815 Commits

Author SHA1 Message Date
SirBroccoli a9d8395583 Auto-merge PR #648 (Chack Agent)
Co-authored-by: HackTricks PEASS Wordlist Updater <peass-wordlist-updater@hacktricks.xyz>
2026-06-08 08:58:55 +00:00
SirBroccoli 4be3e81aef Auto-merge PR #647 (Chack Agent)
Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>
2026-05-31 06:56:24 +00:00
Carlos Polop d01e61a0ac Merge branch 'master' of github.com:peass-ng/PEASS-ng 2026-05-28 12:44:29 +02:00
Carlos Polop 195fc242ba f 2026-05-28 12:44:26 +02:00
SirBroccoli e5f01f3df7 Auto-merge PR #643 (Chack Agent)
Co-authored-by: HackTricks PEASS Wordlist Updater <peass-wordlist-updater@hacktricks.xyz>
2026-05-25 08:07:28 +00:00
Carlos Polop 18ea88b35b Expand linPEAS module metadata tests 2026-05-21 13:24:52 +02:00
Carlos Polop ca743bf978 Bound linpeas sudo listing checks 2026-05-21 13:09:33 +02:00
Carlos Polop 1ea8107bf5 Fix bot PR auto-merge and linpeas exclude matching 2026-05-21 13:03:38 +02:00
sammonsempes 0d6dab6c1e [LINPEAS] Add Dirty Frag check (CVE-2026-43284 / CVE-2026-43500) (#640) 2026-05-10 19:01:55 +02:00
Rodrigo Amaral 179f79794d Fix broken link for PackageKit Pack2TheRoot (#639)
Co-authored-by: Rodrigo <rodrigo@192>
2026-05-06 10:50:12 +02:00
Carlos Polop 15a244cb30 Improve Azure VM managed identity discovery 2026-05-05 17:58:20 +02:00
Carlos Polop 49bafa87a9 f 2026-04-30 13:45:33 +02:00
Carlos Polop 8bf6564d02 f 2026-04-30 13:30:04 +02:00
Carlos Polop c447ef1433 copyfail check 2026-04-30 12:59:09 +02:00
Théo Louis-Tisserand e9dc98fc9c fix(linpeas): correct pkexec version regex pattern (#632) 2026-04-30 10:00:50 +02:00
SirBroccoli 1993984d21 Auto-merge PR #636 (Chack Agent)
Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>
2026-04-30 06:07:24 +00:00
sammonsempes f8273fa13b feat: detect PackageKit Pack2TheRoot (CVE-2026-41651) (#634) 2026-04-22 20:05:17 +02:00
Carlos Polop 5d4b4522ef lhe 2026-04-17 13:15:05 +02:00
s1d3r 65d6e4662a fix(linpeas): highlight writable shell binaries as 95% PE vector on merged-usr systems (#630)
The PATH-derived portion of writeVB uses `sed 's/:/$|^/g'` to turn the
colon-separated PATH into an alternation regex. This produces patterns like
`^/usr/bin$|^/sbin$|^/bin` where every entry except the last gets a trailing
`$` anchor — making it an exact match on the directory name itself rather than
a prefix match on files inside it.

On modern merged-/usr distributions (Debian 10+, Ubuntu 20.04+, Fedora 17+,
Arch) `/bin` is a symlink to `usr/bin`, so `find /` returns `/usr/bin/bash`
rather than `/bin/bash`.  The pattern `^/usr/bin$` does not match
`/usr/bin/bash` (the `$` prevents it), so a writable bash binary falls through
to the lower-severity writeB coloring (plain RED) instead of the 95% PE vector
RED/YELLOW.

Add explicit patterns for the common shell interpreters and env so they are
always flagged as 95% PE vectors regardless of PATH ordering or /usr-merge
layout:

  /bin/bash  /usr/bin/bash
  /bin/sh    /usr/bin/sh
  /bin/dash  /usr/bin/dash
  /bin/zsh   /usr/bin/zsh
  /usr/bin/env

Co-authored-by: s1d3r <s1d3r@users.noreply.github.com>
2026-04-12 23:44:18 +02:00
Jaime Polop b1a2eef8fd Update 4_Capabilities.sh (#629) 2026-04-09 15:54:03 +02:00
SirBroccoli 5841e7c39d Auto-merge PR #628 (Chack Agent)
Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>
2026-03-31 05:11:16 +00:00
R Muthra ac31bcefab feat: detect hidden group access via newgrp (gshadow desync) (#625)
* feat: detect hidden group access via newgrp (gshadow desync)

