darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more_checks

Browse Source
This commit is contained in:
carlospolop 2021-12-19 08:31:53 -05:00
parent a7f161a40d
commit 87fe48a900
12 changed files with 393 additions and 291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
build_lists/sensitive_files.yaml
View File

@ -113,6 +113,7 @@ variables:
defaults: defaults:
auto_check: False #The builder will generate a check for the file (only linpeas) auto_check: False #The builder will generate a check for the file (only linpeas)
bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed
very_bad_regex: "" #The regex used to color yellow/red
check_extra_path: "" #Check if the found files are in a specific path (only linpeas) check_extra_path: "" #Check if the found files are in a specific path (only linpeas)
good_regex: "" #The regex to color green good_regex: "" #The regex to color green
just_list_file: False #Just mention the path to the file, do not cat it just_list_file: False #Just mention the path to the file, do not cat it
@ -615,6 +616,58 @@ search:
search_in: search_in:
- common - common
- name: Wifi Connections
value:
config:
auto_check: True
files:
- name: "system-connections"
value:
files:
- name: "*"
value:
bad_regex: "psk.*"
only_bad_lines: True
type: f
type: d
search_in:
- /etc
- name: PAM Auth
value:
config:
auto_check: True
files:
- name: "pam.d"
value:
files:
- name: "sshd"
value:
bad_regex: ".*"
line_grep: '-i "auth"'
remove_regex: "^#|^@"
type: f
type: d
search_in:
- /etc
- name: NFS Exports
value:
config:
auto_check: True
files:
- name: exports
value:
very_bad_regex: "no_root_squash|no_all_squash"
bad_regex: "insecure"
remove_regex: '\W+\#|^#'
type: f
search_in:
- /etc
- name: Anaconda ks - name: Anaconda ks
value: value:
config: config:
@ -629,7 +682,6 @@ search:
search_in: search_in:
- common - common
- name: Racoon - name: Racoon
value: value:
config: config:
@ -1921,7 +1973,7 @@ search:
auto_check: False auto_check: False
files: files:
- name: ".*_history.*" - name: '*_history*'
value: value:
bad_regex: "$pwd_inside_history" bad_regex: "$pwd_inside_history"
line_grep: '-a "$pwd_inside_history"' line_grep: '-a "$pwd_inside_history"'
@ -2137,6 +2189,19 @@ search:
search_in: search_in:
- common - common
- name: Pass Store Directories
value:
config:
auto_check: True
files:
- name: ".password-store"
value:
just_list_file: True
type: d
search_in:
- common
- name: FTP - name: FTP
value: value:
config: config:

14
linPEAS/builder/linpeas_parts/available_software.sh
View File

@ -4,11 +4,11 @@
#-- 1AS) Useful software #-- 1AS) Useful software
print_2title "Useful software" print_2title "Useful software"
command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind 2>/dev/null command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind
echo "" echo ""
#-- 2AS) Search for compilers #-- 2AS) Search for compilers
print_2title "Installed Compiler" print_2title "Installed Compilers"
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
echo "" echo ""
@ -25,16 +25,16 @@ if [ "$(command -v brew 2>/dev/null)" ]; then
fi fi
if [ "$MACPEAS" ]; then if [ "$MACPEAS" ]; then
print_2title "Writable Installed Applications" print_2title "Writable Installed Applications"
system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi fi
done done
system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi fi
done done
fi fi

128
linPEAS/builder/linpeas_parts/container.sh
View File

@ -1,3 +1,129 @@
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
############################################## ##############################################
#---------------) Containers (---------------# #---------------) Containers (---------------#
############################################## ##############################################
@ -57,7 +183,7 @@ if [ "$inContainer" ]; then
echo "" echo ""
print_2title "Container & breakout enumeration" print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
print_list "Container ID ...................$NC $(cat /etc/hostname)" print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
if echo "$containerType" | grep -qi "docker"; then if echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi fi

