PEAS


Running automated enumeration (linPEAS) after completing the manual enumeration.

$ scp kali@192.168.45.218:~/PEN-200/PG_PRACTICE/peppo/linpeas.sh .
kali@192.168.45.218's password: 
linpeas.sh                           100%  820KB   4.4MB/s   00:00    
 

Delivery complete: linpeas.sh has been copied from the Kali host onto the target.

Executing PEAS

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2019-13272] PTRACE_TRACEME
 
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},[ debian=9{kernel:4.9.0-*} ],debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.
 
[+] [CVE-2017-16995] eBPF_verifier
 
   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,[ debian=7|8|9|10|11 ],fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-18634] sudo pwfeedback
 
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.
 
[+] [CVE-2019-10149] raptor_exim_wiz
 
   Details: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/46996
 
[+] [CVE-2017-6074] dccp
 
   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
 
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
 
[+] [CVE-2017-1000253] PIE_stack_corruption
 
   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

Containers


  • postgres
  • redmine

Network


╔══════════╣ Interfaces
default		0.0.0.0
loopback	127.0.0.0
link-local	169.254.0.0
 
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:87:bb:a4:ca  txqueuelen 0  (Ethernet)
        RX packets 128577  bytes 55474473 (52.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189066  bytes 20259712 (19.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.60  netmask 255.255.255.0  broadcast 192.168.154.255
        ether 00:50:56:9e:e8:b9  txqueuelen 1000  (Ethernet)
        RX packets 1244825  bytes 133866417 (127.6 MiB)
        RX errors 0  dropped 265  overruns 0  frame 0
        TX packets 431742  bytes 124432799 (118.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth069982c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 5a:51:6a:02:fe:37  txqueuelen 0  (Ethernet)
        RX packets 113  bytes 7835 (7.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145  bytes 12766 (12.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth6f82195: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:0f:9a:09:8e:9b  txqueuelen 0  (Ethernet)
        RX packets 128464  bytes 57266716 (54.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 188925  bytes 20247178 (19.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
 
╔══════════╣ Hostname, hosts and DNS
peppo
127.0.0.1	localhost
127.0.1.1	peppo
 
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 192.168.154.254
 
╔══════════╣ Active Ports
 https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      463/node            
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::5432                 :::*                    LISTEN      -                   

Group Membership (eleanor)


The eleanor user is a member of the docker group.

Installed Programs


Compilers


SSH


Mail


Interesting Files / Directories