linpeas v3.2.1 by carlospolop ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You must take a look at it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ════════════════════════════════════╣ Basic information ╠════════════════════════════════════ OS: Linux version 4.18.0-240.22.1.el8_3.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Thu Apr 8 19:01:30 UTC 2021 User & Groups: uid=1000(michelle) gid=1000(michelle) groups=1000(michelle) context=user_u:user_r:user_t:s0 Hostname: pit.htb Writable folder: /dev/shm [+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) [+] nmap is available for network discover & port scanning, you should use it yourself Caching directories using 2 threads . . . . . . . . . . . . . . . . . . . . . . . . 
DONE ════════════════════════════════════╣ System Information ╠════════════════════════════════════ [+] Operative system [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits Linux version 4.18.0-240.22.1.el8_3.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Thu Apr 8 19:01:30 UTC 2021 [+] Sudo version [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version Sudo version 1.8.29 [+] USBCreator [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation [+] PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses /home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin New path exported: /home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin [+] Date Sat 19 Jun 21:26:00 EDT 2021 [+] System stats Filesystem Size Used Avail Use% Mounted on devtmpfs 2.0G 0 2.0G 0% /dev tmpfs 2.0G 0 2.0G 0% /dev/shm tmpfs 2.0G 33M 1.9G 2% /run tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup /dev/mapper/cl-root 2.5G 2.2G 333M 87% / /dev/sda1 488M 184M 269M 41% /boot tmpfs 394M 0 394M 0% /run/user/1000 total used free shared buff/cache available Mem: 4024944 705320 2439316 33480 880308 2996524 Swap: 1961980 0 1961980 [+] CPU info Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 2 NUMA node(s): 1 Vendor ID: AuthenticAMD CPU family: 23 Model: 1 Model name: AMD EPYC 7401P 24-Core Processor Stepping: 2 CPU MHz: 2000.000 BogoMIPS: 4000.00 Hypervisor vendor: VMware Virtualization type: full L1d cache: 32K L1i cache: 64K L2 cache: 512K L3 cache: 65536K NUMA node0 CPU(s): 0,1 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt 
pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor [+] Environment [i] Any private information inside environment variables? 
SSH_CONNECTION=10.10.14.240 57972 10.10.10.241 22 LANG=en_GB.utf8 HISTCONTROL=ignoredups HOSTNAME=pit.htb XDG_SESSION_ID=837 USER=michelle SELINUX_ROLE_REQUESTED= PWD=/home/michelle HOME=/home/michelle SSH_CLIENT=10.10.14.240 57972 22 SELINUX_LEVEL_REQUESTED= HISTFILE=/dev/null SSH_TTY=/dev/pts/1 MAIL=/var/spool/mail/michelle SHELL=/bin/bash TERM=xterm-256color SELINUX_USE_CURRENT_RANGE= SHLVL=2 LOGNAME=michelle DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 PATH=/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin HISTSIZE=0 HISTFILESIZE=0 LESSOPEN=||/usr/bin/lesspipe.sh %s _=/usr/bin/env [+] Searching Signature verification failed in dmseg [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed Not Found [+] AppArmor enabled? .............. AppArmor Not Found [+] grsecurity present? ............ grsecurity Not Found [+] PaX bins present? .............. PaX Not Found [+] Execshield enabled? ............ Execshield Not Found [+] SELinux enabled? ............... SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 32 [+] Is ASLR enabled? ............... /proc/sys/kernel/randomize_va_space Not Found [+] Printer? ....................... lpstat Not Found [+] Is this a virtual machine? ..... Yes (vmware) ═════════════════════════════════════════╣ Containers ╠══════════════════════════════════════════ [+] Is this a container? 
........... No [+] Container related tools present which: no docker in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) which: no lxc in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) which: no rkt in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) which: no kubectl in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) which: no podman in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) which: no runc in (/home/michelle/.local/bin:/home/michelle/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/bin) [+] Any running containers? ........ No ═════════════════════════════════════════╣ Devices ╠══════════════════════════════════════════ [+] Any sd*/disk* disk in /dev? (limit 20) disk sda sda1 sda2 [+] Unmounted file-system? [i] Check if you can mount umounted devices /dev/mapper/cl-root / xfs defaults 0 0 /dev/mapper/cl-seeddms /var/www/html/seeddms51x/seeddms/ xfs defaults 0 0 UUID=6c738aaa-f815-4cbd-b6b0-87b922c96df0 /boot ext4 defaults 1 2 /dev/mapper/cl-swap swap swap defaults 0 0 ════════════════════════════════════╣ Available Software ╠════════════════════════════════════ [+] Useful software /usr/bin/nmap /usr/bin/nc /usr/bin/ncat /usr/bin/curl /usr/bin/ping /usr/bin/base64 /usr/bin/perl /usr/bin/php /usr/bin/sudo [+] Installed Compiler ══════════════════════════════╣ Processes, Cron, Services, Timers & Sockets ╠════════════════════════════════ [+] Cleaned processes [i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes michelle 67926 0.2 0.4 421976 18012 ? Sl 21:17 0:01 cockpit-bridge michelle 67798 0.0 0.1 153360 5504 ? 
