darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

10k update

Browse Source
This commit is contained in:
carlospolop 2022-09-01 20:08:01 +02:00
parent a5ca003383
commit 8b444ba674
10 changed files with 415 additions and 259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
build_lists/sensitive_files.yaml
View File

@ -413,7 +413,7 @@ search:
exec: exec:
- 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
- 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"' - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
- if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi
- if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
- "print_3title 'PHP exec extensions'" - "print_3title 'PHP exec extensions'"
@ -442,11 +442,33 @@ search:
value: value:
bad_regex: "On" bad_regex: "On"
remove_regex: "^;" remove_regex: "^;"
line_grep: '"allow_"' line_grep: "allow_"
type: f type: f
search_in: search_in:
- common - common
- name: "nginx.conf"
value:
bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
remove_regex: "#"
type: f
remove_empty_lines: True
search_in:
- common
- name: "nginx"
value:
type: d
files:
- name: "*.conf"
value:
bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
remove_empty_lines: True
remove_regex: '#'
remove_path: "nginx.conf"
search_in:
- common
- name: PHP Sessions - name: PHP Sessions
value: value:
config: config:

2
linPEAS/builder/linpeas_parts/1_system_information.sh
View File

@ -162,7 +162,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then
print_2title "Executing Linux Exploit Suggester 2" print_2title "Executing Linux Exploit Suggester 2"
print_info "https://github.com/jondonas/linux-exploit-suggester-2" print_info "https://github.com/jondonas/linux-exploit-suggester-2"
les2_b64="peass{LES2}" les2_b64="peass{LES2}"
echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g" echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
echo "" echo ""
fi fi

38
linPEAS/builder/linpeas_parts/2_container.sh
View File

@ -285,26 +285,26 @@ if [ "$inContainer" ]; then
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED}," print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/sys/kernel/security present ... $security_present\n" print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/sys/kernel/security writable .. $security_writable\n" print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
if [ "$EXTRA_CHECKS" ]; then if [ "$EXTRA_CHECKS" ]; then
print_list "/proc/kmsg readable ............ $kmsg_readable\n" print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/self/mem readable ........ $sched_debug_readable\n" print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/kcore readable ........... $kcore_readable\n" print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/kmem readable ............ $kmem_readable\n" print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/kmem writable ............ $kmem_writable\n" print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/mem readable ............. $mem_readable\n" print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/proc/mem writable ............. $mem_writable\n" print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
fi fi
echo "" echo ""

50
linPEAS/builder/linpeas_parts/3_cloud.sh
View File

@ -187,11 +187,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then
if [ "$aws_ecs_metadata_uri" ]; then if [ "$aws_ecs_metadata_uri" ]; then
print_3title "Container Info" print_3title "Container Info"
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri" exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
echo "" echo ""
print_3title "Task Info" print_3title "Task Info"
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task" exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
echo "" echo ""
else else
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info" echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
@ -199,7 +199,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
if [ "$aws_ecs_service_account_uri" ]; then if [ "$aws_ecs_service_account_uri" ]; then
print_3title "IAM Role" print_3title "IAM Role"
exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri" exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
echo "" echo ""
else else
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)" echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
@ -214,52 +214,52 @@ if [ "$is_aws_ec2" = "Yes" ]; then
aws_req="" aws_req=""
if [ "$(command -v curl)" ]; then if [ "$(command -v curl)" ]; then
aws_req='curl -s -f -H "$HEADER"' aws_req="curl -s -f -H '$HEADER'"
elif [ "$(command -v wget)" ]; then elif [ "$(command -v wget)" ]; then
aws_req='wget -q -O - -H "$HEADER"' aws_req="wget -q -O - -H '$HEADER'"
else else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi fi
if [ "$aws_req" ]; then if [ "$aws_req" ]; then
printf "ami-id: "; $aws_req "$URL/ami-id"; echo "" printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; $aws_req "$URL/instance-action"; echo "" printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; $aws_req "$URL/instance-id"; echo "" printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo "" printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; $aws_req "$URL/instance-type"; echo "" printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; $aws_req "$URL/placement/region"; echo "" printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
echo "" echo ""
print_3title "Account Info" print_3title "Account Info"
exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo "" exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
echo "" echo ""
print_3title "Network Info" print_3title "Network Info"
for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac" echo "Mac: $mac"
printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo "" printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo "" printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo "" printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo "" echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo "" printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo "" echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo "" printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo "" echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo "" echo ""
done done
echo "" echo ""
print_3title "IAM Role" print_3title "IAM Role"
exec_with_jq $aws_req "$URL/iam/info"; echo "" exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role" echo "Role: $role"
exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo "" exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo "" echo ""
done done
echo "" echo ""
print_3title "User Data" print_3title "User Data"
$aws_req "http://169.254.169.254/latest/user-data" eval $aws_req "http://169.254.169.254/latest/user-data"
fi fi
fi fi

