From 2a71da4bb206a61b5e55b34eb80c5dfc9b32462d Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Thu, 5 Dec 2024 17:49:44 +0100 Subject: [PATCH] another linpeas fix --- linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh | 4 ++++ linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh | 2 +- linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh | 2 +- linPEAS/builder/src/linpeasBuilder.py | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh index b558633..847144f 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh @@ -47,18 +47,22 @@ if [ "$is_az_vm" = "Yes" ]; then echo "" print_3title "Management token" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/" echo "" print_3title "Graph token" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/" echo "" print_3title "Vault token" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/" echo "" print_3title "Storage token" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/" echo "" fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh index 0031e31..a1b8188 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh @@ -36,7 +36,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then for f in $(find $d -name user.MYD 2>/dev/null); do if [ -r "$f" ]; then echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED}," - grep -oaE "[-_\.\*a-Z0-9]{3,}" "$f" | grep -v "mysql_native_password" + grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" "$f" | grep -v "mysql_native_password" fi done diff --git a/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh b/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh index 0b78b4f..7f56802 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh @@ -16,7 +16,7 @@ check_tencent_cvm () { is_tencent_cvm="No" - if grep -qi Tencent /etc/cloud/cloud.cfg; then + if grep -qi Tencent /etc/cloud/cloud.cfg 2>/dev/null; then is_tencent_cvm="Yes" fi } \ No newline at end of file diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 7f1cff3..e0f4e17 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -365,7 +365,7 @@ class LinpeasBuilder: rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5) if "sudo:" in rb.text: if len(b) <= 3: - sudoVB.append("[^a-z-Z0-9]"+b+"$") # Less false possitives applied to small names + sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names else: sudoVB.append(b+"$") if "suid:" in rb.text: