LPE FreeBSD, не получается подняться до рута

[fdgdfgrgfgdf]

Доброго времени суток, решаю задачу на площадке, взял юзера но не могу взять рута. Были испробованны известные мною способы, это: поиск сплоитов, открытие шелла через привилигированные тулзы, внедриться в крон джобы, sudo там не стоит, скорее всего нужно как то расковырять рутовые процессы, но нет идей как именно, особенно бросается в глаза рутовый vnc проц, но пароля к нему нет, пытался брутить

Вывод LinEnum:

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.91

[-] Debug Info
[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)



### SYSTEM ##############################################
[-] Kernel information:
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64


[-] Hostname:
Poison


### USER/GROUP ##########################################
[-] Current user/group info:
uid=1001(charix) gid=1001(charix) groups=1001(charix)


[-] Group memberships:
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
uid=0(toor) gid=0(wheel) groups=0(wheel)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(operator) gid=5(operator) groups=5(operator)
uid=3(bin) gid=7(bin) groups=7(bin)
uid=4(tty) gid=65533(nogroup) groups=65533(nogroup)
uid=5(kmem) gid=65533(nogroup) groups=65533(nogroup)
uid=7(games) gid=13(games) groups=13(games)
uid=8(news) gid=8(news) groups=8(news)
uid=9(man) gid=9(man) groups=9(man)
uid=22(sshd) gid=22(sshd) groups=22(sshd)
uid=25(smmsp) gid=25(smmsp) groups=25(smmsp)
uid=26(mailnull) gid=26(mailnull) groups=26(mailnull)
uid=53(bind) gid=53(bind) groups=53(bind)
uid=59(unbound) gid=59(unbound) groups=59(unbound)
uid=62(proxy) gid=62(proxy) groups=62(proxy)
uid=64(_pflogd) gid=64(_pflogd) groups=64(_pflogd)
uid=65(_dhcp) gid=65(_dhcp) groups=65(_dhcp)
uid=66(uucp) gid=66(uucp) groups=66(uucp)
uid=68(pop) gid=6(mail) groups=6(mail)
uid=78(auditdistd) gid=77(audit) groups=77(audit)
uid=80(www) gid=80(www) groups=80(www)
uid=160(_ypldap) gid=160(_ypldap) groups=160(_ypldap)
uid=845(hast) gid=845(hast) groups=845(hast)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=601(_tss) gid=601(_tss) groups=601(_tss)
uid=556(messagebus) gid=556(messagebus) groups=556(messagebus)
uid=558(avahi) gid=558(avahi) groups=558(avahi)
uid=193(cups) gid=193(cups) groups=193(cups)
uid=1001(charix) gid=1001(charix) groups=1001(charix)


LinEnum.sh: [[: not found
[+] It looks like we have password hashes in /etc/passwd!
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh


[-] Contents of /etc/passwd:
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh


[-] Super user account(s):
root
toor


[+] We can read root's home directory!
total 0


[-] Are permissions on /home directories lax:
total 12
drwxr-xr-x 3 root wheel 512B Mar 19 16:08 .
drwxr-xr-x 20 root wheel 1.0K Jul 27 11:26 ..
drwxr-x--- 4 charix charix 512B Jul 27 12:30 charix


[-] Root is allowed to login via SSH:
PermitRootLogin yes


### ENVIRONMENTAL #######################################
[-] Environment information:
VENDOR=amd
SSH_CLIENT=10.10.14.231 39438 22
LOGNAME=charix
PAGER=more
OSTYPE=FreeBSD
MACHTYPE=x86_64
MAIL=/var/mail/charix
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/charix/bin
EDITOR=vi
HOST=Poison
REMOTEHOST=10.10.14.231
OLDPWD=/home/charix
PWD=/home/charix/LinEnum-master
GROUP=charix
TERM=xterm
SSH_TTY=/dev/pts/5
USER=charix
HOME=/home/charix
SSH_CONNECTION=10.10.14.231 39438 10.10.10.84 22
SHELL=/bin/csh
HOSTTYPE=FreeBSD
BLOCKSIZE=K
SHLVL=1


[-] Path information:
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/charix/bin


[-] Available shells:
# $FreeBSD: releng/11.1/etc/shells 59717 2000-04-27 21:58:46Z ache $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh


[-] Current umask value:
0022
u=rwx,g=rx,o=rx


### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root wheel 730 Jul 21 2017 /etc/crontab

/etc/cron.d:
total 8
drwxr-xr-x 2 root wheel 512 Jul 21 2017 .
drwxr-xr-x 27 root wheel 2560 Mar 19 16:21 ..


