linpeas v3.2.5 by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
  : 95% a PE vector
  : You should take a look to it
  LightCyan: Users with console
  : Users without console & mounted devs
  : Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
  LightMagenta: Your username

Starting linpeas. Caching Writable Folders...

════════════════════════════════════╣ Basic information ╠════════════════════════════════════
OS: Linux version 5.10.0-kali8-amd64 (devel@kali.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.40-1kali1 (2021-05-31)
User & Groups: uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24,25(floppy),27,29(audio),30(dip),44,46,109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)
Hostname: kali
Writable folder: /dev/shm
[+] /usr/bin/fping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
[+] nmap is available for network discover & port scanning, you should use it yourself

Caching directories DONE
The total section execution took 11 seconds

════════════════════════════════════╣ System Information ╠════════════════════════════════════

╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 5.10.0-kali8-amd64 (devel@kali.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP
Debian 5.10.40-1kali1 (2021-05-31)
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2021.2
Codename: kali-rolling
This check took 0 seconds

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.9.5p2
This check took 0 seconds

╔══════════╣ USBCreator
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation
This check took 0 seconds

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
This check took 0 seconds

╔══════════╣ Date
Sat 26 Jun 2021 06:28:02 PM EDT
This check took 0 seconds

╔══════════╣ System stats
Filesystem      Size  Used Avail Use% Mounted on
udev            7.8G     0  7.8G   0% /dev
tmpfs           1.6G  1.1M  1.6G   1% /run
/dev/sda1        20G  9.2G  9.4G  50% /
tmpfs           7.9G     0  7.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           1.6G   72K  1.6G   1% /run/user/1000
              total        used        free      shared  buff/cache   available
Mem:       16361652      769796    12944512        8772     2647344    15245124
Swap:             0           0           0
This check took 0 seconds

╔══════════╣ CPU info
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 45 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 165
Model name: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz
Stepping: 5
CPU MHz: 3696.002
BogoMIPS: 7392.00
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 128 KiB
L1i cache: 128 KiB
L2 cache: 1 MiB
L3 cache: 20 MiB
NUMA node0 CPU(s): 0-3
Vulnerability Itlb multihit: KVM: Mitigation: VMX unsupported
Vulnerability L1tf: Not affected
Vulnerability Mds: Not affected
Vulnerability Meltdown: Not affected
Vulnerability
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Enhanced IBRS, IBPB conditional, RSB filling
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Not affected
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat pku ospke md_clear flush_l1d arch_capabilities
This check took 0 seconds

╔══════════╣ Environment
╚ Any private information inside environment variables?
LESS_TERMCAP_se=
HISTFILESIZE=0
POWERSHELL_TELEMETRY_OPTOUT=1
LANGUAGE=
USER=kali
LESS_TERMCAP_ue=
XDG_SEAT=seat0
SSH_AGENT_PID=988
XDG_SESSION_TYPE=x11
SHLVL=1
HOME=/home/kali
OLD=/home/kali
DESKTOP_SESSION=lightdm-xsession
GTK_MODULES=gail:atk-bridge
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
LESS_TERMCAP_so=
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
COLORTERM=truecolor
COMMAND_NOT_FOUND_INSTALL_PROMPT=1
QT_QPA_PLATFORMTHEME=qt5ct
LOGNAME=kali
QT_AUTO_SCREEN_SCALE_FACTOR=0
WINDOWID=0
LESS_TERMCAP_us=
_=/home/kali/./linpeas.sh
COLORFGBG=15;0
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
SESSION_MANAGER=local/kali:@/tmp/.ICE-unix/940,unix/kali:/tmp/.ICE-unix/940
_JAVA_OPTIONS=-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
XDG_MENU_PREFIX=xfce-
XDG_RUNTIME_DIR=/run/user/1000
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
DISPLAY=:0.0
LANG=en_US.UTF-8
XDG_CURRENT_DESKTOP=XFCE
HISTSIZE=0
XAUTHORITY=/home/kali/.Xauthority
XDG_SESSION_DESKTOP=lightdm-xsession
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_AUTH_SOCK=/tmp/ssh-zJebGJtQlfwp/agent.940
XDG_GREETER_DATA_DIR=/var/lib/lightdm/data/kali
SHELL=/usr/bin/zsh
GDMSESSION=lightdm-xsession
QT_ACCESSIBILITY=1
LESS_TERMCAP_mb=
XDG_VTNR=7
LESS_TERMCAP_md=
=/home/kali
LESS_TERMCAP_me=
XDG_CONFIG_DIRS=/etc/xdg
XDG_DATA_DIRS=/usr/share/xfce4:/usr/local/share/:/usr/share/:/usr/share
HISTFILE=/dev/null
This check took 0 seconds

╔══════════╣ Searching Signature verification failed in dmseg
╚
https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
Not Found
This check took 0 seconds

╔══════════╣ Linux Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... lpstat Not Found
═╣ Is this a virtual machine? ..... Yes (vmware)
This check took 0 seconds
The total section execution took 0 seconds

════════════════════════════════════╣ Containers ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ Container related tools present
This check took 0 seconds

╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
This check took 0 seconds
The total section execution took 0 seconds

════════════════════════════════════╣ Devices ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
This check took 0 seconds

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/ ext4 errors=remount-ro 0 1
/dev/sr0 /media0 udf,iso9660,noauto 0 0
This check took 0 seconds
The total section execution took 0 seconds

════════════════════════════════════╣ Available Software ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ Useful software
This check took 0 seconds

╔══════════╣ Installed Compiler
ii clang 1:11.0-51+nmu5 amd64 C, C++ and Objective-C compiler (LLVM based), clang binary
ii clang-11 1:11.0.1-2 amd64 C, C++ and Objective-C compiler
ii clang-9 1:9.0.1-16 amd64 C, C++ and Objective-C compiler
ii g++ 4:10.2.1-1 amd64 GNU C++ compiler
ii g++-10 10.2.1-6 amd64 GNU C++ compiler
ii gcc 4:10.2.1-1 amd64 GNU C compiler
ii gcc-10 10.2.1-6 amd64 GNU C compiler
ii llvm-11 1:11.0.1-2 amd64 Modular compiler and toolchain technologies
ii llvm-11-runtime 1:11.0.1-2 amd64 Modular compiler and toolchain technologies, IR interpreter
ii llvm-11-tools 1:11.0.1-2 amd64 Modular compiler and toolchain technologies, tools
ii llvm-9 1:9.0.1-16 amd64 Modular compiler and toolchain technologies
ii llvm-9-runtime 1:9.0.1-16 amd64 Modular compiler and toolchain technologies, IR interpreter
ii llvm-9-tools 1:9.0.1-16 amd64 Modular compiler and toolchain technologies, tools
ii python3-llvmlite 0.35.0-3 amd64 LLVM Python 3 binding for writing JIT compilers
ii python3-numba 0.52.0-4 amd64 native machine code compiler for Python 3
/usr/bin/gcc
This check took 0 seconds
The total section execution took 0 seconds

════════════════════════════════════╣ Processes, Cron, Services, Timers & Sockets ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
1 0.0 0.0 166936 11464 ? Ss 15:30 0:02 /sbin/init splash
419 0.0 0.2 76120 33816 ? Ss 15:30 0:02 /lib/temd/systemd-journald
435 0.0 0.0 224344 264 ?
Ssl 15:30 0:00 vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid
443 0.0 0.0 23220 6416 ? Ss 15:30 0:00 /lib/temd/systemd-d
505 0.0 0.0 8120 6792 ? Ss 15:30 0:00 /usr/sbin/haveged --Foreground --verbose=1
508 0.0 0.0 236496 7384 ? Ssl 15:30 0:05 /usr/bin
509 0.0 0.0 6684 2900 ? Ss 15:30 0:00 /usr/sbin/ -f
510 0.0 0.0 9020 5212 ? Ss 15:30 0:01 /usr/bin/dbus- --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
511 0.0 0.1 254608 16764 ? Ssl 15:30 0:01 /usr/sbin/NetworkManager --no-
514 0.0 0.0 235324 9360 ? Ssl 15:30 0:03 /usr/libexec/polkitd --no-debug
515 0.0 0.0 220740 7892 ? Ssl 15:30 0:00 /usr/sbin/rlogd -n -iNONE
516 0.0 0.0 13976 7432 ? Ss 15:30 0:00 /lib/temd/systemd-logind
548 0.0 0.0 314712 10656 ? Ssl 15:30 0:00 /usr/sbin/ModemManager
609 0.0 0.0 308224 7376 ? SLsl 15:30 0:00 /usr/sbin/
650 0.1 1.0 1274148 177344 tty7 Ssl+ 15:30 0:17 _ /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run//root/:0 -nolisten tcp vt7 -novtswitch
903 0.0 0.0 163628 8672 ? Sl 15:30 0:00 _ --session-child 15 22
kali 940 0.0 0.1 268752 23120 ? Ssl 15:30 0:00 _ xfce4-session
kali 988 0.0 0.0 5964 468 ? Ss 15:30 0:00 _ /usr/bin/ssh-agent x-session-ager
kali 1026 0.0 0.3 264292 57732 ? Sl 15:30 0:04 _ xfwm4
kali 1042 0.0 0.1 229204 25728 ? Sl 15:30 0:00 _ xfsettingsd
kali 1058 0.0 0.3 334800 58148 ? Sl 15:30 0:01 _ xfce4-panel
kali 1074 0.0 0.2 318132 43948 ? Sl 15:30 0:00 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 16777223 whiskermenu Whisker Menu Show a menu to easily access installed applications
kali 1137 0.0 0.1 342208 25536 ?
Sl 15:30 0:00 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libtray.so 16 16777225 systray Status Tray Plugin Provides status notifier items (application indicators) and legacy systray items
kali 1138 0.0 0.2 509424 39500 ? Sl 15:30 0:05 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libaudio-plugin.so 17 16777226 pulseaudio PulseAudio Plugin Adjust the audio volume of the PulseAudio sound system
kali 1142 0.0 0.2 241512 35576 ? Sl 15:30 0:00 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 18 16777227 notification-plugin Notification Plugin Notification plugin for the Xfce panel
kali 1155 0.0 0.2 241716 36796 ? Sl 15:30 0:00 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powerager.so 19 16777228 power-manager-plugin Power Manager Plugin Display the battery levels of your devices and control the brightness of your display
kali 1159 0.0 0.2 241576 35480 ? Sl 15:30 0:00 | _ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 21 16777229 actions Action Buttons Log out, lock or other tem actions
kali 1062 0.0 0.1 343240 25268 ? Sl 15:30 0:00 _ Thunar --
kali 1071 0.0 0.4 352248 74676 ? Sl 15:30 0:01 _ xfdesktop
kali 1077 0.0 0.0 855308 9032 ? Sl 15:30 0:00 _ xiccd
kali 1078 0.0 0.0 234028 4752 ? Sl 15:30 0:00 _ /usr/libexec/-2.0/demos/agent
kali 1089 0.0 0.1 189480 16692 ? Sl 15:30 0:00 _ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
kali 1094 0.0 0.1 268316 23364 ? Sl 15:30 0:00 _ light-locker
kali 1100 0.0 0.2 439348 48732 ?
Sl 15:30 0:00 _ /usr/bin/python3 /usr/bin/blue-applet
kali 1102 0.0 0.1 264284 17404 ? Sl 15:30 0:00 _ /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
kali 1109 0.0 0.1 190488 17604 ? Sl 15:30 0:00 _ xfce4-power-ager
kali 1118 0.0 0.2 474556 42876 ? Sl 15:30 0:00 _ nm-applet
651 0.0 0.0 5784 1720 tty1 Ss+ 15:30 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
847 0.0 0.0 153692 3068 ? SNsl 15:30 0:00 /usr/libexec/-daemon
└─(Caps) 0x0000000000800004=,cap_sys_nice
kali 909 0.0 0.0 15348 9144 ? Ss 15:30 0:00 /lib/temd/systemd --user
kali 910 0.0 0.0 101252 2732 ? S 15:30 0:00 _ (sd-pam)
kali 929 0.0 0.0 95328 7656 ? S dash
-rwxr-xr-x 1 root 1739200 Apr 12 14:21 /lib/temd/systemd
-rwxr-xr-x 1 root 153832 Apr 12 14:21 /lib/temd/systemd-journald
-rwxr-xr-x 1 root 264552 Apr 12 14:21 /lib/temd/systemd-logind
lrwxrwxrwx 1 root 12 Apr 12 14:21 /lib/temd/systemd-udevd -> /bin/udevadm
-rwxr-xr-x 1 root 64936 Feb 7 09:38 /sbin/agetty
lrwxrwxrwx 1 root 20 Apr 12 14:21 /sbin/init -> /lib/temd/systemd
-rwxr-xr-x 1 root 244928 Feb 21 09:02 /usr/bin/dbus-
-rwxr-xr-x 1 root 579216 Apr 22 14:40 /usr/bin/dirmngr
-rwxr-xr-x 1 root 410440 Apr 22 14:40 /usr/bin/gpg-agent
-rwxr-xr-x 1 root 30952 Feb 13 05:49 /usr/bin/pipewire
-rwxr-xr-x 1 root 608488 Feb 13 05:49 /usr/bin/pipewire-media-session
-rwxr-xr-x 1 root 96584 Feb 26 17:51 /usr/bin/audio
lrwxrwxrwx 1 root 9 Apr 5 08:00 /usr/bin/python3 -> python3.9
-rwxr-xr-x 1 root 403600 Dec 16 2020 /usr/bin/qterminal
-rwxr-sr-x 1 ssh 354440 Mar 13 04:59 /usr/bin/ssh-agent
-rwxr-xr-x 1 root 65360 Feb 25 11:49 /usr/bin/vmtoolsd
-rwxr-xr-x 1 root 882080 Jun 2 19:34 /usr/bin/zsh
-rwxr-xr-x 1 root 95912 Apr 22 07:10 /usr/libexec/at-spi2-registryd
-rwxr-xr-x 1 root 26856 Apr 22 07:10 /usr/libexec/at-spi-bus-launcher
-rwxr-xr-x 1 root 553848 Apr 25 22:28 /usr/libexec/bluetooth/obexd
-rwxr-xr-x 1 root 366952 Nov 11 2020 /usr/libexec/
-rwxr-xr-x 1 root 88136 Feb 4 08:48 /usr/libexec/dconf-service
-rwxr-xr-x 1 root 47448 Mar 17 10:53 /usr/libexec/-2.0/demos/agent
-rwxr-xr-x 1 root 108776 Jan 16 03:50 /usr/libexec/gvfs-afc-volume-monitor
-rwxr-xr-x 1 root 34968 Jan 16 03:50 /usr/libexec/gvfsd
-rwxr-xr-x 1 root 43352 Jan 16 03:50 /usr/libexec/gvfsd-fuse
-rwxr-xr-x 1 root 84200 Jan 16 03:50 /usr/libexec/gvfsd-metadata
-rwxr-xr-x 1 root 55448 Jan 16 03:50 /usr/libexec/gvfsd-trash
-rwxr-xr-x 1 root 112872 Jan 16 03:50 /usr/libexec/gvfs-goa-volume-monitor
-rwxr-xr-x 1 root 112872 Jan 16 03:50 /usr/libexec/gvfs-gphoto2-volume-monitor
-rwxr-xr-x 1 root 112872 Jan 16 03:50 /usr/libexec/gvfs-mtp-volume-monitor
-rwxr-xr-x 1 root 195400 Jan 16 03:50 /usr/libexec/gvfs-udisks2-volume-monitor
-rwxr-xr-x 1 root 115440 Apr 7 22:47 /usr/libexec/polkitd
-rwxr-xr-x 1 root 68088 Apr 25 2020 /usr/libexec/-daemon
-rwxr-xr-x 1 root 486216 Apr 26 15:12 /usr/libexec/udisks2/udisksd
-rwxr-xr-x 1 root 251976 May 16 2020 /usr/libexec/upowerd
-rwxr-xr-x 1 root 44688 Apr 30 2018 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
-rwxr-xr-x 1 root 104680 Dec 11 2020 /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
-rwxr-xr-x 1 root 34984 Feb 27 11:29 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
-rwxr-xr-x 1 root 108776 Dec 23 2020 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
-rwxr-xr-x 1 root 2452328 Apr 13 12:07 /usr/lib/xorg/Xorg
-rwxr-xr-x 1 root 55792 Feb 22 17:43 /usr/sbin/cron
-rwxr-xr-x 1 root 31464 Jan 13 18:56 /usr/sbin/haveged
-rwxr-xr-x 1 root 280656 Feb 3 2020 /usr/sbin/
-rwxr-xr-x 1 root 1628512 Mar 12 13:09 /usr/sbin/ModemManager
-rwxr-xr-x 1 root 3337088 Apr 12 15:15 /usr/sbin/NetworkManager
-rwxr-xr-x 1 root 723280 Feb 17 13:04 /usr/sbin/rlogd
This check took 0 seconds

