Carlos.Martin 2021-07-26 14:27:57 +01:00
parent d639922aaf
commit a2a9a82b50
3 changed files with 26 additions and 19 deletions


@ -574,6 +574,8 @@ search:
- name: "hostapd.conf" - name: "hostapd.conf"
value: value:
bad_regex: "passphrase.*" bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
type: f type: f
search_in: search_in:
- common - common
@ -1266,8 +1268,8 @@ search:
config: config:
auto_check: True auto_check: True
exec: exec:
- '((command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null' - '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
- '((command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null' - '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
- '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null' - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
files: files:
@ -2533,13 +2535,6 @@ search:
search_in: search_in:
- common - common
- name: "system"
value:
just_list_file: True
type: f
search_in:
- common
- name: "system.sav" - name: "system.sav"
value: value:
just_list_file: True just_list_file: True
@ -2625,6 +2620,13 @@ search:
search_in: search_in:
- common - common
- name: "system"
value:
just_list_file: True
type: f
search_in:
- common
# Final section # Final section
- name: Database - name: Database
value: value:
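Review bot: The space added in `( (command -v gpg …` and `( (command -v netpgpkeys …` has no comment explaining it, so a later tidy-up could collapse it back to `((`. The change is presumably there to stop a shell from reading `((` as the start of an arithmetic expression rather than a nested subshell. A comment above the `exec:` list would record that, for example `# keep the space in "( (": "((" may be parsed as arithmetic by the shell`.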


@ -1211,7 +1211,7 @@ if echo $CHECKS | grep -q SysI; then
(sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
print_list "XProtect? ........ "$NC print_list "XProtect? ........ "$NC
(system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5) || echo_no (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
fi fi
#-- SY) ASLR #-- SY) ASLR
@ -1916,7 +1916,7 @@ if echo $CHECKS | grep -q UsrI; then
dscl . list /Users | while read uname; do dscl . list /Users | while read uname; do
ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2) ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
if grep -q "$ushell" /etc/shells; then #Shell user if grep -q "$ushell" /etc/shells; then #Shell user
finger "$uname" finger "$uname" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo "" echo ""
fi fi
done done
@ -2513,7 +2513,8 @@ if echo $CHECKS | grep -q IntFiles; then
if ! [ "$STRACE" ]; then if ! [ "$STRACE" ]; then
echo_not_found "strace" echo_not_found "strace"
fi fi
find / -perm -4000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do
s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total"; then break; fi if echo "$s" | grep -qE "^total"; then break; fi
@ -2574,7 +2575,8 @@ if echo $CHECKS | grep -q IntFiles; then
##-- IF) SGID ##-- IF) SGID
print_2title "SGID" print_2title "SGID"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
find / -perm -2000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do
s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total";then break; fi if echo "$s" | grep -qE "^total";then break; fi
@ -2968,8 +2970,8 @@ if echo $CHECKS | grep -q IntFiles; then
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
printf "%s\n" "$obmowbe" | while read entry; do printf "%s\n" "$obmowbe" | while read entry; do
if echo \"$entry\" | grep -q \"You_can_write_even_more_files_inside_last_directory\"; then printf $ITALIC"$entry\n"$NC; if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
elif echo \"$entry\" | grep -qE \"$writeVB\"; then elif echo "$entry" | grep -qE "$writeVB"; then
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
else else
echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
@ -2986,8 +2988,8 @@ if echo $CHECKS | grep -q IntFiles; then
printf " Group $GREEN$g:\n$NC"; printf " Group $GREEN$g:\n$NC";
iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
printf "%s\n" "$iwfbg" | while read entry; do printf "%s\n" "$iwfbg" | while read entry; do
if echo \"$entry\" | grep -q \"You_can_write_even_more_files_inside_last_directory\"; then printf $ITALIC"$entry\n"$NC; if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
elif echo \"$entry\" | grep -Eq \"$writeVB\"; then elif echo "$entry" | grep -Eq "$writeVB"; then
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
else else
echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
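Review bot: In the SUID hunk the new `while read s` loop passes each path to `ls -lahtr "$s"`, but `read` without `-r` and with the default IFS rewrites backslashes and trims leading or trailing whitespace, so a file with such a name is looked up under the wrong path and is missing from the audit listing. `find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null | while IFS= read -r s; do` keeps the path intact. With `xargs` gone, the `^total` guard and its comment on the following lines describe a case that can no longer occur, and `-tr` no longer orders the list because `ls` now sees one file per call. The SGID hunk has the same points. Both loop bodies continue outside the hunks.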


@ -69,6 +69,9 @@ class LinpeasBuilder:
peass_marks = self.__get_peass_marks() peass_marks = self.__get_peass_marks()
assert len(peass_marks) == 0, f"There are peass marks left: {', '.join(peass_marks)}" assert len(peass_marks) == 0, f"There are peass marks left: {', '.join(peass_marks)}"
#Check for empty seds
assert 'sed -${E} "s,,' not in self.linpeas_sh
def __get_peass_marks(self): def __get_peass_marks(self):
return re.findall(r'peass\{[\w\-\._ ]*\}', self.linpeas_sh) return re.findall(r'peass\{[\w\-\._ ]*\}', self.linpeas_sh)
@ -186,7 +189,7 @@ class LinpeasBuilder:
return sections return sections
def __construct_file_line(self, precord: PEASRecord, frecord: FileRecord, init: bool = True) -> str: def __construct_file_line(self, precord: PEASRecord, frecord: FileRecord, init: bool = True) -> str:
real_regex = frecord.regex[1:] if frecord.regex.startswith("*") else frecord.regex real_regex = frecord.regex[1:] if frecord.regex.startswith("*") and len(frecord.regex) > 1 else frecord.regex
real_regex = real_regex.replace(".","\\.").replace("*",".*") real_regex = real_regex.replace(".","\\.").replace("*",".*")
real_regex += "$" real_regex += "$"
@ -239,7 +242,7 @@ class LinpeasBuilder:
#In case file is type "d" #In case file is type "d"
if frecord.files: if frecord.files:
for ffrecord in frecord.files: for ffrecord in frecord.files:
ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") else ffrecord.regex ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") and ffrecord.regex != "*" else ffrecord.regex
ff_real_regex = ff_real_regex.replace("*",".*") ff_real_regex = ff_real_regex.replace("*",".*")
analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False) analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
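Review bot: The new empty-sed check is an `assert` with no message, so a failing build shows only a bare AssertionError, and the check is skipped entirely if the builder is ever run with `python -O`. `assert 'sed -${E} "s,,' not in self.linpeas_sh, "Empty sed pattern left in linpeas.sh"` fixes the first problem, and an explicit `raise` would fix both. The two lone-`*` guards are spelled differently (`len(frecord.regex) > 1` and `ffrecord.regex != "*"`); using one form in both places would make it clear they are the same rule. `ff_real_regex` also lacks the `.replace(".","\\.")` that `real_regex` gets, so dots in those names stay regex wildcards in the highlight; that line is context here, so it may be intentional.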