▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Learn Cloud Hacking : https://training.hacktricks.xyz |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
LinPEAS-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting LinPEAS. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: academy
[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h)
Caching directories DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits
Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
╔══════════╣ Sudo version
sudo Not Found
╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Fri Mar 21 09:10:31 EDT 2025
09:10:31 up 1:45, 1 user, load average: 0.13, 0.11, 0.08
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=24d0cea7-c37b-4fd6-838e-d05cfb61a601 / ext4 errors=remount-ro 0 1
UUID=930c51cc-089d-42bd-8e30-f08b86c52dca none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Environment
╚ Any private information inside environment variables?
OLDPWD=/
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:16622
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=4e0f5e3c0d0a4ed8854a1d250ddad0f8
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2019-13272] PTRACE_TRACEME
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (oracle)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
Learn and practice cloud hacking techniques in training.hacktricks.xyz
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM or Az metadata? ............. No
═╣ Azure APP or IDENTITY_ENDPOINT? ...... No
═╣ Azure Automation Account? ............ No
═╣ Aliyun ECS? .......................... No
═╣ Tencent CVM? ......................... No
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes
root 1 0.6 0.1 169420 10068 ? Ss 07:25 0:39 /sbin/init
root 332 0.1 0.1 29652 8728 ? Ss 07:27 0:06 /lib/systemd/systemd-journald
root 343 0.0 0.0 22732 5752 ? Ss 07:27 0:01 /lib/systemd/systemd-udevd
root 450 0.0 0.0 9488 5736 ? Ss 07:27 0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
systemd+ 531 0.0 0.0 93084 6432 ? Ssl 07:28 0:01 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 543 0.0 0.0 8504 2840 ? Ss 07:28 0:00 /usr/sbin/cron -f
root 547 0.0 0.0 225824 4312 ? Ssl 07:28 0:01 /usr/sbin/rsyslogd -n -iNONE
message+ 548 0.0 0.0 9084 4600 ? Ss 07:28 0:01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 552 0.0 0.0 19544 7332 ? Ss 07:28 0:00 /lib/systemd/systemd-logind
root 553 0.0 0.0 6620 2884 ? Ss 07:28 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root 558 0.0 0.0 6924 3476 tty1 Ss 07:28 0:00 /bin/login -p --
root 928 0.0 0.0 7652 4524 tty1 S+ 07:33 0:00 _ -bash
root 938 0.0 0.0 9060 1332 tty1 T 07:33 0:00 _ ping 1.1.1.1
root 977 0.0 0.0 9060 1280 tty1 T 07:38 0:00 _ ping 1.1.1.1
root 574 0.0 0.0 15852 6672 ? Ss 07:28 0:00 /usr/sbin/sshd -D
root 601 0.0 0.3 214896 25928 ? Ss 07:28 0:01 /usr/sbin/apache2 -k start
www-data 790 0.0 0.2 215856 19724 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 791 0.0 0.2 215872 19568 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 1110 0.0 0.0 2388 752 ? S 07:49 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 1114 0.0 0.0 2388 1672 ? S 07:49 0:00 | _ /bin/sh -i
www-data 16363 5.8 0.0 3336 2604 ? S 09:10 0:01 | _ /bin/sh ./linpeas.sh
www-data 19064 0.0 0.0 3336 1036 ? S 09:10 0:00 | _ /bin/sh ./linpeas.sh
www-data 19067 0.0 0.0 7780 2844 ? R 09:10 0:00 | | _ ps fauxwww
www-data 19068 0.0 0.0 3336 1036 ? S 09:10 0:00 | _ /bin/sh ./linpeas.sh
www-data 792 0.0 0.1 215648 13668 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 793 0.0 0.3 219068 24688 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 794 0.0 0.1 215244 13312 ? S 07:28 0:00 _ /usr/sbin/apache2 -k start
www-data 947 0.0 0.2 215844 19872 ? S 07:34 0:00 _ /usr/sbin/apache2 -k start
www-data 1133 0.0 0.1 215204 11740 ? S 07:51 0:00 _ /usr/sbin/apache2 -k start
www-data 1134 0.0 0.1 215204 11740 ? S 07:51 0:00 _ /usr/sbin/apache2 -k start
mysql 742 0.6 1.0 1864276 89448 ? Ssl 07:28 0:39 /usr/sbin/mysqld
root 922 0.0 0.1 21028 8352 ? Ss 07:33 0:00 /lib/systemd/systemd --user
root 923 0.0 0.0 104848 2328 ? S 07:33 0:00 _ (sd-pam)
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 process found (dump creds from memory as root)
sshd Not Found
╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1077 Jun 16 2021 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rw-r--r-- 1 root root 712 Dec 17 2018 php
/etc/cron.daily:
total 40
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 539 Aug 8 2020 apache2
-rwxr-xr-x 1 root root 1478 May 12 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Apr 18 2019 dpkg
-rwxr-xr-x 1 root root 377 Aug 28 2018 logrotate
