Enumerating as the asterisk user
Continuing Post Enumeration
System/Kernel
bash-3.2$ file /bin/bash ; uname -a ; cat /etc/*release
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
CentOS release 5.6 (Final)
beep 2.6.18-238.12.1.el5
CentOS release 5.6 (Final)
i386
Networks
bash-3.2$ netstat -antup
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:20004 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5038 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:878 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:4559 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7820/sh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7820/sh
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN 3711/perl
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5038 127.0.0.1:57647 ESTABLISHED -
tcp 0 0 127.0.0.1:57647 127.0.0.1:5038 ESTABLISHED 3711/perl
tcp 0 0 10.10.10.7:443 10.10.14.7:55376 TIME_WAIT -
tcp 0 0 10.10.10.7:443 10.10.14.7:43152 ESTABLISHED 7820/sh
tcp 0 0 10.10.10.7:443 10.10.14.7:43166 TIME_WAIT -
tcp 0 0 10.10.10.7:42967 10.10.14.7:9999 ESTABLISHED 7820/sh
tcp 0 0 10.10.10.7:58017 10.10.14.7:4444 ESTABLISHED 7528/perl
udp 0 0 0.0.0.0:5000 0.0.0.0:* -
udp 0 0 0.0.0.0:10000 0.0.0.0:* -
udp 0 0 0.0.0.0:2727 0.0.0.0:* -
udp 0 0 0.0.0.0:4520 0.0.0.0:* -
udp 0 0 0.0.0.0:5060 0.0.0.0:* -
udp 0 0 0.0.0.0:69 0.0.0.0:* -
udp 0 0 0.0.0.0:4569 0.0.0.0:* -
udp 0 0 0.0.0.0:872 0.0.0.0:* -
udp 0 0 0.0.0.0:875 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 10.10.10.7:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
Users
bash-3.2$ cat /etc/passwd ; ls -lasht /home
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
total 28K
8.0K drwxr-xr-x 22 root root 4.0K Oct 15 16:33 ..
4.0K drwxrwxr-x 2 fanis fanis 4.0K Apr 7 2017 fanis
8.0K drwxr-xr-x 4 root root 4.0K Apr 7 2017 .
8.0K drwx------ 2 spamfilter spamfilter 4.0K Apr 7 2017 spamfilter
fanis
spamfilter
root
SUIDs
bash-3.2$ find / -perm -04000 -ls -type f 2>/dev/null
1648519 72 -rws--x--x 1 root root 63900 Jun 13 2011 /usr/bin/sperl5.8.8
1649250 48 -rwsr-xr-x 1 root root 44932 May 25 2011 /usr/bin/gpasswd
230668 24 -rwsr-xr-x 1 root root 20300 Aug 11 2010 /usr/bin/passwd
230694 180 ---s--x--x 2 root root 174436 Mar 6 2011 /usr/bin/sudo
230607 20 -rws--x--x 1 root root 13496 Mar 10 2011 /usr/bin/chsh
230655 312 -rwsr-sr-x 1 root root 309676 Jan 6 2010 /usr/bin/crontab
230746 48 -rwsr-xr-x 1 root root 43492 Jan 27 2010 /usr/bin/at
1649248 48 -rwsr-xr-x 1 root root 43392 May 25 2011 /usr/bin/chage
230694 180 ---s--x--x 2 root root 174436 Mar 6 2011 /usr/bin/sudoedit
