Understanding the tools/scripts you use in a Pentest

Earlier today a student shared with the infosec community that they failed their OSCP exam because they used a popular Linux enumeration tool called linPEAS.

linPEAS is a well-known enumeration script that searches for possible paths to escalate privileges on Linux/Unix* targets.

When reviewing their exam report, we found that part of the exploit chain they submitted was considered by us to be an automated exploit, because this automation is built into linPEAS. linPEAS exploits a sudo token vulnerability: it creates an executable binary and tests it in the background. If the executable works, the script prints a command that the student then runs to escalate their privileges and obtain a root shell.

Here is a snippet from the linPEAS source code that is used to execute the sudo token vulnerability: 

if [ ! "$SUPERFAST" ] && [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ] && [ "$is_gdb" ]; then
    echo "Checking for sudo tokens in other shells owned by current user"
    for pid in $(pgrep '^(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' -u "$(id -u)" 2>/dev/null | grep -v "^$$$"); do
      echo "Injecting process $pid -> "$(cat "/proc/$pid/comm" 2>/dev/null)
      echo 'call system("echo | sudo -S cp /bin/sh /tmp/shrndom >/dev/null
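The snippet above only fires when three conditions hold: Yama's ptrace_scope is 0, gdb is installed, and the user owns other interactive shells. The following is an added defender-side audit (example code, not linPEAS or OffSec code) that evaluates those same preconditions on a host and names the mitigation when the injection path is open; the function names and the yes/no flag convention are this example's own.

```shell
#!/bin/sh
# Added defender-side audit, not linPEAS code: evaluates the preconditions the
# linPEAS snippet guards on (ptrace_scope, a debugger, other shells of the
# same user) and prints the mitigation when the injection path is open.

# ptrace_scope_state [FILE]
# Reads the Yama ptrace_scope value (default: the live sysctl file) and
# prints "open" for 0, "restricted" for 1-3, "unknown" if unreadable.
ptrace_scope_state() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    case "$(tr -dc '0-9' < "$file")" in
        0) echo open ;;
        1|2|3) echo restricted ;;
        *) echo unknown ;;
    esac
}

# other_shells CURRENT_PID   (reads "pid comm" lines from stdin)
# Counts the user's other shells with the same name list as the linPEAS
# pgrep; feed it with: ps -u "$(id -u)" -o pid=,comm= | other_shells $$
other_shells() {
    n=0
    while read -r pid comm; do
        [ "$pid" = "$1" ] && continue
        case "$comm" in
            ash|ksh|csh|dash|bash|zsh|tcsh|sh) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# sudo_token_exposure SCOPE_STATE HAS_GDB(yes|no)
# "exposed" only when both linPEAS guards would pass, "mitigated" otherwise.
sudo_token_exposure() {
    if [ "$1" = open ] && [ "$2" = yes ]; then echo exposed; else echo mitigated; fi
}

main() {  # stand-alone run against the live host
    state=$(ptrace_scope_state)
    if command -v gdb >/dev/null 2>&1; then gdb=yes; else gdb=no; fi
    verdict=$(sudo_token_exposure "$state" "$gdb")
    shells=$(ps -u "$(id -u)" -o pid=,comm= 2>/dev/null | other_shells $$)
    echo "ptrace_scope=$state gdb=$gdb other_shells=$shells -> $verdict"
    [ "$verdict" != exposed ] || echo "mitigate: sysctl -w kernel.yama.ptrace_scope=1; sudoers Defaults timestamp_timeout=0"
}
main
```

Setting ptrace_scope to 1 stops a process from attaching to anything but its own descendants, and timestamp_timeout=0 makes sudo prompt every time, so there is no cached token for another shell to reuse.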

Read More: https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/