-rwxr-xr-x 1 root root 1123 Feb 10 2019 man-db
-rwxr-xr-x 1 root root 249 Sep 27 2017 passwd
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rwxr-xr-x 1 root root 813 Feb 10 2019 man-db
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * /home/grimmie/backup.sh
╔══════════╣ System timers
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2025-03-21 09:39:00 EDT 28min left Fri 2025-03-21 09:09:01 EDT 1min 45s ago phpsessionclean.timer phpsessionclean.service
Sat 2025-03-22 00:00:00 EDT 14h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago logrotate.timer logrotate.service
Sat 2025-03-22 00:00:00 EDT 14h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago man-db.timer man-db.service
Sat 2025-03-22 02:07:26 EDT 16h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago apt-daily.timer apt-daily.service
Sat 2025-03-22 06:18:24 EDT 21h left Fri 2025-03-21 07:28:50 EDT 1h 41min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sat 2025-03-22 07:40:53 EDT 22h left Fri 2025-03-21 07:40:53 EDT 1h 29min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/mysql.service could be executing some relative path
/etc/systemd/system/mysqld.service could be executing some relative path
You can't write on systemd PATH
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
/run/dbus/system_bus_socket
└─(Read Write)
/run/mysqld/mysqld.sock
└─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/udev/control
/run/user/0/systemd/private
/var/run/dbus/system_bus_socket
└─(Read Write)
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 531 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.13 552 systemd-logind root :1.13 systemd-logind.service - -
:1.180 21680 busctl www-data :1.180 apache2.service - -
:1.2 1 systemd root :1.2 init.scope - -
:1.28 922 systemd root :1.28 user@0.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 552 systemd-logind root :1.13 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - -
org.freedesktop.resolve1 - - - (activatable) - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - -
org.freedesktop.timesync1 531 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:5d:4c:44 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.6/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 347sec preferred_lft 347sec
inet6 fe80::a00:27ff:fe5d:4c44/64 scope link
valid_lft forever preferred_lft forever
╔══════════╣ Hostname, hosts and DNS
academy
127.0.0.1 localhost
127.0.1.1 academy.tcm.sec academy
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 192.168.33.12
tcm.sec
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
grimmie:x:1000:1000:administrator,,,:/home/grimmie:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(grimmie) gid=1000(administrator) groups=1000(administrator),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(mysql) gid=113(mysql) groups=113(mysql)
uid=107(ftp) gid=114(ftp) groups=114(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
09:10:50 up 1:45, 1 user, load average: 0.51, 0.20, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 07:33 1:32m 0.20s 0.20s -bash
╔══════════╣ Last logons
root tty1 Sat May 29 13:31:08 2021 - down (00:12) 0.0.0.0
reboot system boot Sat May 29 13:30:20 2021 - Sat May 29 13:43:39 2021 (00:13) 0.0.0.0
root pts/0 Sat May 29 13:16:54 2021 - Sat May 29 13:27:56 2021 (00:11) 192.168.10.31
root tty1 Sat May 29 13:16:34 2021 - down (00:11) 0.0.0.0
reboot system boot Sat May 29 13:15:21 2021 - Sat May 29 13:27:58 2021 (00:12) 0.0.0.0
root pts/0 Sat May 29 13:08:39 2021 - Sat May 29 13:14:47 2021 (00:06) 192.168.10.31
administrator tty1 Sat May 29 13:06:40 2021 - down (00:08) 0.0.0.0
reboot system boot Sat May 29 13:05:58 2021 - Sat May 29 13:14:49 2021 (00:08) 0.0.0.0
wtmp begins Sat May 29 13:05:58 2021
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Fri Mar 21 07:33:03 -0400 2025
grimmie pts/1 192.168.10.31 Sun May 30 03:21:39 -0400 2021
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
httpd Not Found
Nginx version: nginx Not Found
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-available/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-available/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-available/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-available/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <IfModule mod_mime.c>
/etc/apache2/conf-enabled/phpmyadmin.conf: AddType application/x-httpd-php .php
--
/etc/apache2/conf-enabled/phpmyadmin.conf- <FilesMatch ".+\.php$">
/etc/apache2/conf-enabled/phpmyadmin.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.3.conf: SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.3.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.3.conf: SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 1332 Aug 8 2020 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 May 29 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 71958 Feb 13 2021 /etc/php/7.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71570 Feb 13 2021 /etc/php/7.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw-r--r-- 1 root root 869 Oct 12 2020 /etc/mysql/mariadb.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
-rw------- 1 root root 277 May 29 2021 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Mar 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jan 31 2020 /etc/pam.d/sshd
account required pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 May 29 2021 /etc/ldap
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 May 29 2021 /usr/share/keyrings
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 675 Mar 1 2019 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 3 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/google/recaptcha/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/phpmyadmin/motranslator/.github
drwxr-xr-x 2 root root 4096 Oct 15 2020 /usr/share/phpmyadmin/vendor/tecnickcom/tcpdf/.github
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5851 May 29 2021 /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
-rw-r--r-- 1 root root 41 Jun 18 2015 /usr/lib/tmpfiles.d/vsftpd.conf
-rw-r--r-- 1 root root 506 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 564 Mar 6 2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
anonymous_enable
local_enable
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 260 Feb 1 2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
anonymous_enable
local_enable=YES
write_enable
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable
-rw-r--r-- 1 root root 69 Feb 13 2021 /etc/php/7.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Feb 13 2021 /usr/share/php7.3-common/common/ftp.ini
╔══════════╣ Analyzing DNS Files (limit 70)
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 856 Mar 1 2019 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3526 Apr 18 2019 /etc/skel/.bashrc
-rw-r--r-- 1 grimmie administrator 3526 May 29 2021 /home/grimmie/.bashrc
-rw-r--r-- 1 root root 807 Apr 18 2019 /etc/skel/.profile
-rw-r--r-- 1 grimmie administrator 807 May 29 2021 /home/grimmie/.profile
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 22 May 29 2021 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
lrwxrwxrwx 1 root root 24 May 29 2021 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 83 May 29 2021 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mariadb.conf.d/50-server.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.3.27-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 8700 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 8700 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8709 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2453 Mar 16 2021 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8132 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Mar 16 2021 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 55625 Mar 16 2021 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 36873 Mar 16 2021 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Mar 16 2021 /usr/share/keyrings/debian-archive-stretch-stable.gpg
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 root root 174 May 29 2021 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 94 May 29 2021 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 394 May 29 2021 /etc/ssh/ssh_host_rsa_key.pub
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/Amazon_Root_CA_1.pem
/etc/ssl/certs/Amazon_Root_CA_2.pem
/etc/ssl/certs/Amazon_Root_CA_3.pem
/etc/ssl/certs/Amazon_Root_CA_4.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/CFCA_EV_ROOT.pem
/etc/ssl/certs/COMODO_Certification_Authority.pem
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
16363PSTORAGE_CERTSBIN
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
╔══════════╣ SGID
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls
files with acls in searched folders Not Found
╔══════════╣ Capabilities
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
╚ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
- /usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
- /usr/local/lib/x86_64-linux-gnu
- /lib/x86_64-linux-gnu
- /usr/lib/x86_64-linux-gnu
/etc/ld.so.preload
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files
total 20
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 74 root root 4096 Mar 20 15:41 ..
