LinPEAS Output
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-90-generic (buildd@lgw01-amd64-054) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021
User & Groups: uid=1001(paul) gid=1001(paul) groups=1001(paul)
Hostname: routerspace.htb
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 5.4.0-90-generic (buildd@lgw01-amd64-054) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
./linpeas.sh: 1192: [[: not found
./linpeas.sh: 1192: rpm: not found
./linpeas.sh: 1192: 0: not found
./linpeas.sh: 1202: [[: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
╔══════════╣ Date & uptime
Tue 03 May 2022 11:49:35 AM UTC
11:49:35 up 10:05, 1 user, load average: 0.40, 0.10, 0.03
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
/dev/disk/by-id/dm-uuid-LVM-9nXgbzHi48m4NorDEO40LZauWKiumJfKXXGpzjLXc6qZhjb1e8rIgPJfJXbsU5uk / ext4 defaults 0 1
/dev/disk/by-uuid/3276aed8-a746-4835-bd04-9038906661b5 /boot ext4 defaults 0 1
/dev/mapper/ubuntu--vg-swap none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
USER=paul
SSH_CLIENT=10.10.14.6 40856 22
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/paul
SSH_TTY=/dev/pts/0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=paul
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=16
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/paul
SSH_CONNECTION=10.10.14.6 40856 10.10.11.148 22
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 677 0.0 0.0 2488 512 ? S 01:44 0:00 _ bpfilter_umh
root 1 0.0 0.5 101560 11156 ? Ss 01:44 0:02 /sbin/init auto automatic-ubiquity noprompt
root 475 0.0 1.6 108636 33940 ? S<s 01:44 0:08 /lib/systemd/systemd-journald
root 502 0.0 0.2 21384 5356 ? Ss 01:44 0:01 /lib/systemd/systemd-udevd
root 643 0.0 0.9 345816 18220 ? SLsl 01:44 0:17 /sbin/multipathd -d -s
systemd+ 681 0.0 0.3 90228 6064 ? Ssl 01:44 0:02 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 686 0.0 0.5 47536 10464 ? Ss 01:44 0:00 /usr/bin/VGAuthService
root 687 0.0 0.3 161984 7724 ? S<sl 01:44 0:34 /usr/bin/vmtoolsd
root 703 0.0 0.4 239296 9228 ? Ssl 01:44 0:02 /usr/lib/accountsservice/accounts-daemon
message+ 705 0.0 0.2 7488 4644 ? Ss 01:44 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 714 0.0 0.1 81960 3764 ? Ssl 01:44 0:01 /usr/sbin/irqbalance --foreground
root 715 0.0 0.8 29072 17964 ? Ss 01:44 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog 723 0.0 0.2 224320 5540 ? Ssl 01:44 0:01 /usr/sbin/rsyslogd -n -iNONE
root 724 0.0 0.3 16888 7928 ? Ss 01:44 0:00 /lib/systemd/systemd-logind
root 729 0.0 0.6 394836 13604 ? Ssl 01:44 0:00 /usr/lib/udisks2/udisksd
systemd+ 756 0.0 0.3 18408 7700 ? Ss 01:44 0:00 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root 820 0.0 0.4 236440 8972 ? Ssl 01:44 0:00 /usr/lib/policykit-1/polkitd --no-debug
systemd+ 853 0.0 0.6 23896 12240 ? Ss 01:44 0:13 /lib/systemd/systemd-resolved
root 872 0.0 0.1 6812 2856 ? Ss 01:44 0:00 /usr/sbin/cron -f
daemon 883 0.0 0.1 3792 2272 ? Ss 01:44 0:00 /usr/sbin/atd -f
paul 16261 0.0 0.2 13932 5880 ? S 11:34 0:00 _ sshd: paul@pts/0
paul 16262 0.0 0.2 8272 5136 pts/0 Ss 11:34 0:00 _ -bash
paul 17769 0.4 0.1 3684 2836 pts/0 S+ 11:49 0:00 _ /bin/sh ./linpeas.sh
paul 20541 0.0 0.0 3684 1108 pts/0 S+ 11:49 0:00 _ /bin/sh ./linpeas.sh
paul 20543 0.0 0.1 9224 3712 pts/0 R+ 11:49 0:00 | _ ps fauxwww
paul 20545 0.0 0.0 3684 1108 pts/0 S+ 11:49 0:00 _ /bin/sh ./linpeas.sh
root 894 0.0 0.0 5828 1856 tty1 Ss+ 01:44 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
paul 901 0.0 2.9 622996 58520 ? Ssl 01:44 0:17 PM2 v5.1.2: God Daemon (/home/paul/.pm2)
└─(Caps) 0x0000000000000400=cap_net_bind_service
paul 928 0.2 3.3 635052 66900 ? Ssl 01:44 1:16 _ node /opt/www/public/routerspace/index.js
