Compare commits
22 Commits
20250526-1
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
41128808a6 | ||
|
|
6fd96f4bdb | ||
|
|
a745f00dd7 | ||
|
933e12d7f1 | ||
|
|
4061cef7e8 | ||
|
|
b66ced3c63 | ||
|
|
cde725dacc | ||
|
|
f0f829890c | ||
|
|
99c36b8562 | ||
|
|
a74c6c820f | ||
|
|
53fd4d8dc8 | ||
|
9b37fd4ef4 | ||
|
f27b1d4816 | ||
|
d335b9254f | ||
|
|
d5e3c2a885 | ||
|
|
4af321d138 | ||
|
|
4e556fd594 | ||
|
|
39066f6867 | ||
|
|
c3a93a57fe | ||
|
|
f62d9fc550 | ||
|
|
11e9b8dde6 | ||
|
b9a9ad5ddf |
@ -33,7 +33,7 @@ if __name__ == "__main__":
|
||||
parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
|
||||
parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
|
||||
parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
|
||||
parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
|
||||
parser.add_argument('--output', required=True, type=str, help='Path to write the final linpeas file to.')
|
||||
args = parser.parse_args()
|
||||
|
||||
all_modules = args.all
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
# Functions Used: print_2title
|
||||
# Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass
|
||||
# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass, $mysqluser, $version_output, $major_version, $version, $process_info
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@ -102,4 +102,42 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
|
||||
else echo_no
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
|
||||
|
||||
# Find the mysqld process
|
||||
process_info=$(ps aux | grep '[m]ysqld' | head -n1)
|
||||
|
||||
if [ -z "$process_info" ]; then
|
||||
echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
|
||||
else
|
||||
|
||||
# Extract the process user
|
||||
mysqluser=$(echo "$process_info" | awk '{print $1}')
|
||||
|
||||
# Get the MySQL version string
|
||||
version_output=$(mysqld --version 2>&1)
|
||||
|
||||
# Extract the version number (expects format like X.Y.Z)
|
||||
version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
|
||||
|
||||
if [ -z "$version" ]; then
|
||||
echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
|
||||
else
|
||||
|
||||
# Extract the major version number (X from X.Y.Z)
|
||||
major_version=$(echo "$version" | cut -d. -f1)
|
||||
|
||||
# Check if MySQL is running as root and if the version is either 4.x or 5.x
|
||||
if [ "$mysqluser" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
|
||||
echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
|
||||
echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
|
||||
echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
|
||||
else
|
||||
echo "MySQL is running as user '$mysqluser' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
|
||||
fi
|
||||
### ------------------------------------------------------------------------------------------------------------------------------------------------ ###
|
||||
|
||||
fi
|
||||
fi
|
||||
@ -13,4 +13,4 @@
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
NoEnvVars="LESS_TERMCAP|JOURNAL_STREAM|XDG_SESSION|DBUS_SESSION|systemd\/sessions|systemd_exec|MEMORY_PRESSURE_WATCH|RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_"
|
||||
NoEnvVars="LESS_TERMCAP|JOURNAL_STREAM|XDG_SESSION|DBUS_SESSION|systemd\/sessions|systemd_exec|MEMORY_PRESSURE_WATCH|RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_|^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID="
|
||||
|
||||
@ -292,9 +292,12 @@ class LinpeasBaseBuilder:
|
||||
all_module_paths += self.enumerate_directory(LINPEAS_PARTS["variables"])
|
||||
|
||||
for module in LINPEAS_PARTS["modules"]:
|
||||
exclude = False
|
||||
for ex_module in exclude_modules:
|
||||
if ex_module in module["folder_path"] or ex_module in [module["name"], module["name_check"]]:
|
||||
continue
|
||||
exclude = True
|
||||
break
|
||||
