darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more_checks

Browse Source
This commit is contained in:
carlospolop 2021-12-19 08:31:53 -05:00
parent a7f161a40d
commit 87fe48a900
12 changed files with 393 additions and 291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
build_lists/sensitive_files.yaml
View File

@ -113,6 +113,7 @@ variables:
defaults:
auto_check: False #The builder will generate a check for the file (only linpeas)
bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed
very_bad_regex: "" #The regex used to color yellow/red
check_extra_path: "" #Check if the found files are in a specific path (only linpeas)
good_regex: "" #The regex to color green
just_list_file: False #Just mention the path to the file, do not cat it
@ -543,11 +544,11 @@ search:
files:
- name: "mongod*.conf"
value:
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Supervisord
@ -558,11 +559,11 @@ search:
files:
- name: "supervisord.conf"
value:
bad_regex: "port.*=|username.*=|password.*="
only_bad_lines: True
type: f
search_in:
- common
bad_regex: "port.*=|username.*=|password.*="
only_bad_lines: True
type: f
search_in:
- common
- name: Cesi
value:
@ -586,19 +587,19 @@ search:
files:
- name: "rsyncd.conf"
value:
bad_regex: "secrets.*|auth.*users.*="
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
bad_regex: "secrets.*|auth.*users.*="
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "rsyncd.secrets"
value:
bad_regex: ".*"
type: f
search_in:
- common
bad_regex: ".*"
type: f
search_in:
- common
- name: Hostapd
value:
@ -608,12 +609,64 @@ search:
files:
- name: "hostapd.conf"
value:
bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Wifi Connections
value:
config:
auto_check: True
files:
- name: "system-connections"
value:
files:
- name: "*"
value:
bad_regex: "psk.*"
only_bad_lines: True
type: f
type: d
search_in:
- /etc
- name: PAM Auth
value:
config:
auto_check: True
files:
- name: "pam.d"
value:
files:
- name: "sshd"
value:
bad_regex: ".*"
line_grep: '-i "auth"'
remove_regex: "^#|^@"
type: f
type: d
search_in:
- /etc
- name: NFS Exports
value:
config:
auto_check: True
files:
- name: exports
value:
very_bad_regex: "no_root_squash|no_all_squash"
bad_regex: "insecure"
remove_regex: '\W+\#|^#'
type: f
search_in:
- common
- /etc
- name: Anaconda ks
value:
@ -629,7 +682,6 @@ search:
search_in:
- common
- name: Racoon
value:
config:
@ -1921,7 +1973,7 @@ search:
auto_check: False
files:
- name: ".*_history.*"
- name: '*_history*'
value:
bad_regex: "$pwd_inside_history"
line_grep: '-a "$pwd_inside_history"'
@ -2136,6 +2188,19 @@ search:
type: f
search_in:
- common
- name: Pass Store Directories
value:
config:
auto_check: True
files:
- name: ".password-store"
value:
just_list_file: True
type: d
search_in:
- common
- name: FTP
value:

26
linPEAS/builder/linpeas_parts/available_software.sh
View File

@ -4,11 +4,11 @@
#-- 1AS) Useful software
print_2title "Useful software"
command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind 2>/dev/null
command -v "$CONTAINER_CMDS" nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr authbind
echo ""
#-- 2AS) Search for compilers
print_2title "Installed Compiler"
print_2title "Installed Compilers"
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
echo ""
@ -25,16 +25,16 @@ if [ "$(command -v brew 2>/dev/null)" ]; then
fi
if [ "$MACPEAS" ]; then
print_2title "Writable Installed Applications"
system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi
done
print_2title "Writable Installed Applications"
system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi
done
system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi
done
system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
fi
done
fi

128
linPEAS/builder/linpeas_parts/container.sh
View File

@ -1,3 +1,129 @@
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
##############################################
#---------------) Containers (---------------#
##############################################
@ -57,7 +183,7 @@ if [ "$inContainer" ]; then
echo ""
print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
print_list "Container ID ...................$NC $(cat /etc/hostname)"
print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
if echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi

50
linPEAS/builder/linpeas_parts/interesting_files.sh
View File

@ -2,6 +2,20 @@
#----------) Interesting files (----------#
###########################################
check_critial_root_path(){
folder_path="$1"
if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi
}
##-- IF) SUID
print_2title "SUID - Check easy privesc, exploits and write perms"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
@ -255,33 +269,26 @@ echo ""
##-- IF) Files (scripts) in /etc/profile.d/
print_2title "Files (scripts) in /etc/profile.d/"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files"
if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
if ! [ "$IAMROOT" ] && [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/profile.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/profile.d/ '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
check_critial_root_path "/etc/profile"
check_critial_root_path "/etc/profile.d/"
fi
echo ""
##-- IF) Files (scripts) in /etc/init.d/
print_2title "Permissions in init, init.d, systemd, and rc.d"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d"
if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS
if ! [ "$IAMROOT" ] && [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/rc.d" ]; then echo "You have write privileges over /etc/rc.d" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if ! [ "$IAMROOT" ] && [ "$(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
check_critial_root_path "/etc/init/"
check_critial_root_path "/etc/init.d/"
check_critial_root_path "/etc/rc.d/init.d"
check_critial_root_path "/usr/local/etc/rc.d"
check_critial_root_path "/etc/rc.d"
check_critial_root_path "/etc/systemd/"
check_critial_root_path "/lib/systemd/"
fi
echo ""
##-- IF) Hashes in passwd file
@ -534,6 +541,11 @@ if ! [ "$IAMROOT" ]; then
echo ""
fi
##-- IF) Passwords in history files
print_2title "Searching passwords in history files"
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
echo ""
##-- IF) Passwords in config PHP files
print_2title "Searching passwords in config PHP files"
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done

161
linPEAS/builder/linpeas_parts/linpeas_base.sh
View File

@ -52,7 +52,6 @@ ITALIC="${C}[3m"
if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi
FAST="1" #By default stealth/fast mode
SUPERFAST=""
NOTEXPORT=""
DISCOVERY=""
PORTS=""
QUIET=""
@ -60,8 +59,9 @@ CHECKS="peass{CHECKS}"
WAIT=""
PASSWORD=""
NOCOLOR=""
VERBOSE=""
DEBUG=""
AUTO_NETWORK_SCAN=""
EXTRA_CHECKS=""
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@ -70,12 +70,12 @@ HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
${YELLOW}-h${BLUE} To show this message
${YELLOW}-q${BLUE} Do not show banner
${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
${YELLOW}-e${BLUE} Perform extra enumeration
${YELLOW}-s${BLUE} SuperFast (don't check some time consuming checks) - Stealth mode
${YELLOW}-w${BLUE} Wait execution between big blocks
${YELLOW}-n${BLUE} Do not export env variables related with history and do not check Internet connectivity
${YELLOW}-a${BLUE} All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
${YELLOW}-w${BLUE} Wait execution between big blocks of checks
${YELLOW}-N${BLUE} Do not use colours
${YELLOW}-v${BLUE} Verbose execution
${YELLOW}-D${BLUE} Debug mode
${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
${YELLOW}-o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
${YELLOW}-L${BLUE} Force linpeas execution.
@ -86,12 +86,11 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files
$GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC"
while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do
while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do
case "$opt" in
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
a) FAST="";;
a) FAST="";EXTRA_CHECKS="1";;
s) SUPERFAST=1;;
n) NOTEXPORT=1;;
d) DISCOVERY=$OPTARG;;
p) PORTS=$OPTARG;;
i) IP=$OPTARG;;
@ -102,8 +101,9 @@ while getopts "h?asnd:p:i:P:qo:LMwNvt" opt; do
M) MACPEAS="1";;
w) WAIT=1;;
N) NOCOLOR="1";;
v) VERBOSE="1";;
D) DEBUG="1";;
t) AUTO_NETWORK_SCAN="1";;
e) EXTRA_CHECKS="1";;
esac
done
@ -510,7 +510,7 @@ profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$"
commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes"
@ -584,7 +584,7 @@ echo_no (){
}
print_title(){
if [ "$VERBOSE" ]; then
if [ "$DEBUG" ]; then
END_T2_TIME=$(date +%s 2>/dev/null)
if [ "$START_T2_TIME" ]; then
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
@ -605,7 +605,7 @@ print_title(){
}
print_2title(){
if [ "$VERBOSE" ]; then
if [ "$DEBUG" ]; then
END_T2_TIME=$(date +%s 2>/dev/null)
if [ "$START_T2_TIME" ]; then
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
@ -864,139 +864,12 @@ discovery_port_scan (){
#---) Exporting history env variables (---#
###########################################
if ! [ "$NOTEXPORT" ]; then
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH
export HISTFILE=/dev/null
export HISTSIZE=0
export HISTFILESIZE=0
fi
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH
export HISTFILE=/dev/null
export HISTSIZE=0
export HISTFILESIZE=0
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
###########################################
#-----------) Some Basic Info (-----------#

