mirror of
https://github.com/carlospolop/PEASS-ng
synced 2024-11-27 14:13:38 +01:00
linpeas update
This commit is contained in:
parent
bbc22b3a91
commit
999fcff035
@ -47,6 +47,22 @@ chmod +x linpeas_linux_amd64
|
||||
./linpeas_linux_amd64
|
||||
```
|
||||
|
||||
## Firmware Analysis
|
||||
If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
|
||||
|
||||
- If you **can emulate** the firmware, just run linpeas inside of it:
|
||||
```bash
|
||||
cp /path/to/linpeas.sh /mnt/linpeas.sh
|
||||
chroot /mnt #Supposing you have mounted the firmware FS in /mnt
|
||||
bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
|
||||
```
|
||||
|
||||
- If you **cannot emulate** the firmware, use the `-f </path/to/folder` param:
|
||||
```bash
|
||||
# Point to the folder containing the files you want to analyze
|
||||
bash /path/to/linpeas.sh -f /path/to/folder
|
||||
```
|
||||
|
||||
## AV bypass
|
||||
```bash
|
||||
#open-ssl encryption
|
||||
@ -77,8 +93,9 @@ By default linpeas takes around **4 mins** to complete, but It could take from *
|
||||
- 1 min to monitor the processes in order to find very frequent cron jobs *(need `-a`)* - Notice that this check will need to **write** some info inside a file that will be deleted
|
||||
|
||||
**Interesting parameters:**
|
||||
- **-a** (all checks) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
|
||||
- **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
|
||||
- **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default**
|
||||
- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the silesystem**
|
||||
- **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
|
||||
- **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
|
||||
- **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took
|
||||
@ -93,12 +110,14 @@ This tool enum and search possible misconfigurations (known vulns, user, process
|
||||
-q Do not show banner
|
||||
-e Perform extra enumeration
|
||||
-s SuperFast (don't check some time consuming checks) - Stealth mode
|
||||
-a All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
|
||||
-a All checks except regexes - Noisy mode, for CTFs mainly
|
||||
-r Activate Regexes (this can take from some mins to several hours)
|
||||
-f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
|
||||
-w Wait execution between big blocks of checks
|
||||
-N Do not use colours
|
||||
-D Debug mode
|
||||
-P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
|
||||
-o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files). Select a comma separated list.
|
||||
-o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
|
||||
-L Force linpeas execution.
|
||||
-M Force macpeas execution.
|
||||
-d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
|
||||
@ -186,17 +205,12 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
|
||||
|
||||
Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/stores/peass)** and show your love for our favorite peas
|
||||
|
||||
## TODO
|
||||
## Collaborate
|
||||
|
||||
- Add more checks
|
||||
- Mantain updated the list of vulnerable SUID binaries
|
||||
- Mantain updated all the blacklists used to color the output
|
||||
|
||||
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
|
||||
If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
|
||||
|
||||
If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**.
|
||||
|
||||
|
||||
**Linpeas** is being **updated** every time I find something that could be useful to escalate privileges.
|
||||
|
||||
## Advisory
|
||||
|
8
linPEAS/TODO.md
Normal file
8
linPEAS/TODO.md
Normal file
@ -0,0 +1,8 @@
|
||||
- Add more checks
|
||||
- Add more potential files with passwords to sensitive_files.yaml
|
||||
- Add more regex of interesting APIs to regexes.yaml
|
||||
- Mantain updated the list of vulnerable SUID binaries
|
||||
- Mantain updated all the blacklists used to color the output
|
||||
- Improve the speed
|
||||
- Reduce the size of the script
|
||||
- Generate automatically an obfuscated version
|
@ -1,7 +1,7 @@
|
||||
from .src.peasLoaded import PEASLoaded
|
||||
from .src.linpeasBuilder import LinpeasBuilder
|
||||
from .src.linpeasBaseBuilder import LinpeasBaseBuilder
|
||||
from .src.yamlGlobals import FINAL_LINPEAS_PATH
|
||||
from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORARY_LINPEAS_BASE_PATH
|
||||
|
||||
import os
|
||||
import stat
|
||||
@ -18,7 +18,13 @@ def main():
|
||||
# Build final linpeas.sh
|
||||
lbuilder = LinpeasBuilder(ploaded)
|
||||
lbuilder.build()
|
||||
lbuilder.write_linpeas(FINAL_LINPEAS_PATH)
|
||||
lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH)
|
||||
lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS")
|
||||
os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
|
||||
|
||||
st = os.stat(FINAL_FAT_LINPEAS_PATH)
|
||||
os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
|
||||
|
||||
st = os.stat(FINAL_LINPEAS_PATH)
|
||||
os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
|
||||
|
||||
|
@ -31,8 +31,8 @@ if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "
|
||||
fi
|
||||
|
||||
#-- SY) CVE-2021-3560
|
||||
polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
|
||||
if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(rpm -qa | grep polkit | grep -c '0.117-2\|0.115-6')" -ge 1 ]]; then
|
||||
polkitVersion=$(systemctl status polkit.service 2>/dev/null | grep version | cut -d " " -f 9)
|
||||
if [ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 ] || [ "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" ]; then
|
||||
echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
echo ""
|
||||
fi
|
||||
@ -42,7 +42,7 @@ fi
|
||||
#-- https://stackoverflow.com/a/37939589
|
||||
kernelversion=$(uname -r | awk -F"-" '{print $1}')
|
||||
kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
|
||||
if [[ $kernelnumber -ge 5008000000 && $kernelnumber -lt 5017000000 ]]; then # if kernel version beteen 5.8 and 5.17
|
||||
if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version beteen 5.8 and 5.17
|
||||
echo "Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
echo ""
|
||||
fi
|
||||
@ -69,10 +69,15 @@ fi
|
||||
echo ""
|
||||
|
||||
#-- SY) PATH
|
||||
|
||||
print_2title "PATH"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
|
||||
echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
|
||||
else
|
||||
echo "New path exported: $PATH" 2>/dev/null
|
||||
fi
|
||||
echo ""
|
||||
|
||||
#-- SY) Date
|
||||
@ -104,7 +109,7 @@ fi
|
||||
|
||||
if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Unmounted file-system?"
|
||||
print_info "Check if you can mount unmounted devices"
|
||||
print_info "Check if you can mount umounted devices"
|
||||
grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
|
||||
echo ""
|
||||
fi
|
||||
@ -124,7 +129,7 @@ fi
|
||||
#-- SY) Environment vars
|
||||
print_2title "Environment"
|
||||
print_info "Any private information inside environment variables?"
|
||||
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
|
||||
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBERNETES" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
|
||||
echo ""
|
||||
|
||||
#-- SY) Dmesg
|
||||
@ -198,6 +203,22 @@ print_list "Execshield enabled? ............ "$NC
|
||||
print_list "SELinux enabled? ............... "$NC
|
||||
(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
|
||||
|
||||
#-- SY) Seccomp
|
||||
print_list "Seccomp enabled? ............... "$NC
|
||||
([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
|
||||
|
||||
#-- SY) AppArmor
|
||||
print_list "AppArmor profile? .............. "$NC
|
||||
(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
|
||||
|
||||
#-- SY) AppArmor
|
||||
print_list "User namespace? ................ "$NC
|
||||
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
|
||||
|
||||
#-- SY) cgroup2
|
||||
print_list "Cgroup2 enabled? ............... "$NC
|
||||
([ "$(grep cgroup2 /proc/filesystems)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
|
||||
|
||||
#-- SY) Gatekeeper
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_list "Gatekeeper enabled? .......... "$NC
|
||||
|
@ -26,6 +26,14 @@ containerCheck() {
|
||||
fi
|
||||
fi
|
||||
|
||||
# Inside concourse?
|
||||
if grep "/concourse" /proc/1/mounts -qa 2>/dev/null; then
|
||||
inContainer="1"
|
||||
if [ "$containerType" ]; then
|
||||
containerType="$containerType (concourse)\n"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Are we inside LXC?
|
||||
if env | grep "container=lxc" -qa 2>/dev/null ||
|
||||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
|
||||
@ -69,8 +77,10 @@ enumerateDockerSockets() {
|
||||
dockerVersion="$(echo_not_found)"
|
||||
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
|
||||
SEARCHED_DOCKER_SOCKETS="1"
|
||||
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
|
||||
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
|
||||
for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -n -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
|
||||
if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
|
||||
if echo "$int_sock" | grep -Eq "docker"; then
|
||||
dock_sock="$int_sock"
|
||||
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
|
||||
echo "Docker enummeration:"
|
||||
docker_enumerated=""
|
||||
@ -89,7 +99,11 @@ enumerateDockerSockets() {
|
||||
fi
|
||||
|
||||
else
|
||||
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
|
||||
echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g"
|
||||
fi
|
||||
|
||||
else
|
||||
echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -123,6 +137,39 @@ checkContainerExploits() {
|
||||
fi
|
||||
}
|
||||
|
||||
checkProcSysBreakouts(){
|
||||
if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then release_agent_breakout1="Yes"; else release_agent_breakout1="No"; fi
|
||||
|
||||
mkdir /tmp/cgroup_3628d4
|
||||
mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null
|
||||
if [ $? -eq 0 ]; then release_agent_breakout12="Yes"; else release_agent_breakout2="No"; fi
|
||||
rm -rf /tmp/cgroup_3628d4 2>/dev/null
|
||||
|
||||
core_pattern_breakout="$( (echo -n '' > /proc/sys/kernel/core_pattern && echo Yes) 2>/dev/null || echo No)"
|
||||
modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` || echo No)"
|
||||
panic_on_oom_dos="$( (echo -n '' > /proc/sys/vm/panic_on_oom && echo Yes) 2>/dev/null || echo No)"
|
||||
panic_sys_fs_dos="$( (echo -n '' > /proc/sys/fs/suid_dumpable && echo Yes) 2>/dev/null || echo No)"
|
||||
binfmt_misc_breakout="$( (echo -n '' > /proc/sys/fs/binfmt_misc/register && echo Yes) 2>/dev/null || echo No)"
|
||||
proc_configgz_readable="$([ -r '/proc/config.gz' ] 2>/dev/null && echo Yes || echo No)"
|
||||
sysreq_trigger_dos="$( (echo -n '' > /proc/sysrq-trigger && echo Yes) 2>/dev/null || echo No)"
|
||||
kmsg_readable="$( (dmesg > /dev/null 2>&1 && echo Yes) 2>/dev/null || echo No)" # Kernel Exploit Dev
|
||||
kallsyms_readable="$( (head -n 1 /proc/kallsyms > /dev/null && echo Yes )2>/dev/null || echo No)" # Kernel Exploit Dev
|
||||
mem_readable="$( (head -n 1 /proc/self/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
if [ "$(head -n 1 /tmp/kcore 2>/dev/null)" ]; then kcore_readable="Yes"; else kcore_readable="No"; fi
|
||||
kmem_readable="$( (head -n 1 /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
kmem_writable="$( (echo -n '' > /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
mem_readable="$( (head -n 1 /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
mem_writable="$( (echo -n '' > /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
sched_debug_readable="$( (head -n 1 /proc/sched_debug > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
mountinfo_readable="$( (head -n 1 /proc/*/mountinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
uevent_helper_breakout="$( (echo -n '' > /sys/kernel/uevent_helper && echo Yes) 2>/dev/null || echo No)"
|
||||
vmcoreinfo_readable="$( (head -n 1 /sys/kernel/vmcoreinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
security_present="$( (ls -l /sys/kernel/security > /dev/null && echo Yes) 2>/dev/null || echo No)"
|
||||
security_writable="$( (echo -n '' > /sys/kernel/security/a && echo Yes) 2>/dev/null || echo No)"
|
||||
efi_vars_writable="$( (echo -n '' > /sys/firmware/efi/vars && echo Yes) 2>/dev/null || echo No)"
|
||||
efi_efivars_writable="$( (echo -n '' > /sys/firmware/efi/efivars && echo Yes) 2>/dev/null || echo No)"
|
||||
}
|
||||
|
||||
|
||||
##############################################
|
||||
#---------------) Containers (---------------#
|
||||
@ -137,6 +184,9 @@ command -v kubectl
|
||||
command -v podman
|
||||
command -v runc
|
||||
|
||||
print_2title "Am I Containered?"
