From ec9341554e231e6e5aaf2b2100eec792cc6421a2 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Mon, 24 Aug 2020 12:22:26 -0400 Subject: [PATCH] linpeasv2.7.1 --- linPEAS/README.md | 2 + linPEAS/linpeas.sh | 191 +++++++++++++++++++++++++++------------------ 2 files changed, 118 insertions(+), 75 deletions(-) diff --git a/linPEAS/README.md b/linPEAS/README.md index 035b562..5c883a2 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md @@ -238,6 +238,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm - [x] Erlang Cookie - [X] GVM config - [x] IPSEC files + - [x] IRSSI config file - **Generic Interesting Files** @@ -248,6 +249,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm - [x] Files with ACLs - [x] .sh scripts in PATH - [x] scripts in /etc/profile.d + - [x] scripts in init, init.d and systemd - [x] Hashes (passwd, group, shadow & master.passwd) - [x] Credentials in fstab - [x] Try to read root dir diff --git a/linPEAS/linpeas.sh b/linPEAS/linpeas.sh index dc10091..759a7bc 100755 --- a/linPEAS/linpeas.sh +++ b/linPEAS/linpeas.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="v2.7.0" +VERSION="v2.7.1" ADVISORY="linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission." @@ -863,7 +863,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then #-- SY) Dmesg printf $Y"[+] "$GREEN"Searching Signature verification failed in dmseg\n"$NC - (dmesg 2>/dev/null | grep signature) || echo_not_found + (dmesg 2>/dev/null | grep "signature") || echo_not_found echo "" #-- SY) AppArmor @@ -882,19 +882,19 @@ if [ "`echo $CHECKS | grep SysI`" ]; then printf $Y"[+] "$GREEN"grsecurity present? ............ "$NC ((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity") - #-- SY) Execshield + #-- SY) PaX printf $Y"[+] "$GREEN"PaX bins present? .............. "$NC (which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX") - #-- SY) PaX + #-- SY) Execshield printf $Y"[+] "$GREEN"Execshield enabled? ............ "$NC (grep "exec-shield" /etc/sysctl.conf || echo_not_found "Execshield") | sed "s,=0,${C}[1;31m&${C}[0m," - #-- 8SY) SElinux + #-- SY) SElinux printf $Y"[+] "$GREEN"SELinux enabled? ............... "$NC (sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${C}[1;31m&${C}[0m," - #-- 11SY) ASLR + #-- SY) ASLR printf $Y"[+] "$GREEN"Is ASLR enabled? ............... "$NC ASLR=`cat /proc/sys/kernel/randomize_va_space 2>/dev/null` if [ -z "$ASLR" ]; then @@ -904,11 +904,11 @@ if [ "`echo $CHECKS | grep SysI`" ]; then echo "" fi - #-- 9SY) Printer + #-- SY) Printer printf $Y"[+] "$GREEN"Printer? ....................... "$NC lpstat -a 2>/dev/null || echo_not_found "lpstat" - #-- 10SY) Container + #-- SY) Container printf $Y"[+] "$GREEN"Is this a container? ........... "$NC dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` @@ -917,7 +917,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then else echo_no fi - #-- ????) Containers Running + #-- SY) Containers Running printf $Y"[+] "$GREEN"Any running containers? ........ "$NC # Get counts of running containers for each platform dockercontainers=`docker ps --format "{{.Names}}" 2>/dev/null | wc -l` @@ -1024,7 +1024,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then crontab -l 2>/dev/null | sed "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," ls -al /etc/cron* 2>/dev/null | sed "s,$cronjobsG,${C}[1;32m&${C}[0m,g" | sed "s,$cronjobsB,${C}[1;31m&${C}[0m,g" cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/cron/crontabs/* /var/spool/anacron /etc/incron.d/* /var/spool/incron/* 2>/dev/null | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - crontab -l -u $USER 2>/dev/null + crontab -l -u "$USER" 2>/dev/null echo "" #-- 5PSC) Services @@ -1187,36 +1187,41 @@ if [ "`echo $CHECKS | grep Net`" ]; then ########################################### printf $B"===================================( "$GREEN"Network Information"$B" )====================================\n"$NC - #-- 1NI) Hostname, hosts and DNS + #-- NI) Hostname, hosts and DNS printf $Y"[+] "$GREEN"Hostname, hosts and DNS\n"$NC cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null dnsdomainname 2>/dev/null || echo_not_found "dnsdomainname" echo "" - #-- 2NI) /etc/inetd.conf + #-- NI) /etc/inetd.conf printf $Y"[+] "$GREEN"Content of /etc/inetd.conf & /etc/xinetd.conf\n"$NC (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) || echo_not_found "/etc/inetd.conf" echo "" - #-- 3NI) Networks and neighbours - printf $Y"[+] "$GREEN"Networks and neighbours\n"$NC + #-- NI) Interfaces + printf $Y"[+] "$GREEN"Interfaces\n"$NC cat /etc/networks 2>/dev/null (ifconfig || ip a) 2>/dev/null - (route || ip n) 2>/dev/null echo "" - #-- 4NI) Iptables + #-- NI) Neighbours + printf $Y"[+] "$GREEN"Networks and neighbours\n"$NC + (route || ip n) 2>/dev/null + (arp -e || arp -a) 2>/dev/null + echo "" + + #-- NI) Iptables printf $Y"[+] "$GREEN"Iptables rules\n"$NC (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules" echo "" - #-- 5NI) Ports + #-- NI) Ports printf $Y"[+] "$GREEN"Active Ports\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#internal-open-ports\n"$NC (netstat -punta || ss --ntpu) 2>/dev/null | sed "s,127.0.0.1,${C}[1;31m&${C}[0m," echo "" - #-- 6NI) tcpdump + #-- NI) tcpdump printf $Y"[+] "$GREEN"Can I sniff with tcpdump?