darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix su brute check.

Browse Source 
Added Usage help message to indicate '-a' invokes all checks.
Removed 'sudo' exists check, replaced with appropriate 'su' check.
This commit is contained in:
camercu 2023-06-11 10:45:51 -05:00
parent 898b29b0fa
commit 7f4965c0b7
2 changed files with 25 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
linPEAS/builder/linpeas_parts/6_users_information.sh
View File

@ -25,7 +25,7 @@ if [ "$MACPEAS" ];then
print_2title "SystemKey" print_2title "SystemKey"
ls -l /var/db/SystemKey ls -l /var/db/SystemKey
if [ -r "/var/db/SystemKey" ]; then if [ -r "/var/db/SystemKey" ]; then
echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},"; echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},"; hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
fi fi
@ -71,7 +71,7 @@ fi
for filename in /etc/sudoers.d/*; do for filename in /etc/sudoers.d/*; do
if [ -r "$filename" ]; then if [ -r "$filename" ]; then
echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g" echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
fi fi
done done
echo "" echo ""
@ -80,17 +80,17 @@ echo ""
print_2title "Checking sudo tokens" print_2title "Checking sudo tokens"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g"; echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
if [ "$(command -v gdb 2>/dev/null)" ]; then if [ "$(command -v gdb 2>/dev/null)" ]; then
echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g"; echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
fi fi
if [ "$CURRENT_USER_PIVOT_PID" ]; then if [ "$CURRENT_USER_PIVOT_PID" ]; then
echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g"; echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
fi fi
if [ -f "$HOME/.sudo_as_admin_successful" ]; then if [ -f "$HOME/.sudo_as_admin_successful" ]; then
echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},"; echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
fi fi
@ -100,7 +100,7 @@ if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
fi fi
else else
echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g"; echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
fi fi
@ -110,7 +110,7 @@ echo ""
if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
print_2title "Checking doas.conf" print_2title "Checking doas.conf"
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null) doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
else echo_not_found "doas.conf" else echo_not_found "doas.conf"
fi fi
@ -214,8 +214,7 @@ if [ "$EXTRA_CHECKS" ]; then
fi fi
#-- UI) Brute su #-- UI) Brute su
EXISTS_SUDO="$(command -v sudo 2>/dev/null)" if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then
print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
POSSIBE_SU_BRUTE=$(check_if_su_brute); POSSIBE_SU_BRUTE=$(check_if_su_brute);
if [ "$POSSIBE_SU_BRUTE" ]; then if [ "$POSSIBE_SU_BRUTE" ]; then
@ -228,6 +227,6 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] &&
printf $GREEN"It's not possible to brute-force su.\n\n"$NC printf $GREEN"It's not possible to brute-force su.\n\n"$NC
fi fi
else else
print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
fi fi
print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC

24
linPEAS/builder/linpeas_parts/linpeas_base.sh
View File

@ -74,6 +74,7 @@ THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lsc
HELP=$GREEN"Enumerate and search Privilege Escalation vectors. HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors. ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
${GREEN} Checks: ${GREEN} Checks:
${YELLOW} -a${BLUE} Perform all checks: 1 min of processes, su brute, and extra checks.
${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. ${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks) ${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks)
${YELLOW} -e${BLUE} Perform extra enumeration ${YELLOW} -e${BLUE} Perform extra enumeration
@ -81,20 +82,20 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours) ${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours)
${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' ${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
${YELLOW} -D${BLUE} Debug mode ${YELLOW} -D${BLUE} Debug mode
${GREEN} Network recon: ${GREEN} Network recon:
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 ${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 ${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
${GREEN} Port forwarding (reverse connection): ${GREEN} Port forwarding (reverse connection):
${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a your host (LOCAL_IP:LOCAL_PORT) to a remote IP (REMOTE_IP:REMOTE_PORT) ${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a your host (LOCAL_IP:LOCAL_PORT) to a remote IP (REMOTE_IP:REMOTE_PORT)
${GREEN} Firmware recon: ${GREEN} Firmware recon:
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder ${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
${GREEN} Misc: ${GREEN} Misc:
${YELLOW} -h${BLUE} To show this message ${YELLOW} -h${BLUE} To show this message
${YELLOW} -w${BLUE} Wait execution between big blocks of checks ${YELLOW} -w${BLUE} Wait execution between big blocks of checks
@ -124,12 +125,12 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
r) REGEXES="1";; r) REGEXES="1";;
f) SEARCH_IN_FOLDER=$OPTARG; f) SEARCH_IN_FOLDER=$OPTARG;
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/" if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
fi; fi;
ROOT_FOLDER=$SEARCH_IN_FOLDER; ROOT_FOLDER=$SEARCH_IN_FOLDER;
REGEXES="1"; REGEXES="1";
CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_perms_files,interesting_files,api_keys_regex";; CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_perms_files,interesting_files,api_keys_regex";;
F) PORT_FORWARD=$OPTARG;; F) PORT_FORWARD=$OPTARG;;
esac esac
done done
@ -244,7 +245,7 @@ print_support () {
printf """ printf """
${GREEN}/---------------------------------------------------------------------------------\\ ${GREEN}/---------------------------------------------------------------------------------\\
| ${BLUE}Do you like PEASS?${GREEN} | | ${BLUE}Do you like PEASS?${GREEN} |
|---------------------------------------------------------------------------------| |---------------------------------------------------------------------------------|
| ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} | | ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} |
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} | | ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} |
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} | | ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
@ -315,7 +316,7 @@ idB="euid|egid$baduid"
sudovB="[01].[012345678].[0-9]+|1.9.[01234]|1.9.5p1" sudovB="[01].[012345678].[0-9]+|1.9.[01234]|1.9.5p1"
mounted=$( (cat /proc/self/mountinfo || cat /proc/1/mountinfo) 2>/dev/null | cut -d " " -f5 | grep "^/" | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}') mounted=$( (cat /proc/self/mountinfo || cat /proc/1/mountinfo) 2>/dev/null | cut -d " " -f5 | grep "^/" | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}')
if ! [ "$mounted" ]; then if ! [ "$mounted" ]; then
mounted=$( (mount -l || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}') mounted=$( (mount -l || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}')
fi fi
if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty
@ -672,7 +673,7 @@ print_title(){
printf "╚" printf "╚"
for i in $(seq 1 $title_len); do printf "═"; done; printf "═"; for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
printf "╝" printf "╝"
printf $NC printf $NC
echo "" echo ""
} }
@ -745,8 +746,9 @@ su_brute_user_num (){
} }
check_if_su_brute(){ check_if_su_brute(){
EXISTS_SU="$(command -v su 2>/dev/null)"
error=$(echo "" | timeout 1 su $(whoami) -c whoami 2>&1); error=$(echo "" | timeout 1 su $(whoami) -c whoami 2>&1);
if ! echo $error | grep -q "must be run from a terminal"; then if [ "$EXISTS_SU" ] && ! echo $error | grep -q "must be run from a terminal"; then
echo "1" echo "1"
fi fi
} }
@ -1133,7 +1135,7 @@ elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | g
wait # Always wait at the end wait # Always wait at the end
CONT_THREADS=0 #Reset the threads counter CONT_THREADS=0 #Reset the threads counter
fi fi
if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
#GENERATE THE STORAGES OF THE FOUND FILES #GENERATE THE STORAGES OF THE FOUND FILES