbin/unix_chkpwd 
-rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/1997/sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root tty 31K Sep 16 2020 /snap/core18/2066/usr/bin/wall -rwxr-sr-x 1 root tty 31K Sep 16 2020 /snap/core18/1997/usr/bin/wall -rwxr-sr-x 1 root ssh 343K Mar 9 14:17 /usr/bin/ssh-agent -rwxr-sr-x 1 root shadow 43K Apr 8 11:06 /usr/sbin/unix_chkpwd -rwxr-sr-x 1 root shadow 43K Apr 8 11:06 /usr/sbin/pam_extrausers_chkpwd [+] Checking misconfigurations of ld.so [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf /usr/lib/x86_64-linux-gnu/libfakeroot /etc/ld.so.conf.d/libc.conf /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu [+] Capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Files with capabilities (limited to 50): /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip /usr/bin/ping = cap_net_raw+ep /usr/bin/traceroute6.iputils = cap_net_raw+ep /usr/bin/mtr-packet = cap_net_raw+ep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep [+] Users with capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities [+] Files with ACLs (limited to 50) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls files with acls in searched folders Not Found [+] .sh files in path [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh /usr/bin/rescan-scsi-bus.sh [+] 
Unexpected in root /lost+found /lib32 /libx32 [+] Files (scripts) in /etc/profile.d/ [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 36 drwxr-xr-x 2 root root 4096 May 23 18:37 . drwxr-xr-x 92 root root 4096 Jun 1 10:09 .. -rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh -rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh -rw-r--r-- 1 root root 833 Feb 2 08:21 apps-bin-path.sh -rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh -rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh -rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh -rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh [+] Permissions in init, init.d, systemd, and rc.d [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d [+] Hashes inside passwd file? ........... No [+] Writable passwd file? ................ No [+] Credentials in fstab/mtab? ........... No [+] Can I read shadow files? ............. No [+] Can I read opasswd file? ............. No [+] Can I write in network-scripts? ...... No [+] Can I read root folder? .............. 
No [+] Searching root files in home dirs (limit 30) /home/ /home/nathan/.bash_history /home/nathan/.viminfo /root/ [+] Searching folders owned by me containing others files on it [+] Readable files belonging to root and readable by me but not world readable [+] Modified interesting files in the last 5mins (limit 100) /home/nathan/.gnupg/crls.d/DIR.txt /home/nathan/.gnupg/pubring.kbx /home/nathan/.gnupg/trustdb.gpg /home/nathan/snap/lxd/20326/.config/lxc/config.yml /var/log/syslog /var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal /var/log/journal/06774f23bd654b25a296a616308d2acd/system.journal /var/log/kern.log /var/log/auth.log [+] Writable log files (logrotten) (limit 100) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation logrotate 3.14.0 Default mail command: /usr/bin/mail Default compress command: /bin/gzip Default uncompress command: /bin/gunzip Default compress extension: .gz Default state file path: /var/lib/logrotate/status ACL support: yes SELinux support: yes [+] Files inside /home/nathan (limit 20) total 372 drwxr-xr-x 5 nathan nathan 4096 Jun 5 22:22 . drwxr-xr-x 3 root root 4096 May 23 19:17 .. 
lrwxrwxrwx 1 root root 9 May 15 21:40 .bash_history -> /dev/null -rw-r--r-- 1 nathan nathan 220 Feb 25 2020 .bash_logout -rw-r--r-- 1 nathan nathan 3771 Feb 25 2020 .bashrc drwx------ 2 nathan nathan 4096 May 23 19:17 .cache drwx------ 4 nathan nathan 4096 Jun 5 22:22 .gnupg -rw-r--r-- 1 nathan nathan 807 Feb 25 2020 .profile lrwxrwxrwx 1 root root 9 May 27 09:16 .viminfo -> /dev/null -rwxr-xr-x 1 nathan nathan 341863 Jun 5 22:21 linpeas.sh drwxr-xr-x 3 nathan nathan 4096 Jun 5 22:21 snap -r-------- 1 nathan nathan 33 Jun 5 21:00 user.txt [+] Files inside others home (limit 20) [+] Searching installed mail applications [+] Mails (limit 50) [+] Backup folders drwxr-xr-x 2 root root 4096 May 23 19:17 /var/backups total 708 -rw-r--r-- 1 root root 51200 May 23 06:25 alternatives.tar.0 -rw-r--r-- 1 root root 35024 May 23 18:35 apt.extended_states.0 -rw-r--r-- 1 root root 3787 May 22 11:14 apt.extended_states.1.gz -rw-r--r-- 1 root root 3760 May 21 14:27 apt.extended_states.2.gz -rw-r--r-- 1 root root 3949 May 15 21:40 apt.extended_states.3.gz -rw-r--r-- 1 root root 3694 Sep 23 2020 apt.extended_states.4.gz -rw-r--r-- 1 root root 268 Sep 23 2020 dpkg.diversions.0 -rw-r--r-- 1 root root 135 May 15 21:40 dpkg.statoverride.0 -rw-r--r-- 1 root root 607674 May 22 11:14 dpkg.status.0 [+] Backup files (limited 100) -rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 root root 11886 May 23 18:37 /usr/share/info/dir.old -rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz -rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz -rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old -rw-r--r-- 1 root root 0 Apr 14 16:35 /usr/src/linux-headers-5.4.0-73-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 0 Apr 14 16:35 /usr/src/linux-headers-5.4.0-73-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 237862 Apr 14 16:35 
/usr/src/linux-headers-5.4.0-73-generic/.config.old -rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-48/tools/testing/selftests/net/tcp_fastopen_backup_key.sh -rw-r--r-- 1 root root 0 Sep 10 2020 /usr/src/linux-headers-5.4.0-48-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 0 Sep 10 2020 /usr/src/linux-headers-5.4.0-48-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 237780 Sep 10 2020 /usr/src/linux-headers-5.4.0-48-generic/.config.old -rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-73/tools/testing/selftests/net/tcp_fastopen_backup_key.sh -rw-r--r-- 1 root root 1403 May 23 18:37 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc -rw-r--r-- 1 root root 1775 Feb 25 18:46 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py -rw-r--r-- 1 root root 8729 Sep 10 2020 /usr/lib/modules/5.4.0-48-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 8161 Sep 10 2020 /usr/lib/modules/5.4.0-48-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 9833 Apr 14 16:35 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 9073 Apr 14 16:35 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 44048 Mar 17 07:14 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 2743 Jul 31 2020 /etc/apt/sources.list.curtin.old [+] Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001 Found: /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001 Found: /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001 Found: /var/www/html/static/images/icon/Thumbs.db: Composite Document File V2 
Document, Cannot read section info Found: /var/www/html/static/images/icon/market-value/Thumbs.db: Composite Document File V2 Document, Cannot read section info -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20) -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20) -> Extracting tables from /var/lib/fwupd/pending.db (limit 20) [+] Web files?(output limit) /var/www/: total 12K drwxr-xr-x 3 root root 4.0K May 23 19:17 . drwxr-xr-x 14 root root 4.0K May 23 19:17 .. drwxr-xr-x 6 nathan nathan 4.0K May 25 07:25 html /var/www/html: total 32K drwxr-xr-x 6 nathan nathan 4.0K May 25 07:25 . drwxr-xr-x 3 root root 4.0K May 23 19:17 .. [+] Readable hidden interesting files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data -rw-r--r-- 1 root root 2319 Feb 25 2020 /etc/bash.bashrc -rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc -rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile lrwxrwxrwx 1 root root 9 May 15 21:40 /home/nathan/.bash_history -> /dev/null Searching possible passwords inside /home/nathan/.bash_history (limit 100) -rw-r--r-- 1 nathan nathan 3771 Feb 25 2020 /home/nathan/.bashrc -rw-r--r-- 1 nathan nathan 807 Feb 25 2020 /home/nathan/.profile -rw-r--r-- 1 root root 3106 Aug 14 2019 /usr/share/base-files/dot.bashrc -rw-r--r-- 1 root root 2978 Feb 17 2020 /usr/share/byobu/profiles/bashrc -rw-r--r-- 1 root root 2778 Sep 15 2018 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc -rw-r--r-- 1 root root 802 Sep 15 2018 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc [+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