[-] Crontab contents:
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: releng/11.1/etc/crontab 194170 2009-06-14 06:37:19Z brian $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour mday month wday who command
#
*/5 * * * * root /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11 * * * * operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0 * * * * root newsyslog
#
# Perform daily/weekly/monthly maintenance.
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time. See adjkerntz(8) for details.
1,31 0-5 * * * root adjkerntz -a



### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 100.0 0.0 0 16 - RL 11:26 61:23.23 [idle]
root 0 0.0 0.0 0 160 - DLs 11:26 0:00.28 [kernel]
root 1 0.0 0.1 5408 520 - SLs 11:26 0:00.01 /sbin/init --
root 2 0.0 0.0 0 16 - DL 11:26 0:00.00 [crypto]
root 3 0.0 0.0 0 16 - DL 11:26 0:00.00 [crypto returns]
root 4 0.0 0.0 0 32 - DL 11:26 0:01.77 [cam]
root 5 0.0 0.0 0 16 - DL 11:26 0:00.00 [mpt_recovery0]
root 6 0.0 0.0 0 16 - DL 11:26 0:00.00 [sctp_iterator]
root 7 0.0 0.0 0 16 - DL 11:26 0:01.46 [rand_harvestq]
root 8 0.0 0.0 0 16 - DL 11:26 0:00.00 [soaiod1]
root 9 0.0 0.0 0 16 - DL 11:26 0:00.00 [soaiod2]
root 10 0.0 0.0 0 16 - DL 11:26 0:00.00 [audit]
root 12 0.0 0.1 0 736 - WL 11:26 0:22.03 [intr]
root 13 0.0 0.0 0 48 - DL 11:26 0:00.11 [geom]
root 14 0.0 0.0 0 160 - DL 11:26 0:00.28 [usb]
root 15 0.0 0.0 0 16 - DL 11:26 0:00.00 [soaiod3]
root 16 0.0 0.0 0 16 - DL 11:26 0:00.00 [soaiod4]
root 17 0.0 0.0 0 48 - DL 11:26 0:00.84 [pagedaemon]
root 18 0.0 0.0 0 16 - DL 11:26 0:00.05 [vmdaemon]
root 19 0.0 0.0 0 16 - DL 11:26 0:00.00 [pagezero]
root 20 0.0 0.0 0 32 - DL 11:26 0:00.09 [bufdaemon]
root 21 0.0 0.0 0 16 - DL 11:26 0:00.01 [bufspacedaemon]
root 22 0.0 0.0 0 16 - DL 11:26 0:02.46 [syncer]
root 23 0.0 0.0 0 16 - DL 11:26 0:01.04 [vnlru]
root 319 0.0 0.1 9560 744 - Ss 11:26 0:00.33 /sbin/devd
root 390 0.0 0.2 10500 1668 - Ss 11:26 0:00.24 /usr/sbin/syslogd -s
root 543 0.0 0.3 56320 3084 - S 11:27 0:03.12 /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/v
root 620 0.0 0.4 57812 3964 - Ss 11:27 0:00.05 /usr/sbin/sshd
root 624 0.0 0.4 85228 4440 - Is 11:27 0:00.02 sshd: charix [priv] (sshd)
charix 629 0.0 0.5 85228 4812 - S 11:27 0:00.44 sshd: charix@pts/1 (sshd)
root 633 0.0 0.4 85228 4484 - Is 11:27 0:00.02 sshd: charix [priv] (sshd)
