diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index b751bef..c725659 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -113,6 +113,7 @@ variables: defaults: auto_check: False #The builder will generate a check for the file (only linpeas) bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed + very_bad_regex: "" #The regex used to color yellow/red check_extra_path: "" #Check if the found files are in a specific path (only linpeas) good_regex: "" #The regex to color green just_list_file: False #Just mention the path to the file, do not cat it @@ -543,11 +544,11 @@ search: files: - name: "mongod*.conf" value: - type: f - remove_empty_lines: True - remove_regex: '\W+\#|^#' - search_in: - - common + type: f + remove_empty_lines: True + remove_regex: '\W+\#|^#' + search_in: + - common - name: Supervisord @@ -558,11 +559,11 @@ search: files: - name: "supervisord.conf" value: - bad_regex: "port.*=|username.*=|password.*=" - only_bad_lines: True - type: f - search_in: - - common + bad_regex: "port.*=|username.*=|password.*=" + only_bad_lines: True + type: f + search_in: + - common - name: Cesi value: @@ -586,19 +587,19 @@ search: files: - name: "rsyncd.conf" value: - bad_regex: "secrets.*|auth.*users.*=" - type: f - remove_empty_lines: True - remove_regex: '\W+\#|^#' - search_in: - - common + bad_regex: "secrets.*|auth.*users.*=" + type: f + remove_empty_lines: True + remove_regex: '\W+\#|^#' + search_in: + - common - name: "rsyncd.secrets" value: - bad_regex: ".*" - type: f - search_in: - - common + bad_regex: ".*" + type: f + search_in: + - common - name: Hostapd value: @@ -608,12 +609,64 @@ search: files: - name: "hostapd.conf" value: - bad_regex: "passphrase.*" - remove_regex: '^#' - remove_empty_lines: True + bad_regex: "passphrase.*" + remove_regex: '^#' + remove_empty_lines: True + type: f + search_in: + - common + + - name: Wifi Connections + value: + config: + auto_check: True + + files: + - name: "system-connections" + value: + files: + - name: "*" + value: + bad_regex: "psk.*" + only_bad_lines: True + type: f + type: d + search_in: + - /etc + + - name: PAM Auth + value: + config: + auto_check: True + + files: + - name: "pam.d" + value: + files: + - name: "sshd" + value: + bad_regex: ".*" + line_grep: '-i "auth"' + remove_regex: "^#|^@" + type: f + type: d + search_in: + - /etc + + - name: NFS Exports + value: + config: + auto_check: True + + files: + - name: exports + value: + very_bad_regex: "no_root_squash|no_all_squash" + bad_regex: "insecure" + remove_regex: '\W+\#|^#' type: f search_in: - - common + - /etc - name: Anaconda ks value: @@ -629,7 +682,6 @@ search: search_in: - common - - name: Racoon value: config: @@ -1921,7 +1973,7 @@ search: auto_check: False files: - - name: ".*_history.*" + - name: '*_history*' value: bad_regex: "$pwd_inside_history" line_grep: '-a "$pwd_inside_history"' @@ -2136,6 +2188,19 @@ search: type: f search_in: - common + + - name: Pass Store Directories + value: + config: + auto_check: True + + files: + - name: ".password-store" + value: + just_list_file: True + type: d + search_in: + - common - name: FTP value: diff --git a/linPEAS/builder/linpeas_parts/available_software.sh b/linPEAS/builder/linpeas_parts/available_software.sh index 5c9ecd4..488b51a 100644 --- a/linPEAS/builder/linpeas_parts/available_software.sh +++ b/linPEAS/builder/linpeas_parts/available_software.sh @@ -4,11 +4,11 @@ #-- 1AS) Useful software print_2title "Useful software" -command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind 2>/dev/null +command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind echo "" #-- 2AS) Search for compilers -print_2title "Installed Compiler" +print_2title "Installed Compilers" (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); echo "" @@ -25,16 +25,16 @@ if [ "$(command -v brew 2>/dev/null)" ]; then fi if [ "$MACPEAS" ]; then -print_2title "Writable Installed Applications" -system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do - if [ -w "$f" ]; then - echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" - fi -done + print_2title "Writable Installed Applications" + system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do + if [ -w "$f" ]; then + echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" + fi + done -system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do - if [ -w "$f" ]; then - echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" - fi -done + system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do + if [ -w "$f" ]; then + echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" + fi + done fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/container.sh b/linPEAS/builder/linpeas_parts/container.sh index c1af4cf..046ed0f 100644 --- a/linPEAS/builder/linpeas_parts/container.sh +++ b/linPEAS/builder/linpeas_parts/container.sh @@ -1,3 +1,129 @@ +########################################### +#---------) Container functions (---------# +########################################### + +containerCheck() { + inContainer="" + containerType="$(echo_no)" + + # Are we inside docker? + if [ -f "/.dockerenv" ] || + grep "/docker/" /proc/1/cgroup -qa 2>/dev/null || + grep -qai docker /proc/self/cgroup 2>/dev/null || + [ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then + + inContainer="1" + containerType="docker\n" + fi + + # Are we inside kubenetes? + if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null || + grep -qai kubepods /proc/self/cgroup 2>/dev/null; then + + inContainer="1" + if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n" + else containerType="kubernetes\n" + fi + fi + + # Are we inside LXC? + if env | grep "container=lxc" -qa 2>/dev/null || + grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then + + inContainer="1" + containerType="lxc\n" + fi + + # Are we inside podman? + if env | grep -qa "container=podman" 2>/dev/null || + grep -qa "container=podman" /proc/1/environ 2>/dev/null; then + + inContainer="1" + containerType="podman\n" + fi + + # Check for other container platforms that report themselves in PID 1 env + if [ -z "$inContainer" ]; then + if grep -a 'container=' /proc/1/environ 2>/dev/null; then + inContainer="1" + containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n" + fi + fi +} + +inDockerGroup() { + DOCKER_GROUP="No" + if groups 2>/dev/null | grep -q '\bdocker\b'; then + DOCKER_GROUP="Yes" + fi +} + +checkDockerRootless() { + DOCKER_ROOTLESS="No" + if docker info 2>/dev/null|grep -q rootless; then + DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)" + fi +} + +enumerateDockerSockets() { + dockerVersion="$(echo_not_found)" + if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then + SEARCHED_DOCKER_SOCKETS="1" + for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do + if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then + echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g" + echo "Docker enummeration:" + docker_enumerated="" + + if [ "$(command -v curl)" ]; then + sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4) + echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi + fi + + if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then + sockInfoResponse="$(docker info)" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4) + printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + fi + + else + echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g" + fi + done + fi +} + +checkDockerVersionExploits() { + if echo "$dockerVersion" | grep -iq "not found"; then + VULN_CVE_2019_13139="$(echo_not_found)" + VULN_CVE_2019_5736="$(echo_not_found)" + return + fi + + VULN_CVE_2019_13139="$(echo_no)" + if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then + VULN_CVE_2019_13139="Yes" + fi + + VULN_CVE_2019_5736="$(echo_no)" + if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then + VULN_CVE_2019_5736="Yes" + fi +} + +checkContainerExploits() { + VULN_CVE_2019_5021="$(echo_no)" + if [ -f "/etc/alpine-release" ]; then + alpineVersion=$(cat /etc/alpine-release) + if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then + VULN_CVE_2019_5021="Yes" + fi + fi +} + + ############################################## #---------------) Containers (---------------# ############################################## @@ -57,7 +183,7 @@ if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" - print_list "Container ID ...................$NC $(cat /etc/hostname)" + print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')" if echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" fi diff --git a/linPEAS/builder/linpeas_parts/interesting_files.sh b/linPEAS/builder/linpeas_parts/interesting_files.sh index d1bc7be..3f47954 100644 --- a/linPEAS/builder/linpeas_parts/interesting_files.sh +++ b/linPEAS/builder/linpeas_parts/interesting_files.sh @@ -2,6 +2,20 @@ #----------) Interesting files (----------# ########################################### +check_critial_root_path(){ + folder_path="$1" + if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi +} + + + + + + + + ##-- IF) SUID print_2title "SUID - Check easy privesc, exploits and write perms" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" @@ -255,33 +269,26 @@ echo "" ##-- IF) Files (scripts) in /etc/profile.d/ print_2title "Files (scripts) in /etc/profile.d/" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files" -if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS +if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" - if ! [ "$IAMROOT" ] && [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/profile.