InfoSec LAB

FunboxEasyEnum_Initial_Foothold_UNIX

Created: 10 min read

System/Kernel

www-data@funbox7:/var/www/html$ uname -a ; cat /etc/*release
Linux funbox7 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
  • 4.15.0-117-generic
  • Ubuntu 18.04.5 LTS (Bionic Beaver)
  • x86_64

Networks

www-data@funbox7:/var/www/html$ ip route ; arp -a
default via 192.168.187.254 dev ens192 proto static 
192.168.187.0/24 dev ens192 proto kernel scope link src 192.168.187.132 
_gateway (192.168.187.254) at 00:50:56:9e:ad:80 [ether] on ens192
www-data@funbox7:/var/www/html$ netstat -antup4
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0     17 192.168.187.132:42238   192.168.45.204:9999     ESTABLISHED 2666/sh             
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -

Users & Groups

www-data@funbox7:/var/www/html$ cat /etc/passwd ; ll /home
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
karla:x:1000:1000:karla:/home/karla:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
harry:x:1001:1001:,,,:/home/harry:/bin/bash
sally:x:1002:1002:,,,:/home/sally:/bin/bash
goat:x:1003:1003:,,,:/home/goat:/bin/bash
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
total 28K
4.0K drwxr-xr-x  2 goat   goat   4.0K Feb 16  2021 goat
4.0K drwxr-xr-x  2 karla  karla  4.0K Feb 16  2021 karla
4.0K drwxr-xr-x  2 oracle oracle 4.0K Feb 16  2021 oracle
4.0K drwxr-xr-x  2 sally  sally  4.0K Jan 28  2021 sally
4.0K drwxr-xr-x  2 harry  harry  4.0K Jan 28  2021 harry
4.0K drwxr-xr-x 24 root   root   4.0K Sep 19  2020 ..
4.0K drwxr-xr-x  7 root   root   4.0K Sep 18  2020 .
  • karla
  • harry
  • sally
  • goat
  • oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
  • lissy
www-data@funbox7:/var/www/html$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=103(messagebus) gid=107(messagebus) groups=107(messagebus)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=110(uuidd) groups=110(uuidd)
uid=107(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=108(landscape) gid=112(landscape) groups=112(landscape)
uid=109(pollinate) gid=1(daemon) groups=1(daemon)
uid=110(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(karla) gid=1000(karla) groups=1000(karla),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),111(ssh)
uid=111(mysql) gid=113(mysql) groups=113(mysql)
uid=1001(harry) gid=1001(harry) groups=1001(harry)
uid=1002(sally) gid=1002(sally) groups=1002(sally)
uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)
uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
uid=1005(lissy) gid=1005(lissy) groups=1005(lissy)
  • uid=1001(harry) gid=1001(harry) groups=1001(harry)
  • uid=1002(sally) gid=1002(sally) groups=1002(sally)
  • uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)
  • uid=1004(oracle) gid=1004(oracle) groups=1004(oracle)
  • uid=1005(lissy) gid=1005(lissy) groups=1005(lissy)

SUIDs

www-data@funbox7:/var/www/html$ find / -perm -04000 -ls -type f 2>/dev/null | grep -v '/snap'
   130102     44 -rwsr-xr-x   1 root     root        44664 Mar 22  2019 /bin/su
   130035     32 -rwsr-xr-x   1 root     root        30800 Aug 11  2016 /bin/fusermount
   138602     44 -rwsr-xr-x   1 root     root        43088 Sep 16  2020 /bin/mount
   130086     64 -rwsr-xr-x   1 root     root        64424 Jun 28  2019 /bin/ping
   138603     28 -rwsr-xr-x   1 root     root        26696 Sep 16  2020 /bin/umount
   132376     52 -rwsr-sr-x   1 daemon   daemon      51464 Feb 20  2018 /usr/bin/at
   132774    148 -rwsr-xr-x   1 root     root       149080 Jan 31  2020 /usr/bin/sudo
   132633     40 -rwsr-xr-x   1 root     root        37136 Mar 22  2019 /usr/bin/newuidmap
   132522     76 -rwsr-xr-x   1 root     root        75824 Mar 22  2019 /usr/bin/gpasswd
   132649     60 -rwsr-xr-x   1 root     root        59640 Mar 22  2019 /usr/bin/passwd
   132669     24 -rwsr-xr-x   1 root     root        22520 Mar 27  2019 /usr/bin/pkexec
   132810     20 -rwsr-xr-x   1 root     root        18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   132429     44 -rwsr-xr-x   1 root     root        44528 Mar 22  2019 /usr/bin/chsh
   132427     76 -rwsr-xr-x   1 root     root        76496 Mar 22  2019 /usr/bin/chfn
   132631     40 -rwsr-xr-x   1 root     root        37136 Mar 22  2019 /usr/bin/newgidmap
   132632     40 -rwsr-xr-x   1 root     root        40344 Mar 22  2019 /usr/bin/newgrp
   133184    428 -rwsr-xr-x   1 root     root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   133002     12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
     1452    100 -rwsr-xr-x   1 root     root       100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   132995     44 -rwsr-xr--   1 root     messagebus    42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   133188     16 -rwsr-xr-x   1 root     root          14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1

