Fix Systemd module generated vars metadata

Co-authored-by: HackTricks PEASS Autoimprover <peass-autoimprover@hacktricks.xyz>

.github/workflows/codex-pr-triage.yml

@@ -28,6 +28,7 @@ jobs:
       - name: Resolve PR context
         id: gate
         env:
+          GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}
         run: |
           pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"

.github/workflows/pr-failure-codex-dispatch.yml

@@ -90,7 +90,7 @@ jobs:
         run: |
           gh api -X POST -H "Accept: application/vnd.github+json" \
             /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels \
-            -f labels='["codex-fix-attempted"]'
+            -f labels[]=codex-fix-attempted
 
       - name: Checkout PR head
         uses: actions/checkout@v5

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -30,11 +30,33 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks, $label, $sysctl_path, $sysctl_var, $zero_color, $nonzero_color, $sysctl_value
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
+print_sysctl_eq_zero() {
+    local label="$1"
+    local sysctl_path="$2"
+    local sysctl_var="$3"
+    local zero_color="$4"
+    local nonzero_color="$5"
+    local sysctl_value
+
+    print_list "$label" "$NC"
+    sysctl_value=$(cat "$sysctl_path" 2>/dev/null)
+    eval "$sysctl_var=\$sysctl_value"
+    if [ -z "$sysctl_value" ]; then
+        echo_not_found "$sysctl_path"
+    else
+        if [ "$sysctl_value" -eq 0 ]; then
+            echo "0" | sed -${E} "s,0,${zero_color},"
+        else
+            echo "$sysctl_value" | sed -${E} "s,.*,${nonzero_color},g"
+        fi
+    fi
+}
+
 #-- SY) AppArmor
 print_2title "Protections"
 print_list "AppArmor enabled? .............. "$NC
@@ -81,67 +103,25 @@ print_list "User namespace? ................ "$NC
 if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
 
 #-- SY) Unprivileged user namespaces
-print_list "unpriv_userns_clone? ........... "$NC
-unpriv_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
-if [ -z "$unpriv_userns_clone" ]; then
-    echo_not_found "/proc/sys/kernel/unprivileged_userns_clone"
-else
-    if [ "$unpriv_userns_clone" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_GREEN},"; else echo "$unpriv_userns_clone" | sed -${E} "s,.*,${SED_RED},g"; fi
-fi
+print_sysctl_eq_zero "unpriv_userns_clone? ........... " "/proc/sys/kernel/unprivileged_userns_clone" "unpriv_userns_clone" "$SED_GREEN" "$SED_RED"
 
 #-- SY) Unprivileged eBPF
-print_list "unpriv_bpf_disabled? ........... "$NC
-unpriv_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
-if [ -z "$unpriv_bpf_disabled" ]; then
-    echo_not_found "/proc/sys/kernel/unprivileged_bpf_disabled"
-else
-    if [ "$unpriv_bpf_disabled" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$unpriv_bpf_disabled" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "unpriv_bpf_disabled? ........... " "/proc/sys/kernel/unprivileged_bpf_disabled" "unpriv_bpf_disabled" "$SED_RED" "$SED_GREEN"
 
 #-- SY) cgroup2
 print_list "Cgroup2 enabled? ............... "$NC
 ([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
 
 #-- SY) Kernel hardening sysctls
-print_list "kptr_restrict? ................. "$NC
-kptr_restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null)
-if [ -z "$kptr_restrict" ]; then
-    echo_not_found "/proc/sys/kernel/kptr_restrict"
-else
-    if [ "$kptr_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$kptr_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "kptr_restrict? ................. " "/proc/sys/kernel/kptr_restrict" "kptr_restrict" "$SED_RED" "$SED_GREEN"
 
-print_list "dmesg_restrict? ................ "$NC
-dmesg_restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)
-if [ -z "$dmesg_restrict" ]; then
-    echo_not_found "/proc/sys/kernel/dmesg_restrict"
-else
-    if [ "$dmesg_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$dmesg_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "dmesg_restrict? ................ " "/proc/sys/kernel/dmesg_restrict" "dmesg_restrict" "$SED_RED" "$SED_GREEN"
 
-print_list "ptrace_scope? .................. "$NC
-ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)
-if [ -z "$ptrace_scope" ]; then
-    echo_not_found "/proc/sys/kernel/yama/ptrace_scope"
-else
-    if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "ptrace_scope? .................. " "/proc/sys/kernel/yama/ptrace_scope" "ptrace_scope" "$SED_RED" "$SED_GREEN"
 
-print_list "protected_symlinks? ............ "$NC
-protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
-if [ -z "$protected_symlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_symlinks"
-else
-    if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "protected_symlinks? ............ " "/proc/sys/fs/protected_symlinks" "protected_symlinks" "$SED_RED" "$SED_GREEN"
 