-rw-r--r-- 1 root root 664 Mar 1 2019 bash_completion.sh
-rw-r--r-- 1 root root 1107 Sep 14 2018 gawk.csh
-rw-r--r-- 1 root root 757 Sep 14 2018 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 Feb 10 2019 usr.bin.man
-rw-r--r-- 1 root root 730 Nov 25 2020 usr.sbin.mysqld
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/html
/var/www/html/index.html
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/tmp/output.txt
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/lib/phpmyadmin
/var/lib/phpmyadmin/tmp
/var/lib/phpmyadmin/tmp/twig
/var/lib/phpmyadmin/tmp/twig/15
/var/lib/phpmyadmin/tmp/twig/15/15a885ca9738e5a84084a3e52f1f6b23c771ea4f7bdca01081f7b87d3b86a6f9.php
/var/lib/phpmyadmin/tmp/twig/21
/var/lib/phpmyadmin/tmp/twig/21/21a3bee2bc40466295b888b9fec6fb9d77882a7cf061fd3f3d7194b5d54ab837.php
/var/lib/phpmyadmin/tmp/twig/22
/var/lib/phpmyadmin/tmp/twig/22/22f328e86274b51eb9034592ac106d133734cc8f4fba3637fe76b0a4b958f16d.php
/var/lib/phpmyadmin/tmp/twig/28
/var/lib/phpmyadmin/tmp/twig/28/28bcfd31671cb4e1cff7084a80ef5574315cd27a4f33c530bc9ae8da8934caf6.php
/var/lib/phpmyadmin/tmp/twig/2e
/var/lib/phpmyadmin/tmp/twig/2e/2e6ed961bffa8943f6419f806fe7bfc2232df52e39c5880878e7f34aae869dd9.php
/var/lib/phpmyadmin/tmp/twig/31
/var/lib/phpmyadmin/tmp/twig/31/317c8816ee34910f2c19f0c2bd6f261441aea2562acc0463975f80a4f0ed98a9.php
/var/lib/phpmyadmin/tmp/twig/36
/var/lib/phpmyadmin/tmp/twig/36/360a7a01227c90acf0a097d75488841f91dc2939cebca8ee28845b8abccb62ee.php
/var/lib/phpmyadmin/tmp/twig/3b
/var/lib/phpmyadmin/tmp/twig/3b/3bf8a6b93e8c4961d320a65db6c6f551428da6ae8b8e0c87200629b4ddad332d.php
/var/lib/phpmyadmin/tmp/twig/41
/var/lib/phpmyadmin/tmp/twig/41/4161342482a4d1436d31f5619bbdbd176c50e500207e3f364662f5ba8210fe31.php
/var/lib/phpmyadmin/tmp/twig/42
/var/lib/phpmyadmin/tmp/twig/42/426cadcf834dab31a9c871f8a7c8eafa83f4c66a2297cfefa7aae7a7895fa955.php
/var/lib/phpmyadmin/tmp/twig/43
/var/lib/phpmyadmin/tmp/twig/43/43cb8c5a42f17f780372a6d8b976cafccd1f95b8656d9d9638fca2bb2c0c1ee6.php
/var/lib/phpmyadmin/tmp/twig/4c
/var/lib/phpmyadmin/tmp/twig/4c/4c13e8023eae0535704510f289140d5447e25e2dea14eaef5988afa2ae915cb9.php
/var/lib/phpmyadmin/tmp/twig/4e
/var/lib/phpmyadmin/tmp/twig/4e/4e68050e4aec7ca6cfa1665dd465a55a5d643fca6abb104a310e5145d7310851.php
/var/lib/phpmyadmin/tmp/twig/4e/4e8f70ab052f0a5513536d20f156e0649e1791c083804a629624d2cb1e052f1f.php
/var/lib/phpmyadmin/tmp/twig/4f
/var/lib/phpmyadmin/tmp/twig/4f/4f7c1ace051b6b8cb85528aa8aef0052b72277f654cb4f13f2fc063f8529efe4.php
/var/lib/phpmyadmin/tmp/twig/53
