Merge pull request #483 from securitytime/patch-1

Update Beaprint.cs

.github/workflows/CI-master_tests.yml

@@ -99,6 +99,17 @@ jobs:
             Write-Error "winPEAS.exe not found at $exePath"
           }
       
+      - name: Execute winPEAS networkinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath networkinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+      
       # Copy the built versions
       - name: Copy all versions
         run: |

README.md

@@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
 
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
 
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 - **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
 
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**
 - **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
 ## Quick Start

build_lists/sensitive_files.yaml

@@ -1271,6 +1271,8 @@ search:
     value:
         config:
           auto_check: True
+          exec:
+            - '(pwsh -Command "Save-AzContext -Path /tmp/az-context3489ht.json" && cat /tmp/az-context3489ht.json && rm /tmp/az-context3489ht.json) || echo_not_found "pwsh"'
 
         files:
           #- name: "credentials"
@@ -1379,13 +1381,54 @@ search:
                   - common
 
           - name: "AzureRMContext.json"
+            value:
+                bad_regex: "Id.*|Credential.*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "clouds.config"
+            value: 
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.json"
             value: 
                 bad_regex: ".*"
                 type: f
                 search_in: 
                   - common
           
-          - name: "ErrorRecords" #Azure logs can contain creentials
+          - name: "msal_token_cache.json"
+            value: 
+                bad_regex: ".*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_http_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_token_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "ErrorRecords" #Azure logs can contain crentials
             value: 
                 type: d
                 search_in: 
@@ -1458,7 +1501,7 @@ search:
         config:
           auto_check: True
           exec:
-            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi
+            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi
         
         files:
           - name: "ipa"

linPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
 
-**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
+**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)**
 
-Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
+Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
 
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 

linPEAS/builder/linpeas_builder.py

@@ -33,7 +33,7 @@ if __name__ == "__main__":
     parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
     parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
     parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
-    parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
+    parser.add_argument('--output', required=True, type=str, help='Path to write the final linpeas file to.')
     args = parser.parse_args()
 
     all_modules = args.all

linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh

@@ -1,19 +0,0 @@
-# Title: System Information - Enviroment
-# ID: SY_Enviroment
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information inside environment variables
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-print_2title "Environment"
-print_info "Any private information inside environment variables?"
-(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
-echo ""

linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh

@@ -0,0 +1,39 @@
+# Title: System Information - Environment
+# ID: SY_Environment
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for sensitive information in environment variables that could lead to privilege escalation:
+#   - Credentials in environment variables
+#   - API keys and tokens
+#   - Sensitive configuration data
+#   - Common vulnerable scenarios:
+#     * Hardcoded credentials in environment
+#     * API keys exposed in environment
+#     * Database credentials in environment
+#     * Service account tokens
+#   - Exploitation methods:
+#     * Credential harvesting: Extract sensitive data from environment
+#     * Common attack vectors:
+#       - Password/credential extraction
+#       - API key abuse
+#       - Token theft
+#       - Configuration data leakage
+#     * Exploit techniques:
+#       - Environment variable dumping
+#       - Credential reuse
+#       - Token reuse
+#       - Configuration abuse
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $NoEnvVars, $EnvVarsRed
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh

@@ -1,8 +1,24 @@
 # Title: System Information - Dmesg
 # ID: SY_Dmesg
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Searching Signature verification failed in dmesg
+# Last Update: 07-03-2024
+# Description: Check for kernel signature verification failures that could lead to privilege escalation:
+#   - Failed kernel module signature verifications
+#   - Common vulnerable scenarios:
+#     * Disabled kernel module signing
+#     * Failed signature verifications
+#     * Unsigned kernel modules
+#   - Exploitation methods:
+#     * Kernel module injection: Load malicious kernel modules
+#     * Common attack vectors:
+#       - Kernel module loading
+#       - Kernel module replacement
+#       - Kernel module modification
+#     * Exploit techniques:
+#       - Module signing bypass
+#       - Kernel module injection
+#       - Kernel module modification
+#       - Kernel module replacement
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
@@ -15,7 +31,7 @@
 
 if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
     print_2title "Searching Signature verification failed in dmesg"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
     (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
     echo ""
 fi

linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh

@@ -1,8 +1,29 @@
 # Title: System Information - MacOS OS checks
 # ID: SY_Macos_os_checks
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Macos OS checks
+# Last Update: 07-03-2024
+# Description: Check for MacOS-specific vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Unsigned kernel extensions
+#   - Non-Apple kernel extensions
+#   - System Integrity Protection (SIP) status
+#   - Gatekeeper status
+#   - Common vulnerable scenarios:
+#     * Disabled SIP
+#     * Unsigned kernel extensions
+#     * Third-party kernel extensions
+#     * Disabled Gatekeeper
+#   - Exploitation methods:
+#     * Kernel extension injection: Load malicious kernel extensions
+#     * Common attack vectors:
+#       - SIP bypass
+#       - Kernel extension loading
+#       - Gatekeeper bypass
+#       - System modification
+#     * Exploit techniques:
+#       - Kernel extension injection
+#       - SIP bypass
+#       - Gatekeeper bypass
+#       - System modification
 # License: GNU GPL
 # Version: 1.0
 # Functions Used:macosNotSigned, print_2title

linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh

@@ -1,8 +1,25 @@
 # Title: System Information - Linux Exploit Suggester
 # ID: SY_Linux_exploit_suggester
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Linux Exploit Suggester tool execution
+# Last Update: 07-03-2024
+# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
+#   - Automated kernel vulnerability detection
+#   - Common vulnerable scenarios:
+#     * Known kernel vulnerabilities
+#     * Unpatched kernel versions
+#     * Missing security patches
+#   - Exploitation methods:
+#     * Kernel exploit execution: Use suggested exploits
+#     * Common attack vectors:
+#       - Kernel memory corruption
+#       - Race conditions
+#       - Use-after-free
+#       - Integer overflow
+#     * Exploit techniques:
+#       - Kernel memory manipulation
+#       - Privilege escalation
+#       - Root access acquisition
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info

linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh

@@ -1,8 +1,27 @@
-# Title: System Information - Linux Exploit Suggester 2 
+# Title: System Information - Linux Exploit Suggester 2
 # ID: SY_Linux_exploit_suggester_2
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Linux Exploit Suggester 2 tool execution
+# Last Update: 07-03-2024
+# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
+#   - Alternative kernel vulnerability detection
+#   - Perl-based exploit suggestions
+#   - Common vulnerable scenarios:
+#     * Known kernel vulnerabilities
+#     * Unpatched kernel versions
+#     * Missing security patches
+#     * Alternative exploit paths
+#   - Exploitation methods:
+#     * Kernel exploit execution: Use suggested exploits
+#     * Common attack vectors:
+#       - Kernel memory corruption
+#       - Race conditions
+#       - Use-after-free
+#       - Integer overflow
+#     * Exploit techniques:
+#       - Kernel memory manipulation
+#       - Privilege escalation
+#       - Root access acquisition
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info

linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh

@@ -1,8 +1,26 @@
 # Title: System Information - CVE_2021_3560
 # ID: SY_CVE_2021_3560
 # Author: Carlos Polop
-# Last Update: 07-10-2024
-# Description: CVE-2021-3560 - paper box from HTB
+# Last Update: 07-03-2024
+# Description: Check for Polkit vulnerability (CVE-2021-3560) that could lead to privilege escalation:
+#   - Vulnerable Polkit versions:
+#     * polkit 0.105-26 (Ubuntu)
+#     * polkit 0.117-2 (RHEL)
+#     * polkit 0.115-6 (RHEL)
+#   - Common vulnerable scenarios:
+#     * Unpatched Polkit versions
+#     * Default Polkit configurations
+#   - Exploitation methods:
+#     * Race condition in Polkit authentication
+#     * Common attack vectors:
+#       - Authentication bypass
+#       - Privilege escalation
+#       - Root access acquisition
+#     * Exploit techniques:
+#       - Race condition exploitation
+#       - Authentication bypass
+#       - Privilege escalation
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used:

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -1,8 +1,30 @@
-# Title: System Information - Kernel Extensions
+# Title: System Information - Protections
 # ID: SY_Protections
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Kernel Extensions
+# Last Update: 07-03-2024
+# Description: Check for system security protections and their bypass possibilities:
+#   - AppArmor/SELinux status and profiles
+#   - ASLR status
+#   - Seccomp filters
+#   - Capabilities
+#   - Common vulnerable scenarios:
+#     * Disabled security modules
+#     * Weak security profiles
+#     * Missing security features
+#     * Misconfigured protections
+#   - Exploitation methods:
+#     * Protection bypass: Circumvent security measures
+#     * Common attack vectors:
+#       - AppArmor/SELinux bypass
+#       - ASLR bypass
+#       - Seccomp filter bypass
+#       - Capability abuse
+#     * Exploit techniques:
+#       - Profile bypass
+#       - Memory randomization bypass
+#       - Filter bypass
+#       - Capability exploitation
+#       - Protection circumvention
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
@@ -112,4 +134,6 @@ if [ "$(command -v systemd-detect-virt 2>/dev/null || echo -n '')" ]; then
     if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
 else
     if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
-fi
+fi
+
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh

@@ -0,0 +1,62 @@
+# Title: System Information - Kernel Modules
+# ID: SY_Kernel_Modules
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for kernel module vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Loaded kernel modules with known vulnerabilities
+#   - Kernel modules with weak permissions that could be modified
+#   - Ability to load kernel modules as unprivileged user
+#   - Missing kernel module signing requirements
+#   - Exploitation methods:
+#     * Vulnerable modules: Use known exploits for vulnerable kernel modules
+#     * Weak permissions: Modify kernel modules to inject malicious code
+#     * Module loading: Load malicious kernel modules to get root access
+#     * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title
+# Global Variables: 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+echo ""
+print_2title "Kernel Modules Information"
+
+# List loaded kernel modules
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_3title "Loaded kernel modules"
+    if [ -f "/proc/modules" ]; then
+        lsmod
+    else
+        echo_not_found "/proc/modules"
+    fi
+fi
+
+# Check for kernel modules with weak permissions
+print_3title "Kernel modules with weak perms?"
+if [ -d "/lib/modules" ]; then
+    find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
+    if [ $? -eq 1 ]; then
+        echo "No kernel modules with weak permissions found"
+    fi
+else
+    echo_not_found "/lib/modules"
+fi
+echo ""
+
+# Check for kernel modules that can be loaded by unprivileged users
+print_3title "Kernel modules loadable? "
+if [ -f "/proc/sys/kernel/modules_disabled" ]; then
+    if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
+        echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
+    else
+        echo "Modules cannot be loaded" | sed -${E} "s,.*,${SED_GREEN},g"
+    fi
+else
+    echo_not_found "/proc/sys/kernel/modules_disabled"
+fi
+
+
+echo "" 

linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh

@@ -1,8 +1,28 @@
 # Title: System Information - Operative System
 # ID: SY_Operative_system
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Operative system
+# Last Update: 07-03-2024
+# Description: Check for operating system information relevant to privilege escalation:
+#   - OS version and distribution
+#   - Kernel version
+#   - Architecture
+#   - Common vulnerable scenarios:
+#     * Outdated OS versions
+#     * Unpatched systems
+#     * Known vulnerable distributions
+#     * Architecture-specific vulnerabilities
+#   - Exploitation methods:
+#     * Version-specific exploits: Use known exploits for the OS version
+#     * Common attack vectors:
+#       - OS version exploits
+#       - Distribution-specific vulnerabilities
+#       - Architecture-specific exploits
+#       - Kernel version exploits
+#     * Exploit techniques:
+#       - Version-specific payloads
+#       - Distribution-specific attacks
+#       - Architecture-specific techniques
+#       - Kernel exploitation
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info, warn_exec
@@ -13,7 +33,7 @@
 # Small linpeas: 1
 
 print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
 (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
 warn_exec lsb_release -a 2>/dev/null
 if [ "$MACPEAS" ]; then

linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh

@@ -1,8 +1,22 @@
 # Title: System Information - Sudo Version
 # ID: SY_Sudo_version
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Sudo Version
+# Last Update: 07-03-2024
+# Description: Check for sudo vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Vulnerable sudo versions with known exploits
+#   - Common vulnerable versions and CVEs:
+#     * CVE-2021-3156 (Baron Samedit): Heap overflow in sudo
+#     * CVE-2021-23239: Potential privilege escalation
+#     * CVE-2021-23240: Potential privilege escalation
+#     * CVE-2021-23241: Potential privilege escalation
+#   - Exploitation methods:
+#     * Version exploits: Use known exploits for vulnerable sudo versions
+#     * Common targets: sudo < 1.9.5p2 (Baron Samedit)
+#     * Exploit techniques:
+#       - Heap overflow exploitation
+#       - Race conditions
+#       - Memory corruption
+#       - Command injection
 # License: GNU GPL
 # Version: 1.0 
 # Functions Used: echo_not_found, print_2title, print_info
@@ -15,7 +29,7 @@
 
 print_2title "Sudo version"
 if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
 sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
 else echo_not_found "sudo"
 fi

linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh

@@ -1,8 +1,22 @@
 # Title: System Information - USBCreator
 # ID: SY_USBCreator
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the USBCreator
+# Last Update: 07-03-2024
+# Description: Check for USBCreator vulnerabilities that could lead to privilege escalation:
+#   - Vulnerable policykit-desktop-privileges versions
+#   - Common vulnerable versions:
+#     * policykit-desktop-privileges < 0.21
+#   - Exploitation methods:
+#     * D-Bus command injection through USBCreator
+#     * Abuse of policykit privileges
+#     * Common attack vectors:
+#       - D-Bus method call injection
+#       - PolicyKit authentication bypass
+#       - Command execution through USB creation
+#     * Exploit techniques:
+#       - D-Bus method spoofing
+#       - PolicyKit privilege escalation
+#       - USB device creation abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
@@ -15,7 +29,7 @@
 
 if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
     print_2title "USBCreator"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
 
     pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
     if [ -z "$pc_version" ]; then

linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh

@@ -1,8 +1,25 @@
 # Title: System Information - Path
 # ID: SY_Path
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Path
+# Last Update: 07-03-2024
+# Description: Check for PATH environment misconfigurations that could lead to privilege escalation:
+#   - Writable directories in PATH
+#   - Current directory (.) in PATH
+#   - Common vulnerable scenarios:
+#     * Writable system directories in PATH
+#     * Current directory in PATH
+#     * Relative paths in PATH
+#   - Exploitation methods:
+#     * PATH hijacking: Place malicious executables in writable PATH directories
+#     * Common attack vectors:
+#       - Replace common binaries (ls, cat, etc.)
+#       - Create malicious executables with common names
+#       - Abuse sudo PATH inheritance
+#     * Exploit techniques:
+#       - Binary replacement
+#       - Symbolic link attacks
+#       - PATH manipulation
+#       - Sudo PATH abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
@@ -14,7 +31,7 @@
 
 
 print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
 if ! [ "$IAMROOT" ]; then
     echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
 fi

linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh

@@ -1,8 +1,28 @@
 # Title: System Information - Date
 # ID: SY_Date
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Date
+# Last Update: 07-03-2024
+# Description: Check for system date and uptime information relevant to privilege escalation:
+#   - System uptime
+#   - Last boot time
+#   - System time
+#   - Common vulnerable scenarios:
+#     * Long uptime (unpatched systems)
+#     * Time-based vulnerabilities
+#     * Scheduled tasks timing
+#     * Cron job timing
+#   - Exploitation methods:
+#     * Timing attacks: Abuse time-based vulnerabilities
+#     * Common attack vectors:
+#       - Race conditions
+#       - Time-of-check to time-of-use (TOCTOU)
+#       - Scheduled task abuse
+#       - Cron job timing
+#     * Exploit techniques:
+#       - Race condition exploitation
+#       - TOCTOU attacks
+#       - Scheduled task manipulation
+#       - Cron job abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec

linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh

@@ -1,8 +1,28 @@
 # Title: System Information - CPU info
 # ID: SY_CPU_info
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the CPU
+# Last Update: 07-03-2024
+# Description: Check for CPU information relevant to privilege escalation:
+#   - CPU architecture
+#   - CPU features
+#   - CPU vulnerabilities
+#   - Common vulnerable scenarios:
+#     * CPU-specific vulnerabilities (Spectre, Meltdown, etc.)
+#     * Missing CPU mitigations
+#     * Architecture-specific exploits
+#     * CPU feature abuse
+#   - Exploitation methods:
+#     * CPU-based attacks: Abuse CPU vulnerabilities
+#     * Common attack vectors:
+#       - Spectre/Meltdown exploitation
+#       - CPU feature abuse
+#       - Architecture-specific attacks
+#       - CPU timing attacks
+#     * Exploit techniques:
+#       - Side-channel attacks
+#       - CPU feature exploitation
+#       - Architecture-specific techniques
+#       - CPU timing exploitation
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec

linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh

@@ -1,8 +1,28 @@
 # Title: System Information - Mounts
 # ID: SY_Mounts
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the mounts
+# Last Update: 07-03-2024
+# Description: Check for mount point misconfigurations that could lead to privilege escalation:
+#   - Unmounted filesystems
+#   - Mount point permissions
+#   - Mount options
+#   - Common vulnerable scenarios:
+#     * Writable mount points
+#     * Insecure mount options
+#     * Unmounted sensitive filesystems
+#     * Shared mount points
+#   - Exploitation methods:
+#     * Mount point abuse: Exploit mount misconfigurations
+#     * Common attack vectors:
+#       - Mount point modification
+#       - Filesystem remounting
+#       - Mount option abuse
+#       - Shared mount exploitation
+#     * Exploit techniques:
+#       - Mount point manipulation
+#       - Filesystem remounting
+#       - Mount option exploitation
+#       - Shared mount abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info

linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh

@@ -1,8 +1,28 @@
 # Title: System Information - Disks
 # ID: SY_Disks
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the disks
+# Last Update: 07-03-2024
+# Description: Check for disk information and misconfigurations that could lead to privilege escalation:
+#   - Available disks
+#   - Disk permissions
+#   - SMB shares
+#   - Common vulnerable scenarios:
+#     * Writable disks
+#     * Insecure SMB shares
+#     * Exposed disk devices
+#     * Shared storage
+#   - Exploitation methods:
+#     * Disk access abuse: Exploit disk misconfigurations
+#     * Common attack vectors:
+#       - Disk device modification
+#       - SMB share abuse
+#       - Storage device access
+#       - Shared disk exploitation
+#     * Exploit techniques:
+#       - Disk device manipulation
+#       - SMB share exploitation
+#       - Storage device abuse
+#       - Shared disk access
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec

linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh

@@ -1,8 +1,28 @@
-# Title: System Information - Disks
+# Title: System Information - Disks Extra
 # ID: SY_Disks_extra
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the disks
+# Last Update: 07-03-2024
+# Description: Check for additional disk information and system resources relevant to privilege escalation:
+#   - Disk utilization
+#   - System resources
+#   - Storage statistics
+#   - Common vulnerable scenarios:
+#     * Low disk space (potential for race conditions)
+#     * Resource exhaustion
+#     * Storage device misconfigurations
+#     * System resource abuse
+#   - Exploitation methods:
+#     * Resource-based attacks: Abuse system resources
+#     * Common attack vectors:
+#       - Disk space exhaustion
+#       - Resource starvation
+#       - Storage device abuse
+#       - System resource manipulation
+#     * Exploit techniques:
+#       - Resource exhaustion
+#       - Storage device exploitation
+#       - System resource abuse
+#       - Resource-based attacks
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec

linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh

@@ -1,8 +1,25 @@
 # Title: Container - Container Tools
 # ID: CT_Container_tools
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Find container related tools in the PATH of the system
+# Last Update: 07-03-2024
+# Description: Find container related tools in the PATH of the system that could be used for container escape:
+#   - Container runtime tools
+#   - Container management tools
+#   - Container networking tools
+#   - Common vulnerable scenarios:
+#     * Misconfigured container tools
+#     * Privileged container tools
+#     * Container escape tools
+#   - Exploitation methods:
+#     * Tool abuse: Exploit container tool misconfigurations
+#     * Common attack vectors:
+#       - Runtime escape
+#       - Privilege escalation
+#       - Container breakout
+#     * Exploit techniques:
+#       - Tool misconfiguration abuse
+#       - Privileged tool exploitation
+#       - Container escape tool usage
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@@ -12,11 +29,45 @@
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 print_2title "Container related tools present (if any):"
-command -v docker || echo -n ''
-command -v lxc || echo -n ''
-command -v rkt || echo -n ''
-command -v kubectl || echo -n ''
-command -v podman || echo -n ''
-command -v runc || echo -n ''
+
+# Container runtimes
+command -v docker
+command -v lxc
+command -v rkt
+command -v podman
+command -v runc
+command -v ctr
+command -v containerd
+command -v crio
+command -v nerdctl
+
+# Container management
+command -v kubectl
+command -v crictl
+command -v docker-compose
+command -v docker-machine
+command -v minikube
+command -v kind
+
+# Container networking
+command -v docker-proxy
+command -v cni
+command -v flanneld
+command -v calicoctl
+
+# Container security
+command -v apparmor_parser
+command -v seccomp
+command -v gvisor
+command -v kata-runtime
+
+# Container debugging
+command -v nsenter
+command -v unshare
+command -v chroot
+command -v capsh
+command -v setcap
+command -v getcap
+
+echo ""

linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh

@@ -15,7 +15,7 @@
 
 if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
   print_2title "Listing mounted tokens"
-  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+  print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
   ALREADY_TOKENS="IinItialVaaluE"
   for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
       TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
@@ -29,4 +29,5 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/n
           echo ""
       fi
   done
-fi
+fi
+

linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh

@@ -1,21 +1,63 @@
 # Title: Container - Container details
 # ID: CT_Container_details
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get container details
+# Last Update: 07-03-2024
+# Description: Get detailed container information relevant to privilege escalation:
+#   - Container type and runtime
+#   - Running containers
+#   - Container configuration
+#   - Common vulnerable scenarios:
+#     * Misconfigured containers
+#     * Privileged containers
+#     * Exposed container APIs
+#     * Container networking
+#   - Exploitation methods:
+#     * Container breakout: Exploit container misconfigurations
+#     * Common attack vectors:
+#       - Runtime escape
+#       - Privilege escalation
+#       - Container breakout
+#       - Network escape
+#     * Exploit techniques:
+#       - Container misconfiguration abuse
+#       - Privileged container exploitation
+#       - Container API abuse
+#       - Network escape techniques
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: containerCheck, echo_no, print_2title, print_list
+# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec
 # Global Variables: $containerType
 # Initial Functions: containerCheck
 # Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 print_2title "Container details"
+
 print_list "Is this a container? ...........$NC $containerType"
 