-print_list "protected_hardlinks? ........... "$NC
-protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
-if [ -z "$protected_hardlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_hardlinks"
-else
-    if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "protected_hardlinks? ........... " "/proc/sys/fs/protected_hardlinks" "protected_hardlinks" "$SED_RED" "$SED_GREEN"
 
 print_list "perf_event_paranoid? ........... "$NC
 perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
@@ -151,13 +131,7 @@ else
     if [ "$perf_event_paranoid" -le 1 ]; then echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_RED},g"; else echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_GREEN},g"; fi
 fi
 
-print_list "mmap_min_addr? ................. "$NC
-mmap_min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
-if [ -z "$mmap_min_addr" ]; then
-    echo_not_found "/proc/sys/vm/mmap_min_addr"
-else
-    if [ "$mmap_min_addr" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$mmap_min_addr" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "mmap_min_addr? ................. " "/proc/sys/vm/mmap_min_addr" "mmap_min_addr" "$SED_RED" "$SED_GREEN"
 
 print_list "lockdown mode? ................. "$NC
 if [ -f "/sys/kernel/security/lockdown" ]; then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh

@@ -17,7 +17,7 @@
 # Functions Used: print_2title, print_list, echo_not_found
 # Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
 # Initial Functions:
-# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
+# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -116,18 +116,20 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
                 # Check ExecStart paths
                 grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | 
                 while read -r exec_line; do
-                    # Extract the first word after ExecStart* as the command
-                    cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
-                    # Extract the rest as arguments
-                    args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
+                    # Extract command from the right side of Exec*=, not from argv
+                    exec_value="${exec_line#*=}"
+                    exec_value=$(echo "$exec_value" | sed 's/^[[:space:]]*//')
+                    cmd=$(echo "$exec_value" | awk '{print $1}' | tr -d '"')
+                    # Strip systemd command prefixes (-, @, :, +, !) before path checks
+                    cmd_path=$(echo "$cmd" | sed -E 's/^[-@:+!]+//')
                     
                     # Only check the command path, not arguments
-                    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
-                        echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ -w "$cmd_path" ]; then
+                        echo "$service: $cmd_path (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
                     fi
                     # Check for relative paths only in the command, not arguments
-                    if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
-                        echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ "${cmd_path#/}" = "$cmd_path" ] && [ "${cmd_path#\$}" = "$cmd_path" ]; then
+                        echo "$service: Uses relative path '$cmd_path' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
                     fi
                 done
             fi
@@ -153,4 +155,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     fi
 
     echo ""
-fi
+fi

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -524,7 +524,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Looking for documents --limit 100--");
                 List<string> docFiles = InterestingFiles.InterestingFiles.ListUsersDocs();
-                Beaprint.ListPrint(docFiles.GetRange(0, docFiles.Count <= 100 ? docFiles.Count : 100));
+                Beaprint.ListPrint(MyUtils.GetLimitedRange(docFiles, 100));
             }
             catch (Exception ex)
             {
@@ -546,7 +546,7 @@ namespace winPEAS.Checks
 
                 if (recFiles.Count != 0)
                 {
-                    foreach (Dictionary<string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70))
+                    foreach (Dictionary<string, string> recF in MyUtils.GetLimitedRange(recFiles, 70))
                     {
                         Beaprint.AnsiPrint("    " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
                     }

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

@@ -348,8 +348,7 @@ namespace winPEAS.Checks
                 Beaprint.MainPrint("DNS cached --limit 70--");
                 Beaprint.GrayPrint(string.Format("    {0,-38}{1,-38}{2}", "Entry", "Name", "Data"));
                 List<Dictionary<string, string>> DNScache = NetworkInfoHelper.GetDNSCache();
-                foreach (Dictionary<string, string> entry in DNScache.GetRange(0,
-                    DNScache.Count <= 70 ? DNScache.Count : 70))
+                foreach (Dictionary<string, string> entry in MyUtils.GetLimitedRange(DNScache, 70))
                 {
                     Console.WriteLine($"    {entry["Entry"],-38}{entry["Name"],-38}{entry["Data"]}");
                 }

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -21,6 +21,11 @@ namespace winPEAS.Helpers
                 ""); //To get the default object you need to use an empty string
         }
 
+        public static List<T> GetLimitedRange<T>(List<T> items, int limit)
+        {
+            return items.GetRange(0, Math.Min(items.Count, limit));
+        }
+
         ////////////////////////////////////
         /////// MISC - Files & Paths ///////
         ////////////////////////////////////

winPEAS/winPEASps1/winPEAS.ps1

@@ -1677,7 +1677,7 @@ if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
+Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens"
 Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege"
 Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
 Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow