▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------| 
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @carlospolopm                           |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
                               ╚═══════════════════╝
OS: Linux version 5.4.0-109-generic (buildd@ubuntu) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: b2r
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)



Caching directories DONE

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-109-generic (buildd@ubuntu) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Date & uptime
Sat Aug 20 15:33:46 UTC 2022
 15:33:46 up 21 min,  0 users,  load average: 0.40, 0.29, 0.73

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
/dev/disk/by-id/dm-uuid-LVM-S0EQ4vI8gcwzDW214vbvDa0pSxD7eam0nrvgq4EdGPK983HC0NE8QF2Beac29VUP	/	ext4	defaults	0 1
/dev/disk/by-uuid/befd1c80-fe6b-4b86-b4ca-2f372c253599	/boot	ext4	defaults	0 1

╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
OLDPWD=/
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:22753
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
INVOCATION_ID=b362df8aacaa413a9837f4b1748c8dd8
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/dev/shm
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2

╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (xen)

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
                                   ╚═══════════╝
╔══════════╣ Container related tools present
/snap/bin/lxc
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No


                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS Lambda? .......................... No

╔══════════╣ AWS EC2 Enumeration
ami-id: ami-08e1d45cf9c4f052a
instance-action: none
instance-id: i-0afcd77fb3fc17f27
instance-life-cycle: on-demand
instance-type: t2.nano
region: eu-west-1

══╣ Account Info
{
  "Code" : "Success",
  "LastUpdated" : "2022-08-20T15:11:30Z",
  "AccountId" : "739930428441"
}

══╣ Network Info
Mac: 02:d4:b2:e9:e2:e1/
Owner ID: 739930428441
Public Hostname: 
Security Groups: AllowEverything
Private IPv4s:

Subnet IPv4: 10.10.0.0/16
PrivateIPv6s:

Subnet IPv6: 
Public IPv4s:



══╣ IAM Role


══╣ User Data


                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root           1  2.1  2.1 167372 10204 ?        Ss   15:12   0:27 /sbin/init maybe-ubiquity
root         343  0.3  1.9  35048  9232 ?        S<s  15:13   0:04 /lib/systemd/systemd-journald
root         376  0.7  1.1  22180  5680 ?        Ss   15:13   0:09 /lib/systemd/systemd-udevd
root         489  0.0  3.7 280196 17996 ?        SLsl 15:13   0:00 /sbin/multipathd -d -s
systemd+     524  0.1  1.0  90188  5284 ?        Ssl  15:13   0:01 /lib/systemd/systemd-timesyncd
  └─(Caps) 0x0000000002000000=cap_sys_time
systemd+     578  0.0  1.4  26572  6892 ?        Ss   15:14   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+     581  0.1  2.2  23860 10852 ?        Ss   15:14   0:01 /lib/systemd/systemd-resolved
root         601  0.0  1.7 239276  8252 ?        Ssl  15:14   0:00 /usr/lib/accountsservice/accounts-daemon
root         602  0.0  2.5 1158884 12256 ?       Ssl  15:14   0:00 /usr/bin/amazon-ssm-agent
root         737  0.1  3.5 1244272 17208 ?       Sl   15:15   0:02  _ /usr/bin/ssm-agent-worker
root         608  0.0  0.5   6812  2856 ?        Ss   15:14   0:00 /usr/sbin/cron -f
message+     613  0.0  0.8   7576  4276 ?        Ss   15:14   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         627  0.2  2.9  29656 14224 ?        Ss   15:14   0:02 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         629  0.0  1.6 236416  7812 ?        Ssl  15:14   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       634  0.0  0.8 224344  4224 ?        Ssl  15:14   0:00 /usr/sbin/rsyslogd -n -iNONE
root         636  0.6  5.2 742072 25448 ?        Ssl  15:14   0:07 /usr/lib/snapd/snapd
root         640  0.1  1.0  16540  5012 ?        Ss   15:14   0:01 /lib/systemd/systemd-logind
root         642  0.1  2.4 394660 11804 ?        Ssl  15:14   0:01 /usr/lib/udisks2/udisksd
daemon[0m       645  0.0  0.4   3792  2200 ?        Ss   15:14   0:00 /usr/sbin/atd -f
root         689  0.0  0.4   5600  2020 ttyS0    Ss+  15:14   0:00 /sbin/agetty -o -p -- u --keep-baud 115200,38400,9600 ttyS0 vt220
root         695  0.0  0.3   5828  1908 tty1     Ss+  15:14   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root         709  0.0  2.0 314452  9684 ?        Ssl  15:14   0:00 /usr/sbin/ModemManager
root         785  0.2  3.3 107904 16088 ?        Ssl  15:15   0:02 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root         796  0.0  2.1 193436 10216 ?        Ss   15:15   0:00 /usr/sbin/apache2 -k start
www-data     818  0.0  1.4 193888  7028 ?        S    15:15   0:00  _ /usr/sbin/apache2 -k start
www-data     820  0.0  1.3 193880  6340 ?        S    15:15   0:00  _ /usr/sbin/apache2 -k start
www-data     850  0.0  1.4 193880  6924 ?        S    15:15   0:00  _ /usr/sbin/apache2 -k start
www-data    1398  0.0  1.3 193880  6416 ?        S    15:25   0:00  _ /usr/sbin/apache2 -k start
www-data    1443  0.0  1.3 193880  6416 ?        S    15:26   0:00  _ /usr/sbin/apache2 -k start
www-data    1444  0.0  1.4 193880  7020 ?        S    15:26   0:00  _ /usr/sbin/apache2 -k start
www-data    1446  0.0  1.3 193880  6476 ?        S    15:27   0:00  _ /usr/sbin/apache2 -k start
www-data    1447  0.0  1.4 193872  7132 ?        S    15:27   0:00  _ /usr/sbin/apache2 -k start
www-data    1449  0.0  1.3 193880  6416 ?        S    15:27   0:00  _ /usr/sbin/apache2 -k start
www-data    1487  0.0  1.4 193872  7128 ?        S    15:27   0:00  _ /usr/sbin/apache2 -k start
www-data    1633  0.0  1.0  58932  5120 ?        Ss   15:30   0:00 php
www-data    1634  0.0  0.1   2608   528 ?        S    15:30   0:00  _ sh -c uname -a; w; id; /bin/sh -i
www-data    1638  0.0  0.3   2608  1732 ?        S    15:30   0:00      _ /bin/sh -i
www-data    1803  0.1  0.5   3536  2564 ?        S    15:33   0:00          _ /bin/sh ./linpeas.sh
www-data    4708  0.0  0.2   3536  1016 ?        S    15:33   0:00          |   _ /bin/sh ./linpeas.sh
www-data    4712  0.0  0.6   6036  2896 ?        R    15:33   0:00          |   |   _ ps fauxwww
www-data    4711  0.0  0.2   3536  1016 ?        S    15:33   0:00          |   _ /bin/sh ./linpeas.sh
www-data    1804  0.0  0.1   2516   560 ?        S    15:33   0:00          _ tee linlog

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes

╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND    PID TID TASKCMD               USER   FD      TYPE DEVICE SIZE/OFF   NODE NAME

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd Not Found
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root    1042 Feb 13  2020 /etc/crontab

/etc/cron.d:
total 28
drwxr-xr-x   2 root root 4096 May  5 04:38 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  814 May  5 04:38 persistence
-rw-r--r--   1 root root  712 Mar 27  2020 php
-rw-r--r--   1 root root  191 Feb 23 08:54 popularity-contest