+# Get container runtime info
+if [ "$(command -v docker || echo -n '')" ]; then
+    print_list "Docker version ...............$NC "
+    warn_exec docker version
+    print_list "Docker info .................$NC "
+    warn_exec docker info
+fi
+
+if [ "$(command -v podman || echo -n '')" ]; then
+    print_list "Podman version ..............$NC "
+    warn_exec podman version
+    print_list "Podman info ................$NC "
+    warn_exec podman info
+fi
+
+if [ "$(command -v lxc || echo -n '')" ]; then
+    print_list "LXC version ................$NC "
+    warn_exec lxc version
+    print_list "LXC info ...................$NC "
+    warn_exec lxc info
+fi
+
 print_list "Any running containers? ........ "$NC
 # Get counts of running containers for each platform
 dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
@@ -32,9 +74,36 @@ else
     if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
     echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
     
-    # List any running containers
-    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
-    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
-fi
+    # List any running containers with more details
+    if [ "$dockercontainers" -ne "0" ]; then 
+        echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"
+        docker ps -a 2>/dev/null
+        #echo "Docker Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$podmancontainers" -ne "0" ]; then 
+        echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"
+        podman ps -a 2>/dev/null
+        #echo "Podman Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #podman inspect $(podman ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$lxccontainers" -ne "0" ]; then 
+        echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"
+        lxc list 2>/dev/null
+        #echo "LXC Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #lxc config show $(lxc list -c n --format csv) 2>/dev/null | grep -E "security.privileged|security.capabilities|security.syscalls" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$rktcontainers" -ne "0" ]; then 
+        echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"
+        rkt list 2>/dev/null
+        #echo "RKT Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #rkt status $(rkt list --format=json 2>/dev/null | jq -r '.[].id') 2>/dev/null | grep -E "privileged|capabilities|security" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+fi
+
+
+echo ""

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -1,26 +1,62 @@
 # Title: Container - Container & breakout enumeration
 # ID: CT_Container_breakout
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Container breakout enumeration to see if in case we are inside a container we could escape
+# Last Update: 07-03-2024
+# Description: Container breakout enumeration to identify potential escape vectors:
+#   - Container runtime vulnerabilities
+#   - Mount point misconfigurations
+#   - Capability abuse
+#   - Namespace escape
+#   - Common vulnerable scenarios:
+#     * Privileged containers
+#     * Misconfigured mounts
+#     * Excessive capabilities
+#     * Namespace isolation bypass
+#     * Runtime vulnerabilities
+#     * Container escape tools
+#     * Shared kernel exploits
+#     * Container escape CVEs
+#   - Exploitation methods:
+#     * Mount escape: Abuse mount misconfigurations
+#     * Capability abuse: Exploit excessive capabilities
+#     * Namespace escape: Break out of container namespaces
+#     * Runtime escape: Exploit container runtime vulnerabilities
+#     * Common attack vectors:
+#       - Mount point manipulation
+#       - Capability exploitation
+#       - Namespace breakout
+#       - Runtime vulnerability abuse
+#       - Kernel exploit abuse
+#       - Container escape tool usage
+#     * Exploit techniques:
+#       - Mount point abuse
+#       - Capability escalation
+#       - Namespace escape
+#       - Runtime exploitation
+#       - Kernel exploitation
+#       - Container escape tool execution
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list
-# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos,  $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
+# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
 # Initial Functions: containerCheck
-# Generated Global Variables: $defautl_docker_caps
+# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
 # Fat linpeas: 0
 # Small linpeas: 0
 
-
 if [ "$inContainer" ]; then
     echo ""
     print_2title "Container & breakout enumeration"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
+    
+    # Basic container info
     print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
     if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
         print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
     fi
+    
+    # Security mechanisms
+    print_3title "Security Mechanisms"
     print_list "Seccomp enabled? ............... "$NC
     ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
 
@@ -30,11 +66,53 @@ if [ "$inContainer" ]; then
     print_list "User proc namespace? ........... "$NC
     if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
 
+    # Known vulnerabilities
+    print_3title "Known Vulnerabilities"
+    
     checkContainerExploits
     print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-
+    
+    # Check for container escape tools
+    print_list "Container escape tools present .. "$NC
+    (command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g"
+    
+    # Runtime vulnerabilities
+    print_3title "Runtime Vulnerabilities"
+    
+    # Check for known runtime vulnerabilities
+    if [ "$(command -v runc || echo -n '')" ]; then
+        print_list "Runc version ................. "$NC
+        warn_exec runc --version
+        # Check for specific runc vulnerabilities
+        runc_version=$(runc --version 2>/dev/null | grep -i "version" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
+        if [ "$runc_version" ]; then
+            print_list "Runc CVE-2019-5736 ........... "$NC
+            if [ "$(echo $runc_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 0) || ($1 == 1 && $2 == 0 && $3 < 7)) print "Yes"; else print "No"; }')" = "Yes" ]; then
+                echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
+            else
+                echo "No"
+            fi
+        fi
+    fi
+    
+    if [ "$(command -v containerd || echo -n '')" ]; then
+        print_list "Containerd version ........... "$NC
+        warn_exec containerd --version
+        # Check for specific containerd vulnerabilities
+        containerd_version=$(containerd --version 2>/dev/null | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
+        if [ "$containerd_version" ]; then
+            print_list "Containerd CVE-2020-15257 ..... "$NC
+            if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 4) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]; then
+                echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
+            else
+                echo "No"
+            fi
+        fi
+    fi
+    
+    # Mount escape vectors
     print_3title "Breakout via mounts"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
     
     checkProcSysBreakouts
     print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
@@ -46,89 +124,170 @@ if [ "$inContainer" ]; then
     print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    
+    # Additional mount checks
+    print_list "Docker socket mounted? ......... "$NC
+    (mount | grep -E "docker.sock|/var/run/docker.sock" || echo "No") | sed -${E} "s,Yes|docker.sock,${SED_RED},"
+    
+    print_list "Common host filesystem mounted?  "$NC
+    (mount | grep -E "host|/host|/mnt/host" || echo "No") | sed -${E} "s,Yes|host,${SED_RED},"
+    
+    print_list "Interesting mounts ............. "$NC
+    mount | grep -E "docker|container|overlay|kubelet" | grep -v "proc" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Check for writable mount points
+    print_list "Writable mount points ......... "$NC
+    mount | grep -E "rw," | grep -v "ro," | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Check for shared mount points
+    print_list "Shared mount points ........... "$NC
+    mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Capability checks
+    print_3title "Capability Checks"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html"
+    
+    print_list "Dangerous capabilities ......... "$NC
+    if [ "$(command -v capsh || echo -n '')" ]; then 
+        capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
+    else
+        defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
+        cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
+        echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
+    fi
+    
+    # Additional capability checks
+    print_list "Dangerous syscalls allowed ... "$NC
+    if [ -f "/proc/sys/kernel/yama/ptrace_scope" ]; then
+        (cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "Not found") | sed -${E} "s,0,${SED_RED},"
+    else
+        echo "Not found"
+    fi
+    
+    # Namespace checks
+    print_3title "Namespace Checks"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
+    
+    print_list "Current namespaces ............. "$NC
+    ls -l /proc/self/ns/
+    
+    print_list "Host network namespace? ........ "$NC
+    if [ "$(ip netns list 2>/dev/null)" ]; then
+        echo "Yes - Host network namespace accessible" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    # Additional namespace checks
+    print_list "Host IPC namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/ipc 2>/dev/null)" = "$(ls -l /proc/1/ns/ipc 2>/dev/null)" ]; then
+        echo "Yes - Host IPC namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    print_list "Host PID namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/pid 2>/dev/null)" = "$(ls -l /proc/1/ns/pid 2>/dev/null)" ]; then
+        echo "Yes - Host PID namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    print_list "Host UTS namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/uts 2>/dev/null)" = "$(ls -l /proc/1/ns/uts 2>/dev/null)" ]; then
+        echo "Yes - Host UTS namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    # Additional breakout vectors
+    print_3title "Additional Breakout Vectors"
+    
     print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
     print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    
+    # Check for container escape tools in PATH
+    print_list "Container escape tools in PATH . "$NC
+    (which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g"
+
+    print_3title "Extra Breakout Vectors"
     print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    if [ "$EXTRA_CHECKS" ]; then
-      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    fi
+    print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
     
-    echo ""
-    print_3title "Namespaces"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
-    ls -l /proc/self/ns/
-
+    # Additional kernel checks
+    print_list "Kernel version .............. "$NC
+    uname -a | sed -${E} "s,$(uname -r),${SED_RED},"
+    
+    print_list "Kernel modules ............. "$NC
+    lsmod | grep -E "overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio" | sed -${E} "s,overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio,${SED_RED},g"
+    
+    # Additional container runtime checks
+    print_list "Container runtime sockets .. "$NC
+    (find /var/run -name "*.sock" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
+    
+    print_list "Container runtime configs .. "$NC
+    (find /etc -name "*.conf" -o -name "*.json" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
+    
+    # Kubernetes specific checks
     if echo "$containerType" | grep -qi "kubernetes"; then
+        print_3title "Kubernetes Specific Checks"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
+        
         print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
         print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
-        echo ""
         
-        print_2title "Kubernetes Information"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
-        
-        
-        print_3title "Kubernetes service account folder"
+        print_list "Kubernetes service account folder" | sed -${E} "s,.*,${SED_RED},"
         ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
-        echo ""
         
-        print_3title "Kubernetes env vars"
+        print_list "Kubernetes env vars" | sed -${E} "s,.*,${SED_RED},"
         (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
-        echo ""
-
-        print_3title "Current sa user k8s permissions"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
+        
+        print_list "Current sa user k8s permissions" | sed -${E} "s,.*,${SED_RED},"
         kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
           "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
             -X 'POST' -H 'Content-Type: application/json' \
             --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
-
+        
+        # Additional Kubernetes checks
+        print_list "Kubernetes API server ...... "$NC
+        (curl -s -k https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/version 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes secrets ......... "$NC
+        (kubectl get secrets 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes pods ............ "$NC
+        (kubectl get pods 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes services ........ "$NC
+        (kubectl get services 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes nodes ........... "$NC
+        (kubectl get nodes 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
     fi
-    echo ""
-
-    print_2title "Container Capabilities"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
-    if [ "$(command -v capsh || echo -n '')" ]; then 
-      capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
-    else
-      defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
-      cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
-      echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
-    fi
-    echo ""
-
-    print_2title "Privilege Mode"
-    if [ -x "$(command -v fdisk || echo -n '')" ]; then
-        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
-            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
-        else
-            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
-        fi
-    else
-        echo_not_found
-    fi
-    echo ""
-
-    print_2title "Interesting Files Mounted"
+    
+    # Interesting files and mounts
+    print_3title "Interesting Files & Mounts"
+    print_list "Interesting files mounted ........ "$NC
     (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
-    echo ""
-
-    print_2title "Possible Entrypoints"
+    
+    print_list "Possible entrypoints ........... "$NC
     ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
+    
     echo ""
 fi

linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh

@@ -0,0 +1,46 @@
+# Title: Cloud - Azure Automation Account
+# ID: CL_Azure_automation_account
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure Automation Account Service Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_automation_acc,
+# Initial Functions: check_az_automation_acc
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
+
+if [ "$is_az_automation_acc" = "Yes" ]; then
+  print_2title "Azure Automation Account Service Enumeration"
+
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - --header '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh

@@ -28,7 +28,7 @@ if [ "$is_ibm_vm" = "Yes" ]; then
     if [ "$(command -v curl || echo -n '')" ]; then
         ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
     elif [ "$(command -v wget || echo -n '')" ]; then
-        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+        ibm_req="wget -q -O - --header '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi

linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh

@@ -5,15 +5,15 @@
 # Description: Check if the current system is inside a cloud environment
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
-# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
-# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm
 # Generated Global Variables:
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC
+printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}https://training.hacktricks.xyz\n"$NC
 echo ""
 
 print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
@@ -25,8 +25,9 @@ print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s
 print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure APP or IDENTITY_ENDPOINT? ...... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 

linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh

@@ -8,7 +8,7 @@
 # Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
 # Global Variables: $is_aws_ec2
 # Initial Functions: check_aws_ec2
-# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role
+# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role, $TOKEN, $TOKEN_HEADER, $TOKEN_TTL
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -16,14 +16,20 @@
 if [ "$is_aws_ec2" = "Yes" ]; then
     print_2title "AWS EC2 Enumeration"
     
-    HEADER="X-aws-ec2-metadata-token: "
+    TOKEN=""
+    TOKEN_HEADER="X-aws-ec2-metadata-token"
+    TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600"
     URL="http://169.254.169.254/latest/meta-data"
     
     aws_req=""
     if [ "$(command -v curl || echo -n '')" ]; then
-        aws_req="curl -s -f -L -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" -H "$TOKEN_TTL" 2>/dev/null)
+        aws_req="curl -s -f -L -H '$TOKEN_HEADER: $TOKEN'"
     elif [ "$(command -v wget || echo -n '')" ]; then
-        aws_req="wget -q -O - -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(wget -q -O - --method=PUT --header="$TOKEN_TTL" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        aws_req="wget -q -O - --header '$TOKEN_HEADER: $TOKEN'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi

linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
     # GCP Enumeration
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
 
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh

@@ -24,7 +24,7 @@ if [ "$is_az_vm" = "Yes" ]; then
   if [ "$(command -v curl || echo -n '')" ]; then
       az_req="curl -s -f -L -H '$HEADER'"
   elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
   else 
       echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
   fi
@@ -47,22 +47,22 @@ if [ "$is_az_vm" = "Yes" ]; then
     echo ""
 
     print_3title "Management token"
-    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
     echo ""
 
     print_3title "Graph token"
-    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
     echo ""
     
     print_3title "Vault token"
-    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
     echo ""
 
     print_3title "Storage token"
-    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
     echo ""
   fi

linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh

@@ -17,7 +17,6 @@ API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/ov
 
 if [ "$is_az_app" = "Yes" ]; then
   print_2title "Azure App Service Enumeration"
-  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
 
   HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
 
@@ -25,7 +24,7 @@ if [ "$is_az_app" = "Yes" ]; then
   if [ "$(command -v curl || echo -n '')" ]; then
       az_req="curl -s -f -L -H '$HEADER'"
   elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
   else 
       echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
   fi
@@ -33,13 +32,13 @@ if [ "$is_az_app" = "Yes" ]; then
   if [ "$az_req" ]; then
     print_3title "Management token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
+    echo
     print_3title "Graph token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
+    echo
     print_3title "Vault token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
+    echo
     print_3title "Storage token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
   fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh

@@ -0,0 +1,193 @@
+# Title: Processes & Cron & Services & Timers - Services and Service Files
+# ID: PR_Services
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Services and service files analysis with privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info, print_3title
+# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
+# Initial Functions:
+# Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Services and Service Files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
+
+  # Function to check service content for privilege escalation vectors
+  check_service_content() {
+    local service="$1"
+    local findings=""
+    
+    # Check if service runs with elevated privileges
+    if systemctl show "$service" -p User 2>/dev/null | grep -q "root"; then
+      findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
+    fi
+
+    # Get the executable path and check it
+    local exec_path=$(systemctl show "$service" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
+    if [ -n "$exec_path" ]; then
+      if [ -w "$exec_path" ]; then
+        findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+      fi
+      # Check for relative paths
+      #case "$exec_path" in
+      #  /*) : ;; # Absolute path, do nothing
+      #  *) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
+      #esac
+      # Check for weak permissions
+      if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+        findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
+      fi
+    fi
+
+    # Check for unsafe configurations
+    if systemctl show "$service" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
+      findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
+    fi
+
+    # Check for environment variables with sensitive data
+    if systemctl show "$service" -p Environment 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
+      findings="${findings}SENSITIVE_ENV: Contains sensitive environment variables\n"
+    fi
+
+    # Check for capabilities
+    if systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH)'; then
+      findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "  Potential issue in service: $service"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # Function to check service file for privilege escalation vectors
+  check_service_file() {
+    local service_file="$1"
+    local findings=""
+
+    # Check if service file is writable (following symlinks)
+    if [ -L "$service_file" ]; then
+      # If it's a symlink, check the target file
+      local target_file=$(readlink -f "$service_file")
+      if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+        findings="${findings}WRITABLE_FILE: Service target file is writable: $target_file\n"
+      fi
+    elif ! [ "$IAMROOT" ] && [ -w "$service_file" ] && [ -f "$service_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      findings="${findings}WRITABLE_FILE: Service file is writable\n"
+    fi
+
+    # Check for weak permissions (following symlinks)
+    if [ "$(stat -L -c %a "$service_file" 2>/dev/null)" = "777" ]; then
+      findings="${findings}WEAK_PERMS: Service file has 777 permissions\n"
+    fi
+
+    # Check for relative paths in Exec directives - Original logic
+    local relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$service_file" 2>/dev/null | grep -Iv "=/")
+    local relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$service_file" 2>/dev/null)
+    if [ "$relpath1" ] || [ "$relpath2" ]; then
+      if [ "$WRITABLESYSTEMDPATH" ]; then
+        findings="${findings}RELATIVE_PATH: Could be executing some relative path (systemd path is writable)\n"
+      else
+        findings="${findings}RELATIVE_PATH: Could be executing some relative path\n"
+      fi
+    fi
+
+    # Check for writable executables (following symlinks)
+    local exec_paths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$service_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$exec_paths" | while read -r exec_path; do
+      if [ -n "$exec_path" ]; then
+        if [ -L "$exec_path" ]; then
+          local target_exec=$(readlink -f "$exec_path")
+          if [ -w "$target_exec" ]; then
+            findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
+          fi
+        elif [ -w "$exec_path" ]; then
+          findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+        fi
+      fi
+    done
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "  Potential issue in service file: $service_file"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # List all services and check for privilege escalation vectors
+  echo ""
+  print_3title "Active services:"
+  systemctl list-units --type=service --state=active 2>/dev/null | grep -v "UNIT" | while read -r line; do
+    service_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$service_unit" ]; then
+      # Print the service line with highlighting
+      echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
+
+      # Get service file path
+      service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$service_path" ]; then
+        check_service_file "$service_path"
+      fi
+
+      # Check service content for privilege escalation vectors
+      check_service_content "$service_unit"
+    fi
+  done || echo_not_found
+
+  # Check for disabled but available services
+  echo ""
+  print_3title "Disabled services:"
+  systemctl list-unit-files --type=service --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
+    service_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$service_unit" ]; then
+      # Print the service line with highlighting
+      echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
+
+      # Get service file path
+      service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$service_path" ]; then
+        check_service_file "$service_path"
+      fi
+
+      # Check service content for privilege escalation vectors
+      check_service_content "$service_unit"
+    fi
+  done || echo_not_found
+
+  # Check service files from PSTORAGE_SYSTEMD
+  if [ -n "$PSTORAGE_SYSTEMD" ]; then
+    echo ""
+    print_3title "Additional service files:"
+    printf "%s\n" "$PSTORAGE_SYSTEMD" | while read -r service_file; do
+      if [ -n "$service_file" ] && [ -e "$service_file" ]; then
+        check_service_file "$service_file"
+      fi
+    done
+  fi
+
+  # Check for outdated services if EXTRA_CHECKS is enabled
+  if [ "$EXTRA_CHECKS" ]; then
+    echo ""
+    print_3title "Service versions and status:"
+    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+  fi
+
+  # Check systemd path writability
+  if [ ! "$WRITABLESYSTEMDPATH" ]; then 
+    echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"
+  else
+    echo "You can write on systemd PATH" | sed -${E} "s,.*,${SED_RED},"
+    echo "If a relative path is used, it's possible to abuse it."
+  fi
+
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh

@@ -1,21 +0,0 @@
-# Title: Processes & Cron & Services & Timers - System Timers
-# ID: PR_System_timers
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: System Timers
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $SEARCH_IN_FOLDER, $timersG
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "System timers"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
-  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
-  echo ""
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh

@@ -0,0 +1,156 @@
+# Title: System Information - Systemd
+# ID: SY_Systemd
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
+#   - Services running as root that could be exploited
+#   - Services with dangerous capabilities that could be abused
+#   - Services with writable paths that could be used to inject malicious code
+#   - Exploitation methods:
+#     * Version exploits: Use known exploits for vulnerable systemd versions
+#     * Root services: Abuse services running as root to execute commands
+#     * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
+#     * Writable paths: Replace executables in writable paths to get code execution
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_list, echo_not_found
+# Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
+# Initial Functions:
+# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "Systemd Information"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
+
+    # Function to check if systemctl is available
+    check_systemctl() {
+        if ! command -v systemctl >/dev/null 2>&1; then
+            echo_not_found "systemctl"
+            return 1
+        fi
+        return 0
+    }
+
+    # Function to get service file path
+    get_service_file() {
+        local service="$1"
+        local file=""
+        for path in "/etc/systemd/system/$service" "/lib/systemd/system/$service"; do
+            if [ -f "$path" ]; then
+                file="$path"
+                break
+            fi
+        done
+        echo "$file"
+    }
+
+    # Function to check dangerous capabilities
+    check_dangerous_caps() {
+        local caps="$1"
+        echo "$caps" | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_SETUID|CAP_SETGID|CAP_NET_ADMIN)'
+        return $?
+    }
+
+    # Check systemd version and known vulnerabilities
+    print_list "Systemd version and vulnerabilities? .............. "$NC
+    if check_systemctl; then
+        version=$(systemctl --version | head -n 1 | grep -oE '([0-9]+(\.[0-9]+)+)')
+        if [ -n "$version" ]; then
+            echo "$version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+            # Check for known vulnerable versions
+            case "$version" in
+                "2.3"[0-4]|"2.3"[0-4]"."*)
+                    echo "  └─ Vulnerable to CVE-2021-4034 (Polkit)" | sed -${E} "s,.*,${SED_RED},g"
+                    ;;
+                "2.4"[0-9]|"2.4"[0-9]"."*)
+                    echo "  └─ Vulnerable to CVE-2021-33910 (systemd-tmpfiles)" | sed -${E} "s,.*,${SED_RED},g"
+                    ;;
+            esac
+        fi
+    fi
+
+    # Check for systemd services running as root
+    print_list "Services running as root? ..... "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "root|0:0" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            user=$(systemctl show "$service" -p User 2>/dev/null | cut -d= -f2)
+            echo "$service (User: $user)" | sed -${E} "s,root|0:0,${SED_RED},g"
+        done
+        echo ""
+    else
+        echo ""
+    fi
+
+    # Check for systemd services with dangerous capabilities
+    print_list "Running services with dangerous capabilities? ... "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "\.service" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            caps=$(systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | cut -d= -f2)
+            if [ -n "$caps" ] && check_dangerous_caps "$caps"; then
+                echo "$service: $caps" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+        done
+        echo ""
+    else
+        echo ""
+    fi
+
+    # Check for systemd services with writable paths
+    print_list "Services with writable paths? . "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "\.service" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            service_file=$(get_service_file "$service")
+            if [ -n "$service_file" ]; then
+                # Check ExecStart paths
+                grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | 
+                while read -r exec_line; do
+                    # Extract the first word after ExecStart* as the command
+                    cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
+                    # Extract the rest as arguments
+                    args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
+                    
+                    # Only check the command path, not arguments
+                    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
+                        echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                    # Check for relative paths only in the command, not arguments
+                    if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
+                        echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                done
+            fi
+        done
+    else
+        echo ""
+    fi
+
+    echo ""
+
+    print_2title "Systemd PATH"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
+    if check_systemctl; then
+        systemctl show-environment 2>/dev/null | 
+        grep "PATH" | 
+        while read -r path_line; do
+            echo "$path_line" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+            # Store writable paths for later use
+            if echo "$path_line" | grep -qE "$Wfolders"; then
+                WRITABLESYSTEMDPATH="$path_line"
+            fi
+        done
+    fi
+
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh

@@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - .timer files
-# ID: PR_Timer_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: .timer files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $timerbinpaths, $relpath
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
-printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
-  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
-  fi
-  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
-  printf "%s\n" "$timerbinpaths" | while read tb; do
-    if [ -w "$tb" ]; then
-      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
-    fi
-  done
-  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
-  #for rp in "$relpath"; do
-  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
-  #done
-done
-echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh

@@ -1,23 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Services
-# ID: PR_Services
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Services outdated versions
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Services"
-    print_info "Search for outdated versions"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
-    echo ""
-  fi
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh

@@ -0,0 +1,146 @@
+# Title: Processes & Cron & Services & Timers - Socket Files Analysis
+# ID: PR_Socket_files
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Analyze .socket files for privilege escalation vectors:
+#   - Writable socket files
+#   - Socket files executing writable binaries
+#   - Socket files with writable listeners
+#   - Socket files with relative paths
+#   - Socket files with unsafe configurations
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: print_2title, print_info, print_list
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
+# Initial Functions:
+# Generated Global Variables: $exec_path, $listen_path, $path, $exec_paths, $finding, $listen_paths, $socket_file, $findings, $target_file, $target_listen, $target_exec, $lpath
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$IAMROOT" ]; then
+    print_2title "Analyzing .socket files"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
+
+    # Function to check if path is relative
+    is_relative_path() {
+        local lpath="$1"
+        case "$lpath" in
+            /*) return 1 ;; # Absolute path
+            *) return 0 ;;  # Relative path
+        esac
+    }
+
+    # Function to check socket file content
+    check_socket_file() {
+        local socket_file="$1"
+        local findings=""
+
+        # Check if socket file is writable (following symlinks)
+        if [ -L "$socket_file" ]; then
+            # If it's a symlink, check the target file
+            local target_file=$(readlink -f "$socket_file")
+            if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+                findings="${findings}WRITABLE_FILE: Socket target file is writable: $target_file\n"
+            fi
+        elif ! [ "$IAMROOT" ] && [ -w "$socket_file" ] && [ -f "$socket_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+            findings="${findings}WRITABLE_FILE: Socket file is writable\n"
+        fi
+
+        # Check for weak permissions (following symlinks)
+        if [ "$(stat -L -c %a "$socket_file" 2>/dev/null)" = "777" ]; then
+            findings="${findings}WEAK_PERMS: Socket file has 777 permissions\n"
+        fi
+
+        # Check for executables (following symlinks)
+        local exec_paths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+        printf "%s\n" "$exec_paths" | while read -r exec_path; do
+            if [ -n "$exec_path" ]; then
+                # Check if executable is writable (following symlinks)
+                if [ -L "$exec_path" ]; then
+                    local target_exec=$(readlink -f "$exec_path")
+                    if [ -w "$target_exec" ]; then
+                        findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
+                    fi
+                    # Check for weak permissions on target
+                    if [ -e "$target_exec" ] && [ "$(stat -L -c %a "$target_exec" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_EXEC_PERMS: Executable target has 777 permissions: $target_exec\n"
+                    fi
+                else
+                    if [ -w "$exec_path" ]; then
+                        findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+                    fi
+                    # Check for weak permissions
+                    if [ -e "$exec_path" ] && [ "$(stat -L -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_EXEC_PERMS: Executable has 777 permissions: $exec_path\n"
+                    fi
+                fi
+                # Check for relative paths
+                if is_relative_path "$exec_path"; then
+                    findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n"
+                fi
+            fi
+        done
+
+        # Check for listeners (following symlinks)
+        local listen_paths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+        printf "%s\n" "$listen_paths" | while read -r listen_path; do
+            if [ -n "$listen_path" ]; then
+                # Check if listener path is writable (following symlinks)
+                if [ -L "$listen_path" ]; then
+                    local target_listen=$(readlink -f "$listen_path")
+                    if [ -w "$target_listen" ]; then
+                        findings="${findings}WRITABLE_LISTENER: Listener target path is writable: $target_listen\n"
+                    fi
+                    # Check for weak permissions on target
+                    if [ -e "$target_listen" ] && [ "$(stat -L -c %a "$target_listen" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_LISTENER_PERMS: Listener target path has 777 permissions: $target_listen\n"
+                    fi
+                else
+                    if [ -w "$listen_path" ]; then
+                        findings="${findings}WRITABLE_LISTENER: Listener path is writable: $listen_path\n"
+                    fi
+                    # Check for weak permissions
+                    if [ -e "$listen_path" ] && [ "$(stat -L -c %a "$listen_path" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_LISTENER_PERMS: Listener path has 777 permissions: $listen_path\n"
+                    fi
+                fi
+                # Check for relative paths
+                if is_relative_path "$listen_path"; then
+                    findings="${findings}RELATIVE_LISTENER: Uses relative path: $listen_path\n"
+                fi
+            fi
+        done
+
+        # Check for unsafe configurations
+        if grep -qE '^(User|Group)=root' "$socket_file" 2>/dev/null; then
+            findings="${findings}ROOT_USER: Socket runs as root\n"
+        fi
+        if grep -qE '^(CapabilityBoundingSet).*CAP_SYS_ADMIN' "$socket_file" 2>/dev/null; then
+            findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
+        fi
+        if grep -qE '^(BindIP|BindIPv6Only)=yes' "$socket_file" 2>/dev/null; then
+            findings="${findings}NETWORK_BIND: Can bind to network interfaces\n"
+        fi
+
+        # If any findings, print them
+        if [ -n "$findings" ]; then
+            echo "Potential privilege escalation in socket file: $socket_file"
+            echo "$findings" | while read -r finding; do
+                [ -n "$finding" ] && echo "  └─ $finding" | sed -${E} "s,WRITABLE.*,${SED_RED},g" | sed -${E} "s,RELATIVE.*,${SED_RED_YELLOW},g"
+            done
+        fi
+    }
+
+    # Process each socket file
+    if [ -n "$PSTORAGE_SOCKET" ]; then
+        printf "%s\n" "$PSTORAGE_SOCKET" | while read -r socket_file; do
+            if [ -n "$socket_file" ] && [ -e "$socket_file" ]; then
+                check_socket_file "$socket_file"
+            fi
+        done
+    else
+        print_list "No socket files found" "$NC"
+    fi
+
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh

@@ -1,42 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Analyzing .service files
-# ID: PR_Service_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Analyze .service files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $WRITABLESYSTEMDPATH
-# Initial Functions:
-# Generated Global Variables: $relpath1, $relpath2, $servicebinpaths
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .service files in MACOS are folders
-print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
-printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
-  if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
-    fi
-    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
-    printf "%s\n" "$servicebinpaths" | while read sp; do
-      if [ -w "$sp" ]; then
-        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
-      fi
-    done
-    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
-    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
-    if [ "$relpath1" ] || [ "$relpath2" ]; then
-      if [ "$WRITABLESYSTEMDPATH" ]; then
-        echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
-      else
-        echo "$s could be executing some relative path"
-      fi
-    fi
-  fi
-done
-if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
-echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh

@@ -0,0 +1,151 @@
+# Title: Processes & Cron & Services & Timers - Unix Sockets Analysis
+# ID: PR_Unix_sockets_listening
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Analyze Unix sockets for privilege escalation vectors:
+#   - Listening Unix sockets
+#   - Socket file permissions
+#   - Socket ownership
+#   - Socket connectivity
+#   - Socket protocol analysis
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
+# Initial Functions:
+# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$IAMROOT" ]; then
+    if ! [ "$SEARCH_IN_FOLDER" ]; then
+        print_2title "Unix Sockets Analysis"
+        print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
+
+
+        # Function to get socket permissions
+        get_socket_perms() {
+            local socket="$1"
+            local perms=""
+            
+            # Check read permission
+            if [ -r "$socket" ]; then
+                perms="Read "
+            fi
+            
+            # Check write permission
+            if [ -w "$socket" ]; then
+                perms="${perms}Write "
+            fi
+            
+            # Check execute permission
+            if [ -x "$socket" ]; then
+                perms="${perms}Execute "
+            fi
+            
+            # Check socket mode
+            local mode=$(stat -c "%a" "$socket" 2>/dev/null)
+            if [ "$mode" = "777" ] || [ "$mode" = "666" ]; then
+                perms="${perms}(Weak Permissions: $mode) "
+            fi
+            
+            echo "$perms"
+        }
+
+        # Function to check socket connectivity
+        check_socket_connectivity() {
+            local socket="$1"
+            local perms="$2"
+            
+            if [ "$EXTRA_CHECKS" ] && command -v curl >/dev/null 2>&1; then
+                # Try to connect to the socket
+                if curl -v --unix-socket "$socket" --max-time 1 http:/linpeas 2>&1 | grep -iq "Permission denied"; then
+                    perms="${perms} - Cannot Connect"
+                else
+                    perms="${perms} - Can Connect"
+                fi
+            fi
+            
+            echo "$perms"
+        }
+
+        # Function to analyze socket protocol
+        analyze_socket_protocol() {
+            local socket="$1"
+            local owner="$2"
+            local response=""
+            
+            # Try to get HTTP response
+            if command -v curl >/dev/null 2>&1; then
+                response=$(curl --max-time 2 --unix-socket "$socket" http:/index 2>/dev/null)
+                if [ $? -eq 0 ]; then
+                    echo "  └─ HTTP Socket (owned by $owner):" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+                    echo "     └─ Response to /index (limit 30):"
+                    echo "$response" | head -n 30 | sed 's/^/       /'
+                fi
+            fi
+        }
+
+        # Function to get socket owner and group
+        get_socket_owner() {
+            local socket="$1"
+            local owner=""
+            local group=""
+            
+            if [ -e "$socket" ]; then
+                owner=$(ls -l "$socket" 2>/dev/null | awk '{print $3}')
+                group=$(ls -l "$socket" 2>/dev/null | awk '{print $4}')
+                echo "$owner:$group"
+            fi
+        }
+
+        # Collect listening sockets using multiple methods
+        unix_scks_list=""
+        for cmd in "ss -xlp -H state listening" "ss -l -p -A 'unix'" "netstat -a -p --unix"; do
+            if [ -z "$unix_scks_list" ]; then
+                unix_scks_list=$($cmd 2>/dev/null | grep -Eo "/[a-zA-Z0-9\._/\-]+" | grep -v " " | sort -u)
+            fi
+        done
+
+        # Get additional socket information
+        if [ -z "$unix_scks_list" ]; then
+            unix_scks_list=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/" | sort -u)
+        fi
+
+        # Find socket files
+        if ! [ "$SEARCH_IN_FOLDER" ]; then
+            unix_scks_list2=$(find / -type s 2>/dev/null)
+        else
+            unix_scks_list2=$(find "$SEARCH_IN_FOLDER" -type s 2>/dev/null)
+        fi
+
+        # Process all found sockets
+        (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort -u | while read -r socket; do
+            if [ -n "$socket" ] && [ -e "$socket" ]; then
+                # Get socket information
+                perms=$(get_socket_perms "$socket")
+                perms=$(check_socket_connectivity "$socket" "$perms")
+                owner_info=$(get_socket_owner "$socket")
+                
+                # Print socket information
+                if [ -z "$perms" ]; then
+                    echo "$socket" | sed -${E} "s,$socket,${SED_GREEN},g"
+                else
+                    echo "$socket" | sed -${E} "s,$socket,${SED_RED},g"
+                    echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
+                    
+                    # Analyze socket protocol if we can connect
+                    if echo "$perms" | grep -q "Can Connect"; then
+                        analyze_socket_protocol "$socket" "$owner_info"
+                    fi
+                    
+                    # Highlight dangerous ownership
+                    if echo "$owner_info" | grep -q "root"; then
+                        echo "  └─(${RED}Owned by root${NC})"
+                    fi
+                fi
+            fi
+        done
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh

@@ -0,0 +1,253 @@
+# Title: Processes & Cron & Services & Timers - D-Bus Analysis
+# ID: PR_DBus_analysis
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Comprehensive D-Bus analysis for privilege escalation vectors:
+#   - D-Bus Service Objects enumeration
+#   - D-Bus Service Object permissions and ownership
+#   - D-Bus Configuration files analysis
+#   - D-Bus Policy analysis
+#   - D-Bus Method and Interface analysis
+#   - D-Bus Privilege Escalation Vectors
+# License: GNU GPL
+# Version: 1.3
+# Functions Used: print_2title, print_3title, print_info, echo_not_found
+# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $dbuslistG, $knw_usrs, $rootcommon, $SED_RED, $SED_GREEN, $SED_BLUE, $SED_LIGHT_CYAN, $SED_LIGHT_MAGENTA, $NC
+# Initial Functions:
+# Generated Global Variables: $dbuslist, $srvc_object, $genpol, $userpol, $grppol, $dangerous_service, $pattern, $dir, $weak_policies, $dangerous_services, $dangerous, $dbussrvc_object, $patterns, $methods, $file, $dbusservice, $session_services, $prop, $dangerous_session_services, $interface, $dangerous_methods, $dbus_file, $dbus_service, $method, $dangerous_patterns, $properties, $interfaces, $dangerous_props, $service, $info, $allow_rules
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "D-Bus Analysis"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
+
+
+    # Function to check for dangerous methods
+    check_dangerous_methods() {
+        service="$1"
+        interface="$2"
+        dangerous=0
+        dangerous_methods=""
+        
+        # Common dangerous method patterns - using space-separated string instead of array
+        patterns="StartUnit StopUnit RestartUnit EnableUnit DisableUnit SetProperty SetUser SetPassword CreateUser DeleteUser ModifyUser Execute Run Spawn Shell Command Exec Authenticate Login Logout Reboot Shutdown PowerOff Suspend Hibernate Update Install Uninstall Configure Modify Change Delete Remove Add Create Write Read Access Grant Revoke Allow Deny"
+        
+        # Get methods for the interface
+        methods=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "method" | awk '{print $2}')
+        
+        # Check each method against dangerous patterns
+        for method in $methods; do
+            for pattern in $patterns; do
+                if echo "$method" | grep -qi "$pattern"; then
+                    dangerous=1
+                    dangerous_methods="${dangerous_methods}${method} "
+                fi
+            done
+        done
+        
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potentially dangerous methods found${NC})"
+            echo "     └─ $dangerous_methods" | sed 's/^/        /'
+        fi
+        
+        return $dangerous
+    }
+
+    # Function to check for dangerous properties
+    check_dangerous_properties() {
+        service="$1"
+        interface="$2"
+        dangerous=0
+        dangerous_props=""
+        
+        # Common dangerous property patterns - using space-separated string instead of array
+        patterns="Executable Command Path User Group Permission Access Auth Password Secret Key Token Credential Config Setting Policy Rule Allow Deny Write Read Execute"
+        
+        # Get properties for the interface
+        properties=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "property" | awk '{print $2}')
+        
+        # Check each property against dangerous patterns
+        for prop in $properties; do
+            for pattern in $patterns; do
+                if echo "$prop" | grep -qi "$pattern"; then
+                    dangerous=1
+                    dangerous_props="${dangerous_props}${prop} "
+                fi
+            done
+        done
+        
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potentially dangerous properties found${NC})"
+            echo "     └─ $dangerous_props" | sed 's/^/        /'
+        fi
+        
+        return $dangerous
+    }
+
+    # Function to analyze service object
+    analyze_service_object() {
+        dbusservice="$1"
+        info=""
+        dangerous=0
+        
+        # Get service status
+        info=$(busctl status "$dbusservice" 2>/dev/null)
+        
+        # Check for root ownership
+        if echo "$info" | grep -qE "^(UID|EUID|OwnerUID)=0"; then
+            echo "  └─(${RED}Running as root${NC})"
+            dangerous=1
+        fi
+        
+        # Get service interfaces
+        interfaces=$(busctl tree "$dbusservice" 2>/dev/null)
+        if [ -n "$interfaces" ]; then
+            echo "  └─ Interfaces:"
+            echo "$interfaces" | sed 's/^/     /'
+            
+            # Check each interface for dangerous methods and properties
+            echo "$interfaces" | while read -r interface; do
+                if [ -n "$interface" ]; then
+                    if check_dangerous_methods "$dbusservice" "$interface"; then
+                        dangerous=1
+                    fi
+                    if check_dangerous_properties "$dbusservice" "$interface"; then
+                        dangerous=1
+                    fi
+                fi
+            done
+        fi
+        
+        # Check for known dangerous services - using space-separated string instead of array
+        dangerous_services="org.freedesktop.systemd1 org.freedesktop.PolicyKit1 org.freedesktop.Accounts org.freedesktop.login1 org.freedesktop.hostname1 org.freedesktop.timedate1 org.freedesktop.locale1 org.freedesktop.machine1 org.freedesktop.portable1 org.freedesktop.resolve1 org.freedesktop.timesync1 org.freedesktop.import1 org.freedesktop.export1 org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver"
+        
+        for dangerous_service in $dangerous_services; do
+            if echo "$dbusservice" | grep -qi "$dangerous_service"; then
+                echo "  └─(${RED}Known dangerous service: $dangerous_service${NC})"
+                dangerous=1
+            fi
+        done
+        
+        # If service is dangerous, provide exploitation hints
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potential privilege escalation vector${NC})"
+            echo "     └─ Try: busctl call $dbusservice / [Interface] [Method] [Arguments]"
+            echo "     └─ Or: dbus-send --session --dest=$dbusservice / [Interface] [Method] [Arguments]"
+        fi
+    }
+
+    # Function to analyze policy file
+    analyze_policy_file() {
+        file="$1"
+        weak_policies=0
+        
+        # Check file permissions
+        if ! [ "$IAMROOT" ] && [ -w "$file" ]; then
+            echo "  └─(${RED}Writable policy file${NC})"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check general policy
+        genpol=$(grep "<policy>" "$file" 2>/dev/null)
+        if [ -n "$genpol" ]; then
+            echo "  └─(${RED}Weak general policy found${NC})"
+            echo "     └─ $genpol" | sed 's/^/        /'
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check user policies
+        userpol=$(grep "<policy user=" "$file" 2>/dev/null | grep -v "root")
+        if [ -n "$userpol" ]; then
+            echo "  └─(${RED}Weak user policy found${NC})"
+            echo "     └─ $userpol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check group policies
+        grppol=$(grep "<policy group=" "$file" 2>/dev/null | grep -v "root")
+        if [ -n "$grppol" ]; then
+            echo "  └─(${RED}Weak group policy found${NC})"
+            echo "     └─ $grppol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check for allow rules in default context
+        allow_rules=$(grep -A 5 "context=\"default\"" "$file" 2>/dev/null | grep "allow")
+        if [ -n "$allow_rules" ]; then
+            echo "  └─(${RED}Allow rules in default context${NC})"
+            echo "     └─ $allow_rules" | sed 's/^/        /'
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check for specific dangerous policy patterns - using space-separated string instead of array
+        dangerous_patterns="allow_any allow_all allow_root allow_user allow_group allow_anonymous allow_any_user allow_any_group allow_any_uid allow_any_gid allow_any_pid allow_any_connection allow_any_method allow_any_property allow_any_signal allow_any_interface allow_any_path allow_any_destination allow_any_sender allow_any_receiver"
+        
+        for pattern in $dangerous_patterns; do
+            if grep -qi "$pattern" "$file" 2>/dev/null; then
+                echo "  └─(${RED}Dangerous policy pattern found: $pattern${NC})"
+                weak_policies=$((weak_policies + 1))
+            fi
+        done
+        
+        return $weak_policies
+    }
+
+    # Analyze D-Bus Service Objects
+    dbuslist=$(busctl list 2>/dev/null)
+    if [ -n "$dbuslist" ]; then
+        echo "$dbuslist" | while read -r dbus_service; do
+            # Print service name with highlighting
+            echo "$dbus_service" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+            
+            # Analyze service if it's not in the known list
+            if ! echo "$dbus_service" | grep -qE "$dbuslistG"; then
+                dbussrvc_object=$(echo "$dbus_service" | cut -d " " -f1)
+                analyze_service_object "$dbussrvc_object"
+            fi
+        done
+    else
+        echo_not_found "busctl"
+    fi
+
+    # Analyze D-Bus Configuration Files
+    if [ "$PSTORAGE_DBUS" ]; then
+        echo ""
+        print_2title "D-Bus Configuration Files"
+        echo "$PSTORAGE_DBUS" | while read -r dir; do
+            for dbus_file in "$dir"/*; do
+                if [ -f "$dbus_file" ]; then
+                    echo "Analyzing $dbus_file:"
+                    if analyze_policy_file "$dbus_file"; then
+                        echo "  └─(${RED}Multiple weak policies found${NC})"
+                    fi
+                fi
+            done
+        done
+    fi
+
+    # Check for D-Bus session bus
+    if command -v dbus-send >/dev/null 2>&1; then
+        echo ""
+        print_3title "D-Bus Session Bus Analysis"
+        if dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep -q "Error"; then
+            echo "(${RED}No access to session bus${NC})"
+        else
+            echo "(${GREEN}Access to session bus available${NC})"
+            # List available services on session bus
+            session_services=$(dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep "string" | sed 's/^/     /')
+            echo "$session_services"
+            
+            # Check for known dangerous session services - using space-separated string instead of array
+            dangerous_session_services="org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver org.freedesktop.Notifications org.freedesktop.ScreenSaver org.freedesktop.PowerManagement org.freedesktop.UPower org.freedesktop.NetworkManager org.freedesktop.Avahi org.freedesktop.UDisks2 org.freedesktop.ModemManager1 org.freedesktop.PackageKit org.freedesktop.PolicyKit1 org.freedesktop.systemd1 org.freedesktop.Accounts org.freedesktop.login1"
+            
+            for dangerous_service in $dangerous_session_services; do
+                if echo "$session_services" | grep -qi "$dangerous_service"; then
+                    echo "  └─(${RED}Known dangerous session service: $dangerous_service${NC})"
+                    echo "     └─ Try: dbus-send --session --dest=$dangerous_service / [Interface] [Method] [Arguments]"
+                fi
+            done
+        fi
+    fi
+fi
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh

@@ -1,38 +0,0 @@
-# Title: Processes & Cron & Services & Timers - .socket files
-# ID: PR_Socket_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: .socket files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $socketsbinpaths, $socketslistpaths
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .socket files in MACOS are folders
-if ! [ "$IAMROOT" ]; then
-  print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
-  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
-    fi
-    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketsbinpaths" | while read sb; do
-      if [ -w "$sb" ]; then
-        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
-      fi
-    done
-    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketslistpaths" | while read sl; do
-      if [ -w "$sl" ]; then
-        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
-      fi
-    done
-  done
-  echo ""
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh

@@ -1,72 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Unix Sockets Listening
-# ID: PR_Unix_sockets_listening
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Unix Sockets Listening
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $unix_scks_list3, $perms, $socketcurl, $owner, $CANNOT_CONNECT_TO_SOCKET
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .socket files in MACOS are folders
-if ! [ "$IAMROOT" ]; then
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    print_2title "Unix Sockets Listening"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
-    # Search sockets using netstat and ss
-    unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
-    fi
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
-    fi
-      unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") 
-  fi
-  
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    # But also search socket files
-    unix_scks_list2=$(find / -type s 2>/dev/null)
-  else
-    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
-  fi
-
-  # Detele repeated dockets and check permissions
-  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
-    perms=""
-    if [ -r "$l" ]; then
-      perms="Read "
-    fi
-    if [ -w "$l" ];then
-      perms="${perms}Write"
-    fi
-    
-    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl || echo -n '')" ]; then
-      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
-      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
-        perms="${perms} - Can Connect"
-      else
-        perms="${perms} - Cannot Connect"
-      fi
-    fi
-    
-    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
-    else 
-      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
-      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
-      # Try to contact the socket
-      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
-      if [ $? -eq 0 ]; then
-        owner=$(ls -l "$s" | cut -d ' ' -f 3)
-        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
-        echo "$socketcurl" | head -n 30
-      fi
-    fi
-  done
-  echo ""
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh

@@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - D-Bus Service Objects list
-# ID: PR_DBus_service_objects_list
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate D-Bus Service Objects list
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables:  $dbuslistG, $knw_usrs, $nosh_usrs, $rootcommon, $SEARCH_IN_FOLDER, $USER
-# Initial Functions:
-# Generated Global Variables: $dbuslist, $srvc_object, $srvc_object_info
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "D-Bus Service Objects list"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
-  dbuslist=$(busctl list 2>/dev/null)
-  if [ "$dbuslist" ]; then
-    busctl list | while read l; do
-      echo "$l" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
-      if ! echo "$l" | grep -qE "$dbuslistG"; then
-        srvc_object=$(echo $l | cut -d " " -f1)
-        srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
-        if [ "$srvc_object_info" ]; then
-          echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
-        fi
-      fi
-    done
-  else echo_not_found "busctl"
-  fi
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh

@@ -1,40 +0,0 @@
-# Title: Processes & Cron & Services & Timers - D-Bus config files
-# ID: PR_DBus_config_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate D-Bus config files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: $genpol, $userpol, $grppol
-# Fat linpeas: 0
-# Small linpeas: 0
-
-print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
-if [ "$PSTORAGE_DBUS" ]; then
-  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
-    for f in $d/*; do
-      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
-      fi
-
-      genpol=$(grep "<policy>" "$f" 2>/dev/null)
-      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
-
-      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #for g in `groups`; do
-      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
-      #done
-      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-
-      #TODO: identify allows in context="default"
-    done
-  done
-fi
-echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh

@@ -1,37 +1,227 @@
-# Title: Processes & Cron & Services & Timers - List proccesses
+# Title: Processes & Cron & Services & Timers - List processes
 # ID: PR_List_processes
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: List running proccesses removing the ones that aren't interesting
+# Last Update: 2024-03-19
+# Description: List running processes and check for unusual configurations
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.4
 # Functions Used: print_2title, print_info, print_ps
 # Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
-# Generated Global Variables: $pslist, $cpid, $caphex, $psline
+# Generated Global Variables: $pslist, $cpid, $caphex, $psline, $pid, $selinux_ctx, $current_env_vars, $env_findings, $apparmor_profile, $mount, $mount_findings, $fd_findings, $proc_cmd, $proc_user, $mount_point, $current_mounts, $fd_target, $var, $findings, $sec_findings, $proc_env_vars, $fd_count, $proc_mounts, $$escaped_var
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Running processes (cleaned)"
 
   if [ "$NOUSEPS" ]; then
     printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
   fi
-  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+  print_info "Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
 
   if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
     echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
   fi
 
+  # Get current process environment variables
+  if [ -r "/proc/self/environ" ]; then
+    current_env_vars=$(cat /proc/self/environ 2>/dev/null | tr '\0' '\n' | sort)
+  else
+    current_env_vars=$(env 2>/dev/null | sort)
+  fi
+  
+  # Get current process mounts
+  if [ -r "/proc/self/mountinfo" ]; then
+    current_mounts=$(cat /proc/self/mountinfo 2>/dev/null | sort)
+  else
+    current_mounts=$(mount 2>/dev/null | sort)
+  fi
+
+  # Function to check for unusual environment variables
+  check_env_vars() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the environment
+    [ ! -r "/proc/$pid/environ" ] && return
+    
+    # Get process environment variables
+    proc_env_vars=$(cat "/proc/$pid/environ" 2>/dev/null | tr '\0' '\n' | sort)
+    [ -z "$proc_env_vars" ] && return
+
+    # Find environment variables that the target process has but we don't
+    if [ -n "$current_env_vars" ]; then
+      echo "$proc_env_vars" | while read -r var; do
+        if [ -n "$var" ]; then
+          # Escape special regex characters in var
+          escaped_var=$(echo "$var" | sed 's/[][^$.*+?(){}|]/\\&/g')
+          if ! echo "$current_env_vars" | grep -q "^$escaped_var$"; then
+            if [ -z "$findings" ]; then
+              findings="Has additional environment variables:"
+            fi
+            findings="$findings\n  └─ $var"
+          fi
+        fi
+      done
+    else
+      # If we can't get current env vars, just show all process env vars
+      findings="Has environment variables:"
+      echo "$proc_env_vars" | while read -r var; do
+        if [ -n "$var" ]; then
+          findings="$findings\n  └─ $var"
+        fi
+      done
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual security contexts
+  check_security_context() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Check SELinux context
+    if [ -r "/proc/$pid/attr/current" ]; then
+      selinux_ctx=$(cat "/proc/$pid/attr/current" 2>/dev/null)
+      if [ -n "$selinux_ctx" ] && [ "$selinux_ctx" != "unconfined" ]; then
+        findings="SELinux context: $selinux_ctx"
+      fi
+    fi
+    
+    # Check AppArmor profile
+    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
+      apparmor_profile=$(cat "/proc/$pid/attr/apparmor/current" 2>/dev/null)
+      if [ -n "$apparmor_profile" ] && [ "$apparmor_profile" != "unconfined" ]; then
+        if [ -n "$findings" ]; then
+          findings="$findings\n  └─ AppArmor profile: $apparmor_profile"
+        else
+          findings="AppArmor profile: $apparmor_profile"
+        fi
+      fi
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual mount namespaces
+  check_mount_namespace() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the mountinfo
+    [ ! -r "/proc/$pid/mountinfo" ] && return
+    
+    # Get process mounts
+    proc_mounts=$(cat "/proc/$pid/mountinfo" 2>/dev/null | sort)
+    [ -z "$proc_mounts" ] && return
+
+    # Find mounts that the target process has but we don't
+    if [ -n "$current_mounts" ]; then
+      echo "$proc_mounts" | while read -r mount; do
+        if [ -n "$mount" ] && ! echo "$current_mounts" | grep -q "^$mount$"; then
+          mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
+          if [ -z "$findings" ]; then
+            findings="Has additional mounts:"
+          fi
+          findings="$findings\n  └─ $mount_point"
+        fi
+      done
+    else
+      # If we can't get current mounts, just show all process mounts
+      findings="Has mounts:"
+      echo "$proc_mounts" | while read -r mount; do
+        if [ -n "$mount" ]; then
+          mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
+          findings="$findings\n  └─ $mount_point"
+        fi
+      done
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual file descriptors
+  check_file_descriptors() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the file descriptors
+    [ ! -r "/proc/$pid/fd" ] && return
+
+    # Check for interesting file descriptors
+    for fd in /proc/$pid/fd/*; do
+      # Skip if fd doesn't exist or we can't access it
+      [ ! -e "$fd" ] && continue
+      
+      # Get fd target
+      fd_target=$(readlink "$fd" 2>/dev/null)
+      [ -z "$fd_target" ] && continue
+
+      # Skip if target doesn't exist
+      [ ! -e "$fd_target" ] && continue
+
+      # Check if we can access the FD but not the target file
+      if [ -r "$fd" ] && [ ! -r "$fd_target" ]; then
+        if [ -z "$findings" ]; then
+          findings="Readable FD to unreadable file: $fd -> $fd_target"
+        else
+          findings="$findings\n  └─ Readable FD to unreadable file: $fd -> $fd_target"
+        fi
+      fi
+      if [ -w "$fd" ] && [ ! -w "$fd_target" ]; then
+        if [ -z "$findings" ]; then
+          findings="Writable FD to unwritable file: $fd -> $fd_target"
+        else
+          findings="$findings\n  └─ Writable FD to unwritable file: $fd -> $fd_target"
+        fi
+      fi
+    done
+
+    # Check for unusual number of file descriptors
+    fd_count=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l)
+    [ -z "$fd_count" ] && return
+
+    # If process has more than 100 file descriptors, it might be interesting
+    if [ "$fd_count" -gt 100 ]; then
+      if [ -z "$findings" ]; then
+        findings="Unusual number of FDs: $fd_count"
+      else
+        findings="$findings\n  └─ Unusual number of FDs: $fd_count"
+      fi
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
   if [ "$NOUSEPS" ]; then
     print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
     pslist=$(print_ps)
   else
     (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
       echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
-      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q root; then
+      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q "root"; then
         cpid=$(echo "$psline" | awk '{print $2}')
         caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
         if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
@@ -42,5 +232,34 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     pslist=$(ps auxwww)
     echo ""
   fi
+
+  # Additional checks for each process
+  print_2title "Processes with unusual configurations"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+    
+    # Run all checks and collect findings
+    sec_findings=$(check_security_context "$pid" "$proc_user" "$proc_cmd")
+    mount_findings=$(check_mount_namespace "$pid" "$proc_user" "$proc_cmd")
+    fd_findings=$(check_file_descriptors "$pid" "$proc_user" "$proc_cmd")
+    env_findings=$(check_env_vars "$pid" "$proc_user" "$proc_cmd")
+
+    # If any findings exist, print process info and findings
+    if [ -n "$env_findings" ] || [ -n "$sec_findings" ] || [ -n "$mount_findings" ] || [ -n "$fd_findings" ]; then
+      echo "Process $pid ($proc_user) - $proc_cmd"
+      [ -n "$env_findings" ] && echo "$env_findings"
+      [ -n "$sec_findings" ] && echo "$sec_findings"
+      [ -n "$mount_findings" ] && echo "$mount_findings"
+      [ -n "$fd_findings" ] && echo "$fd_findings"
+      echo ""
+    fi
+  done
+
   echo ""
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh

@@ -1,26 +1,103 @@
 # Title: Processes & Cron & Services & Timers - Processes with credentials inside memory
 # ID: PR_Process_cred_in_memory
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Processes with credentials inside memory
+# Last Update: 2024-03-19
+# Description: Processes with credentials inside memory and memory-mapped files
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $pslist, $SEARCH_IN_FOLDER
+# Global Variables: $pslist, $SEARCH_IN_FOLDER, $processesDump, $nosh_usrs, $processesB, $knw_usrs, $rootcommon, $sh_usrs, $processesVB
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $line, $cred_files, $filename, $fd_target, $found_cred_files, $proc, $proc_cmd, $pid, $proc_user, $cred_processes, $seen_files
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Processes with credentials in memory (root req)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
-  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
-  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
-  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
-  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
-  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
-  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
+
+  # Common credential-storing processes
+  cred_processes="gdm-password gnome-keyring-daemon lightdm vsftpd apache2 sshd: mysql postgres redis-server mongod memcached elasticsearch jenkins tomcat nginx php-fpm supervisord vncserver xrdp teamviewer"
+
+  # Check for credential-storing processes
+  for proc in $cred_processes; do
+    if echo "$pslist" | grep -q "$proc"; then
+      echo "$proc process found (dump creds from memory as root)" | sed "s,$proc,${SED_RED},"
+    else
+      echo_not_found "$proc"
+    fi
+  done
+
+  # Check for processes with open handles to credential files
+  echo ""
+  print_2title "Opened Files by processes"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    [ ! -r "/proc/$pid/fd" ] && continue
+
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+    
+    # Skip processes that start with "sed " or contain "linpeas.sh"
+    echo "$proc_cmd" | grep -q "^sed " && continue
+    echo "$proc_cmd" | grep -q "linpeas.sh" && continue
+
+    # Variable to store unique files for this process
+    seen_files=""
+    found_cred_files=""
+    
+    # Check for open credential files
+    for fd in /proc/$pid/fd/*; do
+      [ ! -e "$fd" ] && continue
+      fd_target=$(readlink "$fd" 2>/dev/null)
+      [ -z "$fd_target" ] && continue
+      [ "$fd_target" = "/dev/null" ] && continue
+      echo "$fd_target" | grep -q "^socket:" && continue
+      echo "$fd_target" | grep -q "^anon_inode:" && continue
+
+      # Only add if not already seen (using case to check)
+      case " $seen_files " in
+        *" $fd_target "*) continue ;;
+        *)
+          seen_files="$seen_files $fd_target"
+          if [ -z "$found_cred_files" ]; then
+            echo "Process $pid ($proc_user) - $proc_cmd"
+            echo "  └─ Has open files:"
+            found_cred_files="yes"
+          fi
+          echo "    └─ $fd_target"
+          ;;
+      esac
+    done
+  done | sed -${E} "s,\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$,\1${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+
+  # Check for processes with memory-mapped files that might contain credentials
+  echo ""
+  print_2title "Processes with memory-mapped credential files"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    [ ! -r "/proc/$pid/maps" ] && continue
+
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+
+    # Check for memory-mapped files that might contain credentials
+    cred_files=$(grep -E '\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$' "/proc/$pid/maps" 2>/dev/null)
+    if [ -n "$cred_files" ]; then
+      echo "Process $pid ($proc_user) - $proc_cmd"
+      echo "  └─ Has memory-mapped credential files:"
+      echo "$cred_files" | while read -r line; do
+        filename=$(echo "$line" | sed "s,.*/\(.*\),\1,")
+        echo "    └─ $filename"
+      done
+    fi
+  done
+
   echo ""
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh

@@ -1,29 +1,56 @@
 # Title: Processes & Cron & Services & Timers - Process binaries permissions
 # ID: PR_Process_binaries_perms
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Check the permissions of the binaries of the running processes
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.2
 # Functions Used: print_2title, print_info
 # Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
-# Generated Global Variables: $binW, $bpath
+# Generated Global Variables: $binW, $bpath, $pid
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$NOUSEPS" ]; then
     print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
-    binW="IniTialiZZinnggg"
-    ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
+    
+    # Get list of writable binaries
+    binW=""
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/exe" ] && continue
+      
+      # Get binary path
+      bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
+      [ -z "$bpath" ] && continue
+      
+      # Check if binary is writable
       if [ -w "$bpath" ]; then
-        binW="$binW|$bpath"
+        if [ -z "$binW" ]; then
+          binW="$bpath"
+        else
+          binW="$binW|$bpath"
+        fi
       fi
     done
-    ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+
+    # Get and display binary permissions
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/exe" ] && continue
+      
+      # Get binary path
+      bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
+      [ -z "$bpath" ] && continue
+      
+      # Display binary permissions if file exists
+      if [ -e "$bpath" ]; then
+        ls -la "$bpath" 2>/dev/null
+      fi
+    done | grep -Ev "\sroot\s+root" | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
     echo ""
   fi
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh

@@ -1,36 +1,60 @@
 # Title: Processes & Cron & Services & Timers - Process opened by other users
 # ID: PR_Processes_PPID_different_user
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Processes whose PPID belongs to a different user (not root)
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.1
 # Functions Used: print_2title, print_info
 # Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $ppid_user, $pid, $ppid, $user
+# Generated Global Variables: $ppid_user, $pid, $ppid, $user, $ppid_uid, $user_uid
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
   print_2title "Processes whose PPID belongs to a different user (not root)"
   print_info "You will know if a user can somehow spawn processes as a different user"
   
-  # Function to get user by PID
+  # Function to get user by PID using /proc
   get_user_by_pid() {
-    ps -p "$1" -o user | grep -v "USER"
+    if [ -r "/proc/$1/status" ]; then
+      grep "^Uid:" "/proc/$1/status" 2>/dev/null | awk '{print $2}'
+    fi
+  }
+
+  # Function to get username by UID
+  get_username_by_uid() {
+    if [ -r "/etc/passwd" ]; then
+      grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
+    fi
   }
 
   # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
-  ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
-    if [ "$ppid" = "0" ]; then
-      continue
-    fi
-    ppid_user=$(get_user_by_pid "$ppid")
-    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -r "/proc/$pid/status" ] && continue
+    
+    # Get process user
+    user_uid=$(get_user_by_pid "$pid")
+    [ -z "$user_uid" ] && continue
+    user=$(get_username_by_uid "$user_uid")
+    [ -z "$user" ] && continue
+
+    # Get PPID
+    ppid=$(grep "^PPid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
+    [ -z "$ppid" ] || [ "$ppid" = "0" ] && continue
+
+    # Get PPID user
+    ppid_uid=$(get_user_by_pid "$ppid")
+    [ -z "$ppid_uid" ] && continue
+    ppid_user=$(get_username_by_uid "$ppid_uid")
+    [ -z "$ppid_user" ] && continue
+
+    # Check if users are different and PPID user is not root
+    if [ "$user" != "$ppid_user" ] && [ "$ppid_user" != "root" ]; then
       echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
     fi
   done
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh

@@ -1,23 +1,64 @@
 # Title: Processes & Cron & Services & Timers - Files opened by processes belonging to other users
 # ID: PR_Files_open_process_other_user
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Files opened by processes belonging to other users
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.1
 # Functions Used: print_2title, print_info
 # Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_uid, $pid, $fd_target, $cmd, $user
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if ! [ "$IAMROOT" ]; then
     print_2title "Files opened by processes belonging to other users"
     print_info "This is usually empty because of the lack of privileges to read other user processes information"
-    lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+
+    # Function to get username by UID
+    get_username_by_uid() {
+      if [ -r "/etc/passwd" ]; then
+        grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
+      fi
+    }
+
+    # Check each process
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/status" ] && continue
+      [ ! -r "/proc/$pid/fd" ] && continue
+
+      # Get process user
+      user_uid=$(grep "^Uid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
+      [ -z "$user_uid" ] && continue
+      user=$(get_username_by_uid "$user_uid")
+      [ -z "$user" ] && continue
+
+      # Skip if process belongs to current user
+      [ "$user" = "$USER" ] && continue
+
+      # Get process command
+      cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+      [ -z "$cmd" ] && continue
+
+      # Check file descriptors
+      for fd in /proc/$pid/fd/*; do
+        [ ! -e "$fd" ] && continue
+        fd_target=$(readlink "$fd" 2>/dev/null)
+        [ -z "$fd_target" ] && continue
+
+        # Skip if target doesn't exist or is a special file
+        [ ! -e "$fd_target" ] && continue
+        case "$fd_target" in
+          /dev/*|/proc/*|/sys/*) continue ;;
+        esac
+
+        echo "Process $pid ($user) - $cmd"
+        echo "  └─ Has open file: $fd_target" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+      done
+    done
     echo ""
   fi
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
     temp_file=$(mktemp)
     if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
       for i in $(seq 1 1210); do 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh

@@ -0,0 +1,250 @@
+# Title: Processes & Cron & Services & Timers - Cron jobs and Wildcards
+# ID: PR_Cron_jobs
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Enumerate system cron jobs and check for privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB, $PATH
+# Initial Functions:
+# Generated Global Variables: $cmd, $VAR, $file, $path, $user_crontab, $username, $job_id, $cron_dir, $crontab, $findings, $line, $finding, $bin
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Check for vulnerable cron jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
+
+  print_3title "Cron jobs list"
+  command -v crontab 2>/dev/null || echo_not_found "crontab"
+  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+  incrontab -l 2>/dev/null
+  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  atq 2>/dev/null
+  echo ""
+
+  print_3title "Checking for specific cron jobs vulnerabilities"
+
+
+
+  # Function to check if a binary is writable and executable
+  check_binary_perms() {
+    local bin="$1"
+    [ -z "$bin" ] && return
+    
+    # Skip if binary doesn't exist
+    [ ! -e "$bin" ] && return
+    
+    # Check if it's a regular file
+    [ ! -f "$bin" ] && return
+    
+    # Check if it's writable and executable
+    if [ -w "$bin" ]; then
+      echo "Writable binary: $bin"
+      ls -l "$bin" 2>/dev/null
+    fi
+  }
+
+  # Function to extract binary path from command
+  get_binary_path() {
+    local cmd="$1"
+    local bin=""
+    
+    # Try to get the first word of the command
+    bin=$(echo "$cmd" | awk '{print $1}')
+    [ -z "$bin" ] && return
+    
+    # If it's an absolute path, use it directly
+    if [ "$(echo "$bin" | cut -c1)" = "/" ]; then
+      echo "$bin"
+      return
+    fi
+    
+    # If it's a relative path, try to resolve it
+    if [ -e "$bin" ]; then
+      echo "$(pwd)/$bin"
+      return
+    fi
+    
+    # Try to find it in PATH
+    for path in $(echo "$PATH" | tr ':' ' '); do
+      if [ -x "$path/$bin" ]; then
+        echo "$path/$bin"
+        return
+      fi
+    done
+  }
+
+  # Function to check for privilege escalation vectors in a command
+  check_privesc_vectors() {
+    local cmd="$1"
+    local file="$2"
+    local findings=""
+    local bin=""
+
+    # Skip common false positives (mail commands, shell conditionals, variable assignments)
+    if echo "$cmd" | grep -qE '^(mail|echo|then|else|fi|if|for|while|do|done|case|esac|exit|return|break|continue|:|\[|test|\[\[|\]\]|true|false|source|\.|cd|pwd|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*[=:])'; then
+      return
+    fi
+
+    # Get the binary path
+    bin=$(get_binary_path "$cmd")
+    if [ -n "$bin" ]; then
+      check_binary_perms "$bin"
+    fi
+
+    # Check for wildcard injection vectors
+    # Attack: Using wildcards in tar/chmod/chown to execute arbitrary commands
+    # Example: tar cf archive.tar * (where * expands to --checkpoint=1 --checkpoint-action=exec=sh)
+    if echo "$cmd" | grep -qE '\*'; then
+      findings="${findings}POTENTIAL_WILDCARD_INJECTION: Command uses wildcards with potentially exploitable command\n"
+    fi
+
+    # Check for path hijacking vectors
+    # Attack: Using relative paths or commands without full path that can be hijacked
+    # Example: script.sh instead of /usr/bin/script.sh
+    if echo "$cmd" | grep -qE '^[[:space:]]*[^/][^[:space:]]*[[:space:]]'; then
+      # Skip common false positives like shell builtins, control structures, and variable assignments
+      # Also skip test commands ([ ]), logical operators (&& ||), and complex shell constructs
+      if ! echo "$cmd" | grep -qE '^[[:space:]]*(cd|\.|source|\./|if|then|else|fi|for|while|do|done|case|esac|exit|return|break|continue|:|\[[[:space:]]|test|\[\[|\]\]|true|false|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|[A-Za-z0-9_]+[[:space:]]*[=:]|&&|\|\||;|\(|\)|\{|\})'; then
+        findings="${findings}PATH_HIJACKING: Command uses relative path\n"
+      fi
+    fi
+
+    # Check for command injection vectors
+    # Attack: Using unquoted variables or command substitution that can be injected
+    # Example: echo $VAR or echo $(command)
+    if echo "$cmd" | grep -qE '\$\{?[A-Za-z0-9_]|\$\(|`'; then
+      findings="${findings}COMMAND_INJECTION: Command uses unquoted variables or command substitution\n"
+    fi
+
+    # Check for overly permissive commands
+    # Attack: Commands that can be used to escalate privileges
+    # Example: chmod 777, chown root, etc.
+    if echo "$cmd" | grep -qE '\b(chmod\s+[0-7]{3,4}|chown\s+root|chgrp\s+root|sudo|su |pkexec)\b'; then
+      findings="${findings}PERMISSIVE_COMMAND: Command modifies permissions or uses privilege escalation tools\n"
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in cron job:"
+      echo "  └─ File: $file"
+      echo "  └─ Command: $cmd"
+      if [ -n "$bin" ]; then
+        echo "  └─ Binary: $bin"
+      fi
+      echo "  └─ Findings:"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "     * $finding"
+      done
+    fi
+  }
+
+  # Check system crontabs
+  #echo "Checking system crontabs..."
+  #for crontab in /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* /var/spool/cron/crontabs/* /etc/at* /etc/anacrontab /etc/incron.d/* /var/spool/incron/*; do
+  #  [ ! -f "$crontab" ] && continue
+  #  [ ! -r "$crontab" ] && continue
+
+  #  # Check if the file is writable
+  #  if [ -w "$crontab" ]; then
+  #    echo "Writable cron file: $crontab"
+  #  fi
+
+  #  # Check each line for privilege escalation vectors
+  #  while IFS= read -r line || [ -n "$line" ]; do
+  #    # Skip comments and empty lines
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+
+  #    # Extract the command part (everything after the time specification)
+  #    cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #    [ -z "$cmd" ] && continue
+
+  #    check_privesc_vectors "$cmd" "$crontab"
+  #  done < "$crontab"
+  #done
+
+  # Check user crontabs
+  #echo "Checking user crontabs..."
+  #if command -v crontab >/dev/null 2>&1; then
+  #  # Check current user's crontab
+  #  crontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+  #    cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #    [ -z "$cmd" ] && continue
+  #    check_privesc_vectors "$cmd" "current user crontab"
+  #  done
+
+  #  # Check other users' crontabs if accessible
+  #  for user_crontab in /var/spool/cron/crontabs/*; do
+  #    [ ! -f "$user_crontab" ] && continue
+  #    [ ! -r "$user_crontab" ] && continue
+  #    username=$(basename "$user_crontab")
+  #    [ "$username" = "$USER" ] && continue
+      
+  #    echo "Found crontab for user: $username"
+  #    while IFS= read -r line || [ -n "$line" ]; do
+  #      case "$line" in
+  #        \#*|"") continue ;;
+  #      esac
+  #      cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #      [ -z "$cmd" ] && continue
+  #      check_privesc_vectors "$cmd" "$user_crontab"
+  #    done < "$user_crontab"
+  #  done
+  #else
+  #  echo_not_found "crontab"
+  #fi
+
+  # Check for writable cron directories
+  echo "Checking cron directories..."
+  for cron_dir in /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron/crontabs /usr/lib/cron/tabs /private/var/at/jobs /var/at/tabs /etc/periodic; do
+    [ ! -d "$cron_dir" ] && continue
+    if [ -w "$cron_dir" ]; then
+      echo "Writable cron directory: $cron_dir"
+    fi
+  done
+
+  # Check for at jobs
+  #if command -v atq >/dev/null 2>&1; then
+  #  echo "Checking at jobs..."
+  #  atq 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    [ -z "$line" ] && continue
+  #    job_id=$(echo "$line" | awk '{print $1}')
+  #    [ -z "$job_id" ] && continue
+  #    at -c "$job_id" 2>/dev/null | while IFS= read -r cmd || [ -n "$cmd" ]; do
+  #      case "$cmd" in
+  #        \#*|"") continue ;;
+  #      esac
+  #      check_privesc_vectors "$cmd" "at job $job_id"
+  #    done
+  #  done
+  #fi
+
+  # Check for incron jobs
+  #if command -v incrontab >/dev/null 2>&1; then
+  #  echo "Checking incron jobs..."
+  #  incrontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+  #    cmd=$(echo "$line" | awk '{print $3}')
+  #    [ -z "$cmd" ] && continue
+  #    check_privesc_vectors "$cmd" "incron job"
+  #  done
+  #fi
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh

@@ -1,22 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Systemd PATH
-# ID: PR_Systemd_path
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Systemd PATH
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $SEARCH_IN_FOLDER, $Wfolders
-# Initial Functions:
-# Generated Global Variables: $WRITABLESYSTEMDPATH
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "Systemd PATH"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
-  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
-  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
-  echo ""
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh

@@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Cron jobs
-# ID: PR_Cron_jobs
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate system cron jobs
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
-  command -v crontab 2>/dev/null || echo_not_found "crontab"
-  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
-  incrontab -l 2>/dev/null
-  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
-  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
-  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
-  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
-  atq 2>/dev/null
-else
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
-  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
-fi
-echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh

@@ -0,0 +1,169 @@
+# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
+# ID: PR_Macos_launch_agents_daemons
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Third party LaunchAgents & LaunchDemons and privilege escalation vectors
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $program, $plist_content, $binary_path, $periodic_dir, $workdir, $startup_dir, $line, $emond_script, $startup_item, $finding, $location, $findings, $login_item, $plist, $periodic_script, $plist_dir
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$MACPEAS" ]; then
+    print_2title "Third party LaunchAgents & LaunchDemons"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
+    print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"
+    print_info "1. Writable plist files"
+    print_info "2. Writable program binaries"
+    print_info "3. Environment variables with sensitive data"
+    print_info "4. Unsafe program arguments"
+    print_info "5. RunAtLoad with elevated privileges"
+    print_info "6. KeepAlive with elevated privileges"
+
+    # Function to check plist content for privilege escalation vectors
+    check_plist_content() {
+      local plist="$1"
+      local findings=""
+      
+      # Check for environment variables
+      if defaults read "$plist" EnvironmentVariables 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
+        findings="${findings}ENV_VARS: Contains sensitive environment variables\n"
+      fi
+
+      # Check for RunAtLoad with elevated privileges
+      if defaults read "$plist" RunAtLoad 2>/dev/null | grep -q "true"; then
+        if [ -w "$plist" ]; then
+          findings="${findings}RUN_AT_LOAD: Runs at load and plist is writable\n"
+        fi
+      fi
+
+      # Check for KeepAlive with elevated privileges
+      if defaults read "$plist" KeepAlive 2>/dev/null | grep -q "true"; then
+        if [ -w "$plist" ]; then
+          findings="${findings}KEEP_ALIVE: Keeps running and plist is writable\n"
+        fi
+      fi
+
+      # Check for unsafe program arguments
+      if defaults read "$plist" ProgramArguments 2>/dev/null | grep -qE '(sudo|su|chmod|chown|chroot|mount)'; then
+        findings="${findings}UNSAFE_ARGS: Uses potentially dangerous program arguments\n"
+      fi
+
+      # Check for writable working directory
+      if defaults read "$plist" WorkingDirectory 2>/dev/null | grep -qE '^/'; then
+        local workdir=$(defaults read "$plist" WorkingDirectory 2>/dev/null)
+        if [ -w "$workdir" ]; then
+          findings="${findings}WRITABLE_WORKDIR: Working directory is writable\n"
+        fi
+      fi
+
+      # If any findings, print them
+      if [ -n "$findings" ]; then
+        echo "Potential privilege escalation in: $plist"
+        echo "$findings" | while read -r finding; do
+          [ -n "$finding" ] && echo "  └─ $finding"
+        done
+      fi
+    }
+
+    # Check system and user LaunchAgents & LaunchDaemons
+    for plist_dir in /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/; do
+      [ ! -d "$plist_dir" ] && continue
+      
+      echo "Checking $plist_dir..."
+      find "$plist_dir" -name "*.plist" 2>/dev/null | while read -r plist; do
+        # Check if plist is writable
+        if [ -w "$plist" ]; then
+          echo "Writable plist: $plist" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+        fi
+
+        # Get program path
+        program=""
+        program=$(defaults read "$plist" Program 2>/dev/null)
+        if ! [ "$program" ]; then
+          program=$(defaults read "$plist" ProgramArguments 2>/dev/null | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
+        fi
+
+        # Check if program is writable
+        if [ -n "$program" ] && [ -w "$program" ]; then
+          echo "Writable program: $program" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$program" 2>/dev/null
+        fi
+
+        # Check plist content for privilege escalation vectors
+        check_plist_content "$plist"
+      done
+    done
+    echo ""
+
+    print_2title "StartupItems"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
+    for startup_dir in /Library/StartupItems/ /System/Library/StartupItems/; do
+      [ ! -d "$startup_dir" ] && continue
+      echo "Checking $startup_dir..."
+      find "$startup_dir" -type f -executable 2>/dev/null | while read -r startup_item; do
+        if [ -w "$startup_item" ]; then
+          echo "Writable startup item: $startup_item" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$startup_item" 2>/dev/null
+        fi
+      done
+    done
+    echo ""
+
+    print_2title "Login Items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
+    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ", " "\n" | while read -r login_item; do
+      if [ -n "$login_item" ]; then
+        # Try to find the actual binary
+        binary_path=$(mdfind "kMDItemDisplayName == '$login_item'" 2>/dev/null | head -n 1)
+        if [ -n "$binary_path" ] && [ -w "$binary_path" ]; then
+          echo "Writable login item binary: $binary_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$binary_path" 2>/dev/null
+        fi
+      fi
+    done
+    echo ""
+
+    print_2title "SPStartupItemDataType"
+    system_profiler SPStartupItemDataType 2>/dev/null | while read -r line; do
+      if echo "$line" | grep -q "Location:"; then
+        location=$(echo "$line" | cut -d: -f2- | xargs)
+        if [ -w "$location" ]; then
+          echo "Writable startup item location: $location" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$location" 2>/dev/null
+        fi
+      fi
+    done
+    echo ""
+
+    print_2title "Emond scripts"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
+    if [ -d "/private/var/db/emondClients" ]; then
+      find "/private/var/db/emondClients" -type f 2>/dev/null | while read -r emond_script; do
+        if [ -w "$emond_script" ]; then
+          echo "Writable emond script: $emond_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$emond_script" 2>/dev/null
+        fi
+      done
+    fi
+    echo ""
+
+    print_2title "Periodic tasks"
+    print_info "Checking periodic tasks for privilege escalation vectors"
+    for periodic_dir in /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly; do
+      [ ! -d "$periodic_dir" ] && continue
+      echo "Checking $periodic_dir..."
+      find "$periodic_dir" -type f -executable 2>/dev/null | while read -r periodic_script; do
+        if [ -w "$periodic_script" ]; then
+          echo "Writable periodic script: $periodic_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$periodic_script" 2>/dev/null
+        fi
+      done
+    done
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh

@@ -1,55 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
-# ID: PR_Macos_launch_agents_daemons
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Third party LaunchAgents & LaunchDemons
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $program
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  if [ "$MACPEAS" ]; then
-    print_2title "Third party LaunchAgents & LaunchDemons"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
-    ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
-    echo ""
-
-    print_2title "Writable System LaunchAgents & LaunchDemons"
-    find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
-      program=""
-      program=$(defaults read "$f" Program 2>/dev/null)
-      if ! [ "$program" ]; then
-        program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
-      fi
-      if [ -w "$program" ]; then
-        echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
-      fi
-    done
-    echo ""
-
-    print_2title "StartupItems"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
-    ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
-    echo ""
-
-    print_2title "Login Items"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
-    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
-    echo ""
-
-    print_2title "SPStartupItemDataType"
-    system_profiler SPStartupItemDataType
-    echo ""
-
-    print_2title "Emond scripts"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
-    ls -l /private/var/db/emondClients
-    echo ""
-  fi
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh

@@ -0,0 +1,156 @@
+# Title: Processes & Cron & Services & Timers - System Timers
+# ID: PR_System_timers
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: System Timers and privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info, print_3title
+# Global Variables: $SEARCH_IN_FOLDER, $timersG
+# Initial Functions:
+# Generated Global Variables: $timer_unit, $timer_path, $timer_content, $exec_path, $timer_file, $line, $findings, $unit_path, $finding, $service_unit, $timer, $target_unit, $target_file
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "System timers"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
+
+  # Function to check timer content for privilege escalation vectors
+  check_timer_content() {
+    local timer="$1"
+    local findings=""
+    
+    # Get the service unit this timer activates
+    local service_unit=$(systemctl show "$timer" -p Unit 2>/dev/null | cut -d= -f2)
+    if [ -n "$service_unit" ]; then
+      # Check if the service runs with elevated privileges
+      if systemctl show "$service_unit" -p User 2>/dev/null | grep -q "root"; then
+        findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
+      fi
+
+      # Get the executable path
+      local exec_path=$(systemctl show "$service_unit" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
+      if [ -n "$exec_path" ]; then
+        if [ -w "$exec_path" ]; then
+          findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+        fi
+        # Check for relative paths
+        case "$exec_path" in
+          /*) : ;; # Absolute path, do nothing
+          *) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
+        esac
+      fi
+
+      # Check for unsafe configurations
+      if systemctl show "$service_unit" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
+        findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
+      fi
+
+      # Check for weak permissions
+      if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+        findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
+      fi
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in timer: $timer"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # Function to check timer file for privilege escalation vectors
+  check_timer_file() {
+    local timer_file="$1"
+    local findings=""
+
+    # Check if timer file is writable (following symlinks)
+    if [ -L "$timer_file" ]; then
+      # If it's a symlink, check the target file
+      local target_file=$(readlink -f "$timer_file")
+      if [ -w "$target_file" ]; then
+        findings="${findings}WRITABLE_FILE: Timer target file is writable: $target_file\n"
+      fi
+    elif [ -w "$timer_file" ]; then
+      findings="${findings}WRITABLE_FILE: Timer file is writable\n"
+    fi
+
+    # Check for weak permissions (following symlinks)
+    if [ "$(stat -L -c %a "$timer_file" 2>/dev/null)" = "777" ]; then
+      findings="${findings}WEAK_PERMS: Timer file has 777 permissions\n"
+    fi
+
+    # Check for relative paths in Unit directive
+    if grep -q "^Unit=[^/]" "$timer_file" 2>/dev/null; then
+      findings="${findings}RELATIVE_PATH: Uses relative path in Unit directive\n"
+    fi
+
+    # Check for writable executables in Unit directive (following symlinks)
+    local unit_path=$(grep -Po '^Unit=*(.*?$)' "$timer_file" 2>/dev/null | cut -d '=' -f2)
+    if [ -n "$unit_path" ]; then
+      if [ -L "$unit_path" ]; then
+        local target_unit=$(readlink -f "$unit_path")
+        if [ -w "$target_unit" ]; then
+          findings="${findings}WRITABLE_UNIT: Unit target file is writable: $target_unit\n"
+        fi
+      elif [ -w "$unit_path" ]; then
+        findings="${findings}WRITABLE_UNIT: Unit file is writable: $unit_path\n"
+      fi
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in timer file: $timer_file"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # List all timers and check for privilege escalation vectors
+  print_3title "Active timers:"
+  systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | while read -r line; do
+    # Extract timer unit name
+    timer_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$timer_unit" ]; then
+      # Check if timer file is writable
+      timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$timer_path" ]; then
+        check_timer_file "$timer_path"
+      fi
+
+      # Check timer content for privilege escalation vectors
+      check_timer_content "$timer_unit"
+
+      # Print the timer line with highlighting
+      echo "$line" | sed -${E} "s,$timersG,${SED_GREEN},"
+    fi
+  done || echo_not_found
+
+  # Check for disabled but available timers
+  print_3title "Disabled timers:"
+  systemctl list-unit-files --type=timer --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
+    timer_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$timer_unit" ]; then
+      timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$timer_path" ]; then
+        check_timer_file "$timer_path"
+      fi
+    fi
+  done || echo_not_found
+
+  # Check timer files from PSTORAGE_TIMER
+  if [ -n "$PSTORAGE_TIMER" ]; then
+    print_3title "Additional timer files:"
+    printf "%s\n" "$PSTORAGE_TIMER" | while read -r timer_file; do
+      if [ -n "$timer_file" ] && [ -e "$timer_file" ]; then
+        check_timer_file "$timer_file"
+      fi
+    done
+  fi
+
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh

@@ -5,20 +5,48 @@
 # Description: Check for internet access
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_80, print_2title
-# Global Variables: $FAST, $TIMEOUT
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
+# Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
-if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
-  print_2title "Internet Access?"
-  check_tcp_80 2>/dev/null &
-  check_tcp_443 2>/dev/null &
-  check_icmp 2>/dev/null &
-  check_dns 2>/dev/null &
-  wait
-  echo ""
+
+print_2title "Internet Access?"
+
+TIMEOUT_INTERNET_SECONDS=5
+
+if [ "$SUPERFAST" ]; then
+  TIMEOUT_INTERNET_SECONDS=2.5
 fi
+
+
+# Run all checks in background
+check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$!
+check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
+check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
+check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
+
+# Kill all after 10 seconds
+(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
+
+check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
+tcp443_bin_status=$?
+
+wait $pid1 $pid2 $pid3 $pid4 2>/dev/null
+
+
+# Wait for all to finish
+wait 2>/dev/null
+
+if [ "$tcp443_bin_status" -eq 0 ] && \
+   [ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
+  echo ""
+  print_2title "Is hostname malicious or leaked?"
+  print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
+  check_external_hostname 2>/dev/null
+fi
+
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh

@@ -8,12 +8,69 @@
 # Functions Used: print_2title
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $iface, $state, $mac, $ip_file, $line
 # Fat linpeas: 0
 # Small linpeas: 1
 
+# Function to parse network interfaces from /proc/net/dev and other sources
+parse_network_interfaces() {
+    # Try to get interfaces from /proc/net/dev
+    if [ -f "/proc/net/dev" ]; then
+        echo "Network Interfaces from /proc/net/dev:"
+        echo "----------------------------------------"
+        # Skip header lines and format output
+        grep -v "^Inter\|^ face" /proc/net/dev | while read -r line; do
+            iface=$(echo "$line" | awk -F: '{print $1}' | tr -d ' ')
+            if [ -n "$iface" ]; then
+                echo "Interface: $iface"
+                # Try to get IP address from /sys/class/net
+                if [ -f "/sys/class/net/$iface/address" ]; then
+                    mac=$(cat "/sys/class/net/$iface/address" 2>/dev/null)
+                    echo "  MAC: $mac"
+                fi
+                # Try to get IP from /sys/class/net
+                if [ -d "/sys/class/net/$iface/ipv4" ]; then
+                    for ip_file in /sys/class/net/$iface/ipv4/addr_*; do
+                        if [ -f "$ip_file" ]; then
+                            ip=$(cat "$ip_file" 2>/dev/null)
+                            echo "  IP: $ip"
+                        fi
+                    done
+                fi
+                # Get interface state
+                if [ -f "/sys/class/net/$iface/operstate" ]; then
+                    state=$(cat "/sys/class/net/$iface/operstate" 2>/dev/null)
+                    echo "  State: $state"
+                fi
+                echo ""
+            fi
+        done
+    fi
+
+    # Try to get additional info from /proc/net/fib_trie
+    if [ -f "/proc/net/fib_trie" ]; then
+        echo "Additional IP Information from fib_trie:"
+        echo "----------------------------------------"
+        grep -A1 "Main" /proc/net/fib_trie | grep -v "\-\-" | while read -r line; do
+            if echo "$line" | grep -q "Main"; then
+                echo "Network: $(echo "$line" | awk '{print $2}')"
+            elif echo "$line" | grep -q "/"; then
+                echo "  IP: $(echo "$line" | awk '{print $2}')"
+            fi
+        done
+    fi
+}
 
 print_2title "Interfaces"
 cat /etc/networks 2>/dev/null
-(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
+
+# Try standard tools first, then fall back to our custom function
+if command -v ifconfig >/dev/null 2>&1; then
+    ifconfig 2>/dev/null
+elif command -v ip >/dev/null 2>&1; then
+    ip a 2>/dev/null
+else
+    parse_network_interfaces
+fi
+
 echo ""

linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh

@@ -8,12 +8,100 @@
 # Functions Used: print_2title, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $conf, $line
 # Fat linpeas: 0
 # Small linpeas: 1
 
+# Function to get hostname using multiple methods
+get_hostname_info() {
+    print_3title "Hostname Information"
+    # Try multiple methods to get hostname
+    if command -v hostname >/dev/null 2>&1; then
+        echo "System hostname: $(hostname 2>/dev/null)"
+        echo "FQDN: $(hostname -f 2>/dev/null)"
+    else
+        # Fallback methods
+        if [ -f "/proc/sys/kernel/hostname" ]; then
+            echo "System hostname: $(cat /proc/sys/kernel/hostname 2>/dev/null)"
+        fi
+        if [ -f "/etc/hostname" ]; then
+            echo "Hostname from /etc/hostname: $(cat /etc/hostname 2>/dev/null)"
+        fi
+    fi
+    echo ""
+}
+
+# Function to get hosts file information
+get_hosts_info() {
+    print_3title "Hosts File Information"
+    if [ -f "/etc/hosts" ]; then
+        echo "Contents of /etc/hosts:"
+        grep -v "^#" /etc/hosts 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+    echo ""
+}
+
+# Function to get DNS information
+get_dns_info() {
+    print_3title "DNS Configuration"
+    
+    # Get resolv.conf information
+    if [ -f "/etc/resolv.conf" ]; then
+        echo "DNS Servers (resolv.conf):"
+        grep -v "^#" /etc/resolv.conf 2>/dev/null | grep -v "^$" | while read -r line; do
+            if echo "$line" | grep -q "nameserver"; then
+                echo "  $(echo "$line" | awk '{print $2}')"
+            elif echo "$line" | grep -q "search\|domain"; then
+                echo "  $line"
+            fi
+        done
+    fi
+
+    # Check for systemd-resolved configuration
+    if [ -f "/etc/systemd/resolved.conf" ]; then
+        echo -e "\nSystemd-resolved configuration:"
+        grep -v "^#" /etc/systemd/resolved.conf 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    # Check for NetworkManager DNS settings
+    if [ -d "/etc/NetworkManager" ]; then
+        echo -e "\nNetworkManager DNS settings:"
+        find /etc/NetworkManager -type f -name "*.conf" 2>/dev/null | while read -r conf; do
+            if grep -q "dns=" "$conf" 2>/dev/null; then
+                echo "  From $conf:"
+                grep "dns=" "$conf" 2>/dev/null | while read -r line; do
+                    echo "    $line"
+                done
+            fi
+        done
+    fi
+
+    # Try to get DNS domain name
+    echo -e "\nDNS Domain Information:"
+    if command -v dnsdomainname >/dev/null 2>&1; then
+        warn_exec dnsdomainname 2>/dev/null
+    fi
+    if command -v domainname >/dev/null 2>&1; then
+        warn_exec domainname 2>/dev/null
+    fi
+
+    # Check for DNS cache status
+    if command -v systemd-resolve >/dev/null 2>&1; then
+        echo -e "\nDNS Cache Status (systemd-resolve):"
+        systemd-resolve --status 2>/dev/null | grep -A5 "DNS Servers" | grep -v "\-\-" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+    echo ""
+}
 
 print_2title "Hostname, hosts and DNS"
-cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
-warn_exec dnsdomainname 2>/dev/null
-echo ""
+
+# Execute all information gathering functions
+get_hostname_info
+get_hosts_info
+get_dns_info

linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh

@@ -5,21 +5,134 @@
 # Description: Networks and neighbours
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
+# Functions Used: print_2title, print_3title
 # Global Variables: $EXTRA_CHECKS, $MACPEAS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $hwtype, $flags, $line, $iface, $dest, $ref, $use, $mask, $metric, $device, $hwaddr
 # Fat linpeas: 0
 # Small linpeas: 0
 
+# Function to parse routing information from /proc/net/route
+parse_proc_route() {
+    print_3title "Routing Table (from /proc/net/route)"
+    echo "Destination         Gateway         Genmask         Flags Metric Ref    Use Iface"
+    echo "--------------------------------------------------------------------------------"
+    # Skip header line and process each route
+    tail -n +2 /proc/net/route 2>/dev/null | while read -r line; do
+        if [ -n "$line" ]; then
+            # Extract fields
+            iface=$(echo "$line" | awk '{print $1}')
+            dest=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($2,7,2), substr($2,5,2), substr($2,3,2), substr($2,1,2)}'))
+            gw=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($3,7,2), substr($3,5,2), substr($3,3,2), substr($3,1,2)}'))
+            mask=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($4,7,2), substr($4,5,2), substr($4,3,2), substr($4,1,2)}'))
+            flags=$(echo "$line" | awk '{print $5}')
+            metric=$(echo "$line" | awk '{print $6}')
+            ref=$(echo "$line" | awk '{print $7}')
+            use=$(echo "$line" | awk '{print $8}')
+            
+            # Print formatted output
+            printf "%-18s %-15s %-15s %-6s %-6s %-6s %-6s %s\n" "$dest" "$gw" "$mask" "$flags" "$metric" "$ref" "$use" "$iface"
+        fi
+    done
+    echo ""
+}
+
+# Function to parse ARP information from /proc/net/arp
+parse_proc_arp() {
+    print_3title "ARP Table (from /proc/net/arp)"
+    echo "IP address       HW type     Flags     HW address           Mask     Device"
+    echo "------------------------------------------------------------------------"
+    # Skip header line and process each ARP entry
+    tail -n +2 /proc/net/arp 2>/dev/null | while read -r line; do
+        if [ -n "$line" ]; then
+            ip=$(echo "$line" | awk '{print $1}')
+            hwtype=$(echo "$line" | awk '{print $2}')
+            flags=$(echo "$line" | awk '{print $3}')
+            hwaddr=$(echo "$line" | awk '{print $4}')
+            mask=$(echo "$line" | awk '{print $5}')
+            device=$(echo "$line" | awk '{print $6}')
+            
+            # Print formatted output
+            printf "%-15s %-11s %-9s %-18s %-8s %s\n" "$ip" "$hwtype" "$flags" "$hwaddr" "$mask" "$device"
+        fi
+    done
+    echo ""
+}
+
+# Function to get network neighbors information
+get_network_neighbors() {
+    print_2title "Networks and neighbours"
+
+    # Get routing information
+    print_3title "Routing Information"
+    if [ "$MACPEAS" ]; then
+        # macOS specific
+        if command -v netstat >/dev/null 2>&1; then
+            netstat -rn 2>/dev/null
+        else
+            echo "No routing information available"
+        fi
+    else
+        # Linux systems
+        if command -v ip >/dev/null 2>&1; then
+            ip route 2>/dev/null
+            echo -e "\nNeighbor table:"
+            ip neigh 2>/dev/null
+        elif command -v route >/dev/null 2>&1; then
+            route -n 2>/dev/null
+        elif [ -f "/proc/net/route" ]; then
+            parse_proc_route
+        else
+            echo "No routing information available"
+        fi
+    fi
+
+    # Get ARP information
+    print_3title "ARP Information"
+    if command -v arp >/dev/null 2>&1; then
+        if [ "$MACPEAS" ]; then
+            arp -a 2>/dev/null
+        else
+            arp -e 2>/dev/null || arp -a 2>/dev/null
+        fi
+    elif [ -f "/proc/net/arp" ]; then
+        parse_proc_arp
+    else
+        echo "No ARP information available"
+    fi
+
+    # Additional neighbor discovery methods
+    print_3title "Additional Neighbor Information"
+    
+    # Check for IPv6 neighbors if available
+    if [ -f "/proc/net/ipv6_neigh" ]; then
+        echo "IPv6 Neighbors:"
+        cat /proc/net/ipv6_neigh 2>/dev/null | grep -v "^IP" | while read -r line; do
+            if [ -n "$line" ]; then
+                echo "  $line"
+            fi
+        done
+    fi
+
+    # Try to get LLDP neighbors if available
+    if command -v lldpctl >/dev/null 2>&1; then
+        echo -e "\nLLDP Neighbors:"
+        lldpctl 2>/dev/null | grep -A2 "Interface:" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    # Try to get CDP neighbors if available
+    if command -v cdp >/dev/null 2>&1; then
+        echo -e "\nCDP Neighbors:"
+        cdp 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    echo ""
+}
 
 if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Networks and neighbours"
-  if [ "$MACPEAS" ]; then
-    netstat -rn 2>/dev/null
-  else
-    (route || ip n || cat /proc/net/route) 2>/dev/null
-  fi
-  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
-  echo ""
+    get_network_neighbors
 fi

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -5,15 +5,173 @@
 # Description: Enumerate open ports
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables:
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $E, $SED_RED
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
 # Fat linpeas: 0
 # Small linpeas: 1
 
+# Function to get process info from inode
+get_process_info() {
+    local inode=$1
+    local pid=""
+    local program=""
+    
+    if [ -n "$inode" ]; then
+        for pid_dir in /proc/[0-9]*/fd; do
+            if [ -d "$pid_dir" ]; then
+                if ls -l "$pid_dir" 2>/dev/null | grep -q "$inode"; then
+                    pid=$(echo "$pid_dir" | awk -F/ '{print $3}')
+                    if [ -f "/proc/$pid/cmdline" ]; then
+                        program=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
+                        program=$(basename "$program")
+                    fi
+                    break
+                fi
+            fi
+        done
+    fi
+    echo "$pid/$program"
+}
 
-print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
-( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
-echo ""
+# Function to parse /proc/net/tcp and /proc/net/udp files
+parse_proc_net_ports() {
+    local proto=$1
+    local proc_file="/proc/net/$proto"
+    local header="Proto  Recv-Q  Send-Q  Local Address          Foreign Address        State       PID/Program name"
+    local header_sep="--------------------------------------------------------------------------------"
+
+    if [ -f "$proc_file" ]; then
+        print_3title "Active $proto Ports (from /proc/net/$proto)"
+        echo "$header"
+        echo "$header_sep"
+
+        # Process each connection using a pipe
+        tail -n +2 "$proc_file" 2>/dev/null | while IFS= read -r line; do
+            [ -z "$line" ] && continue
+            
+            # Skip header
+            case "$line" in
+                *"sl"*) continue ;;
+                *) : ;;
+            esac
+
+            # Extract fields using awk
+            sl=$(echo "$line" | awk '{print $1}')
+            local_addr=$(echo "$line" | awk '{print $2}')
+            rem_addr=$(echo "$line" | awk '{print $3}')
+            st=$(echo "$line" | awk '{print $4}')
+            tx_queue=$(echo "$line" | awk '{print $5}')
+            rx_queue=$(echo "$line" | awk '{print $6}')
+            uid=$(echo "$line" | awk '{print $7}')
+            inode=$(echo "$line" | awk '{print $10}')
+
+            # Convert hex IP:port to decimal
+            local_ip=$(printf "%d.%d.%d.%d" $(echo "$local_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
+            local_port=$(printf "%d" "0x$(echo "$local_addr" | awk -F: '{print $2}')")
+            rem_ip=$(printf "%d.%d.%d.%d" $(echo "$rem_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
+            rem_port=$(printf "%d" "0x$(echo "$rem_addr" | awk -F: '{print $2}')")
+
+            # Get process information
+            proc_info=$(get_process_info "$inode")
+
+            # Get state name
+            case $st in
+                "01") state="ESTABLISHED" ;;
+                "02") state="SYN_SENT" ;;
+                "03") state="SYN_RECV" ;;
+                "04") state="FIN_WAIT1" ;;
+                "05") state="FIN_WAIT2" ;;
+                "06") state="TIME_WAIT" ;;
+                "07") state="CLOSE" ;;
+                "08") state="CLOSE_WAIT" ;;
+                "09") state="LAST_ACK" ;;
+                "0A") state="LISTEN" ;;
+                "0B") state="CLOSING" ;;
+                "0C") state="NEW_SYN_RECV" ;;
+                *) state="UNKNOWN" ;;
+            esac
+
+            # Only show listening ports
+            if [ "$state" = "LISTEN" ]; then
+                # Format the output
+                printf "%-6s %-8s %-8s %-21s %-21s %-12s %s\n" \
+                    "$proto" "$rx_queue" "$tx_queue" "$local_ip:$local_port" "$rem_ip:$rem_port" "$state" "$proc_info"
+            fi
+        done
+    fi
+    echo ""
+}
+
+# Function to get open ports information
+get_open_ports() {
+    print_2title "Active Ports"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
+
+    # Try standard tools first
+    if command -v netstat >/dev/null 2>&1; then
+        print_3title "Active Ports (netstat)"
+        netstat -punta 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+    elif command -v ss >/dev/null 2>&1; then
+        print_3title "Active Ports (ss)"
+        ss -nltpu 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+    else
+        # Fallback to parsing /proc/net files
+        parse_proc_net_ports "tcp"
+        parse_proc_net_ports "udp"
+    fi
+
+    # Additional port information
+    if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+        print_3title "Additional Port Information"
+
+        # Check for listening ports in /proc/net/unix
+        if [ -f "/proc/net/unix" ]; then
+            echo "Unix Domain Sockets:"
+            # Use awk to process the file in one go, avoiding duplicates and empty paths
+            awk '$8 != "" && $8 != "@" && $8 != "00000000" {
+                inode=$7
+                socket=$8
+                # Find process using inode
+                cmd="find /proc/[0-9]*/fd -ls 2>/dev/null | grep " inode " | head -n1 | awk \"{print \\$11}\" | xargs -r readlink"
+                pid=""
+                while (cmd | getline pid_dir) {
+                    if (pid_dir != "") {
+                        split(pid_dir, parts, "/")
+                        pid=parts[3]
+                        break
+                    }
+                }
+                close(cmd)
+                if (pid != "") {
+                    cmd="tr \\0 \" \" < /proc/" pid "/cmdline 2>/dev/null | cut -d\" \" -f1 | xargs -r basename"
+                    cmd | getline prog
+                    close(cmd)
+                    if (prog != "") {
+                        print "  " socket " (" pid "/" prog ")"
+                    } else {
+                        print "  " socket " (" pid ")"
+                    }
+                } else {
+                    print "  " socket
+                }
+            }' /proc/net/unix 2>/dev/null | sort -u
+        fi
+
+        # Check for ports in use by systemd
+        if command -v systemctl >/dev/null 2>&1; then
+            echo -e "\nSystemd Socket Units:"
+            systemctl list-sockets 2>/dev/null | while IFS= read -r line; do
+                [ -z "$line" ] && continue
+                if ! echo "$line" | grep -q "UNIT\|listed"; then
+                    echo "  $line"
+                fi
+            done
+        fi
+    fi
+
+    echo ""
+}
+
+get_open_ports

linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh

@@ -5,16 +5,84 @@
 # Description: MacOS network Capabilities
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, warn_exec
-# Global Variables: $MACPEAS
+# Functions Used: print_2title, print_3title, warn_exec
+# Global Variables: $MACPEAS, $EXTRA_CHECKS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $net_service
 # Fat linpeas: 0
 # Small linpeas: 0
 