353
linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh
View File

@ -3,146 +3,167 @@
#-----) Processes & Cron & Services & Timers (-----# #-----) Processes & Cron & Services & Timers (-----#
#################################################### ####################################################
#-- PCS) Cleaned proccesses if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Cleaned processes" #-- PCS) Cleaned proccesses
if [ "$NOUSEPS" ]; then print_2title "Cleaned processes"
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC if [ "$NOUSEPS" ]; then
fi printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" fi
print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
if [ "$NOUSEPS" ]; then if [ "$NOUSEPS" ]; then
print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
pslist=$(print_ps) pslist=$(print_ps)
else else
(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then
cpid=$(echo "$psline" | awk '{print $2}') cpid=$(echo "$psline" | awk '{print $2}')
caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')" caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g" printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
fi
fi fi
fi done
done pslist=$(ps auxwww)
pslist=$(ps auxwww) echo ""
echo ""
#-- PCS) Binary processes permissions #-- PCS) Binary processes permissions
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
binW="IniTialiZZinnggg" binW="IniTialiZZinnggg"
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
if [ -w "$bpath" ]; then if [ -w "$bpath" ]; then
binW="$binW|$bpath" binW="$binW|$bpath"
fi fi
done done
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN}," ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
fi
echo ""
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Files opened by processes belonging to other users
if ! [ "$IAMROOT" ]; then
print_2title "Files opened by processes belonging to other users"
print_info "This is usually empty because of the lack of privileges to read other user processes information"
lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Processes with credentials inside memory
print_2title "Processes with credentials in memory (root req)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
echo ""
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Different processes 1 min
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
temp_file=$(mktemp)
if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Cron
print_2title "Cron jobs"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
command -v crontab 2>/dev/null || echo_not_found "crontab"
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
incrontab -l 2>/dev/null
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
atq 2>/dev/null
else
print_2title "Cron jobs"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
fi fi
echo "" echo ""
#-- PCS) Files opened by processes belonging to other users
if ! [ "$IAMROOT" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Files opened by processes belonging to other users" if [ "$MACPEAS" ]; then
print_info "This is usually empty because of the lack of privileges to read other user processes information" print_2title "Third party LaunchAgents & LaunchDemons"
lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
echo "" ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
echo ""
print_2title "Writable System LaunchAgents & LaunchDemons"
find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
program=""
program=$(defaults read "$f" Program 2>/dev/null)
if ! [ "$program" ]; then
program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
fi
if [ -w "$program" ]; then
echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
fi
done
echo ""
print_2title "StartupItems"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
echo ""
print_2title "Login Items"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
echo ""
print_2title "SPStartupItemDataType"
system_profiler SPStartupItemDataType
echo ""
print_2title "Emond scripts"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
ls -l /private/var/db/emondClients
echo ""
fi
fi fi
#-- PCS) Processes with credentials inside memory if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Processes with credentials in memory (root req)" #-- PCS) Services
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory" if [ "$EXTRA_CHECKS" ]; then
if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi print_2title "Services"
if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi print_info "Search for outdated versions"
if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi echo ""
if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi fi
if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
echo ""
#-- PCS) Different processes 1 min
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
temp_file=$(mktemp)
if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
echo ""
fi fi
#-- PCS) Cron if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Cron jobs" #-- PSC) systemd PATH
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" print_2title "Systemd PATH"
command -v crontab 2>/dev/null || echo_not_found "crontab" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
command -v incrontab 2>/dev/null || echo_not_found "incrontab" WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
incrontab -l 2>/dev/null
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
atq 2>/dev/null
echo ""
if [ "$MACPEAS" ]; then
print_2title "Third party LaunchAgents & LaunchDemons"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
echo ""
print_2title "Writable System LaunchAgents & LaunchDemons"
find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
program=""
program=$(defaults read "$f" Program 2>/dev/null)
if ! [ "$program" ]; then