/etc/cron.daily:
total 52
drwxr-xr-x   2 root root 4096 May  5 04:38 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  539 Sep 30  2020 apache2
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 May 14  2021 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Feb 23 08:51 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Feb 23 08:51 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Feb 23 08:55 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  403 Aug  5  2021 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                        PASSED               UNIT                         ACTIVATES                     
Sat 2022-08-20 15:39:00 UTC 5min left     Sat 2022-08-20 15:14:39 UTC 19min ago            phpsessionclean.timer        phpsessionclean.service       
Sat 2022-08-20 16:02:54 UTC 29min left    Thu 2022-05-05 03:46:11 UTC 3 months 16 days ago apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sat 2022-08-20 16:12:37 UTC 38min left    n/a                         n/a                  ua-timer.timer               ua-timer.service              
Sat 2022-08-20 19:16:45 UTC 3h 42min left Thu 2022-05-05 03:46:11 UTC 3 months 16 days ago motd-news.timer              motd-news.service             
Sat 2022-08-20 21:38:49 UTC 6h left       Thu 2022-05-05 03:46:11 UTC 3 months 16 days ago apt-daily.timer              apt-daily.service             
Sun 2022-08-21 00:00:00 UTC 8h left       Sat 2022-08-20 15:14:39 UTC 19min ago            logrotate.timer              logrotate.service             
Sun 2022-08-21 00:00:00 UTC 8h left       Sat 2022-08-20 15:14:39 UTC 19min ago            man-db.timer                 man-db.service                
Sun 2022-08-21 00:43:42 UTC 9h left       Thu 2022-05-05 03:46:11 UTC 3 months 16 days ago fwupd-refresh.timer          fwupd-refresh.service         
Sun 2022-08-21 03:10:33 UTC 11h left      Sat 2022-08-20 15:14:39 UTC 19min ago            e2scrub_all.timer            e2scrub_all.service           
Sun 2022-08-21 15:27:53 UTC 23h left      Sat 2022-08-20 15:27:53 UTC 6min ago             systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-08-22 00:00:00 UTC 1 day 8h left Sat 2022-08-20 15:14:39 UTC 19min ago            fstrim.timer                 fstrim.service                
n/a                         n/a           n/a                         n/a                  snapd.snap-repair.timer      snapd.snap-repair.service     
n/a                         n/a           n/a                         n/a                  ua-license-check.timer       ua-license-check.service      

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers

╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/cloud-init.target.wants/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/snap/core20/1328/etc/systemd/system/cloud-init.target.wants/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/snap/core20/1328/usr/lib/systemd/system/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/snap/core20/1328/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1328/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1328/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1328/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1328/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core20/1328/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core20/1328/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1328/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1328/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/cloud-init-hotplugd.socket is calling this writable listener: /run/cloud-init/hook-hotplug-cmd
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/org/kernel/linux/storage/multipathd
/run/dbus/system_bus_socket
  └─(Read Write)
/run/lvm/lvmpolld.socket
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/uuidd/request
  └─(Read Write)
/var/lib/amazon/ssm/ipc/health
/var/lib/amazon/ssm/ipc/termination
/var/snap/lxd/common/lxd/unix.socket

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
Possible weak user policy found on /etc/dbus-1/system.d/org.freedesktop.thermald.conf (        <policy group="power">)

╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                           PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                           524 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -
:1.1                           581 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service    -       -
:1.10                          636 snapd           root             :1.10         snapd.service               -       -
:1.11                          627 networkd-dispat root             :1.11         networkd-dispatcher.service -       -
:1.13                          785 unattended-upgr root             :1.13         unattended-upgrades.service -       -
:1.2                           578 systemd-network systemd-network  :1.2          systemd-networkd.service    -       -
:1.22                         7785 busctl          www-data         :1.22         apache2.service             -       -
:1.3                             1 systemd         root             :1.3          init.scope                  -       -
:1.4                           601 accounts-daemon[0m root             :1.4          accounts-daemon.service     -       -
:1.5                           629 polkitd         root             :1.5          polkit.service              -       -
:1.6                           642 udisksd         root             :1.6          udisks2.service             -       -
:1.7                           709 ModemManager    root             :1.7          ModemManager.service        -       -
:1.8                           640 systemd-logind  root             :1.8          systemd-logind.service      -       -
com.ubuntu.LanguageSelector      - -               -                (activatable) -                           -       -
com.ubuntu.SoftwareProperties    - -               -                (activatable) -                           -       -
io.netplan.Netplan               - -               -                (activatable) -                           -       -
org.freedesktop.Accounts       601 accounts-daemon[0m root             :1.4          accounts-daemon.service     -       -
org.freedesktop.DBus             1 systemd         root             -             init.scope                  -       -
org.freedesktop.ModemManager1  709 ModemManager    root             :1.7          ModemManager.service        -       -
org.freedesktop.PackageKit       - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1     629 polkitd         root             :1.5          polkit.service              -       -
org.freedesktop.UDisks2        642 udisksd         root             :1.6          udisks2.service             -       -
org.freedesktop.UPower           - -               -                (activatable) -                           -       -
org.freedesktop.bolt             - -               -                (activatable) -                           -       -
org.freedesktop.fwupd            - -               -                (activatable) -                           -       -
org.freedesktop.hostname1        - -               -                (activatable) -                           -       -
org.freedesktop.locale1          - -               -                (activatable) -                           -       -
org.freedesktop.login1         640 systemd-logind  root             :1.8          systemd-logind.service      -       -
org.freedesktop.network1       578 systemd-network systemd-network  :1.2          systemd-networkd.service    -       -
org.freedesktop.resolve1       581 systemd-resolve systemd-resolve  :1.1          systemd-resolved.service    -       -
org.freedesktop.systemd1         1 systemd         root             :1.3          init.scope                  -       -
org.freedesktop.thermald         - -               -                (activatable) -                           -       -
org.freedesktop.timedate1        - -               -                (activatable) -                           -       -
org.freedesktop.timesync1      524 systemd-timesyn systemd-timesync :1.0          systemd-timesyncd.service   -       -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
                              ╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
b2r
127.0.0.1 localhost
127.0.1.1 b2r

