Add linpeas privilege escalation checks from: An Evening with Claude (Code): sed-Based Command Safety Bypass in Claude Code (C

2025-12-05 20:40:08 -08:00 · 2025-11-26 01:46:17 +00:00
parent 80318c5005
commit 4b73810ff2
3 changed files with 165 additions and 0 deletions
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/30_Suspicious_sed_history.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/30_Suspicious_sed_history.sh
@@ -0,0 +1,64 @@
+# Title: Interesting Files - Suspicious sed persistence commands in history
+# ID: IF_Suspicious_sed_history
+# Author: HT Bot
+# Last Update: 26-11-2025
+# Description: Flags sed history entries that write/read sensitive startup files, indicating possible prompt-injection persistence (e.g., CVE-2025-64755 style attacks).
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $DEBUG, $HOME, $PSTORAGE_HISTORY
+# Initial Functions:
+# Generated Global Variables: $sed_history_sensitive, $sed_history_pattern, $history_candidates, $matches
+# Fat linpeas: 0
+# Small linpeas: 1
+
+sed_history_sensitive='\\.zsh(env|rc|profile|login|logout)|\\.zprofile|\\.zlogin|\\.zlogout|\\.bash(rc|_profile|_login|_logout)?|\\.profile|\\.kshrc|\\.cshrc|\\.login|\\.aws/credentials|\\.ssh/(authorized_keys|config)|\\.kube/config'
+sed_history_pattern="sed[^|;&]*[wWrR][[:space:]]*(~|/|\\.)[^|;&]*(${sed_history_sensitive})"
+
+history_candidates=""
+
+if [ "$PSTORAGE_HISTORY" ]; then
+  history_candidates="$PSTORAGE_HISTORY"
+fi
+
+if [ -z "$history_candidates" ]; then
+  if [ "$HOME" ]; then
+    for hf in "$HOME/.bash_history" "$HOME/.zsh_history" "$HOME/.zhistory" "$HOME/.history" "$HOME/.sh_history" "$HOME/.ksh_history" "$HOME/.config/fish/fish_history"; do
+      if [ -r "$hf" ]; then
+        if [ "$history_candidates" ]; then
+          history_candidates="$history_candidates"$'\n'"$hf"
+        else
+          history_candidates="$hf"
+        fi
+      fi
+    done
+  fi
+  for hf in "/root/.bash_history" "/root/.zsh_history" "/var/root/.zsh_history" "/var/root/.bash_history"; do
+    if [ -r "$hf" ]; then
+      if [ "$history_candidates" ]; then
+        history_candidates="$history_candidates"$'\n'"$hf"
+      else
+        history_candidates="$hf"
+      fi
+    fi
+  done
+fi
+
+if [ -z "$history_candidates" ] && [ -d "$HOME" ]; then
+  history_candidates=$(find "$HOME" -maxdepth 2 -type f \( -name "*_history" -o -name ".*history" -o -name "history" \) 2>/dev/null | head -n 40)
+fi
+
+history_candidates=$(printf "%s\n" "$history_candidates" | awk 'NF && !seen[$0]++')
+
+if [ "$history_candidates" ] || [ "$DEBUG" ]; then
+  print_2title "Suspicious sed commands writing sensitive files (history)"
+  printf "%s\n" "$history_candidates" | while IFS= read -r f; do
+    [ -n "$f" ] || continue
+    [ -r "$f" ] || continue
+    matches=$(grep -Ein --color=never -E "$sed_history_pattern" "$f" 2>/dev/null | head -n 20)
+    if [ "$matches" ]; then
+      printf "%s\n" "$matches" | sed -${E} "s,${sed_history_sensitive},${SED_RED},g"
+    fi
+  done
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/31_Suspicious_startup_payloads.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/31_Suspicious_startup_payloads.sh
@@ -0,0 +1,58 @@
+# Title: Interesting Files - Suspicious payloads in shell startup files
+# ID: IF_Suspicious_startup_payloads
+# Author: HT Bot
+# Last Update: 26-11-2025
+# Description: Scans shell startup files for reverse-shell style commands likely dropped via sed-based persistence.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $DEBUG, $HOME
+# Initial Functions:
+# Generated Global Variables: $startup_indicator_pattern, $startup_files, $matches
+# Fat linpeas: 0
+# Small linpeas: 1
+