50
linPEAS/builder/linpeas_parts/interesting_files.sh
View File

@ -2,6 +2,20 @@
#----------) Interesting files (----------# #----------) Interesting files (----------#
########################################### ###########################################
check_critial_root_path(){
folder_path="$1"
if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi
}
##-- IF) SUID ##-- IF) SUID
print_2title "SUID - Check easy privesc, exploits and write perms" print_2title "SUID - Check easy privesc, exploits and write perms"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
@ -255,33 +269,26 @@ echo ""
##-- IF) Files (scripts) in /etc/profile.d/ ##-- IF) Files (scripts) in /etc/profile.d/
print_2title "Files (scripts) in /etc/profile.d/" print_2title "Files (scripts) in /etc/profile.d/"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files"
if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
if ! [ "$IAMROOT" ] && [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/profile"
if ! [ "$IAMROOT" ] && [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/profile.d/"
if ! [ "$IAMROOT" ] && [ "$(find /etc/profile.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/profile.d/ '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
fi fi
echo "" echo ""
##-- IF) Files (scripts) in /etc/init.d/ ##-- IF) Files (scripts) in /etc/init.d/
print_2title "Permissions in init, init.d, systemd, and rc.d" print_2title "Permissions in init, init.d, systemd, and rc.d"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d"
if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
if ! [ "$IAMROOT" ] && [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/init/"
if ! [ "$IAMROOT" ] && [ "$(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/init.d/"
if ! [ "$IAMROOT" ] && [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/rc.d/init.d"
if ! [ "$IAMROOT" ] && [ "$(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/usr/local/etc/rc.d"
if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/rc.d"
if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/etc/systemd/"
if ! [ "$IAMROOT" ] && [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi check_critial_root_path "/lib/systemd/"
if ! [ "$IAMROOT" ] && [ "$(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d" ]; then echo "You have write privileges over /etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
fi fi
echo "" echo ""
##-- IF) Hashes in passwd file ##-- IF) Hashes in passwd file
@ -534,6 +541,11 @@ if ! [ "$IAMROOT" ]; then
echo "" echo ""
fi fi
##-- IF) Passwords in history files
print_2title "Searching passwords in history files"
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
echo ""
##-- IF) Passwords in config PHP files ##-- IF) Passwords in config PHP files
print_2title "Searching passwords in config PHP files" print_2title "Searching passwords in config PHP files"
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done

