mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2026-02-12 07:36:35 +00:00
Compare commits
1 Commits
master
...
test/chack
| Author | SHA1 | Date | |
|---|---|---|---|
|
5158b2209c |
6
.github/workflows/chack-agent-pr-triage.yml
vendored
6
.github/workflows/chack-agent-pr-triage.yml
vendored
@@ -7,8 +7,7 @@ on:
|
||||
|
||||
jobs:
|
||||
chack_agent_triage:
|
||||
# Temporarily disabled by maintainer request.
|
||||
if: ${{ false && github.event.workflow_run.conclusion == 'success' }}
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
@@ -157,8 +156,7 @@ jobs:
|
||||
merge_or_comment:
|
||||
runs-on: ubuntu-latest
|
||||
needs: chack_agent_triage
|
||||
# Temporarily disabled by maintainer request.
|
||||
if: ${{ false && github.event.workflow_run.conclusion == 'success' && needs.chack_agent_triage.outputs.should_run == 'true' && needs.chack_agent_triage.outputs.decision != '' }}
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' && needs.chack_agent_triage.outputs.should_run == 'true' && needs.chack_agent_triage.outputs.decision != '' }}
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
@@ -7,9 +7,8 @@ on:
|
||||
|
||||
jobs:
|
||||
chack_agent_fix_master_failure:
|
||||
# Temporarily disabled by maintainer request.
|
||||
if: >
|
||||
${{ false && github.event.workflow_run.conclusion == 'failure' &&
|
||||
${{ github.event.workflow_run.conclusion == 'failure' &&
|
||||
github.event.workflow_run.head_branch == 'master' &&
|
||||
!startsWith(github.event.workflow_run.head_commit.message, 'Fix CI-master failures for run #') }}
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -7,9 +7,8 @@ on:
|
||||
|
||||
jobs:
|
||||
resolve_pr_context:
|
||||
# Temporarily disabled by maintainer request.
|
||||
if: >
|
||||
${{ false && github.event.workflow_run.conclusion == 'failure' &&
|
||||
${{ github.event.workflow_run.conclusion == 'failure' &&
|
||||
github.event.workflow_run.pull_requests &&
|
||||
github.event.workflow_run.pull_requests[0] &&
|
||||
!startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
|
||||
@@ -58,8 +57,7 @@ jobs:
|
||||
|
||||
chack_agent_on_failure:
|
||||
needs: resolve_pr_context
|
||||
# Temporarily disabled by maintainer request.
|
||||
if: ${{ false && needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
|
||||
if: ${{ needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
10
CHACK_AGENT_TESTING_NOTES.md
Normal file
10
CHACK_AGENT_TESTING_NOTES.md
Normal file
@@ -0,0 +1,10 @@
|
||||
# Chack Agent Testing Notes
|
||||
|
||||
This branch is intentionally prepared to validate automated CI-fix workflows.
|
||||
|
||||
## Why this exists
|
||||
- Provide a simple and explicit branch-level note for maintainers.
|
||||
- Exercise failure-triggered automation in a controlled way.
|
||||
|
||||
## Cleanup reminder
|
||||
After workflow validation is complete, revert the intentional CI break commit.
