LinPEAS-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting LinPEAS. Caching Writable Folders...
                             ╔═══════════════════╗
═════════════════════════════╣ Basic information ╠═════════════════════════════
                             ╚═══════════════════╝
OS: Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: academy
[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h)
Caching directories DONE
                             ╔════════════════════╗
═════════════════════════════╣ System Information ╠═════════════════════════════
                             ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits
Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
╔══════════╣ Sudo version
sudo Not Found
╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Fri Mar 21 09:10:31 EDT 2025
09:10:31 up 1:45, 1 user, load average: 0.13, 0.11, 0.08
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=24d0cea7-c37b-4fd6-838e-d05cfb61a601 / ext4 errors=remount-ro 0 1
UUID=930c51cc-089d-42bd-8e30-f08b86c52dca none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Environment
╚ Any private information inside environment variables?
OLDPWD=/
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:16622
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=4e0f5e3c0d0a4ed8854a1d250ddad0f8
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2019-13272] PTRACE_TRACEME
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)
                                 ╔═══════════╗
═════════════════════════════════╣ Container ╠═════════════════════════════════
                                 ╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
                                   ╔═══════╗
═══════════════════════════════════╣ Cloud ╠═══════════════════════════════════
                                   ╚═══════╝
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM or Az metadata? ............. No
═╣ Azure APP or IDENTITY_ENDPOINT? ...... No
═╣ Azure Automation Account? ............ No
═╣ Aliyun ECS? .......................... No
═╣ Tencent CVM? ......................... No
              ╔═════════════════════════════════════════════════╗
══════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════
              ╚═════════════════════════════════════════════════╝
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes
root 1 0.6 0.1 169420 10068 ? Ss 07:25 0:39 /sbin/init
root 332 0.1 0.1 29652 8728 ? Ss 07:27 0:06 /lib/systemd/systemd-journald
root 343 0.0 0.0 22732 5752 ? Ss 07:27 0:01 /lib/systemd/systemd-udevd
root 450 0.0 0.0 9488 5736 ? Ss 07:27 0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
systemd+ 531 0.0 0.0 93084 6432 ? Ssl 07:28 0:01 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
root 543 0.0 0.0 8504 2840 ? Ss 07:28 0:00 /usr/sbin/cron -f
root 547 0.0 0.0 225824 4312 ? Ssl 07:28 0:01 /usr/sbin/rsyslogd -n -iNONE
message+ 548 0.0 0.0 9084 4600 ? Ss 07:28 0:01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root 552 0.0 0.0 19544 7332 ? Ss 07:28 0:00 /lib/systemd/systemd-logind
root 553 0.0 0.0 6620 2884 ? Ss 07:28 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root 558 0.0 0.0 6924 3476 tty1 Ss 07:28 0:00 /bin/login -p --
root 928 0.0 0.0 7652 4524 tty1 S+ 07:33 0:00 _ -bash
root 938 0.0 0.0 9060 1332 tty1 T 07:33 0:00 _ ping 1.1.1.1
root 977 0.0 0.0 9060 1280 tty1 T 07:38 0:00 _ ping 1.1.1.1
root 574 0.0 0.0 15852 6672 ? Ss 07:28 0:00 /usr/sbin/sshd -D
root 601 0.0 0.3 214896 25928 ? Ss 07:28 0:01 /usr/sbin/apache2 -k start
www-data 790 0.0 0.2 215856 19724 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 791 0.0 0.2 215872 19568 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 1110 0.0 0.0 2388 752 ? S 07:49 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 1114 0.0 0.0 2388 1672 ? S 07:49 0:00 | _ /bin/sh -i
www-data 16363 5.8 0.0 3336 2604 ? S 09:10 0:01 | _ /bin/sh ./linpeas.sh
www-data 19064 0.0 0.0 3336 1036 ? S 09:10 0:00 | _ /bin/sh ./linpeas.sh
www-data 19067 0.0 0.0 7780 2844 ? R 09:10 0:00 | | _ ps fauxwww
www-data 19068 0.0 0.0 3336 1036 ? S 09:10 0:00 | _ /bin/sh ./linpeas.sh
www-data 792 0.0 0.1 215648 13668 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 793 0.0 0.3 219068 24688 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 794 0.0 0.1 215244 13312 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 947 0.0 0.2 215844 19872 ? S 07:34 0:00 _ /usr/sbin/apache2 -k start
www-data 1133 0.0 0.1 215204 11740 ? S 07:51 0:00 _ /usr/sbin/apache2 -k start
www-data 1134 0.0 0.1 215204 11740 ? S 07:51 0:00 _ /usr/sbin/apache2 -k start
mysql 742 0.6 1.0 1864276 89448 ? Ssl 07:28 0:39 /usr/sbin/mysqld
root 922 0.0 0.1 21028 8352 ? Ss 07:33 0:00 /lib/systemd/systemd --user
root 923 0.0 0.0 104848 2328 ? S 07:33 0:00 _ (sd-pam)
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 process found (dump creds from memory as root)
sshd Not Found
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1077 Jun 16 2021 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rw-r--r-- 1 root root 712 Dec 17 2018 php
/etc/cron.daily:
total 40
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 539 Aug 8 2020 apache2
-rwxr-xr-x 1 root root 1478 May 12 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Apr 18 2019 dpkg
-rwxr-xr-x 1 root root 377 Aug 28 2018 logrotate
-rwxr-xr-x 1 root root 1123 Feb 10 2019 man-db
-rwxr-xr-x 1 root root 249 Sep 27 2017 passwd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 813 Feb 10 2019 man-db
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * /home/grimmie/backup.sh