S 21:15 0:00 sshd: michelle@pts/1 michelle 67803 0.0 0.1 26996 4216 pts/1 Ss 21:15 0:00 _ -bash michelle 68596 1.5 0.1 13640 4168 pts/1 S+ 21:25 0:00 _ /bin/sh ./linpeas.sh michelle 69292 0.0 0.0 13640 2700 pts/1 S+ 21:26 0:00 _ /bin/sh ./linpeas.sh michelle 69296 0.0 0.0 58692 3984 pts/1 R+ 21:26 0:00 | _ ps fauxwww michelle 69295 0.0 0.0 13640 1232 pts/1 S+ 21:26 0:00 _ /bin/sh ./linpeas.sh root 1 0.0 0.3 1114196 14992 ? Ss Jun18 0:40 /usr/lib/systemd/systemd --switched-root --system --deserialize 18 michelle 66892 0.0 0.2 94024 9764 ? Ss 21:09 0:00 /usr/lib/systemd/systemd --user michelle 66896 0.0 0.1 1183684 5936 ? S 21:09 0:00 _ (sd-pam) michelle 67924 0.0 0.0 27400 520 ? Ss 21:17 0:00 /usr/bin/ssh-agent [+] Binary processes permissions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes 0 lrwxrwxrwx. 1 root root 4 May 10 10:56 /bin/sh -> bash 328K -rwxr-xr-x. 1 root root 326K Apr 26 2020 /usr/bin/ssh-agent 1.6M -rwxr-xr-x. 1 root root 1.6M Apr 7 16:56 /usr/lib/systemd/systemd [+] Files opened by processes belonging to other users [i] This is usually empty because of the lack of privileges to read other user processes information [+] Processes with credentials in memory (root req) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd: process found (dump creds from memory as root) [+] Cron jobs [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r--. 1 root root 0 Nov 8 2019 /etc/cron.deny /etc/cron.daily: total 16 drwxr-xr-x. 2 root root 23 May 15 2020 . drwxr-xr-x. 97 root root 8192 May 10 11:25 .. -rwxr-xr-x. 1 root root 195 Apr 17 2020 logrotate /etc/cron.hourly: total 16 drwxr-xr-x. 2 root root 22 Apr 16 2020 . drwxr-xr-x. 97 root root 8192 May 10 11:25 .. -rwxr-xr-x. 
1 root root 575 Nov 8 2019 0anacron /etc/cron.monthly: total 12 drwxr-xr-x. 2 root root 6 May 11 2019 . drwxr-xr-x. 97 root root 8192 May 10 11:25 .. /etc/cron.weekly: total 12 drwxr-xr-x. 2 root root 6 May 11 2019 . drwxr-xr-x. 97 root root 8192 May 10 11:25 .. SHELL=/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root RANDOM_DELAY=45 START_HOURS_RANGE=3-22 1 5 cron.daily nice run-parts /etc/cron.daily 7 25 cron.weekly nice run-parts /etc/cron.weekly @monthly 45 cron.monthly nice run-parts /etc/cron.monthly [+] Services [i] Search for outdated versions [+] Systemd PATH [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin [+] Analyzing .service files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#services /lib/systemd/system/cockpit.service is executing some relative path /lib/systemd/system/sssd-kcm.service is executing some relative path /usr/lib/systemd/system/cockpit.service is executing some relative path /usr/lib/systemd/system/sssd-kcm.service is executing some relative path You can't write on systemd PATH [+] System timers [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Sat 2021-06-19 22:05:41 EDT 39min left Sat 2021-06-19 21:05:41 EDT 20min ago dnf-makecache.timer dnf-makecache.service Sun 2021-06-20 00:00:00 EDT 2h 33min left Sat 2021-06-19 00:00:01 EDT 21h ago unbound-anchor.timer unbound-anchor.service Sun 2021-06-20 10:18:51 EDT 12h left Sat 2021-06-19 10:18:51 EDT 11h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service [+] Analyzing .timer files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers [+] Analyzing .socket files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets [+] HTTP sockets [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets [+] D-Bus config files [i] 
https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.fedoraproject.SetroubleshootPrivileged.conf ( ) Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf ( ) [+] D-Bus Service Objects list [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION :1.1 1 systemd root :1.1 init.scope - - :1.1229 982 n/a root :1.1229 - - - :1.24 1104 n/a root :1.24 - - - :1.2405 19057 n/a root :1.2405 - - - :1.32 1134 n/a root :1.32 - - - :1.4 1020 n/a polkitd :1.4 - - - :1.5392 66892 systemd michelle :1.5392 user@1000.service - - :1.5404 66955 n/a root :1.5404 - - - :1.5456 67926 cockpit-bridge michelle :1.5456 session-838.scope 838 - :1.5462 67926 cockpit-bridge michelle :1.5462 session-838.scope 838 - :1.5465 67926 cockpit-bridge michelle :1.5465 session-838.scope 838 - :1.5466 67926 cockpit-bridge michelle :1.5466 session-838.scope 838 - :1.5467 67926 cockpit-bridge michelle :1.5467 