|
||||
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
|
||||
|
||||
print_2title "Container details"
|
||||
print_list "Is this a container? ...........$NC $containerType"
|
||||
|
||||
@ -177,6 +227,7 @@ if echo "$containerType" | grep -qi "docker"; then
|
||||
if [ "$inContainer" ]; then
|
||||
checkDockerRootless
|
||||
print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
|
||||
echo ""
|
||||
fi
|
||||
if df -h | grep docker; then
|
||||
print_2title "Docker Overlays"
|
||||
@ -184,6 +235,25 @@ if echo "$containerType" | grep -qi "docker"; then
|
||||
fi
|
||||
fi
|
||||
|
||||
#If token secrets mounted
|
||||
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
|
||||
print_2title "Listing mounted tokens"
|
||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
|
||||
ALREADY="IinItialVaaluE"
|
||||
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
|
||||
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
|
||||
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
|
||||
ALREADY="$ALREADY|$TOKEN"
|
||||
echo "Directory: $i"
|
||||
echo "Namespace: $(cat $i)"
|
||||
echo ""
|
||||
echo $TOKEN
|
||||
echo "================================================================================"
|
||||
echo ""
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$inContainer" ]; then
|
||||
echo ""
|
||||
print_2title "Container & breakout enumeration"
|
||||
@ -192,27 +262,90 @@ if [ "$inContainer" ]; then
|
||||
if echo "$containerType" | grep -qi "docker"; then
|
||||
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
|
||||
fi
|
||||
print_list "Seccomp enabled? ............... "$NC
|
||||
([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
|
||||
|
||||
print_list "AppArmor profile? .............. "$NC
|
||||
(cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
|
||||
|
||||
print_list "User proc namespace? ........... "$NC
|
||||
if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
|
||||
|
||||
checkContainerExploits
|
||||
print_list "Vulnerable to CVE-2019-5021 .. $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
|
||||
print_3title "Breakout via mounts"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
|
||||
|
||||
checkProcSysBreakouts
|
||||
print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
|
||||
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n"
|
||||
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n"
|
||||
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n"
|
||||
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n"
|
||||
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n"
|
||||
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n"
|
||||
print_list "/sys/kernel/security present ... $security_present\n"
|
||||
print_list "/sys/kernel/security writable .. $security_writable\n"
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
print_list "/proc/kmsg readable ............ $kmsg_readable\n"
|
||||
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n"
|
||||
print_list "/proc/self/mem readable ........ $sched_debug_readable\n"
|
||||
print_list "/proc/kcore readable ........... $kcore_readable\n"
|
||||
print_list "/proc/kmem readable ............ $kmem_readable\n"
|
||||
print_list "/proc/kmem writable ............ $kmem_writable\n"
|
||||
print_list "/proc/mem readable ............. $mem_readable\n"
|
||||
print_list "/proc/mem writable ............. $mem_writable\n"
|
||||
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n"
|
||||
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n"
|
||||
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
print_3title "Namespaces"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
|
||||
ls -l /proc/self/ns/
|
||||
|
||||
if echo "$containerType" | grep -qi "kubernetes"; then
|
||||
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
|
||||
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
|
||||
print_2title "Kubernetes Information"
|
||||
echo ""
|
||||
|
||||
print_2title "Kubernetes Information"
|
||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
|
||||
|
||||
|
||||
print_3title "Kubernetes service account folder"
|
||||
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
|
||||
echo ""
|
||||
|
||||
print_3title "Kubernetes env vars"
|
||||
(env | set) | grep -Ei "kubernetes|kube"
|
||||
(env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
|
||||
echo ""
|
||||
|
||||
print_3title "Current sa user k8s permissions"
|
||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
|
||||
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
|
||||
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
|
||||
-X 'POST' -H 'Content-Type: application/json' \
|
||||
--header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
|
||||
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_2title "Container Capabilities"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
|
||||
if [ "$(command -v capsh)" ]; then
|
||||
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
|
||||
else
|
||||
cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_2title "Privilege Mode"
|
||||
@ -228,7 +361,7 @@ if [ "$inContainer" ]; then
|
||||
echo ""
|
||||
|
||||
print_2title "Interesting Files Mounted"
|
||||
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,docker.sock,${SED_RED_YELLOW},"
|
||||
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
print_2title "Possible Entrypoints"
|
||||
|
277
linPEAS/builder/linpeas_parts/3_cloud.sh
Normal file
277
linPEAS/builder/linpeas_parts/3_cloud.sh
Normal file
@ -0,0 +1,277 @@
|
||||
###########################################
|
||||
#-----------) Cloud functions (-----------#
|
||||
###########################################
|
||||
|
||||
GCP_GOOD_SCOPES="/devstorage.read_only|/logging.write|/monitoring|/servicecontrol|/service.management.readonly|/trace.append"
|
||||
GCP_BAD_SCOPES="/cloud-platform|/compute"
|
||||
|
||||
exec_with_jq(){
|
||||
if [ "$(command -v jq)" ]; then
|
||||
$@ | jq;
|
||||
else
|
||||
$@;
|
||||
fi
|
||||
}
|
||||
|
||||
check_gcp(){
|
||||
is_gcp="No"
|
||||
if grep -q metadata.google.internal /etc/hosts 2>/dev/null || (curl --connect-timeout 2 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]); then
|
||||
is_gcp="Yes"
|
||||
fi
|
||||
}
|
||||
|
||||
check_aws_ecs(){
|
||||
is_aws_ecs="No"
|
||||
if (env | grep -q ECS_CONTAINER_METADATA_URI_v4); then
|
||||
is_aws_ecs="Yes";
|
||||
aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI_v4;
|
||||
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
|
||||
|
||||
elif (env | grep -q ECS_CONTAINER_METADATA_URI); then
|
||||
is_aws_ecs="Yes";
|
||||
aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI;
|
||||
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
|
||||
|
||||
elif (env | grep -q AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); then
|
||||
is_aws_ecs="Yes";
|
||||
|
||||
|
||||
elif (curl --connect-timeout 2 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 "http://169.254.170.2/v2/credentials/" >/dev/null 2>&1 && [ "$?" -eq "0" ]); then
|
||||
is_aws_ecs="Yes";
|
||||
|
||||
fi
|
||||
|
||||
if [ "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
|
||||
aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
|
||||
fi
|
||||
}
|
||||
|
||||
check_aws_ec2(){
|
||||
is_aws_ec2="No"
|
||||
|
||||
if [ -d "/var/log/amazon/" ]; then
|
||||
is_aws_ec2="Yes"
|
||||
EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
|
||||
|
||||
else
|
||||
EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
|
||||
if [ "$(echo $EC2_TOKEN | cut -c1-2)" = "AQ" ]; then
|
||||
is_aws_ec2="Yes"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_aws_lambda(){
|
||||
is_aws_lambda="No"
|
||||
|
||||
if (env | grep -q AWS_LAMBDA_); then
|
||||
is_aws_lambda="Yes"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
check_gcp
|
||||
print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_aws_ecs
|
||||
print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_aws_ec2
|
||||
print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_aws_lambda
|
||||
print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
|
||||
echo ""
|
||||
|
||||
if [ "$is_gcp" = "Yes" ]; then
|
||||
gcp_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
gcp_req='curl -s -f -H "X-Google-Metadata-Request: True"'
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
gcp_req='wget -q -O - --header "X-Google-Metadata-Request: True"'
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
|
||||
if [ "$gcp_req" ]; then
|
||||
print_2title "Google CLoud Platform Enumeration"
|
||||
print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
|
||||
|
||||
## GC Project Info
|
||||
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
|
||||
[ "$p_id" ] && echo "Project-ID: $p_id"
|
||||
p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
|
||||
[ "$p_num" ] && echo "Project Number: $p_num"
|
||||
pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
|
||||
[ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
|
||||
p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
|
||||
[ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
|
||||
|
||||
# OSLogin Info
|
||||
osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
|
||||
[ "$osl_u" ] && echo "OSLogin users: $osl_u"
|
||||
osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
|
||||
[ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
|
||||
osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
|
||||
[ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
|
||||
osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
|
||||
[ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
|
||||
|
||||
# Instance Info
|
||||
inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
|
||||
[ "$inst_d" ] && echo "Instance Description: "
|
||||
inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
|
||||
[ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
|
||||
inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
|
||||
[ "$inst_id" ] && echo "Instance ID: $inst_id"
|
||||
inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
|
||||
[ "$inst_img" ] && echo "Instance Image: $inst_img"
|
||||
inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
|
||||
[ "$inst_mt" ] && echo "Machine Type: $inst_mt"
|
||||
inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
|
||||
[ "$inst_n" ] && echo "Instance Name: $inst_n"
|
||||
inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
|
||||
[ "$inst_tag" ] && echo "Instance tags: $inst_tag"
|
||||
inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
|
||||
[ "$inst_zone" ] && echo "Zone: $inst_zone"
|
||||
|
||||
inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
|
||||
[ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
|
||||
inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
|
||||
[ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
|
||||
inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
|
||||
[ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
|
||||
inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
|
||||
[ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
|
||||
inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
|
||||
[ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
|
||||
inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
|
||||
[ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
|
||||
|
||||
echo ""
|
||||
print_3title "Interfaces"
|
||||
for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do
|
||||
echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
|
||||
echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
|
||||
echo " Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
|
||||
echo " DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
|
||||
echo " Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
|
||||
echo " ============== "
|
||||
done
|
||||
|
||||
echo ""
|
||||
print_3title "Service Accounts"
|
||||
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
|
||||
echo " Name: $sa"
|
||||
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
|
||||
echo " Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
|
||||
echo " Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
|
||||
echo " Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
|
||||
echo " Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
|
||||
echo " ============== "
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ "$is_aws_ecs" = "Yes" ]; then
|
||||
print_2title "AWS ECS Enumeration"
|
||||
|
||||
aws_ecs_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
aws_ecs_req='curl -s -f'
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
aws_ecs_req='wget -q -O -'
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
if [ "$aws_ecs_metadata_uri" ]; then
|
||||
print_3title "Container Info"
|
||||
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri"
|
||||
echo ""
|
||||
|
||||
print_3title "Task Info"
|
||||
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task"
|
||||
echo ""
|
||||
else
|
||||
