more checks

carlospolop 2021-12-19 10:41:39 -05:00
parent 87fe48a900
commit 35cfa99ad4
13 changed files with 2056 additions and 1637 deletions


@ -8,7 +8,7 @@ print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-e
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
warn_exec lsb_release -a 2>/dev/null
if [ "$MACPEAS" ]; then
warn_exec system_profiler SPSoftwareDataType
warn_exec system_profiler SPSoftwareDataType
fi
echo ""
@ -22,21 +22,22 @@ fi
echo ""
#--SY) USBCreator
print_2title "USBCreator"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
if busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator; then
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
if [ -z "$pc_version" ]; then
pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
fi
if [ -n "$pc_version" ]; then
pc_length=${#pc_version}
pc_major=$(echo "$pc_version" | cut -d. -f1)
pc_minor=$(echo "$pc_version" | cut -d. -f2)
if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor" -lt 21 ]; then
echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$VERBOSE" ]; then
print_2title "USBCreator"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
if [ -z "$pc_version" ]; then
pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
fi
if [ -n "$pc_version" ]; then
pc_length=${#pc_version}
pc_major=$(echo "$pc_version" | cut -d. -f1)
pc_minor=$(echo "$pc_version" | cut -d. -f2)
if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor" -lt 21 ]; then
echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
fi
fi
fi
fi
echo ""
@ -75,10 +76,12 @@ print_info "Any private information inside environment variables?"
echo ""
#-- SY) Dmesg
print_2title "Searching Signature verification failed in dmseg"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
echo ""
if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$VERBOSE" ]; then
print_2title "Searching Signature verification failed in dmesg"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
echo ""
fi
#-- SY) Kernel extensions
if [ "$MACPEAS" ]; then
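Review bot: In the USBCreator hunk the new gate `if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$VERBOSE" ]; then` lets the policykit-desktop-privileges version comparison run, and print `Vulnerable!!`, on a host where the com.ubuntu.USBCreator D-Bus service is not registered at all, because VERBOSE alone satisfies the condition. Keep the service presence as its own fact: assign `usbcreator=$(busctl list 2>/dev/null | grep com.ubuntu.USBCreator)` before the `if`, gate on `[ "$usbcreator" ] || [ "$VERBOSE" ]`, and only enter the dpkg/apt-cache version test when `[ "$usbcreator" ]` holds, otherwise report not found. In the dmesg hunk, `(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"` now runs only when dmesg exists, so the fallback (presumably a not-found message for its argument) fires precisely when the log contains no `signature` line and misreports the tool as missing; `|| echo_not_found "Signature verification failed in dmesg"` says what was actually searched for. The first hunk's two identical `warn_exec system_profiler SPSoftwareDataType` lines look like a whitespace-only change and need no review.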


@ -130,7 +130,12 @@ checkContainerExploits() {
containerCheck
print_2title "Container related tools present"
command -v "$CONTAINER_CMDS"
command -v docker
command -v lxc
command -v rkt
command -v kubectl
command -v podman
command -v runc
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
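Review bot: The six bare `command -v docker` … `command -v runc` lines print a path with no label and hard-code the list of container binaries in place, so it will drift from wherever that set is otherwise maintained; the removed line used `$CONTAINER_CMDS`, but whether that variable still exists after this commit is not visible here. The Useful-software hunk of this same commit iterates `for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done`, so the consistent form is `for tool in docker lxc rkt kubectl podman runc; do command -v "$tool"; done`, or the same loop over `$CONTAINER_CMDS` if it survives. The body of checkContainerExploits begins before this hunk.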


@ -4,7 +4,7 @@
#-- 1AS) Useful software
print_2title "Useful software"
command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind
for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
echo ""
#-- 2AS) Search for compilers
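Review bot: `for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done` relies on unquoted word-splitting of `$USEFUL_SOFTWARE`, which is the intent here but is indistinguishable from the SC2086 quoting bug shellcheck flags; mark it with a preceding `# shellcheck disable=SC2086 -- USEFUL_SOFTWARE is a whitespace-separated list, splitting is intended`. Unquoted expansion also applies pathname globbing to each element against the current directory, so the list must stay free of glob characters or the loop should run under `set -f`. Where `USEFUL_SOFTWARE` is defined is outside this hunk.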


@ -28,7 +28,7 @@ else
echo ""
#-- PCS) Binary processes permissions
print_2title "Binary processes permissions"
print_2title "Binary processes permissions (non 'root root' and not beloging to current user)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
binW="IniTialiZZinnggg"
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
@ -36,7 +36,7 @@ else
binW="$binW|$bpath"
fi
done
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v "$USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
fi
echo ""
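Review bot: The new `grep -v " root root "` stage in the `ps auxwww | ... | xargs ls -la` pipeline drops every root-owned process binary, including those whose mode string carries group or world write bits, which are exactly the entries the later `$Wfolders` and `$binW` highlighting is meant to surface; limiting the exclusion to non-writable modes, e.g. `grep -v "^-....-..-.* root root "` (group-write at column 6 and other-write at column 9 both clear), keeps the noise reduction without hiding writable root-owned binaries. The new title also carries a typo: `print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"`. The reworked `grep -v " $USER "` degrades to `grep -v "  "` when `USER` is empty, which matches the padded columns of every `ls -la` line; a `${USER:?}`-style guard or a fallback from `id -un` earlier in the script would make the filter safe, though where `USER` is established is not visible here.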


@ -42,18 +42,20 @@ command -v netpgp 2>/dev/null || echo_not_found "netpgp"
echo ""
#-- UI) Clipboard and highlighted text
print_2title "Clipboard or highlighted text?"
if [ "$(command -v xclip 2>/dev/null)" ]; then
echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v xsel 2>/dev/null)" ]; then
echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v pbpaste 2>/dev/null)" ]; then
echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
else echo_not_found "xsel and xclip"
if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$VERBOSE" ]; then
print_2title "Clipboard or highlighted text?"
if [ "$(command -v xclip 2>/dev/null)" ]; then
echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v xsel 2>/dev/null)" ]; then
echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v pbpaste 2>/dev/null)" ]; then
echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
else echo_not_found "xsel and xclip"
fi
echo ""
fi
echo ""
#-- UI) Sudo -l
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
@ -103,13 +105,15 @@ fi
echo ""
#-- UI) Doas
print_2title "Checking doas.conf"
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
else echo_not_found "doas.conf"
if [ -f "/etc/doas.conf" ] || [ "$VERBOSE" ]; then
print_2title "Checking doas.conf"
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
else echo_not_found "doas.conf"
fi
echo ""
fi
echo ""
#-- UI) Pkexec policy
print_2title "Checking Pkexec policy"
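Review bot: The new doas gate `if [ -f "/etc/doas.conf" ] || [ "$VERBOSE" ]; then` only tests `/etc/doas.conf`, yet the body it wraps also reads `$doas_dir_name/doas.conf`, `$doas_dir_name/../etc/doas.conf` and `$doas_dir_name/etc/doas.conf`, so a doas install whose config sits relative to the binary is now skipped unless VERBOSE is set; widen it to `if [ -f "/etc/doas.conf" ] || [ "$(command -v doas 2>/dev/null)" ] || [ "$VERBOSE" ]; then`. Inside the block, when doas is absent `dirname "$(command -v doas)"` yields `.`, so the unquoted `cat` in the inner condition also probes `./doas.conf` and `./../etc/doas.conf` relative to the current directory; that is pre-existing, but a `[ "$doas_dir_name" != "." ]` guard or a comment saying it is tolerated would help. In the clipboard hunk the three `command -v` probes run twice, once in the new outer gate and once in the inner `if`/`elif`; capturing each in a variable before the outer `if` avoids the duplication.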


@ -0,0 +1,590 @@
###########################################
#--------) Software Information (---------#
###########################################
#-- SI) Mysql version
if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$VERBOSE" ]; then
print_2title "MySQL version"
mysql --version 2>/dev/null || echo_not_found "mysql"
echo ""
#-- SI) Mysql connection root/root
print_list "MySQL connection using default root/root ........... "
mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
if [ "$mysqlconnect" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
#-- SI) Mysql connection root/toor
print_list "MySQL connection using root/toor ................... "
mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null)
if [ "$mysqlconnect" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
#-- SI) Mysql connection root/NOPASS
mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
print_list "MySQL connection using root/NOPASS ................. "
if [ "$mysqlconnectnopass" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
elif [ "$VERBOSE" ]; then echo_not_found
fi
#-- SI) Mysql credentials
if [ "$PSTORAGE_MYSQL" ] || [ "$VERBOSE" ]; then
print_2title "Searching mysql credentials and exec"
printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
for f in $(find $d -name debian.cnf 2>/dev/null); do
if [ -r "$f" ]; then
echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -${E} "s,.*,${SED_RED},"
cat "$f"
fi
done
for f in $(find $d -name user.MYD 2>/dev/null); do
if [ -r "$f" ]; then
echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
grep -oaE "[-_\.\*a-Z0-9]{3,}" $f | grep -v "mysql_native_password"
fi
done
for f in $(grep -lr "user\s*=" $d 2>/dev/null | grep -v "debian.cnf"); do
if [ -r "$f" ]; then
u=$(cat "$f" | grep -v "#" | grep "user" | grep "=" 2>/dev/null)
echo "From '$f' Mysql user: $u" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
fi
done
for f in $(find $d -name my.cnf 2>/dev/null); do
if [ -r "$f" ]; then
echo "Found readable $f"
grep -v "^#" "$f" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed "s,password.*,${SED_RED},"
fi
done
mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so")
if [ "$mysqlexec" ]; then
echo "Found $mysqlexec"
echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
fi
done
elif [ "$VERBOSE" ]; then echo_not_found
fi
echo ""
peass{MariaDB}
peass{PostgreSQL}
#-- SI) PostgreSQL brute
if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$VERBOSE" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it.
#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.)*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template0 using pgsql/NOPASS ........... "
if [ "$(timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template1 using pgsql/NOPASS ........... "
if [ "$(timeout 1 psql -U pgsql -d template1 -c 'select version()' 2> /dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{Mongo}
peass{Apache}
peass{Tomcat}
peass{FastCGI}
peass{Http_conf}
peass{Htpasswd}
peass{PHP Sessions}
peass{Wordpress}
peass{Drupal}
peass{Moodle}
peass{Supervisord}
peass{Cesi}
peass{Rsync}
peass{Hostapd}
peass{Wifi Connections}
peass{Anaconda ks}
peass{VNC}
peass{Ldap}
peass{OpenVPN}
#-- SI) ssh files
print_2title "Searching ssl/ssh files"
if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')
peass{SSH}
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
if [ "$TIMEOUT" ]; then
privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
fi
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
echo ""
print_3title "Possible private SSH keys were found!" | sed -${E} "s,private SSH keys,${SED_RED},"
if [ "$privatekeyfilesetc" ]; then printf "$privatekeyfilesetc\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfileshome" ]; then printf "$privatekeyfileshome\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfilesroot" ]; then printf "$privatekeyfilesroot\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed -${E} "s,.*,${SED_RED},"; fi
echo ""
fi
if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
print_3title "Some certificates were found (out limited):"
printf "$certsb4_grep\n" | head -n 20
printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
echo ""
fi
if [ "$PSTORAGE_CERTSCLIENT" ]; then
print_3title "Some client certificates were found:"
printf "$PSTORAGE_CERTSCLIENT\n"
echo ""
fi
if [ "$PSTORAGE_SSH_AGENTS" ]; then
print_3title "Some SSH Agent files were found:"
printf "$PSTORAGE_SSH_AGENTS\n"
echo ""
fi
if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
print_3title "Listing SSH Agents"
ssh-add -l
echo ""
fi
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
print_3title "Listing gpg keys cached in gpg-agent"
gpg-connect-agent "keyinfo --list" /bye
echo ""
fi
if [ "$writable_agents" ]; then
print_3title "Writable ssh and gpg agents"
printf "%s\n" "$writable_agents"
fi
if [ "$PSTORAGE_SSH_CONFIG" ]; then
print_3title "Some home ssh config file was found"
printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done
echo ""
fi
if [ "$hostsdenied" ]; then
print_3title "/etc/hosts.denied file found, read the rules:"
printf "$hostsdenied\n"
cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
echo ""
fi
if [ "$hostsallow" ]; then
print_3title "/etc/hosts.allow file found, trying to read the rules:"
printf "$hostsallow\n"
cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
echo ""
fi
if [ "$sshconfig" ]; then
echo ""
echo "Searching inside /etc/ssh/ssh_config for interesting info"
grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
fi
echo ""
peass{PAM Auth}
#-- SI) Passwords inside pam.d
pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
if [ "$pamdpass" ] || [ "$VERBOSE" ]; then
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{NFS Exports}
#-- SI) Kerberos
kadmin_exists="$(command -v kadmin)"
klist_exists="$(command -v klist)"
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$VERBOSE" ]; then
print_2title "Searching kerberos conf files and tickets"
print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0), you might find tickets inside processes memory" | sed "s,is disabled,${SED_RED},g";
else echo "ptrace protection is enabled ($ptrace_scope), you need to disable it to search for tickets inside processes memory" | sed "s,is enabled,${SED_GREEN},g";
fi
printf "%s\n" "$PSTORAGE_KERBEROS" | while read f; do
if [ -r "$f" ]; then
if echo "$f" | grep -q .k5login; then
echo ".k5login file (users with access to the user who has this file in his home)"
cat "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
elif echo "$f" | grep -q keytab; then
echo ""
echo "keytab file found, you may be able to impersonate some kerberos principals and add users or modify passwords"
klist -k "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
printf "$(klist -k $f 2>/dev/null)\n" | awk '{print $2}' | while read l; do
if [ "$l" ] && echo "$l" | grep -q "@"; then
printf "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${SED_RED},g"
#kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
#We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
fi
done
elif echo "$f" | grep -q krb5.conf; then
ls -l "$f"
cat "$f" 2>/dev/null | sed -${E} "s,default_ccache_name,${SED_RED},";
elif echo "$f" | grep -q kadm5.acl; then
ls -l "$f"
cat "$f" 2>/dev/null
elif echo "$f" | grep -q sssd.conf; then
ls -l "$f"
cat "$f" 2>/dev/null | sed -${E} "s,cache_credentials ?= ?[tT][rR][uU][eE],${SED_RED},";
elif echo "$f" | grep -q secrets.ldb; then
echo "You could use SSSDKCMExtractor to extract the tickets stored here" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
ls -l "$f"
elif echo "$f" | grep -q .secrets.mkey; then
echo "This is the secrets file to use with SSSDKCMExtractor" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
ls -l "$f"
fi
fi
done
ls -l "/tmp/krb5cc*" "/var/lib/sss/db/ccache_*" "/etc/opt/quest/vas/host.keytab" 2>/dev/null || echo_not_found "tickets kerberos"
klist 2>/dev/null || echo_not_found "klist"
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{Knockd}
peass{Kibana}
peass{Elasticsearch}
##-- SI) Logstash
print_2title "Searching logstash files"
if [ "$PSTORAGE_LOGSTASH" ] || [ "$VERBOSE" ]; then
printf "$PSTORAGE_LOGSTASH"
printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do
if [ -r "$d/startup.options" ]; then
echo "Logstash is running as user:"
cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed -${E} "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,root,${SED_RED},"
fi
cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
done
elif [ "$VERBOSE" ]; then echo_not_found
fi
echo ""
#-- SI) Vault-ssh
if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$VERBOSE" ]; then
print_2title "Searching Vault-ssh files"
printf "$PSTORAGE_VAULT_SSH_HELPER\n"
printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done
echo ""
vault secrets list 2>/dev/null
printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
elif [ "$VERBOSE" ]; then echo_not_found "vault-ssh-helper.hcl"
fi
echo ""
#-- SI) Cached AD Hashes
adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null)
if [ "$adhashes" ] || [ "$VERBOSE" ]; then
print_2title "Searching AD cached hashes"
ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
#-- SI) Screen sessions
if [ "$screensess" ] || [ "$screensess2" ] || [ "$VERBOSE" ]; then
print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null)
screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
screen -v
printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
#-- SI) Tmux sessions
tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$VERBOSE" ]; then
print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
tmux -V
printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{CouchDB}
peass{Redis}
#-- SI) Dovecot
# Needs testing
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
if [ "$dovecotpass" ] || [ "$VERBOSE" ]; then
print_2title "Searching dovecot files"
if [ -z "$dovecotpass" ]; then
echo_not_found "dovecot credentials"
else
printf "%s\n" "$dovecotpass" | while read d; do
df=$(echo $d |cut -d ':' -f1)
dp=$(echo $d |cut -d ':' -f2-)
echo "Found possible PLAIN text creds in $df"
echo "$dp" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
done
fi
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{Mosquitto}
peass{Neo4j}
peass{Cloud Credentials}
peass{Cloud Init}
peass{CloudFlare}
peass{Erlang}
peass{GMV Auth}
peass{IPSec}
peass{IRSSI}
peass{Keyring}
peass{Filezilla}
peass{Backup Manager}
##-- SI) passwd files (splunk)
SPLUNK_BIN="$(command -v splunk 2>/dev/null)"
if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$VERBOSE" ]; then
print_2title "Searching uncommon passwd files (splunk)"
if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi
printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do
if [ -f "$f" ] && ! [ -x "$f" ]; then
echo "passwd file: $f" | sed "s,$f,${SED_RED},"
cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${SED_RED},"
fi
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$VERBOSE" ]; then
print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
echo "$f" | sed -${E} "s,.*,${SED_RED},"
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
##-- SI) Gitlab
if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$VERBOSE" ]; then
print_2title "Searching GitLab related files"
#Check gitlab-rails
if [ "$(command -v gitlab-rails)" ]; then
echo "gitlab-rails was found. Trying to dump users..."
gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED},"
echo "If you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: \"youruser@example.com\"); user.admin = TRUE; user.save!'"
echo "Alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: \"admin@example.com\"); user.password = \"pass_peass_pass\"; user.password_confirmation = \"pass_peass_pass\"; user.save!'"
echo ""
fi
if [ "$(command -v gitlab-backup)" ]; then
echo "If you have enough privileges, you can create a backup of all the repositories inside gitlab using 'gitlab-backup create'"
echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'"
echo ""
fi
#Check gitlab files
printf "%s\n" "$PSTORAGE_GITLAB" | sort | uniq | while read f; do
if echo $f | grep -q secrets.yml; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#"
elif echo $f | grep -q gitlab.yml; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" | grep -A 4 "repositories:"
elif echo $f | grep -q gitlab.rb; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,email|user|password,${SED_RED},"
fi
echo ""
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{Github}
peass{Svn}
peass{PGP-GPG}
peass{Cache Vi}
peass{Wget}
##-- SI) containerd installed
containerd=$(command -v ctr)
if [ "$containerd" ] || [ "$VERBOSE" ]; then
print_2title "Checking if containerd(ctr) is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
if [ "$containerd" ]; then
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
ctr image list
fi
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
##-- SI) runc installed
runc=$(command -v runc)
if [ "$runc" ] || [ "$VERBOSE" ]; then
print_2title "Checking if runc is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
if [ "$runc" ]; then
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
#-- SI) Docker
if [ "$PSTORAGE_DOCKER" ] || [ "$VERBOSE" ]; then
print_2title "Searching docker files (limit 70)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket"
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
ls -l "$f" 2>/dev/null
if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
fi
done
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{Firefox}
peass{Chrome}
peass{Autologin}
#-- SI) S/Key athentication
if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "$VERBOSE" ] ; then
print_2title "S/Key authentication"
printf "System supports$RED S/Key$NC authentication\n"
if ! [ -d /etc/skey/ ]; then
echo "${GREEN}S/Key authentication enabled, but has not been initialized"
elif ! [ "$IAMROOT" ] && [ -w /etc/skey/ ]; then
echo "${RED}/etc/skey/ is writable by you"
ls -ld /etc/skey/
else
ls -ld /etc/skey/ 2>/dev/null
fi
elif [ "$VERBOSE" ]; then echo_not_found
fi
echo ""
#-- SI) YubiKey athentication
if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) || [ "$VERBOSE" ]; then
print_2title "YubiKey authentication"
printf "System supports$RED YubiKey$NC authentication\n"
if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
echo "${RED}/var/db/yubikey/ is writable by you"
ls -ld /var/db/yubikey/
else
ls -ld /var/db/yubikey/ 2>/dev/null
fi
echo ""
elif [ "$VERBOSE" ]; then echo_not_found
fi
peass{SNMP}
peass{Pypirc}
peass{Postfix}
peass{Ldaprc}
peass{Env}
peass{Msmtprc}
peass{Keepass}
peass{FTP}
peass{EXTRA_SECTIONS}
peass{Interesting logs}
peass{Windows Files}
peass{Other Interesting Files}
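Review bot: The screen-session gate `if [ "$screensess" ] || [ "$screensess2" ] || [ "$VERBOSE" ]; then` tests two variables that are only assigned two lines later inside the block, so unless they are set somewhere before this file is concatenated the screen check never runs outside VERBOSE mode; move `screensess=$(screen -ls 2>/dev/null)` and `screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)` above the `if`, as the tmux block directly below already does. Every `elif [ "$VERBOSE" ]; then echo_not_found` arm in this file is unreachable, because the matching `if` already contains `|| [ "$VERBOSE" ]` and so is taken whenever VERBOSE is set; either drop those arms or put an inner `echo_not_found` where the tool is actually found missing. Smaller defects: `printf "$$PSTORAGE_CERTSBIN\n"` expands `$$` to the shell PID and prints the literal variable name (use `printf "%s\n" "$PSTORAGE_CERTSBIN" | head -n 20`), the quoted globs in `ls -l "/tmp/krb5cc*" "/var/lib/sss/db/ccache_*" ...` and `"/var/lib/sss/db/cache_*"` are never expanded by the shell, the bracket range `a-Z` in the user.MYD grep is rejected as an invalid range by GNU grep in the C locale, and the template1 line uses `sed "s,.)*,${SED_RED},"` where every sibling uses `sed -${E} "s,.*,${SED_RED},"`. The `printf "$privatekeyfilesetc\n"`-style calls (also for the home, root, mnt, certsb4, hostsdenied, hostsallow, logstash and vault variables, and `printf "$(klist -k $f ...)\n"`) pass file-derived text as the printf format string, so a path containing `%` breaks the output; they should read `printf "%s\n" "$var"`.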


@ -203,13 +203,15 @@ done
echo ""
##-- IF) Users with capabilities
print_2title "Users with capabilities"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
if [ -f "/etc/security/capability.conf" ]; then
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
else echo_not_found "/etc/security/capability.conf"
if [ -f "/etc/security/capability.conf" ] || [ "$VERBOSE" ]; then
print_2title "Users with capabilities"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
if [ -f "/etc/security/capability.conf" ]; then
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
else echo_not_found "/etc/security/capability.conf"
fi
echo ""
fi
echo ""
##-- IF) Files with ACLs
print_2title "Files with ACLs (limited to 50)"
@ -245,11 +247,15 @@ echo $PATH | tr ":" "\n" | while read d; do
done
echo ""
print_2title "Broken links in path"
echo $PATH | tr ":" "\n" | while read d; do
find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
done
echo ""
broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)
if [ "$broken_links" ] || [ "$VERBOSE" ]; then
print_2title "Broken links in path"
echo $PATH | tr ":" "\n" | while read d; do
find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
done
echo ""
fi
if [ "$MACPEAS" ]; then
@ -345,7 +351,7 @@ echo ""
##-- IF) Root files in home dirs
print_2title "Searching root files in home dirs (limit 30)"
(find $HOMESEARCH /Users -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found
(find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found
echo ""
##-- IF) Others files in my dirs
@ -392,7 +398,7 @@ echo ""
##-- IF) Files inside /home
print_2title "Files inside others home (limit 20)"
(find $HOMESEARCH /Users -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
(find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
echo ""
##-- IF) Mail applications
@ -527,29 +533,35 @@ if ! [ "$IAMROOT" ]; then
print_2title "Interesting GROUP writable files (not in Home) (max 500)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
for g in $(groups); do
printf " Group $GREEN$g:\n$NC";
iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
printf "%s\n" "$iwfbg" | while read entry; do
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
elif echo "$entry" | grep -Eq "$writeVB"; then
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
else
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
fi
done
if [ "$iwfbg" ] || [ "$VERBOSE" ]; then
printf " Group $GREEN$g:\n$NC";
printf "%s\n" "$iwfbg" | while read entry; do
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
elif echo "$entry" | grep -Eq "$writeVB"; then
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
else
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
fi
done
fi
done
echo ""
fi
##-- IF) Passwords in history files
print_2title "Searching passwords in history files"
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
echo ""
if [ "$PSTORAGE_HISTORY" ] || [ "$VERBOSE" ]; then
print_2title "Searching passwords in history files"
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
echo ""
fi
##-- IF) Passwords in config PHP files
print_2title "Searching passwords in config PHP files"
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
echo ""
if [ "$PSTORAGE_PHP_FILES" ] || [ "$VERBOSE" ]; then
print_2title "Searching passwords in config PHP files"
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
echo ""
fi
##-- IF) TTY passwords
print_2title "Checking for TTY (sudo/su) passwords in audit logs"
@ -580,7 +592,7 @@ echo ""
if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
##-- IF) Find possible files with passwords
print_2title "Finding passwords inside key folders (limit 70) - only PHP files"
intpwdfiles=$(timeout 150 grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$HOMESEARCH" /var/www /usr/local/www/ "$backup_folders_row" /tmp /etc /root /mnt /Users /private 2>/dev/null)
intpwdfiles=$(timeout 150 grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $HOMESEARCH /var/www /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private 2>/dev/null)
printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
echo ""
@ -590,13 +602,13 @@ if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
##-- IF) Find possible files with passwords
print_2title "Finding possible password variables inside key folders (limit 140)"
timeout 150 grep -RiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" $HOMESEARCH /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g"
timeout 150 grep -RiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" $HOMESEARCH 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g"
timeout 150 grep -RiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" /var/www $backup_folders_row /tmp /etc /root /mnt /private 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g"
echo ""
##-- IF) Find possible conf files with passwords
print_2title "Finding possible password in config files"
ppicf=$(find "$HOMESEARCH" /etc /root /tmp /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
ppicf=$(find $HOMESEARCH /etc /root /tmp /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
printf "%s\n" "$ppicf" | while read f; do
if grep -qEiI 'passwd.*|creden.*' \"$f\" 2>/dev/null; then
echo "$ITALIC $f$NC"
@ -607,8 +619,9 @@ if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
##-- IF) Find possible files with usernames
print_2title "Finding 'username' string inside key folders (limit 70)"
timeout 150 grep -RiIE "username.*[=:].+" "$HOMESEARCH" /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed -${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${SED_RED},g"
timeout 150 grep -RiIE "username.*[=:].+" /var/www "$backup_folders_row" /tmp /etc /root /mnt /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed -${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${SED_RED},g"
timeout 150 grep -RiIE "username.*[=:].+" $HOMESEARCH 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed -${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${SED_RED},g" &
timeout 150 grep -RiIE "username.*[=:].+" /var/www $backup_folders_row /tmp /etc /root /mnt /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed -${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${SED_RED},g" &
wait
echo ""
##-- IF) Specific hashes inside files
@ -622,7 +635,7 @@ if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
regexapr1md5='\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}'
regexsha512crypt='\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}'
regexapachesha='\{SHA\}[0-9a-zA-Z/_=]{10,}'
timeout 150 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc "$backup_folders_row" /tmp /var/tmp /var/www /root "$HOMESEARCH" /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | head -n 70 | sed "s,:.*,${SED_RED},"
timeout 150 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc $backup_folders_row /tmp /var/tmp /var/www $HOMESEARCH /mnt /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | head -n 70 | sed "s,:.*,${SED_RED},"
echo ""
fi
@ -633,18 +646,16 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
regexsha1='(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)'
regexsha256='(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)'
regexsha512='(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)'
timeout 150 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc "$backup_folders_row" /tmp /var/tmp /var/www /root "$HOMESEARCH" /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " #)There are more hashes files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${SED_RED}," | sed "s,There are more hashes files in the previous parent folder,${C}[3m&${C}[0m,"
timeout 150 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc $backup_folders_row /tmp /var/tmp /var/www $HOMESEARCH /mnt /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " #)There are more hashes files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${SED_RED}," | sed "s,There are more hashes files in the previous parent folder,${C}[3m&${C}[0m,"
echo ""
fi
if ! [ "$SUPERFAST" ] && ! [ "$FAST" ]; then
##-- IF) Find URIs with user:password@hoststrings
print_2title "Finding URIs with user:password@host inside key folders"
timeout 150 find /var/www "$backup_folders_row" /tmp /etc /var/log /private/var/log -type f -exec grep -RiIE "://(.+):(.+)@" "{}" \; 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" "$HOMESEARCH" 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 find /var/www $backup_folders_row /tmp /etc /var/log /private/var/log -type f -exec grep -RiIE "://(.+):(.+)@" "{}" \; 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" $HOMESEARCH 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" /root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
timeout 150 grep -RiIE "://(.+):(.+)@" /Applications 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"
echo ""
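Review bot: In the hunk at @ -245,11 +247,15, `broken_links=$(find "$d" -type l ...)` reads `$d` outside any loop, so it holds whatever the preceding piped `while read d` left behind (nothing, in shells that run that loop in a subshell) rather than each PATH entry; the guard therefore rarely fires and the "Broken links in path" section is effectively hidden unless VERBOSE is set. Compute the probe over the same directories the loop below walks, e.g. `broken_links=$(echo "$PATH" | tr ":" "\n" | while read d; do find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken; done)`. Separately, in the hunk at @ -607,8 +619,9 the two backgrounded `grep ... &` pipelines write to stdout concurrently, so their lines (and their separate `head -n 70` cut-offs) can interleave in the report; if the parallelism is worth keeping, capture each pipeline into a variable and print both after `wait`.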


@ -519,7 +519,7 @@ ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client6
dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.opensuse.CupsPkHelper.Mechanism"
CONTAINER_CMDS="docker lxc rkt kubectl podman runc"
USEFUL_SOFTWARE="authbind aws base64 ctr curl doas docker fetch g++ gcc gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 rkt ruby runc socat sudo wget xterm"
TIP_DOCKER_ROOTLESS="In rootless mode privilege escalation to root will not be possible."
GREP_DOCKER_SOCK_INFOS="Architecture|OSType|Name|DockerRootDir|NCPU|OperatingSystem|KernelVersion|ServerVersion"
GREP_DOCKER_SOCK_INFOS_IGNORE="IndexConfig"
@ -601,7 +601,17 @@ print_title(){
START_T1_TIME=$(date +%s 2>/dev/null)
fi
printf ${BLUE}"════════════════════════════════════╣ $GREEN$1${BLUE} ╠════════════════════════════════════\n"$NC
title=$1
title_len=$(echo $title | wc -c)
max_title_len=100
rest_len=$((($max_title_len - $title_len) / 2))
printf ${BLUE}
for i in $(seq 1 $rest_len); do printf "═"; done
printf "$GREEN${title}${BLUE}"
for i in $(seq 1 $rest_len); do printf "═"; done
printf $NC
echo ""
}
print_2title(){


@ -1,555 +0,0 @@
###########################################
#--------) Software Information (---------#
###########################################
#-- SI) Mysql version
print_2title "MySQL version"
mysql --version 2>/dev/null || echo_not_found "mysql"
echo ""
#-- SI) Mysql connection root/root
print_list "MySQL connection using default root/root ........... "
mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
if [ "$mysqlconnect" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
#-- SI) Mysql connection root/toor
print_list "MySQL connection using root/toor ................... "
mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null)
if [ "$mysqlconnect" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
#-- SI) Mysql connection root/NOPASS
mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
print_list "MySQL connection using root/NOPASS ................. "
if [ "$mysqlconnectnopass" ]; then
echo "Yes" | sed -${E} "s,.*,${SED_RED},"
mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
#-- SI) Mysql credentials
print_2title "Searching mysql credentials and exec"
if [ "$PSTORAGE_MYSQL" ]; then
printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
for f in $(find $d -name debian.cnf 2>/dev/null); do
if [ -r "$f" ]; then
echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -${E} "s,.*,${SED_RED},"
cat "$f"
fi
done
for f in $(find $d -name user.MYD 2>/dev/null); do
if [ -r "$f" ]; then
echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
grep -oaE "[-_\.\*a-Z0-9]{3,}" $f | grep -v "mysql_native_password"
fi
done
for f in $(grep -lr "user\s*=" $d 2>/dev/null | grep -v "debian.cnf"); do
if [ -r "$f" ]; then
u=$(cat "$f" | grep -v "#" | grep "user" | grep "=" 2>/dev/null)
echo "From '$f' Mysql user: $u" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
fi
done
for f in $(find $d -name my.cnf 2>/dev/null); do
if [ -r "$f" ]; then
echo "Found readable $f"
grep -v "^#" "$f" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed "s,password.*,${SED_RED},"
fi
done
mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so")
if [ "$mysqlexec" ]; then
echo "Found $mysqlexec"
echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
fi
done
else echo_not_found
fi
echo ""
peass{MariaDB}
peass{PostgreSQL}
#-- SI) PostgreSQL brute
if [ "$TIMEOUT" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it.
#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.)*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template0 using pgsql/NOPASS ........... "
if [ "$(timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
print_list "PostgreSQL connection to template1 using pgsql/NOPASS ........... "
if [ "$(timeout 1 psql -U pgsql -d template1 -c 'select version()' 2> /dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
echo ""
fi
peass{Mongo}
peass{Apache}
peass{Tomcat}
peass{FastCGI}
peass{Http_conf}
peass{Htpasswd}
peass{PHP Sessions}
peass{Wordpress}
peass{Drupal}
peass{Moodle}
peass{Supervisord}
peass{Cesi}
peass{Rsync}
peass{Hostapd}
peass{Wifi Connections}
peass{Anaconda ks}
peass{VNC}
peass{Ldap}
peass{OpenVPN}
#-- SI) ssh files
print_2title "Searching ssl/ssh files"
if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')
peass{SSH}
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
if [ "$TIMEOUT" ]; then
privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
fi
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
echo ""
print_3title "Possible private SSH keys were found!" | sed -${E} "s,private SSH keys,${SED_RED},"
if [ "$privatekeyfilesetc" ]; then printf "$privatekeyfilesetc\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfileshome" ]; then printf "$privatekeyfileshome\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfilesroot" ]; then printf "$privatekeyfilesroot\n" | sed -${E} "s,.*,${SED_RED},"; fi
if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed -${E} "s,.*,${SED_RED},"; fi
echo ""
fi
if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
print_3title "Some certificates were found (out limited):"
printf "$certsb4_grep\n" | head -n 20
printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
echo ""
fi
if [ "$PSTORAGE_CERTSCLIENT" ]; then
print_3title "Some client certificates were found:"
printf "$PSTORAGE_CERTSCLIENT\n"
echo ""
fi
if [ "$PSTORAGE_SSH_AGENTS" ]; then
print_3title "Some SSH Agent files were found:"
printf "$PSTORAGE_SSH_AGENTS\n"
echo ""
fi
if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
print_3title "Listing SSH Agents"
ssh-add -l
echo ""
fi
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
print_3title "Listing gpg keys cached in gpg-agent"
gpg-connect-agent "keyinfo --list" /bye
echo ""
fi
if [ "$writable_agents" ]; then
print_3title "Writable ssh and gpg agents"
printf "%s\n" "$writable_agents"
fi
if [ "$PSTORAGE_SSH_CONFIG" ]; then
print_3title "Some home ssh config file was found"
printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done
echo ""
fi
if [ "$hostsdenied" ]; then
print_3title "/etc/hosts.denied file found, read the rules:"
printf "$hostsdenied\n"
cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
echo ""
fi
if [ "$hostsallow" ]; then
print_3title "/etc/hosts.allow file found, trying to read the rules:"
printf "$hostsallow\n"
cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
echo ""
fi
if [ "$sshconfig" ]; then
echo ""
echo "Searching inside /etc/ssh/ssh_config for interesting info"
grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
fi
echo ""
peass{PAM Auth}
#-- SI) Passwords inside pam.d
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo ""
peass{NFS Exports}
#-- SI) Kerberos
print_2title "Searching kerberos conf files and tickets"
print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
kadmin_exists="$(command -v kadmin)"
klist_exists="$(command -v klist)"
if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0), you might find tickets inside processes memory" | sed "s,is disabled,${SED_RED},g";
else echo "ptrace protection is enabled ($ptrace_scope), you need to disable it to search for tickets inside processes memory" | sed "s,is enabled,${SED_GREEN},g";
fi
printf "%s\n" "$PSTORAGE_KERBEROS" | while read f; do
if [ -r "$f" ]; then
if echo "$f" | grep -q .k5login; then
echo ".k5login file (users with access to the user who has this file in his home)"
cat "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
elif echo "$f" | grep -q keytab; then
echo ""
echo "keytab file found, you may be able to impersonate some kerberos principals and add users or modify passwords"
klist -k "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
printf "$(klist -k $f 2>/dev/null)\n" | awk '{print $2}' | while read l; do
if [ "$l" ] && echo "$l" | grep -q "@"; then
printf "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${SED_RED},g"
#kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
#We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
fi
done
elif echo "$f" | grep -q krb5.conf; then
ls -l "$f"
cat "$f" 2>/dev/null | sed -${E} "s,default_ccache_name,${SED_RED},";
elif echo "$f" | grep -q kadm5.acl; then
ls -l "$f"
cat "$f" 2>/dev/null
elif echo "$f" | grep -q sssd.conf; then
ls -l "$f"
cat "$f" 2>/dev/null | sed -${E} "s,cache_credentials ?= ?[tT][rR][uU][eE],${SED_RED},";
elif echo "$f" | grep -q secrets.ldb; then
echo "You could use SSSDKCMExtractor to extract the tickets stored here" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
ls -l "$f"
elif echo "$f" | grep -q .secrets.mkey; then
echo "This is the secrets file to use with SSSDKCMExtractor" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
ls -l "$f"
fi
fi
done
ls -l "/tmp/krb5cc*" "/var/lib/sss/db/ccache_*" "/etc/opt/quest/vas/host.keytab" 2>/dev/null || echo_not_found "tickets kerberos"
klist 2>/dev/null || echo_not_found "klist"
echo ""
peass{Knockd}
peass{Kibana}
peass{Elasticsearch}
##-- SI) Logstash
print_2title "Searching logstash files"
if [ "$PSTORAGE_LOGSTASH" ]; then
printf "$PSTORAGE_LOGSTASH\n"
printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do
if [ -r "$d/startup.options" ]; then
echo "Logstash is running as user:"
cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed -${E} "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,root,${SED_RED},"
fi
cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
done
else echo_not_found
fi
echo ""
#-- SI) Vault-ssh
print_2title "Searching Vault-ssh files"
if [ "$PSTORAGE_VAULT_SSH_HELPER" ]; then
printf "$PSTORAGE_VAULT_SSH_HELPER\n"
printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done
echo ""
vault secrets list 2>/dev/null
printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
else echo_not_found "vault-ssh-helper.hcl"
fi
echo ""
#-- SI) Cached AD Hashes
adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null)
print_2title "Searching AD cached hashes"
if [ "$adhashes" ]; then
ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
else echo_not_found "cached hashes"
fi
echo ""
#-- SI) Screen sessions
print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null)
screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
if [ "$screensess" ] || [ "$screensess2" ]; then
screen -v
printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
else
echo_not_found "screen"
fi
find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
#-- SI) Tmux sessions
tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ]; then
tmux -V
printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
else
echo_not_found "tmux"
fi
find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
peass{CouchDB}
peass{Redis}
#-- SI) Dovecot
# Needs testing
print_2title "Searching dovecot files"
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
if [ -z "$dovecotpass" ]; then
echo_not_found "dovecot credentials"
else
for d in $(grep -r "PLAIN" /etc/dovecot 2>/dev/null); do
df=$(echo $d |cut -d ':' -f1)
dp=$(echo $d |cut -d ':' -f2-)
echo "Found possible PLAIN text creds in $df"
echo "$dp" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
done
fi
echo ""
peass{Mosquitto}
peass{Neo4j}
peass{Cloud Credentials}
peass{Cloud Init}
peass{CloudFlare}
peass{Erlang}
peass{GMV Auth}
peass{IPSec}
peass{IRSSI}
peass{Keyring}
peass{Filezilla}
peass{Backup Manager}
##-- SI) passwd files (splunk)
print_2title "Searching uncommon passwd files (splunk)"
SPLUNK_BIN="$(command -v splunk 2>/dev/null)"
if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi
printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do
if [ -f "$f" ] && ! [ -x "$f" ]; then
echo "passwd file: $f" | sed "s,$f,${SED_RED},"
cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${SED_RED},"
fi
done
echo ""
print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
echo "$f" | sed -${E} "s,.*,${SED_RED},"
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done
echo ""
##-- SI) Gitlab
print_2title "Searching GitLab related files"
#Check gitlab-rails
if [ "$(command -v gitlab-rails)" ]; then
echo "gitlab-rails was found. Trying to dump users..."
gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED},"
echo "If you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: \"youruser@example.com\"); user.admin = TRUE; user.save!'"
echo "Alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: \"admin@example.com\"); user.password = \"pass_peass_pass\"; user.password_confirmation = \"pass_peass_pass\"; user.save!'"
echo ""
fi
if [ "$(command -v gitlab-backup)" ]; then
echo "If you have enough privileges, you can create a backup of all the repositories inside gitlab using 'gitlab-backup create'"
echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'"
echo ""
fi
#Check gitlab files
printf "%s\n" "$PSTORAGE_GITLAB" | sort | uniq | while read f; do
if echo $f | grep -q secrets.yml; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#"
elif echo $f | grep -q gitlab.yml; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" | grep -A 4 "repositories:"
elif echo $f | grep -q gitlab.rb; then
echo "Found $f" | sed "s,$f,${SED_RED},"
cat "$f" | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,email|user|password,${SED_RED},"
fi
echo ""
done
echo ""
peass{Github}
peass{Svn}
peass{PGP-GPG}
peass{Cache Vi}
peass{Wget}
##-- SI) containerd installed
print_2title "Checking if containerd(ctr) is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
containerd=$(command -v ctr)
if [ "$containerd" ]; then
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
ctr image list
fi
echo ""
##-- SI) runc installed
print_2title "Checking if runc is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
runc=$(command -v runc)
if [ "$runc" ]; then
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi
echo ""
#-- SI) Docker
print_2title "Searching docker files (limit 70)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket"
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
ls -l "$f" 2>/dev/null
if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
fi
done
echo ""
peass{Firefox}
peass{Chrome}
peass{Autologin}
#-- SI) S/Key athentication
print_2title "S/Key authentication"
if grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep -q skey; then
printf "System supports$RED S/Key$NC authentication\n"
if ! [ -d /etc/skey/ ]; then
echo "${GREEN}S/Key authentication enabled, but has not been initialized"
elif ! [ "$IAMROOT" ] && [ -w /etc/skey/ ]; then
echo "${RED}/etc/skey/ is writable by you"
ls -ld /etc/skey/
else
ls -ld /etc/skey/ 2>/dev/null
fi
fi
echo ""
#-- SI) YubiKey athentication
print_2title "YubiKey authentication"
if grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep -q yubikey; then
printf "System supports$RED YubiKey$NC authentication\n"
if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
echo "${RED}/var/db/yubikey/ is writable by you"
ls -ld /var/db/yubikey/
else
ls -ld /var/db/yubikey/ 2>/dev/null
fi
fi
echo ""
peass{SNMP}
peass{Pypirc}
peass{Postfix}
peass{Ldaprc}
peass{Env}
peass{Msmtprc}
peass{Keepass}
peass{FTP}
peass{EXTRA_SECTIONS}
peass{Interesting logs}
peass{Windows Files}
peass{Other Interesting Files}


@ -208,7 +208,8 @@ class LinpeasBuilder:
for precord in self.ploaded.peasrecords:
if precord.auto_check:
section = f' print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n'
section = f'if [ "$PSTORAGE_{precord.bash_name}" ] || [ "$VERBOSE" ]; then\n'
section += f' print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n'
for exec_line in precord.exec:
if exec_line:
@ -217,6 +218,9 @@ class LinpeasBuilder:
for frecord in precord.filerecords:
section += " " + self.__construct_file_line(precord, frecord) + "\n"
section += 'elif [ "$VERBOSE" ]; then echo_not_found\n'
section += "fi\n"
sections[precord.name] = section
return sections
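Review bot: The `elif [ "$VERBOSE" ]; then echo_not_found` branch emitted in the second hunk is unreachable, because the `if` generated at the top of the section already enters its body whenever `$VERBOSE` is set, whatever `$PSTORAGE_…` holds; in verbose mode with nothing stored the script prints the section title and then nothing, and the not-found line is dead code. If the intent is "analyze when files were stored, otherwise say so in verbose mode", the opening line should be `section = f'if [ "$PSTORAGE_{precord.bash_name}" ]; then\n'` so the `elif` can actually fire. The generated `echo_not_found` call also passes no argument, while every hand-written caller in this commit names what was missing (e.g. `echo_not_found "tmux"`), so `section += f'elif [ "$VERBOSE" ]; then echo_not_found "{precord.name.replace("_"," ")}"\n'` would keep the report readable — presumably the helper formats its first argument, but its definition is not in view. The enclosing method of LinpeasBuilder starts before this hunk.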


@ -8,42 +8,42 @@ LINPEAS_PARTS = [
{
"name": "System Information",
"name_check": "system_information",
"file_path": LINPEAS_BASE_PARTS + "/system_information.sh"
"file_path": LINPEAS_BASE_PARTS + "/1_system_information.sh"
},
{
"name": "Container",
"name_check": "container",
"file_path": LINPEAS_BASE_PARTS + "/container.sh"
"file_path": LINPEAS_BASE_PARTS + "/2_container.sh"
},
{
"name": "Available Software",
"name_check": "available_software",
"file_path": LINPEAS_BASE_PARTS + "/available_software.sh"
"file_path": LINPEAS_BASE_PARTS + "/3_available_software.sh"
},
{
"name": "Processes, Crons, Timers, Services and Sockets",
"name_check": "procs_crons_timers_srvcs_sockets",
"file_path": LINPEAS_BASE_PARTS + "/procs_crons_timers_srvcs_sockets.sh"
"file_path": LINPEAS_BASE_PARTS + "/4_procs_crons_timers_srvcs_sockets.sh"
},
{
"name": "Network Information",
"name_check": "network_information",
"file_path": LINPEAS_BASE_PARTS + "/network_information.sh"
"file_path": LINPEAS_BASE_PARTS + "/5_network_information.sh"
},
{
"name": "Users Information",
"name_check": "users_information",
"file_path": LINPEAS_BASE_PARTS + "/users_information.sh"
"file_path": LINPEAS_BASE_PARTS + "/6_users_information.sh"
},
{
"name": "Software Information",
"name_check": "software_information",
"file_path": LINPEAS_BASE_PARTS + "/software_information.sh"
"file_path": LINPEAS_BASE_PARTS + "/7_software_information.sh"
},
{
"name": "Interesting Files",
"name_check": "interesting_files",
"file_path": LINPEAS_BASE_PARTS + "/interesting_files.sh"
"file_path": LINPEAS_BASE_PARTS + "/8_interesting_files.sh"
}
]
