linpeasv2.5.2
This commit is contained in:
kali
parent
3764ee868c
commit
577c6a4503
@ -43,8 +43,8 @@ It uses **/bin/sh** sintax, so can run in anything supporting `sh` (and the bina
|
|||||||
|
|
||||||
By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
|
By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
|
||||||
|
|
||||||
By default linpeas takes around **1 min** to complete, but It could take from **3 to 4 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
|
By default linpeas takes around **2 mins** to complete, but It could take from **4 to 5 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
|
||||||
- Less than 1 min to make almost all the checks
|
- From less than 1 min to 2 mins to make almost all the checks
|
||||||
- Almost 1 min to search for possible passwords inside all the accesible files of the system
|
- Almost 1 min to search for possible passwords inside all the accesible files of the system
|
||||||
- 20s/user bruteforce with top2000 passwords *(need `-a`)* - Notice that this check is **super noisy**
|
- 20s/user bruteforce with top2000 passwords *(need `-a`)* - Notice that this check is **super noisy**
|
||||||
- 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted
|
- 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted
|
||||||
@ -156,13 +156,15 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
|
|||||||
- [x] Useful software
|
- [x] Useful software
|
||||||
- [x] Installed compilers
|
- [x] Installed compilers
|
||||||
|
|
||||||
- **Processes, Cron, Services & Timers**
|
- **Processes, Cron, Services, Timers & Sockets**
|
||||||
- [x] Cleaned processes
|
- [x] Cleaned processes
|
||||||
- [x] Binary processes permissions
|
- [x] Binary processes permissions
|
||||||
- [x] Different processes executed during 1 min
|
- [x] Different processes executed during 1 min
|
||||||
- [x] Cron jobs
|
- [x] Cron jobs
|
||||||
- [x] Services
|
- [x] Services (list, writable .service, writable services binaries, systemd path, service binaries using relative path)
|
||||||
- [x] All timers
|
- [x] All timers (list, writable .timer, writable binaries, relative paths)
|
||||||
|
- [x] Sockets
|
||||||
|
- [x] D-Bus
|
||||||
|
|
||||||
- **Network Information**
|
- **Network Information**
|
||||||
- [x] Hostname, hosts & dns
|
- [x] Hostname, hosts & dns
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
VERSION="v2.5.1"
|
VERSION="v2.5.2"
|
||||||
ADVISORY="linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission."
|
ADVISORY="linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission."
|
||||||
|
|
||||||
|
|
||||||
@ -234,6 +234,9 @@ fi
|
|||||||
if [ -z "$FOUND_NC" ]; then
|
if [ -z "$FOUND_NC" ]; then
|
||||||
FOUND_NC=$(which nc.traditional 2>/dev/null);
|
FOUND_NC=$(which nc.traditional 2>/dev/null);
|
||||||
fi
|
fi
|
||||||
|
if [ -z "$FOUND_NC" ]; then
|
||||||
|
FOUND_NC=$(which nc.openbsd 2>/dev/null);
|
||||||
|
fi
|
||||||
if [ "$FOUND_NC" ]; then
|
if [ "$FOUND_NC" ]; then
|
||||||
SCAN_BAN_GOOD="$GREEN$FOUND_NC$B is available for network discover & port scanning$LG (linpeas can discover hosts and scan ports, learn more with -h)"
|
SCAN_BAN_GOOD="$GREEN$FOUND_NC$B is available for network discover & port scanning$LG (linpeas can discover hosts and scan ports, learn more with -h)"
|
||||||
fi
|
fi
|
||||||
@ -251,7 +254,7 @@ NOTEXPORT=""
|
|||||||
DISCOVERY=""
|
DISCOVERY=""
|
||||||
PORTS=""
|
PORTS=""
|
||||||
QUIET=""
|
QUIET=""
|
||||||
CHECKS="SysI,Devs,AvaSof,ProCronSrvcs,Net,UsrI,SofI,IntFiles"
|
CHECKS="SysI,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI,IntFiles"
|
||||||
WAIT=""
|
WAIT=""
|
||||||
HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
||||||
$B This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$B inside the host and highlight possible misconfigs with colors.
|
$B This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$B inside the host and highlight possible misconfigs with colors.
|
||||||
@ -261,7 +264,7 @@ HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
|||||||
$Y-s$B SuperFast (don't check some time consuming checks) - Stealth mode
|
$Y-s$B SuperFast (don't check some time consuming checks) - Stealth mode
|
||||||
$Y-w$B Wait execution between big blocks
|
$Y-w$B Wait execution between big blocks
|
||||||
$Y-n$B Do not export env variables related with history
|
$Y-n$B Do not export env variables related with history
|
||||||
$Y-o$B Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcs, Net, UsrI, SofI, IntFiles). Select a comma separated list.
|
$Y-o$B Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list.
|
||||||
$Y-d <IP/NETMASK>$B Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
|
$Y-d <IP/NETMASK>$B Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
|
||||||
$Y-p <PORT(s)> -d <IP/NETMASK>$B Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
$Y-p <PORT(s)> -d <IP/NETMASK>$B Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
||||||
$Y-i <IP> [-p <PORT(s)>]$B Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
$Y-i <IP> [-p <PORT(s)>]$B Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
||||||
@ -576,6 +579,8 @@ if [ "$IAMROOT" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
|
||||||
###########################################
|
###########################################
|
||||||
#-----------) Some Basic Info (-----------#
|
#-----------) Some Basic Info (-----------#
|
||||||
###########################################
|
###########################################
|
||||||
@ -647,6 +652,130 @@ elif [ "$IP" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep IntFiles`" ] || [ "`echo $CHECKS | grep SofI`" ]; then
|
||||||
|
###########################################
|
||||||
|
#----------) Caching Finds (--------------#
|
||||||
|
###########################################
|
||||||
|
|
||||||
|
prep_to_find() {
|
||||||
|
echo "$1" | sed 's/ /" -o -name "/g' | sed 's/^/\\( -name "/g' | sed 's/$/" \\)/g'
|
||||||
|
}
|
||||||
|
|
||||||
|
printf $GREEN"Caching directories "$NC
|
||||||
|
SYSTEMD_RELEVANT_NAMES="*.service"
|
||||||
|
TIMERS_RELEVANT_NAMES="*.timer"
|
||||||
|
SOCKETS_RELEVANT_NAMES="*.socket"
|
||||||
|
DBUS_RELEVANT_NAMES="system.d session.d"
|
||||||
|
MYSQL_RELEVANT_NAMES="mysql"
|
||||||
|
POSTGRESQL_RELEVANT_NAMES="pgadmin*.db pg_hba.conf postgresql.conf pgsql.conf"
|
||||||
|
APACHE_RELEVANT_NAMES="sites-enabled 000-default"
|
||||||
|
PHP_RELEVANT_NAMES="sess_* *config*.php"
|
||||||
|
WORDPRESS_RELEVANT_NAMES="wp-config.php"
|
||||||
|
DRUPAL_RELEVANT_NAMES="settings.php"
|
||||||
|
TOMCAT_RELEVANT_NAMES="tomcat-users.xml"
|
||||||
|
MONGO_RELEVANT_NAMES="mongod*.conf"
|
||||||
|
SUPERVISORD_RELEVANT_NAMES="supervisord.conf"
|
||||||
|
CESI_RELEVANT_NAMES="cesi.conf"
|
||||||
|
RSYNCD_RELEVANT_NAMES="rsyncd.conf rsyncd.secrets"
|
||||||
|
HOSTAPAD_RELEVANT_NAMES="hostapd.conf"
|
||||||
|
ANACONDA_KS_RELEVANT_NAMES="anaconda-ks.cfg"
|
||||||
|
VNC_RELEVANT_NAMES=".vnc"
|
||||||
|
LDAP_RELEVANT_NAMES="ldap"
|
||||||
|
OVPN_RELEVANT_NAMES="*.ovpn"
|
||||||
|
SSH_RELEVANT_NAMES="id_dsa* id_rsa* known_hosts authorized_hosts authorized_keys *.pem *.cer *.crt *.csr *.der *.pfx *.p12 agent* config vault-ssh-helper.hcl .vault-token"
|
||||||
|
CLOUD_KEYS_RELEVANT_NAMES="credentials credentials.db legacy_credentials.db access_tokens.db accessTokens.json azureProfile.json cloud.cfg"
|
||||||
|
KERBEROS_RELEVANT_NAMES="krb5.conf"
|
||||||
|
KIBANA_RELEVANT_NAMES="kibana.y*ml"
|
||||||
|
KNOCK_RELEVANT_NAMES="knockd"
|
||||||
|
LOGSTASH_RELEVANT_NAMES="logstash"
|
||||||
|
ELASTICSEARCH_RELEVANT_NAMES="elasticsearch.y*ml"
|
||||||
|
COUCHDB_RELEVANT_NAMES="couchdb"
|
||||||
|
REDIS_RELEVANT_NAMES="redis.conf"
|
||||||
|
MOSQUITTO_RELEVANT_NAMES="mosquitto.conf"
|
||||||
|
NEO4J_RELEVANT_NAMES="neo4j"
|
||||||
|
DB_RELEVANT_NAMES="*.db *.sqlite *.sqlite3"
|
||||||
|
INSTERESTING_RELEVANT_NAMES="*_history .sudo_as_admin_successful .profile *bashrc *httpd.conf *.plan .htpasswd .gitconfig .git-credentials .git .svn *.rhost hosts.equiv Dockerfile docker-compose.yml"
|
||||||
|
PASSWORD_RELEVANT_NAMES="*password* *credential* creds*"
|
||||||
|
|
||||||
|
FIND_SYSTEMD_RELEVANT_NAMES=$(prep_to_find "$SYSTEMD_RELEVANT_NAMES")
|
||||||
|
FIND_TIMERS_RELEVANT_NAMES=$(prep_to_find "$TIMERS_RELEVANT_NAMES")
|
||||||
|
FIND_SOCKETS_RELEVANT_NAMES=$(prep_to_find "$SOCKETS_RELEVANT_NAMES")
|
||||||
|
FIND_DBUS_RELEVANT_NAMES=$(prep_to_find "$DBUS_RELEVANT_NAMES")
|
||||||
|
FIND_MYSQL_RELEVANT_NAMES=$(prep_to_find "$MYSQL_RELEVANT_NAMES")
|
||||||
|
FIND_POSTGRESQL_RELEVANT_NAMES=$(prep_to_find "$POSTGRESQL_RELEVANT_NAMES")
|
||||||
|
FIND_APACHE_RELEVANT_NAMES=$(prep_to_find "$APACHE_RELEVANT_NAMES")
|
||||||
|
FIND_PHP_RELEVANT_NAMES=$(prep_to_find "$PHP_RELEVANT_NAMES")
|
||||||
|
FIND_WORDPRESS_RELEVANT_NAMES=$(prep_to_find "$WORDPRESS_RELEVANT_NAMES")
|
||||||
|
FIND_DRUPAL_RELEVANT_NAMES=$(prep_to_find "$DRUPAL_RELEVANT_NAMES")
|
||||||
|
FIND_TOMCAT_RELEVANT_NAMES=$(prep_to_find "$TOMCAT_RELEVANT_NAMES")
|
||||||
|
FIND_MONGO_RELEVANT_NAMES=$(prep_to_find "$MONGO_RELEVANT_NAMES")
|
||||||
|
FIND_SUPERVISORD_RELEVANT_NAMES=$(prep_to_find "$SUPERVISORD_RELEVANT_NAMES")
|
||||||
|
FIND_CESI_RELEVANT_NAMES=$(prep_to_find "$CESI_RELEVANT_NAMES")
|
||||||
|
FIND_RSYNCD_RELEVANT_NAMES=$(prep_to_find "$RSYNCD_RELEVANT_NAMES")
|
||||||
|
FIND_HOSTAPAD_RELEVANT_NAMES=$(prep_to_find "$HOSTAPAD_RELEVANT_NAMES")
|
||||||
|
FIND_ANACONDA_KS_RELEVANT_NAMES=$(prep_to_find "$ANACONDA_KS_RELEVANT_NAMES")
|
||||||
|
FIND_VNC_RELEVANT_NAMES=$(prep_to_find "$VNC_RELEVANT_NAMES")
|
||||||
|
FIND_LDAP_RELEVANT_NAMES=$(prep_to_find "$LDAP_RELEVANT_NAMES")
|
||||||
|
FIND_OVPN_RELEVANT_NAMES=$(prep_to_find "$OVPN_RELEVANT_NAMES")
|
||||||
|
FIND_SSH_RELEVANT_NAMES=$(prep_to_find "$SSH_RELEVANT_NAMES")
|
||||||
|
FIND_CLOUD_KEYS_RELEVANT_NAMES=$(prep_to_find "$CLOUD_KEYS_RELEVANT_NAMES")
|
||||||
|
FIND_KERBEROS_RELEVANT_NAMES=$(prep_to_find "$KERBEROS_RELEVANT_NAMES")
|
||||||
|
FIND_KIBANA_RELEVANT_NAMES=$(prep_to_find "$KIBANA_RELEVANT_NAMES")
|
||||||
|
FIND_KNOCK_RELEVANT_NAMES=$(prep_to_find "$sK_RELEVANT_NAMES")
|
||||||
|
FIND_LOGSTASH_RELEVANT_NAMES=$(prep_to_find "$LOGSTASH_RELEVANT_NAMES")
|
||||||
|
FIND_ELASTICSEARCH_RELEVANT_NAMES=$(prep_to_find "$ELASTICSEARCH_RELEVANT_NAMES")
|
||||||
|
FIND_COUCHDB_RELEVANT_NAMES=$(prep_to_find "$COUCHDB_RELEVANT_NAMES")
|
||||||
|
FIND_REDIS_RELEVANT_NAMES=$(prep_to_find "$REDIS_RELEVANT_NAMES")
|
||||||
|
FIND_MOSQUITTO_RELEVANT_NAMES=$(prep_to_find "$MOSQUITTO_RELEVANT_NAMES")
|
||||||
|
FIND_NEO4J_RELEVANT_NAMES=$(prep_to_find "$NEO4J_RELEVANT_NAMES")
|
||||||
|
FIND_DB_RELEVANT_NAMES=$(prep_to_find "$DB_RELEVANT_NAMES")
|
||||||
|
FIND_INSTERESTING_RELEVANT_NAMES=$(prep_to_find "$INSTERESTING_RELEVANT_NAMES")
|
||||||
|
FIND_PASSWORD_RELEVANT_NAMES=$(prep_to_find "$PASSWORD_RELEVANT_NAMES")
|
||||||
|
|
||||||
|
# Directories
|
||||||
|
FIND_DIR_VAR=$(eval find /var -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_ETC=$(eval find /etc -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_DBUS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_ETC" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_HOME=$(eval find /home -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_HOME" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_ROOT=$(eval find /root -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_TMP=$(eval find /tmp -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_USR=$(eval find /usr -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_DIR_OPT=$(eval find /opt -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_DIR_OPT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
|
||||||
|
# All
|
||||||
|
FIND_HOME=$(eval find /home $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_HOME" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_ETC=$(eval find /etc $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_KNOCK_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_ETC" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_ROOT=$(eval find /root $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_VAR=$(eval find /var $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_TMP=$(eval find /tmp $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_OPT=$(eval find /opt $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_OPT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_USR=$(eval find /usr $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_MNT=$(eval find /mnt $FIND_SSH_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_MNT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_LIB=$(eval find /lib $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_LIB" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_RUN=$(eval find /run $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_RUN" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
FIND_SYSTEMD=$(eval find /run $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort)
|
||||||
|
if [ "$FIND_SYSTEMD" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
||||||
|
|
||||||
|
printf $Y"DONE\n"$NC
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
if [ "`echo $CHECKS | grep SysI`" ]; then
|
if [ "`echo $CHECKS | grep SysI`" ]; then
|
||||||
###########################################
|
###########################################
|
||||||
#-------------) System Info (-------------#
|
#-------------) System Info (-------------#
|
||||||
@ -676,11 +805,6 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
|
|||||||
echo "New path exported: $PATH" 2>/dev/null | sed "s,$Wfolders\|\./\|\.:\|:\. ,${C}[1;31;103m&${C}[0m,g"
|
echo "New path exported: $PATH" 2>/dev/null | sed "s,$Wfolders\|\./\|\.:\|:\. ,${C}[1;31;103m&${C}[0m,g"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
printf $Y"[+] "$GREEN"Systemd PATH\n"$NC
|
|
||||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path\n"$NC
|
|
||||||
systemctl show-environment 2>/dev/null | grep "PATH" | sed "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g"
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
#-- 4SY) Date
|
#-- 4SY) Date
|
||||||
printf $Y"[+] "$GREEN"Date\n"$NC
|
printf $Y"[+] "$GREEN"Date\n"$NC
|
||||||
date 2>/dev/null || echo_not_found "date"
|
date 2>/dev/null || echo_not_found "date"
|
||||||
@ -695,7 +819,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
|
|||||||
#-- 6SY) Environment vars
|
#-- 6SY) Environment vars
|
||||||
printf $Y"[+] "$GREEN"Environment\n"$NC
|
printf $Y"[+] "$GREEN"Environment\n"$NC
|
||||||
printf $B"[i] "$Y"Any private information inside environment variables?\n"$NC
|
printf $B"[i] "$Y"Any private information inside environment variables?\n"$NC
|
||||||
(env || set) 2>/dev/null | grep -v "^VERSION=\|ldsoconfdG\|pwd_inside_history\|kernelDCW_Ubuntu_Precise_1\|kernelDCW_Ubuntu_Precise_2\|kernelDCW_Ubuntu_Trusty_1\|kernelDCW_Ubuntu_Trusty_2\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel5\|kernelDCW_Rhel6_1\|kernelDCW_Rhel6_2\|kernelDCW_Rhel7\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG=\|sidB=\|sidVB=\|sudoB=\|sudoVB=\|sudocapsB=\|timersG=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=" | sed "s,pwd\|passw\|PWD\|PASSW\|Passwd\|Pwd,${C}[1;31m&${C}[0m,g" || echo_not_found "env || set"
|
(env || set) 2>/dev/null | grep -v "RELEVANT*\|FIND*\|^VERSION=\|ldsoconfdG\|pwd_inside_history\|kernelDCW_Ubuntu_Precise_1\|kernelDCW_Ubuntu_Precise_2\|kernelDCW_Ubuntu_Trusty_1\|kernelDCW_Ubuntu_Trusty_2\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel5\|kernelDCW_Rhel6_1\|kernelDCW_Rhel6_2\|kernelDCW_Rhel7\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG=\|sidB=\|sidVB=\|sudoB=\|sudoVB=\|sudocapsB=\|timersG=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=" | sed "s,pwd\|passw\|PWD\|PASSW\|Passwd\|Pwd,${C}[1;31m&${C}[0m,g" || echo_not_found "env || set"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
#-- 7SY) Dmesg
|
#-- 7SY) Dmesg
|
||||||
@ -730,6 +854,8 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
echo ""
|
||||||
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -750,6 +876,7 @@ if [ "`echo $CHECKS | grep Devs`" ]; then
|
|||||||
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g"
|
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g"
|
||||||
echo ""
|
echo ""
|
||||||
echo ""
|
echo ""
|
||||||
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -769,14 +896,15 @@ if [ "`echo $CHECKS | grep AvaSof`" ]; then
|
|||||||
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
|
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
|
||||||
echo ""
|
echo ""
|
||||||
echo ""
|
echo ""
|
||||||
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
if [ "`echo $CHECKS | grep ProCronSrvcs`" ]; then
|
if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then
|
||||||
####################################################
|
####################################################
|
||||||
#-----) Processes & Cron & Services & Timers (-----#
|
#-----) Processes & Cron & Services & Timers (-----#
|
||||||
####################################################
|
####################################################
|
||||||