charix 646 0.0 0.7 89324 6660 - I 11:27 0:02.70 sshd: charix@pts/3 (sshd)
root 650 0.0 0.4 99172 4104 - Ss 11:28 0:00.26 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 685 0.0 0.3 20636 3120 - Ss 11:28 0:00.08 sendmail: accepting connections (sendmail)
smmsp 706 0.0 0.1 20636 796 - Is 11:29 0:00.00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
root 710 0.0 0.1 12592 532 - Ss 11:29 0:00.02 /usr/sbin/cron -s
www 779 0.0 0.8 101220 7636 - I 11:30 0:08.29 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 810 0.0 0.8 103268 8580 - I 11:30 0:07.51 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 869 0.0 0.5 85228 4752 - Is 11:34 0:00.01 sshd: charix [priv] (sshd)
www 872 0.0 0.7 101220 6712 - I 11:34 0:07.43 /usr/local/sbin/httpd -DNOHTTPACCEPT
charix 875 0.0 0.5 85228 5136 - I 11:34 0:00.02 sshd: charix@notty (sshd)
charix 886 0.0 0.3 21708 3408 - Is 11:34 0:00.11 -csh (csh)
www 1627 0.0 0.8 101220 8556 - I 12:00 0:00.37 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1628 0.0 0.8 101220 8128 - I 12:00 0:00.38 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1629 0.0 0.5 99172 5088 - I 12:00 0:00.26 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1658 0.0 0.8 103268 8508 - S 12:03 0:00.21 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1730 0.0 0.6 101220 6048 - I 12:06 0:00.15 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1731 0.0 0.5 99172 4860 - I 12:06 0:00.15 /usr/local/sbin/httpd -DNOHTTPACCEPT
www 1732 0.0 0.5 101220 5428 - S 12:06 0:00.15 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 1840 0.0 0.6 85228 5996 - Is 12:11 0:00.03 sshd: charix [priv] (sshd)
charix 1845 0.0 0.6 85228 6100 - I 12:12 0:00.11 sshd: charix@pts/2 (sshd)
root 1859 0.0 0.6 85228 6000 - Is 12:14 0:00.03 sshd: charix [priv] (sshd)
charix 1862 0.0 0.6 85228 6112 - I 12:14 0:00.06 sshd: charix@pts/4 (sshd)
root 1885 0.0 0.6 85228 6088 - Is 12:17 0:00.03 sshd: charix [priv] (sshd)
charix 1892 0.0 0.6 85228 6176 - S 12:17 0:00.08 sshd: charix@pts/5 (sshd)
root 1939 0.0 0.6 85228 6164 - Is 12:21 0:00.02 sshd: charix [priv] (sshd)
charix 1951 0.0 0.6 85228 6272 - S 12:22 0:00.14 sshd: charix@pts/6 (sshd)
root 2005 0.0 0.6 85228 6172 - Is 12:26 0:00.03 sshd: charix [priv] (sshd)
