carlospolop 2019-06-08 12:34:41 +02:00
parent d925d06062
commit 99b069fe99
3 changed files with 20 additions and 16 deletions


@ -10,7 +10,7 @@ This script does not have any dependency.
There is not need even for bash shell, **it runs using /bin/sh**. There is not need even for bash shell, **it runs using /bin/sh**.
It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside files and 1 min to monitor the processes in order to find very frequent cron jobs). It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
This script have several lists included inside it to be able to color the results in order to help to discover PE vector. This script have several lists included inside it to be able to color the results in order to help to discover PE vector.

Binary file not shown.



@ -119,11 +119,11 @@ notBackup="/tdbbackup$\|/db_hotbackup$"
if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi
rm -rf $file 2>/dev/null rm -rf $file 2>/dev/null
echo "linpe v1.0" echo "linpe v1.1"
echo "Output File: $file" | sed "s,.*,${C}[1;4m&${C}[0m," echo "Output File: $file" | sed "s,.*,${C}[1;4m&${C}[0m,"
echo "" >> $file echo "" >> $file
echo "linpe v1.0" | sed "s,.*,${C}[1;94m&${C}[0m," >> $file echo "linpe v1.1" | sed "s,.*,${C}[1;94m&${C}[0m," >> $file
echo "https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist" >> $file echo "https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist" >> $file
echo "LEYEND:" | sed "s,LEYEND,${C}[1;4m&${C}[0m," >> $file echo "LEYEND:" | sed "s,LEYEND,${C}[1;4m&${C}[0m," >> $file
echo "RED/YELLOW: 99% a PE vector" | sed "s,RED/YELLOW,${C}[1;31;103m&${C}[0m," >> $file echo "RED/YELLOW: 99% a PE vector" | sed "s,RED/YELLOW,${C}[1;31;103m&${C}[0m," >> $file
@ -296,8 +296,8 @@ echo "" >> $file
printf $Y"[+] "$GREEN"Testing 'sudo -l' without password & /etc/sudoers\n"$NC >> $file printf $Y"[+] "$GREEN"Testing 'sudo -l' without password & /etc/sudoers\n"$NC >> $file
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands\n"$NC >> $file printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands\n"$NC >> $file
echo '' | sudo -S -l 2>/dev/null | sed "s,$sudoB,${C}[1;31m&${C}[0m," | sed "s,$sudoVB,${C}[1;31;103m&${C}[0m," >> $file echo '' | sudo -S -l 2>/dev/null | sed "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,$sudoVB,${C}[1;31;103m&${C}[0m," >> $file
cat /etc/sudoers 2>/dev/null | sed "s,$sudoB,${C}[1;31m&${C}[0m," | sed "s,$sudoVB,${C}[1;31;103m&${C}[0m," >> $file cat /etc/sudoers 2>/dev/null | sed "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,$sudoVB,${C}[1;31;103m&${C}[0m," >> $file
echo "" >> $file echo "" >> $file
@ -545,7 +545,7 @@ fi
if [ -d "/var/lib/ldap" ]; then if [ -d "/var/lib/ldap" ]; then
printf $Y"[+] "$GREEN"/var/lib/ldap has been found. Trying to extract passwords:\n"$NC >> $file; printf $Y"[+] "$GREEN"/var/lib/ldap has been found. Trying to extract passwords:\n"$NC >> $file;
echo "The password hash is from the {SSHA} to 'structural'" >> $file; echo "The password hash is from the {SSHA} to 'structural'" >> $file;
cat /var/lib/ldap/*.bdb 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq -u | sed "s,administrator\|password,${C}[1;31m&${C}[0m,Ig" >> $file; cat /var/lib/ldap/*.bdb 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq | sed "s,administrator\|password,${C}[1;31m&${C}[0m,Ig" >> $file;
fi fi
#ovpn #ovpn
@ -557,30 +557,34 @@ if [ "$ovpn" ]; then
fi fi
#SSH #SSH
ssh=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null` ssh=`find /home /user /root /etc /opt /var /mnt \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null`
if [ "$ssh" ]; then sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home /root /mnt /etc 2>/dev/null`
if [ "$ssh" ] || [ "$sshrootlogin" ] || [ "$privatekeyfiles" ]; then
printf $Y"[+] "$GREEN"SSH Files\n"$NC >> $file printf $Y"[+] "$GREEN"SSH Files\n"$NC >> $file
echo $ssh >> $file
echo "" >> $file
fi fi
sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` if [ "$ssh" ]; then
echo $ssh >> $file
fi
if [ "$sshrootlogin" = "yes" ]; then if [ "$sshrootlogin" = "yes" ]; then
echo "SSH root login is PERMITTED"| sed "s,.*,${C}[1;31m&${C}[0m," >> $file echo "SSH root login is PERMITTED"| sed "s,.*,${C}[1;31m&${C}[0m," >> $file
echo "" >> $file
fi fi
privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home /root 2>/dev/null`
if [ "$privatekeyfiles" ]; then if [ "$privatekeyfiles" ]; then
privatekeyfilesgrep=`grep -L "\"\|'\|(" $privatekeyfiles` # Check there are not that symbols in the file privatekeyfilesgrep=`grep -L "\"\|'\|(" $privatekeyfiles` # Check there are not that symbols in the file
fi fi
if [ "$privatekeyfilesgrep" ]; then if [ "$privatekeyfilesgrep" ]; then
echo "Private SSH keys found!:\n$privatekeyfilesgrep" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file echo "Private SSH keys found!:\n$privatekeyfilesgrep" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
echo "" >> $file
fi fi
if [ "$ssh" ] || [ "$sshrootlogin" ] || [ "$privatekeyfiles" ]; then
echo "" >> $file
fi
#AWS #AWS
awskeyfiles=`grep -rli "aws_secret_access_key" /home /root 2>/dev/null | grep -v $(basename "$0")` awskeyfiles=`grep -rli "aws_secret_access_key" /home /root /mnt /etc 2>/dev/null | grep -v $(basename "$0")`
if [ "$awskeyfiles" ]; then if [ "$awskeyfiles" ]; then
printf $Y"[+] "$GREEN"AWS Keys\n"$NC >> $file printf $Y"[+] "$GREEN"AWS Keys\n"$NC >> $file
echo "AWS secret keys found!: $awskeyfiles" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file echo "AWS secret keys found!: $awskeyfiles" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
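Review bot: `echo $ssh >> $file` in the new `if [ "$ssh" ]; then` block leaves the expansion unquoted, so the multi-line `ls -la` output collected by the find on the `ssh=` line is word-split and written to the report as a single run-on line; quoting it, `echo "$ssh" >> $file`, keeps one entry per line. The condition `if [ "$ssh" ] || [ "$sshrootlogin" ] || [ "$privatekeyfiles" ]; then` is now evaluated twice, once for the "SSH Files" header and once only to emit the trailing blank line; writing the blank line at the end of the first block, or recording the result in a variable set there, would avoid keeping two copies of the test in sync. The new `find` path list includes `/user`, which looks like it may be a typo for `/usr` — worth confirming, since the old command walked `/` and silently skipping `/usr` changes what gets reported. This hunk appears to continue past the end of the page; the AWS block at the bottom is cut off here.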