161
linPEAS/builder/linpeas_parts/linpeas_base.sh
View File

@ -52,7 +52,6 @@ ITALIC="${C}[3m"
if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi
FAST="1" #By default stealth/fast mode FAST="1" #By default stealth/fast mode
SUPERFAST="" SUPERFAST=""
NOTEXPORT=""
DISCOVERY="" DISCOVERY=""
PORTS="" PORTS=""
QUIET="" QUIET=""
@ -60,8 +59,9 @@ CHECKS="peass{CHECKS}"
WAIT="" WAIT=""
PASSWORD="" PASSWORD=""
NOCOLOR="" NOCOLOR=""
VERBOSE="" DEBUG=""
AUTO_NETWORK_SCAN="" AUTO_NETWORK_SCAN=""
EXTRA_CHECKS=""
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@ -70,12 +70,12 @@ HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors. ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
${YELLOW}-h${BLUE} To show this message ${YELLOW}-h${BLUE} To show this message
${YELLOW}-q${BLUE} Do not show banner ${YELLOW}-q${BLUE} Do not show banner
${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly ${YELLOW}-e${BLUE} Perform extra enumeration
${YELLOW}-s${BLUE} SuperFast (don't check some time consuming checks) - Stealth mode ${YELLOW}-s${BLUE} SuperFast (don't check some time consuming checks) - Stealth mode
${YELLOW}-w${BLUE} Wait execution between big blocks ${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
${YELLOW}-n${BLUE} Do not export env variables related with history and do not check Internet connectivity ${YELLOW}-w${BLUE} Wait execution between big blocks of checks
${YELLOW}-N${BLUE} Do not use colours ${YELLOW}-N${BLUE} Do not use colours
${YELLOW}-v${BLUE} Verbose execution ${YELLOW}-D${BLUE} Debug mode
${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' ${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
${YELLOW}-o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. ${YELLOW}-o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
${YELLOW}-L${BLUE} Force linpeas execution. ${YELLOW}-L${BLUE} Force linpeas execution.
@ -86,12 +86,11 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files ${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files
$GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" $GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC"
while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do
case "$opt" in case "$opt" in
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
a) FAST="";; a) FAST="";EXTRA_CHECKS="1";;
s) SUPERFAST=1;; s) SUPERFAST=1;;
n) NOTEXPORT=1;;
d) DISCOVERY=$OPTARG;; d) DISCOVERY=$OPTARG;;
p) PORTS=$OPTARG;; p) PORTS=$OPTARG;;
i) IP=$OPTARG;; i) IP=$OPTARG;;
@ -102,8 +101,9 @@ while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do
M) MACPEAS="1";; M) MACPEAS="1";;
w) WAIT=1;; w) WAIT=1;;
N) NOCOLOR="1";; N) NOCOLOR="1";;
v) VERBOSE="1";; D) DEBUG="1";;
t) AUTO_NETWORK_SCAN="1";; t) AUTO_NETWORK_SCAN="1";;
e) EXTRA_CHECKS="1";;
esac esac
done done
@ -510,7 +510,7 @@ profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer" timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$"
commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes"
@ -584,7 +584,7 @@ echo_no (){
} }
print_title(){ print_title(){
if [ "$VERBOSE" ]; then if [ "$DEBUG" ]; then
END_T2_TIME=$(date +%s 2>/dev/null) END_T2_TIME=$(date +%s 2>/dev/null)
if [ "$START_T2_TIME" ]; then if [ "$START_T2_TIME" ]; then
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
@ -605,7 +605,7 @@ print_title(){
} }
print_2title(){ print_2title(){
if [ "$VERBOSE" ]; then if [ "$DEBUG" ]; then
END_T2_TIME=$(date +%s 2>/dev/null) END_T2_TIME=$(date +%s 2>/dev/null)
if [ "$START_T2_TIME" ]; then if [ "$START_T2_TIME" ]; then
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
@ -864,139 +864,12 @@ discovery_port_scan (){
#---) Exporting history env variables (---# #---) Exporting history env variables (---#
########################################### ###########################################
if ! [ "$NOTEXPORT" ]; then unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH export HISTFILE=/dev/null
export HISTFILE=/dev/null export HISTSIZE=0
export HISTSIZE=0 export HISTFILESIZE=0
export HISTFILESIZE=0
fi
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
########################################### ###########################################
#-----------) Some Basic Info (-----------# #-----------) Some Basic Info (-----------#

36
linPEAS/builder/linpeas_parts/network_information.sh
View File

@ -15,9 +15,11 @@ warn_exec dnsdomainname 2>/dev/null
echo "" echo ""
#-- NI) /etc/inetd.conf #-- NI) /etc/inetd.conf
print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf" if [ "$EXTRA_CHECKS" ]; then
(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf" print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
echo "" (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
echo ""
fi
#-- NI) Interfaces #-- NI) Interfaces
print_2title "Interfaces" print_2title "Interfaces"
@ -26,14 +28,16 @@ cat /etc/networks 2>/dev/null
echo "" echo ""
#-- NI) Neighbours #-- NI) Neighbours
print_2title "Networks and neighbours" if [ "$EXTRA_CHECKS" ]; then
if [ "$MACOS" ]; then print_2title "Networks and neighbours"
if [ "$MACOS" ]; then
netstat -rn 2>/dev/null netstat -rn 2>/dev/null
else else
(route || ip n || cat /proc/net/route) 2>/dev/null (route || ip n || cat /proc/net/route) 2>/dev/null
fi
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
echo ""
fi fi
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
echo ""
if [ "$MACPEAS" ]; then if [ "$MACPEAS" ]; then
print_2title "Firewall status" print_2title "Firewall status"
@ -41,9 +45,11 @@ if [ "$MACPEAS" ]; then
fi fi
#-- NI) Iptables #-- NI) Iptables
print_2title "Iptables rules" if [ "$EXTRA_CHECKS" ]; then
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules" print_2title "Iptables rules"
echo "" (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
echo ""
fi
#-- NI) Ports #-- NI) Ports
print_2title "Active Ports" print_2title "Active Ports"
@ -52,7 +58,7 @@ print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-por
echo "" echo ""
#-- NI) MacOS hardware ports #-- NI) MacOS hardware ports
if [ "$MACPEAS" ]; then if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
print_2title "Hardware Ports" print_2title "Hardware Ports"
networksetup -listallhardwareports networksetup -listallhardwareports
echo "" echo ""
@ -93,7 +99,7 @@ fi
echo "" echo ""
#-- NI) Internet access #-- NI) Internet access
if ! [ "$SUPERFAST" ] && ! [ "$FAST" ] && ! [ "$NOTEXPORT" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then if ! [ "$SUPERFAST" ] && [ "$EXTRA_CHECKS" ] && ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
print_2title "Internet Access?" print_2title "Internet Access?"
check_tcp_80 2>/dev/null & check_tcp_80 2>/dev/null &
check_tcp_443 2>/dev/null & check_tcp_443 2>/dev/null &
@ -111,7 +117,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then
else else
print_2title "Scanning local networks (using /24)" print_2title "Scanning local networks (using /24)"
if ! [ "$PING" ] && ![ "$FPING" ]; then if ! [ "$PING" ] && ! [ "$FPING" ]; then
printf $RED"[-] $DISCOVER_BAN_BAD\n$NC" printf $RED"[-] $DISCOVER_BAN_BAD\n$NC"
fi fi
@ -162,6 +168,7 @@ if [ "$MACOS" ]; then
system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED}," system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
echo "" echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Bluetooth Info" print_2title "Bluetooth Info"
warn_exec system_profiler SPBluetoothDataType warn_exec system_profiler SPBluetoothDataType
echo "" echo ""
@ -173,4 +180,5 @@ if [ "$MACOS" ]; then
print_2title "USB Info" print_2title "USB Info"
warn_exec system_profiler SPUSBDataType warn_exec system_profiler SPUSBDataType
echo "" echo ""
fi
fi fi