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE
NAME
This check took 0 seconds

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
process found (dump creds from memory as root)
vsftpd Not Found
apache2 Not Found
sshd Not Found
This check took 0 seconds

╔══════════╣ Different processes executed during 1 min (interesting is low number of repetitions)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs
This check took 73 seconds

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 22 17:43 /etc/crontab

/etc/cron.d:
total 36
drwxr-xr-x 2 root root 4096 Jun 26 15:27 .
drwxr-xr-x 157 root root 12288 Jun 26 17:00 ..
-rw-r--r-- 1 root root 201 Feb 28 21:24
-rw-r--r-- 1 root root 607 Sep 13 2019
-rw-r--r-- 1 root root 712 May 11 2020
-rw-r--r-- 1 root root 102 Feb 22 17:43
-rw-r--r-- 1 root root 396 Feb 2 17:46

/etc/cron.daily:
total 60
drwxr-xr-x 2 root root 4096 Jun 26 15:32 .
drwxr-xr-x 157 root root 12288 Jun 26 17:00 ..
-rwxr-xr-x 1 root root 539 Aug 8 2020
-rwxr-xr-x 1 root root 1478 Apr 13 11:53
-rwxr-xr-x 1 root root 157 Dec 13 2017
-rwxr-xr-x 1 root root 1298 May 18 10:02
-rwxr-xr-x 1 root root 377 Feb 28 11:37
-rwxr-xr-x 1 root root 1123 Feb 19 05:14
-rwxr-xr-x 1 root root 628 Dec 2 2020
-rwxr-xr-x 1 root root 1403 Sep 23 2020
-rw-r--r-- 1 root root 102 Feb 22 17:43
-rwxr-xr-x 1 root root 383 May 6 15:01
-rwxr-xr-x 1 root root 518 Feb 2 17:46

/etc/cron.hourly:
total 20
drwxr-xr-x 2 root root 4096 Jun 26 15:22 .
drwxr-xr-x 157 root root 12288 Jun 26 17:00 ..
-rw-r--r-- 1 root root 102 Feb 22 17:43

/etc/cron.monthly:
total 24
drwxr-xr-x 2 root root 4096 Jun 26 15:27 .
drwxr-xr-x 157 root root 12288 Jun 26 17:00 ..
-rw-r--r-- 1 root root 102 Feb 22 17:43
-rwxr-xr-x 1 root root 144 Jun 5 2013

/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Jun 26 15:27 .
drwxr-xr-x 157 root root 12288 Jun 26 17:00 ..
-rwxr-xr-x 1 root root 813 Feb 19 05:14
-rw-r--r-- 1 root root 102 Feb 22 17:43

SHELL=/bin/sh
PATH=/usr/local/s/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
This check took 0 seconds

╔══════════╣ Services
╚ Search for outdated versions
[ - ] apache-htcacheclean
[ - ] apache2
[ - ] apparmor
[ - ] atftpd
[ - ] avahi-daemon
[ + ] binfmt-support
[ - ] bluetooth
[ - ] console-setup.sh
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ - ] dns2tcp
[ + ] haveged
[ - ] hwclock.sh
[ - ] inetsim
[ + ] inetutils-inetd
[ - ] iodined
[ - ] ipsec
[ - ] keyboard-setup.sh
[ + ] kmod
[ + ] lightdm
[ - ] mariadb
[ - ] miredo
[ + ] networking
[ - ] nfs-common
[ - ] nginx
[ - ] nmbd
[ - ] ntp
[ + ] open-vm-tools
[ - ] openvpn
[ - ] plymouth
[ + ] plymouth-log
[ - ] postgresql
[ + ] procps
[ - ] ptunnel
[ - ] pulseaudio-enable-autospawn
[ - ] redsocks
[ - ] rpcbind
[ - ] rsync
[ + ] rsyslog
[ - ] rwhod
[ - ] samba-ad-dc
[ - ] saned
[ - ] screen-cleanup
[ - ] smartmontools
[ - ] smbd
[ - ] snmpd
[ - ] speech-dispatcher
[ - ] ssh
[ - ] sslh
[ - ] stunnel4
[ - ] sudo
[ - ] sysstat
[ + ] udev
[ - ] x11-common
[ - ] xl2tpd
This check took 0 seconds

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
This check took 0 seconds

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#services
This check took 1 seconds

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sat 2021-06-26 18:39:00 EDT 9min left Sat 2021-06-26 18:09:11 EDT 20min ago phpsessionclean.service
Sat 2021-06-26 21:10:01 EDT 2h 40min left Sat 2021-06-26 15:30:19 EDT 2h
58min ago apt-daily.service
Sun 2021-06-27 00:00:00 EDT 5h 30min left n/a n/a logrotate.service
Sun 2021-06-27 00:00:00 EDT 5h 30min left n/a n/a man-db.service
Sun 2021-06-27 00:00:00 EDT 5h 30min left n/a n/a mlocate.service
Sun 2021-06-27 03:10:19 EDT 8h left n/a n/a e2scrub_all.service
Sun 2021-06-27 06:12:50 EDT 11h left Sat 2021-06-26 15:30:19 EDT 2h 58min ago apt-daily-upgrade.service
Sun 2021-06-27 15:45:20 EDT 21h left Sat 2021-06-26 15:45:20 EDT 2h 43min ago systemd-tmpfiles-clean.service
Mon 2021-06-28 00:46:55 EDT 1 day 6h left n/a n/a fstrim.service
This check took 0 seconds

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers
This check took 0 seconds

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
This check took 0 seconds

╔══════════╣ HTTP sockets
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets
This check took 6 seconds

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/tem.d/-dbus.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/-dbus.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/net.hadess.SensorProxy.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/-service.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/org.freedesktop.GeoClue2.Agent.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/org.freedesktop.GeoClue2.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/-tem.conf ( )
Possible weak user policy found on /etc/dbus-1/tem.d/wpa_supplicant.conf ( )
This check took 0 seconds

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
1 systemd root :1.0 init.scope - -
514 polkitd root
:1.1 polkit.service - -
847 rtkit-daemon root :1.14 rtkit-daemon.service - -
516 systemd-logind root :1.2 systemd-logind.service - -
903 lightdm root :1.22 session-2.scope 2 -
511 NetworkManager root :1.3 NetworkManager.service - -
909 systemd kali :1.31 user@1000.service - -
930 pulseaudio kali :1.38 user@1000.service - -
940 xfce4-session kali :1.39 session-2.scope 2 -
548 ModemManager root :1.4 ModemManager.service - -
1042 xfsettingsd kali :1.40 session-2.scope 2 -
1045 upowerd root :1.41 upower.service - -
1078 agent kali :1.42 session-2.scope 2 -
1077 xiccd kali :1.43 session-2.scope 2 -
1088 colord colord :1.44 colord.service - -
1089 polkit-gnome-au kali :1.45 session-2.scope 2 -
1094 light-locker kali :1.46 session-2.scope 2 -
1109 xfce4-power-man kali :1.47 session-2.scope 2 -
1118 nm-applet kali :1.48 session-2.scope 2 -
1155 panel-19-power- kali :1.50 session-2.scope 2 -
1100 blueman-applet kali :1.51 session-2.scope 2 -
1200 obexd kali :1.54 user@1000.service - -
1208 gvfs-udisks2-vo kali :1.56 user@1000.service - -
1211 udisksd root :1.57 udisks2.service - -
609 lightdm root :1.6 lightdm.service - -
650 Xorg root :1.8 lightdm.service - -
170639 busctl kali :1.843 session-2.scope 2 -
- - - (activatable) - - -
- - - (activatable) - - -
- - - (activatable) - - -
- - - (activatable) - - -
1088 colord colord :1.44 colord.service - -
1 systemd root - init.scope - -
609 lightdm root :1.6 lightdm.service - -
- - - (activatable) - - -
548 ModemManager root :1.4 ModemManager.service - -
511 NetworkManager root :1.3 NetworkManager.service - -
514 polkitd root :1.1 polkit.service - -
847 rtkit-daemon root :1.14 rtkit-daemon.service - -
1211 udisksd root :1.57 udisks2.service - -
1045 upowerd root :1.41 upower.service - -
- - - (activatable) - - -
- - - (activatable) - - -
516 systemd-logind root :1.2 systemd-logind.service - -
- - - (activatable) - - -
- - - (activatable) - - -
- - - (activatable) - - -
1 systemd root :1.0 init.scope - -
- - - (activatable) - - -
This check took 0 seconds
The total section execution took 81 seconds

════════════════════════════════════╣ Network Information ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ Hostname, hosts and DNS
kali
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
search bananaisu.local
nameserver 1.1.1.1
nameserver 8.8.8.8
This check took 0 seconds

╔══════════╣ Content of /etc/inetd.conf & /etc/xinetd.conf
This check took 0 seconds

╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
eth0: flags=4163 mtu 1500
        inet 10.10.10.234 netmask 255.255.255.0 broadcast 10.10.10.255
        inet6 fe80::20c:29ff:fe7e:b19e prefixlen 64 scopeid 0x20
        ether 00:0c:29:7e:b1:9e txqueuelen 1000 (Ethernet)
        RX packets 452306 bytes 257689826 (245.7 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 294355 bytes 19330808 (18.4 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 84 bytes 8284 (8.0 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 84 bytes 8284 (8.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This check took 0 seconds

╔══════════╣ Networks and neighbours
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.10.1      0.0.0.0         UG    100    0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     100    0        0 eth0
Address         HWtype  HWaddress           Flags Mask  Iface
10.10.10.1      ether   08:55:31:b8:b6:28   C           eth0
10.10.10.100    ether   2c:f0:5d:63:11:c9   C           eth0
10.10.10.246    ether   00:0c:29:4c:82:c7   C           eth0
This check took 0 seconds

╔══════════╣ Iptables rules
iptables rules Not Found
This check took 0 seconds

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
This check took 0 seconds

╔══════════╣ Can I sniff with tcpdump?
No
This check took 0 seconds

╔══════════╣ Internet Access?
Port 443 is accessible
Port 80 is accessible
Ping is available
DNS available
This check took 0 seconds
The total section execution took 0 seconds

════════════════════════════════════╣ Users Information ╠════════════════════════════════════
This check took 0 seconds

╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24,25(floppy),27,29(audio),30(dip),44,46,109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)
This check took 0 seconds

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
This check took 0 seconds

╔══════════╣ Clipboard or highlighted text?
xsel and xclip Not Found
This check took 0 seconds

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
This check took 3 seconds

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
/proc/sys/kernel/yama/ptrace_scope is enabled () wasn't found in PATH
This check took 0 seconds

╔══════════╣ Checking doas.conf
/etc/doas.conf Not Found
This check took 0 seconds

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:
This check took 0 seconds

╔══════════╣ Superusers
:x:0:0:root:/root:/usr/bin/zsh
This check took 0 seconds

╔══════════╣ Users with console
banana:x:1001:1001:,,,:/home/banana:/bin/bash
kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh
postgres:x:119:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
:x:0:0:root:/root:/usr/bin/zsh
This check took 0 seconds

