PEAS
Conducting automated enumeration after performing basic system enumeration
www-data@THM-Chal:/dev/shm$ ./linpeas_CVE_check.sh > ./PEAS.out
Executing PEAS seems rather challenging due to the limited resources available on the target system.
The shell session isn’t stable either.
CVEs
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
Services
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 1 systemd root :1.0 init.scope - -
:1.1 700 systemd-logind root :1.1 systemd-logind.service - -
:1.11 775 polkitd root :1.11 polkitd.service - -
:1.15 956 whoopsie whoopsie :1.15 whoopsie.service - -
:1.16 954 unattended-upgr root :1.16 unattended-upgrades.se... - -
:1.17 1248 lightdm root :1.17 lightdm.service - -
:1.18 1263 Xorg root :1.18 lightdm.service - -
:1.19 1286 lightdm root :1.19 session-c1.scope c1 -
:1.2 675 avahi-daemon avahi :1.2 avahi-daemon.service - -
:1.22 1303 unity-greeter lightdm :1.22 session-c1.scope c1 -
:1.23 1340 upstart lightdm :1.23 session-c1.scope c1 -
:1.24 1351 indicator-sessi lightdm :1.24 session-c1.scope c1 -
:1.25 1344 indicator-messa lightdm :1.25 session-c1.scope c1 -
:1.26 1346 indicator-power lightdm :1.26 session-c1.scope c1 -
:1.27 1345 indicator-bluet lightdm :1.27 session-c1.scope c1 -
:1.28 1347 indicator-datet lightdm :1.28 session-c1.scope c1 -
:1.30 1397 rtkit-daemon root :1.30 rtkit-daemon.service - -
:1.31 1349 indicator-keybo lightdm :1.31 session-c1.scope c1 -
:1.32 1396 pulseaudio lightdm :1.32 session-c1.scope c1 -
:1.33 1350 indicator-sound lightdm :1.33 session-c1.scope c1 -
:1.34 1353 unity-settings- lightdm :1.34 session-c1.scope c1 -
:1.35 1412 upowerd root :1.35 upower.service - -
:1.36 1342 nm-applet lightdm :1.36 session-c1.scope c1 -
:1.37 1426 colord colord :1.37 colord.service - -
:1.42 1614 cupsd root :1.42 cups.service - -
:1.43 1615 cups-browsed root :1.43 cups-browsed.service - -
:1.44 1615 cups-browsed root :1.44 cups-browsed.service - -
:1.5 647 accounts-daemon root :1.5 accounts-daemon.service - -
:1.60 15445 busctl www-data :1.60 apache2.service - -
:1.8 719 NetworkManager root :1.8 NetworkManager.service - -
com.hp.hplip - - - (activatable) - -
com.ubuntu.LanguageSelector - - - (activatable) - -
com.ubuntu.SoftwareProperties - - - (activatable) - -
com.ubuntu.SystemService - - - (activatable) - -
com.ubuntu.USBCreator - - - (activatable) - -
com.ubuntu.WhoopsiePreferences - - - (activatable) - -
fi.epitest.hostap.WPASupplicant - - - (activatable) - -
fi.w1.wpa_supplicant1 - - - (activatable) - -
org.bluez - - - (activatable) - -
org.debian.apt - - - (activatable) - -
org.freedesktop.Accounts 647 accounts-daemon root :1.5 accounts-daemon.service - -
org.freedesktop.Avahi 675 avahi-daemon avahi :1.2 avahi-daemon.service - -
org.freedesktop.ColorManager 1426 colord colord :1.37 colord.service - -
org.freedesktop.DBus 702 dbus-daemon messagebus org.freedesktop.DBus dbus.service - -
org.freedesktop.DisplayManager 1248 lightdm root :1.17 lightdm.service - -
org.freedesktop.ModemManager1 - - - (activatable) - -
org.freedesktop.NetworkManager 719 NetworkManager root :1.8 NetworkManager.service - -
org.freedesktop.PackageKit - - - (activatable) - -
org.freedesktop.PolicyKit1 775 polkitd root :1.11 polkitd.service - -
org.freedesktop.RealtimeKit1 1397 rtkit-daemon root :1.30 rtkit-daemon.service - -
org.freedesktop.UDisks2 - - - (activatable) - -
org.freedesktop.UPower 1412 upowerd root :1.35 upower.service - -
org.freedesktop.fwupd - - - (activatable) - -
org.freedesktop.hostname1 - - - (activatable) - -
org.freedesktop.locale1 - - - (activatable) - -
org.freedesktop.login1 700 systemd-logind root :1.1 systemd-logind.service - -
org.freedesktop.network1 - - - (activatable) - -
org.freedesktop.nm_dispatcher - - - (activatable) - -
org.freedesktop.resolve1 - - - (activatable) - -
org.freedesktop.systemd1 1 systemd root :1.0 init.scope - -
org.freedesktop.thermald - - - (activatable) - -
org.freedesktop.timedate1 - - - (activatable) - -
org.opensuse.CupsPkHelper.Mechanism - - - (activatable) - -
Network
Sudo Privileges (www-data)
already checked
Users with Console
Compilers
MySQL
SSH