╔══════════╣ Container related tools present (if any): /usr/bin/docker /usr/bin/runc
╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::80 :::* LISTEN -
lrwxrwxrwx 1 root root 37 Aug 3 18:40 /etc/nginx/sites-enabled/analytical -> /etc/nginx/sites-available/analytical server { listen 80; listen [::]:80; root /var/www/site; index index.html; server_name analytical.htb; if ($host != analytical.htb) { rewrite ^ http://analytical.htb/; } location / { try_files $uri $uri/ =404; } } lrwxrwxrwx 1 root root 46 Aug 3 19:17 /etc/nginx/sites-enabled/data.analytical.htb -> /etc/nginx/sites-available/data.analytical.htb server { listen 80; server_name data.analytical.htb; location / { proxy_pass http://localhost:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } }
╔══════════╣ Checking if containerd(ctr) is available ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
╔══════════╣ Checking if runc is available ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation runc was found in /usr/bin/runc, you may be able to escalate privileges with it
╔══════════╣ Analyzing Interesting logs Files (limit 70) -rw-r----- 1 www-data adm 17619 Dec 12 12:04 /var/log/nginx/access.log
-rw-r--r-- 1 root root 0 Aug 8 11:48 /var/log/nginx/error.log
╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation ══╣ Current shell capabilities CapInh: 0x0000000000000000= CapPrm: 0x0000000000000000= CapEff: 0x0000000000000000= CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore CapAmb: 0x0000000000000000=
══╣ Parent process capabilities CapInh: 0x0000000000000000= CapPrm: 0x0000000000000000= CapEff: 0x0000000000000000= CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50): /usr/bin/mtr-packet cap_net_raw=ep /usr/bin/ping cap_net_raw=ep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/metalytics/.bash_history /home/metalytics/user.txt /root/ /var/www
╔═════════════════════════╗ ════════════════════════════╣ Other Interesting Files ╠════════════════════════════ ╚═════════════════════════╝ ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation /usr/bin/rescan-scsi-bus.sh /usr/bin/gettext.sh /usr/bin/dockerd-rootless.sh /usr/bin/dockerd-rootless-setuptool.sh
2023-08-08+11:53:02.9848993850 /usr/local/sbin/laurel
╔══════════╣ Unexpected in /opt (usually empty) total 12 drwxr-xr-x 3 root root 4096 Aug 8 11:37 . drwxr-xr-x 18 root root 4096 Aug 8 11:37 .. drwx--x--x 4 root root 4096 Aug 8 11:37 containerd
╔══════════╣ Executing Linux Exploit Suggester ╚ https://github.com/mzet-/linux-exploit-suggester [+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: less probable Tags: ubuntu=(20.04){kernel:5.12.13} Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
-rwsr-xr-x 1 root root 331K Aug 24 13:40 /usr/lib/openssh/ssh-keysign
|