/var/lib/phpmyadmin/tmp/twig/53/53ec6cf1deb6f8f805eb3077b06e6ef3b7805e25082d74c09563f91a11c1dfcd.php
/var/lib/phpmyadmin/tmp/twig/5c
/var/lib/phpmyadmin/tmp/twig/5c/5cf13d5a4ba7434d92bc44defee51a93cfbafa0d7984fcb8cbea606d97fe3e1a.php
/var/lib/phpmyadmin/tmp/twig/61
/var/lib/phpmyadmin/tmp/twig/61/61cf92e037fb131bad1ea24485b8e2ab7f0dd05dbe0bcdec85d8a96c80458223.php
/var/lib/phpmyadmin/tmp/twig/6b
/var/lib/phpmyadmin/tmp/twig/6b/6b8deef855b316d17c87795aebdf5aa33b55fae3e6c453d2a5bab7c4085f85d7.php
/var/lib/phpmyadmin/tmp/twig/6c
/var/lib/phpmyadmin/tmp/twig/6c/6c9a7cd11578d393beebc51daa9a48d35c8b03d3a69fd786c55ceedf71a62d29.php
/var/lib/phpmyadmin/tmp/twig/73
/var/lib/phpmyadmin/tmp/twig/73/73a22388ea06dda0a2e91e156573fc4c47961ae6e35817742bb6901eb91d5478.php
/var/lib/phpmyadmin/tmp/twig/73/73ee99e209023ff62597f3f6e5f027a498c1261e4d35d310b0d0a2664f3c2c0d.php
/var/lib/phpmyadmin/tmp/twig/78
/var/lib/phpmyadmin/tmp/twig/78/786fc5d49e751f699117fbb46b2e5920f5cdae9b5b3e7bb04e39d201b9048164.php
/var/lib/phpmyadmin/tmp/twig/7d
/var/lib/phpmyadmin/tmp/twig/7d/7d8087d41c482579730682151ac3393f13b0506f63d25d3b07db85fcba5cdbeb.php
/var/lib/phpmyadmin/tmp/twig/7f
/var/lib/phpmyadmin/tmp/twig/7f/7f2fea86c14cdbd8cd63e93670d9fef0c3d91595972a398d9aa8d5d919c9aa63.php
/var/lib/phpmyadmin/tmp/twig/8a
/var/lib/phpmyadmin/tmp/twig/8a/8a16ca4dbbd4143d994e5b20d8e1e088f482b5a41bf77d34526b36523fc966d7.php
/var/lib/phpmyadmin/tmp/twig/8b
/var/lib/phpmyadmin/tmp/twig/8b/8b3d6e41c7dc114088cc4febcf99864574a28c46ce39fd02d9577bec9ce900de.php
/var/lib/phpmyadmin/tmp/twig/96
/var/lib/phpmyadmin/tmp/twig/96/96885525f00ce10c76c38335c2cf2e232a709122ae75937b4f2eafcdde7be991.php
/var/lib/phpmyadmin/tmp/twig/97
/var/lib/phpmyadmin/tmp/twig/97/9734627c3841f4edcd6c2b6f193947fc0a7a9a69dd1955f703f4f691af6b45e3.php
/var/lib/phpmyadmin/tmp/twig/99
/var/lib/phpmyadmin/tmp/twig/99/9937763182924ca59c5731a9e6a0d96c77ec0ca5ce3241eec146f7bca0a6a0dc.php
/var/lib/phpmyadmin/tmp/twig/9d
/var/lib/phpmyadmin/tmp/twig/9d/9d254bc0e43f46a8844b012d501626d3acdd42c4a2d2da29c2a5f973f04a04e8.php
/var/lib/phpmyadmin/tmp/twig/9d/9d6c5c59ee895a239eeb5956af299ac0e5eb1a69f8db50be742ff0c61b618944.php
/var/lib/phpmyadmin/tmp/twig/9e
/var/lib/phpmyadmin/tmp/twig/9e/9ed23d78fa40b109fca7524500b40ca83ceec9a3ab64d7c38d780c2acf911588.php
/var/lib/phpmyadmin/tmp/twig/a0
/var/lib/phpmyadmin/tmp/twig/a0/a0c00a54b1bb321f799a5f4507a676b317067ae03b1d45bd13363a544ec066b7.php
/var/lib/phpmyadmin/tmp/twig/a4
/var/lib/phpmyadmin/tmp/twig/a4/a49a944225d69636e60c581e17aaceefffebe40aeb5931afd4aaa3da6a0039b9.php
