mirror of
https://github.com/carlospolop/PEASS-ng
synced 2024-11-27 14:13:38 +01:00
improvements
This commit is contained in:
parent
438e00527d
commit
4a0b8fb065
5
build_lists/download_regexes.ps1
Normal file
5
build_lists/download_regexes.ps1
Normal file
@ -0,0 +1,5 @@
|
||||
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
|
||||
$filePath = Join-Path $scriptDir "regexes.yaml"
|
||||
$url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
|
||||
|
||||
Invoke-WebRequest $url -OutFile $filePath
|
24
build_lists/download_regexes.py
Executable file
24
build_lists/download_regexes.py
Executable file
@ -0,0 +1,24 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import os
|
||||
import requests
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
def download_regexes():
|
||||
print("[+] Downloading regexes...")
|
||||
url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
|
||||
response = requests.get(url)
|
||||
if response.status_code == 200:
|
||||
# Save the content of the response to a file
|
||||
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
|
||||
target_file = script_folder / 'regexes.yaml'
|
||||
|
||||
with open(target_file, "w") as file:
|
||||
file.write(response.text)
|
||||
print(f"Downloaded and saved in '{target_file}' successfully!")
|
||||
else:
|
||||
print("Error: Unable to download the regexes file.")
|
||||
exit(1)
|
||||
|
||||
download_regexes()
|
File diff suppressed because it is too large
Load Diff
4622
linPEAS/builder/linpeas_base.sh
Normal file
4622
linPEAS/builder/linpeas_base.sh
Normal file
File diff suppressed because one or more lines are too long
@ -37,6 +37,7 @@ search_for_regex(){
|
||||
timeout 120 find /tmp /srv /Applications -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
|
||||
fi
|
||||
wait
|
||||
printf "\033[2K\r"
|
||||
}
|
||||
|
||||
|
||||
|
@ -218,7 +218,7 @@ checkProcSysBreakouts(){
|
||||
##############################################
|
||||
containerCheck
|
||||
|
||||
print_2title "Container related tools present"
|
||||
print_2title "Container related tools present (if any):"
|
||||
command -v docker
|
||||
command -v lxc
|
||||
command -v rkt
|
||||
@ -226,8 +226,10 @@ command -v kubectl
|
||||
command -v podman
|
||||
command -v runc
|
||||
|
||||
print_2title "Am I Containered?"
|
||||
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
|
||||
if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
|
||||
print_2title "Am I Containered?"
|
||||
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
|
||||
fi
|
||||
|
||||
print_2title "Container details"
|
||||
print_list "Is this a container? ...........$NC $containerType"
|
||||
@ -260,7 +262,7 @@ if echo "$containerType" | grep -qi "docker"; then
|
||||
print_2title "Docker Container details"
|
||||
inDockerGroup
|
||||
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "Looking and enumerating Docker Sockets\n"$NC
|
||||
print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
|
||||
enumerateDockerSockets
|
||||
print_list "Docker version .................$NC$dockerVersion"
|
||||
checkDockerVersionExploits
|
||||
@ -268,7 +270,7 @@ if echo "$containerType" | grep -qi "docker"; then
|
||||
print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
if [ "$inContainer" ]; then
|
||||
checkDockerRootless
|
||||
print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
|
||||
print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
|
||||
echo ""
|
||||
fi
|
||||
if df -h | grep docker; then
|
||||
@ -328,7 +330,6 @@ if [ "$inContainer" ]; then
|
||||
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
|
||||
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
|
||||
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
|
||||
|
@ -95,9 +95,9 @@ if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
||||
echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
|
||||
fi
|
||||
|
||||
if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
|
||||
echo "Current user has other interactive shells running" | sed -${E} "s,.*,${SED_RED},g";
|
||||
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
|
||||
if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
|
||||
echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
|
||||
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
|
||||
fi
|
||||
|
||||
else
|
||||
|
@ -527,7 +527,7 @@ STRINGS="$(command -v strings 2>/dev/null)"
|
||||
LDD="$(command -v ldd 2>/dev/null)"
|
||||
READELF="$(command -v readelf 2>/dev/null)"
|
||||
|
||||
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
|
||||
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/prl-opengl-switcher.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