session-838.scope 838 - :1.5508 68640 n/a setroubleshoot :1.5508 - - - :1.5509 68640 n/a setroubleshoot :1.5509 - - - :1.5511 69098 n/a root :1.5511 - - - :1.5518 81146 busctl michelle :1.5518 session-837.scope 837 - :1.7 1092 n/a root :1.7 - - - :1.8 1069 n/a root :1.8 - - - :1.9 1104 n/a root :1.9 - - - com.redhat.ifcfgrh1 1104 n/a root :1.24 - - - com.redhat.tuned 1134 n/a root :1.32 - - - org.fedoraproject.FirewallD1 1069 n/a root :1.8 - - - org.fedoraproject.SetroubleshootFixit - - - (activatable) - - org.fedoraproject.SetroubleshootPrivileged 69098 n/a root :1.5511 - - - org.fedoraproject.Setroubleshootd 68640 n/a setroubleshoot :1.5508 - - - org.freedesktop.DBus 1 systemd root - init.scope - - org.freedesktop.NetworkManager 1104 n/a root :1.9 - - - org.freedesktop.PackageKit 19057 n/a root :1.2405 - - - 
org.freedesktop.PolicyKit1 1020 n/a polkitd :1.4 - - - org.freedesktop.hostname1 - - - (activatable) - - org.freedesktop.locale1 - - - (activatable) - - org.freedesktop.login1 1092 n/a root :1.7 - - - org.freedesktop.nm_dispatcher - - - (activatable) - - org.freedesktop.portable1 - - - (activatable) - - org.freedesktop.resolve1 - - - (activatable) - - org.freedesktop.systemd1 1 systemd root :1.1 init.scope - - org.freedesktop.timedate1 66955 n/a root :1.5404 - - - ═══════════════════════════════════╣ Network Information ╠════════════════════════════════════ [+] Hostname, hosts and DNS pit.htb 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 nameserver 8.8.8.8 htb [+] Content of /etc/inetd.conf & /etc/xinetd.conf /etc/inetd.conf Not Found [+] Interfaces default 0.0.0.0 loopback 127.0.0.0 link-local 169.254.0.0 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:b9:79:f0 brd ff:ff:ff:ff:ff:ff inet 10.10.10.241/24 brd 10.10.10.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 dead:beef::fc6f:c2ab:4f8e:bbca/64 scope global dynamic noprefixroute valid_lft 86321sec preferred_lft 14321sec inet6 fe80::8811:73af:e9e:6b74/64 scope link noprefixroute valid_lft forever preferred_lft forever [+] Networks and neighbours 10.10.10.2 dev ens160 lladdr 00:50:56:b9:56:77 REACHABLE dead:beef::1 dev ens160 lladdr 00:50:56:b9:56:77 router STALE fe80::250:56ff:feb9:5677 dev ens160 lladdr 00:50:56:b9:56:77 router STALE IP address HW type Flags HW address Mask Device 10.10.10.2 0x1 0x2 00:50:56:b9:56:77 * ens160 [+] Iptables rules iptables rules Not Found [+] Active Ports [i] 
https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports [+] Can I sniff with tcpdump? No ════════════════════════════════════╣ Users Information ╠════════════════════════════════════ [+] My user [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#users uid=1000(michelle) gid=1000(michelle) groups=1000(michelle) context=user_u:user_r:user_t:s0 [+] Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Clipboard or highlighted text? xsel and xclip Not Found [+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Sorry, try again. [+] Checking sudo tokens [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens /proc/sys/kernel/yama/ptrace_scope is enabled (0) gdb wasn't found in PATH [+] Checking doas.conf /etc/doas.conf Not Found [+] Checking Pkexec policy [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [+] Superusers root:x:0:0:root:/root:/bin/bash [+] Users with console michelle:x:1000:1000::/home/michelle:/bin/bash root:x:0:0:root:/root:/bin/bash [+] All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1000(michelle) gid=1000(michelle) groups=1000(michelle) uid=11(operator) gid=0(root) groups=0(root) uid=12(games) gid=100(users) groups=100(users) uid=14(ftp) gid=50(ftp) groups=50(ftp) uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve) uid=1(bin) gid=1(bin) groups=1(bin) uid=27(mysql) gid=27(mysql) groups=27(mysql) uid=2(daemon) gid=2(daemon) groups=2(daemon) uid=3(adm) gid=4(adm) groups=4(adm) uid=48(apache) gid=48(apache) groups=48(apache) uid=4(lp) gid=7(lp) groups=7(lp) 
uid=59(tss) gid=59(tss) groups=59(tss) uid=5(sync) gid=0(root) groups=0(root) uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) uid=6(shutdown) gid=0(root) groups=0(root) uid=74(sshd) gid=74(sshd) groups=74(sshd) uid=7(halt) gid=0(root) groups=0(root) uid=81(dbus) gid=81(dbus) groups=81(dbus) uid=8(mail) gid=12(mail) groups=12(mail) uid=990(rngd) gid=986(rngd) groups=986(rngd) uid=991(cockpit-wsinstance) gid=987(cockpit-wsinstance) groups=987(cockpit-wsinstance) uid=992(nginx) gid=988(nginx) groups=988(nginx) uid=993(cockpit-ws) gid=989(cockpit-ws) groups=989(cockpit-ws) uid=994(setroubleshoot) gid=990(setroubleshoot) groups=990(setroubleshoot) uid=995(chrony) gid=991(chrony) groups=991(chrony) uid=996(sssd) gid=992(sssd) groups=992(sssd) uid=997(unbound) gid=994(unbound) groups=994(unbound) uid=998(polkitd) gid=995(polkitd) groups=995(polkitd) uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump) [+] Login now 