linpeas update

linPEAS/README.md

@@ -47,6 +47,22 @@ chmod +x linpeas_linux_amd64
 ./linpeas_linux_amd64
 ```
 
+## Firmware Analysis
+If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
+
+- If you **can emulate** the firmware, just run linpeas inside of it:
+```bash
+cp /path/to/linpeas.sh /mnt/linpeas.sh
+chroot /mnt #Supposing you have mounted the firmware FS in /mnt
+bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
+```
+
+- If you **cannot emulate** the firmware, use the `-f </path/to/folder` param:
+```bash
+# Point to the folder containing the files you want to analyze
+bash /path/to/linpeas.sh -f /path/to/folder
+```
+
 ## AV bypass
 ```bash
 #open-ssl encryption
@@ -77,8 +93,9 @@ By default linpeas takes around **4 mins** to complete, but It could take from *
 - 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted
 
 **Interesting parameters:**
-- **-a** (all checks) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
+- **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
 - **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default**
+- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the silesystem**
 - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
 - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
 - **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took
@@ -93,19 +110,21 @@ This tool enum and search possible misconfigurations (known vulns, user, process
       -q Do not show banner
       -e Perform extra enumeration
       -s SuperFast (don't check some time consuming checks) - Stealth mode
-      -a All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
+      -a All checks except regexes - Noisy mode, for CTFs mainly
+      -r Activate Regexes (this can take from some mins to several hours)
+      -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
       -w Wait execution between big blocks of checks
       -N Do not use colours
       -D Debug mode
       -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
-      -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files). Select a comma separated list.
+      -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
       -L Force linpeas execution.
       -M Force macpeas execution.
       -d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
       -p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
       -i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
       -t Automatic network scan (host discovery and port scanning) - This option writes to files
-  Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
+       Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
 ```
 
 ## Hosts Discovery and Port Scanning
@@ -186,22 +205,17 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
 
 Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/stores/peass)** and show your love for our favorite peas
 
-## TODO
+## Collaborate
 
-- Add more checks
-- Mantain updated the list of vulnerable SUID binaries
-- Mantain updated all the blacklists used to color the output
-
-If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
+If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
 
 If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**.
 
-
 **Linpeas** is being **updated** every time I find something that could be useful to escalate privileges.
 
 ## Advisory
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
 
-By Polop<sup>(TM)</sup>
+By Polop<sup>(TM)</sup>

linPEAS/TODO.md

@@ -0,0 +1,8 @@
+- Add more checks
+- Add more potential files with passwords to sensitive_files.yaml
+- Add more regex of interesting APIs to regexes.yaml
+- Mantain updated the list of vulnerable SUID binaries
+- Mantain updated all the blacklists used to color the output
+- Improve the speed
+- Reduce the size of the script
+- Generate automatically an obfuscated version

linPEAS/builder/linpeas_builder.py

@@ -1,7 +1,7 @@
 from .src.peasLoaded import PEASLoaded
 from .src.linpeasBuilder import LinpeasBuilder
 from .src.linpeasBaseBuilder import LinpeasBaseBuilder
-from .src.yamlGlobals import FINAL_LINPEAS_PATH
+from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORARY_LINPEAS_BASE_PATH
 
 import os
 import stat
@@ -18,7 +18,13 @@ def main():
     # Build final linpeas.sh
     lbuilder = LinpeasBuilder(ploaded)
     lbuilder.build()
-    lbuilder.write_linpeas(FINAL_LINPEAS_PATH)
+    lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH)
+    lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS")
+    os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
+
+    st = os.stat(FINAL_FAT_LINPEAS_PATH)
+    os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
+
     st = os.stat(FINAL_LINPEAS_PATH)
     os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
 

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -31,8 +31,8 @@ if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "
 fi
 
 #-- SY) CVE-2021-3560
-polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
-if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(rpm -qa | grep polkit | grep -c '0.117-2\|0.115-6')" -ge 1 ]]; then
+polkitVersion=$(systemctl status polkit.service 2>/dev/null | grep version | cut -d " " -f 9)
+if [ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 ] || [ "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" ]; then
     echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi
@@ -42,7 +42,7 @@ fi
 #-- https://stackoverflow.com/a/37939589
 kernelversion=$(uname -r | awk -F"-" '{print $1}')
 kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
-if [[ $kernelnumber -ge 5008000000 && $kernelnumber -lt 5017000000 ]]; then # if kernel version beteen 5.8 and 5.17
+if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version beteen 5.8 and 5.17
     echo "Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi
@@ -69,10 +69,15 @@ fi
 echo ""
 
 #-- SY) PATH
+
 print_2title "PATH"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
-echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
-echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
+if ! [ "$IAMROOT" ]; then
+    echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
+    echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
+else
+    echo "New path exported: $PATH" 2>/dev/null
+fi
 echo ""
 
 #-- SY) Date
@@ -104,7 +109,7 @@ fi
 
 if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
     print_2title "Unmounted file-system?"
-    print_info "Check if you can mount unmounted devices"
+    print_info "Check if you can mount umounted devices"
     grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
     echo ""
 fi
@@ -124,7 +129,7 @@ fi
 #-- SY) Environment vars
 print_2title "Environment"
 print_info "Any private information inside environment variables?"
-(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBERNETES" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
 echo ""
 
 #-- SY) Dmesg
@@ -198,6 +203,22 @@ print_list "Execshield enabled? ............ "$NC
 print_list "SELinux enabled? ............... "$NC
 (sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
 
+#-- SY) Seccomp
+print_list "Seccomp enabled? ............... "$NC
+([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) AppArmor
+print_list "AppArmor profile? .............. "$NC
+(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+#-- SY) AppArmor
+print_list "User namespace? ................ "$NC
+if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+#-- SY) cgroup2
+print_list "Cgroup2 enabled? ............... "$NC
+([ "$(grep cgroup2 /proc/filesystems)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
 #-- SY) Gatekeeper
 if [ "$MACPEAS" ]; then
     print_list "Gatekeeper enabled? .......... "$NC