nginx@spectra ~ $ bash linpeas.sh linpeas.sh: warning: linpeas.sh: warning: script from noexec mount; see https://chromium.googlesource.com/chromiumos/docs/+/master/security/noexec_shell_scripts.md ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ linpeas v3.2.1 by carlospolop ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You must take a look at it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ════════════════════════════════════╣ Basic information ╠════════════════════════════════════ OS: Linux version 5.4.66+ (neverware@cloudready-builder) (Chromium OS 11.0_pre399094_p20200824-r6 clang version 11.0.0 (/var/tmp/portage/sys-devel/llvm-11.0_pre399094_p20200824-r6/work/llvm-11.0_pre399094_p20200824/clang 83080a294ad7d145d758821bcf4354ad0cb7d299)) #1 SMP Tue Dec 22 13:39:49 UTC 2020 User & Groups: uid=20155(nginx) gid=20156(nginx) groups=20156(nginx) Hostname: spectra Writable folder: /dev/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [-] No port scan capabilities (nc not found) Caching directories using 4 threads . . . . . . . . . . . . . . . . . . . . . . . . DONE ════════════════════════════════════╣ System Information ╠════════════════════════════════════ [+] Operative system [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits Linux version 5.4.66+ (neverware@cloudready-builder) (Chromium OS 11.0_pre399094_p20200824-r6 clang version 11.0.0 (/var/tmp/portage/sys-devel/llvm-11.0_pre399094_p20200824-r6/work/llvm-11.0_pre399094_p20200824/clang 83080a294ad7d145d758821bcf4354ad0cb7d299)) #1 SMP Tue Dec 22 13:39:49 UTC 2020 [+] Sudo version [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version Sudo version 1.8.32 [+] USBCreator [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation [+] PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses /usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin New path exported: /usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin [+] Date Sat May 29 11:06:23 PDT 2021 [+] System stats Filesystem Size Used Avail Use% Mounted on /dev/root 2.9G 2.7G 185M 94% / devtmpfs 2.0G 0 2.0G 0% /dev tmp 2.0G 136K 2.0G 1% /tmp run 2.0G 928K 2.0G 1% /run shmfs 2.0G 1.5M 2.0G 1% /dev/shm /dev/sda16 25G 3.1G 21G 14% /mnt/stateful_partition /dev/sda23 976M 2.6M 958M 1% /usr/share/oem /dev/mapper/encstateful 7.2G 17M 7.2G 1% /mnt/stateful_partition/encrypted media 2.0G 0 2.0G 0% /media none 2.0G 0 2.0G 0% /sys/fs/cgroup tmpfs 2.0G 0 2.0G 0% /run/chromeos-config/private imageloader 2.0G 0 2.0G 0% /run/imageloader /dev/loop1 92M 92M 0 100% /usr/share/chromeos-assets/speech_synthesis/patts total used free shared buff/cache available Mem: 4005696 508604 2782164 2588 714928 3060724 Swap: 5867716 0 5867716 [+] CPU info Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian Address sizes: 43 bits physical, 48 bits virtual CPU(s): 4 On-line CPU(s) list: 0-3 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 4 Vendor ID: AuthenticAMD CPU family: 23 Model: 1 Model name: AMD EPYC 7401P 24-Core Processor Stepping: 2 CPU MHz: 2000.000 BogoMIPS: 4000.00 Hypervisor vendor: VMware Virtualization type: full L1d cache: 128 KiB L1i cache: 256 KiB L2 cache: 2 MiB L3 cache: 256 MiB Vulnerability Itlb multihit: Not affected Vulnerability L1tf: Not affected Vulnerability Mds: Not affected Vulnerability Meltdown: Not affected Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Vulnerability Spectre v2: Mitigation; Full AMD retpoline, IBPB conditional, STIBP disabled, RSB filling Vulnerability Srbds: Not affected Vulnerability Tsx async abort: Not affected Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good n opl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8 _legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat o verflow_recov succor [+] Environment [i] Any private information inside environment variables? MANPATH=/usr/local/share/man:/usr/share/man:/usr/lib/llvm/share/man SHELL=/bin/bash TERM=xterm-256color HISTSIZE=0 SSH_CLIENT=10.10.14.234 46962 22 SSH_TTY=/dev/pts/0 PORTAGE_CONFIGROOT=/usr/local HISTFILESIZE=0 USER=nginx LD_LIBRARY_PATH=/usr/local/lib64 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.cfg=00;32:*.conf=00;32:*.diff=00;32:*.doc=00;32:*.ini=00;32:*.log=00;32:*.patch=00;32:*.pdf=00;32:*.ps=00;32:*.tex=00;32:*.txt=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36: CONFIG_PROTECT_MASK=/etc/gentoo-release /etc/fonts/fonts.conf /etc/terminfo /etc/dconf /etc/ca-certificates.conf PAGER=/usr/bin/less PATH=/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin MAIL=/var/mail/nginx PWD=/home/nginx EDITOR=/usr/bin/vi GSETTINGS_BACKEND=dconf HOME=/home/nginx SHLVL=2 LOGNAME=nginx SSH_CONNECTION=10.10.14.234 46962 10.10.10.229 22 XDG_DATA_DIRS=/home/nginx/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share INFOPATH=/usr/share/info LADSPA_PATH=/usr/lib64/ladspa HISTFILE=/dev/null XAUTHORITY=/home/chronos/.Xauthority _=/usr/bin/env [+] Searching Signature verification failed in dmseg [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed [ 3.754335] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid [+] AppArmor enabled? .............. AppArmor Not Found [+] grsecurity present? ............ grsecurity Not Found [+] PaX bins present? .............. PaX Not Found [+] Execshield enabled? ............ Execshield Not Found [+] SELinux enabled? ............... sestatus Not Found [+] Is ASLR enabled? ............... Yes [+] Printer? ....................... lpstat Not Found [+] Is this a virtual machine? ..... Yes ═════════════════════════════════════════╣ Containers ╠══════════════════════════════════════════ [+] Is this a container? ........... No [+] Container related tools present which: no docker in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) which: no lxc in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) which: no rkt in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) which: no kubectl in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) which: no podman in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) which: no runc in (/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/lib/llvm/bin:/usr/local/sbin:/usr/sbin:/sbin) [+] Any running containers? ........ No ═════════════════════════════════════════╣ Devices ╠══════════════════════════════════════════ [+] Any sd*/disk* disk in /dev? (limit 20) disk sda sda1 sda10 sda11 sda12 sda13 sda14 sda15 sda16 sda17 sda18 sda19 sda2 sda20 sda21 sda22 sda23 sda24 sda25 [+] Unmounted file-system? [i] Check if you can mount umounted devices ════════════════════════════════════╣ Available Software ╠════════════════════════════════════ [+] Useful software /usr/local/bin/wget /usr/local/bin/curl /bin/ping /usr/local/bin/gcc /usr/local/bin/g++ /usr/local/bin/make /usr/local/bin/gdb /usr/bin/base64 /usr/local/bin/python /usr/local/bin/python2 /usr/local/bin/python3 /usr/local/bin/python2.7 /usr/bin/python3.6 /usr/local/bin/perl /usr/local/bin/php /usr/local/bin/ruby /usr/bin/sudo [+] Installed Compiler /usr/local/bin/gcc /usr/local/bin/g++ ══════════════════════════════╣ Processes, Cron, Services, Timers & Sockets ╠════════════════════════════════ [+] Cleaned processes [i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes root 1 0.2 0.0 12664 3932 ? Ss 10:58 0:01 /sbin/init root 237 0.4 0.1 17040 4424 ? Ss 10:58 0:01 udevd --daemon[0m syslog 534 0.0 0.1 35964 7228 ? S 10:58 0:00 /usr/lib/systemd/systemd-journald └─(Caps) 0x0000002400000000=cap_syslog,cap_audit_read message+ 605 0.0 0.0 9916 2888 ? Ss 10:58 0:00 dbus-daemon --system --fork syslog 657 0.0 0.0 299140 3776 ? Sl 10:58 0:00 /usr/sbin/rsyslogd -n -f /etc/rsyslog.chromeos -i /tmp/rsyslogd.pid root 712 0.0 0.0 4372 808 ? Ss 10:58 0:00 /bin/sh -e /proc/self/fd/9 root 770 0.0 0.0 7344 2556 ? S 10:58 0:00 _ bash /mnt/stateful_partition/rc.local root 776 0.0 0.0 7344 2548 ? S 10:58 0:00 _ /bin/bash /root/script.sh root 1241 0.0 0.0 4372 1848 ? S 10:58 0:00 _ /bin/sh /usr/local/bin/mysqld_safe --bind-address=0.0.0.0 --user=chronos chronos 3674 2.5 5.0 1468524 203540 ? Sl 11:01 0:08 | _ /usr/local/bin/mysqld --basedir=/usr/local --datadir=/usr/local/data --plugin-dir=/usr/local/lib/mysql/plugin --user=chronos --bind-address=0.0.0.0 --log-error=spectra.err --pid-file=spectra.pid root 1242 0.1 0.1 175028 5400 ? Sl 10:58 0:00 _ /usr/local/bin/vmtoolsd root 3835 0.0 0.0 9404 1116 ? S 11:06 0:00 _ /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 60 wpa 766 0.0 0.1 17284 4236 ? S 10:58 0:00 /usr/sbin/wpa_supplicant -u -s -O/run/wpa_supplicant └─(Caps) 0x0000000000003000=cap_net_admin,cap_net_raw chaps 798 0.0 0.2 101968 10772 ? SLsl 10:58 0:00 /opt/tpm1/sbin/chapsd --auto_load_system_token root 800 0.0 0.0 20072 2400 ? Ss 10:58 0:00 /usr/sbin/sshd nginx 3596 0.0 0.1 28300 4176 ? S 11:00 0:00 _ sshd: nginx@pts/0 nginx 3597 0.0 0.0 7476 2976 pts/0 Ss 11:00 0:00 _ -bash nginx 3836 0.5 0.0 6164 3560 pts/0 S+ 11:06 0:00 _ bash linpeas.sh nginx 4512 0.0 0.0 6164 2616 pts/0 S+ 11:06 0:00 _ bash linpeas.sh nginx 4515 0.0 0.0 9616 2356 pts/0 R+ 11:06 0:00 | _ ps fauxwww nginx 4516 0.0 0.0 6164 1276 pts/0 S+ 11:06 0:00 _ bash linpeas.sh root 805 0.0 0.1 101144 7352 ? Ssl 10:58 0:00 /opt/tpm1/sbin/tpm_managerd --wait_for_ownership_trigger root 980 0.0 0.0 16208 408 ? Ss 10:58 0:00 nginx: master process nginx nobody 988 0.8 0.0 16700 3512 ? S 10:58 0:04 _ nginx: worker process root 985 0.0 0.3 407204 12488 ? SLsl 10:58 0:00 /opt/tpm1/sbin/cryptohomed --noclose --direncryption --vmodule= shill 1146 0.0 0.3 34296 13368 ? S 10:58 0:00 /usr/bin/shill --log-level=0 --log-scopes= --vmodule=object_proxy=0,dbus_object=0,bus=0 └─(Caps) 0x0000000800003de0=cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_wake_alarm syslog 1183 0.0 0.0 6540 968 ? S 10:58 0:00 _ /usr/bin/logger --priority daemon err --tag /usr/bin/shill └─(Caps) 0x0000000800003de0=cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_wake_alarm dhcp 2561 0.0 0.0 11264 2812 ? S 10:58 0:00 _ /sbin/dhcpcd -B -q -4 eth0=ethernet_any └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw root 1227 0.0 0.2 102928 9804 ? Ss 10:58 0:00 php-fpm: master process (/usr/local/etc/php-fpm.conf) nginx 1233 0.6 1.1 206112 45624 ? S 10:58 0:02 _ php-fpm: pool www nginx 3763 0.0 0.0 4372 856 ? S 11:03 0:00 | _ /bin/sh -i nginx 3375 0.8 1.1 207364 45940 ? S 10:59 0:03 _ php-fpm: pool www nginx 3455 1.3 1.0 203260 41840 ? S 10:59 0:05 _ php-fpm: pool www attesta+ 1736 0.0 0.2 177440 8684 ? SLsl 10:58 0:00 /opt/tpm1/sbin/attestationd root 1818 0.2 0.3 38564 14588 ? S 10:58 0:01 python2.7 /opt/neverware/install_service.py root 1916 0.0 0.1 19352 5884 ? Ss 10:58 0:00 periodic_scheduler --period=3600 --timeout=14400 --start_immediately --task_name=crash_sender -- /sbin/crash_sender root 1919 0.0 0.2 20668 8032 ? Ss 10:58 0:00 /usr/bin/patchpaneld patchpa+ 1924 0.0 0.1 22632 7192 ? Ss 10:58 0:00 _ /usr/bin/patchpaneld --adb_proxy_fd=4 └─(Caps) 0x0000000000002000=cap_net_raw patchpa+ 1927 0.0 0.1 22636 7532 ? Ss 10:58 0:00 _ /usr/bin/patchpaneld --mcast_proxy_fd=6 └─(Caps) 0x0000000000002000=cap_net_raw patchpa+ 1928 0.0 0.1 22640 7588 ? Ss 10:58 0:00 _ /usr/bin/patchpaneld --nd_proxy_fd=8 └─(Caps) 0x0000000000002000=cap_net_raw root 1933 0.0 0.2 29496 9160 ? Ss 10:58 0:00 neverware_daemon[0m devbrok+ 1978 0.0 0.1 24948 6928 ? S 10:58 0:00 /usr/bin/permission_broker └─(Caps) 0x000000000000300b=cap_chown,cap_dac_override,cap_fowner,cap_net_admin,cap_net_raw root 1992 0.0 0.0 8612 1792 ? Ss 10:58 0:00 minijail0 -u cras -g cras -G --uts -v -l -T static -P /mnt/empty -b / / -k tmpfs /run tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /run/cras /run/cras 1 -b /run/dbus /run/dbus 1 -b /run/systemd/journal -b /run/udev /run/udev -b /dev /dev -b /dev/shm /dev/shm 1 -k proc /proc proc -b /sys /sys -k tmpfs /var tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /var/lib/metrics/ /var/lib/metrics/ 1 -- /sbin/minijail0 -n -S /usr/share/policy/cras-seccomp.policy -- /usr/bin/cras --disable_profile=hsp cras 2069 0.0 0.0 6648 1788 ? S 10:58 0:00 _ /sbin/minijail0 -n -S /usr/share/policy/cras-seccomp.policy -- /usr/bin/cras --disable_profile=hsp root 2004 0.0 0.1 19352 5852 ? Ss 10:58 0:00 periodic_scheduler --period=3600 --timeout=600 --task_name=update_userdataauth -- /usr/libexec/cryptohome/update_userdataauth_from_features.sh avahi 2049 0.0 0.0 11484 220 ? S 10:58 0:00 _ avahi-daemon: chroot helper modem 2044 0.0 0.1 243092 7048 ? Sl 10:58 0:00 /usr/sbin/ModemManager --log-level=INFO └─(Caps) 0x0000000000200000=cap_sys_admin root 2046 0.0 0.1 19352 5740 ? Ss 10:58 0:00 periodic_scheduler --period=86400 --timeout=600 --task_name=cleanup_logs -- /usr/sbin/chromeos-cleanup-logs root 2047 0.0 0.1 30108 6380 ? Ss 10:58 0:00 update_engine root 2098 0.0 0.0 8992 1708 ? S 10:58 0:00 upstart-socket-bridge --daemon[0m root 2589 0.0 0.0 19352 3308 ? Ss 10:58 0:00 periodic_scheduler --period=3600 --timeout=60 --task_name=cros-machine-id-regen -- /usr/sbin/cros-machine-id-regen -r periodic -t 21600 root 2704 0.0 0.0 8744 1888 ? Ss 10:58 0:00 /sbin/minijail0 -u bluetooth -g bluetooth -G -c 3500 -n -- /usr/libexec/bluetooth/bluetoothd --nodetach --configfile=/etc/bluetooth/main.conf --experimental bluetoo+ 2717 0.0 0.2 27616 8256 ? S 10:58 0:00 _ /usr/libexec/bluetooth/bluetoothd --nodetach --configfile=/etc/bluetooth/main.conf --experimental └─(Caps) 0x0000000000003500=cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw root 2729 0.0 0.0 8612 160 ? S 10:58 0:00 /sbin/minijail0 -T static --profile=minimalistic-mountns -i -p -v -r --uts -l -g syslog --mount-dev -b /dev/log -b /sys -k /var /var tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /var/log -b /var/spool 1 -b /var/lib/metrics 1 -b /var/lib/whitelist -k /run /run tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /run/crash_reporter 1 -b /run/dbus -b /home/chronos -- /usr/bin/anomaly_detector root 2763 0.0 0.2 26996 10220 ? S 10:58 0:00 _ /usr/bin/anomaly_detector root 2733 0.0 0.0 8744 200 ? S 10:58 0:00 minijail0 -u bluetooth -g bluetooth -G -i -n -l -p -v -r -t --uts -e --profile minimalistic-mountns -k /run /run tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -k /var /var tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -k /sys /sys tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /run/chromeos-config/v1 -b /dev/log /dev/log 1 -b /run/dbus -b /var/lib/bluetooth 1 -b /sys/devices/virtual/dmi/id -- /usr/bin/btdispatch --vmodule= bluetoo+ 2783 0.0 0.1 21632 5956 ? S 10:58 0:00 _ /usr/bin/btdispatch --vmodule= root 2751 0.0 0.0 6648 188 ? S 10:58 0:00 minijail0 -i -p -v -r --uts -l --profile minimalistic-mountns -b /dev/log -b /dev/rtc -k /run /run tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /run/dbus 1 -b /run/shill -k /var /var tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /var/cache/tlsdated 1 /usr/bin/tlsdated -- /usr/bin/tlsdate -v -C /usr/share/chromeos-ca-certificates -l tlsdate 2759 0.0 0.0 15588 3348 ? S 10:58 0:00 _ /usr/bin/tlsdated -- /usr/bin/tlsdate -v -C /usr/share/chromeos-ca-certificates -l root 2802 0.0 0.0 13492 420 ? S 10:58 0:00 _ /usr/bin/tlsdated -- /usr/bin/tlsdate -v -C /usr/share/chromeos-ca-certificates -l root 2757 0.0 0.0 4372 1644 ? Ss 10:58 0:00 /bin/sh /usr/share/cros/init/activate_date.sh root 3817 0.0 0.0 9404 1084 ? S 11:05 0:00 _ /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 200 metrics 3058 0.0 0.2 28976 8988 ? S 10:58 0:00 /usr/bin/metrics_daemon --nodaemon root 3071 0.0 0.0 6648 204 ? S 10:58 0:00 minijail0 --profile minimalistic-mountns -b /dev/log -b /dev/chromeos-low-mem -b /sys -k /var /var tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /var/log/memd 1 -k /run /run tmpfs MS_NODEV MS_NOEXEC MS_NOSUID mode=755,size=10M -b /run/dbus --uts -p -e -n -l -S /usr/share/policy/memd-seccomp.policy -i -- /usr/bin/memd root 3075 0.0 0.0 11568 2456 ? S 10:58 0:00 _ /usr/bin/memd root 3632 0.0 0.2 30340 10480 ? Ss 11:01 0:00 /usr/bin/cros_healthd cros_he+ 3637 0.0 0.1 32436 5576 ? S 11:01 0:00 _ /usr/bin/cros_healthd [+] Binary processes permissions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes 544K -rwxr-xr-x 1 root root 540K Dec 22 05:46 /bin/bash 0 lrwxrwxrwx 1 root root 4 Dec 22 05:46 /bin/sh -> dash 604K -rwxr-xr-x 1 root root 598K Jan 15 15:34 /opt/tpm1/sbin/attestationd 476K -rwxr-xr-x 1 root root 470K Jan 15 15:34 /opt/tpm1/sbin/chapsd 1.5M -rwxr-xr-x 1 root root 1.5M Jan 15 15:34 /opt/tpm1/sbin/cryptohomed 220K -rwxr-xr-x 1 root root 214K Jan 15 15:33 /opt/tpm1/sbin/tpm_managerd 216K -r-xr-xr-x 1 root root 212K Dec 22 05:54 /sbin/dhcpcd 136K -rwxr-xr-x 1 root root 129K Dec 22 05:54 /sbin/init 136K -rwxr-xr-x 1 root root 132K Jan 15 15:30 /sbin/minijail0 92K -rwxr-xr-x 1 root root 87K Jan 15 15:33 /usr/bin/anomaly_detector 56K -rwxr-xr-x 1 root root 49K Jan 15 15:33 /usr/bin/btdispatch 888K -rwxr-xr-x 1 root root 881K Dec 22 05:45 /usr/bin/coreutils 732K -rwxr-xr-x 1 root root 728K Jan 15 15:32 /usr/bin/cros_healthd 28K -rwxr-xr-x 1 root root 27K Dec 22 05:52 /usr/bin/logger 452K -rwxr-xr-x 1 root root 446K Jan 15 15:31 /usr/bin/memd 240K -rwxr-xr-x 1 root root 235K Jan 15 15:32 /usr/bin/metrics_daemon 388K -rwxr-xr-x 1 root root 383K Jan 15 15:34 /usr/bin/patchpaneld 116K -rwxr-xr-x 1 root root 110K Jan 15 15:32 /usr/bin/permission_broker 2.0M -rwxr-xr-x 1 root root 2.0M Jan 15 15:34 /usr/bin/shill 48K -rwxr-xr-x 1 root root 46K Dec 22 05:53 /usr/bin/tlsdated 132K -rwxr-xr-x 1 root root 125K Dec 22 05:59 /usr/lib/systemd/systemd-journald 724K -rwxr-xr-x 1 root root 720K Dec 22 06:10 /usr/libexec/bluetooth/bluetoothd 24M -rwxr-xr-x 1 chronos chronos 24M Jun 29 2020 /usr/local/bin/mysqld 256K -rwxr-xr-x 1 root root 254K Feb 11 10:24 /usr/local/bin/vmtoolsd 928K -rwxr-xr-x 1 root root 924K Dec 22 05:57 /usr/sbin/ModemManager 544K -rwxr-xr-x 1 root root 538K Dec 22 05:53 /usr/sbin/rsyslogd 576K -rwxr-xr-x 1 root root 572K Dec 22 05:55 /usr/sbin/sshd 1.3M -rwxr-xr-x 1 root root 1.3M Dec 22 05:59 /usr/sbin/wpa_supplicant [+] Files opened by processes belonging to other users [i] This is usually empty because of the lack of privileges to read other user processes information COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME [+] Processes with credentials in memory (root req) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd: process found (dump creds from memory as root) [+] Cron jobs [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs crontab Not Found incrontab Not Found [+] Services [i] Search for outdated versions service|chkconfig|rc-status|launchctl Not Found [+] Systemd PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths [+] Analyzing .service files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#services You can't write on systemd PATH [+] System timers [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers [+] Analyzing .timer files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers [+] Analyzing .socket files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets [+] HTTP sockets [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets [+] D-Bus config files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus Possible weak user policy found on /etc/dbus-1/system.d/BootLockbox.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/Cryptohome.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/ImageBurner.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/SessionManager.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/UpdateEngine.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/UsbBouncer.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/avahi-dbus.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/dhcpcd.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/fi.w1.wpa_supplicant1.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.bluez.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.AnomalyEventService.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Attestation.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.AuthPolicy.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Bluetooth.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Brltty.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Chaps.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Chaps.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Chunneld.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.CrosDisks.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.CrosDns.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.CrosHealthd.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.ImageLoader.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Kerberos.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.MachineLearning.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Mtpd.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.OobeConfigRestore.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Patchpanel.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.PcaAgent.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.PermissionBroker.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.PowerManager.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Seneschal.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.SmbProvider.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.SystemProxy.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.TpmManager.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.Trunks.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.UserDataAuth.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.VmCicerone.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.VmConcierge.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.cras.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.debugd.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.flimflam.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.chromium.lorgnette.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.ModemManager1.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.torproject.tlsdate.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.torproject.tlsdate.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.usbguard1.conf ( ) [+] D-Bus Service Objects list [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus busctl Not Found ═══════════════════════════════════╣ Network Information ╠════════════════════════════════════ [+] Hostname, hosts and DNS spectra 127.0.0.1 localhost ::1 localhost nameserver 8.8.4.4 nameserver 8.8.8.8 nameserver 0.0.0.0 nameserver 0.0.0.0 options single-request timeout:1 attempts:5 dnsdomainname Not Found [+] Content of /etc/inetd.conf & /etc/xinetd.conf /etc/inetd.conf Not Found [+] Interfaces # /etc/networks # # This file describes a number of netname-to-adress # mappings for the TCP/IP subsytem. It is mostly # used at boot time, when no name servers are running. # loopback 127.0.0.0 link-local 169.254.0.0 eth0: flags=4163 mtu 1500 inet 10.10.10.229 netmask 255.255.255.0 broadcast 10.10.10.255 inet6 fe80::250:56ff:feb9:8efb prefixlen 64 scopeid 0x20 inet6 dead:beef::f90a:c0ce:61e9:6708 prefixlen 64 scopeid 0x0 inet6 dead:beef::250:56ff:feb9:8efb prefixlen 64 scopeid 0x0 ether 00:50:56:b9:8e:fb txqueuelen 1000 (Ethernet) RX packets 39119 bytes 6627237 (6.3 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 39112 bytes 13013878 (12.4 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1000 (Local Loopback) RX packets 83502 bytes 11528848 (10.9 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 83502 bytes 11528848 (10.9 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [+] Networks and neighbours Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 Address HWtype HWaddress Flags Mask Iface 10.10.10.2 ether 00:50:56:b9:56:77 C eth0 [+] Iptables rules iptables rules Not Found [+] Active Ports [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::22 :::* LISTEN - [+] Can I sniff with tcpdump? No ════════════════════════════════════╣ Users Information ╠════════════════════════════════════ [+] My user [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#users uid=20155(nginx) gid=20156(nginx) groups=20156(nginx) [+] Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Clipboard or highlighted text? xsel and xclip Not Found [+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Sorry, try again. [+] Checking sudo tokens [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens /proc/sys/kernel/yama/ptrace_scope is not enabled (1) gdb was found in PATH [+] Checking doas.conf /etc/doas.conf Not Found [+] Checking Pkexec policy [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [+] Superusers root:x:0:0:root:/root:/bin/bash [+] Users with console chronos:x:1000:1000:system_user:/home/chronos/user:/bin/bash katie:x:20156:20157::/home/katie:/bin/bash nginx:x:20155:20156::/home/nginx:/bin/bash root:x:0:0:root:/root:/bin/bash [+] All users & groups uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon[0m),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video),1001(chronos-access),219(wpa),207(tss),208(pkcs11),253(preserve) uid=1(bin) gid=1(bin) groups=1(bin),2(daemon[0m),3(sys) uid=10(uucp) gid=14(uucp) groups=14(uucp),402(serial) uid=1000(chronos) gid=1000(chronos) groups=1000(chronos),7(lp),18(audio),27(video),222(input),1001(chronos-access),420(crash-user-access),600(cras),304(fuse-drivefs),240(brltty),208(pkcs11),303(policy-readers),601(wayland) uid=1001(chronos-access) gid=1001(chronos-access) groups=1001(chronos-access) uid=2(daemon[0m) gid=2(daemon[0m) groups=2(daemon[0m),1(bin),4(adm) uid=201(messagebus) gid=201(messagebus) groups=201(messagebus) uid=20100(ippusb) gid=20100(ippusb) groups=20100(ippusb) uid=20104(shill) gid=20104(shill) groups=20104(shill),611(password-viewers),413(tun),212(ipsec),241(modem),303(policy-readers),400(daemon[0m-store),605(debugfs-access) uid=20105(netperf) gid=20105(netperf) groups=20105(netperf) uid=20106(ml-service) gid=20106(ml-service) groups=20106(ml-service) uid=20107(bootlockboxd) gid=20107(bootlockboxd) groups=20107(bootlockboxd),207(tss) uid=20110(crosdns) gid=20110(crosdns) groups=20110(crosdns) uid=20112(vm_cicerone) gid=20112(vm_cicerone) groups=20112(vm_cicerone),420(crash-user-access) uid=20114(seneschal) gid=20114(seneschal) groups=20114(seneschal) uid=20115(seneschal-dbus) gid=20115(seneschal-dbus) groups=20115(seneschal-dbus) uid=20121(oobe_config_restore) gid=20121(oobe_config_restore) groups=20121(oobe_config_restore),207(tss) uid=20122(oobe_config_save) gid=20122(oobe_config_save) groups=20122(oobe_config_save),207(tss) uid=20123(usbguard) gid=20123(usbguard) groups=20123(usbguard) uid=20124(usb_bouncer) gid=20124(usb_bouncer) groups=20124(usb_bouncer) uid=20128(pluginvm) gid=20128(pluginvm) groups=20128(pluginvm),601(wayland) uid=20130(fwupd) gid=20130(fwupd) groups=20130(fwupd) uid=20131(kerberosd) gid=20131(kerberosd) groups=20131(kerberosd),611(password-viewers) uid=20134(cros_healthd) gid=20134(cros_healthd) groups=20134(cros_healthd),6(disk) uid=20137(crash) gid=20137(crash) groups=20137(crash),1001(chronos-access),419(crash-access),420(crash-user-access) uid=20138(kerberosd-exec) gid=20138(kerberosd-exec) groups=20138(kerberosd-exec),20131(kerberosd) uid=20140(metrics) gid=20140(metrics) groups=20140(metrics),605(debugfs-access) uid=20141(chunneld) gid=20141(chunneld) groups=20141(chunneld) uid=20142(healthd_ec) gid=20142(healthd_ec) groups=20142(healthd_ec),416(cros_ec-access) uid=20154(system-proxy) gid=20154(system-proxy) groups=20154(system-proxy) uid=20155(nginx) gid=20156(nginx) groups=20156(nginx) uid=20156(katie) gid=20157(katie) groups=20157(katie),20158(developers) uid=202(syslog) gid=202(syslog) groups=202(syslog) uid=204(sshd) gid=204(sshd) groups=204(sshd) uid=207(tss) gid=207(tss) groups=207(tss) uid=208(pkcs11) gid=208(pkcs11) groups=208(pkcs11) uid=212(ipsec) gid=212(ipsec) groups=212(ipsec),20104(shill),1001(chronos-access),208(pkcs11) uid=213(cros-disks) gid=213(cros-disks) groups=213(cros-disks),6(disk),19(cdrom),80(cdrw),1001(chronos-access) uid=215(tcpdump) gid=215(tcpdump) groups=215(tcpdump) uid=216(debugd) gid=216(debugd) groups=216(debugd) uid=217(openvpn) gid=217(openvpn) groups=217(openvpn) uid=218(bluetooth) gid=218(bluetooth) groups=218(bluetooth),258(uinput) uid=219(wpa) gid=219(wpa) groups=219(wpa),208(pkcs11) uid=220(imageloaderd) gid=220(imageloaderd) groups=220(imageloaderd),1001(chronos-access) uid=222(input) gid=222(input) groups=222(input) uid=223(chaps) gid=223(chaps) groups=223(chaps),207(tss),208(pkcs11),400(daemon[0m-store) uid=224(dhcp) gid=224(dhcp) groups=224(dhcp) uid=226(mtp) gid=226(mtp) groups=226(mtp),85(usb) uid=228(power) gid=228(power) groups=228(power),5(tty),222(input),404(i2c),416(cros_ec-access),600(cras),605(debugfs-access) uid=230(devbroker) gid=230(devbroker) groups=230(devbroker) uid=232(nfqueue) gid=232(nfqueue) groups=232(nfqueue) uid=233(tlsdate-dbus) gid=233(tlsdate-dbus) groups=233(tlsdate-dbus) uid=234(tlsdate) gid=234(tlsdate) groups=234(tlsdate) uid=235(debugd-logs) gid=235(debugd-logs) groups=235(debugd-logs),401(logs-access) uid=237(shill-crypto) gid=237(shill-crypto) groups=237(shill-crypto) uid=238(avahi) gid=238(avahi) groups=238(avahi) uid=239(p2p) gid=239(p2p) groups=239(p2p) uid=240(brltty) gid=240(brltty) groups=240(brltty),5(tty),85(usb) uid=241(modem) gid=241(modem) groups=241(modem),85(usb) uid=247(attestation) gid=247(attestation) groups=247(attestation),207(tss),208(pkcs11),253(preserve),303(policy-readers) uid=250(portage) gid=250(portage) groups=250(portage) uid=251(trunks) gid=251(trunks) groups=251(trunks),207(tss) uid=252(tpm_manager) gid=252(tpm_manager) groups=252(tpm_manager),207(tss),253(preserve) uid=254(authpolicyd) gid=254(authpolicyd) groups=254(authpolicyd),303(policy-readers) uid=255(saned) gid=255(scanner) groups=255(scanner),20100(ippusb),20155(usbprinter) uid=268(dnsmasq) gid=268(dnsmasq) groups=268(dnsmasq) uid=269(lpadmin) gid=269(lpadmin) groups=269(lpadmin),7(lp),20100(ippusb) uid=277(cups) gid=277(cups) groups=277(cups),7(lp),269(lpadmin),20100(ippusb),20155(usbprinter) uid=284(patchpaneld) gid=284(patchpaneld) groups=284(patchpaneld) uid=292(cryptohome) gid=292(cryptohome) groups=292(cryptohome) uid=295(shill-scripts) gid=295(shill-scripts) groups=295(shill-scripts) uid=297(smbproviderd) gid=297(smbproviderd) groups=297(smbproviderd) uid=299(crosvm) gid=299(crosvm) groups=299(crosvm),27(video),413(tun),600(cras),20128(pluginvm),418(virtaccess),601(wayland),400(daemon[0m-store) uid=3(adm) gid=4(adm) groups=4(adm),3(sys),6(disk) uid=300(ntfs-3g) gid=300(ntfs-3g) groups=300(ntfs-3g) uid=302(fuse-exfat) gid=302(fuse-exfat) groups=302(fuse-exfat) uid=304(fuse-drivefs) gid=304(fuse-drivefs) groups=304(fuse-drivefs) uid=305(fuse-sshfs) gid=305(fuse-sshfs) groups=305(fuse-sshfs) uid=307(fuse-smbfs) gid=307(fuse-smbfs) groups=307(fuse-smbfs) uid=308(fuse-rar2fs) gid=308(fuse-rar2fs) groups=308(fuse-rar2fs) uid=309(fuse-zip) gid=309(fuse-zip) groups=309(fuse-zip) uid=4(lp) gid=7(lp) groups=7(lp),20100(ippusb) uid=600(cras) gid=600(cras) groups=600(cras),18(audio),222(input) uid=601(wayland) gid=601(wayland) groups=601(wayland) uid=605(debugfs-access) gid=605(debugfs-access) groups=605(debugfs-access) uid=607(authpolicyd-exec) gid=607(authpolicyd-exec) groups=607(authpolicyd-exec),254(authpolicyd) uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) uid=9(news) gid=13(news) groups=13(news) [+] Login now 11:07:31 up 9 min, 0 users, load average: 0.08, 0.22, 0.18 USER TTY LOGIN@ IDLE JCPU PCPU WHAT [+] Last logons [+] Last time logon each user Username Port From Latest nginx ssh 10.10.14.234 Sat May 29 11:04:41 -0700 2021 [+] Password policy PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 [+] Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) [+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ═══════════════════════════════════╣ Software Information ╠═══════════════════════════════════ [+] MySQL version mysql Ver 14.14 Distrib 5.7.20-19, for Linux (x86_64) using 6.3 [+] MySQL connection using default root/root ........... No [+] MySQL connection using root/toor ................... No [+] MySQL connection using root/NOPASS ................. No [+] Searching mysql credentials and exec [+] PostgreSQL version and pgadmin credentials Not Found [+] PostgreSQL connection to template0 using postgres/NOPASS ........ No [+] PostgreSQL connection to template1 using postgres/NOPASS ........ No [+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No [+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No [+] Apache server info Not Found [+] Searching PHPCookies Not Found [+] Searching Wordpress wp-config.php files /usr/local/share/nginx/html/main/wp-config.php define( 'DB_NAME', 'dev' ); define( 'DB_USER', 'dev' ); define( 'DB_PASSWORD', 'development01' ); define( 'DB_HOST', 'localhost' ); /usr/local/share/nginx/html/testing/wp-config.php define( 'DB_NAME', 'dev' ); define( 'DB_USER', 'devtest' ); define( 'DB_PASSWORD', 'devteam01' ); define( 'DB_HOST', 'localhost' ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-config.php define( 'DB_NAME', 'dev' ); define( 'DB_USER', 'dev' ); define( 'DB_PASSWORD', 'development01' ); define( 'DB_HOST', 'localhost' ); /mnt/stateful_partition/dev_image/share/nginx/html/testing/wp-config.php define( 'DB_NAME', 'dev' ); define( 'DB_USER', 'devtest' ); define( 'DB_PASSWORD', 'devteam01' ); define( 'DB_HOST', 'localhost' ); [+] Searching Drupal settings.php files [+] Searching Moodle config.php files [+] Searching Tomcat users file tomcat-users.xml Not Found [+] Mongo information mongo binary Not Found [+] Searching supervisord configuration file supervisord.conf Not Found [+] Searching cesi configuration file cesi.conf Not Found [+] Searching Rsyncd config file /usr/local/etc/rsyncd.conf pid file = /run/rsyncd.pid use chroot = yes read only = yes /mnt/stateful_partition/dev_image/etc/rsyncd.conf pid file = /run/rsyncd.pid use chroot = yes read only = yes [+] Searching Hostapd config file hostapd.conf Not Found [+] Searching wifi conns file Not Found [+] Searching Anaconda-ks config files anaconda-ks.cfg Not Found [+] Searching .vnc directories and their passwd files .vnc Not Found [+] Searching ldap directories and their hashes ldap Not Found [+] Searching .ovpn files and credentials .ovpn Not Found [+] Searching ssl/ssh files /home/nginx/.ssh/authorized_keys /mnt/stateful_partition/dev_image/cache/man/local/de/index.db /mnt/stateful_partition/home/nginx/.ssh/authorized_keys /usr/share/chromeos-ssh-config/keys/authorized_keys /usr/share/chromeos-ssh-config/keys/id_rsa /usr/share/chromeos-ssh-config/keys/id_rsa.pub Possible private SSH keys were found! /mnt/stateful_partition/dev_image/lib64/libssh2.a /mnt/stateful_partition/dev_image/lib64/libgio-2.0.so.0.6400.1 /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/cherrypy/test/test.pem /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/heatmap/remote/data/testing_rsa /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/webplot/remote/data/testing_rsa /mnt/stateful_partition/dev_image/lib64/libssh2.so.1.0.1 /mnt/stateful_partition/dev_image/lib64/libgnutls.so.30.26.2 /mnt/stateful_partition/dev_image/share/misc/magic.mgc /mnt/stateful_partition/dev_image/share/nodebrew/node/v8.9.4/lib/node_modules/npm/doc/misc/npm-config.md /mnt/stateful_partition/dev_image/share/nodebrew/node/v8.9.4/lib/node_modules/npm/html/doc/misc/npm-config.html /mnt/stateful_partition/dev_image/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/http_signing.md /mnt/stateful_partition/dev_image/share/tast/data/chromiumos/tast/local/bundles/cros/security/data/openssl_blacklist_cert.key /mnt/stateful_partition/dev_image/bin/gnutls-cli /mnt/stateful_partition/dev_image/libexec/tast/bundles/local/cros /mnt/stateful_partition/dev_image/lib/python2.7/test/badcert.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/badkey.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/keycert.passwd.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/ssl_key.passwd.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/badcert.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/badkey.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/keycert.passwd.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/ssl_key.passwd.pem --> Some certificates were found (out limited): /etc/pki/fwupd-metadata/LVFS-CA.pem /etc/pki/fwupd/LVFS-CA.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/allsans.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/badcert.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/badkey.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/keycert.passwd.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/keycert.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/keycert2.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/nullcert.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/selfsigned_pythontestdotnet.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/ssl_cert.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/ssl_key.passwd.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/ssl_key.pem /mnt/stateful_partition/dev_image/lib/python2.7/test/talos-2019-0758.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/allsans.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/badcert.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/badkey.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/keycert.passwd.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/keycert.pem /mnt/stateful_partition/dev_image/lib/python3.8/test/keycert2.pem --> Some client certificates were found: /mnt/stateful_partition/dev_image/share/cmake-3.17/Templates/Windows/Windows_TemporaryKey.pfx /usr/local/share/cmake-3.17/Templates/Windows/Windows_TemporaryKey.pfx --> Some home ssh config file was found /usr/share/chromeos-ssh-config/keys/authorized_keys /usr/share/chromeos-ssh-config/keys/id_rsa /usr/share/chromeos-ssh-config/keys/id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsNpFdK5lb0GfKx+FgsrsM/2+aZVFYXHMPdvGtTz63ciRhq0Jnw7nln1SOcHraSz3/imECBg8NHIKV6rA+B9zbf7pZXEv20x5Ul0vrcPqYWC44PTtgsgvi8s0KZUZN93YlcjZ+Q7BjQ/tuwGSaLWLqJ7hnHALMJ3dbEM9fKBHQBCrG5HOaWD2gtXj7jp04M/WUnDDdemq/KMg6E9jcrJOiQ39IuTpas4hLQzVkKAKSrpl6MY2etHyoNarlWhcOwitArEDwf3WgnctwKstI/MTKB5BTpO2WXUNUv4kXzA+g8/l1aljIG13vtd9A/IV3KFVx/sLkkjuZ7z2rQXyNKuJw== ChromeOS test key ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsNpFdK5lb0GfKx+FgsrsM/2+aZVFYXHMPdvGtTz63ciRhq0Jnw7nln1SOcHraSz3/imECBg8NHIKV6rA+B9zbf7pZXEv20x5Ul0vrcPqYWC44PTtgsgvi8s0KZUZN93YlcjZ+Q7BjQ/tuwGSaLWLqJ7hnHALMJ3dbEM9fKBHQBCrG5HOaWD2gtXj7jp04M/WUnDDdemq/KMg6E9jcrJOiQ39IuTpas4hLQzVkKAKSrpl6MY2etHyoNarlWhcOwitArEDwf3WgnctwKstI/MTKB5BTpO2WXUNUv4kXzA+g8/l1aljIG13vtd9A/IV3KFVx/sLkkjuZ7z2rQXyNKuJw== ChromeOS test key Searching inside /etc/ssh/ssh_config for interesting info Host * UserKnownHostsFile /home/chronos/user/.ssh/known_hosts [+] Searching unexpected auth lines in /etc/pam.d/sshd auth include system-remote-login [+] Searching Cloud credentials (AWS, Azure, GC) [+] NFS exports? [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe /etc/exports Not Found [+] Searching kerberos conf files and tickets [i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt kadmin was found on /usr/local/bin/kadmin klist execution klist: No credentials cache found (filename: /tmp/krb5cc_20155) -rw-r--r-- 1 chronos chronos 369 Mar 12 2018 /usr/local/share/examples/krb5/krb5.conf -rw-r--r-- 1 chronos chronos 369 Mar 12 2018 /mnt/stateful_partition/dev_image/share/examples/krb5/krb5.conf tickets kerberos Not Found klist Not Found [+] Searching Kibana yaml kibana.yml Not Found [+] Searching Knock configuration Knock.config Not Found [+] Searching logstash files Not Found [+] Searching elasticsearch files Not Found [+] Searching Vault-ssh files vault-ssh-helper.hcl Not Found [+] Searching AD cached hashes cached hashes Not Found [+] Searching screen sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions No Sockets found in /tmp/screen/S-nginx. [+] Searching tmux sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions tmux Not Found [+] Searching Couchdb directory [+] Searching redis.conf [+] Searching dovecot files dovecot credentials Not Found [+] Searching mosquitto.conf [+] Searching neo4j auth file [+] Searching Cloud-Init conf file [+] Searching Erlang cookie file [+] Searching GVM auth file [+] Searching IPSEC files [+] Searching IRSSI files [+] Searching Keyring files [+] Searching Filezilla sites file [+] Searching backup-manager files [+] Searching uncommon passwd files (splunk) passwd file: /etc/autologin/passwd passwd file: /etc/pam.d/passwd passwd file: /usr/share/baselayout/passwd [+] Searching GitLab related files [+] Searching PGP/GPG PGP/GPG software: /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Searching vim files [+] Checking if containerd(ctr) is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation [+] Checking if runc is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation [+] Searching docker files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket [+] Interesting Firefox Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Interesting Chrome Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Autologin Files /home/nginx/.ssh/authorized_keysn/etc/autologin /etc/autologin/passwd -rw-r--r-- 1 root root 19 Feb 3 16:43 /etc/autologin/passwd SummerHereWeCome!! /etc/init/autologin.conf -rw-r--r-- 1 root root 978 Feb 3 16:42 /etc/init/autologin.conf # Copyright 2016 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. description "Automatic login at boot" author "chromium-os-dev@chromium.org" # After boot-complete starts, the login prompt is visible and is accepting # input. start on started boot-complete script passwd= # Read password from file. The file may optionally end with a newline. for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do if [ -e "${dir}/passwd" ]; then passwd="$(cat "${dir}/passwd")" break fi done if [ -z "${passwd}" ]; then exit 0 fi # Inject keys into the login prompt. # # For this to work, you must have already created an account on the device. # Otherwise, no login prompt appears at boot and the injected keys do the # wrong thing. /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter end script [+] S/Key authentication [+] YubiKey authentication [+] Passwords inside pam.d /etc/pam.d/chromeos-auth: /usr/bin/test -f /mnt/stateful_partition/etc/devmode.passwd /etc/pam.d/chromeos-auth: pwdfile /mnt/stateful_partition/etc/devmode.passwd [+] FastCGI Params -rw-r--r-- 1 chronos chronos 1007 Sep 27 2019 /usr/local/share/nginx/conf/fastcgi_params -rw-r--r-- 1 chronos chronos 1007 Sep 27 2019 /mnt/stateful_partition/dev_image/share/nginx/conf/fastcgi_params [+] SNMPs ════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════ [+] SUID - Check easy privesc, exploits and write perms [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rws--x--- 1 root messagebus 31K Dec 22 05:48 /usr/libexec/dbus-daemon-launch-helper -rws--x--- 1 root power 18K Jan 15 15:33 /usr/bin/powerd_setuid_helper (Unknown SUID binary) -rwsr-xr-x 1 root root 563K Feb 11 01:04 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable [+] SGID [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid [+] Checking misconfigurations of ld.so [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf # ld.so.conf autogenerated by env-update; make all changes to # contents of /etc/env.d directory /lib64 /usr/lib64 /usr/local/lib64 /lib /usr/lib /usr/local/lib /usr/lib/llvm/lib64 [+] Capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Files with capabilities (limited to 50): /usr/bin/fusermount = cap_sys_admin+ep /bin/arping = cap_net_raw+ep /bin/ping = cap_net_raw+ep [+] Users with capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities /etc/security/capability.conf Not Found [+] Files with ACLs (limited to 50) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls files with acls in searched folders Not Found [+] .sh files in path [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/local/bin/gettext.sh /usr/bin/start_bluetoothd.sh /usr/bin/unix-lpr.sh /usr/bin/start_bluetoothlog.sh /usr/bin/get_bluetooth_device_class.sh /usr/bin/crosh.sh /usr/bin/amuFormat.sh /usr/bin/lprsetup.sh /usr/sbin/kernel_log_collector.sh /usr/sbin/write_gpt.sh [+] Unexpected in root /postinst /lost+found [+] Files (scripts) in /etc/profile.d/ [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 20 drwxr-xr-x 2 root root 4096 Jan 15 15:58 . drwxr-xr-x 63 root root 4096 Feb 11 10:24 .. -rw-r--r-- 1 root root 487 Dec 22 05:46 cursor.sh -rw-r--r-- 1 root root 813 Dec 22 06:10 flatpak.sh -rw-r--r-- 1 root root 46 Dec 22 05:46 xauthority.sh [+] Permissions in init, init.d, systemd, and rc.d [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d [+] Hashes inside passwd file? ........... No [+] Writable passwd file? ................ No [+] Credentials in fstab/mtab? ........... No [+] Can I read shadow files? ............. No [+] Can I read opasswd file? ............. No [+] Can I write in network-scripts? ...... No [+] Can I read root folder? .............. No [+] Searching root files in home dirs (limit 30) /home/ /home/user /home/chronos/.oobe_completed /home/.shadow /home/nginx/.bash_history /home/katie/.bash_history /home/root /root/ [+] Searching folders owned by me containing others files on it [+] Readable files belonging to root and readable by me but not world readable [+] Modified interesting files in the last 5mins (limit 100) /usr/local/share/nginx/logs/error.log /usr/local/share/nginx/logs/access.log /home/nginx/.gnupg/trustdb.gpg /home/nginx/.gnupg/pubring.gpg /home/nginx/.gnupg/gpg.conf /mnt/stateful_partition/encrypted.block /mnt/stateful_partition/home/nginx/.gnupg/trustdb.gpg /mnt/stateful_partition/home/nginx/.gnupg/pubring.gpg /mnt/stateful_partition/home/nginx/.gnupg/gpg.conf /mnt/stateful_partition/dev_image/share/nginx/logs/error.log /mnt/stateful_partition/dev_image/share/nginx/logs/access.log /mnt/stateful_partition/encrypted/var/log/net.log /mnt/stateful_partition/encrypted/var/log/tlsdate.log /mnt/stateful_partition/encrypted/var/log/update_engine/update_engine.20210529-105842 /mnt/stateful_partition/encrypted/var/log/journal/00000000000000000000000000000001/system.journal /mnt/stateful_partition/encrypted/var/log/vmware-vmsvc-root.log /mnt/stateful_partition/encrypted/var/log/vmlog/vmlog.20210529-175852 /mnt/stateful_partition/encrypted/var/log/secure /mnt/stateful_partition/encrypted/var/log/messages /mnt/stateful_partition/encrypted/var/log/lastlog /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.DailyUseTime /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.CumulativeUseTime /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.UserCrashesWeekly /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.UserCrashInterval /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.CumulativeCpuTime /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.AnyCrashesWeekly /mnt/stateful_partition/encrypted/var/lib/metrics/uma-events /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.AnyCrashesDaily /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.KernelCrashInterval /mnt/stateful_partition/encrypted/var/lib/metrics/Platform.UserCrashesDaily /var/log/net.log /var/log/tlsdate.log /var/log/update_engine/update_engine.20210529-105842 /var/log/journal/00000000000000000000000000000001/system.journal /var/log/vmware-vmsvc-root.log /var/log/vmlog/vmlog.20210529-175852 /var/log/secure /var/log/messages /var/log/lastlog [+] Writable log files (logrotten) (limit 100) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation logrotate Not Found [+] Files inside /home/nginx (limit 20) total 372 drwxr-xr-x 6 nginx nginx 4096 May 29 11:07 . drwxr-xr-x 8 root root 4096 Feb 2 15:55 .. lrwxrwxrwx 1 root root 9 Feb 4 12:41 .bash_history -> /dev/null -rw-r--r-- 1 nginx nginx 127 Dec 22 05:46 .bash_logout -rw-r--r-- 1 nginx nginx 204 Dec 22 05:46 .bash_profile -rw-r--r-- 1 nginx nginx 551 Dec 22 05:46 .bashrc drwx------ 2 nginx nginx 4096 May 29 11:07 .gnupg drwx------ 3 nginx nginx 4096 Jan 15 15:55 .pki drwx------ 2 nginx nginx 4096 May 29 11:00 .ssh -rwxr-xr-x 1 nginx nginx 341863 May 29 11:04 linpeas.sh drwxr-xr-x 2 nginx nginx 4096 Jan 15 15:55 log [+] Files inside others home (limit 20) /home/chronos/.oobe_completed /home/chronos/Safe Browsing Cookies-journal /home/chronos/startup_settings_cache.json /home/chronos/chrome_shutdown_ms.txt /home/chronos/Default/Media History /home/chronos/Default/Login Data-journal /home/chronos/Default/Login Data /home/chronos/Default/Reporting and NEL /home/chronos/Default/Network Persistent State /home/chronos/Default/heavy_ad_intervention_opt_out.db-journal /home/chronos/Default/Reporting and NEL-journal /home/chronos/Default/previews_opt_out.db /home/chronos/Default/previews_opt_out.db-journal /home/chronos/Default/Favicons /home/chronos/Default/History-journal /home/chronos/Default/History /home/chronos/Default/Web Data /home/chronos/Default/Visited Links /home/chronos/Default/heavy_ad_intervention_opt_out.db /home/chronos/Default/Media History-journal [+] Searching installed mail applications [+] Mails (limit 50) [+] Backup folders [+] Backup files (limited 100) -rw-r--r-- 1 chronos chronos 7141 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/form-data/README.md.bak -rw-r--r-- 1 root root 4733 Feb 11 10:24 /usr/local/share/doc/open-vm-tools/api/html/vmbackup_8h.html -rw-r--r-- 1 root root 6376 Feb 11 10:24 /usr/local/share/doc/open-vm-tools/api/html/vmbackup_8h_source.html -rw-r--r-- 1 chronos chronos 339 Apr 28 2020 /usr/local/share/ri/2.7.0/system/Bundler/EnvironmentPreserver/backup-i.ri -rw-r--r-- 1 chronos chronos 2760 Nov 26 2017 /usr/local/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 chronos chronos 235 Dec 28 2017 /usr/local/docs/README_tokudb_backup -rwxr-xr-x 1 chronos chronos 68056 Feb 17 2018 /usr/local/lib/mysql/plugin/tokudb_backup.so -rwxr-xr-x 1 root root 173120 Feb 11 10:24 /usr/local/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 chronos chronos 5671 Mar 29 2020 /usr/local/lib/python3.8/sqlite3/test/backup.py -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /usr/local/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.opt-2.pyc -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /usr/local/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.opt-1.pyc -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /usr/local/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.pyc -rw-r--r-- 1 chronos chronos 6622 Dec 28 2017 /usr/local/include/backup.h -rw-r--r-- 1 chronos chronos 2007 Feb 15 2018 /usr/local/include/boost/variant/detail/backup_holder.hpp -rw-r--r-- 1 chronos chronos 7141 Jan 2 2018 /mnt/stateful_partition/dev_image/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/form-data/README.md.bak -rw-r--r-- 1 root root 4733 Feb 11 10:24 /mnt/stateful_partition/dev_image/share/doc/open-vm-tools/api/html/vmbackup_8h.html -rw-r--r-- 1 root root 6376 Feb 11 10:24 /mnt/stateful_partition/dev_image/share/doc/open-vm-tools/api/html/vmbackup_8h_source.html -rw-r--r-- 1 chronos chronos 339 Apr 28 2020 /mnt/stateful_partition/dev_image/share/ri/2.7.0/system/Bundler/EnvironmentPreserver/backup-i.ri -rw-r--r-- 1 chronos chronos 2760 Nov 26 2017 /mnt/stateful_partition/dev_image/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 chronos chronos 235 Dec 28 2017 /mnt/stateful_partition/dev_image/docs/README_tokudb_backup -rwxr-xr-x 1 chronos chronos 68056 Feb 17 2018 /mnt/stateful_partition/dev_image/lib/mysql/plugin/tokudb_backup.so -rwxr-xr-x 1 root root 173120 Feb 11 10:24 /mnt/stateful_partition/dev_image/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 chronos chronos 5671 Mar 29 2020 /mnt/stateful_partition/dev_image/lib/python3.8/sqlite3/test/backup.py -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /mnt/stateful_partition/dev_image/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.opt-2.pyc -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /mnt/stateful_partition/dev_image/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.opt-1.pyc -rw-r--r-- 1 chronos chronos 6999 Mar 29 2020 /mnt/stateful_partition/dev_image/lib/python3.8/sqlite3/test/__pycache__/backup.cpython-38.pyc -rw-r--r-- 1 chronos chronos 6622 Dec 28 2017 /mnt/stateful_partition/dev_image/include/backup.h -rw-r--r-- 1 chronos chronos 2007 Feb 15 2018 /mnt/stateful_partition/dev_image/include/boost/variant/detail/backup_holder.hpp -rw-r--r-- 1 root root 8920 Dec 22 05:45 /lib/modules/5.4.66+/kernel/drivers/power/supply/wm831x_backup.ko [+] Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found: /etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pemn/home/chronos/Default/heavy_ad_intervention_opt_out.db: cannot open `/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pemn/home/chronos/Default/heavy_ad_intervention_opt_out.db' (No such file or directory) Found: /home/chronos/Default/previews_opt_out.db: regular file, no read permission Found: /home/nginx/.pki/nssdb/cert9.db: SQLite 3.x database, last written using SQLite version 3032003 Found: /home/nginx/.pki/nssdb/key4.db: SQLite 3.x database, last written using SQLite version 3032003 -> Extracting tables from /home/nginx/.pki/nssdb/cert9.db (limit 20) -> Extracting tables from /home/nginx/.pki/nssdb/key4.db (limit 20) [+] Web files?(output limit) [+] Readable hidden interesting files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data -rw-r--r-- 1 root root 3524 Dec 22 05:46 /etc/bash/bashrc -rw-r--r-- 1 root root 551 Dec 22 05:46 /etc/skel/.bashrc lrwxrwxrwx 1 root root 9 Feb 2 15:55 /home/katie/.bash_history -> /dev/null Searching possible passwords inside /home/katie/.bash_history (limit 100) -rw-r--r-- 1 katie katie 551 Dec 22 05:46 /home/katie/.bashrc lrwxrwxrwx 1 root root 9 Feb 4 12:41 /home/nginx/.bash_history -> /dev/null Searching possible passwords inside /home/nginx/.bash_history (limit 100) -rw-r--r-- 1 nginx nginx 551 Dec 22 05:46 /home/nginx/.bashrc drwxr-xr-x 8 chronos chronos 4096 Jun 28 2020 /usr/local/lib/crew/.git -rw-r--r-- 1 chronos chronos 229 Jun 28 2020 /usr/local/lib/crew/.git/config -rw-r--r-- 1 chronos chronos 3792 Nov 22 2019 /usr/local/share/sandbox/sandbox.bashrc drwxr-xr-x 8 chronos chronos 4096 Jun 28 2020 /mnt/stateful_partition/dev_image/lib/crew/.git -rw-r--r-- 1 chronos chronos 229 Jun 28 2020 /mnt/stateful_partition/dev_image/lib/crew/.git/config -rw-r--r-- 1 chronos chronos 3792 Nov 22 2019 /mnt/stateful_partition/dev_image/share/sandbox/sandbox.bashrc lrwxrwxrwx 1 root root 9 Feb 2 15:55 /mnt/stateful_partition/home/katie/.bash_history -> /dev/null Searching possible passwords inside /mnt/stateful_partition/home/katie/.bash_history (limit 100) -rw-r--r-- 1 katie katie 551 Dec 22 05:46 /mnt/stateful_partition/home/katie/.bashrc lrwxrwxrwx 1 root root 9 Feb 4 12:41 /mnt/stateful_partition/home/nginx/.bash_history -> /dev/null Searching possible passwords inside /mnt/stateful_partition/home/nginx/.bash_history (limit 100) -rw-r--r-- 1 nginx nginx 551 Dec 22 05:46 /mnt/stateful_partition/home/nginx/.bashrc [+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-r--r-- 1 chronos chronos 97 Mar 31 2020 /usr/local/lib64/ruby/gems/2.7.0/gems/net-telnet-0.2.0/.travis.yml -rw-r--r-- 1 chronos chronos 1107 Mar 31 2020 /usr/local/lib64/ruby/gems/2.7.0/gems/minitest-5.13.0/.autotest -rw-r--r-- 1 chronos chronos 328 Mar 31 2020 /usr/local/lib64/ruby/gems/2.7.0/gems/power_assert-1.1.7/.travis.yml -rw-r--r-- 1 chronos chronos 89 Mar 31 2020 /usr/local/lib64/ruby/gems/2.7.0/gems/xmlrpc-0.3.0/.travis.yml -rw-r--r-- 1 chronos chronos 29 Oct 26 2014 /usr/local/lib64/python2.7/site-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap -rw-r--r-- 1 chronos chronos 0 Jun 11 2020 /usr/local/lib64/php/.depdblock -rw-r--r-- 1 chronos chronos 0 Jun 11 2020 /usr/local/lib64/php/.lock -rw-r--r-- 1 chronos chronos 2470 Jun 11 2020 /usr/local/lib64/php/.depdb -rw-r--r-- 1 chronos chronos 6961 Jun 11 2020 /usr/local/lib64/php/.filemap -rwxrwxrwx 1 nginx nginx 629 May 9 2016 /usr/local/share/nginx/html/main/wp-content/plugins/akismet/.htaccess -rw-r--r-- 1 nginx nginx 269 Oct 25 2019 /usr/local/share/nginx/html/main/wp-content/themes/twentytwenty/.stylelintrc.json -rw-r--r-- 1 nginx nginx 629 May 9 2016 /usr/local/share/nginx/html/testing/wp-content/plugins/akismet/.htaccess -rw-r--r-- 1 nginx nginx 269 Oct 25 2019 /usr/local/share/nginx/html/testing/wp-content/themes/twentytwenty/.stylelintrc.json -rw-r--r-- 1 chronos chronos 1265 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/.travis.yml -rw-r--r-- 1 chronos chronos 2851 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/.mailmap -rw-r--r-- 1 chronos chronos 76 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/safe-buffer/.travis.yml -rw-r--r-- 1 chronos chronos 92 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/tar/node_modules/minipass/.travis.yml -rw-r--r-- 1 chronos chronos 326 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/is-cidr/.travis.yml -rw-r--r-- 1 chronos chronos 47 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/cmd-shim/.travis.yml -rw-r--r-- 1 chronos chronos 189 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/read-installed/.travis.yml -rw-r--r-- 1 chronos chronos 1414 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/uuid/.eslintrc.json -rw-r--r-- 1 chronos chronos 57 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/JSONStream/.travis.yml -rw-r--r-- 1 chronos chronos 54 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/JSONStream/node_modules/through/.travis.yml -rw-r--r-- 1 chronos chronos 141 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/fs-write-stream-atomic/.travis.yml -rw-r--r-- 1 chronos chronos 1160 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/update-notifier/node_modules/chalk/node_modules/ansi-styles/node_modules/color-convert/node_modules/color-name/.eslintrc.json -rw-r--r-- 1 chronos chronos 116 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-url/node_modules/rc/node_modules/minimist/.travis.yml -rw-r--r-- 1 chronos chronos 116 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/update-notifier/node_modules/latest-version/node_modules/package-json/node_modules/registry-auth-token/node_modules/rc/node_modules/minimist/.travis.yml -rw-r--r-- 1 chronos chronos 48 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/text-table/.travis.yml -rw-r--r-- 1 chronos chronos 65 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/duplexify/.travis.yml -rw-r--r-- 1 chronos chronos 65 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/duplexify/node_modules/stream-shift/.travis.yml -rw-r--r-- 1 chronos chronos 109 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/from2/.travis.yml -rw-r--r-- 1 chronos chronos 48 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/concat-stream/node_modules/typedarray/.travis.yml -rw-r--r-- 1 chronos chronos 68 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/pumpify/.travis.yml -rw-r--r-- 1 chronos chronos 69 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/flush-write-stream/.travis.yml -rw-r--r-- 1 chronos chronos 62 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/stream-each/.travis.yml -rw-r--r-- 1 chronos chronos 65 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/stream-each/node_modules/stream-shift/.travis.yml -rw-r--r-- 1 chronos chronos 58 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mississippi/node_modules/pump/.travis.yml -rw-r--r-- 1 chronos chronos 88 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/node-gyp/.jshintrc -rw-r--r-- 1 chronos chronos 45 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/node-gyp/node_modules/tar/.travis.yml -rw-r--r-- 1 chronos chronos 142 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/node-gyp/node_modules/fstream/.travis.yml -rw-r--r-- 1 chronos chronos 134 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/node-gyp/node_modules/nopt/.travis.yml -rw-r--r-- 1 chronos chronos 43 Dec 7 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/.travis.yml -rw-r--r-- 1 chronos chronos 38 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml -rw-r--r-- 1 chronos chronos 116 Dec 7 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/lockfile/.travis.yml -rw-r--r-- 1 chronos chronos 134 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/osenv/.travis.yml -rw-r--r-- 1 chronos chronos 1785 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/readable-stream/.travis.yml -rw-r--r-- 1 chronos chronos 112 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/readable-stream/node_modules/process-nextick-args/.travis.yml -rw-r--r-- 1 chronos chronos 48 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/readable-stream/node_modules/isarray/.travis.yml -rw-r--r-- 1 chronos chronos 143 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/meant/.travis.yml -rw-r--r-- 1 chronos chronos 43 Dec 7 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/.travis.yml -rw-r--r-- 1 chronos chronos 58 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/sorted-union-stream/.travis.yml -rw-r--r-- 1 chronos chronos 60 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/sorted-union-stream/node_modules/stream-iterate/.travis.yml -rw-r--r-- 1 chronos chronos 65 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/sorted-union-stream/node_modules/stream-iterate/node_modules/stream-shift/.travis.yml -rw-r--r-- 1 chronos chronos 108 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/nopt/.travis.yml -rw-r--r-- 1 chronos chronos 66 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/validate-npm-package-name/.travis.yml -rw-r--r-- 1 chronos chronos 48 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/validate-npm-package-name/node_modules/builtins/.travis.yml -rw-r--r-- 1 chronos chronos 116 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mkdirp/.travis.yml -rw-r--r-- 1 chronos chronos 48 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/mkdirp/node_modules/minimist/.travis.yml -rw-r--r-- 1 chronos chronos 48 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/npm-registry-client/node_modules/concat-stream/node_modules/typedarray/.travis.yml -rw-r--r-- 1 chronos chronos 139 Dec 7 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/unique-filename/node_modules/unique-slug/.travis.yml -rw-r--r-- 1 chronos chronos 134 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/read/node_modules/mute-stream/.travis.yml -rw-r--r-- 1 chronos chronos 178 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/.dir-locals.el -rw-r--r-- 1 chronos chronos 0 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/jsprim/node_modules/extsprintf/.gitmodules -rw-r--r-- 1 chronos chronos 189 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/.travis.yml -rw-r--r-- 1 chronos chronos 44 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/node_modules/asn1/.travis.yml -rw-r--r-- 1 chronos chronos 113 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/node_modules/getpass/.travis.yml -rw-r--r-- 1 chronos chronos 399 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/qs/.editorconfig -rw-r--r-- 1 chronos chronos 5 May 29 2017 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/qs/.eslintignore -rw-r--r-- 1 chronos chronos 630 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/ajv/node_modules/json-schema-traverse/.eslintrc.yml -rw-r--r-- 1 chronos chronos 108 Jan 2 2018 /usr/local/share/nodebrew/node/v8.9.4/lib/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/ajv/node_modules/json-schema-traverse/.travis.yml [+] Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rw-r--r-- 1 root root 135 May 29 11:01 /tmp/disk-cryptohome-unmounted -rw-r--r-- 1 root root 14 May 29 11:01 /tmp/uptime-cryptohome-unmounted -rw-r--r-- 1 root root 135 May 29 11:01 /tmp/disk-other-processes-terminated -rw-r--r-- 1 root root 14 May 29 11:01 /tmp/uptime-other-processes-terminated -rw-r--r-- 1 root root 135 May 29 11:01 /tmp/disk-ui-post-stop -rw-r--r-- 1 root root 14 May 29 11:01 /tmp/uptime-ui-post-stop -rw-r--r-- 1 shill shill 135 May 29 10:58 /tmp/disk-network-ethernet-no-connectivity -rw-r--r-- 1 shill shill 12 May 29 10:58 /tmp/uptime-network-ethernet-no-connectivity -rw-r--r-- 1 root root 5 May 29 10:58 /tmp/firmware-boot-time -rw-r--r-- 1 shill shill 135 May 29 10:58 /tmp/disk-network-ethernet-ready -rw-r--r-- 1 shill shill 12 May 29 10:58 /tmp/uptime-network-ethernet-ready -rw-r--r-- 1 shill shill 135 May 29 10:58 /tmp/disk-network-ethernet-configuration -rw-r--r-- 1 shill shill 12 May 29 10:58 /tmp/uptime-network-ethernet-configuration -rw-r--r-- 1 shill shill 135 May 29 10:58 /tmp/disk-network-ethernet-registered -rw-r--r-- 1 shill shill 12 May 29 10:58 /tmp/uptime-network-ethernet-registered -rw-r--r-- 1 chronos chronos 135 May 29 10:58 /tmp/disk-chrome-main -rw-r--r-- 1 chronos chronos 10 May 29 10:58 /tmp/uptime-chrome-main -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-boot-complete -rw-r--r-- 1 root root 12 May 29 10:58 /tmp/uptime-boot-complete -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-login-prompt-visible -rw-r--r-- 1 root root 12 May 29 10:58 /tmp/uptime-login-prompt-visible -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-chrome-exec -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-chrome-exec -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-shill-start -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-shill-start -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-lockbox-cache-end -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-lockbox-cache-end -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-lockbox-cache-start -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-lockbox-cache-start -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-post-startup -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-post-startup -rw-r--r-- 1 root root 135 May 29 10:58 /tmp/disk-pre-startup -rw-r--r-- 1 root root 10 May 29 10:58 /tmp/uptime-pre-startup [+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files /dev/shm /home/nginx /media /mnt/stateful_partition/dev_image/share/nginx/html/index.html /mnt/stateful_partition/dev_image/share/nginx/html/main /mnt/stateful_partition/dev_image/share/nginx/html/main/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/license.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/readme.html /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-activate.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/about.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/admin-ajax.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/admin-footer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/admin-functions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/admin-header.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/about-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/about-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/about.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/about.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/admin-menu-rtl.css #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/_admin.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/_mixins.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/_variables.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/blue/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/coffee/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ectoplasm/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/light/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/midnight/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/ocean/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise/colors-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise/colors-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise/colors.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise/colors.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/colors/sunrise/colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/common-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/common-rtl.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/common.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/common.min.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/css/customize-controls-rtl.css #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/custom-background.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/custom-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/customize.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/edit-comments.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/edit-form-advanced.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/admin-filters.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/admin.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/ajax-actions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/bookmark.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/class-automatic-upgrader-skin.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/install-helper.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/install.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/accordion.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/accordion.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/code-editor.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/code-editor.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/color-picker.js #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/widgets/custom-html-widgets.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/widgets/custom-html-widgets.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/widgets/media-audio-widget.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/widgets/media-audio-widget.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/widgets/media-gallery-widget.js #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/word-count.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/word-count.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/xfn.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/js/xfn.min.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/link-add.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/link-manager.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/link-parse-opml.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/link.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/load-scripts.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/maint/repair.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/media-new.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/media-upload.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/media.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/menu-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/menu.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/about.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/admin.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/credits.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/edit.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/freedoms.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/options-discussion.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/options-general.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/options-head.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/options-media.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/options-permalink.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user/about.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user/admin.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user/credits.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user/freedoms.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user/index.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/users.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/widgets.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-blog-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-comments-post.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-config.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/admin-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/admin-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/admin-network-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/admin-network-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/en_GB-0ce75ad2f775d1cac9696967d484808c.json #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/plugins/akismet-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/plugins/akismet-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/plugins/hello-dolly-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/plugins/hello-dolly-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes/twentynineteen-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes/twentynineteen-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes/twentyseventeen-en_GB.mo /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes/twentyseventeen-en_GB.po /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/languages/themes/twentysixteen-en_GB.mo #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/.htaccess /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/LICENSE.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/form.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/img /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/akismet.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/changelog.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/class.akismet-admin.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/class.akismet-cli.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/class.akismet-rest-api.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/activate.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/config.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/connect-jp.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/enter.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/get.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/wrapper.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/hello.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/404.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/archive.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/classes /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/classes/class-twentynineteen-svg-icons.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/classes/class-twentynineteen-walker-comment.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/comments.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/fonts /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/fonts/NonBreakingSpaceOverride.woff /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/fonts/NonBreakingSpaceOverride.woff2 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/footer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/functions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/image.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/back-compat.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/color-patterns.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/customizer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/helper-functions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/icon-functions.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js/customize-controls.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js/customize-preview.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js/priority-menu.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js/skip-link-focus-fix.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/js/touch-keyboard-navigation.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/package-lock.json /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/package.json /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/postcss.config.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/print.css #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/_normalize.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/blocks /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/blocks/_blocks.