diff --git a/.github/workflows/PR-tests.yml b/.github/workflows/PR-tests.yml
index 1536b85..5a58e73 100644
--- a/.github/workflows/PR-tests.yml
+++ b/.github/workflows/PR-tests.yml
@@ -110,10 +110,9 @@ jobs:
 ref: ${{ github.head_ref }}
 # Setup go
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@v6
 with:
- go-version: 1.17.0-rc1
- stable: false
+ go-version: '1.23'
 - run: go version
 # Build linpeas
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
index 50901c9..56e967b 100644
--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
@@ -80,10 +80,86 @@ print_list "Seccomp enabled? ............... "$NC
 print_list "User namespace? ................ "$NC
 if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+#-- SY) Unprivileged user namespaces
+print_list "unpriv_userns_clone? ........... "$NC
+unpriv_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
+if [ -z "$unpriv_userns_clone" ]; then
+ echo_not_found "/proc/sys/kernel/unprivileged_userns_clone"
+else
+ if [ "$unpriv_userns_clone" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_GREEN},"; else echo "$unpriv_userns_clone" | sed -${E} "s,.*,${SED_RED},g"; fi
+fi
+
+#-- SY) Unprivileged eBPF
+print_list "unpriv_bpf_disabled? ........... "$NC
+unpriv_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
+if [ -z "$unpriv_bpf_disabled" ]; then
+ echo_not_found "/proc/sys/kernel/unprivileged_bpf_disabled"
+else
+ if [ "$unpriv_bpf_disabled" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$unpriv_bpf_disabled" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
 #-- SY) cgroup2
 print_list "Cgroup2 enabled? ............... "$NC
 ([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+#-- SY) Kernel hardening sysctls
+print_list "kptr_restrict? ................. "$NC
+kptr_restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null)
+if [ -z "$kptr_restrict" ]; then
+ echo_not_found "/proc/sys/kernel/kptr_restrict"
+else
+ if [ "$kptr_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$kptr_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "dmesg_restrict? ................ "$NC
+dmesg_restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)
+if [ -z "$dmesg_restrict" ]; then
+ echo_not_found "/proc/sys/kernel/dmesg_restrict"
+else
+ if [ "$dmesg_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$dmesg_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "ptrace_scope? .................. "$NC
+ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)
+if [ -z "$ptrace_scope" ]; then
+ echo_not_found "/proc/sys/kernel/yama/ptrace_scope"
+else
+ if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "perf_event_paranoid? ........... "$NC
+perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
+if [ -z "$perf_event_paranoid" ]; then
+ echo_not_found "/proc/sys/kernel/perf_event_paranoid"
+else
+ if [ "$perf_event_paranoid" -le 1 ]; then echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_RED},g"; else echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "mmap_min_addr? ................. "$NC
+mmap_min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
+if [ -z "$mmap_min_addr" ]; then
+ echo_not_found "/proc/sys/vm/mmap_min_addr"
+else
+ if [ "$mmap_min_addr" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$mmap_min_addr" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "lockdown mode? ................. "$NC
+if [ -f "/sys/kernel/security/lockdown" ]; then
+ cat /sys/kernel/security/lockdown 2>/dev/null | sed -${E} "s,none,${SED_RED},g; s,integrity|confidentiality,${SED_GREEN},g"
+else
+ echo_not_found "/sys/kernel/security/lockdown"
+fi
+
+#-- SY) Kernel hardening config flags
+print_list "Kernel hardening flags? ........ "$NC
+if [ -f "/boot/config-$(uname -r)" ]; then
+ grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN' /boot/config-$(uname -r) 2>/dev/null
+elif [ -f "/proc/config.gz" ]; then
+ zcat /proc/config.gz 2>/dev/null | grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN'
+else
+ echo_not_found "kernel config"
+fi
+
 #-- SY) Gatekeeper
 if [ "$MACPEAS" ]; then
 print_list "Gatekeeper enabled? .......... "$NC
@@ -136,4 +212,4 @@ else
 if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
 fi
-echo ""
\ No newline at end of file
+echo ""
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
index 41490d6..9beb7e0 100644
--- a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
@@ -58,5 +58,23 @@ else
 echo_not_found "/proc/sys/kernel/modules_disabled"
 fi
+# Check for module signature enforcement
+print_3title "Module signature enforcement? "
+if [ -f "/proc/sys/kernel/module_sig_enforce" ]; then
+ if [ "$(cat /proc/sys/kernel/module_sig_enforce)" = "1" ]; then
+ echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+ else
+ echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+ fi
+elif [ -f "/sys/module/module/parameters/sig_enforce" ]; then
+ if [ "$(cat /sys/module/module/parameters/sig_enforce)" = "Y" ]; then
+ echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+ else
+ echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+ fi
+else
+ echo_not_found "module_sig_enforce"
+fi
-echo ""
\ No newline at end of file
+
+echo ""
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
index 894d5bf..a6c0918 100644
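Review bot: The `lockdown mode?` block colours tokens rather than the selected mode: `/sys/kernel/security/lockdown` lists every mode and brackets the active one (e.g. `[none] integrity confidentiality`), so the current sed paints `none` red and the other two green on every kernel, whichever is actually in force. Anchoring on the brackets fixes that, `sed -${E} "s,\[none\],${SED_RED},g; s,\[(integrity|confidentiality)\],${SED_GREEN},g"`. The `Kernel hardening flags?` block is the only item in the hunk that prints uncoloured raw grep output, and its pattern also matches `# CONFIG_... is not set` lines; appending `| sed -${E} "s,=y$,${SED_GREEN},; s,is not set,${SED_RED},"` to both grep pipelines would keep the section consistent with the sysctl checks above it. `/boot/config-$(uname -r)` is quoted in the `-f` test but unquoted in the grep argument on the next line; quote both.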
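Review bot: The first branch tests `/proc/sys/kernel/module_sig_enforce`, but I am not aware of a `kernel.module_sig_enforce` sysctl; the runtime interface I know of is the `/sys/module/module/parameters/sig_enforce` parameter that the `elif` branch already reads, so the first branch looks dead and could be dropped (confirm against the kernel's module-signing documentation before removing). Both branches duplicate the same two coloured echo lines; reading the parameter once, `sig_enforce=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null)`, and testing `[ "$sig_enforce" = "Y" ]` would halve the block. `echo_not_found "module_sig_enforce"` passes a bare name while the `modules_disabled` line above passes the full path; `echo_not_found "/sys/module/module/parameters/sig_enforce"` would match. `print_3title` also differs from the `print_list "label ... "$NC` style used for the new sysctl checks in 16_Protections.sh in this same commit, which is worth aligning if the rest of this file follows that style.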
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
@@ -17,7 +17,7 @@ if ! [ "$IAMROOT" ]; then
 print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
 #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
- obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
+ obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
 printf "%s\n" "$obmowbe" | while read l; do if echo "$l" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$l\n"$NC; elif echo "$l" | grep -qE "$writeVB"; then
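Review bot: The rewritten find still passes `$ROOT_FOLDER` and `$USER` unquoted and unchecked; if `USER` is empty in the calling environment (cron, containers, `su -c` without a login shell), `-user` consumes the following `')'` token, find fails, and `2>/dev/null` hides the error, so the section silently prints nothing. Unless `USER` is already defaulted earlier in linpeas, adding `USER=${USER:-$(id -un 2>/dev/null)}` before the call, or at least quoting `"$USER"`, would make the check robust. The new `! -path "/dev/*"` exclusion also drops writable device nodes from this list; a one-line comment saying whether that is deliberate noise reduction or covered by another section would help the next reader. The enclosing `if ! [ "$IAMROOT" ]` block and the `while read` loop continue outside the hunk.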