└─(Caps) 0x0000000000000400=cap_net_bind_service
root 8462 0.0 0.4 241220 8876 ? Ssl 06:27 0:00 /usr/lib/upower/upowerd
paul 16135 0.0 0.4 18388 9604 ? Ss 11:34 0:00 /lib/systemd/systemd --user
paul 16137 0.0 0.1 102920 3180 ? S 11:34 0:00 _ (sd-pam)
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 189 Aug 24 2021 popularity-contest
/etc/cron.daily:
total 48
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 May 14 2021 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 403 Aug 5 2021 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2022-05-03 15:30:05 UTC 3h 40min left Tue 2022-05-03 03:01:36 UTC 8h ago ua-messaging.timer ua-messaging.service
Tue 2022-05-03 19:11:28 UTC 7h left Tue 2022-05-03 09:33:03 UTC 2h 16min ago motd-news.timer motd-news.service
Tue 2022-05-03 22:45:28 UTC 10h left Tue 2022-05-03 07:13:11 UTC 4h 36min ago apt-daily.timer apt-daily.service
Wed 2022-05-04 00:00:00 UTC 12h left Tue 2022-05-03 01:44:28 UTC 10h ago logrotate.timer logrotate.service
Wed 2022-05-04 00:00:00 UTC 12h left Tue 2022-05-03 01:44:28 UTC 10h ago man-db.timer man-db.service
Wed 2022-05-04 00:23:13 UTC 12h left Tue 2022-05-03 06:27:03 UTC 5h 22min ago fwupd-refresh.timer fwupd-refresh.service
Wed 2022-05-04 01:59:23 UTC 14h left Tue 2022-05-03 01:59:23 UTC 9h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Wed 2022-05-04 06:03:26 UTC 18h left Tue 2022-05-03 06:22:03 UTC 5h 27min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sun 2022-05-08 03:10:01 UTC 4 days left Tue 2022-05-03 01:45:17 UTC 10h ago e2scrub_all.timer e2scrub_all.service
Mon 2022-05-09 00:00:00 UTC 5 days left Tue 2022-05-03 01:44:28 UTC 10h ago fstrim.timer fstrim.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
/home/paul/.pm2/pub.sock
└─(Read Write)
/home/paul/.pm2/rpc.sock
└─(Read Write)
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
└─(Read Write)
/run/irqbalance//irqbalance714.sock
└─(Read )
/run/irqbalance/irqbalance714.sock
└─(Read )
/run/lvm/lvmpolld.socket
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/user/1001/bus
└─(Read Write)
/run/user/1001/gnupg/S.dirmngr
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1001/pk-debconf-socket
└─(Read Write)
/run/user/1001/systemd/notify
└─(Read Write)
/run/user/1001/systemd/private
└─(Read Write)
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 681 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.1 729 udisksd root :1.1 udisks2.service - -
:1.15 8462 upowerd root :1.15 upower.service - -
:1.18 16135 systemd paul :1.18 user@1001.service - -
:1.2 703 accounts-daemon root :1.2 accounts-daemon.service - -
:1.3 1 systemd root :1.3 init.scope - -
:1.39 23304 busctl paul :1.39 session-16.scope 16 -
:1.4 820 polkitd root :1.4 polkit.service - -
:1.5 756 systemd-network systemd-network :1.5 systemd-networkd.service - -
:1.6 715 networkd-dispat root :1.6 networkd-dispatcher.service - -
:1.7 724 systemd-logind root :1.7 systemd-logind.service - -
:1.8 853 systemd-resolve systemd-resolve :1.8 systemd-resolved.service - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts 703 accounts-daemon root :1.2 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 820 polkitd root :1.4 polkit.service - -
org.freedesktop.UDisks2 729 udisksd root :1.1 udisks2.service - -
org.freedesktop.UPower 8462 upowerd root :1.15 upower.service - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 724 systemd-logind root :1.7 systemd-logind.service - -
org.freedesktop.network1 756 systemd-network systemd-network :1.5 systemd-networkd.service - -
org.freedesktop.resolve1 853 systemd-resolve systemd-resolve :1.8 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.3 init.scope - -
