Merge branch 'master' of https://github.com/carlospolop/linpe
commit 168e31d535
README.md: 20 changed lines
@ -8,11 +8,11 @@ The goal of this script is to search for possible **Privilege Escalation vectors
This script does not have any dependency.
There is not need even for bash shell, **it runs using /bin/sh**.
There is no need even for bash shell, **it runs using /bin/sh**.
It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
This script have several lists included inside it to be able to color the results in order to help to discover PE vector.
This script has several lists included inside of it to be able to color the results in order to discover PE vector.
The script **automatically finds a writable directory** and writes the output of the checks there. The first console output will be the path of the file created.
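Review bot: the rewritten sentence "This script has several lists included inside of it to be able to color the results in order to discover PE vector" drops the "to help" of the original and still has a number problem; suggest "This script includes several lists that are used to color the results and help spot PE vectors." The unchanged context line above it carries typos this edit could fix while it is here: "hole script" should be "whole script" and "accesible" should be "accessible".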
@ -20,7 +20,7 @@ The script **automatically finds a writable directory** and writes the output of
## Colors
LinPE uses colors to indicate where does each section begins. But **it also use them the identify potencial misconfigurations**.
LinPE uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
The  **Red/Yellow**  color is used for identifing configurations that lead to PE (99% sure).
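Review bot: the added line is still ungrammatical: "where does each section begin" should read "where each section begins", and "it also uses them the identify potencial misconfigurations" should read "it also uses them to identify potential misconfigurations". The context line that follows ("used for identifing configurations") needs "identifying"; since the Red/Yellow legend is what tells a reader which findings are near-certain escalation paths, this paragraph is worth getting clean in the same change.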
@ -31,7 +31,7 @@ The  **Red** color is used for
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories
- SUID/SGID binaries that have some version vulnerable (it also specifies the vulnerable version)
- SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- 127.0.0.1 in netstat
- Known files that could contain passwords
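Review bot: "SUID/SGID binaries that have some vulnerable version" reads better as "SUID/SGID binaries with a known vulnerable version", which also matches the parenthetical that follows. In the same hunk, the context line "127.0.0.1 in netstat" does not say why it is colored red; "services listening only on 127.0.0.1 (netstat)" would tell the reader that these are local-only services that become reachable after a foothold, which is the reason they are flagged.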
@ -46,7 +46,7 @@ The  **Green** color is used fo
- Common processes run by root
- Common not interesting devices to mount
- Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesnt identify any vulnerable version)
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path
- Common names of users executing processes
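Review bot: the apostrophe fix is fine; while in this list, "Common not interesting devices to mount" and "Not dangerous fstab permissions" read better as "Common uninteresting devices to mount" and "Non-dangerous fstab permissions". The searchsploit remark should also make clear that green only means searchsploit did not match a vulnerable version, not that the binary was verified safe, so readers do not dismiss green SUID/SGID entries outright.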
@ -68,7 +68,7 @@ The  **Light Magenta** color is
Here you have an old linpe version script in one line, **just copy and paste it**;)
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so I will remain here:
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so it will remain here:
The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script)
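Review bot: the pronoun fix ("it will remain here") is right, but "I am not going to update it more" should be "I am not going to update it anymore". The context line "The default file where all the data is recorded is: */tmp/linPE*" deserves one more sentence: that file collects everything the checks find, including the candidate passwords pulled from readable files, and /tmp is shared with every user on the host, so readers should be told to delete the file (or point the variable at a private location) once they have read it.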
@ -78,10 +78,10 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
```
## What does linpe looks for
## What does linpe look for
- **System Information**
- [x] SO, kernel version & sudo version
- [x] PATH, Date, time, selinux & env (and exports a new path if lacks basic folders)
- [x] PATH, Date, time, selinux & env (and exports a new path if basic folders lacks)
- [x] Useful software installed (special search for compilers)
- [x] Processes (Current, Executed within a minute, Binary permissions)
- [x] Services
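Review bot: the PATH line gets worse rather than better: "and exports a new path if basic folders lacks" is ungrammatical; use "and exports a new PATH if basic folders are missing". The heading fix ("What does linpe look for") is correct. In the context line "SO, kernel version & sudo version", "SO" presumably means the operating system; spelling it "OS" would avoid confusion for English readers.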
@ -124,7 +124,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] Open VPN files (Credentials)
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, root login permitted)
- [x] AWS (Files with AWS keys)
- [X] NFS (privilege escalation misconfiguration)
- [x] NFS (privilege escalation misconfiguration)
- **Generic Interesting Files**
@ -147,4 +147,4 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] "pwd" and "passw" inside files (and get most probable lines)
By Polop(TM)
By Polop<sup>(TM)</sup>
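Review bot: "By Polop<sup>(TM)</sup>" relies on inline HTML, which GitHub renders but some markdown renderers strip or escape; if the README is meant to display the same everywhere, plain "By Polop (TM)" or the ™ character avoids that dependency.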