+# Function to get network capabilities information
+get_macos_network_capabilities() {
+    print_2title "Network Capabilities"
+
+    # Basic network information
+    echo ""
+    print_3title "Network Interfaces and Configuration"
+    warn_exec system_profiler SPNetworkDataType
+
+    # Network locations
+    echo ""
+    print_3title "Network Locations"
+    warn_exec system_profiler SPNetworkLocationDataType
+
+    # Network extensions
+    echo ""
+    print_3title "Network Extensions"
+    if [ -d "/Library/SystemExtensions" ]; then
+        warn_exec systemextensionsctl list
+    fi
+
+    # Network security
+    echo ""
+    print_3title "Network Security"
+    if command -v networksetup >/dev/null 2>&1; then
+        echo "Firewall Status:"
+        warn_exec networksetup -getglobalstate
+        echo -e "\nFirewall Rules:"
+        warn_exec networksetup -listallnetworkservices | while read -r net_service; do
+            if [ -n "$net_service" ]; then
+                echo "Service: $net_service"
+                warn_exec networksetup -getwebproxy "$net_service"
+                warn_exec networksetup -getsecurewebproxy "$net_service"
+                warn_exec networksetup -getproxybypassdomains "$net_service"
+            fi
+        done
+    fi
+
+    # Additional network information if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        # Network preferences
+        echo ""
+        print_3title "Network Preferences"
+        if [ -f "/Library/Preferences/SystemConfiguration/preferences.plist" ]; then
+            warn_exec plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -A 5 "NetworkServices"
+        fi
+        
+        # Network statistics
+        echo ""
+        print_3title "Network Statistics"
+        warn_exec netstat -s
+        
+        # Network routes
+        echo ""
+        print_3title "Network Routes"
+        warn_exec netstat -rn
+        
+        # Network interfaces details
+        echo ""
+        print_3title "Network Interfaces Details"
+        warn_exec ifconfig -a
+        
+        # Network kernel extensions
+        echo ""
+        print_3title "Network Kernel Extensions"
+        warn_exec kextstat | grep -i network
+    fi
+
+    echo ""
+}
 
 if [ "$MACPEAS" ]; then
-  print_2title "Network Capabilities"
-  warn_exec system_profiler SPNetworkDataType
-  echo ""
+    get_macos_network_capabilities
 fi

linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh

@@ -5,42 +5,160 @@
 # Description: Enumerate macos network services
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, warn_exec
-# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Functions Used: print_2title, print_3title, warn_exec
+# Global Variables: $EXTRA_CHECKS, $MACPEAS, $E, $SED_RED
 # Initial Functions:
-# Generated Global Variables: $rmMgmt, $scrShrng, $flShrng, $rLgn, $rAE, $bmM
+# Generated Global Variables: $sharing_service, $profile, $port3, $service_count, $port1, $port, $services, $total, $port_list, $count, $ports, $active_ports, $port2
 # Fat linpeas: 0
 # Small linpeas: 0
 
+# Function to check if a port is listening
+check_listening_port() {
+    local port=$1
+    local service=$2
+    local count=0
+    
+    # Check both IPv4 and IPv6
+    count=$(netstat -na 2>/dev/null | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.${port}" | wc -l)
+    echo "$count"
+}
+
+# Function to get sharing services status
+get_sharing_services_status() {
+    print_2title "MacOS Sharing Services Status"
+    
+    # Define services and their ports using parallel arrays
+    services="Screen Sharing File Sharing Remote Login Remote Management Remote Apple Events Back to My Mac AirPlay Receiver AirDrop Bonjour Printer Sharing Internet Sharing"
+    ports="5900 88,445,548 22 3283 3031 4488 7000 5353 5353 515,631 67,68"
+
+    # Check each service
+    echo "Service Status (0=OFF, >0=ON):"
+    echo "--------------------------------"
+    
+    # Get number of services
+    service_count=$(echo "$services" | wc -w)
+    
+    # Loop through services using index
+    i=1
+    while [ $i -le $service_count ]; do
+        sharing_service=$(echo "$services" | cut -d' ' -f$i)
+        port_list=$(echo "$ports" | cut -d' ' -f$i)
+        total=0
+        active_ports=""
+        
+        # Check each port for the service
+        port1=$(echo "$port_list" | cut -d',' -f1)
+        port2=$(echo "$port_list" | cut -d',' -f2)
+        port3=$(echo "$port_list" | cut -d',' -f3)
+        for port in $port1 $port2 $port3; do
+            if [ -n "$port" ]; then
+                count=$(check_listening_port "$port" "$sharing_service")
+                if [ "$count" -gt 0 ]; then
+                    total=$((total + count))
+                    if [ -n "$active_ports" ]; then
+                        active_ports="${active_ports},"
+                    fi
+                    active_ports="${active_ports}${port}"
+                fi
+            fi
+        done
+        
+        # Print service status
+        if [ "$total" -gt 0 ]; then
+            printf "%-20s: ON  (Ports: %s)\n" "$sharing_service" "$active_ports" | sed -${E} "s,ON.*,${SED_RED},g"
+        else
+            printf "%-20s: OFF\n" "$sharing_service"
+        fi
+        
+        i=$((i + 1))
+    done
+    echo ""
+}
+
+# Function to get VPN information
+get_vpn_info() {
+    print_3title "VPN Information"
+    
+    # Get VPN configurations
+    warn_exec system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},g"
+    
+    # Check for VPN profiles
+    if [ -d "/Library/Preferences/SystemConfiguration" ]; then
+        echo -e "\nVPN Profiles:"
+        find /Library/Preferences/SystemConfiguration -name "*.plist" -exec grep -l "VPN" {} \; 2>/dev/null | while read -r profile; do
+            echo "Profile: $profile"
+            warn_exec plutil -p "$profile" | grep -A 5 "VPN"
+        done
+    fi
+    echo ""
+}
+
+# Function to get firewall information
+get_firewall_info() {
+    print_3title "Firewall Information"
+    
+    # Get firewall status
+    warn_exec system_profiler SPFirewallDataType
+    
+    # Get application firewall rules
+    if command -v /usr/libexec/ApplicationFirewall/socketfilterfw >/dev/null 2>&1; then
+        echo -e "\nApplication Firewall Rules:"
+        warn_exec /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
+    fi
+    
+    # Get pf firewall rules if available
+    if command -v pfctl >/dev/null 2>&1; then
+        echo -e "\nPF Firewall Rules:"
+        warn_exec pfctl -s rules 2>/dev/null
+    fi
+    echo ""
+}
+
+# Function to get additional network information
+get_additional_network_info() {
+    if [ "$EXTRA_CHECKS" ]; then
+        print_3title "Additional Network Information"
+        
+        # Bluetooth information
+        echo "Bluetooth Status:"
+        warn_exec system_profiler SPBluetoothDataType
+        
+        # Ethernet information
+        echo -e "\nEthernet Status:"
+        warn_exec system_profiler SPEthernetDataType
+        
+        # USB network adapters
+        echo -e "\nUSB Network Adapters:"
+        warn_exec system_profiler SPUSBDataType
+        
+        # Network kernel extensions
+        echo -e "\nNetwork Kernel Extensions:"
+        warn_exec kextstat | grep -i "network\|ethernet\|wifi\|bluetooth"
+        
+        # Network daemons
+        echo -e "\nNetwork Daemons:"
+        warn_exec launchctl list | grep -i "network\|vpn\|firewall\|sharing"
+    fi
+    echo ""
+}
+
+# Main function to get all network services information
+get_macos_network_services() {
+    if [ "$MACPEAS" ]; then
+        # Get sharing services status
+        get_sharing_services_status
+        
+        # Get VPN information
+        get_vpn_info
+        
+        # Get firewall information
+        get_firewall_info
+        
+        # Get additional network information if EXTRA_CHECKS is enabled
+        get_additional_network_info
+    fi
+}
 
 if [ "$MACPEAS" ]; then
-  print_2title "Any MacOS Sharing Service Enabled?"
-  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
-  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
-  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
-  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
-  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
-  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
-  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
-  echo ""
-  print_2title "VPN Creds"
-  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
-  echo ""
-  print_2title "Firewall status"
-  warn_exec system_profiler SPFirewallDataType
-  echo ""
-
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Bluetooth Info"
-    warn_exec system_profiler SPBluetoothDataType
-    echo ""
-
-    print_2title "Ethernet Info"
-    warn_exec system_profiler SPEthernetDataType
-    echo ""
-
-    print_2title "USB Info"
-    warn_exec system_profiler SPUSBDataType
-    echo ""
-  fi
+    get_macos_network_services
 fi

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -1,23 +1,168 @@
-# Title: Network Information - Tcpdump
+# Title: Network Information - Network Traffic Analysis
 # ID: NT_Tcpdump
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Can I sniff with tcpdump?
+# Description: Check network traffic analysis capabilities and tools
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_no, print_2title, print_info
-# Global Variables:
+# Functions Used: print_2title, print_3title, print_info, warn_exec
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
 # Fat linpeas: 0
 # Small linpeas: 1
 
+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}
 
-print_2title "Can I sniff with tcpdump?"
-timeout 1 tcpdump >/dev/null 2>&1
-if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
-    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
-else echo_no
-fi
-echo ""
+# Function to check if we can sniff on an interface
+check_interface_sniffable() {
+    local iface=$1
+    if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
+        return 0
+    fi
+    return 1
+}
+
+# Function to check for promiscuous mode
+check_promiscuous_mode() {
+    local iface=$1
+    if ip link show "$iface" 2>/dev/null | grep -q "PROMISC"; then
+        return 0
+    fi
+    return 1
+}
+
+# Main function to check network traffic analysis capabilities
+check_network_traffic_analysis() {
+    print_2title "Network Traffic Analysis Capabilities"
+    
+    # Check for sniffing tools
+    echo ""
+    print_3title "Available Sniffing Tools"
+    tools_found=0
+    
+    if check_command tcpdump; then
+        echo "tcpdump is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        # Check tcpdump version and capabilities
+        warn_exec tcpdump --version 2>/dev/null | head -n 1
+    fi
+    
+    if check_command tshark; then
+        echo "tshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        # Check tshark version
+        warn_exec tshark --version 2>/dev/null | head -n 1
+    fi
+    
+    if check_command wireshark; then
+        echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
+    
+    if [ $tools_found -eq 0 ]; then
+        echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check network interfaces
+    echo ""
+    print_3title "Network Interfaces Sniffing Capabilities"
+    interfaces_found=0
+    
+    # Get list of network interfaces
+    if command -v ip >/dev/null 2>&1; then
+        interfaces=$(ip -o link show | awk -F': ' '{print $2}')
+    elif command -v ifconfig >/dev/null 2>&1; then
+        interfaces=$(ifconfig -a | grep -o '^[^ ]*:' | tr -d ':')
+    else
+        interfaces=$(ls /sys/class/net/ 2>/dev/null)
+    fi
+    
+    for iface in $interfaces; do
+        if [ "$iface" != "lo" ]; then  # Skip loopback
+            echo -n "Interface $iface: "
+            if check_interface_sniffable "$iface"; then
+                echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
+                interfaces_found=1
+                
+                # Check promiscuous mode
+                if check_promiscuous_mode "$iface"; then
+                    echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
+                fi
+                
+                # Get interface details
+                if [ "$EXTRA_CHECKS" ]; then
+                    echo "  - Interface details:"
+                    warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
+                fi
+            else
+                echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+        fi
+    done
+    
+    if [ $interfaces_found -eq 0 ]; then
+        echo "No sniffable interfaces found" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check for sensitive traffic patterns if we have sniffing capabilities
+    if [ $tools_found -eq 1 ] && [ $interfaces_found -eq 1 ]; then
+        echo ""
+        print_3title "Sensitive Traffic Detection"
+        print_info "Checking for common sensitive traffic patterns..."
+        
+        # List of sensitive traffic patterns to check
+        patterns="
+            - HTTP Basic Auth
+            - FTP credentials
+            - SMTP credentials
+            - MySQL/MariaDB traffic
+            - PostgreSQL traffic
+            - Redis traffic
+            - MongoDB traffic
+            - LDAP traffic
+            - SMB traffic
+            - DNS queries
+            - SNMP traffic
+            - Many more...
+        "
+        
+        echo "$patterns" | while read -r pattern; do
+            if [ -n "$pattern" ]; then
+                echo "$pattern"
+            fi
+        done
+        
+        print_info "To capture sensitive traffic, you can use:"
+        echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+        echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+    fi
+    
+    # Additional information
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Network Analysis Information"
+        
+        # Check for network monitoring tools
+        echo "Checking for network monitoring tools..."
+        for tool in nethogs iftop iotop nload bmon; do
+            if check_command "$tool"; then
+                echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+check_network_traffic_analysis

linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh

@@ -1,20 +1,210 @@
-# Title: Network Information - Iptables
+# Title: Network Information - Firewall Rules Analysis
 # ID: NT_Iptables
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Enumerate iptables rules
+# Description: Analyze firewall rules and configurations
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: $EXTRA_CHECKS
+# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}
 
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Iptables rules"
-  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
-  echo ""
-fi
+# Function to analyze iptables rules
+analyze_iptables() {
+    echo ""
+    print_3title "Iptables Rules"
+    
+    # Check if iptables is available
+    if ! check_command iptables; then
+        echo_not_found "iptables"
+        return
+    fi
+    
+    # Check if we have permission to list rules
+    if ! timeout 1 iptables -L >/dev/null 2>&1; then
+        echo "No permission to list iptables rules" | sed -${E} "s,.*,${SED_RED},g"
+        return
+    fi
+    
+    # Get iptables version
+    warn_exec iptables --version 2>/dev/null
+    
+    # List all chains and rules
+    echo -e "\nFilter Table Rules:"
+    warn_exec iptables -L -v -n 2>/dev/null
+    
+    echo -e "\nNAT Table Rules:"
+    warn_exec iptables -t nat -L -v -n 2>/dev/null
+    
+    echo -e "\nMangle Table Rules:"
+    warn_exec iptables -t mangle -L -v -n 2>/dev/null
+    
+    # Check for custom chains
+    echo -e "\nCustom Chains:"
+    warn_exec iptables -L -v -n | grep -E "^Chain [A-Za-z]" | grep -v "INPUT\|OUTPUT\|FORWARD\|PREROUTING\|POSTROUTING" 2>/dev/null
+    
+    # Check for saved rules
+    echo -e "\nSaved Rules:"
+    for rules_file in /etc/iptables/* /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/iptables-save /etc/iptables.save; do
+        if [ -f "$rules_file" ]; then
+            echo "Found rules in $rules_file:"
+            warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze nftables rules
+analyze_nftables() {
+    echo ""
+    print_3title "Nftables Rules"
+    
+    # Check if nft is available
+    if ! check_command nft; then
+        echo_not_found "nftables"
+        return
+    fi
+    
+    # Check if we have permission to list rules
+    if ! timeout 1 nft list ruleset >/dev/null 2>&1; then
+        echo "No permission to list nftables rules" | sed -${E} "s,.*,${SED_RED},g"
+        return
+    fi
+    
+    # Get nftables version
+    warn_exec nft --version 2>/dev/null
+    
+    # List all rules
+    echo -e "\nNftables Ruleset:"
+    warn_exec nft list ruleset 2>/dev/null
+    
+    # Check for saved rules
+    echo -e "\nSaved Rules:"
+    for rules_file in /etc/nftables.conf /etc/sysconfig/nftables.conf; do
+        if [ -f "$rules_file" ]; then
+            echo "Found rules in $rules_file:"
+            warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze firewalld rules
+analyze_firewalld() {
+    echo ""
+    print_3title "Firewalld Rules"
+    
+    # Check if firewall-cmd is available
+    if ! check_command firewall-cmd; then
+        echo_not_found "firewalld"
+        return
+    fi
+    
+    # Check if firewalld is running
+    if ! systemctl is-active firewalld >/dev/null 2>&1; then
+        echo "Firewalld is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+        return
+    fi
+    
+    # Get firewalld version
+    warn_exec firewall-cmd --version 2>/dev/null
+    
+    # List all zones
+    echo -e "\nFirewalld Zones:"
+    warn_exec firewall-cmd --list-all-zones 2>/dev/null
+    
+    # List active zones
+    echo -e "\nActive Zones:"
+    warn_exec firewall-cmd --get-active-zones 2>/dev/null
+    
+    # List services
+    echo -e "\nAvailable Services:"
+    warn_exec firewall-cmd --list-services 2>/dev/null
+    
+    # List ports
+    echo -e "\nOpen Ports:"
+    warn_exec firewall-cmd --list-ports 2>/dev/null
+    
+    # List rich rules
+    echo -e "\nRich Rules:"
+    warn_exec firewall-cmd --list-rich-rules 2>/dev/null
+}
+
+# Function to analyze UFW rules
+analyze_ufw() {
+    echo ""
+    print_3title "UFW Rules"
+    
+    # Check if ufw is available
+    if ! check_command ufw; then
+        echo_not_found "ufw"
+        return
+    fi
+    
+    # Check if UFW is running
+    if ! ufw status >/dev/null 2>&1; then
+        echo "UFW is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+        return
+    fi
+    
+    # Get UFW version
+    warn_exec ufw version 2>/dev/null
+    
+    # List rules
+    echo -e "\nUFW Rules:"
+    warn_exec ufw status verbose 2>/dev/null
+    
+    # List numbered rules
+    echo -e "\nNumbered Rules:"
+    warn_exec ufw status numbered 2>/dev/null
+}
+
+# Main function to analyze firewall rules
+analyze_firewall_rules() {
+    print_2title "Firewall Rules Analysis"
+    
+    # Analyze different firewall systems
+    analyze_iptables
+    analyze_nftables
+    analyze_firewalld
+    analyze_ufw
+    
+    # Additional checks if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Firewall Information"
+        
+        # Check for common firewall configuration files
+        echo "Checking for firewall configuration files..."
+        for config_file in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/nftables.conf /etc/ufw/user.rules /etc/ufw/user6.rules; do
+            if [ -f "$config_file" ]; then
+                echo "Found configuration file: $config_file" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+        
+        # Check for firewall management tools
+        echo -e "\nChecking for firewall management tools..."
+        for tool in shorewall shorewall6 ferm; do
+            if check_command "$tool"; then
+                echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+analyze_firewall_rules

linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh

@@ -1,20 +1,192 @@
-# Title: Network Information - Inetconf
+# Title: Network Information - Inetd/Xinetd Services Analysis
 # ID: NT_Inetdconf
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Check content of /etc/inetd.conf & /etc/xinetd.conf
+# Description: Analyze inetd and xinetd services and configurations
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title 
-# Global Variables: $EXTRA_CHECKS
+# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $inetd_service, $log_file, $cmd, $service_name, $conf_file, $service_dir, $service_file, $inetd_file
 # Fat linpeas: 0
 # Small linpeas: 0
 