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/profile.d/ '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + check_critial_root_path "/etc/profile" + check_critial_root_path "/etc/profile.d/" fi echo "" ##-- IF) Files (scripts) in /etc/init.d/ print_2title "Permissions in init, init.d, systemd, and rc.d" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d" -if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS - if ! [ "$IAMROOT" ] && [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d" ]; then echo "You have write privileges over /etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if ! [ "$IAMROOT" ] && [ "$(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi +if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS + check_critial_root_path "/etc/init/" + check_critial_root_path "/etc/init.d/" + check_critial_root_path "/etc/rc.d/init.d" + check_critial_root_path "/usr/local/etc/rc.d" + check_critial_root_path "/etc/rc.d" + check_critial_root_path "/etc/systemd/" + check_critial_root_path "/lib/systemd/" fi + echo "" ##-- IF) Hashes in passwd file @@ -534,6 +541,11 @@ if ! [ "$IAMROOT" ]; then echo "" fi +##-- IF) Passwords in history files +print_2title "Searching passwords in history files" +printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done +echo "" + ##-- IF) Passwords in config PHP files print_2title "Searching passwords in config PHP files" printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index df6fc85..357adad 100755 --- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -52,7 +52,6 @@ ITALIC="${C}[3m" if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi FAST="1" #By default stealth/fast mode SUPERFAST="" -NOTEXPORT="" DISCOVERY="" PORTS="" QUIET="" @@ -60,8 +59,9 @@ CHECKS="peass{CHECKS}" WAIT="" PASSWORD="" NOCOLOR="" -VERBOSE="" +DEBUG="" AUTO_NETWORK_SCAN="" +EXTRA_CHECKS="" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 @@ -70,12 +70,12 @@ HELP=$GREEN"Enumerate and search Privilege Escalation vectors. ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors. ${YELLOW}-h${BLUE} To show this message ${YELLOW}-q${BLUE} Do not show banner - ${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly + ${YELLOW}-e${BLUE} Perform extra enumeration ${YELLOW}-s${BLUE} SuperFast (don't check some time consuming checks) - Stealth mode - ${YELLOW}-w${BLUE} Wait execution between big blocks - ${YELLOW}-n${BLUE} Do not export env variables related with history and do not check Internet connectivity + ${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly + ${YELLOW}-w${BLUE} Wait execution between big blocks of checks ${YELLOW}-N${BLUE} Do not use colours - ${YELLOW}-v${BLUE} Verbose execution + ${YELLOW}-D${BLUE} Debug mode ${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' ${YELLOW}-o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. ${YELLOW}-L${BLUE} Force linpeas execution. @@ -86,12 +86,11 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files $GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" -while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do +while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do case "$opt" in h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; - a) FAST="";; + a) FAST="";EXTRA_CHECKS="1";; s) SUPERFAST=1;; - n) NOTEXPORT=1;; d) DISCOVERY=$OPTARG;; p) PORTS=$OPTARG;; i) IP=$OPTARG;; @@ -102,8 +101,9 @@ while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do M) MACPEAS="1";; w) WAIT=1;; N) NOCOLOR="1";; - v) VERBOSE="1";; + D) DEBUG="1";; t) AUTO_NETWORK_SCAN="1";; + e) EXTRA_CHECKS="1";; esac done @@ -510,7 +510,7 @@ profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh| knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" -timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer" +timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer" commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" @@ -584,7 +584,7 @@ echo_no (){ } print_title(){ - if [ "$VERBOSE" ]; then + if [ "$DEBUG" ]; then