|
||||
@@ -813,12 +813,6 @@ search:
|
||||
bad_regex: "auth|accessfile=|secret=|user"
|
||||
remove_regex: "^#|^@"
|
||||
type: f
|
||||
- name: "*"
|
||||
value:
|
||||
bad_regex: "nullok|nullok_secure|pam_permit\\.so|pam_rootok\\.so|pam_exec\\.so|pam_unix\\.so.*(nullok|remember=0)|sufficient\\s+pam_unix\\.so"
|
||||
only_bad_lines: True
|
||||
remove_regex: "^#|^@"
|
||||
type: f
|
||||
type: d
|
||||
search_in:
|
||||
- ${ROOT_FOLDER}etc
|
||||
@@ -1241,20 +1235,12 @@ search:
|
||||
auto_check: False
|
||||
|
||||
files:
|
||||
- name: "agent.*"
|
||||
- name: "agent*"
|
||||
value:
|
||||
type: f
|
||||
remove_path: ".dll"
|
||||
search_in:
|
||||
- ${ROOT_FOLDER}tmp
|
||||
- ${ROOT_FOLDER}run
|
||||
|
||||
- name: "ssh-agent.sock"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- ${ROOT_FOLDER}tmp
|
||||
- ${ROOT_FOLDER}run
|
||||
|
||||
- name: SSH_CONFIG
|
||||
value:
|
||||
@@ -2081,45 +2067,6 @@ search:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "*.asc"
|
||||
value:
|
||||
type: f
|
||||
remove_path: "/usr/share/|/usr/lib/|/lib/|/man/"
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "secring.gpg"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "pubring.kbx"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "trustdb.gpg"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "gpg-agent.conf"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "secret.asc"
|
||||
value:
|
||||
type: f
|
||||
just_list_file: True
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "private-keys-v1.d/*.key"
|
||||
value:
|
||||
type: f
|
||||
@@ -2897,85 +2844,6 @@ search:
|
||||
remove_path: "example"
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: Proxy_Config
|
||||
value:
|
||||
config:
|
||||
auto_check: True
|
||||
|
||||
files:
|
||||
- name: "environment"
|
||||
value:
|
||||
bad_regex: "(http|https|ftp|all)_proxy|no_proxy"
|
||||
only_bad_lines: True
|
||||
remove_empty_lines: True
|
||||
remove_regex: '^#'
|
||||
type: f
|
||||
check_extra_path: "^/etc/environment$"
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "apt.conf"
|
||||
value:
|
||||
bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
|
||||
only_bad_lines: True
|
||||
remove_empty_lines: True
|
||||
remove_regex: '^#'
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "apt.conf.d"
|
||||
value:
|
||||
type: d
|
||||
files:
|
||||
- name: "*"
|
||||
value:
|
||||
bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
|
||||
only_bad_lines: True
|
||||
remove_empty_lines: True
|
||||
remove_regex: '^#'
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: Sniffing_Artifacts
|
||||
value:
|
||||
config:
|
||||
auto_check: True
|
||||
|
||||
files:
|
||||
- name: "*.pcap"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "*.pcapng"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "keys.log"
|
||||
value:
|
||||
bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
|
||||
only_bad_lines: True
|
||||
remove_empty_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "sslkeylog.log"
|
||||
value:
|
||||
bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
|
||||
only_bad_lines: True
|
||||
remove_empty_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: Msmtprc
|
||||
value:
|
||||
@@ -4080,13 +3948,6 @@ search:
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "*.maintenance*"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "*.key"
|
||||
value:
|
||||
just_list_file: True
|
||||
|
||||
@@ -7,6 +7,9 @@ import os
|
||||
import stat
|
||||
import argparse
|
||||
|
||||
# Intentional break for CI automation workflow validation.
|
||||
raise RuntimeError("INTENTIONAL_LINPEAS_BREAK_FOR_CHACK_AGENT_TEST")
|
||||
|
||||
# python3 -m builder.linpeas_builder
|
||||
def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output):
|
||||
# Load configuration
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
# Functions Used: print_2title, print_list, echo_not_found
|
||||
# Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path, $svc_path_entry, $svc_writable_path
|
||||
# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -113,19 +113,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
service=$(echo "$line" | awk '{print $1}')
|
||||
service_file=$(get_service_file "$service")