21:26:55 up 1 day, 11:23, 2 users, load average: 0.95, 0.32, 0.11 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [+] Last logons michelle pts/2 Sat Apr 18 08:04:12 2020 - Sat Apr 18 08:04:12 2020 (00:00) 10.10.10.2 michelle pts/2 Sat Apr 18 08:04:00 2020 - Sat Apr 18 08:04:05 2020 (00:00) 10.10.10.2 michelle pts/2 Sat Apr 18 08:03:50 2020 - Sat Apr 18 08:03:50 2020 (00:00) 10.10.10.2 michelle pts/2 Sat Apr 18 08:03:40 2020 - Sat Apr 18 08:03:40 2020 (00:00) 10.10.10.2 michelle pts/2 Sat Apr 18 08:03:18 2020 - Sat Apr 18 08:03:18 2020 (00:00) 10.10.10.2 michelle pts/2 Sat Apr 18 07:59:45 2020 - Sat Apr 18 07:59:45 2020 (00:00) 10.10.10.2 root pts/1 Fri Apr 17 17:55:55 2020 - Sat Apr 18 14:07:46 2020 (20:11) 10.10.10.2 michelle pts/1 Fri Apr 17 17:50:59 2020 - Fri Apr 17 17:50:59 2020 (00:00) 10.10.10.2 wtmp begins Fri Apr 17 17:50:59 2020 [+] Last time logon each user [+] Password policy PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 ENCRYPT_METHOD SHA512 [+] Do not forget to test 'su' as any other user with shell: without 
password and with their names as password (I can't do it...) [+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ═══════════════════════════════════╣ Software Information ╠═══════════════════════════════════ [+] MySQL version mysql Ver 15.1 Distrib 10.3.28-MariaDB, for Linux (x86_64) using readline 5.1 [+] MySQL connection using default root/root ........... No [+] MySQL connection using root/toor ................... No [+] MySQL connection using root/NOPASS ................. No [+] Searching mysql credentials and exec [+] PostgreSQL version and pgadmin credentials Not Found [+] PostgreSQL connection to template0 using postgres/NOPASS ........ No [+] PostgreSQL connection to template1 using postgres/NOPASS ........ No [+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No [+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No [+] Apache server info Not Found [+] Searching PHPCookies Not Found [+] Searching Wordpress wp-config.php files wp-config.php Not Found [+] Searching Drupal settings.php files /default/settings.php Not Found [+] Searching Moodle config.php files config.php inside a moodle folder Not Found [+] Searching Tomcat users file tomcat-users.xml Not Found [+] Mongo information mongo binary Not Found [+] Searching supervisord configuration file supervisord.conf Not Found [+] Searching cesi configuration file cesi.conf Not Found [+] Searching Rsyncd config file rsyncd.conf Not Found [+] Searching Hostapd config file hostapd.conf Not Found [+] Searching wifi conns file Not Found [+] Searching Anaconda-ks config files anaconda-ks.cfg Not Found [+] Searching .vnc directories and their passwd files .vnc Not Found [+] Searching ldap directories and their hashes ldap Not Found [+] Searching .ovpn files and credentials .ovpn Not Found [+] Searching ssl/ssh files /home/michelle/.ssh/authorized_keys /usr/bin/agentxtrap --> Some certificates were found (out limited): 
/etc/cockpit/ws-certs.d/0-self-signed-ca.pem /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem /etc/pki/ca-trust/source/ca-bundle.legacy.crt /home/michelle/.bash_history Searching inside /etc/ssh/ssh_config for interesting info Include /etc/ssh/ssh_config.d/*.conf [+] Searching unexpected auth lines in /etc/pam.d/sshd auth substack password-auth auth include postlogin account include password-auth password include password-auth session include password-auth [+] Searching Cloud credentials (AWS, Azure, GC) [+] NFS exports? [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe /etc/exports Not Found [+] Searching kerberos conf files and tickets [i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt -rw-r--r--. 1 root root 812 Aug 11 2020 /etc/krb5.conf default_ccache_name = KEYRING:persistent:%{uid} tickets kerberos Not Found klist Not Found [+] Searching Kibana yaml kibana.yml Not Found [+] Searching Knock configuration Knock.config Not Found [+] Searching logstash files Not Found [+] Searching elasticsearch files Not Found [+] Searching Vault-ssh files vault-ssh-helper.hcl Not Found [+] Searching AD cached hashes cached hashes Not Found [+] Searching screen sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions screen Not Found [+] Searching tmux sessions [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions tmux Not Found [+] Searching Couchdb directory [+] Searching redis.conf [+] Searching dovecot files dovecot credentials Not Found [+] Searching mosquitto.conf [+] Searching neo4j auth file [+] Searching Cloud-Init conf file [+] Searching Erlang cookie file [+] Searching GVM auth file [+] Searching IPSEC files [+] Searching IRSSI files [+] Searching Keyring files [+] Searching Filezilla sites file [+] Searching backup-manager files [+] Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd [+] 