program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
fi
if [ -w "$program" ]; then
echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
fi
done
echo ""
print_2title "StartupItems"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
echo ""
print_2title "Login Items"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
echo ""
print_2title "SPStartupItemDataType"
system_profiler SPStartupItemDataType
echo ""
print_2title "Emond scripts"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
ls -l /private/var/db/emondClients
echo "" echo ""
fi fi
#-- PCS) Services
if [ "$EXTRA_CHECKS" ]; then
print_2title "Services"
print_info "Search for outdated versions"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
echo ""
fi
#-- PSC) systemd PATH
print_2title "Systemd PATH"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
echo ""
#-- PSC) .service files #-- PSC) .service files
#TODO: .service files in MACOS are folders #TODO: .service files in MACOS are folders
print_2title "Analyzing .service files" print_2title "Analyzing .service files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
if [ ! -O "$s" ]; then #Remove services that belongs to the current user if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g" echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi fi
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
@ -165,17 +186,19 @@ done
if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
echo "" echo ""
#-- PSC) Timers if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "System timers" #-- PSC) Timers
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" print_2title "System timers"
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
echo "" (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
echo ""
fi
#-- PSC) .timer files #-- PSC) .timer files
print_2title "Analyzing .timer files" print_2title "Analyzing .timer files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
if ! [ "$IAMROOT" ] && [ -w "$t" ]; then if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "$t" | sed -${E} "s,.*,${SED_RED},g" echo "$t" | sed -${E} "s,.*,${SED_RED},g"
fi fi
timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2) timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
@ -197,7 +220,7 @@ if ! [ "$IAMROOT" ]; then
print_2title "Analyzing .socket files" print_2title "Analyzing .socket files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
fi fi
socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
@ -215,19 +238,25 @@ if ! [ "$IAMROOT" ]; then
done done
echo "" echo ""
print_2title "Unix Sockets Listening" if ! [ "$SEARCH_IN_FOLDER" ]; then
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" print_2title "Unix Sockets Listening"
# Search sockets using netstat and ss print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) # Search sockets using netstat and ss
if ! [ "$unix_scks_list" ];then unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+") if ! [ "$unix_scks_list" ];then
fi unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
if ! [ "$unix_scks_list" ];then fi
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2) if ! [ "$unix_scks_list" ];then
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
fi
fi fi
# But also search socket files if ! [ "$SEARCH_IN_FOLDER" ]; then
unix_scks_list2=$(find / -type s 2>/dev/null) # But also search socket files
unix_scks_list2=$(find / -type s 2>/dev/null)
else
unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
fi
# Detele repeated dockets and check permissions # Detele repeated dockets and check permissions
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
@ -238,10 +267,20 @@ if ! [ "$IAMROOT" ]; then
if [ -w "$l" ];then if [ -w "$l" ];then
perms="${perms}Write" perms="${perms}Write"
fi fi
if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
perms="${perms} - Can Connect"
else
perms="${perms} - Cannot Connect"
fi
fi
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g"; if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
else else
echo "$l" | sed -${E} "s,$l,${SED_RED},g" echo "$l" | sed -${E} "s,$l,${SED_RED},g"
echo " └─(${RED}${perms}${NC})" echo " └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
# Try to contact the socket # Try to contact the socket
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -260,7 +299,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-b
if [ "$PSTORAGE_DBUS" ]; then if [ "$PSTORAGE_DBUS" ]; then
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
for f in $d/*; do for f in $d/*; do
if ! [ "$IAMROOT" ] && [ -w "$f" ]; then if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g" echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
fi fi
@ -282,19 +321,21 @@ if [ "$PSTORAGE_DBUS" ]; then
fi fi
echo "" echo ""
print_2title "D-Bus Service Objects list" if ! [ "$SEARCH_IN_FOLDER" ]; then
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" print_2title "D-Bus Service Objects list"
dbuslist=$(busctl list 2>/dev/null) print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
if [ "$dbuslist" ]; then dbuslist=$(busctl list 2>/dev/null)
busctl list | while read line; do if [ "$dbuslist" ]; then
echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"; busctl list | while read line; do
if ! echo "$line" | grep -qE "$dbuslistG"; then echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
srvc_object=$(echo $line | cut -d " " -f1) if ! echo "$line" | grep -qE "$dbuslistG"; then
srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ') srvc_object=$(echo $line | cut -d " " -f1)
if [ "$srvc_object_info" ]; then srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED}," if [ "$srvc_object_info" ]; then
echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
fi
fi fi
fi done
done else echo_not_found "busctl"
else echo_not_found "busctl" fi
fi fi