|
||||
if [ -n "$service_file" ]; then
|
||||
# Check service-specific PATH entries (Environment=PATH=...)
|
||||
svc_writable_path=$(grep -E '^Environment=.*PATH=' "$service_file" 2>/dev/null | sed -E 's/^Environment=//; s/^"//; s/"$//; s/^PATH=//' | tr ':' '\n' | while read -r svc_path_entry; do
|
||||
[ -z "$svc_path_entry" ] && continue
|
||||
if [ -d "$svc_path_entry" ] && [ -w "$svc_path_entry" ]; then
|
||||
echo "$svc_path_entry"
|
||||
fi
|
||||
done)
|
||||
if [ "$svc_writable_path" ]; then
|
||||
for svc_path_entry in $svc_writable_path; do
|
||||
echo "$service: Writable service PATH entry '$svc_path_entry'" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
done
|
||||
fi
|
||||
|
||||
# Check ExecStart paths
|
||||
grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null |
|
||||
while read -r exec_line; do
|
||||
@@ -143,9 +130,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
# Check for relative paths only in the command, not arguments
|
||||
if [ -n "$cmd_path" ] && [ "${cmd_path#/}" = "$cmd_path" ] && [ "${cmd_path#\$}" = "$cmd_path" ]; then
|
||||
echo "$service: Uses relative path '$cmd_path' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
|
||||
if [ "$svc_writable_path" ]; then
|
||||
echo "$service: Relative Exec path + writable service PATH can allow path hijacking" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.1
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED
|
||||
# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
|
||||
# Fat linpeas: 0
|
||||
@@ -142,13 +142,10 @@ if ! [ "$IAMROOT" ]; then
|
||||
# Highlight dangerous ownership
|
||||
if echo "$owner_info" | grep -q "root"; then
|
||||
echo " └─(${RED}Owned by root${NC})"
|
||||
if echo "$perms" | grep -q "Write"; then
|
||||
echo " └─High risk: root-owned and writable Unix socket" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -5,10 +5,10 @@
|
||||
# Description: Check for internet access
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname
|
||||
# Global Variables: $E
|
||||
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
|
||||
# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
@@ -29,8 +29,8 @@ check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
|
||||
check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
|
||||
check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
|
||||
|
||||
# Kill all check workers after timeout + 1s without relying on integer arithmetic
|
||||
(sleep "$TIMEOUT_INTERNET_SECONDS"; sleep 1; kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
|
||||
# Kill all after 10 seconds
|
||||
(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
|
||||
|
||||
check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
|
||||
tcp443_bin_status=$?
|
||||
@@ -50,9 +50,3 @@ if [ "$tcp443_bin_status" -eq 0 ] && \
|
||||
fi
|
||||
|
||||
echo ""
|
||||
print_3title "Proxy discovery"
|
||||
print_info "Checking common proxy env vars and apt proxy config"
|
||||
(env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g"
|
||||
grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g"
|
||||
|
||||
echo ""
|
||||
|
||||
@@ -5,8 +5,8 @@
|
||||
# Description: Check network interfaces
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_3title
|
||||
# Global Variables: $E, $SED_RED_YELLOW
|
||||
# Functions Used: print_2title
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $iface, $state, $mac, $ip_file, $line
|
||||
# Fat linpeas: 0
|
||||
@@ -73,22 +73,4 @@ else
|
||||
parse_network_interfaces
|
||||
fi
|
||||
|
||||
if command -v ip >/dev/null 2>&1; then
|
||||
print_3title "Routing & policy quick view"
|
||||
ip route 2>/dev/null
|
||||
ip -6 route 2>/dev/null | head -n 30
|
||||
echo ""
|
||||
ip rule 2>/dev/null
|
||||
|
||||
print_3title "Virtual/overlay interfaces quick view"
|
||||
ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g"
|
||||
|
||||
print_3title "Network namespaces quick view"
|
||||
ip netns list 2>/dev/null
|
||||
ls -la /var/run/netns/ 2>/dev/null
|
||||
fi
|
||||
|
||||
print_3title "Forwarding status"
|
||||
sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
|
||||
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -6,7 +6,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_3title, print_info
|
||||
# Global Variables: $E, $SED_RED, $SED_RED_YELLOW
|
||||
# Global Variables: $E, $SED_RED
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
|
||||
# Fat linpeas: 0
|
||||
@@ -122,45 +122,6 @@ get_open_ports() {
|
||||
parse_proc_net_ports "udp"
|
||||
fi
|
||||
|
||||
# Focused local service exposure view
|