printf $B"================================( "$GREEN"Processes, Cron, Services & Timers"$B" )================================\n"$NC
|
printf $B"================================( "$GREEN"Processes, Cron, Services, Timers & Sockets"$B" )================================\n"$NC
|
||||||
|
|
||||||
#-- 1PCS) Cleaned proccesses
|
#-- 1PCS) Cleaned proccesses
|
||||||
printf $Y"[+] "$GREEN"Cleaned processes\n"$NC
|
printf $Y"[+] "$GREEN"Cleaned processes\n"$NC
|
||||||
@ -821,11 +949,119 @@ if [ "`echo $CHECKS | grep ProCronSrvcs`" ]; then
|
|||||||
(service --status-all || chkconfig --list || rc-status) 2>/dev/null || echo_not_found "service|chkconfig|rc-status"
|
(service --status-all || chkconfig --list || rc-status) 2>/dev/null || echo_not_found "service|chkconfig|rc-status"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
#-- 6PSC) System timers
|
#-- PSC) systemd PATH
|
||||||
|
printf $Y"[+] "$GREEN"Systemd PATH\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path\n"$NC
|
||||||
|
systemctl show-environment 2>/dev/null | grep "PATH" | sed "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Writable .service files
|
||||||
|
printf $Y"[+] "$GREEN"Writable services\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-service-files\n"$NC
|
||||||
|
services=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD" | grep -E '\.service')
|
||||||
|
for s in $services; do
|
||||||
|
if [ -w "$s" ]; then
|
||||||
|
echo "$s" | sed "s,.*,${C}[1;31;103m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
servicebinpaths="`grep -Po '^Exec.*?=[!@+-]*[\w/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'`" #Get invoked paths
|
||||||
|
for sp in $servicebinpaths; do
|
||||||
|
if [ -w "$sp" ]; then
|
||||||
|
echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${C}[1;31;103m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
relpath1="`grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' \"$s\" 2>/dev/null | grep -Iv \"=/\"`"
|
||||||
|
if [ "$relpath1" ]; then echo "$s is calling this relative path: $relpath1" | sed "s,relative.*,${C}[1;31m&${C}[0m,"; fi
|
||||||
|
relpath2="`grep -E '^Exec.*=.*/bin/[\w]*sh ' \"$s\" 2>/dev/null | grep -Ev \" /|\\\"/|'/\"`" #Uses a shell to execute something that don't start with absolute path (COLOR IS MESSED HERE BUT IT WORKS)
|
||||||
|
if [ "$relpath2" ]; then echo "$s is calling this relative path: $relpath2" | sed "s,relative.*,${C}[1;31m&${C}[0m,"; fi
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Timers
|
||||||
printf $Y"[+] "$GREEN"System timers\n"$NC
|
printf $Y"[+] "$GREEN"System timers\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers\n"$NC
|
||||||
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed "s,$timersG,${C}[1;32m&${C}[0m,") || echo_not_found
|
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed "s,$timersG,${C}[1;32m&${C}[0m,") || echo_not_found
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Writable .timer files
|
||||||
|
printf $Y"[+] "$GREEN".timer files\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-timers\n"$NC
|
||||||
|
timers=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD" | grep -E '\.timer')
|
||||||
|
for t in $timers; do
|
||||||
|
if [ -w "$t" ]; then
|
||||||
|
echo "$t" | sed "s,.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
timerbinpaths="`grep -Po '^Unit=*(.*?$)' \"$t\" 2>/dev/null | cut -d '=' -f2`"
|
||||||
|
for tb in $timerbinpaths; do
|
||||||
|
if [ -w "$tb" ]; then
|
||||||
|
echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
|
||||||
|
if [ "$relpath" ]; then
|
||||||
|
echo "$t is calling a relative path: $relpath" | sed "s,relative.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
done
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Writable .socket files
|
||||||
|
printf $Y"[+] "$GREEN".socket files\n"$NC
|
||||||
|
printf $B"[i] "$Y"hhttps://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets\n"$NC
|
||||||
|
sockets=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD" | grep -E '\.socket')
|
||||||
|
for s in $sockets; do
|
||||||
|
if [ -w "$s" ]; then
|
||||||
|
echo "Writable files: $s" | sed "s,/.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