Searching GitLab related files [+] Searching PGP/GPG PGP/GPG files found: drwx------. 2 michelle michelle 44 Jun 19 21:26 /home/michelle/.gnupg total 8 -rw-------. 1 michelle michelle 32 Jun 19 05:41 pubring.kbx -rw-------. 1 michelle michelle 1200 Jun 19 05:41 trustdb.gpg -rw-------. 1 michelle michelle 1200 Jun 19 05:41 /home/michelle/.gnupg/trustdb.gpg PGP/GPG software: /usr/bin/gpg netpgpkeys Not Found netpgp Not Found [+] Searching vim files [+] Checking if containerd(ctr) is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation [+] Checking if runc is available [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation [+] Searching docker files [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket [+] Interesting Firefox Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Interesting Chrome Files [i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox [+] Autologin Files [+] S/Key authentication [+] YubiKey authentication [+] Passwords inside pam.d [+] FastCGI Params -rw-r--r--. 1 root root 1007 Oct 7 2019 /etc/nginx/fastcgi_params [+] SNMPs -rw-r-x---. 1 root root 19215 Apr 17 2020 /etc/snmp/snmpd.conf ════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════ [+] SUID - Check easy privesc, exploits and write perms [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid strings Not Found strace Not Found -rwsr-xr-x. 1 root root 38K May 11 2019 /usr/bin/fusermount -rwsr-xr-x. 1 root root 65K Nov 8 2019 /usr/bin/crontab -rwsr-xr-x. 1 root root 33K Apr 6 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x. 1 root root 29K Apr 9 2020 /usr/lib/polkit-1/polkit-agent-helper-1 -rwsr-xr-x. 
1 root root 35K Apr 9 2020 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-xr-x. 1 root root 37K Jun 15 2020 /usr/sbin/unix_chkpwd -rwsr-xr-x. 1 root root 13K Jun 15 2020 /usr/sbin/pam_timestamp_check -rwsr-xr-x. 1 root root 33K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x. 1 root root 50K Jul 21 2020 /usr/bin/su -rwsr-xr-x. 1 root root 50K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x. 1 root root 43K Aug 12 2020 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x. 1 root root 83K Aug 12 2020 /usr/bin/gpasswd -rwsr-xr-x. 1 root root 78K Aug 12 2020 /usr/bin/chage ---s--x--x. 1 root root 162K Jan 26 16:58 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x. 1 root root 12K Mar 2 15:52 /usr/sbin/grub2-set-bootflag (Unknown SUID binary) -rwsr-x---. 1 root dbus 63K Apr 7 12:08 /usr/libexec/dbus-1/dbus-daemon-launch-helper [+] SGID [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwx--s--x. 1 root utmp 14K May 10 2019 /usr/libexec/utempter/utempter -r-xr-sr-x. 1 root ssh_keys 445K Apr 26 2020 /usr/libexec/openssh/ssh-keysign -rwxr-sr-x. 
1 root tty 21K Jul 21 2020 /usr/bin/write [+] Checking misconfigurations of ld.so [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf include ld.so.conf.d/*.conf ld.so.conf.d ld.so.conf.d/* cat: 'ld.so.conf.d/*': No such file or directory [+] Capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Files with capabilities (limited to 50): /usr/sbin/arping = cap_net_raw+p /usr/sbin/clockdiff = cap_net_raw+p /usr/bin/newgidmap = cap_setgid+ep /usr/bin/newuidmap = cap_setuid+ep /usr/bin/ping = cap_net_admin,cap_net_raw+p [+] Users with capabilities [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities /etc/security/capability.conf Not Found [+] Files with ACLs (limited to 50) [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls # file: /usr/local/monitoring USER root rwx user michelle -wx GROUP root rwx mask rwx other --- files with acls in searched folders Not Found [+] .sh files in path [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/bin/lesspipe.sh /usr/bin/gettext.sh /usr/bin/setup-nsssysinit.sh /usr/bin/rescan-scsi-bus.sh [+] Unexpected in root find: ‘/boot’: Permission denied [+] Files (scripts) in /etc/profile.d/ [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 88 drwxr-xr-x. 2 root root 4096 May 10 05:06 . drwxr-xr-x. 97 root root 8192 May 10 11:25 .. -rw-r--r--. 1 root root 196 May 10 2019 colorgrep.csh -rw-r--r--. 1 root root 201 May 10 2019 colorgrep.sh -rw-r--r--. 1 root root 1741 Apr 26 2020 colorls.csh -rw-r--r--. 
1 root root 1606 Apr 26 2020 colorls.sh
-rw-r--r--. 1 root root 162 May 10 2019 colorxzgrep.csh
-rw-r--r--. 1 root root 183 May 10 2019 colorxzgrep.sh
-rw-r--r--. 1 root root 216 Nov 8 2019 colorzgrep.csh
-rw-r--r--. 1 root root 220 Nov 8 2019 colorzgrep.sh
-rw-r--r--. 1 root root 80 May 15 2020 csh.local
-rw-r--r--. 1 root root 1107 Dec 14 2017 gawk.csh
-rw-r--r--. 1 root root 757 Dec 14 2017 gawk.sh
-rw-r--r--. 1 root root 2486 May 15 2020 lang.csh
-rw-r--r--. 1 root root 2312 May 15 2020 lang.sh
-rw-r--r--. 1 root root 500 May 11 2019 less.csh
-rw-r--r--. 1 root root 253 May 11 2019 less.sh
-rw-r--r--. 1 root root 81 May 15 2020 sh.local
-rw-r--r--. 1 root root 120 Apr 6 2020 which2.csh
-rw-r--r--. 1 root root 333 Apr 6 2020 which2.sh