||||
print_3title "Local-only listeners (loopback)"
|
||||
if command -v ss >/dev/null 2>&1; then
|
||||
ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
|
||||
elif command -v netstat >/dev/null 2>&1; then
|
||||
netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
|
||||
fi
|
||||
|
||||
print_3title "Unique listener bind addresses"
|
||||
if command -v ss >/dev/null 2>&1; then
|
||||
ss -nltpuH 2>/dev/null | awk '{
|
||||
a=$5
|
||||
if (a ~ /^\[/) {
|
||||
sub(/^\[/, "", a)
|
||||
sub(/\]:[0-9]+$/, "", a)
|
||||
} else if (a ~ /:[0-9]+$/) {
|
||||
sub(/:[0-9]+$/, "", a)
|
||||
}
|
||||
sub(/^::ffff:/, "", a)
|
||||
if (a != "") print a
|
||||
}' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
|
||||
elif command -v netstat >/dev/null 2>&1; then
|
||||
netstat -punta 2>/dev/null | grep -i listen | awk '{
|
||||
a=$4
|
||||
if (a ~ /^\[/) {
|
||||
sub(/^\[/, "", a)
|
||||
sub(/\]:[0-9]+$/, "", a)
|
||||
} else if (a ~ /:[0-9]+$/) {
|
||||
sub(/:[0-9]+$/, "", a)
|
||||
}
|
||||
if (a == ":::" ) a="::"
|
||||
sub(/^::ffff:/, "", a)
|
||||
if (a != "") print a
|
||||
}' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
|
||||
fi
|
||||
|
||||
print_3title "Potential local forwarders/relays"
|
||||
ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g"
|
||||
|
||||
# Additional port information
|
||||
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
|
||||
print_3title "Additional Port Information"
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_3title, print_info, warn_exec
|
||||
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW
|
||||
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns, $dumpcap_test_file
|
||||
# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -26,17 +26,8 @@ check_command() {
|
||||
# Function to check if we can sniff on an interface
|
||||
check_interface_sniffable() {
|
||||
local iface=$1
|
||||
if check_command tcpdump; then
|
||||
if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
elif check_command dumpcap; then
|
||||
dumpcap_test_file="/tmp/.linpeas_dumpcap_test_$$.pcap"
|
||||
if timeout 2 dumpcap -i "$iface" -c 1 -q -w "$dumpcap_test_file" >/dev/null 2>&1; then
|
||||
rm -f "$dumpcap_test_file" 2>/dev/null
|
||||
return 0
|
||||
fi
|
||||
rm -f "$dumpcap_test_file" 2>/dev/null
|
||||
if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
@@ -64,20 +55,6 @@ check_network_traffic_analysis() {
|
||||
tools_found=1
|
||||
# Check tcpdump version and capabilities
|
||||
warn_exec tcpdump --version 2>/dev/null | head -n 1
|
||||
getcap "$(command -v tcpdump)" 2>/dev/null
|
||||
fi
|
||||
|
||||
if check_command dumpcap; then
|
||||
echo "dumpcap is available" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
tools_found=1
|
||||
warn_exec dumpcap --version 2>/dev/null | head -n 1
|
||||
getcap "$(command -v dumpcap)" 2>/dev/null
|
||||
|
||||
if id -nG 2>/dev/null | grep -qw wireshark; then
|
||||
echo "Current user is in wireshark group" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
elif getent group wireshark >/dev/null 2>&1; then
|
||||
echo "wireshark group exists but current user is not in it" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
fi
|
||||
|
||||
if check_command tshark; then
|
||||
@@ -91,28 +68,10 @@ check_network_traffic_analysis() {
|
||||
echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
tools_found=1
|
||||
fi
|
||||
|
||||
if check_command ngrep; then
|
||||
echo "ngrep is available" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
tools_found=1
|
||||
fi
|
||||
|
||||
if check_command tcpflow; then
|
||||
echo "tcpflow is available" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
tools_found=1
|
||||
fi
|
||||
|
||||
if [ $tools_found -eq 0 ]; then
|
||||
echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
|
||||
if check_command tcpdump; then
|
||||
echo "Sniffable interfaces according to tcpdump -D:"
|
||||
timeout 2 tcpdump -D 2>/dev/null
|
||||
elif check_command dumpcap; then
|
||||
echo "Sniffable interfaces according to dumpcap -D:"
|
||||
timeout 2 dumpcap -D 2>/dev/null
|
||||
fi
|
||||
|
||||
# Check network interfaces
|
||||
echo ""
|
||||
@@ -129,28 +88,25 @@ check_network_traffic_analysis() {
|
||||
fi
|
||||
|
||||
for iface in $interfaces; do
|
||||
if [ "$iface" = "lo" ]; then
|
||||
echo -n "Interface $iface (loopback): "
|
||||
else
|
||||
if [ "$iface" != "lo" ]; then # Skip loopback
|
||||
echo -n "Interface $iface: "
|
||||
fi
|
||||
|
||||
if check_interface_sniffable "$iface"; then
|
||||
echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
interfaces_found=1