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
|
||||
fi
|
||||
|
||||
if [ "$aws_ecs_service_account_uri" ]; then
|
||||
print_3title "IAM Role"
|
||||
exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri"
|
||||
echo ""
|
||||
else
|
||||
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$is_aws_ec2" = "Yes" ]; then
|
||||
print_2title "AWS EC2 Enumeration"
|
||||
|
||||
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
|
||||
URL="http://169.254.169.254/latest/meta-data"
|
||||
|
||||
aws_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
aws_req='curl -s -f -H "$HEADER"'
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
aws_req='wget -q -O - -H "$HEADER"'
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
if [ "$aws_req" ]; then
|
||||
printf "ami-id: "; $aws_req "$URL/ami-id"; echo ""
|
||||
printf "instance-action: "; $aws_req "$URL/instance-action"; echo ""
|
||||
printf "instance-id: "; $aws_req "$URL/instance-id"; echo ""
|
||||
printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo ""
|
||||
printf "instance-type: "; $aws_req "$URL/instance-type"; echo ""
|
||||
printf "region: "; $aws_req "$URL/placement/region"; echo ""
|
||||
|
||||
echo ""
|
||||
print_3title "Account Info"
|
||||
exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo ""
|
||||
|
||||
echo ""
|
||||
print_3title "Network Info"
|
||||
for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
|
||||
echo "Mac: $mac"
|
||||
printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
|
||||
printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
|
||||
printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
|
||||
echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
|
||||
printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
|
||||
echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
|
||||
printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
|
||||
echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
|
||||
echo ""
|
||||
done
|
||||
|
||||
echo ""
|
||||
print_3title "IAM Role"
|
||||
exec_with_jq $aws_req "$URL/iam/info"; echo ""
|
||||
for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
|
||||
echo "Role: $role"
|
||||
exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo ""
|
||||
echo ""
|
||||
done
|
||||
|
||||
echo ""
|
||||
print_3title "User Data"
|
||||
$aws_req "http://169.254.169.254/latest/user-data"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$is_aws_lambda" = "Yes" ]; then
|
||||
print_2title "AWS Lambda Enumeration"
|
||||
printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
|
||||
printf "Region: "; env | grep AWS_REGION
|
||||
printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
|
||||
printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
|
||||
printf "Session token: "; env | grep AWS_SESSION_TOKEN
|
||||
printf "Security token: "; env | grep AWS_SECURITY_TOKEN
|
||||
printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
|
||||
printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
|
||||
fi
|
||||
|
@ -213,12 +213,6 @@ if ! [ "$IAMROOT" ]; then
|
||||
fi
|
||||
done
|
||||
done
|
||||
if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then
|
||||
echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then
|
||||
echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_2title "Unix Sockets Listening"
|
@ -110,10 +110,14 @@ if [ "$AUTO_NETWORK_SCAN" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
|
||||
fi
|
||||
|
||||
if [ "$AUTO_NETWORK_SCAN" ]; then
|
||||
if ! [ "$FOUND_NC" ]; then
|
||||
if ! [ "$FOUND_NC" ] && ! [ "$FOUND_BASH" ]; then
|
||||
printf $RED"[-] $SCAN_BAN_BAD\n$NC"
|
||||
echo "The network is not going to be scanned..."
|
||||
|
||||
elif ! [ "$(command -v ifconfig)" ] && ! [ "$(command -v ip a)" ]; then
|
||||
printf $RED"[-] No ifconfig or ip commands, cannot find local ips\n$NC"
|
||||
echo "The network is not going to be scanned..."
|
||||
|
||||
else
|
||||
print_2title "Scanning local networks (using /24)"
|
||||
|
||||
@ -122,7 +126,7 @@ if [ "$AUTO_NETWORK_SCAN" ]; then
|
||||
fi
|
||||
|
||||
select_nc
|
||||
local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
|
||||
local_ips=$( (ip a 2>/dev/null || ifconfig) | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
|
||||
printf "%s\n" "$local_ips" | while read local_ip; do
|
||||
if ! [ -z "$local_ip" ]; then
|
||||
print_3title "Discovering hosts in $local_ip/24"
|
@ -60,18 +60,18 @@ fi
|
||||
#-- UI) Sudo -l
|
||||
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
||||
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
||||
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
||||
if [ "$PASSWORD" ]; then
|
||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo"
|
||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
|
||||
fi
|
||||
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "/etc/sudoers"
|
||||
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers"
|
||||
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
||||
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
fi
|
||||
for filename in /etc/sudoers.d/*; do
|
||||
for filename in '/etc/sudoers.d/*'; do
|
||||
if [ -r "$filename" ]; then
|
||||
echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},"
|
||||
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
@ -1,638 +0,0 @@
|
||||
###########################################
|
||||
#----------) Interesting files (----------#
|
||||
###########################################
|
||||
|
||||
check_critial_root_path(){
|
||||
folder_path="$1"
|
||||
if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
##-- IF) SUID
|
||||
print_2title "SUID - Check easy privesc, exploits and write perms"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
||||
if ! [ "$STRINGS" ]; then
|
||||
echo_not_found "strings"
|
||||
fi
|
||||
if ! [ "$STRACE" ]; then
|
||||
echo_not_found "strace"
|
||||
fi
|
||||
suids_files=$(find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
for s in $suids_files; do
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total"; then break; fi
|
||||
|
||||
sname="$(echo $s | awk '{print $9}')"
|
||||
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
|
||||
true #Don't do nothing
|
||||
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
|
||||
echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
c="a"
|
||||
for b in $sidB; do
|
||||
if echo $s | grep -q $(echo $b | cut -d % -f 1); then
|
||||
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
|
||||
c=""
|
||||
break;
|
||||
fi
|
||||
done;
|
||||
if [ "$c" ]; then
|
||||
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
|
||||
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED},"
|
||||
printf $ITALIC
|
||||
if ! [ "$FAST" ] && [ "$STRINGS" ]; then
|
||||
$STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
|
||||
sline_first="$(echo "$sline" | cut -d ' ' -f1)"
|
||||
if echo "$sline_first" | grep -qEv "$cfuncs"; then
|
||||
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
fi
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then
|
||||
printf $ITALIC
|
||||
echo "----------------------------------------------------------------------------------------"
|
||||
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
|
||||
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
|
||||
export LD_LIBRARY_PATH=""
|
||||
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
|
||||
printf $NC
|
||||
export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH
|
||||
echo "----------------------------------------------------------------------------------------"
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
|
||||
|
||||
##-- IF) SGID
|
||||
print_2title "SGID"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
||||
sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
for s in $sgids_files; do
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total";then break; fi
|
||||
|
||||
sname="$(echo $s | awk '{print $9}')"
|
||||
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
|
||||
true #Don't do nothing
|
||||
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
|
||||
echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
c="a"
|
||||
for b in $sidB; do
|
||||
if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then
|
||||
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
|
||||
c=""
|
||||
break;
|
||||
fi
|
||||
done;
|
||||
if [ "$c" ]; then
|
||||
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
|
||||
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED},"
|
||||
printf $ITALIC
|
||||
if ! [ "$FAST" ] && [ "$STRINGS" ]; then
|
||||
$STRINGS "$sname" | sort | uniq | while read sline; do
|
||||
sline_first="$(echo $sline | cut -d ' ' -f1)"
|
||||
if echo "$sline_first" | grep -qEv "$cfuncs"; then
|
||||
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
|
||||
fi
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then
|
||||
printf "$ITALIC"
|
||||
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
|
||||
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
|
||||
printf "$NC"
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
|
||||
##-- IF) Misconfigured ld.so
|
||||
print_2title "Checking misconfigurations of ld.so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
|
||||
printf $ITALIC"/etc/ld.so.conf\n"$NC;
|
||||
cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
cat /etc/ld.so.conf 2>/dev/null | while read l; do
|
||||
if echo "$l" | grep -q include; then
|
||||
ini_path=$(echo "$l" | cut -d " " -f 2)
|
||||
fpath=$(dirname "$ini_path")
|
||||
if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
for f in $fpath/*; do
|
||||
printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
done
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) Capabilities
|
||||
print_2title "Capabilities"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
||||
echo "Current capabilities:"
|
||||
(capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh"
|
||||
(cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status"
|
||||
echo ""
|
||||
echo "Shell capabilities:"
|
||||
(capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh"
|
||||
(cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$PPID/status"
|
||||
echo ""
|
||||
echo "Files with capabilities (limited to 50):"
|
||||
getcap -r / 2>/dev/null | head -n 50 | while read cb; do
|
||||
capsVB_vuln=""
|
||||
|
||||
for capVB in $capsVB; do
|
||||
capname="$(echo $capVB | cut -d ':' -f 1)"
|
||||
capbins="$(echo $capVB | cut -d ':' -f 2)"
|
||||
if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then
|
||||
echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
capsVB_vuln="1"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if ! [ "$capsVB_vuln" ]; then
|
||||
echo "$cb" | sed -${E} "s,$capsB,${SED_RED},"
|
||||
fi
|
||||
|
||||
if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then
|
||||
echo "$cb is writable" | sed -${E} "s,.*,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) Users with capabilities
|
||||
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Users with capabilities"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
||||
if [ -f "/etc/security/capability.conf" ]; then
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
else echo_not_found "/etc/security/capability.conf"
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Files with ACLs
|
||||
print_2title "Files with ACLs (limited to 50)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
|
||||
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
|
||||
if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow)
|
||||
ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- IF) Files with ResourceFork
|
||||
#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER
|
||||
# print_2title "Files with ResourceFork"
|
||||
# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads"
|
||||
# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork"
|
||||
#fi
|
||||
#echo ""
|
||||
|
||||
##-- IF) .sh files in PATH
|
||||
print_2title ".sh files in path"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
|
||||
echo $PATH | tr ":" "\n" | while read d; do
|
||||
for f in $(find "$d" -name "*.sh" 2>/dev/null); do
|
||||
if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
|
||||
echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},";
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo ""
|
||||
|
||||
|
||||
broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)
|
||||
if [ "$broken_links" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Broken links in path"
|
||||
echo $PATH | tr ":" "\n" | while read d; do
|
||||
find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Unsigned Applications"
|
||||
macosNotSigned /System/Applications
|
||||
fi
|
||||
|
||||
##-- IF) Unexpected in /opt
|
||||
if [ "$(ls /opt 2>/dev/null)" ]; then
|
||||
print_2title "Unexpected in /opt (usually empty)"
|
||||
ls -la /opt
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Unexpected folders in /
|
||||
