From 84524dfac51e6ff291dfbe9a5cf22ea521c1f6ea Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 23 Dec 2021 20:38:39 -0500 Subject: [PATCH 1/2] log4j --- linPEAS/README.md | 129 ++++-------------- .../linpeas_parts/6_software_information.sh | 31 ++--- linPEAS/builder/linpeas_parts/linpeas_base.sh | 2 +- 3 files changed, 36 insertions(+), 126 deletions(-) diff --git a/linPEAS/README.md b/linPEAS/README.md index c9c7389..ec5355e 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md 
@@ -67,16 +67,37 @@ By default linpeas takes around **4 mins** to complete, but It could take from * - 20s/user bruteforce with top2000 passwords *(need `-a`)* - Notice that this check is **super noisy** - 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted -**Other parameters:** +**Interesting parameters:** - **-a** (all checks) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.** - **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default** - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk) - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users -- **-d** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took +- **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took +- **-d/-p/-i/-t** (Local Network Enumeration) - Linpeas can also discover and port-scan local networks This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector. -![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/help.png) +``` +Enumerate and search Privilege Escalation vectors. +This tool enum and search possible misconfigurations (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...) inside the host and highlight possible misconfigurations with colors. 
+ -h To show this message + -q Do not show banner + -e Perform extra enumeration + -s SuperFast (don't check some time consuming checks) - Stealth mode + -a All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly + -w Wait execution between big blocks of checks + -N Do not use colours + -D Debug mode + -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' + -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files). Select a comma separated list. + -L Force linpeas execution. + -M Force macpeas execution. + -d Discover hosts using fping or ping. Ex: -d 192.168.0.1/24 + -p -d Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139 + -i [-p ] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 + -t Automatic network scan (host discovery and port scanning) - This option writes to files + Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed +``` ## Hosts Discovery and Port Scanning @@ -137,7 +158,7 @@ The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is -## One liner +## One-liner Enumerator Here you have an old linpe version script in one line, **just copy and paste it**;) 
@@ -151,106 +172,6 @@ The default file where all the data is stored is: */tmp/linPE* (you can change i ```sh file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> 
$file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> 
$file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? 
Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | 
head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l; ``` -## What does linpeas look for -
- Details - -- **System Information** - - [x] SO & kernel version - - [x] Sudo version - - [x] USBCreator PE - - [x] PATH - - [x] Date - - [x] System stats - - [x] Environment vars - - [x] AppArmor, grsecurity, Execshield, PaX, SElinux, ASLR - - [x] Printers - - [x] Dmesg (signature verifications) - - [x] Container? - -- **Devices** - - [x] sd* in /dev - - [x] Unmounted filesystems - -- **Available Software** - - [x] Useful software - - [x] Installed compilers - -- **Processes, Cron, Services, Timers & Sockets** - - [x] Cleaned processes - - [x] Binary processes permissions - - [x] Different processes executed during 1 min - - [x] Cron jobs - - [x] Services (list, writable .service, writable services binaries, systemd path, service binaries using relative path) - - [x] All timers (list, writable .timer, writable binaries, relative paths) - - [x] Sockets - - [x] D-Bus - -- **Network Information** - - [x] Hostname, hosts & dns - - [x] Content of /etc/inetd.conf - - [x] Networks and neighbours - - [x] Iptables rules - - [x] Active ports - - [x] Sniff permissions (tcpdump) - -- **Users Information** - - [x] Info about current user - - [x] PGP keys - - [x] `sudo -l` without password - - [x] doas config file - - [x] Pkexec policy - - [x] Try to login using `su` as other users (using as passwords: null pass, username, reverse username, and top2000pwds) - - [x] List of superusers - - [x] List of users with console - - [x] Login info (now, last logons, last time each user) - - [x] List of all users - - [x] Clipboard and highlighted text - - [x] Password policy - -- **Software Information** - - [x] Check out [sensitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml) - -- **Generic Interesting Files** - - [x] SUID & SGID files - - [x] Capabilities - - [x] /etc/ld.so.conf.d/ - - [x] Users with capabilities - - [x] Files with ACLs - - [x] .sh scripts in PATH - - [x] scripts in /etc/profile.d - - 
[x] scripts in init, init.d and systemd - - [x] Hashes (passwd, group, shadow & master.passwd) - - [x] Credentials in fstab - - [x] Try to read root dir - - [x] Files owned by root inside /home - - [x] List of readable files belonging to root and not world readable - - [x] Files modified in the last 5 minutes - - [x] Log files (logrotten) - - [x] Others files inside a folder owned by the current user - - [x] Reduced list of files inside my home and /home - - [x] Mail applications - - [x] Mails - - [x] Backup files - - [x] DB files - - [x] Web files - - [x] Files that can contain passwords (and search for passwords inside *_history files) - - [x] List of all hidden files - - [x] List ALL writable files for current user (global, user and groups) - - [x] Inside /tmp, /var/tmp and /var/backups - - [x] Password ins config PHP files - - [x] Get IPs, passwords and emails from logs - - [x] password or credential files in home - - [x] "pwd" and "passw" inside files (and get most probable lines) - - [x] Check for posible variable names containing credentials in files - - [x] Find "username" in fils - - [x] Specific hashes (blowfish, joomla&vbulletin, phpbb3, wp, drupal, linuxmd5, apr1md5, sha512crypt, apachesha) - - [x] Generic hashes MD5, SHA1, SHA256, SHA512 -
- -## Please, if this tool has been useful for you consider to donate - -[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass) ## PEASS Style diff --git a/linPEAS/builder/linpeas_parts/6_software_information.sh b/linPEAS/builder/linpeas_parts/6_software_information.sh index 4f9cc66..fd45103 100644 --- a/linPEAS/builder/linpeas_parts/6_software_information.sh +++ b/linPEAS/builder/linpeas_parts/6_software_information.sh @@ -72,7 +72,6 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; else echo_no fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi #-- SI) Mysql credentials @@ -109,7 +108,6 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED}," fi done -elif [ "$DEBUG" ]; then echo_not_found fi echo "" @@ -140,7 +138,6 @@ if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some O else echo_no fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{Mongo} @@ -177,9 +174,17 @@ peass{Anaconda ks} peass{VNC} +peass{OpenVPN} + peass{Ldap} -peass{OpenVPN} +if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then + print_2title "Searching Log4Shell vulnerable libraries" + printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do + echo "$f" | grep -E "log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},"; + done + echo "" +fi #-- SI) ssh files print_2title "Searching ssl/ssh files" @@ -274,7 +279,6 @@ if [ "$pamdpass" ] || [ "$DEBUG" ]; then print_2title "Passwords inside pam.d" grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{NFS Exports} 
@@ -331,7 +335,6 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ klist 2>/dev/null || echo_not_found "klist" echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{Knockd} @@ -341,8 +344,8 @@ peass{Kibana} peass{Elasticsearch} ##-- SI) Logstash -print_2title "Searching logstash files" if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then + print_2title "Searching logstash files" printf "$PSTORAGE_LOGSTASH" printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do if [ -r "$d/startup.options" ]; then @@ -352,7 +355,6 @@ if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED}," cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED}," done -elif [ "$DEBUG" ]; then echo_not_found fi echo "" @@ -364,7 +366,6 @@ if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$DEBUG" ]; then echo "" vault secrets list 2>/dev/null printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null -elif [ "$DEBUG" ]; then echo_not_found "vault-ssh-helper.hcl" fi echo "" @@ -374,7 +375,6 @@ if [ "$adhashes" ] || [ "$DEBUG" ]; then print_2title "Searching AD cached hashes" ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null echo "" -elif [ "$DEBUG" ]; then echo_not_found fi #-- SI) Screen sessions @@ -391,7 +391,6 @@ if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi #-- SI) Tmux sessions @@ -408,7 +407,6 @@ if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{CouchDB} 
@@ -431,7 +429,6 @@ if [ "$dovecotpass" ] || [ "$DEBUG" ]; then done fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{Mosquitto} @@ -470,7 +467,6 @@ if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then fi done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then @@ -481,7 +477,6 @@ if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi ##-- SI) Gitlab @@ -515,7 +510,6 @@ if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$ echo "" done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{Github} @@ -538,7 +532,6 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then ctr image list fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi ##-- SI) runc installed @@ -550,7 +543,6 @@ if [ "$runc" ] || [ "$DEBUG" ]; then echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi #-- SI) Docker @@ -564,7 +556,6 @@ if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then fi done echo "" -elif [ "$DEBUG" ]; then echo_not_found fi if [ -d "$HOME/.kube" ] || [ -d "/etc/kubernetes" ] || [ -d "/var/lib/localkube" ] || [ "`(env | set) | grep -Ei 'kubernetes|kube' | grep -v "PSTORAGE_KUBELET|USEFUL_SOFTWARE"`" ] || [ "$DEBUG" ]; then @@ -595,7 +586,6 @@ if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ " else ls -ld /etc/skey/ 2>/dev/null fi -elif [ "$DEBUG" ]; then echo_not_found fi echo "" @@ -610,7 +600,6 @@ if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) | ls -ld /var/db/yubikey/ 2>/dev/null fi echo "" -elif [ "$DEBUG" ]; then echo_not_found fi peass{SNMP} diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index 73f2015..cfd4f5d 100755 
--- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -84,7 +84,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW}-p -d ${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW}-i [-p ]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 ${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files - $GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" + $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed$NC" while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do case "$opt" in From bc328b1163905a5b82f07f8b2a5c0eed48be511f Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 23 Dec 2021 20:41:15 -0500 Subject: [PATCH 2/2] log4j --- build_lists/sensitive_files.yaml | 15 +++++++++++++++ .../linpeas_parts/6_software_information.sh | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index ddb0b2c..17878c0 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -795,6 +795,21 @@ search: type: d search_in: - common + + - name: Log4Shell + value: + config: + auto_check: False + + files: + - name: "log4j-core*.jar" + value: + type: f + search_in: + - common + - /lib + - /lib32 + - /lib64 - name: OpenVPN value: diff --git a/linPEAS/builder/linpeas_parts/6_software_information.sh b/linPEAS/builder/linpeas_parts/6_software_information.sh index fd45103..4d627f4 100644 
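Review bot: The new Log4Shell entry only matches standalone `log4j-core*.jar` files, so a log4j-core copy shaded or bundled inside an application fat jar, WAR or EAR (a very common deployment shape) will not be reported, and the entry should say so, e.g. a comment above it: `# Filename match only: log4j-core bundled inside other jars/wars is not detected`. `auto_check: False` presumably suppresses the builder's generic listing, leaving the custom block in 6_software_information.sh as the only consumer of PSTORAGE_LOG4SHELL; a one-line comment recording that dependency would help whoever edits the list next. Note also that Log4j 1.x is typically shipped as `log4j-1.2.x.jar`, which this glob does not match, so the `1\.` branch in the consumer's regex is unlikely to ever fire from this search.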
--- a/linPEAS/builder/linpeas_parts/6_software_information.sh
+++ b/linPEAS/builder/linpeas_parts/6_software_information.sh
@@ -181,7 +181,7 @@ peass{Ldap}
 if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then
 print_2title "Searching Log4Shell vulnerable libraries"
 printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do
- echo "$f" | grep -E "log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},";
+ echo "$f" | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},";
 done
 echo ""
 fi
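Review bot: The tightened pattern still flags the patched backport lines, because `2\.[0-9][^0-9]` matches log4j-core-2.3.1/2.3.2 and `2\.1[0-6]` matches log4j-core-2.12.2 through 2.12.4, which already carry the Log4Shell fixes; since this is a filename heuristic, a comment above the grep should make that explicit, e.g. `# Filename heuristic only: also flags fixed 2.3.1+/2.12.2+ backports, misses log4j-core shaded into other jars`. The loop reads paths with a bare `read f`, which interprets backslashes and trims surrounding whitespace; `while IFS= read -r f; do` keeps each path intact. Because every line goes through the same grep/sed, the per-line loop could be collapsed into one pipeline, `printf "%s\n" "$PSTORAGE_LOG4SHELL" | grep -E "..." | sed -${E} "..."`, avoiding an `echo` per file. The intent of the `1\.[^0]` branch (1.x is presumably listed for CVE-2021-4104, which needs a configured JMSAppender, and 1.0 is excluded) is not obvious and deserves a short why-comment.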