From 604580adbdefac6a7cbe98e8b856b788bbd3c73e Mon Sep 17 00:00:00 2001
From: carlospolop
Date: Mon, 19 May 2025 06:36:39 +0200
Subject: [PATCH] more

---
 .../1_system_information/17_Systemd.sh | 75 +++++++++++++++++++
 .../1_system_information/19_System_Logging.sh | 62 +++++++++++++++
 .../20_Container_VM_Escape.sh | 73 ++++++++++++++++++
 3 files changed, 210 insertions(+)
 create mode 100644 linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh
 create mode 100644 linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh
 create mode 100644 linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh

diff --git a/linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh b/linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh
new file mode 100644
index 0000000..5f1e422
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Systemd.sh
@@ -0,0 +1,75 @@
+# Title: System Information - Systemd
+# ID: SY_Systemd
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
+# - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
+# - Services running as root that could be exploited
+# - Services with dangerous capabilities that could be abused
+# - Services with writable paths that could be used to inject malicious code
+# - Exploitation methods:
+# * Version exploits: Use known exploits for vulnerable systemd versions
+# * Root services: Abuse services running as root to execute commands
+# * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
+# * Writable paths: Replace executables in writable paths to get code execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Systemd Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/systemd-privilege-escalation"
+
+# Check systemd version
+print_list "Systemd version? .............. "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+  systemctl --version | head -n 1 | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+else
+  echo_not_found "systemctl"
+fi
+
+# Check for systemd services running as root
+print_list "Services running as root? ..... "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+  systemctl list-units --type=service --state=running 2>/dev/null | grep -E "root|0:0" | sed -${E} "s,root|0:0,${SED_RED},g"
+else
+  echo_not_found "systemctl"
+fi
+
+# Check for systemd services with capabilities
+print_list "Running services with capabilities? ... "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+  for service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
+    if [ -f "/etc/systemd/system/$service" ] || [ -f "/lib/systemd/system/$service" ]; then
+      if grep -q "CapabilityBoundingSet" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null; then
+        echo "$service" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+    fi
+  done
+else
+  echo_not_found "systemctl"
+fi
+
+# Check for systemd services with writable paths
+print_list "Services with writable paths? . "$NC
+if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
+  for service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
+    if [ -f "/etc/systemd/system/$service" ] || [ -f "/lib/systemd/system/$service" ]; then
+      if grep -q "ExecStart\|ExecStartPre\|ExecStartPost" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null; then
+        for path in $(grep -E "ExecStart|ExecStartPre|ExecStartPost" "/etc/systemd/system/$service" "/lib/systemd/system/$service" 2>/dev/null | awk '{print $2}' | tr -d '"'); do
+          if [ -w "$path" ]; then
+            echo "$service: $path" | sed -${E} "s,.*,${SED_RED},g"
+          fi
+        done
+      fi
+    fi
+  done
+else
+  echo_not_found "systemctl"
+fi
+
+echo ""
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh b/linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh
new file mode 100644
index 0000000..67f6610
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/1_system_information/19_System_Logging.sh
@@ -0,0 +1,62 @@
+# Title: System Information - System Logging
+# ID: SY_System_Logging
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for logging system misconfigurations that could lead to privilege escalation:
+# - Syslog/rsyslog configurations that log sensitive information
+# - Auditd configurations that could be abused
+# - Log files with weak permissions that could be modified
+# - Log rotation configurations that could be exploited
+# - Exploitation methods:
+# * Sensitive info in logs: Extract credentials or sensitive data from logs
+# * Weak permissions: Modify log files to inject malicious content
+# * Log rotation: Abuse log rotation to execute malicious code
+# * Log injection: Inject malicious content into logs that get executed
+# * Common targets: /var/log/auth.log, /var/log/syslog, audit logs
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "System Logging Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/logs-privilege-escalation"
+
+# Check syslog configuration
+print_list "Syslog configuration? ......... "$NC
+if [ -f "/etc/rsyslog.conf" ]; then
+  grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/etc/syslog.conf" ]; then
+  grep -v "^#" /etc/syslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo_not_found "syslog configuration"
+fi
+
+# Check auditd configuration
+print_list "Auditd configuration? ......... "$NC
+if [ -f "/etc/audit/auditd.conf" ]; then
+  grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo_not_found "auditd configuration"
+fi
+
+# Check for log files with weak permissions
+print_list "Log files with weak perms? .... "$NC
+find /var/log -type f -ls 2>/dev/null | grep -v "root root" | sed -${E} "s,.*,${SED_RED},g"
+
+# Check for log rotation configurations
+print_list "Log rotation configuration? ... "$NC
+if [ -d "/etc/logrotate.d" ]; then
+  for conf in /etc/logrotate.d/*; do
+    if [ -f "$conf" ]; then
+      grep -v "^#" "$conf" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
+else
+  echo_not_found "logrotate configuration"
+fi
+
+echo ""
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh b/linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh
new file mode 100644
index 0000000..8fc1287
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/1_system_information/20_Container_VM_Escape.sh
@@ -0,0 +1,73 @@
+# Title: System Information - Container/VM Escape
+# ID: SY_Container_VM_Escape
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for container/VM escape possibilities that could lead to host system compromise:
+# - Container runtime detection (Docker, Podman, LXC)
+# - Shared resources between container and host
+# - Vulnerable container runtime versions
+# - Container breakout possibilities through capabilities
+# - Exploitation methods:
+# * Shared resources: Abuse mounted volumes, sockets, or devices
+# * Runtime exploits: Use known exploits for vulnerable container runtimes
+# * Capability abuse: Exploit containers with dangerous capabilities
+# * Common escape vectors:
+# - Mount escape (CVE-2021-21284)
+# - Capability escape (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE)
+# - Seccomp bypass
+# - Kernel exploits from container
+# - Shared namespaces abuse
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Container/VM Escape Information"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-breakout-privilege-escalation"
+
+# Check if running in container
+print_list "Running in container? ......... "$NC
+if [ -f "/.dockerenv" ]; then
+  echo "Yes (Docker)" | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/run/.containerenv" ]; then
+  echo "Yes (Podman)" | sed -${E} "s,.*,${SED_RED},g"
+elif [ -f "/proc/1/cgroup" ] && grep -q "docker\|lxc" "/proc/1/cgroup" 2>/dev/null; then
+  echo "Yes (Container)" | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo "No" | sed -${E} "s,.*,${SED_GREEN},g"
+fi
+
+# Check for shared resources
+print_list "Shared resources with host? ... "$NC
+if [ -f "/proc/mounts" ]; then
+  grep -E "docker|lxc" /proc/mounts 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo_not_found "/proc/mounts"
+fi
+
+# Check for container runtime vulnerabilities
+print_list "Container runtime version? .... "$NC
+if [ "$(command -v docker 2>/dev/null || echo -n '')" ]; then
+  docker version 2>/dev/null | grep "Version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+elif [ "$(command -v podman 2>/dev/null || echo -n '')" ]; then
+  podman version 2>/dev/null | grep "Version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+else
+  echo_not_found "container runtime"
+fi
+
+# Check for container breakout possibilities
+print_list "Container breakout possibilities? "$NC
+if [ -f "/proc/self/status" ]; then
+  if grep -q "CapEff:\s*0000003fffffffff" "/proc/self/status" 2>/dev/null; then
+    echo "Container has all capabilities" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  if grep -q "Seccomp:\s*0" "/proc/self/status" 2>/dev/null; then
+    echo "Seccomp is disabled" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+fi
+
+echo ""
\ No newline at end of file