58
linPEAS/builder/linpeas_parts/network_information.sh
View File

@ -15,9 +15,11 @@ warn_exec dnsdomainname 2>/dev/null
echo ""
#-- NI) /etc/inetd.conf
print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
echo ""
fi
#-- NI) Interfaces
print_2title "Interfaces"
@ -26,14 +28,16 @@ cat /etc/networks 2>/dev/null
echo ""
#-- NI) Neighbours
print_2title "Networks and neighbours"
if [ "$MACOS" ]; then
netstat -rn 2>/dev/null
else
(route || ip n || cat /proc/net/route) 2>/dev/null
if [ "$EXTRA_CHECKS" ]; then
print_2title "Networks and neighbours"
if [ "$MACOS" ]; then
netstat -rn 2>/dev/null
else
(route || ip n || cat /proc/net/route) 2>/dev/null
fi
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
echo ""
fi
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
echo ""
if [ "$MACPEAS" ]; then
print_2title "Firewall status"
@ -41,9 +45,11 @@ if [ "$MACPEAS" ]; then
fi
#-- NI) Iptables
print_2title "Iptables rules"
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Iptables rules"
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
echo ""
fi
#-- NI) Ports
print_2title "Active Ports"
@ -52,7 +58,7 @@ print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-por
echo ""
#-- NI) MacOS hardware ports
if [ "$MACPEAS" ]; then
if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
print_2title "Hardware Ports"
networksetup -listallhardwareports
echo ""
@ -93,7 +99,7 @@ fi
echo ""
#-- NI) Internet access
if ! [ "$SUPERFAST" ] && ! [ "$FAST" ] && ! [ "$NOTEXPORT" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
if ! [ "$SUPERFAST" ] && [ "$EXTRA_CHECKS" ] && ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
print_2title "Internet Access?"
check_tcp_80 2>/dev/null &
check_tcp_443 2>/dev/null &
@ -111,7 +117,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then
else
print_2title "Scanning local networks (using /24)"
if ! [ "$PING" ] && ![ "$FPING" ]; then
if ! [ "$PING" ] && ! [ "$FPING" ]; then
printf $RED"[-] $DISCOVER_BAN_BAD\n$NC"
fi
@ -162,15 +168,17 @@ if [ "$MACOS" ]; then
system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
echo ""
print_2title "Bluetooth Info"
warn_exec system_profiler SPBluetoothDataType
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Bluetooth Info"
warn_exec system_profiler SPBluetoothDataType
echo ""
print_2title "Ethernet Info"
warn_exec system_profiler SPEthernetDataType
echo ""
print_2title "Ethernet Info"
warn_exec system_profiler SPEthernetDataType
echo ""
print_2title "USB Info"
warn_exec system_profiler SPUSBDataType
echo ""
print_2title "USB Info"
warn_exec system_profiler SPUSBDataType
echo ""
fi
fi