╔══════════╣ All users & groups
uid=0
gid=0 groups=0,20(dialout),120(wireshark),142(kaboxer)
uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24,25(floppy),27,29(audio),30(dip),44,46,109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)
uid=1001(banana) gid=1001(banana) groups=1001(banana)
uid=100() gid=65534 groups=65534
uid=101() gid=101() groups=101()
uid=102() gid=103() groups=103()
uid=103() gid=104() groups=104()
uid=104() gid=110() groups=110()
uid=105() gid=111() groups=111()
uid=106() gid=65534 groups=65534
uid=107() gid=112() groups=112()
uid=108() gid=113() groups=113()
uid=109() gid=114() groups=114()
uid=10() gid=10() groups=10()
uid=110() gid=65534 groups=65534
uid=111() gid=65534 groups=65534
uid=112() gid=65534 groups=65534
uid=113() gid=65534 groups=65534
uid=114() gid=46 groups=46
uid=115() gid=121() groups=121()
uid=116() gid=122() groups=122()
uid=117() gid=65534 groups=65534
uid=118() gid=65534 groups=65534
uid=119(postgres) gid=124(postgres) groups=124(postgres),119(ssl-cert)
uid=120() gid=126() groups=126()
uid=121() gid=127() groups=127()
uid=122() gid=128() groups=128()
uid=123() gid=29(audio) groups=29(audio)
uid=124() gid=129() groups=129()
uid=125() gid=130() groups=130()
uid=126() gid=131() groups=131()
uid=127() gid=132() groups=132(),29(audio)
uid=128() gid=135() groups=135(),134(scanner)
uid=129() gid=137() groups=137()
uid=130() gid=138() groups=138()
uid=131() gid=139() groups=139()
uid=132() gid=140() groups=140()
uid=133() gid=141(kpadmins) groups=141(kpadmins)
uid=13() gid=13() groups=13()
uid=1() gid=1() groups=1()
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33() gid=33() groups=33()
uid=34() gid=34() groups=34()
uid=38() gid=38() groups=38()
uid=39() gid=39() groups=39()
uid=3() gid=3() groups=3()
uid=41() gid=41() groups=41()
uid=4() gid=65534 groups=65534
uid=5() gid=60() groups=60()
uid=65534() gid=65534 groups=65534
uid=6() gid=12()
groups=12() uid=7() gid=7() groups=7() uid=8() gid=8() groups=8() uid=999() gid=999() groups=999() uid=9() gid=9() groups=9() This check took 0 seconds ╔══════════╣ Login now 18:29:26 up 2:59, 1 user, load average: 0.60, 0.15, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [1;96m[1;95mkali[0m[0m tty7 :0 15:30 2:59m 17.99s 0.34s xfce4-session This check took 0 seconds ╔══════════╣ Last logons [1;96m[1;95mkali[0m[0m pts/7 Sat Jun 26 17:26:13 2021 - Sat Jun 26 17:26:33 2021 (00:00) 10.10.10.100 [1;96m[1;95mkali[0m[0m pts/6 Sat Jun 26 17:23:53 2021 - Sat Jun 26 17:26:13 2021 (00:02) 10.10.10.100 [1;96m[1;95mkali[0m[0m pts/6 Sat Jun 26 17:23:03 2021 - Sat Jun 26 17:23:43 2021 (00:00) 10.10.10.100 [1;96mbanana[0m pts/5 Sat Jun 26 17:02:07 2021 - Sat Jun 26 17:02:27 2021 (00:00) 10.10.10.100 [1;96mbanana[0m pts/5 Sat Jun 26 17:02:05 2021 - Sat Jun 26 17:02:05 2021 (00:00) 10.10.10.100 [1;96mbanana[0m pts/5 Sat Jun 26 17:01:16 2021 - Sat Jun 26 17:01:17 2021 (00:00) 10.10.10.100 [1;96m[1;95mkali[0m[0m tty7 Sat Jun 26 15:30:26 2021 still logged in 0.0.0.0 reboot tem boot Sat Jun 26 15:30:19 2021 still running 0.0.0.0 wtmp begins Sat Jun 26 15:30:19 2021 This check took 0 seconds ╔══════════╣ Last time logon each user Username Port From Latest [1;96m[1;95mkali[0m[0m pts/10 10.10.10.100 Sat Jun 26 17:40:40 -0400 2021 [1;96mbanana[0m pts/5 10.10.10.100 Sat Jun 26 17:02:07 -0400 2021 This check took 0 seconds ╔══════════╣ Password policy PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 ENCRYPT_METHOD SHA512 This check took 0 seconds ╔══════════╣ Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds Bruteforcing user root... Bruteforcing user postgres... Bruteforcing user kali... Bruteforcing user banana... This check took 71 seconds ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! 
This check took 0 seconds The total section execution took 74 seconds ════════════════════════════════════╣ Software Information ╠════════════════════════════════════ This check took 0 seconds ╔══════════╣ MySQL version mysql Ver 15.1 Distrib 10.5.10-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper ═╣ MySQL connection using default root/root ........... No ═╣ MySQL connection using root/toor ................... No ═╣ MySQL connection using root/NOPASS ................. No This check took 0 seconds ╔══════════╣ Searching mysql credentials and exec From '/etc//mariadb.conf.d/50-server.cnf' Mysql user: user = mysql Found readable /etc/mysql/my.cnf [client-server] socket = /run/mysqld/mysqld.sock !includedir /etc/mysql/conf.d/ !includedir /etc/mysql/mariadb.conf.d/ This check took 0 seconds ╔══════════╣ Analizing PostgreSQL Files (limit 70) Version: psql (PostgreSQL) 13.2 (Debian 13.2-1) pgadmin*.db Not Found -rw-r----- 1 postgres postgres 4933 Jun 26 15:28 /etc/postgresql/13/main/ -rw-r--r-- 1 postgres postgres 28291 Jun 26 15:28 /etc/postgresql/13/main/ ssl = on ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' max_wal_size = 1GB min_wal_size = 80MB log_timezone = 'US/Eastern' stats_temp_directory = '/var/run/postgresql/13-main.pg_stat_tmp' datestyle = 'iso, mdy' timezone = 'US/Eastern' default_text_search_config = 'pg_catalog.english' -rw-r--r-- 1 root root 172 Nov 15 2019 /usr/lib/tmpfiles.d/ d /run/postgresql 2775 postgres postgres - - d /var/log/postgresql 1775 root postgres - - pgsql.conf Not Found ═╣ PostgreSQL connection to template0 using postgres/NOPASS ........ No ═╣ PostgreSQL connection to template1 using postgres/NOPASS ........ No ═╣ PostgreSQL connection to template0 using pgsql/NOPASS ........... No ═╣ PostgreSQL connection to template1 using pgsql/NOPASS ........... 
No This check took 0 seconds ╔══════════╣ Analizing Mongo Files (limit 70) Version: mongo Not Found mongod Not Found mongod*.conf Not Found This check took 0 seconds ╔══════════╣ Analizing Apache Files (limit 70) Version: Server version: Apache/2.4.46 (Debian) Server built: 2021-06-10T11:40:11 httpd Not Found ══╣ PHP exec extensions /etc/apache2/mods-enabled/php7.4.conf- /etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-enabled/php7.4.conf- /etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php-source -- /etc/apache2/mods-available/php7.4.conf- /etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php -- /etc/apache2/mods-available/php7.4.conf- /etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source drwxr-xr-x 2 root root 4096 Jun 26 15:28 /etc/apache2/ # The directive sets the request scheme, hostname and port that # redirection URLs. In the context of virtual hosts, the # www.example.com drwxr-xr-x 2 root root 4096 Jun 26 15:27 /etc/nginx/ -rw-r--r-- 1 root root 0 Jun 26 15:28 /var/lib/apache2/site/enabled_by_admin/ This check took 0 seconds ╔══════════╣ Analizing Tomcat Files (limit 70) tomcat-users.xml Not Found This check took 0 seconds ╔══════════╣ Analizing FastCGI Files (limit 70) -rw-r--r-- 1 root root 1055 May 29 10:21 /etc/nginx/ This check took 0 seconds ╔══════════╣ Analizing Http conf Files (limit 70) httpd.conf Not Found This check took 0 seconds ╔══════════╣ Analizing Htpasswd Files (limit 70) .htpasswd Not Found This check took 0 seconds ╔══════════╣ Analizing PHPCookies Files (limit 70) /var/lib/php/sessions Not Found sess_* Not Found This check took 0 seconds ╔══════════╣ Analizing Wordpress Files (limit 70) wp-config.php Not Found This check took 0 seconds ╔══════════╣ Analizing Drupal Files (limit 70) settings.php Not Found This check took 0 seconds ╔══════════╣ Analizing Moodle Files (limit 70) config.php Not Found This check took 0 
seconds ╔══════════╣ Analizing Supervisord Files (limit 70) supervisord.conf Not Found This check took 0 seconds ╔══════════╣ Analizing Cesi Files (limit 70) cesi.conf Not Found This check took 0 seconds ╔══════════╣ Analizing Rsync Files (limit 70) -rw-r--r-- 1 root root 1044 Feb 2 18:08 /usr/share/doc/rsync/examples/ [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz rsyncd.secrets Not Found This check took 0 seconds ╔══════════╣ Analizing Hostapd Files (limit 70) hostapd.conf Not Found This check took 0 seconds ╔══════════╣ Searching wifi conns file /etc/NetworkManager/system-connections/Wired connection 1 This check took 0 seconds ╔══════════╣ Analizing Anaconda-ks Files (limit 70) anaconda-ks.cfg Not Found This check took 0 seconds ╔══════════╣ Analizing VNC Files (limit 70) .vnc Not Found -rw-r--r-- 1 root root 1493 Mar 27 20:31 /etc/tight -rw-r--r-- 1 root root 4622 Mar 27 20:31 /usr/share/doc/tight -rw-r--r-- 1 root root 25 Mar 27 20:31 /var/lib/dpkg/info/tight -rw-r--r-- 1 root root 32 Mar 27 20:31 /var/lib/dpkg/info/xtight *vnc*.ini Not Found -rw-r--r-- 1 root root 371 Jun 2 13:59 /usr/share/legion/wordlists/ -rw-r--r-- 1 root root 9 Jun 16 16:16 /usr/share/metasploit-framework/data/wordlists/ *vnc*.xml Not Found This check took 0 seconds ╔══════════╣ Analizing Ldap Files (limit 70) The password hash is from the {SSHA} to 'structural' drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/cme/protocols/ drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/impacket/ drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/pypykatz/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 
/usr/share/doc/metasploit-framework/modules/auxiliary/admin/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/modules/auxiliary/admin/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/modules/exploits/windows/ drwxr-xr-x 3 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/net-ldap-0.17.0/lib/net/ This check took 0 seconds ╔══════════╣ Analizing Open VPN Files (limit 70) *.ovpn Not Found This check took 0 seconds ╔══════════╣ Searching ssl/ssh files This check took 0 seconds ╔══════════╣ Analizing SSH FILES Files (limit 70) id_dsa* Not Found id_rsa* Not Found known_hosts Not Found authorized_hosts Not Found authorized_keys Not Found ChallengeResponseAuthentication no UsePAM yes ══╣ Some certificates were found (out limited): /var/lib/inetsim/certs/default_cert.pem 162475PSTORAGE_CERTSBIN ══╣ Some SSH Agent files were found: /tmp/ssh-zJebGJtQlfwp/agent.940 ══╣ Some home ssh config file was found Include /etc/ssh/sshd_config.d/*.conf ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server ══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Include /etc/ssh/ssh_config.d/*.conf * SendEnv LANG LC_* HashKnowns yes GSSAPIAuthentication yes This check took 0 seconds ╔══════════╣ Searching unexpected auth lines in /etc/pam.d/sshd No This check took 0 seconds ╔══════════╣ NFS exports? 
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe /etc/exports Not Found This check took 0 seconds ╔══════════╣ Searching kerberos conf files and tickets ╚ https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt -rw-r--r-- 1 root root 185 Jul 9 2020 /usr/share/samba/setup/krb5.conf tickets kerberos Not Found klist Not Found This check took 0 seconds ╔══════════╣ Analizing Knockd Files (limit 70) *knockd* Not Found This check took 0 seconds ╔══════════╣ Analizing Kibana Files (limit 70) kibana.y*ml Not Found This check took 0 seconds ╔══════════╣ Analizing Elasticsearch Files (limit 70) The version is elasticsearch.y*ml Not Found This check took 0 seconds ╔══════════╣ Searching logstash files Not Found This check took 0 seconds ╔══════════╣ Searching Vault-ssh files vault-ssh-helper.hcl Not Found This check took 0 seconds ╔══════════╣ Searching AD cached hashes cached hashes Not Found This check took 0 seconds ╔══════════╣ Searching screen sessions ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions This check took 0 seconds ╔══════════╣ Searching tmux sessions ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions tmux Not Found This check took 0 seconds ╔══════════╣ Analizing CouchDB Files (limit 70) drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/doc/metasploit-framework/modules/auxiliary/scanner/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/modules/auxiliary/scanner/ This check took 0 seconds ╔══════════╣ Analizing Redis Files (limit 70) redis.conf Not Found This check took 0 seconds ╔══════════╣ Searching dovecot files dovecot credentials Not Found This check took 0 seconds ╔══════════╣ Analizing Mosquitto Files (limit 70) mosquitto.conf Not Found This check took 0 seconds ╔══════════╣ Analizing Neo4j Files (limit 70) drwxr-xr-x 6 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/ This 
check took 0 seconds ╔══════════╣ Analizing Cloud credentials Files (limit 70) drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/doc/metasploit-framework/modules/post/windows/gather/ drwxr-xr-x 5 root root 4096 Jun 26 15:25 /usr/share/faraday/server/www/scripts/ drwxr-xr-x 2 root root 12288 Jun 26 15:32 /usr/share/metasploit-framework/modules/post/windows/gather/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/railties-5.2.6/lib/rails/commands/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/railties-5.2.6/lib/rails/generators/rails/ drwxr-xr-x 2 root root 4096 Jun 26 15:26 /usr/share/powershell-empire/data/module_source/ drwxr-xr-x 4 root root 4096 Jun 26 15:27 /usr/share/powershell-empire/lib/modules/powershell/ drwxr-xr-x 2 root root 4096 Mar 29 05:02 /var/lib/powershell-empire/data/obfuscated_module_source/ credentials.db Not Found legacy_credentials.db Not Found access_tokens.db Not Found access_tokens.json Not Found accessTokens.json Not Found azureProfile.json Not Found TokenCache.dat Not Found AzureRMContext.json Not Found .bluemix Not Found This check took 0 seconds ╔══════════╣ Analizing Cloud-Init Files (limit 70) cloud.cfg Not Found This check took 0 seconds ╔══════════╣ Analizing CloudFlare Files (limit 70) .cloudflared Not Found This check took 0 seconds ╔══════════╣ Analizing Erlang Files (limit 70) .erlang.cookie Not Found This check took 0 seconds ╔══════════╣ Analizing GMV Auth Files (limit 70) gvm-tools.conf Not Found This check took 0 seconds ╔══════════╣ Analizing IPSec Files (limit 70) -rw------- 1 root root 175 Nov 11 2020 /etc/ -rw-r--r-- 1 root root 608 Nov 11 2020 /etc/ # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. 
# Sample VPN connections #conn sample-self-signed # leftsubnet=10.1.0.0/16 # leftcert=selfCert.der # leftsendcert=never # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightcert=peerCert.der # auto=start #conn sample-with-ca-cert # leftsubnet=10.1.0.0/16 # leftcert=myCert.pem # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightid="C=CH, O=Linux strongSwan CN=peer name" # auto=start This check took 0 seconds ╔══════════╣ Analizing IRSSI Files (limit 70) .irssi Not Found This check took 0 seconds ╔══════════╣ Analizing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Jun 26 15:22 /usr/share/ -rw-r--r-- 1 root root 262 May 14 2019 /usr/share/doc/john/README -rw-r--r-- 1 root root 344 May 14 2019 /usr/share/doc/john/README *.jks Not Found This check took 0 seconds ╔══════════╣ Analizing Filezilla Files (limit 70) filelliza Not Found filezilla.xml Not Found This check took 0 seconds ╔══════════╣ Analizing Backup Manager Files (limit 70) storage.php Not Found database.php Not Found This check took 0 seconds ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: passwd file: passwd file: passwd file: This check took 0 seconds ╔══════════╣ Searching GitLab related files This check took 0 seconds ╔══════════╣ Analizing Github Files (limit 70) drwxr-xr-x 3 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/docile-1.4.0/ drwxr-xr-x 3 root root 4096 Jun 26 15:24 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_data_models-4.1.4/ drwxr-xr-x 3 root root 4096 Jun 26 15:24 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit-model-3.1.4/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/mini_mime-1.1.0/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/nio4r-2.5.7/ drwxr-xr-x 3 root root 4096 Jun 26 15:32 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/public_suffix-4.0.6/ drwxr-xr-x 4 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-exploitation-0.1.27/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.29/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-sslscan-0.1.6/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-text-0.2.34/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ruby_smb-2.0.10/ drwxr-xr-x 2 root root 4096 Jun 26 15:32 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/swagger-blocks-3.0.0/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/warden-1.2.9/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/xmlrpc-0.3.2/ drwxr-xr-x 2 root root 4096 Jun 26 15:26 /usr/share/powershell-empire/data/profiles/ .gitconfig Not Found .git-credentials Not Found -rw-r--r-- 1 root root 41 Jan 28 03:34 /usr/share/powershell-empire/data/profiles/ This check took 0 seconds ╔══════════╣ Analizing Svn Files (limit 70) .svn Not Found This check took 0 seconds ╔══════════╣ Analizing PGP-GPG Files (limit 70) /usr/bin/gpg netpgpkeys Not Found netpgp Not Found *.pgp Not Found -rw-r--r-- 1 root root 8700 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic -rw-r--r-- 1 root root 8709 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic -rw-r--r-- 1 root root 2453 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable -rw-r--r-- 1 root root 8132 Feb 25 12:38 
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic -rw-r--r-- 1 root root 8141 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic -rw-r--r-- 1 root root 2332 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-buster-stable -rw-r--r-- 1 root root 7443 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic -rw-r--r-- 1 root root 7452 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic -rw-r--r-- 1 root root 2263 Feb 25 12:38 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable lrwxrwxrwx 1 root root 44 Jun 26 15:22 /etc/apt/trusted.gpg.d/kali-archive-keyring.gpg -> /usr/share/keyrings/kali-archive-keyring -rw------- 1 kali kali 1200 Jun 26 15:58 /home/kali/.gnupg/trustdb -rw-r--r-- 1 root root 444 May 14 2019 /usr/share/doc/john/README Cracking PGP Desktop / OpenPGP / GnuPG private (secret) keys with john ====================================================================== 1. Run gpg2john on PGP private key files (supports .skr files too!) E.g. $ ../run/gpg2john openwall.sec.asc > hashes E.g. $ ../run/gpg2john openwall.skr > hashes Ensure that the input file to gpg2john contains a single private key. 2. Run john on the output of gpg2john. E.g. 
$ ../run/john hashes -rw-r--r-- 1 root root 2899 Apr 22 14:40 /usr/share/gnupg/distsigkey -rw-r--r-- 1 root root 8700 Feb 25 12:38 /usr/share/keyrings/debian-archive-bullseye-automatic -rw-r--r-- 1 root root 8709 Feb 25 12:38 /usr/share/keyrings/debian-archive-bullseye-security-automatic -rw-r--r-- 1 root root 2453 Feb 25 12:38 /usr/share/keyrings/debian-archive-bullseye-stable -rw-r--r-- 1 root root 8132 Feb 25 12:38 /usr/share/keyrings/debian-archive-buster-automatic -rw-r--r-- 1 root root 8141 Feb 25 12:38 /usr/share/keyrings/debian-archive-buster-security-automatic -rw-r--r-- 1 root root 2332 Feb 25 12:38 /usr/share/keyrings/debian-archive-buster-stable -rw-r--r-- 1 root root 55625 Feb 25 12:38 /usr/share/keyrings/debian-archive-keyring -rw-r--r-- 1 root root 36873 Feb 25 12:38 /usr/share/keyrings/debian-archive-removed-keys -rw-r--r-- 1 root root 7443 Feb 25 12:38 /usr/share/keyrings/debian-archive-stretch-automatic -rw-r--r-- 1 root root 7452 Feb 25 12:38 /usr/share/keyrings/debian-archive-stretch-security-automatic -rw-r--r-- 1 root root 2263 Feb 25 12:38 /usr/share/keyrings/debian-archive-stretch-stable -rw-r--r-- 1 root root 4025 Jan 17 2020 /usr/share/keyrings/kali-archive-keyring drwx------ 4 kali kali 4096 Jun 26 18:30 /home/kali/ This check took 0 seconds ╔══════════╣ Analizing Cache Vi Files (limit 70) *.swp Not Found *.viminfo Not Found This check took 0 seconds ╔══════════╣ Checking if containerd(ctr) is available ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation This check took 0 seconds ╔══════════╣ Checking if runc is available ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation This check took 0 seconds ╔══════════╣ Searching docker files (limit 70) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket -rw-r--r-- 1 root root 496 Apr 9 2020 /usr/share/king-phisher/tools/mac_client/Dockerfile -rw-r--r-- 1 root root 1561 Jun 16 16:16 
