From f9cfdd200446a7687f5dc3cd51fef144bc52bab0 Mon Sep 17 00:00:00 2001
From: carlospolop
Date: Wed, 3 Jul 2019 21:11:31 +0200
Subject: [PATCH] v1.1.3
---
 README.md | 4 +++-
 linpe.sh | 57 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 322ec27..615a30b 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ This script does not have any dependency.
 There is no need even for bash shell, **it runs using /bin/sh**.
-It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
+It could take from **2 to 3 minutes** to execute the whole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
 This script has several lists included inside of it to be able to color the results in order to discover PE vector.
@@ -128,6 +128,8 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
 - [x] AWS (Files with AWS keys)
 - [x] NFS (privilege escalation misconfiguration)
 - [x] Kerberos (configuration & tickets in /tmp)
+ - [x] Kibana (credentials)
+ - [x] Logstash (Username and possible code execution)
 - **Generic Interesting Files**
diff --git a/linpe.sh b/linpe.sh
index 9aa536d..3b8fc1f 100755
--- a/linpe.sh
+++ b/linpe.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-VERSION="v1.1.2"
+VERSION="v1.1.3"
 C=$(printf '\033')
 RED="${C}[1;31m"
@@ -461,6 +461,14 @@ if [ "$apachever" ]; then
 echo "" >> $file
 fi
+#php coockies files
+phpcookies=`ls /var/lib/php/sessions 2>/dev/null`
+if [ "$phpcookies" ]; then
+ printf $Y"[+] "$GREEN"PHPCookies where found\n"$NC >> $file
+ ls /var/lib/php/sessions 2>/dev/null >> $file
+ echo "" >> $file
+fi
+
 #Wordpress user, password, databname and host
 wp=`find /var /etc /home /root /tmp /usr /opt -type f -name wp-config.php 2>/dev/null`
 if [ "$wp" ]; then
@@ -618,6 +626,26 @@ if [ "$krbtickets" ]; then
 echo "" >> $file
 fi
+#Kibana
+if [ -f "/etc/kibana/kibana.yml" ]; then
+ printf $Y"[+] "$GREEN"Found Kibana: /etc/kibana/kibana.yml\n"$NC >> $file
+ cat /etc/kibana/kibana.yml | grep -v "^#" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m," >> $file
+ echo "" >> $file
+fi
+
+#Logstash
+if [ -d "/etc/logstash" ]; then
+ printf $Y"[+] "$GREEN"Found Logstash: /etc/logstash\n"$NC >> $file
+ if [ -r /etc/logstash/startup.options ]; then
+ echo "Logstash is running as user:" >> $file
+ cat /etc/logstash/startup.options 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," >> $file
+ fi
+ cat /etc/logstash/conf.d/out* | grep "exec\s*{\|command\s*=>" | sed "s,exec\s*{\|command\s*=>,${C}[1;31m&${C}[0m," >> $file
+ cat /etc/logstash/conf.d/filt* | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed "s,path\s*=>\|code\s*=>\|ruby\s*{,${C}[1;31m&${C}[0m," >> $file
+ echo "" >> $file
+fi
+
+
 echo "" >> $file
 printf $B"[*] "$GREEN"Gathering files information...\n"$NC
 printf $B"[*] "$GREEN"GENERAL INTERESTING FILES\n"$NC >> $file
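Review bot: The `ls /var/lib/php/sessions` inside the `if` body repeats the listing already captured into `$phpcookies` two lines above, so the directory is read twice and the printed result can differ from what the guard tested; printing the captured value is simpler and consistent: `printf '%s\n' "$phpcookies" >> $file`. The header string `"PHPCookies where found\n"` has a typo ("where" for "were"), and the path name suggests PHP session files rather than cookies, so `"PHP session files were found\n"` would describe the output better; the comment `#php coockies files` has the same two issues. The silent skip when the directory is unreadable is fine for a best-effort check, since `2>/dev/null` already discards the error.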
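Review bot: The `cat /etc/logstash/conf.d/out*` and `cat /etc/logstash/conf.d/filt*` lines lack the `2>/dev/null` that every other probe in this hunk carries, so when `/etc/logstash` exists but `conf.d` is missing or has no matching file, the unexpanded glob makes `cat` print an error to the terminal rather than into `$file`; write them as `cat /etc/logstash/conf.d/out* 2>/dev/null | grep ...` like the `startup.options` line. The `\s` and `\|` escapes in the `grep` and `sed` patterns of both the Kibana and Logstash blocks are GNU extensions, so on BSD or busybox tools these checks would presumably match nothing; `[[:space:]]*`, which the Kibana `grep -v` already uses, and separate `-e` patterns are the portable forms. The Kibana guard uses `[ -f ]` while the Logstash `startup.options` guard uses `[ -r ]`; with `-f` an unreadable `kibana.yml` still emits the "Found Kibana" header followed by an empty section, so `-r` would be the consistent choice.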
@@ -671,13 +699,28 @@ echo "" >> $file
 printf $Y"[+] "$GREEN".sh files in path\n"$NC >> $file
 for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null | sed "s,$pathshG,${C}[1;32m&${C}[0m," >> $file ; done
 echo "" >> $file
+
+hashespasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
+if [ "$hashespasswd" ]; then
+ printf $Y"[+] "$GREEN"Hashes inside passwd file\n"$NC >> $file
+ printf $B"[i] "$Y"Try to crack the hashes\n"$NC >> $file
+ for h in $hashespasswd; do echo $h | sed "s,.*,${C}[1;31m&${C}[0m," >> $file; done
+ echo "" >> $file
+fi
-printf $Y"[+] "$GREEN"Hashes inside passwd file? Readable shadow file, or /root?\n"$NC >> $file
-printf $B"[i] "$Y"Try to crack the hashes\n"$NC >> $file
-grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
-cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
-ls -ahl /root/ 2>/dev/null >> $file
-echo "" >> $file
+shadowread=`cat /etc/shadow /etc/master.passwd 2>/dev/null`
+if [ "$shadowread" ]; then
+ printf $Y"[+] "$GREEN"Readable Shadow file\n"$NC >> $file
+ cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
+ echo "" >> $file
+fi
+
+rootread=`ls -ahl /root/ 2>/dev/null`
+if [ "$rootread" ]; then
+ printf $Y"[+] "$GREEN"Readable /root\n"$NC >> $file
+ ls -ahl /root/ 2>/dev/null >> $file
+ echo "" >> $file
+fi
 printf $Y"[+] "$GREEN"Files inside \$HOME (limit 20)\n"$NC >> $file
 ls -la $HOME 2>/dev/null | head -n 23 >> $file
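Review bot: `for h in $hashespasswd; do echo $h | ...` word-splits every passwd entry on whitespace and glob-expands it, so an entry whose GECOS field contains spaces is written as several fragments and a `*` in that field would expand to file names; the loop is unnecessary because `sed` already works per line, so `printf '%s\n' "$hashespasswd" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file` prints the captured lines intact. The `shadowread` and `rootread` blocks have a related issue: they re-run `cat /etc/shadow /etc/master.passwd` and `ls -ahl /root/` after already capturing that output, so the file is read twice and what is written can differ from what the guard tested; `printf '%s\n' "$shadowread" | sed ...` and `printf '%s\n' "$rootread" >> $file` avoid the second read. Since the file runs under `/bin/sh`, the `printf '%s\n'` form is also the portable way to emit a value that may start with `-`, which `echo $h` does not handle.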