Automated enumeration
PEAS
hype@valentine:/tmp$ ./linpeas.sh
linpeas-ng by carlospolop
advisory: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
linux privesc checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
legend:
red/yellow: 95% a PE vector
red: You should take a look to it
lightcyan: Users with console
blue: Users without console & mounted devs
green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
lightmagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
os: Linux version 3.2.0-23-generic (buildd@crested) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012
user & groups: uid=1000(hype) gid=1000(hype) groups=1000(hype),24(cdrom),30(dip),46(plugdev),124(sambashare)
hostname: Valentine
writable folder: /home/hype
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
linux version 3.2.0-23-generic (buildd@crested) (gcc version 4.6.3 (ubuntu/linaro 4.6.3-1ubuntu4) ) #36-ubuntu smp tue apr 10 20:39:51 UTC 2012
distributor id: Ubuntu
description: Ubuntu 12.04 LTS
release: 12.04
codename: precise
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.3p1
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
./linpeas.sh: 1196: ./linpeas.sh: systemctl: not found
./linpeas.sh: 1197: ./linpeas.sh: [[: not found
./linpeas.sh: 1197: ./linpeas.sh: rpm: not found
./linpeas.sh: 1197: ./linpeas.sh: 0: not found
./linpeas.sh: 1207: ./linpeas.sh: [[: not found
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
new path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
╔══════════╣ Date & uptime
sat oct 8 11:48:45 PDT 2022
11:48:45 up 20:52, 1 user, load average: 0.58, 0.34, 0.27
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Unmounted file-system?
╚ Check if you can mount unmounted devices
proc /proc proc nodev,noexec,nosuid 0 0
UUID=95d83c75-2be1-4714-bd77-fed615f4b5d9 / ext4 errors=remount-ro 0 1
/dev/sda5 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
LESSOPEN=| /usr/bin/lesspipe %s
HISTFILESIZE=0
MAIL=/var/mail/hype
SSH_CLIENT=10.10.14.5 45130 22
USER=hype
SHLVL=1
HOME=/home/hype
OLDPWD=/
XDG_SESSION_COOKIE=c9052f1b76300a5447f46cc700000004-1665252723.282881-2143221558
SSH_TTY=/dev/pts/1
LOGNAME=hype
_=./linpeas.sh
TERM=xterm-256color
path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
LANG=en_US.UTF-8
HISTSIZE=0
ls_colors=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/tmp
SSH_CONNECTION=10.10.14.5 45130 10.10.10.79 22
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow
details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exposure: highly probable
tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
download url: https://www.exploit-db.com/download/40611
comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exposure: highly probable
tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
download url: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2013-2094] perf_swevent
details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exposure: highly probable
tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
download url: https://www.exploit-db.com/download/26131
comments: No SMEP/SMAP bypass
[+] [CVE-2013-2094] perf_swevent 2
details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exposure: highly probable
tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
download url: https://cyseclabs.com/exploits/vnik_v1.c
comments: No SMEP/SMAP bypass
[+] [CVE-2021-4034] PwnKit
details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
exposure: probable
tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
download url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2015-3202] fuse (fusermount)
details: http://seclists.org/oss-sec/2015/q2/520
exposure: probable
tags: debian=7.0|8.0,[ ubuntu=* ]
download url: https://www.exploit-db.com/download/37089
comments: Needs cron or system admin interaction
[+] [CVE-2014-4699] ptrace/sysret
details: http://www.openwall.com/lists/oss-security/2014/07/08/16
exposure: probable
tags: [ ubuntu=12.04 ]
download url: https://www.exploit-db.com/download/34134
[+] [CVE-2014-4014] inode_capable
details: http://www.openwall.com/lists/oss-security/2014/06/10/4
exposure: probable
tags: [ ubuntu=12.04 ]
download url: https://www.exploit-db.com/download/33824
[+] [CVE-2021-3156] sudo Baron Samedit
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: less probable
tags: mint=19,ubuntu=18|20, debian=10
download url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
exposure: less probable
tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
download url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
exposure: less probable
tags: ubuntu=20.04{kernel:5.8.0-*}
download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
exposure: less probable
tags: mint=19
download url: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
exposure: less probable
download url:
comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2018-1000001] RationalLove
details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
exposure: less probable
tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
download url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
comments: kernel.unprivileged_userns_clone=1 required
[+] [CVE-2017-7308] af_packet
details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
exposure: less probable
tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
details: http://www.openwall.com/lists/oss-security/2017/02/22/3
exposure: less probable
tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
download url: https://www.exploit-db.com/download/41458
comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
exposure: less probable
tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
download url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
exposure: less probable
tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
download url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2016-2384] usb-midi
details: https://xairy.github.io/blog/2016/cve-2016-2384
exposure: less probable
tags: ubuntu=14.04,fedora=22
download url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-9322] BadIRET
details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
exposure: less probable
tags: RHEL<=7,fedora=20
download url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exposure: less probable
tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
download url: https://www.exploit-db.com/download/39166
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exposure: less probable
download url: https://www.exploit-db.com/download/39230
[+] [CVE-2014-5207] fuse_suid
details: https://www.exploit-db.com/exploits/34923/
exposure: less probable
download url: https://www.exploit-db.com/download/34923
[+] [CVE-2014-0196] rawmodePTY
details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exposure: less probable
download url: https://www.exploit-db.com/download/33516
[+] [CVE-2013-2094] semtex
details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exposure: less probable
tags: RHEL=6
download url: https://www.exploit-db.com/download/25444
[+] [CVE-2013-1959] userns_root_sploit
details: http://www.openwall.com/lists/oss-security/2013/04/29/1
exposure: less probable
download url: https://www.exploit-db.com/download/25450
[+] [CVE-2013-0268] msr
details: https://www.exploit-db.com/exploits/27297/
exposure: less probable
download url: https://www.exploit-db.com/download/27297
[+] [CVE-2012-0809] death_star (sudo)
details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exposure: less probable
tags: fedora=16
download url: https://www.exploit-db.com/download/18436
- Vulnerable to CVE-2021-4034
- [CVE-2016-5195] dirtycow