print_2title "Unexpected in root"
|
||||
if [ "$MACPEAS" ]; then
|
||||
(find / -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
|
||||
else
|
||||
(find / -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- IF) Files (scripts) in /etc/profile.d/
|
||||
print_2title "Files (scripts) in /etc/profile.d/"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
|
||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
|
||||
check_critial_root_path "/etc/profile"
|
||||
check_critial_root_path "/etc/profile.d/"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- IF) Files (scripts) in /etc/init.d/
|
||||
print_2title "Permissions in init, init.d, systemd, and rc.d"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
|
||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||
check_critial_root_path "/etc/init/"
|
||||
check_critial_root_path "/etc/init.d/"
|
||||
check_critial_root_path "/etc/rc.d/init.d"
|
||||
check_critial_root_path "/usr/local/etc/rc.d"
|
||||
check_critial_root_path "/etc/rc.d"
|
||||
check_critial_root_path "/etc/systemd/"
|
||||
check_critial_root_path "/lib/systemd/"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
##-- IF) Hashes in passwd file
|
||||
print_list "Hashes inside passwd file? ........... "
|
||||
if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Writable in passwd file
|
||||
print_list "Writable passwd file? ................ "
|
||||
if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Credentials in fstab
|
||||
print_list "Credentials in fstab/mtab? ........... "
|
||||
if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Read shadow files
|
||||
print_list "Can I read shadow files? ............. "
|
||||
if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
print_list "Can I read shadow plists? ............ "
|
||||
possible_check=""
|
||||
(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
|
||||
|
||||
print_list "Can I write shadow plists? ........... "
|
||||
possible_check=""
|
||||
(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
|
||||
|
||||
##-- IF) Read opasswd file
|
||||
print_list "Can I read opasswd file? ............. "
|
||||
if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo ""
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) network-scripts
|
||||
print_list "Can I write in network-scripts? ...... "
|
||||
if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Read root dir
|
||||
print_list "Can I read root folder? .............. "
|
||||
(ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no
|
||||
echo ""
|
||||
|
||||
##-- IF) Root files in home dirs
|
||||
print_2title "Searching root files in home dirs (limit 30)"
|
||||
(find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Others files in my dirs
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Searching folders owned by me containing others files on it (limit 100)"
|
||||
(find / -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Readable files belonging to root and not world readable
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Readable files belonging to root and readable by me but not world readable"
|
||||
(find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Modified interesting files into specific folders in the last 5mins
|
||||
print_2title "Modified interesting files in the last 5mins (limit 100)"
|
||||
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED},"
|
||||
echo ""
|
||||
|
||||
##-- IF) Writable log files
|
||||
print_2title "Writable log files (logrotten) (limit 100)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
|
||||
logrotate --version 2>/dev/null || echo_not_found "logrotate"
|
||||
lastWlogFolder="ImPOsSiBleeElastWlogFolder"
|
||||
logfind=$(find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100)
|
||||
printf "%s\n" "$logfind" | while read log; do
|
||||
if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found
|
||||
if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC;
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log";
|
||||
elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g";
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
echo ""
|
||||
|
||||
##-- IF) Files inside my home
|
||||
print_2title "Files inside $HOME (limit 20)"
|
||||
(ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Files inside /home
|
||||
print_2title "Files inside others home (limit 20)"
|
||||
(find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Mail applications
|
||||
print_2title "Searching installed mail applications"
|
||||
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
|
||||
echo ""
|
||||
|
||||
##-- IF) Mails
|
||||
print_2title "Mails (limit 50)"
|
||||
(find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_GREEN},g") || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Backup folders
|
||||
print_2title "Backup folders"
|
||||
printf "%s\n" "$backup_folders" | while read b ; do
|
||||
ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g";
|
||||
ls -l "$b" 2>/dev/null && echo ""
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) Backup files
|
||||
print_2title "Backup files (limited 100)"
|
||||
backs=$(find / -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null)
|
||||
printf "%s\n" "$backs" | head -n 100 | while read b ; do
|
||||
if [ -r "$b" ]; then
|
||||
ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g";
|
||||
fi;
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) DB files
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Reading messages database"
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null
|
||||
|
||||
fi
|
||||
print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)"
|
||||
FILECMD="$(command -v file 2>/dev/null)"
|
||||
if [ "$PSTORAGE_DATABASE" ]; then
|
||||
printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
|
||||
if [ "$FILECMD" ]; then
|
||||
echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
|
||||
else
|
||||
echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
|
||||
fi
|
||||
done
|
||||
SQLITEPYTHON=""
|
||||
echo ""
|
||||
printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
|
||||
if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd
|
||||
if [ "$(command -v sqlite3 2>/dev/null)" ]; then
|
||||
tables=$(sqlite3 $f ".tables" 2>/dev/null)
|
||||
#printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
|
||||
elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then
|
||||
SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null)
|
||||
tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null)
|
||||
#printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
|
||||
else
|
||||
tables=""
|
||||
fi
|
||||
if [ "$tables" ] || [ "$DEBUG" ]; then
|
||||
printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC
|
||||
printf "%s\n" "$tables" | while read t; do
|
||||
columns=""
|
||||
# Search for credentials inside the table using sqlite3
|
||||
if [ -z "$SQLITEPYTHON" ]; then
|
||||
columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE")
|
||||
# Search for credentials inside the table using python
|
||||
else
|
||||
columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null)
|
||||
fi
|
||||
#Check found columns for interesting fields
|
||||
INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt")
|
||||
if [ "$INTCOLUMN" ]; then
|
||||
printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g"
|
||||
printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g"
|
||||
(sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head
|
||||
fi
|
||||
echo ""
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
echo ""
|
||||
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Downloaded Files"
|
||||
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|"
|
||||
fi
|
||||
|
||||
##-- IF) Web files
|
||||
print_2title "Web files?(output limit)"
|
||||
ls -alhR /var/www/ 2>/dev/null | head
|
||||
ls -alhR /srv/www/htdocs/ 2>/dev/null | head
|
||||
ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head
|
||||
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
|
||||
echo ""
|
||||
|
||||
##-- IF) All hidden files
|
||||
print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)"
|
||||
find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- IF) Readable files in /tmp, /var/tmp, bachups
|
||||
print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)"
|
||||
filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70)
|
||||
printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done
|
||||
echo ""
|
||||
|
||||
##-- IF) Interesting writable files by ownership or all
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
||||
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
|
||||
obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
|
||||
printf "%s\n" "$obmowbe" | while read entry; do
|
||||
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
|
||||
elif echo "$entry" | grep -qE "$writeVB"; then
|
||||
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Interesting writable files by group
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Interesting GROUP writable files (not in Home) (max 500)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
||||
for g in $(groups); do
|
||||
iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
|
||||
if [ "$iwfbg" ] || [ "$DEBUG" ]; then
|
||||
printf " Group $GREEN$g:\n$NC";
|
||||
printf "%s\n" "$iwfbg" | while read entry; do
|
||||
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
|
||||
elif echo "$entry" | grep -Eq "$writeVB"; then
|
||||
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords in history files
|
||||
if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching passwords in history files"
|
||||
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords in config PHP files
|
||||
if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching passwords in config PHP files"
|
||||
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords files in home
|
||||
if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching *password* or *credential* files in home (limit 70)"
|
||||
(printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) TTY passwords
|
||||
print_2title "Checking for TTY (sudo/su) passwords in audit logs"
|
||||
aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g"
|
||||
find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
##-- IF) IPs inside logs
|
||||
if [ "$DEBUG" ]; then
|
||||
print_2title "Searching IPs inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords inside logs
|
||||
print_2title "Searching passwords inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
|
||||
echo ""
|
||||
|
||||
if [ "$DEBUG" ]; then
|
||||
##-- IF) Emails inside logs
|
||||
print_2title "Searching emails inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
|
||||
##-- IF) Find possible files with passwords
|
||||
print_2title "Searching passwords inside key folders (limit 70) - only PHP files"
|
||||
intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null)
|
||||
printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
print_2title "Searching passwords inside key folders (limit 70) - no PHP files"
|
||||
printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
##-- IF) Find possible files with passwords
|
||||
print_2title "Searching possible password variables inside key folders (limit 140)"
|
||||
timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
wait
|
||||
echo ""
|
||||
|
||||
##-- IF) Find possible conf files with passwords
|
||||
print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
|
||||
ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
|
||||
printf "%s\n" "$ppicf" | while read f; do
|
||||
if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then
|
||||
echo "$ITALIC $f$NC"
|
||||
grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) Find possible regexes
|
||||
peass{REGEXES}
|
||||
fi
|
@ -5,11 +5,14 @@
|
||||
NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
|
||||
|
||||
#-- SI) Useful software
|
||||
if ! [ "SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Useful software"
|
||||
for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
#-- SI) Search for compilers
|
||||
if ! [ "SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Installed Compilers"
|
||||
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
|
||||
echo ""
|
||||
@ -25,6 +28,7 @@ if [ "$(command -v brew 2>/dev/null)" ]; then
|
||||
brew list
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Writable Installed Applications"
|
||||
@ -43,13 +47,14 @@ fi
|
||||
|
||||
#-- SI) Mysql version
|
||||
if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then
|
||||
print_2title "MySQL"
|
||||
print_2title "MySQL version"
|
||||
mysql --version 2>/dev/null || echo_not_found "mysql"
|
||||
mysqluser=$(systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1)
|
||||
if [ "$mysqluser" ]; then
|
||||
echo "MySQL user: $mysqluser" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
|
||||
fi
|
||||
echo ""
|
||||
echo ""
|
||||
|
||||