END_T2_TIME=$(date +%s 2>/dev/null) if [ "$START_T2_TIME" ]; then TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) @@ -605,7 +605,7 @@ print_title(){ } print_2title(){ - if [ "$VERBOSE" ]; then + if [ "$DEBUG" ]; then END_T2_TIME=$(date +%s 2>/dev/null) if [ "$START_T2_TIME" ]; then TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) @@ -864,139 +864,12 @@ discovery_port_scan (){ #---) Exporting history env variables (---# ########################################### -if ! [ "$NOTEXPORT" ]; then - unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH - export HISTFILE=/dev/null - export HISTSIZE=0 - export HISTFILESIZE=0 -fi +unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH +export HISTFILE=/dev/null +export HISTSIZE=0 +export HISTFILESIZE=0 -########################################### -#---------) Container functions (---------# -########################################### - -containerCheck() { - inContainer="" - containerType="$(echo_no)" - - # Are we inside docker? - if [ -f "/.dockerenv" ] || - grep "/docker/" /proc/1/cgroup -qa 2>/dev/null || - grep -qai docker /proc/self/cgroup 2>/dev/null || - [ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then - - inContainer="1" - containerType="docker\n" - fi - - # Are we inside kubenetes? - if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null || - grep -qai kubepods /proc/self/cgroup 2>/dev/null; then - - inContainer="1" - if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n" - else containerType="kubernetes\n" - fi - fi - - # Are we inside LXC? - if env | grep "container=lxc" -qa 2>/dev/null || - grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then - - inContainer="1" - containerType="lxc\n" - fi - - # Are we inside podman? - if env | grep -qa "container=podman" 2>/dev/null || - grep -qa "container=podman" /proc/1/environ 2>/dev/null; then - - inContainer="1" - containerType="podman\n" - fi - - # Check for other container platforms that report themselves in PID 1 env - if [ -z "$inContainer" ]; then - if grep -a 'container=' /proc/1/environ 2>/dev/null; then - inContainer="1" - containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n" - fi - fi -} - -inDockerGroup() { - DOCKER_GROUP="No" - if groups 2>/dev/null | grep -q '\bdocker\b'; then - DOCKER_GROUP="Yes" - fi -} - -checkDockerRootless() { - DOCKER_ROOTLESS="No" - if docker info 2>/dev/null|grep -q rootless; then - DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)" - fi -} - -enumerateDockerSockets() { - dockerVersion="$(echo_not_found)" - if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then - SEARCHED_DOCKER_SOCKETS="1" - for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do - if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then - echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g" - echo "Docker enummeration:" - docker_enumerated="" - - if [ "$(command -v curl)" ]; then - sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)" - dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4) - echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' - if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi - fi - - if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then - sockInfoResponse="$(docker info)" - dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4) - printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' - fi - - else - echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g" - fi - done - fi -} - -checkDockerVersionExploits() { - if echo "$dockerVersion" | grep -iq "not found"; then - VULN_CVE_2019_13139="$(echo_not_found)" - VULN_CVE_2019_5736="$(echo_not_found)" - return - fi - - VULN_CVE_2019_13139="$(echo_no)" - if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then - VULN_CVE_2019_13139="Yes" - fi - - VULN_CVE_2019_5736="$(echo_no)" - if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then - VULN_CVE_2019_5736="Yes" - fi -} - -checkContainerExploits() { - VULN_CVE_2019_5021="$(echo_no)" - if [ -f "/etc/alpine-release" ]; then - alpineVersion=$(cat /etc/alpine-release) - if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then - VULN_CVE_2019_5021="Yes" - fi - fi -} - ########################################### #-----------) Some Basic Info (-----------# diff --git a/linPEAS/builder/linpeas_parts/network_information.sh b/linPEAS/builder/linpeas_parts/network_information.sh index 92ebef1..c6255c8 100644 --- a/linPEAS/builder/linpeas_parts/network_information.sh +++ b/linPEAS/builder/linpeas_parts/network_information.sh @@ -15,9 +15,11 @@ warn_exec dnsdomainname 2>/dev/null echo "" #-- NI) /etc/inetd.conf -print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf" -(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf" -echo "" +if [ "$EXTRA_CHECKS" ]; then + print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf" + (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf" + echo "" +fi #-- NI) Interfaces print_2title "Interfaces" @@ -26,14 +28,16 @@ cat /etc/networks 2>/dev/null echo "" #-- NI) Neighbours -print_2title "Networks and neighbours" -if [ "$MACOS" ]; then - netstat -rn 2>/dev/null -else - (route || ip n || cat /proc/net/route) 2>/dev/null +if [ "$EXTRA_CHECKS" ]; then + print_2title "Networks and neighbours" + if [ "$MACOS" ]; then + netstat -rn 2>/dev/null + else + (route || ip n || cat /proc/net/route) 2>/dev/null + fi + (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null + echo "" fi -(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null -echo "" if [ "$MACPEAS" ]; then print_2title "Firewall status" @@ -41,9 +45,11 @@ if [ "$MACPEAS" ]; then fi #-- NI) Iptables -print_2title "Iptables rules" -(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules" -echo "" +if [ "$EXTRA_CHECKS" ]; then + print_2title "Iptables rules" + (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules" + echo "" +fi #-- NI) Ports print_2title "Active Ports" @@ -52,7 +58,7 @@ print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-por echo "" #-- NI) MacOS hardware ports -if [ "$MACPEAS" ]; then +if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then print_2title "Hardware Ports" networksetup -listallhardwareports echo "" @@ -93,7 +99,7 @@ fi echo "" #-- NI) Internet access -if ! [ "$SUPERFAST" ] && ! [ "$FAST" ] && ! [ "$NOTEXPORT" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then +if ! [ "$SUPERFAST" ] && [ "$EXTRA_CHECKS" ] && ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then print_2title "Internet Access?" check_tcp_80 2>/dev/null & check_tcp_443 2>/dev/null & @@ -111,7 +117,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then else print_2title "Scanning local networks (using /24)" - if ! [ "$PING" ] && ![ "$FPING" ]; then + if ! [ "$PING" ] && ! [ "$FPING" ]; then printf $RED"[-] $DISCOVER_BAN_BAD\n$NC" fi @@ -162,15 +168,17 @@ if [ "$MACOS" ]; then system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED}," echo "" - print_2title "Bluetooth Info" - warn_exec system_profiler SPBluetoothDataType - echo "" + if [ "$EXTRA_CHECKS" ]; then + print_2title "Bluetooth Info" + warn_exec system_profiler SPBluetoothDataType + echo "" - print_2title "Ethernet Info" - warn_exec system_profiler SPEthernetDataType - echo "" + print_2title "Ethernet Info" + warn_exec system_profiler SPEthernetDataType + echo "" - print_2title "USB Info" - warn_exec system_profiler SPUSBDataType - echo "" + print_2title "USB Info" + warn_exec system_profiler SPUSBDataType + echo "" + fi fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh index 0a9a4e3..ec04292 100644 --- a/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh @@ -122,10 +122,12 @@ if [ "$MACPEAS" ]; then fi #-- PCS) Services -print_2title "Services" -print_info "Search for outdated versions" -(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" -echo "" +if [ "$EXTRA_CHECKS" ]; then + print_2title "Services" + print_info "Search for outdated versions" + (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" + echo "" +fi #-- PSC) systemd PATH print_2title "Systemd PATH" @@ -138,13 +140,13 @@ echo "" #TODO: .service files in MACOS are folders print_2title "Analyzing .service files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services" -printf "%s\n" "$PSTORAGE_SYSTEMD\n" | while read s; do +printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do if [ ! -O "$s" ]; then #Remove services that belongs to the current user if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" fi servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths - printf "%s\n" "$servicebinpaths\n" | while read sp; do + printf "%s\n" "$servicebinpaths" | while read sp; do if [ -w "$sp" ]; then echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g" fi @@ -172,7 +174,7 @@ echo "" #-- PSC) .timer files print_2title "Analyzing .timer files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers" -printf "%s\n" "$PSTORAGE_TIMER\n" | while read t; do +printf "%s\n" "$PSTORAGE_TIMER" | while read t; do if ! [ "$IAMROOT" ] && [ -w "$t" ]; then echo "$t" | sed -${E} "s,.