\n"$NC timeout 1 tcpdump >/dev/null 2>&1 if [ $? -eq 124 ]; then #If 124, then timed out == It worked @@ -1297,6 +1302,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then done if [ -f "/tmp/shrndom" ]; then echo "Sudo tokens exploit worked, you can escalate privileges using '/tmp/shrndom -p'" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; + else echo "The escalation didn't work... (try again later?)" fi fi @@ -1376,12 +1382,12 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ########################################### printf $B"===================================( "$GREEN"Software Information"$B" )===================================\n"$NC - #-- 1SI) Mysql version + #-- SI) Mysql version printf $Y"[+] "$GREEN"MySQL version\n"$NC mysql --version 2>/dev/null || echo_not_found "mysql" echo "" - #-- 2SI) Mysql connection root/root + #-- SI) Mysql connection root/root printf $Y"[+] "$GREEN"MySQL connection using default root/root ........... "$NC mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then @@ -1390,7 +1396,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then else echo_no fi - #-- 3SI) Mysql connection root/toor + #-- SI) Mysql connection root/toor printf $Y"[+] "$GREEN"MySQL connection using root/toor ................... "$NC mysqlconnect=`mysqladmin -uroot -ptoor version 2>/dev/null` if [ "$mysqlconnect" ]; then @@ -1399,7 +1405,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then else echo_no fi - #-- 4SI) Mysql connection root/NOPASS + #-- SI) Mysql connection root/NOPASS mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` printf $Y"[+] "$GREEN"MySQL connection using root/NOPASS ................. "$NC if [ "$mysqlconnectnopass" ]; then @@ -1408,7 +1414,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then else echo_no fi - #-- 5SI) Mysql credentials + #-- SI) Mysql credentials printf $Y"[+] "$GREEN"Searching mysql credentials and exec\n"$NC mysqldirs=$(echo "$FIND_DIR_ETC $FIND_DIR_USR $FIND_DIR_VAR" | grep -E '^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql' | grep -v "mysql/mysql") if [ "$mysqldirs" ]; then @@ -1451,7 +1457,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 6SI) PostgreSQL info + #-- SI) PostgreSQL info printf $Y"[+] "$GREEN"PostgreSQL version and pgadmin credentials\n"$NC postgver=`psql -V 2>/dev/null` postgdb=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'pgadmin.*\.db$') @@ -1470,7 +1476,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 7SI) PostgreSQL brute + #-- SI) PostgreSQL brute if [ "$TIMEOUT" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it. #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this printf $Y"[+] "$GREEN"PostgreSQL connection to template0 using postgres/NOPASS ........ "$NC @@ -1495,7 +1501,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then echo "" fi - #-- 8SI) Apache info + #-- SI) Apache info printf $Y"[+] "$GREEN"Apache server info\n"$NC apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then @@ -1512,7 +1518,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 9SI) PHP cookies files + #-- SI) PHP cookies files phpsess1=`ls /var/lib/php/sessions 2>/dev/null` phpsess2=$(echo "$FIND_TMP $FIND_VAR" | grep -E '/tmp/.*sess_.*|/var/tmp/.*sess_.*') printf $Y"[+] "$GREEN"Searching PHPCookies\n"$NC @@ -1523,7 +1529,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 10SI) Wordpress user, password, databname and host + #-- SI) Wordpress user, password, databname and host printf $Y"[+] "$GREEN"Searching Wordpress wp-config.php files\n"$NC wp=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'wp-config\.php$') if [ "$wp" ]; then @@ -1533,7 +1539,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 10SI) Drupal user, password, databname and host + #-- SI) Drupal user, password, databname and host printf $Y"[+] "$GREEN"Searching Drupal settings.php files\n"$NC drup=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'settings\.php$') if [ "`echo $drup | grep '/default/settings.php'`" ]; then #Check path /default/settings.php @@ -1543,7 +1549,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 11SI) Tomcat users + #-- SI) Tomcat users printf $Y"[+] "$GREEN"Searching Tomcat users file\n"$NC tomcat=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'tomcat-users\.xml$') if [ "$tomcat" ]; then @@ -1553,7 +1559,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 12SI) Mongo Information + #-- SI) Mongo Information printf $Y"[+] "$GREEN"Mongo information\n"$NC mongos=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'mongod.