16
linPEAS/builder/linpeas_parts/procs_crons_timers_srvcs_sockets.sh
View File

@ -122,10 +122,12 @@ if [ "$MACPEAS" ]; then
fi
#-- PCS) Services
print_2title "Services"
print_info "Search for outdated versions"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Services"
print_info "Search for outdated versions"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
echo ""
fi
#-- PSC) systemd PATH
print_2title "Systemd PATH"
@ -138,13 +140,13 @@ echo ""
#TODO: .service files in MACOS are folders
print_2title "Analyzing .service files"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services"
printf "%s\n" "$PSTORAGE_SYSTEMD\n" | while read s; do
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
if [ ! -O "$s" ]; then #Remove services that belongs to the current user
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
printf "%s\n" "$servicebinpaths\n" | while read sp; do
printf "%s\n" "$servicebinpaths" | while read sp; do
if [ -w "$sp" ]; then
echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
fi
@ -172,7 +174,7 @@ echo ""
#-- PSC) .timer files
print_2title "Analyzing .timer files"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
printf "%s\n" "$PSTORAGE_TIMER\n" | while read t; do
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
fi

72
linPEAS/builder/linpeas_parts/software_information.sh
View File

@ -129,14 +129,7 @@ peass{Rsync}
peass{Hostapd}
#-- SI) Wifi conns
print_2title "Searching wifi conns file"
wifi=$(find /etc/NetworkManager/system-connections/ -type f 2>/dev/null)
if [ "$wifi" ]; then
printf "%s\n" "$wifi" | while read f; do echo "$f"; cat "$f" 2>/dev/null | grep "psk.*=" | sed "s,psk.*,${SED_RED},"; done
else echo_not_found
fi
echo ""
peass{Wifi Connections}
peass{Anaconda ks}
@ -152,6 +145,7 @@ if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CER
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')
peass{SSH}
@ -197,6 +191,15 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
ssh-add -l
echo ""
fi
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
print_3title "Listing gpg keys cached in gpg-agent"
gpg-connect-agent "keyinfo --list" /bye
echo ""
fi
if [ "$writable_agents" ]; then
print_3title "Writable ssh and gpg agents"
printf "%s\n" "$writable_agents"
fi
if [ "$PSTORAGE_SSH_CONFIG" ]; then
print_3title "Some home ssh config file was found"
printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done
@ -221,22 +224,14 @@ if [ "$sshconfig" ]; then
fi
echo ""
#-- SI) PAM auth
print_2title "Searching unexpected auth lines in /etc/pam.d/sshd"
pamssh=$(grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth)
if [ "$pamssh" ]; then
grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
peass{PAM Auth}
#-- SI) Passwords inside pam.d
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo ""
#-- SI) NFS exports
print_2title "NFS exports?"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe"
if [ "$(cat /etc/exports 2>/dev/null)" ]; then grep -v "^#" /etc/exports 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,no_root_squash|no_all_squash ,${SED_RED_YELLOW}," | sed -${E} "s,insecure,${SED_RED},"
else echo_not_found "/etc/exports"
fi
echo ""
peass{NFS Exports}
#-- SI) Kerberos
print_2title "Searching kerberos conf files and tickets"
@ -335,21 +330,34 @@ echo ""
print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null)
if [ "$screensess" ]; then
printf "$screensess" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
else echo_not_found "screen"
screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
if [ "$screensess" ] || [ "$screensess2" ]; then
screen -v
printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
else
echo_not_found "screen"
fi
find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
#-- SI) Tmux sessions
tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ]; then
printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
else echo_not_found "tmux"
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ]; then
tmux -V
printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
else
echo_not_found "tmux"
fi
find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done
echo ""
peass{CouchDB}
@ -410,7 +418,7 @@ echo ""
print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD\n" | while read f; do
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
echo "$f" | sed -${E} "s,.*,${SED_RED},"
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done
@ -521,12 +529,6 @@ if grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep -q yubikey; th
fi
echo ""
#-- SI) Passwords inside pam.d
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo ""
peass{SNMP}