4
linPEAS/builder/linpeas_parts/5_network_information.sh
View File

@ -155,6 +155,10 @@ if [ "$AUTO_NETWORK_SCAN" ]; then
echo "" echo ""
fi fi
done done
print_3title "Scanning top ports of host.docker.internal"
(tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
echo ""
fi fi
fi fi

74
linPEAS/builder/linpeas_parts/7_software_information.sh
View File

@ -5,14 +5,14 @@
NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so" NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
#-- SI) Useful software #-- SI) Useful software
if ! [ "SEARCH_IN_FOLDER" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Useful software" print_2title "Useful software"
for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
echo "" echo ""
fi fi
#-- SI) Search for compilers #-- SI) Search for compilers
if ! [ "SEARCH_IN_FOLDER" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Installed Compilers" print_2title "Installed Compilers"
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
echo "" echo ""
@ -221,20 +221,30 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
else
sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
writable_agents=$(find ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
fi fi
peass{SSH} peass{SSH}
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED}," grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
if [ "$TIMEOUT" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then
privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) if [ "$TIMEOUT" ]; then
privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null) privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null) privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null) privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
fi
else else
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null) privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
fi fi
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
@ -267,7 +277,7 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
ssh-add -l ssh-add -l
echo "" echo ""
fi fi
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then
print_3title "Listing gpg keys cached in gpg-agent" print_3title "Listing gpg keys cached in gpg-agent"
gpg-connect-agent "keyinfo --list" /bye gpg-connect-agent "keyinfo --list" /bye
echo "" echo ""
@ -284,29 +294,29 @@ fi
if [ "$hostsdenied" ]; then if [ "$hostsdenied" ]; then
print_3title "/etc/hosts.denied file found, read the rules:" print_3title "/etc/hosts.denied file found, read the rules:"
printf "$hostsdenied\n" printf "$hostsdenied\n"
cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN}," cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
echo "" echo ""
fi fi
if [ "$hostsallow" ]; then if [ "$hostsallow" ]; then
print_3title "/etc/hosts.allow file found, trying to read the rules:" print_3title "/etc/hosts.allow file found, trying to read the rules:"
printf "$hostsallow\n" printf "$hostsallow\n"
cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED}," cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
echo "" echo ""
fi fi
if [ "$sshconfig" ]; then if [ "$sshconfig" ]; then
echo "" echo ""
echo "Searching inside /etc/ssh/ssh_config for interesting info" echo "Searching inside /etc/ssh/ssh_config for interesting info"
grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED}," grep -v "^#" ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
fi fi
echo "" echo ""
peass{PAM Auth} peass{PAM Auth}
#-- SI) Passwords inside pam.d #-- SI) Passwords inside pam.d
pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#") pamdpass=$(grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#")
if [ "$pamdpass" ] || [ "$DEBUG" ]; then if [ "$pamdpass" ] || [ "$DEBUG" ]; then
print_2title "Passwords inside pam.d" print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo "" echo ""
fi fi
@ -558,26 +568,30 @@ peass{Cache Vi}
peass{Wget} peass{Wget}
##-- SI) containerd installed ##-- SI) containerd installed
containerd=$(command -v ctr) if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$containerd" ] || [ "$DEBUG" ]; then containerd=$(command -v ctr)
print_2title "Checking if containerd(ctr) is available" if [ "$containerd" ] || [ "$DEBUG" ]; then
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" print_2title "Checking if containerd(ctr) is available"
if [ "$containerd" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," if [ "$containerd" ]; then
ctr image list 2>&1 echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
ctr image list 2>&1
fi
echo ""
fi fi
echo ""
fi fi
##-- SI) runc installed ##-- SI) runc installed
runc=$(command -v runc) if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$runc" ] || [ "$DEBUG" ]; then runc=$(command -v runc)
print_2title "Checking if runc is available" if [ "$runc" ] || [ "$DEBUG" ]; then
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation" print_2title "Checking if runc is available"
if [ "$runc" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," if [ "$runc" ]; then
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi
echo ""
fi fi
echo ""
fi fi
#-- SI) Docker #-- SI) Docker