*\.conf$') (mongo --version 2>/dev/null || mongod --version 2>/dev/null) || echo_not_found @@ -1565,7 +1571,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #TODO: Check if you can login without password and warn the user echo "" - #-- 13SI) Supervisord conf file + #-- SI) Supervisord conf file printf $Y"[+] "$GREEN"Searching supervisord configuration file\n"$NC supervisor=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'supervisord\.conf') if [ "$supervisor" ]; then @@ -1575,7 +1581,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 14SI) Cesi conf file + #-- SI) Cesi conf file cesi=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'cesi\.conf') printf $Y"[+] "$GREEN"Searching cesi configuration file\n"$NC if [ "$cesi" ]; then @@ -1585,7 +1591,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - #-- 15SI) Rsyncd conf file + #-- SI) Rsyncd conf file rsyncd=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'rsyncd\.conf|rsyncd\.secrets') printf $Y"[+] "$GREEN"Searching Rsyncd config file\n"$NC if [ "$rsyncd" ]; then @@ -1601,7 +1607,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then else echo_not_found "rsyncd.conf" fi - ##-- 16SI) Hostapd conf file + #-- SI) Hostapd conf file printf $Y"[+] "$GREEN"Searching Hostapd config file\n"$NC hostapd=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'hostapd\.conf') if [ "$hostapd" ]; then @@ -1612,7 +1618,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 17SI) Wifi conns + #-- SI) Wifi conns printf $Y"[+] "$GREEN"Searching wifi conns file\n"$NC wifi=`find /etc/NetworkManager/system-connections/ 2>/dev/null` if [ "$wifi" ]; then @@ -1622,7 +1628,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 18SI) Anaconda-ks conf files + #-- SI) Anaconda-ks conf files printf $Y"[+] "$GREEN"Searching Anaconda-ks config files\n"$NC anaconda=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'anaconda-ks\.cfg') if [ "$anaconda" ]; then @@ -1632,7 +1638,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 19SI) VNC files + #-- SI) VNC files printf $Y"[+] "$GREEN"Searching .vnc directories and their passwd files\n"$NC vnc=$(echo "$FIND_DIR_HOME $FIND_DIR_ROOT " | grep -E '\.vnc') if [ "$vnc" ]; then @@ -1642,7 +1648,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 20SI) LDAP directories + #-- SI) LDAP directories printf $Y"[+] "$GREEN"Searching ldap directories and their hashes\n"$NC ldap=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT" | grep -E 'ldap$') if [ "$ldap" ]; then @@ -1653,7 +1659,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 21SI) .ovpn files + #-- SI) .ovpn files printf $Y"[+] "$GREEN"Searching .ovpn files and credentials\n"$NC ovpn=$(echo "$FIND_ETC $FIND_USR $FIND_HOME $FIND_ROOT" | grep -E '\.ovpn') if [ "$ovpn" ]; then @@ -1663,7 +1669,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 22SI) ssh files + #-- SI) ssh files printf $Y"[+] "$GREEN"Searching ssl/ssh files\n"$NC ssh=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT" | grep -E 'id_dsa.*|id_rsa.*|known_hosts|authorized_hosts|authorized_keys') certsb4=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT" | grep -E '.*\.pem|.*\.cer|.*\.crt' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib.*') @@ -1740,7 +1746,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 23SI) PAM auth + #-- SI) PAM auth printf $Y"[+] "$GREEN"Searching unexpected auth lines in /etc/pam.d/sshd\n"$NC pamssh=`cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth` if [ "$pamssh" ]; then @@ -1749,7 +1755,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 24SI) Cloud keys + #-- SI) Cloud keys printf $Y"[+] "$GREEN"Searching Cloud credentials (AWS, Azure, GC)\n"$NC cloudcreds=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'credentials$|credentials\.db$|legacy_credentials\.db$|access_tokens\.db$|accessTokens\.json$|azureProfile\.json$') if [ "$cloudcreds" ]; then @@ -1763,7 +1769,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 25SI) NFS exports + #-- SI) NFS exports printf $Y"[+] "$GREEN"NFS exports?