if exclude: continue
|
||||
all_module_paths += self.enumerate_directory(module["folder_path"])
|
||||
|
||||
for module in all_module_paths:
|
||||
|
||||
@ -97,7 +97,7 @@ class LinpeasBuilder:
|
||||
for orig_url in urls:
|
||||
tar_gz_bin_name = ""
|
||||
if ",,," in orig_url:
|
||||
tar_gz_bin_name = url.split(",,,")[1]
|
||||
tar_gz_bin_name = orig_url.split(",,,")[1]
|
||||
url = orig_url.split(",,,")[0]
|
||||
else:
|
||||
url = orig_url
|
||||
@ -402,9 +402,9 @@ class LinpeasBuilder:
|
||||
|
||||
|
||||
def __replace_mark(self, mark: str, find_calls: list, join_char: str):
|
||||
"""Substitude the markup with the actual code"""
|
||||
|
||||
self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
|
||||
"""Substitute the markup with the actual code"""
|
||||
|
||||
self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char isn't needed
|
||||
|
||||
def write_linpeas(self, path):
|
||||
"""Write on disk the final linpeas"""
|
||||
|
||||
@ -106,8 +106,6 @@ def parse_line(line: str):
|
||||
|
||||
global FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION
|
||||
|
||||
if "Cron jobs" in line:
|
||||
a=1
|
||||
|
||||
if is_section(line, TITLE1_PATTERN):
|
||||
title = parse_title(line)
|
||||
@ -145,17 +143,26 @@ def parse_line(line: str):
|
||||
|
||||
|
||||
def parse_peass(outputpath: str, jsonpath: str = ""):
|
||||
global OUTPUT_PATH, JSON_PATH
|
||||
global OUTPUT_PATH, JSON_PATH, FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION
|
||||
|
||||
OUTPUT_PATH = outputpath
|
||||
JSON_PATH = jsonpath
|
||||
|
||||
for line in open(OUTPUT_PATH, 'r', encoding="utf8").readlines():
|
||||
line = line.strip()
|
||||
if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
|
||||
continue
|
||||
# Reset globals to avoid data leaking between executions
|
||||
FINAL_JSON = {}
|
||||
C_SECTION = FINAL_JSON
|
||||
C_MAIN_SECTION = FINAL_JSON
|
||||
C_2_SECTION = FINAL_JSON
|
||||
C_3_SECTION = FINAL_JSON
|
||||
|
||||
parse_line(line)
|
||||
with open(OUTPUT_PATH, 'r', encoding="utf8") as f:
|
||||
for line in f.readlines():
|
||||
line = line.strip()
|
||||
# Remove empty lines or lines containing only color codes
|
||||
if not line or not clean_colors(line):
|
||||
continue
|
||||
|
||||
parse_line(line)
|
||||
|
||||
if JSON_PATH:
|
||||
with open(JSON_PATH, "w") as f:
|
||||
|
||||
@ -102,17 +102,15 @@ namespace winPEAS.Checks
|
||||
{
|
||||
vulnHandlers = ProcessesInfo.GetVulnHandlers(progress);
|
||||
}
|
||||
Dictionary<string, string> colors = new Dictionary<string, string>();
|
||||
colors[Checks.CurrentUserName] = Beaprint.ansi_color_bad;
|
||||
colors[HandlesHelper.elevatedProcess] = Beaprint.ansi_color_bad;
|
||||
|
||||
foreach (Dictionary<string, string> handler in vulnHandlers)
|
||||
{
|
||||
Dictionary<string, string> colors = new Dictionary<string, string>()
|
||||
{
|
||||
{ Checks.CurrentUserName, Beaprint.ansi_color_bad },
|
||||
{ handler["Reason"], Beaprint.ansi_color_bad },
|
||||
};
|
||||
|
||||
Beaprint.DictPrint(vulnHandlers, colors, true);
|
||||
colors[handler["Reason"]] = Beaprint.ansi_color_bad;
|
||||
}
|
||||
Beaprint.DictPrint(vulnHandlers, colors, true);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
|
||||
@ -31,7 +31,7 @@ namespace winPEAS.Helpers
|
||||
public static string ansi_current_user = MAGENTA;
|
||||
|
||||
private static string Advisory =
|
||||
"winpeas should be used for authorized penetration testing and/or educational purposes only." +
|
||||
"winpeas should be used for authorized penetration testing and/or educational purposes only. " +
|
||||
"Any misuse of this software will not be the responsibility of the author or of any other collaborator. " +
|
||||
"Use it at your own devices and/or with the device owner's permission.";
|
||||
|
||||
@ -81,7 +81,7 @@ namespace winPEAS.Helpers
|
||||