[+] Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rw-r--r-- 1 root root 135 May 15 21:40 /var/backups/dpkg.statoverride.0 -rw-r--r-- 1 root root 3760 May 21 14:27 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 607674 May 22 11:14 /var/backups/dpkg.status.0 -rw-r--r-- 1 root root 51200 May 23 06:25 /var/backups/alternatives.tar.0 -rw-r--r-- 1 root root 3787 May 22 11:14 /var/backups/apt.extended_states.1.gz -rw-r--r-- 1 root root 3694 Sep 23 2020 /var/backups/apt.extended_states.4.gz -rw-r--r-- 1 root root 268 Sep 23 2020 /var/backups/dpkg.diversions.0 -rw-r--r-- 1 root root 35024 May 23 18:35 /var/backups/apt.extended_states.0 -rw-r--r-- 1 root root 3949 May 15 21:40 /var/backups/apt.extended_states.3.gz [+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files /dev/mqueue /dev/shm /home/nathan /run/lock /run/screen /run/screen/S-nathan /run/user/1001 /run/user/1001/dbus-1 /run/user/1001/dbus-1/services /run/user/1001/gnupg /run/user/1001/inaccessible /run/user/1001/systemd /run/user/1001/systemd/transient /run/user/1001/systemd/units /snap/core18/1997/tmp /snap/core18/1997/var/tmp /snap/core18/2066/tmp /snap/core18/2066/var/tmp /tmp /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix #)You_can_write_even_more_files_inside_last_directory /var/crash /var/tmp /var/www/html /var/www/html/__pycache__ /var/www/html/__pycache__/app.cpython-38.pyc /var/www/html/app.py [+] Interesting GROUP writable files (not in Home) (max 500) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files Group nathan: [+] Searching passwords in config PHP files [+] Checking for TTY (sudo/su) passwords in audit logs [+] Finding IPs inside logs (limit 70) [+] Finding passwords inside logs (limit 70) 2021-05-15
21:40:52,728 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2021-05-15 21:40:52,728 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) 2021-05-21 13:42:57,135 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran 2021-05-21 13:42:57,135 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance) Binary file /var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal matches [ 3.413539] systemd[1]: Started Forward Password Requests to Wall Directory Watch. [ 3.945863] systemd[1]: Started Forward Password Requests to Wall Directory Watch. [ 4.326425] systemd[1]: Started Dispatch Password Requests to Console Directory Watch. [ 4.327723] systemd[1]: Condition check resulted in Forward Password Requests to Plymouth Directory Watch being skipped. [+] Finding emails inside logs (limit 70) 2 giometti@linux.it 2 dm-devel@redhat.com [+] Finding *password* or *credential* files in home (limit 70) /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/systemd-ask-password-plymouth.service /usr/lib/systemd/system/systemd-ask-password-wall.service [+] Finding passwords inside key folders (limit 70) - only PHP files [+] Finding passwords inside key folders (limit 70) - no PHP files /etc/debconf.conf:#BindPasswd: secret /etc/nsswitch.conf:passwd: files systemd /etc/overlayroot.conf:# $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar" /etc/overlayroot.conf:# crypt:dev=/dev/vdb,pass=somepassword,mkfs=0 /etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure sha512 /etc/security/namespace.init: gid=$(echo "$passwd" | cut -f4 -d":") /etc/security/namespace.init: homedir=$(echo "$passwd" | cut -f6 -d":") /etc/security/namespace.init: passwd=$(getent passwd "$user") /etc/sos/sos.conf:#password = true /etc/ssl/openssl.cnf:# input_password = secret 
/etc/ssl/openssl.cnf:# output_password = secret /etc/ssl/openssl.cnf:challengePassword = A challenge password /etc/ssl/openssl.cnf:challengePassword_max = 20 /etc/ssl/openssl.cnf:challengePassword_min = 4 /etc/vmware-tools/vm-support: sed 's/password[[:space:]]\+\(.*\)[[:space:]]\+\(.*\)$/password \1 xxxxxx/g' > \ /var/backups/dpkg.status.0:Depends: passwd, debconf (>= 0.5) | debconf-2.0 [+] Finding possible password variables inside key folders (limit 140) [+] Finding possible password in config files /etc/adduser.conf passwd /etc/security/faillock.conf passwd and ignore centralized (AD, IdM, LDAP, etc.) users. /etc/sysctl.d/10-ptrace.conf credentials that exist in memory (re-using existing SSH connections, /etc/nsswitch.conf passwd: files systemd /etc/overlayroot.conf password is randomly generated password will be stored for recovery in passwd password,mkfs=0 PASSWORD="foobar" PASSWORD" | PASSWORD" | PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION passwords are more secure, but you won't be able to passwords are generated by calculating the sha512sum /etc/debconf.conf passwords. password passwords. passwords password passwords.dat passwords and one for everything else. passwords password is really Passwd: secret [+] Finding 'username' string inside key folders (limit 70) [+] Searching specific hashes inside files - less false positives (limit 70)