darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

imprv

Browse Source
This commit is contained in:
Carlos Polop 2021-10-21 08:43:45 -04:00
parent 988ef11d59
commit 57cf17c4c0
1 changed files with 43 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
linPEAS/builder/linpeas_base.sh
View File

@ -1678,36 +1678,48 @@ if echo $CHECKS | grep -q ProCronSrvcsTmrsSocks; then
fi fi
echo "" echo ""
print_2title "Writable Sockets"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
find / -type s 2>/dev/null | while read l; do
if [ -w "$l" ]; then
echo "Socket '$l' is writable" | sed "s,.*,${SED_RED},";
fi
done
print_2title "Unix Sockets Listening" print_2title "Unix Sockets Listening"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID") # Search sockets using netstat and ss
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
if ! [ "$unix_scks_list" ];then if ! [ "$unix_scks_list" ];then
unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc") unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
fi fi
printf "%s\n" "$unix_scks_list" | while read l; do if ! [ "$unix_scks_list" ];then
sckt_path=$(echo $l | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n 1) unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
fi
# But also search socket files
unix_scks_list2=$(find / -type s 2>/dev/null)
# Detele repeated dockets and check permissions
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
perms="" perms=""
if [ -r "$sckt_path" ]; then if [ -r "$l" ]; then
perms="Read " perms="Read "
fi fi
if [ -w "$sckt_path" ];then if [ -w "$l" ];then
perms="${perms}Write" perms="${perms}Write"
fi fi
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$sckt_path,${SED_GREEN},g"; if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
else echo "$l" | sed -${E} "s,$sckt_path,${SED_RED},g"; echo " └─(${RED}${perms}${NC})" else
fi echo "$l" | sed -${E} "s,$l,${SED_RED},g"
done echo " └─(${RED}${perms}${NC})"
echo "" # Try to contact the socket
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
#-- PSC) Search HTTP sockets if [ $? -eq 0 ]; then
print_2title "HTTP sockets" owner=$(ls -l "$s" | cut -d ' ' -f 3)
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1 | while read s; do echo "$socketcurl" | head -n 30
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) fi
if [ $? -eq 0 ]; then
owner=$(ls -l "$s" | cut -d ' ' -f 3)
echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo "$socketcurl" | head -n 30
fi fi
done done
echo "" echo ""
@ -1871,7 +1883,7 @@ if echo $CHECKS | grep -q Net; then
echo "" echo ""
fi fi
if [ "$AUTO_NETWORK_SCAN" ]; then if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then
print_2title "Scanning local networks (using /24)" print_2title "Scanning local networks (using /24)"
select_nc select_nc
local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.") local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
@ -2735,7 +2747,8 @@ if echo $CHECKS | grep -q IntFiles; then
if ! [ "$STRACE" ]; then if ! [ "$STRACE" ]; then
echo_not_found "strace" echo_not_found "strace"
fi fi
find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do suids_files=$(find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
printf "%s\n" "$suids_files" | while read s; do
s=$(ls -lahtr "$s") s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total"; then break; fi if echo "$s" | grep -qE "^total"; then break; fi
@ -2757,12 +2770,12 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
done; done;
if [ "$c" ]; then if [ "$c" ]; then
if echo \"$s\" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
else else
echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED}," echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED},"
printf $ITALIC printf $ITALIC
if [ "$STRINGS" ]; then if ! [ "$FAST" ] && [ "$STRINGS" ]; then
$STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
sline_first="$(echo "$sline" | cut -d ' ' -f1)" sline_first="$(echo "$sline" | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then if echo "$sline_first" | grep -qEv "$cfuncs"; then
@ -2777,7 +2790,7 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
fi fi
done done
if [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then
printf $ITALIC printf $ITALIC
echo "----------------------------------------------------------------------------------------" echo "----------------------------------------------------------------------------------------"
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
@ -2800,7 +2813,8 @@ if echo $CHECKS | grep -q IntFiles; then
##-- IF) SGID ##-- IF) SGID
print_2title "SGID" print_2title "SGID"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
printf "%s\n" "$sgids_files" | while read s; do
s=$(ls -lahtr "$s") s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total";then break; fi if echo "$s" | grep -qE "^total";then break; fi
@ -2827,7 +2841,7 @@ if echo $CHECKS | grep -q IntFiles; then
else else
echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED},"
printf $ITALIC printf $ITALIC
if [ "$STRINGS" ]; then if ! [ "$FAST" ] && [ "$STRINGS" ]; then
$STRINGS "$sname" | sort | uniq | while read sline; do $STRINGS "$sname" | sort | uniq | while read sline; do
sline_first="$(echo $sline | cut -d ' ' -f1)" sline_first="$(echo $sline | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then if echo "$sline_first" | grep -qEv "$cfuncs"; then
@ -2842,7 +2856,7 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
fi fi
done done
if [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then
printf "$ITALIC" printf "$ITALIC"
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"