\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe\n"$NC if [ "`cat /etc/exports 2>/dev/null`" ]; then cat /etc/exports 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,no_root_squash\|no_all_squash ,${C}[1;31;103m&${C}[0m," @@ -1771,7 +1777,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 26SI) Kerberos + #-- SI) Kerberos printf $Y"[+] "$GREEN"Searching kerberos conf files and tickets\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt\n"$NC krb5=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT" | grep -E 'krb5\.conf') @@ -1783,7 +1789,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then klist 2>/dev/null || echo_not_found "klist" echo "" - ##-- 27SI) kibana + #-- SI) kibana printf $Y"[+] "$GREEN"Searching Kibana yaml\n"$NC kibana=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'kibana\.y.*ml') if [ "$kibana" ]; then @@ -1793,7 +1799,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 28SI) Knock + #-- SI) Knock printf $Y"[+] "$GREEN"Searching Knock configuration\n"$NC Knock=$(echo "$FIND_ETC" | grep -E '/etc/init.d/.*knockd.*') if [ "$Knock" ]; then @@ -1808,7 +1814,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ###-- 29SI) Logstash + ##-- SI) Logstash printf $Y"[+] "$GREEN"Searching logstash files\n"$NC logstash=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT" | grep -E 'logstash') if [ "$logstash" ]; then @@ -1825,7 +1831,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 30SI) Elasticsearch + #-- SI) Elasticsearch printf $Y"[+] "$GREEN"Searching elasticsearch files\n"$NC elasticsearch=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'elasticsearch\.y.*ml') if [ "$elasticsearch" ]; then @@ -1836,7 +1842,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 31SI) Vault-ssh + #-- SI) Vault-ssh printf $Y"[+] "$GREEN"Searching Vault-ssh files\n"$NC vaultssh=$(echo "$FIND_ETC $FIND_USR $FIND_HOME $FIND_ROOT" | grep -E 'vault-ssh-helper\.hcl') if [ "$vaultssh" ]; then @@ -1849,7 +1855,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 32SI) Cached AD Hashes + #-- SI) Cached AD Hashes adhashes=`ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null` printf $Y"[+] "$GREEN"Searching AD cached hashes\n"$NC if [ "$adhashes" ]; then @@ -1858,7 +1864,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 33SI) Screen sessions + #-- SI) Screen sessions printf $Y"[+] "$GREEN"Searching screen sessions\n"$N printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC screensess=`screen -ls 2>/dev/null` @@ -1868,7 +1874,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 34SI) Tmux sessions + #-- SI) Tmux sessions tmuxdefsess=`tmux ls 2>/dev/null` tmuxnondefsess=`ps aux | grep "tmux " | grep -v grep` printf $Y"[+] "$GREEN"Searching tmux sessions\n"$N @@ -1879,7 +1885,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 35SI) Couchdb + #-- SI) Couchdb printf $Y"[+] "$GREEN"Searching Couchdb directory\n"$NC couchdb_dirs=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT" | grep -E 'couchdb') for d in $couchdb_dirs; do @@ -1893,7 +1899,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then done echo "" - ##-- 36SI) Redis + #-- SI) Redis printf $Y"[+] "$GREEN"Searching redis.conf\n"$NC redisconfs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'redis\.conf$') for f in $redisconfs; do @@ -1904,7 +1910,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then done echo "" - ##-- 37SI) Dovecot + #-- SI) Dovecot # Needs testing printf $Y"[+] "$GREEN"Searching dovecot files\n"$NC dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null) @@ -1920,7 +1926,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi echo "" - ##-- 38SI) Mosquitto + #-- SI) Mosquitto printf $Y"[+] "$GREEN"Searching mosquitto.conf\n"$NC mqttconfs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'mosquitto\.conf$') for f in $mqttconfs; do @@ -1931,7 +1937,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then done echo "" - ##-- 39SI) Neo4j + #-- SI) Neo4j printf $Y"[+] "$GREEN"Searching neo4j auth file\n"$NC neo4j=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT" | grep -E 'neo4j') for d in $neo4j; do @@ -1942,7 +1948,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then done echo "" - ##-- 40SI) Cloud-Init + #-- SI) Cloud-Init printf $Y"[+] "$GREEN"Searching Cloud-Init conf file\n"$NC cloudcfg=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT" | grep -E 'cloud\.cfg$') for f in $cloudcfg; do @@ -2066,7 +2072,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Capabilities printf $Y"[+] "$GREEN"Capabilities\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities\n"$NC - (getcap -r / 2>/dev/null | sed "s,$sudocapsB,${C}[1;31m&${C}[0m," | sed "s,$capsB,${C}[1;31m&${C}[0m,") || echo_not_found + capbins=`getcap -r / 2>/dev/null | cut -d " " -f1` + for cb in "`getcap -r / 2>/dev/null`"; do + echo "$cb" | sed "s,$sudocapsB,${C}[1;31m&${C}[0m," | sed "s,$capsB,${C}[1;31m&${C}[0m," + if [ -w "`echo \"$cb\" | cut -d \" \" -f1`" ]; then + echo "$cb is writable" | sed "s,.*,${C}[1;31m&${C}[0m," + fi + done echo "" ##-- IF) Users with capabilities @@ -2079,7 +2091,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Files with ACLs printf $Y"[+] "$GREEN"Files with ACLs\n"$NC - ((getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," + ((getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," echo "" ##-- IF) .sh files in PATH @@ -2095,11 +2107,30 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Files (scripts) in /etc/profile.d/ printf $Y"[+] "$GREEN"Files (scripts) in /etc/profile.d/\n"$NC (ls -la /etc/profile.d/ | sed "s,$profiledG,${C}[1;32m&${C}[0m,") || echo_not_found "/etc/profile.d/" + if [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/profile.d/ -writable`" ]; then echo "You have write privileges over `find /etc/profile.d/ -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + echo "" + + ##-- IF) Files (scripts) in /etc/init.d/ + printf $Y"[+] "$GREEN"Permissions in init, init.d and systemd\n"$NC + if [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/init/ -writable -type f 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/init/ -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/init.d/ -writable `" ]; then echo "You have write privileges over `find /etc/init.d/ -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/rc.d/init.d -writable -type f 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/rc.d/init.d -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /usr/local/etc/rc.d -writable -type f 2>/dev/null`" ]; then echo "You have write privileges over `find /usr/local/etc/rc.d -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/systemd/ -writable -type f 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/systemd/ -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /lib/systemd/ -writable -type f 2>/dev/null`" ]; then echo "You have write privileges over `find /lib/systemd/ -writable`" | sed "s,.*,${C}[1;31;103m&${C}[0m,"; fi echo "" ##-- IF) Hashes in passwd file printf $Y"[+] "$GREEN"Hashes inside passwd file? ........... "$NC - if [ "`grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]' /etc/passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," + if [ "`grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," else echo_no fi @@ -2119,7 +2150,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Read shadow files printf $Y"[+] "$GREEN"Can I read shadow files? ............. "$NC - if [ "`cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null`" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," + if [ "`cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null`" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," else echo_no fi @@ -2149,7 +2180,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Others files in my dirs if ! [ "$IAMROOT" ]; then printf $Y"[+] "$GREEN"Searching others files in folders owned by me\n"$NC - (for d in `find /var /etc /home /root /tmp /usr /opt /boot /sys -type d -user $USER 2>/dev/null`; do find $d ! -user \`whoami\` -exec ls -l {} \; 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g"; done) || echo_not_found + (for d in `find /var /etc /home /root /tmp /usr /opt /boot /sys -type d -user "$USER" 2>/dev/null`; do find "$d" ! -user "$USER" -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g" echo "" fi @@ -2314,9 +2345,9 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then for entry in `find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -v $notExtensions | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 10){ print line_init; } if (cont == "10"){print "#)You_can_write_even_more_files_inside_last_directory"}; pre=act }' | head -n500`; do if [ `echo "$entry" | grep "You_can_write_even_more_files_inside_last_directory"` ]; then printf $ITALIC"$entry\n"$NC; elif [ `echo $entry | grep "$writeVB"` ]; then - echo $entry | sed "s,$writeVB,${C}[1;31;103m&${C}[0m," + echo "$entry" | sed "s,$writeVB,${C}[1;31;103m&${C}[0m," else - echo $entry | sed "s,$writeB,${C}[1;31m&${C}[0m," + echo "$entry" | sed "s,$writeB,${C}[1;31m&${C}[0m," fi done done @@ -2352,17 +2383,27 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then ##-- IF) Find possible files with passwords printf $Y"[+] "$GREEN"Finding 'pwd' or 'passw' variables (and interesting php db definitions) inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)\n"$NC - timeout 100 grep -RiIE "(pwd|passwd|password).