linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
  LightMagenta: Your username

Starting linpeas. Caching Writable Folders...
╔═══════════════════╗ ═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════ ╚═══════════════════╝ OS: Linux version 4.15.0-108-generic (buildd@lcy01-amd64-013) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #109-Ubuntu SMP Fri Jun 19 11:33:10 UTC 2020 User & Groups: uid=1001(james) gid=1001(james) groups=1001(james) Hostname: overpass-prod Writable folder: /dev/shm [+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h) [+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗ ════════════════════════════════════════╣ System Information ╠════════════════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits Linux version 4.15.0-108-generic (buildd@lcy01-amd64-013) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #109-Ubuntu SMP Fri Jun 19 11:33:10 UTC 2020 Distributor ID: Ubuntu Description: Ubuntu 18.04.4 LTS Release: 18.04 Codename: bionic ╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version Sudo version 1.8.21p2 ╔══════════╣ PATH ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/go/bin New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/go/bin ╔══════════╣ Date & uptime Thu Jan 20 04:34:45 UTC 2022 04:34:45 up 41 min, 1 user, load average: 0.36, 0.08, 0.08 ╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) disk ╔══════════╣ Unmounted file-system? 
╚ Check if you can mount umounted devices
sed: -e expression #1, char 379: unknown option to `s'

╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
MAIL=/var/mail/james
USER=james
SSH_CLIENT=10.2.110.212 45034 22
SHLVL=1
HOME=/home/james
SSH_TTY=/dev/pts/0
LOGNAME=james
_=./linpeas.sh
XDG_SESSION_ID=38
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/go/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=C.UTF-8
HISTSIZE=0
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/james
SSH_CONNECTION=10.2.110.212 45034 10.10.255.93 22
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
sed: -e expression #1, char 27: unknown option to `s'

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)

                                             ╔═══════════╗
═════════════════════════════════════════════╣ Container ╠═════════════════════════════════════════════
                                             ╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No

                          ╔════════════════════════════════════════════════╗
══════════════════════════╣ Processes, Crons, Timers, Services and Sockets ╠══════════════════════════
                          ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 1 0.3 0.9 159592 9104 ? Ss 03:53 0:07 /sbin/init maybe-ubiquity
root 424 0.0 1.6 127636 16980 ?
S) Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf ( )

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 593 systemd-network systemd-network :1.0 systemd-networkd.service - -
:1.1 595 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
:1.1166 11075 busctl james :1.1166 session-38.scope 38 -
:1.2 1 systemd root :1.2 init.scope - -
:1.3 625 accounts-daemon root :1.3 accounts-daemon.service - -
:1.4 623 systemd-logind root :1.4 systemd-logind.service - -
:1.6 653 polkitd root :1.6 polkit.service - -
:1.8 627 networkd-dispat root :1.8 networkd-dispatcher.se…ce - -
:1.9 657 unattended-upgr root :1.9 unattended-upgrades.se…ce - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
io.netplan.Netplan - - - (activatable) - -
org.freedesktop.Accounts 625 accounts-daemon root :1.3 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PolicyKit1 653 polkitd root :1.6 polkit.service - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 623 systemd-logind root :1.4 systemd-logind.service - -
org.freedesktop.network1 593 systemd-network systemd-network :1.0 systemd-networkd.service - -
org.freedesktop.resolve1 595 systemd-resolve systemd-resolve :1.1 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.2 init.scope - -
org.freedesktop.thermald - - - (activatable) - -
org.freedesktop.timedate1 - - - (activatable) - -