Problem: groups/id only show current session memberships
Fix: probe all system groups via newgrp to detect accessible groups not shown
Impact: identifies hidden access (docker, lxd, etc.) missed by standard checks

Real case: user present in gshadow docker group but not reflected in session
newgrp docker succeeds -> container escape -> root

* Update linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh

fixed the command-injection vector.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Muthra <muthra@example.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: SirBroccoli <carlospolop@gmail.com>
2026-03-23 16:29:33 +01:00
SirBroccoli b8528da949 Improve container and runtime enumeration (#624)
* Improve container and runtime enumeration

* Fix CI failures for PR #624

---------

Co-authored-by: chack-agent <chack-agent@users.noreply.github.com>
2026-03-22 21:44:38 +01:00
Carlos Polop d71e346ab1 f 2026-03-20 16:56:05 +01:00
SirBroccoli 1fb7aefa40 Auto-merge PR #622 (Chack Agent)
* test: trigger linpeas workflow failure

* Fix CI failures for PR #622

* docs: clarify builder output wording

---------

Co-authored-by: chack-agent <chack-agent@users.noreply.github.com>
2026-03-19 21:27:55 +00:00
github-actions[bot] 43acba0fde Fix CI-master_test failure (run #22819411371) (#616)
* Fix CI-master failures for run #22819411371

* Delete linPEAS/linpeas_fat.sh

---------

Co-authored-by: chack-agent <chack-agent@users.noreply.github.com>
Co-authored-by: SirBroccoli <carlospolop@gmail.com>
2026-03-08 16:02:36 +01:00
Carlos Polop aaaa178974 Merge branch 'master' of github.com:peass-ng/PEASS-ng 2026-03-08 11:41:18 +01:00
Carlos Polop 2bc2911c1d f 2026-03-08 11:41:15 +01:00
Giveen 115b7e60a7 MITRE ATT&CK Integration for LinPEAS and WinPEAS (#614)
* feat: MITRE ATT&CK integration for LinPEAS and WinPEAS

- Add -T T1234,T5678 flag to LinPEAS to filter checks by technique
- Add mitre=T1234,T5678 argument to WinPEAS for technique-based filtering
- Annotate every check title with MITRE technique ID(s) displayed in grey
- Add $_mitre_tag to Generated Global Variables in 0_variables_base.sh
- Add check_mitre_filter() shell function with prefix-match support
- Add MitreAttackIds property to ISystemCheck interface (C#)
- Update MainPrint/GreatPrint in Beaprint.cs to accept optional mitreIds
- Tag all 158 LinPEAS check modules with # Mitre: metadata
- Tag all 16 WinPEAS check classes with MitreAttackIds property
- Update linpeasModule.py to parse # Mitre: metadata field
- Update linpeasBaseBuilder.py to emit check_mitre_filter wrappers
- Add 3 MITRE argument parsing tests to ArgumentParsingTests.cs

* test: add MITRE filter coverage for LinPEAS builder and WinPEAS

LinPEAS (test_builder.py):
- test_mitre_flag_present_in_getopts: -T: must appear in getopts string
- test_mitre_flag_present_in_help_text: -T must appear in built help text
- test_mitre_filter_function_present: check_mitre_filter() must be in built script

WinPEAS (ArgumentParsingTests.cs):
- PassesMitreFilter_EmptyFilter_AllChecksPass: no filter -> all checks run
- PassesMitreFilter_ExactMatch_Passes: T1082 filter matches T1082 check
- PassesMitreFilter_NoMatch_Fails: T1082 filter rejects T1057 check
- PassesMitreFilter_PrefixMatch_Passes: T1552 filter matches T1552.001/T1552.005
- PassesMitreFilter_SubtechniqueDoesNotMatchDifferentBase_Fails: T1548 != T1552.001

* chore: ignore .github/instructions/ and untrack todos.instructions.md

* fix: complete and accurate MITRE ATT&CK mappings for LinPEAS and WinPEAS

gitignore:
- Add .github/instructions/ to .gitignore and untrack todos.instructions.md

