more

2025-05-19 06:36:39 +02:00 · 2025-05-19 06:36:39 +02:00 · 604580adbd
commit 604580adbd
parent 9820c18697
3 changed files with 210 additions and 0 deletions
--- a/linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh
@ -0,0 +1,75 @@
+# Title: System Information - Systemd
+# ID: SY_Systemd
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
+#   - Services running as root that could be exploited
+#   - Services with dangerous capabilities that could be abused
+#   - Services with writable paths that could be used to inject malicious code
+#   - Exploitation methods:
+#     * Version exploits: Use known exploits for vulnerable systemd versions
+#     * Root services: Abuse services running as root to execute commands
+#     * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
+#     * Writable paths: Replace executables in writable paths to get code execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Systemd Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/systemd-privilege-escalation"
+
+# Check systemd version
+print_list "Systemd version? .............. "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+    systemctl --version | head -n 1 | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+else
+    echo_not_found "systemctl"
+fi
+
+# Check for systemd services running as root
+print_list "Services running as root? ..... "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+    systemctl list-units --type=service --state=running 2>/dev/null | grep -E "root|0:0" | sed -${E} "s,root|0:0,${SED_RED},g"
+else
+    echo_not_found "systemctl"
+fi
+
+# Check for systemd services with capabilities
+print_list "Running services with capabilities? ... "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+    for service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
+        if [ -f "/etc/systemd/system/$service" ] || [ -f "/lib/systemd/system/$service" ]; then
+            if grep -q "CapabilityBoundingSet" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null; then
+                echo "$service" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+        fi
+    done
+else
+    echo_not_found "systemctl"
+fi
+
+# Check for systemd services with writable paths
+print_list "Services with writable paths? . "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+    for service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
+        if [ -f "/etc/systemd/system/$service" ] || [ -f "/lib/systemd/system/$service" ]; then
+            if grep -q "ExecStart\|ExecStartPre\|ExecStartPost" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null; then
+                for path in $(grep -E "ExecStart|ExecStartPre|ExecStartPost" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null | awk '{print $2}' | tr -d '"'); do
+                    if [ -w "$path" ]; then
+                        echo "$service: $path" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                done
+            fi
+        fi
+    done
+else
+    echo_not_found "systemctl"
+fi
+
+echo "" 
--- a/linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh
@ -0,0 +1,62 @@
+# Title: System Information - System Logging
+# ID: SY_System_Logging
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for logging system misconfigurations that could lead to privilege escalation:
+#   - Syslog/rsyslog configurations that log sensitive information
+#   - Auditd configurations that could be abused
+#   - Log files with weak permissions that could be modified
+#   - Log rotation configurations that could be exploited
+#   - Exploitation methods:
+#     * Sensitive info in logs: Extract credentials or sensitive data from logs
+#     * Weak permissions: Modify log files to inject malicious content
+#     * Log rotation: Abuse log rotation to execute malicious code
+#     * Log injection: Inject malicious content into logs that get executed
+#     * Common targets: /var/log/auth.log, /var/log/syslog, audit logs
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "System Logging Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/logs-privilege-escalation"
+
+# Check syslog configuration
+print_list "Syslog configuration? ......... "$NC
+if [ -f "/etc/rsyslog.conf" ]; then
+    grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/etc/syslog.conf" ]; then
+    grep -v "^#" /etc/syslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+    echo_not_found "syslog configuration"
+fi
+
+# Check auditd configuration
+print_list "Auditd configuration? ......... "$NC
+if [ -f "/etc/audit/auditd.conf" ]; then
+    grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+    echo_not_found "auditd configuration"
+fi
+
+# Check for log files with weak permissions
+print_list "Log files with weak perms? .... "$NC
+find /var/log -type f -ls 2>/dev/null | grep -v "root root" | sed -${E} "s,.*,${SED_RED},g"
+
+# Check for log rotation configurations
+print_list "Log rotation configuration? ... "$NC
+if [ -d "/etc/logrotate.d" ]; then
+    for conf in /etc/logrotate.d/*; do
+        if [ -f "$conf" ]; then
+            grep -v "^#" "$conf" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+        fi
+    done
+else
+    echo_not_found "logrotate configuration"
+fi
+
+echo "" 
--- a/linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh
@ -0,0 +1,73 @@
+# Title: System Information - Container/VM Escape
+# ID: SY_Container_VM_Escape
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for container/VM escape possibilities that could lead to host system compromise:
+#   - Container runtime detection (Docker, Podman, LXC)
+#   - Shared resources between container and host
+#   - Vulnerable container runtime versions
+#   - Container breakout possibilities through capabilities
+#   - Exploitation methods:
+#     * Shared resources: Abuse mounted volumes, sockets, or devices
+#     * Runtime exploits: Use known exploits for vulnerable container runtimes
+#     * Capability abuse: Exploit containers with dangerous capabilities
+#     * Common escape vectors:
+#       - Mount escape (CVE-2021-21284)
+#       - Capability escape (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE)
+#       - Seccomp bypass
+#       - Kernel exploits from container
+#       - Shared namespaces abuse
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Container/VM Escape Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-breakout-privilege-escalation"
+
+# Check if running in container
+print_list "Running in container? ......... "$NC
+if [ -f "/.dockerenv" ]; then
+    echo "Yes (Docker)" | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/run/.containerenv" ]; then
+    echo "Yes (Podman)" | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/proc/1/cgroup" ] && grep -q "docker\|lxc" "/proc/1/cgroup" 2>/dev/null; then
+    echo "Yes (Container)" | sed -${E} "s,.*,${SED_RED},g"
+else
+    echo "No" | sed -${E} "s,.*,${SED_GREEN},g"
+fi
+
+# Check for shared resources
+print_list "Shared resources with host? ... "$NC
+if [ -f "/proc/mounts" ]; then
+    grep -E "docker|lxc" /proc/mounts 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+    echo_not_found "/proc/mounts"
+fi
+
+# Check for container runtime vulnerabilities
+print_list "Container runtime version? .... "$NC
+if [ "$(command -v docker 2>/dev/null || echo -n '')" ]; then
+    docker version 2>/dev/null | grep "Version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+elif [ "$(command -v podman 2>/dev/null || echo -n '')" ]; then
+    podman version 2>/dev/null | grep "Version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+else
+    echo_not_found "container runtime"
+fi
+
+# Check for container breakout possibilities
+print_list "Container breakout possibilities? "$NC
+if [ -f "/proc/self/status" ]; then
+    if grep -q "CapEff:\s*0000003fffffffff" "/proc/self/status" 2>/dev/null; then
+        echo "Container has all capabilities" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    if grep -q "Seccomp:\s*0" "/proc/self/status" 2>/dev/null; then
+        echo "Seccomp is disabled" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+fi
+
+echo ""