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/elements /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/elements/_elements.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/elements/_lists.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/elements/_tables.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/forms /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/forms/_buttons.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/forms/_fields.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/forms/_forms.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/layout /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/layout/_layout.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/media /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/media/_captions.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/media/_galleries.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/media/_media.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/mixins /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/mixins/_mixins-master.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/mixins/_utilities.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/modules /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/modules/_accessibility.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/modules/_alignments.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/modules/_clearings.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation/_links.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation/_menu-footer-navigation.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation/_menu-main-navigation.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation/_menu-social-navigation.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/navigation/_navigation.scss #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/_site.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/footer /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/footer/_site-footer.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/header /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/header/_site-featured-image.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/header/_site-header.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/primary /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/primary/_archives.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/primary/_comments.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/primary/_posts-and-pages.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/secondary /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/site/secondary/_widgets.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/typography /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/typography/_copy.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/typography/_headings.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/typography/_typography.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site/_colors.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site/_columns.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site/_fonts.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site/_structure.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/sass/variables-site/_transitions.scss #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/search.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/single.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/style-editor-customizer.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/style-editor-customizer.scss /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/style-editor.css #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content/content-excerpt.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content/content-none.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content/content-page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content/content-single.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/content/content.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/footer /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/footer/footer-widgets.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/header /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/header/entry-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/header/site-branding.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/post /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/post/author-bio.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/template-parts/post/discussion-meta.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/404.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/archive.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css/blocks.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css/colors-dark.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css/editor-blocks.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css/editor-style.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/css/ie8.css #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/images /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js/customize-controls.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js/customize-preview.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js/global.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js/html5.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/assets/js/jquery.scrollTo.js #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/comments.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/footer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/front-page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/functions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/header.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/inc/back-compat.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/inc/color-patterns.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/inc/custom-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/inc/customizer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/inc/icon-functions.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/readme.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/search.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/footer /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/footer/footer-widgets.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/footer/site-info.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/header /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/header/header-image.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/header/site-branding.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/navigation /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/navigation/navigation-top.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/page /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/page/content-front-page-panels.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/page/content-front-page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/page/content-page.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post/content-audio.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post/content-excerpt.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post/content-gallery.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post/content-image.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentyseventeen/template-parts/post/content-none.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/.stylelintrc.json /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/404.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/css/editor-style-block-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/css/editor-style-block.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/css/editor-style-classic-rtl.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/css/editor-style-classic.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/fonts /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/fonts/inter /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/fonts/inter/Inter-italic-var.woff2 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/fonts/inter/Inter-upright-var.woff2 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/images /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js/color-calculations.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js/customize-controls.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js/customize-preview.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js/customize.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/assets/js/editor-script-block.js #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes/class-twentytwenty-customize.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes/class-twentytwenty-non-latin-languages.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes/class-twentytwenty-script-loader.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes/class-twentytwenty-separator-control.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/classes/class-twentytwenty-svg-icons.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/comments.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/footer.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/functions.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/inc /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/inc/custom-css.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/inc/starter-content.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/inc/svg-icons.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/inc/template-tags.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/package-lock.json /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/package.json /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/print.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/readme.txt #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/template-parts/content-cover.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/template-parts/content.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/template-parts/entry-author-bio.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/template-parts/entry-header.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/template-parts/featured-image.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/templates /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/templates/template-cover.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentytwenty/templates/template-full-width.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/upgrade /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/06 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/07 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/08 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2021 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2021/05 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-cron.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3/getid3.lib.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3/getid3.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3/license.commercial.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3/license.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ID3/module.audio-video.asf.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR/class-IXR-base64.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR/class-IXR-client.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR/class-IXR-clientmulticall.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR/class-IXR-date.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/IXR/class-IXR-error.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Auth /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Auth.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Auth/Basic.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Cookie /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Cookie.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Cookie/Jar.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP/304.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP/305.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP/306.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP/400.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/HTTP/401.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/Transport /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/Transport.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Exception/Transport/cURL.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Hooker.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Hooks.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/IDNAEncoder.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/IPv6.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/IRI.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Proxy/HTTP.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Response /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Response.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Response/Headers.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/SSL.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Session.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Transport /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Transport.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Transport/cURL.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Transport/fsockopen.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/Requests/Utility [+] Interesting GROUP writable files (not in Home) (max 500) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files Group nginx: /usr/local/share/nginx/html/main/wp-content/uploads /usr/local/share/nginx/html/main/wp-content/uploads/2021 /usr/local/share/nginx/html/main/wp-content/uploads/2021/05 /usr/local/share/nginx/html/main/wp-content/uploads/2020 /usr/local/share/nginx/html/main/wp-content/uploads/2020/06 /usr/local/share/nginx/html/main/wp-content/uploads/2020/08 /usr/local/share/nginx/html/main/wp-content/uploads/2020/07 /usr/local/share/nginx/html/main/wp-content/plugins /usr/local/share/nginx/html/main/wp-content/plugins/index.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet /usr/local/share/nginx/html/main/wp-content/plugins/akismet/.htaccess /usr/local/share/nginx/html/main/wp-content/plugins/akismet/class.akismet-widget.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views/notice.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views/get.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views/connect-jp.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views/title.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/views/activate.php #)You_can_write_even_more_files_inside_last_directory /usr/local/share/nginx/html/main/wp-content/plugins/akismet/wrapper.