/usr/share/metasploit-framework/tools/payloads/ysoserial/Dockerfile -rw-r--r-- 1 root root 342 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/puma-5.3.2/tools/Dockerfile This check took 0 seconds ╔══════════╣ Analizing Firefox Files (limit 70) .mozilla Not Found This check took 0 seconds ╔══════════╣ Analizing Chrome Files (limit 70) google-chrome Not Found This check took 0 seconds ╔══════════╣ Analizing Autologin Files (limit 70) autologin Not Found autologin.conf Not Found This check took 0 seconds ╔══════════╣ S/Key authentication This check took 0 seconds ╔══════════╣ YubiKey authentication This check took 0 seconds ╔══════════╣ Passwords inside pam.d This check took 0 seconds ╔══════════╣ Analizing SNMP Files (limit 70) -rw------- 1 root root 3029 Sep 24 2020 /etc/snmp/ This check took 0 seconds ╔══════════╣ Analizing Pypirc Files (limit 70) .pypirc Not Found This check took 0 seconds ╔══════════╣ Analizing Ldaprc Files (limit 70) .ldaprc Not Found This check took 0 seconds ╔══════════╣ Analizing Env Files (limit 70) .env Not Found This check took 0 seconds ╔══════════╣ Analizing Msmtprc Files (limit 70) .msmtprc Not Found This check took 0 seconds ╔══════════╣ Analizing Keepass Files (limit 70) *.kdbx Not Found KeePass.config* Not Found KeePass.ini Not Found KeePass.enforced* Not Found This check took 0 seconds ╔══════════╣ Analizing FTP Files (limit 70) *.ftpconfig Not Found ffftp.ini Not Found -rw-r--r-- 1 root root 69 Feb 20 04:45 /etc/php/7.4/mods-available/ -rw-r--r-- 1 root root 69 Feb 20 04:45 /usr/share/php7.4-common/common/ ftp.config Not Found ws_ftp.ini Not Found This check took 0 seconds ╔══════════╣ Analizing Bind Files (limit 70) -rw-r--r-- 1 root root 826 Aug 12 2020 /usr/share/bash-completion/completions/ This check took 0 seconds ╔══════════╣ Analizing SeedDMS Files (limit 70) seeddms* Not Found This check took 0 seconds ╔══════════╣ Analizing Ddclient Files (limit 70) ddclient.conf Not Found This check took 0 
seconds ╔══════════╣ Analizing Interesting logs Files (limit 70) -rw-r--r-- 1 root root 62366 Mar 1 13:19 /usr/lib/python3/dist-packages/cherrypy/test/ -rw-r----- 1 www-data adm 0 Jun 26 15:27 /var/log/nginx/ -rw-r--r-- 1 root root 3699 Mar 1 13:19 /usr/lib/python3/dist-packages/cherrypy/test/ -rw-r----- 1 www-data adm 0 Jun 26 15:27 /var/log/nginx/ This check took 0 seconds ╔══════════╣ Analizing Windows Files Files (limit 70) unattend.inf Not Found *.rdg Not Found AppEvent.Evt Not Found ConsoleHost_history.txt Not Found FreeSSHDservice.ini Not Found NetSetup.log Not Found Ntds.dit Not Found RDCMan.settings Not Found SAM Not Found SYSTEM Not Found SecEvent.Evt Not Found appcmd.exe Not Found bash.exe Not Found datasources.xml Not Found default.sav Not Found drives.xml Not Found groups.xml Not Found https-xampp.conf Not Found https.conf Not Found iis6.log Not Found index.dat Not Found lrwxrwxrwx 1 root root 22 Jun 26 15:24 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf lrwxrwxrwx 1 root root 24 Jun 26 15:24 /etc/mysql/my.cnf -> /etc/alternatives/ -rw-r--r-- 1 root root 83 Jun 26 15:24 /var/lib/dpkg/alternatives/ my.ini Not Found ntuser.dat Not Found pagefile.sys Not Found -rw-r--r-- 1 root root 73002 Feb 20 04:45 /etc/php/7.4/apache2/ -rw-r--r-- 1 root root 72600 Feb 20 04:45 /etc/php/7.4/cli/ printers.xml Not Found recentservers.xml Not Found scclient.exe Not Found scheduledtasks.xml Not Found drwxr-xr-x 3 root root 4096 Jun 26 15:29 /etc/java-11-openjdk/ drwxr-xr-x 4 root root 4096 Jun 26 15:28 /etc/ drwxr-xr-x 3 root root 4096 Jun 26 15:24 /usr/lib/jvm/java-11-openjdk-amd64/conf/ drwxr-xr-x 2 root root 4096 Jun 26 15:24 /usr/lib/jvm/java-11-openjdk-amd64/lib/ drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/django/core/checks/ drwxr-xr-x 3 root root 4096 Jun 26 15:25 /usr/lib/python3/dist-packages/flask_security/templates/ drwxr-xr-x 2 root root 4096 Jun 26 15:25 
/usr/lib/python3/dist-packages/jedi/third_party/django-stubs/django-stubs/core/checks/ drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/pypykatz/registry/ drwxr-xr-x 2 root root 4096 Jun 26 15:24 /usr/lib/ruby/2.7.0/rubygems/ drwxr-xr-x 2 root root 4096 Jun 26 15:24 /usr/lib/ruby/vendor_ruby/rubygems/ drwxr-xr-x 2 root root 4096 Jun 26 15:26 /usr/lib/x86_64-linux-gnu/ -rw-r--r-- 1 root root 0 Jun 26 15:28 /var/lib/apache2/conf/enabled_by_maint/ security.sav Not Found -rw-r--r-- 1 root root 30631 Jun 8 08:05 /usr/share/sqlmap/data/xml/banner/ services.xml Not Found setupinfo Not Found setupinfo.bak Not Found sitemanager.xml Not Found sites.ini Not Found drwxr-xr-x 3 root root 4096 Jun 26 15:28 /usr/lib/python3/dist-packages/pypykatz/registry/ software.sav Not Found sysprep.inf Not Found sysprep.xml Not Found system.sav Not Found unattend.txt Not Found unattend.xml Not Found unattended.xml Not Found wcx_ftp.ini Not Found web*.config Not Found winscp.ini Not Found wsl.exe Not Found This check took 0 seconds ╔══════════╣ Analizing Other Interesting Files Files (limit 70) -rw-r--r-- 1 root root 5349 Jun 26 15:27 /etc/skel/ -rw-r--r-- 1 banana banana 5349 Jun 26 16:58 /home/banana/ -rw-r--r-- 1 kali kali 5349 Jun 26 15:29 /home/kali/ -rw-r--r-- 1 root root 5349 May 4 04:45 /usr/share/kali-defaults/etc/skel/ .google_authenticator Not Found hosts.equiv Not Found .lesshst Not Found .plan Not Found -rw-r--r-- 1 root root 807 Feb 24 15:53 /etc/skel/ -rw-r--r-- 1 banana banana 807 Jun 26 16:58 /home/banana/ -rw-r--r-- 1 kali kali 807 Jun 26 15:29 /home/kali/ .recently-used.xbel Not Found .rhosts Not Found .sudo_as_admin_successful Not Found This check took 0 seconds The total section execution took 0 seconds ════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════ This check took 0 seconds ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ 
https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid strace Not Found -rwsr-xr-x 1 root root 63K Feb 7 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 44K Feb 7 2020 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 87K Feb 7 2020 /usr/bin -rwsr-xr-x 1 root root 52K Feb 7 2020 /usr/bin -rwsr-xr-x 1 root root 58K Feb 7 2020 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-- 1 root dip 395K Jan 6 19:10 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007) -rwsr-xr-x 1 root root 35K Feb 7 09:38 /usr/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 71K Feb 7 09:38 /usr/bin -rwsr-xr-x 1 root root 55K Feb 7 09:38 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-- 1 root messagebus 51K Feb 21 09:02 /usr/lib/dbus-1.0 -rwsr-xr-x 1 root root 155K Feb 23 16:23 /usr/bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017) -rwsr-xr-x 1 root root 15K Feb 25 11:49 /usr/bin -rwsr-xr-x 1 root root 179K Feb 27 03:28 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 113K Mar 9 11:17 /usr/sbin -rwsr-xr-x 1 root root 471K Mar 13 04:59 /usr/lib/openssh -rwsr-xr-x 1 root root 19K Apr 7 22:47 /usr/libexec -rwsr-xr-x 1 root root 23K Apr 7 22:47 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-sr-x 1 root root 15K Apr 13 12:07 /usr/lib/xorg -rwsr-xr-x 1 root root 35K Apr 21 08:34 /usr/bin -rwsr-xr-x 1 root root 43K May 6 15:24 /usr/sbin -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 143K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 143K Jun
2 02:26 -rwsr-xr-- 1 root kismet 139K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 211K Jun 2 02:26 /usr/bin -rwsr-xr-- 1 root kismet 155K Jun 2 02:26 /usr/bin This check took 10 seconds ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root shadow 31K Feb 7 2020 /usr/bin -rwxr-sr-x 1 root shadow 79K Feb 7 2020 /usr/bin -rwxr-sr-x 1 root mlocate 43K Dec 2 2020 /usr/bin -rwxr-sr-x 1 root utmp 14K Dec 5 2020 /usr/lib/x86_64-linux-gnu/utempter -rwxr-sr-x 1 root mail 23K Feb 4 10:18 /usr/bin -rwxr-sr-x 1 root tty 23K Feb 7 09:38 --- It looks like /usr/bin/write.ul is executing /dev/ and you can impersonate it (strings line: /dev/) --- It looks like /usr/bin/write.ul is executing /usr/share/locale and you can impersonate it (strings line: /usr/share/locale) -rwxr-sr-x 1 root tty 35K Feb 7 09:38 /usr/bin -rwxr-sr-x 1 root crontab 43K Feb 22 17:43 /usr/bin -rwxr-sr-x 1 root ssh 347K Mar 13 04:59 /usr/bin -rwxr-sr-x 1 root shadow 38K Mar 15 15:01 /usr/sbin -rwsr-sr-x 1 root root 15K Apr 13 12:07 /usr/lib/xorg This check took 2 seconds ╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf /etc/ld.so.conf.d/libc.conf /etc/ld.so.conf.d/oracle.conf /etc/ld.so.conf.d/x86_64-linux-gnu.conf /etc/ld.so.conf.d/zz_i386-biarch-compat.conf This check took 0 seconds ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapBnd: 000001ffffffffff Shell capabilities: 0x0000000000000000= CapBnd: 000001ffffffffff Files with capabilities (limited to 50): /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip /usr/bin/fping cap_net_raw /usr/bin/gnome-keyring-daemon cap_ipc_lock 
/usr/bin/ping cap_net_raw This check took 1 seconds ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities /etc/security/capability.conf Not Found This check took 0 seconds ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls files with acls in searched folders Not Found This check took 1 seconds ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/bin /usr/bin This check took 0 seconds ╔══════════╣ Unexpected in root This check took 0 seconds ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 40 drwxr-xr-x 2 root root 4096 Jun 26 15:27 . drwxr-xr-x 157 root root 12288 Jun 26 17:00 .. -rw-r--r-- 1 root root 726 Aug 12 2020 -rw-r--r-- 1 root root 1107 Feb 10 03:42 -rw-r--r-- 1 root root 757 Feb 10 03:42 -rw-r--r-- 1 root root 391 May 4 04:45 -rw-r--r-- 1 root root 1384 Feb 17 16:05 -rw-r--r-- 1 root root 966 Feb 17 16:05 This check took 0 seconds ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. 
No This check took 0 seconds ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /root/ This check took 0 seconds ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) //fs/cgroup/user.slice/user-1000.slice/user@1000.service This check took 0 seconds ╔══════════╣ Readable files belonging to root and readable by me but not world readable -rw-r----- 1 root dip 656 Jun 26 15:27 -rw-r----- 1 root dip 1093 Jun 26 15:27 This check took 1 seconds ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /var/log/messages /var/log/journal/3260e15452d14d48bb882b5e46f1a81e/system.journal /var/log/journal/3260e15452d14d48bb882b5e46f1a81e/user-1000.journal /var/log/syslog /var/log/auth.log /var/log/user.log /var/log/daemon.log /.xsession-errors This check took 1 seconds ╔══════════╣ Writable log files (logrotten) (limit 100) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation logrotate 3.18.0 Default mail command: /usr/bin/mail Default compress command: /bin/gzip Default uncompress command: /bin/gunzip Default compress extension: .gz Default state file path: /var/lib/logrotate/status ACL support: yes SELinux support: yes This check took 0 seconds ╔══════════╣ Files inside /home/kali (limit 20) total 888 drwxr-xr-x 14 kali kali 4096 Jun 26 18:29 . drwxr-xr-x 4 root root 4096 Jun 26 16:58 .. 
-rw-r--r-- 1 kali kali 220 Jun 26 15:29 .bash_logout -rw-r--r-- 1 kali kali 5349 Jun 26 15:29 .bashrc -rw-r--r-- 1 kali kali 3526 Jun 26 15:29 .bashrc.original drwxr-xr-x 7 kali kali 4096 Jun 26 18:25 .cache drwx------ 9 kali kali 4096 Jun 26 15:55 .config drwxr-xr-x 2 kali kali 4096 Jun 26 15:30 Desktop -rw-r--r-- 1 kali kali 55 Jun 26 18:25 .dmrc drwxr-xr-x 2 kali kali 4096 Jun 26 15:30 Documents drwxr-xr-x 2 kali kali 4096 Jun 26 15:30 Downloads -rw-r--r-- 1 kali kali 11759 Jun 26 15:29 .face lrwxrwxrwx 1 kali kali 5 Jun 26 15:29 .face.icon -> .face drwx------ 4 kali kali 4096 Jun 26 18:30 .gnupg -rw------- 1 kali kali 0 Jun 26 15:30 .ICEauthority -rw-r--r-- 1 kali kali 191186 Jun 26 16:02 linpeas.out -rwxr-xr-x 1 kali kali 462476 Jun 26 15:57 linpeas.sh -rw-r--r-- 1 kali kali 117720 Jun 26 18:30 linpeas.txt drwxr-xr-x 3 kali kali 4096 Jun 26 15:30 .local drwxr-xr-x 2 kali kali 4096 Jun 26 15:30 Music drwxr-xr-x 2 kali kali 4096 Jun 26 15:30 Pictures -rw-r--r-- 1 kali kali 807 Jun 26 15:29 .profile This check took 0 seconds ╔══════════╣ Files inside others home (limit 20) /home/banana/.profile /home/banana/.bashrc.original /home/banana/.face /home/banana/.bash_history /home/banana/.bash_logout /home/banana/.zshrc /home/banana/.bashrc This check took 0 seconds ╔══════════╣ Searching installed mail applications This check took 0 seconds ╔══════════╣ Mails (limit 50) This check took 0 seconds ╔══════════╣ Backup folders This check took 0 seconds ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 22106 Jun 26 16:58 /var/log/Xorg.1.log -rw-r--r-- 1 root root 1663 Nov 19 2020 /usr/share/man/man8/tdb.tdbtools.8.gz -rw-r--r-- 1 root root 351 May 24 00:04 /usr/share/man/man1/wsrep_sst_maria.1.gz -rwxr-xr-x 1 root root 640 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/nessus_rest-0.1.6/examples/-reports.rb -rw-r--r-- 1 root root 3196 Jun 18 02:53 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/nexpose-7.3.0/lib/nexpose/scheduled_.rb -rw-r--r-- 1 root root 320 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/sqlite3-1.4.2/ext/sqlite3/.h -rw-r--r-- 1 root root 25888 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/sqlite3-1.4.2/ext/sqlite3/.o -rw-r--r-- 1 root root 4474 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/sqlite3-1.4.2/ext/sqlite3/.c -rw-r--r-- 1 root root 1054 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/sqlite3-1.4.2/test/test_.rb -rw-r--r-- 1 root root 4035 Jun 16 16:16 /usr/share/metasploit-framework/lib/rex/parser/apple__manifestdb.rb -rw-r--r-- 1 root root 7214 Jun 16 16:16 /usr/share/metasploit-framework/modules/post/multi/gather/ubiquiti_unifi_.rb -rw-r--r-- 1 root root 7649 Jun 16 16:16 /usr/share/metasploit-framework/modules/post/multi/gather/apple_ios_.rb -rw-r--r-- 1 root root 13266 Jun 16 16:16 /usr/share/metasploit-framework/modules/exploits/windows/misc/ahsay__fileupload.rb -rw-r--r-- 1 root root 4599 Jun 16 16:16 /usr/share/metasploit-framework/modules/exploits/windows/browser/samsung_neti_wiewer_toavi_bof.rb -rw-r--r-- 1 root root 4086 Jun 16 16:16 /usr/share/metasploit-framework/modules/exploits/windows/browser/symantec_exec_pvcalendar.rb -rw-r--r-- 1 root root 2066 Jun 16 16:16 /usr/share/metasploit-framework/modules/exploits/multi/misc/veritas_net_cmdexec.rb -rw-r--r-- 1 root root 6652 Jun 16 16:16 /usr/share/metasploit-framework/modules/exploits/multi/http/wp_db__rce.rb -rw-r--r-- 1 root root 2527 Jun 16 16:16 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_simple__file_read.rb -rw-r--r-- 1 root root 2266 Jun 16 16:16 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/_file.rb -rwxr-xr-x 1 root root 3456 May 14 2019 /usr/share/john/android2john.py -rwxr-xr-x 1 root root 5711 Sep 13 2019 /usr/share/john/itunes_2john.pl 
-rw-r--r-- 1 root root 142 Jun 9 04:15 /usr/share/rubygems-integration/all/gems/wpscan-3.8.18/app/models/config_.rb -rw-r--r-- 1 root root 329 Jun 9 04:15 /usr/share/rubygems-integration/all/gems/wpscan-3.8.18/app/views/json/enumeration/config_s.erb -rw-r--r-- 1 root root 297 Jun 9 04:15 /usr/share/rubygems-integration/all/gems/wpscan-3.8.18/app/views/cli/enumeration/config_s.erb -rw-r--r-- 1 root root 414 Jun 9 04:15 /usr/share/rubygems-integration/all/gems/wpscan-3.8.18/app/finders/config_s.rb -rw-r--r-- 1 root root 679 Jun 9 04:15 /usr/share/rubygems-integration/all/gems/wpscan-3.8.18/app/finders/interesting_findings/_db.rb -rw-r--r-- 1 root root 5484 Oct 12 2020 /usr/share/nmap/scripts/http--finder.nse -rw-r--r-- 1 root root 7251 Oct 12 2020 /usr/share/nmap/scripts/http-config-.nse -rw-r--r-- 1 root root 1225 Jan 15 09:48 /usr/share/whatweb/plugins/barracuda--server.rb -rw-r--r-- 1 root root 1392 Jan 15 09:48 /usr/share/whatweb/plugins/pc.rb -rw-r--r-- 1 root root 799 Jan 15 09:48 /usr/share/whatweb/plugins/phpmypro.rb -rw-r--r-- 1 root root 7855 Feb 10 11:33 /usr/share/postgresql/13/man/man1/pg_base.1.gz -rw-r--r-- 1 root root 3032 Feb 10 11:33 /usr/share/postgresql/13/man/man1/pg_verify.1.gz -rw-r--r-- 1 root root 47206 Feb 10 11:33 /usr/share/locale/uk/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 12692 Feb 10 11:33 /usr/share/locale/uk/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 35801 Feb 10 11:33 /usr/share/locale/de/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 9826 Feb 10 11:33 /usr/share/locale/de/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 34475 Feb 10 11:33 /usr/share/locale/sv/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 9404 Feb 10 11:33 /usr/share/locale/sv/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 31204 Feb 10 11:33 /usr/share/locale/zh_CN/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 8913 Feb 10 11:33 /usr/share/locale/zh_CN/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 36152 Feb 10 11:33 
/usr/share/locale/es/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 10237 Feb 10 11:33 /usr/share/locale/es/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 39623 Feb 10 11:33 /usr/share/locale/ja/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 11294 Feb 10 11:33 /usr/share/locale/ja/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 46093 Feb 10 11:33 /usr/share/locale/ru/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 12834 Feb 10 11:33 /usr/share/locale/ru/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 36124 Feb 10 11:33 /usr/share/locale/ko/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 10059 Feb 10 11:33 /usr/share/locale/ko/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 33682 Feb 10 11:33 /usr/share/locale/tr/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 35322 Feb 10 11:33 /usr/share/locale/cs/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 38304 Feb 10 11:33 /usr/share/locale/fr/LC_MESSAGES/pg_base-13.mo -rw-r--r-- 1 root root 10170 Feb 10 11:33 /usr/share/locale/fr/LC_MESSAGES/pg_verify-13.mo -rw-r--r-- 1 root root 522 Jun 9 2020 /usr/share/set/src/webattack/web_clone/applet.database -rw-r--r-- 1 root root 13409 Jun 16 16:16 /usr/share/doc/metasploit-framework/modules/post/multi/gather/ubiquiti_unifi_.md -rw-r--r-- 1 root root 2313 Jun 16 16:16 /usr/share/doc/metasploit-framework/modules/exploit/windows/misc/ahsay__fileupload.md -rw-r--r-- 1 root root 4229 Jun 16 16:16 /usr/share/doc/metasploit-framework/modules/exploit/multi/http/wp_db__rce.md -rw-r--r-- 1 root root 1359 Jun 16 16:16 /usr/share/doc/metasploit-framework/modules/auxiliary/scanner/http/_file.md -rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.gz -rwxr-xr-x 1 root root 1513 Jan 23 2020 /usr/share/doc/libipc-system-simple-perl/examples/rsync-.pl -rw-r--r-- 1 root root 416107 Dec 21 2020 /usr/share/doc/manpages/Changes.gz -rw-r--r-- 1 root root 303 Dec 15 2020 /usr/share/doc/hdparm/changelog.gz -rw-r--r-- 1 root root 194817 Oct 9 2020 
/usr/share/doc/x11-common/changelog.Debian.gz -rw-r--r-- 1 root root 6427 Jan 1 12:45 /usr/share/doc/minicom/changelog.gz -rw-r--r-- 1 root root 43896 Feb 25 11:49 /usr/lib/open-vm-tools/plugins/vmsvc/libvm.so -rw-r--r-- 1 root root 13524 Feb 10 11:33 /usr/lib/postgresql/13/lib/bitcode/postgres/replication/_manifest.bc -rw-r--r-- 1 root root 53176 Feb 10 11:33 /usr/lib/postgresql/13/lib/bitcode/postgres/replication/base.bc -rwxr-xr-x 1 root root 122208 Feb 10 11:33 /usr/lib/postgresql/13/bin/pg_base -rwxr-xr-x 1 root root 96776 Feb 10 11:33 /usr/lib/postgresql/13/bin/pg_verify -rw-r--r-- 1 root root 9032 May 31 06:01 /usr/lib/modules/5.10.0-kali8-amd64/kernel/drivers/net/team/team_mode_active.ko -rw-r--r-- 1 root root 1952 Jun 26 15:28 /usr/lib/python3/dist-packages/wapitiCore/attack/__pycache__/mod_.cpython-39.pyc -rw-r--r-- 1 root root 3579 Feb 20 08:52 /usr/lib/python3/dist-packages/wapitiCore/attack/mod_.py -rw-r--r-- 1 root root 2121 Feb 13 12:50 /usr/lib/python3/dist-packages/wapitiCore/definitions/.py -rw-r--r-- 1 root root 1327 Jun 26 15:28 /usr/lib/python3/dist-packages/wapitiCore/definitions/__pycache__/.cpython-39.pyc -rw-r--r-- 1 root root 525 Apr 8 2017 /usr/lib/python3/dist-packages/wapitiCore/data/attacks/Payloads.txt -rw-r--r-- 1 root root 1578 Jun 26 15:28 /usr/lib/python3/dist-packages/wfuzz/plugins/scripts/__pycache__/s.cpython-39.pyc -rw-r--r-- 1 root root 2068 Nov 6 2020 /usr/lib/python3/dist-packages/wfuzz/plugins/scripts/s.py -rw-r--r-- 1 root root 30289 Jun 26 15:28 /usr/lib/python3/dist-packages/samba/netcmd/__pycache__/domain_.cpython-39.pyc -rw-r--r-- 1 root root 50384 Jul 9 2020 /usr/lib/python3/dist-packages/samba/netcmd/domain_.py -rw-r--r-- 1 root root 5307 Jul 9 2020 /usr/lib/python3/dist-packages/samba/tests/domain__offline.py -rw-r--r-- 1 root root 6746 Jul 9 2020 /usr/lib/python3/dist-packages/samba/tests/ntacls_.py -rw-r--r-- 1 root root 5047 Jun 26 15:28 
/usr/lib/python3/dist-packages/samba/tests/__pycache__/ntacls_.cpython-39.pyc -rw-r--r-- 1 root root 19836 Jun 26 15:28 /usr/lib/python3/dist-packages/samba/tests/__pycache__/domain_.cpython-39.pyc -rw-r--r-- 1 root root 3899 Jun 26 15:28 /usr/lib/python3/dist-packages/samba/tests/__pycache__/domain__offline.cpython-39.pyc -rw-r--r-- 1 root root 27406 Jul 9 2020 /usr/lib/python3/dist-packages/samba/tests/domain_.py -rwxr-xr-x 1 root root 37699 May 24 00:04 /usr/bin/wsrep_sst_maria -rwxr-xr-x 1 root root 14488 Nov 19 2020 /usr/bin/tdb.tdbtools This check took 2 seconds ╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found: /etc/alternatives/regulatory: symbolic link to /lib/firmware/regulatory-debian Found: /var/lib/colord/mapping: SQLite 3.x database, last written using SQLite version 3034001 Found: /var/lib/colord/storage: SQLite 3.x database, last written using SQLite version 3034001 Found: /var/lib/command-not-found/commands: SQLite 3.x database, last written using SQLite version 3034001 Found: /var/lib/dpkg/alternatives/regulatory: ASCII text Found: /var/lib/mlocate/mlocate: regular file, no read permission -> Extracting tables from /var/lib/colord/mapping.db (limit 20) -> Extracting tables from /var/lib/colord/storage.db (limit 20) -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20) This check took 0 seconds ╔══════════╣ Web files?(output limit) /var/www/: total 12K drwxr-xr-x 3 root root 4.0K Jun 26 15:23 . drwxr-xr-x 12 root root 4.0K Jun 26 15:23 .. drwxr-xr-x 2 root root 4.0K Jun 26 15:28 html /var/www/html: total 24K drwxr-xr-x 2 root root 4.0K Jun 26 15:28 . drwxr-xr-x 3 root root 4.0K Jun 26 15:23 .. 