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0 trust-ad
search eu-west-1.compute.internal

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:d4:b2:e9:e2:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.10.177.92/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2420sec preferred_lft 2420sec
    inet6 fe80::d4:b2ff:fee9:e2e1/64 scope link 
       valid_lft forever preferred_lft forever

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp   LISTEN 0      4096         127.0.0.53%lo:53          0.0.0.0:*            
tcp   LISTEN 0      128                0.0.0.0:22          0.0.0.0:*            
tcp   LISTEN 0      511                      *:80                *:*            
tcp   LISTEN 0      128                   [::]:22             [::]:*            

╔══════════╣ Can I sniff with tcpdump?
No



                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Users with console
lachlan:x:1001:1001::/home/lachlan:/bin/sh
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(lachlan) gid=1001(lachlan) groups=1001(lachlan)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)
uid=111(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=112(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

╔══════════╣ Login now
 15:34:00 up 21 min,  0 users,  load average: 0.46, 0.30, 0.73
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
reboot   system boot  Sat Aug 20 15:12:59 2022   still running                         0.0.0.0
reboot   system boot  Thu May  5 04:55:21 2022 - Thu May  5 04:57:39 2022  (00:02)     0.0.0.0
lachlan  pts/0        Thu May  5 04:39:19 2022 - Thu May  5 04:39:27 2022  (00:00)     192.168.56.1
setup    tty1         Thu May  5 04:37:12 2022 - crash                     (00:18)     0.0.0.0
reboot   system boot  Thu May  5 04:36:47 2022 - Thu May  5 04:57:39 2022  (00:20)     0.0.0.0
setup    tty1         Thu May  5 03:48:01 2022 - down                      (00:02)     0.0.0.0
reboot   system boot  Thu May  5 03:46:00 2022 - Thu May  5 03:50:09 2022  (00:04)     0.0.0.0

wtmp begins Thu May  5 03:46:00 2022

╔══════════╣ Last time logon each user
Username         Port     From             Latest
lachlan          pts/0    192.168.56.1     Thu May  5 04:39:19 +0000 2022

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)

╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!



                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Searching mysql credentials and exec

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-03-16T16:52:53
httpd Not Found

Nginx version: nginx Not Found

══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 May  5 04:38 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 May  5 04:38 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 May  5 04:38 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>




╔══════════╣ Analyzing Rsync Files (limit 70)


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Feb 23 08:54 /etc/ldap


╔══════════╣ Searching ssl/ssh files
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/snap/core20/1328/etc/ssl/certs/ACCVRAIZ1.pem
/snap/core20/1328/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/snap/core20/1328/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/snap/core20/1328/etc/ssl/certs/AffirmTrust_Commercial.pem
/snap/core20/1328/etc/ssl/certs/AffirmTrust_Networking.pem
/snap/core20/1328/etc/ssl/certs/AffirmTrust_Premium.pem
/snap/core20/1328/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/snap/core20/1328/etc/ssl/certs/Amazon_Root_CA_1.pem
/snap/core20/1328/etc/ssl/certs/Amazon_Root_CA_2.pem
/snap/core20/1328/etc/ssl/certs/Amazon_Root_CA_3.pem
/snap/core20/1328/etc/ssl/certs/Amazon_Root_CA_4.pem
/snap/core20/1328/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/snap/core20/1328/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/snap/core20/1328/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/snap/core20/1328/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/snap/core20/1328/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/snap/core20/1328/etc/ssl/certs/CA_Disig_Root_R2.pem
1803PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 May  5 04:38 /etc/pam.d
-rw-r--r-- 1 root root 2133 Dec  2  2021 /etc/pam.d/sshd




╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions
tmux 3.0a


/tmp/tmux-33
╔══════════╣ Analyzing Cloud Init Files (limit 70)

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 Jan 14  2022 /snap/core20/1328/usr/share/keyrings
drwxr-xr-x 2 root root 4096 May  5 03:48 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /snap/core20/1328/etc/pam.d/passwd
passwd file: /snap/core20/1328/etc/passwd
passwd file: /snap/core20/1328/usr/share/bash-completion/completions/passwd
passwd file: /snap/core20/1328/usr/share/lintian/overrides/passwd
passwd file: /snap/core20/1328/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found




╔══════════╣ Analyzing Postfix Files (limit 70)

╔══════════╣ Analyzing FTP Files (limit 70)








╔══════════╣ Analyzing Bind Files (limit 70)

╔══════════╣ Analyzing Other Interesting Files (limit 70)











                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 140K Feb 23 18:25 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 23K Feb 21 12:58 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 51K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Dec  2  2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 67K Feb  7  2022 /usr/bin/su
-rwsr-xr-x 1 root root 44K Jul 14  2021 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 52K Jul 14  2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 39K Feb  7  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 67K Jul 14  2021 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 31K Feb 21 12:58 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 55K Feb  7  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 87K Jul 14  2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 84K Jul 14  2021 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 121K Feb 15  2022 /snap/snapd/14978/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 84K Jul 14  2021 /snap/core20/1328/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 52K Jul 14  2021 /snap/core20/1328/usr/bin/chsh
-rwsr-xr-x 1 root root 87K Jul 14  2021 /snap/core20/1328/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Jul 21  2020 /snap/core20/1328/usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 14  2021 /snap/core20/1328/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 67K Jul 14  2021 /snap/core20/1328/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Jul 21  2020 /snap/core20/1328/usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19  2021 /snap/core20/1328/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 39K Jul 21  2020 /snap/core20/1328/usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-- 1 root systemd-resolve 51K Jun 11  2020 /snap/core20/1328/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Dec  2  2021 /snap/core20/1328/usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 83K Jul 14  2021 /usr/bin/chage
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 14  2021 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 343K Dec  2  2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Feb  7  2022 /usr/bin/wall
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 83K Jul 14  2021 /snap/core20/1328/usr/bin/chage
-rwxr-sr-x 1 root shadow 31K Jul 14  2021 /snap/core20/1328/usr/bin/expiry
-rwxr-sr-x 1 root crontab 343K Dec  2  2021 /snap/core20/1328/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jul 21  2020 /snap/core20/1328/usr/bin/wall
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /snap/core20/1328/usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /snap/core20/1328/usr/sbin/unix_chkpwd

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/snap/core20/1328/usr/bin/ping = cap_net_raw+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3222 Mar 11  2020 sbin.dhclient
-rw-r--r-- 1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r-- 1 root root 28249 Feb 18  2022 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1385 Dec  7  2019 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh

╔══════════╣ Executable files added by user (limit 70)
2022-05-05+03:46:05.2439999400 /etc/console-setup/cached_setup_font.sh
2022-05-05+03:46:05.2439999400 /etc/console-setup/cached_setup_keyboard.sh
2022-05-05+03:46:05.2439999400 /etc/console-setup/cached_setup_terminal.sh
╔══════════╣ Unexpected in root

