mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2025-12-06 17:11:29 +00:00
Compare commits
12 Commits
20250525-b
...
codex/fix-
| Author | SHA1 | Date | |
|---|---|---|---|
|
4e556fd594 | ||
|
|
c3a93a57fe | ||
|
f62d9fc550 | ||
|
|
11e9b8dde6 | ||
|
b9a9ad5ddf | ||
|
|
88f08a405e | ||
|
|
322792c4ec | ||
|
|
c150e63b52 | ||
|
|
7b8dcfbe8d | ||
|
|
aac3667247 | ||
|
|
64ab193d25 | ||
|
|
aab8241ede |
@@ -26,7 +26,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: echo_not_found, print_2title, print_info
|
||||
# Global Variables:
|
||||
# Global Variables: $NoEnvVars, $EnvVarsRed
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
@@ -35,5 +35,5 @@
|
||||
|
||||
print_2title "Environment"
|
||||
print_info "Any private information inside environment variables?"
|
||||
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
|
||||
(env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@
|
||||
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $pid5, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
|
||||
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
@@ -19,24 +19,30 @@ print_2title "Internet Access?"
|
||||
TIMEOUT_INTERNET_SECONDS=5
|
||||
|
||||
if [ "$SUPERFAST" ]; then
|
||||
TIMEOUT_INTERNET_SECONDS=2
|
||||
TIMEOUT_INTERNET_SECONDS=2.5
|
||||
fi
|
||||
|
||||
|
||||
# Run all checks in background
|
||||
check_tcp_80 2>/dev/null & pid1=$!
|
||||
check_tcp_443 2>/dev/null & pid2=$!
|
||||
check_tcp_443_bin 2>/dev/null & pid3=$!
|
||||
check_icmp 2>/dev/null & pid4=$!
|
||||
check_dns 2>/dev/null & pid5=$!
|
||||
check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$!
|
||||
check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
|
||||
check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
|
||||
check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
|
||||
|
||||
# Kill all after 10 seconds
|
||||
(sleep $TIMEOUT_INTERNET_SECONDS && kill -9 $pid1 $pid2 $pid3 $pid4 $pid5 2>/dev/null) &
|
||||
(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
|
||||
|
||||
check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
|
||||
tcp443_bin_status=$?
|
||||
|
||||
wait $pid1 $pid2 $pid3 $pid4 2>/dev/null
|
||||
|
||||
|
||||
# Wait for all to finish
|
||||
wait $pid1 $pid2 $pid3 $pid4 $pid5 2>/dev/null
|
||||
wait 2>/dev/null
|
||||
|
||||
if ! [ "$SUPERFAST" ] && ! [ "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
|
||||
if [ "$tcp443_bin_status" -eq 0 ] && \
|
||||
[ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
|
||||
echo ""
|
||||
print_2title "Is hostname malicious or leaked?"
|
||||
print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
# Title: Interesting Files - Interesting Environment Variables
|
||||
# ID: IF_Interesting_environment_variables
|
||||
# Author: Jack Vaughn
|
||||
# Last Update: 25-05-2025
|
||||
# Description: Searching possible sensitive environment variables inside of /proc/*/environ
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title
|
||||
# Global Variables: $MACPEAS, $NoEnvVars, $EnvVarsRed
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
if [ -z "$MACPEAS" ]; then
|
||||
print_2title "Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars"
|
||||
cat /proc/[0-9]*/environ 2>/dev/null | \
|
||||
tr '\0' '\n' | \
|
||||
grep -Eiv "$NoEnvVars" | \
|
||||
sort -u | \
|
||||
sed -${E} "s,$EnvVarsRed,${SED_RED},g"
|
||||
fi
|
||||
@@ -8,25 +8,19 @@
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid, $pids
|
||||
# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_DNS, $local_pid
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
check_dns(){
|
||||
local TIMEOUT_INTERNET_SECONDS_DNS=$1
|
||||
if ! [ -f "/bin/bash" ]; then
|
||||
echo " /bin/bash not found"
|
||||
return
|
||||
fi
|
||||
|
||||
/bin/bash -c '
|
||||
for ip in 1.1.1.1 8.8.8.8 ; do
|
||||
(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/$ip/53 && echo "DNS available" && exit 0) &
|
||||
pids+=($!)
|
||||
done
|
||||
for pid in ${pids[@]}; do
|
||||
wait $pid && exit 0
|
||||
done
|
||||
echo "DNS not available"
|
||||
' 2>/dev/null | grep "available" || echo "DNS not available"
|
||||
# example.com
|
||||
(bash -c '((( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS accessible") | grep "accessible" && exit 0 ) 2>/dev/null || echo "DNS is not accessible"') & local_pid=$!
|
||||
|
||||
sleep $TIMEOUT_INTERNET_SECONDS_DNS && kill -9 $local_pid 2>/dev/null && echo "DNS is not accessible"
|
||||
}
|
||||
@@ -8,11 +8,20 @@
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_ICMP, $local_pid
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
check_icmp(){
|
||||
(ping -c 1 1.1.1.1 | grep -E "1 received|1 packets received" && echo "Ping is available" || echo "Ping is not available" 2>/dev/null) | grep -i "available"
|
||||
local TIMEOUT_INTERNET_SECONDS_ICMP=$1
|
||||
if ! [ "$(command -v ping 2>/dev/null || echo -n '')" ]; then
|
||||
echo " ping not found"
|
||||
return
|
||||
fi
|
||||
|
||||
# example.com
|
||||
((ping -c 1 1.1.1.1 2>/dev/null | grep -Ei "1 received|1 packets received" && echo "ICMP is accessible" || echo "ICMP is not accessible" 2>/dev/null) | grep "accessible" && exit 0 ) 2>/dev/null || echo "ICMP is not accessible" & local_pid=$!
|
||||
|
||||
sleep $TIMEOUT_INTERNET_SECONDS_ICMP && kill -9 $local_pid 2>/dev/null && echo "ICMP is not accessible"
|
||||
}
|
||||
@@ -8,30 +8,21 @@
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid, $pids
|
||||
# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_443
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
|
||||
check_tcp_443(){
|
||||
local TIMEOUT_INTERNET_SECONDS_443=$1
|
||||
if ! [ -f "/bin/bash" ]; then
|
||||
echo " /bin/bash not found"
|
||||
return
|
||||
fi
|
||||
|
||||
/bin/bash -c '
|
||||
for ip in 1.1.1.1 8.8.8.8; do
|
||||
(echo >/dev/tcp/$ip/443 && echo "Port 443 is accessible" && exit 0) &
|
||||
pids+=($!)
|
||||
done
|
||||
for pid in ${pids[@]}; do
|
||||
wait $pid && exit 0
|
||||
done
|
||||
echo "Port 80 is not accessible"
|
||||
' 2>/dev/null | grep "accessible" || echo "Port 80 is not accessible"
|
||||
# example.com
|
||||
(bash -c '(echo >/dev/tcp/104.18.74.230/443 2>/dev/null && echo "Port 443 is accessible" && exit 0) 2>/dev/null || echo "Port 443 is not accessible"') & local_pid=$!
|
||||
|
||||
sleep $TIMEOUT_INTERNET_SECONDS_443 && kill -9 $local_pid 2>/dev/null && echo "Port 443 is not accessible"
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -8,16 +8,39 @@
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Generated Global Variables: $url_lambda, $TIMEOUT_INTERNET_SECONDS_443_BIN
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
check_tcp_443_bin () {
|
||||
local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
|
||||
local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
|
||||
|
||||
check_tcp_443_bin(){
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
curl -s "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 && echo "Port 443 is accessible with curl" || echo "Port 443 is not accessible with curl"
|
||||
if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
|
||||
-H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with curl"
|
||||
return 0 # ✅ success
|
||||
else
|
||||
echo "Port 443 is not accessible with curl"
|
||||
return 1
|
||||
fi
|
||||
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 && echo "Port 443 is accessible with wget" || echo "Port 443 is not accessible with wget"
|
||||
if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
|
||||
--header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with wget"
|
||||
return 0
|
||||
else
|
||||
echo "Port 443 is not accessible with wget"
|
||||
return 1
|
||||
fi
|
||||
|
||||
else
|
||||
echo "Neither curl nor wget available"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8,25 +8,21 @@
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid, $pids
|
||||
# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_80
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
|
||||
check_tcp_80(){
|
||||
local TIMEOUT_INTERNET_SECONDS_80=$1
|
||||
if ! [ -f "/bin/bash" ]; then
|
||||
echo " /bin/bash not found"
|
||||
return
|
||||
fi
|
||||
|
||||
/bin/bash -c '
|
||||
for ip in 1.1.1.1 8.8.8.8; do
|
||||
(echo >/dev/tcp/$ip/80 && echo "Port 80 is accessible" && exit 0) &
|
||||
pids+=($!)