[+] Permissions in init, init.d, systemd, and rc.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d

[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. No
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No

[+] Searching root files in home dirs (limit 30)
/home/
/home/michelle/.lesshst
/home/michelle/.bash_history
/root/

[+] Searching folders owned by me containing others files on it

[+] Readable files belonging to root and readable by me but not world readable

[+] Modified interesting files in the last 5mins (limit 100)
/var/tmp/dnf-michelle-amu52m3m/dnf.log
/var/tmp/dnf-michelle-amu52m3m/dnf.librepo.log
/var/tmp/dnf-michelle-amu52m3m/dnf.rpm.log
/var/tmp/dnf-michelle-amu52m3m/expired_repos.json
/var/tmp/dnf-michelle-amu52m3m/hawkey.log

[+] Writable log files (logrotten) (limit 100)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
logrotate Not Found
Writable: /var/tmp/dnf-michelle-amu52m3m/dnf.log
Writable: /var/tmp/dnf-michelle-amu52m3m/dnf.librepo.log
Writable: /var/tmp/dnf-michelle-amu52m3m/dnf.rpm.log

[+] Files inside /home/michelle (limit 20)
total 360
drwx------. 4 michelle michelle 199 Jun 19 21:25 .
drwxr-xr-x. 3 root root 22 Nov 3 2020 ..
lrwxrwxrwx. 1 root root 9 May 10 10:56 .bash_history -> /dev/null
-rw-r--r--. 1 michelle michelle 18 Nov 8 2019 .bash_logout
-rw-r--r--. 1 michelle michelle 141 Nov 8 2019 .bash_profile
-rw-r--r--. 1 michelle michelle 312 Nov 8 2019 .bashrc
-rw-rw-r--. 1 michelle michelle 169 Jun 18 22:53 check-r3pek-pwn.sh
drwx------. 2 michelle michelle 44 Jun 19 21:26 .gnupg
lrwxrwxrwx. 1 root root 9 May 10 10:56 .lesshst -> /dev/null
-rwxr-xr-x. 1 michelle michelle 341863 Jun 19 21:25 linpeas.sh
drwxr-xr-x. 2 michelle michelle 29 Jun 19 21:15 .ssh
-r--------. 1 michelle michelle 33 Jun 18 10:04 user.txt
-rw-r--r--. 1 michelle michelle 658 Mar 20 2020 .zshrc

[+] Files inside others home (limit 20)

[+] Searching installed mail applications

[+] Mails (limit 50)
2730698 0 -rw-rw---- 1 michelle mail 0 Apr 16 2020 /var/mail/michelle
2730698 0 -rw-rw---- 1 michelle mail 0 Apr 16 2020 /var/spool/mail/michelle

[+] Backup folders

[+] Backup files (limited 100)
-rw-r--r--. 1 root root 5484 Nov 8 2019 /usr/share/nmap/scripts/http-backup-finder.nse
-rw-r--r--. 1 root root 7251 Nov 8 2019 /usr/share/nmap/scripts/http-config-backup.nse
-r--r--r--. 1 root root 2762 Aug 17 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r--. 1 root root 2670 Dec 8 2016 /usr/share/man/man1/db_hotbackup.1.gz
-rw-r--r--. 1 root root 334 Feb 18 17:14 /usr/share/man/man1/mariabackup.1.gz
-rw-r--r--. 1 root root 348 Feb 18 17:14 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rw-r--r--. 1 root root 14886 May 10 05:13 /usr/share/info/dir.old
-rw-r--r--. 1 root root 305 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_1.conf
-rw-r--r--. 1 root root 465 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_arp_ping_2.conf
-rw-r--r--. 1 root root 194 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_1.conf
-rw-r--r--. 1 root root 212 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_2.conf
-rw-r--r--. 1 root root 241 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_ethtool_3.conf
-rw-r--r--. 1 root root 447 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_multi_lw_1.conf
-rw-r--r--. 1 root root 285 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_nsna_ping_1.conf
-rw-r--r--. 1 root root 318 Jul 26 2020 /usr/share/doc/teamd/example_configs/activebackup_tipc.conf
-rwxr-xr-x. 1 root root 41696 Jul 21 2020 /usr/lib64/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r--. 2 root root 1383 Aug 24 2020 /usr/lib/python3.6/site-packages/sos/plugins/__pycache__/ovirt_engine_backup.cpython-36.opt-1.pyc
-rw-r--r--. 2 root root 1383 Aug 24 2020 /usr/lib/python3.6/site-packages/sos/plugins/__pycache__/ovirt_engine_backup.cpython-36.pyc
-rw-r--r--. 1 root root 1758 Mar 24 2020 /usr/lib/python3.6/site-packages/sos/plugins/ovirt_engine_backup.py
-rwxr-xr-x. 1 root root 21361680 Apr 19 11:55 /usr/bin/mariabackup
-rwxr-xr-x. 1 root root 38412 Apr 19 11:47 /usr/bin/wsrep_sst_mariabackup
-rw-r--r--. 1 root root 1498 Feb 4 2020 /etc/nsswitch.conf.bak

[+] Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/dnf/history.sqlite: SQLite 3.x database, last written using SQLite version 3026000
Found: /etc/pki/nssdb/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found: /etc/pki/nssdb/cert9.db: SQLite 3.x database, last written using SQLite version 0
Found: /etc/pki/nssdb/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found: /etc/pki/nssdb/key4.db: SQLite 3.x database, last written using SQLite version 0
Found: /etc/pki/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
-> Extracting tables from /var/lib/dnf/history.sqlite (limit 20)
-> Extracting tables from /etc/pki/nssdb/cert9.db (limit 20)
-> Extracting tables from /etc/pki/nssdb/key4.db (limit 20)