#-- SI) Mysql connection root/root
|
||||
print_list "MySQL connection using default root/root ........... "
|
||||
@ -84,7 +89,7 @@ fi
|
||||
if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching mysql credentials and exec"
|
||||
printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
|
||||
if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]; then
|
||||
if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]; then # Only interested in "mysql" that are folders (filesaren't the ones with creds)
|
||||
STRINGS="`command -v strings`"
|
||||
echo "Potential file containing credentials:"
|
||||
ls -l "$d"
|
||||
@ -146,7 +151,7 @@ if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some O
|
||||
fi
|
||||
|
||||
print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ "
|
||||
if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.)*,${SED_RED},"
|
||||
if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
@ -211,10 +216,12 @@ fi
|
||||
#-- SI) ssh files
|
||||
print_2title "Searching ssl/ssh files"
|
||||
if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
|
||||
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
|
||||
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
|
||||
writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
||||
fi
|
||||
|
||||
peass{SSH}
|
||||
|
||||
@ -400,7 +407,7 @@ if [ "$adhashes" ] || [ "$DEBUG" ]; then
|
||||
fi
|
||||
|
||||
#-- SI) Screen sessions
|
||||
if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then
|
||||
if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Searching screen sessions"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
|
||||
screensess=$(screen -ls 2>/dev/null)
|
||||
@ -419,7 +426,7 @@ fi
|
||||
tmuxdefsess=$(tmux ls 2>/dev/null)
|
||||
tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
|
||||
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
|
||||
if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then
|
||||
if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Searching tmux sessions"$N
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
|
||||
tmux -V
|
||||
@ -457,6 +464,12 @@ peass{Mosquitto}
|
||||
|
||||
peass{Neo4j}
|
||||
|
||||
AWSVAULT="$(command -v aws-vault 2>/dev/null)"
|
||||
if [ "$AWSVAULT" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Check aws-vault"
|
||||
aws-vault list
|
||||
fi
|
||||
|
||||
peass{Cloud Credentials}
|
||||
|
||||
peass{Cloud Init}
|
||||
@ -551,7 +564,7 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
|
||||
if [ "$containerd" ]; then
|
||||
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
|
||||
ctr image list
|
||||
ctr image list 2>&1
|
||||
fi
|
||||
echo ""
|
||||
fi
|
712
linPEAS/builder/linpeas_parts/8_interesting_files.sh
Normal file
712
linPEAS/builder/linpeas_parts/8_interesting_files.sh
Normal file
@ -0,0 +1,712 @@
|
||||
###########################################
|
||||
#----------) Interesting files (----------#
|
||||
###########################################
|
||||
|
||||
check_critial_root_path(){
|
||||
folder_path="$1"
|
||||
if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
##-- IF) SUID
|
||||
print_2title "SUID - Check easy privesc, exploits and write perms"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
||||
if ! [ "$STRINGS" ]; then
|
||||
echo_not_found "strings"
|
||||
fi
|
||||
if ! [ "$STRACE" ]; then
|
||||
echo_not_found "strace"
|
||||
fi
|
||||
suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
for s in $suids_files; do
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total"; then break; fi
|
||||
|
||||
sname="$(echo $s | awk '{print $9}')"
|
||||
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
|
||||
true #Don't do nothing
|
||||
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
|
||||
echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
c="a"
|
||||
for b in $sidB; do
|
||||
if echo $s | grep -q $(echo $b | cut -d % -f 1); then
|
||||
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
|
||||
c=""
|
||||
break;
|
||||
fi
|
||||
done;
|
||||
if [ "$c" ]; then
|
||||
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
|
||||
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED},"
|
||||
printf $ITALIC
|
||||
if ! [ "$FAST" ] && [ "$STRINGS" ]; then
|
||||
$STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
|
||||
sline_first="$(echo "$sline" | cut -d ' ' -f1)"
|
||||
if echo "$sline_first" | grep -qEv "$cfuncs"; then
|
||||
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
fi
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then
|
||||
printf $ITALIC
|
||||
echo "----------------------------------------------------------------------------------------"
|
||||
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
|
||||
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
|
||||
export LD_LIBRARY_PATH=""
|
||||
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
|
||||
printf $NC
|
||||
export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH
|
||||
echo "----------------------------------------------------------------------------------------"
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
|
||||
|
||||
##-- IF) SGID
|
||||
print_2title "SGID"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
||||
sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
for s in $sgids_files; do
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total";then break; fi
|
||||
|
||||
sname="$(echo $s | awk '{print $9}')"
|
||||
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
|
||||
true #Don't do nothing
|
||||
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
|
||||
echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
c="a"
|
||||
for b in $sidB; do
|
||||
if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then
|
||||
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
|
||||
c=""
|
||||
break;
|
||||
fi
|
||||
done;
|
||||
if [ "$c" ]; then
|
||||
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
|
||||
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED},"
|
||||
printf $ITALIC
|
||||
if ! [ "$FAST" ] && [ "$STRINGS" ]; then
|
||||
$STRINGS "$sname" | sort | uniq | while read sline; do
|
||||
sline_first="$(echo $sline | cut -d ' ' -f1)"
|
||||
if echo "$sline_first" | grep -qEv "$cfuncs"; then
|
||||
if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
|
||||
fi
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then
|
||||
printf "$ITALIC"
|
||||
echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..."
|
||||
timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
|
||||
printf "$NC"
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
|
||||
##-- IF) Misconfigured ld.so
|
||||
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||
print_2title "Checking misconfigurations of ld.so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
|
||||
printf $ITALIC"/etc/ld.so.conf\n"$NC;
|
||||
cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
cat /etc/ld.so.conf 2>/dev/null | while read l; do
|
||||
if echo "$l" | grep -q include; then
|
||||
ini_path=$(echo "$l" | cut -d " " -f 2)
|
||||
fpath=$(dirname "$ini_path")
|
||||
if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
for f in $fpath/*; do
|
||||
printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
done
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Capabilities
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Capabilities"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
||||
if [ "$(command -v capsh)" ]; then
|
||||
echo "Current env capabilities:"
|
||||
(capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh"
|
||||
echo "Current proc capabilities:"
|
||||
(cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status"
|
||||
echo ""
|
||||
echo "Parent Shell capabilities:"
|
||||
(capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh"
|
||||
else
|
||||
echo "Current capabilities:"
|
||||
cat /proc/self/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g"
|
||||
echo ""
|
||||
echo "Shell capabilities:"
|
||||
cat /proc/$PPID/status | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s,0000000000000000|0000003fffffffff,${SED_GREEN},g"
|
||||
fi
|
||||
echo ""
|
||||
echo "Files with capabilities (limited to 50):"
|
||||
getcap -r / 2>/dev/null | head -n 50 | while read cb; do
|
||||
capsVB_vuln=""
|
||||
|
||||
for capVB in $capsVB; do
|
||||
capname="$(echo $capVB | cut -d ':' -f 1)"
|
||||
capbins="$(echo $capVB | cut -d ':' -f 2)"
|
||||
if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then
|
||||
echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
capsVB_vuln="1"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if ! [ "$capsVB_vuln" ]; then
|
||||
echo "$cb" | sed -${E} "s,$capsB,${SED_RED},"
|
||||
fi
|
||||
|
||||
if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then
|
||||
echo "$cb is writable" | sed -${E} "s,.*,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Users with capabilities
|
||||
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Users with capabilities"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
||||
if [ -f "/etc/security/capability.conf" ]; then
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
else echo_not_found "/etc/security/capability.conf"
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) AppArmor profiles to prevent suid/capabilities abuse
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
if [ -d "/etc/apparmor.d/" ] && [ -r "/etc/apparmor.d/" ]; then
|
||||
print_2title "AppArmor binary profiles"
|
||||
ls -l /etc/apparmor.d/ 2>/dev/null | grep -E "^-" | grep "\."
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
##-- IF) Files with ACLs
|
||||
print_2title "Files with ACLs (limited to 50)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
else
|
||||
( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
fi
|
||||
|
||||
if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow)
|
||||
ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- IF) Files with ResourceFork
|
||||
#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER
|
||||
# print_2title "Files with ResourceFork"
|
||||
# print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads"
|
||||
# find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork"
|
||||
#fi
|
||||
#echo ""
|
||||
|
||||
##-- IF) .sh files in PATH
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title ".sh files in path"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
|
||||
echo $PATH | tr ":" "\n" | while read d; do
|
||||
for f in $(find "$d" -name "*.sh" 2>/dev/null); do
|
||||
if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
|
||||
echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED},"
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits)
|
||||
echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},";
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo ""
|
||||
|
||||
broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)
|
||||
if [ "$broken_links" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Broken links in path"
|
||||
echo $PATH | tr ":" "\n" | while read d; do
|
||||
find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
##-- IF) Executable files added by user
|
||||
print_2title "Executable files added by user (limit 70)"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
|
||||
else
|
||||
find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
|
||||
fi
|
||||
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Unsigned Applications"
|
||||
macosNotSigned /System/Applications
|
||||
fi
|
||||
|
||||
##-- IF) Unexpected in /opt
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
if [ "$(ls /opt 2>/dev/null)" ]; then
|
||||
print_2title "Unexpected in /opt (usually empty)"
|
||||
ls -la /opt
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
##-- IF) Unexpected folders in /
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Unexpected in root"
|
||||
if [ "$MACPEAS" ]; then
|
||||
(find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
|
||||
else
|
||||
(find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Files (scripts) in /etc/profile.d/
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Files (scripts) in /etc/profile.d/"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
|
||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
|
||||
check_critial_root_path "/etc/profile"
|
||||
check_critial_root_path "/etc/profile.d/"
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Files (scripts) in /etc/init.d/
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Permissions in init, init.d, systemd, and rc.d"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
|
||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||
check_critial_root_path "/etc/init/"
|
||||
check_critial_root_path "/etc/init.d/"
|
||||
check_critial_root_path "/etc/rc.d/init.d"
|
||||
check_critial_root_path "/usr/local/etc/rc.d"
|
||||
check_critial_root_path "/etc/rc.d"
|
||||
check_critial_root_path "/etc/systemd/"
|
||||