socketsbinpaths="`for s in $sockets; do grep -Po '^(Exec).*?=[!@+-]*/[\w/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'; done`"
|
||||||
|
for sb in $socketsbinpaths; do
|
||||||
|
if [ -w "$sb" ]; then
|
||||||
|
echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
socketslistpaths="`for s in $sockets; do grep -Po '^(Listen).*?=[!@+-]*/[\w/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'; done`"
|
||||||
|
for sl in $socketsbinpaths; do
|
||||||
|
if [ -w "$sl" ]; then
|
||||||
|
echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Search HTTP sockets
|
||||||
|
printf $Y"[+] "$GREEN"HTTP sockets\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets\n"$NC
|
||||||
|
for s in `ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1`; do
|
||||||
|
socketcurl="`curl --max-time 2 --unix-socket \"$s\" http:/index 2>/dev/null`"
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
owner="`ls -l \"$s\" | cut -d ' ' -f 3`"
|
||||||
|
echo "Socket $s owned by $owner uses HTTP. Response to /index:" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed "s,$idB,${C}[1;31m&${C}[0m,g"
|
||||||
|
echo "$socketcurl"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
#-- PSC) Writable and weak policies in D-Bus config files
|
||||||
|
printf $Y"[+] "$GREEN"D-Bus config files\n"$NC
|
||||||
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus\n"$NC
|
||||||
|
dbusfols=$(echo "$FIND_DIR_ETC" | grep -E '/dbus-1/system.d|/dbus-1/session.d')
|
||||||
|
for d in "$dbusfols"; do
|
||||||
|
for f in $d/*; do
|
||||||
|
if [ -w "$f" ]; then
|
||||||
|
echo "Writable $f" | sed "s,.*,${C}[1;31m&${C}[0m,g"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "`grep \"<policy>\" \"$f\" 2>/dev/null`" ]; then printf "Weak general policy found on $f\n" | sed "s,/.*,${C}[1;31m&${C}[0m,g"; fi
|
||||||
|
if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f\n" | sed "s,/.*,${C}[1;31m&${C}[0m,g"; fi
|
||||||
|
for g in `groups`; do
|
||||||
|
if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,/.*,${C}[1;31m&${C}[0m,g"; fi
|
||||||
|
done
|
||||||
|
#TODO: identify allows in context="default"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -874,7 +1110,6 @@ if [ "`echo $CHECKS | grep Net`" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -888,7 +1123,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then
|
|||||||
#-- 1UI) My user
|
#-- 1UI) My user
|
||||||
printf $Y"[+] "$GREEN"My user\n"$NC
|
printf $Y"[+] "$GREEN"My user\n"$NC
|
||||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups\n"$NC
|
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups\n"$NC
|
||||||
(id || (whoami && groups)) 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed "s,$idB,${C}[1;31m&${C}[0m,g"
|
(id || (whoami && groups)) 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$idB,${C}[1;31m&${C}[0m,g"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
#-- 2UI) PGP keys?
|
#-- 2UI) PGP keys?
|
||||||
@ -981,125 +1216,6 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then
|
|||||||
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
|
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
|
||||||
echo ""
|
echo ""
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
if [ "`echo $CHECKS | grep IntFiles`" ] || [ "`echo $CHECKS | grep SofI`" ]; then
|
|
||||||
###########################################
|
|
||||||
#----------) Caching Finds (--------------#
|
|
||||||
###########################################
|
|
||||||
|
|
||||||
prep_to_find() {
|
|
||||||
echo "$1" | sed 's/ /" -o -name "/g' | sed 's/^/\\( -name "/g' | sed 's/$/" \\)/g'
|
|
||||||
}
|
|
||||||
|
|
||||||
printf $GREEN"Caching directories "$NC
|
|
||||||
MYSQL_RELEVANT_NAMES="mysql"
|
|
||||||
POSTGRESQL_RELEVANT_NAMES="pgadmin*.db pg_hba.conf postgresql.conf pgsql.conf"
|
|
||||||
APACHE_RELEVANT_NAMES="sites-enabled 000-default"
|
|
||||||
PHP_RELEVANT_NAMES="sess_* *config*.php"
|
|
||||||
WORDPRESS_RELEVANT_NAMES="wp-config.php"
|
|
||||||
DRUPAL_RELEVANT_NAMES="settings.php"
|
|
||||||
TOMCAT_RELEVANT_NAMES="tomcat-users.xml"
|
|
||||||
MONGO_RELEVANT_NAMES="mongod*.conf"
|
|
||||||
SUPERVISORD_RELEVANT_NAMES="supervisord.conf"
|
|
||||||
CESI_RELEVANT_NAMES="cesi.conf"
|
|
||||||
