From 2e5bae66ea64b2b0329ba910da5409b95553c3b0 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot
Date: Tue, 4 Nov 2025 12:57:12 +0000
Subject: [PATCH] =?UTF-8?q?Add=20linpeas=20privilege=20escalation=20checks?= =?UTF-8?q?=20from:=20HTB:=20Dump=20=E2=80=94=20Zip=20argument=20injection?= =?UTF-8?q?=20to=20RCE=20and=20tcpdump=20sudo=20misconfig=20to=20root?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../6_users_information/7_Sudo_l.sh | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
index 179780e..da2cb37 100644
--- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
@@ -29,4 +29,27 @@ for f in /etc/sudoers.d/*; do
 grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
 fi
 done
-echo ""
\ No newline at end of file
+# Extra: Detect tcpdump sudoers patterns that can be abused (wildcards/-w/-Z/-r/-V)
+_tcpdump_sudol="Matching Defaults entries for runner on runnervmf2e7y:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
+
+User runner may run the following commands on runnervmf2e7y:
+ (ALL) NOPASSWD: ALL"
+if [ -z "" ] && [ "" ]; then
+ _tcpdump_sudol="Matching Defaults entries for runner on runnervmf2e7y:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
+
+User runner may run the following commands on runnervmf2e7y:
+ (ALL) NOPASSWD: ALL"
+fi
+if echo "" | grep -q "/tcpdump"; then
+ echo "Potentially dangerous sudo tcpdump rule(s) found:" | sed - "s,.*,,g"
+ printf "%s\n" "" | grep tcpdump | sed - "s,.*,,g"
+ print_info "tcpdump via sudo is commonly exploitable if arguments are not fully pinned (e.g., globbed -w path). Consider trying:"
+ echo " sudo tcpdump -c10 -w -w /dev/shm/out.pcap -F " | sed - "s,.*,,g"
+ echo " sudo tcpdump -c10 -w -Z root -w /dev/shm/root-owned -F " | sed - "s,.*,,g"
+ echo " sudo tcpdump -c10 -w -Z root -r crafted.pcap -w /etc/sudoers.d/linpeas -F " | sed - "s,.*,,g"
+ echo " sudo tcpdump -c10 -w -V /root/secret -w /tmp/dummy -F " | sed - "s,.*,,g"
+ echo " (use with caution; ensure correct perms, e.g., 440 for sudoers.d)" | sed - "s,.*,,g"
+ echo ""
+fi
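Review bot: The added block can never report anything and embeds the generator's own environment: `_tcpdump_sudol` is assigned the literal `sudo -l` output of a CI host (`runner` on `runnervmf2e7y`, `(ALL) NOPASSWD: ALL`) rather than the audited machine's, and the guards `if [ -z "" ] && [ "" ]; then` and `if echo "" | grep -q "/tcpdump"; then` test empty strings, so both are always false — every `$var` reference was evaluated when the patch was generated instead of being written into the script. The `sed - "s,.*,,g"` pipes show the same collapse (`-${E}` and `${SED_RED}` became empty), so `sed -` would error if the branch were ever reached. Fixing only the conditions would make it worse, because the hardcoded `NOPASSWD: ALL` text would then be flagged on every host; the literal has to go and the check must read the variable this script already stores `sudo -l` output in (the hunk does not show its name, so the fence uses a placeholder), with the colouring restored to the `sed -${E} "s,…,${SED_RED},g"` form used on the context line above. The leading context lines belong to the `for f in /etc/sudoers.d/*` loop that starts above the hunk; the new lines sit after its `done`.
```shell
# Extra: Detect tcpdump sudoers patterns that can be abused (wildcards/-w/-Z/-r/-V)
_tcpdump_sudol="$SUDO_L_OUTPUT"   # PLACEHOLDER: the variable this script already stores `sudo -l` output in
if [ -n "$_tcpdump_sudol" ] && printf '%s\n' "$_tcpdump_sudol" | grep -q "/tcpdump"; then
  echo "Potentially dangerous sudo tcpdump rule(s) found:" | sed -${E} "s,.*,${SED_RED},g"
  printf '%s\n' "$_tcpdump_sudol" | grep tcpdump | sed -${E} "s,.*,${SED_RED},g"
  # … unchanged: print_info and the example invocations, each piped through the same sed -${E} "s,.*,${SED_RED},g" …
  echo ""
fi
```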