diff --git a/linPEAS/builder/linpeas_parts/available_software.sh b/linPEAS/builder/linpeas_parts/available_software.sh index 8da4d10..5c9ecd4 100644 --- a/linPEAS/builder/linpeas_parts/available_software.sh +++ b/linPEAS/builder/linpeas_parts/available_software.sh @@ -13,15 +13,15 @@ print_2title "Installed Compiler" echo "" if [ "$(command -v pkg 2>/dev/null)" ]; then -print_2title "Vulnerable Packages" -pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g" -echo "" + print_2title "Vulnerable Packages" + pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g" + echo "" fi if [ "$(command -v brew 2>/dev/null)" ]; then -print_2title "Brew Installed Packages" -brew list -echo "" + print_2title "Brew Installed Packages" + brew list + echo "" fi if [ "$MACPEAS" ]; then @@ -37,3 +37,4 @@ system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" fi done +fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/container.sh b/linPEAS/builder/linpeas_parts/container.sh index d249e3a..c1af4cf 100644 --- a/linPEAS/builder/linpeas_parts/container.sh +++ b/linPEAS/builder/linpeas_parts/container.sh 
@@ -16,80 +16,81 @@ podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l) lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l) rktcontainers=$(rkt list 2>/dev/null | tail -n +2 | wc -l) if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then -echo_no + echo_no else -containerCounts="" -if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi -if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi -if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi -if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi -echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED}," -# List any running containers -if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi -if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi -if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi -if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi + containerCounts="" + if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi + if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi + if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi + if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi + echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED}," + + # 
List any running containers + if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi + if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi + if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi + if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi fi #If docker if echo "$containerType" | grep -qi "docker"; then -print_2title "Docker Container details" -inDockerGroup -print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," -print_list "Looking and enumerating Docker Sockets\n"$NC -enumerateDockerSockets -print_list "Docker version .................$NC$dockerVersion" -checkDockerVersionExploits -print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," -print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," -if [ "$inContainer" ]; then - checkDockerRootless - print_list "Rootless Docker? ................ 
$DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN}," -fi -if df -h | grep docker; then - print_2title "Docker Overlays" - df -h | grep docker -fi -fi - -if [ "$inContainer" ]; then -echo "" -print_2title "Container & breakout enumeration" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" -print_list "Container ID ...................$NC $(cat /etc/hostname)" -if echo "$containerType" | grep -qi "docker"; then - print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" -fi -if echo "$containerType" | grep -qi "kubernetes"; then - print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" - print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n" -fi - -checkContainerExploits -print_list "Vulnerable to CVE-2019-5021 .. 
$VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," -echo "" - -print_2title "Container Capabilities" -capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" -echo "" - -print_2title "Privilege Mode" -if [ -x "$(command -v fdisk)" ]; then - if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then - echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW}," - else - echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN}," + print_2title "Docker Container details" + inDockerGroup + print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "Looking and enumerating Docker Sockets\n"$NC + enumerateDockerSockets + print_list "Docker version .................$NC$dockerVersion" + checkDockerVersionExploits + print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," + if [ "$inContainer" ]; then + checkDockerRootless + print_list "Rootless Docker? ................ 
$DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN}," + fi + if df -h | grep docker; then + print_2title "Docker Overlays" + df -h | grep docker fi -else - echo_not_found fi -echo "" -print_2title "Interesting Files Mounted" -(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" -echo "" +if [ "$inContainer" ]; then + echo "" + print_2title "Container & breakout enumeration" + print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" + print_list "Container ID ...................$NC $(cat /etc/hostname)" + if echo "$containerType" | grep -qi "docker"; then + print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" + fi + if echo "$containerType" | grep -qi "kubernetes"; then + print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" + print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n" + fi -print_2title "Possible Entrypoints" -ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq -echo "" -fi + checkContainerExploits + print_list "Vulnerable to CVE-2019-5021 .. 
$VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," + echo "" + + print_2title "Container Capabilities" + capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" + echo "" + + print_2title "Privilege Mode" + if [ -x "$(command -v fdisk)" ]; then + if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then + echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW}," + else + echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN}," + fi + else + echo_not_found + fi + echo "" + + print_2title "Interesting Files Mounted" + (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" + echo "" + + print_2title "Possible Entrypoints" + ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq + echo "" +fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh index fbb435e..0a9a4e3 100644 --- a/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh @@ -1,3 +1,4 @@ + #################################################### #-----) Processes & Cron & Services & Timers (-----# #################################################### 
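Review bot: The `Container Full ID` line reads `$(basename $(cat /proc/1/cpuset))` with no stderr redirection and no quoting, unlike the two Kubernetes lines next to it that carry `2>/dev/null`; where `/proc/1/cpuset` is missing (it is a cgroup-v1 interface) `cat` and `basename` will print usage errors in the middle of the report, and when it only contains `/` the printed "full ID" is `/`. A safer form is `print_list "Container Full ID ..............$NC $(basename "$(cat /proc/1/cpuset 2>/dev/null)" 2>/dev/null)\n"`. Separately, the `Kubernetes token` line writes the whole service-account token into the report; since reports are routinely saved and shared, printing only that a token is present (or its length) would avoid leaving a live credential in the output.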
@@ -5,46 +6,46 @@ #-- PCS) Cleaned proccesses print_2title "Cleaned processes" if [ "$NOUSEPS" ]; then -printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC + printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC fi print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes" if [ "$NOUSEPS" ]; then -print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," -pslist=$(print_ps) + print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," + pslist=$(print_ps) else -(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do + (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} 
"s,$processesDump,${SED_RED}," if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then - cpid=$(echo "$psline" | awk '{print $2}') - caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')" - if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then + cpid=$(echo "$psline" | awk '{print $2}') + caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')" + if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g" + fi fi - fi -done -pslist=$(ps auxwww) -echo "" + done + pslist=$(ps auxwww) + echo "" -#-- PCS) Binary processes permissions -print_2title "Binary processes permissions" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes" -binW="IniTialiZZinnggg" -ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do + #-- PCS) Binary processes permissions + print_2title "Binary processes permissions" + print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes" + binW="IniTialiZZinnggg" + ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do if [ -w "$bpath" ]; then - binW="$binW|$bpath" + binW="$binW|$bpath" fi -done -ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v "$USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN}," + done + ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v "$USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," 
| sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN}," fi echo "" #-- PCS) Files opened by processes belonging to other users if ! [ "$IAMROOT" ]; then -print_2title "Files opened by processes belonging to other users" -print_info "This is usually empty because of the lack of privileges to read other user processes information" -lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," -echo "" + print_2title "Files opened by processes belonging to other users" + print_info "This is usually empty because of the lack of privileges to read other user processes information" + lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," + echo "" fi #-- PCS) Processes with credentials inside memory 
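Review bot: The `binW` accumulation in the "Binary processes permissions" block never reaches the later `sed -${E} "s,$binW,${SED_RED_YELLOW},g"`: the `while read bpath` loop is the last stage of a pipeline, so in dash (and bash without `lastpipe`) its body runs in a subshell and the `binW="$binW|$bpath"` assignments are discarded, leaving `binW` as the sentinel `IniTialiZZinnggg` and the writable-binary highlight inert. Building the list inside a command substitution keeps the result in the parent shell without changing the output format. The `if [ "$NOUSEPS" ]` block this sits in is closed inside the hunk.
```shell
  binW="IniTialiZZinnggg$(ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
    if [ -w "$bpath" ]; then printf '|%s' "$bpath"; fi
  done)"
  # … unchanged: ps/xargs ls listing piped through the sed highlighters …
```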
@@ -60,11 +61,11 @@ echo "" #-- PCS) Different processes 1 min if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then -print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs" -temp_file=$(mktemp) -if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi -echo "" + print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" + print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs" + temp_file=$(mktemp) + if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi + echo "" fi #-- PCS) Cron 
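Review bot: `temp_file=$(mktemp)` runs unconditionally but `rm "$temp_file"` only runs inside the `if [ "$(ps -e -o command 2>/dev/null)" ]` one-liner, so on a host where that `ps` invocation prints nothing the empty temp file is left behind. Moving the `mktemp` call inside the `if`, or adding `rm -f -- "$temp_file" 2>/dev/null` after the `if` line, closes the leak. A failed `mktemp` is also unchecked here, in which case the `>> "$temp_file"` redirections target an empty name; `temp_file=$(mktemp) || temp_file=""` with a guard would make that visible instead of silent.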
@@ -82,42 +83,42 @@ atq 2>/dev/null echo "" if [ "$MACPEAS" ]; then -print_2title "Third party LaunchAgents & LaunchDemons" -print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd" -ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null -echo "" + print_2title "Third party LaunchAgents & LaunchDemons" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd" + ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null + echo "" -print_2title "Writable System LaunchAgents & LaunchDemons" -find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do + print_2title "Writable System LaunchAgents & LaunchDemons" + find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do program="" program=$(defaults read "$f" Program 2>/dev/null) if ! 
[ "$program" ]; then - program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) + program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) fi if [ -w "$program" ]; then - echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},"; + echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi -done -echo "" + done + echo "" -print_2title "StartupItems" -print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items" -ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null -echo "" + print_2title "StartupItems" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items" + ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null + echo "" -print_2title "Login Items" -print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items" -osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null -echo "" + print_2title "Login Items" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items" + osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null + echo "" -print_2title "SPStartupItemDataType" -system_profiler SPStartupItemDataType -echo "" + print_2title "SPStartupItemDataType" + system_profiler SPStartupItemDataType + echo "" -print_2title "Emond scripts" -print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond" -ls -l /private/var/db/emondClients -echo "" + print_2title "Emond scripts" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond" + ls -l /private/var/db/emondClients + echo "" fi #-- PCS) Services 
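Review bot: The fallback in the "Writable System LaunchAgents & LaunchDemons" loop reads a fixed file, `defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments`, instead of the plist being iterated, so every plist without a `Program` key is checked against MonitorHelper's arguments rather than its own, and the writability verdict reported for `$f` is about the wrong binary. It should read the current file: `program=$(defaults read "$f" ProgramArguments 2>/dev/null | grep -Ev "^\(|^\)" | cut -d '"' -f 2)`. The `2>/dev/null` also stops `defaults` from printing an error for plists that lack `ProgramArguments`.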
@@ -138,26 +139,26 @@ echo "" print_2title "Analyzing .service files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services" printf "%s\n" "$PSTORAGE_SYSTEMD\n" | while read s; do -if [ ! -O "$s" ]; then #Remove services that belongs to the current user + if [ ! -O "$s" ]; then #Remove services that belongs to the current user if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then - echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" fi servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths printf "%s\n" "$servicebinpaths\n" | while read sp; do - if [ -w "$sp" ]; then + if [ -w "$sp" ]; then echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g" - fi + fi done relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/") relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null | grep -Ev "/[a-zA-Z0-9_]+/") if [ "$relpath1" ] || [ "$relpath2" ]; then - if [ "$WRITABLESYSTEMDPATH" ]; then + if [ "$WRITABLESYSTEMDPATH" ]; then echo "$s is executing some relative path" | sed -${E} "s,.*,${SED_RED},"; - else + else echo "$s is executing some relative path" + fi fi - fi -fi + fi done if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi echo "" 
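Review bot: The `relpath1=` line passes `(?:…)` to `grep -E`; `(?:` is a PCRE non-capturing group and is not ERE, so the behaviour depends on the host's grep — GNU grep appears to drop the leading `?` and treat `:` as a literal alternative, while other implementations may reject the pattern outright — and the "relative path" warning becomes inconsistent across targets. A plain group is enough here: `relpath1=$(grep -E '^Exec.*=([^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")`. The enclosing `while read s` loop starts before this hunk.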
@@ -172,116 +173,116 @@ echo "" print_2title "Analyzing .timer files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers" printf "%s\n" "$PSTORAGE_TIMER\n" | while read t; do -if ! [ "$IAMROOT" ] && [ -w "$t" ]; then + if ! [ "$IAMROOT" ] && [ -w "$t" ]; then echo "$t" | sed -${E} "s,.*,${SED_RED},g" -fi -timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2) -printf "%s\n" "$timerbinpaths" | while read tb; do + fi + timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2) + printf "%s\n" "$timerbinpaths" | while read tb; do if [ -w "$tb" ]; then - echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g" + echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g" fi -done -#relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`" -#for rp in "$relpath"; do -# echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g" -#done + done + #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`" + #for rp in "$relpath"; do + # echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g" + #done done echo "" #-- PSC) .socket files #TODO: .socket files in MACOS are folders if ! [ "$IAMROOT" ]; then -print_2title "Analyzing .socket files" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" -printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do + print_2title "Analyzing .socket files" + print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" + printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do if ! 
[ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then - echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" + echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" fi socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') printf "%s\n" "$socketsbinpaths" | while read sb; do - if [ -w "$sb" ]; then + if [ -w "$sb" ]; then echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g" - fi + fi done socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') printf "%s\n" "$socketslistpaths" | while read sl; do - if [ -w "$sl" ]; then + if [ -w "$sl" ]; then echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g"; - fi + fi done -done -if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then + done + if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" -fi -if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then + fi + if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" -fi -echo "" + fi + echo "" -print_2title "Unix Sockets Listening" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" -# Search sockets using netstat and ss -unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) -if ! 
[ "$unix_scks_list" ];then + print_2title "Unix Sockets Listening" + print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" + # Search sockets using netstat and ss + unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) + if ! [ "$unix_scks_list" ];then unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+") -fi -if ! [ "$unix_scks_list" ];then + fi + if ! [ "$unix_scks_list" ];then unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2) -fi + fi + + # But also search socket files + unix_scks_list2=$(find / -type s 2>/dev/null) -# But also search socket files -unix_scks_list2=$(find / -type s 2>/dev/null) - -# Detele repeated dockets and check permissions -(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do + # Detele repeated dockets and check permissions + (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do perms="" if [ -r "$l" ]; then - perms="Read " + perms="Read " fi if [ -w "$l" ];then - perms="${perms}Write" + perms="${perms}Write" fi if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g"; else - echo "$l" | sed -${E} "s,$l,${SED_RED},g" - echo " └─(${RED}${perms}${NC})" - # Try to contact the socket - socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) - if [ $? -eq 0 ]; then + echo "$l" | sed -${E} "s,$l,${SED_RED},g" + echo " └─(${RED}${perms}${NC})" + # Try to contact the socket + socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) + if [ $? -eq 0 ]; then owner=$(ls -l "$s" | cut -d ' ' -f 3) echo "Socket $s owned by $owner uses HTTP. 
Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g" echo "$socketcurl" | head -n 30 + fi fi - fi -done -echo "" + done + echo "" fi #-- PSC) Writable and weak policies in D-Bus config files print_2title "D-Bus config files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus" if [ "$PSTORAGE_DBUS" ]; then -printf "%s\n" "$PSTORAGE_DBUS" | while read d; do + printf "%s\n" "$PSTORAGE_DBUS" | while read d; do for f in $d/*; do - if ! [ "$IAMROOT" ] && [ -w "$f" ]; then + if ! [ "$IAMROOT" ] && [ -w "$f" ]; then echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g" - fi + fi - genpol=$(grep "" "$f" 2>/dev/null) - if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi - #if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi + genpol=$(grep "" "$f" 2>/dev/null) + if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi + #if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi - userpol=$(grep "/dev/null | grep -v "root") - if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} 
"s,$mygroups,${SED_RED},g"; fi - #for g in `groups`; do - # if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi - #done - grppol=$(grep "/dev/null | grep -v "root") - if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi + userpol=$(grep "/dev/null | grep -v "root") + if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi + #for g in `groups`; do + # if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi + #done + grppol=$(grep "/dev/null | grep -v "root") + if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi - #TODO: identify allows in context="default" + #TODO: identify allows in context="default" done -done + done fi echo "" 
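Review bot: In the "Unix Sockets Listening" loop (`while read l; do`) the HTTP probe and the owner lookup use `$s` rather than the loop variable: `curl --max-time 2 --unix-socket "$s" http:/index`, `owner=$(ls -l "$s" | cut -d ' ' -f 3)` and `echo "Socket $s owned by …"`. `$s` was only set inside the earlier `.socket` pipeline, which ran in a subshell, so here it is empty or stale and the probe never targets the socket just reported as readable/writable; the three occurrences should be `"$l"`. In the same hunk, the `/run/docker.sock` message is piped through `sed "s,/var/run/docker.sock is writable,…"`, a pattern that cannot match that line, so it is never highlighted; the pattern should be `s,/run/docker.sock is writable,${SED_RED_YELLOW},g`.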
@@ -289,15 +290,15 @@ print_2title "D-Bus Service Objects list" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus" dbuslist=$(busctl list 2>/dev/null) if [ "$dbuslist" ]; then -busctl list | while read line; do + busctl list | while read line; do echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"; if ! echo "$line" | grep -qE "$dbuslistG"; then - srvc_object=$(echo $line | cut -d " " -f1) - srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ') - if [ "$srvc_object_info" ]; then + srvc_object=$(echo $line | cut -d " " -f1) + srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ') + if [ "$srvc_object_info" ]; then echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED}," + fi fi - fi -done + done else echo_not_found "busctl" fi \ No newline at end of file diff --git a/linPEAS/builder/src/linpeasBaseBuilder.py b/linPEAS/builder/src/linpeasBaseBuilder.py index b7a7ea2..ec58a1e 100644 --- a/linPEAS/builder/src/linpeasBaseBuilder.py +++ b/linPEAS/builder/src/linpeasBaseBuilder.py @@ -25,7 +25,7 @@ class LinpeasBaseBuilder: linpeas_part = file.read() checks.append(name_check) - self.linpeas_base += f"\nif echo $CHECKS | grep -q {name_check};\n" + self.linpeas_base += f"\nif echo $CHECKS | grep -q {name_check}; then\n" self.linpeas_base += f'print_title "{name}"\n' self.linpeas_base += linpeas_part self.linpeas_base += f"\nfi\necho ''\necho ''\n"
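Review bot: The generated guard `if echo $CHECKS | grep -q {name_check}; then` (now syntactically complete with `then`) matches `name_check` as an unanchored substring of `$CHECKS`, so if any check name is a prefix or substring of another, selecting the longer one also enables the shorter; the unquoted `$CHECKS` additionally relies on the shell's word splitting. Emitting `self.linpeas_base += f"\nif echo \"$CHECKS\" | grep -qw {name_check}; then\n"` restricts the match to whole words, assuming check names are made of word characters. The method that builds this string starts outside the hunk.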