linpeasv2.2.7

This commit is contained in:
carlospolop 2020-01-03 09:57:59 -05:00
parent 9a0173ad7a
commit fc67c4abca


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
VERSION="v2.2.5" VERSION="v2.2.7"
########################################### ###########################################
#---------------) Colors (----------------# #---------------) Colors (----------------#
@ -151,7 +151,7 @@ notBackup="/tdbbackup$\|/db_hotbackup$"
cronjobsG=".placeholder\|0anacron\|0hourly\|apache2\|apport\|aptitude\|apt-compat\|bsdmainutils\|debtags\|dpkg\|e2scrub_all\|fake-hwclock\|john\|logrotate\|man-db\|mdadm\|mlocate\|ntp\|passwd\|php\|raid-check\|rwhod\|samba\|sysstat\|ubuntu-advantage-tools\|update-notifier-common" cronjobsG=".placeholder\|0anacron\|0hourly\|apache2\|apport\|aptitude\|apt-compat\|bsdmainutils\|debtags\|dpkg\|e2scrub_all\|fake-hwclock\|john\|logrotate\|man-db\|mdadm\|mlocate\|ntp\|passwd\|php\|raid-check\|rwhod\|samba\|sysstat\|ubuntu-advantage-tools\|update-notifier-common"
cronjobsB="centreon" cronjobsB="centreon"
processesVB="jdwp" processesVB="jdwp\|tmux\|screen"
mail_apps="Postfix\|Dovecot\|Exim\|SquirrelMail\|Cyrus\|Sendmail\|Courier" mail_apps="Postfix\|Dovecot\|Exim\|SquirrelMail\|Cyrus\|Sendmail\|Courier"
@ -210,7 +210,7 @@ fi
########################################### ###########################################
#---------) Parsing parameters (----------# #---------) Parsing parameters (----------#
########################################### ###########################################
# --) FAST - Do not check 1min of proccesesand su brute # --) FAST - Do not check 1min of procceses and su brute
# --) SUPERFAST - FAST & do not search for special filaes in all the folders # --) SUPERFAST - FAST & do not search for special filaes in all the folders
FAST="1" #By default stealth/fast mode FAST="1" #By default stealth/fast mode
@ -502,9 +502,6 @@ if [ "$IAMROOT" ]; then
fi fi
echo "" echo ""
echo "" echo ""
# To DELETE
printf $Y"\nIMPORTANT CHANGE:$GREEN For satisfying most users and thanks to the incorporation of the 2000pwds/user su bruteforce, the default behaviour of linpeas has been changed to fast/stealth (no writting to disk, no 1min processes check, and no su BF). Use the parameter$Y -a$GREEN to execute all these checks.\n\n"$NC
sleep 2.5
########################################### ###########################################
#-----------) Some Basic Info (-----------# #-----------) Some Basic Info (-----------#
########################################### ###########################################
@ -671,7 +668,7 @@ if [ "`echo $CHECKS | grep Devs`" ]; then
#-- 2D) Unmounted #-- 2D) Unmounted
printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC
printf $B"[i] "$Y"Check if you can mount umounted devices\n"$NC printf $B"[i] "$Y"Check if you can mount umounted devices\n"$NC
cat /etc/fstab 2>/dev/null | grep -v "^#" | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g"
echo "" echo ""
echo "" echo ""
fi fi
@ -756,13 +753,13 @@ if [ "`echo $CHECKS | grep Net`" ]; then
#-- 1NI) Hostname, hosts and DNS #-- 1NI) Hostname, hosts and DNS
printf $Y"[+] "$GREEN"Hostname, hosts and DNS\n"$NC printf $Y"[+] "$GREEN"Hostname, hosts and DNS\n"$NC
cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
dnsdomainname 2>/dev/null dnsdomainname 2>/dev/null
echo "" echo ""
#-- 2NI) /etc/inetd.conf #-- 2NI) /etc/inetd.conf
printf $Y"[+] "$GREEN"Content of /etc/inetd.conf\n"$NC printf $Y"[+] "$GREEN"Content of /etc/inetd.conf\n"$NC
(cat /etc/inetd.conf 2>/dev/null | grep -v "^#") || echo_not_found "/etc/inetd.conf" (cat /etc/inetd.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
echo "" echo ""
#-- 3NI) Networks and neighbours #-- 3NI) Networks and neighbours
@ -775,7 +772,7 @@ if [ "`echo $CHECKS | grep Net`" ]; then
#-- 4NI) Iptables #-- 4NI) Iptables
printf $Y"[+] "$GREEN"Iptables rules\n"$NC printf $Y"[+] "$GREEN"Iptables rules\n"$NC
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#") 2>/dev/null || echo_not_found "iptables rules" (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
echo "" echo ""
#-- 5NI) Ports #-- 5NI) Ports
@ -842,7 +839,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then
#-- 6UI) Pkexec policy #-- 6UI) Pkexec policy
printf $Y"[+] "$GREEN"Checking Pkexec policy\n"$NC printf $Y"[+] "$GREEN"Checking Pkexec policy\n"$NC
(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$groupsB,${C}[1;31m&${C}[0m," | sed "s,$groupsVB,${C}[1;31m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed "s,$GROUPS,${C}[1;31;103m&${C}[0m,") || echo_not_found "/etc/polkit-1/localauthority.conf.d" (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$groupsB,${C}[1;31m&${C}[0m," | sed "s,$groupsVB,${C}[1;31m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed "s,$GROUPS,${C}[1;31;103m&${C}[0m,") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
echo "" echo ""
#-- 7UI) Brute su #-- 7UI) Brute su
@ -956,7 +953,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
for f in $mycfg; do for f in $mycfg; do
if [ -r $f ]; then if [ -r $f ]; then
echo "Found readable $f" echo "Found readable $f"
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,password.*,${C}[1;31m&${C}[0m," cat "$f" | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,password.*,${C}[1;31m&${C}[0m,"
fi fi
done done
mysqlexec=`whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so"` mysqlexec=`whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so"`
@ -980,7 +977,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
for f in $postgconfs; do for f in $postgconfs; do
if [ -r $f ]; then if [ -r $f ]; then
echo "Found readable $f" echo "Found readable $f"
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,auth\|password\|md5\|user=\|pass=,${C}[1;31m&${C}[0m," 2>/dev/null cat "$f" | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,auth\|password\|md5\|user=\|pass=,${C}[1;31m&${C}[0m," 2>/dev/null
echo "" echo ""
fi fi
done done
@ -1065,7 +1062,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
(mongo --version 2>/dev/null || mongod --version 2>/dev/null) || echo_not_found (mongo --version 2>/dev/null || mongod --version 2>/dev/null) || echo_not_found
for f in $mongos; do for f in $mongos; do
echo "Found $f" echo "Found $f"
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,auth*=*true\|pass.*,${C}[1;31m&${C}[0m," 2>/dev/null cat "$f" | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,auth*=*true\|pass.*,${C}[1;31m&${C}[0m," 2>/dev/null
done done
#TODO: Check if you can login without password and warn the user #TODO: Check if you can login without password and warn the user
@ -1100,7 +1097,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
if [ `echo "$f" | grep -i "secrets"` ]; then if [ `echo "$f" | grep -i "secrets"` ]; then
cat "$f" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," cat "$f" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
else else
cat "$f" 2>/dev/null | grep -v "^#" | grep -v "^$" | sed "s,secrets.*\|auth.*users.*=,${C}[1;31m&${C}[0m," cat "$f" 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,secrets.*\|auth.*users.*=,${C}[1;31m&${C}[0m,"
fi fi
echo "" echo ""
done done
@ -1214,7 +1211,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
if [ "$sshconfig" ]; then if [ "$sshconfig" ]; then
echo "" echo ""
echo "Looking inside /etc/ssh/ssh_config for interesting info" echo "Looking inside /etc/ssh/ssh_config for interesting info"
cat "$sshconfig" 2>/dev/null | grep -v "^#" | grep -v "^$" | sed "s,User\|ProxyCommand,${C}[1;31m&${C}[0m," cat "$sshconfig" 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,User\|ProxyCommand,${C}[1;31m&${C}[0m,"
fi fi
echo "" echo ""
@ -1242,7 +1239,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
##-- 25SI) NFS exports ##-- 25SI) NFS exports
printf $Y"[+] "$GREEN"NFS exports?\n"$NC printf $Y"[+] "$GREEN"NFS exports?\n"$NC
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe\n"$NC
if [ "`cat /etc/exports 2>/dev/null`" ]; then cat /etc/exports 2>/dev/null | grep -v "^#" | sed "s,no_root_squash\|no_all_squash ,${C}[1;31;103m&${C}[0m," if [ "`cat /etc/exports 2>/dev/null`" ]; then cat /etc/exports 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | sed "s,no_root_squash\|no_all_squash ,${C}[1;31;103m&${C}[0m,"
else echo_not_found "/etc/exports" else echo_not_found "/etc/exports"
fi fi
echo "" echo ""
@ -1264,7 +1261,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
kibana=`find /var /etc /home /root /tmp /usr /opt -name "kibana.y*ml" 2>/dev/null` kibana=`find /var /etc /home /root /tmp /usr /opt -name "kibana.y*ml" 2>/dev/null`
if [ "$kibana" ]; then if [ "$kibana" ]; then
printf "$kibana\n" printf "$kibana\n"
for f in $kibana; do cat "$f" 2>/dev/null | grep -v "^#" | grep -v "^$" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m,"; done for f in $kibana; do cat "$f" 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m,"; done
else echo_not_found "kibana.yml" else echo_not_found "kibana.yml"
fi fi
echo "" echo ""
@ -1291,7 +1288,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
elasticsearch=`find /var /etc /home /root /tmp /usr /opt -name "elasticsearch.y*ml" 2>/dev/null` elasticsearch=`find /var /etc /home /root /tmp /usr /opt -name "elasticsearch.y*ml" 2>/dev/null`
if [ "$elasticsearch" ]; then if [ "$elasticsearch" ]; then
printf "$elasticsearch\n" printf "$elasticsearch\n"
for f in $elasticsearch; do cat $f 2>/dev/null | grep -v "^#" | grep -v -e '^[[:space:]]*$' | grep "path.data\|path.logs\|cluster.name\|node.name\|network.host\|discovery.zen.ping.unicast.hosts"; done for f in $elasticsearch; do cat $f 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v -e '^[[:space:]]*$' | grep "path.data\|path.logs\|cluster.name\|node.name\|network.host\|discovery.zen.ping.unicast.hosts"; done
echo "Version: $(curl -X GET '10.10.10.115:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" echo "Version: $(curl -X GET '10.10.10.115:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
else echo_not_found else echo_not_found
fi fi
@ -1330,11 +1327,12 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
echo "" echo ""
##-- 33SI) Tmux sessions ##-- 33SI) Tmux sessions
tmuxsess=`tmux ls 2>/dev/null` tmuxdefsess=`tmux ls 2>/dev/null`
tmuxnondefsess=`ps aux | grep "tmux " | grep -v grep`
printf $Y"[+] "$GREEN"Looking for tmux sessions\n"$N printf $Y"[+] "$GREEN"Looking for tmux sessions\n"$N
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC
if [ "$tmuxsess" ]; then if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ]; then
printf "$tmuxsess" | sed "s,.*,${C}[1;31m&${C}[0m," | sed "s,no server running on.*,${C}[32m&${C}[0m," printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed "s,.*,${C}[1;31m&${C}[0m," | sed "s,no server running on.*,${C}[32m&${C}[0m,"
else echo_not_found "tmux" else echo_not_found "tmux"
fi fi
echo "" echo ""
@ -1359,7 +1357,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
for f in $redisconfs; do for f in $redisconfs; do
if [ -r $f ]; then if [ -r $f ]; then
echo "Found readable $f" echo "Found readable $f"
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,masterauth.*\|requirepass.*,${C}[1;31m&${C}[0m," 2>/dev/null cat "$f" | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,masterauth.*\|requirepass.*,${C}[1;31m&${C}[0m," 2>/dev/null
fi fi
done done
echo "" echo ""
@ -1386,7 +1384,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
for f in $mqttconfs; do for f in $mqttconfs; do
if [ -r $f ]; then if [ -r $f ]; then
echo "Found readable $f" echo "Found readable $f"
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,password_file.*\|psk_file.*\|allow_anonymous.*true\|auth,${C}[1;31m&${C}[0m," 2>/dev/null cat "$f" | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null | grep -v "^$" | sed "s,password_file.*\|psk_file.*\|allow_anonymous.*true\|auth,${C}[1;31m&${C}[0m," 2>/dev/null
fi fi
done done
echo "" echo ""
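Review bot: The `grep -Pv "\W*\#"` filter added to every config dump in this commit removes any line that contains a `#` anywhere, not just comment lines, because `\W*` also matches the empty string and the pattern is unanchored — so a `password=abc#123` entry in my.cnf or a `requirepass` value containing `#` in redis.conf is silently dropped from the very output meant to surface it. Anchoring it to leading comment markers, `grep -v "^[[:space:]]*#"`, keeps those lines and also removes the dependency on `-P`; busybox and BSD grep reject `-P` with exit status 2, and with the trailing `2>/dev/null` the whole dump then vanishes with no indication to the operator. In the tmux hunk, `printf "$tmuxdefsess\n$tmuxnondefsess\n"` passes process-derived text as the printf format string, so a command line containing `%` (a socket path built with `-S`, for instance) is mangled or errors out; `printf '%s\n%s\n' "$tmuxdefsess" "$tmuxnondefsess"` is the safe form, and since `tmux ls` has its stderr discarded the `no server running on` colouring presumably never matches. The elasticsearch version probe still targets a hard-coded `10.10.10.115:9200` rather than the local host; that context line is untouched here but looks like a leftover from testing.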