+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}
 
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
-  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
-  echo ""
-fi
+# Function to analyze inetd services
+analyze_inetd() {
+    echo ""
+    print_3title "Inetd Services"
+    
+    # Check if inetd is installed
+    if ! check_command inetd; then
+        echo_not_found "inetd"
+        return
+    fi
+    
+    # Check if inetd is running
+    if ! pgrep -x inetd >/dev/null 2>&1; then
+        echo "inetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+    fi
+    
+    # Get inetd version
+    warn_exec inetd -v 2>/dev/null
+    
+    # Check main configuration file
+    if [ -f "/etc/inetd.conf" ]; then
+        echo -e "\nInetd Configuration (/etc/inetd.conf):"
+        warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        
+        # Check for potentially dangerous services
+        echo -e "\nPotentially Dangerous Services:"
+        warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" | grep -iE "shell|login|exec|rsh|rlogin|rexec|finger|telnet|ftp|tftp" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+    else
+        echo_not_found "/etc/inetd.conf"
+    fi
+    
+    # Check for additional configuration files
+    echo -e "\nAdditional Inetd Configuration Files:"
+    for conf_file in /etc/inetd.d/* /etc/inet/*.conf; do
+        if [ -f "$conf_file" ]; then
+            echo "Found configuration in $conf_file:"
+            warn_exec cat "$conf_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze xinetd services
+analyze_xinetd() {
+    echo ""
+    print_3title "Xinetd Services"
+    
+    # Check if xinetd is installed
+    if ! check_command xinetd; then
+        echo_not_found "xinetd"
+        return
+    fi
+    
+    # Check if xinetd is running
+    if ! pgrep -x xinetd >/dev/null 2>&1; then
+        echo "xinetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+    fi
+    
+    # Get xinetd version
+    warn_exec xinetd -version 2>/dev/null
+    
+    # Check main configuration file
+    if [ -f "/etc/xinetd.conf" ]; then
+        echo -e "\nXinetd Configuration (/etc/xinetd.conf):"
+        warn_exec cat /etc/xinetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        
+        # Check for included configurations
+        echo -e "\nIncluded Configurations:"
+        warn_exec grep -r "includedir" /etc/xinetd.conf 2>/dev/null
+    else
+        echo_not_found "/etc/xinetd.conf"
+    fi
+    
+    # Check for service-specific configurations
+    echo -e "\nService Configurations:"
+    for service_dir in /etc/xinetd.d/ /etc/xinetd/; do
+        if [ -d "$service_dir" ]; then
+            echo "Services in $service_dir:"
+            for service_file in "$service_dir"/*; do
+                if [ -f "$service_file" ]; then
+                    service_name=$(basename "$service_file")
+                    echo -e "\nService: $service_name"
+                    # Check if service is enabled
+                    if grep -q "disable.*=.*no" "$service_file" 2>/dev/null; then
+                        echo "Status: Enabled" | sed -${E} "s,.*,${SED_RED},g"
+                    else
+                        echo "Status: Disabled"
+                    fi
+                    # Show service configuration
+                    warn_exec cat "$service_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+                    
+                    # Check for potentially dangerous configurations
+                    if grep -qiE "server.*=.*/bin/|server.*=.*/sbin/|server.*=.*/usr/bin/|server.*=.*/usr/sbin/" "$service_file" 2>/dev/null; then
+                        echo "Warning: Service uses system binaries" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                    if grep -qiE "user.*=.*root|user.*=.*0" "$service_file" 2>/dev/null; then
+                        echo "Warning: Service runs as root" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                fi
+            done
+        fi
+    done
+}
+
+# Function to check for running inetd/xinetd services
+check_running_services() {
+    echo ""
+    print_3title "Running Inetd/Xinetd Services"
+    
+    # Check netstat for services
+    if check_command netstat; then
+        echo "Active Services (from netstat):"
+        warn_exec netstat -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check ss for services
+    if check_command ss; then
+        echo -e "\nActive Services (from ss):"
+        warn_exec ss -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check for service processes
+    echo -e "\nRunning Service Processes:"
+    for inetd_service in $(pgrep -l inetd 2>/dev/null; pgrep -l xinetd 2>/dev/null); do
+        echo "$inetd_service" | sed -${E} "s,.*,${SED_RED},g"
+    done
+}
+
+# Main function to analyze inetd/xinetd services
+analyze_inetd_services() {
+    print_2title "Inetd/Xinetd Services Analysis"
+    
+    # Analyze inetd and xinetd services
+    analyze_inetd
+    analyze_xinetd
+    
+    # Check for running services
+    check_running_services
+    
+    # Additional checks if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Inetd/Xinetd Information"
+        
+        # Check for inetd/xinetd logs
+        echo "Checking for service logs..."
+        for log_file in /var/log/inetd.log /var/log/xinetd.log /var/log/messages /var/log/syslog; do
+            if [ -f "$log_file" ]; then
+                echo "Found log file: $log_file" | sed -${E} "s,.*,${SED_GREEN},g"
+                warn_exec tail -n 20 "$log_file" | grep -iE "inetd|xinetd" 2>/dev/null
+            fi
+        done
+        
+        # Check for inetd/xinetd related files
+        echo -e "\nChecking for related files..."
+        for file in /etc/init.d/inetd /etc/init.d/xinetd /etc/default/inetd /etc/default/xinetd; do
+            if [ -f "$inetd_file" ]; then
+                echo "Found file: $inetd_file" | sed -${E} "s,.*,${SED_GREEN},g"
+                warn_exec cat "$inetd_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+analyze_inetd_services

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -2,18 +2,59 @@
 # ID: UG_Pkexec
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Check Pkexec policy
+# Description: Check Pkexec policy and related files for privilege escalation
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $Groups, $groupsB, $groupsVB,$nosh_usrs, $sh_usrs, $USER
+# Functions Used: print_2title, print_info
+# Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
-(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
+print_2title "Checking Pkexec and Polkit"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
+
+echo ""
+print_3title "Polkit Binary"
+# Check pkexec binary
+pkexec_bin=$(command -v pkexec 2>/dev/null)
+if [ -n "$pkexec_bin" ]; then
+  echo "Pkexec binary found at: $pkexec_bin" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  if [ -u "$pkexec_bin" ]; then
+    echo "Pkexec binary has SUID bit set!" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  ls -l "$pkexec_bin" 2>/dev/null
+  
+  # Check polkit version for known vulnerabilities
+  if command -v pkexec >/dev/null 2>&1; then
+    pkexec --version 2>/dev/null
+  fi
+fi
+
+# Check polkit policies
+echo ""
+print_3title "Polkit Policies"
+for policy_dir in "/etc/polkit-1/localauthority.conf.d/" "/etc/polkit-1/rules.d/" "/usr/share/polkit-1/rules.d/"; do
+  if [ -d "$policy_dir" ]; then
+    echo "Checking $policy_dir:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    if [ -w "$policy_dir" ]; then
+      echo "WARNING: $policy_dir is writable!" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    for policy_file in "$policy_dir"/*; do
+      if [ -f "$policy_file" ]; then
+        if [ -w "$policy_file" ]; then
+          echo "WARNING: $policy_file is writable!" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+        cat "$policy_file" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$Groups,${SED_RED},g"
+      fi
+    done
+  fi
+done
+
+# Check for polkit authentication agent
+echo ""
+print_3title "Polkit Authentication Agent"
+ps aux 2>/dev/null | grep -i "polkit" | grep -v "grep"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh

@@ -2,17 +2,36 @@
 # ID: UG_Superusers
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Superusers
+# Description: Check for superusers and users with UID 0
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
-# Global Variables:$knw_usrs ,$nosh_usrs,$sh_usrs, $USER
+# Functions Used: print_2title, print_info
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $group
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-print_2title "Superusers"
-awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
+print_2title "Superusers and UID 0 Users"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html"
+
+# Check /etc/passwd for UID 0 users
+echo ""
+print_3title "Users with UID 0 in /etc/passwd"
+awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
+
+if [ command -v getent >/dev/null 2>&1 ]; then
+    for group in sudo wheel adm docker lxd lxc root shadow disk video; do
+        if getent group "$group" >/dev/null 2>&1; then
+            echo "- Users in group '$group':"
+            getent group "$group" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_RED},g"
+        fi
+    done
+fi
+
+# Check for users with sudo privileges in sudoers
+echo ""
+print_3title "Users with sudo privileges in sudoers"
+grep -v "^#" /etc/sudoers 2>/dev/null | grep -v "^$" | grep -v "^Defaults" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh

@@ -2,7 +2,7 @@
 # ID: UG_Login_now
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Login now
+# Description: Check currently logged in users and their sessions
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@@ -13,6 +13,45 @@
 # Small linpeas: 1
 
 
-print_2title "Login now"
-(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+print_2title "Currently Logged in Users"
+
+# Check basic user information
+echo ""
+print_3title "Basic user information"
+(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+
+# Check for active sessions
+echo ""
+print_3title "Active sessions"
+if command -v w >/dev/null 2>&1; then
+  w 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for logged in users via utmp
+echo ""
+print_3title "Logged in users (utmp)"
+if [ -f "/var/run/utmp" ]; then
+  who -a 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for SSH sessions
+echo ""
+print_3title "SSH sessions"
+if command -v ss >/dev/null 2>&1; then
+  ss -tnp | grep ":22" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for screen sessions
+echo ""
+print_3title "Screen sessions"
+if command -v screen >/dev/null 2>&1; then
+  screen -ls 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for tmux sessions
+echo ""
+print_3title "Tmux sessions"
+if command -v tmux >/dev/null 2>&1; then
+  tmux list-sessions 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh

@@ -2,17 +2,54 @@
 # ID: UG_Last_logons
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Last logons
+# Description: Check last logons and login history
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
 # Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $EXISTS_FINGER, $ushell
 # Fat linpeas: 0
-# Small linpeas: 0
+# Small linpeas: 1
 
+print_2title "Last Logons and Login History"
 
-print_2title "Last logons"
-(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+# Check last logins
 echo ""
+print_3title "Last logins"
+if command -v last >/dev/null 2>&1; then
+  last -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check failed login attempts
+echo ""
+print_3title "Failed login attempts"
+if command -v lastb >/dev/null 2>&1; then
+  lastb -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check auth logs for recent logins
+echo ""
+print_3title "Recent logins from auth.log (limit 20)"
+if [ -f "/var/log/auth.log" ]; then
+  grep -i "login\|authentication\|accepted" /var/log/auth.log 2>/dev/null | tail -n 20 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Last time logon each user
+echo ""
+if command -v lastlog >/dev/null 2>&1; then
+  print_3title "Last time logon each user"
+  lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+fi
+
+EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
+if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+fi
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh

@@ -1,29 +0,0 @@
-# Title: Users Information - Login info
-# ID: UG_Login_info
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Last time logon each user
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title
-# Global Variables: $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: EXISTS_FINGER, ushell
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-print_2title "Last time logon each user"
-lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-
-EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
-if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
-  dscl . list /Users | while read un; do
-    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
-    if grep -q "$ushell" /etc/shells; then #Shell user
-      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-      echo ""
-    fi
-  done
-fi
-echo ""

linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
 (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh

@@ -8,15 +8,18 @@
 # Functions Used: print_2title
 # Global Variables: $MACPEAS 
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_home
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
 if [ "$MACPEAS" ];then
   print_2title "All Login and Logout hooks"
-  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
-  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+  for user_home in /Users/*/ /private/var/root/; do
+    if [ -f "${user_home}Library/Preferences/com.apple.loginwindow.plist" ]; then
+      echo "User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+      defaults read "${user_home}Library/Preferences/com.apple.loginwindow.plist" 2>/dev/null | grep -e "Hook" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+  done
   echo ""
-
 fi

linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh

@@ -1,21 +1,29 @@
-# Title: Users Information - Macos systemKey
+# Title: Users Information - MacOS Keychains
 # ID: UG_Macos_keychains
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Get macOS systemKey
+# Description: Get macOS keychains information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
+# Functions Used: print_2title, print_info
 # Global Variables: $MACPEAS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_home
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
 if [ "$MACPEAS" ];then
   print_2title "Keychains"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
-  security list-keychains
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
+  echo "System Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  security list-keychains 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+  echo -e "\nUser Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  for user_home in /Users/*/; do
+    if [ -d "${user_home}Library/Keychains" ]; then
+      echo "- User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+      ls -la "${user_home}Library/Keychains/" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
   echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh

@@ -1,8 +1,8 @@
-# Title: Users Information - Macos systemKey
+# Title: Users Information - MacOS SystemKey
 # ID: UG_Macos_systemkey
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Get macOS systemKey
+# Description: Get macOS SystemKey information (used for FileVault encryption)
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@@ -15,10 +15,14 @@
 
 if [ "$MACPEAS" ];then
   print_2title "SystemKey"
-  ls -l /var/db/SystemKey
+  echo "The SystemKey is used by FileVault to encrypt/decrypt the volume. If you can read it, you might be able to decrypt the disk."
+  echo -e "\nSystemKey file permissions:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  ls -l /var/db/SystemKey 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  
   if [ -r "/var/db/SystemKey" ]; then
-    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
-    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    echo -e "\nWARNING: You can read /var/db/SystemKey!" | sed -${E} "s,.*,${SED_RED},g"
+    echo "SystemKey content (first 24 bytes after header):" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},g"
   fi
   echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh

@@ -2,21 +2,48 @@
 # ID: UG_Pgp_keys
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: PGP keys
+# Description: Check for PGP keys and related files that might contain sensitive information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: 
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $HOME
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pgp_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-print_2title "Do I have PGP keys?"
-command -v gpg 2>/dev/null || echo_not_found "gpg"
-gpg --list-keys 2>/dev/null
-command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
-netpgpkeys --list-keys 2>/dev/null
-command -v netpgp 2>/dev/null || echo_not_found "netpgp"
+print_2title "PGP Keys and Related Files"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys"
+
+# Check for GPG
+echo "GPG:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+if command -v gpg >/dev/null 2>&1; then
+  echo "GPG is installed, listing keys:"
+  gpg --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+  # Check for private keys
+  gpg --list-secret-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+else
+  echo_not_found "gpg"
+fi
+
+# Check for NetPGP
+echo -e "\nNetPGP:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+if command -v netpgpkeys >/dev/null 2>&1; then
+  echo "NetPGP is installed" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  netpgpkeys --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo_not_found "netpgpkeys"
+fi
+
+# Check for common PGP files
+echo -e "\nPGP Related Files:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+for pgp_file in "$HOME/.gnupg" "$HOME/.pgp" "$HOME/.openpgp" "$HOME/.ssh/gpg-agent.conf" "$HOME/.config/gpg"; do
+  if [ -e "$pgp_file" ]; then
+    echo "Found: $pgp_file"
+    if [ -d "$pgp_file" ]; then
+      ls -la "$pgp_file" 2>/dev/null
+    fi
+  fi
+done
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh

@@ -2,28 +2,52 @@
 # ID: UG_Clipboard_highlighted_text
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Clipboard and highlighted text
+# Description: Check clipboard and highlighted text for sensitive information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
+# Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $DEBUG, $pwd_inside_history
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $content
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
-  print_2title "Clipboard or highlighted text?"
+if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+  print_2title "Clipboard and Highlighted Text"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#clipboard"
+
+  # Function to check clipboard content
+  check_clipboard() {
+    local content="$1"
+    if [ -n "$content" ]; then
+      echo "$content" | sed -${E} "s,$pwd_inside_history,${SED_RED},g" | sed -${E} "s,(password|passwd|pwd).*=.*,${SED_RED},g" | sed -${E} "s,(token|key|secret).*=.*,${SED_RED},g"
+    fi
+  }
+
+  # Check different clipboard tools
   if [ "$(command -v xclip 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Using xclip:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xclip -o -selection clipboard 2>/dev/null)"
+    echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xclip -o 2>/dev/null)"
   elif [ "$(command -v xsel 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Using xsel:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xsel -ob 2>/dev/null)"
+    echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xsel -o 2>/dev/null)"
   elif [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-  else echo_not_found "xsel and xclip"
+    echo "Using pbpaste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(pbpaste 2>/dev/null)"
+  elif [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ]; then
+    echo "Using wl-paste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(wl-paste 2>/dev/null)"
+  else
+    echo_not_found "clipboard tools (xclip, xsel, pbpaste, wl-paste)"
   fi
   echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens"
 ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
 if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
   echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";

linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh

@@ -2,23 +2,54 @@
 # ID: UG_Doas
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Checking doas.conf
+# Description: Check doas configuration and permissions for privilege escalation
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: $DEBUG, $nosh_usrs,  $sh_usrs, $USER
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $DEBUG, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $doas_dir_name
+# Generated Global Variables: $doas_dir_name, $doas_bin, $conf_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
-  print_2title "Checking doas.conf"
-  doas_dir_name=$(dirname "$(command -v doas || echo -n '')" 2>/dev/null)
-  if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
-    cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
-  else echo_not_found "doas.conf"
+if [ -f "/etc/doas.conf" ] || [ -f "/usr/local/etc/doas.conf" ] || [ "$DEBUG" ]; then
+  print_2title "Doas Configuration"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#doas"
+
+  # Find doas binary and its config locations
+  doas_bin=$(command -v doas 2>/dev/null)
+  if [ -n "$doas_bin" ]; then
+    doas_dir_name=$(dirname "$doas_bin")
+    echo "Doas binary found at: $doas_bin" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    
+    # Check doas binary permissions
+    if [ -u "$doas_bin" ]; then
+      echo "Doas binary has SUID bit set!" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    ls -l "$doas_bin" 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
   fi
-  echo ""
-fi
+
+  # Check all possible doas.conf locations
+  echo -e "\nChecking doas.conf files:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  for conf_file in "/etc/doas.conf" "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" "/usr/local/etc/doas.conf"; do
+    if [ -f "$conf_file" ]; then
+      echo "Found: $conf_file" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+      if [ -w "$conf_file" ]; then
+        echo "WARNING: $conf_file is writable!" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+      cat "$conf_file" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED},g" | sed "s,root,${SED_RED},g" | sed "s,nopass,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed "s,$USER,${SED_RED_YELLOW},g"
+    fi
+  done
+
+  # Check if doas is working
+  if [ -n "$doas_bin" ]; then
+    echo -e "\nTesting doas:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    if $doas_bin -l 2>/dev/null; then
+      echo "doas -l command works!" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+  fi
+else
+  echo_not_found "doas.conf"
+fi
+echo ""

linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   containerd=$(command -v ctr || echo -n '')
   if [ "$containerd" ] || [ "$DEBUG" ]; then
     print_2title "Checking if containerd(ctr) is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation"
     if [ "$containerd" ]; then
       echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
       ctr image list 2>&1

linPEAS/builder/linpeas_parts/7_software_information/Docker.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
   print_2title "Searching docker files (limit 70)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation"
   printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
     ls -l "$f" 2>/dev/null
     if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then

linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
   print_2title "Analyzing kcpassword files"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword"
   printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
     echo "$f" | sed -${E} "s,.*,${SED_RED},"
     base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"

linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh

@@ -18,7 +18,7 @@ klist_exists="$(command -v klist || echo -n '')"
 kinit_exists="$(command -v kinit || echo -n '')"
 if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
   print_2title "Searching kerberos conf files and tickets"
-  print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory"
 
   if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
   if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi

linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS
 # Initial Functions:
-# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass
+# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass, $mysqluser, $version_output, $major_version, $version, $process_info
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -102,4 +102,42 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
   else echo_no
   fi
   echo ""
+fi
+
+### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
+
+# Find the mysqld process
+process_info=$(ps aux | grep '[m]ysqld' | head -n1)
+
+if [ -z "$process_info" ]; then
+  echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
+else
+
+  # Extract the process user
+  mysqluser=$(echo "$process_info" | awk '{print $1}')
+
+  # Get the MySQL version string
+  version_output=$(mysqld --version 2>&1)
+
+  # Extract the version number (expects format like X.Y.Z)
+  version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+  if [ -z "$version" ]; then
+    echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
+  else
+
+    # Extract the major version number (X from X.Y.Z)
+    major_version=$(echo "$version" | cut -d. -f1)
+
+    # Check if MySQL is running as root and if the version is either 4.x or 5.x
+    if [ "$mysqluser" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
+      echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
+      echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
+      echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
+    else
+      echo "MySQL is running as user '$mysqluser' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
+    fi
+    ### ------------------------------------------------------------------------------------------------------------------------------------------------ ###
+  
+  fi
 fi

linPEAS/builder/linpeas_parts/7_software_information/Runc.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   runc=$(command -v runc || echo -n '')
   if [ "$runc" ] || [ "$DEBUG" ]; then
     print_2title "Checking if runc is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation"
     if [ "$runc" ]; then
       echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
     fi

linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh

@@ -15,7 +15,7 @@
 
 if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching screen sessions"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   screensess=$(screen -ls 2>/dev/null)
   screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
   

linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh

@@ -18,7 +18,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
 tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
 if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching tmux sessions"$N
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   tmux -V
   printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
 

linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
   obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
   printf "%s\n" "$obmowbe" | while read l; do

linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting GROUP writable files (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   for g in $(groups); do
     iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
     if [ "$iwfbg" ] || [ "$DEBUG" ]; then

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SUID - Check easy privesc, exploits and write perms"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 if ! [ "$STRINGS" ]; then
   echo_not_found "strings"
 fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SGID"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
   s=$(ls -lahtr "$s")

linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Files with ACLs (limited to 50)"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
 else