[+] Web files?(output limit)

[+] Readable hidden interesting files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r--. 1 root root 3019 May 15 2020 /etc/bashrc
-rw-r--r--. 1 root root 376 Jul 21 2020 /etc/skel/.bashrc
-rw-r--r--. 1 michelle michelle 312 Nov 8 2019 /home/michelle/.bashrc
lrwxrwxrwx. 1 root root 9 May 10 10:56 /home/michelle/.lesshst -> /dev/null

[+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--. 1 michelle michelle 18 Nov 8 2019 /home/michelle/.bash_logout
-rw-r--r--. 1 michelle michelle 141 Nov 8 2019 /home/michelle/.bash_profile
-rw-r--r--. 1 michelle michelle 658 Mar 20 2020 /home/michelle/.zshrc
-rw-r--r--. 1 root root 39 Aug 11 2020 /usr/share/man/man5/.k5login.5.gz
-rw-r--r--. 1 root root 42 Aug 11 2020 /usr/share/man/man5/.k5identity.5.gz
-rw-r--r--. 1 root root 40 Jul 21 2020 /usr/share/man/man1/..1.gz
-rw-r--r--. 1 root root 65 Apr 14 17:32 /usr/lib64/.libgnutls.so.30.28.0.hmac
-rw-r--r--. 1 root root 65 May 10 2019 /usr/lib64/.libcrypt.so.1.1.0.hmac
-rw-r--r--. 1 root root 65 Jul 20 2020 /usr/lib64/.libgcrypt.so.20.hmac
-rw-r--r--. 1 root root 65 Apr 14 17:28 /usr/lib64/.libnettle.so.6.5.hmac
-rw-r--r--. 1 root root 65 Apr 14 17:28 /usr/lib64/.libhogweed.so.4.5.hmac
-rw-r--r--. 1 root root 65 Mar 30 10:34 /usr/lib64/.libcrypto.so.1.1.1g.hmac
-rw-r--r--. 1 root root 65 Mar 30 10:34 /usr/lib64/.libssl.so.1.1.1g.hmac
-rw-r--r--. 1 root root 0 Apr 16 2020 /var/cache/dnf/.gpgkeyschecked.yum
-rw-r--r--. 1 root root 2470 May 6 2020 /var/lib/pear/.depdb
-rw-r--r--. 1 root root 0 May 6 2020 /var/lib/pear/.depdblock
-rw-r--r--. 1 root root 7145 May 6 2020 /var/lib/pear/.filemap
-rw-r--r--. 1 root root 0 May 6 2020 /var/lib/pear/.lock
-rw-r--r--. 1 root root 0 Apr 16 2020 /var/lib/rpm/.dbenv.lock
-rw-r--r--. 1 root root 0 Apr 16 2020 /var/lib/rpm/.rpm.lock
-rw-r--r--. 1 root root 208 May 10 05:06 /var/.updated
-rw-r--r--. 1 root root 129 Apr 26 11:52 /etc/selinux/targeted/.policy.sha512
-rw-r--r--. 1 root root 18 Jul 21 2020 /etc/skel/.bash_logout
-rw-r--r--. 1 root root 141 Jul 21 2020 /etc/skel/.bash_profile
-rw-r--r--. 1 root root 658 Mar 20 2020 /etc/skel/.zshrc
-rw-r--r--. 1 root root 208 May 10 05:06 /etc/.updated
-rw-------. 1 root root 0 Apr 16 2020 /etc/.pwd.lock

[+] Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r--. 1 michelle michelle 4919 Jun 19 21:26 /var/tmp/dnf-michelle-amu52m3m/dnf.log
-rw-rw-r--. 1 michelle michelle 912 Jun 19 21:26 /var/tmp/dnf-michelle-amu52m3m/dnf.librepo.log
-rw-r--r--. 1 michelle michelle 108 Jun 19 21:26 /var/tmp/dnf-michelle-amu52m3m/dnf.rpm.log
-rw-rw-r--. 1 michelle michelle 2 Jun 19 21:26 /var/tmp/dnf-michelle-amu52m3m/expired_repos.json
-rw-rw-r--. 1 michelle michelle 102 Jun 19 21:26 /var/tmp/dnf-michelle-amu52m3m/hawkey.log

[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/michelle
/run/user/1000
/run/user/1000/systemd
/tmp
/tmp/tmux-1000
/var/spool/mail/michelle
/var/tmp
/var/tmp/dnf-michelle-amu52m3m
/var/tmp/dnf-michelle-amu52m3m/dnf.librepo.log
/var/tmp/dnf-michelle-amu52m3m/dnf.log
/var/tmp/dnf-michelle-amu52m3m/dnf.rpm.log
/var/tmp/dnf-michelle-amu52m3m/expired_repos.json
/var/tmp/dnf-michelle-amu52m3m/hawkey.log
#)You_can_write_even_more_files_inside_last_directory
/var/tmp/dnf-michelle-amu52m3m/locks/cc827d6d789669ff0a2f89bc1dc0912494096014

[+] Interesting GROUP writable files (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group michelle:
/var/tmp/dnf-michelle-amu52m3m/dnf.librepo.log
/var/tmp/dnf-michelle-amu52m3m/expired_repos.json
/var/tmp/dnf-michelle-amu52m3m/hawkey.log

