m.555lu.co/vlist.php_vunlhub-DC-1-LinuxSuid提权

1 [00;31m######################################################### [00m

2 [00;31m#[00m [00;33mLocal Linux Enumeration & Privilege Escalation Script [00m [00;31m# [00m

3 [00;31m######################################################### [00m

4 [00;33m#www.rebootuser.com [00m

5 [00;33m#version 0.95 [00m

6

7 [-] Debug Info8 [00;33m[+] Thorough tests =Disabled [00m9

10

11 [00;33mScan started at:

12 Tue May 7 01:08:48 AEST 2019

13 [00m14

15 [00;33m### SYSTEM ############################################## [00m

16 [00;31m[-] Kernel information:[00m17 Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux

18

19

20 [00;31m[-] Kernel information (continued):[00m21 Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1

22

23

24 [00;31m[-] Specific release information:[00m25 PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"

26 NAME="Debian GNU/Linux"

27 VERSION_ID="7"

28 VERSION="7 (wheezy)"

29 ID=debian30 ANSI_COLOR="1;31"

31 HOME_URL="http://www.debian.org/"

32 SUPPORT_URL="http://www.debian.org/support/"

33 BUG_REPORT_URL="http://bugs.debian.org/"

34

35

36 [00;31m[-] Hostname:[00m37 DC-1

38

39

40 [00;33m### USER/GROUP ########################################## [00m

41 [00;31m[-] Current user/group info:[00m42 uid=33(www-data) gid=33(www-data) groups=33(www-data)43

44

45 [00;31m[-] Users that have previously logged onto the system:[00m46 Username Port From Latest47 root tty1 Thu Feb 28 12:10:51 +1000 2019

48

49

50 [00;31m[-] Who else is logged on:[00m51 01:08:48 up 1:00, 0 users, load average: 0.00, 0.00, 0.00

52 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT53

54

55 [00;31m[-] Group memberships:[00m56 uid=0(root) gid=0(root) groups=0(root)57 uid=1(daemon) gid=1(daemon) groups=1(daemon)58 uid=2(bin) gid=2(bin) groups=2(bin)59 uid=3(sys) gid=3(sys) groups=3(sys)60 uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)61 uid=5(games) gid=60(games) groups=60(games)62 uid=6(man) gid=12(man) groups=12(man)63 uid=7(lp) gid=7(lp) groups=7(lp)64 uid=8(mail) gid=8(mail) groups=8(mail)65 uid=9(news) gid=9(news) groups=9(news)66 uid=10(uucp) gid=10(uucp) groups=10(uucp)67 uid=13(proxy) gid=13(proxy) groups=13(proxy)68 uid=33(www-data) gid=33(www-data) groups=33(www-data)69 uid=34(backup) gid=34(backup) groups=34(backup)70 uid=38(list) gid=38(list) groups=38(list)71 uid=39(irc) gid=39(irc) groups=39(irc)72 uid=41(gnats) gid=41(gnats) groups=41(gnats)73 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)74 uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)75 uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)76 uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)77 uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)78 uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)79 uid=105(mysql) gid=109(mysql) groups=109(mysql)80 uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)81

82

83 [00;31m[-] Contents of /etc/passwd:[00m84 root:x:0:0:root:/root:/bin/bash85 daemon:x:1:1:daemon:/usr/sbin:/bin/sh86 bin:x:2:2:bin:/bin:/bin/sh87 sys:x:3:3:sys:/dev:/bin/sh88 sync:x:4:65534:sync:/bin:/bin/sync89 games:x:5:60:games:/usr/games:/bin/sh90 man:x:6:12:man:/var/cache/man:/bin/sh91 lp:x:7:7:lp:/var/spool/lpd:/bin/sh92 mail:x:8:8:mail:/var/mail:/bin/sh93 news:x:9:9:news:/var/spool/news:/bin/sh94 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh95 proxy:x:13:13:proxy:/bin:/bin/sh96 www-data:x:33:33:www-data:/var/www:/bin/sh97 backup:x:34:34:backup:/var/backups:/bin/sh98 list:x:38:38:Mailing List Manager:/var/list:/bin/sh99 irc:x:39:39:ircd:/var/run/ircd:/bin/sh100 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh101 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh102 libuuid:x:100:101::/var/lib/libuuid:/bin/sh103 Debian-exim:x:101:104::/var/spool/exim4:/bin/false

104 statd:x:102:65534::/var/lib/nfs:/bin/false

105 messagebus:x:103:107::/var/run/dbus:/bin/false

106 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin107 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false

108 flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash109

110

111 [00;31m[-] Super user account(s):[00m112 root113

114

115 [00;31m[-] Are permissions on /home directories lax:[00m116 total 12K117 drwxr-xr-x 3 root root 4.0K Feb 19 23:51 .

118 drwxr-xr-x 23 root root 4.0K Feb 19 22:34 ..