This check took 0 seconds ╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw------- 1 root root 0 Jun 26 15:22 /etc/.pwd.lock -rw-r--r-- 1 root root 0 Jun 26 15:27 /etc/.java/.systemPrefs/.system.lock -rw-r--r-- 1 root root 0 Jun 26 15:27 /etc/.java/.systemPrefs/.systemRootModFile -rw-r--r-- 1 root root 11759 May 19 22:51 /etc/skel/.face -rw-r--r-- 1 root root 220 Feb 24 15:53 /etc/skel/.bash_logout -rw-r--r-- 1 root root 10605 May 4 04:45 /etc/skel/.zshrc -rw-r--r-- 1 banana banana 11759 Jun 26 16:58 /home/banana/.face -rw-r--r-- 1 banana banana 220 Jun 26 16:58 /home/banana/.bash_logout -rw-r--r-- 1 banana banana 10605 Jun 26 16:58 /home/banana/.zshrc -rw-r--r-- 1 kali kali 55 Jun 26 18:25 /home/kali/.dmrc -rw------- 1 kali kali 10108 Jun 26 18:29 /home/kali/.xsession-errors -rw------- 1 kali kali 49 Jun 26 15:30 /home/kali/.Xauthority -rw------- 1 kali kali 0 Jun 26 15:30 /home/kali/.ICEauthority -rw-r--r-- 1 kali kali 11759 Jun 26 15:29 /home/kali/.face -rw-r--r-- 1 kali kali 220 Jun 26 15:29 /home/kali/.bash_logout -rw-r--r-- 1 kali kali 10605 Jun 26 15:29 /home/kali/.zshrc -rw-r--r-- 1 root root 55 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/nessus_rest-0.1.6/.document -rw-r--r-- 1 root root 86 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/nessus_rest-0.1.6/.travis.yml -rw-r--r-- 1 root root 0 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/railties-5.2.6/lib/rails/generators/rails/generator/templates/templates/.empty_directory -rw-r--r-- 1 root root 71 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-ole-0.1.7/.travis.yml -rw-r--r-- 1 root root 31 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-ole-0.1.7/.rspec -rw-r--r-- 1 root root 71 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-java-0.1.6/.travis.yml -rw-r--r-- 1 root root 31 
Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-java-0.1.6/.rspec -rw-r--r-- 1 root root 0 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/thin-1.8.1/ext/thin_parser/.sitearchdir.time -rw-r--r-- 1 root root 137 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/tzinfo-data-1.2021.1/.yardopts -rw-r--r-- 1 root root 0 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ed25519-1.2.4/ext/ed25519_ref10/.sitearchdir.time -rw-r--r-- 1 root root 401 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ed25519-1.2.4/.rubocop.yml -rw-r--r-- 1 root root 319 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ed25519-1.2.4/.travis.yml -rw-r--r-- 1 root root 79 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ed25519-1.2.4/.rspec -rw-r--r-- 1 root root 50 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/openssl-ccm-1.2.2/.yardopts -rw-r--r-- 1 root root 115 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/openssl-ccm-1.2.2/.rubocop.yml -rw-r--r-- 1 root root 50 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/openssl-cmac-2.0.1/.yardopts -rw-r--r-- 1 root root 115 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/openssl-cmac-2.0.1/.rubocop.yml -rw-r--r-- 1 root root 1166 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ruby_smb-2.0.10/.simplecov -rw-r--r-- 1 root root 12 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ruby_smb-2.0.10/.yardopts -rw-r--r-- 1 root root 53 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ruby_smb-2.0.10/.rspec -rw-r--r-- 1 root root 55 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/domain_name-0.5.20190701/.document -rw-r--r-- 1 root root 287 Jun 18 02:53 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/domain_name-0.5.20190701/.travis.yml -rw-r--r-- 1 root root 71 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.16/.travis.yml -rw-r--r-- 1 root root 31 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-core-0.1.16/.rspec -rw-r--r-- 1 root root 285 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/packetfu-1.1.13/.mailmap -rw-r--r-- 1 root root 82 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/packetfu-1.1.13/.document -rw-r--r-- 1 root root 122 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/packetfu-1.1.13/.travis.yml -rw-r--r-- 1 root root 32 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/packetfu-1.1.13/.rspec -rw-r--r-- 1 root root 71 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-struct2-0.1.3/.travis.yml -rw-r--r-- 1 root root 31 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-struct2-0.1.3/.rspec -rw-r--r-- 1 root root 71 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-nop-0.1.2/.travis.yml -rw-r--r-- 1 root root 31 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-nop-0.1.2/.rspec -rw-r--r-- 1 root root 1309 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/simplecov-html-0.12.3/.rubocop.yml -rw-r--r-- 1 root root 60 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/simplecov-html-0.12.3/.document -rw-r--r-- 1 root root 454 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/simplecov-html-0.12.3/.travis.yml -rw-r--r-- 1 root root 11 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/simplecov-html-0.12.3/.tool-versions -rw-r--r-- 1 root root 31 Jun 18 02:53 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-exploitation-0.1.27/.rspec -rw-r--r-- 1 root root 358 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/eventmachine-1.2.7/java/.classpath -rw-r--r-- 1 root root 369 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/eventmachine-1.2.7/java/.project -rw-r--r-- 1 root root 0 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/eventmachine-1.2.7/ext/.sitearchdir.time -rw-r--r-- 1 root root 31 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-sslscan-0.1.6/.rspec -rw-r--r-- 1 root root 23 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_data_models-4.1.4/.coveralls.yml -rw-r--r-- 1 root root 1043 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_data_models-4.1.4/.simplecov -rw-r--r-- 1 root root 77 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_data_models-4.1.4/.yardopts -rw-r--r-- 1 root root 53 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_data_models-4.1.4/.rspec -rw-r--r-- 1 root root 242 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/unf-0.1.4/.travis.yml -rw-r--r-- 1 root root 0 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/bcrypt_pbkdf-1.1.0/ext/mri/.sitearchdir.time -rw-r--r-- 1 root root 123 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/bcrypt_pbkdf-1.1.0/.travis.yml -rw-r--r-- 1 root root 79 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/ruby-macho-2.5.1/.yardopts -rw-r--r-- 1 root root 6 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/.ruby-gemset -rw-r--r-- 1 root root 358 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/.snyk -rw-r--r-- 1 root root 6 
Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/.ruby-version -rw-r--r-- 1 root root 18 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/.yardopts -rw-r--r-- 1 root root 433 Jun 18 02:53 /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/recog-2.3.20/.travis.yml This check took 0 seconds ╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) -rw------- 1 kali kali 394 Jun 26 15:30 /tmp/.xfsm-ICE-KDUX50 -r--r--r-- 1 root root 11 Jun 26 15:30 /tmp/.X0-lock -rwxr-xr-x 1 root root 12663 Jan 14 2004 /usr/share/spike/backups/citrix.c -rwxr-xr-x 1 root root 4242 Jan 14 2004 /usr/share/spike/backups/msrpcfuzz.c This check took 0 seconds ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files /dev/mqueue /dev/shm /home/kali /run/lock /run/screen /run/screen/S-kali /run/user/1000 /run/user/1000/dbus-1 /run/user/1000/dbus-1/services /run/user/1000/dconf /run/user/1000/dconf/user /run/user/1000/gnupg /run/user/1000/gvfs /run/user/1000/ICEauthority /run/user/1000/pipewire-0.lock /run/user/1000/pulse /run/user/1000/pulse/pid /run/user/1000/systemd /run/user/1000/systemd/generator.late /run/user/1000/systemd/generator.late/app-blueman-autostart /run/user/1000/systemd/generator.late/app-geocluex2ddemox2dagent-autostart /run/user/1000/systemd/generator.late/app-lightx2dlocker-autostart /run/user/1000/systemd/generator.late/app-nmx2dapplet-autostart /run/user/1000/systemd/generator.late/app-orcax2dautostart-autostart #)You_can_write_even_more_files_inside_last_directory /run/user/1000/systemd/inaccessible /run/user/1000/systemd/inaccessible/dir /run/user/1000/systemd/inaccessible/reg /run/user/1000/systemd/units /tmp /tmp/.font-unix /tmp/.ICE-unix /tmp/ssh-zJebGJtQlfwp /tmp/.Test-unix 
/tmp/tmux-1000 #)You_can_write_even_more_files_inside_last_directory /varphp/sessions /var/spool/samba /var/tmp This check took 1 seconds ╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files Group kali: Group dialout: Group cdrom: Group floppy: Group sudo: Group audio: Group dip: Group video: Group plugdev: Group netdev: Group bluetooth: Group wireshark: Group scanner: Group kaboxer: This check took 9 seconds ╔══════════╣ Searching passwords in config PHP files This check took 0 seconds ╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs This check took 0 seconds ╔══════════╣ Finding IPs inside logs (limit 70) 59 10.10.10.100 17 1.3.4.202 16 0.8.3.1 11 1.2.3.3 8 4.2.4.6 8 4.2.17.138 8 3.7.4.3 8 2.5.16.1 8 1.7.4.1 8 0.3.8.1 2 1.18.99.90 1 1.6.99.1 1 1.2.3.2 This check took 0 seconds ╔══════════╣ Finding passwords inside logs (limit 70) 2021-06-26 15:25:04 install cryptsetup-nuke-ord:amd64 2 2021-06-26 15:25:04 status half-installed cryptsetup-nuke-ord:amd64 2 2021-06-26 15:25:04 status unpacked cryptsetup-nuke-ord:amd64 2 2021-06-26 15:27:04 configure cryptsetup-nuke-ord:amd64 2 2021-06-26 15:27:04 status half-configured cryptsetup-nuke-ord:amd64 2 2021-06-26 15:27:04 status installed cryptsetup-nuke-ord:amd64 2 2021-06-26 15:27:04 status unpacked cryptsetup-nuke-ord:amd64 2 2021-06-26 19:22:41 configure base-d:amd64 3.5.49 3.5.49 2021-06-26 19:22:41 install base-d:amd64 3.5.49 2021-06-26 19:22:41 status half-configured base-d:amd64 3.5.49 2021-06-26 19:22:41 status half-installed base-d:amd64 3.5.49 2021-06-26 19:22:41 status installed base-d:amd64 3.5.49 2021-06-26 19:22:41 status unpacked base-d:amd64 3.5.49 2021-06-26 19:22:43 status half-configured base-d:amd64 3.5.49 2021-06-26 19:22:43 status half-installed base-d:amd64 3.5.49 2021-06-26 19:22:43 status unpacked base-d:amd64 3.5.49 2021-06-26 19:22:43 upgrade base-d:amd64 3.5.49 3.5.49 2021-06-26 19:22:44 
install d:amd64 1:4.8.1-1 2021-06-26 19:22:44 status half-installed d:amd64 1:4.8.1-1 2021-06-26 19:22:44 status unpacked d:amd64 1:4.8.1-1 2021-06-26 19:22:45 configure base-d:amd64 3.5.49 2021-06-26 19:22:45 status half-configured base-d:amd64 3.5.49 2021-06-26 19:22:45 status installed base-d:amd64 3.5.49 2021-06-26 19:22:45 status unpacked base-d:amd64 3.5.49 2021-06-26 19:22:46 configure d:amd64 1:4.8.1-1 2021-06-26 19:22:46 status half-configured d:amd64 1:4.8.1-1 2021-06-26 19:22:46 status installed d:amd64 1:4.8.1-1 2021-06-26 19:22:46 status unpacked d:amd64 1:4.8.1-1 Description: Set up users and ords dmidecode: Administrator Password Status: Enabled dmidecode: Keyboard Password Status: Unknown dmidecode: Power-On Password Status: Disabled update-alternatives 2021-06-26 15:28:43: link group vncd updated to point to /usr/bin/tightvncpasswd This check took 0 seconds ╔══════════╣ Finding emails inside logs (limit 70) 1 mmyangfl@gmail.com 1 felix.lechner@lease-up.com This check took 0 seconds ╔══════════╣ Finding *password* or *credential* files in home (limit 70) /etc/cryptsetup-nuke- /etc/pam.d/common- /usr/bin/systemd-ask- /usr/bin/systemd-tty-ask--agent /usr/lib/cryptsetup-nuke- /usr/lib/git-core/git- /usr/lib/git-core/git--cache /usr/lib/git-core/git--cache--daemon /usr/lib/git-core/git--store #)There are more creds/passwds files in the previous parent folder /usr/lib/grub/i386-pc/.mod /usr/lib/grub/i386-pc/_pbkdf2.mod /usr/lib/mysql/plugin/simple__check.so /usr/lib/postgresql/13/lib/bitcode/check /usr/lib/postgresql/13/lib/bitcode/check.index.bc /usr/lib/postgresql/13/lib/bitcode/check/passwordcheck.bc /usr/lib/postgresql/13/lib/check.so /usr/lib/pppd/2.4.9/fd.so /usr/lib/python3/dist-packages/cme/modules/gpp_.py /usr/lib/python3/dist-packages/cme/modules/__pycache__/gpp_.cpython-39.pyc /usr/lib/python3/dist-packages/django/contrib/admin/templates/admin/auth/user/change_.html
/usr/lib/python3/dist-packages/django/contrib/admin/templates/registration/_change_done.html /usr/lib/python3/dist-packages/django/contrib/admin/templates/registration/_change_form.html /usr/lib/python3/dist-packages/django/contrib/admin/templates/registration/_reset_complete.html /usr/lib/python3/dist-packages/django/contrib/admin/templates/registration/_reset_confirm.html #)There are more creds/passwds files in the previous parent folder /usr/lib/python3/dist-packages/django/contrib/auth/management/commands/change.py /usr/lib/python3/dist-packages/django/contrib/auth/management/commands/__pycache__/change.cpython-39.pyc /usr/lib/python3/dist-packages/django/contrib/auth/_validation.py /usr/lib/python3/dist-packages/django/contrib/auth/__pycache__/_validation.cpython-39.pyc /usr/lib/python3/dist-packages/django/contrib/auth/templates/auth/widgets/read_only__hash.html /usr/lib/python3/dist-packages/django/contrib/auth/templates/registration/_reset_subject.txt /usr/lib/python3/dist-packages/django/forms/jinja2/django/forms/widgets/.html /usr/lib/python3/dist-packages/django/forms/templates/django/forms/widgets/.html /usr/lib/python3/dist-packages/faraday/migrations/versions/b1d15a55556d_remove_ticketing_tools_s.py /usr/lib/python3/dist-packages/faraday/migrations/versions/__pycache__/b1d15a55556d_remove_ticketing_tools_s.cpython-39.pyc /usr/lib/python3/dist-packages/faraday/server/api/modules/s.py /usr/lib/python3/dist-packages/faraday/server/api/modules/__pycache__/s.cpython-39.pyc /usr/lib/python3/dist-packages/faraday/server/commands/change_.py /usr/lib/python3/dist-packages/faraday/server/commands/__pycache__/change_.cpython-39.pyc /usr/lib/python3/dist-packages/flask_security/less.py /usr/lib/python3/dist-packages/flask_security/_util.py /usr/lib/python3/dist-packages/flask_security/__pycache__/less.cpython-39.pyc /usr/lib/python3/dist-packages/flask_security/__pycache__/_util.cpython-39.pyc
/usr/lib/python3/dist-packages/flask_security/templates/security/change_.html /usr/lib/python3/dist-packages/flask_security/templates/security/forgot_.html /usr/lib/python3/dist-packages/flask_security/templates/security/reset_.html /usr/lib/python3/dist-packages/jedi/third_party/django-stubs/django-stubs/contrib/auth/_validation.pyi /usr/lib/python3/dist-packages/minikerberos/common/creds.py /usr/lib/python3/dist-packages/minikerberos/common/__pycache__/creds.cpython-39.pyc /usr/lib/python3/dist-packages/msldap/authentication/ntlm/creds_calc.py /usr/lib/python3/dist-packages/msldap/authentication/ntlm/__pycache__/creds_calc.cpython-39.pyc /usr/lib/python3/dist-packages/msldap/commons/.py /usr/lib/python3/dist-packages/msldap/commons/__pycache__/.cpython-39.pyc /usr/lib/python3/dist-packages/pypykatz/dpapi/structures/file.py /usr/lib/python3/dist-packages/pypykatz/dpapi/structures/__pycache__/file.cpython-39.pyc /usr/lib/python3/dist-packages/pypykatz/utils/crypto/gp.py /usr/lib/python3/dist-packages/pypykatz/utils/crypto/__pycache__/gp.cpython-39.pyc /usr/lib/python3/dist-packages/samba/s.cpython-39-x86_64-linux-gnu.so /usr/lib/python3/dist-packages/samba/tests/s.py /usr/lib/python3/dist-packages/samba/tests/krb5_s.py /usr/lib/python3/dist-packages/samba/tests/_hash_fl2003.py /usr/lib/python3/dist-packages/samba/tests/_hash_fl2008.py #)There are more creds/passwds files in the previous parent folder This check took 0 seconds ╔══════════╣ Finding passwords inside key folders (limit 70) - only PHP files This check took 1 seconds ╔══════════╣ Finding passwords inside key folders (limit 70) - no PHP files /etc/alternatives/desktop-theme/plymouth/kali.script: global.ordField = ordField; /etc/alternatives/desktop-theme/plymouth/kali.script:MAX_ORD_LENGTH = 16; /etc/alternatives/desktop-theme/plymouth/kali.script:ordDot.image = Image("ord-dot.png"); /etc/alternatives/desktop-theme/plymouth/kali.script: ordField.bullets[i].sprite = Sprite(ordDot.image);
/etc/alternatives/desktop-theme/plymouth/kali.script: ordField.image = Image("ord-field.png"); /etc/alternatives/desktop-theme/plymouth/kali.script: ordField.sprite = Sprite(ordField.image); /etc/alternatives/desktop-theme/plymouth/kali.script: ordField.x = X_CENTER - ordField.image.GetWidth() / 2; /etc/alternatives/desktop-theme/plymouth/kali.script: ordField.y = container.sprite.GetY() + container.image.GetHeight(); /etc/alternatives/desktop-theme/plymouth/kali.script: ordField.z = 5; /etc/alternatives/msfdb: grep -v "^Enter ord for new role: $\|^Enter it again: $" "${TMPFILE}" /etc/alternatives/msfdb: ord: ${DB_PASS} /etc/alternatives/vncserver:$dFile = "$vncUserDir/d"; /etc/alternatives/vncserver:$quoteddFile = "edString($dFile); /etc/apache2/sites-available/default-ssl.conf: # file needs this ord: `xxj31ZMTZzkVA'. /etc/cloud/cloud.cfg.d/20_kali.cfg: lock_d: True /etc/cloud/cloud.cfg.d/20_kali.cfg: sudo: ["ALL=(ALL) NOD:ALL"] /etc/debconf.conf:#Bindd: secret /etc/default/ptunnel:#ord="mysecretord" /etc/init.d/ntp:UGID=$(getent d $RUNASUSER | cut -f 3,4 -d:) || true /etc/init.d/ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/java-11-openjdk/management/management.properties:# com.sun.management.jmxremote.ord.file=filepath /etc/java-11-openjdk/management/management.properties:# com.sun.management.jmxremote.ord.toHashes = true|false /etc/java-11-openjdk/management/management.properties:# javax.net.ssl.keyStoreord= /etc/java-11-openjdk/management/management.properties:# javax.net.ssl.trustStoreord= /etc/john/john.conf: length = 8; // ord length to try (NOTE: other [eg. shorter] /etc/john/john.conf:LogCrackedords = N /etc/john/john.conf: ord_length = 16; /* Change this to match config */ /etc/john/john.conf: ord_length = 8; /* Change this to match config */ /etc/john/john.conf:# Simple ord policy matching: require at least one digit. 
/etc/john/john.conf:# With: ord123 (Administrator:500) /etc/nsswitch.conf:d: files systemd /etc/pam.d/common-ord:ord [success=1 default=ignore] pam_unix.so obscure yescrypt /etc/postgresql/13/main/postgresql.conf:#ord_encryption = md5 # md5 or scram-sha-256 /etc/powershell-empire/config.yaml: ord: ord123 /etc/profile.d/vte-2.91.sh: [ "$" != "$HOME" ] && =${/#$HOME\//\~\/} /etc/profile.d/vte-2.91.sh: local ='~' /etc/profile.d/vte-2.91.sh: ="${//[[:cntrl:]]}" /etc/rc0.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc1.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc2.d/K01ntp:UGID=$(getent d $RUNASUSER | cut -f 3,4 -d:) || true /etc/rc2.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc3.d/K01ntp:UGID=$(getent d $RUNASUSER | cut -f 3,4 -d:) || true /etc/rc3.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc4.d/K01ntp:UGID=$(getent d $RUNASUSER | cut -f 3,4 -d:) || true /etc/rc4.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc5.d/K01ntp:UGID=$(getent d $RUNASUSER | cut -f 3,4 -d:) || true /etc/rc5.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/rc6.d/K01ptunnel:OPTIONS="-daemon $PIDFILE ${ord:+-x $ord}" /etc/redsocks.conf: // ord = "baz"; /etc/redsocks.conf: ord = pazzw0rd; /etc/samba/smb.conf: pam ord change = yes /etc/samba/smb.conf: d chat = *Enter\snew\s*\sord:* %n\n *Retype\snew\s*\sord:* %n\n *ord\supdated\ssuccessfully* . /etc/samba/smb.conf: d program = /usr/bin/d %u /etc/samba/smb.conf: unix ord sync = yes /etc/security/namespace.init: gid=$(echo "$d" | cut -f4 -d":") /etc/security/namespace.init: homedir=$(echo "$d" | cut -f6 -d":") /etc/security/namespace.init: d=$(getent d "$user") /etc/sqlmap/sqlmap.conf:# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&ord=guessme /etc/sqlmap/sqlmap.conf:# Examples: /etc/d or C:\boot.ini /etc/sqlmap/sqlmap.conf:# Example: username=admin&ord=0rd! 
/etc/sqlmap/sqlmap.conf:getordHashes = False
/etc/sqlmap/sqlmap.conf:# mysql://USER:ORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
/etc/sqlmap/sqlmap.conf:# oracle://USER:ORD@DBMS_IP:DBMS_PORT/DATABASE_SID
/etc/ssl/openssl.cnf:challengeord = A challenge ord
/etc/ssl/openssl.cnf:challengeord_max = 20
/etc/ssl/openssl.cnf:challengeord_min = 4
/etc/ssl/openssl.cnf:# input_ord = secret
/etc/ssl/openssl.cnf:# output_ord = secret
/etc/subversion/config:# ord-stores = gpg-agent,gnome-keyring,kwallet
/etc/subversion/config:# store-ords = no
This check took 0 seconds