[+] Searching passwords in config PHP files

[+] Checking for TTY (sudo/su) passwords in audit logs

[+] Finding IPs inside logs (limit 70)

[+] Finding passwords inside logs (limit 70)

[+] Finding emails inside logs (limit 70)

[+] Finding *password* or *credential* files in home (limit 70)
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
/usr/lib/systemd/system/systemd-ask-password-wall.service

[+] Finding passwords inside key folders (limit 70) - only PHP files

[+] Finding passwords inside key folders (limit 70) - no PHP files
/etc/authselect/user-nsswitch.conf:# passwd: db files
/etc/authselect/user-nsswitch.conf:passwd: sss files systemd
/etc/libuser.conf:# LU_GROUPPASSWORD = !!
/etc/libuser.conf:# LU_SHADOWPASSWORD = !!
/etc/libuser.conf:# LU_USERPASSWORD = !!
/etc/nsswitch.conf.bak:# passwd: db files
/etc/nsswitch.conf.bak:passwd: sss files
/etc/nsswitch.conf:# passwd: db files
/etc/nsswitch.conf:passwd: sss files systemd
/etc/nsswitch.conf.rpmnew:# passwd: db files
/etc/nsswitch.conf.rpmnew:passwd: sss files
/etc/pam.d/password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
/etc/pam.d/system-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
/etc/pki/tls/openssl.cnf:challengePassword = A challenge password
/etc/pki/tls/openssl.cnf:challengePassword_max = 20
/etc/pki/tls/openssl.cnf:challengePassword_min = 4
/etc/pki/tls/openssl.cnf:# input_password = secret
/etc/pki/tls/openssl.cnf:# output_password = secret
/etc/samba/smb.conf.example:# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
/etc/samba/smb.conf.example:; password server =
/etc/samba/smb.conf.example:# password server = only use this option when the "security = server"
/etc/samba/smb.conf.example:# Use "password server = *" to automatically locate Domain Controllers.
/etc/security/namespace.init: gid=$(echo "$passwd" | cut -f4 -d":")
/etc/security/namespace.init: homedir=$(echo "$passwd" | cut -f6 -d":")
/etc/security/namespace.init: passwd=$(getent passwd "$user")
/etc/selinux/semanage.conf:usepasswd=False
/etc/selinux/targeted/contexts/files/file_contexts:/bin/systemd-tty-ask-password-agent -- system_u:object_r:systemd_passwd_agent_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/dovecot\.passwd.* system_u:object_r:dovecot_passwd_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/group\.lock -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/passwd\.adjunct.* -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/passwd\.lock -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/passwd\.OLD -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/passwd[-\+]? -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/ptmptmp -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/\.pwd\.lock -- system_u:object_r:passwd_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/rc\.d/init\.d/yppasswd -- system_u:object_r:nis_initrc_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/security/opasswd\.old -- system_u:object_r:shadow_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/etc/security/opasswd -- system_u:object_r:shadow_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- system_u:object_r:vmware_host_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/sbin/unix_update -- system_u:object_r:updpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/chage -- system_u:object_r:passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/passwd -- system_u:object_r:passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/systemd-gnome-ask-password-agent -- system_u:object_r:systemd_passwd_agent_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/systemd-tty-ask-password-agent -- system_u:object_r:systemd_passwd_agent_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_host_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_host_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/httpd-ssl-pass-dialog -- system_u:object_r:httpd_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/systemd/system/yppasswdd.* -- system_u:object_r:nis_unit_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/chpasswd -- system_u:object_r:passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/pwhistory_helper -- system_u:object_r:updpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/rpc\.yppasswdd\.env -- system_u:object_r:yppasswdd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/rpc\.yppasswdd -- system_u:object_r:yppasswdd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/unix_update -- system_u:object_r:updpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/validate -- system_u:object_r:chkpwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t:s0

[+] Finding possible password variables inside key folders (limit 140)
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/michelle/public_git(/.*)? user_u:object_r:git_user_content_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]+/public_git(/.*)? unconfined_u:object_r:git_user_content_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/pgsql/test/regress(/.*)? system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/var/lib/sepgsql(/.*)? system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/contexts/sepgsql_contexts:db_database * system_u:object_r:sepgsql_db_t:s0

[+] Finding possible password in config files
/etc/selinux/semanage.conf
passwd check tells semanage to scan all pass word records for home directories
passwd=False
/etc/security/faillock.conf
passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
/etc/security/pwquality.conf
password quality limits password that must not be present in the password. password (plus one if password. If less than 0 password. password. password. password. password. password. password. password (digits, uppercase, lowercase, others). password. password. passwd entry GECOS string of the user. password is rejected if it fails the check and the value is not 0.
/etc/authselect/user-nsswitch.conf
passwd: db files
passwd: sss files systemd
/etc/nsswitch.conf
passwd: db files
passwd: sss files systemd
/etc/sestatus.conf
passwd

[+] Finding 'username' string inside key folders (limit 70)
/etc/libreport/events.d/collect_dnf.conf: if [[ $username != "root" ]]; then
/etc/libreport/events.d/collect_dnf.conf: username=`cat username`
/etc/libuser.conf:LU_USERNAME = %n

[+] Searching specific hashes inside files - less false positives (limit 70)