119 drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 23:28flag4120

121

122 [00;31m[-] Root is allowed to login via SSH:[00m123 PermitRootLogin yes124

125

126 [00;33m### ENVIRONMENTAL ####################################### [00m

127 [00;31m[-] Environment information:[00m128 APACHE_PID_FILE=/var/run/apache2.pid129 APACHE_RUN_USER=www-data130 APACHE_LOG_DIR=/var/log/apache2131 PATH=/usr/local/bin:/usr/bin:/bin132 PWD=/var/www133 APACHE_RUN_GROUP=www-data134 LANG=C135 SHLVL=1

136 APACHE_LOCK_DIR=/var/lock/apache2137 APACHE_RUN_DIR=/var/run/apache2138 _=/usr/bin/env139

140

141 [00;31m[-] Path information:[00m142 /usr/local/bin:/usr/bin:/bin143

144

145 [00;31m[-] Available shells:[00m146 #/etc/shells: valid login shells

147 /bin/sh148 /bin/dash149 /bin/bash150 /bin/rbash151

152

153 [00;31m[-] Current umask value:[00m154 0022

155 u=rwx,g=rx,o=rx156

157

158 [00;31m[-] umask value as specified in /etc/login.defs:[00m159 UMASK 022

160

161

162 [00;31m[-] Password and storage information:[00m163 PASS_MAX_DAYS 99999

164 PASS_MIN_DAYS 0

165 PASS_WARN_AGE 7

166 ENCRYPT_METHOD SHA512167

168

169 [00;33m### JOBS/TASKS ########################################## [00m

170 [00;31m[-] Cron jobs:[00m171 -rw-r--r-- 1 root root 722 Jul 4 2012 /etc/crontab172

173 /etc/cron.d:

174 total 16

175 drwxr-xr-x 2 root root 4096 Feb 19 23:01 .

176 drwxr-xr-x 85 root root 4096 May 7 00:08 ..

177 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder178 -rw-r--r-- 1 root root 510 May 10 2018php5179

180 /etc/cron.daily:

181 total 68

182 drwxr-xr-x 2 root root 4096 Feb 19 23:01 .

183 drwxr-xr-x 85 root root 4096 May 7 00:08 ..

184 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder185 -rwxr-xr-x 1 root root 633 May 30 2018apache2186 -rwxr-xr-x 1 root root 14985 Oct 24 2014apt187 -rwxr-xr-x 1 root root 314 Nov 5 2012aptitude188 -rwxr-xr-x 1 root root 355 Jun 11 2012bsdmainutils189 -rwxr-xr-x 1 root root 256 May 3 2016dpkg190 -rwxr-xr-x 1 root root 4125 Feb 11 2018 exim4-base191 -rwxr-xr-x 1 root root 89 May 17 2012logrotate192 -rwxr-xr-x 1 root root 1365 Jun 19 2012 man-db193 -rwxr-xr-x 1 root root 606 Sep 25 2010mlocate194 -rwxr-xr-x 1 root root 249 May 26 2012passwd195

196 /etc/cron.hourly:

197 total 12

198 drwxr-xr-x 2 root root 4096 Feb 19 22:25 .

199 drwxr-xr-x 85 root root 4096 May 7 00:08 ..

200 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder201

202 /etc/cron.monthly:

203 total 12

204 drwxr-xr-x 2 root root 4096 Feb 19 22:25 .

205 drwxr-xr-x 85 root root 4096 May 7 00:08 ..

206 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder207

208 /etc/cron.weekly:

209 total 16

210 drwxr-xr-x 2 root root 4096 Feb 19 22:25 .

211 drwxr-xr-x 85 root root 4096 May 7 00:08 ..

212 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder213 -rwxr-xr-x 1 root root 907 Jun 19 2012 man-db214

215

216 [00;31m[-] Crontab contents:[00m217 #/etc/crontab: system-wide crontab

218 #Unlike any other crontab you don't have to run the `crontab'

219 #command to install the new version when you edit this file

220 #and files in /etc/cron.d. These files also have username fields,

221 #that none of the other crontabs do.

222

223 SHELL=/bin/sh224 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin225

226 #m h dom mon dow user command

227 17 * * * * root cd / && run-parts --report /etc/cron.hourly228 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )229 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )230 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )231 #232

233

234 [00;33m### NETWORKING ########################################## [00m

235 [00;31m[-] Network and IP info:[00m236 eth0 Link encap:Ethernet HWaddr 00:0c:29:d1:f4:98

237 inet addr:192.168.16.107 Bcast:192.168.16.255 Mask:255.255.255.0

238 inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link239 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