|
||||
|
||||
# Check promiscuous mode
|
||||
if [ "$iface" != "lo" ] && check_promiscuous_mode "$iface"; then
|
||||
echo " - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
|
||||
if check_interface_sniffable "$iface"; then
|
||||
echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
interfaces_found=1
|
||||
|
||||
# Check promiscuous mode
|
||||
if check_promiscuous_mode "$iface"; then
|
||||
echo " - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
|
||||
# Get interface details
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
echo " - Interface details:"
|
||||
warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
|
||||
fi
|
||||
else
|
||||
echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
|
||||
# Get interface details
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
echo " - Interface details:"
|
||||
warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
|
||||
fi
|
||||
else
|
||||
echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
|
||||
@@ -189,12 +145,7 @@ check_network_traffic_analysis() {
|
||||
print_info "To capture sensitive traffic, you can use:"
|
||||
echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
echo "dumpcap -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
print_3title "Running sniffing/traffic reconstruction processes"
|
||||
ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
|
||||
# Additional information
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
|
||||
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW
|
||||
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $rules_file, $cmd, $tool, $config_file, $sysctl_var
|
||||
# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -90,9 +90,6 @@ analyze_nftables() {
|
||||
# List all rules
|
||||
echo -e "\nNftables Ruleset:"
|
||||
warn_exec nft list ruleset 2>/dev/null
|
||||
|
||||
echo -e "\nNftables Ruleset with handles (-a):"
|
||||
warn_exec nft -a list ruleset 2>/dev/null | sed -${E} "s,\\bdrop\\b|\\breject\\b|handle [0-9]+,${SED_RED_YELLOW},g"
|
||||
|
||||
# Check for saved rules
|
||||
echo -e "\nSaved Rules:"
|
||||
@@ -183,17 +180,6 @@ analyze_firewall_rules() {
|
||||
analyze_nftables
|
||||
analyze_firewalld
|
||||
analyze_ufw
|
||||
|
||||
echo ""
|
||||
print_3title "Forwarding and rp_filter"
|
||||
for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do
|
||||
sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
|
||||
done
|
||||
|
||||
if check_command conntrack; then
|
||||
echo -e "\nConntrack state (first 20):"
|
||||
warn_exec conntrack -L 2>/dev/null | head -n 20
|
||||
fi
|
||||
|
||||
# Additional checks if EXTRA_CHECKS is enabled
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
@@ -221,4 +207,4 @@ analyze_firewall_rules() {
|
||||
}
|
||||
|
||||
# Run the main function
|
||||
analyze_firewall_rules
|
||||
analyze_firewall_rules
|
||||
@@ -34,9 +34,6 @@ if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
||||
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
fi
|
||||
for f in /etc/sudoers.d/*; do
|
||||
if [ -w "$f" ]; then
|
||||
echo "Sudoers file: $f is writable and may allow privilege escalation" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||
fi
|
||||
if [ -r "$f" ]; then
|
||||
echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
|
||||
@@ -8,12 +8,12 @@
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables:$DEBUG, $SEARCH_IN_FOLDER, $USER, $wgroups
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $screensess, $screensess2, $uscreen
|
||||
# Generated Global Variables: $screensess, $screensess2
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
print_2title "Searching screen sessions"
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
|
||||
screensess=$(screen -ls 2>/dev/null)
|
||||
@@ -25,16 +25,5 @@ if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) &
|
||||
find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
|
||||
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
|
||||
done
|
||||
|
||||
if [ -r "/etc/passwd" ]; then
|
||||
print_3title "Checking other users screen sessions"
|
||||
cut -d: -f1,7 /etc/passwd 2>/dev/null | grep "sh$" | cut -d: -f1 | grep -v "^$USER$" | while read u; do
|
||||
uscreen=$(screen -ls "${u}/" 2>/dev/null | grep -v "No Sockets found" | grep -v "^$")
|
||||
if [ "$uscreen" ]; then
|
||||
echo "User $u screen sessions:"
|
||||
printf "%s\n" "$uscreen" | sed -${E} "s,.*,${SED_RED},"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -8,7 +8,7 @@
|
||||
# Functions Used: print_2title, print_3title
|
||||
# Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $agent_sockets, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
|
||||
# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -19,18 +19,12 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
|
||||
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
|
||||
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
|
||||
agent_sockets=$(find /run/user /tmp -type s \( -path "/run/user/*/ssh-*/agent.*" -o -name "ssh-agent.sock" -o -path "/tmp/ssh-*" \) 2>/dev/null)
|
||||
writable_agents=$(find /tmp /etc /home /run/user \
|
||||
\( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
|
||||
-a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
|
||||
writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
||||
else
|
||||
sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
|
||||
hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
|
||||
hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
|
||||
agent_sockets=$(find "${ROOT_FOLDER}"tmp "${ROOT_FOLDER}"run -type s \( -name "agent.*" -o -name "ssh-agent.sock" \) 2>/dev/null)
|
||||
writable_agents=$(find "${ROOT_FOLDER}" \
|
||||
\( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
|
||||
-a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
|
||||
writable_agents=$(find ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
||||
fi
|
||||
|
||||
peass{SSH}
|
||||
@@ -64,7 +58,7 @@ fi
|
||||
if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
|
||||
print_3title "Some certificates were found (out limited):"
|
||||
printf "$certsb4_grep\n" | head -n 20
|
||||
printf "$PSTORAGE_CERTSBIN\n" | head -n 20
|
||||
printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
|
||||
echo ""
|
||||
fi
|
||||
if [ "$PSTORAGE_CERTSCLIENT" ]; then
|
||||
@@ -77,11 +71,6 @@ if [ "$PSTORAGE_SSH_AGENTS" ]; then
|
||||
printf "$PSTORAGE_SSH_AGENTS\n"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$agent_sockets" ]; then
|
||||
print_3title "Potential SSH agent sockets were found:"
|
||||
printf "%s\n" "$agent_sockets" | sed -${E} "s,.*,${SED_RED},"
|
||||
echo ""
|
||||
fi
|
||||
if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
|
||||
print_3title "Listing SSH Agents"
|
||||
ssh-add -l
|
||||
|
||||
@@ -23,7 +23,6 @@ if ! [ "$STRACE" ]; then
|
||||
fi
|
||||
suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
printf "%s\n" "$suids_files" | while read s; do
|
||||
[ -z "$s" ] && continue
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total"; then break; fi
|
||||
@@ -60,8 +59,6 @@ printf "%s\n" "$suids_files" | while read s; do
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
fi
|
||||
elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
|
||||
|
||||
@@ -17,7 +17,6 @@ print_2title "SGID"
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
|
||||
sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||
printf "%s\n" "$sgids_files" | while read s; do
|
||||
[ -z "$s" ] && continue
|
||||
s=$(ls -lahtr "$s")
|
||||
#If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
|
||||
if echo "$s" | grep -qE "^total";then break; fi
|
||||
@@ -54,8 +53,6 @@ printf "%s\n" "$sgids_files" | while read s; do
|
||||
if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
|
||||
fi
|
||||
elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline)\n"
|
||||
else #If not a path
|
||||
if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
|
||||
printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
|
||||
@@ -93,4 +90,4 @@ printf "%s\n" "$sgids_files" | while read s; do
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -6,7 +6,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: echo_not_found, print_2title, print_info
|
||||
# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $writeB, $writeVB
|
||||
# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
@@ -16,12 +16,12 @@
|
||||
print_2title "Files with ACLs (limited to 50)"
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
|
||||
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
else
|
||||
( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
|
||||
( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
fi
|
||||
|
||||
if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl || echo -n '')" ]; then #Find ACL files in macos (veeeery slow)
|
||||
ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
|
||||
ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
fi
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@
|
||||
# Functions Used: echo_not_found, print_2title, print_info, print_3title
|
||||