/---------------------------------------------------------------------------------\
|
||||
| {1}Do you like PEASS?{0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz {0} |
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz {0} |
|
||||
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
||||
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
|
||||
@ -12,6 +12,7 @@ namespace winPEAS.Helpers
|
||||
private const int CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64;
|
||||
public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
|
||||
public const int DUPLICATE_SAME_ACCESS = 0x2;
|
||||
public const string elevatedProcess = "Access denied, process is probably elevated";
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
|
||||
public struct FILE_NAME_INFO
|
||||
@ -171,7 +172,7 @@ namespace winPEAS.Helpers
|
||||
// Hex perms from https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://github.com/buffer/maltracer/blob/master/defines.py
|
||||
|
||||
//PROCESS_ALL_ACCESS
|
||||
if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess)
|
||||
if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess || (h.GrantedAccess & 0x1FFFFF) == h.GrantedAccess)
|
||||
{
|
||||
vulnHandler.isVuln = true;
|
||||
vulnHandler.reason = "PROCESS_ALL_ACCESS";
|
||||
@ -454,6 +455,8 @@ namespace winPEAS.Helpers
|
||||
}
|
||||
catch
|
||||
{
|
||||
data["name"] = elevatedProcess;
|
||||
data["sid"] = elevatedProcess;
|
||||
return data;
|
||||
}
|
||||
finally
|
||||
@ -469,12 +472,32 @@ namespace winPEAS.Helpers
|
||||
public static PT_RELEVANT_INFO getProcInfoById(int pid)
|
||||
{
|
||||
PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
|
||||
Process proc;
|
||||
|
||||
Process proc = Process.GetProcessById(pid);
|
||||
try
|
||||
{
|
||||
proc = Process.GetProcessById(pid);
|
||||
}
|
||||
catch
|
||||
{
|
||||
pri.pid = pid;
|
||||
pri.name = "Error, process may not exist";
|
||||
pri.userName = "Error, process may not exist";
|
||||
pri.userSid = "Error, process may not exist";
|
||||
pri.imagePath = "Error, process may not exist";
|
||||
return pri;
|
||||
}
|
||||
Dictionary<string, string> user = GetProcU(proc);
|
||||
|
||||
StringBuilder fileName = new StringBuilder(2000);
|
||||
Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
|
||||
|
||||
try
|
||||
{
|
||||
Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
|
||||
}
|
||||
catch
|
||||
{
|
||||
fileName = new StringBuilder(elevatedProcess);
|
||||
}
|
||||
|
||||
pri.pid = pid;
|
||||
pri.name = proc.ProcessName;
|
||||
|
||||
@ -195,11 +195,11 @@ namespace winPEAS.Info.ProcessInfo
|
||||
continue;
|
||||
|
||||
List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
|
||||
IdentityReference sid = null;
|
||||
try
|
||||
{
|
||||
System.Security.AccessControl.FileSecurity fs = System.IO.File.GetAccessControl(sFilePath);
|
||||
IdentityReference sid = fs.GetOwner(typeof(SecurityIdentifier));
|
||||
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
|
||||
sid = fs.GetOwner(typeof(SecurityIdentifier));
|
||||
|
||||
// If current user already have permissions over that file or the proc belongs to the owner of the file,
|
||||
// handler not interesting to elevate privs
|
||||
@ -207,6 +207,8 @@ namespace winPEAS.Info.ProcessInfo
|
||||
continue;
|
||||
|
||||
to_add["File Path"] = sFilePath;
|
||||
|
||||
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
|
||||
to_add["File Owner"] = ownerName;
|
||||
}
|
||||
catch (System.IO.FileNotFoundException)
|
||||
@ -218,7 +220,10 @@ namespace winPEAS.Info.ProcessInfo
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
catch (System.Security.Principal.IdentityNotMappedException)
|
||||
{
|
||||
to_add["File Owner"] = sid.ToString();
|
||||
}
|
||||
}
|
||||
|
||||
else if (typeName == "key")
|
||||
|
||||
Loading…
Reference in New Issue
Block a user