org.freedesktop.thermald - - - (activatable) - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 681 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
routerspace.htb
127.0.0.1 localhost
127.0.1.1 routerspace.htb routerspace
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0 trust-ad
htb
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.148 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:65e0 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:65e0 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:65:e0 txqueuelen 1000 (Ethernet)
RX packets 8511 bytes 1671635 (1.6 MB)
RX errors 0 dropped 96 overruns 0 frame 0
TX packets 1547 bytes 364666 (364.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 14726 bytes 1075882 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14726 bytes 1075882 (1.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1001(paul) gid=1001(paul) groups=1001(paul)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Sorry, try again.
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
paul:x:1001:1001:,,,:/home/paul:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1001(paul) gid=1001(paul) groups=1001(paul)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=112(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=9(news) gid=9(news) groups=9(news)
╔══════════╣ Login now
11:49:42 up 10:05, 1 user, load average: 0.45, 0.11, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
paul pts/0 10.10.14.6 11:34 19.00s 0.13s 0.00s w
╔══════════╣ Last logons
paul pts/0 Sat Nov 20 18:26:02 2021 - Sat Nov 20 18:26:27 2021 (00:00) 192.168.150.133
h4rithd pts/0 Sat Nov 20 18:25:50 2021 - Sat Nov 20 18:25:54 2021 (00:00) 192.168.150.133
h4rithd pts/0 Sat Nov 20 18:20:14 2021 - Sat Nov 20 18:25:45 2021 (00:05) 192.168.150.133
h4rithd pts/1 Sat Nov 20 17:40:53 2021 - Sat Nov 20 18:20:02 2021 (00:39) 192.168.150.133
paul pts/1 Sat Nov 20 17:38:12 2021 - Sat Nov 20 17:38:15 2021 (00:00) 0.0.0.0
h4rithd pts/0 Sat Nov 20 16:55:08 2021 - Sat Nov 20 17:45:51 2021 (00:50) 192.168.150.1
h4rithd tty1 Sat Nov 20 16:53:43 2021 - down (01:50) 0.0.0.0
reboot system boot Sat Nov 20 16:52:07 2021 - Sat Nov 20 18:44:21 2021 (01:52) 0.0.0.0
wtmp begins Sat Nov 20 16:52:07 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Mon Feb 21 20:03:42 +0000 2022
paul pts/0 10.10.14.6 Tue May 3 11:34:42 +0000 2022
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler
ii gcc-9 9.3.0-17ubuntu1~20.04 amd64 GNU C compiler
/usr/bin/gcc
╔══════════╣ Searching mysql credentials and exec
Potential file containing credentials:
-rw-r--r-- 1 root root 641 May 19 2020 /etc/apparmor.d/abstractions/mysql
# ------------------------------------------------------------------
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2013 Christian Boltz
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
/var/lib/mysql{,d}/mysql{,d}.sock rw,
/{var/,}run/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Feb 17 18:30 /etc/ldap
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 paul paul 1126 May 3 11:34 /home/paul/.ssh/authorized_keys
ssh-rsa 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 root@kali
ssh-rsa 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 root@kali
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd/LVFS-CA.pem
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/var/lib/fwupd/pki/client.pem
17769PSTORAGE_CERTSBIN
══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb 17 18:30 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jul 23 2021 /etc/pam.d/sshd
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Aug 24 2021 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 2 root root 4096 Nov 17 06:46 /opt/www/public/routerspace/node_modules/balanced-match/.github