*,${SED_RED},g" fi diff --git a/linPEAS/builder/linpeas_parts/software_information.sh b/linPEAS/builder/linpeas_parts/software_information.sh index 49436fd..c0d7f48 100644 --- a/linPEAS/builder/linpeas_parts/software_information.sh +++ b/linPEAS/builder/linpeas_parts/software_information.sh @@ -129,14 +129,7 @@ peass{Rsync} peass{Hostapd} -#-- SI) Wifi conns -print_2title "Searching wifi conns file" -wifi=$(find /etc/NetworkManager/system-connections/ -type f 2>/dev/null) -if [ "$wifi" ]; then - printf "%s\n" "$wifi" | while read f; do echo "$f"; cat "$f" 2>/dev/null | grep "psk.*=" | sed "s,psk.*,${SED_RED},"; done -else echo_not_found -fi -echo "" +peass{Wifi Connections} peass{Anaconda ks} @@ -152,6 +145,7 @@ if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CER sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" +writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')') peass{SSH} @@ -197,6 +191,15 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then ssh-add -l echo "" fi +if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then + print_3title "Listing gpg keys cached in gpg-agent" + gpg-connect-agent "keyinfo --list" /bye + echo "" +fi +if [ "$writable_agents" ]; then + print_3title "Writable ssh and gpg agents" + printf "%s\n" "$writable_agents" +fi if [ "$PSTORAGE_SSH_CONFIG" ]; then print_3title "Some home ssh config file was found" printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done @@ -221,22 +224,14 @@ if [ "$sshconfig" ]; then fi echo "" -#-- SI) PAM auth -print_2title "Searching unexpected auth lines in /etc/pam.d/sshd" -pamssh=$(grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth) -if [ "$pamssh" ]; then - grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth | sed -${E} "s,.*,${SED_RED}," -else echo_no -fi +peass{PAM Auth} + +#-- SI) Passwords inside pam.d +print_2title "Passwords inside pam.d" +grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," echo "" -#-- SI) NFS exports -print_2title "NFS exports?" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe" -if [ "$(cat /etc/exports 2>/dev/null)" ]; then grep -v "^#" /etc/exports 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,no_root_squash|no_all_squash ,${SED_RED_YELLOW}," | sed -${E} "s,insecure,${SED_RED}," -else echo_not_found "/etc/exports" -fi -echo "" +peass{NFS Exports} #-- SI) Kerberos print_2title "Searching kerberos conf files and tickets" @@ -335,21 +330,34 @@ echo "" print_2title "Searching screen sessions" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) -if [ "$screensess" ]; then - printf "$screensess" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m," -else echo_not_found "screen" +screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null) +if [ "$screensess" ] || [ "$screensess2" ]; then + screen -v + printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m," +else + echo_not_found "screen" fi +find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do + echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," +done echo "" #-- SI) Tmux sessions tmuxdefsess=$(tmux ls 2>/dev/null) tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) +tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null) print_2title "Searching tmux sessions"$N print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" -if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ]; then - printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," -else echo_not_found "tmux" +if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ]; then + tmux -V + printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," +else + echo_not_found "tmux" fi + +find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do + echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," +done echo "" peass{CouchDB} @@ -410,7 +418,7 @@ echo "" print_2title "Analyzing kcpassword files" print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword" -printf "%s\n" "$PSTORAGE_KCPASSWORD\n" | while read f; do +printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do echo "$f" | sed -${E} "s,.