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 44
drwxr-xr-x   2 root root 4096 May  5 03:48 .
drwxr-xr-x 102 root root 4096 May  5 04:55 ..
-rw-r--r--   1 root root   96 Dec  5  2019 01-locale-fix.sh
-rw-r--r--   1 root root 1557 Feb 17  2020 Z97-byobu.sh
-rwxr-xr-x   1 root root 3417 Nov  3  2021 Z99-cloud-locale-test.sh
-rwxr-xr-x   1 root root  873 Nov  3  2021 Z99-cloudinit-warnings.sh
-rw-r--r--   1 root root  835 Feb 18  2022 apps-bin-path.sh
-rw-r--r--   1 root root  729 Feb  2  2020 bash_completion.sh
-rw-r--r--   1 root root 1003 Aug 13  2019 cedilla-portuguese.sh
-rw-r--r--   1 root root 1107 Nov  3  2019 gawk.csh
-rw-r--r--   1 root root  757 Nov  3  2019 gawk.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)

╔══════════╣ Readable files belonging to root and readable by me but not world readable

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/kern.log
/var/log/syslog
/var/log/auth.log
/var/log/journal/113cfd14aea5442b9c02d5a5f48b55bb/system.journal

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/www-data (limit 20)

╔══════════╣ Files inside others home (limit 20)
/home/lachlan/.profile
/home/lachlan/.bash_logout
/home/lachlan/bin/backup.sh
/home/lachlan/.bashrc
/home/lachlan/.bash_history
/home/lachlan/user.txt

╔══════════╣ Searching installed mail applications

╔══════════╣ Mails (limit 50)

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 lachlan lachlan 56 May  5 04:38 /home/lachlan/bin/backup.sh
-rw-r--r-- 1 root root 9833 Apr  8 08:44 /usr/lib/modules/5.4.0-109-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Apr  8 08:44 /usr/lib/modules/5.4.0-109-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 1413 May  5 03:48 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 1802 Feb 15  2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 44048 Oct 12  2021 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-109/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237986 Apr  8 08:44 /usr/src/linux-headers-5.4.0-109-generic/.config.old
-rw-r--r-- 1 root root 0 Apr  8 08:44 /usr/src/linux-headers-5.4.0-109-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Apr  8 08:44 /usr/src/linux-headers-5.4.0-109-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 11886 May  5 03:43 /usr/share/info/dir.old
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 2743 Feb 23 08:56 /etc/apt/sources.list.curtin.old

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)

╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x  3 root     root     4.0K May  5 04:38 .
drwxr-xr-x 14 root     root     4.0K May  5 04:38 ..
drwxr-xr-x  6 www-data www-data 4.0K May  5 04:38 html

/var/www/html:
total 32K
drwxr-xr-x 6 www-data www-data 4.0K May  5 04:38 .
drwxr-xr-x 3 root     root     4.0K May  5 04:38 ..

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 lachlan lachlan 220 Feb 25  2020 /home/lachlan/.bash_logout
-rw------- 1 root root 0 Jan 14  2022 /snap/core20/1328/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25  2020 /snap/core20/1328/etc/skel/.bash_logout
-rw-r--r-- 1 landscape landscape 0 Feb 23 08:55 /var/lib/landscape/.cleanup.user
-rw-r--r-- 1 root root 220 Feb 25  2020 /etc/skel/.bash_logout
-rw------- 1 root root 0 Feb 23 08:50 /etc/.pwd.lock
-rw------- 1 root root 0 Aug 20 15:15 /run/snapd/lock/.lock
-rw-r--r-- 1 root root 20 Aug 20 15:14 /run/cloud-init/.instance-id
-rw-r--r-- 1 root root 2 Aug 20 15:13 /run/cloud-init/.ds-identify.result

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/dev/shm/linlog
/dev/shm/linpeas.sh
/run/lock
/run/lock/apache2
/run/screen
/snap/core20/1328/run/lock
/snap/core20/1328/tmp
/snap/core20/1328/var/tmp
/tmp
/tmp/tmux-33
/var/cache/apache2/mod_cache_disk
/var/crash
/var/lib/php/sessions
/var/tmp
/var/www/html
/var/www/html/css
/var/www/html/css/custom.css
/var/www/html/cvs
/var/www/html/cvs/index.html
/var/www/html/cvs/shell.pdf.php
/var/www/html/dist
/var/www/html/dist/css
/var/www/html/dist/css/normalize.css
/var/www/html/dist/css/skeleton.css
/var/www/html/dist/images
/var/www/html/images
/var/www/html/index.html
/var/www/html/upload.php

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group www-data:
/dev/shm/linlog
/dev/shm/linpeas.sh