16
linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh
View File

@ -122,10 +122,12 @@ if [ "$MACPEAS" ]; then
fi fi
#-- PCS) Services #-- PCS) Services
print_2title "Services" if [ "$EXTRA_CHECKS" ]; then
print_info "Search for outdated versions" print_2title "Services"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" print_info "Search for outdated versions"
echo "" (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
echo ""
fi
#-- PSC) systemd PATH #-- PSC) systemd PATH
print_2title "Systemd PATH" print_2title "Systemd PATH"
@ -138,13 +140,13 @@ echo ""
#TODO: .service files in MACOS are folders #TODO: .service files in MACOS are folders
print_2title "Analyzing .service files" print_2title "Analyzing .service files"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services"
printf "%s\n" "$PSTORAGE_SYSTEMD\n" | while read s; do printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
if [ ! -O "$s" ]; then #Remove services that belongs to the current user if [ ! -O "$s" ]; then #Remove services that belongs to the current user
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi fi
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
printf "%s\n" "$servicebinpaths\n" | while read sp; do printf "%s\n" "$servicebinpaths" | while read sp; do
if [ -w "$sp" ]; then if [ -w "$sp" ]; then
echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g" echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
fi fi
@ -172,7 +174,7 @@ echo ""
#-- PSC) .timer files #-- PSC) .timer files
print_2title "Analyzing .timer files" print_2title "Analyzing .timer files"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
printf "%s\n" "$PSTORAGE_TIMER\n" | while read t; do printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
if ! [ "$IAMROOT" ] && [ -w "$t" ]; then if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
echo "$t" | sed -${E} "s,.*,${SED_RED},g" echo "$t" | sed -${E} "s,.*,${SED_RED},g"
fi fi