╔══════════╣ System timers
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2025-03-21 09:39:00 EDT 28min left Fri 2025-03-21 09:09:01 EDT 1min 45s ago phpsessionclean.timer phpsessionclean.service
Sat 2025-03-22 00:00:00 EDT 14h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago logrotate.timer logrotate.service
Sat 2025-03-22 00:00:00 EDT 14h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago man-db.timer man-db.service
Sat 2025-03-22 02:07:26 EDT 16h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago apt-daily.timer apt-daily.service
Sat 2025-03-22 06:18:24 EDT 21h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sat 2025-03-22 07:40:53 EDT 22h left Fri 2025-03-21 07:40:53 EDT 1h 29min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/mysql.service could be executing some relative path
/etc/systemd/system/mysqld.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
/run/dbus/system_bus_socket
  └─(Read Write)
/run/mysqld/mysqld.sock
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/udev/control
/run/user/0/systemd/private
/var/run/dbus/system_bus_socket
  └─(Read Write)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 531 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.13 552 systemd-logind root :1.13 systemd-logind.service - -
:1.180 21680 busctl www-data :1.180 apache2.service - -
:1.2 1 systemd root :1.2 init.scope - -
:1.28 922 systemd root :1.28 user@0.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 552 systemd-logind root :1.13 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - -
org.freedesktop.resolve1 - - - (activatable) - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - -
org.freedesktop.timesync1 531 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
                            ╔═════════════════════╗
════════════════════════════╣ Network Information ╠════════════════════════════
                            ╚═════════════════════╝
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:5d:4c:44 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.6/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 347sec preferred_lft 347sec
inet6 fe80::a00:27ff:fe5d:4c44/64 scope link
valid_lft forever preferred_lft forever
╔══════════╣ Hostname, hosts and DNS
academy
127.0.0.1 localhost
127.0.1.1 academy.tcm.sec academy
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 192.168.33.12
tcm.sec
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
╔══════════╣ Can I sniff with tcpdump?
No
                             ╔═══════════════════╗
═════════════════════════════╣ Users Information ╠═════════════════════════════
                             ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(grimmie) gid=1000(administrator) groups=1000(administrator),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(mysql) gid=113(mysql) groups=113(mysql)
uid=107(ftp) gid=114(ftp) groups=114(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
09:10:50 up 1:45, 1 user, load average: 0.51, 0.20, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 07:33 1:32m 0.20s 0.20s -bash
╔══════════╣ Last logons
root tty1 Sat May 29 13:31:08 2021 - down (00:12) 0.0.0.0
reboot system boot Sat May 29 13:30:20 2021 - Sat May 29 13:43:39 2021 (00:13) 0.0.0.0
root pts/0 Sat May 29 13:16:54 2021 - Sat May 29 13:27:56 2021 (00:11) 192.168.10.31
root tty1 Sat May 29 13:16:34 2021 - down (00:11) 0.0.0.0
reboot system boot Sat May 29 13:15:21 2021 - Sat May 29 13:27:58 2021 (00:12) 0.0.0.0
root pts/0 Sat May 29 13:08:39 2021 - Sat May 29 13:14:47 2021 (00:06) 192.168.10.31
administrator tty1 Sat May 29 13:06:40 2021 - down (00:08) 0.0.0.0
reboot system boot Sat May 29 13:05:58 2021 - Sat May 29 13:14:49 2021 (00:08) 0.0.0.0
wtmp begins Sat May 29 13:05:58 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Fri Mar 21 07:33:03 -0400 2025
grimmie pts/1 192.168.10.31 Sun May 30 03:21:39 -0400 2021
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                            ╔══════════════════════╗
════════════════════════════╣ Software Information ╠════════════════════════════
                            ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
httpd Not Found
Nginx version: nginx Not Found
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 1332 Aug 8 2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 71958 Feb 13 2021 /etc/php/7.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71570 Feb 13 2021 /etc/php/7.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 869 Oct 12 2020 /etc/mysql/mariadb.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
-rw------- 1 root root 277 May 29 2021 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Mar 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jan 31 2020 /etc/pam.d/sshd
account required pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/ldap
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /usr/share/keyrings
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Mar 1 2019 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 3 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/google/recaptcha/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/phpmyadmin/motranslator/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/tecnickcom/tcpdf/.github
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5851 May 29 2021 /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18 2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 506 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 564 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb 1 2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 69 Feb 13 2021 /etc/php/7.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Feb 13 2021 /usr/share/php7.3-common/common/ftp.ini