check_critial_root_path "/lib/systemd/"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Hashes in passwd file
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_list "Hashes inside passwd file? ........... "
|
||||
if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Writable in passwd file
|
||||
print_list "Writable passwd file? ................ "
|
||||
if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Credentials in fstab
|
||||
print_list "Credentials in fstab/mtab? ........... "
|
||||
if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Read shadow files
|
||||
print_list "Can I read shadow files? ............. "
|
||||
if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
print_list "Can I read shadow plists? ............ "
|
||||
possible_check=""
|
||||
(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
|
||||
|
||||
print_list "Can I write shadow plists? ........... "
|
||||
possible_check=""
|
||||
(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
|
||||
|
||||
##-- IF) Read opasswd file
|
||||
print_list "Can I read opasswd file? ............. "
|
||||
if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo ""
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) network-scripts
|
||||
print_list "Can I write in network-scripts? ...... "
|
||||
if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
else echo_no
|
||||
fi
|
||||
|
||||
##-- IF) Read root dir
|
||||
print_list "Can I read root folder? .............. "
|
||||
(ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Root files in home dirs
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Searching root files in home dirs (limit 30)"
|
||||
(find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Others files in my dirs
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Searching folders owned by me containing others files on it (limit 100)"
|
||||
(find $ROOT_FOLDER -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Readable files belonging to root and not world readable
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Readable files belonging to root and readable by me but not world readable"
|
||||
(find $ROOT_FOLDER -type f -user root ! -perm -o=r ! -path "/proc/*" 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Modified interesting files into specific folders in the last 5mins
|
||||
print_2title "Modified interesting files in the last 5mins (limit 100)"
|
||||
find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED},"
|
||||
echo ""
|
||||
|
||||
##-- IF) Writable log files
|
||||
if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
|
||||
print_2title "Writable log files (logrotten) (limit 50)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
|
||||
logrotate --version 2>/dev/null || echo_not_found "logrotate"
|
||||
lastWlogFolder="ImPOsSiBleeElastWlogFolder"
|
||||
logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)
|
||||
printf "%s\n" "$logfind" | while read log; do
|
||||
if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found
|
||||
if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC;
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case
|
||||
elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log";
|
||||
elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g";
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
##-- IF) Files inside my home
|
||||
print_2title "Files inside $HOME (limit 20)"
|
||||
(ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Files inside /home
|
||||
print_2title "Files inside others home (limit 20)"
|
||||
(find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Mail applications
|
||||
print_2title "Searching installed mail applications"
|
||||
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
|
||||
echo ""
|
||||
|
||||
##-- IF) Mails
|
||||
print_2title "Mails (limit 50)"
|
||||
(find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found
|
||||
echo ""
|
||||
|
||||
##-- IF) Backup folders
|
||||
if [ "$backup_folders" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Backup folders"
|
||||
printf "%s\n" "$backup_folders" | while read b ; do
|
||||
ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g";
|
||||
ls -l "$b" 2>/dev/null && echo ""
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
##-- IF) Backup files
|
||||
print_2title "Backup files (limited 100)"
|
||||
backs=$(find $ROOT_FOLDER -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null)
|
||||
printf "%s\n" "$backs" | head -n 100 | while read b ; do
|
||||
if [ -r "$b" ]; then
|
||||
ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g";
|
||||
fi;
|
||||
done
|
||||
echo ""
|
||||
|
||||
##-- IF) DB files
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Reading messages database"
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null
|
||||
sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null
|
||||
|
||||
fi
|
||||
|
||||
|
||||
if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)"
|
||||
FILECMD="$(command -v file 2>/dev/null)"
|
||||
printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
|
||||
if [ "$FILECMD" ]; then
|
||||
echo "Found "$(file "$f") | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
|
||||
else
|
||||
echo "Found $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
|
||||
fi
|
||||
done
|
||||
SQLITEPYTHON=""
|
||||
echo ""
|
||||
printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
|
||||
if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd
|
||||
if [ "$(command -v sqlite3 2>/dev/null)" ]; then
|
||||
tables=$(sqlite3 $f ".tables" 2>/dev/null)
|
||||
#printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
|
||||
elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then
|
||||
SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null)
|
||||
tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null)
|
||||
#printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
|
||||
else
|
||||
tables=""
|
||||
fi
|
||||
if [ "$tables" ] || [ "$DEBUG" ]; then
|
||||
printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC
|
||||
printf "%s\n" "$tables" | while read t; do
|
||||
columns=""
|
||||
# Search for credentials inside the table using sqlite3
|
||||
if [ -z "$SQLITEPYTHON" ]; then
|
||||
columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE")
|
||||
# Search for credentials inside the table using python
|
||||
else
|
||||
columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null)
|
||||
fi
|
||||
#Check found columns for interesting fields
|
||||
INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt")
|
||||
if [ "$INTCOLUMN" ]; then
|
||||
printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g"
|
||||
printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g"
|
||||
(sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head
|
||||
echo ""
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
echo ""
|
||||
|
||||
if [ "$MACPEAS" ]; then
|
||||
print_2title "Downloaded Files"
|
||||
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|"
|
||||
fi
|
||||
|
||||
##-- IF) Web files
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Web files?(output limit)"
|
||||
ls -alhR /var/www/ 2>/dev/null | head
|
||||
ls -alhR /srv/www/htdocs/ 2>/dev/null | head
|
||||
ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head
|
||||
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) All hidden files
|
||||
print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)"
|
||||
find $ROOT_FOLDER -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- IF) Readable files in /tmp, /var/tmp, bachups
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)"
|
||||
filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70)
|
||||
printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Interesting writable files by ownership or all
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
||||
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
|
||||
obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
|
||||
printf "%s\n" "$obmowbe" | while read entry; do
|
||||
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
|
||||
elif echo "$entry" | grep -qE "$writeVB"; then
|
||||
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Interesting writable files by group
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
print_2title "Interesting GROUP writable files (not in Home) (max 500)"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
||||
for g in $(groups); do
|
||||
iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
|
||||
if [ "$iwfbg" ] || [ "$DEBUG" ]; then
|
||||
printf " Group $GREEN$g:\n$NC";
|
||||
printf "%s\n" "$iwfbg" | while read entry; do
|
||||
if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
|
||||
elif echo "$entry" | grep -Eq "$writeVB"; then
|
||||
echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords in history cmd
|
||||
if [ "$(history 2>/dev/null)" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching passwords in history cmd"
|
||||
history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords in history files
|
||||
if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching passwords in history files"
|
||||
printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords in config PHP files
|
||||
if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching passwords in config PHP files"
|
||||
printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords files in home
|
||||
if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching *password* or *credential* files in home (limit 70)"
|
||||
(printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) TTY passwords
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Checking for TTY (sudo/su) passwords in audit logs"
|
||||
aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g"
|
||||
find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) IPs inside logs
|
||||
if [ "$DEBUG" ]; then
|
||||
print_2title "Searching IPs inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70
|
||||
echo ""
|
||||
fi
|
||||
|
||||
##-- IF) Passwords inside logs
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Searching passwords inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
if [ "$DEBUG" ]; then
|
||||
##-- IF) Emails inside logs
|
||||
print_2title "Searching emails inside logs (limit 70)"
|
||||
(find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
|
||||
##-- IF) Find possible files with passwords
|
||||
print_2title "Searching passwords inside key folders (limit 70) - only PHP files"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null)
|
||||
else
|
||||
intpwdfiles=$(timeout 150 find $SEARCH_IN_FOLDER -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null)
|
||||
fi
|
||||
printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
print_2title "Searching passwords inside key folders (limit 70) - no PHP files"
|
||||
printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
|
||||
echo ""
|
||||
|
||||
##-- IF) Find possible files with passwords
|
||||
print_2title "Searching possible password variables inside key folders (limit 140)"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
else
|
||||
timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
fi
|
||||
wait
|
||||
echo ""
|
||||
|
||||
##-- IF) Find possible conf files with passwords
|
||||
print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
|
||||
else
|
||||
ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
|
||||
fi
|
||||
printf "%s\n" "$ppicf" | while read f; do
|
||||
if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then
|
||||
echo "$ITALIC $f$NC"
|
||||
grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
fi
|
6
linPEAS/builder/linpeas_parts/9_api_keys_regex.sh
Normal file
6
linPEAS/builder/linpeas_parts/9_api_keys_regex.sh
Normal file
@ -0,0 +1,6 @@
|
||||
|
||||
if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then
|
||||
peass{REGEXES}
|
||||
else
|
||||
echo "Regexes to search for API keys aren't activated, use param '-r' "
|
||||
fi
|
@ -56,37 +56,49 @@ DISCOVERY=""
|
||||
PORTS=""
|
||||
QUIET=""
|
||||
CHECKS="peass{CHECKS}"
|
||||
SEARCH_IN_FOLDER=""
|
||||
ROOT_FOLDER="/"
|
||||
WAIT=""
|
||||
PASSWORD=""
|
||||
NOCOLOR=""
|
||||
DEBUG=""
|
||||
AUTO_NETWORK_SCAN=""
|
||||
EXTRA_CHECKS=""
|
||||
REGEXES=""
|
||||
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
|
||||
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
|
||||
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
|
||||
[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" #It THREADS is not a number, put number 2
|
||||
HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
||||
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
|
||||
${YELLOW}-h${BLUE} To show this message
|
||||
${YELLOW}-e${BLUE} Perform extra enumeration
|
||||
${YELLOW}-s${BLUE} Stealth & faster (don't check some time consuming checks)
|
||||
${YELLOW}-a${BLUE} All checks except Internet connectivity checks and automatic network recon (use -t to enable them)
|
||||
${YELLOW}-t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