LinPEAS — corrected mappings:
- 29_Interesting_environment_variables.sh: add missing T1552.007,T1082
- 3_USBCreator.sh: T1548 → T1548.003,T1068 (polkit bypass + CVE-class exploit)
- 9_Doas.sh: T1548 → T1548.003 (doas is a sudo/sudo-caching equivalent)
- 10_Pkexec.sh: T1548 → T1548.003,T1548.004,T1068 per-section specificity
- 2_Process_cred_in_memory.sh: T1003,T1055 → T1003.007 (Proc Filesystem, drop wrong T1055)
- 11_Superusers.sh: T1087.001,T1548 → T1087.001 (discovery only, no elevation abuse)
- 14/15/16 writable files: T1574 → T1574.009,T1574.010 (specific sub-techniques)

WinPEAS — corrected mappings:
- SystemInfo: class expanded to full technique union; WSUS T1195→T1072,T1068;
  KrbRelayUp T1558→T1187,T1558; Object Manager T1548→T1068;
  Named Pipes T1559.001→T1559; Low-priv pipes T1559.001→T1134.001,T1559
- EventsInfo: class expanded with T1078.003,T1552.001,T1059.001,T1082
- UserInfo: class expanded; Token privileges T1134→T1134.001
- ProcessInfo: Leaked Handlers T1134.003→T1134.001 (token impersonation, not make-token)
- ServicesInfo: class adds T1574.011,T1068
- ApplicationsInfo: class adds T1010,T1014
- NetworkInfo: class adds T1018,T1090
- ActiveDirectoryInfo: T1484→T1484.001; class adds T1003
- WindowsCreds: class sub-techniques T1552→T1552.001,T1552.002, T1555→T1555.003,T1555.004;
  SSClient T1059→T1552.001 (wrong technique entirely)
- FilesInfo: class expanded with T1552.002,T1552.004,T1552.006,T1564.001,T1574.001,
  T1059.004,T1114.001,T1218,T1649; Cloud Credentials T1552.005→T1552.001
- SoapClientInfo: T1059,T1071→T1559,T1071.001 (IPC/Web protocol, not scripting)

* fix: add missing T1613 and T1562.001 to SystemInfo class-level MitreAttackIds; label AD object enumeration with T1087.002 and T1018

* fix: correct linpeas mitre filter matching logic

* fix: MITRE code bugs — pass-through for untagged checks, remove dead OR in section gate

- PassesMitreFilter (Checks.cs): when MitreAttackIds is null or empty and a filter
  is active, return true (pass-through) instead of false.  Previously any future
  ISystemCheck added without MITRE IDs would be silently excluded by an active filter.
- linpeasBaseBuilder.py: remove redundant '|| [ -z "$MITRE_FILTER" ]' from the
  generated section-level gate.  check_mitre_filter already returns 0 immediately
  when MITRE_FILTER is empty, so the OR branch was unreachable and inconsistent with
  the check-level gate which uses the same function without the extra guard.
- ArgumentParsingTests.cs: add PassesMitreFilter_NullMitreAttackIds_PassesThrough
  and PassesMitreFilter_EmptyMitreAttackIds_PassesThrough regression tests.

* fix(mitre): 4 bugs — dead arg parser, wait logic, subprocess forks, cleanup race

Checks.cs: max-regex-file-size used string.Equals which requires exact match,
so 'max-regex-file-size=500000' could never match and MaxRegexFileSize was stuck
at 1000000 forever. Fixed to arg.StartsWith.

Checks.cs RunChecks: wait compared loop index i against
_systemCheckSelectedKeysHashSet.Count, which is 0 when all checks run (so
i < -1 is always false) and semantically wrong when a key subset is selected.
Replaced with a pre-count of checks that pass both filters and a running counter.

0_variables_base.sh check_mitre_filter: replaced two $(echo ... | tr ...)
subprocess forks per call with pure parameter-expansion while-loops. Zero
process forks, POSIX-compliant, ~632 fork()s saved per full filtered run.
Declares _mitre_tags_left and _mitre_filters_left in Generated Global Variables.

linpeas_builder.py: os.remove of the shared temp file raised FileNotFoundError
when multiple sequential builder invocations ran (the second saw the file
already deleted by the first). Wrapped in try/except FileNotFoundError.

Tests: Added PassesMitreFilter_SubtechniqueFilter_DoesNotMatchParentOnlyTag
and MaxRegexFileSize_ArgParsed_Correctly regression tests (16 total).