# Global Variables: $capsB, $capsVB, $IAMROOT, $SEARCH_IN_FOLDER
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln, $proc_status, $proc_pid, $proc_name, $proc_uid, $user_name, $proc_inh, $proc_prm, $proc_eff, $proc_bnd, $proc_amb, $proc_inh_dec, $proc_prm_dec, $proc_eff_dec, $proc_bnd_dec, $proc_amb_dec
|
||||
# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -69,40 +69,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
|
||||
print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)"
|
||||
find /proc -maxdepth 2 -path "/proc/[0-9]*/status" 2>/dev/null | head -n 400 | while read -r proc_status; do
|
||||
proc_pid=$(echo "$proc_status" | cut -d/ -f3)
|
||||
proc_name=$(awk '/^Name:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
proc_uid=$(awk '/^Uid:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
user_name=$(awk -F: -v uid="$proc_uid" '$3==uid{print $1; exit}' /etc/passwd 2>/dev/null)
|
||||
[ -z "$user_name" ] && user_name="$proc_uid"
|
||||
|
||||
proc_inh=$(awk '/^CapInh:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
proc_prm=$(awk '/^CapPrm:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
proc_eff=$(awk '/^CapEff:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
proc_bnd=$(awk '/^CapBnd:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
proc_amb=$(awk '/^CapAmb:/{print $2}' "$proc_status" 2>/dev/null)
|
||||
|
||||
[ -z "$proc_eff" ] && continue
|
||||
if [ "$proc_eff" != "0000000000000000" ] || [ "$proc_amb" != "0000000000000000" ]; then
|
||||
echo "PID $proc_pid ($proc_name) user=$user_name"
|
||||
|
||||
proc_inh_dec=$(capsh --decode=0x"$proc_inh" 2>/dev/null)
|
||||
proc_prm_dec=$(capsh --decode=0x"$proc_prm" 2>/dev/null)
|
||||
proc_eff_dec=$(capsh --decode=0x"$proc_eff" 2>/dev/null)
|
||||
proc_bnd_dec=$(capsh --decode=0x"$proc_bnd" 2>/dev/null)
|
||||
proc_amb_dec=$(capsh --decode=0x"$proc_amb" 2>/dev/null)
|
||||
|
||||
echo " CapInh: $proc_inh_dec" | sed -${E} "s,$capsB,${SED_RED},g"
|
||||
echo " CapPrm: $proc_prm_dec" | sed -${E} "s,$capsB,${SED_RED},g"
|
||||
echo " CapEff: $proc_eff_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
|
||||
echo " CapBnd: $proc_bnd_dec" | sed -${E} "s,$capsB,${SED_RED},g"
|
||||
echo " CapAmb: $proc_amb_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
|
||||
echo ""
|
||||
fi
|
||||
done | head -n 240
|
||||
echo ""
|
||||
|
||||
else
|
||||
print_3title "Current shell capabilities"
|
||||
|
||||
@@ -6,27 +6,19 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: echo_not_found, print_2title, print_info
|
||||
# Global Variables: $capsB, $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
|
||||
# Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pam_cap_lines
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
|
||||
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ] || grep -Rqs "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null; then
|
||||
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Users with capabilities"
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
|
||||
if [ -f "/etc/security/capability.conf" ]; then
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$capsB,${SED_RED},g"
|
||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||
else echo_not_found "/etc/security/capability.conf"
|
||||
fi
|
||||
echo ""
|
||||
print_info "Checking if PAM loads pam_cap.so"
|
||||
pam_cap_lines=$(grep -RIn "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null)
|
||||
if [ "$pam_cap_lines" ]; then
|
||||
printf "%s\n" "$pam_cap_lines" | sed -${E} "s,pam_cap\\.so,${SED_RED_YELLOW},g"
|
||||
else
|
||||
echo_not_found "pam_cap.so in /etc/pam.d or /etc/pam.conf"
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -6,7 +6,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $ldsoconfdG, $wgroups
|
||||
# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $wgroups
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $ini_path, $fpath
|
||||
# Fat linpeas: 0
|
||||
@@ -26,53 +26,40 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||
echo "Content of /etc/ld.so.conf:"
|
||||
cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
|
||||
# Check each configured folder and include directives
|
||||
cat /etc/ld.so.conf 2>/dev/null | while IFS= read -r l; do
|
||||
l=$(echo "$l" | sed 's/#.*$//' | xargs 2>/dev/null)
|
||||
[ -z "$l" ] && continue
|
||||
|
||||
if echo "$l" | grep -qE '^include[[:space:]]+'; then
|
||||
# Check each configured folder
|
||||
cat /etc/ld.so.conf 2>/dev/null | while read l; do
|
||||
if echo "$l" | grep -q include; then
|
||||
ini_path=$(echo "$l" | cut -d " " -f 2)
|
||||
fpath=$(dirname "$ini_path")
|
||||
|
||||
if [ -d "$fpath" ] && [ -w "$fpath" ]; then
|
||||
echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]; then
|
||||
echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED_YELLOW$ITALIC"$fpath\n"$NC;
|
||||
else
|
||||
printf $GREEN$ITALIC"$fpath\n"$NC;
|
||||
fi
|
||||
|
||||
if [ "$(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
|
||||
echo "You have write privileges over $(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
|
||||
echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
fi
|
||||
|
||||
for f in $ini_path; do
|
||||
[ -f "$f" ] || continue
|
||||
|
||||
if [ -w "$f" ]; then
|
||||
echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
for f in $fpath/*; do
|
||||
if [ -w "$f" ]; then
|
||||
echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED_YELLOW$ITALIC"$f\n"$NC;
|
||||
else
|
||||
printf $GREEN$ITALIC" $f\n"$NC;
|
||||
fi
|
||||
|
||||
cat "$f" 2>/dev/null | grep -v "^#" | while IFS= read -r l2; do
|
||||
l2=$(echo "$l2" | xargs 2>/dev/null)
|
||||
[ -z "$l2" ] && continue
|
||||
|
||||
if [ -d "$l2" ] && [ -w "$l2" ]; then
|
||||
echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
cat "$f" | grep -v "^#" | while read l2; do
|
||||
if [ -f "$l2" ] && [ -w "$l2" ]; then
|
||||
echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED_YELLOW$ITALIC" - $l2\n"$NC;
|
||||
elif [ -d "$l2" ]; then
|
||||
echo $ITALIC" - $l2"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
|
||||
else
|
||||
echo $ITALIC" - $l2"$NC | sed -${E} "s,$l2,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
|
||||
fi
|
||||
done
|
||||
done
|
||||
elif [ -d "$l" ] && [ -w "$l" ]; then
|
||||
echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED_YELLOW$ITALIC"$l\n"$NC;
|
||||
else
|
||||
echo $ITALIC"$l"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
@@ -88,4 +75,4 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||
if [ -f "$l" ] && [ -w "$l" ]; then echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
|
||||
done
|
||||
|
||||
fi
|
||||
fi
|
||||
@@ -217,7 +217,7 @@ print_title(){
|
||||
max_title_len=80
|
||||
rest_len=$((($max_title_len - $title_len) / 2))
|
||||
|
||||
printf "%s" "${BLUE}"
|
||||
printf ${BLUE}
|
||||
for i in $(seq 1 $rest_len); do printf " "; done
|
||||
printf "╔"
|
||||
for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
|
||||
@@ -231,13 +231,13 @@ print_title(){
|
||||
|
||||
echo ""
|
||||
|
||||
printf "%s" "${BLUE}"
|
||||
printf ${BLUE}
|
||||
for i in $(seq 1 $rest_len); do printf " "; done
|
||||
printf "╚"
|
||||
for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
|
||||
printf "╝"
|
||||
|
||||
printf "%s" "${NC}"
|
||||
printf $NC
|
||||
echo ""
|
||||
}
|
||||
|
||||
|
||||
@@ -13,4 +13,4 @@
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
capsB="=ep|cap_chown|cap_fowner|cap_fsetid|cap_setpcap|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_sys_rawio|cap_bpf|cap_perfmon"
|
||||
capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module"
|
||||
|
||||
@@ -18,9 +18,7 @@ cap_sys_ptrace:python \
|
||||
cap_sys_module:kmod|python \
|
||||
cap_dac_override:python|vim \
|
||||
cap_chown:chown|python \
|
||||
cap_fowner:chown|python \
|
||||
cap_setfcap:python|perl|ruby|php|node|lua|bash \
|
||||
cap_setpcap:python|perl|ruby|php|node|lua|bash \
|
||||
cap_former:chown|python \
|
||||
cap_setuid:peass{CAP_SETUID_HERE} \
|
||||
cap_setgid:peass{CAP_SETGID_HERE} \
|
||||
cap_net_raw:python|tcpdump|dumpcap|tcpflow"
|
||||
cap_net_raw:python|tcpdump"
|
||||
@@ -24,4 +24,4 @@ pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KE
|
||||
pwd_in_variables8="OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY"
|
||||
pwd_in_variables9="S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETACCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY"
|
||||
pwd_in_variables10="SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|VAULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS"
|
||||
pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY|USERNAME|PASSWORD|PASSWD|CREDENTIALS?"
|
||||
pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY"
|
||||
@@ -12,4 +12,4 @@
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|/usermod|/sbin/ldconfig|/usr/sbin/ldconfig|ldconfig -f|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"
|
||||
@@ -13,4 +13,4 @@
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/ld.so.preload|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH
|
||||
writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH
|
||||
Reference in New Issue
Block a user