230605 20 -rws--x--x 1 root root 14392 Mar 10 2011 /usr/bin/chfn
1649252 28 -rwsr-xr-x 1 root root 23012 May 25 2011 /usr/bin/newgrp
1771403 16 -r-sr-xr-x 1 root root 14320 Jul 16 2019 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
34978 12 -r-sr-xr-x 1 root root 9532 Jul 16 2019 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
265431 12 -rws--x--x 1 vcsa root 5900 Nov 11 2007 /usr/libexec/mc/cons.saver
98917 184 -rwsr-xr-x 1 root root 176732 Apr 14 2011 /usr/libexec/openssh/ssh-keysign
1704163 12 -rwsr-xr-x 1 root root 6240 Jan 6 2007 /usr/sbin/ccreds_validate
1704023 36 -rws--x--x 1 root root 29564 Feb 27 2009 /usr/sbin/userhelper
1703996 16 -r-s--x--- 1 root apache 11608 May 4 2011 /usr/sbin/suexec
1703984 12 -rwsr-xr-x 1 root root 6896 Feb 1 2011 /usr/sbin/usernetctl
265384 176 -rwsr-xr-x 1 root root 169868 Mar 30 2011 /usr/kerberos/bin/ksu
1310806 60 -rwsr-xr-x 1 root root 53228 Mar 10 2011 /bin/mount
1310809 40 -rwsr-xr-x 1 root root 33744 Mar 10 2011 /bin/umount
1310772 28 -rwsr-xr-x 1 root root 24120 Mar 30 2011 /bin/su
1310736 40 -rwsr-xr-x 1 root root 35832 Sep 26 2009 /bin/ping
1310737 36 -rwsr-xr-x 1 root root 31244 Sep 26 2009 /bin/ping6
753889 48 -rwsr-x--- 1 root dbus 42088 Mar 31 2011 /lib/dbus-1/dbus-daemon-launch-helper
1212540 20 -rwsr-xr-x 1 root root 12376 Nov 1 2010 /sbin/pam_timestamp_check
1212621 80 -rwsr-xr-x 1 root root 71412 Mar 6 2011 /sbin/mount.nfs
1212625 80 -rwsr-xr-x 1 root root 71416 Mar 6 2011 /sbin/umount.nfs
1212626 80 -rwsr-xr-x 1 root root 71416 Mar 6 2011 /sbin/umount.nfs4
1212622 80 -rwsr-xr-x 1 root root 71416 Mar 6 2011 /sbin/mount.nfs4
1212541 24 -rwsr-xr-x 1 root root 19296 Nov 1 2010 /sbin/unix_chkpwd
SGIDs
bash-3.2$ find / -perm -02000 -ls -type f 2>/dev/null
[...]
133444 12 -rwx--s--x 1 root utmp 4672 Feb 27 2009 /usr/libexec/utempter/utempter
1650208 16 -rwxr-sr-x 1 root lock 11008 Jan 9 2007 /usr/sbin/lockdev
1704015 184 -rwxr-sr-x 1 root postdrop 177032 May 31 2011 /usr/sbin/postqueue
1704009 168 -rwxr-sr-x 1 root postdrop 160652 May 31 2011 /usr/sbin/postdrop
1212588 8 -rwxr-sr-x 1 root root 4020 Feb 1 2011 /sbin/netreport
1147694 8 drwxrwsr-x 2 root mailman 4096 Apr 7 2017 /etc/mailman
Note: /etc/mailman is a directory, not a file. It shows up because `-ls` comes before `-type f` in the find command above; find evaluates its expression left to right and `-ls` prints every entry before the type test is reached, so the filter never excludes it. Placing `-type f` before `-ls` keeps the listing to regular files only (the same ordering applies to the SUID search earlier).
