Cursor improvements parts 1 and 2

carlospolop 2025-05-19 06:36:35 +02:00
parent ea9b930fdb
commit 9820c18697
29 changed files with 971 additions and 195 deletions


@ -1,19 +0,0 @@
# Title: System Information - Enviroment
# ID: SY_Enviroment
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information inside environment variables
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Environment"
print_info "Any private information inside environment variables?"
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
echo ""


@ -0,0 +1,39 @@
# Title: System Information - Environment
# ID: SY_Environment
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for sensitive information in environment variables that could lead to privilege escalation:
# - Credentials in environment variables
# - API keys and tokens
# - Sensitive configuration data
# - Common vulnerable scenarios:
# * Hardcoded credentials in environment
# * API keys exposed in environment
# * Database credentials in environment
# * Service account tokens
# - Exploitation methods:
# * Credential harvesting: Extract sensitive data from environment
# * Common attack vectors:
# - Password/credential extraction
# - API key abuse
# - Token theft
# - Configuration data leakage
# * Exploit techniques:
# - Environment variable dumping
# - Credential reuse
# - Token reuse
# - Configuration abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Environment"
print_info "Any private information inside environment variables?"
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
echo ""
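Review bot: The exclusion list in `grep -v "RELEVANT*|FIND*|^VERSION=|..."` relies on `|` as alternation, but without `-E` grep reads the pipes as literal characters in a basic regex, so the pattern can never match a real line and nothing is filtered out (unless grep is wrapped elsewhere in the build, which I cannot see here). The same pipeline already uses `sed -${E}`, so `grep -Ev "..."` is the one-word fix; note that `-${E}` must not be reused for grep, where `-r` would mean recursive. This defect is carried over from the deleted SY_Enviroment file rather than introduced here, but the rewrite is the natural moment to fix it. Separately, `PWD=` was dropped from the exclusion list compared with the old line, so the current directory now appears in the output; if that is deliberate, a word in the description would help.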


@ -1,8 +1,24 @@
# Title: System Information - Dmesg
# ID: SY_Dmesg
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Searching Signature verification failed in dmesg
# Last Update: 07-03-2024
# Description: Check for kernel signature verification failures that could lead to privilege escalation:
# - Failed kernel module signature verifications
# - Common vulnerable scenarios:
# * Disabled kernel module signing
# * Failed signature verifications
# * Unsigned kernel modules
# - Exploitation methods:
# * Kernel module injection: Load malicious kernel modules
# * Common attack vectors:
# - Kernel module loading
# - Kernel module replacement
# - Kernel module modification
# * Exploit techniques:
# - Module signing bypass
# - Kernel module injection
# - Kernel module modification
# - Kernel module replacement
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
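Review bot: `# Last Update: 07-03-2024` predates the commit itself (2025-05-19), and the same literal value is written into every header this commit touches (Environment, MacOS OS checks, both Linux Exploit Suggesters, CVE_2021_3560, Protections, Kernel Modules, Operative system, Sudo version, USBCreator, Path, Date, CPU info, Mounts, Disks, Disks Extra, Container tools, Container details, Container breakout). In SY_CVE_2021_3560 the field actually moves backwards, from `07-10-2024` to `07-03-2024`. If the field is meant to record when the check last changed it should carry this commit's date; if any tooling parses it, the regression is worth correcting before merge.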


@ -1,8 +1,29 @@
# Title: System Information - MacOS OS checks
# ID: SY_Macos_os_checks
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Macos OS checks
# Last Update: 07-03-2024
# Description: Check for MacOS-specific vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Unsigned kernel extensions
# - Non-Apple kernel extensions
# - System Integrity Protection (SIP) status
# - Gatekeeper status
# - Common vulnerable scenarios:
# * Disabled SIP
# * Unsigned kernel extensions
# * Third-party kernel extensions
# * Disabled Gatekeeper
# - Exploitation methods:
# * Kernel extension injection: Load malicious kernel extensions
# * Common attack vectors:
# - SIP bypass
# - Kernel extension loading
# - Gatekeeper bypass
# - System modification
# * Exploit techniques:
# - Kernel extension injection
# - SIP bypass
# - Gatekeeper bypass
# - System modification
# License: GNU GPL
# Version: 1.0
# Functions Used:macosNotSigned, print_2title


@ -1,8 +1,25 @@
# Title: System Information - Linux Exploit Suggester
# ID: SY_Linux_exploit_suggester
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Linux Exploit Suggester tool execution
# Last Update: 07-03-2024
# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
# - Automated kernel vulnerability detection
# - Common vulnerable scenarios:
# * Known kernel vulnerabilities
# * Unpatched kernel versions
# * Missing security patches
# - Exploitation methods:
# * Kernel exploit execution: Use suggested exploits
# * Common attack vectors:
# - Kernel memory corruption
# - Race conditions
# - Use-after-free
# - Integer overflow
# * Exploit techniques:
# - Kernel memory manipulation
# - Privilege escalation
# - Root access acquisition
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info


@ -1,8 +1,27 @@
# Title: System Information - Linux Exploit Suggester 2
# Title: System Information - Linux Exploit Suggester 2
# ID: SY_Linux_exploit_suggester_2
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Linux Exploit Suggester 2 tool execution
# Last Update: 07-03-2024
# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
# - Alternative kernel vulnerability detection
# - Perl-based exploit suggestions
# - Common vulnerable scenarios:
# * Known kernel vulnerabilities
# * Unpatched kernel versions
# * Missing security patches
# * Alternative exploit paths
# - Exploitation methods:
# * Kernel exploit execution: Use suggested exploits
# * Common attack vectors:
# - Kernel memory corruption
# - Race conditions
# - Use-after-free
# - Integer overflow
# * Exploit techniques:
# - Kernel memory manipulation
# - Privilege escalation
# - Root access acquisition
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info


@ -1,8 +1,26 @@
# Title: System Information - CVE_2021_3560
# ID: SY_CVE_2021_3560
# Author: Carlos Polop
# Last Update: 07-10-2024
# Description: CVE-2021-3560 - paper box from HTB
# Last Update: 07-03-2024
# Description: Check for Polkit vulnerability (CVE-2021-3560) that could lead to privilege escalation:
# - Vulnerable Polkit versions:
# * polkit 0.105-26 (Ubuntu)
# * polkit 0.117-2 (RHEL)
# * polkit 0.115-6 (RHEL)
# - Common vulnerable scenarios:
# * Unpatched Polkit versions
# * Default Polkit configurations
# - Exploitation methods:
# * Race condition in Polkit authentication
# * Common attack vectors:
# - Authentication bypass
# - Privilege escalation
# - Root access acquisition
# * Exploit techniques:
# - Race condition exploitation
# - Authentication bypass
# - Privilege escalation
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used:


@ -1,8 +1,30 @@
# Title: System Information - Kernel Extensions
# Title: System Information - Protections
# ID: SY_Protections
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Kernel Extensions
# Last Update: 07-03-2024
# Description: Check for system security protections and their bypass possibilities:
# - AppArmor/SELinux status and profiles
# - ASLR status
# - Seccomp filters
# - Capabilities
# - Common vulnerable scenarios:
# * Disabled security modules
# * Weak security profiles
# * Missing security features
# * Misconfigured protections
# - Exploitation methods:
# * Protection bypass: Circumvent security measures
# * Common attack vectors:
# - AppArmor/SELinux bypass
# - ASLR bypass
# - Seccomp filter bypass
# - Capability abuse
# * Exploit techniques:
# - Profile bypass
# - Memory randomization bypass
# - Filter bypass
# - Capability exploitation
# - Protection circumvention
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_list, warn_exec


@ -0,0 +1,55 @@
# Title: System Information - Kernel Modules
# ID: SY_Kernel_Modules
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for kernel module vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Loaded kernel modules with known vulnerabilities
# - Kernel modules with weak permissions that could be modified
# - Ability to load kernel modules as unprivileged user
# - Missing kernel module signing requirements
# - Exploitation methods:
# * Vulnerable modules: Use known exploits for vulnerable kernel modules
# * Weak permissions: Modify kernel modules to inject malicious code
# * Module loading: Load malicious kernel modules to get root access
# * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_list
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Kernel Modules Information"
# List loaded kernel modules
print_list "Loaded kernel modules? ........ "$NC
if [ -f "/proc/modules" ]; then
lsmod
else
echo_not_found "/proc/modules"
fi
# Check for kernel modules with weak permissions
print_list "Kernel modules with weak perms? "$NC
if [ -d "/lib/modules" ]; then
find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
else
echo_not_found "/lib/modules"
fi
# Check for kernel modules that can be loaded by unprivileged users
print_list "Kernel modules loadable? "$NC
if [ -f "/proc/sys/kernel/modules_disabled" ]; then
if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
else
echo "Modules cannot be loaded" | sed -${E} "s,.*,${SED_GREEN},g"
fi
else
echo_not_found "/proc/sys/kernel/modules_disabled"
fi
echo ""
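Review bot: `# Functions Used: print_2title, print_list` omits `echo_not_found`, which the new file calls in all three fallbacks (`/proc/modules`, `/lib/modules`, `modules_disabled`); every other header in this commit lists it when used, and if the build resolves helper dependencies from this field the function may be missing from the assembled script. The `modules_disabled` branch prints `Modules can be loaded` in red whenever the sysctl is 0, which is the default on nearly every system and still requires CAP_SYS_MODULE, so for an unprivileged user this is noise rather than a finding; wording it as `Module loading not locked down (modules_disabled=0)` without the red highlight, and leaving colour to the capability check, keeps the report honest. `-name "*.ko"` also misses the compressed modules (`*.ko.xz`, `*.ko.zst`) that many current distributions ship, and `grep -Ev "root\s+root"` only detects non-root ownership, not the writable permission bits the description promises — a `-perm` test on `find` (and a name pattern covering `*.ko.*`) would match what the header says the check does.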


@ -1,8 +1,28 @@
# Title: System Information - Operative System
# ID: SY_Operative_system
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the Operative system
# Last Update: 07-03-2024
# Description: Check for operating system information relevant to privilege escalation:
# - OS version and distribution
# - Kernel version
# - Architecture
# - Common vulnerable scenarios:
# * Outdated OS versions
# * Unpatched systems
# * Known vulnerable distributions
# * Architecture-specific vulnerabilities
# - Exploitation methods:
# * Version-specific exploits: Use known exploits for the OS version
# * Common attack vectors:
# - OS version exploits
# - Distribution-specific vulnerabilities
# - Architecture-specific exploits
# - Kernel version exploits
# * Exploit techniques:
# - Version-specific payloads
# - Distribution-specific attacks
# - Architecture-specific techniques
# - Kernel exploitation
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info, warn_exec


@ -1,8 +1,22 @@
# Title: System Information - Sudo Version
# ID: SY_Sudo_version
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the Sudo Version
# Last Update: 07-03-2024
# Description: Check for sudo vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Vulnerable sudo versions with known exploits
# - Common vulnerable versions and CVEs:
# * CVE-2021-3156 (Baron Samedit): Heap overflow in sudo
# * CVE-2021-23239: Potential privilege escalation
# * CVE-2021-23240: Potential privilege escalation
# * CVE-2021-23241: Potential privilege escalation
# - Exploitation methods:
# * Version exploits: Use known exploits for vulnerable sudo versions
# * Common targets: sudo < 1.9.5p2 (Baron Samedit)
# * Exploit techniques:
# - Heap overflow exploitation
# - Race conditions
# - Memory corruption
# - Command injection
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info


@ -1,8 +1,22 @@
# Title: System Information - USBCreator
# ID: SY_USBCreator
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the USBCreator
# Last Update: 07-03-2024
# Description: Check for USBCreator vulnerabilities that could lead to privilege escalation:
# - Vulnerable policykit-desktop-privileges versions
# - Common vulnerable versions:
# * policykit-desktop-privileges < 0.21
# - Exploitation methods:
# * D-Bus command injection through USBCreator
# * Abuse of policykit privileges
# * Common attack vectors:
# - D-Bus method call injection
# - PolicyKit authentication bypass
# - Command execution through USB creation
# * Exploit techniques:
# - D-Bus method spoofing
# - PolicyKit privilege escalation
# - USB device creation abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info


@ -1,8 +1,25 @@
# Title: System Information - Path
# ID: SY_Path
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the Path
# Last Update: 07-03-2024
# Description: Check for PATH environment misconfigurations that could lead to privilege escalation:
# - Writable directories in PATH
# - Current directory (.) in PATH
# - Common vulnerable scenarios:
# * Writable system directories in PATH
# * Current directory in PATH
# * Relative paths in PATH
# - Exploitation methods:
# * PATH hijacking: Place malicious executables in writable PATH directories
# * Common attack vectors:
# - Replace common binaries (ls, cat, etc.)
# - Create malicious executables with common names
# - Abuse sudo PATH inheritance
# * Exploit techniques:
# - Binary replacement
# - Symbolic link attacks
# - PATH manipulation
# - Sudo PATH abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info


@ -1,8 +1,28 @@
# Title: System Information - Date
# ID: SY_Date
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the Date
# Last Update: 07-03-2024
# Description: Check for system date and uptime information relevant to privilege escalation:
# - System uptime
# - Last boot time
# - System time
# - Common vulnerable scenarios:
# * Long uptime (unpatched systems)
# * Time-based vulnerabilities
# * Scheduled tasks timing
# * Cron job timing
# - Exploitation methods:
# * Timing attacks: Abuse time-based vulnerabilities
# * Common attack vectors:
# - Race conditions
# - Time-of-check to time-of-use (TOCTOU)
# - Scheduled task abuse
# - Cron job timing
# * Exploit techniques:
# - Race condition exploitation
# - TOCTOU attacks
# - Scheduled task manipulation
# - Cron job abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec


@ -1,8 +1,28 @@
# Title: System Information - CPU info
# ID: SY_CPU_info
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the CPU
# Last Update: 07-03-2024
# Description: Check for CPU information relevant to privilege escalation:
# - CPU architecture
# - CPU features
# - CPU vulnerabilities
# - Common vulnerable scenarios:
# * CPU-specific vulnerabilities (Spectre, Meltdown, etc.)
# * Missing CPU mitigations
# * Architecture-specific exploits
# * CPU feature abuse
# - Exploitation methods:
# * CPU-based attacks: Abuse CPU vulnerabilities
# * Common attack vectors:
# - Spectre/Meltdown exploitation
# - CPU feature abuse
# - Architecture-specific attacks
# - CPU timing attacks
# * Exploit techniques:
# - Side-channel attacks
# - CPU feature exploitation
# - Architecture-specific techniques
# - CPU timing exploitation
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec


@ -1,8 +1,28 @@
# Title: System Information - Mounts
# ID: SY_Mounts
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the mounts
# Last Update: 07-03-2024
# Description: Check for mount point misconfigurations that could lead to privilege escalation:
# - Unmounted filesystems
# - Mount point permissions
# - Mount options
# - Common vulnerable scenarios:
# * Writable mount points
# * Insecure mount options
# * Unmounted sensitive filesystems
# * Shared mount points
# - Exploitation methods:
# * Mount point abuse: Exploit mount misconfigurations
# * Common attack vectors:
# - Mount point modification
# - Filesystem remounting
# - Mount option abuse
# - Shared mount exploitation
# * Exploit techniques:
# - Mount point manipulation
# - Filesystem remounting
# - Mount option exploitation
# - Shared mount abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info


@ -1,8 +1,28 @@
# Title: System Information - Disks
# ID: SY_Disks
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the disks
# Last Update: 07-03-2024
# Description: Check for disk information and misconfigurations that could lead to privilege escalation:
# - Available disks
# - Disk permissions
# - SMB shares
# - Common vulnerable scenarios:
# * Writable disks
# * Insecure SMB shares
# * Exposed disk devices
# * Shared storage
# - Exploitation methods:
# * Disk access abuse: Exploit disk misconfigurations
# * Common attack vectors:
# - Disk device modification
# - SMB share abuse
# - Storage device access
# - Shared disk exploitation
# * Exploit techniques:
# - Disk device manipulation
# - SMB share exploitation
# - Storage device abuse
# - Shared disk access
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec


@ -1,8 +1,28 @@
# Title: System Information - Disks
# Title: System Information - Disks Extra
# ID: SY_Disks_extra
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get Information about the disks
# Last Update: 07-03-2024
# Description: Check for additional disk information and system resources relevant to privilege escalation:
# - Disk utilization
# - System resources
# - Storage statistics
# - Common vulnerable scenarios:
# * Low disk space (potential for race conditions)
# * Resource exhaustion
# * Storage device misconfigurations
# * System resource abuse
# - Exploitation methods:
# * Resource-based attacks: Abuse system resources
# * Common attack vectors:
# - Disk space exhaustion
# - Resource starvation
# - Storage device abuse
# - System resource manipulation
# * Exploit techniques:
# - Resource exhaustion
# - Storage device exploitation
# - System resource abuse
# - Resource-based attacks
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec


@ -1,22 +1,73 @@
# Title: Container - Container Tools
# ID: CT_Container_tools
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Find container related tools in the PATH of the system
# Last Update: 07-03-2024
# Description: Find container related tools in the PATH of the system that could be used for container escape:
# - Container runtime tools
# - Container management tools
# - Container networking tools
# - Common vulnerable scenarios:
# * Misconfigured container tools
# * Privileged container tools
# * Container escape tools
# - Exploitation methods:
# * Tool abuse: Exploit container tool misconfigurations
# * Common attack vectors:
# - Runtime escape
# - Privilege escalation
# - Container breakout
# * Exploit techniques:
# - Tool misconfiguration abuse
# - Privileged tool exploitation
# - Container escape tool usage
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Functions Used: print_2title, warn_exec
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container related tools present (if any):"
command -v docker || echo -n ''
command -v lxc || echo -n ''
command -v rkt || echo -n ''
command -v kubectl || echo -n ''
command -v podman || echo -n ''
command -v runc || echo -n ''
# Container runtimes
warn_exec command -v docker
warn_exec command -v lxc
warn_exec command -v rkt
warn_exec command -v podman
warn_exec command -v runc
warn_exec command -v ctr
warn_exec command -v containerd
warn_exec command -v crio
warn_exec command -v nerdctl
# Container management
warn_exec command -v kubectl
warn_exec command -v crictl
warn_exec command -v docker-compose
warn_exec command -v docker-machine
warn_exec command -v minikube
warn_exec command -v kind
# Container networking
warn_exec command -v docker-proxy
warn_exec command -v cni
warn_exec command -v flanneld
warn_exec command -v calicoctl
# Container security
warn_exec command -v apparmor_parser
warn_exec command -v seccomp
warn_exec command -v gvisor
warn_exec command -v kata-runtime
# Container debugging
warn_exec command -v nsenter
warn_exec command -v unshare
warn_exec command -v chroot
warn_exec command -v capsh
warn_exec command -v setcap
warn_exec command -v getcap
echo ""
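Review bot: Replacing `command -v docker || echo -n ''` with `warn_exec command -v docker` changes the section's output contract: if `warn_exec` falls back to a not-found message when its command fails, as its use in the other sections suggests, a host with no container tooling now prints roughly thirty not-found lines where the old version printed nothing. Because the heading promises "tools present (if any)", printing only successful lookups keeps the report readable, e.g. `for t in docker lxc rkt podman runc ctr containerd crio nerdctl kubectl crictl nsenter unshare chroot capsh setcap getcap; do command -v "$t" 2>/dev/null; done`. Some added names also look like project names rather than installed executables — gVisor installs `runsc`, CNI plugins live under a plugin directory with no `cni` binary, and I am not aware of a `seccomp` command — so those entries will never match; worth confirming before keeping them.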


@ -29,4 +29,5 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/n
echo ""
fi
done
fi
fi


@ -1,21 +1,63 @@
# Title: Container - Container details
# ID: CT_Container_details
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get container details
# Last Update: 07-03-2024
# Description: Get detailed container information relevant to privilege escalation:
# - Container type and runtime
# - Running containers
# - Container configuration
# - Common vulnerable scenarios:
# * Misconfigured containers
# * Privileged containers
# * Exposed container APIs
# * Container networking
# - Exploitation methods:
# * Container breakout: Exploit container misconfigurations
# * Common attack vectors:
# - Runtime escape
# - Privilege escalation
# - Container breakout
# - Network escape
# * Exploit techniques:
# - Container misconfiguration abuse
# - Privileged container exploitation
# - Container API abuse
# - Network escape techniques
# License: GNU GPL
# Version: 1.0
# Functions Used: containerCheck, echo_no, print_2title, print_list
# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec
# Global Variables: $containerType
# Initial Functions: containerCheck
# Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
# Get container runtime info
if [ "$(command -v docker || echo -n '')" ]; then
print_list "Docker version ...............$NC "
warn_exec docker version
print_list "Docker info .................$NC "
warn_exec docker info
fi
if [ "$(command -v podman || echo -n '')" ]; then
print_list "Podman version ..............$NC "
warn_exec podman version
print_list "Podman info ................$NC "
warn_exec podman info
fi
if [ "$(command -v lxc || echo -n '')" ]; then
print_list "LXC version ................$NC "
warn_exec lxc version
print_list "LXC info ...................$NC "
warn_exec lxc info
fi
print_list "Any running containers? ........ "$NC
# Get counts of running containers for each platform
dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
@ -32,9 +74,36 @@ else
if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
# List any running containers
if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
fi
# List any running containers with more details
if [ "$dockercontainers" -ne "0" ]; then
echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"
docker ps -a 2>/dev/null
#echo "Docker Container Details" | sed -${E} "s,.*,${SED_RED},"
#docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$podmancontainers" -ne "0" ]; then
echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"
podman ps -a 2>/dev/null
#echo "Podman Container Details" | sed -${E} "s,.*,${SED_RED},"
#podman inspect $(podman ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$lxccontainers" -ne "0" ]; then
echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"
lxc list 2>/dev/null
#echo "LXC Container Details" | sed -${E} "s,.*,${SED_RED},"
#lxc config show $(lxc list -c n --format csv) 2>/dev/null | grep -E "security.privileged|security.capabilities|security.syscalls" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$rktcontainers" -ne "0" ]; then
echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"
rkt list 2>/dev/null
#echo "RKT Container Details" | sed -${E} "s,.*,${SED_RED},"
#rkt status $(rkt list --format=json 2>/dev/null | jq -r '.[].id') 2>/dev/null | grep -E "privileged|capabilities|security" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
fi
echo ""
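Review bot: In the second hunk the listing switches to `docker ps -a 2>/dev/null` and `podman ps -a 2>/dev/null`, but `dockercontainers` is still counted from `docker ps --format "{{.Names}}"` at the end of the first hunk, so the `Running Docker Containers` heading is now followed by stopped containers as well and the count and the list disagree; either keep `docker ps` here or count with `-a` and rename the heading. The four commented-out `inspect` / `config show` / `rkt status` blocks are dead code shipped in a fresh rewrite — the privileged/capability fields they would surface are the part a reviewer actually wants, so either enable them (guarding the `$(docker ps -q)` expansion for the empty case) or remove them. In the first hunk, `warn_exec docker info` dumps the daemon's full report; if only the security-relevant fields are wanted, a `--format` template would keep the section short, though I have not checked what the rest of the file expects downstream. The if/else this hunk sits in starts before `@ -32,9 +74,36 @@ else`, outside the shown lines.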


@ -1,26 +1,62 @@
# Title: Container - Container & breakout enumeration
# ID: CT_Container_breakout
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Container breakout enumeration to see if in case we are inside a container we could escape
# Last Update: 07-03-2024
# Description: Container breakout enumeration to identify potential escape vectors:
# - Container runtime vulnerabilities
# - Mount point misconfigurations
# - Capability abuse
# - Namespace escape
# - Common vulnerable scenarios:
# * Privileged containers
# * Misconfigured mounts
# * Excessive capabilities
# * Namespace isolation bypass
# * Runtime vulnerabilities
# * Container escape tools
# * Shared kernel exploits
# * Container escape CVEs
# - Exploitation methods:
# * Mount escape: Abuse mount misconfigurations
# * Capability abuse: Exploit excessive capabilities
# * Namespace escape: Break out of container namespaces
# * Runtime escape: Exploit container runtime vulnerabilities
# * Common attack vectors:
# - Mount point manipulation
# - Capability exploitation
# - Namespace breakout
# - Runtime vulnerability abuse
# - Kernel exploit abuse
# - Container escape tool usage
# * Exploit techniques:
# - Mount point abuse
# - Capability escalation
# - Namespace escape
# - Runtime exploitation
# - Kernel exploitation
# - Container escape tool execution
# License: GNU GPL
# Version: 1.0
# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list
# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
# Initial Functions: containerCheck
# Generated Global Variables: $defautl_docker_caps
# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
# Fat linpeas: 0
# Small linpeas: 0
if [ "$inContainer" ]; then
echo ""
print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
# Basic container info
print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi
# Security mechanisms
print_3title "Security Mechanisms"
print_list "Seccomp enabled? ............... "$NC
([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
@ -30,9 +66,51 @@ if [ "$inContainer" ]; then
print_list "User proc namespace? ........... "$NC
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
# Known vulnerabilities
print_3title "Known Vulnerabilities"
checkContainerExploits
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
# Check for container escape tools
print_list "Container escape tools present .. "$NC
(command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g"
# Runtime vulnerabilities
print_3title "Runtime Vulnerabilities"
# Check for known runtime vulnerabilities
if [ "$(command -v runc || echo -n '')" ]; then
print_list "Runc version ................. "$NC
warn_exec runc --version
# Check for specific runc vulnerabilities
runc_version=$(runc --version 2>/dev/null | grep -i "version" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
if [ "$runc_version" ]; then
print_list "Runc CVE-2019-5736 ........... "$NC
if [ "$(echo $runc_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 0) || ($1 == 1 && $2 == 0 && $3 < 7)) print "Yes"; else print "No"; }')" = "Yes" ]; then
echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
fi
fi
if [ "$(command -v containerd || echo -n '')" ]; then
print_list "Containerd version ........... "$NC
warn_exec containerd --version
# Check for specific containerd vulnerabilities
containerd_version=$(containerd --version 2>/dev/null | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
if [ "$containerd_version" ]; then
print_list "Containerd CVE-2020-15257 ..... "$NC
if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 4) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]; then
echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
fi
fi
# Mount escape vectors
print_3title "Breakout via mounts"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
@ -46,89 +124,170 @@ if [ "$inContainer" ]; then
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
# Additional mount checks
print_list "Docker socket mounted? ......... "$NC
(mount | grep -E "docker.sock|/var/run/docker.sock" || echo "No") | sed -${E} "s,Yes|docker.sock,${SED_RED},"
print_list "Common host filesystem mounted? "$NC
(mount | grep -E "host|/host|/mnt/host" || echo "No") | sed -${E} "s,Yes|host,${SED_RED},"
print_list "Interesting mounts ............. "$NC
mount | grep -E "docker|container|overlay|kubelet" | grep -v "proc" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Check for writable mount points
print_list "Writable mount points ......... "$NC
mount | grep -E "rw," | grep -v "ro," | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Check for shared mount points
print_list "Shared mount points ........... "$NC
mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Capability checks
print_3title "Capability Checks"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html"
print_list "Dangerous capabilities ......... "$NC
if [ "$(command -v capsh || echo -n '')" ]; then
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
else
defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
fi
# Additional capability checks
print_list "Dangerous syscalls allowed ... "$NC
if [ -f "/proc/sys/kernel/yama/ptrace_scope" ]; then
(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "Not found") | sed -${E} "s,0,${SED_RED},"
else
echo "Not found"
fi
# Namespace checks
print_3title "Namespace Checks"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
print_list "Current namespaces ............. "$NC
ls -l /proc/self/ns/
print_list "Host network namespace? ........ "$NC
if [ "$(ip netns list 2>/dev/null)" ]; then
echo "Yes - Host network namespace accessible" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
# Additional namespace checks
print_list "Host IPC namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/ipc 2>/dev/null)" = "$(ls -l /proc/1/ns/ipc 2>/dev/null)" ]; then
echo "Yes - Host IPC namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
print_list "Host PID namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/pid 2>/dev/null)" = "$(ls -l /proc/1/ns/pid 2>/dev/null)" ]; then
echo "Yes - Host PID namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
print_list "Host UTS namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/uts 2>/dev/null)" = "$(ls -l /proc/1/ns/uts 2>/dev/null)" ]; then
echo "Yes - Host UTS namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
# Additional breakout vectors
print_3title "Additional Breakout Vectors"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
# Check for container escape tools in PATH
print_list "Container escape tools in PATH . "$NC
(which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g"
print_3title "Extra Breakout Vectors"
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
if [ "$EXTRA_CHECKS" ]; then
print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
fi
print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
echo ""
print_3title "Namespaces"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
ls -l /proc/self/ns/
# Additional kernel checks
print_list "Kernel version .............. "$NC
uname -a | sed -${E} "s,$(uname -r),${SED_RED},"
print_list "Kernel modules ............. "$NC
lsmod | grep -E "overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio" | sed -${E} "s,overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio,${SED_RED},g"
# Additional container runtime checks
print_list "Container runtime sockets .. "$NC
(find /var/run -name "*.sock" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
print_list "Container runtime configs .. "$NC
(find /etc -name "*.conf" -o -name "*.json" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
# Kubernetes specific checks
if echo "$containerType" | grep -qi "kubernetes"; then
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
echo ""
print_2title "Kubernetes Information"
print_3title "Kubernetes Specific Checks"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
print_3title "Kubernetes service account folder"
print_list "Kubernetes service account folder" | sed -${E} "s,.*,${SED_RED},"
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
echo ""
print_3title "Kubernetes env vars"
print_list "Kubernetes env vars" | sed -${E} "s,.*,${SED_RED},"
(env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
echo ""
print_3title "Current sa user k8s permissions"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html"
print_list "Current sa user k8s permissions" | sed -${E} "s,.*,${SED_RED},"
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
-X 'POST' -H 'Content-Type: application/json' \
--header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
# Additional Kubernetes checks
print_list "Kubernetes API server ...... "$NC
(curl -s -k https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/version 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes secrets ......... "$NC
(kubectl get secrets 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes pods ............ "$NC
(kubectl get pods 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes services ........ "$NC
(kubectl get services 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes nodes ........... "$NC
(kubectl get nodes 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
fi
echo ""
print_2title "Container Capabilities"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape"
if [ "$(command -v capsh || echo -n '')" ]; then
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
else
defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
fi
echo ""
print_2title "Privilege Mode"
if [ -x "$(command -v fdisk || echo -n '')" ]; then
if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
else
echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
fi
else
echo_not_found
fi
echo ""
print_2title "Interesting Files Mounted"
# Interesting files and mounts
print_3title "Interesting Files & Mounts"
print_list "Interesting files mounted ........ "$NC
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
echo ""
print_2title "Possible Entrypoints"
print_list "Possible entrypoints ........... "$NC
ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
echo ""
fi


@ -0,0 +1,75 @@
# Title: System Information - Systemd
# ID: PR_Systemd
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
# - Services running as root that could be exploited
# - Services with dangerous capabilities that could be abused
# - Services with writable paths that could be used to inject malicious code
# - Exploitation methods:
# * Version exploits: Use known exploits for vulnerable systemd versions
# * Root services: Abuse services running as root to execute commands
# * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
# * Writable paths: Replace executables in writable paths to get code execution
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info, print_list
# Global Variables:
# Initial Functions:
# Generated Global Variables: $sys_service, $exec_path
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Systemd Information"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
# Check systemd version
print_list "Systemd version? .............. "$NC
if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
systemctl --version | head -n 1 | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
else
echo_not_found "systemctl"
fi
# Check for systemd services running as root
print_list "Services running as root? ..... "$NC
if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
systemctl list-units --type=service --state=running 2>/dev/null | grep -E "root|0:0" | sed -${E} "s,root|0:0,${SED_RED},g"
else
echo_not_found "systemctl"
fi
# Check for systemd services with capabilities
print_list "Running services with capabilities? ... "$NC
if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
for sys_service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
if [ -f "/etc/systemd/system/$sys_service" ] || [ -f "/lib/systemd/system/$sys_service" ]; then
if grep -q "CapabilityBoundingSet" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null; then
echo "$sys_service" | sed -${E} "s,.*,${SED_RED},g"
fi
fi
done
else
echo_not_found "systemctl"
fi
# Check for systemd services with writable paths
print_list "Running services with writable paths? . "$NC
if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then
for sys_service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do
if [ -f "/etc/systemd/system/$sys_service" ] || [ -f "/lib/systemd/system/$sys_service" ]; then
if grep -q "ExecStart\|ExecStartPre\|ExecStartPost" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null; then
for exec_path in $(grep -E "ExecStart|ExecStartPre|ExecStartPost" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null | awk '{print $2}' | tr -d '"'); do
if [ -w "$exec_path" ]; then
echo "$sys_service: $exec_path" | sed -${E} "s,.*,${SED_RED},g"
fi
done
fi
fi
done
else
echo_not_found "systemctl"
fi
echo ""


@ -30,4 +30,28 @@ print_2title "Writable log files (logrotten) (limit 50)"
done
fi
# Check syslog configuration
print_2title "Syslog configuration (limit 50)"
if [ -f "/etc/rsyslog.conf" ]; then
grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
elif [ -f "/etc/syslog.conf" ]; then
grep -v "^#" /etc/syslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
else
echo_not_found "syslog configuration"
fi
# Check auditd configuration
print_2title "Auditd configuration (limit 50)"
if [ -f "/etc/audit/auditd.conf" ]; then
grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
else
echo_not_found "auditd configuration"
fi
# Check for log files with weak permissions
print_2title "Log files with potentially weak perms (limit 50)"
find /var/log -type f -ls 2>/dev/null | grep -Ev "root\s+root|root\s+systemd-journal|root\s+syslog|root\s+utmp" | sed -${E} "s,.*,${SED_RED},g" | head -n 50
echo ""


@ -36,89 +36,133 @@ class LinpeasModule:
if not (self.is_base or self.is_function or self.is_variable or self.is_check):
raise Exception(f"Module {path} doesn't belong to any section")
# Initi data
self.title = None
self.id = None
self.author = None
self.last_update = None
self.description = None
self.version = None
self.functions_used = None
self.global_variables = None
self.initial_functions = None
self.generated_global_variables = None
self.is_fat = None
self.is_small = None
self.sh_code = ""
is_description = False
for i,line in enumerate(self.module_text.splitlines()):
if i == 0:
if not line.startswith("# Title:"):
raise Exception(f"Wrong title in module {path}. It should start with '# Title: '")
self.title = line[8:].strip()
elif i == 1:
if not line.startswith("# ID:"):
raise Exception(f"Wrong ID in module {path}. It should start with '# ID: '")
self.id = line[5:].strip()
if line.startswith("# Title:"):
self.title = line[8:].strip()
is_description = False
elif line.startswith("# ID:"):
self.id = line[5:].strip()
is_description = False
if re.sub('^[0-9]+_', '', os.path.basename(path).replace(".sh", "")) not in [self.id, self.id[3:]]:
raise Exception(f"Wrong ID in module {path}. It should be the same as the filename")
elif i == 2:
if not line.startswith("# Author:"):
raise Exception(f"Wrong author in module {path}. It should start with '# Author: '")
elif line.startswith("# Author:"):
is_description = False
self.author = line[10:].strip()
elif i == 3:
if not line.startswith("# Last Update:"):
raise Exception(f"Wrong last update in module {path}. It should start with '# Last Update: '")
elif line.startswith("# Last Update:"):
is_description = False
self.last_update = line[15:].strip()
elif i == 4:
if not line.startswith("# Description:"):
raise Exception(f"Wrong description in module {path}. It should start with '# Description: '")
elif line.startswith("# Description:"):
self.description = line[15:].strip()
is_description = True
elif i == 5:
if not line.startswith("# License:"):
raise Exception(f"Wrong license in module {path}. It should start with '# License: '")
elif i == 6:
if not line.startswith("# Version:"):
raise Exception(f"Wrong version in module {path}. It should start with '# Version: '")
elif line.startswith("# Version:"):
is_description = False
self.version = line[11:].strip()
elif i == 7:
if not line.startswith("# Functions Used:"):
raise Exception(f"Wrong functions used in module {path}. It should start with '# Functions Used: '")
elif line.startswith("# Functions Used:"):
is_description = False
self.functions_used = line[17:].split(",")
self.functions_used = [f.strip() for f in self.functions_used if f.strip()]
if "/variables/" in path and self.functions_used:
raise Exception(f"Variables shouldn't user functions, so functions in module {path} should be empty")
elif i == 8:
if not line.startswith("# Global Variables:"):
raise Exception(f"Wrong global variables in module {path}. It should start with '# Global Variables: '")
elif line.startswith("# Global Variables:"):
is_description = False
self.global_variables = line[19:].split(",")
self.global_variables = [f.strip().replace("$", "") for f in self.global_variables if f.strip()]
elif i == 9:
if not line.startswith("# Initial Functions:"):
raise Exception(f"Wrong initial functions in module {path}. It should start with '# Initial Functions: '")
elif line.startswith("# Initial Functions:"):
is_description = False
self.initial_functions = line[20:].split(",")
self.initial_functions = [f.strip() for f in self.initial_functions if f.strip()]
elif i == 10:
if not line.startswith("# Generated Global Variables:"):
raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
elif line.startswith("# Generated Global Variables:"):
is_description = False
self.generated_global_variables = line[29:].split(",")
self.generated_global_variables = [f.strip().replace("$", "") for f in self.generated_global_variables if f.strip()]
elif i == 11:
if not line.startswith("# Fat linpeas:"):
raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
elif line.startswith("# Fat linpeas:"):
is_description = False
self.is_fat = bool(int(line[15]))
elif i == 12:
if not line.startswith("# Small linpeas:"):
raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
elif line.startswith("# Small linpeas:"):
is_description = False
self.is_small = bool(int(line[17]))
elif i == 13:
if line != "":
raise Exception(f"Wrong module {path}. Line 12 should be a new line")
elif is_description:
if line.strip():
self.description += line + "\n"
else: # If line empty, outside of description
is_description = False
else:
self.sh_code += line + "\n"
if line.strip():
self.sh_code += line + "\n"
if self.title is None:
raise Exception(f"Wrong title in module {path}. Some metadata should start with '# Title: '")
if self.id is None:
raise Exception(f"Wrong ID in module {path}. Some metadata should start with '# ID: '")
if self.author is None:
raise Exception(f"Wrong author in module {path}. Some metadata should start with '# Author: '")
if self.last_update is None:
raise Exception(f"Wrong last update in module {path}. Some metadata should start with '# Last Update: '")
if self.description is None:
raise Exception(f"Wrong description in module {path}. Some metadata should start with '# Description: '")
if self.version is None:
raise Exception(f"Wrong version in module {path}. Some metadata should start with '# Version: '")
if self.functions_used is None:
raise Exception(f"Wrong functions used in module {path}. Some metadata should start with '# Functions Used: '")
if self.global_variables is None:
raise Exception(f"Wrong global variables in module {path}. Some metadata should start with '# Global Variables: '")
if self.initial_functions is None:
raise Exception(f"Wrong initial functions in module {path}. Some metadata should start with '# Initial Functions: '")
if self.generated_global_variables is None:
raise Exception(f"Wrong generated global variables in module {path}. Some metadata should start with '# Generated Global Variables: '")
if self.is_fat is None:
raise Exception(f"Wrong fat linpeas in module {path}. Some metadata should start with '# Fat linpeas: '")
if self.is_small is None:
raise Exception(f"Wrong small linpeas in module {path}. Some metadata should start with '# Small linpeas: '")
if self.sh_code == "":
raise Exception(f"Wrong sh code in module {path}. No code found.")
self.sh_code = self.sh_code.strip()
self.defined_funcs = self.extract_function_names()
@ -126,15 +170,15 @@ class LinpeasModule:
# Check if the indicated dependencies are actually being used
for func in self.functions_used:
if func not in self.sh_code and func not in self.initial_functions and not "peass{" in self.sh_code:
raise Exception(f"Used function '{func}' in module {path} doesn't exist in the final code")
raise Exception(f"Used function '{func}' in module {path} doesn't exist in the module code")
for var in self.global_variables:
if var not in self.sh_code and not "peass{" in self.sh_code:
raise Exception(f"Used variable '{var}' in module {path} doesn't exist in the final code")
raise Exception(f"Used variable '{var}' in module {path} doesn't exist in the module code")
for var in self.generated_global_variables:
if var not in self.sh_code:
raise Exception(f"Generated variable '{var}' in module {path} doesn't exist in the final code")
raise Exception(f"Generated variable '{var}' in module {path} doesn't exist in the module code")
# Check for funcs and vars imported from itself
for func in self.defined_funcs:
@ -169,7 +213,7 @@ class LinpeasModule:
if len(var) > 2 and not var in linux_global_vars and var not in self.global_variables and var not in self.generated_global_variables:
if not var.startswith("PSTORAGE_"):
if not main_base or var not in main_base.generated_global_variables:
raise Exception(f"Variable '{var}' in module {path} is not defined")
raise Exception(f"Global Variable '{var}' in module {path} is not defined inside the 'Generated Global Variables' metadata")
def __eq__(self, other):
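Review bot: The rewritten header loop has no branch for `# License:`, and since `is_description` is still True when that line arrives it is appended to `self.description` by the `elif is_description:` fallback (with no separator after the first line, because `line[15:].strip()` carries no newline), so every module's description now ends in `# License: GNU GPL`; add `elif line.startswith("# License:"): is_description = False` beside the `# Version:` branch, plus a `self.license is None` check if the field is meant to stay mandatory. The same fallback swallows any other unrecognised `#` line that follows a multi-line description, so a stray comment between metadata keys silently becomes description text instead of raising. Dropping blank lines from `self.sh_code` in the final `else` changes the emitted script for any module whose shell code contains a heredoc or quoted multi-line string with intentional empty lines — presumably none do today, but a comment such as `# blank lines are dropped; modules must not rely on them inside heredocs` would make the constraint explicit. `bool(int(line[15]))` and `bool(int(line[17]))` raise an unhelpful `IndexError`/`ValueError` when the flag is missing or padded differently; `line.split(":", 1)[1].strip()` tolerates spacing and gives a clearer error, and `i` from `enumerate` is now unused. The enclosing `__init__` starts before this hunk and `__eq__` continues after it.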