[magellan@venus ~]$ ./linpeas.sh
linpeas-ng by github.com/PEASS-ng
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.12.8-300.fc34.x86_64 ([email protected]) (gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1), GNU ld version 2.35.1-41.fc34) #1 SMP Fri May 28 15:20:54 UTC 2021
User & Groups: uid=1001(magellan) gid=1001(magellan) groups=1001(magellan) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Hostname: venus
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.12.8-300.fc34.x86_64 ([email protected]) (gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1), GNU ld version 2.35.1-41.fc34) #1 SMP Fri May 28 15:20:54 UTC 2021
lsb_release Not Found
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.9.5p2
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/home/magellan/.local/bin:/home/magellan/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
╔══════════╣ Date & uptime
Tue May 21 23:18:14 BST 2024
23:18:14 up 3:14, 1 user, load average: 0.96, 0.33, 0.16
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/mapper/fedora_fedora-root / xfs defaults 0 0
UUID=9b284999-7bf6-468c-a942-e8a72d536c39 /boot xfs defaults 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
SHELL=/bin/bash
HISTCONTROL=ignoredups
HOSTNAME=venus
HISTSIZE=0
EDITOR=/usr/bin/nano
PWD=/home/magellan
LOGNAME=magellan
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/magellan
LANG=C.UTF-8
HISTFILE=/dev/null
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
SSH_CONNECTION=192.168.95.3 37224 192.168.95.15 22
XDG_SESSION_CLASS=user
SELINUX_ROLE_REQUESTED=
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=magellan
SELINUX_USE_CURRENT_RANGE=
SHLVL=2
XDG_SESSION_ID=4
XDG_RUNTIME_DIR=/run/user/1001
SSH_CLIENT=192.168.95.3 37224 22
which_declare=declare -f
PATH=/home/magellan/.local/bin:/home/magellan/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin
SELINUX_LEVEL_REQUESTED=
HISTFILESIZE=0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
MAIL=/var/spool/mail/magellan
SSH_TTY=/dev/pts/0
BASH_FUNC_which%%=() { ( alias;
eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
}
_=/usr/bin/env
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: less probable
Tags: ubuntu=(20.04|21.04),debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: less probable
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
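Two things a practitioner should check before downloading any of the suggester's entries, because linux-exploit-suggester matches on version strings and every hit above is tagged for Ubuntu or Debian builds and marked "less probable". First, the sudo version reported above (1.9.5p2) is exactly the release that fixed CVE-2021-3156, so both Baron Samedit entries are false positives on this host. Second, the running kernel (5.12.8, built in May 2021) predates the DirtyPipe fix, which the advisory places in 5.10.102, 5.15.25 and 5.16.11 in February 2022, so that "less probable" entry is the one that actually deserves a look. The only entry tagged for Fedora is PwnKit, which has to be checked against the installed polkit package (`rpm -q polkit`) rather than the tag. The script below is an added example, not part of linpeas or linux-exploit-suggester: it parses the suggester's text output (the entries above, embedded as a constructed sample) and applies those version checks. The `HOST` facts are copied from the output above; the fixed-version tables are assumptions taken from the published advisories, not from this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the suggester entries printed above, trimmed to the fields this parser reads.
LES_OUTPUT = """\
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
[+] [CVE-2022-0847] DirtyPipe
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
[+] [CVE-2021-4034] PwnKit
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
[+] [CVE-2021-3156] sudo Baron Samedit
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
"""

# Facts taken from the linpeas output above.
HOST = {"kernel": "5.12.8-300.fc34.x86_64", "distro": "fedora", "sudo": "1.9.5p2"}

ENTRY_RE = re.compile(r"^\[\+\] \[(CVE-\d{4}-\d+)\] (.+)$")

@dataclass
class Entry:
    cve: str
    name: str
    exposure: str = ""
    tags: list = field(default_factory=list)   # distro names only, e.g. ["ubuntu", "debian"]

def parse_les(text):
    """Parse linux-exploit-suggester text output into Entry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(cve=m.group(1), name=m.group(2).strip()))
            continue
        if not entries:
            continue
        key, _, value = line.partition(":")
        if key == "Exposure":
            entries[-1].exposure = value.strip()
        elif key == "Tags":
            entries[-1].tags = [t.strip().split("=")[0] for t in value.split(",") if t.strip()]
    return entries

def kernel_version(uname_r):
    """'5.12.8-300.fc34.x86_64' -> (5, 12, 8)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def sudo_version(s):
    """'1.9.5p2' -> (1, 9, 5, 2); '1.8.31' -> (1, 8, 31, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s)
    return tuple(int(m.group(i) or 0) for i in range(1, 5))

# Fix levels from the DirtyPipe advisory (assumption taken from the advisory, not from the page).
DIRTYPIPE_FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}

def dirtypipe_candidate(uname_r):
    """CVE-2022-0847: introduced in 5.8; 5.10/5.15/5.16 fixed at the patch levels above;
    the other 5.8..5.16 series never received a fix release; 5.17+ shipped fixed."""
    major, minor, patch = kernel_version(uname_r)
    if (major, minor) < (5, 8) or (major, minor) >= (5, 17):
        return False
    fixed = DIRTYPIPE_FIXED.get((major, minor))
    return fixed is None or patch < fixed

def baron_samedit_candidate(sudo_ver):
    """CVE-2021-3156: legacy 1.8.2..1.8.31p2 and stable 1.9.0..1.9.5p1 affected; fixed in 1.8.32 / 1.9.5p2."""
    v = sudo_version(sudo_ver)
    return (1, 8, 2, 0) <= v <= (1, 8, 31, 2) or (1, 9, 0, 0) <= v <= (1, 9, 5, 1)

def triage(entries, facts):
    """Map each CVE to the local evidence for it; an empty list means the suggester
    matched on nothing this host actually shows."""
    verdicts = {}
    for e in entries:
        reasons = verdicts.setdefault(e.cve, [])
        found = []
        if facts["distro"] in e.tags:
            found.append("tagged for this distro")
        if e.cve == "CVE-2022-0847" and dirtypipe_candidate(facts["kernel"]):
            found.append("kernel in affected range")
        if e.cve == "CVE-2021-3156":
            found.append("sudo affected" if baron_samedit_candidate(facts["sudo"]) else "sudo already fixed")
        reasons.extend(r for r in found if r not in reasons)
    return verdicts

if __name__ == "__main__":
    for cve, reasons in triage(parse_les(LES_OUTPUT), HOST).items():
        print(f"{cve}: {'; '.join(reasons) or 'no local evidence'}")
```

On the values from this output the script reports DirtyPipe as "kernel in affected range", PwnKit as "tagged for this distro", both Baron Samedit entries as "sudo already fixed" and the nf_tables entry with no local evidence; a version-range match is still only a reason to test, not proof of exploitability.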
╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ AppArmor profile? .............. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... No
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ Aliyun ECS? .......................... No
grep: /etc/cloud/cloud.cfg: No such file or directory
═╣ Tencent CVM? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
curl: (6) Could not resolve host: metadata.google.internal
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 0.7 110048 16136 ? Ss 20:04 0:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 31
root 572 0.0 0.8 54780 16340 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-journald
root 585 0.0 0.6 34288 12424 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-udevd
systemd+ 657 0.1 0.4 17736 8528 ? Ss 20:04 0:20 /usr/lib/systemd/systemd-oomd
└─(Caps) 0x0000000000000022=cap_dac_override,cap_kill
systemd+ 659 0.0 0.9 33756 19052 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-resolved
└─(Caps) 0x0000000000002000=cap_net_raw
root 660 0.0 0.1 99608 2164 ? S<sl 20:04 0:00 /sbin/auditd
root 664 0.0 0.1 8124 3580 ? S< 20:04 0:00 _ /usr/sbin/sedispatch
root 682 0.0 0.5 389660 11040 ? Ssl 20:04 0:00 /usr/sbin/ModemManager
chrony 687 0.0 0.1 85952 3884 ? S 20:04 0:00 /usr/sbin/chronyd
└─(Caps) 0x0000000002000400=cap_net_bind_service,cap_sys_time
root 693 0.0 2.0 135280 40520 ? Ssl 20:04 0:01 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
root 695 0.0 0.0 3160 1988 ? Ss 20:04 0:00 /usr/sbin/mcelog --daemon --foreground
root 696 0.0 0.4 197624 8948 ? Ssl 20:04 0:00 /usr/sbin/rsyslogd -n
root 697 0.0 0.5 28176 11872 ? Ss 20:04 0:00 /usr/sbin/sssd -i --logger=files
root 749 0.0 0.6 30048 13176 ? S 20:04 0:00 _ /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
root 763 0.0 1.9 53020 38884 ? S 20:04 0:00 _ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 698 0.0 0.4 17996 8716 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-homed
root 699 0.0 0.7 272888 15200 ? Ssl 20:04 0:00 /usr/sbin/abrtd -d -s
dbus 700 0.0 0.2 9984 4368 ? Ss 20:04 0:00 /usr/bin/dbus-broker-launch --scope system --audit
dbus 714 0.0 0.1 5828 3400 ? S 20:04 0:00 _ dbus-broker --log 4 --controller 9 --machine-id 2650d1dd6c7744ed8c6524d8bd4b8e5b --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
└─(Caps) 0x0000000020000000=cap_audit_write
root 717 0.0 0.9 266424 19840 ? Ssl 20:04 0:00 /usr/sbin/NetworkManager --no-daemon
root 782 0.0 0.5 28140 10940 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-logind
magellan 195817 0.0 0.2 45436 5988 ? S 23:12 0:00 _ sshd: magellan@pts/0
magellan 195818 0.0 0.2 24596 5580 pts/0 Ss 23:12 0:00 _ -bash
magellan 195884 0.8 0.2 13248 5608 pts/0 S+ 23:17 0:00 _ /bin/sh ./linpeas.sh
magellan 199064 0.0 0.1 13248 3784 pts/0 S+ 23:18 0:00 _ /bin/sh ./linpeas.sh
magellan 199068 0.0 0.1 24496 3916 pts/0 R+ 23:18 0:00 | _ ps fauxwww
magellan 199067 0.0 0.1 13248 2452 pts/0 S+ 23:18 0:00 _ /bin/sh ./linpeas.sh
root 790 0.0 0.0 2384 744 ? Ss 20:04 0:00 /usr/bin/venus_messaging
magellan 791 0.0 0.1 6904 3096 ? Ss 20:04 0:00 /bin/bash /usr/bin/venus_monitoring_web.sh
magellan 793 0.0 1.8 45948 36748 ? S 20:04 0:00 _ /usr/bin/python3 /home/magellan/venus_monitor_proj/manage.py runserver 0:8080
magellan 835 12.4 2.3 617376 48036 ? Sl 20:04 24:02 _ /usr/bin/python3 /home/magellan/venus_monitor_proj/manage.py runserver 0:8080
root 797 0.0 0.1 53908 3520 ? Ssl 20:04 0:00 /usr/sbin/gssproxy -D
polkitd 826 0.0 1.2 2604308 24428 ? Ssl 20:04 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 857 0.0 0.1 20976 2836 ? Ss 20:04 0:00 /usr/sbin/atd -f
root 864 0.0 0.2 18024 4104 ? Ss 20:04 0:00 /usr/sbin/crond -n
root 870 0.0 0.0 9632 1720 tty1 Ss+ 20:04 0:00 /sbin/agetty -o -p -- u --noclear --noissue tty1 linux
root 875 0.0 0.7 85848 15888 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-core -D -T -f -e
root 876 0.0 0.8 77648 16216 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-oops -fxtD
root 877 0.0 0.7 85844 15620 ? Ss 20:04 0:00 /usr/bin/abrt-dump-journal-xorg -fxtD
root 179838 0.0 0.3 17536 7608 ? Ss 21:56 0:00 /usr/lib/systemd/systemd-userdbd
root 195879 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
root 195882 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
root 195883 0.0 0.3 17868 7620 ? S 23:17 0:00 _ systemd-userwork
magellan 179843 0.0 0.6 22052 13936 ? Ss 21:56 0:00 /usr/lib/systemd/systemd --user
magellan 179845 0.0 0.2 133596 5608 ? S 21:56 0:00 _ (sd-pam)
magellan 187567 0.0 0.0 159148 1036 ? Ss 22:05 0:00 gpg-agent --homedir /home/magellan/.gnupg --use-standard-socket --daemon
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
Proc 657 with ppid 1 is run by user systemd-oom but the ppid user is root
Proc 659 with ppid 1 is run by user systemd-resolve but the ppid user is root
Proc 687 with ppid 1 is run by user chrony but the ppid user is root
Proc 700 with ppid 1 is run by user dbus but the ppid user is root
Proc 791 with ppid 1 is run by user magellan but the ppid user is root
Proc 826 with ppid 1 is run by user polkitd but the ppid user is root
Proc 179843 with ppid 1 is run by user magellan but the ppid user is root
Proc 187567 with ppid 1 is run by user magellan but the ppid user is root
Proc 195817 with ppid 195809 is run by user magellan but the ppid user is root
Proc 199364 with ppid 1 is run by user setroubleshoot but the ppid user is root
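Every cross-user PPID line above has either pid 1 as the parent (systemd starting a service under its own User=) or is the sshd session process `sshd: magellan@pts/0` under sshd's root privilege-separation parent; neither shows a user spawning processes as someone else. The capability annotations in the process list are the more interesting detail: systemd-oomd runs as systemd-oom with cap_dac_override, but a capability held by a daemon only matters if you can make that daemon act on your behalf. The script below is an added example, not part of linpeas: it parses the two sections above (embedded as constructed, abridged samples of the lines printed there) and applies those two filters. The set of "watched" capabilities is a selection chosen for this example.

```python
import re

# Constructed sample input: lines copied (abridged) from the "Cleaned processes" section above.
PS_LINES = """\
root 1 0.0 0.7 110048 16136 ? Ss 20:04 0:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 31
systemd+ 657 0.1 0.4 17736 8528 ? Ss 20:04 0:20 /usr/lib/systemd/systemd-oomd
└─(Caps) 0x0000000000000022=cap_dac_override,cap_kill
systemd+ 659 0.0 0.9 33756 19052 ? Ss 20:04 0:00 /usr/lib/systemd/systemd-resolved
└─(Caps) 0x0000000000002000=cap_net_raw
chrony 687 0.0 0.1 85952 3884 ? S 20:04 0:00 /usr/sbin/chronyd
└─(Caps) 0x0000000002000400=cap_net_bind_service,cap_sys_time
dbus 714 0.0 0.1 5828 3400 ? S 20:04 0:00 _ dbus-broker --log 4 --controller 9 --audit
└─(Caps) 0x0000000020000000=cap_audit_write
magellan 195817 0.0 0.2 45436 5988 ? S 23:12 0:00 _ sshd: magellan@pts/0
root 790 0.0 0.0 2384 744 ? Ss 20:04 0:00 /usr/bin/venus_messaging
magellan 791 0.0 0.1 6904 3096 ? Ss 20:04 0:00 /bin/bash /usr/bin/venus_monitoring_web.sh
"""

# Constructed sample input: lines copied from the "Processes whose PPID belongs to a different user" section.
PPID_LINES = """\
Proc 657 with ppid 1 is run by user systemd-oom but the ppid user is root
Proc 687 with ppid 1 is run by user chrony but the ppid user is root
Proc 791 with ppid 1 is run by user magellan but the ppid user is root
Proc 195817 with ppid 195809 is run by user magellan but the ppid user is root
"""

# ps fauxwww columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")
CAPS_RE = re.compile(r"\(Caps\)\s+0x[0-9a-fA-F]+=(\S+)")
PPID_RE = re.compile(r"^Proc (\d+) with ppid (\d+) is run by user (\S+) but the ppid user is (\S+)")

def parse_ps(text):
    """pid -> {user, cmd, caps} from ps lines plus the (Caps) annotation linpeas prints under a process."""
    procs, last = {}, None
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            cmd = re.sub(r"^[|_\s]+", "", m.group(3))   # strip the 'ps f' tree prefix ("_ ", "| _ ")
            last = int(m.group(2))
            procs[last] = {"user": m.group(1), "cmd": cmd, "caps": []}
            continue
        c = CAPS_RE.search(line)
        if c and last is not None:
            procs[last]["caps"] = c.group(1).split(",")
    return procs

# Capabilities that bypass file permissions or change identity (a selection, not the full list).
WATCH_CAPS = {"cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid", "cap_sys_admin",
              "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}

def nonroot_with_watched_caps(procs):
    """Non-root processes holding a watched capability; useful only if you can make that daemon act."""
    hits = []
    for pid, p in procs.items():
        caps = sorted(set(p["caps"]) & WATCH_CAPS)
        if caps and p["user"] != "root":
            hits.append((pid, caps))
    return sorted(hits)

def parse_ppid_findings(text):
    """(pid, ppid, user, parent_user) tuples from linpeas' cross-user PPID lines."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            for m in map(PPID_RE.match, text.splitlines()) if m]

def cross_user_spawns(findings, procs):
    """Drop the two benign shapes: systemd (pid 1) starting a service under its own User=,
    and sshd privilege separation (the child is the 'sshd: user@pts/N' session process)."""
    kept = []
    for pid, ppid, user, puser in findings:
        if ppid == 1 or procs.get(pid, {}).get("cmd", "").startswith("sshd:"):
            continue
        kept.append((pid, ppid, user, puser))
    return kept

if __name__ == "__main__":
    procs = parse_ps(PS_LINES)
    print("non-root processes with watched caps:", nonroot_with_watched_caps(procs))
    print("cross-user spawns after filtering:", cross_user_spawns(parse_ppid_findings(PPID_LINES), procs))
```

Run against the lines from this output the second list is empty; a finding that survives the filter (a root parent other than systemd or sshd with a child running as another user, a cron or wrapper script, say) is the case worth tracing by hand, because it usually means a root process is executing something the other user controls.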
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r--. 1 root root 0 Mar 29 2021 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jan 26 2021 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x. 2 root root 21 May 19 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rw-r--r--. 1 root root 128 Mar 29 2021 0hourly
/etc/cron.daily:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/etc/cron.hourly:
total 16
drwxr-xr-x. 2 root root 22 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rwxr-xr-x. 1 root root 610 Mar 29 2021 0anacron
/etc/cron.monthly:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/etc/cron.weekly:
total 12
drwxr-xr-x. 2 root root 6 Jan 26 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
/var/spool/anacron:
total 12
drwxr-xr-x. 2 root root 63 May 19 2021 .
drwxr-xr-x. 10 root root 113 May 19 2021 ..
-rw-------. 1 root root 9 May 21 21:31 cron.daily
-rw-------. 1 root root 9 May 20 2021 cron.monthly
-rw-------. 1 root root 9 May 21 21:51 cron.weekly
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
RANDOM_DELAY=45
START_HOURS_RANGE=3-22
1 5 cron.daily nice run-parts /etc/cron.daily
7 25 cron.weekly nice run-parts /etc/cron.weekly
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/basic.target.wants/rpmdb-rebuild.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/abrtd.service could be executing some relative path
/etc/systemd/system/remote-fs.target.wants/iscsi.service could be executing some relative path
/etc/systemd/system/systemd-homed.service.wants/systemd-homed-activate.service could be executing some relative path
/etc/systemd/user/basic.target.wants/systemd-tmpfiles-setup.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2024-05-21 23:42:58 BST 24min left Tue 2024-05-21 22:06:26 BST 1h 12min ago dnf-makecache.timer dnf-makecache.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago logrotate.timer logrotate.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago mlocate-updatedb.timer mlocate-updatedb.service
Wed 2024-05-22 00:00:00 BST 41min left Tue 2024-05-21 20:04:43 BST 3h 13min ago unbound-anchor.timer unbound-anchor.service
Wed 2024-05-22 20:19:29 BST 21h left Tue 2024-05-21 20:19:29 BST 2h 59min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2024-05-26 01:00:00 BST 4 days left Tue 2024-05-21 20:04:43 BST 3h 13min ago raid-check.timer raid-check.service
Mon 2024-05-27 00:53:59 BST 5 days left Tue 2024-05-21 21:09:57 BST 2h 8min ago fstrim.timer fstrim.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sssd-nss.socket is calling this writable listener: /var/lib/sss/pipes/nss
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/.heim_org.h5l.kcm-socket
└─(Read Write)
/run/abrt/abrt.socket
└─(Read Write)
/run/dbus/system_bus_socket
└─(Read Write)
/run/gssproxy.sock
└─(Read Write)
/run/lvm/lvmpolld.socket
/run/mcelog-client
└─(Read )
/run/pcscd/pcscd.comm
└─(Read Write)
/run/systemd/coredump
/run/systemd/home/notify
└─(Read )
/run/systemd/inaccessible/sock
/run/systemd/io.system.ManagedOOM
└─(Read Write)
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/resolve/io.systemd.Resolve
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/systemd/userdb/io.systemd.Home
└─(Read Write)
/run/systemd/userdb/io.systemd.Multiplexer
└─(Read Write)
/run/udev/control
/run/user/1001/bus
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1001/systemd/inaccessible/sock
/run/user/1001/systemd/notify
└─(Read Write)
/run/user/1001/systemd/private
└─(Read Write)
/var/lib/gssproxy/default.sock
└─(Read Write)
/var/lib/sss/pipes/nss
└─(Read Write)
/var/lib/sss/pipes/private/sbus-dp_implicit_files.749
/var/lib/sss/pipes/private/sbus-monitor
/var/run/abrt/abrt.socket
└─(Read Write)
/var/run/mcelog-client
└─(Read )
/var/run/setroubleshoot/setroubleshoot_server
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.SetroubleshootPrivileged.conf ( <policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf ( <policy user="setroubleshoot">)
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf ( <policy user="polkitd">
<policy user="polkitd">)
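linpeas flags any `<policy user="...">` stanza as a "possible weak user policy", but a per-user policy is only a lever when it grants something useful (owning a bus name, or sending to a destination) to an account you can already run code as. `<policy user="polkitd">` owning org.freedesktop.PolicyKit1, and the setroubleshoot equivalents above, are the standard shape of those files. The script below is an added example, not part of linpeas or D-Bus: it parses a busconfig file and keeps only user policies for controllable accounts. The XML is a constructed sample in the layout of a dbus-daemon policy file and is not the contents of the files flagged above; the `magellan` stanza and the `com.example.Monitor` name exist only to show a hit.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a dbus-daemon busconfig file. It is NOT the contents of
# /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on this host; the magellan stanza is invented.
SAMPLE_CONF = """\
<busconfig>
  <policy user="polkitd">
    <allow own="org.freedesktop.PolicyKit1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.PolicyKit1"/>
  </policy>
  <policy user="magellan">
    <allow own="com.example.Monitor"/>
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"/>
  </policy>
</busconfig>
"""

# Attributes on an <allow> that hand out real power: owning a name, or talking to a service.
GRANT_ATTRS = ("own", "own_prefix", "send_destination")

def user_policies(conf_xml):
    """Map user -> [(verb, attrs), ...] for every <allow>/<deny> inside a <policy user=...> stanza.
    context="default"/"mandatory" and group= policies are not per-user and are skipped here."""
    grants = {}
    for policy in ET.fromstring(conf_xml).iter("policy"):
        user = policy.get("user")
        if user is None:
            continue
        rules = grants.setdefault(user, [])
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                rules.append((rule.tag, dict(rule.attrib)))
    return grants

def weak_user_policies(conf_xml, controllable_users):
    """Users whose stanza allows own/send_destination AND whom we can run code as."""
    hits = {}
    for user, rules in user_policies(conf_xml).items():
        if user not in controllable_users:
            continue
        useful = [attrs for verb, attrs in rules
                  if verb == "allow" and any(a in attrs for a in GRANT_ATTRS)]
        if useful:
            hits[user] = useful
    return hits

if __name__ == "__main__":
    # The current user from the output above; add any account you can su to.
    print(weak_user_policies(SAMPLE_CONF, {"magellan"}))
```

With `{"magellan"}` as the controllable set the polkitd stanza drops out and only the invented magellan stanza is reported; on the real files above the same call returns nothing unless you can become polkitd or setroubleshoot, which is the check linpeas' one-line heuristic leaves to you.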
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 657 systemd-oomd systemd-oom :1.0 systemd-oomd.service - -
:1.1 659 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.10 782 systemd-logind root :1.10 systemd-logind.service - -
:1.11 717 NetworkManager root :1.11 NetworkManager.service - -
:1.118 202710 busctl magellan :1.118 session-4.scope 4 -
:1.13 826 polkitd polkitd :1.13 polkit.service - -
:1.14 699 abrtd root :1.14 abrtd.service - -
:1.2 682 ModemManager root :1.2 ModemManager.service - -
:1.3 698 systemd-homed root :1.3 systemd-homed.service - -
:1.4 693 firewalld root :1.4 firewalld.service - -
:1.40 179843 systemd magellan :1.40 user@1001.service - -
:1.44 664 sedispatch root :1.44 auditd.service - -
:1.5 1 systemd root :1.5 init.scope - -
:1.6 700 dbus-broker-lau root :1.6 dbus-broker.service - -
:1.7 717 NetworkManager root :1.7 NetworkManager.service - -
com.redhat.ifcfgrh1 717 NetworkManager root :1.11 NetworkManager.service - -
fi.w1.wpa_supplicant1 - - - (activatable) - - -
net.reactivated.Fprint - - - (activatable) - - -
org.bluez - - - (activatable) - - -
org.fedoraproject.FirewallD1 693 firewalld root :1.4 firewalld.service - -
org.fedoraproject.SetroubleshootFixit - - - (activatable) - - -
org.fedoraproject.SetroubleshootPrivileged - - - (activatable) - - -
org.fedoraproject.Setroubleshootd - - - (activatable) - - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.ModemManager1 682 ModemManager root :1.2 ModemManager.service - -
org.freedesktop.NetworkManager 717 NetworkManager root :1.7 NetworkManager.service - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 826 polkitd polkitd :1.13 polkit.service - -
org.freedesktop.UDisks2 - - - (activatable) - - -
org.freedesktop.home1 698 systemd-homed root :1.3 systemd-homed.service - -
-- UID=0 EUID=0
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 782 systemd-logind root :1.10 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - - -
org.freedesktop.nm_dispatcher - - - (activatable) - - -
org.freedesktop.oom1 657 systemd-oomd systemd-oom :1.0 systemd-oomd.service - -
-- UID=998 EUID=998
org.freedesktop.portable1 - - - (activatable) - - -
org.freedesktop.problems - - - (activatable) - - -
org.freedesktop.problems.daemon 699 abrtd root :1.14 abrtd.service - -
-- UID=0 EUID=0
org.freedesktop.realmd - - - (activatable) - - -
org.freedesktop.reportd - - - (activatable) - - -
org.freedesktop.resolve1 659 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.5 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 - - - (activatable) - - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
venus
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
nameserver 127.0.0.53
options edns0 trust-ad
search .
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.95.15 netmask 255.255.255.0 broadcast 192.168.95.255
inet6 fe80::a00:27ff:fe18:545e prefixlen 64 scopeid 0x20<link>
ether 08:00:27:18:54:5e txqueuelen 1000 (Ethernet)
RX packets 1994238 bytes 179707443 (171.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1576303 bytes 356905125 (340.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10 bytes 560 (560.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 560 (560.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 835/python3
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5355 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1001(magellan) gid=1001(magellan) groups=1001(magellan) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
magellan:x:1001:1001::/home/magellan:/bin/bash
root:x:0:0:root:/root:/bin/bash
venus:x:1000:1000::/home/venus:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=1000(venus) gid=1000(venus) groups=1000(venus)
uid=1001(magellan) gid=1001(magellan) groups=1001(magellan)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=173(abrt) gid=173(abrt) groups=173(abrt)
uid=192(systemd-network) gid=192(systemd-network) groups=192(systemd-network)
uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve)
uid=2(daemon) gid=2(daemon) groups=2(daemon)
uid=29(rpcuser) gid=29(rpcuser) groups=29(rpcuser)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=7(halt) gid=0(root) groups=0(root)
uid=72(tcpdump) gid=72(tcpdump) groups=72(tcpdump)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=989(chrony) gid=985(chrony) groups=985(chrony)
uid=990(dnsmasq) gid=986(dnsmasq) groups=986(dnsmasq)
uid=991(cockpit-wsinstance) gid=987(cockpit-wsinstance) groups=987(cockpit-wsinstance)
uid=992(cockpit-ws) gid=988(cockpit-ws) groups=988(cockpit-ws)
uid=993(setroubleshoot) gid=989(setroubleshoot) groups=989(setroubleshoot)
uid=994(unbound) gid=990(unbound) groups=990(unbound)
uid=995(clevis) gid=991(clevis) groups=991(clevis),59(tss)
uid=996(polkitd) gid=994(polkitd) groups=994(polkitd)
uid=997(systemd-timesync) gid=995(systemd-timesync) groups=995(systemd-timesync)
uid=998(systemd-oom) gid=996(systemd-oom) groups=996(systemd-oom)
uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump)
╔══════════╣ Login now
23:19:01 up 3:14, 1 user, load average: 3.04, 0.98, 0.39
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
magellan pts/0 23:12 1:32 0.72s 0.00s w
╔══════════╣ Last logons
magellan pts/0 Tue May 21 23:12:23 2024 still logged in 192.168.95.3
magellan pts/0 Tue May 21 23:10:26 2024 - Tue May 21 23:12:10 2024 (00:01) 192.168.95.3
magellan pts/0 Tue May 21 21:56:59 2024 - Tue May 21 22:47:11 2024 (00:50) 192.168.95.3
reboot system boot Tue May 21 20:04:26 2024 still running 0.0.0.0
root tty1 Thu Jun 3 16:05:35 2021 - crash (1083+03:58) 0.0.0.0
wtmp begins Thu Jan 1 01:00:00 1970
╔══════════╣ Last time logon each user
Username Port From Latest
magellan pts/0 192.168.95.3 Tue May 21 23:12:23 +0100 2024
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/ping
/usr/bin/python
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
gcc.x86_64 11.1.1-1.fc34 @updates
/usr/bin/gcc
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r--. 1 root root 458 Jan 30 2021 /etc/rsyncd.conf
╔══════════╣ Analyzing Wifi Connections Files (limit 70)
drwxr-xr-x. 2 root root 33 May 19 2021 /etc/NetworkManager/system-connections
drwxr-xr-x. 2 root root 33 May 19 2021 /etc/NetworkManager/system-connections
-rw-------. 1 root root 289 May 19 2021 /etc/NetworkManager/system-connections/enp0s3.nmconnection
╔══════════╣ Analyzing VNC Files (limit 70)
-rw-r--r--. 1 root root 475 Jan 26 2021 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Virtual Network Computing Server (VNC)</short>
<description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
<port protocol="tcp" port="5900-5903"/>
</service>
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r--. 1 root root 162 May 19 2021 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r--. 1 root root 82 May 19 2021 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r--. 1 root root 554 May 19 2021 /etc/ssh/ssh_host_rsa_key.pub
══╣ Some certificates were found (out limited):
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x. 2 root root 4096 May 31 2021 /etc/pam.d
-rw-r--r--. 1 root root 727 Mar 9 2021 /etc/pam.d/sshd
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
-rw-r--r--. 1 root root 0 Jun 23 2020 /etc/exports
╔══════════╣ Searching kerberos conf files and tickets
╚ http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory
ptrace protection is disabled (0), you might find tickets inside processes memory
-rw-r--r--. 1 root root 880 May 20 2021 /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
dns_canonicalize_hostname = fallback
qualify_shortname = ""
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
-rw-r--r--. 1 root root 189 May 10 2021 /usr/lib64/sssd/conf/sssd.conf
[sssd]
services = nss, pam
domains = shadowutils
[nss]
[pam]
[domain/shadowutils]
id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
tickets kerberos Not Found
klist Not Found
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /var/lib/sss/mc/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-------. 1 magellan magellan 1200 May 21 22:04 /home/magellan/.gnupg/trustdb.gpg
-rw-r--r--. 1 root root 2899 Aug 24 2020 /usr/share/gnupg/distsigkey.gpg
drwx------. 3 magellan magellan 69 May 21 23:19 /home/magellan/.gnupg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r--. 1 root root 761 Jul 25 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Samba Files (limit 70)
-rw-r--r--. 1 root root 853 Apr 29 2021 /etc/samba/smb.conf
browseable = No
read only = No
create mask = 0600
browseable = No
create mask = 0664
directory mask = 0775
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r--. 1 root root 826 Jul 25 2020 /usr/share/bash-completion/completions/bind
-rw-r--r--. 1 root root 826 Jul 25 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Windows Files (limit 70)
-rw-r--r--. 1 root root 475 Jan 26 2021 /usr/lib/firewalld/services/vnc-server.xml
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r--. 1 root root 492 Jan 26 2021 /etc/skel/.bashrc
-rw-r--r--. 1 magellan magellan 492 Jan 26 2021 /home/magellan/.bashrc
-rw-------. 1 magellan magellan 36 May 21 2021 /home/magellan/.lesshst
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x. 1 root root 73K Apr 7 2021 /usr/bin/chage
-rwsr-xr-x. 1 root root 77K Apr 7 2021 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 42K Apr 7 2021 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x. 1 root root 49K Feb 12 2021 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x. 1 root root 32K Jan 28 2021 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x. 1 root root 58K Feb 12 2021 /usr/bin/su
-rwsr-xr-x. 1 root root 37K Feb 12 2021 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x. 1 root root 53K Mar 29 2021 /usr/bin/crontab
---s--x--x. 1 root root 182K Jan 26 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 root root 32K Jan 30 2021 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rws--x--x. 1 root root 33K Feb 12 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rws--x--x. 1 root root 25K Feb 12 2021 /usr/bin/chsh
-rwsr-xr-x. 1 root root 57K Jan 26 2021 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x. 1 root root 16K Apr 12 2021 /usr/sbin/grub2-set-bootflag (Unknown SUID binary!)
-rwsr-xr-x. 1 root root 16K Apr 20 2021 /usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 24K Apr 20 2021 /usr/sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 115K Apr 10 2021 /usr/sbin/mount.nfs
-rwsr-xr-x. 1 root root 24K Jan 28 2021 /usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-x---. 1 root cockpit-wsinstance 53K May 16 2021 /usr/libexec/cockpit-session (Unknown SUID binary!)
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x. 1 root tty 25K Feb 12 2021 /usr/bin/write
-rwx--s--x. 1 root slocate 41K Jan 27 2021 /usr/bin/locate
-rwx--s--x. 1 root utmp 16K Jan 27 2021 /usr/libexec/utempter/utempter
-r-xr-sr-x. 1 root ssh_keys 310K Mar 9 2021 /usr/libexec/openssh/ssh-keysign
-rwxr-sr-x. 1 abrt abrt 16K May 25 2021 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache ---> CENTOS
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include ld.so.conf.d/*.conf
ld.so.conf.d
ld.so.conf.d/*
cat: 'ld.so.conf.d/*': No such file or directory
/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=
══╣ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/sbin/mtr-packet cap_net_raw=ep
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 100
drwxr-xr-x. 2 root root 4096 May 19 2021 .
drwxr-xr-x. 102 root root 8192 Jun 1 2021 ..
-rw-r--r--. 1 root root 726 Jan 26 2021 bash_completion.sh
-rw-r--r--. 1 root root 196 Jan 30 2021 colorgrep.csh
-rw-r--r--. 1 root root 201 Jan 30 2021 colorgrep.sh
-rw-r--r--. 1 root root 1763 May 17 2021 colorls.csh
-rw-r--r--. 1 root root 1606 May 17 2021 colorls.sh
-rw-r--r--. 1 root root 162 Jan 29 2021 colorxzgrep.csh
-rw-r--r--. 1 root root 183 Jan 29 2021 colorxzgrep.sh
-rw-r--r--. 1 root root 216 Jan 26 2021 colorzgrep.csh
-rw-r--r--. 1 root root 220 Jan 26 2021 colorzgrep.sh
-rw-r--r--. 1 root root 80 Jan 29 2021 csh.local
-rw-r--r--. 1 root root 1107 Aug 28 2019 gawk.csh
-rw-r--r--. 1 root root 757 Aug 28 2019 gawk.sh
-rw-r--r--. 1 root root 3424 Jun 23 2020 lang.csh
-rw-r--r--. 1 root root 3187 Jun 23 2020 lang.sh
-rw-r--r--. 1 root root 500 May 6 2021 less.csh
-rw-r--r--. 1 root root 253 May 6 2021 less.sh
-rw-r--r--. 1 root root 122 Mar 3 2021 nano-default-editor.csh
-rw-r--r--. 1 root root 120 Mar 3 2021 nano-default-editor.sh
-rw-r--r--. 1 root root 81 Jan 29 2021 sh.local
-rw-r--r--. 1 root root 120 May 4 2021 which2.csh
-rw-r--r--. 1 root root 478 May 4 2021 which2.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/magellan
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/inaccessible
/run/user/1001/systemd/inaccessible/dir
/run/user/1001/systemd/inaccessible/reg
/run/user/1001/systemd/units
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
/var/spool/mail/magellan
/var/tmp
/var/tmp/dnf-magellan-eb3dtvaj
/var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
/var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
/var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
#)You_can_write_even_more_files_inside_last_directory
/var/tmp/dnf-magellan-eb3dtvaj/locks/be5546dbcdfa46e5bfb46559a17e7f02cb64a548
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/lesspipe.sh
/usr/bin/source-highlight-esc.sh
/usr/bin/src-hilite-lesspipe.sh
/usr/bin/setup-nsssysinit.sh
/usr/bin/venus_monitoring_web.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2021-05-21+11:05:56.8903282290 /usr/bin/venus_monitoring_web.sh
2021-05-20+21:44:39.5440508960 /home/magellan/venus_monitor_proj/manage.py
2021-05-20+20:39:52.0991252430 /home/magellan/.local/bin/django-admin
2021-05-20+20:39:46.9977700110 /home/magellan/.local/bin/django-admin.py
2021-05-20+20:39:44.1399710940 /home/magellan/.local/bin/sqlformat
2021-05-20+16:12:11.0829938480 /usr/bin/venus_messaging
╔══════════╣ Unexpected in root
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/journal/2650d1dd6c7744ed8c6524d8bd4b8e5b/system.journal
/var/log/journal/2650d1dd6c7744ed8c6524d8bd4b8e5b/user-1001.journal
/var/log/cron
/var/log/messages
/var/log/secure
/var/tmp/dnf-magellan-eb3dtvaj/dnf.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
/var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
/var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
/var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.18.0
Default mail command: /bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/logrotate.status
ACL support: yes
SELinux support: yes
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.log
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
Writable: /var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
Writable: /home/magellan/venus_monitor_proj/debug.log
╔══════════╣ Files inside /home/magellan (limit 20)
total 876
drwx------. 6 magellan magellan 260 May 21 23:16 .
drwxr-xr-x. 4 root root 35 May 20 2021 ..
lrwxrwxrwx. 1 magellan magellan 9 May 21 2021 .bash_history -> /dev/null
-rw-r--r--. 1 magellan magellan 18 Jan 26 2021 .bash_logout
-rw-r--r--. 1 magellan magellan 141 Jan 26 2021 .bash_profile
-rw-r--r--. 1 magellan magellan 492 Jan 26 2021 .bashrc
drwxrwxr-x. 3 magellan magellan 17 May 20 2021 .cache
drwx------. 3 magellan magellan 69 May 21 23:19 .gnupg
-rw-------. 1 magellan magellan 36 May 21 2021 .lesshst
drwx------. 4 magellan magellan 28 May 20 2021 .local
-rw-------. 1 magellan magellan 42 May 20 2021 .python_history
-rw-rw-r--. 1 magellan magellan 38 May 21 2021 .virc
-rw-rw-r--. 1 magellan magellan 218 May 21 2021 .wget-hsts
-rwxr-xr-x. 1 magellan magellan 862779 May 21 22:00 linpeas.sh
-rw-------. 1 magellan magellan 45 May 21 2021 user_flag.txt
drwxrwxr-x. 4 magellan magellan 109 May 21 2021 venus_monitor_proj
╔══════════╣ Files inside others home (limit 20)
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
13658575 0 -rw-rw---- 1 rpc mail 0 May 19 2021 /var/mail/rpc
12586557 0 -rw-rw---- 1 venus mail 0 May 20 2021 /var/mail/venus
12920963 0 -rw-rw---- 1 magellan mail 0 May 20 2021 /var/mail/magellan
13658575 0 -rw-rw---- 1 rpc mail 0 May 19 2021 /var/spool/mail/rpc
12586557 0 -rw-rw---- 1 venus mail 0 May 20 2021 /var/spool/mail/venus
12920963 0 -rw-rw---- 1 magellan mail 0 May 20 2021 /var/spool/mail/magellan
╔══════════╣ Backup files (limited 100)
-rw-r--r--. 1 root root 2124 May 19 2021 /etc/nsswitch.conf.bak
-rw-r--r--. 1 root root 1222 May 31 2021 /etc/selinux/.config_backup
-rw-r--r--. 1 root root 2376 May 12 2021 /usr/lib/modules/5.11.20-300.fc34.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 1 root root 2380 May 28 2021 /usr/lib/modules/5.12.8-300.fc34.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 2 root root 1405 Mar 10 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-39.opt-1.pyc
-rw-r--r--. 2 root root 1405 Mar 10 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-39.pyc
-rw-r--r--. 1 root root 1775 Feb 25 2021 /usr/lib/python3.9/site-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r--. 1 root root 305 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_1.conf
-rw-r--r--. 1 root root 465 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_2.conf
-rw-r--r--. 1 root root 194 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_1.conf
-rw-r--r--. 1 root root 212 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_2.conf
-rw-r--r--. 1 root root 241 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_3.conf
-rw-r--r--. 1 root root 447 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_multi_lw_1.conf
-rw-r--r--. 1 root root 285 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_nsna_ping_1.conf
-rw-r--r--. 1 root root 318 Jan 9 2020 /usr/share/doc/teamd/example_configs/activebackup_tipc.conf
-rw-r--r--. 1 root root 41508 Mar 9 2006 /usr/share/doc/pinfo/ChangeLog.old
-r--r--r--. 1 root root 2747 Feb 22 2021 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r--. 1 root root 1014 Nov 23 2017 /usr/share/augeas/lenses/dist/backuppchosts.aug
-rw-r--r--. 1 root root 94749 May 20 2021 /usr/share/info/dir.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/pki/nssdb/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/cert9.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/key4.db: SQLite 3.x database, last written using SQLite version 0
Found /etc/pki/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /home/magellan/venus_monitor_proj/db.sqlite3: empty
Found /var/lib/dnf/history.sqlite: SQLite 3.x database, last written using SQLite version 3034001
Found /var/lib/rpm/rpmdb.sqlite: SQLite 3.x database, last written using SQLite version 3034001
-> Extracting tables from /etc/pki/nssdb/cert9.db (limit 20)
-> Extracting tables from /etc/pki/nssdb/key4.db (limit 20)
-> Extracting tables from /var/lib/dnf/history.sqlite (limit 20)
-> Extracting tables from /var/lib/rpm/rpmdb.sqlite (limit 20)
╔══════════╣ Web files?(output limit)
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--. 1 root root 168 May 12 2021 /boot/.vmlinuz-5.11.20-300.fc34.x86_64.hmac
-rw-r--r--. 1 root root 167 May 28 2021 /boot/.vmlinuz-5.12.8-300.fc34.x86_64.hmac
-rw-r--r--. 1 root root 0 May 21 20:04 /run/initramfs/.need_shutdown
-rw-r--r--. 1 root root 18 Jan 26 2021 /etc/skel/.bash_logout
-rw-r--r--. 1 root root 129 May 28 2021 /etc/selinux/targeted/.policy.sha512
-rw-r--r--. 1 root root 1222 May 31 2021 /etc/selinux/.config_backup
-rw-------. 1 root root 0 May 19 2021 /etc/.pwd.lock
-rw-r--r--. 1 root root 208 May 19 2021 /etc/.updated
-rw-r--r--. 1 root root 0 May 19 2021 /var/lib/rpm/.rpm.lock
-rw-r--r--. 1 root root 0 May 19 2021 /var/cache/abrt-di/.migration-group-add
-rw-r--r--. 1 root root 208 May 19 2021 /var/.updated
-rw-r--r--. 1 root root 168 May 12 2021 /usr/lib/modules/5.11.20-300.fc34.x86_64/.vmlinuz.hmac
-rw-r--r--. 1 root root 167 May 28 2021 /usr/lib/modules/5.12.8-300.fc34.x86_64/.vmlinuz.hmac
-rw-r--r--. 1 root root 65 Jan 26 2021 /usr/lib64/.libgmp.so.10.4.0.hmac
-rw-r--r--. 1 root root 65 Mar 21 2021 /usr/lib64/.libhogweed.so.6.3.hmac
-rw-r--r--. 1 root root 65 Mar 21 2021 /usr/lib64/.libnettle.so.8.3.hmac
-rw-r--r--. 1 root root 65 Apr 28 2021 /usr/lib64/.libgcrypt.so.20.hmac
-rw-r--r--. 1 root root 65 Mar 26 2021 /usr/lib64/.libcrypto.so.1.1.1k.hmac
-rw-r--r--. 1 root root 65 Mar 26 2021 /usr/lib64/.libssl.so.1.1.1k.hmac
-rw-r--r--. 1 root root 65 May 29 2021 /usr/lib64/.libgnutls.so.30.30.0.hmac
-rw-r--r--. 1 root root 42 Feb 18 2021 /usr/share/man/man5/.k5identity.5.gz
-rw-r--r--. 1 root root 40 Jan 26 2021 /usr/share/man/man1/..1.gz
-rw-r--r--. 1 magellan magellan 18 Jan 26 2021 /home/magellan/.bash_logout
-rw-rw-r--. 1 magellan magellan 38 May 21 2021 /home/magellan/.virc
-rw-rw-r--. 1 magellan magellan 218 May 21 2021 /home/magellan/.wget-hsts
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r--. 1 magellan magellan 1955 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.log
-rw-r--r--. 1 magellan magellan 474 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.librepo.log
-rw-r--r--. 1 magellan magellan 116 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/dnf.rpm.log
-rw-r--r--. 1 magellan magellan 2 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/expired_repos.json
-rw-r--r--. 1 magellan magellan 120 May 21 23:19 /var/tmp/dnf-magellan-eb3dtvaj/hawkey.log
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/authselect/password-auth
/etc/cockpit/ws-certs.d/0-self-signed.key
/etc/pam.d/password-auth
/etc/trusted-key.key
/etc/unbound/root.key
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/admin/auth/user/change_password.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_change_done.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_change_form.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_reset_complete.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/admin/templates/registration/password_reset_confirm.html
#)There are more creds/passwds files in the previous parent folder
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/common-passwords.txt.gz
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/management/commands/__pycache__/changepassword.cpython-39.pyc
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/management/commands/changepassword.py
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/password_validation.py
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html
/home/magellan/.local/lib/python3.9/site-packages/django/contrib/auth/templates/registration/password_reset_subject.txt
/home/magellan/.local/lib/python3.9/site-packages/django/forms/jinja2/django/forms/widgets/password.html
/home/magellan/.local/lib/python3.9/site-packages/django/forms/templates/django/forms/widgets/password.html
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/bin/tpm2_activatecredential
/usr/bin/tpm2_makecredential
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/lib64/libsamba-credentials.so.1
/usr/lib64/libsamba-credentials.so.1.0.0
/usr/lib64/samba/libcmdline-credentials-samba4.so
/usr/sbin/grub2-set-password
/usr/sbin/grub2-setpassword
/usr/share/augeas/lenses/dist/jmxpassword.aug
/usr/share/augeas/lenses/dist/postfix_passwordmap.aug
/usr/share/authselect/default/minimal/password-auth
/usr/share/authselect/default/nis/password-auth
/usr/share/authselect/default/sssd/password-auth
/usr/share/authselect/default/winbind/password-auth
/usr/share/doc/openssh/PROTOCOL.key
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man1/tpm2_activatecredential.1.gz
/usr/share/man/man1/tpm2_makecredential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/grub2-set-password.8.gz
/usr/share/man/man8/grub2-setpassword.8.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/var/lib/unbound/root.key
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
[magellan@venus ~]$