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/readme.txt /usr/local/share/nginx/html/main/wp-content/plugins/akismet/index.php /usr/local/share/nginx/html/main/wp-content/plugins/akismet/changelog.txt /usr/local/share/nginx/html/main/wp-content/plugins/akismet/class.akismet.php #)You_can_write_even_more_files_inside_last_directory /usr/local/share/nginx/html/main/wp-content/plugins/akismet/_inc/form.js /usr/local/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.js /usr/local/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.css /usr/local/share/nginx/html/main/wp-content/plugins/akismet/_inc/img /usr/local/share/nginx/html/main/wp-content/plugins/hello.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2021 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2021/05 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/06 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/08 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/uploads/2020/07 /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/.htaccess /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/class.akismet-widget.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/notice.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/get.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/connect-jp.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/title.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/views/activate.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/wrapper.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/readme.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/index.php /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/changelog.txt /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/class.akismet.php #)You_can_write_even_more_files_inside_last_directory /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/form.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.js /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/akismet.css /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/akismet/_inc/img /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/plugins/hello.php /tmp/screen [+] Searching passwords in config PHP files $pwd = trim( wp_unslash( $_POST['pwd'] ) ); $pwd = trim( wp_unslash( $_POST['pwd'] ) ); [+] Checking for TTY (sudo/su) passwords in audit logs [+] Finding IPs inside logs (limit 70) 5 10.10.14.234 4 10.10.10.229 1 10.10.10.255 1 10.10.10.2 [+] Finding passwords inside logs (limit 70) 2021-05-29T17:58:30.240168+00:00 NOTICE sudo[852]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/nginx 2021-05-29T17:58:36.928350+00:00 ERR cryptohomed[985]: GetOwnerPassword: Cannot get owner password until TPM is confirmed to be owned. 2021-05-29T18:01:04.326953+00:00 NOTICE sudo[3649]: root : TTY=unknown ; PWD=/ ; USER=chronos ; COMMAND=/bin/kill -9 -- -1 2021-05-29T18:02:55.950993+00:00 ERR pam_pwdfile[3744]: user not found in password database 2021-05-29T18:02:58.004163+00:00 ALERT sudo[3744]: nginx : command not allowed ; TTY=pts/0 ; PWD=/home/nginx ; USER=root ; COMMAND=list 2021-05-29T18:07:26.669114+00:00 ERR pam_pwdfile[7288]: user not found in password database 2021-05-29T18:07:28.734138+00:00 CRIT sudo[7288]: pam_unix(sudo:auth): auth could not identify password for [nginx] 2021-05-29T18:07:31.072551+00:00 ALERT sudo[7288]: nginx : command not allowed ; TTY=pts/0 ; PWD=/home/nginx ; USER=root ; COMMAND=list [+] Finding emails inside logs (limit 70) 1 dm-devel@redhat.com [+] Finding *password* or *credential* files in home (limit 70) [+] Finding passwords inside key folders (limit 70) - only PHP files /mnt/stateful_partition/dev_image/lib64/build/run-tests.php: if (strpos($section_text['INI'], '{PWD}') !== false) { /mnt/stateful_partition/dev_image/lib64/php/PEAR/Command/Channels.php: $password = $matches[2]; /mnt/stateful_partition/dev_image/lib64/php/PEAR/Command/Channels.php: $password = trim($password); /mnt/stateful_partition/dev_image/lib64/php/PEAR/Command/Channels.php: list($username, $password) = $this->ui->userDialog( /mnt/stateful_partition/dev_image/lib64/php/PEAR/Command/Install.php: $pwd = getcwd(); /mnt/stateful_partition/dev_image/lib64/php/PEAR/Config.php: case 'password': { /mnt/stateful_partition/dev_image/lib64/php/PEAR/Config.php: 'password' => array( /mnt/stateful_partition/dev_image/lib64/php/PEAR/Downloader.php: $password = $config->get('password', null, $channel); /mnt/stateful_partition/dev_image/lib64/php/PEAR/REST.php: $password = $this->config->get('password', null, $channel); /mnt/stateful_partition/dev_image/lib64/php/PEAR/RunTest.php: if (strpos($section_text['ENV'], '{PWD}') !== false) { /mnt/stateful_partition/dev_image/lib64/php/PEAR/RunTest.php: if (strpos($section_text['INI'], '{PWD}') !== false) { /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/class-ftp.php: $this->_password="anon@ftp.com"; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/class-ftp.php: else $this->_password="anon@anon.com"; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/class-ftp.php: if(!is_null($pass)) $this->_password=$pass; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/class-wp-filesystem-ftpext.php: $pwd = ftp_pwd( $this->link ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/file.php: $password_value = '*****'; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/file.php: $password_value = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/meta-boxes.php: $post->post_password = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/post.php: $_POST['post_password'] = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/post.php: $post_data['post_password'] = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/post.php: $post->post_password = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/privacy-tools.php: 'post_password' => '', /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/schema.php:Password: PASSWORD /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: $email_password = true; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: $user_password = wp_generate_password( 12, false ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: 'password' => $user_password, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: 'password_message' => $message, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: $email_password = false; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php: $user_password = trim( $user_password ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/upgrade.php:Password: %3$s /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/includes/user.php:function default_password_nag_handler( $errors = false ) { /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/install.php: } elseif ( $admin_password != $admin_password_check ) { /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/site-new.php: $password = wp_generate_password( 12, false ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/site-new.php: $password = 'N/A'; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/site-users.php: $password = wp_generate_password( 12, false ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/network/user-new.php: $password = wp_generate_password( 12, false ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/setup-config.php: $pwd = trim( wp_unslash( $_POST['pwd'] ) ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user-edit.php: /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user-new.php: /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-admin/user-new.php: /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-content/themes/twentynineteen/inc/color-patterns.php: input[type="password"]:focus, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-phpmailer.php: public $Password = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-simplepie.php:define('SIMPLEPIE_TYPE_RSS_091_USERLAND', 4); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-post.php: public $post_password = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-query.php: $search .= " AND ({$wpdb->posts}.post_password = '') "; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $post_password = $content_struct['wp_password']; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $post_password = ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: 'post_password' => $post['post_password'], /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: 'post_password' => null, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: 'wp_password' => $page->post_password, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $escaped_password = $this->escape( $password ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[1]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[2]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $args[3]; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $password = $this->escape( $args[2] ); /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/class-wp-xmlrpc-server.php: $post_password = $postdata['post_password']; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/deprecated.php: 'post_password' => $post->post_password, /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/feed-atom-comments.php: /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/feed-rss2-comments.php: /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/general-template.php: 'id_password' => 'user_pass', /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/general-template.php: 'label_password' => __( 'Password' ), /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/general-template.php:function wp_lostpassword_url( $redirect = '' ) { /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/load.php: $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/load.php: $dbuser = defined( 'DB_USER' ) ? DB_USER : ''; /mnt/stateful_partition/dev_image/share/nginx/html/main/wp-includes/ms-deprecated.php:function generate_random_password( $len = 8 ) { [+] Finding passwords inside key folders (limit 70) - no PHP files /etc/group-:password-viewers:!:611:kerberosd,shill /etc/group:password-viewers:!:611:kerberosd,shill /etc/init/autologin.conf: passwd="$(cat "${dir}/passwd")" /etc/init/autologin.conf: passwd= /etc/login.defs:# to use the default which is just "Password: ". /etc/login.defs:#LOGIN_STRING "%s's Password: " /etc/openldap/schema/samba.schema: DESC 'Allow Machine Password changes (default: 0 => off)' /etc/openldap/schema/samba.schema: DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' /etc/openldap/schema/samba.schema: DESC 'Length of Password History Entries (default: 0 => off)' /etc/openldap/schema/samba.schema: DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' /etc/openldap/schema/samba.schema: DESC 'Minimal password length (default: 5)' /etc/openldap/schema/samba.schema: DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' /etc/security/namespace.init: gid=$(echo "$passwd" | cut -f4 -d":") /etc/security/namespace.init: homedir=$(echo "$passwd" | cut -f6 -d":") /etc/security/namespace.init: passwd=$(getent passwd "$user") /etc/ssl/openssl.cnf.dist:# input_password = secret /etc/ssl/openssl.cnf.dist:# output_password = secret /etc/ssl/openssl.cnf.dist:challengePassword = A challenge password /etc/ssl/openssl.cnf.dist:challengePassword_max = 20 /etc/ssl/openssl.cnf.dist:challengePassword_min = 4 /etc/ssl/openssl.cnf:# input_password = secret /etc/ssl/openssl.cnf:# output_password = secret /etc/ssl/openssl.cnf:challengePassword = A challenge password /etc/ssl/openssl.cnf:challengePassword_max = 20 /etc/ssl/openssl.cnf:challengePassword_min = 4 /mnt/stateful_partition/dev_image/bin/git-cvsserver: $self->{dbpass} = $cfg->{gitcvs}{$state->{method}}{dbpass} || /mnt/stateful_partition/dev_image/bin/git-cvsserver: $self->{dbuser} = $cfg->{gitcvs}{$state->{method}}{dbuser} || /mnt/stateful_partition/dev_image/bin/git-cvsserver: $self->{dbuser} =~ s/%([mauGg])/$mapping{$1}/eg; /mnt/stateful_partition/dev_image/bin/git-cvsserver: my $password = $line; /mnt/stateful_partition/dev_image/bin/mysqld_multi: "user=s", "password=s", "log=s", "no-log", /mnt/stateful_partition/dev_image/bin/mysqld_multi:$opt_password = undef(); /mnt/stateful_partition/dev_image/bin/mysqld_multi:--password=... Password for mysqladmin user. /mnt/stateful_partition/dev_image/bin/mysqld_multi:password = my_password /mnt/stateful_partition/dev_image/bin/mysqld_safe: MY_PWD="`pwd`" /mnt/stateful_partition/dev_image/bin/mysqld_safe:oldpwd="`pwd`" /mnt/stateful_partition/dev_image/bin/ps-admin: PASSWORD="$2" /mnt/stateful_partition/dev_image/bin/ps-admin: read -s -p "Enter password:" PASSWORD /mnt/stateful_partition/dev_image/bin/ps-admin:PASSWORD="" /mnt/stateful_partition/dev_image/bin/ps-admin:PASSWORD=${PASSWORD:+"-p${PASSWORD}"} /mnt/stateful_partition/dev_image/bin/ps-admin:SCRIPT_PWD=$(cd `dirname $0` && pwd) /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin: PASSWORD="" /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin: PASSWORD="-p$INPUT_PASS" /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin: PASSWORD="-p$2" /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin: read -s -p "Enter password:" INPUT_PASS /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin:PASSWORD="" /mnt/stateful_partition/dev_image/bin/ps_tokudb_admin:SCRIPT_PWD=$(cd `dirname $0` && pwd) /mnt/stateful_partition/dev_image/bin/pt-archiver: . ( $hash{password} ? ",p=$hash{password}" : ''); /mnt/stateful_partition/dev_image/bin/pt-archiver: slave_password => $o->got('slave-password') ? $o->get('slave-password') : '', /mnt/stateful_partition/dev_image/bin/pt-archiver: $dsn->{p} = OptionParser::prompt_noecho("Enter MySQL password: "); /mnt/stateful_partition/dev_image/bin/pt-archiver: $table->{p} = OptionParser::prompt_noecho("Enter password: "); /mnt/stateful_partition/dev_image/bin/pt-archiver: my $slave_password = $args->{slave_password} || ''; /mnt/stateful_partition/dev_image/bin/pt-archiver:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-archiver:dsn: password; copy: yes /mnt/stateful_partition/dev_image/bin/pt-config-diff: $dsn->{p} = OptionParser::prompt_noecho("Enter MySQL password: "); /mnt/stateful_partition/dev_image/bin/pt-config-diff:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-config-diff:dsn: password; copy: yes /mnt/stateful_partition/dev_image/bin/pt-deadlock-logger: $dsn->{p} = OptionParser::prompt_noecho("Enter MySQL password: "); /mnt/stateful_partition/dev_image/bin/pt-deadlock-logger:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-deadlock-logger:dsn: password; copy: yes /mnt/stateful_partition/dev_image/bin/pt-duplicate-key-checker: $o->set('password', OptionParser::prompt_noecho("Enter password: ")); /mnt/stateful_partition/dev_image/bin/pt-duplicate-key-checker:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-duplicate-key-checker:dsn: password; copy: yes /mnt/stateful_partition/dev_image/bin/pt-find: $o->set('password', OptionParser::prompt_noecho("Enter password: ")); /mnt/stateful_partition/dev_image/bin/pt-find:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-find:dsn: password; copy: yes /mnt/stateful_partition/dev_image/bin/pt-fingerprint: SELECT name, password FROM user WHERE id='12823'; /mnt/stateful_partition/dev_image/bin/pt-fingerprint: select name, password from user where id=? /mnt/stateful_partition/dev_image/bin/pt-fk-error-logger: $dsn->{p} = OptionParser::prompt_noecho("Enter MySQL password: "); /mnt/stateful_partition/dev_image/bin/pt-fk-error-logger:If password contains commas they must be escaped with a