╔══════════╣ Finding possible password variables inside key folders (limit 140)
/etc/alternatives/msfdb:="${PGPORT:-5432}"
/etc/alternatives/msfdb:=msf
/etc/alternatives/msfdb: if lsof -Pi :${} -sTCP:LISTEN -t >/dev/null ; then
/etc/alternatives/msfdb: lsof -Pi :${} -sTCP:LISTEN
/etc/alternatives/msfdb: ps -f $( lsof -Pi :${} -sTCP:LISTEN -t )
/etc/mysql/mariadb.conf.d/60-galera.cnf:#wsrep_cluster_name = "MariaDB Galera Cluster"
/etc/postgresql/13/main/postgresql.conf:cluster_name = '13/main' # added to process titles if nonempty
/etc/postgresql/13/main/postgresql.conf:#db_user_namespace = off
/etc/postgresql-common/createcluster.conf:cluster_name = '%v/%c'
This check took 0 seconds

╔══════════╣ Finding possible password in config files
/etc/sqlmap/sqlmap.conf
ORD@DBMS_IP:DBMS_PORT/DATABASE_NAME ORD@DBMS_IP:DBMS_PORT/DATABASE_SID ord=guessme tials. Useful only if the target URL requires ord tials. Useful only if the proxy requires ord ord=0rd! tials (user:ord). Useful if you want to ord ord hashes. ordHashes = False d or C:\boot.ini
/etc/john/john-mail.conf
ords (but that means sensitive information would be d and /etc/shadow while the john cronjob ord file, that will ORD FILE HERE, OR IT WILL BE LOST. Simply specify a location ord file. d ords will
/etc/xl2tpd/xl2tpd.conf
d for auth.
/etc/nsswitch.conf
d: files systemd
/etc/debconf.conf
ords. ord ords. ords ord ords.dat ords and one for everything else.
ords ord is really d: secret
/etc/apache2/apache2.conf
d files from being
/etc/security/faillock.conf
d and ignore centralized (AD, IdM, LDAP, etc.) users.
/etc/tightvncserver.conf
d"; ords are always kept on the local filesystem. To do that, just
/etc/samba/smb.conf
ord with the SMB ord when the encrypted SMB ord in the ord sync = yes ord sync to work on a Debian GNU/Linux system, the following d program in Debian Sarge). d program = /usr/bin/d %u d chat = *Enter\snew\s*\sord:* %n\n *Retype\snew\s*\sord:* %n\n *ord\supdated\ssuccessfully* . ord changes d program'. The default is 'no'. ord change = yes ord; please adapt to your needs ord --gecos "" %u
/etc/netsniff-ng/udp.conf
d5 ord-chg
/etc/netsniff-ng/oui.conf
ce CORPORATION
/etc/netsniff-ng/tcp.conf
d5 d d
/etc/adduser.conf
d
/etc/responder/Responder.conf
tials. tials = On
This check took 1 seconds

