PenTest/privilege-escalation-awesome-scripts-suite
1
0
Fork 0
mirror of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git synced 2025-12-06 09:01:29 +00:00
Code Issues Projects Releases Wiki Activity

Add linpeas privilege escalation checks from: Metasploit Wrap-Up 11/28/2025

Browse Source
This commit is contained in:
HackTricks News Bot
2025-11-29 01:41:29 +00:00
parent 80318c5005
commit e99e64cddf
2 changed files with 83 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
linPEAS/README.md
View File

@@ -102,6 +102,9 @@ It uses **/bin/sh** syntax, so can run in anything supporting `sh` (and the bina
By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**. By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
LinPEAS keeps expanding vendor-specific coverage; as of 29-Nov-2025 it warns when IGEL OS appliances still ship the SUID `setup`/`date` helpers that allow NetworkManager/systemd configuration hijacking (Metasploit module `linux/local/igel_network_priv_esc`).
By default linpeas takes around **4 mins** to complete, but It could take from **5 to 10 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*: By default linpeas takes around **4 mins** to complete, but It could take from **5 to 10 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
- From less than 1 min to 2 mins to make almost all the checks - From less than 1 min to 2 mins to make almost all the checks
- Almost 1 min to search for possible passwords inside all the accesible files of the system - Almost 1 min to search for possible passwords inside all the accesible files of the system

80
linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh Normal file
View File

@@ -0,0 +1,80 @@
# Title: Interesting Permissions Files - IGEL OS SUID setup/date abuse
# ID: IP_IGEL_OS_SUID
# Author: HT Bot
# Last Update: 29-11-2025
# Description: Detect IGEL OS environments that expose the SUID-root `setup`/`date` binaries and highlight writable NetworkManager/systemd configs that enable the documented privilege escalation chain (Metasploit linux/local/igel_network_priv_esc).
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_info
# Global Variables: $ITALIC, $NC, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SUPERFAST
# Initial Functions:
# Generated Global Variables: $igel_markers, $igel_marker_sources, $marker, $igel_suid_hits, $candidate, $writable_nm, $writable_systemd, $unitdir, $tmp_units
# Fat linpeas: 0
# Small linpeas: 1
igel_markers=""
igel_marker_sources=""
if [ -f /etc/os-release ] && grep -qi "igel" /etc/os-release 2>/dev/null; then
igel_markers="Yes"
igel_marker_sources="/etc/os-release"
fi
if [ -f /etc/issue ] && grep -qi "igel" /etc/issue 2>/dev/null; then
igel_markers="Yes"
igel_marker_sources="${igel_marker_sources} /etc/issue"
fi
for marker in /etc/igel /wfs/igel /userhome/.igel /config/sessions/igel; do
if [ -e "$marker" ]; then
igel_markers="Yes"
igel_marker_sources="${igel_marker_sources} $marker"
fi
done
igel_suid_hits=""
for candidate in /usr/bin/setup /bin/setup /usr/sbin/setup /opt/igel/bin/setup /usr/bin/date /bin/date /usr/lib/igel/date; do
if [ -u "$candidate" ]; then
igel_suid_hits="${igel_suid_hits}$(ls -lah "$candidate" 2>/dev/null)\n"
fi
done
if [ -n "$igel_markers" ] || [ -n "$igel_suid_hits" ]; then
print_2title "IGEL OS SUID setup/date privilege escalation surface"
print_info "https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025"
if [ -n "$igel_markers" ]; then
echo "Potential IGEL OS detected via: $igel_marker_sources" | sed -${E} "s,.*,${SED_GREEN},"
else
echo "IGEL-specific SUID helpers found but IGEL markers were not detected" | sed -${E} "s,.*,${SED_RED},"
fi
if [ -n "$igel_suid_hits" ]; then
echo "SUID-root helpers exposing configuration primitives:" | sed -${E} "s,.*,${SED_RED_YELLOW},"
printf "%b" "$igel_suid_hits"
else
echo "No SUID setup/date binaries were located (system may be patched)."
fi
writable_nm=""
writable_systemd=""
if ! [ "$SUPERFAST" ]; then
if [ -d /etc/NetworkManager ]; then
writable_nm=$(find /etc/NetworkManager -maxdepth 3 -type f -writable 2>/dev/null | head -n 25)
fi
for unitdir in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
if [ -d "$unitdir" ]; then
tmp_units=$(find "$unitdir" -maxdepth 2 -type f -writable 2>/dev/null | head -n 15)
if [ -n "$tmp_units" ]; then
writable_systemd="${writable_systemd}${tmp_units}\n"
fi
fi
done
fi
if [ -n "$writable_nm" ]; then
echo "Writable NetworkManager profiles/hooks (swap Exec path to your payload):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
echo "$writable_nm"
fi
if [ -n "$writable_systemd" ]; then
echo "Writable systemd unit files (edit ExecStart, then restart via setup/date):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
printf "%b" "$writable_systemd"
fi
printf "$ITALIC Known exploitation chain: Use the SUID setup/date binaries to edit NetworkManager or systemd configs so ExecStart points to your payload, then trigger a service restart via the same helper to run as root (Metasploit linux/local/igel_network_priv_esc).$NC\n"
fi
echo ""