darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge 32116e4c5e into 988ef11d59

Browse Source
This commit is contained in:
Carlos Polop 2021-10-21 15:09:10 +01:00 committed by GitHub
commit fb36433eec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 269 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_lists/sensitive_files.yaml
View File

@ -86,6 +86,8 @@ sudoVB1_markup: "peass{SUDOVB1_HERE}"
sudoVB2_markup: "peass{SUDOVB2_HERE}" sudoVB2_markup: "peass{SUDOVB2_HERE}"
cap_setuid_markup: "peass{CAP_SETUID_HERE}" cap_setuid_markup: "peass{CAP_SETUID_HERE}"
cap_setgid_markup: "peass{CAP_SETGID_HERE}" cap_setgid_markup: "peass{CAP_SETGID_HERE}"
les_markup: "peass{LES}"
les2_markup: "peass{LES2}"

87
linPEAS/builder/linpeas_base.sh
View File

@ -1187,6 +1187,21 @@ if echo $CHECKS | grep -q SysI; then
macosNotSigned /System/Library/Extensions macosNotSigned /System/Library/Extensions
fi fi
if [ "$(command -v bash 2>/dev/null)" ]; then
print_2title "Executing Linux Exploit Suggester"
les_b64="peass{LES}"
echo $les_b64 | base64 -d | bash
echo ""
fi
if [ "$(command -v perl 2>/dev/null)" ]; then
print_2title "Executing Linux Exploit Suggester 2"
les2_b64="peass{LES2}"
echo $les2_b64 | base64 -d | perl
echo ""
fi
#-- SY) AppArmor #-- SY) AppArmor
print_2title "Protections" print_2title "Protections"
print_list "AppArmor enabled? .............. "$NC print_list "AppArmor enabled? .............. "$NC
@ -1678,36 +1693,48 @@ if echo $CHECKS | grep -q ProCronSrvcsTmrsSocks; then
fi fi
echo "" echo ""
print_2title "Writable Sockets"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
find / -type s 2>/dev/null | while read l; do
if [ -w "$l" ]; then
echo "Socket '$l' is writable" | sed "s,.*,${SED_RED},";
fi
done
print_2title "Unix Sockets Listening" print_2title "Unix Sockets Listening"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID") # Search sockets using netstat and ss
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
if ! [ "$unix_scks_list" ];then if ! [ "$unix_scks_list" ];then
unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc") unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
fi fi
printf "%s\n" "$unix_scks_list" | while read l; do if ! [ "$unix_scks_list" ];then
sckt_path=$(echo $l | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n 1) unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
fi
# But also search socket files
unix_scks_list2=$(find / -type s 2>/dev/null)
# Detele repeated dockets and check permissions
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
perms="" perms=""
if [ -r "$sckt_path" ]; then if [ -r "$l" ]; then
perms="Read " perms="Read "
fi fi
if [ -w "$sckt_path" ];then if [ -w "$l" ];then
perms="${perms}Write" perms="${perms}Write"
fi fi
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$sckt_path,${SED_GREEN},g"; if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
else echo "$l" | sed -${E} "s,$sckt_path,${SED_RED},g"; echo " └─(${RED}${perms}${NC})" else
fi echo "$l" | sed -${E} "s,$l,${SED_RED},g"
done echo " └─(${RED}${perms}${NC})"
echo "" # Try to contact the socket
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
#-- PSC) Search HTTP sockets if [ $? -eq 0 ]; then
print_2title "HTTP sockets" owner=$(ls -l "$s" | cut -d ' ' -f 3)
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1 | while read s; do echo "$socketcurl" | head -n 30
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null) fi
if [ $? -eq 0 ]; then
owner=$(ls -l "$s" | cut -d ' ' -f 3)
echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo "$socketcurl" | head -n 30
fi fi
done done
echo "" echo ""
@ -1871,7 +1898,7 @@ if echo $CHECKS | grep -q Net; then
echo "" echo ""
fi fi
if [ "$AUTO_NETWORK_SCAN" ]; then if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then
print_2title "Scanning local networks (using /24)" print_2title "Scanning local networks (using /24)"
select_nc select_nc
local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.") local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
@ -2735,7 +2762,8 @@ if echo $CHECKS | grep -q IntFiles; then
if ! [ "$STRACE" ]; then if ! [ "$STRACE" ]; then
echo_not_found "strace" echo_not_found "strace"
fi fi
find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do suids_files=$(find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
for s in $suids_files; do
s=$(ls -lahtr "$s") s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total"; then break; fi if echo "$s" | grep -qE "^total"; then break; fi
@ -2757,12 +2785,12 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
done; done;
if [ "$c" ]; then if [ "$c" ]; then
if echo \"$s\" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
else else
echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED}," echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED},"
printf $ITALIC printf $ITALIC
if [ "$STRINGS" ]; then if ! [ "$FAST" ] && [ "$STRINGS" ]; then
$STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
sline_first="$(echo "$sline" | cut -d ' ' -f1)" sline_first="$(echo "$sline" | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then if echo "$sline_first" | grep -qEv "$cfuncs"; then
@ -2777,7 +2805,7 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
fi fi
done done
if [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then
printf $ITALIC printf $ITALIC
echo "----------------------------------------------------------------------------------------" echo "----------------------------------------------------------------------------------------"
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
@ -2800,7 +2828,8 @@ if echo $CHECKS | grep -q IntFiles; then
##-- IF) SGID ##-- IF) SGID
print_2title "SGID" print_2title "SGID"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null | while read s; do sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
for s in $sgids_files; do
s=$(ls -lahtr "$s") s=$(ls -lahtr "$s")
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
if echo "$s" | grep -qE "^total";then break; fi if echo "$s" | grep -qE "^total";then break; fi
@ -2827,7 +2856,7 @@ if echo $CHECKS | grep -q IntFiles; then
else else
echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED},"
printf $ITALIC printf $ITALIC
if [ "$STRINGS" ]; then if ! [ "$FAST" ] && [ "$STRINGS" ]; then
$STRINGS "$sname" | sort | uniq | while read sline; do $STRINGS "$sname" | sort | uniq | while read sline; do
sline_first="$(echo $sline | cut -d ' ' -f1)" sline_first="$(echo $sline | cut -d ' ' -f1)"
if echo "$sline_first" | grep -qEv "$cfuncs"; then if echo "$sline_first" | grep -qEv "$cfuncs"; then
@ -2842,7 +2871,7 @@ if echo $CHECKS | grep -q IntFiles; then
fi fi
fi fi
done done
if [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then
printf "$ITALIC" printf "$ITALIC"
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"

18
linPEAS/builder/src/linpeasBuilder.py
View File

@ -1,5 +1,6 @@
import re import re
import requests import requests
import base64
from .peasLoaded import PEASLoaded from .peasLoaded import PEASLoaded
from .peassRecord import PEASRecord from .peassRecord import PEASRecord
@ -24,7 +25,9 @@ from .yamlGlobals import (
SUDOVB1_MARKUP, SUDOVB1_MARKUP,
SUDOVB2_MARKUP, SUDOVB2_MARKUP,
CAP_SETUID_MARKUP, CAP_SETUID_MARKUP,
CAP_SETGID_MARKUP CAP_SETGID_MARKUP,
LES_MARKUP,
LES2_MARKUP
) )
@ -75,6 +78,13 @@ class LinpeasBuilder:
self.__replace_mark(EXTRASECTIONS_MARKUP, list(""), "") #Delete extra markup self.__replace_mark(EXTRASECTIONS_MARKUP, list(""), "") #Delete extra markup
print("[+] Building linux exploit suggesters...")
les_b64, les2_b64 = self.__get_linux_exploit_suggesters()
assert len(les_b64) > 100
assert len(les2_b64) > 100
self.__replace_mark(LES_MARKUP, list(les_b64), "")
self.__replace_mark(LES2_MARKUP, list(les2_b64), "")
print("[+] Building GTFOBins lists...") print("[+] Building GTFOBins lists...")
suidVB, sudoVB, capsVB = self.__get_gtfobins_lists() suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}" assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}"
@ -271,6 +281,12 @@ class LinpeasBuilder:
analise_line += 'done; echo "";' analise_line += 'done; echo "";'
return analise_line return analise_line
def __get_linux_exploit_suggesters(self) -> tuple:
r1 = requests.get("https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh")
r2 = requests.get("https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl")
return(base64.b64encode(bytes(r1.text, 'utf-8')).decode("utf-8"), base64.b64encode(bytes(r2.text, 'utf-8')).decode("utf-8"))
def __get_gtfobins_lists(self) -> tuple: def __get_gtfobins_lists(self) -> tuple:
r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins") r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text) bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text)

3
linPEAS/builder/src/yamlGlobals.py
View File

@ -40,3 +40,6 @@ SUDOVB1_MARKUP = YAML_LOADED["sudoVB1_markup"]
SUDOVB2_MARKUP = YAML_LOADED["sudoVB2_markup"] SUDOVB2_MARKUP = YAML_LOADED["sudoVB2_markup"]
CAP_SETUID_MARKUP = YAML_LOADED["cap_setuid_markup"] CAP_SETUID_MARKUP = YAML_LOADED["cap_setuid_markup"]
CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"] CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"]
LES_MARKUP = YAML_LOADED["les_markup"]
LES2_MARKUP = YAML_LOADED["les2_markup"]

347
linPEAS/linpeas.sh
View File

File diff suppressed because one or more lines are too long