* ci: add manual build-artifacts workflow (winPEAS.exe + linpeas.sh)

* fix(linpeas): getopts silent mode — clear error when -T given without argument

Switch getopts to silent mode (leading ':') so the shell does not emit its
own terse 'No arg for -T option' message. Add explicit :) case that prints
  ERROR: -T requires an argument (e.g. -T T1082,T1552)
and then dumps the help text before exiting 1. Add *) case for unrecognised
flags with the same pattern. Behaviour for all valid flags is unchanged.

* chore: untrack build-artifacts workflow, add to .gitignore
2026-03-08 01:26:40 +01:00
Giveen ec18e4b2e2 Fix thread count override and add -z flag to set thread count (#611)
* Fix thread count override and add -z flag to set thread count

* Enforce THREADS >= 1 after detection; validate -z range; clarify help text

* Strip colours from -z warning; add regression tests for -z getopts/help

* Tighten getopts regression test: match 'while getopts' line with regex
2026-03-06 11:36:03 +01:00
SirBroccoli 42f126c392 Auto-merge PR #609 (Chack Agent)
Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>
2026-02-28 04:20:02 +00:00
SirBroccoli 11a506f81a Auto-merge PR #607 (Chack Agent)
Co-authored-by: HackTricks PEASS Wordlist Updater <peass-wordlist-updater@hacktricks.xyz>
2026-02-26 12:20:50 +00:00
SirBroccoli 39e475923f Auto-merge PR #605 (Chack Agent)
* ci: speed up PR-tests and add linpeas typo fixture

* Fix syntax: use '==' in __main__ guard in linpeas_builder.py

* ci: retrigger pr-tests after fixer

* f

* kernel checks

* Revert PR changes to PR-tests.yml and regexes.yaml (#606)

* Initial plan

* revert: remove PR changes to PR-tests.yml and regexes.yaml

Co-authored-by: carlospolop <17181413+carlospolop@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carlospolop <17181413+carlospolop@users.noreply.github.com>

---------

Co-authored-by: chack-agent <chack-agent@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: carlospolop <17181413+carlospolop@users.noreply.github.com>
2026-02-26 00:28:24 +00:00
Carlos Polop 98e5e7c3f2 f 2026-02-24 21:31:15 +01:00
Carlos Polop 381bf74ebd test: intentional master break in linpeas builder for chack validation 2026-02-14 01:03:28 +01:00
Carlos Polop 3e2af030d4 f 2026-02-12 20:02:37 +01:00
Carlos Polop ec746e73e3 additions 2026-02-12 03:44:02 +01:00
Carlos Polop cf3565d7e0 Revert "test: intentional ci break for chack agent workflow validation"
This reverts commit 386ef0642a.
2026-02-11 17:17:46 +01:00
Carlos Polop 386ef0642a test: intentional ci break for chack agent workflow validation 2026-02-11 17:05:14 +01:00
SirBroccoli 5c110bd4f8 Fix/systemd generated vars ci (#584)
* Fix Systemd module generated vars metadata

* add auto master fix

* f
2026-02-11 11:43:32 +01:00
SirBroccoli c1bf38a8ab Auto-merge PR #581 (Codex) 2026-02-03 23:34:53 +00:00
Carlos Polop 04c0b8aab3 f 2026-02-03 18:11:07 +01:00
SirBroccoli fce28d2b81 Auto-merge PR #579 (Codex)
* autoimprover: simplify linpeas checks

* Fix CI failures for PR #579

---------

Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>
Co-authored-by: codex-action <codex-action@users.noreply.github.com>
2026-01-31 12:54:18 +00:00
Carlos Polop 1473fedcbf Fix linPEAS module section path matching 2026-01-21 15:21:50 +01:00
Carlos Polop f8f4250b81 Add stronger winPEAS/linPEAS tests 2026-01-21 15:14:08 +01:00
Carlos Polop 83580fcd8a Re-enable winPEAS tests and add linPEAS builder checks 2026-01-21 01:15:38 +01:00
SirBroccoli db30e3bd7d Fix Browser_profiles module ID casing (#576) 2026-01-20 23:54:30 +01:00
SirBroccoli b4c1043a93 Merge branch 'master' into fix/issue-410-printnightmare 2026-01-20 23:06:29 +01:00
SirBroccoli 3371be7bd6 Merge pull request #557 from peass-ng/fix/issue-474-service-timeout
Add timeout to service enumeration
2026-01-20 23:02:35 +01:00
SirBroccoli 2344f5b106 Auto-merge PR #570 (Codex) 2026-01-20 17:25:25 +00:00