25
linPEAS/builder/linpeas_parts/8_interesting_files.sh
View File

@ -279,14 +279,25 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi fi
fi fi
##-- IF) Executable files added by user ##-- IF) Date times inside firmware
print_2title "Executable files added by user (limit 70)" if [ "$SEARCH_IN_FOLDER" ]; then
if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "FIles datetimes inside the firmware (limit 50)"
find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50
else echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"<date>\""
find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 echo ""
fi fi
##-- IF) Executable files added by user
print_2title "Executable files potentially added by user (limit 70)"
if ! [ "$SEARCH_IN_FOLDER" ]; then
find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
else
find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
fi
echo ""
if [ "$MACPEAS" ]; then if [ "$MACPEAS" ]; then
print_2title "Unsigned Applications" print_2title "Unsigned Applications"
macosNotSigned /System/Applications macosNotSigned /System/Applications
@ -454,7 +465,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
##-- IF) Mail applications ##-- IF) Mail applications
print_2title "Searching installed mail applications" print_2title "Searching installed mail applications"
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq
echo "" echo ""
##-- IF) Mails ##-- IF) Mails

88
linPEAS/builder/linpeas_parts/linpeas_base.sh
View File

@ -65,6 +65,7 @@ DEBUG=""
AUTO_NETWORK_SCAN="" AUTO_NETWORK_SCAN=""
EXTRA_CHECKS="" EXTRA_CHECKS=""
REGEXES="" REGEXES=""
PORT_FORWARD=""
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@ -78,15 +79,18 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours) ${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours)
${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' ${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
${YELLOW} -D${BLUE} Debug mode ${YELLOW} -D${BLUE} Debug mode
${GREEN} Network recon: ${GREEN} Network recon:
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 ${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 ${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
${GREEN} Port forwarding:
${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP
${GREEN} Firmware recon: ${GREEN} Firmware recon:
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder ${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
@ -98,7 +102,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW} -q${BLUE} Do not show banner ${YELLOW} -q${BLUE} Do not show banner
${YELLOW} -N${BLUE} Do not use colours$NC" ${YELLOW} -N${BLUE} Do not use colours$NC"
while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
case "$opt" in case "$opt" in
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
a) FAST="";EXTRA_CHECKS="1";; a) FAST="";EXTRA_CHECKS="1";;
@ -117,7 +121,15 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
t) AUTO_NETWORK_SCAN="1";; t) AUTO_NETWORK_SCAN="1";;
e) EXTRA_CHECKS="1";; e) EXTRA_CHECKS="1";;
r) REGEXES="1";; r) REGEXES="1";;
f) SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";; f) SEARCH_IN_FOLDER=$OPTARG;
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
fi;
ROOT_FOLDER=$SEARCH_IN_FOLDER;
REGEXES="1";
CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";;
F) PORT_FORWARD=$OPTARG;;
esac esac
done done
@ -510,11 +522,11 @@ TIMEOUT="$(command -v timeout 2>/dev/null)"
STRACE="$(command -v strace 2>/dev/null)" STRACE="$(command -v strace 2>/dev/null)"
STRINGS="$(command -v strings 2>/dev/null)" STRINGS="$(command -v strings 2>/dev/null)"
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh" shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
notBackup="/tdbbackup$|/db_hotbackup$" notBackup="/tdbbackup$|/db_hotbackup$"
cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|" cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|"
cronjobsB="centreon" cronjobsB="centreon"
processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port' processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
@ -577,7 +589,7 @@ elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then
FOUND_BASH="/bin/bash"; FOUND_BASH="/bin/bash";
fi fi
if [ "$FOUND_BASH" ]; then if [ "$FOUND_BASH" ]; then
SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n" SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery, port scanning and port forwarding$LG ($SCRIPTNAME can discover hosts, scan ports, and forward ports. Learn more with -h)\n"
fi fi
FOUND_NC=$(command -v nc 2>/dev/null) FOUND_NC=$(command -v nc 2>/dev/null)
@ -826,8 +838,8 @@ tcp_recon (){
for port in $PORTS; do for port in $PORTS; do
for j in $(seq 1 254) for j in $(seq 1 254)
do do