72
linPEAS/builder/linpeas_parts/software_information.sh
View File

@ -129,14 +129,7 @@ peass{Rsync}
peass{Hostapd} peass{Hostapd}
#-- SI) Wifi conns peass{Wifi Connections}
print_2title "Searching wifi conns file"
wifi=$(find /etc/NetworkManager/system-connections/ -type f 2>/dev/null)
if [ "$wifi" ]; then
printf "%s\n" "$wifi" | while read f; do echo "$f"; cat "$f" 2>/dev/null | grep "psk.*=" | sed "s,psk.*,${SED_RED},"; done
else echo_not_found
fi
echo ""
peass{Anaconda ks} peass{Anaconda ks}
@ -152,6 +145,7 @@ if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CER
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')
peass{SSH} peass{SSH}
@ -197,6 +191,15 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
ssh-add -l ssh-add -l
echo "" echo ""
fi fi
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
print_3title "Listing gpg keys cached in gpg-agent"
gpg-connect-agent "keyinfo --list" /bye
echo ""
fi
if [ "$writable_agents" ]; then
print_3title "Writable ssh and gpg agents"
printf "%s\n" "$writable_agents"
fi
if [ "$PSTORAGE_SSH_CONFIG" ]; then if [ "$PSTORAGE_SSH_CONFIG" ]; then
print_3title "Some home ssh config file was found" print_3title "Some home ssh config file was found"
printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done
@ -221,22 +224,14 @@ if [ "$sshconfig" ]; then
fi fi
echo "" echo ""
#-- SI) PAM auth peass{PAM Auth}
print_2title "Searching unexpected auth lines in /etc/pam.d/sshd"
pamssh=$(grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth) #-- SI) Passwords inside pam.d
if [ "$pamssh" ]; then print_2title "Passwords inside pam.d"
grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth | sed -${E} "s,.*,${SED_RED}," grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
else echo_no
fi
echo "" echo ""
#-- SI) NFS exports peass{NFS Exports}
print_2title "NFS exports?"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe"
if [ "$(cat /etc/exports 2>/dev/null)" ]; then grep -v "^#" /etc/exports 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,no_root_squash|no_all_squash ,${SED_RED_YELLOW}," | sed -${E} "s,insecure,${SED_RED},"
else echo_not_found "/etc/exports"
fi
echo ""
#-- SI) Kerberos #-- SI) Kerberos
print_2title "Searching kerberos conf files and tickets" print_2title "Searching kerberos conf files and tickets"
@ -335,21 +330,34 @@ echo ""
print_2title "Searching screen sessions" print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null) screensess=$(screen -ls 2>/dev/null)
if [ "$screensess" ]; then screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
printf "$screensess" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m," if [ "$screensess" ] || [ "$screensess2" ]; then
else echo_not_found "screen" screen -v
printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
else
echo_not_found "screen"
fi fi
find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo "" echo ""
#-- SI) Tmux sessions #-- SI) Tmux sessions
tmuxdefsess=$(tmux ls 2>/dev/null) tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
print_2title "Searching tmux sessions"$N print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ]; then if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ]; then
printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," tmux -V
else echo_not_found "tmux" printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
else
echo_not_found "tmux"
fi fi
find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo "" echo ""
peass{CouchDB} peass{CouchDB}
@ -410,7 +418,7 @@ echo ""
print_2title "Analyzing kcpassword files" print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword" print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD\n" | while read f; do printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
echo "$f" | sed -${E} "s,.*,${SED_RED}," echo "$f" | sed -${E} "s,.*,${SED_RED},"
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done done
@ -521,12 +529,6 @@ if grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep -q yubikey; th
fi fi
echo "" echo ""
#-- SI) Passwords inside pam.d
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo ""
peass{SNMP} peass{SNMP}

21
linPEAS/builder/linpeas_parts/system_information.sh
View File

@ -54,15 +54,19 @@ warn_exec uptime 2>/dev/null
echo "" echo ""
#-- SY) System stats #-- SY) System stats
print_2title "System stats" if [ "$EXTRA_CHECKS" ]; then
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk" print_2title "System stats"
warn_exec free 2>/dev/null (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
echo "" warn_exec free 2>/dev/null
echo ""
fi
#-- SY) CPU info #-- SY) CPU info
print_2title "CPU info" if [ "$EXTRA_CHECKS" ]; then
warn_exec lscpu 2>/dev/null print_2title "CPU info"
echo "" warn_exec lscpu 2>/dev/null
echo ""
fi
#-- SY) Environment vars #-- SY) Environment vars
print_2title "Environment" print_2title "Environment"
@ -91,6 +95,9 @@ if [ "$(command -v bash 2>/dev/null)" ]; then
print_info "https://github.com/mzet-/linux-exploit-suggester" print_info "https://github.com/mzet-/linux-exploit-suggester"
les_b64="peass{LES}" les_b64="peass{LES}"
echo $les_b64 | base64 -d | bash echo $les_b64 | base64 -d | bash
if [ "$EXTRA_CHECKS" ]; then
echo $les_b64 | base64 -d | bash -s -- --checksec
fi
echo "" echo ""
fi fi

