From 9820c186975a3125bd026017ecd4f84757c0d2e6 Mon Sep 17 00:00:00 2001 
From: carlospolop Date: Mon, 19 May 2025 06:36:35 +0200 Subject: [PATCH] Cursor improvements parts 1 and 2 --- .../1_system_information/10_Enviroment.sh | 19 -- .../1_system_information/10_Environment.sh | 39 +++ .../1_system_information/11_Dmesg.sh | 20 +- .../12_Macos_os_checks.sh | 25 +- .../13_Linux_exploit_suggester.sh | 21 +- .../14_Linux_exploit_suggester_2.sh | 25 +- .../1_system_information/15_CVE_2021_3560.sh | 22 +- .../1_system_information/16_Protections.sh | 28 +- .../1_system_information/17_Kernel_Modules.sh | 55 ++++ .../1_Operative_system.sh | 24 +- .../1_system_information/2_Sudo_version.sh | 18 +- .../1_system_information/3_USBCreator.sh | 18 +- .../1_system_information/4_Path.sh | 21 +- .../1_system_information/5_Date.sh | 24 +- .../1_system_information/6_CPU_info.sh | 24 +- .../1_system_information/7_Mounts.sh | 24 +- .../1_system_information/8_Disks.sh | 24 +- .../1_system_information/9_Disks_extra.sh | 26 +- .../2_container/1_Container_tools.sh | 71 ++++- .../2_container/2_List_mounted_tokens.sh | 3 +- .../2_container/3_Container_details.sh | 89 +++++- .../2_container/5_Container_breakout.sh | 293 ++++++++++++++---- .../14_Systemd.sh | 75 +++++ ...{14_Socket_files.sh => 15_Socket_files.sh} | 0 ...tening.sh => 16_Unix_sockets_listening.sh} | 0 ...ist.sh => 17_DBus_service_objects_list.sh} | 0 ...onfig_files.sh => 18_DBus_config_files.sh} | 0 .../8_Writable_log_files.sh | 24 ++ linPEAS/builder/src/linpeasModule.py | 154 +++++---- 29 files changed, 971 insertions(+), 195 deletions(-) delete mode 100644 linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh create mode 100644 linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh create mode 100644 linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh create mode 100644 linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Systemd.sh rename linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/{14_Socket_files.sh => 
15_Socket_files.sh} (100%) rename linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/{15_Unix_sockets_listening.sh => 16_Unix_sockets_listening.sh} (100%) rename linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/{16_DBus_service_objects_list.sh => 17_DBus_service_objects_list.sh} (100%) rename linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/{17_DBus_config_files.sh => 18_DBus_config_files.sh} (100%) diff --git a/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh b/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh deleted file mode 100644 index 2a952bd..0000000 --- a/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -# Title: System Information - Enviroment -# ID: SY_Enviroment -# Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information inside environment variables -# License: GNU GPL -# Version: 1.0 -# Functions Used: echo_not_found, print_2title, print_info -# Global Variables: -# Initial Functions: -# Generated Global Variables: -# Fat linpeas: 0 -# Small linpeas: 1 - - -print_2title "Environment" -print_info "Any private information inside environment variables?" -(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set" -echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh b/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh new file mode 100644 index 0000000..25d36d4 --- /dev/null +++ b/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh 
@@ -0,0 +1,39 @@
+# Title: System Information - Environment
+# ID: SY_Environment
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for sensitive information in environment variables that could lead to privilege escalation:
+# - Credentials in environment variables
+# - API keys and tokens
+# - Sensitive configuration data
+# - Common vulnerable scenarios:
+# * Hardcoded credentials in environment
+# * API keys exposed in environment
+# * Database credentials in environment
+# * Service account tokens
+# - Exploitation methods:
+# * Credential harvesting: Extract sensitive data from environment
+# * Common attack vectors:
+# - Password/credential extraction
+# - API key abuse
+# - Token theft
+# - Configuration data leakage
+# * Exploit techniques:
+# - Environment variable dumping
+# - Credential reuse
+# - Token reuse
+# - Configuration abuse
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+echo ""
\ No newline at end of file
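Review bot: The `grep -v "RELEVANT*|FIND*|^VERSION=|…"` filter on the `(env || printenv || set)` line is written as an alternation but grep is not given `-E`, and in GNU/POSIX basic regex a bare `|` is a literal character, so the pattern matches nothing and none of the linpeas-internal variables it lists are actually hidden; the deleted 10_Enviroment.sh had the same line, but since this file is new it is the place to fix it with `grep -Ev "…"`. Note also that `|PWD=|` was dropped from the list relative to the deleted file while the `sed` highlight `[pP][wW][dD]` still matches `PWD=` and `OLDPWD=`, so once the filter works every run will print the working directory in red as a credential hit; restoring `|PWD=|` to the exclusion list avoids that false positive. The `# Description` block documents exploitation steps rather than what the check reads; a one-line `# Description: Print environment variables, highlighting names that look like credentials (pwd, passw, apikey, api_key, KRB5CCNAME)` would describe the check more accurately.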
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh index 9adc579..512ff03 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh @@ -1,8 +1,24 @@ # Title: System Information - Dmesg # ID: SY_Dmesg # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Searching Signature verification failed in dmesg +# Last Update: 07-03-2024 +# Description: Check for kernel signature verification failures that could lead to privilege escalation: +# - Failed kernel module signature verifications +# - Common vulnerable scenarios: +# * Disabled kernel module signing +# * Failed signature verifications +# * Unsigned kernel modules +# - Exploitation methods: +# * Kernel module injection: Load malicious kernel modules +# * Common attack vectors: +# - Kernel module loading +# - Kernel module replacement +# - Kernel module modification +# * Exploit techniques: +# - Module signing bypass +# - Kernel module injection +# - Kernel module modification +# - Kernel module replacement # License: GNU GPL # Version: 1.0 # Functions Used: echo_not_found, print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh index 59bdf32..e795792 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh 
@@ -1,8 +1,29 @@ # Title: System Information - MacOS OS checks # ID: SY_Macos_os_checks # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Macos OS checks +# Last Update: 07-03-2024 +# Description: Check for MacOS-specific vulnerabilities and misconfigurations that could lead to privilege escalation: +# - Unsigned kernel extensions +# - Non-Apple kernel extensions +# - System Integrity Protection (SIP) status +# - Gatekeeper status +# - Common vulnerable scenarios: +# * Disabled SIP +# * Unsigned kernel extensions +# * Third-party kernel extensions +# * Disabled Gatekeeper +# - Exploitation methods: +# * Kernel extension injection: Load malicious kernel extensions +# * Common attack vectors: +# - SIP bypass +# - Kernel extension loading +# - Gatekeeper bypass +# - System modification +# * Exploit techniques: +# - Kernel extension injection +# - SIP bypass +# - Gatekeeper bypass +# - System modification # License: GNU GPL # Version: 1.0 # Functions Used:macosNotSigned, print_2title diff --git a/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh b/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh index 1278f2a..4500bf8 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh 
@@ -1,8 +1,25 @@ # Title: System Information - Linux Exploit Suggester # ID: SY_Linux_exploit_suggester # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Linux Exploit Suggester tool execution +# Last Update: 07-03-2024 +# Description: Execute Linux Exploit Suggester to identify potential kernel exploits: +# - Automated kernel vulnerability detection +# - Common vulnerable scenarios: +# * Known kernel vulnerabilities +# * Unpatched kernel versions +# * Missing security patches +# - Exploitation methods: +# * Kernel exploit execution: Use suggested exploits +# * Common attack vectors: +# - Kernel memory corruption +# - Race conditions +# - Use-after-free +# - Integer overflow +# * Exploit techniques: +# - Kernel memory manipulation +# - Privilege escalation +# - Root access acquisition +# - System compromise # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh b/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh index 4d03955..1c663e1 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh 
@@ -1,8 +1,27 @@ -# Title: System Information - Linux Exploit Suggester 2 +# Title: System Information - Linux Exploit Suggester 2 # ID: SY_Linux_exploit_suggester_2 # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Linux Exploit Suggester 2 tool execution +# Last Update: 07-03-2024 +# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits: +# - Alternative kernel vulnerability detection +# - Perl-based exploit suggestions +# - Common vulnerable scenarios: +# * Known kernel vulnerabilities +# * Unpatched kernel versions +# * Missing security patches +# * Alternative exploit paths +# - Exploitation methods: +# * Kernel exploit execution: Use suggested exploits +# * Common attack vectors: +# - Kernel memory corruption +# - Race conditions +# - Use-after-free +# - Integer overflow +# * Exploit techniques: +# - Kernel memory manipulation +# - Privilege escalation +# - Root access acquisition +# - System compromise # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh b/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh index 6f6c1d1..12ad479 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh 
@@ -1,8 +1,26 @@
 # Title: System Information - CVE_2021_3560
 # ID: SY_CVE_2021_3560
 # Author: Carlos Polop
-# Last Update: 07-10-2024
-# Description: CVE-2021-3560 - paper box from HTB
+# Last Update: 07-03-2024
+# Description: Check for Polkit vulnerability (CVE-2021-3560) that could lead to privilege escalation:
+# - Vulnerable Polkit versions:
+# * polkit 0.105-26 (Ubuntu)
+# * polkit 0.117-2 (RHEL)
+# * polkit 0.115-6 (RHEL)
+# - Common vulnerable scenarios:
+# * Unpatched Polkit versions
+# * Default Polkit configurations
+# - Exploitation methods:
+# * Race condition in Polkit authentication
+# * Common attack vectors:
+# - Authentication bypass
+# - Privilege escalation
+# - Root access acquisition
+# * Exploit techniques:
+# - Race condition exploitation
+# - Authentication bypass
+# - Privilege escalation
+# - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used:
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
index 07c8f03..854da66 100644
--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
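Review bot: The `# Last Update` line moves backwards here, from `07-10-2024` to `07-03-2024`, which under the DD-MM-YYYY convention these headers use dates this edit seven months before the previous one; the stamp should be the date of this change (the commit itself is from May 2025), and the same `07-03-2024` value is written into every other header hunk in this patch. The new `# Description` also embeds specific affected polkit package versions, but the version comparison this check performs is outside the hunk, so verify that the listed versions are the ones the code actually tests rather than leaving a second, separately maintained copy of that information in the comment.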
@@ -1,8 +1,30 @@ -# Title: System Information - Kernel Extensions +# Title: System Information - Protections # ID: SY_Protections # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Kernel Extensions +# Last Update: 07-03-2024 +# Description: Check for system security protections and their bypass possibilities: +# - AppArmor/SELinux status and profiles +# - ASLR status +# - Seccomp filters +# - Capabilities +# - Common vulnerable scenarios: +# * Disabled security modules +# * Weak security profiles +# * Missing security features +# * Misconfigured protections +# - Exploitation methods: +# * Protection bypass: Circumvent security measures +# * Common attack vectors: +# - AppArmor/SELinux bypass +# - ASLR bypass +# - Seccomp filter bypass +# - Capability abuse +# * Exploit techniques: +# - Profile bypass +# - Memory randomization bypass +# - Filter bypass +# - Capability exploitation +# - Protection circumvention # License: GNU GPL # Version: 1.0 # Functions Used: echo_not_found, print_2title, print_list, warn_exec diff --git a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh new file mode 100644 index 0000000..2061777 --- /dev/null +++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh 
@@ -0,0 +1,55 @@
+# Title: System Information - Kernel Modules
+# ID: SY_Kernel_Modules
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for kernel module vulnerabilities and misconfigurations that could lead to privilege escalation:
+# - Loaded kernel modules with known vulnerabilities
+# - Kernel modules with weak permissions that could be modified
+# - Ability to load kernel modules as unprivileged user
+# - Missing kernel module signing requirements
+# - Exploitation methods:
+# * Vulnerable modules: Use known exploits for vulnerable kernel modules
+# * Weak permissions: Modify kernel modules to inject malicious code
+# * Module loading: Load malicious kernel modules to get root access
+# * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_list
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Kernel Modules Information"
+
+# List loaded kernel modules
+print_list "Loaded kernel modules? ........ "$NC
+if [ -f "/proc/modules" ]; then
+ lsmod
+else
+ echo_not_found "/proc/modules"
+fi
+
+# Check for kernel modules with weak permissions
+print_list "Kernel modules with weak perms? "$NC
+if [ -d "/lib/modules" ]; then
+ find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
+else
+ echo_not_found "/lib/modules"
+fi
+
+# Check for kernel modules that can be loaded by unprivileged users
+print_list "Kernel modules loadable? "$NC
+if [ -f "/proc/sys/kernel/modules_disabled" ]; then
+ if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
+ echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
+ else
+ echo "Modules cannot be loaded" | sed -${E} "s,.*,${SED_GREEN},g"
+ fi
+else
+ echo_not_found "/proc/sys/kernel/modules_disabled"
+fi
+
+
+echo ""
\ No newline at end of file
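Review bot: The weak-permissions check `find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root"` only flags modules whose owner or group is not root, never a root-owned module that is writable by others, and it does not see the compressed `.ko.xz`/`.ko.zst` files most current distributions ship, so on those systems it silently reports nothing; `find /lib/modules -type f \( -name "*.ko" -o -name "*.ko.*" \) \( ! -user root -o -perm -o=w \) -ls 2>/dev/null` tests what the heading promises and avoids the GNU-only `\s`. The `modules_disabled` check reads a sysctl that only controls whether a privileged process may still load modules, so printing `Modules can be loaded` in red whenever it is `0` (the default on almost every host) will flag nearly every system and does not support the `# - Ability to load kernel modules as unprivileged user` claim in the header; rewording the output to `Module loading not locked down (modules_disabled=0)` and dropping or rephrasing that description line keeps the finding honest. The `# Functions Used:` header should also list `echo_not_found`, which the body calls three times, if the builder validates that field.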
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh index 6873b82..ae0f03b 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh @@ -1,8 +1,28 @@ # Title: System Information - Operative System # ID: SY_Operative_system # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the Operative system +# Last Update: 07-03-2024 +# Description: Check for operating system information relevant to privilege escalation: +# - OS version and distribution +# - Kernel version +# - Architecture +# - Common vulnerable scenarios: +# * Outdated OS versions +# * Unpatched systems +# * Known vulnerable distributions +# * Architecture-specific vulnerabilities +# - Exploitation methods: +# * Version-specific exploits: Use known exploits for the OS version +# * Common attack vectors: +# - OS version exploits +# - Distribution-specific vulnerabilities +# - Architecture-specific exploits +# - Kernel version exploits +# * Exploit techniques: +# - Version-specific payloads +# - Distribution-specific attacks +# - Architecture-specific techniques +# - Kernel exploitation # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info, warn_exec diff --git a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh index f9a9c6a..3c82cbb 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh 
@@ -1,8 +1,22 @@ # Title: System Information - Sudo Version # ID: SY_Sudo_version # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the Sudo Version +# Last Update: 07-03-2024 +# Description: Check for sudo vulnerabilities and misconfigurations that could lead to privilege escalation: +# - Vulnerable sudo versions with known exploits +# - Common vulnerable versions and CVEs: +# * CVE-2021-3156 (Baron Samedit): Heap overflow in sudo +# * CVE-2021-23239: Potential privilege escalation +# * CVE-2021-23240: Potential privilege escalation +# * CVE-2021-23241: Potential privilege escalation +# - Exploitation methods: +# * Version exploits: Use known exploits for vulnerable sudo versions +# * Common targets: sudo < 1.9.5p2 (Baron Samedit) +# * Exploit techniques: +# - Heap overflow exploitation +# - Race conditions +# - Memory corruption +# - Command injection # License: GNU GPL # Version: 1.0 # Functions Used: echo_not_found, print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh index 750df78..493b24c 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh 
@@ -1,8 +1,22 @@ # Title: System Information - USBCreator # ID: SY_USBCreator # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the USBCreator +# Last Update: 07-03-2024 +# Description: Check for USBCreator vulnerabilities that could lead to privilege escalation: +# - Vulnerable policykit-desktop-privileges versions +# - Common vulnerable versions: +# * policykit-desktop-privileges < 0.21 +# - Exploitation methods: +# * D-Bus command injection through USBCreator +# * Abuse of policykit privileges +# * Common attack vectors: +# - D-Bus method call injection +# - PolicyKit authentication bypass +# - Command execution through USB creation +# * Exploit techniques: +# - D-Bus method spoofing +# - PolicyKit privilege escalation +# - USB device creation abuse # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh index 7393bca..1d35f49 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh 
@@ -1,8 +1,25 @@ # Title: System Information - Path # ID: SY_Path # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the Path +# Last Update: 07-03-2024 +# Description: Check for PATH environment misconfigurations that could lead to privilege escalation: +# - Writable directories in PATH +# - Current directory (.) in PATH +# - Common vulnerable scenarios: +# * Writable system directories in PATH +# * Current directory in PATH +# * Relative paths in PATH +# - Exploitation methods: +# * PATH hijacking: Place malicious executables in writable PATH directories +# * Common attack vectors: +# - Replace common binaries (ls, cat, etc.) +# - Create malicious executables with common names +# - Abuse sudo PATH inheritance +# * Exploit techniques: +# - Binary replacement +# - Symbolic link attacks +# - PATH manipulation +# - Sudo PATH abuse # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh index 57bb475..5c51ba1 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh 
@@ -1,8 +1,28 @@ # Title: System Information - Date # ID: SY_Date # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the Date +# Last Update: 07-03-2024 +# Description: Check for system date and uptime information relevant to privilege escalation: +# - System uptime +# - Last boot time +# - System time +# - Common vulnerable scenarios: +# * Long uptime (unpatched systems) +# * Time-based vulnerabilities +# * Scheduled tasks timing +# * Cron job timing +# - Exploitation methods: +# * Timing attacks: Abuse time-based vulnerabilities +# * Common attack vectors: +# - Race conditions +# - Time-of-check to time-of-use (TOCTOU) +# - Scheduled task abuse +# - Cron job timing +# * Exploit techniques: +# - Race condition exploitation +# - TOCTOU attacks +# - Scheduled task manipulation +# - Cron job abuse # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, warn_exec diff --git a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh index 4785f32..4b0d5d9 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh 
@@ -1,8 +1,28 @@ # Title: System Information - CPU info # ID: SY_CPU_info # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the CPU +# Last Update: 07-03-2024 +# Description: Check for CPU information relevant to privilege escalation: +# - CPU architecture +# - CPU features +# - CPU vulnerabilities +# - Common vulnerable scenarios: +# * CPU-specific vulnerabilities (Spectre, Meltdown, etc.) +# * Missing CPU mitigations +# * Architecture-specific exploits +# * CPU feature abuse +# - Exploitation methods: +# * CPU-based attacks: Abuse CPU vulnerabilities +# * Common attack vectors: +# - Spectre/Meltdown exploitation +# - CPU feature abuse +# - Architecture-specific attacks +# - CPU timing attacks +# * Exploit techniques: +# - Side-channel attacks +# - CPU feature exploitation +# - Architecture-specific techniques +# - CPU timing exploitation # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, warn_exec diff --git a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh index 31ec546..b8dfe99 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh 
@@ -1,8 +1,28 @@ # Title: System Information - Mounts # ID: SY_Mounts # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the mounts +# Last Update: 07-03-2024 +# Description: Check for mount point misconfigurations that could lead to privilege escalation: +# - Unmounted filesystems +# - Mount point permissions +# - Mount options +# - Common vulnerable scenarios: +# * Writable mount points +# * Insecure mount options +# * Unmounted sensitive filesystems +# * Shared mount points +# - Exploitation methods: +# * Mount point abuse: Exploit mount misconfigurations +# * Common attack vectors: +# - Mount point modification +# - Filesystem remounting +# - Mount option abuse +# - Shared mount exploitation +# * Exploit techniques: +# - Mount point manipulation +# - Filesystem remounting +# - Mount option exploitation +# - Shared mount abuse # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info diff --git a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh index 339db79..a775bda 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh 
@@ -1,8 +1,28 @@ # Title: System Information - Disks # ID: SY_Disks # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the disks +# Last Update: 07-03-2024 +# Description: Check for disk information and misconfigurations that could lead to privilege escalation: +# - Available disks +# - Disk permissions +# - SMB shares +# - Common vulnerable scenarios: +# * Writable disks +# * Insecure SMB shares +# * Exposed disk devices +# * Shared storage +# - Exploitation methods: +# * Disk access abuse: Exploit disk misconfigurations +# * Common attack vectors: +# - Disk device modification +# - SMB share abuse +# - Storage device access +# - Shared disk exploitation +# * Exploit techniques: +# - Disk device manipulation +# - SMB share exploitation +# - Storage device abuse +# - Shared disk access # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, warn_exec diff --git a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh index 7479e92..5691c7f 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh 
@@ -1,8 +1,28 @@ -# Title: System Information - Disks +# Title: System Information - Disks Extra # ID: SY_Disks_extra # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get Information about the disks +# Last Update: 07-03-2024 +# Description: Check for additional disk information and system resources relevant to privilege escalation: +# - Disk utilization +# - System resources +# - Storage statistics +# - Common vulnerable scenarios: +# * Low disk space (potential for race conditions) +# * Resource exhaustion +# * Storage device misconfigurations +# * System resource abuse +# - Exploitation methods: +# * Resource-based attacks: Abuse system resources +# * Common attack vectors: +# - Disk space exhaustion +# - Resource starvation +# - Storage device abuse +# - System resource manipulation +# * Exploit techniques: +# - Resource exhaustion +# - Storage device exploitation +# - System resource abuse +# - Resource-based attacks # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, warn_exec diff --git a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh index 3e444f6..2f98956 100644 --- a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh +++ b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh 
@@ -1,22 +1,73 @@
 # Title: Container - Container Tools
 # ID: CT_Container_tools
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Find container related tools in the PATH of the system
+# Last Update: 07-03-2024
+# Description: Find container related tools in the PATH of the system that could be used for container escape:
+# - Container runtime tools
+# - Container management tools
+# - Container networking tools
+# - Common vulnerable scenarios:
+# * Misconfigured container tools
+# * Privileged container tools
+# * Container escape tools
+# - Exploitation methods:
+# * Tool abuse: Exploit container tool misconfigurations
+# * Common attack vectors:
+# - Runtime escape
+# - Privilege escalation
+# - Container breakout
+# * Exploit techniques:
+# - Tool misconfiguration abuse
+# - Privileged tool exploitation
+# - Container escape tool usage
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
+# Functions Used: print_2title, warn_exec
 # Global Variables:
 # Initial Functions:
 # Generated Global Variables:
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 print_2title "Container related tools present (if any):"
-command -v docker || echo -n ''
-command -v lxc || echo -n ''
-command -v rkt || echo -n ''
-command -v kubectl || echo -n ''
-command -v podman || echo -n ''
-command -v runc || echo -n ''
\ No newline at end of file
+
+# Container runtimes
+warn_exec command -v docker
+warn_exec command -v lxc
+warn_exec command -v rkt
+warn_exec command -v podman
+warn_exec command -v runc
+warn_exec command -v ctr
+warn_exec command -v containerd
+warn_exec command -v crio
+warn_exec command -v nerdctl
+
+# Container management
+warn_exec command -v kubectl
+warn_exec command -v crictl
+warn_exec command -v docker-compose
+warn_exec command -v docker-machine
+warn_exec command -v minikube
+warn_exec command -v kind
+
+# Container networking
+warn_exec command -v docker-proxy
+warn_exec command -v cni
+warn_exec command -v flanneld
+warn_exec command -v calicoctl
+
+# Container security
+warn_exec command -v apparmor_parser
+warn_exec command -v seccomp
+warn_exec command -v gvisor
+warn_exec command -v kata-runtime
+
+# Container debugging
+warn_exec command -v nsenter
+warn_exec command -v unshare
+warn_exec command -v chroot
+warn_exec command -v capsh
+warn_exec command -v setcap
+warn_exec command -v getcap
+
+echo ""
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
index 441f307..669e9bd 100644
--- a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
@@ -29,4 +29,5 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/n
 echo ""
 fi
 done
-fi
\ No newline at end of file
+fi
+
diff --git a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
index 9a3f03a..56537d9 100644
--- a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
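Review bot: Replacing `command -v docker || echo -n ''` with `warn_exec command -v docker` (and the same for every probe below it) changes what this section prints: the old form emitted only the tools that exist, while `warn_exec`, defined outside this file, appears from its use elsewhere in linpeas to print a marker whenever the command produces no output, so a host with no container tooling would now emit one line per probed tool, roughly thirty lines under the heading `Container related tools present (if any):`. If that is intended the heading should say so; otherwise keep the `command -v X || echo -n ''` form for the probes and reserve `warn_exec` for commands whose absence is itself a finding. Several of the new names are also unlikely to resolve: gVisor's runtime binary is `runsc`, CNI plugins are separate binaries under the CNI plugin directory rather than a `cni` command, and there is no standard `seccomp` executable, so `warn_exec command -v gvisor`, `warn_exec command -v cni` and `warn_exec command -v seccomp` will always be misses; use `runsc` for gVisor and drop the other two.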
@@ -1,21 +1,63 @@ # Title: Container - Container details # ID: CT_Container_details # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Get container details +# Last Update: 07-03-2024 +# Description: Get detailed container information relevant to privilege escalation: +# - Container type and runtime +# - Running containers +# - Container configuration +# - Common vulnerable scenarios: +# * Misconfigured containers +# * Privileged containers +# * Exposed container APIs +# * Container networking +# - Exploitation methods: +# * Container breakout: Exploit container misconfigurations +# * Common attack vectors: +# - Runtime escape +# - Privilege escalation +# - Container breakout +# - Network escape +# * Exploit techniques: +# - Container misconfiguration abuse +# - Privileged container exploitation +# - Container API abuse +# - Network escape techniques # License: GNU GPL # Version: 1.0 -# Functions Used: containerCheck, echo_no, print_2title, print_list +# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec # Global Variables: $containerType # Initial Functions: containerCheck # Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts # Fat linpeas: 0 # Small linpeas: 1 - print_2title "Container details" + print_list "Is this a container? 
...........$NC $containerType" +# Get container runtime info +if [ "$(command -v docker || echo -n '')" ]; then + print_list "Docker version ...............$NC " + warn_exec docker version + print_list "Docker info .................$NC " + warn_exec docker info +fi + +if [ "$(command -v podman || echo -n '')" ]; then + print_list "Podman version ..............$NC " + warn_exec podman version + print_list "Podman info ................$NC " + warn_exec podman info +fi + +if [ "$(command -v lxc || echo -n '')" ]; then + print_list "LXC version ................$NC " + warn_exec lxc version + print_list "LXC info ...................$NC " + warn_exec lxc info +fi + print_list "Any running containers? ........ "$NC # Get counts of running containers for each platform dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l) 
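Review bot: `warn_exec docker info` and `warn_exec podman info` print dozens of lines (storage drivers, registries, plugins) between the version line and the "Any running containers?" check below, which buries the one-line findings this section was built around. Limit the output to the security-relevant keys, e.g. `docker info 2>/dev/null | grep -iE "Security Options|Cgroup|Rootless|Storage Driver"`, and the same `grep` for podman. The dotted labels are also of uneven length (`Docker version ...............` vs `Docker info .................`), so the values no longer line up in the rendered report.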
@@ -32,9 +74,36 @@ else if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED}," - # List any running containers - if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi - if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi - if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi - if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi -fi \ No newline at end of file + # List any running containers with more details + if [ "$dockercontainers" -ne "0" ]; then + echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED}," + docker ps -a 2>/dev/null + #echo "Docker Container Details" | sed -${E} "s,.*,${SED_RED}," + #docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g" + echo "" + fi + if [ "$podmancontainers" -ne "0" ]; then + echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED}," + podman ps -a 2>/dev/null + #echo "Podman Container Details" | sed -${E} "s,.*,${SED_RED}," + #podman inspect $(podman ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g" + echo "" + fi + if [ "$lxccontainers" -ne "0" ]; then + echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED}," + lxc list 2>/dev/null + #echo "LXC Container Details" | sed -${E} "s,.*,${SED_RED}," + #lxc config show $(lxc list -c n --format csv) 2>/dev/null | grep -E "security.privileged|security.capabilities|security.syscalls" | sed -${E} "s,true|privileged|host,${SED_RED},g" 
+ echo "" + fi + if [ "$rktcontainers" -ne "0" ]; then + echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED}," + rkt list 2>/dev/null + #echo "RKT Container Details" | sed -${E} "s,.*,${SED_RED}," + #rkt status $(rkt list --format=json 2>/dev/null | jq -r '.[].id') 2>/dev/null | grep -E "privileged|capabilities|security" | sed -${E} "s,true|privileged|host,${SED_RED},g" + echo "" + fi +fi + + +echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh index 1c461b9..f0d13cb 100644 --- a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh +++ b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh 
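Review bot: `docker ps -a` and `podman ps -a` now list exited containers as well, but the counts in `$dockercontainers`/`$podmancontainers` still come from plain `ps` (running only) and the heading still reads "Running Docker Containers", so the header and the listing disagree. Either drop the `-a` or change the heading to `echo "Docker Containers (including stopped)"`. The four commented-out `inspect`/`config show`/`status` blocks are dead code; if the per-container privilege details are intended for a later revision, keep them behind `EXTRA_CHECKS` rather than as comments.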
@@ -1,26 +1,62 @@ # Title: Container - Container & breakout enumeration # ID: CT_Container_breakout # Author: Carlos Polop -# Last Update: 22-08-2023 -# Description: Container breakout enumeration to see if in case we are inside a container we could escape +# Last Update: 07-03-2024 +# Description: Container breakout enumeration to identify potential escape vectors: +# - Container runtime vulnerabilities +# - Mount point misconfigurations +# - Capability abuse +# - Namespace escape +# - Common vulnerable scenarios: +# * Privileged containers +# * Misconfigured mounts +# * Excessive capabilities +# * Namespace isolation bypass +# * Runtime vulnerabilities +# * Container escape tools +# * Shared kernel exploits +# * Container escape CVEs +# - Exploitation methods: +# * Mount escape: Abuse mount misconfigurations +# * Capability abuse: Exploit excessive capabilities +# * Namespace escape: Break out of container namespaces +# * Runtime escape: Exploit container runtime vulnerabilities +# * Common attack vectors: +# - Mount point manipulation +# - Capability exploitation +# - Namespace breakout +# - Runtime vulnerability abuse +# - Kernel exploit abuse +# - Container escape tool usage +# * Exploit techniques: +# - Mount point abuse +# - Capability escalation +# - Namespace escape +# - Runtime exploitation +# - Kernel exploitation +# - Container escape tool execution # License: GNU GPL # Version: 1.0 -# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list -# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, 
$proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable +# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec +# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable # Initial Functions: containerCheck -# Generated Global Variables: $defautl_docker_caps +# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version # Fat linpeas: 0 # Small linpeas: 0 - if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html" + + # Basic container info print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')" if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" fi + + # Security mechanisms + print_3title "Security Mechanisms" print_list "Seccomp enabled? ............... 
"$NC ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," 
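Review bot: The new `# Generated Global Variables:` line lists `$containerd_version` twice (`$defautl_docker_caps, $containerd_version, $runc_version, $containerd_version`); the builder parses this header line by line (see `linpeasModule.py` further down in this patch), so the duplicate is at best noise and at worst confuses any uniqueness check on generated variables. Keep one entry: `# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version`. `echo_no` and `echo_not_found` were removed from `# Functions Used:`; that is correct only if no call to them survives in the parts of this file outside the hunk, which should be confirmed before the builder validates the module.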
@@ -30,9 +66,51 @@ if [ "$inContainer" ]; then print_list "User proc namespace? ........... "$NC if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi + # Known vulnerabilities + print_3title "Known Vulnerabilities" + checkContainerExploits print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," - + + # Check for container escape tools + print_list "Container escape tools present .. "$NC + (command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g" + + # Runtime vulnerabilities + print_3title "Runtime Vulnerabilities" + + # Check for known runtime vulnerabilities + if [ "$(command -v runc || echo -n '')" ]; then + print_list "Runc version ................. "$NC + warn_exec runc --version + # Check for specific runc vulnerabilities + runc_version=$(runc --version 2>/dev/null | grep -i "version" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") + if [ "$runc_version" ]; then + print_list "Runc CVE-2019-5736 ........... "$NC + if [ "$(echo $runc_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 0) || ($1 == 1 && $2 == 0 && $3 < 7)) print "Yes"; else print "No"; }')" = "Yes" ]; then + echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + fi + fi + + if [ "$(command -v containerd || echo -n '')" ]; then + print_list "Containerd version ........... 
"$NC + warn_exec containerd --version + # Check for specific containerd vulnerabilities + containerd_version=$(containerd --version 2>/dev/null | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") + if [ "$containerd_version" ]; then + print_list "Containerd CVE-2020-15257 ..... "$NC + if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 4) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]; then + echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + fi + fi + + # Mount escape vectors print_3title "Breakout via mounts" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html" 
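Review bot: The CVE-2019-5736 test marks every runc below 1.0.7 as vulnerable, but the fix shipped during the 1.0.0 release-candidate series, so every 1.0.x and 1.1.x release is patched; the `-rc` suffix is stripped by the version regex, and the clause `($1 == 1 && $2 < 0)` can never be true. The containerd CVE-2020-15257 test has the same shape and misses the 1.3.9 backport, so patched 1.3.x builds are reported as vulnerable: `if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 3) || ($1 == 1 && $2 == 3 && $3 < 9) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]`. Distribution packages also backport fixes without bumping the version, so both results should be labelled as a version heuristic, e.g. `echo "Possibly (version-based check)"`, rather than "Yes - Vulnerable". The "Container escape tools present" line chains the probes with `||`, so only the first tool found is printed; the rest are silently skipped.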
@@ -46,89 +124,170 @@ if [ "$inContainer" ]; then print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + + # Additional mount checks + print_list "Docker socket mounted? ......... "$NC + (mount | grep -E "docker.sock|/var/run/docker.sock" || echo "No") | sed -${E} "s,Yes|docker.sock,${SED_RED}," + + print_list "Common host filesystem mounted? "$NC + (mount | grep -E "host|/host|/mnt/host" || echo "No") | sed -${E} "s,Yes|host,${SED_RED}," + + print_list "Interesting mounts ............. "$NC + mount | grep -E "docker|container|overlay|kubelet" | grep -v "proc" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g" + + # Check for writable mount points + print_list "Writable mount points ......... "$NC + mount | grep -E "rw," | grep -v "ro," | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g" + + # Check for shared mount points + print_list "Shared mount points ........... "$NC + mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g" + + # Capability checks + print_3title "Capability Checks" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html" + + print_list "Dangerous capabilities ......... 
"$NC + if [ "$(command -v capsh || echo -n '')" ]; then + capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" + else + defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap" + cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g" + echo $ITALIC"Run capsh --decode= to decode the capabilities"$NC + fi + + # Additional capability checks + print_list "Dangerous syscalls allowed ... "$NC + if [ -f "/proc/sys/kernel/yama/ptrace_scope" ]; then + (cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "Not found") | sed -${E} "s,0,${SED_RED}," + else + echo "Not found" + fi + + # Namespace checks + print_3title "Namespace Checks" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html" + + print_list "Current namespaces ............. "$NC + ls -l /proc/self/ns/ + + print_list "Host network namespace? ........ "$NC + if [ "$(ip netns list 2>/dev/null)" ]; then + echo "Yes - Host network namespace accessible" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + + # Additional namespace checks + print_list "Host IPC namespace? ........... "$NC + if [ "$(ls -l /proc/self/ns/ipc 2>/dev/null)" = "$(ls -l /proc/1/ns/ipc 2>/dev/null)" ]; then + echo "Yes - Host IPC namespace shared" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + + print_list "Host PID namespace? ........... "$NC + if [ "$(ls -l /proc/self/ns/pid 2>/dev/null)" = "$(ls -l /proc/1/ns/pid 2>/dev/null)" ]; then + echo "Yes - Host PID namespace shared" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + + print_list "Host UTS namespace? ........... 
"$NC + if [ "$(ls -l /proc/self/ns/uts 2>/dev/null)" = "$(ls -l /proc/1/ns/uts 2>/dev/null)" ]; then + echo "Yes - Host UTS namespace shared" | sed -${E} "s,Yes,${SED_RED}," + else + echo "No" + fi + + # Additional breakout vectors + print_3title "Additional Breakout Vectors" + print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED}," print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED}," print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED}," print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED}," + + # Check for container escape tools in PATH + print_list "Container escape tools in PATH . "$NC + (which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g" + + print_3title "Extra Breakout Vectors" print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED}," - if [ "$EXTRA_CHECKS" ]; then - print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/kcore readable ........... 
$kcore_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED}," - print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED}," - fi + print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/proc/mem writable ............. 
$mem_writable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED}," + print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED}," - echo "" - print_3title "Namespaces" - print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html" - ls -l /proc/self/ns/ - + # Additional kernel checks + print_list "Kernel version .............. "$NC + uname -a | sed -${E} "s,$(uname -r),${SED_RED}," + + print_list "Kernel modules ............. "$NC + lsmod | grep -E "overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio" | sed -${E} "s,overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio,${SED_RED},g" + + # Additional container runtime checks + print_list "Container runtime sockets .. "$NC + (find /var/run -name "*.sock" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g" + + print_list "Container runtime configs .. 
"$NC + (find /etc -name "*.conf" -o -name "*.json" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g" + + # Kubernetes specific checks if echo "$containerType" | grep -qi "kubernetes"; then - print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" - print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n" - echo "" - - print_2title "Kubernetes Information" + print_3title "Kubernetes Specific Checks" print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html" + print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" + print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n" - print_3title "Kubernetes service account folder" + print_list "Kubernetes service account folder" | sed -${E} "s,.*,${SED_RED}," ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null - echo "" - print_3title "Kubernetes env vars" + print_list "Kubernetes env vars" | sed -${E} "s,.*,${SED_RED}," (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType=" - echo "" - - print_3title "Current sa user k8s permissions" - print_info 
"https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html" + + print_list "Current sa user k8s permissions" | sed -${E} "s,.*,${SED_RED}," kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \ "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \ -X 'POST' -H 'Content-Type: application/json' \ --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED}," - + + # Additional Kubernetes checks + print_list "Kubernetes API server ...... "$NC + (curl -s -k https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/version 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN}," + + print_list "Kubernetes secrets ......... "$NC + (kubectl get secrets 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN}," + + print_list "Kubernetes pods ............ "$NC + (kubectl get pods 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN}," + + print_list "Kubernetes services ........ "$NC + (kubectl get services 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN}," + + print_list "Kubernetes nodes ........... 
"$NC + (kubectl get nodes 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN}," fi - echo "" - - print_2title "Container Capabilities" - print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape" - if [ "$(command -v capsh || echo -n '')" ]; then - capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" - else - defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap" - cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g" - echo $ITALIC"Run capsh --decode= to decode the capabilities"$NC - fi - echo "" - - print_2title "Privilege Mode" - if [ -x "$(command -v fdisk || echo -n '')" ]; then - if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then - echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW}," - else - echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN}," - fi - else - echo_not_found - fi - echo "" - - print_2title "Interesting Files Mounted" + + # Interesting files and mounts + print_3title "Interesting Files & Mounts" + print_list "Interesting files mounted ........ "$NC (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g" - echo "" - - print_2title "Possible Entrypoints" + + print_list "Possible entrypoints ........... "$NC ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq + echo "" fi 
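Review bot: The three "Host IPC/PID/UTS namespace?" checks compare the output of `ls -l`, which embeds the differing paths `/proc/self/ns/...` and `/proc/1/ns/...`, so the strings are never equal and the checks always print "No"; `readlink` gives comparable values, e.g. `if [ "$(readlink /proc/self/ns/ipc 2>/dev/null)" = "$(readlink /proc/1/ns/ipc 2>/dev/null)" ]`. Even then PID 1 inside a container is the container's own init, so equality does not establish that the namespace is shared with the host, and the note should say the comparison is only a hint. "Common host filesystem mounted?" greps for `host`, which matches the `/etc/hostname` and `/etc/hosts` bind mounts present in every Docker container, and "Writable mount points" greps `rw,`, which matches almost every mount line, so both produce red output on any container. `Host network namespace?` keys on `ip netns list`, which only lists named network namespaces and says nothing about the host namespace. The "Container escape tools in PATH" line repeats the "Container escape tools present" check earlier in this file and can be dropped.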
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Systemd.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Systemd.sh
new file mode 100644
index 0000000..6d197ef
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Systemd.sh
@@ -0,0 +1,75 @@ +# Title: System Information - Systemd +# ID: PR_Systemd +# Author: Carlos Polop +# Last Update: 07-03-2024 +# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation: +# - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.) +# - Services running as root that could be exploited +# - Services with dangerous capabilities that could be abused +# - Services with writable paths that could be used to inject malicious code +# - Exploitation methods: +# * Version exploits: Use known exploits for vulnerable systemd versions +# * Root services: Abuse services running as root to execute commands +# * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.) +# * Writable paths: Replace executables in writable paths to get code execution +# License: GNU GPL +# Version: 1.0 +# Functions Used: print_2title, print_info, print_list +# Global Variables: +# Initial Functions: +# Generated Global Variables: $sys_service, $exec_path +# Fat linpeas: 0 +# Small linpeas: 1 + +print_2title "Systemd Information" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services" + +# Check systemd version +print_list "Systemd version? .............. "$NC +if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then + systemctl --version | head -n 1 | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g" +else + echo_not_found "systemctl" +fi + +# Check for systemd services running as root +print_list "Services running as root? ..... "$NC +if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then + systemctl list-units --type=service --state=running 2>/dev/null | grep -E "root|0:0" | sed -${E} "s,root|0:0,${SED_RED},g" +else + echo_not_found "systemctl" +fi + +# Check for systemd services with capabilities +print_list "Running services with capabilities? ... 
"$NC +if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then + for sys_service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do + if [ -f "/etc/systemd/system/$sys_service" ] || [ -f "/lib/systemd/system/$sys_service" ]; then + if grep -q "CapabilityBoundingSet" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null; then + echo "$sys_service" | sed -${E} "s,.*,${SED_RED},g" + fi + fi + done +else + echo_not_found "systemctl" +fi + +# Check for systemd services with writable paths +print_list "Running services with writable paths? . "$NC +if [ "$(command -v systemctl 2>/dev/null || echo -n '')" ]; then + for sys_service in $(systemctl list-units --type=service --state=running 2>/dev/null | grep -E "\.service" | awk '{print $1}'); do + if [ -f "/etc/systemd/system/$sys_service" ] || [ -f "/lib/systemd/system/$sys_service" ]; then + if grep -q "ExecStart\|ExecStartPre\|ExecStartPost" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null; then + for exec_path in $(grep -E "ExecStart|ExecStartPre|ExecStartPost" "/etc/systemd/system/$sys_service" "/lib/systemd/system/$sys_service" 2>/dev/null | awk '{print $2}' | tr -d '"'); do + if [ -w "$exec_path" ]; then + echo "$sys_service: $exec_path" | sed -${E} "s,.*,${SED_RED},g" + fi + done + fi + fi + done +else + echo_not_found "systemctl" +fi + +echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Socket_files.sh similarity index 100% rename from linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh rename to linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Socket_files.sh 
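Review bot: In the writable-paths loop `awk '{print $2}'` is applied to lines such as `ExecStart=/usr/bin/foo --flag`, where field 1 is `ExecStart=/usr/bin/foo` and field 2 is the first argument, so the `-w` test runs against arguments rather than the binary; strip the key and the `-`/`@`/`+`/`!` prefixes first: `sed -E 's/^Exec(Start|StartPre|StartPost)=[-@+!:]*//' | awk '{print $1}'`. The "Services running as root?" check greps `systemctl list-units` output, which has no user column, so it only matches unit names or descriptions containing "root"; per unit, `systemctl show -p User --value "$sys_service"` returning an empty value is what indicates the default root user. Unit files under `/usr/lib/systemd/system` are not searched, so on distributions that install there every service is skipped. The header cites CVE-2021-4034, which is polkit's pkexec rather than systemd, and `# Functions Used:` omits `echo_not_found`, which the body calls.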
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Unix_sockets_listening.sh
similarity index 100%
rename from linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh
rename to linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Unix_sockets_listening.sh
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_service_objects_list.sh
similarity index 100%
rename from linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh
rename to linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_service_objects_list.sh
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/18_DBus_config_files.sh
similarity index 100%
rename from linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh
rename to linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/18_DBus_config_files.sh
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh
index 938aa99..271a465 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh
@@ -30,4 +30,28 @@ print_2title "Writable log files (logrotten) (limit 50)" done fi +# Check syslog configuration +print_2title "Syslog configuration (limit 50)" +if [ -f "/etc/rsyslog.conf" ]; then + grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50 +elif [ -f "/etc/syslog.conf" ]; then + grep -v "^#" /etc/syslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50 +else + echo_not_found "syslog configuration" +fi + + +# Check auditd configuration +print_2title "Auditd configuration (limit 50)" +if [ -f "/etc/audit/auditd.conf" ]; then + grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50 +else + echo_not_found "auditd configuration" +fi + +# Check for log files with weak permissions +print_2title "Log files with potentially weak perms (limit 50)" +find /var/log -type f -ls 2>/dev/null | grep -Ev "root\s+root|root\s+systemd-journal|root\s+syslog|root\s+utmp" | sed -${E} "s,.*,${SED_RED},g" | head -n 50 + + echo "" diff --git a/linPEAS/builder/src/linpeasModule.py b/linPEAS/builder/src/linpeasModule.py index 5dc0f5d..18eca79 100644 --- a/linPEAS/builder/src/linpeasModule.py +++ b/linPEAS/builder/src/linpeasModule.py 
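Review bot: The syslog and auditd blocks pipe every non-comment line, blank lines included, through `sed "s,.*,${SED_RED},g"`, so the whole configuration is red and nothing stands out; at least filter with `grep -Ev "^#|^$"` and consider highlighting only remote-forwarding rules instead of every line. rsyslog also loads `/etc/rsyslog.d/*.conf`, which is not read here, so the most common site-specific rules are missed. The "weak perms" listing filters `find -ls` output by owner/group only, which flags Debian's default `root adm` and `syslog adm` ownership as a finding while never looking at mode bits; `find /var/log -type f -perm -o+w -ls 2>/dev/null` or `-writable` would report what the title promises.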
@@ -36,89 +36,133 @@ class LinpeasModule:
 if not (self.is_base or self.is_function or self.is_variable or self.is_check):
 raise Exception(f"Module {path} doesn't belong to any section")
+
+ # Initi data
+ self.title = None
+ self.id = None
+ self.author = None
+ self.last_update = None
+ self.description = None
+ self.version = None
+ self.functions_used = None
+ self.global_variables = None
+ self.initial_functions = None
+ self.generated_global_variables = None
+ self.is_fat = None
+ self.is_small = None
+ self.sh_code = ""
+ is_description = False
 for i,line in enumerate(self.module_text.splitlines()):
- if i == 0:
- if not line.startswith("# Title:"):
- raise Exception(f"Wrong title in module {path}. It should start with '# Title: '")
- self.title = line[8:].strip()
-
- elif i == 1:
- if not line.startswith("# ID:"):
- raise Exception(f"Wrong ID in module {path}. It should start with '# ID: '")
-
- self.id = line[5:].strip()
+ if line.startswith("# Title:"):
+ self.title = line[8:].strip()
+ is_description = False
+
+ elif line.startswith("# ID:"):
+ self.id = line[5:].strip()
+ is_description = False
 if re.sub('^[0-9]+_', '', os.path.basename(path).replace(".sh", "")) not in [self.id, self.id[3:]]:
 raise Exception(f"Wrong ID in module {path}. It should be the same as the filename")
- elif i == 2:
- if not line.startswith("# Author:"):
- raise Exception(f"Wrong author in module {path}. It should start with '# Author: '")
+ elif line.startswith("# Author:"):
+ is_description = False
 self.author = line[10:].strip()
- elif i == 3:
- if not line.startswith("# Last Update:"):
- raise Exception(f"Wrong last update in module {path}. It should start with '# Last Update: '")
+ elif line.startswith("# Last Update:"):
+ is_description = False
 self.last_update = line[15:].strip()
- elif i == 4:
- if not line.startswith("# Description:"):
- raise Exception(f"Wrong description in module {path}. It should start with '# Description: '")
+ elif line.startswith("# Description:"):
 self.description = line[15:].strip()
+ is_description = True
- elif i == 5:
- if not line.startswith("# License:"):
- raise Exception(f"Wrong license in module {path}. It should start with '# License: '")
-
- elif i == 6:
- if not line.startswith("# Version:"):
- raise Exception(f"Wrong version in module {path}. It should start with '# Version: '")
+ elif line.startswith("# Version:"):
+ is_description = False
 self.version = line[11:].strip()
- elif i == 7:
- if not line.startswith("# Functions Used:"):
- raise Exception(f"Wrong functions used in module {path}. It should start with '# Functions Used: '")
+ elif line.startswith("# Functions Used:"):
+ is_description = False
 self.functions_used = line[17:].split(",")
 self.functions_used = [f.strip() for f in self.functions_used if f.strip()]
 if "/variables/" in path and self.functions_used:
 raise Exception(f"Variables shouldn't user functions, so functions in module {path} should be empty")
- elif i == 8:
- if not line.startswith("# Global Variables:"):
- raise Exception(f"Wrong global variables in module {path}. It should start with '# Global Variables: '")
+ elif line.startswith("# Global Variables:"):
+ is_description = False
 self.global_variables = line[19:].split(",")
 self.global_variables = [f.strip().replace("$", "") for f in self.global_variables if f.strip()]
- elif i == 9:
- if not line.startswith("# Initial Functions:"):
- raise Exception(f"Wrong initial functions in module {path}. It should start with '# Initial Functions: '")
+ elif line.startswith("# Initial Functions:"):
+ is_description = False
 self.initial_functions = line[20:].split(",")
 self.initial_functions = [f.strip() for f in self.initial_functions if f.strip()]
-
- elif i == 10:
- if not line.startswith("# Generated Global Variables:"):
- raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
+
+ elif line.startswith("# Generated Global Variables:"):
+ is_description = False
 self.generated_global_variables = line[29:].split(",")
 self.generated_global_variables = [f.strip().replace("$", "") for f in self.generated_global_variables if f.strip()]
- elif i == 11:
- if not line.startswith("# Fat linpeas:"):
- raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
+ elif line.startswith("# Fat linpeas:"):
+ is_description = False
 self.is_fat = bool(int(line[15]))
-
- elif i == 12:
- if not line.startswith("# Small linpeas:"):
- raise Exception(f"Wrong generated global variables in module {path}. It should start with '# Generated Global Variables: '")
+ elif line.startswith("# Small linpeas:"):
+ is_description = False
 self.is_small = bool(int(line[17]))
- elif i == 13:
- if line != "":
- raise Exception(f"Wrong module {path}. Line 12 should be a new line")
-
+ elif is_description:
+ if line.strip():
+ self.description += line + "\n"
+ else: # If line empty, outside of description
+ is_description = False
+
 else:
- self.sh_code += line + "\n"
+ if line.strip():
+ self.sh_code += line + "\n"
+
+ if self.title is None:
+ raise Exception(f"Wrong title in module {path}. Some metadata should start with '# Title: '")
+
+ if self.id is None:
+ raise Exception(f"Wrong ID in module {path}. Some metadata should start with '# ID: '")
+
+ if self.author is None:
+ raise Exception(f"Wrong author in module {path}. Some metadata should start with '# Author: '")
+
+ if self.last_update is None:
+ raise Exception(f"Wrong last update in module {path}. Some metadata should start with '# Last Update: '")
+
+ if self.description is None:
+ raise Exception(f"Wrong description in module {path}. Some metadata should start with '# Description: '")
+
+ if self.version is None:
+ raise Exception(f"Wrong version in module {path}. 
Some metadata should start with '# Version: '") + + if self.functions_used is None: + raise Exception(f"Wrong functions used in module {path}. Some metadata should start with '# Functions Used: '") + + if self.global_variables is None: + raise Exception(f"Wrong global variables in module {path}. Some metadata should start with '# Global Variables: '") + + if self.initial_functions is None: + raise Exception(f"Wrong initial functions in module {path}. Some metadata should start with '# Initial Functions: '") + + if self.generated_global_variables is None: + raise Exception(f"Wrong generated global variables in module {path}. Some metadata should start with '# Generated Global Variables: '") + + if self.is_fat is None: + raise Exception(f"Wrong fat linpeas in module {path}. Some metadata should start with '# Fat linpeas: '") + + if self.is_small is None: + raise Exception(f"Wrong small linpeas in module {path}. Some metadata should start with '# Small linpeas: '") + + if self.sh_code == "": + raise Exception(f"Wrong sh code in module {path}. No code found.") + + + self.sh_code = self.sh_code.strip() self.defined_funcs = self.extract_function_names() 
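Review bot: Dropping the `# License:` branch leaves that header line unclassified by the new parser: if it still directly follows `# Description:` (the position the removed fixed-index code required) it is a non-empty line while `is_description` is True and gets appended to `self.description`, and anywhere else it falls through the final `else` into `self.sh_code`; a two-line `elif line.startswith("# License:"):` / `is_description = False` keeps it out of both. The continuation logic `self.description += line + "\n"` also glues the raw comment line, `# ` prefix included, directly onto the first description line, which carries no trailing newline, so something like `self.description += "\n" + line.lstrip("#").strip()` is needed for a readable multi-line description. Because headers are now matched anywhere in the file rather than at fixed positions, a later shell comment that happens to start with `# ID:` or `# Version:` silently overwrites the earlier value; a comment stating that metadata must precede the code, or a guard that stops header matching once `self.sh_code` is non-empty, would pin that contract down. `# Initi data` reads as a typo for `# Init data`. The enclosing `__init__` starts before this hunk.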
@@ -126,15 +170,15 @@ class LinpeasModule: # Check if the indicated dependencies are actually being used for func in self.functions_used: if func not in self.sh_code and func not in self.initial_functions and not "peass{" in self.sh_code: - raise Exception(f"Used function '{func}' in module {path} doesn't exist in the final code") + raise Exception(f"Used function '{func}' in module {path} doesn't exist in the module code") for var in self.global_variables: if var not in self.sh_code and not "peass{" in self.sh_code: - raise Exception(f"Used variable '{var}' in module {path} doesn't exist in the final code") + raise Exception(f"Used variable '{var}' in module {path} doesn't exist in the module code") for var in self.generated_global_variables: if var not in self.sh_code: - raise Exception(f"Generated variable '{var}' in module {path} doesn't exist in the final code") + raise Exception(f"Generated variable '{var}' in module {path} doesn't exist in the module code") # Check for funcs and vars imported from itself for func in self.defined_funcs: @@ -169,7 +213,7 @@ class LinpeasModule: if len(var) > 2 and not var in linux_global_vars and var not in self.global_variables and var not in self.generated_global_variables: if not var.startswith("PSTORAGE_"): if not main_base or var not in main_base.generated_global_variables: - raise Exception(f"Variable '{var}' in module {path} is not defined") + raise Exception(f"Global Variable '{var}' in module {path} is not defined inside the 'Generated Global Variables' metadata") def __eq__(self, other):
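Review bot: The reworded message in the second hunk (`is not defined inside the 'Generated Global Variables' metadata`) is narrower than the condition that raises it, which also accepts the variable through `self.global_variables`, the `PSTORAGE_` prefix and `main_base.generated_global_variables`, so a module author reading it will add the name to the wrong header. Suggest `raise Exception(f"Global Variable '{var}' in module {path} is not declared in this module's 'Global Variables' or 'Generated Global Variables' metadata (nor generated by the base module)")`. The enclosing method starts and ends outside the hunk.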