charix 2021 0.0 0.6 85228 6192 - I 12:26 0:00.02 sshd: charix@pts/7 (sshd)
root 2097 0.0 0.6 59920 5760 - Is 12:29 0:00.01 sshd: [accepted] (sshd)
root 529 0.0 0.2 23620 2512 v0- I 11:27 0:00.06 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth
root 540 0.0 0.3 67220 3400 v0- I 11:27 0:00.04 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 541 0.0 0.2 37620 2332 v0- I 11:27 0:00.01 twm
root 757 0.0 0.1 10484 1160 v0 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv0
root 758 0.0 0.1 10484 1160 v1 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv1
root 759 0.0 0.1 10484 1160 v2 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv2
root 760 0.0 0.1 10484 1160 v3 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv3
root 761 0.0 0.1 10484 1160 v4 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv4
root 762 0.0 0.1 10484 1160 v5 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv5
root 763 0.0 0.1 10484 1160 v6 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv6
root 764 0.0 0.1 10484 1160 v7 Is+ 11:29 0:00.00 /usr/libexec/getty Pc ttyv7
root 563 0.0 0.2 19660 1752 0 Is+ 11:27 0:00.02 -csh (csh)
charix 630 0.0 0.3 19660 2704 1 Ss+ 11:27 0:00.26 -csh (csh)
charix 1888 0.0 2.0 195028 20632 1 T 12:17 0:00.10 vim secret
charix 1901 0.0 0.5 24580 4620 1 T 12:17 0:00.02 ssh -L 6000:localhost:5901 root@10.10.14.244
charix 2079 0.0 2.1 195028 20904 1 T 12:29 0:00.08 vim root_pass.txt
charix 1846 0.0 0.3 19660 3184 2 Is+ 12:12 0:00.05 -csh (csh)
charix 647 0.0 0.3 19660 2576 3 Is+ 11:27 0:00.15 -csh (csh)
charix 1481 0.0 2.1 197076 21088 3 T 11:49 0:01.60 vim ex.pl
charix 1863 0.0 0.3 19660 3180 4 Is+ 12:14 0:00.05 -csh (csh)
charix 1893 0.0 0.3 19660 3156 5 Is 12:17 0:00.02 -csh (csh)
charix 1899 0.0 0.3 13180 2596 5 I 12:17 0:00.03 sh
charix 1905 0.0 0.4 19512 3892 5 T 12:18 0:00.01 vi .secret.swp
charix 1918 0.0 2.0 195028 20560 5 T 12:19 0:00.07 vim
charix 1923 0.0 2.0 195028 20632 5 T 12:20 0:00.07 vim secret.zip
charix 2119 0.0 0.3 13180 2780 5 I+ 12:30 0:00.01 sh LinEnum.sh
charix 2120 0.0 0.3 13180 2804 5 S+ 12:30 0:00.01 sh LinEnum.sh
charix 2121 0.0 0.2 8320 1656 5 S+ 12:30 0:00.00 tee -a
charix 2276 0.0 0.2 21208 2352 5 R+ 12:31 0:00.00 ps aux
charix 1952 0.0 0.3 19660 3508 6 Ss+ 12:22 0:00.07 -csh (csh)
charix 2022 0.0 0.3 19660 3280 7 Is+ 12:26 0:00.02 -csh (csh)