*,${SED_RED}," base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," done @@ -521,12 +529,6 @@ if grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep -q yubikey; th fi echo "" -#-- SI) Passwords inside pam.d -print_2title "Passwords inside pam.d" -grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," -echo "" - - peass{SNMP} diff --git a/linPEAS/builder/linpeas_parts/system_information.sh b/linPEAS/builder/linpeas_parts/system_information.sh index 4967d6a..7f6ea6d 100644 --- a/linPEAS/builder/linpeas_parts/system_information.sh +++ b/linPEAS/builder/linpeas_parts/system_information.sh @@ -54,15 +54,19 @@ warn_exec uptime 2>/dev/null echo "" #-- SY) System stats -print_2title "System stats" -(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk" -warn_exec free 2>/dev/null -echo "" +if [ "$EXTRA_CHECKS" ]; then + print_2title "System stats" + (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk" + warn_exec free 2>/dev/null + echo "" +fi #-- SY) CPU info -print_2title "CPU info" -warn_exec lscpu 2>/dev/null -echo "" +if [ "$EXTRA_CHECKS" ]; then + print_2title "CPU info" + warn_exec lscpu 2>/dev/null + echo "" +fi #-- SY) Environment vars print_2title "Environment" @@ -91,6 +95,9 @@ if [ "$(command -v bash 2>/dev/null)" ]; then print_info "https://github.com/mzet-/linux-exploit-suggester" les_b64="peass{LES}" echo $les_b64 | base64 -d | bash + if [ "$EXTRA_CHECKS" ]; then + echo $les_b64 | base64 -d | bash -s -- --checksec + fi echo "" fi diff --git a/linPEAS/builder/linpeas_parts/users_information.sh b/linPEAS/builder/linpeas_parts/users_information.sh index d0de135..2217adf 100644 --- a/linPEAS/builder/linpeas_parts/users_information.sh +++ b/linPEAS/builder/linpeas_parts/users_information.sh @@ -1,7 +1,6 @@ ########################################### #----------) Users Information (----------# ########################################### -print_title "Users Information" #-- UI) My user print_2title "My user" @@ -190,20 +189,22 @@ fi echo "" #-- UI) Password policy -print_2title "Password policy" -grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" -echo "" - -if [ "$MACPEAS" ]; then - print_2title "Relevant last user info and user configs" - defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null +if [ "$EXTRA_CHECKS" ]; then + print_2title "Password policy" + grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" echo "" - print_2title "Guest user status" - sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," - sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," - sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," - echo "" + if [ "$MACPEAS" ]; then + print_2title "Relevant last user info and user configs" + defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null + echo "" + + print_2title "Guest user status" + sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," + sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," + sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," + echo "" + fi fi #-- UI) Brute su diff --git a/linPEAS/builder/src/fileRecord.py b/linPEAS/builder/src/fileRecord.py index 3388faf..b06561a 100644 --- a/linPEAS/builder/src/fileRecord.py +++ b/linPEAS/builder/src/fileRecord.py @@ -4,6 +4,7 @@ class FileRecord: def __init__(self, regex: str, bad_regex: str=DEFAULTS["bad_regex"], + very_bad_regex: str=DEFAULTS["very_bad_regex"], check_extra_path: str =DEFAULTS["check_extra_path"], files: dict={}, good_regex: str=DEFAULTS["good_regex"], @@ -19,6 +20,7 @@ class FileRecord: self.regex = regex self.bad_regex = bad_regex + self.very_bad_regex = very_bad_regex self.check_extra_path = check_extra_path self.files = [FileRecord(regex=fr["name"],**fr["value"]) for fr in files] self.good_regex = good_regex diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 2139467..585a6e7 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -228,7 +228,7 @@ class LinpeasBuilder: analise_line = "" if init: - analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then echo_not_found "'+frecord.regex+'"; fi; ' + analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; ' analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' #If just list, just list the file/directory @@ -244,6 +244,7 @@ class LinpeasBuilder: grep_only_bad_lines = f' | grep -E "{frecord.bad_regex}"' if frecord.bad_regex else "" grep_remove_regex = f' | grep -Ev "{frecord.remove_regex}"' if frecord.remove_regex else "" sed_bad_regex = ' | sed -${E} "s,'+frecord.bad_regex+',${SED_RED},g"' if frecord.bad_regex else "" + sed_very_bad_regex = ' | sed -${E} "s,'+frecord.very_bad_regex+',${SED_RED_YELLOW},g"' if frecord.very_bad_regex else "" sed_good_regex = ' | sed -${E} "s,'+frecord.good_regex+',${SED_GOOD},g"' if frecord.good_regex else "" if init: @@ -265,6 +266,9 @@ class LinpeasBuilder: if sed_bad_regex: analise_line += sed_bad_regex + + if sed_very_bad_regex: + analise_line += sed_very_bad_regex if sed_good_regex: analise_line += sed_good_regex