/var/lib/phpmyadmin/tmp/twig/a7
/var/lib/phpmyadmin/tmp/twig/a7/a7e9ef3e1f57ef5a497ace07803123d1b50decbe0fcb448cc66573db89b48e25.php
/var/lib/phpmyadmin/tmp/twig/ae
/var/lib/phpmyadmin/tmp/twig/ae/ae25b735c0398c0c6a34895cf07f858207e235cf453cadf07a003940bfb9cd05.php
/var/lib/phpmyadmin/tmp/twig/af
/var/lib/phpmyadmin/tmp/twig/af/af668e5234a26d3e85e170b10e3d989c2c0c0679b2e5110d593a80b4f58c6443.php
/var/lib/phpmyadmin/tmp/twig/af/af6dd1f6871b54f086eb95e1abc703a0e92824251df6a715be3d3628d2bd3143.php
/var/lib/phpmyadmin/tmp/twig/af/afa81ff97d2424c5a13db6e43971cb716645566bd8d5c987da242dddf3f79817.php
/var/lib/phpmyadmin/tmp/twig/b6
/var/lib/phpmyadmin/tmp/twig/b6/b6c8adb0e14792534ce716cd3bf1d57bc78d45138e62be7d661d75a5f03edcba.php
/var/lib/phpmyadmin/tmp/twig/c3
/var/lib/phpmyadmin/tmp/twig/c3/c34484a1ece80a38a03398208a02a6c9c564d1fe62351a7d7832d163038d96f4.php
/var/lib/phpmyadmin/tmp/twig/c5
/var/lib/phpmyadmin/tmp/twig/c5/c50d1c67b497a887bc492962a09da599ee6c7283a90f7ea08084a548528db689.php
/var/lib/phpmyadmin/tmp/twig/c7
/var/lib/phpmyadmin/tmp/twig/c7/c70df99bff2eea2f20aba19bbb7b8d5de327cecaedb5dc3d383203f7d3d02ad2.php
/var/lib/phpmyadmin/tmp/twig/ca
/var/lib/phpmyadmin/tmp/twig/ca/ca32544b55a5ebda555ff3c0c89508d6e8e139ef05d8387a14389443c8e0fb49.php
/var/lib/phpmyadmin/tmp/twig/d6
/var/lib/phpmyadmin/tmp/twig/d6/d66c84e71db338af3aae5892c3b61f8d85d8bb63e2040876d5bbb84af484fb41.php
/var/lib/phpmyadmin/tmp/twig/dd
/var/lib/phpmyadmin/tmp/twig/dd/dd1476242f68168118c7ae6fc7223306d6024d66a38b3461e11a72d128eee8c1.php
/var/lib/phpmyadmin/tmp/twig/e8
/var/lib/phpmyadmin/tmp/twig/e8/e8184cd61a18c248ecc7e06a3f33b057e814c3c99a4dd56b7a7da715e1bc2af8.php
/var/lib/phpmyadmin/tmp/twig/e9
/var/lib/phpmyadmin/tmp/twig/e9/e93db45b0ff61ef08308b9a87b60a613c0a93fab9ee661c8271381a01e2fa57a.php
/var/lib/phpmyadmin/tmp/twig/f5
/var/lib/phpmyadmin/tmp/twig/f5/f589c1ad0b7292d669068908a26101f0ae7b5db110ba174ebc5492c80bc08508.php
/var/lib/phpmyadmin/tmp/twig/fa
/var/lib/phpmyadmin/tmp/twig/fa/fa249f377795e48c7d92167e29cef2fc31f50401a0bdbc95ddb51c0aec698b9e.php
/var/tmp
/var/www/html/academy
/var/www/html/academy/admin
/var/www/html/academy/admin/assets
/var/www/html/academy/admin/assets/css
/var/www/html/academy/admin/assets/css/bootstrap.css
/var/www/html/academy/admin/assets/css/font-awesome.css
/var/www/html/academy/admin/assets/css/style.css
/var/www/html/academy/admin/assets/fonts
/var/www/html/academy/admin/assets/fonts/FontAwesome.otf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/admin/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/assets/img