RSYNCD_RELEVANT_NAMES="rsyncd.conf rsyncd.secrets"
|
|
||||||
HOSTAPAD_RELEVANT_NAMES="hostapd.conf"
|
|
||||||
ANACONDA_KS_RELEVANT_NAMES="anaconda-ks.cfg"
|
|
||||||
VNC_RELEVANT_NAMES=".vnc"
|
|
||||||
LDAP_RELEVANT_NAMES="ldap"
|
|
||||||
OVPN_RELEVANT_NAMES="*.ovpn"
|
|
||||||
SSH_RELEVANT_NAMES="id_dsa* id_rsa* known_hosts authorized_hosts authorized_keys *.pem *.cer *.crt *.csr *.der *.pfx *.p12 agent* config vault-ssh-helper.hcl .vault-token"
|
|
||||||
CLOUD_KEYS_RELEVANT_NAMES="credentials credentials.db legacy_credentials.db access_tokens.db accessTokens.json azureProfile.json cloud.cfg"
|
|
||||||
KERBEROS_RELEVANT_NAMES="krb5.conf"
|
|
||||||
KIBANA_RELEVANT_NAMES="kibana.y*ml"
|
|
||||||
KNOCK_RELEVANT_NAMES="knockd"
|
|
||||||
LOGSTASH_RELEVANT_NAMES="logstash"
|
|
||||||
ELASTICSEARCH_RELEVANT_NAMES="elasticsearch.y*ml"
|
|
||||||
COUCHDB_RELEVANT_NAMES="couchdb"
|
|
||||||
REDIS_RELEVANT_NAMES="redis.conf"
|
|
||||||
MOSQUITTO_RELEVANT_NAMES="mosquitto.conf"
|
|
||||||
NEO4J_RELEVANT_NAMES="neo4j"
|
|
||||||
SYSTEMD_RELEVANT_NAMES="*.service"
|
|
||||||
DB_RELEVANT_NAMES="*.db *.sqlite *.sqlite3"
|
|
||||||
INSTERESTING_RELEVANT_NAMES="*_history .sudo_as_admin_successful .profile *bashrc *httpd.conf *.plan .htpasswd .gitconfig .git-credentials .git .svn *.rhost hosts.equiv Dockerfile docker-compose.yml"
|
|
||||||
PASSWORD_RELEVANT_NAMES="*password* *credential* creds*"
|
|
||||||
|
|
||||||
FIND_MYSQL_RELEVANT_NAMES=$(prep_to_find "$MYSQL_RELEVANT_NAMES")
|
|
||||||
FIND_POSTGRESQL_RELEVANT_NAMES=$(prep_to_find "$POSTGRESQL_RELEVANT_NAMES")
|
|
||||||
FIND_APACHE_RELEVANT_NAMES=$(prep_to_find "$APACHE_RELEVANT_NAMES")
|
|
||||||
FIND_PHP_RELEVANT_NAMES=$(prep_to_find "$PHP_RELEVANT_NAMES")
|
|
||||||
FIND_WORDPRESS_RELEVANT_NAMES=$(prep_to_find "$WORDPRESS_RELEVANT_NAMES")
|
|
||||||
FIND_DRUPAL_RELEVANT_NAMES=$(prep_to_find "$DRUPAL_RELEVANT_NAMES")
|
|
||||||
FIND_TOMCAT_RELEVANT_NAMES=$(prep_to_find "$TOMCAT_RELEVANT_NAMES")
|
|
||||||
FIND_MONGO_RELEVANT_NAMES=$(prep_to_find "$MONGO_RELEVANT_NAMES")
|
|
||||||
FIND_SUPERVISORD_RELEVANT_NAMES=$(prep_to_find "$SUPERVISORD_RELEVANT_NAMES")
|
|
||||||
FIND_CESI_RELEVANT_NAMES=$(prep_to_find "$CESI_RELEVANT_NAMES")
|
|
||||||
FIND_RSYNCD_RELEVANT_NAMES=$(prep_to_find "$RSYNCD_RELEVANT_NAMES")
|
|
||||||
FIND_HOSTAPAD_RELEVANT_NAMES=$(prep_to_find "$HOSTAPAD_RELEVANT_NAMES")
|
|
||||||
FIND_ANACONDA_KS_RELEVANT_NAMES=$(prep_to_find "$ANACONDA_KS_RELEVANT_NAMES")
|
|
||||||
FIND_VNC_RELEVANT_NAMES=$(prep_to_find "$VNC_RELEVANT_NAMES")
|
|
||||||
FIND_LDAP_RELEVANT_NAMES=$(prep_to_find "$LDAP_RELEVANT_NAMES")
|
|
||||||
FIND_OVPN_RELEVANT_NAMES=$(prep_to_find "$OVPN_RELEVANT_NAMES")
|
|
||||||
FIND_SSH_RELEVANT_NAMES=$(prep_to_find "$SSH_RELEVANT_NAMES")
|
|
||||||
FIND_CLOUD_KEYS_RELEVANT_NAMES=$(prep_to_find "$CLOUD_KEYS_RELEVANT_NAMES")
|
|
||||||
FIND_KERBEROS_RELEVANT_NAMES=$(prep_to_find "$KERBEROS_RELEVANT_NAMES")
|
|
||||||
FIND_KIBANA_RELEVANT_NAMES=$(prep_to_find "$KIBANA_RELEVANT_NAMES")
|
|
||||||
FIND_KNOCK_RELEVANT_NAMES=$(prep_to_find "$sK_RELEVANT_NAMES")
|
|
||||||
FIND_LOGSTASH_RELEVANT_NAMES=$(prep_to_find "$LOGSTASH_RELEVANT_NAMES")
|
|
||||||
FIND_ELASTICSEARCH_RELEVANT_NAMES=$(prep_to_find "$ELASTICSEARCH_RELEVANT_NAMES")
|
|
||||||
FIND_COUCHDB_RELEVANT_NAMES=$(prep_to_find "$COUCHDB_RELEVANT_NAMES")
|
|
||||||
FIND_REDIS_RELEVANT_NAMES=$(prep_to_find "$REDIS_RELEVANT_NAMES")
|
|
||||||
FIND_MOSQUITTO_RELEVANT_NAMES=$(prep_to_find "$MOSQUITTO_RELEVANT_NAMES")
|
|
||||||
FIND_NEO4J_RELEVANT_NAMES=$(prep_to_find "$NEO4J_RELEVANT_NAMES")
|
|
||||||
FIND_SYSTEMD_RELEVANT_NAMES=$(prep_to_find "$SYSTEMD_RELEVANT_NAMES")
|
|
||||||
FIND_DB_RELEVANT_NAMES=$(prep_to_find "$DB_RELEVANT_NAMES")
|
|
||||||
FIND_INSTERESTING_RELEVANT_NAMES=$(prep_to_find "$INSTERESTING_RELEVANT_NAMES")
|
|
||||||
FIND_PASSWORD_RELEVANT_NAMES=$(prep_to_find "$PASSWORD_RELEVANT_NAMES")
|
|
||||||
|
|
||||||
# Directories
|
|
||||||