drwxr-xr-x 3 root root 4096 Feb 17 18:30 /usr/local/lib/node_modules/pm2/node_modules/ast-types/.github
drwxr-xr-x 2 root root 4096 Nov 20 17:06 /usr/local/lib/node_modules/pm2/node_modules/balanced-match/.github
drwxr-xr-x 2 root root 4096 Nov 20 17:06 /usr/local/lib/node_modules/pm2/node_modules/moment-timezone/.github
drwxr-xr-x 3 root root 4096 Nov 20 17:06 /usr/local/lib/node_modules/pm2/node_modules/proxy-agent/.github
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 paul paul 1200 Nov 20 19:45 /home/paul/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2274 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
drwx------ 3 paul paul 4096 May 3 11:49 /home/paul/.gnupg
╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
-rw-r--r-- 1 root root 477 Nov 19 2020 /usr/local/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 paul paul 3771 Nov 20 17:32 /home/paul/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 paul paul 823 Nov 20 18:30 /home/paul/.profile
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 67K Jul 21 2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K Jul 14 2021 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 52K Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 84K Jul 14 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 55K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 14 2021 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 39K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 163K Feb 3 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 87K Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Jul 23 2021 /usr/lib/openssh/ssh-keysign
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 31K Jul 14 2021 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root shadow 83K Jul 14 2021 /usr/bin/chage
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 343K Jul 23 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 35K Jul 21 2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: =
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Shell capabilities:
0x0000000000000000=
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/node = cap_net_bind_service+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh
╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x 3 root root 4096 Nov 20 17:12 .
drwxr-xr-x 19 root root 4096 Feb 17 18:30 ..
drwxr-xr-x 3 root root 4096 Nov 20 17:12 www
╔══════════╣ Unexpected in root
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files
total 32
drwxr-xr-x 2 root root 4096 Feb 17 18:30 .
drwxr-xr-x 101 root root 4096 Feb 21 20:04 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh
-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh
-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/paul/.bash_history
/home/paul/user.txt
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/paul
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service
/sys/fs/cgroup/unified/user.slice/user-1001.slice/user@1001.service
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-r--r----- 1 root paul 33 May 3 01:44 /home/paul/user.txt
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/syslog
/var/log/auth.log
/var/log/kern.log
/var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/system.journal
/var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/user-1001.journal
╔══════════╣ Writable log files (logrotten) (limit 100)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
Writable: /home/paul/.pm2/pm2.log
Writable: /home/paul/.pm2/logs/index-out.log
Writable: /home/paul/.pm2/logs/index-error.log
╔══════════╣ Files inside /home/paul (limit 20)
total 808
drwxr-xr-x 8 paul paul 4096 May 3 11:44 .
drwxr-xr-x 3 root root 4096 Feb 17 18:30 ..