/var/www/html/academy/admin/assets/js
/var/www/html/academy/admin/assets/js/bootstrap.js
/var/www/html/academy/admin/assets/js/jquery-1.11.1.js
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/admin/check_availability.php
/var/www/html/academy/admin/course.php
/var/www/html/academy/admin/department.php
/var/www/html/academy/admin/edit-course.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/admin/includes/config.php
/var/www/html/academy/admin/includes/footer.php
/var/www/html/academy/admin/includes/header.php
/var/www/html/academy/admin/includes/menubar.php
/var/www/html/academy/admin/index.php
/var/www/html/academy/admin/level.php
/var/www/html/academy/admin/logout.php
/var/www/html/academy/admin/manage-students.php
/var/www/html/academy/admin/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets
/var/www/html/academy/assets/css
/var/www/html/academy/assets/css/bootstrap.css
/var/www/html/academy/assets/css/font-awesome.css
/var/www/html/academy/assets/css/style.css
/var/www/html/academy/assets/fonts
/var/www/html/academy/assets/fonts/FontAwesome.otf
/var/www/html/academy/assets/fonts/fontawesome-webfont.eot
/var/www/html/academy/assets/fonts/fontawesome-webfont.ttf
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff
/var/www/html/academy/assets/fonts/fontawesome-webfont.woff2
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/assets/img
/var/www/html/academy/assets/js
/var/www/html/academy/assets/js/bootstrap.js
/var/www/html/academy/assets/js/jquery-1.11.1.js
/var/www/html/academy/change-password.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/db
/var/www/html/academy/db/onlinecourse.sql
/var/www/html/academy/enroll-history.php
/var/www/html/academy/enroll.php
/var/www/html/academy/includes
/var/www/html/academy/includes/config.php
/var/www/html/academy/includes/footer.php
/var/www/html/academy/includes/header.php
/var/www/html/academy/includes/menubar.php
/var/www/html/academy/index.php
/var/www/html/academy/logout.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/pincode-verification.php
/var/www/html/academy/print.php
#)You_can_write_even_more_files_inside_last_directory
/var/www/html/academy/studentphoto/reverseShell.php
/var/www/html/academy/studentphoto/reverseShell2.php
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
Group www-data:
/tmp/output.txt
/tmp/linpeas.sh
╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
╔══════════╣ Unexpected in /opt (usually empty)
total 11332
drwxr-xr-x 2 root root 4096 May 29 2021 .
drwxr-xr-x 18 root root 4096 May 29 2021 ..
