carlospolop 2021-12-19 13:17:45 -05:00
parent 83be61d946
commit c731f6ebe6
6 changed files with 68 additions and 51 deletions


@ -22,7 +22,7 @@ fi
echo "" echo ""
#--SY) USBCreator #--SY) USBCreator
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$VERBOSE" ]; then if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
print_2title "USBCreator" print_2title "USBCreator"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
@ -76,7 +76,7 @@ print_info "Any private information inside environment variables?"
echo "" echo ""
#-- SY) Dmesg #-- SY) Dmesg
if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$VERBOSE" ]; then if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
print_2title "Searching Signature verification failed in dmesg" print_2title "Searching Signature verification failed in dmesg"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg" (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"


@ -42,7 +42,7 @@ command -v netpgp 2>/dev/null || echo_not_found "netpgp"
echo "" echo ""
#-- UI) Clipboard and highlighted text #-- UI) Clipboard and highlighted text
if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$VERBOSE" ]; then if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$DEBUG" ]; then
print_2title "Clipboard or highlighted text?" print_2title "Clipboard or highlighted text?"
if [ "$(command -v xclip 2>/dev/null)" ]; then if [ "$(command -v xclip 2>/dev/null)" ]; then
echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED}," echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
@ -105,7 +105,7 @@ fi
echo "" echo ""
#-- UI) Doas #-- UI) Doas
if [ -f "/etc/doas.conf" ] || [ "$VERBOSE" ]; then if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
print_2title "Checking doas.conf" print_2title "Checking doas.conf"
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null) doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then


@ -40,7 +40,7 @@ if [ "$MACPEAS" ]; then
fi fi
#-- SI) Mysql version #-- SI) Mysql version
if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$VERBOSE" ]; then if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then
print_2title "MySQL version" print_2title "MySQL version"
mysql --version 2>/dev/null || echo_not_found "mysql" mysql --version 2>/dev/null || echo_not_found "mysql"
echo "" echo ""
@ -71,11 +71,12 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$VERBOSE" ]
mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else echo_no else echo_no
fi fi
elif [ "$VERBOSE" ]; then echo_not_found echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Mysql credentials #-- SI) Mysql credentials
if [ "$PSTORAGE_MYSQL" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
print_2title "Searching mysql credentials and exec" print_2title "Searching mysql credentials and exec"
printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
for f in $(find $d -name debian.cnf 2>/dev/null); do for f in $(find $d -name debian.cnf 2>/dev/null); do
@ -108,7 +109,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$VERBOSE" ]; then
echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED}," echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
fi fi
done done
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
@ -117,7 +118,7 @@ peass{MariaDB}
peass{PostgreSQL} peass{PostgreSQL}
#-- SI) PostgreSQL brute #-- SI) PostgreSQL brute
if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$VERBOSE" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it. if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it.
#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ " print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED}," if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
@ -139,7 +140,7 @@ if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$VERBOSE" ]; then # In some
else echo_no else echo_no
fi fi
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Mongo} peass{Mongo}
@ -269,11 +270,11 @@ peass{PAM Auth}
#-- SI) Passwords inside pam.d #-- SI) Passwords inside pam.d
pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#") pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
if [ "$pamdpass" ] || [ "$VERBOSE" ]; then if [ "$pamdpass" ] || [ "$DEBUG" ]; then
print_2title "Passwords inside pam.d" print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{NFS Exports} peass{NFS Exports}
@ -281,7 +282,7 @@ peass{NFS Exports}
#-- SI) Kerberos #-- SI) Kerberos
kadmin_exists="$(command -v kadmin)" kadmin_exists="$(command -v kadmin)"
klist_exists="$(command -v klist)" klist_exists="$(command -v klist)"
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$VERBOSE" ]; then if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
print_2title "Searching kerberos conf files and tickets" print_2title "Searching kerberos conf files and tickets"
print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory" print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
@ -330,7 +331,7 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [
klist 2>/dev/null || echo_not_found "klist" klist 2>/dev/null || echo_not_found "klist"
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Knockd} peass{Knockd}
@ -341,7 +342,7 @@ peass{Elasticsearch}
##-- SI) Logstash ##-- SI) Logstash
print_2title "Searching logstash files" print_2title "Searching logstash files"
if [ "$PSTORAGE_LOGSTASH" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then
printf "$PSTORAGE_LOGSTASH" printf "$PSTORAGE_LOGSTASH"
printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do
if [ -r "$d/startup.options" ]; then if [ -r "$d/startup.options" ]; then
@ -351,33 +352,33 @@ if [ "$PSTORAGE_LOGSTASH" ] || [ "$VERBOSE" ]; then
cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED}," cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED}," cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
done done
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
#-- SI) Vault-ssh #-- SI) Vault-ssh
if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$DEBUG" ]; then
print_2title "Searching Vault-ssh files" print_2title "Searching Vault-ssh files"
printf "$PSTORAGE_VAULT_SSH_HELPER\n" printf "$PSTORAGE_VAULT_SSH_HELPER\n"
printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done
echo "" echo ""
vault secrets list 2>/dev/null vault secrets list 2>/dev/null
printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
elif [ "$VERBOSE" ]; then echo_not_found "vault-ssh-helper.hcl" elif [ "$DEBUG" ]; then echo_not_found "vault-ssh-helper.hcl"
fi fi
echo "" echo ""
#-- SI) Cached AD Hashes #-- SI) Cached AD Hashes
adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null) adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null)
if [ "$adhashes" ] || [ "$VERBOSE" ]; then if [ "$adhashes" ] || [ "$DEBUG" ]; then
print_2title "Searching AD cached hashes" print_2title "Searching AD cached hashes"
ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Screen sessions #-- SI) Screen sessions
if [ "$screensess" ] || [ "$screensess2" ] || [ "$VERBOSE" ]; then if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then
print_2title "Searching screen sessions" print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null) screensess=$(screen -ls 2>/dev/null)
@ -390,14 +391,14 @@ if [ "$screensess" ] || [ "$screensess2" ] || [ "$VERBOSE" ]; then
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Tmux sessions #-- SI) Tmux sessions
tmuxdefsess=$(tmux ls 2>/dev/null) tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null) tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$VERBOSE" ]; then if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then
print_2title "Searching tmux sessions"$N print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
tmux -V tmux -V
@ -407,7 +408,7 @@ if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$VERBOS
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{CouchDB} peass{CouchDB}
@ -417,7 +418,7 @@ peass{Redis}
#-- SI) Dovecot #-- SI) Dovecot
# Needs testing # Needs testing
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null) dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
if [ "$dovecotpass" ] || [ "$VERBOSE" ]; then if [ "$dovecotpass" ] || [ "$DEBUG" ]; then
print_2title "Searching dovecot files" print_2title "Searching dovecot files"
if [ -z "$dovecotpass" ]; then if [ -z "$dovecotpass" ]; then
echo_not_found "dovecot credentials" echo_not_found "dovecot credentials"
@ -430,7 +431,7 @@ if [ "$dovecotpass" ] || [ "$VERBOSE" ]; then
done done
fi fi
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Mosquitto} peass{Mosquitto}
@ -459,7 +460,7 @@ peass{Backup Manager}
##-- SI) passwd files (splunk) ##-- SI) passwd files (splunk)
SPLUNK_BIN="$(command -v splunk 2>/dev/null)" SPLUNK_BIN="$(command -v splunk 2>/dev/null)"
if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then
print_2title "Searching uncommon passwd files (splunk)" print_2title "Searching uncommon passwd files (splunk)"
if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi
printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do
@ -469,10 +470,10 @@ if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$VERBOSE" ]; then
fi fi
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
print_2title "Analyzing kcpassword files" print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword" print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
@ -480,11 +481,11 @@ if [ "$PSTORAGE_KCPASSWORD" ] || [ "$VERBOSE" ]; then
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
##-- SI) Gitlab ##-- SI) Gitlab
if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$VERBOSE" ]; then if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then
print_2title "Searching GitLab related files" print_2title "Searching GitLab related files"
#Check gitlab-rails #Check gitlab-rails
if [ "$(command -v gitlab-rails)" ]; then if [ "$(command -v gitlab-rails)" ]; then
@ -514,7 +515,7 @@ if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$
echo "" echo ""
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Github} peass{Github}
@ -529,7 +530,7 @@ peass{Wget}
##-- SI) containerd installed ##-- SI) containerd installed
containerd=$(command -v ctr) containerd=$(command -v ctr)
if [ "$containerd" ] || [ "$VERBOSE" ]; then if [ "$containerd" ] || [ "$DEBUG" ]; then
print_2title "Checking if containerd(ctr) is available" print_2title "Checking if containerd(ctr) is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
if [ "$containerd" ]; then if [ "$containerd" ]; then
@ -537,23 +538,23 @@ if [ "$containerd" ] || [ "$VERBOSE" ]; then
ctr image list ctr image list
fi fi
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
##-- SI) runc installed ##-- SI) runc installed
runc=$(command -v runc) runc=$(command -v runc)
if [ "$runc" ] || [ "$VERBOSE" ]; then if [ "$runc" ] || [ "$DEBUG" ]; then
print_2title "Checking if runc is available" print_2title "Checking if runc is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
if [ "$runc" ]; then if [ "$runc" ]; then
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi fi
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Docker #-- SI) Docker
if [ "$PSTORAGE_DOCKER" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
print_2title "Searching docker files (limit 70)" print_2title "Searching docker files (limit 70)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket"
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
@ -563,7 +564,7 @@ if [ "$PSTORAGE_DOCKER" ] || [ "$VERBOSE" ]; then
fi fi
done done
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Firefox} peass{Firefox}
@ -573,7 +574,7 @@ peass{Chrome}
peass{Autologin} peass{Autologin}
#-- SI) S/Key athentication #-- SI) S/Key athentication
if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "$VERBOSE" ] ; then if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "$DEBUG" ] ; then
print_2title "S/Key authentication" print_2title "S/Key authentication"
printf "System supports$RED S/Key$NC authentication\n" printf "System supports$RED S/Key$NC authentication\n"
if ! [ -d /etc/skey/ ]; then if ! [ -d /etc/skey/ ]; then
@ -584,12 +585,12 @@ if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "
else else
ls -ld /etc/skey/ 2>/dev/null ls -ld /etc/skey/ 2>/dev/null
fi fi
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
#-- SI) YubiKey athentication #-- SI) YubiKey athentication
if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) || [ "$VERBOSE" ]; then if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) || [ "$DEBUG" ]; then
print_2title "YubiKey authentication" print_2title "YubiKey authentication"
printf "System supports$RED YubiKey$NC authentication\n" printf "System supports$RED YubiKey$NC authentication\n"
if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
@ -599,7 +600,7 @@ if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) |
ls -ld /var/db/yubikey/ 2>/dev/null ls -ld /var/db/yubikey/ 2>/dev/null
fi fi
echo "" echo ""
elif [ "$VERBOSE" ]; then echo_not_found elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{SNMP} peass{SNMP}
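Review bot: The screen-sessions guard `if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]` tests variables that are first assigned inside the block it guards (`screensess=$(screen -ls 2>/dev/null)` is in the body). Unless they are set earlier, outside this hunk, the check only runs when DEBUG is set and is otherwise skipped silently, which is a false negative for anyone reading the output as an audit result. The tmux block further down has the working pattern, with `tmuxdefsess=$(tmux ls 2>/dev/null)` assigned before its `if`. I would move `screensess=$(screen -ls 2>/dev/null)` to the line above the guard, and do the same for `screensess2`, whose assignment is not visible here. The body of the block continues outside the hunk.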


@ -203,7 +203,7 @@ done
echo "" echo ""
##-- IF) Users with capabilities ##-- IF) Users with capabilities
if [ -f "/etc/security/capability.conf" ] || [ "$VERBOSE" ]; then if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
print_2title "Users with capabilities" print_2title "Users with capabilities"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
if [ -f "/etc/security/capability.conf" ]; then if [ -f "/etc/security/capability.conf" ]; then
@ -249,7 +249,7 @@ echo ""
broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)
if [ "$broken_links" ] || [ "$VERBOSE" ]; then if [ "$broken_links" ] || [ "$DEBUG" ]; then
print_2title "Broken links in path" print_2title "Broken links in path"
echo $PATH | tr ":" "\n" | while read d; do echo $PATH | tr ":" "\n" | while read d; do
find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
@ -534,7 +534,7 @@ if ! [ "$IAMROOT" ]; then
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
for g in $(groups); do for g in $(groups); do
iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
if [ "$iwfbg" ] || [ "$VERBOSE" ]; then if [ "$iwfbg" ] || [ "$DEBUG" ]; then
printf " Group $GREEN$g:\n$NC"; printf " Group $GREEN$g:\n$NC";
printf "%s\n" "$iwfbg" | while read entry; do printf "%s\n" "$iwfbg" | while read entry; do
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
@ -550,14 +550,14 @@ if ! [ "$IAMROOT" ]; then
fi fi
##-- IF) Passwords in history files ##-- IF) Passwords in history files
if [ "$PSTORAGE_HISTORY" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then
print_2title "Searching passwords in history files" print_2title "Searching passwords in history files"
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
echo "" echo ""
fi fi
##-- IF) Passwords in config PHP files ##-- IF) Passwords in config PHP files
if [ "$PSTORAGE_PHP_FILES" ] || [ "$VERBOSE" ]; then if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then
print_2title "Searching passwords in config PHP files" print_2title "Searching passwords in config PHP files"
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
echo "" echo ""
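Review bot: The broken-links precheck `broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)` reads `$d` before the `while read d` loop in the body has set it. The guard `[ "$broken_links" ] || [ "$DEBUG" ]` therefore depends on whatever value an earlier loop left in `d`; the preceding code is outside this hunk, so this is inferred from the visible lines. If `d` is empty or unrelated to PATH, the section is shown only under DEBUG and broken links in PATH go unreported. Computing the precheck over the same entries the body walks would keep the two consistent: `broken_links=$(echo "$PATH" | tr ":" "\n" | while read -r d; do find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken; done)`.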


@ -607,9 +607,25 @@ print_title(){
rest_len=$((($max_title_len - $title_len) / 2)) rest_len=$((($max_title_len - $title_len) / 2))
printf ${BLUE} printf ${BLUE}
for i in $(seq 1 $rest_len); do printf " "; done
printf "╔"
for i in $(seq 1 $title_len); do printf "═"; done; printf "══";
printf "╗"
echo ""
for i in $(seq 1 $rest_len); do printf "═"; done for i in $(seq 1 $rest_len); do printf "═"; done
printf "$GREEN${title}${BLUE}" printf "$GREEN${title}${BLUE}"
for i in $(seq 1 $rest_len); do printf "═"; done for i in $(seq 1 $rest_len); do printf "═"; done
echo ""
printf ${BLUE}
for i in $(seq 1 $rest_len); do printf " "; done
printf "╚"
for i in $(seq 1 $title_len); do printf "═"; done; printf "══";
printf "╝"
printf $NC printf $NC
echo "" echo ""
} }
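Review bot: The added `printf ${BLUE}` before the bottom border passes an unquoted expansion as printf's only argument. If BLUE is ever empty, printf is called with no format and prints a usage error; BLUE is defined outside this hunk, so whether a no-colour mode clears it is unverified. Writing `printf "${BLUE}"` avoids that without changing the output. The top and bottom border loops are also identical apart from the corner glyphs, so a small helper taking the two corner characters, called once per border, would remove the duplication. print_title starts outside the hunk.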


@ -208,7 +208,7 @@ class LinpeasBuilder:
for precord in self.ploaded.peasrecords: for precord in self.ploaded.peasrecords:
if precord.auto_check: if precord.auto_check:
section = f'if [ "$PSTORAGE_{precord.bash_name}" ] || [ "$VERBOSE" ]; then\n' section = f'if [ "$PSTORAGE_{precord.bash_name}" ] || [ "$DEBUG" ]; then\n'
section += f' print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n' section += f' print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n'
for exec_line in precord.exec: for exec_line in precord.exec:
@ -218,7 +218,6 @@ class LinpeasBuilder:
for frecord in precord.filerecords: for frecord in precord.filerecords:
section += " " + self.__construct_file_line(precord, frecord) + "\n" section += " " + self.__construct_file_line(precord, frecord) + "\n"
section += 'elif [ "$VERBOSE" ]; then echo_not_found\n'
section += "fi\n" section += "fi\n"
sections[precord.name] = section sections[precord.name] = section
@ -285,7 +284,8 @@ class LinpeasBuilder:
for ffrecord in frecord.files: for ffrecord in frecord.files:
ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") and ffrecord.regex != "*" else ffrecord.regex ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") and ffrecord.regex != "*" else ffrecord.regex
ff_real_regex = ff_real_regex.replace("*",".*") ff_real_regex = ff_real_regex.replace("*",".*")
analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False) #analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
analise_line += 'find "$f" -name "'+ffrecord.regex+'" | while read ff; do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
analise_line += 'done; echo "";' analise_line += 'done; echo "";'
return analise_line return analise_line
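Review bot: The generated loop `find "$f" -name "..." | while read ff; do` reads paths with a bare `read`, which strips leading and trailing whitespace and consumes backslashes. A file name containing either reaches `ls -ld "$ff"` altered and is then reported as missing. Emitting `while IFS= read -r ff; do` keeps the name intact; names with embedded newlines would still split, as they did with the old `for` form. The superseded `for ff in $(find ...)` line is left behind as a comment and can be deleted, since history keeps it. The enclosing LinpeasBuilder method starts outside the hunk.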