backslash: "exam\,ple" /mnt/stateful_partition/dev_image/bin/pt-fk-error-logger:dsn: password; copy: yes [+] Finding possible password variables inside key folders (limit 140) /mnt/stateful_partition/dev_image/bin/pt-online-schema-change: my $cluster_name = $self->get_cluster_name($cxn); /mnt/stateful_partition/dev_image/bin/pt-online-schema-change: my (undef, $cluster_name) = $cxn->dbh->selectrow_array($sql); /mnt/stateful_partition/dev_image/bin/pt-table-checksum: $cluster_name_for{$cxn} = $cluster->is_cluster_node($cxn); /mnt/stateful_partition/dev_image/bin/pt-table-checksum: $cluster_name_for{$master_cxn} = $cluster->is_cluster_node($master_cxn); /mnt/stateful_partition/dev_image/bin/pt-table-checksum: my $cluster_name = $self->get_cluster_name($cxn); /mnt/stateful_partition/dev_image/bin/pt-table-checksum: my (undef, $cluster_name) = $cxn->dbh->selectrow_array($sql); /mnt/stateful_partition/dev_image/docbook/html/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/html/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/html/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/html/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/html/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/slides/s5/ui/default/slides.js: 'Ø<\/a>' + /mnt/stateful_partition/dev_image/docbook/slides/s5/ui/default/slides.js: ' /mnt/stateful_partition/dev_image/docbook/xhtml-1_1/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml-1_1/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml-1_1/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml-1_1/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml/chunk-common.xsl: /mnt/stateful_partition/dev_image/docbook/xhtml/chunk-common.xsl: /mnt/stateful_partition/dev_image/include/proto/device_management_backend.proto: optional string app_name = 1; /mnt/stateful_partition/dev_image/include/proto/device_management_backend.proto: optional string oauth2_client_id = 2; /mnt/stateful_partition/dev_image/include/proto/device_management_backend.proto: required string device_management_token = 1; /mnt/stateful_partition/dev_image/include/proto/policy_signing_key.proto: optional bytes signing_key = 1; /mnt/stateful_partition/dev_image/include/proto/policy_signing_key.proto: optional bytes signing_key_signature = 2; /mnt/stateful_partition/dev_image/include/tidyenum.h: TidyAttr_ACCESSKEY, /**< ACCESSKEY= */ /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Net/FTP.pm: ${*$ftp}{'net_ftp_host'} = $host; # Remote hostname /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Pod/Simple/HTMLBatch.pm: qq[" accesskey="1" title="All Documents"><<

\n], /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/x86_64-linux/Config_heavy.pl:netdb_host_type='char *' /mnt/stateful_partition/dev_image/lib/perl5/site_perl/5.26.1/HTTP/Request.pm: my $auth_token = 'auth_token'; /mnt/stateful_partition/dev_image/lib/perl5/site_perl/5.26.1/Percona/XtraDB/Cluster.pm: my $cluster_name = $self->get_cluster_name($cxn); /mnt/stateful_partition/dev_image/lib/python2.7/idlelib/help.html: accesskey="I">index /mnt/stateful_partition/dev_image/lib/python2.7/idlelib/help.html: accesskey="N">next | /mnt/stateful_partition/dev_image/lib/python2.7/idlelib/help.html: accesskey="P">previous | /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/cachecontrol/controller.py: cache_url = self.cache_url(request.url) /mnt/stateful_partition/dev_image/lib/python2.7/test/test_urllib2net.py: u = _urlopen_with_retry(self.FTP_HOST, timeout=None) /mnt/stateful_partition/dev_image/lib/python2.7/test/test_urllib2net.py: u = _urlopen_with_retry(self.FTP_HOST, timeout=60) /mnt/stateful_partition/dev_image/lib/python2.7/test/test_urllib2net.py: with test_support.transient_internet(self.FTP_HOST, timeout=None): /mnt/stateful_partition/dev_image/lib/python2.7/test/test_urllib2net.py: FTP_HOST = 'ftp://www.pythontest.net/' /mnt/stateful_partition/dev_image/lib/python3.8/idlelib/help.html: accesskey="I">index /mnt/stateful_partition/dev_image/lib/python3.8/idlelib/help.html: accesskey="N">next | /mnt/stateful_partition/dev_image/lib/python3.8/idlelib/help.html: accesskey="P">previous | /mnt/stateful_partition/dev_image/lib/python3.8/site-packages/pip/_vendor/cachecontrol/controller.py: cache_url = self.cache_url(request.url) /mnt/stateful_partition/dev_image/lib/python3.8/test/test__xxsubinterpreters.py: self.assertEqual(repr(cid), 'ChannelID(10, recv=True)') /mnt/stateful_partition/dev_image/lib/python3.8/test/test__xxsubinterpreters.py: self.assertEqual(repr(cid), 'ChannelID(10, send=True)') /mnt/stateful_partition/dev_image/lib/python3.8/test/test_urllib2net.py: u = _urlopen_with_retry(self.FTP_HOST, timeout=None) /mnt/stateful_partition/dev_image/lib/python3.8/test/test_urllib2net.py: u = _urlopen_with_retry(self.FTP_HOST, timeout=60) /mnt/stateful_partition/dev_image/lib/python3.8/test/test_urllib2net.py: with support.transient_internet(self.FTP_HOST, timeout=None): /mnt/stateful_partition/dev_image/lib/python3.8/test/test_urllib2net.py: FTP_HOST = 'ftp://www.pythontest.net/' /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/cherrypy/test/test_states.py:db_connection = Dependency(engine) /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/cache/sqlite.py: self._db_connection = self._db_module.connect( /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/data.py: env_key = 'PORTAGE_GRPNAME' /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/data.py: env_key = 'PORTAGE_USERNAME' /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/dbapi/vartree.py: env_keys = [] /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/metadata.py: portdb_porttrees = portdb.porttrees /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/util/_dyn_libs/LinkageMapELF.py: satisfied_consumer_keys = set() /mnt/stateful_partition/dev_image/lib64/python2.7/site-packages/portage/util/env_update.py: env_keys = [x for x in env if x != "LDPATH"] /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/cli/gem.rb: git_author_name = git_installed ? `git config user.name`.chomp : "" /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/cli/gem.rb: git_user_email = git_installed ? `git config user.email`.chomp : "" /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/cli/gem.rb: github_username = git_installed ? `git config github.user`.chomp : "" /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/dsl.rb: git_name = (git_names & opts.keys).last /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/dsl.rb: git_names = @git_sources.keys.map(&:to_s) /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/fetcher.rb: "CI_NAME" => ENV["CI_NAME"], /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/bundler/settings.rb: env_keys = ENV.keys.grep(/\ABUNDLE_.+/) /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/irb/extend-command.rb: alias_name = new_alias_name(base_method) /mnt/stateful_partition/dev_image/lib64/ruby/2.7.0/irb/extend-command.rb: while !same_methods.include?(alias_name = base_name + no) [+] Finding possible password in config files /etc/tcsd.conf credential. credential may have been provided to you by your TPM credential will be used. See credential. credential may have been provided to you by your TPM credential will be used. See credential. credential may have been provided to you by your TPM credential will be used. See /etc/dbus-1/system.d/org.chromium.SystemProxy.conf Credentials"/> /etc/dbus-1/system.d/org.chromium.SmbProvider.conf Credentials"/> /etc/xl2tpd/xl2tpd.conf passwd for auth. /etc/init/autologin.conf passwd= password from file. The file may optionally end with a newline. passwd" ]; then passwd="$(cat "${dir}/passwd")" passwd}" ]; then passwd}" -k enter [+] Finding 'username' string inside key folders (limit 70) /etc/init/file_attrs_cleaner_tool.conf: "Invalid obfuscated username: ${OBFUSCATED_USERNAME}" /mnt/stateful_partition/dev_image/bin/h2xs: ($username,$author) = (getpwuid($>))[0,6]; /mnt/stateful_partition/dev_image/include/glib-2.0/gio/gioenums.h: G_ASK_PASSWORD_NEED_USERNAME = (1 << 1), /mnt/stateful_partition/dev_image/include/glib-2.0/gio/gioenums.h: * @G_ASK_PASSWORD_NEED_USERNAME: operation requires a username. /mnt/stateful_partition/dev_image/include/linux/nl80211.h: * @NL80211_ATTR_FILS_ERP_USERNAME: EAP Re-authentication Protocol (ERP) /mnt/stateful_partition/dev_image/include/proto/chrome_device_policy.proto: optional ShowUserNamesOnSigninProto show_user_names = 6; /mnt/stateful_partition/dev_image/include/proto/device_management_backend.proto: optional string username = 7; /mnt/stateful_partition/dev_image/include/sasl/sasl.h: const char *prompt; /* presented to user (e.g. "Username: ") */ /mnt/stateful_partition/dev_image/include/sasl/sasl.h: * userlen -- length of username, 0 = strlen(user) /mnt/stateful_partition/dev_image/lib/crew/packages/openconnect.rb: system "echo ' read -p \"VPN Username: \" USER' >> vpnc-start" /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/CPAN/HTTP/Credentials.pm: )\nUsername:"; /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/CPAN/HTTP/Credentials.pm: $username = prompt($username_message); /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/CPAN/HTTP/Credentials.pm: my $username_message = shift; /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/CPAN/HTTP/Credentials.pm: my $username_prompt = "\nAuthentication needed! /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/CPAN/HTTP/Credentials.pm: my $username_prompt = "\nProxy authentication needed! /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Net/POP3.pm: if (ref($username) and UNIVERSAL::isa($username, 'Authen::SASL')) { /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Net/POP3.pm: my ($self, $username, $password) = @_; /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Net/SMTP.pm: if (ref($username) and UNIVERSAL::isa($username, 'Authen::SASL')) { /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/Net/SMTP.pm: my ($self, $username, $password) = @_; /mnt/stateful_partition/dev_image/lib/perl5/5.26.1/pod/perlop.pod: login( $username => $password ); /mnt/stateful_partition/dev_image/lib/perl5/site_perl/5.26.1/LWP/Authen/Ntlm.pm: my($domain, $username) = split(/\\/, $user); /mnt/stateful_partition/dev_image/lib/perl5/site_perl/5.26.1/libwww/lwptut.pod: 'username' => 'password' /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: data['name'] = raw_input('Username: ') /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: username = raw_input('Username: ') /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: username: fred /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: self.username = config['username'] /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: username = password = '' /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/register.py: username = self.username /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/upload.py: self.username = config['username'] /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/upload.py: auth = "Basic " + standard_b64encode(self.username + ":" + /mnt/stateful_partition/dev_image/lib/python2.7/distutils/command/upload.py: self.username = '' /mnt/stateful_partition/dev_image/lib/python2.7/distutils/config.py: current['username'] = config.get(server, 'username') /mnt/stateful_partition/dev_image/lib/python2.7/distutils/config.py: return {'username': config.get(server, 'username'), /mnt/stateful_partition/dev_image/lib/python2.7/distutils/config.py:username:%s /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_config.py:username:me /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_config.py:username:meagain /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_config.py:username:tarek /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_register.py:username:me /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_register.py:username:tarek /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_upload.py:username:me /mnt/stateful_partition/dev_image/lib/python2.7/distutils/tests/test_upload.py:username:meagain /mnt/stateful_partition/dev_image/lib/python2.7/logging/handlers.py: self.username = None /mnt/stateful_partition/dev_image/lib/python2.7/logging/handlers.py: self.username, self.password = credentials /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_internal/download.py: username = username or "" /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_internal/download.py: username, password = index_url_user_password /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_internal/download.py: username = ask_input("User for %s: " % netloc) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_internal/download.py: username, password = url_user_password /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_internal/vcs/versioncontrol.py: username, password = user_pass /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/distlib/index.py: self.username = cfg.get('username') /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/distlib/util.py: username = prefix /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/distlib/util.py: username, password = prefix.split(':', 1) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/distlib/util.py: username = unquote(username) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/distlib/util.py: username = password = None /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py: username=username, /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py: username, password = get_auth_from_url(proxy) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/auth.py: self.username = username /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/auth.py: username = str(username) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/auth.py: username = username.encode('latin1') /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py: username, password = None, None /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/urllib3/contrib/socks.py: username, password = split /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/pip/_vendor/urllib3/contrib/socks.py: 'username': username, /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/setuptools/package_index.py: creds = " --username=" + auth /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/setuptools/package_index.py: return '%(username)s:%(password)s' % vars(self) /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/setuptools/package_index.py: self.username = username /mnt/stateful_partition/dev_image/lib/python2.7/site-packages/setuptools/package_index.py: >>> long_auth = 'username:' + 'password'*10 /mnt/stateful_partition/dev_image/lib/python2.7/test/test_httpservers.py: base64.b64encode('username:pass')} /mnt/stateful_partition/dev_image/lib/python2.7/test/test_imaplib.py: username = 'anonymous' /mnt/stateful_partition/dev_image/lib/python2.7/test/test_urllib2_localnet.py: HA1_str = "%(username)s:%(realm)s:%(password)s" % final_dict /mnt/stateful_partition/dev_image/lib/python2.7/urllib.py: user = raw_input("Enter username for %s at %s: " % (realm, /mnt/stateful_partition/dev_image/lib/python2.7/urllib2.py: base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \ [+] Searching specific hashes inside files - less false positives (limit 70)