240 RX packets:8702 errors:0 dropped:0 overruns:0 frame:0

241 TX packets:3009 errors:0 dropped:0 overruns:0 carrier:0

242 collisions:0 txqueuelen:1000

243 RX bytes:1325354 (1.2 MiB) TX bytes:1103771 (1.0MiB)244

245 lo Link encap:Local Loopback246 inet addr:127.0.0.1 Mask:255.0.0.0

247 inet6 addr: ::1/128 Scope:Host248 UP LOOPBACK RUNNING MTU:16436 Metric:1

249 RX packets:50 errors:0 dropped:0 overruns:0 frame:0

250 TX packets:50 errors:0 dropped:0 overruns:0 carrier:0

251 collisions:0 txqueuelen:0

252 RX bytes:4852 (4.7 KiB) TX bytes:4852 (4.7KiB)253

254

255 [00;31m[-] ARP history:[00m256 192.168.16.254 dev eth0 lladdr 00:22:aa:d0:dd:95REACHABLE257 192.168.16.112 dev eth0 lladdr f0:18:98:6b:ed:5b REACHABLE258

259

260 [00;31m[-] Nameserver(s):[00m261 nameserver 192.168.16.254

262 nameserver 0.0.0.0

263

264

265 [00;31m[-] Default route:[00m266 default via 192.168.16.254dev eth0267

268

269 [00;31m[-] Listening TCP:[00m270 Active Internet connections (servers and established)271 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name272 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -

273 tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -

274 tcp 0 0 0.0.0.0:40858 0.0.0.0:* LISTEN -

275 tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -

276 tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -

277 tcp 0 480 192.168.16.107:33469 192.168.16.112:4444 ESTABLISHED 3406/php278 tcp6 0 0 :::22 :::* LISTEN -

279 tcp6 0 0 ::1:25 :::* LISTEN -

280 tcp6 0 0 :::34190 :::* LISTEN -

281 tcp6 0 0 :::111 :::* LISTEN -

282 tcp6 0 0 :::80 :::* LISTEN -

283 tcp6 0 0 192.168.16.107:80 192.168.16.112:52090 TIME_WAIT -

284 tcp6 1 0 192.168.16.107:80 192.168.16.112:63539 CLOSE_WAIT -

285

286

287 [00;31m[-] Listening UDP:[00m288 Active Internet connections (servers and established)289 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name290 udp 0 0 0.0.0.0:59942 0.0.0.0:* -

291 udp 0 0 0.0.0.0:68 0.0.0.0:* -

292 udp 0 0 0.0.0.0:111 0.0.0.0:* -

293 udp 0 0 0.0.0.0:769 0.0.0.0:* -

294 udp 0 0 127.0.0.1:801 0.0.0.0:* -

295 udp 0 0 0.0.0.0:21881 0.0.0.0:* -

296 udp6 0 0 :::52815 :::* -

297 udp6 0 0 :::28256 :::* -

298 udp6 0 0 :::111 :::* -

299 udp6 0 0 :::769 :::* -

300

301

302 [00;33m### SERVICES ############################################# [00m

303 [00;31m[-] Running processes:[00m304 USER PID %CPU %MEM VSZ RSS TTY STAT START TIMECOMMAND305 root 1 0.0 0.0 2296 780 ? Ss 00:08 0:01 init [2]306 root 2 0.0 0.0 0 0 ? S 00:08 0:00[kthreadd]307 root 3 0.0 0.0 0 0 ? S 00:08 0:00 [ksoftirqd/0]308 root 4 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/0:0]309 root 6 0.0 0.0 0 0 ? S 00:08 0:00 [watchdog/0]310 root 7 0.0 0.0 0 0 ? S< 00:08 0:00[cpuset]311 root 8 0.0 0.0 0 0 ? S< 00:08 0:00[khelper]312 root 9 0.0 0.0 0 0 ? S 00:08 0:00[kdevtmpfs]313 root 10 0.0 0.0 0 0 ? S< 00:08 0:00[netns]314 root 11 0.0 0.0 0 0 ? S 00:08 0:00[sync_supers]315 root 12 0.0 0.0 0 0 ? S 00:08 0:00 [bdi-default]316 root 13 0.0 0.0 0 0 ? S< 00:08 0:00[kintegrityd]317 root 14 0.0 0.0 0 0 ? S< 00:08 0:00[kblockd]318 root 15 0.0 0.0 0 0 ? S 00:08 0:00[khungtaskd]319 root 16 0.0 0.0 0 0 ? S 00:08 0:00[kswapd0]320 root 17 0.0 0.0 0 0 ? SN 00:08 0:00[ksmd]321 root 18 0.0 0.0 0 0 ? S 00:08 0:00[fsnotify_mark]322 root 19 0.0 0.0 0 0 ? S< 00:08 0:00[crypto]323 root 95 0.0 0.0 0 0 ? S 00:08 0:00[khubd]324 root 105 0.0 0.0 0 0 ? S< 00:08 0:00[ata_sff]325 root 115 0.0 0.0 0 0 ? S 00:08 0:00[scsi_eh_0]326 root 125 0.0 0.0 0 0 ? S 00:08 0:00[scsi_eh_1]327 root 134 0.0 0.0 0 0 ? S 00:08 0:00[scsi_eh_2]328 root 135 0.0 0.0 0 0 ? S 00:08 0:00[scsi_eh_3]329 root 136 0.0 0.0