From 999fcff035e28d6f9d02d48f48c9ecfa3a9e1ef3 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Sat, 30 Jul 2022 12:14:53 +0200 Subject: [PATCH] linpeas update --- linPEAS/README.md | 38 +- linPEAS/TODO.md | 8 + linPEAS/builder/linpeas_builder.py | 10 +- .../linpeas_parts/1_system_information.sh | 35 +- linPEAS/builder/linpeas_parts/2_container.sh | 181 ++++- linPEAS/builder/linpeas_parts/3_cloud.sh | 277 +++++++ ... => 4_procs_crons_timers_srvcs_sockets.sh} | 6 - ...nformation.sh => 5_network_information.sh} | 8 +- ..._information.sh => 6_users_information.sh} | 10 +- .../linpeas_parts/7_interesting_files.sh | 638 ---------------- ...formation.sh => 7_software_information.sh} | 63 +- .../linpeas_parts/8_interesting_files.sh | 712 ++++++++++++++++++ .../builder/linpeas_parts/9_api_keys_regex.sh | 6 + linPEAS/builder/linpeas_parts/linpeas_base.sh | 180 +++-- linPEAS/builder/src/linpeasBuilder.py | 95 ++- linPEAS/builder/src/yamlGlobals.py | 29 +- 16 files changed, 1501 insertions(+), 795 deletions(-) create mode 100644 linPEAS/TODO.md create mode 100644 linPEAS/builder/linpeas_parts/3_cloud.sh rename linPEAS/builder/linpeas_parts/{3_procs_crons_timers_srvcs_sockets.sh => 4_procs_crons_timers_srvcs_sockets.sh} (96%) rename linPEAS/builder/linpeas_parts/{4_network_information.sh => 5_network_information.sh} (92%) rename linPEAS/builder/linpeas_parts/{5_users_information.sh => 6_users_information.sh} (93%) delete mode 100644 linPEAS/builder/linpeas_parts/7_interesting_files.sh rename linPEAS/builder/linpeas_parts/{6_software_information.sh => 7_software_information.sh} (93%) create mode 100644 linPEAS/builder/linpeas_parts/8_interesting_files.sh create mode 100644 linPEAS/builder/linpeas_parts/9_api_keys_regex.sh diff --git a/linPEAS/README.md b/linPEAS/README.md index 2aff17d9a..750c89ed9 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md 
@@ -47,6 +47,22 @@ chmod +x linpeas_linux_amd64 ./linpeas_linux_amd64 ``` +## Firmware Analysis +If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options. + +- If you **can emulate** the firmware, just run linpeas inside of it: +```bash +cp /path/to/linpeas.sh /mnt/linpeas.sh +chroot /mnt #Supposing you have mounted the firmware FS in /mnt +bash /linpeas.sh -o software_information,interesting_files,api_keys_regex +``` + +- If you **cannot emulate** the firmware, use the `-f Execute linpeas to search passwords/file permissions misconfigs inside a folder -w Wait execution between big blocks of checks -N Do not use colours -D Debug mode -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' - -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files). Select a comma separated list. + -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list. -L Force linpeas execution. -M Force macpeas execution. -d Discover hosts using fping or ping. Ex: -d 192.168.0.1/24 -p -d Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139 -i [-p ] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. 
Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 -t Automatic network scan (host discovery and port scanning) - This option writes to files - Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed + Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed ``` ## Hosts Discovery and Port Scanning @@ -186,17 +205,12 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/stores/peass)** and show your love for our favorite peas -## TODO +## Collaborate -- Add more checks -- Mantain updated the list of vulnerable SUID binaries -- Mantain updated all the blacklists used to color the output - -If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**. +If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**. If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**. - **Linpeas** is being **updated** every time I find something that could be useful to escalate privileges. ## Advisory @@ -204,4 +218,4 @@ If you find any issue, please report it using **[github issues](https://github.c All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. -By Polop(TM) \ No newline at end of file +By Polop(TM) 
diff --git a/linPEAS/TODO.md b/linPEAS/TODO.md new file mode 100644 index 000000000..90a87781a --- /dev/null +++ b/linPEAS/TODO.md @@ -0,0 +1,8 @@ +- Add more checks +- Add more potential files with passwords to sensitive_files.yaml +- Add more regex of interesting APIs to regexes.yaml +- Mantain updated the list of vulnerable SUID binaries +- Mantain updated all the blacklists used to color the output +- Improve the speed +- Reduce the size of the script +- Generate automatically an obfuscated version \ No newline at end of file diff --git a/linPEAS/builder/linpeas_builder.py b/linPEAS/builder/linpeas_builder.py index be16c2952..f3262a1ad 100644 --- a/linPEAS/builder/linpeas_builder.py +++ b/linPEAS/builder/linpeas_builder.py @@ -1,7 +1,7 @@ from .src.peasLoaded import PEASLoaded from .src.linpeasBuilder import LinpeasBuilder from .src.linpeasBaseBuilder import LinpeasBaseBuilder -from .src.yamlGlobals import FINAL_LINPEAS_PATH +from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORARY_LINPEAS_BASE_PATH import os import stat @@ -18,7 +18,13 @@ def main(): # Build final linpeas.sh lbuilder = LinpeasBuilder(ploaded) lbuilder.build() - lbuilder.write_linpeas(FINAL_LINPEAS_PATH) + lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH) + lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS") + os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file + + st = os.stat(FINAL_FAT_LINPEAS_PATH) + os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC) + st = os.stat(FINAL_LINPEAS_PATH) os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC) diff --git a/linPEAS/builder/linpeas_parts/1_system_information.sh b/linPEAS/builder/linpeas_parts/1_system_information.sh index a2b57ffe6..02e2dec30 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information.sh 
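Review bot: The slim build comes from `lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS")`, which by its name only drops lines that begin with `FAT_LINPEAS`, yet call sites such as `execBin "AmIContainered" ... "$FAT_LINPEAS_AMICONTAINED"` in 2_container.sh stay in the slim script and expand to an empty argument; unless `execBin` (not in this patch) returns early on an empty payload, the slim build will try to run nothing. Either strip those call sites as well or make `execBin` guard its third argument. Separately, `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` is not protected, so an exception in `build()` or `write_linpeas()` leaves the temporary base file on disk; `try: ... finally: os.remove(TEMPORARY_LINPEAS_BASE_PATH)` keeps the tree clean either way. The enclosing `main()` begins before this hunk.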
@@ -31,8 +31,8 @@ if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "
 fi
 #-- SY) CVE-2021-3560
-polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
-if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(rpm -qa | grep polkit | grep -c '0.117-2\|0.115-6')" -ge 1 ]]; then
+polkitVersion=$(systemctl status polkit.service 2>/dev/null | grep version | cut -d " " -f 9)
+if [ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 ] || [ "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" ]; then
 echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
 echo ""
 fi
@@ -42,7 +42,7 @@ fi
 #-- https://stackoverflow.com/a/37939589
 kernelversion=$(uname -r | awk -F"-" '{print $1}')
 kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
-if [[ $kernelnumber -ge 5008000000 && $kernelnumber -lt 5017000000 ]]; then # if kernel version beteen 5.8 and 5.17
+if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version beteen 5.8 and 5.17
 echo "Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED_YELLOW},"
 echo ""
 fi
@@ -69,10 +69,15 @@ fi
 echo ""
 #-- SY) PATH
+
 print_2title "PATH"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
-echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
-echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
+if ! [ "$IAMROOT" ]; then
+ echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
+ echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
+else
+ echo "New path exported: $PATH" 2>/dev/null
+fi
 echo ""
 #-- SY) Date
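Review bot: The rewritten CVE-2021-3560 condition flags every host as vulnerable: `grep -c` prints `0` when nothing matches (also on an empty stream when yum is absent), and `[ "0" ]` is true because the string is non-empty, so the yum branch always succeeds. The numeric comparison the old rpm branch had must come back, `[ "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" -ge 1 ]`. The rewrite also silently stops matching the `0.115-6` build the rpm check used to look for; if that version is still meant to be flagged, keep `grep -c '0.117-2\|0.115-6'`. `polkitVersion` is assigned but not used anywhere in this hunk.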
@@ -104,7 +109,7 @@ fi
 if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
 print_2title "Unmounted file-system?"
- print_info "Check if you can mount unmounted devices"
+ print_info "Check if you can mount umounted devices"
 grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
 echo ""
 fi
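Review bot: The only change in this hunk replaces the correct word "unmounted" with "umounted" in a user-facing message; `umount` is the command, but the adjective is "unmounted", so the original `print_info "Check if you can mount unmounted devices"` should stay.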
@@ -124,7 +129,7 @@ fi
 #-- SY) Environment vars
 print_2title "Environment"
 print_info "Any private information inside environment variables?"
-(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBERNETES" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
 echo ""
 #-- SY) Dmesg
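Review bot: The `PSTORAGE_KUBERNETES` exclusion added to the `grep -v` filter never takes effect, and neither does any entry before it: without `-E` the pattern is a basic regular expression, in which `|` is a literal character and `^` anchors only at the very start, so the whole list is one literal string that no environment line contains and every variable is printed. Change the call to `grep -Ev "RELEVANT*|FIND*|...|PSTORAGE_KUBERNETES"` (the file already uses `grep -Ev` elsewhere) and expect the section to shrink, since the script's own globals are then hidden as intended.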
@@ -198,6 +203,22 @@ print_list "Execshield enabled? ............ "$NC print_list "SELinux enabled? ............... "$NC (sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED}," +#-- SY) Seccomp +print_list "Seccomp enabled? ............... "$NC +([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," + +#-- SY) AppArmor +print_list "AppArmor profile? .............. "$NC +(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN}," + +#-- SY) AppArmor +print_list "User namespace? ................ "$NC +if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi + +#-- SY) cgroup2 +print_list "Cgroup2 enabled? ............... "$NC +([ "$(grep cgroup2 /proc/filesystems)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," + #-- SY) Gatekeeper if [ "$MACPEAS" ]; then print_list "Gatekeeper enabled? .......... "$NC diff --git a/linPEAS/builder/linpeas_parts/2_container.sh b/linPEAS/builder/linpeas_parts/2_container.sh index a3b63f518..e24906cbc 100644 --- a/linPEAS/builder/linpeas_parts/2_container.sh +++ b/linPEAS/builder/linpeas_parts/2_container.sh @@ -25,6 +25,14 @@ containerCheck() { else containerType="kubernetes\n" fi fi + + # Inside concourse? + if grep "/concourse" /proc/1/mounts -qa 2>/dev/null; then + inContainer="1" + if [ "$containerType" ]; then + containerType="$containerType (concourse)\n" + fi + fi # Are we inside LXC? if env | grep "container=lxc" -qa 2>/dev/null || 
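Review bot: The "User namespace?" line always prints "enabled": `/proc/self/uid_map` is populated in the initial namespace too (`0 0 4294967295`), so the string test is never empty on a Linux host. If the question is "can unprivileged users create user namespaces", read `/proc/sys/user/max_user_namespaces` (and `/proc/sys/kernel/unprivileged_userns_clone` on Debian-derived kernels); if it is "is this process already inside one", test against the identity mapping, e.g. `if ! grep -q "^ *0 *0 *4294967295$" /proc/self/uid_map 2>/dev/null`. The AppArmor line colours only `kernel` green, so the common `unconfined` answer is printed without emphasis; append `| sed "s,unconfined,${SED_RED},"`. The comment above the namespace check reads `#-- SY) AppArmor` and should be `#-- SY) User namespace`, and the Seccomp `grep` has no `2>/dev/null`, so on the macOS path (MACPEAS) the missing /proc file produces an error line.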
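Review bot: When Concourse is detected but no earlier check has set `$containerType`, the `if [ "$containerType" ]` guard leaves the type empty while `inContainer` is already 1, so "Is this a container?" prints nothing; add `else containerType="concourse\n"`. The earlier types already end in `\n` (e.g. `containerType="kubernetes\n"`), so `"$containerType (concourse)\n"` puts the suffix on its own line; append it before the newline or strip the trailing `\n` first. `containerCheck()` begins before this hunk.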
@@ -69,27 +77,33 @@ enumerateDockerSockets() { dockerVersion="$(echo_not_found)" if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then SEARCHED_DOCKER_SOCKETS="1" - for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do - if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then - echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g" - echo "Docker enummeration:" - docker_enumerated="" - - if [ "$(command -v curl)" ]; then - sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)" - dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4) - echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' - if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi - fi - - if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then - sockInfoResponse="$(docker info)" - dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4) - printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -n -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do + if ! 
[ "$IAMROOT" ] && [ -w "$int_sock" ]; then + if echo "$int_sock" | grep -Eq "docker"; then + dock_sock="$int_sock" + echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g" + echo "Docker enummeration:" + docker_enumerated="" + + if [ "$(command -v curl)" ]; then + sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4) + echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi + fi + + if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then + sockInfoResponse="$(docker info)" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4) + printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + fi + + else + echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g" fi else - echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g" + echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g" fi done fi 
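Review bot: The new `find` expression contains `-n -name "containerd.sock"`; `-n` is not a find predicate, so find aborts with an error that `2>/dev/null` hides and the loop body never runs — after this change not even docker.sock is enumerated. The `-o` chain is also mis-grouped: `! -path "/sys/*" -type s` binds only to the first `-name`, so any regular file called containerd.sock, including one under /sys, would match. Both are fixed by `find / ! -path "/sys/*" -type s \( -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" \) 2>/dev/null`. The echoed heading still says "enummeration". `enumerateDockerSockets()` begins before this hunk.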
@@ -123,6 +137,39 @@ checkContainerExploits() {
 fi
 }
+checkProcSysBreakouts(){
+ if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then release_agent_breakout1="Yes"; else release_agent_breakout1="No"; fi
+
+ mkdir /tmp/cgroup_3628d4
+ mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null
+ if [ $? -eq 0 ]; then release_agent_breakout12="Yes"; else release_agent_breakout2="No"; fi
+ rm -rf /tmp/cgroup_3628d4 2>/dev/null
+
+ core_pattern_breakout="$( (echo -n '' > /proc/sys/kernel/core_pattern && echo Yes) 2>/dev/null || echo No)"
+ modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` || echo No)"
+ panic_on_oom_dos="$( (echo -n '' > /proc/sys/vm/panic_on_oom && echo Yes) 2>/dev/null || echo No)"
+ panic_sys_fs_dos="$( (echo -n '' > /proc/sys/fs/suid_dumpable && echo Yes) 2>/dev/null || echo No)"
+ binfmt_misc_breakout="$( (echo -n '' > /proc/sys/fs/binfmt_misc/register && echo Yes) 2>/dev/null || echo No)"
+ proc_configgz_readable="$([ -r '/proc/config.gz' ] 2>/dev/null && echo Yes || echo No)"
+ sysreq_trigger_dos="$( (echo -n '' > /proc/sysrq-trigger && echo Yes) 2>/dev/null || echo No)"
+ kmsg_readable="$( (dmesg > /dev/null 2>&1 && echo Yes) 2>/dev/null || echo No)" # Kernel Exploit Dev
+ kallsyms_readable="$( (head -n 1 /proc/kallsyms > /dev/null && echo Yes )2>/dev/null || echo No)" # Kernel Exploit Dev
+ mem_readable="$( (head -n 1 /proc/self/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
+ if [ "$(head -n 1 /tmp/kcore 2>/dev/null)" ]; then kcore_readable="Yes"; else kcore_readable="No"; fi
+ kmem_readable="$( (head -n 1 /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
+ kmem_writable="$( (echo -n '' > /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
+ mem_readable="$( (head -n 1 /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
+ mem_writable="$( (echo -n '' > /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
+ sched_debug_readable="$( (head -n 1 /proc/sched_debug > /dev/null &&
echo Yes) 2>/dev/null || echo No)" + mountinfo_readable="$( (head -n 1 /proc/*/mountinfo > /dev/null && echo Yes) 2>/dev/null || echo No)" + uevent_helper_breakout="$( (echo -n '' > /sys/kernel/uevent_helper && echo Yes) 2>/dev/null || echo No)" + vmcoreinfo_readable="$( (head -n 1 /sys/kernel/vmcoreinfo > /dev/null && echo Yes) 2>/dev/null || echo No)" + security_present="$( (ls -l /sys/kernel/security > /dev/null && echo Yes) 2>/dev/null || echo No)" + security_writable="$( (echo -n '' > /sys/kernel/security/a && echo Yes) 2>/dev/null || echo No)" + efi_vars_writable="$( (echo -n '' > /sys/firmware/efi/vars && echo Yes) 2>/dev/null || echo No)" + efi_efivars_writable="$( (echo -n '' > /sys/firmware/efi/efivars && echo Yes) 2>/dev/null || echo No)" +} + ############################################## #---------------) Containers (---------------# @@ -137,6 +184,9 @@ command -v kubectl command -v podman command -v runc +print_2title "Am I Containered?" +execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED" + print_2title "Container details" print_list "Is this a container? ...........$NC $containerType" @@ -177,6 +227,7 @@ if echo "$containerType" | grep -qi "docker"; then if [ "$inContainer" ]; then checkDockerRootless print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN}," + echo "" fi if df -h | grep docker; then print_2title "Docker Overlays" 
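Review bot: Several probes in `checkProcSysBreakouts` report the wrong thing: the success branch of the memory-cgroup mount assigns `release_agent_breakout12` (typo), so `release_agent_breakout2` is empty exactly when the breakout works; `kcore_readable` reads `/tmp/kcore` instead of `/proc/kcore`; `mem_readable` is assigned twice, so the `/proc/self/mem` result is lost; `/proc/kmem` and `/proc/mem` do not exist (the device nodes are `/dev/kmem` and `/dev/mem`), so those four lines always print No; and `/sys/firmware/efi/vars` and `efivars` are directories that a redirection can never open, so the EFI probes always print No as well. `modprobe_present` has no `2>/dev/null` and, when `/proc/sys/kernel/modprobe` is unreadable, runs a bare `ls -l` of the working directory. The function is also not side-effect free: the `mkdir` error is not silenced and, when the cgroup mount succeeds, `rm -rf` runs inside a live cgroup hierarchy (deleting cgroups, not the mount point); `umount ... 2>/dev/null; rmdir ... 2>/dev/null` is the safe cleanup. The write probes depend on `echo -n ''` never issuing a write(2), which is shell dependent (a zero-byte write to a sysctl would truncate it); `[ -w FILE ]` asks the same question without opening the file for writing, and access(2) honours read-only mounts, so the answer inside a container is the same.
```shell
checkProcSysBreakouts(){
  # … unchanged: release_agent_breakout1 …
  mkdir /tmp/cgroup_3628d4 2>/dev/null
  if mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null; then release_agent_breakout2="Yes"; else release_agent_breakout2="No"; fi
  umount /tmp/cgroup_3628d4 2>/dev/null; rmdir /tmp/cgroup_3628d4 2>/dev/null

  core_pattern_breakout="$( [ -w /proc/sys/kernel/core_pattern ] && echo Yes || echo No)"
  modprobe_present="$( ls -l "$(cat /proc/sys/kernel/modprobe 2>/dev/null)" 2>/dev/null || echo No)"
  # … unchanged: panic_on_oom, suid_dumpable, binfmt_misc, sysrq-trigger, uevent_helper, security (same [ -w ] form) …
  self_mem_readable="$( (head -n 1 /proc/self/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
  if [ "$(head -n 1 /proc/kcore 2>/dev/null)" ]; then kcore_readable="Yes"; else kcore_readable="No"; fi
  kmem_readable="$( (head -n 1 /dev/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
  kmem_writable="$( [ -w /dev/kmem ] && echo Yes || echo No)"
  mem_readable="$( (head -n 1 /dev/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
  mem_writable="$( [ -w /dev/mem ] && echo Yes || echo No)"
  # … unchanged: config.gz, kmsg, kallsyms, sched_debug, mountinfo, vmcoreinfo …
  efi_vars_writable="$( [ -w /sys/firmware/efi/vars ] && echo Yes || echo No)"
  efi_efivars_writable="$( [ -w /sys/firmware/efi/efivars ] && echo Yes || echo No)"
}
```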
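Review bot: `execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"` executes a third-party binary embedded at build time, and nothing in this patch shows how the payload is obtained or whether it is pinned to a release checksum, so a compromised upstream release would ship verbatim inside every fat linpeas; please pin the download in the builder. In the slim build the `FAT_LINPEAS_*` definition is stripped and the third argument is empty; unless `execBin` (outside this patch) guards against that, wrap the section in `if [ "$FAT_LINPEAS_AMICONTAINED" ]; then ... fi`.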
@@ -184,6 +235,25 @@ if echo "$containerType" | grep -qi "docker"; then
 fi
 fi
+#If token secrets mounted
+if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
+ print_2title "Listing mounted tokens"
+ print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+ ALREADY="IinItialVaaluE"
+ for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
+ TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
+ if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
+ ALREADY="$ALREADY|$TOKEN"
+ echo "Directory: $i"
+ echo "Namespace: $(cat $i)"
+ echo ""
+ echo $TOKEN
+ echo "================================================================================"
+ echo ""
+ fi
+ done
+fi
+
 if [ "$inContainer" ]; then
 echo ""
 print_2title "Container & breakout enumeration"
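Review bot: The mount filter `'/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/.../'` only matches secret volumes whose path contains "default", i.e. the legacy `default-token-*` secret of the `default` service account; tokens of any other service account are skipped, and so are projected `kube-api-access-*` volumes (mounted under `kubernetes.io~projected`, not `~secret`) on clusters that use them. Keying on the kubelet volume directory instead of the account name covers both, e.g. `sed -n 's/^tmpfs on \(.*kubernetes\.io~\(secret\|projected\)\/[^ ]*\) type tmpfs.*$/\1\/namespace/p'`. The dedupe passes `$ALREADY` unquoted to `grep -E` and grows it with raw JWTs, so token characters are interpreted as regex; a fixed-string substring test is equivalent and safer, `if ! echo "$ALREADY" | grep -Fq -- "$TOKEN"; then`.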
@@ -192,27 +262,90 @@ if [ "$inContainer" ]; then if echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" fi + print_list "Seccomp enabled? ............... "$NC + ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN}," + + print_list "AppArmor profile? .............. "$NC + (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN}," + + print_list "User proc namespace? ........... "$NC + if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi checkContainerExploits - print_list "Vulnerable to CVE-2019-5021 .. $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," + + print_3title "Breakout via mounts" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts" + + checkProcSysBreakouts + print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," + print_list "is modprobe present ............ 
$modprobe_present\n" | sed -${E} "s,/.*,${SED_RED}," + print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" + print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" + print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" + print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" + print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" + print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" + print_list "/sys/kernel/security present ... $security_present\n" + print_list "/sys/kernel/security writable .. $security_writable\n" + if [ "$EXTRA_CHECKS" ]; then + print_list "/proc/kmsg readable ............ $kmsg_readable\n" + print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" + print_list "/proc/self/mem readable ........ $sched_debug_readable\n" + print_list "/proc/kcore readable ........... $kcore_readable\n" + print_list "/proc/kmem readable ............ $kmem_readable\n" + print_list "/proc/kmem writable ............ $kmem_writable\n" + print_list "/proc/mem readable ............. $mem_readable\n" + print_list "/proc/mem writable ............. 
$mem_writable\n" + print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" + print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" + print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" + fi + + echo "" + print_3title "Namespaces" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces" + ls -l /proc/self/ns/ if echo "$containerType" | grep -qi "kubernetes"; then print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n" - print_2title "Kubernetes Information" echo "" + print_2title "Kubernetes Information" + print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod" + + print_3title "Kubernetes service account folder" ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null echo "" print_3title "Kubernetes env vars" - (env | set) | grep -Ei "kubernetes|kube" + (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType=" + echo "" + + print_3title "Current sa user k8s permissions" + print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles" + kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo 
\"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \ + "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \ + -X 'POST' -H 'Content-Type: application/json' \ + --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED}," + fi echo "" print_2title "Container Capabilities" - capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape" + if [ "$(command -v capsh)" ]; then + capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" + else + cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g" + fi echo "" print_2title "Privilege Mode" 
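Review bot: The `curl` fallback under "Current sa user k8s permissions" posts a fixed base64 body that decodes to a SelfSubjectRulesReview with `"spec":{"namespace":"eevee"}`, so unless the pod happens to run in a namespace called eevee the API answers for the wrong namespace and the printed rules are meaningless; build the body from the mounted namespace file instead (below). The same call passes `-k` although the cluster CA is mounted next to the token, so `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` should replace it, and its trailing `sed "s,secrets|exec|...,"` lacks `-${E}`, so the alternation is a literal string and nothing is highlighted. In the breakout listing `core_pattern breakout` is printed twice, `/proc/self/mem readable` prints `$sched_debug_readable`, and "User proc namespace?" repeats the uid_map test, which is non-empty in every namespace and therefore always says enabled. The `if [ "$inContainer" ]` block this hunk sits in continues past it.
```shell
print_3title "Current sa user k8s permissions"
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
SA_NS="$(cat $SA_DIR/namespace 2>/dev/null)"
kubectl auth can-i --list 2>/dev/null || curl -s --cacert "$SA_DIR/ca.crt" \
  -X POST -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $(cat $SA_DIR/token)" \
  -d "{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"spec\":{\"namespace\":\"$SA_NS\"}}" \
  "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
  | sed -${E} "s,secrets|exec|create|patch|impersonate|\"\*\",${SED_RED},"
# … unchanged: Container Capabilities section …
```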
@@ -228,10 +361,10 @@ if [ "$inContainer" ]; then
 echo ""
 print_2title "Interesting Files Mounted"
- (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,docker.sock,${SED_RED_YELLOW},"
+ (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
 echo ""
 print_2title "Possible Entrypoints"
 ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
 echo ""
-fi
\ No newline at end of file
+fi
diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh
new file mode 100644
index 000000000..e1664238b
--- /dev/null
+++ b/linPEAS/builder/linpeas_parts/3_cloud.sh
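Review bot: The new `sed -${E} "s,.sock,${SED_RED},"` runs before the existing docker.sock rule; if `SED_RED` wraps the match in colour escapes, as every other `s,X,${SED_RED},` call in the file implies, the first substitution splits `docker.sock` into `docker` + escapes + `.sock`, so the RED_YELLOW highlight for the Docker socket can no longer match and is silently downgraded to plain red. The unescaped dot also matches any character before `sock`. Swapping the order and anchoring the generic rule on the path separator keeps both highlights (assuming the colour wrapper contains no `/`): `sed -${E} "s,docker\.sock,${SED_RED_YELLOW}," | sed -${E} "s,/[A-Za-z0-9_.-]+\.sock,${SED_RED},"`.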
@@ -0,0 +1,277 @@ +########################################### +#-----------) Cloud functions (-----------# +########################################### + +GCP_GOOD_SCOPES="/devstorage.read_only|/logging.write|/monitoring|/servicecontrol|/service.management.readonly|/trace.append" +GCP_BAD_SCOPES="/cloud-platform|/compute" + +exec_with_jq(){ + if [ "$(command -v jq)" ]; then + $@ | jq; + else + $@; + fi +} + +check_gcp(){ + is_gcp="No" + if grep -q metadata.google.internal /etc/hosts 2>/dev/null || (curl --connect-timeout 2 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]); then + is_gcp="Yes" + fi +} + +check_aws_ecs(){ + is_aws_ecs="No" + if (env | grep -q ECS_CONTAINER_METADATA_URI_v4); then + is_aws_ecs="Yes"; + aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI_v4; + aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + + elif (env | grep -q ECS_CONTAINER_METADATA_URI); then + is_aws_ecs="Yes"; + aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI; + aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + + elif (env | grep -q AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); then + is_aws_ecs="Yes"; + + + elif (curl --connect-timeout 2 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" 
-eq "0" ]); then + is_aws_ecs="Yes"; + + fi + + if [ "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then + aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + fi +} + +check_aws_ec2(){ + is_aws_ec2="No" + + if [ -d "/var/log/amazon/" ]; then + is_aws_ec2="Yes" + EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null) + + else + EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null) + if [ "$(echo $EC2_TOKEN | cut -c1-2)" = "AQ" ]; then + is_aws_ec2="Yes" + fi + fi +} + +check_aws_lambda(){ + is_aws_lambda="No" + + if (env | grep -q AWS_LAMBDA_); then + is_aws_lambda="Yes" + fi +} + + +check_gcp +print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_aws_ecs +print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_aws_ec2 +print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," +check_aws_lambda +print_list "AWS Lambda? .......................... 
$is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," + +echo "" + +if [ "$is_gcp" = "Yes" ]; then + gcp_req="" + if [ "$(command -v curl)" ]; then + gcp_req='curl -s -f -H "X-Google-Metadata-Request: True"' + elif [ "$(command -v wget)" ]; then + gcp_req='wget -q -O - --header "X-Google-Metadata-Request: True"' + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + + if [ "$gcp_req" ]; then + print_2title "Google CLoud Platform Enumeration" + print_info "https://book.hacktricks.xyz/cloud-security/gcp-security" + + ## GC Project Info + p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id') + [ "$p_id" ] && echo "Project-ID: $p_id" + p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id') + [ "$p_num" ] && echo "Project Number: $p_num" + pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys') + [ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k" + p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true') + [ "$p_attrs" ] && echo "All Project Attributes: $p_attrs" + + # OSLogin Info + osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users) + [ "$osl_u" ] && echo "OSLogin users: $osl_u" + osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups) + [ "$osl_g" ] && echo "OSLogin Groups: $osl_g" + osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys) + [ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk" + osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize) + [ "$osl_au" ] && echo "OSLogin Authorize: $osl_au" + + # Instance Info + inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description) + [ "$inst_d" ] && echo "Instance Description: " + 
inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname) + [ "$inst_hostn" ] && echo "Hostname: $inst_hostn" + inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id) + [ "$inst_id" ] && echo "Instance ID: $inst_id" + inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image) + [ "$inst_img" ] && echo "Instance Image: $inst_img" + inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type) + [ "$inst_mt" ] && echo "Machine Type: $inst_mt" + inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name) + [ "$inst_n" ] && echo "Instance Name: $inst_n" + inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags) + [ "$inst_tag" ] && echo "Instance tags: $inst_tag" + inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone) + [ "$inst_zone" ] && echo "Zone: $inst_zone" + + inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location") + [ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc" + inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name") + [ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name" + inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin") + [ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e" + inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels") + [ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab" + inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig") + [ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec" + inst_k8s_kubenv=$(eval $gcp_req 
"http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env") + [ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv" + + echo "" + print_3title "Interfaces" + for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do + echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip") + echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask") + echo " Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway") + echo " DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers") + echo " Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network") + echo " ============== " + done + + echo "" + print_3title "Service Accounts" + for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do + echo " Name: $sa" + echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email") + echo " Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases") + echo " Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity") + echo " Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g" + echo " Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token") + echo " ============== " + done + fi +fi + + +if [ "$is_aws_ecs" = "Yes" ]; then + print_2title 
"AWS ECS Enumeration" + + aws_ecs_req="" + if [ "$(command -v curl)" ]; then + aws_ecs_req='curl -s -f' + elif [ "$(command -v wget)" ]; then + aws_ecs_req='wget -q -O -' + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + if [ "$aws_ecs_metadata_uri" ]; then + print_3title "Container Info" + exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri" + echo "" + + print_3title "Task Info" + exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task" + echo "" + else + echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info" + fi + + if [ "$aws_ecs_service_account_uri" ]; then + print_3title "IAM Role" + exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri" + echo "" + else + echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)" + fi +fi + +if [ "$is_aws_ec2" = "Yes" ]; then + print_2title "AWS EC2 Enumeration" + + HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN" + URL="http://169.254.169.254/latest/meta-data" + + aws_req="" + if [ "$(command -v curl)" ]; then + aws_req='curl -s -f -H "$HEADER"' + elif [ "$(command -v wget)" ]; then + aws_req='wget -q -O - -H "$HEADER"' + else + echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" + fi + + if [ "$aws_req" ]; then + printf "ami-id: "; $aws_req "$URL/ami-id"; echo "" + printf "instance-action: "; $aws_req "$URL/instance-action"; echo "" + printf "instance-id: "; $aws_req "$URL/instance-id"; echo "" + printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo "" + printf "instance-type: "; $aws_req "$URL/instance-type"; echo "" + printf "region: "; $aws_req "$URL/placement/region"; echo "" + + echo "" + print_3title "Account Info" + exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo "" + + echo "" + print_3title "Network Info" + for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do + echo "Mac: $mac" 
+ printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo "" + printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo "" + printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo "" + echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo "" + printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo "" + echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo "" + printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo "" + echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo "" + echo "" + done + + echo "" + print_3title "IAM Role" + exec_with_jq $aws_req "$URL/iam/info"; echo "" + for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do + echo "Role: $role" + exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo "" + echo "" + done + + echo "" + print_3title "User Data" + $aws_req "http://169.254.169.254/latest/user-data" + fi +fi + +if [ "$is_aws_lambda" = "Yes" ]; then + print_2title "AWS Lambda Enumeration" + printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME + printf "Region: "; env | grep AWS_REGION + printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY + printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID + printf "Session token: "; env | grep AWS_SESSION_TOKEN + printf "Security token: "; env | grep AWS_SECURITY_TOKEN + printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API + printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next") +fi + 
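Review bot: In the EC2 block the IMDSv2 token header is never sent: `aws_req='curl -s -f -H "$HEADER"'` stores the literal text `"$HEADER"`, and the later unquoted `$aws_req "$URL/ami-id"` calls (and `exec_with_jq $aws_req ...`) do not re-expand it, so curl receives a header value of `"$HEADER"`, whereas the GCP block avoids this with `eval $gcp_req ...` and `check_aws_ec2` expands the header at call time. The wget fallback has a second problem: `-H` is wget's `--span-hosts`, not `--header`, unlike the `--header` that `check_aws_ec2` uses. The smallest fix is `aws_req='wget -q -O - --header "$HEADER"'` plus an `eval` in front of every `$aws_req` use in this block, including the `$(...)` loop sources and `exec_with_jq eval $aws_req ...`; a cleaner one that avoids `eval` on values returned by the metadata endpoint (`$mac`, `$role`) is a small function that expands the header itself, sketched below. Separately, the Lambda `curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"` has no `--connect-timeout`/`--max-time` like the other requests in this file, and `invocation/next` is presumably a long-poll, so the script can block there indefinitely.
```shell
if [ "$is_aws_ec2" = "Yes" ]; then
  print_2title "AWS EC2 Enumeration"

  URL="http://169.254.169.254/latest/meta-data"

  # Expand the token header at call time: a literal '"$HEADER"' stored in a
  # variable is not re-expanded when that variable is used unquoted.
  aws_req(){
    if [ "$(command -v curl)" ]; then
      curl -s -f -H "X-aws-ec2-metadata-token: $EC2_TOKEN" "$1"
    else
      wget -q -O - --header "X-aws-ec2-metadata-token: $EC2_TOKEN" "$1"
    fi
  }

  if [ "$(command -v curl)" ] || [ "$(command -v wget)" ]; then
    printf "ami-id: "; aws_req "$URL/ami-id"; echo ""
    # … unchanged: remaining metadata queries, each now calling aws_req "$URL/..." directly …
    exec_with_jq aws_req "$URL/identity-credentials/ec2/info"; echo ""
    # … unchanged: network, IAM role and user-data sections, with $aws_req replaced by aws_req …
  else
    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
  fi
fi
```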
diff --git a/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh similarity index 96% rename from linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh rename to linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh index 5dda2e311..d117b736c 100644 --- a/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh @@ -213,12 +213,6 @@ if ! [ "$IAMROOT" ]; then fi done done - if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then - echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" - fi - if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then - echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" - fi echo "" print_2title "Unix Sockets Listening" diff --git a/linPEAS/builder/linpeas_parts/4_network_information.sh b/linPEAS/builder/linpeas_parts/5_network_information.sh similarity index 92% rename from linPEAS/builder/linpeas_parts/4_network_information.sh rename to linPEAS/builder/linpeas_parts/5_network_information.sh index b92183625..6c4c69f68 100644 --- a/linPEAS/builder/linpeas_parts/4_network_information.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information.sh 
@@ -110,10 +110,14 @@ if [ "$AUTO_NETWORK_SCAN" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then fi if [ "$AUTO_NETWORK_SCAN" ]; then - if ! [ "$FOUND_NC" ]; then + if ! [ "$FOUND_NC" ] && ! [ "$FOUND_BASH" ]; then printf $RED"[-] $SCAN_BAN_BAD\n$NC" echo "The network is not going to be scanned..." + elif ! [ "$(command -v ifconfig)" ] && ! [ "$(command -v ip a)" ]; then + printf $RED"[-] No ifconfig or ip commands, cannot find local ips\n$NC" + echo "The network is not going to be scanned..." + else print_2title "Scanning local networks (using /24)" @@ -122,7 +126,7 @@ if [ "$AUTO_NETWORK_SCAN" ]; then fi select_nc - local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.") + local_ips=$( (ip a 2>/dev/null || ifconfig) | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.") printf "%s\n" "$local_ips" | while read local_ip; do if ! [ -z "$local_ip" ]; then print_3title "Discovering hosts in $local_ip/24" diff --git a/linPEAS/builder/linpeas_parts/5_users_information.sh b/linPEAS/builder/linpeas_parts/6_users_information.sh similarity index 93% rename from linPEAS/builder/linpeas_parts/5_users_information.sh rename to linPEAS/builder/linpeas_parts/6_users_information.sh index 785a2cf72..d9e7c639a 100644 --- a/linPEAS/builder/linpeas_parts/5_users_information.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information.sh 
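Review bot: `! [ "$(command -v ip a)" ]` in the new `elif` passes `a` as a second command name to `command -v`; it only works because `command -v` still prints the path of `ip` when that one is found, and the extra argument reads as if the `ip a` subcommand were being probed. It should be `elif ! [ "$(command -v ifconfig)" ] && ! [ "$(command -v ip)" ]; then`. In the second hunk the `ifconfig` fallback inside `$( (ip a 2>/dev/null || ifconfig) | ...)` lacks the `2>/dev/null` that `ip a` has, so its error output reaches the terminal when neither tool is usable; `(ip a 2>/dev/null || ifconfig 2>/dev/null)` keeps the two consistent. The enclosing `if [ "$AUTO_NETWORK_SCAN" ]` block continues outside both hunks.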
@@ -60,18 +60,18 @@ fi #-- UI) Sudo -l print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" -(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo" +(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo" if [ "$PASSWORD" ]; then - (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo" + (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo" fi -( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "/etc/sudoers" +( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers" if ! 
[ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW}," fi -for filename in /etc/sudoers.d/*; do +for filename in '/etc/sudoers.d/*'; do if [ -r "$filename" ]; then echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g" - grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," + grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" fi done echo "" diff --git a/linPEAS/builder/linpeas_parts/7_interesting_files.sh b/linPEAS/builder/linpeas_parts/7_interesting_files.sh deleted file mode 100644 index 4ddbec07d..000000000 --- a/linPEAS/builder/linpeas_parts/7_interesting_files.sh +++ /dev/null 
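Review bot: Quoting the glob in `for filename in '/etc/sudoers.d/*'; do` disables pathname expansion, so the loop runs once with the literal string `/etc/sudoers.d/*`, `[ -r "$filename" ]` fails, and no sudoers.d drop-in is ever reported or printed — the readable-sudoers check inside the loop is now dead code. The unquoted form `for filename in /etc/sudoers.d/*; do` is the one that expands; if the quoting was meant to avoid handling the unexpanded literal when the directory is empty, add `[ -e "$filename" ] || continue` as the first line of the loop body instead.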
@@ -1,638 +0,0 @@ -########################################### -#----------) Interesting files (----------# -########################################### - -check_critial_root_path(){ - folder_path="$1" - if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi -} - - - - - - - - -##-- IF) SUID -print_2title "SUID - Check easy privesc, exploits and write perms" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" -if ! [ "$STRINGS" ]; then - echo_not_found "strings" -fi -if ! [ "$STRACE" ]; then - echo_not_found "strace" -fi -suids_files=$(find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) -for s in $suids_files; do - s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder - if echo "$s" | grep -qE "^total"; then break; fi - - sname="$(echo $s | awk '{print $9}')" - if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing - elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then - echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) - echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - c="a" - for b in $sidB; do - if echo $s | grep -q $(echo $b | cut -d % -f 1); then - echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," - c="" - break; - fi - done; - if [ "$c" ]; then - if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then - echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," - else - echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED}," - printf $ITALIC - if ! [ "$FAST" ] && [ "$STRINGS" ]; then - $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do - sline_first="$(echo "$sline" | cut -d ' ' -f1)" - if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" - fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" - fi - fi - fi - done - if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! 
[ "$NOTEXPORT" ] && [ -x "$sname" ]; then - printf $ITALIC - echo "----------------------------------------------------------------------------------------" - echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." - OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH - export LD_LIBRARY_PATH="" - timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" - printf $NC - export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH - echo "----------------------------------------------------------------------------------------" - echo "" - fi - fi - fi - fi - fi -done; -echo "" - - -##-- IF) SGID -print_2title "SGID" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" -sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) -for s in $sgids_files; do - s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder - if echo "$s" | grep -qE "^total";then break; fi - - sname="$(echo $s | awk '{print $9}')" - if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing - elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then - echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) - echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - c="a" - for b in $sidB; do - if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then - echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," - c="" - break; - fi - done; - if [ "$c" ]; then - if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then - echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," - else - echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," - printf $ITALIC - if ! [ "$FAST" ] && [ "$STRINGS" ]; then - $STRINGS "$sname" | sort | uniq | while read sline; do - sline_first="$(echo $sline | cut -d ' ' -f1)" - if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" - fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary - printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" - fi - fi - fi - done - if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then - printf "$ITALIC" - echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." 
- timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" - printf "$NC" - echo "" - fi - fi - fi - fi - fi -done; -echo "" - -##-- IF) Misconfigured ld.so -print_2title "Checking misconfigurations of ld.so" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so" -printf $ITALIC"/etc/ld.so.conf\n"$NC; -cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" -cat /etc/ld.so.conf 2>/dev/null | while read l; do - if echo "$l" | grep -q include; then - ini_path=$(echo "$l" | cut -d " " -f 2) - fpath=$(dirname "$ini_path") - if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - for f in $fpath/*; do - printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - done - fi -done -echo "" - -##-- IF) Capabilities -print_2title "Capabilities" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" -echo "Current capabilities:" -(capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh" -(cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status" -echo "" -echo "Shell capabilities:" -(capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh" -(cat "/proc/$PPID/status" | grep Cap | sed -${E} 
"s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$PPID/status" -echo "" -echo "Files with capabilities (limited to 50):" -getcap -r / 2>/dev/null | head -n 50 | while read cb; do - capsVB_vuln="" - - for capVB in $capsVB; do - capname="$(echo $capVB | cut -d ':' -f 1)" - capbins="$(echo $capVB | cut -d ':' -f 2)" - if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then - echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW}," - capsVB_vuln="1" - break - fi - done - - if ! [ "$capsVB_vuln" ]; then - echo "$cb" | sed -${E} "s,$capsB,${SED_RED}," - fi - - if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then - echo "$cb is writable" | sed -${E} "s,.*,${SED_RED}," - fi -done -echo "" - -##-- IF) Users with capabilities -if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then - print_2title "Users with capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" - if [ -f "/etc/security/capability.conf" ]; then - grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," - else echo_not_found "/etc/security/capability.conf" - fi - echo "" -fi - -##-- IF) Files with ACLs -print_2title "Files with ACLs (limited to 50)" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" -( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," - -if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow) - ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," -fi -echo "" - -##-- IF) Files with ResourceFork -#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER -# print_2title "Files with ResourceFork" -# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads" -# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork" -#fi -#echo "" - -##-- IF) .sh files in PATH -print_2title ".sh files in path" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" -echo $PATH | tr ":" "\n" | while read d; do - for f in $(find "$d" -name "*.sh" 2>/dev/null); do - if ! [ "$IAMROOT" ] && [ -O "$f" ]; then - echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED}," - elif ! 
[ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits) - echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW}," - else - echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},"; - fi - done -done -echo "" - - -broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) -if [ "$broken_links" ] || [ "$DEBUG" ]; then - print_2title "Broken links in path" - echo $PATH | tr ":" "\n" | while read d; do - find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; - done - echo "" -fi - -if [ "$MACPEAS" ]; then - print_2title "Unsigned Applications" - macosNotSigned /System/Applications -fi - -##-- IF) Unexpected in /opt -if [ "$(ls /opt 2>/dev/null)" ]; then - print_2title "Unexpected in /opt (usually empty)" - ls -la /opt - echo "" -fi - -##-- IF) Unexpected folders in / -print_2title "Unexpected in root" -if [ "$MACPEAS" ]; then - (find / -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found -else - (find / -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found -fi -echo "" - -##-- IF) Files (scripts) in /etc/profile.d/ -print_2title "Files (scripts) in /etc/profile.d/" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" -if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS - (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" - check_critial_root_path "/etc/profile" - check_critial_root_path "/etc/profile.d/" -fi -echo "" - - ##-- IF) Files (scripts) in /etc/init.d/ -print_2title "Permissions in init, init.d, systemd, and rc.d" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" -if [ ! "$MACPEAS" ] && ! 
[ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS - check_critial_root_path "/etc/init/" - check_critial_root_path "/etc/init.d/" - check_critial_root_path "/etc/rc.d/init.d" - check_critial_root_path "/usr/local/etc/rc.d" - check_critial_root_path "/etc/rc.d" - check_critial_root_path "/etc/systemd/" - check_critial_root_path "/lib/systemd/" -fi - -echo "" - -##-- IF) Hashes in passwd file -print_list "Hashes inside passwd file? ........... " -if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED}," -else echo_no -fi - -##-- IF) Writable in passwd file -print_list "Writable passwd file? ................ " -if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," -elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," -elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," -else echo_no -fi - -##-- IF) Credentials in fstab -print_list "Credentials in fstab/mtab? ........... " -if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED}," -else echo_no -fi - -##-- IF) Read shadow files -print_list "Can I read shadow files? ............. " -if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED}," -else echo_no -fi - -print_list "Can I read shadow plists? ............ 
" -possible_check="" -(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no - -print_list "Can I write shadow plists? ........... " -possible_check="" -(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no - -##-- IF) Read opasswd file -print_list "Can I read opasswd file? ............. " -if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo "" -else echo_no -fi - -##-- IF) network-scripts -print_list "Can I write in network-scripts? ...... " -if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW}," -elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW}," -else echo_no -fi - -##-- IF) Read root dir -print_list "Can I read root folder? .............. " -(ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no -echo "" - -##-- IF) Root files in home dirs -print_2title "Searching root files in home dirs (limit 30)" -(find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found -echo "" - -##-- IF) Others files in my dirs -if ! [ "$IAMROOT" ]; then - print_2title "Searching folders owned by me containing others files on it (limit 100)" - (find / -type d -user "$USER" ! 
-path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g" - echo "" -fi - -##-- IF) Readable files belonging to root and not world readable -if ! [ "$IAMROOT" ]; then - print_2title "Readable files belonging to root and readable by me but not world readable" - (find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found - echo "" -fi - -##-- IF) Modified interesting files into specific folders in the last 5mins -print_2title "Modified interesting files in the last 5mins (limit 100)" -find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED}," -echo "" - -##-- IF) Writable log files -print_2title "Writable log files (logrotten) (limit 100)" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" -logrotate --version 2>/dev/null || echo_not_found "logrotate" -lastWlogFolder="ImPOsSiBleeElastWlogFolder" -logfind=$(find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100) -printf "%s\n" "$logfind" | while read log; do - if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! 
[ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found - if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC; - elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case - elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log"; - elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g"; - fi - fi -done - -echo "" - -##-- IF) Files inside my home -print_2title "Files inside $HOME (limit 20)" -(ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found -echo "" - -##-- IF) Files inside /home -print_2title "Files inside others home (limit 20)" -(find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found -echo "" - -##-- IF) Mail applications -print_2title "Searching installed mail applications" -ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" -echo "" - -##-- IF) Mails -print_2title "Mails (limit 50)" -(find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_GREEN},g") || echo_not_found -echo "" - -##-- IF) Backup folders -print_2title "Backup folders" -printf "%s\n" "$backup_folders" | while read b ; do - ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g"; - ls -l "$b" 2>/dev/null && echo "" -done -echo "" - -##-- IF) Backup files -print_2title "Backup files (limited 100)" -backs=$(find / -type f \( -name "*backup*" 
-o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null) -printf "%s\n" "$backs" | head -n 100 | while read b ; do - if [ -r "$b" ]; then - ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g"; - fi; -done -echo "" - -##-- IF) DB files -if [ "$MACPEAS" ]; then - print_2title "Reading messages database" - sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null - sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null - sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null - -fi -print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)" -FILECMD="$(command -v file 2>/dev/null)" -if [ "$PSTORAGE_DATABASE" ]; then - printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do - if [ "$FILECMD" ]; then - echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; - else - echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; - fi - done - SQLITEPYTHON="" - echo "" - printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do - if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! 
"$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd - if [ "$(command -v sqlite3 2>/dev/null)" ]; then - tables=$(sqlite3 $f ".tables" 2>/dev/null) - #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" - elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then - SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null) - tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null) - #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" - else - tables="" - fi - if [ "$tables" ] || [ "$DEBUG" ]; then - printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC - printf "%s\n" "$tables" | while read t; do - columns="" - # Search for credentials inside the table using sqlite3 - if [ -z "$SQLITEPYTHON" ]; then - columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE") - # Search for credentials inside the table using python - else - columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null) - fi - #Check found columns for interesting fields - INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt") - if [ "$INTCOLUMN" ]; then - printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g" - printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g" - (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head - fi - echo "" - done - fi - fi - done -fi 
-echo "" - -if [ "$MACPEAS" ]; then - print_2title "Downloaded Files" - sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|" -fi - -##-- IF) Web files -print_2title "Web files?(output limit)" -ls -alhR /var/www/ 2>/dev/null | head -ls -alhR /srv/www/htdocs/ 2>/dev/null | head -ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head -ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head -echo "" - -##-- IF) All hidden files -print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" -find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70 -echo "" - -##-- IF) Readable files in /tmp, /var/tmp, bachups -print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" -filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70) -printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done -echo "" - -##-- IF) Interesting writable files by ownership or all -if ! 
[ "$IAMROOT" ]; then - print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all - obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) - printf "%s\n" "$obmowbe" | while read entry; do - if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; - elif echo "$entry" | grep -qE "$writeVB"; then - echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," - else - echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," - fi - done - echo "" -fi - -##-- IF) Interesting writable files by group -if ! [ "$IAMROOT" ]; then - print_2title "Interesting GROUP writable files (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - for g in $(groups); do - iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! 
-path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) - if [ "$iwfbg" ] || [ "$DEBUG" ]; then - printf " Group $GREEN$g:\n$NC"; - printf "%s\n" "$iwfbg" | while read entry; do - if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; - elif echo "$entry" | grep -Eq "$writeVB"; then - echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," - else - echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," - fi - done - fi - done - echo "" -fi - -##-- IF) Passwords in history files -if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in history files" - printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done - echo "" -fi - -##-- IF) Passwords in config PHP files -if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in config PHP files" - printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done - echo "" -fi - -##-- IF) Passwords files in home -if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching *password* or *credential* files in home (limit 70)" - (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the 
previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found - echo "" -fi - -##-- IF) TTY passwords -print_2title "Checking for TTY (sudo/su) passwords in audit logs" -aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" -find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" -echo "" - -##-- IF) IPs inside logs -if [ "$DEBUG" ]; then - print_2title "Searching IPs inside logs (limit 70)" - (find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 - echo "" -fi - -##-- IF) Passwords inside logs -print_2title "Searching passwords inside logs (limit 70)" -(find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED}," -echo "" - -if [ "$DEBUG" ]; then - ##-- IF) Emails inside logs - print_2title "Searching emails inside logs (limit 70)" - (find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g" - echo "" -fi - - - - -if ! [ "$FAST" ] && ! 
[ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then - ##-- IF) Find possible files with passwords - print_2title "Searching passwords inside key folders (limit 70) - only PHP files" - intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null) - printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" - echo "" - - print_2title "Searching passwords inside key folders (limit 70) - no PHP files" - printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" - echo "" - - ##-- IF) Find possible files with passwords - print_2title "Searching possible password variables inside key folders (limit 140)" - timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} 
"s,$pwd_in_variables11,${SED_RED},g" & - timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & - wait - echo "" - - ##-- IF) Find possible conf files with passwords - print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" - ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) - printf "%s\n" "$ppicf" | while read f; do - if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then - echo "$ITALIC $f$NC" - grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g" - fi - done - echo "" - - ##-- IF) Find possible regexes - peass{REGEXES} -fi 
diff --git a/linPEAS/builder/linpeas_parts/6_software_information.sh b/linPEAS/builder/linpeas_parts/7_software_information.sh similarity index 93% rename from linPEAS/builder/linpeas_parts/6_software_information.sh rename to linPEAS/builder/linpeas_parts/7_software_information.sh index 6c1a4bcfe..d6441c1d8 100644 --- a/linPEAS/builder/linpeas_parts/6_software_information.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information.sh 
@@ -5,25 +5,29 @@ NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so" #-- SI) Useful software -print_2title "Useful software" -for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done -echo "" +if ! [ "SEARCH_IN_FOLDER" ]; then + print_2title "Useful software" + for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done + echo "" +fi #-- SI) Search for compilers -print_2title "Installed Compilers" -(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); -echo "" +if ! [ "SEARCH_IN_FOLDER" ]; then + print_2title "Installed Compilers" + (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); + echo "" -if [ "$(command -v pkg 2>/dev/null)" ]; then - print_2title "Vulnerable Packages" - pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g" - echo "" -fi + if [ "$(command -v pkg 2>/dev/null)" ]; then + print_2title "Vulnerable Packages" + pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g" + echo "" + fi -if [ "$(command -v brew 2>/dev/null)" ]; then - print_2title "Brew Installed Packages" - brew list - echo "" + if [ "$(command -v brew 2>/dev/null)" ]; then + print_2title "Brew Installed Packages" + brew list + echo "" + fi fi if [ "$MACPEAS" ]; then 
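Review bot: Both new guards in this hunk test the literal string `"SEARCH_IN_FOLDER"` instead of the variable, so `! [ "SEARCH_IN_FOLDER" ]` is always false and the Useful software, Installed Compilers, Vulnerable Packages and Brew blocks are now never printed in any mode. The later hunk in this same file spells the guard `"$SEARCH_IN_FOLDER"`, which is clearly the intent here too. Change both lines to `if ! [ "$SEARCH_IN_FOLDER" ]; then`.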
@@ -43,13 +47,14 @@ fi #-- SI) Mysql version if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then - print_2title "MySQL" + print_2title "MySQL version" mysql --version 2>/dev/null || echo_not_found "mysql" mysqluser=$(systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1) if [ "$mysqluser" ]; then echo "MySQL user: $mysqluser" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," fi echo "" + echo "" #-- SI) Mysql connection root/root print_list "MySQL connection using default root/root ........... " @@ -84,7 +89,7 @@ fi if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then print_2title "Searching mysql credentials and exec" printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do - if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]; then + if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]; then # Only interested in "mysql" that are folders (filesaren't the ones with creds) STRINGS="`command -v strings`" echo "Potential file containing credentials:" ls -l "$d" @@ -146,7 +151,7 @@ if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some O fi print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ " - if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.)*,${SED_RED}," + if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.*,${SED_RED}," else echo_no fi 
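Review bot: The added `echo ""` at the end of the MySQL version block duplicates the one directly above it, so this section now prints a double blank line where every other section in the file prints one. Unless the extra spacing is deliberate, delete the added line and keep just the existing `echo ""`.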
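Review bot: The new trailing comment on the `if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]` line is garbled (`filesaren't`) and, read literally, says the opposite of what the condition does: the branch handles regular files whose basename is not `mysql`, and it is the file literally named `mysql` that is skipped. Suggest `# Skip a file literally named "mysql" (the client binary, not a credentials file); any other matched file may hold creds`. The loop body continues outside this hunk.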
@@ -211,10 +216,12 @@ fi #-- SI) ssh files print_2title "Searching ssl/ssh files" if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi -sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" -hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" -hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" -writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) +if ! [ "$SEARCH_IN_FOLDER" ]; then + sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" + hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" + hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" + writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) +fi peass{SSH} @@ -400,7 +407,7 @@ if [ "$adhashes" ] || [ "$DEBUG" ]; then fi #-- SI) Screen sessions -if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then +if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Searching screen sessions" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) @@ -419,7 +426,7 @@ fi tmuxdefsess=$(tmux ls 2>/dev/null) tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null) -if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then +if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Searching tmux sessions"$N print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" tmux -V 
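Review bot: The re-indented block still reads `/etc/hosts.denied`, but the TCP Wrappers deny file is `/etc/hosts.deny`, so `hostsdenied` is never populated and whatever downstream check consumes it (in `peass{SSH}`, outside this hunk) silently reports nothing; change the line to `hostsdenied="$(ls /etc/hosts.deny 2>/dev/null)"`. Separately, in the `writable_agents` find the implicit `-and` binds tighter than `-or`, so the expression parses as `(-type s -name "agent.*") -or (-name "*gpg-agent*" -and <writable>)`: every `agent.*` socket is reported whether or not it is writable, and the ownership/permission test applies only to the gpg-agent branch. Group the names first: `find /tmp /etc /home -type s '(' -name "agent.*" -or -name "*gpg-agent*" ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`. Both lines pre-date this commit but sit on the new side of the hunk, so this is the place to fix them.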
@@ -457,6 +464,12 @@ peass{Mosquitto} peass{Neo4j} +AWSVAULT="$(command -v aws-vault 2>/dev/null)" +if [ "$AWSVAULT" ] || [ "$DEBUG" ]; then + print_2title "Check aws-vault" + aws-vault list +fi + peass{Cloud Credentials} peass{Cloud Init} @@ -551,7 +564,7 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" if [ "$containerd" ]; then echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," - ctr image list + ctr image list 2>&1 fi echo "" fi diff --git a/linPEAS/builder/linpeas_parts/8_interesting_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_files.sh new file mode 100644 index 000000000..4e0ce6f8a --- /dev/null +++ b/linPEAS/builder/linpeas_parts/8_interesting_files.sh 
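Review bot: The new aws-vault block runs `aws-vault list` unconditionally inside an `if` that is also entered when only `$DEBUG` is set, so on a host without the binary it emits a shell "command not found" error, and unlike the neighbouring sections it has no `2>/dev/null` and no trailing `echo ""`. Depending on the configured backend, `aws-vault list` may also prompt to unlock a keyring or for a file passphrase and stall an unattended run — worth confirming before leaving it in the default path. Suggest `if [ "$AWSVAULT" ]; then aws-vault list 2>/dev/null; fi` followed by `echo ""`, or guard it with the same `$TIMEOUT`/`timeout` pattern this file already uses for the psql checks.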
@@ -0,0 +1,712 @@ +########################################### +#----------) Interesting files (----------# +########################################### + +check_critial_root_path(){ + folder_path="$1" + if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi +} + + + + +##-- IF) SUID +print_2title "SUID - Check easy privesc, exploits and write perms" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +if ! [ "$STRINGS" ]; then + echo_not_found "strings" +fi +if ! [ "$STRACE" ]; then + echo_not_found "strace" +fi +suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) +for s in $suids_files; do + s=$(ls -lahtr "$s") + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if echo "$s" | grep -qE "^total"; then break; fi + + sname="$(echo $s | awk '{print $9}')" + if [ "$sname" = "." ] || [ "$sname" = ".." ]; then + true #Don't do nothing + elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then + echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," + elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + c="a" + for b in $sidB; do + if echo $s | grep -q $(echo $b | cut -d % -f 1); then + echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + c="" + break; + fi + done; + if [ "$c" ]; then + if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then + echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," + else + echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED}," + printf $ITALIC + if ! [ "$FAST" ] && [ "$STRINGS" ]; then + $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do + sline_first="$(echo "$sline" | cut -d ' ' -f1)" + if echo "$sline_first" | grep -qEv "$cfuncs"; then + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + fi + fi + done + if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! 
[ "$NOTEXPORT" ] && [ -x "$sname" ]; then + printf $ITALIC + echo "----------------------------------------------------------------------------------------" + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." + OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH + export LD_LIBRARY_PATH="" + timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" + printf $NC + export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH + echo "----------------------------------------------------------------------------------------" + echo "" + fi + fi + fi + fi + fi +done; +echo "" + + +##-- IF) SGID +print_2title "SGID" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) +for s in $sgids_files; do + s=$(ls -lahtr "$s") + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if echo "$s" | grep -qE "^total";then break; fi + + sname="$(echo $s | awk '{print $9}')" + if [ "$sname" = "." ] || [ "$sname" = ".." ]; then + true #Don't do nothing + elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then + echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," + elif ! 
[ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + c="a" + for b in $sidB; do + if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then + echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + c="" + break; + fi + done; + if [ "$c" ]; then + if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then + echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW}," + else + echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED}," + printf $ITALIC + if ! [ "$FAST" ] && [ "$STRINGS" ]; then + $STRINGS "$sname" | sort | uniq | while read sline; do + sline_first="$(echo $sline | cut -d ' ' -f1)" + if echo "$sline_first" | grep -qEv "$cfuncs"; then + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" + fi + fi + fi + done + if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then + printf "$ITALIC" + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." 
+ timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g" + printf "$NC" + echo "" + fi + fi + fi + fi + fi +done; +echo "" + +##-- IF) Misconfigured ld.so +if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then + print_2title "Checking misconfigurations of ld.so" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so" + printf $ITALIC"/etc/ld.so.conf\n"$NC; + cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + cat /etc/ld.so.conf 2>/dev/null | while read l; do + if echo "$l" | grep -q include; then + ini_path=$(echo "$l" | cut -d " " -f 2) + fpath=$(dirname "$ini_path") + if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi + printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + for f in $fpath/*; do + printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" + done + fi + done + echo "" +fi + +##-- IF) Capabilities +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + print_2title "Capabilities" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + if [ "$(command -v capsh)" ]; then + echo "Current env capabilities:" + (capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh" + echo "Current proc capabilities:" + (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status" + echo "" + echo "Parent Shell capabilities:" + (capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh" + else + echo "Current capabilities:" + cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g" + echo "" + echo "Shell capabilities:" + cat /proc/$PPID/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g" + fi + echo "" + echo "Files with capabilities (limited to 50):" + getcap -r / 2>/dev/null | head -n 50 | while read cb; do + capsVB_vuln="" + + for capVB in $capsVB; do + capname="$(echo $capVB | cut -d ':' -f 1)" + capbins="$(echo $capVB | cut -d ':' -f 2)" + if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then + echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW}," + capsVB_vuln="1" + break + fi + done + + if ! [ "$capsVB_vuln" ]; then + echo "$cb" | sed -${E} "s,$capsB,${SED_RED}," + fi + + if ! 
[ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then + echo "$cb is writable" | sed -${E} "s,.*,${SED_RED}," + fi + done + echo "" +fi + +##-- IF) Users with capabilities +if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then + print_2title "Users with capabilities" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + if [ -f "/etc/security/capability.conf" ]; then + grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + else echo_not_found "/etc/security/capability.conf" + fi + echo "" +fi + +##-- IF) AppArmor profiles to prevent suid/capabilities abuse +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ -d "/etc/apparmor.d/" ] && [ -r "/etc/apparmor.d/" ]; then + print_2title "AppArmor binary profiles" + ls -l /etc/apparmor.d/ 2>/dev/null | grep -E "^-" | grep "\." + echo "" + fi +fi + +##-- IF) Files with ACLs +print_2title "Files with ACLs (limited to 50)" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" +if ! [ "$SEARCH_IN_FOLDER" ]; then + ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +else + ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +fi + +if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow) + ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," +fi +echo "" + +##-- IF) Files with ResourceFork +#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER +# print_2title "Files with ResourceFork" +# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads" +# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork" +#fi +#echo "" + +##-- IF) .sh files in PATH +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title ".sh files in path" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" + echo $PATH | tr ":" "\n" | while read d; do + for f in $(find "$d" -name "*.sh" 2>/dev/null); do + if ! [ "$IAMROOT" ] && [ -O "$f" ]; then + echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED}," + elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits) + echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else + echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},"; + fi + done + done + echo "" + + broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) + if [ "$broken_links" ] || [ "$DEBUG" ]; then + print_2title "Broken links in path" + echo $PATH | tr ":" "\n" | while read d; do + find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; + done + echo "" + fi +fi + +##-- IF) Executable files added by user +print_2title "Executable files added by user (limit 70)" +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 +else + find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70 +fi + +if [ "$MACPEAS" ]; then + print_2title "Unsigned Applications" + macosNotSigned /System/Applications +fi + +##-- IF) Unexpected in /opt +if ! [ "$SEARCH_IN_FOLDER" ]; then + if [ "$(ls /opt 2>/dev/null)" ]; then + print_2title "Unexpected in /opt (usually empty)" + ls -la /opt + echo "" + fi +fi + +##-- IF) Unexpected folders in / +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Unexpected in root" + if [ "$MACPEAS" ]; then + (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found + else + (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found + fi + echo "" +fi + +##-- IF) Files (scripts) in /etc/profile.d/ +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Files (scripts) in /etc/profile.d/" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" + if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS + (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" + check_critial_root_path "/etc/profile" + check_critial_root_path "/etc/profile.d/" + fi + echo "" +fi + + ##-- IF) Files (scripts) in /etc/init.d/ + if ! [ "$SEARCH_IN_FOLDER" ]; then +print_2title "Permissions in init, init.d, systemd, and rc.d" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" + if [ ! "$MACPEAS" ] && ! 
[ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS + check_critial_root_path "/etc/init/" + check_critial_root_path "/etc/init.d/" + check_critial_root_path "/etc/rc.d/init.d" + check_critial_root_path "/usr/local/etc/rc.d" + check_critial_root_path "/etc/rc.d" + check_critial_root_path "/etc/systemd/" + check_critial_root_path "/lib/systemd/" + fi + + echo "" +fi + +##-- IF) Hashes in passwd file +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_list "Hashes inside passwd file? ........... " + if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + ##-- IF) Writable in passwd file + print_list "Writable passwd file? ................ " + if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else echo_no + fi + + ##-- IF) Credentials in fstab + print_list "Credentials in fstab/mtab? ........... " + if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + ##-- IF) Read shadow files + print_list "Can I read shadow files? ............. " + if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED}," + else echo_no + fi + + print_list "Can I read shadow plists? ............ 
" + possible_check="" + (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no + + print_list "Can I write shadow plists? ........... " + possible_check="" + (for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no + + ##-- IF) Read opasswd file + print_list "Can I read opasswd file? ............. " + if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo "" + else echo_no + fi + + ##-- IF) network-scripts + print_list "Can I write in network-scripts? ...... " + if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW}," + elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW}," + else echo_no + fi + + ##-- IF) Read root dir + print_list "Can I read root folder? .............. " + (ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no + echo "" +fi + +##-- IF) Root files in home dirs +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Searching root files in home dirs (limit 30)" + (find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found + echo "" +fi + +##-- IF) Others files in my dirs +if ! 
[ "$IAMROOT" ]; then + print_2title "Searching folders owned by me containing others files on it (limit 100)" + (find $ROOT_FOLDER -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g" + echo "" +fi + +##-- IF) Readable files belonging to root and not world readable +if ! [ "$IAMROOT" ]; then + print_2title "Readable files belonging to root and readable by me but not world readable" + (find $ROOT_FOLDER -type f -user root ! -perm -o=r ! -path "/proc/*" 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found + echo "" +fi + +##-- IF) Modified interesting files into specific folders in the last 5mins +print_2title "Modified interesting files in the last 5mins (limit 100)" +find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! 
-path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED}," +echo "" + +##-- IF) Writable log files +if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below +print_2title "Writable log files (logrotten) (limit 50)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" + logrotate --version 2>/dev/null || echo_not_found "logrotate" + lastWlogFolder="ImPOsSiBleeElastWlogFolder" + logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50) + printf "%s\n" "$logfind" | while read log; do + if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found + if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC; + elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case + elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log"; + elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g"; + fi + fi + done +fi + +echo "" + +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + ##-- IF) Files inside my home + print_2title "Files inside $HOME (limit 20)" + (ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found + echo "" + + ##-- IF) Files inside /home + print_2title "Files inside others home (limit 20)" + (find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found + echo "" + + ##-- IF) Mail applications + print_2title "Searching installed mail applications" + ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" + echo "" + + ##-- IF) Mails + print_2title "Mails (limit 50)" + (find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found + echo "" + + ##-- IF) Backup folders + if [ "$backup_folders" ] || [ "$DEBUG" ]; then + print_2title "Backup folders" + printf "%s\n" "$backup_folders" | while read b ; do + ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g"; + ls -l "$b" 2>/dev/null && echo "" + done + echo "" + fi +fi + +##-- IF) Backup files +print_2title "Backup files (limited 100)" +backs=$(find $ROOT_FOLDER -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null) +printf "%s\n" "$backs" | head -n 100 | while read b ; do + if [ -r "$b" ]; then + ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g"; + fi; +done +echo "" + +##-- IF) DB files +if [ "$MACPEAS" ]; then + print_2title "Reading messages database" + sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null + sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null 
+ sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null + +fi + + +if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then + print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)" + FILECMD="$(command -v file 2>/dev/null)" + printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do + if [ "$FILECMD" ]; then + echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; + else + echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g"; + fi + done + SQLITEPYTHON="" + echo "" + printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do + if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd + if [ "$(command -v sqlite3 2>/dev/null)" ]; then + tables=$(sqlite3 $f ".tables" 2>/dev/null) + #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" + elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then + SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null) + tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null) + #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" + else + tables="" + fi + if [ "$tables" ] || [ "$DEBUG" ]; then + printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC + printf "%s\n" "$tables" | while read t; do + columns="" + # Search for credentials inside the table using sqlite3 + if [ -z "$SQLITEPYTHON" ]; then + columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE") + # Search for credentials inside the table using python + else + columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' 
AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null) + fi + #Check found columns for interesting fields + INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt") + if [ "$INTCOLUMN" ]; then + printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g" + printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g" + (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head + echo "" + fi + done + fi + fi + done +fi +echo "" + +if [ "$MACPEAS" ]; then + print_2title "Downloaded Files" + sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|" +fi + +##-- IF) Web files +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Web files?(output limit)" + ls -alhR /var/www/ 2>/dev/null | head + ls -alhR /srv/www/htdocs/ 2>/dev/null | head + ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head + ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head + echo "" +fi + +##-- IF) All hidden files +print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" +find $ROOT_FOLDER -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70 +echo "" + +##-- IF) Readable files in /tmp, /var/tmp, bachups +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" + filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70) + printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done + echo "" +fi + +##-- IF) Interesting writable files by ownership or all +if ! [ "$IAMROOT" ]; then + print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all + obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) + printf "%s\n" "$obmowbe" | while read entry; do + if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; + elif echo "$entry" | grep -qE "$writeVB"; then + echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," + else + echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," + fi + done + echo "" +fi + +##-- IF) Interesting writable files by group +if ! [ "$IAMROOT" ]; then + print_2title "Interesting GROUP writable files (not in Home) (max 500)" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + for g in $(groups); do + iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! 
-path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) + if [ "$iwfbg" ] || [ "$DEBUG" ]; then + printf " Group $GREEN$g:\n$NC"; + printf "%s\n" "$iwfbg" | while read entry; do + if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; + elif echo "$entry" | grep -Eq "$writeVB"; then + echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW}," + else + echo "$entry" | sed -${E} "s,$writeB,${SED_RED}," + fi + done + fi + done + echo "" +fi + +##-- IF) Passwords in history cmd +if [ "$(history 2>/dev/null)" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in history cmd" + history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED}," + echo "" +fi + +##-- IF) Passwords in history files +if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in history files" + printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done + echo "" +fi + +##-- IF) Passwords in config PHP files +if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then + print_2title "Searching passwords in config PHP files" + printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done + echo "" +fi + +##-- IF) Passwords files in home +if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then + print_2title 
"Searching *password* or *credential* files in home (limit 70)" + (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found + echo "" +fi + +##-- IF) TTY passwords +if ! [ "$SEARCH_IN_FOLDER" ]; then + print_2title "Checking for TTY (sudo/su) passwords in audit logs" + aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" + find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" + echo "" +fi + +##-- IF) IPs inside logs +if [ "$DEBUG" ]; then + print_2title "Searching IPs inside logs (limit 70)" + (find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 + echo "" +fi + +##-- IF) Passwords inside logs +if ! 
[ "$SEARCH_IN_FOLDER" ]; then + print_2title "Searching passwords inside logs (limit 70)" + (find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED}," + echo "" +fi + +if [ "$DEBUG" ]; then + ##-- IF) Emails inside logs + print_2title "Searching emails inside logs (limit 70)" + (find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g" + echo "" +fi + + + + +if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then + ##-- IF) Find possible files with passwords + print_2title "Searching passwords inside key folders (limit 70) - only PHP files" + if ! [ "$SEARCH_IN_FOLDER" ]; then + intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null) + else + intpwdfiles=$(timeout 150 find $SEARCH_IN_FOLDER -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null) + fi + printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" + echo "" + + print_2title "Searching passwords inside key folders (limit 70) - no PHP files" + printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g" + echo "" + + ##-- IF) 
Find possible files with passwords + print_2title "Searching possible password variables inside key folders (limit 140)" + if ! [ "$SEARCH_IN_FOLDER" ]; then + timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & + timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} 
"s,$pwd_in_variables11,${SED_RED},g" & + else + timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & + fi + wait + echo "" + + ##-- IF) Find possible conf files with passwords + print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" + if ! 
[ "$SEARCH_IN_FOLDER" ]; then + ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) + else + ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null) + fi + printf "%s\n" "$ppicf" | while read f; do + if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then + echo "$ITALIC $f$NC" + grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g" + fi + done + echo "" +fi diff --git a/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh b/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh new file mode 100644 index 000000000..cb3ec34a3 --- /dev/null +++ b/linPEAS/builder/linpeas_parts/9_api_keys_regex.sh @@ -0,0 +1,6 @@ + +if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then + peass{REGEXES} +else + echo "Regexes to search for API keys aren't activated, use param '-r' " +fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index 0c86a58bf..438123a0a 100755 --- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh 
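Review bot: The `else` branch tells the user to pass `-r` even when `$REGEXES` is already set and the gate failed only because `$TIMEOUT` is empty, which points them at the wrong fix. Splitting the condition keeps the message accurate: `elif [ "$REGEXES" ]; then echo "Regexes to search for API keys aren't activated because 'timeout' isn't available"` before the existing `else`. The new file also lacks a trailing newline, as the diff marks.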
@@ -56,37 +56,49 @@ DISCOVERY="" PORTS="" QUIET="" CHECKS="peass{CHECKS}" +SEARCH_IN_FOLDER="" +ROOT_FOLDER="/" WAIT="" PASSWORD="" NOCOLOR="" DEBUG="" AUTO_NETWORK_SCAN="" EXTRA_CHECKS="" +REGEXES="" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 [ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" #It THREADS is not a number, put number 2 HELP=$GREEN"Enumerate and search Privilege Escalation vectors. ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors. - ${YELLOW}-h${BLUE} To show this message - ${YELLOW}-e${BLUE} Perform extra enumeration - ${YELLOW}-s${BLUE} Stealth & faster (don't check some time consuming checks) - ${YELLOW}-a${BLUE} All checks except Internet connectivity checks and automatic network recon (use -t to enable them) - ${YELLOW}-t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files - ${YELLOW}-o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. - ${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' - ${YELLOW}-w${BLUE} Wait execution between big blocks of checks - ${YELLOW}-L${BLUE} Force linpeas execution. - ${YELLOW}-M${BLUE} Force macpeas execution. 
- ${YELLOW}-N${BLUE} Do not use colours - ${YELLOW}-D${BLUE} Debug mode - ${YELLOW}-q${BLUE} Do not show banner - ${YELLOW}-d ${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 - ${YELLOW}-p -d ${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 - ${YELLOW}-i [-p ]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 - $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed$NC" - -while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do + ${GREEN} Checks: + ${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. + ${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks) + ${YELLOW} -e${BLUE} Perform extra enumeration + ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files + ${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours) + ${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' + ${YELLOW} -D${BLUE} Debug mode + + ${GREEN} Network recon: + ${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files + ${YELLOW} -d ${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 + ${YELLOW} -p -d ${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 + ${YELLOW} -i [-p ]${BLUE} Scan an IP using nc. 
By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 + $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed + + ${GREEN} Firmware recon: + ${YELLOW} -f ${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder + + ${GREEN} Misc: + ${YELLOW} -h${BLUE} To show this message + ${YELLOW} -w${BLUE} Wait execution between big blocks of checks + ${YELLOW} -L${BLUE} Force linpeas execution + ${YELLOW} -M${BLUE} Force macpeas execution + ${YELLOW} -q${BLUE} Do not show banner + ${YELLOW} -N${BLUE} Do not use colours$NC" + +while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do case "$opt" in h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; a) FAST="";EXTRA_CHECKS="1";; @@ -104,6 +116,8 @@ while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do D) DEBUG="1";; t) AUTO_NETWORK_SCAN="1";; e) EXTRA_CHECKS="1";; + r) REGEXES="1";; + f) SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";; esac done 
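Review bot: The regrouped help text lists `-t` twice with identical wording, once under Checks and once under Network recon, so the two copies will drift the next time the description changes; keep only the Network recon entry (or make the Checks line a one-word cross-reference). The typo `conectivity` is carried into both copies. The option letters in `"h?asd:p:i:P:qo:LMwNDterf:"` otherwise match the documented set.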
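Review bot: The `f)` case overwrites `CHECKS` and `REGEXES` unconditionally, so combining `-f <dir>` with `-o` gives order-dependent results (`-o … -f dir` silently drops the `-o` selection, `-f dir -o …` drops the firmware check list) and nothing tells the user. Either document it on the case, `# -f implies -r and CHECKS=software_information,interesting_files,api_keys_regex; an earlier -o is discarded`, or only assign CHECKS when it still holds the default. `SEARCH_IN_FOLDER` is later expanded unquoted as `find $SEARCH_IN_FOLDER …` in the interesting_files and builder hunks of this diff, so a folder path containing spaces will break those searches; quoting at the use sites is the fix, but a comment here stating the restriction would at least make it visible.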
@@ -215,15 +229,15 @@ print_banner(){ print_support () { printf """ - ${GREEN}/---------------------------------------------------------------------------\\ - | ${BLUE}Do you like PEASS?${GREEN} | - |---------------------------------------------------------------------------| - | ${YELLOW}Get latest LinPEAS${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} | - | ${YELLOW}Follow on Twitter${GREEN} : ${RED}@carlospolopm${GREEN} | - | ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} | - |---------------------------------------------------------------------------| - | ${BLUE}Thank you! ${GREEN} | - \---------------------------------------------------------------------------/ + ${GREEN}/---------------------------------------------------------------------------------\\ + | ${BLUE}Do you like PEASS?${GREEN} | + |---------------------------------------------------------------------------------| + | ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} | + | ${YELLOW}Follow on Twitter${GREEN} : ${RED}@carlospolopm${GREEN} | + | ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} | + |---------------------------------------------------------------------------------| + | ${BLUE}Thank you! ${GREEN} | + \---------------------------------------------------------------------------------/ """ } @@ -369,9 +383,9 @@ sidVB='peass{SUIDVB1_HERE}' sidVB2='peass{SUIDVB2_HERE}' cfuncs='file|free|main|more|read|split|write' -sudoVB1=" \*|env_keep\+=LD_PRELOAD|peass{SUDOVB1_HERE}" +sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|peass{SUDOVB1_HERE}" sudoVB2="peass{SUDOVB2_HERE}" -sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount" +sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount" sudoG="NOEXEC" capsVB="cap_sys_admin:mount|python \ 
@@ -386,7 +400,7 @@ cap_net_raw:python|tcpdump" capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module" -containercapsB="sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override" +containercapsB="sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override|sys_rawio|syslog|net_raw|net_admin" OLDPATH=$PATH ADDPATH=":/usr/local/sbin\ @@ -474,7 +488,10 @@ while $SEDOVERFLOW; do # WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" -and '(' -writable -or -user $USER ')' 2>/dev/null | sort` #fi Wfolders=$(printf "%s" "$WF" | tr '\n' '|')"|[a-zA-Z]+[a-zA-Z0-9]* +\*" - Wfolder="$(printf "%s" "$WF" | grep "tmp\|shm\|home\|Users\|root\|etc\|var\|opt\|bin\|lib\|mnt\|private\|Applications" | head -n1)" + Wfolder="$(printf "%s" "$WF" | grep "/shm" | head -n1)" # Try to get /dev/shm + if ! [ "$Wfolder" ]; then + Wfolder="$(printf "%s" "$WF" | grep "tmp\|shm\|home\|Users\|root\|etc\|var\|opt\|bin\|lib\|mnt\|private\|Applications" | head -n1)" + fi printf "test\ntest\ntest\ntest"| sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" >/dev/null 2>&1 if [ $? -eq 0 ]; then SEDOVERFLOW=false 
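Review bot: The new first choice `grep "/shm"` matches any writable path containing `/shm`, and `/dev/shm` is frequently mounted `noexec` on hardened hosts and inside containers; since `execBin` (later in this diff) writes a binary to `$Wfolder/bin` and executes it, preferring `/dev/shm` can turn a working run into a silent `Permission denied`. A comment stating the trade-off would help, e.g. `# Prefer /dev/shm (RAM-backed, not persisted); it may be mounted noexec, in which case execBin cannot run from it`, and checking the mount options before choosing it would be the robust fix. The enclosing `while $SEDOVERFLOW` loop starts outside the hunk.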
@@ -497,11 +514,11 @@ shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsma notBackup="/tdbbackup$|/db_hotbackup$" -cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|" +cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|" cronjobsB="centreon" -processesVB="jdwp|tmux |screen |--inspect|--remote-debugging-port" -processesB="knockd\|splunk" +processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port' +processesB="knockd|splunk" processesDump="gdm-password|gnome-keyring-daemon|lightdm|vsftpd|apache2|sshd:" mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier" 
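Review bot: `processesVB` contains `--inpect-brk`, which never matches the Node flag `--inspect-brk`; the preceding alternative `--inspect[= ]` does not cover it either because of the `-`, so the entry should read `--inspect-brk`. `processesB` also switched from the basic-regex form `knockd\|splunk` to the ERE form `knockd|splunk`, which is only correct if every consumer applies it with `grep -E`/`sed -E`; those consumers are outside this hunk, so please confirm. The `exim4-base` addition to `cronjobsG` looks fine.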
@@ -527,6 +544,10 @@ GREP_IGNORE_MOUNTS="/ /|/null | proc proc |/dev/console" INT_HIDDEN_FILES="peass{INT_HIDDEN_FILES}" +FAT_LINPEAS_AMICONTAINED="peass{AMICONTAINED}" +FAT_LINPEAS_GITLEAKS_LINUX="peass{GITLEAKS_LINUX}" +FAT_LINPEAS_GITLEAKS_MACOS="peass{GITLEAKS_MACOS}" + ########################################### #---------) Checks before start (---------# ########################################### @@ -548,7 +569,17 @@ else fi fi -SCAN_BAN_BAD="No port scan capabilities (nc not found)" +SCAN_BAN_BAD="No port scan capabilities (nc and bash not found)" + +if [ "$(command -v bash)" ] && ! [ -L "$(command -v bash)" ]; then + FOUND_BASH=$(command -v bash); +elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then + FOUND_BASH="/bin/bash"; +fi +if [ "$FOUND_BASH" ]; then + SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n" +fi + FOUND_NC=$(command -v nc 2>/dev/null) if [ -z "$FOUND_NC" ]; then FOUND_NC=$(command -v netcat 2>/dev/null); @@ -563,7 +594,7 @@ if [ -z "$FOUND_NC" ]; then FOUND_NC=$(command -v nc.openbsd 2>/dev/null); fi if [ "$FOUND_NC" ]; then - SCAN_BAN_GOOD="$GREEN$FOUND_NC${BLUE} is available for network discover & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)" + SCAN_BAN_GOOD="$SCAN_BAN_GOOD$YELLOW[+] $GREEN$FOUND_NC${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n" fi @@ -603,7 +634,7 @@ print_title(){ title=$1 title_len=$(echo $title | wc -c) - max_title_len=100 + max_title_len=80 rest_len=$((($max_title_len - $title_len) / 2)) printf ${BLUE} @@ -649,6 +680,10 @@ print_3title(){ printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═" } +print_3title_no_nl(){ + printf ${BLUE}"\r══╣ $GREEN${1}..."$NC #There are 2 "═" +} + print_list(){ printf ${BLUE}"═╣ $GREEN$1"$NC #There is 1 "═" } 
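Review bot: `! [ -L "$(command -v bash)" ]` discards bash whenever its path is a symlink, and the `/bin/bash` fallback is rejected for the same reason, so on a host where the bash binary is only reachable through a link `FOUND_BASH` stays empty and the bash-based scan is silently unavailable while `SCAN_BAN_BAD` still reports bash as not found. If the intent is to avoid a `bash` name that links to another shell without `/dev/tcp` support, say so in a comment, `# a symlinked "bash" may be busybox/dash without /dev/tcp; check the real binary`, and test the feature rather than the link, e.g. `"$cand" --version 2>/dev/null | grep -q "GNU bash"`. The later `tcp_recon` hunk relies on `$FOUND_BASH -c` for its probes, so a wrong detection here is felt there.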
@@ -712,6 +747,23 @@ macosNotSigned(){ done } +execBin(){ + TOOL_NAME=$1 + TOOL_LINK=$2 + B64_BIN=$3 + PARAMS=$4 + if [ "$B64_BIN" ]; then + echo "" + print_3title "Running $TOOL_NAME" + print_info "$TOOL_LINK" + echo "$B64_BIN" | base64 -d > $Wfolder/bin + chmod +x $Wfolder/bin + eval "$Wfolder/bin $PARAMS" + rm -f $Wfolder/bin + echo "" + fi +} + ########################################### #---------) Internet functions (----------# ########################################### @@ -774,7 +826,11 @@ tcp_recon (){ for port in $PORTS; do for j in $(seq 1 254) do - ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & + if [ "$FOUND_BASH" ]; then + $FOUND_BASH -c "(echo /dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" & + elif [ "$NC_SCAN" ]; then + ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & + fi done wait done @@ -799,7 +855,11 @@ tcp_port_scan (){ fi for port in $PORTS; do - ($NC_SCAN "$IP" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & + if [ "$FOUND_BASH" ]; then + $FOUND_BASH -c "(echo /dev/null && echo -e \"\n[+] Open port at: $IP:$port\"" & + elif [ "$NC_SCAN" ]; then + ($NC_SCAN "$IP" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") & + fi done wait } @@ -912,7 +972,7 @@ printf $LG"Writable folder: "$NC; echo $Wfolder if ! [ "$FAST" ] && ! [ "$AUTO_NETWORK_SCAN" ]; then - printf $LG"Remember that you can use the '-t' option to call the Internet connectivity checks and automatic network recon!\n"$NC; + printf $LG"Remember that you can use the '-t' option to call the Internet connectivity checks and automatic network recon!\n"$NC; fi if [ "$DISCOVER_BAN_GOOD" ]; then 
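Review bot: `execBin` writes the decoded binary to the fixed, predictable path `$Wfolder/bin` inside a world-writable directory (`$Wfolder` is picked from writable folders such as `/dev/shm` or `/tmp`), then `chmod +x`s and `eval`s it; a file or symlink of that name pre-created by another local user is overwritten or followed, and nothing checks that `base64 -d` succeeded before the `eval` runs whatever is at that path. Use a per-run unique name from `mktemp`, quote `$Wfolder` (unquoted it also breaks on paths with spaces), skip execution when decoding fails, and run the binary directly instead of through `eval`. If `$PARAMS` is expected to carry shell quoting, keep `eval` but still on the unique path.
```shell
execBin(){
  # … unchanged: TOOL_NAME/TOOL_LINK/B64_BIN/PARAMS assignments …
  if [ "$B64_BIN" ]; then
    echo ""
    print_3title "Running $TOOL_NAME"
    print_info "$TOOL_LINK"
    # unique name: never clobber or follow a file another user pre-created in the shared writable dir
    BIN_PATH="$(mktemp "$Wfolder/.peas.XXXXXX" 2>/dev/null)" || { echo "Cannot create a temp file in $Wfolder"; return 1; }
    if echo "$B64_BIN" | base64 -d > "$BIN_PATH" 2>/dev/null && chmod +x "$BIN_PATH"; then
      "$BIN_PATH" $PARAMS
    else
      echo "Cannot decode $TOOL_NAME, skipping"
    fi
    rm -f "$BIN_PATH"
    echo ""
  fi
}
```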
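Review bot: The new bash branch backgrounds one `$FOUND_BASH -c` per host (254 per port) and then `wait`s, but as rendered here the probe text is unbalanced, `(echo /dev/null && echo -e …` with no closing parenthesis and no redirect target, which looks like characters lost in this view rather than in the source; please confirm against the file. If the probe is a `/dev/tcp` connect, bash offers no connect timeout, so each filtered or unreachable host blocks until the kernel abandons the SYN and the `wait` inherits that delay; the existing `[ "$TIMEOUT" ]` guard used elsewhere in this diff could wrap the probe, `timeout 3 $FOUND_BASH -c '…' &`. `echo -e` is also not POSIX and in bash depends on `xpg_echo`; `printf '\n[+] Open port at: %s\n' "$IP3.$j:$port"` is portable. `tcp_port_scan` in the next hunk has the same shape and the same two issues.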
@@ -922,12 +982,12 @@ else fi if [ "$SCAN_BAN_GOOD" ]; then - printf $YELLOW"[+] $SCAN_BAN_GOOD\n$NC" + printf "$SCAN_BAN_GOOD\n$NC" else printf $RED"[-] $SCAN_BAN_BAD\n$NC" fi if [ "$(command -v nmap 2>/dev/null)" ];then - NMAP_GOOD=$GREEN"nmap${BLUE} is available for network discover & port scanning, you should use it yourself" + NMAP_GOOD=$GREEN"nmap${BLUE} is available for network discovery & port scanning, you should use it yourself" printf $YELLOW"[+] $NMAP_GOOD\n$NC" fi echo "" 
@@ -972,20 +1032,32 @@ elif [ "$IP" ]; then fi -if echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then - ########################################### - #----------) Caching Finds (--------------# - ########################################### +#Get HOMESEARCH +HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")" +if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder + HOMESEARCH="$HOME $HOMESEARCH" +fi +GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|" + + + +########################################### +#----------) Caching Finds (--------------# +########################################### +if [ "$SEARCH_IN_FOLDER" ]; then printf $GREEN"Caching directories "$NC + CONT_THREADS=0 + # FIND ALL KNOWN INTERESTING SOFTWARE FILES + peass{FINDS_CUSTOM} - #Get home - HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")" - if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder - HOMESEARCH="$HOME $HOMESEARCH" - fi - GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|" + wait # Always wait at the end + CONT_THREADS=0 #Reset the threads counter + +elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then + + printf $GREEN"Caching directories "$NC CONT_THREADS=0 # FIND ALL KNOWN INTERESTING SOFTWARE FILES 
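Review bot: `HOMESEARCH` and `GREPHOMESEARCH` are now computed unconditionally from the running host's `/etc/passwd` and `$HOME`, so in `-f <dir>` mode they describe the analysis host rather than the mounted image, and `ROOT_FOLDER` (set by `-f` earlier in this diff) is not consulted here; any check that uses them without a `SEARCH_IN_FOLDER` guard will look in the wrong place. Either read `"$ROOT_FOLDER/etc/passwd"` (it defaults to `/`) or add a comment stating that home enumeration is intentionally host-only. Separately, `grep -q "$HOME"` is an unanchored substring match that, with an empty `$HOME`, matches every line; `grep -qF -- "$HOME"` behind an emptiness check is safer. The `elif` branch continues outside the hunk.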
@@ -993,7 +1065,9 @@ if echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | gre wait # Always wait at the end CONT_THREADS=0 #Reset the threads counter +fi +if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then #GENERATE THE STORAGES OF THE FOUND FILES peass{STORAGES_HERE} diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 8651e4ac0..9dadd246a 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -9,6 +9,7 @@ from .yamlGlobals import ( TEMPORARY_LINPEAS_BASE_PATH, PEAS_FINDS_MARKUP, + PEAS_FINDS_CUSTOM_MARKUP, PEAS_STORAGES_MARKUP, PEAS_STORAGES_MARKUP, INT_HIDDEN_FILES_MARKUP, @@ -30,7 +31,10 @@ LES_MARKUP, LES2_MARKUP, REGEXES_LOADED, - REGEXES_MARKUP + REGEXES_MARKUP, + FAT_LINPEAS_AMICONTAINED_MARKUP, + FAT_LINPEAS_GITLEAKS_LINUX_MARKUP, + FAT_LINPEAS_GITLEAKS_MACOS_MARKUP ) @@ -50,8 +54,9 @@ def build(self): self.__replace_mark(PEAS_VARIABLES_MARKUP, variables, "") print("[+] Building finds...") - find_calls = self.__generate_finds() + find_calls, find_custom_calls = self.__generate_finds() self.__replace_mark(PEAS_FINDS_MARKUP, find_calls, " ") + self.__replace_mark(PEAS_FINDS_CUSTOM_MARKUP, find_custom_calls, " ") print("[+] Building storages...") storage_vars = self.__generate_storages() 
@@ -93,6 +98,16 @@ def build(self): self.__replace_mark(LES_MARKUP, list(les_b64), "") self.__replace_mark(LES2_MARKUP, list(les2_b64), "") + print("[+] Downloading Fat Linpeas binaries...") + aimcont_b64 = self.__get_bin("https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64") + self.__replace_mark(FAT_LINPEAS_AMICONTAINED_MARKUP, list(aimcont_b64), "") + + gitleaks_b64 = self.__get_bin("https://github.com/zricethezav/gitleaks/releases/download/v8.8.7/gitleaks_8.8.7_linux_x64.tar.gz", tar_gz="gitleaks") + self.__replace_mark(FAT_LINPEAS_GITLEAKS_LINUX_MARKUP, list(gitleaks_b64), "") + + gitleaks_b64_macos = self.__get_bin("https://github.com/zricethezav/gitleaks/releases/download/v8.8.7/gitleaks_8.8.7_darwin_x64.tar.gz", tar_gz="gitleaks") + self.__replace_mark(FAT_LINPEAS_GITLEAKS_MACOS_MARKUP, list(gitleaks_b64_macos), "") + print("[+] Building GTFOBins lists...") suidVB, sudoVB, capsVB = self.__get_gtfobins_lists() assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}" @@ -146,6 +161,11 @@ def __get_files_to_search(self): def __generate_finds(self) -> list: """Given the regexes to search on each root folder, generate the find command""" finds = [] + + finds_custom = [] + all_folder_regexes = [] + all_file_regexes = [] + for type,searches in self.dict_to_search.items(): for r,regexes in searches.items(): if regexes: 
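Review bot: The three binaries embedded into the fat build are fetched with no integrity check, and the amicontained URL uses `releases/latest`, so the embedded artifact changes silently between builds and a replaced release ends up base64-inlined in a script users run as root; the gitleaks URLs are at least pinned to v8.8.7. Pin the amicontained release the same way and pass an expected digest, e.g. `self.__get_bin(url, sha256="<PINNED_SHA256>")`, so the build fails on mismatch; the verification belongs in `__get_bin` (later hunk in this diff). Recording version and digest next to each URL also documents what `linpeas_fat.sh` actually contains.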
@@ -153,25 +173,41 @@ def __generate_finds(self) -> list: if type == "d": find_line += "-type d " - bash_find_var = f"FIND_DIR_{r[1:].replace('.','').upper()}" + bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}" self.bash_find_d_vars.add(bash_find_var) + all_folder_regexes += regexes else: - bash_find_var = f"FIND_{r[1:].replace('.','').upper()}" + bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}" self.bash_find_f_vars.add(bash_find_var) + all_file_regexes += regexes find_line += '-name \\"' + '\\" -o -name \\"'.join(regexes) + '\\"' find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line) find_line = f"{bash_find_var}={find_line}" finds.append(find_line) + + # Buid folder and files finds when searching in a custom folder + all_folder_regexes = list(set(all_folder_regexes)) + find_line = '$SEARCH_IN_FOLDER -type d -name \\"' + '\\" -o -name \\"'.join(all_folder_regexes) + '\\"' + find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line) + find_line = f"FIND_DIR_CUSTOM={find_line}" + finds_custom.append(find_line) + + all_file_regexes = list(set(all_file_regexes)) + find_line = '$SEARCH_IN_FOLDER -name \\"' + '\\" -o -name \\"'.join(all_file_regexes) + '\\"' + find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line) + find_line = f"FIND_CUSTOM={find_line}" + finds_custom.append(find_line) - return finds + return finds, finds_custom def __generate_storages(self) -> list: """Generate the storages to save the results per entry""" storages = [] - all_f_finds = "$" + "\\n$".join(self.bash_find_f_vars) - all_d_finds = "$" + "\\n$".join(self.bash_find_d_vars) - all_finds = "$" + "\\n$".join(list(self.bash_find_f_vars) + list(self.bash_find_d_vars)) + custom_storages = ["FIND_CUSTOM", "FIND_DIR_CUSTOM"] + all_f_finds = "$" + "\\n$".join(list(self.bash_find_f_vars) + custom_storages) + all_d_finds = "$" + "\\n$".join(list(self.bash_find_d_vars) + custom_storages) + all_finds = "$" + 
"\\n$".join(list(self.bash_find_f_vars) + list(self.bash_find_d_vars) + custom_storages) for precord in self.ploaded.peasrecords: bash_storage_var = f"PSTORAGE_{precord.bash_name}" @@ -239,7 +275,7 @@ def __construct_file_line(self, precord: PEASRecord, frecord: FileRecord, init: analise_line = "" if init: analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; ' - analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' + analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' #If just list, just list the file/directory if frecord.just_list_file: @@ -303,6 +339,19 @@ def __get_linux_exploit_suggesters(self) -> tuple: r2 = requests.get("https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl") return(base64.b64encode(bytes(r1.text, 'utf-8')).decode("utf-8"), base64.b64encode(bytes(r2.text, 'utf-8')).decode("utf-8")) + def __get_bin(self, url, tar_gz="") -> str: + os.system(f"wget -q '{url}' -O /tmp/bin_builder") + if tar_gz: + os.system(f"cd /tmp; tar -xvzf /tmp/bin_builder; rm /tmp/bin_builder; mv {tar_gz} /tmp/bin_builder") + os.system("base64 /tmp/bin_builder | tr -d '\n' > /tmp/binb64; rm /tmp/bin_builder") + + b64bin = "" + with open("/tmp/binb64", "r") as f: + b64bin = f.read() + + os.system("rm /tmp/binb64") + return b64bin + def __get_gtfobins_lists(self) -> tuple: r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins") bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text) 
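Review bot: `__generate_finds` now returns the `(finds, finds_custom)` pair but its annotation is still `-> list` and the docstring does not mention the second list; change it to `-> tuple[list, list]` and add `Returns the per-root find lines and the FIND_CUSTOM/FIND_DIR_CUSTOM lines used with -f`. When `all_folder_regexes` or `all_file_regexes` is empty the generated command contains `-name \"\"`, which matches nothing on GNU find, so guard each custom build with `if all_folder_regexes:` / `if all_file_regexes:`. The generated line also expands `$SEARCH_IN_FOLDER` unquoted, so a folder path with spaces is word-split; writing `\"$SEARCH_IN_FOLDER\"` into the template keeps it intact. The function header is outside this hunk.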
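Review bot: The inserted `if ! [ -d "$f" ]; then continue; fi` skips every entry that is not a directory, yet the storages this loop reads are filled from both the `FIND_*` file searches and the `FIND_DIR_*` directory searches earlier in this diff, so regular-file hits would no longer be listed by `ls -ld`. If the intent was to drop entries that vanished between caching and listing, the test should be `if ! [ -e "$f" ]; then continue; fi`; if directories alone are meant here, a comment saying why is needed. I am inferring the storage contents from the builder's find generation, so please confirm against how the `just_list_file` records below are handled.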
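Review bot: `__get_bin` interpolates `url` and `tar_gz` into `os.system` shell strings, uses fixed paths under `/tmp` (`/tmp/bin_builder`, `/tmp/binb64`) that another user on the build host could pre-create or symlink, unpacks an untrusted tarball with `tar -xvzf` into `/tmp` without restricting members, and never checks that the download succeeded, so a failed `wget` embeds an empty or stale blob. The file already imports `requests` and `base64`, so the download can stay in-process with no shell and no temp files; with `io`, `tarfile` and `hashlib` added to the imports the method can also verify a pinned digest (see the note on the build hunk above). Extracting only the named member keeps the archive's other entries out of the build.
```python
    def __get_bin(self, url, tar_gz="", sha256="") -> str:
        """Fetch a release artifact, optionally take member `tar_gz` out of it,
        verify the pinned SHA-256 when `sha256` is given, and return it base64-encoded."""
        resp = requests.get(url, timeout=120)
        resp.raise_for_status()  # a 404 must fail the build, not embed an error page
        data = resp.content
        if tar_gz:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                member = tf.getmember(tar_gz)  # KeyError if the expected file is absent
                if not member.isfile():
                    raise ValueError(f"{tar_gz} in {url} is not a regular file")
                with tf.extractfile(member) as fh:  # only the named member, nothing written to disk
                    data = fh.read()
        if sha256 and hashlib.sha256(data).hexdigest() != sha256:
            raise ValueError(f"SHA-256 mismatch for {url}")
        return base64.b64encode(data).decode("utf-8")
```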
@@ -334,14 +383,24 @@ def __generate_regexes_search(self) -> str: for entry in values["regexes"]: name = entry["name"] + caseinsensitive = entry.get("caseinsensitive", False) regex = entry["regex"] regex = regex.replace('"', '\\"').strip() extra_grep = entry.get("extra_grep") extra_grep = f"| grep {extra_grep}" if extra_grep else "" - regexes_search_section += f'print_3title "Searching {name} (limited to 50)"\n' + regexes_search_section += f'print_3title_no_nl "Searching {name} (limited to 50)..."\n' + + # If custom folder to search in + regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n' + regexes_search_section += " timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" + + # If search in all the file system + regexes_search_section += 'else\n' for path in paths_to_search: - regexes_search_section += "timeout 120 find "+path+" -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 | sed -${E} \"s~"+regex+"~${SED_RED}~\" &\n" + grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE" + regexes_search_section += " timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n" + regexes_search_section += 'fi\n' regexes_search_section += "wait\n" 
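Review bot: The new `SEARCH_IN_FOLDER` branch hard-codes `grep -HnRiIE`, so the `caseinsensitive` flag that the `else` branch honours through `grep_flags` is ignored in firmware mode and case-sensitive regexes (the default) run case-insensitively there; compute `grep_flags` once before the `if` and use it in both branches. The two branches otherwise build the same pipeline with only the path differing, which is exactly what let them drift; a small helper returning the `find … -exec grep …` string for a given path would keep them aligned. The title passed to `print_3title_no_nl` already ends in `...` and that function appends `...` again, so the output shows `......`. The loop is cut at both ends of the hunk.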
@@ -357,10 +416,16 @@ def __replace_mark(self, mark: str, find_calls: list, join_char: str):
 self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
- def write_linpeas(self, path):
+ def write_linpeas(self, path, rm_startswith=""):
 """Write on disk the final linpeas"""
 with open(path, "w") as f:
- f.write(self.linpeas_sh)
-
- os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
\ No newline at end of file
+ if not rm_startswith:
+ f.write(self.linpeas_sh)
+ else:
+ tmp_linpeas = ""
+ for line in self.linpeas_sh.splitlines():
+ if not line.startswith(rm_startswith):
+ tmp_linpeas += line + "\n"
+ f.write(tmp_linpeas)
+
diff --git a/linPEAS/builder/src/yamlGlobals.py b/linPEAS/builder/src/yamlGlobals.py
index 095f39110..bf47f6a15 100644
--- a/linPEAS/builder/src/yamlGlobals.py
+++ b/linPEAS/builder/src/yamlGlobals.py
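Review bot: The filtering branch of `write_linpeas` builds the output by repeated string concatenation and leaves the new `rm_startswith` parameter undocumented; the docstring should state that lines beginning with that prefix are dropped from the written script and that an empty prefix disables the filter (which is why the `if not rm_startswith` branch exists, since `str.startswith("")` is always true). The loop can be replaced by `f.write("".join(l + "\n" for l in self.linpeas_sh.splitlines() if not l.startswith(rm_startswith)))`. The hunk also removes the `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` clean-up with no replacement in view; unless it was moved elsewhere, the built linpeas_base.sh file is now left on disk after every build.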
@@ -15,36 +15,47 @@
 "name_check": "container",
 "file_path": LINPEAS_BASE_PARTS + "/2_container.sh"
 },
+ {
+ "name": "Cloud",
+ "name_check": "cloud",
+ "file_path": LINPEAS_BASE_PARTS + "/3_cloud.sh"
+ },
 {
 "name": "Processes, Crons, Timers, Services and Sockets",
 "name_check": "procs_crons_timers_srvcs_sockets",
- "file_path": LINPEAS_BASE_PARTS + "/3_procs_crons_timers_srvcs_sockets.sh"
+ "file_path": LINPEAS_BASE_PARTS + "/4_procs_crons_timers_srvcs_sockets.sh"
 },
 {
 "name": "Network Information",
 "name_check": "network_information",
- "file_path": LINPEAS_BASE_PARTS + "/4_network_information.sh"
+ "file_path": LINPEAS_BASE_PARTS + "/5_network_information.sh"
 },
 {
 "name": "Users Information",
 "name_check": "users_information",
- "file_path": LINPEAS_BASE_PARTS + "/5_users_information.sh"
+ "file_path": LINPEAS_BASE_PARTS + "/6_users_information.sh"
 },
 {
 "name": "Software Information",
 "name_check": "software_information",
- "file_path": LINPEAS_BASE_PARTS + "/6_software_information.sh"
+ "file_path": LINPEAS_BASE_PARTS + "/7_software_information.sh"
 },
 {
 "name": "Interesting Files",
 "name_check": "interesting_files",
- "file_path": LINPEAS_BASE_PARTS + "/7_interesting_files.sh"
+ "file_path": LINPEAS_BASE_PARTS + "/8_interesting_files.sh"
+ },
+ {
+ "name": "API Keys Regex",
+ "name_check": "api_keys_regex",
+ "file_path": LINPEAS_BASE_PARTS + "/9_api_keys_regex.sh"
 }
 ]
 LINPEAS_BASE_PATH = LINPEAS_BASE_PARTS + "/linpeas_base.sh"
 TEMPORARY_LINPEAS_BASE_PATH = CURRENT_DIR + "/../linpeas_base.sh"
+FINAL_FAT_LINPEAS_PATH = CURRENT_DIR + "/../../" + "linpeas_fat.sh"
 FINAL_LINPEAS_PATH = CURRENT_DIR + "/../../" + "linpeas.sh"
 YAML_NAME = "sensitive_files.yaml"
 YAML_REGEXES = "regexes.yaml"
@@ -68,6 +79,7 @@
 PEAS_CHECKS_MARKUP = YAML_LOADED["peas_checks"]
 PEAS_FINDS_MARKUP = YAML_LOADED["peas_finds_markup"]
+PEAS_FINDS_CUSTOM_MARKUP = YAML_LOADED["peas_finds_custom_markup"]
 FIND_LINE_MARKUP = YAML_LOADED["find_line_markup"]
 FIND_TEMPLATE = YAML_LOADED["find_template"]
@@ -92,4 +104,9 @@
 CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"]
 LES_MARKUP = YAML_LOADED["les_markup"]
-LES2_MARKUP = YAML_LOADED["les2_markup"]
\ No newline at end of file
+LES2_MARKUP = YAML_LOADED["les2_markup"]
+
+
+FAT_LINPEAS_AMICONTAINED_MARKUP = YAML_LOADED["fat_linpeas_amicontained_markup"]
+FAT_LINPEAS_GITLEAKS_LINUX_MARKUP = YAML_LOADED["fat_linpeas_gitleaks_linux_markup"]
+FAT_LINPEAS_GITLEAKS_MACOS_MARKUP = YAML_LOADED["fat_linpeas_gitleaks_macos_markup"]
\ No newline at end of file