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3526 Apr 18 2019 /etc/skel/.bashrc
-rw-r--r-- 1 grimmie administrator 3526 May 29 2021 /home/grimmie/.bashrc
-rw-r--r-- 1 root root 807 Apr 18 2019 /etc/skel/.profile
-rw-r--r-- 1 grimmie administrator 807 May 29 2021 /home/grimmie/.profile
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 22 May 29 2021 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
lrwxrwxrwx 1 root root 24 May 29 2021 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 May 29 2021 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mariadb.conf.d/50-server.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.3.27-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 8700 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 8700 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 55625 Mar 16 2021 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 36873 Mar 16 2021 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-stable.gpg
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 root root 174 May 29 2021 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 94 May 29 2021 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 394 May 29 2021 /etc/ssh/ssh_host_rsa_key.pub
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/CFCA_EV_ROOT.pem
/etc/ssl/certs/COMODO_Certification_Authority.pem
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
╔══════════╣ SGID
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls
files with acls in searched folders Not Found
╔══════════╣ Capabilities
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
╚ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
- /usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
- /usr/local/lib/x86_64-linux-gnu
- /lib/x86_64-linux-gnu
- /usr/lib/x86_64-linux-gnu
/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files
total 20
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 664 Mar 1 2019 bash_completion.sh
-rw-r--r-- 1 root root 1107 Sep 14 2018 gawk.csh
-rw-r--r-- 1 root root 757 Sep 14 2018 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 Feb 10 2019 usr.bin.man
-rw-r--r-- 1 root root 730 Nov 25 2020 usr.sbin.mysqld
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/html
/var/www/html/index.html
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/tmp/output.txt
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/lib/phpmyadmin
/var/lib/phpmyadmin/tmp
/var/lib/phpmyadmin/tmp/twig
/var/tmp
/var/www/html/academy
/var/www/html/academy/admin
/var/www/html/academy/admin/assets
/var/www/html/academy/admin/assets/css
/var/www/html/academy/admin/assets/css/bootstrap.css
/var/www/html/academy/admin/assets/css/font-awesome.css
/var/www/html/academy/admin/assets/css/style.css
/var/www/html/academy/admin/assets/fonts
/var/www/html/academy/admin/assets/fonts/FontAwesome.otf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/assets/img
/var/www/html/academy/admin/assets/js
/var/www/html/academy/admin/assets/js/bootstrap.js
/var/www/html/academy/admin/assets/js/jquery-1.11.1.js
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/admin/check_availability.php
/var/www/html/academy/admin/course.php
/var/www/html/academy/admin/department.php
/var/www/html/academy/admin/edit-course.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/includes/config.php
/var/www/html/academy/admin/includes/footer.php
/var/www/html/academy/admin/includes/header.php
/var/www/html/academy/admin/includes/menubar.php
/var/www/html/academy/admin/index.php
/var/www/html/academy/admin/level.php
/var/www/html/academy/admin/logout.php
/var/www/html/academy/admin/manage-students.php
/var/www/html/academy/admin/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets
/var/www/html/academy/assets/css
/var/www/html/academy/assets/css/bootstrap.css
/var/www/html/academy/assets/css/font-awesome.css
/var/www/html/academy/assets/css/style.css
/var/www/html/academy/assets/fonts
/var/www/html/academy/assets/fonts/FontAwesome.otf
/var/www/html/academy/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets/img
/var/www/html/academy/assets/js
/var/www/html/academy/assets/js/bootstrap.js
/var/www/html/academy/assets/js/jquery-1.11.1.js
/var/www/html/academy/change-password.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/db
/var/www/html/academy/db/onlinecourse.sql
/var/www/html/academy/enroll-history.php
/var/www/html/academy/enroll.php
/var/www/html/academy/includes
/var/www/html/academy/includes/config.php
/var/www/html/academy/includes/footer.php
/var/www/html/academy/includes/header.php
/var/www/html/academy/includes/menubar.php
/var/www/html/academy/index.php
/var/www/html/academy/logout.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/pincode-verification.php
/var/www/html/academy/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/studentphoto/reverseShell.php
/var/www/html/academy/studentphoto/reverseShell2.php
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
Group www-data:
/tmp/output.txt
/tmp/linpeas.sh
                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
                            ╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
╔══════════╣ Unexpected in /opt (usually empty)
total 11332
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 18 root root 4096 May 29 2021 ..