SGIDs

www-data@funbox7:/var/www/html$ find / -perm -02000 -ls -type f 2>/dev/null | grep -v '/snap'
   130988     36 -rwxr-sr-x   1 root     shadow      34816 Jul 21  2020 /sbin/pam_extrausers_chkpwd
   138937     36 -rwxr-sr-x   1 root     shadow      34816 Jul 21  2020 /sbin/unix_chkpwd
   172568     32 -rwxr-sr-x   1 root     tty         30800 Sep 16  2020 /usr/bin/wall
   132376     52 -rwsr-sr-x   1 daemon   daemon      51464 Feb 20  2018 /usr/bin/at
   132387     16 -rwxr-sr-x   1 root     tty         14328 Jan 17  2018 /usr/bin/bsd-write
   132501     24 -rwxr-sr-x   1 root     shadow      22808 Mar 22  2019 /usr/bin/expiry
   132765    356 -rwxr-sr-x   1 root     ssh        362640 Mar  4  2019 /usr/bin/ssh-agent
   132422     72 -rwxr-sr-x   1 root     shadow      71816 Mar 22  2019 /usr/bin/chage
   132450     40 -rwxr-sr-x   1 root     crontab     39352 Nov 16  2017 /usr/bin/crontab
   132623     44 -rwxr-sr-x   1 root     mlocate     43088 Mar  1  2018 /usr/bin/mlocate
   178051      4 drwxrwsr-x   2 root     staff        4096 Sep 18  2020 /usr/local/share/fonts
   138099      4 drwxrwsr-x   3 root     staff        4096 Aug  6  2020 /usr/local/lib/python3.6
   138100      4 drwxrwsr-x   2 root     staff        4096 Aug  6  2020 /usr/local/lib/python3.6/dist-packages
     2536     12 -rwxr-sr-x   1 root     utmp        10232 Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
    16302      4 drwxr-sr-x   3 root     systemd-journal     4096 Sep 18  2020 /var/log/journal
     3525      4 drwxr-sr-x   2 root     systemd-journal     4096 Apr 30 21:00 /var/log/journal/7eb907a1e82c4e37b03c20faa67cf884
    16167      4 drwxrwsr-x   2 root     mail                4096 Aug  6  2020 /var/mail
    16165      4 drwxrwsr-x   2 root     staff               4096 Apr 24  2018 /var/local

Capabilities

www-data@funbox7:/var/www/html$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep

Processes

www-data@funbox7:/var/www/html$ ps -auxwww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.8 159776  9044 ?        Ss   20:57   0:00 /sbin/init maybe-ubiquity
root       509  0.0  0.9  94924  9688 ?        S<s  20:57   0:00 /lib/systemd/systemd-journald
root       516  0.0  0.1  97708  1712 ?        Ss   20:57   0:00 /sbin/lvmetad -f
root       543  0.0  0.4  45884  4780 ?        Ss   20:57   0:00 /lib/systemd/systemd-udevd
systemd+   729  0.0  0.3 141956  3220 ?        Ssl  20:57   0:00 /lib/systemd/systemd-timesyncd
root       808  0.0  1.0  89864 10684 ?        Ss   20:57   0:00 /usr/bin/VGAuthService
root       809  0.0  0.7 225760  7420 ?        S<sl 20:57   0:01 /usr/bin/vmtoolsd
systemd+   925  0.0  0.5  70660  5436 ?        Ss   20:57   0:00 /lib/systemd/systemd-resolved
root      1014  0.0  0.6 286248  6860 ?        Ssl  20:59   0:00 /usr/lib/accountsservice/accounts-daemon
root      1015  0.0  0.2 161616  2136 ?        Ssl  20:59   0:00 /usr/bin/lxcfs /var/lib/lxcfs/
root      1031  0.0  0.5  62156  5864 ?        Ss   20:59   0:00 /lib/systemd/systemd-logind
syslog    1032  0.0  0.5 263036  5064 ?        Ssl  20:59   0:00 /usr/sbin/rsyslogd -n
root      1033  0.0  0.3  30028  3248 ?        Ss   20:59   0:00 /usr/sbin/cron -f
daemon    1034  0.0  0.2  28332  2492 ?        Ss   20:59   0:00 /usr/sbin/atd -f
root      1057  0.0  1.7 169100 17264 ?        Ssl  20:59   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
message+  1059  0.0  0.4  50052  4712 ?        Ss   20:59   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root      1166  0.0  0.6  72304  6436 ?        Ss   20:59   0:00 /usr/sbin/sshd -D
root      1172  0.0  2.0 185948 20252 ?        Ssl  20:59   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root      1230  0.0  0.1  14888  2016 tty1     Ss+  20:59   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root      1231  0.0  0.6 288884  6528 ?        Ssl  20:59   0:00 /usr/lib/policykit-1/polkitd --no-debug
root      1312  0.0  2.5 489740 25680 ?        Ss   20:59   0:00 /usr/sbin/apache2 -k start
mysql     1319  0.0 17.6 1162520 177688 ?      Sl   20:59   0:00 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
systemd+  1824  0.0  0.5  71884  5596 ?        Ss   21:00   0:00 /lib/systemd/systemd-networkd
www-data  2199  0.0  2.4 496632 24700 ?        S    21:06   0:00 /usr/sbin/apache2 -k start
www-data  2666  0.0  0.0   4628   860 ?        S    21:39   0:00 sh -c bash
www-data  2667  0.0  0.3  18376  3100 ?        S    21:39   0:00 bash
www-data  2684  0.0  0.9  37296  9476 ?        S    21:43   0:00 python3 -c import pty; pty.spawn("/bin/bash")
www-data  2685  0.0  0.3  18508  3540 pts/0    Ss   21:43   0:00 /bin/bash
www-data  2801  0.0  0.3  36700  3128 pts/0    R+   21:52   0:00 ps -auxwww
  • root 1033 0.0 0.3 30028 3248 ? Ss 20:59 0:00 /usr/sbin/cron -f
  • mysql 1319 0.0 17.6 1162520 177688 ? Sl 20:59 0:00 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid

Cron & Systemd

www-data@funbox7:/var/www/html$ crontab -l ; cat /etc/crontab ; systemctl list-timers
no crontab for www-data
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
NEXT                         LEFT         LAST                         PASSED   
Wed 2025-04-30 22:09:00 UTC  14min left   Wed 2025-04-30 21:39:01 UTC  15min ago
Thu 2025-05-01 01:56:11 UTC  4h 1min left Wed 2025-04-30 21:00:04 UTC  54min ago
Thu 2025-05-01 06:15:40 UTC  8h left      Wed 2025-04-30 21:00:09 UTC  54min ago
Thu 2025-05-01 13:09:43 UTC  15h left     Wed 2025-04-30 21:00:07 UTC  54min ago
Thu 2025-05-01 21:13:18 UTC  23h left     Wed 2025-04-30 21:13:18 UTC  41min ago
Mon 2025-05-05 00:00:00 UTC  4 days left  Wed 2025-04-30 21:00:04 UTC  54min ago
 
6 timers listed.
Pass --all to see loaded but inactive timers, too.

Services

www-data@funbox7:/var/www/html$ systemctl list-units --state=running
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION              
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable Fil
init.scope                      loaded active running System and Service Manager
accounts-daemon.service         loaded active running Accounts Service         
apache2.service                 loaded active running The Apache HTTP Server   
atd.service                     loaded active running Deferred execution schedul
cron.service                    loaded active running Regular background program
dbus.service                    loaded active running D-Bus System Message Bus 
getty@tty1.service              loaded active running Getty on tty1            
lvm2-lvmetad.service            loaded active running LVM2 metadata daemon     
lxcfs.service                   loaded active running FUSE filesystem for LXC  
mysql.service                   loaded active running MySQL Community Server   
networkd-dispatcher.service     loaded active running Dispatcher daemon for syst
open-vm-tools.service           loaded active running Service for virtual machin
polkit.service                  loaded active running Authorization Manager    
rsyslog.service                 loaded active running System Logging Service   
ssh.service                     loaded active running OpenBSD Secure Shell serve
systemd-journald.service        loaded active running Journal Service          
systemd-logind.service          loaded active running Login Service            
systemd-networkd.service        loaded active running Network Service          
systemd-resolved.service        loaded active running Network Name Resolution  
systemd-timesyncd.service       loaded active running Network Time Synchronizati
systemd-udevd.service           loaded active running udev Kernel Device Manager
unattended-upgrades.service     loaded active running Unattended Upgrades Shutdo
vgauth.service                  loaded active running Authentication service for
dbus.socket                     loaded active running D-Bus System Message Bus S
lvm2-lvmetad.socket             loaded active running LVM2 metadata daemon socke
syslog.socket                   loaded active running Syslog Socket            
systemd-journald-audit.socket   loaded active running Journal Audit Socket     
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket         loaded active running Journal Socket           
systemd-networkd.socket         loaded active running Network Service Netlink So
systemd-udevd-control.socket    loaded active running udev Control Socket      
systemd-udevd-kernel.socket     loaded active running udev Kernel Socket       
 
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
 
33 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
  • apache2.service
  • mysql.service

Sudo Version

www-data@funbox7:/var/www/html$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

Sudo version 1.8.21p2

Glibc Version

www-data@funbox7:/var/www/html$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.2) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

ldd (Ubuntu GLIBC 2.27-3ubuntu1.2) 2.27

Interactive Graph View

Backlinks