|
||||
|
||||
notBackup="/tdbbackup$|/db_hotbackup$"
|
||||
|
||||
@ -542,7 +542,7 @@ mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier"
|
||||
|
||||
profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|cursor.sh|gawk.csh|gawk.sh|im-config_wayland.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|flatpak.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|xauthority.sh|Z97-byobu.sh|xdg_dirs_desktop_session.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh"
|
||||
|
||||
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
|
||||
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|mmyangfl@gmail.com|rogershimizu@gmail.com|thmarques@gmail.com"
|
||||
|
||||
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|dpkg-db-backup.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
|
||||
|
||||
@ -697,8 +697,8 @@ print_3title(){
|
||||
}
|
||||
|
||||
print_3title_no_nl(){
|
||||
echo -ne "\033[2K\r"
|
||||
printf ${BLUE}"\r══╣ $GREEN${1}..."$NC #There are 2 "═"
|
||||
printf "\033[2K\r"
|
||||
printf ${BLUE}"══╣ $GREEN${1}..."$NC #There are 2 "═"
|
||||
}
|
||||
|
||||
print_list(){
|
||||
|
@ -377,7 +377,7 @@ class LinpeasBuilder:
|
||||
|
||||
for values in regexes:
|
||||
section_name = values["name"]
|
||||
regexes_search_section += f'print_2title "Searching {section_name}"\n'
|
||||
regexes_search_section += f' print_2title "Searching {section_name}"\n'
|
||||
|
||||
for entry in values["regexes"]:
|
||||
name = entry["name"]
|
||||
|
@ -1,26 +1,11 @@
|
||||
import os
|
||||
import yaml
|
||||
import requests
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
def download_regexes():
|
||||
print("[+] Downloading regexes...")
|
||||
url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
|
||||
response = requests.get(url)
|
||||
if response.status_code == 200:
|
||||
# Save the content of the response to a file
|
||||
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
|
||||
target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'regexes.yaml'
|
||||
|
||||
with open(target_file, "w") as file:
|
||||
file.write(response.text)
|
||||
print(f"Downloaded and saved in '{target_file}' successfully!")
|
||||
else:
|
||||
print("Error: Unable to download the regexes file.")
|
||||
exit(1)
|
||||
|
||||
download_regexes()
|
||||
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
|
||||
target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'download_regexes.py'
|
||||
os.system(target_file)
|
||||
|
||||
CURRENT_DIR = os.path.dirname(os.path.realpath(__file__))
|
||||
|
||||
|
@ -53,6 +53,7 @@ $wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions someti
|
||||
## Parameters Examples
|
||||
|
||||
```bash
|
||||
winpeas.exe -h # Get Help
|
||||
winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
|
||||
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
|
||||
winpeas.exe notcolor #Do not color the output
|
||||
@ -64,35 +65,6 @@ winpeas.exe -linpeas=http://127.0.0.1/linpeas.sh #Execute also additional linpea
|
||||
winpeas.exe -lolbas #Execute also additional LOLBAS search check
|
||||
```
|
||||
|
||||
## Help
|
||||
```
|
||||
domain Enumerate domain information
|
||||
systeminfo Search system information
|
||||
userinfo Search user information
|
||||
processinfo Search processes information
|
||||
servicesinfo Search services information
|
||||
applicationsinfo Search installed applications information
|
||||
networkinfo Search network information
|
||||
windowscreds Search windows credentials
|
||||
browserinfo Search browser information
|
||||
filesinfo Search generic files that can contains credentials
|
||||
fileanalysis Search specific files that can contains credentials and for regexes inside files
|
||||
eventsinfo Display interesting events information
|
||||
|
||||
quiet Do not print banner
|
||||
notcolor Don't use ansi colors (all white)
|
||||
searchpf Search credentials via regex also in Program Files folders
|
||||
wait Wait for user input between checks
|
||||
debug Display debugging information - memory usage, method execution time
|
||||
log[=logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
|
||||
MaxRegexFileSize=1000000 Max file size (in Bytes) to search regex in. Default: 1000000B
|
||||
|
||||
Additional checks (slower):
|
||||
-lolbas Run additional LOLBAS check
|
||||
-linpeas=[url] Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL
|
||||
(default: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh)
|
||||
```
|
||||
|
||||
## Basic information
|
||||
|
||||
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
|
||||
|
Loading…
Reference in New Issue
Block a user