╔══════════╣ Searching passwords in history files
echo -e "dHY5pzmNYoETv7SUaY\nthisistheway123\nthisistheway123" | passwd

╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/python3/dist-packages/cloudinit/config/__pycache__/cc_set_passwords.cpython-38.pyc
/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs

╔══════════╣ Searching passwords inside logs (limit 70)
 base-passwd depends on libc6 (>= 2.8); however:
 base-passwd depends on libdebconfclient0 (>= 0.145); however:
2022-02-23 08:50:00 configure base-passwd:amd64 3.5.47 3.5.47
2022-02-23 08:50:00 install base-passwd:amd64 <none> 3.5.47
2022-02-23 08:50:00 status half-configured base-passwd:amd64 3.5.47
2022-02-23 08:50:00 status half-installed base-passwd:amd64 3.5.47
2022-02-23 08:50:00 status installed base-passwd:amd64 3.5.47
2022-02-23 08:50:00 status unpacked base-passwd:amd64 3.5.47
2022-02-23 08:50:05 status half-configured base-passwd:amd64 3.5.47
2022-02-23 08:50:05 status half-installed base-passwd:amd64 3.5.47
2022-02-23 08:50:05 status unpacked base-passwd:amd64 3.5.47
2022-02-23 08:50:05 upgrade base-passwd:amd64 3.5.47 3.5.47
2022-02-23 08:50:14 install passwd:amd64 <none> 1:4.8.1-1ubuntu5
2022-02-23 08:50:14 status half-installed passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:50:14 status unpacked passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:50:17 configure base-passwd:amd64 3.5.47 <none>
2022-02-23 08:50:17 status half-configured base-passwd:amd64 3.5.47
2022-02-23 08:50:17 status installed base-passwd:amd64 3.5.47
2022-02-23 08:50:17 status unpacked base-passwd:amd64 3.5.47
2022-02-23 08:50:20 configure passwd:amd64 1:4.8.1-1ubuntu5 <none>
2022-02-23 08:50:20 status half-configured passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:50:20 status installed passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:50:20 status unpacked passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:52:18 status half-configured passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:52:18 status half-installed passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:52:18 status unpacked passwd:amd64 1:4.8.1-1ubuntu5
2022-02-23 08:52:18 upgrade passwd:amd64 1:4.8.1-1ubuntu5 1:4.8.1-1ubuntu5.20.04.1
2022-02-23 08:52:19 configure passwd:amd64 1:4.8.1-1ubuntu5.20.04.1 <none>
2022-02-23 08:52:19 status half-configured passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
2022-02-23 08:52:19 status installed passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
2022-02-23 08:52:19 status unpacked passwd:amd64 1:4.8.1-1ubuntu5.20.04.1
2022-05-05 03:46:20,473 - cc_set_passwords.py[DEBUG]: Leaving SSH config 'PasswordAuthentication' unchanged. ssh_pwauth=None
2022-05-05 03:46:20,473 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords ran successfully
2022-05-05 03:46:20,473 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/iid-datasource-none/sem/config_set_passwords - wb: [644] 25 bytes
2022-05-05 04:37:06,411 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-05-05 04:37:06,411 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-05-05 04:55:41,029 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-05-05 04:55:41,029 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
2022-08-20 15:16:00,365 - handlers.py[DEBUG]: finish: modules-config/config-set-passwords: SUCCESS: config-set-passwords previously ran
2022-08-20 15:16:00,365 - helpers.py[DEBUG]: config-set-passwords already ran (freq=once-per-instance)
Preparing to unpack .../base-passwd_3.5.47_amd64.deb ...
Preparing to unpack .../passwd_1%3a4.8.1-1ubuntu5_amd64.deb ...
Selecting previously unselected package base-passwd.
Selecting previously unselected package passwd.
Setting up base-passwd (3.5.47) ...
Setting up passwd (1:4.8.1-1ubuntu5) ...
Shadow passwords are now on.
Unpacking base-passwd (3.5.47) ...
Unpacking base-passwd (3.5.47) over (3.5.47) ...
Unpacking passwd (1:4.8.1-1ubuntu5) ...
[    9.076613] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[   38.055933] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
dpkg: base-passwd: dependency problems, but configuring anyway as you requested:



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'