diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index 9638fac..68e81e7 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -813,6 +813,12 @@ search: bad_regex: "auth|accessfile=|secret=|user" remove_regex: "^#|^@" type: f + - name: "*" + value: + bad_regex: "nullok|nullok_secure|pam_permit\\.so|pam_rootok\\.so|pam_exec\\.so|pam_unix\\.so.*(nullok|remember=0)|sufficient\\s+pam_unix\\.so" + only_bad_lines: True + remove_regex: "^#|^@" + type: f type: d search_in: - ${ROOT_FOLDER}etc @@ -1235,12 +1241,20 @@ search: auto_check: False files: - - name: "agent*" + - name: "agent.*" value: type: f remove_path: ".dll" search_in: - ${ROOT_FOLDER}tmp + - ${ROOT_FOLDER}run + + - name: "ssh-agent.sock" + value: + type: f + search_in: + - ${ROOT_FOLDER}tmp + - ${ROOT_FOLDER}run - name: SSH_CONFIG value: @@ -2067,6 +2081,45 @@ search: type: f search_in: - common + + - name: "*.asc" + value: + type: f + remove_path: "/usr/share/|/usr/lib/|/lib/|/man/" + search_in: + - common + + - name: "secring.gpg" + value: + type: f + search_in: + - common + + - name: "pubring.kbx" + value: + type: f + search_in: + - common + + - name: "trustdb.gpg" + value: + type: f + search_in: + - common + + - name: "gpg-agent.conf" + value: + type: f + search_in: + - common + + - name: "secret.asc" + value: + type: f + just_list_file: True + search_in: + - common + - name: "private-keys-v1.d/*.key" value: type: f 
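Review bot: The new PAM `bad_regex` flags `pam_permit\.so` and `pam_rootok\.so` wherever they occur, but both are part of stock stacks (`pam_permit.so` closes Debian's common-auth/common-account, `pam_rootok.so` is the normal first line of su/passwd/chsh), so this entry lights up on every default install and buries the real misconfigurations among expected lines. Narrowing the permit alternative to its dangerous placement keeps the signal: replace `pam_permit\\.so` with `sufficient\\s+pam_permit\\.so` in the `bad_regex`. For `pam_rootok\\.so` a short comment above the entry saying that hits in su/passwd/chsh are expected and only other services need triage would stop readers from treating every match as a finding. The list item this `files` entry belongs to starts outside the hunk, so I could not confirm which directory under `${ROOT_FOLDER}etc` it is scoped to.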
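Review bot: `ssh-agent.sock` and the renamed `agent.*` entry both carry `type: f`, yet SSH agent listeners are Unix sockets, and `Ssh.sh` in this same commit looks for them with `find -type s`. If the builder maps `type: f` to `find -type f` (the generator is not visible here), these entries can never match a live agent socket and only pick up stray regular files with those names; please confirm how `type` is translated and either add a socket type or note in a comment that matching regular files is intentional. Adding `${ROOT_FOLDER}run` is the right move regardless, since modern agents live under `run/user/<uid>/`.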
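Review bot: `secret.asc` is already covered by the `*.asc` glob added five entries earlier, so each such file is reported twice with different options (`just_list_file: True` only on the narrower entry); either drop `secret.asc` or give `*.asc` `just_list_file: True` as well. `pubring.kbx` and `trustdb.gpg` are binary keyrings listed without `just_list_file`; if entries without that flag print file contents (the `*.key` entry later in this file uses the flag precisely to avoid that), this will dump binary data into the report, so `just_list_file: True` is the safer default for them. Note also that `pubring.kbx`/`trustdb.gpg` hold public keys and trust data rather than secrets; they mainly indicate that a GnuPG keyring exists, which a comment on the entries could say.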
@@ -2844,6 +2897,85 @@ search: remove_path: "example" search_in: - common + + - name: Proxy_Config + value: + config: + auto_check: True + + files: + - name: "environment" + value: + bad_regex: "(http|https|ftp|all)_proxy|no_proxy" + only_bad_lines: True + remove_empty_lines: True + remove_regex: '^#' + type: f + check_extra_path: "^/etc/environment$" + search_in: + - common + + - name: "apt.conf" + value: + bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy" + only_bad_lines: True + remove_empty_lines: True + remove_regex: '^#' + type: f + search_in: + - common + + - name: "apt.conf.d" + value: + type: d + files: + - name: "*" + value: + bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy" + only_bad_lines: True + remove_empty_lines: True + remove_regex: '^#' + type: f + search_in: + - common + + - name: Sniffing_Artifacts + value: + config: + auto_check: True + + files: + - name: "*.pcap" + value: + just_list_file: True + type: f + search_in: + - common + + - name: "*.pcapng" + value: + just_list_file: True + type: f + search_in: + - common + + - name: "keys.log" + value: + bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET" + only_bad_lines: True + remove_empty_lines: True + type: f + search_in: + - common + + - name: "sslkeylog.log" + value: + bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET" + only_bad_lines: True + remove_empty_lines: True + type: f + search_in: + - common - name: Msmtprc value: @@ -3948,6 +4080,13 @@ search: search_in: - common + - name: "*.maintenance*" + value: + just_list_file: True + type: f + search_in: + - common + - name: "*.key" value: just_list_file: True diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh index 275d236..973247b 100644 
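Review bot: The `environment` entry's `bad_regex` `(http|https|ftp|all)_proxy|no_proxy` is case-sensitive, while `/etc/environment` and most deployments set the upper-case `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` forms; the shell check added to `11_Internet_access.sh` in this commit uses `grep -iE` for the same names, so the two checks will disagree on the same host. Extend it to `(http|https|ftp|all|HTTP|HTTPS|FTP|ALL)_(proxy|PROXY)|no_proxy|NO_PROXY`. Separately, `keys.log`/`sslkeylog.log` are TLS key-log files and `only_bad_lines: True` copies the actual `CLIENT_RANDOM`/traffic-secret lines into the report; `just_list_file: True`, as used for `*.pcap` just above, flags their presence without persisting session secrets in the output.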
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh @@ -17,7 +17,7 @@ # Functions Used: print_2title, print_list, echo_not_found # Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC # Initial Functions: -# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path +# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path, $svc_path_entry, $svc_writable_path # Fat linpeas: 0 # Small linpeas: 1 @@ -113,6 +113,19 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then service=$(echo "$line" | awk '{print $1}') service_file=$(get_service_file "$service") if [ -n "$service_file" ]; then + # Check service-specific PATH entries (Environment=PATH=...) + svc_writable_path=$(grep -E '^Environment=.*PATH=' "$service_file" 2>/dev/null | sed -E 's/^Environment=//; s/^"//; s/"$//; s/^PATH=//' | tr ':' '\n' | while read -r svc_path_entry; do + [ -z "$svc_path_entry" ] && continue + if [ -d "$svc_path_entry" ] && [ -w "$svc_path_entry" ]; then + echo "$svc_path_entry" + fi + done) + if [ "$svc_writable_path" ]; then + for svc_path_entry in $svc_writable_path; do + echo "$service: Writable service PATH entry '$svc_path_entry'" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + done + fi + # Check ExecStart paths grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | while read -r exec_line; do 
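Review bot: The `grep -E '^Environment=.*PATH='` / `sed 's/^PATH=//'` pair in the new `svc_writable_path` pipeline also matches `PYTHONPATH=`, `LD_LIBRARY_PATH=` and any line where `PATH=` is not the first assignment (`Environment=FOO=bar PATH=/x`); in those cases the leading `KEY=` is never stripped, and the `tr ':' '\n'` split yields entries such as `PYTHONPATH=/opt/app` that are then tested with `-d`. Extracting only the PATH value is more robust: `sed -nE 's/^Environment=(.*[[:space:]"])?PATH=("?)([^" ]*).*/\3/p' "$service_file" 2>/dev/null` in place of the `grep | sed` stage. The later `for svc_path_entry in $svc_writable_path` also word-splits on whitespace, so a PATH entry containing a space is reported as two fragments; `printf '%s\n' "$svc_writable_path" | while read -r svc_path_entry` keeps each entry intact. The enclosing `if [ -n "$service_file" ]` block continues outside the hunk.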
@@ -130,6 +143,9 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Check for relative paths only in the command, not arguments if [ -n "$cmd_path" ] && [ "${cmd_path#/}" = "$cmd_path" ] && [ "${cmd_path#\$}" = "$cmd_path" ]; then echo "$service: Uses relative path '$cmd_path' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g" + if [ "$svc_writable_path" ]; then + echo "$service: Relative Exec path + writable service PATH can allow path hijacking" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + fi fi done fi diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh index e7e386d..ed7d407 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh @@ -11,7 +11,7 @@ # License: GNU GPL # Version: 1.1 # Functions Used: print_2title, print_info -# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED +# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED # Initial Functions: # Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group # Fat linpeas: 0 @@ -142,10 +142,13 @@ if ! [ "$IAMROOT" ]; then # Highlight dangerous ownership if echo "$owner_info" | grep -q "root"; then echo " └─(${RED}Owned by root${NC})" + if echo "$perms" | grep -q "Write"; then + echo " └─High risk: root-owned and writable Unix socket" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + fi fi fi fi done fi echo "" -fi \ No newline at end of file +fi 
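Review bot: The new `Relative Exec path + writable service PATH can allow path hijacking` message claims more than the two conditions establish: as far as I recall from systemd.service(5), a non-absolute `ExecStart=` command is resolved against a fixed compile-time search path (`/usr/local/bin`, `/usr/bin`, ...), not against the unit's `Environment=PATH`, so a writable entry in that PATH does not by itself let anyone substitute the ExecStart binary; it affects programs the service itself launches through PATH lookup. Rewording to `echo "$service: Writable service PATH entry may affect commands spawned by the service (ExecStart itself uses systemd's fixed search path)"` keeps the report accurate. No ordering check is made either, so a writable directory listed after the one a command actually resolves from is reported the same as one listed before it. The `while read -r exec_line` loop this sits in starts outside the hunk.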
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh index 3cb5779..6a86560 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh @@ -5,10 +5,10 @@ # Description: Check for internet access # License: GNU GPL # Version: 1.0 -# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname -# Global Variables: +# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname +# Global Variables: $E # Initial Functions: -# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS +# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS # Fat linpeas: 0 # Small linpeas: 0 @@ -29,8 +29,8 @@ check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$! check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$! check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$! -# Kill all after 10 seconds -(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) & +# Kill all check workers after timeout + 1s without relying on integer arithmetic +(sleep "$TIMEOUT_INTERNET_SECONDS"; sleep 1; kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) & check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null tcp443_bin_status=$? 
@@ -50,3 +50,9 @@ if [ "$tcp443_bin_status" -eq 0 ] && \ fi echo "" +print_3title "Proxy discovery" +print_info "Checking common proxy env vars and apt proxy config" +(env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g" +grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g" + +echo "" diff --git a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh index 2e1ab94..575b007 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh @@ -5,8 +5,8 @@ # Description: Check network interfaces # License: GNU GPL # Version: 1.0 -# Functions Used: print_2title -# Global Variables: +# Functions Used: print_2title, print_3title +# Global Variables: $E, $SED_RED_YELLOW # Initial Functions: # Generated Global Variables: $iface, $state, $mac, $ip_file, $line # Fat linpeas: 0 
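Review bot: The new proxy-discovery block uses `${SED_RED_YELLOW}` in both `sed` calls, but the header hunk earlier in this file only adds `$E` to `# Global Variables:`; other files in this commit (`4_Open_ports.sh`, `7_Tcpdump.sh`) list `$SED_RED_YELLOW` there, so add it here too so the metadata line stays accurate. The `grep -RinE 'Acquire::(http|https)::Proxy|proxy'` duplicates the `Proxy_Config` entry added to `build_lists/sensitive_files.yaml` in this same commit (same files, same pattern), so apt proxy settings will be printed twice per run; with `-i`, the bare `proxy` alternative already covers the `Acquire::...::Proxy` ones, so the pattern can simply be `proxy`. In the env check, `_proxy|no_proxy` is redundant for the same reason, since `no_proxy` contains `_proxy`.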
@@ -73,4 +73,22 @@ else parse_network_interfaces fi -echo "" \ No newline at end of file +if command -v ip >/dev/null 2>&1; then + print_3title "Routing & policy quick view" + ip route 2>/dev/null + ip -6 route 2>/dev/null | head -n 30 + echo "" + ip rule 2>/dev/null + + print_3title "Virtual/overlay interfaces quick view" + ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g" + + print_3title "Network namespaces quick view" + ip netns list 2>/dev/null + ls -la /var/run/netns/ 2>/dev/null +fi + +print_3title "Forwarding status" +sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g" + +echo "" diff --git a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh index c2f4ba9..482308c 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh @@ -6,7 +6,7 @@ # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_3title, print_info -# Global Variables: $E, $SED_RED +# Global Variables: $E, $SED_RED, $SED_RED_YELLOW # Initial Functions: # Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port # Fat linpeas: 0 
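Review bot: The output of the new `ip route`, `ip rule` and `ip -d link ... | grep` calls is unbounded while `ip -6 route` is capped at 30 lines; on a container or Kubernetes host `ip -d link` emits several lines per veth and the grep keeps every `^[0-9]+:` header, so this "quick view" can run to hundreds of lines. Capping them the same way (`| head -n 30` or a similar limit) keeps the section short. The `Forwarding status` sysctls are also printed again by the `Forwarding and rp_filter` block added to `8_Iptables.sh` in this commit, so one of the two can be dropped.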
@@ -122,6 +122,45 @@ get_open_ports() { parse_proc_net_ports "udp" fi + # Focused local service exposure view + print_3title "Local-only listeners (loopback)" + if command -v ss >/dev/null 2>&1; then + ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g" + elif command -v netstat >/dev/null 2>&1; then + netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g" + fi + + print_3title "Unique listener bind addresses" + if command -v ss >/dev/null 2>&1; then + ss -nltpuH 2>/dev/null | awk '{ + a=$5 + if (a ~ /^\[/) { + sub(/^\[/, "", a) + sub(/\]:[0-9]+$/, "", a) + } else if (a ~ /:[0-9]+$/) { + sub(/:[0-9]+$/, "", a) + } + sub(/^::ffff:/, "", a) + if (a != "") print a + }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g" + elif command -v netstat >/dev/null 2>&1; then + netstat -punta 2>/dev/null | grep -i listen | awk '{ + a=$4 + if (a ~ /^\[/) { + sub(/^\[/, "", a) + sub(/\]:[0-9]+$/, "", a) + } else if (a ~ /:[0-9]+$/) { + sub(/:[0-9]+$/, "", a) + } + if (a == ":::" ) a="::" + sub(/^::ffff:/, "", a) + if (a != "") print a + }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g" + fi + + print_3title "Potential local forwarders/relays" + ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g" + # Additional port information if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then print_3title "Additional Port Information" diff --git a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh index 97e97b4..37c3b3b 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh 
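Review bot: In the `Local-only listeners (loopback)` branch for `ss`, the filter `grep -E "127\.0\.0\.1:|::1:"` never matches the IPv6 loopback: `ss -n` prints it bracketed as `[::1]:port`, so the text `::1:` does not occur (the `netstat` branch is fine, since netstat prints `::1:port`). The `Unique listener bind addresses` awk just below already strips the `[...]` form, so the ss branch should use `grep -E "127\.0\.0\.1:|\[::1\]:" | sed -${E} "s,127\.0\.0\.1:|\[::1\]:,${SED_RED},g"`. `get_open_ports` continues outside the hunk.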
@@ -6,9 +6,9 @@ # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_3title, print_info, warn_exec -# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN +# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW # Initial Functions: -# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns +# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns, $dumpcap_test_file # Fat linpeas: 0 # Small linpeas: 1 @@ -26,8 +26,17 @@ check_command() { # Function to check if we can sniff on an interface check_interface_sniffable() { local iface=$1 - if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then - return 0 + if check_command tcpdump; then + if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then + return 0 + fi + elif check_command dumpcap; then + dumpcap_test_file="/tmp/.linpeas_dumpcap_test_$$.pcap" + if timeout 2 dumpcap -i "$iface" -c 1 -q -w "$dumpcap_test_file" >/dev/null 2>&1; then + rm -f "$dumpcap_test_file" 2>/dev/null + return 0 + fi + rm -f "$dumpcap_test_file" 2>/dev/null fi return 1 } @@ -55,6 +64,20 @@ check_network_traffic_analysis() { tools_found=1 # Check tcpdump version and capabilities warn_exec tcpdump --version 2>/dev/null | head -n 1 + getcap "$(command -v tcpdump)" 2>/dev/null + fi + + if check_command dumpcap; then + echo "dumpcap is available" | sed -${E} "s,.*,${SED_GREEN},g" + tools_found=1 + warn_exec dumpcap --version 2>/dev/null | head -n 1 + getcap "$(command -v dumpcap)" 2>/dev/null + + if id -nG 2>/dev/null | grep -qw wireshark; then + echo "Current user is in wireshark group" | sed -${E} "s,.*,${SED_GREEN},g" + elif getent group wireshark >/dev/null 2>&1; then + echo "wireshark group exists but current user is not in it" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + fi fi if check_command tshark; then 
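Review bot: `check_interface_sniffable` only tries `dumpcap` when `tcpdump` is absent (`elif`), so on a host where tcpdump exists but cannot open the interface while dumpcap is usable (setcap binary plus `wireshark` group, which the next hunk checks for), every interface is reported as `Not sniffable`; make the dumpcap attempt a second `if` that also runs when the tcpdump probe fails. The probe also writes to a predictable name, `/tmp/.linpeas_dumpcap_test_$$.pcap`, which any local user can pre-create or symlink; `dumpcap_test_file="$(mktemp -d /tmp/.linpeas_XXXXXX 2>/dev/null)/t.pcap" || return 1` gives a private location (remove the directory afterwards instead of just the file). With that, the two `rm -f` calls can be collapsed into one after the `if`.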
@@ -68,10 +91,28 @@ check_network_traffic_analysis() { echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g" tools_found=1 fi + + if check_command ngrep; then + echo "ngrep is available" | sed -${E} "s,.*,${SED_GREEN},g" + tools_found=1 + fi + + if check_command tcpflow; then + echo "tcpflow is available" | sed -${E} "s,.*,${SED_GREEN},g" + tools_found=1 + fi if [ $tools_found -eq 0 ]; then echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g" fi + + if check_command tcpdump; then + echo "Sniffable interfaces according to tcpdump -D:" + timeout 2 tcpdump -D 2>/dev/null + elif check_command dumpcap; then + echo "Sniffable interfaces according to dumpcap -D:" + timeout 2 dumpcap -D 2>/dev/null + fi # Check network interfaces echo "" 
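Review bot: The label `Sniffable interfaces according to tcpdump -D:` is misleading: `tcpdump -D` and `dumpcap -D` enumerate the capture devices libpcap knows about and do not show that the current user can open them, which is what the per-interface probe later in this function actually tests. Renaming it to `Capture devices listed by tcpdump -D (not a privilege check):` (and the dumpcap counterpart) keeps the two results from being read as the same thing. `check_network_traffic_analysis` continues outside the hunk.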
@@ -88,25 +129,28 @@ check_network_traffic_analysis() { fi for iface in $interfaces; do - if [ "$iface" != "lo" ]; then # Skip loopback + if [ "$iface" = "lo" ]; then + echo -n "Interface $iface (loopback): " + else echo -n "Interface $iface: " - if check_interface_sniffable "$iface"; then - echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g" - interfaces_found=1 - - # Check promiscuous mode - if check_promiscuous_mode "$iface"; then - echo " - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g" - fi - - # Get interface details - if [ "$EXTRA_CHECKS" ]; then - echo " - Interface details:" - warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null - fi - else - echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g" + fi + + if check_interface_sniffable "$iface"; then + echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g" + interfaces_found=1 + + # Check promiscuous mode + if [ "$iface" != "lo" ] && check_promiscuous_mode "$iface"; then + echo " - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g" fi + + # Get interface details + if [ "$EXTRA_CHECKS" ]; then + echo " - Interface details:" + warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null + fi + else + echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g" fi done @@ -145,7 +189,12 @@ check_network_traffic_analysis() { print_info "To capture sensitive traffic, you can use:" echo "tcpdump -i -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g" echo "tshark -i -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g" + echo "dumpcap -i -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g" fi + + echo "" + print_3title "Running sniffing/traffic reconstruction processes" + ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g" # Additional information if [ "$EXTRA_CHECKS" ]; then 
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh index 1dc48ea..d06dd2c 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh @@ -6,9 +6,9 @@ # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_3title, warn_exec, echo_not_found -# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW +# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW # Initial Functions: -# Generated Global Variables: $rules_file, $cmd, $tool, $config_file +# Generated Global Variables: $rules_file, $cmd, $tool, $config_file, $sysctl_var # Fat linpeas: 0 # Small linpeas: 1 @@ -90,6 +90,9 @@ analyze_nftables() { # List all rules echo -e "\nNftables Ruleset:" warn_exec nft list ruleset 2>/dev/null + + echo -e "\nNftables Ruleset with handles (-a):" + warn_exec nft -a list ruleset 2>/dev/null | sed -${E} "s,\\bdrop\\b|\\breject\\b|handle [0-9]+,${SED_RED_YELLOW},g" # Check for saved rules echo -e "\nSaved Rules:" @@ -180,6 +183,17 @@ analyze_firewall_rules() { analyze_nftables analyze_firewalld analyze_ufw + + echo "" + print_3title "Forwarding and rp_filter" + for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do + sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g" + done + + if check_command conntrack; then + echo -e "\nConntrack state (first 20):" + warn_exec conntrack -L 2>/dev/null | head -n 20 + fi # Additional checks if EXTRA_CHECKS is enabled if [ "$EXTRA_CHECKS" ]; then @@ -207,4 +221,4 @@ analyze_firewall_rules() { } # Run the main function -analyze_firewall_rules \ No newline at end of file +analyze_firewall_rules 
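Review bot: The new `nft -a list ruleset` prints the whole ruleset a second time right after the plain `nft list ruleset` above it; only the `handle N` annotations differ, so the report carries two copies of what can be a very long listing, and keeping only the `-a` variant (or filtering the second one to `drop`/`reject` lines) avoids that. The `\\bdrop\\b` word boundaries rely on `\b` support in `sed -E`, which GNU sed has but BusyBox/BSD sed may not; `(^|[[:space:]])(drop|reject)([[:space:]]|$)` is portable. `analyze_nftables` continues outside the hunk.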
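Review bot: The `Forwarding and rp_filter` loop highlights `= 1` for all three sysctls, but for `net.ipv4.conf.all.rp_filter` the value `1` is the strict (hardened) setting and `0` is the weak one, so the highlight is inverted for that key; handle it separately, e.g. `sysctl net.ipv4.conf.all.rp_filter 2>/dev/null | sed -${E} "s,=[[:space:]]*0,${SED_RED_YELLOW},g"`, and keep the `= 1` highlight for `ip_forward`/`forwarding` only. `check_command conntrack` is also called here, but this file's `# Functions Used:` header does not list `check_command` (it is defined in `7_Tcpdump.sh`); either add it to the header or use `command -v conntrack >/dev/null 2>&1`. These two forwarding sysctls are additionally printed by the `Forwarding status` block added to `1_Network_interfaces.sh` in this commit. `analyze_firewall_rules` continues outside the hunk.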
diff --git a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh index c941fef..2c4bff5 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh @@ -34,6 +34,9 @@ if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW}," fi for f in /etc/sudoers.d/*; do + if [ -w "$f" ]; then + echo "Sudoers file: $f is writable and may allow privilege escalation" | sed -${E} "s,.*,${SED_RED_YELLOW},g" + fi if [ -r "$f" ]; then echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g" grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh index 3bda4ad..8c16269 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh 
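Review bot: The new `[ -w "$f" ]` check runs for every file in `/etc/sudoers.d/` regardless of `$IAMROOT`, while the directory-writable message just above is gated on `! [ "$IAMROOT" ]`; as root `-w` is always true, so a root run reports every sudoers file as `writable and may allow privilege escalation`. Unless an enclosing condition outside the hunk already excludes root, gate it the same way: `if ! [ "$IAMROOT" ] && [ -w "$f" ]; then`. The `for f in /etc/sudoers.d/*` loop starts inside the hunk, but the block around it does not.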
@@ -8,12 +8,12 @@ # Functions Used: print_2title, print_info # Global Variables:$DEBUG, $SEARCH_IN_FOLDER, $USER, $wgroups # Initial Functions: -# Generated Global Variables: $screensess, $screensess2 +# Generated Global Variables: $screensess, $screensess2, $uscreen # Fat linpeas: 0 # Small linpeas: 1 -if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then +if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Searching screen sessions" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) @@ -25,5 +25,16 @@ if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_ find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," done + + if [ -r "/etc/passwd" ]; then + print_3title "Checking other users screen sessions" + cut -d: -f1,7 /etc/passwd 2>/dev/null | grep "sh$" | cut -d: -f1 | grep -v "^$USER$" | while read u; do + uscreen=$(screen -ls "${u}/" 2>/dev/null | grep -v "No Sockets found" | grep -v "^$") + if [ "$uscreen" ]; then + echo "User $u screen sessions:" + printf "%s\n" "$uscreen" | sed -${E} "s,.*,${SED_RED}," + fi + done + fi echo "" -fi \ No newline at end of file +fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh b/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh index 65947a0..5a04c58 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh 
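Review bot: The `Checking other users screen sessions` loop introduces `$u` and calls `print_3title`, but the header hunk only adds `$uscreen` to `# Generated Global Variables:` and `# Functions Used:` still reads `print_2title, print_info`; `$E` and `$SED_RED`, used in the new `sed -${E} "s,.*,${SED_RED},"`, are likewise missing from `# Global Variables:`. Please add `$u` and `print_3title` (and `$E`, `$SED_RED`, `$SED_RED_YELLOW`) so the builder metadata stays accurate. The `screen -ls "${u}/"` probe runs once per login-shell user and each call can take noticeable time on hosts with many users; a brief comment noting that it depends on screen's multiuser/setuid support to see other users' sockets would help the next reader judge the result.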
@@ -8,7 +8,7 @@ # Functions Used: print_2title, print_3title # Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups # Initial Functions: -# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt, +# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $agent_sockets, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt, # Fat linpeas: 0 # Small linpeas: 1 
@@ -19,12 +19,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)" hostsallow="$(ls /etc/hosts.allow 2>/dev/null)" - writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) + agent_sockets=$(find /run/user /tmp -type s \( -path "/run/user/*/ssh-*/agent.*" -o -name "ssh-agent.sock" -o -path "/tmp/ssh-*" \) 2>/dev/null) + writable_agents=$(find /tmp /etc /home /run/user \ + \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \ + -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null) else sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)" hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)" hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)" - writable_agents=$(find ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null) + agent_sockets=$(find "${ROOT_FOLDER}"tmp "${ROOT_FOLDER}"run -type s \( -name "agent.*" -o -name "ssh-agent.sock" \) 2>/dev/null) + writable_agents=$(find "${ROOT_FOLDER}" \ + \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \ + -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null) fi peass{SSH} @@ -58,7 +64,7 @@ fi if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then print_3title "Some certificates were found (out limited):" printf "$certsb4_grep\n" | head -n 20 - printf "$$PSTORAGE_CERTSBIN\n" | head -n 20 + printf "$PSTORAGE_CERTSBIN\n" | head -n 20 echo "" fi if [ "$PSTORAGE_CERTSCLIENT" ]; then 
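Review bot: Both rewritten `find` expressions end with `-a \( $wgroups \)`; if `$wgroups` expands to nothing, `\( \)` is a syntax error, `find` prints nothing and the message disappears into `2>/dev/null`, so `writable_agents` silently comes back empty. The previous version had the same shape, but since the expression is being rewritten it is worth guarding, e.g. by building the group clause only when `[ "$wgroups" ]` or at least documenting it with `# assumes $wgroups is a non-empty find expression built by the groups part — TODO confirm`. In the first branch, `agent_sockets` also includes sockets owned by the current user, which `writable_agents` already reports via `-user "$USER"`; adding `-not -user "$USER"` to `agent_sockets` would leave only other users' agents, the case worth highlighting.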
@@ -71,6 +77,11 @@ if [ "$PSTORAGE_SSH_AGENTS" ]; then printf "$PSTORAGE_SSH_AGENTS\n" echo "" fi +if [ "$agent_sockets" ]; then + print_3title "Potential SSH agent sockets were found:" + printf "%s\n" "$agent_sockets" | sed -${E} "s,.*,${SED_RED}," + echo "" +fi if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then print_3title "Listing SSH Agents" ssh-add -l diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh index 916b971..ae8e7f6 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh @@ -23,6 +23,7 @@ if ! [ "$STRACE" ]; then fi suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) printf "%s\n" "$suids_files" | while read s; do + [ -z "$s" ] && continue s=$(ls -lahtr "$s") #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total"; then break; fi 
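Review bot: The new `Potential SSH agent sockets were found:` block prints `$agent_sockets` immediately after `$PSTORAGE_SSH_AGENTS`, and the `agent.*`/`ssh-agent.sock` entries added to `sensitive_files.yaml` in this commit appear to feed that PSTORAGE variable from the same `tmp`/`run` directories, so the same paths are likely to be listed twice in succession (the generator is not visible here, so this is inferred). If that is the case, either drop one of the two or state what distinguishes them in a comment, e.g. `# agent_sockets: live sockets (find -type s); PSTORAGE_SSH_AGENTS: build-list matches`.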
@@ -59,6 +60,8 @@ printf "%s\n" "$suids_files" | while read s; do if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" fi + elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline) (https://tinyurl.com/suidpath)\n" else #If not a path if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh index 1dfd91c..feeced2 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh @@ -17,6 +17,7 @@ print_2title "SGID" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid" sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) printf "%s\n" "$sgids_files" | while read s; do + [ -z "$s" ] && continue s=$(ls -lahtr "$s") #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total";then break; fi 
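Review bot: The new `elif` branch here in `1_SUID.sh` and its identical twin in the `@@ -53` hunk of `2_SGID.sh` test `[ -w "$(dirname "$sline_first")" ]`, and `-w` is true for every directory when linpeas runs as root, so a root run reports every missing path that `strings` finds as creatable; the existing `-O || -w` check above has the same weakness, but this branch is far noisier because dangling paths are common in binaries. Gating on `! [ "$IAMROOT" ]` and computing the directory once, e.g. `sdir=$(dirname "$sline_first")` before the test, tightens it and avoids three `dirname` forks per line. Strings such as `/tmp/%s` or `/usr/%s/lib` also pass the `grep -q "/"` test, so a `grep -Eqv '%'` exclusion alongside the existing `\.\.` one would stop format templates from being reported. The `while read s` loop continues outside the hunk.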
@@ -53,6 +54,8 @@ printf "%s\n" "$sgids_files" | while read s; do if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" fi + elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline)\n" else #If not a path if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" @@ -90,4 +93,4 @@ printf "%s\n" "$sgids_files" | while read s; do fi fi done; -echo "" \ No newline at end of file +echo "" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh index 503ad9f..a6dbdd2 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh @@ -6,7 +6,7 @@ # License: GNU GPL # Version: 1.0 # Functions Used: echo_not_found, print_2title, print_info -# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER +# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $writeB, $writeVB # Initial Functions: # Generated Global Variables: # Fat linpeas: 0 
@@ -16,12 +16,12 @@ print_2title "Files with ACLs (limited to 50)" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls" if ! [ "$SEARCH_IN_FOLDER" ]; then - ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g" else - ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g" fi if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! 
[ "$(command -v getfacl || echo -n '')" ]; then #Find ACL files in macos (veeeery slow) - ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g" fi -echo "" \ No newline at end of file +echo "" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh index 61c3d66..7668dd3 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh @@ -8,7 +8,7 @@ # Functions Used: echo_not_found, print_2title, print_info, print_3title # Global Variables: $capsB, $capsVB, $IAMROOT, $SEARCH_IN_FOLDER # Initial Functions: -# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln +# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln, $proc_status, $proc_pid, $proc_name, $proc_uid, $user_name, $proc_inh, $proc_prm, $proc_eff, $proc_bnd, $proc_amb, $proc_inh_dec, $proc_prm_dec, $proc_eff_dec, $proc_bnd_dec, $proc_amb_dec # Fat linpeas: 0 # Small linpeas: 1 
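Review bot: The same eight-stage `sed` chain (user classes, `$USER`, then the new `$writeVB`/`$writeB` highlights) is now repeated verbatim on all three `getfacl`/`ls` branches, so every future change must be made three times and each line runs to several hundred characters. Moving it into a small helper, e.g. `highlight_acls() { sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"; }`, and piping each branch through it keeps the three lines readable. `$writeB`/`$writeVB` come from outside this file; a comment such as `# assumes $writeVB/$writeB are regexes for write-capable entries in getfacl -t output — TODO confirm` would help the next reader.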
@@ -69,6 +69,40 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then fi done echo "" + + print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)" + find /proc -maxdepth 2 -path "/proc/[0-9]*/status" 2>/dev/null | head -n 400 | while read -r proc_status; do + proc_pid=$(echo "$proc_status" | cut -d/ -f3) + proc_name=$(awk '/^Name:/{print $2}' "$proc_status" 2>/dev/null) + proc_uid=$(awk '/^Uid:/{print $2}' "$proc_status" 2>/dev/null) + user_name=$(awk -F: -v uid="$proc_uid" '$3==uid{print $1; exit}' /etc/passwd 2>/dev/null) + [ -z "$user_name" ] && user_name="$proc_uid" + + proc_inh=$(awk '/^CapInh:/{print $2}' "$proc_status" 2>/dev/null) + proc_prm=$(awk '/^CapPrm:/{print $2}' "$proc_status" 2>/dev/null) + proc_eff=$(awk '/^CapEff:/{print $2}' "$proc_status" 2>/dev/null) + proc_bnd=$(awk '/^CapBnd:/{print $2}' "$proc_status" 2>/dev/null) + proc_amb=$(awk '/^CapAmb:/{print $2}' "$proc_status" 2>/dev/null) + + [ -z "$proc_eff" ] && continue + if [ "$proc_eff" != "0000000000000000" ] || [ "$proc_amb" != "0000000000000000" ]; then + echo "PID $proc_pid ($proc_name) user=$user_name" + + proc_inh_dec=$(capsh --decode=0x"$proc_inh" 2>/dev/null) + proc_prm_dec=$(capsh --decode=0x"$proc_prm" 2>/dev/null) + proc_eff_dec=$(capsh --decode=0x"$proc_eff" 2>/dev/null) + proc_bnd_dec=$(capsh --decode=0x"$proc_bnd" 2>/dev/null) + proc_amb_dec=$(capsh --decode=0x"$proc_amb" 2>/dev/null) + + echo " CapInh: $proc_inh_dec" | sed -${E} "s,$capsB,${SED_RED},g" + echo " CapPrm: $proc_prm_dec" | sed -${E} "s,$capsB,${SED_RED},g" + echo " CapEff: $proc_eff_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g" + echo " CapBnd: $proc_bnd_dec" | sed -${E} "s,$capsB,${SED_RED},g" + echo " CapAmb: $proc_amb_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g" + echo "" + fi + done | head -n 240 + echo "" else print_3title "Current shell capabilities" 
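Review bot: If a kernel does not expose a `CapAmb:` line in /proc/PID/status, `$proc_amb` is empty and `[ "$proc_amb" != "0000000000000000" ]` is true for every process, so the loop lists the first 400 PIDs regardless of their capabilities; default it before the test with `[ -z "$proc_amb" ] && proc_amb="0000000000000000"`. When `capsh` is not installed the five `--decode` substitutions come back empty and the raw masks are discarded, so fall back to the hex value, e.g. `proc_eff_dec=$(capsh --decode=0x"$proc_eff" 2>/dev/null || echo "$proc_eff")`, for each of the five. Each entry prints seven lines, so `head -n 240` stops after 34 processes rather than the 40 announced in the title (`head -n 280`). Since every root process passes the non-zero test, root daemons will consume that budget first; consider skipping or listing last entries with `proc_uid` 0 so capability-bearing non-root processes, the ones relevant for escalation, are not the ones cut off.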
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh index a0d4b97..079fc36 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh 
@@ -6,19 +6,27 @@ # License: GNU GPL # Version: 1.0 # Functions Used: echo_not_found, print_2title, print_info -# Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER +# Global Variables: $capsB, $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER # Initial Functions: -# Generated Global Variables: +# Generated Global Variables: $pam_cap_lines # Fat linpeas: 0 # Small linpeas: 0 -if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then +if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ] || grep -Rqs "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null; then print_2title "Users with capabilities" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities" if [ -f "/etc/security/capability.conf" ]; then - grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," + grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$capsB,${SED_RED},g" else echo_not_found "/etc/security/capability.conf" fi echo "" -fi \ No newline at end of file + print_info "Checking if PAM loads pam_cap.so" + pam_cap_lines=$(grep -RIn "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null) + if [ "$pam_cap_lines" ]; then + printf "%s\n" "$pam_cap_lines" | sed -${E} "s,pam_cap\\.so,${SED_RED_YELLOW},g" + else + echo_not_found "pam_cap.so in /etc/pam.d or /etc/pam.conf" + fi + echo "" +fi diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh index 9fbd931..853a50e 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh 
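Review bot: Both the new `grep -Rqs "pam_cap\.so"` in the `if` and the `grep -RIn "pam_cap\.so"` that fills `$pam_cap_lines` match commented-out lines, so a distribution's default `#auth optional pam_cap.so` stanza opens the section and is painted red-yellow as though the module were active; anchor on non-comment content instead, e.g. `pam_cap_lines=$(grep -RIn "^[^#]*pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null)`, and the same pattern in the condition. The module can also be pointed at a different file through a `config=` argument on the same line, in which case /etc/security/capability.conf is not the file being consulted, so printing any such argument next to the match would help. As I understand pam_cap it only populates the inheritable set, which is exploitable only with matching file capabilities or ambient raising, so a `print_info` caveat would be more accurate than an unconditional red.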
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh @@ -6,7 +6,7 @@ # License: GNU GPL # Version: 1.0 # Functions Used: print_2title, print_info -# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $wgroups +# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $ldsoconfdG, $wgroups # Initial Functions: # Generated Global Variables: $ini_path, $fpath # Fat linpeas: 0 
@@ -26,40 +26,53 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then echo "Content of /etc/ld.so.conf:" cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" - # Check each configured folder - cat /etc/ld.so.conf 2>/dev/null | while read l; do - if echo "$l" | grep -q include; then + # Check each configured folder and include directives + cat /etc/ld.so.conf 2>/dev/null | while IFS= read -r l; do + l=$(echo "$l" | sed 's/#.*$//' | xargs 2>/dev/null) + [ -z "$l" ] && continue + + if echo "$l" | grep -qE '^include[[:space:]]+'; then ini_path=$(echo "$l" | cut -d " " -f 2) fpath=$(dirname "$ini_path") - if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]; then - echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + if [ -d "$fpath" ] && [ -w "$fpath" ]; then + echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},"; printf $RED_YELLOW$ITALIC"$fpath\n"$NC; else printf $GREEN$ITALIC"$fpath\n"$NC; fi - if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then - echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + if [ "$(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then + echo "You have write privileges over $(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi - for f in $fpath/*; do - if [ -w "$f" ]; then - echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + for f in $ini_path; do + [ -f "$f" ] || continue + + if [ -w "$f" ]; then + echo "You have write privileges over $f" | sed -${E} 
"s,.*,${SED_RED_YELLOW},"; printf $RED_YELLOW$ITALIC"$f\n"$NC; else printf $GREEN$ITALIC" $f\n"$NC; fi - cat "$f" | grep -v "^#" | while read l2; do - if [ -f "$l2" ] && [ -w "$l2" ]; then - echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + cat "$f" 2>/dev/null | grep -v "^#" | while IFS= read -r l2; do + l2=$(echo "$l2" | xargs 2>/dev/null) + [ -z "$l2" ] && continue + + if [ -d "$l2" ] && [ -w "$l2" ]; then + echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},"; printf $RED_YELLOW$ITALIC" - $l2\n"$NC; - else - echo $ITALIC" - $l2"$NC | sed -${E} "s,$l2,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"; + elif [ -d "$l2" ]; then + echo $ITALIC" - $l2"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"; fi done done + elif [ -d "$l" ] && [ -w "$l" ]; then + echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; + printf $RED_YELLOW$ITALIC"$l\n"$NC; + else + echo $ITALIC"$l"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"; fi done echo "" @@ -75,4 +88,4 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then if [ -f "$l" ] && [ -w "$l" ]; then echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi done -fi \ No newline at end of file +fi diff --git a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh index c99df36..68b5838 100644 --- a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh @@ -217,7 +217,7 @@ print_title(){ max_title_len=80 rest_len=$((($max_title_len - $title_len) / 2)) - printf ${BLUE} + printf "%s" "${BLUE}" for i in $(seq 1 $rest_len); do printf " "; done printf "╔" for i in $(seq 1 $title_len); do printf "═"; done; printf "═"; 
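Review bot: The new `elif [ -d "$l2" ]` branch silently drops every ld.so.conf.d entry that does not exist on disk, whereas the old `else` printed all of them; a listed library directory that is missing but whose parent is writable is precisely the case an attacker wants surfaced (create it, drop a library, wait for root's ldconfig), and the hunk now hides it. Keep a branch for it ahead of the plain listing, e.g. `elif [ ! -e "$l2" ] && [ -w "$(dirname "$l2")" ]; then` / `echo "$l2 is listed but missing and its parent dir is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},";` / `elif [ -d "$l2" ]; then`, and mirror it on the top-level `$l` branch, which at least still echoes unknown entries. Top-level lines also have trailing `#` comments stripped while `$l2` lines from included files only pass through `xargs`, so `/opt/lib # note` is tested as a path that contains the comment and is dropped. The enclosing `if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]` block starts before this hunk.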
@@ -231,13 +231,13 @@ print_title(){ echo "" - printf ${BLUE} + printf "%s" "${BLUE}" for i in $(seq 1 $rest_len); do printf " "; done printf "╚" for i in $(seq 1 $title_len); do printf "═"; done; printf "═"; printf "╝" - printf $NC + printf "%s" "${NC}" echo "" } diff --git a/linPEAS/builder/linpeas_parts/variables/capsB.sh b/linPEAS/builder/linpeas_parts/variables/capsB.sh index 727bb65..f056f2c 100644 --- a/linPEAS/builder/linpeas_parts/variables/capsB.sh +++ b/linPEAS/builder/linpeas_parts/variables/capsB.sh @@ -13,4 +13,4 @@ # Small linpeas: 1 -capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module" +capsB="=ep|cap_chown|cap_fowner|cap_fsetid|cap_setpcap|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_sys_rawio|cap_bpf|cap_perfmon" diff --git a/linPEAS/builder/linpeas_parts/variables/capsVB.sh b/linPEAS/builder/linpeas_parts/variables/capsVB.sh index 70dcff7..30be52e 100644 --- a/linPEAS/builder/linpeas_parts/variables/capsVB.sh +++ b/linPEAS/builder/linpeas_parts/variables/capsVB.sh @@ -18,7 +18,9 @@ cap_sys_ptrace:python \ cap_sys_module:kmod|python \ cap_dac_override:python|vim \ cap_chown:chown|python \ -cap_former:chown|python \ +cap_fowner:chown|python \ +cap_setfcap:python|perl|ruby|php|node|lua|bash \ +cap_setpcap:python|perl|ruby|php|node|lua|bash \ cap_setuid:peass{CAP_SETUID_HERE} \ cap_setgid:peass{CAP_SETGID_HERE} \ -cap_net_raw:python|tcpdump" \ No newline at end of file +cap_net_raw:python|tcpdump|dumpcap|tcpflow" diff --git a/linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh b/linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh index 5e098d6..8423433 100644 --- a/linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh 
+++ b/linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh 
@@ -24,4 +24,4 @@ pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KE pwd_in_variables8="OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY" 
pwd_in_variables9="S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETACCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY" 
pwd_in_variables10="SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|VAULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS" 
-pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY" \ No newline at end of file +pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY|USERNAME|PASSWORD|PASSWD|CREDENTIALS?" diff --git a/linPEAS/builder/linpeas_parts/variables/sudoB.sh b/linPEAS/builder/linpeas_parts/variables/sudoB.sh index 39f17dd..9d454bb 100644 
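Review bot: The four new terms `USERNAME|PASSWORD|PASSWD|CREDENTIALS?` are far broader than the rest of the list, which names specific service variables; if this alternation is consumed as an unanchored `grep -E` over the environment (how it is used is not visible here) then `USERNAME`, which many login shells export by default, and any variable merely containing PASSWORD will fire on every host and bury the high-signal entries. Consider tightening them, e.g. `(^|_)(PASSWORD|PASSWD|CREDENTIALS?)(_|=|$)`, or moving them to a separate lower-severity list. The context lines also carry two pre-existing typos worth fixing while here: `PYPI_PASSOWRD` and `SONATYPE_PASSSONATYPE_TOKEN_USER`, which looks like a missing `|` between `SONATYPE_PASS` and `SONATYPE_TOKEN_USER`.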
--- a/linPEAS/builder/linpeas_parts/variables/sudoB.sh +++ b/linPEAS/builder/linpeas_parts/variables/sudoB.sh @@ -12,4 +12,4 @@ # Fat linpeas: 0 # Small linpeas: 1 -sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications" \ No newline at end of file +sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|/usermod|/sbin/ldconfig|/usr/sbin/ldconfig|ldconfig -f|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications" diff --git a/linPEAS/builder/linpeas_parts/variables/writeVB.sh b/linPEAS/builder/linpeas_parts/variables/writeVB.sh index 3eb017f..d7e41ec 100644 --- a/linPEAS/builder/linpeas_parts/variables/writeVB.sh +++ b/linPEAS/builder/linpeas_parts/variables/writeVB.sh 
@@ -13,4 +13,4 @@ # Small linpeas: 1 -writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH \ No newline at end of file +writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/ld.so.preload|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH
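Review bot: Adding `/etc/ld.so.preload` is right, but `/etc/ld.so.conf` itself is still absent: the existing `/etc/ld.so.conf.d/` alternative does not match the shorter path, so a writable `/etc/ld.so.conf`, which the 6_Misconfigured_ldso.sh check in this same commit parses for `include` directives, gets no highlight here. Add `/etc/ld.so.conf|` beside the new entry, and `/etc/ld.so.cache|` if a writable loader cache should be flagged as well.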