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed "s,pwd\|passw\|define,${C}[1;31m&${C}[0m,gI" + timeout 120 grep -RiIE "(pwd|passwd|password).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed "s,pwd\|passw\|define,${C}[1;31m&${C}[0m,gI" echo "" ##-- IF) Find possible files with passwords printf $Y"[+] "$GREEN"Finding possible password variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)\n"$NC - timeout 100 grep -RiIE "($pwd_in_variables).*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed -E "s,$pwd_in_variables,${C}[1;31m&${C}[0m,gI" + timeout 120 grep -RiIE "($pwd_in_variables).*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed -E "s,$pwd_in_variables,${C}[1;31m&${C}[0m,gI" + echo "" + + ##-- IF) Find possible conf files with passwords + printf $Y"[+] "$GREEN"Finding possible password in config files\n"$NC + for f in `find /home /etc /root /tmp -name "*.conf" -o -name "*.cnf" -o -name "*.config" 2>/dev/null`; do + if [ "`grep -EiI 'passwd.*|creden.*' \"$f\"`" ]; then + echo $ITALIC" $f"$NC + grep -EiIo 'passw.*|creden.*' "$f" 2>/dev/null | sed "s,passw\|creden,${C}[1;31m&${C}[0m,gI" + fi + done echo "" ##-- IF) Find possible files with usernames printf $Y"[+] "$GREEN"Finding 'username' string inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)\n"$NC - timeout 100 grep -RiIE "username.*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed "s,username,${C}[1;31m&${C}[0m,gI" + timeout 120 grep -RiIE "username.*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed "s,username,${C}[1;31m&${C}[0m,gI" echo "" ##-- IF) Specific hashes inside files @@ -2376,7 +2417,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then regexapr1md5='\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}' regexsha512crypt='\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}' regexapachesha='\{SHA\}[0-9a-zA-Z/_=]{10,}' - timeout 100 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -v $notExtensions | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | head -n 70 | sed "s,:.*,${C}[1;31m&${C}[0m," + timeout 120 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -v $notExtensions | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | head -n 70 | sed "s,:.*,${C}[1;31m&${C}[0m," echo "" fi @@ -2387,17 +2428,17 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then regexsha1='(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)' regexsha256='(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)' regexsha512='(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)' - timeout 200 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -v $notExtensions | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " There are more hashes files in the previous parent folder"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${C}[1;31m&${C}[0m," | sed "s,There are more hashes files in the previous parent folder,${C}[1;32m&${C}[0m," + timeout 240 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -v $notExtensions | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " There are more hashes files in the previous parent folder"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${C}[1;31m&${C}[0m," | sed "s,There are more hashes files in the previous parent folder,${C}[1;32m&${C}[0m," echo "" fi if ! [ "$SUPERFAST" ] && ! [ "$FAST" ]; then ##-- IF) Find URIs with user:password@hoststrings printf $Y"[+] "$GREEN"Finding URIs with user:password@host inside /home /var/www /var/backups /tmp /etc /root /mnt\n"$NC - timeout 200 grep -RiIE "://(.+):(.+)@" /var/www /var/backups /tmp /etc 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" - timeout 200 grep -RiIE "://(.+):(.+)@" /home 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" - timeout 200 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" - timeout 200 grep -RiIE "://(.+):(.+)@" /root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" + timeout 240 grep -RiIE "://(.+):(.+)@" /var/www /var/backups /tmp /etc 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" + timeout 240 grep -RiIE "://(.+):(.+)@" /home 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" + timeout 240 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" + timeout 240 grep -RiIE "://(.+):(.+)@" /root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,gI" echo "" fi fi