-rw-r--r-- 1 root root 1402271 Jun 3 2020 online-course-registration.zip
-rw-r--r-- 1 root root 10190261 Oct 15 2020 phpMyAdmin-4.9.7-all-languages.tar.gz
╔══════════╣ Unexpected in root
/vmlinuz
/initrd.img
/initrd.img.old
/vmlinuz.old
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/output.txt
/var/log/auth.log
/var/log/daemon.log
/var/log/syslog
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/www-data (limit 20)
╔══════════╣ Files inside others home (limit 20)
/home/grimmie/.bash_history
/home/grimmie/.bashrc
/home/grimmie/backup.sh
/home/grimmie/.profile
/home/grimmie/.bash_logout
/var/www/html/index.html
/var/www/html/academy/logout.php
/var/www/html/academy/enroll.php
/var/www/html/academy/check_availability.php
/var/www/html/academy/my-profile.php
/var/www/html/academy/change-password.php
/var/www/html/academy/print.php
/var/www/html/academy/studentphoto/reverseShell.php
/var/www/html/academy/studentphoto/reverseShell2.php
/var/www/html/academy/studentphoto/avatar-1.jpg.png
/var/www/html/academy/studentphoto/noimage.png
/var/www/html/academy/includes/footer.php
/var/www/html/academy/includes/header.php
/var/www/html/academy/includes/config.php
/var/www/html/academy/includes/menubar.php
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 May 30 2021 /var/backups
total 12
-rw-r--r-- 1 root root 11996 May 29 2021 apt.extended_states.0
╔══════════╣ Backup files (limited 100)
-rwxr-xr-- 1 grimmie administrator 112 May 30 2021 /home/grimmie/backup.sh
-rw-r--r-- 1 root root 9716 Nov 28 2020 /usr/lib/modules/4.19.0-13-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9731 Mar 19 2021 /usr/lib/modules/4.19.0-16-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 348 Nov 25 2020 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 12 root root 4.0K May 29 2021 ..
drwxr-xr-x 3 root root 4.0K May 29 2021 html
/var/www/html:
total 24K
drwxr-xr-x 3 root root 4.0K May 29 2021 .
drwxr-xr-x 3 root root 4.0K May 29 2021 ..
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 grimmie administrator 220 May 29 2021 /home/grimmie/.bash_logout
-rw-r--r-- 1 root root 946 Oct 15 2020 /usr/share/phpmyadmin/vendor/pragmarx/google2fa/.scrutinizer.yml
-rw-r--r-- 1 root root 799 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.php_cs.dist
-rw-r--r-- 1 root root 224 Oct 15 2020 /usr/share/phpmyadmin/vendor/twig/twig/.editorconfig
-rw-r--r-- 1 root root 0 Nov 15 2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 0 Mar 21 07:27 /run/network/.ifstate.lock
-rw------- 1 root root 0 May 29 2021 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18 2019 /etc/skel/.bash_logout
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-rw-rw- 1 www-data www-data 120001 Mar 21 2025 /tmp/output.txt
-rwxrwxrwx 1 www-data www-data 840082 Mar 21 07:52 /tmp/linpeas.sh
╔══════════╣ Searching passwords in history files
Binary file /usr/share/phpmyadmin/js/vendor/openlayers/theme/default/img/navigation_history.png matches
╔══════════╣ Searching passwords in config PHP files
/usr/share/phpmyadmin/config.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/config.sample.inc.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['Servers'][$i]['AllowNoPassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:$cfg['ShowChgPassword'] = true;
/var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
/var/www/html/academy/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
#)There are more creds/passwds files in the previous parent folder
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/mysql_clear_password.so
/usr/lib/x86_64-linux-gnu/mariadb19/plugin/simple_password_check.so
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/phpmyadmin/user_password.php
/var/cache/debconf/passwords.dat
/var/lib/pam/password
/var/www/html/academy/admin/change-password.php
/var/www/html/academy/change-password.php
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2021-05-29 17:00:10 install base-passwd:amd64 <none> 3.5.46
2021-05-29 17:00:10 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 configure base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:11 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:11 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status half-installed base-passwd:amd64 3.5.46
2021-05-29 17:00:18 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:18 upgrade base-passwd:amd64 3.5.46 3.5.46
2021-05-29 17:00:21 install passwd:amd64 <none> 1:4.5-1.1
2021-05-29 17:00:21 status half-installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:21 status unpacked passwd:amd64 1:4.5-1.1
2021-05-29 17:00:24 configure base-passwd:amd64 3.5.46 <none>
2021-05-29 17:00:24 status half-configured base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status installed base-passwd:amd64 3.5.46
2021-05-29 17:00:24 status unpacked base-passwd:amd64 3.5.46
2021-05-29 17:00:25 configure passwd:amd64 1:4.5-1.1 <none>
2021-05-29 17:00:25 status half-configured passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status installed passwd:amd64 1:4.5-1.1
2021-05-29 17:00:25 status unpacked passwd:amd64 1:4.5-1.1
Description: Set up users and passwords
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'