╔══════════╣ Finding 'username' string inside key folders (limit 70)
/etc/alternatives/msfdb: : ${DB_USER}
/etc/king-phisher/server_config.yml: setuid_: king-phisher
/etc/powershell-empire/config.yaml: : empireadmin
This check took 0 seconds

╔══════════╣ Searching specific hashes inside files - less false positives (limit 70)
This check took 1 seconds

╔══════════╣ Searching md5/sha1/sha256/sha512 hashes inside files (limit 50 - only 1 per file)
/etc/machine-id
/etc/grub.d/05_debian_theme
/etc/java-11-openjdk/security/java.security
/etc/java-11-openjdk/security/blacklisted.certs
/usr/share/spike/backups/msrpcfuzz.c
/home/kali/linpeas.txt
/home/kali/linpeas.out
This check took 1 seconds

╔══════════╣ Finding URIs with user:password@host inside key folders
database: postgresql://king_phisher:fPsPiblCCDRF3JJz@localhost/king_phisher
"http://*:*@www"
/home/kali/linpeas.out: database: postgresql://king_phisher:fPsPiblCCDRF3JJz@localhost/king_phisher
/home/kali/linpeas.out:/home/kali/linpeas.out: database: postgresql://king_phisher:fPsPiblCCDRF3JJz@localhost/king_phisher
/home/kali/linpeas.out:/home/kali/linpeas.out:"http://*:*@www"
/home/kali/linpeas.out:"http://*:*@www"
/home/kali/linpeas.txt: database: postgresql://king_phisher:fPsPiblCCDRF3JJz@localhost/king_phisher
/home/kali/linpeas.txt:"http://*:*@www"