linpeasv2.3.4
This commit is contained in:
parent
3869fc9721
commit
35b6cafe72
linPEAS
@ -220,6 +220,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
|
||||
- [x] .sh scripts in PATH
|
||||
- [x] scripts in /etc/profile.d
|
||||
- [x] Hashes (passwd, shadow & master.passwd)
|
||||
- [x] Credentials in fstab
|
||||
- [x] Try to read root dir
|
||||
- [x] Files owned by root inside /home
|
||||
- [x] List of readable files belonging to root and not world readable
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
VERSION="v2.3.3"
|
||||
VERSION="v2.3.4"
|
||||
ADVISORY="linpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission."
|
||||
|
||||
###########################################
|
||||
@ -117,8 +117,8 @@ spath=":$PATH"
|
||||
for P in $ADDPATH; do
|
||||
if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi
|
||||
done
|
||||
writeB="\.sh$\|\./\|/etc/sysconfig/network-scripts/\|/etc/login.defs\|/etc/\|/sys/\|/lib\|/boot\|/root\|/home/\|/var/log/\|/mnt/\|/usr/local/sbin\|/usr/sbin\|/sbin/\|/usr/local/bin\|/usr/bin\|/bin\|/usr/local/games\|/usr/games\|/usr/lib"
|
||||
writeVB="/etc/init\|/etc/rc.d\|/etc/sys\|/etc/shadow\|/etc/master.passwd\|/etc/passwd\|/etc/group\|/etc/cron\|/lib/systemd/\|/systemd/system\|/var/spool/cron/crontabs\|/etc/anacrontab\|/var/spool/anacron"`echo $PATH 2>/dev/null| sed 's/:/\\\|/g'`
|
||||
writeB="\.sh$\|\./\|/authorized_keys\|/bin\|/boot\|/etc/apache2/apache2.conf\|/etc/apache2/httpd.conf\|/etc/hosts.allow\|/etc/hosts.deny\|/etc/httpd/conf/httpd.conf\|/etc/httpd/httpd.conf\|/etc/inetd.conf\|/etc/init\|/etc/incron.conf\|/etc/login.defs\|/etc/logrotate.d/\|/etc/modprobe.d/\|/etc/pam.d/\|/etc/php.*/fpm/pool.d/\|/etc/php/.*/fpm/pool.d/\|/etc/rsyslog.d/\|/etc/skel/\|/etc/sysconfig/network-scripts/\|/etc/sysctl.conf\|/etc/sysctl.d/\|/etc/uwsgi/apps-enabled/\|/etc/xinetd.conf\|/etc/xinetd.d/\|/etc/\|/home/\|/lib\|/mnt/\|/root\|/sys/\|/usr/bin\|/usr/games\|/usr/lib\|/usr/local/bin\|/usr/local/games\|/usr/local/sbin\|/usr/sbin\|/sbin/\|/var/log/"
|
||||
writeVB="/etc/anacrontab\|/etc/bash.bashrc\|/etc/bash_completion\|/etc/bash_completion.d/\|/etc/cron\|/etc/environment\|/etc/environment.d/\|/etc/group\|/etc/incron.d/\|/etc/init\|/etc/master.passwd\|/etc/passwd\|/etc/profile\|/etc/profile.d/\|/etc/rc.d\|/etc/shadow\|/etc/sudoers\|/etc/sudoers.d/\|/etc/supervisor/conf.d/\|/etc/supervisor/supervisord.conf\|/etc/sys\|/etc/systemd\|/lib/systemd/\|/root/.ssh/\|/systemd/system\|/var/spool/anacron\|/var/spool/cron/crontabs\|"`echo $PATH 2>/dev/null| sed 's/:/\\\|/g'`
|
||||
|
||||
sh_usrs=`cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|sys|/|sys[\\\s:]|^sys$|/' | sed 's/|daemon|/|daemon[\\\s:]|^daemon$|/' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere
|
||||
nosh_usrs=`cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee"
|
||||
@ -162,6 +162,8 @@ mail_apps="Postfix\|Dovecot\|Exim\|SquirrelMail\|Cyrus\|Sendmail\|Courier"
|
||||
|
||||
profiledG="01-locale-fix.sh\|bash_completion.sh\|colorgrep.csh\|colorgrep.sh\|colorxzgrep.csh\|colorxzgrep.sh\|colorzgrep.csh\|colorzgrep.sh\|csh.local\|gawk.csh\|gawk.sh\|kali.sh\|lang.csh\|lang.sh\|less.csh\|less.sh\|sh.local\|vte-2.91.sh"
|
||||
|
||||
knw_emails="aeb@debian.org\|berni@debian.org\|debian@jff.email\|debian-boot@lists.debian.org\|debian-med-packaging@lists.alioth.debian.org\|devel@kali.org\|gcs@debian.org\|guillem@debian.org\|guus@debian.org\|isc-dhcp@packages.debian.org\|kilobyte@angband.pl\|lamont@debian.org\|linux-xfs@vger.kernel.org\|mattia@debian.org\|mmind@debian.org\|open-iscsi@packages.debian.org\|open-isns@packages.debian.org\|packages@qa.debian.org\|packages@release.debian.org\|parted-maintainers@alioth-lists.debian.net\|petere@debian.org\|pkg-gnupg-maint@lists.alioth.debian.org\|pkg-gnutls-maint@lists.alioth.debian.org\|rogershimizu@gmail.com\|team+dns@tracker.debian.org\|team+lvm@tracker.debian.org\|thmarques@gmail.com\|tytso@mit.edu\|wpa@packages.debian.org"
|
||||
|
||||
if [ "$(/usr/bin/id -u)" -eq "0" ]; then
|
||||
IAMROOT="1"
|
||||
else
|
||||
@ -605,8 +607,8 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
|
||||
#-- 3SY) PATH
|
||||
printf $Y"[+] "$GREEN"PATH\n"$NC
|
||||
printf $B"[i] "$Y"Any writable folder in original PATH? (a new completed path will be exported)\n"$NC
|
||||
echo $OLDPATH 2>/dev/null | sed "s,$Wfolders\|\.,${C}[1;31;103m&${C}[0m,g"
|
||||
echo "New path exported: $PATH" 2>/dev/null | sed "s,$Wfolders\|\.,${C}[1;31;103m&${C}[0m,g"
|
||||
echo $OLDPATH 2>/dev/null | sed "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g"
|
||||
echo "New path exported: $PATH" 2>/dev/null | sed "s,$Wfolders\|\./\|\.:\|:\. ,${C}[1;31;103m&${C}[0m,g"
|
||||
echo ""
|
||||
|
||||
#-- 4SY) Date
|
||||
@ -739,7 +741,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcs`" ]; then
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs\n"$NC
|
||||
crontab -l 2>/dev/null | sed "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m,"
|
||||
ls -al /etc/cron* 2>/dev/null | sed "s,$cronjobsG,${C}[1;32m&${C}[0m,g" | sed "s,$cronjobsB,${C}[1;31m&${C}[0m,g"
|
||||
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m,"
|
||||
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/anacron /etc/incron.d/* /var/spool/incron/* 2>/dev/null | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m,"
|
||||
crontab -l -u $USER 2>/dev/null
|
||||
echo ""
|
||||
|
||||
@ -765,8 +767,8 @@ if [ "`echo $CHECKS | grep Net`" ]; then
|
||||
echo ""
|
||||
|
||||
#-- 2NI) /etc/inetd.conf
|
||||
printf $Y"[+] "$GREEN"Content of /etc/inetd.conf\n"$NC
|
||||
(cat /etc/inetd.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
|
||||
printf $Y"[+] "$GREEN"Content of /etc/inetd.conf & /etc/xinetd.conf\n"$NC
|
||||
(cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
|
||||
echo ""
|
||||
|
||||
#-- 3NI) Networks and neighbours
|
||||
@ -809,7 +811,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then
|
||||
#-- 1UI) My user
|
||||
printf $Y"[+] "$GREEN"My user\n"$NC
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups\n"$NC
|
||||
(id || (whoami && groups)) 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,$idB,${C}[1;31m&${C}[0m,g"
|
||||
(id || (whoami && groups)) 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed "s,$idB,${C}[1;31m&${C}[0m,g"
|
||||
echo ""
|
||||
|
||||
#-- 2UI) PGP keys?
|
||||
@ -896,6 +898,10 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then
|
||||
printf $Y"[+] "$GREEN"Password policy\n"$NC
|
||||
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
|
||||
echo ""
|
||||
|
||||
#-- 15UI) User timer
|
||||
printf $Y"[+] "$GREEN"User timers\n"$NC
|
||||
(systemctl --user list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)") || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
@ -1281,7 +1287,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 27SI) Knock
|
||||
##-- 28SI) Knock
|
||||
printf $Y"[+] "$GREEN"Looking for Knock configuration\n"$NC
|
||||
Knock=`find /etc/init.d -name "knockd" 2>/dev/null`
|
||||
if [ "$Knock" ]; then
|
||||
@ -1296,7 +1302,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
###-- 28SI) Logstash
|
||||
###-- 29SI) Logstash
|
||||
printf $Y"[+] "$GREEN"Looking for logstash files\n"$NC
|
||||
logstash=`find /var /etc /home /root /tmp /usr /opt -type d -name logstash 2>/dev/null`
|
||||
if [ "$logstash" ]; then
|
||||
@ -1313,7 +1319,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 29SI) Elasticsearch
|
||||
##-- 30SI) Elasticsearch
|
||||
printf $Y"[+] "$GREEN"Looking for elasticsearch files\n"$NC
|
||||
elasticsearch=`find /var /etc /home /root /tmp /usr /opt -name "elasticsearch.y*ml" 2>/dev/null`
|
||||
if [ "$elasticsearch" ]; then
|
||||
@ -1324,7 +1330,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 30SI) Vault-ssh
|
||||
##-- 31SI) Vault-ssh
|
||||
printf $Y"[+] "$GREEN"Looking for Vault-ssh files\n"$NC
|
||||
vaultssh=`find /etc /usr /home /root -name vault-ssh-helper.hcl 2>/dev/null`
|
||||
if [ "$vaultssh" ]; then
|
||||
@ -1337,7 +1343,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 31SI) Cached AD Hashes
|
||||
##-- 32SI) Cached AD Hashes
|
||||
adhashes=`ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null`
|
||||
printf $Y"[+] "$GREEN"Looking for AD cached hahses\n"$NC
|
||||
if [ "$adhashes" ]; then
|
||||
@ -1346,7 +1352,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 32SI) Screen sessions
|
||||
##-- 33SI) Screen sessions
|
||||
printf $Y"[+] "$GREEN"Looking for screen sessions\n"$N
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC
|
||||
screensess=`screen -ls 2>/dev/null`
|
||||
@ -1356,7 +1362,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 33SI) Tmux sessions
|
||||
##-- 34SI) Tmux sessions
|
||||
tmuxdefsess=`tmux ls 2>/dev/null`
|
||||
tmuxnondefsess=`ps aux | grep "tmux " | grep -v grep`
|
||||
printf $Y"[+] "$GREEN"Looking for tmux sessions\n"$N
|
||||
@ -1367,7 +1373,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 34SI) Couchdb
|
||||
##-- 35SI) Couchdb
|
||||
printf $Y"[+] "$GREEN"Looking for Couchdb directory\n"$NC
|
||||
couchdb_dirs=`find /var /etc /home /root /tmp /usr /opt -type d -name "couchdb" 2>/dev/null`
|
||||
for d in $couchdb_dirs; do
|
||||
@ -1381,7 +1387,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- 35SI) Redis
|
||||
##-- 36SI) Redis
|
||||
printf $Y"[+] "$GREEN"Looking for redis.conf\n"$NC
|
||||
redisconfs=`find /var /etc /home /root /tmp /usr /opt -type f -name "redis.conf" 2>/dev/null`
|
||||
for f in $redisconfs; do
|
||||
@ -1392,7 +1398,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- 35SI) Dovecot
|
||||
##-- 37SI) Dovecot
|
||||
# Needs testing
|
||||
printf $Y"[+] "$GREEN"Looking for dovecot files\n"$NC
|
||||
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
|
||||
@ -1408,7 +1414,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 36SI) Mosquitto
|
||||
##-- 38SI) Mosquitto
|
||||
printf $Y"[+] "$GREEN"Looking for mosquitto.conf\n"$NC
|
||||
mqttconfs=`find /var /etc /home /root /tmp /usr /opt -type f -name "mosquitto.conf" 2>/dev/null`
|
||||
for f in $mqttconfs; do
|
||||
@ -1419,7 +1425,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- 37SI) Neo4j
|
||||
##-- 39SI) Neo4j
|
||||
printf $Y"[+] "$GREEN"Looking for neo4j auth file\n"$NC
|
||||
neo4j=`find /var /etc /home /root /tmp /usr /opt -type d -name "neo4j" 2>/dev/null`
|
||||
for d in $neo4j; do
|
||||
@ -1492,84 +1498,90 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
##-- 4IF) Users with capabilities
|
||||
printf $Y"[+] "$GREEN"Users with capabilities\n"$NC
|
||||
if [ -f "/etc/security/capability.conf" ]; then
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m,"
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,"
|
||||
else echo_not_found "/etc/security/capability.conf"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 4IF) .sh files in PATH
|
||||
##-- 5IF) .sh files in PATH
|
||||
printf $Y"[+] "$GREEN".sh files in path\n"$NC
|
||||
for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null | sed "s,$pathshG,${C}[1;32m&${C}[0m," ; done
|
||||
echo ""
|
||||
|
||||
##-- 5IF) Files (scripts) in /etc/profile.d/
|
||||
##-- 6IF) Files (scripts) in /etc/profile.d/
|
||||
printf $Y"[+] "$GREEN"Files (scripts) in /etc/profile.d/\n"$NC
|
||||
(ls -la /etc/profile.d/ | sed "s,$profiledG,${C}[1;32m&${C}[0m,") || echo_not_found "/etc/profile.d/"
|
||||
echo ""
|
||||
|
||||
##-- 6IF) Hashes in passwd file
|
||||
##-- 7IF) Hashes in passwd file
|
||||
printf $Y"[+] "$GREEN"Hashes inside passwd file? ........... "$NC
|
||||
if [ "`grep -v '^[^:]*:[x\*]' /etc/passwd 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]' /etc/passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- 7IF) Read shadow files
|
||||
printf $Y"[+] "$GREEN"Can I read shadow files? ........... "$NC
|
||||
if [ "`cat /etc/shadow /etc/master.passwd 2>/dev/null`" ]; then cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
##-- 8IF) Credentials in fstab
|
||||
printf $Y"[+] "$GREEN"Credentials in fstab/mtab? ........... "$NC
|
||||
if [ "`grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null`" ]; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- 8IF) Read root dir
|
||||
printf $Y"[+] "$GREEN"Can I read root folder? ........... "$NC
|
||||
##-- 9IF) Read shadow files
|
||||
printf $Y"[+] "$GREEN"Can I read shadow files? ............. "$NC
|
||||
if [ "`cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/master.passwd 2>/dev/null`" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- 10IF) Read root dir
|
||||
printf $Y"[+] "$GREEN"Can I read root folder? .............. "$NC
|
||||
(ls -al /root/ 2>/dev/null) || echo_no
|
||||
echo ""
|
||||
|
||||
##-- 9IF) Root files in home dirs
|
||||
##-- 11IF) Root files in home dirs
|
||||
printf $Y"[+] "$GREEN"Looking for root files in home dirs (limit 20)\n"$NC
|
||||
(find /home -user root 2>/dev/null | head -n 20 | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,") || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- 10IF) Others files in my dirs
|
||||
##-- 12IF) Others files in my dirs
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
printf $Y"[+] "$GREEN"Looking for others files in folders owned by me\n"$NC
|
||||
(for d in `find /var /etc /home /root /tmp /usr /opt /boot /sys -type d -user $USER 2>/dev/null`; do find $d ! -user \`whoami\` -exec ls -l {} \; 2>/dev/null | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g"; done) || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- 11IF) Readable files belonging to root and not world readable
|
||||
##-- 13IF) Readable files belonging to root and not world readable
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
printf $Y"[+] "$GREEN"Readable files belonging to root and readable by me but not world readable\n"$NC
|
||||
(for f in `find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal"`; do if [ -r $f ]; then ls -l $f 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"; fi; done) || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- 12IF) Files inside my home
|
||||
##-- 14IF) Files inside my home
|
||||
printf $Y"[+] "$GREEN"Files inside $HOME (limit 20)\n"$NC
|
||||
(ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- 13IF) Files inside /home
|
||||
##-- 15IF) Files inside /home
|
||||
printf $Y"[+] "$GREEN"Files inside others home (limit 20)\n"$NC
|
||||
(find /home -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- 14IF) Mail applications
|
||||
##-- 16IF) Mail applications
|
||||
printf $Y"[+] "$GREEN"Looking for installed mail applications\n"$NC
|
||||
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc | grep -wi $mail_apps
|
||||
echo ""
|
||||
|
||||
##-- 15IF) Mails
|
||||
##-- 17IF) Mails
|
||||
printf $Y"[+] "$GREEN"Mails (limit 50)\n"$NC
|
||||
(find /var/mail/ /var/spool/mail/ -type f 2>/dev/null | head -n 50) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- 16IF) Backup files
|
||||
##-- 18IF) Backup files
|
||||
printf $Y"[+] "$GREEN"Backup files?\n"$NC
|
||||
backs=`find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) 2>/dev/null`
|
||||
for b in $backs; do if [ -r $b ]; then ls -l "$b" | grep -v $notBackup | sed "s,backup\|bck\|\.bak\|\.old,${C}[1;31m&${C}[0m,g"; fi; done
|
||||
echo ""
|
||||
|
||||
##-- 17IF) DB files
|
||||
##-- 19IF) DB files
|
||||
printf $Y"[+] "$GREEN"Looking for tables inside readable .db/.sqlite files (limit 100)\n"$NC
|
||||
dbfiles=`find /var /etc /home /root /tmp /opt -type f \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" \) 2>/dev/null | grep -v "/man/\|^/usr/\|^/var/cache/" | head -n 100`
|
||||
if [ "$dbfiles" ]; then
|
||||
@ -1612,7 +1624,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 18IF) Web files
|
||||
##-- 20IF) Web files
|
||||
printf $Y"[+] "$GREEN"Web files?(output limit)\n"$NC
|
||||
ls -alhR /var/www/ 2>/dev/null | head
|
||||
ls -alhR /srv/www/htdocs/ 2>/dev/null | head
|
||||
@ -1620,7 +1632,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
|
||||
echo ""
|
||||
|
||||
##-- 19IF) Interesting files
|
||||
##-- 21IF) Interesting files
|
||||
printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data\n"$NC
|
||||
fils=`find /etc /home /root /tmp /usr /opt /mnt /var/backups /var/www /var/opt /var/cache \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "*httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".gitconfig" -o -name ".git-credentials" -o -name ".git" -o -name ".svn" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`
|
||||
@ -1644,18 +1656,18 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- 20IF) All hidden files
|
||||
##-- 22IF) All hidden files
|
||||
printf $Y"[+] "$GREEN"All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)\n"$NC
|
||||
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/\|_history$\|.sudo_as_admin_successful\|\.profile\|\.bashrc\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|\.rhosts\|\.gitignore\|.npmignore\|\.listing\|\.ignore\|\.uuid\|.depend\|.placeholder\|.gitkeep\|.keep" | head -n 70
|
||||
find / -type f -iname ".*" -exec ls -l {} \; 2>/dev/null | grep -v "/sys/\|_history$\|.sudo_as_admin_successful\|\.profile\|\.bashrc\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|\.rhosts\|\.gitignore\|.npmignore\|\.listing\|\.ignore\|\.uuid\|.depend\|.placeholder\|.gitkeep\|.keep" | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- 21IF) Readable files in /tmp, /var/tmp, /var/backups
|
||||
##-- 23IF) Readable files in /tmp, /var/tmp, /var/backups
|
||||
printf $Y"[+] "$GREEN"Readable files inside /tmp, /var/tmp, /var/backups(limit 70)\n"$NC
|
||||
filstmpback=`find /tmp /var/tmp /var/backups -type f 2>/dev/null | head -n 70`
|
||||
for f in $filstmpback; do if [ -r $f ]; then ls -l $f 2>/dev/null; fi; done
|
||||
echo ""
|
||||
|
||||
##-- 22IF) Interesting writable files by ownership or all
|
||||
##-- 24IF) Interesting writable files by ownership or all
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
printf $Y"[+] "$GREEN"Interesting writable files owned by me or writable by everyone (not in Home)\n"$NC
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files\n"$NC
|
||||
@ -1664,7 +1676,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- 22IF) Interesting writable files by group
|
||||
##-- 25IF) Interesting writable files by group
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
printf $Y"[+] "$GREEN"Interesting GROUP writable files (not in Home)\n"$NC
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files\n"$NC
|
||||
@ -1675,45 +1687,45 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- 23IF) Passwords in config PHP files
|
||||
##-- 26IF) Passwords in config PHP files
|
||||
printf $Y"[+] "$GREEN"Searching passwords in config PHP files\n"$NC
|
||||
configs=`find /var /etc /home /root /tmp /usr /opt -type f -name "*config*.php" 2>/dev/null`
|
||||
for c in $configs; do grep -i "password.* = ['\"]\|define.*passw\|db_pass" $c 2>/dev/null | grep -v "function\|password.* = \"\"\|password.* = ''" | sed '/^.\{150\}./d' | sort | uniq | sed "s,password\|db_pass,${C}[1;31m&${C}[0m,i"; done
|
||||
echo ""
|
||||
|
||||
##-- 24IF) IPs inside logs
|
||||
##-- 27IF) IPs inside logs
|
||||
printf $Y"[+] "$GREEN"Finding IPs inside logs (limit 70)\n"$NC
|
||||
grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" /var/log/ 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70
|
||||
grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" /var/log/ 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- 25IF) Passwords inside logs
|
||||
##-- 28IF) Passwords inside logs
|
||||
printf $Y"[+] "$GREEN"Finding passwords inside logs (limit 70)\n"$NC
|
||||
grep -R -i "pwd\|passw" /var/log/ 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed "s,pwd\|passw,${C}[1;31m&${C}[0m,"
|
||||
echo ""
|
||||
|
||||
##-- 26IF) Emails inside logs
|
||||
##-- 29IF) Emails inside logs
|
||||
printf $Y"[+] "$GREEN"Finding emails inside logs (limit 70)\n"$NC
|
||||
grep -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70
|
||||
grep -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed "s,$knw_emails,${C}[1;32m&${C}[0m,g"
|
||||
echo ""
|
||||
|
||||
##-- 27IF) Passwords files in home
|
||||
##-- 30IF) Passwords files in home
|
||||
printf $Y"[+] "$GREEN"Finding *password* or *credential* files in home (limit 70)\n"$NC
|
||||
(find /home /root -type f \( -name "*password*" -o -name "*credential*" -o -name "creds*" \) 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " There are more creds/passwds files in the previous parent folder"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed "s,password\|credential,${C}[1;31m&${C}[0m," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[1;32m&${C}[0m,") || echo_not_found
|
||||
echo ""
|
||||
|
||||
if ! [ "$SUPERFAST" ]; then
|
||||
##-- 28IF) Extract possible passwords
|
||||
##-- 31IF) Extract possible passwords
|
||||
printf $Y"[+] "$GREEN"Extracting possible passwords from files in /etc /var/www /root /home\n"$NC
|
||||
grep -R -i "password.* = ['\"]\|define.*passw" /var/www /root /home 2>/dev/null | grep "\.php" | grep -v "function\|password.* = \"\"\|password.* = ''" | sed '/^.\{150\}./d' | sort | uniq | sed "s,password,${C}[1;31m&${C}[0m,"
|
||||
grep -R -i "password" /etc 2>/dev/null | grep "conf" | grep -v ":#\|:/\*\|: \*" | sort | uniq | sed "s,password,${C}[1;31m&${C}[0m,"
|
||||
echo ""
|
||||
|
||||
##-- 29IF) Find possible files with passwords
|
||||
printf $Y"[+] "$GREEN"Finding 'pwd' or 'passw' string inside /home, /var/www, /etc, /root and list possible web(/var/www) and config(/etc) passwords(limit 70)\n"$NC
|
||||
grep -lRi "pwd\|passw" /home /var/www /etc /root 2>/dev/null | grep -v "$notExtensions" | sort | uniq | head -n 70
|
||||
##-- 32IF) Find possible files with passwords
|
||||
printf $Y"[+] "$GREEN"Finding 'pwd' or 'passw' string inside /home, /var/www, /etc, /root (limit 70)\n"$NC
|
||||
grep -lRiI "pwd\|passw" /home /var/www /etc /root 2>/dev/null | sort | uniq | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- 30IF) Specific hashes inside files
|
||||
##-- 33IF) Specific hashes inside files
|
||||
printf $Y"[+] "$GREEN"Looking for specific hashes inside files - less false positives (limit 70)\n"$NC
|
||||
regexblowfish='\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*'
|
||||
regexjoomlavbulletin='[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}'
|
||||
@ -1729,7 +1741,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
fi
|
||||
|
||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
||||
##-- 31IF) Specific hashes inside files
|
||||
##-- 34IF) Specific hashes inside files
|
||||
printf $Y"[+] "$GREEN"Looking for md5/sha1/sha256/sha512 hashes inside files (limit 50)\n"$NC
|
||||
regexmd5='(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)'
|
||||
regexsha1='(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)'
|
||||
|
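Review bot: In the hunk `@ -605,8 +607,8 @@` the new sed pattern on the "New path exported" line ends with `:\. ` — a literal space after `\.` — so a trailing `:.` at the very end of the exported PATH is never highlighted, while the `$OLDPATH` line directly above uses `:\.` with no space and does match it. The two lines should share the same alternation: `echo "New path exported: $PATH" 2>/dev/null | sed "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g"`. The enclosing SysI block starts and ends outside the hunk. Separately, in `@ -1644,18 +1656,18 @@` the hidden-files scan now runs `find / … -exec ls -l {} \;`, which forks one `ls` per matching file across the whole filesystem; `-exec ls -l {} +` batches the arguments and keeps the same output format.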