Processes
bash-3.2$ ps -auxww | grep -i 'root' --color=auto
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 1 0.0 0.0 2172 672 ? Ss 17:53 0:00 init [3]
root 574 0.0 0.0 2396 688 ? S<s 17:54 0:00 /sbin/udevd -d
root 2316 0.0 0.6 25312 6472 ? Sl 17:54 0:00 /usr/sbin/vmtoolsd
root 2348 0.0 0.8 16124 8348 ? S 17:54 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
root 2463 0.0 0.0 22456 528 ? Ssl 17:54 0:00 brcm_iscsiuio
root 2468 0.0 0.0 3728 524 ? Ss 17:54 0:00 iscsid
root 2469 0.0 0.4 4184 4180 ? S<Ls 17:54 0:00 iscsid
root 2716 0.0 0.0 12636 764 ? S<sl 17:54 0:00 auditd
root 2718 0.0 0.0 12172 684 ? S<sl 17:54 0:00 /sbin/audispd
root 2748 0.0 0.0 1828 628 ? Ss 17:54 0:00 syslogd -m 0
root 2751 0.0 0.0 1776 380 ? Ss 17:54 0:00 klogd -x
root 2818 0.0 0.0 1976 752 ? Ss 17:54 0:00 rpc.statd
root 2850 0.0 0.0 5964 616 ? Ss 17:54 0:00 rpc.idmapd
root 2909 0.0 0.0 1772 528 ? Ss 17:54 0:00 /usr/sbin/acpid
root 2995 0.0 0.1 3272 1108 ? S 17:54 0:00 hald-runner
root 3017 0.0 0.0 2072 684 ? S 17:54 0:00 hald-addon-storage: polling /dev/hdc
root 3055 0.0 0.1 7236 1044 ? Ss 17:54 0:00 /usr/sbin/sshd
root 3074 0.0 0.0 2848 856 ? Ss 17:54 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 3129 0.0 0.1 4636 1280 ? S 17:54 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql
root 3475 0.0 0.1 6996 1768 ? Ss 17:54 0:00 /usr/libexec/postfix/master
root 3491 0.0 0.8 26236 8484 ? Ss 17:54 0:00 /usr/sbin/httpd
root 3522 0.0 0.0 4636 656 ? S 17:54 0:00 /bin/sh /usr/sbin/safe_asterisk -U asterisk -G asterisk
root 3548 0.0 0.1 5392 1116 ? Ss 17:54 0:00 crond
root 3603 0.0 0.3 24452 3964 ? Ss 17:54 0:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
root 3617 0.0 0.0 2372 424 ? Ss 17:54 0:00 /usr/sbin/atd
root 3630 0.0 0.3 24452 3724 ? S 17:54 0:00 /usr/bin/php /opt/elastix/elastix-updater/elxupdaterd
root 3664 0.0 0.0 5716 684 ? Ss 17:54 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3665 0.0 0.0 5716 432 ? S 17:54 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3666 0.0 0.0 5716 420 ? S 17:54 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3667 0.0 0.0 5716 420 ? S 17:54 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3668 0.0 0.0 5716 420 ? S 17:54 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3756 0.0 1.3 19264 13660 ? Ss 17:54 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 3759 0.0 0.0 1760 472 tty1 Ss+ 17:54 0:00 /sbin/mingetty tty1
root 3760 0.0 0.0 1760 476 tty2 Ss+ 17:54 0:00 /sbin/mingetty tty2
root 3761 0.0 0.0 1760 476 tty3 Ss+ 17:54 0:00 /sbin/mingetty tty3
root 3762 0.0 0.0 1760 476 tty4 Ss+ 17:54 0:00 /sbin/mingetty tty4
root 3763 0.0 0.0 1760 472 tty5 Ss+ 17:54 0:00 /sbin/mingetty tty5
root 3764 0.0 0.0 1760 472 tty6 Ss+ 17:54 0:00 /sbin/mingetty tty6
root 4306 0.0 0.2 10088 2888 ? Ss 18:39 0:00 sshd: root@pts/0
root 4311 0.0 0.1 4640 1464 pts/0 Ss 18:39 0:00 -bash
root 4335 0.0 0.1 5028 1272 pts/0 S 18:39 0:00 su asterisk
asterisk 4349 0.0 0.0 4024 720 pts/0 R+ 18:40 0:00 grep -i root --color=auto
crond
Cron & Systemd
bash-3.2$ crontab -l ; cat /etc/crontab
2 * * * * /var/lib/asterisk/bin/freepbx-cron-scheduler.php
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
2 * * * * /var/lib/asterisk/bin/freepbx-cron-scheduler.php
Sudo Version
bash-3.2$ sudo -V
Sudo version 1.7.2p1
Sudo version 1.7.2p1
Glibc Version
bash-3.2$ ldd --version
ldd (GNU libc) 2.5
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
ldd (GNU libc) 2.5