21
linPEAS/builder/linpeas_parts/system_information.sh
View File

@ -54,15 +54,19 @@ warn_exec uptime 2>/dev/null
echo ""
#-- SY) System stats
print_2title "System stats"
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
warn_exec free 2>/dev/null
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "System stats"
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
warn_exec free 2>/dev/null
echo ""
fi
#-- SY) CPU info
print_2title "CPU info"
warn_exec lscpu 2>/dev/null
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "CPU info"
warn_exec lscpu 2>/dev/null
echo ""
fi
#-- SY) Environment vars
print_2title "Environment"
@ -91,6 +95,9 @@ if [ "$(command -v bash 2>/dev/null)" ]; then
print_info "https://github.com/mzet-/linux-exploit-suggester"
les_b64="peass{LES}"
echo $les_b64 | base64 -d | bash
if [ "$EXTRA_CHECKS" ]; then
echo $les_b64 | base64 -d | bash -s -- --checksec
fi
echo ""
fi

27
linPEAS/builder/linpeas_parts/users_information.sh
View File

@ -1,7 +1,6 @@
###########################################
#----------) Users Information (----------#
###########################################
print_title "Users Information"
#-- UI) My user
print_2title "My user"
@ -190,20 +189,22 @@ fi
echo ""
#-- UI) Password policy
print_2title "Password policy"
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
if [ "$EXTRA_CHECKS" ]; then
print_2title "Password policy"
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
print_2title "Guest user status"
sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
echo ""
if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
echo ""
print_2title "Guest user status"
sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
echo ""
fi
fi
#-- UI) Brute su

2
linPEAS/builder/src/fileRecord.py
View File

@ -4,6 +4,7 @@ class FileRecord:
def __init__(self,
regex: str,
bad_regex: str=DEFAULTS["bad_regex"],
very_bad_regex: str=DEFAULTS["very_bad_regex"],
check_extra_path: str =DEFAULTS["check_extra_path"],
files: dict={},
good_regex: str=DEFAULTS["good_regex"],
@ -19,6 +20,7 @@ class FileRecord:
self.regex = regex
self.bad_regex = bad_regex
self.very_bad_regex = very_bad_regex
self.check_extra_path = check_extra_path
self.files = [FileRecord(regex=fr["name"],**fr["value"]) for fr in files]
self.good_regex = good_regex

6
linPEAS/builder/src/linpeasBuilder.py
View File

@ -228,7 +228,7 @@ class LinpeasBuilder:
analise_line = ""
if init:
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then echo_not_found "'+frecord.regex+'"; fi; '
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
#If just list, just list the file/directory
@ -244,6 +244,7 @@ class LinpeasBuilder:
grep_only_bad_lines = f' | grep -E "{frecord.bad_regex}"' if frecord.bad_regex else ""
grep_remove_regex = f' | grep -Ev "{frecord.remove_regex}"' if frecord.remove_regex else ""
sed_bad_regex = ' | sed -${E} "s,'+frecord.bad_regex+',${SED_RED},g"' if frecord.bad_regex else ""
sed_very_bad_regex = ' | sed -${E} "s,'+frecord.very_bad_regex+',${SED_RED_YELLOW},g"' if frecord.very_bad_regex else ""
sed_good_regex = ' | sed -${E} "s,'+frecord.good_regex+',${SED_GOOD},g"' if frecord.good_regex else ""
if init:
@ -265,6 +266,9 @@ class LinpeasBuilder:
if sed_bad_regex:
analise_line += sed_bad_regex
if sed_very_bad_regex:
analise_line += sed_very_bad_regex
if sed_good_regex:
analise_line += sed_good_regex