From a8b7084b3e3db2137a081873c649602204e835c7 Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 21:07:32 +0800 Subject: [PATCH 1/6] feat: aliyun cloud support [incomplete] --- linPEAS/builder/linpeas_parts/3_cloud.sh | 62 ++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 39f53e4..bd573fc 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -30,6 +30,13 @@ check_do(){ fi } +check_aliyun_ecs () { + is_aliyun_ecs="No" + if [ -f "/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg" ]; then + is_aliyun_ecs="Yes" + fi +} + check_ibm_vm(){ is_ibm_vm="No" if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then @@ -131,6 +138,8 @@ check_aws_codebuild print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," check_do print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_aliyun_ecs +print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," check_ibm_vm print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," check_az_vm 
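Review bot: `check_aliyun_ecs` decides on the presence of `/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg` alone, so it can miss a custom image without that cloud-init drop-in and can report "Yes" on an image that was exported and now runs elsewhere. In the second case the enumeration block added in the third hunk of this patch sends requests to 100.100.100.200, which lies in shared address space (100.64.0.0/10) rather than link-local space, so whichever host answers there is treated as the metadata service. A comment on the function would make the limitation visible, for example `# Heuristic: presence of Aliyun's cloud-init drop-in; does not prove the host runs on ECS`. A second signal, such as a vendor string under `/sys/class/dmi/id/` if the platform sets one, could be checked as well.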
@@ -140,6 +149,59 @@ print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes echo "" +if [ "$is_aliyun_ecs" = "Yes" ]; then + aliyun_req="" + aliyun_token="" + if [ "$(command -v curl)" ]; then + aliyun_token=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:1000") + aliyun_req='curl -s -f -H "X-aliyun-ecs-metadata-token: $aliyun_token"' + elif [ "$(command -v wget)" ]; then + aliyun_token=$(wget -q -O - --method PUT "http://100.100.100.200/latest/api/token" --header "X-aliyun-ecs-metadata-token-ttl-seconds:1000") + aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"' + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + if [ "$aliyun_token" ]; then + print_2title "Aliyun ECS Enumeration" + print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata" + # Todo: print_info "Hacktricks Documents needs to be updated" + + print_3title "Instance Info" + i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname) + [ "$i_hostname" ] && echo "Hostname: $i_hostname" + i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id) + [ "i_instance_id" ] && echo "Instance ID: $i_instance_id" + i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id) + [ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account" + i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id) + [ "$i_region_id" ] && echo "Region ID: $i_region_id" + i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id) + [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id" + + print_3title "Network Info" + net_dns=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/dns-conf/nameservers) + [ "$net_dns" ] && echo "DNS: $net_dns" + net_mac=$(eval $aliyun_req http:// + + print_3title "Service account " 
+ for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do + echo " Name: $sa" + echo " STS-Token: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa") + echo " ==============" + done + + print_3title "Possbile admin ssh Public keys" + for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/") + echo " Name: $key" + echo " Key: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/public-keys/$key/openssh-key") + echo " ==============" + done + + + fi +fi + if [ "$is_gcp" = "Yes" ]; then gcp_req="" if [ "$(command -v curl)" ]; then From 9865e2a5b0ec3916463c7614350e574e58aa0511 Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 21:32:48 +0800 Subject: [PATCH 2/6] feat: aliyun network enumeration --- linPEAS/builder/linpeas_parts/3_cloud.sh | 26 ++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index bd573fc..20b0f41 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -167,6 +167,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata" # Todo: print_info "Hacktricks Documents needs to be updated" + echo "" print_3title "Instance Info" i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname) [ "$i_hostname" ] && echo "Hostname: $i_hostname" 
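Review bot: The wget fallback assigned to `aliyun_req` passes `-O` without a target, so wget takes `--header` as the output file name and the token header is never sent; it should read `aliyun_req='wget -q -O - --header "X-aliyun-ecs-metadata-token: $aliyun_token"'`. The owner-account lookup requests `http://i00.100.100.200/latest/meta-data/owner-account-id` with a letter `i`, which would be resolved as a host name instead of reaching the metadata address, and the same line is still present as context in patch 6/6. The token request `curl -X PUT ...` has neither `-s`, `-f` nor a timeout, so an HTTP error body is accepted as a token and an unreachable endpoint can stall the script; `curl -s -f --connect-timeout 2 --max-time 5 -X PUT ...` would bound it (the timeout values here are only examples). The wget token request relies on `--method`, which not every wget build supports, so a failure there presumably ends in an empty token and a silently skipped section.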
@@ -179,11 +180,32 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id) [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id" + echo "" print_3title "Network Info" + i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4) + [ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4" + i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4) + [ "$i_priv_ipv4" ] && echo "Private IPv4: $i_priv_ipv4" net_dns=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/dns-conf/nameservers) [ "$net_dns" ] && echo "DNS: $net_dns" - net_mac=$(eval $aliyun_req http:// + + for mac in $(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do + echo " Mac: $mac" + echo " Mac VPC: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id) + echo " Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id) + echo " Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask) + echo " Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id) + echo " Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block) + echo " Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block) + echo " Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block) + echo " Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks) + echo " Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s) + echo " Mac private ips 
(v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s) + echo " Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway) + echo " Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway) + done + echo "" print_3title "Service account " for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do echo " Name: $sa" @@ -191,6 +213,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then echo " ==============" done + echo "" print_3title "Possbile admin ssh Public keys" for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/") echo " Name: $key" @@ -198,7 +221,6 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then echo " ==============" done - fi fi From 74ccf2c08a41c51a75563009c7638a3a03bb637d Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 21:39:41 +0800 Subject: [PATCH 3/6] fix: missing do at the of for --- linPEAS/builder/linpeas_parts/3_cloud.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 20b0f41..1b414c4 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -203,6 +203,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then echo " Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s) echo " Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway) echo " Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway) + done echo "" 
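Review bot: Each `$mac` returned by the `macs/` listing is pasted into the string that `eval` re-parses, so the response body is interpreted as shell syntax and not only as a URL component; the same holds for `$sa` and `$key` in the credential and public-key loops from patch 1/6. The `eval` is only needed so that `$aliyun_token` inside the single-quoted `aliyun_req` gets expanded, so the loop value can be checked before it is used, for example `case "$mac" in *[!0-9A-Fa-f:/]*) continue ;; esac` as the first line of the loop body. The command substitutions after each label are unquoted, so the fetched text is word-split and glob-expanded before `echo` prints it; `echo " Mac gateway: $(eval $aliyun_req ...)"` keeps it literal. The loop sits inside the `if [ "$aliyun_token" ]` block, which starts outside this hunk.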
@@ -215,12 +216,13 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then echo "" print_3title "Possbile admin ssh Public keys" - for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/") + for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/") do echo " Name: $key" echo " Key: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/public-keys/$key/openssh-key") echo " ==============" done + fi fi From 0c5b8194d3e01315f99dd8b276903549881bf57d Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 21:46:12 +0800 Subject: [PATCH 4/6] format: better format of aliyun network print --- linPEAS/builder/linpeas_parts/3_cloud.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 1b414c4..db8082d 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh 
@@ -189,21 +189,22 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then net_dns=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/dns-conf/nameservers) [ "$net_dns" ] && echo "DNS: $net_dns" + echo "========" for mac in $(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do echo " Mac: $mac" - echo " Mac VPC: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id) echo " Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id) echo " Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask) + echo " Mac vpc id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id) + echo " Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block) + echo " Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks) echo " Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id) echo " Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block) echo " Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block) - echo " Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block) - echo " Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks) echo " Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s) echo " Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s) 
echo " Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway) echo " Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway) - + echo "=======" done echo "" @@ -216,9 +217,9 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then echo "" print_3title "Possbile admin ssh Public keys" - for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/") do + for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do echo " Name: $key" - echo " Key: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/public-keys/$key/openssh-key") + echo " Key: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/public-keys/$keyopenssh-key") echo " ==============" done From 7daefe700fa1b860adfbb43831f6e9cc4ac3314b Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 21:49:22 +0800 Subject: [PATCH 5/6] update: bug of req var error --- linPEAS/builder/linpeas_parts/3_cloud.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index db8082d..42dc056 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -211,7 +211,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then print_3title "Service account " for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do echo " Name: $sa" - echo " STS-Token: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa") + echo " STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa") echo " ==============" done 
@@ -219,7 +219,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then print_3title "Possbile admin ssh Public keys" for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do echo " Name: $key" - echo " Key: "$(eval $gcp_req "http://100.100.100.200/latest/meta-data/public-keys/$keyopenssh-key") + echo " Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key") echo " ==============" done From edd8e3a397c2dc3826404bd8479548ab8a4d7a0e Mon Sep 17 00:00:00 2001 From: Esonhugh Date: Mon, 22 Jan 2024 22:04:21 +0800 Subject: [PATCH 6/6] feat: instance name and type --- linPEAS/builder/linpeas_parts/3_cloud.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 42dc056..8612a64 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh 
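Review bot: `${key}openssh-key` only builds a valid path if every entry of the `public-keys/` listing ends in `/`, which this line assumes but does not check. Stripping an optional trailing slash and adding one back works for both forms: `echo " Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key%/}/openssh-key")`. If the listings do carry the trailing slash, the `macs/$mac/...` URLs in the network loop contain `//` and the printed names end in `/`; `${mac%/}` would normalise those as well.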
@@ -172,7 +172,12 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname) [ "$i_hostname" ] && echo "Hostname: $i_hostname" i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id) - [ "i_instance_id" ] && echo "Instance ID: $i_instance_id" + [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id" + # no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId + i_instance_name=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-name) + [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name" + i_instance_type=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-type) + [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type" i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id) [ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account" i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id)
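Review bot: The added comment `# no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId` is hard to read; if the intent is what it appears to be, `# Not a duplicate of hostname: on ACK nodes the instance name can contain the cluster ID` states it directly. The new lookups sit inside the `if [ "$aliyun_token" ]` block, which starts and ends outside this hunk.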