Compare commits


11 Commits

Author SHA1 Message Date
SirBroccoli
4e556fd594 Fix variable reference when parsing URLs 2025-06-06 00:01:17 +02:00
SirBroccoli
c3a93a57fe Merge pull request #473 from Signum21/master
Fix IdentityNotMappedException in Vulnerable Leaked Handlers
2025-05-31 22:36:49 +02:00
Signum21
f62d9fc550 Fix System.Security.Principal.IdentityNotMappedException in Vulnerable Leaked Handlers 2025-05-31 04:56:14 +02:00
SirBroccoli
11e9b8dde6 Merge pull request #472 from Jack-Vaughn/NoEnvVars-Update
Add 4 noisy environment variables to NoEnvVars.sh
2025-05-26 23:57:40 +02:00
Jack Vaughn
b9a9ad5ddf Add 4 noisy and useless environment variables to NoEnvVars.sh
These variables (^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID=) frequently appear across processes 
on busy systems (10+ each on tested system) and produce a large volume of irrelevant output
2025-05-25 21:32:51 -04:00
carlospolop
88f08a405e l 2025-05-26 02:55:07 +02:00
SirBroccoli
322792c4ec Merge pull request #471 from Jack-Vaughn/environ-check
Add module to check for sensitive environment variables via /proc/*/environ
2025-05-26 02:33:43 +02:00
Jack
c150e63b52 This module scans /proc/*/environ for potentially sensitive environment variables on Linux systems.
It targets common keywords like token, password, secret, AWS, API, etc.

Uses 'tr' instead of 'strings' to improve compatibility in minimal environments like containers.

The check is skipped entirely on MacPEAS.
2025-05-25 12:55:34 -04:00
carlospolop
7b8dcfbe8d f 2025-05-25 08:17:07 +02:00
carlospolop
aac3667247 f l 2025-05-25 08:15:48 +02:00
carlospolop
64ab193d25 f linpeas 2025-05-25 07:05:48 +02:00
13 changed files with 142 additions and 62 deletions


@@ -26,7 +26,7 @@
# License: GNU GPL # License: GNU GPL
# Version: 1.0 # Version: 1.0
# Functions Used: echo_not_found, print_2title, print_info # Functions Used: echo_not_found, print_2title, print_info
# Global Variables: # Global Variables: $NoEnvVars, $EnvVarsRed
# Initial Functions: # Initial Functions:
# Generated Global Variables: # Generated Global Variables:
# Fat linpeas: 0 # Fat linpeas: 0
@@ -35,5 +35,5 @@
print_2title "Environment" print_2title "Environment"
print_info "Any private information inside environment variables?" print_info "Any private information inside environment variables?"
(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set" (env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
echo "" echo ""
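Review bot: `grep -Eiv "$NoEnvVars"` on the new side silently empties the whole listing if `NoEnvVars` is unset or empty, because an empty pattern matches every line and `-v` then selects none; the trailing `|| echo_not_found` does not notice, since it only sees sed's exit status. A one-token default keeps the output intact in that case: `grep -Eiv "${NoEnvVars:-^\$}"`. The `-i` is also new here (the removed inline filter was case-sensitive), so anchored entries such as `^C=`, `^B=` and `^Y=` now hide their lowercase namesakes too — probably intended, but worth a line in the header comment now that the pattern lives in a separate module.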


@@ -8,7 +8,7 @@
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname # Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $pid5, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS # Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 0 # Small linpeas: 0
@@ -19,24 +19,30 @@ print_2title "Internet Access?"
TIMEOUT_INTERNET_SECONDS=5 TIMEOUT_INTERNET_SECONDS=5
if [ "$SUPERFAST" ]; then if [ "$SUPERFAST" ]; then
TIMEOUT_INTERNET_SECONDS=2 TIMEOUT_INTERNET_SECONDS=2.5
fi fi
# Run all checks in background # Run all checks in background
check_tcp_80 2>/dev/null & pid1=$! check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$!
check_tcp_443 2>/dev/null & pid2=$! check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
check_tcp_443_bin 2>/dev/null & pid3=$! check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
check_icmp 2>/dev/null & pid4=$! check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
check_dns 2>/dev/null & pid5=$!
# Kill all after 10 seconds # Kill all after 10 seconds
(sleep $TIMEOUT_INTERNET_SECONDS && kill -9 $pid1 $pid2 $pid3 $pid4 $pid5 2>/dev/null) & (sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
tcp443_bin_status=$?
wait $pid1 $pid2 $pid3 $pid4 2>/dev/null
# Wait for all to finish # Wait for all to finish
wait $pid1 $pid2 $pid3 $pid4 $pid5 2>/dev/null wait 2>/dev/null
if ! [ "$SUPERFAST" ] && ! [ "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then if [ "$tcp443_bin_status" -eq 0 ] && \
[ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
echo "" echo ""
print_2title "Is hostname malicious or leaked?" print_2title "Is hostname malicious or leaked?"
print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host." print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
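Review bot: `TIMEOUT_INTERNET_SECONDS=2.5` in the SUPERFAST branch breaks the backstop a few lines below it: shell arithmetic is integer-only, so `$(( $TIMEOUT_INTERNET_SECONDS + 1 ))` is an arithmetic error in bash and dash alike, the `sleep` never starts and `kill -9 $pid1 $pid2 $pid3 $pid4` is lost in exactly the mode that is meant to be fast. Keep the value integral (`TIMEOUT_INTERNET_SECONDS=2`) or drop the fraction before adding, `sleep $(( ${TIMEOUT_INTERNET_SECONDS%.*} + 1 ))`; `sleep 2.5` itself is GNU/busybox behaviour rather than POSIX. Two smaller things: the header's `$$tcp443_bin_status` has a doubled `$`, and the bare `wait 2>/dev/null` after the explicit one also waits for the killer subshell, so the section always takes at least TIMEOUT+1 seconds even when every probe answered immediately.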


@@ -0,0 +1,22 @@
# Title: Interesting Files - Interesting Environment Variables
# ID: IF_Interesting_environment_variables
# Author: Jack Vaughn
# Last Update: 25-05-2025
# Description: Searching possible sensitive environment variables inside of /proc/*/environ
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title
# Global Variables: $MACPEAS, $NoEnvVars, $EnvVarsRed
# Initial Functions:
# Generated Global Variables:
# Fat linpeas: 0
# Small linpeas: 1
if [ -z "$MACPEAS" ]; then
print_2title "Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars"
cat /proc/[0-9]*/environ 2>/dev/null | \
tr '\0' '\n' | \
grep -Eiv "$NoEnvVars" | \
sort -u | \
sed -${E} "s,$EnvVarsRed,${SED_RED},g"
fi
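Review bot: When no `/proc/[0-9]*/environ` is readable — for an unprivileged user that typically means only their own processes, other users' environ being gated by ptrace access checks — the `2>/dev/null` swallows every error and the section prints its title followed by nothing, which is indistinguishable from "nothing sensitive found". Capture the result and report the empty case: `envs="$(cat /proc/[0-9]*/environ 2>/dev/null | tr '\0' '\n' | grep -Eiv "$NoEnvVars" | sort -u)"`, then `[ -n "$envs" ] && printf '%s\n' "$envs" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "readable /proc/*/environ"` (and add `echo_not_found` to the header's Functions Used). The same `grep -Eiv` hides every line if `NoEnvVars` is empty, so the `$NoEnvVars` dependency declared in the header is load-bearing rather than informational; `${NoEnvVars:-^\$}` makes it safe. `$SED_RED` and `$E` are used but not listed under Global Variables.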


@@ -8,25 +8,19 @@
# Functions Used: # Functions Used:
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: $pid, $pids # Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_DNS, $local_pid
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 1 # Small linpeas: 1
check_dns(){ check_dns(){
local TIMEOUT_INTERNET_SECONDS_DNS=$1
if ! [ -f "/bin/bash" ]; then if ! [ -f "/bin/bash" ]; then
echo " /bin/bash not found" echo " /bin/bash not found"
return return
fi fi
/bin/bash -c ' # example.com
for ip in 1.1.1.1 8.8.8.8 ; do (bash -c '((( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS accessible") | grep "accessible" && exit 0 ) 2>/dev/null || echo "DNS is not accessible"') & local_pid=$!
(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/$ip/53 && echo "DNS available" && exit 0) &
pids+=($!) sleep $TIMEOUT_INTERNET_SECONDS_DNS && kill -9 $local_pid 2>/dev/null && echo "DNS is not accessible"
done
for pid in ${pids[@]}; do
wait $pid && exit 0
done
echo "DNS not available"
' 2>/dev/null | grep "available" || echo "DNS not available"
} }
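Review bot: The `# example.com` comment above the probe does not match the payload: the hex query `0a 64 75 63 6b 64 75 63 6b 67 6f 03 63 6f 6d` encodes `duckduckgo.com` (a length-10 label followed by `com`), so the comment should read `# A-record query for duckduckgo.com sent to 1.1.1.1:53 over /dev/udp`. The guard two lines earlier tests `-f /bin/bash` but the probe then invokes `bash -c` from `$PATH`, so a host with a different `bash` first in PATH passes the check and still misbehaves; use `/bin/bash -c` as the removed version did. After a fast answer, `sleep … && kill -9 $local_pid && echo "DNS is not accessible"` can still fire if the shell has not reaped the finished child (kill on a zombie succeeds), printing both messages; I could not confirm which behaviour the sh used here shows, but deciding on `wait $local_pid` instead of on kill's exit status avoids the race either way.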


@@ -8,11 +8,20 @@
# Functions Used: # Functions Used:
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: # Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_ICMP, $local_pid
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 1 # Small linpeas: 1
check_icmp(){ check_icmp(){
(ping -c 1 1.1.1.1 | grep -E "1 received|1 packets received" && echo "Ping is available" || echo "Ping is not available" 2>/dev/null) | grep -i "available" local TIMEOUT_INTERNET_SECONDS_ICMP=$1
if ! [ "$(command -v ping 2>/dev/null || echo -n '')" ]; then
echo " ping not found"
return
fi
# example.com
((ping -c 1 1.1.1.1 2>/dev/null | grep -Ei "1 received|1 packets received" && echo "ICMP is accessible" || echo "ICMP is not accessible" 2>/dev/null) | grep "accessible" && exit 0 ) 2>/dev/null || echo "ICMP is not accessible" & local_pid=$!
sleep $TIMEOUT_INTERNET_SECONDS_ICMP && kill -9 $local_pid 2>/dev/null && echo "ICMP is not accessible"
} }
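Review bot: `ping -c 1 1.1.1.1` carries no deadline of its own, so on a host that silently drops ICMP the probe sits until the trailing `sleep … && kill -9` fires; give ping the timeout directly, `ping -c 1 -W "$TIMEOUT_INTERNET_SECONDS_ICMP" 1.1.1.1`, so the function returns as soon as the reply window closes (`-W` is seconds on iputils and busybox but milliseconds on macOS, so guard it with `$MACPEAS` if this module runs there). The `# example.com` comment is wrong — the target is 1.1.1.1 — and should say so. The availability test `if ! [ "$(command -v ping 2>/dev/null || echo -n '')" ]` is an awkward spelling of `if ! command -v ping >/dev/null 2>&1; then`, the form check_tcp_443_bin in this same change already uses; and the `2>/dev/null` attached to `echo "ICMP is not accessible"` is a no-op.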


@@ -8,30 +8,21 @@
# Functions Used: # Functions Used:
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: $pid, $pids # Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_443
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 1 # Small linpeas: 1
check_tcp_443(){ check_tcp_443(){
local TIMEOUT_INTERNET_SECONDS_443=$1
if ! [ -f "/bin/bash" ]; then if ! [ -f "/bin/bash" ]; then
echo " /bin/bash not found" echo " /bin/bash not found"
return return
fi fi
/bin/bash -c ' # example.com
for ip in 1.1.1.1 8.8.8.8; do (bash -c '(echo >/dev/tcp/104.18.74.230/443 2>/dev/null && echo "Port 443 is accessible" && exit 0) 2>/dev/null || echo "Port 443 is not accessible"') & local_pid=$!
(echo >/dev/tcp/$ip/443 && echo "Port 443 is accessible" && exit 0) &
pids+=($!) sleep $TIMEOUT_INTERNET_SECONDS_443 && kill -9 $local_pid 2>/dev/null && echo "Port 443 is not accessible"
done
for pid in ${pids[@]}; do
wait $pid && exit 0
done
echo "Port 443 is not accessible"
' 2>/dev/null | grep "accessible" || echo "Port 443 is not accessible"
} }
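Review bot: After a fast answer the tail `sleep … && kill -9 $local_pid 2>/dev/null && echo "Port 443 is not accessible"` still decides on kill's exit status: if the shell has not yet reaped the finished child, kill on the zombie succeeds and "not accessible" is printed after "accessible"; if it has, and the PID was recycled, the `-9` lands on an unrelated process of the same user. I could not verify which of the two the sh used here exhibits, but keying the verdict on `wait $local_pid` rather than on kill sidesteps both, as in the rewrite below (which also uses `/bin/bash` to match the `-f /bin/bash` guard, unlike the current `bash -c` from `$PATH`); `$killer_pid` would need adding to the header's Generated Global Variables. Separately, `# example.com` annotates a bare address in a Cloudflare CDN range, 104.18.74.230, that replaces the two anycast resolvers the removed code tried; record which hostname it was resolved from so it can be re-checked when it stops answering.

```shell
(/bin/bash -c 'echo >/dev/tcp/104.18.74.230/443 2>/dev/null && echo "Port 443 is accessible"') & local_pid=$!
(sleep "$TIMEOUT_INTERNET_SECONDS_443" && kill -9 $local_pid 2>/dev/null) & killer_pid=$!
wait $local_pid 2>/dev/null || echo "Port 443 is not accessible"
kill $killer_pid 2>/dev/null
```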


@@ -8,16 +8,39 @@
# Functions Used: # Functions Used:
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: # Generated Global Variables: $url_lambda, $TIMEOUT_INTERNET_SECONDS_443_BIN
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 1 # Small linpeas: 1
check_tcp_443_bin () { check_tcp_443_bin () {
local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
if command -v curl >/dev/null 2>&1; then if command -v curl >/dev/null 2>&1; then
curl -s "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 && echo "Port 443 is accessible with curl" || echo "Port 443 is not accessible with curl" if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
then
echo "Port 443 is accessible with curl"
return 0 # ✅ success
else
echo "Port 443 is not accessible with curl"
return 1
fi
elif command -v wget >/dev/null 2>&1; then elif command -v wget >/dev/null 2>&1; then
wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 && echo "Port 443 is accessible with wget" || echo "Port 443 is not accessible with wget" if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
--header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
then
echo "Port 443 is accessible with wget"
return 0
else
echo "Port 443 is not accessible with wget"
return 1
fi
else
echo "Neither curl nor wget available"
return 1
fi fi
} }
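Review bot: `--connect-timeout` on the curl branch only bounds the TCP/TLS handshake; curl has no default transfer timeout, and since the caller runs this function in the foreground (outside its `sleep && kill -9` backstop), a server that accepts the connection and never answers stalls the whole Internet section. Add `--max-time "$TIMEOUT_INTERNET_SECONDS_443_BIN"` beside `--connect-timeout`; wget's `--timeout` already covers read time, so that branch is fine. The request is also a beacon to a third-party Lambda URL with `User-Agent: linpeas`, which is an OpSec consideration on an engagement and, per the caller, runs even when `NOT_CHECK_EXTERNAL_HOSTNAME` is set (that flag only suppresses the hostname lookup that follows); the header deserves `# Sends an HTTPS request to an external PEASS endpoint; honour NOT_CHECK_EXTERNAL_HOSTNAME here as well to stay quiet` and ideally the same opt-out. Drop the `# ✅ success` marker — it is the only emoji comment in these modules and adds nothing over `return 0`.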


@@ -8,25 +8,21 @@
# Functions Used: # Functions Used:
# Global Variables: # Global Variables:
# Initial Functions: # Initial Functions:
# Generated Global Variables: $pid, $pids # Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_80
# Fat linpeas: 0 # Fat linpeas: 0
# Small linpeas: 1 # Small linpeas: 1
check_tcp_80(){ check_tcp_80(){
local TIMEOUT_INTERNET_SECONDS_80=$1
if ! [ -f "/bin/bash" ]; then if ! [ -f "/bin/bash" ]; then
echo " /bin/bash not found" echo " /bin/bash not found"
return return
fi fi
/bin/bash -c ' # example.com
for ip in 1.1.1.1 8.8.8.8; do (bash -c '(echo >/dev/tcp/104.18.74.230/80 2>/dev/null && echo "Port 80 is accessible" && exit 0) 2>/dev/null || echo "Port 80 is not accessible"') & local_pid=$!
(echo >/dev/tcp/$ip/80 && echo "Port 80 is accessible" && exit 0) &
pids+=($!) sleep $TIMEOUT_INTERNET_SECONDS_80 && kill -9 $local_pid 2>/dev/null && echo "Port 80 is not accessible"
done
for pid in ${pids[@]}; do
wait $pid && exit 0
done
echo "Port 80 is not accessible"
' 2>/dev/null | grep "accessible"
} }
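Review bot: The guard tests `-f /bin/bash` but the probe runs `bash -c` from `$PATH`, so the two can disagree (a different `bash` first in PATH); the removed version invoked `/bin/bash -c` and the new line should too. `local_pid=$!` is assigned without `local` while `TIMEOUT_INTERNET_SECONDS_80` on the line above gets it, which is why the header must declare `$local_pid` as a generated global; `local local_pid` keeps the function self-contained if it is ever called outside the background-subshell pattern the caller uses. As in the sibling probes, `# example.com` sits over a hard-coded 104.18.74.230, so either name the host the address was resolved from or drop the comment.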


@@ -0,0 +1,18 @@
# Title: Variables - EnvVarsRed
# ID: EnvVarsRed
# Author: Carlos Polop
# Last Update: 26-05-2025
# Description: Useless env vars
# License: GNU GPL
# Version: 1.0
# Functions Used:
# Global Variables:
# Initial Functions:
# Generated Global Variables: $EnvVarsRed
# Fat linpeas: 0
# Small linpeas: 1
EnvVarsRed="[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME|[aA][pP][iI][_][kK][eE][yY]|[aA][wW][sS]|[aA][zZ][uU][rR][eE]|[gG][cC][pP]|[aA][pP][iI]|[sS][eE][cC][rR][eE][tT]|[sS][qQ][lL]|[dD][aA][tT][aA][bB][aA][sS][eE]|[tT][oO][kK][eE][nN]"
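Review bot: The alternation lists `[aA][pP][iI][_][kK][eE][yY]` twice, and `[aA][pP][iI]` already matches every string `apikey`/`api_key` match, so three of the thirteen terms are dead weight; since this is a highlight-only regex the cost is readability rather than missed hits. Trimmed: `EnvVarsRed="[pP][aA][sS][sS][wW]|[aA][pP][iI]|KRB5CCNAME|[aA][wW][sS]|[aA][zZ][uU][rR][eE]|[gG][cC][pP]|[sS][eE][cC][rR][eE][tT]|[sS][qQ][lL]|[dD][aA][tT][aA][bB][aA][sS][eE]|[tT][oO][kK][eE][nN]"`. Expect the unanchored `[aA][wW][sS]` and `[aA][pP][iI]` to colour fragments of ordinary words (`draws`, `rapid`) as well. The Description `Useless env vars` is copied from the NoEnvVars module and describes the opposite list; `Regex of name/value fragments to highlight as potentially sensitive` fits.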


@@ -0,0 +1,16 @@
# Title: Variables - NoEnvVars
# ID: NoEnvVars
# Author: Carlos Polop
# Last Update: 26-05-2025
# Description: Useless env vars
# License: GNU GPL
# Version: 1.0
# Functions Used:
# Global Variables:
# Initial Functions:
# Generated Global Variables: $NoEnvVars
# Fat linpeas: 0
# Small linpeas: 1
NoEnvVars="LESS_TERMCAP|JOURNAL_STREAM|XDG_SESSION|DBUS_SESSION|systemd\/sessions|systemd_exec|MEMORY_PRESSURE_WATCH|RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_|^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID="
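Review bot: `RELEVANT*` and `FIND*` are regexes, not globs — `T*`/`D*` mean "zero or more" — so under `grep -E` they drop every line containing `RELEVAN` or `FIN` anywhere, and with the callers' new `-i` that is case-insensitive, so variables such as `FINGERPRINT=`, `DEFINE_…=` or `FINAL_…=` vanish from both the `env` listing and the new `/proc/*/environ` scan. As far as I can tell the removed inline filter had the same text but ran under plain `grep`, where `|` is literal in a BRE and matched next to nothing, so this over-matching is new behaviour now that the alternation works. Anchor these to what they are presumably meant to hide, linpeas's own variables, e.g. `^RELEVANT[A-Z_]*=|^FIND[A-Z_]*=`; unanchored `TIMEOUT=`, `compiler=` and `sidG` likewise swallow any `*_TIMEOUT=` or `*COMPILER=`. The Description `Useless env vars` would read better as `Regex of env vars to hide from the environment listings`.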


@@ -97,7 +97,7 @@ class LinpeasBuilder:
for orig_url in urls: for orig_url in urls:
tar_gz_bin_name = "" tar_gz_bin_name = ""
if ",,," in orig_url: if ",,," in orig_url:
tar_gz_bin_name = url.split(",,,")[1] tar_gz_bin_name = orig_url.split(",,,")[1]
url = orig_url.split(",,,")[0] url = orig_url.split(",,,")[0]
else: else:
url = orig_url url = orig_url
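Review bot: The fix is right — `url` was read on the `,,,` branch before either assignment below it, so unless it was initialised earlier in the method the first such entry raised `UnboundLocalError` and later ones picked up the previous iteration's URL — but nothing pins it. A small test that feeds `["https://x/y.tar.gz,,,bin"]` through this loop and asserts `tar_gz_bin_name == "bin"` and `url == "https://x/y.tar.gz"` would have caught the original and prevents a recurrence. The loop belongs to a method whose start and end lie outside the hunk.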


@@ -195,11 +195,11 @@ namespace winPEAS.Info.ProcessInfo
continue; continue;
List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
IdentityReference sid = null;
try try
{ {
System.Security.AccessControl.FileSecurity fs = System.IO.File.GetAccessControl(sFilePath); System.Security.AccessControl.FileSecurity fs = System.IO.File.GetAccessControl(sFilePath);
IdentityReference sid = fs.GetOwner(typeof(SecurityIdentifier)); sid = fs.GetOwner(typeof(SecurityIdentifier));
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
// If current user already have permissions over that file or the proc belongs to the owner of the file, // If current user already have permissions over that file or the proc belongs to the owner of the file,
// handler not interesting to elevate privs // handler not interesting to elevate privs
@@ -207,6 +207,8 @@ namespace winPEAS.Info.ProcessInfo
continue; continue;
to_add["File Path"] = sFilePath; to_add["File Path"] = sFilePath;
string ownerName = sid.Translate(typeof(NTAccount)).ToString();
to_add["File Owner"] = ownerName; to_add["File Owner"] = ownerName;
} }
catch (System.IO.FileNotFoundException) catch (System.IO.FileNotFoundException)
@@ -218,7 +220,10 @@ namespace winPEAS.Info.ProcessInfo
{ {
continue; continue;
} }
catch (System.Security.Principal.IdentityNotMappedException)
{
to_add["File Owner"] = sid.ToString();
}
} }
else if (typeName == "key") else if (typeName == "key")
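Review bot: The new `catch (IdentityNotMappedException)` records `sid.ToString()` without saying why, and an owner SID that no longer maps to an account is itself a finding (deleted/orphaned account, or a domain this host can no longer resolve), so add `// Owner SID has no account mapping (deleted/orphaned account or unreachable domain): keep the raw SID, it is still worth reporting` above the assignment. Hoisting `sid` out of the `try` also exposes a null case: as I recall `FileSecurity.GetOwner` is documented to return null when the descriptor has no owner, and `sid.Translate(...)` would then throw `NullReferenceException`, which none of the visible handlers catch (the type of the `catch` that `continue`s is outside the hunk); a `if (sid is null) continue;` before the translate closes it. Inside the catch, `sid.Value` says more clearly than `ToString()` that the SDDL form is intended. The enclosing `try` and method both extend beyond the hunk.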