lrwxrwxrwx 1 root root 9 Nov 20 19:32 .bash_history -> /dev/null
-rw-r--r-- 1 paul paul 220 Nov 20 17:32 .bash_logout
-rw-r--r-- 1 paul paul 3771 Nov 20 17:32 .bashrc
drwx------ 2 paul paul 4096 Feb 17 18:30 .cache
drwx------ 3 paul paul 4096 May 3 11:49 .gnupg
-rwxrwx--- 1 paul paul 776167 May 3 11:44 linpeas.sh
drwxrwxr-x 3 paul paul 4096 Feb 17 18:30 .local
drwxrwxr-x 5 paul paul 4096 May 3 01:44 .pm2
-rw-r--r-- 1 paul paul 823 Nov 20 18:30 .profile
drwxr-xr-x 3 paul paul 4096 Feb 17 18:30 snap
drwx------ 2 paul paul 4096 May 3 01:45 .ssh
-r--r----- 1 root paul 33 May 3 01:44 user.txt
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-90/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237895 Oct 15 2021 /usr/src/linux-headers-5.4.0-90-generic/.config.old
-rw-r--r-- 1 root root 0 Oct 15 2021 /usr/src/linux-headers-5.4.0-90-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Oct 15 2021 /usr/src/linux-headers-5.4.0-90-generic/include/config/net/team/mode/activebackup.h
-rwxr-xr-x 1 root root 1513 Jan 25 2020 /usr/share/doc/libipc-system-simple-perl/examples/rsync-backup.pl
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 11070 Nov 20 16:45 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 1775 Feb 25 2021 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1403 Aug 24 2021 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 43888 Mar 9 2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9073 Oct 15 2021 /usr/lib/modules/5.4.0-90-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Oct 15 2021 /usr/lib/modules/5.4.0-90-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 2743 Aug 24 2021 /etc/apt/sources.list.curtin.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
╔══════════╣ Web files?(output limit)
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 7202 Mar 25 2020 /usr/share/npm/node_modules/es-to-primitive/.travis.yml
-rw-r--r-- 1 root root 286 Mar 25 2020 /usr/share/npm/node_modules/es-to-primitive/.editorconfig
-rw-r--r-- 1 root root 4130 Mar 25 2020 /usr/share/npm/node_modules/es-to-primitive/.jscs.json
-rw-r--r-- 1 root root 38 Mar 25 2020 /usr/share/npm/node_modules/qrcode-terminal/.travis.yml
-rw-r--r-- 1 root root 6965 Mar 25 2020 /usr/share/npm/node_modules/es-abstract/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25 2020 /usr/share/npm/node_modules/es-abstract/.editorconfig
-rw-r--r-- 1 root root 234 Mar 25 2020 /usr/share/npm/node_modules/es-abstract/.nycrc
-rw-r--r-- 1 root root 4003 Mar 25 2020 /usr/share/npm/node_modules/es-abstract/.jscs.json
-rw-r--r-- 1 root root 309 Mar 25 2020 /usr/share/npm/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 152 Mar 25 2020 /usr/share/npm/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Mar 25 2020 /usr/share/npm/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 2261 Mar 25 2020 /usr/share/npm/node_modules/has-symbols/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25 2020 /usr/share/npm/node_modules/libnpmpublish/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25 2020 /usr/share/npm/node_modules/libnpmaccess/.travis.yml
-rw-r--r-- 1 root root 69 Mar 25 2020 /usr/share/npm/node_modules/util-promisify/.travis.yml
-rw-r--r-- 1 root root 189 Mar 25 2020 /usr/share/npm/node_modules/read-installed/.travis.yml
-rw-r--r-- 1 root root 105 Mar 25 2020 /usr/share/npm/node_modules/path-parse/.travis.yml
-rw-r--r-- 1 root root 185 Mar 25 2020 /usr/share/npm/node_modules/socks/.travis.yml
-rw-r--r-- 1 root root 84 Mar 25 2020 /usr/share/npm/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 1151 Mar 25 2020 /usr/share/npm/node_modules/is-date-object/.travis.yml
-rw-r--r-- 1 root root 2878 Mar 25 2020 /usr/share/npm/node_modules/is-date-object/.jscs.json
-rw-r--r-- 1 root root 4770 Mar 25 2020 /usr/share/npm/node_modules/is-regex/.travis.yml
-rw-r--r-- 1 root root 4140 Mar 25 2020 /usr/share/npm/node_modules/is-regex/.jscs.json
-rw-r--r-- 1 root root 108 Mar 25 2020 /usr/share/npm/node_modules/fast-json-stable-stringify/.travis.yml
-rw-r--r-- 1 root root 1959 Mar 25 2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25 2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.editorconfig
-rw-r--r-- 1 root root 4140 Mar 25 2020 /usr/share/npm/node_modules/object.getownpropertydescriptors/.jscs.json
-rw-r--r-- 1 root root 72 Mar 25 2020 /usr/share/npm/node_modules/libnpmorg/.travis.yml
-rw-r--r-- 1 root root 300 Mar 25 2020 /usr/share/npm/node_modules/socks-proxy-agent/node_modules/agent-base/.travis.yml
-rw-r--r-- 1 root root 284 Mar 25 2020 /usr/share/npm/node_modules/socks-proxy-agent/.travis.yml
-rw-r--r-- 1 root root 292 Mar 25 2020 /usr/share/npm/node_modules/http-proxy-agent/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25 2020 /usr/share/npm/node_modules/libnpmsearch/.travis.yml
-rw-r--r-- 1 root root 6738 Mar 25 2020 /usr/share/npm/node_modules/is-callable/.travis.yml
-rw-r--r-- 1 root root 993 Mar 25 2020 /usr/share/npm/node_modules/is-callable/.istanbul.yml
