InfoSec LAB

Nukem_Automated

Created: 3 min read

PEAS

Conducting an automated enumeration after performing a manual enumeration Due to the presence of a heavily enforced firewall, file transfer was not possible as the hhtp account. Now that I have made the lateral movement to the commander user via SSH, I can attempt to transfer the file via scp

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ sshpass -p CommanderKeenVorticons1990 scp ./linpeas.sh commander@$IP:/var/tmp

Delivery complete

Executing PEAS

CVEs

╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
 
   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
 
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: less probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

Services

╔══════════╣ D-Bus Service Objects list
 https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus
NAME                            PID PROCESS         USER            CONNECTION    UNIT                     SESSION DESCRIPTION
:1.0                            254 systemd-logind  root            :1.0          systemd-logind.service   -       -
:1.1                              1 systemd         root            :1.1          init.scope               -       -
:1.13                           425 systemd         lightdm         :1.13         user@974.service         -       -
:1.14                           415 xfce4-session   commander       :1.14         session-1.scope          1       -
:1.15                           469 polkitd         polkitd         :1.15         polkit.service           -       -
:1.16                           438 lightdm-gtk-gre lightdm         :1.16         session-c1.scope         c1      -
:1.17                           511 panel-9-power-m commander       :1.17         session-1.scope          1       -
:1.18                           536 xfce4-power-man commander       :1.18         session-1.scope          1       -
:1.20                           522 upowerd         root            :1.20         upower.service           -       -
:1.21                           532 polkit-gnome-au commander       :1.21         session-1.scope          1       -
:1.22                           553 smbd            root            :1.22         smb.service              -       -
:1.23                           667 systemd-network systemd-network :1.23         systemd-networkd.service -       -
:1.3                            308 lightdm         root            :1.3          lightdm.service          -       -
:1.4                            370 Xorg            root            :1.4          lightdm.service          -       -
:1.59                          8797 busctl          commander       :1.59         session-7.scope          7       -
:1.8                            386 systemd         commander       :1.8          user@1000.service        -       -
:1.9                            421 lightdm         root            :1.9          session-c1.scope         c1      -
org.freedesktop.Avahi             - -               -               (activatable) -                        -       -
org.freedesktop.ColorManager      - -               -               (activatable) -                        -       -
org.freedesktop.DBus              1 systemd         root            -             init.scope               -       -
org.freedesktop.DisplayManager  308 lightdm         root            :1.3          lightdm.service          -       -
org.freedesktop.PolicyKit1      469 polkitd         polkitd         :1.15         polkit.service           -       -
org.freedesktop.UPower          522 upowerd         root            :1.20         upower.service           -       -
org.freedesktop.home1             - -               -               (activatable) -                        -       -
org.freedesktop.hostname1         - -               -               (activatable) -                        -       -
org.freedesktop.import1           - -               -               (activatable) -                        -       -
org.freedesktop.locale1           - -               -               (activatable) -                        -       -
org.freedesktop.login1          254 systemd-logind  root            :1.0          systemd-logind.service   -       -
org.freedesktop.machine1          - -               -               (activatable) -                        -       -
org.freedesktop.network1        667 systemd-network systemd-network :1.23         systemd-networkd.service -       -
org.freedesktop.portable1         - -               -               (activatable) -                        -       -
org.freedesktop.resolve1          - -               -               (activatable) -                        -       -
org.freedesktop.systemd1          1 systemd         root            :1.1          init.scope               -       -
org.freedesktop.timedate1         - -               -               (activatable) -                        -       -
org.freedesktop.timesync1         - -               -               (activatable) -                        -       -

Network

Sessions

Web

DB

Already enumerated

SSH

SUID

  • /usr/bin/dosbox
  • /usr/bin/sg

Interactive Graph View

Backlinks