diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh index 579d239..ae52286 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh @@ -24,15 +24,15 @@ fi suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) for s in $suids_files; do s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + # If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total"; then break; fi sname="$(echo $s | awk '{print $9}')" if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing + true # Don't do nothing elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits) echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," else c="a" @@ -55,12 +55,12 @@ for s in $suids_files; do $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do sline_first="$(echo "$sline" | cut -d ' ' -f1)" if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" fi else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then # Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" fi fi @@ -105,7 +105,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sud sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) for s in $sgids_files; do s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + # If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total";then break; fi sname="$(echo $s | awk '{print $9}')" @@ -113,7 +113,7 @@ for s in $sgids_files; do true #Don't do nothing elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits) echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," else c="a" @@ -136,12 +136,12 @@ for s in $sgids_files; do $STRINGS "$sname" | sort | uniq | while read sline; do sline_first="$(echo $sline | cut -d ' ' -f1)" if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary + else # If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then # Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" fi fi @@ -456,7 +456,7 @@ fi if ! [ "$IAMROOT" ]; then print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all + # In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) printf "%s\n" "$obmowbe" | while read entry; do if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; @@ -488,4 +488,4 @@ if ! [ "$IAMROOT" ]; then fi done echo "" -fi \ No newline at end of file +fi