FIND_DIR_VAR=$(eval find /var -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_ETC=$(eval find /etc -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_ETC" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_HOME=$(eval find /home -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_HOME" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_ROOT=$(eval find /root -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_TMP=$(eval find /tmp -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_USR=$(eval find /usr -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_DIR_OPT=$(eval find /opt -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_DIR_OPT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
|
|
||||||
# All
|
|
||||||
FIND_HOME=$(eval find /home $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_HOME" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_ETC=$(eval find /etc $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_KNOCK_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_ETC" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_ROOT=$(eval find /root $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_VAR=$(eval find /var $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_TMP=$(eval find /tmp $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_OPT=$(eval find /opt $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_OPT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_USR=$(eval find /usr $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_MNT=$(eval find /mnt $FIND_SSH_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_MNT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_LIB=$(eval find /lib $FIND_SYSTEMD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_LIB" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_RUN=$(eval find /run $FIND_SYSTEMD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_RUN" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
FIND_SYSTEMD=$(eval find /run $FIND_SYSTEMD_RELEVANT_NAMES 2>/dev/null | sort)
|
|
||||||
if [ "$FIND_SYSTEMD" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi
|
|
||||||
|
|
||||||
printf $Y"DONE\n"$NC
|
|
||||||
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1432,9 +1548,9 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
|||||||
if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed "s,.*,${C}[1;31m&${C}[0m,"; fi
|
if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed "s,.*,${C}[1;31m&${C}[0m,"; fi
|
||||||
fi
|
fi
|
||||||
if [ "$certsb4_grep" ] || [ "$certsbin" ]; then
|
if [ "$certsb4_grep" ] || [ "$certsbin" ]; then
|
||||||
echo " --> Some certificates were found:"
|
echo " --> Some certificates were found (out limited):"
|
||||||
printf "$certsb4_grep\n"
|
printf "$certsb4_grep\n" | head -n 20
|
||||||
printf "$certsbin\n"
|
printf "$certsbin\n" | head -n 20
|
||||||
fi
|
fi
|
||||||
if [ "$clientcert" ]; then
|
if [ "$clientcert" ]; then
|
||||||
echo " --> Some client certificates were found:"
|
echo " --> Some client certificates were found:"
|
||||||
@ -1756,21 +1872,6 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
printf $Y"[+] "$GREEN"Relative paths in systemd services\n"$NC
|
|
||||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path\n"$NC
|
|
||||||
services=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD" | grep -E '\.service')
|
|
||||||
for s in $services; do
|
|
||||||
grep -HE '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -v "=/" | sed "s,Exec.*,${C}[1;31m&${C}[0m,"
|
|
||||||
grep -HE '^Exec.*=.*/bin/[\w]*sh ' "$s" 2>/dev/null | grep -Ev " /|\"/|'/" | sed "s,Exec.*,${C}[1;31m&${C}[0m," #Uses a shell to execute something that don't start with "/"
|
|
||||||
done
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
printf $Y"[+] "$GREEN"Checking permissions of binaries run by systemd services\n"$NC
|
|
||||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path\n"$NC
|
|
||||||
servicespaths="`for s in $services; do grep -Po '^Exec.*?=[!@+-]*[\w/\-]*' \"$s\" 2>/dev/null | cut -d "=" -f2 | sed 's,^[@\+!-]*,,'; done`;"
|
|
||||||
printf "$servicespaths" | sort | uniq | sed "s,$writeVB,${C}[1;31;103m&${C}[0m,"
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
|
|
||||||
##-- 6IF) .sh files in PATH
|
##-- 6IF) .sh files in PATH
|
||||||
printf $Y"[+] "$GREEN".sh files in path\n"$NC
|
printf $Y"[+] "$GREEN".sh files in path\n"$NC
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user