|
||||
done
|
||||
for pid in ${pids[@]}; do
|
||||
wait $pid && exit 0
|
||||
done
|
||||
echo "Port 80 is not accessible"
|
||||
' 2>/dev/null | grep "accessible"
|
||||
# example.com
|
||||
(bash -c '(echo >/dev/tcp/104.18.74.230/80 2>/dev/null && echo "Port 80 is accessible" && exit 0) 2>/dev/null || echo "Port 80 is not accessible"') & local_pid=$!
|
||||
|
||||
sleep $TIMEOUT_INTERNET_SECONDS_80 && kill -9 $local_pid 2>/dev/null && echo "Port 80 is not accessible"
|
||||
}
|
||||
18
linPEAS/builder/linpeas_parts/variables/EnvVarsRed.sh
Normal file
18
linPEAS/builder/linpeas_parts/variables/EnvVarsRed.sh
Normal file
@@ -0,0 +1,18 @@
|
||||
# Title: Variables - EnvVarsRed
|
||||
# ID: EnvVarsRed
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 26-05-2025
|
||||
# Description: Useless env vars
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $EnvVarsRed
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
EnvVarsRed="[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME|[aA][pP][iI][_][kK][eE][yY]|[aA][wW][sS]|[aA][zZ][uU][rR][eE]|[gG][cC][pP]|[aA][pP][iI]|[sS][eE][cC][rR][eE][tT]|[sS][qQ][lL]|[dD][aA][tT][aA][bB][aA][sS][eE]|[tT][oO][kK][eE][nN]"
|
||||
|
||||
|
||||
16
linPEAS/builder/linpeas_parts/variables/NoEnvVars.sh
Normal file
16
linPEAS/builder/linpeas_parts/variables/NoEnvVars.sh
Normal file
@@ -0,0 +1,16 @@
|
||||
# Title: Variables - NoEnvVars
|
||||
# ID: NoEnvVars
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 26-05-2025
|
||||
# Description: Useless env vars
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used:
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $NoEnvVars
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
NoEnvVars="LESS_TERMCAP|JOURNAL_STREAM|XDG_SESSION|DBUS_SESSION|systemd\/sessions|systemd_exec|MEMORY_PRESSURE_WATCH|RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_|^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID="
|
||||
@@ -97,7 +97,7 @@ class LinpeasBuilder:
|
||||
for orig_url in urls:
|
||||
tar_gz_bin_name = ""
|
||||
if ",,," in orig_url:
|
||||
tar_gz_bin_name = url.split(",,,")[1]
|
||||
tar_gz_bin_name = orig_url.split(",,,")[1]
|
||||
url = orig_url.split(",,,")[0]
|
||||
else:
|
||||
url = orig_url
|
||||
|
||||
@@ -512,7 +512,7 @@ namespace winPEAS.Checks
|
||||
}
|
||||
else if (!string.IsNullOrEmpty(resolutionInfo.Error))
|
||||
{
|
||||
Beaprint.BadPrint($" {resolutionInfo.Error}");
|
||||
Beaprint.PrintException($" {resolutionInfo.Error}");
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
|
||||
@@ -81,7 +81,7 @@ namespace winPEAS.Helpers
|
||||
/---------------------------------------------------------------------------------\
|
||||
| {1}Do you like PEASS?{0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz {0} |
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz {0} |
|
||||
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
||||
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
|
||||
@@ -195,11 +195,11 @@ namespace winPEAS.Info.ProcessInfo
|
||||
continue;
|
||||
|
||||
List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
|
||||
IdentityReference sid = null;
|
||||
try
|
||||
{
|
||||
System.Security.AccessControl.FileSecurity fs = System.IO.File.GetAccessControl(sFilePath);
|
||||
IdentityReference sid = fs.GetOwner(typeof(SecurityIdentifier));
|
||||
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
|
||||
sid = fs.GetOwner(typeof(SecurityIdentifier));
|
||||
|
||||
// If current user already have permissions over that file or the proc belongs to the owner of the file,
|
||||
// handler not interesting to elevate privs
|
||||
@@ -207,6 +207,8 @@ namespace winPEAS.Info.ProcessInfo
|
||||
continue;
|
||||
|
||||
to_add["File Path"] = sFilePath;
|
||||
|
||||
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
|
||||
to_add["File Owner"] = ownerName;
|
||||
}
|
||||
catch (System.IO.FileNotFoundException)
|
||||
@@ -218,7 +220,10 @@ namespace winPEAS.Info.ProcessInfo
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
catch (System.Security.Principal.IdentityNotMappedException)
|
||||
{
|
||||
to_add["File Owner"] = sid.ToString();
|
||||
}
|
||||
}
|
||||
|
||||
else if (typeName == "key")
|
||||
|
||||
Reference in New Issue
Block a user