System/Kernel


max@sorcerer:~$ uname -a ; cat /etc/*release
Linux sorcerer 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
  • 4.19.0-10-amd64
  • x86_64
  • Debian GNU/Linux 10 (buster)

Networks


max@sorcerer:~$ ip route ; /sbin/arp -a
default via 192.168.113.254 dev ens192 onlink 
192.168.113.0/24 dev ens192 proto kernel scope link src 192.168.113.100 
? (192.168.113.254) at 00:50:56:9e:ad:80 [ether] on ens192
max@sorcerer:~$ netstat -antup4
(No info could be read for "-p": geteuid()=1003 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:43449           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:7742            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:49951           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:34625           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:45551           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0    484 192.168.113.100:22      192.168.45.218:56682    ESTABLISHED -                   
udp        0      0 0.0.0.0:42309           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:35282           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:36944           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:39117           0.0.0.0:*                           -                   

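tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN -
Note: 8005 is bound to loopback only, so it is not reachable from the network. It is Tomcat's default shutdown port and presumably belongs to the tomcat service listed further down. The PID/Program column is empty for every socket because netstat was run without root, so the port-to-process mapping here is inferred, not observed.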

Users & Groups


max@sorcerer:~$ cat /etc/passwd ; ll /home
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:107:65534::/var/lib/nfs:/usr/sbin/nologin
francis:x:1000:1000::/home/francis:/bin/bash
sofia:x:1001:1001::/home/sofia:/bin/bash
miriam:x:1002:1002::/home/miriam:/bin/bash
max:x:1003:1003::/home/max:/bin/bash
dennis:x:1004:1004::/home/dennis:/bin/bash
tomcat:x:1005:1005::/opt/tomcat:/bin/false
total 28K
4.0K drwxr-xr-x  2 dennis  dennis  4.0K Sep 24  2020 dennis
4.0K drwxr-xr-x  3 max     max     4.0K Sep 24  2020 max
4.0K drwxr-xr-x  7 root    root    4.0K Sep 24  2020 .
4.0K drwxr-xr-x  2 miriam  miriam  4.0K Sep 24  2020 miriam
4.0K drwxr-xr-x  2 sofia   sofia   4.0K Sep 24  2020 sofia
4.0K drwxr-xr-x  2 francis francis 4.0K Sep 24  2020 francis
4.0K drwxr-xr-x 18 root    root    4.0K Sep 24  2020 ..
  • francis
  • sofia
  • miriam
  • max
  • dennis
  • tomcat (service account: login shell /bin/false, home /opt/tomcat)
max@sorcerer:~$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=106(_rpc) gid=65534(nogroup) groups=65534(nogroup)
uid=107(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(francis) gid=1000(francis) groups=1000(francis)
uid=1001(sofia) gid=1001(sofia) groups=1001(sofia)
uid=1002(miriam) gid=1002(miriam) groups=1002(miriam)
uid=1003(max) gid=1003(max) groups=1003(max)
uid=1004(dennis) gid=1004(dennis) groups=1004(dennis)
uid=1005(tomcat) gid=1005(tomcat) groups=1005(tomcat)
  • uid=1000(francis) gid=1000(francis) groups=1000(francis)
  • uid=1001(sofia) gid=1001(sofia) groups=1001(sofia)
  • uid=1002(miriam) gid=1002(miriam) groups=1002(miriam)
  • uid=1003(max) gid=1003(max) groups=1003(max)
  • uid=1004(dennis) gid=1004(dennis) groups=1004(dennis)
  • uid=1005(tomcat) gid=1005(tomcat) groups=1005(tomcat)

SUIDs


max@sorcerer:~$ find / -perm -04000 -ls -type f 2>/dev/null
   166328    116 -rwsr-xr-x   1 root     root       114784 Jun 24  2020 /usr/sbin/mount.nfs
   131537     44 -rwsr-xr-x   1 root     root        44200 Jun  3  2019 /usr/sbin/start-stop-daemon
   131139     64 -rwsr-xr-x   1 root     root        63736 Jul 27  2018 /usr/bin/passwd
   164794     36 -rwsr-xr-x   1 root     root        34896 Apr 22  2020 /usr/bin/fusermount
   134752     64 -rwsr-xr-x   1 root     root        63568 Jan 10  2019 /usr/bin/su
   135086     52 -rwsr-xr-x   1 root     root        51280 Jan 10  2019 /usr/bin/mount
   166426     16 -rwsr-xr-x   1 root     root        14664 Oct  9  2019 /usr/bin/vmware-user-suid-wrapper
   134605     44 -rwsr-xr-x   1 root     root        44440 Jul 27  2018 /usr/bin/newgrp
   131134     56 -rwsr-xr-x   1 root     root        54096 Jul 27  2018 /usr/bin/chfn
   135088     36 -rwsr-xr-x   1 root     root        34888 Jan 10  2019 /usr/bin/umount
   131137     84 -rwsr-xr-x   1 root     root        84016 Jul 27  2018 /usr/bin/gpasswd
   131135     44 -rwsr-xr-x   1 root     root        44528 Jul 27  2018 /usr/bin/chsh
      938     12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   152206    428 -rwsr-xr-x   1 root     root       436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign
   148810     52 -rwsr-xr--   1 root     messagebus    51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

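131537 44 -rwsr-xr-x 1 root root 44200 Jun 3 2019 /usr/sbin/start-stop-daemon
Finding: start-stop-daemon is set-uid root here, which is not how Debian normally ships it. Its purpose is to launch other programs, so a set-uid root copy is a local privilege-escalation risk. The fix is to clear the bit (chmod u-s /usr/sbin/start-stop-daemon) and to audit how it came to be set.
Caveat on the command: -ls is placed before -type f, so the type test does not filter what gets listed. Put -type f first, as in the SGID search below.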

SGIDs


max@sorcerer:~$ find / -type f -perm -02000 -ls 2>/dev/null
   131947     40 -rwxr-sr-x   1 root     shadow      39616 Feb 14  2019 /usr/sbin/unix_chkpwd
   136925     44 -rwxr-sr-x   1 root     crontab     43568 Oct 11  2019 /usr/bin/crontab
   132667     36 -rwxr-sr-x   1 root     tty         34896 Jan 10  2019 /usr/bin/wall
   136761     16 -rwxr-sr-x   1 root     tty         14736 May  4  2018 /usr/bin/bsd-write
   152199    316 -rwxr-sr-x   1 root     ssh        321672 Jan 31  2020 /usr/bin/ssh-agent
   131133     72 -rwxr-sr-x   1 root     shadow      71816 Jul 27  2018 /usr/bin/chage
   149025     20 -rwxr-sr-x   1 root     mail        18944 Dec  3  2017 /usr/bin/dotlockfile
   131136     32 -rwxr-sr-x   1 root     shadow      31000 Jul 27  2018 /usr/bin/expiry

Capabilities


max@sorcerer:~$ getcap -r / 2>/dev/null

Processes


max@sorcerer:~$ ps -auxwww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.5 104020 10312 ?        Ss   18:57   0:00 /sbin/init
root       249  0.0  0.4  34796  8268 ?        Ss   18:57   0:00 /lib/systemd/systemd-journald
root       270  0.0  0.0   7688   220 ?        Ss   18:57   0:00 /usr/sbin/blkmapd
root       278  0.0  0.2  22196  5216 ?        Ss   18:57   0:00 /lib/systemd/systemd-udevd
root       290  0.0  0.0 186768   512 ?        Ssl  18:57   0:00 vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid
root       311  0.0  0.0   9080   176 ?        Ss   18:57   0:00 /usr/sbin/rpc.idmapd
root       437  0.0  0.5  48220 10572 ?        Ss   18:57   0:00 /usr/bin/VGAuthService
_rpc       439  0.0  0.1   6824  3740 ?        Ss   18:57   0:00 /sbin/rpcbind -f -w
systemd+   440  0.0  0.3  93084  6468 ?        Ssl  18:57   0:00 /lib/systemd/systemd-timesyncd
root       443  0.0  0.6 123172 12524 ?        Ssl  18:57   0:00 /usr/bin/vmtoolsd
message+   457  0.0  0.1   8980  3764 ?        Ss   18:57   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root       458  0.0  1.2  31760 25112 ?        Ss   18:57   0:00 /usr/sbin/rpc.mountd --manage-gids
root       463  0.0  0.2 225824  4320 ?        Ssl  18:57   0:00 /usr/sbin/rsyslogd -n -iNONE
root       464  0.0  0.3  19308  6328 ?        Ss   18:57   0:00 /lib/systemd/systemd-logind
root       477  0.0  0.3  15852  6972 ?        Ss   18:57   0:00 /usr/sbin/sshd -D
tomcat     503  0.1  7.9 3141816 162320 ?      Sl   18:57   0:03 /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
root       525  0.0  0.1   8476  2776 ?        Ss   18:57   0:00 /usr/sbin/cron -f
root       532  0.0  0.0   5612  1656 tty1     Ss+  18:57   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root       537  0.0  0.0  69740  1724 ?        Ss   18:57   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data   539  0.0  0.2  70352  5872 ?        S    18:57   0:00 nginx: worker process
root       960  0.0  0.3  16136  7192 ?        Ss   19:23   0:00 sshd: max [priv]
max        962  0.0  0.2  16136  4848 ?        S    19:23   0:00 sshd: max@pts/0
max        963  0.0  0.2   9500  4492 pts/0    Ss   19:23   0:00 -bash
max       1027  0.0  0.1  12640  3268 pts/0    R+   19:34   0:00 ps -auxwww
  • root 270 0.0 0.0 7688 220 ? Ss 18:57 0:00 /usr/sbin/blkmapd
  • root 311 0.0 0.0 9080 176 ? Ss 18:57 0:00 /usr/sbin/rpc.idmapd
  • _rpc 439 0.0 0.1 6824 3740 ? Ss 18:57 0:00 /sbin/rpcbind -f -w
  • root 458 0.0 1.2 31760 25112 ? Ss 18:57 0:00 /usr/sbin/rpc.mountd --manage-gids
  • tomcat 503 0.1 7.9 3141816 162320 ? Sl 18:57 0:03 /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
  • root 525 0.0 0.1 8476 2776 ? Ss 18:57 0:00 /usr/sbin/cron -f

Cron & Systemd


max@sorcerer:~$ crontab -l ; cat /etc/crontab ; systemctl list-timers
no crontab for max
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIVATES
Sat 2025-03-29 00:00:00 EDT  4h 24min left Fri 2025-03-28 18:59:20 EDT  36min ago logrotate.timer              logrotate.service
Sat 2025-03-29 00:00:00 EDT  4h 24min left Fri 2025-03-28 18:59:20 EDT  36min ago man-db.timer                 man-db.service
Sat 2025-03-29 06:31:11 EDT  10h left      Fri 2025-03-28 18:59:20 EDT  36min ago apt-daily-upgrade.timer      apt-daily-upgrade.service
Sat 2025-03-29 07:06:18 EDT  11h left      Fri 2025-03-28 18:59:20 EDT  36min ago apt-daily.timer              apt-daily.service
Sat 2025-03-29 19:12:54 EDT  23h left      Fri 2025-03-28 19:12:54 EDT  22min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.se
 
5 timers listed.
Pass --all to see loaded but inactive timers, too.

Services


max@sorcerer:~$ systemctl list-units --state=running
UNIT                              LOAD   ACTIVE SUB     DESCRIPTION                                                  
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope                        loaded active running System and Service Manager                                   
cron.service                      loaded active running Regular background program processing daemon                 
dbus.service                      loaded active running D-Bus System Message Bus                                     
getty@tty1.service                loaded active running Getty on tty1                                                
nfs-blkmap.service                loaded active running pNFS block layout mapping daemon                             
nfs-idmapd.service                loaded active running NFSv4 ID-name mapping service                                
nfs-mountd.service                loaded active running NFS Mount Daemon                                             
nginx.service                     loaded active running A high performance web server and a reverse proxy server     
open-vm-tools.service             loaded active running Service for virtual machines hosted on VMware                
rpcbind.service                   loaded active running RPC bind portmap service                                     
rsyslog.service                   loaded active running System Logging Service                                       
ssh.service                       loaded active running OpenBSD Secure Shell server                                  
systemd-journald.service          loaded active running Journal Service                                              
systemd-logind.service            loaded active running Login Service                                                
systemd-timesyncd.service         loaded active running Network Time Synchronization                                 
systemd-udevd.service             loaded active running udev Kernel Device Manager                                   
tomcat.service                    loaded active running Apache Tomcat Web Application Container                      
vgauth.service                    loaded active running Authentication service for virtual machines hosted on VMware 
dbus.socket                       loaded active running D-Bus System Message Bus Socket                              
rpcbind.socket                    loaded active running RPCbind Server Activation Socket                             
syslog.socket                     loaded active running Syslog Socket                                                
systemd-journald-audit.socket     loaded active running Journal Audit Socket                                         
systemd-journald-dev-log.socket   loaded active running Journal Socket (/dev/log)                                    
systemd-journald.socket           loaded active running Journal Socket                                               
systemd-udevd-control.socket      loaded active running udev Control Socket                                          
systemd-udevd-kernel.socket       loaded active running udev Kernel Socket                                           
 
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
 
27 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
  • nfs-blkmap.service
  • nfs-idmapd.service
  • nfs-mountd.service
  • nginx.service
  • rpcbind.service
  • tomcat.service

Sudo Version


max@sorcerer:~$ sudo --version
-bash: sudo: command not found
max@sorcerer:~$ /sbin/sudo --version
-bash: /sbin/sudo: No such file or directory
max@sorcerer:~$ /bin/sudo --version
-bash: /bin/sudo: No such file or directory
max@sorcerer:~$ doas
-bash: doas: command not found

Glibc Version


max@sorcerer:~$ ldd --version
ldd (Debian GLIBC 2.28-10) 2.28
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

ldd (Debian GLIBC 2.28-10) 2.28