|
||||
${GREEN} Checks:
|
||||
${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
|
||||
${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks)
|
||||
${YELLOW} -e${BLUE} Perform extra enumeration
|
||||
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
|
||||
${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours)
|
||||
${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
|
||||
${YELLOW}-w${BLUE} Wait execution between big blocks of checks
|
||||
${YELLOW}-L${BLUE} Force linpeas execution.
|
||||
${YELLOW}-M${BLUE} Force macpeas execution.
|
||||
${YELLOW}-N${BLUE} Do not use colours
|
||||
${YELLOW} -D${BLUE} Debug mode
|
||||
${YELLOW}-q${BLUE} Do not show banner
|
||||
|
||||
${GREEN} Network recon:
|
||||
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
|
||||
${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
|
||||
${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
||||
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
||||
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed$NC"
|
||||
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
|
||||
|
||||
while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do
|
||||
${GREEN} Firmware recon:
|
||||
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
|
||||
|
||||
${GREEN} Misc:
|
||||
${YELLOW} -h${BLUE} To show this message
|
||||
${YELLOW} -w${BLUE} Wait execution between big blocks of checks
|
||||
${YELLOW} -L${BLUE} Force linpeas execution
|
||||
${YELLOW} -M${BLUE} Force macpeas execution
|
||||
${YELLOW} -q${BLUE} Do not show banner
|
||||
${YELLOW} -N${BLUE} Do not use colours$NC"
|
||||
|
||||
while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
|
||||
case "$opt" in
|
||||
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
|
||||
a) FAST="";EXTRA_CHECKS="1";;
|
||||
@ -104,6 +116,8 @@ while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do
|
||||
D) DEBUG="1";;
|
||||
t) AUTO_NETWORK_SCAN="1";;
|
||||
e) EXTRA_CHECKS="1";;
|
||||
r) REGEXES="1";;
|
||||
f) SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";;
|
||||
esac
|
||||
done
|
||||
|
||||
@ -215,15 +229,15 @@ print_banner(){
|
||||
|
||||
print_support () {
|
||||
printf """
|
||||
${GREEN}/---------------------------------------------------------------------------\\
|
||||
${GREEN}/---------------------------------------------------------------------------------\\
|
||||
| ${BLUE}Do you like PEASS?${GREEN} |
|
||||
|---------------------------------------------------------------------------|
|
||||
| ${YELLOW}Get latest LinPEAS${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} |
|
||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@carlospolopm${GREEN} |
|
||||
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
|
||||
|---------------------------------------------------------------------------|
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${BLUE}Thank you! ${GREEN} |
|
||||
\---------------------------------------------------------------------------/
|
||||
\---------------------------------------------------------------------------------/
|
||||
"""
|
||||
}
|
||||
|
||||
@ -369,9 +383,9 @@ sidVB='peass{SUIDVB1_HERE}'
|
||||
sidVB2='peass{SUIDVB2_HERE}'
|
||||
cfuncs='file|free|main|more|read|split|write'
|
||||
|
||||
sudoVB1=" \*|env_keep\+=LD_PRELOAD|peass{SUDOVB1_HERE}"
|
||||
sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|peass{SUDOVB1_HERE}"
|
||||
sudoVB2="peass{SUDOVB2_HERE}"
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
|
||||
sudoG="NOEXEC"
|
||||
|
||||
capsVB="cap_sys_admin:mount|python \
|
||||
@ -386,7 +400,7 @@ cap_net_raw:python|tcpdump"
|
||||
|
||||
|
||||
capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module"
|
||||
containercapsB="sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override"
|
||||
containercapsB="sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override|sys_rawio|syslog|net_raw|net_admin"
|
||||
|
||||
OLDPATH=$PATH
|
||||
ADDPATH=":/usr/local/sbin\
|
||||
@ -474,7 +488,10 @@ while $SEDOVERFLOW; do
|
||||
# WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" -and '(' -writable -or -user $USER ')' 2>/dev/null | sort`
|
||||
#fi
|
||||
Wfolders=$(printf "%s" "$WF" | tr '\n' '|')"|[a-zA-Z]+[a-zA-Z0-9]* +\*"
|
||||
Wfolder="$(printf "%s" "$WF" | grep "/shm" | head -n1)" # Try to get /dev/shm
|
||||
if ! [ "$Wfolder" ]; then
|
||||
Wfolder="$(printf "%s" "$WF" | grep "tmp\|shm\|home\|Users\|root\|etc\|var\|opt\|bin\|lib\|mnt\|private\|Applications" | head -n1)"
|
||||
fi
|
||||
printf "test\ntest\ntest\ntest"| sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
SEDOVERFLOW=false
|
||||
@ -497,11 +514,11 @@ shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsma
|
||||
|
||||
notBackup="/tdbbackup$|/db_hotbackup$"
|
||||
|
||||
cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|"
|
||||
cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|"
|
||||
cronjobsB="centreon"
|
||||
|
||||
processesVB="jdwp|tmux |screen |--inspect|--remote-debugging-port"
|
||||
processesB="knockd\|splunk"
|
||||
processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
|
||||
processesB="knockd|splunk"
|
||||
processesDump="gdm-password|gnome-keyring-daemon|lightdm|vsftpd|apache2|sshd:"
|
||||
|
||||
mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier"
|
||||
@ -527,6 +544,10 @@ GREP_IGNORE_MOUNTS="/ /|/null | proc proc |/dev/console"
|
||||
|
||||
INT_HIDDEN_FILES="peass{INT_HIDDEN_FILES}"
|
||||
|
||||
FAT_LINPEAS_AMICONTAINED="peass{AMICONTAINED}"
|
||||
FAT_LINPEAS_GITLEAKS_LINUX="peass{GITLEAKS_LINUX}"
|
||||
FAT_LINPEAS_GITLEAKS_MACOS="peass{GITLEAKS_MACOS}"
|
||||
|
||||
###########################################
|
||||
#---------) Checks before start (---------#
|
||||
###########################################
|
||||
@ -548,7 +569,17 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
SCAN_BAN_BAD="No port scan capabilities (nc not found)"
|
||||
SCAN_BAN_BAD="No port scan capabilities (nc and bash not found)"
|
||||
|
||||
if [ "$(command -v bash)" ] && ! [ -L "$(command -v bash)" ]; then
|
||||
FOUND_BASH=$(command -v bash);
|
||||
elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then
|
||||
FOUND_BASH="/bin/bash";
|
||||
fi
|
||||
if [ "$FOUND_BASH" ]; then
|
||||
SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n"
|
||||
fi
|
||||
|
||||
FOUND_NC=$(command -v nc 2>/dev/null)
|
||||
if [ -z "$FOUND_NC" ]; then
|
||||
FOUND_NC=$(command -v netcat 2>/dev/null);
|
||||
@ -563,7 +594,7 @@ if [ -z "$FOUND_NC" ]; then
|
||||
FOUND_NC=$(command -v nc.openbsd 2>/dev/null);
|
||||
fi
|
||||
if [ "$FOUND_NC" ]; then
|
||||
SCAN_BAN_GOOD="$GREEN$FOUND_NC${BLUE} is available for network discover & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)"
|
||||
SCAN_BAN_GOOD="$SCAN_BAN_GOOD$YELLOW[+] $GREEN$FOUND_NC${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n"
|
||||
fi
|
||||
|
||||
|
||||
@ -603,7 +634,7 @@ print_title(){
|
||||
|
||||
title=$1
|
||||
title_len=$(echo $title | wc -c)
|
||||
max_title_len=100
|
||||
max_title_len=80
|
||||
rest_len=$((($max_title_len - $title_len) / 2))
|
||||
|
||||
printf ${BLUE}
|
||||
@ -649,6 +680,10 @@ print_3title(){
|
||||
printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═"
|
||||
}
|
||||
|
||||
print_3title_no_nl(){
|
||||
printf ${BLUE}"\r══╣ $GREEN${1}..."$NC #There are 2 "═"
|
||||
}
|
||||
|
||||
print_list(){
|
||||
printf ${BLUE}"═╣ $GREEN$1"$NC #There is 1 "═"
|
||||
}
|
||||
@ -712,6 +747,23 @@ macosNotSigned(){
|
||||
done
|
||||
}
|
||||
|
||||
execBin(){
|
||||
TOOL_NAME=$1
|
||||
TOOL_LINK=$2
|
||||
B64_BIN=$3
|
||||
PARAMS=$4
|
||||
if [ "$B64_BIN" ]; then
|
||||
echo ""
|
||||
print_3title "Running $TOOL_NAME"
|
||||
print_info "$TOOL_LINK"
|
||||
echo "$B64_BIN" | base64 -d > $Wfolder/bin
|
||||
chmod +x $Wfolder/bin
|
||||
eval "$Wfolder/bin $PARAMS"
|
||||
rm -f $Wfolder/bin
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
###########################################
|
||||
#---------) Internet functions (----------#
|
||||
###########################################
|
||||
@ -774,7 +826,11 @@ tcp_recon (){
|
||||
for port in $PORTS; do
|
||||
for j in $(seq 1 254)
|
||||
do
|
||||
if [ "$FOUND_BASH" ]; then
|
||||
$FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
|
||||
elif [ "$NC_SCAN" ]; then
|
||||
($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
|
||||
fi
|
||||
done
|
||||
wait
|
||||
done
|
||||
@ -799,7 +855,11 @@ tcp_port_scan (){
|
||||
fi
|
||||
|
||||
for port in $PORTS; do
|
||||
if [ "$FOUND_BASH" ]; then
|
||||
$FOUND_BASH -c "(echo </dev/tcp/$IP/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP:$port\"" &
|
||||
elif [ "$NC_SCAN" ]; then
|
||||
($NC_SCAN "$IP" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
|
||||
fi
|
||||
done
|
||||
wait
|
||||
}
|
||||
@ -922,12 +982,12 @@ else
|
||||
fi
|
||||
|
||||
if [ "$SCAN_BAN_GOOD" ]; then
|
||||
printf $YELLOW"[+] $SCAN_BAN_GOOD\n$NC"
|
||||
printf "$SCAN_BAN_GOOD\n$NC"
|
||||
else
|
||||
printf $RED"[-] $SCAN_BAN_BAD\n$NC"
|
||||
fi
|
||||
if [ "$(command -v nmap 2>/dev/null)" ];then
|
||||
NMAP_GOOD=$GREEN"nmap${BLUE} is available for network discover & port scanning, you should use it yourself"
|
||||
NMAP_GOOD=$GREEN"nmap${BLUE} is available for network discovery & port scanning, you should use it yourself"
|
||||
printf $YELLOW"[+] $NMAP_GOOD\n$NC"
|
||||
fi
|
||||
echo ""
|
||||
@ -972,28 +1032,42 @@ elif [ "$IP" ]; then
|
||||
fi
|
||||
|
||||
|
||||
if echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
|
||||
###########################################
|
||||
#----------) Caching Finds (--------------#
|
||||
###########################################
|
||||
|
||||
printf $GREEN"Caching directories "$NC
|
||||
|
||||
|
||||
#Get home
|
||||
#Get HOMESEARCH
|
||||
HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")"
|
||||
if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder
|
||||
HOMESEARCH="$HOME $HOMESEARCH"
|
||||
fi
|
||||
GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
|
||||
|
||||
|
||||
|
||||
|
||||
###########################################
|
||||
#----------) Caching Finds (--------------#
|
||||
###########################################
|
||||
if [ "$SEARCH_IN_FOLDER" ]; then
|
||||
printf $GREEN"Caching directories "$NC
|
||||
|
||||
CONT_THREADS=0
|
||||
# FIND ALL KNOWN INTERESTING SOFTWARE FILES
|
||||
peass{FINDS_CUSTOM}
|
||||
|
||||
wait # Always wait at the end
|
||||
CONT_THREADS=0 #Reset the threads counter
|
||||
|
||||
elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
|
||||
|
||||
printf $GREEN"Caching directories "$NC
|
||||
|
||||
CONT_THREADS=0
|
||||
# FIND ALL KNOWN INTERESTING SOFTWARE FILES
|
||||
peass{FINDS_HERE}
|
||||
|
||||
wait # Always wait at the end
|
||||
CONT_THREADS=0 #Reset the threads counter
|
||||
fi
|
||||
|
||||
if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
|
||||
#GENERATE THE STORAGES OF THE FOUND FILES
|
||||
peass{STORAGES_HERE}
|
||||
|
||||
|
@ -9,6 +9,7 @@ from .fileRecord import FileRecord
|
||||
from .yamlGlobals import (
|
||||
TEMPORARY_LINPEAS_BASE_PATH,
|
||||
PEAS_FINDS_MARKUP,
|
||||
PEAS_FINDS_CUSTOM_MARKUP,
|
||||
PEAS_STORAGES_MARKUP,
|
||||
PEAS_STORAGES_MARKUP,
|
||||
INT_HIDDEN_FILES_MARKUP,
|
||||
@ -30,7 +31,10 @@ from .yamlGlobals import (
|
||||
LES_MARKUP,
|
||||
LES2_MARKUP,
|
||||
REGEXES_LOADED,
|
||||
REGEXES_MARKUP
|
||||
REGEXES_MARKUP,
|
||||
FAT_LINPEAS_AMICONTAINED_MARKUP,
|
||||
FAT_LINPEAS_GITLEAKS_LINUX_MARKUP,
|
||||
FAT_LINPEAS_GITLEAKS_MACOS_MARKUP
|
||||
)
|
||||
|
||||
|
||||
@ -50,8 +54,9 @@ class LinpeasBuilder:
|
||||
self.__replace_mark(PEAS_VARIABLES_MARKUP, variables, "")
|
||||
|
||||
print("[+] Building finds...")
|
||||
find_calls = self.__generate_finds()
|
||||
find_calls, find_custom_calls = self.__generate_finds()
|
||||
self.__replace_mark(PEAS_FINDS_MARKUP, find_calls, " ")
|
||||
self.__replace_mark(PEAS_FINDS_CUSTOM_MARKUP, find_custom_calls, " ")
|
||||
|
||||
print("[+] Building storages...")
|
||||
storage_vars = self.__generate_storages()
|
||||
@ -93,6 +98,16 @@ class LinpeasBuilder:
|
||||
self.__replace_mark(LES_MARKUP, list(les_b64), "")
|
||||
self.__replace_mark(LES2_MARKUP, list(les2_b64), "")
|
||||
|
||||
print("[+] Downloading Fat Linpeas binaries...")
|
||||
aimcont_b64 = self.__get_bin("https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64")
|
||||
self.__replace_mark(FAT_LINPEAS_AMICONTAINED_MARKUP, list(aimcont_b64), "")
|
||||
|
||||
gitleaks_b64 = self.__get_bin("https://github.com/zricethezav/gitleaks/releases/download/v8.8.7/gitleaks_8.8.7_linux_x64.tar.gz", tar_gz="gitleaks")
|
||||
self.__replace_mark(FAT_LINPEAS_GITLEAKS_LINUX_MARKUP, list(gitleaks_b64), "")
|
||||
|
||||
gitleaks_b64_macos = self.__get_bin("https://github.com/zricethezav/gitleaks/releases/download/v8.8.7/gitleaks_8.8.7_darwin_x64.tar.gz", tar_gz="gitleaks")
|
||||
self.__replace_mark(FAT_LINPEAS_GITLEAKS_MACOS_MARKUP, list(gitleaks_b64_macos), "")
|
||||
|
||||
print("[+] Building GTFOBins lists...")
