diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index 98b3874..c64e9c1 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -2283,6 +2283,21 @@ search: - common + - name: Wget + value: + config: + auto_check: True + + files: + - name: ".wgetrc" + value: + bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*" + remove_empty_lines: True + remove_regex: '^#' + type: f + search_in: + - common + - name: Interesting logs value: config: diff --git a/linPEAS/builder/linpeas_base.sh b/linPEAS/builder/linpeas_base.sh index a2ed43a..200a660 100755 --- a/linPEAS/builder/linpeas_base.sh +++ b/linPEAS/builder/linpeas_base.sh @@ -881,7 +881,7 @@ containerCheck() { [ "$(find / -maxdepth 3 -name \"*dockerenv*\" -exec ls -la {} \; 2>/dev/null)" ] ; then inContainer="1" - containerType="docker" + containerType="docker\n" fi # Are we inside kubenetes? @@ -889,8 +889,8 @@ containerCheck() { grep -qai kubepods /proc/self/cgroup 2>/dev/null; then inContainer="1" - if [ "$containerType" ]; then containerType="$containerType (kubernetes)" - else containerType="kubernetes" + if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n" + else containerType="kubernetes\n" fi fi @@ -899,7 +899,7 @@ containerCheck() { grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then inContainer="1" - containerType="lxc" + containerType="lxc\n" fi # Are we inside podman? @@ -907,14 +907,14 @@ containerCheck() { grep -qa "container=podman" /proc/1/environ 2>/dev/null; then inContainer="1" - containerType="podman" + containerType="podman\n" fi # Check for other container platforms that report themselves in PID 1 env if [ -z "$inContainer" ]; then if grep -a 'container=' /proc/1/environ 2>/dev/null; then inContainer="1" - containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)" + containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n" fi fi } 
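Review bot: The `bad_regex` added for `.wgetrc` is broader than the credential settings it appears meant to flag: `[uU][sS][eE][rR].*` also matches wget's `user_agent` setting. Assuming `bad_regex` drives the highlighting, a harmless line would then be marked the same way as a stored password. Tying the second alternative to the assignment, for example `[uU][sS][eE][rR] *=.*` next to the existing `[pP][aA][sS][sS].*`, would keep the match on `user`, `http_user`, `ftp_user` and `proxy_user`. A one-line YAML comment above the entry stating that wget keeps these values in cleartext would also tell maintainers why the file is on the list.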
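Review bot: Appending a literal `\n` to `containerType` mixes output formatting into a value that is also used as data. In the kubernetes branch (hunk at -889) a previously set `docker\n` becomes `docker\n (kubernetes)\n`, with the escape in the middle of the label. The hunks at -899 and -907 repeat the pattern, and in the last one text read from `/proc/1/environ` ends up in the same string as the escape. If that value is later passed as a printf format, any `%` or backslash in it would be interpreted, though the print site is not visible here. Keeping the assignments plain, e.g. `containerType="docker"`, and adding the newline where the value is printed avoids both; `containerCheck` starts before the first of these hunks.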
@@ -964,7 +964,7 @@ enumerateDockerSockets() { } checkDockerVersionExploits() { - if echo \"$dockerVersion\" | grep -iq \"not found\"; then + if echo "$dockerVersion" | grep -iq "not found"; then VULN_CVE_2019_13139="$(echo_not_found)" VULN_CVE_2019_5736="$(echo_not_found)" return @@ -1313,13 +1313,17 @@ if echo $CHECKS | grep -q Container; then checkDockerRootless print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN}," fi + if df -h | grep docker; then + print_2title "Docker Overlays" + df -h | grep docker + fi fi if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" - print_list "Container ID ...................$NC" $(cat /etc/hostname) + print_list "Container ID ...................$NC $(cat /etc/hostname)" if echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename \"$(cat /proc/1/cpuset)\")\n" fi @@ -2556,6 +2560,8 @@ if echo $CHECKS | grep -q SofI; then peass{Cache Vi} + peass{Wget} + ##-- SI) containerd installed print_2title "Checking if containerd(ctr) is available" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation" diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 908ae52..bf510ab 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py 
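Review bot: The escaped-quote fix in `checkDockerVersionExploits` covers only this one line, while the same `\"` pattern is still visible in context lines of neighbouring hunks. Those are `find / -maxdepth 3 -name \"*dockerenv*\"` in `containerCheck` and `basename \"$(cat /proc/1/cpuset)\"` in the container section. Inside `$( ... )` the backslashes make the quote characters literal, so the `find` pattern and the `basename` argument probably carry stray `"` characters. They likely want the same treatment, e.g. `-name "*dockerenv*"`. The body of `checkDockerVersionExploits` continues past the end of this hunk.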
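Review bot: The new "Docker Overlays" check prints its matches twice. `if df -h | grep docker; then` has no `-q`, so the matching lines go to stdout above the `print_2title` heading and are then printed again by the second `df -h | grep docker`. Use `if df -h 2>/dev/null | grep -q docker; then` for the test so that only the command under the heading produces output. The enclosing `if echo $CHECKS | grep -q Container` block starts outside the hunk.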
@@ -77,6 +77,10 @@ class LinpeasBuilder: print("[+] Building GTFOBins lists...") suidVB, sudoVB, capsVB = self.__get_gtfobins_lists() + assert len(suidVB) > 200, f"Len suidVB is {len(suidVB)}" + assert len(suidVB) > 250, f"Len sudo is {len(sudoVB)}" + assert len(capsVB) > 10, f"Len suidVB is {len(capsVB)}" + self.__replace_mark(SUIDVB1_MARKUP, suidVB[:int(len(suidVB)/2)], "|") self.__replace_mark(SUIDVB2_MARKUP, suidVB[int(len(suidVB)/2):], "|") self.__replace_mark(SUDOVB1_MARKUP, sudoVB[:int(len(sudoVB)/2)], "|")
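Review bot: The second added assert never checks the sudo list: it tests `len(suidVB) > 250` while its message reports `len(sudoVB)`, so an empty or truncated `sudoVB` passes the build unnoticed. It should read `assert len(sudoVB) > 250, f"Len sudoVB is {len(sudoVB)}"`, and the third message should name the right list: `assert len(capsVB) > 10, f"Len capsVB is {len(capsVB)}"`. Because `assert` statements are removed when Python runs with `-O`, an explicit `raise` would be more dependable if these checks are meant to stop a build on an incomplete GTFOBins list. The enclosing method starts above this hunk and continues below it.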