Carlos.Martin 2021-08-27 21:17:14 +01:00
commit 757dbc83cc
33 changed files with 2451 additions and 1242 deletions

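--- a/.github/workflows/CI-PR_from_dev.yml
+++ b/.github/workflows/CI-PR_from_dev.yml
@@ -0,0 +1,26 @@
+name: CI-PR_from_dev
+on:
+push:
+branches:
+- winpeas_dev
+- linpeas_dev
+workflow_dispatch:
+jobs:
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+# checkout
+- name: Checkout
+uses: actions/checkout@v2
+# PR
+- name: Pull Request
+uses: repo-sync/pull-request@v2
+with:
+destination_branch: "master"
+github_token: ${{ secrets.PULL_REQUEST_TOKEN }}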
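Review bot: The `Pull Request` step passes `secrets.PULL_REQUEST_TOKEN` to `repo-sync/pull-request@v2`, a third-party action referenced by a movable tag, so anyone able to move that tag controls code that runs with the token. Pin it to a full commit SHA, e.g. `uses: repo-sync/pull-request@<full-commit-sha>  # v2`, and do the same for `actions/checkout@v2`. The workflow also has no `permissions:` block; because the PR is opened with the separate secret, a top-level `permissions:` with `contents: read` would keep the default `GITHUB_TOKEN` at the minimum this job needs.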


@ -1,61 +0,0 @@
name: CI-linpeas_dev_test
on:
push:
branches:
- linpeas_dev
workflow_dispatch:
jobs:
Build_and_test_linpeas_dev:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build linpeas
run: |
python3 -m pip install PyYAML
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run linpeas
run: linPEAS/linpeas.sh
- name: Create local changes
run: git add linPEAS/linpeas.sh
- name: Commit results to Github
run: |
git config --local user.email ""
git config --global user.name "CI-linpeas-ubuntu"
git commit -m "linpeas.sh auto update" -a --allow-empty
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
- uses: actions/checkout@v2
- name: pull-request
uses: repo-sync/pull-request@v2
with:
destination_branch: "master"
github_token: ${{ secrets.PULL_REQUEST_TOKEN }}
Build_and_test_macpeas_dev:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Build macpeas
run: |
python3 -m pip install PyYAML
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run macpeas
run: linPEAS/linpeas.sh -o SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI


@ -1,54 +0,0 @@
name: CI-linpeas_master_test
on:
pull_request:
branches:
- master
workflow_dispatch:
jobs:
Build_and_test_linpeas_master:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build linpeas
run: |
python3 -m pip install PyYAML
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run linpeas
run: linPEAS/linpeas.sh
- name: Create local changes
run: git add linPEAS/linpeas.sh
- name: Commit results to Github
run: |
git config --local user.email ""
git config --global user.name "CI-linpeas-ubuntu"
git commit -m "linpeas.sh auto update" -a --allow-empty
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
Build_and_test_macpeas_master:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Build macpeas
run: |
python3 -m pip install PyYAML
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run macpeas
run: linPEAS/linpeas.sh -o SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI


@ -1,4 +1,4 @@
name: CI-winpeas_master_test
name: CI-master_test
on:
pull_request:
@ -11,6 +11,7 @@ jobs:
Build_and_test_winpeas_master:
runs-on: windows-latest
needs: Build_and_test_linpeas_master
# environment variables
env:
@ -21,7 +22,12 @@ jobs:
steps:
# checkout
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@master
with:
persist-credentials: false
# Otherwise, you will failed to push refs to dest repo.
fetch-depth: 0
ref: refs/heads/${{ github.head_ref }}
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
- name: Setup MSBuild.exe
@ -74,22 +80,18 @@ jobs:
whoami
mkdir -p $env:USERPROFILE\AppData\Local\"PreEmptive Solutions"\"Dotfuscator Community Edition"\6.0 -erroraction 'silentlycontinue'
cp DotfuscatorCE\license\* $env:USERPROFILE\AppData\Local\"PreEmptive Solutions"\"Dotfuscator Community Edition"\6.0\
# build obfuscated versions
- name: Build obfuscated versions
run: |
DotfuscatorCE\dotfuscator.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\x64.xml"
DotfuscatorCE\dotfuscator.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\x86.xml"
DotfuscatorCE\dotfuscator.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\any.xml"
# copy the files
- name: Copy Dotfuscator generated files
run: |
cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64.exe"
cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86.exe"
cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany.exe"
# Git add
- name: Create local changes
run: |
@ -97,17 +99,77 @@ jobs:
git add winPEAS\winPEASexe\binaries\x64\*
git add winPEAS\winPEASexe\binaries\x86\*
git add "winPEAS\winPEASexe\binaries\Obfuscated Releases\*.exe"
# Git commit
- name: Commit results to Github
run: |
git config --local user.email "ci@winpeas.com"
git config --global user.name "CI-winpeas"
git pull origin "${{ github.ref }}" --autostash --rebase -Xours
git commit -m "winpeas binaries auto update" -a --allow-empty
# Git push
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master
branch: refs/heads/${{ github.head_ref }}
github_token: ${{ secrets.GITHUB_TOKEN }}
force: true
Build_and_test_linpeas_master:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
persist-credentials: false
# Otherwise, you will failed to push refs to dest repo.
fetch-depth: 0
ref: refs/heads/${{ github.head_ref }}
- name: Build linpeas
run: |
python3 -m pip install PyYAML
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run linpeas help
run: linPEAS/linpeas.sh -h
- name: Run linpeas
run: linPEAS/linpeas.sh
- name: Create local changes
run: git add linPEAS/linpeas.sh
- name: Commit results to Github
run: |
git config --local user.email ""
git config --global user.name "CI-linpeas-ubuntu"
git pull origin "${{ github.ref }}" --autostash --rebase -Xours
git commit -m "linpeas.sh auto update" -a --allow-empty
- name: Push changes
uses: ad-m/github-push-action@master
with:
branch: refs/heads/${{ github.head_ref }}
github_token: ${{ secrets.GITHUB_TOKEN }}
force: true
Build_and_test_macpeas_master:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Build macpeas
run: |
python3 -m pip install PyYAML
python3 -m pip install requests
cd linPEAS
python3 -m builder.linpeas_builder
- name: Run macpeas help
run: linPEAS/linpeas.sh -h
- name: Run macpeas
run: linPEAS/linpeas.sh -o SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI
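Review bot: The Windows job's checkout step now appears to use `actions/checkout@master`, and both `Push changes` steps use `ad-m/github-push-action@master` with `force: true`, so code from moving branch refs runs with `secrets.GITHUB_TOKEN` and may rewrite the pull request's head branch. Pin both actions to a full commit SHA (`uses: ad-m/github-push-action@<full-commit-sha>`) and drop `force: true` unless a history rewrite is really intended, since the preceding `git pull ... --rebase` should already allow a fast-forward push. These jobs build and execute `linPEAS/linpeas.sh` from `refs/heads/${{ github.head_ref }}` before pushing, so confirm that only branches of this repository ever get a write-capable token here. The two `git pull origin "${{ github.ref }}"` lines would be safer reading the ref from an `env:` variable than expanding the expression inside the script text.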


@ -1,65 +0,0 @@
name: CI-winpeas_dev_test
on:
push:
branches:
- winpeas_dev
- linpeas_dev
paths:
- 'build_lists/sensitive_files.yaml'
- 'winPEAS/winPEASexe/**'
workflow_dispatch:
jobs:
Build_and_test_winpeas_dev:
runs-on: windows-latest
# environment variables
env:
Solution_Path: 'winPEAS\winPEASexe\winPEAS.sln'
Configuration: 'Release'
steps:
# checkout
- name: Checkout
uses: actions/checkout@v2
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
- name: Setup MSBuild.exe
uses: microsoft/setup-msbuild@v1.0.2
# Setup NuGet
- name: Setup NuGet.exe
uses: nuget/setup-nuget@v1
# Restore the packages for testing
- name: Restore the application
run: nuget restore $env:Solution_Path
# build
- name: run MSBuild
run: msbuild $env:Solution_Path
# Execute all unit tests in the solution
- name: Execute unit tests
run: dotnet test $env:Solution_Path
create_pull_request:
runs-on: ubuntu-latest
needs: Build_and_test_winpeas_dev
steps:
# checkout
- name: Checkout
uses: actions/checkout@v2
# PR
- name: Pull Request
uses: repo-sync/pull-request@v2
with:
destination_branch: "master"
github_token: ${{ secrets.PULL_REQUEST_TOKEN }}

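--- a/.gitignore
+++ b/.gitignore
@@ -14,4 +14,11 @@ bin
 packages
 *cpython*
 */*cpython*
-launch.json
+launch.json
+*.pyc
+**/*.pyc
+__pycache__
+*/__pycache__
+**/__pycache__
+linPEAS/builder/__pycache__/*
+linPEAS/builder/src/__pycache__/*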


@ -1,10 +1,12 @@
# PEASS - Privilege Escalation Awesome Scripts SUITE
# PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/peass.png)
![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red)
![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red) [![CI-master_test](https://github.com/carlospolop/PEASS-ng/actions/workflows/CI-master_tests.yml/badge.svg)](https://github.com/carlospolop/PEASS-ng/actions/workflows/CI-master_tests.yml)
# Basic Tutorial
[![Tutorial](https://img.youtube.com/vi/2Ey1WQXNp3w/0.jpg)](https://www.youtube.com/watch?v=9_fJv_weLU0&list=PL9fPq3eQfaaDxjpXaDYApfVA_IB8T14w7)
[![Packaging status](https://repology.org/badge/vertical-allrepos/peass.svg)](https://repology.org/project/peass/versions)
Here you will find **privilege escalation tools for Windows and Linux/Unix\* and MacOS**.
@ -18,7 +20,7 @@ These tools search for possible **local privilege escalation paths** that you co
## Let's improve PEASS together
If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** and we will update the master version.
If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/CONTRIBUTING.md)** file.
## Please, if this tool has been useful for you consider to donate


@ -80,6 +80,13 @@ storage_template: >
int_hidden_files_markup: "peass{INT_HIDDEN_FILES}"
suidVB1_markup: "peass{SUIDVB1_HERE}"
suidVB2_markup: "peass{SUIDVB2_HERE}"
sudoVB1_markup: "peass{SUDOVB1_HERE}"
sudoVB2_markup: "peass{SUDOVB2_HERE}"
cap_setuid_markup: "peass{CAP_SETUID_HERE}"
cap_setgid_markup: "peass{CAP_SETGID_HERE}"
##############################
@ -90,8 +97,8 @@ int_hidden_files_markup: "peass{INT_HIDDEN_FILES}"
variables_markup: "peass{VARIABLES}"
variables:
- name: pwd_inside_history
value: "7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@"
- name: pwd_inside_history
value: "enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@|KEY=|TOKEN=|BEARER=|Authorization:"
@ -375,7 +382,7 @@ search:
bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
only_bad_lines: True
remove_empty_lines: True
remove_regex: '^#'
remove_regex: '#'
search_in:
- common
@ -402,6 +409,7 @@ search:
- /tmp
- /var
- /mnt
- /private
- name: PHP_files
value:
@ -571,9 +579,11 @@ search:
auto_check: True
files:
- name: "hostapd.conf"
- name: "hostapd.conf"
value:
bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
@ -592,13 +602,37 @@ search:
search_in:
- common
- name: Racoon
value:
config:
auto_check: True
files:
- name: "racoon.conf"
value:
remove_empty_lines: True
bad_regex: "pre_shared_key.*"
remove_regex: '^#'
type: f
search_in:
- common
- name: "psk.txt"
value:
remove_empty_lines: True
bad_regex: ".*"
type: f
search_in:
- common
- name: VNC
value:
config:
auto_check: True
files:
- name: ".vnc"
- name: ".vnc"
value:
files:
- name: "passwd"
@ -785,6 +819,7 @@ search:
type: f
search_in:
- /tmp
- /private
- name: SSH_CONFIG
value:
@ -1265,8 +1300,8 @@ search:
config:
auto_check: True
exec:
- '((command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
- '((command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
- '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
- '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
- '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
files:
@ -1354,7 +1389,78 @@ search:
- name: ".mozilla"
value:
files:
- name: "places.sqlite"
- name: "places.sqlite"
value:
just_list_file: True
- name: "bookmarkbackups"
value:
just_list_file: True
- name: "formhistory.sqlite"
value:
just_list_file: True
- name: "handlers.json"
value:
just_list_file: True
- name: "persdict.dat"
value:
just_list_file: True
- name: "addons.json"
value:
just_list_file: True
- name: "cookies.sqlite"
value:
just_list_file: True
- name: "cache2"
value:
just_list_file: True
- name: "startupCache"
value:
just_list_file: True
- name: "favicons.sqlite"
value:
just_list_file: True
- name: "prefs.js"
value:
just_list_file: True
- name: "downloads.sqlite"
value:
just_list_file: True
- name: "thumbnails"
value:
just_list_file: True
- name: "logins.json"
value:
just_list_file: True
- name: "key4.db"
value:
just_list_file: True
- name: "key3.db"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Firefox"
value:
files:
- name: "places.sqlite"
value:
just_list_file: True
@ -1434,6 +1540,10 @@ search:
- name: "google-chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
@ -1481,6 +1591,185 @@ search:
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Opera
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "com.operasoftware.Opera"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Safari
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "Safari"
value:
files:
- name: "History.db"
value:
just_list_file: True
- name: "Downloads.plist"
value:
just_list_file: True
- name: "Book-marks.plist"
value:
just_list_file: True
- name: "TopSites.plist"
value:
just_list_file: True
- name: "UserNotificationPermissions.plist"
value:
just_list_file: True
- name: "LastSession.plist"
value:
just_list_file: True
type: d
search_in:
@ -1816,7 +2105,9 @@ search:
remove_regex: '^#'
type: d
search_in:
- common
- /etc #False possitives in home
- /var
- /usr
- name: SeedDMS
value:
@ -1847,6 +2138,19 @@ search:
type: f
search_in:
- common
- name: kcpassword
value:
config:
auto_check: False
files:
- name: "kcpassword"
value:
just_list_file: True
type: f
search_in:
- common
- name: Cacti
value:
@ -2265,13 +2569,6 @@ search:
search_in:
- common
- name: "system"
value:
just_list_file: True
type: f
search_in:
- common
- name: "system.sav"
value:
just_list_file: True
@ -2356,6 +2653,13 @@ search:
type: f
search_in:
- common
- name: "system"
value:
just_list_file: True
type: f
search_in:
- common
# Final section
- name: Database
@ -2435,4 +2739,4 @@ search:
just_list_file: True
type: f
search_in:
- common
- common
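Review bot: In the new Safari block the entry `- name: "Book-marks.plist"` looks like a typo; Safari's bookmark store is named `Bookmarks.plist`, so as written the entry would never match and the file would be silently absent from the report. Suggest `- name: "Bookmarks.plist"`. Separately, the entry with `bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"` shows `remove_regex: '#'` next to `'^#'`; if the unanchored form is the new value, it drops every line containing a `#` rather than only comment lines, which can hide a matching line that carries a trailing comment. If that is intended, a one-line comment above it saying so would help.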


@ -1,9 +1,9 @@
# LinPEAS - Linux Privilege Escalation Awesome Script
[![CI-linpeas_prod](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/actions/workflows/CI-linpeas_prod.yml/badge.svg)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/actions/workflows/CI-linpeas_prod.yml)
[![CI-master_test](https://github.com/carlospolop/PEASS-ng/actions/workflows/CI-master_tests.yml/badge.svg)](https://github.com/carlospolop/PEASS-ng/actions/workflows/CI-master_tests.yml)
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\* hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**.
@ -63,7 +63,7 @@ It uses **/bin/sh** syntax, so can run in anything supporting `sh` (and the bina
By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
By default linpeas takes around **2 mins** to complete, but It could take from **4 to 5 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
By default linpeas takes around **4 mins** to complete, but It could take from **5 to 10 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
- From less than 1 min to 2 mins to make almost all the checks
- Almost 1 min to search for possible passwords inside all the accesible files of the system
- 20s/user bruteforce with top2000 passwords *(need `-a`)* - Notice that this check is **super noisy**
@ -251,10 +251,6 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] Generic hashes MD5, SHA1, SHA256, SHA512
</details>
## Let's improve PEASS together
If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** and we will update the master version.
## Please, if this tool has been useful for you consider to donate
[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)

File diff suppressed because it is too large Load Diff


@ -46,6 +46,7 @@ class FileRecord:
search_in = list(set(search_in + COMMON_FILE_FOLDERS))
#Check that folders to search in are specified in ROOT_FOLDER
assert all(r in ROOT_FOLDER for r in search_in)
for r in search_in:
assert r in ROOT_FOLDER, f"{r} not in {ROOT_FOLDER}"
return search_in


@ -1,4 +1,5 @@
import re
import requests
from .peasLoaded import PEASLoaded
from .peassRecord import PEASRecord
@ -7,7 +8,7 @@ from .yamlGlobals import (
LINPEAS_BASE_PATH,
PEAS_FINDS_MARKUP,
PEAS_STORAGES_MARKUP,
PEAS_STORAGES_MARKUP,
PEAS_STORAGES_MARKUP,
INT_HIDDEN_FILES_MARKUP,
ROOT_FOLDER,
STORAGE_TEMPLATE,
@ -17,7 +18,13 @@ from .yamlGlobals import (
STORAGE_LINE_EXTRA_MARKUP,
EXTRASECTIONS_MARKUP,
PEAS_VARIABLES_MARKUP,
YAML_VARIABLES
YAML_VARIABLES,
SUIDVB1_MARKUP,
SUIDVB2_MARKUP,
SUDOVB1_MARKUP,
SUDOVB2_MARKUP,
CAP_SETUID_MARKUP,
CAP_SETGID_MARKUP
)
@ -32,12 +39,15 @@ class LinpeasBuilder:
self.linpeas_sh = file.read()
def build(self):
print("[+] Building variables...")
variables = self.__generate_variables()
self.__replace_mark(PEAS_VARIABLES_MARKUP, variables, "")
print("[+] Building finds...")
find_calls = self.__generate_finds()
self.__replace_mark(PEAS_FINDS_MARKUP, find_calls, " ")
print("[+] Building storages...")
storage_vars = self.__generate_storages()
self.__replace_mark(PEAS_STORAGES_MARKUP, storage_vars, " ")
@ -45,16 +55,16 @@ class LinpeasBuilder:
for s in re.findall(r'PSTORAGE_[\w]*', self.linpeas_sh):
assert s in self.bash_storages, f"{s} isn't created"
#Replace interesting hidden files markup for a list of all the serched hidden files
#Replace interesting hidden files markup for a list of all the searched hidden files
self.__replace_mark(INT_HIDDEN_FILES_MARKUP, sorted(self.hidden_files), "|")
#Check if there are duplicate peass marks
print("[+] Checking duplicates...")
peass_marks = self.__get_peass_marks()
for i,mark in enumerate(peass_marks):
for j in range(i+1,len(peass_marks)):
assert mark != peass_marks[j], f"Found repeated peass mark: {mark}"
#Generate autocheck sections
print("[+] Building autocheck sections...")
sections = self.__generate_sections()
for section_name, bash_lines in sections.items():
mark = "peass{"+section_name+"}"
@ -65,9 +75,22 @@ class LinpeasBuilder:
self.__replace_mark(EXTRASECTIONS_MARKUP, list(""), "") #Delete extra markup
#Check that there aren peass marks left in linpeas
print("[+] Building GTFOBins lists...")
suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
self.__replace_mark(SUIDVB1_MARKUP, suidVB[:int(len(suidVB)/2)], "|")
self.__replace_mark(SUIDVB2_MARKUP, suidVB[int(len(suidVB)/2):], "|")
self.__replace_mark(SUDOVB1_MARKUP, sudoVB[:int(len(sudoVB)/2)], "|")
self.__replace_mark(SUDOVB2_MARKUP, sudoVB[int(len(sudoVB)/2):], "|")
self.__replace_mark(CAP_SETUID_MARKUP, capsVB, "|")
self.__replace_mark(CAP_SETGID_MARKUP, capsVB, "|")
print("[+] Final sanity checks...")
#Check that there arent peass marks left in linpeas
peass_marks = self.__get_peass_marks()
assert len(peass_marks) == 0, f"There are peass marks left: {', '.join(peass_marks)}"
#Check for empty seds
assert 'sed -${E} "s,,' not in self.linpeas_sh
def __get_peass_marks(self):
@ -164,8 +187,6 @@ class LinpeasBuilder:
return storages
def __generate_sections(self) -> dict:
"""Generate sections for records with auto_check to True"""
sections = {}
@ -186,7 +207,7 @@ class LinpeasBuilder:
return sections
def __construct_file_line(self, precord: PEASRecord, frecord: FileRecord, init: bool = True) -> str:
real_regex = frecord.regex[1:] if frecord.regex.startswith("*") else frecord.regex
real_regex = frecord.regex[1:] if frecord.regex.startswith("*") and len(frecord.regex) > 1 else frecord.regex
real_regex = real_regex.replace(".","\\.").replace("*",".*")
real_regex += "$"
@ -239,13 +260,32 @@ class LinpeasBuilder:
#In case file is type "d"
if frecord.files:
for ffrecord in frecord.files:
ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") else ffrecord.regex
ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") and ffrecord.regex != "*" else ffrecord.regex
ff_real_regex = ff_real_regex.replace("*",".*")
analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
analise_line += 'done; echo "";'
return analise_line
def __get_gtfobins_lists(self) -> tuple:
r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text)
sudoVB = []
suidVB = []
capsVB = []
for b in bins:
rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md")
if "sudo:" in rb.text:
sudoVB.append(b+"$")
if "suid:" in rb.text:
suidVB.append("/"+b+"$")
if "capabilities:" in rb.text:
capsVB.append(b)
return (suidVB, sudoVB, capsVB)
def __replace_mark(self, mark: str, find_calls: list, join_char: str):
"""Substitude the markup with the actual code"""
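Review bot: `__get_gtfobins_lists` bakes whatever two unauthenticated HTTP fetches return into the generated linpeas.sh, and neither `requests.get` call has a timeout or a status check. A rate-limited or error response would not fail the build; it would yield short or empty `suidVB`/`sudoVB`/`capsVB` lists, which the final sanity checks visible in `build` may not catch. Add `timeout=` and `raise_for_status()` to both calls and assert the lists are non-empty, and consider fetching from a pinned commit of the GTFOBins repository rather than `master` so the script that CI commits is reproducible. The HTML regex can also match the same name more than once, so de-duplicating `bins` avoids repeated alternatives. The class body continues outside this hunk.

```python
def __get_gtfobins_lists(self) -> tuple:
    r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins", timeout=30)
    r.raise_for_status()
    bins = sorted(set(re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text)))
    assert bins, "GTFOBins listing returned no entries"
    # … unchanged: sudoVB / suidVB / capsVB initialised to empty lists …
    for b in bins:
        rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=30)
        rb.raise_for_status()
        # … unchanged: "sudo:" / "suid:" / "capabilities:" membership checks …
    assert suidVB and sudoVB and capsVB, "GTFOBins lists came back empty"
    return (suidVB, sudoVB, capsVB)
```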


@ -33,3 +33,10 @@ YAML_VARIABLES = YAML_LOADED["variables"]
INT_HIDDEN_FILES_MARKUP = YAML_LOADED["int_hidden_files_markup"]
EXTRASECTIONS_MARKUP = YAML_LOADED["peas_extrasections_markup"]
SUIDVB1_MARKUP = YAML_LOADED["suidVB1_markup"]
SUIDVB2_MARKUP = YAML_LOADED["suidVB2_markup"]
SUDOVB1_MARKUP = YAML_LOADED["sudoVB1_markup"]
SUDOVB2_MARKUP = YAML_LOADED["sudoVB2_markup"]
CAP_SETUID_MARKUP = YAML_LOADED["cap_setuid_markup"]
CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"]

File diff suppressed because it is too large Load Diff

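--- a/parser/README.md
+++ b/parser/README.md
@@ -0,0 +1,78 @@
+# Privilege Escalation Awesome Scripts JSON exporter
+This script allows you to transform the output of linpeas/macpeas/winpeas to JSON.
+```python3
+python3 peass-parser.py </path/to/executed_peass> </path/to/output_peass.json>
+```
+This script is still in beta version and has been tested only with linpeas output.
+## Format
+Basically, **each section has**:
+- Infos (URLs or info about the section)
+- Text lines (the real text info found in the section, colors included)
+- More sections
+There is a **maximun of 3 levels of sections**.
+```json
+{
+"<Main Section Name>": {
+"sections": {
+"<Secondary Section Name>": {
+"sections": {},
+"lines": [
+{
+"raw_text": "\u001b[0m\u001b[1;33m[+] \u001b[1;32mnmap\u001b[1;34m is available for network discover & port scanning, you should use it yourself",
+"clean_text": "[+] is available for network discover & port scanning, you should use it yourself",
+"colors": {
+"GREEN": [
+"nmap"
+],
+"YELLOW": [
+"[+]"
+]
+}
+}
+],
+"infos": [
+"https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+]
+},
+"infos": []
+```
+```json
+{
+"System Information": {
+"sections": {
+"Operative system": {
+"sections": {},
+"lines": [
+{
+"raw_text": "\u001b[0m\u001b[1;33m[+] \u001b[1;32mnmap\u001b[1;34m is available for network discover & port scanning, you should use it yourself",
+"clean_text": "[+] is available for network discover & port scanning, you should use it yourself",
+"colors": {
+"GREEN": [
+"nmap"
+],
+"YELLOW": [
+"[+]"
+]
+}
+}
+],
+"infos": [
+"https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+]
+},
+"infos": []
+```
+There can also be a `<Third level Section Name>`
+# TODO:
+I'm looking for **someone that could create HTML and PDF reports** from this JSON.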

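--- a/parser/peass-parser.py
+++ b/parser/peass-parser.py
@@ -0,0 +1,153 @@
+#!/usr/bin/env python3
+import sys
+import re
+import json
+# Pattern to identify main section titles
+TITLE1_PATTERN = r"════════════════════════════════════╣"
+TITLE2_PATTERN = r"╔══════════╣"
+TITLE3_PATTERN = r"══╣"
+INFO_PATTERN = r""
+TITLE_CHARS = ['', '', '', '']
+# Patterns for colors
+## The order is important, the first string colored with a color will be the one selected (the same string cannot be colored with different colors)
+COLORS = {
+"REDYELLOW": [r"\x1b\[1;31;103m"],
+"RED": [r"\x1b\[1;31m"],
+"GREEN": [r"\x1b\[1;32m"],
+"YELLOW": [r"\x1b\[1;33m"],
+"BLUE": [r"\x1b\[1;34m"],
+"MAGENTA": [r"\x1b\[1;95m", r"\x1b\[1;35m"],
+"CYAN": [r"\x1b\[1;36m", r"\x1b\[1;96m"],
+"LIGHT_GREY": [r"\x1b\[1;37m"],
+"DARKGREY": [r"\x1b\[1;90m"],
+}
+# Final JSON structure
+FINAL_JSON = {}
+#Constructing the structure
+C_SECTION = FINAL_JSON
+C_MAIN_SECTION = FINAL_JSON
+C_2_SECTION = FINAL_JSON
+C_3_SECTION = FINAL_JSON
+def is_section(line: str, pattern: str) -> bool:
+"""Returns a boolean
+Checks if line matches the pattern and returns True or False
+"""
+return line.find(pattern) > -1
+def get_colors(line: str) -> dict:
+"""Given a line return the colored strings"""
+colors = {}
+for c,regexs in COLORS.items():
+colors[c] = []
+for reg in regexs:
+for re_found in re.findall(reg+"(.+?)\x1b|$", line):
+re_found = clean_colors(re_found.strip())
+#Avoid having the same color for the same string
+if re_found and not any(re_found in values for values in colors.values()):
+colors[c].append(re_found)
+if not colors[c]:
+del colors[c]
+return colors
+def clean_title(line: str) -> str:
+"""Given a title clean it"""
+for c in TITLE_CHARS:
+line = line.replace(c,"")
+line = line.encode("ascii", "ignore").decode() #Remove non ascii chars
+line = line.strip()
+return line
+def clean_colors(line: str) -> str:
+"""Given a line clean the colors inside of it"""
+for reg in re.findall(r'\x1b[^ ]+\dm', line):
+line = line.replace(reg,"")
+line = line.replace('\x1b',"") #Sometimes that byte stays
+line = line.strip()
+return line
+def parse_title(line: str) -> str:
+""" Given a title, clean it"""
+return clean_colors(clean_title(line))
+def parse_line(line: str):
+"""Parse the given line adding it to the FINAL_JSON structure"""
+global FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION
+if is_section(line, TITLE1_PATTERN):
+title = parse_title(line)
+FINAL_JSON[title] = { "sections": {}, "lines": [], "infos": [] }
+C_MAIN_SECTION = FINAL_JSON[title]
+C_SECTION = C_MAIN_SECTION
+elif is_section(line, TITLE2_PATTERN):
+title = parse_title(line)
+C_MAIN_SECTION["sections"][title] = { "sections": {}, "lines": [], "infos": [] }
+C_2_SECTION = C_MAIN_SECTION["sections"][title]
+C_SECTION = C_2_SECTION
+elif is_section(line, TITLE3_PATTERN):
+title = parse_title(line)
+C_2_SECTION["sections"][title] = { "sections": {}, "lines": [], "infos": [] }
+C_3_SECTION = C_2_SECTION["sections"][title]
+C_SECTION = C_3_SECTION
+elif is_section(line, INFO_PATTERN):
+title = parse_title(line)
+C_SECTION["infos"].append(title)
+#If here, then it's text
+else:
+#If no main section parsed yet, pass
+if C_SECTION == {}:
+return
+C_SECTION["lines"].append({
+"raw_text": line,
+"clean_text": clean_colors(line),
+"colors": get_colors(line)
+})
+def main():
+for line in open(OUTPUT_PATH, 'r').readlines():
+line = line.strip()
+if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
+continue
+parse_line(line)
+with open(JSON_PATH, "w") as f:
+json.dump(FINAL_JSON, f)
+# Start execution
+if __name__ == "__main__":
+try:
+OUTPUT_PATH = sys.argv[1]
+JSON_PATH = sys.argv[2]
+except IndexError as err:
+print("Error: Please pass the peas.out file and the path to save the json\n./peas-parser.py <output_file> <json_file.json>")
+sys.exit(1)
+main()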
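Review bot: In `get_colors` the pattern `reg+"(.+?)\x1b|$"` does not mean "up to the next escape or end of line": the `|` splits the whole expression, so the second branch is a bare `$` that matches an empty string at the end of every line, and coloured text that runs to the end of a line without a closing escape is never captured. Group the terminator instead: `re.findall(reg + "(.+?)(?:\x1b|$)", line)`. `main` also reads the input with `open(OUTPUT_PATH, 'r').readlines()` and never closes the handle; `with open(OUTPUT_PATH, 'r') as f:` and iterating over `f` would match how the JSON file is written a few lines later.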


@ -36,7 +36,7 @@ namespace winPEAS.Helpers
"Any misuse of this software will not be the responsibility of the author or of any other collaborator. " +
"Use it at your own networks and/or with the network owner's permission.";
private static string Version = "v2.0-beta";
private static string Version = "ng";
/////////////////////////////////
///////// PRINT THINGS /////////
@ -87,6 +87,7 @@ namespace winPEAS.Helpers
|---------------------------------------------------------------------------|
| {3}Become a Patreon{0} : {2}https://www.patreon.com/peass{0} |
| {3}Follow on Twitter{0} : {2}@carlospolopm{0} |
| {3}Respect on HTB{0} : {2}SirBroccoli & makikvues{0} |
|---------------------------------------------------------------------------|
| {1}Thank you!{0} |
\---------------------------------------------------------------------------/
@ -101,7 +102,7 @@ namespace winPEAS.Helpers
PrintBanner();
}
Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)" + NOCOLOR);
Console.WriteLine(YELLOW + " WinPEAS" + GREEN + Version + NOCOLOR + YELLOW + " by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)" + NOCOLOR);
PrintMarketingBanner();