-rw-r--r-- 1 root root 1402271 Jun 3 2020 online-course-registration.zip
-rw-r--r-- 1 root root 10190261 Oct 15 2020 phpMyAdmin-4.9.7-all-languages.tar.gz
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img
/initrd.img.old
/vmlinuz.old
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/output.txt
/var/log/auth.log
/var/log/daemon.log
/var/log/syslog
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/www-data (limit 20)
╔══════════╣ Files inside others home (limit 20)
/home/grimmie/.bash_history
/home/grimmie/.bashrc
/home/grimmie/backup.sh
/home/grimmie/.profile
/home/grimmie/.bash_logout
/var/www/html/index.html
/var/www/html/academy/logout.php
/var/www/html/academy/enroll.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/change-password.php
/var/www/html/academy/print.php
/var/www/html/academy/studentphoto/reverseShell.php
/var/www/html/academy/studentphoto/reverseShell2.php
/var/www/html/academy/studentphoto/avatar-1.jpg.png
/var/www/html/academy/studentphoto/noimage.png
/var/www/html/academy/includes/footer.php
/var/www/html/academy/includes/header.php
/var/www/html/academy/includes/config.php
/var/www/html/academy/includes/menubar.php
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 May 30 2021 /var/backups
total 12
-rw-r--r-- 1 root root 11996 May 29 2021 apt.extended_states.0
╔══════════╣ Backup files (limited 100)
-rwxr-xr-- 1 grimmie administrator 112 May 30 2021 /home/grimmie/backup.sh
-rw-r--r-- 1 root root 9716 Nov 28 2020 /usr/lib/modules/4.19.0-13-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9731 Mar 19 2021 /usr/lib/modules/4.19.0-16-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 348 Nov 25 2020 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 12 root root 4.0K May 29 2021 ..
drwxr-xr-x 3 root root 4.0K May 29 2021 html
/var/www/html:
total 24K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 3 root root 4.0K May 29 2021 ..
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 grimmie administrator 220 May 29 2021 /home/grimmie/.bash_logout
-rw-r--r-- 1 root root 946 Oct 15 2020 /usr/share/phpmyadmin/vendor/pragmarx/google2fa/.scrutinizer.yml
-rw-r--r-- 1 root root 799 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.php_cs.dist
-rw-r--r-- 1 root root 224 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.editorconfig
-rw-r--r-- 1 root root 0 Nov 15 2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 0 Mar 21 07:27 /run/network/.ifstate.lock
-rw------- 1 root root 0 May 29 2021 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18 2019 /etc/skel/.bash_logout
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-rw-rw- 1 www-data www-data 120001 Mar 21 2025 /tmp/output.txt
-rwxrwxrwx 1 www-data www-data 840082 Mar 21 07:52 /tmp/linpeas.sh
╔══════════╣ Searching passwords in history files
Binary file /usr/share/phpmyadmin/js/vendor/openlayers/theme/default/img/navigation_history.png matches
╔══════════╣ Searching passwords in config PHP files
/usr/share/phpmyadmin/config.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/config.sample.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['ShowChgPassword'] = true;
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
/var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
#)There are more creds/passwds files in the previous parent folder
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/mysql_clear_password.so
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/simple_password_check.so
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/phpmyadmin/user_password.php
/var/cache/debconf/passwords.dat
/var/lib/pam/password
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/change-password.php
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2021-05-29 17:00:10 install base-passwd:amd64 <none> 3.5.46
2021-05-29 17:00:10 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 configure base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:11 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 upgrade base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:21 install passwd:amd64 <none> 1:4.5-1.1
2021-05-29 17:00:21 status half-installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:21 status unpacked passwd:amd64 1:4.5-1.1
2021-05-29 17:00:24 configure base-passwd:amd64 3.5.46 <none>
2021-05-29 17:00:24 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:25 configure passwd:amd64 1:4.5-1.1 <none>
2021-05-29 17:00:25 status half-configured passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status unpacked passwd:amd64 1:4.5-1.1
Description: Set up users and passwords
                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'