-rw-r--r-- 1 root root 286 Mar 25 2020 /usr/share/npm/node_modules/is-callable/.editorconfig
-rw-r--r-- 1 root root 4128 Mar 25 2020 /usr/share/npm/node_modules/is-callable/.jscs.json
-rw-r--r-- 1 root root 111 Mar 25 2020 /usr/share/npm/node_modules/dezalgo/.travis.yml
-rw-r--r-- 1 root root 127 Mar 25 2020 /usr/share/npm/node_modules/worker-farm/.travis.yml
-rw-r--r-- 1 root root 277 Mar 25 2020 /usr/share/npm/node_modules/worker-farm/.editorconfig
-rw-r--r-- 1 root root 7236 Mar 25 2020 /usr/share/npm/node_modules/is-symbol/.travis.yml
-rw-r--r-- 1 root root 276 Mar 25 2020 /usr/share/npm/node_modules/is-symbol/.editorconfig
-rw-r--r-- 1 root root 5 Mar 25 2020 /usr/share/npm/node_modules/is-symbol/.nvmrc
-rw-r--r-- 1 root root 4128 Mar 25 2020 /usr/share/npm/node_modules/is-symbol/.jscs.json
-rw-r--r-- 1 root root 139 Mar 25 2020 /usr/share/npm/node_modules/unique-slug/.travis.yml
-rw-r--r-- 1 root root 72 Mar 25 2020 /usr/share/npm/node_modules/libnpmteam/.travis.yml
-rw-r--r-- 1 root root 715 Mar 25 2020 /usr/share/npm/node_modules/https-proxy-agent/.editorconfig
-rw-r--r-- 1 root root 143 Mar 25 2020 /usr/share/npm/node_modules/meant/.travis.yml
-rw-r--r-- 1 root root 58 Mar 25 2020 /usr/share/npm/node_modules/sorted-union-stream/.travis.yml
-rw-r--r-- 1 root root 439 Jul 14 2019 /usr/share/nodejs/ajv/.tonic_example.js
-rw-r--r-- 1 root root 219 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/async-listener/.travis.yml
-rw-r--r-- 1 root root 230 Aug 25 2016 /usr/local/lib/node_modules/pm2/node_modules/fclone/.travis.yml
-rw-r--r-- 1 root root 293 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.travis.yml
-rw-r--r-- 1 root root 43 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.prettierrc
-rw-r--r-- 1 root root 512 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/cron/.eslintrc
-rw-r--r-- 1 root root 5451 Aug 28 2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.travis.yml
-rw-r--r-- 1 root root 286 Aug 28 2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.editorconfig
-rw-r--r-- 1 root root 176 Aug 28 2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/test/.eslintrc
-rw-r--r-- 1 root root 231 Aug 28 2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.eslintrc
-rw-r--r-- 1 root root 4140 Aug 28 2017 /usr/local/lib/node_modules/pm2/node_modules/function-bind/.jscs.json
-rw-r--r-- 1 root root 152 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 144 Jun 22 2016 /usr/local/lib/node_modules/pm2/node_modules/yamljs/.travis.yml
-rw-r--r-- 1 root root 71 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/shimmer/.travis.yml
-rw-r--r-- 1 root root 125 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/tx2/.travis.yml
-rw-r--r-- 1 root root 107 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/vizion/.travis.yml
-rw-r--r-- 1 root root 173 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/socks/.travis.yml
-rw-r--r-- 1 root root 124 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 119 Nov 20 2017 /usr/local/lib/node_modules/pm2/node_modules/continuation-local-storage/.travis.yml
-rw-r--r-- 1 root root 422 Nov 18 2016 /usr/local/lib/node_modules/pm2/node_modules/continuation-local-storage/.eslintrc
-rw-r--r-- 1 root root 71 Oct 26 1985 /usr/local/lib/node_modules/pm2/node_modules/emitter-listener/.travis.yml
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 268 Nov 20 16:45 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 921304 Feb 17 13:56 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 139 Nov 20 16:45 /var/backups/dpkg.diversions.1.gz
-rw-r--r-- 1 root root 120 Aug 24 2021 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 56856 Feb 7 14:51 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 220368 Nov 25 06:07 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 2550 Nov 21 06:25 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 100 Aug 24 2021 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 51200 May 3 06:25 /var/backups/alternatives.tar.0
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/paul
/run/lock
/run/screen
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/units
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/var/crash
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/local/lib/node_modules/pm2/node_modules/proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-store.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/npm/lib/config/get-credentials-by-uri.js
/usr/share/npm/lib/config/set-credentials-by-uri.js
/usr/share/npm/node_modules/agent-base/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/http-proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/socks-proxy-agent/node_modules/agent-base/test/ssl-cert-snakeoil.key
/usr/share/npm/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key
/usr/share/pam/common-password
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/fwupd/pki/secret.key