+startup_indicator_pattern='curl[[:space:]].*\|[[:space:]]*(bash|sh)|wget[[:space:]].*\|[[:space:]]*(bash|sh)|bash[[:space:]]+-i[[:space:]]+>&|/dev/tcp|nc[[:space:]].*(-e|/bin/sh)|ncat[[:space:]].*(-e|/bin/sh)|socat[[:space:]]+TCP|python[[:space:]]+-c[[:space:]].*[Ss]ocket|perl[[:space:]]+-e[[:space:]].*[Ss]ocket|ruby[[:space:]]+-rsocket|php[[:space:]]+-r[[:space:]].*fsockopen'
+
+startup_files=""
+
+if [ "$HOME" ]; then
+  for f in "$HOME/.zshenv" "$HOME/.zprofile" "$HOME/.zlogin" "$HOME/.zlogout" "$HOME/.zshrc" \
+    "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.bash_login" "$HOME/.bash_logout" "$HOME/.profile" \
+    "$HOME/.kshrc" "$HOME/.cshrc" "$HOME/.shrc" "$HOME/.config/fish/config.fish"; do
+    if [ -r "$f" ]; then
+      if [ "$startup_files" ]; then
+        startup_files="$startup_files"$'\n'"$f"
+      else
+        startup_files="$f"
+      fi
+    fi
+  done
+fi
+
+for f in "/etc/zshenv" "/etc/zprofile" "/etc/zlogin" "/etc/zlogout" "/etc/zsh/zshrc" "/etc/zshrc" \
+  "/etc/profile" "/etc/bash.bashrc" "/etc/bashrc" "/usr/local/etc/zshenv" "/usr/local/etc/zprofile" \
+  "/usr/local/etc/zlogin" "/usr/local/etc/zlogout" "/usr/local/etc/zshrc"; do
+  if [ -r "$f" ]; then
+    if [ "$startup_files" ]; then
+      startup_files="$startup_files"$'\n'"$f"
+    else
+      startup_files="$f"
+    fi
+  fi
+done
+
+startup_files=$(printf "%s\n" "$startup_files" | awk 'NF && !seen[$0]++')
+
+if [ "$startup_files" ] || [ "$DEBUG" ]; then
+  print_2title "Suspicious commands sourced by shell startup files"
+  printf "%s\n" "$startup_files" | while IFS= read -r f; do
+    [ -n "$f" ] || continue
+    [ -r "$f" ] || continue
+    matches=$(grep -Ein --color=never -E "$startup_indicator_pattern" "$f" 2>/dev/null | head -n 20)
+    if [ "$matches" ]; then
+      printf "%s\n" "$matches" | sed -${E} "s,${startup_indicator_pattern},${SED_RED},g"
+    fi
+  done
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/variables/PSTORAGE_HISTORY.sh
+++ b/linPEAS/builder/linpeas_parts/variables/PSTORAGE_HISTORY.sh
@@ -0,0 +1,43 @@
+# Title: Variables - History files inventory
+# ID: PSTORAGE_HISTORY
+# Author: HT Bot
+# Last Update: 26-11-2025
+# Description: Collects readable shell history files to be reused by other modules.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables: $HOME
+# Initial Functions:
+# Generated Global Variables: $PSTORAGE_HISTORY, $history_inventory_candidates
+# Fat linpeas: 0
+# Small linpeas: 1
+
+history_inventory_candidates=""
+
+add_history_path() {
+  [ -n "$1" ] || return 0
+  [ -r "$1" ] || return 0
+  if [ "$history_inventory_candidates" ]; then
+    history_inventory_candidates="${history_inventory_candidates}"$'
+'"$1"
+  else
+    history_inventory_candidates="$1"
+  fi
+}
+
+if [ "$HOME" ]; then
+  for hf in     "$HOME/.bash_history"     "$HOME/.bash_logout"     "$HOME/.bash_login"     "$HOME/.bash_profile"     "$HOME/.profile"     "$HOME/.zsh_history"     "$HOME/.zhistory"     "$HOME/.zshrc"     "$HOME/.zlogin"     "$HOME/.zlogout"     "$HOME/.zshenv"     "$HOME/.ksh_history"     "$HOME/.kshrc"     "$HOME/.cshrc"     "$HOME/.history"     "$HOME/.sh_history"     "$HOME/.config/fish/fish_history"; do
+    add_history_path "$hf"
+  done
+fi
+
+for hf in   "/root/.bash_history"   "/root/.zsh_history"   "/var/root/.bash_history"   "/var/root/.zsh_history"   "/etc/profile"   "/etc/zprofile"   "/etc/zlogin"   "/etc/zlogout"   "/etc/zsh/zshrc"   "/etc/zshenv"   "/etc/zshrc"   "/etc/bash.bashrc"   "/etc/bashrc"; do
+  add_history_path "$hf"
+done
+
+if [ -z "$history_inventory_candidates" ] && [ -n "$HOME" ] && [ -d "$HOME" ]; then
+  history_inventory_candidates=$(find "$HOME" -maxdepth 2 -type f     \( -name "*_history" -o -name ".*history" -o -name "history" \) 2>/dev/null | head -n 60)
+fi
+
+PSTORAGE_HISTORY=$(printf "%s
+" "$history_inventory_candidates" | awk 'NF && !seen[$0]++')