This commit is contained in:
carlospolop 2019-06-08 16:46:29 +02:00
commit 168e31d535


@ -8,11 +8,11 @@ The goal of this script is to search for possible **Privilege Escalation vectors
This script does not have any dependency. This script does not have any dependency.
There is not need even for bash shell, **it runs using /bin/sh**. There is no need even for bash shell, **it runs using /bin/sh**.
It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs). It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
This script have several lists included inside it to be able to color the results in order to help to discover PE vector. This script has several lists included inside of it to be able to color the results in order to discover PE vector.
The script **automatically finds a writable directory** and writes the output of the checks there. The first console output will be the path of the file created. The script **automatically finds a writable directory** and writes the output of the checks there. The first console output will be the path of the file created.
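Review bot: The changed line about the included lists still drops a word and a plural: "in order to discover PE vector" should read "in order to help discover PE vectors". Two typos in the untouched line about runtime survive into the new side as well: "the hole script" should be "the whole script" and "accesible files" should be "accessible files"; since this hunk already touches the surrounding lines, fixing them here would avoid another wording-only commit.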
@ -20,7 +20,7 @@ The script **automatically finds a writable directory** and writes the output of
## Colors ## Colors
LinPE uses colors to indicate where does each section begins. But **it also use them the identify potencial misconfigurations**. LinPE uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure). The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure).
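Review bot: The grammar fix in the Colors paragraph is incomplete: "to indicate where does each section begin" is still a question form and should be "to indicate where each section begins", and "it also uses them the identify potencial misconfigurations" needs "to identify potential misconfigurations". The unchanged Red/Yellow line also carries "identifing", which should be "identifying". Capitalisation of the tool name is "LinPE" here but "linpe" in the later one-liner and "What does linpe look for" sections; pick one spelling for the README.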
@ -31,7 +31,7 @@ The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for
- Not mounted devices - Not mounted devices
- Dangerous fstab permissions - Dangerous fstab permissions
- Writable files in interesting directories - Writable files in interesting directories
- SUID/SGID binaries that have some version vulnerable (it also specifies the vulnerable version) - SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/) - SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- 127.0.0.1 in netstat - 127.0.0.1 in netstat
- Known files that could contain passwords - Known files that could contain passwords
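Review bot: The SUID/SGID wording change is fine, but the sudo bullet in the same hunk is hard to parse: "SUDO binaries that can be used to escalate privileges in sudo -l (without passwd)" reads better as "Binaries listed by sudo -l as runnable without a password that can be used to escalate privileges (see https://gtfobins.github.io/)". "Not mounted devices" should be "Unmounted devices", matching the "Common not interesting devices to mount" bullet in the Green section, which should likewise become "Common uninteresting devices to mount".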
@ -46,7 +46,7 @@ The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used fo
- Common processes run by root - Common processes run by root
- Common not interesting devices to mount - Common not interesting devices to mount
- Not dangerous fstab permissions - Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesnt identify any vulnerable version) - SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path - Common .sh files in path
- Common names of users executing processes - Common names of users executing processes
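Review bot: "Common .sh files in path" refers to the PATH environment variable, so it should be written "in PATH" (the System Information section already uses the uppercase form). The apostrophe fix in "searchsploit doesn't identify" is correct; the rest of that bullet would read more cleanly as "the binary was already seen on other machines and searchsploit does not report a vulnerable version".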
@ -68,7 +68,7 @@ The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is
Here you have an old linpe version script in one line, **just copy and paste it**;) Here you have an old linpe version script in one line, **just copy and paste it**;)
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so I will remain here: This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so it will remain here:
The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script) The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script)
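Review bot: The pronoun fix ("so it will remain here") is right, but the line above it is missing a space before the emoticon: "**just copy and paste it**;)" should be "**just copy and paste it** ;)". "Here you have an old linpe version script in one line" would be clearer as "Here is an old LinPE version as a one-liner", and the deprecation sentence should say what readers lose by using it (no color lists, older checks) so they do not pick it over the full script by mistake.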
@ -78,10 +78,10 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
``` ```
## What does linpe looks for ## What does linpe look for
- **System Information** - **System Information**
- [x] SO, kernel version & sudo version - [x] SO, kernel version & sudo version
- [x] PATH, Date, time, selinux & env (and exports a new path if lacks basic folders) - [x] PATH, Date, time, selinux & env (and exports a new path if basic folders lacks)
- [x] Useful software installed (special search for compilers) - [x] Useful software installed (special search for compilers)
- [x] Processes (Current, Executed within a minute, Binary permissions) - [x] Processes (Current, Executed within a minute, Binary permissions)
- [x] Services - [x] Services
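Review bot: The edit to the PATH bullet makes it worse: "(and exports a new path if basic folders lacks)" is ungrammatical, whereas the old side only lacked a subject. Suggest "(and exports a new PATH if basic folders are missing)". "SO, kernel version & sudo version" in the same hunk should be "OS, kernel version & sudo version" ("SO" is the Spanish abbreviation). The heading fix to "What does linpe look for" is correct.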
@ -124,7 +124,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] Open VPN files (Credentials) - [x] Open VPN files (Credentials)
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, root login permitted) - [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, root login permitted)
- [x] AWS (Files with AWS keys) - [x] AWS (Files with AWS keys)
- [X] NFS (privilege escalation misconfiguration) - [x] NFS (privilege escalation misconfiguration)
- **Generic Interesting Files** - **Generic Interesting Files**
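Review bot: Normalising "[X]" to "[x]" is the right call so GitHub renders every checkbox consistently. While in this hunk, "Open VPN files (Credentials)" should use the product name "OpenVPN", and "authorized_hosts" in the SSH bullet is not a standard OpenSSH file (the usual files are known_hosts and authorized_keys); if the check looks for a file literally named that, say so, otherwise drop it.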
@ -147,4 +147,4 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] "pwd" and "passw" inside files (and get most probable lines) - [x] "pwd" and "passw" inside files (and get most probable lines)
By Polop(TM) By Polop<sup>(TM)</sup>
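Review bot: Replacing "(TM)" with `<sup>(TM)</sup>` relies on inline HTML, which GitHub renders but some Markdown renderers strip; the plain "By Polop(TM)" or the Unicode "By Polop™" would be portable. Unrelated to the footer but visible in this hunk: the bullet about "pwd" and "passw" inside files should state which file sets are searched and what "most probable lines" means, since that search is the part of the script described earlier as taking about a minute.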