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2021-11-20 16:28:31,552 DEBUG root:39 start: subiquity/Identity/POST: {"realname": "RouterSpace", "username": "h4rithd", "crypted_password": "$6$cm...
2021-11-20 16:52:28,636 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes
2021-11-20 16:52:28,638 - ssh_util.py[DEBUG]: line 124: option PasswordAuthentication added with yes
2021-11-20 16:52:28,731 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
2021-11-20 16:52:28,732 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully
2021-11-20 18:44:46,992 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:44:46,992 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 18:50:05,844 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:50:05,844 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 18:53:41,629 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 18:53:41,629 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 19:13:43,796 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-20 19:13:43,796 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-20 21:57:12,077 DEBUG subiquitycore.utils:48 run_command called: chpasswd
2021-11-20 21:57:12,114 DEBUG subiquitycore.utils:61 run_command chpasswd exited with code 0
2021-11-21 06:22:02,191 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 06:22:02,191 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 13:34:28,834 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 13:34:28,834 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 14:47:55,884 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 14:47:55,884 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 15:35:04,276 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 15:35:04,276 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:35:48,406 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:35:48,406 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:37:54,009 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:37:54,009 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:41:19,107 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:41:19,108 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:56:50,225 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:56:50,225 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 16:59:55,247 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 16:59:55,247 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:15:20,565 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:15:20,565 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:41:22,597 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:41:22,597 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:46:37,147 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:46:37,147 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-21 17:49:27,266 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-21 17:49:27,266 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 09:34:01,712 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 09:34:01,712 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 11:32:35,051 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-22 11:32:35,052 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 13:06:43,629 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-22 13:06:43,629 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 05:52:21,506 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 05:52:21,506 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 07:36:00,980 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 07:36:00,980 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 08:23:03,868 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2021-11-25 08:23:03,869 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 08:30:32,101 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2021-11-25 08:30:32,101 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:04:58,979 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:04:58,979 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:08:59,841 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:08:59,841 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:11:01,317 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:11:01,317 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-02-07 14:24:53,592 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-02-07 14:24:53,592 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
[ 4.239143] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 8.474250] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
base-passwd depends on libc6 (>= 2.8); however:
base-passwd depends on libdebconfclient0 (>= 0.145); however:
Binary file /var/log/journal/ee7af938893e4f71ba32f510f53fe3c8/user-1001.journal matches
dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
Nov 20 16:45:21 ubuntu-server chage[5521]: changed password expiry for usbmux