11
linPEAS/builder/linpeas_parts/users_information.sh
View File

@ -1,7 +1,6 @@
########################################### ###########################################
#----------) Users Information (----------# #----------) Users Information (----------#
########################################### ###########################################
print_title "Users Information"
#-- UI) My user #-- UI) My user
print_2title "My user" print_2title "My user"
@ -190,11 +189,12 @@ fi
echo "" echo ""
#-- UI) Password policy #-- UI) Password policy
print_2title "Password policy" if [ "$EXTRA_CHECKS" ]; then
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" print_2title "Password policy"
echo "" grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
if [ "$MACPEAS" ]; then if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs" print_2title "Relevant last user info and user configs"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
echo "" echo ""
@ -204,6 +204,7 @@ if [ "$MACPEAS" ]; then
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
echo "" echo ""
fi
fi fi
#-- UI) Brute su #-- UI) Brute su

2
linPEAS/builder/src/fileRecord.py
View File

@ -4,6 +4,7 @@ class FileRecord:
def __init__(self, def __init__(self,
regex: str, regex: str,
bad_regex: str=DEFAULTS["bad_regex"], bad_regex: str=DEFAULTS["bad_regex"],
very_bad_regex: str=DEFAULTS["very_bad_regex"],
check_extra_path: str =DEFAULTS["check_extra_path"], check_extra_path: str =DEFAULTS["check_extra_path"],
files: dict={}, files: dict={},
good_regex: str=DEFAULTS["good_regex"], good_regex: str=DEFAULTS["good_regex"],
@ -19,6 +20,7 @@ class FileRecord:
self.regex = regex self.regex = regex
self.bad_regex = bad_regex self.bad_regex = bad_regex
self.very_bad_regex = very_bad_regex
self.check_extra_path = check_extra_path self.check_extra_path = check_extra_path
self.files = [FileRecord(regex=fr["name"],**fr["value"]) for fr in files] self.files = [FileRecord(regex=fr["name"],**fr["value"]) for fr in files]
self.good_regex = good_regex self.good_regex = good_regex

6
linPEAS/builder/src/linpeasBuilder.py
View File

@ -228,7 +228,7 @@ class LinpeasBuilder:
analise_line = "" analise_line = ""
if init: if init:
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then echo_not_found "'+frecord.regex+'"; fi; ' analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
#If just list, just list the file/directory #If just list, just list the file/directory
@ -244,6 +244,7 @@ class LinpeasBuilder:
grep_only_bad_lines = f' | grep -E "{frecord.bad_regex}"' if frecord.bad_regex else "" grep_only_bad_lines = f' | grep -E "{frecord.bad_regex}"' if frecord.bad_regex else ""
grep_remove_regex = f' | grep -Ev "{frecord.remove_regex}"' if frecord.remove_regex else "" grep_remove_regex = f' | grep -Ev "{frecord.remove_regex}"' if frecord.remove_regex else ""
sed_bad_regex = ' | sed -${E} "s,'+frecord.bad_regex+',${SED_RED},g"' if frecord.bad_regex else "" sed_bad_regex = ' | sed -${E} "s,'+frecord.bad_regex+',${SED_RED},g"' if frecord.bad_regex else ""
sed_very_bad_regex = ' | sed -${E} "s,'+frecord.very_bad_regex+',${SED_RED_YELLOW},g"' if frecord.very_bad_regex else ""
sed_good_regex = ' | sed -${E} "s,'+frecord.good_regex+',${SED_GOOD},g"' if frecord.good_regex else "" sed_good_regex = ' | sed -${E} "s,'+frecord.good_regex+',${SED_GOOD},g"' if frecord.good_regex else ""
if init: if init:
@ -266,6 +267,9 @@ class LinpeasBuilder:
if sed_bad_regex: if sed_bad_regex:
analise_line += sed_bad_regex analise_line += sed_bad_regex
if sed_very_bad_regex:
analise_line += sed_very_bad_regex
if sed_good_regex: if sed_good_regex:
analise_line += sed_good_regex analise_line += sed_good_regex