if [ "$FOUND_BASH" ] && [ "$$TIMEOUT" ]; then if [ "$FOUND_BASH" ] && [ "$TIMEOUT" ]; then
$TIMEOUT 5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" & $TIMEOUT 2.5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
elif [ "$NC_SCAN" ]; then elif [ "$NC_SCAN" ]; then
($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
fi fi
@ -946,6 +958,24 @@ discovery_port_scan (){
} }
port_forward (){
LOCAL_IP=$1
LOCAL_PORT=$2
REMOTE_IP=$3
REMOTE_PORT=$4
echo "In your local machine execute:"
echo "cd /tmp; rm backpipe; mknod backpipe p;"
echo "nc -lvnp $LOCAL_PORT 0<backpipe | nc -lvnp 9009 1>backpipe"
echo ""
echo "Press any key when you have executed the commands"
read -n 1
bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &"
echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT"
}
########################################### ###########################################
#---) Exporting history env variables (---# #---) Exporting history env variables (---#
########################################### ###########################################
@ -1031,11 +1061,45 @@ elif [ "$IP" ]; then
exit 0 exit 0
fi fi
if [ "$PORT_FORWARD" ]; then
if ! [ "$FOUND_BASH" ]; then
printf $RED"[-] Err: Port forwarding not possible, no bash in PATH\n"$NC;
exit 0
fi
LOCAL_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 1)"
LOCAL_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 2)"
REMOTE_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 3)"
REMOTE_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 4)"
if ! [ "$LOCAL_IP" ] || ! [ "$LOCAL_PORT" ] || ! [ "$REMOTE_IP" ] || ! [ "$REMOTE_PORT" ]; then
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
exit 0
fi
#Check if LOCAL_PORT is a number
if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
fi
#Check if REMOTE_PORT is a number
if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
fi
port_forward "$LOCAL_IP" "$LOCAL_PORT" "$REMOTE_IP" "$REMOTE_PORT"
exit 0
fi
#Get HOMESEARCH #Get HOMESEARCH
HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")" if [ "$SEARCH_IN_FOLDER" ]; then
if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
HOMESEARCH="$HOME $HOMESEARCH" else
HOMESEARCH="/home/ /Users/ /root/ /var/www $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users|^/var/www" | tr "\n" " ")"
if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users|^/var/www"; then #If not listed and not in /home, /Users/, /root, or /var/www add current home folder
HOMESEARCH="$HOME $HOMESEARCH"
fi
fi fi
GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|" GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"

10
linPEAS/builder/src/linpeasBuilder.py
View File

@ -173,11 +173,11 @@ class LinpeasBuilder:
if type == "d": if type == "d":
find_line += "-type d " find_line += "-type d "
bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}" bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
self.bash_find_d_vars.add(bash_find_var) self.bash_find_d_vars.add(bash_find_var)
all_folder_regexes += regexes all_folder_regexes += regexes
else: else:
bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}" bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
self.bash_find_f_vars.add(bash_find_var) self.bash_find_f_vars.add(bash_find_var)
all_file_regexes += regexes all_file_regexes += regexes
@ -275,7 +275,7 @@ class LinpeasBuilder:
analise_line = "" analise_line = ""
if init: if init:
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; ' analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" 2>/dev/null | sed -${E} "s,'+real_regex+',${SED_RED},"; '
#If just list, just list the file/directory #If just list, just list the file/directory
if frecord.just_list_file: if frecord.just_list_file:
@ -393,13 +393,13 @@ class LinpeasBuilder:
# If custom folder to search in # If custom folder to search in
regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n' regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
regexes_search_section += " timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" regexes_search_section += " timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
# If search in all the file system # If search in all the file system
regexes_search_section += 'else\n' regexes_search_section += 'else\n'
for path in paths_to_search: for path in paths_to_search:
grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE" grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
regexes_search_section += " timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" regexes_search_section += " timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
regexes_search_section += 'fi\n' regexes_search_section += 'fi\n'
regexes_search_section += "wait\n" regexes_search_section += "wait\n"