[-] Process binaries and associated permissions (from above list):
-r-xr-xr-x 1 root wheel 1203224 Jul 21 2017 /sbin/devd
-r-xr-xr-x 1 root wheel 1081600 Jul 21 2017 /sbin/init
-r-xr-xr-x 1 root wheel 31008 Jul 21 2017 /usr/libexec/getty
-rwxr-xr-x 1 root wheel 42792 Mar 16 00:26 /usr/local/bin/vmtoolsd
-rwxr-xr-x 1 root wheel 788153 Jan 2 2018 /usr/local/sbin/httpd
-r-xr-xr-x 1 root wheel 45304 Jul 21 2017 /usr/sbin/cron
-r-xr-xr-x 1 root wheel 313112 Jul 21 2017 /usr/sbin/sshd
-r-xr-xr-x 1 root wheel 45296 Jul 21 2017 /usr/sbin/syslogd


[-] Contents of /etc/inetd.conf:
# $FreeBSD: releng/11.1/etc/inetd.conf 285253 2015-07-07 20:15:09Z hrs $
#
# Internet server configuration database
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
#ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
#ssh stream tcp6 nowait root /usr/sbin/sshd sshd -i -6
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#shell stream tcp6 nowait root /usr/libexec/rshd rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind
#login stream tcp6 nowait root /usr/libexec/rlogind rlogind
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
#
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns. Only turn on what you
# need.
#
#daytime stream tcp nowait root internal
#daytime stream tcp6 nowait root internal
#daytime dgram udp wait root internal
#daytime dgram udp6 wait root internal
#time stream tcp nowait root internal
#time stream tcp6 nowait root internal
#time dgram udp wait root internal
#time dgram udp6 wait root internal
#echo stream tcp nowait root internal
#echo stream tcp6 nowait root internal
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
#discard stream tcp nowait root internal
#discard stream tcp6 nowait root internal
#discard dgram udp wait root internal
#discard dgram udp6 wait root internal
#chargen stream tcp nowait root internal
#chargen stream tcp6 nowait root internal
#chargen dgram udp wait root internal
#chargen dgram udp6 wait root internal
#
# CVS servers - for master CVS repositories only! You must set the
# --allow-root path correctly or you open a trivial to exploit but
# deadly security hole.
#
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here pserver
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here kserver
#
# RPC based services (you MUST have rpcbind running to use these)
#
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-2 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#pcnfsd/1-2 dgram rpc/udp wait root /usr/local/libexec/rpc.pcnfsd rpc.pcnfsd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
#rquotad/1 dgram rpc/udp6 wait root /usr/libexec/rpc.rquotad rpc.rquotad
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#
# example entry for the optional pop3 server
#
#pop3 stream tcp nowait root /usr/local/libexec/popper popper
#
# example entry for the optional imap4 server
#
#imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
#
# example entry for the optional nntp server
#
#nntp stream tcp nowait news /usr/local/libexec/nntpd nntpd
#
# example entry for the optional uucpd server
#
#uucpd stream tcp nowait root /usr/local/libexec/uucpd uucpd
#
# Return error for all "ident" requests
#
#auth stream tcp nowait root internal
#auth stream tcp6 nowait root internal
#
# Provide internally a real "ident" service which provides ~/.fakeid support,
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
#
#auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
#auth stream tcp6 nowait root internal auth -r -f -n -o UNKNOWN -t 30
#
# Example entry for an external ident server
#
#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120
#
# Example entry for the optional qmail MTA
# NOTE: This is no longer the correct way to handle incoming SMTP
# connections for qmail. Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
# instead.
#
#smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd
#
# Enable the following two entries to enable samba startup from inetd
# (from the Samba documentation). Enable the third entry to enable the swat
# samba configuration tool.
#
#netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
#netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
#swat stream tcp nowait/400 root /usr/local/sbin/swat swat


[-] /usr/local/etc/rc.d binary permissions:
total 60
drwxr-xr-x 2 root wheel 512 Mar 19 13:14 .
drwxr-xr-x 18 root wheel 1024 Jan 24 2018 ..
-r-xr-xr-x 1 root wheel 6230 Jan 2 2018 apache24
-r-xr-xr-x 1 root wheel 881 Jan 2 2018 avahi-daemon
-r-xr-xr-x 1 root wheel 1129 Jan 2 2018 avahi-dnsconfd
-r-xr-xr-x 1 root wheel 539 Jan 20 2018 cupsd
-r-xr-xr-x 1 root wheel 796 Jan 2 2018 dbus
-r-xr-xr-x 1 root wheel 1834 Jan 2 2018 htcacheclean
-r-xr-xr-x 1 root wheel 1061 Jan 2 2018 php-fpm
-r-xr-xr-x 1 root wheel 1239 Jan 20 2018 tcsd
-r-xr-xr-x 1 root wheel 628 Jan 2 2018 tpmd
-r-xr-xr-x 1 root wheel 905 Mar 16 00:26 vmware-guestd
-r-xr-xr-x 1 root wheel 2148 Mar 16 00:26 vmware-kmod
-r-xr-xr-x 1 root wheel 1035 Jan 24 2018 vncserver


### SOFTWARE #############################################
[-] Apache version:
Server version: Apache/2.4.29 (FreeBSD)
Server built: unknown


[-] Installed Apache modules:
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_prefork_module (shared)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
auth_basic_module (shared)
reqtimeout_module (shared)
filter_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
headers_module (shared)
setenvif_module (shared)
version_module (shared)
unixd_module (shared)
status_module (shared)
autoindex_module (shared)
dir_module (shared)
alias_module (shared)
php5_module (shared)


### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/nc
/usr/local/bin/wget


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root wheel 1894 Mar 19 16:21 /etc/passwd
-rw-r--r-- 1 root wheel 546 Mar 19 16:08 /etc/group
-rw-r--r-- 1 root wheel 623 Jul 21 2017 /etc/profile
-rw------- 1 root wheel 2260 Mar 19 16:21 /etc/master.passwd


[+] rhost config file(s) and file contents:
-rw-r----- 1 charix charix 281 Mar 19 16:08 /home/charix/.rhosts
# $FreeBSD: releng/11.1/share/skel/dot.rhosts 50476 1999-08-28 00:22:10Z peter $
#
# .rhosts - trusted remote host name and user data base
#
# see hosts.equiv(5), rsh(1), rlogin(1), rcp(1)
#
# This file should NOT be group or other readable.
# OtherMachine
# OtherMachine myFriend


[+] Hosts.equiv file and contents:
-rw-r--r-- 1 root wheel 116 Jul 21 2017 /etc/hosts.equiv
# $FreeBSD: releng/11.1/etc/hosts.equiv 50472 1999-08-27 23:37:10Z peter $
#
#localhost
#my_very_good_friend.domain


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root wheel 338 Jul 21 2017 /etc/nsswitch.conf
-rw-r--r-- 1 root wheel 5097 Jul 21 2017 /etc/inetd.conf
-rw-r--r-- 1 root wheel 458 Jul 21 2017 /etc/blacklistd.conf
-rw-r--r-- 1 root wheel 295 Jul 21 2017 /etc/nscd.conf
-rw-r--r-- 1 root wheel 1552 Jul 21 2017 /etc/syslog.conf
-rw-r--r-- 1 root wheel 1240 Jul 21 2017 /etc/apmd.conf
-rw-r--r-- 1 root wheel 1993 Jul 21 2017 /etc/devfs.conf
-rw-r--r-- 1 root wheel 567 Jul 21 2017 /etc/ddb.conf
-rw-r--r-- 1 root wheel 2894 Jul 21 2017 /etc/freebsd-update.conf
-rw-r--r-- 1 root wheel 272 Jul 21 2017 /etc/dhclient.conf
-rw-r--r-- 1 root wheel 10224 Jul 21 2017 /etc/devd.conf
-rw-r--r-- 1 root wheel 2070 Jul 21 2017 /etc/newsyslog.conf
-rw-r--r-- 1 root wheel 373 Jan 24 2018 /etc/sysctl.conf
-rw-r--r-- 1 root wheel 6790 Jul 21 2017 /etc/login.conf
-rw-r--r-- 1 root wheel 4077 Jul 21 2017 /etc/ntp.conf
-rw------- 1 root wheel 1699 Jul 21 2017 /etc/nsmb.conf
-rw-r--r-- 1 root wheel 109 Jul 21 2017 /etc/libmap.conf
-rw-r--r-- 1 root wheel 235 Jul 21 2017 /etc/libalias.conf
-rw-r--r-- 1 root wheel 566 Jul 21 2017 /etc/mac.conf
-rw-r--r-- 1 root wheel 1519 Jul 21 2017 /etc/portsnap.conf
-rw-r--r-- 1 root wheel 460 Mar 19 13:20 /etc/rc.conf
-rw-r--r-- 1 root wheel 46 Mar 19 13:13 /etc/resolv.conf
-rw-r--r-- 1 root wheel 46 Jan 24 2018 /etc/host.conf


[-] Any interesting mail in /var/mail:
total 16
drwxrwxr-x 2 root mail 512 Mar 19 16:33 .
drwxr-xr-x 25 root wheel 512 Jul 27 11:26 ..
-rw------- 1 _tss _tss 0 Jan 24 2018 _tss
-rw------- 1 avahi avahi 0 Jan 24 2018 avahi
-rw------- 1 charix charix 0 Mar 19 16:08 charix
-rw------- 1 cups cups 0 Jan 24 2018 cups
-rw------- 1 messagebus messagebus 0 Jan 24 2018 messagebus
-rw------- 1 root wheel 5264 Mar 19 16:33 root


### SCAN COMPLETE ####################################