|
||||
suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
|
||||
assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}"
|
||||
@ -146,6 +161,11 @@ class LinpeasBuilder:
|
||||
def __generate_finds(self) -> list:
|
||||
"""Given the regexes to search on each root folder, generate the find command"""
|
||||
finds = []
|
||||
|
||||
finds_custom = []
|
||||
all_folder_regexes = []
|
||||
all_file_regexes = []
|
||||
|
||||
for type,searches in self.dict_to_search.items():
|
||||
for r,regexes in searches.items():
|
||||
if regexes:
|
||||
@ -153,25 +173,41 @@ class LinpeasBuilder:
|
||||
|
||||
if type == "d":
|
||||
find_line += "-type d "
|
||||
bash_find_var = f"FIND_DIR_{r[1:].replace('.','').upper()}"
|
||||
bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}"
|
||||
self.bash_find_d_vars.add(bash_find_var)
|
||||
all_folder_regexes += regexes
|
||||
else:
|
||||
bash_find_var = f"FIND_{r[1:].replace('.','').upper()}"
|
||||
bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}"
|
||||
self.bash_find_f_vars.add(bash_find_var)
|
||||
all_file_regexes += regexes
|
||||
|
||||
find_line += '-name \\"' + '\\" -o -name \\"'.join(regexes) + '\\"'
|
||||
find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line)
|
||||
find_line = f"{bash_find_var}={find_line}"
|
||||
finds.append(find_line)
|
||||
|
||||
return finds
|
||||
# Buid folder and files finds when searching in a custom folder
|
||||
all_folder_regexes = list(set(all_folder_regexes))
|
||||
find_line = '$SEARCH_IN_FOLDER -type d -name \\"' + '\\" -o -name \\"'.join(all_folder_regexes) + '\\"'
|
||||
find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line)
|
||||
find_line = f"FIND_DIR_CUSTOM={find_line}"
|
||||
finds_custom.append(find_line)
|
||||
|
||||
all_file_regexes = list(set(all_file_regexes))
|
||||
find_line = '$SEARCH_IN_FOLDER -name \\"' + '\\" -o -name \\"'.join(all_file_regexes) + '\\"'
|
||||
find_line = FIND_TEMPLATE.replace(FIND_LINE_MARKUP, find_line)
|
||||
find_line = f"FIND_CUSTOM={find_line}"
|
||||
finds_custom.append(find_line)
|
||||
|
||||
return finds, finds_custom
|
||||
|
||||
def __generate_storages(self) -> list:
|
||||
"""Generate the storages to save the results per entry"""
|
||||
storages = []
|
||||
all_f_finds = "$" + "\\n$".join(self.bash_find_f_vars)
|
||||
all_d_finds = "$" + "\\n$".join(self.bash_find_d_vars)
|
||||
all_finds = "$" + "\\n$".join(list(self.bash_find_f_vars) + list(self.bash_find_d_vars))
|
||||
custom_storages = ["FIND_CUSTOM", "FIND_DIR_CUSTOM"]
|
||||
all_f_finds = "$" + "\\n$".join(list(self.bash_find_f_vars) + custom_storages)
|
||||
all_d_finds = "$" + "\\n$".join(list(self.bash_find_d_vars) + custom_storages)
|
||||
all_finds = "$" + "\\n$".join(list(self.bash_find_f_vars) + list(self.bash_find_d_vars) + custom_storages)
|
||||
|
||||
for precord in self.ploaded.peasrecords:
|
||||
bash_storage_var = f"PSTORAGE_{precord.bash_name}"
|
||||
@ -239,7 +275,7 @@ class LinpeasBuilder:
|
||||
analise_line = ""
|
||||
if init:
|
||||
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
|
||||
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
|
||||
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
|
||||
|
||||
#If just list, just list the file/directory
|
||||
if frecord.just_list_file:
|
||||
@ -303,6 +339,19 @@ class LinpeasBuilder:
|
||||
r2 = requests.get("https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl")
|
||||
return(base64.b64encode(bytes(r1.text, 'utf-8')).decode("utf-8"), base64.b64encode(bytes(r2.text, 'utf-8')).decode("utf-8"))
|
||||
|
||||
def __get_bin(self, url, tar_gz="") -> str:
|
||||
os.system(f"wget -q '{url}' -O /tmp/bin_builder")
|
||||
if tar_gz:
|
||||
os.system(f"cd /tmp; tar -xvzf /tmp/bin_builder; rm /tmp/bin_builder; mv {tar_gz} /tmp/bin_builder")
|
||||
os.system("base64 /tmp/bin_builder | tr -d '\n' > /tmp/binb64; rm /tmp/bin_builder")
|
||||
|
||||
b64bin = ""
|
||||
with open("/tmp/binb64", "r") as f:
|
||||
b64bin = f.read()
|
||||
|
||||
os.system("rm /tmp/binb64")
|
||||
return b64bin
|
||||
|
||||
def __get_gtfobins_lists(self) -> tuple:
|
||||
r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
|
||||
bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text)
|
||||
@ -334,14 +383,24 @@ class LinpeasBuilder:
|
||||
|
||||
for entry in values["regexes"]:
|
||||
name = entry["name"]
|
||||
caseinsensitive = entry.get("caseinsensitive", False)
|
||||
regex = entry["regex"]
|
||||
regex = regex.replace('"', '\\"').strip()
|
||||
extra_grep = entry.get("extra_grep")
|
||||
extra_grep = f"| grep {extra_grep}" if extra_grep else ""
|
||||
|
||||
regexes_search_section += f'print_3title "Searching {name} (limited to 50)"\n'
|
||||
regexes_search_section += f'print_3title_no_nl "Searching {name} (limited to 50)..."\n'
|
||||
|
||||
# If custom folder to search in
|
||||
regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
|
||||
regexes_search_section += " timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
||||
|
||||
# If search in all the file system
|
||||
regexes_search_section += 'else\n'
|
||||
for path in paths_to_search:
|
||||
regexes_search_section += "timeout 120 find "+path+" -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 | sed -${E} \"s~"+regex+"~${SED_RED}~\" &\n"
|
||||
grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
|
||||
regexes_search_section += " timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
||||
regexes_search_section += 'fi\n'
|
||||
|
||||
regexes_search_section += "wait\n"
|
||||
|
||||
@ -357,10 +416,16 @@ class LinpeasBuilder:
|
||||
|
||||
self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
|
||||
|
||||
def write_linpeas(self, path):
|
||||
def write_linpeas(self, path, rm_startswith=""):
|
||||
"""Write on disk the final linpeas"""
|
||||
|
||||
with open(path, "w") as f:
|
||||
if not rm_startswith:
|
||||
f.write(self.linpeas_sh)
|
||||
else:
|
||||
tmp_linpeas = ""
|
||||
for line in self.linpeas_sh.splitlines():
|
||||
if not line.startswith(rm_startswith):
|
||||
tmp_linpeas += line + "\n"
|
||||
f.write(tmp_linpeas)
|
||||
|
||||
os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
|
@ -15,36 +15,47 @@ LINPEAS_PARTS = [
|
||||
"name_check": "container",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/2_container.sh"
|
||||
},
|
||||
{
|
||||
"name": "Cloud",
|
||||
"name_check": "cloud",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/3_cloud.sh"
|
||||
},
|
||||
{
|
||||
"name": "Processes, Crons, Timers, Services and Sockets",
|
||||
"name_check": "procs_crons_timers_srvcs_sockets",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/3_procs_crons_timers_srvcs_sockets.sh"
|
||||
"file_path": LINPEAS_BASE_PARTS + "/4_procs_crons_timers_srvcs_sockets.sh"
|
||||
},
|
||||
{
|
||||
"name": "Network Information",
|
||||
"name_check": "network_information",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/4_network_information.sh"
|
||||
"file_path": LINPEAS_BASE_PARTS + "/5_network_information.sh"
|
||||
},
|
||||
{
|
||||
"name": "Users Information",
|
||||
"name_check": "users_information",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/5_users_information.sh"
|
||||
"file_path": LINPEAS_BASE_PARTS + "/6_users_information.sh"
|
||||
},
|
||||
{
|
||||
"name": "Software Information",
|
||||
"name_check": "software_information",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/6_software_information.sh"
|
||||
"file_path": LINPEAS_BASE_PARTS + "/7_software_information.sh"
|
||||
},
|
||||
{
|
||||
"name": "Interesting Files",
|
||||
"name_check": "interesting_files",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/7_interesting_files.sh"
|
||||
"file_path": LINPEAS_BASE_PARTS + "/8_interesting_files.sh"
|
||||
},
|
||||
{
|
||||
"name": "API Keys Regex",
|
||||
"name_check": "api_keys_regex",
|
||||
"file_path": LINPEAS_BASE_PARTS + "/9_api_keys_regex.sh"
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
LINPEAS_BASE_PATH = LINPEAS_BASE_PARTS + "/linpeas_base.sh"
|
||||
TEMPORARY_LINPEAS_BASE_PATH = CURRENT_DIR + "/../linpeas_base.sh"
|
||||
FINAL_FAT_LINPEAS_PATH = CURRENT_DIR + "/../../" + "linpeas_fat.sh"
|
||||
FINAL_LINPEAS_PATH = CURRENT_DIR + "/../../" + "linpeas.sh"
|
||||
YAML_NAME = "sensitive_files.yaml"
|
||||
YAML_REGEXES = "regexes.yaml"
|
||||
@ -68,6 +79,7 @@ assert all(f in ROOT_FOLDER for f in COMMON_DIR_FOLDERS)
|
||||
|
||||
PEAS_CHECKS_MARKUP = YAML_LOADED["peas_checks"]
|
||||
PEAS_FINDS_MARKUP = YAML_LOADED["peas_finds_markup"]
|
||||
PEAS_FINDS_CUSTOM_MARKUP = YAML_LOADED["peas_finds_custom_markup"]
|
||||
FIND_LINE_MARKUP = YAML_LOADED["find_line_markup"]
|
||||
FIND_TEMPLATE = YAML_LOADED["find_template"]
|
||||
|
||||
@ -93,3 +105,8 @@ CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"]
|
||||
|
||||
LES_MARKUP = YAML_LOADED["les_markup"]
|
||||
LES2_MARKUP = YAML_LOADED["les2_markup"]
|
||||
|
||||
|
||||
FAT_LINPEAS_AMICONTAINED_MARKUP = YAML_LOADED["fat_linpeas_amicontained_markup"]
|
||||
FAT_LINPEAS_GITLEAKS_LINUX_MARKUP = YAML_LOADED["fat_linpeas_gitleaks_linux_markup"]
|
||||
FAT_LINPEAS_GITLEAKS_MACOS_MARKUP = YAML_LOADED["fat_linpeas_gitleaks_macos_markup"]
|
Loading…
Reference in New Issue
Block a user