                                        ╔═════════════════════╗
════════════════════════════════════════╣ Network Information ╠════════════════════════════════════════
                                        ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
overpass-prod
127.0.0.1 localhost
127.0.1.1 overpass-prod
10.2.110.212 overpass.thm
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters nameserver 127.0.0.53 options edns0 search eu-west-1.compute.internal ╔══════════╣ Interfaces # symbolic names for networks, see networks(5) for more information link-local 169.254.0.0 eth0: flags=4163 mtu 9001 inet 10.10.255.93 netmask 255.255.0.0 broadcast 10.10.255.255 inet6 fe80::10:34ff:feec:66cf prefixlen 64 scopeid 0x20 ether 02:10:34:ec:66:cf txqueuelen 1000 (Ethernet) RX packets 3074 bytes 1500005 (1.5 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2311 bytes 484832 (484.8 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1000 (Local Loopback) RX packets 400 bytes 38972 (38.9 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 400 bytes 38972 (38.9 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ╔══════════╣ Can I sniff with tcpdump? No ╔═══════════════════╗ ═════════════════════════════════════════╣ Users Information ╠═════════════════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#users uid=1001(james) gid=1001(james) groups=1001(james) ╔══════════╣ Do I have PGP keys? 
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
james:x:1001:1001:,,,:/home/james:/bin/bash
root:x:0:0:root:/root:/bin/bash
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(tryhackme) gid=1000(tryhackme) groups=1000(tryhackme),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
uid=1001(james) gid=1001(james) groups=1001(james)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon) groups=1(daemon)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys)
gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) ╔══════════╣ Login now 04:34:52 up 41 min, 1 user, load average: 0.58, 0.13, 0.10 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT james pts/0 10.2.110.212 04:24 28.00s 0.07s 0.00s /bin/sh ./linpeas.sh ╔══════════╣ Last logons tryhackme pts/0 Sat Jun 27 04:01:36 2020 - Sat Jun 27 04:15:54 2020 (00:14) 192.168.170.1 reboot system boot Sat Jun 27 04:01:18 2020 - Sat Jun 27 04:15:54 2020 (00:14) 0.0.0.0 tryhackme pts/0 Sat Jun 27 03:59:56 2020 - Sat Jun 27 04:01:08 2020 (00:01) 192.168.170.1 tryhackme pts/0 Sat Jun 27 02:28:30 2020 - Sat Jun 27 03:59:50 2020 (01:31) 192.168.170.1 reboot system boot Sat Jun 27 02:27:38 2020 - Sat Jun 27 04:01:13 2020 (01:33) 0.0.0.0 tryhackme pts/0 Sat Jun 27 02:16:00 2020 - Sat Jun 27 02:27:33 2020 (00:11) 192.168.170.1 tryhackme tty1 Sat Jun 27 02:15:41 2020 - Sat Jun 27 02:17:21 2020 (00:01) 0.0.0.0 reboot system boot Sat Jun 27 02:14:58 2020 - Sat Jun 27 02:27:34 2020 (00:12) 0.0.0.0 wtmp begins Sat Jun 27 02:14:58 2020 ╔══════════╣ Last time logon each user Username Port From Latest tryhackme pts/0 10.10.155.141 Thu Sep 24 21:04:14 +0000 2020 james pts/0 10.2.110.212 Thu Jan 20 04:24:05 +0000 2022 ╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! 
                                       ╔══════════════════════╗
═══════════════════════════════════════╣ Software Information ╠═══════════════════════════════════════
                                       ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/bin/ping
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii g++ 4:7.4.0-1ubuntu2.3 amd64 GNU C++ compiler
ii g++-7 7.5.0-3ubuntu1~18.04 amd64 GNU C++ compiler
ii gcc 4:7.4.0-1ubuntu2.3 amd64 GNU C compiler
ii gcc-7 7.5.0-3ubuntu1~18.04 amd64 GNU C compiler
/usr/bin/gcc

╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Feb 14 2020 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Jun 27 2020 /etc/ldap

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw------- 1 james james 1766 Jun 27 2020 /home/james/.ssh/id_rsa
-rw-r--r-- 1 james james 401 Jun 27 2020 /home/james/.ssh/id_rsa.pub
-rw-rw-r-- 1 james james 401 Jun 27 2020 /home/james/.ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
══╣ Possible private SSH keys were found!
/home/james/.ssh/id_rsa
══╣ Some certificates were found (out limited):
/etc/pollinate/entropy.ubuntu.com.pem
/usr/local/go/src/crypto/tls/testdata/example-cert.pem
/usr/local/go/src/crypto/tls/testdata/example-key.pem
/usr/local/go/src/crypto/x509/test-file.crt
/usr/local/go/src/crypto/x509/testdata/test-dir.crt
5336PSTORAGE_CERTSBIN
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Jun 27 2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Mar 4 2019 /etc/pam.d/sshd

╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions
tmux 2.6
/tmp/tmux-1001

╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3517 Jan 15 2020 /etc/cloud/cloud.cfg
lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Feb 3 2020 /usr/share/keyrings

╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file:
/usr/share/lintian/overrides/passwd ╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 2796 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg -rw-r--r-- 1 root root 2794 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Sep 17 2018 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 3267 Jan 10 2019 /usr/share/gnupg/distsigkey.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 2253 Mar 21 2018 /usr/share/keyrings/ubuntu-esm-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-keyring.gpg -rw-r--r-- 1 root root 1139 Mar 21 2018 /usr/share/keyrings/ubuntu-fips-updates-keyring.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg -rw-r--r-- 1 root root 2867 Feb 22 2018 /usr/share/popularity-contest/debian-popcon.gpg drwx------ 3 james james 4096 Jan 20 04:34 /home/james/.gnupg ╔══════════╣ Kubernetes information ╔══════════╣ Analyzing Postfix Files (limit 70) -rw-r--r-- 1 root root 675 Apr 2 2018 /usr/share/bash-completion/completions/postfix ╔══════════╣ Analyzing Bind Files (limit 70) -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind -rw-r--r-- 1 root root 856 Apr 2 2018 /usr/share/bash-completion/completions/bind ╔══════════╣ Analyzing Other Interesting Files Files (limit 70) -rw-r--r-- 1 root root 3771 Apr 4 2018 /etc/skel/.bashrc -rw-r--r-- 1 james james 3771 Jun 27 2020 /home/james/.bashrc -rw-r--r-- 1 root root 807 Apr 4 2018 /etc/skel/.profile -rw-r--r-- 1 james james 807 Jun 
27 2020 /home/james/.profile ╔═══════════════════╗ ═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════ ╚═══════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount -rwsr-xr-x 1 root root 27K Jan 8 2020 /bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 44K Mar 22 2019 /bin/su -rwsr-xr-x 1 root root 43K Jan 8 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 44K Mar 22 2019 /usr/bin/chsh -rwsr-xr-x 1 root root 146K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 59K Mar 22 2019 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) -rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 40K Mar 22 2019 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/gpasswd -rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 14K Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-- 1 root messagebus 42K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 427K Mar 4 2019 /usr/lib/openssh/ssh-keysign ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/unix_chkpwd -rwxr-sr-x 1 root shadow 34K Feb 27 2019 /sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root mlocate 43K 
Mar 1 2018 /usr/bin/mlocate -rwxr-sr-x 1 root ssh 355K Mar 4 2019 /usr/bin/ssh-agent -rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwxr-sr-x 1 root tty 31K Jan 8 2020 /usr/bin/wall -rwxr-sr-x 1 root shadow 71K Mar 22 2019 /usr/bin/chage -rwxr-sr-x 1 root crontab 39K Nov 16 2017 /usr/bin/crontab -rwxr-sr-x 1 root tty 14K Jan 17 2018 /usr/bin/bsd-write -rwxr-sr-x 1 root shadow 23K Mar 22 2019 /usr/bin/expiry -rwxr-sr-x 1 root utmp 10K Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter ╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so /etc/ld.so.conf include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf /usr/lib/x86_64-linux-gnu/libfakeroot /etc/ld.so.conf.d/libc.conf /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities Current capabilities: Current: = CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Shell capabilities: 0x0000000000000000= CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Files with capabilities (limited to 50): /usr/bin/mtr-packet = cap_net_raw+ep ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path /usr/bin/gettext.sh ╔══════════╣ Unexpected in root /swap.img /initrd.img /vmlinuz.old /vmlinuz /initrd.img.old ╔══════════╣ Files 
(scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files total 32 drwxr-xr-x 2 root root 4096 Jun 27 2020 . drwxr-xr-x 90 root root 4096 Jun 27 2020 .. -rw-r--r-- 1 root root 96 Sep 27 2019 01-locale-fix.sh -rw-r--r-- 1 root root 1557 Dec 4 2017 Z97-byobu.sh -rwxr-xr-x 1 root root 3417 Jan 15 2020 Z99-cloud-locale-test.sh -rwxr-xr-x 1 root root 873 Jan 15 2020 Z99-cloudinit-warnings.sh -rw-r--r-- 1 root root 664 Apr 2 2018 bash_completion.sh -rw-r--r-- 1 root root 1003 Dec 29 2015 cedilla-portuguese.sh ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. 
No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /root/ ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) /sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service /sys/fs/cgroup/unified/user.slice/user-1001.slice/user@1001.service ╔══════════╣ Readable files belonging to root and readable by me but not world readable ╔══════════╣ Modified interesting files in the last 5mins (limit 100) /var/log/journal/da63cb942bf64540af49be48be5c7783/system.journal /var/log/journal/da63cb942bf64540af49be48be5c7783/user-1001.journal /var/log/auth.log /var/log/syslog /var/log/kern.log /home/james/.gnupg/trustdb.gpg /home/james/.gnupg/pubring.kbx ╔══════════╣ Writable log files (logrotten) (limit 100) ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation ╔══════════╣ Files inside /home/james (limit 20) total 796 drwxr-xr-x 6 james james 4096 Jan 20 04:23 . drwxr-xr-x 4 root root 4096 Jun 27 2020 .. lrwxrwxrwx 1 james james 9 Jun 27 2020 .bash_history -> /dev/null -rw-r--r-- 1 james james 220 Jun 27 2020 .bash_logout -rw-r--r-- 1 james james 3771 Jun 27 2020 .bashrc drwx------ 2 james james 4096 Jun 27 2020 .cache drwx------ 3 james james 4096 Jan 20 04:34 .gnupg drwxrwxr-x 3 james james 4096 Jun 27 2020 .local -rw-r--r-- 1 james james 49 Jun 27 2020 .overpass -rw-r--r-- 1 james james 807 Jun 27 2020 .profile drwx------ 2 james james 4096 Jun 27 2020 .ssh -rwxr-xr-x 1 james james 762915 Jan 20 04:23 linpeas.sh -rw-rw-r-- 1 james james 438 Jun 27 2020 todo.txt -rw-rw-r-- 1 james james 38 Jun 27 2020 user.txt ╔══════════╣ Files inside others home (limit 20) ╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup folders ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 2765 Feb 3 2020 /etc/apt/sources.list.curtin.old -rw-r--r-- 1 root root 0 Jun 19 2020 
/usr/src/linux-headers-4.15.0-108-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Jun 19 2020 /usr/src/linux-headers-4.15.0-108-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 217484 Jun 19 2020 /usr/src/linux-headers-4.15.0-108-generic/.config.old
-rw-r--r-- 1 root root 2746 Dec 5 2019 /usr/share/man/man8/vgcfgbackup.8.gz
-rwxr-xr-x 1 root root 226 Dec 4 2017 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 7867 Nov 7 2016 /usr/share/doc/telnet/README.telnet.old.gz
-rw-r--r-- 1 root root 361345 Feb 2 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 10939 Jun 27 2020 /usr/share/info/dir.old
-rw-r--r-- 1 root root 35544 Dec 9 2019 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 7905 Jun 19 2020 /lib/modules/4.15.0-108-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 7857 Jun 19 2020 /lib/modules/4.15.0-108-generic/kernel/drivers/power/supply/wm831x_backup.ko

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /var/lib/mlocate/mlocate.db: regular file, no read permission

╔══════════╣ Web files?(output limit)

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 1531 Jun 27 2020 /var/cache/apparmor/.features
-rw-r--r-- 1 landscape landscape 0 Feb 3 2020 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 220 Apr 4 2018 /etc/skel/.bash_logout
-rw------- 1 root root 0 Feb 3 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 1531 Jun 27 2020 /etc/apparmor.d/cache/.features
-rw-r--r-- 1 root root 20 Jan 20 03:53 /run/cloud-init/.instance-id
-rw-r--r-- 1 root root 2 Jan 20 03:53 /run/cloud-init/.ds-identify.result
-rw-r--r-- 1 james james 220 Jun 27 2020 /home/james/.bash_logout
-rw-r--r-- 1 james james 49 Jun 27 2020 /home/james/.overpass

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 31226 Jun 27 2020 /var/backups/apt.extended_states.0

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/hosts
/home/james
/run/lock
/run/screen
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory
/var/crash
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files

╔══════════╣ Searching passwords in history files

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/bin/systemd-ask-password
/bin/systemd-tty-ask-password-agent
/etc/pam.d/common-password
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-36.pyc
/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-36.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/local/go/src/syscall/creds_test.go
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/usr/share/ubuntu-advantage-tools/modules/credentials.sh
/var/cache/debconf/passwords.dat
/var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords
/var/lib/pam/password

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
base-passwd depends on libc6 (>= 2.8); however:
base-passwd depends on libdebconfclient0 (>= 0.145); however:
2020-02-03 18:22:20 configure base-passwd:amd64 3.5.44 3.5.44
2020-02-03 18:22:20 install base-passwd:amd64 3.5.44
2020-02-03 18:22:20 status half-configured base-passwd:amd64 3.5.44
2020-02-03 18:22:20 status half-installed base-passwd:amd64 3.5.44
2020-02-03 18:22:20 status installed base-passwd:amd64 3.5.44
2020-02-03 18:22:20 status unpacked base-passwd:amd64 3.5.44
2020-02-03 18:22:22 status half-configured base-passwd:amd64 3.5.44
2020-02-03 18:22:22 status half-installed base-passwd:amd64 3.5.44
2020-02-03 18:22:22 status unpacked base-passwd:amd64 3.5.44
2020-02-03 18:22:22 upgrade base-passwd:amd64 3.5.44 3.5.44
2020-02-03 18:22:25 install passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:25 status half-installed passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:25 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:26 configure base-passwd:amd64 3.5.44
2020-02-03 18:22:26 status half-configured base-passwd:amd64 3.5.44
2020-02-03 18:22:26 status installed base-passwd:amd64 3.5.44
2020-02-03 18:22:26 status unpacked base-passwd:amd64 3.5.44
2020-02-03 18:22:27 configure passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:27 status half-configured passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:27 status installed passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:22:27 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:23:09 configure passwd:amd64 1:4.5-1ubuntu2
2020-02-03 18:23:09 status half-configured passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:23:09 status half-configured passwd:amd64 1:4.5-1ubuntu2
2020-02-03 18:23:09 status half-installed passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:23:09 status installed passwd:amd64 1:4.5-1ubuntu2
2020-02-03 18:23:09 status unpacked passwd:amd64 1:4.5-1ubuntu1
2020-02-03 18:23:09 status unpacked passwd:amd64 1:4.5-1ubuntu2
2020-02-03 18:23:09 upgrade passwd:amd64 1:4.5-1ubuntu1 1:4.5-1ubuntu2
2020-06-27 02:15:11,712 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes
2020-06-27 02:15:11,713 - ssh_util.py[DEBUG]: line 123: option PasswordAuthentication added with yes
2020-06-27 02:15:11,763 - cc_set_passwords.py[DEBUG]: Restarted the SSH daemon.
2020-06-27 02:15:11,764 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully
2020-06-27 02:27:45,022 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-06-27 02:27:45,022 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 04:01:22,241 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-06-27 04:01:22,241 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 04:16:03,013 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-06-27 04:16:03,013 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 04:39:18,919 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-06-27 04:39:18,919 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 05:44:17,465 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-06-27 05:44:17,465 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 15:53:05,717 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2020-06-27 15:53:05,718 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-09-24 20:55:55,109 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2020-09-24 20:55:55,109 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-01-20 03:54:14,269 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-01-20 03:54:14,269 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
Binary file /var/log/journal/da63cb942bf64540af49be48be5c7783/user-1001.journal matches
Jun 27 02:07:46 ubuntu-server chage[14820]: changed password expiry for sshd
Jun 27 02:07:46 ubuntu-server usermod[14815]: change user 'sshd' password
Jun 27 03:04:40 ubuntu-server systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
Preparing to unpack .../base-passwd_3.5.44_amd64.deb ...
Preparing to unpack .../passwd_1%3a4.5-1ubuntu1_amd64.deb ...
Selecting previously unselected package base-passwd.
Selecting previously unselected package passwd.
Setting up base-passwd (3.5.44) ...
Setting up passwd (1:4.5-1ubuntu1) ...
Shadow passwords are now on.
Unpacking base-passwd (3.5.44) ...
Unpacking base-passwd (3.5.44) over (3.5.44) ...
Unpacking passwd (1:4.5-1ubuntu1) ...
dpkg: base-passwd: dependency problems, but configuring anyway as you requested: